From c6a1d64dc138902f81d21691c952d67d427e2fd4 Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <forgejo-release-manager@noreply.codeberg.org>
Date: Thu, 26 Mar 2026 08:40:03 +0100
Subject: [PATCH 001/287] chore: 15.0.0 is now stable - development tag [skip
 ci]

---
 release-notes-published/15.0.0.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 release-notes-published/15.0.0.md

diff --git a/release-notes-published/15.0.0.md b/release-notes-published/15.0.0.md
new file mode 100644
index 0000000000..e69de29bb2

From 75906efe932ed520efcda55c08471d8d4291ab9f Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <forgejo-release-manager@noreply.codeberg.org>
Date: Thu, 26 Mar 2026 08:40:14 +0100
Subject: [PATCH 002/287] chore: 15.0.0 is now stable - first commit

---
 release-notes-published/15.0.0.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/release-notes-published/15.0.0.md b/release-notes-published/15.0.0.md
index e69de29bb2..48cdce8528 100644
--- a/release-notes-published/15.0.0.md
+++ b/release-notes-published/15.0.0.md
@@ -0,0 +1 @@
+placeholder

From 8707cc10d0a5459d82f23bb391864a38501211d7 Mon Sep 17 00:00:00 2001
From: Beowulf <beowulf@beocode.eu>
Date: Thu, 26 Mar 2026 11:00:37 +0100
Subject: [PATCH 003/287] chore: run renovate on v15 branch (#11823)

ToDo: After merge schedule a PR to remove v14 when it is EoL
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11823
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Beowulf <beowulf@beocode.eu>
Co-committed-by: Beowulf <beowulf@beocode.eu>
---
 .forgejo/renovate.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.forgejo/renovate.json b/.forgejo/renovate.json
index 34c5c1f958..f3360b6647 100644
--- a/.forgejo/renovate.json
+++ b/.forgejo/renovate.json
@@ -9,7 +9,8 @@
   "baseBranchPatterns": [
     "$default",
     "/^v11\\.\\d+/forgejo$/",
-    "/^v14\\.\\d+/forgejo$/"
+    "/^v14\\.\\d+/forgejo$/",
+    "/^v15\\.\\d+/forgejo$/"
   ],
   "postUpdateOptions": ["gomodTidy", "gomodUpdateImportPaths", "npmDedupe"],
   "prConcurrentLimit": 10,

From 989804fcc33451b4a57560c6661186df4568f0c2 Mon Sep 17 00:00:00 2001
From: Guangxiong Lin <hi@gxlin.org>
Date: Thu, 26 Mar 2026 15:30:16 +0100
Subject: [PATCH 004/287] fix(api): package name in route not properly
 unescaped (#11822)

This pull fixes the issue described in https://codeberg.org/forgejo/forgejo/issues/11427 .

The api handler of link/unlink packages use escaped path params to find packages. It causes errors when it comes to npm packages, which contains characters like `@` and `/`.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11822
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Guangxiong Lin <hi@gxlin.org>
Co-committed-by: Guangxiong Lin <hi@gxlin.org>
---
 routers/api/v1/packages/package.go         |  6 +++---
 tests/integration/api_packages_npm_test.go | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/routers/api/v1/packages/package.go b/routers/api/v1/packages/package.go
index 03057c4feb..1f7bf89027 100644
--- a/routers/api/v1/packages/package.go
+++ b/routers/api/v1/packages/package.go
@@ -249,7 +249,7 @@ func LinkPackage(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	pkg, err := packages.GetPackageByName(ctx, ctx.ContextUser.ID, packages.Type(ctx.PathParamRaw("type")), ctx.PathParamRaw("name"))
+	pkg, err := packages.GetPackageByName(ctx, ctx.ContextUser.ID, packages.Type(ctx.Params("type")), ctx.Params("name"))
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
 			ctx.Error(http.StatusNotFound, "GetPackageByName", err)
@@ -259,7 +259,7 @@ func LinkPackage(ctx *context.APIContext) {
 		return
 	}
 
-	repo, err := repo_model.GetRepositoryByName(ctx, ctx.ContextUser.ID, ctx.PathParamRaw("repo_name"))
+	repo, err := repo_model.GetRepositoryByName(ctx, ctx.ContextUser.ID, ctx.Params("repo_name"))
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
 			ctx.Error(http.StatusNotFound, "GetRepositoryByName", err)
@@ -311,7 +311,7 @@ func UnlinkPackage(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	pkg, err := packages.GetPackageByName(ctx, ctx.ContextUser.ID, packages.Type(ctx.PathParamRaw("type")), ctx.PathParamRaw("name"))
+	pkg, err := packages.GetPackageByName(ctx, ctx.ContextUser.ID, packages.Type(ctx.Params("type")), ctx.Params("name"))
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
 			ctx.Error(http.StatusNotFound, "GetPackageByName", err)
diff --git a/tests/integration/api_packages_npm_test.go b/tests/integration/api_packages_npm_test.go
index 38c7ee54c0..78c683c4e4 100644
--- a/tests/integration/api_packages_npm_test.go
+++ b/tests/integration/api_packages_npm_test.go
@@ -14,6 +14,7 @@ import (
 	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	"forgejo.org/models/packages"
+	unit_model "forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/packages/npm"
@@ -28,6 +29,8 @@ func TestPackageNpm(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	session := loginUser(t, user.Name)
+	tokenWritePackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWritePackage)
 
 	token := fmt.Sprintf("Bearer %s", getTokenForLoggedInUser(t, loginUser(t, user.Name), auth_model.AccessTokenScopeWritePackage))
 
@@ -117,6 +120,22 @@ func TestPackageNpm(t *testing.T) {
 		assert.Equal(t, int64(192), pb.Size)
 	})
 
+	t.Run("RepositoryLink", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		// create a repository
+		repo, _, f := tests.CreateDeclarativeRepo(t, user, "", []unit_model.Type{unit_model.TypeCode}, nil, nil)
+		defer f()
+
+		// link to public repository
+		req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/packages/%s/npm/%s/-/link/%s", user.Name, url.QueryEscape(packageName), repo.Name)).AddTokenAuth(tokenWritePackage)
+		MakeRequest(t, req, http.StatusCreated)
+
+		// remove link
+		req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/packages/%s/npm/%s/-/unlink", user.Name, url.QueryEscape(packageName))).AddTokenAuth(tokenWritePackage)
+		MakeRequest(t, req, http.StatusNoContent)
+	})
+
 	t.Run("UploadExists", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 

From 7c7c6ba3b7e3678b54cc371aeb604bd318ec1e65 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 26 Mar 2026 15:32:35 +0100
Subject: [PATCH 005/287] Update module golang.org/x/image to v0.38.0
 [SECURITY] (forgejo) (#11818)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) | [`v0.37.0` → `v0.38.0`](https://cs.opensource.google/go/x/image/+/refs/tags/v0.37.0...refs/tags/v0.38.0) | ![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fimage/v0.38.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fimage/v0.37.0/v0.38.0?slim=true) |

---

### OOM from malicious IFD offset in golang.org/x/image/tiff
[CVE-2026-33809](https://nvd.nist.gov/vuln/detail/CVE-2026-33809) / [GO-2026-4815](https://pkg.go.dev/vuln/GO-2026-4815)

<details>
<summary>More information</summary>

#### Details
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

#### Severity
Unknown

#### References
- [https://go.dev/cl/757660](https://go.dev/cl/757660)
- [https://go.dev/issue/78267](https://go.dev/issue/78267)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-4815) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuODYuMCIsInRhcmdldEJyYW5jaCI6ImZvcmdlam8iLCJsYWJlbHMiOlsiZGVwZW5kZW5jeS11cGdyYWRlIiwidGVzdC9ub3QtbmVlZGVkIl19-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11818
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index b7c217def8..68381a87a7 100644
--- a/go.mod
+++ b/go.mod
@@ -103,7 +103,7 @@ require (
 	go.uber.org/mock v0.6.0
 	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/crypto v0.49.0
-	golang.org/x/image v0.37.0
+	golang.org/x/image v0.38.0
 	golang.org/x/net v0.52.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
diff --git a/go.sum b/go.sum
index 33570a84d1..410025ae97 100644
--- a/go.sum
+++ b/go.sum
@@ -738,8 +738,8 @@ golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.37.0 h1:ZiRjArKI8GwxZOoEtUfhrBtaCN+4b/7709dlT6SSnQA=
-golang.org/x/image v0.37.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
+golang.org/x/image v0.38.0 h1:5l+q+Y9JDC7mBOMjo4/aPhMDcxEptsX+Tt3GgRQRPuE=
+golang.org/x/image v0.38.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

From 9c41a5f717589b86fcf55814f46899ef4691a7e3 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 26 Mar 2026 17:11:10 +0100
Subject: [PATCH 006/287] fix: out of synchronization error after interrupting
 a PR merge by user-agent disconnect (#11821)

If the HTTP request to `/user/repo/pulls/N/merge` is cancelled by the user agent, don't stop work once we've passed validation and started to merge the PR.  Go will automatically cancel the context if the user-agent disconnects, but that can leave Forgejo in an inconsistent state -- the `git` command can be cancelled at an arbitrary location, the `branch` database table update may not be completed, timers may not be stopped, cross-references may not be populated, etc.

Added test `TestMergeHTTPRequestCancellation` stress-tests the fix by cancelling merge requests, and then verifying that the in-database repository state and in-repository database state are consistent.  I've verified that this test fails if the fix is removed -- the in-database commit and commit messages don't match the repository in all PRs.

This is a problem that likely affects other Forgejo endpoints.  For example, even the PR merge API would be impacted.  But this will be one of the most common real-world places for it to occur, so my thought is we'll see how well this fix works and what (if any) side-effects it has.  We can apply a similar pattern in other areas if they are identified as problems.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11821
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 routers/web/repo/pull.go             |  20 ++-
 tests/integration/pull_merge_test.go | 228 ++++++++++++++++++++-------
 2 files changed, 182 insertions(+), 66 deletions(-)

diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
index 83e3a3cef3..c4b8583e2d 100644
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -7,6 +7,7 @@
 package repo
 
 import (
+	stdCtx "context"
 	"errors"
 	"fmt"
 	"html"
@@ -16,6 +17,7 @@ import (
 	"path"
 	"strconv"
 	"strings"
+	"time"
 
 	"forgejo.org/models"
 	actions_model "forgejo.org/models/actions"
@@ -1420,7 +1422,15 @@ func MergePullRequest(ctx *context.Context) {
 		}
 	}
 
-	if err := pull_service.Merge(ctx, pr, ctx.Doer, ctx.Repo.GitRepo, repo_model.MergeStyle(form.Do), form.HeadCommitID, message, false); err != nil {
+	// If the HTTP request is cancelled by the user agent, don't stop work. We've started a merge and need to finish all
+	// the related work. All usage of `ctx` throughout the rest of this function should be only for error handling or UI
+	// interactions, and all effective work should use `workCtx` instead.
+	workCtx, cancelWorkCtx := stdCtx.WithTimeout(
+		stdCtx.WithoutCancel(ctx),
+		time.Duration(setting.Git.Timeout.Default)*time.Second)
+	defer cancelWorkCtx()
+
+	if err := pull_service.Merge(workCtx, pr, ctx.Doer, ctx.Repo.GitRepo, repo_model.MergeStyle(form.Do), form.HeadCommitID, message, false); err != nil {
 		if models.IsErrInvalidMergeStyle(err) {
 			ctx.JSONError(ctx.Tr("repo.pulls.invalid_merge_option"))
 		} else if models.IsErrMergeConflicts(err) {
@@ -1491,7 +1501,7 @@ func MergePullRequest(ctx *context.Context) {
 	}
 	log.Trace("Pull request merged: %d", pr.ID)
 
-	if err := stopTimerIfAvailable(ctx, ctx.Doer, issue); err != nil {
+	if err := stopTimerIfAvailable(workCtx, ctx.Doer, issue); err != nil {
 		ctx.ServerError("stopTimerIfAvailable", err)
 		return
 	}
@@ -1504,7 +1514,7 @@ func MergePullRequest(ctx *context.Context) {
 			headRepo = ctx.Repo.GitRepo
 		} else {
 			var err error
-			headRepo, err = gitrepo.OpenRepository(ctx, pr.HeadRepo)
+			headRepo, err = gitrepo.OpenRepository(workCtx, pr.HeadRepo)
 			if err != nil {
 				ctx.ServerError(fmt.Sprintf("OpenRepository[%s]", pr.HeadRepo.FullName()), err)
 				return
@@ -1512,7 +1522,7 @@ func MergePullRequest(ctx *context.Context) {
 			defer headRepo.Close()
 		}
 
-		if err := repo_service.DeleteBranchAfterMerge(ctx, ctx.Doer, pr, headRepo); err != nil {
+		if err := repo_service.DeleteBranchAfterMerge(workCtx, ctx.Doer, pr, headRepo); err != nil {
 			switch {
 			case errors.Is(err, repo_service.ErrBranchIsDefault):
 				ctx.Flash.Error(ctx.Tr("repo.pulls.delete_after_merge.head_branch.is_default"))
@@ -1557,7 +1567,7 @@ func CancelAutoMergePullRequest(ctx *context.Context) {
 	ctx.Redirect(issue.HTMLURL())
 }
 
-func stopTimerIfAvailable(ctx *context.Context, user *user_model.User, issue *issues_model.Issue) error {
+func stopTimerIfAvailable(ctx stdCtx.Context, user *user_model.User, issue *issues_model.Issue) error {
 	if issues_model.StopwatchExists(ctx, user.ID, issue.ID) {
 		if err := issues_model.CreateOrStopIssueStopwatch(ctx, user, issue); err != nil {
 			return err
diff --git a/tests/integration/pull_merge_test.go b/tests/integration/pull_merge_test.go
index b12ced9073..a987603ce7 100644
--- a/tests/integration/pull_merge_test.go
+++ b/tests/integration/pull_merge_test.go
@@ -5,6 +5,7 @@ package integration
 
 import (
 	"bytes"
+	"context"
 	"encoding/base64"
 	"fmt"
 	"math/rand/v2"
@@ -1197,6 +1198,68 @@ func shuffleSlice(slice []int64) {
 	})
 }
 
+func bulkCreatePRs(t *testing.T, prCount int, repo *repo_model.Repository, token string, labelIDs []int64, milestoneID int64) {
+	var createAllPRs sync.WaitGroup
+	var errorListMutex sync.Mutex
+	var errorList []any
+	for i := range prCount {
+		createAllPRs.Add(1)
+		go func(i int) {
+			defer createAllPRs.Done()
+			defer func() {
+				if r := recover(); r != nil {
+					errorListMutex.Lock()
+					defer errorListMutex.Unlock()
+					errorList = append(errorList, r)
+				}
+			}()
+
+			// We're going to create two branches; a new target branch where the PR will merge *into*, and a new
+			// head branch where the PR will merge *from*.  This test is about finding internal concurrency
+			// conflicts within Forgejo that prevent merges, and, merging simultaneously into the *same branch*
+			// would have natural conflicts that aren't what we're attempting to test.
+			targetBranchName := fmt.Sprintf("target-branch-%d", i)
+			req := NewRequestWithJSON(t,
+				"POST",
+				fmt.Sprintf("/api/v1/repos/%s/%s/branches", repo.OwnerName, repo.Name),
+				&api.CreateBranchRepoOption{
+					OldRefName: "main",
+					BranchName: targetBranchName,
+				}).AddTokenAuth(token)
+			MakeRequest(t, req, http.StatusCreated)
+
+			// Create the head branch that we'll be trying to merge from, with a file change:
+			headBranchName := fmt.Sprintf("update-%d", i)
+			req = NewRequestWithJSON(t,
+				"POST",
+				fmt.Sprintf("/api/v1/repos/%s/%s/contents/README-%d.md", repo.OwnerName, repo.Name, i),
+				&api.CreateFileOptions{
+					FileOptions: api.FileOptions{
+						NewBranchName: headBranchName,
+					},
+					ContentBase64: base64.StdEncoding.EncodeToString(fmt.Appendf(nil, "Hello, world %d!\n", i)),
+				}).AddTokenAuth(token)
+			MakeRequest(t, req, http.StatusCreated)
+
+			// Create a PR for the branch
+			myLabelIDs := slices.Clone(labelIDs)
+			shuffleSlice(myLabelIDs) // use a random ordering for labels as it may cause deadlocks when their count of assigned issues is updated
+			req = NewRequestWithJSON(t, http.MethodPost,
+				fmt.Sprintf("/api/v1/repos/%s/%s/pulls", repo.OwnerName, repo.Name),
+				&api.CreatePullRequestOption{
+					Head:      headBranchName,
+					Base:      targetBranchName,
+					Title:     fmt.Sprintf("create PR from branch %s", headBranchName),
+					Labels:    myLabelIDs,
+					Milestone: milestoneID,
+				}).AddTokenAuth(token)
+			MakeRequest(t, req, http.StatusCreated)
+		}(i)
+	}
+	createAllPRs.Wait()
+	assert.Empty(t, errorList)
+}
+
 func TestMergeConcurrency(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, giteaURL *url.URL) {
 		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
@@ -1241,67 +1304,7 @@ func TestMergeConcurrency(t *testing.T) {
 		var apiMilestone api.Milestone
 		DecodeJSON(t, resp, &apiMilestone)
 
-		{
-			var createAllPRs sync.WaitGroup
-			var errorListMutex sync.Mutex
-			var errorList []any
-			for i := range concurrentCount {
-				createAllPRs.Add(1)
-				go func(i int) {
-					defer createAllPRs.Done()
-					defer func() {
-						if r := recover(); r != nil {
-							errorListMutex.Lock()
-							defer errorListMutex.Unlock()
-							errorList = append(errorList, r)
-						}
-					}()
-
-					// We're going to create two branches; a new target branch where the PR will merge *into*, and a new
-					// head branch where the PR will merge *from*.  This test is about finding internal concurrency
-					// conflicts within Forgejo that prevent merges, and, merging simultaneously into the *same branch*
-					// would have natural conflicts that aren't what we're attempting to test.
-					targetBranchName := fmt.Sprintf("target-branch-%d", i)
-					req := NewRequestWithJSON(t,
-						"POST",
-						fmt.Sprintf("/api/v1/repos/%s/%s/branches", repo.OwnerName, repo.Name),
-						&api.CreateBranchRepoOption{
-							OldRefName: "main",
-							BranchName: targetBranchName,
-						}).AddTokenAuth(token)
-					MakeRequest(t, req, http.StatusCreated)
-
-					// Create the head branch that we'll be trying to merge from, with a file change:
-					headBranchName := fmt.Sprintf("update-%d", i)
-					req = NewRequestWithJSON(t,
-						"POST",
-						fmt.Sprintf("/api/v1/repos/%s/%s/contents/README-%d.md", repo.OwnerName, repo.Name, i),
-						&api.CreateFileOptions{
-							FileOptions: api.FileOptions{
-								NewBranchName: headBranchName,
-							},
-							ContentBase64: base64.StdEncoding.EncodeToString(fmt.Appendf(nil, "Hello, world %d!\n", i)),
-						}).AddTokenAuth(token)
-					MakeRequest(t, req, http.StatusCreated)
-
-					// Create a PR for the branch
-					myLabelIDs := slices.Clone(labelIDs)
-					shuffleSlice(myLabelIDs) // use a random ordering for labels as it may cause deadlocks when their count of assigned issues is updated
-					req = NewRequestWithJSON(t, http.MethodPost,
-						fmt.Sprintf("/api/v1/repos/%s/%s/pulls", repo.OwnerName, repo.Name),
-						&api.CreatePullRequestOption{
-							Head:      headBranchName,
-							Base:      targetBranchName,
-							Title:     fmt.Sprintf("create PR from branch %s", headBranchName),
-							Labels:    myLabelIDs,
-							Milestone: apiMilestone.ID,
-						}).AddTokenAuth(token)
-					MakeRequest(t, req, http.StatusCreated)
-				}(i)
-			}
-			createAllPRs.Wait()
-			assert.Empty(t, errorList)
-		}
+		bulkCreatePRs(t, concurrentCount, repo, token, labelIDs, apiMilestone.ID)
 
 		// All our PRs are created; now let's try to merge them concurrently.
 
@@ -1377,3 +1380,106 @@ func TestMergeConcurrency(t *testing.T) {
 		}
 	})
 }
+
+func TestMergeHTTPRequestCancellation(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, giteaURL *url.URL) {
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		user2Session := loginUser(t, "user2")
+		token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteIssue)
+
+		// The purpose of this test is to interrupt the HTTP request to "/%s/%s/pulls/%d/merge" by cancelling the
+		// context at various times during the request, and ensuring that we don't get into any states where the request
+		// has partially succeeded but then been cancelled -- for example, wrote the merge to the repo, but didn't
+		// update Forgejo's database. To do this we're going to create a bunch of PRs, merge them, and cancel request
+		// during merge -- evenly distributing the cancellation times like this:
+		cancellationChecks := 5                                                       // number of pull requests to create and attempt to merge
+		measuredMergeTime := 283 * time.Millisecond                                   // time measured on a test system for one POST /%s/%s/pulls/%d/merge
+		cancellationDuration := measuredMergeTime / time.Duration(cancellationChecks) // cancel after (i+1) * cancellationDuration for each PR
+
+		repo, _, deferrer := tests.CreateDeclarativeRepo(t, user2, "concurrency-test", nil, nil, nil)
+		defer deferrer()
+
+		bulkCreatePRs(t, cancellationChecks, repo, token, nil, 0)
+
+		// All our PRs are created; now let's try to merge them concurrently. This technically doesn't have to be
+		// concurrent, but `TestMergeConcurrency` already had all this logic for this test to copy, and it reduces the
+		// test runtime:
+		{
+			var mergeAllPRs sync.WaitGroup
+			var errorListMutex sync.Mutex
+			var errorList []any
+			for i := range cancellationChecks {
+				mergeAllPRs.Add(1)
+				go func(i int) {
+					defer mergeAllPRs.Done()
+					defer func() {
+						if r := recover(); r != nil {
+							errorListMutex.Lock()
+							defer errorListMutex.Unlock()
+							errorList = append(errorList, r)
+						}
+					}()
+
+					targetBranchName := fmt.Sprintf("target-branch-%d", i)
+					headBranchName := fmt.Sprintf("update-%d", i)
+					pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{
+						HeadRepoID: repo.ID,
+						BaseRepoID: repo.ID,
+						HeadBranch: headBranchName,
+						BaseBranch: targetBranchName,
+					})
+
+					// Here's the major subject of this test: every merge request is fired with a different context
+					// timeout, causing the HTTP request to be interrupted in different places throughout the request.
+					reqCtx, cancel := context.WithTimeout(t.Context(), time.Duration(i+1)*cancellationDuration)
+					defer cancel()
+
+					req := NewRequestWithValues(t, "POST",
+						fmt.Sprintf("/%s/%s/pulls/%d/merge", repo.OwnerName, repo.Name, pr.Index), map[string]string{
+							"do":                        "merge",
+							"delete_branch_after_merge": "on",
+						})
+					req.Request = req.WithContext(reqCtx)
+					user2Session.MakeRequest(t, req, NoExpectedStatus)
+				}(i)
+			}
+			mergeAllPRs.Wait()
+			assert.Empty(t, errorList)
+		}
+
+		// Verify that all PRs are in a consistent state of merged or not (not a corrupt state):
+		gitRepo, err := gitrepo.OpenRepository(t.Context(), repo)
+		require.NoError(t, err)
+
+		for i := range cancellationChecks {
+			targetBranchName := fmt.Sprintf("target-branch-%d", i)
+			headBranchName := fmt.Sprintf("update-%d", i)
+			pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{
+				HeadRepoID: repo.ID,
+				BaseRepoID: repo.ID,
+				HeadBranch: headBranchName,
+				BaseBranch: targetBranchName,
+			})
+			targetBranchInDB := unittest.AssertExistsAndLoadBean(t, &git_model.Branch{
+				RepoID: repo.ID,
+				Name:   targetBranchName,
+			})
+
+			targetBranchCommitIDInRepo, err := gitRepo.GetBranchCommitID(targetBranchName)
+			require.NoError(t, err)
+			assert.Equal(t, targetBranchCommitIDInRepo, targetBranchInDB.CommitID, "real commit ID match for %s", targetBranchName)
+
+			targetBranchCommitInRepo, err := gitRepo.GetCommit(targetBranchCommitIDInRepo)
+			require.NoError(t, err)
+			assert.Equal(t, strings.TrimSpace(targetBranchCommitInRepo.CommitMessage), strings.TrimSpace(targetBranchInDB.CommitMessage))
+
+			if pr.HasMerged {
+				assert.Equal(t,
+					fmt.Sprintf("Merge pull request 'create PR from branch %[1]s' (#%[2]d) from %[1]s into %[3]s", headBranchName, pr.Index, targetBranchName),
+					targetBranchInDB.CommitMessage)
+			} else {
+				assert.Equal(t, "Initial commit", targetBranchInDB.CommitMessage)
+			}
+		}
+	})
+}

From bdb87ac3d3b4b187c5d17199a148d971e30db51b Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 26 Mar 2026 19:30:34 +0100
Subject: [PATCH 007/287] chore: remove duplicate release notes from Jan 8
 security release (#11791)

As the security patches in #10719 were backported to [v11](https://codeberg.org/forgejo/forgejo/pulls/10722), [v13](https://codeberg.org/forgejo/forgejo/pulls/10721), and [v14](https://codeberg.org/forgejo/forgejo/pulls/10720), they shouldn't be present in the [v15 release notes](https://codeberg.org/forgejo/forgejo/milestone/36366) as "Security bug fixes", but they presently are:

![image](/attachments/9b0ee1ce-5fcd-4d82-a705-a8f9014c2215)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11791
Reviewed-by: Antonin Delpeuch <wetneb@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 release-notes/10719.md | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 release-notes/10719.md

diff --git a/release-notes/10719.md b/release-notes/10719.md
deleted file mode 100644
index 807e660339..0000000000
--- a/release-notes/10719.md
+++ /dev/null
@@ -1,5 +0,0 @@
-fix: hide user profile anonymous options on public repo APIs
-fix: incorrect whitespace handling on pre&post receive hooks
-fix: reduce memory usage while processing large attachment uploads
-fix: load reviewer for pull review dismiss action notifier
-fix: use correct GPG key for export

From e823e8cd694e7fcbd18c59ca00b0e086f65be14a Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 26 Mar 2026 21:50:25 +0100
Subject: [PATCH 008/287] fix: duplicate key violates unique constraint in
 concurrent debian package uploads (#11776)

Fixes #11438.

Whenever a "unique constraint violation" error is encountered by package mutation, detect if a `xorm.ErrUniqueConstraintViolation` error occurs.  If it does, retry the entire transaction.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11776
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 .deadcode-out                                 |   1 -
 go.mod                                        |   2 +-
 go.sum                                        |   4 +-
 models/db/context.go                          |  41 ++++++
 models/db/context_test.go                     |  56 ++++++++
 models/packages/package_version.go            |  21 +++
 services/packages/packages.go                 | 129 ++++++++++++------
 tests/integration/api_packages_debian_test.go | 111 ++++++++++-----
 8 files changed, 286 insertions(+), 79 deletions(-)

diff --git a/.deadcode-out b/.deadcode-out
index 6d2c35e374..45ad117ccd 100644
--- a/.deadcode-out
+++ b/.deadcode-out
@@ -19,7 +19,6 @@ forgejo.org/models/auth
 forgejo.org/models/db
 	TruncateBeans
 	TruncateBeansCascade
-	InTransaction
 	DumpTables
 	GetTableNames
 	extendBeansForCascade
diff --git a/go.mod b/go.mod
index 68381a87a7..c7a29c014c 100644
--- a/go.mod
+++ b/go.mod
@@ -274,4 +274,4 @@ replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-2024121
 
 replace git.sr.ht/~mariusor/go-xsd-duration => code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078
 
-replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.8
+replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.9
diff --git a/go.sum b/go.sum
index 410025ae97..594dbb4315 100644
--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ code.forgejo.org/go-chi/captcha v1.0.2 h1:vyHDPXkpjDv8bLO9NqtWzZayzstD/WpJ5xwEkA
 code.forgejo.org/go-chi/captcha v1.0.2/go.mod h1:lxiPLcJ76UCZHoH31/Wbum4GUi2NgjfFZLrJkKv1lLE=
 code.forgejo.org/go-chi/session v1.0.3 h1:ByJ9c/UC0AU57hxiGl53TXh+NdBOBwK/bhZ9jyadEwE=
 code.forgejo.org/go-chi/session v1.0.3/go.mod h1:xzGtFrV/agCJoZCUhFDlqAr1he6BrAdqlaprKOB1W90=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.8 h1:dsSKm2nus0NhHsqYxeuB3Gldk6TtlusD1CBGV6V1SS0=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.8/go.mod h1:A7sFd3BFmRp20h6drSsCXgQRQdF8Vz8HuCSrzFS3m90=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.9 h1:hzEXDa53opdp5nrGG4F6y8HzFzrGXd5GIvFyUHcvGmI=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.9/go.mod h1:A7sFd3BFmRp20h6drSsCXgQRQdF8Vz8HuCSrzFS3m90=
 code.gitea.io/sdk/gitea v0.21.0 h1:69n6oz6kEVHRo1+APQQyizkhrZrLsTLXey9142pfkD4=
 code.gitea.io/sdk/gitea v0.21.0/go.mod h1:tnBjVhuKJCn8ibdyyhvUyxrR1Ca2KHEoTWoukNhXQPA=
 code.superseriousbusiness.org/exif-terminator v0.11.1 h1:qnujLH4/Yk/CFtFMmtjozbdV6Ry5G3Q/E/mLlWm/gQI=
diff --git a/models/db/context.go b/models/db/context.go
index 9be158ccca..f098b40a32 100644
--- a/models/db/context.go
+++ b/models/db/context.go
@@ -6,6 +6,8 @@ package db
 import (
 	"context"
 	"database/sql"
+	"errors"
+	"fmt"
 
 	"xorm.io/builder"
 	"xorm.io/xorm"
@@ -416,3 +418,42 @@ func inTransaction(ctx context.Context) (*xorm.Session, bool) {
 		return nil, false
 	}
 }
+
+type RetryConfig struct {
+	ErrorIs      []error
+	AttemptCount int
+}
+
+// Execute the given function in a transaction. RetryConfig will retry the function on an error, if it matches the
+// ErrorIs parameter, up to the total of AttemptCount number of tries. RetryTx cannot be invoked when already within a
+// transaction and will return an error immediately.
+func RetryTx(ctx context.Context, config RetryConfig, f func(ctx context.Context) error) error {
+	if InTransaction(ctx) {
+		return errors.New("unsupported operation: attempted to use RetryTx while already within a transaction")
+	} else if config.AttemptCount == 0 {
+		return errors.New("unsupported operation: attempted to use RetryTx with 0 attempts")
+	}
+
+	var lastError error
+	for range config.AttemptCount {
+		err := WithTx(ctx, f)
+		if err == nil {
+			return nil
+		}
+
+		foundMatch := false
+		for _, possibleError := range config.ErrorIs {
+			if errors.Is(err, possibleError) {
+				foundMatch = true
+				break
+			}
+		}
+		if !foundMatch {
+			return err
+		}
+
+		lastError = err
+	}
+
+	return fmt.Errorf("retry tx failed after %d attempts; last error: %w", config.AttemptCount, lastError)
+}
diff --git a/models/db/context_test.go b/models/db/context_test.go
index 525ab54d99..60ef8462cc 100644
--- a/models/db/context_test.go
+++ b/models/db/context_test.go
@@ -220,3 +220,59 @@ func TestAfterTx(t *testing.T) {
 		})
 	}
 }
+
+func TestRetryTx(t *testing.T) {
+	t.Run("success", func(t *testing.T) {
+		err := db.RetryTx(t.Context(), db.RetryConfig{AttemptCount: 1}, func(ctx context.Context) error {
+			assert.True(t, db.InTransaction(ctx))
+			return nil
+		})
+		require.NoError(t, err)
+	})
+
+	t.Run("fail constantly", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+			ErrorIs:      []error{testError},
+		}, func(ctx context.Context) error {
+			attemptCount++
+			return testError
+		})
+		require.ErrorIs(t, err, testError)
+		require.ErrorContains(t, err, "2 attempts")
+		assert.Equal(t, 2, attemptCount)
+	})
+
+	t.Run("fail w/ non retriable error", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+			ErrorIs:      []error{},
+		}, func(ctx context.Context) error {
+			attemptCount++
+			return testError
+		})
+		require.ErrorIs(t, err, testError)
+		assert.Equal(t, 1, attemptCount)
+	})
+
+	t.Run("succeed on retry", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+			ErrorIs:      []error{testError},
+		}, func(ctx context.Context) error {
+			attemptCount++
+			if attemptCount == 1 {
+				return testError
+			}
+			return nil
+		})
+		require.NoError(t, err)
+		assert.Equal(t, 2, attemptCount)
+	})
+}
diff --git a/models/packages/package_version.go b/models/packages/package_version.go
index 873f7bf9b6..545ad63eb4 100644
--- a/models/packages/package_version.go
+++ b/models/packages/package_version.go
@@ -5,11 +5,13 @@ package packages
 
 import (
 	"context"
+	"errors"
 	"strconv"
 	"strings"
 
 	"forgejo.org/models/db"
 	"forgejo.org/modules/optional"
+	"forgejo.org/modules/setting"
 	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/util"
 
@@ -155,6 +157,25 @@ func HasVersionFileReferences(ctx context.Context, versionID int64) (bool, error
 	})
 }
 
+func (pv *PackageVersion) LockForUpdate(ctx context.Context) error {
+	if !db.InTransaction(ctx) {
+		return errors.New("invalid state for PackageVersion.LockForUpdate: database is not in a transaction")
+	} else if setting.Database.Type.IsSQLite3() {
+		// SQLite both doesn't support "SELECT ... FOR UPDATE", and it's irrelevant for SQLite as the entire database is
+		// locked for write when a write transaction is open.
+		return nil
+	}
+
+	pvfu := PackageVersion{}
+	has, err := db.GetEngine(ctx).ID(pv.ID).ForUpdate().Get(&pvfu)
+	if err != nil {
+		return err
+	} else if !has {
+		return ErrPackageNotExist
+	}
+	return nil
+}
+
 // SearchValue describes a value to search
 // If ExactMatch is true, the field must match the value otherwise a LIKE search is performed.
 type SearchValue struct {
diff --git a/services/packages/packages.go b/services/packages/packages.go
index 418ceab798..a1772cc1d9 100644
--- a/services/packages/packages.go
+++ b/services/packages/packages.go
@@ -23,6 +23,8 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/storage"
 	notify_service "forgejo.org/services/notify"
+
+	"xorm.io/xorm"
 )
 
 var (
@@ -76,38 +78,54 @@ func CreatePackageOrAddFileToExisting(ctx context.Context, pvci *PackageCreation
 }
 
 func createPackageAndAddFile(ctx context.Context, pvci *PackageCreationInfo, pfci *PackageFileCreationInfo, allowDuplicate bool) (*packages_model.PackageVersion, *packages_model.PackageFile, error) {
-	dbCtx, committer, err := db.TxContext(ctx)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer committer.Close()
+	var pv *packages_model.PackageVersion
+	var pf *packages_model.PackageFile
+	var blobHash256Created optional.Option[string]
+	var createdPackage bool
 
-	pv, created, err := createPackageAndVersion(dbCtx, pvci, allowDuplicate)
-	if err != nil {
-		return nil, nil, err
-	}
+	// ErrUniqueConstraintViolation can occur when two concurrent updates occur to a package registry. Typically this
+	// occurs when a registry with an index of organization-level packages is modified (Debian, Alpine, Alt, Arch, RPM)
+	// and that index needs to be rebuilt -- even if two different packages are being updated, they can write the
+	// registry concurrently and that can cause ErrUniqueConstraintViolation errors from the database operations that
+	// "check if record exists, if not, create it".
+	//
+	// The simple approach of detecting the ErrUniqueConstraintViolation error inside the transaction and picking up the
+	// other write isn't possible for two reasons: (a) PostgreSQL can't continue a transaction with an error in it, a
+	// SAVEPOINT and ROLLBACK TO SAVEPOINT are required, and (b) xorm keeps internal state during a transaction that
+	// causes such a recovery from error to panic.  So, we retry the entire modification transaction if
+	// ErrUniqueConstraintViolation is encountered.
+	err := db.RetryTx(ctx, db.RetryConfig{
+		// A single retry is sufficient as any package index that was concurrently modified should now be present:
+		AttemptCount: 2,
+		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation},
+	}, func(ctx context.Context) error {
+		var err error
+		var pb *packages_model.PackageBlob
+		var blobCreated bool
 
-	pf, pb, blobCreated, err := addFileToPackageVersion(dbCtx, pv, &pvci.PackageInfo, pfci)
-	removeBlob := false
-	defer func() {
-		if blobCreated && removeBlob {
-			contentStore := packages_module.NewContentStore()
-			if err := contentStore.Delete(packages_module.BlobHash256Key(pb.HashSHA256)); err != nil {
+		pv, createdPackage, err = createPackageAndVersion(ctx, pvci, allowDuplicate)
+		if err != nil {
+			return err
+		}
+
+		pf, pb, blobCreated, err = addFileToPackageVersion(ctx, pv, &pvci.PackageInfo, pfci)
+		if blobCreated {
+			blobHash256Created = optional.Some(pb.HashSHA256)
+		}
+		return err
+	})
+	if err != nil {
+		// If we have an error later in the process after writing a blob to the content store, make our best effort to
+		// remove the content -- it won't be referenced in the DB because the transaction would be rolled back.
+		if has, hash := blobHash256Created.Get(); has {
+			if err := packages_module.NewContentStore().Delete(packages_module.BlobHash256Key(hash)); err != nil {
 				log.Error("Error deleting package blob from content store: %v", err)
 			}
 		}
-	}()
-	if err != nil {
-		removeBlob = true
 		return nil, nil, err
 	}
 
-	if err := committer.Commit(); err != nil {
-		removeBlob = true
-		return nil, nil, err
-	}
-
-	if created {
+	if createdPackage {
 		pd, err := packages_model.GetPackageDescriptor(ctx, pv)
 		if err != nil {
 			return nil, nil, err
@@ -213,29 +231,33 @@ func AddFileToPackageVersionInternal(ctx context.Context, pv *packages_model.Pac
 }
 
 func addFileToPackageWrapper(ctx context.Context, fn func(ctx context.Context) (*packages_model.PackageFile, *packages_model.PackageBlob, bool, error)) (*packages_model.PackageFile, error) {
-	ctx, committer, err := db.TxContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-	defer committer.Close()
+	var pf *packages_model.PackageFile
+	var pb *packages_model.PackageBlob
+	var blobHash256Created optional.Option[string]
 
-	pf, pb, blobCreated, err := fn(ctx)
-	removeBlob := false
-	defer func() {
-		if removeBlob {
-			contentStore := packages_module.NewContentStore()
-			if err := contentStore.Delete(packages_module.BlobHash256Key(pb.HashSHA256)); err != nil {
+	// See comment in createPackageAndAddFile which explains why RetryTx is used with ErrUniqueConstraintViolation.
+	err := db.RetryTx(ctx, db.RetryConfig{
+		// A single retry is sufficient as any package index that was concurrently modified should now be present:
+		AttemptCount: 2,
+		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation},
+	}, func(ctx context.Context) error {
+		var err error
+		var blobCreated bool
+
+		pf, pb, blobCreated, err = fn(ctx)
+		if blobCreated {
+			blobHash256Created = optional.Some(pb.HashSHA256)
+		}
+		return err
+	})
+	if err != nil {
+		// If we have an error later in the process after writing a blob to the content store, make our best effort to
+		// remove the content -- it won't be referenced in the DB because the transaction would be rolled back.
+		if has, hash := blobHash256Created.Get(); has {
+			if err := packages_module.NewContentStore().Delete(packages_module.BlobHash256Key(hash)); err != nil {
 				log.Error("Error deleting package blob from content store: %v", err)
 			}
 		}
-	}()
-	if err != nil {
-		removeBlob = blobCreated
-		return nil, err
-	}
-
-	if err := committer.Commit(); err != nil {
-		removeBlob = blobCreated
 		return nil, err
 	}
 
@@ -267,6 +289,20 @@ func addFileToPackageVersion(ctx context.Context, pv *packages_model.PackageVers
 func addFileToPackageVersionUnchecked(ctx context.Context, pv *packages_model.PackageVersion, pfci *PackageFileCreationInfo, packageType packages_model.Type) (*packages_model.PackageFile, *packages_model.PackageBlob, bool, error) {
 	log.Trace("Adding package file: %v, %s", pv.ID, pfci.Filename)
 
+	// The `OverwriteExisting` capability in this method has a race condition in it -- it will check if the file already
+	// exists in the package, and delete the file's properties and the file, and then it will attempt to insert the new
+	// file.  This can cause the `ErrDuplicatePackageFile` error to be returned even when `OverwriteExisting` in
+	// concurrent modifications, as both modifications will attempt to delete the existing file, one will succeed, one
+	// will delete zero records and think it succeeded, and then both will attempt to add the file and one will hit
+	// `ErrDuplicatePackageFile`.
+	//
+	// To address this, lock the package version being modified by performing a `SELECT ... FOR UPDATE` on it,
+	// guaranteeing only one `addFileToPackageVersionUnchecked` is running on a specific package version.
+	err := pv.LockForUpdate(ctx)
+	if err != nil {
+		return nil, nil, false, err
+	}
+
 	pb, exists, err := packages_model.GetOrInsertBlob(ctx, NewPackageBlob(pfci.Data))
 	if err != nil {
 		log.Error("Error inserting package blob: %v", err)
@@ -430,7 +466,12 @@ func CheckSizeQuotaExceeded(ctx context.Context, doer, owner *user_model.User, p
 func GetOrCreateInternalPackageVersion(ctx context.Context, ownerID int64, packageType packages_model.Type, name, version string) (*packages_model.PackageVersion, error) {
 	var pv *packages_model.PackageVersion
 
-	return pv, db.WithTx(ctx, func(ctx context.Context) error {
+	// See comment in createPackageAndAddFile which explains why RetryTx is used with ErrUniqueConstraintViolation.
+	return pv, db.RetryTx(ctx, db.RetryConfig{
+		// A single retry is sufficient as any package index that was concurrently modified should now be present:
+		AttemptCount: 2,
+		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation},
+	}, func(ctx context.Context) error {
 		p := &packages_model.Package{
 			OwnerID:    ownerID,
 			Type:       packageType,
diff --git a/tests/integration/api_packages_debian_test.go b/tests/integration/api_packages_debian_test.go
index e22165c44b..4dc5288bc5 100644
--- a/tests/integration/api_packages_debian_test.go
+++ b/tests/integration/api_packages_debian_test.go
@@ -11,6 +11,7 @@ import (
 	"io"
 	"net/http"
 	"strings"
+	"sync"
 	"testing"
 
 	"forgejo.org/models/db"
@@ -19,6 +20,7 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/base"
 	debian_module "forgejo.org/modules/packages/debian"
+	"forgejo.org/modules/setting"
 	"forgejo.org/tests"
 
 	"github.com/blakesmith/ar"
@@ -26,6 +28,32 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func createDebianArchive(name, version, architecture, packageDescription string) io.Reader {
+	var cbuf bytes.Buffer
+	zw := gzip.NewWriter(&cbuf)
+	tw := tar.NewWriter(zw)
+	tw.WriteHeader(&tar.Header{
+		Name: "control",
+		Mode: 0o600,
+		Size: 50,
+	})
+	fmt.Fprintf(tw, "Package: %s\nVersion: %s\nArchitecture: %s\nDescription: %s\n", name, version, architecture, packageDescription)
+	tw.Close()
+	zw.Close()
+
+	var buf bytes.Buffer
+	aw := ar.NewWriter(&buf)
+	aw.WriteGlobalHeader()
+	hdr := &ar.Header{
+		Name: "control.tar.gz",
+		Mode: 0o600,
+		Size: int64(cbuf.Len()),
+	}
+	aw.WriteHeader(hdr)
+	aw.Write(cbuf.Bytes())
+	return &buf
+}
+
 func TestPackageDebian(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
@@ -35,32 +63,6 @@ func TestPackageDebian(t *testing.T) {
 	packageVersion2 := "1.0.4"
 	packageDescription := "Package Description"
 
-	createArchive := func(name, version, architecture string) io.Reader {
-		var cbuf bytes.Buffer
-		zw := gzip.NewWriter(&cbuf)
-		tw := tar.NewWriter(zw)
-		tw.WriteHeader(&tar.Header{
-			Name: "control",
-			Mode: 0o600,
-			Size: 50,
-		})
-		fmt.Fprintf(tw, "Package: %s\nVersion: %s\nArchitecture: %s\nDescription: %s\n", name, version, architecture, packageDescription)
-		tw.Close()
-		zw.Close()
-
-		var buf bytes.Buffer
-		aw := ar.NewWriter(&buf)
-		aw.WriteGlobalHeader()
-		hdr := &ar.Header{
-			Name: "control.tar.gz",
-			Mode: 0o600,
-			Size: int64(cbuf.Len()),
-		}
-		aw.WriteHeader(hdr)
-		aw.Write(cbuf.Bytes())
-		return &buf
-	}
-
 	distributions := []string{"test", "gitea"}
 	components := []string{"main", "stable"}
 	architectures := []string{"all", "amd64"}
@@ -97,16 +99,16 @@ func TestPackageDebian(t *testing.T) {
 								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusBadRequest)
 
-							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive("", "", "")).
+							req = NewRequestWithBody(t, "PUT", uploadURL, createDebianArchive("", "", "", packageDescription)).
 								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusBadRequest)
 
-							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion, architecture)).
+							req = NewRequestWithBody(t, "PUT", uploadURL, createDebianArchive(packageName, packageVersion, architecture, packageDescription)).
 								AddBasicAuth(user.Name).
 								SetHeader("content-type", "multipart/form-data")
 							MakeRequest(t, req, http.StatusBadRequest)
 
-							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion, architecture)).
+							req = NewRequestWithBody(t, "PUT", uploadURL, createDebianArchive(packageName, packageVersion, architecture, packageDescription)).
 								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusCreated)
 
@@ -154,7 +156,7 @@ func TestPackageDebian(t *testing.T) {
 								return seen
 							})
 
-							req = NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion, architecture)).
+							req = NewRequestWithBody(t, "PUT", uploadURL, createDebianArchive(packageName, packageVersion, architecture, packageDescription)).
 								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusConflict)
 						})
@@ -171,7 +173,7 @@ func TestPackageDebian(t *testing.T) {
 						t.Run("Packages", func(t *testing.T) {
 							defer tests.PrintCurrentTest(t)()
 
-							req := NewRequestWithBody(t, "PUT", uploadURL, createArchive(packageName, packageVersion2, architecture)).
+							req := NewRequestWithBody(t, "PUT", uploadURL, createDebianArchive(packageName, packageVersion2, architecture, packageDescription)).
 								AddBasicAuth(user.Name)
 							MakeRequest(t, req, http.StatusCreated)
 
@@ -308,3 +310,50 @@ func TestPackageDebian(t *testing.T) {
 		require.Contains(t, body, fmt.Sprintf("Version: %s", packageVersion2))
 	})
 }
+
+func TestPackageDebianConcurrent(t *testing.T) {
+	if setting.Database.Type.IsSQLite3() {
+		// Concurrency test fails on SQLite w/ "database is locked"
+		t.Skip()
+	}
+
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	distribution := "test"
+	component := "main"
+	architecture := "amd64"
+	packageName := "gitea"
+	packageDescription := "Package Description"
+
+	rootURL := fmt.Sprintf("/api/packages/%s/debian", user.Name)
+	uploadURL := fmt.Sprintf("%s/pool/%s/%s/upload", rootURL, distribution, component)
+
+	t.Run("Concurrent Upload", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		var wg sync.WaitGroup
+		packageCount := 10
+		for i := range packageCount {
+			wg.Go(func() {
+				req := NewRequestWithBody(t, "PUT", uploadURL,
+					createDebianArchive(packageName, fmt.Sprintf("1.0.%d", i), architecture, packageDescription)).
+					AddBasicAuth(user.Name)
+				MakeRequest(t, req, http.StatusCreated)
+			})
+		}
+		wg.Wait()
+
+		url := fmt.Sprintf("%s/dists/%s/%s/binary-%s/Packages", rootURL, distribution, component, architecture)
+
+		req := NewRequest(t, "GET", url)
+		resp := MakeRequest(t, req, http.StatusOK)
+		body := resp.Body.String()
+
+		assert.Contains(t, body, fmt.Sprintf("Package: %s\n", packageName))
+		for i := range packageCount {
+			assert.Contains(t, body, fmt.Sprintf("Version: 1.0.%d\n", i))
+		}
+	})
+}

From 326809a1334a91b3185ca76907ec5a8af47b6256 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 27 Mar 2026 06:50:09 +0100
Subject: [PATCH 009/287] Update dependency happy-dom to v20.8.8 [SECURITY]
 (forgejo) (#11836)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 60 ++++++++++++++++++++++++++++++++++++++++++-----
 package.json      |  2 +-
 2 files changed, 55 insertions(+), 7 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index b6a45fb066..45e38ee021 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -108,7 +108,7 @@
         "eslint-plugin-vue-scoped-css": "2.12.0",
         "eslint-plugin-wc": "3.1.0",
         "globals": "17.4.0",
-        "happy-dom": "20.0.11",
+        "happy-dom": "20.8.8",
         "license-checker-rseidelsohn": "4.4.2",
         "markdownlint-cli": "0.47.0",
         "postcss-html": "1.8.1",
@@ -4284,6 +4284,16 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@types/ws": {
+      "version": "8.18.1",
+      "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.18.1.tgz",
+      "integrity": "sha512-ThVF6DCVhA8kUGy+aazFQ4kXQ7E1Ty7A3ypFOe0IcJV8O/M511G99AW24irKrW56Wt44yG9+ij8FaqoBGkuBXg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
     "node_modules/@typescript-eslint/eslint-plugin": {
       "version": "8.56.1",
       "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.56.1.tgz",
@@ -9150,20 +9160,36 @@
       }
     },
     "node_modules/happy-dom": {
-      "version": "20.0.11",
-      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-20.0.11.tgz",
-      "integrity": "sha512-QsCdAUHAmiDeKeaNojb1OHOPF7NjcWPBR7obdu3NwH2a/oyQaLg5d0aaCy/9My6CdPChYF07dvz5chaXBGaD4g==",
+      "version": "20.8.8",
+      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-20.8.8.tgz",
+      "integrity": "sha512-5/F8wxkNxYtsN0bXfMwIyNLZ9WYsoOYPbmoluqVJqv8KBUbcyKZawJ7uYK4WTX8IHBLYv+VXIwfeNDPy1oKMwQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@types/node": "^20.0.0",
+        "@types/node": ">=20.0.0",
         "@types/whatwg-mimetype": "^3.0.2",
-        "whatwg-mimetype": "^3.0.0"
+        "@types/ws": "^8.18.1",
+        "entities": "^7.0.1",
+        "whatwg-mimetype": "^3.0.0",
+        "ws": "^8.18.3"
       },
       "engines": {
         "node": ">=20.0.0"
       }
     },
+    "node_modules/happy-dom/node_modules/entities": {
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-7.0.1.tgz",
+      "integrity": "sha512-TWrgLOFUQTH994YUyl1yT4uyavY5nNB5muff+RtWaqNVCAK408b5ZnnbNAUEWLTCpum9w6arT70i1XdQ4UeOPA==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.12"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
     "node_modules/has-bigints": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/has-bigints/-/has-bigints-1.1.0.tgz",
@@ -16235,6 +16261,28 @@
         "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
       }
     },
+    "node_modules/ws": {
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
+      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": ">=5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/xml-name-validator": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-4.0.0.tgz",
diff --git a/package.json b/package.json
index 309a16ec1a..4e8988bd79 100644
--- a/package.json
+++ b/package.json
@@ -107,7 +107,7 @@
     "eslint-plugin-vue-scoped-css": "2.12.0",
     "eslint-plugin-wc": "3.1.0",
     "globals": "17.4.0",
-    "happy-dom": "20.0.11",
+    "happy-dom": "20.8.8",
     "license-checker-rseidelsohn": "4.4.2",
     "markdownlint-cli": "0.47.0",
     "postcss-html": "1.8.1",

From b68caa311fe5e3b7118130c2894c5b396b319681 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 27 Mar 2026 06:51:45 +0100
Subject: [PATCH 010/287] Update module github.com/klauspost/compress to
 v1.18.5 (forgejo) (#11764)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11764
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index c7a29c014c..b9163f8ed3 100644
--- a/go.mod
+++ b/go.mod
@@ -71,7 +71,7 @@ require (
 	github.com/jhillyerd/enmime/v2 v2.2.0
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.18.4
+	github.com/klauspost/compress v1.18.5
 	github.com/klauspost/cpuid/v2 v2.2.11
 	github.com/markbates/goth v1.82.0
 	github.com/mattn/go-isatty v0.0.20
diff --git a/go.sum b/go.sum
index 594dbb4315..85de0b8246 100644
--- a/go.sum
+++ b/go.sum
@@ -479,8 +479,8 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNU
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
-github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.11 h1:0OwqZRYI2rFrjS4kvkDnqJkKHdHaRnCm68/DY4OxRzU=

From 0a25c2a7fdfbee86512d6bbb80f92b22a20b55df Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Sun, 29 Mar 2026 18:04:24 +0200
Subject: [PATCH 011/287] feat: use `--token-url` in runner setup instructions
 (#11874)

Use `--token-url` instead of `--token` in the runner setup instructions. `--token-url` is more secure. It was also decided [not to implement `--token`](https://code.forgejo.org/forgejo/runner/pulls/1457). The new instructions look as follows:

```
$ echo -n "a3bac733-079f-4917-ae9f-4acb99f1827b" > /path/to/runner-token
$ forgejo-runner daemon \
	--url http://192.168.178.62:3000/ \
	--uuid 5982831f-8ee7-42c7-abcc-49c7d6dba586 \
	--token-url file:///path/to/runner-token \
	--label docker:docker://node:lts
```

`--label` is also new because Forgejo Runner is inoperable when neither a runner configuration nor `--label` are present.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11874
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 templates/shared/actions/runner_setup.tmpl | 6 ++++--
 tests/e2e/runner-management.test.e2e.ts    | 6 +++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/templates/shared/actions/runner_setup.tmpl b/templates/shared/actions/runner_setup.tmpl
index b18c995b3b..a24f63d536 100644
--- a/templates/shared/actions/runner_setup.tmpl
+++ b/templates/shared/actions/runner_setup.tmpl
@@ -43,10 +43,12 @@
 </code></pre>
 		<p>{{ctx.Locale.Tr "actions.runners.runner_setup.instruction_replace_connection_name"}}</p>
 		<h5>{{ctx.Locale.Tr "actions.runners.runner_setup.heading_using_options"}}</h5>
-		<pre><code aria-label="{{ctx.Locale.Tr "actions.runners.runner_setup.program_options_snippet_aria"}}">forgejo-runner daemon \
+		<pre><code aria-label="{{ctx.Locale.Tr "actions.runners.runner_setup.program_options_snippet_aria"}}">$ echo -n &quot;{{.Runner.Token}}&quot; > /path/to/runner-token
+$ forgejo-runner daemon \
 	--url {{.AppURL}} \
 	--uuid {{.Runner.UUID}} \
-	--token {{.Runner.Token}}
+	--token-url file:///path/to/runner-token \
+	--label docker:docker://node:lts
 </code></pre>
 		<p>{{ctx.Locale.Tr "actions.runners.runner_setup.instruction_advanced_configurations"}}</p>
 	</div>
diff --git a/tests/e2e/runner-management.test.e2e.ts b/tests/e2e/runner-management.test.e2e.ts
index 8f4d5584be..cecde7a850 100644
--- a/tests/e2e/runner-management.test.e2e.ts
+++ b/tests/e2e/runner-management.test.e2e.ts
@@ -134,7 +134,7 @@ test.describe('Runners of user2', () => {
 
     await expect(page.getByRole('heading', {name: 'Using program options'})).toBeVisible();
     await expect(page.getByLabel('How to invoke forgejo-runner')).toContainText(`--uuid ${runnerUUID}`);
-    await expect(page.getByLabel('How to invoke forgejo-runner')).toContainText(`--token ${runnerToken}`);
+    await expect(page.getByLabel('How to invoke forgejo-runner')).toContainText(`echo -n "${runnerToken}"`);
 
     // Go back to list of runners.
     await page.getByRole('link', {name: 'List of runners', exact: true}).click();
@@ -238,7 +238,7 @@ test.describe('Runners of user2', () => {
 
     await expect(page.getByRole('heading', {name: 'Using program options'})).toBeVisible();
     await expect(page.getByLabel('How to invoke forgejo-runner')).toContainText(`--uuid ${runnerUUID}`);
-    await expect(page.getByLabel('How to invoke forgejo-runner')).toContainText(`--token ${runnerToken}`);
+    await expect(page.getByLabel('How to invoke forgejo-runner')).toContainText(`echo -n "${runnerToken}"`);
   });
 
   test('delete runner', async ({page}) => {
@@ -425,7 +425,7 @@ test.describe('Global runners', () => {
 
     await expect(page.getByRole('heading', {name: 'Using program options'})).toBeVisible();
     await expect(page.getByLabel('How to invoke forgejo-runner')).toContainText(`--uuid ${runnerUUID}`);
-    await expect(page.getByLabel('How to invoke forgejo-runner')).toContainText(`--token ${runnerToken}`);
+    await expect(page.getByLabel('How to invoke forgejo-runner')).toContainText(`echo -n "${runnerToken}"`);
 
     // Go back to list of runners.
     await page.getByRole('link', {name: 'List of runners', exact: true}).click();

From 5afb9467d5bc8592229bd885b11c8a7197e1e888 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 30 Mar 2026 01:02:38 +0200
Subject: [PATCH 012/287] Update dependency happy-dom to v20.8.9 [SECURITY]
 (forgejo) (#11883)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 45e38ee021..a5756c475f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -108,7 +108,7 @@
         "eslint-plugin-vue-scoped-css": "2.12.0",
         "eslint-plugin-wc": "3.1.0",
         "globals": "17.4.0",
-        "happy-dom": "20.8.8",
+        "happy-dom": "20.8.9",
         "license-checker-rseidelsohn": "4.4.2",
         "markdownlint-cli": "0.47.0",
         "postcss-html": "1.8.1",
@@ -9160,9 +9160,9 @@
       }
     },
     "node_modules/happy-dom": {
-      "version": "20.8.8",
-      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-20.8.8.tgz",
-      "integrity": "sha512-5/F8wxkNxYtsN0bXfMwIyNLZ9WYsoOYPbmoluqVJqv8KBUbcyKZawJ7uYK4WTX8IHBLYv+VXIwfeNDPy1oKMwQ==",
+      "version": "20.8.9",
+      "resolved": "https://registry.npmjs.org/happy-dom/-/happy-dom-20.8.9.tgz",
+      "integrity": "sha512-Tz23LR9T9jOGVZm2x1EPdXqwA37G/owYMxRwU0E4miurAtFsPMQ1d2Jc2okUaSjZqAFz2oEn3FLXC5a0a+siyA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/package.json b/package.json
index 4e8988bd79..6aa43fa143 100644
--- a/package.json
+++ b/package.json
@@ -107,7 +107,7 @@
     "eslint-plugin-vue-scoped-css": "2.12.0",
     "eslint-plugin-wc": "3.1.0",
     "globals": "17.4.0",
-    "happy-dom": "20.8.8",
+    "happy-dom": "20.8.9",
     "license-checker-rseidelsohn": "4.4.2",
     "markdownlint-cli": "0.47.0",
     "postcss-html": "1.8.1",

From 7d7e75c43fb187bdde95c32c57446fe85cff7d43 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 30 Mar 2026 01:08:14 +0200
Subject: [PATCH 013/287] Update dependency katex to v0.16.43 (forgejo)
 (#11782)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11782
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a5756c475f..76f7995551 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -54,7 +54,7 @@
         "htmx.org": "2.0.8",
         "idiomorph": "0.3.0",
         "jquery": "3.7.1",
-        "katex": "0.16.38",
+        "katex": "0.16.43",
         "mermaid": "11.13.0",
         "mini-css-extract-plugin": "2.10.0",
         "minimatch": "10.2.4",
@@ -10552,9 +10552,9 @@
       "license": "MIT"
     },
     "node_modules/katex": {
-      "version": "0.16.38",
-      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.38.tgz",
-      "integrity": "sha512-cjHooZUmIAUmDsHBN+1n8LaZdpmbj03LtYeYPyuYB7OuloiaeaV6N4LcfjcnHVzGWjVQmKrxxTrpDcmSzEZQwQ==",
+      "version": "0.16.43",
+      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.43.tgz",
+      "integrity": "sha512-K7NL5JtGrFEglipOAjY4UYA69CnTuNmjArxeXF6+bw7h2OGySUPv6QWRjfb1gmutJ4Mw/qLeBqiROOEDULp4nA==",
       "funding": [
         "https://opencollective.com/katex",
         "https://github.com/sponsors/katex"
diff --git a/package.json b/package.json
index 6aa43fa143..adaa47f3eb 100644
--- a/package.json
+++ b/package.json
@@ -53,7 +53,7 @@
     "htmx.org": "2.0.8",
     "idiomorph": "0.3.0",
     "jquery": "3.7.1",
-    "katex": "0.16.38",
+    "katex": "0.16.43",
     "mermaid": "11.13.0",
     "mini-css-extract-plugin": "2.10.0",
     "minimatch": "10.2.4",

From edc8e19ab0747ac0c87644e807bd5c893023017e Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 30 Mar 2026 01:11:53 +0200
Subject: [PATCH 014/287] Update CodeMirror (forgejo) (#11854)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11854
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 16 ++++++++--------
 package.json      |  4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 76f7995551..1f34b34913 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -26,8 +26,8 @@
         "@codemirror/lang-rust": "6.0.2",
         "@codemirror/lang-sass": "6.0.2",
         "@codemirror/lang-xml": "6.1.0",
-        "@codemirror/lang-yaml": "6.1.2",
-        "@codemirror/language": "6.12.2",
+        "@codemirror/lang-yaml": "6.1.3",
+        "@codemirror/language": "6.12.3",
         "@codemirror/search": "6.6.0",
         "@codemirror/state": "6.6.0",
         "@codemirror/view": "6.40.0",
@@ -716,9 +716,9 @@
       }
     },
     "node_modules/@codemirror/lang-yaml": {
-      "version": "6.1.2",
-      "resolved": "https://registry.npmjs.org/@codemirror/lang-yaml/-/lang-yaml-6.1.2.tgz",
-      "integrity": "sha512-dxrfG8w5Ce/QbT7YID7mWZFKhdhsaTNOYjOkSIMt1qmC4VQnXSDSYVHHHn8k6kJUfIhtLo8t1JJgltlxWdsITw==",
+      "version": "6.1.3",
+      "resolved": "https://registry.npmjs.org/@codemirror/lang-yaml/-/lang-yaml-6.1.3.tgz",
+      "integrity": "sha512-AZ8DJBuXGVHybpBQhmZtgew5//4hv3tdkXnr3vDmOUMJRuB6vn/uuwtmTOTlqEaQFg3hQSVeA90NmvIQyUV6FQ==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/autocomplete": "^6.0.0",
@@ -731,9 +731,9 @@
       }
     },
     "node_modules/@codemirror/language": {
-      "version": "6.12.2",
-      "resolved": "https://registry.npmjs.org/@codemirror/language/-/language-6.12.2.tgz",
-      "integrity": "sha512-jEPmz2nGGDxhRTg3lTpzmIyGKxz3Gp3SJES4b0nAuE5SWQoKdT5GoQ69cwMmFd+wvFUhYirtDTr0/DRHpQAyWg==",
+      "version": "6.12.3",
+      "resolved": "https://registry.npmjs.org/@codemirror/language/-/language-6.12.3.tgz",
+      "integrity": "sha512-QwCZW6Tt1siP37Jet9Tb02Zs81TQt6qQrZR2H+eGMcFsL1zMrk2/b9CLC7/9ieP1fjIUMgviLWMmgiHoJrj+ZA==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/state": "^6.0.0",
diff --git a/package.json b/package.json
index adaa47f3eb..321396bf9c 100644
--- a/package.json
+++ b/package.json
@@ -25,8 +25,8 @@
     "@codemirror/lang-rust": "6.0.2",
     "@codemirror/lang-sass": "6.0.2",
     "@codemirror/lang-xml": "6.1.0",
-    "@codemirror/lang-yaml": "6.1.2",
-    "@codemirror/language": "6.12.2",
+    "@codemirror/lang-yaml": "6.1.3",
+    "@codemirror/language": "6.12.3",
     "@codemirror/search": "6.6.0",
     "@codemirror/state": "6.6.0",
     "@codemirror/view": "6.40.0",

From a6ee3e61ccb0a27feedbdb27580bed9f82ead575 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 30 Mar 2026 01:52:22 +0200
Subject: [PATCH 015/287] Update module github.com/urfave/cli/v3 to v3.8.0
 (forgejo) (#11834)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11834
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index b9163f8ed3..43a243f532 100644
--- a/go.mod
+++ b/go.mod
@@ -94,7 +94,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/syndtr/goleveldb v1.0.0
 	github.com/ulikunitz/xz v0.5.15
-	github.com/urfave/cli/v3 v3.7.0
+	github.com/urfave/cli/v3 v3.8.0
 	github.com/valyala/fastjson v1.6.10
 	github.com/yohcop/openid-go v1.0.1
 	github.com/yuin/goldmark v1.7.17
diff --git a/go.sum b/go.sum
index 85de0b8246..532ba82b5b 100644
--- a/go.sum
+++ b/go.sum
@@ -662,8 +662,8 @@ github.com/tinylib/msgp v1.6.1/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77ro
 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/urfave/cli/v3 v3.7.0 h1:AGSnbUyjtLiM+WJUb4dzXKldl/gL+F8OwmRDtVr6g2U=
-github.com/urfave/cli/v3 v3.7.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
+github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI=
+github.com/urfave/cli/v3 v3.8.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/valyala/fastjson v1.6.10 h1:/yjJg8jaVQdYR3arGxPE2X5z89xrlhS0eGXdv+ADTh4=
 github.com/valyala/fastjson v1.6.10/go.mod h1:e6FubmQouUNP73jtMLmcbxS6ydWIpOfhz34TSfO3JaE=

From cacbe76b13eb8154bbf87f6b21c8600635f921b4 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 30 Mar 2026 01:57:11 +0200
Subject: [PATCH 016/287] Update
 https://data.forgejo.org/actions/git-backporting action to v4.9.1 (forgejo)
 (#11767)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11767
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/workflows/backport.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/backport.yml b/.forgejo/workflows/backport.yml
index 56956c4641..4854eb225e 100644
--- a/.forgejo/workflows/backport.yml
+++ b/.forgejo/workflows/backport.yml
@@ -47,7 +47,7 @@ jobs:
           cat <<'EOF'
           ${{ toJSON(github) }}
           EOF
-      - uses: https://data.forgejo.org/actions/git-backporting@v4.8.7
+      - uses: https://data.forgejo.org/actions/git-backporting@v4.9.1
         with:
           target-branch-pattern: "^backport/(?<target>(v.*))$"
           strategy: ort

From eaceb845ea8f5758cf09bee99fcfa3a435a26dec Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 30 Mar 2026 04:17:07 +0200
Subject: [PATCH 017/287] Update renovate Docker tag to v43.99.1 (forgejo)
 (#11889)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 61d5b22162..0008653790 100644
--- a/Makefile
+++ b/Makefile
@@ -48,7 +48,7 @@ GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasour
 DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.43.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
 GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.86.1 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+RENOVATE_NPM_PACKAGE ?= renovate@43.99.1 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...

From 3ec8e96646502eed8568726feb1c8bd1971c196e Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 31 Mar 2026 02:42:52 +0200
Subject: [PATCH 018/287] Update module github.com/mattn/go-sqlite3 to v1.14.38
 (forgejo) (#11902)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) | `v1.14.37` → `v1.14.38` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fmattn%2fgo-sqlite3/v1.14.38?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fmattn%2fgo-sqlite3/v1.14.37/v1.14.38?slim=true) |

---

### Release Notes

<details>
<summary>mattn/go-sqlite3 (github.com/mattn/go-sqlite3)</summary>

### [`v1.14.38`](https://github.com/mattn/go-sqlite3/compare/v1.14.37...v1.14.38)

[Compare Source](https://github.com/mattn/go-sqlite3/compare/v1.14.37...v1.14.38)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMSIsInRhcmdldEJyYW5jaCI6ImZvcmdlam8iLCJsYWJlbHMiOlsiZGVwZW5kZW5jeS11cGdyYWRlIiwidGVzdC9ub3QtbmVlZGVkIl19-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11902
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 43a243f532..e807add673 100644
--- a/go.mod
+++ b/go.mod
@@ -75,7 +75,7 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.11
 	github.com/markbates/goth v1.82.0
 	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-sqlite3 v1.14.37
+	github.com/mattn/go-sqlite3 v1.14.38
 	github.com/meilisearch/meilisearch-go v0.36.0
 	github.com/mholt/archives v0.1.5
 	github.com/microcosm-cc/bluemonday v1.0.27
diff --git a/go.sum b/go.sum
index 532ba82b5b..f3aa7a35f4 100644
--- a/go.sum
+++ b/go.sum
@@ -520,8 +520,8 @@ github.com/mattn/go-runewidth v0.0.17 h1:78v8ZlW0bP43XfmAfPsdXcoNCelfMHsDmd/pkEN
 github.com/mattn/go-runewidth v0.0.17/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
-github.com/mattn/go-sqlite3 v1.14.37 h1:3DOZp4cXis1cUIpCfXLtmlGolNLp2VEqhiB/PARNBIg=
-github.com/mattn/go-sqlite3 v1.14.37/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.38 h1:tDUzL85kMvOrvpCt8P64SbGgVFtJB11GPi2AdmITgb4=
+github.com/mattn/go-sqlite3 v1.14.38/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/meilisearch/meilisearch-go v0.36.0 h1:N1etykTektXt5KPcSbhBO0d5Xx5NaKj4pJWEM7WA5dI=
 github.com/meilisearch/meilisearch-go v0.36.0/go.mod h1:HBfHzKMxcSbTOvqdfuRA/yf6Vk9IivcwKocWRuW7W78=
 github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=

From 7886e74b257930504c8e53b7a901ea8936f47fed Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 31 Mar 2026 02:49:54 +0200
Subject: [PATCH 019/287] Update github.com/go-git/go-git/v5 (indirect) to
 v5.17.1 [SECURITY] (forgejo) (#11897)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.17.0` → `v5.17.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-git%2fgo-git%2fv5/v5.17.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-git%2fgo-git%2fv5/v5.17.0/v5.17.1?slim=true) |

---

### go-git missing validation decoding Index v4 files leads to panic
[CVE-2026-33762](https://nvd.nist.gov/vuln/detail/CVE-2026-33762) / [GHSA-gm2x-2g9h-ccm8](https://github.com/advisories/GHSA-gm2x-2g9h-ccm8)

<details>
<summary>More information</summary>

#### Details
##### Impact

`go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.

This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue.

An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.

Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the `.git` directory.

##### Patches

Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.

##### Credit

go-git maintainers thank @&#8203;kq5y for finding and reporting this issue privately to the `go-git` project.

#### Severity
- CVSS Score: 2.8 / 10 (Low)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L`

#### References
- [https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8](https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8)
- [https://github.com/go-git/go-git](https://github.com/go-git/go-git)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gm2x-2g9h-ccm8) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### go-git: Maliciously crafted idx file can cause asymmetric memory consumption
[CVE-2026-34165](https://nvd.nist.gov/vuln/detail/CVE-2026-34165) / [GHSA-jhf3-xxhw-2wpp](https://github.com/advisories/GHSA-jhf3-xxhw-2wpp)

<details>
<summary>More information</summary>

#### Details
##### Impact

A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.

Exploitation requires write access to the local repository's `.git` directory, it order to create or alter existing `.idx` files.

##### Patches

Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.

##### Credit

The go-git maintainers thank @&#8203;kq5y for finding and reporting this issue privately to the `go-git` project.

#### Severity
- CVSS Score: 5.0 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H`

#### References
- [https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp](https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp)
- [https://github.com/go-git/go-git](https://github.com/go-git/go-git)
- [https://github.com/go-git/go-git/releases/tag/v5.17.1](https://github.com/go-git/go-git/releases/tag/v5.17.1)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-jhf3-xxhw-2wpp) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>

### [`v5.17.1`](https://github.com/go-git/go-git/releases/tag/v5.17.1)

[Compare Source](https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1)

#### What's Changed

- build: Update module github.com/cloudflare/circl to v1.6.3 \[SECURITY] (releases/v5.x) by [@&#8203;go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#&#8203;1930](https://github.com/go-git/go-git/pull/1930)
- \[v5] plumbing: format/index, Improve v4 entry name validation by [@&#8203;pjbgf](https://github.com/pjbgf) in [#&#8203;1935](https://github.com/go-git/go-git/pull/1935)
- \[v5] plumbing: format/idxfile, Fix version and fanout checks by [@&#8203;pjbgf](https://github.com/pjbgf) in [#&#8203;1937](https://github.com/go-git/go-git/pull/1937)

**Full Changelog**: <https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMSIsInRhcmdldEJyYW5jaCI6ImZvcmdlam8iLCJsYWJlbHMiOlsiZGVwZW5kZW5jeS11cGdyYWRlIiwidGVzdC9ub3QtbmVlZGVkIl19-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11897
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index e807add673..53b90801b6 100644
--- a/go.mod
+++ b/go.mod
@@ -175,7 +175,7 @@ require (
 	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.8.0 // indirect
-	github.com/go-git/go-git/v5 v5.17.0 // indirect
+	github.com/go-git/go-git/v5 v5.17.1 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-openapi/jsonpointer v0.22.4 // indirect
 	github.com/go-openapi/jsonreference v0.21.4 // indirect
diff --git a/go.sum b/go.sum
index f3aa7a35f4..d6b747d096 100644
--- a/go.sum
+++ b/go.sum
@@ -284,8 +284,8 @@ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66D
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
 github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
-github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxesM=
-github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI=
+github.com/go-git/go-git/v5 v5.17.1 h1:WnljyxIzSj9BRRUlnmAU35ohDsjRK0EKmL0evDqi5Jk=
+github.com/go-git/go-git/v5 v5.17.1/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=

From 5c135636823f62c9bc97b1bdd3a43773000d3c5b Mon Sep 17 00:00:00 2001
From: Antonin Delpeuch <antonin@delpeuch.eu>
Date: Tue, 31 Mar 2026 02:56:12 +0200
Subject: [PATCH 020/287] feat: "Add member" button in org members list
 (#11848)

Fixes #1529.

This adds an "Add member" button to the list of members of an organization, offering a more intuitive way to add a user to an organization (instead of going through the list of teams).
This follows the design proposed in #1529. This PR can already be reviewed as such, but I plan to work on follow-up improvements:
- adding a confirmation dialog when adding the new member to the "Owners" team, since they get absolute rights on the org
- adding a text input to filter the list of teams, making it easier to select the desired teams when there are many of them
- potentially, improving the team creation link so that it brings the user back to the modal dialog once the team is created (but I'm not sure there's a ton of value behind this added complexity, since currently, creating a team will lead the user to the team page, which is a good place to add the member to the team)

This new way of adding members does not support issuing email invites, since we decided in #9884 that the invite feature hasn't got good enough of a UX to advertise it yet. Following [this discussion](https://codeberg.org/forgejo/discussions/issues/441), I am planning to work on enabling invites everywhere (potentially even making it the default).

## Checklist

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

I plan to update https://docs.codeberg.org/collaborating/create-organization/#people once we are ready to take final screenshots of the feature.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

### Screenshots

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11848): <!--number 11848 --><!--line 0 --><!--description IkFkZCBtZW1iZXIiIGJ1dHRvbiBpbiBvcmcgbWVtYmVycyBsaXN0-->"Add member" button in org members list<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11848
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Antonin Delpeuch <antonin@delpeuch.eu>
Co-committed-by: Antonin Delpeuch <antonin@delpeuch.eu>
---
 options/locale_next/locale_en-US.json    |   4 +
 routers/web/org/members.go               |  61 ++++++++
 templates/org/member/add_org_member.tmpl |  55 +++++++
 templates/org/member/members.tmpl        |   9 ++
 tests/e2e/org-members.test.e2e.ts        |  26 ++++
 tests/integration/org_members_test.go    | 175 +++++++++++++++++++++++
 web_src/css/base.css                     |   5 +
 web_src/css/org.css                      |   5 +
 web_src/js/features/add-org-member.ts    |  24 ++++
 web_src/js/index.js                      |   2 +
 10 files changed, 366 insertions(+)
 create mode 100644 templates/org/member/add_org_member.tmpl
 create mode 100644 web_src/js/features/add-org-member.ts

diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index 59edecac03..643b1388f5 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -563,6 +563,10 @@
 	},
 	"teams.add_all_repos.modal.header": "Add all repositories",
 	"teams.remove_all_repos.modal.header": "Remove all repositories",
+	"members.add_member": "Add member",
+	"members.user": "User",
+	"members.user_already_member": "This user is already a member of the organization.",
+	"members.no_team_selected": "Organization members must belong to at least one team.",
 	"pulls.manual_merge.helper": "Manual merge helper",
 	"pulls.manual_merge.helpder.description": "Use this merge commit message when completing the merge manually.",
 	"pulls.manual_merge.commit.title": "Merge commit title",
diff --git a/routers/web/org/members.go b/routers/web/org/members.go
index 65e2b032e8..4550d5f0e7 100644
--- a/routers/web/org/members.go
+++ b/routers/web/org/members.go
@@ -5,10 +5,12 @@
 package org
 
 import (
+	"fmt"
 	"net/http"
 
 	"forgejo.org/models"
 	"forgejo.org/models/organization"
+	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/base"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
@@ -67,8 +69,14 @@ func Members(ctx *context.Context) {
 		ctx.ServerError("GetMembers", err)
 		return
 	}
+	teams, err := organization.FindOrgTeams(ctx, org.ID)
+	if err != nil {
+		ctx.ServerError("GetTeams", err)
+		return
+	}
 	ctx.Data["Page"] = pager
 	ctx.Data["Members"] = members
+	ctx.Data["Teams"] = teams
 	ctx.Data["MembersIsPublicMember"] = membersIsPublic
 	ctx.Data["MembersIsUserOrgOwner"] = organization.IsUserOrgOwner(ctx, members, org.ID)
 	ctx.Data["MembersTwoFaStatus"] = members.GetTwoFaStatus(ctx)
@@ -110,6 +118,59 @@ func MembersAction(ctx *context.Context) {
 			ctx.JSONRedirect(ctx.Org.OrgLink + "/members")
 			return
 		}
+	case "add":
+		if !ctx.Org.IsOwner {
+			ctx.Error(http.StatusNotFound)
+			return
+		}
+		uname := ctx.FormString("uname")
+		var u *user_model.User
+		u, err = user_model.GetUserByName(ctx, uname)
+		if err != nil {
+			ctx.ServerError("GetUserByName", err)
+			return
+		}
+
+		if u.IsOrganization() {
+			ctx.Flash.Error(ctx.Tr("form.cannot_add_org_to_team"))
+			ctx.Redirect(ctx.Org.OrgLink + "/members")
+			return
+		}
+
+		alreadyMember, err := ctx.Org.Organization.IsOrgMember(ctx, u.ID)
+		if err != nil {
+			ctx.ServerError("IsOrgMember", err)
+			return
+		}
+		if alreadyMember {
+			ctx.Flash.Error(ctx.Tr("members.user_already_member"))
+			ctx.Redirect(ctx.Org.OrgLink + "/members")
+			return
+		}
+
+		teams, err := organization.FindOrgTeams(ctx, org.ID)
+		if err != nil {
+			ctx.ServerError("GetTeams", err)
+			return
+		}
+		addedToTeam := false
+		for _, team := range teams {
+			addToTeam := ctx.FormBool(fmt.Sprintf("team_%d", team.ID))
+			if addToTeam {
+				err = models.AddTeamMember(ctx, team, u.ID)
+				if err != nil {
+					ctx.ServerError("AddTeamMember", err)
+					return
+				}
+				addedToTeam = true
+			}
+		}
+
+		if !addedToTeam {
+			ctx.Flash.Error(ctx.Tr("members.no_team_selected"))
+		}
+		ctx.Redirect(ctx.Org.OrgLink + "/members")
+		return
 	case "leave":
 		err = models.RemoveOrgUser(ctx, org.ID, ctx.Doer.ID)
 		if err == nil {
diff --git a/templates/org/member/add_org_member.tmpl b/templates/org/member/add_org_member.tmpl
new file mode 100644
index 0000000000..e2b8f1b572
--- /dev/null
+++ b/templates/org/member/add_org_member.tmpl
@@ -0,0 +1,55 @@
+<div class="ui g-modal-confirm delete modal" id="delete-label">
+	<div class="header">
+		{{svg "octicon-trash"}}
+		{{ctx.Locale.Tr "repo.issues.label_deletion"}}
+	</div>
+	<div class="content">
+		<p>{{ctx.Locale.Tr "repo.issues.label_deletion_desc"}}</p>
+	</div>
+	{{template "base/modal_actions_confirm" .}}
+</div>
+
+<dialog id="add-member-modal">
+	<article>
+		<header>{{ctx.Locale.Tr "members.add_member"}}</header>
+		<form class="ui add-member form ignore-dirty" action="{{$.OrgLink}}/members/action/add" method="post">
+			<input type="hidden" name="uid" value="{{.SignedUser.ID}}">
+			<div class="content">
+				<div class="field">
+					<label>{{ctx.Locale.Tr "members.user"}}</label>
+					<div id="search-user-box" class="ui search tw-mr-2"{{if .IsEmailInviteEnabled}} data-allow-email="true" data-allow-email-description="{{ctx.Locale.Tr "org.teams.invite_team_member" $.Team.Name}}"{{end}}>
+						<div class="ui input">
+							<input class="prompt" name="uname" placeholder="{{ctx.Locale.Tr "search.user_kind"}}" autocomplete="off" required>
+						</div>
+					</div>
+				</div>
+
+				<div class="field">
+					<label>{{ctx.Locale.Tr "org.teams"}}</label>
+					<div class="ui negative message flash-message flash-error" id="no-team-selected-message" hidden>{{ctx.Locale.Tr "members.no_team_selected"}}</div>
+					<div class="team-list">
+						{{range .Teams}}
+						<div class="inline field">
+							<div class="ui checkbox">
+								<input name="team_{{.ID}}" id="add-member-team_{{.ID}}" type="checkbox">
+								<label for="add-member-team_{{.ID}}">{{.Name}}</label>
+							</div>
+						</div>
+						{{end}}
+						<div class="inline">
+							{{svg "octicon-plus"}} <a href="{{$.OrgLink}}/teams/new">{{ctx.Locale.Tr "org.create_new_team"}}</a>
+						</div>
+					</div>
+				</div>
+
+			</div>
+		</form>
+		<div class="actions">
+			<button class="secondary cancel button">
+				{{svg "octicon-x"}}
+				{{ctx.Locale.Tr "cancel"}}
+			</button>
+			<button class="primary ok button" type="submit">{{ctx.Locale.Tr "members.add_member"}}</button>
+		</div>
+	</article>
+</dialog>
diff --git a/templates/org/member/members.tmpl b/templates/org/member/members.tmpl
index 24d7fd09e0..08bb8b9894 100644
--- a/templates/org/member/members.tmpl
+++ b/templates/org/member/members.tmpl
@@ -4,6 +4,14 @@
 	<div class="ui container">
 		{{template "base/alert" .}}
 
+		{{if $.IsOrganizationOwner}}
+			<div class="text right">
+				<button class="primary button" id="add-org-member-button">
+				{{svg "octicon-plus"}} {{ctx.Locale.Tr "members.add_member"}}
+				</button>
+			</div>
+			<div class="divider"></div>
+		{{end}}
 		<div class="list">
 			{{range $idx, $_ := .Members}}
 				{{if ne $idx 0}}
@@ -87,5 +95,6 @@
 	</div>
 	{{template "base/modal_actions_confirm" .}}
 </div>
+{{template "org/member/add_org_member" .}}
 
 {{template "base/footer" .}}
diff --git a/tests/e2e/org-members.test.e2e.ts b/tests/e2e/org-members.test.e2e.ts
index b5cb9bd104..7be6714639 100644
--- a/tests/e2e/org-members.test.e2e.ts
+++ b/tests/e2e/org-members.test.e2e.ts
@@ -49,3 +49,29 @@ test('Leave org', async ({page}) => {
   // Getting error is enough to know that the correct request went though
   await expect(page.locator('.flash-error').getByText('You cannot remove the last user from the "owners" team.')).toBeVisible();
 });
+
+test('Add a new member to the org', async ({page}) => {
+  page.goto('/org/org3/members');
+
+  // Click the "Add member" button
+  const newMemberButton = page.locator('#add-org-member-button');
+  await newMemberButton.click();
+
+  // A modal dialog appears
+  await expect(page.locator('#add-member-modal')).toBeVisible();
+
+  // Fill in the name of the user to add
+  await page.locator('#search-user-box input').fill('user5');
+  // Pick the auto-complete suggestion
+  await page.locator('#search-user-box .results a.result').click();
+
+  // Choose some teams
+  await page.locator('#add-member-team_2').click();
+  await page.locator('#add-member-team_12').click();
+
+  // Click the button
+  await page.locator('#add-member-modal .actions button.ok').click();
+
+  // Getting error is enough to know that the correct request went though
+  await expect(page.locator('.organization.members .list a').getByText('user5 (User Five)')).toBeVisible();
+});
diff --git a/tests/integration/org_members_test.go b/tests/integration/org_members_test.go
index e51850126f..b0cdb2f3f0 100644
--- a/tests/integration/org_members_test.go
+++ b/tests/integration/org_members_test.go
@@ -4,12 +4,19 @@
 package integration
 
 import (
+	"fmt"
 	"net/http"
+	"strings"
 	"testing"
 
+	"forgejo.org/models/db"
+	"forgejo.org/models/organization"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
 	"forgejo.org/tests"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestOrgMembersPage(t *testing.T) {
@@ -24,6 +31,8 @@ func TestOrgMembersPage(t *testing.T) {
 		/* No interactive buttons - though such evaluation is easy to break in rename */
 		assert.Equal(t, 0, doc.Find(".members .list .link-action").Length())
 		assert.Equal(t, 0, doc.Find(".members .list .delete-button").Length())
+		/* Guests cannot add members to organizations */
+		doc.AssertElement(t, "#add-org-member-button", false)
 	})
 
 	t.Run("Member PoV", func(t *testing.T) {
@@ -34,6 +43,8 @@ func TestOrgMembersPage(t *testing.T) {
 		/* Interactive buttons are only available for own entry in the list */
 		assert.Equal(t, 1, doc.Find(".members .list .link-action").Length())
 		assert.Equal(t, 1, doc.Find(".members .list .delete-button").Length())
+		/* Adding new members is not possible, as the member isn't an owner */
+		doc.AssertElement(t, "#add-org-member-button", false)
 	})
 
 	t.Run("Owner PoV", func(t *testing.T) {
@@ -44,5 +55,169 @@ func TestOrgMembersPage(t *testing.T) {
 		/* Interactive buttons are available for all entries in the list (> 2) */
 		assert.Less(t, 2, doc.Find(".members .list .link-action").Length())
 		assert.Less(t, 2, doc.Find(".members .list .delete-button").Length())
+		/* Adding new members is possible */
+		doc.AssertElement(t, "#add-org-member-button", true)
 	})
 }
+
+func TestOrgAddMember(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})
+	team1 := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: 1})
+	team2 := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: 2})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+
+	isMember, err := organization.IsTeamMember(db.DefaultContext, team1.OrgID, team1.ID, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isMember)
+	isMember, err = organization.IsTeamMember(db.DefaultContext, team2.OrgID, team2.ID, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isMember)
+
+	session := loginUser(t, "user2")
+
+	teamURL := fmt.Sprintf("/org/%s/members", org.Name)
+	req := NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
+		"uid":    "2",
+		"uname":  user.LoginName,
+		"team_1": "on",
+		"team_2": "on",
+	})
+	resp := session.MakeRequest(t, req, http.StatusSeeOther)
+	assert.Equal(t, teamURL, resp.Header().Get("Location"))
+
+	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+	isMember, err = organization.IsTeamMember(db.DefaultContext, team1.OrgID, team1.ID, user.ID)
+	require.NoError(t, err)
+	assert.True(t, isMember)
+	isMember, err = organization.IsTeamMember(db.DefaultContext, team2.OrgID, team2.ID, user.ID)
+	require.NoError(t, err)
+	assert.True(t, isMember)
+}
+
+func TestOrgAddMemberToNoTeam(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+
+	isOrgMember, err := org.IsOrgMember(db.DefaultContext, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isOrgMember)
+
+	session := loginUser(t, "user2")
+
+	teamURL := fmt.Sprintf("/org/%s/members", org.Name)
+	resp := session.MakeRequest(t, NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
+		"uid":   "2",
+		"uname": user.LoginName,
+	}), http.StatusSeeOther)
+	assert.Equal(t, teamURL, resp.Header().Get("Location"))
+
+	doc := NewHTMLParser(t, session.MakeRequest(t, NewRequest(t, "GET", teamURL), http.StatusOK).Body)
+	assert.Contains(t, strings.TrimSpace(doc.Find(".flash-error").Text()), "Organization members must belong to at least one team.")
+
+	isOrgMember, err = org.IsOrgMember(db.DefaultContext, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isOrgMember)
+}
+
+func TestOrgAddMemberToForeignTeam(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})
+	foreignTeam := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: 5})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+
+	isOrgMember, err := org.IsOrgMember(db.DefaultContext, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isOrgMember)
+
+	isForeignTeamMember, err := organization.IsTeamMember(db.DefaultContext, foreignTeam.OrgID, foreignTeam.ID, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isForeignTeamMember)
+
+	session := loginUser(t, "user2")
+
+	teamURL := fmt.Sprintf("/org/%s/members", org.Name)
+	// This test scenario is here for security purposes as the UI will not offer adding the user to
+	// a foreign team in the first place (but a malicious request could be performed in other ways).
+	resp := session.MakeRequest(t, NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
+		"uid":    "2",
+		"uname":  user.LoginName,
+		"team_5": "on",
+	}), http.StatusSeeOther)
+	assert.Equal(t, teamURL, resp.Header().Get("Location"))
+
+	doc := NewHTMLParser(t, session.MakeRequest(t, NewRequest(t, "GET", teamURL), http.StatusOK).Body)
+	// This error message isn't specific to this "exploit" attempt, but shows that no action was taken.
+	assert.Contains(t, strings.TrimSpace(doc.Find(".flash-error").Text()), "Organization members must belong to at least one team.")
+
+	isOrgMember, err = org.IsOrgMember(db.DefaultContext, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isOrgMember)
+
+	isForeignTeamMember, err = organization.IsTeamMember(db.DefaultContext, foreignTeam.OrgID, foreignTeam.ID, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isForeignTeamMember)
+}
+
+func TestOrgAddMemberWithoutProperRights(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+
+	isOrgMember, err := org.IsOrgMember(db.DefaultContext, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isOrgMember)
+
+	session := loginUser(t, user.Name) // user5 is not a member of this org, so it cannot add anyone to it
+
+	teamURL := fmt.Sprintf("/org/%s/members", org.Name)
+	req := NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
+		"uid":    "5",
+		"uname":  user.LoginName,
+		"team_2": "on",
+	})
+	session.MakeRequest(t, req, http.StatusNotFound)
+}
+
+func TestOrgAddExistingMemberFails(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})
+	team := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: 2})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 28})
+
+	members, _, err := organization.FindOrgMembers(db.DefaultContext, &organization.FindOrgMembersOpts{
+		OrgID: org.ID,
+	})
+	require.NoError(t, err)
+	assert.Len(t, members, 2)
+	isOrgMember, err := org.IsOrgMember(db.DefaultContext, user.ID)
+	require.NoError(t, err)
+	assert.True(t, isOrgMember)
+	isTeamMember, err := organization.IsTeamMember(db.DefaultContext, team.OrgID, team.ID, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isTeamMember)
+
+	session := loginUser(t, "user2")
+
+	teamURL := fmt.Sprintf("/org/%s/members", org.Name)
+	req := NewRequestWithValues(t, "POST", teamURL+"/action/add", map[string]string{
+		"uid":    "2",
+		"uname":  user.LoginName,
+		"team_2": "on",
+	})
+	resp := session.MakeRequest(t, req, http.StatusSeeOther)
+	assert.Equal(t, teamURL, resp.Header().Get("Location"))
+	doc := NewHTMLParser(t, session.MakeRequest(t, NewRequest(t, "GET", teamURL), http.StatusOK).Body)
+	assert.Contains(t, strings.TrimSpace(doc.Find(".flash-error").Text()), "This user is already a member of the organization.")
+
+	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 28})
+	isTeamMember, err = organization.IsTeamMember(db.DefaultContext, team.OrgID, team.ID, user.ID)
+	require.NoError(t, err)
+	assert.False(t, isTeamMember)
+}
diff --git a/web_src/css/base.css b/web_src/css/base.css
index 68b5c7b323..0ac81dca26 100644
--- a/web_src/css/base.css
+++ b/web_src/css/base.css
@@ -361,6 +361,11 @@ a.label,
   background: var(--color-hover);
 }
 
+.ui.search > .results .content {
+  padding: 0;
+  background: none;
+}
+
 .inline-code-block {
   padding: 2px 4px;
   border-radius: .24em;
diff --git a/web_src/css/org.css b/web_src/css/org.css
index 240ed5c98e..78cf2e2c61 100644
--- a/web_src/css/org.css
+++ b/web_src/css/org.css
@@ -202,3 +202,8 @@
 .org-team-navbar .active.item {
   background: var(--color-box-body) !important;
 }
+
+#add-member-modal .team-list {
+  max-height: 300px;
+  overflow-y: auto;
+}
diff --git a/web_src/js/features/add-org-member.ts b/web_src/js/features/add-org-member.ts
new file mode 100644
index 0000000000..fbb8c12423
--- /dev/null
+++ b/web_src/js/features/add-org-member.ts
@@ -0,0 +1,24 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+import {showModal} from '../modules/modal.ts';
+
+export function initAddOrgMemberButton() {
+  const addMemberButton = document.querySelector('#add-org-member-button');
+  addMemberButton?.addEventListener('click', () => {
+    showModal('add-member-modal', () => {
+      const form: HTMLFormElement = document.querySelector('.add-member.form');
+      if (!form.checkValidity()) {
+        form.reportValidity();
+        return false;
+      }
+      const selectedTeamCount = document.querySelectorAll('.add-member.form input[type=checkbox]:checked').length;
+      const noTeamSelectedMessage : HTMLElement = document.querySelector('#no-team-selected-message');
+      noTeamSelectedMessage.hidden = (selectedTeamCount !== 0);
+      if (selectedTeamCount === 0) {
+        return false;
+      }
+      form.requestSubmit();
+    });
+    return false;
+  });
+}
diff --git a/web_src/js/index.js b/web_src/js/index.js
index a3dabeacc0..c187780364 100644
--- a/web_src/js/index.js
+++ b/web_src/js/index.js
@@ -64,6 +64,7 @@ import {initOrgTeamSearchRepoBox} from './features/org-team.js';
 import {initUserAuthWebAuthn, initUserAuthWebAuthnRegister} from './features/user-auth-webauthn.js';
 import {initRepoRelease, initRepoReleaseNew} from './features/repo-release.js';
 import {initRepoEditor} from './features/repo-editor.js';
+import {initAddOrgMemberButton} from './features/add-org-member.ts';
 import {initCompSearchUserBox} from './features/comp/SearchUserBox.js';
 import {initInstall} from './features/install.js';
 import {initCompWebHookEditor} from './features/comp/WebHookEditor.js';
@@ -152,6 +153,7 @@ onDomReady(() => {
   initRepoEllipsisButton();
   initRepoDiffCommitBranchesAndTags();
   initRepoEditor();
+  initAddOrgMemberButton();
   initRepoGraphGit();
   initRepoIssueContentHistory();
   initRepoIssueDue();

From 8387974e2e16b19a2ceba1ca3d9a99de2749cafb Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 31 Mar 2026 02:56:43 +0200
Subject: [PATCH 021/287] ci: prevent usage of live application models &
 services in migrations (#11872)

Prevent access to "current" application models and services from migrations via `golangci` config:

eg:
```
models/forgejo_migrations/v14a_ap-change-fedi-handle-structure.go:18:2: import 'forgejo.org/models/user' is not allowed from list 'migration-isolation': Migrations must not import application models. Application models will be the most recent schema for Forgejo, while migrations will be operating against the database schema that existed when they were authored. (depguard)
	user_model "forgejo.org/models/user"
	^
models/forgejo_migrations/v14a_ap-change-fedi-handle-structure.go:21:2: import 'forgejo.org/services/user' is not allowed from list 'migration-isolation': Migrations must not import application services. Application services will reference application models which will use the most recent schema for Forgejo, while migrations will be operating against the database schema that existed when they were authored. (depguard)
	user_service "forgejo.org/services/user"
```

Fixes an existing migration issue where it isn't possible to add a new column to the `User` table ([test errors that occur](https://codeberg.org/forgejo/forgejo/actions/runs/148633/jobs/10/attempt/1#jobstep-5-323)), but also guarantees that future migrations don't stumble into the same issue by inadvertently referencing live application code from historical migrations.

Originally identified and draft fix by @codecat w/ proposed fix in #11870.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Co-authored-by: Melissa Geels <melissa@nimble.tools>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11872
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 .golangci.yml                                 | 19 +++++
 .../v14a_actions-approval-and-trust.go        | 15 +++-
 .../v14a_actions-approval-and-trust_test.go   | 27 +++----
 .../v14a_ap-change-fedi-handle-structure.go   | 80 ++++++++++++-------
 .../v14a_migrate_task_secrets.go              | 21 ++++-
 .../v14a_migrate_webhook_authorization.go     | 16 +++-
 ...v14a_migrate_webhook_authorization_test.go |  6 +-
 .../v14a_rework-notification.go               |  6 +-
 .../v14a_set_remote_user_prohibit_login.go    | 47 +++++++++--
 9 files changed, 172 insertions(+), 65 deletions(-)

diff --git a/.golangci.yml b/.golangci.yml
index 1d0dcb489f..de3f3a9255 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -45,6 +45,25 @@ linters:
               desc: use forgejo.org/modules/git instead, see https://codeberg.org/forgejo/forgejo/pulls/4941
             - pkg: gopkg.in/yaml.v3
               desc: use go.yaml.in/yaml instead, see https://codeberg.org/forgejo/forgejo/pulls/8956
+        migration-isolation:
+          list-mode: lax
+          files:
+            - "**/models/forgejo_migrations/**"
+          deny:
+            - pkg: "forgejo.org/models"
+              desc: >
+                Migrations must not import application models. Application models will be the most recent schema for
+                Forgejo, while migrations will be operating against the database schema that existed when they were
+                authored.
+            - pkg: "forgejo.org/services"
+              desc: >
+                Migrations must not import application services. Application services will reference application
+                models which will use the most recent schema for Forgejo, while migrations will be operating against the
+                database schema that existed when they were authored.
+          allow:
+            - "forgejo.org/models/db"
+            - "forgejo.org/models/gitea_migrations/base"
+            - "forgejo.org/models/gitea_migrations/test"
     gocritic:
       disabled-checks:
         - ifElseChain
diff --git a/models/forgejo_migrations/v14a_actions-approval-and-trust.go b/models/forgejo_migrations/v14a_actions-approval-and-trust.go
index 9f6691c4f0..f8be109dda 100644
--- a/models/forgejo_migrations/v14a_actions-approval-and-trust.go
+++ b/models/forgejo_migrations/v14a_actions-approval-and-trust.go
@@ -6,7 +6,6 @@ package forgejo_migrations
 import (
 	"context"
 
-	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/timeutil"
@@ -59,6 +58,18 @@ type v14ActionsApprovalAndTrustTrusted struct {
 }
 
 func v14ActionsApprovalAndTrustPopulateTableActionUser(x *xorm.Engine) error {
+	type ActionUser struct {
+		ID                      int64 `xorm:"pk autoincr"`
+		UserID                  int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(user, id)"`
+		RepoID                  int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(repository, id)"`
+		TrustedWithPullRequests bool
+		LastAccess              timeutil.TimeStamp `xorm:"INDEX"`
+	}
+	insertActionUser := func(ctx context.Context, user *ActionUser) error {
+		user.LastAccess = timeutil.TimeStampNow()
+		return db.Insert(ctx, user)
+	}
+
 	//
 	// Users approved once were trusted before and are trusted now.
 	//
@@ -87,7 +98,7 @@ func v14ActionsApprovalAndTrustPopulateTableActionUser(x *xorm.Engine) error {
 	if err := db.WithTx(db.DefaultContext, func(ctx context.Context) error {
 		for _, trusted := range trustedList {
 			log.Debug("v14a_actions-approval-and-trust: repository %d trusts user %d", trusted.RepoID, trusted.UserID)
-			if err := actions_model.InsertActionUser(ctx, &actions_model.ActionUser{
+			if err := insertActionUser(ctx, &ActionUser{
 				RepoID:                  trusted.RepoID,
 				UserID:                  trusted.UserID,
 				TrustedWithPullRequests: true,
diff --git a/models/forgejo_migrations/v14a_actions-approval-and-trust_test.go b/models/forgejo_migrations/v14a_actions-approval-and-trust_test.go
index c639a0d2e9..8ff1b1c066 100644
--- a/models/forgejo_migrations/v14a_actions-approval-and-trust_test.go
+++ b/models/forgejo_migrations/v14a_actions-approval-and-trust_test.go
@@ -7,11 +7,8 @@ import (
 	"testing"
 	"time"
 
-	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
 	migration_tests "forgejo.org/models/gitea_migrations/test"
-	repo_model "forgejo.org/models/repo"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/timeutil"
 	webhook_module "forgejo.org/modules/webhook"
 
@@ -20,6 +17,9 @@ import (
 )
 
 func Test_v14ActionsApprovalAndTrustPopulateTableActionUser(t *testing.T) {
+	type ConcurrencyMode int
+	type Status int
+
 	type ActionUser struct {
 		ID     int64 `xorm:"pk autoincr"`
 		UserID int64 `xorm:"INDEX UNIQUE(action_user_index) REFERENCES(user, id)"`
@@ -32,21 +32,18 @@ func Test_v14ActionsApprovalAndTrustPopulateTableActionUser(t *testing.T) {
 	type ActionRun struct {
 		ID            int64
 		Title         string
-		RepoID        int64                  `xorm:"index unique(repo_index) index(concurrency)"`
-		Repo          *repo_model.Repository `xorm:"-"`
-		OwnerID       int64                  `xorm:"index"`
-		WorkflowID    string                 `xorm:"index"`                    // the name of workflow file
-		Index         int64                  `xorm:"index unique(repo_index)"` // a unique number for each run of a repository
-		TriggerUserID int64                  `xorm:"index"`
-		TriggerUser   *user_model.User       `xorm:"-"`
+		RepoID        int64  `xorm:"index unique(repo_index) index(concurrency)"`
+		OwnerID       int64  `xorm:"index"`
+		WorkflowID    string `xorm:"index"`                    // the name of workflow file
+		Index         int64  `xorm:"index unique(repo_index)"` // a unique number for each run of a repository
+		TriggerUserID int64  `xorm:"index"`
 		ScheduleID    int64
 		Ref           string `xorm:"index"` // the commit/tag/… that caused the run
-		IsRefDeleted  bool   `xorm:"-"`
 		CommitSHA     string
 		Event         webhook_module.HookEventType // the webhook event that causes the workflow to run
 		EventPayload  string                       `xorm:"LONGTEXT"`
 		TriggerEvent  string                       // the trigger event defined in the `on` configuration of the triggered workflow
-		Status        actions_model.Status         `xorm:"index"`
+		Status        Status                       `xorm:"index"`
 		Version       int                          `xorm:"version default 0"` // Status could be updated concomitantly, so an optimistic lock is needed
 		// Started and Stopped is used for recording last run time, if rerun happened, they will be reset to 0
 		Started timeutil.TimeStamp
@@ -65,7 +62,7 @@ func Test_v14ActionsApprovalAndTrustPopulateTableActionUser(t *testing.T) {
 		ApprovedBy          int64 `xorm:"index"`
 
 		ConcurrencyGroup string `xorm:"'concurrency_group' index(concurrency)"`
-		ConcurrencyType  actions_model.ConcurrencyMode
+		ConcurrencyType  ConcurrencyMode
 
 		PreExecutionError string `xorm:"LONGTEXT"` // used to report errors that blocked execution of a workflow
 	}
@@ -83,10 +80,10 @@ func Test_v14ActionsApprovalAndTrustPopulateTableActionUser(t *testing.T) {
 
 	require.NoError(t, v14ActionsApprovalAndTrustPopulateTableActionUser(x))
 
-	var users []*actions_model.ActionUser
+	var users []*ActionUser
 	require.NoError(t, db.GetEngine(t.Context()).Select("`repo_id`, `user_id`").OrderBy("`id`").Find(&users))
 	// See models/gitea_migrations/fixtures/Test_v14ActionsApprovalAndTrustPopulateTableActionUser/action_run.yml
-	assert.Equal(t, []*actions_model.ActionUser{
+	assert.Equal(t, []*ActionUser{
 		{
 			UserID: 3,
 			RepoID: 15,
diff --git a/models/forgejo_migrations/v14a_ap-change-fedi-handle-structure.go b/models/forgejo_migrations/v14a_ap-change-fedi-handle-structure.go
index fe0a68489a..a412ceb737 100644
--- a/models/forgejo_migrations/v14a_ap-change-fedi-handle-structure.go
+++ b/models/forgejo_migrations/v14a_ap-change-fedi-handle-structure.go
@@ -10,15 +10,14 @@ package forgejo_migrations
 
 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"strings"
 
 	"forgejo.org/models/db"
-	"forgejo.org/models/forgefed"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/validation"
-	user_service "forgejo.org/services/user"
 
 	"xorm.io/xorm"
 )
@@ -31,6 +30,42 @@ func init() {
 }
 
 func changeActivityPubUsernameFormat(x *xorm.Engine) error {
+	type FederationHost struct {
+		ID         int64              `xorm:"pk autoincr"`
+		HostFqdn   string             `xorm:"host_fqdn UNIQUE(federation_host) INDEX VARCHAR(255) NOT NULL"`
+		HostPort   uint16             `xorm:" UNIQUE(federation_host) INDEX NOT NULL DEFAULT 443"`
+		HostSchema string             `xorm:"NOT NULL DEFAULT 'https'"`
+		Created    timeutil.TimeStamp `xorm:"created"`
+		Updated    timeutil.TimeStamp `xorm:"updated"`
+	}
+	type FederatedUser struct {
+		ID                    int64                  `xorm:"pk autoincr"`
+		UserID                int64                  `xorm:"NOT NULL INDEX user_id"`
+		ExternalID            string                 `xorm:"UNIQUE(federation_user_mapping) NOT NULL"`
+		FederationHostID      int64                  `xorm:"UNIQUE(federation_user_mapping) NOT NULL"`
+		KeyID                 sql.NullString         `xorm:"key_id UNIQUE"`
+		PublicKey             sql.Null[sql.RawBytes] `xorm:"BLOB"`
+		InboxPath             string
+		NormalizedOriginalURL string // This field is just to keep original information. Pls. do not use for search or as ID!
+	}
+	type User struct {
+		ID          int64              `xorm:"pk autoincr"`
+		LowerName   string             `xorm:"UNIQUE NOT NULL"`
+		Name        string             `xorm:"UNIQUE NOT NULL"`
+		CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
+	}
+	deleteFederatedUser := func(ctx context.Context, userID int64) error {
+		_, err := db.GetEngine(ctx).Delete(&FederatedUser{UserID: userID})
+		return err
+	}
+	userLogString := func(u *User) string {
+		if u == nil {
+			return "<User nil>"
+		}
+		return fmt.Sprintf("<User %d:%s>", u.ID, u.Name)
+	}
+
 	// Normally, the db.WithTx statement ensures that the database transaction (aka. all changes made
 	// by this migration) will only be committed if the SQL operations inside of the iteration
 	// (db.Iterate) don't return an error.
@@ -45,9 +80,9 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 	// migrations at a later point and has been kept as-is.
 	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
 		// The transaction is committed only if modifying all federated users is possible.
-		return db.Iterate(ctx, nil, func(ctx context.Context, federatedUser *user_model.FederatedUser) error {
+		return db.Iterate(ctx, nil, func(ctx context.Context, federatedUser *FederatedUser) error {
 			// localUser represents the "local" representation of an ActivityPub (federated) user
-			localUser := &user_model.User{}
+			localUser := &User{}
 			has, err := db.GetEngine(ctx).ID(federatedUser.UserID).Get(localUser)
 			if err != nil {
 				log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while getting local user (ID: %d), ignoring...: %e", federatedUser.UserID, err)
@@ -56,7 +91,7 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 
 			if !has {
 				log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: User missing for federated user: %v", federatedUser)
-				err := user_model.DeleteFederatedUser(ctx, federatedUser.UserID)
+				err := deleteFederatedUser(ctx, federatedUser.UserID)
 				if err != nil {
 					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting federated user (%s), ignoring...: %e", federatedUser, err)
 					return nil
@@ -68,24 +103,13 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 			} else {
 				// Copied from models/forgefed/federationhost_repository.go (forgefed.GetFederationHost),
 				// minus some validation code for FederationHost which we do not otherwise manipulate here.
-				federationHost := new(forgefed.FederationHost)
+				federationHost := new(FederationHost)
 				has, err := db.GetEngine(ctx).ID(federatedUser.FederationHostID).Get(federationHost)
 				if err != nil {
 					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while looking up federation host info (for %v), ignoring...: %e", federatedUser, err)
 					return nil
 				} else if !has {
-					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Federation host for federated user missing, deleting: %v", federatedUser)
-					err := user_model.DeleteFederatedUser(ctx, federatedUser.UserID)
-					if err != nil {
-						log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting federated user (%v), ignoring...: %e", federatedUser, err)
-						return nil
-					}
-
-					err = user_service.DeleteUser(ctx, localUser, true)
-					if err != nil {
-						log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting user (%s), ignoring...: %v", localUser.LogString(), err)
-					}
-
+					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Federation host for federated user %s is missing", federatedUser)
 					return nil
 				}
 
@@ -117,10 +141,10 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 
 				// Implicitly assumes that there won't be a lower name unique constraint violation.
 				// Potentially a bit paranoid, but why not?
-				userThatShouldntExist := &user_model.User{}
+				userThatShouldntExist := &User{}
 				lowernameTaken, err := db.GetEngine(ctx).Where("lower_name = ?", strings.ToLower(newUsername)).Table("user").Get(userThatShouldntExist)
 				if err != nil {
-					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred, skipping migration of %s: %e", localUser.LogString(), err)
+					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred, skipping migration of %s: %e", userLogString(localUser), err)
 					return nil
 				}
 
@@ -128,23 +152,23 @@ func changeActivityPubUsernameFormat(x *xorm.Engine) error {
 					log.Warn(
 						"Migration[v14a_ap-change-fedi-handle-structure]: New username %s for %s already taken by %s, deleting the former...",
 						newUsername,
-						localUser.LogString(),
-						userThatShouldntExist.LogString(),
+						userLogString(localUser),
+						userLogString(userThatShouldntExist),
 					)
-					err := user_model.DeleteFederatedUser(ctx, localUser.ID)
+					err := deleteFederatedUser(ctx, localUser.ID)
 					if err != nil {
-						log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting federated user (%s), ignoring...: %e", localUser.LogString(), err)
+						log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred while deleting federated user (%s), ignoring...: %e", userLogString(localUser), err)
 					}
 					return nil
 				}
 
 				// Safe to assume that the following operations should just work now.
-				log.Info("Migration[v14a_ap-change-fedi-handle-structure]: Updating username of %s to %s", localUser.LogString(), newUsername)
-				if _, err := db.GetEngine(ctx).ID(localUser.ID).Cols("lower_name", "name").Update(&user_model.User{
+				log.Info("Migration[v14a_ap-change-fedi-handle-structure]: Updating username of %s to %s", userLogString(localUser), newUsername)
+				if _, err := db.GetEngine(ctx).ID(localUser.ID).Cols("lower_name", "name").Update(&User{
 					LowerName: strings.ToLower(newUsername),
 					Name:      newUsername,
 				}); err != nil {
-					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred when updating federated user's username (%s), ignoring...: %e", localUser.LogString(), err)
+					log.Warn("Migration[v14a_ap-change-fedi-handle-structure]: Database error occurred when updating federated user's username (%s), ignoring...: %e", userLogString(localUser), err)
 					return nil
 				}
 			}
diff --git a/models/forgejo_migrations/v14a_migrate_task_secrets.go b/models/forgejo_migrations/v14a_migrate_task_secrets.go
index a177dff92a..3484a024b2 100644
--- a/models/forgejo_migrations/v14a_migrate_task_secrets.go
+++ b/models/forgejo_migrations/v14a_migrate_task_secrets.go
@@ -8,7 +8,6 @@ import (
 	"encoding/base64"
 	"fmt"
 
-	admin_model "forgejo.org/models/admin"
 	"forgejo.org/models/db"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/keying"
@@ -17,6 +16,7 @@ import (
 	"forgejo.org/modules/secret"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/structs"
+	"forgejo.org/modules/timeutil"
 
 	"xorm.io/builder"
 	"xorm.io/xorm"
@@ -30,6 +30,19 @@ func init() {
 }
 
 func migrateTaskSecrets(x *xorm.Engine) error {
+	type Task struct {
+		ID             int64
+		DoerID         int64              `xorm:"index"`
+		OwnerID        int64              `xorm:"index"`
+		RepoID         int64              `xorm:"index"`
+		PayloadContent string             `xorm:"TEXT"`
+		Created        timeutil.TimeStamp `xorm:"created"`
+	}
+	taskUpdateCols := func(ctx context.Context, task *Task, cols ...string) error {
+		_, err := db.GetEngine(ctx).ID(task.ID).Cols(cols...).Update(task)
+		return err
+	}
+
 	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
 		sess := db.GetEngine(ctx)
 
@@ -39,7 +52,7 @@ func migrateTaskSecrets(x *xorm.Engine) error {
 		messages := make([]string, 0, 100)
 		ids := make([]int64, 0, 100)
 
-		err := db.Iterate(ctx, builder.Eq{"type": structs.TaskTypeMigrateRepo}, func(ctx context.Context, bean *admin_model.Task) error {
+		err := db.Iterate(ctx, builder.Eq{"type": structs.TaskTypeMigrateRepo}, func(ctx context.Context, bean *Task) error {
 			var opts migration.MigrateOptions
 			err := json.Unmarshal([]byte(bean.PayloadContent), &opts)
 			if err != nil {
@@ -96,7 +109,7 @@ func migrateTaskSecrets(x *xorm.Engine) error {
 			}
 			bean.PayloadContent = string(bs)
 
-			return bean.UpdateCols(ctx, "payload_content")
+			return taskUpdateCols(ctx, bean, "payload_content")
 		})
 
 		if err == nil {
@@ -106,7 +119,7 @@ func migrateTaskSecrets(x *xorm.Engine) error {
 					log.Error("v14a_migrate_task_secrets: %s", message)
 				}
 
-				_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&admin_model.Task{})
+				_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&Task{})
 			}
 		}
 		return err
diff --git a/models/forgejo_migrations/v14a_migrate_webhook_authorization.go b/models/forgejo_migrations/v14a_migrate_webhook_authorization.go
index 738841eb2b..5921329b3e 100644
--- a/models/forgejo_migrations/v14a_migrate_webhook_authorization.go
+++ b/models/forgejo_migrations/v14a_migrate_webhook_authorization.go
@@ -8,11 +8,11 @@ import (
 	"fmt"
 
 	"forgejo.org/models/db"
-	webhook_model "forgejo.org/models/webhook"
 	"forgejo.org/modules/keying"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/secret"
 	"forgejo.org/modules/setting"
+	"forgejo.org/modules/timeutil"
 
 	"xorm.io/xorm"
 	"xorm.io/xorm/schemas"
@@ -26,6 +26,16 @@ func init() {
 }
 
 func migrateWebhookSecrets(x *xorm.Engine) error {
+	type Webhook struct {
+		ID                           int64  `xorm:"pk autoincr"`
+		RepoID                       int64  `xorm:"INDEX"` // An ID of 0 indicates either a default or system webhook
+		OwnerID                      int64  `xorm:"INDEX"`
+		HeaderAuthorizationEncrypted []byte `xorm:"BLOB"`
+
+		CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
+	}
+
 	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
 		sess := db.GetEngine(ctx)
 
@@ -59,7 +69,7 @@ func migrateWebhookSecrets(x *xorm.Engine) error {
 		messages := make([]string, 0, 100)
 		ids := make([]int64, 0, 100)
 
-		err := db.Iterate(ctx, nil, func(ctx context.Context, bean *webhook_model.Webhook) error {
+		err := db.Iterate(ctx, nil, func(ctx context.Context, bean *Webhook) error {
 			if len(bean.HeaderAuthorizationEncrypted) == 0 {
 				return nil
 			}
@@ -83,7 +93,7 @@ func migrateWebhookSecrets(x *xorm.Engine) error {
 					log.Error("migration[v14a_migrate_webhook_authorization]: %s", message)
 				}
 
-				_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&webhook_model.Webhook{})
+				_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&Webhook{})
 			}
 		}
 		return err
diff --git a/models/forgejo_migrations/v14a_migrate_webhook_authorization_test.go b/models/forgejo_migrations/v14a_migrate_webhook_authorization_test.go
index 0b5701c88c..9da06f4baf 100644
--- a/models/forgejo_migrations/v14a_migrate_webhook_authorization_test.go
+++ b/models/forgejo_migrations/v14a_migrate_webhook_authorization_test.go
@@ -7,7 +7,6 @@ import (
 	"testing"
 
 	migration_tests "forgejo.org/models/gitea_migrations/test"
-	webhook_model "forgejo.org/models/webhook"
 	"forgejo.org/modules/keying"
 	"forgejo.org/modules/timeutil"
 	webhook_module "forgejo.org/modules/webhook"
@@ -17,6 +16,7 @@ import (
 )
 
 func Test_MigrateWebhookSecrets(t *testing.T) {
+	type HookContentType int
 	type Webhook struct {
 		ID              int64 `xorm:"pk autoincr"`
 		RepoID          int64 `xorm:"INDEX"`
@@ -24,7 +24,7 @@ func Test_MigrateWebhookSecrets(t *testing.T) {
 		IsSystemWebhook bool
 		URL             string `xorm:"url TEXT"`
 		HTTPMethod      string `xorm:"http_method"`
-		ContentType     webhook_model.HookContentType
+		ContentType     HookContentType
 		Secret          string                  `xorm:"TEXT"`
 		Events          string                  `xorm:"TEXT"`
 		IsActive        bool                    `xorm:"INDEX"`
@@ -45,7 +45,7 @@ func Test_MigrateWebhookSecrets(t *testing.T) {
 		IsSystemWebhook bool
 		URL             string `xorm:"url TEXT"`
 		HTTPMethod      string `xorm:"http_method"`
-		ContentType     webhook_model.HookContentType
+		ContentType     HookContentType
 		Secret          string                  `xorm:"TEXT"`
 		Events          string                  `xorm:"TEXT"`
 		IsActive        bool                    `xorm:"INDEX"`
diff --git a/models/forgejo_migrations/v14a_rework-notification.go b/models/forgejo_migrations/v14a_rework-notification.go
index 77ae79d86f..04303559e8 100644
--- a/models/forgejo_migrations/v14a_rework-notification.go
+++ b/models/forgejo_migrations/v14a_rework-notification.go
@@ -4,7 +4,6 @@
 package forgejo_migrations
 
 import (
-	activities_model "forgejo.org/models/activities"
 	"forgejo.org/modules/setting"
 
 	"xorm.io/xorm"
@@ -18,9 +17,10 @@ func init() {
 }
 
 func reworkNotification(x *xorm.Engine) error {
+	type NotificationStatus uint8
 	type Notification struct {
-		UserID int64                               `xorm:"NOT NULL INDEX(s)"`
-		Status activities_model.NotificationStatus `xorm:"SMALLINT NOT NULL INDEX(s)"`
+		UserID int64              `xorm:"NOT NULL INDEX(s)"`
+		Status NotificationStatus `xorm:"SMALLINT NOT NULL INDEX(s)"`
 	}
 
 	if err := dropIndexIfExists(x, "notification", "IDX_notification_user_id"); err != nil {
diff --git a/models/forgejo_migrations/v14a_set_remote_user_prohibit_login.go b/models/forgejo_migrations/v14a_set_remote_user_prohibit_login.go
index 3575dad832..9f453e05f3 100644
--- a/models/forgejo_migrations/v14a_set_remote_user_prohibit_login.go
+++ b/models/forgejo_migrations/v14a_set_remote_user_prohibit_login.go
@@ -5,10 +5,11 @@ package forgejo_migrations
 
 import (
 	"context"
+	"fmt"
 
 	"forgejo.org/models/db"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/timeutil"
 
 	"xorm.io/builder"
 	"xorm.io/xorm"
@@ -22,13 +23,45 @@ func init() {
 }
 
 func setProhibitLoginActivityPubUser(x *xorm.Engine) error {
+	type UserType int
+	const (
+		UserTypeIndividual           UserType = iota // Historic reason to make it starts at 0.
+		UserTypeOrganization                         // 1
+		UserTypeUserReserved                         // 2
+		UserTypeOrganizationReserved                 // 3
+		UserTypeBot                                  // 4
+		UserTypeRemoteUser                           // 5
+		UserTypeActivityPubUser                      // 6
+	)
+	type User struct {
+		ID             int64  `xorm:"pk autoincr"`
+		Name           string `xorm:"UNIQUE NOT NULL"`
+		Passwd         string `xorm:"NOT NULL"`
+		PasswdHashAlgo string `xorm:"NOT NULL DEFAULT 'argon2'"`
+		Type           UserType
+		Salt           string             `xorm:"VARCHAR(32)"`
+		CreatedUnix    timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix    timeutil.TimeStamp `xorm:"INDEX updated"`
+		ProhibitLogin  bool               `xorm:"NOT NULL DEFAULT false"`
+	}
+	type FederatedUser struct {
+		UserID int64 `xorm:"NOT NULL INDEX user_id"`
+	}
+
+	userLogString := func(u *User) string {
+		if u == nil {
+			return "<User nil>"
+		}
+		return fmt.Sprintf("<User %d:%s>", u.ID, u.Name)
+	}
+
 	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
-		return db.Iterate(ctx, builder.Eq{"type": 5}, func(ctx context.Context, user *user_model.User) error {
-			log.Info("Checking if user %s is created from ActivityPub", user.LogString())
+		return db.Iterate(ctx, builder.Eq{"type": 5}, func(ctx context.Context, user *User) error {
+			log.Info("Checking if user %s is created from ActivityPub", userLogString(user))
 
 			// Users created from f3 also have the RemoteUser user type. All
 			// FederatedUser should reference exactly one User.
-			has, err := db.GetEngine(ctx).Table("federated_user").Get(&user_model.FederatedUser{UserID: user.ID})
+			has, err := db.GetEngine(ctx).Table("federated_user").Get(&FederatedUser{UserID: user.ID})
 			if err != nil {
 				return err
 			}
@@ -37,9 +70,9 @@ func setProhibitLoginActivityPubUser(x *xorm.Engine) error {
 				return nil
 			}
 
-			log.Info("Updating user %s", user.LogString())
-			_, err = db.GetEngine(ctx).Table("user").ID(user.ID).Cols("type", "prohibit_login", "passwd", "salt", "passwd_hash_algo").Update(&user_model.User{
-				Type:           user_model.UserTypeActivityPubUser,
+			log.Info("Updating user %s", userLogString(user))
+			_, err = db.GetEngine(ctx).Table("user").ID(user.ID).Cols("type", "prohibit_login", "passwd", "salt", "passwd_hash_algo").Update(&User{
+				Type:           UserTypeActivityPubUser,
 				ProhibitLogin:  true,
 				Passwd:         "",
 				Salt:           "",

From 2176403a8d925515e54c5f5dbdd5ebb6c25136f2 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 31 Mar 2026 03:54:28 +0200
Subject: [PATCH 022/287] fix: unique key violation in first-time concurrent
 debian package uploads to a user (#11881)

Fixes an intermittent test failure in `TestPackageDebianConcurrent`, [example](https://codeberg.org/forgejo/forgejo/actions/runs/148747/jobs/9/attempt/1#jobstep-5-981), introduced by testing in #11776.  This one is caused by duplicate writes to `user_setting` to store a GPG key (questionable place for that...).

Confirmed reproduced in local testing and test now passes:
```
=== TestPackageDebianConcurrent (tests/test_utils.go:344)
=== TestPackageDebianConcurrent/Concurrent_Upload (tests/integration/api_packages_debian_test.go:334)
... other duplicate key violations ...
// TestPackageDebianConcurrent/Concurrent_Upload
	"2026/03/29 10:31:57 ...dels/user/setting.go:210:func1() [E] [Error SQL Query] INSERT INTO \"gtestschema\".\"user_setting\" (\"user_id\",\"setting_key\",\"setting_value\") VALUES ($1,$2,$3) RETURNING \"id\" [2 debian.key.private -----BEGIN PGP PRIVATE KEY BLOCK-----\n\n...snip...\n-----END PGP PRIVATE KEY BLOCK-----] - ERROR: duplicate key value violates unique constraint \"UQE_user_setting_key_userid\" (SQLSTATE 23505)",
PASS
```

No additional test required as it is already tripping a test failure.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. (already present and failing)
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11881
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 services/packages/debian/repository.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/services/packages/debian/repository.go b/services/packages/debian/repository.go
index a8a401662e..ab8c4fdc45 100644
--- a/services/packages/debian/repository.go
+++ b/services/packages/debian/repository.go
@@ -14,6 +14,7 @@ import (
 	"strings"
 	"time"
 
+	"forgejo.org/models/db"
 	packages_model "forgejo.org/models/packages"
 	debian_model "forgejo.org/models/packages/debian"
 	user_model "forgejo.org/models/user"
@@ -28,6 +29,7 @@ import (
 	"github.com/ProtonMail/go-crypto/openpgp/clearsign"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 	"github.com/ulikunitz/xz"
+	"xorm.io/xorm"
 )
 
 // GetOrCreateRepositoryVersion gets or creates the internal repository package
@@ -308,7 +310,21 @@ func buildReleaseFiles(ctx context.Context, ownerID int64, repoVersion *packages
 
 	sort.Strings(architectures)
 
-	priv, _, err := GetOrCreateKeyPair(ctx, ownerID)
+	// ErrUniqueConstraintViolation can occur rarely when two concurrent updates occur to the same organization and
+	// `GetOrCreateKeyPair` ends up being invoked simulatneously, which writes to `user_setting` to store a GPG key for
+	// the `Release.gpg` file.  In that event, retry the rebuild.
+	//
+	// See comment in package services' createPackageAndAddFile for why we cannot recover from the error in any other
+	// way.
+	var priv string
+	err = db.RetryTx(ctx, db.RetryConfig{
+		// A single retry is sufficient the user/org's key pair would have been created by the first successful tx.
+		AttemptCount: 2,
+		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation},
+	}, func(ctx context.Context) error {
+		priv, _, err = GetOrCreateKeyPair(ctx, ownerID)
+		return err
+	})
 	if err != nil {
 		return err
 	}

From 939a3ada66e7e74fe6a9690102aaf1e74cdee596 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 31 Mar 2026 05:02:59 +0200
Subject: [PATCH 023/287] Update dependency vue to v3.5.31 (forgejo) (#11871)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 150 +++++++++++++++++++++++++++-------------------
 package.json      |   2 +-
 2 files changed, 90 insertions(+), 62 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 1f34b34913..5670aec7a0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -73,7 +73,7 @@
         "tributejs": "5.1.3",
         "uint8-to-base64": "0.2.1",
         "vanilla-colorful": "0.7.2",
-        "vue": "3.5.28",
+        "vue": "3.5.31",
         "vue-chartjs": "5.3.3",
         "vue-loader": "17.4.2",
         "vue3-calendar-heatmap": "2.0.5",
@@ -214,9 +214,9 @@
       }
     },
     "node_modules/@babel/parser": {
-      "version": "7.29.0",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.0.tgz",
-      "integrity": "sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==",
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+      "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
       "license": "MIT",
       "dependencies": {
         "@babel/types": "^7.29.0"
@@ -5040,13 +5040,13 @@
       }
     },
     "node_modules/@vue/compiler-core": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.28.tgz",
-      "integrity": "sha512-kviccYxTgoE8n6OCw96BNdYlBg2GOWfBuOW4Vqwrt7mSKWKwFVvI8egdTltqRgITGPsTFYtKYfxIG8ptX2PJHQ==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.31.tgz",
+      "integrity": "sha512-k/ueL14aNIEy5Onf0OVzR8kiqF/WThgLdFhxwa4e/KF/0qe38IwIdofoSWBTvvxQOesaz6riAFAUaYjoF9fLLQ==",
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.29.0",
-        "@vue/shared": "3.5.28",
+        "@babel/parser": "^7.29.2",
+        "@vue/shared": "3.5.31",
         "entities": "^7.0.1",
         "estree-walker": "^2.0.2",
         "source-map-js": "^1.2.1"
@@ -5065,29 +5065,29 @@
       }
     },
     "node_modules/@vue/compiler-dom": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.28.tgz",
-      "integrity": "sha512-/1ZepxAb159jKR1btkefDP+J2xuWL5V3WtleRmxaT+K2Aqiek/Ab/+Ebrw2pPj0sdHO8ViAyyJWfhXXOP/+LQA==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.31.tgz",
+      "integrity": "sha512-BMY/ozS/xxjYqRFL+tKdRpATJYDTTgWSo0+AJvJNg4ig+Hgb0dOsHPXvloHQ5hmlivUqw1Yt2pPIqp4e0v1GUw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-core": "3.5.28",
-        "@vue/shared": "3.5.28"
+        "@vue/compiler-core": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/compiler-sfc": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.28.tgz",
-      "integrity": "sha512-6TnKMiNkd6u6VeVDhZn/07KhEZuBSn43Wd2No5zaP5s3xm8IqFTHBj84HJah4UepSUJTro5SoqqlOY22FKY96g==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.31.tgz",
+      "integrity": "sha512-M8wpPgR9UJ8MiRGjppvx9uWJfLV7A/T+/rL8s/y3QG3u0c2/YZgff3d6SuimKRIhcYnWg5fTfDMlz2E6seUW8Q==",
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.29.0",
-        "@vue/compiler-core": "3.5.28",
-        "@vue/compiler-dom": "3.5.28",
-        "@vue/compiler-ssr": "3.5.28",
-        "@vue/shared": "3.5.28",
+        "@babel/parser": "^7.29.2",
+        "@vue/compiler-core": "3.5.31",
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/compiler-ssr": "3.5.31",
+        "@vue/shared": "3.5.31",
         "estree-walker": "^2.0.2",
         "magic-string": "^0.30.21",
-        "postcss": "^8.5.6",
+        "postcss": "^8.5.8",
         "source-map-js": "^1.2.1"
       }
     },
@@ -5100,64 +5100,92 @@
         "@jridgewell/sourcemap-codec": "^1.5.5"
       }
     },
-    "node_modules/@vue/compiler-ssr": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.28.tgz",
-      "integrity": "sha512-JCq//9w1qmC6UGLWJX7RXzrGpKkroubey/ZFqTpvEIDJEKGgntuDMqkuWiZvzTzTA5h2qZvFBFHY7fAAa9475g==",
+    "node_modules/@vue/compiler-sfc/node_modules/postcss": {
+      "version": "8.5.8",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
+      "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/postcss"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.28",
-        "@vue/shared": "3.5.28"
+        "nanoid": "^3.3.11",
+        "picocolors": "^1.1.1",
+        "source-map-js": "^1.2.1"
+      },
+      "engines": {
+        "node": "^10 || ^12 || >=14"
+      }
+    },
+    "node_modules/@vue/compiler-ssr": {
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.31.tgz",
+      "integrity": "sha512-h0xIMxrt/LHOvJKMri+vdYT92BrK3HFLtDqq9Pr/lVVfE4IyKZKvWf0vJFW10Yr6nX02OR4MkJwI0c1HDa1hog==",
+      "license": "MIT",
+      "dependencies": {
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/reactivity": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.28.tgz",
-      "integrity": "sha512-gr5hEsxvn+RNyu9/9o1WtdYdwDjg5FgjUSBEkZWqgTKlo/fvwZ2+8W6AfKsc9YN2k/+iHYdS9vZYAhpi10kNaw==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.31.tgz",
+      "integrity": "sha512-DtKXxk9E/KuVvt8VxWu+6Luc9I9ETNcqR1T1oW1gf02nXaZ1kuAx58oVu7uX9XxJR0iJCro6fqBLw9oSBELo5g==",
       "license": "MIT",
       "dependencies": {
-        "@vue/shared": "3.5.28"
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/runtime-core": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.28.tgz",
-      "integrity": "sha512-POVHTdbgnrBBIpnbYU4y7pOMNlPn2QVxVzkvEA2pEgvzbelQq4ZOUxbp2oiyo+BOtiYlm8Q44wShHJoBvDPAjQ==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.31.tgz",
+      "integrity": "sha512-AZPmIHXEAyhpkmN7aWlqjSfYynmkWlluDNPHMCZKFHH+lLtxP/30UJmoVhXmbDoP1Ng0jG0fyY2zCj1PnSSA6Q==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.28",
-        "@vue/shared": "3.5.28"
+        "@vue/reactivity": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/runtime-dom": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.28.tgz",
-      "integrity": "sha512-4SXxSF8SXYMuhAIkT+eBRqOkWEfPu6nhccrzrkioA6l0boiq7sp18HCOov9qWJA5HML61kW8p/cB4MmBiG9dSA==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.31.tgz",
+      "integrity": "sha512-xQJsNRmGPeDCJq/u813tyonNgWBFjzfVkBwDREdEWndBnGdHLHgkwNBQxLtg4zDrzKTEcnikUy1UUNecb3lJ6g==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.28",
-        "@vue/runtime-core": "3.5.28",
-        "@vue/shared": "3.5.28",
+        "@vue/reactivity": "3.5.31",
+        "@vue/runtime-core": "3.5.31",
+        "@vue/shared": "3.5.31",
         "csstype": "^3.2.3"
       }
     },
     "node_modules/@vue/server-renderer": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.28.tgz",
-      "integrity": "sha512-pf+5ECKGj8fX95bNincbzJ6yp6nyzuLDhYZCeFxUNp8EBrQpPpQaLX3nNCp49+UbgbPun3CeVE+5CXVV1Xydfg==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.31.tgz",
+      "integrity": "sha512-GJuwRvMcdZX/CriUnyIIOGkx3rMV3H6sOu0JhdKbduaeCji6zb60iOGMY7tFoN24NfsUYoFBhshZtGxGpxO4iA==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-ssr": "3.5.28",
-        "@vue/shared": "3.5.28"
+        "@vue/compiler-ssr": "3.5.31",
+        "@vue/shared": "3.5.31"
       },
       "peerDependencies": {
-        "vue": "3.5.28"
+        "vue": "3.5.31"
       }
     },
     "node_modules/@vue/shared": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.28.tgz",
-      "integrity": "sha512-cfWa1fCGBxrvaHRhvV3Is0MgmrbSCxYTXCSCau2I0a1Xw1N1pHAvkWCiXPRAqjvToILvguNyEwjevUqAuBQWvQ==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.31.tgz",
+      "integrity": "sha512-nBxuiuS9Lj5bPkPbWogPUnjxxWpkRniX7e5UBQDWl6Fsf4roq9wwV+cR7ezQ4zXswNvPIlsdj1slcLB7XCsRAw==",
       "license": "MIT"
     },
     "node_modules/@vue/test-utils": {
@@ -15704,16 +15732,16 @@
       "license": "MIT"
     },
     "node_modules/vue": {
-      "version": "3.5.28",
-      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.28.tgz",
-      "integrity": "sha512-BRdrNfeoccSoIZeIhyPBfvWSLFP4q8J3u8Ju8Ug5vu3LdD+yTM13Sg4sKtljxozbnuMu1NB1X5HBHRYUzFocKg==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.31.tgz",
+      "integrity": "sha512-iV/sU9SzOlmA/0tygSmjkEN6Jbs3nPoIPFhCMLD2STrjgOU8DX7ZtzMhg4ahVwf5Rp9KoFzcXeB1ZrVbLBp5/Q==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.28",
-        "@vue/compiler-sfc": "3.5.28",
-        "@vue/runtime-dom": "3.5.28",
-        "@vue/server-renderer": "3.5.28",
-        "@vue/shared": "3.5.28"
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/compiler-sfc": "3.5.31",
+        "@vue/runtime-dom": "3.5.31",
+        "@vue/server-renderer": "3.5.31",
+        "@vue/shared": "3.5.31"
       },
       "peerDependencies": {
         "typescript": "*"
diff --git a/package.json b/package.json
index 321396bf9c..cb1dd3014d 100644
--- a/package.json
+++ b/package.json
@@ -72,7 +72,7 @@
     "tributejs": "5.1.3",
     "uint8-to-base64": "0.2.1",
     "vanilla-colorful": "0.7.2",
-    "vue": "3.5.28",
+    "vue": "3.5.31",
     "vue-chartjs": "5.3.3",
     "vue-loader": "17.4.2",
     "vue3-calendar-heatmap": "2.0.5",

From a9bd068d00be473fdeb424cc948022e08e12b98c Mon Sep 17 00:00:00 2001
From: doasu <me@doasu.dev>
Date: Tue, 31 Mar 2026 21:51:57 +0200
Subject: [PATCH 024/287] fix: URL-encode login provider name in the `href`
 attribute (#10301)

The authentication provider's name (`$provider.DisplayName`) is not URL-encoded, so any illegal characters (e.g., '/') will be put in the link's href attribute verbatim.
For example, if the provider's name is `foo/bar` (valid name), the href attribute will point to `/user/oauth2/foo/bar` instead of `/user/oauth2/foo%2Fbar`, resulting in a "404 Not found" error.

This patch fixes this behaviour by URL-encoding the provider's DisplayName before appending it to the href attribute.

Signed-off-by: doasu <me@doasu.dev>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10301
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: doasu <me@doasu.dev>
Co-committed-by: doasu <me@doasu.dev>
---
 templates/user/auth/oauth_container.tmpl |  2 +-
 tests/integration/signin_test.go         | 30 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/templates/user/auth/oauth_container.tmpl b/templates/user/auth/oauth_container.tmpl
index 7531320394..a50ca5f612 100644
--- a/templates/user/auth/oauth_container.tmpl
+++ b/templates/user/auth/oauth_container.tmpl
@@ -8,7 +8,7 @@
 	<div class="tw-flex tw-flex-col tw-justify-center">
 		<div id="oauth2-login-navigator-inner" class="tw-flex tw-flex-col tw-flex-wrap tw-items-center tw-gap-2">
 			{{range $provider := .OAuth2Providers}}
-				<a class="{{$provider.Name}} ui button tw-flex tw-items-center tw-justify-center tw-py-2 tw-w-full oauth-login-link" href="{{AppSubUrl}}/user/oauth2/{{$provider.DisplayName}}">
+				<a class="{{$provider.Name}} ui button tw-flex tw-items-center tw-justify-center tw-py-2 tw-w-full oauth-login-link" href="{{AppSubUrl}}/user/oauth2/{{$provider.DisplayName | PathEscape}}">
 					{{$provider.IconHTML 28}}
 					{{ctx.Locale.Tr "sign_in_with_provider" $provider.DisplayName}}
 				</a>
diff --git a/tests/integration/signin_test.go b/tests/integration/signin_test.go
index c9b2d6ed1c..0367bedd6e 100644
--- a/tests/integration/signin_test.go
+++ b/tests/integration/signin_test.go
@@ -97,6 +97,36 @@ func TestSigninWithRememberMe(t *testing.T) {
 	session.MakeRequest(t, req, http.StatusOK)
 }
 
+func TestProviderDisplayNameIsPathEscaped(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	testCases := []string{
+		"sla/shed",
+		"per%cent",
+		"que?ry=string",
+		"ha#sh",
+		"spa ce",     // doesn't break the path
+		"pl+us",      // unchanged by url.PathEscape
+		"amper&sand", // unchanged by url.PathEscape
+	}
+
+	for _, testCase := range testCases {
+		// GitLab is only used here for convenience.
+		addAuthSource(t, authSourcePayloadGitLabCustom(testCase))
+	}
+
+	request := NewRequest(t, "GET", "/user/login")
+	response := MakeRequest(t, request, http.StatusOK)
+	htmlDoc := NewHTMLParser(t, response.Body)
+
+	for _, testCase := range testCases {
+		t.Run(testCase, func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			htmlDoc.AssertElement(t, fmt.Sprintf("a.oauth-login-link[href='/user/oauth2/%s']", url.PathEscape(testCase)), true)
+		})
+	}
+}
+
 func TestDisableSignin(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	// Mock alternative auth ways as enabled

From 676940a853aabfcfa24d5ec7d2b9f2e2ed4c13ed Mon Sep 17 00:00:00 2001
From: Henry Catalini Smith <henry@catalinismith.se>
Date: Tue, 31 Mar 2026 23:02:10 +0200
Subject: [PATCH 025/287] Add aria-current="page" to active navbar items
 (#11887)

By setting `aria-current="page"` on the active navbar item we make the information about which one corresponds to the current page available in a non-visual way. Both the attached screen recordings were produced on http://localhost:3000/pulls, so the "Pull requests" link is the active one. In `before.mp4` all the links are announced identically, and in `after.mp4` the "Pull requests" link is announced like this.

> current page, visited, link, Pull requests

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11887
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Henry Catalini Smith <henry@catalinismith.se>
Co-committed-by: Henry Catalini Smith <henry@catalinismith.se>
---
 templates/base/head_navbar.tmpl | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/templates/base/head_navbar.tmpl b/templates/base/head_navbar.tmpl
index e4627451cd..f7405a743e 100644
--- a/templates/base/head_navbar.tmpl
+++ b/templates/base/head_navbar.tmpl
@@ -28,21 +28,21 @@
 			{{/* No links */}}
 		{{else if .IsSigned}}
 			{{if not .UnitIssuesGlobalDisabled}}
-				<a class="item{{if .PageIsIssues}} active{{end}}" href="{{AppSubUrl}}/issues">{{ctx.Locale.Tr "issues"}}</a>
+				<a class="item{{if .PageIsIssues}} active{{end}}" {{if .PageIsIssues}}aria-current="page" {{end}}href="{{AppSubUrl}}/issues">{{ctx.Locale.Tr "issues"}}</a>
 			{{end}}
 			{{if not .UnitPullsGlobalDisabled}}
-				<a class="item{{if .PageIsPulls}} active{{end}}" href="{{AppSubUrl}}/pulls">{{ctx.Locale.Tr "pull_requests"}}</a>
+				<a class="item{{if .PageIsPulls}} active{{end}}" {{if .PageIsPulls}}aria-current="page" {{end}}href="{{AppSubUrl}}/pulls">{{ctx.Locale.Tr "pull_requests"}}</a>
 			{{end}}
 			{{if not (and .UnitIssuesGlobalDisabled .UnitPullsGlobalDisabled)}}
 				{{if .ShowMilestonesDashboardPage}}
-					<a class="item{{if .PageIsMilestonesDashboard}} active{{end}}" href="{{AppSubUrl}}/milestones">{{ctx.Locale.Tr "milestones"}}</a>
+					<a class="item{{if .PageIsMilestonesDashboard}} active{{end}}" {{if .PageIsMilestonesDashboard}}aria-current="page" {{end}}href="{{AppSubUrl}}/milestones">{{ctx.Locale.Tr "milestones"}}</a>
 				{{end}}
 			{{end}}
-			<a class="item{{if .PageIsExplore}} active{{end}}" href="{{AppSubUrl}}/explore/repos">{{ctx.Locale.Tr "explore"}}</a>
+			<a class="item{{if .PageIsExplore}} active{{end}}" {{if .PageIsExplore}}aria-current="page" {{end}}href="{{AppSubUrl}}/explore/repos">{{ctx.Locale.Tr "explore"}}</a>
 		{{else if .IsLandingPageOrganizations}}
-			<a class="item{{if .PageIsExplore}} active{{end}}" href="{{AppSubUrl}}/explore/organizations">{{ctx.Locale.Tr "explore"}}</a>
+			<a class="item{{if .PageIsExplore}} active{{end}}" {{if .PageIsExplore}}aria-current="page" {{end}}href="{{AppSubUrl}}/explore/organizations">{{ctx.Locale.Tr "explore"}}</a>
 		{{else}}
-			<a class="item{{if .PageIsExplore}} active{{end}}" href="{{AppSubUrl}}/explore/repos">{{ctx.Locale.Tr "explore"}}</a>
+			<a class="item{{if .PageIsExplore}} active{{end}}" {{if .PageIsExplore}}aria-current="page" {{end}}href="{{AppSubUrl}}/explore/repos">{{ctx.Locale.Tr "explore"}}</a>
 		{{end}}
 
 		{{template "custom/extra_links" .}}

From 6726b6e3e909677d017c36a4e2abbcdfbef3eae8 Mon Sep 17 00:00:00 2001
From: Henry Catalini Smith <henry@catalinismith.se>
Date: Tue, 31 Mar 2026 23:22:20 +0200
Subject: [PATCH 026/287] Add aria-labels to ensure watch and star buttons
 always have a text label (#11878)

Fixes https://codeberg.org/forgejo/forgejo/issues/6621.

The attached screen recording `before.mp4` demos the problem as described by https://codeberg.org/forgejo/forgejo/issues/6621. And `after.mp4` is the fixed version.

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11878
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Henry Catalini Smith <henry@catalinismith.se>
Co-committed-by: Henry Catalini Smith <henry@catalinismith.se>
---
 templates/repo/star_unstar.tmpl   | 2 +-
 templates/repo/watch_unwatch.tmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/repo/star_unstar.tmpl b/templates/repo/star_unstar.tmpl
index 74239fafa4..d483495dd4 100644
--- a/templates/repo/star_unstar.tmpl
+++ b/templates/repo/star_unstar.tmpl
@@ -1,6 +1,6 @@
 <form hx-boost="true" hx-target="this" method="post" action="{{$.RepoLink}}/action/{{if $.IsStaringRepo}}un{{end}}star">
 	<div class="ui labeled button" {{if not $.IsSigned}}data-tooltip-content="{{ctx.Locale.Tr "repo.star_guest_user"}}"{{end}}>
-		<button type="submit" class="ui compact small basic button"{{if not $.IsSigned}} disabled{{end}}>
+		<button type="submit" class="ui compact small basic button"{{if not $.IsSigned}} disabled{{end}} aria-label="{{if $.IsStaringRepo}}{{ctx.Locale.Tr "repo.unstar"}}{{else}}{{ctx.Locale.Tr "repo.star"}}{{end}}">
 			{{if $.IsStaringRepo}}
 				{{svg "octicon-star-fill"}}<span class="text not-mobile">{{ctx.Locale.Tr "repo.unstar"}}</span>
 			{{else}}
diff --git a/templates/repo/watch_unwatch.tmpl b/templates/repo/watch_unwatch.tmpl
index b0dbd9af92..35d527af98 100644
--- a/templates/repo/watch_unwatch.tmpl
+++ b/templates/repo/watch_unwatch.tmpl
@@ -1,6 +1,6 @@
 <form hx-boost="true" hx-target="this" method="post" action="{{$.RepoLink}}/action/{{if $.IsWatchingRepo}}un{{end}}watch">
 	<div class="ui labeled button" {{if not $.IsSigned}}data-tooltip-content="{{ctx.Locale.Tr "repo.watch_guest_user"}}"{{end}}>
-		<button type="submit" class="ui compact small basic button"{{if not $.IsSigned}} disabled{{end}}>
+		<button type="submit" class="ui compact small basic button"{{if not $.IsSigned}} disabled{{end}} aria-label="{{if $.IsWatchingRepo}}{{ctx.Locale.Tr "repo.unwatch"}}{{else}}{{ctx.Locale.Tr "repo.watch"}}{{end}}">
 			{{if $.IsWatchingRepo}}
 				{{svg "octicon-eye-closed" 16}}<span class="text not-mobile">{{ctx.Locale.Tr "repo.unwatch"}}</span>
 			{{else}}

From ba6794348ef70f40c4cc760743302a8250bddfa0 Mon Sep 17 00:00:00 2001
From: Henry Catalini Smith <henry@catalinismith.se>
Date: Tue, 31 Mar 2026 23:22:46 +0200
Subject: [PATCH 027/287] Make label dropdown menu items with .tw-hidden
 unselectable (#11858)

Fixes https://codeberg.org/forgejo/forgejo/issues/9894.

The dropdown menu items are being hidden with `.tw-hidden`. The Fomentic dropdown  makes items with `.disabled` and `.filtered` unselectable by default but can be [easily configured](https://fomantic-ui.com/modules/dropdown.html#/settings) to broaden this selector.

In the before & after GIFs attached, there is an archived label between "duplicate" and "help wanted". In the before GIF, focus disappears momentarily between the two, which is when the hidden, archived label has been programmatically focused by Fomentic. In the after GIF, focus hops instantaneously between the two selectable labels because of the broader `unselectable` selector.

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https
- [ ]
- [ ] ://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11858
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Henry Catalini Smith <henry@catalinismith.se>
Co-committed-by: Henry Catalini Smith <henry@catalinismith.se>
---
 web_src/js/features/repo-legacy.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/web_src/js/features/repo-legacy.js b/web_src/js/features/repo-legacy.js
index 4d2f25148c..523ce555c4 100644
--- a/web_src/js/features/repo-legacy.js
+++ b/web_src/js/features/repo-legacy.js
@@ -90,6 +90,9 @@ export function initRepoCommentForm() {
     $(`.${selector}`).dropdown({
       'action': 'nothing', // do not hide the menu if user presses Enter
       fullTextSearch: 'exact',
+      selector: {
+        unselectable: '.disabled, .filtered, .tw-hidden',
+      },
       async onHide() {
         hasUpdateAction = $listMenu.data('action') === 'update'; // Update the var
         if (hasUpdateAction) {

From bfebd42a3dd8cffca2958807e9f4657b344fb1e6 Mon Sep 17 00:00:00 2001
From: Henry Catalini Smith <henry@catalinismith.se>
Date: Wed, 1 Apr 2026 00:14:47 +0200
Subject: [PATCH 028/287] Fix @mention combobox semantics for screen reader
 accessibility (#11860)

Fixes https://codeberg.org/forgejo/forgejo/issues/7668.

This was simpler to fix than my theory I posted on https://codeberg.org/forgejo/forgejo/issues/7668 about needing to patch the upstream package. When testing in Firefox with the developer console open and warnings enabled, I noticed a `Empty string passed to getElementById()` warning coming from `@github/combobox-nav` while attempting to manage the `aria-activedescendant` attribute. Then I found this in the [README for that project](https://github.com/github/combobox-nav).

> Markup requirements:
> - Each option needs to have role="option" and a unique id

This was easy to miss, as we're using `@github/text-expander-element` and the combobox-nav package is one of _its_ dependencies. Without a unique ID on each dropdown menu item, `@github/text-expander-element` is unable to set an appropriate `aria-activedescendant` attribute on the textarea. Once that's in place, the screen reader announcements come to life beautifully.

While working on it I noticed the emoji picker combobox was affected by the same problem and patched that as well.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11860
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Henry Catalini Smith <henry@catalinismith.se>
Co-committed-by: Henry Catalini Smith <henry@catalinismith.se>
---
 tests/e2e/issue-comment.test.e2e.ts      | 2 +-
 web_src/js/features/comp/TextExpander.js | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/e2e/issue-comment.test.e2e.ts b/tests/e2e/issue-comment.test.e2e.ts
index 94e4bb7243..ed1c79a585 100644
--- a/tests/e2e/issue-comment.test.e2e.ts
+++ b/tests/e2e/issue-comment.test.e2e.ts
@@ -331,7 +331,7 @@ test('Emoji suggestions', async ({page}) => {
   ];
 
   for (const {emoji, name} of expectedSuggestions) {
-    const item = suggestionList.locator(`li:has-text("${name}")`);
+    const item = suggestionList.locator(`[id="combobox-emoji-${name}"]`);
     await expect(item).toContainText(`${emoji} ${name}`);
   }
 
diff --git a/web_src/js/features/comp/TextExpander.js b/web_src/js/features/comp/TextExpander.js
index 8777f3a334..ae652a013b 100644
--- a/web_src/js/features/comp/TextExpander.js
+++ b/web_src/js/features/comp/TextExpander.js
@@ -12,6 +12,7 @@ export function initTextExpander(expander) {
       ul.classList.add('suggestions');
       for (const name of matches) {
         const li = document.createElement('li');
+        li.setAttribute('id', `combobox-emoji-${name}`);
         li.setAttribute('role', 'option');
         li.setAttribute('data-value', emojiString(name));
         if (customEmojis.has(name)) {
@@ -33,10 +34,12 @@ export function initTextExpander(expander) {
       ul.classList.add('suggestions');
       for (const {value, name, fullname, avatar} of matches) {
         const li = document.createElement('li');
+        li.setAttribute('id', `combobox-user-${name}`);
         li.setAttribute('role', 'option');
         li.setAttribute('data-value', `${key}${value}`);
 
         const img = document.createElement('img');
+        img.setAttribute('aria-hidden', 'true');
         img.src = avatar;
         li.append(img);
 

From 7a34a7fc6d8fd26e8c9fbe621556102ccf7623f0 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 01:57:20 +0200
Subject: [PATCH 029/287] Update dependency @axe-core/playwright to v4.11.1
 (forgejo) (#11921)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 10 +++++-----
 package.json      |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5670aec7a0..ba3a2dfb4b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -82,7 +82,7 @@
         "wrap-ansi": "10.0.0"
       },
       "devDependencies": {
-        "@axe-core/playwright": "4.11.0",
+        "@axe-core/playwright": "4.11.1",
         "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
         "@playwright/test": "1.57.0",
         "@stoplight/spectral-cli": "6.15.0",
@@ -163,13 +163,13 @@
       }
     },
     "node_modules/@axe-core/playwright": {
-      "version": "4.11.0",
-      "resolved": "https://registry.npmjs.org/@axe-core/playwright/-/playwright-4.11.0.tgz",
-      "integrity": "sha512-70vBT/Ylqpm65RQz2iCG2o0JJCEG/WCNyefTr2xcOcr1CoSee60gNQYUMZZ7YukoKkFLv26I/jjlsvwwp532oQ==",
+      "version": "4.11.1",
+      "resolved": "https://registry.npmjs.org/@axe-core/playwright/-/playwright-4.11.1.tgz",
+      "integrity": "sha512-mKEfoUIB1MkVTht0BGZFXtSAEKXMJoDkyV5YZ9jbBmZCcWDz71tegNsdTkIN8zc/yMi5Gm2kx7Z5YQ9PfWNAWw==",
       "dev": true,
       "license": "MPL-2.0",
       "dependencies": {
-        "axe-core": "~4.11.0"
+        "axe-core": "~4.11.1"
       },
       "peerDependencies": {
         "playwright-core": ">= 1.0.0"
diff --git a/package.json b/package.json
index cb1dd3014d..87b1eee8a6 100644
--- a/package.json
+++ b/package.json
@@ -81,7 +81,7 @@
     "wrap-ansi": "10.0.0"
   },
   "devDependencies": {
-    "@axe-core/playwright": "4.11.0",
+    "@axe-core/playwright": "4.11.1",
     "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
     "@playwright/test": "1.57.0",
     "@stoplight/spectral-cli": "6.15.0",

From 34937d93054844f35d41f52705aaee6ef81eee7f Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 02:13:47 +0200
Subject: [PATCH 030/287] Update github.com/google/pprof digest to a15ffb7
 (forgejo) (#11920)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11920
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 53b90801b6..7bcd0f0510 100644
--- a/go.mod
+++ b/go.mod
@@ -59,7 +59,7 @@ require (
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0
 	github.com/google/go-github/v81 v81.0.0
-	github.com/google/pprof v0.0.0-20251114195745-4902fdda35c8
+	github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/feeds v1.2.0
 	github.com/gorilla/sessions v1.4.0
diff --git a/go.sum b/go.sum
index d6b747d096..e9b0dbbcfc 100644
--- a/go.sum
+++ b/go.sum
@@ -400,8 +400,8 @@ github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OI
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/pprof v0.0.0-20251114195745-4902fdda35c8 h1:3DsUAV+VNEQa2CUVLxCY3f87278uWfIDhJnbdvDjvmE=
-github.com/google/pprof v0.0.0-20251114195745-4902fdda35c8/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
+github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc h1:VBbFa1lDYWEeV5FZKUiYKYT0VxCp9twUmmaq9eb8sXw=
+github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=

From 5803c596b600995cad62d4147ed50bd7440eb73a Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 03:19:27 +0200
Subject: [PATCH 031/287] Update dependency katex to v0.16.44 (forgejo)
 (#11901)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11901
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index ba3a2dfb4b..9f0f62cb70 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -54,7 +54,7 @@
         "htmx.org": "2.0.8",
         "idiomorph": "0.3.0",
         "jquery": "3.7.1",
-        "katex": "0.16.43",
+        "katex": "0.16.44",
         "mermaid": "11.13.0",
         "mini-css-extract-plugin": "2.10.0",
         "minimatch": "10.2.4",
@@ -10580,9 +10580,9 @@
       "license": "MIT"
     },
     "node_modules/katex": {
-      "version": "0.16.43",
-      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.43.tgz",
-      "integrity": "sha512-K7NL5JtGrFEglipOAjY4UYA69CnTuNmjArxeXF6+bw7h2OGySUPv6QWRjfb1gmutJ4Mw/qLeBqiROOEDULp4nA==",
+      "version": "0.16.44",
+      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.44.tgz",
+      "integrity": "sha512-EkxoDTk8ufHqHlf9QxGwcxeLkWRR3iOuYfRpfORgYfqc8s13bgb+YtRY59NK5ZpRaCwq1kqA6a5lpX8C/eLphQ==",
       "funding": [
         "https://opencollective.com/katex",
         "https://github.com/sponsors/katex"
diff --git a/package.json b/package.json
index 87b1eee8a6..b2ae24a7e4 100644
--- a/package.json
+++ b/package.json
@@ -53,7 +53,7 @@
     "htmx.org": "2.0.8",
     "idiomorph": "0.3.0",
     "jquery": "3.7.1",
-    "katex": "0.16.43",
+    "katex": "0.16.44",
     "mermaid": "11.13.0",
     "mini-css-extract-plugin": "2.10.0",
     "minimatch": "10.2.4",

From 9e3c3e5d537d6740c4da7fa66e3cae36cb27b294 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 03:35:45 +0200
Subject: [PATCH 032/287] Update module github.com/yuin/goldmark to v1.8.2
 (forgejo) (#11808)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11808
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 7bcd0f0510..b4634a30b6 100644
--- a/go.mod
+++ b/go.mod
@@ -97,7 +97,7 @@ require (
 	github.com/urfave/cli/v3 v3.8.0
 	github.com/valyala/fastjson v1.6.10
 	github.com/yohcop/openid-go v1.0.1
-	github.com/yuin/goldmark v1.7.17
+	github.com/yuin/goldmark v1.8.2
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	gitlab.com/gitlab-org/api/client-go v0.143.2
 	go.uber.org/mock v0.6.0
diff --git a/go.sum b/go.sum
index e9b0dbbcfc..97492a6fa2 100644
--- a/go.sum
+++ b/go.sum
@@ -676,8 +676,8 @@ github.com/yohcop/openid-go v1.0.1/go.mod h1:b/AvD03P0KHj4yuihb+VtLD6bYYgsy0zqBz
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.4.15/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yuin/goldmark v1.7.17 h1:p36OVWwRb246iHxA/U4p8OPEpOTESm4n+g+8t0EE5uA=
-github.com/yuin/goldmark v1.7.17/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
+github.com/yuin/goldmark v1.8.2 h1:kEGpgqJXdgbkhcOgBxkC0X0PmoPG1ZyoZ117rDVp4zE=
+github.com/yuin/goldmark v1.8.2/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc h1:+IAOyRda+RLrxa1WC7umKOZRsGq4QrFFMYApOeHzQwQ=
 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc/go.mod h1:ovIvrum6DQJA4QsJSovrkC4saKHQVs7TvcaeO8AIl5I=
 github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=

From 3763a88c671ca54ecbe6cfab92057af33ac1b31e Mon Sep 17 00:00:00 2001
From: Antonin Delpeuch <antonin@delpeuch.eu>
Date: Wed, 1 Apr 2026 04:23:13 +0200
Subject: [PATCH 033/287] fix: allow modals to be submitted multiple times
 (#11843)

Fixes #11842.

The `once: true` was likely added to prevent multiple concurrent
submissions of the same form. This could still be worth preventing,
but I suspect it would require wrapping the supplied `onApprove`
callback with the corresponding logic, implemented manually, as I
am not aware of any native API to prevent concurrent executions of
callbacks.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11843
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Antonin Delpeuch <antonin@delpeuch.eu>
Co-committed-by: Antonin Delpeuch <antonin@delpeuch.eu>
---
 tests/e2e/repo-labels.test.e2e.ts | 20 ++++++++++++++++++++
 web_src/js/modules/modal.ts       |  2 +-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/tests/e2e/repo-labels.test.e2e.ts b/tests/e2e/repo-labels.test.e2e.ts
index ef33e91dda..956c4c19d5 100644
--- a/tests/e2e/repo-labels.test.e2e.ts
+++ b/tests/e2e/repo-labels.test.e2e.ts
@@ -41,3 +41,23 @@ test('Edit label', async ({page}) => {
 
   await expect(page.locator('.label-title').filter({hasText: labelName})).toBeVisible();
 });
+
+test('New label after a failed validation', async ({page}) => {
+  // for issue https://codeberg.org/forgejo/forgejo/issues/11842
+  const response = await page.goto('/user2/repo1/labels');
+  expect(response?.status()).toBe(200);
+
+  await page.getByRole('button', {name: 'New label'}).click();
+  await expect(page.locator('#new-label-modal')).toBeVisible();
+
+  // attempt to submit the form without having filled it first
+  await page.getByRole('button', {name: 'Create label'}).click();
+  await screenshot(page, page.locator('#new-label-modal'));
+
+  // then fill the form and submit it again
+  const labelName = dynamic_id();
+  await page.getByRole('textbox', {name: 'Label name'}).fill(labelName);
+  await page.getByRole('button', {name: 'Create label'}).click();
+
+  await expect(page.locator('.label-title').filter({hasText: labelName})).toBeVisible();
+});
diff --git a/web_src/js/modules/modal.ts b/web_src/js/modules/modal.ts
index 290dccee70..b6fef12b2b 100644
--- a/web_src/js/modules/modal.ts
+++ b/web_src/js/modules/modal.ts
@@ -13,7 +13,7 @@ export function showModal(modalID: string, onApprove: () => void) {
   modal.querySelector('.cancel')?.addEventListener('click', () => {
     modal.close();
   }, {once: true, passive: true});
-  modal.querySelector('.ok')?.addEventListener('click', onApprove, {once: true, passive: true});
+  modal.querySelector('.ok')?.addEventListener('click', onApprove, {passive: true});
 
   // The modal is ready to be shown.
   modal.showModal();

From 8d49d598776446dad91279c96b4fdccf9582e198 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 06:21:07 +0200
Subject: [PATCH 034/287] Update dependency vite-string-plugin to v2.0.2
 (forgejo) (#11924)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 9f0f62cb70..726f70073b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -120,7 +120,7 @@
         "svgo": "4.0.1",
         "typescript": "5.9.3",
         "typescript-eslint": "8.56.1",
-        "vite-string-plugin": "2.0.0",
+        "vite-string-plugin": "2.0.2",
         "vitest": "4.0.18"
       },
       "engines": {
@@ -15474,9 +15474,9 @@
       }
     },
     "node_modules/vite-string-plugin": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/vite-string-plugin/-/vite-string-plugin-2.0.0.tgz",
-      "integrity": "sha512-7p4aOvow1kphhZppt62A6Aj03NhUzOTiBgjHaTWDIdmtiUbjoJeVLarV52UjQNvLFC6BxJgV8r1AAwJfcxwZSQ==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/vite-string-plugin/-/vite-string-plugin-2.0.2.tgz",
+      "integrity": "sha512-pHU9lZuUoMSYyZixdn2XBYko9IAhk3dr41CG6VsXrjB+wN2th06SZsO9mJm6+2NhKBJKNfRERaRej8TBcoq9tQ==",
       "dev": true,
       "license": "BSD-2-Clause",
       "peerDependencies": {
diff --git a/package.json b/package.json
index b2ae24a7e4..c17c05b616 100644
--- a/package.json
+++ b/package.json
@@ -119,7 +119,7 @@
     "svgo": "4.0.1",
     "typescript": "5.9.3",
     "typescript-eslint": "8.56.1",
-    "vite-string-plugin": "2.0.0",
+    "vite-string-plugin": "2.0.2",
     "vitest": "4.0.18"
   },
   "browserslist": ["defaults"],

From 26da41171abadad719b9d116650a235e31f0cf13 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 07:58:08 +0200
Subject: [PATCH 035/287] Update dependency @vitejs/plugin-vue to v6.0.5
 (forgejo) (#11923)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 18 +++++++++---------
 package.json      |  2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 726f70073b..96065b8fd9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -88,7 +88,7 @@
         "@stoplight/spectral-cli": "6.15.0",
         "@stylistic/eslint-plugin": "5.10.0",
         "@stylistic/stylelint-plugin": "4.0.1",
-        "@vitejs/plugin-vue": "6.0.3",
+        "@vitejs/plugin-vue": "6.0.5",
         "@vitest/coverage-v8": "4.0.18",
         "@vitest/eslint-plugin": "1.6.9",
         "@vue/test-utils": "2.4.6",
@@ -2834,9 +2834,9 @@
       }
     },
     "node_modules/@rolldown/pluginutils": {
-      "version": "1.0.0-beta.53",
-      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-beta.53.tgz",
-      "integrity": "sha512-vENRlFU4YbrwVqNDZ7fLvy+JR1CRkyr01jhSiDpE1u6py3OMzQfztQU2jxykW3ALNxO4kSlqIDeYyD0Y9RcQeQ==",
+      "version": "1.0.0-rc.2",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.2.tgz",
+      "integrity": "sha512-izyXV/v+cHiRfozX62W9htOAvwMo4/bXKDrQ+vom1L1qRuexPock/7VZDAhnpHCLNejd3NJ6hiab+tO0D44Rgw==",
       "dev": true,
       "license": "MIT"
     },
@@ -4817,19 +4817,19 @@
       }
     },
     "node_modules/@vitejs/plugin-vue": {
-      "version": "6.0.3",
-      "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-6.0.3.tgz",
-      "integrity": "sha512-TlGPkLFLVOY3T7fZrwdvKpjprR3s4fxRln0ORDo1VQ7HHyxJwTlrjKU3kpVWTlaAjIEuCTokmjkZnr8Tpc925w==",
+      "version": "6.0.5",
+      "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-6.0.5.tgz",
+      "integrity": "sha512-bL3AxKuQySfk1iGcBsQnoRVexTPJq0Z/ixFVM8OhVJAP6ZXXXLtM7NFKWhLl30Kg7uTBqIaPXbh+nuQCuBDedg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rolldown/pluginutils": "1.0.0-beta.53"
+        "@rolldown/pluginutils": "1.0.0-rc.2"
       },
       "engines": {
         "node": "^20.19.0 || >=22.12.0"
       },
       "peerDependencies": {
-        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0",
+        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0",
         "vue": "^3.2.25"
       }
     },
diff --git a/package.json b/package.json
index c17c05b616..ae2b34a98e 100644
--- a/package.json
+++ b/package.json
@@ -87,7 +87,7 @@
     "@stoplight/spectral-cli": "6.15.0",
     "@stylistic/eslint-plugin": "5.10.0",
     "@stylistic/stylelint-plugin": "4.0.1",
-    "@vitejs/plugin-vue": "6.0.3",
+    "@vitejs/plugin-vue": "6.0.5",
     "@vitest/coverage-v8": "4.0.18",
     "@vitest/eslint-plugin": "1.6.9",
     "@vue/test-utils": "2.4.6",

From 46d2f15c949c5c09d0814499c82a5adcd84c7a42 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 09:04:13 +0200
Subject: [PATCH 036/287] Update linters (forgejo) (#11925)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 193 +++++++++++++++++++++++++---------------------
 package.json      |  12 +--
 2 files changed, 112 insertions(+), 93 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 96065b8fd9..f5b8036a2d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -90,20 +90,20 @@
         "@stylistic/stylelint-plugin": "4.0.1",
         "@vitejs/plugin-vue": "6.0.5",
         "@vitest/coverage-v8": "4.0.18",
-        "@vitest/eslint-plugin": "1.6.9",
+        "@vitest/eslint-plugin": "1.6.13",
         "@vue/test-utils": "2.4.6",
         "eslint": "9.39.4",
         "eslint-import-resolver-typescript": "4.4.4",
         "eslint-plugin-array-func": "5.1.1",
-        "eslint-plugin-import-x": "4.16.1",
+        "eslint-plugin-import-x": "4.16.2",
         "eslint-plugin-no-jquery": "3.1.1",
         "eslint-plugin-no-use-extend-native": "0.7.2",
-        "eslint-plugin-playwright": "2.9.0",
-        "eslint-plugin-regexp": "3.0.0",
+        "eslint-plugin-playwright": "2.10.1",
+        "eslint-plugin-regexp": "3.1.0",
         "eslint-plugin-sonarjs": "3.0.7",
         "eslint-plugin-toml": "0.13.1",
         "eslint-plugin-unicorn": "63.0.0",
-        "eslint-plugin-vitest-globals": "1.5.0",
+        "eslint-plugin-vitest-globals": "1.6.1",
         "eslint-plugin-vue": "10.8.0",
         "eslint-plugin-vue-scoped-css": "2.12.0",
         "eslint-plugin-wc": "3.1.0",
@@ -119,7 +119,7 @@
         "stylelint-value-no-unknown-custom-properties": "6.1.1",
         "svgo": "4.0.1",
         "typescript": "5.9.3",
-        "typescript-eslint": "8.56.1",
+        "typescript-eslint": "8.57.2",
         "vite-string-plugin": "2.0.2",
         "vitest": "4.0.18"
       },
@@ -2787,6 +2787,13 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@package-json/types": {
+      "version": "0.0.12",
+      "resolved": "https://registry.npmjs.org/@package-json/types/-/types-0.0.12.tgz",
+      "integrity": "sha512-uu43FGU34B5VM9mCNjXCwLaGHYjXdNincqKLaraaCW+7S2+SmiBg1Nv8bPnmschrIfZmfKNY9f3fC376MRrObw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@pkgjs/parseargs": {
       "version": "0.11.0",
       "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz",
@@ -4295,17 +4302,17 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.56.1.tgz",
-      "integrity": "sha512-Jz9ZztpB37dNC+HU2HI28Bs9QXpzCz+y/twHOwhyrIRdbuVDxSytJNDl6z/aAKlaRIwC7y8wJdkBv7FxYGgi0A==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.57.2.tgz",
+      "integrity": "sha512-NZZgp0Fm2IkD+La5PR81sd+g+8oS6JwJje+aRWsDocxHkjyRw0J5L5ZTlN3LI1LlOcGL7ph3eaIUmTXMIjLk0w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.56.1",
-        "@typescript-eslint/type-utils": "8.56.1",
-        "@typescript-eslint/utils": "8.56.1",
-        "@typescript-eslint/visitor-keys": "8.56.1",
+        "@typescript-eslint/scope-manager": "8.57.2",
+        "@typescript-eslint/type-utils": "8.57.2",
+        "@typescript-eslint/utils": "8.57.2",
+        "@typescript-eslint/visitor-keys": "8.57.2",
         "ignore": "^7.0.5",
         "natural-compare": "^1.4.0",
         "ts-api-utils": "^2.4.0"
@@ -4318,7 +4325,7 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.56.1",
+        "@typescript-eslint/parser": "^8.57.2",
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
         "typescript": ">=4.8.4 <6.0.0"
       }
@@ -4334,16 +4341,16 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.56.1.tgz",
-      "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.57.2.tgz",
+      "integrity": "sha512-30ScMRHIAD33JJQkgfGW1t8CURZtjc2JpTrq5n2HFhOefbAhb7ucc7xJwdWcrEtqUIYJ73Nybpsggii6GtAHjA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.56.1",
-        "@typescript-eslint/types": "8.56.1",
-        "@typescript-eslint/typescript-estree": "8.56.1",
-        "@typescript-eslint/visitor-keys": "8.56.1",
+        "@typescript-eslint/scope-manager": "8.57.2",
+        "@typescript-eslint/types": "8.57.2",
+        "@typescript-eslint/typescript-estree": "8.57.2",
+        "@typescript-eslint/visitor-keys": "8.57.2",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -4359,14 +4366,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.56.1.tgz",
-      "integrity": "sha512-TAdqQTzHNNvlVFfR+hu2PDJrURiwKsUvxFn1M0h95BB8ah5jejas08jUWG4dBA68jDMI988IvtfdAI53JzEHOQ==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.57.2.tgz",
+      "integrity": "sha512-FuH0wipFywXRTHf+bTTjNyuNQQsQC3qh/dYzaM4I4W0jrCqjCVuUh99+xd9KamUfmCGPvbO8NDngo/vsnNVqgw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.56.1",
-        "@typescript-eslint/types": "^8.56.1",
+        "@typescript-eslint/tsconfig-utils": "^8.57.2",
+        "@typescript-eslint/types": "^8.57.2",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -4381,14 +4388,14 @@
       }
     },
     "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.56.1.tgz",
-      "integrity": "sha512-YAi4VDKcIZp0O4tz/haYKhmIDZFEUPOreKbfdAN3SzUDMcPhJ8QI99xQXqX+HoUVq8cs85eRKnD+rne2UAnj2w==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.57.2.tgz",
+      "integrity": "sha512-snZKH+W4WbWkrBqj4gUNRIGb/jipDW3qMqVJ4C9rzdFc+wLwruxk+2a5D+uoFcKPAqyqEnSb4l2ULuZf95eSkw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.56.1",
-        "@typescript-eslint/visitor-keys": "8.56.1"
+        "@typescript-eslint/types": "8.57.2",
+        "@typescript-eslint/visitor-keys": "8.57.2"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -4399,9 +4406,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.56.1.tgz",
-      "integrity": "sha512-qOtCYzKEeyr3aR9f28mPJqBty7+DBqsdd63eO0yyDwc6vgThj2UjWfJIcsFeSucYydqcuudMOprZ+x1SpF3ZuQ==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.57.2.tgz",
+      "integrity": "sha512-3Lm5DSM+DCowsUOJC+YqHHnKEfFh5CoGkj5Z31NQSNF4l5wdOwqGn99wmwN/LImhfY3KJnmordBq/4+VDe2eKw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -4416,15 +4423,15 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.56.1.tgz",
-      "integrity": "sha512-yB/7dxi7MgTtGhZdaHCemf7PuwrHMenHjmzgUW1aJpO+bBU43OycnM3Wn+DdvDO/8zzA9HlhaJ0AUGuvri4oGg==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.57.2.tgz",
+      "integrity": "sha512-Co6ZCShm6kIbAM/s+oYVpKFfW7LBc6FXoPXjTRQ449PPNBY8U0KZXuevz5IFuuUj2H9ss40atTaf9dlGLzbWZg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.56.1",
-        "@typescript-eslint/typescript-estree": "8.56.1",
-        "@typescript-eslint/utils": "8.56.1",
+        "@typescript-eslint/types": "8.57.2",
+        "@typescript-eslint/typescript-estree": "8.57.2",
+        "@typescript-eslint/utils": "8.57.2",
         "debug": "^4.4.3",
         "ts-api-utils": "^2.4.0"
       },
@@ -4441,9 +4448,9 @@
       }
     },
     "node_modules/@typescript-eslint/types": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.56.1.tgz",
-      "integrity": "sha512-dbMkdIUkIkchgGDIv7KLUpa0Mda4IYjo4IAMJUZ+3xNoUXxMsk9YtKpTHSChRS85o+H9ftm51gsK1dZReY9CVw==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.57.2.tgz",
+      "integrity": "sha512-/iZM6FnM4tnx9csuTxspMW4BOSegshwX5oBDznJ7S4WggL7Vczz5d2W11ecc4vRrQMQHXRSxzrCsyG5EsPPTbA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -4455,16 +4462,16 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.56.1.tgz",
-      "integrity": "sha512-qzUL1qgalIvKWAf9C1HpvBjif+Vm6rcT5wZd4VoMb9+Km3iS3Cv9DY6dMRMDtPnwRAFyAi7YXJpTIEXLvdfPxg==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.57.2.tgz",
+      "integrity": "sha512-2MKM+I6g8tJxfSmFKOnHv2t8Sk3T6rF20A1Puk0svLK+uVapDZB/4pfAeB7nE83uAZrU6OxW+HmOd5wHVdXwXA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.56.1",
-        "@typescript-eslint/tsconfig-utils": "8.56.1",
-        "@typescript-eslint/types": "8.56.1",
-        "@typescript-eslint/visitor-keys": "8.56.1",
+        "@typescript-eslint/project-service": "8.57.2",
+        "@typescript-eslint/tsconfig-utils": "8.57.2",
+        "@typescript-eslint/types": "8.57.2",
+        "@typescript-eslint/visitor-keys": "8.57.2",
         "debug": "^4.4.3",
         "minimatch": "^10.2.2",
         "semver": "^7.7.3",
@@ -4483,16 +4490,16 @@
       }
     },
     "node_modules/@typescript-eslint/utils": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.56.1.tgz",
-      "integrity": "sha512-HPAVNIME3tABJ61siYlHzSWCGtOoeP2RTIaHXFMPqjrQKCGB9OgUVdiNgH7TJS2JNIQ5qQ4RsAUDuGaGme/KOA==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.57.2.tgz",
+      "integrity": "sha512-krRIbvPK1ju1WBKIefiX+bngPs+odIQUtR7kymzPfo1POVw3jlF+nLkmexdSSd4UCbDcQn+wMBATOOmpBbqgKg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.56.1",
-        "@typescript-eslint/types": "8.56.1",
-        "@typescript-eslint/typescript-estree": "8.56.1"
+        "@typescript-eslint/scope-manager": "8.57.2",
+        "@typescript-eslint/types": "8.57.2",
+        "@typescript-eslint/typescript-estree": "8.57.2"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -4507,13 +4514,13 @@
       }
     },
     "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.56.1.tgz",
-      "integrity": "sha512-KiROIzYdEV85YygXw6BI/Dx4fnBlFQu6Mq4QE4MOH9fFnhohw6wX/OAvDY2/C+ut0I3RSPKenvZJIVYqJNkhEw==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.57.2.tgz",
+      "integrity": "sha512-zhahknjobV2FiD6Ee9iLbS7OV9zi10rG26odsQdfBO/hjSzUQbkIYgda+iNKK1zNiW2ey+Lf8MU5btN17V3dUw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.56.1",
+        "@typescript-eslint/types": "8.57.2",
         "eslint-visitor-keys": "^5.0.0"
       },
       "engines": {
@@ -4865,9 +4872,9 @@
       }
     },
     "node_modules/@vitest/eslint-plugin": {
-      "version": "1.6.9",
-      "resolved": "https://registry.npmjs.org/@vitest/eslint-plugin/-/eslint-plugin-1.6.9.tgz",
-      "integrity": "sha512-9WfPx1OwJ19QLCSRLkqVO7//1WcWnK3fE/3fJhKMAmDe8+9G4rB47xCNIIeCq3FdEzkIoLTfDlwDlPBaUTMhow==",
+      "version": "1.6.13",
+      "resolved": "https://registry.npmjs.org/@vitest/eslint-plugin/-/eslint-plugin-1.6.13.tgz",
+      "integrity": "sha512-ui7JGWBoQpS5NKKW0FDb1eTuFEZ5EupEv2Psemuyfba7DfA5K52SeDLelt6P4pQJJ/4UGkker/BgMk/KrjH3WQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4878,11 +4885,15 @@
         "node": ">=18"
       },
       "peerDependencies": {
+        "@typescript-eslint/eslint-plugin": "*",
         "eslint": ">=8.57.0",
         "typescript": ">=5.0.0",
         "vitest": "*"
       },
       "peerDependenciesMeta": {
+        "@typescript-eslint/eslint-plugin": {
+          "optional": true
+        },
         "typescript": {
           "optional": true
         },
@@ -8093,18 +8104,19 @@
       }
     },
     "node_modules/eslint-plugin-import-x": {
-      "version": "4.16.1",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-import-x/-/eslint-plugin-import-x-4.16.1.tgz",
-      "integrity": "sha512-vPZZsiOKaBAIATpFE2uMI4w5IRwdv/FpQ+qZZMR4E+PeOcM4OeoEbqxRMnywdxP19TyB/3h6QBB0EWon7letSQ==",
+      "version": "4.16.2",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-import-x/-/eslint-plugin-import-x-4.16.2.tgz",
+      "integrity": "sha512-rM9K8UBHcWKpzQzStn1YRN2T5NvdeIfSVoKu/lKF41znQXHAUcBbYXe5wd6GNjZjTrP7viQ49n1D83x/2gYgIw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "^8.35.0",
+        "@package-json/types": "^0.0.12",
+        "@typescript-eslint/types": "^8.56.0",
         "comment-parser": "^1.4.1",
         "debug": "^4.4.1",
         "eslint-import-context": "^0.1.9",
         "is-glob": "^4.0.3",
-        "minimatch": "^9.0.3 || ^10.0.1",
+        "minimatch": "^9.0.3 || ^10.1.2",
         "semver": "^7.7.2",
         "stable-hash-x": "^0.2.0",
         "unrs-resolver": "^1.9.2"
@@ -8116,8 +8128,8 @@
         "url": "https://opencollective.com/eslint-plugin-import-x"
       },
       "peerDependencies": {
-        "@typescript-eslint/utils": "^8.0.0",
-        "eslint": "^8.57.0 || ^9.0.0",
+        "@typescript-eslint/utils": "^8.56.0",
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
         "eslint-import-resolver-node": "*"
       },
       "peerDependenciesMeta": {
@@ -8159,9 +8171,9 @@
       }
     },
     "node_modules/eslint-plugin-playwright": {
-      "version": "2.9.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-playwright/-/eslint-plugin-playwright-2.9.0.tgz",
-      "integrity": "sha512-k3xrG6YzrallWNFMoGUjMNeu3SFFKXN79KJQBD2PkM4PasJegqV2Up+mPY5od2UmPKQGT+MeIhCmWH8r5eYuQQ==",
+      "version": "2.10.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-playwright/-/eslint-plugin-playwright-2.10.1.tgz",
+      "integrity": "sha512-qea3UxBOb8fTwJ77FMApZKvRye5DOluDHcev0LDJwID3RELeun0JlqzrNIXAB/SXCyB/AesCW/6sZfcT9q3Edg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -8175,9 +8187,9 @@
       }
     },
     "node_modules/eslint-plugin-regexp": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-regexp/-/eslint-plugin-regexp-3.0.0.tgz",
-      "integrity": "sha512-iW7hgAV8NOG6E2dz+VeKpq67YLQ9jaajOKYpoOSic2/q8y9BMdXBKkSR9gcMtbqEhNQzdW41E3wWzvhp8ExYwQ==",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-regexp/-/eslint-plugin-regexp-3.1.0.tgz",
+      "integrity": "sha512-qGXIC3DIKZHcK1H9A9+Byz9gmndY6TTSRkSMTZpNXdyCw2ObSehRgccJv35n9AdUakEjQp5VFNLas6BMXizCZg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -8303,11 +8315,18 @@
       }
     },
     "node_modules/eslint-plugin-vitest-globals": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-vitest-globals/-/eslint-plugin-vitest-globals-1.5.0.tgz",
-      "integrity": "sha512-ZSsVOaOIig0oVLzRTyk8lUfBfqzWxr/J3/NFMfGGRIkGQPejJYmDH3gXmSJxAojts77uzAGB/UmVrwi2DC4LYA==",
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-vitest-globals/-/eslint-plugin-vitest-globals-1.6.1.tgz",
+      "integrity": "sha512-ydMvr96XRaT913a8gy8TY/LLyGB49Wmj0+x/FCbaWSpWMSaWDLG63/5zSLLrdSGXJ0PTjWpYZOZ61YBuzNyyTw==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "engines": {
+        "node": ">=16"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/saqqdy"
+      }
     },
     "node_modules/eslint-plugin-vue": {
       "version": "10.8.0",
@@ -15177,16 +15196,16 @@
       }
     },
     "node_modules/typescript-eslint": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.56.1.tgz",
-      "integrity": "sha512-U4lM6pjmBX7J5wk4szltF7I1cGBHXZopnAXCMXb3+fZ3B/0Z3hq3wS/CCUB2NZBNAExK92mCU2tEohWuwVMsDQ==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.57.2.tgz",
+      "integrity": "sha512-VEPQ0iPgWO/sBaZOU1xo4nuNdODVOajPnTIbog2GKYr31nIlZ0fWPoCQgGfF3ETyBl1vn63F/p50Um9Z4J8O8A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.56.1",
-        "@typescript-eslint/parser": "8.56.1",
-        "@typescript-eslint/typescript-estree": "8.56.1",
-        "@typescript-eslint/utils": "8.56.1"
+        "@typescript-eslint/eslint-plugin": "8.57.2",
+        "@typescript-eslint/parser": "8.57.2",
+        "@typescript-eslint/typescript-estree": "8.57.2",
+        "@typescript-eslint/utils": "8.57.2"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
diff --git a/package.json b/package.json
index ae2b34a98e..432fc0791e 100644
--- a/package.json
+++ b/package.json
@@ -89,20 +89,20 @@
     "@stylistic/stylelint-plugin": "4.0.1",
     "@vitejs/plugin-vue": "6.0.5",
     "@vitest/coverage-v8": "4.0.18",
-    "@vitest/eslint-plugin": "1.6.9",
+    "@vitest/eslint-plugin": "1.6.13",
     "@vue/test-utils": "2.4.6",
     "eslint": "9.39.4",
     "eslint-import-resolver-typescript": "4.4.4",
     "eslint-plugin-array-func": "5.1.1",
-    "eslint-plugin-import-x": "4.16.1",
+    "eslint-plugin-import-x": "4.16.2",
     "eslint-plugin-no-jquery": "3.1.1",
     "eslint-plugin-no-use-extend-native": "0.7.2",
-    "eslint-plugin-playwright": "2.9.0",
-    "eslint-plugin-regexp": "3.0.0",
+    "eslint-plugin-playwright": "2.10.1",
+    "eslint-plugin-regexp": "3.1.0",
     "eslint-plugin-sonarjs": "3.0.7",
     "eslint-plugin-toml": "0.13.1",
     "eslint-plugin-unicorn": "63.0.0",
-    "eslint-plugin-vitest-globals": "1.5.0",
+    "eslint-plugin-vitest-globals": "1.6.1",
     "eslint-plugin-vue": "10.8.0",
     "eslint-plugin-vue-scoped-css": "2.12.0",
     "eslint-plugin-wc": "3.1.0",
@@ -118,7 +118,7 @@
     "stylelint-value-no-unknown-custom-properties": "6.1.1",
     "svgo": "4.0.1",
     "typescript": "5.9.3",
-    "typescript-eslint": "8.56.1",
+    "typescript-eslint": "8.57.2",
     "vite-string-plugin": "2.0.2",
     "vitest": "4.0.18"
   },

From 645b29395ca54513a7409cb7f41b1a19d41a2a14 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 09:30:22 +0200
Subject: [PATCH 037/287] Update dependency markdownlint-cli to v0.48.0
 (forgejo) (#11929)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 73 +++++++++++------------------------------------
 package.json      |  2 +-
 2 files changed, 18 insertions(+), 57 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index f5b8036a2d..9ecf2697b6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -110,7 +110,7 @@
         "globals": "17.4.0",
         "happy-dom": "20.8.9",
         "license-checker-rseidelsohn": "4.4.2",
-        "markdownlint-cli": "0.47.0",
+        "markdownlint-cli": "0.48.0",
         "postcss-html": "1.8.1",
         "sharp": "0.34.5",
         "stylelint": "16.26.1",
@@ -10956,9 +10956,9 @@
       "license": "MIT"
     },
     "node_modules/markdown-it": {
-      "version": "14.1.0",
-      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
-      "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
+      "version": "14.1.1",
+      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.1.tgz",
+      "integrity": "sha512-BuU2qnTti9YKgK5N+IeMubp14ZUKUUw7yeJbkjtosvHiP0AZ5c8IAgEMk79D0eC8F23r4Ac/q8cAIFdm2FtyoA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -10998,23 +10998,23 @@
       }
     },
     "node_modules/markdownlint-cli": {
-      "version": "0.47.0",
-      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.47.0.tgz",
-      "integrity": "sha512-HOcxeKFAdDoldvoYDofd85vI8LgNWy8vmYpCwnlLV46PJcodmGzD7COSSBlhHwsfT4o9KrAStGodImVBus31Bg==",
+      "version": "0.48.0",
+      "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.48.0.tgz",
+      "integrity": "sha512-NkZQNu2E0Q5qLEEHwWj674eYISTLD4jMHkBzDobujXd1kv+yCxi8jOaD/rZoQNW1FBBMMGQpuW5So8B51N/e0A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "commander": "~14.0.2",
+        "commander": "~14.0.3",
         "deep-extend": "~0.6.0",
         "ignore": "~7.0.5",
         "js-yaml": "~4.1.1",
         "jsonc-parser": "~3.3.1",
         "jsonpointer": "~5.0.1",
-        "markdown-it": "~14.1.0",
+        "markdown-it": "~14.1.1",
         "markdownlint": "~0.40.0",
-        "minimatch": "~10.1.1",
+        "minimatch": "~10.2.4",
         "run-con": "~1.3.2",
-        "smol-toml": "~1.5.2",
+        "smol-toml": "~1.6.0",
         "tinyglobby": "~0.2.15"
       },
       "bin": {
@@ -11024,33 +11024,10 @@
         "node": ">=20"
       }
     },
-    "node_modules/markdownlint-cli/node_modules/balanced-match": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.3.tgz",
-      "integrity": "sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
-    "node_modules/markdownlint-cli/node_modules/brace-expansion": {
-      "version": "5.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz",
-      "integrity": "sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^4.0.2"
-      },
-      "engines": {
-        "node": "20 || >=22"
-      }
-    },
     "node_modules/markdownlint-cli/node_modules/commander": {
-      "version": "14.0.2",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.2.tgz",
-      "integrity": "sha512-TywoWNNRbhoD0BXs1P3ZEScW8W5iKrnbithIl0YH+uCmBd0QpPOA8yc82DS3BIE5Ma6FnBVUsJ7wVUDz4dvOWQ==",
+      "version": "14.0.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.3.tgz",
+      "integrity": "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -11074,22 +11051,6 @@
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/markdownlint-cli/node_modules/minimatch": {
-      "version": "10.1.3",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.1.3.tgz",
-      "integrity": "sha512-IF6URNyBX7Z6XfvjpaNy5meRxPZiIf2OqtOoSLs+hLJ9pJAScnM1RjrFcbCaD85y42KcI+oZmKjFIJKYDFjQfg==",
-      "dev": true,
-      "license": "BlueOak-1.0.0",
-      "dependencies": {
-        "brace-expansion": "^5.0.2"
-      },
-      "engines": {
-        "node": "20 || >=22"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
     "node_modules/markdownlint/node_modules/ansi-regex": {
       "version": "6.2.2",
       "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
@@ -13979,9 +13940,9 @@
       }
     },
     "node_modules/smol-toml": {
-      "version": "1.5.2",
-      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.5.2.tgz",
-      "integrity": "sha512-QlaZEqcAH3/RtNyet1IPIYPsEWAaYyXXv1Krsi+1L/QHppjX4Ifm8MQsBISz9vE8cHicIq3clogsheili5vhaQ==",
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.1.tgz",
+      "integrity": "sha512-dWUG8F5sIIARXih1DTaQAX4SsiTXhInKf1buxdY9DIg4ZYPZK5nGM1VRIYmEbDbsHt7USo99xSLFu5Q1IqTmsg==",
       "dev": true,
       "license": "BSD-3-Clause",
       "engines": {
diff --git a/package.json b/package.json
index 432fc0791e..c7d278dc4b 100644
--- a/package.json
+++ b/package.json
@@ -109,7 +109,7 @@
     "globals": "17.4.0",
     "happy-dom": "20.8.9",
     "license-checker-rseidelsohn": "4.4.2",
-    "markdownlint-cli": "0.47.0",
+    "markdownlint-cli": "0.48.0",
     "postcss-html": "1.8.1",
     "sharp": "0.34.5",
     "stylelint": "16.26.1",

From d23d895220407e2ee432b8a6ca4379fd20a59d13 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 10:17:54 +0200
Subject: [PATCH 038/287] Update dependency @playwright/test to v1.58.2
 (forgejo) (#11928)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 24 ++++++++++++------------
 package.json      |  2 +-
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 9ecf2697b6..45ab3e14bf 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -84,7 +84,7 @@
       "devDependencies": {
         "@axe-core/playwright": "4.11.1",
         "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
-        "@playwright/test": "1.57.0",
+        "@playwright/test": "1.58.2",
         "@stoplight/spectral-cli": "6.15.0",
         "@stylistic/eslint-plugin": "5.10.0",
         "@stylistic/stylelint-plugin": "4.0.1",
@@ -2806,13 +2806,13 @@
       }
     },
     "node_modules/@playwright/test": {
-      "version": "1.57.0",
-      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.57.0.tgz",
-      "integrity": "sha512-6TyEnHgd6SArQO8UO2OMTxshln3QMWBtPGrOCgs3wVEmQmwyuNtB10IZMfmYDE0riwNR1cu4q+pPcxMVtaG3TA==",
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.58.2.tgz",
+      "integrity": "sha512-akea+6bHYBBfA9uQqSYmlJXn61cTa+jbO87xVLCWbTqbWadRVmhxlXATaOjOgcBaWU4ePo0wB41KMFv3o35IXA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "playwright": "1.57.0"
+        "playwright": "1.58.2"
       },
       "bin": {
         "playwright": "cli.js"
@@ -12522,13 +12522,13 @@
       }
     },
     "node_modules/playwright": {
-      "version": "1.57.0",
-      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.57.0.tgz",
-      "integrity": "sha512-ilYQj1s8sr2ppEJ2YVadYBN0Mb3mdo9J0wQ+UuDhzYqURwSoW4n1Xs5vs7ORwgDGmyEh33tRMeS8KhdkMoLXQw==",
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.2.tgz",
+      "integrity": "sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "playwright-core": "1.57.0"
+        "playwright-core": "1.58.2"
       },
       "bin": {
         "playwright": "cli.js"
@@ -12541,9 +12541,9 @@
       }
     },
     "node_modules/playwright-core": {
-      "version": "1.57.0",
-      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.57.0.tgz",
-      "integrity": "sha512-agTcKlMw/mjBWOnD6kFZttAAGHgi/Nw0CZ2o6JqWSbMlI219lAFLZZCyqByTsvVAJq5XA5H8cA6PrvBRpBWEuQ==",
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.2.tgz",
+      "integrity": "sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==",
       "dev": true,
       "license": "Apache-2.0",
       "bin": {
diff --git a/package.json b/package.json
index c7d278dc4b..29bf0984dc 100644
--- a/package.json
+++ b/package.json
@@ -83,7 +83,7 @@
   "devDependencies": {
     "@axe-core/playwright": "4.11.1",
     "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
-    "@playwright/test": "1.57.0",
+    "@playwright/test": "1.58.2",
     "@stoplight/spectral-cli": "6.15.0",
     "@stylistic/eslint-plugin": "5.10.0",
     "@stylistic/stylelint-plugin": "4.0.1",

From 8f5dd8153719b23e497732767366f9d1cf86481d Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Wed, 1 Apr 2026 16:05:20 +0200
Subject: [PATCH 039/287] fix: allow repository deletion when referenced by a
 repo-specific access token (#11927)

Fixes #11919.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
    - Will be a fix before the feature is released, therefore not "visible to users".

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11927
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Antonin Delpeuch <wetneb@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 services/repository/delete.go          |  2 ++
 services/repository/repository_test.go | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/services/repository/delete.go b/services/repository/delete.go
index 3ea7e51a9b..8766204f34 100644
--- a/services/repository/delete.go
+++ b/services/repository/delete.go
@@ -13,6 +13,7 @@ import (
 	activities_model "forgejo.org/models/activities"
 	admin_model "forgejo.org/models/admin"
 	asymkey_model "forgejo.org/models/asymkey"
+	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	git_model "forgejo.org/models/git"
 	issues_model "forgejo.org/models/issues"
@@ -189,6 +190,7 @@ func DeleteRepositoryDirectly(ctx context.Context, doer *user_model.User, repoID
 		&actions_model.ActionUser{RepoID: repoID},
 		&repo_model.RepoArchiveDownloadCount{RepoID: repoID},
 		&actions_model.ActionRunnerToken{RepoID: optional.Some(repoID)},
+		&auth_model.AccessTokenResourceRepo{RepoID: repoID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %w", err)
 	}
diff --git a/services/repository/repository_test.go b/services/repository/repository_test.go
index 5f63e4d9cb..e5ae3ecb32 100644
--- a/services/repository/repository_test.go
+++ b/services/repository/repository_test.go
@@ -6,6 +6,7 @@ package repository
 import (
 	"testing"
 
+	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unit"
@@ -62,3 +63,19 @@ func TestDeleteRepository(t *testing.T) {
 	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 	require.NoError(t, DeleteRepository(t.Context(), doer, repo, false))
 }
+
+func TestDeleteRepositoryWithReferences(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+
+	token1 := unittest.AssertExistsAndLoadBean(t, &auth_model.AccessToken{ID: 1})
+	err := db.Insert(t.Context(), &auth_model.AccessTokenResourceRepo{
+		TokenID: token1.ID,
+		RepoID:  repo.ID,
+	})
+	require.NoError(t, err)
+
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	require.NoError(t, DeleteRepository(t.Context(), doer, repo, false))
+}

From 2469344824fbb0546243a3d0b4c565c0056455a3 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 20:16:03 +0200
Subject: [PATCH 040/287] Update module github.com/PuerkitoBio/goquery to
 v1.12.0 (forgejo) (#11941)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index b4634a30b6..8b460a79c2 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/42wim/sshsig v0.0.0-20250502153856-5100632e8920
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358
 	github.com/ProtonMail/go-crypto v1.4.1
-	github.com/PuerkitoBio/goquery v1.11.0
+	github.com/PuerkitoBio/goquery v1.12.0
 	github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.8.0
 	github.com/alecthomas/chroma/v2 v2.23.1
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
diff --git a/go.sum b/go.sum
index 97492a6fa2..3fee3d98b3 100644
--- a/go.sum
+++ b/go.sum
@@ -73,8 +73,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/ProtonMail/go-crypto v1.4.1 h1:9RfcZHqEQUvP8RzecWEUafnZVtEvrBVL9BiF67IQOfM=
 github.com/ProtonMail/go-crypto v1.4.1/go.mod h1:e1OaTyu5SYVrO9gKOEhTc+5UcXtTUa+P3uLudwcgPqo=
-github.com/PuerkitoBio/goquery v1.11.0 h1:jZ7pwMQXIITcUXNH83LLk+txlaEy6NVOfTuP43xxfqw=
-github.com/PuerkitoBio/goquery v1.11.0/go.mod h1:wQHgxUOU3JGuj3oD/QFfxUdlzW6xPHfqyHre6VMY4DQ=
+github.com/PuerkitoBio/goquery v1.12.0 h1:pAcL4g3WRXekcB9AU/y1mbKez2dbY2AajVhtkO8RIBo=
+github.com/PuerkitoBio/goquery v1.12.0/go.mod h1:802ej+gV2y7bbIhOIoPY5sT183ZW0YFofScC4q/hIpQ=
 github.com/RoaringBitmap/roaring/v2 v2.4.5 h1:uGrrMreGjvAtTBobc0g5IrW1D5ldxDQYe2JW2gggRdg=
 github.com/RoaringBitmap/roaring/v2 v2.4.5/go.mod h1:FiJcsfkGje/nZBZgCu0ZxCPOKD/hVXDS2dXi7/eUFE0=
 github.com/STARRY-S/zip v0.2.3 h1:luE4dMvRPDOWQdeDdUxUoZkzUIpTccdKdhHHsQJ1fm4=

From 5add2e0dee5f80ea7604aea2860e604de4b96b1b Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 20:43:17 +0200
Subject: [PATCH 041/287] Update dependency webpack-cli to v7 (forgejo)
 (#11944)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11944
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 88 ++++++++++-------------------------------------
 package.json      |  2 +-
 2 files changed, 19 insertions(+), 71 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 45ab3e14bf..8ae8be8ac3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -78,7 +78,7 @@
         "vue-loader": "17.4.2",
         "vue3-calendar-heatmap": "2.0.5",
         "webpack": "5.105.4",
-        "webpack-cli": "6.0.1",
+        "webpack-cli": "7.0.2",
         "wrap-ansi": "10.0.0"
       },
       "devDependencies": {
@@ -917,9 +917,9 @@
       }
     },
     "node_modules/@discoveryjs/json-ext": {
-      "version": "0.6.3",
-      "resolved": "https://registry.npmjs.org/@discoveryjs/json-ext/-/json-ext-0.6.3.tgz",
-      "integrity": "sha512-4B4OijXeVNOPZlYA2oEwWOTkzyltLao+xbotHQeqN++Rv27Y6s818+n2Qkp8q+Fxhn0t/5lA5X1Mxktud8eayQ==",
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@discoveryjs/json-ext/-/json-ext-1.0.0.tgz",
+      "integrity": "sha512-dDlz3W405VMFO4w5kIP9DOmELBcvFQGmLoKSdIRstBDubKFYwaNHV1NnlzMCQpXQFGWVALmeMORAuiLx18AvZQ==",
       "license": "MIT",
       "engines": {
         "node": ">=14.17.0"
@@ -5356,50 +5356,6 @@
         "@xtuc/long": "4.2.2"
       }
     },
-    "node_modules/@webpack-cli/configtest": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/@webpack-cli/configtest/-/configtest-3.0.1.tgz",
-      "integrity": "sha512-u8d0pJ5YFgneF/GuvEiDA61Tf1VDomHHYMjv/wc9XzYj7nopltpG96nXN5dJRstxZhcNpV1g+nT6CydO7pHbjA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18.12.0"
-      },
-      "peerDependencies": {
-        "webpack": "^5.82.0",
-        "webpack-cli": "6.x.x"
-      }
-    },
-    "node_modules/@webpack-cli/info": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/@webpack-cli/info/-/info-3.0.1.tgz",
-      "integrity": "sha512-coEmDzc2u/ffMvuW9aCjoRzNSPDl/XLuhPdlFRpT9tZHmJ/039az33CE7uH+8s0uL1j5ZNtfdv0HkfaKRBGJsQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18.12.0"
-      },
-      "peerDependencies": {
-        "webpack": "^5.82.0",
-        "webpack-cli": "6.x.x"
-      }
-    },
-    "node_modules/@webpack-cli/serve": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/@webpack-cli/serve/-/serve-3.0.1.tgz",
-      "integrity": "sha512-sbgw03xQaCLiT6gcY/6u3qBDn01CWw/nbaXl3gTdTFuJJ75Gffv3E3DBpgvY2fkkrdS1fpjaXNOmJlnbtKauKg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=18.12.0"
-      },
-      "peerDependencies": {
-        "webpack": "^5.82.0",
-        "webpack-cli": "6.x.x"
-      },
-      "peerDependenciesMeta": {
-        "webpack-dev-server": {
-          "optional": true
-        }
-      }
-    },
     "node_modules/@xtuc/ieee754": {
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/@xtuc/ieee754/-/ieee754-1.2.0.tgz",
@@ -6420,12 +6376,6 @@
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/colorette": {
-      "version": "2.0.20",
-      "resolved": "https://registry.npmjs.org/colorette/-/colorette-2.0.20.tgz",
-      "integrity": "sha512-IfEDxwoWIjkeXL1eXcDiow4UbKjhLdq6/EuSVR9GMN7KVH3r9gQ83e73hsz1Nd1T3ijd5xv1wcWRYO+D6kCI2w==",
-      "license": "MIT"
-    },
     "node_modules/commander": {
       "version": "10.0.1",
       "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.1.tgz",
@@ -15883,18 +15833,14 @@
       }
     },
     "node_modules/webpack-cli": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/webpack-cli/-/webpack-cli-6.0.1.tgz",
-      "integrity": "sha512-MfwFQ6SfwinsUVi0rNJm7rHZ31GyTcpVE5pgVA3hwFRb7COD4TzjUUwhGWKfO50+xdc2MQPuEBBJoqIMGt3JDw==",
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/webpack-cli/-/webpack-cli-7.0.2.tgz",
+      "integrity": "sha512-dB0R4T+C/8YuvM+fabdvil6QE44/ChDXikV5lOOkrUeCkW5hTJv2pGLE3keh+D5hjYw8icBaJkZzpFoaHV4T+g==",
       "license": "MIT",
       "dependencies": {
-        "@discoveryjs/json-ext": "^0.6.1",
-        "@webpack-cli/configtest": "^3.0.1",
-        "@webpack-cli/info": "^3.0.1",
-        "@webpack-cli/serve": "^3.0.1",
-        "colorette": "^2.0.14",
-        "commander": "^12.1.0",
-        "cross-spawn": "^7.0.3",
+        "@discoveryjs/json-ext": "^1.0.0",
+        "commander": "^14.0.3",
+        "cross-spawn": "^7.0.6",
         "envinfo": "^7.14.0",
         "fastest-levenshtein": "^1.0.12",
         "import-local": "^3.0.2",
@@ -15906,14 +15852,16 @@
         "webpack-cli": "bin/cli.js"
       },
       "engines": {
-        "node": ">=18.12.0"
+        "node": ">=20.9.0"
       },
       "funding": {
         "type": "opencollective",
         "url": "https://opencollective.com/webpack"
       },
       "peerDependencies": {
-        "webpack": "^5.82.0"
+        "webpack": "^5.101.0",
+        "webpack-bundle-analyzer": "^4.0.0 || ^5.0.0",
+        "webpack-dev-server": "^5.0.0"
       },
       "peerDependenciesMeta": {
         "webpack-bundle-analyzer": {
@@ -15925,12 +15873,12 @@
       }
     },
     "node_modules/webpack-cli/node_modules/commander": {
-      "version": "12.1.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz",
-      "integrity": "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==",
+      "version": "14.0.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.3.tgz",
+      "integrity": "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==",
       "license": "MIT",
       "engines": {
-        "node": ">=18"
+        "node": ">=20"
       }
     },
     "node_modules/webpack-merge": {
diff --git a/package.json b/package.json
index 29bf0984dc..e17bbf13ed 100644
--- a/package.json
+++ b/package.json
@@ -77,7 +77,7 @@
     "vue-loader": "17.4.2",
     "vue3-calendar-heatmap": "2.0.5",
     "webpack": "5.105.4",
-    "webpack-cli": "6.0.1",
+    "webpack-cli": "7.0.2",
     "wrap-ansi": "10.0.0"
   },
   "devDependencies": {

From b09cf32cb99b48a8a529201175ace366c89cd3ea Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 22:04:54 +0200
Subject: [PATCH 042/287] Update vitest monorepo to v4.1.2 (forgejo) (#11942)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 199 ++++++++++++++++++++++++----------------------
 package.json      |   4 +-
 2 files changed, 108 insertions(+), 95 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 8ae8be8ac3..e2d5d0e3bb 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -89,7 +89,7 @@
         "@stylistic/eslint-plugin": "5.10.0",
         "@stylistic/stylelint-plugin": "4.0.1",
         "@vitejs/plugin-vue": "6.0.5",
-        "@vitest/coverage-v8": "4.0.18",
+        "@vitest/coverage-v8": "4.1.2",
         "@vitest/eslint-plugin": "1.6.13",
         "@vue/test-utils": "2.4.6",
         "eslint": "9.39.4",
@@ -121,7 +121,7 @@
         "typescript": "5.9.3",
         "typescript-eslint": "8.57.2",
         "vite-string-plugin": "2.0.2",
-        "vitest": "4.0.18"
+        "vitest": "4.1.2"
       },
       "engines": {
         "node": ">= 20.0.0"
@@ -4841,29 +4841,29 @@
       }
     },
     "node_modules/@vitest/coverage-v8": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.0.18.tgz",
-      "integrity": "sha512-7i+N2i0+ME+2JFZhfuz7Tg/FqKtilHjGyGvoHYQ6iLV0zahbsJ9sljC9OcFcPDbhYKCet+sG8SsVqlyGvPflZg==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.1.2.tgz",
+      "integrity": "sha512-sPK//PHO+kAkScb8XITeB1bf7fsk85Km7+rt4eeuRR3VS1/crD47cmV5wicisJmjNdfeokTZwjMk4Mj2d58Mgg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@bcoe/v8-coverage": "^1.0.2",
-        "@vitest/utils": "4.0.18",
-        "ast-v8-to-istanbul": "^0.3.10",
+        "@vitest/utils": "4.1.2",
+        "ast-v8-to-istanbul": "^1.0.0",
         "istanbul-lib-coverage": "^3.2.2",
         "istanbul-lib-report": "^3.0.1",
         "istanbul-reports": "^3.2.0",
-        "magicast": "^0.5.1",
+        "magicast": "^0.5.2",
         "obug": "^2.1.1",
-        "std-env": "^3.10.0",
-        "tinyrainbow": "^3.0.3"
+        "std-env": "^4.0.0-rc.1",
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       },
       "peerDependencies": {
-        "@vitest/browser": "4.0.18",
-        "vitest": "4.0.18"
+        "@vitest/browser": "4.1.2",
+        "vitest": "4.1.2"
       },
       "peerDependenciesMeta": {
         "@vitest/browser": {
@@ -4903,31 +4903,31 @@
       }
     },
     "node_modules/@vitest/expect": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.0.18.tgz",
-      "integrity": "sha512-8sCWUyckXXYvx4opfzVY03EOiYVxyNrHS5QxX3DAIi5dpJAAkyJezHCP77VMX4HKA2LDT/Jpfo8i2r5BE3GnQQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.2.tgz",
+      "integrity": "sha512-gbu+7B0YgUJ2nkdsRJrFFW6X7NTP44WlhiclHniUhxADQJH5Szt9mZ9hWnJPJ8YwOK5zUOSSlSvyzRf0u1DSBQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@standard-schema/spec": "^1.0.0",
+        "@standard-schema/spec": "^1.1.0",
         "@types/chai": "^5.2.2",
-        "@vitest/spy": "4.0.18",
-        "@vitest/utils": "4.0.18",
-        "chai": "^6.2.1",
-        "tinyrainbow": "^3.0.3"
+        "@vitest/spy": "4.1.2",
+        "@vitest/utils": "4.1.2",
+        "chai": "^6.2.2",
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@vitest/mocker": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.0.18.tgz",
-      "integrity": "sha512-HhVd0MDnzzsgevnOWCBj5Otnzobjy5wLBe4EdeeFGv8luMsGcYqDuFRMcttKWZA5vVO8RFjexVovXvAM4JoJDQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.2.tgz",
+      "integrity": "sha512-Ize4iQtEALHDttPRCmN+FKqOl2vxTiNUhzobQFFt/BM1lRUTG7zRCLOykG/6Vo4E4hnUdfVLo5/eqKPukcWW7Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/spy": "4.0.18",
+        "@vitest/spy": "4.1.2",
         "estree-walker": "^3.0.3",
         "magic-string": "^0.30.21"
       },
@@ -4936,7 +4936,7 @@
       },
       "peerDependencies": {
         "msw": "^2.4.9",
-        "vite": "^6.0.0 || ^7.0.0-0"
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
       },
       "peerDependenciesMeta": {
         "msw": {
@@ -4975,26 +4975,26 @@
       }
     },
     "node_modules/@vitest/pretty-format": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.0.18.tgz",
-      "integrity": "sha512-P24GK3GulZWC5tz87ux0m8OADrQIUVDPIjjj65vBXYG17ZeU3qD7r+MNZ1RNv4l8CGU2vtTRqixrOi9fYk/yKw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.2.tgz",
+      "integrity": "sha512-dwQga8aejqeuB+TvXCMzSQemvV9hNEtDDpgUKDzOmNQayl2OG241PSWeJwKRH3CiC+sESrmoFd49rfnq7T4RnA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "tinyrainbow": "^3.0.3"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@vitest/runner": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.0.18.tgz",
-      "integrity": "sha512-rpk9y12PGa22Jg6g5M3UVVnTS7+zycIGk9ZNGN+m6tZHKQb7jrP7/77WfZy13Y/EUDd52NDsLRQhYKtv7XfPQw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.2.tgz",
+      "integrity": "sha512-Gr+FQan34CdiYAwpGJmQG8PgkyFVmARK8/xSijia3eTFgVfpcpztWLuP6FttGNfPLJhaZVP/euvujeNYar36OQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/utils": "4.0.18",
+        "@vitest/utils": "4.1.2",
         "pathe": "^2.0.3"
       },
       "funding": {
@@ -5002,13 +5002,14 @@
       }
     },
     "node_modules/@vitest/snapshot": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.0.18.tgz",
-      "integrity": "sha512-PCiV0rcl7jKQjbgYqjtakly6T1uwv/5BQ9SwBLekVg/EaYeQFPiXcgrC2Y7vDMA8dM1SUEAEV82kgSQIlXNMvA==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.2.tgz",
+      "integrity": "sha512-g7yfUmxYS4mNxk31qbOYsSt2F4m1E02LFqO53Xpzg3zKMhLAPZAjjfyl9e6z7HrW6LvUdTwAQR3HHfLjpko16A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/pretty-format": "4.0.18",
+        "@vitest/pretty-format": "4.1.2",
+        "@vitest/utils": "4.1.2",
         "magic-string": "^0.30.21",
         "pathe": "^2.0.3"
       },
@@ -5027,9 +5028,9 @@
       }
     },
     "node_modules/@vitest/spy": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.0.18.tgz",
-      "integrity": "sha512-cbQt3PTSD7P2OARdVW3qWER5EGq7PHlvE+QfzSC0lbwO+xnt7+XH06ZzFjFRgzUX//JmpxrCu92VdwvEPlWSNw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.2.tgz",
+      "integrity": "sha512-DU4fBnbVCJGNBwVA6xSToNXrkZNSiw59H8tcuUspVMsBDBST4nfvsPsEHDHGtWRRnqBERBQu7TrTKskmjqTXKA==",
       "dev": true,
       "license": "MIT",
       "funding": {
@@ -5037,14 +5038,15 @@
       }
     },
     "node_modules/@vitest/utils": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.0.18.tgz",
-      "integrity": "sha512-msMRKLMVLWygpK3u2Hybgi4MNjcYJvwTb0Ru09+fOyCXIgT5raYP041DRRdiJiI3k/2U6SEbAETB3YtBrUkCFA==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.2.tgz",
+      "integrity": "sha512-xw2/TiX82lQHA06cgbqRKFb5lCAy3axQ4H4SoUFhUsg+wztiet+co86IAMDtF6Vm1hc7J6j09oh/rgDn+JdKIQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/pretty-format": "4.0.18",
-        "tinyrainbow": "^3.0.3"
+        "@vitest/pretty-format": "4.1.2",
+        "convert-source-map": "^2.0.0",
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
@@ -5664,15 +5666,15 @@
       }
     },
     "node_modules/ast-v8-to-istanbul": {
-      "version": "0.3.10",
-      "resolved": "https://registry.npmjs.org/ast-v8-to-istanbul/-/ast-v8-to-istanbul-0.3.10.tgz",
-      "integrity": "sha512-p4K7vMz2ZSk3wN8l5o3y2bJAoZXT3VuJI5OLTATY/01CYWumWvwkUw0SqDBnNq6IiTO3qDa1eSQDibAV8g7XOQ==",
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/ast-v8-to-istanbul/-/ast-v8-to-istanbul-1.0.0.tgz",
+      "integrity": "sha512-1fSfIwuDICFA4LKkCzRPO7F0hzFf0B7+Xqrl27ynQaa+Rh0e1Es0v6kWHPott3lU10AyAr7oKHa65OppjLn3Rg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@jridgewell/trace-mapping": "^0.3.31",
         "estree-walker": "^3.0.3",
-        "js-tokens": "^9.0.1"
+        "js-tokens": "^10.0.0"
       }
     },
     "node_modules/ast-v8-to-istanbul/node_modules/@types/estree": {
@@ -5692,6 +5694,13 @@
         "@types/estree": "^1.0.0"
       }
     },
+    "node_modules/ast-v8-to-istanbul/node_modules/js-tokens": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
+      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/astral-regex": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-2.0.0.tgz",
@@ -6427,6 +6436,13 @@
         "proto-list": "~1.2.1"
       }
     },
+    "node_modules/convert-source-map": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
+      "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/core-js-compat": {
       "version": "3.48.0",
       "resolved": "https://registry.npmjs.org/core-js-compat/-/core-js-compat-3.48.0.tgz",
@@ -7758,10 +7774,9 @@
       }
     },
     "node_modules/es-module-lexer": {
-      "version": "1.7.0",
-      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
-      "integrity": "sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==",
-      "dev": true,
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-2.0.0.tgz",
+      "integrity": "sha512-5POEcUuZybH7IdmGsD8wlf0AI55wMecM9rVBTI/qEAy2c1kTOm3DjFYjrBdI2K3BaJjJYfYFeRtM0t9ssnRuxw==",
       "license": "MIT"
     },
     "node_modules/es-object-atoms": {
@@ -10871,14 +10886,14 @@
       }
     },
     "node_modules/magicast": {
-      "version": "0.5.1",
-      "resolved": "https://registry.npmjs.org/magicast/-/magicast-0.5.1.tgz",
-      "integrity": "sha512-xrHS24IxaLrvuo613F719wvOIv9xPHFWQHuvGUBmPnCA/3MQxKI3b+r7n1jAoDHmsbC5bRhTZYR77invLAxVnw==",
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/magicast/-/magicast-0.5.2.tgz",
+      "integrity": "sha512-E3ZJh4J3S9KfwdjZhe2afj6R9lGIN5Pher1pF39UGrXRqq/VDaGVIGN13BjHd2u8B61hArAGOnso7nBOouW3TQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.28.5",
-        "@babel/types": "^7.28.5",
+        "@babel/parser": "^7.29.0",
+        "@babel/types": "^7.29.0",
         "source-map-js": "^1.2.1"
       }
     },
@@ -14086,9 +14101,9 @@
       }
     },
     "node_modules/std-env": {
-      "version": "3.10.0",
-      "resolved": "https://registry.npmjs.org/std-env/-/std-env-3.10.0.tgz",
-      "integrity": "sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==",
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/std-env/-/std-env-4.0.0.tgz",
+      "integrity": "sha512-zUMPtQ/HBY3/50VbpkupYHbRroTRZJPRLvreamgErJVys0ceuzMkD44J/QjqhHjOzK42GQ3QZIeFG1OYfOtKqQ==",
       "dev": true,
       "license": "MIT"
     },
@@ -14879,9 +14894,9 @@
       }
     },
     "node_modules/tinyrainbow": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.0.3.tgz",
-      "integrity": "sha512-PSkbLUoxOFRzJYjjxHJt9xro7D+iilgMX/C9lawzVuYiIdcihh9DXmVibBe8lmcFrRi/VzlPjBxbN7rH24q8/Q==",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.1.0.tgz",
+      "integrity": "sha512-Bf+ILmBgretUrdJxzXM0SgXLZ3XfiaUuOj/IKQHuTXip+05Xn+uyEYdVg0kYDipTBcLrCVyUzAPz7QmArb0mmw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -15512,31 +15527,31 @@
       }
     },
     "node_modules/vitest": {
-      "version": "4.0.18",
-      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.0.18.tgz",
-      "integrity": "sha512-hOQuK7h0FGKgBAas7v0mSAsnvrIgAvWmRFjmzpJ7SwFHH3g1k2u37JtYwOwmEKhK6ZO3v9ggDBBm0La1LCK4uQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.2.tgz",
+      "integrity": "sha512-xjR1dMTVHlFLh98JE3i/f/WePqJsah4A0FK9cc8Ehp9Udk0AZk6ccpIZhh1qJ/yxVWRZ+Q54ocnD8TXmkhspGg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/expect": "4.0.18",
-        "@vitest/mocker": "4.0.18",
-        "@vitest/pretty-format": "4.0.18",
-        "@vitest/runner": "4.0.18",
-        "@vitest/snapshot": "4.0.18",
-        "@vitest/spy": "4.0.18",
-        "@vitest/utils": "4.0.18",
-        "es-module-lexer": "^1.7.0",
-        "expect-type": "^1.2.2",
+        "@vitest/expect": "4.1.2",
+        "@vitest/mocker": "4.1.2",
+        "@vitest/pretty-format": "4.1.2",
+        "@vitest/runner": "4.1.2",
+        "@vitest/snapshot": "4.1.2",
+        "@vitest/spy": "4.1.2",
+        "@vitest/utils": "4.1.2",
+        "es-module-lexer": "^2.0.0",
+        "expect-type": "^1.3.0",
         "magic-string": "^0.30.21",
         "obug": "^2.1.1",
         "pathe": "^2.0.3",
         "picomatch": "^4.0.3",
-        "std-env": "^3.10.0",
+        "std-env": "^4.0.0-rc.1",
         "tinybench": "^2.9.0",
         "tinyexec": "^1.0.2",
         "tinyglobby": "^0.2.15",
-        "tinyrainbow": "^3.0.3",
-        "vite": "^6.0.0 || ^7.0.0",
+        "tinyrainbow": "^3.1.0",
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0",
         "why-is-node-running": "^2.3.0"
       },
       "bin": {
@@ -15552,12 +15567,13 @@
         "@edge-runtime/vm": "*",
         "@opentelemetry/api": "^1.9.0",
         "@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
-        "@vitest/browser-playwright": "4.0.18",
-        "@vitest/browser-preview": "4.0.18",
-        "@vitest/browser-webdriverio": "4.0.18",
-        "@vitest/ui": "4.0.18",
+        "@vitest/browser-playwright": "4.1.2",
+        "@vitest/browser-preview": "4.1.2",
+        "@vitest/browser-webdriverio": "4.1.2",
+        "@vitest/ui": "4.1.2",
         "happy-dom": "*",
-        "jsdom": "*"
+        "jsdom": "*",
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
       },
       "peerDependenciesMeta": {
         "@edge-runtime/vm": {
@@ -15586,6 +15602,9 @@
         },
         "jsdom": {
           "optional": true
+        },
+        "vite": {
+          "optional": false
         }
       }
     },
@@ -15600,9 +15619,9 @@
       }
     },
     "node_modules/vitest/node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -15911,12 +15930,6 @@
       "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
       "license": "MIT"
     },
-    "node_modules/webpack/node_modules/es-module-lexer": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-2.0.0.tgz",
-      "integrity": "sha512-5POEcUuZybH7IdmGsD8wlf0AI55wMecM9rVBTI/qEAy2c1kTOm3DjFYjrBdI2K3BaJjJYfYFeRtM0t9ssnRuxw==",
-      "license": "MIT"
-    },
     "node_modules/webpack/node_modules/eslint-scope": {
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-5.1.1.tgz",
diff --git a/package.json b/package.json
index e17bbf13ed..6cad44ea31 100644
--- a/package.json
+++ b/package.json
@@ -88,7 +88,7 @@
     "@stylistic/eslint-plugin": "5.10.0",
     "@stylistic/stylelint-plugin": "4.0.1",
     "@vitejs/plugin-vue": "6.0.5",
-    "@vitest/coverage-v8": "4.0.18",
+    "@vitest/coverage-v8": "4.1.2",
     "@vitest/eslint-plugin": "1.6.13",
     "@vue/test-utils": "2.4.6",
     "eslint": "9.39.4",
@@ -120,7 +120,7 @@
     "typescript": "5.9.3",
     "typescript-eslint": "8.57.2",
     "vite-string-plugin": "2.0.2",
-    "vitest": "4.0.18"
+    "vitest": "4.1.2"
   },
   "browserslist": ["defaults"],
   "scarfSettings": {

From 6fa7bf933aed973cae75e3cd27ed49d143c6ab6d Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 22:21:33 +0200
Subject: [PATCH 043/287] Update module github.com/inbucket/html2text to v1
 (forgejo) (#11946)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11946
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 8b460a79c2..7a09fe7bba 100644
--- a/go.mod
+++ b/go.mod
@@ -66,7 +66,7 @@ require (
 	github.com/hashicorp/go-version v1.8.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/huandu/xstrings v1.5.0
-	github.com/inbucket/html2text v0.9.0
+	github.com/inbucket/html2text v1.0.0
 	github.com/jackc/pgx/v5 v5.9.1
 	github.com/jhillyerd/enmime/v2 v2.2.0
 	github.com/json-iterator/go v1.1.12
diff --git a/go.sum b/go.sum
index 3fee3d98b3..fb74d8b500 100644
--- a/go.sum
+++ b/go.sum
@@ -441,8 +441,8 @@ github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
-github.com/inbucket/html2text v0.9.0 h1:ULJmVcBEMAcmLE+/rN815KG1Fx6+a4HhbUxiDiN+qks=
-github.com/inbucket/html2text v0.9.0/go.mod h1:QDaumzl+/OzlSVbNohhmg+yAy5pKjUjzCKW2BMvztKE=
+github.com/inbucket/html2text v1.0.0 h1:N5kza++4uBBDJ2Z3KUnTRyPNoBcW+YfOgNiNmNB+sgs=
+github.com/inbucket/html2text v1.0.0/go.mod h1:5TrhXQKGU+LXurODaSm55Y9eXoPBRnYiOz4x2XfUoJU=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=

From d728fddec51aa5248c66840084c7115fa2547ccb Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 1 Apr 2026 23:37:00 +0200
Subject: [PATCH 044/287] Update module
 github.com/golangci/golangci-lint/v2/cmd/golangci-lint to v2.11.4 (forgejo)
 (#11940)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 0008653790..08e8632ac8 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ XGO_VERSION := go-1.21.x
 AIR_PACKAGE ?= github.com/air-verse/air@v1 # renovate: datasource=go
 EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.6.1 # renovate: datasource=go
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.9.2 # renovate: datasource=go
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.10.1 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 # renovate: datasource=go
 GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.15 # renovate: datasource=go
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.2 # renovate: datasource=go
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest

From 77dbc3513864e420cef7d81c46425f3c38ce4c97 Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Thu, 2 Apr 2026 03:29:37 +0200
Subject: [PATCH 045/287] chore: add modernizer linter (#11936)

- Go has a suite of small linters that helps with modernizing Go code by using newer functions and catching small mistakes, https://pkg.go.dev/golang.org/x/tools/go/analysis/passes/modernize.
- Enable this linter in golangci-lint.
- There's also [`go fix`](https://go.dev/blog/gofix), which is not yet released as a linter in golangci-lint: https://github.com/golangci/golangci-lint/pull/6385

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11936
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
---
 .golangci.yml                                 |  1 +
 cmd/cert.go                                   |  4 +-
 cmd/dump.go                                   | 37 ++++++--------
 cmd/dump_repo.go                              |  4 +-
 models/actions/status.go                      |  9 ++--
 models/activities/action.go                   |  7 +--
 models/activities/notification_list.go        | 20 ++------
 models/activities/repo_activity.go            |  5 +-
 models/auth/access_token_scope.go             |  8 +--
 models/auth/oauth2.go                         |  2 +-
 models/auth/source.go                         |  2 +-
 models/db/iterate.go                          |  2 +-
 models/db/name.go                             |  7 ++-
 models/dbfs/dbfile.go                         | 20 ++------
 models/git/protected_branch.go                |  2 +-
 models/gitea_migrations/test/tests.go         |  2 +-
 models/gitea_migrations/v1_11/v111.go         |  7 ++-
 models/gitea_migrations/v1_11/v115.go         |  2 +-
 models/gitea_migrations/v1_20/v259.go         |  2 +-
 models/issues/comment.go                      | 10 ++--
 models/issues/comment_list.go                 | 35 +++----------
 models/issues/issue_list.go                   | 50 ++++---------------
 models/issues/issue_stats.go                  |  5 +-
 models/issues/issue_test.go                   |  7 +--
 models/issues/issue_update.go                 |  2 +-
 models/issues/review_list.go                  |  2 +-
 models/issues/tracked_time.go                 |  5 +-
 models/perm/access/repo_permission.go         | 12 +++--
 models/project/column_test.go                 |  2 +-
 models/pull/review_state.go                   |  5 +-
 models/repo/repo.go                           | 13 +++--
 models/repo/repo_list.go                      |  4 +-
 models/repo/repo_unit.go                      |  6 +--
 models/repo/upload.go                         |  2 +-
 models/unit/unit.go                           | 14 +-----
 models/unittest/fixture_loader.go             |  4 +-
 models/unittest/mock_http.go                  |  8 +--
 models/unittest/reflection.go                 |  2 +-
 models/user/avatar.go                         |  2 +-
 models/user/email_address_test.go             |  8 +--
 models/user/moderation.go                     |  2 +-
 models/user/user.go                           |  4 +-
 models/user/user_test.go                      |  4 +-
 models/webhook/webhook.go                     |  2 +-
 modules/actions/workflows.go                  | 15 ++----
 modules/auth/password/password.go             |  2 +-
 modules/auth/password/password_test.go        |  2 +-
 modules/auth/password/pwn/pwn.go              |  2 +-
 modules/avatar/identicon/block.go             |  4 +-
 modules/avatar/identicon/identicon.go         |  2 +-
 modules/charset/charset.go                    |  2 +-
 modules/charset/charset_test.go               |  2 +-
 modules/forgefed/actor.go                     |  8 +--
 modules/forgefed/repository.go                |  2 +-
 modules/git/commit.go                         |  4 +-
 modules/git/commit_info.go                    |  5 +-
 modules/git/foreachref/format.go              |  8 +--
 modules/git/hook.go                           |  8 +--
 modules/git/last_commit_cache.go              |  2 +-
 modules/git/log_name_status.go                |  5 +-
 modules/git/notes.go                          | 11 ++--
 modules/git/parse.go                          |  8 +--
 modules/git/pushoptions/pushoptions.go        |  2 +-
 modules/git/ref.go                            |  4 +-
 modules/git/repo.go                           |  4 +-
 modules/git/repo_attribute.go                 |  4 +-
 modules/git/repo_index.go                     |  2 +-
 modules/git/repo_tag.go                       |  6 +--
 modules/git/tag.go                            | 10 ++--
 modules/git/tree.go                           |  2 +-
 modules/git/tree_entry.go                     |  2 +-
 modules/git/tree_test.go                      |  2 +-
 modules/hostmatcher/hostmatcher.go            | 11 ++--
 modules/httpcache/httpcache.go                |  2 +-
 modules/httplib/serve.go                      |  5 +-
 modules/indexer/code/git.go                   |  4 +-
 modules/issue/template/template.go            |  8 +--
 modules/label/parser.go                       |  4 +-
 modules/log/event_format.go                   |  6 +--
 modules/log/event_writer_conn_test.go         |  6 +--
 modules/log/flags.go                          |  2 +-
 modules/log/level_test.go                     |  6 +--
 modules/markup/file_preview.go                |  4 +-
 modules/markup/html.go                        | 21 +++-----
 modules/markup/markdown/markdown.go           |  5 +-
 modules/markup/markdown/markdown_test.go      |  4 +-
 .../markup/markdown/math/block_renderer.go    |  2 +-
 modules/markup/markdown/meta_test.go          |  8 +--
 modules/markup/markdown/toc.go                |  2 +-
 modules/markup/markdown/transform_heading.go  |  2 +-
 modules/markup/renderer.go                    | 12 ++---
 modules/packages/npm/creator.go               |  4 +-
 modules/packages/npm/metadata.go              |  2 +-
 modules/packages/nuget/symbol_extractor.go    |  4 +-
 modules/packages/rubygems/marshal.go          |  4 +-
 modules/packages/swift/metadata.go            |  2 +-
 modules/private/serv.go                       | 12 +++--
 modules/public/public.go                      |  2 +-
 modules/queue/base_levelqueue_common.go       |  2 +-
 modules/queue/base_redis.go                   |  2 +-
 modules/queue/base_test.go                    |  2 +-
 modules/queue/manager.go                      |  5 +-
 modules/queue/workergroup.go                  |  8 +--
 modules/queue/workerqueue_test.go             | 22 ++++----
 modules/repository/init.go                    |  2 +-
 modules/setting/config.go                     |  7 +--
 modules/setting/config_env.go                 | 25 +++++-----
 modules/setting/indexer.go                    |  2 +-
 modules/setting/log.go                        |  4 +-
 modules/setting/markup.go                     |  4 +-
 modules/setting/mirror.go                     |  6 +--
 modules/setting/storage.go                    |  8 +--
 modules/structs/action.go                     |  8 +--
 modules/structs/issue.go                      |  2 +-
 modules/structs/repo.go                       |  2 +-
 modules/structs/user.go                       |  4 +-
 modules/structs/user_gpgkey.go                |  4 +-
 modules/structs/user_key.go                   |  2 +-
 modules/templates/eval/eval_test.go           |  2 +-
 modules/templates/htmlrenderer.go             |  2 +-
 modules/templates/scopedtmpl/scopedtmpl.go    | 13 ++---
 modules/templates/util_render.go              |  9 ++--
 modules/test/logchecker.go                    |  4 +-
 modules/testlogger/testlogger.go              |  2 +-
 modules/updatechecker/update_checker.go       |  4 +-
 modules/util/remove.go                        |  6 +--
 .../util/rotatingfilewriter/writer_test.go    |  2 +-
 modules/util/timer_test.go                    | 24 ++++-----
 modules/util/truncate.go                      |  2 +-
 modules/util/util_test.go                     |  2 +-
 modules/validation/binding.go                 | 10 ++--
 modules/validation/helpers.go                 |  8 +--
 modules/validation/validatable.go             |  7 ++-
 modules/web/handler.go                        |  8 +--
 modules/web/middleware/binding.go             |  6 +--
 modules/web/middleware/data.go                |  5 +-
 modules/web/route.go                          |  4 +-
 routers/api/actions/oidc.go                   |  3 +-
 routers/api/packages/cargo/cargo.go           |  5 +-
 routers/api/packages/composer/composer.go     |  5 +-
 routers/api/v1/repo/issue_dependency.go       | 10 +---
 routers/api/v1/repo/wiki.go                   | 10 +---
 routers/install/install.go                    |  8 ++-
 routers/private/serv.go                       | 17 +++----
 routers/web/admin/auths.go                    |  2 +-
 routers/web/admin/config.go                   |  2 +-
 routers/web/admin/notice.go                   |  5 +-
 routers/web/admin/packages.go                 |  5 +-
 routers/web/auth/oauth.go                     | 10 ++--
 routers/web/org/members.go                    |  5 +-
 routers/web/org/projects.go                   |  5 +-
 routers/web/repo/branch.go                    |  5 +-
 routers/web/repo/commit.go                    | 10 +---
 routers/web/repo/editor.go                    |  2 +-
 routers/web/repo/githttp.go                   |  8 +--
 routers/web/repo/issue.go                     | 12 ++---
 routers/web/repo/issue_label_test.go          |  9 ++--
 routers/web/repo/milestone.go                 |  5 +-
 routers/web/repo/packages.go                  |  5 +-
 routers/web/repo/projects.go                  |  5 +-
 routers/web/repo/repo.go                      |  2 +-
 routers/web/repo/setting/lfs.go               | 10 +---
 routers/web/repo/wiki.go                      |  5 +-
 routers/web/shared/actions/runners.go         | 10 +---
 routers/web/user/home.go                      |  7 +--
 routers/web/user/notification.go              | 10 +---
 routers/web/user/package.go                   | 10 +---
 services/actions/rerun.go                     | 13 +++--
 services/auth/oauth2.go                       |  2 +-
 services/auth/source/oauth2/urlmapping.go     | 10 ++--
 .../auth/source/pam/source_authenticate.go    |  6 +--
 .../auth/source/smtp/source_authenticate.go   | 12 ++---
 services/context/api.go                       |  9 +---
 services/context/context_model.go             | 10 ++--
 services/context/permission.go                | 13 ++---
 services/context/repo.go                      |  8 +--
 services/context/upload/upload.go             |  2 +-
 services/convert/activitypub_user_action.go   |  7 +--
 services/cron/tasks.go                        |  2 +-
 services/doctor/push_mirror_consistency.go    |  2 +-
 services/forms/repo_form.go                   |  9 +---
 services/gitdiff/csv.go                       | 10 ++--
 services/gitdiff/gitdiff.go                   |  5 +-
 services/gitdiff/gitdiff_test.go              |  6 +--
 services/gitdiff/highlightdiff_test.go        |  2 +-
 services/issue/issue.go                       |  8 ++-
 services/issue/milestone.go                   |  5 +-
 services/lfs/locks.go                         | 10 +---
 services/lfs/server.go                        |  5 +-
 services/mailer/mailer_test.go                |  4 +-
 services/migrations/gitea_uploader_test.go    |  4 +-
 services/migrations/github.go                 |  4 +-
 services/packages/alt/repository.go           | 15 +++---
 services/packages/arch/repository.go          |  4 +-
 services/pull/merge.go                        |  5 +-
 services/repository/adopt_test.go             |  2 +-
 .../repository/commitstatus/commitstatus.go   |  2 +-
 services/repository/create.go                 |  4 +-
 services/repository/create_test.go            |  2 +-
 services/repository/files/file.go             |  2 +-
 services/repository/files/temp_repo.go        |  2 +-
 services/repository/files/tree.go             |  6 +--
 services/repository/files/update.go           | 17 ++-----
 services/repository/gitgraph/graph_models.go  |  4 +-
 services/repository/gitgraph/graph_test.go    | 29 +++--------
 services/repository/gitgraph/parser.go        | 10 ++--
 services/webhook/deliver_test.go              |  2 -
 services/webhook/dingtalk.go                  | 10 ++--
 services/webhook/discord.go                   |  8 +--
 services/webhook/feishu.go                    | 11 ++--
 services/webhook/matrix.go                    |  9 ++--
 services/webhook/msteams.go                   |  8 +--
 services/webhook/slack.go                     |  8 +--
 services/webhook/telegram.go                  | 10 ++--
 services/webhook/wechatwork.go                |  8 +--
 services/wiki/wiki_path.go                    |  4 +-
 services/wiki/wiki_test.go                    |  4 +-
 tests/integration/actions_trigger_test.go     |  2 +-
 ...pi_activitypub_person_inbox_follow_test.go |  8 +--
 ...ivitypub_person_inbox_useractivity_test.go |  4 +-
 .../api_activitypub_repository_test.go        | 12 ++---
 .../api_helper_for_declarative_test.go        |  2 +-
 tests/integration/api_issue_test.go           | 16 +++---
 tests/integration/api_packages_alt_test.go    | 38 +++++++-------
 tests/integration/api_packages_chef_test.go   |  8 +--
 .../api_packages_container_test.go            |  2 +-
 tests/integration/api_packages_maven_test.go  |  2 +-
 tests/integration/api_repo_topic_test.go      |  2 +-
 tests/integration/cmd_forgejo_actions_test.go |  2 +-
 .../git_helper_for_declarative_test.go        |  4 +-
 tests/integration/git_push_test.go            | 12 ++---
 tests/integration/git_test.go                 | 13 +++--
 tests/integration/integration_test.go         |  4 +-
 tests/integration/issue_comment_test.go       |  9 +---
 tests/integration/issue_test.go               | 21 +++-----
 tests/integration/org_test.go                 |  2 +-
 tests/integration/project_test.go             |  2 +-
 tests/integration/pull_merge_test.go          |  5 +-
 tests/integration/quota_use_test.go           |  5 +-
 tests/integration/release_test.go             |  2 +-
 tests/integration/repo_commits_test.go        |  2 +-
 tests/integration/repo_flags_test.go          |  6 +--
 tests/integration/repo_topic_test.go          |  2 +-
 tests/integration/repo_webhook_test.go        |  9 ++--
 tests/integration/signing_git_test.go         |  2 +-
 tests/integration/signup_test.go              |  6 +--
 tests/integration/ssh_key_test.go             |  2 +-
 tests/integration/user_test.go                |  2 +-
 tests/test_utils.go                           | 32 ++++++------
 249 files changed, 659 insertions(+), 1010 deletions(-)

diff --git a/.golangci.yml b/.golangci.yml
index de3f3a9255..fea9195be2 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -15,6 +15,7 @@ linters:
     - govet
     - importas
     - ineffassign
+    - modernize
     - nakedret
     - nolintlint
     - revive
diff --git a/cmd/cert.go b/cmd/cert.go
index baadcbda85..516ac4ce84 100644
--- a/cmd/cert.go
+++ b/cmd/cert.go
@@ -150,8 +150,8 @@ func runCert(ctx context.Context, c *cli.Command) error {
 		BasicConstraintsValid: true,
 	}
 
-	hosts := strings.Split(c.String("host"), ",")
-	for _, h := range hosts {
+	hosts := strings.SplitSeq(c.String("host"), ",")
+	for h := range hosts {
 		if ip := net.ParseIP(h); ip != nil {
 			template.IPAddresses = append(template.IPAddresses, ip)
 		} else {
diff --git a/cmd/dump.go b/cmd/dump.go
index b94277e529..25459c7731 100644
--- a/cmd/dump.go
+++ b/cmd/dump.go
@@ -12,6 +12,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -83,11 +84,9 @@ func (o outputType) Join() string {
 }
 
 func (o *outputType) Set(value string) error {
-	for _, enum := range o.Enum {
-		if enum == value {
-			o.selected = value
-			return nil
-		}
+	if slices.Contains(o.Enum, value) {
+		o.selected = value
+		return nil
 	}
 
 	return fmt.Errorf("allowed values are %s", o.Join())
@@ -250,8 +249,8 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 		setupConsoleLogger(log.FATAL, log.CanColorStderr, os.Stderr)
 	} else {
 		for _, suffix := range outputTypeEnum.Enum {
-			if strings.HasSuffix(fileName, "."+suffix) {
-				fileName = strings.TrimSuffix(fileName, "."+suffix)
+			if before, ok := strings.CutSuffix(fileName, "."+suffix); ok {
+				fileName = before
 				break
 			}
 		}
@@ -330,14 +329,12 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 	go dumpDatabase(ctx, archiveJobs, &wg, verbose)
 
 	if len(setting.CustomConf) > 0 {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
+		wg.Go(func() {
 			log.Info("Adding custom configuration file from %s", setting.CustomConf)
 			if err := addFile(archiveJobs, "app.ini", setting.CustomConf, verbose); err != nil {
 				fatal("Failed to include specified app.ini: %v", err)
 			}
-		}()
+		})
 	}
 
 	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
@@ -361,15 +358,13 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
 		log.Info("Skipping attachment data")
 	} else {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
+		wg.Go(func() {
 			if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
 				return addObject(archiveJobs, object, path.Join("data", "attachments", objPath), verbose)
 			}); err != nil {
 				fatal("Failed to dump attachments: %v", err)
 			}
-		}()
+		})
 	}
 
 	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
@@ -377,15 +372,13 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 	} else if !setting.Packages.Enabled {
 		log.Info("Package registry not enabled - skipping")
 	} else {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
+		wg.Go(func() {
 			if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
 				return addObject(archiveJobs, object, path.Join("data", "packages", objPath), verbose)
 			}); err != nil {
 				fatal("Failed to dump packages: %v", err)
 			}
-		}()
+		})
 	}
 
 	// Doesn't check if LogRootPath exists before processing --skip-log intentionally,
@@ -399,13 +392,11 @@ func runDump(stdCtx context.Context, ctx *cli.Command) error {
 			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
 		}
 		if isExist {
-			wg.Add(1)
-			go func() {
-				defer wg.Done()
+			wg.Go(func() {
 				if err := addRecursiveExclude(archiveJobs, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
 					fatal("Failed to include log: %v", err)
 				}
-			}()
+			})
 		}
 	}
 
diff --git a/cmd/dump_repo.go b/cmd/dump_repo.go
index 8e0ef0311f..60fffe1226 100644
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@@ -143,8 +143,8 @@ func runDumpRepository(stdCtx context.Context, ctx *cli.Command) error {
 		opts.PullRequests = true
 		opts.ReleaseAssets = true
 	} else {
-		units := strings.Split(ctx.String("units"), ",")
-		for _, unit := range units {
+		units := strings.SplitSeq(ctx.String("units"), ",")
+		for unit := range units {
 			switch strings.ToLower(strings.TrimSpace(unit)) {
 			case "":
 				continue
diff --git a/models/actions/status.go b/models/actions/status.go
index 1f6aa5e890..7f06b6231b 100644
--- a/models/actions/status.go
+++ b/models/actions/status.go
@@ -4,6 +4,8 @@
 package actions
 
 import (
+	"slices"
+
 	"forgejo.org/modules/translation"
 
 	runnerv1 "code.forgejo.org/forgejo/actions-proto/runner/v1"
@@ -107,12 +109,7 @@ func (s Status) IsBlocked() bool {
 
 // In returns whether s is one of the given statuses
 func (s Status) In(statuses ...Status) bool {
-	for _, v := range statuses {
-		if s == v {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(statuses, s)
 }
 
 func (s Status) AsResult() runnerv1.Result {
diff --git a/models/activities/action.go b/models/activities/action.go
index 8fd7709e81..6b3fabfae0 100644
--- a/models/activities/action.go
+++ b/models/activities/action.go
@@ -132,12 +132,7 @@ func (at ActionType) String() string {
 }
 
 func (at ActionType) InActions(actions ...string) bool {
-	for _, action := range actions {
-		if action == at.String() {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(actions, at.String())
 }
 
 // Action represents user operation type and other information to
diff --git a/models/activities/notification_list.go b/models/activities/notification_list.go
index 02206b1d6b..bf6356021e 100644
--- a/models/activities/notification_list.go
+++ b/models/activities/notification_list.go
@@ -213,10 +213,7 @@ func (nl NotificationList) LoadRepos(ctx context.Context) (repo_model.Repository
 	repos := make(map[int64]*repo_model.Repository, len(repoIDs))
 	left := len(repoIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("id", repoIDs[:limit]).
 			Rows(new(repo_model.Repository))
@@ -287,10 +284,7 @@ func (nl NotificationList) LoadIssues(ctx context.Context) ([]int, error) {
 	issues := make(map[int64]*issues_model.Issue, len(issueIDs))
 	left := len(issueIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("id", issueIDs[:limit]).
 			Rows(new(issues_model.Issue))
@@ -382,10 +376,7 @@ func (nl NotificationList) LoadUsers(ctx context.Context) ([]int, error) {
 	users := make(map[int64]*user_model.User, len(userIDs))
 	left := len(userIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("id", userIDs[:limit]).
 			Rows(new(user_model.User))
@@ -433,10 +424,7 @@ func (nl NotificationList) LoadComments(ctx context.Context) ([]int, error) {
 	comments := make(map[int64]*issues_model.Comment, len(commentIDs))
 	left := len(commentIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("id", commentIDs[:limit]).
 			Rows(new(issues_model.Comment))
diff --git a/models/activities/repo_activity.go b/models/activities/repo_activity.go
index 3d15c22e19..0b9522be1b 100644
--- a/models/activities/repo_activity.go
+++ b/models/activities/repo_activity.go
@@ -138,10 +138,7 @@ func GetActivityStatsTopAuthors(ctx context.Context, repo *repo_model.Repository
 		return v[i].Commits > v[j].Commits
 	})
 
-	cnt := count
-	if cnt > len(v) {
-		cnt = len(v)
-	}
+	cnt := min(count, len(v))
 
 	return v[:cnt], nil
 }
diff --git a/models/auth/access_token_scope.go b/models/auth/access_token_scope.go
index d14838cf02..6dc143b122 100644
--- a/models/auth/access_token_scope.go
+++ b/models/auth/access_token_scope.go
@@ -5,6 +5,7 @@ package auth
 
 import (
 	"fmt"
+	"slices"
 	"strings"
 
 	"forgejo.org/models/perm"
@@ -204,12 +205,7 @@ func GetRequiredScopes(level AccessTokenScopeLevel, scopeCategories ...AccessTok
 
 // ContainsCategory checks if a list of categories contains a specific category
 func ContainsCategory(categories []AccessTokenScopeCategory, category AccessTokenScopeCategory) bool {
-	for _, c := range categories {
-		if c == category {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(categories, category)
 }
 
 // GetScopeLevelFromAccessMode converts permission access mode to scope level
diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index fa68197cf0..9acd9a46b0 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -505,7 +505,7 @@ func (grant *OAuth2Grant) IncreaseCounter(ctx context.Context) error {
 
 // ScopeContains returns true if the grant scope contains the specified scope
 func (grant *OAuth2Grant) ScopeContains(scope string) bool {
-	for _, currentScope := range strings.Split(grant.Scope, " ") {
+	for currentScope := range strings.SplitSeq(grant.Scope, " ") {
 		if scope == currentScope {
 			return true
 		}
diff --git a/models/auth/source.go b/models/auth/source.go
index db566c7039..fd016e02da 100644
--- a/models/auth/source.go
+++ b/models/auth/source.go
@@ -91,7 +91,7 @@ var registeredConfigs = map[Type]func() Config{}
 
 // RegisterTypeConfig register a config for a provided type
 func RegisterTypeConfig(typ Type, exemplar Config) {
-	if reflect.TypeOf(exemplar).Kind() == reflect.Ptr {
+	if reflect.TypeOf(exemplar).Kind() == reflect.Pointer {
 		// Pointer:
 		registeredConfigs[typ] = func() Config {
 			return reflect.New(reflect.ValueOf(exemplar).Elem().Type()).Interface().(Config)
diff --git a/models/db/iterate.go b/models/db/iterate.go
index d2315cb12c..c56871d503 100644
--- a/models/db/iterate.go
+++ b/models/db/iterate.go
@@ -80,7 +80,7 @@ func Iterate[Bean any](ctx context.Context, cond builder.Cond, f func(ctx contex
 
 func extractFieldValue(bean any, fieldName string) any {
 	v := reflect.ValueOf(bean)
-	if v.Kind() == reflect.Ptr {
+	if v.Kind() == reflect.Pointer {
 		v = v.Elem()
 	}
 	field := v.FieldByName(fieldName)
diff --git a/models/db/name.go b/models/db/name.go
index d456f49d9c..efd1c2b5f3 100644
--- a/models/db/name.go
+++ b/models/db/name.go
@@ -6,6 +6,7 @@ package db
 import (
 	"fmt"
 	"regexp"
+	"slices"
 	"strings"
 	"unicode/utf8"
 
@@ -114,10 +115,8 @@ func IsUsableName(names, patterns []string, name string) error {
 		return ErrNameEmpty
 	}
 
-	for i := range names {
-		if name == names[i] {
-			return ErrNameReserved{name}
-		}
+	if slices.Contains(names, name) {
+		return ErrNameReserved{name}
 	}
 
 	for _, pat := range patterns {
diff --git a/models/dbfs/dbfile.go b/models/dbfs/dbfile.go
index 8cd64177dd..7e7c58cc6c 100644
--- a/models/dbfs/dbfile.go
+++ b/models/dbfs/dbfile.go
@@ -46,10 +46,7 @@ func (f *file) readAt(fileMeta *DbfsMeta, offset int64, p []byte) (n int, err er
 	blobPos := int(offset % f.blockSize)
 	blobOffset := offset - int64(blobPos)
 	blobRemaining := int(f.blockSize) - blobPos
-	needRead := len(p)
-	if needRead > blobRemaining {
-		needRead = blobRemaining
-	}
+	needRead := min(len(p), blobRemaining)
 	if blobOffset+int64(blobPos)+int64(needRead) > fileMeta.FileSize {
 		needRead = int(fileMeta.FileSize - blobOffset - int64(blobPos))
 	}
@@ -66,14 +63,8 @@ func (f *file) readAt(fileMeta *DbfsMeta, offset int64, p []byte) (n int, err er
 		blobData = nil
 	}
 
-	canCopy := len(blobData) - blobPos
-	if canCopy <= 0 {
-		canCopy = 0
-	}
-	realRead := needRead
-	if realRead > canCopy {
-		realRead = canCopy
-	}
+	canCopy := max(len(blobData)-blobPos, 0)
+	realRead := min(needRead, canCopy)
 	if realRead > 0 {
 		copy(p[:realRead], fileData.BlobData[blobPos:blobPos+realRead])
 	}
@@ -113,10 +104,7 @@ func (f *file) Write(p []byte) (n int, err error) {
 		blobPos := int(f.offset % f.blockSize)
 		blobOffset := f.offset - int64(blobPos)
 		blobRemaining := int(f.blockSize) - blobPos
-		needWrite := len(p)
-		if needWrite > blobRemaining {
-			needWrite = blobRemaining
-		}
+		needWrite := min(len(p), blobRemaining)
 		buf := make([]byte, f.blockSize)
 		readBytes, err := f.readAt(fileMeta, blobOffset, buf)
 		if err != nil && !errors.Is(err, io.EOF) {
diff --git a/models/git/protected_branch.go b/models/git/protected_branch.go
index c1eb750230..3eaada2fdd 100644
--- a/models/git/protected_branch.go
+++ b/models/git/protected_branch.go
@@ -213,7 +213,7 @@ func (protectBranch *ProtectedBranch) GetUnprotectedFilePatterns() []glob.Glob {
 
 func getFilePatterns(filePatterns string) []glob.Glob {
 	extarr := make([]glob.Glob, 0, 10)
-	for _, expr := range strings.Split(strings.ToLower(filePatterns), ";") {
+	for expr := range strings.SplitSeq(strings.ToLower(filePatterns), ";") {
 		expr = strings.TrimSpace(expr)
 		if expr != "" {
 			if g, err := glob.Compile(expr, '.', '/'); err != nil {
diff --git a/models/gitea_migrations/test/tests.go b/models/gitea_migrations/test/tests.go
index fc54b65626..086127a2e8 100644
--- a/models/gitea_migrations/test/tests.go
+++ b/models/gitea_migrations/test/tests.go
@@ -265,7 +265,7 @@ func deleteDB() error {
 
 func removeAllWithRetry(dir string) error {
 	var err error
-	for i := 0; i < 20; i++ {
+	for range 20 {
 		err = os.RemoveAll(dir)
 		if err == nil {
 			break
diff --git a/models/gitea_migrations/v1_11/v111.go b/models/gitea_migrations/v1_11/v111.go
index fcd2ee7be3..59ca416af0 100644
--- a/models/gitea_migrations/v1_11/v111.go
+++ b/models/gitea_migrations/v1_11/v111.go
@@ -5,6 +5,7 @@ package v1_11
 
 import (
 	"fmt"
+	"slices"
 
 	"xorm.io/xorm"
 )
@@ -345,10 +346,8 @@ func AddBranchProtectionCanPushAndEnableWhitelist(x *xorm.Engine) error {
 			}
 			return AccessModeWrite <= perm.UnitsMode[UnitTypeCode], nil
 		}
-		for _, id := range protectedBranch.ApprovalsWhitelistUserIDs {
-			if id == reviewer.ID {
-				return true, nil
-			}
+		if slices.Contains(protectedBranch.ApprovalsWhitelistUserIDs, reviewer.ID) {
+			return true, nil
 		}
 
 		// isUserInTeams
diff --git a/models/gitea_migrations/v1_11/v115.go b/models/gitea_migrations/v1_11/v115.go
index 65094df93d..84364e310b 100644
--- a/models/gitea_migrations/v1_11/v115.go
+++ b/models/gitea_migrations/v1_11/v115.go
@@ -146,7 +146,7 @@ func copyOldAvatarToNewLocation(userID int64, oldAvatar string) (string, error)
 		return "", fmt.Errorf("io.ReadAll: %w", err)
 	}
 
-	newAvatar := fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%d-%x", userID, md5.Sum(data)))))
+	newAvatar := fmt.Sprintf("%x", md5.Sum(fmt.Appendf(nil, "%d-%x", userID, md5.Sum(data))))
 	if newAvatar == oldAvatar {
 		return newAvatar, nil
 	}
diff --git a/models/gitea_migrations/v1_20/v259.go b/models/gitea_migrations/v1_20/v259.go
index 9b2b68263e..1ae8b2e30f 100644
--- a/models/gitea_migrations/v1_20/v259.go
+++ b/models/gitea_migrations/v1_20/v259.go
@@ -329,7 +329,7 @@ func ConvertScopedAccessTokens(x *xorm.Engine) error {
 	for _, token := range tokens {
 		var scopes []string
 		allNewScopesMap := make(map[AccessTokenScope]bool)
-		for _, oldScope := range strings.Split(token.Scope, ",") {
+		for oldScope := range strings.SplitSeq(token.Scope, ",") {
 			if newScopes, exists := accessTokenScopeMap[OldAccessTokenScope(oldScope)]; exists {
 				for _, newScope := range newScopes {
 					allNewScopesMap[newScope] = true
diff --git a/models/issues/comment.go b/models/issues/comment.go
index 325fcbe30b..fd0f595945 100644
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"html/template"
+	"slices"
 	"strconv"
 	"unicode/utf8"
 
@@ -198,12 +199,7 @@ func (t CommentType) HasMailReplySupport() bool {
 }
 
 func (t CommentType) CountedAsConversation() bool {
-	for _, ct := range ConversationCountedCommentType() {
-		if t == ct {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(ConversationCountedCommentType(), t)
 }
 
 // ConversationCountedCommentType returns the comment types that are counted as a conversation
@@ -619,7 +615,7 @@ func (c *Comment) UpdateAttachments(ctx context.Context, uuids []string) error {
 	if err != nil {
 		return fmt.Errorf("FindRepoAttachmentsByUUID[uuids=%q,repoID=%d]: %w", uuids, c.Issue.RepoID, err)
 	}
-	for i := 0; i < len(attachments); i++ {
+	for i := range attachments {
 		attachments[i].IssueID = c.IssueID
 		attachments[i].CommentID = c.ID
 		if err := repo_model.UpdateAttachment(ctx, attachments[i]); err != nil {
diff --git a/models/issues/comment_list.go b/models/issues/comment_list.go
index 3996dcb29a..53903bea31 100644
--- a/models/issues/comment_list.go
+++ b/models/issues/comment_list.go
@@ -54,10 +54,7 @@ func (comments CommentList) loadLabels(ctx context.Context) error {
 	commentLabels := make(map[int64]*Label, len(labelIDs))
 	left := len(labelIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("id", labelIDs[:limit]).
 			Rows(new(Label))
@@ -104,10 +101,7 @@ func (comments CommentList) loadMilestones(ctx context.Context) error {
 	milestones := make(map[int64]*Milestone, len(milestoneIDs))
 	left := len(milestoneIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		err := db.GetEngine(ctx).
 			In("id", milestoneIDs[:limit]).
 			Find(&milestones)
@@ -143,10 +137,7 @@ func (comments CommentList) loadOldMilestones(ctx context.Context) error {
 	milestones := make(map[int64]*Milestone, len(milestoneIDs))
 	left := len(milestoneIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		err := db.GetEngine(ctx).
 			In("id", milestoneIDs[:limit]).
 			Find(&milestones)
@@ -178,10 +169,7 @@ func (comments CommentList) loadAssignees(ctx context.Context) error {
 	assignees := make(map[int64]*user_model.User, len(assigneeIDs))
 	left := len(assigneeIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("id", assigneeIDs[:limit]).
 			Rows(new(user_model.User))
@@ -246,10 +234,7 @@ func (comments CommentList) LoadIssues(ctx context.Context) error {
 	issues := make(map[int64]*Issue, len(issueIDs))
 	left := len(issueIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("id", issueIDs[:limit]).
 			Rows(new(Issue))
@@ -300,10 +285,7 @@ func (comments CommentList) loadDependentIssues(ctx context.Context) error {
 	issues := make(map[int64]*Issue, len(issueIDs))
 	left := len(issueIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := e.
 			In("id", issueIDs[:limit]).
 			Rows(new(Issue))
@@ -379,10 +361,7 @@ func (comments CommentList) LoadAttachments(ctx context.Context) (err error) {
 	commentsIDs := comments.getAttachmentCommentIDs()
 	left := len(commentsIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("comment_id", commentsIDs[:limit]).
 			Rows(new(repo_model.Attachment))
diff --git a/models/issues/issue_list.go b/models/issues/issue_list.go
index 5a02baa428..34cfe35475 100644
--- a/models/issues/issue_list.go
+++ b/models/issues/issue_list.go
@@ -43,10 +43,7 @@ func (issues IssueList) LoadRepositories(ctx context.Context) (repo_model.Reposi
 	repoMaps := make(map[int64]*repo_model.Repository, len(repoIDs))
 	left := len(repoIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		err := db.GetEngine(ctx).
 			In("id", repoIDs[:limit]).
 			Find(&repoMaps)
@@ -99,10 +96,7 @@ func getPostersByIDs(ctx context.Context, posterIDs []int64) (map[int64]*user_mo
 	posterMaps := make(map[int64]*user_model.User, len(posterIDs))
 	left := len(posterIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		err := db.GetEngine(ctx).
 			In("id", posterIDs[:limit]).
 			Find(&posterMaps)
@@ -137,10 +131,7 @@ func (issues IssueList) LoadLabels(ctx context.Context) error {
 	issueIDs := issues.getIssueIDs()
 	left := len(issueIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).Table("label").
 			Join("LEFT", "issue_label", "issue_label.label_id = label.id").
 			In("issue_label.issue_id", issueIDs[:limit]).
@@ -192,10 +183,7 @@ func (issues IssueList) LoadMilestones(ctx context.Context) error {
 	milestoneMaps := make(map[int64]*Milestone, len(milestoneIDs))
 	left := len(milestoneIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		err := db.GetEngine(ctx).
 			In("id", milestoneIDs[:limit]).
 			Find(&milestoneMaps)
@@ -224,10 +212,7 @@ func (issues IssueList) LoadProjects(ctx context.Context) error {
 	}
 
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 
 		projects := make([]*projectWithIssueID, 0, limit)
 		err := db.GetEngine(ctx).
@@ -266,10 +251,7 @@ func (issues IssueList) LoadAssignees(ctx context.Context) error {
 	issueIDs := issues.getIssueIDs()
 	left := len(issueIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).Table("issue_assignees").
 			Join("INNER", "`user`", "`user`.id = `issue_assignees`.assignee_id").
 			In("`issue_assignees`.issue_id", issueIDs[:limit]).OrderBy(user_model.GetOrderByName()).
@@ -327,10 +309,7 @@ func (issues IssueList) LoadPullRequests(ctx context.Context) error {
 	pullRequestMaps := make(map[int64]*PullRequest, len(issuesIDs))
 	left := len(issuesIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("issue_id", issuesIDs[:limit]).
 			Rows(new(PullRequest))
@@ -375,10 +354,7 @@ func (issues IssueList) LoadAttachments(ctx context.Context) (err error) {
 	issuesIDs := issues.getIssueIDs()
 	left := len(issuesIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).
 			In("issue_id", issuesIDs[:limit]).
 			Rows(new(repo_model.Attachment))
@@ -420,10 +396,7 @@ func (issues IssueList) loadComments(ctx context.Context, cond builder.Cond) (er
 	issuesIDs := issues.getIssueIDs()
 	left := len(issuesIDs)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 		rows, err := db.GetEngine(ctx).Table("comment").
 			Join("INNER", "issue", "issue.id = comment.issue_id").
 			In("issue.id", issuesIDs[:limit]).
@@ -486,10 +459,7 @@ func (issues IssueList) loadTotalTrackedTimes(ctx context.Context) (err error) {
 
 	left := len(ids)
 	for left > 0 {
-		limit := db.DefaultMaxInSize
-		if left < limit {
-			limit = left
-		}
+		limit := min(left, db.DefaultMaxInSize)
 
 		// select issue_id, sum(time) from tracked_time where issue_id in (<issue ids in current page>) group by issue_id
 		rows, err := db.GetEngine(ctx).Table("tracked_time").
diff --git a/models/issues/issue_stats.go b/models/issues/issue_stats.go
index 2fd2641d92..03660803a4 100644
--- a/models/issues/issue_stats.go
+++ b/models/issues/issue_stats.go
@@ -94,10 +94,7 @@ func GetIssueStats(ctx context.Context, opts *IssuesOptions) (*IssueStats, error
 	// ids in a temporary table and join from them.
 	accum := &IssueStats{}
 	for i := 0; i < len(opts.IssueIDs); {
-		chunk := i + MaxQueryParameters
-		if chunk > len(opts.IssueIDs) {
-			chunk = len(opts.IssueIDs)
-		}
+		chunk := min(i+MaxQueryParameters, len(opts.IssueIDs))
 		stats, err := getIssueStatsChunk(ctx, opts, opts.IssueIDs[i:chunk])
 		if err != nil {
 			return nil, err
diff --git a/models/issues/issue_test.go b/models/issues/issue_test.go
index e9617548e9..0c5da6a2aa 100644
--- a/models/issues/issue_test.go
+++ b/models/issues/issue_test.go
@@ -5,6 +5,7 @@ package issues_test
 
 import (
 	"fmt"
+	"slices"
 	"sort"
 	"sync"
 	"testing"
@@ -311,7 +312,7 @@ func TestIssue_ResolveMentions(t *testing.T) {
 		for i, user := range resolved {
 			ids[i] = user.ID
 		}
-		sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
+		slices.Sort(ids)
 		assert.Equal(t, expected, ids)
 	}
 
@@ -338,7 +339,7 @@ func TestResourceIndex(t *testing.T) {
 	require.NoError(t, err)
 
 	var wg sync.WaitGroup
-	for i := 0; i < 100; i++ {
+	for i := range 100 {
 		wg.Add(1)
 		t.Run(fmt.Sprintf("issue %d", i+1), func(t *testing.T) {
 			t.Parallel()
@@ -369,7 +370,7 @@ func TestCorrectIssueStats(t *testing.T) {
 	issueAmount := issues_model.MaxQueryParameters + 10
 
 	var wg sync.WaitGroup
-	for i := 0; i < issueAmount; i++ {
+	for i := range issueAmount {
 		wg.Add(1)
 		go func(i int) {
 			testInsertIssue(t, fmt.Sprintf("Issue %d", i+1), "Bugs are nasty", 0)
diff --git a/models/issues/issue_update.go b/models/issues/issue_update.go
index 22e6fcb8d4..35f69e3a0b 100644
--- a/models/issues/issue_update.go
+++ b/models/issues/issue_update.go
@@ -244,7 +244,7 @@ func UpdateIssueAttachments(ctx context.Context, issue *Issue, uuids []string) (
 	if err != nil {
 		return fmt.Errorf("FindRepoAttachmentsByUUID[uuids=%q,repoID=%d]: %w", uuids, issue.RepoID, err)
 	}
-	for i := 0; i < len(attachments); i++ {
+	for i := range attachments {
 		attachments[i].IssueID = issue.ID
 		if err := repo_model.UpdateAttachment(ctx, attachments[i]); err != nil {
 			return fmt.Errorf("update attachment [id: %d]: %w", attachments[i].ID, err)
diff --git a/models/issues/review_list.go b/models/issues/review_list.go
index 04c08bc5c4..878ceac9ce 100644
--- a/models/issues/review_list.go
+++ b/models/issues/review_list.go
@@ -20,7 +20,7 @@ type ReviewList []*Review
 // LoadReviewers loads reviewers
 func (reviews ReviewList) LoadReviewers(ctx context.Context) error {
 	reviewerIDs := make([]int64, len(reviews))
-	for i := 0; i < len(reviews); i++ {
+	for i := range reviews {
 		reviewerIDs[i] = reviews[i].ReviewerID
 	}
 	reviewers, err := user_model.GetPossibleUserByIDs(ctx, reviewerIDs)
diff --git a/models/issues/tracked_time.go b/models/issues/tracked_time.go
index 2f050759d2..54173681bd 100644
--- a/models/issues/tracked_time.go
+++ b/models/issues/tracked_time.go
@@ -350,10 +350,7 @@ func GetIssueTotalTrackedTime(ctx context.Context, opts *IssuesOptions, isClosed
 	// we get the statistics in smaller chunks and get accumulates
 	var accum int64
 	for i := 0; i < len(opts.IssueIDs); {
-		chunk := i + MaxQueryParameters
-		if chunk > len(opts.IssueIDs) {
-			chunk = len(opts.IssueIDs)
-		}
+		chunk := min(i+MaxQueryParameters, len(opts.IssueIDs))
 		time, err := getIssueTotalTrackedTimeChunk(ctx, opts, isClosed, opts.IssueIDs[i:chunk])
 		if err != nil {
 			return 0, err
diff --git a/models/perm/access/repo_permission.go b/models/perm/access/repo_permission.go
index 22639d1e42..fd1b93c867 100644
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@@ -6,6 +6,7 @@ package access
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
@@ -115,7 +116,8 @@ func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool {
 }
 
 func (p *Permission) LogString() string {
-	format := "<Permission AccessMode=%s, %d Units, %d UnitsMode(s): [ "
+	var format strings.Builder
+	format.WriteString("<Permission AccessMode=%s, %d Units, %d UnitsMode(s): [ ")
 	args := []any{p.AccessMode.String(), len(p.Units), len(p.UnitsMode)}
 
 	for i, unit := range p.Units {
@@ -127,15 +129,15 @@ func (p *Permission) LogString() string {
 				config = err.Error()
 			}
 		}
-		format += "\nUnits[%d]: ID: %d RepoID: %d Type: %s Config: %s"
+		format.WriteString("\nUnits[%d]: ID: %d RepoID: %d Type: %s Config: %s")
 		args = append(args, i, unit.ID, unit.RepoID, unit.Type.LogString(), config)
 	}
 	for key, value := range p.UnitsMode {
-		format += "\nUnitMode[%-v]: %-v"
+		format.WriteString("\nUnitMode[%-v]: %-v")
 		args = append(args, key.LogString(), value.LogString())
 	}
-	format += " ]>"
-	return fmt.Sprintf(format, args...)
+	format.WriteString(" ]>")
+	return fmt.Sprintf(format.String(), args...)
 }
 
 func GetActionRepoPermission(ctx context.Context, repo *repo_model.Repository, task *actions_model.ActionTask) (Permission, error) {
diff --git a/models/project/column_test.go b/models/project/column_test.go
index aef7a6f9d4..2f4cc79367 100644
--- a/models/project/column_test.go
+++ b/models/project/column_test.go
@@ -164,7 +164,7 @@ func Test_NewColumn(t *testing.T) {
 	require.NoError(t, err)
 	assert.Len(t, columns, 3)
 
-	for i := 0; i < maxProjectColumns-3; i++ {
+	for i := range maxProjectColumns - 3 {
 		err := NewColumn(db.DefaultContext, &Column{
 			Title:     fmt.Sprintf("column-%d", i+4),
 			ProjectID: project1.ID,
diff --git a/models/pull/review_state.go b/models/pull/review_state.go
index 2702d5d5a1..3fc3ab65c2 100644
--- a/models/pull/review_state.go
+++ b/models/pull/review_state.go
@@ -6,6 +6,7 @@ package pull
 import (
 	"context"
 	"fmt"
+	"maps"
 
 	"forgejo.org/models/db"
 	"forgejo.org/modules/log"
@@ -100,9 +101,7 @@ func mergeFiles(oldFiles, newFiles map[string]ViewedState) map[string]ViewedStat
 		return oldFiles
 	}
 
-	for file, viewed := range newFiles {
-		oldFiles[file] = viewed
-	}
+	maps.Copy(oldFiles, newFiles)
 	return oldFiles
 }
 
diff --git a/models/repo/repo.go b/models/repo/repo.go
index cdb30aa1a9..0c45f483e4 100644
--- a/models/repo/repo.go
+++ b/models/repo/repo.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"html/template"
+	"maps"
 	"net"
 	"net/url"
 	"path/filepath"
@@ -543,9 +544,7 @@ func (repo *Repository) ComposeMetas(ctx context.Context) map[string]string {
 func (repo *Repository) ComposeDocumentMetas(ctx context.Context) map[string]string {
 	if len(repo.DocumentRenderingMetas) == 0 {
 		metas := map[string]string{}
-		for k, v := range repo.ComposeMetas(ctx) {
-			metas[k] = v
-		}
+		maps.Copy(metas, repo.ComposeMetas(ctx))
 		metas["mode"] = "document"
 		repo.DocumentRenderingMetas = metas
 	}
@@ -786,8 +785,8 @@ func GetRepositoryByName(ctx context.Context, ownerID int64, name string) (*Repo
 
 // getRepositoryURLPathSegments returns segments (owner, reponame) extracted from a url
 func getRepositoryURLPathSegments(repoURL string) []string {
-	if strings.HasPrefix(repoURL, setting.AppURL) {
-		return strings.Split(strings.TrimPrefix(repoURL, setting.AppURL), "/")
+	if after, ok := strings.CutPrefix(repoURL, setting.AppURL); ok {
+		return strings.Split(after, "/")
 	}
 
 	sshURLVariants := [4]string{
@@ -798,8 +797,8 @@ func getRepositoryURLPathSegments(repoURL string) []string {
 	}
 
 	for _, sshURL := range sshURLVariants {
-		if strings.HasPrefix(repoURL, sshURL) {
-			return strings.Split(strings.TrimPrefix(repoURL, sshURL), "/")
+		if after, ok := strings.CutPrefix(repoURL, sshURL); ok {
+			return strings.Split(after, "/")
 		}
 	}
 
diff --git a/models/repo/repo_list.go b/models/repo/repo_list.go
index 732d7b627c..daa60c81e9 100644
--- a/models/repo/repo_list.go
+++ b/models/repo/repo_list.go
@@ -401,7 +401,7 @@ func SearchRepositoryCondition(opts *SearchRepoOptions) builder.Cond {
 	if opts.Keyword != "" {
 		// separate keyword
 		subQueryCond := builder.NewCond()
-		for _, v := range strings.Split(opts.Keyword, ",") {
+		for v := range strings.SplitSeq(opts.Keyword, ",") {
 			if opts.TopicOnly {
 				subQueryCond = subQueryCond.Or(builder.Eq{"topic.name": strings.ToLower(v)})
 			} else {
@@ -416,7 +416,7 @@ func SearchRepositoryCondition(opts *SearchRepoOptions) builder.Cond {
 		keywordCond := builder.In("id", subQuery)
 		if !opts.TopicOnly {
 			likes := builder.NewCond()
-			for _, v := range strings.Split(opts.Keyword, ",") {
+			for v := range strings.SplitSeq(opts.Keyword, ",") {
 				likes = likes.Or(builder.Like{"lower_name", strings.ToLower(v)})
 
 				// If the string looks like "org/repo", match against that pattern too
diff --git a/models/repo/repo_unit.go b/models/repo/repo_unit.go
index aa6f2fa0ae..3db6dc95e8 100644
--- a/models/repo/repo_unit.go
+++ b/models/repo/repo_unit.go
@@ -237,10 +237,8 @@ func (cfg *ActionsConfig) IsWorkflowDisabled(file string) bool {
 }
 
 func (cfg *ActionsConfig) DisableWorkflow(file string) {
-	for _, workflow := range cfg.DisabledWorkflows {
-		if file == workflow {
-			return
-		}
+	if slices.Contains(cfg.DisabledWorkflows, file) {
+		return
 	}
 
 	cfg.DisabledWorkflows = append(cfg.DisabledWorkflows, file)
diff --git a/models/repo/upload.go b/models/repo/upload.go
index a213cb1986..67b5409650 100644
--- a/models/repo/upload.go
+++ b/models/repo/upload.go
@@ -117,7 +117,7 @@ func DeleteUploads(ctx context.Context, uploads ...*Upload) (err error) {
 	defer committer.Close()
 
 	ids := make([]int64, len(uploads))
-	for i := 0; i < len(uploads); i++ {
+	for i := range uploads {
 		ids[i] = uploads[i].ID
 	}
 	if err = db.DeleteByIDs[Upload](ctx, ids...); err != nil {
diff --git a/models/unit/unit.go b/models/unit/unit.go
index 434e5f0acc..2a31c804aa 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -248,22 +248,12 @@ func LoadUnitConfig() error {
 
 // UnitGlobalDisabled checks if unit type is global disabled
 func (u Type) UnitGlobalDisabled() bool {
-	for _, ud := range DisabledRepoUnitsGet() {
-		if u == ud {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(DisabledRepoUnitsGet(), u)
 }
 
 // CanBeDefault checks if the unit type can be a default repo unit
 func (u *Type) CanBeDefault() bool {
-	for _, nadU := range NotAllowedDefaultRepoUnits {
-		if *u == nadU {
-			return false
-		}
-	}
-	return true
+	return !slices.Contains(NotAllowedDefaultRepoUnits, *u)
 }
 
 // Unit is a section of one repository
diff --git a/models/unittest/fixture_loader.go b/models/unittest/fixture_loader.go
index 5aea06550c..3cf2efdced 100644
--- a/models/unittest/fixture_loader.go
+++ b/models/unittest/fixture_loader.go
@@ -151,8 +151,8 @@ func (l *loader) buildFixtureFile(fixturePath string) (*fixtureFile, error) {
 			switch v := value.(type) {
 			case string:
 				// Try to decode hex.
-				if strings.HasPrefix(v, "0x") {
-					value, err = hex.DecodeString(strings.TrimPrefix(v, "0x"))
+				if after, ok := strings.CutPrefix(v, "0x"); ok {
+					value, err = hex.DecodeString(after)
 					if err != nil {
 						return nil, err
 					}
diff --git a/models/unittest/mock_http.go b/models/unittest/mock_http.go
index b8413104b3..5e420533d8 100644
--- a/models/unittest/mock_http.go
+++ b/models/unittest/mock_http.go
@@ -102,13 +102,13 @@ func NewMockWebServer(t *testing.T, liveServerBaseURL, testDataDir string, liveM
 		// parse back the fixture file into a series of HTTP headers followed by response body
 		lines := strings.Split(stringFixture, "\n")
 		for idx, line := range lines {
-			colonIndex := strings.Index(line, ": ")
-			if colonIndex != -1 {
+			before, after, ok := strings.Cut(line, ": ")
+			if ok {
 				// Because we modified the body with ReplaceAll() above, we need to
 				// remove Content-Length. w.Write() should add it back.
-				header := line[0:colonIndex]
+				header := before
 				if !strings.EqualFold(header, "Content-Length") {
-					w.Header().Set(line[0:colonIndex], line[colonIndex+2:])
+					w.Header().Set(before, after)
 				}
 			} else {
 				// we reached the end of the headers (empty line), so what follows is the body
diff --git a/models/unittest/reflection.go b/models/unittest/reflection.go
index 141fc66b99..939891283d 100644
--- a/models/unittest/reflection.go
+++ b/models/unittest/reflection.go
@@ -9,7 +9,7 @@ import (
 )
 
 func fieldByName(v reflect.Value, field string) reflect.Value {
-	if v.Kind() == reflect.Ptr {
+	if v.Kind() == reflect.Pointer {
 		v = v.Elem()
 	}
 	f := v.FieldByName(field)
diff --git a/models/user/avatar.go b/models/user/avatar.go
index cc1b1b7b9d..726d67f5e0 100644
--- a/models/user/avatar.go
+++ b/models/user/avatar.go
@@ -108,7 +108,7 @@ func (u *User) IsUploadAvatarChanged(data []byte) bool {
 	if !u.UseCustomAvatar || len(u.Avatar) == 0 {
 		return true
 	}
-	avatarID := fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%d-%x", u.ID, md5.Sum(data)))))
+	avatarID := fmt.Sprintf("%x", md5.Sum(fmt.Appendf(nil, "%d-%x", u.ID, md5.Sum(data))))
 	return u.Avatar != avatarID
 }
 
diff --git a/models/user/email_address_test.go b/models/user/email_address_test.go
index 85f5b16c65..35b33933c2 100644
--- a/models/user/email_address_test.go
+++ b/models/user/email_address_test.go
@@ -5,6 +5,7 @@ package user_test
 
 import (
 	"fmt"
+	"slices"
 	"testing"
 
 	"forgejo.org/models/db"
@@ -77,12 +78,7 @@ func TestListEmails(t *testing.T) {
 	assert.Greater(t, count, int64(5))
 
 	contains := func(match func(s *user_model.SearchEmailResult) bool) bool {
-		for _, v := range emails {
-			if match(v) {
-				return true
-			}
-		}
-		return false
+		return slices.ContainsFunc(emails, match)
 	}
 
 	assert.True(t, contains(func(s *user_model.SearchEmailResult) bool { return s.UID == 18 }))
diff --git a/models/user/moderation.go b/models/user/moderation.go
index 7bc857489a..765414acc0 100644
--- a/models/user/moderation.go
+++ b/models/user/moderation.go
@@ -87,7 +87,7 @@ func newUserData(user *User) UserData {
 // (e.g. FieldName -> field_name) corresponding to UserData struct fields.
 var userDataColumnNames = sync.OnceValue(func() []string {
 	mapper := new(names.GonicMapper)
-	udType := reflect.TypeOf(UserData{})
+	udType := reflect.TypeFor[UserData]()
 	columnNames := make([]string, 0, udType.NumField())
 	for i := 0; i < udType.NumField(); i++ {
 		columnNames = append(columnNames, mapper.Obj2Table(udType.Field(i).Name))
diff --git a/models/user/user.go b/models/user/user.go
index 7e2101d7cc..2c20cd977d 100644
--- a/models/user/user.go
+++ b/models/user/user.go
@@ -1243,8 +1243,8 @@ func GetUserByEmail(ctx context.Context, email string) (*User, error) {
 	}
 
 	// Finally, if email address is the protected email address:
-	if strings.HasSuffix(email, fmt.Sprintf("@%s", setting.Service.NoReplyAddress)) {
-		username := strings.TrimSuffix(email, fmt.Sprintf("@%s", setting.Service.NoReplyAddress))
+	if before, ok := strings.CutSuffix(email, fmt.Sprintf("@%s", setting.Service.NoReplyAddress)); ok {
+		username := before
 		user := &User{}
 		has, err := db.GetEngine(ctx).Where("lower_name=?", username).Get(user)
 		if err != nil {
diff --git a/models/user/user_test.go b/models/user/user_test.go
index d1af3a750f..6da645d672 100644
--- a/models/user/user_test.go
+++ b/models/user/user_test.go
@@ -273,9 +273,9 @@ func TestHashPasswordDeterministic(t *testing.T) {
 	b := make([]byte, 16)
 	u := &user_model.User{}
 	algos := hash.RecommendedHashAlgorithms
-	for j := 0; j < len(algos); j++ {
+	for j := range algos {
 		u.PasswdHashAlgo = algos[j]
-		for i := 0; i < 50; i++ {
+		for range 50 {
 			// generate a random password
 			rand.Read(b)
 			pass := string(b)
diff --git a/models/webhook/webhook.go b/models/webhook/webhook.go
index b23f3fd348..196a5313bc 100644
--- a/models/webhook/webhook.go
+++ b/models/webhook/webhook.go
@@ -429,7 +429,7 @@ func CreateWebhooks(ctx context.Context, ws []*Webhook) error {
 	if len(ws) == 0 {
 		return nil
 	}
-	for i := 0; i < len(ws); i++ {
+	for i := range ws {
 		ws[i].Type = strings.TrimSpace(ws[i].Type)
 	}
 	return db.Insert(ctx, ws)
diff --git a/modules/actions/workflows.go b/modules/actions/workflows.go
index 99c9446805..ed54ccc98b 100644
--- a/modules/actions/workflows.go
+++ b/modules/actions/workflows.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"slices"
 	"strings"
 
 	actions_model "forgejo.org/models/actions"
@@ -609,11 +610,8 @@ func matchPullRequestReviewEvent(prPayload *api.PullRequestPayload, evt *jobpars
 
 			matched := false
 			for _, val := range vals {
-				for _, action := range actions {
-					if glob.MustCompile(val, '/').Match(action) {
-						matched = true
-						break
-					}
+				if slices.ContainsFunc(actions, glob.MustCompile(val, '/').Match) {
+					matched = true
 				}
 				if matched {
 					break
@@ -658,11 +656,8 @@ func matchPullRequestReviewCommentEvent(prPayload *api.PullRequestPayload, evt *
 
 			matched := false
 			for _, val := range vals {
-				for _, action := range actions {
-					if glob.MustCompile(val, '/').Match(action) {
-						matched = true
-						break
-					}
+				if slices.ContainsFunc(actions, glob.MustCompile(val, '/').Match) {
+					matched = true
 				}
 				if matched {
 					break
diff --git a/modules/auth/password/password.go b/modules/auth/password/password.go
index fdbc4ff291..744a431ea8 100644
--- a/modules/auth/password/password.go
+++ b/modules/auth/password/password.go
@@ -101,7 +101,7 @@ func Generate(n int) (string, error) {
 	buffer := make([]byte, n)
 	max := big.NewInt(int64(len(validChars)))
 	for {
-		for j := 0; j < n; j++ {
+		for j := range n {
 			rnd, err := rand.Int(rand.Reader, max)
 			if err != nil {
 				return "", err
diff --git a/modules/auth/password/password_test.go b/modules/auth/password/password_test.go
index 1fe3fb5ce1..8f5d64514c 100644
--- a/modules/auth/password/password_test.go
+++ b/modules/auth/password/password_test.go
@@ -51,7 +51,7 @@ func TestComplexity_Generate(t *testing.T) {
 
 	test := func(t *testing.T, modes []string) {
 		testComplextity(modes)
-		for i := 0; i < maxCount; i++ {
+		for range maxCount {
 			pwd, err := Generate(pwdLen)
 			require.NoError(t, err)
 			assert.Len(t, pwd, pwdLen)
diff --git a/modules/auth/password/pwn/pwn.go b/modules/auth/password/pwn/pwn.go
index 10693ec663..f3277ff616 100644
--- a/modules/auth/password/pwn/pwn.go
+++ b/modules/auth/password/pwn/pwn.go
@@ -101,7 +101,7 @@ func (c *Client) CheckPassword(pw string, padding bool) (int, error) {
 	}
 	defer resp.Body.Close()
 
-	for _, pair := range strings.Split(string(body), "\n") {
+	for pair := range strings.SplitSeq(string(body), "\n") {
 		parts := strings.Split(pair, ":")
 		if len(parts) != 2 {
 			continue
diff --git a/modules/avatar/identicon/block.go b/modules/avatar/identicon/block.go
index cb1803a231..fc8ce90212 100644
--- a/modules/avatar/identicon/block.go
+++ b/modules/avatar/identicon/block.go
@@ -24,8 +24,8 @@ func drawBlock(img *image.Paletted, x, y, size, angle int, points []int) {
 		rotate(points, m, m, angle)
 	}
 
-	for i := 0; i < size; i++ {
-		for j := 0; j < size; j++ {
+	for i := range size {
+		for j := range size {
 			if pointInPolygon(i, j, points) {
 				img.SetColorIndex(x+i, y+j, 1)
 			}
diff --git a/modules/avatar/identicon/identicon.go b/modules/avatar/identicon/identicon.go
index 13e8ec88e6..19f87da85a 100644
--- a/modules/avatar/identicon/identicon.go
+++ b/modules/avatar/identicon/identicon.go
@@ -134,7 +134,7 @@ func drawBlocks(p *image.Paletted, size int, c, b1, b2 blockFunc, b1Angle, b2Ang
 
 	// then we make it left-right mirror, so we didn't draw 3/6/9 before
 	for x := 0; x < size/2; x++ {
-		for y := 0; y < size; y++ {
+		for y := range size {
 			p.SetColorIndex(size-x, y, p.ColorIndexAt(x, y))
 		}
 	}
diff --git a/modules/charset/charset.go b/modules/charset/charset.go
index cb03deb966..d4121fb27f 100644
--- a/modules/charset/charset.go
+++ b/modules/charset/charset.go
@@ -164,7 +164,7 @@ func DetectEncoding(content []byte) (string, error) {
 		}
 		times := 1024 / len(content)
 		detectContent = make([]byte, 0, times*len(content))
-		for i := 0; i < times; i++ {
+		for range times {
 			detectContent = append(detectContent, content...)
 		}
 	} else {
diff --git a/modules/charset/charset_test.go b/modules/charset/charset_test.go
index 358220494b..c29987beb6 100644
--- a/modules/charset/charset_test.go
+++ b/modules/charset/charset_test.go
@@ -243,7 +243,7 @@ func stringMustEndWith(t *testing.T, expected, value string) {
 func TestToUTF8WithFallbackReader(t *testing.T) {
 	resetDefaultCharsetsOrder()
 
-	for testLen := 0; testLen < 2048; testLen++ {
+	for testLen := range 2048 {
 		pattern := "    test { () }\n"
 		input := ""
 		for len(input) < testLen {
diff --git a/modules/forgefed/actor.go b/modules/forgefed/actor.go
index 5383d5adaf..1f6e1f1fdf 100644
--- a/modules/forgefed/actor.go
+++ b/modules/forgefed/actor.go
@@ -6,6 +6,7 @@ package forgefed
 import (
 	"fmt"
 	"net/url"
+	"slices"
 	"strconv"
 	"strings"
 
@@ -107,12 +108,7 @@ func newActorID(uri string) (ActorID, error) {
 }
 
 func containsEmptyString(ar []string) bool {
-	for _, elem := range ar {
-		if elem == "" {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(ar, "")
 }
 
 func removeEmptyStrings(ls []string) []string {
diff --git a/modules/forgefed/repository.go b/modules/forgefed/repository.go
index 63680ccd35..1e85d1e64c 100644
--- a/modules/forgefed/repository.go
+++ b/modules/forgefed/repository.go
@@ -88,7 +88,7 @@ func ToRepository(it ap.Item) (*Repository, error) {
 		return (*Repository)(unsafe.Pointer(&i)), nil
 	default:
 		// NOTE(marius): this is an ugly way of dealing with the interface conversion error: types from different scopes
-		typ := reflect.TypeOf(new(Repository))
+		typ := reflect.TypeFor[*Repository]()
 		if i, ok := reflect.ValueOf(it).Convert(typ).Interface().(*Repository); ok {
 			return i, nil
 		}
diff --git a/modules/git/commit.go b/modules/git/commit.go
index 4fb13ecd4f..36ba8ef8ca 100644
--- a/modules/git/commit.go
+++ b/modules/git/commit.go
@@ -269,8 +269,8 @@ func NewSearchCommitsOptions(searchString string, forAllRefs bool) SearchCommits
 	var keywords, authors, committers []string
 	var after, before string
 
-	fields := strings.Fields(searchString)
-	for _, k := range fields {
+	fields := strings.FieldsSeq(searchString)
+	for k := range fields {
 		switch {
 		case strings.HasPrefix(k, "author:"):
 			authors = append(authors, strings.TrimPrefix(k, "author:"))
diff --git a/modules/git/commit_info.go b/modules/git/commit_info.go
index 6511a1689a..62f58f8767 100644
--- a/modules/git/commit_info.go
+++ b/modules/git/commit_info.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"maps"
 	"path"
 	"sort"
 
@@ -45,9 +46,7 @@ func (tes Entries) GetCommitsInfo(ctx context.Context, commit *Commit, treePath
 				return nil, nil, err
 			}
 
-			for pth, found := range commits {
-				revs[pth] = found
-			}
+			maps.Copy(revs, commits)
 		}
 	} else {
 		sort.Strings(entryPaths)
diff --git a/modules/git/foreachref/format.go b/modules/git/foreachref/format.go
index 2f5ec08991..87c1c9a4ff 100644
--- a/modules/git/foreachref/format.go
+++ b/modules/git/foreachref/format.go
@@ -75,9 +75,9 @@ func (f Format) Parser(r io.Reader) *Parser {
 // hexEscaped produces hex-escaped characters from a string. For example, "\n\0"
 // would turn into "%0a%00".
 func (f Format) hexEscaped(delim []byte) string {
-	escaped := ""
-	for i := 0; i < len(delim); i++ {
-		escaped += "%" + hex.EncodeToString([]byte{delim[i]})
+	var escaped strings.Builder
+	for i := range delim {
+		escaped.WriteString("%" + hex.EncodeToString([]byte{delim[i]}))
 	}
-	return escaped
+	return escaped.String()
 }
diff --git a/modules/git/hook.go b/modules/git/hook.go
index bef4d024c8..3b650fe9db 100644
--- a/modules/git/hook.go
+++ b/modules/git/hook.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"strings"
 
 	"forgejo.org/modules/log"
@@ -27,12 +28,7 @@ var ErrNotValidHook = errors.New("not a valid Git hook")
 
 // IsValidHookName returns true if given name is a valid Git hook.
 func IsValidHookName(name string) bool {
-	for _, hn := range hookNames {
-		if hn == name {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(hookNames, name)
 }
 
 // Hook represents a Git hook.
diff --git a/modules/git/last_commit_cache.go b/modules/git/last_commit_cache.go
index 1d7e74a0d7..9b49a18aaa 100644
--- a/modules/git/last_commit_cache.go
+++ b/modules/git/last_commit_cache.go
@@ -21,7 +21,7 @@ type Cache interface {
 }
 
 func getCacheKey(repoPath, commitID, entryPath string) string {
-	hashBytes := sha256.Sum256([]byte(fmt.Sprintf("%s:%s:%s", repoPath, commitID, entryPath)))
+	hashBytes := sha256.Sum256(fmt.Appendf(nil, "%s:%s:%s", repoPath, commitID, entryPath))
 	return fmt.Sprintf("last_commit:%x", hashBytes)
 }
 
diff --git a/modules/git/log_name_status.go b/modules/git/log_name_status.go
index 50786e7a42..800e83c4a4 100644
--- a/modules/git/log_name_status.go
+++ b/modules/git/log_name_status.go
@@ -346,10 +346,7 @@ func WalkGitLog(ctx context.Context, repo *Repository, head *Commit, treepath st
 
 	results := make([]string, len(paths))
 	remaining := len(paths)
-	nextRestart := (len(paths) * 3) / 4
-	if nextRestart > 70 {
-		nextRestart = 70
-	}
+	nextRestart := min((len(paths)*3)/4, 70)
 	lastEmptyParent := head.ID.String()
 	commitSinceLastEmptyParent := uint64(0)
 	commitSinceNextRestart := uint64(0)
diff --git a/modules/git/notes.go b/modules/git/notes.go
index a52314bdd7..1bc68b6366 100644
--- a/modules/git/notes.go
+++ b/modules/git/notes.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"io"
 	"os"
+	"strings"
 
 	"forgejo.org/modules/log"
 )
@@ -33,7 +34,7 @@ func GetNote(ctx context.Context, repo *Repository, commitID string) (*Note, err
 		return nil, err
 	}
 
-	path := ""
+	var path strings.Builder
 
 	tree := &notes.Tree
 	log.Trace("Found tree with ID %q while searching for git note corresponding to the commit %q", tree.ID, commitID)
@@ -43,12 +44,12 @@ func GetNote(ctx context.Context, repo *Repository, commitID string) (*Note, err
 	for len(commitID) > 2 {
 		entry, err = tree.GetTreeEntryByPath(commitID)
 		if err == nil {
-			path += commitID
+			path.WriteString(commitID)
 			break
 		}
 		if IsErrNotExist(err) {
 			tree, err = tree.SubTree(commitID[0:2])
-			path += commitID[0:2] + "/"
+			path.WriteString(commitID[0:2] + "/")
 			commitID = commitID[2:]
 		}
 		if err != nil {
@@ -80,9 +81,9 @@ func GetNote(ctx context.Context, repo *Repository, commitID string) (*Note, err
 	_ = dataRc.Close()
 	closed = true
 
-	lastCommit, err := repo.getCommitByPathWithID(notes.ID, path)
+	lastCommit, err := repo.getCommitByPathWithID(notes.ID, path.String())
 	if err != nil {
-		log.Error("Unable to get the commit for the path %q. Error: %v", path, err)
+		log.Error("Unable to get the commit for the path %q. Error: %v", path.String(), err)
 		return nil, err
 	}
 
diff --git a/modules/git/parse.go b/modules/git/parse.go
index c7b84d7198..d2d70d4cfa 100644
--- a/modules/git/parse.go
+++ b/modules/git/parse.go
@@ -33,16 +33,16 @@ func parseTreeEntries(data []byte, ptree *Tree) ([]*TreeEntry, error) {
 			posEnd += pos
 		}
 		line := data[pos:posEnd]
-		posTab := bytes.IndexByte(line, '\t')
-		if posTab == -1 {
+		before, after, ok := bytes.Cut(line, []byte{'\t'})
+		if !ok {
 			return nil, fmt.Errorf("invalid ls-tree output (no tab): %q", line)
 		}
 
 		entry := new(TreeEntry)
 		entry.ptree = ptree
 
-		entryAttrs := line[:posTab]
-		entryName := line[posTab+1:]
+		entryAttrs := before
+		entryName := after
 
 		entryMode, entryAttrs, _ := bytes.Cut(entryAttrs, sepSpace)
 		_ /* entryType */, entryAttrs, _ = bytes.Cut(entryAttrs, sepSpace) // the type is not used, the mode is enough to determine the type
diff --git a/modules/git/pushoptions/pushoptions.go b/modules/git/pushoptions/pushoptions.go
index 3fa2e01c44..14e2c5d283 100644
--- a/modules/git/pushoptions/pushoptions.go
+++ b/modules/git/pushoptions/pushoptions.go
@@ -52,7 +52,7 @@ func NewFromMap(o *map[string]string) Interface {
 
 func (o *gitPushOptions) ReadEnv() Interface {
 	if pushCount, err := strconv.Atoi(os.Getenv(EnvCount)); err == nil {
-		for idx := 0; idx < pushCount; idx++ {
+		for idx := range pushCount {
 			_ = o.Parse(os.Getenv(fmt.Sprintf(EnvFormat, idx)))
 		}
 	}
diff --git a/modules/git/ref.go b/modules/git/ref.go
index 1475d4dc5a..fdccd2b2e2 100644
--- a/modules/git/ref.go
+++ b/modules/git/ref.go
@@ -105,8 +105,8 @@ func (ref RefName) IsFor() bool {
 }
 
 func (ref RefName) nameWithoutPrefix(prefix string) string {
-	if strings.HasPrefix(string(ref), prefix) {
-		return strings.TrimPrefix(string(ref), prefix)
+	if after, ok := strings.CutPrefix(string(ref), prefix); ok {
+		return after
 	}
 	return ""
 }
diff --git a/modules/git/repo.go b/modules/git/repo.go
index 21845d9b55..6bd03f8e3c 100644
--- a/modules/git/repo.go
+++ b/modules/git/repo.go
@@ -46,9 +46,9 @@ func (repo *Repository) parsePrettyFormatLogToList(logs []byte) ([]*Commit, erro
 		return commits, nil
 	}
 
-	parts := bytes.Split(logs, []byte{'\n'})
+	parts := bytes.SplitSeq(logs, []byte{'\n'})
 
-	for _, commitID := range parts {
+	for commitID := range parts {
 		commit, err := repo.GetCommit(string(commitID))
 		if err != nil {
 			return nil, err
diff --git a/modules/git/repo_attribute.go b/modules/git/repo_attribute.go
index 2b07513162..56a86bde14 100644
--- a/modules/git/repo_attribute.go
+++ b/modules/git/repo_attribute.go
@@ -96,8 +96,8 @@ func (ca GitAttribute) String() string {
 // sometimes used within gitlab-language: https://docs.gitlab.com/ee/user/project/highlighting.html#override-syntax-highlighting-for-a-file-type
 func (ca GitAttribute) Prefix() string {
 	s := ca.String()
-	if i := strings.IndexByte(s, '?'); i >= 0 {
-		return s[:i]
+	if before, _, ok := strings.Cut(s, "?"); ok {
+		return before
 	}
 	return s
 }
diff --git a/modules/git/repo_index.go b/modules/git/repo_index.go
index f58757a9a2..7fc5c573dd 100644
--- a/modules/git/repo_index.go
+++ b/modules/git/repo_index.go
@@ -95,7 +95,7 @@ func (repo *Repository) LsFiles(filenames ...string) ([]string, error) {
 		return nil, err
 	}
 	filelist := make([]string, 0, len(filenames))
-	for _, line := range bytes.Split(res, []byte{'\000'}) {
+	for line := range bytes.SplitSeq(res, []byte{'\000'}) {
 		filelist = append(filelist, string(line))
 	}
 
diff --git a/modules/git/repo_tag.go b/modules/git/repo_tag.go
index f7f04e1f10..bd851a3be3 100644
--- a/modules/git/repo_tag.go
+++ b/modules/git/repo_tag.go
@@ -42,8 +42,8 @@ func (repo *Repository) GetTagNameBySHA(sha string) (string, error) {
 		return "", err
 	}
 
-	tagRefs := strings.Split(stdout, "\n")
-	for _, tagRef := range tagRefs {
+	tagRefs := strings.SplitSeq(stdout, "\n")
+	for tagRef := range tagRefs {
 		if len(strings.TrimSpace(tagRef)) > 0 {
 			fields := strings.Fields(tagRef)
 			if strings.HasPrefix(fields[0], sha) && strings.HasPrefix(fields[1], TagPrefix) {
@@ -65,7 +65,7 @@ func (repo *Repository) GetTagID(name string) (string, error) {
 		return "", err
 	}
 	// Make sure exact match is used: "v1" != "release/v1"
-	for _, line := range strings.Split(stdout, "\n") {
+	for line := range strings.SplitSeq(stdout, "\n") {
 		fields := strings.Fields(line)
 		if len(fields) == 2 && fields[1] == "refs/tags/"+name {
 			return fields[0], nil
diff --git a/modules/git/tag.go b/modules/git/tag.go
index edbe54b853..3af062a51a 100644
--- a/modules/git/tag.go
+++ b/modules/git/tag.go
@@ -50,20 +50,20 @@ l:
 		switch {
 		case eol > 0:
 			line := data[nextline : nextline+eol]
-			spacepos := bytes.IndexByte(line, ' ')
-			reftype := line[:spacepos]
+			before, after, _ := bytes.Cut(line, []byte{' '})
+			reftype := before
 			switch string(reftype) {
 			case "object":
-				id, err := NewIDFromString(string(line[spacepos+1:]))
+				id, err := NewIDFromString(string(after))
 				if err != nil {
 					return nil, err
 				}
 				tag.Object = id
 			case "type":
 				// A commit can have one or more parents
-				tag.Type = string(line[spacepos+1:])
+				tag.Type = string(after)
 			case "tagger":
-				tag.Tagger = parseSignatureFromCommitLine(util.UnsafeBytesToString(line[spacepos+1:]))
+				tag.Tagger = parseSignatureFromCommitLine(util.UnsafeBytesToString(after))
 			}
 			nextline += eol + 1
 		case eol == 0:
diff --git a/modules/git/tree.go b/modules/git/tree.go
index f6201f6cc9..9a91787c9e 100644
--- a/modules/git/tree.go
+++ b/modules/git/tree.go
@@ -170,7 +170,7 @@ func (repo *Repository) LsTree(ref string, filenames ...string) ([]string, error
 		return nil, err
 	}
 	filelist := make([]string, 0, len(filenames))
-	for _, line := range bytes.Split(res, []byte{'\000'}) {
+	for line := range bytes.SplitSeq(res, []byte{'\000'}) {
 		filelist = append(filelist, string(line))
 	}
 
diff --git a/modules/git/tree_entry.go b/modules/git/tree_entry.go
index 8b6c4c467c..5e3bb8ac21 100644
--- a/modules/git/tree_entry.go
+++ b/modules/git/tree_entry.go
@@ -171,7 +171,7 @@ func (te *TreeEntry) FollowLinks() (*TreeEntry, string, error) {
 	}
 	entry := te
 	entryLink := ""
-	for i := 0; i < 999; i++ {
+	for range 999 {
 		if entry.IsLink() {
 			next, link, err := entry.FollowLink()
 			entryLink = link
diff --git a/modules/git/tree_test.go b/modules/git/tree_test.go
index aa092cc56b..6277154acd 100644
--- a/modules/git/tree_test.go
+++ b/modules/git/tree_test.go
@@ -20,7 +20,7 @@ func TestSubTree_Issue29101(t *testing.T) {
 	require.NoError(t, err)
 
 	// old code could produce a different error if called multiple times
-	for i := 0; i < 10; i++ {
+	for range 10 {
 		_, err = commit.SubTree("file1.txt")
 		require.Error(t, err)
 		assert.True(t, IsErrNotExist(err))
diff --git a/modules/hostmatcher/hostmatcher.go b/modules/hostmatcher/hostmatcher.go
index 1069310316..15c6371422 100644
--- a/modules/hostmatcher/hostmatcher.go
+++ b/modules/hostmatcher/hostmatcher.go
@@ -6,6 +6,7 @@ package hostmatcher
 import (
 	"net"
 	"path/filepath"
+	"slices"
 	"strings"
 )
 
@@ -38,7 +39,7 @@ func isBuiltin(s string) bool {
 // ParseHostMatchList parses the host list HostMatchList
 func ParseHostMatchList(settingKeyHint, hostList string) *HostMatchList {
 	hl := &HostMatchList{SettingKeyHint: settingKeyHint, SettingValue: hostList}
-	for _, s := range strings.Split(hostList, ",") {
+	for s := range strings.SplitSeq(hostList, ",") {
 		s = strings.ToLower(strings.TrimSpace(s))
 		if s == "" {
 			continue
@@ -61,7 +62,7 @@ func ParseSimpleMatchList(settingKeyHint, matchList string) *HostMatchList {
 		SettingKeyHint: settingKeyHint,
 		SettingValue:   matchList,
 	}
-	for _, s := range strings.Split(matchList, ",") {
+	for s := range strings.SplitSeq(matchList, ",") {
 		s = strings.ToLower(strings.TrimSpace(s))
 		if s == "" {
 			continue
@@ -98,10 +99,8 @@ func (hl *HostMatchList) checkPattern(host string) bool {
 }
 
 func (hl *HostMatchList) checkIP(ip net.IP) bool {
-	for _, pattern := range hl.patterns {
-		if pattern == "*" {
-			return true
-		}
+	if slices.Contains(hl.patterns, "*") {
+		return true
 	}
 	for _, builtin := range hl.builtins {
 		switch builtin {
diff --git a/modules/httpcache/httpcache.go b/modules/httpcache/httpcache.go
index 7978fc38a1..311f7215b2 100644
--- a/modules/httpcache/httpcache.go
+++ b/modules/httpcache/httpcache.go
@@ -59,7 +59,7 @@ func HandleGenericETagCache(req *http.Request, w http.ResponseWriter, etag strin
 func checkIfNoneMatchIsValid(req *http.Request, etag string) bool {
 	ifNoneMatch := req.Header.Get("If-None-Match")
 	if len(ifNoneMatch) > 0 {
-		for _, item := range strings.Split(ifNoneMatch, ",") {
+		for item := range strings.SplitSeq(ifNoneMatch, ",") {
 			item = strings.TrimPrefix(strings.TrimSpace(item), "W/") // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag#directives
 			if item == etag {
 				return true
diff --git a/modules/httplib/serve.go b/modules/httplib/serve.go
index d385ac21c9..4c71437fc5 100644
--- a/modules/httplib/serve.go
+++ b/modules/httplib/serve.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"maps"
 	"net/http"
 	"net/url"
 	"path"
@@ -86,9 +87,7 @@ func ServeSetHeaders(w http.ResponseWriter, opts *ServeHeaderOptions) {
 	}
 
 	if opts.AdditionalHeaders != nil {
-		for k, v := range opts.AdditionalHeaders {
-			header[k] = v
-		}
+		maps.Copy(header, opts.AdditionalHeaders)
 	}
 }
 
diff --git a/modules/indexer/code/git.go b/modules/indexer/code/git.go
index 14a43cf3be..8ec3c1181f 100644
--- a/modules/indexer/code/git.go
+++ b/modules/indexer/code/git.go
@@ -129,8 +129,8 @@ func nonGenesisChanges(ctx context.Context, repo *repo_model.Repository, revisio
 		changes.Updates = append(changes.Updates, updates...)
 		return nil
 	}
-	lines := strings.Split(stdout, "\n")
-	for _, line := range lines {
+	lines := strings.SplitSeq(stdout, "\n")
+	for line := range lines {
 		line = strings.TrimSpace(line)
 		if len(line) == 0 {
 			continue
diff --git a/modules/issue/template/template.go b/modules/issue/template/template.go
index 08c1b21c26..09dfe10e08 100644
--- a/modules/issue/template/template.go
+++ b/modules/issue/template/template.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net/url"
 	"regexp"
+	"slices"
 	"strconv"
 	"strings"
 
@@ -447,12 +448,7 @@ func (o *valuedOption) IsChecked() bool {
 	case api.IssueFormFieldTypeDropdown:
 		checks := strings.Split(o.field.Get(fmt.Sprintf("form-field-%s", o.field.ID)), ",")
 		idx := strconv.Itoa(o.index)
-		for _, v := range checks {
-			if v == idx {
-				return true
-			}
-		}
-		return false
+		return slices.Contains(checks, idx)
 	case api.IssueFormFieldTypeCheckboxes:
 		return o.field.Get(fmt.Sprintf("form-field-%s-%d", o.field.ID, o.index)) == "on"
 	}
diff --git a/modules/label/parser.go b/modules/label/parser.go
index 12fc176967..b27b2c9ee6 100644
--- a/modules/label/parser.go
+++ b/modules/label/parser.go
@@ -72,7 +72,7 @@ func parseYamlFormat(fileName string, data []byte) ([]*Label, error) {
 func parseLegacyFormat(fileName string, data []byte) ([]*Label, error) {
 	lines := strings.Split(string(data), "\n")
 	list := make([]*Label, 0, len(lines))
-	for i := 0; i < len(lines); i++ {
+	for i := range lines {
 		line := strings.TrimSpace(lines[i])
 		if len(line) == 0 {
 			continue
@@ -108,7 +108,7 @@ func LoadTemplateDescription(fileName string) (string, error) {
 		return "", err
 	}
 
-	for i := 0; i < len(list); i++ {
+	for i := range list {
 		if i > 0 {
 			buf.WriteString(", ")
 		}
diff --git a/modules/log/event_format.go b/modules/log/event_format.go
index 6835a4ca5b..70df2cbce2 100644
--- a/modules/log/event_format.go
+++ b/modules/log/event_format.go
@@ -208,7 +208,7 @@ func EventFormatTextMessage(mode *WriterMode, event *Event, msgFormat string, ms
 			}
 		}
 		if hasColorValue {
-			msg = []byte(fmt.Sprintf(msgFormat, msgArgs...))
+			msg = fmt.Appendf(nil, msgFormat, msgArgs...)
 		}
 	}
 	// try to reuse the pre-formatted simple text message
@@ -227,8 +227,8 @@ func EventFormatTextMessage(mode *WriterMode, event *Event, msgFormat string, ms
 	buf = append(buf, msg...)
 
 	if event.Stacktrace != "" && mode.StacktraceLevel <= event.Level {
-		lines := bytes.Split([]byte(event.Stacktrace), []byte("\n"))
-		for _, line := range lines {
+		lines := bytes.SplitSeq([]byte(event.Stacktrace), []byte("\n"))
+		for line := range lines {
 			buf = append(buf, "\n\t"...)
 			buf = append(buf, line...)
 		}
diff --git a/modules/log/event_writer_conn_test.go b/modules/log/event_writer_conn_test.go
index 0cf447149a..6d528a68d1 100644
--- a/modules/log/event_writer_conn_test.go
+++ b/modules/log/event_writer_conn_test.go
@@ -63,11 +63,9 @@ func TestConnLogger(t *testing.T) {
 	}
 	expected := fmt.Sprintf("%s%s %s:%d:%s [%c] %s\n", prefix, dateString, event.Filename, event.Line, event.Caller, strings.ToUpper(event.Level.String())[0], event.MsgSimpleText)
 	var wg sync.WaitGroup
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
+	wg.Go(func() {
 		listenReadAndClose(t, l, expected)
-	}()
+	})
 	logger.SendLogEvent(&event)
 	wg.Wait()
 
diff --git a/modules/log/flags.go b/modules/log/flags.go
index 1e4fe830c1..c428d58a1d 100644
--- a/modules/log/flags.go
+++ b/modules/log/flags.go
@@ -124,7 +124,7 @@ func FlagsFromString(from string, def ...uint32) Flags {
 		return Flags{defined: true, flags: def[0]}
 	}
 	flags := uint32(0)
-	for _, flag := range strings.Split(strings.ToLower(from), ",") {
+	for flag := range strings.SplitSeq(strings.ToLower(from), ",") {
 		flags |= flagFromString[strings.TrimSpace(flag)]
 	}
 	return Flags{defined: true, flags: flags}
diff --git a/modules/log/level_test.go b/modules/log/level_test.go
index e6cacc723b..73e2355960 100644
--- a/modules/log/level_test.go
+++ b/modules/log/level_test.go
@@ -33,11 +33,11 @@ func TestLevelMarshalUnmarshalJSON(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, INFO, testLevel.Level)
 
-	err = json.Unmarshal([]byte(fmt.Sprintf(`{"level":%d}`, 2)), &testLevel)
+	err = json.Unmarshal(fmt.Appendf(nil, `{"level":%d}`, 2), &testLevel)
 	require.NoError(t, err)
 	assert.Equal(t, INFO, testLevel.Level)
 
-	err = json.Unmarshal([]byte(fmt.Sprintf(`{"level":%d}`, 10012)), &testLevel)
+	err = json.Unmarshal(fmt.Appendf(nil, `{"level":%d}`, 10012), &testLevel)
 	require.NoError(t, err)
 	assert.Equal(t, INFO, testLevel.Level)
 
@@ -52,5 +52,5 @@ func TestLevelMarshalUnmarshalJSON(t *testing.T) {
 }
 
 func makeTestLevelBytes(level string) []byte {
-	return []byte(fmt.Sprintf(`{"level":"%s"}`, level))
+	return fmt.Appendf(nil, `{"level":"%s"}`, level)
 }
diff --git a/modules/markup/file_preview.go b/modules/markup/file_preview.go
index dab6057cf4..22dcf93d75 100644
--- a/modules/markup/file_preview.go
+++ b/modules/markup/file_preview.go
@@ -80,8 +80,8 @@ func newFilePreview(ctx *RenderContext, node *html.Node, locale translation.Loca
 	filePath := node.Data[m[6]:m[7]]
 	hash := node.Data[m[8]:m[9]]
 	urlFullSource := urlFull
-	if strings.HasSuffix(filePath, "?display=source") {
-		filePath = strings.TrimSuffix(filePath, "?display=source")
+	if before, ok := strings.CutSuffix(filePath, "?display=source"); ok {
+		filePath = before
 	} else if Type(filePath) != "" {
 		urlFullSource = node.Data[m[0]:m[6]] + filePath + "?display=source#" + hash
 	}
diff --git a/modules/markup/html.go b/modules/markup/html.go
index d60021bfbb..5bca4c4596 100644
--- a/modules/markup/html.go
+++ b/modules/markup/html.go
@@ -11,6 +11,7 @@ import (
 	"path"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"strings"
 	"sync"
 
@@ -124,13 +125,7 @@ func CustomLinkURLSchemes(schemes []string) {
 		if !validScheme.MatchString(s) {
 			continue
 		}
-		without := false
-		for _, sna := range xurls.SchemesNoAuthority {
-			if s == sna {
-				without = true
-				break
-			}
-		}
+		without := slices.Contains(xurls.SchemesNoAuthority, s)
 		if without {
 			s += ":"
 		} else {
@@ -675,9 +670,9 @@ func shortLinkProcessor(ctx *RenderContext, node *html.Node) {
 		// It makes page handling terrible, but we prefer GitHub syntax
 		// And fall back to MediaWiki only when it is obvious from the look
 		// Of text and link contents
-		sl := strings.Split(content, "|")
-		for _, v := range sl {
-			if equalPos := strings.IndexByte(v, '='); equalPos == -1 {
+		sl := strings.SplitSeq(content, "|")
+		for v := range sl {
+			if found := strings.Contains(v, "="); !found {
 				// There is no equal in this argument; this is a mandatory arg
 				if props["name"] == "" {
 					if IsLinkStr(v) {
@@ -699,8 +694,8 @@ func shortLinkProcessor(ctx *RenderContext, node *html.Node) {
 			} else {
 				// There is an equal; optional argument.
 
-				sep := strings.IndexByte(v, '=')
-				key, val := v[:sep], html.UnescapeString(v[sep+1:])
+				before, after, _ := strings.Cut(v, "=")
+				key, val := before, html.UnescapeString(after)
 
 				// When parsing HTML, x/net/html will change all quotes which are
 				// not used for syntax into UTF-8 quotes. So checking val[0] won't
@@ -1148,7 +1143,7 @@ func comparePatternProcessor(ctx *RenderContext, node *html.Node) {
 		}
 
 		// Ensure that every group (m[0]...m[9]) has a match
-		for i := 0; i < 10; i++ {
+		for i := range 10 {
 			if m[i] == -1 {
 				return
 			}
diff --git a/modules/markup/markdown/markdown.go b/modules/markup/markdown/markdown.go
index 2b19e0f1c9..9a112109dd 100644
--- a/modules/markup/markdown/markdown.go
+++ b/modules/markup/markdown/markdown.go
@@ -182,10 +182,7 @@ func actualRender(ctx *markup.RenderContext, input io.Reader, output io.Writer)
 	}
 	buf, _ = ExtractMetadataBytes(buf, rc)
 
-	metaLength := bufWithMetadataLength - len(buf)
-	if metaLength < 0 {
-		metaLength = 0
-	}
+	metaLength := max(bufWithMetadataLength-len(buf), 0)
 	rc.metaLength = metaLength
 
 	pc.Set(markdownutil.RenderConfigKey, rc)
diff --git a/modules/markup/markdown/markdown_test.go b/modules/markup/markdown/markdown_test.go
index 82c2c7fe8c..61ded3cedc 100644
--- a/modules/markup/markdown/markdown_test.go
+++ b/modules/markup/markdown/markdown_test.go
@@ -319,7 +319,7 @@ func TestTotal_RenderWiki(t *testing.T) {
 
 	answers := testAnswers(util.URLJoin(FullURL, "wiki"), util.URLJoin(FullURL, "wiki", "raw"))
 
-	for i := 0; i < len(sameCases); i++ {
+	for i := range sameCases {
 		line, err := markdown.RenderString(&markup.RenderContext{
 			Ctx: git.DefaultContext,
 			Links: markup.Links{
@@ -363,7 +363,7 @@ func TestTotal_RenderString(t *testing.T) {
 
 	answers := testAnswers(util.URLJoin(FullURL, "src", "master"), util.URLJoin(FullURL, "media", "master"))
 
-	for i := 0; i < len(sameCases); i++ {
+	for i := range sameCases {
 		line, err := markdown.RenderString(&markup.RenderContext{
 			Ctx: git.DefaultContext,
 			Links: markup.Links{
diff --git a/modules/markup/markdown/math/block_renderer.go b/modules/markup/markdown/math/block_renderer.go
index 84817ef1e4..d27318c623 100644
--- a/modules/markup/markdown/math/block_renderer.go
+++ b/modules/markup/markdown/math/block_renderer.go
@@ -24,7 +24,7 @@ func (r *BlockRenderer) RegisterFuncs(reg renderer.NodeRendererFuncRegisterer) {
 
 func (r *BlockRenderer) writeLines(w util.BufWriter, source []byte, n gast.Node) {
 	l := n.Lines().Len()
-	for i := 0; i < l; i++ {
+	for i := range l {
 		line := n.Lines().At(i)
 		_, _ = w.Write(util.EscapeHTML(line.Value(source)))
 	}
diff --git a/modules/markup/markdown/meta_test.go b/modules/markup/markdown/meta_test.go
index aaf116ff20..9345dd528a 100644
--- a/modules/markup/markdown/meta_test.go
+++ b/modules/markup/markdown/meta_test.go
@@ -63,7 +63,7 @@ func TestExtractMetadata(t *testing.T) {
 func TestExtractMetadataBytes(t *testing.T) {
 	t.Run("ValidFrontAndBody", func(t *testing.T) {
 		var meta IssueTemplate
-		body, err := ExtractMetadataBytes([]byte(fmt.Sprintf("%s\n%s\n%s\n%s", sepTest, frontTest, sepTest, bodyTest)), &meta)
+		body, err := ExtractMetadataBytes(fmt.Appendf(nil, "%s\n%s\n%s\n%s", sepTest, frontTest, sepTest, bodyTest), &meta)
 		require.NoError(t, err)
 		assert.Equal(t, bodyTest, string(body))
 		assert.Equal(t, metaTest, meta)
@@ -72,19 +72,19 @@ func TestExtractMetadataBytes(t *testing.T) {
 
 	t.Run("NoFirstSeparator", func(t *testing.T) {
 		var meta IssueTemplate
-		_, err := ExtractMetadataBytes([]byte(fmt.Sprintf("%s\n%s\n%s", frontTest, sepTest, bodyTest)), &meta)
+		_, err := ExtractMetadataBytes(fmt.Appendf(nil, "%s\n%s\n%s", frontTest, sepTest, bodyTest), &meta)
 		require.Error(t, err)
 	})
 
 	t.Run("NoLastSeparator", func(t *testing.T) {
 		var meta IssueTemplate
-		_, err := ExtractMetadataBytes([]byte(fmt.Sprintf("%s\n%s\n%s", sepTest, frontTest, bodyTest)), &meta)
+		_, err := ExtractMetadataBytes(fmt.Appendf(nil, "%s\n%s\n%s", sepTest, frontTest, bodyTest), &meta)
 		require.Error(t, err)
 	})
 
 	t.Run("NoBody", func(t *testing.T) {
 		var meta IssueTemplate
-		body, err := ExtractMetadataBytes([]byte(fmt.Sprintf("%s\n%s\n%s", sepTest, frontTest, sepTest)), &meta)
+		body, err := ExtractMetadataBytes(fmt.Appendf(nil, "%s\n%s\n%s", sepTest, frontTest, sepTest), &meta)
 		require.NoError(t, err)
 		assert.Empty(t, string(body))
 		assert.Equal(t, metaTest, meta)
diff --git a/modules/markup/markdown/toc.go b/modules/markup/markdown/toc.go
index dbfab3e9dc..53add219f5 100644
--- a/modules/markup/markdown/toc.go
+++ b/modules/markup/markdown/toc.go
@@ -44,7 +44,7 @@ func createTOCNode(toc []markup.Header, lang string, detailsAttrs map[string]str
 		}
 		li := ast.NewListItem(currentLevel * 2)
 		a := ast.NewLink()
-		a.Destination = []byte(fmt.Sprintf("#%s", url.QueryEscape(header.ID)))
+		a.Destination = fmt.Appendf(nil, "#%s", url.QueryEscape(header.ID))
 		a.AppendChild(a, ast.NewString([]byte(header.Text)))
 		li.AppendChild(li, a)
 		ul.AppendChild(ul, li)
diff --git a/modules/markup/markdown/transform_heading.go b/modules/markup/markdown/transform_heading.go
index eedaf58556..16779d5099 100644
--- a/modules/markup/markdown/transform_heading.go
+++ b/modules/markup/markdown/transform_heading.go
@@ -17,7 +17,7 @@ import (
 func (g *ASTTransformer) transformHeading(_ *markup.RenderContext, v *ast.Heading, reader text.Reader, tocList *[]markup.Header) {
 	for _, attr := range v.Attributes() {
 		if _, ok := attr.Value.([]byte); !ok {
-			v.SetAttribute(attr.Name, []byte(fmt.Sprintf("%v", attr.Value)))
+			v.SetAttribute(attr.Name, fmt.Appendf(nil, "%v", attr.Value))
 		}
 	}
 	txt := mdutil.Text(v, reader.Source())
diff --git a/modules/markup/renderer.go b/modules/markup/renderer.go
index b1c3d35e73..0a66caf1d5 100644
--- a/modules/markup/renderer.go
+++ b/modules/markup/renderer.go
@@ -319,23 +319,19 @@ func render(ctx *RenderContext, renderer Renderer, input io.Reader, output io.Wr
 			_ = pw2.Close()
 		}()
 
-		wg.Add(1)
-		go func() {
+		wg.Go(func() {
 			err = donotpanic.SafeFuncWithError(func() error { return SanitizeReader(pr2, renderer.Name(), output) })
 			_ = pr2.Close()
-			wg.Done()
-		}()
+		})
 	} else {
 		pw2 = nopCloser{output}
 	}
 
-	wg.Add(1)
-	go func() {
+	wg.Go(func() {
 		err = donotpanic.SafeFuncWithError(func() error { return postProcessOrCopy(ctx, renderer, pr, pw2) })
 		_ = pr.Close()
 		_ = pw2.Close()
-		wg.Done()
-	}()
+	})
 
 	if err1 := renderer.Render(ctx, input, pw); err1 != nil {
 		return err1
diff --git a/modules/packages/npm/creator.go b/modules/packages/npm/creator.go
index ed163d30ac..2f83d2ee7b 100644
--- a/modules/packages/npm/creator.go
+++ b/modules/packages/npm/creator.go
@@ -58,7 +58,7 @@ type PackageMetadata struct {
 	Time           map[string]time.Time               `json:"time,omitempty"`
 	Homepage       string                             `json:"homepage,omitempty"`
 	Keywords       []string                           `json:"keywords,omitempty"`
-	Repository     Repository                         `json:"repository,omitempty"`
+	Repository     Repository                         `json:"repository"`
 	Author         User                               `json:"author"`
 	ReadmeFilename string                             `json:"readmeFilename,omitempty"`
 	Users          map[string]bool                    `json:"users,omitempty"`
@@ -75,7 +75,7 @@ type PackageMetadataVersion struct {
 	Author               User                `json:"author"`
 	Homepage             string              `json:"homepage,omitempty"`
 	License              string              `json:"license,omitempty"`
-	Repository           Repository          `json:"repository,omitempty"`
+	Repository           Repository          `json:"repository"`
 	Keywords             []string            `json:"keywords,omitempty"`
 	Dependencies         map[string]string   `json:"dependencies,omitempty"`
 	BundleDependencies   []string            `json:"bundleDependencies,omitempty"`
diff --git a/modules/packages/npm/metadata.go b/modules/packages/npm/metadata.go
index 6bb77f302b..0e5bf19ce7 100644
--- a/modules/packages/npm/metadata.go
+++ b/modules/packages/npm/metadata.go
@@ -22,5 +22,5 @@ type Metadata struct {
 	OptionalDependencies    map[string]string `json:"optional_dependencies,omitempty"`
 	Bin                     map[string]string `json:"bin,omitempty"`
 	Readme                  string            `json:"readme,omitempty"`
-	Repository              Repository        `json:"repository,omitempty"`
+	Repository              Repository        `json:"repository"`
 }
diff --git a/modules/packages/nuget/symbol_extractor.go b/modules/packages/nuget/symbol_extractor.go
index 992ade7e8f..dd9fac96c6 100644
--- a/modules/packages/nuget/symbol_extractor.go
+++ b/modules/packages/nuget/symbol_extractor.go
@@ -142,8 +142,8 @@ func ParseDebugHeaderID(r io.ReadSeeker) (string, error) {
 			if _, err := r.Read(b); err != nil {
 				return "", err
 			}
-			if i := bytes.IndexByte(b, 0); i != -1 {
-				buf.Write(b[:i])
+			if before, _, ok := bytes.Cut(b, []byte{0}); ok {
+				buf.Write(before)
 				return buf.String(), nil
 			}
 			buf.Write(b)
diff --git a/modules/packages/rubygems/marshal.go b/modules/packages/rubygems/marshal.go
index 191efc7c0e..7d498c66b8 100644
--- a/modules/packages/rubygems/marshal.go
+++ b/modules/packages/rubygems/marshal.go
@@ -91,7 +91,7 @@ func (e *MarshalEncoder) marshal(v any) error {
 	val := reflect.ValueOf(v)
 	typ := reflect.TypeOf(v)
 
-	if typ.Kind() == reflect.Ptr {
+	if typ.Kind() == reflect.Pointer {
 		val = val.Elem()
 		typ = typ.Elem()
 	}
@@ -250,7 +250,7 @@ func (e *MarshalEncoder) marshalArray(arr reflect.Value) error {
 		return err
 	}
 
-	for i := 0; i < length; i++ {
+	for i := range length {
 		if err := e.marshal(arr.Index(i).Interface()); err != nil {
 			return err
 		}
diff --git a/modules/packages/swift/metadata.go b/modules/packages/swift/metadata.go
index 34fc4f1784..094fa0c7a4 100644
--- a/modules/packages/swift/metadata.go
+++ b/modules/packages/swift/metadata.go
@@ -47,7 +47,7 @@ type Metadata struct {
 	Keywords      []string             `json:"keywords,omitempty"`
 	RepositoryURL string               `json:"repository_url,omitempty"`
 	License       string               `json:"license,omitempty"`
-	Author        Person               `json:"author,omitempty"`
+	Author        Person               `json:"author"`
 	Manifests     map[string]*Manifest `json:"manifests,omitempty"`
 }
 
diff --git a/modules/private/serv.go b/modules/private/serv.go
index fb8496930e..1e04b2ce29 100644
--- a/modules/private/serv.go
+++ b/modules/private/serv.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"net/url"
+	"strings"
 
 	asymkey_model "forgejo.org/models/asymkey"
 	"forgejo.org/models/perm"
@@ -47,17 +48,18 @@ type ServCommandResults struct {
 
 // ServCommand preps for a serv call
 func ServCommand(ctx context.Context, keyID int64, ownerName, repoName string, mode perm.AccessMode, verbs ...string) (*ServCommandResults, ResponseExtra) {
-	reqURL := setting.LocalURL + fmt.Sprintf("api/internal/serv/command/%d/%s/%s?mode=%d",
+	var reqURL strings.Builder
+	fmt.Fprintf(&reqURL, "%sapi/internal/serv/command/%d/%s/%s?mode=%d",
+		setting.LocalURL,
 		keyID,
 		url.PathEscape(ownerName),
 		url.PathEscape(repoName),
-		mode,
-	)
+		mode)
 	for _, verb := range verbs {
 		if verb != "" {
-			reqURL += fmt.Sprintf("&verb=%s", url.QueryEscape(verb))
+			fmt.Fprintf(&reqURL, "&verb=%s", url.QueryEscape(verb))
 		}
 	}
-	req := newInternalRequest(ctx, reqURL, "GET")
+	req := newInternalRequest(ctx, reqURL.String(), "GET")
 	return requestJSONResp(req, &ServCommandResults{})
 }
diff --git a/modules/public/public.go b/modules/public/public.go
index a7db5b62e9..52cb8757a0 100644
--- a/modules/public/public.go
+++ b/modules/public/public.go
@@ -45,7 +45,7 @@ func FileHandlerFunc() http.HandlerFunc {
 func parseAcceptEncoding(val string) container.Set[string] {
 	parts := strings.Split(val, ";")
 	types := make(container.Set[string])
-	for _, v := range strings.Split(parts[0], ",") {
+	for v := range strings.SplitSeq(parts[0], ",") {
 		types.Add(strings.TrimSpace(v))
 	}
 	return types
diff --git a/modules/queue/base_levelqueue_common.go b/modules/queue/base_levelqueue_common.go
index 8b4f35c47d..c57bf8597b 100644
--- a/modules/queue/base_levelqueue_common.go
+++ b/modules/queue/base_levelqueue_common.go
@@ -83,7 +83,7 @@ func prepareLevelDB(cfg *BaseConfig) (conn string, db *leveldb.DB, err error) {
 		}
 		conn = cfg.ConnStr
 	}
-	for i := 0; i < 10; i++ {
+	for range 10 {
 		if db, err = nosql.GetManager().GetLevelDB(conn); err == nil {
 			break
 		}
diff --git a/modules/queue/base_redis.go b/modules/queue/base_redis.go
index ec3c6dc16d..8b20e0b443 100644
--- a/modules/queue/base_redis.go
+++ b/modules/queue/base_redis.go
@@ -49,7 +49,7 @@ func newBaseRedisGeneric(cfg *BaseConfig, unique bool, client nosql.RedisClient)
 	}
 
 	var err error
-	for i := 0; i < 10; i++ {
+	for range 10 {
 		err = client.Ping(graceful.GetManager().ShutdownContext()).Err()
 		if err == nil {
 			break
diff --git a/modules/queue/base_test.go b/modules/queue/base_test.go
index caa930158c..758faf1459 100644
--- a/modules/queue/base_test.go
+++ b/modules/queue/base_test.go
@@ -88,7 +88,7 @@ func testQueueBasic(t *testing.T, newFn func(cfg *BaseConfig) (baseQueue, error)
 
 		// test blocking push if queue is full
 		for i := 0; i < cfg.Length; i++ {
-			err = q.PushItem(ctx, []byte(fmt.Sprintf("item-%d", i)))
+			err = q.PushItem(ctx, fmt.Appendf(nil, "item-%d", i))
 			require.NoError(t, err)
 		}
 		ctxTimed, cancel = context.WithTimeout(ctx, 10*time.Millisecond)
diff --git a/modules/queue/manager.go b/modules/queue/manager.go
index 8f1a93f273..9c655b7fdc 100644
--- a/modules/queue/manager.go
+++ b/modules/queue/manager.go
@@ -5,6 +5,7 @@ package queue
 
 import (
 	"context"
+	"maps"
 	"sync"
 	"time"
 
@@ -68,9 +69,7 @@ func (m *Manager) ManagedQueues() map[int64]ManagedWorkerPoolQueue {
 	defer m.mu.Unlock()
 
 	queues := make(map[int64]ManagedWorkerPoolQueue, len(m.Queues))
-	for k, v := range m.Queues {
-		queues[k] = v
-	}
+	maps.Copy(queues, m.Queues)
 	return queues
 }
 
diff --git a/modules/queue/workergroup.go b/modules/queue/workergroup.go
index 2d1228db2c..87f01755aa 100644
--- a/modules/queue/workergroup.go
+++ b/modules/queue/workergroup.go
@@ -142,11 +142,7 @@ func (q *WorkerPoolQueue[T]) basePushForShutdown(items ...T) bool {
 
 // doStartNewWorker starts a new worker for the queue, the worker reads from worker's channel and handles the items.
 func (q *WorkerPoolQueue[T]) doStartNewWorker(wp *workerGroup[T]) {
-	wp.wg.Add(1)
-
-	go func() {
-		defer wp.wg.Done()
-
+	wp.wg.Go(func() {
 		log.Debug("Queue %q starts new worker", q.GetName())
 		defer log.Debug("Queue %q stops idle worker", q.GetName())
 
@@ -187,7 +183,7 @@ func (q *WorkerPoolQueue[T]) doStartNewWorker(wp *workerGroup[T]) {
 				q.workerNumMu.Unlock()
 			}
 		}
-	}()
+	})
 }
 
 // doFlush flushes the queue: it tries to read all items from the queue and handles them.
diff --git a/modules/queue/workerqueue_test.go b/modules/queue/workerqueue_test.go
index 8d907ed8cd..da857b9405 100644
--- a/modules/queue/workerqueue_test.go
+++ b/modules/queue/workerqueue_test.go
@@ -78,17 +78,17 @@ func TestWorkerPoolQueueUnhandled(t *testing.T) {
 
 	runCount := 2 // we can run these tests even hundreds times to see its stability
 	t.Run("1/1", func(t *testing.T) {
-		for i := 0; i < runCount; i++ {
+		for range runCount {
 			test(t, setting.QueueSettings{BatchLength: 1, MaxWorkers: 1})
 		}
 	})
 	t.Run("3/1", func(t *testing.T) {
-		for i := 0; i < runCount; i++ {
+		for range runCount {
 			test(t, setting.QueueSettings{BatchLength: 3, MaxWorkers: 1})
 		}
 	})
 	t.Run("4/5", func(t *testing.T) {
-		for i := 0; i < runCount; i++ {
+		for range runCount {
 			test(t, setting.QueueSettings{BatchLength: 4, MaxWorkers: 5})
 		}
 	})
@@ -97,17 +97,17 @@ func TestWorkerPoolQueueUnhandled(t *testing.T) {
 func TestWorkerPoolQueuePersistence(t *testing.T) {
 	runCount := 2 // we can run these tests even hundreds times to see its stability
 	t.Run("1/1", func(t *testing.T) {
-		for i := 0; i < runCount; i++ {
+		for range runCount {
 			testWorkerPoolQueuePersistence(t, setting.QueueSettings{BatchLength: 1, MaxWorkers: 1, Length: 100})
 		}
 	})
 	t.Run("3/1", func(t *testing.T) {
-		for i := 0; i < runCount; i++ {
+		for range runCount {
 			testWorkerPoolQueuePersistence(t, setting.QueueSettings{BatchLength: 3, MaxWorkers: 1, Length: 100})
 		}
 	})
 	t.Run("4/5", func(t *testing.T) {
-		for i := 0; i < runCount; i++ {
+		for range runCount {
 			testWorkerPoolQueuePersistence(t, setting.QueueSettings{BatchLength: 4, MaxWorkers: 5, Length: 100})
 		}
 	})
@@ -142,7 +142,7 @@ func testWorkerPoolQueuePersistence(t *testing.T, queueSetting setting.QueueSett
 
 		q, _ := newWorkerPoolQueueForTest("pr_patch_checker_test", queueSetting, testHandler, true)
 		stop := runWorkerPoolQueue(q)
-		for i := 0; i < testCount; i++ {
+		for i := range testCount {
 			_ = q.Push("task-" + strconv.Itoa(i))
 		}
 		close(startWhenAllReady)
@@ -187,7 +187,7 @@ func TestWorkerPoolQueueActiveWorkers(t *testing.T) {
 
 	q, _ := newWorkerPoolQueueForTest("test-workpoolqueue", setting.QueueSettings{Type: "channel", BatchLength: 1, MaxWorkers: 1, Length: 100}, handler, false)
 	stop := runWorkerPoolQueue(q)
-	for i := 0; i < 5; i++ {
+	for i := range 5 {
 		require.NoError(t, q.Push(i))
 	}
 
@@ -203,7 +203,7 @@ func TestWorkerPoolQueueActiveWorkers(t *testing.T) {
 
 	q, _ = newWorkerPoolQueueForTest("test-workpoolqueue", setting.QueueSettings{Type: "channel", BatchLength: 1, MaxWorkers: 3, Length: 100}, handler, false)
 	stop = runWorkerPoolQueue(q)
-	for i := 0; i < 15; i++ {
+	for i := range 15 {
 		require.NoError(t, q.Push(i))
 	}
 
@@ -264,12 +264,12 @@ func TestWorkerPoolQueueWorkerIdleReset(t *testing.T) {
 	stop := runWorkerPoolQueue(q)
 
 	const workloadSize = 12
-	for i := 0; i < workloadSize; i++ {
+	for i := range workloadSize {
 		require.NoError(t, q.Push(i))
 	}
 
 	workerIDs := make(map[string]struct{})
-	for i := 0; i < workloadSize; i++ {
+	for i := range workloadSize {
 		c := <-chGoroutineIDs
 		workerIDs[c] = struct{}{}
 		t.Logf("%d workers: overall=%d current=%d", i, len(workerIDs), q.GetWorkerNumber())
diff --git a/modules/repository/init.go b/modules/repository/init.go
index 7b1442be93..66a65599a8 100644
--- a/modules/repository/init.go
+++ b/modules/repository/init.go
@@ -152,7 +152,7 @@ func InitializeLabels(ctx context.Context, id int64, labelTemplate string, isOrg
 	}
 
 	labels := make([]*issues_model.Label, len(list))
-	for i := 0; i < len(list); i++ {
+	for i := range list {
 		labels[i] = &issues_model.Label{
 			Name:        list[i].Name,
 			Exclusive:   list[i].Exclusive,
diff --git a/modules/setting/config.go b/modules/setting/config.go
index 6299640e61..90f3d12d11 100644
--- a/modules/setting/config.go
+++ b/modules/setting/config.go
@@ -4,6 +4,7 @@
 package setting
 
 import (
+	"strings"
 	"sync"
 
 	"forgejo.org/modules/log"
@@ -23,11 +24,11 @@ type OpenWithEditorApp struct {
 type OpenWithEditorAppsType []OpenWithEditorApp
 
 func (t OpenWithEditorAppsType) ToTextareaString() string {
-	ret := ""
+	var ret strings.Builder
 	for _, app := range t {
-		ret += app.DisplayName + " = " + app.OpenURL + "\n"
+		ret.WriteString(app.DisplayName + " = " + app.OpenURL + "\n")
 	}
-	return ret
+	return ret.String()
 }
 
 func DefaultOpenWithEditorApps() OpenWithEditorAppsType {
diff --git a/modules/setting/config_env.go b/modules/setting/config_env.go
index 458dbb51bb..68a7c94db2 100644
--- a/modules/setting/config_env.go
+++ b/modules/setting/config_env.go
@@ -51,10 +51,10 @@ func decodeEnvSectionKey(encoded string) (ok bool, section, key string) {
 	for _, unescapeIdx := range escapeStringIndices {
 		preceding := encoded[last:unescapeIdx[0]]
 		if !inKey {
-			if splitter := strings.Index(preceding, "__"); splitter > -1 {
-				section += preceding[:splitter]
+			if before, after, ok := strings.Cut(preceding, "__"); ok {
+				section += before
 				inKey = true
-				key += preceding[splitter+2:]
+				key += after
 			} else {
 				section += preceding
 			}
@@ -77,9 +77,9 @@ func decodeEnvSectionKey(encoded string) (ok bool, section, key string) {
 	}
 	remaining := encoded[last:]
 	if !inKey {
-		if splitter := strings.Index(remaining, "__"); splitter > -1 {
-			section += remaining[:splitter]
-			key += remaining[splitter+2:]
+		if before, after, ok := strings.Cut(remaining, "__"); ok {
+			section += before
+			key += after
 		} else {
 			section += remaining
 		}
@@ -113,25 +113,24 @@ func decodeEnvironmentKey(prefixRegexp *regexp.Regexp, suffixFile, envKey string
 func EnvironmentToConfig(cfg ConfigProvider, envs []string) (changed bool) {
 	prefixRegexp := regexp.MustCompile(EnvConfigKeyPrefixGitea)
 	for _, kv := range envs {
-		idx := strings.IndexByte(kv, '=')
-		if idx < 0 {
+		before, after, ok0 := strings.Cut(kv, "=")
+		if !ok0 {
 			continue
 		}
 
 		// parse the environment variable to config section name and key name
-		envKey := kv[:idx]
-		envValue := kv[idx+1:]
+		envKey := before
+		keyValue := after
 		ok, sectionName, keyName, useFileValue := decodeEnvironmentKey(prefixRegexp, EnvConfigKeySuffixFile, envKey)
 		if !ok {
 			continue
 		}
 
 		// use environment value as config value, or read the file content as value if the key indicates a file
-		keyValue := envValue
 		if useFileValue {
-			fileContent, err := os.ReadFile(envValue)
+			fileContent, err := os.ReadFile(keyValue)
 			if err != nil {
-				log.Error("Error reading file for %s : %v", envKey, envValue, err)
+				log.Error("Error reading file for %s : %v", envKey, keyValue, err)
 				continue
 			}
 			if bytes.HasSuffix(fileContent, []byte("\r\n")) {
diff --git a/modules/setting/indexer.go b/modules/setting/indexer.go
index b112a50cfa..948dae0bea 100644
--- a/modules/setting/indexer.go
+++ b/modules/setting/indexer.go
@@ -108,7 +108,7 @@ func loadIndexerFrom(rootCfg ConfigProvider) {
 // IndexerGlobFromString parses a comma separated list of patterns and returns a glob.Glob slice suited for repo indexing
 func IndexerGlobFromString(globstr string) []Glob {
 	extarr := make([]Glob, 0, 10)
-	for _, expr := range strings.Split(strings.ToLower(globstr), ",") {
+	for expr := range strings.SplitSeq(strings.ToLower(globstr), ",") {
 		expr = strings.TrimSpace(expr)
 		if expr != "" {
 			if g, err := glob.Compile(expr, '.', '/'); err != nil {
diff --git a/modules/setting/log.go b/modules/setting/log.go
index ecc591fd35..7799f8187b 100644
--- a/modules/setting/log.go
+++ b/modules/setting/log.go
@@ -269,8 +269,8 @@ func initLoggerByName(manager *log.LoggerManager, rootCfg ConfigProvider, logger
 	}
 
 	var eventWriters []log.EventWriter
-	modes := strings.Split(modeVal, ",")
-	for _, modeName := range modes {
+	modes := strings.SplitSeq(modeVal, ",")
+	for modeName := range modes {
 		modeName = strings.TrimSpace(modeName)
 		if modeName == "" {
 			continue
diff --git a/modules/setting/markup.go b/modules/setting/markup.go
index 4ab9e7b2d1..0ece86dfd1 100644
--- a/modules/setting/markup.go
+++ b/modules/setting/markup.go
@@ -85,8 +85,8 @@ func loadMarkupFrom(rootCfg ConfigProvider) {
 func newMarkupSanitizer(name string, sec ConfigSection) {
 	rule, ok := createMarkupSanitizerRule(name, sec)
 	if ok {
-		if strings.HasPrefix(name, "sanitizer.") {
-			names := strings.SplitN(strings.TrimPrefix(name, "sanitizer."), ".", 2)
+		if after, ok0 := strings.CutPrefix(name, "sanitizer."); ok0 {
+			names := strings.SplitN(after, ".", 2)
 			name = names[0]
 		}
 		for _, renderer := range ExternalMarkupRenderers {
diff --git a/modules/setting/mirror.go b/modules/setting/mirror.go
index 58c57c5c95..083c67db45 100644
--- a/modules/setting/mirror.go
+++ b/modules/setting/mirror.go
@@ -48,11 +48,7 @@ func loadMirrorFrom(rootCfg ConfigProvider) {
 		Mirror.MinInterval = 1 * time.Minute
 	}
 	if Mirror.DefaultInterval < Mirror.MinInterval {
-		if time.Hour*8 < Mirror.MinInterval {
-			Mirror.DefaultInterval = Mirror.MinInterval
-		} else {
-			Mirror.DefaultInterval = time.Hour * 8
-		}
+		Mirror.DefaultInterval = max(time.Hour*8, Mirror.MinInterval)
 		log.Warn("Mirror.DefaultInterval is less than Mirror.MinInterval, set to %s", Mirror.DefaultInterval.String())
 	}
 }
diff --git a/modules/setting/storage.go b/modules/setting/storage.go
index e458300727..93958219a8 100644
--- a/modules/setting/storage.go
+++ b/modules/setting/storage.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"path/filepath"
+	"slices"
 	"strings"
 )
 
@@ -27,12 +28,7 @@ var storageTypes = []StorageType{
 
 // IsValidStorageType returns true if the given storage type is valid
 func IsValidStorageType(storageType StorageType) bool {
-	for _, t := range storageTypes {
-		if t == storageType {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(storageTypes, storageType)
 }
 
 // MinioStorageConfig represents the configuration for a minio storage
diff --git a/modules/structs/action.go b/modules/structs/action.go
index a39ae11d65..cb6d76f3e3 100644
--- a/modules/structs/action.go
+++ b/modules/structs/action.go
@@ -70,13 +70,13 @@ type ActionRun struct {
 	// the current status of this run
 	Status string `json:"status"`
 	// when the action run was started
-	Started time.Time `json:"started,omitempty"`
+	Started time.Time `json:"started"`
 	// when the action run was stopped
-	Stopped time.Time `json:"stopped,omitempty"`
+	Stopped time.Time `json:"stopped"`
 	// when the action run was created
-	Created time.Time `json:"created,omitempty"`
+	Created time.Time `json:"created"`
 	// when the action run was last updated
-	Updated time.Time `json:"updated,omitempty"`
+	Updated time.Time `json:"updated"`
 	// how long the action run ran for
 	Duration time.Duration `json:"duration,omitempty"`
 	// the url of this action run
diff --git a/modules/structs/issue.go b/modules/structs/issue.go
index 6208c28be1..37c71f5736 100644
--- a/modules/structs/issue.go
+++ b/modules/structs/issue.go
@@ -204,7 +204,7 @@ func (l *IssueTemplateLabels) UnmarshalYAML(value *yaml.Node) error {
 		if err != nil {
 			return err
 		}
-		for _, v := range strings.Split(str, ",") {
+		for v := range strings.SplitSeq(str, ",") {
 			if v = strings.TrimSpace(v); v == "" {
 				continue
 			}
diff --git a/modules/structs/repo.go b/modules/structs/repo.go
index 059f19c2bb..3fa43ce0cb 100644
--- a/modules/structs/repo.go
+++ b/modules/structs/repo.go
@@ -118,7 +118,7 @@ type Repository struct {
 	// enum: ["sha1", "sha256"]
 	ObjectFormatName string `json:"object_format_name"`
 	// swagger:strfmt date-time
-	MirrorUpdated time.Time     `json:"mirror_updated,omitempty"`
+	MirrorUpdated time.Time     `json:"mirror_updated"`
 	RepoTransfer  *RepoTransfer `json:"repo_transfer"`
 	Topics        []string      `json:"topics"`
 }
diff --git a/modules/structs/user.go b/modules/structs/user.go
index 49e4c495cf..e0767071d0 100644
--- a/modules/structs/user.go
+++ b/modules/structs/user.go
@@ -34,9 +34,9 @@ type User struct {
 	// Is the user an administrator
 	IsAdmin bool `json:"is_admin"`
 	// swagger:strfmt date-time
-	LastLogin time.Time `json:"last_login,omitempty"`
+	LastLogin time.Time `json:"last_login"`
 	// swagger:strfmt date-time
-	Created time.Time `json:"created,omitempty"`
+	Created time.Time `json:"created"`
 	// Is user restricted
 	Restricted bool `json:"restricted"`
 	// Is user active
diff --git a/modules/structs/user_gpgkey.go b/modules/structs/user_gpgkey.go
index ff9b0aea1d..deae70de33 100644
--- a/modules/structs/user_gpgkey.go
+++ b/modules/structs/user_gpgkey.go
@@ -21,9 +21,9 @@ type GPGKey struct {
 	CanCertify        bool           `json:"can_certify"`
 	Verified          bool           `json:"verified"`
 	// swagger:strfmt date-time
-	Created time.Time `json:"created_at,omitempty"`
+	Created time.Time `json:"created_at"`
 	// swagger:strfmt date-time
-	Expires time.Time `json:"expires_at,omitempty"`
+	Expires time.Time `json:"expires_at"`
 }
 
 // GPGKeyEmail an email attached to a GPGKey
diff --git a/modules/structs/user_key.go b/modules/structs/user_key.go
index 08eed59a89..b92552b200 100644
--- a/modules/structs/user_key.go
+++ b/modules/structs/user_key.go
@@ -15,7 +15,7 @@ type PublicKey struct {
 	Title       string `json:"title,omitempty"`
 	Fingerprint string `json:"fingerprint,omitempty"`
 	// swagger:strfmt date-time
-	Created  time.Time `json:"created_at,omitempty"`
+	Created  time.Time `json:"created_at"`
 	Owner    *User     `json:"user,omitempty"`
 	ReadOnly bool      `json:"read_only,omitempty"`
 	KeyType  string    `json:"key_type,omitempty"`
diff --git a/modules/templates/eval/eval_test.go b/modules/templates/eval/eval_test.go
index 3e68203638..6b13d14007 100644
--- a/modules/templates/eval/eval_test.go
+++ b/modules/templates/eval/eval_test.go
@@ -13,7 +13,7 @@ import (
 )
 
 func tokens(s string) (a []any) {
-	for _, v := range strings.Fields(s) {
+	for v := range strings.FieldsSeq(s) {
 		a = append(a, v)
 	}
 	return a
diff --git a/modules/templates/htmlrenderer.go b/modules/templates/htmlrenderer.go
index d60397df08..4290e1c29f 100644
--- a/modules/templates/htmlrenderer.go
+++ b/modules/templates/htmlrenderer.go
@@ -248,7 +248,7 @@ func extractErrorLine(code []byte, lineNum, posNum int, target string) string {
 	b := bufio.NewReader(bytes.NewReader(code))
 	var line []byte
 	var err error
-	for i := 0; i < lineNum; i++ {
+	for i := range lineNum {
 		if line, err = b.ReadBytes('\n'); err != nil {
 			if i == lineNum-1 && errors.Is(err, io.EOF) {
 				err = nil
diff --git a/modules/templates/scopedtmpl/scopedtmpl.go b/modules/templates/scopedtmpl/scopedtmpl.go
index 41a8ca86e9..d9866b3513 100644
--- a/modules/templates/scopedtmpl/scopedtmpl.go
+++ b/modules/templates/scopedtmpl/scopedtmpl.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"html/template"
 	"io"
+	"maps"
 	"reflect"
 	"sync"
 	texttemplate "text/template"
@@ -40,9 +41,7 @@ func (t *ScopedTemplate) Funcs(funcMap template.FuncMap) {
 		panic("cannot add new functions to frozen template set")
 	}
 	t.all.Funcs(funcMap)
-	for k, v := range funcMap {
-		t.parseFuncs[k] = v
-	}
+	maps.Copy(t.parseFuncs, funcMap)
 }
 
 func (t *ScopedTemplate) New(name string) *template.Template {
@@ -159,9 +158,7 @@ func newScopedTemplateSet(all *template.Template, name string) (*scopedTemplateS
 
 	textTmplPtr.muFuncs.Lock()
 	ts.execFuncs = map[string]reflect.Value{}
-	for k, v := range textTmplPtr.execFuncs {
-		ts.execFuncs[k] = v
-	}
+	maps.Copy(ts.execFuncs, textTmplPtr.execFuncs)
 	textTmplPtr.muFuncs.Unlock()
 
 	var collectTemplates func(nodes []parse.Node)
@@ -220,9 +217,7 @@ func (ts *scopedTemplateSet) newExecutor(funcMap map[string]any) TemplateExecuto
 	tmpl := texttemplate.New("")
 	tmplPtr := ptr[textTemplate](tmpl)
 	tmplPtr.execFuncs = map[string]reflect.Value{}
-	for k, v := range ts.execFuncs {
-		tmplPtr.execFuncs[k] = v
-	}
+	maps.Copy(tmplPtr.execFuncs, ts.execFuncs)
 	if funcMap != nil {
 		tmpl.Funcs(funcMap)
 	}
diff --git a/modules/templates/util_render.go b/modules/templates/util_render.go
index 02851ed75d..e1ad83b88d 100644
--- a/modules/templates/util_render.go
+++ b/modules/templates/util_render.go
@@ -246,7 +246,8 @@ func RenderMarkdownToHtml(ctx context.Context, input string) template.HTML { //n
 }
 
 func RenderLabels(ctx *Context, labels []*issues_model.Label, repoLink string, isPull bool) template.HTML {
-	htmlCode := `<span class="labels-list">`
+	var htmlCode strings.Builder
+	htmlCode.WriteString(`<span class="labels-list">`)
 	for _, label := range labels {
 		// Protect against nil value in labels - shouldn't happen but would cause a panic if so
 		if label == nil {
@@ -257,11 +258,11 @@ func RenderLabels(ctx *Context, labels []*issues_model.Label, repoLink string, i
 		if isPull {
 			issuesOrPull = "pulls"
 		}
-		htmlCode += fmt.Sprintf("<a href='%s/%s?labels=%d' rel='nofollow'>%s</a> ",
+		fmt.Fprintf(&htmlCode, "<a href='%s/%s?labels=%d' rel='nofollow'>%s</a> ",
 			repoLink, issuesOrPull, label.ID, RenderLabel(ctx, label))
 	}
-	htmlCode += "</span>"
-	return template.HTML(htmlCode)
+	htmlCode.WriteString("</span>")
+	return template.HTML(htmlCode.String())
 }
 
 func RenderUser(ctx context.Context, user user_model.User) template.HTML {
diff --git a/modules/test/logchecker.go b/modules/test/logchecker.go
index 8e8fc32216..af82ff0461 100644
--- a/modules/test/logchecker.go
+++ b/modules/test/logchecker.go
@@ -53,11 +53,11 @@ func (lc *LogChecker) checkLogEvent(event *log.EventFormatted) {
 	}
 }
 
-var checkerIndex int64
+var checkerIndex atomic.Int64
 
 func NewLogChecker(namePrefix string, level log.Level) (logChecker *LogChecker, cancel func()) {
 	logger := log.GetManager().GetLogger(namePrefix)
-	newCheckerIndex := atomic.AddInt64(&checkerIndex, 1)
+	newCheckerIndex := checkerIndex.Add(1)
 	writerName := namePrefix + "-" + fmt.Sprint(newCheckerIndex)
 
 	lc := &LogChecker{}
diff --git a/modules/testlogger/testlogger.go b/modules/testlogger/testlogger.go
index 6ced5f6780..54f0462703 100644
--- a/modules/testlogger/testlogger.go
+++ b/modules/testlogger/testlogger.go
@@ -501,7 +501,7 @@ func PrintCurrentTest(t testing.TB, skip ...int) func() {
 // Printf takes a format and args and prints the string to os.Stdout
 func Printf(format string, args ...any) {
 	if log.CanColorStdout {
-		for i := 0; i < len(args); i++ {
+		for i := range args {
 			args[i] = log.NewColoredValue(args[i])
 		}
 	}
diff --git a/modules/updatechecker/update_checker.go b/modules/updatechecker/update_checker.go
index b0932ba663..8b524b6519 100644
--- a/modules/updatechecker/update_checker.go
+++ b/modules/updatechecker/update_checker.go
@@ -60,9 +60,9 @@ func getVersionDNS(domainEndpoint string) (version string, err error) {
 	}
 
 	for _, record := range records {
-		if strings.HasPrefix(record, "forgejo_versions=") {
+		if after, ok := strings.CutPrefix(record, "forgejo_versions="); ok {
 			// Get all supported versions, separated by a comma.
-			supportedVersions := strings.Split(strings.TrimPrefix(record, "forgejo_versions="), ",")
+			supportedVersions := strings.Split(after, ",")
 			// For now always return the latest supported version.
 			return supportedVersions[len(supportedVersions)-1], nil
 		}
diff --git a/modules/util/remove.go b/modules/util/remove.go
index 2a65a6b0aa..e2cffc92c9 100644
--- a/modules/util/remove.go
+++ b/modules/util/remove.go
@@ -12,7 +12,7 @@ import (
 // Remove removes the named file or (empty) directory with at most 5 attempts.
 func Remove(name string) error {
 	var err error
-	for i := 0; i < 5; i++ {
+	for range 5 {
 		err = os.Remove(name)
 		if err == nil {
 			break
@@ -35,7 +35,7 @@ func Remove(name string) error {
 // RemoveAll removes the named file or (empty) directory with at most 5 attempts.
 func RemoveAll(name string) error {
 	var err error
-	for i := 0; i < 5; i++ {
+	for range 5 {
 		err = os.RemoveAll(name)
 		if err == nil {
 			break
@@ -58,7 +58,7 @@ func RemoveAll(name string) error {
 // Rename renames (moves) oldpath to newpath with at most 5 attempts.
 func Rename(oldpath, newpath string) error {
 	var err error
-	for i := 0; i < 5; i++ {
+	for i := range 5 {
 		err = os.Rename(oldpath, newpath)
 		if err == nil {
 			break
diff --git a/modules/util/rotatingfilewriter/writer_test.go b/modules/util/rotatingfilewriter/writer_test.go
index 5b3b351667..c3664d8c4f 100644
--- a/modules/util/rotatingfilewriter/writer_test.go
+++ b/modules/util/rotatingfilewriter/writer_test.go
@@ -24,7 +24,7 @@ func TestCompressOldFile(t *testing.T) {
 	ng, err := os.OpenFile(nonGzip, os.O_CREATE|os.O_WRONLY, 0o660)
 	require.NoError(t, err)
 
-	for i := 0; i < 999; i++ {
+	for range 999 {
 		f.WriteString("This is a test file\n")
 		ng.WriteString("This is a test file\n")
 	}
diff --git a/modules/util/timer_test.go b/modules/util/timer_test.go
index 602800c248..1f9a4ac586 100644
--- a/modules/util/timer_test.go
+++ b/modules/util/timer_test.go
@@ -12,19 +12,19 @@ import (
 )
 
 func TestDebounce(t *testing.T) {
-	var c int64
+	var c atomic.Int64
 	d := Debounce(50 * time.Millisecond)
-	d(func() { atomic.AddInt64(&c, 1) })
-	assert.EqualValues(t, 0, atomic.LoadInt64(&c))
-	d(func() { atomic.AddInt64(&c, 1) })
-	d(func() { atomic.AddInt64(&c, 1) })
+	d(func() { c.Add(1) })
+	assert.EqualValues(t, 0, c.Load())
+	d(func() { c.Add(1) })
+	d(func() { c.Add(1) })
 	time.Sleep(100 * time.Millisecond)
-	assert.EqualValues(t, 1, atomic.LoadInt64(&c))
-	d(func() { atomic.AddInt64(&c, 1) })
-	assert.EqualValues(t, 1, atomic.LoadInt64(&c))
-	d(func() { atomic.AddInt64(&c, 1) })
-	d(func() { atomic.AddInt64(&c, 1) })
-	d(func() { atomic.AddInt64(&c, 1) })
+	assert.EqualValues(t, 1, c.Load())
+	d(func() { c.Add(1) })
+	assert.EqualValues(t, 1, c.Load())
+	d(func() { c.Add(1) })
+	d(func() { c.Add(1) })
+	d(func() { c.Add(1) })
 	time.Sleep(100 * time.Millisecond)
-	assert.EqualValues(t, 2, atomic.LoadInt64(&c))
+	assert.EqualValues(t, 2, c.Load())
 }
diff --git a/modules/util/truncate.go b/modules/util/truncate.go
index 7207a89177..35836f745c 100644
--- a/modules/util/truncate.go
+++ b/modules/util/truncate.go
@@ -47,7 +47,7 @@ func SplitTrimSpace(input, sep string) []string {
 	input = strings.ReplaceAll(input, "\r\n", "\n")
 
 	var stringList []string
-	for _, s := range strings.Split(input, sep) {
+	for s := range strings.SplitSeq(input, sep) {
 		// trim leading and trailing space
 		stringList = append(stringList, strings.TrimSpace(s))
 	}
diff --git a/modules/util/util_test.go b/modules/util/util_test.go
index a85113b2f4..24fca75e7b 100644
--- a/modules/util/util_test.go
+++ b/modules/util/util_test.go
@@ -243,7 +243,7 @@ func TestGeneratingEd25519Keypair(t *testing.T) {
 	// And another 32 bytes are required, which is included as random value
 	// in the OpenSSH format.
 	b := make([]byte, 64)
-	for i := 0; i < 64; i++ {
+	for i := range 64 {
 		b[i] = byte(i)
 	}
 	rand.Reader = bytes.NewReader(b)
diff --git a/modules/validation/binding.go b/modules/validation/binding.go
index 463e7e8f7a..23d0622de4 100644
--- a/modules/validation/binding.go
+++ b/modules/validation/binding.go
@@ -266,17 +266,17 @@ func addEmailBindingRules() {
 }
 
 func portOnly(hostport string) string {
-	colon := strings.IndexByte(hostport, ':')
-	if colon == -1 {
+	_, after, ok := strings.Cut(hostport, ":")
+	if !ok {
 		return ""
 	}
-	if i := strings.Index(hostport, "]:"); i != -1 {
-		return hostport[i+len("]:"):]
+	if _, after, ok := strings.Cut(hostport, "]:"); ok {
+		return after
 	}
 	if strings.Contains(hostport, "]") {
 		return ""
 	}
-	return hostport[colon+len(":"):]
+	return after
 }
 
 func validPort(p string) bool {
diff --git a/modules/validation/helpers.go b/modules/validation/helpers.go
index 848fb70af5..ce451b8ff4 100644
--- a/modules/validation/helpers.go
+++ b/modules/validation/helpers.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/url"
 	"regexp"
+	"slices"
 	"strings"
 
 	"forgejo.org/modules/setting"
@@ -40,12 +41,7 @@ func IsValidSiteURL(uri string) bool {
 		return false
 	}
 
-	for _, scheme := range setting.Service.ValidSiteURLSchemes {
-		if scheme == u.Scheme {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(setting.Service.ValidSiteURLSchemes, u.Scheme)
 }
 
 // IsAPIURL checks if URL is current Gitea instance API URL
diff --git a/modules/validation/validatable.go b/modules/validation/validatable.go
index 1b0d4aa382..1751e727f3 100644
--- a/modules/validation/validatable.go
+++ b/modules/validation/validatable.go
@@ -6,6 +6,7 @@ package validation
 import (
 	"fmt"
 	"reflect"
+	"slices"
 	"strings"
 	"unicode/utf8"
 
@@ -87,10 +88,8 @@ func ValidateMaxLen(value string, maxLen int, name string) []string {
 }
 
 func ValidateOneOf(value any, allowed []any, name string) []string {
-	for _, allowedElem := range allowed {
-		if value == allowedElem {
-			return []string{}
-		}
+	if slices.Contains(allowed, value) {
+		return []string{}
 	}
 	return []string{fmt.Sprintf("Field %s contains the value %v, which is not in allowed subset %v", name, value, allowed)}
 }
diff --git a/modules/web/handler.go b/modules/web/handler.go
index 4a7f28b1fa..e3f0b029fd 100644
--- a/modules/web/handler.go
+++ b/modules/web/handler.go
@@ -17,7 +17,7 @@ import (
 var responseStatusProviders = map[reflect.Type]func(req *http.Request) types.ResponseStatusProvider{}
 
 func RegisterResponseStatusProvider[T any](fn func(req *http.Request) types.ResponseStatusProvider) {
-	responseStatusProviders[reflect.TypeOf((*T)(nil)).Elem()] = fn
+	responseStatusProviders[reflect.TypeFor[T]()] = fn
 }
 
 // responseWriter is a wrapper of http.ResponseWriter, to check whether the response has been written
@@ -49,9 +49,9 @@ func (r *responseWriter) WriteHeader(statusCode int) {
 }
 
 var (
-	httpReqType    = reflect.TypeOf((*http.Request)(nil))
-	respWriterType = reflect.TypeOf((*http.ResponseWriter)(nil)).Elem()
-	cancelFuncType = reflect.TypeOf((*goctx.CancelFunc)(nil)).Elem()
+	httpReqType    = reflect.TypeFor[*http.Request]()
+	respWriterType = reflect.TypeFor[http.ResponseWriter]()
+	cancelFuncType = reflect.TypeFor[goctx.CancelFunc]()
 )
 
 // preCheckHandler checks whether the handler is valid, developers could get first-time feedback, all mistakes could be found at startup
diff --git a/modules/web/middleware/binding.go b/modules/web/middleware/binding.go
index 123eb29015..06bf55b571 100644
--- a/modules/web/middleware/binding.go
+++ b/modules/web/middleware/binding.go
@@ -30,7 +30,7 @@ func AssignForm(form any, data map[string]any) {
 	typ := reflect.TypeOf(form)
 	val := reflect.ValueOf(form)
 
-	for typ.Kind() == reflect.Ptr {
+	for typ.Kind() == reflect.Pointer {
 		typ = typ.Elem()
 		val = val.Elem()
 	}
@@ -51,7 +51,7 @@ func AssignForm(form any, data map[string]any) {
 }
 
 func getRuleBody(field reflect.StructField, prefix string) string {
-	for _, rule := range strings.Split(field.Tag.Get("binding"), ";") {
+	for rule := range strings.SplitSeq(field.Tag.Get("binding"), ";") {
 		if strings.HasPrefix(rule, prefix) {
 			return rule[len(prefix) : len(rule)-1]
 		}
@@ -99,7 +99,7 @@ func Validate(errs binding.Errors, data map[string]any, f any, l translation.Loc
 
 	typ := reflect.TypeOf(f)
 
-	if typ.Kind() == reflect.Ptr {
+	if typ.Kind() == reflect.Pointer {
 		typ = typ.Elem()
 	}
 
diff --git a/modules/web/middleware/data.go b/modules/web/middleware/data.go
index 4603e64052..c8bb8276c5 100644
--- a/modules/web/middleware/data.go
+++ b/modules/web/middleware/data.go
@@ -5,6 +5,7 @@ package middleware
 
 import (
 	"context"
+	"maps"
 	"time"
 
 	"forgejo.org/modules/setting"
@@ -22,9 +23,7 @@ func (ds ContextData) GetData() ContextData {
 }
 
 func (ds ContextData) MergeFrom(other ContextData) ContextData {
-	for k, v := range other {
-		ds[k] = v
-	}
+	maps.Copy(ds, other)
 	return ds
 }
 
diff --git a/modules/web/route.go b/modules/web/route.go
index ceb97ba333..dc83178f74 100644
--- a/modules/web/route.go
+++ b/modules/web/route.go
@@ -107,8 +107,8 @@ func (r *Route) Methods(methods, pattern string, h ...any) {
 	middlewares, handlerFunc := r.wrapMiddlewareAndHandler(h)
 	fullPattern := r.getPattern(pattern)
 	if strings.Contains(methods, ",") {
-		methods := strings.Split(methods, ",")
-		for _, method := range methods {
+		methods := strings.SplitSeq(methods, ",")
+		for method := range methods {
 			r.R.With(middlewares...).Method(strings.TrimSpace(method), fullPattern, handlerFunc)
 		}
 	} else {
diff --git a/routers/api/actions/oidc.go b/routers/api/actions/oidc.go
index 92341e4f66..d824030ca7 100644
--- a/routers/api/actions/oidc.go
+++ b/routers/api/actions/oidc.go
@@ -99,8 +99,7 @@ func OIDCRoutes(prefix string) *web.Route {
 
 	// Add custom claims by iterating over [actions_service.IDTokenCustomClaims]
 	// and inspecting the names of the json struct tags
-	customClaims := actions_service.IDTokenCustomClaims{}
-	rt := reflect.TypeOf(customClaims)
+	rt := reflect.TypeFor[actions_service.IDTokenCustomClaims]()
 
 	for i := 0; i < rt.NumField(); i++ {
 		f := rt.Field(i)
diff --git a/routers/api/packages/cargo/cargo.go b/routers/api/packages/cargo/cargo.go
index 50dc8d1c3d..9d4539a732 100644
--- a/routers/api/packages/cargo/cargo.go
+++ b/routers/api/packages/cargo/cargo.go
@@ -95,10 +95,7 @@ type SearchResultMeta struct {
 
 // https://doc.rust-lang.org/cargo/reference/registries.html#search
 func SearchPackages(ctx *context.Context) {
-	page := ctx.FormInt("page")
-	if page < 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	perPage := ctx.FormInt("per_page")
 	paginator := db.ListOptions{
 		Page:     page,
diff --git a/routers/api/packages/composer/composer.go b/routers/api/packages/composer/composer.go
index 9e67d419ec..8f87d27f3f 100644
--- a/routers/api/packages/composer/composer.go
+++ b/routers/api/packages/composer/composer.go
@@ -53,10 +53,7 @@ func ServiceIndex(ctx *context.Context) {
 // SearchPackages searches packages, only "q" is supported
 // https://packagist.org/apidoc#search-packages
 func SearchPackages(ctx *context.Context) {
-	page := ctx.FormInt("page")
-	if page < 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	perPage := ctx.FormInt("per_page")
 	paginator := db.ListOptions{
 		Page:     page,
diff --git a/routers/api/v1/repo/issue_dependency.go b/routers/api/v1/repo/issue_dependency.go
index 7c087e28b9..3d3ca58bd4 100644
--- a/routers/api/v1/repo/issue_dependency.go
+++ b/routers/api/v1/repo/issue_dependency.go
@@ -78,10 +78,7 @@ func GetIssueDependencies(ctx *context.APIContext) {
 		return
 	}
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	limit := ctx.FormInt("limit")
 	if limit == 0 {
 		limit = setting.API.DefaultPagingNum
@@ -332,10 +329,7 @@ func GetIssueBlocks(ctx *context.APIContext) {
 		return
 	}
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	limit := ctx.FormInt("limit")
 	if limit <= 1 {
 		limit = setting.API.DefaultPagingNum
diff --git a/routers/api/v1/repo/wiki.go b/routers/api/v1/repo/wiki.go
index 71d29d026b..2b14bacf89 100644
--- a/routers/api/v1/repo/wiki.go
+++ b/routers/api/v1/repo/wiki.go
@@ -303,10 +303,7 @@ func ListWikiPages(ctx *context.APIContext) {
 		return
 	}
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	limit := ctx.FormInt("limit")
 	if limit <= 1 {
 		limit = setting.API.DefaultPagingNum
@@ -439,10 +436,7 @@ func ListPageRevisions(ctx *context.APIContext) {
 	// get commit count - wiki revisions
 	commitsCount, _ := wikiRepo.FileCommitsCount(ctx.Repo.Repository.GetWikiBranchName(), pageFilename)
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	// get Commit Count
 	commitsHistory, err := wikiRepo.CommitsByFileAndRange(
diff --git a/routers/install/install.go b/routers/install/install.go
index 243f4a8f19..95452e64dd 100644
--- a/routers/install/install.go
+++ b/routers/install/install.go
@@ -11,6 +11,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -103,11 +104,8 @@ func Install(ctx *context.Context) {
 
 	curDBType := setting.Database.Type.String()
 	var isCurDBTypeSupported bool
-	for _, dbType := range setting.SupportedDatabaseTypes {
-		if dbType == curDBType {
-			isCurDBTypeSupported = true
-			break
-		}
+	if slices.Contains(setting.SupportedDatabaseTypes, curDBType) {
+		isCurDBTypeSupported = true
 	}
 	if !isCurDBTypeSupported {
 		curDBType = "mysql"
diff --git a/routers/private/serv.go b/routers/private/serv.go
index 7c4a5b8bb7..26f7e288cd 100644
--- a/routers/private/serv.go
+++ b/routers/private/serv.go
@@ -6,6 +6,7 @@ package private
 import (
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 
 	asymkey_model "forgejo.org/models/asymkey"
@@ -165,15 +166,13 @@ func ServCommand(ctx *context.PrivateContext) {
 	if err != nil {
 		if repo_model.IsErrRepoNotExist(err) {
 			repoExist = false
-			for _, verb := range ctx.FormStrings("verb") {
-				if verb == "git-upload-pack" {
-					// User is fetching/cloning a non-existent repository
-					sshLogger.Warn("Failed authentication attempt (cannot find repository: %s/%s) from %s", results.OwnerName, results.RepoName, ctx.RemoteAddr())
-					ctx.JSON(http.StatusNotFound, private.Response{
-						UserMsg: fmt.Sprintf("Cannot find repository: %s/%s", results.OwnerName, results.RepoName),
-					})
-					return
-				}
+			if slices.Contains(ctx.FormStrings("verb"), "git-upload-pack") {
+				// User is fetching/cloning a non-existent repository
+				sshLogger.Warn("Failed authentication attempt (cannot find repository: %s/%s) from %s", results.OwnerName, results.RepoName, ctx.RemoteAddr())
+				ctx.JSON(http.StatusNotFound, private.Response{
+					UserMsg: fmt.Sprintf("Cannot find repository: %s/%s", results.OwnerName, results.RepoName),
+				})
+				return
 			}
 		} else {
 			sshLogger.Error("Unable to get repository: %s/%s Error: %v", results.OwnerName, results.RepoName, err)
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index 27a241f508..e03fea9da2 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -166,7 +166,7 @@ func parseOAuth2Config(form forms.AuthenticationForm) *oauth2.Source {
 		customURLMapping = nil
 	}
 	var scopes []string
-	for _, s := range strings.Split(form.Oauth2Scopes, ",") {
+	for s := range strings.SplitSeq(form.Oauth2Scopes, ",") {
 		s = strings.TrimSpace(s)
 		if s != "" {
 			scopes = append(scopes, s)
diff --git a/routers/web/admin/config.go b/routers/web/admin/config.go
index e1c3a5f9ee..2d3ea78052 100644
--- a/routers/web/admin/config.go
+++ b/routers/web/admin/config.go
@@ -62,7 +62,7 @@ func TestCache(ctx *context.Context) {
 
 func shadowPasswordKV(cfgItem, splitter string) string {
 	fields := strings.Split(cfgItem, splitter)
-	for i := 0; i < len(fields); i++ {
+	for i := range fields {
 		if strings.HasPrefix(fields[i], "password=") {
 			fields[i] = "password=******"
 			break
diff --git a/routers/web/admin/notice.go b/routers/web/admin/notice.go
index 8bcaadf915..f67430f386 100644
--- a/routers/web/admin/notice.go
+++ b/routers/web/admin/notice.go
@@ -26,10 +26,7 @@ func Notices(ctx *context.Context) {
 	ctx.Data["PageIsAdminNotices"] = true
 
 	total := system_model.CountNotices(ctx)
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	notices, err := system_model.Notices(ctx, page, setting.UI.Admin.NoticePagingNum)
 	if err != nil {
diff --git a/routers/web/admin/packages.go b/routers/web/admin/packages.go
index 5c80a1eada..032d10fc41 100644
--- a/routers/web/admin/packages.go
+++ b/routers/web/admin/packages.go
@@ -24,10 +24,7 @@ const (
 
 // Packages shows all packages
 func Packages(ctx *context.Context) {
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	query := ctx.FormTrim("q")
 	packageType := ctx.FormTrim("type")
 	sort := ctx.FormTrim("sort")
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 89d2fd37ce..eba2b441c4 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -283,8 +283,8 @@ type userInfoResponse struct {
 
 func ifOnlyPublicGroups(scopes string) bool {
 	scopes = strings.ReplaceAll(scopes, ",", " ")
-	scopesList := strings.Fields(scopes)
-	for _, scope := range scopesList {
+	scopesList := strings.FieldsSeq(scopes)
+	for scope := range scopesList {
 		if scope == "all" || scope == "read:organization" || scope == "read:admin" {
 			return false
 		}
@@ -424,11 +424,11 @@ func AuthorizeOAuth(ctx *context.Context) {
 	errs := binding.Errors{}
 	errs = form.Validate(ctx.Req, errs)
 	if len(errs) > 0 {
-		errstring := ""
+		var errstring strings.Builder
 		for _, e := range errs {
-			errstring += e.Error() + "\n"
+			errstring.WriteString(e.Error() + "\n")
 		}
-		ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring))
+		ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring.String()))
 		return
 	}
 
diff --git a/routers/web/org/members.go b/routers/web/org/members.go
index 4550d5f0e7..8a8c5122de 100644
--- a/routers/web/org/members.go
+++ b/routers/web/org/members.go
@@ -29,10 +29,7 @@ func Members(ctx *context.Context) {
 	ctx.Data["Title"] = org.FullName
 	ctx.Data["PageIsOrgMembers"] = true
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	opts := &organization.FindOrgMembersOpts{
 		Doer:  ctx.Doer,
diff --git a/routers/web/org/projects.go b/routers/web/org/projects.go
index a492d85d84..6e5f4079ac 100644
--- a/routers/web/org/projects.go
+++ b/routers/web/org/projects.go
@@ -48,10 +48,7 @@ func Projects(ctx *context.Context) {
 
 	isShowClosed := strings.ToLower(ctx.FormTrim("state")) == "closed"
 	keyword := ctx.FormTrim("q")
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	var projectType project_model.Type
 	if ctx.ContextUser.IsOrganization() {
diff --git a/routers/web/repo/branch.go b/routers/web/repo/branch.go
index 0fe52bfb48..3c32a3b9e5 100644
--- a/routers/web/repo/branch.go
+++ b/routers/web/repo/branch.go
@@ -46,10 +46,7 @@ func Branches(ctx *context.Context) {
 	ctx.Data["PageIsViewCode"] = true
 	ctx.Data["PageIsBranches"] = true
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	pageSize := setting.Git.BranchesRangeSize
 
 	kw := ctx.FormString("q")
diff --git a/routers/web/repo/commit.go b/routers/web/repo/commit.go
index 3db8a091b0..5b8f35f5b1 100644
--- a/routers/web/repo/commit.go
+++ b/routers/web/repo/commit.go
@@ -68,10 +68,7 @@ func Commits(ctx *context.Context) {
 		return
 	}
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	pageSize := ctx.FormInt("limit")
 	if pageSize <= 0 {
@@ -241,10 +238,7 @@ func FileHistory(ctx *context.Context) {
 		return
 	}
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	commits, err := ctx.Repo.GitRepo.CommitsByFileAndRange(
 		git.CommitsByFileAndRangeOptions{
diff --git a/routers/web/repo/editor.go b/routers/web/repo/editor.go
index 2948c1db3c..fb1aaf042a 100644
--- a/routers/web/repo/editor.go
+++ b/routers/web/repo/editor.go
@@ -832,7 +832,7 @@ func cleanUploadFileName(name string) string {
 	// Rebase the filename
 	name = util.PathJoinRel(name)
 	// Git disallows any filenames to have a .git directory in them.
-	for _, part := range strings.Split(name, "/") {
+	for part := range strings.SplitSeq(name, "/") {
 		if strings.ToLower(part) == ".git" {
 			return ""
 		}
diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index 403245596d..de05d99a3e 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -13,6 +13,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -363,12 +364,7 @@ func containsParentDirectorySeparator(v string) bool {
 	if !strings.Contains(v, "..") {
 		return false
 	}
-	for _, ent := range strings.FieldsFunc(v, isSlashRune) {
-		if ent == ".." {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(strings.FieldsFunc(v, isSlashRune), "..")
 }
 
 func isSlashRune(r rune) bool { return r == '/' || r == '\\' }
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index cc09651e97..3852c4c18f 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"html/template"
+	"maps"
 	"math/big"
 	"net/http"
 	"net/url"
@@ -267,10 +268,7 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption opt
 
 	archived := ctx.FormBool("archived")
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	var total int
 	switch {
@@ -1014,9 +1012,7 @@ func NewIssue(ctx *context.Context) {
 
 	_, templateErrs := issue_service.GetTemplatesFromDefaultBranch(ctx.Repo.Repository, ctx.Repo.GitRepo)
 	templateLoaded, errs := setTemplateIfExists(ctx, issueTemplateKey, issueTemplateCandidates)
-	for k, v := range errs {
-		templateErrs[k] = v
-	}
+	maps.Copy(templateErrs, errs)
 	if ctx.Written() {
 		return
 	}
@@ -2190,7 +2186,7 @@ func getActionIssues(ctx *context.Context) issues_model.IssueList {
 		return nil
 	}
 	issueIDs := make([]int64, 0, 10)
-	for _, stringIssueID := range strings.Split(commaSeparatedIssueIDs, ",") {
+	for stringIssueID := range strings.SplitSeq(commaSeparatedIssueIDs, ",") {
 		issueID, err := strconv.ParseInt(stringIssueID, 10, 64)
 		if err != nil {
 			ctx.ServerError("ParseInt", err)
diff --git a/routers/web/repo/issue_label_test.go b/routers/web/repo/issue_label_test.go
index 0adcc39499..b4d350b31d 100644
--- a/routers/web/repo/issue_label_test.go
+++ b/routers/web/repo/issue_label_test.go
@@ -6,6 +6,7 @@ package repo
 import (
 	"net/http"
 	"strconv"
+	"strings"
 	"testing"
 
 	issues_model "forgejo.org/models/issues"
@@ -21,14 +22,14 @@ import (
 )
 
 func int64SliceToCommaSeparated(a []int64) string {
-	s := ""
+	var s strings.Builder
 	for i, n := range a {
 		if i > 0 {
-			s += ","
+			s.WriteString(",")
 		}
-		s += strconv.Itoa(int(n))
+		s.WriteString(strconv.Itoa(int(n)))
 	}
-	return s
+	return s.String()
 }
 
 func TestInitializeLabels(t *testing.T) {
diff --git a/routers/web/repo/milestone.go b/routers/web/repo/milestone.go
index 920a9ee12a..5ede62d992 100644
--- a/routers/web/repo/milestone.go
+++ b/routers/web/repo/milestone.go
@@ -40,10 +40,7 @@ func Milestones(ctx *context.Context) {
 	isShowClosed := ctx.FormString("state") == "closed"
 	sortType := ctx.FormString("sort")
 	keyword := ctx.FormTrim("q")
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	miles, total, err := db.FindAndCount[issues_model.Milestone](ctx, issues_model.FindMilestoneOptions{
 		ListOptions: db.ListOptions{
diff --git a/routers/web/repo/packages.go b/routers/web/repo/packages.go
index c947fb99bf..fd7e886557 100644
--- a/routers/web/repo/packages.go
+++ b/routers/web/repo/packages.go
@@ -21,10 +21,7 @@ const (
 
 // Packages displays a list of all packages in the repository
 func Packages(ctx *context.Context) {
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	query := ctx.FormTrim("q")
 	packageType := ctx.FormTrim("type")
 
diff --git a/routers/web/repo/projects.go b/routers/web/repo/projects.go
index e3e9ce0eb7..98e4c35fa2 100644
--- a/routers/web/repo/projects.go
+++ b/routers/web/repo/projects.go
@@ -57,10 +57,7 @@ func Projects(ctx *context.Context) {
 	isShowClosed := strings.ToLower(ctx.FormTrim("state")) == "closed"
 	keyword := ctx.FormTrim("q")
 	repo := ctx.Repo.Repository
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	ctx.Data["OpenCount"] = repo.NumOpenProjects
 	ctx.Data["ClosedCount"] = repo.NumClosedProjects
diff --git a/routers/web/repo/repo.go b/routers/web/repo/repo.go
index 6b6ec55720..e5ede13bf5 100644
--- a/routers/web/repo/repo.go
+++ b/routers/web/repo/repo.go
@@ -92,7 +92,7 @@ func checkContextUser(ctx *context.Context, uid int64) *user_model.User {
 
 	if !ctx.Doer.IsAdmin {
 		orgsAvailable := []*organization.Organization{}
-		for i := 0; i < len(orgs); i++ {
+		for i := range orgs {
 			if orgs[i].CanCreateRepo() {
 				orgsAvailable = append(orgsAvailable, orgs[i])
 			}
diff --git a/routers/web/repo/setting/lfs.go b/routers/web/repo/setting/lfs.go
index 78184930d3..40181ebb52 100644
--- a/routers/web/repo/setting/lfs.go
+++ b/routers/web/repo/setting/lfs.go
@@ -44,10 +44,7 @@ func LFSFiles(ctx *context.Context) {
 		ctx.NotFound("LFSFiles", nil)
 		return
 	}
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	total, err := git_model.CountLFSMetaObjects(ctx, ctx.Repo.Repository.ID)
 	if err != nil {
 		ctx.ServerError("LFSFiles", err)
@@ -76,10 +73,7 @@ func LFSLocks(ctx *context.Context) {
 	}
 	ctx.Data["LFSFilesLink"] = ctx.Repo.RepoLink + "/settings/lfs"
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	total, err := git_model.CountLFSLockByRepoID(ctx, ctx.Repo.Repository.ID)
 	if err != nil {
 		ctx.ServerError("LFSLocks", err)
diff --git a/routers/web/repo/wiki.go b/routers/web/repo/wiki.go
index 1b5265978a..8153288312 100644
--- a/routers/web/repo/wiki.go
+++ b/routers/web/repo/wiki.go
@@ -374,10 +374,7 @@ func renderRevisionPage(ctx *context.Context) (*git.Repository, *git.TreeEntry)
 	ctx.Data["CommitCount"] = commitsCount
 
 	// get page
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	// get Commit Count
 	commitsHistory, err := wikiRepo.CommitsByFileAndRange(
diff --git a/routers/web/shared/actions/runners.go b/routers/web/shared/actions/runners.go
index 012ec246fd..93543f92df 100644
--- a/routers/web/shared/actions/runners.go
+++ b/routers/web/shared/actions/runners.go
@@ -134,10 +134,7 @@ func RunnersList(ctx *context.Context) {
 		return
 	}
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	opts := actions_model.FindRunnerOptions{
 		ListOptions: db.ListOptions{
@@ -216,10 +213,7 @@ func RunnerDetails(ctx *context.Context) {
 	}
 
 	runnerID := ctx.ParamsInt64(":runnerid")
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	runner, err := actions_model.GetVisibleRunnerByID(ctx, runnerID, rCtx.OwnerID, rCtx.RepoID)
 	if errors.Is(err, util.ErrNotExist) {
diff --git a/routers/web/user/home.go b/routers/web/user/home.go
index 9c40236475..60d6fc2bd0 100644
--- a/routers/web/user/home.go
+++ b/routers/web/user/home.go
@@ -191,7 +191,7 @@ func Milestones(ctx *context.Context) {
 			reposQuery = reposQuery[1 : len(reposQuery)-1]
 			// for each ID (delimiter ",") add to int to repoIDs
 
-			for _, rID := range strings.Split(reposQuery, ",") {
+			for rID := range strings.SplitSeq(reposQuery, ",") {
 				// Ensure nonempty string entries
 				if rID != "" && rID != "0" {
 					rIDint64, err := strconv.ParseInt(rID, 10, 64)
@@ -532,10 +532,7 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 	opts.IsClosed = optional.Some(isShowClosed)
 
 	// Make sure page number is at least 1. Will be posted to ctx.Data.
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	opts.Paginator = &db.ListOptions{
 		Page:     page,
 		PageSize: setting.UI.IssuePagingNum,
diff --git a/routers/web/user/notification.go b/routers/web/user/notification.go
index 3b69e5bddf..1445658c18 100644
--- a/routers/web/user/notification.go
+++ b/routers/web/user/notification.go
@@ -226,10 +226,7 @@ func NotificationPurgePost(ctx *context.Context) {
 
 // NotificationSubscriptions returns the list of subscribed issues
 func NotificationSubscriptions(ctx *context.Context) {
-	page := ctx.FormInt("page")
-	if page < 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	sortType := ctx.FormString("sort")
 	ctx.Data["SortType"] = sortType
@@ -358,10 +355,7 @@ func NotificationSubscriptions(ctx *context.Context) {
 
 // NotificationWatching returns the list of watching repos
 func NotificationWatching(ctx *context.Context) {
-	page := ctx.FormInt("page")
-	if page < 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	keyword := ctx.FormTrim("q")
 	ctx.Data["Keyword"] = keyword
diff --git a/routers/web/user/package.go b/routers/web/user/package.go
index 9a77af0bb2..0c403a2613 100644
--- a/routers/web/user/package.go
+++ b/routers/web/user/package.go
@@ -42,10 +42,7 @@ const (
 // ListPackages displays a list of all packages of the context user
 func ListPackages(ctx *context.Context) {
 	shared_user.PrepareContextForProfileBigAvatar(ctx)
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	query := ctx.FormTrim("q")
 	packageType := ctx.FormTrim("type")
 
@@ -314,10 +311,7 @@ func ListPackageVersions(ctx *context.Context) {
 		return
 	}
 
-	page := ctx.FormInt("page")
-	if page <= 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 	pagination := &db.ListOptions{
 		PageSize: setting.UI.PackagesPagingNum,
 		Page:     page,
diff --git a/services/actions/rerun.go b/services/actions/rerun.go
index f6dd4af5c7..61aede5d7c 100644
--- a/services/actions/rerun.go
+++ b/services/actions/rerun.go
@@ -4,6 +4,8 @@
 package actions
 
 import (
+	"slices"
+
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/modules/container"
 )
@@ -20,13 +22,10 @@ func GetAllRerunJobs(job *actions_model.ActionRunJob, allJobs []*actions_model.A
 			if rerunJobsIDSet.Contains(j.JobID) {
 				continue
 			}
-			for _, need := range j.Needs {
-				if rerunJobsIDSet.Contains(need) {
-					found = true
-					rerunJobs = append(rerunJobs, j)
-					rerunJobsIDSet.Add(j.JobID)
-					break
-				}
+			if slices.ContainsFunc(j.Needs, rerunJobsIDSet.Contains) {
+				found = true
+				rerunJobs = append(rerunJobs, j)
+				rerunJobsIDSet.Add(j.JobID)
 			}
 		}
 		if !found {
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index 1c1809b092..a23f586ffd 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -39,7 +39,7 @@ func grantAdditionalScopes(grantScopes string) string {
 	}
 
 	var apiTokenScopes []string
-	for _, apiTokenScope := range strings.Split(grantScopes, " ") {
+	for apiTokenScope := range strings.SplitSeq(grantScopes, " ") {
 		if slices.Index(scopesSupported, apiTokenScope) == -1 {
 			apiTokenScopes = append(apiTokenScopes, apiTokenScope)
 		}
diff --git a/services/auth/source/oauth2/urlmapping.go b/services/auth/source/oauth2/urlmapping.go
index d0442d58a8..b9f445caa7 100644
--- a/services/auth/source/oauth2/urlmapping.go
+++ b/services/auth/source/oauth2/urlmapping.go
@@ -14,11 +14,11 @@ type CustomURLMapping struct {
 
 // CustomURLSettings describes the urls values and availability to use when customizing OAuth2 provider URLs
 type CustomURLSettings struct {
-	AuthURL    Attribute `json:",omitempty"`
-	TokenURL   Attribute `json:",omitempty"`
-	ProfileURL Attribute `json:",omitempty"`
-	EmailURL   Attribute `json:",omitempty"`
-	Tenant     Attribute `json:",omitempty"`
+	AuthURL    Attribute
+	TokenURL   Attribute
+	ProfileURL Attribute
+	EmailURL   Attribute
+	Tenant     Attribute
 }
 
 // Attribute describes the availability, and required status for a custom url configuration
diff --git a/services/auth/source/pam/source_authenticate.go b/services/auth/source/pam/source_authenticate.go
index 8a84683d29..f368d7e0b1 100644
--- a/services/auth/source/pam/source_authenticate.go
+++ b/services/auth/source/pam/source_authenticate.go
@@ -37,9 +37,9 @@ func (source *Source) Authenticate(ctx context.Context, user *user_model.User, u
 	// Allow PAM sources with `@` in their name, like from Active Directory
 	username := pamLogin
 	email := pamLogin
-	idx := strings.Index(pamLogin, "@")
-	if idx > -1 {
-		username = pamLogin[:idx]
+	before, _, ok := strings.Cut(pamLogin, "@")
+	if ok {
+		username = before
 	}
 	if validation.ValidateEmail(email) != nil {
 		if source.EmailDomain != "" {
diff --git a/services/auth/source/smtp/source_authenticate.go b/services/auth/source/smtp/source_authenticate.go
index 3d7ccd0669..919a7d0b5b 100644
--- a/services/auth/source/smtp/source_authenticate.go
+++ b/services/auth/source/smtp/source_authenticate.go
@@ -21,10 +21,10 @@ import (
 func (source *Source) Authenticate(ctx context.Context, user *user_model.User, userName, password string) (*user_model.User, error) {
 	// Verify allowed domains.
 	if len(source.AllowedDomains) > 0 {
-		idx := strings.Index(userName, "@")
-		if idx == -1 {
+		_, after, ok := strings.Cut(userName, "@")
+		if !ok {
 			return nil, user_model.ErrUserNotExist{Name: userName}
-		} else if !util.SliceContainsString(strings.Split(source.AllowedDomains, ","), userName[idx+1:], true) {
+		} else if !util.SliceContainsString(strings.Split(source.AllowedDomains, ","), after, true) {
 			return nil, user_model.ErrUserNotExist{Name: userName}
 		}
 	}
@@ -61,9 +61,9 @@ func (source *Source) Authenticate(ctx context.Context, user *user_model.User, u
 	}
 
 	username := userName
-	idx := strings.Index(userName, "@")
-	if idx > -1 {
-		username = userName[:idx]
+	before, _, ok := strings.Cut(userName, "@")
+	if ok {
+		username = before
 	}
 
 	user = &user_model.User{
diff --git a/services/context/api.go b/services/context/api.go
index 434da29906..1064b1ab4a 100644
--- a/services/context/api.go
+++ b/services/context/api.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"
 
 	issues_model "forgejo.org/models/issues"
@@ -466,13 +467,7 @@ func (ctx *APIContext) IsUserRepoAdmin() bool {
 
 // IsUserRepoWriter returns true if current user has write privilege in current repo
 func (ctx *APIContext) IsUserRepoWriter(unitTypes []unit.Type) bool {
-	for _, unitType := range unitTypes {
-		if ctx.Repo.CanWrite(unitType) {
-			return true
-		}
-	}
-
-	return false
+	return slices.ContainsFunc(unitTypes, ctx.Repo.CanWrite)
 }
 
 // Returns true when the requests indicates that it accepts a Github response.
diff --git a/services/context/context_model.go b/services/context/context_model.go
index 1a8751ee63..dae244f843 100644
--- a/services/context/context_model.go
+++ b/services/context/context_model.go
@@ -4,6 +4,8 @@
 package context
 
 import (
+	"slices"
+
 	"forgejo.org/models/unit"
 )
 
@@ -19,11 +21,5 @@ func (ctx *Context) IsUserRepoAdmin() bool {
 
 // IsUserRepoWriter returns true if current user has write privilege in current repo
 func (ctx *Context) IsUserRepoWriter(unitTypes []unit.Type) bool {
-	for _, unitType := range unitTypes {
-		if ctx.Repo.CanWrite(unitType) {
-			return true
-		}
-	}
-
-	return false
+	return slices.ContainsFunc(unitTypes, ctx.Repo.CanWrite)
 }
diff --git a/services/context/permission.go b/services/context/permission.go
index 49504e5043..f898bd98ae 100644
--- a/services/context/permission.go
+++ b/services/context/permission.go
@@ -5,6 +5,7 @@ package context
 
 import (
 	"net/http"
+	"slices"
 
 	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/perm"
@@ -47,10 +48,8 @@ func CanEnableEditor() func(ctx *Context) {
 // RequireRepoWriterOr returns a middleware for requiring repository write to one of the unit permission
 func RequireRepoWriterOr(unitTypes ...unit.Type) func(ctx *Context) {
 	return func(ctx *Context) {
-		for _, unitType := range unitTypes {
-			if ctx.Repo.CanWrite(unitType) {
-				return
-			}
+		if slices.ContainsFunc(unitTypes, ctx.Repo.CanWrite) {
+			return
 		}
 		ctx.NotFound(ctx.Req.URL.RequestURI(), nil)
 	}
@@ -85,10 +84,8 @@ func RequireRepoReader(unitType unit.Type) func(ctx *Context) {
 // RequireRepoReaderOr returns a middleware for requiring repository write to one of the unit permission
 func RequireRepoReaderOr(unitTypes ...unit.Type) func(ctx *Context) {
 	return func(ctx *Context) {
-		for _, unitType := range unitTypes {
-			if ctx.Repo.CanRead(unitType) {
-				return
-			}
+		if slices.ContainsFunc(unitTypes, ctx.Repo.CanRead) {
+			return
 		}
 		if log.IsTrace() {
 			var format string
diff --git a/services/context/repo.go b/services/context/repo.go
index ebc9109c96..583eb35474 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -395,14 +395,14 @@ func repoAssignment(ctx *Context, repo *repo_model.Repository) {
 
 	followingRepoList, err := repo_model.FindFollowingReposByRepoID(ctx, repo.ID)
 	if err == nil {
-		followingRepoString := ""
+		var followingRepoString strings.Builder
 		for idx, followingRepo := range followingRepoList {
 			if idx > 0 {
-				followingRepoString += ";"
+				followingRepoString.WriteString(";")
 			}
-			followingRepoString += followingRepo.URI
+			followingRepoString.WriteString(followingRepo.URI)
 		}
-		ctx.Data["FollowingRepos"] = followingRepoString
+		ctx.Data["FollowingRepos"] = followingRepoString.String()
 	} else if err != repo_model.ErrMirrorNotExist {
 		ctx.ServerError("FindFollowingRepoByRepoID", err)
 		return
diff --git a/services/context/upload/upload.go b/services/context/upload/upload.go
index e71fc50c1f..79f4d66f5f 100644
--- a/services/context/upload/upload.go
+++ b/services/context/upload/upload.go
@@ -38,7 +38,7 @@ func Verify(buf []byte, fileName, allowedTypesStr string) error {
 	allowedTypesStr = strings.ReplaceAll(allowedTypesStr, "|", ",") // compat for old config format
 
 	allowedTypes := []string{}
-	for _, entry := range strings.Split(allowedTypesStr, ",") {
+	for entry := range strings.SplitSeq(allowedTypesStr, ",") {
 		entry = strings.ToLower(strings.TrimSpace(entry))
 		if entry != "" {
 			allowedTypes = append(allowedTypes, entry)
diff --git a/services/convert/activitypub_user_action.go b/services/convert/activitypub_user_action.go
index b08eaa14c7..6db3834ef2 100644
--- a/services/convert/activitypub_user_action.go
+++ b/services/convert/activitypub_user_action.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"html"
 	"net/url"
+	"strings"
 	"time"
 
 	activities_model "forgejo.org/models/activities"
@@ -73,7 +74,7 @@ func ActionToForgeUserActivity(ctx context.Context, action *activities_model.Act
 		if err := json.Unmarshal([]byte(action.GetContent()), commits); err != nil {
 			return fm.ForgeUserActivity{}, err
 		}
-		commitsHTML := ""
+		var commitsHTML strings.Builder
 		renderCommit := func(commit *PushCommit) string {
 			return fmt.Sprintf(`<li><a href="%s" rel="nofollow">%s</a> <pre>%s</pre></li>`,
 				fmt.Sprintf("%s/commit/%s", action.GetRepoAbsoluteLink(ctx), url.PathEscape(commit.Sha1)),
@@ -82,9 +83,9 @@ func ActionToForgeUserActivity(ctx context.Context, action *activities_model.Act
 			)
 		}
 		for _, commit := range commits.Commits {
-			commitsHTML += renderCommit(commit)
+			commitsHTML.WriteString(renderCommit(commit))
 		}
-		return makeUserActivity("pushed to %s at %s: <ul>%s</ul>", renderBranch(), renderRepo(), commitsHTML)
+		return makeUserActivity("pushed to %s at %s: <ul>%s</ul>", renderBranch(), renderRepo(), commitsHTML.String())
 	case activities_model.ActionCreateIssue:
 		if err := action.LoadIssue(ctx); err != nil {
 			return fm.ForgeUserActivity{}, err
diff --git a/services/cron/tasks.go b/services/cron/tasks.go
index b547acdf05..bd64dd081d 100644
--- a/services/cron/tasks.go
+++ b/services/cron/tasks.go
@@ -54,7 +54,7 @@ func (t *Task) IsEnabled() bool {
 
 // GetConfig will return a copy of the task's config
 func (t *Task) GetConfig() Config {
-	if reflect.TypeOf(t.config).Kind() == reflect.Ptr {
+	if reflect.TypeOf(t.config).Kind() == reflect.Pointer {
 		// Pointer:
 		return reflect.New(reflect.ValueOf(t.config).Elem().Type()).Interface().(Config)
 	}
diff --git a/services/doctor/push_mirror_consistency.go b/services/doctor/push_mirror_consistency.go
index 07986770b2..e85b1740a4 100644
--- a/services/doctor/push_mirror_consistency.go
+++ b/services/doctor/push_mirror_consistency.go
@@ -23,7 +23,7 @@ func FixPushMirrorsWithoutGitRemote(ctx context.Context, logger log.Logger, auto
 			return err
 		}
 
-		for i := 0; i < len(pushMirrors); i++ {
+		for i := range pushMirrors {
 			_, err = repo_model.GetPushMirrorRemoteAddress(repo.OwnerName, repo.Name, pushMirrors[i].RemoteName)
 			if err != nil {
 				if strings.Contains(err.Error(), "No such remote") {
diff --git a/services/forms/repo_form.go b/services/forms/repo_form.go
index e894b79a14..f9443b8b6c 100644
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/url"
 	"regexp"
+	"slices"
 	"strings"
 
 	"forgejo.org/models"
@@ -383,13 +384,7 @@ func (i IssueLockForm) HasValidReason() bool {
 		return true
 	}
 
-	for _, v := range setting.Repository.Issue.LockReasons {
-		if v == i.Reason {
-			return true
-		}
-	}
-
-	return false
+	return slices.Contains(setting.Repository.Issue.LockReasons, i.Reason)
 }
 
 // CreateProjectForm form for creating a project
diff --git a/services/gitdiff/csv.go b/services/gitdiff/csv.go
index 8db73c56a3..c10ee14490 100644
--- a/services/gitdiff/csv.go
+++ b/services/gitdiff/csv.go
@@ -134,7 +134,7 @@ func createCsvDiffSingle(reader *csv.Reader, celltype TableDiffCellType) ([]*Tab
 			return nil, err
 		}
 		cells := make([]*TableDiffCell, len(row))
-		for j := 0; j < len(row); j++ {
+		for j := range row {
 			if celltype == TableDiffCellDel {
 				cells[j] = &TableDiffCell{LeftCell: row[j], Type: celltype}
 			} else {
@@ -365,11 +365,11 @@ func getColumnMapping(baseCSVReader, headCSVReader *csvReader) ([]int, []int) {
 	}
 
 	// Loops through the baseRow and see if there is a match in the head row
-	for i := 0; i < len(baseRow); i++ {
+	for i := range baseRow {
 		base2HeadColMap[i] = unmappedColumn
 		baseCell, err := getCell(baseRow, i)
 		if err == nil {
-			for j := 0; j < len(headRow); j++ {
+			for j := range headRow {
 				if head2BaseColMap[j] == -1 {
 					headCell, err := getCell(headRow, j)
 					if err == nil && baseCell == headCell {
@@ -390,7 +390,7 @@ func getColumnMapping(baseCSVReader, headCSVReader *csvReader) ([]int, []int) {
 
 // tryMapColumnsByContent tries to map missing columns by the content of the first lines.
 func tryMapColumnsByContent(baseCSVReader *csvReader, base2HeadColMap []int, headCSVReader *csvReader, head2BaseColMap []int) {
-	for i := 0; i < len(base2HeadColMap); i++ {
+	for i := range base2HeadColMap {
 		headStart := 0
 		for base2HeadColMap[i] == unmappedColumn && headStart < len(head2BaseColMap) {
 			if head2BaseColMap[headStart] == unmappedColumn {
@@ -424,7 +424,7 @@ func getCell(row []string, column int) (string, error) {
 // countUnmappedColumns returns the count of unmapped columns.
 func countUnmappedColumns(mapping []int) int {
 	count := 0
-	for i := 0; i < len(mapping); i++ {
+	for i := range mapping {
 		if mapping[i] == unmappedColumn {
 			count++
 		}
diff --git a/services/gitdiff/gitdiff.go b/services/gitdiff/gitdiff.go
index 544c664ca2..c1d0bc0107 100644
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -524,10 +524,7 @@ func ParsePatch(ctx context.Context, maxLines, maxLineCharacters, maxFiles int,
 
 	// OK let's set a reasonable buffer size.
 	// This should be at least the size of maxLineCharacters or 4096 whichever is larger.
-	readerSize := maxLineCharacters
-	if readerSize < 4096 {
-		readerSize = 4096
-	}
+	readerSize := max(maxLineCharacters, 4096)
 
 	input := bufio.NewReaderSize(reader, readerSize)
 	line, err := input.ReadString('\n')
diff --git a/services/gitdiff/gitdiff_test.go b/services/gitdiff/gitdiff_test.go
index d4d1cd4460..7ba439be35 100644
--- a/services/gitdiff/gitdiff_test.go
+++ b/services/gitdiff/gitdiff_test.go
@@ -445,7 +445,7 @@ index 0000000..6bb8f39
 `
 	diffBuilder.WriteString(diff)
 
-	for i := 0; i < 35; i++ {
+	for i := range 35 {
 		diffBuilder.WriteString("+line" + strconv.Itoa(i) + "\n")
 	}
 	diff = diffBuilder.String()
@@ -482,11 +482,11 @@ index 0000000..6bb8f39
 	diffBuilder.Reset()
 	diffBuilder.WriteString(diff)
 
-	for i := 0; i < 33; i++ {
+	for i := range 33 {
 		diffBuilder.WriteString("+line" + strconv.Itoa(i) + "\n")
 	}
 	diffBuilder.WriteString("+line33")
-	for i := 0; i < 512; i++ {
+	for range 512 {
 		diffBuilder.WriteString("0123456789ABCDEF")
 	}
 	diffBuilder.WriteByte('\n')
diff --git a/services/gitdiff/highlightdiff_test.go b/services/gitdiff/highlightdiff_test.go
index 0070173b9f..f5486b3f34 100644
--- a/services/gitdiff/highlightdiff_test.go
+++ b/services/gitdiff/highlightdiff_test.go
@@ -101,7 +101,7 @@ func TestDiffWithHighlightPlaceholderExhausted(t *testing.T) {
 
 func TestDiffWithHighlightTagMatch(t *testing.T) {
 	totalOverflow := 0
-	for i := 0; i < 100; i++ {
+	for i := range 100 {
 		hcd := NewHighlightCodeDiff()
 		hcd.placeholderMaxCount = i
 		diffs := hcd.diffWithHighlight(
diff --git a/services/issue/issue.go b/services/issue/issue.go
index ab42916017..41a6000d52 100644
--- a/services/issue/issue.go
+++ b/services/issue/issue.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"time"
 
 	activities_model "forgejo.org/models/activities"
@@ -127,11 +128,8 @@ func UpdateAssignees(ctx context.Context, issue *issues_model.Issue, oneAssignee
 	if oneAssignee != "" {
 		// Prevent double adding assignees
 		var isDouble bool
-		for _, assignee := range multipleAssignees {
-			if assignee == oneAssignee {
-				isDouble = true
-				break
-			}
+		if slices.Contains(multipleAssignees, oneAssignee) {
+			isDouble = true
 		}
 
 		if !isDouble {
diff --git a/services/issue/milestone.go b/services/issue/milestone.go
index 928979d74e..158abb0663 100644
--- a/services/issue/milestone.go
+++ b/services/issue/milestone.go
@@ -26,10 +26,7 @@ func updateMilestoneCounters(ctx context.Context, issue *issues_model.Issue, id
 		if err != nil {
 			return fmt.Errorf("GetMilestoneByRepoID: %w", err)
 		}
-		updatedUnix := milestone.UpdatedUnix
-		if issue.UpdatedUnix > updatedUnix {
-			updatedUnix = issue.UpdatedUnix
-		}
+		updatedUnix := max(issue.UpdatedUnix, milestone.UpdatedUnix)
 		stats.QueueRecalcMilestoneByIDWithDate(ctx, id, updatedUnix)
 	} else {
 		stats.QueueRecalcMilestoneByID(ctx, id)
diff --git a/services/lfs/locks.go b/services/lfs/locks.go
index a45b2cc93b..16f6dc1631 100644
--- a/services/lfs/locks.go
+++ b/services/lfs/locks.go
@@ -74,10 +74,7 @@ func GetListLockHandler(ctx *context.Context) {
 	}
 	ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
 
-	cursor := ctx.FormInt("cursor")
-	if cursor < 0 {
-		cursor = 0
-	}
+	cursor := max(ctx.FormInt("cursor"), 0)
 	limit := ctx.FormInt("limit")
 	if limit > setting.LFS.LocksPagingNum && setting.LFS.LocksPagingNum > 0 {
 		limit = setting.LFS.LocksPagingNum
@@ -239,10 +236,7 @@ func VerifyLockHandler(ctx *context.Context) {
 
 	ctx.Resp.Header().Set("Content-Type", lfs_module.MediaType)
 
-	cursor := ctx.FormInt("cursor")
-	if cursor < 0 {
-		cursor = 0
-	}
+	cursor := max(ctx.FormInt("cursor"), 0)
 	limit := ctx.FormInt("limit")
 	if limit > setting.LFS.LocksPagingNum && setting.LFS.LocksPagingNum > 0 {
 		limit = setting.LFS.LocksPagingNum
diff --git a/services/lfs/server.go b/services/lfs/server.go
index 30878d8edd..cc8afc2aa8 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"maps"
 	"net/http"
 	"net/url"
 	"path"
@@ -503,9 +504,7 @@ func buildObjectResponse(rc *requestContext, pointer lfs_module.Pointer, downloa
 			rep.Actions["upload"] = &lfs_module.Link{Href: rc.UploadLink(pointer), Header: header}
 
 			verifyHeader := make(map[string]string)
-			for key, value := range header {
-				verifyHeader[key] = value
-			}
+			maps.Copy(verifyHeader, header)
 
 			// This is only needed to workaround https://github.com/git-lfs/git-lfs/issues/3662
 			verifyHeader["Accept"] = lfs_module.AcceptHeader
diff --git a/services/mailer/mailer_test.go b/services/mailer/mailer_test.go
index 34fd847c05..855e424ab2 100644
--- a/services/mailer/mailer_test.go
+++ b/services/mailer/mailer_test.go
@@ -114,9 +114,9 @@ func extractMailHeaderAndContent(t *testing.T, mail string) (map[string]string,
 	}
 	content := strings.TrimSpace("boundary=" + parts[1])
 
-	hParts := strings.Split(parts[0], "\n")
+	hParts := strings.SplitSeq(parts[0], "\n")
 
-	for _, hPart := range hParts {
+	for hPart := range hParts {
 		parts := strings.SplitN(hPart, ":", 2)
 		hk := strings.TrimSpace(parts[0])
 		if hk != "" {
diff --git a/services/migrations/gitea_uploader_test.go b/services/migrations/gitea_uploader_test.go
index e33d597cdc..dc0210a8cc 100644
--- a/services/migrations/gitea_uploader_test.go
+++ b/services/migrations/gitea_uploader_test.go
@@ -361,7 +361,7 @@ func TestGiteaUploadUpdateGitForPullRequest(t *testing.T) {
 	require.NoError(t, git.InitRepository(git.DefaultContext, fromRepo.RepoPath(), false, fromRepo.ObjectFormatName))
 	err := git.NewCommand(git.DefaultContext, "symbolic-ref").AddDynamicArguments("HEAD", git.BranchPrefix+baseRef).Run(&git.RunOpts{Dir: fromRepo.RepoPath()})
 	require.NoError(t, err)
-	require.NoError(t, os.WriteFile(filepath.Join(fromRepo.RepoPath(), "README.md"), []byte(fmt.Sprintf("# Testing Repository\n\nOriginally created in: %s", fromRepo.RepoPath())), 0o644))
+	require.NoError(t, os.WriteFile(filepath.Join(fromRepo.RepoPath(), "README.md"), fmt.Appendf(nil, "# Testing Repository\n\nOriginally created in: %s", fromRepo.RepoPath()), 0o644))
 	require.NoError(t, git.AddChanges(fromRepo.RepoPath(), true))
 	signature := git.Signature{
 		Email: "test@example.com",
@@ -409,7 +409,7 @@ func TestGiteaUploadUpdateGitForPullRequest(t *testing.T) {
 	}))
 	_, _, err = git.NewCommand(git.DefaultContext, "checkout", "-b").AddDynamicArguments(forkHeadRef).RunStdString(&git.RunOpts{Dir: forkRepo.RepoPath()})
 	require.NoError(t, err)
-	require.NoError(t, os.WriteFile(filepath.Join(forkRepo.RepoPath(), "README.md"), []byte(fmt.Sprintf("# branch2 %s", forkRepo.RepoPath())), 0o644))
+	require.NoError(t, os.WriteFile(filepath.Join(forkRepo.RepoPath(), "README.md"), fmt.Appendf(nil, "# branch2 %s", forkRepo.RepoPath()), 0o644))
 	require.NoError(t, git.AddChanges(forkRepo.RepoPath(), true))
 	require.NoError(t, git.CommitChanges(forkRepo.RepoPath(), git.CommitChangesOptions{
 		Committer: &signature,
diff --git a/services/migrations/github.go b/services/migrations/github.go
index 7cfb626a15..540dfdd9d4 100644
--- a/services/migrations/github.go
+++ b/services/migrations/github.go
@@ -108,8 +108,8 @@ func NewGithubDownloaderV3(ctx context.Context, baseURL string, getPullRequests,
 	downloader.SetContext(ctx)
 
 	if token != "" {
-		tokens := strings.Split(token, ",")
-		for _, token := range tokens {
+		tokens := strings.SplitSeq(token, ",")
+		for token := range tokens {
 			token = strings.TrimSpace(token)
 			ts := oauth2.StaticTokenSource(
 				&oauth2.Token{AccessToken: token},
diff --git a/services/packages/alt/repository.go b/services/packages/alt/repository.go
index 9693f4322e..5eed86fb67 100644
--- a/services/packages/alt/repository.go
+++ b/services/packages/alt/repository.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"path"
+	"strings"
 	"time"
 
 	packages_model "forgejo.org/models/packages"
@@ -734,15 +735,15 @@ NotAutomatic: false
 		codename := time.Now().Unix()
 		date := time.Now().UTC().Format(time.RFC1123)
 
-		var md5Sum string
-		var blake2b string
+		var md5Sum strings.Builder
+		var blake2b strings.Builder
 
 		for _, pkglistByArch := range pkglist[architecture] {
-			md5Sum += fmt.Sprintf(" %s %d %s\n", pkglistByArch.MD5Checksum.Value, pkglistByArch.Size, "base/"+pkglistByArch.Type)
-			blake2b += fmt.Sprintf(" %s %d %s\n", pkglistByArch.Blake2bHash.Value, pkglistByArch.Size, "base/"+pkglistByArch.Type)
+			fmt.Fprintf(&md5Sum, " %s %d %s\n", pkglistByArch.MD5Checksum.Value, pkglistByArch.Size, "base/"+pkglistByArch.Type)
+			fmt.Fprintf(&blake2b, " %s %d %s\n", pkglistByArch.Blake2bHash.Value, pkglistByArch.Size, "base/"+pkglistByArch.Type)
 		}
-		md5Sum += fmt.Sprintf(" %s %d %s\n", fileInfo.MD5Checksum.Value, fileInfo.Size, "base/"+fileInfo.Type)
-		blake2b += fmt.Sprintf(" %s %d %s\n", fileInfo.Blake2bHash.Value, fileInfo.Size, "base/"+fileInfo.Type)
+		fmt.Fprintf(&md5Sum, " %s %d %s\n", fileInfo.MD5Checksum.Value, fileInfo.Size, "base/"+fileInfo.Type)
+		fmt.Fprintf(&blake2b, " %s %d %s\n", fileInfo.Blake2bHash.Value, fileInfo.Size, "base/"+fileInfo.Type)
 
 		data = fmt.Sprintf(`Origin: %s
 Label: %s
@@ -755,7 +756,7 @@ MD5Sum:
 %s
 
 `,
-			origin, label, codename, date, architecture, md5Sum, blake2b)
+			origin, label, codename, date, architecture, md5Sum.String(), blake2b.String())
 		_, err = addReleaseAsFileToRepo(ctx, pv, "release", data, group, architecture)
 		if err != nil {
 			return err
diff --git a/services/packages/arch/repository.go b/services/packages/arch/repository.go
index 2a865e6dbd..384895fd65 100644
--- a/services/packages/arch/repository.go
+++ b/services/packages/arch/repository.go
@@ -47,8 +47,8 @@ func BuildAllRepositoryFiles(ctx context.Context, ownerID int64) error {
 		return err
 	}
 	for _, pf := range pfs {
-		if strings.HasSuffix(pf.Name, ".db") {
-			arch := strings.TrimSuffix(pf.Name, ".db")
+		if before, ok := strings.CutSuffix(pf.Name, ".db"); ok {
+			arch := before
 			if err := BuildPacmanDB(ctx, ownerID, pf.CompositeKey, arch); err != nil {
 				return err
 			}
diff --git a/services/pull/merge.go b/services/pull/merge.go
index 1d5e82e969..aa9b25d738 100644
--- a/services/pull/merge.go
+++ b/services/pull/merge.go
@@ -7,6 +7,7 @@ package pull
 import (
 	"context"
 	"fmt"
+	"maps"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -139,9 +140,7 @@ func getMergeMessage(ctx context.Context, baseGitRepo *git.Repository, pr *issue
 				vars["HeadRepoOwnerName"] = pr.HeadRepo.OwnerName
 				vars["HeadRepoName"] = pr.HeadRepo.Name
 			}
-			for extraKey, extraValue := range extraVars {
-				vars[extraKey] = extraValue
-			}
+			maps.Copy(vars, extraVars)
 			refs, err := pr.ResolveCrossReferences(ctx)
 			if err == nil {
 				closeIssueIndexes := make([]string, 0, len(refs))
diff --git a/services/repository/adopt_test.go b/services/repository/adopt_test.go
index 79e4fc0023..b133deb7c1 100644
--- a/services/repository/adopt_test.go
+++ b/services/repository/adopt_test.go
@@ -28,7 +28,7 @@ func TestCheckUnadoptedRepositories_Add(t *testing.T) {
 	}
 
 	total := 30
-	for i := 0; i < total; i++ {
+	for range total {
 		unadopted.add("something")
 	}
 
diff --git a/services/repository/commitstatus/commitstatus.go b/services/repository/commitstatus/commitstatus.go
index 23b4a6a132..5a48aa64b4 100644
--- a/services/repository/commitstatus/commitstatus.go
+++ b/services/repository/commitstatus/commitstatus.go
@@ -23,7 +23,7 @@ import (
 )
 
 func getCacheKey(repoID int64, branchName string) string {
-	hashBytes := sha256.Sum256([]byte(fmt.Sprintf("%d:%s", repoID, branchName)))
+	hashBytes := sha256.Sum256(fmt.Appendf(nil, "%d:%s", repoID, branchName))
 	return fmt.Sprintf("commit_status:%x", hashBytes)
 }
 
diff --git a/services/repository/create.go b/services/repository/create.go
index 4491b12497..b7232b27cc 100644
--- a/services/repository/create.go
+++ b/services/repository/create.go
@@ -97,8 +97,8 @@ func prepareRepoCommit(ctx context.Context, repo *repo_model.Repository, tmpDir,
 	// .gitignore
 	if len(opts.Gitignores) > 0 {
 		var buf bytes.Buffer
-		names := strings.Split(opts.Gitignores, ",")
-		for _, name := range names {
+		names := strings.SplitSeq(opts.Gitignores, ",")
+		for name := range names {
 			data, err = options.Gitignore(name)
 			if err != nil {
 				return fmt.Errorf("GetRepoInitFile[%s]: %w", name, err)
diff --git a/services/repository/create_test.go b/services/repository/create_test.go
index 0a6c34b6fe..bd14a5e520 100644
--- a/services/repository/create_test.go
+++ b/services/repository/create_test.go
@@ -54,7 +54,7 @@ func TestIncludesAllRepositoriesTeams(t *testing.T) {
 
 	// Create repos.
 	repoIDs := make([]int64, 0)
-	for i := 0; i < 3; i++ {
+	for i := range 3 {
 		r, err := CreateRepositoryDirectly(db.DefaultContext, user, org.AsUser(), CreateRepoOptions{Name: fmt.Sprintf("repo-%d", i)})
 		require.NoError(t, err, "CreateRepository %d", i)
 		if r != nil {
diff --git a/services/repository/files/file.go b/services/repository/files/file.go
index 5b93258840..2e9ba628af 100644
--- a/services/repository/files/file.go
+++ b/services/repository/files/file.go
@@ -151,7 +151,7 @@ func CleanUploadFileName(name string) string {
 	// Rebase the filename
 	name = util.PathJoinRel(name)
 	// Git disallows any filenames to have a .git directory in them.
-	for _, part := range strings.Split(name, "/") {
+	for part := range strings.SplitSeq(name, "/") {
 		if strings.ToLower(part) == ".git" {
 			return ""
 		}
diff --git a/services/repository/files/temp_repo.go b/services/repository/files/temp_repo.go
index 3ce6a3413c..17a8467e01 100644
--- a/services/repository/files/temp_repo.go
+++ b/services/repository/files/temp_repo.go
@@ -128,7 +128,7 @@ func (t *TemporaryUploadRepository) LsFiles(filenames ...string) ([]string, erro
 	}
 
 	fileList := make([]string, 0, len(filenames))
-	for _, line := range bytes.Split(stdOut.Bytes(), []byte{'\000'}) {
+	for line := range bytes.SplitSeq(stdOut.Bytes(), []byte{'\000'}) {
 		fileList = append(fileList, string(line))
 	}
 
diff --git a/services/repository/files/tree.go b/services/repository/files/tree.go
index 5a369b27a5..3e99655261 100644
--- a/services/repository/files/tree.go
+++ b/services/repository/files/tree.go
@@ -69,11 +69,7 @@ func GetTreeBySHA(ctx context.Context, repo *repo_model.Repository, gitRepo *git
 	if len(entries) > perPage {
 		tree.Truncated = true
 	}
-	if rangeStart+perPage < len(entries) {
-		rangeEnd = rangeStart + perPage
-	} else {
-		rangeEnd = len(entries)
-	}
+	rangeEnd = min(rangeStart+perPage, len(entries))
 	tree.Entries = make([]api.GitEntry, rangeEnd-rangeStart)
 	for e := rangeStart; e < rangeEnd; e++ {
 		i := e - rangeStart
diff --git a/services/repository/files/update.go b/services/repository/files/update.go
index 9c2fde1c0e..e97c487846 100644
--- a/services/repository/files/update.go
+++ b/services/repository/files/update.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"path"
+	"slices"
 	"strings"
 	"time"
 
@@ -187,13 +188,7 @@ func ChangeRepoFiles(ctx context.Context, repo *repo_model.Repository, doer *use
 			}
 
 			// Find the file we want to delete in the index
-			inFilelist := false
-			for _, indexFile := range filesInIndex {
-				if indexFile == file.TreePath {
-					inFilelist = true
-					break
-				}
-			}
+			inFilelist := slices.Contains(filesInIndex, file.TreePath)
 			if !inFilelist {
 				return nil, models.ErrRepoFileDoesNotExist{
 					Path: file.TreePath,
@@ -390,11 +385,9 @@ func CreateOrUpdateFile(ctx context.Context, t *TemporaryUploadRepository, file
 	}
 	// If is a new file (not updating) then the given path shouldn't exist
 	if file.Operation == "create" {
-		for _, indexFile := range filesInIndex {
-			if indexFile == file.TreePath {
-				return models.ErrRepoFileAlreadyExists{
-					Path: file.TreePath,
-				}
+		if slices.Contains(filesInIndex, file.TreePath) {
+			return models.ErrRepoFileAlreadyExists{
+				Path: file.TreePath,
 			}
 		}
 	}
diff --git a/services/repository/gitgraph/graph_models.go b/services/repository/gitgraph/graph_models.go
index 2c4133e1f2..4b5f630679 100644
--- a/services/repository/gitgraph/graph_models.go
+++ b/services/repository/gitgraph/graph_models.go
@@ -304,8 +304,8 @@ func newRefsFromRefNames(refNames []byte) []git.Reference {
 			continue
 		}
 		refName := string(refNameBytes)
-		if strings.HasPrefix(refName, "tag: ") {
-			refName = strings.TrimPrefix(refName, "tag: ")
+		if after, ok := strings.CutPrefix(refName, "tag: "); ok {
+			refName = after
 		} else {
 			refName = strings.TrimPrefix(refName, "HEAD -> ")
 		}
diff --git a/services/repository/gitgraph/graph_test.go b/services/repository/gitgraph/graph_test.go
index 6dafaf03fd..776b8cacab 100644
--- a/services/repository/gitgraph/graph_test.go
+++ b/services/repository/gitgraph/graph_test.go
@@ -6,6 +6,7 @@ package gitgraph
 import (
 	"bytes"
 	"fmt"
+	"slices"
 	"strings"
 	"testing"
 
@@ -118,13 +119,7 @@ func TestReleaseUnusedColors(t *testing.T) {
 		if parser.firstAvailable == -1 {
 			// All in use
 			for _, color := range parser.availableColors {
-				found := false
-				for _, oldColor := range parser.oldColors {
-					if oldColor == color {
-						found = true
-						break
-					}
-				}
+				found := slices.Contains(parser.oldColors, color)
 				if !found {
 					t.Errorf("In testcase:\n%d\t%d\t%d %d =>\n%d\t%d\t%d %d: %d should be available but is not",
 						testcase.availableColors,
@@ -142,13 +137,7 @@ func TestReleaseUnusedColors(t *testing.T) {
 			// Some in use
 			for i := parser.firstInUse; i != parser.firstAvailable; i = (i + 1) % len(parser.availableColors) {
 				color := parser.availableColors[i]
-				found := false
-				for _, oldColor := range parser.oldColors {
-					if oldColor == color {
-						found = true
-						break
-					}
-				}
+				found := slices.Contains(parser.oldColors, color)
 				if !found {
 					t.Errorf("In testcase:\n%d\t%d\t%d %d =>\n%d\t%d\t%d %d: %d should be available but is not",
 						testcase.availableColors,
@@ -164,13 +153,7 @@ func TestReleaseUnusedColors(t *testing.T) {
 			}
 			for i := parser.firstAvailable; i != parser.firstInUse; i = (i + 1) % len(parser.availableColors) {
 				color := parser.availableColors[i]
-				found := false
-				for _, oldColor := range parser.oldColors {
-					if oldColor == color {
-						found = true
-						break
-					}
-				}
+				found := slices.Contains(parser.oldColors, color)
 				if found {
 					t.Errorf("In testcase:\n%d\t%d\t%d %d =>\n%d\t%d\t%d %d: %d should not be available but is",
 						testcase.availableColors,
@@ -258,8 +241,8 @@ func TestCommitStringParsing(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.testName, func(t *testing.T) {
 			testString := fmt.Sprintf("%s%s", dataFirstPart, test.commitMessage)
-			idx := strings.Index(testString, "DATA:")
-			commit, err := NewCommit(0, 0, []byte(testString[idx+5:]))
+			_, after, _ := strings.Cut(testString, "DATA:")
+			commit, err := NewCommit(0, 0, []byte(after))
 			if err != nil && test.shouldPass {
 				t.Errorf("Could not parse %s", testString)
 				return
diff --git a/services/repository/gitgraph/parser.go b/services/repository/gitgraph/parser.go
index fcbc666f7e..2331e02207 100644
--- a/services/repository/gitgraph/parser.go
+++ b/services/repository/gitgraph/parser.go
@@ -44,11 +44,11 @@ func (parser *Parser) Reset() {
 
 // AddLineToGraph adds the line as a row to the graph
 func (parser *Parser) AddLineToGraph(graph *Graph, row int, line []byte) error {
-	idx := bytes.Index(line, []byte("DATA:"))
-	if idx < 0 {
+	before, after, ok := bytes.Cut(line, []byte("DATA:"))
+	if !ok {
 		parser.ParseGlyphs(line)
 	} else {
-		parser.ParseGlyphs(line[:idx])
+		parser.ParseGlyphs(before)
 	}
 
 	var err error
@@ -72,7 +72,7 @@ func (parser *Parser) AddLineToGraph(graph *Graph, row int, line []byte) error {
 				}
 			}
 			commitDone = true
-			if idx < 0 {
+			if !ok {
 				if err != nil {
 					err = fmt.Errorf("missing data section on line %d with commit: %s. %w", row, string(line), err)
 				} else {
@@ -83,7 +83,7 @@ func (parser *Parser) AddLineToGraph(graph *Graph, row int, line []byte) error {
 			if column < len(parser.oldGlyphs) && parser.oldGlyphs[column] == '|' {
 				graph.continuationAbove[[2]int{row, column}] = true
 			}
-			err2 := graph.AddCommit(row, column, flowID, line[idx+5:])
+			err2 := graph.AddCommit(row, column, flowID, after)
 			if err != nil && err2 != nil {
 				err = fmt.Errorf("%v %w", err2, err)
 				continue
diff --git a/services/webhook/deliver_test.go b/services/webhook/deliver_test.go
index 13890621c6..303a3d9bb1 100644
--- a/services/webhook/deliver_test.go
+++ b/services/webhook/deliver_test.go
@@ -281,8 +281,6 @@ func TestWebhookDeliverSpecificTypes(t *testing.T) {
 	require.NoError(t, err)
 
 	for typ, hc := range cases {
-		typ := typ
-		hc := hc
 		t.Run(typ, func(t *testing.T) {
 			t.Parallel()
 			hook := &webhook_model.Webhook{
diff --git a/services/webhook/dingtalk.go b/services/webhook/dingtalk.go
index e7dece30d3..96d4c18c11 100644
--- a/services/webhook/dingtalk.go
+++ b/services/webhook/dingtalk.go
@@ -110,22 +110,22 @@ func (dc dingtalkConvertor) Push(p *api.PushPayload) (DingtalkPayload, error) {
 
 	title := fmt.Sprintf("[%s:%s] %s", p.Repo.FullName, branchName, commitDesc)
 
-	var text string
+	var text strings.Builder
 	// for each commit, generate attachment text
 	for i, commit := range p.Commits {
 		var authorName string
 		if commit.Author != nil {
 			authorName = " - " + commit.Author.Name
 		}
-		text += fmt.Sprintf("[%s](%s) %s", commit.ID[:7], commit.URL,
-			strings.TrimRight(commit.Message, "\r\n")) + authorName
+		text.WriteString(fmt.Sprintf("[%s](%s) %s", commit.ID[:7], commit.URL,
+			strings.TrimRight(commit.Message, "\r\n")) + authorName)
 		// add linebreak to each commit but the last
 		if i < len(p.Commits)-1 {
-			text += "\r\n"
+			text.WriteString("\r\n")
 		}
 	}
 
-	return createDingtalkPayload(title, text, linkText, titleLink), nil
+	return createDingtalkPayload(title, text.String(), linkText, titleLink), nil
 }
 
 // Issue implements PayloadConvertor Issue method
diff --git a/services/webhook/discord.go b/services/webhook/discord.go
index 2383a1402b..cb7584e157 100644
--- a/services/webhook/discord.go
+++ b/services/webhook/discord.go
@@ -210,7 +210,7 @@ func (d discordConvertor) Push(p *api.PushPayload) (DiscordPayload, error) {
 
 	title := fmt.Sprintf("[%s:%s] %s", p.Repo.FullName, branchName, commitDesc)
 
-	var text string
+	var text strings.Builder
 	// for each commit, generate attachment text
 	for i, commit := range p.Commits {
 		// limit the commit message display to just the summary, otherwise it would be hard to read
@@ -223,14 +223,14 @@ func (d discordConvertor) Push(p *api.PushPayload) (DiscordPayload, error) {
 		if utf8.RuneCountInString(message) > 50 {
 			message = fmt.Sprintf("%.47s...", message)
 		}
-		text += fmt.Sprintf("[`%s`](%s) %s \\- %s", commit.ID[:7], commit.URL, message, commit.Author.Name)
+		fmt.Fprintf(&text, "[`%s`](%s) %s \\- %s", commit.ID[:7], commit.URL, message, commit.Author.Name)
 		// add linebreak to each commit but the last
 		if i < len(p.Commits)-1 {
-			text += "\n"
+			text.WriteString("\n")
 		}
 	}
 
-	return d.createPayload(p.Sender, title, text, titleLink, greenColor), nil
+	return d.createPayload(p.Sender, title, text.String(), titleLink, greenColor), nil
 }
 
 // Issue implements PayloadConvertor Issue method
diff --git a/services/webhook/feishu.go b/services/webhook/feishu.go
index f6ffea9acc..ffbd4eb469 100644
--- a/services/webhook/feishu.go
+++ b/services/webhook/feishu.go
@@ -95,22 +95,23 @@ func (fc feishuConvertor) Push(p *api.PushPayload) (FeishuPayload, error) {
 		commitDesc string
 	)
 
-	text := fmt.Sprintf("[%s:%s] %s\r\n", p.Repo.FullName, branchName, commitDesc)
+	var text strings.Builder
+	fmt.Fprintf(&text, "[%s:%s] %s\r\n", p.Repo.FullName, branchName, commitDesc)
 	// for each commit, generate attachment text
 	for i, commit := range p.Commits {
 		var authorName string
 		if commit.Author != nil {
 			authorName = " - " + commit.Author.Name
 		}
-		text += fmt.Sprintf("[%s](%s) %s", commit.ID[:7], commit.URL,
-			strings.TrimRight(commit.Message, "\r\n")) + authorName
+		text.WriteString(fmt.Sprintf("[%s](%s) %s", commit.ID[:7], commit.URL,
+			strings.TrimRight(commit.Message, "\r\n")) + authorName)
 		// add linebreak to each commit but the last
 		if i < len(p.Commits)-1 {
-			text += "\r\n"
+			text.WriteString("\r\n")
 		}
 	}
 
-	return newFeishuTextPayload(text), nil
+	return newFeishuTextPayload(text.String()), nil
 }
 
 // Issue implements PayloadConvertor Issue method
diff --git a/services/webhook/matrix.go b/services/webhook/matrix.go
index d11933f16a..a4bd774f50 100644
--- a/services/webhook/matrix.go
+++ b/services/webhook/matrix.go
@@ -206,18 +206,19 @@ func (m matrixConvertor) Push(p *api.PushPayload) (MatrixPayload, error) {
 	}
 
 	refName := html.EscapeString(git.RefName(p.Ref).ShortName())
-	text := fmt.Sprintf("[%s] %s pushed %s to %s:<br>", p.Repo.FullName, p.Pusher.UserName, commitDesc, refName)
+	var text strings.Builder
+	fmt.Fprintf(&text, "[%s] %s pushed %s to %s:<br>", p.Repo.FullName, p.Pusher.UserName, commitDesc, refName)
 
 	// for each commit, generate a new line text
 	for i, commit := range p.Commits {
-		text += fmt.Sprintf("%s: %s - %s", htmlLinkFormatter(commit.URL, commit.ID[:7]), commit.Message, commit.Author.Name)
+		fmt.Fprintf(&text, "%s: %s - %s", htmlLinkFormatter(commit.URL, commit.ID[:7]), commit.Message, commit.Author.Name)
 		// add linebreak to each commit but the last
 		if i < len(p.Commits)-1 {
-			text += "<br>"
+			text.WriteString("<br>")
 		}
 	}
 
-	return m.newPayload(text, p.Commits...)
+	return m.newPayload(text.String(), p.Commits...)
 }
 
 // PullRequest implements payloadConvertor PullRequest method
diff --git a/services/webhook/msteams.go b/services/webhook/msteams.go
index 798d7fb5fc..43ab588230 100644
--- a/services/webhook/msteams.go
+++ b/services/webhook/msteams.go
@@ -154,14 +154,14 @@ func (m msteamsConvertor) Push(p *api.PushPayload) (MSTeamsPayload, error) {
 
 	title := fmt.Sprintf("[%s:%s] %s", p.Repo.FullName, branchName, commitDesc)
 
-	var text string
+	var text strings.Builder
 	// for each commit, generate attachment text
 	for i, commit := range p.Commits {
-		text += fmt.Sprintf("[%s](%s) %s - %s", commit.ID[:7], commit.URL,
+		fmt.Fprintf(&text, "[%s](%s) %s - %s", commit.ID[:7], commit.URL,
 			strings.TrimRight(commit.Message, "\r\n"), commit.Author.Name)
 		// add linebreak to each commit but the last
 		if i < len(p.Commits)-1 {
-			text += "\n\n"
+			text.WriteString("\n\n")
 		}
 	}
 
@@ -169,7 +169,7 @@ func (m msteamsConvertor) Push(p *api.PushPayload) (MSTeamsPayload, error) {
 		p.Repo,
 		p.Sender,
 		title,
-		text,
+		text.String(),
 		titleLink,
 		greenColor,
 		&MSTeamsFact{"Commit count:", fmt.Sprintf("%d", p.TotalCommits)},
diff --git a/services/webhook/slack.go b/services/webhook/slack.go
index 1804c866f4..fe1bfc8aa4 100644
--- a/services/webhook/slack.go
+++ b/services/webhook/slack.go
@@ -245,13 +245,13 @@ func (s slackConvertor) Push(p *api.PushPayload) (SlackPayload, error) {
 	branchLink := SlackLinkToRef(p.Repo.HTMLURL, p.Ref)
 	text := fmt.Sprintf("[%s:%s] %s pushed by %s", p.Repo.FullName, branchLink, commitString, SlackNameFormatter(p.Pusher.UserName))
 
-	var attachmentText string
+	var attachmentText strings.Builder
 	// for each commit, generate attachment text
 	for i, commit := range p.Commits {
-		attachmentText += fmt.Sprintf("%s: %s - %s", SlackLinkFormatter(commit.URL, commit.ID[:7]), SlackShortTextFormatter(commit.Message), SlackNameFormatter(commit.Author.Name))
+		fmt.Fprintf(&attachmentText, "%s: %s - %s", SlackLinkFormatter(commit.URL, commit.ID[:7]), SlackShortTextFormatter(commit.Message), SlackNameFormatter(commit.Author.Name))
 		// add linebreak to each commit but the last
 		if i < len(p.Commits)-1 {
-			attachmentText += "\n"
+			attachmentText.WriteString("\n")
 		}
 	}
 
@@ -259,7 +259,7 @@ func (s slackConvertor) Push(p *api.PushPayload) (SlackPayload, error) {
 		Color:     s.Color,
 		Title:     p.Repo.HTMLURL,
 		TitleLink: p.Repo.HTMLURL,
-		Text:      attachmentText,
+		Text:      attachmentText.String(),
 	}}), nil
 }
 
diff --git a/services/webhook/telegram.go b/services/webhook/telegram.go
index f8fdea7ae9..47a7514968 100644
--- a/services/webhook/telegram.go
+++ b/services/webhook/telegram.go
@@ -116,22 +116,22 @@ func (t telegramConvertor) Push(p *api.PushPayload) (TelegramPayload, error) {
 
 	title := fmt.Sprintf(`[%s:%s] %s`, p.Repo.FullName, branchName, commitDesc)
 
-	var text string
+	var text strings.Builder
 	// for each commit, generate attachment text
 	for i, commit := range p.Commits {
 		var authorName string
 		if commit.Author != nil {
 			authorName = " - " + commit.Author.Name
 		}
-		text += fmt.Sprintf(`[<a href="%s">%s</a>] %s`, commit.URL, commit.ID[:7],
-			strings.TrimRight(commit.Message, "\r\n")) + authorName
+		text.WriteString(fmt.Sprintf(`[<a href="%s">%s</a>] %s`, commit.URL, commit.ID[:7],
+			strings.TrimRight(commit.Message, "\r\n")) + authorName)
 		// add linebreak to each commit but the last
 		if i < len(p.Commits)-1 {
-			text += "\n"
+			text.WriteString("\n")
 		}
 	}
 
-	return createTelegramPayload(title + "\n" + text), nil
+	return createTelegramPayload(title + "\n" + text.String()), nil
 }
 
 // Issue implements PayloadConvertor Issue method
diff --git a/services/webhook/wechatwork.go b/services/webhook/wechatwork.go
index 01db3f0cd9..b22935be81 100644
--- a/services/webhook/wechatwork.go
+++ b/services/webhook/wechatwork.go
@@ -104,7 +104,7 @@ func (wc wechatworkConvertor) Push(p *api.PushPayload) (WechatworkPayload, error
 
 	title := fmt.Sprintf("# %s:%s <font color=\"warning\">  %s  </font>", p.Repo.FullName, branchName, commitDesc)
 
-	var text string
+	var text strings.Builder
 	// for each commit, generate attachment text
 	for i, commit := range p.Commits {
 		var authorName string
@@ -113,15 +113,15 @@ func (wc wechatworkConvertor) Push(p *api.PushPayload) (WechatworkPayload, error
 		}
 
 		message := strings.ReplaceAll(commit.Message, "\n\n", "\r\n")
-		text += fmt.Sprintf(" > [%s](%s) \r\n ><font color=\"info\">%s</font> \n ><font color=\"warning\">%s</font>", commit.ID[:7], commit.URL,
+		fmt.Fprintf(&text, " > [%s](%s) \r\n ><font color=\"info\">%s</font> \n ><font color=\"warning\">%s</font>", commit.ID[:7], commit.URL,
 			message, authorName)
 
 		// add linebreak to each commit but the last
 		if i < len(p.Commits)-1 {
-			text += "\n"
+			text.WriteString("\n")
 		}
 	}
-	return newWechatworkMarkdownPayload(title + "\r\n\r\n" + text), nil
+	return newWechatworkMarkdownPayload(title + "\r\n\r\n" + text.String()), nil
 }
 
 // Issue implements PayloadConvertor Issue method
diff --git a/services/wiki/wiki_path.go b/services/wiki/wiki_path.go
index ca312388af..a7963e9be4 100644
--- a/services/wiki/wiki_path.go
+++ b/services/wiki/wiki_path.go
@@ -129,8 +129,8 @@ func GitPathToWebPath(s string) (wp WebPath, err error) {
 func WebPathToUserTitle(s WebPath) (dir, display string) {
 	dir = path.Dir(string(s))
 	display = path.Base(string(s))
-	if strings.HasSuffix(display, ".md") {
-		display = strings.TrimSuffix(display, ".md")
+	if before, ok := strings.CutSuffix(display, ".md"); ok {
+		display = before
 		display, _ = url.PathUnescape(display)
 	}
 	display, _ = unescapeSegment(display)
diff --git a/services/wiki/wiki_test.go b/services/wiki/wiki_test.go
index 9471904e38..551c251d97 100644
--- a/services/wiki/wiki_test.go
+++ b/services/wiki/wiki_test.go
@@ -116,9 +116,9 @@ func TestGitPathToWebPath(t *testing.T) {
 func TestUserWebGitPathConsistency(t *testing.T) {
 	maxLen := 20
 	b := make([]byte, maxLen)
-	for i := 0; i < 1000; i++ {
+	for range 1000 {
 		l := rand.Intn(maxLen)
-		for j := 0; j < l; j++ {
+		for j := range l {
 			r := rand.Intn(0x80-0x20) + 0x20
 			b[j] = byte(r)
 		}
diff --git a/tests/integration/actions_trigger_test.go b/tests/integration/actions_trigger_test.go
index 925434204c..4de8d625ab 100644
--- a/tests/integration/actions_trigger_test.go
+++ b/tests/integration/actions_trigger_test.go
@@ -88,7 +88,7 @@ jobs:
 		labelStr := "/api/v1/repos/user2/repo-pull-request/labels"
 		labelsCount := 2
 		labels := make([]*api.Label, labelsCount)
-		for i := 0; i < labelsCount; i++ {
+		for i := range labelsCount {
 			color := "abcdef"
 			req := NewRequestWithJSON(t, "POST", labelStr, &api.CreateLabelOption{
 				Name:  fmt.Sprintf("label%d", i),
diff --git a/tests/integration/api_activitypub_person_inbox_follow_test.go b/tests/integration/api_activitypub_person_inbox_follow_test.go
index 7270d46a0c..5a0b452447 100644
--- a/tests/integration/api_activitypub_person_inbox_follow_test.go
+++ b/tests/integration/api_activitypub_person_inbox_follow_test.go
@@ -48,13 +48,13 @@ func TestActivityPubPersonInboxFollow(t *testing.T) {
 		ctx, _ := contexttest.MockAPIContext(t, localUser2Inbox)
 
 		// distant follows local
-		followActivity := []byte(fmt.Sprintf(
+		followActivity := fmt.Appendf(nil,
 			`{"type":"Follow",`+
 				`"actor":"%s",`+
 				`"object":"%s"}`,
 			distantUser15URL,
 			localUser2URL,
-		))
+		)
 		cf, err := activitypub.NewClientFactoryWithTimeout(60 * time.Second)
 		require.NoError(t, err)
 		c, err := cf.WithKeysDirect(ctx, mock.ApActor.PrivKey,
@@ -84,7 +84,7 @@ func TestActivityPubPersonInboxFollow(t *testing.T) {
 		assert.Contains(t, mock.LastPost, "\"type\":\"Accept\"")
 
 		// distant undoes follow
-		undoFollowActivity := []byte(fmt.Sprintf(
+		undoFollowActivity := fmt.Appendf(nil,
 			`{"type":"Undo",`+
 				`"actor":"%s",`+
 				`"object":{"type":"Follow",`+
@@ -93,7 +93,7 @@ func TestActivityPubPersonInboxFollow(t *testing.T) {
 			distantUser15URL,
 			distantUser15URL,
 			localUser2URL,
-		))
+		)
 		c, err = cf.WithKeysDirect(ctx, mock.ApActor.PrivKey,
 			mock.ApActor.KeyID(federatedSrv.URL))
 		require.NoError(t, err)
diff --git a/tests/integration/api_activitypub_person_inbox_useractivity_test.go b/tests/integration/api_activitypub_person_inbox_useractivity_test.go
index 4201fd94bf..55fd62a3fe 100644
--- a/tests/integration/api_activitypub_person_inbox_useractivity_test.go
+++ b/tests/integration/api_activitypub_person_inbox_useractivity_test.go
@@ -53,13 +53,13 @@ func TestActivityPubPersonInboxNoteToDistant(t *testing.T) {
 		defer f()
 
 		// follow (distant follows local)
-		followActivity := []byte(fmt.Sprintf(
+		followActivity := fmt.Appendf(nil,
 			`{"type":"Follow",`+
 				`"actor":"%s",`+
 				`"object":"%s"}`,
 			distantUser15URL,
 			localUser2URL,
-		))
+		)
 		ctx, _ := contexttest.MockAPIContext(t, localUser2Inbox)
 		cf, err := activitypub.NewClientFactoryWithTimeout(60 * time.Second)
 		require.NoError(t, err)
diff --git a/tests/integration/api_activitypub_repository_test.go b/tests/integration/api_activitypub_repository_test.go
index 29221bb682..3d17f9b281 100644
--- a/tests/integration/api_activitypub_repository_test.go
+++ b/tests/integration/api_activitypub_repository_test.go
@@ -89,13 +89,13 @@ func TestActivityPubRepositoryInboxValid(t *testing.T) {
 			mock.Persons[0].KeyID(federatedSrv.URL))
 		require.NoError(t, err)
 
-		activity1 := []byte(fmt.Sprintf(
+		activity1 := fmt.Appendf(nil,
 			`{"type":"Like",`+
 				`"startTime":"%s",`+
 				`"actor":"%s/api/v1/activitypub/user-id/15",`+
 				`"object":"%s"}`,
 			timeNow.Format(time.RFC3339),
-			federatedSrv.URL, u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%d", repositoryID)).String()))
+			federatedSrv.URL, u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%d", repositoryID)).String())
 		t.Logf("activity: %s", activity1)
 		resp, err := c.Post(activity1, localRepoInbox)
 
@@ -107,14 +107,14 @@ func TestActivityPubRepositoryInboxValid(t *testing.T) {
 		unittest.AssertExistsAndLoadBean(t, &user.User{ID: federatedUser.UserID})
 
 		// A like activity by a different user of the same federated host.
-		activity2 := []byte(fmt.Sprintf(
+		activity2 := fmt.Appendf(nil,
 			`{"type":"Like",`+
 				`"startTime":"%s",`+
 				`"actor":"%s/api/v1/activitypub/user-id/30",`+
 				`"object":"%s"}`,
 			// Make sure this activity happens later then the one before
 			timeNow.Add(time.Second).Format(time.RFC3339),
-			federatedSrv.URL, u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%d", repositoryID)).String()))
+			federatedSrv.URL, u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%d", repositoryID)).String())
 		t.Logf("activity: %s", activity2)
 		resp, err = c.Post(activity2, localRepoInbox)
 
@@ -127,14 +127,14 @@ func TestActivityPubRepositoryInboxValid(t *testing.T) {
 		// The same user sends another like activity
 		otherRepositoryID := 3
 		otherRepoInboxURL := u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%d/inbox", otherRepositoryID)).String()
-		activity3 := []byte(fmt.Sprintf(
+		activity3 := fmt.Appendf(nil,
 			`{"type":"Like",`+
 				`"startTime":"%s",`+
 				`"actor":"%s/api/v1/activitypub/user-id/30",`+
 				`"object":"%s"}`,
 			// Make sure this activity happens later then the ones before
 			timeNow.Add(time.Second*2).Format(time.RFC3339),
-			federatedSrv.URL, u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%d", otherRepositoryID)).String()))
+			federatedSrv.URL, u.JoinPath(fmt.Sprintf("/api/v1/activitypub/repository-id/%d", otherRepositoryID)).String())
 		t.Logf("activity: %s", activity3)
 		resp, err = c.Post(activity3, otherRepoInboxURL)
 
diff --git a/tests/integration/api_helper_for_declarative_test.go b/tests/integration/api_helper_for_declarative_test.go
index ada6a2c311..6f33322253 100644
--- a/tests/integration/api_helper_for_declarative_test.go
+++ b/tests/integration/api_helper_for_declarative_test.go
@@ -273,7 +273,7 @@ func doAPIMergePullRequestForm(t *testing.T, ctx APITestContext, owner, repo str
 	var req *RequestWrapper
 	var resp *httptest.ResponseRecorder
 
-	for i := 0; i < 6; i++ {
+	for range 6 {
 		req = NewRequestWithJSON(t, http.MethodPost, urlStr, merge).AddTokenAuth(ctx.Token)
 
 		resp = ctx.Session.MakeRequest(t, req, NoExpectedStatus)
diff --git a/tests/integration/api_issue_test.go b/tests/integration/api_issue_test.go
index 6267065602..7f601fa303 100644
--- a/tests/integration/api_issue_test.go
+++ b/tests/integration/api_issue_test.go
@@ -228,7 +228,7 @@ func TestAPICreateIssueParallel(t *testing.T) {
 	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all", owner.Name, repoBefore.Name)
 
 	var wg sync.WaitGroup
-	for i := 0; i < 100; i++ {
+	for i := range 100 {
 		wg.Add(1)
 		go func(parentT *testing.T, i int) {
 			parentT.Run(fmt.Sprintf("ParallelCreateIssue_%d", i), func(t *testing.T) {
@@ -499,10 +499,9 @@ func TestAPISearchIssues(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	// as this API was used in the frontend, it uses UI page size
-	expectedIssueCount := 20 // from the fixtures
-	if expectedIssueCount > setting.UI.IssuePagingNum {
-		expectedIssueCount = setting.UI.IssuePagingNum
-	}
+	expectedIssueCount := min(
+		// from the fixtures
+		20, setting.UI.IssuePagingNum)
 
 	link, _ := url.Parse("/api/v1/repos/issues/search")
 	token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadIssue)
@@ -603,10 +602,9 @@ func TestAPISearchIssuesWithLabels(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	// as this API was used in the frontend, it uses UI page size
-	expectedIssueCount := 20 // from the fixtures
-	if expectedIssueCount > setting.UI.IssuePagingNum {
-		expectedIssueCount = setting.UI.IssuePagingNum
-	}
+	expectedIssueCount := min(
+		// from the fixtures
+		20, setting.UI.IssuePagingNum)
 
 	link, _ := url.Parse("/api/v1/repos/issues/search")
 	token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadIssue)
diff --git a/tests/integration/api_packages_alt_test.go b/tests/integration/api_packages_alt_test.go
index a15accdbbd..fe299ac14f 100644
--- a/tests/integration/api_packages_alt_test.go
+++ b/tests/integration/api_packages_alt_test.go
@@ -181,9 +181,9 @@ enabled=1`,
 
 					var result ReleaseClassic
 
-					lines := strings.Split(resp, "\n")
+					lines := strings.SplitSeq(resp, "\n")
 
-					for _, line := range lines {
+					for line := range lines {
 						parts := strings.SplitN(line, ": ", 2)
 						if len(parts) < 2 {
 							continue
@@ -406,7 +406,7 @@ enabled=1`,
 
 							if typ == 6 || typ == 8 || typ == 9 {
 								elem := data[offset:]
-								for j := uint32(0); j < count; j++ {
+								for range count {
 									strEnd := bytes.IndexByte(elem, 0)
 									if strEnd == -1 {
 										require.NoError(t, err)
@@ -420,13 +420,13 @@ enabled=1`,
 										result.Release = string(elem[:strEnd])
 									case 1004:
 										var summaries []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											summaries = append(summaries, string(elem[:strEnd]))
 										}
 										result.Summary = summaries
 									case 1005:
 										var descriptions []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											descriptions = append(descriptions, string(elem[:strEnd]))
 										}
 										result.Description = descriptions
@@ -436,7 +436,7 @@ enabled=1`,
 										result.Packager = string(elem[:strEnd])
 									case 1016:
 										var groups []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											groups = append(groups, string(elem[:strEnd]))
 										}
 										result.Group = groups
@@ -448,49 +448,49 @@ enabled=1`,
 										result.SourceRpm = string(elem[:strEnd])
 									case 1047:
 										var provideNames []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											provideNames = append(provideNames, string(elem[:strEnd]))
 										}
 										result.ProvideNames = provideNames
 									case 1049:
 										var requireNames []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											requireNames = append(requireNames, string(elem[:strEnd]))
 										}
 										result.RequireNames = requireNames
 									case 1050:
 										var requireVersions []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											requireVersions = append(requireVersions, string(elem[:strEnd]))
 										}
 										result.RequireVersions = requireVersions
 									case 1081:
 										var changeLogNames []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											changeLogNames = append(changeLogNames, string(elem[:strEnd]))
 										}
 										result.ChangeLogNames = changeLogNames
 									case 1082:
 										var changeLogTexts []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											changeLogTexts = append(changeLogTexts, string(elem[:strEnd]))
 										}
 										result.ChangeLogTexts = changeLogTexts
 									case 1113:
 										var provideVersions []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											provideVersions = append(provideVersions, string(elem[:strEnd]))
 										}
 										result.ProvideVersions = provideVersions
 									case 1117:
 										var baseNames []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											baseNames = append(baseNames, string(elem[:strEnd]))
 										}
 										result.BaseNames = baseNames
 									case 1118:
 										var dirNames []string
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											dirNames = append(dirNames, string(elem[:strEnd]))
 										}
 										result.DirNames = dirNames
@@ -509,7 +509,7 @@ enabled=1`,
 								}
 							} else if typ == 4 {
 								elem := data[offset:]
-								for j := uint32(0); j < count; j++ {
+								for range count {
 									val := binary.BigEndian.Uint32(elem)
 									switch tag {
 									case 1006:
@@ -518,25 +518,25 @@ enabled=1`,
 										result.Size = int(val)
 									case 1048:
 										var requireFlags []int
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											requireFlags = append(requireFlags, int(val))
 										}
 										result.RequireFlags = requireFlags
 									case 1080:
 										var changeLogTimes []int
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											changeLogTimes = append(changeLogTimes, int(val))
 										}
 										result.ChangeLogTimes = changeLogTimes
 									case 1112:
 										var provideFlags []int
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											provideFlags = append(provideFlags, int(val))
 										}
 										result.ProvideFlags = provideFlags
 									case 1116:
 										var dirIndexes []int
-										for i := uint32(0); i < count; i++ {
+										for range count {
 											dirIndexes = append(dirIndexes, int(val))
 										}
 										result.DirIndexes = dirIndexes
diff --git a/tests/integration/api_packages_chef_test.go b/tests/integration/api_packages_chef_test.go
index 390ac50688..cadf46b03f 100644
--- a/tests/integration/api_packages_chef_test.go
+++ b/tests/integration/api_packages_chef_test.go
@@ -182,7 +182,7 @@ nwIDAQAB
 
 				var data []byte
 				if version == "1.3" {
-					data = []byte(fmt.Sprintf(
+					data = fmt.Appendf(nil,
 						"Method:%s\nPath:%s\nX-Ops-Content-Hash:%s\nX-Ops-Sign:version=%s\nX-Ops-Timestamp:%s\nX-Ops-UserId:%s\nX-Ops-Server-API-Version:%s",
 						req.Method,
 						path.Clean(req.URL.Path),
@@ -191,17 +191,17 @@ nwIDAQAB
 						req.Header.Get("X-Ops-Timestamp"),
 						username,
 						req.Header.Get("X-Ops-Server-Api-Version"),
-					))
+					)
 				} else {
 					sum := sha1.Sum([]byte(path.Clean(req.URL.Path)))
-					data = []byte(fmt.Sprintf(
+					data = fmt.Appendf(nil,
 						"Method:%s\nHashed Path:%s\nX-Ops-Content-Hash:%s\nX-Ops-Timestamp:%s\nX-Ops-UserId:%s",
 						req.Method,
 						base64.StdEncoding.EncodeToString(sum[:]),
 						req.Header.Get("X-Ops-Content-Hash"),
 						req.Header.Get("X-Ops-Timestamp"),
 						username,
-					))
+					)
 				}
 
 				for k := range req.Header {
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index 6775f3d228..13ce7dc136 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@@ -873,7 +873,7 @@ func TestPackageContainer(t *testing.T) {
 		url := fmt.Sprintf("%sv2/%s/parallel", setting.AppURL, user.Name)
 
 		var wg sync.WaitGroup
-		for i := 0; i < 10; i++ {
+		for i := range 10 {
 			wg.Add(1)
 
 			content := []byte{byte(i)}
diff --git a/tests/integration/api_packages_maven_test.go b/tests/integration/api_packages_maven_test.go
index 74e7883443..2fa43b6b61 100644
--- a/tests/integration/api_packages_maven_test.go
+++ b/tests/integration/api_packages_maven_test.go
@@ -291,7 +291,7 @@ func TestPackageMavenConcurrent(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		var wg sync.WaitGroup
-		for i := 0; i < 10; i++ {
+		for i := range 10 {
 			wg.Add(1)
 			go func(i int) {
 				putFile(t, fmt.Sprintf("/%s/%s.jar", packageVersion, strconv.Itoa(i)), "test", http.StatusCreated)
diff --git a/tests/integration/api_repo_topic_test.go b/tests/integration/api_repo_topic_test.go
index 69008bbf64..a43e49b0ff 100644
--- a/tests/integration/api_repo_topic_test.go
+++ b/tests/integration/api_repo_topic_test.go
@@ -31,7 +31,7 @@ func TestAPITopicSearchPaging(t *testing.T) {
 	token2 := getUserToken(t, user2.Name, auth_model.AccessTokenScopeWriteRepository)
 	repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
-	for i := 0; i < 20; i++ {
+	for i := range 20 {
 		req := NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/paging-topic-%d", user2.Name, repo2.Name, i).
 			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusNoContent)
diff --git a/tests/integration/cmd_forgejo_actions_test.go b/tests/integration/cmd_forgejo_actions_test.go
index 653ff65a9d..088cb5860b 100644
--- a/tests/integration/cmd_forgejo_actions_test.go
+++ b/tests/integration/cmd_forgejo_actions_test.go
@@ -183,7 +183,7 @@ func TestActions_CmdForgejo_Actions(t *testing.T) {
 				//
 				// Run twice to verify it is idempotent
 				//
-				for i := 0; i < 2; i++ {
+				for range 2 {
 					uuid, err := runMainApp("forgejo-cli", cmd...)
 					require.NoError(t, err)
 					if assert.Equal(t, testCase.uuid, uuid) {
diff --git a/tests/integration/git_helper_for_declarative_test.go b/tests/integration/git_helper_for_declarative_test.go
index 1d8f44c8dc..e1f08509df 100644
--- a/tests/integration/git_helper_for_declarative_test.go
+++ b/tests/integration/git_helper_for_declarative_test.go
@@ -143,7 +143,7 @@ func doGitInitTestRepository(dstPath string, objectFormat git.ObjectFormat) func
 		// forcibly set default branch to master
 		_, _, err := git.NewCommand(git.DefaultContext, "symbolic-ref", "HEAD", git.BranchPrefix+"master").RunStdString(&git.RunOpts{Dir: dstPath})
 		require.NoError(t, err)
-		require.NoError(t, os.WriteFile(filepath.Join(dstPath, "README.md"), []byte(fmt.Sprintf("# Testing Repository\n\nOriginally created in: %s", dstPath)), 0o644))
+		require.NoError(t, os.WriteFile(filepath.Join(dstPath, "README.md"), fmt.Appendf(nil, "# Testing Repository\n\nOriginally created in: %s", dstPath), 0o644))
 		require.NoError(t, git.AddChanges(dstPath, true))
 		signature := git.Signature{
 			Email: "test@example.com",
@@ -194,7 +194,7 @@ func doGitAddSomeCommits(dstPath, branch string) func(*testing.T) {
 	return func(t *testing.T) {
 		doGitCheckoutBranch(dstPath, branch)(t)
 
-		require.NoError(t, os.WriteFile(filepath.Join(dstPath, fmt.Sprintf("file-%s.txt", branch)), []byte(fmt.Sprintf("file %s", branch)), 0o644))
+		require.NoError(t, os.WriteFile(filepath.Join(dstPath, fmt.Sprintf("file-%s.txt", branch)), fmt.Appendf(nil, "file %s", branch), 0o644))
 		require.NoError(t, git.AddChanges(dstPath, true))
 		signature := git.Signature{
 			Email: "test@test.test",
diff --git a/tests/integration/git_push_test.go b/tests/integration/git_push_test.go
index bf8ad8ac12..c7c4f6750e 100644
--- a/tests/integration/git_push_test.go
+++ b/tests/integration/git_push_test.go
@@ -45,7 +45,7 @@ func testGitPush(t *testing.T, u *url.URL) {
 	forEachObjectFormat(t, func(t *testing.T, objectFormat git.ObjectFormat) {
 		t.Run("Push branches at once", func(t *testing.T) {
 			runTestGitPush(t, u, objectFormat, func(t *testing.T, gitPath string) (pushed, deleted []string) {
-				for i := 0; i < 10; i++ {
+				for i := range 10 {
 					branchName := fmt.Sprintf("branch-%d", i)
 					pushed = append(pushed, branchName)
 					doGitCreateBranch(gitPath, branchName)(t)
@@ -58,7 +58,7 @@ func testGitPush(t *testing.T, u *url.URL) {
 
 		t.Run("Push branches exists", func(t *testing.T) {
 			runTestGitPush(t, u, objectFormat, func(t *testing.T, gitPath string) (pushed, deleted []string) {
-				for i := 0; i < 10; i++ {
+				for i := range 10 {
 					branchName := fmt.Sprintf("branch-%d", i)
 					if i < 5 {
 						pushed = append(pushed, branchName)
@@ -72,7 +72,7 @@ func testGitPush(t *testing.T, u *url.URL) {
 
 				pushed = pushed[:0]
 				// do some changes for the first 5 branches created above
-				for i := 0; i < 5; i++ {
+				for i := range 5 {
 					branchName := fmt.Sprintf("branch-%d", i)
 					pushed = append(pushed, branchName)
 
@@ -93,7 +93,7 @@ func testGitPush(t *testing.T, u *url.URL) {
 
 		t.Run("Push branches one by one", func(t *testing.T) {
 			runTestGitPush(t, u, objectFormat, func(t *testing.T, gitPath string) (pushed, deleted []string) {
-				for i := 0; i < 10; i++ {
+				for i := range 10 {
 					branchName := fmt.Sprintf("branch-%d", i)
 					doGitCreateBranch(gitPath, branchName)(t)
 					doGitPushTestRepository(gitPath, "origin", branchName)(t)
@@ -108,14 +108,14 @@ func testGitPush(t *testing.T, u *url.URL) {
 				doGitPushTestRepository(gitPath, "origin", "master")(t) // make sure master is the default branch instead of a branch we are going to delete
 				pushed = append(pushed, "master")
 
-				for i := 0; i < 10; i++ {
+				for i := range 10 {
 					branchName := fmt.Sprintf("branch-%d", i)
 					pushed = append(pushed, branchName)
 					doGitCreateBranch(gitPath, branchName)(t)
 				}
 				doGitPushTestRepository(gitPath, "origin", "--all")(t)
 
-				for i := 0; i < 10; i++ {
+				for i := range 10 {
 					branchName := fmt.Sprintf("branch-%d", i)
 					doGitPushTestRepository(gitPath, "origin", "--delete", branchName)(t)
 					deleted = append(deleted, branchName)
diff --git a/tests/integration/git_test.go b/tests/integration/git_test.go
index f61338e4ee..a5a242b912 100644
--- a/tests/integration/git_test.go
+++ b/tests/integration/git_test.go
@@ -9,6 +9,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"io"
+	"maps"
 	"net/http"
 	"net/url"
 	"os"
@@ -487,9 +488,7 @@ func doProtectBranch(ctx APITestContext, branch string, addParameter ...paramete
 			"rule_name": branch,
 		}
 		if len(addParameter) > 0 {
-			for k, v := range addParameter[0] {
-				parameter[k] = v
-			}
+			maps.Copy(parameter, addParameter[0])
 		}
 
 		// Change branch to protected
@@ -1162,15 +1161,15 @@ func doLFSNoAccess(ctx APITestContext, publicKeyID int64, objectFormat git.Objec
 }
 
 func extractRemoteMessages(stderr string) string {
-	var remoteMsg string
+	var remoteMsg strings.Builder
 	for line := range strings.SplitSeq(stderr, "\n") {
 		msg, found := strings.CutPrefix(line, "remote: ")
 		if found {
-			remoteMsg += msg
-			remoteMsg += "\n"
+			remoteMsg.WriteString(msg)
+			remoteMsg.WriteString("\n")
 		}
 	}
-	return remoteMsg
+	return remoteMsg.String()
 }
 
 func doTestForkPushMessages(apictx APITestContext, dstPath string) func(*testing.T) {
diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
index 8657af839c..6cde9be4df 100644
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@@ -471,14 +471,14 @@ func loginUserMaybeTOTP(t testing.TB, user *user_model.User, useTOTP bool) *Test
 }
 
 // token has to be unique this counter take care of
-var tokenCounter int64
+var tokenCounter atomic.Int64
 
 // getTokenForLoggedInUser returns a token for a logged in user.
 // The scope is an optional list of snake_case strings like the frontend form fields,
 // but without the "scope_" prefix.
 func getTokenForLoggedInUser(t testing.TB, session *TestSession, scopes ...auth.AccessTokenScope) string {
 	t.Helper()
-	accessTokenName := fmt.Sprintf("api-testing-token-%d", atomic.AddInt64(&tokenCounter, 1))
+	accessTokenName := fmt.Sprintf("api-testing-token-%d", tokenCounter.Add(1))
 	createApplicationSettingsToken(t, session, accessTokenName, scopes...)
 	token := assertAccessToken(t, session)
 	return token
diff --git a/tests/integration/issue_comment_test.go b/tests/integration/issue_comment_test.go
index a6c4d6c923..2f72ab766e 100644
--- a/tests/integration/issue_comment_test.go
+++ b/tests/integration/issue_comment_test.go
@@ -5,6 +5,7 @@ package integration
 
 import (
 	"net/http"
+	"slices"
 	"strconv"
 	"strings"
 	"testing"
@@ -71,13 +72,7 @@ func testIssueCommentChangeEvent(t *testing.T, htmlDoc *HTMLDoc, commentID, badg
 
 	// Check links (href)
 	issueCommentLink := "#issuecomment-" + commentID
-	found := false
-	for _, link := range links {
-		if link == issueCommentLink {
-			found = true
-			break
-		}
-	}
+	found := slices.Contains(links, issueCommentLink)
 	if !found {
 		links = append(links, issueCommentLink)
 	}
diff --git a/tests/integration/issue_test.go b/tests/integration/issue_test.go
index 19fe59a10a..d764870bab 100644
--- a/tests/integration/issue_test.go
+++ b/tests/integration/issue_test.go
@@ -114,14 +114,11 @@ func TestViewIssuesSortByType(t *testing.T) {
 
 		htmlDoc := NewHTMLParser(t, resp.Body)
 		issuesSelection := getIssuesSelection(t, htmlDoc)
-		expectedNumIssues := unittest.GetCount(t,
+		expectedNumIssues := min(unittest.GetCount(t,
 			&issues_model.Issue{RepoID: repo.ID, PosterID: user.ID},
 			unittest.Cond("is_closed=?", false),
 			unittest.Cond("is_pull=?", false),
-		)
-		if expectedNumIssues > setting.UI.IssuePagingNum {
-			expectedNumIssues = setting.UI.IssuePagingNum
-		}
+		), setting.UI.IssuePagingNum)
 		assert.Equal(t, expectedNumIssues, issuesSelection.Length())
 
 		issuesSelection.Each(func(_ int, selection *goquery.Selection) {
@@ -891,10 +888,9 @@ func TestSearchIssues(t *testing.T) {
 
 	session := loginUser(t, "user2")
 
-	expectedIssueCount := 20 // from the fixtures
-	if expectedIssueCount > setting.UI.IssuePagingNum {
-		expectedIssueCount = setting.UI.IssuePagingNum
-	}
+	expectedIssueCount := min(
+		// from the fixtures
+		20, setting.UI.IssuePagingNum)
 
 	req := NewRequest(t, "GET", "/issues/search")
 	resp := session.MakeRequest(t, req, http.StatusOK)
@@ -1017,10 +1013,9 @@ func TestSearchIssues(t *testing.T) {
 func TestSearchIssuesWithLabels(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	expectedIssueCount := 20 // from the fixtures
-	if expectedIssueCount > setting.UI.IssuePagingNum {
-		expectedIssueCount = setting.UI.IssuePagingNum
-	}
+	expectedIssueCount := min(
+		// from the fixtures
+		20, setting.UI.IssuePagingNum)
 
 	session := loginUser(t, "user1")
 	link, _ := url.Parse("/issues/search")
diff --git a/tests/integration/org_test.go b/tests/integration/org_test.go
index 157ed5dbcd..ddfaf2fa55 100644
--- a/tests/integration/org_test.go
+++ b/tests/integration/org_test.go
@@ -46,7 +46,7 @@ func TestOrgRepos(t *testing.T) {
 
 				sel := htmlDoc.doc.Find("a.name")
 				assert.Len(t, repos, len(sel.Nodes))
-				for i := 0; i < len(repos); i++ {
+				for i := range repos {
 					assert.Equal(t, repos[i], strings.TrimSpace(sel.Eq(i).Text()))
 				}
 			}
diff --git a/tests/integration/project_test.go b/tests/integration/project_test.go
index 955caaf6f7..629793602b 100644
--- a/tests/integration/project_test.go
+++ b/tests/integration/project_test.go
@@ -45,7 +45,7 @@ func TestMoveRepoProjectColumns(t *testing.T) {
 	err := project_model.NewProject(db.DefaultContext, &project1)
 	require.NoError(t, err)
 
-	for i := 0; i < 3; i++ {
+	for i := range 3 {
 		err = project_model.NewColumn(db.DefaultContext, &project_model.Column{
 			Title:     fmt.Sprintf("column %d", i+1),
 			ProjectID: project1.ID,
diff --git a/tests/integration/pull_merge_test.go b/tests/integration/pull_merge_test.go
index a987603ce7..14399fc936 100644
--- a/tests/integration/pull_merge_test.go
+++ b/tests/integration/pull_merge_test.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
+	"maps"
 	"math/rand/v2"
 	"net/http"
 	"net/http/httptest"
@@ -71,9 +72,7 @@ func testPullMergeForm(t *testing.T, session *TestSession, expectedCode int, use
 	link := path.Join(user, repo, "pulls", pullnum, "merge")
 
 	options := map[string]string{}
-	for k, v := range addOptions {
-		options[k] = v
-	}
+	maps.Copy(options, addOptions)
 
 	req := NewRequestWithValues(t, "POST", link, options)
 	resp := session.MakeRequest(t, req, expectedCode)
diff --git a/tests/integration/quota_use_test.go b/tests/integration/quota_use_test.go
index 33d987af36..dd5afd1aed 100644
--- a/tests/integration/quota_use_test.go
+++ b/tests/integration/quota_use_test.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"maps"
 	"mime/multipart"
 	"net/http"
 	"net/http/httptest"
@@ -656,9 +657,7 @@ func (ctx *quotaWebEnvAsContext) With(opts Context) *quotaWebEnvAsContext {
 		ctx.Repo = opts.Repo
 	}
 	if opts.Payload != nil {
-		for key, value := range *opts.Payload {
-			ctx.Payload[key] = value
-		}
+		maps.Copy(ctx.Payload, *opts.Payload)
 	}
 	return ctx
 }
diff --git a/tests/integration/release_test.go b/tests/integration/release_test.go
index 483822e2ac..b54e921fa4 100644
--- a/tests/integration/release_test.go
+++ b/tests/integration/release_test.go
@@ -231,7 +231,7 @@ func TestCreateReleasePaging(t *testing.T) {
 
 	session := loginUser(t, "user2")
 	// Create enough releases to have paging
-	for i := 0; i < 12; i++ {
+	for i := range 12 {
 		version := fmt.Sprintf("v0.0.%d", i)
 		createNewRelease(t, session, "/user2/repo1", version, version, false, false)
 	}
diff --git a/tests/integration/repo_commits_test.go b/tests/integration/repo_commits_test.go
index 47cf7e8534..d2bb4e8849 100644
--- a/tests/integration/repo_commits_test.go
+++ b/tests/integration/repo_commits_test.go
@@ -146,7 +146,7 @@ func TestRepoCommitsStatusParallel(t *testing.T) {
 	assert.NotEmpty(t, commitURL)
 
 	var wg sync.WaitGroup
-	for i := 0; i < 10; i++ {
+	for i := range 10 {
 		wg.Add(1)
 		go func(parentT *testing.T, i int) {
 			parentT.Run(fmt.Sprintf("ParallelCreateStatus_%d", i), func(t *testing.T) {
diff --git a/tests/integration/repo_flags_test.go b/tests/integration/repo_flags_test.go
index bb489f678c..279feefe73 100644
--- a/tests/integration/repo_flags_test.go
+++ b/tests/integration/repo_flags_test.go
@@ -135,7 +135,7 @@ func TestRepositoryFlagsAPI(t *testing.T) {
 		assert.Empty(t, flags)
 
 		// Replacing all tags works, twice in a row
-		for i := 0; i < 2; i++ {
+		for range 2 {
 			req = NewRequestWithJSON(t, "PUT", fmt.Sprintf(baseURLFmtStr, ""), &api.ReplaceFlagsOption{
 				Flags: []string{"flag-1", "flag-2", "flag-3"},
 			}).AddTokenAuth(token)
@@ -160,7 +160,7 @@ func TestRepositoryFlagsAPI(t *testing.T) {
 		MakeRequest(t, req, http.StatusNotFound)
 
 		// We can add the same flag twice
-		for i := 0; i < 2; i++ {
+		for range 2 {
 			req = NewRequestf(t, "PUT", baseURLFmtStr, "/brand-new-flag").AddTokenAuth(token)
 			MakeRequest(t, req, http.StatusNoContent)
 		}
@@ -170,7 +170,7 @@ func TestRepositoryFlagsAPI(t *testing.T) {
 		MakeRequest(t, req, http.StatusNoContent)
 
 		// We can delete a flag, twice
-		for i := 0; i < 2; i++ {
+		for range 2 {
 			req = NewRequestf(t, "DELETE", baseURLFmtStr, "/flag-3").AddTokenAuth(token)
 			MakeRequest(t, req, http.StatusNoContent)
 		}
diff --git a/tests/integration/repo_topic_test.go b/tests/integration/repo_topic_test.go
index 0f11d451d6..7331f23218 100644
--- a/tests/integration/repo_topic_test.go
+++ b/tests/integration/repo_topic_test.go
@@ -62,7 +62,7 @@ func TestTopicSearchPaging(t *testing.T) {
 	token2 := getUserToken(t, user2.Name, auth_model.AccessTokenScopeWriteRepository)
 	repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
-	for i := 0; i < 20; i++ {
+	for i := range 20 {
 		req := NewRequestf(t, "PUT", "/api/v1/repos/%s/%s/topics/paging-topic-%d", user2.Name, repo2.Name, i).
 			AddTokenAuth(token2)
 		MakeRequest(t, req, http.StatusNoContent)
diff --git a/tests/integration/repo_webhook_test.go b/tests/integration/repo_webhook_test.go
index 5320c85de1..bbde44892e 100644
--- a/tests/integration/repo_webhook_test.go
+++ b/tests/integration/repo_webhook_test.go
@@ -4,6 +4,7 @@
 package integration
 
 import (
+	"maps"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -408,9 +409,7 @@ func testWebhookFormsShared(t *testing.T, endpoint, name string, session *TestSe
 				payload := map[string]string{
 					"events": "send_everything",
 				}
-				for k, v := range validFields {
-					payload[k] = v
-				}
+				maps.Copy(payload, validFields)
 				for k, v := range invalidPatch {
 					if v == "" {
 						delete(payload, k)
@@ -448,9 +447,7 @@ func assertHasFlashMessages(t *testing.T, resp *httptest.ResponseRecorder, expec
 		for key, value := range flash {
 			// the key is itself url-encoded
 			if flash, err := url.ParseQuery(key); err == nil {
-				for key, value := range flash {
-					seenKeys[key] = value
-				}
+				maps.Copy(seenKeys, flash)
 			} else {
 				seenKeys[key] = value
 			}
diff --git a/tests/integration/signing_git_test.go b/tests/integration/signing_git_test.go
index 5dee5b4801..2fbdb22b6f 100644
--- a/tests/integration/signing_git_test.go
+++ b/tests/integration/signing_git_test.go
@@ -433,7 +433,7 @@ func crudActionCreateFile(_ *testing.T, ctx APITestContext, user *user_model.Use
 				Email: user.Email,
 			},
 		},
-		ContentBase64: base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("This is new text for %s", path))),
+		ContentBase64: base64.StdEncoding.EncodeToString(fmt.Appendf(nil, "This is new text for %s", path)),
 	}, callback...)
 }
 
diff --git a/tests/integration/signup_test.go b/tests/integration/signup_test.go
index e66b193e15..eee022f7ab 100644
--- a/tests/integration/signup_test.go
+++ b/tests/integration/signup_test.go
@@ -185,10 +185,10 @@ func TestSignupImageCaptcha(t *testing.T) {
 	assert.True(t, ok)
 	assert.Len(t, digits, 6)
 
-	digitStr := ""
+	var digitStr strings.Builder
 	// Convert digits to ASCII digits.
 	for _, digit := range digits {
-		digitStr += string(digit + '0')
+		digitStr.WriteString(string(digit + '0'))
 	}
 
 	req = NewRequestWithValues(t, "POST", "/user/sign_up", map[string]string{
@@ -197,7 +197,7 @@ func TestSignupImageCaptcha(t *testing.T) {
 		"password":             "examplePassword!1",
 		"retype":               "examplePassword!1",
 		"img-captcha-id":       idCaptcha,
-		"img-captcha-response": digitStr,
+		"img-captcha-response": digitStr.String(),
 	})
 	MakeRequest(t, req, http.StatusSeeOther)
 
diff --git a/tests/integration/ssh_key_test.go b/tests/integration/ssh_key_test.go
index 156bcb137e..747b6c4eb0 100644
--- a/tests/integration/ssh_key_test.go
+++ b/tests/integration/ssh_key_test.go
@@ -28,7 +28,7 @@ func doCheckRepositoryEmptyStatus(ctx APITestContext, isEmpty bool) func(*testin
 
 func doAddChangesToCheckout(dstPath, filename string) func(*testing.T) {
 	return func(t *testing.T) {
-		require.NoError(t, os.WriteFile(filepath.Join(dstPath, filename), []byte(fmt.Sprintf("# Testing Repository\n\nOriginally created in: %s at time: %v", dstPath, time.Now())), 0o644))
+		require.NoError(t, os.WriteFile(filepath.Join(dstPath, filename), fmt.Appendf(nil, "# Testing Repository\n\nOriginally created in: %s at time: %v", dstPath, time.Now()), 0o644))
 		require.NoError(t, git.AddChanges(dstPath, true))
 		signature := git.Signature{
 			Email: "test@example.com",
diff --git a/tests/integration/user_test.go b/tests/integration/user_test.go
index f1acafbde8..0f7c099c70 100644
--- a/tests/integration/user_test.go
+++ b/tests/integration/user_test.go
@@ -1030,7 +1030,7 @@ func TestUserRepos(t *testing.T) {
 
 		sel := htmlDoc.doc.Find("a.name")
 		assert.Len(t, repos, len(sel.Nodes))
-		for i := 0; i < len(repos); i++ {
+		for i := range repos {
 			assert.Equal(t, repos[i], strings.TrimSpace(sel.Eq(i).Text()))
 		}
 	}
diff --git a/tests/test_utils.go b/tests/test_utils.go
index dff1c283d0..5e5b04c860 100644
--- a/tests/test_utils.go
+++ b/tests/test_utils.go
@@ -15,6 +15,7 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strings"
 	"sync/atomic"
 	"testing"
@@ -524,23 +525,20 @@ func CreateDeclarativeRepo(t *testing.T, owner *user_model.User, name string, en
 	if enabledUnits != nil {
 		opts.EnabledUnits = optional.Some(enabledUnits)
 
-		for _, unitType := range enabledUnits {
-			if unitType == unit_model.TypePullRequests {
-				opts.UnitConfig = optional.Some(map[unit_model.Type]convert.Conversion{
-					unit_model.TypePullRequests: &repo_model.PullRequestsConfig{
-						AllowMerge:           true,
-						AllowRebase:          true,
-						AllowRebaseMerge:     true,
-						AllowSquash:          true,
-						AllowFastForwardOnly: true,
-						AllowManualMerge:     true,
-						AllowRebaseUpdate:    true,
-						DefaultMergeStyle:    repo_model.MergeStyleMerge,
-						DefaultUpdateStyle:   repo_model.UpdateStyleMerge,
-					},
-				})
-				break
-			}
+		if slices.Contains(enabledUnits, unit_model.TypePullRequests) {
+			opts.UnitConfig = optional.Some(map[unit_model.Type]convert.Conversion{
+				unit_model.TypePullRequests: &repo_model.PullRequestsConfig{
+					AllowMerge:           true,
+					AllowRebase:          true,
+					AllowRebaseMerge:     true,
+					AllowSquash:          true,
+					AllowFastForwardOnly: true,
+					AllowManualMerge:     true,
+					AllowRebaseUpdate:    true,
+					DefaultMergeStyle:    repo_model.MergeStyleMerge,
+					DefaultUpdateStyle:   repo_model.UpdateStyleMerge,
+				},
+			})
 		}
 	}
 	if disabledUnits != nil {

From f37f7946709d723126dd6b2ad73f54ac4f1a55d9 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 2 Apr 2026 03:39:15 +0200
Subject: [PATCH 046/287] Update dependency swagger-ui-dist to v5.32.1
 (forgejo) (#11766)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11766
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e2d5d0e3bb..6a5b946d0f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -64,7 +64,7 @@
         "postcss-nesting": "14.0.0",
         "pretty-ms": "9.0.0",
         "sortablejs": "1.15.7",
-        "swagger-ui-dist": "5.31.2",
+        "swagger-ui-dist": "5.32.1",
         "tailwindcss": "3.4.19",
         "throttle-debounce": "5.0.0",
         "tinycolor2": "1.6.0",
@@ -14615,9 +14615,9 @@
       }
     },
     "node_modules/swagger-ui-dist": {
-      "version": "5.31.2",
-      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.31.2.tgz",
-      "integrity": "sha512-uIoesCjDcxnAKj/C/HG5pjHZMQs2K/qmqpUlwLxxaVryGKlgm8Ri+VOza5xywAqf//pgg/hW16RYa6dDuTCOSg==",
+      "version": "5.32.1",
+      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.32.1.tgz",
+      "integrity": "sha512-6HQoo7+j8PA2QqP5kgAb9dl1uxUjvR0SAoL/WUp1sTEvm0F6D5npgU2OGCLwl++bIInqGlEUQ2mpuZRZYtyCzQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@scarf/scarf": "=1.4.0"
diff --git a/package.json b/package.json
index 6cad44ea31..f2ac77f224 100644
--- a/package.json
+++ b/package.json
@@ -63,7 +63,7 @@
     "postcss-nesting": "14.0.0",
     "pretty-ms": "9.0.0",
     "sortablejs": "1.15.7",
-    "swagger-ui-dist": "5.31.2",
+    "swagger-ui-dist": "5.32.1",
     "tailwindcss": "3.4.19",
     "throttle-debounce": "5.0.0",
     "tinycolor2": "1.6.0",

From 8fb287f9d88634353baff89994d0ccd0f21abb0d Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 2 Apr 2026 03:39:28 +0200
Subject: [PATCH 047/287] Lock file maintenance (forgejo) (#11784)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11784
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json                  | 2373 ++++++++++++++++------------
 web_src/fomantic/package-lock.json |  265 ++--
 2 files changed, 1537 insertions(+), 1101 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 6a5b946d0f..6e4d59fdce 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -153,9 +153,9 @@
       }
     },
     "node_modules/@asyncapi/specs": {
-      "version": "6.10.0",
-      "resolved": "https://registry.npmjs.org/@asyncapi/specs/-/specs-6.10.0.tgz",
-      "integrity": "sha512-vB5oKLsdrLUORIZ5BXortZTlVyGWWMC1Nud/0LtgxQ3Yn2738HigAD6EVqScvpPsDUI/bcLVsYEXN4dtXQHVng==",
+      "version": "6.11.1",
+      "resolved": "https://registry.npmjs.org/@asyncapi/specs/-/specs-6.11.1.tgz",
+      "integrity": "sha512-A3WBLqAKGoJ2+6FWFtpjBlCQ1oFCcs4GxF7zsIGvNqp/klGUHjlA3aAcZ9XMMpLGE8zPeYDz2x9FmO6DSuKraQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -176,9 +176,9 @@
       }
     },
     "node_modules/@babel/code-frame": {
-      "version": "7.28.6",
-      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.28.6.tgz",
-      "integrity": "sha512-JYgintcMjRiCvS8mMECzaEn+m3PfoQiyqukOMCCVQtoJGYJw8j/8LBJEiqkHLkfwCcs74E3pbAUFNg7d9VNJ+Q==",
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
+      "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
       "license": "MIT",
       "dependencies": {
         "@babel/helper-validator-identifier": "^7.28.5",
@@ -229,9 +229,9 @@
       }
     },
     "node_modules/@babel/runtime": {
-      "version": "7.28.6",
-      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.28.6.tgz",
-      "integrity": "sha512-05WQkdpL9COIMz4LjTxGpPNCdlpyimKppYNoJ5Di5EUObifl8t4tuLuUBBZEpoLYOmfvIWrsp9fCl0HoPRVTdA==",
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.29.2.tgz",
+      "integrity": "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g==",
       "license": "MIT",
       "engines": {
         "node": ">=6.9.0"
@@ -261,22 +261,22 @@
       }
     },
     "node_modules/@braintree/sanitize-url": {
-      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/@braintree/sanitize-url/-/sanitize-url-7.1.1.tgz",
-      "integrity": "sha512-i1L7noDNxtFyL5DmZafWy1wRVhGehQmzZaz1HiN5e7iylJMSZR7ekOV7NsIqa5qBldlLrsKv4HbgFUVlQrz8Mw==",
+      "version": "7.1.2",
+      "resolved": "https://registry.npmjs.org/@braintree/sanitize-url/-/sanitize-url-7.1.2.tgz",
+      "integrity": "sha512-jigsZK+sMF/cuiB7sERuo9V7N9jx+dhmHHnQyDSVdpZwVutaBu7WvNYqMDLSgFgfB30n452TP3vjDAvFC973mA==",
       "license": "MIT"
     },
     "node_modules/@cacheable/memory": {
-      "version": "2.0.7",
-      "resolved": "https://registry.npmjs.org/@cacheable/memory/-/memory-2.0.7.tgz",
-      "integrity": "sha512-RbxnxAMf89Tp1dLhXMS7ceft/PGsDl1Ip7T20z5nZ+pwIAsQ1p2izPjVG69oCLv/jfQ7HDPHTWK0c9rcAWXN3A==",
+      "version": "2.0.8",
+      "resolved": "https://registry.npmjs.org/@cacheable/memory/-/memory-2.0.8.tgz",
+      "integrity": "sha512-FvEb29x5wVwu/Kf93IWwsOOEuhHh6dYCJF3vcKLzXc0KXIW181AOzv6ceT4ZpBHDvAfG60eqb+ekmrnLHIy+jw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@cacheable/utils": "^2.3.3",
-        "@keyv/bigmap": "^1.3.0",
-        "hookified": "^1.14.0",
-        "keyv": "^5.5.5"
+        "@cacheable/utils": "^2.4.0",
+        "@keyv/bigmap": "^1.3.1",
+        "hookified": "^1.15.1",
+        "keyv": "^5.6.0"
       }
     },
     "node_modules/@cacheable/memory/node_modules/@keyv/bigmap": {
@@ -307,14 +307,14 @@
       }
     },
     "node_modules/@cacheable/utils": {
-      "version": "2.3.3",
-      "resolved": "https://registry.npmjs.org/@cacheable/utils/-/utils-2.3.3.tgz",
-      "integrity": "sha512-JsXDL70gQ+1Vc2W/KUFfkAJzgb4puKwwKehNLuB+HrNKWf91O736kGfxn4KujXCCSuh6mRRL4XEB0PkAFjWS0A==",
+      "version": "2.4.1",
+      "resolved": "https://registry.npmjs.org/@cacheable/utils/-/utils-2.4.1.tgz",
+      "integrity": "sha512-eiFgzCbIneyMlLOmNG4g9xzF7Hv3Mga4LjxjcSC/ues6VYq2+gUbQI8JqNuw/ZM8tJIeIaBGpswAsqV2V7ApgA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "hashery": "^1.3.0",
-        "keyv": "^5.5.5"
+        "hashery": "^1.5.1",
+        "keyv": "^5.6.0"
       }
     },
     "node_modules/@cacheable/utils/node_modules/keyv": {
@@ -328,42 +328,42 @@
       }
     },
     "node_modules/@chevrotain/cst-dts-gen": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-11.1.1.tgz",
-      "integrity": "sha512-fRHyv6/f542qQqiRGalrfJl/evD39mAvbJLCekPazhiextEatq1Jx1K/i9gSd5NNO0ds03ek0Cbo/4uVKmOBcw==",
+      "version": "11.1.2",
+      "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-11.1.2.tgz",
+      "integrity": "sha512-XTsjvDVB5nDZBQB8o0o/0ozNelQtn2KrUVteIHSlPd2VAV2utEb6JzyCJaJ8tGxACR4RiBNWy5uYUHX2eji88Q==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@chevrotain/gast": "11.1.1",
-        "@chevrotain/types": "11.1.1",
+        "@chevrotain/gast": "11.1.2",
+        "@chevrotain/types": "11.1.2",
         "lodash-es": "4.17.23"
       }
     },
     "node_modules/@chevrotain/gast": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-11.1.1.tgz",
-      "integrity": "sha512-Ko/5vPEYy1vn5CbCjjvnSO4U7GgxyGm+dfUZZJIWTlQFkXkyym0jFYrWEU10hyCjrA7rQtiHtBr0EaZqvHFZvg==",
+      "version": "11.1.2",
+      "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-11.1.2.tgz",
+      "integrity": "sha512-Z9zfXR5jNZb1Hlsd/p+4XWeUFugrHirq36bKzPWDSIacV+GPSVXdk+ahVWZTwjhNwofAWg/sZg58fyucKSQx5g==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@chevrotain/types": "11.1.1",
+        "@chevrotain/types": "11.1.2",
         "lodash-es": "4.17.23"
       }
     },
     "node_modules/@chevrotain/regexp-to-ast": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-11.1.1.tgz",
-      "integrity": "sha512-ctRw1OKSXkOrR8VTvOxrQ5USEc4sNrfwXHa1NuTcR7wre4YbjPcKw+82C2uylg/TEwFRgwLmbhlln4qkmDyteg==",
+      "version": "11.1.2",
+      "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-11.1.2.tgz",
+      "integrity": "sha512-nMU3Uj8naWer7xpZTYJdxbAs6RIv/dxYzkYU8GSwgUtcAAlzjcPfX1w+RKRcYG8POlzMeayOQ/znfwxEGo5ulw==",
       "license": "Apache-2.0"
     },
     "node_modules/@chevrotain/types": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-11.1.1.tgz",
-      "integrity": "sha512-wb2ToxG8LkgPYnKe9FH8oGn3TMCBdnwiuNC5l5y+CtlaVRbCytU0kbVsk6CGrqTL4ZN4ksJa0TXOYbxpbthtqw==",
+      "version": "11.1.2",
+      "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-11.1.2.tgz",
+      "integrity": "sha512-U+HFai5+zmJCkK86QsaJtoITlboZHBqrVketcO2ROv865xfCMSFpELQoz1GkX5GzME8pTa+3kbKrZHQtI0gdbw==",
       "license": "Apache-2.0"
     },
     "node_modules/@chevrotain/utils": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-11.1.1.tgz",
-      "integrity": "sha512-71eTYMzYXYSFPrbg/ZwftSaSDld7UYlS8OQa3lNnn9jzNtpFbaReRRyghzqS7rI3CDaorqpPJJcXGHK+FE1TVQ==",
+      "version": "11.1.2",
+      "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-11.1.2.tgz",
+      "integrity": "sha512-4mudFAQ6H+MqBTfqLmU7G1ZwRzCLfJEooL/fsF6rCX5eePMbGhoy5n4g+G4vlh2muDcsCTJtL+uKbOzWxs5LHA==",
       "license": "Apache-2.0"
     },
     "node_modules/@citation-js/core": {
@@ -745,9 +745,9 @@
       }
     },
     "node_modules/@codemirror/lint": {
-      "version": "6.9.2",
-      "resolved": "https://registry.npmjs.org/@codemirror/lint/-/lint-6.9.2.tgz",
-      "integrity": "sha512-sv3DylBiIyi+xKwRCJAAsBZZZWo82shJ/RTMymLabAdtbkV5cSKwWDeCgtUq3v8flTaXS2y1kKkICuRYtUswyQ==",
+      "version": "6.9.5",
+      "resolved": "https://registry.npmjs.org/@codemirror/lint/-/lint-6.9.5.tgz",
+      "integrity": "sha512-GElsbU9G7QT9xXhpUg1zWGmftA/7jamh+7+ydKRuT0ORpWS3wOSP0yT1FOlIZa7mIJjpVPipErsyvVqB9cfTFA==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/state": "^6.0.0",
@@ -811,9 +811,9 @@
       }
     },
     "node_modules/@csstools/css-syntax-patches-for-csstree": {
-      "version": "1.0.26",
-      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.0.26.tgz",
-      "integrity": "sha512-6boXK0KkzT5u5xOgF6TKB+CLq9SOpEGmkZw0g5n9/7yg85wab3UzSxB8TxhLJ31L4SGJ6BCFRw/iftTha1CJXA==",
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.2.tgz",
+      "integrity": "sha512-5GkLzz4prTIpoyeUiIu3iV6CSG3Plo7xRVOFPKI7FVEJ3mZ0A8SwK0XU3Gl7xAkiQ+mDyam+NNp875/C5y+jSA==",
       "dev": true,
       "funding": [
         {
@@ -825,7 +825,15 @@
           "url": "https://opencollective.com/csstools"
         }
       ],
-      "license": "MIT-0"
+      "license": "MIT-0",
+      "peerDependencies": {
+        "css-tree": "^3.2.1"
+      },
+      "peerDependenciesMeta": {
+        "css-tree": {
+          "optional": true
+        }
+      }
     },
     "node_modules/@csstools/css-tokenizer": {
       "version": "3.0.4",
@@ -894,10 +902,9 @@
       }
     },
     "node_modules/@csstools/selector-specificity": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-5.0.0.tgz",
-      "integrity": "sha512-PCqQV3c4CoVm3kdPhyeZ07VmBRdH2EpMFA/pd9OASpOEC3aXNGoqPDAZ80D0cLpMBxnmk0+yNhGsEx31hq7Gtw==",
-      "dev": true,
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-6.0.0.tgz",
+      "integrity": "sha512-4sSgl78OtOXEX/2d++8A83zHNTgwCJMaR24FvsYL7Uf/VS8HZk9PTwR51elTbGqMuwH3szLvvOXEaVnqn0Z3zA==",
       "funding": [
         {
           "type": "github",
@@ -910,10 +917,10 @@
       ],
       "license": "MIT-0",
       "engines": {
-        "node": ">=18"
+        "node": ">=20.19.0"
       },
       "peerDependencies": {
-        "postcss-selector-parser": "^7.0.0"
+        "postcss-selector-parser": "^7.1.1"
       }
     },
     "node_modules/@discoveryjs/json-ext": {
@@ -937,21 +944,21 @@
       }
     },
     "node_modules/@emnapi/core": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.8.1.tgz",
-      "integrity": "sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-mukuNALVsoix/w1BJwFzwXBN/dHeejQtuVzcDsfOEsdpCumXb/E9j8w11h5S54tT1xhifGfbbSm/ICrObRb3KA==",
       "dev": true,
       "license": "MIT",
       "optional": true,
       "dependencies": {
-        "@emnapi/wasi-threads": "1.1.0",
+        "@emnapi/wasi-threads": "1.2.0",
         "tslib": "^2.4.0"
       }
     },
     "node_modules/@emnapi/runtime": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
-      "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.1.tgz",
+      "integrity": "sha512-VYi5+ZVLhpgK4hQ0TAjiQiZ6ol0oe4mBx7mVv7IflsiEp0OWoVsp/+f9Vc1hOhE0TtkORVrI1GvzyreqpgWtkA==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -960,9 +967,9 @@
       }
     },
     "node_modules/@emnapi/wasi-threads": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.1.0.tgz",
-      "integrity": "sha512-WI0DdZ8xFSbgMjR1sFsKABJ/C5OnRrjT06JXbZKexJGrDuPTzZdDYfFlsgcCXCyf+suG5QU2e/y1Wo2V/OapLQ==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.0.tgz",
+      "integrity": "sha512-N10dEJNSsUx41Z6pZsXU8FjPjpBEplgH24sfkmITrBED1/U2Esum9F3lfLrMjKHHjmi557zQn7kR9R+XWXu5Rg==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -971,9 +978,9 @@
       }
     },
     "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.2.tgz",
-      "integrity": "sha512-GZMB+a0mOMZs4MpDbj8RJp4cw+w1WV5NYD6xzgvzUJ5Ek2jerwfO2eADyI6ExDSUED+1X8aMbegahsJi+8mgpw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz",
+      "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==",
       "cpu": [
         "ppc64"
       ],
@@ -987,9 +994,9 @@
       }
     },
     "node_modules/@esbuild/android-arm": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.2.tgz",
-      "integrity": "sha512-DVNI8jlPa7Ujbr1yjU2PfUSRtAUZPG9I1RwW4F4xFB1Imiu2on0ADiI/c3td+KmDtVKNbi+nffGDQMfcIMkwIA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz",
+      "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==",
       "cpu": [
         "arm"
       ],
@@ -1003,9 +1010,9 @@
       }
     },
     "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.2.tgz",
-      "integrity": "sha512-pvz8ZZ7ot/RBphf8fv60ljmaoydPU12VuXHImtAs0XhLLw+EXBi2BLe3OYSBslR4rryHvweW5gmkKFwTiFy6KA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz",
+      "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==",
       "cpu": [
         "arm64"
       ],
@@ -1019,9 +1026,9 @@
       }
     },
     "node_modules/@esbuild/android-x64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.2.tgz",
-      "integrity": "sha512-z8Ank4Byh4TJJOh4wpz8g2vDy75zFL0TlZlkUkEwYXuPSgX8yzep596n6mT7905kA9uHZsf/o2OJZubl2l3M7A==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz",
+      "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==",
       "cpu": [
         "x64"
       ],
@@ -1035,9 +1042,9 @@
       }
     },
     "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.2.tgz",
-      "integrity": "sha512-davCD2Zc80nzDVRwXTcQP/28fiJbcOwvdolL0sOiOsbwBa72kegmVU0Wrh1MYrbuCL98Omp5dVhQFWRKR2ZAlg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz",
+      "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==",
       "cpu": [
         "arm64"
       ],
@@ -1051,9 +1058,9 @@
       }
     },
     "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.2.tgz",
-      "integrity": "sha512-ZxtijOmlQCBWGwbVmwOF/UCzuGIbUkqB1faQRf5akQmxRJ1ujusWsb3CVfk/9iZKr2L5SMU5wPBi1UWbvL+VQA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz",
+      "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==",
       "cpu": [
         "x64"
       ],
@@ -1067,9 +1074,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.2.tgz",
-      "integrity": "sha512-lS/9CN+rgqQ9czogxlMcBMGd+l8Q3Nj1MFQwBZJyoEKI50XGxwuzznYdwcav6lpOGv5BqaZXqvBSiB/kJ5op+g==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==",
       "cpu": [
         "arm64"
       ],
@@ -1083,9 +1090,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.2.tgz",
-      "integrity": "sha512-tAfqtNYb4YgPnJlEFu4c212HYjQWSO/w/h/lQaBK7RbwGIkBOuNKQI9tqWzx7Wtp7bTPaGC6MJvWI608P3wXYA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz",
+      "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==",
       "cpu": [
         "x64"
       ],
@@ -1099,9 +1106,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.2.tgz",
-      "integrity": "sha512-vWfq4GaIMP9AIe4yj1ZUW18RDhx6EPQKjwe7n8BbIecFtCQG4CfHGaHuh7fdfq+y3LIA2vGS/o9ZBGVxIDi9hw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz",
+      "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==",
       "cpu": [
         "arm"
       ],
@@ -1115,9 +1122,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.2.tgz",
-      "integrity": "sha512-hYxN8pr66NsCCiRFkHUAsxylNOcAQaxSSkHMMjcpx0si13t1LHFphxJZUiGwojB1a/Hd5OiPIqDdXONia6bhTw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz",
+      "integrity": "sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==",
       "cpu": [
         "arm64"
       ],
@@ -1131,9 +1138,9 @@
       }
     },
     "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.2.tgz",
-      "integrity": "sha512-MJt5BRRSScPDwG2hLelYhAAKh9imjHK5+NE/tvnRLbIqUWa+0E9N4WNMjmp/kXXPHZGqPLxggwVhz7QP8CTR8w==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz",
+      "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==",
       "cpu": [
         "ia32"
       ],
@@ -1147,9 +1154,9 @@
       }
     },
     "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.2.tgz",
-      "integrity": "sha512-lugyF1atnAT463aO6KPshVCJK5NgRnU4yb3FUumyVz+cGvZbontBgzeGFO1nF+dPueHD367a2ZXe1NtUkAjOtg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz",
+      "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==",
       "cpu": [
         "loong64"
       ],
@@ -1163,9 +1170,9 @@
       }
     },
     "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.2.tgz",
-      "integrity": "sha512-nlP2I6ArEBewvJ2gjrrkESEZkB5mIoaTswuqNFRv/WYd+ATtUpe9Y09RnJvgvdag7he0OWgEZWhviS1OTOKixw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz",
+      "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==",
       "cpu": [
         "mips64el"
       ],
@@ -1179,9 +1186,9 @@
       }
     },
     "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.2.tgz",
-      "integrity": "sha512-C92gnpey7tUQONqg1n6dKVbx3vphKtTHJaNG2Ok9lGwbZil6DrfyecMsp9CrmXGQJmZ7iiVXvvZH6Ml5hL6XdQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz",
+      "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==",
       "cpu": [
         "ppc64"
       ],
@@ -1195,9 +1202,9 @@
       }
     },
     "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.2.tgz",
-      "integrity": "sha512-B5BOmojNtUyN8AXlK0QJyvjEZkWwy/FKvakkTDCziX95AowLZKR6aCDhG7LeF7uMCXEJqwa8Bejz5LTPYm8AvA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz",
+      "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==",
       "cpu": [
         "riscv64"
       ],
@@ -1211,9 +1218,9 @@
       }
     },
     "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.2.tgz",
-      "integrity": "sha512-p4bm9+wsPwup5Z8f4EpfN63qNagQ47Ua2znaqGH6bqLlmJ4bx97Y9JdqxgGZ6Y8xVTixUnEkoKSHcpRlDnNr5w==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz",
+      "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==",
       "cpu": [
         "s390x"
       ],
@@ -1227,9 +1234,9 @@
       }
     },
     "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.2.tgz",
-      "integrity": "sha512-uwp2Tip5aPmH+NRUwTcfLb+W32WXjpFejTIOWZFw/v7/KnpCDKG66u4DLcurQpiYTiYwQ9B7KOeMJvLCu/OvbA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz",
+      "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==",
       "cpu": [
         "x64"
       ],
@@ -1243,9 +1250,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.2.tgz",
-      "integrity": "sha512-Kj6DiBlwXrPsCRDeRvGAUb/LNrBASrfqAIok+xB0LxK8CHqxZ037viF13ugfsIpePH93mX7xfJp97cyDuTZ3cw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==",
       "cpu": [
         "arm64"
       ],
@@ -1259,9 +1266,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.2.tgz",
-      "integrity": "sha512-HwGDZ0VLVBY3Y+Nw0JexZy9o/nUAWq9MlV7cahpaXKW6TOzfVno3y3/M8Ga8u8Yr7GldLOov27xiCnqRZf0tCA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==",
       "cpu": [
         "x64"
       ],
@@ -1275,9 +1282,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.2.tgz",
-      "integrity": "sha512-DNIHH2BPQ5551A7oSHD0CKbwIA/Ox7+78/AWkbS5QoRzaqlev2uFayfSxq68EkonB+IKjiuxBFoV8ESJy8bOHA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==",
       "cpu": [
         "arm64"
       ],
@@ -1291,9 +1298,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.2.tgz",
-      "integrity": "sha512-/it7w9Nb7+0KFIzjalNJVR5bOzA9Vay+yIPLVHfIQYG/j+j9VTH84aNB8ExGKPU4AzfaEvN9/V4HV+F+vo8OEg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==",
       "cpu": [
         "x64"
       ],
@@ -1307,9 +1314,9 @@
       }
     },
     "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.2.tgz",
-      "integrity": "sha512-LRBbCmiU51IXfeXk59csuX/aSaToeG7w48nMwA6049Y4J4+VbWALAuXcs+qcD04rHDuSCSRKdmY63sruDS5qag==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz",
+      "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==",
       "cpu": [
         "arm64"
       ],
@@ -1323,9 +1330,9 @@
       }
     },
     "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.2.tgz",
-      "integrity": "sha512-kMtx1yqJHTmqaqHPAzKCAkDaKsffmXkPHThSfRwZGyuqyIeBvf08KSsYXl+abf5HDAPMJIPnbBfXvP2ZC2TfHg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz",
+      "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==",
       "cpu": [
         "x64"
       ],
@@ -1339,9 +1346,9 @@
       }
     },
     "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.2.tgz",
-      "integrity": "sha512-Yaf78O/B3Kkh+nKABUF++bvJv5Ijoy9AN1ww904rOXZFLWVc5OLOfL56W+C8F9xn5JQZa3UX6m+IktJnIb1Jjg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz",
+      "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==",
       "cpu": [
         "arm64"
       ],
@@ -1355,9 +1362,9 @@
       }
     },
     "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.2.tgz",
-      "integrity": "sha512-Iuws0kxo4yusk7sw70Xa2E2imZU5HoixzxfGCdxwBdhiDgt9vX9VUCBhqcwY7/uh//78A1hMkkROMJq9l27oLQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz",
+      "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==",
       "cpu": [
         "ia32"
       ],
@@ -1371,9 +1378,9 @@
       }
     },
     "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.2.tgz",
-      "integrity": "sha512-sRdU18mcKf7F+YgheI/zGf5alZatMUTKj/jNS6l744f9u3WFu4v7twcUI9vu4mknF4Y9aDlblIie0IM+5xxaqQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz",
+      "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==",
       "cpu": [
         "x64"
       ],
@@ -1406,16 +1413,6 @@
         "eslint": "^6.0.0 || ^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0"
       }
     },
-    "node_modules/@eslint-community/eslint-plugin-eslint-comments/node_modules/ignore": {
-      "version": "7.0.5",
-      "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
-      "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">= 4"
-      }
-    },
     "node_modules/@eslint-community/eslint-utils": {
       "version": "4.9.1",
       "resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.9.1.tgz",
@@ -1473,6 +1470,24 @@
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
       }
     },
+    "node_modules/@eslint/config-array/node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@eslint/config-array/node_modules/brace-expansion": {
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
     "node_modules/@eslint/config-array/node_modules/minimatch": {
       "version": "3.1.5",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
@@ -1553,6 +1568,24 @@
         "url": "https://github.com/sponsors/epoberezkin"
       }
     },
+    "node_modules/@eslint/eslintrc/node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@eslint/eslintrc/node_modules/brace-expansion": {
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
     "node_modules/@eslint/eslintrc/node_modules/globals": {
       "version": "14.0.0",
       "resolved": "https://registry.npmjs.org/globals/-/globals-14.0.0.tgz",
@@ -1566,6 +1599,16 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/@eslint/eslintrc/node_modules/ignore": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz",
+      "integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 4"
+      }
+    },
     "node_modules/@eslint/eslintrc/node_modules/json-schema-traverse": {
       "version": "0.4.1",
       "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
@@ -1737,9 +1780,9 @@
       }
     },
     "node_modules/@img/colour": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@img/colour/-/colour-1.0.0.tgz",
-      "integrity": "sha512-A5P/LfWGFSl6nsckYtjw9da+19jB8hkJ6ACTGcDfEJ0aE+l2n2El7dsVM7UVHZQ9s2lmYMWlrS21YLy2IR1LUw==",
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@img/colour/-/colour-1.1.0.tgz",
+      "integrity": "sha512-Td76q7j57o/tLVdgS746cYARfSyxk8iEfRxewL9h4OMzYhbW4TAcppl0mT4eyqXddh6L/jwoM75mo7ixa/pCeQ==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -1834,6 +1877,9 @@
         "arm"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -1851,6 +1897,9 @@
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -1868,6 +1917,9 @@
         "ppc64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -1885,6 +1937,9 @@
         "riscv64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -1902,6 +1957,9 @@
         "s390x"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -1919,6 +1977,9 @@
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -1936,6 +1997,9 @@
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -1953,6 +2017,9 @@
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -1970,6 +2037,9 @@
         "arm"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -1993,6 +2063,9 @@
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2016,6 +2089,9 @@
         "ppc64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2039,6 +2115,9 @@
         "riscv64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2062,6 +2141,9 @@
         "s390x"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2085,6 +2167,9 @@
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2108,6 +2193,9 @@
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2131,6 +2219,9 @@
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2319,13 +2410,13 @@
       }
     },
     "node_modules/@isaacs/cliui/node_modules/strip-ansi": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz",
-      "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==",
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "ansi-regex": "^6.0.1"
+        "ansi-regex": "^6.2.2"
       },
       "engines": {
         "node": ">=12"
@@ -2450,9 +2541,9 @@
       "license": "MIT"
     },
     "node_modules/@lezer/common": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/@lezer/common/-/common-1.5.0.tgz",
-      "integrity": "sha512-PNGcolp9hr4PJdXR4ix7XtixDrClScvtSCYW3rQG106oVMOOI+jFb+0+J3mbeL/53g1Zd6s0kJzaw6Ri68GmAA==",
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/@lezer/common/-/common-1.5.1.tgz",
+      "integrity": "sha512-6YRVG9vBkaY7p1IVxL4s44n5nUnaNnGM2/AckNgYOnxTG2kWh1vR8BMxPseWPjRNpb5VtXnMpeYAEAADoRV1Iw==",
       "license": "MIT"
     },
     "node_modules/@lezer/cpp": {
@@ -2467,9 +2558,9 @@
       }
     },
     "node_modules/@lezer/css": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/@lezer/css/-/css-1.3.0.tgz",
-      "integrity": "sha512-pBL7hup88KbI7hXnZV3PQsn43DHy6TWyzuyk2AO9UyoXcDltvIdqWKE1dLL/45JVZ+YZkHe1WVHqO6wugZZWcw==",
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/@lezer/css/-/css-1.3.3.tgz",
+      "integrity": "sha512-RzBo8r+/6QJeow7aPHIpGVIH59xTcJXp399820gZoMo9noQDRVpJLheIBUicYwKcsbOYoBRoLZlf2720dG/4Tg==",
       "license": "MIT",
       "dependencies": {
         "@lezer/common": "^1.2.0",
@@ -2616,9 +2707,9 @@
       }
     },
     "node_modules/@lezer/yaml": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/@lezer/yaml/-/yaml-1.0.3.tgz",
-      "integrity": "sha512-GuBLekbw9jDBDhGur82nuwkxKQ+a3W5H0GfaAthDXcAu+XdpS43VlnxA9E9hllkpSP5ellRDKjLLj7Lu9Wr6xA==",
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@lezer/yaml/-/yaml-1.0.4.tgz",
+      "integrity": "sha512-2lrrHqxalACEbxIbsjhqGpSW8kWpUKuY6RHgnSAFZa6qK62wvnPxA8hGOwOoDbwHcOFs5M4o27mjGu+P7TvBmw==",
       "license": "MIT",
       "dependencies": {
         "@lezer/common": "^1.2.0",
@@ -2699,9 +2790,9 @@
       }
     },
     "node_modules/@mermaid-js/parser": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.0.1.tgz",
-      "integrity": "sha512-opmV19kN1JsK0T6HhhokHpcVkqKpF+x2pPDKKM2ThHtZAB5F4PROopk0amuVYK5qMrIA4erzpNm8gmPNJgMDxQ==",
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.0.tgz",
+      "integrity": "sha512-gxK9ZX2+Fex5zu8LhRQoMeMPEHbc73UKZ0FQ54YrQtUxE1VVhMwzeNtKRPAu5aXks4FasbMe4xB4bWrmq6Jlxw==",
       "license": "MIT",
       "dependencies": {
         "langium": "^4.0.0"
@@ -2787,6 +2878,16 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@oxc-project/types": {
+      "version": "0.122.0",
+      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.122.0.tgz",
+      "integrity": "sha512-oLAl5kBpV4w69UtFZ9xqcmTi+GENWOcPF7FCrczTiBbmC0ibXxCwyvZGbO39rCVEuLGAZM84DH0pUIyyv/YJzA==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/Boshen"
+      }
+    },
     "node_modules/@package-json/types": {
       "version": "0.0.12",
       "resolved": "https://registry.npmjs.org/@package-json/types/-/types-0.0.12.tgz",
@@ -2840,6 +2941,298 @@
         "object-assign": "^4.1.1"
       }
     },
+    "node_modules/@rolldown/binding-android-arm64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-pv1y2Fv0JybcykuiiD3qBOBdz6RteYojRFY1d+b95WVuzx211CRh+ytI/+9iVyWQ6koTh5dawe4S/yRfOFjgaA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-darwin-arm64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-cFYr6zTG/3PXXF3pUO+umXxt1wkRK/0AYT8lDwuqvRC+LuKYWSAQAQZjCWDQpAH172ZV6ieYrNnFzVVcnSflAg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-darwin-x64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-ZCsYknnHzeXYps0lGBz8JrF37GpE9bFVefrlmDrAQhOEi4IOIlcoU1+FwHEtyXGx2VkYAvhu7dyBf75EJQffBw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-freebsd-x64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-dMLeprcVsyJsKolRXyoTH3NL6qtsT0Y2xeuEA8WQJquWFXkEC4bcu1rLZZSnZRMtAqwtrF/Ib9Ddtpa/Gkge9Q==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-arm-gnueabihf": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.12.tgz",
+      "integrity": "sha512-YqWjAgGC/9M1lz3GR1r1rP79nMgo3mQiiA+Hfo+pvKFK1fAJ1bCi0ZQVh8noOqNacuY1qIcfyVfP6HoyBRZ85Q==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-arm64-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-/I5AS4cIroLpslsmzXfwbe5OmWvSsrFuEw3mwvbQ1kDxJ822hFHIx+vsN/TAzNVyepI/j/GSzrtCIwQPeKCLIg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-arm64-musl": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.12.tgz",
+      "integrity": "sha512-V6/wZztnBqlx5hJQqNWwFdxIKN0m38p8Jas+VoSfgH54HSj9tKTt1dZvG6JRHcjh6D7TvrJPWFGaY9UBVOaWPw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-ppc64-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-AP3E9BpcUYliZCxa3w5Kwj9OtEVDYK6sVoUzy4vTOJsjPOgdaJZKFmN4oOlX0Wp0RPV2ETfmIra9x1xuayFB7g==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-s390x-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-nWwpvUSPkoFmZo0kQazZYOrT7J5DGOJ/+QHHzjvNlooDZED8oH82Yg67HvehPPLAg5fUff7TfWFHQS8IV1n3og==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-x64-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-RNrafz5bcwRy+O9e6P8Z/OCAJW/A+qtBczIqVYwTs14pf4iV1/+eKEjdOUta93q2TsT/FI0XYDP3TCky38LMAg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-x64-musl": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.12.tgz",
+      "integrity": "sha512-Jpw/0iwoKWx3LJ2rc1yjFrj+T7iHZn2JDg1Yny1ma0luviFS4mhAIcd1LFNxK3EYu3DHWCps0ydXQ5i/rrJ2ig==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-openharmony-arm64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-vRugONE4yMfVn0+7lUKdKvN4D5YusEiPilaoO2sgUWpCvrncvWgPMzK00ZFFJuiPgLwgFNP5eSiUlv2tfc+lpA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-wasm32-wasi": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.12.tgz",
+      "integrity": "sha512-ykGiLr/6kkiHc0XnBfmFJuCjr5ZYKKofkx+chJWDjitX+KsJuAmrzWhwyOMSHzPhzOHOy7u9HlFoa5MoAOJ/Zg==",
+      "cpu": [
+        "wasm32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@napi-rs/wasm-runtime": "^1.1.1"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@rolldown/binding-wasm32-wasi/node_modules/@napi-rs/wasm-runtime": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.2.tgz",
+      "integrity": "sha512-sNXv5oLJ7ob93xkZ1XnxisYhGYXfaG9f65/ZgYuAu3qt7b3NadcOEhLvx28hv31PgX8SZJRYrAIPQilQmFpLVw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@tybys/wasm-util": "^0.10.1"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/Brooooooklyn"
+      },
+      "peerDependencies": {
+        "@emnapi/core": "^1.7.1",
+        "@emnapi/runtime": "^1.7.1"
+      }
+    },
+    "node_modules/@rolldown/binding-win32-arm64-msvc": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.12.tgz",
+      "integrity": "sha512-5eOND4duWkwx1AzCxadcOrNeighiLwMInEADT0YM7xeEOOFcovWZCq8dadXgcRHSf3Ulh1kFo/qvzoFiCLOL1Q==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-win32-x64-msvc": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.12.tgz",
+      "integrity": "sha512-PyqoipaswDLAZtot351MLhrlrh6lcZPo2LSYE+VDxbVk24LVKAGOuE4hb8xZQmrPAuEtTZW8E6D2zc5EUZX4Lw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
     "node_modules/@rolldown/pluginutils": {
       "version": "1.0.0-rc.2",
       "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.2.tgz",
@@ -2894,356 +3287,6 @@
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.56.0.tgz",
-      "integrity": "sha512-LNKIPA5k8PF1+jAFomGe3qN3bbIgJe/IlpDBwuVjrDKrJhVWywgnJvflMt/zkbVNLFtF1+94SljYQS6e99klnw==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ]
-    },
-    "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.56.0.tgz",
-      "integrity": "sha512-lfbVUbelYqXlYiU/HApNMJzT1E87UPGvzveGg2h0ktUNlOCxKlWuJ9jtfvs1sKHdwU4fzY7Pl8sAl49/XaEk6Q==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ]
-    },
-    "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.56.0.tgz",
-      "integrity": "sha512-EgxD1ocWfhoD6xSOeEEwyE7tDvwTgZc8Bss7wCWe+uc7wO8G34HHCUH+Q6cHqJubxIAnQzAsyUsClt0yFLu06w==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ]
-    },
-    "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.56.0.tgz",
-      "integrity": "sha512-1vXe1vcMOssb/hOF8iv52A7feWW2xnu+c8BV4t1F//m9QVLTfNVpEdja5ia762j/UEJe2Z1jAmEqZAK42tVW3g==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ]
-    },
-    "node_modules/@rollup/rollup-freebsd-arm64": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.56.0.tgz",
-      "integrity": "sha512-bof7fbIlvqsyv/DtaXSck4VYQ9lPtoWNFCB/JY4snlFuJREXfZnm+Ej6yaCHfQvofJDXLDMTVxWscVSuQvVWUQ==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ]
-    },
-    "node_modules/@rollup/rollup-freebsd-x64": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.56.0.tgz",
-      "integrity": "sha512-KNa6lYHloW+7lTEkYGa37fpvPq+NKG/EHKM8+G/g9WDU7ls4sMqbVRV78J6LdNuVaeeK5WB9/9VAFbKxcbXKYg==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.56.0.tgz",
-      "integrity": "sha512-E8jKK87uOvLrrLN28jnAAAChNq5LeCd2mGgZF+fGF5D507WlG/Noct3lP/QzQ6MrqJ5BCKNwI9ipADB6jyiq2A==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.56.0.tgz",
-      "integrity": "sha512-jQosa5FMYF5Z6prEpTCCmzCXz6eKr/tCBssSmQGEeozA9tkRUty/5Vx06ibaOP9RCrW1Pvb8yp3gvZhHwTDsJw==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.56.0.tgz",
-      "integrity": "sha512-uQVoKkrC1KGEV6udrdVahASIsaF8h7iLG0U0W+Xn14ucFwi6uS539PsAr24IEF9/FoDtzMeeJXJIBo5RkbNWvQ==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.56.0.tgz",
-      "integrity": "sha512-vLZ1yJKLxhQLFKTs42RwTwa6zkGln+bnXc8ueFGMYmBTLfNu58sl5/eXyxRa2RarTkJbXl8TKPgfS6V5ijNqEA==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-loong64-gnu": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.56.0.tgz",
-      "integrity": "sha512-FWfHOCub564kSE3xJQLLIC/hbKqHSVxy8vY75/YHHzWvbJL7aYJkdgwD/xGfUlL5UV2SB7otapLrcCj2xnF1dg==",
-      "cpu": [
-        "loong64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-loong64-musl": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.56.0.tgz",
-      "integrity": "sha512-z1EkujxIh7nbrKL1lmIpqFTc/sr0u8Uk0zK/qIEFldbt6EDKWFk/pxFq3gYj4Bjn3aa9eEhYRlL3H8ZbPT1xvA==",
-      "cpu": [
-        "loong64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-ppc64-gnu": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.56.0.tgz",
-      "integrity": "sha512-iNFTluqgdoQC7AIE8Q34R3AuPrJGJirj5wMUErxj22deOcY7XwZRaqYmB6ZKFHoVGqRcRd0mqO+845jAibKCkw==",
-      "cpu": [
-        "ppc64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-ppc64-musl": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.56.0.tgz",
-      "integrity": "sha512-MtMeFVlD2LIKjp2sE2xM2slq3Zxf9zwVuw0jemsxvh1QOpHSsSzfNOTH9uYW9i1MXFxUSMmLpeVeUzoNOKBaWg==",
-      "cpu": [
-        "ppc64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.56.0.tgz",
-      "integrity": "sha512-in+v6wiHdzzVhYKXIk5U74dEZHdKN9KH0Q4ANHOTvyXPG41bajYRsy7a8TPKbYPl34hU7PP7hMVHRvv/5aCSew==",
-      "cpu": [
-        "riscv64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-riscv64-musl": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.56.0.tgz",
-      "integrity": "sha512-yni2raKHB8m9NQpI9fPVwN754mn6dHQSbDTwxdr9SE0ks38DTjLMMBjrwvB5+mXrX+C0npX0CVeCUcvvvD8CNQ==",
-      "cpu": [
-        "riscv64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.56.0.tgz",
-      "integrity": "sha512-zhLLJx9nQPu7wezbxt2ut+CI4YlXi68ndEve16tPc/iwoylWS9B3FxpLS2PkmfYgDQtosah07Mj9E0khc3Y+vQ==",
-      "cpu": [
-        "s390x"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.56.0.tgz",
-      "integrity": "sha512-MVC6UDp16ZSH7x4rtuJPAEoE1RwS8N4oK9DLHy3FTEdFoUTCFVzMfJl/BVJ330C+hx8FfprA5Wqx4FhZXkj2Kw==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.56.0.tgz",
-      "integrity": "sha512-ZhGH1eA4Qv0lxaV00azCIS1ChedK0V32952Md3FtnxSqZTBTd6tgil4nZT5cU8B+SIw3PFYkvyR4FKo2oyZIHA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-openbsd-x64": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.56.0.tgz",
-      "integrity": "sha512-O16XcmyDeFI9879pEcmtWvD/2nyxR9mF7Gs44lf1vGGx8Vg2DRNx11aVXBEqOQhWb92WN4z7fW/q4+2NYzCbBA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ]
-    },
-    "node_modules/@rollup/rollup-openharmony-arm64": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.56.0.tgz",
-      "integrity": "sha512-LhN/Reh+7F3RCgQIRbgw8ZMwUwyqJM+8pXNT6IIJAqm2IdKkzpCh/V9EdgOMBKuebIrzswqy4ATlrDgiOwbRcQ==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openharmony"
-      ]
-    },
-    "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.56.0.tgz",
-      "integrity": "sha512-kbFsOObXp3LBULg1d3JIUQMa9Kv4UitDmpS+k0tinPBz3watcUiV2/LUDMMucA6pZO3WGE27P7DsfaN54l9ing==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ]
-    },
-    "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.56.0.tgz",
-      "integrity": "sha512-vSSgny54D6P4vf2izbtFm/TcWYedw7f8eBrOiGGecyHyQB9q4Kqentjaj8hToe+995nob/Wv48pDqL5a62EWtg==",
-      "cpu": [
-        "ia32"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ]
-    },
-    "node_modules/@rollup/rollup-win32-x64-gnu": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.56.0.tgz",
-      "integrity": "sha512-FeCnkPCTHQJFbiGG49KjV5YGW/8b9rrXAM2Mz2kiIoktq2qsJxRD5giEMEOD2lPdgs72upzefaUvS+nc8E3UzQ==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ]
-    },
-    "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.56.0.tgz",
-      "integrity": "sha512-H8AE9Ur/t0+1VXujj90w0HrSOuv0Nq9r1vSZF2t5km20NTfosQsGGUXDaKdQZzwuLts7IyL1fYT4hM95TI9c4g==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ]
-    },
     "node_modules/@scarf/scarf": {
       "version": "1.4.0",
       "resolved": "https://registry.npmjs.org/@scarf/scarf/-/scarf-1.4.0.tgz",
@@ -3252,12 +3295,12 @@
       "license": "Apache-2.0"
     },
     "node_modules/@solid-primitives/refs": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@solid-primitives/refs/-/refs-1.1.2.tgz",
-      "integrity": "sha512-K7tf2thy7L+YJjdqXspXOg5xvNEOH8tgEWsp0+1mQk3obHBRD6hEjYZk7p7FlJphSZImS35je3UfmWuD7MhDfg==",
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@solid-primitives/refs/-/refs-1.1.3.tgz",
+      "integrity": "sha512-aam02fjNKpBteewF/UliPSQCVJsIIGOLEWQOh+ll6R/QePzBOOBMcC4G+5jTaO75JuUS1d/14Q1YXT3X0Ow6iA==",
       "license": "MIT",
       "dependencies": {
-        "@solid-primitives/utils": "^6.3.2"
+        "@solid-primitives/utils": "^6.4.0"
       },
       "peerDependencies": {
         "solid-js": "^1.6.12"
@@ -3273,9 +3316,9 @@
       }
     },
     "node_modules/@solid-primitives/utils": {
-      "version": "6.3.2",
-      "resolved": "https://registry.npmjs.org/@solid-primitives/utils/-/utils-6.3.2.tgz",
-      "integrity": "sha512-hZ/M/qr25QOCcwDPOHtGjxTD8w2mNyVAYvcfgwzBHq2RwNqHNdDNsMZYap20+ruRwW4A3Cdkczyoz0TSxLCAPQ==",
+      "version": "6.4.0",
+      "resolved": "https://registry.npmjs.org/@solid-primitives/utils/-/utils-6.4.0.tgz",
+      "integrity": "sha512-AeGTBg8Wtkh/0s+evyLtP8piQoS4wyqqQaAFs2HJcFMMjYAtUgo+ZPduRXLjPlqKVc2ejeR544oeqpbn8Egn8A==",
       "license": "MIT",
       "peerDependencies": {
         "solid-js": "^1.6.12"
@@ -3451,9 +3494,9 @@
       }
     },
     "node_modules/@stoplight/spectral-core": {
-      "version": "1.20.0",
-      "resolved": "https://registry.npmjs.org/@stoplight/spectral-core/-/spectral-core-1.20.0.tgz",
-      "integrity": "sha512-5hBP81nCC1zn1hJXL/uxPNRKNcB+/pEIHgCjPRpl/w/qy9yC9ver04tw1W0l/PMiv0UeB5dYgozXVQ4j5a6QQQ==",
+      "version": "1.21.0",
+      "resolved": "https://registry.npmjs.org/@stoplight/spectral-core/-/spectral-core-1.21.0.tgz",
+      "integrity": "sha512-oj4e/FrDLUhBRocIW+lRMKlJ/q/rDZw61HkLbTFsdMd+f/FTkli2xHNB1YC6n1mrMKjjvy7XlUuFkC7XxtgbWw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3471,7 +3514,7 @@
         "ajv-formats": "~2.1.1",
         "es-aggregate-error": "^1.0.7",
         "jsonpath-plus": "^10.3.0",
-        "lodash": "~4.17.21",
+        "lodash": "~4.17.23",
         "lodash.topath": "^4.5.2",
         "minimatch": "3.1.2",
         "nimma": "0.2.3",
@@ -3497,6 +3540,24 @@
         "node": "^12.20 || >=14.13"
       }
     },
+    "node_modules/@stoplight/spectral-core/node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@stoplight/spectral-core/node_modules/brace-expansion": {
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
     "node_modules/@stoplight/spectral-core/node_modules/minimatch": {
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
@@ -3817,9 +3878,9 @@
       }
     },
     "node_modules/@stylistic/eslint-plugin/node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -4142,9 +4203,9 @@
       }
     },
     "node_modules/@types/debug": {
-      "version": "4.1.12",
-      "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.12.tgz",
-      "integrity": "sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==",
+      "version": "4.1.13",
+      "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.13.tgz",
+      "integrity": "sha512-KSVgmQmzMwPlmtljOomayoR89W4FynCAi3E8PPs7vmDVPe84hT+vGPKkJfThkmXs0x0jAaa9U8uW8bbfyS2fWw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4240,12 +4301,12 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "20.19.30",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.30.tgz",
-      "integrity": "sha512-WJtwWJu7UdlvzEAUm484QNg5eAoq5QR08KDNx7g45Usrs2NtOPiX8ugDqmKdXkyL03rBqU5dYNYVQetEpBHq2g==",
+      "version": "25.5.0",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz",
+      "integrity": "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==",
       "license": "MIT",
       "dependencies": {
-        "undici-types": "~6.21.0"
+        "undici-types": "~7.18.0"
       }
     },
     "node_modules/@types/sarif": {
@@ -4330,16 +4391,6 @@
         "typescript": ">=4.8.4 <6.0.0"
       }
     },
-    "node_modules/@typescript-eslint/eslint-plugin/node_modules/ignore": {
-      "version": "7.0.5",
-      "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
-      "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">= 4"
-      }
-    },
     "node_modules/@typescript-eslint/parser": {
       "version": "8.57.2",
       "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.57.2.tgz",
@@ -4650,6 +4701,9 @@
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -4664,6 +4718,9 @@
         "arm64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -4678,6 +4735,9 @@
         "ppc64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -4692,6 +4752,9 @@
         "riscv64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -4706,6 +4769,9 @@
         "riscv64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -4720,6 +4786,9 @@
         "s390x"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -4734,6 +4803,9 @@
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -4748,6 +4820,9 @@
         "x64"
       ],
       "dev": true,
+      "libc": [
+        "musl"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -5065,18 +5140,6 @@
         "source-map-js": "^1.2.1"
       }
     },
-    "node_modules/@vue/compiler-core/node_modules/entities": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/entities/-/entities-7.0.1.tgz",
-      "integrity": "sha512-TWrgLOFUQTH994YUyl1yT4uyavY5nNB5muff+RtWaqNVCAK408b5ZnnbNAUEWLTCpum9w6arT70i1XdQ4UeOPA==",
-      "license": "BSD-2-Clause",
-      "engines": {
-        "node": ">=0.12"
-      },
-      "funding": {
-        "url": "https://github.com/fb55/entities?sponsor=1"
-      }
-    },
     "node_modules/@vue/compiler-dom": {
       "version": "3.5.31",
       "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.31.tgz",
@@ -5428,9 +5491,9 @@
       }
     },
     "node_modules/ajv": {
-      "version": "8.17.1",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
-      "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==",
+      "version": "8.18.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
+      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
       "license": "MIT",
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
@@ -5694,13 +5757,6 @@
         "@types/estree": "^1.0.0"
       }
     },
-    "node_modules/ast-v8-to-istanbul/node_modules/js-tokens": {
-      "version": "10.0.0",
-      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
-      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/astral-regex": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-2.0.0.tgz",
@@ -5761,9 +5817,9 @@
       }
     },
     "node_modules/axe-core": {
-      "version": "4.11.1",
-      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.11.1.tgz",
-      "integrity": "sha512-BASOg+YwO2C+346x3LZOeoovTIoTrRqEsqMa6fmfAV0P+U9mFr9NsyOEpiYvFjbc64NMrSswhV50WdXzdb/Z5A==",
+      "version": "4.11.2",
+      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.11.2.tgz",
+      "integrity": "sha512-byD6KPdvo72y/wj2T/4zGEvvlis+PsZsn/yPS3pEO+sFpcrqRpX/TJCxvVaEsNeMrfQbCr7w163YqoD9IYwHXw==",
       "dev": true,
       "license": "MPL-2.0",
       "engines": {
@@ -5771,11 +5827,13 @@
       }
     },
     "node_modules/balanced-match": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-2.0.0.tgz",
-      "integrity": "sha512-1ugUSr8BHXRnK23KfuYS+gVMC3LB8QGH9W1iGtDPsNWoQbgtXSExkBu2aDR4epiGWZOjZsj6lDl/N/AqqTC3UA==",
-      "dev": true,
-      "license": "MIT"
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
+      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
+      "license": "MIT",
+      "engines": {
+        "node": "18 || 20 || >=22"
+      }
     },
     "node_modules/base64-js": {
       "version": "1.5.1",
@@ -5798,12 +5856,15 @@
       "license": "MIT"
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.9.18",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.9.18.tgz",
-      "integrity": "sha512-e23vBV1ZLfjb9apvfPk4rHVu2ry6RIr2Wfs+O324okSidrX7pTAnEJPCh/O5BtRlr7QtZI7ktOP3vsqr7Z5XoA==",
+      "version": "2.10.13",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.13.tgz",
+      "integrity": "sha512-BL2sTuHOdy0YT1lYieUxTw/QMtPBC3pmlJC6xk8BBYVv6vcw3SGdKemQ+Xsx9ik2F/lYDO9tqsFQH1r9PFuHKw==",
       "license": "Apache-2.0",
       "bin": {
-        "baseline-browser-mapping": "dist/cli.js"
+        "baseline-browser-mapping": "dist/cli.cjs"
+      },
+      "engines": {
+        "node": ">=6.0.0"
       }
     },
     "node_modules/big.js": {
@@ -5835,23 +5896,17 @@
       "license": "ISC"
     },
     "node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
-      "dev": true,
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "license": "MIT",
       "dependencies": {
-        "balanced-match": "^1.0.0",
-        "concat-map": "0.0.1"
+        "balanced-match": "^4.0.2"
+      },
+      "engines": {
+        "node": "18 || 20 || >=22"
       }
     },
-    "node_modules/brace-expansion/node_modules/balanced-match": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
-      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/braces": {
       "version": "3.0.3",
       "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
@@ -5865,9 +5920,9 @@
       }
     },
     "node_modules/browserslist": {
-      "version": "4.28.1",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.1.tgz",
-      "integrity": "sha512-ZC5Bd0LgJXgwGqUknZY/vkUQ04r8NXnJZ3yYi4vDmSiZmC/pdSN0NbNRPxZpbtO4uAfDUAFffO8IZoM3Gj8IkA==",
+      "version": "4.28.2",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.2.tgz",
+      "integrity": "sha512-48xSriZYYg+8qXna9kwqjIVzuQxi+KYWp2+5nCYnYKPTr0LvD89Jqk2Or5ogxz0NUMfIjhh2lIUX/LyX9B4oIg==",
       "funding": [
         {
           "type": "opencollective",
@@ -5884,11 +5939,11 @@
       ],
       "license": "MIT",
       "dependencies": {
-        "baseline-browser-mapping": "^2.9.0",
-        "caniuse-lite": "^1.0.30001759",
-        "electron-to-chromium": "^1.5.263",
-        "node-releases": "^2.0.27",
-        "update-browserslist-db": "^1.2.0"
+        "baseline-browser-mapping": "^2.10.12",
+        "caniuse-lite": "^1.0.30001782",
+        "electron-to-chromium": "^1.5.328",
+        "node-releases": "^2.0.36",
+        "update-browserslist-db": "^1.2.3"
       },
       "bin": {
         "browserslist": "cli.js"
@@ -5958,17 +6013,17 @@
       }
     },
     "node_modules/cacheable": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/cacheable/-/cacheable-2.3.2.tgz",
-      "integrity": "sha512-w+ZuRNmex9c1TR9RcsxbfTKCjSL0rh1WA5SABbrWprIHeNBdmyQLSYonlDy9gpD+63XT8DgZ/wNh1Smvc9WnJA==",
+      "version": "2.3.4",
+      "resolved": "https://registry.npmjs.org/cacheable/-/cacheable-2.3.4.tgz",
+      "integrity": "sha512-djgxybDbw9fL/ZWMI3+CE8ZilNxcwFkVtDc1gJ+IlOSSWkSMPQabhV/XCHTQ6pwwN6aivXPZ43omTooZiX06Ew==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@cacheable/memory": "^2.0.7",
-        "@cacheable/utils": "^2.3.3",
+        "@cacheable/memory": "^2.0.8",
+        "@cacheable/utils": "^2.4.0",
         "hookified": "^1.15.0",
-        "keyv": "^5.5.5",
-        "qified": "^0.6.0"
+        "keyv": "^5.6.0",
+        "qified": "^0.9.0"
       }
     },
     "node_modules/cacheable/node_modules/keyv": {
@@ -6050,9 +6105,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001766",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001766.tgz",
-      "integrity": "sha512-4C0lfJ0/YPjJQHagaE9x2Elb69CIqEPZeG0anQt9SIvIoOH4a4uaRl73IavyO+0qZh6MDLH//DrXThEYKHkmYA==",
+      "version": "1.0.30001784",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001784.tgz",
+      "integrity": "sha512-WU346nBTklUV9YfUl60fqRbU5ZqyXlqvo1SgigE1OAXK5bFL8LL9q1K7aap3N739l4BvNqnkm3YrGHiY9sfUQw==",
       "funding": [
         {
           "type": "opencollective",
@@ -6174,16 +6229,16 @@
       }
     },
     "node_modules/chevrotain": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-11.1.1.tgz",
-      "integrity": "sha512-f0yv5CPKaFxfsPTBzX7vGuim4oIC1/gcS7LUGdBSwl2dU6+FON6LVUksdOo1qJjoUvXNn45urgh8C+0a24pACQ==",
+      "version": "11.1.2",
+      "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-11.1.2.tgz",
+      "integrity": "sha512-opLQzEVriiH1uUQ4Kctsd49bRoFDXGGSC4GUqj7pGyxM3RehRhvTlZJc1FL/Flew2p5uwxa1tUDWKzI4wNM8pg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@chevrotain/cst-dts-gen": "11.1.1",
-        "@chevrotain/gast": "11.1.1",
-        "@chevrotain/regexp-to-ast": "11.1.1",
-        "@chevrotain/types": "11.1.1",
-        "@chevrotain/utils": "11.1.1",
+        "@chevrotain/cst-dts-gen": "11.1.2",
+        "@chevrotain/gast": "11.1.2",
+        "@chevrotain/regexp-to-ast": "11.1.2",
+        "@chevrotain/types": "11.1.2",
+        "@chevrotain/utils": "11.1.2",
         "lodash-es": "4.17.23"
       }
     },
@@ -6245,9 +6300,9 @@
       }
     },
     "node_modules/ci-info": {
-      "version": "4.3.1",
-      "resolved": "https://registry.npmjs.org/ci-info/-/ci-info-4.3.1.tgz",
-      "integrity": "sha512-Wdy2Igu8OcBpI2pZePZ5oWjPC38tmDVx5WKUXKwlLYkA0ozo85sLsLvkBbBn/sZaSCMFOGZJ14fvW9t5/d7kdA==",
+      "version": "4.4.0",
+      "resolved": "https://registry.npmjs.org/ci-info/-/ci-info-4.4.0.tgz",
+      "integrity": "sha512-77PSwercCZU2Fc4sX94eF8k8Pxte6JAwL4/ICZLFjJLqegs7kCuAsqqj/70NQF6TvDpgFjkubQB2FW2ZZddvQg==",
       "dev": true,
       "funding": [
         {
@@ -6346,9 +6401,9 @@
       }
     },
     "node_modules/codemirror": {
-      "version": "5.65.20",
-      "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.65.20.tgz",
-      "integrity": "sha512-i5dLDDxwkFCbhjvL2pNjShsojoL3XHyDwsGv1jqETUoW+lzpBKKqNTUWgQwVAOa0tUm4BwekT455ujafi8payA==",
+      "version": "5.65.21",
+      "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.65.21.tgz",
+      "integrity": "sha512-6teYk0bA0nR3QP0ihGMoxuKzpl5W80FpnHpBJpgy66NK3cZv5b/d/HY8PnRvfSsCG1MTfr92u2WUl+wT0E40mQ==",
       "license": "MIT"
     },
     "node_modules/codemirror-spell-checker": {
@@ -6396,9 +6451,9 @@
       }
     },
     "node_modules/comment-parser": {
-      "version": "1.4.5",
-      "resolved": "https://registry.npmjs.org/comment-parser/-/comment-parser-1.4.5.tgz",
-      "integrity": "sha512-aRDkn3uyIlCFfk5NUA+VdwMmMsh8JGhc4hapfV4yxymHGQ3BVskMQfoXGpCo5IoBuQ9tS5iiVKhCpTcB4pW4qw==",
+      "version": "1.4.6",
+      "resolved": "https://registry.npmjs.org/comment-parser/-/comment-parser-1.4.6.tgz",
+      "integrity": "sha512-ObxuY6vnbWTN6Od72xfwN9DbzC7Y2vv8u1Soi9ahRKL37gb6y1qk6/dgjs+3JWuXJHWvsg3BXIwzd/rkmAwavg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -6444,9 +6499,9 @@
       "license": "MIT"
     },
     "node_modules/core-js-compat": {
-      "version": "3.48.0",
-      "resolved": "https://registry.npmjs.org/core-js-compat/-/core-js-compat-3.48.0.tgz",
-      "integrity": "sha512-OM4cAF3D6VtH/WkLtWvyNC56EZVXsZdU3iqaMG2B4WvYrlqU831pc4UtG5yp0sE9z8Y02wVN7PjW5Zf9Gt0f1Q==",
+      "version": "3.49.0",
+      "resolved": "https://registry.npmjs.org/core-js-compat/-/core-js-compat-3.49.0.tgz",
+      "integrity": "sha512-VQXt1jr9cBz03b331DFDCCP90b3fanciLkgiOoy8SBHy06gNf+vQ1A3WFLqG7I8TipYIKeYK9wxd0tUrvHcOZA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -6467,9 +6522,9 @@
       }
     },
     "node_modules/cosmiconfig": {
-      "version": "9.0.0",
-      "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-9.0.0.tgz",
-      "integrity": "sha512-itvL5h8RETACmOTFc4UfIyB2RfEHi71Ax6E/PivVxq9NseKbOWpeyHEOIbmAw1rs8Ak0VursQNww7lf7YtUwzg==",
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-9.0.1.tgz",
+      "integrity": "sha512-hr4ihw+DBqcvrsEDioRO31Z17x71pUYoNe/4h6Z0wB72p7MU7/9gH8Q3s12NFhHPfYBBOV3qyfUxmr/Yn3shnQ==",
       "license": "MIT",
       "dependencies": {
         "env-paths": "^2.2.1",
@@ -6525,13 +6580,13 @@
       }
     },
     "node_modules/css-functions-list": {
-      "version": "3.2.3",
-      "resolved": "https://registry.npmjs.org/css-functions-list/-/css-functions-list-3.2.3.tgz",
-      "integrity": "sha512-IQOkD3hbR5KrN93MtcYuad6YPuTSUhntLHDuLEbFWE+ff2/XSZNdZG+LcbbIW5AXKg/WFIfYItIzVoHngHXZzA==",
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/css-functions-list/-/css-functions-list-3.3.3.tgz",
+      "integrity": "sha512-8HFEBPKhOpJPEPu70wJJetjKta86Gw9+CCyCnB3sui2qQfOvRyqBy4IKLKKAwdMpWb2lHXWk9Wb4Z6AmaUT1Pg==",
       "dev": true,
       "license": "MIT",
       "engines": {
-        "node": ">=12 || >=16"
+        "node": ">=12"
       }
     },
     "node_modules/css-loader": {
@@ -6587,14 +6642,14 @@
       }
     },
     "node_modules/css-tree": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-3.1.0.tgz",
-      "integrity": "sha512-0eW44TGN5SQXU1mWSkKwFstI/22X2bG1nYzZTYMAWjylYURhse752YgbE4Cx46AC+bAvI+/dYTPRk1LqSUnu6w==",
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-3.2.1.tgz",
+      "integrity": "sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "mdn-data": "2.12.2",
-        "source-map-js": "^1.0.1"
+        "mdn-data": "2.27.1",
+        "source-map-js": "^1.2.1"
       },
       "engines": {
         "node": "^10 || ^12.20.0 || ^14.13.0 || >=15.0.0"
@@ -7332,9 +7387,9 @@
       }
     },
     "node_modules/delaunator": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/delaunator/-/delaunator-5.0.1.tgz",
-      "integrity": "sha512-8nvh+XBe96aCESrGOqMp/84b13H9cdKbG5P2ejQCh4d4sK9RL4371qou9drQjMhvnPmhWl5hnmqbEE0fXr9Xnw==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/delaunator/-/delaunator-5.1.0.tgz",
+      "integrity": "sha512-AGrQ4QSgssa1NGmWmLPqN5NY2KajF5MqxetNEO+o0n3ZwZZeTmt7bBnvzHWrmkZFxGgr4HdyFgelzgi06otLuQ==",
       "license": "ISC",
       "dependencies": {
         "robust-predicates": "^3.0.2"
@@ -7433,6 +7488,19 @@
         "url": "https://github.com/cheeriojs/dom-serializer?sponsor=1"
       }
     },
+    "node_modules/dom-serializer/node_modules/entities": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
+      "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.12"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
     "node_modules/domelementtype": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/domelementtype/-/domelementtype-2.3.0.tgz",
@@ -7463,9 +7531,9 @@
       }
     },
     "node_modules/dompurify": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz",
-      "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==",
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.3.tgz",
+      "integrity": "sha512-Oj6pzI2+RqBfFG+qOaOLbFXLQ90ARpcGG6UePL82bJLtdsa6CYJD7nmiU8MW9nQNOtCHV3lZ/Bzq1X0QYbBZCA==",
       "license": "(MPL-2.0 OR Apache-2.0)",
       "optionalDependencies": {
         "@types/trusted-types": "^2.0.7"
@@ -7532,15 +7600,15 @@
       }
     },
     "node_modules/editorconfig": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/editorconfig/-/editorconfig-1.0.4.tgz",
-      "integrity": "sha512-L9Qe08KWTlqYMVvMcTIvMAdl1cDUubzRNYL+WfA4bLDMHe4nemKkpmYzkznE1FwLKu0EEmy6obgQKzMJrg4x9Q==",
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/editorconfig/-/editorconfig-1.0.7.tgz",
+      "integrity": "sha512-e0GOtq/aTQhVdNyDU9e02+wz9oDDM+SIOQxWME2QRjzRX5yyLAuHDE+0aE8vHb9XRC8XD37eO2u57+F09JqFhw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@one-ini/wasm": "0.1.1",
         "commander": "^10.0.0",
-        "minimatch": "9.0.1",
+        "minimatch": "^9.0.1",
         "semver": "^7.5.3"
       },
       "bin": {
@@ -7558,9 +7626,9 @@
       "license": "MIT"
     },
     "node_modules/editorconfig/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
+      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -7568,13 +7636,13 @@
       }
     },
     "node_modules/editorconfig/node_modules/minimatch": {
-      "version": "9.0.1",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.1.tgz",
-      "integrity": "sha512-0jWhJpD/MdhPXwPuiRkCbfYfSKp2qnn2eOc279qI7f+osl/l+prKSrvhg157zSYvx/1nmgn2NqdT6k2Z7zSH9w==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^2.0.1"
+        "brace-expansion": "^2.0.2"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -7584,9 +7652,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.278",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.278.tgz",
-      "integrity": "sha512-dQ0tM1svDRQOwxnXxm+twlGTjr9Upvt8UFWAgmLsxEzFQxhbti4VwxmMjsDxVC51Zo84swW7FVCXEV+VAkhuPw==",
+      "version": "1.5.330",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.330.tgz",
+      "integrity": "sha512-jFNydB5kFtYUobh4IkWUnXeyDbjf/r9gcUEXe1xcrcUxIGfTdzPXA+ld6zBRbwvgIGVzDll/LTIiDztEtckSnA==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -7606,9 +7674,9 @@
       }
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.20.0",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.0.tgz",
-      "integrity": "sha512-/ce7+jQ1PQ6rVXwe+jKEg5hW5ciicHwIQUagZkp6IufBoY3YDgdTTY1azVs0qoRgVmvsNB+rbjLJxDAeHHtwsQ==",
+      "version": "5.20.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.1.tgz",
+      "integrity": "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==",
       "license": "MIT",
       "dependencies": {
         "graceful-fs": "^4.2.4",
@@ -7619,10 +7687,9 @@
       }
     },
     "node_modules/entities": {
-      "version": "4.5.0",
-      "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
-      "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
-      "dev": true,
+      "version": "7.0.1",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-7.0.1.tgz",
+      "integrity": "sha512-TWrgLOFUQTH994YUyl1yT4uyavY5nNB5muff+RtWaqNVCAK408b5ZnnbNAUEWLTCpum9w6arT70i1XdQ4UeOPA==",
       "license": "BSD-2-Clause",
       "engines": {
         "node": ">=0.12"
@@ -7827,9 +7894,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.27.2",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.2.tgz",
-      "integrity": "sha512-HyNQImnsOC7X9PMNaCIeAm4ISCQXs5a5YasTXVliKv4uuBo1dKrG0A+uQS8M5eXjVMnLg3WgXaKvprHlFJQffw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
+      "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==",
       "hasInstallScript": true,
       "license": "MIT",
       "bin": {
@@ -7839,32 +7906,32 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.2",
-        "@esbuild/android-arm": "0.27.2",
-        "@esbuild/android-arm64": "0.27.2",
-        "@esbuild/android-x64": "0.27.2",
-        "@esbuild/darwin-arm64": "0.27.2",
-        "@esbuild/darwin-x64": "0.27.2",
-        "@esbuild/freebsd-arm64": "0.27.2",
-        "@esbuild/freebsd-x64": "0.27.2",
-        "@esbuild/linux-arm": "0.27.2",
-        "@esbuild/linux-arm64": "0.27.2",
-        "@esbuild/linux-ia32": "0.27.2",
-        "@esbuild/linux-loong64": "0.27.2",
-        "@esbuild/linux-mips64el": "0.27.2",
-        "@esbuild/linux-ppc64": "0.27.2",
-        "@esbuild/linux-riscv64": "0.27.2",
-        "@esbuild/linux-s390x": "0.27.2",
-        "@esbuild/linux-x64": "0.27.2",
-        "@esbuild/netbsd-arm64": "0.27.2",
-        "@esbuild/netbsd-x64": "0.27.2",
-        "@esbuild/openbsd-arm64": "0.27.2",
-        "@esbuild/openbsd-x64": "0.27.2",
-        "@esbuild/openharmony-arm64": "0.27.2",
-        "@esbuild/sunos-x64": "0.27.2",
-        "@esbuild/win32-arm64": "0.27.2",
-        "@esbuild/win32-ia32": "0.27.2",
-        "@esbuild/win32-x64": "0.27.2"
+        "@esbuild/aix-ppc64": "0.27.4",
+        "@esbuild/android-arm": "0.27.4",
+        "@esbuild/android-arm64": "0.27.4",
+        "@esbuild/android-x64": "0.27.4",
+        "@esbuild/darwin-arm64": "0.27.4",
+        "@esbuild/darwin-x64": "0.27.4",
+        "@esbuild/freebsd-arm64": "0.27.4",
+        "@esbuild/freebsd-x64": "0.27.4",
+        "@esbuild/linux-arm": "0.27.4",
+        "@esbuild/linux-arm64": "0.27.4",
+        "@esbuild/linux-ia32": "0.27.4",
+        "@esbuild/linux-loong64": "0.27.4",
+        "@esbuild/linux-mips64el": "0.27.4",
+        "@esbuild/linux-ppc64": "0.27.4",
+        "@esbuild/linux-riscv64": "0.27.4",
+        "@esbuild/linux-s390x": "0.27.4",
+        "@esbuild/linux-x64": "0.27.4",
+        "@esbuild/netbsd-arm64": "0.27.4",
+        "@esbuild/netbsd-x64": "0.27.4",
+        "@esbuild/openbsd-arm64": "0.27.4",
+        "@esbuild/openbsd-x64": "0.27.4",
+        "@esbuild/openharmony-arm64": "0.27.4",
+        "@esbuild/sunos-x64": "0.27.4",
+        "@esbuild/win32-arm64": "0.27.4",
+        "@esbuild/win32-ia32": "0.27.4",
+        "@esbuild/win32-x64": "0.27.4"
       }
     },
     "node_modules/esbuild-loader": {
@@ -8420,6 +8487,34 @@
         "url": "https://github.com/sponsors/epoberezkin"
       }
     },
+    "node_modules/eslint/node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/eslint/node_modules/brace-expansion": {
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/eslint/node_modules/ignore": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz",
+      "integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 4"
+      }
+    },
     "node_modules/eslint/node_modules/json-schema-traverse": {
       "version": "0.4.1",
       "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
@@ -8741,9 +8836,9 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
-      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
       "dev": true,
       "license": "ISC"
     },
@@ -8974,9 +9069,9 @@
       }
     },
     "node_modules/get-tsconfig": {
-      "version": "4.13.0",
-      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.0.tgz",
-      "integrity": "sha512-1VKTZJCwBrvbd+Wn3AOgQP/2Av+TfTCOlE4AcRJE72W1ksZXbAx8PPBR9RzgTeSPzlPMHrbANMH3LbltH73wxQ==",
+      "version": "4.13.7",
+      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz",
+      "integrity": "sha512-7tN6rFgBlMgpBML5j8typ92BKFi2sFQvIdpAqLA2beia5avZDrMs0FLZiM5etShWq5irVyGcGMEA1jcDaK7A/Q==",
       "license": "MIT",
       "dependencies": {
         "resolve-pkg-maps": "^1.0.0"
@@ -8989,7 +9084,7 @@
       "version": "7.2.3",
       "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
       "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
-      "deprecated": "Glob versions prior to v9 are no longer supported",
+      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -9025,10 +9120,28 @@
       "integrity": "sha512-lkX1HJXwyMcprw/5YUZc2s7DrpAiHB21/V+E1rHUrVNokkvB6bqMzT0VfV6/86ZNabt1k14YOIaT7nDvOX3Iiw==",
       "license": "BSD-2-Clause"
     },
+    "node_modules/glob/node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/glob/node_modules/brace-expansion": {
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
     "node_modules/glob/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -9130,6 +9243,16 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/globby/node_modules/ignore": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz",
+      "integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 4"
+      }
+    },
     "node_modules/globjoin": {
       "version": "0.1.4",
       "resolved": "https://registry.npmjs.org/globjoin/-/globjoin-0.1.4.tgz",
@@ -9189,19 +9312,6 @@
         "node": ">=20.0.0"
       }
     },
-    "node_modules/happy-dom/node_modules/entities": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/entities/-/entities-7.0.1.tgz",
-      "integrity": "sha512-TWrgLOFUQTH994YUyl1yT4uyavY5nNB5muff+RtWaqNVCAK408b5ZnnbNAUEWLTCpum9w6arT70i1XdQ4UeOPA==",
-      "dev": true,
-      "license": "BSD-2-Clause",
-      "engines": {
-        "node": ">=0.12"
-      },
-      "funding": {
-        "url": "https://github.com/fb55/entities?sponsor=1"
-      }
-    },
     "node_modules/has-bigints": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/has-bigints/-/has-bigints-1.1.0.tgz",
@@ -9289,13 +9399,13 @@
       "license": "MIT"
     },
     "node_modules/hashery": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/hashery/-/hashery-1.4.0.tgz",
-      "integrity": "sha512-Wn2i1In6XFxl8Az55kkgnFRiAlIAushzh26PTjL2AKtQcEfXrcLa7Hn5QOWGZEf3LU057P9TwwZjFyxfS1VuvQ==",
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/hashery/-/hashery-1.5.1.tgz",
+      "integrity": "sha512-iZyKG96/JwPz1N55vj2Ie2vXbhu440zfUfJvSwEqEbeLluk7NnapfGqa7LH0mOsnDxTF85Mx8/dyR6HfqcbmbQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "hookified": "^1.14.0"
+        "hookified": "^1.15.0"
       },
       "engines": {
         "node": ">=20"
@@ -9314,9 +9424,9 @@
       }
     },
     "node_modules/hookified": {
-      "version": "1.15.0",
-      "resolved": "https://registry.npmjs.org/hookified/-/hookified-1.15.0.tgz",
-      "integrity": "sha512-51w+ZZGt7Zw5q7rM3nC4t3aLn/xvKDETsXqMczndvwyVQhAHfUmUuFBRFcos8Iyebtk7OAE9dL26wFNzZVVOkw==",
+      "version": "1.15.1",
+      "resolved": "https://registry.npmjs.org/hookified/-/hookified-1.15.1.tgz",
+      "integrity": "sha512-MvG/clsADq1GPM2KGo2nyfaWVyn9naPiXrqIe4jYjXNZQt238kWyOGrsyc/DmRAQ+Re6yeo6yX/yoNCG5KAEVg==",
       "dev": true,
       "license": "MIT"
     },
@@ -9383,6 +9493,19 @@
         "entities": "^4.4.0"
       }
     },
+    "node_modules/htmlparser2/node_modules/entities": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
+      "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.12"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
     "node_modules/htmx.org": {
       "version": "2.0.8",
       "resolved": "https://registry.npmjs.org/htmx.org/-/htmx.org-2.0.8.tgz",
@@ -9440,9 +9563,9 @@
       "license": "BSD-3-Clause"
     },
     "node_modules/ignore": {
-      "version": "5.3.2",
-      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz",
-      "integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==",
+      "version": "7.0.5",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
+      "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -10332,9 +10455,9 @@
       "license": "MIT"
     },
     "node_modules/js-beautify/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
+      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -10345,6 +10468,7 @@
       "version": "10.5.0",
       "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
       "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==",
+      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -10363,13 +10487,13 @@
       }
     },
     "node_modules/js-beautify/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^2.0.1"
+        "brace-expansion": "^2.0.2"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -10396,9 +10520,9 @@
       "license": "MIT"
     },
     "node_modules/js-tokens": {
-      "version": "9.0.1",
-      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-9.0.1.tgz",
-      "integrity": "sha512-mxa9E9ITFOt0ban3j6L5MpjwegGz6lBQmM1IJkWeBZGcMxto50+eWdjC/52xDbS2vy0k7vIMK0Fe2wfL9OQSpQ==",
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
+      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
       "dev": true,
       "license": "MIT"
     },
@@ -10428,9 +10552,9 @@
       }
     },
     "node_modules/jsdoc-type-pratt-parser": {
-      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/jsdoc-type-pratt-parser/-/jsdoc-type-pratt-parser-7.1.1.tgz",
-      "integrity": "sha512-/2uqY7x6bsrpi3i9LVU6J89352C0rpMk0as8trXxCtvd4kPk1ke/Eyif6wqfSLvoNJqcDG9Vk4UsXgygzCt2xA==",
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/jsdoc-type-pratt-parser/-/jsdoc-type-pratt-parser-7.2.0.tgz",
+      "integrity": "sha512-dh140MMgjyg3JhJZY/+iEzW+NO5xR2gpbDFKHqotCmexElVntw7GjWjt511+C/Ef02RU5TKYrJo/Xlzk+OLaTw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -10519,9 +10643,9 @@
       }
     },
     "node_modules/jsonpath-plus": {
-      "version": "10.3.0",
-      "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.3.0.tgz",
-      "integrity": "sha512-8TNmfeTCk2Le33A3vRRwtuworG/L5RrgMvdjhKZxvyShO+mBu2fP50OWUjRLNtvw344DdDarFh9buFAZs5ujeA==",
+      "version": "10.4.0",
+      "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.4.0.tgz",
+      "integrity": "sha512-T92WWatJXmhBbKsgH/0hl+jxjdXrifi5IKeMY02DWggRxX0UElcbVzPlmgLTbvsPeW1PasQ6xE2Q75stkhGbsA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -10702,6 +10826,279 @@
         "immediate": "~3.0.5"
       }
     },
+    "node_modules/lightningcss": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.32.0.tgz",
+      "integrity": "sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==",
+      "dev": true,
+      "license": "MPL-2.0",
+      "dependencies": {
+        "detect-libc": "^2.0.3"
+      },
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      },
+      "optionalDependencies": {
+        "lightningcss-android-arm64": "1.32.0",
+        "lightningcss-darwin-arm64": "1.32.0",
+        "lightningcss-darwin-x64": "1.32.0",
+        "lightningcss-freebsd-x64": "1.32.0",
+        "lightningcss-linux-arm-gnueabihf": "1.32.0",
+        "lightningcss-linux-arm64-gnu": "1.32.0",
+        "lightningcss-linux-arm64-musl": "1.32.0",
+        "lightningcss-linux-x64-gnu": "1.32.0",
+        "lightningcss-linux-x64-musl": "1.32.0",
+        "lightningcss-win32-arm64-msvc": "1.32.0",
+        "lightningcss-win32-x64-msvc": "1.32.0"
+      }
+    },
+    "node_modules/lightningcss-android-arm64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.32.0.tgz",
+      "integrity": "sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-darwin-arm64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.32.0.tgz",
+      "integrity": "sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-darwin-x64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.32.0.tgz",
+      "integrity": "sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-freebsd-x64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.32.0.tgz",
+      "integrity": "sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm-gnueabihf": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.32.0.tgz",
+      "integrity": "sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm64-gnu": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.32.0.tgz",
+      "integrity": "sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm64-musl": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.32.0.tgz",
+      "integrity": "sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-x64-gnu": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.32.0.tgz",
+      "integrity": "sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "glibc"
+      ],
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-x64-musl": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.32.0.tgz",
+      "integrity": "sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "libc": [
+        "musl"
+      ],
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-win32-arm64-msvc": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.32.0.tgz",
+      "integrity": "sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-win32-x64-msvc": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.32.0.tgz",
+      "integrity": "sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
     "node_modules/lilconfig": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-3.1.3.tgz",
@@ -10938,6 +11335,19 @@
         "markdown-it": "bin/markdown-it.mjs"
       }
     },
+    "node_modules/markdown-it/node_modules/entities": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
+      "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.12"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
     "node_modules/markdownlint": {
       "version": "0.40.0",
       "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.40.0.tgz",
@@ -10999,16 +11409,6 @@
         "node": ">=20"
       }
     },
-    "node_modules/markdownlint-cli/node_modules/ignore": {
-      "version": "7.0.5",
-      "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
-      "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">= 4"
-      }
-    },
     "node_modules/markdownlint-cli/node_modules/jsonc-parser": {
       "version": "3.3.1",
       "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.3.1.tgz",
@@ -11047,13 +11447,13 @@
       }
     },
     "node_modules/markdownlint/node_modules/strip-ansi": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz",
-      "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==",
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "ansi-regex": "^6.0.1"
+        "ansi-regex": "^6.2.2"
       },
       "engines": {
         "node": ">=12"
@@ -11096,9 +11496,9 @@
       }
     },
     "node_modules/mdn-data": {
-      "version": "2.12.2",
-      "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.12.2.tgz",
-      "integrity": "sha512-IEn+pegP1aManZuckezWCO+XZQDplx1366JoVhTpMpBB1sPey/SbveZQUosKiKiGYjg1wH4pMlNgXbCiYgihQA==",
+      "version": "2.27.1",
+      "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.27.1.tgz",
+      "integrity": "sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==",
       "dev": true,
       "license": "CC0-1.0"
     },
@@ -11783,27 +12183,6 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
-    "node_modules/minimatch/node_modules/balanced-match": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
-      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
-      "license": "MIT",
-      "engines": {
-        "node": "18 || 20 || >=22"
-      }
-    },
-    "node_modules/minimatch/node_modules/brace-expansion": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-      "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^4.0.2"
-      },
-      "engines": {
-        "node": "18 || 20 || >=22"
-      }
-    },
     "node_modules/minimist": {
       "version": "1.2.8",
       "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
@@ -11815,11 +12194,11 @@
       }
     },
     "node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
+      "version": "7.1.3",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.3.tgz",
+      "integrity": "sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==",
       "dev": true,
-      "license": "ISC",
+      "license": "BlueOak-1.0.0",
       "engines": {
         "node": ">=16 || 14 >=14.17"
       }
@@ -11838,21 +12217,21 @@
       }
     },
     "node_modules/mlly": {
-      "version": "1.8.0",
-      "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.8.0.tgz",
-      "integrity": "sha512-l8D9ODSRWLe2KHJSifWGwBqpTZXIXTeo8mlKjY+E2HAakaTeNpqAyBZ8GSqLzHgw4XmHmC8whvpjJNMbFZN7/g==",
+      "version": "1.8.2",
+      "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.8.2.tgz",
+      "integrity": "sha512-d+ObxMQFmbt10sretNDytwt85VrbkhhUA/JBGm1MPaWJ65Cl4wOgLaB1NYvJSZ0Ef03MMEU/0xpPMXUIQ29UfA==",
       "license": "MIT",
       "dependencies": {
-        "acorn": "^8.15.0",
+        "acorn": "^8.16.0",
         "pathe": "^2.0.3",
         "pkg-types": "^1.3.1",
-        "ufo": "^1.6.1"
+        "ufo": "^1.6.3"
       }
     },
     "node_modules/moo": {
-      "version": "0.5.2",
-      "resolved": "https://registry.npmjs.org/moo/-/moo-0.5.2.tgz",
-      "integrity": "sha512-iSAJLHYKnX41mKcJKjqvnAN9sf0LMDTXDEvFv+ffuRR9a1MIuXLjMNL6EsnDHSkKLTWNqQQ5uo61P4EbU4NU+Q==",
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/moo/-/moo-0.5.3.tgz",
+      "integrity": "sha512-m2fmM2dDm7GZQsY7KK2cme8agi+AAljILjQnof7p1ZMDe6dQ4bdnSMx0cPppudoeNv5hEFQirN6u+O4fDE0IWA==",
       "license": "BSD-3-Clause"
     },
     "node_modules/ms": {
@@ -11961,9 +12340,9 @@
       }
     },
     "node_modules/node-releases": {
-      "version": "2.0.27",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz",
-      "integrity": "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==",
+      "version": "2.0.36",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.36.tgz",
+      "integrity": "sha512-TdC8FSgHz8Mwtw9g5L4gR/Sh9XhSP/0DEkQxfEFXOpiul5IiHgHan2VhYYb6agDSfp4KuvltmGApc8HMgUrIkA==",
       "license": "MIT"
     },
     "node_modules/node-sarif-builder": {
@@ -12382,9 +12761,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
       "license": "MIT",
       "engines": {
         "node": ">=8.6"
@@ -12608,6 +12987,13 @@
         "node": "^12 || >=14"
       }
     },
+    "node_modules/postcss-html/node_modules/js-tokens": {
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-9.0.1.tgz",
+      "integrity": "sha512-mxa9E9ITFOt0ban3j6L5MpjwegGz6lBQmM1IJkWeBZGcMxto50+eWdjC/52xDbS2vy0k7vIMK0Fe2wfL9OQSpQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/postcss-import": {
       "version": "15.1.0",
       "resolved": "https://registry.npmjs.org/postcss-import/-/postcss-import-15.1.0.tgz",
@@ -12847,28 +13233,6 @@
         "postcss": "^8.4"
       }
     },
-    "node_modules/postcss-nesting/node_modules/@csstools/selector-specificity": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-6.0.0.tgz",
-      "integrity": "sha512-4sSgl78OtOXEX/2d++8A83zHNTgwCJMaR24FvsYL7Uf/VS8HZk9PTwR51elTbGqMuwH3szLvvOXEaVnqn0Z3zA==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
-      "license": "MIT-0",
-      "engines": {
-        "node": ">=20.19.0"
-      },
-      "peerDependencies": {
-        "postcss-selector-parser": "^7.1.1"
-      }
-    },
     "node_modules/postcss-resolve-nested-selector": {
       "version": "0.1.6",
       "resolved": "https://registry.npmjs.org/postcss-resolve-nested-selector/-/postcss-resolve-nested-selector-0.1.6.tgz",
@@ -13009,9 +13373,9 @@
       "license": "ISC"
     },
     "node_modules/prototype-properties": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/prototype-properties/-/prototype-properties-5.0.0.tgz",
-      "integrity": "sha512-uCWE2QqnGlwvvJXTwiHTPTyHE62+zORO5hpFWhAwBGDtEtTmNZZleNLJDoFsqHCL4p/CeAP2Q1uMKFUKALuRGQ==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/prototype-properties/-/prototype-properties-5.1.0.tgz",
+      "integrity": "sha512-lq/vK1+nYV/bbjZ70pDmaTzin143xX9hVAU5CrsNQL57A8j4Q6AfjsY8kRFoUpCBncaUdfkz9MdsQ8PFtiKrUQ==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -13042,18 +13406,25 @@
       }
     },
     "node_modules/qified": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/qified/-/qified-0.6.0.tgz",
-      "integrity": "sha512-tsSGN1x3h569ZSU1u6diwhltLyfUWDp3YbFHedapTmpBl0B3P6U3+Qptg7xu+v+1io1EwhdPyyRHYbEw0KN2FA==",
+      "version": "0.9.1",
+      "resolved": "https://registry.npmjs.org/qified/-/qified-0.9.1.tgz",
+      "integrity": "sha512-n7mar4T0xQ+39dE2vGTAlbxUEpndwPANH0kDef1/MYsB8Bba9wshkybIRx74qgcvKQPEWErf9AqAdYjhzY2Ilg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "hookified": "^1.14.0"
+        "hookified": "^2.1.1"
       },
       "engines": {
         "node": ">=20"
       }
     },
+    "node_modules/qified/node_modules/hookified": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/hookified/-/hookified-2.1.1.tgz",
+      "integrity": "sha512-AHb76R16GB5EsPBE2J7Ko5kiEyXwviB9P5SMrAKcuAu4vJPZttViAbj9+tZeaQE5zjDme+1vcHP78Yj/WoAveA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/queue-microtask": {
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
@@ -13128,9 +13499,9 @@
       "license": "MIT"
     },
     "node_modules/read-package-json/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
+      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -13141,6 +13512,7 @@
       "version": "10.5.0",
       "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
       "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==",
+      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -13169,13 +13541,13 @@
       }
     },
     "node_modules/read-package-json/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^2.0.1"
+        "brace-expansion": "^2.0.2"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -13400,11 +13772,52 @@
       }
     },
     "node_modules/robust-predicates": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/robust-predicates/-/robust-predicates-3.0.2.tgz",
-      "integrity": "sha512-IXgzBWvWQwE6PrDI05OvmXUIruQTcoMDzRsOd5CDvHCVLcLHMTSYvOK5Cm46kWqlV3yAbuSpBZdJ5oP5OUoStg==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/robust-predicates/-/robust-predicates-3.0.3.tgz",
+      "integrity": "sha512-NS3levdsRIUOmiJ8FZWCP7LG3QpJyrs/TE0Zpf1yvZu8cAJJ6QMW92H1c7kWpdIHo8RvmLxN/o2JXTKHp74lUA==",
       "license": "Unlicense"
     },
+    "node_modules/rolldown": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.12.tgz",
+      "integrity": "sha512-yP4USLIMYrwpPHEFB5JGH1uxhcslv6/hL0OyvTuY+3qlOSJvZ7ntYnoWpehBxufkgN0cvXxppuTu5hHa/zPh+A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@oxc-project/types": "=0.122.0",
+        "@rolldown/pluginutils": "1.0.0-rc.12"
+      },
+      "bin": {
+        "rolldown": "bin/cli.mjs"
+      },
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      },
+      "optionalDependencies": {
+        "@rolldown/binding-android-arm64": "1.0.0-rc.12",
+        "@rolldown/binding-darwin-arm64": "1.0.0-rc.12",
+        "@rolldown/binding-darwin-x64": "1.0.0-rc.12",
+        "@rolldown/binding-freebsd-x64": "1.0.0-rc.12",
+        "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.12",
+        "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.12",
+        "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-x64-musl": "1.0.0-rc.12",
+        "@rolldown/binding-openharmony-arm64": "1.0.0-rc.12",
+        "@rolldown/binding-wasm32-wasi": "1.0.0-rc.12",
+        "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.12",
+        "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.12"
+      }
+    },
+    "node_modules/rolldown/node_modules/@rolldown/pluginutils": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.12.tgz",
+      "integrity": "sha512-HHMwmarRKvoFsJorqYlFeFRzXZqCt2ETQlEDOb9aqssrnVBB1/+xgTGtuTrIk5vzLNX1MjMtTf7W9z3tsSbrxw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/rollup": {
       "version": "2.79.2",
       "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.2.tgz",
@@ -13610,18 +14023,18 @@
       }
     },
     "node_modules/seroval": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.5.0.tgz",
-      "integrity": "sha512-OE4cvmJ1uSPrKorFIH9/w/Qwuvi/IMcGbv5RKgcJ/zjA/IohDLU6SVaxFN9FwajbP7nsX0dQqMDes1whk3y+yw==",
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.5.1.tgz",
+      "integrity": "sha512-OwrZRZAfhHww0WEnKHDY8OM0U/Qs8OTfIDWhUD4BLpNJUfXK4cGmjiagGze086m+mhI+V2nD0gfbHEnJjb9STA==",
       "license": "MIT",
       "engines": {
         "node": ">=10"
       }
     },
     "node_modules/seroval-plugins": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.5.0.tgz",
-      "integrity": "sha512-EAHqADIQondwRZIdeW2I636zgsODzoBDwb3PT/+7TLDWyw1Dy/Xv7iGUIEXXav7usHDE9HVhOU61irI3EnyyHA==",
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.5.1.tgz",
+      "integrity": "sha512-4FbuZ/TMl02sqv0RTFexu0SP6V+ywaIe5bAWCCEik0fk17BhALgwvUDVF7e3Uvf9pxmwCEJsRPmlkUE6HdzLAw==",
       "license": "MIT",
       "engines": {
         "node": ">=10"
@@ -13918,9 +14331,9 @@
       }
     },
     "node_modules/solid-js": {
-      "version": "1.9.11",
-      "resolved": "https://registry.npmjs.org/solid-js/-/solid-js-1.9.11.tgz",
-      "integrity": "sha512-WEJtcc5mkh/BnHA6Yrg4whlF8g6QwpmXXRg4P2ztPmcKeHHlH4+djYecBLhSpecZY2RRECXYUwIc/C2r3yzQ4Q==",
+      "version": "1.9.12",
+      "resolved": "https://registry.npmjs.org/solid-js/-/solid-js-1.9.12.tgz",
+      "integrity": "sha512-QzKaSJq2/iDrWR1As6MHZQ8fQkdOBf8GReYb7L5iKwMGceg7HxDcaOHk0at66tNgn9U2U7dXo8ZZpLIAmGMzgw==",
       "license": "MIT",
       "dependencies": {
         "csstype": "^3.1.0",
@@ -14047,9 +14460,9 @@
       }
     },
     "node_modules/spdx-license-ids": {
-      "version": "3.0.22",
-      "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.22.tgz",
-      "integrity": "sha512-4PRT4nh1EImPbt2jASOKHX7PB7I+e4IWNLvkKFDxNhJlfjbYlleYQh285Z/3mPTHSAK/AvdMmw5BNNuYH8ShgQ==",
+      "version": "3.0.23",
+      "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.23.tgz",
+      "integrity": "sha512-CWLcCCH7VLu13TgOH+r8p1O/Znwhqv/dbb6lqWy67G+pT1kHmeD/+V36AVb/vq8QMIQwVShJ6Ssl5FPh0fuSdw==",
       "dev": true,
       "license": "CC0-1.0"
     },
@@ -14090,9 +14503,9 @@
       "license": "MIT"
     },
     "node_modules/stacktracey": {
-      "version": "2.1.8",
-      "resolved": "https://registry.npmjs.org/stacktracey/-/stacktracey-2.1.8.tgz",
-      "integrity": "sha512-Kpij9riA+UNg7TnphqjH7/CzctQ/owJGNbFkfEeve4Z4uxT5+JapVLFXcsurIfN34gnTWZNJ/f7NMG0E8JDzTw==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/stacktracey/-/stacktracey-2.2.0.tgz",
+      "integrity": "sha512-ETyQEz+CzXiLjEbyJqpbp+/T79RQD/6wqFucRBIlVNZfYq2Ay7wbretD4cxpbymZlaPWx58aIhPEY1Cr8DlVvg==",
       "dev": true,
       "license": "Unlicense",
       "dependencies": {
@@ -14384,6 +14797,36 @@
         "stylelint": ">=16"
       }
     },
+    "node_modules/stylelint/node_modules/@csstools/selector-specificity": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-5.0.0.tgz",
+      "integrity": "sha512-PCqQV3c4CoVm3kdPhyeZ07VmBRdH2EpMFA/pd9OASpOEC3aXNGoqPDAZ80D0cLpMBxnmk0+yNhGsEx31hq7Gtw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0",
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "postcss-selector-parser": "^7.0.0"
+      }
+    },
+    "node_modules/stylelint/node_modules/balanced-match": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-2.0.0.tgz",
+      "integrity": "sha512-1ugUSr8BHXRnK23KfuYS+gVMC3LB8QGH9W1iGtDPsNWoQbgtXSExkBu2aDR4epiGWZOjZsj6lDl/N/AqqTC3UA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/stylelint/node_modules/file-entry-cache": {
       "version": "11.1.2",
       "resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-11.1.2.tgz",
@@ -14395,27 +14838,17 @@
       }
     },
     "node_modules/stylelint/node_modules/flat-cache": {
-      "version": "6.1.20",
-      "resolved": "https://registry.npmjs.org/flat-cache/-/flat-cache-6.1.20.tgz",
-      "integrity": "sha512-AhHYqwvN62NVLp4lObVXGVluiABTHapoB57EyegZVmazN+hhGhLTn3uZbOofoTw4DSDvVCadzzyChXhOAvy8uQ==",
+      "version": "6.1.22",
+      "resolved": "https://registry.npmjs.org/flat-cache/-/flat-cache-6.1.22.tgz",
+      "integrity": "sha512-N2dnzVJIphnNsjHcrxGW7DePckJ6haPrSFqpsBUhHYgwtKGVq4JrBGielEGD2fCVnsGm1zlBVZ8wGhkyuetgug==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "cacheable": "^2.3.2",
-        "flatted": "^3.3.3",
+        "cacheable": "^2.3.4",
+        "flatted": "^3.4.2",
         "hookified": "^1.15.0"
       }
     },
-    "node_modules/stylelint/node_modules/ignore": {
-      "version": "7.0.5",
-      "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
-      "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">= 4"
-      }
-    },
     "node_modules/stylelint/node_modules/postcss-safe-parser": {
       "version": "7.0.1",
       "resolved": "https://registry.npmjs.org/postcss-safe-parser/-/postcss-safe-parser-7.0.1.tgz",
@@ -14605,9 +15038,9 @@
       }
     },
     "node_modules/svgo/node_modules/sax": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/sax/-/sax-1.5.0.tgz",
-      "integrity": "sha512-21IYA3Q5cQf089Z6tgaUTr7lDAyzoTPx5HRtbhsME8Udispad8dC/+sziTNugOEx54ilvatQ9YCzl4KQLPcRHA==",
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/sax/-/sax-1.6.0.tgz",
+      "integrity": "sha512-6R3J5M4AcbtLUdZmRv2SygeVaM7IhrLXu9BmnOGmmACak8fiUtOsYNWUS4uK7upbmHIBbLBeFeI//477BKLBzA==",
       "dev": true,
       "license": "BlueOak-1.0.0",
       "engines": {
@@ -14713,9 +15146,9 @@
       }
     },
     "node_modules/tapable": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
-      "integrity": "sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.2.tgz",
+      "integrity": "sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==",
       "license": "MIT",
       "engines": {
         "node": ">=6"
@@ -14726,9 +15159,9 @@
       }
     },
     "node_modules/terser": {
-      "version": "5.46.0",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-5.46.0.tgz",
-      "integrity": "sha512-jTwoImyr/QbOWFFso3YoU3ik0jBBDJ6JTOQiy/J2YxVJdZCc+5u7skhNwiOR3FQIygFqVUPHl7qbbxtjW2K3Qg==",
+      "version": "5.46.1",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-5.46.1.tgz",
+      "integrity": "sha512-vzCjQO/rgUuK9sf8VJZvjqiqiHFaZLnOiimmUuOKODxWL8mm/xua7viT7aqX7dgPY60otQjUotzFMmCB4VdmqQ==",
       "license": "BSD-2-Clause",
       "dependencies": {
         "@jridgewell/source-map": "^0.3.3",
@@ -14744,9 +15177,9 @@
       }
     },
     "node_modules/terser-webpack-plugin": {
-      "version": "5.3.17",
-      "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.3.17.tgz",
-      "integrity": "sha512-YR7PtUp6GMU91BgSJmlaX/rS2lGDbAF7D+Wtq7hRO+MiljNmodYvqslzCFiYVAgW+Qoaaia/QUIP4lGXufjdZw==",
+      "version": "5.4.0",
+      "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.4.0.tgz",
+      "integrity": "sha512-Bn5vxm48flOIfkdl5CaD2+1CiUVbonWQ3KQPyP7/EuIl9Gbzq/gQFOzaMFUEgVjB1396tcK0SG8XcNJ/2kDH8g==",
       "license": "MIT",
       "dependencies": {
         "@jridgewell/trace-mapping": "^0.3.25",
@@ -14840,9 +15273,9 @@
       "license": "MIT"
     },
     "node_modules/tinyexec": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.2.tgz",
-      "integrity": "sha512-W/KYk+NFhkmsYpuHq5JykngiOCnxeVL8v8dFnqxSD8qEEdRfXk1SDM6JzNqcERbcGYj9tMrDQBYV9cjgnunFIg==",
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.4.tgz",
+      "integrity": "sha512-u9r3uZC0bdpGOXtlxUIdwf9pkmvhqJdrVCH9fapQtgy/OeTTMZ1nqH7agtvEfmGui6e1XxjcdrlxvxJvc3sMqw==",
       "license": "MIT",
       "engines": {
         "node": ">=18"
@@ -14882,9 +15315,9 @@
       }
     },
     "node_modules/tinyglobby/node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "license": "MIT",
       "engines": {
         "node": ">=12"
@@ -14982,9 +15415,9 @@
       "license": "MIT"
     },
     "node_modules/ts-api-utils": {
-      "version": "2.4.0",
-      "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.4.0.tgz",
-      "integrity": "sha512-3TaVTaAv2gTiMB35i3FiGJaRfwb3Pyn/j3m/bfAvGe8FB7CF6u+LMYqYlDh7reQf7UNvoTvdfAqHGmPGOSsPmA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.5.0.tgz",
+      "integrity": "sha512-OJ/ibxhPlqrMM0UiNHJ/0CKQkoKF243/AEmplt3qpRgkW8VG7IfOS41h7V8TjITqdByHzrjcS/2si+y4lIh8NA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -15190,9 +15623,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "6.21.0",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
-      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
+      "version": "7.18.2",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
+      "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==",
       "license": "MIT"
     },
     "node_modules/universalify": {
@@ -15344,17 +15777,16 @@
       "license": "MIT"
     },
     "node_modules/vite": {
-      "version": "7.3.1",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
-      "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
+      "version": "8.0.3",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.3.tgz",
+      "integrity": "sha512-B9ifbFudT1TFhfltfaIPgjo9Z3mDynBTJSUYxTjOQruf/zHH+ezCQKcoqO+h7a9Pw9Nm/OtlXAiGT1axBgwqrQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "esbuild": "^0.27.0",
-        "fdir": "^6.5.0",
-        "picomatch": "^4.0.3",
-        "postcss": "^8.5.6",
-        "rollup": "^4.43.0",
+        "lightningcss": "^1.32.0",
+        "picomatch": "^4.0.4",
+        "postcss": "^8.5.8",
+        "rolldown": "1.0.0-rc.12",
         "tinyglobby": "^0.2.15"
       },
       "bin": {
@@ -15371,9 +15803,10 @@
       },
       "peerDependencies": {
         "@types/node": "^20.19.0 || >=22.12.0",
+        "@vitejs/devtools": "^0.1.0",
+        "esbuild": "^0.27.0",
         "jiti": ">=1.21.0",
         "less": "^4.0.0",
-        "lightningcss": "^1.21.0",
         "sass": "^1.70.0",
         "sass-embedded": "^1.70.0",
         "stylus": ">=0.54.8",
@@ -15386,15 +15819,18 @@
         "@types/node": {
           "optional": true
         },
+        "@vitejs/devtools": {
+          "optional": true
+        },
+        "esbuild": {
+          "optional": true
+        },
         "jiti": {
           "optional": true
         },
         "less": {
           "optional": true
         },
-        "lightningcss": {
-          "optional": true
-        },
         "sass": {
           "optional": true
         },
@@ -15428,31 +15864,6 @@
         "vite": "*"
       }
     },
-    "node_modules/vite/node_modules/@types/estree": {
-      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
-      "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/vite/node_modules/fdir": {
-      "version": "6.5.0",
-      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
-      "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=12.0.0"
-      },
-      "peerDependencies": {
-        "picomatch": "^3 || ^4"
-      },
-      "peerDependenciesMeta": {
-        "picomatch": {
-          "optional": true
-        }
-      }
-    },
     "node_modules/vite/node_modules/fsevents": {
       "version": "2.3.3",
       "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
@@ -15469,9 +15880,9 @@
       }
     },
     "node_modules/vite/node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -15481,49 +15892,33 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
-    "node_modules/vite/node_modules/rollup": {
-      "version": "4.56.0",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.56.0.tgz",
-      "integrity": "sha512-9FwVqlgUHzbXtDg9RCMgodF3Ua4Na6Gau+Sdt9vyCN4RhHfVKX2DCHy3BjMLTDd47ITDhYAnTwGulWTblJSDLg==",
+    "node_modules/vite/node_modules/postcss": {
+      "version": "8.5.8",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
+      "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
       "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/postcss"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
       "license": "MIT",
       "dependencies": {
-        "@types/estree": "1.0.8"
-      },
-      "bin": {
-        "rollup": "dist/bin/rollup"
+        "nanoid": "^3.3.11",
+        "picocolors": "^1.1.1",
+        "source-map-js": "^1.2.1"
       },
       "engines": {
-        "node": ">=18.0.0",
-        "npm": ">=8.0.0"
-      },
-      "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.56.0",
-        "@rollup/rollup-android-arm64": "4.56.0",
-        "@rollup/rollup-darwin-arm64": "4.56.0",
-        "@rollup/rollup-darwin-x64": "4.56.0",
-        "@rollup/rollup-freebsd-arm64": "4.56.0",
-        "@rollup/rollup-freebsd-x64": "4.56.0",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.56.0",
-        "@rollup/rollup-linux-arm-musleabihf": "4.56.0",
-        "@rollup/rollup-linux-arm64-gnu": "4.56.0",
-        "@rollup/rollup-linux-arm64-musl": "4.56.0",
-        "@rollup/rollup-linux-loong64-gnu": "4.56.0",
-        "@rollup/rollup-linux-loong64-musl": "4.56.0",
-        "@rollup/rollup-linux-ppc64-gnu": "4.56.0",
-        "@rollup/rollup-linux-ppc64-musl": "4.56.0",
-        "@rollup/rollup-linux-riscv64-gnu": "4.56.0",
-        "@rollup/rollup-linux-riscv64-musl": "4.56.0",
-        "@rollup/rollup-linux-s390x-gnu": "4.56.0",
-        "@rollup/rollup-linux-x64-gnu": "4.56.0",
-        "@rollup/rollup-linux-x64-musl": "4.56.0",
-        "@rollup/rollup-openbsd-x64": "4.56.0",
-        "@rollup/rollup-openharmony-arm64": "4.56.0",
-        "@rollup/rollup-win32-arm64-msvc": "4.56.0",
-        "@rollup/rollup-win32-ia32-msvc": "4.56.0",
-        "@rollup/rollup-win32-x64-gnu": "4.56.0",
-        "@rollup/rollup-win32-x64-msvc": "4.56.0",
-        "fsevents": "~2.3.2"
+        "node": "^10 || ^12 || >=14"
       }
     },
     "node_modules/vitest": {
@@ -15719,17 +16114,17 @@
       "license": "MIT"
     },
     "node_modules/vue-eslint-parser": {
-      "version": "10.2.0",
-      "resolved": "https://registry.npmjs.org/vue-eslint-parser/-/vue-eslint-parser-10.2.0.tgz",
-      "integrity": "sha512-CydUvFOQKD928UzZhTp4pr2vWz1L+H99t7Pkln2QSPdvmURT0MoC4wUccfCnuEaihNsu9aYYyk+bep8rlfkUXw==",
+      "version": "10.4.0",
+      "resolved": "https://registry.npmjs.org/vue-eslint-parser/-/vue-eslint-parser-10.4.0.tgz",
+      "integrity": "sha512-Vxi9pJdbN3ZnVGLODVtZ7y4Y2kzAAE2Cm0CZ3ZDRvydVYxZ6VrnBhLikBsRS+dpwj4Jv4UCv21PTEwF5rQ9WXg==",
       "dev": true,
       "license": "MIT",
       "peer": true,
       "dependencies": {
         "debug": "^4.4.0",
-        "eslint-scope": "^8.2.0",
-        "eslint-visitor-keys": "^4.2.0",
-        "espree": "^10.3.0",
+        "eslint-scope": "^8.2.0 || ^9.0.0",
+        "eslint-visitor-keys": "^4.2.0 || ^5.0.0",
+        "espree": "^10.3.0 || ^11.0.0",
         "esquery": "^1.6.0",
         "semver": "^7.6.3"
       },
@@ -15740,7 +16135,7 @@
         "url": "https://github.com/sponsors/mysticatea"
       },
       "peerDependencies": {
-        "eslint": "^8.57.0 || ^9.0.0"
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0"
       }
     },
     "node_modules/vue-loader": {
diff --git a/web_src/fomantic/package-lock.json b/web_src/fomantic/package-lock.json
index b8f6c9e298..d3cc9367a7 100644
--- a/web_src/fomantic/package-lock.json
+++ b/web_src/fomantic/package-lock.json
@@ -91,12 +91,12 @@
       }
     },
     "node_modules/@isaacs/cliui/node_modules/strip-ansi": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz",
-      "integrity": "sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==",
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
       "license": "MIT",
       "dependencies": {
-        "ansi-regex": "^6.0.1"
+        "ansi-regex": "^6.2.2"
       },
       "engines": {
         "node": ">=12"
@@ -136,6 +136,7 @@
       "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
       "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/auth-token": "^6.0.0",
         "@octokit/graphql": "^9.0.3",
@@ -154,15 +155,17 @@
       "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-6.0.0.tgz",
       "integrity": "sha512-P4YJBPdPSpWTQ1NU4XYdvHvXJJDxM6YwpS0FZHRgP7YFkdVxsWcpWGy/NVqlAA7PcPCnMacXlRm1y2PFZRWL/w==",
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">= 20"
       }
     },
     "node_modules/@octokit/core/node_modules/@octokit/endpoint": {
-      "version": "11.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.2.tgz",
-      "integrity": "sha512-4zCpzP1fWc7QlqunZ5bSEjxc6yLAlRTnDwKtgXfcI/FxxGoqedDG8V2+xJ60bV2kODqcGB+nATdtap/XYq2NZQ==",
+      "version": "11.0.3",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.3.tgz",
+      "integrity": "sha512-FWFlNxghg4HrXkD3ifYbS/IdL/mDHjh9QcsNyhQjN8dplUoZbejsdpmuqdA76nxj2xoWPs7p8uX2SNr9rYu0Ag==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/types": "^16.0.0",
         "universal-user-agent": "^7.0.2"
@@ -175,18 +178,21 @@
       "version": "27.0.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-27.0.0.tgz",
       "integrity": "sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA==",
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/@octokit/core/node_modules/@octokit/request": {
-      "version": "10.0.7",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.7.tgz",
-      "integrity": "sha512-v93h0i1yu4idj8qFPZwjehoJx4j3Ntn+JhXsdJrG9pYaX6j/XRz2RmasMUHtNgQD39nrv/VwTWSqK0RNXR8upA==",
+      "version": "10.0.8",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.8.tgz",
+      "integrity": "sha512-SJZNwY9pur9Agf7l87ywFi14W+Hd9Jg6Ifivsd33+/bGUQIjNujdFiXII2/qSlN2ybqUHfp5xpekMEjIBTjlSw==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
-        "@octokit/endpoint": "^11.0.2",
+        "@octokit/endpoint": "^11.0.3",
         "@octokit/request-error": "^7.0.2",
         "@octokit/types": "^16.0.0",
         "fast-content-type-parse": "^3.0.0",
+        "json-with-bigint": "^3.5.3",
         "universal-user-agent": "^7.0.2"
       },
       "engines": {
@@ -198,6 +204,7 @@
       "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.1.0.tgz",
       "integrity": "sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/types": "^16.0.0"
       },
@@ -210,6 +217,7 @@
       "resolved": "https://registry.npmjs.org/@octokit/types/-/types-16.0.0.tgz",
       "integrity": "sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/openapi-types": "^27.0.0"
       }
@@ -218,13 +226,15 @@
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-4.0.0.tgz",
       "integrity": "sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ==",
-      "license": "Apache-2.0"
+      "license": "Apache-2.0",
+      "peer": true
     },
     "node_modules/@octokit/core/node_modules/universal-user-agent": {
       "version": "7.0.3",
       "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
       "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
-      "license": "ISC"
+      "license": "ISC",
+      "peer": true
     },
     "node_modules/@octokit/endpoint": {
       "version": "6.0.12",
@@ -248,6 +258,7 @@
       "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-9.0.3.tgz",
       "integrity": "sha512-grAEuupr/C1rALFnXTv6ZQhFuL1D8G5y8CN04RgrO4FIPMrtm+mcZzFG7dcBm+nq+1ppNixu+Jd78aeJOYxlGA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/request": "^10.0.6",
         "@octokit/types": "^16.0.0",
@@ -258,10 +269,11 @@
       }
     },
     "node_modules/@octokit/graphql/node_modules/@octokit/endpoint": {
-      "version": "11.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.2.tgz",
-      "integrity": "sha512-4zCpzP1fWc7QlqunZ5bSEjxc6yLAlRTnDwKtgXfcI/FxxGoqedDG8V2+xJ60bV2kODqcGB+nATdtap/XYq2NZQ==",
+      "version": "11.0.3",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.3.tgz",
+      "integrity": "sha512-FWFlNxghg4HrXkD3ifYbS/IdL/mDHjh9QcsNyhQjN8dplUoZbejsdpmuqdA76nxj2xoWPs7p8uX2SNr9rYu0Ag==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/types": "^16.0.0",
         "universal-user-agent": "^7.0.2"
@@ -274,18 +286,21 @@
       "version": "27.0.0",
       "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-27.0.0.tgz",
       "integrity": "sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA==",
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/@octokit/graphql/node_modules/@octokit/request": {
-      "version": "10.0.7",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.7.tgz",
-      "integrity": "sha512-v93h0i1yu4idj8qFPZwjehoJx4j3Ntn+JhXsdJrG9pYaX6j/XRz2RmasMUHtNgQD39nrv/VwTWSqK0RNXR8upA==",
+      "version": "10.0.8",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.8.tgz",
+      "integrity": "sha512-SJZNwY9pur9Agf7l87ywFi14W+Hd9Jg6Ifivsd33+/bGUQIjNujdFiXII2/qSlN2ybqUHfp5xpekMEjIBTjlSw==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
-        "@octokit/endpoint": "^11.0.2",
+        "@octokit/endpoint": "^11.0.3",
         "@octokit/request-error": "^7.0.2",
         "@octokit/types": "^16.0.0",
         "fast-content-type-parse": "^3.0.0",
+        "json-with-bigint": "^3.5.3",
         "universal-user-agent": "^7.0.2"
       },
       "engines": {
@@ -297,6 +312,7 @@
       "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.1.0.tgz",
       "integrity": "sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/types": "^16.0.0"
       },
@@ -309,6 +325,7 @@
       "resolved": "https://registry.npmjs.org/@octokit/types/-/types-16.0.0.tgz",
       "integrity": "sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@octokit/openapi-types": "^27.0.0"
       }
@@ -317,7 +334,8 @@
       "version": "7.0.3",
       "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
       "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
-      "license": "ISC"
+      "license": "ISC",
+      "peer": true
     },
     "node_modules/@octokit/openapi-types": {
       "version": "12.11.0",
@@ -478,12 +496,12 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "25.0.10",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.0.10.tgz",
-      "integrity": "sha512-zWW5KPngR/yvakJgGOmZ5vTBemDoSqF3AcV/LrO5u5wTWyEAVVh+IT39G4gtyAkh3CtTZs8aX/yRM82OfzHJRg==",
+      "version": "25.5.0",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz",
+      "integrity": "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==",
       "license": "MIT",
       "dependencies": {
-        "undici-types": "~7.16.0"
+        "undici-types": "~7.18.0"
       }
     },
     "node_modules/@types/vinyl": {
@@ -1014,12 +1032,15 @@
       }
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.9.18",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.9.18.tgz",
-      "integrity": "sha512-e23vBV1ZLfjb9apvfPk4rHVu2ry6RIr2Wfs+O324okSidrX7pTAnEJPCh/O5BtRlr7QtZI7ktOP3vsqr7Z5XoA==",
+      "version": "2.10.13",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.13.tgz",
+      "integrity": "sha512-BL2sTuHOdy0YT1lYieUxTw/QMtPBC3pmlJC6xk8BBYVv6vcw3SGdKemQ+Xsx9ik2F/lYDO9tqsFQH1r9PFuHKw==",
       "license": "Apache-2.0",
       "bin": {
-        "baseline-browser-mapping": "dist/cli.js"
+        "baseline-browser-mapping": "dist/cli.cjs"
+      },
+      "engines": {
+        "node": ">=6.0.0"
       }
     },
     "node_modules/beeper": {
@@ -1079,9 +1100,9 @@
       }
     },
     "node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.13",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
+      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0",
@@ -1110,9 +1131,9 @@
       }
     },
     "node_modules/browserslist": {
-      "version": "4.28.1",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.1.tgz",
-      "integrity": "sha512-ZC5Bd0LgJXgwGqUknZY/vkUQ04r8NXnJZ3yYi4vDmSiZmC/pdSN0NbNRPxZpbtO4uAfDUAFffO8IZoM3Gj8IkA==",
+      "version": "4.28.2",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.2.tgz",
+      "integrity": "sha512-48xSriZYYg+8qXna9kwqjIVzuQxi+KYWp2+5nCYnYKPTr0LvD89Jqk2Or5ogxz0NUMfIjhh2lIUX/LyX9B4oIg==",
       "funding": [
         {
           "type": "opencollective",
@@ -1128,13 +1149,12 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
-        "baseline-browser-mapping": "^2.9.0",
-        "caniuse-lite": "^1.0.30001759",
-        "electron-to-chromium": "^1.5.263",
-        "node-releases": "^2.0.27",
-        "update-browserslist-db": "^1.2.0"
+        "baseline-browser-mapping": "^2.10.12",
+        "caniuse-lite": "^1.0.30001782",
+        "electron-to-chromium": "^1.5.328",
+        "node-releases": "^2.0.36",
+        "update-browserslist-db": "^1.2.3"
       },
       "bin": {
         "browserslist": "cli.js"
@@ -1244,9 +1264,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001766",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001766.tgz",
-      "integrity": "sha512-4C0lfJ0/YPjJQHagaE9x2Elb69CIqEPZeG0anQt9SIvIoOH4a4uaRl73IavyO+0qZh6MDLH//DrXThEYKHkmYA==",
+      "version": "1.0.30001784",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001784.tgz",
+      "integrity": "sha512-WU346nBTklUV9YfUl60fqRbU5ZqyXlqvo1SgigE1OAXK5bFL8LL9q1K7aap3N739l4BvNqnkm3YrGHiY9sfUQw==",
       "funding": [
         {
           "type": "opencollective",
@@ -1946,14 +1966,14 @@
       "license": "MIT"
     },
     "node_modules/editorconfig": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/editorconfig/-/editorconfig-1.0.4.tgz",
-      "integrity": "sha512-L9Qe08KWTlqYMVvMcTIvMAdl1cDUubzRNYL+WfA4bLDMHe4nemKkpmYzkznE1FwLKu0EEmy6obgQKzMJrg4x9Q==",
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/editorconfig/-/editorconfig-1.0.7.tgz",
+      "integrity": "sha512-e0GOtq/aTQhVdNyDU9e02+wz9oDDM+SIOQxWME2QRjzRX5yyLAuHDE+0aE8vHb9XRC8XD37eO2u57+F09JqFhw==",
       "license": "MIT",
       "dependencies": {
         "@one-ini/wasm": "0.1.1",
         "commander": "^10.0.0",
-        "minimatch": "9.0.1",
+        "minimatch": "^9.0.1",
         "semver": "^7.5.3"
       },
       "bin": {
@@ -1964,21 +1984,21 @@
       }
     },
     "node_modules/editorconfig/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
+      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
       }
     },
     "node_modules/editorconfig/node_modules/minimatch": {
-      "version": "9.0.1",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.1.tgz",
-      "integrity": "sha512-0jWhJpD/MdhPXwPuiRkCbfYfSKp2qnn2eOc279qI7f+osl/l+prKSrvhg157zSYvx/1nmgn2NqdT6k2Z7zSH9w==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^2.0.1"
+        "brace-expansion": "^2.0.2"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -1988,9 +2008,9 @@
       }
     },
     "node_modules/editorconfig/node_modules/semver": {
-      "version": "7.7.3",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.3.tgz",
-      "integrity": "sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==",
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
+      "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
       "license": "ISC",
       "bin": {
         "semver": "bin/semver.js"
@@ -2000,9 +2020,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.278",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.278.tgz",
-      "integrity": "sha512-dQ0tM1svDRQOwxnXxm+twlGTjr9Upvt8UFWAgmLsxEzFQxhbti4VwxmMjsDxVC51Zo84swW7FVCXEV+VAkhuPw==",
+      "version": "1.5.330",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.330.tgz",
+      "integrity": "sha512-jFNydB5kFtYUobh4IkWUnXeyDbjf/r9gcUEXe1xcrcUxIGfTdzPXA+ld6zBRbwvgIGVzDll/LTIiDztEtckSnA==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -2341,7 +2361,8 @@
           "url": "https://opencollective.com/fastify"
         }
       ],
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/fast-levenshtein": {
       "version": "1.1.4",
@@ -2781,9 +2802,9 @@
       }
     },
     "node_modules/get-stream/node_modules/pump": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.3.tgz",
-      "integrity": "sha512-todwxLMY7/heScKmntwQG8CXVkWUOdYxIvY2s0VWAAMh/nd8SoYiRaKjlr7+iCs984f2P8zvrfWcDDYVb73NfA==",
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.4.tgz",
+      "integrity": "sha512-VS7sjc6KR7e1ukRFhQSY5LM2uBWAUPiOPa/A3mkKmiMwSmRFUITt0xuj+/lesgnCv+dPIEYlkzrcyXgquIHMcA==",
       "license": "MIT",
       "dependencies": {
         "end-of-stream": "^1.1.0",
@@ -2803,7 +2824,7 @@
       "version": "7.2.3",
       "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
       "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
-      "deprecated": "Glob versions prior to v9 are no longer supported",
+      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
       "license": "ISC",
       "dependencies": {
         "fs.realpath": "^1.0.0",
@@ -2977,7 +2998,6 @@
       "resolved": "https://registry.npmjs.org/gulp/-/gulp-4.0.2.tgz",
       "integrity": "sha512-dvEs27SCZt2ibF29xYgmnwwCYZxdxhQ/+LFWlbAW8y7jt68L/65402Lz3+CKy0Ov4rOs+NERmDq7YlZaDqUIfA==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "glob-watcher": "^5.0.3",
         "gulp-cli": "^2.2.0",
@@ -3630,15 +3650,15 @@
       }
     },
     "node_modules/gulp-header": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/gulp-header/-/gulp-header-2.0.9.tgz",
-      "integrity": "sha512-LMGiBx+qH8giwrOuuZXSGvswcIUh0OiioNkUpLhNyvaC6/Ga8X6cfAeme2L5PqsbXMhL8o8b/OmVqIQdxprhcQ==",
+      "version": "2.0.12",
+      "resolved": "https://registry.npmjs.org/gulp-header/-/gulp-header-2.0.12.tgz",
+      "integrity": "sha512-7PFW56tRISOroZ3N5R+f1Bn4wvdtE5LZXfZqz4ubEAXLEsLS7kSifgsk/lF26hSqnYO786GniQCxCuLxQZ0SoA==",
       "license": "MIT",
       "dependencies": {
         "concat-with-sourcemaps": "^1.1.0",
-        "lodash.template": "^4.5.0",
-        "map-stream": "0.0.7",
-        "through2": "^2.0.0"
+        "lodash": "^4.17.21",
+        "map-stream": "^0.0.7",
+        "through2": "^4.0.2"
       }
     },
     "node_modules/gulp-header/node_modules/map-stream": {
@@ -3647,14 +3667,27 @@
       "integrity": "sha512-C0X0KQmGm3N2ftbTGBhSyuydQ+vV1LC3f3zPvT3RXHXNZrvfPZcoXp/N5DOa8vedX/rTMm2CjTtivFg2STJMRQ==",
       "license": "MIT"
     },
-    "node_modules/gulp-header/node_modules/through2": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz",
-      "integrity": "sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==",
+    "node_modules/gulp-header/node_modules/readable-stream": {
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
+      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
       "license": "MIT",
       "dependencies": {
-        "readable-stream": "~2.3.6",
-        "xtend": "~4.0.1"
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/gulp-header/node_modules/through2": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/through2/-/through2-4.0.2.tgz",
+      "integrity": "sha512-iOqSav00cVxEEICeD7TjLB1sueEL+81Wpzp2bY17uZjZN0pWZPuo4suZ/61VujxmqSGFfgOcNuTZ85QJwNZQpw==",
+      "license": "MIT",
+      "dependencies": {
+        "readable-stream": "3"
       }
     },
     "node_modules/gulp-if": {
@@ -5014,9 +5047,9 @@
       }
     },
     "node_modules/js-beautify/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
+      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
@@ -5026,6 +5059,7 @@
       "version": "10.5.0",
       "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
       "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==",
+      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
       "license": "ISC",
       "dependencies": {
         "foreground-child": "^3.1.0",
@@ -5043,12 +5077,12 @@
       }
     },
     "node_modules/js-beautify/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "version": "9.0.9",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz",
+      "integrity": "sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==",
       "license": "ISC",
       "dependencies": {
-        "brace-expansion": "^2.0.1"
+        "brace-expansion": "^2.0.2"
       },
       "engines": {
         "node": ">=16 || 14 >=14.17"
@@ -5072,6 +5106,13 @@
       "integrity": "sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==",
       "license": "MIT"
     },
+    "node_modules/json-with-bigint": {
+      "version": "3.5.8",
+      "resolved": "https://registry.npmjs.org/json-with-bigint/-/json-with-bigint-3.5.8.tgz",
+      "integrity": "sha512-eq/4KP6K34kwa7TcFdtvnftvHCD9KvHOGGICWwMFc4dOOKF5t4iYqnfLK8otCRCRv06FXOzGGyqE8h8ElMvvdw==",
+      "license": "MIT",
+      "peer": true
+    },
     "node_modules/just-debounce": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/just-debounce/-/just-debounce-1.1.0.tgz",
@@ -5448,10 +5489,10 @@
       "license": "MIT"
     },
     "node_modules/lodash.template": {
-      "version": "4.5.0",
-      "resolved": "https://registry.npmjs.org/lodash.template/-/lodash.template-4.5.0.tgz",
-      "integrity": "sha512-84vYFxIkmidUiFxidA/KjjH9pAycqW+h980j7Fuz5qxRtO9pgB7MDFTdys1N7A5mcucRiDyEq4fusljItR1T/A==",
-      "deprecated": "This package is deprecated. Use https://socket.dev/npm/package/eta instead.",
+      "version": "4.18.0",
+      "resolved": "https://registry.npmjs.org/lodash.template/-/lodash.template-4.18.0.tgz",
+      "integrity": "sha512-VbCU2mYTHF/JUjasKG50ozrbli//eixCFmKBiAfvmz0cGt7iywc087M7zxflSoEQFS0Xtv0RqpE8ko8BXv3TOQ==",
+      "deprecated": "Bad release. Please use lodash.template@4.5.0 instead.",
       "license": "MIT",
       "dependencies": {
         "lodash._reinterpolate": "^3.0.0",
@@ -5736,9 +5777,9 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "license": "ISC",
       "dependencies": {
         "brace-expansion": "^1.1.7"
@@ -5757,10 +5798,10 @@
       }
     },
     "node_modules/minipass": {
-      "version": "7.1.2",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-      "license": "ISC",
+      "version": "7.1.3",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.3.tgz",
+      "integrity": "sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==",
+      "license": "BlueOak-1.0.0",
       "engines": {
         "node": ">=16 || 14 >=14.17"
       }
@@ -5845,9 +5886,9 @@
       "license": "ISC"
     },
     "node_modules/nan": {
-      "version": "2.25.0",
-      "resolved": "https://registry.npmjs.org/nan/-/nan-2.25.0.tgz",
-      "integrity": "sha512-0M90Ag7Xn5KMLLZ7zliPWP3rT90P6PN+IzVFS0VqmnPktBk3700xUVv8Ikm9EUaUE5SDWdp/BIxdENzVznpm1g==",
+      "version": "2.26.2",
+      "resolved": "https://registry.npmjs.org/nan/-/nan-2.26.2.tgz",
+      "integrity": "sha512-0tTvBTYkt3tdGw22nrAy50x7gpbGCCFH3AFcyS5WiUu7Eu4vWlri1woE6qHBSfy11vksDqkiwjOnlR7WV8G1Hw==",
       "license": "MIT",
       "optional": true
     },
@@ -5972,9 +6013,9 @@
       }
     },
     "node_modules/node-releases": {
-      "version": "2.0.27",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz",
-      "integrity": "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==",
+      "version": "2.0.36",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.36.tgz",
+      "integrity": "sha512-TdC8FSgHz8Mwtw9g5L4gR/Sh9XhSP/0DEkQxfEFXOpiul5IiHgHan2VhYYb6agDSfp4KuvltmGApc8HMgUrIkA==",
       "license": "MIT"
     },
     "node_modules/node.extend": {
@@ -7029,7 +7070,7 @@
       "version": "5.0.15",
       "resolved": "https://registry.npmjs.org/glob/-/glob-5.0.15.tgz",
       "integrity": "sha512-c9IPMazfRITpmAAKi22dK1VKxGDX9ehhqfABDriL/lzO92xcUKEJPQHrVA/2YHSNFB4iFlykVmWvwo48nr3OxA==",
-      "deprecated": "Glob versions prior to v9 are no longer supported",
+      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
       "license": "ISC",
       "dependencies": {
         "inflight": "^1.0.4",
@@ -7504,9 +7545,9 @@
       }
     },
     "node_modules/spdx-license-ids": {
-      "version": "3.0.22",
-      "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.22.tgz",
-      "integrity": "sha512-4PRT4nh1EImPbt2jASOKHX7PB7I+e4IWNLvkKFDxNhJlfjbYlleYQh285Z/3mPTHSAK/AvdMmw5BNNuYH8ShgQ==",
+      "version": "3.0.23",
+      "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.23.tgz",
+      "integrity": "sha512-CWLcCCH7VLu13TgOH+r8p1O/Znwhqv/dbb6lqWy67G+pT1kHmeD/+V36AVb/vq8QMIQwVShJ6Ssl5FPh0fuSdw==",
       "license": "CC0-1.0"
     },
     "node_modules/split-string": {
@@ -8221,9 +8262,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "7.16.0",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz",
-      "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==",
+      "version": "7.18.2",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
+      "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==",
       "license": "MIT"
     },
     "node_modules/union-value": {

From c01b13d119a49ba8c3ea10442e63ab2be6a36741 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 2 Apr 2026 03:45:37 +0200
Subject: [PATCH 048/287] Update dependency @codemirror/view to v6.41.0
 (forgejo) (#11939)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11939
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 6e4d59fdce..a1b819adc7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -30,7 +30,7 @@
         "@codemirror/language": "6.12.3",
         "@codemirror/search": "6.6.0",
         "@codemirror/state": "6.6.0",
-        "@codemirror/view": "6.40.0",
+        "@codemirror/view": "6.41.0",
         "@github/markdown-toolbar-element": "2.2.3",
         "@github/quote-selection": "2.1.0",
         "@github/text-expander-element": "2.9.4",
@@ -776,9 +776,9 @@
       }
     },
     "node_modules/@codemirror/view": {
-      "version": "6.40.0",
-      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.40.0.tgz",
-      "integrity": "sha512-WA0zdU7xfF10+5I3HhUUq3kqOx3KjqmtQ9lqZjfK7jtYk4G72YW9rezcSywpaUMCWOMlq+6E0pO1IWg1TNIhtg==",
+      "version": "6.41.0",
+      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.41.0.tgz",
+      "integrity": "sha512-6H/qadXsVuDY219Yljhohglve8xf4B8xJkVOEWfA5uiYKiTFppjqsvsfR5iPA0RbvRBoOyTZpbLIxe9+0UR8xA==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/state": "^6.6.0",
diff --git a/package.json b/package.json
index f2ac77f224..b95738195e 100644
--- a/package.json
+++ b/package.json
@@ -29,7 +29,7 @@
     "@codemirror/language": "6.12.3",
     "@codemirror/search": "6.6.0",
     "@codemirror/state": "6.6.0",
-    "@codemirror/view": "6.40.0",
+    "@codemirror/view": "6.41.0",
     "@github/markdown-toolbar-element": "2.2.3",
     "@github/quote-selection": "2.1.0",
     "@github/text-expander-element": "2.9.4",

From 6e8939952c157393daecffd354d11971a1ae5746 Mon Sep 17 00:00:00 2001
From: Eloy <degeneloy@gmail.com>
Date: Thu, 2 Apr 2026 03:46:55 +0200
Subject: [PATCH 049/287] enh: add suggestion to document reason for repository
 archival (#11375)

Fixes #11370

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11375
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Co-authored-by: Eloy <degeneloy@gmail.com>
Co-committed-by: Eloy <degeneloy@gmail.com>
---
 options/locale/locale_en-US.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 6ec0ba978c..2df0b3a728 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2569,7 +2569,7 @@ settings.matrix.access_token_helper = It is recommended to setup a dedicated Mat
 settings.matrix.room_id_helper = The Room ID can be retrieved from the Element web client > Room Settings > Advanced > Internal room ID. Example: %s.
 settings.archive.button = Archive repo
 settings.archive.header = Archive this repo
-settings.archive.text = Archiving the repo will make it entirely read-only. It will be hidden from the dashboard. Nobody (not even you!) will be able to make new commits, or open any issues or pull requests.
+settings.archive.text = Archiving the repo will make it entirely read-only. It will be hidden from the dashboard. Nobody (not even you!) will be able to make new commits, or open any issues or pull requests. Documenting the archival reason is recommended to guide future developers who plan to fork the repository.
 settings.archive.success = The repo was successfully archived.
 settings.archive.error = An error occurred while trying to archive the repo. See the log for more details.
 settings.archive.error_ismirror = You cannot archive a mirrored repo.

From 4121d5ec8514bb93a92b7c5cee7b93145d3d53af Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 2 Apr 2026 20:52:09 +0200
Subject: [PATCH 050/287] Update linters (forgejo) (#11938)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 146 +++++++++++++++++++++++-----------------------
 package.json      |   2 +-
 2 files changed, 74 insertions(+), 74 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a1b819adc7..96688e44ef 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -119,7 +119,7 @@
         "stylelint-value-no-unknown-custom-properties": "6.1.1",
         "svgo": "4.0.1",
         "typescript": "5.9.3",
-        "typescript-eslint": "8.57.2",
+        "typescript-eslint": "8.58.0",
         "vite-string-plugin": "2.0.2",
         "vitest": "4.1.2"
       },
@@ -4363,20 +4363,20 @@
       }
     },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.57.2.tgz",
-      "integrity": "sha512-NZZgp0Fm2IkD+La5PR81sd+g+8oS6JwJje+aRWsDocxHkjyRw0J5L5ZTlN3LI1LlOcGL7ph3eaIUmTXMIjLk0w==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.58.0.tgz",
+      "integrity": "sha512-RLkVSiNuUP1C2ROIWfqX+YcUfLaSnxGE/8M+Y57lopVwg9VTYYfhuz15Yf1IzCKgZj6/rIbYTmJCUSqr76r0Wg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.57.2",
-        "@typescript-eslint/type-utils": "8.57.2",
-        "@typescript-eslint/utils": "8.57.2",
-        "@typescript-eslint/visitor-keys": "8.57.2",
+        "@typescript-eslint/scope-manager": "8.58.0",
+        "@typescript-eslint/type-utils": "8.58.0",
+        "@typescript-eslint/utils": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0",
         "ignore": "^7.0.5",
         "natural-compare": "^1.4.0",
-        "ts-api-utils": "^2.4.0"
+        "ts-api-utils": "^2.5.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -4386,22 +4386,22 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.57.2",
+        "@typescript-eslint/parser": "^8.58.0",
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.57.2.tgz",
-      "integrity": "sha512-30ScMRHIAD33JJQkgfGW1t8CURZtjc2JpTrq5n2HFhOefbAhb7ucc7xJwdWcrEtqUIYJ73Nybpsggii6GtAHjA==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.58.0.tgz",
+      "integrity": "sha512-rLoGZIf9afaRBYsPUMtvkDWykwXwUPL60HebR4JgTI8mxfFe2cQTu3AGitANp4b9B2QlVru6WzjgB2IzJKiCSA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.57.2",
-        "@typescript-eslint/types": "8.57.2",
-        "@typescript-eslint/typescript-estree": "8.57.2",
-        "@typescript-eslint/visitor-keys": "8.57.2",
+        "@typescript-eslint/scope-manager": "8.58.0",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -4413,18 +4413,18 @@
       },
       "peerDependencies": {
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.57.2.tgz",
-      "integrity": "sha512-FuH0wipFywXRTHf+bTTjNyuNQQsQC3qh/dYzaM4I4W0jrCqjCVuUh99+xd9KamUfmCGPvbO8NDngo/vsnNVqgw==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.58.0.tgz",
+      "integrity": "sha512-8Q/wBPWLQP1j16NxoPNIKpDZFMaxl7yWIoqXWYeWO+Bbd2mjgvoF0dxP2jKZg5+x49rgKdf7Ck473M8PC3V9lg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.57.2",
-        "@typescript-eslint/types": "^8.57.2",
+        "@typescript-eslint/tsconfig-utils": "^8.58.0",
+        "@typescript-eslint/types": "^8.58.0",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -4435,18 +4435,18 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.57.2.tgz",
-      "integrity": "sha512-snZKH+W4WbWkrBqj4gUNRIGb/jipDW3qMqVJ4C9rzdFc+wLwruxk+2a5D+uoFcKPAqyqEnSb4l2ULuZf95eSkw==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.58.0.tgz",
+      "integrity": "sha512-W1Lur1oF50FxSnNdGp3Vs6P+yBRSmZiw4IIjEeYxd8UQJwhUF0gDgDD/W/Tgmh73mxgEU3qX0Bzdl/NGuSPEpQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.57.2",
-        "@typescript-eslint/visitor-keys": "8.57.2"
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -4457,9 +4457,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.57.2.tgz",
-      "integrity": "sha512-3Lm5DSM+DCowsUOJC+YqHHnKEfFh5CoGkj5Z31NQSNF4l5wdOwqGn99wmwN/LImhfY3KJnmordBq/4+VDe2eKw==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.58.0.tgz",
+      "integrity": "sha512-doNSZEVJsWEu4htiVC+PR6NpM+pa+a4ClH9INRWOWCUzMst/VA9c4gXq92F8GUD1rwhNvRLkgjfYtFXegXQF7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -4470,21 +4470,21 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.57.2.tgz",
-      "integrity": "sha512-Co6ZCShm6kIbAM/s+oYVpKFfW7LBc6FXoPXjTRQ449PPNBY8U0KZXuevz5IFuuUj2H9ss40atTaf9dlGLzbWZg==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.58.0.tgz",
+      "integrity": "sha512-aGsCQImkDIqMyx1u4PrVlbi/krmDsQUs4zAcCV6M7yPcPev+RqVlndsJy9kJ8TLihW9TZ0kbDAzctpLn5o+lOg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.57.2",
-        "@typescript-eslint/typescript-estree": "8.57.2",
-        "@typescript-eslint/utils": "8.57.2",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0",
+        "@typescript-eslint/utils": "8.58.0",
         "debug": "^4.4.3",
-        "ts-api-utils": "^2.4.0"
+        "ts-api-utils": "^2.5.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -4495,13 +4495,13 @@
       },
       "peerDependencies": {
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/types": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.57.2.tgz",
-      "integrity": "sha512-/iZM6FnM4tnx9csuTxspMW4BOSegshwX5oBDznJ7S4WggL7Vczz5d2W11ecc4vRrQMQHXRSxzrCsyG5EsPPTbA==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.58.0.tgz",
+      "integrity": "sha512-O9CjxypDT89fbHxRfETNoAnHj/i6IpRK0CvbVN3qibxlLdo5p5hcLmUuCCrHMpxiWSwKyI8mCP7qRNYuOJ0Uww==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -4513,21 +4513,21 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.57.2.tgz",
-      "integrity": "sha512-2MKM+I6g8tJxfSmFKOnHv2t8Sk3T6rF20A1Puk0svLK+uVapDZB/4pfAeB7nE83uAZrU6OxW+HmOd5wHVdXwXA==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.58.0.tgz",
+      "integrity": "sha512-7vv5UWbHqew/dvs+D3e1RvLv1v2eeZ9txRHPnEEBUgSNLx5ghdzjHa0sgLWYVKssH+lYmV0JaWdoubo0ncGYLA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.57.2",
-        "@typescript-eslint/tsconfig-utils": "8.57.2",
-        "@typescript-eslint/types": "8.57.2",
-        "@typescript-eslint/visitor-keys": "8.57.2",
+        "@typescript-eslint/project-service": "8.58.0",
+        "@typescript-eslint/tsconfig-utils": "8.58.0",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/visitor-keys": "8.58.0",
         "debug": "^4.4.3",
         "minimatch": "^10.2.2",
         "semver": "^7.7.3",
         "tinyglobby": "^0.2.15",
-        "ts-api-utils": "^2.4.0"
+        "ts-api-utils": "^2.5.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -4537,20 +4537,20 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/utils": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.57.2.tgz",
-      "integrity": "sha512-krRIbvPK1ju1WBKIefiX+bngPs+odIQUtR7kymzPfo1POVw3jlF+nLkmexdSSd4UCbDcQn+wMBATOOmpBbqgKg==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.58.0.tgz",
+      "integrity": "sha512-RfeSqcFeHMHlAWzt4TBjWOAtoW9lnsAGiP3GbaX9uVgTYYrMbVnGONEfUCiSss+xMHFl+eHZiipmA8WkQ7FuNA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.57.2",
-        "@typescript-eslint/types": "8.57.2",
-        "@typescript-eslint/typescript-estree": "8.57.2"
+        "@typescript-eslint/scope-manager": "8.58.0",
+        "@typescript-eslint/types": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -4561,17 +4561,17 @@
       },
       "peerDependencies": {
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.57.2.tgz",
-      "integrity": "sha512-zhahknjobV2FiD6Ee9iLbS7OV9zi10rG26odsQdfBO/hjSzUQbkIYgda+iNKK1zNiW2ey+Lf8MU5btN17V3dUw==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.58.0.tgz",
+      "integrity": "sha512-XJ9UD9+bbDo4a4epraTwG3TsNPeiB9aShrUneAVXy8q4LuwowN+qu89/6ByLMINqvIMeI9H9hOHQtg/ijrYXzQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.57.2",
+        "@typescript-eslint/types": "8.58.0",
         "eslint-visitor-keys": "^5.0.0"
       },
       "engines": {
@@ -15555,16 +15555,16 @@
       }
     },
     "node_modules/typescript-eslint": {
-      "version": "8.57.2",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.57.2.tgz",
-      "integrity": "sha512-VEPQ0iPgWO/sBaZOU1xo4nuNdODVOajPnTIbog2GKYr31nIlZ0fWPoCQgGfF3ETyBl1vn63F/p50Um9Z4J8O8A==",
+      "version": "8.58.0",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.58.0.tgz",
+      "integrity": "sha512-e2TQzKfaI85fO+F3QywtX+tCTsu/D3WW5LVU6nz8hTFKFZ8yBJ6mSYRpXqdR3mFjPWmO0eWsTa5f+UpAOe/FMA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.57.2",
-        "@typescript-eslint/parser": "8.57.2",
-        "@typescript-eslint/typescript-estree": "8.57.2",
-        "@typescript-eslint/utils": "8.57.2"
+        "@typescript-eslint/eslint-plugin": "8.58.0",
+        "@typescript-eslint/parser": "8.58.0",
+        "@typescript-eslint/typescript-estree": "8.58.0",
+        "@typescript-eslint/utils": "8.58.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -15575,7 +15575,7 @@
       },
       "peerDependencies": {
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
-        "typescript": ">=4.8.4 <6.0.0"
+        "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/typo-js": {
diff --git a/package.json b/package.json
index b95738195e..cb734aab0c 100644
--- a/package.json
+++ b/package.json
@@ -118,7 +118,7 @@
     "stylelint-value-no-unknown-custom-properties": "6.1.1",
     "svgo": "4.0.1",
     "typescript": "5.9.3",
-    "typescript-eslint": "8.57.2",
+    "typescript-eslint": "8.58.0",
     "vite-string-plugin": "2.0.2",
     "vitest": "4.1.2"
   },

From 2fc3144de4cc157b4f6bd4c7f79724d51effd277 Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Thu, 2 Apr 2026 23:57:13 +0200
Subject: [PATCH 051/287] chore: update github.com/go-ap/activitypub to 902f6cf
 (#11301)

Picks the update commit from https://codeberg.org/forgejo/forgejo/pulls/11200 and fixes the new incompatibilities.

I ran full end-to-end tests against Forgejo and basic end-to-end tests against GoToSocial which appear to be working.

Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11301
Reviewed-by: elle <0xllx0@noreply.codeberg.org>
Co-authored-by: famfo <famfo@famfo.xyz>
Co-committed-by: famfo <famfo@famfo.xyz>
---
 go.mod                                             |  4 ++--
 go.sum                                             | 10 ++++------
 modules/forgefed/activity_follow.go                |  4 ++--
 modules/forgefed/activity_follow_test.go           |  2 +-
 modules/forgefed/activity_like.go                  |  4 ++--
 modules/forgefed/activity_like_test.go             |  6 +++---
 modules/forgefed/activity_undo_like.go             |  8 ++++----
 modules/forgefed/activity_undo_like_test.go        |  4 ++--
 modules/forgefed/activity_user_activity.go         |  4 ++--
 modules/forgefed/activity_user_activity_test.go    |  9 +++------
 modules/forgefed/actor_person.go                   |  4 ++--
 modules/forgefed/actor_person_test.go              |  8 ++++----
 modules/forgefed/object_user_activity_note.go      |  9 +++------
 modules/forgefed/object_user_activity_note_test.go |  7 ++-----
 modules/validation/validatable.go                  |  2 ++
 routers/api/v1/activitypub/actor.go                |  2 +-
 routers/api/v1/activitypub/repository.go           |  2 +-
 services/convert/activitypub_person.go             |  6 +++---
 tests/integration/repo_star_federation_test.go     |  4 +++-
 19 files changed, 46 insertions(+), 53 deletions(-)

diff --git a/go.mod b/go.mod
index 7a09fe7bba..24de250644 100644
--- a/go.mod
+++ b/go.mod
@@ -43,7 +43,7 @@ require (
 	github.com/felixge/fgprof v0.9.5
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
-	github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9
+	github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc
 	github.com/go-ap/jsonld v0.0.0-20251216162253-e38fa664ea77
 	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-chi/cors v1.2.2
@@ -168,7 +168,7 @@ require (
 	github.com/emersion/go-sasl v0.0.0-20231106173351-e73c9f7bad43 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 // indirect
+	github.com/go-ap/errors v0.0.0-20260208110149-e1b309365966 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
diff --git a/go.sum b/go.sum
index fb74d8b500..11678e62ab 100644
--- a/go.sum
+++ b/go.sum
@@ -253,11 +253,10 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9 h1:j2TrkUG/NATGi/EQS+MvEoF79CxiRUmT16ErFroNcKI=
-github.com/go-ap/activitypub v0.0.0-20231114162308-e219254dc5c9/go.mod h1:cJ9Ye0ZNSMN7RzZDBRY3E+8M3Bpf/R1JX22Ir9yX6WI=
-github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7 h1:I2nuhyVI/48VXoRCCZR2hYBgnSXa+EuDJf/VyX06TC0=
-github.com/go-ap/errors v0.0.0-20231003111023-183eef4b31b7/go.mod h1:5x8a6P/dhmMGFxWLcyYlyOuJ2lRNaHGhRv+yu8BaTSI=
-github.com/go-ap/jsonld v0.0.0-20221030091449-f2a191312c73/go.mod h1:jyveZeGw5LaADntW+UEsMjl3IlIwk+DxlYNsbofQkGA=
+github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc h1:yLe7YJhK+XNjNV4SqDxAjpWAgft+KU+XwKZS4AKEUV0=
+github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc/go.mod h1:jUs8eczo1EAT4ByRpZ4mQmNvjarw9eNf7Nm5udpMRhY=
+github.com/go-ap/errors v0.0.0-20260208110149-e1b309365966 h1:tV+3kZgqFMKVUf+JPKBV400ISM8440+6y/SQCS0WZwQ=
+github.com/go-ap/errors v0.0.0-20260208110149-e1b309365966/go.mod h1:zkp58Q5yXpCxZbh3d0GDvwqiYclfVuHEHjc9SZKAj6I=
 github.com/go-ap/jsonld v0.0.0-20251216162253-e38fa664ea77 h1:yHAmoR6avNy84PlLmjHt1z9flAp2Qs2ens5QDE/CNWk=
 github.com/go-ap/jsonld v0.0.0-20251216162253-e38fa664ea77/go.mod h1:4h93IBxgfnE/DEleMLgJ/XCeu/RtQ+MUh3ucANseeXA=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
@@ -664,7 +663,6 @@ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI=
 github.com/urfave/cli/v3 v3.8.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
-github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/valyala/fastjson v1.6.10 h1:/yjJg8jaVQdYR3arGxPE2X5z89xrlhS0eGXdv+ADTh4=
 github.com/valyala/fastjson v1.6.10/go.mod h1:e6FubmQouUNP73jtMLmcbxS6ydWIpOfhz34TSfO3JaE=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
diff --git a/modules/forgefed/activity_follow.go b/modules/forgefed/activity_follow.go
index 5cb45ca885..928321a00a 100644
--- a/modules/forgefed/activity_follow.go
+++ b/modules/forgefed/activity_follow.go
@@ -48,8 +48,8 @@ func (follow *ForgeFollow) UnmarshalJSON(data []byte) error {
 
 func (follow ForgeFollow) Validate() []string {
 	var result []string
-	result = append(result, validation.ValidateNotEmpty(string(follow.Type), "type")...)
-	result = append(result, validation.ValidateOneOf(string(follow.Type), []any{"Follow"}, "type")...)
+	result = append(result, validation.ValidateNotEmpty(follow.Type, "type")...)
+	result = append(result, validation.ValidateOneOf(follow.Type, []any{ap.FollowType}, "type")...)
 	result = append(result, validation.ValidateIDExists(follow.Actor, "actor")...)
 	result = append(result, validation.ValidateIDExists(follow.Object, "object")...)
 
diff --git a/modules/forgefed/activity_follow_test.go b/modules/forgefed/activity_follow_test.go
index 18fbef33aa..e0142a39f2 100644
--- a/modules/forgefed/activity_follow_test.go
+++ b/modules/forgefed/activity_follow_test.go
@@ -15,7 +15,7 @@ import (
 
 func Test_NewForgeFollowValidation(t *testing.T) {
 	sut := forgefed.ForgeFollow{}
-	sut.Type = "Follow"
+	sut.Type = ap.FollowType
 	sut.Actor = ap.IRI("example.org/alice")
 	sut.Object = ap.IRI("example.org/bob")
 
diff --git a/modules/forgefed/activity_like.go b/modules/forgefed/activity_like.go
index e52d0a9af6..7849aec568 100644
--- a/modules/forgefed/activity_like.go
+++ b/modules/forgefed/activity_like.go
@@ -44,8 +44,8 @@ func (like ForgeLike) IsNewer(compareTo time.Time) bool {
 
 func (like ForgeLike) Validate() []string {
 	var result []string
-	result = append(result, validation.ValidateNotEmpty(string(like.Type), "type")...)
-	result = append(result, validation.ValidateOneOf(string(like.Type), []any{"Like"}, "type")...)
+	result = append(result, validation.ValidateNotEmpty(like.Type, "type")...)
+	result = append(result, validation.ValidateOneOf(like.Type, []any{ap.LikeType}, "type")...)
 
 	if like.Actor == nil {
 		result = append(result, "Actor should not be nil.")
diff --git a/modules/forgefed/activity_like_test.go b/modules/forgefed/activity_like_test.go
index c0b565f4db..dc2d8efdc7 100644
--- a/modules/forgefed/activity_like_test.go
+++ b/modules/forgefed/activity_like_test.go
@@ -51,7 +51,7 @@ func Test_LikeMarshalJSON(t *testing.T) {
 			item: forgefed.ForgeLike{
 				Activity: ap.Activity{
 					Actor:  ap.IRI("https://repo.prod.meissa.de/api/v1/activitypub/user-id/1"),
-					Type:   "Like",
+					Type:   ap.LikeType,
 					Object: ap.IRI("https://codeberg.org/api/v1/activitypub/repository-id/1"),
 				},
 			},
@@ -80,7 +80,7 @@ func Test_LikeUnmarshalJSON(t *testing.T) {
 			item: []byte(`{"type":"Like","actor":"https://repo.prod.meissa.de/api/activitypub/user-id/1","object":"https://codeberg.org/api/activitypub/repository-id/1"}`),
 			want: &forgefed.ForgeLike{
 				Activity: ap.Activity{
-					Type:   "Like",
+					Type:   ap.LikeType,
 					Actor:  ap.IRI("https://repo.prod.meissa.de/api/activitypub/user-id/1"),
 					Object: ap.IRI("https://codeberg.org/api/activitypub/repository-id/1"),
 				},
@@ -124,7 +124,7 @@ func Test_ForgeLikeValidation(t *testing.T) {
 	validate := sut.Validate()
 	assert.Len(t, validate, 2)
 	assert.Equal(t,
-		"Field type contains the value , which is not in allowed subset [Like]",
+		"Field type contains the value <nil>, which is not in allowed subset [Like]",
 		validate[1])
 
 	sut.UnmarshalJSON([]byte(`{"type":"bad-type",
diff --git a/modules/forgefed/activity_undo_like.go b/modules/forgefed/activity_undo_like.go
index 8b7df582ad..eaf32ab09f 100644
--- a/modules/forgefed/activity_undo_like.go
+++ b/modules/forgefed/activity_undo_like.go
@@ -42,8 +42,8 @@ func (undo *ForgeUndoLike) UnmarshalJSON(data []byte) error {
 
 func (undo ForgeUndoLike) Validate() []string {
 	var result []string
-	result = append(result, validation.ValidateNotEmpty(string(undo.Type), "type")...)
-	result = append(result, validation.ValidateOneOf(string(undo.Type), []any{"Undo"}, "type")...)
+	result = append(result, validation.ValidateNotEmpty(undo.Type, "type")...)
+	result = append(result, validation.ValidateOneOf(undo.Type, []any{ap.UndoType}, "type")...)
 
 	if undo.Actor == nil {
 		result = append(result, "Actor should not be nil.")
@@ -61,8 +61,8 @@ func (undo ForgeUndoLike) Validate() []string {
 	} else if activity, ok := undo.Object.(*ap.Activity); !ok {
 		result = append(result, "object is not of type Activity")
 	} else {
-		result = append(result, validation.ValidateNotEmpty(string(activity.Type), "type")...)
-		result = append(result, validation.ValidateOneOf(string(activity.Type), []any{"Like"}, "type")...)
+		result = append(result, validation.ValidateNotEmpty(activity.Type, "type")...)
+		result = append(result, validation.ValidateOneOf(activity.Type, []any{ap.LikeType}, "type")...)
 
 		if activity.Actor == nil {
 			result = append(result, "Object.Actor should not be nil.")
diff --git a/modules/forgefed/activity_undo_like_test.go b/modules/forgefed/activity_undo_like_test.go
index 18db688c48..cbb309afc5 100644
--- a/modules/forgefed/activity_undo_like_test.go
+++ b/modules/forgefed/activity_undo_like_test.go
@@ -64,7 +64,7 @@ func Test_UndoLikeMarshalJSON(t *testing.T) {
 				Activity: ap.Activity{
 					StartTime: startTime,
 					Actor:     ap.IRI("https://repo.prod.meissa.de/api/v1/activitypub/user-id/1"),
-					Type:      "Undo",
+					Type:      ap.UndoType,
 					Object:    like,
 				},
 			},
@@ -117,7 +117,7 @@ func Test_UndoLikeUnmarshalJSON(t *testing.T) {
 				Activity: ap.Activity{
 					StartTime: startTime,
 					Actor:     ap.IRI("https://repo.prod.meissa.de/api/v1/activitypub/user-id/1"),
-					Type:      "Undo",
+					Type:      ap.UndoType,
 					Object:    like,
 				},
 			},
diff --git a/modules/forgefed/activity_user_activity.go b/modules/forgefed/activity_user_activity.go
index 82353245c9..69e7bc3ead 100644
--- a/modules/forgefed/activity_user_activity.go
+++ b/modules/forgefed/activity_user_activity.go
@@ -60,8 +60,8 @@ func NewForgeUserActivity(doer *user_model.User, actionID int64, content string)
 
 func (userActivity ForgeUserActivity) Validate() []string {
 	var result []string
-	result = append(result, validation.ValidateNotEmpty(string(userActivity.Type), "type")...)
-	result = append(result, validation.ValidateOneOf(string(userActivity.Type), []any{"Create"}, "type")...)
+	result = append(result, validation.ValidateNotEmpty(userActivity.Type, "type")...)
+	result = append(result, validation.ValidateOneOf(userActivity.Type, []any{ap.CreateType}, "type")...)
 	result = append(result, validation.ValidateIDExists(userActivity.Actor, "actor")...)
 
 	if len(userActivity.To) == 0 {
diff --git a/modules/forgefed/activity_user_activity_test.go b/modules/forgefed/activity_user_activity_test.go
index 49137c7ab4..106f0ac73c 100644
--- a/modules/forgefed/activity_user_activity_test.go
+++ b/modules/forgefed/activity_user_activity_test.go
@@ -15,17 +15,14 @@ import (
 
 func Test_ForgeUserActivityValidation(t *testing.T) {
 	note := forgefed.ForgeUserActivityNote{}
-	note.Type = "Note"
+	note.Type = ap.NoteType
 	note.Content = ap.NaturalLanguageValues{
-		{
-			Ref:   ap.NilLangRef,
-			Value: ap.Content("Any Content!"),
-		},
+		ap.NilLangRef: ap.Content("Any Content!"),
 	}
 	note.URL = ap.IRI("example.org/user-id/57")
 
 	sut := forgefed.ForgeUserActivity{}
-	sut.Type = "Create"
+	sut.Type = ap.CreateType
 	sut.Actor = ap.IRI("example.org/user-id/23")
 	sut.CC = ap.ItemCollection{
 		ap.IRI("example.org/registration/public#2nd"),
diff --git a/modules/forgefed/actor_person.go b/modules/forgefed/actor_person.go
index 72768f4815..cde2dea9ce 100644
--- a/modules/forgefed/actor_person.go
+++ b/modules/forgefed/actor_person.go
@@ -115,8 +115,8 @@ func (s *ForgePerson) UnmarshalJSON(data []byte) error {
 
 func (s ForgePerson) Validate() []string {
 	var result []string
-	result = append(result, validation.ValidateNotEmpty(string(s.Type), "Type")...)
-	result = append(result, validation.ValidateOneOf(string(s.Type), []any{string(ap.PersonType)}, "Type")...)
+	result = append(result, validation.ValidateNotEmpty(s.Type, "Type")...)
+	result = append(result, validation.ValidateOneOf(s.Type, []any{ap.PersonType}, "Type")...)
 	result = append(result, validation.ValidateNotEmpty(s.PreferredUsername.String(), "PreferredUsername")...)
 
 	return result
diff --git a/modules/forgefed/actor_person_test.go b/modules/forgefed/actor_person_test.go
index 82bd9fabc3..f673aabba1 100644
--- a/modules/forgefed/actor_person_test.go
+++ b/modules/forgefed/actor_person_test.go
@@ -194,9 +194,9 @@ func TestShouldThrowErrorOnInvalidInput(t *testing.T) {
 
 func Test_PersonMarshalJSON(t *testing.T) {
 	sut := forgefed.ForgePerson{}
-	sut.Type = "Person"
+	sut.Type = ap.PersonType
 	sut.PreferredUsername = ap.NaturalLanguageValuesNew()
-	sut.PreferredUsername.Set("en", ap.Content("MaxMuster"))
+	sut.PreferredUsername.Set(ap.English, ap.Content("MaxMuster"))
 	result, _ := sut.MarshalJSON()
 	assert.JSONEq(t, `{"type":"Person","preferredUsername":"MaxMuster"}`, string(result), "Expected string is not equal")
 }
@@ -204,9 +204,9 @@ func Test_PersonMarshalJSON(t *testing.T) {
 func Test_PersonUnmarshalJSON(t *testing.T) {
 	expected := &forgefed.ForgePerson{
 		Actor: ap.Actor{
-			Type: "Person",
+			Type: ap.PersonType,
 			PreferredUsername: ap.NaturalLanguageValues{
-				ap.LangRefValue{Ref: "en", Value: []byte("MaxMuster")},
+				ap.English: []byte("MaxMuster"),
 			},
 		},
 	}
diff --git a/modules/forgefed/object_user_activity_note.go b/modules/forgefed/object_user_activity_note.go
index 758c25aef8..b8e09ecf94 100644
--- a/modules/forgefed/object_user_activity_note.go
+++ b/modules/forgefed/object_user_activity_note.go
@@ -35,10 +35,7 @@ func newNote(doer *user_model.User, content, id string, published time.Time) (Fo
 	note.Type = ap.NoteType
 	note.AttributedTo = ap.IRI(doer.APActorID())
 	note.Content = ap.NaturalLanguageValues{
-		{
-			Ref:   ap.NilLangRef,
-			Value: ap.Content(content),
-		},
+		ap.NilLangRef: ap.Content(content),
 	}
 	note.ID = ap.IRI(id)
 	note.Published = published
@@ -59,8 +56,8 @@ func newNote(doer *user_model.User, content, id string, published time.Time) (Fo
 
 func (note ForgeUserActivityNote) Validate() []string {
 	var result []string
-	result = append(result, validation.ValidateNotEmpty(string(note.Type), "type")...)
-	result = append(result, validation.ValidateOneOf(string(note.Type), []any{"Note"}, "type")...)
+	result = append(result, validation.ValidateNotEmpty(note.Type, "type")...)
+	result = append(result, validation.ValidateOneOf(note.Type, []any{ap.NoteType}, "type")...)
 	result = append(result, validation.ValidateNotEmpty(note.Content.String(), "content")...)
 	result = append(result, validation.ValidateIDExists(note.URL, "url")...)
 
diff --git a/modules/forgefed/object_user_activity_note_test.go b/modules/forgefed/object_user_activity_note_test.go
index 4f790033bc..e559ce84f7 100644
--- a/modules/forgefed/object_user_activity_note_test.go
+++ b/modules/forgefed/object_user_activity_note_test.go
@@ -15,12 +15,9 @@ import (
 
 func Test_UserActivityNoteValidation(t *testing.T) {
 	sut := forgefed.ForgeUserActivityNote{}
-	sut.Type = "Note"
+	sut.Type = ap.NoteType
 	sut.Content = ap.NaturalLanguageValues{
-		{
-			Ref:   ap.NilLangRef,
-			Value: ap.Content("Any Content!"),
-		},
+		ap.NilLangRef: ap.Content("Any Content!"),
 	}
 	sut.URL = ap.IRI("example.org/user-id/57")
 
diff --git a/modules/validation/validatable.go b/modules/validation/validatable.go
index 1751e727f3..6c58a9148e 100644
--- a/modules/validation/validatable.go
+++ b/modules/validation/validatable.go
@@ -70,6 +70,8 @@ func ValidateNotEmpty(value any, name string) []string {
 		if v == 0 {
 			isValid = false
 		}
+	case ap.Typer:
+		isValid = len(value.(ap.Typer).AsTypes()) > 0
 	default:
 		isValid = false
 	}
diff --git a/routers/api/v1/activitypub/actor.go b/routers/api/v1/activitypub/actor.go
index f8b08e92c3..4bbeb7e7f2 100644
--- a/routers/api/v1/activitypub/actor.go
+++ b/routers/api/v1/activitypub/actor.go
@@ -32,7 +32,7 @@ func Actor(ctx *context.APIContext) {
 	actor := ap.ActorNew(ap.IRI(link), ap.ApplicationType)
 
 	actor.PreferredUsername = ap.NaturalLanguageValuesNew()
-	err := actor.PreferredUsername.Set("en", ap.Content("ghost"))
+	err := actor.PreferredUsername.Set(ap.NilLangRef, ap.Content("ghost"))
 	if err != nil {
 		ctx.ServerError("PreferredUsername.Set", err)
 		return
diff --git a/routers/api/v1/activitypub/repository.go b/routers/api/v1/activitypub/repository.go
index 178f4b246f..153719478f 100644
--- a/routers/api/v1/activitypub/repository.go
+++ b/routers/api/v1/activitypub/repository.go
@@ -45,7 +45,7 @@ func Repository(ctx *context.APIContext) {
 	repo.Outbox = ap.IRI(link + "/outbox")
 
 	repo.Name = ap.NaturalLanguageValuesNew()
-	err := repo.Name.Set("en", ap.Content(ctx.Repo.Repository.Name))
+	err := repo.Name.Set(ap.NilLangRef, ap.Content(ctx.Repo.Repository.Name))
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "Set Name", err)
 		return
diff --git a/services/convert/activitypub_person.go b/services/convert/activitypub_person.go
index 2c05f8c1c0..e4186cf30d 100644
--- a/services/convert/activitypub_person.go
+++ b/services/convert/activitypub_person.go
@@ -16,7 +16,7 @@ import (
 func ToActivityPubPersonFeedItem(item *activities.FederatedUserActivity) ap.Note {
 	return ap.Note{
 		AttributedTo: ap.IRI(item.ActorURI),
-		Content:      ap.NaturalLanguageValues{{Value: ap.Content(item.NoteContent), Ref: ap.NilLangRef}},
+		Content:      ap.NaturalLanguageValues{ap.NilLangRef: ap.Content(item.NoteContent)},
 		ID:           ap.IRI(item.NoteURL),
 		URL:          ap.IRI(item.OriginalNote),
 	}
@@ -27,13 +27,13 @@ func ToActivityPubPerson(ctx context.Context, user *user_model.User) (*ap.Person
 	person := ap.PersonNew(ap.IRI(link))
 
 	person.Name = ap.NaturalLanguageValuesNew()
-	err := person.Name.Set("en", ap.Content(user.FullName))
+	err := person.Name.Set(ap.NilLangRef, ap.Content(user.FullName))
 	if err != nil {
 		return nil, err
 	}
 
 	person.PreferredUsername = ap.NaturalLanguageValuesNew()
-	err = person.PreferredUsername.Set("en", ap.Content(user.Name))
+	err = person.PreferredUsername.Set(ap.NilLangRef, ap.Content(user.Name))
 	if err != nil {
 		return nil, err
 	}
diff --git a/tests/integration/repo_star_federation_test.go b/tests/integration/repo_star_federation_test.go
index d6f31ed246..3b5fc0d802 100644
--- a/tests/integration/repo_star_federation_test.go
+++ b/tests/integration/repo_star_federation_test.go
@@ -18,6 +18,8 @@ import (
 	"forgejo.org/modules/test"
 	"forgejo.org/modules/validation"
 	"forgejo.org/tests"
+
+	ap "github.com/go-ap/activitypub"
 )
 
 func TestActivityPubRepoFollowing(t *testing.T) {
@@ -69,7 +71,7 @@ func TestActivityPubRepoFollowing(t *testing.T) {
 		}
 		activityType := like.Type
 		object := like.Object.GetLink().String()
-		isLikeType := activityType == "Like"
+		isLikeType := activityType == ap.LikeType
 		isCorrectObject := strings.HasSuffix(object, "/api/v1/activitypub/repository-id/1")
 		if !isLikeType || !isCorrectObject {
 			t.Error("Activity is not a like for this repo")

From 728936ccd90cc87a9a59de02a2ed6f40f4f6a014 Mon Sep 17 00:00:00 2001
From: Codeberg Translate <translate@codeberg.org>
Date: Fri, 3 Apr 2026 10:28:39 +0000
Subject: [PATCH 052/287] i18n: update of translations from Codeberg Translate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: AndreiSerban <andreiserban@noreply.codeberg.org>
Co-authored-by: AshyPinguin <ashypinguin@noreply.codeberg.org>
Co-authored-by: Benedikt Straub <benedikt-straub@web.de>
Co-authored-by: Codeberg Translate <translate@codeberg.org>
Co-authored-by: Fjuro <fjuro@noreply.codeberg.org>
Co-authored-by: Languages add-on <noreply-addon-languages@weblate.org>
Co-authored-by: Lzebulon <lzebulon@noreply.codeberg.org>
Co-authored-by: SomeTr <sometr@noreply.codeberg.org>
Co-authored-by: Wuzzy <wuzzy@disroot.org>
Co-authored-by: Yago Raña Gayoso <yago.rana.gayoso@gmail.com>
Co-authored-by: bittin <bittin@noreply.codeberg.org>
Co-authored-by: dyniec <dyniec@noreply.codeberg.org>
Co-authored-by: hanklank <hanklank@noreply.codeberg.org>
Co-authored-by: justbispo <justbispo@noreply.codeberg.org>
Co-authored-by: krisfremen <krisfremen@noreply.codeberg.org>
Co-authored-by: mahlzahn <mahlzahn@posteo.de>
Co-authored-by: main_void <main_void@noreply.codeberg.org>
Co-authored-by: markinosags <markinosags@noreply.codeberg.org>
Co-authored-by: sindrenm <sindrenm@noreply.codeberg.org>
Co-authored-by: vitoravelino <vitoravelino@noreply.codeberg.org>
Co-authored-by: vmtj <vmtj@noreply.codeberg.org>
Co-authored-by: xtex <xtexchooser@duck.com>
Co-authored-by: yeager <yeager@noreply.codeberg.org>
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/cs/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/de/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/es/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/fr/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/nds/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/nl/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/pl/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/pt_BR/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/pt_PT/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/ru/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/sv/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/uk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/zh_Hans/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/ca/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/cs/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/de/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/es/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/mk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/nb_NO/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/nds/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/ro/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/ru/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/sv/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/uk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/zh_Hans/
Translation: Forgejo/forgejo
Translation: Forgejo/forgejo-next
---
 options/locale/locale_ca.ini          | 359 +++++++++++++++++++++++++-
 options/locale/locale_cs-CZ.ini       |   2 +-
 options/locale/locale_de-DE.ini       |   2 +-
 options/locale/locale_es-ES.ini       |  16 +-
 options/locale/locale_mk.ini          |  14 +
 options/locale/locale_nb_NO.ini       |  18 +-
 options/locale/locale_nds.ini         |   2 +-
 options/locale/locale_ro.ini          | 209 ++++++++++++++-
 options/locale/locale_ru-RU.ini       |   2 +-
 options/locale/locale_sv-SE.ini       | 240 ++++++++---------
 options/locale/locale_uk-UA.ini       |   6 +-
 options/locale/locale_zh-CN.ini       |  14 +-
 options/locale_next/locale_cs-CZ.json |  23 +-
 options/locale_next/locale_de-DE.json |  28 +-
 options/locale_next/locale_es-ES.json |   4 +-
 options/locale_next/locale_fr-FR.json |  26 +-
 options/locale_next/locale_mk.json    |   1 +
 options/locale_next/locale_nds.json   |   6 +-
 options/locale_next/locale_nl-NL.json |  11 +-
 options/locale_next/locale_pl-PL.json |  21 +-
 options/locale_next/locale_pt-BR.json |  17 +-
 options/locale_next/locale_pt-PT.json |   5 +-
 options/locale_next/locale_ru-RU.json |  29 ++-
 options/locale_next/locale_sv-SE.json |  14 +-
 options/locale_next/locale_uk-UA.json |   6 +-
 options/locale_next/locale_zh-CN.json |  25 +-
 26 files changed, 922 insertions(+), 178 deletions(-)
 create mode 100644 options/locale/locale_mk.ini
 create mode 100644 options/locale_next/locale_mk.json

diff --git a/options/locale/locale_ca.ini b/options/locale/locale_ca.ini
index e6f3cac5e2..3342aab4a5 100644
--- a/options/locale/locale_ca.ini
+++ b/options/locale/locale_ca.ini
@@ -246,25 +246,25 @@ admin_password = Contrasenya
 err_empty_admin_password = La contrasenya de l'administrador no por ser buida.
 ssh_port = Por del servidor SSH
 disable_gravatar = Deshabilitar Gravatar
-disable_registration = Deshabilitar l'auto-registre
+disable_registration = Deshabilita l'auto-registre
 openid_signin = Habilita l'inici de sessió amb OpenID
 enable_captcha = Habilita el CAPTCHA al registre
-default_keep_email_private = Amaga les direccions de correu per defecte
+default_keep_email_private = Amaga les adreces de correu, per defecte
 app_slogan = Eslogan de la instància
 app_slogan_helper = Escriu l'eslogan de la teva instància aquí. Deixa buit per deshabilitar.
-repo_path = Ruta de l'arrel del repositori
+repo_path = Camí arrel del repositori
 log_root_path_helper = Els arxius dels registres es s'escriuran en aquest directori.
 optional_title = Configuracions opcionals
 host = Amfitrió
 lfs_path = Ruta arreal de Git LFS
-run_user = Executar com a usuari
+run_user = Executa com a usuari
 domain_helper = Domini o adreça de l'hosta per al servidor.
 http_port = Port d'escolta HTTP
 app_url_helper = Adreces base per a clonació HTTP(S) i notificacions per correu.
 log_root_path = Ruta dels registres
 smtp_from_invalid = L'adreça d'"Enviar correu com a" és invalida
 smtp_from_helper = L'adreça de correu que Forgejo utilitzarà. Entri el correu en pla o en format "Nom" <correu@example.com>.
-register_confirm = Requereix confirmació de correu per a registrar-se
+register_confirm = Requereix una confirmació de correu per a registrar-se
 disable_gravatar.description = Deshabilitar l'ús de Gravatar o d'altres serveis d'avatars de tercers. S'utilitzaran imatges per defecte per als avatars dels uauris fins que pujin el seu propi a la instància.
 federated_avatar_lookup.description = Cerca d'avatars amb Libravatar.
 allow_only_external_registration = Permet el registre només amb serveis externs
@@ -272,8 +272,8 @@ allow_only_external_registration.description = Els usuaris nomes podràn crear n
 enable_captcha.description = Requereix als usuaris passar el CAPTCHA per a poder-se crear comptes.
 require_sign_in_view = Requereix inciar sessió per a veure el contingut de la instància
 default_keep_email_private.description = Habilita l'ocultament de les direccions de correu per a nous usuaris per defecte, amb tal que aquesta informació no sigui filtrada immediatament despres de registrar-se.
-default_allow_create_organization = Per defecte permet crear organitzacions
-default_enable_timetracking = Per defecta habilita el seguiment de temps
+default_allow_create_organization = Permet crear organitzacions, per defecte
+default_enable_timetracking = Habilita el seguiment de temps, per defecte
 default_enable_timetracking.description = Per defecte activa el de seguiment de temps als nous repositoris.
 admin_name = Nom d'usuari de l'administrador
 install_btn_confirm = Instaŀlar Forgejo
@@ -287,7 +287,7 @@ env_config_keys = configuració de l'entorn
 db_type = Tipus de base de dades
 lfs_path_helper = Els arxius seguits per Git LFS es desaran en aquest directory. Deixa buit per deshabilitar.
 http_port_helper = Numero de port que utilitzarà el servidor web de Forgejo.
-repo_path_helper = Els repositoris Git remotes es desaran en aquest diectori.
+repo_path_helper = Els repositoris Git remots es desaran en aquest directori.
 run_user_helper = El nom d'usuari del sistema operatiu sota el que Forgejo s'executa. Notis que aquest usuari ha de tenir accés a la ruta arrel del repositori.
 ssh_port_helper = Numero del port que utilitzarà el servidor SSH. Deixa buit per deshablitar el servidor SSH.
 require_sign_in_view.description = Limita l'accès al contingut per als usuaris connectats. Els visitatnts només podran veure les pàgines d'autenticació.
@@ -948,7 +948,7 @@ settings.basic_settings = Configuració bàsica
 settings.event_issues = Modificació
 settings.web_hook_name_msteams = Microsoft Teams
 settings.tracker_issue_style.numeric = Numèric
-settings.allow_only_contributors_to_track_time = Permet només als contribuidors fer un seguiment del temps
+settings.allow_only_contributors_to_track_time = Fes que només els contribuïdors puguin fer un seguiment de temps
 settings.admin_stats_indexer = Indexador d'estadístiques del codi
 settings.admin_code_indexer = Indexador del codi
 issue_labels = Etiquetes
@@ -2189,8 +2189,8 @@ settings.use_external_wiki = Usar una wiki externa
 settings.external_wiki_url = URL de la wiki externa
 settings.external_wiki_url_error = L'URL de la wiki externa no és vàlida.
 settings.external_wiki_url_desc = Els visitants es redirigiran a l'URL de la wiki externa quan facin clic a la pestanya wiki.
-settings.enable_timetracker = Activar el seguiment de temps
-settings.pulls_desc = Activar les «pull requests» del repositori
+settings.enable_timetracker = Habilita el seguiment de temps
+settings.pulls_desc = Activa les «pull requests» del repositori
 settings.pulls.enable_autodetect_manual_merge = Activar la detecció automàtica de les fusions manuals (Nota: En alguns casos, la detecció es pot equivocar)
 settings.projects_desc = Activar els projectes del repositori
 settings.actions_desc = Activar la «pipeline» CI/CD integrada amb Forgejo Actions
@@ -2609,6 +2609,8 @@ settings.web_hook_name_larksuite_only = Lark Suite
 settings.web_hook_name_wechatwork = WeCom (Wechat Work)
 settings.lfs_pointers.found = S'ha trobat %d punters de blob - %d associats, %d no associats (%d no són a l'emmagatzematge)
 settings.lfs_pointers.associateAccessible = Associar %d OIDs accessibles
+settings.matrix.access_token_helper = Es recomana muntar un compte de Matrix dedicat per això. El testimoni d'accés el podeu trobar al client web Element (en una pestanya privada/d'incògnit) > User menu (cantó superior esquerre) > All settings > Help & About > Advanced > Access Token (sota de l'URL del homeserver). Tanqueu la pestanya privada/d'incògnit (tancar la sessió invalidaria el testimoni).
+settings.matrix.room_id_helper = L'ID de sala el podeu trobar al client web Element > Room Settings > Advanced > Internal room ID. Per exemple: %s.
 
 [user]
 unblock = Desbloquejar
@@ -2852,6 +2854,341 @@ dashboard.operations = Operacions de manteniment
 dashboard.system_status = Estat del sistema
 dashboard.operation_name = Nom d'operació
 dashboard.clean_unbind_oauth = Neteja les connexions OAuth desenllaçades
+dashboard.operation_run = Executar
+dashboard.clean_unbind_oauth_success = S'han eliminat totes les connexions OAuth desenllaçades.
+dashboard.task.started = Tasca iniciada: %[1]s
+dashboard.task.process = Tasca: %[1]s
+dashboard.task.cancelled = Tasca: %[1]s cancel·lada: %[3]s
+dashboard.task.error = Error en la tasca: %[1]s: %[3]s
+dashboard.task.finished = Tasca: %[1] iniciada per %[2s] ha finalitzat
+dashboard.task.unknown = Tasca desconeguda: %[1]s
+dashboard.cron.started = Cron iniciat: %[1]s
+dashboard.cron.cancelled = Cron: %[1]s cancel·lat: %[3]s
+dashboard.cron.error = Error amb Cron: %s: %[3]s
+dashboard.sync_repo_branches = La sincronització ha ignorat branques de les dades Git a la base de dades
+dashboard.check_repo_stats = Comprovar totes les estadístiques del repositori
+dashboard.deleted_branches_cleanup = Netejar branques eliminades
+dashboard.update_migration_poster_id =Actualitza les ID de l'autor de migració
+dashboard.git_gc_repos = Recull la brossa de tots els repositoris
+dashboard.resync_all_sshkeys = Actualitzar el fitxer ".ssh/authorized_keys" amb les claus SSH de Forgejo.
+dashboard.resync_all_sshprincipals = Actualitzar el fitxer ".ssh/authorized_principals" amb els principals SSH de Forgejo.
+dashboard.resync_all_hooks = Resincronitzar els ganxos Git de tots els repositoris (pre-receive, update, post-receive, proc-receive, …)
+dashboard.reinit_missing_repos = Reinicialitza tots els repositoris Git que falten i que tenen registres
+dashboard.sync_external_users = Sincronitzar dades d'usuari externes
+dashboard.cleanup_hook_task_table = Netejar la taula hook_task
+dashboard.cleanup_packages = Netejar paquets caducats
+dashboard.cleanup_actions = Netejar registres i artefactes d'accions caducats
+dashboard.server_uptime = Temps de funcionament del servidor
+dashboard.current_goroutine = Goroutines actuals
+dashboard.current_memory_usage = Ús de memòria actual
+dashboard.total_memory_allocated = Total de memòria adjudicada
+dashboard.memory_obtained = Memòria rebuda
+dashboard.pointer_lookup_times = Temps de consulta dels punters
+dashboard.memory_free_times = Alliberaments de memòria
+dashboard.current_heap_usage = Ús del heap actual
+dashboard.heap_memory_obtained = Memòria de heap rebuda
+dashboard.heap_memory_idle = Memòria del heap en repòs
+dashboard.heap_memory_in_use = Memòria del heap en ús
+dashboard.heap_memory_released = Memòria del heap alliberada
+dashboard.heap_objects = Objectes del heap
+dashboard.bootstrap_stack_usage = Ús de l'arrancada de la pila (stack)
+dashboard.stack_memory_obtained = Memòria de la pila (stack) rebuda
+dashboard.mspan_structures_usage = Ús de les estructures MSpan
+dashboard.mspan_structures_obtained = Estructures MSpan rebudes
+dashboard.mcache_structures_usage = Ús de les estructures MCache
+dashboard.mcache_structures_obtained = Estructures MCache rebudes
+dashboard.gc_metadata_obtained = Metadades del GC rebudes
+dashboard.next_gc_recycle = Proper cicle de GC
+dashboard.last_gc_time = Temps des del darrer GC
+dashboard.total_gc_pause = Pausa total de GC
+dashboard.last_gc_pause = Darrera pausa de GC
+dashboard.delete_old_actions = Eliminar totes les activitats antigues de la base de dades
+dashboard.delete_old_actions.started = Eliminar totes les activitats antigues des que s'ha iniciat la base de dades.
+dashboard.delete_old_system_notices = Eliminar totes les notificacions de sistema antigues de la base de dades
+dashboard.gc_lfs = Recull la brossa d'objectes meta LFS
+dashboard.stop_zombie_tasks = Aturar tasques d'accions zombi
+dashboard.stop_endless_tasks = Aturar tasques d'accions infinites
+dashboard.cancel_abandoned_jobs = Cancel·lar feines d'accions abandonades
+dashboard.sync_branch.started = S'ha iniciat la sincronització de branca
+dashboard.sync_tag.started = S'ha iniciat la sincronització d'etiquetes
+dashboard.cron.process = Cron: %[1]s
+notices = Notificacions del sistema
+dashboard.rebuild_issue_indexer = Reconstruir l'indexador d'incidències
+users.user_manage_panel = Gestionar comptes d'usuari
+users.new_account = Crear compte d'usuari
+users.restricted = Restringit
+users.reserved = Reservat
+users.bot = Bot
+users.remote = Remot
+users.repos = Repos
+users.created = Creats
+users.last_login = Darrer inici de sessió
+users.never_login = Mai ha iniciat sessió
+users.send_register_notify = Notificar sobre el registre per correu
+users.new_success = S'ha creat l'usuari "%s".
+users.edit = Editar
+users.auth_source = Font d'autenticació
+users.local = Local
+users.auth_login_name = Nom d'autenticació de sessió
+users.password_helper = Deixeu la contrasenya buida si no la voleu canviar.
+users.update_profile_success = S'ha actualitzat el compte d'usuari.
+users.edit_account = Editar compte d'usuari
+users.max_repo_creation = Nombre màxim de repositoris
+users.max_repo_creation_desc = (Introduïu -1 per usar el límit global predeterminat.)
+users.is_activated = Compte actiu
+users.activated.description = Completar la verificació per correu. L'usuari d'un compte inactiu no podrà iniciar-hi sessió fins que n'hagi verificat el correu.
+users.prohibit_login = Compte suspès
+users.block.description = Fa que l'usuari no pugui interactuar amb aquest servei a través del seu compte i en prohibeix l'inici de sessió.
+users.is_admin = Compte d'administrador
+users.admin.description = Dona accés complet a totes les funcions d'administració a través de la interfície web i l'API.
+users.is_restricted = Compte restringit
+users.restricted.description = Només permet interactuar amb repositoris i organitzacions quan l'usuari n'és col·laborador. Això no permet l'accés als repositoris públics d'aquesta instància.
+users.allow_git_hook = Pot crear ganxos Git
+users.allow_git_hook_tooltip = Els ganxos Git s'executen com a l'usuari del sistema operatiu on corre Forgejo, i tenen el mateix nivell d'accés a l'amfitrió. Per tant, els usuaris amb aquest privilegi especial poden accedir i modificar tots els repositoris de Forgejo, així com la base de dades que fa servir Forgejo. Això també els permet obtenir privilegis d'administrador a Forgejo.
+users.allow_import_local = Pot importar repositoris locals
+users.local_import.description = Permet la importació de repositoris des del sistema de fitxers local del servidor. Això pot ser un problema de seguretat.
+users.allow_create_organization = Pot crear organitzacions
+users.organization_creation.description = Permet crear noves organitzacions.
+users.update_profile = Actualitzar compte d'usuari
+users.delete_account = Eliminar compte d'usuari
+users.cannot_delete_self = No podeu eliminar-vos vós mateix
+users.still_own_repo = Aquest usuari encara té un o més repositoris. Elimineu-los o transferiu-los abans.
+users.still_has_org = Aquest usuari és membre d'una organització. Elimineu-lo de totes les organitzacions abans.
+users.purge = Purgar usuari
+users.purge_help = Elimina forçosament l'usuari i tots els seus repositoris, organitzacions i paquets. També s'eliminaran tots els seus comentaris i incidències.
+users.still_own_packages = Aquest usuari encara té un o més paquets. Elimineu-los abans.
+users.deletion_success = S'ha eliminat l'usuari.
+users.list_status_filter.menu_text = Filtrar
+users.list_status_filter.reset = Restaurar
+users.list_status_filter.is_active = Actiu
+users.list_status_filter.not_active = Inactiu
+users.list_status_filter.not_admin = No administrador
+users.list_status_filter.is_restricted = Restringit
+users.list_status_filter.not_restricted = No restringit
+users.list_status_filter.is_prohibit_login = Inici de sessió prohibit
+users.list_status_filter.not_prohibit_login = Inici de sessió permès
+users.details = Detalls d'usuari
+emails.email_manage_panel = Gestionar correus d'usuari
+emails.primary = Principal
+emails.filter_sort.email_reverse = Correu (invers)
+emails.filter_sort.name_reverse = Nom d'usuari (invers)
+emails.updated = Correu actualitzat
+emails.not_updated = No s'ha pogut actualitzar l'adreça de correu: %v
+emails.duplicate_active = Aquesta adreça de correu ja pertany a un altre usuari.
+emails.change_email_header = Actualitzar propietats del correu
+emails.change_email_text = Esteu segur que voleu modificar aquesta adreça de correu?
+emails.delete = Eliminar adreça de correu
+emails.delete_desc = Esteu segur que voleu eliminar aquesta adreça de correu?
+emails.deletion_success = S'ha eliminat l'adreça de correu.
+emails.delete_primary_email_error = No podeu eliminar l'adreça de correu principal.
+orgs.org_manage_panel = Gestionar organitzacions
+repos.repo_manage_panel = Gestionar repositoris
+repos.unadopted = Repositoris no-adoptats
+repos.unadopted.no_more = No s'han trobat repositoris no-adoptats.
+repos.owner = Propietari
+repos.lfs_size = Mida LFS
+packages.package_manage_panel = Gestionar paquets
+packages.total_size = Mida total: %s
+packages.unreferenced_size = Mida sense referenciar: %s
+packages.cleanup = Netejar les dades caducades
+packages.cleanup.success = S'han netejat les dades caducades satisfactòriament
+packages.owner = Propietari
+packages.creator = Creador
+packages.published = Publicat
+defaulthooks = Webhooks predeterminats
+defaulthooks.desc = Els webhooks fan una petició automàtica HTTP POST a un servidor quan s'activen alguns esdeveniments de Forgejo. Els webhooks definits aquí són predeterminats i es copiaran a tots els nous repositoris. Llegiu-ne més en la <a target="_blank" rel="noopener" href="%s">guia de webhooks</a>.
+defaulthooks.add_webhook = Afegir webhook per defecte
+defaulthooks.update_webhook = Actualitzar webhook per defecte
+systemhooks = Webhooks del sistema
+systemhooks.desc = Els webhooks fan una petició automàtica HTTP POST a un servidor quan s'activen alguns esdeveniments de Forgejo. Els webhooks definits aquí s'aplicaran a tots els repositoris del sistema, així que considereu l'impacte que poden tenir en el rendiment. Llegiu-ne més en la <a target="_blank" rel="noopener" href="%s">guia de webhooks</a>.
+systemhooks.add_webhook = Afegir webhook de sistema
+systemhooks.update_webhook = Actualitzar webhook de sistema
+auths.auth_manage_panel = Gestionar fonts d'autenticació
+auths.new = Afegir font d'autenticació
+auths.syncenabled = Activar la sincronització d'usuaris
+auths.updated = Actualitzat
+auths.auth_type = Tipus d'autenticació
+auths.auth_name = Nom d'autenticació
+auths.security_protocol = Protocol de seguretat
+auths.attribute_username = Atribut de nom d'usuari
+auths.attribute_username_placeholder = Deixeu-ho buit per usar el nom d'usuari de Forgejo.
+auths.attribute_name = Atribut de nom
+auths.attribute_surname = Atribut de cognom
+auths.attribute_mail = Atribut de correu electrònic
+auths.attribute_ssh_public_key = Atribut de clau pública SSH
+auths.attribute_avatar = Atribut d'avatar
+auths.use_paged_search = Usar cerca en pàgines
+auths.search_page_size = Mida de pàgina
+auths.filter = Filtre d'usuari
+auths.admin_filter = Filtre d'administrador
+auths.restricted_filter = Filtre restringit
+auths.restricted_filter_helper = Deixeu-ho buit per no marcar cap usuari com a restringit. Useu un asterisc ("*") per marcar tots els usuaris que no coincideixin amb el Filtre d'administrador com a restringits.
+auths.verify_group_membership = Verificar l'adhesió de grup a LDAP (deixeu el filtre buit per ignorar-ho)
+auths.enable_ldap_groups = Activar grups LDAP
+auths.smtp_auth = Tipus d'autenticació SMTP
+auths.smtphost = Amfitrió SMTP
+auths.smtpport = Port SMTP
+auths.allowed_domains = Dominis permesos
+auths.allowed_domains_helper = Deixeu-ho buit per permetre tots els dominis. Separeu múltiples dominis amb una coma (",").
+auths.skip_tls_verify = Salta't la verificació TLS
+auths.force_smtps = Força l'SMTPS
+auths.force_smtps_helper = L'SMTPS sempre usa el port 465. Indiqueu això per forçar l'SMTPS en un altre port. (Sinó s'usarà l'STARTTLS en altres ports, sempre que l'amfitrió ho suporti.)
+auths.pam_service_name = Nom de servei PAM
+auths.pam_email_domain = Domini de correu PAM (opcional)
+auths.oauth2_provider = Proveïdor OAuth2
+auths.oauth2_icon_url = URL d'icona
+auths.oauth2_clientID = ID de client (clau)
+auths.oauth2_clientSecret = Secret de client
+auths.openIdConnectAutoDiscoveryURL = URL d'OpenID Connect Auto Discovery
+auths.oauth2_use_custom_url = Usar URL personalitzades enlloc d'URL predeterminades
+auths.oauth2_tokenURL = URL de testimoni (token)
+auths.oauth2_authURL = URL d'autorització
+auths.oauth2_profileURL = URL de perfil
+auths.oauth2_emailURL = URL de correu
+auths.edit = Editar font d'autenticació
+auths.activated = S'ha activat aquesta font d'autenticació
+auths.new_success = S'ha afegit l'autenticació "%s".
+auths.update_success = S'ha actualitzat la font d'autenticació.
+auths.update = Actualitzar font d'autenticació
+auths.delete = Eliminar font d'autenticació
+auths.delete_auth_title = Eliminar font d'autenticació
+auths.delete_auth_desc = Eliminar una font d'autenticació fa que els usuaris que en fan ús no puguin iniciar sessió. Continuar?
+auths.still_in_used = Aquesta font d'autenticació encara s'utilitza. Convertiu o elimineu els usuaris que en fan ús abans.
+auths.deletion_success = S'ha eliminat la font d'autenticació.
+auths.login_source_exist = La font d'autenticació "%s" ja existeix.
+config.server_config = Configuració de servidor
+config.app_name = Títol de la instància
+config.app_slogan = Eslògan de la instància
+config.app_ver = Versió de Forgejo
+config.app_url = URL base
+config.custom_conf = Camí al fitxer de configuració
+config.domain = Domini del servidor
+config.offline_mode = Mode local
+config.git_version = Versió de Git
+config.ssh_config = Configuració SSH
+config.run_user = Executa com a usuari
+auths.tips.oauth2.general = Autenticació OAuth2
+auths.tips.oauth2.general.tip = Quan registreu una nova autenticació OAuth2, l'URL de crida/redirecció serà:
+auths.tip.oauth2_provider = Proveïdor OAuth2
+auths.tip.bitbucket = Registreu un nou consumidor OAuth2 a %s i afegiu els permisos "Compte" - "Lectura"
+auths.tip.nextcloud = Registreu un nou consumidor OAuth en la vostra instància amb el menú "Configuració -> Seguretat -> Client OAuth 2.0"
+auths.tip.dropbox = Crea una nova aplicació a %s
+auths.tip.facebook = Registreu una nova aplicació a %s i afegiu el producte "Facebook Login"
+config.repo_root_path = Camí arrel del repositori
+auths.bind_dn = DN bind
+auths.bind_password = Contrasenya bind
+auths.user_base = Base de cerca d'usuari
+auths.user_dn = DN d'usuari
+auths.attributes_in_bind = Recupera els atributs del context bind DN
+auths.default_domain_name = Nom de domini per defecte usat per l'adreça de correu
+auths.allow_deactivate_all = Permet que un resultat de cerca buit desactivi tots els usuaris
+auths.oauth2_required_claim_value_helper = Assigneu aquest valor per restringir l'inici de sessió des d'aquesta font als usuaris que declarin aquest nom i valor
+auths.tip.mastodon = Introduïu l'URL a una instància diferent de Mastodon amb la que voleu autenticar-vos (o bé useu la instància per defecte)
+auths.unable_to_initialize_openid = No s'ha pogut inicialitzar el proveïdor d'OpenID Connect: %s
+auths.invalid_openIdConnectAutoDiscoveryURL = URL d'Auto Discovery invàlida (ha de ser una URL vàlida començant amb http:// o https://)
+config.custom_file_root_path = Camí arrel dels fitxers personalitzada
+config.disable_router_log = Desactiva els registres de l'encaminador
+config.run_mode = Mode d'execució
+config.app_data_path = Camí a les dades d'aplicació
+config.log_file_root_path = Camí de registres
+config.script_type = Tipus d'script
+config.reverse_auth_user = Usuari d'autenticació al servidor intermediari revers
+config.ssh_start_builtin_server = Usa el servidor integrat
+config.ssh_domain = Domini del servidor SSH
+config.ssh_listen_port = Port d'escolta
+config.ssh_root_path = Camí arrel
+config.ssh_key_test_path = Camí al test de clau
+config.ssh_keygen_path = Camí keygen ("ssh-keygen")
+config.ssh_minimum_key_size_check = Comprovació mínima de la mida de clau
+config.ssh_minimum_key_sizes = Mides mínimes de clau
+config.lfs_config = Configuració LFS
+config.lfs_content_path = Camí de contingut LFS
+config.lfs_http_auth_expiry = Temps de caducitat d'autenticació HTTP de l'LFS
+config.db_config = Configuració de la base de dades
+config.service_config = Configuració del servei
+config.register_email_confirm = Requereix una confirmació de correu per a registrar-se
+config.disable_register = Deshabilita l'auto-registre
+config.allow_only_internal_registration = Permet el registre només a través de Forgejo
+config.allow_only_external_registration = Permet el registre només a través de serveis externs
+config.enable_openid_signup = Habilita l'auto-registre amb OpenID
+config.enable_openid_signin = Habilita l'inici de sessió amb OpenID
+config.show_registration_button = Mostra el botó de registre
+config.require_sign_in_view = Requereix iniciar sessió per veure el contingut
+config.mail_notify = Habilita les notificacions per correu
+config.enable_captcha = Habilita el CAPTCHA
+config.active_code_lives = Temps de caducitat del codi d'activació
+config.reset_password_code_lives = Temps de caducitat del codi de recuperació
+config.default_keep_email_private = Amaga les adreces de correu, per defecte
+config.default_allow_create_organization = Permet crear organitzacions, per defecte
+config.enable_timetracking = Habilita el seguiment de temps
+config.default_enable_timetracking = Habilita el seguiment de temps, per defecte
+config.allow_dots_in_usernames = Permet que el usuaris utilitzin punts en el nom d'usuari. Això no afecta als comptes que ja existeixen.
+config.default_allow_only_contributors_to_track_time = Fes que només els contribuïdors puguin fer un seguiment de temps
+config.no_reply_address = Domini del correu ocult
+config.default_visibility_organization = Visibilitat per defecte de les noves organitzacions
+config.default_enable_dependencies = Habilita les dependències d'incidències, per defecte
+config.webhook_config = Configuració dels Webhooks
+config.queue_length = Longitud de la cua
+config.deliver_timeout = Temps d'espera d'entrega
+config.skip_tls_verify = Salta't la verificació TLS
+config.mailer_config = Configuració del remitent
+config.mailer_enable_helo = Habilita HELO
+config.mailer_protocol = Protocol
+config.mailer_smtp_addr = Amfitrió SMTP
+config.mailer_smtp_port = Port SMTP
+config.mailer_user = Usuari
+config.mailer_use_sendmail = Usa Sendmail
+config.mailer_sendmail_path = Camí de Sendmail
+config.mailer_sendmail_args = Arguments extra per Sendmail
+config.mailer_sendmail_timeout = Temps d'espera per Sendmail
+config.test_email_placeholder = Correu electrònic (ex. test@example.com)
+config.send_test_mail = Envia un correu de prova
+config.send_test_mail_submit = Envia
+config.test_mail_failed = No s'ha pogut enviar el correu de prova a "%s": %v
+config.test_mail_sent = S'ha enviat un correu de prova a "%s".
+config.cache_config =
+config.cache_adapter =Adaptador de la memòria cau
+config.cache_interval =Interval de la memòria cau
+config.cache_conn =Connexió de la memòria cau
+config.cache_item_ttl = TTL dels ítems de la memòria cau
+config.cache_test = Prova la memòria cau
+config.cache_test_failed = No s'ha pogut examinar la memòria cau: %v.
+config.cache_test_slow = La memòria cau s'ha provat correctament, però la resposta és lenta: %s.
+config.cache_test_succeeded = La memòria cau s'ha provat correctament, s'ha rebut una resposta en %s.
+config.session_config = Configuració de la sessió
+config.session_provider = Proveïdor de la sessió
+config.provider_config = Configuració del proveïdor
+config.cookie_name = Nom de la galeta
+config.gc_interval_time = Interval de temps del GC
+config.session_life_time = Temps de vida de la sessió
+config.https_only = Només HTTPS
+config.picture_config = Configuració d'imatge i avatar
+config.disable_gravatar = Deshabilita Gravatar
+config.enable_federated_avatar = Habilita els avatars federats
+dashboard.operation_switch = Intercanvia
+users.2fa = A2F
+users.reset_2fa = Restableix l'A2F
+users.list_status_filter.is_2fa_enabled = A2F activada
+users.list_status_filter.not_2fa_enabled = A2F desactivada
+auths.group_search_base = DN base de cerca de grup
+auths.group_attribute_list_users = Atribut de grup amb la llista d'usuaris
+auths.user_attribute_in_group = Atribut d'usuari llistat en el grup
+auths.map_group_to_team = Assigna els grups LDAP a equips d'organització (deixeu-ho buit per saltar-ho)
+auths.map_group_to_team_removal = Elimina els usuaris dels equips sincronitzats si no pertanyen al grup LDAP corresponent
+auths.helo_hostname = Hostname HELO
+auths.helo_hostname_helper = Hostname enviat amb HELO. Deixeu-ho en blanc per enviar el hostname actual.
+auths.disable_helo = Deshabilita HELO
+auths.skip_local_two_fa = Salta l'A2F local
+auths.skip_local_two_fa_helper = No marcar aquesta opció farà que els usuaris que tenen l'A2F definida igualment hauran de passar l'A2F per iniciar sessió
+auths.oauth2_tenant = Tenant
+auths.oauth2_scopes = Àmbits addicionals
+auths.oauth2_map_group_to_team_removal = Elimina els usuaris dels equips sincronitzats si no pertanyen al grup corresponent.
+auths.tips = Consells
+auths.tips.gmail_settings = Configuracions de Gmail:
+auths.tip.github = Registra una aplicació OAuth nova a %s
+auths.tip.gitlab_new = Registra una aplicació nova a %s
+auths.tip.google_plus = Obté les credencials del client OAuth2 amb la consola del Google API a %s
+auths.tip.openid_connect = Usa l'URL d'OpenID Connect Discovery (<server>/.well-known/openid-configuration) per a especificar els endpoints
 
 [actions]
 variables = Variables
diff --git a/options/locale/locale_cs-CZ.ini b/options/locale/locale_cs-CZ.ini
index f1893024ce..91e5e8dbc5 100644
--- a/options/locale/locale_cs-CZ.ini
+++ b/options/locale/locale_cs-CZ.ini
@@ -2381,7 +2381,7 @@ settings.matrix.room_id=ID místnosti
 settings.matrix.message_type=Typ zprávy
 settings.archive.button=Archivovat repozitář
 settings.archive.header=Archivovat tento repozitář
-settings.archive.text = Archivováním repozitáře jej celý převedete do stavu pouze pro čtení. Bude skryt z nástěnky. Nikdo (ani vy!) nebude moci vytvářet nové revize ani otevírat problémy a žádosti o sloučení.
+settings.archive.text = Archivováním repozitáře jej celý převedete do stavu pouze pro čtení. Bude skryt z nástěnky. Nikdo (ani vy!) nebude moci vytvářet nové revize ani otevírat problémy a žádosti o sloučení. Je doporučena dokumentace důvodu archivace pro budoucí vývojáře, kteří chtějí vytvořit fork repozitáře.
 settings.archive.success=Repozitář byl úspěšně archivován.
 settings.archive.error=Nastala chyba při archivování repozitáře. Prohlédněte si záznam pro více detailů.
 settings.archive.error_ismirror=Nemůžete archivovat zrcadlený repozitář.
diff --git a/options/locale/locale_de-DE.ini b/options/locale/locale_de-DE.ini
index c34f152934..897d335cb8 100644
--- a/options/locale/locale_de-DE.ini
+++ b/options/locale/locale_de-DE.ini
@@ -2382,7 +2382,7 @@ settings.matrix.room_id=Raum-ID
 settings.matrix.message_type=Nachrichtentyp
 settings.archive.button=Repo archivieren
 settings.archive.header=Dieses Repo archivieren
-settings.archive.text=Durch das Archivieren wird ein Repo vollständig schreibgeschützt. Es wird von der Übersichtsseite versteckt. Niemand (nicht einmal du!) wird in der Lage sein, neue Commits zu erstellen oder Issues oder Pull-Requests zu öffnen.
+settings.archive.text=Durch das Archivieren wird ein Repo vollständig schreibgeschützt. Es wird von der Übersichtsseite versteckt. Niemand (nicht einmal du!) wird in der Lage sein, neue Commits zu erstellen oder Issues oder Pull-Requests zu öffnen. Es wird empfohlen, den Archivierungsgrund zu dokumentieren, um zukünftigen Entwicklern, die planen, das Repository zu forken, zu helfen.
 settings.archive.success=Das Repo wurde erfolgreich archiviert.
 settings.archive.error=Beim Versuch, das Repository zu archivieren, ist ein Fehler aufgetreten. Weitere Details finden sich im Log.
 settings.archive.error_ismirror=Du kannst kein gespiegeltes Repo archivieren.
diff --git a/options/locale/locale_es-ES.ini b/options/locale/locale_es-ES.ini
index a7aa0f17ae..8809dca726 100644
--- a/options/locale/locale_es-ES.ini
+++ b/options/locale/locale_es-ES.ini
@@ -32,7 +32,7 @@ password=Contraseña
 access_token=Token de acceso
 re_type=Confirmar contraseña
 captcha=CAPTCHA
-twofa=Autenticación de dos factores
+twofa=Autenticación de doble factor
 twofa_scratch=Código de respaldo
 passcode=Código de acceso
 
@@ -147,7 +147,7 @@ filter.private = Privado
 toggle_menu = Alternar menú
 invalid_data = Datos inválidos: %v
 confirm_delete_artifact = ¿Estás seguro de que deseas eliminar el artefacto "%s"?
-more_items = Mas cosas
+more_items = Mas elementos
 copy_generic = Copiar al portapapeles
 filter.not_fork = No hay bifurcaciones
 filter.is_fork = Bifurcaciones
@@ -3138,7 +3138,7 @@ auths.allow_deactivate_all=Permitir un resultado de búsqueda vacío para desact
 auths.use_paged_search=Usar búsqueda paginada
 auths.search_page_size=Tamaño de página
 auths.filter=Filtro de usuario
-auths.admin_filter=Filtro de aministrador
+auths.admin_filter=Filtro de administrador
 auths.restricted_filter=Filtro restringido
 auths.restricted_filter_helper=Dejar en blanco para no establecer ningún usuario como restringido. Utilice un asterisco ('*') para establecer todos los usuarios que no coincidan con el filtro de administración como restringido.
 auths.verify_group_membership=Verificar pertenencia al grupo en LDAP (dejar el filtro vacío para saltar)
@@ -3152,15 +3152,15 @@ auths.ms_ad_sa=Atributos de búsqueda de MS AD
 auths.smtp_auth=Tipo de autenticación SMTP
 auths.smtphost=Servidor SMTP
 auths.smtpport=Puerto SMTP
-auths.allowed_domains=Dominios Permitidos
-auths.allowed_domains_helper=Dejar vacío para permitir todos los dominios. Separa múltiples dominios con una coma (',').
+auths.allowed_domains=Dominios permitidos
+auths.allowed_domains_helper=Dejar vacío para permitir todos los dominios. Separa múltiples dominios con una coma (",").
 auths.skip_tls_verify=Omitir la verificación TLS
 auths.force_smtps=Forzar SMTPS
 auths.force_smtps_helper=SMTPS se utiliza siempre en el puerto 465. Establezca esto para forzar SMTPS en otros puertos. (De lo contrario, STARTTLS se utilizará en otros puertos si es soportado por el host.)
 auths.helo_hostname=Nombre de anfitrión HELO
 auths.helo_hostname_helper=Nombre de anfitrión enviado con HELO. Déjelo vacío para enviar el nombre de anfitrión actual.
 auths.disable_helo=Desactivar HELO
-auths.pam_service_name=Nombre del Servicio PAM
+auths.pam_service_name=Nombre del servicio PAM
 auths.pam_email_domain=Dominio de correo de PAM (opcional)
 auths.oauth2_provider=Proveedor OAuth2
 auths.oauth2_icon_url=URL de icono
@@ -3217,9 +3217,9 @@ auths.unable_to_initialize_openid=No se puede inicializar el proveedor de OpenID
 auths.invalid_openIdConnectAutoDiscoveryURL=URL de auto descubrimiento no válida (esta debe ser una URL válida comenzando con http:// o https://)
 
 config.server_config=Configuración del servidor
-config.app_name=Título del sitio
+config.app_name=Título de la instancia
 config.app_ver=Versión de Forgejo
-config.app_url=URL base de Forgejo
+config.app_url=URL base
 config.custom_conf=Ruta del fichero de configuración
 config.custom_file_root_path=Ruta raíz de los archivos personalizada
 config.domain=Dominio del Servidor
diff --git a/options/locale/locale_mk.ini b/options/locale/locale_mk.ini
new file mode 100644
index 0000000000..5bc16b4700
--- /dev/null
+++ b/options/locale/locale_mk.ini
@@ -0,0 +1,14 @@
+
+
+
+[common]
+home = Дома
+dashboard = Контролна табла
+help = Помош
+logo = Лого
+version = Верзија
+notifications = Нотификации
+sign_in_or = или
+password = Лозинка
+username = Корисничко име
+your_profile = Профил
\ No newline at end of file
diff --git a/options/locale/locale_nb_NO.ini b/options/locale/locale_nb_NO.ini
index ada3a5bc39..692a70e350 100644
--- a/options/locale/locale_nb_NO.ini
+++ b/options/locale/locale_nb_NO.ini
@@ -510,4 +510,20 @@ admin.new_user.user_info = Bruker informasjon
 admin.new_user.text = Vennligst <a href="%s">Trykk her</a> for å administrere denne brukeren fra admin panelet.
 register_notify = Velkommen til %s
 register_notify.text_1 = Dette er e-posten som bekrefter din registrering for %s!
-register_notify.text_2 = Du kan logge in på din konto med bruk av ditt brukernavn: %s
\ No newline at end of file
+register_notify.text_2 = Du kan logge in på din konto med bruk av ditt brukernavn: %s
+register_notify.text_3 = Hvis noen andre laget denne kontoen for deg, må du <a href="%s">sette et passord</a> først.
+reset_password = Gjenopprett kontoen din
+reset_password.text = Hvis dette var deg, vennligst klikk følgende lenge for å gjenopprette kontoen din innen <b>%s</b>:
+password_change.subject = Passordet ditt har blitt endret
+password_change.text_1 = Passordet for kontoen din ble akkurat endret.
+primary_mail_change.subject = Din hoved-e-postadresse er endret
+primary_mail_change.text_1 = Din hoved-e-postadresse ble akkurat endret til %[1]s. Dette betyr at denne e-postadressen ikke lenger vil motta e-postvarsler for kontoen din.
+totp_disabled.subject = TOTP has blitt slått av
+totp_disabled.text_1 = Tidsbasert engangskode (TOTP) ble nettopp slått av på din konto.
+totp_disabled.no_2fa = Det er ikke lenger satt opp noen 2FA-metoder, hvilket betyr at det ikke lenger er nødvendig å bruke 2FA for å logge inn på kontoen din.
+removed_security_key.subject = En sikkerhetsnøkkel har blitt fjernet
+removed_security_key.text_1 = Sikkerhetsnøkkelen «%[1]s» ble akkurat fjernet fra din konto.
+account_security_caution.text_1 = Hvis dette var deg, så kan du trygt ignorere denne e-posten.
+account_security_caution.text_2 = Hvis dette ikke var deg, så kan noen ha fått uautorisert tilgang til kontoen din. Ta kontakt med administratorene for denne siden.
+totp_enrolled.subject = Du har aktivert TOTP som 2FA-metode
+totp_enrolled.text_1.no_webauthn = Du har akkurat slått på TOTP for kontoen din. Dette betyr at for alle fremtidige innlogginger må du bruke TOTP som en 2FA-metode.
\ No newline at end of file
diff --git a/options/locale/locale_nds.ini b/options/locale/locale_nds.ini
index d8b97b61cf..6825b38fe9 100644
--- a/options/locale/locale_nds.ini
+++ b/options/locale/locale_nds.ini
@@ -2308,7 +2308,7 @@ settings.archive.mirrors_unavailable = Spegels sünd in archiveert Repos nich ve
 settings.tags.protection.create = Örder hentofögen
 settings.bot_token = Bot-Teken
 settings.matrix.message_type = Narichten-Aard
-settings.archive.text = Wenn dat Repo archiveert word, kann man daar blots noch lesen. Dat word vum Kontor verburgen. Nüms (ok nich du sülvst!) kann noch neje Kommitterens maken of Gefallens of Haalvörslagen opmaken.
+settings.archive.text = Wenn dat Repo archiveert word, kann man daar blots noch lesen. Dat word vum Kontor verburgen. Nüms (ok nich du sülvst!) kann noch neje Kommitterens maken of Gefallens of Haalvörslagen opmaken. Dat word anraden, to dokumenteren, um wat dat archiveert worden is, um tokünftig Entwicklers to hülpen, well deeses Repositorium gabeln wullen.
 settings.archive.success = Dat Repo is archiveert worden.
 settings.archive.error = Een Fehler is bi’m Archiveren vum Repo uptreden. Kiek in de Utgaav för mehr Informatioonen.
 settings.archive.branchsettings_unavailable = Twieg-Instellens sünd in archiveert Repos nich verföögbaar.
diff --git a/options/locale/locale_ro.ini b/options/locale/locale_ro.ini
index 5540c32d77..e2b404808c 100644
--- a/options/locale/locale_ro.ini
+++ b/options/locale/locale_ro.ini
@@ -303,6 +303,11 @@ default_enable_timetracking = Activează urmărirea timpului în mod implicit
 default_enable_timetracking.description = Permite utilizarea funcției de urmărire a timpului pentru depozitele noi în mod implicit.
 invalid_repo_path = Calea rădăcină a depozitului este invalidă: %v
 run_user_not_match = Numele de utilizator „utilizatorul sub care rulează" nu este același cu numele de utilizator curent: %s -> %s
+enable_update_checker_helper_forgejo = Se va verifica periodic noi versiuni de Forgejo prin interogarea unei înregistrări DNS de tip TXT la release.forgejo.org.
+invalid_log_root_path = Calea către fișierul de loguri este invalidă: %v
+password_algorithm_helper = Setează algoritmul de hashing al parolei. Algoritmii au cerințe și puncte forte diferite. Algoritmul argon2 este foarte sigur, însă folosește multă memorie și poate fi nepotrivit pentru sistemele slabe.
+env_config_keys = Configurări de Mediu
+env_config_keys_prompt = Următoarele variabile de mediu vor fi aplicate fișierului tău de configurații:
 
 [search]
 user_kind = Căutați utilizatori…
@@ -344,4 +349,206 @@ contributions_few = contribuții
 less = Mai puțin
 number_of_contributions_in_the_last_12_months = %s contribuții în ultimele 12 luni
 more = Mai mult
-contributions_one = contribuție
\ No newline at end of file
+contributions_one = contribuție
+
+[home]
+uname_holder = Numele de utilizator sau adresa de email
+switch_dashboard_context = Schimbă contextul tabloului de bord
+my_repos = Repozitorii
+my_orgs = Organizații
+view_home = Vezi %s
+filter = Alte filtre
+filter_by_team_repositories = Filtrează după repozitoriile echipei
+feed_of = Fluxul lui "%s"
+show_archived = Arhivat
+show_both_archived_unarchived = Se afișează atât arhivate cât și nearhivate
+show_only_archived = Se afișează doar arhivate
+show_only_unarchived = Se afișează doar nearhivate
+show_private = Privat
+show_both_private_public = Se afișează atât publice cât și private
+show_only_private = Se afișează doar private
+show_only_public = Se afișează doar publice
+issues.in_your_repos = In repozitoriile tale
+
+[explore]
+repos = Repozitorii
+users = Utilizatori
+organizations = Organizații
+go_to = Mergi la
+code = Cod
+code_last_indexed_at = Ultima indexare %s
+relevant_repositories_tooltip = Repozitorii care sunt fork-uri sau care nu au niciun subiect, nicio pictogramă sau nicio descriere sunt ascunse.
+relevant_repositories = Doar repozitoriile relevante sunt arătate, <a href="%s">arată rezultatele nefiltrate</a>.
+
+[auth]
+create_new_account = Înregistrează un cont
+disable_register_prompt = Înregistrarea este oprită. Vă rugăm contactați administratorul site-ului.
+disable_register_mail = Confirmarea emailului pentru înregistrare este oprită.
+manual_activation_only = Contactați administratorul site-ului pentru a completa activarea.
+remember_me = Ține minte acest dispozitiv
+forgot_password_title = Am uitat parola
+forgot_password = Ai uitat parola?
+hint_login = Ai deja un cont? <a href="%s">Autentifică-te acum!</a>
+hint_register = Ai nevoie de un cont? <a href="%s">Înregistrează-te acum.</a>
+sign_up_button = Înregistrează-te acum.
+sign_up_successful = Contul a fost creat cu succes. Bine ai venit!
+confirmation_mail_sent_prompt = Un nou email de confirmare a fost trimis către <b>%s</b>. Pentru a finaliza procesul de înregistrare, vă rugăm să verificați căsuța poștală și să accesați link-ul primit în următoarele %s. Dacă adresa de email este greșită, vă puteți autentifica, și puteți cere un alt email de confirmare către o altă adresă.
+must_change_password = Actualizează parola
+allow_password_change = Solicită utilizatorului să schimbe parola (recomandat)
+reset_password_mail_sent_prompt = Un email de confirmare a fost trimis către <b>%s</b>. Pentru a finaliza procesul de recuperare, vă rugăm să vă verificați căsuța poștală și să accesați link-ul în următoarele %s.
+active_your_account = Activați-vă contul
+account_activated = Contul a fost activat
+prohibit_login = Contul este suspendat
+prohibit_login_desc = Contul dumneavoastră a fost suspendat din a interacționa cu această instanță. Vă rugăm să contactați administratorul instanței pentru a reprimi acces.
+resent_limit_prompt = Ați cerut recent deja un email de activare. Vă rugăm să așteptați 3 minute și să încercați din nou.
+has_unconfirmed_mail = Bună %s, ai o adresă de email neconfirmată (<b>%s</b>). Dacă nu ai primit un mesaj de confirmare sau trebuie să îți trimitem unul nou, te rog apasă pe butonul de mai jos.
+change_unconfirmed_email_summary = Schimbă adresa de email către care mesajul de activare este trimis.
+change_unconfirmed_email = Dacă ai pus adresa de email greșită în timpul înregistrării, o poți schimba mai jos, și o confirmare va fi trimisă la adresa nouă de email.
+change_unconfirmed_email_error = Nu s-a putut schimba adresa de email: %v
+resend_mail = Apasă aici pentru a retrimite mesajul de activare
+send_reset_mail = Trimite mesajul de activare
+reset_password = Recuperarea contului
+invalid_code = Codul tău de confirmare este invalid sau a expirat.
+invalid_code_forgot_password = Codul tău de confirmare este invalid sau a expirat. Apasă <a href="%s">aici</a> pentru a începe o nouă sesiune.
+invalid_password = Parola ta nu se potrivește cu parola care a fost folosită pentru a crea contul.
+reset_password_helper = Recuperează Contul
+reset_password_wrong_user = Ești autentificat ca %s, dar link-ul pentru recuperarea contului era pentru %s
+password_too_short = Lungimea parolei nu poate fi mai mică de %d caractere.
+non_local_account = Utilizatorii externi nu își pot actualiza parola prin intermediul interfeței web Forgejo.
+verify = Verifică
+unauthorized_credentials = Credențialele sunt incorecte sau au expirat. Reîncearcă comanda sau vezi %s pentru mai multe informații
+scratch_code = Cod de rezervă
+use_scratch_code = Folosește un cod de rezervă
+use_onetime_code = Folosește un cod de unică folosință
+twofa_scratch_used = Ai folosit codul tău de rezervă. Ai fost redirecționat către pagina de autentificare în doi pași pentru a putea să vă ștergeți înrolarea dispozitivului sau să vă generați un nou cod de rezervă.
+twofa_passcode_incorrect = Codul tău de acces este incorect. Dacă ți-ai pierdut dispozitivul, folosește codul de rezervă pentru a te autentifica.
+twofa_scratch_token_incorrect = Codul tău de rezervă este incorect.
+login_userpass = Autentificare
+oauth_signup_tab = Înregistrează un cont nou
+oauth_signup_title = Finalizare cont nou
+oauth_signup_submit = Finalizare cont
+oauth_signin_tab = Asociază cu un cont existent
+oauth_signin_title = Autentifică-te pentru a autoriza asocierea contului
+oauth_signin_submit = Asociază cont
+oauth.signin.error = A apărut o eroare la procesarea cererii de autorizare. Dacă această eroare persistă, contactați administratorul site-ului.
+oauth.signin.error.access_denied = Cererea de autorizare a fost respinsă.
+oauth.signin.error.temporarily_unavailable = Autorizarea a eșuat deoarece serverul de autentificare este temporar indisponibil. Vă rugăm să încercați din nou mai târziu.
+openid_connect_submit = Conectare
+openid_connect_title = Conectează-te la un cont existent
+openid_connect_desc = URI-ul OpenID ales este necunoscut. Asociați-l cu un cont nou aici.
+openid_register_title = Creează un cont nou
+openid_register_desc = URI-ul OpenID ales este necunoscut. Asociați-l cu un cont nou aici.
+openid_signin_desc = Introduceți URI-ul vostru OpenID. De exemplu: alice.openid.example.org sau https://openid.example.org/alice.
+disable_forgot_password_mail = Recuperarea contului este dezactivată deoarece niciun cont de email nu este setat. Vă rugăm să contactați administratorul site-ului.
+disable_forgot_password_mail_admin = Recuperarea contului este activă doar atunci când un cont de email este setat. Vă rugăm să vă setați adresa de email pentru a activa recuperarea contului.
+email_domain_blacklisted = Nu te poți înregistra cu adresa ta de email.
+authorize_application = Autorizează Aplicația
+authorize_redirect_notice = Vei fi redirecționat către %s dacă autorizezi aplicația.
+authorize_application_created_by = Aplicația a fost creată de către %s.
+authorize_application_description = Dacă îi acorzi acces, va putea să îți acceseze și să scrie toate informațiile contului tău, incluzând repozitoarele private și organizațiile.
+authorize_title = Autorizează "%s" să îți acceseze contul?
+authorization_failed = Autorizarea a eșuat
+authorization_failed_desc = Autorizarea a eșuat deoarece am detectat o cerere invalidă. Vă rugăm să contactați responsabilul aplicației pe care ați încercat să o autorizați.
+password_pwned = Parola pe care ai ales-o este pe <a target="_blank" rel="noopener noreferrer" href="%s">o listă de parole furate</a> obținute anterior dintr-o bază de date expusă public. Vă rugăm să încercați cu o parolă diferită și să considerați schimbarea parolei și oriunde altundeva mai este folosită.
+password_pwned_err = Nu s-a putut completa cererea către HaveIBeenPwned
+last_admin = Nu poți șterge ultimul administrator. Trebuie să existe cel puțin un administrator.
+back_to_sign_in = Înapoi la Autentificare
+sign_in_openid = Continuă cu OpenID
+
+[mail]
+view_it_on = Vezi pe %s
+reply = sau răspunde direct la acest mesaj
+link_not_working_do_paste = Link-ul nu a mers? Încearcă să îl copiezi și să îl lipești în bara URL a browserului.
+hi_user_x = Bună <b>%s</b>,
+activate_account = Vă rugăm activați-vă contul
+activate_account.text_1 = Bună <b>%[1]s</b>, mulțumim pentru înregistrarea pe %[2]s!
+activate_account.text_2 = Vă rugăm urmăriți pe următorul link pentru a vă activa contul în <b>%s</b>:
+activate_email = Verifică-ți adresa de email
+activate_email.text = Vă rugăm apăsați pe următorul link pentru a vă activa contul în <b>%s</b>:
+admin.new_user.subject = Un nou utilizator, %s, s-a înregistrat
+admin.new_user.user_info = Informațiile utilizatorului
+admin.new_user.text = Vă rugăm <a href="%s">apăsați aici</a> pentru a administra acest utilizator din tabloul de administrator.
+register_notify = Bine ai venit pe %s
+register_notify.text_1 = acesta este mesajul tău de confirmarea a înregistrării pentru %s!
+register_notify.text_2 = Te poți autentifica în contul tău folosind numele tău de utilizator: %s
+register_notify.text_3 = Dacă altcineva a făcut acest cont pentru tine, va trebui <a href="%s">să îți setezi parola</a> prima dată.
+reset_password = Recuperează-ți contul
+reset_password.text = Dacă ai fost tu, te rugăm să accesezi link-ul pentru a îți recupera contul în <b>%s</b>:
+password_change.subject = Parola ta a fost schimbată
+password_change.text_1 = Parola pentru contul tău tocmai a fost schimbată.
+primary_mail_change.subject = Adresa ta de email principală a fost schimbată
+primary_mail_change.text_1 = Adresa de email principală a contului tău tocmai a fost schimbată la %[1]s. Asta înseamnă că această adresă de email nu va mai primi notificări email pentru contul tău.
+totp_disabled.subject = TOTP a fost dezactivat
+totp_disabled.text_1 = Parola de unică folosință bazată pe timp (TOTP) pentru contul tău tocmai a fost dezactivată.
+totp_disabled.no_2fa = Nu mai sunt configurate alte metode de autentificare în doi pași, ceea ce înseamnă că nu mai este necesar să vă autentificați în cont cu 2FA.
+removed_security_key.subject = O cheie de securitate a fost scoasă
+removed_security_key.text_1 = Cheia de securitate "%[1]s" tocmai a fost scoasă din contul tău.
+removed_security_key.no_2fa = Nu mai sunt configurate alte metode de autentificare în doi pași, ceea ce înseamnă că nu mai este necesar să vă autentificați în cont cu 2FA.
+account_security_caution.text_1 = Dacă ai fost tu, poți ignora acest email.
+account_security_caution.text_2 = Dacă nu ai fost tu, contul tău este compromis. Te rugăm să contactezi administratorii acestui site.
+totp_enrolled.subject = Ai activat TOTP ca metodă de 2FA
+totp_enrolled.text_1.no_webauthn = Tocmai ai activat TOTP pentru contul tău. Asta înseamnă că pentru autentificările viitoare în contul tău, trebuie să folosești TOTP ca metodă de 2FA.
+totp_enrolled.text_1.has_webauthn = Tocmai ai activat TOTP pentru contul tău. Asta înseamnă că pentru autentificările viitoare, poți folosi TOTP ca metodă de autentificare 2FA sau oricare din cheile tale de securitate.
+issue_assigned.pull = @%[1]s te-a atribuit la pull request-ul %[2]s în repozitoriul %[3]s.
+issue_assigned.issue = @%[1]s ți-a atribuit problema %[2]s în repozitoriul %[3]s.
+issue.x_mentioned_you = <b>@%s</b> te-a menționat:
+issue.action.force_push = <b>%[1]s</b> a împins cu forța <b>%[2]s</b> de la %[3]s la %[4]s.
+issue.action.push_1 = <b>@%[1]s</b> a împins %[3]d commit la %[2]s
+issue.action.push_n = <b>@%[1]s</b> a împins %[3]d commit-uri la %[2]s
+issue.action.close = <b>@%[1]s</b> a închis #%[2]d.
+issue.action.reopen = <b>@%[1]s</b> a redeschis #%[2]d.
+issue.action.merge = <b>@%[1]s</b> a merge-uit #%[2]d în %[3]s.
+issue.action.approve = <b>@%[1]s</b> a aprobat acest pull request.
+issue.action.reject = <b>@%[1]s</b> a cerut modificări pe acest pull request.
+issue.action.review = <b>@%[1]s</b> a comentat pe acest pull request.
+issue.action.review_dismissed = <b>@%[1]s</b> a scos ultima recenzie a lui %[2]s de pe acest pull request.
+issue.action.ready_for_review = <b>@%[1]s</b> a marcat acest pull request ca pregătită pentru recenzie.
+issue.action.new = <b>@%[1]s</b> a creat #%[2]d.
+issue.in_tree_path = În %s:
+release.new.subject = %s în %s a fost lansat
+release.new.text = <b>@%[1]s</b> a lansat %[2]s în %[3]s
+release.title = Titlu: %s
+release.note = Notă:
+release.downloads = Descărcări:
+release.download.zip = Cod Sursă (ZIP)
+release.download.targz = Cod Sursă (TAR.GZ)
+repo.transfer.subject_to = %s vrea să transfere repozitoriul "%s" către %s
+repo.transfer.subject_to_you = %s vrea să transfere repozitoriul "%s" către tine
+repo.transfer.to_you = tu
+repo.transfer.body = Pentru a îl accepta sau a refuza vizitează %s sau doar ignoră-l.
+repo.collaborator.added.subject = %s te-a adăugat la %s ca și colaborator
+repo.collaborator.added.text = Ai fost adăugat ca și colaborator la repozitoriul:
+team_invite.subject = %[1]s te-a invitat sa intrii în organizația %[2]s
+team_invite.text_1 = %[1]s te-a invitat să intrii in echipa %[2]s din organizația %[3]s.
+team_invite.text_2 = Te rugăm să accesezi următorul link pentru a te alătura la echipă:
+team_invite.text_3 = Notă: Această invitație îi este adresată lui %[1]s. Dacă nu te așteptai la această invitație, poți ignora acest mesaj.
+
+[modal]
+yes = Da
+no = Nu
+confirm = Confirmă
+cancel = Anulează
+
+[form]
+UserName = Nume de utilizator
+FullName = Numele complet
+Description = Descriere
+Pronouns = Pronume
+Biography = Biografie
+Website = Website
+Location = Locație
+RepoName = Numele repozitoriului
+Email = Adresă de email
+Password = Parolă
+Retype = Confirmă parola
+TeamName = Numele echipei
+AuthName = Numele autorizării
+AdminEmail = Emailul administratorului
+To = Numele branch-ului
+AccessToken = Token de acces
+NewBranchName = Nume nou pentru branch
+CommitSummary = Rezumatul commit-urilor
+CommitMessage = Mesajul commit-ului
+CommitChoice = Alegerea commit-ului
+TreeName = Locația fișierului
+Content = Conținut
\ No newline at end of file
diff --git a/options/locale/locale_ru-RU.ini b/options/locale/locale_ru-RU.ini
index e74f0a2b81..8a80a02284 100644
--- a/options/locale/locale_ru-RU.ini
+++ b/options/locale/locale_ru-RU.ini
@@ -852,7 +852,7 @@ added_on=Добавлено %s
 valid_until_date=Действительно до %s
 valid_forever=Действителен навсегда
 last_used=Последний раз использовался
-no_activity=Еще не применялся
+no_activity=Еще не использовался
 can_read_info=Чтение
 can_write_info=Запись
 key_state_desc=Этот ключ использовался в течение последних 7 дней
diff --git a/options/locale/locale_sv-SE.ini b/options/locale/locale_sv-SE.ini
index 92268e33a8..b619a6904a 100644
--- a/options/locale/locale_sv-SE.ini
+++ b/options/locale/locale_sv-SE.ini
@@ -1439,14 +1439,14 @@ issues.dependency.remove_info=Ta bort detta beroende
 issues.dependency.added_dependency=`lade till ett nytt beroende %s`
 issues.dependency.removed_dependency=`tog bort ett beroende %s`
 issues.dependency.issue_close_blocks=Detta ärende blockerar en stängning av följande ärenden
-issues.dependency.pr_close_blocks=Denna pull-förfrågan blockerar stängning av följande ärenden
+issues.dependency.pr_close_blocks=Denna ändringsförfrågan blockerar stängning av följande ärenden
 issues.dependency.issue_close_blocked=Du måste stänga alla ärenden som blockerar det här ärendet innan du kan stänga det.
-issues.dependency.pr_close_blocked=Du måste stänga alla ärenden som blockerar denna pull-förfrågan innan du kan merga det.
+issues.dependency.pr_close_blocked=Du måste stänga alla ärenden som blockerar denna ändringsförfrågan innan du kan sammanfoga den.
 issues.dependency.blocks_short=Blockerar
 issues.dependency.blocked_by_short=Beroende av
 issues.dependency.remove_header=Ta bort beroende
 issues.dependency.issue_remove_text=Detta tar bort beroendet från det här ärendet. Vill du fortsätta?
-issues.dependency.pr_remove_text=Det här kommer att ta bort beroendet från denna pull-förfrågan. Vill du fortsätta?
+issues.dependency.pr_remove_text=Det här kommer att ta bort beroendet från den här ändringsförfrågan. Vill du fortsätta?
 issues.dependency.setting=Aktivera beroenden för ärenden och ändringsförfrågningar
 issues.dependency.add_error_same_issue=Ett ärende kan inte bero på sig själv.
 issues.dependency.add_error_dep_issue_not_exist=Ärendet du beror på, finns inte.
@@ -1454,8 +1454,8 @@ issues.dependency.add_error_dep_not_exist=Beroendet finns inte.
 issues.dependency.add_error_dep_exists=Beroendet finns redan.
 issues.dependency.add_error_cannot_create_circular=Du kan inte skapa ett beroende med två ärenden som blockerar varandra.
 issues.dependency.add_error_dep_not_same_repo=Båda ärendena måste vara i samma kodförråd.
-issues.review.self.approval=Du kan inte godkänna din egen pull-begäran.
-issues.review.self.rejection=Du kan inte begära ändringar för din egna pull-förfrågan.
+issues.review.self.approval=Du kan inte godkänna din egen ändringsförfrågan.
+issues.review.self.rejection=Du kan inte begära ändringar för din egna ändringsförfrågan.
 issues.review.approve=godkände dessa ändringar %s
 issues.review.comment=granskad av %s
 issues.review.left_comment=lämnade en kommentar
@@ -1486,22 +1486,22 @@ pulls.filter_branch=Filtrera gren
 pulls.no_results=Inga resultat hittades.
 pulls.nothing_to_compare=Dessa grenar är likvärdigt. Det finns ingen anledning att skapa en ändringsförfrågan.
 pulls.create=Skapa ändringsförfrågan
-pulls.change_target_branch_at=`ändrade mål-branch från <b>%s</b> till <b>%s</b>%s`
+pulls.change_target_branch_at=`ändrade målgrenen från <b>%s</b> till <b>%s</b>%s`
 pulls.tab_conversation=Konversation
 pulls.tab_commits=Incheckningar
 pulls.tab_files=Ändrade filer
-pulls.reopen_to_merge=Vänligen återöppna denna Pull-förfrågan igen för att utföra sammanfogningen.
-pulls.cant_reopen_deleted_branch=Denna pull-förfrågan kan inte öppnas igen eftersom branchen tagits bort.
+pulls.reopen_to_merge=Återöppna denna ändringsförfrågan för att utföra sammanslagningen.
+pulls.cant_reopen_deleted_branch=Denna ändringsförfrågan kan inte öppnas eftersom grenen har tagits bort.
 pulls.merged=Sammanfogat
-pulls.is_closed=Pull-förfrågan har stängts.
-pulls.title_wip_desc=`<a href="#">Börja titeln med <strong>%s</strong></a> för att förhindra att pull-förfrågan sammanfogas av misstag`
-pulls.data_broken=Ändringsbegäran är trasig på grund av saknad information on avgreningen.
-pulls.files_conflicted=Den här pull-förfrågan ha ändringar som är i konflikt med mål-branchen.
+pulls.is_closed=Denna ändringsförfrågan har stängts.
+pulls.title_wip_desc=`<a href="#">Börja titeln med <strong>%s</strong></a> för att förhindra att ändringsförfrågan sammanfogas av misstag`
+pulls.data_broken=Ändringsförfrågan är trasig på grund av saknad information on avgreningen.
+pulls.files_conflicted=Den här ändringsförfrågningen har ändringar som är i konflikt med målgrenen.
 pulls.is_checking=Sammanfognings-konfliktkontroll pågår. Försök igen senare.
 pulls.required_status_check_failed=Vissa tvingande kontroller lyckades inte.
 pulls.required_status_check_missing=Vissa tvingande kontroller saknas.
-pulls.required_status_check_administrator=Som administratör kan du fortfarande merga den här pull requesten.
-pulls.can_auto_merge_desc=Denna pull-förfrågan kan sammanfogas automatiskt.
+pulls.required_status_check_administrator=Som administratör kan du fortfarande sammanfoga denna ändringsförfrågan.
+pulls.can_auto_merge_desc=Den här ändringsförfrågningen kan sammanfogas automatiskt.
 pulls.cannot_auto_merge_desc=Ändringsförfrågan kan inte sammanfogas automatiskt på grund av konflikter.
 pulls.cannot_auto_merge_helper=Sammanfoga manuellt för att lösa konflikterna.
 
@@ -1512,7 +1512,7 @@ pulls.invalid_merge_option=Du kan inte använda detta mergealternativet för den
 pulls.open_unmerged_pull_exists=`Du kan inte återuppliva denna pull-request då det redan finns en identisk pull-request öppen (#%d).`
 pulls.update_branch_success=Uppdatering av branchen lyckades
 pulls.update_not_allowed=Du är inte behörig att uppdatera grenen
-pulls.outdated_with_base_branch=Denna branch är föråldrad gentemot bas-branchen
+pulls.outdated_with_base_branch=Den här grenen är föråldrad gentemot basgrenen
 
 
 
@@ -1673,7 +1673,7 @@ settings.convert_confirm=Konvertera kodförråd
 settings.convert_succeed=Speglingen har blivit konverterad till ett vanligt kodförråd.
 settings.convert_fork=Konvertera till vanligt kodförråd
 settings.convert_fork_confirm=Konvertera kodförråd
-settings.transfer.title=Överför Ägarskap
+settings.transfer.title=Överför ägarskap
 settings.transfer_desc=Överför detta kodförråd till en användare eller organisation för vilken du har administratörsrättigheter till.
 settings.transfer_notices_1=- Du kommer förlora åtkomst till kodförrådet om du för över den till en individuell användare.
 settings.transfer_notices_2=- Du kommer behålla åtkomst till kodförrådet om du för över den till en organisation som du antingen äger eller är delägare i.
@@ -1685,7 +1685,7 @@ settings.wiki_delete_desc=Borttagning av kodförrådets wiki-data är permanent
 settings.wiki_delete_notices_1=- Detta kommer permanent ta bort och inaktivera kodförrådets wiki för %s.
 settings.confirm_wiki_delete=Ta bort wikidata
 settings.wiki_deletion_success=Kodförrådets wiki-data har tagits bort.
-settings.delete=Ta bort detta kodförråd
+settings.delete=Ta bort kodförrådet
 settings.delete_desc=Borttagning av en kodförrådet är permanent och kan ej ångras.
 settings.delete_notices_1=- Denna åtgärd kan <strong>INTE</strong> ångras.
 settings.delete_notices_2=- Denna åtgärd kommer permanent ta bort kodförrådet <strong>%s</strong> inklusive kod, ärenden, kommentarer, wiki-data samt medarbetarinställningar.
@@ -1708,7 +1708,7 @@ settings.add_team_duplicate=Teamet har redan kodförrådet
 settings.add_team_success=Teamet har nu tillgång till kodförrådet.
 settings.remove_team_success=Teamets åtkomst till kodförrådet har tagits bort.
 settings.add_webhook=Lägg till webbkrok
-settings.hooks_desc=Webhooks gör automatiskt ett HTTP POST anrop mot en server när vissa Forgejo events triggas. Läs mer om detta i <a target="_blank" rel="noopener noreferrer" href="%s">webhooks guiden</a>.
+settings.hooks_desc=Webbkrokar gör automatiskt ett HTTP POST-anrop mot en server när vissa Forgejo events triggas. Läs mer om detta i <a target="_blank" rel="noopener noreferrer" href="%s">guiden för webbkrokar</a>.
 settings.webhook_deletion=Ta bort webbkrok
 settings.webhook_deletion_desc=Borttagning utav en webhook tar även bort dess inställningar och leveranshistorik. Vill du fortsätta?
 settings.webhook_deletion_success=Webhooken har blivit borttagen.
@@ -1723,7 +1723,7 @@ settings.githook_edit_desc=Om kroken är inaktiv visas exempelinnehåll. Inaktiv
 settings.githook_name=Kroknamn
 settings.githook_content=Krokinnehåll
 settings.update_githook=Uppdatera krok
-settings.add_webhook_desc=Forgejo kommer skicka ett <code>POST</code>-anrop med en specificerad Content-Type till måladressen. Läs mer om detta i <a target="_blank" rel="noopener noreferrer" href="%s">webbkroksguiden</a>.
+settings.add_webhook_desc=Forgejo kommer skicka ett <code>POST</code>-anrop med en specificerad Content-Type till måladressen. Läs mer om det här i <a target="_blank" rel="noopener noreferrer" href="%s">webbkroksguiden</a>.
 settings.payload_url=Mål-URL
 settings.http_method=HTTP-metod
 settings.content_type=POST-innehållstyp
@@ -1812,7 +1812,7 @@ settings.chat_id=Chatt-ID
 settings.matrix.room_id=Rum-ID
 settings.matrix.message_type=Typ av meddelande
 settings.archive.button=Arkivera kodförråd
-settings.archive.header=Arkivera detta kodförråd
+settings.archive.header=Arkivera kodförrådet
 settings.archive.success=Förrådet arkiverades.
 settings.archive.error=Ett fel uppstod när kodförrådet arkiverades. Se loggen för fler detaljer.
 settings.archive.error_ismirror=Du kan inte arkivera ett speglat förråd.
@@ -1822,7 +1822,7 @@ settings.lfs=LFS
 settings.lfs_filelist=LFS filer lagrade i detta kodförråd
 settings.lfs_no_lfs_files=Inga LFS filer är lagrade i detta kodförråd
 settings.lfs_findcommits=Hitta commits
-settings.lfs_lfs_file_no_commits=Ingen incheckning hittad för denna LFS-fil
+settings.lfs_lfs_file_no_commits=Ingen incheckning hittad för den här LFS-fil
 settings.lfs_locks=Lås
 settings.lfs_invalid_locking_path=Ogiltig sökväg: %s
 settings.lfs_invalid_lock_directory=Kan inte låsa katalog: %s
@@ -2303,7 +2303,7 @@ issues.review.un_resolve_conversation = Återöppna konversation
 issues.reference_issue.body = Brödtext
 issues.content_history.delete_from_history = Radera från historik
 issues.content_history.delete_from_history_confirm = Radera från historik?
-issues.blocked_by_user = Du kan inte skapa ärenden i detta kodförråd eftersom du är blockerad av kodförrådets ägare.
+issues.blocked_by_user = Du kan inte skapa ärenden i det här kodförråd eftersom du är blockerad av kodförrådets ägare.
 comment.blocked_by_user = Kommentering är inte möjlig eftersom du är blockerad av kodförrådets ägare eller författaren.
 issues.summary_card_alt = Sammanfattningskort för ett ärende med titel "%s" i kodförråd %s
 compare.compare_base = bas
@@ -2311,7 +2311,7 @@ pulls.view = Visa ändringsförfrågan
 pulls.edit.already_changed = Det gick inte att spara ändringar till ändringsförfrågan. Det verkar som att innehållet redan har ändrats av en annan användare. Uppdatera sidan och försök redigera igen för att undvika att skriva över deras ändringar
 pulls.sign_in_require = <a href="%s">Logga in</a> för att skapa en ny ändringsförfrågan.
 pulls.allow_edits_from_maintainers = Tillåt redigeringar från underhållare
-pulls.allow_edits_from_maintainers_desc = Användare med skrivåtkomst till basgrenen kan också skicka till denna gren
+pulls.allow_edits_from_maintainers_desc = Användare med skrivåtkomst till basgrenen kan också skicka till den här gren
 pulls.allow_edits_from_maintainers_err = Uppdatering misslyckades
 pulls.has_changed_since_last_review = Ändrad sedan din senaste granskning
 pulls.viewed_files_label = %[1]d / %[2]d filer visade
@@ -2326,38 +2326,38 @@ pulls.showing_specified_commit_range = Visar endast ändringar mellan %[1]s..%[2
 pulls.select_commit_hold_shift_for_range = Välj incheckning. Håll shift + klicka för att välja ett intervall
 pulls.filter_changes_by_commit = Filtrera efter incheckning
 pulls.nothing_to_compare_have_tag = De valda grenarna/taggarna är identiska.
-pulls.nothing_to_compare_and_allow_empty_pr = Dessa grenar är identiska. Denna PR kommer vara tom.
-pulls.has_pull_request = `En ändringsförfrågan mellan dessa grenar finns redan: <a href="%[1]s">%[2]s#%[3]d</a>`
+pulls.nothing_to_compare_and_allow_empty_pr = de här grenar är identiska. den här PR kommer vara tom.
+pulls.has_pull_request = `En ändringsförfrågan mellan de här grenar finns redan: <a href="%[1]s">%[2]s#%[3]d</a>`
 pulls.merged_success = Ändringsförfrågan sammanfogad och stängd
 pulls.closed = Ändringsförfrågan stängd
 pulls.manually_merged = Manuellt sammanfogad
 pulls.merged_info_text = Grenen %s kan nu raderas.
-pulls.cannot_merge_work_in_progress = Denna ändringsförfrågan är markerad som pågående arbete.
+pulls.cannot_merge_work_in_progress = den här ändringsförfrågan är markerad som pågående arbete.
 pulls.still_in_progress = Ännu pågående?
 pulls.add_prefix = Lägg till <strong>%s</strong>-prefix
 pulls.ready_for_review = Redo för granskning?
 pulls.remove_prefix = Ta bort <strong>%s</strong>-prefix
-pulls.is_ancestor = Denna gren ingår redan i målgrenen. Det finns inget att sammanfoga.
-pulls.is_empty = Ändringarna på denna gren finns redan på målgrenen. Detta blir en tom incheckning.
-pulls.blocked_by_approvals = Denna ändringsförfrågan har inte tillräckligt med godkännanden ännu. %d av %d godkännanden beviljade.
-pulls.blocked_by_rejection = Denna ändringsförfrågan har ändringar begärda av en officiell granskare.
-pulls.blocked_by_official_review_requests = Denna ändringsförfrågan är blockerad eftersom den saknar godkännande från en eller flera officiella granskare.
-pulls.blocked_by_outdated_branch = Denna ändringsförfrågan är blockerad eftersom den är föråldrad.
-pulls.blocked_by_changed_protected_files_1 = Denna ändringsförfrågan är blockerad eftersom den ändrar en skyddad fil:
-pulls.blocked_by_changed_protected_files_n = Denna ändringsförfrågan är blockerad eftersom den ändrar skyddade filer:
+pulls.is_ancestor = den här gren ingår redan i målgrenen. Det finns inget att sammanfoga.
+pulls.is_empty = Ändringarna på den här gren finns redan på målgrenen. Det här blir en tom incheckning.
+pulls.blocked_by_approvals = den här ändringsförfrågan har inte tillräckligt med godkännanden ännu. %d av %d godkännanden beviljade.
+pulls.blocked_by_rejection = den här ändringsförfrågan har ändringar begärda av en officiell granskare.
+pulls.blocked_by_official_review_requests = den här ändringsförfrågan är blockerad eftersom den saknar godkännande från en eller flera officiella granskare.
+pulls.blocked_by_outdated_branch = den här ändringsförfrågan är blockerad eftersom den är föråldrad.
+pulls.blocked_by_changed_protected_files_1 = den här ändringsförfrågan är blockerad eftersom den ändrar en skyddad fil:
+pulls.blocked_by_changed_protected_files_n = den här ändringsförfrågan är blockerad eftersom den ändrar skyddade filer:
 pulls.num_conflicting_files_1 = %d konfliktande fil
 pulls.num_conflicting_files_n = %d konfliktande filer
 pulls.approve_count_1 = %d godkännande
 pulls.approve_count_n = %d godkännanden
-pulls.reject_count_1 = %d ändringsbegäran
-pulls.reject_count_n = %d ändringsbegäranden
+pulls.reject_count_1 = %d ändringsförfrågan
+pulls.reject_count_n = %d ändringsförfrågan
 pulls.waiting_count_1 = %d väntande granskning
 pulls.waiting_count_n = %d väntande granskningar
 pulls.wrong_commit_id = inchecknings-id måste vara ett inchecknings-id på målgrenen
-pulls.blocked_by_user = Du kan inte skapa en ändringsförfrågan på detta kodförråd eftersom du är blockerad av kodförrådets ägare.
-pulls.no_merge_wip = Denna ändringsförfrågan kan inte sammanfogas eftersom den är markerad som pågående arbete.
-pulls.no_merge_not_ready = Denna ändringsförfrågan är inte redo att sammanfogas, kontrollera granskningsstatus och statuskontroller.
-pulls.no_merge_access = Du är inte behörig att sammanfoga denna ändringsförfrågan.
+pulls.blocked_by_user = Du kan inte skapa en ändringsförfrågan på det här kodförråd eftersom du är blockerad av kodförrådets ägare.
+pulls.no_merge_wip = den här ändringsförfrågan kan inte sammanfogas eftersom den är markerad som pågående arbete.
+pulls.no_merge_not_ready = den här ändringsförfrågan är inte redo att sammanfogas, kontrollera granskningsstatus och statuskontroller.
+pulls.no_merge_access = Du är inte behörig att sammanfoga den här ändringsförfrågan.
 pulls.merge_pull_request = Skapa sammanfogningsincheckning
 pulls.rebase_merge_pull_request = Ombasera sedan snabbspola
 pulls.rebase_merge_commit_pull_request = Ombasera sedan skapa sammanfogningsincheckning
@@ -2365,16 +2365,16 @@ pulls.squash_merge_pull_request = Slå samman till en incheckning
 pulls.fast_forward_only_merge_pull_request = Endast snabbspolning
 pulls.merge_manually = Manuellt sammanfogad
 pulls.merge_commit_id = Sammanfogningsincheckningens ID
-pulls.require_signed_wont_sign = Grenen kräver signerade incheckningar men denna sammanfogning kommer inte signeras
+pulls.require_signed_wont_sign = Grenen kräver signerade incheckningar men den här sammanfogning kommer inte signeras
 pulls.merge_conflict = Sammanfogning misslyckades: Det uppstod en konflikt vid sammanfogning. Tips: Prova en annan strategi
 pulls.rebase_conflict = Sammanfogning misslyckades: Det uppstod en konflikt vid ombasering av incheckning: %[1]s. Tips: Prova en annan strategi
 pulls.unrelated_histories = Sammanfogning misslyckades: Sammanfogningshuvudet och basen delar ingen gemensam historik. Tips: Prova en annan strategi
 pulls.merge_out_of_date = Sammanfogning misslyckades: Under sammanfogningen uppdaterades basen. Tips: Försök igen.
 pulls.head_out_of_date = Sammanfogning misslyckades: Under sammanfogningen uppdaterades huvudet. Tips: Försök igen.
 pulls.has_merged = Misslyckades: Ändringsförfrågan har redan sammanfogats, du kan inte sammanfoga igen eller ändra målgren.
-pulls.push_rejected = Skickning misslyckades: Skickningen avvisades. Granska Git-krokarna för detta kodförråd.
+pulls.push_rejected = Skickning misslyckades: Skickningen avvisades. Granska Git-krokarna för det här kodförråd.
 pulls.push_rejected_summary = Fullständigt avvisningsmeddelande
-pulls.push_rejected_no_message = Skickning misslyckades: Skickningen avvisades men det fanns inget fjärrmeddelande. Granska Git-krokarna för detta kodförråd
+pulls.push_rejected_no_message = Skickning misslyckades: Skickningen avvisades men det fanns inget fjärrmeddelande. Granska Git-krokarna för det här kodförråd
 pulls.status_checking = Vissa kontroller väntar
 pulls.status_checks_success = Alla kontroller lyckades
 pulls.status_checks_warning = Vissa kontroller rapporterade varningar
@@ -2386,36 +2386,36 @@ pulls.status_checks_show_all = Visa alla kontroller
 pulls.update_branch = Uppdatera gren via sammanfogning
 pulls.update_branch_rebase = Uppdatera gren via ombasering
 pulls.close = Stäng ändringsförfrågan
-pulls.closed_at = `stängde denna ändringsförfrågan %s`
-pulls.reopened_at = `återöppnade denna ändringsförfrågan %s`
-pulls.commit_ref_at = `refererade denna ändringsförfrågan från en incheckning %s`
+pulls.closed_at = `stängde den här ändringsförfrågan %s`
+pulls.reopened_at = `återöppnade den här ändringsförfrågan %s`
+pulls.commit_ref_at = `refererade den här ändringsförfrågan från en incheckning %s`
 pulls.cmd_instruction_hint = Visa kommandoradsinstruktioner
 pulls.cmd_instruction_checkout_title = Checka ut
 pulls.cmd_instruction_checkout_desc = Från din projektkatalog, checka ut en ny gren och testa ändringarna.
 pulls.cmd_instruction_merge_title = Sammanfoga
 pulls.cmd_instruction_merge_desc = Sammanfoga ändringarna och uppdatera på Forgejo.
-pulls.cmd_instruction_merge_warning = <b>Varning:</b> Inställningen "Automatisk identifiering av manuell sammanfogning" är inte aktiverad för detta kodförråd, du måste markera denna ändringsförfrågan som manuellt sammanfogad efteråt.
+pulls.cmd_instruction_merge_warning = <b>Varning:</b> Inställningen "Automatisk identifiering av manuell sammanfogning" är inte aktiverad för det här kodförråd, du måste markera den här ändringsförfrågan som manuellt sammanfogad efteråt.
 pulls.clear_merge_message = Rensa sammanfogningsmeddelande
 pulls.clear_merge_message_hint = Att rensa sammanfogningsmeddelandet tar endast bort incheckningsmeddelandes innehåll och behåller genererade git-trailers som "Co-Authored-By …".
 pulls.reopen_failed.head_branch = Ändringsförfrågan kan inte återöppnas eftersom huvudgrenen inte längre existerar.
 pulls.reopen_failed.base_branch = Ändringsförfrågan kan inte återöppnas eftersom basgrenen inte längre existerar.
 pulls.made_using_agit = AGit
 pulls.agit_explanation = Skapad med AGit-arbetsflödet. AGit låter bidragsgivare föreslå ändringar med "git-skickning" utan att skapa en avgrening eller en ny gren.
-pulls.editable_explanation = Denna ändringsförfrågan tillåter redigeringar från underhållare. Du kan bidra direkt till den.
+pulls.editable_explanation = den här ändringsförfrågan tillåter redigeringar från underhållare. Du kan bidra direkt till den.
 pulls.auto_merge_button_when_succeed = (När kontroller lyckas)
 pulls.auto_merge_when_succeed = Automatisk sammanfogning när alla kontroller lyckas
 pulls.auto_merge_newly_scheduled = Ändringsförfrågan schemalagdes att sammanfogas när alla kontroller lyckas.
-pulls.auto_merge_has_pending_schedule = %[1]s schemalade denna ändringsförfrågan för automatisk sammanfogning när alla kontroller lyckas %[2]s.
+pulls.auto_merge_has_pending_schedule = %[1]s schemalade den här ändringsförfrågan för automatisk sammanfogning när alla kontroller lyckas %[2]s.
 pulls.auto_merge_cancel_schedule = Avbryt automatisk sammanfogning
-pulls.auto_merge_not_scheduled = Denna ändringsförfrågan är inte schemalagd för automatisk sammanfogning.
-pulls.auto_merge_canceled_schedule = Automatisk sammanfogning avbröts för denna ändringsförfrågan.
-pulls.auto_merge_newly_scheduled_comment = `schemalade denna ändringsförfrågan för automatisk sammanfogning när alla kontroller lyckas %[1]s`
-pulls.auto_merge_canceled_schedule_comment = `avbröt automatisk sammanfogning av denna ändringsförfrågan när alla kontroller lyckas %[1]s`
+pulls.auto_merge_not_scheduled = den här ändringsförfrågan är inte schemalagd för automatisk sammanfogning.
+pulls.auto_merge_canceled_schedule = Automatisk sammanfogning avbröts för den här ändringsförfrågan.
+pulls.auto_merge_newly_scheduled_comment = `schemalade den här ändringsförfrågan för automatisk sammanfogning när alla kontroller lyckas %[1]s`
+pulls.auto_merge_canceled_schedule_comment = `avbröt automatisk sammanfogning av den här ändringsförfrågan när alla kontroller lyckas %[1]s`
 pulls.delete_after_merge.head_branch.is_default = Huvudgrenen du vill radera är standardgrenen och kan inte raderas.
 pulls.delete_after_merge.head_branch.is_protected = Huvudgrenen du vill radera är en skyddad gren och kan inte raderas.
 pulls.delete_after_merge.head_branch.insufficient_branch = Du har inte behörighet att radera huvudgrenen.
-pulls.delete.title = Radera denna ändringsförfrågan?
-pulls.delete.text = Vill du verkligen radera denna ändringsförfrågan? (Detta tar permanent bort allt innehåll. Överväg att stänga den istället om du vill behålla den arkiverad)
+pulls.delete.title = Radera den här ändringsförfrågan?
+pulls.delete.text = Vill du verkligen radera den här ändringsförfrågan? (Det här tar permanent bort allt innehåll. Överväg att stänga den istället om du vill behålla den arkiverad)
 pulls.recently_pushed_new_branches = Du skickade till gren <a href="%[3]s"><strong>%[1]s</strong></a> %[2]s
 pull.deleted_branch = (raderad):%s
 comments.edit.already_changed = Det gick inte att spara ändringar till kommentaren. Det verkar som att innehållet redan har ändrats av en annan användare. Uppdatera sidan och försök redigera igen för att undvika att skriva över deras ändringar
@@ -2425,9 +2425,9 @@ milestones.create_success = Milstolpen "%s" har skapats.
 milestones.edit_success = Milstolpen "%s" har uppdaterats.
 milestones.filter_sort.earliest_due_data = Närmaste förfallodatum
 milestones.filter_sort.latest_due_date = Avlägsnaste förfallodatum
-signing.will_sign = Denna incheckning kommer signeras med nyckel "%s".
+signing.will_sign = den här incheckning kommer signeras med nyckel "%s".
 signing.wont_sign.error = Det uppstod ett fel vid kontroll om incheckningen kunde signeras.
-signing.wont_sign.nokey = Denna instans har ingen nyckel att signera denna incheckning med.
+signing.wont_sign.nokey = den här instans har ingen nyckel att signera den här incheckning med.
 signing.wont_sign.never = Incheckningar signeras aldrig.
 signing.wont_sign.always = Incheckningar signeras alltid.
 signing.wont_sign.pubkey = Incheckningen kommer inte signeras eftersom du inte har en offentlig nyckel kopplad till ditt konto.
@@ -2442,7 +2442,7 @@ wiki.file_revision = Sidrevision
 wiki.wiki_page_revisions = Sidrevisioner
 wiki.delete_page_notice_1 = Borttagning av wiki-sidan "%s" kan inte ångras. Vill du fortsätta?
 wiki.reserved_page = Wiki-sidnamnet "%s" är reserverat.
-wiki.page_name_desc = Ange ett namn för denna wiki-sida. Vissa speciella namn är: "Home", "_Sidebar" och "_Footer".
+wiki.page_name_desc = Ange ett namn för den här wiki-sida. Vissa speciella namn är: "Home", "_Sidebar" och "_Footer".
 wiki.original_git_entry_tooltip = Visa ursprunglig Git-fil istället för att använda vänlig länk.
 activity.navbar.contributors = Bidragsgivare
 activity.navbar.recent_commits = Senaste incheckningar
@@ -2459,18 +2459,18 @@ contributors.contribution_type.filter_label = Bidragstyp:
 contributors.contribution_type.additions = Tillägg
 contributors.contribution_type.deletions = Borttagningar
 settings.federation_settings = Federationsinställningar
-settings.federation_apapiurl = Federations-URL för detta kodförråd. Kopiera och klistra in detta i Federationsinställningar för ett annat kodförråd som en URL för ett följt kodförråd.
+settings.federation_apapiurl = Federations-URL för det här kodförråd. Kopiera och klistra in det här i Federationsinställningar för ett annat kodförråd som en URL för ett följt kodförråd.
 settings.federation_following_repos = URL:er för följda kodförråd. Separerade med ";", inga mellanslag.
 settings.federation_not_enabled = Federation är inte aktiverat på din instans.
 settings.mirror_settings.docs = Konfigurera ditt kodförråd för att automatiskt synkronisera incheckningar, taggar och grenar med ett annat kodförråd.
-settings.mirror_settings.docs.disabled_pull_mirror.instructions = Konfigurera ditt projekt för att automatiskt skicka incheckningar, taggar och grenar till ett annat kodförråd. Dra-speglingar har inaktiverats av din webbplatsadministratör.
+settings.mirror_settings.docs.disabled_pull_mirror.instructions = Konfigurera ditt projekt för att automatiskt skicka incheckningar, taggar och grenar till ett annat kodförråd. Hämtningspeglingar har inaktiverats av din webbplatsadministratör.
 settings.mirror_settings.docs.disabled_push_mirror.instructions = Konfigurera ditt projekt för att automatiskt hämta incheckningar, taggar och grenar från ett annat kodförråd.
-settings.mirror_settings.docs.disabled_push_mirror.pull_mirror_warning = Just nu kan detta endast göras i menyn "Ny migrering". För mer information, se:
+settings.mirror_settings.docs.disabled_push_mirror.pull_mirror_warning = Just nu kan det här endast göras i menyn "Ny migrering". För mer information, se:
 settings.mirror_settings.docs.disabled_push_mirror.info = Skicka-speglingar har inaktiverats av din webbplatsadministratör.
 settings.mirror_settings.docs.no_new_mirrors = Ditt kodförråd speglar ändringar till eller från ett annat kodförråd. Observera att du inte kan skapa några nya speglingar just nu.
 settings.mirror_settings.docs.can_still_use = Även om du inte kan ändra befintliga speglingar eller skapa nya, kan du fortfarande använda din befintliga spegling.
 settings.mirror_settings.docs.pull_mirror_instructions = För att konfigurera en dra-spegling, se:
-settings.mirror_settings.docs.more_information_if_disabled = Du kan läsa mer om skicka- och dra-speglingar här:
+settings.mirror_settings.docs.more_information_if_disabled = Du kan läsa mer om skicka- och hämtaspeglingar här:
 settings.mirror_settings.docs.doc_link_title = Hur speglar jag kodförråd?
 settings.mirror_settings.docs.doc_link_pull_section = avsnittet "Hämta från ett fjärr-kodförråd" i dokumentationen.
 settings.mirror_settings.docs.pulling_remote_title = Hämta från ett fjärr-kodförråd
@@ -2519,27 +2519,27 @@ settings.transfer.success = Överföring av kodförråd lyckades.
 settings.transfer_abort_invalid = Du kan inte avbryta en obefintlig överföring av kodförråd.
 settings.transfer_abort_success = Överföringen av kodförrådet till %s avbröts framgångsrikt.
 settings.confirmation_string = Bekräftelsesträng
-settings.transfer_in_progress = Det pågår för närvarande en överföring. Avbryt den om du vill överföra detta kodförråd till en annan användare.
-settings.transfer_notices_3 = - Om kodförrådet är privat och överförs till en enskild användare, ser denna åtgärd till att användaren har åtminstone läsbehörighet (och ändrar behörigheter vid behov).
+settings.transfer_in_progress = Det pågår för närvarande en överföring. Avbryt den om du vill överföra det här kodförråd till en annan användare.
+settings.transfer_notices_3 = - Om kodförrådet är privat och överförs till en enskild användare, ser den här åtgärd till att användaren har åtminstone läsbehörighet (och ändrar behörigheter vid behov).
 settings.transfer_perform = Genomför överföring
-settings.transfer_started = Detta kodförråd har markerats för överföring och väntar på bekräftelse från "%s"
+settings.transfer_started = Det här kodförråd har markerats för överföring och väntar på bekräftelse från "%s"
 settings.transfer_quota_exceeded = Den nya ägaren (%s) har överskridit kvoten. Kodförrådet har inte överförts.
 settings.signing_settings = Inställningar för signaturverifiering
 settings.trust_model = Förtroendemodell för signaturer
 settings.trust_model.default = Standardförtroendemodell
-settings.trust_model.default.desc = Använd standardförtroendemodell för kodförråd i denna installation.
+settings.trust_model.default.desc = Använd standardförtroendemodell för kodförråd i den här installation.
 settings.trust_model.collaborator.long = Medarbetare: Lita på signaturer från medarbetare
-settings.trust_model.collaborator.desc = Giltiga signaturer från medarbetare i detta kodförråd markeras som "betrodda" - (oavsett om de matchar incheckaren eller inte). Annars markeras giltiga signaturer som "ej betrodda" om signaturen matchar incheckaren och "ej matchande" om inte.
+settings.trust_model.collaborator.desc = Giltiga signaturer från medarbetare i det här kodförråd markeras som "betrodda" - (oavsett om de matchar incheckaren eller inte). Annars markeras giltiga signaturer som "ej betrodda" om signaturen matchar incheckaren och "ej matchande" om inte.
 settings.trust_model.committer = Incheckare
-settings.trust_model.committer.long = Incheckare: Lita på signaturer som matchar incheckare (Detta matchar GitHub och tvingar Forgejo-signerade incheckningar att ha Forgejo som incheckare)
-settings.trust_model.committer.desc = Giltiga signaturer markeras endast som "betrodda" om de matchar incheckaren, annars markeras de som "ej matchande". Detta tvingar Forgejo att vara incheckare på signerade incheckningar med den faktiska incheckaren markerad som Co-authored-by: och Co-committed-by: i incheckningens avslutning. Forgejos standardnyckel måste matcha en användare i databasen.
+settings.trust_model.committer.long = Incheckare: Lita på signaturer som matchar incheckare (Det här matchar GitHub och tvingar Forgejo-signerade incheckningar att ha Forgejo som incheckare)
+settings.trust_model.committer.desc = Giltiga signaturer markeras endast som "betrodda" om de matchar incheckaren, annars markeras de som "ej matchande". Det här tvingar Forgejo att vara incheckare på signerade incheckningar med den faktiska incheckaren markerad som Co-authored-by: och Co-committed-by: i incheckningens avslutning. Forgejos standardnyckel måste matcha en användare i databasen.
 settings.trust_model.collaboratorcommitter = Medarbetare+Incheckare
 settings.trust_model.collaboratorcommitter.long = Medarbetare+Incheckare: Lita på signaturer från medarbetare som matchar incheckaren
-settings.trust_model.collaboratorcommitter.desc = Giltiga signaturer från medarbetare i detta kodförråd markeras som "betrodda" om de matchar incheckaren. Annars markeras giltiga signaturer som "ej betrodda" om signaturen matchar incheckaren och "ej matchande" annars. Detta tvingar Forgejo att markeras som incheckare på signerade incheckningar med den faktiska incheckaren markerad som Co-Authored-By: och Co-Committed-By: i incheckningens avslutning. Forgejos standardnyckel måste matcha en användare i databasen.
+settings.trust_model.collaboratorcommitter.desc = Giltiga signaturer från medarbetare i det här kodförråd markeras som "betrodda" om de matchar incheckaren. Annars markeras giltiga signaturer som "ej betrodda" om signaturen matchar incheckaren och "ej matchande" annars. Det här tvingar Forgejo att markeras som incheckare på signerade incheckningar med den faktiska incheckaren markerad som Co-Authored-By: och Co-Committed-By: i incheckningens avslutning. Forgejos standardnyckel måste matcha en användare i databasen.
 settings.wiki_rename_branch_main = Normalisera wiki-grenens namn
-settings.wiki_rename_branch_main_desc = Byt namn på grenen som används internt av wikin till "%s". Denna ändring är permanent och kan inte ångras.
-settings.wiki_rename_branch_main_notices_1 = Denna åtgärd kan <strong>INTE</strong> ångras.
-settings.wiki_rename_branch_main_notices_2 = Detta kommer permanent byta namn på den interna grenen för %s:s wiki. Befintliga utcheckningar behöver uppdateras.
+settings.wiki_rename_branch_main_desc = Byt namn på grenen som används internt av wikin till "%s". den här ändring är permanent och kan inte ångras.
+settings.wiki_rename_branch_main_notices_1 = den här åtgärd kan <strong>INTE</strong> ångras.
+settings.wiki_rename_branch_main_notices_2 = Det här kommer permanent byta namn på den interna grenen för %s:s wiki. Befintliga utcheckningar behöver uppdateras.
 settings.wiki_branch_rename_success = Kodförrådets wiki-grennamn har normaliserats framgångsrikt.
 settings.wiki_branch_rename_failure = Misslyckades med att normalisera kodförrådets wiki-grennamn.
 settings.confirm_wiki_branch_rename = Byt namn på wiki-grenen
@@ -2549,12 +2549,12 @@ settings.add_collaborator_owner = Det går inte att lägga till en ägare som me
 settings.add_collaborator_blocked_our = Det går inte att lägga till medarbetaren, eftersom kodförrådets ägare har blockerat dem.
 settings.add_collaborator_blocked_them = Det går inte att lägga till medarbetaren, eftersom de har blockerat kodförrådets ägare.
 settings.change_team_permission_tip = Teamets behörighet ställs in på teaminställningssidan och kan inte ändras per kodförråd
-settings.delete_team_tip = Detta team har åtkomst till alla kodförråd och kan inte tas bort
+settings.delete_team_tip = Det här team har åtkomst till alla kodförråd och kan inte tas bort
 settings.add_webhook.invalid_channel_name = Webbkrok-kanalnamn kan inte vara tomt och kan inte bara innehålla ett #-tecken.
 settings.add_webhook.invalid_path = Sökvägen får inte innehålla en del som är "." eller ".." eller en tom sträng. Den kan inte börja eller sluta med ett snedstreck.
-settings.webhook.test_delivery_desc_disabled = För att testa denna webbkrok med en simulerad händelse, aktivera den.
-settings.webhook.replay.description = Spela upp denna webbkrok igen.
-settings.webhook.replay.description_disabled = För att spela upp denna webbkrok igen, aktivera den.
+settings.webhook.test_delivery_desc_disabled = För att testa den här webbkrok med en simulerad händelse, aktivera den.
+settings.webhook.replay.description = Spela upp den här webbkrok igen.
+settings.webhook.replay.description_disabled = För att spela upp den här webbkrok igen, aktivera den.
 settings.webhook.delivery.success = Ett händelse har lagts till i leveranskön. Det kan ta några sekunder innan det visas i leveranshistoriken.
 settings.githooks_desc = Git-krokar drivs av Git själv. Du kan redigera krokfiler nedan för att sätta upp anpassade operationer.
 settings.discord_icon_url.exceeds_max_length = Ikon-URL måste vara 2048 tecken eller färre
@@ -2592,7 +2592,7 @@ settings.event_package_desc = Paket skapat eller borttaget i ett kodförråd.
 settings.branch_filter_desc = Vitlista för grenar vid skicka-, grenskapande- och grenborttagningshändelser, angivet som glob-mönster. Om tomt eller <code>*</code>, rapporteras händelser för alla grenar. Se <a href="%[1]s">%[2]s</a>-dokumentationen för syntax. Exempel: <code>master</code>, <code>{master,release*}</code>.
 settings.authorization_header = Auktoriseringshuvud
 settings.authorization_header_desc = Kommer att inkluderas som auktoriseringshuvud för förfrågningar när det finns. Exempel: %s.
-settings.active_helper = Information om utlösta händelser kommer att skickas till denna webbkrok-URL.
+settings.active_helper = Information om utlösta händelser kommer att skickas till den här webbkrok-URL.
 settings.add_web_hook_desc = Integrera <a target="_blank" rel="noreferrer" href="%s">%s</a> i ditt kodförråd.
 settings.web_hook_name_gitea = Gitea
 settings.web_hook_name_forgejo = Forgejo
@@ -2615,11 +2615,11 @@ settings.sourcehut_builds.access_token_helper = Åtkomsttoken som har JOBS:RW-be
 settings.add_key_success = Distributionsnyckeln "%s" har lagts till.
 settings.protect_new_rule = Skapa en ny grenskyddsregel
 settings.protect_enable_merge = Aktivera sammanfogning
-settings.protect_enable_merge_desc = Alla med skrivåtkomst kommer att kunna sammanfoga ändringsförfrågningar till denna gren.
+settings.protect_enable_merge_desc = Alla med skrivåtkomst kommer att kunna sammanfoga ändringsförfrågningar till den här gren.
 settings.protect_whitelist_committers = Vitlista begränsad skickning
-settings.protect_whitelist_committers_desc = Endast vitlistade användare eller team kommer att kunna skicka till denna gren (men inte tvångsskicka).
+settings.protect_whitelist_committers_desc = Endast vitlistade användare eller team kommer att kunna skicka till den här gren (men inte tvångsskicka).
 settings.protect_status_check_patterns = Mönster för statuskontroller
-settings.protect_status_check_patterns_desc = Ange mönster för att specificera vilka statuskontroller som måste godkännas innan grenar kan sammanfogas till en gren som matchar denna regel. Varje rad anger ett mönster. Mönster kan inte vara tomma.
+settings.protect_status_check_patterns_desc = Ange mönster för att specificera vilka statuskontroller som måste godkännas innan grenar kan sammanfogas till en gren som matchar den här regel. Varje rad anger ett mönster. Mönster kan inte vara tomma.
 settings.protect_status_check_matched = Matchad
 settings.protect_invalid_status_check_pattern = Ogiltigt mönster för statuskontroll: "%s".
 settings.protect_no_valid_status_check_patterns = Inga giltiga mönster för statuskontroll.
@@ -2633,7 +2633,7 @@ settings.ignore_stale_approvals_desc = Räkna inte godkännanden som gjordes på
 settings.protect_branch_name_pattern = Mönster för skyddat grennamn
 settings.protect_branch_name_pattern_desc = Mönster för skyddade grennamn. Se <a href="%s">dokumentationen</a> för mönstersyntax. Exempel: main, release/**
 settings.protect_protected_file_patterns = Mönster för skyddade filer (separerade med semikolon ";")
-settings.protect_protected_file_patterns_desc = Skyddade filer får inte ändras direkt även om användaren har rättigheter att lägga till, redigera, eller ta bort filer i denna gren. Flera mönster kan separeras med semikolon (";"). Se <a href="%[1]s">%[2]s</a>-dokumentationen för mönstersyntax. Exempel: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>.
+settings.protect_protected_file_patterns_desc = Skyddade filer får inte ändras direkt även om användaren har rättigheter att lägga till, redigera, eller ta bort filer i den här gren. Flera mönster kan separeras med semikolon (";"). Se <a href="%[1]s">%[2]s</a>-dokumentationen för mönstersyntax. Exempel: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>.
 settings.protect_unprotected_file_patterns = Mönster för oskyddade filer (separerade med semikolon ";")
 settings.protect_unprotected_file_patterns_desc = Oskyddade filer som kan ändras direkt om användaren har skrivåtkomst, förbi push-begränsningen. Flera mönster kan separeras med semikolon (";"). Se <a href="%[1]s">%[2]s</a>-dokumentationen för mönstersyntax. Exempel: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>.
 settings.update_protect_branch_success = Grenskydd för regeln "%s" har uppdaterats.
@@ -2645,29 +2645,29 @@ settings.block_on_official_review_requests = Blockera sammanfogning vid officiel
 settings.block_on_official_review_requests_desc = Sammanfogning kommer inte vara möjlig när det finns officiella granskningsförfrågningar, även om det finns tillräckligt med godkännanden.
 settings.block_outdated_branch = Blockera sammanfogning om ändringsförfrågan är inaktuell
 settings.block_outdated_branch_desc = Sammanfogning kommer inte vara möjlig när head-grenen ligger efter basgrenen.
-settings.enforce_on_admins = Tillämpa denna regel för kodförrådsadministratörer
-settings.enforce_on_admins_desc = Kodförrådsadministratörer kan inte kringgå denna regel.
+settings.enforce_on_admins = Tillämpa den här regel för kodförrådsadministratörer
+settings.enforce_on_admins_desc = Kodförrådsadministratörer kan inte kringgå den här regel.
 settings.merge_style_desc = Sammanfogningsstilar
 settings.default_merge_style_desc = Standard sammanfogningsstil
 settings.protected_branch_required_rule_name = Obligatoriskt regelnamn
-settings.protected_branch_duplicate_rule_name = Det finns redan en regel för denna uppsättning grenar
+settings.protected_branch_duplicate_rule_name = Det finns redan en regel för den här uppsättning grenar
 settings.tags.protection = Taggskydd
 settings.tags.protection.pattern = Taggmönster
 settings.tags.protection.allowed = Tillåtna
 settings.tags.protection.none = Det finns inga skyddade taggar.
 settings.tags.protection.pattern.description = Du kan använda ett enda namn eller ett glob-mönster eller reguljärt uttryck för att matcha flera taggar. Läs mer i <a target="_blank" rel="noopener" href="%s">guiden för skyddade taggar</a>.
 settings.matrix.homeserver_url = Homeserver URL
-settings.matrix.access_token_helper = Det rekommenderas att skapa ett dedikerat Matrix-konto för detta. Åtkomsttoken kan hämtas från Element-webbklienten (i en privat/inkognito-flik) > Användarmeny (uppe till vänster) > Alla inställningar > Hjälp & Om > Avancerat > Åtkomsttoken (precis under Homeserver-URL). Stäng den privata/inkognito-fliken (att logga ut skulle ogiltigförklara token).
+settings.matrix.access_token_helper = Det rekommenderas att skapa ett dedikerat Matrix-konto för det här. Åtkomsttoken kan hämtas från Element-webbklienten (i en privat/inkognito-flik) > Användarmeny (uppe till vänster) > Alla inställningar > Hjälp & Om > Avancerat > Åtkomsttoken (precis under Homeserver-URL). Stäng den privata/inkognito-fliken (att logga ut skulle ogiltigförklara token).
 settings.matrix.room_id_helper = Rum-ID kan hämtas från Element-webbklienten > Rumsinställningar > Avancerat > Internt rum-ID. Exempel: %s.
-settings.archive.text = Arkivering av kodförrådet gör det helt skrivskyddat. Det kommer att döljas från instrumentpanelen. Ingen (inte ens du!) kommer att kunna göra nya incheckningar, eller öppna ärenden eller ändringsförfrågningar.
+settings.archive.text = Arkivering av kodförrådet gör det helt skrivskyddat. Det kommer att döljas från instrumentpanelen. Ingen (inte ens du!) kommer att kunna göra nya incheckningar, eller öppna ärenden eller ändringsförfrågningar. Att dokumentera arkiveringsorsaken rekommenderas för att vägleda framtida utvecklare som planerar att avgrena arkivet.
 settings.archive.tagsettings_unavailable = Tagginställningar är inte tillgängliga i arkiverade kodförråd.
 settings.archive.mirrors_unavailable = Speglingar är inte tillgängliga i arkiverade kodförråd.
 settings.unarchive.button = Avarkivera kodförråd
-settings.unarchive.header = Avarkivera detta kodförråd
+settings.unarchive.header = Avarkivera kodförrådet
 settings.unarchive.text = Avarkivering av kodförrådet återställer dess förmåga att ta emot incheckningar och skickar, samt nya ärenden och ändringsförfrågningar.
 settings.unarchive.success = Kodförrådet avarkiverades framgångsrikt.
 settings.unarchive.error = Ett fel uppstod vid försök att avarkivera kodförrådet. Se loggen för mer detaljer.
-settings.lfs_noattribute = Denna sökväg har inte attributet låsbar i standardgrenen
+settings.lfs_noattribute = den här sökväg har inte attributet låsbar i standardgrenen
 settings.lfs_delete = Ta bort LFS-fil med OID %s
 settings.lfs_delete_warning = Borttagning av en LFS-fil kan orsaka "objekt finns inte"-fel vid utcheckning. Är du säker?
 settings.lfs_findpointerfiles = Hitta pekarfiler
@@ -2681,14 +2681,14 @@ settings.rename_branch_failed_exist = Det går inte att byta namn på grenen eft
 settings.rename_branch_success = Grenen %s byttes framgångsrikt namn till %s.
 diff.git-notes.add = Lägg till anteckning
 diff.git-notes.remove-header = Ta bort anteckning
-diff.git-notes.remove-body = Denna anteckning kommer att tas bort.
+diff.git-notes.remove-body = den här anteckning kommer att tas bort.
 diff.options_button = Diff-alternativ
 diff.download_patch = Ladda ner programfixfil
 diff.download_diff = Ladda ner diff-fil
 diff.stats_desc_file = %d ändringar: %d tillägg och %d borttagningar
 diff.bin_not_shown = Binärfil visas inte.
 diff.file_suppressed_line_too_long = Fil-diff undertryckt eftersom en eller flera rader är för långa
-diff.too_many_files = Vissa filer visades inte eftersom för många filer har ändrats i denna diff
+diff.too_many_files = Vissa filer visades inte eftersom för många filer har ändrats i den här diff
 diff.load = Ladda diff
 diff.generated = genererad
 diff.vendored = tredjepartspaketerad
@@ -2703,7 +2703,7 @@ diff.image.overlay = Överlägga
 diff.show_file_tree = Visa filträd
 diff.hide_file_tree = Dölj filträd
 release.detail = Utgåvedetaljer
-release.tag_helper_new = Ny tagg. Denna tagg kommer att skapas från målet.
+release.tag_helper_new = Ny tagg. den här tagg kommer att skapas från målet.
 release.title = Utgåvetitel
 release.title_empty = Titeln kan inte vara tom.
 release.message = Beskriv denna utgåva
@@ -2730,7 +2730,7 @@ branch.deletion_success = Grenen "%s" har tagits bort.
 branch.deletion_failed = Misslyckades med att ta bort grenen "%s".
 branch.delete_branch_has_new_commits = Grenen "%s" kan inte tas bort eftersom nya incheckningar har lagts till efter sammanfogning.
 branch.create_success = Grenen "%s" har skapats.
-branch.branch_already_exists = Grenen "%s" finns redan i detta kodförråd.
+branch.branch_already_exists = Grenen "%s" finns redan i det här kodförråd.
 branch.branch_name_conflict = Grennamnet "%s" är i konflikt med den redan befintliga grenen "%s".
 branch.tag_collision = Grenen "%s" kan inte skapas eftersom en tagg med samma namn redan finns i kodförrådet.
 branch.restore_success = Grenen "%s" har återställts.
@@ -2740,7 +2740,7 @@ branch.default_deletion_failed = Grenen "%s" är standardgrenen. Den kan inte ta
 branch.restore = Återställ grenen "%s"
 branch.download = Ladda ner grenen "%s"
 branch.rename = Byt namn på grenen "%s"
-branch.included_desc = Denna gren är en del av standardgrenen
+branch.included_desc = den här gren är en del av standardgrenen
 branch.included = Inkluderad
 branch.create_new_branch = Skapa gren från gren:
 branch.warning_rename_default_branch = Du byter namn på standardgrenen.
@@ -2754,9 +2754,9 @@ tag.create_success = Taggen "%s" har skapats.
 topic.format_prompt = Ämnen måste börja med en bokstav eller siffra, kan innehålla bindestreck ("-") och punkter ("."), och kan vara upp till 35 tecken långa. Bokstäver måste vara gemener.
 find_file.go_to_file = Hitta en fil
 find_file.no_matching = Ingen matchande fil hittades
-error.csv.too_large = Det går inte att rendera denna fil eftersom den är för stor.
-error.csv.unexpected = Det går inte att rendera denna fil eftersom den innehåller ett oväntat tecken på rad %d och kolumn %d.
-error.csv.invalid_field_count = Det går inte att rendera denna fil eftersom den har fel antal fält på rad %d.
+error.csv.too_large = Det går inte att rendera den här fil eftersom den är för stor.
+error.csv.unexpected = Det går inte att rendera den här fil eftersom den innehåller ett oväntat tecken på rad %d och kolumn %d.
+error.csv.invalid_field_count = Det går inte att rendera den här fil eftersom den har fel antal fält på rad %d.
 
 
 
@@ -2764,7 +2764,7 @@ error.csv.invalid_field_count = Det går inte att rendera denna fil eftersom den
 component_loading = Laddar %s…
 code_frequency.what = kodfrekvens
 component_loading_failed = Det gick inte att ladda %s
-component_loading_info = Detta kan ta en stund…
+component_loading_info = Det här kan ta en stund…
 component_failed_to_load = Ett oväntat fel inträffade.
 contributors.what = bidrag
 recent_commits.what = senaste incheckningar
@@ -2809,7 +2809,7 @@ settings.update_settings=Uppdatera inställningar
 settings.update_setting_success=Organisationsinställningarna har uppdaterats.
 settings.update_avatar_success=Organisationens avatar har uppdateras.
 settings.delete=Tag bort organisation
-settings.delete_account=Ta bort denna organisation
+settings.delete_account=Ta bort den här organisation
 settings.delete_prompt=Organisationen kommer tas bort permanent, och det går <strong>INTE</strong> att ångra detta!
 settings.confirm_delete_account=Bekräfta borttagning
 settings.delete_org_title=Ta bort organisation
@@ -2848,7 +2848,7 @@ teams.add_team_member=Lägg till teammedlem
 teams.delete_team_title=Ta bort team
 teams.delete_team_desc=Borttagning av ett team återkallar åtkomsten till kodförråd för dess medlemmar. Vill du fortsätta?
 teams.delete_team_success=Teamet har blivit borttaget.
-teams.admin_permission_desc=Medlemskap i detta team ger <strong>administratörsrättigheter</strong>: medlemmar kan läsa från, skicka till och lägga till medarbetare till teamets kodförråd.
+teams.admin_permission_desc=Medlemskap i det här team ger <strong>administratörsrättigheter</strong>: medlemmar kan läsa från, skicka till och lägga till medarbetare till teamets kodförråd.
 teams.create_repo_permission_desc=Vidare så ger detta team <strong>Skapa utvecklingskatalog</strong> rättigheten: medlemmar can skapa nya utvecklingskataloger i organisationen.
 teams.repositories=Lagets utvecklingskataloger
 teams.remove_all_repos_title=Ta bort alla utvecklingskataloger för teamet
@@ -2869,7 +2869,7 @@ teams.none_access = Ingen åtkomst
 teams.general_access = Anpassad åtkomst
 teams.invite_team_member.list = Väntande inbjudningar
 open_dashboard = Öppna instrumentpanel
-follow_blocked_user = Du kan inte följa denna organisation eftersom denna organisation har blockerat dig.
+follow_blocked_user = Du kan inte följa den här organisation eftersom den här organisation har blockerat dig.
 form.name_reserved = Organisationsnamnet "%s" är reserverat.
 form.name_pattern_not_allowed = Mönstret "%s" är inte tillåtet i ett organisationsnamn.
 settings.email = Kontakt-e-post
@@ -3062,10 +3062,10 @@ auths.tip.facebook=Registrera en ny appliaktion på %s och lägg till produkten
 auths.tip.github=Registrera en ny OAuth applikation på %s
 auths.tip.google_plus=Erhåll inloggningsuppgifter för OAuth2 från Google API-konsolen på %s
 auths.tip.openid_connect=Använd OpenID Connect Discovery länken (<server>/.well-known/openid-configuration) för att ange slutpunkterna
-auths.tip.twitter=Gå till %s, skapa en applikation och försäkra att alternativet "Tillåt att denna applikation används för att logga in med Twitter" är aktiverat
+auths.tip.twitter=Gå till %s, skapa en applikation och försäkra att alternativet "Tillåt att den här applikation används för att logga in med Twitter" är aktiverat
 auths.tip.discord=Registrera en ny applikation på %s
 auths.edit=Redigera autentiseringskälla
-auths.activated=Denna autentiseringskälla är aktiverad
+auths.activated=den här autentiseringskälla är aktiverad
 auths.update_success=Autentiseringskällan har uppdaterats.
 auths.update=Uppdatera autentiseringskälla
 auths.delete=Ta bort autentiseringskälla
@@ -3223,7 +3223,7 @@ users.bot = Bott
 users.remote = Fjärråtkomst
 users.restricted.description = Tillåt endast interaktion med kodförråd och organisationer där den här användaren finns tillagd som medarbetare. Det förhindrar tillgång till allmänna kodförråd i den här instansen.
 users.is_restricted = Begränsat konto
-self_check.database_inconsistent_collation_columns = Databasen använder kollateringen %s, men dessa kolumner använder felanpassade kollateringar. Det kan komma att orsaka oväntade problem.
+self_check.database_inconsistent_collation_columns = Databasen använder kollateringen %s, men de här kolumner använder felanpassade kollateringar. Det kan komma att orsaka oväntade problem.
 hooks = webbkrokar
 integrations = Integrationer
 users.list_status_filter.menu_text = Filter
@@ -3296,15 +3296,15 @@ dashboard.rebuild_issue_indexer = Återuppbygg ärendeindexerare
 users.restricted = Begränsad
 users.new_success = Användarkontot "%s" har skapats.
 users.activated.description = Slutförande av e-postverifiering. Ägaren av ett oaktiverat konto kommer inte kunna logga in förrän e-postverifieringen är slutförd.
-users.block.description = Blockera denna användare från att interagera med denna tjänst genom deras konto och förbjud inloggning.
-users.admin.description = Ge denna användare full åtkomst till alla administrativa funktioner tillgängliga via webbgränssnittet och API:et.
-users.allow_git_hook_tooltip = Git-krokar körs som OS-användaren som kör Forgejo och kommer ha samma nivå av värdåtkomst. Som ett resultat kan användare med denna speciella Git-hook-behörighet komma åt och modifiera alla Forgejo-kodförråd samt databasen som används av Forgejo. Följaktligen kan de också få Forgejo-administratörsbehörigheter.
-users.local_import.description = Tillåt import av kodförråd från serverns lokala filsystem. Detta kan vara ett säkerhetsproblem.
+users.block.description = Blockera den här användare från att interagera med den här tjänst genom deras konto och förbjud inloggning.
+users.admin.description = Ge den här användare full åtkomst till alla administrativa funktioner tillgängliga via webbgränssnittet och API:et.
+users.allow_git_hook_tooltip = Git-krokar körs som OS-användaren som kör Forgejo och kommer ha samma nivå av värdåtkomst. Som ett resultat kan användare med den här speciella Git-hook-behörighet komma åt och modifiera alla Forgejo-kodförråd samt databasen som används av Forgejo. Följaktligen kan de också få Forgejo-administratörsbehörigheter.
+users.local_import.description = Tillåt import av kodförråd från serverns lokala filsystem. Det här kan vara ett säkerhetsproblem.
 users.organization_creation.description = Tillåt skapande av nya organisationer.
 users.cannot_delete_self = Du kan inte radera dig själv
 users.purge = Rensa användare
-users.purge_help = Tvångsradera användare och alla kodförråd, organisationer och paket som ägs av användaren. Alla kommentarer och ärenden skapade av denna användare kommer också raderas.
-users.still_own_packages = Denna användare äger fortfarande ett eller flera paket, radera dessa paket först.
+users.purge_help = Tvångsradera användare och alla kodförråd, organisationer och paket som ägs av användaren. Alla kommentarer och ärenden skapade av den här användare kommer också raderas.
+users.still_own_packages = den här användare äger fortfarande ett eller flera paket, radera de här paket först.
 users.reset_2fa = Återställ 2FA
 users.list_status_filter.reset = Återställ
 users.list_status_filter.not_active = Inaktiv
@@ -3315,11 +3315,11 @@ users.list_status_filter.is_2fa_enabled = 2FA aktiverad
 users.list_status_filter.not_2fa_enabled = 2FA inaktiverad
 emails.email_manage_panel = Hantera användares e-postadresser
 emails.not_updated = Det gick inte att uppdatera den begärda e-postadressen: %v
-emails.duplicate_active = Denna e-postadress är redan aktiv för en annan användare.
+emails.duplicate_active = den här e-postadress är redan aktiv för en annan användare.
 emails.change_email_header = Uppdatera e-postegenskaper
-emails.change_email_text = Är du säker på att du vill uppdatera denna e-postadress?
+emails.change_email_text = Är du säker på att du vill uppdatera den här e-postadress?
 emails.delete = Radera e-postadress
-emails.delete_desc = Är du säker på att du vill radera denna e-postadress?
+emails.delete_desc = Är du säker på att du vill radera den här e-postadress?
 emails.deletion_success = E-postadressen har raderats.
 emails.delete_primary_email_error = Du kan inte radera den primära e-postadressen.
 repos.unadopted = Oadopterade kodförråd
@@ -3349,7 +3349,7 @@ auths.user_attribute_in_group = Användarattribut listat i grupp
 auths.map_group_to_team = Mappa LDAP-grupper till organisationsteam (lämna fältet tomt för att hoppa över)
 auths.map_group_to_team_removal = Ta bort användare från synkroniserade team om användaren inte tillhör motsvarande LDAP-grupp
 auths.enable_ldap_groups = Aktivera LDAP-grupper
-auths.force_smtps_helper = SMTPS används alltid på port 465. Ställ in detta för att tvinga SMTPS på andra portar. (Annars används STARTTLS på andra portar om det stöds av värden.)
+auths.force_smtps_helper = SMTPS används alltid på port 465. Ställ in det här för att tvinga SMTPS på andra portar. (Annars används STARTTLS på andra portar om det stöds av värden.)
 auths.helo_hostname = HELO-värdnamn
 auths.helo_hostname_helper = Värdnamn som skickas med HELO. Lämna tomt för att skicka nuvarande värdnamn.
 auths.disable_helo = Inaktivera HELO
@@ -3359,10 +3359,10 @@ auths.skip_local_two_fa_helper = Att lämna det omarkerat innebär att lokala an
 auths.oauth2_tenant = Klient
 auths.oauth2_scopes = Ytterligare scopes
 auths.oauth2_required_claim_name = Obligatoriskt claim-namn
-auths.oauth2_required_claim_name_helper = Ange detta namn för att begränsa inloggning från denna källa till användare med ett claim med detta namn
+auths.oauth2_required_claim_name_helper = Ange det här namn för att begränsa inloggning från den här källa till användare med ett claim med det här namn
 auths.oauth2_required_claim_value = Obligatoriskt claim-värde
-auths.oauth2_required_claim_value_helper = Ange detta värde för att begränsa inloggning från denna källa till användare med ett claim med detta namn och värde
-auths.oauth2_group_claim_name = Claim-namn som ger gruppnamn för denna källa. (Valfritt)
+auths.oauth2_required_claim_value_helper = Ange det här värde för att begränsa inloggning från den här källa till användare med ett claim med det här namn och värde
+auths.oauth2_group_claim_name = Claim-namn som ger gruppnamn för den här källa. (Valfritt)
 auths.oauth2_admin_group = Grupp-claim-värde för administratörsanvändare. (Valfritt - kräver claim-namn ovan)
 auths.oauth2_restricted_group = Grupp-claim-värde för begränsade användare. (Valfritt - kräver claim-namn ovan)
 auths.oauth2_map_group_to_team = Mappa claimade grupper till organisationsteam. (Valfritt - kräver claim-namn ovan)
@@ -3376,7 +3376,7 @@ auths.tip.mastodon = Ange en anpassad instans-URL för Mastodon-instansen du vil
 auths.new_success = Autentiseringen "%s" har lagts till.
 auths.login_source_exist = Autentiseringskällan "%s" finns redan.
 auths.unable_to_initialize_openid = Det gick inte att initiera OpenID Connect-leverantör: %s
-auths.invalid_openIdConnectAutoDiscoveryURL = Ogiltig Auto Discovery-URL (detta måste vara en giltig URL som börjar med http:// eller https://)
+auths.invalid_openIdConnectAutoDiscoveryURL = Ogiltig Auto Discovery-URL (det här måste vara en giltig URL som börjar med http:// eller https://)
 config.app_slogan = Instansslogan
 config.custom_file_root_path = Anpassad filrotsökväg
 config.app_data_path = Sökväg för appdata
@@ -3530,7 +3530,7 @@ workflow.disable_success = Arbetsflödet "%s" inaktiverat framgångsrikt.
 workflow.enable = Aktivera arbetsflöde
 workflow.enable_success = Arbetsflödet "%s" aktiverat framgångsrikt.
 workflow.disabled = Arbetsflödet är inaktiverat.
-workflow.dispatch.trigger_found = Detta arbetsflöde har en <c>workflow_dispatch</c>-händelseutlösare.
+workflow.dispatch.trigger_found = Det här arbetsflöde har en <c>workflow_dispatch</c>-händelseutlösare.
 workflow.dispatch.use_from = Använd arbetsflöde från
 workflow.dispatch.run = Kör arbetsflöde
 workflow.dispatch.success = Arbetsflödeskörning begärdes framgångsrikt.
@@ -3597,7 +3597,7 @@ keyword_search_unavailable = Sökning på nyckelord är för närvarande inte ti
 
 
 [translation_meta]
-test = Det här är en teststräng. Den visas inte i Forgejo UI men används vid testtillfälle. Vänligen skriv in "ok" för att spara tid (eller en intressant fakta du själv väljer) för att nå upp till 100% komplett :)
+test = Det här är en teststräng. Den visas inte i Forgejo UI men används vid testtillfälle. skriv in "ok" för att spara tid (eller en intressant fakta du själv väljer) för att nå upp till 100% komplett :)
 
 [munits.data]
 
diff --git a/options/locale/locale_uk-UA.ini b/options/locale/locale_uk-UA.ini
index 6292177a32..9c02d496f9 100644
--- a/options/locale/locale_uk-UA.ini
+++ b/options/locale/locale_uk-UA.ini
@@ -2311,7 +2311,7 @@ pulls.clear_merge_message_hint = Очищення повідомлення пр
 branch.delete_branch_has_new_commits = Гілку «%s» не можна видалити, оскільки після об’єднання було додано нові коміти.
 settings.graphql_url = Посилання GraphQL
 settings.packagist_api_token = Токен API
-settings.archive.text = Архівування репозиторію зробить його доступним тільки для читання. Він буде прихований з панелі управління. Ніхто (навіть ви!) не зможе робити нові коміти, створювати задачі чи запити на злиття.
+settings.archive.text = Архівування репозиторію зробить його доступним тільки для читання. Він буде прихований з панелі управління. Ніхто (навіть ви!) не зможе робити нові коміти, створювати задачі чи запити на злиття. Рекомендуємо вказати причину архівування для тих, хто у майбутньому захоче створити форк цього репозиторію.
 settings.protected_branch.delete_rule = Видалити правило
 settings.branches.add_new_rule = Додати нове правило
 settings.add_key_success = Ключ розгортання «%s» додано.
@@ -2877,7 +2877,7 @@ teams.add_all_repos_desc=Усі репозиторії організації б
 teams.add_duplicate_users=Користувач уже є учасником команди.
 teams.repos.none=Для команди немає доступних репозиторіїв.
 teams.members.none=У цій команді немає учасників.
-teams.specific_repositories=Конкретні репозиторії
+teams.specific_repositories=Визначені репозиторії
 teams.specific_repositories_helper=Учасники матимуть доступ лише до репозиторіїв, які були явно додані до команди. Вибір цього пункту <strong>не призводить</strong> до автоматичного видалення репозиторіїв, доданих з <i>Усі репозиторії</i>.
 teams.all_repositories=Усі репозиторії
 teams.all_repositories_helper=Команда має доступ до всіх репозиторіїв. Вибір цього пункту <strong>додасть усі наявні</strong> репозиторії до команди.
@@ -3019,7 +3019,7 @@ users.allow_create_organization=Може створювати організац
 users.update_profile=Оновити обліковий запис
 users.delete_account=Видалити обліковий запис
 users.still_own_repo=Цьому користувачу досі належать один чи більше репозиторіїв. Спершу видаліть або передайте їх.
-users.still_has_org=Цей обліковий запис все ще є учасником однієї або декількох організацій. Для продовження, покиньте або видаліть організації.
+users.still_has_org=Цей користувач є учасником однієї або декількох організацій. Спочатку видаліть користувача з усіх організацій.
 users.deletion_success=Обліковий запис користувача видалено.
 users.reset_2fa=Скинути 2FA
 users.list_status_filter.menu_text=Фільтр
diff --git a/options/locale/locale_zh-CN.ini b/options/locale/locale_zh-CN.ini
index 5b685e36ae..e278b425c9 100644
--- a/options/locale/locale_zh-CN.ini
+++ b/options/locale/locale_zh-CN.ini
@@ -347,7 +347,7 @@ app_slogan_helper = 在此处输入您的实例标语。留空则禁用。
 [home]
 uname_holder=用户名或电子邮件地址
 switch_dashboard_context=切换控制面板用户
-my_repos=仓库列表
+my_repos=仓库
 my_orgs=我的组织
 view_home=访问%s
 filter=其他过滤器
@@ -641,7 +641,7 @@ email_domain_is_not_allowed = 用户电子邮件地址的域名<b>%s</b>与EMAIL
 [user]
 change_avatar=修改头像……
 joined_on=加入于%s
-repositories=仓库列表
+repositories=仓库
 activity=公开活动
 followers_few=%d位关注者
 starred=已点赞
@@ -691,7 +691,7 @@ avatar=头像设置
 ssh_gpg_keys=SSH / GPG公钥
 applications=应用
 orgs=组织
-repos=仓库列表
+repos=仓库
 delete=删除账号
 twofa=两步验证（TOTP）
 organization=组织
@@ -1350,7 +1350,7 @@ editor.cherry_pick=Cherry-pick %s到：
 editor.revert=将%s还原到：
 
 commits.desc=浏览代码修改历史。
-commits.commits=次代码提交
+commits.commits=次提交
 commits.no_commits=没有共同的提交。%s和%s的历史完全不同。
 commits.nothing_to_compare=这些分支是相同的。
 commits.search.tooltip=您可以在关键词前加上前缀"author:"、"committer:"、"after:"或"before:"，例如"revert author:Alice before:2019-01-13"。
@@ -1574,7 +1574,7 @@ issues.role.member=成员
 issues.role.member_helper=该用户是拥有该仓库的组织成员。
 issues.role.collaborator=协作者
 issues.role.collaborator_helper=该用户已被邀请在仓库上进行协作。
-issues.role.first_time_contributor=首次贡献者
+issues.role.first_time_contributor=初次贡献者
 issues.role.first_time_contributor_helper=这是该用户对仓库的第一次贡献。
 issues.role.contributor=贡献者
 issues.role.contributor_helper=该用户之前已提交至该仓库。
@@ -1776,7 +1776,7 @@ pulls.has_pull_request=这些分支之间的合并请求已存在：<a href="%[1
 pulls.create=创建合并请求
 pulls.change_target_branch_at=将目标分支从<b>%s</b>更改为<b>%s</b> %s
 pulls.tab_conversation=对话
-pulls.tab_commits=代码提交
+pulls.tab_commits=提交
 pulls.tab_files=文件更改
 pulls.reopen_to_merge=请重新创建此合并请求。
 pulls.cant_reopen_deleted_branch=无法重新打开此合并请求，因为分支已删除。
@@ -2404,7 +2404,7 @@ settings.matrix.room_id=房间ID
 settings.matrix.message_type=消息类型
 settings.archive.button=存档仓库
 settings.archive.header=存档此仓库
-settings.archive.text=存档仓库将使其完全只读。它将在首页隐藏。没有人（甚至包括你！）能够进行新的提交，或打开议题及合并请求。
+settings.archive.text=存档仓库将使其完全只读。它将在首页隐藏。没有人（甚至包括你！）能够进行新的提交，或打开议题及合并请求。建议记载存档的原因以便引导未来计划从本仓库派生新仓库的开发者。
 settings.archive.success=仓库已成功存档。
 settings.archive.error=仓库在存档时出现异常。请通过日志获取详细信息。
 settings.archive.error_ismirror=不能存档镜像仓库。
diff --git a/options/locale_next/locale_cs-CZ.json b/options/locale_next/locale_cs-CZ.json
index d352f29aec..74e66831e9 100644
--- a/options/locale_next/locale_cs-CZ.json
+++ b/options/locale_next/locale_cs-CZ.json
@@ -581,5 +581,26 @@
 	"actions.secrets.mutation.success_message": "Tajný klíč „%s“ byl upraven.",
 	"actions.secrets.mutation.failure_message": "Tajný klíč „%s“ se nepodařilo upravit.",
 	"actions.secrets.mutation.name_description": "Název tajného klíče může obsahovat pouze písmena, číslice a podtržítka. Nemůže začínat textem FORGEJO_, GITEA_, GITHUB_ nebo číslem. Forgejo jej automaticky převede na velká písmena.",
-	"actions.secrets.mutation.value_description": "Existující hodnota nebude zobrazena. Ponechte pole prázdné, pokud jej nechcete upravit. Zvláštní znaky zůstanou zachovány. CRLF (zakončení řádků ve stylu Windows) budou automaticky převedeny na LF. Pokud chcete zachovat zakončení řádků, zakódujte hodnotu pomocí Base64."
+	"actions.secrets.mutation.value_description": "Existující hodnota nebude zobrazena. Ponechte pole prázdné, pokud jej nechcete upravit. Zvláštní znaky zůstanou zachovány. CRLF (zakončení řádků ve stylu Windows) budou automaticky převedeny na LF. Pokud chcete zachovat zakončení řádků, zakódujte hodnotu pomocí Base64.",
+	"settings.permissions_access_specific_repositories": "Konkrétní repozitáře",
+	"settings.access_token.selected_repositories": {
+		"one": "Vybrán repozitář (%d)",
+		"few": "Vybrány repozitáře (%d)",
+		"other": "Vybrány repozitáře (%d)"
+	},
+	"settings.access_token.available_repositories": "Dostupné repozitáře",
+	"settings.access_token.no_repositories_selected": "Nejsou vybrány žádné repozitáře.",
+	"settings.access_token.no_repositories_found": "Nenalezeny žádné repozitáře.",
+	"settings.access_token.remove": "Odstranit %s",
+	"settings.access_token.resource_all_help": "Povolit přístup ke všem zdrojům.",
+	"settings.access_token.resource_public_only_help": "Omezit přístup k veřejným repozitářům a organizacím.",
+	"settings.access_token.resource_specific_repo_help": "Omezit přístup ke konkrétním repozitářům. Přístup pouze ke čtení je udělen všem veřejným repozitářům. Povolena mohou být pouze oprávnění, která povolují přístup k repozitářům a problémům.",
+	"settings.access_token.admin_disabled": "Administrativní oprávnění jsou zakázána.",
+	"actions.runs.scheduled_description": "Naplánovaný běh revize <a href=\"%[1]s\">%[2]s</a>",
+	"actions.runs.workflow_dispatch_description": "Běh revize <a href=\"%[1]s\">%[2]s</a> spuštěný službou <a href=\"%[3]s\">%[4]s</a>",
+	"actions.runs.on_push_description": "Revize <a href=\"%[1]s\">%[2]s</a> odeslaná uživatelem <a href=\"%[3]s\">%[4]s</a>",
+	"members.add_member": "Přidat člena",
+	"members.user": "Uživatel",
+	"members.user_already_member": "Tento uživatel již je členem organizace.",
+	"members.no_team_selected": "Členové organizace musí patřit do alespoň jednoho týmu."
 }
diff --git a/options/locale_next/locale_de-DE.json b/options/locale_next/locale_de-DE.json
index 15137fd5e8..253b3188c7 100644
--- a/options/locale_next/locale_de-DE.json
+++ b/options/locale_next/locale_de-DE.json
@@ -560,5 +560,31 @@
 	"actions.runners.task_list_user": "Neuliche Aufgaben dieses Benutzers auf diesem Runner",
 	"settings.new_access_token": "Neuer Zugangstoken",
 	"graphs.recent_commits.title": "Anzahl der Commits im letzten Jahr",
-	"graphs.code_frequency.title": "Code-Frequenz über die Geschichte von {0}"
+	"graphs.code_frequency.title": "Code-Frequenz über die Geschichte von {0}",
+	"settings.permissions_access_specific_repositories": "Bestimmte Repositorys",
+	"settings.access_token.selected_repositories": {
+		"one": "Ausgewähltes Repository (%d)",
+		"other": "Ausgewählte Repositorys (%d)"
+	},
+	"settings.access_token.available_repositories": "Verfügbare Repositorys",
+	"settings.access_token.no_repositories_selected": "Keine Repositorys ausgewählt.",
+	"settings.access_token.no_repositories_found": "Keine Repositorys gefunden.",
+	"settings.access_token.remove": "%s entfernen",
+	"settings.access_token.resource_all_help": "Erlaube den Zugang zu allen Ressourcen.",
+	"settings.access_token.resource_public_only_help": "Beschränke den Zugang auf Repositorys und Organisationen, die öffentlich sind.",
+	"settings.access_token.resource_specific_repo_help": "Beschränke den Zugang auf eine Liste bestimmter Repositorys. Der Lesezugriff wird auf alle öffentlichen Repositorys gewährt. Nur Berechtigungen, die den Zugriff auf Repositorys und Issues erlauben, können aktiviert werden.",
+	"settings.access_token.admin_disabled": "Verwaltungsberechtigungen sind deaktiviert.",
+	"actions.runs.scheduled_description": "Planmäßiger Run des Commits <a href=\"%[1]s\">%[2]s</a>",
+	"actions.runs.workflow_dispatch_description": "Run des Commits <a href=\"%[1]s\">%[2]s</a>, ausgelöst von <a href=\"%[3]s\">%[4]s</a>",
+	"actions.runs.on_push_description": "Commit <a href=\"%[1]s\">%[2]s</a>, gepusht von <a href=\"%[3]s\">%[4]s</a>",
+	"actions.secrets.edit_button": "Geheimnis „%s“ bearbeiten",
+	"actions.secrets.mutation.header": "Geheimnis „%s“ bearbeiten",
+	"actions.secrets.mutation.success_message": "Das Geheimnis „%s“ wurde aktualisiert.",
+	"actions.secrets.mutation.failure_message": "Das Geheimnis „%s“ konnte nicht aktualisiert werden.",
+	"actions.secrets.mutation.name_description": "Der Name eines Geheimnisses darf nur Buchstaben, Ziffern und Unterstriche enthalten. Er darf nicht mit „FORGEJO_“, „GITEA_“, „GITHUB_“ oder einer Zahl anfangen. Forgejo wird ihn automatisch in Großbuchstaben umwandeln.",
+	"actions.secrets.mutation.value_description": "Ein bereits existierender Wert wird nicht angezeigt. Lasse das Feld leer, wenn es nicht geändert werden soll. Sonderzeichen bleiben erhalten. CRLF (Windows-Zeilenumbrüche) werden automatisch in LF umgewandelt. Kodiere den Wert mit Base64, wenn Zeilenumbrüche beibehalten werden sollen.",
+	"members.add_member": "Mitglied hinzufügen",
+	"members.user": "Benutzer",
+	"members.user_already_member": "Dieser Benutzer ist bereits ein Mitglied der Organisation.",
+	"members.no_team_selected": "Organisationsmitglieder müssen mindestens einem Team angehören."
 }
diff --git a/options/locale_next/locale_es-ES.json b/options/locale_next/locale_es-ES.json
index cae0fc7db3..fff792b714 100644
--- a/options/locale_next/locale_es-ES.json
+++ b/options/locale_next/locale_es-ES.json
@@ -411,5 +411,7 @@
 	"moderation.comment.deletion_success": "El comentario ha sido eliminado.",
 	"mail.actions.run_info_sha": "Confirmación: %[1]s",
 	"mail.issue.action.close_by_commit": "%[1]s cerró %[2]s en la confirmación %[3]s.",
-	"repo.diff.commit.next-short": "Siguiente"
+	"repo.diff.commit.next-short": "Siguiente",
+	"admin.config.global_2fa_requirement.all": "Todos los usuarios",
+	"admin.config.global_2fa_requirement.admin": "Administradores"
 }
diff --git a/options/locale_next/locale_fr-FR.json b/options/locale_next/locale_fr-FR.json
index ca3635c641..d80cb70025 100644
--- a/options/locale_next/locale_fr-FR.json
+++ b/options/locale_next/locale_fr-FR.json
@@ -19,7 +19,7 @@
 	"notification.mark_all_as_read": "Tout marquer comme lu",
 	"notification.subscriptions": "Abonnements",
 	"notification.watching": "Suivi",
-	"notification.no_subscriptions": "Pas d'abonnements",
+	"notification.no_subscriptions": "Vous n'avez pas d'abonnements.",
 	"dropzone.default_message": "Déposez les fichiers ou cliquez ici pour téléverser.",
 	"dropzone.invalid_input_type": "Les fichiers de ce type ne peuvent pas être téléversés.",
 	"dropzone.file_too_big": "La taille du fichier ({{filesize}} Mo) dépasse la taille maximale ({{maxFilesize}} Mo).",
@@ -372,14 +372,14 @@
 	"actions.runners.labels": "Labels",
 	"actions.runners.last_online": "Dernière fois en ligne",
 	"actions.runners.runner_title": "Exécuteur %s",
-	"actions.runners.task_list.no_tasks": "Il n'y a pas de tâche ici.",
+	"actions.runners.task_list.no_tasks": "Il n'y a pas de tâches ici.",
 	"actions.runners.task_list.run": "Exécuter",
 	"actions.runners.task_list.status": "Statut",
 	"actions.runners.task_list.repository": "Dépôt",
 	"actions.runners.task_list.commit": "Révision",
 	"actions.runners.task_list.done_at": "Fait à",
 	"actions.runners.update_runner.success": "Exécuteur édité avec succès",
-	"actions.runners.update_runner.failed": "Impossible d'actualiser l'Exécuteur",
+	"actions.runners.update_runner.failed": "Impossible d'éditer l'exécuteur",
 	"actions.runners.delete_runner.success": "Exécuteur supprimé avec succès",
 	"actions.runners.delete_runner.failed": "Impossible de supprimer l'Exécuteur",
 	"actions.runners.delete_runner.header": "Confirmer la suppression de cet exécuteur",
@@ -563,5 +563,23 @@
 	"actions.secrets.mutation.name_description": "Le nom d'un secret ne peut contenir que des lettres, des chiffres et des `_`. Il ne peut pas démarrer avec FORGEJO_ , GITEA_ , GITHUB_ , ou un nombre. Forgejo le convertira automatiquement en majuscules.",
 	"form.RunnerName": "Nom",
 	"graphs.recent_commits.title": "Nombre de commits au cours de l'année écoulée",
-	"graphs.code_frequency.title": "Fréquence de code sur l'historique de {0}"
+	"graphs.code_frequency.title": "Fréquence de code sur l'historique de {0}",
+	"settings.permissions_access_specific_repositories": "Dépôts spécifiques",
+	"settings.access_token.selected_repositories": {
+		"one": "Dépôt sélectionné (%d)",
+		"many": "Dépôts sélectionnés (%d)",
+		"other": "Dépôts sélectionnés (%d)"
+	},
+	"settings.access_token.available_repositories": "Dépôts disponibles",
+	"settings.access_token.no_repositories_selected": "Aucun dépôt sélectionné.",
+	"settings.access_token.no_repositories_found": "Aucun dépôt trouvé.",
+	"settings.access_token.remove": "Supprimer %s",
+	"settings.access_token.resource_public_only_help": "Limiter l'accès aux dépôts et aux organisations publiques.",
+	"settings.access_token.resource_specific_repo_help": "Limiter l'accès à une liste spécifique de dépôts. L'accès en lecture seule est autorisé sur tous les dépôts publiques. Seules les permissions permettant l'accès aux dépôts et aux tickets peuvent être activées.",
+	"settings.access_token.admin_disabled": "Les autorisations administratives sont désactivées.",
+	"actions.runners.token": "Jeton",
+	"actions.runners.ephemeral.no": "non",
+	"actions.runs.scheduled_description": "Exécution planifiée du commit <a href=\"%[1]s\">%[2]s</a>",
+	"actions.runs.workflow_dispatch_description": "Exécution du commit <a href=\"%[1]s\">%[2]s</a> déclenché par <a href=\"%[3]s\">%[4]s</a>",
+	"actions.runs.on_push_description": "Commit <a href=\"%[1]s\">%[2]s</a> poussé par <a href=\"%[3]s\">%[4]s</a>"
 }
diff --git a/options/locale_next/locale_mk.json b/options/locale_next/locale_mk.json
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/options/locale_next/locale_mk.json
@@ -0,0 +1 @@
+{}
diff --git a/options/locale_next/locale_nds.json b/options/locale_next/locale_nds.json
index 71d6d8dfbc..5806fe1eeb 100644
--- a/options/locale_next/locale_nds.json
+++ b/options/locale_next/locale_nds.json
@@ -582,5 +582,9 @@
 	"settings.access_token.admin_disabled": "Chef-Rechten sünd utknipst.",
 	"actions.runs.scheduled_description": "Utföhren na Tiedplaan vun Kommitteren <a href=\"%[1]s\">%[2]s</a>",
 	"actions.runs.workflow_dispatch_description": "Utföhren vun Kommitteren <a href=\"%[1]s\">%[2]s</a> vun <a href=\"%[3]s\">%[4]s</a> utlööst",
-	"actions.runs.on_push_description": "Kommitteren <a href=\"%[1]s\">%[2]s</a> vun <a href=\"%[3]s\">%[4]s</a> schuven"
+	"actions.runs.on_push_description": "Kommitteren <a href=\"%[1]s\">%[2]s</a> vun <a href=\"%[3]s\">%[4]s</a> schuven",
+	"members.add_member": "Liddmaat hentofögen",
+	"members.user": "Bruker",
+	"members.user_already_member": "Deeser Bruker is al een Liddmaat vun deeser Vereenigung.",
+	"members.no_team_selected": "Vereenigungs-Liddmaten mutten to tominnst eener Klottje tohören."
 }
diff --git a/options/locale_next/locale_nl-NL.json b/options/locale_next/locale_nl-NL.json
index 978fe5b3c5..f740233d69 100644
--- a/options/locale_next/locale_nl-NL.json
+++ b/options/locale_next/locale_nl-NL.json
@@ -499,5 +499,14 @@
 	"packages.common.install": "Voer de volgende opdracht uit om het pakket te installeren:",
 	"packages.common.registry": "Stel dit register in vanaf de opdrachtregel:",
 	"packages.common.repository": "Repository informatie",
-	"actions.runs.all_runs_link": "alle runs"
+	"actions.runs.all_runs_link": "alle runs",
+	"settings.specific_repo_access": "Repositories toegang",
+	"settings.permissions_access_specific_repositories": "Specifieke repositories",
+	"settings.access_token.available_repositories": "Beschikbare repositories",
+	"settings.access_token.no_repositories_selected": "Geen repositories geselecteerd.",
+	"settings.access_token.no_repositories_found": "Geen repositories gevonden.",
+	"settings.access_token.remove": "Verwijder %s",
+	"settings.access_token.resource_all_help": "Toegang tot alle bronnen toestaan.",
+	"settings.access_token.resource_public_only_help": "Toegang tot repositories en organisaties die openbaar zijn beperken.",
+	"actions.runners.list_runners.delete_column": "Verwijder"
 }
diff --git a/options/locale_next/locale_pl-PL.json b/options/locale_next/locale_pl-PL.json
index 0d169466e0..4f74217753 100644
--- a/options/locale_next/locale_pl-PL.json
+++ b/options/locale_next/locale_pl-PL.json
@@ -19,7 +19,7 @@
 	"notification.mark_all_as_read": "Oznacz wszystkie jako przeczytane",
 	"notification.subscriptions": "Subskrypcje",
 	"notification.watching": "Obserwowane",
-	"notification.no_subscriptions": "Brak subskrypcji",
+	"notification.no_subscriptions": "Nie masz żadnych subskrypcji.",
 	"dropzone.default_message": "Upuść pliki tutaj lub kliknij, aby przesłać.",
 	"dropzone.invalid_input_type": "Nie można przesłać plików tego typu.",
 	"dropzone.file_too_big": "Rozmiar pliku ({{filesize}} MB) przekracza maksymalny rozmiar ({{maxFilesize}} MB).",
@@ -195,7 +195,7 @@
 	"release.n_downloads": {
 		"one": "%s pobranie",
 		"few": "%s pobrania",
-		"many": ""
+		"many": "%s pobrań"
 	},
 	"repo.pulls.merged_title_desc": {
 		"one": "scala %[1]d commit z <code>%[2]s</code> do <code>%[3]s</code> %[4]s",
@@ -327,9 +327,9 @@
 	"repo.issues.filter_modified.hint": "Filtruj według daty ostatniej modyfikacji",
 	"issues.updated": "ostatnia aktualizacja: %s",
 	"repo.pulls.poster_manage_approval": "Zarządzaj zatwierdzeniami",
-	"repo.pulls.poster_requires_approval": "Kilka workflowów <a href=\"%[1]s\">oczekuje na sprawdzenie.</a>",
+	"repo.pulls.poster_requires_approval": "Kilka workflowów <a href=\"%[1]s\">oczekuje na sprawdzenie</a>.",
 	"repo.pulls.poster_requires_approval.tooltip": "Autor tego pull requesta nie jest zaufany do uruchamiania workflowów wyzwalanych przez pull requesty utworzone z forkowanego repozytorium lub z AGit. Workflowy wyzwalane przez zdarzenie `pull_request` nie zostaną uruchomione, dopóki nie zostaną zatwierdzone.",
-	"repo.pulls.poster_is_trusted": "Autor tego pull requesta jest <a href=\"%[1]s\">zawsze zaufany do uruchamiania workflowów.</a>",
+	"repo.pulls.poster_is_trusted": "Autor tego pull requesta jest <a href=\"%[1]s\">zawsze zaufany do uruchamiania workflowów</a>.",
 	"repo.pulls.poster_is_trusted.tooltip": "Autor tego pull requesta jest jawnie zaufany do uruchamiania workflowów wyzwalanych przez zdarzenia `pull_request`.",
 	"repo.pulls.poster_trust_deny.tooltip": "Workflowy oczekujące na zatwierdzenie zostaną anulowane.",
 	"repo.pulls.poster_trust_once.tooltip": "Workflowy wyzwalane przez zdarzenie `pull_request` zostaną uruchomione dla tego commita, ale będą wymagały zatwierdzenia dla wszystkich przyszłych commitów pushowanych do tego pull requesta.",
@@ -401,7 +401,7 @@
 	"repo.commit.load_tags_failed": "Wczytywanie tagów nie powiodło się z powodu wewnętrznego błędu serwera",
 	"teams.remove_all_repos.modal.header": "Usuń wszystkie repozytoria",
 	"teams.add_all_repos.modal.header": "Dodaj wszystkie repozytoria",
-	"search.fuzzy": "fFzzy",
+	"search.fuzzy": "fuzzy",
 	"moderation.comment.deletion_success": "Komentarz został usunięty.",
 	"moderation.issue.deletion_success": "Zgłoszenie zostało usunięte.",
 	"moderation.users.cannot_delete_admins": "Użytkownik z uprawnieniami administratora nie może zostać usunięty.",
@@ -462,5 +462,14 @@
 	"actions.runs.status_no_select": "Wszystkie stany",
 	"actions.runs.no_results": "Brak pasujących wyników.",
 	"actions.runs.no_workflows": "Nie ma jeszcze żadnych procesów pracy.",
-	"meta.last_line": " "
+	"meta.last_line": " ",
+	"repo.issues.filter_sort.hint_with_placeholder": "Sortuj wg: %s",
+	"issues.filters.labels.exclude": "Wyklucz etykietę",
+	"issues.filters.labels.unexclude": "Usuń wykluczenie",
+	"repo.pulls.auto_merge.no_permission": "Nie masz uprawnień aby anulować auto merge tego pull requesta.",
+	"settings.access_token.selected_repositories": {
+		"one": "Wybrane (%d) repozytorium",
+		"few": "Wybrane (%d) repozytoria",
+		"many": "Wybrane (%d) repozytoriów"
+	}
 }
diff --git a/options/locale_next/locale_pt-BR.json b/options/locale_next/locale_pt-BR.json
index 074d7239af..e9ef391e49 100644
--- a/options/locale_next/locale_pt-BR.json
+++ b/options/locale_next/locale_pt-BR.json
@@ -514,5 +514,20 @@
 	"editor.search": "Busca",
 	"editor.find_previous": "Ocorrência anterior",
 	"editor.find_next": "Ocorrência seguinte",
-	"editor.toggle_whole_word": "Alternar correspondência completa de palavras"
+	"editor.toggle_whole_word": "Alternar correspondência completa de palavras",
+	"settings.specific_repo_access": "Acesso ao repositório",
+	"settings.new_access_token": "Novo token de acesso",
+	"settings.permissions_access_specific_repositories": "Repositórios específicos",
+	"settings.access_token.available_repositories": "Repositórios disponíveis",
+	"settings.access_token.no_repositories_selected": "Nenhum repositório selecionado.",
+	"settings.access_token.no_repositories_found": "Nenhum repositório encontrado.",
+	"settings.access_token.remove": "Remova %s",
+	"actions.runners.edit_runner.title": "Editar executor %s",
+	"actions.runners.edit_runner.page_title": "Editar executor %s",
+	"actions.runners.create_runner.name_label": "Noe",
+	"actions.runners.create_runner.title": "Criar novo executor",
+	"actions.runners.create_runner.page_title": "Criar novo executor",
+	"actions.runners.edit_runner_button": "Editar executor",
+	"actions.runners.task_list_user": "Tarefas recentes deste usuário neste executor",
+	"actions.runners.task_list_admin": "Tarefas recentes neste executor"
 }
diff --git a/options/locale_next/locale_pt-PT.json b/options/locale_next/locale_pt-PT.json
index e884f34fa3..f3a6c5c9ff 100644
--- a/options/locale_next/locale_pt-PT.json
+++ b/options/locale_next/locale_pt-PT.json
@@ -595,5 +595,8 @@
 	"actions.secrets.mutation.name_description": "O nome de um segredo só pode conter letras, números e sublinhados. Não pode começar por FORGEJO_, GITEA_, GITHUB_ ou um número. O Forgejo irá convertê-lo automaticamente para maiúsculas.",
 	"actions.secrets.mutation.value_description": "O valor atual não será apresentado. Deixe o campo em branco se não pretender alterá-lo. Os caracteres especiais são mantidos. CRLF (quebras de linha no estilo Windows) é automaticamente convertido para LF. Codifique o valor com Base64 se as quebras de linha devem ser mantidas.",
 	"graphs.recent_commits.title": "Número de cometimentos no último ano",
-	"graphs.code_frequency.title": "Frequência do código ao longo da história de {0}"
+	"graphs.code_frequency.title": "Frequência do código ao longo da história de {0}",
+	"actions.runs.scheduled_description": "Execução agendada do cometimento <a href=\"%[1]s\">%[2]s</a>",
+	"actions.runs.workflow_dispatch_description": "Execução do commit <a href=\"%[1]s\">%[2]s</a> acionada por <a href=\"%[3]s\">%[4]s</a>",
+	"actions.runs.on_push_description": "Cometimento <a href=\"%[1]s\">%[2]s</a> enviado por <a href=\"%[3]s\">%[4]s</a>"
 }
diff --git a/options/locale_next/locale_ru-RU.json b/options/locale_next/locale_ru-RU.json
index c710490152..9009203114 100644
--- a/options/locale_next/locale_ru-RU.json
+++ b/options/locale_next/locale_ru-RU.json
@@ -523,8 +523,8 @@
 	"actions.runners.uuid": "УУИД",
 	"actions.runners.token": "Токен",
 	"actions.runners.ephemeral": "Одноразовый",
-	"actions.runners.list_runners.details_column": "Подробности",
-	"actions.runners.list_runners.delete_column": "Удалить",
+	"actions.runners.list_runners.details_column": "Свойства",
+	"actions.runners.list_runners.delete_column": "Удаление",
 	"actions.runners.runner_setup.list_of_runners_link": "Список исполнителей",
 	"actions.runners.runner_setup.last_chance_copying_token": "Скопируйте токен сейчас – потом он не будет отображаться!",
 	"actions.runners.runner_setup.button_copy_uuid_aria": "Копировать УУИД исполнителя",
@@ -553,5 +553,28 @@
 	"actions.runners.runner_setup.heading_using_configuration": "Используя файл конфигурации исполнителя",
 	"actions.runners.runner_setup.configuration_snippet_aria": "Часть конфигурации, которую нужно добавить",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "Замените название подключения (в примере – <code>forgejo</code>) на нужное.",
-	"actions.runners.runner_setup.heading_using_options": "Используя параметры запуска"
+	"actions.runners.runner_setup.heading_using_options": "Используя параметры запуска",
+	"members.add_member": "Добавить участника",
+	"members.user": "Пользователь",
+	"members.user_already_member": "Этот пользователь уже состоит в организации.",
+	"members.no_team_selected": "Участники организации должны состоять хотя бы в одной команде.",
+	"settings.access_token.remove": "Исключить %s",
+	"settings.access_token.resource_all_help": "Разрешить доступ ко всем ресурсам.",
+	"settings.access_token.resource_public_only_help": "Разрешить доступ только к публичным репозиториям и организациям.",
+	"settings.access_token.resource_specific_repo_help": "Разрешить доступ только к списку выбранных репозиториев. Доступ на чтение разрешён для всех публичных репозиториев. Могут быть выбраны только разрешения, относящиеся к репозиториям и задачам.",
+	"settings.access_token.admin_disabled": "Административные разрешения выключены.",
+	"actions.runners.list_runners.edit_column": "Правка",
+	"actions.runners.list_runners.details_button": "Свойства",
+	"actions.runners.list_runners.details_button_aria": "Открыть свойства %s",
+	"actions.runners.list_runners.delete_button": "Удалить",
+	"actions.runners.list_runners.delete_button_aria": "Удалить %s",
+	"actions.runners.list_runners.edit_button": "Изменить",
+	"actions.runners.list_runners.edit_button_aria": "Изменить %s",
+	"actions.runners.ephemeral.yes": "да",
+	"actions.runners.ephemeral.no": "нет",
+	"actions.runners.edit_runner_button": "Изменить исполнителя",
+	"actions.runners.create_runner.page_title": "Новый исполнитель",
+	"actions.runners.create_runner.create_button": "Создать",
+	"actions.runners.create_runner.cancel_button": "Отмена",
+	"actions.runners.show_registration_token": "Показать токен регистрации"
 }
diff --git a/options/locale_next/locale_sv-SE.json b/options/locale_next/locale_sv-SE.json
index c8c8f188ee..af72a4c8f8 100644
--- a/options/locale_next/locale_sv-SE.json
+++ b/options/locale_next/locale_sv-SE.json
@@ -574,5 +574,17 @@
 	"settings.access_token.resource_public_only_help": "Begränsa tillgången till publika kodförråd och organisationer.",
 	"settings.access_token.admin_disabled": "Administrativa rättigheter är inaktiverade.",
 	"actions.secrets.edit_button": "Redigera hemlighet \"%s\"",
-	"actions.secrets.mutation.header": "Redigera hemlighet \"%s\""
+	"actions.secrets.mutation.header": "Redigera hemlighet \"%s\"",
+	"settings.access_token.resource_specific_repo_help": "Begränsa åtkomsten till en specifik lista med kodförråd. Skrivskyddad åtkomst är tillåten till alla publika kodförråd. Endast behörigheter som ger åtkomst till kodförråd och ärenden kan aktiveras.",
+	"actions.runs.scheduled_description": "Schemalagd körning av incheckning <a href=\"%[1]s\">%[2]s</a>",
+	"actions.runs.workflow_dispatch_description": "Körning av incheckning <a href=\"%[1]s\">%[2]s</a> utlöst av <a href=\"%[3]s\">%[4]s</a>",
+	"actions.runs.on_push_description": "Incheckning <a href=\"%[1]s\">%[2]s</a> skickades av <a href=\"%[3]s\">%[4]s</a>",
+	"actions.secrets.mutation.success_message": "Hemligheten \"%s\" har uppdaterats.",
+	"actions.secrets.mutation.failure_message": "Hemligheten \"%s\" kunde inte uppdateras.",
+	"actions.secrets.mutation.name_description": "Namnet på en hemlighet får bara innehålla bokstäver, siffror och understreck. Den får inte börja med FORGEJO_, GITEA_, GITHUB_ eller en siffra. Forgejo konverterar den automatiskt till versaler.",
+	"actions.secrets.mutation.value_description": "Det existerande värdet visas inte. Lämna fältet tomt om du inte vill ändra det. Specialtecken behålls. CRLF (radbrytningar i Windows-stil) konverteras automatiskt till LF. Koda värdet med Base64 om radbrytningar ska behållas.",
+	"members.add_member": "Lägg till medlem",
+	"members.user": "Användare",
+	"members.user_already_member": "Den här användaren är redan medlem i organisationen.",
+	"members.no_team_selected": "Organisationsmedlemmar måste tillhöra minst ett lag."
 }
diff --git a/options/locale_next/locale_uk-UA.json b/options/locale_next/locale_uk-UA.json
index dde95ff019..e2b90565ab 100644
--- a/options/locale_next/locale_uk-UA.json
+++ b/options/locale_next/locale_uk-UA.json
@@ -598,5 +598,9 @@
 	"settings.access_token.no_repositories_found": "Не знайдено жодного репозиторію.",
 	"settings.access_token.resource_public_only_help": "Дозволити доступ лише до публічних репозиторіїв та організацій.",
 	"settings.access_token.resource_specific_repo_help": "Дозволити доступ лише до окремих репозиторіїв. Доступ тільки для читання дозволено до всіх публічних репозиторіїв. Можна ввімкнути лише дозволи, що надають доступ до репозиторіїв і задач.",
-	"settings.permissions_access_specific_repositories": "Визначені репозиторії"
+	"settings.permissions_access_specific_repositories": "Визначені репозиторії",
+	"members.add_member": "Додати учасника",
+	"members.user": "Користувач",
+	"members.user_already_member": "Цей користувач уже є учасником організації.",
+	"members.no_team_selected": "Учасники організації повинні входити принаймні до однієї команди."
 }
diff --git a/options/locale_next/locale_zh-CN.json b/options/locale_next/locale_zh-CN.json
index dc54cb4990..f8591727b8 100644
--- a/options/locale_next/locale_zh-CN.json
+++ b/options/locale_next/locale_zh-CN.json
@@ -515,5 +515,28 @@
 	"actions.runners.task_list_admin": "最近在此运行器上的任务",
 	"actions.runners.task_list_user": "最近在此运行器上的此用户的任务",
 	"graphs.recent_commits.title": "过去一年的提交总数",
-	"graphs.code_frequency.title": "{0}的历史提交频率"
+	"graphs.code_frequency.title": "{0}的历史提交频率",
+	"settings.permissions_access_specific_repositories": "仅限部分仓库",
+	"settings.access_token.selected_repositories": "选中的仓库（%d）",
+	"settings.access_token.available_repositories": "可用的仓库",
+	"settings.access_token.no_repositories_selected": "未选中任何仓库。",
+	"settings.access_token.no_repositories_found": "没有找到任何仓库。",
+	"settings.access_token.remove": "移除“%s”",
+	"settings.access_token.resource_all_help": "允许访问所有资源。",
+	"settings.access_token.resource_public_only_help": "仅允许访问公开的仓库和组织。",
+	"settings.access_token.resource_specific_repo_help": "仅允许访问特定的一组仓库，允许对所有公开仓库的只读访问，仅能启用对仓库和工单的访问权限。",
+	"settings.access_token.admin_disabled": "禁用管理权限。",
+	"actions.runs.scheduled_description": "计划运行，提交<a href=\"%[1]s\">%[2]s</a>",
+	"actions.runs.workflow_dispatch_description": "运行提交<a href=\"%[1]s\">%[2]s</a>，由<a href=\"%[3]s\">%[4]s</a>触发",
+	"actions.runs.on_push_description": "提交<a href=\"%[1]s\">%[2]s</a>，由<a href=\"%[3]s\">%[4]s</a>推送",
+	"actions.secrets.edit_button": "编辑机密“%s”",
+	"actions.secrets.mutation.header": "编辑机密“%s”",
+	"actions.secrets.mutation.success_message": "机密“%s”已更新。",
+	"actions.secrets.mutation.failure_message": "无法更新机密“%s”。",
+	"actions.secrets.mutation.name_description": "机密的名字只能包含字母、数字和下划线，不能以FORGEJO_、GITEA_、GITHUB_或数字开头，会自动转换为大写格式。",
+	"actions.secrets.mutation.value_description": "现有值不会显示，留空以保留现有值。特殊字符会被保留，CRLF（Windows式换行符）会被转换为LF；要保留换行符，请使用Base64编码。",
+	"members.add_member": "添加成员",
+	"members.user": "用户",
+	"members.user_already_member": "该用户已经是当前组织的成员。",
+	"members.no_team_selected": "组织成员至少属于一个团队。"
 }

From fd489b69631a7e54247ac7bcfabc0a8ab9c7ea39 Mon Sep 17 00:00:00 2001
From: 0ko <0ko@noreply.codeberg.org>
Date: Fri, 3 Apr 2026 14:11:48 +0200
Subject: [PATCH 053/287] chore(i18n): migrate strings to json, unhardcode one,
 improve plurals (#11879)

* migrate 17 strings related to repository migrations from INI to JSON
    * changed templates to get rid of unhelpful prefix `repo`
* migrate 4 strings related to counters
    * also changed templates to get rid of `repo`, but it had to be done anyway to use `TrPluralString`
* Unhardcode the header on migraiton type selector page, which I haven't noticed in https://codeberg.org/forgejo/forgejo/pulls/6795 or in two other PRs I did on this template since

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11879
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
---
 options/locale/locale_ar.ini           | 25 -------------------
 options/locale/locale_bg.ini           | 25 -------------------
 options/locale/locale_ca.ini           | 27 +-------------------
 options/locale/locale_cs-CZ.ini        | 26 --------------------
 options/locale/locale_da.ini           | 25 -------------------
 options/locale/locale_de-DE.ini        | 26 --------------------
 options/locale/locale_el-GR.ini        | 26 --------------------
 options/locale/locale_en-US.ini        | 27 --------------------
 options/locale/locale_eo.ini           |  5 +---
 options/locale/locale_es-ES.ini        | 26 --------------------
 options/locale/locale_et.ini           |  2 --
 options/locale/locale_fa-IR.ini        | 16 ------------
 options/locale/locale_fi-FI.ini        | 26 --------------------
 options/locale/locale_fil.ini          | 25 -------------------
 options/locale/locale_fr-FR.ini        | 26 --------------------
 options/locale/locale_ga-IE.ini        | 17 -------------
 options/locale/locale_he.ini           | 13 +---------
 options/locale/locale_hu-HU.ini        |  6 -----
 options/locale/locale_id-ID.ini        |  6 -----
 options/locale/locale_is-IS.ini        |  9 -------
 options/locale/locale_it-IT.ini        | 26 --------------------
 options/locale/locale_ja-JP.ini        | 26 --------------------
 options/locale/locale_ka.ini           |  5 ----
 options/locale/locale_kab.ini          |  3 ---
 options/locale/locale_ko-KR.ini        |  7 +-----
 options/locale/locale_lv-LV.ini        | 26 --------------------
 options/locale/locale_ml-IN.ini        |  7 ------
 options/locale/locale_nb_NO.ini        |  1 -
 options/locale/locale_nds.ini          | 25 -------------------
 options/locale/locale_nl-NL.ini        | 26 --------------------
 options/locale/locale_pl-PL.ini        | 26 --------------------
 options/locale/locale_pt-BR.ini        | 26 --------------------
 options/locale/locale_pt-PT.ini        | 26 --------------------
 options/locale/locale_ru-RU.ini        | 26 --------------------
 options/locale/locale_si-LK.ini        | 16 ------------
 options/locale/locale_sk-SK.ini        |  5 ----
 options/locale/locale_sv-SE.ini        | 26 --------------------
 options/locale/locale_ta.ini           | 25 -------------------
 options/locale/locale_th.ini           | 25 -------------------
 options/locale/locale_tr-TR.ini        | 26 --------------------
 options/locale/locale_uk-UA.ini        | 26 --------------------
 options/locale/locale_vi.ini           | 27 +++-----------------
 options/locale/locale_zh-CN.ini        | 26 --------------------
 options/locale/locale_zh-HK.ini        |  6 -----
 options/locale/locale_zh-TW.ini        | 26 --------------------
 options/locale_next/locale_ar.json     | 33 +++++++++++++++++++++++++
 options/locale_next/locale_bg.json     | 33 +++++++++++++++++++++++++
 options/locale_next/locale_ca.json     | 33 +++++++++++++++++++++++++
 options/locale_next/locale_cs-CZ.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_da.json     | 33 +++++++++++++++++++++++++
 options/locale_next/locale_de-DE.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_el-GR.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_en-US.json  | 34 ++++++++++++++++++++++++++
 options/locale_next/locale_eo.json     |  3 +++
 options/locale_next/locale_es-ES.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_et.json     |  4 +++
 options/locale_next/locale_fa-IR.json  | 15 ++++++++++++
 options/locale_next/locale_fi-FI.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_fil.json    | 33 +++++++++++++++++++++++++
 options/locale_next/locale_fr-FR.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_ga.json     | 17 +++++++++++++
 options/locale_next/locale_he.json     | 11 +++++++++
 options/locale_next/locale_hu-HU.json  |  6 +++++
 options/locale_next/locale_id-ID.json  |  6 +++++
 options/locale_next/locale_is-IS.json  |  8 ++++++
 options/locale_next/locale_it-IT.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_ja-JP.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_ka.json     |  5 ++++
 options/locale_next/locale_kab.json    |  3 +++
 options/locale_next/locale_ko-KR.json  |  5 ++++
 options/locale_next/locale_lv-LV.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_ml-IN.json  |  7 ++++++
 options/locale_next/locale_nb_NO.json  |  1 +
 options/locale_next/locale_nds.json    | 33 +++++++++++++++++++++++++
 options/locale_next/locale_nl-NL.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_pl-PL.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_pt-BR.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_pt-PT.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_ru-RU.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_si-LK.json  | 15 ++++++++++++
 options/locale_next/locale_sk-SK.json  |  5 ++++
 options/locale_next/locale_sv-SE.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_ta.json     | 33 +++++++++++++++++++++++++
 options/locale_next/locale_th.json     | 33 +++++++++++++++++++++++++
 options/locale_next/locale_tr-TR.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_uk-UA.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_vi.json     | 27 ++++++++++++++++++++
 options/locale_next/locale_zh-CN.json  | 33 +++++++++++++++++++++++++
 options/locale_next/locale_zh-HK.json  |  6 +++++
 options/locale_next/locale_zh-TW.json  | 33 +++++++++++++++++++++++++
 services/migrations/migrate.go         | 14 +++++------
 templates/repo/commits_table.tmpl      |  2 +-
 templates/repo/migrate/codebase.tmpl   | 10 ++++----
 templates/repo/migrate/gitbucket.tmpl  | 14 +++++------
 templates/repo/migrate/gitea.tmpl      | 14 +++++------
 templates/repo/migrate/github.tmpl     | 14 +++++------
 templates/repo/migrate/gitlab.tmpl     | 14 +++++------
 templates/repo/migrate/gogs.tmpl       | 14 +++++------
 templates/repo/migrate/migrate.tmpl    |  2 +-
 templates/repo/migrate/migrating.tmpl  |  4 +--
 templates/repo/migrate/onedev.tmpl     | 10 ++++----
 templates/repo/migrate/pagure.tmpl     | 10 ++++----
 templates/repo/release_tag_header.tmpl |  4 +--
 templates/repo/sub_menu.tmpl           |  6 ++---
 104 files changed, 1142 insertions(+), 933 deletions(-)

diff --git a/options/locale/locale_ar.ini b/options/locale/locale_ar.ini
index 5e9808d2f0..9d719a4e5e 100644
--- a/options/locale/locale_ar.ini
+++ b/options/locale/locale_ar.ini
@@ -722,12 +722,9 @@ issues.blocked_by_user = لا يمكنك أن ترسل مسألة في هذا ا
 mirror_sync = متزامن
 settings.archive.mirrors_unavailable = المرايا ليست متاحة إذا تم أرشفة المستودع.
 pulls.blocked_by_user = لا يمكنك أن ترسل طلب سحب في هذا المستودع لأنك محظور من قبل مالك المستودع.
-migrate.migrating_milestones = ترحيل الأهداف
-migrate_items_milestones = أهداف
 repo_size = حجم المستودع
 object_format = تنسيق الكائنات
 use_template = استخدم هذا القالب
-migrate_items_merge_requests = طلبات الدمج
 repo_name = اسم المستودع
 template = القالب
 projects.modify = عدّل المشروع
@@ -745,23 +742,19 @@ template.git_hooks = خطاطيف Git
 template_description = المستودع القالب هو مستودع يستخدمه المستخدمون لتوليد مستودعات جديدة لها الإعدادات والملفات وهيكلة المجلدات نفسها.
 projects.edit = عدّل المشروع
 template.avatar = الصورة الرمزية
-migrate_items_wiki = الموسوعة
 repo_desc = الوصف
 template_select = اختر قالبا
 repo_name_helper = الأسماء الحسنة للمستودعات تستخدم كلمات مفتاحية قصيرة وسهلة التذكر وفريدة.
 default_branch = الفرع الافتراضي
 all_branches = كل الفروع
-migrate_items_issues = البلاغات
 projects.deletion_desc = حذف مشروع يحذف كل المسائل المرتبطة به. أتريد الاستمرار؟
 repo_desc_helper = أدخل وصفاً قصيراً (اختياري)
 create_repo = إنشاء مستودع
-migrate_items_releases = الإصدارات
 already_forked = لقد اشتققت %s بالفعل
 license_helper = اختر ملف ترخيص.
 tree_path_not_found.tag = المسار %[1]s غير موجود في الوسم %[2]s
 object_format_helper = صيغة كائنات المستودع. لا يمكن تغييرها بعد ذلك. SHA1 هي الأكثر توافقية.
 forks = الاشتقاقات
-migrate_items_pullrequests = طلبات السحب
 fork_to_different_account = اشتق إلى حساب مختلف
 tree_path_not_found.branch = المسار %[1]s غير موجود في الفرع %[2]s
 projects.edit_success = حدِّث المشروع "%s".
@@ -885,7 +878,6 @@ release.publish = انشر الإصدار
 issues.lock_duplicate = لا يمكن إقفال مسألة مقفلة.
 issues.filter_type.assigned_to_you = كُلِّفت بها
 issues.save = احفظ
-migrate_items_labels = تصنيفات
 issues.add_assignee_at = `كلّفه <b>%s</b> بها %s`
 milestones.filter_sort.least_complete = الأقل اكتمالا
 branch.create_branch = أنشئ الفرع %s
@@ -1507,7 +1499,6 @@ transfer.accept = قبول النقل
 blame.ignore_revs.failed = فشل تجاهل المراجعات في <a href="%s">.git-blame-ignore-revs</a>.
 form.name_pattern_not_allowed = النمط ”%s“ غير مسموح به في اسم المستودع.
 migrate_options_lfs_endpoint.description = سيحاول الترحيل استخدام مسار Git البعيد (remote) لـ <a target="_blank" rel="noopener noreferrer" href="%s">تحديد خادم LFS</a>. يمكنك أيضًا تحديد نقطة نهاية مخصصة إذا كانت بيانات LFS للمستودع مخزنة في مكان آخر.
-migrate_items = عناصر الترحيل
 adopt_preexisting_content = إنشاء مستودع من %s
 migrate_repo = ترحيل المستودع
 mirror_password_placeholder = (لم يتم تعديله)
@@ -1526,16 +1517,12 @@ form.reach_limit_of_creation_1 = لقد وصل المالك بالفعل إلى
 form.name_reserved = تم حجز اسم المستودع ”%s“.
 mirror_address_url_invalid = عنوان URL المقدم غير صالح. تأكد من تحرير مكونات عنوان URL بشكل صحيح.
 migrate.migrate = الترحيل من %s
-migrate.migrating_topics = ترحيل المواضيع
-migrate.cancel_migrating_title = إلغاء الترحيل
 generated_from = تم توليده من
 star_guest_user = قم بتسجيل الدخول لإعطاء نجمة لهذا المستودع.
 subscribe.pull.guest.tooltip = سجّل الدخول للاشتراك في طلب السحب هذا.
 unwatch = إلغاء المشاهدة
 quick_guide = دليل سريع
 empty_message = لا يحتوي هذا المستودع على أي محتوى.
-migrate.migrating_labels = ترحيل الوسوم
-migrate.migrating_releases = ترحيل الإصدارات
 watch_guest_user = سجّل الدخول لمشاهدة هذا المستودع.
 star = نجمة
 cite_this_repo = الاستشهاد بهذا المستودع
@@ -1549,8 +1536,6 @@ more_operations = المزيد من العمليات
 push_exist_repo = دفع مستودع موجود من موجّه الأوامر
 broken_message = لا يمكن قراءة بيانات Git التي يستند إليها هذا المستودع. اتصل بمسؤول هذا المثيل أو احذف هذا المستودع.
 watch = شاهد
-migrate.migrating_git = ترحيل بيانات Git
-migrate.cancel_migrating_confirm = تريد إلغاء عملية الترحيل هذه؟
 migrate.permission_denied_blocked = لا يمكنك الاستيراد من مضيفين غير مسموح بهم، يُرجى الطلب من المسؤول التحقق من إعدادات ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS.
 migrate.migrating = الترحيل من <b>%s</b> …
 migrate.migrating_failed.error = أخفق الترحيل: %s
@@ -1565,8 +1550,6 @@ create_new_repo_command = إنشاء مستودع جديد على موجّه ا
 fork = اشتقاق
 migrate.migrating_failed_no_addr = أخفق الترحيل.
 unstar = إزالة النجمة
-migrate.migrating_issues = ترحيل البلاغات
-migrate.migrating_pulls = ترحيل طلبات السحب
 code = الكود
 migrate.invalid_lfs_endpoint = نقطة نهاية LFS غير صالحة.
 migrate.migrating_failed = فشل الترحيل من <b>%s</b>.
@@ -1581,19 +1564,15 @@ find_tag = البحث عن علامة
 commit_graph = الرسم البياني للإيداع
 editor.edit_this_file = عدل الملف
 editor.signoff_desc = أضف مقطورة موقّعة من قِبل المُجرّد في نهاية رسالة سجل الدخول.
-n_release_one = %s إصدار
 symbolic_link = رابط رمزي
 editor.cannot_edit_lfs_files = لا يمكن تحرير ملفات LFS في واجهة الويب.
 editor.this_file_locked = الملف مقفل
-n_commit_few = %s إيداعات
 editor.file_delete_success = تم حذف الملف "%s".
 editor.edit_file = عدّل الملف
 commit.contained_in_default_branch = هذا الإيداع جزء من الفرع الافتراضي
 line = سطر
 lines = أسطر
 normal_view = عرض عادي
-n_branch_one = %s فرع
-n_commit_one = %s إيداع
 view_git_blame = عرض مسؤول تعديل git
 editor.add_tmpl.filename = اسم الملف
 editor.name_your_file = اسم ملفك…
@@ -1605,10 +1584,6 @@ no_eol.tooltip = هذا الملف لا يحتوي على نهاية لخط ال
 stored_lfs = مخزن مع Git LFS
 commit.contained_in = هذا الإيداع موجود في:
 file_view_rendered = عرض المُخرج النهائي
-n_branch_few = %s فروع
-n_tag_one = %s علامة
-n_tag_few = ‪%s علامات
-n_release_few = %s إصدارات
 file.title = %s عند %s
 vendored = مضمن
 file_follow = متابعة الروابط الرمزية
diff --git a/options/locale/locale_bg.ini b/options/locale/locale_bg.ini
index 762f50afa6..be9ef509d7 100644
--- a/options/locale/locale_bg.ini
+++ b/options/locale/locale_bg.ini
@@ -545,7 +545,6 @@ forks = Разклонения
 editor.or = или
 issues.new_label_desc_placeholder = Описание
 watch_guest_user = Влезте, за да наблюдавате това хранилище.
-migrate_items_milestones = Етапи
 unstar = Премахване на звездата
 owner = Притежател
 issues.num_comments_1 = %d коментар
@@ -623,7 +622,6 @@ readme_helper_desc = Това е мястото, където можете да
 repo_gitignore_helper = Изберете .gitignore шаблони
 auto_init = Да се инициализира хранилище
 template.issue_labels = Етикети за задачите
-migrate_items_labels = Етикети
 issues.label_templates.title = Зареждане на предв. зададен набор от етикети
 issues.label_templates.helper = Изберете предв. зададен набор от етикети
 projects.template.desc = Шаблон
@@ -657,8 +655,6 @@ milestones.new = Нов етап
 milestones.cancel = Отказ
 settings.http_method = HTTP метод
 clone_helper = Нуждаете се от помощ за клониране? Посетете <a target="_blank" rel="noopener noreferrer" href="%s">Помощ</a>.
-migrate_items_pullrequests = Заявки за сливане
-migrate_items_wiki = Уики
 quick_guide = Бързо ръководство
 clone_this_repo = Клонирайте това хранилище
 push_exist_repo = Изтласкване на съществуващо хранилище от командния ред
@@ -724,7 +720,6 @@ wiki.desc = Пишете и споделяйте документация със
 wiki.default_commit_message = Напишете бележка относно това обновяване на страницата (опционално).
 release.releases = Издания
 wiki.last_commit_info = %s редактира тази страница %s
-migrate_items_releases = Издания
 release = Издание
 releases = Издания
 settings.desc = Настройките са мястото, където можете да управлявате настройките за хранилището
@@ -904,8 +899,6 @@ download_tar = Изтегляне на TAR.GZ
 desc.public = Публично
 desc.archived = Архивирано
 desc.internal = Вътрешно
-migrate_items_merge_requests = Заявки за сливане
-migrate_items_issues = Задачи
 fork_guest_user = Влезте, за да разклоните това хранилище.
 actions = Действия
 more_operations = Още операции
@@ -1189,16 +1182,10 @@ activity.git_stats_pushed_1 = е изтласкал
 activity.git_stats_push_to_branch = към %s и
 contributors.contribution_type.commits = Подавания
 stars = Звезди
-n_commit_few = %s подавания
-n_branch_one = %s клон
-n_branch_few = %s клона
-n_tag_one = %s маркер
-n_tag_few = %s маркера
 commit_graph = Граф с подавания
 commits.renamed_from = Преименувано от %s
 commits.view_path = Преглед на този момент в историята
 commits.search_branch = Този клон
-n_commit_one = %s подаване
 release.ahead.commits = <strong>%d</strong> подавания
 release.stable = Стабилно
 commits.gpg_key_id = ID на GPG ключ
@@ -1321,8 +1308,6 @@ issues.review.option.show_outdated_comments = Показване на остар
 issues.content_history.delete_from_history_confirm = Да се изтрие ли от историята?
 project = Проекти
 issues.content_history.delete_from_history = Изтриване от историята
-n_release_few = %s издания
-n_release_one = %s издание
 editor.cannot_edit_non_text_files = Двоични файлове не могат да се редактират през уеб интерфейса.
 settings.mirror_settings.push_mirror.copy_public_key = Копиране на публичния ключ
 activity.published_tag_label = Маркер
@@ -1451,7 +1436,6 @@ file_follow = Последване на символната връзка
 commitstatus.failure = Неуспех
 issues.filter_label_exclude = Използвайте <kbd>Alt</kbd> + <kbd>Click</kbd>, за да изключите етикети
 migrate.migrating_failed = Мигрирането от <b>%s</b> е неуспешно.
-migrate.migrating_issues = Мигриране на задачи
 mirror_from = огледално на
 fork_from_self = Не можете да разклоните хранилище, което притежавате.
 commit_graph.hide_pr_refs = Скриване на заявките за сливане
@@ -1468,12 +1452,9 @@ form.reach_limit_of_creation_1 = Притежателят вече е дости
 editor.patching = Прилагане на кръпка:
 editor.fail_to_apply_patch = Неуспешно прилагане на кръпка „%s“
 commits.no_commits = Няма общи подавания. „%s“ и „%s“ имат напълно различни истории.
-migrate.migrating_pulls = Мигриране на заявки за сливане
-migrate.migrating_topics = Мигриране на теми
 projects.desc = Управлявайте задачи и заявки за сливане в проектни табла.
 issues.choose.invalid_templates = %v невалидни шаблона са намерени
 pulls.edit.already_changed = Неуспешно запазване на промените в заявката за сливане. Изглежда съдържанието вече е променено от друг потребител. Моля, презаредете страницата и опитайте да редактирате отново, за да избегнете презаписването на техните промени
-migrate.migrating_git = Мигриране на Git данни
 commits.newer = По-нови
 issues.choose.blank_about = Създаване на задача от стандартен шаблон.
 issues.filter_no_results = Няма резултати
@@ -1483,8 +1464,6 @@ transfer.no_permission_to_accept = Нямате разрешение да при
 transfer.no_permission_to_reject = Нямате разрешение да отхвърлите това прехвърляне.
 editor.file_changed_while_editing = Съдържанието на файла е променено, откакто сте го отворили. <a target="_blank" rel="noopener noreferrer" href="%s">Щракнете тук</a>, за да го видите, или <strong>Подайте промените отново</strong>, за да ги презапишете.
 sync_fork.button = Синхронизиране
-migrate.migrating_labels = Мигриране на етикети
-migrate.migrating_releases = Мигриране на издания
 editor.push_rejected_no_message = Промяната беше отхвърлена от сървъра без съобщение. Моля, проверете Git куките.
 issues.choose.open_external_link = Отваряне
 comments.edit.already_changed = Неуспешно запазване на промените в коментара. Изглежда съдържанието вече е променено от друг потребител. Моля, презаредете страницата и опитайте да редактирате отново, за да избегнете презаписването на техните промени
@@ -1511,7 +1490,6 @@ editor.commit_id_not_matching = Файлът е променен, докато 
 editor.user_no_push_to_branch = Потребителят не може да изтласква в клона
 archive.pull.noreview = Това хранилище е архивирано. Не можете да рецензирате заявки за сливане.
 migrate.migrating_failed.error = Неуспешно мигриране: %s
-migrate.migrating_milestones = Мигриране на етапи
 migrate.failed = Мигрирането е неуспешно: %v
 pulls.nothing_to_compare_and_allow_empty_pr = Тези клонове са равни. Тази заявка за сливане ще бъде празна.
 pulls.has_pull_request = `Вече съществува заявка за сливане между тези клонове: <a href="%[1]s">%[2]s#%[3]d</a>`
@@ -1552,7 +1530,6 @@ issues.time_spent_from_all_authors = `Общо изразходвано врем
 issues.attachment.download = `Щракнете, за да изтеглите „%s“`
 issues.attachment.open_tab = `Щракнете, за да видите „%s“ в нов раздел`
 pulls.update_branch = Обновяване на клона чрез сливане
-migrate_items = Елементи за мигриране
 commit.load_referencing_branches_and_tags = Зареждане на клонове и маркери, препращащи към това подаване
 pulls.files_conflicted = Тази заявка за сливане има промени, които са в конфликт с целевия клон.
 pulls.still_in_progress = Все още е в процес на работа?
@@ -1574,8 +1551,6 @@ editor.cannot_edit_lfs_files = LFS файлове не могат да се ре
 commits.ssh_key_fingerprint = Отпечатък на SSH ключ
 issues.comment_on_locked = Не можете да коментирате заключена задача.
 commit.revert = Връщане
-migrate.cancel_migrating_title = Отказ от миграцията
-migrate.cancel_migrating_confirm = Искате ли да откажете тази миграция?
 issues.choose.invalid_config = Конфигурацията на задачите съдържа грешки:
 unit_disabled = Администраторът на сайта е изключил тази секция на хранилището.
 issues.blocked_by_user = Не можете да създавате задачи в това хранилище, защото сте блокирани от притежателя на хранилището.
diff --git a/options/locale/locale_ca.ini b/options/locale/locale_ca.ini
index 3342aab4a5..4902188c7e 100644
--- a/options/locale/locale_ca.ini
+++ b/options/locale/locale_ca.ini
@@ -1130,11 +1130,6 @@ template.webhooks = Webhooks
 template.topics = Temes
 template.avatar = Avatar
 need_auth = Autorització
-migrate_items_wiki = Wiki
-migrate_items_milestones = Fites
-migrate_items_labels = Etiquetes
-migrate_items_issues = Problemes
-migrate_items_releases = Publicacions
 unwatch = Deixa de seguir
 watch = Segueix
 unstar = Treu l'estrella
@@ -1652,7 +1647,6 @@ form.string_too_long = El text introduït té més de %d caràcters.
 migrate_options = Opcions de migració
 migrate_options_mirror_helper = Aquest repositori serà un mirall
 migrate_options_lfs_endpoint.description.local = També s'accepta un camí al servidor local.
-migrate_items = Elements de migració
 open_with_editor = Obre amb %s
 mirror_prune_desc = Elimina les referències de seguiment remot obsoletes
 mirror_sync_on_commit = Sincronitza quan es pugin commits
@@ -1679,7 +1673,6 @@ migrate_options_lfs = Migra els fitxers LFS
 migrate_options_lfs_endpoint.label = Punt final LFS
 migrate_options_lfs_endpoint.description = En migrar, s'intentarà utilitzar el vostre remot git per a <a target="_blank" rel="noopener noreferrer" href="%s">determinar el servidor LFS</a>. També podeu especificar un punt final personalitzat si les dades LFS del repositori són en un altre lloc.
 migrate_options_lfs_endpoint.placeholder = Si ho deixeu en blanc, el punt final derivarà de l'URL de clonació
-migrate_items_pullrequests = Pull requests
 generated_from = generat des de
 editor.update = Actualitzar %s
 diff.whitespace_ignore_at_eol = Ignorar els canvis en els espais en blanc al final de la línia
@@ -1807,15 +1800,6 @@ migrate.migrating = S'està migrant des de <b>%s</b> …
 migrate.migrating_failed = La migració des de <b>%s</b> ha fallat.
 migrate.migrating_failed.error = No s'ha pogut migrar: %s
 migrate.migrating_failed_no_addr = La migració ha fallat.
-migrate.migrating_git = Migrant dades Git
-migrate.migrating_topics = Migrant tòpics
-migrate.migrating_milestones = Migrant fites
-migrate.migrating_labels = Migrant etiquetes
-migrate.migrating_releases = Migrant publicacions
-migrate.migrating_issues = Migrant problemes
-migrate.migrating_pulls = Migrant «pull requests»
-migrate.cancel_migrating_title = Cancel·la la migració
-migrate.cancel_migrating_confirm = Voleu cancel·lar aquesta migració?
 mirror_from = mirall de
 forked_from = bifurcat des de
 fork_from_self = No podeu bifurcar un repositori que us pertany.
@@ -1833,18 +1817,9 @@ repo_gitignore_helper_desc = Escolliu de quins fitxers no s'ha de fer seguiment
 readme_helper_desc = Aquí podeu escriure una descripció completa del vostre projecte.
 mirror_interval = Interval de rèplica (les unitats de temps vàlides són "h", "m", "s"). 0 per desactivar la sincronització periòdica. (Interval mínim: %s)
 mirror_use_ssh.helper = Si seleccioneu aquesta opció, Forgejo replicarà el repositori mitjançant Git per SSH i us crearà una parella de claus. Heu d'assegurar-vos que la clau pública generada estigui autoritzada per publicar al repositori de destí. No podreu fer servir autenticació basada en contrasenyes.
-n_commit_one = %s commit
-n_commit_few = %s commits
-n_branch_one = Branca %s
-n_branch_few = Branques %s
-n_tag_one = Etiqueta %s
-n_tag_few = Etiquetes %s
-migrate_items_merge_requests = Sol·licituds de fusió
 migrate.github_token_desc = Podeu posar un o més testimonis separats amb comes per fer que la migració sigui més ràpida, evitant així el límit de taxa de l'API de GitHub. ATENCIÓ: Abusar aquesta funció pot anar en contra de la política de servei del proveïdor i pot comportar el bloqueig del/s vostre/s compte/s.
 migrate.clone_local_path = o el camí a un servidor local
 migrate.permission_denied_blocked = No podeu importar des d'amfitrions rebutjats, si us plau, demaneu a l'administrador que comprovi les configuracions ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS.
-n_release_one = Publicació %s
-n_release_few = Publicacions %s
 file.title = %s a %s
 file_view_rendered = Veure renderitzat
 file_view_raw = Veure cru
@@ -3146,7 +3121,7 @@ config.send_test_mail = Envia un correu de prova
 config.send_test_mail_submit = Envia
 config.test_mail_failed = No s'ha pogut enviar el correu de prova a "%s": %v
 config.test_mail_sent = S'ha enviat un correu de prova a "%s".
-config.cache_config =
+config.cache_config = 
 config.cache_adapter =Adaptador de la memòria cau
 config.cache_interval =Interval de la memòria cau
 config.cache_conn =Connexió de la memòria cau
diff --git a/options/locale/locale_cs-CZ.ini b/options/locale/locale_cs-CZ.ini
index 91e5e8dbc5..8272952312 100644
--- a/options/locale/locale_cs-CZ.ini
+++ b/options/locale/locale_cs-CZ.ini
@@ -1154,14 +1154,6 @@ migrate_options_lfs_endpoint.label=Endpoint LFS
 migrate_options_lfs_endpoint.description=Migrace se pokusí použít váš vzdálený Git pro <a target="_blank" rel="noopener noreferrer" href="%s">určení LFS serveru</a>. Můžete také zadat vlastní koncový bod, pokud jsou data LFS repozitáře uložena někde jinde.
 migrate_options_lfs_endpoint.description.local=Podporována je také cesta k lokálnímu serveru.
 migrate_options_lfs_endpoint.placeholder=Ponecháte-li prázdné, koncový bod bude odvozen z adresy URL klonu
-migrate_items=Položky pro migrování
-migrate_items_wiki=Wiki
-migrate_items_milestones=Milníky
-migrate_items_labels=Štítky
-migrate_items_issues=Problémy
-migrate_items_pullrequests=Žádosti o sloučení
-migrate_items_merge_requests=Sloučit žádosti
-migrate_items_releases=Vydání
 migrate_repo=Migrovat repozitář
 migrate.clone_address=Migrovat / klonovat z URL
 migrate.clone_address_desc=HTTP(S) nebo URL Git „clone“ existujícího repozitáře
@@ -1180,16 +1172,6 @@ migrate.migrating=Probíhá migrace z <b>%s</b> …
 migrate.migrating_failed=Migrace z <b>%s</b> se nezdařila.
 migrate.migrating_failed.error=Nepodařilo se migrovat: %s
 migrate.migrating_failed_no_addr=Migrace se nezdařila.
-migrate.migrating_git=Migrace dat z Gitu
-migrate.migrating_topics=Migrace témat
-migrate.migrating_milestones=Migrace milníků
-migrate.migrating_labels=Migrace štítků
-migrate.migrating_releases=Migrace vydání
-migrate.migrating_issues=Migrace problémů
-migrate.migrating_pulls=Migrace žádostí o sloučení
-migrate.cancel_migrating_title=Zrušit migraci
-migrate.cancel_migrating_confirm=Chcete zrušit tuto migraci?
-
 mirror_from=zrcadlo
 forked_from=forknuto z
 generated_from=generováno z
@@ -2647,12 +2629,6 @@ pulls.ready_for_review = Připraveni na posouzení?
 settings.rename_branch_failed_protected = Nepodařilo se přejmenovat větev %s, jelikož se jedná o chráněnou větev.
 editor.push_out_of_date = Push je nejspíše zastaralý.
 stars = Oblíbení
-n_commit_one = %s revize
-n_commit_few = %s revizí
-n_branch_one = %s větev
-n_tag_one = %s značka
-n_tag_few = %s značek
-n_branch_few = %s větví
 settings.event_pull_request_enforcement = Vynucení
 settings.enforce_on_admins = Vynutit toto pravidlo pro správce repozitáře
 settings.enforce_on_admins_desc = Správci repozitáře nemohou obejít toto pravidlo.
@@ -2676,8 +2652,6 @@ settings.transfer.button = Převést vlastnictví
 settings.transfer.modal.title = Převést vlastnictví
 wiki.search = Hledat na wiki
 wiki.no_search_results = Žádné výsledky
-n_release_one = %s vydání
-n_release_few = %s vydání
 settings.federation_settings = Nastavení federace
 settings.federation_apapiurl = Adresa URL federace tohoto repozitáře. Zkopírujte a vložte tuto adresu do nastavení federace jiného repozitáře jako adresu sledovaného repozitáře.
 settings.federation_not_enabled = Na vaší instanci není dostupná federace.
diff --git a/options/locale/locale_da.ini b/options/locale/locale_da.ini
index 869fd0b734..83f5b14ea2 100644
--- a/options/locale/locale_da.ini
+++ b/options/locale/locale_da.ini
@@ -1134,14 +1134,6 @@ migrate_options_mirror_helper = Dette depot vil være et spejl
 migrate_options_lfs = Migrer LFS-filer
 migrate_options_lfs_endpoint.label = LFS endepunkt
 migrate_options_lfs_endpoint.description.local = En lokal serversti understøttes også.
-migrate_items = Migration Elementer
-migrate_items_wiki = Wiki
-migrate_items_milestones = Milepæle
-migrate_items_labels = Etiketter
-migrate_items_issues = Problemmer
-migrate_items_pullrequests = Pull-anmodninger
-migrate_items_merge_requests = Flet anmodninger
-migrate_items_releases = Udgivelser
 migrate_repo = Migrer depot
 migrate.clone_address_desc = HTTP(S) eller Git "klone" URL'en for et eksisterende depot
 migrate.clone_local_path = eller en lokal serversti
@@ -1157,14 +1149,6 @@ migrate.migrating = Migrerer fra <b>%s</b> …
 migrate.migrating_failed = Migrering fra <b>%s</b> mislykkedes.
 migrate.migrating_failed.error = Kunne ikke migrere: %s
 migrate.migrating_failed_no_addr = Migration mislykkedes.
-migrate.migrating_git = Migrering af Git-data
-migrate.migrating_topics = Migrering af emner
-migrate.migrating_milestones = Migrerende milepæle
-migrate.migrating_labels = Migrering af etiketter
-migrate.migrating_releases = Migrering af udgivelser
-migrate.migrating_issues = Migrering af problemer
-migrate.migrating_pulls = Migrering af pull-anmodninger
-migrate.cancel_migrating_title = Annuller migrering
 mirror_from = spejl af
 forked_from = forked fra
 generated_from = genereret fra
@@ -1175,7 +1159,6 @@ migrate_options_lfs_endpoint.description = Migration vil forsøge at bruge din f
 form.name_pattern_not_allowed = Mønsteret "%s" er ikke tilladt i et depotnavn.
 migrate_options_lfs_endpoint.placeholder = Hvis det efterlades tomt, vil endepunktet blive afledt fra klonens URL
 migrate.clone_address = Migrer / Klon fra URL
-migrate.cancel_migrating_confirm = Vil du annullere denne migrering?
 more_operations = Flere operationer
 new_from_template = Brug en skabelon
 new_from_template_description = Du kan vælge en eksisterende depotskabelon på denne instans og anvende dens indstillinger.
@@ -1269,15 +1252,10 @@ packages = Pakker
 actions = Handlinger
 labels = Etiketter
 milestones = Milepæle
-n_commit_few = %s commits
-n_branch_one = %s gren
-n_branch_few = %s grene
 org_labels_desc_manage = Styr
 commits = Commits
 commit = Commit
 org_labels_desc = Etiketter på organisationsniveau, der kan bruges med <strong>alle depoter</strong> under denne organisation
-n_commit_one = %s commit
-n_release_few = %s udgivelser
 released_this = udgivet dette
 file.title = %s ved %s
 file_raw = Rå
@@ -1287,9 +1265,6 @@ editor.fail_to_update_file_summary = Fejlmeddelelse:
 editor.push_rejected_summary = Fuldstændig afvisningsmeddelelse:
 editor.add_subdir = Tilføj en mappe…
 editor.unable_to_upload_files = Kunne ikke uploade filer til "%s" med fejl: %v
-n_tag_one = %s tag
-n_tag_few = %s tags
-n_release_one = %s udgivelse
 file_history = Historie
 file_view_source = Se kilde
 file_view_rendered = Vis gengivet
diff --git a/options/locale/locale_de-DE.ini b/options/locale/locale_de-DE.ini
index 897d335cb8..494d64a6f7 100644
--- a/options/locale/locale_de-DE.ini
+++ b/options/locale/locale_de-DE.ini
@@ -1153,14 +1153,6 @@ migrate_options_lfs_endpoint.label=LFS-Endpunkt
 migrate_options_lfs_endpoint.description=Migration wird versuchen, über den entfernten Git-Server <a target="_blank" rel="noopener noreferrer" href="%s">den LFS-Server zu bestimmen</a>. Du kannst auch einen eigenen Endpunkt angeben, wenn die LFS-Dateien woanders gespeichert werden.
 migrate_options_lfs_endpoint.description.local=Ein lokaler Serverpfad wird ebenfalls unterstützt.
 migrate_options_lfs_endpoint.placeholder=Wenn leer gelassen, wird der Endpunkt von der Klon-URL abgeleitet
-migrate_items=Migrationselemente
-migrate_items_wiki=Wiki
-migrate_items_milestones=Meilensteine
-migrate_items_labels=Labels
-migrate_items_issues=Issues
-migrate_items_pullrequests=Pull-Requests
-migrate_items_merge_requests=Merge-Requests
-migrate_items_releases=Releases
 migrate_repo=Repository migrieren
 migrate.clone_address=Migrations-/Klon-URL
 migrate.clone_address_desc=Die HTTP(S)- oder „git clone“-URL eines bereits existierenden Repositorys
@@ -1179,16 +1171,6 @@ migrate.migrating=Migriere von <b>%s</b> …
 migrate.migrating_failed=Migrieren von <b>%s</b> fehlgeschlagen.
 migrate.migrating_failed.error=Migration fehlgeschlagen: %s
 migrate.migrating_failed_no_addr=Migration fehlgeschlagen.
-migrate.migrating_git=Git-Daten werden migriert
-migrate.migrating_topics=Themen werden migriert
-migrate.migrating_milestones=Meilensteine werden migriert
-migrate.migrating_labels=Labels werden migriert
-migrate.migrating_releases=Releases werden migriert
-migrate.migrating_issues=Issues werden migriert
-migrate.migrating_pulls=Pull-Requests werden migriert
-migrate.cancel_migrating_title=Migration abbrechen
-migrate.cancel_migrating_confirm=Möchtest du diese Migration abbrechen?
-
 mirror_from=Spiegel von
 forked_from=geforkt von
 generated_from=erzeugt von
@@ -2647,13 +2629,7 @@ pulls.ready_for_review = Bereit zur Sichtung?
 settings.rename_branch_failed_protected = Branch %s kann nicht umbenannt werden, weil er ein geschützter Branch ist.
 editor.commit_id_not_matching = Die Datei wurde geändert, während du sie bearbeitet hast. Committe in einen neuen Branch, dann führe einen Merge durch.
 editor.push_out_of_date = Der Push scheint veraltet zu sein.
-n_commit_few = %s Commits
-n_branch_one = %s Branch
-n_branch_few = %s Branches
-n_tag_one = %s Tag
-n_tag_few = %s Tags
 stars = Favorisierungen
-n_commit_one = %s Commit
 issues.num_participants_one = %d Beteiligter
 settings.enforce_on_admins_desc = Repositoryadministratoren können diese Regel nicht umgehen.
 settings.enforce_on_admins = Erzwinge diese Regel für alle Repositoryadministratoren
@@ -2677,8 +2653,6 @@ settings.transfer.button = Besitz übertragen
 settings.transfer.modal.title = Besitz übertragen
 wiki.no_search_results = Keine Ergebnisse
 wiki.search = Wiki durchsuchen
-n_release_one = %s freigegeben
-n_release_few = %s Veröffentlichungen
 form.string_too_long = Die Zeichenkette ist länger als %d Zeichen.
 settings.federation_settings = Föderationseinstellungen
 settings.federation_following_repos = URLs folgender Repositorys. Durch „;“ getrennt, keine Leerzeichen.
diff --git a/options/locale/locale_el-GR.ini b/options/locale/locale_el-GR.ini
index 682af86f78..a4c2cb14f6 100644
--- a/options/locale/locale_el-GR.ini
+++ b/options/locale/locale_el-GR.ini
@@ -1154,14 +1154,6 @@ migrate_options_lfs_endpoint.label=Άκρο LFS
 migrate_options_lfs_endpoint.description=Η μεταφορά θα προσπαθήσει να χρησιμοποιήσει το Git remote για να <a target="_blank" rel="noopener noreferrer" href="%s">καθορίσει τον διακομιστή LFS</a>. Μπορείτε επίσης να καθορίσετε ένα δικό σας endpoint αν τα δεδομένα LFS του αποθετηρίου αποθηκεύονται κάπου αλλού.
 migrate_options_lfs_endpoint.description.local=Μια διαδρομή στο τοπικό διακομιστή επίσης υποστηρίζεται.
 migrate_options_lfs_endpoint.placeholder=Αν αφεθεί κενό, το άκρο θα προκύψει από το URL του κλώνου
-migrate_items=Αντικείμενα μεταφοράς
-migrate_items_wiki=Wiki
-migrate_items_milestones=Ορόσημα
-migrate_items_labels=Σήματα
-migrate_items_issues=Ζητήματα
-migrate_items_pullrequests=Pull requests
-migrate_items_merge_requests=Merge requests
-migrate_items_releases=Κυκλοφορίες
 migrate_repo=Μεταφορά αποθετηρίου
 migrate.clone_address=Μεταφορά / Κλωνοποίηση από το URL
 migrate.clone_address_desc=Το HTTP(S) ή το Git URL «κλωνοποίησης» ενός υπάρχοντος αποθετηρίου
@@ -1180,16 +1172,6 @@ migrate.migrating=Γίνεται μεταφορά από το <b>%s</b>…
 migrate.migrating_failed=Η μεταφορά από το <b>%s</b> απέτυχε.
 migrate.migrating_failed.error=Αποτυχία μεταφοράς: %s
 migrate.migrating_failed_no_addr=Η μεταφορά απέτυχε.
-migrate.migrating_git=Τα δεδομένα Git μεταφέρονται
-migrate.migrating_topics=Τα θέματα μεταφέρονται
-migrate.migrating_milestones=Τα ορόσημα μεταφέρονται
-migrate.migrating_labels=Τα σήματα μεταφέρονται
-migrate.migrating_releases=Οι κυκλοφορίες μεταφέρονται
-migrate.migrating_issues=Τα ζητήματα μεταφέρονται
-migrate.migrating_pulls=Μεταφέρονται τα pull requests
-migrate.cancel_migrating_title=Ακύρωση μεταφοράς
-migrate.cancel_migrating_confirm=Θέλετε να ακυρώσετε αυτή τη μεταφορά;
-
 mirror_from=είδωλο του
 forked_from=forked από
 generated_from=παραγμένο από
@@ -2634,14 +2616,8 @@ activity.navbar.pulse = Παλμός
 settings.add_collaborator_blocked_them = Δεν είναι δυνατή η προσθήκη του χρήστη ως συνεργάτη, καθώς έχει αποκλείσει τον κάτοχο του αποθετηρίου.
 settings.wiki_rename_branch_main_notices_2 = Θα αλλάξει το όνομα του εσωτερικού κλάδου για το wiki του αποθετηρίου %s. Οι υπάρχουσες υποβολές θα πρέπει να ενημερωθούν.
 settings.add_collaborator_blocked_our = Δεν είναι δυνατή η προσθήκη του χρήστη ως συνεργάτη, καθώς ο κάτοχος του αποθετηρίου τον έχει αποκλείσει.
-n_branch_few = %s κλάδοι
-n_tag_one = %s ετικέτα
-n_tag_few = %s ετικέτες
-n_commit_one = %s υποβολή
 stars = Αστέρια
-n_branch_one = %s κλάδος
 commits.search_branch = Αυτός ο κλάδος
-n_commit_few = %s υποβολές
 settings.sourcehut_builds.secrets = Μυστικά
 settings.add_webhook.invalid_path = Η τοποθεσία του αρχείου δεν μπορεί να περιέχει κενά, «.» ή «..». Δεν μπορεί να αρχίζει ή να τελειώνει με μία κάθετο.
 commits.browse_further = Περιήγηση περισσοτέρων
@@ -2690,8 +2666,6 @@ settings.transfer.button = Παραχώρηση ιδιοκτησίας
 settings.matrix.room_id_helper = Το ID δωματίου μπορείτε να το βρείτε στο πρόγραμμα Element > Room Settings > Advanced > Internal room ID. Παράδειγμα: %s.
 wiki.search = Αναζήτηση wiki
 wiki.no_search_results = Κανένα αποτέλεσμα
-n_release_one = %s κυκλοφορία
-n_release_few = %s κυκλοφορίες
 release.hide_archive_links_helper = Απόκρυψη των αρχείων πηγαίου κώδικα που δημιουργούνται αυτόματα για αυτή την δημιοσίευση. Αυτή η ρύθμιση είναι χρήσιμη αν ανεβάζετε τα δικά σας αρχεία.
 release.type_attachment = Συνημμένο
 activity.published_prerelease_label = Προδημοσίευση
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 2df0b3a728..1fdced67c2 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -1208,14 +1208,6 @@ migrate_options_lfs_endpoint.label = LFS endpoint
 migrate_options_lfs_endpoint.description = Migration will attempt to use your Git remote to <a target="_blank" rel="noopener noreferrer" href="%s">determine the LFS server</a>. You can also specify a custom endpoint if the repository LFS data is stored somewhere else.
 migrate_options_lfs_endpoint.description.local = A local server path is supported too.
 migrate_options_lfs_endpoint.placeholder = If left blank, the endpoint will be derived from the clone URL
-migrate_items = Migration items
-migrate_items_wiki = Wiki
-migrate_items_milestones = Milestones
-migrate_items_labels = Labels
-migrate_items_issues = Issues
-migrate_items_pullrequests = Pull requests
-migrate_items_merge_requests = Merge requests
-migrate_items_releases = Releases
 migrate_repo = Migrate repository
 migrate.repo_desc_helper = Leave empty to import existing description
 migrate.clone_address = Migrate / Clone from URL
@@ -1235,16 +1227,6 @@ migrate.migrating = Migrating from <b>%s</b> …
 migrate.migrating_failed = Migrating from <b>%s</b> failed.
 migrate.migrating_failed.error = Failed to migrate: %s
 migrate.migrating_failed_no_addr = Migration failed.
-migrate.migrating_git = Migrating Git data
-migrate.migrating_topics = Migrating topics
-migrate.migrating_milestones = Migrating milestones
-migrate.migrating_labels = Migrating labels
-migrate.migrating_releases = Migrating releases
-migrate.migrating_issues = Migrating issues
-migrate.migrating_pulls = Migrating pull requests
-migrate.cancel_migrating_title = Cancel migration
-migrate.cancel_migrating_confirm = Do you want to cancel this migration?
-
 mirror_from = mirror of
 forked_from = forked from
 generated_from = generated from
@@ -1289,15 +1271,6 @@ milestones = Milestones
 org_labels_desc = Organization level labels that can be used with <strong>all repositories</strong> under this organization
 org_labels_desc_manage = manage
 
-n_commit_one=%s commit
-n_commit_few=%s commits
-n_branch_one=%s branch
-n_branch_few=%s branches
-n_tag_one=%s tag
-n_tag_few=%s tags
-n_release_one = %s release
-n_release_few = %s releases
-
 released_this = released this
 file.title = %s at %s
 file_raw = Raw
diff --git a/options/locale/locale_eo.ini b/options/locale/locale_eo.ini
index 249597b718..015c11c5b1 100644
--- a/options/locale/locale_eo.ini
+++ b/options/locale/locale_eo.ini
@@ -772,7 +772,7 @@ enable_custom_avatar = Uzi propran profilbildon
 change_password = Ŝanĝi pasvorton
 keep_pronouns_private = Montri pronomojn nur al la aŭtentikigitaj uzantoj
 keep_pronouns_private.description = Tio maskos viajn pronomojn kontraŭ neaŭtentikigitaj vizitantoj.
-add_new_principal =
+add_new_principal = 
 gpg_token_required = Vi devas disponigi signaturon por la malsupran ĵetono
 gpg_token = Ĵetono
 gpg_token_help = Vi povas generi signaturon uzante:
@@ -879,8 +879,6 @@ form.name_pattern_not_allowed = La ŝablono "%s" ne estas permesata en uzantnomo
 editor.add_file = Aldoni dosieron
 settings.tags = Etikedoj
 archive.title_date = Ĉi tiu deponejo arĥiviĝis je %s. Vi povas vidi kaj elŝuti dosierojn, sed ne povas puŝi nek raporti problemojn nek tirpeti.
-migrate_items_pullrequests = Tirpetoj
-migrate.migrating_pulls = Migrante tirpetojn
 unwatch = Malspuri
 watch = Spuri
 star = Stelumi
@@ -919,7 +917,6 @@ settings.default_branch_desc = Elekti implicutan deponejan branĉon por tirpetoj
 archive.title = Ĉi tiu deponejo estas arĥivigita. Vi povas vidi kaj elŝuti dosierojn, sed ne povas puŝi nek raporti problemojn nek tirpeti.
 activity.active_prs_count_n = <strong>%d</strong> aktivaj tirpetoj
 settings.archive.text = Arĥivigi la deponejon igus ĝin sole legebla. Ĝi kaŝiĝos de la labortablo. Neniu (ne eĉ vi!) povos fari enmetojn, raportojn, kaj tirpetojn.
-migrate_items_releases = Eldonoj
 commits.commits = Enmetoj
 rss.must_be_on_branch = Vi devas esti en branĉo por havi RSS-fluon.
 repo_name = Deponejonomo
diff --git a/options/locale/locale_es-ES.ini b/options/locale/locale_es-ES.ini
index 8809dca726..5fb0a270eb 100644
--- a/options/locale/locale_es-ES.ini
+++ b/options/locale/locale_es-ES.ini
@@ -1153,14 +1153,6 @@ migrate_options_lfs_endpoint.label=Destino LFS
 migrate_options_lfs_endpoint.description=Migración intentará usar su mando Git para <a target="_blank" rel="noopener noreferrer" href="%s">determinar el servidor LFS</a>. También puede especificar un punto final personalizado si los datos LFS del repositorio se almacenan en otro lugar.
 migrate_options_lfs_endpoint.description.local=También se admite una ruta del servidor local.
 migrate_options_lfs_endpoint.placeholder=Si se deja en blanco, el punto final se derivará de la URL de clonación
-migrate_items=Objetos de migración
-migrate_items_wiki=Wiki
-migrate_items_milestones=Hitos
-migrate_items_labels=Etiquetas
-migrate_items_issues=Incidencias
-migrate_items_pullrequests=Solicitudes de extracción
-migrate_items_merge_requests=Solicitudes de fusión
-migrate_items_releases=Lanzamientos
 migrate_repo=Migrar repositorio
 migrate.clone_address=Migrar / Clonar desde URL
 migrate.clone_address_desc=La URL HTTP(S) o de Git "clone" de un repositorio existente
@@ -1179,16 +1171,6 @@ migrate.migrating=Migrando desde <b>%s</b>…
 migrate.migrating_failed=La migración desde <b>%s</b> ha fallado.
 migrate.migrating_failed.error=Error al migrar: %s
 migrate.migrating_failed_no_addr=Migración fallida.
-migrate.migrating_git=Migrando datos de Git
-migrate.migrating_topics=Migrando temas
-migrate.migrating_milestones=Migrando hitos
-migrate.migrating_labels=Migrando etiquetas
-migrate.migrating_releases=Migrar versiones
-migrate.migrating_issues=Migrando incidencias
-migrate.migrating_pulls=Migrando solicitudes de incorporación de cambios
-migrate.cancel_migrating_title=Cancelar la migración
-migrate.cancel_migrating_confirm=¿Quiere cancelar esta migración?
-
 mirror_from=réplica de
 forked_from=bifurcado de
 generated_from=generado desde
@@ -2583,24 +2565,16 @@ error.csv.invalid_field_count=No se puede procesar este archivo porque tiene un
 rss.must_be_on_branch = Debes estar en una rama para tener un feed RSS.
 desc.sha256 = SHA256
 issues.num_participants_one = %d participante
-n_commit_few = %s commits
-n_branch_few = %s ramas
-n_tag_one = %s etiqueta
-n_tag_few = %s etiquetas
 file_follow = Seguir enlace simbólico
 vendored = Vendored
 open_with_editor = Abrir con %s
-n_branch_one = %s rama
 issues.archived_label_description = (Archivado) %s
-n_commit_one = %s commit
 generated = Generado
 pulls.nothing_to_compare_have_tag = Las ramas/etiquetas seleccionadas son iguales.
 commits.search_branch = Esta rama
 commits.renamed_from = Renombrado de %s
 form.string_too_long = El texto introducido tiene más de %d caracteres.
 object_format = Formato de objetos
-n_release_one = %s lanzamiento
-n_release_few = %s versiones
 stars = Estrellas
 editor.invalid_commit_mail = Correo no válido para crear un commit.
 project = Proyectos
diff --git a/options/locale/locale_et.ini b/options/locale/locale_et.ini
index e86a0669dd..a18e593213 100644
--- a/options/locale/locale_et.ini
+++ b/options/locale/locale_et.ini
@@ -468,8 +468,6 @@ default_branch_label = vaikimisi
 code.desc = Ligipääs lähtekoodile, failidele, sissekannetele ja alamharudele.
 filter_branch_and_tag = Filtreeri alamharu või sildi alusel
 branches = Alamharud
-n_branch_one = %s alamharu
-n_branch_few = %s alamharu
 commit_graph.select = Vali alamharud
 commit.contained_in_default_branch = See sissekanne on vaikimisi alamharu osa
 editor.new_branch_name_desc = Alamharu uus nimi…
diff --git a/options/locale/locale_fa-IR.ini b/options/locale/locale_fa-IR.ini
index 64639e80a1..0e5fcc4e68 100644
--- a/options/locale/locale_fa-IR.ini
+++ b/options/locale/locale_fa-IR.ini
@@ -883,14 +883,6 @@ migrate_options_lfs=مهاجرت فایلهای LFS
 migrate_options_lfs_endpoint.label=نشانهای پایانی LFS
 migrate_options_lfs_endpoint.description=Migration سعی خواهد کرد از کنترل از راه دور Git شما برای <a target="_blank" rel="noopener noreferrer" href="%s">تعیین سرور LFS</a> استفاده کند. همچنین اگر داده های LFS مخزن در جای دیگری ذخیره شده باشد، می توانید یک نقطه پایانی سفارشی را مشخص کنید.
 migrate_options_lfs_endpoint.description.local=مسیر سرور محلی نیز پشتیبانی می شود.
-migrate_items=مولفه های مهاجرت
-migrate_items_wiki=دانشنامه
-migrate_items_milestones=نقاط عطف
-migrate_items_labels=برچسب‌ها
-migrate_items_issues=مسائل
-migrate_items_pullrequests=تقاضاهای واکشی
-migrate_items_merge_requests=تقاضاهای واکشی
-migrate_items_releases=انتشارها
 migrate_repo=انتقال مخزن
 migrate.clone_address=انتقال / همسان‌سازی از نشانی
 migrate.clone_address_desc=HTTP(S) or Git 'همسان‌سازی' نشانی‌های موجود در این مخزن
@@ -906,14 +898,6 @@ migrate.migrate=مهاجرت از %s
 migrate.migrating=مهاجرت از <b>%s</b> ...
 migrate.migrating_failed=مهاجرت از <b>%s</b> ناموفق بود.
 migrate.migrating_failed_no_addr=مهاجرت ناموفق بود.
-migrate.migrating_git=انتقال داده های Git
-migrate.migrating_topics=موضوعات مهاجرت
-migrate.migrating_milestones=نقاط عطف مهاجرت
-migrate.migrating_labels=برچسب های مهاجرت
-migrate.migrating_releases=انتشارات مهاجرت
-migrate.migrating_issues=مشکلات مهاجرت
-migrate.migrating_pulls=مهاجرت درخواست های pull
-
 mirror_from=قرینه از
 forked_from=انشعاب شده از
 generated_from=ساخته شده از
diff --git a/options/locale/locale_fi-FI.ini b/options/locale/locale_fi-FI.ini
index 763e036069..c98bdebeea 100644
--- a/options/locale/locale_fi-FI.ini
+++ b/options/locale/locale_fi-FI.ini
@@ -1070,13 +1070,6 @@ template.issue_labels=Ongelmanimilaput
 
 
 
-migrate_items=Migraation kohteet
-migrate_items_wiki=Wiki
-migrate_items_milestones=Merkkipaalut
-migrate_items_labels=Nimilaput
-migrate_items_issues=Ongelmat
-migrate_items_pullrequests=Vetopyynnöt
-migrate_items_releases=Julkaisut
 migrate_repo=Suorita tietovaraston migraatio
 migrate.clone_address=Migraatio/kloonaus URL-osoitteesta
 migrate.github_token_desc=Voit lisätä tähän yhden tai useamman tunnuksen pilkuilla erotettuna nopeuttaaksesi migraatiota kiertämällä GitHub API:n nopeusrajoituksen. Varoitus: Tämän ominaisuuden väärinkäyttö voi rikkoa palveluntarjoajan käytäntöä ja johtaa tiliesi sulkemiseen.
@@ -1085,8 +1078,6 @@ migrate.failed=Migraatio epäonnistui: %v
 migrate.migrate_items_options=Lisäkohteiden migraatiota varten vaaditaan pääsypoletti
 migrate.migrating=Suoritetaan migraatio lähteestä <b>%s</b> …
 migrate.migrating_failed=Migraatio lähteestä <b>%s</b> epäonnistui.
-migrate.migrating_git=Suoritetaan Git-datan migraatiota
-
 mirror_from=peili kohteelle
 forked_from=forkattu tietovarastosta
 unwatch=Lopeta tarkkailu
@@ -1680,7 +1671,6 @@ fork_to_different_account = Forkkaa toiselle tilille
 release.compare = Vertaa
 release.ahead.commits = <strong>%d</strong> kommittia
 all_branches = Kaikki haarat
-n_tag_few = %s tagia
 settings.event_fork_desc = Tietovarasto forkattu.
 actions = Toiminnat
 fork_guest_user = Kirjaudu sisään forkataksesi tämän tietovaraston.
@@ -1689,19 +1679,16 @@ visibility_fork_helper = (Tämän muuttaminen vaikuttaa kaikkien forkkien näkyv
 fork = Forkkaa
 activity.git_stats_commit_n = %d kommittia
 commits.search_branch = Tämä haara
-n_branch_few = %s haaraa
 pulls.show_all_commits = Näytä kaikki kommitit
 commit_graph.select = Valitse haarat
 activity.navbar.recent_commits = Viimeaikaiset kommitit
 settings.branches.add_new_rule = Lisää uusi sääntö
-n_commit_few = %s kommittia
 issues.force_push_compare = Vertaa
 commits.desc = Selaa lähdekoodin muutoshistoriaa.
 clone_helper = Tarvitseko apua kloonauksen kanssa? Siirry <a target="_blank" rel="noopener noreferrer" href="%s">tukisivulle</a>.
 settings.mirror_settings.push_mirror.copy_public_key = Kopioi julkinen avain
 object_format = Objektimuoto
 editor.fail_to_update_file_summary = Virheviesti:
-n_branch_one = %s haara
 issues.content_history.delete_from_history_confirm = Poistetaanko historiasta?
 editor.new_patch = Uusi paikkaus
 pulls.merged_success = Vetopyyntö yhdistetty onnistuneesti ja suljettu
@@ -1751,8 +1738,6 @@ issues.dependency.add_error_dep_exists = Riippuvuus on jo olemassa.
 wiki.page_content = Sivun sisältö
 wiki.page_title = Sivun otsikko
 activity.navbar.contributors = Avustajat
-n_release_few = %s julkaisua
-n_release_one = %s julkaisu
 symbolic_link = Symbolinen linkki
 mirror_last_synced = Viimeksi synkronoitu
 find_file.go_to_file = Löydä tiedosto
@@ -1875,7 +1860,6 @@ issues.filter_label_select_no_label = Ei nimilappua
 projects.column.set_default = Aseta oletukseksi
 projects.edit_success = Projekti "%s" on päivitetty.
 desc.sha256 = SHA256
-n_commit_one = %s kommitti
 transfer.accept = Hyväksy siirto
 transfer.reject = Hylkää siirto
 default_branch_label = oletus
@@ -1932,7 +1916,6 @@ milestones.deletion = Poista merkkipaalu
 more_operations = Lisää toimintoja
 settings.branches.switch_default_branch = Vaihda oletushaara
 tag.confirm_create_tag = Luo tagi
-n_tag_one = %s tagi
 branch.renamed = Haaran %s uudeksi nimeksi asetettiin %s.
 release.tag_name_protected = Tagin nimi on suojattu.
 pulls.merge_conflict_summary = Virheviesti
@@ -1985,7 +1968,6 @@ milestones.filter_sort.earliest_due_data = Lähin eräpäivä
 issues.filter_type.reviewed_by_you = Katselmoitu toimestasi
 settings.units.overview = Yleisnäkymä
 settings.remove_team_success = Tiimin pääsy tietovarastoon on poistettu.
-migrate.cancel_migrating_confirm = Haluatko perua tämän migraation?
 settings.units.units = Yksiköt
 settings.update_settings_no_unit = Tietovaraston tulisi sallia edes jonkinlainen vuorovaikutus.
 settings.units.add_more = Ota lisää käyttöön
@@ -2059,7 +2041,6 @@ release.title_empty = Nimi ei voi olla tyhjä.
 archive.title = Tämä tietovarasto on arkistoitu. Voit tarkastella sen tiedostoja ja kloonata sen, mutta et voi tehdä muutoksia sen tilaan, kuten tehdä työntöjä tai luoda uusia ongelmia, vetopyyntöjä tai kommentteja.
 reactions_more = ja %d lisää
 mirror_address = Kloonaa URL-osoitteesta
-migrate_items_merge_requests = Yhdistämispyynnöt
 stars_remove_warning = Tämä poistaa kaikki tähdet tästä tietovarastosta.
 settings.webhook_deletion_desc = Webkoukun poistaminen poistaa sen asetukset ja toimitushistorian. Jatketaanko?
 settings.discord_icon_url.exceeds_max_length = Kuvakkeen URL-osoite voi sisältää enintään 2048 merkkiä
@@ -2228,8 +2209,6 @@ issues.dismiss_review_warning = Haluatko hylätä katselmoinnin?
 commit.operations = Toimenpiteet
 commits.view_single_diff = Näytä tässä kommitissa tähän tiedostoon kohdistuneet muutokset
 issues.choose.ignore_invalid_templates = Virheelliset mallipohjat on jätetty huomiotta
-migrate.migrating_milestones = Suoritetaan merkkipaalujen migraatiota
-migrate.migrating_issues = Suoritetaan ongelmien migraatiota
 migrate.clone_local_path = tai paikallisen palvelimen polku
 pulls.filter_changes_by_commit = Suodata kommitin perusteella
 pulls.show_changes_since_your_last_review = Näytä viimeisimmän katselmointisi jälkeiset muutokset
@@ -2244,7 +2223,6 @@ migrate.invalid_lfs_endpoint = LFS-päätepiste ei ole kelvollinen.
 issues.new.clear_projects = Tyhjennä projektit
 mirror_denied_combination = Julkiseen avaimeen ja salasanaan pohjautuvaa todennusta ei voi käyttää yhdessä.
 template.git_content = Git-sisältö (Oletushaara)
-migrate.migrating_releases = Suoritetaan julkaisujen migraatiota
 unit_disabled = Sivuston ylläpitäjä on poistanut käytöstä tämän tietovarasto-osion.
 issues.filter_sort.relevance = Asiaankuuluvuus
 pulls.reopen_to_merge = Avaa tämä vetopyyntö uudelleen suorittaaksesi yhdistämisen.
@@ -2256,9 +2234,6 @@ issues.dismiss_review = Hylkää katselmointi
 editor.file_changed_while_editing = Tiedoston sisältö on muuttunut sen avaamisen jälkeen. <a target="_blank" rel="noopener noreferrer" href="%s">Napsauta tästä</a> nähdäksesi muutokset tai <strong>kommitoi muutokset uudelleen</strong> korvataksesi muutokset.
 sync_fork.button = Synkronoi
 migrated_from = Suoritettu migraatio lähteestä <a href="%[1]s">%[2]s</a>
-migrate.migrating_topics = Suoritetaan aiheiden migraatiota
-migrate.migrating_pulls = Suoritetaan vetopyyntöjen migraatiota
-migrate.cancel_migrating_title = Peruuta migraatio
 file_follow = Seuraa symbolista linkkiä
 commit.load_referencing_branches_and_tags = Lataa haarat ja tagit, jotka viittaavat tähän kommittiin
 editor.commit_id_not_matching = Tiedosto muuttui sillä aikaa, kun muokkasit sitä. Kommitoi uuteen haaraan ja yhdistä sen jälkeen.
@@ -2282,7 +2257,6 @@ projects.column.deletion_desc = Projektin sarakkeen poistaminen siirtää kaikki
 issues.del_time = Poista tämä aikaloki
 migrated_from_fake = Suoritettu migraatio lähteestä %[1]s
 migrate.migrate = Tee migraatio lähteestä %s
-migrate.migrating_labels = Suoritetaan nimilappujen migraatiota
 file_view_rendered = Näytä renderöitynä
 editor.invalid_commit_mail = Virheellinen sähköposti kommitin luomista varten.
 sync_fork.branch_behind_one = Tämä haara on %[1]d kommitin jäljessä %[2]s
diff --git a/options/locale/locale_fil.ini b/options/locale/locale_fil.ini
index 0181f32452..8c8db3045e 100644
--- a/options/locale/locale_fil.ini
+++ b/options/locale/locale_fil.ini
@@ -1091,7 +1091,6 @@ delete_preexisting = Burahin ang mga dating umiiral na file
 delete_preexisting_content = Burahin ang mga file sa %s
 tree_path_not_found_commit = Hindi umiiral ang path na %[1]s sa commit %[2]s
 tree_path_not_found_branch = Hindi umiiral ang daanang %[1]s sa branch %[2]s
-migrate_items_pullrequests = Mga hiling sa paghila
 archive.title = Naka-archive ang repositoryong ito. Maaari mong itignan ang mga file at i-clone ito, pero hindi ka makakagawa ng anumang pagbabago sa estado ito, tulad ng pagtulak at paggawa ng mga isyu, pull request o mga komento.
 archive.title_date = Naka-archive ang repositoryo na ito noong %s. Maaari mong itignan ang mga file at i-clone ito, pero hindi ka makakagawa ng anumang pagbabago sa estado nito, tulad ng pagtulak o paggawa ng mga bagong isyu, mga pull request, o komento.
 pulls = Mga hiling sa paghila
@@ -1143,13 +1142,7 @@ form.name_pattern_not_allowed = Hindi pinapayagan ang pattern na "%s" sa pangala
 migrate_options_lfs = I-migrate ang mga LFS file
 migrate_options_lfs_endpoint.label = Endpoint ng LFS
 migrate_options_lfs_endpoint.placeholder = Kung iwanang blangko, ang endpoint ay magmumula sa clone URL
-migrate_items_milestones = Mga milestone
-migrate_items_labels = Mga label
-migrate_items_issues = Mga isyu
-migrate_items_merge_requests = Mga merge request
 migrate.clone_address = Magmigrate / Mag-clone mula sa URL
-migrate_items = Mga item sa pagmigrate
-migrate_items_releases = Mga paglabas
 migrate_repo = I-migrate ang repositoryo
 size_format = %[1]s: %[2]s, %[3]s: %[4]s
 template.git_hooks_tooltip = Kasalukuyang hindi mo mababago o matatanggal ang mga hook ng Git kapag nadagdag. Piliin lang ito kapag pinagkakatiwalaan mo ang template na repositoryo.
@@ -1157,7 +1150,6 @@ template.webhooks = Mga webhook
 template.topics = Mga paksa
 template.issue_labels = Mga label ng isyu
 template.one_item = Kailangang pumili ng kahit isang template item
-migrate_items_wiki = Wiki
 migrate.clone_local_path = o isang lokal na path ng server
 adopt_preexisting_success = Pinagtibay ang mga file at ginawa ang repositoryo mula sa %s
 delete_preexisting_success = Burahin ang mga hindi pinatibay na file sa %s
@@ -1168,12 +1160,6 @@ migrate.invalid_local_path = Hindi wasto ang lokal na path. Hindi ito umiiral o
 migrate.invalid_lfs_endpoint = Hindi wasto ang LFS endpoint.
 migrate.migrating_failed = Nabigo ang pag-migrate mula sa <b>%s</b>.
 migrate.migrating_failed_no_addr = Nabigo ang pagmigrate.
-migrate.migrating_topics = Nililipat ang mga paksa
-migrate.migrating_milestones = Nililipat ang mga milestone
-migrate.migrating_releases = Nililipat ang mga paglabas
-migrate.migrating_pulls = Nililipat ang mga pull request
-migrate.cancel_migrating_title = Kanselahin ang pag-migrate
-migrate.cancel_migrating_confirm = Gusto mo bang kanselahin ang migration na ito?
 mirror_from = mirror ng
 forked_from = na-fork mula sa
 generated_from = na-generate mula sa
@@ -1227,7 +1213,6 @@ from_comment = (komento)
 editor.add_file = Magdagdag ng file
 editor.upload_file = Mag-upload ng file
 editor.cannot_edit_lfs_files = Hindi mababago ang mga LFS file sa web interface.
-migrate.migrating_issues = Nililipat ang mga isyu
 fork_from_self = Hindi ka makaka-fork ng repositoryo na minamay-ari mo.
 broken_message = Ang Git data na pinagbabatayan sa repositoryo na ito ay hindi mabasa. Makipag-ugnayan sa tagapangasiwa ng instansya na ito o burahin ang repositoryo na ito.
 file_history = Kasaysayan
@@ -1235,7 +1220,6 @@ invisible_runes_header = `Nalalaman ng file na ito ng mga hindi nakikitang Unico
 file_too_large = Masyadong malaki ang file para ipakita.
 invisible_runes_description = `Ang file na ito ay naglalaman ng mga hindi nakikitang Unicode character na hindi nakikilala ng mga tao ngunit maaaring maproseso ng ibang paraan ng isang computer. Kung sa tingin mo ay sinasadya ito, maaari mong ligtas na hindi pansinin ang babala na ito. Gamitin ang I-escape na button para ipakita sila.`
 commit.contained_in_default_branch = Ang commit na ito ay bahagi ng default na branch
-migrate.migrating_labels = Nililipat ang mga label
 filter_branch_and_tag = I-filter ang branch o tag
 clear_ref = `Burahin ang kasalukuyang sanggunian`
 actions = Mga Aksyon
@@ -1248,12 +1232,6 @@ commits = Mga Commit
 file_permalink = Permalink
 migrate.migrating_failed.error = Nabigong magmigrate: %s
 unwatch = I-unwatch
-n_commit_one = %s commit
-n_commit_few = %s mga commit
-n_branch_one = %s branch
-n_branch_few = %s mga branch
-n_tag_one = %s tag
-n_tag_few = %s mga tag
 editor.cannot_edit_non_text_files = Hindi mababago ang mga binary file sa web interface.
 migrated_from = Na-migrate mula sa <a href="%[1]s">%[2]s</a>
 migrated_from_fake = Na-migrate mula sa %[1]s
@@ -1272,7 +1250,6 @@ unescape_control_characters = I-unescape
 invisible_runes_line = `Ang linya na ito ay may mga hindi nakikitang Unicode character`
 ambiguous_runes_line = `Ang linya na ito ay may mga hindi tiyak na Unicode character`
 tag = Tag
-migrate.migrating_git = Nililipat ang Git data
 vendored = Naka-vendor
 editor.delete = Burahin ang %s
 editor.add = Idagdag ang %s
@@ -1612,7 +1589,6 @@ issues.new.clear_assignees = I-clear ang mga mangangasiwa
 issues.new.no_assignees = Walang mga mangangasiwa
 issues.choose.invalid_config = Ang config ng isyu ay naglalaman ng mga error:
 issues.label_templates.info = Walang pang mga umiiral na label. Gumawa ng label gamit ang "Bagong label" o gumamit ng label preset:
-n_release_one = %s release
 issues.action_label = Label
 issues.action_milestone = Milestone
 issues.action_milestone_no_select = Walang milestone
@@ -1646,7 +1622,6 @@ issues.remove_project_at = `tinanggal ito mula sa <b>%s</b> na proyekto %s`
 issues.filter_label_select_no_label = Walang label
 issues.filter_sort.fewestforks = Pinakakaunting fork
 issues.add_assignee_at = `ay itinalaga ni/ng <b>%s</b> %s`
-n_release_few = %s mga release
 issues.remove_ref_at = `tinanggal ang sangguni na <b>%s</b> %s`
 issues.add_ref_at = `idinagdag ang sangguni na <b>%s</b> %s`
 issues.filter_milestone = Milestone
diff --git a/options/locale/locale_fr-FR.ini b/options/locale/locale_fr-FR.ini
index d48753763a..c513bc9ca5 100644
--- a/options/locale/locale_fr-FR.ini
+++ b/options/locale/locale_fr-FR.ini
@@ -1153,14 +1153,6 @@ migrate_options_lfs_endpoint.label=Point d'accès LFS
 migrate_options_lfs_endpoint.description=La migration va tenter d'utiliser votre dépôt Git distant pour <a target="_blank" rel="noopener noreferrer" href="%s">déterminer le serveur LFS</a>. Vous pouvez également spécifier un point d'accès personnalisé si les données LFS du dépôt sont stockées ailleurs.
 migrate_options_lfs_endpoint.description.local=Un chemin de serveur local est également pris en charge.
 migrate_options_lfs_endpoint.placeholder=Si laissé vide, le point de terminaison sera dérivé de l'URL du clone
-migrate_items=Éléments à migrer
-migrate_items_wiki=Wiki
-migrate_items_milestones=Jalons
-migrate_items_labels=Labels
-migrate_items_issues=Tickets
-migrate_items_pullrequests=Demandes d'ajout
-migrate_items_merge_requests=Demandes de fusion
-migrate_items_releases=Publications
 migrate_repo=Migrer le dépôt
 migrate.clone_address=Migrer/Cloner depuis une URL
 migrate.clone_address_desc=L'URL HTTP(S) ou Git "clone" d'un dépôt existant
@@ -1179,16 +1171,6 @@ migrate.migrating=Migration de <b>%s</b> …
 migrate.migrating_failed=La migration de <b>%s</b> a échoué.
 migrate.migrating_failed.error=Échec de la migration : %s
 migrate.migrating_failed_no_addr=Échec de la migration.
-migrate.migrating_git=Migration des données Git
-migrate.migrating_topics=Migration des sujets
-migrate.migrating_milestones=Migration des jalons
-migrate.migrating_labels=Migration des labels
-migrate.migrating_releases=Migration des publications
-migrate.migrating_issues=Migration des tickets
-migrate.migrating_pulls=Migration des demandes d'ajout
-migrate.cancel_migrating_title=Annuler la migration
-migrate.cancel_migrating_confirm=Voulez-vous abandonner cette migration ?
-
 mirror_from=miroir de
 forked_from=bifurqué depuis
 generated_from=généré depuis
@@ -2639,16 +2621,10 @@ file_follow = Suivre le lien symbolique
 settings.confirmation_string = Chaine de confirmation
 pulls.agit_explanation = Créé par le workflow AGit. AGit permet aux contributeurs de proposer des modifications en utilisant "git push" sans créer une bifurcation ou une nouvelle branche.
 stars = Étoiles
-n_tag_few = %s étiquettes
 editor.commit_id_not_matching = Le fichier a été modifié pendant que vous l'éditiez. Appliquez les modifications à une nouvelle branche puis procédez à la fusion.
 commits.search_branch = Cette branche
 open_with_editor = Ouvrir avec %s
 pulls.ready_for_review = Prêt à être évalué ?
-n_commit_one = %s commit
-n_commit_few = %s commits
-n_branch_one = %s branch
-n_branch_few = %s branches
-n_tag_one = %s étiquettes
 editor.push_out_of_date = Le push semble obsolète.
 issues.num_participants_one = %d participant
 issues.archived_label_description = (Archivé) %s
@@ -2679,8 +2655,6 @@ settings.federation_settings = Paramètres de féderation
 project = Projets
 subscribe.issue.guest.tooltip = Authentifiez vous pour vous abonner à ce ticket.
 subscribe.pull.guest.tooltip = Authentifiez vous pour suivre cette demande d'ajout.
-n_release_one = %s publication
-n_release_few = %s publications
 issues.author.tooltip.pr = Cet utilisateur est l'auteur de cette pull request.
 issues.author.tooltip.issue = Cet utilisateur est l'auteur de ce ticket.
 issues.edit.already_changed = Impossible de sauvegarder les changements du ticket car son contenu a déjà été modifié par un autre utilisateur. Veuillez recharger la page et essayer de l'éditer à nouveau pour éviter d'écraser ses changements
diff --git a/options/locale/locale_ga-IE.ini b/options/locale/locale_ga-IE.ini
index 27e61dd0ac..9f72c9b2f6 100644
--- a/options/locale/locale_ga-IE.ini
+++ b/options/locale/locale_ga-IE.ini
@@ -895,14 +895,6 @@ migrate_options_lfs_endpoint.label = Críochphointe LFS
 migrate_options_lfs_endpoint.description = Déanfaidh imirce iarracht do chianda Git a úsáid chun <a target="_blank" rel="noopener noreferrer" href="%s">freastalaí LFS a chinneadh</a>. Is féidir leat críochphointe saincheaptha a shonrú freisin má tá na sonraí LFS stórtha stóráilte áit éigin eile.
 migrate_options_lfs_endpoint.description.local = Tacaítear le cosán freastalaí áitiúil freisin.
 migrate_options_lfs_endpoint.placeholder = Má fhágtar bán, díorthófar an críochphointe ón URL clóin
-migrate_items = Míreanna Imirce
-migrate_items_wiki = Wiki
-migrate_items_milestones = Clocha míle
-migrate_items_labels = Lipéid
-migrate_items_issues = Saincheisteanna
-migrate_items_pullrequests = Iarrataí Tarraing
-migrate_items_merge_requests = Iarrataí Cumaisc
-migrate_items_releases = Eisiúintí
 migrate_repo = Stóras Imirc
 migrate.clone_address = Aimirce/ Clón Ó URL
 migrate.github_token_desc = Is féidir leat comhartha amháin nó níos mó a chur le camóg scartha anseo chun imirce a dhéanamh níos gasta mar gheall ar theorainn ráta API GitHub. RABHADH: D'fhéadfadh mí-úsáid na ngné seo beartas an sholáthraí seirbhíse a shárú agus blocáil cuntais a bheith mar thoradh air.
@@ -919,15 +911,6 @@ migrate.migrating = Ag aistriú ó <b>%s</b> ...
 migrate.migrating_failed = Theip ar aistriú ó <b>%s</b>.
 migrate.migrating_failed.error = Theip ar aistriú: %s
 migrate.migrating_failed_no_addr = Theip ar an imirce.
-migrate.migrating_git = Sonraí Git a Aimirce
-migrate.migrating_topics = Ábhair Imirce
-migrate.migrating_milestones = Clocha Míle a Imirce
-migrate.migrating_labels = Lipéid Imirce
-migrate.migrating_releases = Eisiúintí Imirce
-migrate.migrating_issues = Saincheisteanna Imirce
-migrate.migrating_pulls = Iarratais Tarraingthe á n-Imirce
-migrate.cancel_migrating_title = Cealaigh Imirce
-migrate.cancel_migrating_confirm = Ar mhaith leat an imirce seo a chealú?
 mirror_from = scáthán de
 forked_from = forcailte ó
 generated_from = a ghintear ó
diff --git a/options/locale/locale_he.ini b/options/locale/locale_he.ini
index 047e4d7bd6..b176332689 100644
--- a/options/locale/locale_he.ini
+++ b/options/locale/locale_he.ini
@@ -520,7 +520,7 @@ remove_account_link_success = החשבון המקושר הוסר.
 
 [repo]
 new_advanced = הגדרות מתקדמות
-new_advanced_expand =
+new_advanced_expand = 
 owner = בעלים
 repo_name = שם הקרפיף
 repo_name_helper = שמות קרפיפים טובים הם זכירים, קצרים וייחודיים.
@@ -571,9 +571,6 @@ desc.archived = בארכיון
 archive.pull.noreview = קרפיף זה בארכיון. אי אפשר לבקר בקשות מיזוג.
 form.reach_limit_of_creation_n = החשבון של הבעלים כבר הגיע לכמות הקרפיפים המקסימלית (%s).
 form.name_reserved = שם הקרפיף "%s" שמור.
-migrate_items_wiki = ויקי
-migrate_items_issues = סוגיות
-migrate_items_pullrequests = בקשות מיזוג
 migrate.clone_address = ייבוא \ שכפול מ־URL
 migrated_from = יובא מ‏־<a href="%[1]s">%[2]s</a>
 migrated_from_fake = יובא מ־%[1]s
@@ -582,8 +579,6 @@ migrate.migrating = פורג'ו בתהליכי יבוא מ־<b>%s</b>...
 migrate.migrating_failed = היבוא מ<b>%s</b> נכשל.
 migrate.migrating_failed.error = הייבוא נכשל: %s
 migrate.migrating_failed_no_addr = הייבוא נכשל.
-migrate.migrating_topics = ייבוא נושאים
-migrate.migrating_milestones = ייבוא אבני דרך
 editor.delete_this_file = מחיקת קובץ
 editor.name_your_file = שם הקובץ…
 editor.or = או
@@ -600,8 +595,6 @@ default_branch = ענף ברירת המחדל
 migrate_options_mirror_helper = קרפיף זה יהיה מראה
 migrate_options_lfs = ייבוא אחסון קבצים גדולים (LFS)
 migrate_options = אפשרויות ייבוא
-migrate.migrating_labels = ייבוא תוויות
-migrate.migrating_releases = ייבוא גרסאות
 editor.file_delete_success = הקובץ "%s" נמחק.
 editor.commit_message_desc = תיאור ארוך לא חובה…
 already_forked = כבר מזלגת את %s
@@ -631,7 +624,6 @@ template.topics = נושאים
 stars_remove_warning = פעולה זו תסיר מהקרפיף את כל הכוכבים.
 owner_helper = ארגונים שכבר יצרו את כמות הקרפיפים המקסימלית לא מוצגים בתפריט.
 fork_to_different_account = מזלוג לחשבון אחר
-migrate_items_releases = גרסאות
 migrate.permission_denied = אין לך הרשאה לייבא קרפיפים מהשרת הנוכחי.
 fork_repo = מזלוג
 watchers = מנויים
@@ -642,14 +634,11 @@ archive.title_date = קרפיך זה בארכיון כבר %s. אפשר לצפו
 form.name_pattern_not_allowed = התבנית "%s" לא חוקית בתוך שם של קרפיף.
 mirror_use_ssh.helper = פורג'ו ישקף את הקרפיף דרך התמיכה המובנית של גיט ב־SSH, ויצור בשבילך זוג מפתחות אוטומטית. באחריותך לוודא שלמפתח הציבורי שיווצר יהיה גישה לקרפיף היעד. אי אפשר להשתמש בכניסה על־בסיס סיסמה עם אפשרות זו.
 mirror_lfs = אחסון קבצים גדולים (LFS)
-migrate_items_labels = תוויות
 migrate_repo = ייבוא קרפיף
 transfer.no_permission_to_accept = אין לך הרשאה לאשר את העברת הקרפיף הזו.
 form.string_too_long = הטקסט הנתון ארוך מ־%d תווים.
-migrate_items_milestones = אבני דרך
 migrate.failed = הייבוא נכשל: %v
 migrate.migrate_items_options = פורג'ו צריך קוד גישה כדי לייבא מידע נוסף
-migrate.migrating_git = ייבוא הקרפיף עצמו
 editor.filename_help = אפשר להפריד בין תיקיות עם סלאשים, ו"למחוק" תיקיות עם backspace, כאילו זוהי תיבת טקסט רגילה.
 editor.filename_is_a_directory = אי אפשר לקרוא לקובץ "%s"; כבר קיימת תיקייה תחת אותו שם.
 editor.file_editing_no_longer_exists = הקובץ הנערך שהיה ידוע כ־"%s" לא קיים יותר בקרפיף זה.
diff --git a/options/locale/locale_hu-HU.ini b/options/locale/locale_hu-HU.ini
index 6810f20c1e..481159fd3c 100644
--- a/options/locale/locale_hu-HU.ini
+++ b/options/locale/locale_hu-HU.ini
@@ -685,12 +685,6 @@ template.issue_labels=Hibajegy címkék
 template.one_item=Legalább egy sablonelemet ki kell választani
 template.invalid=Ki kell választani egy sablon tárolót
 
-migrate_items_wiki=Wiki
-migrate_items_milestones=Mérföldkövek
-migrate_items_labels=Címkék
-migrate_items_issues=Hibajegyek
-migrate_items_pullrequests=Pull request-ek
-migrate_items_releases=Kiadások
 migrate_repo=Tároló migrációja
 migrate.clone_address=Migráció / Másolás URL-ről
 migrate.clone_address_desc=HTTP(S) vagy Git URL-e egy már létező tárolónak
diff --git a/options/locale/locale_id-ID.ini b/options/locale/locale_id-ID.ini
index 18ec4df928..297f110135 100644
--- a/options/locale/locale_id-ID.ini
+++ b/options/locale/locale_id-ID.ini
@@ -587,12 +587,6 @@ template.topics=Topik
 template.avatar=Avatar
 template.issue_labels=Label Masalah
 
-migrate_items=Ihwal Migrasi
-migrate_items_wiki=Wiki
-migrate_items_milestones=Tonggak
-migrate_items_issues=Masalah
-migrate_items_pullrequests=Tarik Permintaan
-migrate_items_releases=Rilis
 migrate_repo=Migrasi Repositori
 migrate.permission_denied=Anda tidak diizinkan untuk mengimpor repositori lokal.
 migrate.failed=Migrasi gagal: %v
diff --git a/options/locale/locale_is-IS.ini b/options/locale/locale_is-IS.ini
index 41d35e2738..805024281b 100644
--- a/options/locale/locale_is-IS.ini
+++ b/options/locale/locale_is-IS.ini
@@ -590,17 +590,8 @@ template.issue_labels=Vandamálslýsingar
 
 migrate_options_lfs=Flytja LFS skrár
 migrate_options_lfs_endpoint.label=LFS Endapunktur
-migrate_items_wiki=Handbók
-migrate_items_milestones=Tímamót
-migrate_items_labels=Skýringar
-migrate_items_issues=Vandamál
-migrate_items_pullrequests=Sameiningarbeiðnir
-migrate_items_merge_requests=Sameiningarbeiðnir
-migrate_items_releases=Útgáfur
 migrate_repo=Flytja Hugbúnaðarsafn
 migrate.migrate=Flytja Frá %s
-migrate.migrating_labels=Að færa Lýsingar
-
 mirror_from=speglun af
 forked_from=tvískipt frá
 generated_from=myndað frá
diff --git a/options/locale/locale_it-IT.ini b/options/locale/locale_it-IT.ini
index 2869750807..3eb67a2f59 100644
--- a/options/locale/locale_it-IT.ini
+++ b/options/locale/locale_it-IT.ini
@@ -1132,14 +1132,6 @@ migrate_options_lfs=Migra file LFS
 migrate_options_lfs_endpoint.label=Punto d'accesso LFS
 migrate_options_lfs_endpoint.description=La migrazione tenterà di utilizzare il tuo Git remote per <a target="_blank" rel="noopener noreferrer" href="%s">determinare il server LFS</a>. È inoltre possibile specificare un endpoint personalizzato se il repositorio dati LFS è memorizzato da qualche altra parte.
 migrate_options_lfs_endpoint.description.local=È supportato anche un percorso server locale.
-migrate_items=Elementi di migrazione
-migrate_items_wiki=Wiki
-migrate_items_milestones=Traguardi
-migrate_items_labels=Etichette
-migrate_items_issues=Segnalazioni
-migrate_items_pullrequests=Richieste di modifica
-migrate_items_merge_requests=Richieste di fusione
-migrate_items_releases=Rilasci
 migrate_repo=Migra repositorio
 migrate.clone_address=Migra / Clona da URL
 migrate.clone_address_desc=URL HTTP(S) o Git "clone" di un repositorio esistente
@@ -1156,14 +1148,6 @@ migrate.migrate=Migra da %s
 migrate.migrating=Migrazione da <b>%s</b>...
 migrate.migrating_failed=Migrazione da <b>%s</b> fallita.
 migrate.migrating_failed_no_addr=Migrazione non riuscita.
-migrate.migrating_git=Migrazione dei dati Git
-migrate.migrating_topics=Migrazione degli argomenti
-migrate.migrating_milestones=Migrazione dei traguardi
-migrate.migrating_labels=Migrazione delle etichette
-migrate.migrating_releases=Migrazione dei rilasci
-migrate.migrating_issues=Migrazione delle segnalazioni
-migrate.migrating_pulls=Migrazione delle richieste di modifica
-
 mirror_from=mirror da
 forked_from=derivato da
 generated_from=generato da
@@ -2316,7 +2300,6 @@ pulls.cmd_instruction_merge_title = Merge
 pulls.cmd_instruction_checkout_desc = Dalla tua repository del progetto, accedi a un nuovo ramo e prova le modifiche.
 milestones.new_subheader = I traguardi possono aiutarti ad organizzare le segnalazioni e a tracciarne i progressi.
 activity.navbar.contributors = Contributori
-migrate.cancel_migrating_title = Annulla migrazione
 more_operations = Ulteriori operazioni
 actions = Azioni
 commit.operations = Operazioni
@@ -2526,7 +2509,6 @@ tree_path_not_found.tag = Il percorso %[1]s non esiste nel tag %[2]s
 transfer.no_permission_to_accept = Non hai i permessi per accettare questo trasferimento.
 transfer.no_permission_to_reject = Non hai i permessi per rifiutare questo trasferimento.
 migrate_options_lfs_endpoint.placeholder = Se lasciato vuoto il punto di accesso sarà derivato dall'URL usato per clonare
-migrate.cancel_migrating_confirm = Vuoi annullare questa migrazione?
 editor.filename_is_invalid = Nome file invalido: "%s".
 editor.unable_to_upload_files = Impossibile caricare i file su "%s" con errore: %v
 projects.create_success = Il progetto "%s" è stato creato.
@@ -2645,9 +2627,6 @@ settings.event_pull_request_review_request_desc = Richiesta la revisione della r
 stars = Stelle
 issues.num_participants_one = %d partecipante
 open_with_editor = Apri con %s
-n_commit_few = %s commit
-n_branch_one = %s ramo
-n_tag_few = %s etichette
 settings.web_hook_name_sourcehut_builds = Build SourceHut
 settings.sourcehut_builds.manifest_path = Percorso manifest della build
 settings.sourcehut_builds.visibility = Visibilità attività
@@ -2658,13 +2637,10 @@ editor.push_out_of_date = Il push sembra essere obsoleto.
 issues.archived_label_description = (Archiviato) %s
 settings.sourcehut_builds.secrets_helper = Fornisci l'accesso ai segreti della build all'incarico (richiede il permesso SECRETS:RO)
 settings.add_webhook.invalid_path = Il percorso non deve contenere dei componenti quali ".", "..", o una stringa vuota. Non può iniziare o finire con uno slash.
-n_commit_one = %s commit
 settings.enforce_on_admins = Imponi questa regola agli amministratori del repository
 release.system_generated = Questo allegato è stato generato automaticamente.
 pulls.ready_for_review = Pronto alla revisione?
 editor.commit_id_not_matching = L'ID del commit non combacia con quello del commit che stavi modificando. Conferma le tue modifiche su un nuovo ramo, poi fondilo col ramo desiderato.
-n_branch_few = %s rami
-n_tag_one = %s etichetta
 commits.search_branch = Questo ramo
 settings.rename_branch_failed_protected = Non è possibile rinominare il ramo %s perché è un ramo protetto.
 settings.event_pull_request_enforcement = Imposizione
@@ -2678,8 +2654,6 @@ project = Progetti
 issues.edit.already_changed = Impossibile salvare le modifiche alla segnalazione. Sembra che il contenuto sia già stato modificato da un*altrə utente. Aggiornare la pagina e provare a modificare nuovamente per evitare di sovrascrivere le modifiche
 subscribe.pull.guest.tooltip = Accedi per iscriverti a questa richiesta di modifica.
 subscribe.issue.guest.tooltip = Accedere per seguire questa segnalazione.
-n_release_one = %s rilascio
-n_release_few = %s rilasci
 issues.author.tooltip.pr = Quest'utente è l'autorə di questa richiesta di modifica.
 release.hide_archive_links = Nascondi automaticamente gli archivi generati
 settings.federation_settings = Impostazioni di federazione
diff --git a/options/locale/locale_ja-JP.ini b/options/locale/locale_ja-JP.ini
index 89da29c8a4..5a1acddeef 100644
--- a/options/locale/locale_ja-JP.ini
+++ b/options/locale/locale_ja-JP.ini
@@ -1149,14 +1149,6 @@ migrate_options_lfs_endpoint.label=LFS エンドポイント
 migrate_options_lfs_endpoint.description=マイグレーションでは、リモート側のGitをもとに<a target="_blank" rel="noopener noreferrer" href="%s">LFSサーバーを決定</a>しようとします。 リポジトリのLFSデータがほかの場所に保存されている場合は、独自のエンドポイントを指定することができます。
 migrate_options_lfs_endpoint.description.local=ローカルサーバーのパスもサポートされています。
 migrate_options_lfs_endpoint.placeholder=空にするとエンドポイントはクローン URL から決定されます
-migrate_items=移行する項目
-migrate_items_wiki=Wiki
-migrate_items_milestones=マイルストーン
-migrate_items_labels=ラベル
-migrate_items_issues=イシュー
-migrate_items_pullrequests=プルリクエスト
-migrate_items_merge_requests=マージリクエスト
-migrate_items_releases=リリース
 migrate_repo=リポジトリを移行
 migrate.clone_address=移行 / クローンするURL
 migrate.clone_address_desc=既存リポジトリの、HTTP(S)またはGit形式のクローンURL
@@ -1175,16 +1167,6 @@ migrate.migrating=<b>%s</b> から移行しています …
 migrate.migrating_failed=<b>%s</b> からの移行が失敗しました。
 migrate.migrating_failed.error=移行に失敗しました: %s
 migrate.migrating_failed_no_addr=移行に失敗しました。
-migrate.migrating_git=Gitデータ移行中
-migrate.migrating_topics=トピック移行中
-migrate.migrating_milestones=マイルストーン移行中
-migrate.migrating_labels=ラベル移行中
-migrate.migrating_releases=リリース移行中
-migrate.migrating_issues=イシュー移行中
-migrate.migrating_pulls=プルリクエスト移行中
-migrate.cancel_migrating_title=移行のキャンセル
-migrate.cancel_migrating_confirm=この移行をキャンセルしますか？
-
 mirror_from=ミラー元
 forked_from=フォーク元
 generated_from=generated from
@@ -2624,9 +2606,7 @@ settings.wiki_globally_editable = 誰でもWikiを編集できる様にする
 settings.confirmation_string = 確認
 settings.wiki_rename_branch_main_notices_1 = この操作は 取り消し<strong>できません</strong> 。
 stars = スター
-n_tag_few = %s のタグ
 settings.graphql_url = GraphQL URL
-n_branch_one = %s のブランチ
 settings.units.units = 機能設定
 settings.wiki_rename_branch_main_notices_2 = これにより、%s のリポジトリ wiki の内部ブランチの名前が永久に変更されます。既存のチェックアウトを更新する必要があります。
 settings.sourcehut_builds.access_token_helper = JOBS:RW 権限を持つアクセス トークン。meta.sr.ht で <a target="_blank" rel="noopener noreferrer" href="%s">builds.sr.ht トークン</a> または <a target="_blank" rel="noopener noreferrer" href="%s">シークレット アクセスを持つ builds.sr.ht トークン</a> を生成します。
@@ -2638,9 +2618,6 @@ open_with_editor = %s で開く
 release.system_generated = この添付ファイルは自動的に生成されます。
 settings.archive.mirrors_unavailable = リポジトリがアーカイブされている場合、ミラーは利用できません。
 settings.rename_branch_failed_protected = 保護されたブランチのため、ブランチ %s の名前を変更できません。
-n_tag_one = %s のタグ
-n_branch_few = %s のブランチ
-n_commit_few = %s のコミット
 settings.confirm_wiki_branch_rename = Wikiブランチの名前を変更する
 settings.add_collaborator_blocked_our = リポジトリ所有者が共同作業者をブロックしているため、共同作業者を追加できません。
 settings.sourcehut_builds.visibility = ジョブの可視性
@@ -2648,7 +2625,6 @@ settings.sourcehut_builds.secrets = シークレット
 settings.ignore_stale_approvals_desc = 古いコミット (古いレビュー) に対して行われた承認を、PR の承認数にカウントしないでください。古いレビューがすでに却下されている場合は関係ありません。
 settings.enforce_on_admins_desc = リポジトリ管理者はこのルールを回避できません。
 release.hide_archive_links = 自動生成されたアーカイブを非表示にする
-n_commit_one = %s のコミット
 settings.wiki_branch_rename_success = リポジトリ wiki のブランチ名が正常に正規化されました。
 settings.add_collaborator_blocked_them = リポジトリ所有者がブロックされているため、共同作業者を追加できません。
 settings.add_webhook.invalid_path = パスには「.」や「..」や空の文字列を含めることはできません。また、スラッシュで開始または終了することはできません。
@@ -2683,8 +2659,6 @@ issues.edit.already_changed = イシューの変更を保存できません。
 no_eol.text = EOLなし
 pulls.edit.already_changed = プルリクエストの変更を保存できません。コンテンツは既に別のユーザーによって変更されているようです。変更が上書きされないように、ページを更新して再度編集してください
 pulls.cmd_instruction_merge_warning = <b>警告:</b> このリポジトリでは「手動マージの自動検出」設定が有効になっていません。後でこのプル リクエストを手動でマージ済みとしてマークする必要があります。
-n_release_one = %s リリース
-n_release_few = %s リリース
 milestones.filter_sort.name = 名前
 mirror_use_ssh.not_available = SSH認証は利用できません。
 mirror_denied_combination = 公開鍵とパスワードベースの認証を組み合わせて使用することはできません。
diff --git a/options/locale/locale_ka.ini b/options/locale/locale_ka.ini
index 8e47c125b8..f5dff16977 100644
--- a/options/locale/locale_ka.ini
+++ b/options/locale/locale_ka.ini
@@ -285,10 +285,6 @@ template.webhooks = ვებჰუკები
 template.topics = თემები
 template.avatar = ავატარი
 need_auth = ავტორიზაცია
-migrate_items_wiki = ვიკი
-migrate_items_labels = ჭდეები
-migrate_items_issues = პრობლემები
-migrate_items_releases = რელიზები
 star = ვარსკვლავი
 unstar = ვარსკვლავის მოხსნა
 fork = ფორკი
@@ -579,7 +575,6 @@ diff.vendored = გარედან შემოტანილია
 release.edit = ჩასწორება
 release.type_attachment = მიმაგრებული ფაილი
 topic.done = დასრულება
-migrate_items_milestones = მისაღწევი გეგმები
 issues.subscribe = გამოწერა
 issues.review.outdated = ვადაგადაცილებული
 activity.merged_prs_label = შერწყმულია
diff --git a/options/locale/locale_kab.ini b/options/locale/locale_kab.ini
index 605a69e2dc..795ecd2a6b 100644
--- a/options/locale/locale_kab.ini
+++ b/options/locale/locale_kab.ini
@@ -138,8 +138,6 @@ desc.sha256 = SHA256
 template.topics = Isental
 template.avatar = Avaṭar
 sync_fork.button = Mtawi
-migrate_items_wiki = Wiki
-migrate_items_labels = Tibzimin
 tags = Tibzimin
 project = Isenfaren
 packages = Ikemmusen
@@ -167,7 +165,6 @@ projects.title = Azwel
 projects.type.none = Ula yiwen
 projects.template.desc = Tamudemt
 mirror_sync = yemtawa
-migrate_items_issues = Uguren
 star = Rnu-yas itri
 branches = Tiṣeḍwa
 issues = Uguren
diff --git a/options/locale/locale_ko-KR.ini b/options/locale/locale_ko-KR.ini
index 5409c84818..7a45572463 100644
--- a/options/locale/locale_ko-KR.ini
+++ b/options/locale/locale_ko-KR.ini
@@ -387,7 +387,7 @@ allow_password_change=사용자에게 비밀번호 변경을 요청 (권장됨)
 reset_password_mail_sent_prompt=확인 메일이 <b>%s</b>로 전송되었습니다. 받은 편지함으로 도착한 메일을 %s 안에 확인해서 비밀번호 찾기 절차를 완료하십시오.
 active_your_account=계정 활성화
 account_activated=계정이 활성화 되었습니다
-prohibit_login =
+prohibit_login = 
 resent_limit_prompt=활성화를 위한 이메일을 이미 전송했습니다. 3분 내로 이메일을 받지 못한 경우 재시도해주세요.
 has_unconfirmed_mail=안녕하세요 %s, 이메일 주소(<b>%s</b>)가 확인되지 않았습니다. 확인 메일을 받으시지 못하겼거나 새로운 확인 메일이 필요하다면, 아래 버튼을 클릭해 재발송하실 수 있습니다.
 resend_mail=여기를 눌러 확인 메일 재전송
@@ -752,11 +752,6 @@ template.avatar=아바타
 
 
 
-migrate_items_wiki=위키
-migrate_items_milestones=마일스톤
-migrate_items_issues=이슈
-migrate_items_pullrequests=풀 리퀘스트
-migrate_items_releases=릴리즈
 migrate_repo=저장소 마이그레이션
 migrate.clone_address=URL로 부터 마이그레이트 / 클론
 migrate.clone_local_path=또는 로컬 서버의 경로
diff --git a/options/locale/locale_lv-LV.ini b/options/locale/locale_lv-LV.ini
index 4ffc1d37a7..6531335974 100644
--- a/options/locale/locale_lv-LV.ini
+++ b/options/locale/locale_lv-LV.ini
@@ -1155,14 +1155,6 @@ migrate_options_lfs_endpoint.label=LFS galapunkts
 migrate_options_lfs_endpoint.description=Pārcelšana mēģinās izmantot attālo Git, lai <a target="_blank" rel="noopener noreferrer" href="%s">noteiktu LFS serveri</a>. Var arī norādīt pielāgotu galapunktu, ja glabātavas LFS dati tiek glabāti kaut kur citur.
 migrate_options_lfs_endpoint.description.local=Iespējams norādīt arī servera ceļu.
 migrate_options_lfs_endpoint.placeholder=Ja nav norādīts, galamērķis tiks atvasināts no klonēšanas URL
-migrate_items=Pārcelšanas vienumi
-migrate_items_wiki=Vikivietni
-migrate_items_milestones=Atskaites punktus
-migrate_items_labels=Iezīmes
-migrate_items_issues=Pieteikumi
-migrate_items_pullrequests=Izmaiņu pieprasījumus
-migrate_items_merge_requests=Iekļaušanas pieprasījumi
-migrate_items_releases=Laidienus
 migrate_repo=Pārcelt glabātavu
 migrate.clone_address=Pārcelt/klonēt no URL
 migrate.clone_address_desc=Esošas glabātavas HTTP(S) vai Git "clone" URL
@@ -1181,16 +1173,6 @@ migrate.migrating=Pārceļ no <b>%s</b> …
 migrate.migrating_failed=Pārcelšana no <b>%s</b> neizdevās.
 migrate.migrating_failed.error=Neizdevās pārcelt: %s
 migrate.migrating_failed_no_addr=Pārcelšana neizdevās.
-migrate.migrating_git=Pārceļ Git datus
-migrate.migrating_topics=Pārceļ tēmas
-migrate.migrating_milestones=Pārceļ atskaites punktus
-migrate.migrating_labels=Pārceļ iezīmes
-migrate.migrating_releases=Pārceļ laidienus
-migrate.migrating_issues=Pārnes pieteikumus
-migrate.migrating_pulls=Pārceļ izmaiņu pieprasījumus
-migrate.cancel_migrating_title=Atcelt pārcelšanu
-migrate.cancel_migrating_confirm=Vai atcelt šo pārcelšanu?
-
 mirror_from=spoguļota no
 forked_from=atzarota no
 generated_from=izveidots no
@@ -2591,14 +2573,11 @@ find_file.no_matching=Netika atrasta neviena atbilstoša datne
 error.csv.too_large=Nevar atveidot šo datni, jo tā ir pārāk liela.
 error.csv.unexpected=Nevar atveidot šo datni, jo tā satur neparedzētu rakstzīmi %d. rindas %d. slejā.
 error.csv.invalid_field_count=Nevar atveidot šo datni, jo tā satur nepareizu lauku skaitu %d. rindā.
-n_release_one = %s laidiens
-n_release_few = %s laidieni
 issues.new.assign_to_me = Piešķirt man
 admin.flags_replaced = Glabātavas karogi aizvietoti
 admin.failed_to_replace_flags = Neizdevās aizvietot glabātavas karogus
 admin.manage_flags = Pārvaldīt karogus
 admin.enabled_flags = Glabātavā iespējotie karogi:
-n_commit_one = %s iesūtījums
 editor.push_out_of_date = Aizgādājums izskatās novecojis.
 file_follow = Sekot simboliskajai saitei
 stars = Zvaigznes
@@ -2612,16 +2591,11 @@ generated = Izveidota
 commits.search_branch = Šis zars
 editor.commit_id_not_matching = Datne labošanas laikā tika izmainīta. Jāiesūta jaunā zarā, tad jāapvieno.
 object_format = Objektu veidols
-n_tag_one = %s birka
-n_tag_few = %s birkas
-n_branch_few = %s zari
-n_branch_one = %s zars
 object_format_helper = Glabātavas objektu veidols. Vēlak to nevarēs mainīt. SHA1 ir vissaderīgākais.
 commits.renamed_from = Pārdēvēts no %s
 rss.must_be_on_branch = Jāatrodas zarā, lai iegūtu RSS barotni.
 admin.update_flags = Atjaunināt karogus
 open_with_editor = Atvērt ar %s
-n_commit_few = %s iesūtījumi
 no_eol.text = Nav EOL
 size_format = %[1]s: %[2]s; %[3]s: %[4]s
 mirror_public_key = Publiskā SSH atslēga
diff --git a/options/locale/locale_ml-IN.ini b/options/locale/locale_ml-IN.ini
index f7eb04495e..e68ec7e99e 100644
--- a/options/locale/locale_ml-IN.ini
+++ b/options/locale/locale_ml-IN.ini
@@ -525,13 +525,6 @@ archive.title=ഈ കലവറ ചരിത്രരേഖാപരമായി
 form.name_reserved='%s' എന്ന കലവറയുടെ പേരു് മറ്റാവശ്യങ്ങള്‍ക്കായി നീക്കിവച്ചിരിക്കുന്നു.
 form.name_pattern_not_allowed=കലവറനാമത്തിൽ '%s' എന്ന ശ്രേണി അനുവദനീയമല്ല.
 
-migrate_items=മൈഗ്രേഷൻ ഇനങ്ങൾ
-migrate_items_wiki=വിക്കി
-migrate_items_milestones=നാഴികക്കല്ലുകള്‍
-migrate_items_labels=ലേബലുകള്‍
-migrate_items_issues=പ്രശ്നങ്ങൾ
-migrate_items_pullrequests=ലയന അഭ്യർത്ഥനകൾ
-migrate_items_releases=പ്രസിദ്ധീകരണങ്ങള്‍
 migrate_repo=കലവറ മൈഗ്രേറ്റ് ചെയ്യുക
 migrate.clone_address=URL- ൽ നിന്ന് മൈഗ്രേറ്റ് / ക്ലോൺ ചെയ്യുക
 migrate.clone_address_desc=നിലവിലുള്ള ഒരു കലവറയുടെ HTTP(S) അല്ലെങ്കിൽ ഗിറ്റു് 'ക്ലോൺ' URL
diff --git a/options/locale/locale_nb_NO.ini b/options/locale/locale_nb_NO.ini
index 692a70e350..268302b1e7 100644
--- a/options/locale/locale_nb_NO.ini
+++ b/options/locale/locale_nb_NO.ini
@@ -454,7 +454,6 @@ relevant_repositories_tooltip = Depoter som er en forgrening eller har ingen tem
 relevant_repositories = Kun relevante depoter er vist, <a href="%s">vis ufiltrerte resultater</a>.
 
 [repo]
-migrate_items_releases = Utgivelser
 releases = Utgivelser
 n_release_few = %s utgivelser
 activity.title.releases_1 = %d utgivelse
diff --git a/options/locale/locale_nds.ini b/options/locale/locale_nds.ini
index 6825b38fe9..358ad5dc6a 100644
--- a/options/locale/locale_nds.ini
+++ b/options/locale/locale_nds.ini
@@ -980,11 +980,6 @@ template.one_item = Tominnst een Vörlaag-Ding mutt utköört worden
 template.invalid = Een Vörlaag-Repositorium mutt utköört worden
 migrate_options_lfs_endpoint.label = LFS-Ennpunkt
 migrate_options_lfs_endpoint.placeholder = Wenn leeg laten, word de Ennpunkt vun de Kloon-URL avleit
-migrate_items = Umtreck-Dingen
-migrate_items_wiki = Wiki
-migrate_items_milestones = Markstenen
-migrate_items_pullrequests = Haalvörslagen
-migrate_items_releases = Publizerens
 migrate_repo = Repositorium umtrecken
 migrate.clone_address = Umtrecken / Klonen vun URL
 migrate.failed = Umtreck fehlslagen: %v
@@ -992,12 +987,6 @@ migrate.migrate_items_options = Togang-Teken is nödig, um mehr Dingen umtotreck
 migrated_from = Vun <a href="%[1]s">%[2]s</a> umtrucken
 migrate.migrate = Vun %s umtrecken
 migrate.migrating = Treckt vun <b>%s</b> um …
-migrate.migrating_git = Git-Daten worden umtrucken
-migrate.migrating_topics = Themen worden umtrucken
-migrate.migrating_labels = Vermarkens worden umtrucken
-migrate.migrating_releases = Publizerens worden umtrucken
-migrate.migrating_issues = Gefallens worden umtrucken
-migrate.cancel_migrating_title = Umtreck ofbreken
 mirror_from = Spegel vun
 forked_from = gabelt vun
 fork_from_self = Du kannst dien eegen Repositorium nich gabeln.
@@ -1027,7 +1016,6 @@ mirror_password_help = Änner de Brukernaam, um een sekert Passwoord to lösken.
 author_search_tooltip = Wiest bit to 30 Brukers
 transfer.reject_desc = Överdragen to »%s« ofbreken
 migrate_options_lfs = LFS-Dateien umtrecken
-migrate_items_labels = Vermarkens
 migrate.clone_address_desc = De HTTP(S) of Git »clone« URL vun eenem bestahn Repositorium
 migrate.invalid_local_path = De stedenwies Padd is ungültig. ’t gifft dat nich of dat is keen Verteeknis.
 fork_guest_user = Mell di an, um deeses Repositorium to gabeln.
@@ -1050,13 +1038,11 @@ archive.title_date = Deeses Repositorium is am %s archiveert worden. Du kannst d
 form.reach_limit_of_creation_1 = De Eegner is al bi de Grenz vun %d Repositorium.
 form.name_reserved = De Repositoriums-Naam »%s« is vörbehollen.
 form.string_too_long = De angeven Text is langer as %d Bookstavens.
-migrate_items_issues = Gefallens
 template.items = Vörlaag-Dingen
 template.git_hooks_tooltip = Du kannst jüüst keene Git-Hakens bewarken of lösken, nadeem se hentoföögt sünd. Köör dat blots ut, wenn du de Vörlaag-Repositorium vertraust.
 form.reach_limit_of_creation_n = De Eegner is al bi de Grenz vun %d Repositoriums.
 migrate_options_mirror_helper = Deeses Repositorium word een Spegel wesen
 migrate_options_lfs_endpoint.description.local = Een stedenwies Server-Padd word ok unnerstütt.
-migrate_items_merge_requests = Tosamenföhren-Vörslagen
 migrate.permission_denied = Du düürst keene stedenwies Repositoriums importeren.
 archive.title = Deeses Repositorium is archiveert. Du kannst de Dateien ankieken un ’t klonen, aver du kannst sienen Tostand nich ännern, also nix schuven un keene nejen Gefallens, Haalvörslagen of Kommentaren maken.
 need_auth = Anmellen
@@ -1064,15 +1050,12 @@ migrate_options = Umtreck-Instellens
 migrate.clone_local_path = of een stedenwies Server-Padd
 migrate.migrating_failed.error = Umtrecken fehlslagen: %s
 migrate.migrating_failed_no_addr = Umtreck fehlslagen.
-migrate.migrating_pulls = Haalvörslagen worden umtrucken
 empty_message = Deeses Repositorium hett noch keenen Inholl.
 migrate.invalid_lfs_endpoint = De LFS-Ennpunkt is nich gültig.
 migrated_from_fake = Vun %[1]s umtrucken
 generated_from = maakt vun
 migrate.migrating_failed = Umtrecken un <b>%s</b> fehlslagen.
-migrate.migrating_milestones = Markstenen worden umtrucken
 create_new_repo_command = Een nejes Repositorium in de Oorderreeg maken
-migrate.cancel_migrating_confirm = Willst du deesen Umtreck ofbreken?
 subscribe.pull.guest.tooltip = Mell di an, um deesen Haalvörslag to abonneren.
 more_operations = Mehr doon
 find_tag = Mark finnen
@@ -1088,13 +1071,6 @@ milestones = Markstenen
 org_labels_desc_manage = Verwalten
 commits = Kommitterens
 commit = Kommitteren
-n_commit_one = %s Kommitteren
-n_commit_few = %s Kommitterens
-n_branch_one = %s Twieg
-n_tag_one = %s Mark
-n_tag_few = %s Markens
-n_release_one = %s Publizeren
-n_release_few = %s Publizerens
 file.title = %s am %s
 file_history = Histoorje
 file_view_source = Quelltext wiesen
@@ -1259,7 +1235,6 @@ symbolic_link = Symbolisk Verwies
 editor.cannot_edit_non_text_files = Binäärdateien könen nich in de Internett-Schnittstee bewarkt worden.
 editor.must_be_on_a_branch = Du muttst up eenem Twieg wesen, um Ännerns an deeser Datei to maken of vörtoslagen.
 editor.fork_before_edit = Du muttst deeses Repositorium gabeln, um Ännerns an deeser Datei to maken of vörtoslagen.
-n_branch_few = %s Twiegen
 released_this = hett dat publizeert
 escape_control_characters = Utkielen
 editor.edit_this_file = Datei bewarken
diff --git a/options/locale/locale_nl-NL.ini b/options/locale/locale_nl-NL.ini
index 5ab06e61d0..c8e8428628 100644
--- a/options/locale/locale_nl-NL.ini
+++ b/options/locale/locale_nl-NL.ini
@@ -1132,14 +1132,6 @@ migrate_options_lfs=Migreer LFS bestanden
 migrate_options_lfs_endpoint.label=LFS eindpunt
 migrate_options_lfs_endpoint.description=Migratie zal proberen om je Git remote te gebruiken om <a target="_blank" rel="noopener noreferrer" href="%s">de LFS-server</a> te bepalen. Je kan ook een aangepast eindpunt opgeven als de LFS-gegevens ergens anders zijn opgeslagen.
 migrate_options_lfs_endpoint.description.local=Een lokaal serverpad wordt ook ondersteund.
-migrate_items=Migratie items
-migrate_items_wiki=Wiki
-migrate_items_milestones=Mijlpalen
-migrate_items_labels=Labels
-migrate_items_issues=Issues
-migrate_items_pullrequests=Pull requests
-migrate_items_merge_requests=Samenvoeg verzoeken
-migrate_items_releases=Releases
 migrate_repo=Migreer repository
 migrate.clone_address=Migreer / kloon van URL
 migrate.clone_address_desc=De HTTP(S) of Git "kloon" URL van een bestaande repository
@@ -1156,14 +1148,6 @@ migrate.migrate=Migreer van %s
 migrate.migrating=Migreren van <b>%s</b>…
 migrate.migrating_failed=Migreren van <b>%s</b> is mislukt.
 migrate.migrating_failed_no_addr=Migratie is mislukt.
-migrate.migrating_git=Git gegevens migreren
-migrate.migrating_topics=Onderwerpen migreren
-migrate.migrating_milestones=Mijlpalen migreren
-migrate.migrating_labels=Labels migreren
-migrate.migrating_releases=Releases migreren
-migrate.migrating_issues=Issues migreren
-migrate.migrating_pulls=Pull requests migreren
-
 mirror_from=kopie van
 forked_from=geforked van
 generated_from=gegenereerd van
@@ -2355,8 +2339,6 @@ form.name_reserved = De repository naam "%s" is gereserveerd.
 form.name_pattern_not_allowed = Het patroon "%s" is niet toegestaan in een repository naam.
 migrate.invalid_local_path = Het lokale pad is niet geldig. Het bestaat niet of is geen folder.
 migrate.migrating_failed.error = Fout bij migreren: %s
-migrate.cancel_migrating_title = Annuleer migratie
-migrate.cancel_migrating_confirm = Wil je deze migratie annuleren?
 more_operations = Meer operaties
 cite_this_repo = Citeer deze repository
 actions = Acties
@@ -2643,12 +2625,6 @@ editor.push_out_of_date = De push lijkt verouderd.
 editor.commit_id_not_matching = Het bestand is gewijzigd terwijl je het aan het bewerken was. Committeer naar een nieuwe branch en voeg dan samen.
 settings.rename_branch_failed_protected = Kan branch %s niet hernoemen omdat het een beschermde branch is.
 stars = Sterren
-n_commit_few = %s commits
-n_branch_one = %s branch
-n_branch_few = %s branches
-n_tag_one = %s tag
-n_tag_few = %s tags
-n_commit_one = %s commit
 issues.num_participants_one = %d deelnemer
 size_format = %[1]s: %[2]s, %[3]s: %[4]s
 settings.enforce_on_admins = Handhaaf deze regel voor repository admins
@@ -2675,8 +2651,6 @@ wiki.search = Zoek wiki
 wiki.no_search_results = Geen resultaten
 settings.sourcehut_builds.visibility = Job zichtbaarheid
 settings.sourcehut_builds.manifest_path = Bouw manifestpad
-n_release_one = %s release
-n_release_few = %s releases
 issues.author.tooltip.issue = Deze gebruiker is de auteur van deze issue.
 issues.author.tooltip.pr = Deze gebruiker is de auteur van deze pull request.
 settings.matrix.room_id_helper = De kamer-ID kan worden opgehaald uit de Element webclient > Kamerinstellingen > Geavanceerd > Interne ruimte ID. Voorbeeld: %s.
diff --git a/options/locale/locale_pl-PL.ini b/options/locale/locale_pl-PL.ini
index ed49655922..708ab6b6ef 100644
--- a/options/locale/locale_pl-PL.ini
+++ b/options/locale/locale_pl-PL.ini
@@ -1122,14 +1122,6 @@ migrate_options_lfs=Migruj pliki LFS
 migrate_options_lfs_endpoint.label=Punkt końcowy LFS
 migrate_options_lfs_endpoint.description=Migracja spróbuje użyć Git remote, aby <a target="_blank" rel="noopener noreferrer" href="%s">określić serwer LFS</a>. Możesz również określić niestandardowy punkt końcowy, jeśli dane repozytorium LFS są przechowywane gdzieś indziej.
 migrate_options_lfs_endpoint.description.local=Obsługiwana jest również lokalna ścieżka serwera.
-migrate_items=Elementy migracji
-migrate_items_wiki=Wiki
-migrate_items_milestones=Kamienie milowe
-migrate_items_labels=Etykiety
-migrate_items_issues=Zgłoszenia
-migrate_items_pullrequests=Pull requesty
-migrate_items_merge_requests=Requesty scalające
-migrate_items_releases=Wydania
 migrate_repo=Migruj repozytorium
 migrate.clone_address=Migruj / Klonuj z adresu URL
 migrate.clone_address_desc=Adres HTTP(S) lub "klona" Gita istniejącego repozytorium
@@ -1145,14 +1137,6 @@ migrate.migrate=Migracja z %s
 migrate.migrating=Migrowanie z <b>%s</b>…
 migrate.migrating_failed=Migrowanie z <b>%s</b> nie powiodło się.
 migrate.migrating_failed_no_addr=Migracja nie powiodła się.
-migrate.migrating_git=Migracja danych Git
-migrate.migrating_topics=Migracja tematów
-migrate.migrating_milestones=Migracja kamieni milowych
-migrate.migrating_labels=Migracja etykiet
-migrate.migrating_releases=Migracja wydań
-migrate.migrating_issues=Migracja zgłoszeń
-migrate.migrating_pulls=Migracja pull requestów
-
 mirror_from=kopia lustrzana
 forked_from=sforkowany z
 generated_from=wygenerowane z
@@ -2233,8 +2217,6 @@ summary_card_alt = Karta podsumowania repozytorium %s
 tree_path_not_found.tag = Ścieżka %[1]s nie istnieje w tagu %[2]s
 archive.pull.noreview = To repozytorium jest zarchiwizowane. Nie możesz recenzować pull requestów.
 migrate.migrating_failed.error = Nie udało się migrować: %s
-migrate.cancel_migrating_title = Anuluj migrację
-migrate.cancel_migrating_confirm = Czy chcesz anulować tę migrację?
 migrate.github_token_desc = Możesz wprowadzić tutaj jeden lub więcej tokenów oddzielonych przecinkiem by przeprowadzić migrację szybciej w związku z ograniczeniem GitHub API. OSTRZEŻENIE: Nadużywanie tej funkcjonalności może naruszyć politykę dostawcy usług i doprowadzić do zablokowania konta.
 migrate.invalid_local_path = Ścieżka lokalna jest niepoprawna. Nie istnieje lub nie jest katalogiem.
 issues.review.add_remove_review_requests = poprosił o recenzje od %[1]s i cofnął prośby o recenzje od %[2]s %[3]s
@@ -2370,7 +2352,6 @@ settings.packagist_package_url = URL pakietu Packagist
 settings.update_protect_branch_success = Ochrona gałęzi dla reguły "%s" została zaktualizowana.
 topic.format_prompt = Tematy muszą zaczynać się od litery lub liczby, mogą zawierać myślniki ("-") i kropki ("."), mogą być długie do 35 znaków. Litery muszą być małe.
 find_file.go_to_file = Szukaj pliku
-n_branch_few = %s gałęzie
 issues.dismiss_review = Odrzuć recenzję
 settings.trust_model.collaboratorcommitter = Współpracownik+Commitujący
 release.type_attachment = Załącznik
@@ -2430,9 +2411,6 @@ activity.navbar.recent_commits = Ostatnie commity
 signing.wont_sign.headsigned = To scalenie nie będzie podpisane ponieważ head commit nie jest podpisany.
 pulls.has_changed_since_last_review = Zmiany od twojej ostatniej recenzji
 find_file.no_matching = Nie znaleziono pasujących plików
-n_tag_one = %s tag
-n_tag_few = %s tagi
-n_release_few = %s wydań
 no_eol.text = Brak znaku końca linii
 editor.add_file = Dodaj plik
 pulls.has_merged = Niepowodzenie: Pull request został scalony, nie możesz scalić ponownie lub zmienić gałęzi docelowej.
@@ -2459,11 +2437,7 @@ pulls.blocked_by_official_review_requests = Ten pull request jest zablokowany po
 pulls.wrong_commit_id = Identyfikator commitu musi być identyfikatorem commitu na gałęzi docelowej
 pulls.rebase_merge_commit_pull_request = Zmiana bazy, potem utwórz commit scalający
 branch.tag_collision = Gałąź "%s" nie może zostać utworzona, ponieważ tag z tą samą nazwą już istnieje w tym repozytorium.
-n_commit_one = %s commit
-n_commit_few = %s commity
 file_follow = Podążaj za dowiązaniem
-n_branch_one = %s gałąź
-n_release_one = %s wydanie
 editor.new_branch_name = Nazwij nową gałąź dla tego commita
 issues.action_check = Zaznacz/Odznacz
 issues.close = Zamknij zgłoszenie
diff --git a/options/locale/locale_pt-BR.ini b/options/locale/locale_pt-BR.ini
index c1e3cac697..ad3ebebf55 100644
--- a/options/locale/locale_pt-BR.ini
+++ b/options/locale/locale_pt-BR.ini
@@ -1146,14 +1146,6 @@ migrate_options_lfs_endpoint.label=Destino LFS
 migrate_options_lfs_endpoint.description=A migração tentará usar seu controle remoto Git para <a target="_blank" rel="noopener noreferrer" href="%s">determinar o servidor LFS</a>. Você também pode especificar um destino personalizado se os dados do repositório LFS forem armazenados em outro lugar.
 migrate_options_lfs_endpoint.description.local=Um caminho de servidor local também é suportado.
 migrate_options_lfs_endpoint.placeholder=Se for deixado em branco, o endpoint será derivado do URL do clone
-migrate_items=Itens da migração
-migrate_items_wiki=Wiki
-migrate_items_milestones=Marcos
-migrate_items_labels=Etiquetas
-migrate_items_issues=Issues
-migrate_items_pullrequests=Propostas de revisão
-migrate_items_merge_requests=Pedidos de merge
-migrate_items_releases=Versões
 migrate_repo=Migrar repositório
 migrate.clone_address=Migrar / Clonar de URL
 migrate.clone_address_desc=URL HTTP(S) ou comando git "clone" de um repositório existente
@@ -1172,16 +1164,6 @@ migrate.migrating=Migrando de <b>%s</b> …
 migrate.migrating_failed=Migração a partir de <b>%s</b> falhou.
 migrate.migrating_failed.error=Falha ao migrar: %s
 migrate.migrating_failed_no_addr=A migração falhou.
-migrate.migrating_git=Migrando dados Git
-migrate.migrating_topics=Migrando tópicos
-migrate.migrating_milestones=Migrando marcos
-migrate.migrating_labels=Migrando rótulos
-migrate.migrating_releases=Migrando releases
-migrate.migrating_issues=Migrando issues
-migrate.migrating_pulls=Migrando propostas de revisão
-migrate.cancel_migrating_title=Cancelar migração
-migrate.cancel_migrating_confirm=Você quer cancelar essa migração?
-
 mirror_from=espelhamento de
 forked_from=feito fork de
 generated_from=gerado a partir de
@@ -2580,10 +2562,7 @@ settings.units.units = Unidades
 vendored = Externo
 issues.num_participants_one = %d participante
 issues.archived_label_description = (arquivada) %s
-n_branch_few = %s ramos
 stars = Favoritos
-n_commit_one = %s commit
-n_tag_few = %s etiquetas
 settings.federation_settings = Configurações de federação
 settings.confirm_wiki_branch_rename = Renomar o ramo da wiki
 activity.navbar.recent_commits = Commits recentes
@@ -2595,15 +2574,10 @@ contributors.contribution_type.additions = Adições
 contributors.contribution_type.deletions = Remoções
 settings.transfer.button = Transferir titularidade
 settings.transfer.modal.title = Transferir titularidade
-n_commit_few = %s commits
-n_branch_one = %s ramo
-n_tag_one = %s etiqueta
 file_follow = Seguir ligação simbólica
 open_with_editor = Abrir com %s
 wiki.search = Pesquisar na wiki
 wiki.no_search_results = Nenhum resultado
-n_release_one = %s versão
-n_release_few = %s versões
 form.string_too_long = O texto fornecido possui mais que %d caracteres.
 branch.branch_name_conflict = O nome do ramo "%s" está em conflito com o ramo "%s" já existente.
 settings.graphql_url = URL do GraphQL
diff --git a/options/locale/locale_pt-PT.ini b/options/locale/locale_pt-PT.ini
index 564293ce73..5884a9e65a 100644
--- a/options/locale/locale_pt-PT.ini
+++ b/options/locale/locale_pt-PT.ini
@@ -1158,14 +1158,6 @@ migrate_options_lfs_endpoint.label=Destino LFS
 migrate_options_lfs_endpoint.description=A migração irá tentar usar o seu controlo remoto do Git para <a target="_blank" rel="noopener noreferrer" href="%s">determinar o servidor LFS</a>. Também pode especificar um destino personalizado se os dados do repositório LFS forem armazenados noutro lugar.
 migrate_options_lfs_endpoint.description.local=Uma localização de servidor local também é suportada.
 migrate_options_lfs_endpoint.placeholder=Se for deixado em branco, o destino será determinado a partir do URL do clone
-migrate_items=Itens da migração
-migrate_items_wiki=Wiki
-migrate_items_milestones=Etapas
-migrate_items_labels=Rótulos
-migrate_items_issues=Questões
-migrate_items_pullrequests=Pedidos de integração
-migrate_items_merge_requests=Pedidos de integração
-migrate_items_releases=Lançamentos
 migrate_repo=Migrar o repositório
 migrate.clone_address=Migrar / clonar a partir do URL
 migrate.clone_address_desc=O URL de clonagem HTTP(S) ou Git de um repositório existente
@@ -1184,16 +1176,6 @@ migrate.migrating=Migrando a partir de <b>%s</b> …
 migrate.migrating_failed=A migração de <b>%s</b> falhou.
 migrate.migrating_failed.error=Falhou a migração: %s
 migrate.migrating_failed_no_addr=A migração falhou.
-migrate.migrating_git=Migrando dados Git
-migrate.migrating_topics=Migrando tópicos
-migrate.migrating_milestones=Migrando etapas
-migrate.migrating_labels=Migrando rótulos
-migrate.migrating_releases=Migrando lançamentos
-migrate.migrating_issues=Migrando questões
-migrate.migrating_pulls=Migrando pedidos de integração
-migrate.cancel_migrating_title=Cancelar migração
-migrate.cancel_migrating_confirm=Quer cancelar esta migração?
-
 mirror_from=réplica de
 forked_from=derivado de
 generated_from=gerado a partir de
@@ -2623,12 +2605,6 @@ open_with_editor = Abrir com %s
 admin.manage_flags = Gerir marcadores
 file_follow = Seguir ligação simbólica
 rss.must_be_on_branch = Tem que estar num ramo que tenha uma fonte RSS.
-n_commit_few = %s cometimentos
-n_branch_one = %s ramo
-n_branch_few = %s ramos
-n_tag_one = %s etiqueta
-n_tag_few = %s etiquetas
-n_commit_one = %s cometimento
 editor.commit_id_not_matching = O ficheiro foi modificado enquanto o estava a editar. Cometa para um ramo novo e depois integre.
 commits.search_branch = Este ramo
 pulls.reopen_failed.base_branch = O pedido de integração não pode ser reaberto porque o ramo base já não existe.
@@ -2689,8 +2665,6 @@ subscribe.pull.guest.tooltip = Inicie sessão para subscrever este pedido de int
 comments.edit.already_changed = Não foi possível guardar as modificações do comentário. O conteúdo parece ter sido modificado por outro utilizador. Refresque a página e tente editar novamente para evitar sobrescrever as modificações que fizeram
 settings.federation_following_repos = URLs de repositórios que estão a ser seguidos. Separe-os com ";" sem espaços em branco.
 settings.federation_not_enabled = A federação não está a habilitada na sua instância.
-n_release_one = %s lançamento
-n_release_few = %s lançamentos
 issues.author.tooltip.issue = Este/a utilizador/a é o/a autor/a desta questão.
 issues.author.tooltip.pr = Este/a utilizador/a é o/a autor/a deste pedido de integração.
 activity.commit = Cometimentos feitos
diff --git a/options/locale/locale_ru-RU.ini b/options/locale/locale_ru-RU.ini
index 8a80a02284..3d410c87f8 100644
--- a/options/locale/locale_ru-RU.ini
+++ b/options/locale/locale_ru-RU.ini
@@ -1143,14 +1143,6 @@ migrate_options_lfs=Перенос LFS файлов
 migrate_options_lfs_endpoint.label=Конечная точка LFS
 migrate_options_lfs_endpoint.description=При переносе будет произведена попытка <a target="_blank" rel="noopener noreferrer" href="%s">определить сервер LFS</a> автоматически через Git. Если данные LFS хранятся в другом месте, укажите конечную точку самостоятельно.
 migrate_options_lfs_endpoint.description.local=Также поддерживается путь на локальном сервере.
-migrate_items=Переносимые элементы
-migrate_items_wiki=Вики
-migrate_items_milestones=Этапы
-migrate_items_labels=Метки
-migrate_items_issues=Задачи
-migrate_items_pullrequests=Запросы на слияние
-migrate_items_merge_requests=Запросы на слияние
-migrate_items_releases=Выпуски
 migrate_repo=Перенос репозитория
 migrate.clone_address=Перенос / Клонирование по URL
 migrate.clone_address_desc=HTTP/HTTPS или Git адрес существующего репозитория
@@ -1169,16 +1161,6 @@ migrate.migrating=Перенос из <b>%s</b>…
 migrate.migrating_failed=Перенос из <b>%s</b> не удался.
 migrate.migrating_failed.error=Не удалось перенести: %s
 migrate.migrating_failed_no_addr=Перенос не удался.
-migrate.migrating_git=Перенос данных Git
-migrate.migrating_topics=Перенос тем
-migrate.migrating_milestones=Перенос этапов
-migrate.migrating_labels=Перенос меток
-migrate.migrating_releases=Перенос выпусков
-migrate.migrating_issues=Перенос задач
-migrate.migrating_pulls=Перенос запросов на слияние
-migrate.cancel_migrating_title=Отменить перенос
-migrate.cancel_migrating_confirm=Вы хотите отменить перенос?
-
 mirror_from=зеркало из
 forked_from=ответвлён от
 generated_from=создано из
@@ -2643,12 +2625,6 @@ wiki.original_git_entry_tooltip = Перейти по настоящему пу
 open_with_editor = Открыть в %s
 commits.search_branch = В этой ветви
 stars = Добавившие в избранное
-n_tag_one = %s тег
-n_branch_few = %s ветвей
-n_commit_few = %s коммитов
-n_commit_one = %s коммит
-n_tag_few = %s тегов
-n_branch_one = %s ветвь
 pulls.ready_for_review = Готово к рецензии?
 editor.commit_id_not_matching = Файл был изменён кем-то другим, пока вы его редактировали. Сохраните изменения в новую ветвь и выполните слияние.
 editor.push_out_of_date = Похоже, отправка устарела.
@@ -2686,8 +2662,6 @@ comments.edit.already_changed = Не удалось отредактироват
 settings.federation_settings = Настройки федерации
 settings.federation_apapiurl = Федеративная ссылка на этот репозиторий. Скопируйте и вставьте её в настройки федерации другого репозитория как ссылку отслеживаемого репозитория.
 settings.federation_following_repos = Ссылки на отслеживаемые репозитории. Разделяются с помощью «;», без пробелов.
-n_release_one = %s выпуск
-n_release_few = %s выпусков
 subscribe.issue.guest.tooltip = Войдите, чтобы подписаться на эту задачу.
 subscribe.pull.guest.tooltip = Войдите, чтобы подписаться на это слияние.
 issues.author.tooltip.issue = Автор этой задачи.
diff --git a/options/locale/locale_si-LK.ini b/options/locale/locale_si-LK.ini
index df801ec30a..38bcbdbe6d 100644
--- a/options/locale/locale_si-LK.ini
+++ b/options/locale/locale_si-LK.ini
@@ -750,14 +750,6 @@ migrate_options_lfs=LFS ගොනු සංක්රමණය
 migrate_options_lfs_endpoint.label=LFS එන්පොයින්ට්
 migrate_options_lfs_endpoint.description=සංක්රමණය ඔබගේ Git දුරස්ථ භාවිතා කිරීමට උත්සාහ කරනු ඇත <a target="_blank" rel="noopener noreferrer" href="%s">LFS සේවාදායකය තීරණය</a>. නිධිය LFS දත්ත වෙන කොහේ හරි ගබඩා කර තිබේ නම් ඔබට අභිරුචි අන්ත ලක්ෂ්යයක් නියම කළ හැකිය.
 migrate_options_lfs_endpoint.description.local=දේශීය සේවාදායක මාර්ගයක් ද සහාය දක්වයි.
-migrate_items=සංක්රමණ අයිතම
-migrate_items_wiki=විකි
-migrate_items_milestones=සන්ධිස්ථාන
-migrate_items_labels=ලේබල
-migrate_items_issues=ගැටළු
-migrate_items_pullrequests=ඉල්ලීම් අදින්න
-migrate_items_merge_requests=සංයුක්ත කිරීමේ ඉල්ලීම්
-migrate_items_releases=නිකුතු
 migrate_repo=නිධිය සංක්රමණය කරන්න
 migrate.clone_address=URL එක සිට සංක්රමණය/පරිගණක ක්රිඩාවට සමාන
 migrate.clone_address_desc=පවතින ගබඩාවේ HTTP (S) හෝ Git 'පරිගණක ක්රිඩාවට සමාන' URL
@@ -773,14 +765,6 @@ migrate.migrate=%sසිට සංක්රමණය
 migrate.migrating=<b>%s</b> සිට සංක්රමණය වීම...
 migrate.migrating_failed=<b>%s</b> සිට සංක්රමණය වීම අසාර්ථක විය.
 migrate.migrating_failed_no_addr=සංක්රමණය අසාර්ථකයි.
-migrate.migrating_git=Git දත්ත සංක්රමණය
-migrate.migrating_topics=සංක්රමණය මාතෘකා
-migrate.migrating_milestones=සංක්රමික සන්ධිස්ථාන
-migrate.migrating_labels=සංක්රමණය ලේබල
-migrate.migrating_releases=සංක්රමණ නිකුතු
-migrate.migrating_issues=සංක්රමණ ගැටළු
-migrate.migrating_pulls=අදින්න ඉල්ලීම් සංක්රමණය
-
 mirror_from=කැඩපත
 forked_from=සිට දෙබලක
 generated_from=වෙතින් ජනනය කරන ලද
diff --git a/options/locale/locale_sk-SK.ini b/options/locale/locale_sk-SK.ini
index e2be661dcf..cab953088e 100644
--- a/options/locale/locale_sk-SK.ini
+++ b/options/locale/locale_sk-SK.ini
@@ -1004,11 +1004,6 @@ migrate_options_lfs=Migrovať LFS súbory
 migrate_options_lfs_endpoint.label=Koncový bod LFS
 migrate_options_lfs_endpoint.description=Migrácia sa pokúsi použiť váš vzdialený Git na <a target="_blank" rel="noopener noreferrer" href="%s">určenie servera LFS</a>. Môžete tiež zadať vlastný koncový bod, ak sú dáta repozitára LFS uložené niekde inde.
 migrate_options_lfs_endpoint.description.local=Podporovaná je aj cesta k lokálnemu serveru.
-migrate_items=Položky migrácie
-migrate_items_wiki=Wiki
-migrate_items_milestones=Míľniky
-migrate_items_labels=Štítky
-migrate_items_pullrequests=Pull requesty
 migrate_repo=Migrovať repozitár
 migrate.clone_address_desc=HTTP(S) alebo Git 'clone' URL pre klonovanie existujúceho repozitára
 migrate.github_token_desc=Sem môžete vložiť jeden alebo viac tokenov oddelených čiarkami, aby sa migrácia zrýchlila z dôvodu limitu rýchlosti rozhrania GitHub API. UPOZORNENIE: Zneužitie tejto funkcie môže porušiť zásady poskytovateľa služieb a viesť k zablokovaniu účtu.
diff --git a/options/locale/locale_sv-SE.ini b/options/locale/locale_sv-SE.ini
index b619a6904a..22213cebf4 100644
--- a/options/locale/locale_sv-SE.ini
+++ b/options/locale/locale_sv-SE.ini
@@ -1093,14 +1093,6 @@ template.one_item=Du måste välja minst ett mallobjekt
 template.invalid=Du måste välja ett mallkodförråd
 
 migrate_options=Migreringsalternativ
-migrate_items=Migrationsobjekt
-migrate_items_wiki=Wiki
-migrate_items_milestones=Milstolpar
-migrate_items_labels=Etiketter
-migrate_items_issues=Ärenden
-migrate_items_pullrequests=Ändringsförfrågningar
-migrate_items_merge_requests=Ändringsförfrågningar
-migrate_items_releases=Utgåvor
 migrate_repo=Migrera kodförråd
 migrate.clone_address=Migrera eller klona från URL
 migrate.clone_address_desc=HTTP(S)- eller Git "clone"-länk för ett befintligt kodförråd
@@ -1113,8 +1105,6 @@ migrated_from_fake=Migrerad från %[1]s
 migrate.migrate=Migrera från %s
 migrate.migrating=Migrerar från <b>%s</b> …
 migrate.migrating_failed=Migrering från <b>%s</b> misslyckades.
-migrate.migrating_issues=Migrerar ärenden
-
 mirror_from=spegling av
 forked_from=avgrenad från
 generated_from=skapad från
@@ -2098,28 +2088,12 @@ migrate.invalid_local_path = Den lokala sökvägen är ogiltig. Den finns inte e
 migrate.invalid_lfs_endpoint = LFS-slutpunkten är inte giltig.
 migrate.migrating_failed.error = Misslyckades med att migrera: %s
 migrate.migrating_failed_no_addr = Migreringen misslyckades.
-migrate.migrating_git = Migrerar Git-data
-migrate.migrating_topics = Migrerar ämnen
-migrate.migrating_milestones = Migrerar milstolpar
-migrate.migrating_labels = Migrerar etiketter
-migrate.migrating_releases = Migrerar utgåvor
-migrate.migrating_pulls = Migrerar ändringsförfrågningar
-migrate.cancel_migrating_title = Avbryt migrering
-migrate.cancel_migrating_confirm = Vill du avbryta denna migrering?
 subscribe.issue.guest.tooltip = Logga in för att prenumerera på detta ärende.
 subscribe.pull.guest.tooltip = Logga in för att prenumerera på denna ändringsförfrågan.
 more_operations = Fler åtgärder
 cite_this_repo = Citera detta kodförråd
 broken_message = Git-datan som ligger till grund för detta kodförråd kan inte läsas. Kontakta administratören för denna instans eller ta bort detta kodförråd.
 actions = Actions
-n_commit_one = %s incheckning
-n_commit_few = %s incheckningar
-n_branch_one = %s gren
-n_branch_few = %s grenar
-n_tag_one = %s tagg
-n_tag_few = %s taggar
-n_release_one = %s utgåva
-n_release_few = %s utgåvor
 released_this = publicerade detta
 file.title = %s vid %s
 file_follow = Följ symlänk
diff --git a/options/locale/locale_ta.ini b/options/locale/locale_ta.ini
index a4874f6c48..74fef432c4 100644
--- a/options/locale/locale_ta.ini
+++ b/options/locale/locale_ta.ini
@@ -1124,14 +1124,6 @@ migrate_options_lfs_endpoint.label = LFS இறுதிப்புள்ளி
 migrate_options_lfs_endpoint.description = <a target="_blank" rel="noopener noreferrer" href="%s">LFS சர்வரைத் தீர்மானிக்க</a> உங்கள் Git ரிமோட்டைப் பயன்படுத்துவதற்கு இடம்பெயர்வு முயற்சிக்கும். களஞ்சியமான LFS தரவு வேறு எங்காவது சேமிக்கப்பட்டிருந்தால் தனிப்பயன் இறுதிப்புள்ளியையும் நீங்கள் குறிப்பிடலாம்.
 migrate_options_lfs_endpoint.description.local = உள்ளக சர்வர் பாதையும் ஆதரிக்கப்படுகிறது.
 migrate_options_lfs_endpoint.placeholder = காலியாக விடப்பட்டால், இறுதிப்புள்ளியானது நகலி முகவரி இலிருந்து பெறப்படும்
-migrate_items = இடம்பெயர்வு பொருட்கள்
-migrate_items_wiki = விக்கி
-migrate_items_milestones = மைல்கற்கள்
-migrate_items_labels = சிட்டைகள்
-migrate_items_issues = சிக்கல்கள்
-migrate_items_pullrequests = கோரிக்கைகளை இழுக்கவும்
-migrate_items_merge_requests = கோரிக்கைகளை ஒன்றிணைக்கவும்
-migrate_items_releases = வெளியிடுகிறது
 migrate_repo = களஞ்சியத்தை நகர்த்தவும்
 migrate.repo_desc_helper = ஏற்கனவே உள்ள விளக்கத்தை இறக்குமதி செய்ய காலியாக விடவும்
 migrate.clone_address = முகவரி இலிருந்து நகர்த்தவும் / நகலி செய்யவும்
@@ -1151,15 +1143,6 @@ migrate.migrating = <b>%s</b> இலிருந்து நகர்கிற
 migrate.migrating_failed = <b>%s</b> இலிருந்து நகர்த்துவது தோல்வியடைந்தது.
 migrate.migrating_failed.error = நகர்த்துவதில் தோல்வி: %s
 migrate.migrating_failed_no_addr = இடம்பெயர்வு தோல்வியடைந்தது.
-migrate.migrating_git = Git தரவை நகர்த்துகிறது
-migrate.migrating_topics = இடம்பெயர்ந்த தலைப்புகள்
-migrate.migrating_milestones = இடம்பெயரும் மைல்கற்கள்
-migrate.migrating_labels = இடம்பெயர்தல் லேபிள்கள்
-migrate.migrating_releases = இடம்பெயர்ந்த வெளியீடுகள்
-migrate.migrating_issues = இடம்பெயர்வு பிரச்சினைகள்
-migrate.migrating_pulls = இழுக்கும் கோரிக்கைகளை நகர்த்துகிறது
-migrate.cancel_migrating_title = இடம்பெயர்வை நீக்கறல்
-migrate.cancel_migrating_confirm = இந்த இடம்பெயர்வை ரத்துசெய்ய விரும்புகிறீர்களா?
 mirror_from = கண்ணாடி
 forked_from = இருந்து முட்கரண்டி
 generated_from = இருந்து உருவாக்கப்பட்டது
@@ -1200,14 +1183,6 @@ labels = சிட்டைகள்
 milestones = மைல்கற்கள்
 org_labels_desc = இந்த நிறுவனத்தின் கீழ் உள்ள <strong>அனைத்து களஞ்சியங்களுடனும்</strong> பயன்படுத்தக்கூடிய நிறுவன நிலை லேபிள்கள்
 org_labels_desc_manage = நிர்வகிக்க
-n_commit_one = %s உறுதி
-n_commit_few = %s உறுதியளிக்கிறது
-n_branch_one = %s கிளை
-n_branch_few = %s கிளைகள்
-n_tag_one = %s குறிச்சொல்
-n_tag_few = %s குறிச்சொற்கள்
-n_release_one = %s வெளியீடு
-n_release_few = %s வெளியீடுகள்
 released_this = இதை வெளியிட்டது
 file.title = %s இல் %s
 file_raw = மூல
diff --git a/options/locale/locale_th.ini b/options/locale/locale_th.ini
index de5c22ccc5..d873f72e47 100644
--- a/options/locale/locale_th.ini
+++ b/options/locale/locale_th.ini
@@ -1124,14 +1124,6 @@ migrate_options_lfs_endpoint.label = ปลายทาง LFS
 migrate_options_lfs_endpoint.description = การย้ายจะพยายามใช้ Git remote ของคุณเพื่อ <a target="_blank" rel="noopener noreferrer" href="%s">กำหนดเซิร์ฟเวอร์ LFS</a> คุณยังสามารถระบุปลายทางที่กำหนดเองได้หากข้อมูล LFS ของที่เก็บถูกเก็บไว้ที่อื่น
 migrate_options_lfs_endpoint.description.local = รองรับพาธเซิร์ฟเวอร์โลคัลด้วย
 migrate_options_lfs_endpoint.placeholder = หากเว้นว่างไว้ ปลายทางจะถูกสืบทอดจาก URL การโคลน
-migrate_items = รายการการย้าย
-migrate_items_wiki = วิกิ
-migrate_items_milestones = เหตุการณ์สำคัญ
-migrate_items_labels = ป้ายกำกับ
-migrate_items_issues = ปัญหา
-migrate_items_pullrequests = คำขอดึง
-migrate_items_merge_requests = คำขอผสาน
-migrate_items_releases = รีลีส
 migrate_repo = ย้ายที่เก็บ
 migrate.repo_desc_helper = เว้นว่างไว้เพื่อนำเข้าคำอธิบายที่มีอยู่
 migrate.clone_address = ย้าย / โคลนจาก URL
@@ -1151,15 +1143,6 @@ migrate.migrating = กำลังย้ายจาก <b>%s</b> …
 migrate.migrating_failed = การย้ายจาก <b>%s</b> ล้มเหลว
 migrate.migrating_failed.error = ไม่สามารถย้าย: %s
 migrate.migrating_failed_no_addr = การย้ายล้มเหลว
-migrate.migrating_git = กำลังย้ายข้อมูล Git
-migrate.migrating_topics = กำลังย้ายหัวข้อ
-migrate.migrating_milestones = กำลังย้ายเหตุการณ์สำคัญ
-migrate.migrating_labels = กำลังย้ายป้ายกำกับ
-migrate.migrating_releases = กำลังย้ายรีลีส
-migrate.migrating_issues = กำลังย้ายปัญหา
-migrate.migrating_pulls = กำลังย้ายคำขอดึง
-migrate.cancel_migrating_title = ยกเลิกการย้าย
-migrate.cancel_migrating_confirm = คุณต้องการยกเลิกการย้ายนี้หรือไม่?
 mirror_from = มิเรอร์ของ
 forked_from = แยกจาก
 generated_from = สร้างจาก
@@ -1200,14 +1183,6 @@ labels = ป้ายกำกับ
 milestones = เหตุการณ์สำคัญ
 org_labels_desc = ป้ายกำกับระดับองค์กรที่สามารถใช้กับ <strong>ที่เก็บทั้งหมด</strong> ภายใต้องค์กรนี้
 org_labels_desc_manage = จัดการ
-n_commit_one = %s คอมมิต
-n_commit_few = %s คอมมิต
-n_branch_one = %s สาขา
-n_branch_few = %s สาขา
-n_tag_one = %s แท็ก
-n_tag_few = %s แท็ก
-n_release_one = %s รีลีส
-n_release_few = %s รีลีส
 released_this = ปล่อยสิ่งนี้
 file.title = %s ที่ %s
 file_raw = ดิบ
diff --git a/options/locale/locale_tr-TR.ini b/options/locale/locale_tr-TR.ini
index 1622c29942..def4980a19 100644
--- a/options/locale/locale_tr-TR.ini
+++ b/options/locale/locale_tr-TR.ini
@@ -1156,14 +1156,6 @@ migrate_options_lfs_endpoint.label=LFS uç noktası
 migrate_options_lfs_endpoint.description=Taşıma, <a target="_blank" rel="noopener noreferrer" href="%s"> LFS sunucusunu belirlemek</a> için Git uzak sunucusunu kullanmaya çalışacak. Eğer LFS veri deposu başka yerdeyse özel bir uç nokta da belirtebilirsiniz.
 migrate_options_lfs_endpoint.description.local=Yerel bir sunucu yolu da destekleniyor.
 migrate_options_lfs_endpoint.placeholder=Boş bırakılırsa, uç nokta klon URL'sinden türetilecektir
-migrate_items=Taşıma öğeleri
-migrate_items_wiki=Wiki
-migrate_items_milestones=Kilometre Taşları
-migrate_items_labels=Etiketler
-migrate_items_issues=Konular
-migrate_items_pullrequests=Birleştirme istekleri
-migrate_items_merge_requests=Birleştirme istekleri
-migrate_items_releases=Sürümler
 migrate_repo=Depoyu taşı
 migrate.clone_address=URL'den Taşı / Klonla
 migrate.clone_address_desc=Varolan bir deponun HTTP(S) veya Git 'klonlama' URL'si
@@ -1182,16 +1174,6 @@ migrate.migrating=<b>%s</b> konumundan taşınıyor ...
 migrate.migrating_failed=<b>%s</b> konumundan taşıma başarısız oldu.
 migrate.migrating_failed.error=Göç yapılamadı: %s
 migrate.migrating_failed_no_addr=Göç başarısız oldu.
-migrate.migrating_git=Git Verilerini Taşıma
-migrate.migrating_topics=Konuları taşıma
-migrate.migrating_milestones=Kilometre Taşlarını Taşıma
-migrate.migrating_labels=Etiketleri Taşıma
-migrate.migrating_releases=Sürümleri Taşıma
-migrate.migrating_issues=Konuları Taşıma
-migrate.migrating_pulls=Değişiklik İsteklerini Taşıma
-migrate.cancel_migrating_title=Göçü iptal et
-migrate.cancel_migrating_confirm=Bu göçü iptal etmek istiyor musunuz?
-
 mirror_from=şunun yansıması
 forked_from=şundan çatallanmış
 generated_from=şuradan oluşturuldu
@@ -2642,13 +2624,9 @@ mirror_use_ssh.text = SSH yetkilendirme kullan
 settings.default_update_style_desc = Temel dalın ardındaki çekme isteklerini güncellemek için kullanılan varsayılan güncelleme stili.
 mirror_denied_combination = Ortak anahtar ve parola tabanlı kimlik doğrulama birlikte kullanılamaz.
 mirror_public_key = Ortak SSH anahtarı
-n_branch_few = %s dal
-n_commit_few = %s gönderi
-n_tag_few = %s etiket
 settings.wiki_rename_branch_main = Viki dal adını normalleştir
 mirror_use_ssh.not_available = SSH yetkilendirme kullanılamıyor.
 mirror_use_ssh.helper = Forgejo, bu seçeneği seçtiğinizde deponuzu SSH üzerinden Git üzerinden yansıtacak ve sizin için bir anahtar çifti oluşturacaktır. Oluşturulan ortak anahtarın hedef depoya gönderilmek üzere yetkilendirildiğinden emin olmalısınız. Bunu seçerken parola tabanlı yetkilendirme kullanamazsınız.
-n_branch_one = %s dal
 settings.units.add_more = Daha fazlasını etkinleştir
 settings.wiki_globally_editable = Vikiyi herkesin düzenlemesine izin ver
 issues.filter_no_results_placeholder = Arama filtrelerini değiştirmeyi deneyin.
@@ -2674,10 +2652,6 @@ migrate.repo_desc_helper = Var olan açıklamayı içe aktarmak için boş bıra
 subscribe.issue.guest.tooltip = Bu soruna abone olmak için oturum açın.
 subscribe.pull.guest.tooltip = Bu birleştirme isteğine abone olmak için oturum açın.
 project = Projeler
-n_commit_one = %s katkı
-n_tag_one = %s etiket
-n_release_one = %s sürüm
-n_release_few = %s sürüm
 file_follow = Sembolik bağlantıyı takip et
 no_eol.text = EOL bulunamadı
 no_eol.tooltip = Bu dosya, en sonunda satır sonu karakterini içermiyor.
diff --git a/options/locale/locale_uk-UA.ini b/options/locale/locale_uk-UA.ini
index 9c02d496f9..a1e7455471 100644
--- a/options/locale/locale_uk-UA.ini
+++ b/options/locale/locale_uk-UA.ini
@@ -1126,14 +1126,6 @@ migrate_options_lfs=Перенесення файлів LFS
 migrate_options_lfs_endpoint.label=Кінцева точка LFS
 migrate_options_lfs_endpoint.description=Під час перенесення буде виконано спробу <a target="_blank" rel="noopener noreferrer" href="%s">визначити сервер LFS</a> через ваш віддалений сервер Git. Ви також можете вказати свою кінцеву точку, якщо дані LFS репозиторію зберігаються в іншому місці.
 migrate_options_lfs_endpoint.description.local=Також підтримується шлях на локальному сервері.
-migrate_items=Елементи для перенесення
-migrate_items_wiki=Вікі
-migrate_items_milestones=Етапи
-migrate_items_labels=Мітки
-migrate_items_issues=Задачі
-migrate_items_pullrequests=Запити на злиття
-migrate_items_merge_requests=Запити на об’єднання
-migrate_items_releases=Випуски
 migrate_repo=Перенести репозиторій
 migrate.clone_address=Перенести / клонувати з URL-адреси
 migrate.clone_address_desc=URL-адреса HTTP(S) або Git «clone» існуючого репозиторію
@@ -1149,14 +1141,6 @@ migrate.migrate=Перенесення з %s
 migrate.migrating=Перенесення з <b>%s</b>…
 migrate.migrating_failed=Перенесення з <b>%s</b> не вдалося.
 migrate.migrating_failed_no_addr=Перенесення не вдалося.
-migrate.migrating_git=Перенесення даних Git
-migrate.migrating_topics=Перенесення тем
-migrate.migrating_milestones=Перенесення етапів
-migrate.migrating_labels=Перенесення міток
-migrate.migrating_releases=Перенесення випусків
-migrate.migrating_issues=Перенесення задач
-migrate.migrating_pulls=Перенесення запитів на злиття
-
 mirror_from=дзеркало
 forked_from=форк від
 generated_from=згенеровано з
@@ -2350,14 +2334,11 @@ pull.deleted_branch = (видалено): %s
 milestones.update_ago = Оновлено %s
 size_format = %[1]s: %[2]s; %[3]s: %[4]s
 settings.units.add_more = Увімкнути ще
-migrate.cancel_migrating_title = Скасувати перенесення
 settings.units.units = Розділи
 settings.units.overview = Огляд
 projects.create_success = Проєкт «%s» створено.
 issues.no_content = Немає опису.
 settings.mirror_settings.docs.doc_link_title = Як дзеркалювати репозиторії?
-n_commit_one = %s коміт
-n_commit_few = %s комітів
 signing.will_sign = Коміт буде підписано ключем «%s».
 signing.wont_sign.error = Під час перевірки можливості підписати коміт сталася помилка.
 commits.search_branch = У цій гілці
@@ -2371,8 +2352,6 @@ project = Проєкти
 issues.review.outdated_description = Вміст змінився з моменту написання цього коментаря
 commits.browse_further = Дивитися далі
 issues.unpin_issue = Відкріпити задачу
-n_branch_one = %s гілка
-n_branch_few = %s гілок
 executable_file = Виконуваний файл
 migrate_options_mirror_helper = Цей репозиторій буде дзеркалом
 projects.edit_success = Проєкт «%s» оновлено.
@@ -2457,10 +2436,8 @@ archive.title_date = Цей репозиторій архівовано %s. Ви
 settings.event_pull_request_review_request_desc = Створено або видалено запит на відгук до запиту на злиття.
 archive.pull.noreview = Цей репозиторій архівовано. Ви не можете рецензувати запити на злиття.
 issues.num_reviews_few = %d відгуків
-n_release_few = %s випусків
 release.releases_for = Випуски %s
 release.type_attachment = Вкладення
-n_release_one = %s випуск
 issues.reopen.blocked_by_user = Ви не можете знову відкрити цю задачу, оскільки вас заблокував власник репозиторію або автор задачі.
 settings.actions_desc = Увімкнути вбудовані конвеєри CI/CD з Діями Forgejo
 tree_path_not_found_commit = Шлях %[1]s не існує в коміті %[2]s
@@ -2498,8 +2475,6 @@ pulls.nothing_to_compare_have_tag = Вибрані гілки/теги одна
 pulls.delete_after_merge.head_branch.is_protected = Головна гілка, яку ви намагаєтеся видалити, є захищеною і її неможливо видалити.
 settings.default_update_style_desc = Типовий стиль оновлення для запитів на злиття, що знаходяться позаду базової гілки.
 commit.load_referencing_branches_and_tags = Завантажити гілки і теги, які посилаються на цей коміт
-n_tag_few = %s тегів
-n_tag_one = %s тег
 settings.branches.switch_default_branch = Змінити типову гілку
 branch.branch_already_exists = Гілка «%s» вже є у цьому репозиторії.
 commit.contained_in_default_branch = Цей коміт — частина типової гілки
@@ -2696,7 +2671,6 @@ settings.mirror_settings.docs.disabled_push_mirror.instructions = Налашту
 settings.mirror_settings.docs.disabled_push_mirror.info = Push-дзеркала вимкнено адміністрацією сайту.
 settings.mirror_settings.docs.disabled_pull_mirror.instructions = Налаштуйте свій проєкт на автоматичне надсилання комітів, тегів і гілок до іншого репозиторію. Pull-дзеркала вимкнено адміністрацією сайту.
 issues.label_templates.fail_to_load_file = Не вдалося завантажити файл шаблону міток «%s»: %v
-migrate.cancel_migrating_confirm = Бажаєте скасувати перенесення?
 transfer.no_permission_to_accept = У вас немає дозволу прийняти цю передачу.
 transfer.no_permission_to_reject = У вас немає дозволу відхилити цю передачу.
 issues.choose.ignore_invalid_templates = Недійсні шаблони проігноровано
diff --git a/options/locale/locale_vi.ini b/options/locale/locale_vi.ini
index 61d7117b73..3c51eb51b9 100644
--- a/options/locale/locale_vi.ini
+++ b/options/locale/locale_vi.ini
@@ -706,7 +706,7 @@ update_hints = Cập nhật các gợi ý
 update_hints_success = Đã cập nhật các gợi ý.
 hidden_comment_types = Loại bình luận bị ẩn
 hidden_comment_types_description = Các loại bình luận được chọn ở đây sẽ không hiện trên các trang vấn đề. Ví dụ: Chọn "Nhãn" thì sẽ loại bỏ tất cả các bình luận "<user> đã thêm/bỏ <label>".
-hidden_comment_types.ref_tooltip =
+hidden_comment_types.ref_tooltip = 
 hidden_comment_types.issue_ref_tooltip = Các bình luận mà người dùng đổi nhánh/nhãn gắn với vấn đề
 comment_type_group_reference = Đề cập
 comment_type_group_label = Nhãn
@@ -782,7 +782,7 @@ key_content_gpg_placeholder = Bắt đầu bằng "-----BEGIN PGP PUBLIC KEY BLO
 ssh_key_been_used = Mã SSH này đã được thêm vào máy chủ rồi.
 ssh_key_name_used = Một mã SSH cùng tên đã tồn tại trong tài khoản của bạn.
 gpg_key_id_used = Một mã GPG công khai cùng ID đã tồn tại.
-gpg_no_key_email_found =
+gpg_no_key_email_found = 
 gpg_key_matched_identities = Các danh tính khớp:
 gpg_key_verify = Xác thực
 gpg_token_help = Bạn có thể tạo chữ kí bằng:
@@ -803,7 +803,7 @@ delete_key = Gỡ
 ssh_key_deletion = Gỡ mã SSH
 gpg_key_deletion = Gỡ mã GPG
 ssh_key_deletion_desc = Việc gỡ mã SSH sẽ tước quyền truy cập của nó đến tài khoản của bạn. Tiếp tục?
-gpg_key_deletion_desc =
+gpg_key_deletion_desc = 
 ssh_key_deletion_success = Đã gỡ mã SSH.
 gpg_key_deletion_success = Đã gỡ mã GPG.
 added_on = Đã được thêm từ %s
@@ -1043,11 +1043,6 @@ need_auth = Cấp phép
 migrate_options = Cài đặt nhập
 migrate_options_lfs = Nhập các tệp LFS
 migrate_options_lfs_endpoint.description.local = Đường dẫn máy chủ cục bộ cũng được hỗ trợ.
-migrate_items_milestones = Cột mốc
-migrate_items_labels = Nhãn
-migrate_items_issues = Vấn đề
-migrate_items_merge_requests = Yêu cầu hợp
-migrate_items_releases = Bản phát hành
 migrate_repo = Nhập kho mã
 migrate.repo_desc_helper = Bỏ trống để nhập mô tả có sẵn
 migrate.clone_local_path = hoặc một đường dẫn máy chủ cục bộ
@@ -1062,15 +1057,6 @@ migrate.migrating = Đang nhập từ <b>%s</b>…
 migrate.migrating_failed = Nhập từ <b>%s</b> thất bại.
 migrate.migrating_failed.error = Nhập thất bại: %s
 migrate.migrating_failed_no_addr = Nhập thất bại.
-migrate.migrating_git = Đang nhập dữ liệu Git
-migrate.migrating_topics = Đang nhập các chủ đề
-migrate.migrating_milestones = Đang nhập các cột mốc
-migrate.migrating_labels = Đang nhập các nhãn
-migrate.migrating_releases = Đang nhập các bản phát hành
-migrate.migrating_issues = Đang nhập các vấn đề
-migrate.migrating_pulls = Đang nhập các yêu cầu kéo
-migrate.cancel_migrating_title = Huỷ nhập
-migrate.cancel_migrating_confirm = Bạn có muốn huỷ nhập không?
 forked_from = phân nhánh từ
 generated_from = tạo từ
 fork_from_self = Bạn không thể phân nhánh kho mã của bạn.
@@ -1088,7 +1074,6 @@ more_operations = Thêm thao tác
 no_desc = Không có mô tả
 quick_guide = Chỉ dẫn nhanh
 fork_branch = Nhánh để nhân bản đến phân nhánh
-migrate_items_pullrequests = Yêu cầu kéo
 archive.pull.noreview = Kho mã này được lưu trữ. Bạn không thể xem xét yêu cầu kéo.
 archive.title_date = Kho mã này đã được lưu trữ vào %s. Bạn có thể xem tệp và nhân bản nó, nhưng bạn không thể thay đổi trạng thái của nó, như việc tạo vấn đề, yêu cầu kéo hay bình luận.
 archive.title = Kho mã này được lưu trữ. Bạn có thể xem tệp và nhân bản nó, nhưng bạn không thể thay đổi trạng thái của nó, như việc tạo vấn đề, yêu cầu kéo hay bình luận.
@@ -1174,8 +1159,6 @@ settings.packagist_api_token = Mã API
 filter_branch_and_tag = Lọc nhánh hoặc nhãn
 find_tag = Tìm nhãn
 tags = Nhãn
-n_tag_one = %s nhãn
-n_tag_few = %s nhãn
 video_not_supported_in_browser = Trình duyệt của bạn không hỗ trợ thẻ "video" HTML5.
 audio_not_supported_in_browser = Trình duyệt của bạn không hỗ trợ thẻ "audio" HTML5.
 pulls.nothing_to_compare_have_tag = Các nhánh/nhãn đã chọn bằng nhau.
@@ -1268,10 +1251,6 @@ labels = Nhãn
 milestones = Cột mốc
 org_labels_desc = Nhãn cấp tổ chức mà có thể được dùng với <strong>tất cả các kho mã</strong> của tổ chức này
 org_labels_desc_manage = quản lí
-n_branch_one = %s nhánh
-n_branch_few = %s nhánh
-n_release_one = %s bản phát hành
-n_release_few = %s bản phát hành
 released_this = đã phát hành bản này
 file.title = %s tại %s
 file_raw = Thô
diff --git a/options/locale/locale_zh-CN.ini b/options/locale/locale_zh-CN.ini
index e278b425c9..d292f171df 100644
--- a/options/locale/locale_zh-CN.ini
+++ b/options/locale/locale_zh-CN.ini
@@ -1156,14 +1156,6 @@ migrate_options_lfs_endpoint.label=LFS网址
 migrate_options_lfs_endpoint.description=迁移将尝试使用你的Git remote来<a target="_blank" rel="noopener noreferrer" href="%s">确定LFS服务器</a>。如果仓库LFS数据存储在其他位置，你还可以指定自定义网址。
 migrate_options_lfs_endpoint.description.local=支持本地服务器路径。
 migrate_options_lfs_endpoint.placeholder=如果留空，网址将从克隆URL中得到
-migrate_items=迁移项目
-migrate_items_wiki=百科
-migrate_items_milestones=里程碑
-migrate_items_labels=标签
-migrate_items_issues=议题
-migrate_items_pullrequests=合并请求
-migrate_items_merge_requests=合并请求
-migrate_items_releases=版本发布
 migrate_repo=迁移仓库
 migrate.clone_address=从URL迁移/克隆
 migrate.clone_address_desc=现有仓库的HTTP(S)或Git“clone”URL
@@ -1182,16 +1174,6 @@ migrate.migrating=正在从<b>%s</b>迁移……
 migrate.migrating_failed=从<b>%s</b>迁移失败。
 migrate.migrating_failed.error=迁移失败：%s
 migrate.migrating_failed_no_addr=迁移失败。
-migrate.migrating_git=迁移Git数据
-migrate.migrating_topics=正在迁移主题
-migrate.migrating_milestones=正在迁移里程碑
-migrate.migrating_labels=正在迁移标签
-migrate.migrating_releases=正在迁移发布
-migrate.migrating_issues=正在迁移议题
-migrate.migrating_pulls=正在迁移合并请求
-migrate.cancel_migrating_title=取消迁移
-migrate.cancel_migrating_confirm=您想要取消此次迁移吗？
-
 mirror_from=镜像自地址
 forked_from=派生自
 generated_from=生成自
@@ -2644,12 +2626,6 @@ open_with_editor = 使用%s打开
 settings.rename_branch_failed_protected = 无法重命名受保护的分支%s。
 stars = 点赞
 settings.confirmation_string = 确认输入
-n_commit_one = %s提交
-n_commit_few = %s提交
-n_branch_one = %s分支
-n_branch_few = %s分支
-n_tag_one = %s标签
-n_tag_few = %s标签
 editor.commit_id_not_matching = 您在编辑文件时该文件已被更改。请提交到一个新的分支，然后再将这个新的分支合并回当前分支。
 issues.num_participants_one = %d位参与者
 issues.archived_label_description = （已存档）%s
@@ -2677,8 +2653,6 @@ settings.transfer.button = 转移所有权
 wiki.search = 搜索百科
 wiki.no_search_results = 无结果
 form.string_too_long = 给定的字符串长度超过%d个字符。
-n_release_one = %s版本发布
-n_release_few = %s版本发布
 project = 项目
 issues.edit.already_changed = 无法保存对议题的更改。议题似乎已经被另一个用户修改了，为了防止修改被覆盖，请刷新页面后再次尝试编辑
 pulls.edit.already_changed = 无法保存对合并请求的更改。内容似乎已经被另一个用户修改了，为了防止修改被覆盖，请刷新页面后再次尝试编辑
diff --git a/options/locale/locale_zh-HK.ini b/options/locale/locale_zh-HK.ini
index dcec0908ef..790012ecd9 100644
--- a/options/locale/locale_zh-HK.ini
+++ b/options/locale/locale_zh-HK.ini
@@ -420,9 +420,6 @@ template.avatar=頭像
 
 
 
-migrate_items_issues=問題數
-migrate_items_pullrequests=合併請求
-migrate_items_releases=版本發佈
 migrate_repo=遷移儲存庫
 migrate.permission_denied=您並沒有導入本地儲存庫的權限。
 migrate.failed=遷移失敗：%v
@@ -725,7 +722,6 @@ release.downloads=下載附件
 mirror_password_blank_placeholder = （未設定）
 settings.trust_model.default = 預設信任模型
 issue_labels = 標籤
-migrate_items_milestones = 里程碑
 settings.default_merge_style_desc = 預設合併方式
 language_other = 其他
 delete_preexisting_label = 刪除
@@ -742,8 +738,6 @@ mirror_password_placeholder = （未變更）
 readme = 讀我檔案
 release = 發佈
 commit = 提交
-migrate_items_wiki = 維基
-migrate_items_labels = 標籤
 tag = 標籤
 settings.branches.switch_default_branch = 切換預設分支
 mirror_sync = 已同步
diff --git a/options/locale/locale_zh-TW.ini b/options/locale/locale_zh-TW.ini
index b1b1156ef6..09052f05b2 100644
--- a/options/locale/locale_zh-TW.ini
+++ b/options/locale/locale_zh-TW.ini
@@ -1133,14 +1133,6 @@ migrate_options_lfs=遷移 LFS 檔案
 migrate_options_lfs_endpoint.label=LFS 端點
 migrate_options_lfs_endpoint.description=遷移將會嘗試使用您的 Git 遠端來<a target="_blank" rel="noopener noreferrer" href="%s">確認 LFS 伺服器</a>。如果存儲庫的 LFS 資料放在其他地方，您也可以指定自訂的端點。
 migrate_options_lfs_endpoint.description.local=同時也支援本地伺服器路徑。
-migrate_items=遷移項目
-migrate_items_wiki=Wiki
-migrate_items_milestones=里程碑
-migrate_items_labels=標籤
-migrate_items_issues=問題
-migrate_items_pullrequests=合併請求
-migrate_items_merge_requests=合併請求
-migrate_items_releases=版本發布
 migrate_repo=遷移儲存庫
 migrate.clone_address=從 URL 遷移 / Clone
 migrate.clone_address_desc=現有儲存庫的 HTTP(S) 或 Git 「clone」 URL
@@ -1158,14 +1150,6 @@ migrate.migrate=從 %s 遷移
 migrate.migrating=正在從 <b>%s</b> 遷移…
 migrate.migrating_failed=從 <b>%s</b> 遷移失敗。
 migrate.migrating_failed_no_addr=遷移失敗。
-migrate.migrating_git=正在遷移 Git 資料
-migrate.migrating_topics=正在遷移主題
-migrate.migrating_milestones=正在遷移里程碑
-migrate.migrating_labels=正在遷移標籤
-migrate.migrating_releases=正在遷移版本發佈
-migrate.migrating_issues=正在遷移問題
-migrate.migrating_pulls=正在遷移合併請求
-
 mirror_from=鏡像自
 forked_from=分叉自
 generated_from=產生自
@@ -2447,7 +2431,6 @@ tree_path_not_found.branch = 路徑 %[1]s 不存在於分支 %[2]s 中
 transfer.no_permission_to_accept = 您沒有權限接受這項轉讓。
 archive.title = 這個儲存庫已被封存。您可以檢視其中的檔案或拓製儲存庫，但您無法提交推送和創建新議題、合併請求或評論。
 archive.title_date = 這個儲存庫在 %s 被封存了。您可以檢視其中的檔案或拓製儲存庫，但您無法提交推送和創建新議題、合併請求或評論。
-migrate.cancel_migrating_title = 取消遷移
 executable_file = 可執行檔
 all_branches = 所有分支
 object_format_helper = 儲存庫的物件格式。一旦設定便無法更改。SHA1 的相容性最好。
@@ -2459,7 +2442,6 @@ admin.manage_flags = 管理旗標
 visibility_helper = 將儲存庫設為私有
 mirror_address_url_invalid = 提供的網址無效。必須確保正確的跳脫（escape）此網址的每個部份。
 migrate.migrating_failed.error = 遷移失敗：%s
-migrate.cancel_migrating_confirm = 您確定要取消這次的遷移嗎？
 invisible_runes_header = `此檔案內含不可見的 Unicode 字元`
 ambiguous_runes_header = `這個檔案內含模棱兩可的 Unicode 字元`
 rss.must_be_on_branch = 您必須在一個分支上才能訂閱 RSS。
@@ -2478,17 +2460,11 @@ generated = 自動生成的
 object_format = 物件格式
 open_with_editor = 用 %s 打開
 stars = 星星
-n_tag_few = %s 個標籤
 migrate_options_lfs_endpoint.placeholder =如果留空，將利用拓製 URL 推導出 endpoint
 signing.wont_sign.nokey = 這個站點沒有可以用來簽署的金鑰。
-n_branch_few = %s 條分支
-n_tag_one = %s 個標籤
 settings.transfer.button = 轉移所有權
 settings.transfer.modal.title = 轉移所有權
 commits.view_path = 在歷史中檢視這個時間點
-n_commit_one = %s 個提交
-n_commit_few = %s 個提交
-n_branch_one = %s 條分支
 commits.search_branch = 此分支
 commits.browse_further = 進一步瀏覽
 commits.renamed_from = 自 %s 重新命名
@@ -2629,8 +2605,6 @@ milestones.new_subheader = 里程碑可以幫助你組織問題並追蹤其進
 comments.edit.already_changed = 無法儲存對評論的變更。內容似乎已被其他使用者變更。請重新整理頁面並再次嘗試編輯以避免覆蓋其變更
 activity.published_prerelease_label = 預發行
 no_eol.tooltip = 此檔案不包含行尾字元。
-n_release_one = %s 發行
-n_release_few = %s 發行
 no_eol.text = 無檔案結尾符
 issues.all_title = 全部
 mirror_public_key = 公共 SSH 金鑰
diff --git a/options/locale_next/locale_ar.json b/options/locale_next/locale_ar.json
index 6eb05e75c4..7861f67193 100644
--- a/options/locale_next/locale_ar.json
+++ b/options/locale_next/locale_ar.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s إيداع",
+		"other": "%s إيداعات"
+	},
+	"counters.n_branches": {
+		"one": "%s فرع",
+		"other": "%s فروع"
+	},
+	"counters.n_tags": {
+		"one": "%s علامة",
+		"other": "‪%s علامات"
+	},
+	"counters.n_releases": {
+		"one": "%s إصدار",
+		"other": "%s إصدارات"
+	},
 	"actions.actions": "الإجراءات",
 	"actions.status.unknown": "مجهول",
 	"actions.status.waiting": "ينتظر",
@@ -254,6 +270,23 @@
 	"migrate.gitbucket.description": "ترحيل البيانات من مثيلات GitBucket.",
 	"migrate.codebase.description": "ترحيل البيانات من codebasehq.com.",
 	"migrate.forgejo.description": "ترحيل المعلومات من كودبيرج أو خوادم فورجيو الأخرى.",
+	"migrate.items.label": "عناصر الترحيل",
+	"migrate.items.wiki": "الموسوعة",
+	"migrate.items.milestones": "أهداف",
+	"migrate.items.labels": "تصنيفات",
+	"migrate.items.issues": "البلاغات",
+	"migrate.items.pull_requests": "طلبات السحب",
+	"migrate.items.merge_requests": "طلبات الدمج",
+	"migrate.items.releases": "الإصدارات",
+	"migrate.in_progress.git": "ترحيل بيانات Git",
+	"migrate.in_progress.topics": "ترحيل المواضيع",
+	"migrate.in_progress.milestones": "ترحيل الأهداف",
+	"migrate.in_progress.labels": "ترحيل الوسوم",
+	"migrate.in_progress.releases": "ترحيل الإصدارات",
+	"migrate.in_progress.issues": "ترحيل البلاغات",
+	"migrate.in_progress.pulls": "ترحيل طلبات السحب",
+	"migrate.cancel.title": "إلغاء الترحيل",
+	"migrate.cancel.confirmation": "تريد إلغاء عملية الترحيل هذه؟",
 	"user.ghost.tooltip": "تم حذف هذا المستخدم أو لا يمكن مطابقته.",
 	"migrate.form.error.url_credentials": "يحتوي عنوان الرابط على بيانات اعتماد، ضعها في حقلي اسم المستخدم وكلمة المرور على التوالي",
 	"pulse.n_active_issues": {
diff --git a/options/locale_next/locale_bg.json b/options/locale_next/locale_bg.json
index 2525e1c239..625961ffca 100644
--- a/options/locale_next/locale_bg.json
+++ b/options/locale_next/locale_bg.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s подаване",
+		"other": "%s подавания"
+	},
+	"counters.n_branches": {
+		"one": "%s клон",
+		"other": "%s клона"
+	},
+	"counters.n_tags": {
+		"one": "%s маркер",
+		"other": "%s маркера"
+	},
+	"counters.n_releases": {
+		"one": "%s издание",
+		"other": "%s издания"
+	},
 	"actions.actions": "Действия",
 	"actions.status.unknown": "Неизвестно",
 	"actions.status.waiting": "Изчаква се",
@@ -283,6 +299,23 @@
 	"migrate.gitbucket.description": "Мигриране на данни от GitBucket инстанции.",
 	"migrate.codebase.description": "Мигриране на данни от codebasehq.com.",
 	"migrate.forgejo.description": "Мигриране на данни от codeberg.org или други Forgejo инстанции.",
+	"migrate.items.label": "Елементи за мигриране",
+	"migrate.items.wiki": "Уики",
+	"migrate.items.milestones": "Етапи",
+	"migrate.items.labels": "Етикети",
+	"migrate.items.issues": "Задачи",
+	"migrate.items.pull_requests": "Заявки за сливане",
+	"migrate.items.merge_requests": "Заявки за сливане",
+	"migrate.items.releases": "Издания",
+	"migrate.in_progress.git": "Мигриране на Git данни",
+	"migrate.in_progress.topics": "Мигриране на теми",
+	"migrate.in_progress.milestones": "Мигриране на етапи",
+	"migrate.in_progress.labels": "Мигриране на етикети",
+	"migrate.in_progress.releases": "Мигриране на издания",
+	"migrate.in_progress.issues": "Мигриране на задачи",
+	"migrate.in_progress.pulls": "Мигриране на заявки за сливане",
+	"migrate.cancel.title": "Отказ от миграцията",
+	"migrate.cancel.confirmation": "Искате ли да откажете тази миграция?",
 	"keys.ssh.link": "SSH ключове",
 	"feed.atom.link": "Atom емисия",
 	"keys.gpg.link": "GPG ключове",
diff --git a/options/locale_next/locale_ca.json b/options/locale_next/locale_ca.json
index 1fd3ede667..989e404f46 100644
--- a/options/locale_next/locale_ca.json
+++ b/options/locale_next/locale_ca.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s commit",
+		"other": "%s commits"
+	},
+	"counters.n_branches": {
+		"one": "Branca %s",
+		"other": "Branques %s"
+	},
+	"counters.n_tags": {
+		"one": "Etiqueta %s",
+		"other": "Etiquetes %s"
+	},
+	"counters.n_releases": {
+		"one": "Publicació %s",
+		"other": "Publicacions %s"
+	},
 	"fork.n_forks": {
 		"one": "%s fork",
 		"many": "%s forks",
@@ -65,6 +81,23 @@
 	"migrate.gitbucket.description": "Migrar dades d'instàncies de GitBucket.",
 	"migrate.codebase.description": "Migrar dades de codebasehq.com.",
 	"migrate.forgejo.description": "Migrar dades de codeberg.org o d'altres instàncies de Forgejo.",
+	"migrate.items.label": "Elements de migració",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Fites",
+	"migrate.items.labels": "Etiquetes",
+	"migrate.items.issues": "Problemes",
+	"migrate.items.pull_requests": "Pull requests",
+	"migrate.items.merge_requests": "Sol·licituds de fusió",
+	"migrate.items.releases": "Publicacions",
+	"migrate.in_progress.git": "Migrant dades Git",
+	"migrate.in_progress.topics": "Migrant tòpics",
+	"migrate.in_progress.milestones": "Migrant fites",
+	"migrate.in_progress.labels": "Migrant etiquetes",
+	"migrate.in_progress.releases": "Migrant publicacions",
+	"migrate.in_progress.issues": "Migrant problemes",
+	"migrate.in_progress.pulls": "Migrant «pull requests»",
+	"migrate.cancel.title": "Cancel·la la migració",
+	"migrate.cancel.confirmation": "Voleu cancel·lar aquesta migració?",
 	"repo.issue_indexer.title": "Indexador d'incidències",
 	"repo.settings.push_mirror.branch_filter.label": "Filtre de branca (opcional)",
 	"incorrect_root_url": "Aquesta instància de Forejo està configurada per ser servida a \"%s\". Actualment esteu veient Forgejo des d'una URL diferent, la qual cosa pot provocar que algunes parts de l'aplicació no funcionin correctament. Els administradors de Forgejo controlen l'URL canònica mitjançant el paràmetre ROOT_URL a app.ini.",
diff --git a/options/locale_next/locale_cs-CZ.json b/options/locale_next/locale_cs-CZ.json
index 74e66831e9..7acc2453d8 100644
--- a/options/locale_next/locale_cs-CZ.json
+++ b/options/locale_next/locale_cs-CZ.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s revize",
+		"other": "%s revizí"
+	},
+	"counters.n_branches": {
+		"one": "%s větev",
+		"other": "%s větví"
+	},
+	"counters.n_tags": {
+		"one": "%s značka",
+		"other": "%s značek"
+	},
+	"counters.n_releases": {
+		"one": "%s vydání",
+		"other": "%s vydání"
+	},
 	"gpg.default_key": "Podepsáno výchozím klíčem",
 	"gpg.error.extract_sign": "Nepodařilo se získat podpis",
 	"gpg.error.generate_hash": "Nepodařilo se vygenerovat hash revize",
@@ -334,6 +350,23 @@
 	"migrate.gitbucket.description": "Migrovat data z instancí GitBucket.",
 	"migrate.codebase.description": "Migrovat data z codebasehq.com.",
 	"migrate.forgejo.description": "Migrovat data z codeberg.org nebo jiných instancí Forgejo.",
+	"migrate.items.label": "Položky pro migrování",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Milníky",
+	"migrate.items.labels": "Štítky",
+	"migrate.items.issues": "Problémy",
+	"migrate.items.pull_requests": "Žádosti o sloučení",
+	"migrate.items.merge_requests": "Sloučit žádosti",
+	"migrate.items.releases": "Vydání",
+	"migrate.in_progress.git": "Migrace dat z Gitu",
+	"migrate.in_progress.topics": "Migrace témat",
+	"migrate.in_progress.milestones": "Migrace milníků",
+	"migrate.in_progress.labels": "Migrace štítků",
+	"migrate.in_progress.releases": "Migrace vydání",
+	"migrate.in_progress.issues": "Migrace problémů",
+	"migrate.in_progress.pulls": "Migrace žádostí o sloučení",
+	"migrate.cancel.title": "Zrušit migraci",
+	"migrate.cancel.confirmation": "Chcete zrušit tuto migraci?",
 	"admin.config.security": "Nastavení zabezpečení",
 	"admin.config.global_2fa_requirement.title": "Globální požadavek dvoufázového ověření",
 	"error.must_enable_2fa": "Tato instance Forgejo vyžaduje, aby si všichni uživatelé zapnuli dvoufázové ověření, než začnou používat svůj účet. Povolíte jej zde: %s",
diff --git a/options/locale_next/locale_da.json b/options/locale_next/locale_da.json
index 949283dc56..3244a0cc7c 100644
--- a/options/locale_next/locale_da.json
+++ b/options/locale_next/locale_da.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s commit",
+		"other": "%s commits"
+	},
+	"counters.n_branches": {
+		"one": "%s gren",
+		"other": "%s grene"
+	},
+	"counters.n_tags": {
+		"one": "%s tag",
+		"other": "%s tags"
+	},
+	"counters.n_releases": {
+		"one": "%s udgivelse",
+		"other": "%s udgivelser"
+	},
 	"actions.actions": "Handlinger",
 	"actions.status.unknown": "Ukendt",
 	"actions.status.waiting": "Venter",
@@ -353,6 +369,23 @@
 	"migrate.gitbucket.description": "Migrer data fra GitBucket-instanser.",
 	"migrate.codebase.description": "Migrer data fra codebasehq.com.",
 	"migrate.forgejo.description": "Migrer data fra codeberg.org eller andre Forgejo-instanser.",
+	"migrate.items.label": "Migration Elementer",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Milepæle",
+	"migrate.items.labels": "Etiketter",
+	"migrate.items.issues": "Problemmer",
+	"migrate.items.pull_requests": "Pull-anmodninger",
+	"migrate.items.merge_requests": "Flet anmodninger",
+	"migrate.items.releases": "Udgivelser",
+	"migrate.in_progress.git": "Migrering af Git-data",
+	"migrate.in_progress.topics": "Migrering af emner",
+	"migrate.in_progress.milestones": "Migrerende milepæle",
+	"migrate.in_progress.labels": "Migrering af etiketter",
+	"migrate.in_progress.releases": "Migrering af udgivelser",
+	"migrate.in_progress.issues": "Migrering af problemer",
+	"migrate.in_progress.pulls": "Migrering af pull-anmodninger",
+	"migrate.cancel.title": "Annuller migrering",
+	"migrate.cancel.confirmation": "Vil du annullere denne migrering?",
 	"pulse.n_active_issues": {
 		"one": "%s aktivt problem",
 		"other": "%s aktive problemer"
diff --git a/options/locale_next/locale_de-DE.json b/options/locale_next/locale_de-DE.json
index 253b3188c7..af1132e371 100644
--- a/options/locale_next/locale_de-DE.json
+++ b/options/locale_next/locale_de-DE.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s Commit",
+		"other": "%s Commits"
+	},
+	"counters.n_branches": {
+		"one": "%s Branch",
+		"other": "%s Branches"
+	},
+	"counters.n_tags": {
+		"one": "%s Tag",
+		"other": "%s Tags"
+	},
+	"counters.n_releases": {
+		"one": "%s freigegeben",
+		"other": "%s Veröffentlichungen"
+	},
 	"gpg.default_key": "Mit Standardschlüssel signiert",
 	"gpg.error.extract_sign": "Die Signatur konnte nicht extrahiert werden",
 	"gpg.error.generate_hash": "Es konnte kein Hash vom Commit generiert werden",
@@ -317,6 +333,23 @@
 	"migrate.gitbucket.description": "Daten von GitBucket-Instanzen migrieren.",
 	"migrate.codebase.description": "Daten von codebasehq.com migrieren.",
 	"migrate.forgejo.description": "Daten von codeberg.org oder anderen Forgejo-Instanzen migrieren.",
+	"migrate.items.label": "Migrationselemente",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Meilensteine",
+	"migrate.items.labels": "Labels",
+	"migrate.items.issues": "Issues",
+	"migrate.items.pull_requests": "Pull-Requests",
+	"migrate.items.merge_requests": "Merge-Requests",
+	"migrate.items.releases": "Releases",
+	"migrate.in_progress.git": "Git-Daten werden migriert",
+	"migrate.in_progress.topics": "Themen werden migriert",
+	"migrate.in_progress.milestones": "Meilensteine werden migriert",
+	"migrate.in_progress.labels": "Labels werden migriert",
+	"migrate.in_progress.releases": "Releases werden migriert",
+	"migrate.in_progress.issues": "Issues werden migriert",
+	"migrate.in_progress.pulls": "Pull-Requests werden migriert",
+	"migrate.cancel.title": "Migration abbrechen",
+	"migrate.cancel.confirmation": "Möchtest du diese Migration abbrechen?",
 	"repo.pulls.already_merged": "Zusammenführung fehlgeschlagen. Der Pull-Request wurde bereits zusammengeführt.",
 	"migrate.pagure.incorrect_url": "Falsche Quellrepository-URL wurde angegeben",
 	"migrate.pagure.project_example": "Die URL des Pagure-Projekts, z. B. https://pagure.io/pagure",
diff --git a/options/locale_next/locale_el-GR.json b/options/locale_next/locale_el-GR.json
index b83629006d..e755e6d90a 100644
--- a/options/locale_next/locale_el-GR.json
+++ b/options/locale_next/locale_el-GR.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s υποβολή",
+		"other": "%s υποβολές"
+	},
+	"counters.n_branches": {
+		"one": "%s κλάδος",
+		"other": "%s κλάδοι"
+	},
+	"counters.n_tags": {
+		"one": "%s ετικέτα",
+		"other": "%s ετικέτες"
+	},
+	"counters.n_releases": {
+		"one": "%s κυκλοφορία",
+		"other": "%s κυκλοφορίες"
+	},
 	"gpg.default_key": "Υπογραφή με το προεπιλεγμένο κλειδί",
 	"gpg.error.extract_sign": "Αποτυχία εξαγωγής υπογραφής",
 	"gpg.error.generate_hash": "Αποτυχία δημιουργίας hash της υποβολής",
@@ -224,6 +240,23 @@
 	"migrate.gitbucket.description": "Μεταφορά δεδομένων από διακομιστές GitBucket.",
 	"migrate.codebase.description": "Μεταφορά δεδομένων από το codebasehq.com.",
 	"migrate.forgejo.description": "Μεταφορά δεδομένων από το codeberg.org ή άλλων υπηρεσιών Forgejo.",
+	"migrate.items.label": "Αντικείμενα μεταφοράς",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Ορόσημα",
+	"migrate.items.labels": "Σήματα",
+	"migrate.items.issues": "Ζητήματα",
+	"migrate.items.pull_requests": "Pull requests",
+	"migrate.items.merge_requests": "Merge requests",
+	"migrate.items.releases": "Κυκλοφορίες",
+	"migrate.in_progress.git": "Τα δεδομένα Git μεταφέρονται",
+	"migrate.in_progress.topics": "Τα θέματα μεταφέρονται",
+	"migrate.in_progress.milestones": "Τα ορόσημα μεταφέρονται",
+	"migrate.in_progress.labels": "Τα σήματα μεταφέρονται",
+	"migrate.in_progress.releases": "Οι κυκλοφορίες μεταφέρονται",
+	"migrate.in_progress.issues": "Τα ζητήματα μεταφέρονται",
+	"migrate.in_progress.pulls": "Μεταφέρονται τα pull requests",
+	"migrate.cancel.title": "Ακύρωση μεταφοράς",
+	"migrate.cancel.confirmation": "Θέλετε να ακυρώσετε αυτή τη μεταφορά;",
 	"relativetime.future": "στο μέλλον",
 	"relativetime.now": "τώρα",
 	"repo.form.cannot_create": "Όλοι οι χώροι που μπορείτε να δημιουργήσετε αποθετήρια έχουν φτάσει στο μέγιστο όριο αποθετηρίων.",
diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index 643b1388f5..c0ed083b66 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -88,6 +88,7 @@
 	"repo.pulls.maintainers_cannot_edit": "Maintainers cannot edit this pull request.",
 	"repo.form.cannot_create": "All spaces in which you can create repositories have reached the limit of repositories.",
 	"repo.view.gitmodules_too_large": "The .gitmodules file is too large and will be ignored (on API calls for instance)",
+	"migrate.select.title": "Migrate repository",
 	"migrate.form.error.url_credentials": "The URL contains credentials, put them in the username and password fields respectively",
 	"migrate.github.description": "Migrate data from github.com or GitHub Enterprise server.",
 	"migrate.git.description": "Migrate a repository only from any Git service.",
@@ -98,6 +99,23 @@
 	"migrate.gitbucket.description": "Migrate data from GitBucket instances.",
 	"migrate.codebase.description": "Migrate data from codebasehq.com.",
 	"migrate.forgejo.description": "Migrate data from codeberg.org or other Forgejo instances.",
+	"migrate.items.label": "Migration items",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Milestones",
+	"migrate.items.labels": "Labels",
+	"migrate.items.issues": "Issues",
+	"migrate.items.pull_requests": "Pull requests",
+	"migrate.items.merge_requests": "Merge requests",
+	"migrate.items.releases": "Releases",
+	"migrate.in_progress.git": "Migrating Git data",
+	"migrate.in_progress.topics": "Migrating topics",
+	"migrate.in_progress.milestones": "Migrating milestones",
+	"migrate.in_progress.labels": "Migrating labels",
+	"migrate.in_progress.releases": "Migrating releases",
+	"migrate.in_progress.issues": "Migrating issues",
+	"migrate.in_progress.pulls": "Migrating pull requests",
+	"migrate.cancel.title": "Cancel migration",
+	"migrate.cancel.confirmation": "Do you want to cancel this migration?",
 	"repo.issue_indexer.title": "Issue Indexer",
 	"search.milestone_kind": "Search milestones…",
 	"search.syntax": "Search syntax",
@@ -257,6 +275,22 @@
 	"munits.data.tib": "TiB",
 	"munits.data.pib": "PiB",
 	"munits.data.eib": "EiB",
+	"counters.n_commits": {
+		"one": "%s commit",
+		"other": "%s commits"
+	},
+	"counters.n_branches": {
+		"one": "%s branch",
+		"other": "%s branches"
+	},
+	"counters.n_tags": {
+		"one": "%s tag",
+		"other": "%s tags"
+	},
+	"counters.n_releases": {
+		"one": "%s release",
+		"other": "%s releases"
+	},
 	"packages.title": "Packages",
 	"packages.empty": "There are no packages yet.",
 	"packages.empty.documentation": "For more information on the package registry, see <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">the documentation</a>.",
diff --git a/options/locale_next/locale_eo.json b/options/locale_next/locale_eo.json
index 20d9f4515c..721b708a63 100644
--- a/options/locale_next/locale_eo.json
+++ b/options/locale_next/locale_eo.json
@@ -52,6 +52,9 @@
 	"migrate.gitbucket.description": "Migrigi datumojn el GitBucket instancoj.",
 	"migrate.codebase.description": "Migrigi datumojn el codebasehq.com.",
 	"migrate.forgejo.description": "Migrigi datumojn el codeberg.org aŭ aliaj Forgejo instancoj.",
+	"migrate.items.pull_requests": "Tirpetoj",
+	"migrate.items.releases": "Eldonoj",
+	"migrate.in_progress.pulls": "Migrante tirpetojn",
 	"repo.settings.push_mirror.branch_filter.label": "Branĉa filtrilo (malnepra)",
 	"themes.names.forgejo-auto": "Forgejo (konformi kun sistema etoso)",
 	"themes.names.forgejo-light": "Forgejo hela",
diff --git a/options/locale_next/locale_es-ES.json b/options/locale_next/locale_es-ES.json
index fff792b714..1d39325ed3 100644
--- a/options/locale_next/locale_es-ES.json
+++ b/options/locale_next/locale_es-ES.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s commit",
+		"other": "%s commits"
+	},
+	"counters.n_branches": {
+		"one": "%s rama",
+		"other": "%s ramas"
+	},
+	"counters.n_tags": {
+		"one": "%s etiqueta",
+		"other": "%s etiquetas"
+	},
+	"counters.n_releases": {
+		"one": "%s lanzamiento",
+		"other": "%s versiones"
+	},
 	"actions.actions": "Acciones",
 	"actions.status.unknown": "Desconocido",
 	"actions.status.waiting": "Esperando",
@@ -355,6 +371,23 @@
 	"migrate.gitbucket.description": "Migrar datos de instancias de GitBucket.",
 	"migrate.codebase.description": "Migrar datos desde codebasehq.com.",
 	"migrate.forgejo.description": "Migrar datos desde codeberg.org u otras instancias de Forgejo.",
+	"migrate.items.label": "Objetos de migración",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Hitos",
+	"migrate.items.labels": "Etiquetas",
+	"migrate.items.issues": "Incidencias",
+	"migrate.items.pull_requests": "Solicitudes de extracción",
+	"migrate.items.merge_requests": "Solicitudes de fusión",
+	"migrate.items.releases": "Lanzamientos",
+	"migrate.in_progress.git": "Migrando datos de Git",
+	"migrate.in_progress.topics": "Migrando temas",
+	"migrate.in_progress.milestones": "Migrando hitos",
+	"migrate.in_progress.labels": "Migrando etiquetas",
+	"migrate.in_progress.releases": "Migrar versiones",
+	"migrate.in_progress.issues": "Migrando incidencias",
+	"migrate.in_progress.pulls": "Migrando solicitudes de incorporación de cambios",
+	"migrate.cancel.title": "Cancelar la migración",
+	"migrate.cancel.confirmation": "¿Quiere cancelar esta migración?",
 	"moderation.abuse_category.spam": "Spam",
 	"pulse.n_active_issues": {
 		"one": "%s incidencia activa",
diff --git a/options/locale_next/locale_et.json b/options/locale_next/locale_et.json
index 884f7da179..d7138925cf 100644
--- a/options/locale_next/locale_et.json
+++ b/options/locale_next/locale_et.json
@@ -1,4 +1,8 @@
 {
+	"counters.n_branches": {
+		"one": "%s alamharu",
+		"other": "%s alamharu"
+	},
 	"packages.alpine.repository.branches": "Alamharud",
 	"stars.n_stars": {
 		"one": "%s tärn",
diff --git a/options/locale_next/locale_fa-IR.json b/options/locale_next/locale_fa-IR.json
index 72dec1fc85..75190f2fbf 100644
--- a/options/locale_next/locale_fa-IR.json
+++ b/options/locale_next/locale_fa-IR.json
@@ -52,6 +52,21 @@
 	"migrate.onedev.description": "مهاجرت داده از code.onedev.io یا پیاده‌سازی‌های دیگر OneDev.",
 	"migrate.gitbucket.description": "مهاجرت داده از نمونه های GitBucket",
 	"migrate.codebase.description": "مهاجر داده ها از codebasehq.com.",
+	"migrate.items.label": "مولفه های مهاجرت",
+	"migrate.items.wiki": "دانشنامه",
+	"migrate.items.milestones": "نقاط عطف",
+	"migrate.items.labels": "برچسب‌ها",
+	"migrate.items.issues": "مسائل",
+	"migrate.items.pull_requests": "تقاضاهای واکشی",
+	"migrate.items.merge_requests": "تقاضاهای واکشی",
+	"migrate.items.releases": "انتشارها",
+	"migrate.in_progress.git": "انتقال داده های Git",
+	"migrate.in_progress.topics": "موضوعات مهاجرت",
+	"migrate.in_progress.milestones": "نقاط عطف مهاجرت",
+	"migrate.in_progress.labels": "برچسب های مهاجرت",
+	"migrate.in_progress.releases": "انتشارات مهاجرت",
+	"migrate.in_progress.issues": "مشکلات مهاجرت",
+	"migrate.in_progress.pulls": "مهاجرت درخواست های pull",
 	"pulse.n_active_issues": {
 		"one": "%s مسئله فعال",
 		"other": "%s مسئله فعال"
diff --git a/options/locale_next/locale_fi-FI.json b/options/locale_next/locale_fi-FI.json
index e2862e49a2..7993d9ae12 100644
--- a/options/locale_next/locale_fi-FI.json
+++ b/options/locale_next/locale_fi-FI.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s kommitti",
+		"other": "%s kommittia"
+	},
+	"counters.n_branches": {
+		"one": "%s haara",
+		"other": "%s haaraa"
+	},
+	"counters.n_tags": {
+		"one": "%s tagi",
+		"other": "%s tagia"
+	},
+	"counters.n_releases": {
+		"one": "%s julkaisu",
+		"other": "%s julkaisua"
+	},
 	"gpg.default_key": "Allekirjoitettu oletusavaimella",
 	"gpg.error.extract_sign": "Allekirjoituksen purkaminen epäonnistui",
 	"gpg.error.generate_hash": "Kommitin tiivisteen luominen epäonnistui",
@@ -284,6 +300,23 @@
 	"migrate.gitbucket.description": "Tee migraatio GitBucket-instansseista.",
 	"migrate.codebase.description": "Tee migraatio codebasehq.comista.",
 	"migrate.forgejo.description": "Tee migraatio codeberg.orgista tai muista Forgejo-instansseista.",
+	"migrate.items.label": "Migraation kohteet",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Merkkipaalut",
+	"migrate.items.labels": "Nimilaput",
+	"migrate.items.issues": "Ongelmat",
+	"migrate.items.pull_requests": "Vetopyynnöt",
+	"migrate.items.merge_requests": "Yhdistämispyynnöt",
+	"migrate.items.releases": "Julkaisut",
+	"migrate.in_progress.git": "Suoritetaan Git-datan migraatiota",
+	"migrate.in_progress.topics": "Suoritetaan aiheiden migraatiota",
+	"migrate.in_progress.milestones": "Suoritetaan merkkipaalujen migraatiota",
+	"migrate.in_progress.labels": "Suoritetaan nimilappujen migraatiota",
+	"migrate.in_progress.releases": "Suoritetaan julkaisujen migraatiota",
+	"migrate.in_progress.issues": "Suoritetaan ongelmien migraatiota",
+	"migrate.in_progress.pulls": "Suoritetaan vetopyyntöjen migraatiota",
+	"migrate.cancel.title": "Peruuta migraatio",
+	"migrate.cancel.confirmation": "Haluatko perua tämän migraation?",
 	"moderation.report_abuse_form.invalid": "Virheelliset argumentit",
 	"admin.config.security": "Turvallisuusasetukset",
 	"admin.config.global_2fa_requirement.title": "Globaali kaksivaiheisen tunnistuksen vaatimus",
diff --git a/options/locale_next/locale_fil.json b/options/locale_next/locale_fil.json
index 8f9949cd30..1319c71f64 100644
--- a/options/locale_next/locale_fil.json
+++ b/options/locale_next/locale_fil.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s commit",
+		"other": "%s mga commit"
+	},
+	"counters.n_branches": {
+		"one": "%s branch",
+		"other": "%s mga branch"
+	},
+	"counters.n_tags": {
+		"one": "%s tag",
+		"other": "%s mga tag"
+	},
+	"counters.n_releases": {
+		"one": "%s release",
+		"other": "%s mga release"
+	},
 	"gpg.default_key": "Naka-sign gamit ang default key",
 	"gpg.error.extract_sign": "Nabigong i-extract ang signature",
 	"gpg.error.generate_hash": "Nabigong i-generate ang hash ng commit",
@@ -323,6 +339,23 @@
 	"migrate.gitbucket.description": "Mag-migrate ng data mula sa mga GitBucket na instansya.",
 	"migrate.codebase.description": "Mag-migrate ng data mula sa codebasehq.com.",
 	"migrate.forgejo.description": "Mag-migrate ng data mula sa codeberg.org o iba pang mga Forgejo na instansya.",
+	"migrate.items.label": "Mga item sa pagmigrate",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Mga milestone",
+	"migrate.items.labels": "Mga label",
+	"migrate.items.issues": "Mga isyu",
+	"migrate.items.pull_requests": "Mga hiling sa paghila",
+	"migrate.items.merge_requests": "Mga merge request",
+	"migrate.items.releases": "Mga paglabas",
+	"migrate.in_progress.git": "Nililipat ang Git data",
+	"migrate.in_progress.topics": "Nililipat ang mga paksa",
+	"migrate.in_progress.milestones": "Nililipat ang mga milestone",
+	"migrate.in_progress.labels": "Nililipat ang mga label",
+	"migrate.in_progress.releases": "Nililipat ang mga paglabas",
+	"migrate.in_progress.issues": "Nililipat ang mga isyu",
+	"migrate.in_progress.pulls": "Nililipat ang mga pull request",
+	"migrate.cancel.title": "Kanselahin ang pag-migrate",
+	"migrate.cancel.confirmation": "Gusto mo bang kanselahin ang migration na ito?",
 	"admin.config.security": "Pagsasaayos sa seguridad",
 	"error.must_enable_2fa": "Kinakailangan ng instansyang ito na ang mga user ay paganahin ang authentikasyong two-factor bago nila i-access ang kani-kanilang account. Paganahin ito sa: %s",
 	"admin.config.global_2fa_requirement.title": "Global na pangangailangan ng two-factor",
diff --git a/options/locale_next/locale_fr-FR.json b/options/locale_next/locale_fr-FR.json
index d80cb70025..84e53d0311 100644
--- a/options/locale_next/locale_fr-FR.json
+++ b/options/locale_next/locale_fr-FR.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s commit",
+		"other": "%s commits"
+	},
+	"counters.n_branches": {
+		"one": "%s branch",
+		"other": "%s branches"
+	},
+	"counters.n_tags": {
+		"one": "%s étiquettes",
+		"other": "%s étiquettes"
+	},
+	"counters.n_releases": {
+		"one": "%s publication",
+		"other": "%s publications"
+	},
 	"gpg.default_key": "Signé avec la clé par défaut",
 	"gpg.error.extract_sign": "Impossible d'extraire la signature",
 	"gpg.error.generate_hash": "Impossible de générer la chaine de hachage de la révision",
@@ -326,6 +342,23 @@
 	"migrate.gitbucket.description": "Migrer les données depuis des instances GitBucket.",
 	"migrate.codebase.description": "Migrer les données depuis codebasehq.com.",
 	"migrate.forgejo.description": "Migrer les données depuis codeberg.org ou une autre instance Forgejo.",
+	"migrate.items.label": "Éléments à migrer",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Jalons",
+	"migrate.items.labels": "Labels",
+	"migrate.items.issues": "Tickets",
+	"migrate.items.pull_requests": "Demandes d'ajout",
+	"migrate.items.merge_requests": "Demandes de fusion",
+	"migrate.items.releases": "Publications",
+	"migrate.in_progress.git": "Migration des données Git",
+	"migrate.in_progress.topics": "Migration des sujets",
+	"migrate.in_progress.milestones": "Migration des jalons",
+	"migrate.in_progress.labels": "Migration des labels",
+	"migrate.in_progress.releases": "Migration des publications",
+	"migrate.in_progress.issues": "Migration des tickets",
+	"migrate.in_progress.pulls": "Migration des demandes d'ajout",
+	"migrate.cancel.title": "Annuler la migration",
+	"migrate.cancel.confirmation": "Voulez-vous abandonner cette migration ?",
 	"admin.dashboard.remove_resolved_reports": "Supprimer les signalements résolus",
 	"admin.auths.allow_username_change": "Autoriser le changement de nom d'utilisateur",
 	"admin.auths.allow_username_change.description": "Autoriser les utilisateurs à changer leur nom d'utilisateur dans les paramètres du profil",
diff --git a/options/locale_next/locale_ga.json b/options/locale_next/locale_ga.json
index 4943232f8c..f41ecfb09f 100644
--- a/options/locale_next/locale_ga.json
+++ b/options/locale_next/locale_ga.json
@@ -151,6 +151,23 @@
 	"migrate.onedev.description": "Imirce sonraí ó code.onedev.io nó ó chásanna OneDev eile.",
 	"migrate.gitbucket.description": "Imirce sonraí ó chásanna GitBucket.",
 	"migrate.codebase.description": "Imirce sonraí ó codebasehq.com.",
+	"migrate.items.label": "Míreanna Imirce",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Clocha míle",
+	"migrate.items.labels": "Lipéid",
+	"migrate.items.issues": "Saincheisteanna",
+	"migrate.items.pull_requests": "Iarrataí Tarraing",
+	"migrate.items.merge_requests": "Iarrataí Cumaisc",
+	"migrate.items.releases": "Eisiúintí",
+	"migrate.in_progress.git": "Sonraí Git a Aimirce",
+	"migrate.in_progress.topics": "Ábhair Imirce",
+	"migrate.in_progress.milestones": "Clocha Míle a Imirce",
+	"migrate.in_progress.labels": "Lipéid Imirce",
+	"migrate.in_progress.releases": "Eisiúintí Imirce",
+	"migrate.in_progress.issues": "Saincheisteanna Imirce",
+	"migrate.in_progress.pulls": "Iarratais Tarraingthe á n-Imirce",
+	"migrate.cancel.title": "Cealaigh Imirce",
+	"migrate.cancel.confirmation": "Ar mhaith leat an imirce seo a chealú?",
 	"pulse.n_active_issues": {
 		"one": "%s saincheist ghníomhach",
 		"two": "%s saincheisteanna ghníomhach",
diff --git a/options/locale_next/locale_he.json b/options/locale_next/locale_he.json
index c06efd2497..3837b8a1de 100644
--- a/options/locale_next/locale_he.json
+++ b/options/locale_next/locale_he.json
@@ -18,6 +18,17 @@
 	"migrate.gitbucket.description": "יבוא מידע משרת GitBucket.",
 	"migrate.codebase.description": "ייבוא מידע מ־codebasehq.com.",
 	"migrate.forgejo.description": "ייבוא מידע מקודברג או שרת פורג'ו אחר.",
+	"migrate.items.wiki": "ויקי",
+	"migrate.items.milestones": "אבני דרך",
+	"migrate.items.labels": "תוויות",
+	"migrate.items.issues": "סוגיות",
+	"migrate.items.pull_requests": "בקשות מיזוג",
+	"migrate.items.releases": "גרסאות",
+	"migrate.in_progress.git": "ייבוא הקרפיף עצמו",
+	"migrate.in_progress.topics": "ייבוא נושאים",
+	"migrate.in_progress.milestones": "ייבוא אבני דרך",
+	"migrate.in_progress.labels": "ייבוא תוויות",
+	"migrate.in_progress.releases": "ייבוא גרסאות",
 	"home.welcome.no_activity": "אין פעילות",
 	"home.explore_users": "גלה משתמשים",
 	"home.explore_orgs": "גלה ארגונים",
diff --git a/options/locale_next/locale_hu-HU.json b/options/locale_next/locale_hu-HU.json
index 2b9b2b5181..f43220464c 100644
--- a/options/locale_next/locale_hu-HU.json
+++ b/options/locale_next/locale_hu-HU.json
@@ -1,4 +1,10 @@
 {
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Mérföldkövek",
+	"migrate.items.labels": "Címkék",
+	"migrate.items.issues": "Hibajegyek",
+	"migrate.items.pull_requests": "Pull request-ek",
+	"migrate.items.releases": "Kiadások",
 	"actions.runners.name": "Név",
 	"actions.runners.owner_type": "Típus",
 	"actions.runners.description": "Leírás",
diff --git a/options/locale_next/locale_id-ID.json b/options/locale_next/locale_id-ID.json
index 5f0ab19bf1..db7579d252 100644
--- a/options/locale_next/locale_id-ID.json
+++ b/options/locale_next/locale_id-ID.json
@@ -59,6 +59,12 @@
 	"migrate.gitbucket.description": "Migrasikan data dari instance GitBucket.",
 	"migrate.codebase.description": "Migrasikan data dari codebasehq.com.",
 	"migrate.forgejo.description": "Migrasikan data dari codeberg.org atau instance Forgejo lainnya.",
+	"migrate.items.label": "Ihwal Migrasi",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Tonggak",
+	"migrate.items.issues": "Masalah",
+	"migrate.items.pull_requests": "Tarik Permintaan",
+	"migrate.items.releases": "Rilis",
 	"repo.issue_indexer.title": "Indeks Masalah",
 	"search.milestone_kind": "Cari milestone…",
 	"repo.settings.push_mirror.branch_filter.label": "Filter cabang (opsional)",
diff --git a/options/locale_next/locale_is-IS.json b/options/locale_next/locale_is-IS.json
index ff203bc503..0b3dca401f 100644
--- a/options/locale_next/locale_is-IS.json
+++ b/options/locale_next/locale_is-IS.json
@@ -32,5 +32,13 @@
 	"packages.pypi.requires": "Þarfnast Python",
 	"repo.pulls.title_desc": "vill sameina %[1]d framlög frá <code>%[2]s</code> í <code id=\"%[4]s\">%[3]s</code>",
 	"migrate.git.description": "Flytja hugbúnaðarsafn aðeins frá Git þjónustu.",
+	"migrate.items.wiki": "Handbók",
+	"migrate.items.milestones": "Tímamót",
+	"migrate.items.labels": "Skýringar",
+	"migrate.items.issues": "Vandamál",
+	"migrate.items.pull_requests": "Sameiningarbeiðnir",
+	"migrate.items.merge_requests": "Sameiningarbeiðnir",
+	"migrate.items.releases": "Útgáfur",
+	"migrate.in_progress.labels": "Að færa Lýsingar",
 	"meta.last_line": " "
 }
diff --git a/options/locale_next/locale_it-IT.json b/options/locale_next/locale_it-IT.json
index f1fb401608..4380c58640 100644
--- a/options/locale_next/locale_it-IT.json
+++ b/options/locale_next/locale_it-IT.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s commit",
+		"other": "%s commit"
+	},
+	"counters.n_branches": {
+		"one": "%s ramo",
+		"other": "%s rami"
+	},
+	"counters.n_tags": {
+		"one": "%s etichetta",
+		"other": "%s etichette"
+	},
+	"counters.n_releases": {
+		"one": "%s rilascio",
+		"other": "%s rilasci"
+	},
 	"gpg.default_key": "Firmato con la chiave predefinita",
 	"gpg.error.extract_sign": "Impossibile ricavare la firma",
 	"gpg.error.generate_hash": "Impossibile generare hash del commit",
@@ -296,6 +312,23 @@
 	"migrate.gitbucket.description": "Migra i dati dalle istanze di GitBucket.",
 	"migrate.codebase.description": "Migrare i dati da codebasehq.com.",
 	"migrate.forgejo.description": "Migra dati da codeberg.org o da altre istanze Forgejo.",
+	"migrate.items.label": "Elementi di migrazione",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Traguardi",
+	"migrate.items.labels": "Etichette",
+	"migrate.items.issues": "Segnalazioni",
+	"migrate.items.pull_requests": "Richieste di modifica",
+	"migrate.items.merge_requests": "Richieste di fusione",
+	"migrate.items.releases": "Rilasci",
+	"migrate.in_progress.git": "Migrazione dei dati Git",
+	"migrate.in_progress.topics": "Migrazione degli argomenti",
+	"migrate.in_progress.milestones": "Migrazione dei traguardi",
+	"migrate.in_progress.labels": "Migrazione delle etichette",
+	"migrate.in_progress.releases": "Migrazione dei rilasci",
+	"migrate.in_progress.issues": "Migrazione delle segnalazioni",
+	"migrate.in_progress.pulls": "Migrazione delle richieste di modifica",
+	"migrate.cancel.title": "Annulla migrazione",
+	"migrate.cancel.confirmation": "Vuoi annullare questa migrazione?",
 	"repo.settings.push_mirror.branch_filter.label": "Filtro ramo (opzionale)",
 	"alert.range_error": " deve essere un numero tra %[1]s e %[2]s.",
 	"keys.gpg.link": "Chiavi GPG",
diff --git a/options/locale_next/locale_ja-JP.json b/options/locale_next/locale_ja-JP.json
index bc9038e648..5ad5f68868 100644
--- a/options/locale_next/locale_ja-JP.json
+++ b/options/locale_next/locale_ja-JP.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s のコミット",
+		"other": "%s のコミット"
+	},
+	"counters.n_branches": {
+		"one": "%s のブランチ",
+		"other": "%s のブランチ"
+	},
+	"counters.n_tags": {
+		"one": "%s のタグ",
+		"other": "%s のタグ"
+	},
+	"counters.n_releases": {
+		"one": "%s リリース",
+		"other": "%s リリース"
+	},
 	"actions.actions": "Actions",
 	"actions.status.unknown": "不明",
 	"actions.status.waiting": "待機中",
@@ -229,6 +245,23 @@
 	"migrate.gitbucket.description": "GitBucket インスタンスからデータを移行します。",
 	"migrate.codebase.description": "codebasehq.com からデータを移行します。",
 	"migrate.forgejo.description": "codeberg.orgまたは他のインスタンスからデータを移行する。",
+	"migrate.items.label": "移行する項目",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "マイルストーン",
+	"migrate.items.labels": "ラベル",
+	"migrate.items.issues": "イシュー",
+	"migrate.items.pull_requests": "プルリクエスト",
+	"migrate.items.merge_requests": "マージリクエスト",
+	"migrate.items.releases": "リリース",
+	"migrate.in_progress.git": "Gitデータ移行中",
+	"migrate.in_progress.topics": "トピック移行中",
+	"migrate.in_progress.milestones": "マイルストーン移行中",
+	"migrate.in_progress.labels": "ラベル移行中",
+	"migrate.in_progress.releases": "リリース移行中",
+	"migrate.in_progress.issues": "イシュー移行中",
+	"migrate.in_progress.pulls": "プルリクエスト移行中",
+	"migrate.cancel.title": "移行のキャンセル",
+	"migrate.cancel.confirmation": "この移行をキャンセルしますか？",
 	"pulse.n_active_issues": "%s件のアクティブなイシュー",
 	"pulse.n_active_prs": "%s件のアクティブなプルリクエスト",
 	"meta.last_line": " ",
diff --git a/options/locale_next/locale_ka.json b/options/locale_next/locale_ka.json
index 37fd5b4a8b..7f8a474f4e 100644
--- a/options/locale_next/locale_ka.json
+++ b/options/locale_next/locale_ka.json
@@ -1,4 +1,9 @@
 {
+	"migrate.items.wiki": "ვიკი",
+	"migrate.items.milestones": "მისაღწევი გეგმები",
+	"migrate.items.labels": "ჭდეები",
+	"migrate.items.issues": "პრობლემები",
+	"migrate.items.releases": "რელიზები",
 	"actions.actions": "ქმედებები",
 	"actions.status.unknown": "უცნობი",
 	"actions.status.waiting": "ველოდები",
diff --git a/options/locale_next/locale_kab.json b/options/locale_next/locale_kab.json
index e83f329d38..1b777db276 100644
--- a/options/locale_next/locale_kab.json
+++ b/options/locale_next/locale_kab.json
@@ -29,6 +29,9 @@
 	"admin.config.global_2fa_requirement.none": "Uhu",
 	"admin.config.global_2fa_requirement.admin": "Inedbalen",
 	"migrate.pagure.token_label": "Ajiṭun API n Pagure",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.labels": "Tibzimin",
+	"migrate.items.issues": "Uguren",
 	"home.explore_repos": "Snirem ikufan",
 	"home.explore_users": "Snirem iseqdacen",
 	"relativetime.1week": "dduṛt yezrin",
diff --git a/options/locale_next/locale_ko-KR.json b/options/locale_next/locale_ko-KR.json
index 08b746eba9..0c725dfef2 100644
--- a/options/locale_next/locale_ko-KR.json
+++ b/options/locale_next/locale_ko-KR.json
@@ -1,4 +1,9 @@
 {
+	"migrate.items.wiki": "위키",
+	"migrate.items.milestones": "마일스톤",
+	"migrate.items.issues": "이슈",
+	"migrate.items.pull_requests": "풀 리퀘스트",
+	"migrate.items.releases": "릴리즈",
 	"actions.runners.name": "이름",
 	"actions.runners.owner_type": "유형",
 	"actions.runners.description": "설명",
diff --git a/options/locale_next/locale_lv-LV.json b/options/locale_next/locale_lv-LV.json
index 30b0ea23c4..3910315bd6 100644
--- a/options/locale_next/locale_lv-LV.json
+++ b/options/locale_next/locale_lv-LV.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s iesūtījums",
+		"other": "%s iesūtījumi"
+	},
+	"counters.n_branches": {
+		"one": "%s zars",
+		"other": "%s zari"
+	},
+	"counters.n_tags": {
+		"one": "%s birka",
+		"other": "%s birkas"
+	},
+	"counters.n_releases": {
+		"one": "%s laidiens",
+		"other": "%s laidieni"
+	},
 	"gpg.default_key": "Parakstīts ar noklusējuma atslēgu",
 	"gpg.error.extract_sign": "Neizdevās izgūt parakstu",
 	"gpg.error.generate_hash": "Neizdevās izveidot iesūtījuma jaucējkodu",
@@ -333,6 +349,23 @@
 	"migrate.gitbucket.description": "Pārcelt datus no GitBucket serveriem.",
 	"migrate.codebase.description": "Pārcelt datus no codebasehq.com.",
 	"migrate.forgejo.description": "Pārcelt datus no codeberg.org vai citiem Fogejo serveriem.",
+	"migrate.items.label": "Pārcelšanas vienumi",
+	"migrate.items.wiki": "Vikivietni",
+	"migrate.items.milestones": "Atskaites punktus",
+	"migrate.items.labels": "Iezīmes",
+	"migrate.items.issues": "Pieteikumi",
+	"migrate.items.pull_requests": "Izmaiņu pieprasījumus",
+	"migrate.items.merge_requests": "Iekļaušanas pieprasījumi",
+	"migrate.items.releases": "Laidienus",
+	"migrate.in_progress.git": "Pārceļ Git datus",
+	"migrate.in_progress.topics": "Pārceļ tēmas",
+	"migrate.in_progress.milestones": "Pārceļ atskaites punktus",
+	"migrate.in_progress.labels": "Pārceļ iezīmes",
+	"migrate.in_progress.releases": "Pārceļ laidienus",
+	"migrate.in_progress.issues": "Pārnes pieteikumus",
+	"migrate.in_progress.pulls": "Pārceļ izmaiņu pieprasījumus",
+	"migrate.cancel.title": "Atcelt pārcelšanu",
+	"migrate.cancel.confirmation": "Vai atcelt šo pārcelšanu?",
 	"repo.pulls.already_merged": "Apvienošana neizdevās: šis izmaiņu pieprasījums jau ir iekļauts.",
 	"admin.config.security": "Drošības konfigurācija",
 	"settings.twofa_reenroll.description": "Atkārtoti ieslēgt savu divpakāpju autentificēšanos",
diff --git a/options/locale_next/locale_ml-IN.json b/options/locale_next/locale_ml-IN.json
index e1940e1e14..c960db3be9 100644
--- a/options/locale_next/locale_ml-IN.json
+++ b/options/locale_next/locale_ml-IN.json
@@ -1,3 +1,10 @@
 {
+	"migrate.items.label": "മൈഗ്രേഷൻ ഇനങ്ങൾ",
+	"migrate.items.wiki": "വിക്കി",
+	"migrate.items.milestones": "നാഴികക്കല്ലുകള്‍",
+	"migrate.items.labels": "ലേബലുകള്‍",
+	"migrate.items.issues": "പ്രശ്നങ്ങൾ",
+	"migrate.items.pull_requests": "ലയന അഭ്യർത്ഥനകൾ",
+	"migrate.items.releases": "പ്രസിദ്ധീകരണങ്ങള്‍",
 	"meta.last_line": " "
 }
diff --git a/options/locale_next/locale_nb_NO.json b/options/locale_next/locale_nb_NO.json
index 3fe643bf12..d18da5792b 100644
--- a/options/locale_next/locale_nb_NO.json
+++ b/options/locale_next/locale_nb_NO.json
@@ -144,6 +144,7 @@
 	"migrate.gitbucket.description": "Migrer data fra GitBucket instanser.",
 	"migrate.codebase.description": "Migrer data fra codebasehq.com.",
 	"migrate.forgejo.description": "Migrer data fra codeberg.org eller andre Forgejo instanser.",
+	"migrate.items.releases": "Utgivelser",
 	"search.syntax": "Søkesyntaks",
 	"search.fuzzy": "Fuzzy",
 	"search.fuzzy_tooltip": "Inkluder resultater som er omtrent like søkeordet",
diff --git a/options/locale_next/locale_nds.json b/options/locale_next/locale_nds.json
index 5806fe1eeb..d409733f59 100644
--- a/options/locale_next/locale_nds.json
+++ b/options/locale_next/locale_nds.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s Kommitteren",
+		"other": "%s Kommitterens"
+	},
+	"counters.n_branches": {
+		"one": "%s Twieg",
+		"other": "%s Twiegen"
+	},
+	"counters.n_tags": {
+		"one": "%s Mark",
+		"other": "%s Markens"
+	},
+	"counters.n_releases": {
+		"one": "%s Publizeren",
+		"other": "%s Publizerens"
+	},
 	"gpg.default_key": "Mit normaalem Slötel unnerschrieven",
 	"gpg.error.extract_sign": "Kunn Unnerschrift nich uttrecken",
 	"gpg.error.generate_hash": "Kunn Prüfsumm vum Kommitteren nich bereken",
@@ -323,6 +339,23 @@
 	"migrate.gitbucket.description": "Daten vun GitBucket-Instanzen umtrecken.",
 	"migrate.codebase.description": "Daten vun codebasehq.com umtrecken.",
 	"migrate.forgejo.description": "Daten vun codeberg.org of anner Forgejo-Instanzen umtrecken.",
+	"migrate.items.label": "Umtreck-Dingen",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Markstenen",
+	"migrate.items.labels": "Vermarkens",
+	"migrate.items.issues": "Gefallens",
+	"migrate.items.pull_requests": "Haalvörslagen",
+	"migrate.items.merge_requests": "Tosamenföhren-Vörslagen",
+	"migrate.items.releases": "Publizerens",
+	"migrate.in_progress.git": "Git-Daten worden umtrucken",
+	"migrate.in_progress.topics": "Themen worden umtrucken",
+	"migrate.in_progress.milestones": "Markstenen worden umtrucken",
+	"migrate.in_progress.labels": "Vermarkens worden umtrucken",
+	"migrate.in_progress.releases": "Publizerens worden umtrucken",
+	"migrate.in_progress.issues": "Gefallens worden umtrucken",
+	"migrate.in_progress.pulls": "Haalvörslagen worden umtrucken",
+	"migrate.cancel.title": "Umtreck ofbreken",
+	"migrate.cancel.confirmation": "Willst du deesen Umtreck ofbreken?",
 	"admin.config.security": "Sekerheids-Instellens",
 	"admin.config.global_2fa_requirement.all": "All Brukers",
 	"error.must_enable_2fa": "Deese Forgejo-Instanz verlangt, dat Brukers Twee-Faktooren-Anmellen anknipsen, ehr se up hör Konten togriepen könen. Knips dat hier an: %s",
diff --git a/options/locale_next/locale_nl-NL.json b/options/locale_next/locale_nl-NL.json
index f740233d69..c824dd23fc 100644
--- a/options/locale_next/locale_nl-NL.json
+++ b/options/locale_next/locale_nl-NL.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s commit",
+		"other": "%s commits"
+	},
+	"counters.n_branches": {
+		"one": "%s branch",
+		"other": "%s branches"
+	},
+	"counters.n_tags": {
+		"one": "%s tag",
+		"other": "%s tags"
+	},
+	"counters.n_releases": {
+		"one": "%s release",
+		"other": "%s releases"
+	},
 	"gpg.default_key": "Ondertekend met standaard sleutel",
 	"gpg.error.extract_sign": "Handtekening uitpakken mislukt",
 	"gpg.error.generate_hash": "Genereren van commit hash mislukt",
@@ -323,6 +339,23 @@
 	"migrate.gitbucket.description": "Gegevens migreren van GitBucket instanties.",
 	"migrate.codebase.description": "Gegevens migreren van codebasehq.com.",
 	"migrate.forgejo.description": "Migreer data van codeberg.org of andere Forgejo instanties.",
+	"migrate.items.label": "Migratie items",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Mijlpalen",
+	"migrate.items.labels": "Labels",
+	"migrate.items.issues": "Issues",
+	"migrate.items.pull_requests": "Pull requests",
+	"migrate.items.merge_requests": "Samenvoeg verzoeken",
+	"migrate.items.releases": "Releases",
+	"migrate.in_progress.git": "Git gegevens migreren",
+	"migrate.in_progress.topics": "Onderwerpen migreren",
+	"migrate.in_progress.milestones": "Mijlpalen migreren",
+	"migrate.in_progress.labels": "Labels migreren",
+	"migrate.in_progress.releases": "Releases migreren",
+	"migrate.in_progress.issues": "Issues migreren",
+	"migrate.in_progress.pulls": "Pull requests migreren",
+	"migrate.cancel.title": "Annuleer migratie",
+	"migrate.cancel.confirmation": "Wil je deze migratie annuleren?",
 	"settings.twofa_unroll_unavailable": "Tweefactorauthenticatie is vereist voor uw account en kan niet worden uitgeschakeld.",
 	"admin.config.security": "Beveiligingsconfiguratie",
 	"admin.config.global_2fa_requirement.title": "Globale vereiste van tweefactorauthenticatie",
diff --git a/options/locale_next/locale_pl-PL.json b/options/locale_next/locale_pl-PL.json
index 4f74217753..08f6f99c96 100644
--- a/options/locale_next/locale_pl-PL.json
+++ b/options/locale_next/locale_pl-PL.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s commit",
+		"many": "%s commity"
+	},
+	"counters.n_branches": {
+		"one": "%s gałąź",
+		"many": "%s gałęzie"
+	},
+	"counters.n_tags": {
+		"one": "%s tag",
+		"many": "%s tagi"
+	},
+	"counters.n_releases": {
+		"one": "%s wydanie",
+		"many": "%s wydań"
+	},
 	"gpg.default_key": "Podpisano domyślnym kluczem",
 	"gpg.error.extract_sign": "Nie udało się wyłuskać podpisu",
 	"gpg.error.generate_hash": "Nie udało się wygenerować skrótu dla commitu",
@@ -236,6 +252,23 @@
 	"migrate.gitbucket.description": "Migruj dane z instancji GitBucket.",
 	"migrate.codebase.description": "Migracja danych z codebasehq.com.",
 	"migrate.forgejo.description": "Migruj dane z codeberg.org lub innych instancji Forgejo.",
+	"migrate.items.label": "Elementy migracji",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Kamienie milowe",
+	"migrate.items.labels": "Etykiety",
+	"migrate.items.issues": "Zgłoszenia",
+	"migrate.items.pull_requests": "Pull requesty",
+	"migrate.items.merge_requests": "Requesty scalające",
+	"migrate.items.releases": "Wydania",
+	"migrate.in_progress.git": "Migracja danych Git",
+	"migrate.in_progress.topics": "Migracja tematów",
+	"migrate.in_progress.milestones": "Migracja kamieni milowych",
+	"migrate.in_progress.labels": "Migracja etykiet",
+	"migrate.in_progress.releases": "Migracja wydań",
+	"migrate.in_progress.issues": "Migracja zgłoszeń",
+	"migrate.in_progress.pulls": "Migracja pull requestów",
+	"migrate.cancel.title": "Anuluj migrację",
+	"migrate.cancel.confirmation": "Czy chcesz anulować tę migrację?",
 	"relativetime.hours": {
 		"one": "godzinę temu",
 		"few": "%d godziny temu",
diff --git a/options/locale_next/locale_pt-BR.json b/options/locale_next/locale_pt-BR.json
index e9ef391e49..ab46f4b038 100644
--- a/options/locale_next/locale_pt-BR.json
+++ b/options/locale_next/locale_pt-BR.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s commit",
+		"other": "%s commits"
+	},
+	"counters.n_branches": {
+		"one": "%s ramo",
+		"other": "%s ramos"
+	},
+	"counters.n_tags": {
+		"one": "%s etiqueta",
+		"other": "%s etiquetas"
+	},
+	"counters.n_releases": {
+		"one": "%s versão",
+		"other": "%s versões"
+	},
 	"gpg.default_key": "Assinado com a chave padrão",
 	"gpg.error.extract_sign": "Falha ao extrair assinatura",
 	"gpg.error.generate_hash": "Falha ao gerar hash de commit",
@@ -328,6 +344,23 @@
 	"migrate.gitbucket.description": "Migrar dados de instâncias do GitBucket.",
 	"migrate.codebase.description": "Migrar dados de codebasehq.com.",
 	"migrate.forgejo.description": "Migrar dados do codeberg.org ou outras servidores Forgejo.",
+	"migrate.items.label": "Itens da migração",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Marcos",
+	"migrate.items.labels": "Etiquetas",
+	"migrate.items.issues": "Issues",
+	"migrate.items.pull_requests": "Propostas de revisão",
+	"migrate.items.merge_requests": "Pedidos de merge",
+	"migrate.items.releases": "Versões",
+	"migrate.in_progress.git": "Migrando dados Git",
+	"migrate.in_progress.topics": "Migrando tópicos",
+	"migrate.in_progress.milestones": "Migrando marcos",
+	"migrate.in_progress.labels": "Migrando rótulos",
+	"migrate.in_progress.releases": "Migrando releases",
+	"migrate.in_progress.issues": "Migrando issues",
+	"migrate.in_progress.pulls": "Migrando propostas de revisão",
+	"migrate.cancel.title": "Cancelar migração",
+	"migrate.cancel.confirmation": "Você quer cancelar essa migração?",
 	"warning.repository.out_of_sync": "A representação deste repositório no banco de dados está fora de sincronia. Se este aviso ainda aparecer após fazer push de um commit para este repositório, contate o administrador.",
 	"repo.pulls.already_merged": "Mescla falhou: Este pull request já foi mesclado.",
 	"migrate.pagure.incorrect_url": "Uma URL incorreta do repositório fonte foi fornecida",
diff --git a/options/locale_next/locale_pt-PT.json b/options/locale_next/locale_pt-PT.json
index f3a6c5c9ff..0b1177271d 100644
--- a/options/locale_next/locale_pt-PT.json
+++ b/options/locale_next/locale_pt-PT.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s cometimento",
+		"other": "%s cometimentos"
+	},
+	"counters.n_branches": {
+		"one": "%s ramo",
+		"other": "%s ramos"
+	},
+	"counters.n_tags": {
+		"one": "%s etiqueta",
+		"other": "%s etiquetas"
+	},
+	"counters.n_releases": {
+		"one": "%s lançamento",
+		"other": "%s lançamentos"
+	},
 	"gpg.default_key": "Assinado com a chave padrão",
 	"gpg.error.extract_sign": "Falhou ao extrair a assinatura",
 	"gpg.error.generate_hash": "Falhou ao gerar o <i>hash</i> do cometimento",
@@ -345,6 +361,23 @@
 	"migrate.codebase.description": "Migrar dados de codebasehq.com.",
 	"migrate.forgejo.description": "Migrar dados de codeberg.org ou de outras instâncias Forgejo.",
 	"migrate.form.error.url_credentials": "O URL contém credenciais, insira-as nos campos do nome de utilizador e palavra-passe, respetivamente",
+	"migrate.items.label": "Itens da migração",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Etapas",
+	"migrate.items.labels": "Rótulos",
+	"migrate.items.issues": "Questões",
+	"migrate.items.pull_requests": "Pedidos de integração",
+	"migrate.items.merge_requests": "Pedidos de integração",
+	"migrate.items.releases": "Lançamentos",
+	"migrate.in_progress.git": "Migrando dados Git",
+	"migrate.in_progress.topics": "Migrando tópicos",
+	"migrate.in_progress.milestones": "Migrando etapas",
+	"migrate.in_progress.labels": "Migrando rótulos",
+	"migrate.in_progress.releases": "Migrando lançamentos",
+	"migrate.in_progress.issues": "Migrando questões",
+	"migrate.in_progress.pulls": "Migrando pedidos de integração",
+	"migrate.cancel.title": "Cancelar migração",
+	"migrate.cancel.confirmation": "Quer cancelar esta migração?",
 	"user.ghost.tooltip": "Este utilizador foi eliminado ou não é possível encontrar uma correspondência.",
 	"actions.runs.run_attempt_label": "Tentativa de execução #%[1]s (%[2]s)",
 	"actions.runs.viewing_out_of_date_run": "Está a visualizar uma execução desatualizada deste trabalho que foi executado %[1]s.",
diff --git a/options/locale_next/locale_ru-RU.json b/options/locale_next/locale_ru-RU.json
index 9009203114..5837e7d425 100644
--- a/options/locale_next/locale_ru-RU.json
+++ b/options/locale_next/locale_ru-RU.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s коммит",
+		"many": "%s коммитов"
+	},
+	"counters.n_branches": {
+		"one": "%s ветвь",
+		"many": "%s ветвей"
+	},
+	"counters.n_tags": {
+		"one": "%s тег",
+		"many": "%s тегов"
+	},
+	"counters.n_releases": {
+		"one": "%s выпуск",
+		"many": "%s выпусков"
+	},
 	"gpg.default_key": "Подписано ключом по умолчанию",
 	"gpg.error.extract_sign": "Не удалось извлечь подпись",
 	"gpg.error.generate_hash": "Не удалось создать хеш коммита",
@@ -344,6 +360,23 @@
 	"migrate.gitbucket.description": "Перенести данные с сервера GitBucket.",
 	"migrate.codebase.description": "Перенести данные с codebasehq.com.",
 	"migrate.forgejo.description": "Перенести данные с codeberg.org или другого сервера Forgejo.",
+	"migrate.items.label": "Переносимые элементы",
+	"migrate.items.wiki": "Вики",
+	"migrate.items.milestones": "Этапы",
+	"migrate.items.labels": "Метки",
+	"migrate.items.issues": "Задачи",
+	"migrate.items.pull_requests": "Запросы на слияние",
+	"migrate.items.merge_requests": "Запросы на слияние",
+	"migrate.items.releases": "Выпуски",
+	"migrate.in_progress.git": "Перенос данных Git",
+	"migrate.in_progress.topics": "Перенос тем",
+	"migrate.in_progress.milestones": "Перенос этапов",
+	"migrate.in_progress.labels": "Перенос меток",
+	"migrate.in_progress.releases": "Перенос выпусков",
+	"migrate.in_progress.issues": "Перенос задач",
+	"migrate.in_progress.pulls": "Перенос запросов на слияние",
+	"migrate.cancel.title": "Отменить перенос",
+	"migrate.cancel.confirmation": "Вы хотите отменить перенос?",
 	"user.ghost.tooltip": "Пользователь удалён или неизвестен.",
 	"migrate.form.error.url_credentials": "Ссылка содержит данные авторизации. Поместите их в соответствующие поля",
 	"actions.runs.run_attempt_label": "Попытка №%[1]s (%[2]s)",
diff --git a/options/locale_next/locale_si-LK.json b/options/locale_next/locale_si-LK.json
index 42f249b0a8..b8cb8a863a 100644
--- a/options/locale_next/locale_si-LK.json
+++ b/options/locale_next/locale_si-LK.json
@@ -24,6 +24,21 @@
 	"migrate.gogs.description": "notabug.org හෝ වෙනත් Gogs අවස්ථා වලින් දත්ත සංක්රමණය කරන්න.",
 	"migrate.onedev.description": "code.onedev.io හෝ වෙනත් OnedeV අවස්ථා වලින් දත්ත සංක්රමණය කරන්න.",
 	"migrate.gitbucket.description": "GitBucket අවස්ථා වලින් දත්ත සංක්රමණය කරන්න.",
+	"migrate.items.label": "සංක්රමණ අයිතම",
+	"migrate.items.wiki": "විකි",
+	"migrate.items.milestones": "සන්ධිස්ථාන",
+	"migrate.items.labels": "ලේබල",
+	"migrate.items.issues": "ගැටළු",
+	"migrate.items.pull_requests": "ඉල්ලීම් අදින්න",
+	"migrate.items.merge_requests": "සංයුක්ත කිරීමේ ඉල්ලීම්",
+	"migrate.items.releases": "නිකුතු",
+	"migrate.in_progress.git": "Git දත්ත සංක්රමණය",
+	"migrate.in_progress.topics": "සංක්රමණය මාතෘකා",
+	"migrate.in_progress.milestones": "සංක්රමික සන්ධිස්ථාන",
+	"migrate.in_progress.labels": "සංක්රමණය ලේබල",
+	"migrate.in_progress.releases": "සංක්රමණ නිකුතු",
+	"migrate.in_progress.issues": "සංක්රමණ ගැටළු",
+	"migrate.in_progress.pulls": "අදින්න ඉල්ලීම් සංක්රමණය",
 	"pulse.n_active_issues": {
 		"one": "%s ක්රියාකාරී නිකුතුව",
 		"other": "%s ක්රියාකාරී ගැටළු"
diff --git a/options/locale_next/locale_sk-SK.json b/options/locale_next/locale_sk-SK.json
index 2844fd9645..4be4418e1a 100644
--- a/options/locale_next/locale_sk-SK.json
+++ b/options/locale_next/locale_sk-SK.json
@@ -113,6 +113,11 @@
 	"migrate.onedev.description": "Migrovať dáta z code.onedev.io alebo iných inštancií OneDev.",
 	"migrate.gitbucket.description": "Migrovať dáta z inštancií GitBucket.",
 	"migrate.codebase.description": "Migrovať dáta z codebasehq.com.",
+	"migrate.items.label": "Položky migrácie",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Míľniky",
+	"migrate.items.labels": "Štítky",
+	"migrate.items.pull_requests": "Pull requesty",
 	"repo.pulls.title_desc": {
 		"one": "je potrebné zlúčiť %[1]d revíziu z <code>%[2]s</code> do <code id=\"%[4]s\">%[3]s</code>",
 		"few": "je potrebné zlúčiť %[1]d revízie z <code>%[2]s</code> do <code id=\"%[4]s\">%[3]s</code>",
diff --git a/options/locale_next/locale_sv-SE.json b/options/locale_next/locale_sv-SE.json
index af72a4c8f8..90e27fb73a 100644
--- a/options/locale_next/locale_sv-SE.json
+++ b/options/locale_next/locale_sv-SE.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s incheckning",
+		"other": "%s incheckningar"
+	},
+	"counters.n_branches": {
+		"one": "%s gren",
+		"other": "%s grenar"
+	},
+	"counters.n_tags": {
+		"one": "%s tagg",
+		"other": "%s taggar"
+	},
+	"counters.n_releases": {
+		"one": "%s utgåva",
+		"other": "%s utgåvor"
+	},
 	"gpg.default_key": "Signerad med standardnyckeln",
 	"gpg.error.extract_sign": "Det gick inte att extrahera signatur",
 	"gpg.error.generate_hash": "Misslyckades att generera en hashsumma för incheckningen",
@@ -304,6 +320,23 @@
 	"migrate.gitbucket.description": "Migrera data från GitBucket-instans.",
 	"migrate.codebase.description": "Migrera data från codebasehq.com.",
 	"migrate.forgejo.description": "Migrera data från codeberg.org eller annan Forgejo-instans.",
+	"migrate.items.label": "Migrationsobjekt",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Milstolpar",
+	"migrate.items.labels": "Etiketter",
+	"migrate.items.issues": "Ärenden",
+	"migrate.items.pull_requests": "Ändringsförfrågningar",
+	"migrate.items.merge_requests": "Ändringsförfrågningar",
+	"migrate.items.releases": "Utgåvor",
+	"migrate.in_progress.git": "Migrerar Git-data",
+	"migrate.in_progress.topics": "Migrerar ämnen",
+	"migrate.in_progress.milestones": "Migrerar milstolpar",
+	"migrate.in_progress.labels": "Migrerar etiketter",
+	"migrate.in_progress.releases": "Migrerar utgåvor",
+	"migrate.in_progress.issues": "Migrerar ärenden",
+	"migrate.in_progress.pulls": "Migrerar ändringsförfrågningar",
+	"migrate.cancel.title": "Avbryt migrering",
+	"migrate.cancel.confirmation": "Vill du avbryta denna migrering?",
 	"repo.settings.push_mirror.branch_filter.label": "Grenfilter (frivilligt)",
 	"repo.settings.push_mirror.branch_filter.description": "Grenar att speglas. Lämna tom för att spegla alla grenar. Se <a href=\"%[1]s\">%[2]s dokumentation</a> för syntax. Exempel: <code>main, release/*</code>",
 	"admin.moderation.moderation_reports": "Modereringsrapporter",
diff --git a/options/locale_next/locale_ta.json b/options/locale_next/locale_ta.json
index 3b9b69d2f6..03aae7e0ef 100644
--- a/options/locale_next/locale_ta.json
+++ b/options/locale_next/locale_ta.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s உறுதி",
+		"other": "%s உறுதியளிக்கிறது"
+	},
+	"counters.n_branches": {
+		"one": "%s கிளை",
+		"other": "%s கிளைகள்"
+	},
+	"counters.n_tags": {
+		"one": "%s குறிச்சொல்",
+		"other": "%s குறிச்சொற்கள்"
+	},
+	"counters.n_releases": {
+		"one": "%s வெளியீடு",
+		"other": "%s வெளியீடுகள்"
+	},
 	"gpg.default_key": "இயல்புநிலை விசையுடன் கையொப்பமிடப்பட்டது",
 	"gpg.error.extract_sign": "கையொப்பத்தைப் பிரித்தெடுக்க முடியவில்லை",
 	"gpg.error.generate_hash": "உறுதியின் ஆச் உருவாக்க முடியவில்லை",
@@ -257,6 +273,23 @@
 	"migrate.gitbucket.description": "GitBucket நிகழ்வுகளிலிருந்து தரவை நகர்த்தவும்.",
 	"migrate.codebase.description": "codebasehq.com இலிருந்து தரவை நகர்த்தவும்.",
 	"migrate.forgejo.description": "codeberg.org அல்லது பிற Forgejo நிகழ்வுகளில் இருந்து தரவை நகர்த்தவும்.",
+	"migrate.items.label": "இடம்பெயர்வு பொருட்கள்",
+	"migrate.items.wiki": "விக்கி",
+	"migrate.items.milestones": "மைல்கற்கள்",
+	"migrate.items.labels": "சிட்டைகள்",
+	"migrate.items.issues": "சிக்கல்கள்",
+	"migrate.items.pull_requests": "கோரிக்கைகளை இழுக்கவும்",
+	"migrate.items.merge_requests": "கோரிக்கைகளை ஒன்றிணைக்கவும்",
+	"migrate.items.releases": "வெளியிடுகிறது",
+	"migrate.in_progress.git": "Git தரவை நகர்த்துகிறது",
+	"migrate.in_progress.topics": "இடம்பெயர்ந்த தலைப்புகள்",
+	"migrate.in_progress.milestones": "இடம்பெயரும் மைல்கற்கள்",
+	"migrate.in_progress.labels": "இடம்பெயர்தல் லேபிள்கள்",
+	"migrate.in_progress.releases": "இடம்பெயர்ந்த வெளியீடுகள்",
+	"migrate.in_progress.issues": "இடம்பெயர்வு பிரச்சினைகள்",
+	"migrate.in_progress.pulls": "இழுக்கும் கோரிக்கைகளை நகர்த்துகிறது",
+	"migrate.cancel.title": "இடம்பெயர்வை நீக்கறல்",
+	"migrate.cancel.confirmation": "இந்த இடம்பெயர்வை ரத்துசெய்ய விரும்புகிறீர்களா?",
 	"repo.issue_indexer.title": "வெளியீட்டு அட்டவணை",
 	"search.milestone_kind": "மைல்கற்களைத் தேடு…",
 	"repo.settings.push_mirror.branch_filter.label": "கிளை வடிகட்டி (விரும்பினால்)",
diff --git a/options/locale_next/locale_th.json b/options/locale_next/locale_th.json
index a0bad37ae5..01dcb1522a 100644
--- a/options/locale_next/locale_th.json
+++ b/options/locale_next/locale_th.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s คอมมิต",
+		"other": "%s คอมมิต"
+	},
+	"counters.n_branches": {
+		"one": "%s สาขา",
+		"other": "%s สาขา"
+	},
+	"counters.n_tags": {
+		"one": "%s แท็ก",
+		"other": "%s แท็ก"
+	},
+	"counters.n_releases": {
+		"one": "%s รีลีส",
+		"other": "%s รีลีส"
+	},
 	"gpg.default_key": "ลงนามด้วยคีย์เริ่มต้น",
 	"gpg.error.extract_sign": "ไม่สามารถแยกข้อมูลลายเซ็นได้",
 	"gpg.error.generate_hash": "ไม่สามารถสร้างแฮชของคอมมิตได้",
@@ -224,6 +240,23 @@
 	"migrate.gitbucket.description": "ย้ายข้อมูลจากอินสแตนซ์ GitBucket",
 	"migrate.codebase.description": "ย้ายข้อมูลจาก codebasehq.com",
 	"migrate.forgejo.description": "ย้ายข้อมูลจาก codeberg.org หรืออินสแตนซ์ Forgejo อื่นๆ",
+	"migrate.items.label": "รายการการย้าย",
+	"migrate.items.wiki": "วิกิ",
+	"migrate.items.milestones": "เหตุการณ์สำคัญ",
+	"migrate.items.labels": "ป้ายกำกับ",
+	"migrate.items.issues": "ปัญหา",
+	"migrate.items.pull_requests": "คำขอดึง",
+	"migrate.items.merge_requests": "คำขอผสาน",
+	"migrate.items.releases": "รีลีส",
+	"migrate.in_progress.git": "กำลังย้ายข้อมูล Git",
+	"migrate.in_progress.topics": "กำลังย้ายหัวข้อ",
+	"migrate.in_progress.milestones": "กำลังย้ายเหตุการณ์สำคัญ",
+	"migrate.in_progress.labels": "กำลังย้ายป้ายกำกับ",
+	"migrate.in_progress.releases": "กำลังย้ายรีลีส",
+	"migrate.in_progress.issues": "กำลังย้ายปัญหา",
+	"migrate.in_progress.pulls": "กำลังย้ายคำขอดึง",
+	"migrate.cancel.title": "ยกเลิกการย้าย",
+	"migrate.cancel.confirmation": "คุณต้องการยกเลิกการย้ายนี้หรือไม่?",
 	"repo.issue_indexer.title": "ตัวจัดทำดัชนี Issue",
 	"search.milestone_kind": "ค้นหาเหตุการณ์สำคัญ…",
 	"repo.settings.push_mirror.branch_filter.label": "ตัวกรองสาขา (ไม่บังคับ)",
diff --git a/options/locale_next/locale_tr-TR.json b/options/locale_next/locale_tr-TR.json
index c55ece68a6..2c11db6ff4 100644
--- a/options/locale_next/locale_tr-TR.json
+++ b/options/locale_next/locale_tr-TR.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s katkı",
+		"other": "%s gönderi"
+	},
+	"counters.n_branches": {
+		"one": "%s dal",
+		"other": "%s dal"
+	},
+	"counters.n_tags": {
+		"one": "%s etiket",
+		"other": "%s etiket"
+	},
+	"counters.n_releases": {
+		"one": "%s sürüm",
+		"other": "%s sürüm"
+	},
 	"gpg.default_key": "Varsayılan anahtarla imzalanmış",
 	"gpg.error.extract_sign": "İmza çıkarılamadı",
 	"gpg.error.generate_hash": "İşlemenin sağlama kodu oluşturulamadı",
@@ -186,6 +202,23 @@
 	"migrate.onedev.description": "code.onedev.io veya diğer OneDev oluşumlarından veri aktar.",
 	"migrate.gitbucket.description": "GitBucket oluşumlarından veri aktar.",
 	"migrate.codebase.description": "codebasehq.com'dan veri aktar.",
+	"migrate.items.label": "Taşıma öğeleri",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "Kilometre Taşları",
+	"migrate.items.labels": "Etiketler",
+	"migrate.items.issues": "Konular",
+	"migrate.items.pull_requests": "Birleştirme istekleri",
+	"migrate.items.merge_requests": "Birleştirme istekleri",
+	"migrate.items.releases": "Sürümler",
+	"migrate.in_progress.git": "Git Verilerini Taşıma",
+	"migrate.in_progress.topics": "Konuları taşıma",
+	"migrate.in_progress.milestones": "Kilometre Taşlarını Taşıma",
+	"migrate.in_progress.labels": "Etiketleri Taşıma",
+	"migrate.in_progress.releases": "Sürümleri Taşıma",
+	"migrate.in_progress.issues": "Konuları Taşıma",
+	"migrate.in_progress.pulls": "Değişiklik İsteklerini Taşıma",
+	"migrate.cancel.title": "Göçü iptal et",
+	"migrate.cancel.confirmation": "Bu göçü iptal etmek istiyor musunuz?",
 	"pulse.n_active_issues": {
 		"one": "%s aktif sorun",
 		"other": "%s aktif sorun"
diff --git a/options/locale_next/locale_uk-UA.json b/options/locale_next/locale_uk-UA.json
index e2b90565ab..d58c1dbd76 100644
--- a/options/locale_next/locale_uk-UA.json
+++ b/options/locale_next/locale_uk-UA.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s коміт",
+		"many": "%s комітів"
+	},
+	"counters.n_branches": {
+		"one": "%s гілка",
+		"many": "%s гілок"
+	},
+	"counters.n_tags": {
+		"one": "%s тег",
+		"many": "%s тегів"
+	},
+	"counters.n_releases": {
+		"one": "%s випуск",
+		"many": "%s випусків"
+	},
 	"gpg.default_key": "Підписано типовим ключем",
 	"gpg.error.extract_sign": "Не вдалося витягти підпис",
 	"gpg.error.generate_hash": "Не вдалося згенерувати хеш коміту",
@@ -334,6 +350,23 @@
 	"migrate.gitbucket.description": "Перенести дані з екземплярів GitBucket.",
 	"migrate.codebase.description": "Перенести дані з codebasehq.com.",
 	"migrate.forgejo.description": "Перенести дані з codeberg.org або інших екземплярів Forgejo.",
+	"migrate.items.label": "Елементи для перенесення",
+	"migrate.items.wiki": "Вікі",
+	"migrate.items.milestones": "Етапи",
+	"migrate.items.labels": "Мітки",
+	"migrate.items.issues": "Задачі",
+	"migrate.items.pull_requests": "Запити на злиття",
+	"migrate.items.merge_requests": "Запити на об’єднання",
+	"migrate.items.releases": "Випуски",
+	"migrate.in_progress.git": "Перенесення даних Git",
+	"migrate.in_progress.topics": "Перенесення тем",
+	"migrate.in_progress.milestones": "Перенесення етапів",
+	"migrate.in_progress.labels": "Перенесення міток",
+	"migrate.in_progress.releases": "Перенесення випусків",
+	"migrate.in_progress.issues": "Перенесення задач",
+	"migrate.in_progress.pulls": "Перенесення запитів на злиття",
+	"migrate.cancel.title": "Скасувати перенесення",
+	"migrate.cancel.confirmation": "Бажаєте скасувати перенесення?",
 	"settings.must_enable_2fa": "На цьому екземплярі Forgejo для доступу до облікового запису вам необхідно захистити його двофакторною автентифікацією.",
 	"error.must_enable_2fa": "На цьому екземплярі Forgejo для доступу до облікового запису вам необхідно захистити його двофакторною автентифікацією. Увімкніть її тут: %s",
 	"admin.config.global_2fa_requirement.none": "Немає",
diff --git a/options/locale_next/locale_vi.json b/options/locale_next/locale_vi.json
index dee83ccaa0..79148e1fee 100644
--- a/options/locale_next/locale_vi.json
+++ b/options/locale_next/locale_vi.json
@@ -1,4 +1,16 @@
 {
+	"counters.n_branches": {
+		"one": "%s nhánh",
+		"other": "%s nhánh"
+	},
+	"counters.n_tags": {
+		"one": "%s nhãn",
+		"other": "%s nhãn"
+	},
+	"counters.n_releases": {
+		"one": "%s bản phát hành",
+		"other": "%s bản phát hành"
+	},
 	"packages.filter.container.tagged": "Được gắn nhãn",
 	"packages.filter.container.untagged": "Không được gắn nhãn",
 	"packages.details.project_site": "Trang mạng dự án",
@@ -30,6 +42,21 @@
 	"migrate.form.error.url_credentials": "URL có chứa thông tin đăng nhập, điền chúng vào các ô tên người dùng và mật khẩu tương ứng",
 	"migrate.github.description": "Nhập dữ liệu từ github.com hoặc máy chủ GitHub Enterprise.",
 	"migrate.git.description": "Chỉ nhập kho mã từ dịch vụ Git bất kì.",
+	"migrate.items.milestones": "Cột mốc",
+	"migrate.items.labels": "Nhãn",
+	"migrate.items.issues": "Vấn đề",
+	"migrate.items.pull_requests": "Yêu cầu kéo",
+	"migrate.items.merge_requests": "Yêu cầu hợp",
+	"migrate.items.releases": "Bản phát hành",
+	"migrate.in_progress.git": "Đang nhập dữ liệu Git",
+	"migrate.in_progress.topics": "Đang nhập các chủ đề",
+	"migrate.in_progress.milestones": "Đang nhập các cột mốc",
+	"migrate.in_progress.labels": "Đang nhập các nhãn",
+	"migrate.in_progress.releases": "Đang nhập các bản phát hành",
+	"migrate.in_progress.issues": "Đang nhập các vấn đề",
+	"migrate.in_progress.pulls": "Đang nhập các yêu cầu kéo",
+	"migrate.cancel.title": "Huỷ nhập",
+	"migrate.cancel.confirmation": "Bạn có muốn huỷ nhập không?",
 	"home.explore_repos": "Khám phá kho mã",
 	"stars.list.none": "Chưa ai tặng sao cho kho mã này.",
 	"watch.list.none": "Không có ai đang theo dõi kho mã này.",
diff --git a/options/locale_next/locale_zh-CN.json b/options/locale_next/locale_zh-CN.json
index f8591727b8..fc00da3eb7 100644
--- a/options/locale_next/locale_zh-CN.json
+++ b/options/locale_next/locale_zh-CN.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s提交",
+		"other": "%s提交"
+	},
+	"counters.n_branches": {
+		"one": "%s分支",
+		"other": "%s分支"
+	},
+	"counters.n_tags": {
+		"one": "%s标签",
+		"other": "%s标签"
+	},
+	"counters.n_releases": {
+		"one": "%s版本发布",
+		"other": "%s版本发布"
+	},
 	"gpg.default_key": "使用默认密钥签名",
 	"gpg.error.extract_sign": "无法提取签名",
 	"gpg.error.generate_hash": "无法生成提交散列",
@@ -284,6 +300,23 @@
 	"migrate.gitbucket.description": "从GitBucket实例迁移数据。",
 	"migrate.codebase.description": "从codebasehq.com迁移数据。",
 	"migrate.forgejo.description": "从codeberg.org或其他Forgejo实例迁移数据。",
+	"migrate.items.label": "迁移项目",
+	"migrate.items.wiki": "百科",
+	"migrate.items.milestones": "里程碑",
+	"migrate.items.labels": "标签",
+	"migrate.items.issues": "议题",
+	"migrate.items.pull_requests": "合并请求",
+	"migrate.items.merge_requests": "合并请求",
+	"migrate.items.releases": "版本发布",
+	"migrate.in_progress.git": "迁移Git数据",
+	"migrate.in_progress.topics": "正在迁移主题",
+	"migrate.in_progress.milestones": "正在迁移里程碑",
+	"migrate.in_progress.labels": "正在迁移标签",
+	"migrate.in_progress.releases": "正在迁移发布",
+	"migrate.in_progress.issues": "正在迁移议题",
+	"migrate.in_progress.pulls": "正在迁移合并请求",
+	"migrate.cancel.title": "取消迁移",
+	"migrate.cancel.confirmation": "您想要取消此次迁移吗？",
 	"warning.repository.out_of_sync": "此仓库的数据库表示已脱同步。如果在向此仓库推送提交后仍出现此警告，请联系管理员。",
 	"admin.config.security": "安全设置",
 	"settings.twofa_unroll_unavailable": "你的账户必须启用双因子认证，无法禁用。",
diff --git a/options/locale_next/locale_zh-HK.json b/options/locale_next/locale_zh-HK.json
index a595ec54f5..d81aa3f202 100644
--- a/options/locale_next/locale_zh-HK.json
+++ b/options/locale_next/locale_zh-HK.json
@@ -1,4 +1,10 @@
 {
+	"migrate.items.wiki": "維基",
+	"migrate.items.milestones": "里程碑",
+	"migrate.items.labels": "標籤",
+	"migrate.items.issues": "問題數",
+	"migrate.items.pull_requests": "合併請求",
+	"migrate.items.releases": "版本發佈",
 	"actions.runners.name": "名稱",
 	"actions.runners.owner_type": "認證類型",
 	"actions.runners.description": "描述",
diff --git a/options/locale_next/locale_zh-TW.json b/options/locale_next/locale_zh-TW.json
index 08649ca69a..ac46e41245 100644
--- a/options/locale_next/locale_zh-TW.json
+++ b/options/locale_next/locale_zh-TW.json
@@ -1,4 +1,20 @@
 {
+	"counters.n_commits": {
+		"one": "%s 個提交",
+		"other": "%s 個提交"
+	},
+	"counters.n_branches": {
+		"one": "%s 條分支",
+		"other": "%s 條分支"
+	},
+	"counters.n_tags": {
+		"one": "%s 個標籤",
+		"other": "%s 個標籤"
+	},
+	"counters.n_releases": {
+		"one": "%s 發行",
+		"other": "%s 發行"
+	},
 	"actions.actions": "Actions",
 	"actions.status.unknown": "未知的",
 	"actions.status.waiting": "等待中",
@@ -315,6 +331,23 @@
 	"migrate.gitbucket.description": "從 GitBucket 站點遷移資料。",
 	"migrate.codebase.description": "從 codebasehq.com 遷移資料。",
 	"migrate.forgejo.description": "從 codeberg.org 或其他 Forgejo 站點遷移資料。",
+	"migrate.items.label": "遷移項目",
+	"migrate.items.wiki": "Wiki",
+	"migrate.items.milestones": "里程碑",
+	"migrate.items.labels": "標籤",
+	"migrate.items.issues": "問題",
+	"migrate.items.pull_requests": "合併請求",
+	"migrate.items.merge_requests": "合併請求",
+	"migrate.items.releases": "版本發布",
+	"migrate.in_progress.git": "正在遷移 Git 資料",
+	"migrate.in_progress.topics": "正在遷移主題",
+	"migrate.in_progress.milestones": "正在遷移里程碑",
+	"migrate.in_progress.labels": "正在遷移標籤",
+	"migrate.in_progress.releases": "正在遷移版本發佈",
+	"migrate.in_progress.issues": "正在遷移問題",
+	"migrate.in_progress.pulls": "正在遷移合併請求",
+	"migrate.cancel.title": "取消遷移",
+	"migrate.cancel.confirmation": "您確定要取消這次的遷移嗎？",
 	"pulse.n_active_issues": "%s 個問題",
 	"pulse.n_active_prs": "%s 個合併請求",
 	"watch.n_watchers": "%s 位關注者",
diff --git a/services/migrations/migrate.go b/services/migrations/migrate.go
index 61630d9c6d..6746a8c915 100644
--- a/services/migrations/migrate.go
+++ b/services/migrations/migrate.go
@@ -236,14 +236,14 @@ func migrateRepository(_ context.Context, doer *user_model.User, downloader base
 	}
 
 	log.Trace("migrating git data from %s", repo.CloneURL)
-	messenger("repo.migrate.migrating_git")
+	messenger("migrate.in_progress.git")
 	if err = uploader.CreateRepo(repo, opts); err != nil {
 		return err
 	}
 	defer uploader.Close()
 
 	log.Trace("migrating topics")
-	messenger("repo.migrate.migrating_topics")
+	messenger("migrate.in_progress.topics")
 	topics, err := downloader.GetTopics()
 	if err != nil {
 		if !base.IsErrNotSupported(err) {
@@ -259,7 +259,7 @@ func migrateRepository(_ context.Context, doer *user_model.User, downloader base
 
 	if opts.Milestones {
 		log.Trace("migrating milestones")
-		messenger("repo.migrate.migrating_milestones")
+		messenger("migrate.in_progress.milestones")
 		milestones, err := downloader.GetMilestones()
 		if err != nil {
 			if !base.IsErrNotSupported(err) {
@@ -282,7 +282,7 @@ func migrateRepository(_ context.Context, doer *user_model.User, downloader base
 
 	if opts.Labels {
 		log.Trace("migrating labels")
-		messenger("repo.migrate.migrating_labels")
+		messenger("migrate.in_progress.labels")
 		labels, err := downloader.GetLabels()
 		if err != nil {
 			if !base.IsErrNotSupported(err) {
@@ -306,7 +306,7 @@ func migrateRepository(_ context.Context, doer *user_model.User, downloader base
 
 	if opts.Releases {
 		log.Trace("migrating releases")
-		messenger("repo.migrate.migrating_releases")
+		messenger("migrate.in_progress.releases")
 		releases, err := downloader.GetReleases()
 		if err != nil {
 			if !base.IsErrNotSupported(err) {
@@ -342,7 +342,7 @@ func migrateRepository(_ context.Context, doer *user_model.User, downloader base
 
 	if opts.Issues {
 		log.Trace("migrating issues and comments")
-		messenger("repo.migrate.migrating_issues")
+		messenger("migrate.in_progress.issues")
 		issueBatchSize := uploader.MaxBatchInsertSize("issue")
 
 		for i := 1; ; i++ {
@@ -397,7 +397,7 @@ func migrateRepository(_ context.Context, doer *user_model.User, downloader base
 
 	if opts.PullRequests {
 		log.Trace("migrating pull requests and comments")
-		messenger("repo.migrate.migrating_pulls")
+		messenger("migrate.in_progress.pulls")
 		prBatchSize := uploader.MaxBatchInsertSize("pullrequest")
 		for i := 1; ; i++ {
 			prs, isEnd, err := downloader.GetPullRequests(i, prBatchSize)
diff --git a/templates/repo/commits_table.tmpl b/templates/repo/commits_table.tmpl
index be6462b269..87feb06a98 100644
--- a/templates/repo/commits_table.tmpl
+++ b/templates/repo/commits_table.tmpl
@@ -1,7 +1,7 @@
 <h4 class="ui top attached header commits-table tw-flex tw-items-center tw-justify-between">
 	<div class="commits-table-left tw-flex tw-items-center">
 		{{if or .PageIsCommits (gt .CommitCount 0)}}
-			{{ctx.Locale.TrN .CommitCount "repo.n_commit_one" "repo.n_commit_few" (ctx.Locale.PrettyNumber .CommitCount)}}
+			{{ctx.Locale.TrPluralString .CommitCount "counters.n_commits" (ctx.Locale.PrettyNumber .CommitCount)}}
 		{{else if .IsNothingToCompare}}
 			{{ctx.Locale.Tr "repo.commits.nothing_to_compare"}}
 		{{else}}
diff --git a/templates/repo/migrate/codebase.tmpl b/templates/repo/migrate/codebase.tmpl
index c921a3bdbc..037185b8a0 100644
--- a/templates/repo/migrate/codebase.tmpl
+++ b/templates/repo/migrate/codebase.tmpl
@@ -31,31 +31,31 @@
 
 					<div id="migrate_items">
 						<div class="inline field">
-							<label>{{ctx.Locale.Tr "repo.migrate_items"}}</label>
+							<label>{{ctx.Locale.Tr "migrate.items.label"}}</label>
 							<div class="ui checkbox">
 								<input name="issues" type="checkbox" {{if .issues}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_issues"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.issues"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="pull_requests" type="checkbox" {{if .pull_requests}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_merge_requests"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.merge_requests"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="labels" type="checkbox" {{if .labels}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_labels"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.labels"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="milestones" type="checkbox" {{if .milestones}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_milestones"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.milestones"}}</label>
 							</div>
 						</div>
 					</div>
diff --git a/templates/repo/migrate/gitbucket.tmpl b/templates/repo/migrate/gitbucket.tmpl
index eae80bccc6..33a14b678f 100644
--- a/templates/repo/migrate/gitbucket.tmpl
+++ b/templates/repo/migrate/gitbucket.tmpl
@@ -30,10 +30,10 @@
 					{{template "repo/migrate/options" .}}
 
 					<div class="inline field">
-						<label>{{ctx.Locale.Tr "repo.migrate_items"}}</label>
+						<label>{{ctx.Locale.Tr "migrate.items.label"}}</label>
 						<div class="ui checkbox">
 							<input name="wiki" type="checkbox" {{if .wiki}}checked{{end}}>
-							<label>{{ctx.Locale.Tr "repo.migrate_items_wiki"}}</label>
+							<label>{{ctx.Locale.Tr "migrate.items.wiki"}}</label>
 						</div>
 					</div>
 
@@ -43,35 +43,35 @@
 							<label></label>
 							<div class="ui checkbox">
 								<input name="issues" type="checkbox" {{if .issues}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_issues"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.issues"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="pull_requests" type="checkbox" {{if .pull_requests}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_pullrequests"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.pull_requests"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="labels" type="checkbox" {{if .labels}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_labels"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.labels"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="milestones" type="checkbox" {{if .milestones}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_milestones"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.milestones"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="releases" type="checkbox" {{if .releases}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_releases"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.releases"}}</label>
 							</div>
 						</div>
 					</div>
diff --git a/templates/repo/migrate/gitea.tmpl b/templates/repo/migrate/gitea.tmpl
index e000e3bb93..fd59124841 100644
--- a/templates/repo/migrate/gitea.tmpl
+++ b/templates/repo/migrate/gitea.tmpl
@@ -26,10 +26,10 @@
 					{{template "repo/migrate/options" .}}
 
 					<div class="inline field">
-						<label>{{ctx.Locale.Tr "repo.migrate_items"}}</label>
+						<label>{{ctx.Locale.Tr "migrate.items.label"}}</label>
 						<div class="ui checkbox">
 							<input name="wiki" type="checkbox" {{if .wiki}} checked{{end}}>
-							<label>{{ctx.Locale.Tr "repo.migrate_items_wiki"}}</label>
+							<label>{{ctx.Locale.Tr "migrate.items.wiki"}}</label>
 						</div>
 					</div>
 
@@ -39,35 +39,35 @@
 							<label></label>
 							<div class="ui checkbox">
 								<input name="issues" type="checkbox" {{if .issues}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_issues"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.issues"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="pull_requests" type="checkbox" {{if .pull_requests}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_pullrequests"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.pull_requests"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="labels" type="checkbox" {{if .labels}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_labels"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.labels"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="milestones" type="checkbox" {{if .milestones}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_milestones"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.milestones"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="releases" type="checkbox" {{if .releases}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_releases"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.releases"}}</label>
 							</div>
 						</div>
 					</div>
diff --git a/templates/repo/migrate/github.tmpl b/templates/repo/migrate/github.tmpl
index c4ebfddd9a..ab1be1f575 100644
--- a/templates/repo/migrate/github.tmpl
+++ b/templates/repo/migrate/github.tmpl
@@ -29,10 +29,10 @@
 					{{template "repo/migrate/options" .}}
 
 					<div class="inline field">
-						<label>{{ctx.Locale.Tr "repo.migrate_items"}}</label>
+						<label>{{ctx.Locale.Tr "migrate.items.label"}}</label>
 						<div class="ui checkbox">
 							<input name="wiki" type="checkbox" {{if .wiki}}checked{{end}}>
-							<label>{{ctx.Locale.Tr "repo.migrate_items_wiki"}}</label>
+							<label>{{ctx.Locale.Tr "migrate.items.wiki"}}</label>
 						</div>
 					</div>
 					<div id="migrate_items">
@@ -41,35 +41,35 @@
 							<label></label>
 							<div class="ui checkbox">
 								<input name="issues" type="checkbox" {{if .issues}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_issues"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.issues"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="pull_requests" type="checkbox" {{if .pull_requests}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_pullrequests"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.pull_requests"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="labels" type="checkbox" {{if .labels}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_labels"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.labels"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="milestones" type="checkbox" {{if .milestones}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_milestones"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.milestones"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="releases" type="checkbox" {{if .releases}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_releases"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.releases"}}</label>
 							</div>
 						</div>
 					</div>
diff --git a/templates/repo/migrate/gitlab.tmpl b/templates/repo/migrate/gitlab.tmpl
index 13cdddb992..a406091394 100644
--- a/templates/repo/migrate/gitlab.tmpl
+++ b/templates/repo/migrate/gitlab.tmpl
@@ -26,10 +26,10 @@
 					{{template "repo/migrate/options" .}}
 
 					<div class="inline field">
-						<label>{{ctx.Locale.Tr "repo.migrate_items"}}</label>
+						<label>{{ctx.Locale.Tr "migrate.items.label"}}</label>
 						<div class="ui checkbox">
 							<input name="wiki" type="checkbox" {{if .wiki}}checked{{end}}>
-							<label>{{ctx.Locale.Tr "repo.migrate_items_wiki"}}</label>
+							<label>{{ctx.Locale.Tr "migrate.items.wiki"}}</label>
 						</div>
 					</div>
 					<div id="migrate_items">
@@ -38,35 +38,35 @@
 							<label></label>
 							<div class="ui checkbox">
 								<input name="issues" type="checkbox" {{if .issues}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_issues"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.issues"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="pull_requests" type="checkbox" {{if .pull_requests}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_merge_requests"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.merge_requests"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="labels" type="checkbox" {{if .labels}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_labels"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.labels"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="milestones" type="checkbox" {{if .milestones}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_milestones"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.milestones"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="releases" type="checkbox" {{if .releases}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_releases"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.releases"}}</label>
 							</div>
 						</div>
 					</div>
diff --git a/templates/repo/migrate/gogs.tmpl b/templates/repo/migrate/gogs.tmpl
index 58e3fff035..e70976c730 100644
--- a/templates/repo/migrate/gogs.tmpl
+++ b/templates/repo/migrate/gogs.tmpl
@@ -26,10 +26,10 @@
 					{{template "repo/migrate/options" .}}
 
 					<div class="inline field">
-						<label>{{ctx.Locale.Tr "repo.migrate_items"}}</label>
+						<label>{{ctx.Locale.Tr "migrate.items.label"}}</label>
 						<div class="ui checkbox">
 							<input name="wiki" type="checkbox" {{if .wiki}} checked{{end}}>
-							<label>{{ctx.Locale.Tr "repo.migrate_items_wiki"}}</label>
+							<label>{{ctx.Locale.Tr "migrate.items.wiki"}}</label>
 						</div>
 					</div>
 
@@ -39,21 +39,21 @@
 							<label></label>
 							<div class="ui checkbox">
 								<input name="issues" type="checkbox" {{if .issues}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_issues"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.issues"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="labels" type="checkbox" {{if .labels}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_labels"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.labels"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="milestones" type="checkbox" {{if .milestones}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_milestones"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.milestones"}}</label>
 							</div>
 						</div>
 						<!-- Gogs do not support it
@@ -61,11 +61,11 @@
 							<label></label>
 							<div class="ui checkbox">
 								<input name="pull_requests" type="checkbox" {{if .pull_requests}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_merge_requests"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.merge_requests"}}</label>
 							</div>
 							<div class="ui checkbox">
 								<input name="releases" type="checkbox" {{if .releases}} checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_releases"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.releases"}}</label>
 							</div>
 						</div>
 						-->
diff --git a/templates/repo/migrate/migrate.tmpl b/templates/repo/migrate/migrate.tmpl
index 48ee678a13..f3fb53895a 100644
--- a/templates/repo/migrate/migrate.tmpl
+++ b/templates/repo/migrate/migrate.tmpl
@@ -1,7 +1,7 @@
 {{template "base/head" .}}
 <div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui container">
-		<h2 class="tw-mt-4">Migrate repository</h1>
+		<h2 class="tw-mt-4">{{ctx.Locale.Tr "migrate.select.title"}}</h1>
 		{{template "repo/migrate/helper" .}}
 		<div class="migrate-entries">
 			{{range .Services}}
diff --git a/templates/repo/migrate/migrating.tmpl b/templates/repo/migrate/migrating.tmpl
index a3a1baf57b..6b2db26aaf 100644
--- a/templates/repo/migrate/migrating.tmpl
+++ b/templates/repo/migrate/migrating.tmpl
@@ -86,11 +86,11 @@
 
 <div class="ui g-modal-confirm modal" id="cancel-repo-modal">
 	<div class="header">
-		{{ctx.Locale.Tr "repo.migrate.cancel_migrating_title"}}
+		{{ctx.Locale.Tr "migrate.cancel.title"}}
 	</div>
 	<form action="{{.Link}}/settings/migrate/cancel" method="post">
 		<div class="content">
-			{{ctx.Locale.Tr "repo.migrate.cancel_migrating_confirm"}}
+			{{ctx.Locale.Tr "migrate.cancel.confirmation"}}
 		</div>
 		{{template "base/modal_actions_confirm" .}}
 	</form>
diff --git a/templates/repo/migrate/onedev.tmpl b/templates/repo/migrate/onedev.tmpl
index 3024142648..377fbf2881 100644
--- a/templates/repo/migrate/onedev.tmpl
+++ b/templates/repo/migrate/onedev.tmpl
@@ -31,31 +31,31 @@
 
 					<div id="migrate_items">
 						<div class="inline field">
-							<label>{{ctx.Locale.Tr "repo.migrate_items"}}</label>
+							<label>{{ctx.Locale.Tr "migrate.items.label"}}</label>
 							<div class="ui checkbox">
 								<input name="issues" type="checkbox" {{if .issues}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_issues"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.issues"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="pull_requests" type="checkbox" {{if .pull_requests}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_pullrequests"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.pull_requests"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="labels" type="checkbox" {{if .labels}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_labels"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.labels"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="milestones" type="checkbox" {{if .milestones}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_milestones"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.milestones"}}</label>
 							</div>
 						</div>
 					</div>
diff --git a/templates/repo/migrate/pagure.tmpl b/templates/repo/migrate/pagure.tmpl
index be71827e7f..6f48cbc7fe 100644
--- a/templates/repo/migrate/pagure.tmpl
+++ b/templates/repo/migrate/pagure.tmpl
@@ -27,31 +27,31 @@
 					{{template "repo/migrate/options" .}}
 					<div id="migrate_items">
 						<div class="inline field">
-							<label>{{ctx.Locale.Tr "repo.migrate_items"}}</label>
+							<label>{{ctx.Locale.Tr "migrate.items.label"}}</label>
 							<div class="ui checkbox">
 								<input name="issues" type="checkbox" {{if .issues}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_issues"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.issues"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="pull_requests" type="checkbox" {{if .pull_requests}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_pullrequests"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.pull_requests"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="labels" type="checkbox" {{if .labels}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_labels"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.labels"}}</label>
 							</div>
 						</div>
 						<div class="inline field">
 							<label></label>
 							<div class="ui checkbox">
 								<input name="milestones" type="checkbox" {{if .milestones}}checked{{end}}>
-								<label>{{ctx.Locale.Tr "repo.migrate_items_milestones"}}</label>
+								<label>{{ctx.Locale.Tr "migrate.items.milestones"}}</label>
 							</div>
 						</div>
 					</div>
diff --git a/templates/repo/release_tag_header.tmpl b/templates/repo/release_tag_header.tmpl
index 9044bd6043..0e39076aca 100644
--- a/templates/repo/release_tag_header.tmpl
+++ b/templates/repo/release_tag_header.tmpl
@@ -4,9 +4,9 @@
 {{if $canReadReleases}}
 	<div class="list-header tw-justify-between">
 		<div class="switch">
-			<a class="{{if and .PageIsReleaseList (not .PageIsSingleTag)}}active {{end}}item" href="{{.RepoLink}}/releases{{if .Keyword}}?q={{.Keyword}}{{end}}">{{ctx.Locale.TrN .NumReleases "repo.n_release_one" "repo.n_release_few" (ctx.Locale.PrettyNumber .NumReleases)}}</a>
+			<a class="{{if and .PageIsReleaseList (not .PageIsSingleTag)}}active {{end}}item" href="{{.RepoLink}}/releases{{if .Keyword}}?q={{.Keyword}}{{end}}">{{ctx.Locale.TrPluralString .NumReleases "counters.n_releases" (ctx.Locale.PrettyNumber .NumReleases)}}</a>
 			{{if $canReadCode}}
-				<a class="{{if or .PageIsTagList .PageIsSingleTag}}active {{end}}item" href="{{.RepoLink}}/tags{{if .Keyword}}?q={{.Keyword}}{{end}}">{{ctx.Locale.TrN .NumTags "repo.n_tag_one" "repo.n_tag_few" (ctx.Locale.PrettyNumber .NumTags)}}</a>
+				<a class="{{if or .PageIsTagList .PageIsSingleTag}}active {{end}}item" href="{{.RepoLink}}/tags{{if .Keyword}}?q={{.Keyword}}{{end}}">{{ctx.Locale.TrPluralString .NumTags "counters.n_tags" (ctx.Locale.PrettyNumber .NumTags)}}</a>
 			{{end}}
 		</div>
 		{{if .ShowReleaseSearch}}
diff --git a/templates/repo/sub_menu.tmpl b/templates/repo/sub_menu.tmpl
index 96ecfdb50c..c476df0e7a 100644
--- a/templates/repo/sub_menu.tmpl
+++ b/templates/repo/sub_menu.tmpl
@@ -3,14 +3,14 @@
 	<div class="ui segment repository-menu">
 		{{if and (.Permission.CanRead $.UnitTypeCode) (not .IsEmptyRepo)}}
 			<a class="item muted {{if .PageIsCommits}}active{{end}}" href="{{.RepoLink}}/commits/{{.BranchNameSubURL}}">
-				{{svg "octicon-history"}} {{ctx.Locale.TrN .CommitsCount "repo.n_commit_one" "repo.n_commit_few" (printf "<b>%s</b>" (ctx.Locale.PrettyNumber .CommitsCount) | TrustHTML)}}
+				{{svg "octicon-history"}} {{ctx.Locale.TrPluralString .CommitsCount "counters.n_commits" (printf "<b>%s</b>" (ctx.Locale.PrettyNumber .CommitsCount) | TrustHTML)}}
 			</a>
 			<a class="item muted {{if .PageIsBranches}}active{{end}}" href="{{.RepoLink}}/branches">
-				{{svg "octicon-git-branch"}} {{ctx.Locale.TrN .BranchesCount "repo.n_branch_one" "repo.n_branch_few" (printf "<b>%s</b>" (ctx.Locale.PrettyNumber .BranchesCount) | TrustHTML)}}
+				{{svg "octicon-git-branch"}} {{ctx.Locale.TrPluralString .BranchesCount "counters.n_branches" (printf "<b>%s</b>" (ctx.Locale.PrettyNumber .BranchesCount) | TrustHTML)}}
 			</a>
 			{{if $.Permission.CanRead $.UnitTypeCode}}
 				<a class="item muted {{if .PageIsTagList}}active{{end}}" href="{{.RepoLink}}/tags">
-					{{svg "octicon-tag"}} {{ctx.Locale.TrN .NumTags "repo.n_tag_one" "repo.n_tag_few" (printf "<b>%s</b>" (ctx.Locale.PrettyNumber .NumTags) | TrustHTML)}}
+					{{svg "octicon-tag"}} {{ctx.Locale.TrPluralString .NumTags "counters.n_tags" (printf "<b>%s</b>" (ctx.Locale.PrettyNumber .NumTags) | TrustHTML)}}
 				</a>
 			{{end}}
 			<span class="item" {{if not (eq .Repository.Size 0)}}data-tooltip-content="{{.Repository.SizeDetailsString ctx.Locale}}"{{end}}>

From ce27a5993cc71f3d0877e54b66584df85b0943f9 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Fri, 3 Apr 2026 16:05:09 +0200
Subject: [PATCH 054/287] fix: superfluous increment of ActionTask attempt
 breaks job view (#11956)

https://codeberg.org/forgejo/forgejo/pulls/11750 missed a place where the attempt number is incremented independently. This caused the job view to break when running a reusable workflow with workflow expansion.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11956
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 models/actions/task.go                                      | 4 +---
 .../Test_tryHandleWorkflowCallOuterJob/action_run_job.yml   | 6 +++++-
 services/actions/job_emitter.go                             | 1 -
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/models/actions/task.go b/models/actions/task.go
index 1a208dad9d..ed2cab60e8 100644
--- a/models/actions/task.go
+++ b/models/actions/task.go
@@ -451,9 +451,7 @@ func CreateTaskForRunner(ctx context.Context, runner *ActionRunner, requestKey,
 }
 
 // Placeholder tasks are created when the status/content of an [ActionRunJob] is resolved by Forgejo without dispatch to
-// a runner, specifically in the case of a workflow call's outer job. It is the responsibility of the caller to
-// increment the job's Attempt field before invoking this method, and to update that field in the database, so that
-// reruns can function for placeholder tasks and provide updated outputs.
+// a runner, specifically in the case of a workflow call's outer job.
 func CreatePlaceholderTask(ctx context.Context, job *ActionRunJob, outputs map[string]string) (*ActionTask, error) {
 	actionTask := &ActionTask{
 		JobID:             job.ID,
diff --git a/services/actions/Test_tryHandleWorkflowCallOuterJob/action_run_job.yml b/services/actions/Test_tryHandleWorkflowCallOuterJob/action_run_job.yml
index 03449040ca..f710f4bf2e 100644
--- a/services/actions/Test_tryHandleWorkflowCallOuterJob/action_run_job.yml
+++ b/services/actions/Test_tryHandleWorkflowCallOuterJob/action_run_job.yml
@@ -1,6 +1,7 @@
 # Case 600 -- workflow that is not a workflow call outer job
 -
   id: 600
+  attempt: 1
   status: 1 # success
   started: 1683636528
   workflow_payload: |
@@ -18,6 +19,7 @@
 # contexts should be considered as those in `on.workflow_call.outputs`.
 -
   id: 601
+  attempt: 1
   run_id: 900
   status: 1 # success
   started: 1683636528
@@ -44,6 +46,7 @@
       workflow_call_id: b5a9f46f1f2513d7777fde50b169d323a6519e349cc175484c947ac315a209ed
 - # inner job of run 601
   id: 602
+  attempt: 1
   run_id: 900
   status: 1 # success
   job_id: outer-job.inner-job
@@ -54,7 +57,7 @@
 -
   id: 603
   run_id: 901
-  attempt: 1
+  attempt: 2
   status: 1 # success
   started: 1683636528
   needs: ["outer-job.inner-job"]
@@ -81,6 +84,7 @@
 - # inner job of run 603
   id: 604
   run_id: 901
+  attempt: 2
   status: 1 # success
   job_id: outer-job.inner-job
   task_id: 101
diff --git a/services/actions/job_emitter.go b/services/actions/job_emitter.go
index 02ad9d66f5..b23918e42f 100644
--- a/services/actions/job_emitter.go
+++ b/services/actions/job_emitter.go
@@ -597,7 +597,6 @@ func tryHandleWorkflowCallOuterJob(ctx context.Context, job *actions_model.Actio
 	)
 
 	// Insert a placeholder task with all the computed outputs
-	job.Attempt++
 	actionTask, err := actions_model.CreatePlaceholderTask(ctx, job, outputs)
 	if err != nil {
 		return nil, fmt.Errorf("failure to insert placeholder task: %w", err)

From 1d0503d6b5597d8245b064d22804fec594d7f45e Mon Sep 17 00:00:00 2001
From: Henry Catalini Smith <henry@catalinismith.se>
Date: Fri, 3 Apr 2026 16:57:53 +0200
Subject: [PATCH 055/287] Add aria-label="Copy" to copy button (#11895)

This copy button on the pull request page lacks an accessible name. You can hear the screen reader announce it as just "button" in the screen recording `button.mp4`, and then hear the amended version in `copy.mp4` where it's announced as "copy, button".

The most relevant WCAG success criteria here is [1.1.1 Non-text content](https://www.w3.org/WAI/WCAG21/Understanding/non-text-content.html).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11895
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Henry Catalini Smith <henry@catalinismith.se>
Co-committed-by: Henry Catalini Smith <henry@catalinismith.se>
---
 templates/repo/issue/view_content/sidebar/reference.tmpl | 2 +-
 tests/e2e/issue-sidebar.test.e2e.ts                      | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/templates/repo/issue/view_content/sidebar/reference.tmpl b/templates/repo/issue/view_content/sidebar/reference.tmpl
index 5083b97fc2..1b02769ad1 100644
--- a/templates/repo/issue/view_content/sidebar/reference.tmpl
+++ b/templates/repo/issue/view_content/sidebar/reference.tmpl
@@ -13,7 +13,7 @@
 	<div class="ui equal width compact grid">
 		<div class="row tw-items-center" data-tooltip-content="{{$issueReferenceLink}}">
 			<span class="text column truncate">{{$issueReferenceLink}}</span>
-			<button class="ui two wide button column tw-p-2" data-clipboard-text="{{$issueReferenceLink}}">{{svg "octicon-copy" 14}}</button>
+			<button class="ui two wide button column tw-p-2" data-tooltip-content="{{ctx.Locale.Tr "copy"}}" data-clipboard-text="{{$issueReferenceLink}}">{{svg "octicon-copy" 14}}</button>
 		</div>
 	</div>
 </div>
diff --git a/tests/e2e/issue-sidebar.test.e2e.ts b/tests/e2e/issue-sidebar.test.e2e.ts
index 6eb44be856..cf3fe607d2 100644
--- a/tests/e2e/issue-sidebar.test.e2e.ts
+++ b/tests/e2e/issue-sidebar.test.e2e.ts
@@ -378,4 +378,8 @@ test('Issue: Reference', async ({page}) => {
   await expect(page.locator('.ui.reference .truncate')).toContainText(
     'user2/repo1#1',
   );
+
+  await page.getByRole('button', {name: 'Copy'}).click();
+  const reference = await page.evaluate(() => navigator.clipboard.readText());
+  expect(reference).toBe('user2/repo1#1');
 });

From 2027ccd994158587944b24b07adf209c2a60a921 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 4 Apr 2026 02:41:07 +0200
Subject: [PATCH 056/287] Update module github.com/mattn/go-sqlite3 to v1.14.40
 (forgejo) (#11977)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) | `v1.14.38` → `v1.14.40` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fmattn%2fgo-sqlite3/v1.14.40?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fmattn%2fgo-sqlite3/v1.14.38/v1.14.40?slim=true) |

---

### Release Notes

<details>
<summary>mattn/go-sqlite3 (github.com/mattn/go-sqlite3)</summary>

### [`v1.14.40`](https://github.com/mattn/go-sqlite3/compare/v1.14.39...v1.14.40)

[Compare Source](https://github.com/mattn/go-sqlite3/compare/v1.14.39...v1.14.40)

### [`v1.14.39`](https://github.com/mattn/go-sqlite3/compare/v1.14.38...v1.14.39)

[Compare Source](https://github.com/mattn/go-sqlite3/compare/v1.14.38...v1.14.39)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMSIsInRhcmdldEJyYW5jaCI6ImZvcmdlam8iLCJsYWJlbHMiOlsiZGVwZW5kZW5jeS11cGdyYWRlIiwidGVzdC9ub3QtbmVlZGVkIl19-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11977
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 24de250644..317dd8ac3a 100644
--- a/go.mod
+++ b/go.mod
@@ -75,7 +75,7 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.11
 	github.com/markbates/goth v1.82.0
 	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-sqlite3 v1.14.38
+	github.com/mattn/go-sqlite3 v1.14.40
 	github.com/meilisearch/meilisearch-go v0.36.0
 	github.com/mholt/archives v0.1.5
 	github.com/microcosm-cc/bluemonday v1.0.27
diff --git a/go.sum b/go.sum
index 11678e62ab..438aa11cfa 100644
--- a/go.sum
+++ b/go.sum
@@ -519,8 +519,8 @@ github.com/mattn/go-runewidth v0.0.17 h1:78v8ZlW0bP43XfmAfPsdXcoNCelfMHsDmd/pkEN
 github.com/mattn/go-runewidth v0.0.17/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
-github.com/mattn/go-sqlite3 v1.14.38 h1:tDUzL85kMvOrvpCt8P64SbGgVFtJB11GPi2AdmITgb4=
-github.com/mattn/go-sqlite3 v1.14.38/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.40 h1:f7+saIsbq4EF86mUqe0uiecQOJYMOdfi5uATADmUG94=
+github.com/mattn/go-sqlite3 v1.14.40/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
 github.com/meilisearch/meilisearch-go v0.36.0 h1:N1etykTektXt5KPcSbhBO0d5Xx5NaKj4pJWEM7WA5dI=
 github.com/meilisearch/meilisearch-go v0.36.0/go.mod h1:HBfHzKMxcSbTOvqdfuRA/yf6Vk9IivcwKocWRuW7W78=
 github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=

From 267f90c97a46b333c6f8db897f6554be664c38a6 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 4 Apr 2026 03:54:32 +0200
Subject: [PATCH 057/287] Update module code.forgejo.org/go-chi/session to
 v1.0.4 (forgejo) (#11976)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [code.forgejo.org/go-chi/session](https://code.forgejo.org/go-chi/session) | `v1.0.3` → `v1.0.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/code.forgejo.org%2fgo-chi%2fsession/v1.0.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/code.forgejo.org%2fgo-chi%2fsession/v1.0.3/v1.0.4?slim=true) |

---

### Release Notes

<details>
<summary>go-chi/session (code.forgejo.org/go-chi/session)</summary>

### [`v1.0.4`](https://code.forgejo.org/go-chi/session/compare/v1.0.3...v1.0.4)

[Compare Source](https://code.forgejo.org/go-chi/session/compare/v1.0.3...v1.0.4)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMSIsInRhcmdldEJyYW5jaCI6ImZvcmdlam8iLCJsYWJlbHMiOlsiZGVwZW5kZW5jeS11cGdyYWRlIiwidGVzdC9ub3QtbmVlZGVkIl19-->

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11976
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 assets/go-licenses.json | 5 -----
 go.mod                  | 3 +--
 go.sum                  | 6 ++----
 3 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index dd1d033d1a..330b5cbed6 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -869,11 +869,6 @@
     "path": "github.com/klauspost/pgzip/LICENSE",
     "licenseText": "The MIT License (MIT)\n\nCopyright (c) 2014 Klaus Post\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
   },
-  {
-    "name": "github.com/lib/pq",
-    "path": "github.com/lib/pq/LICENSE",
-    "licenseText": "MIT License\n\nCopyright (c) 2011-2013, 'pq' Contributors. Portions Copyright (c) 2011 Blake Mizerany\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
-  },
   {
     "name": "github.com/libdns/libdns",
     "path": "github.com/libdns/libdns/LICENSE",
diff --git a/go.mod b/go.mod
index 317dd8ac3a..c02310548b 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 	code.forgejo.org/go-chi/binding v1.0.1
 	code.forgejo.org/go-chi/cache v1.0.1
 	code.forgejo.org/go-chi/captcha v1.0.2
-	code.forgejo.org/go-chi/session v1.0.3
+	code.forgejo.org/go-chi/session v1.0.4
 	code.gitea.io/sdk/gitea v0.21.0
 	code.superseriousbusiness.org/exif-terminator v0.11.1
 	code.superseriousbusiness.org/go-jpeg-image-structure/v2 v2.3.0
@@ -208,7 +208,6 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/crc32 v1.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/lib/pq v1.11.2 // indirect
 	github.com/libdns/libdns v1.0.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/markbates/going v1.0.3 // indirect
diff --git a/go.sum b/go.sum
index 438aa11cfa..8c06077317 100644
--- a/go.sum
+++ b/go.sum
@@ -40,8 +40,8 @@ code.forgejo.org/go-chi/cache v1.0.1 h1:w6IsDcPbeEnEYZn7M2HJe3/3/Ehtcw/72VjcVK7+
 code.forgejo.org/go-chi/cache v1.0.1/go.mod h1:K3aQSyRIN4xiuqV1kanfQ6O4ToDpzDpY3bNOyGjFe3U=
 code.forgejo.org/go-chi/captcha v1.0.2 h1:vyHDPXkpjDv8bLO9NqtWzZayzstD/WpJ5xwEkAaqZGQ=
 code.forgejo.org/go-chi/captcha v1.0.2/go.mod h1:lxiPLcJ76UCZHoH31/Wbum4GUi2NgjfFZLrJkKv1lLE=
-code.forgejo.org/go-chi/session v1.0.3 h1:ByJ9c/UC0AU57hxiGl53TXh+NdBOBwK/bhZ9jyadEwE=
-code.forgejo.org/go-chi/session v1.0.3/go.mod h1:xzGtFrV/agCJoZCUhFDlqAr1he6BrAdqlaprKOB1W90=
+code.forgejo.org/go-chi/session v1.0.4 h1:WQ1NaVxcCpxYwCliEGypKclZnOCjh3p1fk8XciJc62U=
+code.forgejo.org/go-chi/session v1.0.4/go.mod h1:+sSTiomM5C8AUPtxZyTENIbcTz22kcVottKO0lnmDRk=
 code.forgejo.org/xorm/xorm v1.3.9-forgejo.9 h1:hzEXDa53opdp5nrGG4F6y8HzFzrGXd5GIvFyUHcvGmI=
 code.forgejo.org/xorm/xorm v1.3.9-forgejo.9/go.mod h1:A7sFd3BFmRp20h6drSsCXgQRQdF8Vz8HuCSrzFS3m90=
 code.gitea.io/sdk/gitea v0.21.0 h1:69n6oz6kEVHRo1+APQQyizkhrZrLsTLXey9142pfkD4=
@@ -500,8 +500,6 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
-github.com/lib/pq v1.11.2 h1:x6gxUeu39V0BHZiugWe8LXZYZ+Utk7hSJGThs8sdzfs=
-github.com/lib/pq v1.11.2/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
 github.com/libdns/libdns v1.0.0 h1:IvYaz07JNz6jUQ4h/fv2R4sVnRnm77J/aOuC9B+TQTA=
 github.com/libdns/libdns v1.0.0/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=

From e4bd84b574f66c6ef8a25e29561832f44a6dbcc4 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 4 Apr 2026 04:32:32 +0200
Subject: [PATCH 058/287] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.1.9 (forgejo) (#11980)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [https://data.forgejo.org/actions/setup-forgejo](https://code.forgejo.org/actions/setup-forgejo) | action | patch | `v3.1.8` → `v3.1.9` |

---

### Release Notes

<details>
<summary>actions/setup-forgejo (https://data.forgejo.org/actions/setup-forgejo)</summary>

### [`v3.1.9`](https://code.forgejo.org/actions/setup-forgejo/compare/v3.1.8...v3.1.9)

[Compare Source](https://code.forgejo.org/actions/setup-forgejo/compare/v3.1.8...v3.1.9)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMSIsInRhcmdldEJyYW5jaCI6ImZvcmdlam8iLCJsYWJlbHMiOlsiZGVwZW5kZW5jeS11cGdyYWRlIiwidGVzdC9ub3QtbmVlZGVkIl19-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11980
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/workflows/build-release-integration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/build-release-integration.yml b/.forgejo/workflows/build-release-integration.yml
index 1bec8b7dfa..25a7a6cf44 100644
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@@ -32,7 +32,7 @@ jobs:
       - uses: https://data.forgejo.org/actions/checkout@v6
 
       - id: forgejo
-        uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.8
+        uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.9
         with:
           user: root
           password: admin1234

From 6a99b6b0c163cf7fd845add6af5394d2e158b522 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sat, 4 Apr 2026 13:53:22 +0200
Subject: [PATCH 059/287] fix: store pull mirror creds encrypted with keying
 (#11909)

Fixes #9629.

New pull mirrors have credentials stored encrypted in the database, the same as push mirrors, rather than in the repository's `config` file.  `git fetch` on the pull mirror is updated to use the credential store.  Pull mirrors will have their credentials migrated to the encrypted storage in the database as they're synced or otherwise accessed via the web UI.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11909
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 .../v15c_add_mirror_remoteaddressauth.go      |  30 +
 models/repo/mirror.go                         |  79 ++-
 modules/git/command.go                        |  49 ++
 modules/git/repo.go                           |  42 +-
 modules/keying/keying.go                      |   2 +
 modules/templates/util_misc.go                |  15 +-
 routers/web/repo/setting/setting.go           |  28 +-
 services/mirror/mirror_pull.go                | 110 ++--
 services/repository/migrate.go                |   7 +-
 templates/repo/header.tmpl                    |   3 +-
 templates/repo/settings/options.tmpl          |   4 +-
 tests/integration/mirror_pull_test.go         | 587 ++++++++++++++++--
 12 files changed, 774 insertions(+), 182 deletions(-)
 create mode 100644 models/forgejo_migrations/v15c_add_mirror_remoteaddressauth.go

diff --git a/models/forgejo_migrations/v15c_add_mirror_remoteaddressauth.go b/models/forgejo_migrations/v15c_add_mirror_remoteaddressauth.go
new file mode 100644
index 0000000000..b2f30235ad
--- /dev/null
+++ b/models/forgejo_migrations/v15c_add_mirror_remoteaddressauth.go
@@ -0,0 +1,30 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package forgejo_migrations
+
+import (
+	"xorm.io/xorm"
+)
+
+func init() {
+	registerMigration(&Migration{
+		Description: "replace remote_address with encrypted_remote_address in table mirror",
+		Upgrade:     addMirrorRemoteAddressAuth,
+	})
+}
+
+func addMirrorRemoteAddressAuth(x *xorm.Engine) error {
+	type Mirror struct {
+		EncryptedRemoteAddress []byte `xorm:"BLOB NULL"`
+	}
+	if _, err := x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, new(Mirror)); err != nil {
+		return err
+	}
+	// No data migration is necessary or desired.  `remote_address` contains sanitized URLs which don't have
+	// credentials, so they can't be migrated to `encrypted_remote_address`. Instead, as this data is accessed,
+	// `DecryptOrRecoverRemoteAddress` will recover the fully credentialed contents of the remote address from the git
+	// repo's `origin` remote address.
+	_, err := x.Exec("ALTER TABLE `mirror` DROP COLUMN `remote_address`")
+	return err
+}
diff --git a/models/repo/mirror.go b/models/repo/mirror.go
index 1fe9afd8e9..c64f9dc734 100644
--- a/models/repo/mirror.go
+++ b/models/repo/mirror.go
@@ -6,10 +6,14 @@ package repo
 
 import (
 	"context"
+	"errors"
+	"net/url"
 	"time"
 
 	"forgejo.org/models/db"
+	"forgejo.org/modules/keying"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/util"
 )
@@ -31,7 +35,9 @@ type Mirror struct {
 	LFS         bool   `xorm:"lfs_enabled NOT NULL DEFAULT false"`
 	LFSEndpoint string `xorm:"lfs_endpoint TEXT"`
 
-	RemoteAddress string `xorm:"VARCHAR(2048)"`
+	// Encrypted remote address w/ credentials; can be NULL if a mirror has not performed a sync since this field was
+	// introduced, in which case the remote address exists only in the repo's configured git remote on disk.
+	EncryptedRemoteAddress []byte `xorm:"BLOB NULL"`
 }
 
 func init() {
@@ -73,6 +79,71 @@ func (m *Mirror) ScheduleNextUpdate() {
 	}
 }
 
+// InsertMirror inserts a mirror to database. RemoteAddress must be provided so that it can be encrypted and stored
+// during the insert process.
+func (m *Mirror) InsertWithAddress(ctx context.Context, addr string) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		if _, err := db.GetEngine(ctx).Insert(m); err != nil {
+			return err
+		}
+		return m.UpdateRemoteAddress(ctx, addr)
+	})
+}
+
+// Stores a credential-free version of the address in `RemoteAddress`, encrypts the original into `RemoteAddressAuth`,
+// and stores both in the database. The ID of the mirror must be known, so this must be done after the mirror is
+// inserted.
+func (m *Mirror) UpdateRemoteAddress(ctx context.Context, addr string) error {
+	if m.ID == 0 {
+		return errors.New("must persist mirror to database before using UpdateRemoteAddress")
+	}
+
+	m.EncryptedRemoteAddress = keying.PullMirror.Encrypt(
+		[]byte(addr),
+		keying.ColumnAndID("remote_address_auth", m.ID),
+	)
+	_, err := db.GetEngine(ctx).ID(m.ID).Cols("encrypted_remote_address").Update(m)
+	return err
+}
+
+// Retrieves the encrypted remote address and decrypts it. Note that this field is expected to be absent for mirrors
+// created before the introduction of EncryptedRemoteAddress, in which case credentials are not known to Forgejo
+// directly (but may be on-disk in the repository's config file) and None will be returned.
+func (m *Mirror) DecryptRemoteAddress() (optional.Option[string], error) {
+	if m.EncryptedRemoteAddress == nil {
+		return optional.None[string](), nil
+	}
+
+	contents, err := keying.PullMirror.Decrypt(m.EncryptedRemoteAddress, keying.ColumnAndID("remote_address_auth", m.ID))
+	if err != nil {
+		return optional.None[string](), err
+	}
+	return optional.Some(string(contents)), nil
+}
+
+// Retrieves the remote address but sanitizes it of sensitive credentials. May be absent for mirrors created before the
+// introduction of EncryptedRemoteAddress.
+func (m *Mirror) SanitizedRemoteAddress() (optional.Option[string], error) {
+	maybeAddr, err := m.DecryptRemoteAddress()
+	if err != nil {
+		return optional.None[string](), err
+	} else if has, addr := maybeAddr.Get(); has {
+		parsedURL, err := url.Parse(addr)
+		if err != nil {
+			return optional.None[string](), err
+		}
+
+		// Remove the password if present.  Retain the username for consistency with `AddAuthCredentialHelperForRemote`
+		// which retains the username for the `git clone` command line, which ends up as the remote URL in the mirror's
+		// git config.
+		if parsedURL.User != nil {
+			parsedURL.User = url.User(parsedURL.User.Username())
+		}
+		return optional.Some(parsedURL.String()), nil
+	}
+	return optional.None[string](), nil
+}
+
 // GetMirrorByRepoID returns mirror information of a repository.
 func GetMirrorByRepoID(ctx context.Context, repoID int64) (*Mirror, error) {
 	m := &Mirror{RepoID: repoID}
@@ -115,9 +186,3 @@ func MirrorsIterate(ctx context.Context, limit int, f func(idx int, bean any) er
 	}
 	return sess.Iterate(new(Mirror), f)
 }
-
-// InsertMirror inserts a mirror to database
-func InsertMirror(ctx context.Context, mirror *Mirror) error {
-	_, err := db.GetEngine(ctx).Insert(mirror)
-	return err
-}
diff --git a/modules/git/command.go b/modules/git/command.go
index bf1d624dbf..4ab081418b 100644
--- a/modules/git/command.go
+++ b/modules/git/command.go
@@ -10,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net/url"
 	"os"
 	"os/exec"
 	"runtime/trace"
@@ -446,6 +447,54 @@ func (c *Command) RunStdBytes(opts *RunOpts) (stdout, stderr []byte, runErr RunS
 	return stdoutBuf.Bytes(), stderr, nil
 }
 
+// If `remoteURL` is a URL with a password in it, add parameters to the git command that will read that password from a
+// credential store file, and return the URL that should be used in the command instead of the original, and a cleanup
+// function to call to remove the credential file. If `remoteURL` doesn't have a password, then it is returned as-is.
+// This function must be invoked on the the git command before the git sub-command -- eg. before the `clone` or `fetch`
+// parameter is added to the command's args.
+func (c *Command) AddAuthCredentialHelperForRemote(remoteURL string) (commandURL string, cleanup func(), err error) {
+	parsedFromURL, _ := url.Parse(remoteURL)
+
+	// If the clone URL has credentials, build a credential file for usage by git-credential-store
+	// to prevent credential leak in the process list.
+	// https://git-scm.com/docs/git-credential-store#_storage_format
+	// credential.helper adjustment must be set before the git subcommand
+	if strings.Contains(remoteURL, "://") && strings.Contains(remoteURL, "@") && parsedFromURL != nil {
+		credentialsFile, err := os.CreateTemp("", "forgejo-clone-credentials-")
+		if err != nil {
+			return "", nil, err
+		}
+		credentialsPath := credentialsFile.Name()
+
+		cleanup := func() {
+			_ = credentialsFile.Close()
+			if err := util.Remove(credentialsPath); err != nil {
+				log.Warn("Unable to remove temporary file %q: %v", credentialsPath, err)
+			}
+		}
+		_, err = credentialsFile.Write([]byte(parsedFromURL.String()))
+		if err != nil {
+			cleanup()
+			return "", nil, err
+		}
+		err = credentialsFile.Close()
+		if err != nil {
+			cleanup()
+			return "", nil, err
+		}
+
+		c.AddArguments("-c").AddDynamicArguments("credential.helper=store --file=" + credentialsPath)
+
+		// remove the password from the URL argument
+		parsedFromURL.User = url.User(parsedFromURL.User.Username())
+		commandURL = parsedFromURL.String()
+
+		return commandURL, cleanup, nil
+	}
+
+	return remoteURL, func() {}, nil
+}
+
 // AllowLFSFiltersArgs return globalCommandArgs with lfs filter, it should only be used for tests
 func AllowLFSFiltersArgs() TrustedCmdArgs {
 	// Now here we should explicitly allow lfs filters to run
diff --git a/modules/git/repo.go b/modules/git/repo.go
index 6bd03f8e3c..8f9b95f1f2 100644
--- a/modules/git/repo.go
+++ b/modules/git/repo.go
@@ -18,7 +18,6 @@ import (
 	"strings"
 	"time"
 
-	"forgejo.org/modules/log"
 	"forgejo.org/modules/proxy"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/util"
@@ -141,44 +140,13 @@ func CloneWithArgs(ctx context.Context, args TrustedCmdArgs, from, to string, op
 		envs = proxy.EnvWithProxy(parsedFromURL)
 	}
 
-	fromURL := from
-	sanitizedFrom := from
+	sanitizedFrom := util.SanitizeCredentialURLs(from)
 
-	// If the clone URL has credentials, build a credential file for usage by git-credential-store
-	// to prevent credential leak in the process list.
-	// https://git-scm.com/docs/git-credential-store#_storage_format
-	// credential.helper adjustment must be set before the git subcommand
-	if strings.Contains(from, "://") && strings.Contains(from, "@") {
-		sanitizedFrom = util.SanitizeCredentialURLs(from)
-		if parsedFromURL != nil {
-			credentialsFile, err := os.CreateTemp("", "forgejo-clone-credentials-")
-			if err != nil {
-				return err
-			}
-			credentialsPath := credentialsFile.Name()
-
-			defer func() {
-				_ = credentialsFile.Close()
-				if err := util.Remove(credentialsPath); err != nil {
-					log.Warn("Unable to remove temporary file %q: %v", credentialsPath, err)
-				}
-			}()
-			_, err = credentialsFile.Write([]byte(parsedFromURL.String()))
-			if err != nil {
-				return err
-			}
-			err = credentialsFile.Close()
-			if err != nil {
-				return err
-			}
-
-			cmd.AddArguments("-c").AddDynamicArguments("credential.helper=store --file=" + credentialsPath)
-
-			// remove the password from the URL argument
-			parsedFromURL.User = url.User(parsedFromURL.User.Username())
-			fromURL = parsedFromURL.String()
-		}
+	fromURL, cleanup, err := cmd.AddAuthCredentialHelperForRemote(from)
+	if err != nil {
+		return err
 	}
+	defer cleanup()
 
 	cmd.AddArguments("clone")
 
diff --git a/modules/keying/keying.go b/modules/keying/keying.go
index 751fd77521..14fbaaca98 100644
--- a/modules/keying/keying.go
+++ b/modules/keying/keying.go
@@ -41,6 +41,8 @@ var (
 	MigrateTask = deriveKey("migrate_repo_task")
 	// Used for the `webhook` table.
 	Webhook = deriveKey("webhook")
+	// Used for the `mirror` table.
+	PullMirror = deriveKey("pullmirror")
 )
 
 var (
diff --git a/modules/templates/util_misc.go b/modules/templates/util_misc.go
index 60f918be47..8e1ef71f5d 100644
--- a/modules/templates/util_misc.go
+++ b/modules/templates/util_misc.go
@@ -17,12 +17,11 @@ import (
 	asymkey_model "forgejo.org/models/asymkey"
 	repo_model "forgejo.org/models/repo"
 	user_model "forgejo.org/models/user"
-	"forgejo.org/modules/git"
-	giturl "forgejo.org/modules/git/url"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/repository"
 	"forgejo.org/modules/svg"
+	mirror_service "forgejo.org/services/mirror"
 
 	"github.com/editorconfig/editorconfig-core-go/v2"
 )
@@ -164,17 +163,11 @@ type remoteAddress struct {
 	Password string
 }
 
-func mirrorRemoteAddress(ctx context.Context, m *repo_model.Repository, remoteName string) remoteAddress {
+func mirrorRemoteAddress(ctx context.Context, mirror *repo_model.Mirror) remoteAddress {
 	ret := remoteAddress{}
-	remoteURL, err := git.GetRemoteAddress(ctx, m.RepoPath(), remoteName)
+	u, err := mirror_service.DecryptOrRecoverRemoteAddress(ctx, mirror)
 	if err != nil {
-		log.Error("GetRemoteURL %v", err)
-		return ret
-	}
-
-	u, err := giturl.Parse(remoteURL)
-	if err != nil {
-		log.Error("giturl.Parse %v", err)
+		log.Error("DecryptOrRecoverRemoteAddress %v", err)
 		return ret
 	}
 
diff --git a/routers/web/repo/setting/setting.go b/routers/web/repo/setting/setting.go
index f7d0348634..b001cf961e 100644
--- a/routers/web/repo/setting/setting.go
+++ b/routers/web/repo/setting/setting.go
@@ -462,12 +462,12 @@ func SettingsPost(ctx *context.Context) {
 			return
 		}
 
-		u, err := git.GetRemoteURL(ctx, ctx.Repo.Repository.RepoPath(), pullMirror.GetRemoteName())
+		u, err := mirror_service.DecryptOrRecoverRemoteAddress(ctx, pullMirror)
 		if err != nil {
-			ctx.Data["Err_MirrorAddress"] = true
-			handleSettingRemoteAddrError(ctx, err, form)
+			ctx.ServerError("DecryptOrRecoverRemoteAddress", err)
 			return
 		}
+
 		if u.User != nil && form.MirrorPassword == "" && form.MirrorUsername == u.User.Username() {
 			form.MirrorPassword, _ = u.User.Password()
 		}
@@ -482,17 +482,25 @@ func SettingsPost(ctx *context.Context) {
 			return
 		}
 
-		if err := mirror_service.UpdateAddress(ctx, pullMirror, address); err != nil {
-			ctx.ServerError("UpdateAddress", err)
-			return
-		}
-		remoteAddress, err := util.SanitizeURL(address)
-		if err != nil {
+		if err := pullMirror.UpdateRemoteAddress(ctx, address); err != nil {
 			ctx.Data["Err_MirrorAddress"] = true
 			handleSettingRemoteAddrError(ctx, err, form)
 			return
 		}
-		pullMirror.RemoteAddress = remoteAddress
+
+		// Update the unencrypted address stored in the git config, so that future `git fetch` will access the right
+		// address. pullMirror.RemoteAddress is the sanitized no-creds version from UpdateRemoteAddress.
+		if maybeSanitizedURL, err := pullMirror.SanitizedRemoteAddress(); err != nil {
+			ctx.ServerError("SanitizedRemoteAddress", err)
+			return
+		} else if has, sanitizedURL := maybeSanitizedURL.Get(); !has {
+			// SanitizedRemoteAddress must be present after we just stored it
+			ctx.ServerError("SanitizedRemoteAddress", err)
+			return
+		} else if err := mirror_service.UpdateAddress(ctx, pullMirror, sanitizedURL); err != nil {
+			ctx.ServerError("UpdateAddress", err)
+			return
+		}
 
 		form.LFS = form.LFS && setting.LFS.StartServer
 
diff --git a/services/mirror/mirror_pull.go b/services/mirror/mirror_pull.go
index d6e1ff6c51..c5adc6105f 100644
--- a/services/mirror/mirror_pull.go
+++ b/services/mirror/mirror_pull.go
@@ -31,55 +31,27 @@ const gitShortEmptySha = "0000000"
 
 // UpdateAddress writes new address to Git repository and database
 func UpdateAddress(ctx context.Context, m *repo_model.Mirror, addr string) error {
-	u, err := giturl.Parse(addr)
-	if err != nil {
-		return fmt.Errorf("invalid addr: %v", err)
-	}
-
 	remoteName := m.GetRemoteName()
 	repoPath := m.GetRepository(ctx).RepoPath()
-	// Remove old remote
-	_, _, err = git.NewCommand(ctx, "remote", "rm").AddDynamicArguments(remoteName).RunStdString(&git.RunOpts{Dir: repoPath})
-	if err != nil && !git.IsRemoteNotExistError(err) {
-		return err
-	}
-
-	cmd := git.NewCommand(ctx, "remote", "add").AddDynamicArguments(remoteName).AddArguments("--mirror=fetch").AddDynamicArguments(addr)
-	if strings.Contains(addr, "://") && strings.Contains(addr, "@") {
-		cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=fetch %s [repo_path: %s]", remoteName, util.SanitizeCredentialURLs(addr), repoPath))
-	} else {
-		cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=fetch %s [repo_path: %s]", remoteName, addr, repoPath))
-	}
-	_, _, err = cmd.RunStdString(&git.RunOpts{Dir: repoPath})
-	if err != nil && !git.IsRemoteNotExistError(err) {
+	_, _, err := git.NewCommand(ctx, "remote", "set-url").
+		AddDynamicArguments(remoteName, addr).
+		RunStdString(&git.RunOpts{Dir: repoPath})
+	if err != nil {
 		return err
 	}
 
 	if m.Repo.HasWiki() {
 		wikiPath := m.Repo.WikiPath()
 		wikiRemotePath := repo_module.WikiRemoteURL(ctx, addr)
-		// Remove old remote of wiki
-		_, _, err = git.NewCommand(ctx, "remote", "rm").AddDynamicArguments(remoteName).RunStdString(&git.RunOpts{Dir: wikiPath})
-		if err != nil && !git.IsRemoteNotExistError(err) {
-			return err
-		}
-
-		cmd = git.NewCommand(ctx, "remote", "add").AddDynamicArguments(remoteName).AddArguments("--mirror=fetch").AddDynamicArguments(wikiRemotePath)
-		if strings.Contains(wikiRemotePath, "://") && strings.Contains(wikiRemotePath, "@") {
-			cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=fetch %s [repo_path: %s]", remoteName, util.SanitizeCredentialURLs(wikiRemotePath), wikiPath))
-		} else {
-			cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=fetch %s [repo_path: %s]", remoteName, wikiRemotePath, wikiPath))
-		}
-		_, _, err = cmd.RunStdString(&git.RunOpts{Dir: wikiPath})
-		if err != nil && !git.IsRemoteNotExistError(err) {
+		_, _, err = git.NewCommand(ctx, "remote", "set-url").
+			AddDynamicArguments(remoteName, wikiRemotePath).
+			RunStdString(&git.RunOpts{Dir: wikiPath})
+		if err != nil {
 			return err
 		}
 	}
 
-	// erase authentication before storing in database
-	u.User = nil
-	m.Repo.OriginalURL = u.String()
-	return repo_model.UpdateRepositoryCols(ctx, m.Repo, "original_url")
+	return nil
 }
 
 // mirrorSyncResult contains information of a updated reference.
@@ -262,6 +234,46 @@ func checkRecoverableSyncError(stderrMessage string) bool {
 	}
 }
 
+// Decrypt RemoteAddressAuth from the mirror. If absent on the mirror database table, fallback to the older method where
+// credentials are stored in the git config file as the remote's address, encrypt those credentials and store them in
+// the database, and wipe them from the git config file so that they're only stored in the one encrypted location in DB.
+func DecryptOrRecoverRemoteAddress(ctx context.Context, m *repo_model.Mirror) (*giturl.GitURL, error) {
+	decryptedRemoteURL, err := m.DecryptRemoteAddress()
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt remote address: %w", err)
+	}
+
+	if has, url := decryptedRemoteURL.Get(); has {
+		remoteURL, err := giturl.Parse(url)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse decrypted remote address: %w", err)
+		}
+		return remoteURL, nil
+	}
+
+	// fallback to reading remote URL from the git config file for repos that predate DecryptRemoteAddress
+	repoPath := m.GetRepository(ctx).RepoPath()
+	remoteURL, err := git.GetRemoteURL(ctx, repoPath, m.GetRemoteName())
+	if err != nil {
+		return nil, fmt.Errorf("GetRemoteAddress error: %w", err)
+	}
+
+	// Store the full address in the database
+	if err := m.UpdateRemoteAddress(ctx, remoteURL.URL.String()); err != nil {
+		return nil, fmt.Errorf("UpdateRemoteAddress error: %w", err)
+	}
+
+	// Update the git config file to just contain the sanitized address
+	if maybeSanitizedURL, err := m.SanitizedRemoteAddress(); err != nil {
+		return nil, fmt.Errorf("SanitizedRemoteAddress error: %w", err)
+	} else if has, sanitizedURL := maybeSanitizedURL.Get(); !has {
+		return nil, fmt.Errorf("SanitizedRemoteAddress must be present after we just stored it, but had error: %w", err)
+	} else if err := UpdateAddress(ctx, m, sanitizedURL); err != nil {
+		return nil, fmt.Errorf("UpdateAddress error: %w", err)
+	}
+	return remoteURL, nil
+}
+
 // runSync returns true if sync finished without error.
 func runSync(ctx context.Context, m *repo_model.Mirror) ([]*mirrorSyncResult, bool) {
 	repoPath := m.Repo.RepoPath()
@@ -270,19 +282,29 @@ func runSync(ctx context.Context, m *repo_model.Mirror) ([]*mirrorSyncResult, bo
 
 	log.Trace("SyncMirrors [repo: %-v]: running git remote update...", m.Repo)
 
+	remoteURL, err := DecryptOrRecoverRemoteAddress(ctx, m)
+	if err != nil {
+		log.Error("SyncMirrors [repo: %-v]: failed to get remote address: %v", m.Repo, err)
+		return nil, false
+	}
+
+	cmd := git.NewCommand(ctx)
+
+	// Setup credential helper to authenticate the fetch; needs to occur before the `fetch` arg.
+	_, credCleanup, err := cmd.AddAuthCredentialHelperForRemote(remoteURL.URL.String())
+	if err != nil {
+		log.Error("SyncMirrors [repo: %-v]: AddAuthCredentialHelperForRemote Error %v", m.Repo, err)
+		return nil, false
+	}
+	defer credCleanup()
+
 	// use fetch but not remote update because git fetch support --tags but remote update doesn't
-	cmd := git.NewCommand(ctx, "fetch")
+	cmd.AddArguments("fetch")
 	if m.EnablePrune {
 		cmd.AddArguments("--prune")
 	}
 	cmd.AddArguments("--tags").AddDynamicArguments(m.GetRemoteName())
 
-	remoteURL, remoteErr := git.GetRemoteURL(ctx, repoPath, m.GetRemoteName())
-	if remoteErr != nil {
-		log.Error("SyncMirrors [repo: %-v]: GetRemoteAddress Error %v", m.Repo, remoteErr)
-		return nil, false
-	}
-
 	envs := proxy.EnvWithProxy(remoteURL.URL)
 
 	stdoutBuilder := strings.Builder{}
diff --git a/services/repository/migrate.go b/services/repository/migrate.go
index 80f5d68231..46b48d02d3 100644
--- a/services/repository/migrate.go
+++ b/services/repository/migrate.go
@@ -182,17 +182,12 @@ func MigrateRepositoryGitData(ctx context.Context, u *user_model.User,
 	defer committer.Close()
 
 	if opts.Mirror {
-		remoteAddress, err := util.SanitizeURL(opts.CloneAddr)
-		if err != nil {
-			return repo, err
-		}
 		mirrorModel := repo_model.Mirror{
 			RepoID:         repo.ID,
 			Interval:       setting.Mirror.DefaultInterval,
 			EnablePrune:    true,
 			NextUpdateUnix: timeutil.TimeStampNow().AddDuration(setting.Mirror.DefaultInterval),
 			LFS:            opts.LFS,
-			RemoteAddress:  remoteAddress,
 		}
 		if opts.LFS {
 			mirrorModel.LFSEndpoint = opts.LFSEndpoint
@@ -217,7 +212,7 @@ func MigrateRepositoryGitData(ctx context.Context, u *user_model.User,
 			}
 		}
 
-		if err = repo_model.InsertMirror(ctx, &mirrorModel); err != nil {
+		if err = mirrorModel.InsertWithAddress(ctx, opts.CloneAddr); err != nil {
 			return repo, fmt.Errorf("InsertOne: %w", err)
 		}
 
diff --git a/templates/repo/header.tmpl b/templates/repo/header.tmpl
index 513758a149..44254aae82 100644
--- a/templates/repo/header.tmpl
+++ b/templates/repo/header.tmpl
@@ -77,9 +77,10 @@
 			{{end}}
 		</div>
 		{{if $.PullMirror}}
+			{{$address := MirrorRemoteAddress $.Context $.PullMirror}}
 			<div class="fork-flag">
 				{{ctx.Locale.Tr "repo.mirror_from"}}
-				<a target="_blank" rel="noopener noreferrer" href="{{$.PullMirror.RemoteAddress}}">{{$.PullMirror.RemoteAddress}}</a>
+				<a target="_blank" rel="noopener noreferrer" href="{{$address.Address}}">{{$address.Address}}</a>
 				{{if $.PullMirror.UpdatedUnix}}{{ctx.Locale.Tr "repo.mirror_sync"}} {{DateUtils.TimeSince $.PullMirror.UpdatedUnix}}{{end}}
 			</div>
 		{{end}}
diff --git a/templates/repo/settings/options.tmpl b/templates/repo/settings/options.tmpl
index fa25f4630a..137be0f334 100644
--- a/templates/repo/settings/options.tmpl
+++ b/templates/repo/settings/options.tmpl
@@ -148,9 +148,10 @@
 								</tr>
 							</tbody>
 						{{else if $isWorkingPullMirror}}
+						{{$address := MirrorRemoteAddress $.Context .PullMirror}}
 						<tbody>
 							<tr>
-								<td>{{.PullMirror.RemoteAddress}}</td>
+								<td>{{$address.Address}}</td>
 								<td>{{ctx.Locale.Tr "repo.settings.mirror_settings.direction.pull"}}</td>
 								<td>{{DateUtils.FullTime .PullMirror.UpdatedUnix}}</td>
 								<td class="right aligned">
@@ -176,7 +177,6 @@
 											<label for="interval">{{ctx.Locale.Tr "repo.mirror_interval" .MinimumMirrorInterval}}</label>
 											<input id="interval" name="interval" value="{{.PullMirror.Interval}}">
 										</div>
-										{{$address := MirrorRemoteAddress $.Context .Repository .PullMirror.GetRemoteName}}
 										<div class="field {{if .Err_MirrorAddress}}error{{end}}">
 											<label for="mirror_address">{{ctx.Locale.Tr "repo.mirror_address"}}</label>
 											<input id="mirror_address" name="mirror_address" value="{{$address.Address}}" required>
diff --git a/tests/integration/mirror_pull_test.go b/tests/integration/mirror_pull_test.go
index 03d4bdcf92..a0de586aaa 100644
--- a/tests/integration/mirror_pull_test.go
+++ b/tests/integration/mirror_pull_test.go
@@ -5,9 +5,16 @@
 package integration
 
 import (
+	"fmt"
 	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"strings"
 	"testing"
+	"time"
 
+	"forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unittest"
@@ -15,94 +22,546 @@ import (
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/gitrepo"
 	"forgejo.org/modules/migration"
+	"forgejo.org/modules/optional"
+	"forgejo.org/modules/process"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/structs"
 	app_context "forgejo.org/services/context"
+	"forgejo.org/services/forms"
+	"forgejo.org/services/migrations"
 	mirror_service "forgejo.org/services/mirror"
 	release_service "forgejo.org/services/release"
 	repo_service "forgejo.org/services/repository"
+	files_service "forgejo.org/services/repository/files"
 	"forgejo.org/tests"
 
+	"github.com/PuerkitoBio/goquery"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
 func TestMirrorPull(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
+	t.Run("Basic", func(t *testing.T) {
+		defer tests.PrepareTestEnv(t)()
 
-	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
-	repoPath := repo_model.RepoPath(user.Name, repo.Name)
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+		repoPath := repo_model.RepoPath(user.Name, repo.Name)
 
-	opts := migration.MigrateOptions{
-		RepoName:    "test_mirror",
-		Description: "Test mirror",
-		Private:     false,
-		Mirror:      true,
-		CloneAddr:   repoPath,
-		Wiki:        true,
-		Releases:    false,
-	}
+		opts := migration.MigrateOptions{
+			RepoName:    "test_mirror",
+			Description: "Test mirror",
+			Private:     false,
+			Mirror:      true,
+			CloneAddr:   repoPath,
+			Wiki:        true,
+			Releases:    false,
+		}
 
-	mirrorRepo, err := repo_service.CreateRepositoryDirectly(db.DefaultContext, user, user, repo_service.CreateRepoOptions{
-		Name:        opts.RepoName,
-		Description: opts.Description,
-		IsPrivate:   opts.Private,
-		IsMirror:    opts.Mirror,
-		Status:      repo_model.RepositoryBeingMigrated,
+		mirrorRepo, err := repo_service.CreateRepositoryDirectly(db.DefaultContext, user, user, repo_service.CreateRepoOptions{
+			Name:        opts.RepoName,
+			Description: opts.Description,
+			IsPrivate:   opts.Private,
+			IsMirror:    opts.Mirror,
+			Status:      repo_model.RepositoryBeingMigrated,
+		})
+		require.NoError(t, err)
+		assert.True(t, mirrorRepo.IsMirror, "expected pull-mirror repo to be marked as a mirror immediately after its creation")
+
+		ctx := t.Context()
+
+		mirror, err := repo_service.MigrateRepositoryGitData(ctx, user, mirrorRepo, opts, nil)
+		require.NoError(t, err)
+
+		gitRepo, err := gitrepo.OpenRepository(git.DefaultContext, repo)
+		require.NoError(t, err)
+		defer gitRepo.Close()
+
+		findOptions := repo_model.FindReleasesOptions{
+			IncludeDrafts: true,
+			IncludeTags:   true,
+			RepoID:        mirror.ID,
+		}
+		initCount, err := db.Count[repo_model.Release](db.DefaultContext, findOptions)
+		require.NoError(t, err)
+
+		require.NoError(t, release_service.CreateRelease(gitRepo, &repo_model.Release{
+			RepoID:       repo.ID,
+			Repo:         repo,
+			PublisherID:  user.ID,
+			Publisher:    user,
+			TagName:      "v0.2",
+			Target:       "master",
+			Title:        "v0.2 is released",
+			Note:         "v0.2 is released",
+			IsDraft:      false,
+			IsPrerelease: false,
+			IsTag:        true,
+		}, "", []*release_service.AttachmentChange{}))
+
+		_, err = repo_model.GetMirrorByRepoID(ctx, mirror.ID)
+		require.NoError(t, err)
+
+		ok := mirror_service.SyncPullMirror(ctx, mirror.ID)
+		assert.True(t, ok)
+
+		count, err := db.Count[repo_model.Release](db.DefaultContext, findOptions)
+		require.NoError(t, err)
+		assert.Equal(t, initCount+1, count)
+
+		release, err := repo_model.GetRelease(db.DefaultContext, repo.ID, "v0.2")
+		require.NoError(t, err)
+		require.NoError(t, release_service.DeleteReleaseByID(ctx, repo, release, user, true))
+
+		ok = mirror_service.SyncPullMirror(ctx, mirror.ID)
+		assert.True(t, ok)
+
+		count, err = db.Count[repo_model.Release](db.DefaultContext, findOptions)
+		require.NoError(t, err)
+		assert.Equal(t, initCount, count)
 	})
-	require.NoError(t, err)
-	assert.True(t, mirrorRepo.IsMirror, "expected pull-mirror repo to be marked as a mirror immediately after its creation")
 
-	ctx := t.Context()
-
-	mirror, err := repo_service.MigrateRepositoryGitData(ctx, user, mirrorRepo, opts, nil)
-	require.NoError(t, err)
-
-	gitRepo, err := gitrepo.OpenRepository(git.DefaultContext, repo)
-	require.NoError(t, err)
-	defer gitRepo.Close()
-
-	findOptions := repo_model.FindReleasesOptions{
-		IncludeDrafts: true,
-		IncludeTags:   true,
-		RepoID:        mirror.ID,
+	// How will we interact with the pull mirror during this test?
+	interactionMethod := []struct {
+		name                        string
+		useAPI                      bool
+		createPullMirror            func(t *testing.T, sourceRepo *repo_model.Repository, authenticate bool) (repoName string)
+		verifyMirrorDetails         func(t *testing.T, sourceRepo *repo_model.Repository, mirrorName string, authenticate bool)
+		triggerPullMirror           func(t *testing.T, mirrorName string)
+		changePullMirrorCredentials func(t *testing.T, sourceRepo *repo_model.Repository, mirrorName string, authenticate bool)
+		changePullMirrorAddress     func(t *testing.T, sourceRepo *repo_model.Repository, mirrorName string, authenticate bool)
+	}{
+		{
+			name:              "API",
+			useAPI:            true,
+			createPullMirror:  createPullMirrorViaAPI,
+			triggerPullMirror: triggerPullMirrorViaAPI,
+			verifyMirrorDetails: func(t *testing.T, sourceRepo *repo_model.Repository, mirrorName string, authenticate bool) {
+				// API provides no visibility into a repo's mirror settings right now
+			},
+		},
+		{
+			name:                        "Web",
+			useAPI:                      false,
+			createPullMirror:            createPullMirrorViaWeb,
+			triggerPullMirror:           triggerPullMirrorViaWeb,
+			verifyMirrorDetails:         verifyPullMirrorViaWeb,
+			changePullMirrorCredentials: changePullMirrorCredentialsViaWeb,
+			changePullMirrorAddress:     changePullMirrorCredentialsViaWeb, // one endpoint, so same as creds
+		},
 	}
-	initCount, err := db.Count[repo_model.Release](db.DefaultContext, findOptions)
+
+	mirrorConfiguration := []struct {
+		name          string
+		privateSource bool
+	}{
+		{
+			name: "HTTP Without Auth",
+		},
+		{
+			name:          "HTTP With Auth",
+			privateSource: true,
+		},
+	}
+
+	// Not using MockVariableValue due to need to undo `migrations.Init()`
+	prev := setting.Migrations.AllowedDomains
+	setting.Migrations.AllowedDomains = "localhost"
+	migrations.Init() // reinitialize for changed allowList
+	defer func() {
+		setting.Migrations.AllowedDomains = prev
+		migrations.Init() // reinitialize for changed allowList
+	}()
+
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		for _, im := range interactionMethod {
+			for _, mc := range mirrorConfiguration {
+				t.Run(fmt.Sprintf("%s/%s", im.name, mc.name), func(t *testing.T) {
+					defer tests.PrintCurrentTest(t)()
+
+					user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+					// Create the source repository that will be mirrored.
+					sourceRepo, sourceRepoSha, cleanupSource := tests.CreateDeclarativeRepoWithOptions(t, user2,
+						tests.DeclarativeRepoOptions{
+							IsPrivate: optional.Some(mc.privateSource),
+							Files: optional.Some([]*files_service.ChangeRepoFile{
+								{
+									Operation:     "create",
+									TreePath:      "docs.md",
+									ContentReader: strings.NewReader("hello, world"),
+								},
+							}),
+						},
+					)
+					defer cleanupSource()
+					require.NotEmpty(t, sourceRepoSha)
+
+					// Create pull mirror
+					mirror := im.createPullMirror(t, sourceRepo, mc.privateSource)
+					verifyPullMirrorContents(t, mirror, sourceRepoSha)
+					verifyPullMirrorConfig(t, mirror, sourceRepo, mc.privateSource)
+					im.verifyMirrorDetails(t, sourceRepo, mirror, mc.privateSource)
+
+					// Push a change to the source and refresh the mirror
+					sourceRepoSha = changePullMirrorSource(t, sourceRepo, sourceRepoSha)
+					im.triggerPullMirror(t, mirror)
+					waitForPullMirror(t, mirror, sourceRepoSha)
+
+					// Test changing the mirror's authentication method (if available)
+					if mc.privateSource && im.changePullMirrorCredentials != nil {
+						sourceRepoSha = changePullMirrorSource(t, sourceRepo, sourceRepoSha)
+						im.changePullMirrorCredentials(t, sourceRepo, mirror, mc.privateSource)
+						verifyPullMirrorConfig(t, mirror, sourceRepo, mc.privateSource)
+						im.verifyMirrorDetails(t, sourceRepo, mirror, mc.privateSource)
+						im.triggerPullMirror(t, mirror)
+						waitForPullMirror(t, mirror, sourceRepoSha)
+					}
+
+					// Test changing the mirror's address (if available)
+					if im.changePullMirrorAddress != nil {
+						sourceRepo = renamePullMirrorSourceRepo(t, sourceRepo)
+						sourceRepoSha = changePullMirrorSource(t, sourceRepo, sourceRepoSha)
+						im.changePullMirrorAddress(t, sourceRepo, mirror, mc.privateSource)
+						verifyPullMirrorConfig(t, mirror, sourceRepo, mc.privateSource)
+						im.verifyMirrorDetails(t, sourceRepo, mirror, mc.privateSource)
+						im.triggerPullMirror(t, mirror)
+						waitForPullMirror(t, mirror, sourceRepoSha)
+					}
+				})
+			}
+		}
+	})
+
+	t.Run("migrate from repo config credentials", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+		mirrorRepo, _, cleanupMirror := tests.CreateDeclarativeRepoWithOptions(t, user2,
+			tests.DeclarativeRepoOptions{},
+		)
+		defer cleanupMirror()
+
+		// Write to the repo a config file that would have plausibly existed before EncryptedRemoteAddress was
+		// introduced:
+		repoPath := mirrorRepo.RepoPath()
+		err := os.WriteFile(path.Join(repoPath, "config"), []byte(`
+[core]
+	repositoryformatversion = 0
+	filemode = true
+	bare = true
+[remote "origin"]
+	url = https://user:password@example.com/org/repo.git
+	tagOpt = --no-tags
+	fetch = +refs/*:refs/*
+	mirror = true
+	fetch = +refs/tags/*:refs/tags/*
+`), 0o644)
+		require.NoError(t, err)
+
+		// Create a Mirror record without an EncryptedRemoteAddress:
+		mirror := &repo_model.Mirror{
+			RepoID:      mirrorRepo.ID,
+			Interval:    8 * time.Hour,
+			EnablePrune: true,
+		}
+		_, err = db.GetEngine(t.Context()).Insert(mirror)
+		require.NoError(t, err)
+		require.Nil(t, mirror.EncryptedRemoteAddress)
+
+		remoteURL, err := mirror_service.DecryptOrRecoverRemoteAddress(t.Context(), mirror)
+		require.NoError(t, err)
+		assert.Equal(t, "https://user:password@example.com/org/repo.git", remoteURL.URL.String())
+
+		// EncryptedRemoteAddress should now be populated from the recovery:
+		assert.NotNil(t, mirror.EncryptedRemoteAddress)
+		maybeDecryptedURL, err := mirror.DecryptRemoteAddress()
+		require.NoError(t, err)
+		has, decryptedURL := maybeDecryptedURL.Get()
+		require.True(t, has)
+		assert.Equal(t, "https://user:password@example.com/org/repo.git", decryptedURL)
+
+		// SanitizedRemoteAddress can be fetched:
+		maybeSanitizedURL, err := mirror.SanitizedRemoteAddress()
+		require.NoError(t, err)
+		has, sanitizedURL := maybeSanitizedURL.Get()
+		require.True(t, has)
+		assert.Equal(t, "https://user@example.com/org/repo.git", sanitizedURL)
+
+		// Database record is updated in the database:
+		refetchMirror := unittest.AssertExistsAndLoadBean(t, &repo_model.Mirror{RepoID: mirrorRepo.ID})
+		assert.Equal(t, mirror.EncryptedRemoteAddress, refetchMirror.EncryptedRemoteAddress)
+
+		// Config file is rewritten:
+		config, err := os.ReadFile(path.Join(repoPath, "config"))
+		require.NoError(t, err)
+		assert.Equal(t, `
+[core]
+	repositoryformatversion = 0
+	filemode = true
+	bare = true
+[remote "origin"]
+	url = https://user@example.com/org/repo.git
+	tagOpt = --no-tags
+	fetch = +refs/*:refs/*
+	mirror = true
+	fetch = +refs/tags/*:refs/tags/*
+`, string(config))
+	})
+}
+
+func createPullMirrorViaWeb(t *testing.T, sourceRepo *repo_model.Repository, authenticate bool) string {
+	session := loginUser(t, "user2")
+
+	mirrorName := fmt.Sprintf("pullmirror-%s", sourceRepo.Name)
+	form := &forms.MigrateRepoForm{
+		CloneAddr: sourceRepo.CloneLink().HTTPS,
+		Service:   structs.PlainGitService,
+		UID:       2,
+		RepoName:  mirrorName,
+		Mirror:    true,
+	}
+	if authenticate {
+		form.AuthUsername = "user2"
+		form.AuthPassword = getTokenForLoggedInUser(t, session, auth.AccessTokenScopeReadRepository)
+	}
+
+	resp := session.MakeRequest(t,
+		NewRequestWithJSON(t, "POST", "/repo/migrate", form),
+		http.StatusSeeOther)
+	location := resp.Header().Get("Location")
+	assert.Equal(t, fmt.Sprintf("/user2/pullmirror-%s", sourceRepo.Name), location)
+
+	var lastBody string
+	if !assert.Eventuallyf(t,
+		func() bool {
+			resp := session.MakeRequest(t,
+				NewRequest(t, "GET", location),
+				http.StatusOK)
+			body := resp.Body.String()
+			lastBody = body
+			// Looking for the repo page to be fully populated indicating that the migration is complete:
+			// Check that the first commit message is present:
+			if !strings.Contains(body, "Initial commit") {
+				return false
+			}
+			// Check that the fork button is present:
+			if !strings.Contains(body, fmt.Sprintf("/user2/%s/fork", mirrorName)) {
+				return false
+			}
+			return true
+		},
+		15*time.Second, 1*time.Second,
+		"expected migration to complete and repo page to render") {
+		t.Logf("last received page body: %s", lastBody)
+	}
+
+	return mirrorName
+}
+
+func createPullMirrorViaAPI(t *testing.T, sourceRepo *repo_model.Repository, authenticate bool) string {
+	session := loginUser(t, "user2")
+	apiToken := getTokenForLoggedInUser(t, session, auth.AccessTokenScopeWriteRepository)
+
+	mirrorName := fmt.Sprintf("pullmirror-%s", sourceRepo.Name)
+	form := &structs.MigrateRepoOptions{
+		CloneAddr: sourceRepo.CloneLink().HTTPS,
+		Service:   "git",
+		RepoOwner: "user2",
+		RepoName:  mirrorName,
+		Mirror:    true,
+	}
+	if authenticate {
+		form.AuthUsername = "user2"
+		form.AuthPassword = getTokenForLoggedInUser(t, session, auth.AccessTokenScopeReadRepository)
+	}
+
+	resp := session.MakeRequest(t,
+		NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", form).AddTokenAuth(apiToken),
+		http.StatusCreated)
+	var repo structs.Repository
+	DecodeJSON(t, resp, &repo)
+	assert.NotNil(t, repo)
+	assert.True(t, repo.Mirror)
+	assert.False(t, repo.Empty)
+
+	return mirrorName
+}
+
+func verifyPullMirrorViaWeb(t *testing.T, sourceRepo *repo_model.Repository, mirrorName string, authenticate bool) {
+	session := loginUser(t, "user2")
+	resp := session.MakeRequest(t,
+		NewRequestf(t, "GET", "/user2/%s/settings", mirrorName),
+		http.StatusOK)
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	htmlDoc.AssertAttrEqual(t, "#mirror_address", "value", sourceRepo.CloneLink().HTTPS)
+	if authenticate {
+		htmlDoc.AssertAttrEqual(t, "#mirror_username", "value", "user2")
+		htmlDoc.AssertAttrEqual(t, "#mirror_password", "value", "")
+		htmlDoc.AssertAttrEqual(t, "#mirror_password", "placeholder", "(Unchanged)")
+	} else {
+		htmlDoc.AssertAttrEqual(t, "#mirror_username", "value", "")
+		htmlDoc.AssertAttrEqual(t, "#mirror_password", "value", "")
+		htmlDoc.AssertAttrEqual(t, "#mirror_password", "placeholder", "(Unset)")
+	}
+
+	resp = session.MakeRequest(t,
+		NewRequestf(t, "GET", "/user2/%s", mirrorName),
+		http.StatusOK)
+	htmlDoc = NewHTMLParser(t, resp.Body)
+	htmlDoc.AssertElementPredicate(t, ".fork-flag", func(selection *goquery.Selection) bool {
+		text := strings.TrimSpace(selection.Text())
+		assert.Contains(t, text, "mirror of")
+		assert.Contains(t, text, sourceRepo.CloneLink().HTTPS)
+		return true
+	})
+}
+
+func triggerPullMirrorViaWeb(t *testing.T, mirrorName string) {
+	session := loginUser(t, "user2")
+
+	resp := session.MakeRequest(t,
+		NewRequestWithValues(t, "POST", fmt.Sprintf("/user2/%s/settings", mirrorName), map[string]string{"action": "mirror-sync"}),
+		http.StatusSeeOther)
+	location := resp.Header().Get("Location")
+	assert.Equal(t, fmt.Sprintf("/user2/%s/settings", mirrorName), location)
+}
+
+func triggerPullMirrorViaAPI(t *testing.T, mirrorName string) {
+	session := loginUser(t, "user2")
+	apiToken := getTokenForLoggedInUser(t, session, auth.AccessTokenScopeWriteRepository)
+
+	// Trigger sync...
+	session.MakeRequest(t,
+		NewRequestf(t, "POST", "/api/v1/repos/user2/%s/mirror-sync", mirrorName).AddTokenAuth(apiToken),
+		http.StatusOK)
+}
+
+func changePullMirrorCredentialsViaWeb(t *testing.T, sourceRepo *repo_model.Repository, mirrorName string, authenticate bool) {
+	session := loginUser(t, "user2")
+
+	form := map[string]string{
+		"action":         "mirror",
+		"enable_prune":   "on",
+		"interval":       "8h0m0s",
+		"mirror_address": sourceRepo.CloneLink().HTTPS,
+	}
+	if authenticate {
+		form["mirror_username"] = "user2"
+		form["mirror_password"] = getTokenForLoggedInUser(t, session, auth.AccessTokenScopeReadRepository)
+	}
+
+	resp := session.MakeRequest(t,
+		NewRequestWithValues(t, "POST", fmt.Sprintf("/user2/%s/settings", mirrorName), form),
+		http.StatusSeeOther)
+	location := resp.Header().Get("Location")
+	assert.Equal(t, fmt.Sprintf("/user2/%s/settings", mirrorName), location)
+}
+
+func verifyPullMirrorContents(t *testing.T, mirrorName, expectedSha string) {
+	session := loginUser(t, "user2")
+	apiToken := getTokenForLoggedInUser(t, session, auth.AccessTokenScopeReadRepository)
+	resp := session.MakeRequest(t,
+		NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/user2/%s/commits?sha=main&limit=1", mirrorName)).AddTokenAuth(apiToken),
+		http.StatusOK)
+	var commits []*structs.Commit
+	DecodeJSON(t, resp, &commits)
+	require.Len(t, commits, 1)
+	assert.Equal(t, expectedSha, commits[0].SHA)
+}
+
+func waitForPullMirror(t *testing.T, mirrorName, expectedSha string) {
+	session := loginUser(t, "user2")
+	apiToken := getTokenForLoggedInUser(t, session, auth.AccessTokenScopeReadRepository)
+
+	var commits []*structs.Commit
+	if !assert.Eventually(t,
+		func() bool {
+			resp := session.MakeRequest(t,
+				NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/user2/%s/commits?sha=main&limit=1", mirrorName)).AddTokenAuth(apiToken),
+				http.StatusOK)
+			DecodeJSON(t, resp, &commits)
+			require.Len(t, commits, 1)
+			return commits[0].SHA == expectedSha
+		},
+		15*time.Second, 1*time.Second) {
+		t.Logf("sync was supposed to bring repo to commit %s, but observed commits = %#v", expectedSha, commits)
+	}
+}
+
+func getGitConfig(t *testing.T, configFile, configPath string) string {
+	stdout, stderr, err := process.GetManager().Exec("getGitConfig", "git", "config", "get", "--file", configFile, configPath)
+	require.NoError(t, err, "fetch config %s failed: git stderr: %s", configPath, stderr)
+	return strings.TrimSpace(stdout)
+}
+
+func verifyPullMirrorConfig(t *testing.T, mirrorName string, sourceRepo *repo_model.Repository, authenticate bool) {
+	mirrorRepo, err := repo_model.GetRepositoryByOwnerAndName(t.Context(), "user2", mirrorName)
 	require.NoError(t, err)
 
-	require.NoError(t, release_service.CreateRelease(gitRepo, &repo_model.Release{
-		RepoID:       repo.ID,
-		Repo:         repo,
-		PublisherID:  user.ID,
-		Publisher:    user,
-		TagName:      "v0.2",
-		Target:       "master",
-		Title:        "v0.2 is released",
-		Note:         "v0.2 is released",
-		IsDraft:      false,
-		IsPrerelease: false,
-		IsTag:        true,
-	}, "", []*release_service.AttachmentChange{}))
+	repoPath := mirrorRepo.RepoPath()
+	configPath := path.Join(repoPath, "config")
 
-	_, err = repo_model.GetMirrorByRepoID(ctx, mirror.ID)
+	expectedURL := sourceRepo.CloneLink().HTTPS
+	if authenticate {
+		expectedURL = strings.Replace(expectedURL, "http://", "http://user2@", 1)
+	}
+	assert.Equal(t, expectedURL, getGitConfig(t, configPath, "remote.origin.url"))
+	assert.Equal(t, "true", getGitConfig(t, configPath, "remote.origin.mirror"))
+	assert.Equal(t, "+refs/tags/*:refs/tags/*", getGitConfig(t, configPath, "remote.origin.fetch"))
+}
+
+func changePullMirrorSource(t *testing.T, sourceRepo *repo_model.Repository, sourceRepoSha string) string {
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	resp, err := files_service.ChangeRepoFiles(git.DefaultContext, sourceRepo, user2,
+		&files_service.ChangeRepoFilesOptions{
+			Files: []*files_service.ChangeRepoFile{
+				{
+					Operation:     "update",
+					TreePath:      "docs.md",
+					ContentReader: strings.NewReader(uuid.NewString()),
+				},
+			},
+			Message:   "add files",
+			OldBranch: "main",
+			NewBranch: "main",
+			Author: &files_service.IdentityOptions{
+				Name:  user2.Name,
+				Email: user2.Email,
+			},
+			Committer: &files_service.IdentityOptions{
+				Name:  user2.Name,
+				Email: user2.Email,
+			},
+			Dates: &files_service.CommitDateOptions{
+				Author:    time.Now(),
+				Committer: time.Now(),
+			},
+			LastCommitID: sourceRepoSha,
+		})
 	require.NoError(t, err)
+	assert.NotEmpty(t, resp)
+	return resp.Commit.SHA
+}
 
-	ok := mirror_service.SyncPullMirror(ctx, mirror.ID)
-	assert.True(t, ok)
+func renamePullMirrorSourceRepo(t *testing.T, sourceRepo *repo_model.Repository) *repo_model.Repository {
+	session := loginUser(t, "user2")
+	apiToken := getTokenForLoggedInUser(t, session, auth.AccessTokenScopeWriteRepository)
 
-	count, err := db.Count[repo_model.Release](db.DefaultContext, findOptions)
-	require.NoError(t, err)
-	assert.Equal(t, initCount+1, count)
+	newName := uuid.NewString()
+	session.MakeRequest(t,
+		NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/user2/%s", sourceRepo.Name),
+			&structs.EditRepoOption{
+				Name: &newName,
+			}).AddTokenAuth(apiToken),
+		http.StatusOK)
 
-	release, err := repo_model.GetRelease(db.DefaultContext, repo.ID, "v0.2")
-	require.NoError(t, err)
-	require.NoError(t, release_service.DeleteReleaseByID(ctx, repo, release, user, true))
-
-	ok = mirror_service.SyncPullMirror(ctx, mirror.ID)
-	assert.True(t, ok)
-
-	count, err = db.Count[repo_model.Release](db.DefaultContext, findOptions)
-	require.NoError(t, err)
-	assert.Equal(t, initCount, count)
+	newRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: sourceRepo.ID})
+	assert.Equal(t, newRepo.Name, newName)
+	assert.NotEqual(t, newRepo.CloneLink().HTTPS, sourceRepo.CloneLink().HTTPS) // should have changed to new name
+	return newRepo
 }
 
 func TestPullMirrorRedactCredentials(t *testing.T) {

From 2d2029c5982e898b39e826a5eee76d6107d12b50 Mon Sep 17 00:00:00 2001
From: limiting-factor <limiting-factor@posteo.com>
Date: Sat, 4 Apr 2026 16:29:14 +0200
Subject: [PATCH 060/287] tests: make buffer log writer thread safe (#11962)

When two goroutines attempt to access the content of the buffer log writer, they must be made thread safe with a write mutex.

The buffer log writer is only used in testing.

## Checklist

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11962
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: limiting-factor <limiting-factor@posteo.com>
Co-committed-by: limiting-factor <limiting-factor@posteo.com>
---
 .deadcode-out                           |  3 ++
 modules/log/event_writer_buffer.go      | 42 ++++++++++++++++++++-----
 modules/log/event_writer_buffer_test.go | 12 +++----
 modules/log/logger_impl_test.go         |  2 +-
 4 files changed, 44 insertions(+), 15 deletions(-)

diff --git a/.deadcode-out b/.deadcode-out
index 45ad117ccd..0c44d2bdfd 100644
--- a/.deadcode-out
+++ b/.deadcode-out
@@ -134,6 +134,9 @@ forgejo.org/modules/json
 	StdJSON.Indent
 
 forgejo.org/modules/log
+	eventWriterBuffer.Close
+	eventWriterBuffer.Write
+	eventWriterBuffer.GetString
 	NewEventWriterBuffer
 
 forgejo.org/modules/markup
diff --git a/modules/log/event_writer_buffer.go b/modules/log/event_writer_buffer.go
index 28857c2189..a7557618a8 100644
--- a/modules/log/event_writer_buffer.go
+++ b/modules/log/event_writer_buffer.go
@@ -5,18 +5,44 @@ package log
 
 import (
 	"bytes"
+	"sync"
 )
 
-type EventWriterBuffer struct {
-	*EventWriterBaseImpl
-	Buffer *bytes.Buffer
+type EventWriterBuffer interface {
+	EventWriter
+	GetString() string
 }
 
-var _ EventWriter = (*EventWriterBuffer)(nil)
+type eventWriterBuffer struct {
+	*EventWriterBaseImpl
+	buffer *bytes.Buffer
+	mu     sync.RWMutex
+}
 
-func NewEventWriterBuffer(name string, mode WriterMode) *EventWriterBuffer {
-	w := &EventWriterBuffer{EventWriterBaseImpl: NewEventWriterBase(name, "buffer", mode)}
-	w.Buffer = new(bytes.Buffer)
-	w.OutputWriteCloser = nopCloser{w.Buffer}
+var _ EventWriterBuffer = (*eventWriterBuffer)(nil)
+
+func (*eventWriterBuffer) Close() error {
+	return nil
+}
+
+func (o *eventWriterBuffer) Write(p []byte) (n int, err error) {
+	o.mu.Lock()
+	defer o.mu.Unlock()
+	return o.buffer.Write(p)
+}
+
+func (o *eventWriterBuffer) GetString() string {
+	o.mu.Lock()
+	defer o.mu.Unlock()
+	b := o.buffer.Bytes()
+	s := make([]byte, len(b))
+	copy(s, b)
+	return string(s)
+}
+
+func NewEventWriterBuffer(name string, mode WriterMode) EventWriter {
+	w := &eventWriterBuffer{EventWriterBaseImpl: NewEventWriterBase(name, "buffer", mode)}
+	w.buffer = new(bytes.Buffer)
+	w.OutputWriteCloser = w
 	return w
 }
diff --git a/modules/log/event_writer_buffer_test.go b/modules/log/event_writer_buffer_test.go
index d1e37c3673..ac0759ad0b 100644
--- a/modules/log/event_writer_buffer_test.go
+++ b/modules/log/event_writer_buffer_test.go
@@ -29,7 +29,7 @@ func TestBufferLogger(t *testing.T) {
 		MsgSimpleText: expected,
 	})
 	logger.Close()
-	assert.Contains(t, bufferWriter.Buffer.String(), expected)
+	assert.Contains(t, bufferWriter.(log.EventWriterBuffer).GetString(), expected)
 }
 
 func TestBufferLoggerWithExclusion(t *testing.T) {
@@ -41,7 +41,7 @@ func TestBufferLoggerWithExclusion(t *testing.T) {
 		Level:     level,
 		Prefix:    prefix,
 		Exclusion: message,
-	})
+	}).(log.EventWriterBuffer)
 
 	logger := log.NewLoggerWithWriters(t.Context(), "test", bufferWriter)
 
@@ -50,7 +50,7 @@ func TestBufferLoggerWithExclusion(t *testing.T) {
 		MsgSimpleText: message,
 	})
 	logger.Close()
-	assert.NotContains(t, bufferWriter.Buffer.String(), message)
+	assert.NotContains(t, bufferWriter.GetString(), message)
 }
 
 func TestBufferLoggerWithExpressionAndExclusion(t *testing.T) {
@@ -64,7 +64,7 @@ func TestBufferLoggerWithExpressionAndExclusion(t *testing.T) {
 		Prefix:     prefix,
 		Expression: expression,
 		Exclusion:  exclusion,
-	})
+	}).(log.EventWriterBuffer)
 
 	logger := log.NewLoggerWithWriters(t.Context(), "test", bufferWriter)
 
@@ -74,6 +74,6 @@ func TestBufferLoggerWithExpressionAndExclusion(t *testing.T) {
 	logger.SendLogEvent(&log.Event{Level: log.INFO, MsgSimpleText: "none"})
 	logger.Close()
 
-	assert.Contains(t, bufferWriter.Buffer.String(), "foo expression")
-	assert.NotContains(t, bufferWriter.Buffer.String(), "bar")
+	assert.Contains(t, bufferWriter.GetString(), "foo expression")
+	assert.NotContains(t, bufferWriter.GetString(), "bar")
 }
diff --git a/modules/log/logger_impl_test.go b/modules/log/logger_impl_test.go
index 59276a83f4..1d77ae0c25 100644
--- a/modules/log/logger_impl_test.go
+++ b/modules/log/logger_impl_test.go
@@ -23,5 +23,5 @@ func TestLog(t *testing.T) {
 	testGeneric(logger, "I'm the generic value!")
 	logger.Close()
 
-	assert.Contains(t, bufferWriter.Buffer.String(), ".../logger_impl_test.go:13:testGeneric() [I] Just testing the logging of a generic function I'm the generic value!")
+	assert.Contains(t, bufferWriter.(EventWriterBuffer).GetString(), ".../logger_impl_test.go:13:testGeneric() [I] Just testing the logging of a generic function I'm the generic value!")
 }

From df86b495dc76204c1a8c188ef1a8833c7a8cc8b4 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Sat, 4 Apr 2026 18:23:06 +0200
Subject: [PATCH 061/287] feat: support `timezone` in scheduled workflows
 (#11851)

GitHub recently added the ability to [specify a time zone for scheduled workflows](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#onschedule), thereby making it possible to run scheduled workflows at a certain local time, no matter whether daylight saving time (DST) is currently active or not. Example copied from GitHub's documentation:

```yaml
on:
  schedule:
    - cron: '30 5 * * 1-5'
      timezone: "America/New_York"
```

The workflow would run at 05:30 each morning in the America/New_York timezone every Monday through Friday. `timezone` accepts IANA time zone names. If `timezone` is absent, `Etc/UTC` is used. GitHub runs workflows that were scheduled during DST jumps forward, for example, between 2 o'clock and 3 o'clock, directly after the clock jumped forward. In this case, that would be 3 o'clock.

Forgejo already supports time zones by prepending cron schedules with `TZ=<zone-id>` or `CRON_TZ=<zone-id>`:

```yaml
on:
  schedule:
    - cron: 'CRON_TZ=America/New_York 30 5 * * 1-5'
```

However, that capability is not documented. Workflows that are scheduled to run during DST changes are skipped when the clock jumps forward and run twice when it jumps backward.

This two-part PR adds support for `timezone` to improve compatibility with GitHub. `TZ` and `CRON_TZ` continue working. When both `timezone` and `TZ` or `CRON_TZ` are present, `timezone` takes precedence. When neither `timezone` nor `TZ` nor `CRON_TZ` are present, `Etc/UTC` is used as before. Because `TZ` and `CRON_TZ` were already supported by Forgejo before GitHub introduced `timezone`, `timezone` behaves during DST changes as previous versions of Forgejo, thereby deviating from GitHub. That means that workflows that are scheduled to run during DST changes are skipped when the clock jumps forward. And they run twice when it jumps backwards. However, it is generally recommended not to schedule workflows during the time of day when DST changes occur.

This part of the PR integrates the [workflow validation and parsing of the `timezone` field](https://code.forgejo.org/forgejo/runner/pulls/1454) supplied by Forgejo Runner.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
    - https://codeberg.org/forgejo/docs/pulls/1853
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11851): <!--number 11851 --><!--line 0 --><!--description c3VwcG9ydCBgdGltZXpvbmVgIGluIHNjaGVkdWxlZCB3b3JrZmxvd3M=-->support `timezone` in scheduled workflows<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: Renovate Bot <bot@kriese.eu>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11851
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 go.mod                                        |   2 +-
 go.sum                                        |   4 +-
 models/actions/schedule.go                    |  22 +---
 models/actions/schedule_spec.go               |  44 ++++++--
 models/actions/schedule_spec_test.go          |  79 ++++++++++++--
 models/actions/schedule_test.go               | 102 ++++++++++++++++++
 .../v15c_add_schedule_spec_time_zones.go      |  31 ++++++
 .../action_schedule.yml                       |   4 -
 services/actions/notifier_helper.go           |  14 ++-
 services/actions/schedule_tasks_test.go       |  30 ++++--
 tests/integration/actions_trigger_test.go     |  49 ++++++++-
 11 files changed, 323 insertions(+), 58 deletions(-)
 create mode 100644 models/actions/schedule_test.go
 create mode 100644 models/forgejo_migrations/v15c_add_schedule_spec_time_zones.go

diff --git a/go.mod b/go.mod
index c02310548b..37039873c8 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	code.forgejo.org/forgejo/go-rpmutils v1.0.0
 	code.forgejo.org/forgejo/levelqueue v1.0.0
 	code.forgejo.org/forgejo/reply v1.0.2
-	code.forgejo.org/forgejo/runner/v12 v12.7.3
+	code.forgejo.org/forgejo/runner/v12 v12.8.0
 	code.forgejo.org/go-chi/binding v1.0.1
 	code.forgejo.org/go-chi/cache v1.0.1
 	code.forgejo.org/go-chi/captcha v1.0.2
diff --git a/go.sum b/go.sum
index 8c06077317..cd477466b7 100644
--- a/go.sum
+++ b/go.sum
@@ -30,8 +30,8 @@ code.forgejo.org/forgejo/levelqueue v1.0.0 h1:9krYpU6BM+j/1Ntj6m+VCAIu0UNnne1/Uf
 code.forgejo.org/forgejo/levelqueue v1.0.0/go.mod h1:fmG6zhVuqim2rxSFOoasgXO8V2W/k9U31VVYqLIRLhQ=
 code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
 code.forgejo.org/forgejo/reply v1.0.2/go.mod h1:RyZUfzQLc+fuLIGjTSQWDAJWPiL4WtKXB/FifT5fM7U=
-code.forgejo.org/forgejo/runner/v12 v12.7.3 h1:+thSawVfLeAZaWB6sYeUPvLj4lxYjCIDt/ktvkfX5Rs=
-code.forgejo.org/forgejo/runner/v12 v12.7.3/go.mod h1:OO+Vy9Dww6WNV7GG/6VUWo/0WwXY+ASGlINmAfEA9Ws=
+code.forgejo.org/forgejo/runner/v12 v12.8.0 h1:/MqOseYbsGaQ2qzepaZr3VyuqpESvSP/ZnC2aKfmU3g=
+code.forgejo.org/forgejo/runner/v12 v12.8.0/go.mod h1:sgDAYfO4NJI1kUzGuD7klHuoFLQzWmZPw0erg7QlbJU=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616 h1:kEZL84+02jY9RxXM4zHBWZ3Fml0B09cmP1LGkDsCfIA=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 code.forgejo.org/go-chi/binding v1.0.1 h1:coKNI+X1NzRN7X85LlrpvBRqk0TXpJ+ja28vusQWEuY=
diff --git a/models/actions/schedule.go b/models/actions/schedule.go
index 05c9f15d38..8c410b9d38 100644
--- a/models/actions/schedule.go
+++ b/models/actions/schedule.go
@@ -5,7 +5,6 @@ package actions
 
 import (
 	"context"
-	"time"
 
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
@@ -21,7 +20,7 @@ import (
 type ActionSchedule struct {
 	ID                int64
 	Title             string
-	Specs             []string
+	Specs             []*ActionScheduleSpec  `xorm:"-"`
 	RepoID            int64                  `xorm:"index"`
 	Repo              *repo_model.Repository `xorm:"-"`
 	OwnerID           int64                  `xorm:"index"`
@@ -73,25 +72,12 @@ func CreateScheduleTask(ctx context.Context, rows []*ActionSchedule) error {
 			return err
 		}
 
-		// Loop through each schedule spec and create a new spec row
-		now := time.Now()
-
 		for _, spec := range row.Specs {
-			specRow := &ActionScheduleSpec{
-				RepoID:     row.RepoID,
-				ScheduleID: row.ID,
-				Spec:       spec,
-			}
-			// Parse the spec and check for errors
-			schedule, err := specRow.Parse()
-			if err != nil {
-				continue // skip to the next spec if there's an error
-			}
-
-			specRow.Next = timeutil.TimeStamp(schedule.Next(now).Unix())
+			spec.ScheduleID = row.ID
+			spec.RepoID = row.RepoID
 
 			// Insert the new schedule spec row
-			if err = db.Insert(ctx, specRow); err != nil {
+			if err = db.Insert(ctx, spec); err != nil {
 				return err
 			}
 		}
diff --git a/models/actions/schedule_spec.go b/models/actions/schedule_spec.go
index 83bdceb850..bcaee8bd6f 100644
--- a/models/actions/schedule_spec.go
+++ b/models/actions/schedule_spec.go
@@ -10,6 +10,7 @@ import (
 
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/timeutil"
 
 	"github.com/robfig/cron/v3"
@@ -27,13 +28,28 @@ type ActionScheduleSpec struct {
 	// started or this entry's schedule is unsatisfiable
 	Next timeutil.TimeStamp `xorm:"index"`
 	// Prev is the last time this job was run, or the zero time if never.
-	Prev timeutil.TimeStamp
-	Spec string
+	Prev     timeutil.TimeStamp
+	Spec     string
+	TimeZone optional.Option[string]
 
 	Created timeutil.TimeStamp `xorm:"created"`
 	Updated timeutil.TimeStamp `xorm:"updated"`
 }
 
+func NewActionScheduleSpec(cron string, tz optional.Option[string], referenceTime time.Time) (*ActionScheduleSpec, error) {
+	spec := &ActionScheduleSpec{
+		Spec:     cron,
+		TimeZone: tz,
+	}
+	cronSchedule, err := spec.Parse()
+	if err != nil {
+		return nil, err
+	}
+
+	spec.Next = timeutil.TimeStamp(cronSchedule.Next(referenceTime).Unix())
+	return spec, nil
+}
+
 // Parse parses the spec and returns a cron.Schedule
 // Unlike the default cron parser, Parse uses UTC timezone as the default if none is specified.
 func (s *ActionScheduleSpec) Parse() (cron.Schedule, error) {
@@ -43,19 +59,29 @@ func (s *ActionScheduleSpec) Parse() (cron.Schedule, error) {
 		return nil, err
 	}
 
-	// If the spec has specified a timezone, use it
-	if strings.HasPrefix(s.Spec, "TZ=") || strings.HasPrefix(s.Spec, "CRON_TZ=") {
-		return schedule, nil
-	}
-
 	specSchedule, ok := schedule.(*cron.SpecSchedule)
 	// If it's not a spec schedule, like "@every 5m", timezone is not relevant
 	if !ok {
 		return schedule, nil
 	}
 
-	// Set the timezone to UTC
-	specSchedule.Location = time.UTC
+	// If `timezone` is not defined in the workflow, but the spec includes a timezone, use it.
+	if !s.TimeZone.Has() && (strings.HasPrefix(s.Spec, "TZ=") || strings.HasPrefix(s.Spec, "CRON_TZ=")) {
+		return schedule, nil
+	}
+
+	var location *time.Location
+	if present, tz := s.TimeZone.Get(); present {
+		location, err = time.LoadLocation(tz)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// UTC is the default time zone.
+		location = time.UTC
+	}
+
+	specSchedule.Location = location
 	return specSchedule, nil
 }
 
diff --git a/models/actions/schedule_spec_test.go b/models/actions/schedule_spec_test.go
index 0c26fce4b2..eb3a83d0a6 100644
--- a/models/actions/schedule_spec_test.go
+++ b/models/actions/schedule_spec_test.go
@@ -7,6 +7,8 @@ import (
 	"testing"
 	"time"
 
+	"forgejo.org/modules/optional"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -21,50 +23,105 @@ func TestActionScheduleSpec_Parse(t *testing.T) {
 	}()
 	time.Local = tz
 
-	now, err := time.Parse(time.RFC3339, "2024-07-31T15:47:55+08:00")
-	require.NoError(t, err)
-
 	tests := []struct {
-		name    string
-		spec    string
-		want    string
-		wantErr assert.ErrorAssertionFunc
+		name     string
+		refTime  time.Time
+		spec     string
+		timeZone string
+		want     string
+		wantErr  assert.ErrorAssertionFunc
 	}{
 		{
 			name:    "regular",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
 			spec:    "0 10 * * *",
 			want:    "2024-07-31T10:00:00Z",
 			wantErr: assert.NoError,
 		},
 		{
 			name:    "invalid",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
 			spec:    "0 10 * *",
 			want:    "",
 			wantErr: assert.Error,
 		},
 		{
-			name:    "with timezone",
+			name:    "with TZ in cron schedule",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
 			spec:    "TZ=America/New_York 0 10 * * *",
 			want:    "2024-07-31T14:00:00Z",
 			wantErr: assert.NoError,
 		},
 		{
-			name:    "timezone irrelevant",
+			name:    "with CRON_TZ in cron schedule",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
+			spec:    "CRON_TZ=America/New_York 0 10 * * *",
+			want:    "2024-07-31T14:00:00Z",
+			wantErr: assert.NoError,
+		},
+		{
+			name:     "with separate time zone",
+			refTime:  time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
+			spec:     "0 10 * * *",
+			timeZone: "America/New_York",
+			want:     "2024-07-31T14:00:00Z",
+			wantErr:  assert.NoError,
+		},
+		{
+			name:     "separate time zone takes precedence over inlined time zone",
+			refTime:  time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
+			spec:     "CRON_TZ=Europe/Berlin 0 10 * * *",
+			timeZone: "America/New_York",
+			want:     "2024-07-31T14:00:00Z",
+			wantErr:  assert.NoError,
+		},
+		{
+			name:    "time zone irrelevant",
+			refTime: time.Date(2024, 7, 31, 15, 47, 55, 0, time.Local),
 			spec:    "@every 5m",
 			want:    "2024-07-31T07:52:55Z",
 			wantErr: assert.NoError,
 		},
+		{
+			// The various cron implementations handle the DST jump forwards differently. The most popular approaches
+			// are (a) scheduling all jobs at 3 o'clock that were supposed to run between 2 and 3 o'clock, or (b)
+			// skipping the execution on that day because any time between 2 and 3 o'clock never happened. Forgejo uses
+			// option B because the code it inherited already did that and was exposed to users.
+			name:     "skips execution during DST jump forwards",
+			refTime:  time.Date(2025, 3, 30, 1, 5, 0, 0, time.UTC),
+			spec:     "10 2 * * *", // The clock jumps at 2 o'clock to 3 o'clock.
+			timeZone: "Europe/Berlin",
+			want:     "2025-03-31T00:10:00Z",
+			wantErr:  assert.NoError,
+		},
+		{
+			name:     "executes a first time before DST jump backwards",
+			refTime:  time.Date(2025, 10, 26, 0, 5, 0, 0, time.UTC),
+			spec:     "10 2 * * *", // The clock jumps at 3 o'clock to 2 o'clock.
+			timeZone: "Europe/Berlin",
+			want:     "2025-10-26T00:10:00Z",
+			wantErr:  assert.NoError,
+		},
+		{
+			name:     "executes a second time after DST jump backwards",
+			refTime:  time.Date(2025, 10, 26, 1, 5, 0, 0, time.UTC),
+			spec:     "10 2 * * *", // The clock jumps at 3 o'clock to 2 o'clock.
+			timeZone: "Europe/Berlin",
+			want:     "2025-10-26T01:10:00Z",
+			wantErr:  assert.NoError,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			s := &ActionScheduleSpec{
-				Spec: tt.spec,
+				Spec:     tt.spec,
+				TimeZone: optional.FromNonDefault(tt.timeZone),
 			}
 			got, err := s.Parse()
 			tt.wantErr(t, err)
 
 			if err == nil {
-				assert.Equal(t, tt.want, got.Next(now).UTC().Format(time.RFC3339))
+				assert.Equal(t, tt.want, got.Next(tt.refTime).UTC().Format(time.RFC3339))
 			}
 		})
 	}
diff --git a/models/actions/schedule_test.go b/models/actions/schedule_test.go
new file mode 100644
index 0000000000..016185cb42
--- /dev/null
+++ b/models/actions/schedule_test.go
@@ -0,0 +1,102 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package actions
+
+import (
+	"testing"
+	"time"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/repo"
+	"forgejo.org/models/unittest"
+	"forgejo.org/models/user"
+	"forgejo.org/modules/optional"
+	"forgejo.org/modules/timeutil"
+	"forgejo.org/modules/webhook"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestScheduleCreateScheduleTask(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	user2 := unittest.AssertExistsAndLoadBean(t, &user.User{ID: 2})
+	repo62 := unittest.AssertExistsAndLoadBean(t, &repo.Repository{ID: 62, Name: "test_workflows", OwnerID: user2.ID})
+
+	content := `
+on:
+  push:
+  schedule:
+    - cron: "2 13 * * *"
+    - cron: "03 13 * * *"
+      timezone: Europe/Paris
+jobs:
+  test:
+    runs-on: debian
+    steps:
+      - run: |
+          echo "OK"
+`
+
+	referenceTime := time.Date(2026, 3, 27, 17, 41, 21, 0, time.UTC)
+
+	specWithoutTZ, err := NewActionScheduleSpec("2 13 * * *", optional.None[string](), referenceTime)
+	require.NoError(t, err)
+
+	specWithTZ, err := NewActionScheduleSpec("3 13 * * *", optional.Some("Europe/Paris"), referenceTime)
+	require.NoError(t, err)
+
+	schedule := &ActionSchedule{
+		Title:             ".forgejo/workflows/test.yaml",
+		Specs:             []*ActionScheduleSpec{specWithoutTZ, specWithTZ},
+		RepoID:            repo62.ID,
+		OwnerID:           user2.ID,
+		WorkflowID:        "test.yaml",
+		WorkflowDirectory: ".forgejo/workflows",
+		TriggerUserID:     -2,
+		Ref:               "main",
+		CommitSHA:         "6af834a5bc97c1a337eb3a21d26903c5cdceca0c",
+		Event:             webhook.HookEventPush,
+		EventPayload:      "{\"action\":\"schedule\"}",
+		Content:           []byte(content),
+	}
+
+	err = CreateScheduleTask(t.Context(), []*ActionSchedule{schedule})
+	require.NoError(t, err)
+
+	schedules, err := db.Find[ActionSchedule](t.Context(), FindScheduleOptions{OwnerID: user2.ID, RepoID: repo62.ID})
+	require.NoError(t, err)
+	require.Len(t, schedules, 1)
+
+	assert.NotZero(t, schedules[0].ID)
+	assert.Equal(t, ".forgejo/workflows/test.yaml", schedules[0].Title)
+	assert.Equal(t, "test.yaml", schedules[0].WorkflowID)
+	assert.Equal(t, ".forgejo/workflows", schedules[0].WorkflowDirectory)
+	assert.Equal(t, int64(-2), schedules[0].TriggerUserID)
+	assert.Equal(t, "main", schedules[0].Ref)
+	assert.Equal(t, "6af834a5bc97c1a337eb3a21d26903c5cdceca0c", schedules[0].CommitSHA)
+	assert.Equal(t, webhook.HookEventPush, schedules[0].Event)
+	assert.JSONEq(t, "{\"action\":\"schedule\"}", schedules[0].EventPayload)
+	assert.Equal(t, []byte(content), schedules[0].Content)
+
+	specs, total, err := FindSpecs(t.Context(), FindSpecOptions{RepoID: repo62.ID})
+	require.NoError(t, err)
+
+	assert.Equal(t, int64(2), total)
+
+	assert.NotZero(t, specs[0].ID)
+	assert.Equal(t, schedules[0].ID, specs[0].ScheduleID)
+	assert.Equal(t, timeutil.TimeStamp(1774699380), specs[0].Next)
+	assert.Equal(t, "3 13 * * *", specs[0].Spec)
+	assert.Equal(t, optional.Some("Europe/Paris"), specs[0].TimeZone)
+	assert.Zero(t, specs[0].Prev)
+
+	assert.NotZero(t, specs[1].ID)
+	assert.Equal(t, schedules[0].ID, specs[1].ScheduleID)
+	assert.Equal(t, timeutil.TimeStamp(1774702920), specs[1].Next)
+	assert.Equal(t, "2 13 * * *", specs[1].Spec)
+	assert.Equal(t, optional.None[string](), specs[1].TimeZone)
+	assert.Zero(t, specs[1].Prev)
+}
diff --git a/models/forgejo_migrations/v15c_add_schedule_spec_time_zones.go b/models/forgejo_migrations/v15c_add_schedule_spec_time_zones.go
new file mode 100644
index 0000000000..d72d585725
--- /dev/null
+++ b/models/forgejo_migrations/v15c_add_schedule_spec_time_zones.go
@@ -0,0 +1,31 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package forgejo_migrations
+
+import (
+	"forgejo.org/modules/optional"
+
+	"xorm.io/xorm"
+)
+
+func init() {
+	registerMigration(&Migration{
+		Description: "add time zone support to action_schedule_spec",
+		Upgrade:     addActionScheduleSpecTimeZone,
+	})
+}
+
+func addActionScheduleSpecTimeZone(x *xorm.Engine) error {
+	type ActionScheduleSpec struct {
+		TimeZone optional.Option[string]
+	}
+
+	_, err := x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, new(ActionScheduleSpec))
+	if err != nil {
+		return err
+	}
+
+	_, err = x.Exec("ALTER TABLE action_schedule DROP COLUMN `specs`")
+	return err
+}
diff --git a/services/actions/TestServiceActions_startTask/action_schedule.yml b/services/actions/TestServiceActions_startTask/action_schedule.yml
index d0e7234475..8102e3f9e3 100644
--- a/services/actions/TestServiceActions_startTask/action_schedule.yml
+++ b/services/actions/TestServiceActions_startTask/action_schedule.yml
@@ -2,8 +2,6 @@
 -
   id: 1
   title: schedule_title1
-  specs:
-    - '* * * * *'
   repo_id: 4
   owner_id: 2
   workflow_id: 'workflow1.yml'
@@ -23,8 +21,6 @@
 -
   id: 2
   title: schedule_title2
-  specs:
-    - '* * * * *'
   repo_id: 4
   owner_id: 2
   workflow_id: 'workflow2.yml'
diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go
index c6af9b5b82..5e048a83ad 100644
--- a/services/actions/notifier_helper.go
+++ b/services/actions/notifier_helper.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"slices"
 	"strings"
+	"time"
 
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
@@ -24,6 +25,7 @@ import (
 	"forgejo.org/modules/gitrepo"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/util"
@@ -574,6 +576,16 @@ func handleSchedules(
 			continue
 		}
 
+		now := time.Now()
+		specs := make([]*actions_model.ActionScheduleSpec, 0, len(schedules))
+		for _, schedule := range schedules {
+			scheduleSpec, err := actions_model.NewActionScheduleSpec(schedule.Cron, optional.FromNonDefault(schedule.TimeZone), now)
+			if err != nil {
+				return err
+			}
+			specs = append(specs, scheduleSpec)
+		}
+
 		title := workflow.Name
 		if len(title) < 1 {
 			title = dwf.GetWorkflowPath()
@@ -590,7 +602,7 @@ func handleSchedules(
 			CommitSHA:         commit.ID.String(),
 			Event:             input.Event,
 			EventPayload:      string(p),
-			Specs:             schedules,
+			Specs:             specs,
 			Content:           dwf.Content,
 		}
 		crons = append(crons, run)
diff --git a/services/actions/schedule_tasks_test.go b/services/actions/schedule_tasks_test.go
index 9bf964fd90..57ee6b955a 100644
--- a/services/actions/schedule_tasks_test.go
+++ b/services/actions/schedule_tasks_test.go
@@ -6,12 +6,14 @@ package actions
 import (
 	"context"
 	"testing"
+	"time"
 
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/test"
 	"forgejo.org/modules/timeutil"
 	webhook_module "forgejo.org/modules/webhook"
@@ -29,6 +31,9 @@ func TestServiceActions_startTask(t *testing.T) {
 	// Load fixtures that are corrupted and create one valid scheduled workflow
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
 
+	spec, err := actions_model.NewActionScheduleSpec("* * * * *", optional.None[string](), time.Now())
+	require.NoError(t, err)
+
 	workflowID := "some.yml"
 	schedules := []*actions_model.ActionSchedule{
 		{
@@ -42,7 +47,7 @@ func TestServiceActions_startTask(t *testing.T) {
 			CommitSHA:         "fakeSHA",
 			Event:             webhook_module.HookEventSchedule,
 			EventPayload:      "fakepayload",
-			Specs:             []string{"* * * * *"},
+			Specs:             []*actions_model.ActionScheduleSpec{spec},
 			Content: []byte(
 				`
 jobs:
@@ -57,7 +62,7 @@ jobs:
 	require.Equal(t, 2, unittest.GetCount(t, actions_model.ActionScheduleSpec{}))
 	require.NoError(t, actions_model.CreateScheduleTask(t.Context(), schedules))
 	require.Equal(t, 3, unittest.GetCount(t, actions_model.ActionScheduleSpec{}))
-	_, err := db.GetEngine(db.DefaultContext).Exec("UPDATE `action_schedule_spec` SET next = 1")
+	_, err = db.GetEngine(db.DefaultContext).Exec("UPDATE `action_schedule_spec` SET next = 1")
 	require.NoError(t, err)
 
 	// After running startTasks an ActionRun row is created for the valid scheduled workflow
@@ -291,6 +296,9 @@ func TestServiceActions_DynamicMatrix(t *testing.T) {
 	// Load fixtures that are corrupted and create one valid scheduled workflow
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
 
+	spec, err := actions_model.NewActionScheduleSpec("* * * * *", optional.None[string](), time.Now())
+	require.NoError(t, err)
+
 	workflowID := "some.yml"
 	schedules := []*actions_model.ActionSchedule{
 		{
@@ -304,7 +312,7 @@ func TestServiceActions_DynamicMatrix(t *testing.T) {
 			CommitSHA:         "fakeSHA",
 			Event:             webhook_module.HookEventSchedule,
 			EventPayload:      "fakepayload",
-			Specs:             []string{"* * * * *"},
+			Specs:             []*actions_model.ActionScheduleSpec{spec},
 			Content: []byte(
 				`
 jobs:
@@ -322,7 +330,7 @@ jobs:
 	require.Equal(t, 2, unittest.GetCount(t, actions_model.ActionScheduleSpec{}))
 	require.NoError(t, actions_model.CreateScheduleTask(t.Context(), schedules))
 	require.Equal(t, 3, unittest.GetCount(t, actions_model.ActionScheduleSpec{}))
-	_, err := db.GetEngine(db.DefaultContext).Exec("UPDATE `action_schedule_spec` SET next = 1")
+	_, err = db.GetEngine(db.DefaultContext).Exec("UPDATE `action_schedule_spec` SET next = 1")
 	require.NoError(t, err)
 
 	// After running startTasks an ActionRun row is created for the valid scheduled workflow
@@ -354,6 +362,9 @@ func TestServiceActions_RunsOnNeeds(t *testing.T) {
 	// Load fixtures that are corrupted and create one valid scheduled workflow
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
 
+	spec, err := actions_model.NewActionScheduleSpec("* * * * *", optional.None[string](), time.Now())
+	require.NoError(t, err)
+
 	workflowID := "some.yml"
 	schedules := []*actions_model.ActionSchedule{
 		{
@@ -366,7 +377,7 @@ func TestServiceActions_RunsOnNeeds(t *testing.T) {
 			CommitSHA:     "fakeSHA",
 			Event:         webhook_module.HookEventSchedule,
 			EventPayload:  "fakepayload",
-			Specs:         []string{"* * * * *"},
+			Specs:         []*actions_model.ActionScheduleSpec{spec},
 			Content: []byte(
 				`
 jobs:
@@ -381,7 +392,7 @@ jobs:
 	require.Equal(t, 2, unittest.GetCount(t, actions_model.ActionScheduleSpec{}))
 	require.NoError(t, actions_model.CreateScheduleTask(t.Context(), schedules))
 	require.Equal(t, 3, unittest.GetCount(t, actions_model.ActionScheduleSpec{}))
-	_, err := db.GetEngine(db.DefaultContext).Exec("UPDATE `action_schedule_spec` SET next = 1")
+	_, err = db.GetEngine(db.DefaultContext).Exec("UPDATE `action_schedule_spec` SET next = 1")
 	require.NoError(t, err)
 
 	// After running startTasks an ActionRun row is created for the valid scheduled workflow
@@ -440,6 +451,9 @@ func TestServiceActions_ExpandReusableWorkflow(t *testing.T) {
 	// Load fixtures that are corrupted and create one valid scheduled workflow
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
 
+	spec, err := actions_model.NewActionScheduleSpec("* * * * *", optional.None[string](), time.Now())
+	require.NoError(t, err)
+
 	workflowID := "some.yml"
 	schedules := []*actions_model.ActionSchedule{
 		{
@@ -452,7 +466,7 @@ func TestServiceActions_ExpandReusableWorkflow(t *testing.T) {
 			CommitSHA:     "fakeSHA",
 			Event:         webhook_module.HookEventSchedule,
 			EventPayload:  "fakepayload",
-			Specs:         []string{"* * * * *"},
+			Specs:         []*actions_model.ActionScheduleSpec{spec},
 			Content: []byte(
 				`
 jobs:
@@ -467,7 +481,7 @@ jobs:
 	require.Equal(t, 2, unittest.GetCount(t, actions_model.ActionScheduleSpec{}))
 	require.NoError(t, actions_model.CreateScheduleTask(t.Context(), schedules))
 	require.Equal(t, 3, unittest.GetCount(t, actions_model.ActionScheduleSpec{}))
-	_, err := db.GetEngine(db.DefaultContext).Exec("UPDATE `action_schedule_spec` SET next = 1")
+	_, err = db.GetEngine(db.DefaultContext).Exec("UPDATE `action_schedule_spec` SET next = 1")
 	require.NoError(t, err)
 
 	// After running startTasks an ActionRun row is created for the valid scheduled workflow
diff --git a/tests/integration/actions_trigger_test.go b/tests/integration/actions_trigger_test.go
index 4de8d625ab..914acadf14 100644
--- a/tests/integration/actions_trigger_test.go
+++ b/tests/integration/actions_trigger_test.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"
 	"testing"
 	"time"
@@ -23,6 +24,7 @@ import (
 	actions_module "forgejo.org/modules/actions"
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/gitrepo"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
@@ -1136,13 +1138,18 @@ func TestActionsWorkflowDispatchConcurrencyGroup(t *testing.T) {
 }
 
 func TestActionsScheduledWorkflow(t *testing.T) {
+	type expectedSpec struct {
+		cron     string
+		timeZone optional.Option[string]
+	}
+
 	testCases := []struct {
 		name                  string
 		workflowID            string
 		workflowDirectory     string
 		workflowContent       string
 		expectedWorkflowTitle string
-		expectedCronSpecs     []string
+		expectedCronSpecs     []expectedSpec
 	}{
 		{
 			name:              "GitHub",
@@ -1158,7 +1165,7 @@ jobs:
       - run: echo OK
 `,
 			expectedWorkflowTitle: ".github/workflows/scheduled.yml",
-			expectedCronSpecs:     []string{"30 5,17 * * *"},
+			expectedCronSpecs:     []expectedSpec{{cron: "30 5,17 * * *", timeZone: optional.None[string]()}},
 		},
 		{
 			name:              "Gitea",
@@ -1175,7 +1182,28 @@ jobs:
       - run: echo OK
 `,
 			expectedWorkflowTitle: "My scheduled workflow",
-			expectedCronSpecs:     []string{"* * * * *"},
+			expectedCronSpecs:     []expectedSpec{{cron: "* * * * *", timeZone: optional.None[string]()}},
+		},
+		{
+			name:              "Forgejo with time zone",
+			workflowID:        "tz.yml",
+			workflowDirectory: ".forgejo/workflows",
+			workflowContent: `
+on:
+  schedule:
+    - cron: "44 10 * * *"
+    - cron: "25 19 * * *"
+      timezone: Europe/Madrid
+jobs:
+  test:
+    steps:
+      - run: echo OK
+`,
+			expectedWorkflowTitle: ".forgejo/workflows/tz.yml",
+			expectedCronSpecs: []expectedSpec{
+				{cron: "44 10 * * *", timeZone: optional.None[string]()},
+				{cron: "25 19 * * *", timeZone: optional.Some("Europe/Madrid")},
+			},
 		},
 	}
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
@@ -1201,7 +1229,6 @@ jobs:
 				require.Len(t, schedules, 1)
 
 				assert.Equal(t, testCase.expectedWorkflowTitle, schedules[0].Title)
-				assert.Equal(t, testCase.expectedCronSpecs, schedules[0].Specs)
 				assert.Equal(t, repo.ID, schedules[0].RepoID)
 				assert.Equal(t, repo.OwnerID, schedules[0].OwnerID)
 				assert.Equal(t, testCase.workflowID, schedules[0].WorkflowID)
@@ -1210,6 +1237,20 @@ jobs:
 				assert.Equal(t, sha, schedules[0].CommitSHA)
 				assert.Equal(t, webhook_module.HookEventPush, schedules[0].Event)
 				assert.Equal(t, []byte(testCase.workflowContent), schedules[0].Content)
+
+				specs, total, err := actions_model.FindSpecs(t.Context(), actions_model.FindSpecOptions{RepoID: repo.ID})
+				require.NoError(t, err)
+
+				assert.Equal(t, int64(len(testCase.expectedCronSpecs)), total)
+
+				// The query to return cron specs orders by `id DESC`.
+				slices.Reverse(testCase.expectedCronSpecs)
+
+				for i, expected := range testCase.expectedCronSpecs {
+					assert.Equal(t, schedules[0].ID, specs[i].ScheduleID)
+					assert.Equal(t, expected.cron, specs[i].Spec)
+					assert.Equal(t, expected.timeZone, specs[i].TimeZone)
+				}
 			})
 		}
 	})

From 80d840c1284e4f44b9efac208811b9ed26455ade Mon Sep 17 00:00:00 2001
From: grangelouis <grangelouis@noreply.codeberg.org>
Date: Sat, 4 Apr 2026 21:58:16 +0200
Subject: [PATCH 062/287] fix: missing syntax dialog rounded corners (#11945)

Fixes #11299

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11945
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: grangelouis <grangelouis@noreply.codeberg.org>
Co-committed-by: grangelouis <grangelouis@noreply.codeberg.org>
---
 web_src/css/modules/dialog.css | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/web_src/css/modules/dialog.css b/web_src/css/modules/dialog.css
index 897eb838cf..3f9a1a44bf 100644
--- a/web_src/css/modules/dialog.css
+++ b/web_src/css/modules/dialog.css
@@ -88,6 +88,11 @@ dialog .actions {
   padding: 1rem;
 }
 
+dialog footer {
+  border-bottom-left-radius: var(--border-radius);
+  border-bottom-right-radius: var(--border-radius);
+}
+
 /* positive/negative action buttons */
 dialog .actions .ui.button {
   display: inline-flex;

From 90ca6116954c0471280c6576e36c67577ff22c88 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 5 Apr 2026 02:15:52 +0200
Subject: [PATCH 063/287] Update dependency mermaid to v11.14.0 (forgejo)
 (#11990)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [mermaid](https://github.com/mermaid-js/mermaid) | [`11.13.0` → `11.14.0`](https://renovatebot.com/diffs/npm/mermaid/11.13.0/11.14.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/mermaid/11.14.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/mermaid/11.13.0/11.14.0?slim=true) |

---

### Release Notes

<details>
<summary>mermaid-js/mermaid (mermaid)</summary>

### [`v11.14.0`](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.14.0)

[Compare Source](https://github.com/mermaid-js/mermaid/compare/mermaid@11.13.0...mermaid@11.14.0)

Thanks to our awesome mermaid community that contributed to this release: [@&#8203;ashishjain0512](https://github.com/ashishjain0512), [@&#8203;tractorjuice](https://github.com/tractorjuice), [@&#8203;autofix-ci\[bot\]](https://github.com/autofix-ci%5Bbot%5D), [@&#8203;aloisklink](https://github.com/aloisklink), [@&#8203;knsv](https://github.com/knsv), [@&#8203;kibanana](https://github.com/kibanana), [@&#8203;chandershekhar22](https://github.com/chandershekhar22), [@&#8203;khalil](https://github.com/khalil), [@&#8203;ytatsuno](https://github.com/ytatsuno), [@&#8203;sidharthv96](https://github.com/sidharthv96), [@&#8203;github-actions\[bot\]](https://github.com/github-actions%5Bbot%5D), [@&#8203;dripcoding](https://github.com/dripcoding), [@&#8203;knsv-bot](https://github.com/knsv-bot), [@&#8203;jeroensmink98](https://github.com/jeroensmink98), [@&#8203;Alex9583](https://github.com/Alex9583), [@&#8203;GhassenS](https://github.com/GhassenS), [@&#8203;omkarht](https://github.com/omkarht), [@&#8203;darshanr0107](https://github.com/darshanr0107), [@&#8203;leentaylor](https://github.com/leentaylor), [@&#8203;lee-treehouse](https://github.com/lee-treehouse), [@&#8203;veeceey](https://github.com/veeceey), [@&#8203;turntrout](https://github.com/turntrout), [@&#8203;Mermaid-Chart](https://github.com/Mermaid-Chart), [@&#8203;BambioGaming](https://github.com/BambioGaming), Claude

### Releases

#### [@&#8203;mermaid-js/examples](https://github.com/mermaid-js/examples)@&#8203;1.2.0

##### Minor Changes

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - add new TreeView diagram

#### mermaid\@&#8203;11.14.0

##### Minor Changes

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - Add Wardley Maps diagram type (beta)

  Adds Wardley Maps as a new diagram type to Mermaid (available as `wardley-beta`). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

  Features:

  - Component positioning with \[visibility, evolution] coordinates (OWM format)
  - Anchors for users/customers
  - Multiple link types: dependencies, flows, labeled links
  - Evolution arrows and trend indicators
  - Custom evolution stages with optional dual labels
  - Custom stage widths using [@&#8203;boundary](https://github.com/boundary) notation
  - Pipeline components with visibility inheritance
  - Annotations, notes, and visual elements
  - Source strategy markers: build, buy, outsource, market
  - Inertia indicators
  - Theme integration

  Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look styling for state diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: add `randomize` config option for architecture diagrams, defaulting to `false` for deterministic layout

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - feat: Add option to change timeline direction

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like `#arrowhead` should use attribute-ending selectors like `[id$="-arrowhead"]` instead.

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look styling for ER diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look styling for requirement diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - feat: add theme support for data label colour in xy chart

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - feat: implement neo look styling for mindmap diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - feat: implement neo look for mermaid flowchart diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - feat: implement neo look and themes for class diagram

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - feat: add showDataLabelOutsideBar option for xy chart

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look support for timeline diagram with drop shadows, additoinal redux themes and enhanced styling

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look and themes for gitGraph diagram

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - add new TreeView diagram

##### Patch Changes

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - add link to ishikawa diagram on mermaid.js.org

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - docs: document valid duration token formats in gantt.md

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - fix: ER diagram parsing when using "1" as entity identifier on right side

  The parser was incorrectly tokenizing the second "1" in patterns like `a many to 1 1:` because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern `"1"(?=\s+[0-9])` to correctly identify the cardinality alias before a numeric entity name.

  Fixes [#&#8203;7472](https://github.com/mermaid-js/mermaid/issues/7472)

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - fix: support inline annotation syntax in class diagrams (class Shape <<interface>>)

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: warn when `style` statement targets a non-existent node in flowcharts

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - fix: group state diagram SVG children under single root <g> element

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - fix: Allow :::className syntax inside composite state blocks

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) Thanks [@&#8203;aloisklink](https://github.com/aloisklink), [@&#8203;BambioGaming](https://github.com/BambioGaming)! - fix: prevent escaping `<` and `&` when `htmlLabels: false`

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: treemap title and labels use theme-aware colors for dark backgrounds

- Updated dependencies \[[`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)]:
  - [@&#8203;mermaid-js/parser](https://github.com/mermaid-js/parser)@&#8203;1.1.0

#### [@&#8203;mermaid-js/parser](https://github.com/mermaid-js/parser)@&#8203;1.1.0

##### Minor Changes

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - add new TreeView diagram

#### [@&#8203;mermaid-js/tiny](https://github.com/mermaid-js/tiny)@&#8203;11.14.0

##### Minor Changes

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - Add Wardley Maps diagram type (beta)

  Adds Wardley Maps as a new diagram type to Mermaid (available as `wardley-beta`). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

  Features:

  - Component positioning with \[visibility, evolution] coordinates (OWM format)
  - Anchors for users/customers
  - Multiple link types: dependencies, flows, labeled links
  - Evolution arrows and trend indicators
  - Custom evolution stages with optional dual labels
  - Custom stage widths using [@&#8203;boundary](https://github.com/boundary) notation
  - Pipeline components with visibility inheritance
  - Annotations, notes, and visual elements
  - Source strategy markers: build, buy, outsource, market
  - Inertia indicators
  - Theme integration

  Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - feat: implement neo look styling for state diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - feat: add `randomize` config option for architecture diagrams, defaulting to `false` for deterministic layout

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: Add option to change timeline direction

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like `#arrowhead` should use attribute-ending selectors like `[id$="-arrowhead"]` instead.

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look styling for ER diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look styling for requirement diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: add theme support for data label colour in xy chart

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look styling for mindmap diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look for mermaid flowchart diagrams

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look and themes for class diagram

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: add showDataLabelOutsideBar option for xy chart

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look support for timeline diagram with drop shadows, additoinal redux themes and enhanced styling

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - feat: implement neo look and themes for gitGraph diagram

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - add new TreeView diagram

##### Patch Changes

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - add link to ishikawa diagram on mermaid.js.org

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - docs: document valid duration token formats in gantt.md

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: ER diagram parsing when using "1" as entity identifier on right side

  The parser was incorrectly tokenizing the second "1" in patterns like `a many to 1 1:` because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern `"1"(?=\s+[0-9])` to correctly identify the cardinality alias before a numeric entity name.

  Fixes [#&#8203;7472](https://github.com/mermaid-js/mermaid/issues/7472)

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: support inline annotation syntax in class diagrams (class Shape <<interface>>)

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: warn when `style` statement targets a non-existent node in flowcharts

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: group state diagram SVG children under single root <g> element

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: Allow :::className syntax inside composite state blocks

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519) Thanks [@&#8203;aloisklink](https://github.com/aloisklink), [@&#8203;BambioGaming](https://github.com/BambioGaming)! - fix: prevent escaping `<` and `&` when `htmlLabels: false`

- [#&#8203;7526](https://github.com/mermaid-js/mermaid/pull/7526) [`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)  - fix: treemap title and labels use theme-aware colors for dark backgrounds

- Updated dependencies \[[`efe218a`](https://github.com/mermaid-js/mermaid/commit/efe218a47fb5a4c2bd5489b48ce69213b141e519)]:
  - [@&#8203;mermaid-js/parser](https://github.com/mermaid-js/parser)@&#8203;1.1.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMSIsInRhcmdldEJyYW5jaCI6ImZvcmdlam8iLCJsYWJlbHMiOlsiZGVwZW5kZW5jeS11cGdyYWRlIiwidGVzdC9ub3QtbmVlZGVkIl19-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11990
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 10 +++++-----
 package.json      |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 96688e44ef..72aeb9821b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -55,7 +55,7 @@
         "idiomorph": "0.3.0",
         "jquery": "3.7.1",
         "katex": "0.16.44",
-        "mermaid": "11.13.0",
+        "mermaid": "11.14.0",
         "mini-css-extract-plugin": "2.10.0",
         "minimatch": "10.2.4",
         "pdfobject": "2.3.0",
@@ -11538,14 +11538,14 @@
       }
     },
     "node_modules/mermaid": {
-      "version": "11.13.0",
-      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.13.0.tgz",
-      "integrity": "sha512-fEnci+Immw6lKMFI8sqzjlATTyjLkRa6axrEgLV2yHTfv8r+h1wjFbV6xeRtd4rUV1cS4EpR9rwp3Rci7TRWDw==",
+      "version": "11.14.0",
+      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.14.0.tgz",
+      "integrity": "sha512-GSGloRsBs+JINmmhl0JDwjpuezCsHB4WGI4NASHxL3fHo3o/BRXTxhDLKnln8/Q0lRFRyDdEjmk1/d5Sn1Xz8g==",
       "license": "MIT",
       "dependencies": {
         "@braintree/sanitize-url": "^7.1.1",
         "@iconify/utils": "^3.0.2",
-        "@mermaid-js/parser": "^1.0.1",
+        "@mermaid-js/parser": "^1.1.0",
         "@types/d3": "^7.4.3",
         "@upsetjs/venn.js": "^2.0.0",
         "cytoscape": "^3.33.1",
diff --git a/package.json b/package.json
index cb734aab0c..3c368c5b1a 100644
--- a/package.json
+++ b/package.json
@@ -54,7 +54,7 @@
     "idiomorph": "0.3.0",
     "jquery": "3.7.1",
     "katex": "0.16.44",
-    "mermaid": "11.13.0",
+    "mermaid": "11.14.0",
     "mini-css-extract-plugin": "2.10.0",
     "minimatch": "10.2.4",
     "pdfobject": "2.3.0",

From e14e2206513f38589665229d7a786e0de41b78fa Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 5 Apr 2026 14:37:09 +0200
Subject: [PATCH 064/287] perf: bulk load resolvers & reactions on pull request
 comments (#11988)

Optimize loading pull request review comments, which currently perform separate database queries for each comment in order to load the resolver of the comment, and the reactions on that comment, and the users on each reaction of the comments.

I stumbled across this ugly code, which enticed me to look into this:

https://codeberg.org/forgejo/forgejo/src/commit/80d840c1284e4f44b9efac208811b9ed26455ade/routers/web/repo/pull.go#L1107-L1120

It appeared to load the attachments from each comment on the pull request review page in separate database queries.  It turned out to be a noop, as the attachments are already loaded in bulk:

https://codeberg.org/forgejo/forgejo/src/commit/80d840c1284e4f44b9efac208811b9ed26455ade/models/issues/comment_code.go#L120-L122

but the `findCodeComments` method loads the "resolver doer" and the reactions one-by-one for each comment.  So I fixed that instead, and removed the ineffective deeply nested for loop.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11988
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 models/issues/comment.go             |  15 ----
 models/issues/comment_code.go        |  22 +++---
 models/issues/comment_list.go        |  79 ++++++++++++++++++++
 models/issues/comment_list_test.go   | 108 +++++++++++++++++++++++++++
 models/issues/comment_test.go        |  25 ++++++-
 models/issues/reaction.go            |  31 ++++++++
 routers/api/v1/repo/issue_comment.go |   5 ++
 routers/web/repo/issue.go            |   9 ++-
 routers/web/repo/pull.go             |  15 ----
 services/convert/issue_comment.go    |   6 --
 10 files changed, 261 insertions(+), 54 deletions(-)

diff --git a/models/issues/comment.go b/models/issues/comment.go
index fd0f595945..bfad3935fb 100644
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@@ -663,21 +663,6 @@ func (c *Comment) LoadAssigneeUserAndTeam(ctx context.Context) error {
 	return nil
 }
 
-// LoadResolveDoer if comment.Type is CommentTypeCode and ResolveDoerID not zero, then load resolveDoer
-func (c *Comment) LoadResolveDoer(ctx context.Context) (err error) {
-	if c.ResolveDoerID == 0 || c.Type != CommentTypeCode {
-		return nil
-	}
-	c.ResolveDoer, err = user_model.GetUserByID(ctx, c.ResolveDoerID)
-	if err != nil {
-		if user_model.IsErrUserNotExist(err) {
-			c.ResolveDoer = user_model.NewGhostUser()
-			err = nil
-		}
-	}
-	return err
-}
-
 // IsResolved check if an code comment is resolved
 func (c *Comment) IsResolved() bool {
 	return c.ResolveDoerID != 0 && c.Type == CommentTypeCode
diff --git a/models/issues/comment_code.go b/models/issues/comment_code.go
index 3c87a1b41a..800d1e830e 100644
--- a/models/issues/comment_code.go
+++ b/models/issues/comment_code.go
@@ -133,7 +133,7 @@ func findCodeComments(ctx context.Context, opts FindCommentsOptions, issue *Issu
 		return nil, err
 	}
 
-	n := 0
+	readyComments := make(CommentList, 0, len(comments))
 	for _, comment := range comments {
 		if re, ok := reviews[comment.ReviewID]; ok && re != nil {
 			// If the review is pending only the author can see the comments (except if the review is set)
@@ -143,17 +143,18 @@ func findCodeComments(ctx context.Context, opts FindCommentsOptions, issue *Issu
 			}
 			comment.Review = re
 		}
-		comments[n] = comment
-		n++
+		readyComments = append(readyComments, comment)
+	}
 
-		if err := comment.LoadResolveDoer(ctx); err != nil {
-			return nil, err
-		}
+	if err := readyComments.LoadResolveDoers(ctx); err != nil {
+		return nil, err
+	}
 
-		if err := comment.LoadReactions(ctx, issue.Repo); err != nil {
-			return nil, err
-		}
+	if err := readyComments.LoadReactions(ctx, issue.Repo); err != nil {
+		return nil, err
+	}
 
+	for _, comment := range readyComments {
 		var err error
 		if comment.RenderedContent, err = markdown.RenderString(&markup.RenderContext{
 			Ctx: ctx,
@@ -165,7 +166,8 @@ func findCodeComments(ctx context.Context, opts FindCommentsOptions, issue *Issu
 			return nil, err
 		}
 	}
-	return comments[:n], nil
+
+	return readyComments, nil
 }
 
 // FetchCodeConversation fetches the code conversation of a given comment (same review, treePath and line number)
diff --git a/models/issues/comment_list.go b/models/issues/comment_list.go
index 53903bea31..9a5c22244b 100644
--- a/models/issues/comment_list.go
+++ b/models/issues/comment_list.go
@@ -5,6 +5,7 @@ package issues
 
 import (
 	"context"
+	"errors"
 
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
@@ -390,6 +391,84 @@ func (comments CommentList) LoadAttachments(ctx context.Context) (err error) {
 	return nil
 }
 
+func (comments CommentList) LoadResolveDoers(ctx context.Context) (err error) {
+	relevant := func(c *Comment) bool {
+		return c.ResolveDoerID != 0 && c.Type == CommentTypeCode
+	}
+	userIDs := make(container.Set[int64])
+	for _, comment := range comments {
+		if relevant(comment) {
+			userIDs.Add(comment.ResolveDoerID)
+		}
+	}
+
+	if len(userIDs) == 0 {
+		return nil
+	}
+
+	userMap := make(map[int64]*user_model.User)
+	users, err := user_model.GetUsersByIDs(ctx, userIDs.Slice())
+	if err != nil {
+		return err
+	}
+	for _, user := range users {
+		userMap[user.ID] = user
+	}
+
+	for _, comment := range comments {
+		if !relevant(comment) {
+			continue
+		}
+		resolveDoer, ok := userMap[comment.ResolveDoerID]
+		if !ok {
+			comment.ResolveDoer = user_model.NewGhostUser()
+		} else {
+			comment.ResolveDoer = resolveDoer
+		}
+	}
+
+	return nil
+}
+
+func (comments CommentList) LoadReactions(ctx context.Context, repo *repo_model.Repository) (err error) {
+	loadIssueID := int64(0)
+	loadCommentIDs := make([]int64, 0, len(comments))
+
+	for _, comment := range comments {
+		if loadIssueID == 0 {
+			loadIssueID = comment.IssueID
+		} else if loadIssueID != comment.IssueID {
+			return errors.New("unable to load reactions from comments on different issues than each other")
+		}
+		if comment.Reactions == nil {
+			loadCommentIDs = append(loadCommentIDs, comment.ID)
+		}
+	}
+
+	if loadIssueID == 0 {
+		return nil
+	}
+
+	reactions, err := getReactionsForComments(ctx, loadIssueID, loadCommentIDs)
+	if err != nil {
+		return err
+	}
+
+	allReactions := make(ReactionList, 0, len(reactions))
+	for _, comment := range comments {
+		if comment.Reactions == nil {
+			comment.Reactions = reactions[comment.ID]
+			allReactions = append(allReactions, comment.Reactions...)
+		}
+	}
+
+	if _, err := allReactions.LoadUsers(ctx, repo); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (comments CommentList) getReviewIDs() []int64 {
 	return container.FilterSlice(comments, func(comment *Comment) (int64, bool) {
 		return comment.ReviewID, comment.ReviewID > 0
diff --git a/models/issues/comment_list_test.go b/models/issues/comment_list_test.go
index 062a710b84..12a9144722 100644
--- a/models/issues/comment_list_test.go
+++ b/models/issues/comment_list_test.go
@@ -84,3 +84,111 @@ func TestCommentListLoadUser(t *testing.T) {
 		})
 	}
 }
+
+func TestCommentListLoadResolveDoers(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	issue := unittest.AssertExistsAndLoadBean(t, &Issue{})
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	empty := CommentList{}
+	require.NoError(t, empty.LoadResolveDoers(t.Context()))
+
+	comment1, err := CreateComment(db.DefaultContext, &CreateCommentOptions{
+		Type:    CommentTypeCode,
+		Doer:    doer,
+		Repo:    repo,
+		Issue:   issue,
+		Content: "Hello",
+	})
+	require.NoError(t, err)
+	require.NoError(t, MarkConversation(t.Context(), comment1, doer, true))
+	comment1 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment1.ID}) // reload after change
+	comment1List := CommentList{comment1}
+	require.NoError(t, comment1List.LoadResolveDoers(t.Context()))
+	require.NotNil(t, comment1.ResolveDoer)
+	assert.Equal(t, doer.ID, comment1.ResolveDoer.ID)
+
+	comment2, err := CreateComment(db.DefaultContext, &CreateCommentOptions{
+		Type:    CommentTypeCode,
+		Doer:    doer,
+		Repo:    repo,
+		Issue:   issue,
+		Content: "Hello again",
+	})
+	require.NoError(t, err)
+	require.NoError(t, MarkConversation(t.Context(), comment2, user_model.NewGhostUser(), true))
+
+	// Reload for fresh objects
+	comment1 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment1.ID})
+	comment2 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment2.ID})
+
+	comment2List := CommentList{comment1, comment2}
+	require.NoError(t, comment2List.LoadResolveDoers(t.Context()))
+	require.NotNil(t, comment1.ResolveDoer)
+	assert.Equal(t, doer.ID, comment1.ResolveDoer.ID)
+	require.NotNil(t, comment2.ResolveDoer)
+	assert.EqualValues(t, -1, comment2.ResolveDoer.ID)
+}
+
+func TestCommentListLoadReactions(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	issue := unittest.AssertExistsAndLoadBean(t, &Issue{})
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	empty := CommentList{}
+	require.NoError(t, empty.LoadReactions(t.Context(), repo))
+
+	comment1, err := CreateComment(db.DefaultContext, &CreateCommentOptions{
+		Type:    CommentTypeCode,
+		Doer:    doer,
+		Repo:    repo,
+		Issue:   issue,
+		Content: "Hello",
+	})
+	require.NoError(t, err)
+	_, err = CreateReaction(t.Context(), &ReactionOptions{
+		Type:      "eyes",
+		DoerID:    doer.ID,
+		IssueID:   issue.ID,
+		CommentID: comment1.ID,
+	})
+	require.NoError(t, err)
+
+	comment1 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment1.ID}) // reload after change
+	comment1List := CommentList{comment1}
+	require.NoError(t, comment1List.LoadReactions(t.Context(), repo))
+	require.Len(t, comment1.Reactions, 1)
+	assert.Equal(t, "eyes", comment1.Reactions[0].Type)
+	assert.NotNil(t, comment1.Reactions[0].User)
+
+	comment2, err := CreateComment(db.DefaultContext, &CreateCommentOptions{
+		Type:    CommentTypeCode,
+		Doer:    doer,
+		Repo:    repo,
+		Issue:   issue,
+		Content: "Hello again",
+	})
+	require.NoError(t, err)
+	_, err = CreateReaction(t.Context(), &ReactionOptions{
+		Type:      "rocket",
+		DoerID:    doer.ID,
+		IssueID:   issue.ID,
+		CommentID: comment2.ID,
+	})
+	require.NoError(t, err)
+
+	// Reload for fresh objects
+	comment1 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment1.ID})
+	comment2 = unittest.AssertExistsAndLoadBean(t, &Comment{ID: comment2.ID})
+
+	comment2List := CommentList{comment1, comment2}
+	require.NoError(t, comment2List.LoadReactions(t.Context(), repo))
+	require.Len(t, comment1.Reactions, 1)
+	require.Len(t, comment2.Reactions, 1)
+	assert.Equal(t, "rocket", comment2.Reactions[0].Type)
+	assert.NotNil(t, comment2.Reactions[0].User)
+}
diff --git a/models/issues/comment_test.go b/models/issues/comment_test.go
index c7adf6f62e..da87b8ec2f 100644
--- a/models/issues/comment_test.go
+++ b/models/issues/comment_test.go
@@ -52,12 +52,29 @@ func TestFetchCodeConversations(t *testing.T) {
 
 	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	_, err := issues_model.CreateReaction(t.Context(), &issues_model.ReactionOptions{
+		Type:      "eyes",
+		DoerID:    2,
+		IssueID:   issue.ID,
+		CommentID: 4,
+	})
+	require.NoError(t, err)
+	require.NoError(t, issues_model.MarkConversation(t.Context(),
+		unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 4}),
+		user, true))
+
 	res, err := issues_model.FetchCodeConversations(db.DefaultContext, issue, user, false)
 	require.NoError(t, err)
-	assert.Contains(t, res, "README.md")
-	assert.Contains(t, res["README.md"], int64(4))
-	assert.Len(t, res["README.md"][4], 1)
-	assert.Equal(t, int64(4), res["README.md"][4][0][0].ID)
+	require.Contains(t, res, "README.md")
+	require.Contains(t, res["README.md"], int64(4))
+	require.Len(t, res["README.md"][4], 1)
+	require.Len(t, res["README.md"][4][0], 1)
+	comment := res["README.md"][4][0][0]
+	assert.Equal(t, int64(4), comment.ID)
+	assert.NotNil(t, comment.ResolveDoer)
+	require.Len(t, comment.Reactions, 1)
+	r := comment.Reactions[0]
+	assert.NotNil(t, r.User)
 
 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 	res, err = issues_model.FetchCodeConversations(db.DefaultContext, issue, user2, false)
diff --git a/models/issues/reaction.go b/models/issues/reaction.go
index 522040c022..9a277a8c12 100644
--- a/models/issues/reaction.go
+++ b/models/issues/reaction.go
@@ -176,6 +176,37 @@ func FindReactions(ctx context.Context, opts FindReactionsOptions) (ReactionList
 	return reactions, count, err
 }
 
+func getReactionsForComments(ctx context.Context, issueID int64, commentIDs []int64) (map[int64]ReactionList, error) {
+	reactions := make(map[int64]ReactionList, len(commentIDs))
+	left := len(commentIDs)
+	for left > 0 {
+		limit := min(left, db.DefaultMaxInSize)
+		rows, err := db.GetEngine(ctx).
+			Where(builder.Eq{"issue_id": issueID}).
+			In("reaction.`type`", setting.UI.Reactions).
+			In("comment_id", commentIDs[:limit]).
+			Rows(&Reaction{})
+		if err != nil {
+			return nil, err
+		}
+
+		for rows.Next() {
+			var reaction Reaction
+			err = rows.Scan(&reaction)
+			if err != nil {
+				_ = rows.Close()
+				return nil, err
+			}
+			reactions[reaction.CommentID] = append(reactions[reaction.CommentID], &reaction)
+		}
+
+		_ = rows.Close()
+		left -= limit
+		commentIDs = commentIDs[limit:]
+	}
+	return reactions, nil
+}
+
 func createReaction(ctx context.Context, opts *ReactionOptions) (*Reaction, error) {
 	reaction := &Reaction{
 		Type:      opts.Type,
diff --git a/routers/api/v1/repo/issue_comment.go b/routers/api/v1/repo/issue_comment.go
index ceebb41f9e..3f58e4e271 100644
--- a/routers/api/v1/repo/issue_comment.go
+++ b/routers/api/v1/repo/issue_comment.go
@@ -215,6 +215,11 @@ func ListIssueCommentsAndTimeline(ctx *context.APIContext) {
 		return
 	}
 
+	if err := comments.LoadResolveDoers(ctx); err != nil {
+		ctx.Error(http.StatusInternalServerError, "LoadResolveDoers", err)
+		return
+	}
+
 	var apiComments []*api.TimelineComment
 	for _, comment := range comments {
 		if comment.Type != issues_model.CommentTypeCode && isXRefCommentAccessible(ctx, ctx.Doer, comment, issue.RepoID, ctx.Reducer) {
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 3852c4c18f..bb4185f785 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -1663,6 +1663,11 @@ func ViewIssue(ctx *context.Context) {
 		return
 	}
 
+	if err := issue.Comments.LoadResolveDoers(ctx); err != nil {
+		ctx.ServerError("LoadResolveDoers", err)
+		return
+	}
+
 	for commentIdx, comment = range issue.Comments {
 		comment.Issue = issue
 		metas := ctx.Repo.Repository.ComposeMetas(ctx)
@@ -1801,10 +1806,6 @@ func ViewIssue(ctx *context.Context) {
 					}
 				}
 			}
-			if err = comment.LoadResolveDoer(ctx); err != nil {
-				ctx.ServerError("LoadResolveDoer", err)
-				return
-			}
 		} else if comment.Type == issues_model.CommentTypePullRequestPush {
 			participants = addParticipant(comment.Poster, participants)
 			if err = comment.LoadPushCommits(ctx); err != nil {
diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
index c4b8583e2d..e9cdfc5ac7 100644
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -1104,21 +1104,6 @@ func viewPullFiles(ctx *context.Context, specifiedStartCommit, specifiedEndCommi
 		return
 	}
 
-	for _, file := range diff.Files {
-		for _, section := range file.Sections {
-			for _, line := range section.Lines {
-				for _, comments := range line.Conversations {
-					for _, comment := range comments {
-						if err := comment.LoadAttachments(ctx); err != nil {
-							ctx.ServerError("LoadAttachments", err)
-							return
-						}
-					}
-				}
-			}
-		}
-	}
-
 	pb, err := git_model.GetFirstMatchProtectedBranchRule(ctx, pull.BaseRepoID, pull.BaseBranch)
 	if err != nil {
 		ctx.ServerError("LoadProtectedBranch", err)
diff --git a/services/convert/issue_comment.go b/services/convert/issue_comment.go
index 9ea315aee6..2f9af9be7c 100644
--- a/services/convert/issue_comment.go
+++ b/services/convert/issue_comment.go
@@ -43,12 +43,6 @@ func ToTimelineComment(ctx context.Context, repo *repo_model.Repository, c *issu
 		return nil
 	}
 
-	err = c.LoadResolveDoer(ctx)
-	if err != nil {
-		log.Error("LoadResolveDoer: %v", err)
-		return nil
-	}
-
 	err = c.LoadDepIssueDetails(ctx)
 	if err != nil {
 		log.Error("LoadDepIssueDetails: %v", err)

From 15b4c5efe81ba47b6415a9c188981813aec7f775 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 5 Apr 2026 16:36:57 +0200
Subject: [PATCH 065/287] chore(deps): bump xorm to v1.3.9-forgejo.10 (#11992)

Brings [deadlock error type](https://code.forgejo.org/xorm/xorm/pulls/95), which should allow fixing #11968.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11992
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 37039873c8..9ec653792b 100644
--- a/go.mod
+++ b/go.mod
@@ -273,4 +273,4 @@ replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-2024121
 
 replace git.sr.ht/~mariusor/go-xsd-duration => code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078
 
-replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.9
+replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.10
diff --git a/go.sum b/go.sum
index cd477466b7..1f79a74863 100644
--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ code.forgejo.org/go-chi/captcha v1.0.2 h1:vyHDPXkpjDv8bLO9NqtWzZayzstD/WpJ5xwEkA
 code.forgejo.org/go-chi/captcha v1.0.2/go.mod h1:lxiPLcJ76UCZHoH31/Wbum4GUi2NgjfFZLrJkKv1lLE=
 code.forgejo.org/go-chi/session v1.0.4 h1:WQ1NaVxcCpxYwCliEGypKclZnOCjh3p1fk8XciJc62U=
 code.forgejo.org/go-chi/session v1.0.4/go.mod h1:+sSTiomM5C8AUPtxZyTENIbcTz22kcVottKO0lnmDRk=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.9 h1:hzEXDa53opdp5nrGG4F6y8HzFzrGXd5GIvFyUHcvGmI=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.9/go.mod h1:A7sFd3BFmRp20h6drSsCXgQRQdF8Vz8HuCSrzFS3m90=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.10 h1:DCProZz7GP10ue7NoVr1vreuADhH9tEImYFye2+aDG8=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.10/go.mod h1:ly5tUt9l3b+y7HdXDM1UucQXuS58ahNxB9tPM5/6LfM=
 code.gitea.io/sdk/gitea v0.21.0 h1:69n6oz6kEVHRo1+APQQyizkhrZrLsTLXey9142pfkD4=
 code.gitea.io/sdk/gitea v0.21.0/go.mod h1:tnBjVhuKJCn8ibdyyhvUyxrR1Ca2KHEoTWoukNhXQPA=
 code.superseriousbusiness.org/exif-terminator v0.11.1 h1:qnujLH4/Yk/CFtFMmtjozbdV6Ry5G3Q/E/mLlWm/gQI=

From 6a879e79dfaf32bc2876e39815cc7d53a5e5eb6a Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 5 Apr 2026 18:38:33 +0200
Subject: [PATCH 066/287] test: fix intermittent test failure in
 TestPackageDebianConcurrent (#11997)

Fixes #11968.

Adds deadlocks to the package `RetryTx` operations, and bumps the attempt count to 3.  Technically this affects production code, not just test code, but the resulting failure is only likely to occur in highly concurrent operations when uploading packages to the debian registry for the first time for a user, which is more of a test artifact than a production likelihood.

Manually tested by modifying the `Makefile` to add the `-test.count=25` option to the test command.  This failed consistently on my dev system before this change, failed consistently after the deadlock err was added, and then succeeded consistently (multiple runs) after both changes were combined, giving me confidence that the intermittent failure is squashed.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
      - Fixing a test failure, so no new tests added, but they already failed.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11997
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 services/packages/debian/repository.go |  7 ++++---
 services/packages/packages.go          | 21 ++++++++++++---------
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/services/packages/debian/repository.go b/services/packages/debian/repository.go
index ab8c4fdc45..e84ae45ebe 100644
--- a/services/packages/debian/repository.go
+++ b/services/packages/debian/repository.go
@@ -318,9 +318,10 @@ func buildReleaseFiles(ctx context.Context, ownerID int64, repoVersion *packages
 	// way.
 	var priv string
 	err = db.RetryTx(ctx, db.RetryConfig{
-		// A single retry is sufficient the user/org's key pair would have been created by the first successful tx.
-		AttemptCount: 2,
-		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation},
+		// A single retry is sufficient the user/org's key pair would have been created by the first successful tx; an
+		// additional retry may be necessary if a deadlock occurs with concurrent updates.
+		AttemptCount: 3,
+		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation, xorm.ErrDeadlock},
 	}, func(ctx context.Context) error {
 		priv, _, err = GetOrCreateKeyPair(ctx, ownerID)
 		return err
diff --git a/services/packages/packages.go b/services/packages/packages.go
index a1772cc1d9..c75b4559c8 100644
--- a/services/packages/packages.go
+++ b/services/packages/packages.go
@@ -95,9 +95,10 @@ func createPackageAndAddFile(ctx context.Context, pvci *PackageCreationInfo, pfc
 	// causes such a recovery from error to panic.  So, we retry the entire modification transaction if
 	// ErrUniqueConstraintViolation is encountered.
 	err := db.RetryTx(ctx, db.RetryConfig{
-		// A single retry is sufficient as any package index that was concurrently modified should now be present:
-		AttemptCount: 2,
-		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation},
+		// A single retry is sufficient as any package index that was concurrently modified should now be present; an
+		// additional retry may be necessary if a deadlock occurs with concurrent updates.
+		AttemptCount: 3,
+		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation, xorm.ErrDeadlock},
 	}, func(ctx context.Context) error {
 		var err error
 		var pb *packages_model.PackageBlob
@@ -237,9 +238,10 @@ func addFileToPackageWrapper(ctx context.Context, fn func(ctx context.Context) (
 
 	// See comment in createPackageAndAddFile which explains why RetryTx is used with ErrUniqueConstraintViolation.
 	err := db.RetryTx(ctx, db.RetryConfig{
-		// A single retry is sufficient as any package index that was concurrently modified should now be present:
-		AttemptCount: 2,
-		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation},
+		// A single retry is sufficient as any package index that was concurrently modified should now be present; an
+		// additional retry may be necessary if a deadlock occurs with concurrent updates.
+		AttemptCount: 3,
+		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation, xorm.ErrDeadlock},
 	}, func(ctx context.Context) error {
 		var err error
 		var blobCreated bool
@@ -468,9 +470,10 @@ func GetOrCreateInternalPackageVersion(ctx context.Context, ownerID int64, packa
 
 	// See comment in createPackageAndAddFile which explains why RetryTx is used with ErrUniqueConstraintViolation.
 	return pv, db.RetryTx(ctx, db.RetryConfig{
-		// A single retry is sufficient as any package index that was concurrently modified should now be present:
-		AttemptCount: 2,
-		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation},
+		// A single retry is sufficient as any package index that was concurrently modified should now be present; an
+		// additional retry may be necessary if a deadlock occurs with concurrent updates.
+		AttemptCount: 3,
+		ErrorIs:      []error{xorm.ErrUniqueConstraintViolation, xorm.ErrDeadlock},
 	}, func(ctx context.Context) error {
 		p := &packages_model.Package{
 			OwnerID:    ownerID,

From 9abc1b0144feaf053176ff80bd94d694a3cfce13 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 5 Apr 2026 22:03:45 +0200
Subject: [PATCH 067/287] refactor: reduce code duplication when accessing
 `DefaultMaxInSize` (#11999)

`DefaultMaxInSize` is an internal parameter for limiting the size of `field IN (...)` clauses in DB queries, which is a reasonable thing to do -- in addition to the errors noted when [originally introduced](https://github.com/go-gitea/gitea/pull/4594), there are technical limits that apply to each of PostgreSQL, MySQL, and SQLite which would prevent an unbounded size for a query like this.  However: the size is incredibly small at 50, and, the implementation of `DefaultMaxInSize` is really wasteful with copy-and-paste coding.

This PR:
- introduces `GetByIDs` which fetches a `map[int64]*Model` from the database for an array of ID values, while respecting `IN` clause size limits
- introduces `GetByFieldIn` which fetches a `map[int64][]*Model` from the database for an array of field values, while respecting `IN` clause size limits
- uses `slices.Chunk` for other locations where queries are too complex for these implementations
- bumps the `DefaultMaxInSize` parameter from 50 to 500, a conservative increase well under known limits, but 10x the current value:
    - PostgreSQL supports up to 1GB query text size with 65,535 parameters, but I've experienced performance degradation at high value counts
    - MySQL supports 64MB query text size without known limits of parameter count
    - SQLite supports 32,766 parameters in a query

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
      - Refactored functions are assumed to be covered by existing tests to some extent; that assumption is probably wrong but the changes here are relatively easily reviewed for correctness as well.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11999
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 models/activities/notification_list.go | 112 ++---------------
 models/db/context.go                   |  86 +++++++++++++
 models/db/list.go                      |   2 +-
 models/issues/comment_list.go          | 168 ++++---------------------
 models/issues/issue_list.go            | 151 ++++------------------
 models/issues/reaction.go              |  10 +-
 tests/integration/db_query_test.go     |  64 ++++++++++
 7 files changed, 215 insertions(+), 378 deletions(-)
 create mode 100644 tests/integration/db_query_test.go

diff --git a/models/activities/notification_list.go b/models/activities/notification_list.go
index bf6356021e..3f3a48eaa5 100644
--- a/models/activities/notification_list.go
+++ b/models/activities/notification_list.go
@@ -210,31 +210,9 @@ func (nl NotificationList) LoadRepos(ctx context.Context) (repo_model.Repository
 	}
 
 	repoIDs := nl.getPendingRepoIDs()
-	repos := make(map[int64]*repo_model.Repository, len(repoIDs))
-	left := len(repoIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("id", repoIDs[:limit]).
-			Rows(new(repo_model.Repository))
-		if err != nil {
-			return nil, nil, err
-		}
-
-		for rows.Next() {
-			var repo repo_model.Repository
-			err = rows.Scan(&repo)
-			if err != nil {
-				rows.Close()
-				return nil, nil, err
-			}
-
-			repos[repo.ID] = &repo
-		}
-		_ = rows.Close()
-
-		left -= limit
-		repoIDs = repoIDs[limit:]
+	repos, err := db.GetByIDs(ctx, "id", repoIDs, &repo_model.Repository{})
+	if err != nil {
+		return nil, nil, err
 	}
 
 	failed := []int{}
@@ -281,31 +259,9 @@ func (nl NotificationList) LoadIssues(ctx context.Context) ([]int, error) {
 	}
 
 	issueIDs := nl.getPendingIssueIDs()
-	issues := make(map[int64]*issues_model.Issue, len(issueIDs))
-	left := len(issueIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("id", issueIDs[:limit]).
-			Rows(new(issues_model.Issue))
-		if err != nil {
-			return nil, err
-		}
-
-		for rows.Next() {
-			var issue issues_model.Issue
-			err = rows.Scan(&issue)
-			if err != nil {
-				rows.Close()
-				return nil, err
-			}
-
-			issues[issue.ID] = &issue
-		}
-		_ = rows.Close()
-
-		left -= limit
-		issueIDs = issueIDs[limit:]
+	issues, err := db.GetByIDs(ctx, "id", issueIDs, &issues_model.Issue{})
+	if err != nil {
+		return nil, err
 	}
 
 	failures := []int{}
@@ -373,31 +329,9 @@ func (nl NotificationList) LoadUsers(ctx context.Context) ([]int, error) {
 	}
 
 	userIDs := nl.getUserIDs()
-	users := make(map[int64]*user_model.User, len(userIDs))
-	left := len(userIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("id", userIDs[:limit]).
-			Rows(new(user_model.User))
-		if err != nil {
-			return nil, err
-		}
-
-		for rows.Next() {
-			var user user_model.User
-			err = rows.Scan(&user)
-			if err != nil {
-				rows.Close()
-				return nil, err
-			}
-
-			users[user.ID] = &user
-		}
-		_ = rows.Close()
-
-		left -= limit
-		userIDs = userIDs[limit:]
+	users, err := db.GetByIDs(ctx, "id", userIDs, &user_model.User{})
+	if err != nil {
+		return nil, err
 	}
 
 	failures := []int{}
@@ -421,31 +355,9 @@ func (nl NotificationList) LoadComments(ctx context.Context) ([]int, error) {
 	}
 
 	commentIDs := nl.getPendingCommentIDs()
-	comments := make(map[int64]*issues_model.Comment, len(commentIDs))
-	left := len(commentIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("id", commentIDs[:limit]).
-			Rows(new(issues_model.Comment))
-		if err != nil {
-			return nil, err
-		}
-
-		for rows.Next() {
-			var comment issues_model.Comment
-			err = rows.Scan(&comment)
-			if err != nil {
-				rows.Close()
-				return nil, err
-			}
-
-			comments[comment.ID] = &comment
-		}
-		_ = rows.Close()
-
-		left -= limit
-		commentIDs = commentIDs[limit:]
+	comments, err := db.GetByIDs(ctx, "id", commentIDs, &issues_model.Comment{})
+	if err != nil {
+		return nil, err
 	}
 
 	failures := []int{}
diff --git a/models/db/context.go b/models/db/context.go
index f098b40a32..18237bb2a2 100644
--- a/models/db/context.go
+++ b/models/db/context.go
@@ -8,6 +8,7 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	"slices"
 
 	"xorm.io/builder"
 	"xorm.io/xorm"
@@ -270,6 +271,91 @@ func GetByID[T any](ctx context.Context, id int64) (object *T, exist bool, err e
 	return &bean, true, nil
 }
 
+// Retrieves multiple objects with database queries similar to an xorm `.In(idField, idList)`. idField must be a unique
+// field on the database table, as a map[id]obj is returned and the usage of a non-unique field would result in objects
+// being overwritten in the map.
+//
+// The length of the IN list is constrained to DefaultMaxInSize for each database query, resulting in multiple database
+// queries if the length of the idList exceeds that setting; this constraint prevents exceeding bind parameter
+// limitations or query length limitations in the database engine.
+func GetByIDs[Bean any, Id comparable](ctx context.Context, idField string, idList []Id, bean *Bean) (map[Id]*Bean, error) {
+	retval := make(map[Id]*Bean, len(idList))
+	if len(idList) == 0 {
+		return retval, nil
+	}
+
+	table, err := TableInfo(bean)
+	if err != nil {
+		return nil, fmt.Errorf("unable to fetch table info for bean %v: %w", bean, err)
+	}
+
+	var structFieldName string
+	for _, c := range table.Columns() {
+		if c.Name == idField {
+			structFieldName = c.FieldName
+			break
+		}
+	}
+	if structFieldName == "" {
+		return nil, fmt.Errorf("unable to identify struct field for id field %s", idField)
+	}
+
+	for idChunk := range slices.Chunk(idList, DefaultMaxInSize) {
+		beans := make([]*Bean, 0, len(idChunk))
+		if err := GetEngine(ctx).In(idField, idChunk).Find(&beans); err != nil {
+			return nil, err
+		}
+		for _, bean := range beans {
+			retval[extractFieldValue(bean, structFieldName).(Id)] = bean
+		}
+	}
+
+	return retval, nil
+}
+
+// Retrieves multiple objects with database queries similar to an xorm `.In(field, valueList)`. Similar to GetByIDs,
+// except that a map[Id][]*Bean is returned as the field value is not assumed to be a unique value -- if there are
+// multiple rows in the table for each value, all of them are returned.
+//
+// The length of the IN list is constrained to DefaultMaxInSize for each database query, resulting in multiple database
+// queries if the length of the idList exceeds that setting; this constraint prevents exceeding bind parameter
+// limitations or query length limitations in the database engine.
+func GetByFieldIn[Bean any, Id comparable](ctx context.Context, field string, valueList []Id, bean *Bean) (map[Id][]*Bean, error) {
+	retval := make(map[Id][]*Bean, len(valueList))
+	if len(valueList) == 0 {
+		return retval, nil
+	}
+
+	table, err := TableInfo(bean)
+	if err != nil {
+		return nil, fmt.Errorf("unable to fetch table info for bean %v: %w", bean, err)
+	}
+
+	var structFieldName string
+	for _, c := range table.Columns() {
+		if c.Name == field {
+			structFieldName = c.FieldName
+			break
+		}
+	}
+	if structFieldName == "" {
+		return nil, fmt.Errorf("unable to identify struct field for field %s", field)
+	}
+
+	for idChunk := range slices.Chunk(valueList, DefaultMaxInSize) {
+		beans := make([]*Bean, 0, len(idChunk))
+		if err := GetEngine(ctx).In(field, idChunk).Find(&beans); err != nil {
+			return nil, err
+		}
+		for _, bean := range beans {
+			fieldValue := extractFieldValue(bean, structFieldName).(Id)
+			retval[fieldValue] = append(retval[fieldValue], bean)
+		}
+	}
+
+	return retval, nil
+}
+
 func Exist[T any](ctx context.Context, cond builder.Cond) (bool, error) {
 	if !cond.IsValid() {
 		panic("cond is invalid in db.Exist(ctx, cond). This should not be possible.")
diff --git a/models/db/list.go b/models/db/list.go
index 057221936c..71e9a0b1d2 100644
--- a/models/db/list.go
+++ b/models/db/list.go
@@ -14,7 +14,7 @@ import (
 
 const (
 	// DefaultMaxInSize represents default variables number on IN () in SQL
-	DefaultMaxInSize     = 50
+	DefaultMaxInSize     = 500
 	defaultFindSliceSize = 10
 )
 
diff --git a/models/issues/comment_list.go b/models/issues/comment_list.go
index 9a5c22244b..b218f11dfa 100644
--- a/models/issues/comment_list.go
+++ b/models/issues/comment_list.go
@@ -52,29 +52,9 @@ func (comments CommentList) loadLabels(ctx context.Context) error {
 	}
 
 	labelIDs := comments.getLabelIDs()
-	commentLabels := make(map[int64]*Label, len(labelIDs))
-	left := len(labelIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("id", labelIDs[:limit]).
-			Rows(new(Label))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var label Label
-			err = rows.Scan(&label)
-			if err != nil {
-				_ = rows.Close()
-				return err
-			}
-			commentLabels[label.ID] = &label
-		}
-		_ = rows.Close()
-		left -= limit
-		labelIDs = labelIDs[limit:]
+	commentLabels, err := db.GetByIDs(ctx, "id", labelIDs, &Label{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -99,18 +79,9 @@ func (comments CommentList) loadMilestones(ctx context.Context) error {
 		return nil
 	}
 
-	milestones := make(map[int64]*Milestone, len(milestoneIDs))
-	left := len(milestoneIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		err := db.GetEngine(ctx).
-			In("id", milestoneIDs[:limit]).
-			Find(&milestones)
-		if err != nil {
-			return err
-		}
-		left -= limit
-		milestoneIDs = milestoneIDs[limit:]
+	milestones, err := db.GetByIDs(ctx, "id", milestoneIDs, &Milestone{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -135,18 +106,9 @@ func (comments CommentList) loadOldMilestones(ctx context.Context) error {
 		return nil
 	}
 
-	milestones := make(map[int64]*Milestone, len(milestoneIDs))
-	left := len(milestoneIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		err := db.GetEngine(ctx).
-			In("id", milestoneIDs[:limit]).
-			Find(&milestones)
-		if err != nil {
-			return err
-		}
-		left -= limit
-		milestoneIDs = milestoneIDs[limit:]
+	milestones, err := db.GetByIDs(ctx, "id", milestoneIDs, &Milestone{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -167,31 +129,9 @@ func (comments CommentList) loadAssignees(ctx context.Context) error {
 	}
 
 	assigneeIDs := comments.getAssigneeIDs()
-	assignees := make(map[int64]*user_model.User, len(assigneeIDs))
-	left := len(assigneeIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("id", assigneeIDs[:limit]).
-			Rows(new(user_model.User))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var user user_model.User
-			err = rows.Scan(&user)
-			if err != nil {
-				rows.Close()
-				return err
-			}
-
-			assignees[user.ID] = &user
-		}
-		_ = rows.Close()
-
-		left -= limit
-		assigneeIDs = assigneeIDs[limit:]
+	assignees, err := db.GetByIDs(ctx, "id", assigneeIDs, &user_model.User{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -232,31 +172,9 @@ func (comments CommentList) LoadIssues(ctx context.Context) error {
 	}
 
 	issueIDs := comments.getIssueIDs()
-	issues := make(map[int64]*Issue, len(issueIDs))
-	left := len(issueIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("id", issueIDs[:limit]).
-			Rows(new(Issue))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var issue Issue
-			err = rows.Scan(&issue)
-			if err != nil {
-				rows.Close()
-				return err
-			}
-
-			issues[issue.ID] = &issue
-		}
-		_ = rows.Close()
-
-		left -= limit
-		issueIDs = issueIDs[limit:]
+	issues, err := db.GetByIDs(ctx, "id", issueIDs, &Issue{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -281,33 +199,10 @@ func (comments CommentList) loadDependentIssues(ctx context.Context) error {
 		return nil
 	}
 
-	e := db.GetEngine(ctx)
 	issueIDs := comments.getDependentIssueIDs()
-	issues := make(map[int64]*Issue, len(issueIDs))
-	left := len(issueIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := e.
-			In("id", issueIDs[:limit]).
-			Rows(new(Issue))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var issue Issue
-			err = rows.Scan(&issue)
-			if err != nil {
-				_ = rows.Close()
-				return err
-			}
-
-			issues[issue.ID] = &issue
-		}
-		_ = rows.Close()
-
-		left -= limit
-		issueIDs = issueIDs[limit:]
+	issues, err := db.GetByIDs(ctx, "id", issueIDs, &Issue{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
@@ -358,31 +253,10 @@ func (comments CommentList) LoadAttachments(ctx context.Context) (err error) {
 		return nil
 	}
 
-	attachments := make(map[int64][]*repo_model.Attachment, len(comments))
 	commentsIDs := comments.getAttachmentCommentIDs()
-	left := len(commentsIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("comment_id", commentsIDs[:limit]).
-			Rows(new(repo_model.Attachment))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var attachment repo_model.Attachment
-			err = rows.Scan(&attachment)
-			if err != nil {
-				_ = rows.Close()
-				return err
-			}
-			attachments[attachment.CommentID] = append(attachments[attachment.CommentID], &attachment)
-		}
-
-		_ = rows.Close()
-		left -= limit
-		commentsIDs = commentsIDs[limit:]
+	attachments, err := db.GetByFieldIn(ctx, "comment_id", commentsIDs, &repo_model.Attachment{})
+	if err != nil {
+		return err
 	}
 
 	for _, comment := range comments {
diff --git a/models/issues/issue_list.go b/models/issues/issue_list.go
index 34cfe35475..e4fd9eef2b 100644
--- a/models/issues/issue_list.go
+++ b/models/issues/issue_list.go
@@ -6,6 +6,7 @@ package issues
 import (
 	"context"
 	"fmt"
+	"slices"
 
 	"forgejo.org/models/db"
 	project_model "forgejo.org/models/project"
@@ -40,18 +41,9 @@ func (issues IssueList) LoadRepositories(ctx context.Context) (repo_model.Reposi
 	}
 
 	repoIDs := issues.getRepoIDs()
-	repoMaps := make(map[int64]*repo_model.Repository, len(repoIDs))
-	left := len(repoIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		err := db.GetEngine(ctx).
-			In("id", repoIDs[:limit]).
-			Find(&repoMaps)
-		if err != nil {
-			return nil, fmt.Errorf("find repository: %w", err)
-		}
-		left -= limit
-		repoIDs = repoIDs[limit:]
+	repoMaps, err := db.GetByIDs(ctx, "id", repoIDs, &repo_model.Repository{})
+	if err != nil {
+		return nil, fmt.Errorf("find repository: %w", err)
 	}
 
 	for _, issue := range issues {
@@ -93,18 +85,9 @@ func (issues IssueList) LoadPosters(ctx context.Context) error {
 }
 
 func getPostersByIDs(ctx context.Context, posterIDs []int64) (map[int64]*user_model.User, error) {
-	posterMaps := make(map[int64]*user_model.User, len(posterIDs))
-	left := len(posterIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		err := db.GetEngine(ctx).
-			In("id", posterIDs[:limit]).
-			Find(&posterMaps)
-		if err != nil {
-			return nil, err
-		}
-		left -= limit
-		posterIDs = posterIDs[limit:]
+	posterMaps, err := db.GetByIDs(ctx, "id", posterIDs, &user_model.User{})
+	if err != nil {
+		return nil, err
 	}
 	return posterMaps, nil
 }
@@ -129,18 +112,15 @@ func (issues IssueList) LoadLabels(ctx context.Context) error {
 
 	issueLabels := make(map[int64][]*Label, len(issues)*3)
 	issueIDs := issues.getIssueIDs()
-	left := len(issueIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
+	for issueIDChunk := range slices.Chunk(issueIDs, db.DefaultMaxInSize) {
 		rows, err := db.GetEngine(ctx).Table("label").
 			Join("LEFT", "issue_label", "issue_label.label_id = label.id").
-			In("issue_label.issue_id", issueIDs[:limit]).
+			In("issue_label.issue_id", issueIDChunk).
 			Asc("label.name").
 			Rows(new(LabelIssue))
 		if err != nil {
 			return err
 		}
-
 		for rows.Next() {
 			var labelIssue LabelIssue
 			err = rows.Scan(&labelIssue)
@@ -157,8 +137,6 @@ func (issues IssueList) LoadLabels(ctx context.Context) error {
 		if err1 := rows.Close(); err1 != nil {
 			return fmt.Errorf("IssueList.LoadLabels: Close: %w", err1)
 		}
-		left -= limit
-		issueIDs = issueIDs[limit:]
 	}
 
 	for _, issue := range issues {
@@ -180,18 +158,9 @@ func (issues IssueList) LoadMilestones(ctx context.Context) error {
 		return nil
 	}
 
-	milestoneMaps := make(map[int64]*Milestone, len(milestoneIDs))
-	left := len(milestoneIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		err := db.GetEngine(ctx).
-			In("id", milestoneIDs[:limit]).
-			Find(&milestoneMaps)
-		if err != nil {
-			return err
-		}
-		left -= limit
-		milestoneIDs = milestoneIDs[limit:]
+	milestoneMaps, err := db.GetByIDs(ctx, "id", milestoneIDs, &Milestone{})
+	if err != nil {
+		return err
 	}
 
 	for _, issue := range issues {
@@ -204,22 +173,19 @@ func (issues IssueList) LoadMilestones(ctx context.Context) error {
 func (issues IssueList) LoadProjects(ctx context.Context) error {
 	issueIDs := issues.getIssueIDs()
 	projectMaps := make(map[int64]*project_model.Project, len(issues))
-	left := len(issueIDs)
 
 	type projectWithIssueID struct {
 		*project_model.Project `xorm:"extends"`
 		IssueID                int64
 	}
 
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-
-		projects := make([]*projectWithIssueID, 0, limit)
+	for issueIDChunk := range slices.Chunk(issueIDs, db.DefaultMaxInSize) {
+		projects := make([]*projectWithIssueID, 0, len(issueIDChunk))
 		err := db.GetEngine(ctx).
 			Table("project").
 			Select("project.*, project_issue.issue_id").
 			Join("INNER", "project_issue", "project.id = project_issue.project_id").
-			In("project_issue.issue_id", issueIDs[:limit]).
+			In("project_issue.issue_id", issueIDChunk).
 			Find(&projects)
 		if err != nil {
 			return err
@@ -227,8 +193,6 @@ func (issues IssueList) LoadProjects(ctx context.Context) error {
 		for _, project := range projects {
 			projectMaps[project.IssueID] = project.Project
 		}
-		left -= limit
-		issueIDs = issueIDs[limit:]
 	}
 
 	for _, issue := range issues {
@@ -249,12 +213,10 @@ func (issues IssueList) LoadAssignees(ctx context.Context) error {
 
 	assignees := make(map[int64][]*user_model.User, len(issues))
 	issueIDs := issues.getIssueIDs()
-	left := len(issueIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
+	for issueIDChunk := range slices.Chunk(issueIDs, db.DefaultMaxInSize) {
 		rows, err := db.GetEngine(ctx).Table("issue_assignees").
 			Join("INNER", "`user`", "`user`.id = `issue_assignees`.assignee_id").
-			In("`issue_assignees`.issue_id", issueIDs[:limit]).OrderBy(user_model.GetOrderByName()).
+			In("`issue_assignees`.issue_id", issueIDChunk).OrderBy(user_model.GetOrderByName()).
 			Rows(new(AssigneeIssue))
 		if err != nil {
 			return err
@@ -275,8 +237,6 @@ func (issues IssueList) LoadAssignees(ctx context.Context) error {
 		if err1 := rows.Close(); err1 != nil {
 			return fmt.Errorf("IssueList.loadAssignees: Close: %w", err1)
 		}
-		left -= limit
-		issueIDs = issueIDs[limit:]
 	}
 
 	for _, issue := range issues {
@@ -306,33 +266,9 @@ func (issues IssueList) LoadPullRequests(ctx context.Context) error {
 		return nil
 	}
 
-	pullRequestMaps := make(map[int64]*PullRequest, len(issuesIDs))
-	left := len(issuesIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("issue_id", issuesIDs[:limit]).
-			Rows(new(PullRequest))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var pr PullRequest
-			err = rows.Scan(&pr)
-			if err != nil {
-				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadPullRequests: Close: %w", err1)
-				}
-				return err
-			}
-			pullRequestMaps[pr.IssueID] = &pr
-		}
-		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadPullRequests: Close: %w", err1)
-		}
-		left -= limit
-		issuesIDs = issuesIDs[limit:]
+	pullRequestMaps, err := db.GetByIDs(ctx, "issue_id", issuesIDs, &PullRequest{})
+	if err != nil {
+		return err
 	}
 
 	for _, issue := range issues {
@@ -350,34 +286,10 @@ func (issues IssueList) LoadAttachments(ctx context.Context) (err error) {
 		return nil
 	}
 
-	attachments := make(map[int64][]*repo_model.Attachment, len(issues))
 	issuesIDs := issues.getIssueIDs()
-	left := len(issuesIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-		rows, err := db.GetEngine(ctx).
-			In("issue_id", issuesIDs[:limit]).
-			Rows(new(repo_model.Attachment))
-		if err != nil {
-			return err
-		}
-
-		for rows.Next() {
-			var attachment repo_model.Attachment
-			err = rows.Scan(&attachment)
-			if err != nil {
-				if err1 := rows.Close(); err1 != nil {
-					return fmt.Errorf("IssueList.loadAttachments: Close: %w", err1)
-				}
-				return err
-			}
-			attachments[attachment.IssueID] = append(attachments[attachment.IssueID], &attachment)
-		}
-		if err1 := rows.Close(); err1 != nil {
-			return fmt.Errorf("IssueList.loadAttachments: Close: %w", err1)
-		}
-		left -= limit
-		issuesIDs = issuesIDs[limit:]
+	attachments, err := db.GetByFieldIn(ctx, "issue_id", issuesIDs, &repo_model.Attachment{})
+	if err != nil {
+		return err
 	}
 
 	for _, issue := range issues {
@@ -394,12 +306,10 @@ func (issues IssueList) loadComments(ctx context.Context, cond builder.Cond) (er
 
 	comments := make(map[int64][]*Comment, len(issues))
 	issuesIDs := issues.getIssueIDs()
-	left := len(issuesIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
+	for issueIDChunk := range slices.Chunk(issuesIDs, db.DefaultMaxInSize) {
 		rows, err := db.GetEngine(ctx).Table("comment").
 			Join("INNER", "issue", "issue.id = comment.issue_id").
-			In("issue.id", issuesIDs[:limit]).
+			In("issue.id", issueIDChunk).
 			Where(cond).
 			Rows(new(Comment))
 		if err != nil {
@@ -420,8 +330,6 @@ func (issues IssueList) loadComments(ctx context.Context, cond builder.Cond) (er
 		if err1 := rows.Close(); err1 != nil {
 			return fmt.Errorf("IssueList.loadComments: Close: %w", err1)
 		}
-		left -= limit
-		issuesIDs = issuesIDs[limit:]
 	}
 
 	for _, issue := range issues {
@@ -457,15 +365,12 @@ func (issues IssueList) loadTotalTrackedTimes(ctx context.Context) (err error) {
 		}
 	}
 
-	left := len(ids)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
-
+	for idChunk := range slices.Chunk(ids, db.DefaultMaxInSize) {
 		// select issue_id, sum(time) from tracked_time where issue_id in (<issue ids in current page>) group by issue_id
 		rows, err := db.GetEngine(ctx).Table("tracked_time").
 			Where("deleted = ?", false).
 			Select("issue_id, sum(time) as time").
-			In("issue_id", ids[:limit]).
+			In("issue_id", idChunk).
 			GroupBy("issue_id").
 			Rows(new(totalTimesByIssue))
 		if err != nil {
@@ -486,8 +391,6 @@ func (issues IssueList) loadTotalTrackedTimes(ctx context.Context) (err error) {
 		if err1 := rows.Close(); err1 != nil {
 			return fmt.Errorf("IssueList.loadTotalTrackedTimes: Close: %w", err1)
 		}
-		left -= limit
-		ids = ids[limit:]
 	}
 
 	for _, issue := range issues {
diff --git a/models/issues/reaction.go b/models/issues/reaction.go
index 9a277a8c12..21975c6b00 100644
--- a/models/issues/reaction.go
+++ b/models/issues/reaction.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"slices"
 
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
@@ -178,13 +179,12 @@ func FindReactions(ctx context.Context, opts FindReactionsOptions) (ReactionList
 
 func getReactionsForComments(ctx context.Context, issueID int64, commentIDs []int64) (map[int64]ReactionList, error) {
 	reactions := make(map[int64]ReactionList, len(commentIDs))
-	left := len(commentIDs)
-	for left > 0 {
-		limit := min(left, db.DefaultMaxInSize)
+
+	for commentIDChunk := range slices.Chunk(commentIDs, db.DefaultMaxInSize) {
 		rows, err := db.GetEngine(ctx).
 			Where(builder.Eq{"issue_id": issueID}).
 			In("reaction.`type`", setting.UI.Reactions).
-			In("comment_id", commentIDs[:limit]).
+			In("comment_id", commentIDChunk).
 			Rows(&Reaction{})
 		if err != nil {
 			return nil, err
@@ -201,8 +201,6 @@ func getReactionsForComments(ctx context.Context, issueID int64, commentIDs []in
 		}
 
 		_ = rows.Close()
-		left -= limit
-		commentIDs = commentIDs[limit:]
 	}
 	return reactions, nil
 }
diff --git a/tests/integration/db_query_test.go b/tests/integration/db_query_test.go
new file mode 100644
index 0000000000..799d3219e8
--- /dev/null
+++ b/tests/integration/db_query_test.go
@@ -0,0 +1,64 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"fmt"
+	"testing"
+
+	actions_model "forgejo.org/models/actions"
+	"forgejo.org/models/db"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// These are basically unit tests, but by running them in the integration test suite they are tested against all
+// supported database types.
+
+func TestDatabaseDefaultMaxInSize(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	// Ensure there are more than db.DefaultMaxInSize objects in a table:
+	targetCount := db.DefaultMaxInSize * 2
+	for i := range targetCount {
+		_, err := actions_model.InsertVariable(t.Context(), 2, 2, fmt.Sprintf("VAR_%d", i), fmt.Sprintf("Value %d", i))
+		require.NoError(t, err)
+	}
+
+	t.Run("GetByIDs", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		allActionVariables := make([]*actions_model.ActionVariable, 0, targetCount)
+		err := db.GetEngine(t.Context()).Find(&allActionVariables)
+		require.NoError(t, err)
+
+		allIDs := make([]int64, len(allActionVariables))
+		for i := range allActionVariables {
+			allIDs[i] = allActionVariables[i].ID
+		}
+
+		allActionVariablesAgain, err := db.GetByIDs(t.Context(), "id", allIDs, &actions_model.ActionVariable{})
+		require.NoError(t, err)
+		assert.Len(t, allActionVariablesAgain, len(allActionVariables))
+	})
+
+	t.Run("GetByFieldIn", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		allActionVariables := make([]*actions_model.ActionVariable, 0, targetCount)
+		err := db.GetEngine(t.Context()).Find(&allActionVariables)
+		require.NoError(t, err)
+
+		allIDs := make([]int64, len(allActionVariables))
+		for i := range allActionVariables {
+			allIDs[i] = allActionVariables[i].ID
+		}
+
+		allActionVariablesAgain, err := db.GetByFieldIn(t.Context(), "id", allIDs, &actions_model.ActionVariable{})
+		require.NoError(t, err)
+		assert.Len(t, allActionVariablesAgain, len(allActionVariables))
+	})
+}

From f18873f83be2369b34222bbf1c4a5a6bd85b5d4f Mon Sep 17 00:00:00 2001
From: elbaro <elbaro@noreply.codeberg.org>
Date: Mon, 6 Apr 2026 03:43:41 +0200
Subject: [PATCH 068/287] feat: add /actions/runs/{id}/jobs (#11915)

This PR is a minimal implementation to add `/actions/runs/{id}/jobs` (#11859).
This endpoint is also required by `/actions/jobs/{id}/logs`.

The pagination, filtering, custom sorting, more response fields are left to future work.

## Usage

```
curl -X 'GET' \
  'https://hostname/api/v1/repos/{owner}/{repo}/actions/runs/{id}/jobs' \
  -H 'accept: application/json'
```

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Co-authored-by: elbaro <elbaro@users.noreply.github.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11915
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: elbaro <elbaro@noreply.codeberg.org>
Co-committed-by: elbaro <elbaro@noreply.codeberg.org>
---
 routers/api/v1/api.go                      |   1 +
 routers/api/v1/repo/action.go              |  65 +++++++++++++
 routers/api/v1/shared/runners.go           |  13 +--
 routers/api/v1/swagger/repo.go             |   7 ++
 services/convert/action.go                 |  19 ++++
 templates/swagger/v1_json.tmpl             |  59 ++++++++++++
 tests/integration/api_repo_actions_test.go | 107 +++++++++++++++++++++
 7 files changed, 259 insertions(+), 12 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 2c10464438..d0b8531aea 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1238,6 +1238,7 @@ func Routes() *web.Route {
 					m.Group("/runs", func() {
 						m.Get("", repo.ListActionRuns)
 						m.Get("/{run_id}", repo.GetActionRun)
+						m.Get("/{run_id}/jobs", repo.ListActionRunJobs)
 					})
 
 					m.Group("/workflows", func() {
diff --git a/routers/api/v1/repo/action.go b/routers/api/v1/repo/action.go
index 63baaf4437..ba430d2e64 100644
--- a/routers/api/v1/repo/action.go
+++ b/routers/api/v1/repo/action.go
@@ -1031,3 +1031,68 @@ func GetActionRun(ctx *context.APIContext) {
 
 	ctx.JSON(http.StatusOK, convert.ToActionRun(ctx, run, ctx.Doer))
 }
+
+// ListActionRunJobs return a filtered list of jobs that belong to a single workflow run
+func ListActionRunJobs(ctx *context.APIContext) {
+	// swagger:operation GET /repos/{owner}/{repo}/actions/runs/{run_id}/jobs repository ListActionRunJobs
+	// ---
+	// summary: List jobs of a workflow run
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: run_id
+	//   in: path
+	//   description: ID of the workflow run
+	//   type: integer
+	//   format: int64
+	//   required: true
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/ActionRunJobList"
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	run, err := actions_model.GetRunByID(ctx, ctx.ParamsInt64(":run_id"))
+	if err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			ctx.Error(http.StatusNotFound, "GetRunById", err)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "GetRunByID", err)
+		}
+		return
+	}
+
+	// Action runs lives in its own table, therefore we check that the
+	// run with the requested ID is owned by the repository
+	if ctx.Repo.Repository.ID != run.RepoID {
+		ctx.Error(http.StatusNotFound, "GetRunById", util.ErrNotExist)
+		return
+	}
+
+	jobs, err := actions_model.GetRunJobsByRunID(ctx, run.ID)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "GetRunJobsByRunID", err)
+		return
+	}
+
+	response := make([]*api.ActionRunJob, 0, len(jobs))
+	for _, job := range jobs {
+		response = append(response, convert.ToActionRunJob(job))
+	}
+
+	ctx.JSON(http.StatusOK, response)
+}
diff --git a/routers/api/v1/shared/runners.go b/routers/api/v1/shared/runners.go
index 21021e4076..6c99630ae1 100644
--- a/routers/api/v1/shared/runners.go
+++ b/routers/api/v1/shared/runners.go
@@ -74,18 +74,7 @@ func fromRunJobModelToResponse(job []*actions_model.ActionRunJob, labels []strin
 	var res []*structs.ActionRunJob
 	for i := range job {
 		if len(labels) == 0 || labels[0] == "" && len(job[i].RunsOn) == 0 || job[i].ItRunsOn(labels) {
-			res = append(res, &structs.ActionRunJob{
-				ID:      job[i].ID,
-				Attempt: job[i].Attempt,
-				Handle:  job[i].Handle,
-				RepoID:  job[i].RepoID,
-				OwnerID: job[i].OwnerID,
-				Name:    job[i].Name,
-				Needs:   job[i].Needs,
-				RunsOn:  job[i].RunsOn,
-				TaskID:  job[i].TaskID,
-				Status:  job[i].Status.String(),
-			})
+			res = append(res, convert.ToActionRunJob(job[i]))
 		}
 	}
 	return res
diff --git a/routers/api/v1/swagger/repo.go b/routers/api/v1/swagger/repo.go
index 31da865bb5..5ad16b21ae 100644
--- a/routers/api/v1/swagger/repo.go
+++ b/routers/api/v1/swagger/repo.go
@@ -526,3 +526,10 @@ type swaggerActionRun struct {
 	// in:body
 	Body api.ActionRun `json:"body"`
 }
+
+// ActionRunJobList
+// swagger:response ActionRunJobList
+type swaggerActionRunJobList struct {
+	// in:body
+	Body []api.ActionRunJob `json:"body"`
+}
diff --git a/services/convert/action.go b/services/convert/action.go
index 703c1f1261..204139e3aa 100644
--- a/services/convert/action.go
+++ b/services/convert/action.go
@@ -47,3 +47,22 @@ func ToActionRun(ctx context.Context, run *actions_model.ActionRun, doer *user_m
 		HTMLURL:           run.HTMLURL(),
 	}
 }
+
+func ToActionRunJob(job *actions_model.ActionRunJob) *api.ActionRunJob {
+	if job == nil {
+		return nil
+	}
+
+	return &api.ActionRunJob{
+		ID:      job.ID,
+		Attempt: job.Attempt,
+		Handle:  job.Handle,
+		RepoID:  job.RepoID,
+		OwnerID: job.OwnerID,
+		Name:    job.Name,
+		Needs:   job.Needs,
+		RunsOn:  job.RunsOn,
+		TaskID:  job.TaskID,
+		Status:  job.Status.String(),
+	}
+}
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index d45f9b2893..e9b10e1e52 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -5882,6 +5882,56 @@
         }
       }
     },
+    "/repos/{owner}/{repo}/actions/runs/{run_id}/jobs": {
+      "get": {
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "repository"
+        ],
+        "summary": "List jobs of a workflow run",
+        "operationId": "ListActionRunJobs",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repo",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "integer",
+            "format": "int64",
+            "description": "ID of the workflow run",
+            "name": "run_id",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "$ref": "#/responses/ActionRunJobList"
+          },
+          "400": {
+            "$ref": "#/responses/error"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          }
+        }
+      }
+    },
     "/repos/{owner}/{repo}/actions/secrets": {
       "get": {
         "produces": [
@@ -30327,6 +30377,15 @@
         "$ref": "#/definitions/ActionRun"
       }
     },
+    "ActionRunJobList": {
+      "description": "ActionRunJobList",
+      "schema": {
+        "type": "array",
+        "items": {
+          "$ref": "#/definitions/ActionRunJob"
+        }
+      }
+    },
     "ActionRunList": {
       "description": "ActionRunList",
       "schema": {
diff --git a/tests/integration/api_repo_actions_test.go b/tests/integration/api_repo_actions_test.go
index fa56346a27..ccf333191e 100644
--- a/tests/integration/api_repo_actions_test.go
+++ b/tests/integration/api_repo_actions_test.go
@@ -4,6 +4,7 @@
 package integration
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -668,3 +669,109 @@ func TestAPIRepoActionsRunnerOperations(t *testing.T) {
 		MakeRequest(t, request, http.StatusNotFound)
 	})
 }
+
+func TestActionsAPIListActionRunJobs(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	t.Run("Jobs", func(t *testing.T) {
+		for _, setup := range []struct {
+			runID, repoID int64
+		}{
+			{793, 4},
+			{895, 4},
+		} {
+			repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: setup.repoID})
+			user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+			token := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeReadRepository)
+			req := NewRequest(t, http.MethodGet,
+				fmt.Sprintf("/api/v1/repos/%s/%s/actions/runs/%d/jobs",
+					repo.OwnerName, repo.Name, setup.runID,
+				),
+			).AddTokenAuth(token)
+			res := MakeRequest(t, req, http.StatusOK)
+			var jobList []*api.ActionRunJob
+			DecodeJSON(t, res, &jobList)
+
+			correctJobList, err := actions_model.GetRunJobsByRunID(context.Background(), setup.runID)
+			require.NoError(t, err, "GetRunJobsByRunID")
+			assert.Len(t, jobList, len(correctJobList))
+
+			for i := range jobList {
+				expected := correctJobList[i]
+				actual := jobList[i]
+				assert.Equal(t, expected.ID, actual.ID)
+				assert.Equal(t, expected.Attempt, actual.Attempt)
+				assert.Equal(t, expected.Handle, actual.Handle)
+				assert.Equal(t, expected.RepoID, actual.RepoID)
+				assert.Equal(t, expected.OwnerID, actual.OwnerID)
+				assert.Equal(t, expected.Name, actual.Name)
+				assert.Equal(t, expected.Needs, actual.Needs)
+				assert.Equal(t, expected.RunsOn, actual.RunsOn)
+				assert.Equal(t, expected.TaskID, actual.TaskID)
+				assert.Equal(t, expected.Status.String(), actual.Status)
+
+				if expected.ID == 195 {
+					assert.Equal(t, &api.ActionRunJob{
+						ID:      195,
+						Attempt: 1,
+						Handle:  "",
+						RepoID:  4,
+						OwnerID: 1,
+						Name:    "job1 (2)",
+						Needs:   nil,
+						RunsOn:  nil,
+						TaskID:  50,
+						Status:  "success",
+					}, actual)
+				} else if expected.ID == 197 {
+					assert.Equal(t, &api.ActionRunJob{
+						ID:      197,
+						Attempt: 0,
+						Handle:  "",
+						RepoID:  4,
+						OwnerID: 1,
+						Name:    "job1 (1)",
+						Needs:   nil,
+						RunsOn:  []string{"postmarketOS"},
+						TaskID:  54,
+						Status:  "failure",
+					}, actual)
+				}
+			}
+		}
+	})
+
+	repoID := int64(4)
+	runID := int64(793)
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: repoID})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	token := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeReadRepository)
+
+	t.Run("Wrong Run ID", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/runs/%d/jobs",
+				repo.OwnerName, repo.Name, runID+9999,
+			),
+		).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+
+	t.Run("Wrong Repo Name", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/runs/%d/jobs",
+				repo.OwnerName, repo.Name+"_wrong_repo", runID,
+			),
+		).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+
+	t.Run("Wrong Owner", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/runs/%d/jobs",
+				repo.OwnerName+"_wrong_owner", repo.Name, runID,
+			),
+		).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+}

From 92f1b6fdd2851bb522b8b153d77f51eaf67ad309 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Tue, 7 Apr 2026 05:03:26 +0200
Subject: [PATCH 069/287] test: fix test that was supposed to test DST
 behaviour but did not (#12007)

https://codeberg.org/forgejo/forgejo/pulls/11851 introduced tests that verify the scheduling of Forgejo Actions workflows during daylight saving time (DST) changes. Unfortunately, one test didn't test what it was supposed to because it used a reference time in UTC that was already after the clock change has happened.

This change also adds tests that verify that `NewActionScheduleSpec()` respects time zones when calculating the initial execution time of a scheduled workflow.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12007
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 models/actions/schedule_spec_test.go | 50 ++++++++++++++++++++++++----
 1 file changed, 44 insertions(+), 6 deletions(-)

diff --git a/models/actions/schedule_spec_test.go b/models/actions/schedule_spec_test.go
index eb3a83d0a6..6b9db9f39a 100644
--- a/models/actions/schedule_spec_test.go
+++ b/models/actions/schedule_spec_test.go
@@ -13,6 +13,44 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestActionScheduleSpec_NewActionScheduleSpec(t *testing.T) {
+	tests := []struct {
+		name        string
+		refTime     time.Time
+		cronPattern string
+		timeZone    string
+		want        string
+		wantErr     assert.ErrorAssertionFunc
+	}{
+		{
+			name:        "without timezone",
+			refTime:     time.Date(2026, 4, 6, 11, 56, 0, 0, time.UTC),
+			cronPattern: "58 14 * * *",
+			want:        "2026-04-06T14:58:00Z",
+			wantErr:     assert.NoError,
+		},
+		{
+			name:        "with separate timezone",
+			refTime:     time.Date(2026, 4, 6, 11, 56, 0, 0, time.UTC),
+			cronPattern: "58 14 * * *",
+			timeZone:    "Europe/Tallinn", // +03 (EEST)
+			want:        "2026-04-06T11:58:00Z",
+			wantErr:     assert.NoError,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			s, err := NewActionScheduleSpec(test.cronPattern, optional.FromNonDefault(test.timeZone), test.refTime)
+			test.wantErr(t, err)
+
+			if err == nil {
+				assert.Equal(t, test.want, s.Next.AsTime().UTC().Format(time.RFC3339))
+			}
+		})
+	}
+}
+
 func TestActionScheduleSpec_Parse(t *testing.T) {
 	// Mock the local timezone is not UTC
 	local := time.Local
@@ -88,24 +126,24 @@ func TestActionScheduleSpec_Parse(t *testing.T) {
 			// skipping the execution on that day because any time between 2 and 3 o'clock never happened. Forgejo uses
 			// option B because the code it inherited already did that and was exposed to users.
 			name:     "skips execution during DST jump forwards",
-			refTime:  time.Date(2025, 3, 30, 1, 5, 0, 0, time.UTC),
-			spec:     "10 2 * * *", // The clock jumps at 2 o'clock to 3 o'clock.
+			refTime:  time.Date(2025, 3, 30, 0, 55, 0, 0, time.UTC), // 01:55 local time
+			spec:     "10 2 * * *",                                  // The clock jumps at 2 o'clock to 3 o'clock.
 			timeZone: "Europe/Berlin",
 			want:     "2025-03-31T00:10:00Z",
 			wantErr:  assert.NoError,
 		},
 		{
 			name:     "executes a first time before DST jump backwards",
-			refTime:  time.Date(2025, 10, 26, 0, 5, 0, 0, time.UTC),
-			spec:     "10 2 * * *", // The clock jumps at 3 o'clock to 2 o'clock.
+			refTime:  time.Date(2025, 10, 26, 0, 5, 0, 0, time.UTC), // 02:05 local time
+			spec:     "10 2 * * *",                                  // The clock jumps at 3 o'clock to 2 o'clock.
 			timeZone: "Europe/Berlin",
 			want:     "2025-10-26T00:10:00Z",
 			wantErr:  assert.NoError,
 		},
 		{
 			name:     "executes a second time after DST jump backwards",
-			refTime:  time.Date(2025, 10, 26, 1, 5, 0, 0, time.UTC),
-			spec:     "10 2 * * *", // The clock jumps at 3 o'clock to 2 o'clock.
+			refTime:  time.Date(2025, 10, 26, 1, 5, 0, 0, time.UTC), // 02:05 local time
+			spec:     "10 2 * * *",                                  // The clock jumps at 3 o'clock to 2 o'clock.
 			timeZone: "Europe/Berlin",
 			want:     "2025-10-26T01:10:00Z",
 			wantErr:  assert.NoError,

From 0b9e11d96bce9660ce9becdf6ed08d1ae90071e7 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 7 Apr 2026 06:50:24 +0200
Subject: [PATCH 070/287] Update renovate Docker tag to v43.104.4 (forgejo)
 (#12002)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 08e8632ac8..665d8b5f38 100644
--- a/Makefile
+++ b/Makefile
@@ -48,7 +48,7 @@ GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasour
 DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.43.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
 GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.99.1 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+RENOVATE_NPM_PACKAGE ?= renovate@43.104.8 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...

From dd968f147d500920b80dbbf3fc0faf9034ca8ddd Mon Sep 17 00:00:00 2001
From: Henry Catalini Smith <henry@catalinismith.se>
Date: Wed, 8 Apr 2026 02:20:35 +0200
Subject: [PATCH 071/287] Improve repo file list table semantics for screen
 readers (#11846)

https://codeberg.org/forgejo/forgejo/issues/11116

To understand the impact of this you really need to listen to the before and after screen recordings attached. https://codeberg.org/forgejo/forgejo/issues/11116 is a really great bug report, and I was surprised by how disorienting this actually was when testing manually compared to my expectation after reading the issue. This is an impactful improvement!

This is my first time adding new translation strings. Excited to learn more about that if I've guessed wrong about how to do it.

To summarise, what we're doing here is as follows.

1. Address the core issue by changing the existing `<th>` elements to `<td>` so that screen readers stop semantically associating them with each row and reading them out for every table cell.
2. Replace them with real `<th>` elements that communicate the true semantic role of each column.
3. Add a `<caption>`. This serves a dual purpose: it gives the table an accessible name which improves the navigability of the page, and it gives us a place to explain to the user that the first row of the table is a little bit different because it's the latest commit rather than a file in the repo.
4. Visually hide the new caption and headings so that only screen reader users get them.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for JavaScript changes

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11846
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Henry Catalini Smith <henry@catalinismith.se>
Co-committed-by: Henry Catalini Smith <henry@catalinismith.se>
---
 options/locale_next/locale_en-US.json |  4 ++++
 templates/repo/view_list.tmpl         | 18 ++++++++++++------
 tests/integration/repo_test.go        |  4 ++--
 web_src/css/repo.css                  |  2 +-
 4 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index c0ed083b66..3ffcb45bce 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -52,6 +52,10 @@
 	"relativetime.1week": "last week",
 	"relativetime.1month": "last month",
 	"relativetime.1year": "last year",
+	"repo.files.caption": "Repository files (latest commit first)",
+	"repo.files.filename": "Filename",
+	"repo.files.last_commit_message": "Latest commit message",
+	"repo.files.last_commit_date": "Latest commit date",
 	"repo.issues.filter_poster.hint": "Filter by the author",
 	"repo.issues.filter_assignee.hint": "Filter by assigned user",
 	"repo.issues.filter_reviewers.hint": "Filter by user who reviewed",
diff --git a/templates/repo/view_list.tmpl b/templates/repo/view_list.tmpl
index ffd8b1a515..75f53c1b5f 100644
--- a/templates/repo/view_list.tmpl
+++ b/templates/repo/view_list.tmpl
@@ -1,17 +1,23 @@
 <table id="repo-files-table" class="ui single line table tw-mt-0" {{if .HasFilesWithoutLatestCommit}}hx-indicator="tr.notready td.message span" hx-trigger="load" hx-swap="morph" hx-post="{{.LastCommitLoaderURL}}"{{end}}>
-	<thead>
+	<caption class="tw-sr-only">
+		{{ctx.Locale.Tr "repo.files.caption"}}
+	</caption>
+	<thead class="tw-sr-only">
+		<th>{{ctx.Locale.Tr "repo.files.filename"}}</th>
+		<th>{{ctx.Locale.Tr "repo.files.last_commit_message"}}</th>
+		<th>{{ctx.Locale.Tr "repo.files.last_commit_date"}}</th>
+	</thead>
+	<tbody>
 		<tr class="commit-list">
-			<th class="tw-overflow-hidden" colspan="2">
+			<td class="tw-overflow-hidden" colspan="2">
 				<div class="tw-flex">
 					<div class="latest-commit">
 						{{template "repo/latest_commit" .}}
 					</div>
 				</div>
-			</th>
-			<th class="text grey right age">{{if .LatestCommit}}{{if .LatestCommit.Committer}}{{DateUtils.TimeSince .LatestCommit.Committer.When}}{{end}}{{end}}</th>
+			</td>
+			<td class="text grey right age">{{if .LatestCommit}}{{if .LatestCommit.Committer}}{{DateUtils.TimeSince .LatestCommit.Committer.When}}{{end}}{{end}}</td>
 		</tr>
-	</thead>
-	<tbody>
 		{{if .HasParentPath}}
 			<tr class="has-parent">
 				<td colspan="3"><a class="muted" href="{{.BranchLink}}{{if .ParentPath}}{{PathEscapeSegments .ParentPath}}{{end}}">{{svg "octicon-reply" 16 "tw-mr-2"}}..</a></td>
diff --git a/tests/integration/repo_test.go b/tests/integration/repo_test.go
index 1b4a574f13..2f189bf7a8 100644
--- a/tests/integration/repo_test.go
+++ b/tests/integration/repo_test.go
@@ -70,7 +70,7 @@ func testViewRepo(t *testing.T) {
 	resp := session.MakeRequest(t, req, http.StatusOK)
 
 	htmlDoc := NewHTMLParser(t, resp.Body)
-	files := htmlDoc.doc.Find("#repo-files-table  > TBODY > TR")
+	files := htmlDoc.doc.Find("#repo-files-table > tbody > tr:not(.commit-list)")
 
 	type file struct {
 		fileName   string
@@ -1039,7 +1039,7 @@ func TestRepoFilesList(t *testing.T) {
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		htmlDoc := NewHTMLParser(t, resp.Body)
-		filesList := htmlDoc.Find("#repo-files-table tbody tr").Map(func(_ int, s *goquery.Selection) string {
+		filesList := htmlDoc.Find("#repo-files-table tbody tr:not(.commit-list)").Map(func(_ int, s *goquery.Selection) string {
 			return s.AttrOr("data-entryname", "")
 		})
 
diff --git a/web_src/css/repo.css b/web_src/css/repo.css
index 00f159f33b..66b1d5df71 100644
--- a/web_src/css/repo.css
+++ b/web_src/css/repo.css
@@ -237,7 +237,7 @@ td .commit-summary {
   max-width: calc(calc(min(100vw, 1280px)) - 145px - calc(2 * var(--page-margin-x)));
 }
 
-.repository.file.list #repo-files-table thead th {
+.repo-files-table-latest-commit-row td {
   font-weight: var(--font-weight-normal);
 }
 

From 8a6d76cff4800b459f0d8bd03f49d24638598214 Mon Sep 17 00:00:00 2001
From: Henry Catalini Smith <henry@catalinismith.se>
Date: Wed, 8 Apr 2026 02:32:14 +0200
Subject: [PATCH 072/287] Preserve focus on star/unstar & watch/unwatch buttons
 after click (#11932)

Fixes https://codeberg.org/forgejo/forgejo/issues/11880.

Adding `hx-on::after-settle="this.querySelector('button').focus()"` restores focus after the content has been swapped and the DOM has been setled. I tried `hx-on::after-swap` first since it's mentioned more often in https://github.com/bigskysoftware/htmx/issues/1869, but it didn't work.

The demo attached in `focus.mp4` runs through a series of repeated clicks on both buttons. You can hear the screen reader announce the button's new label when focus is restored.

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11932
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Henry Catalini Smith <henry@catalinismith.se>
Co-committed-by: Henry Catalini Smith <henry@catalinismith.se>
---
 templates/repo/star_unstar.tmpl   |  2 +-
 templates/repo/watch_unwatch.tmpl |  2 +-
 tests/e2e/repo-home.test.e2e.ts   | 14 ++++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/templates/repo/star_unstar.tmpl b/templates/repo/star_unstar.tmpl
index d483495dd4..f3c1afc53c 100644
--- a/templates/repo/star_unstar.tmpl
+++ b/templates/repo/star_unstar.tmpl
@@ -1,4 +1,4 @@
-<form hx-boost="true" hx-target="this" method="post" action="{{$.RepoLink}}/action/{{if $.IsStaringRepo}}un{{end}}star">
+<form hx-boost="true" hx-target="this" method="post" action="{{$.RepoLink}}/action/{{if $.IsStaringRepo}}un{{end}}star" hx-on::after-settle="this.querySelector('button').focus()">
 	<div class="ui labeled button" {{if not $.IsSigned}}data-tooltip-content="{{ctx.Locale.Tr "repo.star_guest_user"}}"{{end}}>
 		<button type="submit" class="ui compact small basic button"{{if not $.IsSigned}} disabled{{end}} aria-label="{{if $.IsStaringRepo}}{{ctx.Locale.Tr "repo.unstar"}}{{else}}{{ctx.Locale.Tr "repo.star"}}{{end}}">
 			{{if $.IsStaringRepo}}
diff --git a/templates/repo/watch_unwatch.tmpl b/templates/repo/watch_unwatch.tmpl
index 35d527af98..d846e17dce 100644
--- a/templates/repo/watch_unwatch.tmpl
+++ b/templates/repo/watch_unwatch.tmpl
@@ -1,4 +1,4 @@
-<form hx-boost="true" hx-target="this" method="post" action="{{$.RepoLink}}/action/{{if $.IsWatchingRepo}}un{{end}}watch">
+<form hx-boost="true" hx-target="this" method="post" action="{{$.RepoLink}}/action/{{if $.IsWatchingRepo}}un{{end}}watch" hx-on::after-settle="this.querySelector('button').focus()">
 	<div class="ui labeled button" {{if not $.IsSigned}}data-tooltip-content="{{ctx.Locale.Tr "repo.watch_guest_user"}}"{{end}}>
 		<button type="submit" class="ui compact small basic button"{{if not $.IsSigned}} disabled{{end}} aria-label="{{if $.IsWatchingRepo}}{{ctx.Locale.Tr "repo.unwatch"}}{{else}}{{ctx.Locale.Tr "repo.watch"}}{{end}}">
 			{{if $.IsWatchingRepo}}
diff --git a/tests/e2e/repo-home.test.e2e.ts b/tests/e2e/repo-home.test.e2e.ts
index 5a10c719c7..2869147429 100644
--- a/tests/e2e/repo-home.test.e2e.ts
+++ b/tests/e2e/repo-home.test.e2e.ts
@@ -12,6 +12,8 @@ import {expect} from '@playwright/test';
 import {test} from './utils_e2e.ts';
 import {screenshot} from './shared/screenshots.ts';
 
+test.use({user: 'user2'});
+
 test('Language stats bar', async ({browser}) => {
   // This test doesn't need JS and runs a little faster without it
   const context = await browser.newContext({javaScriptEnabled: false});
@@ -55,3 +57,15 @@ test('Branch selector commit icon', async ({page}) => {
   await expect(page.locator('.branch-dropdown-button svg.octicon-git-commit')).toBeVisible();
   await expect(page.locator('.branch-dropdown-button')).toHaveText('65f1bf27bc');
 });
+
+test('Star button focus retention', async ({page}) => {
+  const response = await page.goto('/user2/repo1');
+  expect(response?.status()).toBe(200);
+
+  const starButton = page.locator('button[aria-label="Star"], button[aria-label="Unstar"]');
+  await starButton.click();
+
+  await expect(
+    page.locator('button[aria-label="Star"]:focus, button[aria-label="Unstar"]:focus'),
+  ).toBeVisible();
+});

From 8f48841c683cc53c3de941e2f0c029874e786541 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 8 Apr 2026 15:30:57 +0200
Subject: [PATCH 073/287] Update dependency go to v1.26.2 (forgejo) (#12025)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12025
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 9ec653792b..290c39dcdf 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module forgejo.org
 
 go 1.25.0
 
-toolchain go1.26.1
+toolchain go1.26.2
 
 require (
 	code.forgejo.org/f3/gof3/v3 v3.11.15

From bdd2a1def7a2364f3f8175d5ef29b6c48b88d486 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Wed, 8 Apr 2026 15:42:39 +0200
Subject: [PATCH 074/287] fix: prevent actions workflows from generating OIDC
 tokens if not authorized in workflow (#12030)

When using Forgejo's `enable-openid-connect: true`, a URL is generated into the actions under `$ACTIONS_ID_TOKEN_REQUEST_URL` that can be used to generate a JWT for accessing third-party resources authenticated as the action executing in this server on this repo.  However, the endpoint of that url (`.../idtoken`) had unintentionally missed a `return` on an internal server error, and was missing a check that the action actually had `enable-openid-connect: true` on it.  As a result, it was possible to generate a JWT for accessing third-party resources from an action that wasn't expected to be generating JWTs.

In terms of real-world vulnerability, the most likely risk is that the JWT could be generated from a forked pull request.  By not using the `$ACTIONS_ID_TOKEN_REQUEST_URL` and instead going directly to the `.../idtoken` endpoint, and parsing a generated JWT response that will be mixed with an error response, it's possible to retrieve a JWT in a forked pull request.  It would require a slight misconfiguration on a third-party system to allow that JWT access, but it's a plausible risk.

As this is a feature in Forgejo 15 that hasn't been released, it will be fixed in-public.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
    - Feature is not yet released.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12030
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 routers/api/actions/id_token.go                | 9 +++++++++
 tests/integration/api_actions_id_token_test.go | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/routers/api/actions/id_token.go b/routers/api/actions/id_token.go
index 5eacc77fc9..ab9b2c8d22 100644
--- a/routers/api/actions/id_token.go
+++ b/routers/api/actions/id_token.go
@@ -6,6 +6,7 @@ package actions
 import (
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"time"
 
@@ -72,6 +73,7 @@ func IDTokenContexter() func(next http.Handler) http.Handler {
 			if err != nil {
 				log.Error("Error runner api parsing custom claims: %v", err)
 				ctx.Error(http.StatusInternalServerError, "Error runner api parsing custom claims")
+				return
 			}
 
 			task, err := actions.GetTaskByID(req.Context(), authorizationTokenClaims.TaskID)
@@ -99,6 +101,13 @@ func IDTokenContexter() func(next http.Handler) http.Handler {
 				return
 			}
 
+			generateIDTokenScp := fmt.Sprintf("generate_id_token:%d:%d", task.Job.RunID, task.Job.ID)
+			scp := strings.Split(authorizationTokenClaims.Scp, " ")
+			if !slices.Contains(scp, generateIDTokenScp) {
+				ctx.Error(http.StatusForbidden, "missing scp generate_id_token")
+				return
+			}
+
 			audience := req.URL.Query().Get("audience")
 			if audience == "" {
 				// Default to organization that owns the repo if no audience is provided
diff --git a/tests/integration/api_actions_id_token_test.go b/tests/integration/api_actions_id_token_test.go
index d5c7301ad1..53a0a5b269 100644
--- a/tests/integration/api_actions_id_token_test.go
+++ b/tests/integration/api_actions_id_token_test.go
@@ -47,6 +47,8 @@ func TestActionsIDToken(t *testing.T) {
 
 	token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true)
 	require.NoError(t, err)
+	tokenWithoutOIDCAccess, err := actions_service.CreateAuthorizationToken(task, gitCtx, false)
+	require.NoError(t, err)
 
 	// get JWKs information
 	req := NewRequest(t, "GET", "/api/actions/.well-known/keys")
@@ -118,6 +120,13 @@ func TestActionsIDToken(t *testing.T) {
 		doAssertions("testingAud", claims)
 	})
 
+	t.Run("with token that doesn't support OIDC", func(t *testing.T) {
+		req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true").AddTokenAuth(tokenWithoutOIDCAccess)
+		resp = MakeRequest(t, req, http.StatusInternalServerError)
+		assert.Contains(t, resp.Body.String(), "Error runner api parsing custom claims")
+		assert.NotContains(t, resp.Body.String(), "value") // must not leak an actual `getTokenResponse`
+	})
+
 	t.Run("with no auth header", func(t *testing.T) {
 		req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true&audience=testingAud")
 		resp = MakeRequest(t, req, http.StatusUnauthorized)

From 8154ea5beaf13ed815a137ab65bcd0df5925f46f Mon Sep 17 00:00:00 2001
From: Saibotk <git@saibotk.de>
Date: Wed, 8 Apr 2026 16:20:19 +0200
Subject: [PATCH 075/287] fix(doctor): remove broken mergebase check (#12023)

Fixes https://codeberg.org/forgejo/forgejo/issues/6163
Fixes https://codeberg.org/forgejo/forgejo/issues/3343

The merge base doctor check & fix was broken and could introduce irreversible "fixes" to wrong merge bases for PRs using the `fast-forward` and `rebase-and-merge` strategies.

The mergebase fix was originally introduced in a migration [0] to fix an existing issue [1] in the merge code in 2020.
Later added as a doctor command without explanation [2].

We decided to remove this check, as there is no apparent reason for it to still be necessary or any PR merge base state being out of sync with the current implementation.
It does more harm to keep the code in and there is no way to fix `fast-forward` and `rebase-and-merge` PRs, due to their merge implementation.

`fast-forward`: The git state inherently cannot reconstruct a merge base in this scenario by design.
`rebase-and-merge`: Is rebased on a temporary repository clone and thus might receive a different merge base, depending on how far the target branch is ahead.

[0]: https://codeberg.org/forgejo/forgejo/commit/4a2b76d9c8e00769d81eed2f149b6da20cc2d339
[1]: https://codeberg.org/forgejo/forgejo/commit/4a2b76d9c8e00769d81eed2f149b6da20cc2d339
[2]: https://codeberg.org/forgejo/forgejo/commit/d26885e2bf0a53af1c5c97c9d062f329250d8d20#diff-84d6d60112991392d6ba2cae4cd919fb3ee8afb8

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12023
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Saibotk <git@saibotk.de>
Co-committed-by: Saibotk <git@saibotk.de>
---
 services/doctor/mergebase.go | 114 -----------------------------------
 1 file changed, 114 deletions(-)
 delete mode 100644 services/doctor/mergebase.go

diff --git a/services/doctor/mergebase.go b/services/doctor/mergebase.go
deleted file mode 100644
index bebde30bee..0000000000
--- a/services/doctor/mergebase.go
+++ /dev/null
@@ -1,114 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package doctor
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"forgejo.org/models/db"
-	issues_model "forgejo.org/models/issues"
-	repo_model "forgejo.org/models/repo"
-	"forgejo.org/modules/git"
-	"forgejo.org/modules/log"
-
-	"xorm.io/builder"
-)
-
-func iteratePRs(ctx context.Context, repo *repo_model.Repository, each func(*repo_model.Repository, *issues_model.PullRequest) error) error {
-	return db.Iterate(
-		ctx,
-		builder.Eq{"base_repo_id": repo.ID},
-		func(ctx context.Context, bean *issues_model.PullRequest) error {
-			return each(repo, bean)
-		},
-	)
-}
-
-func checkPRMergeBase(ctx context.Context, logger log.Logger, autofix bool) error {
-	numRepos := 0
-	numPRs := 0
-	numPRsUpdated := 0
-	err := iterateRepositories(ctx, func(repo *repo_model.Repository) error {
-		numRepos++
-		return iteratePRs(ctx, repo, func(repo *repo_model.Repository, pr *issues_model.PullRequest) error {
-			numPRs++
-			pr.BaseRepo = repo
-			repoPath := repo.RepoPath()
-
-			oldMergeBase := pr.MergeBase
-
-			if !pr.HasMerged {
-				var err error
-				pr.MergeBase, _, err = git.NewCommand(ctx, "merge-base").AddDashesAndList(pr.BaseBranch, pr.GetGitRefName()).RunStdString(&git.RunOpts{Dir: repoPath})
-				if err != nil {
-					var err2 error
-					pr.MergeBase, _, err2 = git.NewCommand(ctx, "rev-parse").AddDynamicArguments(git.BranchPrefix + pr.BaseBranch).RunStdString(&git.RunOpts{Dir: repoPath})
-					if err2 != nil {
-						logger.Warn("Unable to get merge base for PR ID %d, #%d onto %s in %s/%s. Error: %v & %v", pr.ID, pr.Index, pr.BaseBranch, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, err, err2)
-						return nil
-					}
-				}
-			} else {
-				parentsString, _, err := git.NewCommand(ctx, "rev-list", "--parents", "-n", "1").AddDynamicArguments(pr.MergedCommitID).RunStdString(&git.RunOpts{Dir: repoPath})
-				if err != nil {
-					logger.Warn("Unable to get parents for merged PR ID %d, #%d onto %s in %s/%s. Error: %v", pr.ID, pr.Index, pr.BaseBranch, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, err)
-					return nil
-				}
-				parents := strings.Split(strings.TrimSpace(parentsString), " ")
-				if len(parents) < 2 {
-					return nil
-				}
-
-				refs := append([]string{}, parents[1:]...)
-				refs = append(refs, pr.GetGitRefName())
-				cmd := git.NewCommand(ctx, "merge-base").AddDashesAndList(refs...)
-				pr.MergeBase, _, err = cmd.RunStdString(&git.RunOpts{Dir: repoPath})
-				if err != nil {
-					logger.Warn("Unable to get merge base for merged PR ID %d, #%d onto %s in %s/%s. Error: %v", pr.ID, pr.Index, pr.BaseBranch, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, err)
-					return nil
-				}
-			}
-			pr.MergeBase = strings.TrimSpace(pr.MergeBase)
-			if pr.MergeBase != oldMergeBase {
-				if autofix {
-					if err := pr.UpdateCols(ctx, "merge_base"); err != nil {
-						logger.Critical("Failed to update merge_base. ERROR: %v", err)
-						return fmt.Errorf("Failed to update merge_base. ERROR: %w", err)
-					}
-				} else {
-					logger.Info("#%d onto %s in %s/%s: MergeBase should be %s but is %s", pr.Index, pr.BaseBranch, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, oldMergeBase, pr.MergeBase)
-				}
-				numPRsUpdated++
-			}
-			return nil
-		})
-	})
-
-	if autofix {
-		logger.Info("%d PR mergebases updated of %d PRs total in %d repos", numPRsUpdated, numPRs, numRepos)
-	} else {
-		if numPRsUpdated == 0 {
-			logger.Info("All %d PRs in %d repos have a correct mergebase", numPRs, numRepos)
-		} else if err == nil {
-			logger.Critical("%d PRs with incorrect mergebases of %d PRs total in %d repos", numPRsUpdated, numPRs, numRepos)
-			return fmt.Errorf("%d PRs with incorrect mergebases of %d PRs total in %d repos", numPRsUpdated, numPRs, numRepos)
-		} else {
-			logger.Warn("%d PRs with incorrect mergebases of %d PRs total in %d repos", numPRsUpdated, numPRs, numRepos)
-		}
-	}
-
-	return err
-}
-
-func init() {
-	Register(&Check{
-		Title:     "Recalculate merge bases",
-		Name:      "recalculate-merge-bases",
-		IsDefault: false,
-		Run:       checkPRMergeBase,
-		Priority:  7,
-	})
-}

From 8b7327c34498f32532bb11ddee8ae7c67297e921 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 8 Apr 2026 17:13:10 +0200
Subject: [PATCH 076/287] Update module code.forgejo.org/forgejo/runner/v12 to
 v12.8.2 (forgejo) (#12011)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [code.forgejo.org/forgejo/runner/v12](https://code.forgejo.org/forgejo/runner) | `v12.8.0` → `v12.8.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.8.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.8.0/v12.8.2?slim=true) |

---

### Release Notes

<details>
<summary>forgejo/runner (code.forgejo.org/forgejo/runner/v12)</summary>

### [`v12.8.2`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.8.2)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.8.1...v12.8.2)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1477): <!--number 1477 --><!--line 0 --><!--description Zml4OiByZXR1cm4gZXJyb3Igd2hlbiBgb25lLWpvYmAgcmVjZWl2ZXMgbm8gdGFzaw==-->fix: return error when `one-job` receives no task<!--description-->

<!--end release-notes-assistant-->

### [`v12.8.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.8.1)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.8.0...v12.8.1)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1476): <!--number 1476 --><!--line 0 --><!--description Zml4OiB1c2UgYF57Y29tbWl0fWAgdG8gYWN0dWFsbHkgbGV0IGByZXYtcGFyc2VgIHJlc29sdmUgdG8gdGhlIGNvbW1pdA==-->fix: use `^{commit}` to actually let `rev-parse` resolve to the commit<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1474): <!--number 1474 --><!--line 0 --><!--description Y2hvcmU6IHVwZ3JhZGUgTW9ja2VyeSB0byB2Mw==-->chore: upgrade Mockery to v3<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDQuNCIsInVwZGF0ZWRJblZlciI6IjQzLjEwNC40IiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12011
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 290c39dcdf..f0d14e8c44 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	code.forgejo.org/forgejo/go-rpmutils v1.0.0
 	code.forgejo.org/forgejo/levelqueue v1.0.0
 	code.forgejo.org/forgejo/reply v1.0.2
-	code.forgejo.org/forgejo/runner/v12 v12.8.0
+	code.forgejo.org/forgejo/runner/v12 v12.8.2
 	code.forgejo.org/go-chi/binding v1.0.1
 	code.forgejo.org/go-chi/cache v1.0.1
 	code.forgejo.org/go-chi/captcha v1.0.2
diff --git a/go.sum b/go.sum
index 1f79a74863..be7eb7100c 100644
--- a/go.sum
+++ b/go.sum
@@ -30,8 +30,8 @@ code.forgejo.org/forgejo/levelqueue v1.0.0 h1:9krYpU6BM+j/1Ntj6m+VCAIu0UNnne1/Uf
 code.forgejo.org/forgejo/levelqueue v1.0.0/go.mod h1:fmG6zhVuqim2rxSFOoasgXO8V2W/k9U31VVYqLIRLhQ=
 code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
 code.forgejo.org/forgejo/reply v1.0.2/go.mod h1:RyZUfzQLc+fuLIGjTSQWDAJWPiL4WtKXB/FifT5fM7U=
-code.forgejo.org/forgejo/runner/v12 v12.8.0 h1:/MqOseYbsGaQ2qzepaZr3VyuqpESvSP/ZnC2aKfmU3g=
-code.forgejo.org/forgejo/runner/v12 v12.8.0/go.mod h1:sgDAYfO4NJI1kUzGuD7klHuoFLQzWmZPw0erg7QlbJU=
+code.forgejo.org/forgejo/runner/v12 v12.8.2 h1:jhSs/gQQAz0OiHnSxMx297jreLctfm52/rcXlCFMb58=
+code.forgejo.org/forgejo/runner/v12 v12.8.2/go.mod h1:sgDAYfO4NJI1kUzGuD7klHuoFLQzWmZPw0erg7QlbJU=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616 h1:kEZL84+02jY9RxXM4zHBWZ3Fml0B09cmP1LGkDsCfIA=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 code.forgejo.org/go-chi/binding v1.0.1 h1:coKNI+X1NzRN7X85LlrpvBRqk0TXpJ+ja28vusQWEuY=

From 503bcf1237bbef7bcda87b974800a24aedc9c2fa Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 8 Apr 2026 18:41:12 +0200
Subject: [PATCH 077/287] Update dependency vue to v3.5.32 (forgejo) (#12010)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 108 +++++++++++++++++++++++-----------------------
 package.json      |   2 +-
 2 files changed, 55 insertions(+), 55 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 72aeb9821b..aa3ef539c2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -73,7 +73,7 @@
         "tributejs": "5.1.3",
         "uint8-to-base64": "0.2.1",
         "vanilla-colorful": "0.7.2",
-        "vue": "3.5.31",
+        "vue": "3.5.32",
         "vue-chartjs": "5.3.3",
         "vue-loader": "17.4.2",
         "vue3-calendar-heatmap": "2.0.5",
@@ -5128,39 +5128,39 @@
       }
     },
     "node_modules/@vue/compiler-core": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.31.tgz",
-      "integrity": "sha512-k/ueL14aNIEy5Onf0OVzR8kiqF/WThgLdFhxwa4e/KF/0qe38IwIdofoSWBTvvxQOesaz6riAFAUaYjoF9fLLQ==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.32.tgz",
+      "integrity": "sha512-4x74Tbtqnda8s/NSD6e1Dr5p1c8HdMU5RWSjMSUzb8RTcUQqevDCxVAitcLBKT+ie3o0Dl9crc/S/opJM7qBGQ==",
       "license": "MIT",
       "dependencies": {
         "@babel/parser": "^7.29.2",
-        "@vue/shared": "3.5.31",
+        "@vue/shared": "3.5.32",
         "entities": "^7.0.1",
         "estree-walker": "^2.0.2",
         "source-map-js": "^1.2.1"
       }
     },
     "node_modules/@vue/compiler-dom": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.31.tgz",
-      "integrity": "sha512-BMY/ozS/xxjYqRFL+tKdRpATJYDTTgWSo0+AJvJNg4ig+Hgb0dOsHPXvloHQ5hmlivUqw1Yt2pPIqp4e0v1GUw==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.32.tgz",
+      "integrity": "sha512-ybHAu70NtiEI1fvAUz3oXZqkUYEe5J98GjMDpTGl5iHb0T15wQYLR4wE3h9xfuTNA+Cm2f4czfe8B4s+CCH57Q==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-core": "3.5.31",
-        "@vue/shared": "3.5.31"
+        "@vue/compiler-core": "3.5.32",
+        "@vue/shared": "3.5.32"
       }
     },
     "node_modules/@vue/compiler-sfc": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.31.tgz",
-      "integrity": "sha512-M8wpPgR9UJ8MiRGjppvx9uWJfLV7A/T+/rL8s/y3QG3u0c2/YZgff3d6SuimKRIhcYnWg5fTfDMlz2E6seUW8Q==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.32.tgz",
+      "integrity": "sha512-8UYUYo71cP/0YHMO814TRZlPuUUw3oifHuMR7Wp9SNoRSrxRQnhMLNlCeaODNn6kNTJsjFoQ/kqIj4qGvya4Xg==",
       "license": "MIT",
       "dependencies": {
         "@babel/parser": "^7.29.2",
-        "@vue/compiler-core": "3.5.31",
-        "@vue/compiler-dom": "3.5.31",
-        "@vue/compiler-ssr": "3.5.31",
-        "@vue/shared": "3.5.31",
+        "@vue/compiler-core": "3.5.32",
+        "@vue/compiler-dom": "3.5.32",
+        "@vue/compiler-ssr": "3.5.32",
+        "@vue/shared": "3.5.32",
         "estree-walker": "^2.0.2",
         "magic-string": "^0.30.21",
         "postcss": "^8.5.8",
@@ -5205,63 +5205,63 @@
       }
     },
     "node_modules/@vue/compiler-ssr": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.31.tgz",
-      "integrity": "sha512-h0xIMxrt/LHOvJKMri+vdYT92BrK3HFLtDqq9Pr/lVVfE4IyKZKvWf0vJFW10Yr6nX02OR4MkJwI0c1HDa1hog==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.32.tgz",
+      "integrity": "sha512-Gp4gTs22T3DgRotZ8aA/6m2jMR+GMztvBXUBEUOYOcST+giyGWJ4WvFd7QLHBkzTxkfOt8IELKNdpzITLbA2rw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.31",
-        "@vue/shared": "3.5.31"
+        "@vue/compiler-dom": "3.5.32",
+        "@vue/shared": "3.5.32"
       }
     },
     "node_modules/@vue/reactivity": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.31.tgz",
-      "integrity": "sha512-DtKXxk9E/KuVvt8VxWu+6Luc9I9ETNcqR1T1oW1gf02nXaZ1kuAx58oVu7uX9XxJR0iJCro6fqBLw9oSBELo5g==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.32.tgz",
+      "integrity": "sha512-/ORasxSGvZ6MN5gc+uE364SxFdJ0+WqVG0CENXaGW58TOCdrAW76WWaplDtECeS1qphvtBZtR+3/o1g1zL4xPQ==",
       "license": "MIT",
       "dependencies": {
-        "@vue/shared": "3.5.31"
+        "@vue/shared": "3.5.32"
       }
     },
     "node_modules/@vue/runtime-core": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.31.tgz",
-      "integrity": "sha512-AZPmIHXEAyhpkmN7aWlqjSfYynmkWlluDNPHMCZKFHH+lLtxP/30UJmoVhXmbDoP1Ng0jG0fyY2zCj1PnSSA6Q==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.32.tgz",
+      "integrity": "sha512-pDrXCejn4UpFDFmMd27AcJEbHaLemaE5o4pbb7sLk79SRIhc6/t34BQA7SGNgYtbMnvbF/HHOftYBgFJtUoJUQ==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.31",
-        "@vue/shared": "3.5.31"
+        "@vue/reactivity": "3.5.32",
+        "@vue/shared": "3.5.32"
       }
     },
     "node_modules/@vue/runtime-dom": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.31.tgz",
-      "integrity": "sha512-xQJsNRmGPeDCJq/u813tyonNgWBFjzfVkBwDREdEWndBnGdHLHgkwNBQxLtg4zDrzKTEcnikUy1UUNecb3lJ6g==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.32.tgz",
+      "integrity": "sha512-1CDVv7tv/IV13V8Nip1k/aaObVbWqRlVCVezTwx3K07p7Vxossp5JU1dcPNhJk3w347gonIUT9jQOGutyJrSVQ==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.31",
-        "@vue/runtime-core": "3.5.31",
-        "@vue/shared": "3.5.31",
+        "@vue/reactivity": "3.5.32",
+        "@vue/runtime-core": "3.5.32",
+        "@vue/shared": "3.5.32",
         "csstype": "^3.2.3"
       }
     },
     "node_modules/@vue/server-renderer": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.31.tgz",
-      "integrity": "sha512-GJuwRvMcdZX/CriUnyIIOGkx3rMV3H6sOu0JhdKbduaeCji6zb60iOGMY7tFoN24NfsUYoFBhshZtGxGpxO4iA==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.32.tgz",
+      "integrity": "sha512-IOjm2+JQwRFS7W28HNuJeXQle9KdZbODFY7hFGVtnnghF51ta20EWAZJHX+zLGtsHhaU6uC9BGPV52KVpYryMQ==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-ssr": "3.5.31",
-        "@vue/shared": "3.5.31"
+        "@vue/compiler-ssr": "3.5.32",
+        "@vue/shared": "3.5.32"
       },
       "peerDependencies": {
-        "vue": "3.5.31"
+        "vue": "3.5.32"
       }
     },
     "node_modules/@vue/shared": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.31.tgz",
-      "integrity": "sha512-nBxuiuS9Lj5bPkPbWogPUnjxxWpkRniX7e5UBQDWl6Fsf4roq9wwV+cR7ezQ4zXswNvPIlsdj1slcLB7XCsRAw==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.32.tgz",
+      "integrity": "sha512-ksNyrmRQzWJJ8n3cRDuSF7zNNontuJg1YHnmWRJd2AMu8Ij2bqwiiri2lH5rHtYPZjj4STkNcgcmiQqlOjiYGg==",
       "license": "MIT"
     },
     "node_modules/@vue/test-utils": {
@@ -16076,16 +16076,16 @@
       "license": "MIT"
     },
     "node_modules/vue": {
-      "version": "3.5.31",
-      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.31.tgz",
-      "integrity": "sha512-iV/sU9SzOlmA/0tygSmjkEN6Jbs3nPoIPFhCMLD2STrjgOU8DX7ZtzMhg4ahVwf5Rp9KoFzcXeB1ZrVbLBp5/Q==",
+      "version": "3.5.32",
+      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.32.tgz",
+      "integrity": "sha512-vM4z4Q9tTafVfMAK7IVzmxg34rSzTFMyIe0UUEijUCkn9+23lj0WRfA83dg7eQZIUlgOSGrkViIaCfqSAUXsMw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.31",
-        "@vue/compiler-sfc": "3.5.31",
-        "@vue/runtime-dom": "3.5.31",
-        "@vue/server-renderer": "3.5.31",
-        "@vue/shared": "3.5.31"
+        "@vue/compiler-dom": "3.5.32",
+        "@vue/compiler-sfc": "3.5.32",
+        "@vue/runtime-dom": "3.5.32",
+        "@vue/server-renderer": "3.5.32",
+        "@vue/shared": "3.5.32"
       },
       "peerDependencies": {
         "typescript": "*"
diff --git a/package.json b/package.json
index 3c368c5b1a..684bee7999 100644
--- a/package.json
+++ b/package.json
@@ -72,7 +72,7 @@
     "tributejs": "5.1.3",
     "uint8-to-base64": "0.2.1",
     "vanilla-colorful": "0.7.2",
-    "vue": "3.5.31",
+    "vue": "3.5.32",
     "vue-chartjs": "5.3.3",
     "vue-loader": "17.4.2",
     "vue3-calendar-heatmap": "2.0.5",

From c55d7ba9d417e7a4e742dfeece0a2706b0e8125f Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 8 Apr 2026 19:49:28 +0200
Subject: [PATCH 078/287] Update dependency esbuild-loader to v4.4.3 (forgejo)
 (#12003)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12003
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 36 ++++++++++--------------------------
 package.json      |  2 +-
 2 files changed, 11 insertions(+), 27 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index aa3ef539c2..93619d5f13 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -48,7 +48,7 @@
         "dayjs": "1.11.19",
         "dropzone": "6.0.0-beta.2",
         "easymde": "2.18.0",
-        "esbuild-loader": "4.4.2",
+        "esbuild-loader": "4.4.3",
         "escape-goat": "4.0.0",
         "fast-glob": "3.3.3",
         "htmx.org": "2.0.8",
@@ -7935,15 +7935,15 @@
       }
     },
     "node_modules/esbuild-loader": {
-      "version": "4.4.2",
-      "resolved": "https://registry.npmjs.org/esbuild-loader/-/esbuild-loader-4.4.2.tgz",
-      "integrity": "sha512-8LdoT9sC7fzfvhxhsIAiWhzLJr9yT3ggmckXxsgvM07wgrRxhuT98XhLn3E7VczU5W5AFsPKv9DdWcZIubbWkQ==",
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/esbuild-loader/-/esbuild-loader-4.4.3.tgz",
+      "integrity": "sha512-Wpui03EzqC151xFteKlgJQhbyZl5CgnBpUHXVuao02nItULlkaTeiLdEMPTmR2zdwpEBWkXVNoT5dDOYJluUzg==",
       "license": "MIT",
       "dependencies": {
         "esbuild": "^0.27.1",
         "get-tsconfig": "^4.10.1",
         "loader-utils": "^2.0.4",
-        "webpack-sources": "^1.4.3"
+        "webpack-sources": "^3.3.4"
       },
       "funding": {
         "url": "https://github.com/privatenumber/esbuild-loader?sponsor=1"
@@ -14364,12 +14364,6 @@
       "integrity": "sha512-Kk8wLQPlS+yi1ZEf48a4+fzHa4yxjC30M/Sr2AnQu+f/MPwvvX9XjZ6OWejiz8crBsLwSq8GHqaxaET7u6ux0A==",
       "license": "MIT"
     },
-    "node_modules/source-list-map": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/source-list-map/-/source-list-map-2.0.1.tgz",
-      "integrity": "sha512-qnQ7gVMxGNxsiL4lEuJwe/To8UnK7fAnmbGEEH8RpLouuKbeEm0lhbQVFIrNSuB+G7tVrAlVsZgETT5nljf+Iw==",
-      "license": "MIT"
-    },
     "node_modules/source-map": {
       "version": "0.6.1",
       "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
@@ -16310,13 +16304,12 @@
       }
     },
     "node_modules/webpack-sources": {
-      "version": "1.4.3",
-      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-1.4.3.tgz",
-      "integrity": "sha512-lgTS3Xhv1lCOKo7SA5TjKXMjpSM4sBjNV5+q2bqesbSPs5FjGmU6jjtBSkX9b4qW87vDIsCIlUPOEhbZrMdjeQ==",
+      "version": "3.3.4",
+      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.3.4.tgz",
+      "integrity": "sha512-7tP1PdV4vF+lYPnkMR0jMY5/la2ub5Fc/8VQrrU+lXkiM6C4TjVfGw7iKfyhnTQOsD+6Q/iKw0eFciziRgD58Q==",
       "license": "MIT",
-      "dependencies": {
-        "source-list-map": "^2.0.0",
-        "source-map": "~0.6.1"
+      "engines": {
+        "node": ">=10.13.0"
       }
     },
     "node_modules/webpack/node_modules/@types/estree": {
@@ -16347,15 +16340,6 @@
         "node": ">=4.0"
       }
     },
-    "node_modules/webpack/node_modules/webpack-sources": {
-      "version": "3.3.4",
-      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.3.4.tgz",
-      "integrity": "sha512-7tP1PdV4vF+lYPnkMR0jMY5/la2ub5Fc/8VQrrU+lXkiM6C4TjVfGw7iKfyhnTQOsD+6Q/iKw0eFciziRgD58Q==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=10.13.0"
-      }
-    },
     "node_modules/whatwg-mimetype": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-3.0.0.tgz",
diff --git a/package.json b/package.json
index 684bee7999..65f6ace31d 100644
--- a/package.json
+++ b/package.json
@@ -47,7 +47,7 @@
     "dayjs": "1.11.19",
     "dropzone": "6.0.0-beta.2",
     "easymde": "2.18.0",
-    "esbuild-loader": "4.4.2",
+    "esbuild-loader": "4.4.3",
     "escape-goat": "4.0.0",
     "fast-glob": "3.3.3",
     "htmx.org": "2.0.8",

From 24af9cf8ee9c4cb3cd8c923c472bf4668c1145bb Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 8 Apr 2026 19:59:58 +0200
Subject: [PATCH 079/287] Update module github.com/go-enry/go-enry/v2 to v2.9.6
 (forgejo) (#11989)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11989
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index f0d14e8c44..554e03e181 100644
--- a/go.mod
+++ b/go.mod
@@ -48,7 +48,7 @@ require (
 	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-chi/cors v1.2.2
 	github.com/go-co-op/gocron v1.37.0
-	github.com/go-enry/go-enry/v2 v2.9.5
+	github.com/go-enry/go-enry/v2 v2.9.6
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/go-openapi/spec v0.22.3
 	github.com/go-sql-driver/mysql v1.9.3
diff --git a/go.sum b/go.sum
index be7eb7100c..7398064c4d 100644
--- a/go.sum
+++ b/go.sum
@@ -268,8 +268,8 @@ github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
 github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-co-op/gocron v1.37.0 h1:ZYDJGtQ4OMhTLKOKMIch+/CY70Brbb1dGdooLEhh7b0=
 github.com/go-co-op/gocron v1.37.0/go.mod h1:3L/n6BkO7ABj+TrfSVXLRzsP26zmikL4ISkLQ0O8iNY=
-github.com/go-enry/go-enry/v2 v2.9.5 h1:HPhAQQHYwJgihL2PxBZiUMFWiROsGwOBdB6/D8zCUhY=
-github.com/go-enry/go-enry/v2 v2.9.5/go.mod h1:9yrj4ES1YrbNb1Wb7/PWYr2bpaCXUGRt0uafN0ISyG8=
+github.com/go-enry/go-enry/v2 v2.9.6 h1:np63eOtMV56zfYDHnFVgpEVOk8fr2kmylcMnAZUDbSs=
+github.com/go-enry/go-enry/v2 v2.9.6/go.mod h1:9yrj4ES1YrbNb1Wb7/PWYr2bpaCXUGRt0uafN0ISyG8=
 github.com/go-enry/go-oniguruma v1.2.1 h1:k8aAMuJfMrqm/56SG2lV9Cfti6tC4x8673aHCcBk+eo=
 github.com/go-enry/go-oniguruma v1.2.1/go.mod h1:bWDhYP+S6xZQgiRL7wlTScFYBe023B6ilRZbCAD5Hf4=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=

From 3982685c35c27866b54671cc65de0d16412965cb Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 8 Apr 2026 20:01:56 +0200
Subject: [PATCH 080/287] Lock file maintenance (forgejo) (#12005)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12005
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json                  | 282 ++++++++++++++---------------
 web_src/fomantic/package-lock.json |  44 ++---
 2 files changed, 163 insertions(+), 163 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 93619d5f13..81bf558b03 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -944,21 +944,21 @@
       }
     },
     "node_modules/@emnapi/core": {
-      "version": "1.9.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.1.tgz",
-      "integrity": "sha512-mukuNALVsoix/w1BJwFzwXBN/dHeejQtuVzcDsfOEsdpCumXb/E9j8w11h5S54tT1xhifGfbbSm/ICrObRb3KA==",
+      "version": "1.9.2",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
+      "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
       "dev": true,
       "license": "MIT",
       "optional": true,
       "dependencies": {
-        "@emnapi/wasi-threads": "1.2.0",
+        "@emnapi/wasi-threads": "1.2.1",
         "tslib": "^2.4.0"
       }
     },
     "node_modules/@emnapi/runtime": {
-      "version": "1.9.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.1.tgz",
-      "integrity": "sha512-VYi5+ZVLhpgK4hQ0TAjiQiZ6ol0oe4mBx7mVv7IflsiEp0OWoVsp/+f9Vc1hOhE0TtkORVrI1GvzyreqpgWtkA==",
+      "version": "1.9.2",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
+      "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -967,9 +967,9 @@
       }
     },
     "node_modules/@emnapi/wasi-threads": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.0.tgz",
-      "integrity": "sha512-N10dEJNSsUx41Z6pZsXU8FjPjpBEplgH24sfkmITrBED1/U2Esum9F3lfLrMjKHHjmi557zQn7kR9R+XWXu5Rg==",
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.1.tgz",
+      "integrity": "sha512-uTII7OYF+/Mes/MrcIOYp5yOtSMLBWSIoLPpcgwipoiKbli6k322tcoFsxoIIxPDqW01SQGAgko4EzZi2BNv2w==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -978,9 +978,9 @@
       }
     },
     "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz",
-      "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.7.tgz",
+      "integrity": "sha512-EKX3Qwmhz1eMdEJokhALr0YiD0lhQNwDqkPYyPhiSwKrh7/4KRjQc04sZ8db+5DVVnZ1LmbNDI1uAMPEUBnQPg==",
       "cpu": [
         "ppc64"
       ],
@@ -994,9 +994,9 @@
       }
     },
     "node_modules/@esbuild/android-arm": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz",
-      "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.7.tgz",
+      "integrity": "sha512-jbPXvB4Yj2yBV7HUfE2KHe4GJX51QplCN1pGbYjvsyCZbQmies29EoJbkEc+vYuU5o45AfQn37vZlyXy4YJ8RQ==",
       "cpu": [
         "arm"
       ],
@@ -1010,9 +1010,9 @@
       }
     },
     "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz",
-      "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.7.tgz",
+      "integrity": "sha512-62dPZHpIXzvChfvfLJow3q5dDtiNMkwiRzPylSCfriLvZeq0a1bWChrGx/BbUbPwOrsWKMn8idSllklzBy+dgQ==",
       "cpu": [
         "arm64"
       ],
@@ -1026,9 +1026,9 @@
       }
     },
     "node_modules/@esbuild/android-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz",
-      "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.7.tgz",
+      "integrity": "sha512-x5VpMODneVDb70PYV2VQOmIUUiBtY3D3mPBG8NxVk5CogneYhkR7MmM3yR/uMdITLrC1ml/NV1rj4bMJuy9MCg==",
       "cpu": [
         "x64"
       ],
@@ -1042,9 +1042,9 @@
       }
     },
     "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz",
-      "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.7.tgz",
+      "integrity": "sha512-5lckdqeuBPlKUwvoCXIgI2D9/ABmPq3Rdp7IfL70393YgaASt7tbju3Ac+ePVi3KDH6N2RqePfHnXkaDtY9fkw==",
       "cpu": [
         "arm64"
       ],
@@ -1058,9 +1058,9 @@
       }
     },
     "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz",
-      "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.7.tgz",
+      "integrity": "sha512-rYnXrKcXuT7Z+WL5K980jVFdvVKhCHhUwid+dDYQpH+qu+TefcomiMAJpIiC2EM3Rjtq0sO3StMV/+3w3MyyqQ==",
       "cpu": [
         "x64"
       ],
@@ -1074,9 +1074,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz",
-      "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.7.tgz",
+      "integrity": "sha512-B48PqeCsEgOtzME2GbNM2roU29AMTuOIN91dsMO30t+Ydis3z/3Ngoj5hhnsOSSwNzS+6JppqWsuhTp6E82l2w==",
       "cpu": [
         "arm64"
       ],
@@ -1090,9 +1090,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz",
-      "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.7.tgz",
+      "integrity": "sha512-jOBDK5XEjA4m5IJK3bpAQF9/Lelu/Z9ZcdhTRLf4cajlB+8VEhFFRjWgfy3M1O4rO2GQ/b2dLwCUGpiF/eATNQ==",
       "cpu": [
         "x64"
       ],
@@ -1106,9 +1106,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz",
-      "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.7.tgz",
+      "integrity": "sha512-RkT/YXYBTSULo3+af8Ib0ykH8u2MBh57o7q/DAs3lTJlyVQkgQvlrPTnjIzzRPQyavxtPtfg0EopvDyIt0j1rA==",
       "cpu": [
         "arm"
       ],
@@ -1122,9 +1122,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz",
-      "integrity": "sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.7.tgz",
+      "integrity": "sha512-RZPHBoxXuNnPQO9rvjh5jdkRmVizktkT7TCDkDmQ0W2SwHInKCAV95GRuvdSvA7w4VMwfCjUiPwDi0ZO6Nfe9A==",
       "cpu": [
         "arm64"
       ],
@@ -1138,9 +1138,9 @@
       }
     },
     "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz",
-      "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.7.tgz",
+      "integrity": "sha512-GA48aKNkyQDbd3KtkplYWT102C5sn/EZTY4XROkxONgruHPU72l+gW+FfF8tf2cFjeHaRbWpOYa/uRBz/Xq1Pg==",
       "cpu": [
         "ia32"
       ],
@@ -1154,9 +1154,9 @@
       }
     },
     "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz",
-      "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.7.tgz",
+      "integrity": "sha512-a4POruNM2oWsD4WKvBSEKGIiWQF8fZOAsycHOt6JBpZ+JN2n2JH9WAv56SOyu9X5IqAjqSIPTaJkqN8F7XOQ5Q==",
       "cpu": [
         "loong64"
       ],
@@ -1170,9 +1170,9 @@
       }
     },
     "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz",
-      "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.7.tgz",
+      "integrity": "sha512-KabT5I6StirGfIz0FMgl1I+R1H73Gp0ofL9A3nG3i/cYFJzKHhouBV5VWK1CSgKvVaG4q1RNpCTR2LuTVB3fIw==",
       "cpu": [
         "mips64el"
       ],
@@ -1186,9 +1186,9 @@
       }
     },
     "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz",
-      "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.7.tgz",
+      "integrity": "sha512-gRsL4x6wsGHGRqhtI+ifpN/vpOFTQtnbsupUF5R5YTAg+y/lKelYR1hXbnBdzDjGbMYjVJLJTd2OFmMewAgwlQ==",
       "cpu": [
         "ppc64"
       ],
@@ -1202,9 +1202,9 @@
       }
     },
     "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz",
-      "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.7.tgz",
+      "integrity": "sha512-hL25LbxO1QOngGzu2U5xeXtxXcW+/GvMN3ejANqXkxZ/opySAZMrc+9LY/WyjAan41unrR3YrmtTsUpwT66InQ==",
       "cpu": [
         "riscv64"
       ],
@@ -1218,9 +1218,9 @@
       }
     },
     "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz",
-      "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.7.tgz",
+      "integrity": "sha512-2k8go8Ycu1Kb46vEelhu1vqEP+UeRVj2zY1pSuPdgvbd5ykAw82Lrro28vXUrRmzEsUV0NzCf54yARIK8r0fdw==",
       "cpu": [
         "s390x"
       ],
@@ -1234,9 +1234,9 @@
       }
     },
     "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz",
-      "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.7.tgz",
+      "integrity": "sha512-hzznmADPt+OmsYzw1EE33ccA+HPdIqiCRq7cQeL1Jlq2gb1+OyWBkMCrYGBJ+sxVzve2ZJEVeePbLM2iEIZSxA==",
       "cpu": [
         "x64"
       ],
@@ -1250,9 +1250,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz",
-      "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.7.tgz",
+      "integrity": "sha512-b6pqtrQdigZBwZxAn1UpazEisvwaIDvdbMbmrly7cDTMFnw/+3lVxxCTGOrkPVnsYIosJJXAsILG9XcQS+Yu6w==",
       "cpu": [
         "arm64"
       ],
@@ -1266,9 +1266,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz",
-      "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.7.tgz",
+      "integrity": "sha512-OfatkLojr6U+WN5EDYuoQhtM+1xco+/6FSzJJnuWiUw5eVcicbyK3dq5EeV/QHT1uy6GoDhGbFpprUiHUYggrw==",
       "cpu": [
         "x64"
       ],
@@ -1282,9 +1282,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz",
-      "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.7.tgz",
+      "integrity": "sha512-AFuojMQTxAz75Fo8idVcqoQWEHIXFRbOc1TrVcFSgCZtQfSdc1RXgB3tjOn/krRHENUB4j00bfGjyl2mJrU37A==",
       "cpu": [
         "arm64"
       ],
@@ -1298,9 +1298,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz",
-      "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.7.tgz",
+      "integrity": "sha512-+A1NJmfM8WNDv5CLVQYJ5PshuRm/4cI6WMZRg1by1GwPIQPCTs1GLEUHwiiQGT5zDdyLiRM/l1G0Pv54gvtKIg==",
       "cpu": [
         "x64"
       ],
@@ -1314,9 +1314,9 @@
       }
     },
     "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz",
-      "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.7.tgz",
+      "integrity": "sha512-+KrvYb/C8zA9CU/g0sR6w2RBw7IGc5J2BPnc3dYc5VJxHCSF1yNMxTV5LQ7GuKteQXZtspjFbiuW5/dOj7H4Yw==",
       "cpu": [
         "arm64"
       ],
@@ -1330,9 +1330,9 @@
       }
     },
     "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz",
-      "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.7.tgz",
+      "integrity": "sha512-ikktIhFBzQNt/QDyOL580ti9+5mL/YZeUPKU2ivGtGjdTYoqz6jObj6nOMfhASpS4GU4Q/Clh1QtxWAvcYKamA==",
       "cpu": [
         "x64"
       ],
@@ -1346,9 +1346,9 @@
       }
     },
     "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz",
-      "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.7.tgz",
+      "integrity": "sha512-7yRhbHvPqSpRUV7Q20VuDwbjW5kIMwTHpptuUzV+AA46kiPze5Z7qgt6CLCK3pWFrHeNfDd1VKgyP4O+ng17CA==",
       "cpu": [
         "arm64"
       ],
@@ -1362,9 +1362,9 @@
       }
     },
     "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz",
-      "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.7.tgz",
+      "integrity": "sha512-SmwKXe6VHIyZYbBLJrhOoCJRB/Z1tckzmgTLfFYOfpMAx63BJEaL9ExI8x7v0oAO3Zh6D/Oi1gVxEYr5oUCFhw==",
       "cpu": [
         "ia32"
       ],
@@ -1378,9 +1378,9 @@
       }
     },
     "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz",
-      "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.7.tgz",
+      "integrity": "sha512-56hiAJPhwQ1R4i+21FVF7V8kSD5zZTdHcVuRFMW0hn753vVfQN8xlx4uOPT4xoGH0Z/oVATuR82AiqSTDIpaHg==",
       "cpu": [
         "x64"
       ],
@@ -4301,9 +4301,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "25.5.0",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz",
-      "integrity": "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==",
+      "version": "25.5.2",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.2.tgz",
+      "integrity": "sha512-tO4ZIRKNC+MDWV4qKVZe3Ql/woTnmHDr5JD8UI5hn2pwBrHEwOEMZK7WlNb5RKB6EoJ02gwmQS9OrjuFnZYdpg==",
       "license": "MIT",
       "dependencies": {
         "undici-types": "~7.18.0"
@@ -5856,9 +5856,9 @@
       "license": "MIT"
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.13",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.13.tgz",
-      "integrity": "sha512-BL2sTuHOdy0YT1lYieUxTw/QMtPBC3pmlJC6xk8BBYVv6vcw3SGdKemQ+Xsx9ik2F/lYDO9tqsFQH1r9PFuHKw==",
+      "version": "2.10.15",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.15.tgz",
+      "integrity": "sha512-1nfKCq9wuAZFTkA2ey/3OXXx7GzFjLdkTiFVNwlJ9WqdI706CZRIhEqjuwanjMIja+84jDLa9rcyZDPDiVkASQ==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -6105,9 +6105,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001784",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001784.tgz",
-      "integrity": "sha512-WU346nBTklUV9YfUl60fqRbU5ZqyXlqvo1SgigE1OAXK5bFL8LL9q1K7aap3N739l4BvNqnkm3YrGHiY9sfUQw==",
+      "version": "1.0.30001785",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001785.tgz",
+      "integrity": "sha512-blhOL/WNR+Km1RI/LCVAvA73xplXA7ZbjzI4YkMK9pa6T/P3F2GxjNpEkyw5repTw9IvkyrjyHpwjnhZ5FOvYQ==",
       "funding": [
         {
           "type": "opencollective",
@@ -7652,9 +7652,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.330",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.330.tgz",
-      "integrity": "sha512-jFNydB5kFtYUobh4IkWUnXeyDbjf/r9gcUEXe1xcrcUxIGfTdzPXA+ld6zBRbwvgIGVzDll/LTIiDztEtckSnA==",
+      "version": "1.5.331",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.331.tgz",
+      "integrity": "sha512-IbxXrsTlD3hRodkLnbxAPP4OuJYdWCeM3IOdT+CpcMoIwIoDfCmRpEtSPfwBXxVkg9xmBeY7Lz2Eo2TDn/HC3Q==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -7894,9 +7894,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.27.4",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
-      "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==",
+      "version": "0.27.7",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.7.tgz",
+      "integrity": "sha512-IxpibTjyVnmrIQo5aqNpCgoACA/dTKLTlhMHihVHhdkxKyPO1uBBthumT0rdHmcsk9uMonIWS0m4FljWzILh3w==",
       "hasInstallScript": true,
       "license": "MIT",
       "bin": {
@@ -7906,32 +7906,32 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.4",
-        "@esbuild/android-arm": "0.27.4",
-        "@esbuild/android-arm64": "0.27.4",
-        "@esbuild/android-x64": "0.27.4",
-        "@esbuild/darwin-arm64": "0.27.4",
-        "@esbuild/darwin-x64": "0.27.4",
-        "@esbuild/freebsd-arm64": "0.27.4",
-        "@esbuild/freebsd-x64": "0.27.4",
-        "@esbuild/linux-arm": "0.27.4",
-        "@esbuild/linux-arm64": "0.27.4",
-        "@esbuild/linux-ia32": "0.27.4",
-        "@esbuild/linux-loong64": "0.27.4",
-        "@esbuild/linux-mips64el": "0.27.4",
-        "@esbuild/linux-ppc64": "0.27.4",
-        "@esbuild/linux-riscv64": "0.27.4",
-        "@esbuild/linux-s390x": "0.27.4",
-        "@esbuild/linux-x64": "0.27.4",
-        "@esbuild/netbsd-arm64": "0.27.4",
-        "@esbuild/netbsd-x64": "0.27.4",
-        "@esbuild/openbsd-arm64": "0.27.4",
-        "@esbuild/openbsd-x64": "0.27.4",
-        "@esbuild/openharmony-arm64": "0.27.4",
-        "@esbuild/sunos-x64": "0.27.4",
-        "@esbuild/win32-arm64": "0.27.4",
-        "@esbuild/win32-ia32": "0.27.4",
-        "@esbuild/win32-x64": "0.27.4"
+        "@esbuild/aix-ppc64": "0.27.7",
+        "@esbuild/android-arm": "0.27.7",
+        "@esbuild/android-arm64": "0.27.7",
+        "@esbuild/android-x64": "0.27.7",
+        "@esbuild/darwin-arm64": "0.27.7",
+        "@esbuild/darwin-x64": "0.27.7",
+        "@esbuild/freebsd-arm64": "0.27.7",
+        "@esbuild/freebsd-x64": "0.27.7",
+        "@esbuild/linux-arm": "0.27.7",
+        "@esbuild/linux-arm64": "0.27.7",
+        "@esbuild/linux-ia32": "0.27.7",
+        "@esbuild/linux-loong64": "0.27.7",
+        "@esbuild/linux-mips64el": "0.27.7",
+        "@esbuild/linux-ppc64": "0.27.7",
+        "@esbuild/linux-riscv64": "0.27.7",
+        "@esbuild/linux-s390x": "0.27.7",
+        "@esbuild/linux-x64": "0.27.7",
+        "@esbuild/netbsd-arm64": "0.27.7",
+        "@esbuild/netbsd-x64": "0.27.7",
+        "@esbuild/openbsd-arm64": "0.27.7",
+        "@esbuild/openbsd-x64": "0.27.7",
+        "@esbuild/openharmony-arm64": "0.27.7",
+        "@esbuild/sunos-x64": "0.27.7",
+        "@esbuild/win32-arm64": "0.27.7",
+        "@esbuild/win32-ia32": "0.27.7",
+        "@esbuild/win32-x64": "0.27.7"
       }
     },
     "node_modules/esbuild-loader": {
@@ -12340,9 +12340,9 @@
       }
     },
     "node_modules/node-releases": {
-      "version": "2.0.36",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.36.tgz",
-      "integrity": "sha512-TdC8FSgHz8Mwtw9g5L4gR/Sh9XhSP/0DEkQxfEFXOpiul5IiHgHan2VhYYb6agDSfp4KuvltmGApc8HMgUrIkA==",
+      "version": "2.0.37",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.37.tgz",
+      "integrity": "sha512-1h5gKZCF+pO/o3Iqt5Jp7wc9rH3eJJ0+nh/CIoiRwjRxde/hAHyLPXYN4V3CqKAbiZPSeJFSWHmJsbkicta0Eg==",
       "license": "MIT"
     },
     "node_modules/node-sarif-builder": {
@@ -13662,9 +13662,9 @@
       }
     },
     "node_modules/regjsparser": {
-      "version": "0.13.0",
-      "resolved": "https://registry.npmjs.org/regjsparser/-/regjsparser-0.13.0.tgz",
-      "integrity": "sha512-NZQZdC5wOE/H3UT28fVGL+ikOZcEzfMGk/c3iN9UGxzWHMa1op7274oyiUVrAG4B2EuFhus8SvkaYnhvW92p9Q==",
+      "version": "0.13.1",
+      "resolved": "https://registry.npmjs.org/regjsparser/-/regjsparser-0.13.1.tgz",
+      "integrity": "sha512-dLsljMd9sqwRkby8zhO1gSg3PnJIBFid8f4CQj/sXx+7cKx+E7u0PKhZ+U4wmhx7EfmtvnA318oVaIkAB1lRJw==",
       "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
@@ -14023,18 +14023,18 @@
       }
     },
     "node_modules/seroval": {
-      "version": "1.5.1",
-      "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.5.1.tgz",
-      "integrity": "sha512-OwrZRZAfhHww0WEnKHDY8OM0U/Qs8OTfIDWhUD4BLpNJUfXK4cGmjiagGze086m+mhI+V2nD0gfbHEnJjb9STA==",
+      "version": "1.5.2",
+      "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.5.2.tgz",
+      "integrity": "sha512-xcRN39BdsnO9Tf+VzsE7b3JyTJASItIV1FVFewJKCFcW4s4haIKS3e6vj8PGB9qBwC7tnuOywQMdv5N4qkzi7Q==",
       "license": "MIT",
       "engines": {
         "node": ">=10"
       }
     },
     "node_modules/seroval-plugins": {
-      "version": "1.5.1",
-      "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.5.1.tgz",
-      "integrity": "sha512-4FbuZ/TMl02sqv0RTFexu0SP6V+ywaIe5bAWCCEik0fk17BhALgwvUDVF7e3Uvf9pxmwCEJsRPmlkUE6HdzLAw==",
+      "version": "1.5.2",
+      "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.5.2.tgz",
+      "integrity": "sha512-qpY0Cl+fKYFn4GOf3cMiq6l72CpuVaawb6ILjubOQ+diJ54LfOWaSSPsaswN8DRPIPW4Yq+tE1k5aKd7ILyaFg==",
       "license": "MIT",
       "engines": {
         "node": ">=10"
diff --git a/web_src/fomantic/package-lock.json b/web_src/fomantic/package-lock.json
index d3cc9367a7..3e8b18f00e 100644
--- a/web_src/fomantic/package-lock.json
+++ b/web_src/fomantic/package-lock.json
@@ -496,9 +496,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "25.5.0",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz",
-      "integrity": "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==",
+      "version": "25.5.2",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.2.tgz",
+      "integrity": "sha512-tO4ZIRKNC+MDWV4qKVZe3Ql/woTnmHDr5JD8UI5hn2pwBrHEwOEMZK7WlNb5RKB6EoJ02gwmQS9OrjuFnZYdpg==",
       "license": "MIT",
       "dependencies": {
         "undici-types": "~7.18.0"
@@ -1032,9 +1032,9 @@
       }
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.13",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.13.tgz",
-      "integrity": "sha512-BL2sTuHOdy0YT1lYieUxTw/QMtPBC3pmlJC6xk8BBYVv6vcw3SGdKemQ+Xsx9ik2F/lYDO9tqsFQH1r9PFuHKw==",
+      "version": "2.10.15",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.15.tgz",
+      "integrity": "sha512-1nfKCq9wuAZFTkA2ey/3OXXx7GzFjLdkTiFVNwlJ9WqdI706CZRIhEqjuwanjMIja+84jDLa9rcyZDPDiVkASQ==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -1264,9 +1264,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001784",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001784.tgz",
-      "integrity": "sha512-WU346nBTklUV9YfUl60fqRbU5ZqyXlqvo1SgigE1OAXK5bFL8LL9q1K7aap3N739l4BvNqnkm3YrGHiY9sfUQw==",
+      "version": "1.0.30001785",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001785.tgz",
+      "integrity": "sha512-blhOL/WNR+Km1RI/LCVAvA73xplXA7ZbjzI4YkMK9pa6T/P3F2GxjNpEkyw5repTw9IvkyrjyHpwjnhZ5FOvYQ==",
       "funding": [
         {
           "type": "opencollective",
@@ -2020,9 +2020,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.330",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.330.tgz",
-      "integrity": "sha512-jFNydB5kFtYUobh4IkWUnXeyDbjf/r9gcUEXe1xcrcUxIGfTdzPXA+ld6zBRbwvgIGVzDll/LTIiDztEtckSnA==",
+      "version": "1.5.331",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.331.tgz",
+      "integrity": "sha512-IbxXrsTlD3hRodkLnbxAPP4OuJYdWCeM3IOdT+CpcMoIwIoDfCmRpEtSPfwBXxVkg9xmBeY7Lz2Eo2TDn/HC3Q==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -5268,9 +5268,9 @@
       }
     },
     "node_modules/lodash": {
-      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
       "license": "MIT"
     },
     "node_modules/lodash._baseassign": {
@@ -5489,10 +5489,10 @@
       "license": "MIT"
     },
     "node_modules/lodash.template": {
-      "version": "4.18.0",
-      "resolved": "https://registry.npmjs.org/lodash.template/-/lodash.template-4.18.0.tgz",
-      "integrity": "sha512-VbCU2mYTHF/JUjasKG50ozrbli//eixCFmKBiAfvmz0cGt7iywc087M7zxflSoEQFS0Xtv0RqpE8ko8BXv3TOQ==",
-      "deprecated": "Bad release. Please use lodash.template@4.5.0 instead.",
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash.template/-/lodash.template-4.18.1.tgz",
+      "integrity": "sha512-5urZrLnV/VD6zHK5KsVtZgt7H19v51mIzoS0aBNH8yp3I8tbswrEjOABOPY8m8uB7NuibubLrMX+Y0PXsU9X+w==",
+      "deprecated": "This package is deprecated. Use https://socket.dev/npm/package/eta instead.",
       "license": "MIT",
       "dependencies": {
         "lodash._reinterpolate": "^3.0.0",
@@ -6013,9 +6013,9 @@
       }
     },
     "node_modules/node-releases": {
-      "version": "2.0.36",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.36.tgz",
-      "integrity": "sha512-TdC8FSgHz8Mwtw9g5L4gR/Sh9XhSP/0DEkQxfEFXOpiul5IiHgHan2VhYYb6agDSfp4KuvltmGApc8HMgUrIkA==",
+      "version": "2.0.37",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.37.tgz",
+      "integrity": "sha512-1h5gKZCF+pO/o3Iqt5Jp7wc9rH3eJJ0+nh/CIoiRwjRxde/hAHyLPXYN4V3CqKAbiZPSeJFSWHmJsbkicta0Eg==",
       "license": "MIT"
     },
     "node_modules/node.extend": {

From 64d19661cece9d428815a542b181f262d878f1bc Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 8 Apr 2026 20:02:23 +0200
Subject: [PATCH 081/287] Update dependency minimatch to v10.2.5 (forgejo)
 (#11937)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11937
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 10 +++++-----
 package.json      |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 81bf558b03..14ff10ddca 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -57,7 +57,7 @@
         "katex": "0.16.44",
         "mermaid": "11.14.0",
         "mini-css-extract-plugin": "2.10.0",
-        "minimatch": "10.2.4",
+        "minimatch": "10.2.5",
         "pdfobject": "2.3.0",
         "postcss": "8.5.6",
         "postcss-loader": "8.2.1",
@@ -12169,12 +12169,12 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "10.2.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
-      "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==",
+      "version": "10.2.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz",
+      "integrity": "sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==",
       "license": "BlueOak-1.0.0",
       "dependencies": {
-        "brace-expansion": "^5.0.2"
+        "brace-expansion": "^5.0.5"
       },
       "engines": {
         "node": "18 || 20 || >=22"
diff --git a/package.json b/package.json
index 65f6ace31d..b4622b469c 100644
--- a/package.json
+++ b/package.json
@@ -56,7 +56,7 @@
     "katex": "0.16.44",
     "mermaid": "11.14.0",
     "mini-css-extract-plugin": "2.10.0",
-    "minimatch": "10.2.4",
+    "minimatch": "10.2.5",
     "pdfobject": "2.3.0",
     "postcss": "8.5.6",
     "postcss-loader": "8.2.1",

From 4b2969ab848bbcd90956c5505c9a810098089cc2 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Wed, 8 Apr 2026 20:03:10 +0200
Subject: [PATCH 082/287] fix: incorrect identification of outdated run
 attempts (#12021)

Since https://codeberg.org/forgejo/forgejo/pulls/11750, the attempt number of a Forgejo Actions job is set eagerly. When an job is ultimately not run, for example, because its `needs` weren't satisfied, it leads to discontinuous attempt numbers of completed attempts that the component for viewing action logs could not handle. This has been rectified by actually determining the number of the last attempt.

Resolves https://codeberg.org/forgejo/forgejo/issues/11994.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12021
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 web_src/js/components/RepoActionView.test.js | 13 ++++++------
 web_src/js/components/RepoActionView.vue     | 22 +++++++++++---------
 2 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/web_src/js/components/RepoActionView.test.js b/web_src/js/components/RepoActionView.test.js
index 12c201916f..fb6af25dd0 100644
--- a/web_src/js/components/RepoActionView.test.js
+++ b/web_src/js/components/RepoActionView.test.js
@@ -183,7 +183,8 @@ function configureForMultipleAttemptTests({viewHistorical}) {
         },
       ],
       allAttempts: [
-        {number: 2, time_since_started_html: 'yesterday', status: 'success', status_diagnostics: ['Success']},
+        {number: 3, time_since_started_html: 'yesterday', status: 'success', status_diagnostics: ['Success']},
+        // Omit one attempt to simulate the case when a job isn't run because a `needs:` failed.
         {number: 1, time_since_started_html: 'two days ago', status: 'failure', status_diagnostics: ['Failure']},
       ],
     },
@@ -218,7 +219,7 @@ function configureForMultipleAttemptTests({viewHistorical}) {
     props: {
       ...defaultTestProps,
       runIndex: '123',
-      attemptNumber: viewHistorical ? '1' : '2',
+      attemptNumber: viewHistorical ? '1' : '3',
       actionsURL: toAbsoluteUrl('/user1/repo2/actions'),
       initialJobData: {...minimalInitialJobData, state: myJobState},
     },
@@ -243,7 +244,7 @@ test('display baseline with most-recent attempt', async () => {
   // Attempt selector dropdown...
   expect(wrapper.findAll('.job-attempt-dropdown').length).toEqual(1);
   expect(wrapper.findAll('.job-attempt-dropdown .svg.octicon-check-circle-fill.text.green').length).toEqual(1);
-  expect(wrapper.get('.job-attempt-dropdown .ui.dropdown').text()).toEqual('Run attempt 2 yesterday');
+  expect(wrapper.get('.job-attempt-dropdown .ui.dropdown').text()).toEqual('Run attempt 3 yesterday');
 
   // Attempt status
   expect(wrapper.get('.job-info-header h3').text()).toEqual('test');
@@ -302,7 +303,7 @@ test('historical attempt dropdown interactions', async () => {
   const attemptsExpanded = () => {
     expect(wrapper.findAll('.job-attempt-dropdown .action-job-menu').length).toEqual(1);
     expect(wrapper.get('.job-attempt-dropdown .action-job-menu').isVisible()).toBe(true);
-    expect(wrapper.findAll('.job-attempt-dropdown .action-job-menu a').filter((a) => a.text() === 'Run attempt 2 yesterday').length).toEqual(1);
+    expect(wrapper.findAll('.job-attempt-dropdown .action-job-menu a').filter((a) => a.text() === 'Run attempt 3 yesterday').length).toEqual(1);
     expect(wrapper.findAll('.job-attempt-dropdown .action-job-menu a').filter((a) => a.text() === 'Run attempt 1 two days ago').length).toEqual(1);
   };
   attemptsExpanded();
@@ -332,8 +333,8 @@ test('historical attempt dropdown interactions', async () => {
   attemptsExpanded();
 
   // Click on the other option in the dropdown to verify it navigates to the target attempt
-  wrapper.findAll('.job-attempt-dropdown .action-job-menu a').find((a) => a.text() === 'Run attempt 2 yesterday').trigger('click');
-  expect(window.location.href).toEqual(toAbsoluteUrl('/user1/repo2/actions/runs/123/jobs/1/attempt/2'));
+  wrapper.findAll('.job-attempt-dropdown .action-job-menu a').find((a) => a.text() === 'Run attempt 3 yesterday').trigger('click');
+  expect(window.location.href).toEqual(toAbsoluteUrl('/user1/repo2/actions/runs/123/jobs/1/attempt/3'));
 });
 
 test('run approval interaction', async () => {
diff --git a/web_src/js/components/RepoActionView.vue b/web_src/js/components/RepoActionView.vue
index e42ae52fe7..5c00eecc6b 100644
--- a/web_src/js/components/RepoActionView.vue
+++ b/web_src/js/components/RepoActionView.vue
@@ -124,10 +124,10 @@ export default {
         ],
         // All available attempts for the job we're currently viewing.
         //
-        // initial value here is configured so that currentingViewingMostRecentAttempt() -> true on the default `data()`, so that the
+        // initial value here is configured so that currentlyViewingMostRecentAttempt() -> true on the default `data()`, so that the
         // initial render (before `loadJob`'s first execution is complete) doesn't display "You are viewing an
         // out-of-date run..."
-        allAttempts: new Array(parseInt(this.attemptNumber)).fill({index: 0, time_since_started_html: '', status: 'success', status_diagnostics: []}),
+        allAttempts: [],
       },
     };
   },
@@ -138,19 +138,19 @@ export default {
     },
 
     displayOtherJobs() {
-      return this.currentingViewingMostRecentAttempt;
+      return this.currentlyViewingMostRecentAttempt;
     },
 
     canApprove() {
-      return this.currentingViewingMostRecentAttempt && this.run.canApprove;
+      return this.currentlyViewingMostRecentAttempt && this.run.canApprove;
     },
 
     canCancel() {
-      return this.currentingViewingMostRecentAttempt && this.run.canCancel;
+      return this.currentlyViewingMostRecentAttempt && this.run.canCancel;
     },
 
     canRerun() {
-      return this.currentingViewingMostRecentAttempt && this.run.canRerun;
+      return this.currentlyViewingMostRecentAttempt && this.run.canRerun;
     },
 
     viewingAttemptNumber() {
@@ -167,11 +167,13 @@ export default {
       return attempt || fallback;
     },
 
-    currentingViewingMostRecentAttempt() {
-      if (!this.currentJob.allAttempts) {
+    currentlyViewingMostRecentAttempt() {
+      if (!this.currentJob.allAttempts || this.currentJob.allAttempts.length === 0) {
         return true;
       }
-      return this.viewingAttemptNumber === this.currentJob.allAttempts.length;
+
+      const mostRecentAttemptNumber = this.currentJob.allAttempts[0].number;
+      return this.viewingAttemptNumber === mostRecentAttemptNumber;
     },
 
     displayGearDropdown() {
@@ -452,7 +454,7 @@ export default {
 </script>
 <template>
   <div class="ui container fluid padded action-view-container" :class="{ 'interval-pending': intervalID }">
-    <div class="action-view-header job-out-of-date-warning" v-if="!currentingViewingMostRecentAttempt">
+    <div class="action-view-header job-out-of-date-warning" v-if="!currentlyViewingMostRecentAttempt">
       <div class="ui warning message">
         <!-- eslint-disable-next-line vue/no-v-html -->
         <span v-html="viewingOutOfDateRunLabel"/>

From ace9bd2a685e53cf9e3274e8b644cd3071958655 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 9 Apr 2026 09:25:26 +0200
Subject: [PATCH 083/287] Update dependency katex to v0.16.45 (forgejo)
 (#12048)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12048
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 14ff10ddca..ce85a04de5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -54,7 +54,7 @@
         "htmx.org": "2.0.8",
         "idiomorph": "0.3.0",
         "jquery": "3.7.1",
-        "katex": "0.16.44",
+        "katex": "0.16.45",
         "mermaid": "11.14.0",
         "mini-css-extract-plugin": "2.10.0",
         "minimatch": "10.2.5",
@@ -10688,9 +10688,9 @@
       "license": "MIT"
     },
     "node_modules/katex": {
-      "version": "0.16.44",
-      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.44.tgz",
-      "integrity": "sha512-EkxoDTk8ufHqHlf9QxGwcxeLkWRR3iOuYfRpfORgYfqc8s13bgb+YtRY59NK5ZpRaCwq1kqA6a5lpX8C/eLphQ==",
+      "version": "0.16.45",
+      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.45.tgz",
+      "integrity": "sha512-pQpZbdBu7wCTmQUh7ufPmLr0pFoObnGUoL/yhtwJDgmmQpbkg/0HSVti25Fu4rmd1oCR6NGWe9vqTWuWv3GcNA==",
       "funding": [
         "https://opencollective.com/katex",
         "https://github.com/sponsors/katex"
diff --git a/package.json b/package.json
index b4622b469c..f5d96c8372 100644
--- a/package.json
+++ b/package.json
@@ -53,7 +53,7 @@
     "htmx.org": "2.0.8",
     "idiomorph": "0.3.0",
     "jquery": "3.7.1",
-    "katex": "0.16.44",
+    "katex": "0.16.45",
     "mermaid": "11.14.0",
     "mini-css-extract-plugin": "2.10.0",
     "minimatch": "10.2.5",

From 7069203e3ed0949ce62a9e7920cad3abda7e8f0b Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 9 Apr 2026 09:26:30 +0200
Subject: [PATCH 084/287] Update module github.com/mattn/go-isatty to v0.0.21
 (forgejo) (#12049)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12049
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 554e03e181..c32c7e3c27 100644
--- a/go.mod
+++ b/go.mod
@@ -74,7 +74,7 @@ require (
 	github.com/klauspost/compress v1.18.5
 	github.com/klauspost/cpuid/v2 v2.2.11
 	github.com/markbates/goth v1.82.0
-	github.com/mattn/go-isatty v0.0.20
+	github.com/mattn/go-isatty v0.0.21
 	github.com/mattn/go-sqlite3 v1.14.40
 	github.com/meilisearch/meilisearch-go v0.36.0
 	github.com/mholt/archives v0.1.5
diff --git a/go.sum b/go.sum
index 7398064c4d..63c74eebf6 100644
--- a/go.sum
+++ b/go.sum
@@ -511,8 +511,8 @@ github.com/markbates/goth v1.82.0 h1:8j/c34AjBSTNzO7zTsOyP5IYCQCMBTRBHAbBt/PI0bQ
 github.com/markbates/goth v1.82.0/go.mod h1:/DRlcq0pyqkKToyZjsL2KgiA1zbF1HIjE7u2uC79rUk=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
+github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mattn/go-runewidth v0.0.17 h1:78v8ZlW0bP43XfmAfPsdXcoNCelfMHsDmd/pkENfrjQ=
 github.com/mattn/go-runewidth v0.0.17/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=

From b2617cf0bb84384aed62e12bafa365ae9e5740e1 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 9 Apr 2026 09:29:43 +0200
Subject: [PATCH 085/287] Update module golang.org/x/sys to v0.43.0 (forgejo)
 (#12052)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12052
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index c32c7e3c27..9486551c71 100644
--- a/go.mod
+++ b/go.mod
@@ -107,7 +107,7 @@ require (
 	golang.org/x/net v0.52.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
-	golang.org/x/sys v0.42.0
+	golang.org/x/sys v0.43.0
 	golang.org/x/text v0.35.0
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
diff --git a/go.sum b/go.sum
index 63c74eebf6..ffb418ecfd 100644
--- a/go.sum
+++ b/go.sum
@@ -847,8 +847,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

From 703256e50eebc66701750bdca8604d9788a0549c Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Thu, 9 Apr 2026 12:21:44 +0200
Subject: [PATCH 086/287] Revert "fix: add challenge for HTTP Basic
 Authentication to container registry" (#12058)

This reverts commit 79ed45d39a05533f55a4694cd62176eaa99dae16.

Testing has shown that it breaks Docker 26 which is the version included in Debian Trixie.

It was originally introduced with https://codeberg.org/forgejo/forgejo/pulls/11678.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12058
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 routers/api/packages/container/container.go                  | 3 +--
 .../api_packages_container_cleanup_sha256_test.go            | 5 +----
 tests/integration/api_packages_container_test.go             | 5 +----
 3 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go
index f79bea2c84..6781f511c8 100644
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
@@ -118,8 +118,7 @@ func apiErrorDefined(ctx *context.Context, err *container_service.NamedError) {
 func APIUnauthorizedError(ctx *context.Context) {
 	// Do not include more than one challenge in the same header field. That breaks clients even though the HTTP RFC
 	// allows it.
-	ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
-	ctx.Resp.Header().Add("WWW-Authenticate", `Basic realm="Forgejo Container Registry"`)
+	ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm="`+setting.AppURL+`v2/token",service="container_registry",scope="*"`)
 	apiErrorDefined(ctx, container_service.ErrUnauthorized)
 }
 
diff --git a/tests/integration/api_packages_container_cleanup_sha256_test.go b/tests/integration/api_packages_container_cleanup_sha256_test.go
index 50106e6834..19b73f7698 100644
--- a/tests/integration/api_packages_container_cleanup_sha256_test.go
+++ b/tests/integration/api_packages_container_cleanup_sha256_test.go
@@ -63,10 +63,7 @@ func TestPackageContainerCleanupSHA256(t *testing.T) {
 			Token string `json:"token"`
 		}
 
-		authenticate := []string{
-			`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`,
-			`Basic realm="Forgejo Container Registry"`,
-		}
+		authenticate := []string{`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`}
 
 		t.Run("User", func(t *testing.T) {
 			req := NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL))
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index 13ce7dc136..70e3f40d6c 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@@ -91,10 +91,7 @@ func TestPackageContainer(t *testing.T) {
 			Token string `json:"token"`
 		}
 
-		authenticate := []string{
-			`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`,
-			`Basic realm="Forgejo Container Registry"`,
-		}
+		authenticate := []string{`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`}
 
 		t.Run("Anonymous", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()

From 73ad72949a7a1c1bb108bc9b4f3769946a406a6f Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Thu, 9 Apr 2026 16:51:16 +0200
Subject: [PATCH 087/287] fix: display runner version on details page (#12059)

Display the version of Forgejo Runner on the runner's detail page. That is useful for diagnostics.

Originally, the version was displayed on the overview page, but removed in https://codeberg.org/forgejo/forgejo/pulls/11516 due to space constraints. It should have been moved to the details page, but that never happened.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [x] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12059
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 options/locale_next/locale_en-US.json        |  1 +
 templates/shared/actions/runner_details.tmpl | 10 ++++++++++
 tests/e2e/runner-management.test.e2e.ts      | 12 ++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index 3ffcb45bce..09b5d3fd69 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -481,6 +481,7 @@
 	"actions.runners.token": "Token",
 	"actions.runners.ephemeral": "Ephemeral",
 	"actions.runners.labels": "Labels",
+	"actions.runners.version": "Version",
 	"actions.runners.last_online": "Last online time",
 	"actions.runners.list_runners.details_column": "Details",
 	"actions.runners.list_runners.edit_column": "Edit",
diff --git a/templates/shared/actions/runner_details.tmpl b/templates/shared/actions/runner_details.tmpl
index 7e4cad3b35..f50e96482a 100644
--- a/templates/shared/actions/runner_details.tmpl
+++ b/templates/shared/actions/runner_details.tmpl
@@ -78,6 +78,16 @@
 					{{end}}
 				</dd>
 			</div>
+			<div class="item">
+				<dt>{{ctx.Locale.Tr "actions.runners.version"}}</dt>
+				<dd>
+					{{if .Runner.Version}}
+						{{.Runner.Version}}
+					{{else}}
+						&mdash;
+					{{end}}
+				</dd>
+			</div>
 			<div class="item">
 				<dt>{{ctx.Locale.Tr "actions.runners.description"}}</dt>
 				<dd>
diff --git a/tests/e2e/runner-management.test.e2e.ts b/tests/e2e/runner-management.test.e2e.ts
index cecde7a850..41808f72d1 100644
--- a/tests/e2e/runner-management.test.e2e.ts
+++ b/tests/e2e/runner-management.test.e2e.ts
@@ -80,6 +80,8 @@ test.describe('Runners of user2', () => {
       - definition: Offline
       - term: Ephemeral
       - definition: "no"
+      - term: Version
+      - definition: 12.2.0
       - term: Description
       - definition: A runner for everyone
     `);
@@ -200,6 +202,8 @@ test.describe('Runners of user2', () => {
       - definition: Offline
       - term: Ephemeral
       - definition: "no"
+      - term: Version
+      - definition: —
       - term: Description
       - definition: Description of runner-46636
     `);
@@ -370,6 +374,8 @@ test.describe('Global runners', () => {
       - definition: Offline
       - term: Ephemeral
       - definition: "no"
+      - term: Version
+      - definition: 12.2.0
       - term: Description
       - definition: A runner for everyone
     `);
@@ -491,6 +497,8 @@ test.describe('Global runners', () => {
       - definition: Offline
       - term: Ephemeral
       - definition: "no"
+      - term: Version
+      - definition: —
       - term: Description
       - definition: Description of runner-956858
     `);
@@ -594,6 +602,8 @@ test.describe('Organization runners', () => {
       - definition: Offline
       - term: Ephemeral
       - definition: "no"
+      - term: Version
+      - definition: 12.2.0
       - term: Description
       - definition: A runner for everyone
     `);
@@ -722,6 +732,8 @@ test.describe('Repository runners', () => {
       - definition: Offline
       - term: Ephemeral
       - definition: "no"
+      - term: Version
+      - definition: 12.2.0
       - term: Description
       - definition: A runner for everyone
     `);

From 65044ca76526a39a83cea27f8237c92c3daa4d34 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 9 Apr 2026 18:01:45 +0200
Subject: [PATCH 088/287] Update module github.com/mattn/go-sqlite3 to v1.14.42
 (forgejo) (#12051)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) | `v1.14.40` → `v1.14.42` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fmattn%2fgo-sqlite3/v1.14.42?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fmattn%2fgo-sqlite3/v1.14.40/v1.14.42?slim=true) |

---

### Release Notes

<details>
<summary>mattn/go-sqlite3 (github.com/mattn/go-sqlite3)</summary>

### [`v1.14.42`](https://github.com/mattn/go-sqlite3/compare/v1.14.41...v1.14.42)

[Compare Source](https://github.com/mattn/go-sqlite3/compare/v1.14.41...v1.14.42)

### [`v1.14.41`](https://github.com/mattn/go-sqlite3/compare/v1.14.40...v1.14.41)

[Compare Source](https://github.com/mattn/go-sqlite3/compare/v1.14.40...v1.14.41)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDQuNCIsInVwZGF0ZWRJblZlciI6IjQzLjEwNC40IiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12051
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 9486551c71..f931c40a5c 100644
--- a/go.mod
+++ b/go.mod
@@ -75,7 +75,7 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.11
 	github.com/markbates/goth v1.82.0
 	github.com/mattn/go-isatty v0.0.21
-	github.com/mattn/go-sqlite3 v1.14.40
+	github.com/mattn/go-sqlite3 v1.14.42
 	github.com/meilisearch/meilisearch-go v0.36.0
 	github.com/mholt/archives v0.1.5
 	github.com/microcosm-cc/bluemonday v1.0.27
diff --git a/go.sum b/go.sum
index ffb418ecfd..c294d1c993 100644
--- a/go.sum
+++ b/go.sum
@@ -517,8 +517,8 @@ github.com/mattn/go-runewidth v0.0.17 h1:78v8ZlW0bP43XfmAfPsdXcoNCelfMHsDmd/pkEN
 github.com/mattn/go-runewidth v0.0.17/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
-github.com/mattn/go-sqlite3 v1.14.40 h1:f7+saIsbq4EF86mUqe0uiecQOJYMOdfi5uATADmUG94=
-github.com/mattn/go-sqlite3 v1.14.40/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
+github.com/mattn/go-sqlite3 v1.14.42 h1:MigqEP4ZmHw3aIdIT7T+9TLa90Z6smwcthx+Azv4Cgo=
+github.com/mattn/go-sqlite3 v1.14.42/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
 github.com/meilisearch/meilisearch-go v0.36.0 h1:N1etykTektXt5KPcSbhBO0d5Xx5NaKj4pJWEM7WA5dI=
 github.com/meilisearch/meilisearch-go v0.36.0/go.mod h1:HBfHzKMxcSbTOvqdfuRA/yf6Vk9IivcwKocWRuW7W78=
 github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=

From 4e6a782a8945cf4074da57d990ff8e847d4e6482 Mon Sep 17 00:00:00 2001
From: Florian Pallas <mail@fpallas.com>
Date: Thu, 9 Apr 2026 19:38:33 +0200
Subject: [PATCH 089/287] feat: add admin views for federation configuration,
 hosts and users (#11115)

Fixes #9282

Adds a new admin panel category for federation related administration.

Includes views for:
- Instance Federation Configuration
- List of Federation Hosts
- (Per-Instance) List of Federated Users

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11115
Reviewed-by: elle <0xllx0@noreply.codeberg.org>
Reviewed-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Florian Pallas <mail@fpallas.com>
Co-committed-by: Florian Pallas <mail@fpallas.com>
---
 models/forgefed/federationhost_repository.go  |  25 ++
 models/user/user_repository.go                |  51 ++++
 modules/setting/ui.go                         |  30 ++-
 options/locale_next/locale_en-US.json         |  31 +++
 routers/web/admin/config.go                   |   2 +
 routers/web/admin/federation_host.go          |  65 ++++++
 routers/web/admin/federation_hosts.go         |  58 +++++
 routers/web/admin/federation_users.go         |  56 +++++
 routers/web/web.go                            |   8 +
 services/context/context.go                   |   1 +
 templates/admin/config.tmpl                   |  27 +++
 templates/admin/federation/host.tmpl          |  39 ++++
 templates/admin/federation/hosts.tmpl         |  56 +++++
 templates/admin/federation/user_list.tmpl     |  28 +++
 templates/admin/federation/users.tmpl         |  11 +
 templates/admin/navbar.tmpl                   |  13 ++
 tests/integration/admin_federation_test.go    | 128 ++++++++++
 .../federated_user.yml                        |  17 ++
 .../federation_host.yml                       |  13 ++
 .../user.yml                                  | 107 +++++++++
 tests/integration/repo_forgefed_test.go       | 219 ++++++++++++++++++
 21 files changed, 973 insertions(+), 12 deletions(-)
 create mode 100644 routers/web/admin/federation_host.go
 create mode 100644 routers/web/admin/federation_hosts.go
 create mode 100644 routers/web/admin/federation_users.go
 create mode 100644 templates/admin/federation/host.tmpl
 create mode 100644 templates/admin/federation/hosts.tmpl
 create mode 100644 templates/admin/federation/user_list.tmpl
 create mode 100644 templates/admin/federation/users.tmpl
 create mode 100644 tests/integration/admin_federation_test.go
 create mode 100644 tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/federated_user.yml
 create mode 100644 tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/federation_host.yml
 create mode 100644 tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/user.yml
 create mode 100644 tests/integration/repo_forgefed_test.go

diff --git a/models/forgefed/federationhost_repository.go b/models/forgefed/federationhost_repository.go
index a44b502ba1..c889c1140b 100644
--- a/models/forgefed/federationhost_repository.go
+++ b/models/forgefed/federationhost_repository.go
@@ -16,6 +16,31 @@ func init() {
 	db.RegisterModel(new(FederationHost))
 }
 
+func CountFederationHosts(ctx context.Context) (int64, error) {
+	return db.GetEngine(ctx).Count(FederationHost{})
+}
+
+func FindFederationHosts(ctx context.Context, opts db.ListOptions) (hosts []*FederationHost, err error) {
+	sess := db.GetEngine(ctx)
+
+	if opts.PageSize > 0 {
+		sess = db.SetSessionPagination(sess, &opts)
+	}
+
+	err = sess.Find(&hosts)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, host := range hosts {
+		if res, err := validation.IsValid(host); !res {
+			return nil, err
+		}
+	}
+
+	return hosts, nil
+}
+
 func GetFederationHost(ctx context.Context, ID int64) (*FederationHost, error) {
 	log.Trace("GetFederationHost: %v", ID)
 	host := new(FederationHost)
diff --git a/models/user/user_repository.go b/models/user/user_repository.go
index 9692bd7304..1ec0906e4b 100644
--- a/models/user/user_repository.go
+++ b/models/user/user_repository.go
@@ -83,6 +83,57 @@ func FindFederatedUser(ctx context.Context, externalID string, federationHostID
 	return user, federatedUser, nil
 }
 
+func CountFederatedUsers(ctx context.Context) (int64, error) {
+	return db.GetEngine(ctx).Count(FederatedUser{})
+}
+
+func FindFederatedUsers(ctx context.Context, opts db.ListOptions) (users []*FederatedUser, err error) {
+	sess := db.GetEngine(ctx)
+
+	if opts.PageSize > 0 {
+		sess = db.SetSessionPagination(sess, &opts)
+	}
+
+	err = sess.Find(&users)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, user := range users {
+		if res, err := validation.IsValid(user); !res {
+			return nil, err
+		}
+	}
+
+	return users, err
+}
+
+func CountFederatedUsersByHostID(ctx context.Context, federationHostID int64) (int64, error) {
+	return db.GetEngine(ctx).Where("federation_host_id = ?", federationHostID).Count(FederatedUser{})
+}
+
+func FindFederatedUsersByHostID(ctx context.Context, federationHostID int64, opts db.ListOptions) ([]*FederatedUser, error) {
+	var users []*FederatedUser
+	sess := db.GetEngine(ctx).Where("federation_host_id = ?", federationHostID)
+
+	if opts.PageSize > 0 {
+		sess = db.SetSessionPagination(sess, &opts)
+	}
+
+	err := sess.Find(&users)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, user := range users {
+		if res, err := validation.IsValid(user); !res {
+			return nil, err
+		}
+	}
+
+	return users, nil
+}
+
 func GetFederatedUser(ctx context.Context, externalID string, federationHostID int64) (*User, *FederatedUser, error) {
 	user, federatedUser, err := FindFederatedUser(ctx, externalID, federationHostID)
 	if err != nil {
diff --git a/modules/setting/ui.go b/modules/setting/ui.go
index 61378e0596..abe902dfc6 100644
--- a/modules/setting/ui.go
+++ b/modules/setting/ui.go
@@ -55,10 +55,12 @@ var UI = struct {
 	} `ini:"ui.csv"`
 
 	Admin struct {
-		UserPagingNum   int
-		RepoPagingNum   int
-		NoticePagingNum int
-		OrgPagingNum    int
+		UserPagingNum           int
+		RepoPagingNum           int
+		NoticePagingNum         int
+		OrgPagingNum            int
+		FederationHostPagingNum int
+		FederationUserPagingNum int
 	} `ini:"ui.admin"`
 	User struct {
 		RepoPagingNum int
@@ -114,15 +116,19 @@ var UI = struct {
 		MaxRows:     2500,
 	},
 	Admin: struct {
-		UserPagingNum   int
-		RepoPagingNum   int
-		NoticePagingNum int
-		OrgPagingNum    int
+		UserPagingNum           int
+		RepoPagingNum           int
+		NoticePagingNum         int
+		OrgPagingNum            int
+		FederationHostPagingNum int
+		FederationUserPagingNum int
 	}{
-		UserPagingNum:   50,
-		RepoPagingNum:   50,
-		NoticePagingNum: 25,
-		OrgPagingNum:    50,
+		UserPagingNum:           50,
+		RepoPagingNum:           50,
+		NoticePagingNum:         25,
+		OrgPagingNum:            50,
+		FederationHostPagingNum: 50,
+		FederationUserPagingNum: 50,
 	},
 	User: struct {
 		RepoPagingNum int
diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index 09b5d3fd69..aab1be7e1b 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -144,6 +144,37 @@
 	"keys.ssh.link": "SSH keys",
 	"keys.gpg.link": "GPG keys",
 	"keys.verify.token.hint": "The token is only valid for 1 minute. <a href=\"%[1]s\">Get a new one if it expired</a>.",
+	"admin.federation.federation": "Federation",
+	"admin.federation.hosts": "Hosts",
+	"admin.federation.hosts.title": "Federation hosts",
+	"admin.federation.hosts.manage_panel": "Manage federation hosts",
+	"admin.federation.hosts.details_panel": "Federation host details",
+	"admin.federation.hosts.show_details": "Show host details",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Schema",
+	"admin.federation.host.port": "Port",
+	"admin.federation.host.software_name": "Software",
+	"admin.federation.host.created": "Created",
+	"admin.federation.host.updated": "Updated",
+	"admin.federation.host.latest_activity": "Latest activity",
+	"admin.federation.users": "Users",
+	"admin.federation.users.title": "Federated users",
+	"admin.federation.users.manage_panel": "Manage federated users",
+	"admin.federation.users.show_local_user": "Show local user details",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "Local user ID",
+	"admin.federation.user.external_id": "External user ID",
+	"admin.federation.user.inbox_path": "Inbox path",
+	"admin.config.federation": "Federation configuration",
+	"admin.config.federation.enabled": "Enabled",
+	"admin.config.federation.share_user_statistics": "Share user statistics with other hosts",
+	"admin.config.federation.max_size": "Max allowed response size",
+	"admin.config.federation.signature_enforced": "Require HTTP signatures",
+	"admin.config.federation.signature_algorithms": "Signature algorithms",
+	"admin.config.federation.digest_algorithm": "Signature digest algorithm",
+	"admin.config.federation.get_headers": "Signed GET headers",
+	"admin.config.federation.post_headers": "Signed POST headers",
 	"admin.config.moderation_config": "Moderation configuration",
 	"admin.moderation.moderation_reports": "Moderation reports",
 	"admin.moderation.reports": "Reports",
diff --git a/routers/web/admin/config.go b/routers/web/admin/config.go
index 2d3ea78052..c0eae0846b 100644
--- a/routers/web/admin/config.go
+++ b/routers/web/admin/config.go
@@ -148,6 +148,8 @@ func Config(ctx *context.Context) {
 	ctx.Data["DbCfg"] = setting.Database
 	ctx.Data["Webhook"] = setting.Webhook
 	ctx.Data["Moderation"] = setting.Moderation
+	ctx.Data["Federation"] = setting.Federation
+	ctx.Data["FederationMaxSize"] = setting.Federation.MaxSize / 1024 / 1024 // in MiB
 
 	ctx.Data["MailerEnabled"] = false
 	if setting.MailService != nil {
diff --git a/routers/web/admin/federation_host.go b/routers/web/admin/federation_host.go
new file mode 100644
index 0000000000..278509f217
--- /dev/null
+++ b/routers/web/admin/federation_host.go
@@ -0,0 +1,65 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package admin
+
+import (
+	"net/http"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/forgefed"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/base"
+	"forgejo.org/modules/setting"
+	"forgejo.org/services/context"
+)
+
+const (
+	tplFederationHost base.TplName = "admin/federation/host"
+)
+
+func FederationHost(ctx *context.Context) {
+	federationHostID := ctx.ParamsInt64("id")
+	page := ctx.FormInt("page")
+	if page < 1 {
+		page = 1
+	}
+
+	host, err := forgefed.GetFederationHost(ctx, federationHostID)
+	if err != nil {
+		ctx.ServerError("GetFederationHost", err)
+		return
+	}
+
+	users, err := user_model.FindFederatedUsersByHostID(ctx, federationHostID, db.ListOptions{
+		PageSize: setting.UI.Admin.FederationUserPagingNum,
+		Page:     int(page),
+	})
+	if err != nil {
+		ctx.ServerError("FindFederatedUsersByHostID", err)
+		return
+	}
+
+	total, err := user_model.CountFederatedUsersByHostID(ctx, federationHostID)
+	if err != nil {
+		ctx.ServerError("CountFederatedUsersByHostID", err)
+		return
+	}
+
+	ctx.Data["Host"] = host
+	ctx.Data["Users"] = users
+	ctx.Data["UsersTotal"] = int(total)
+	ctx.Data["Title"] = ctx.Tr("admin.federation.hosts.details_panel")
+	ctx.Data["PageIsAdminFederationHosts"] = true
+
+	numPages := 0
+	if total > 0 {
+		numPages = (int(total) - 1/setting.UI.Admin.FederationUserPagingNum)
+	}
+
+	pager := context.NewPagination(int(total), setting.UI.Admin.FederationUserPagingNum, page, numPages)
+	pager.SetDefaultParams(ctx)
+	ctx.Data["Page"] = pager
+
+	ctx.HTML(http.StatusOK, tplFederationHost)
+}
diff --git a/routers/web/admin/federation_hosts.go b/routers/web/admin/federation_hosts.go
new file mode 100644
index 0000000000..e710f0aba5
--- /dev/null
+++ b/routers/web/admin/federation_hosts.go
@@ -0,0 +1,58 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package admin
+
+import (
+	"net/http"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/forgefed"
+	"forgejo.org/modules/base"
+	"forgejo.org/modules/setting"
+	"forgejo.org/services/context"
+)
+
+const (
+	tplFederationHosts base.TplName = "admin/federation/hosts"
+)
+
+func FederationHosts(ctx *context.Context) {
+	sort := ctx.FormTrim("sort")
+	page := ctx.FormInt("page")
+	if page < 1 {
+		page = 1
+	}
+
+	hosts, err := forgefed.FindFederationHosts(ctx, db.ListOptions{
+		Page:     page,
+		PageSize: setting.UI.Admin.FederationHostPagingNum,
+	})
+	if err != nil {
+		ctx.ServerError("GetFederationHosts", err)
+		return
+	}
+
+	total, err := forgefed.CountFederationHosts(ctx)
+	if err != nil {
+		ctx.ServerError("CountFederationHosts", err)
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("admin.federation.hosts.title")
+	ctx.Data["PageIsAdminFederationHosts"] = true
+	ctx.Data["SortType"] = sort
+	ctx.Data["TotalCount"] = int(total)
+	ctx.Data["Hosts"] = hosts
+
+	numPages := 0
+	if total > 0 {
+		numPages = (int(total) - 1/setting.UI.Admin.FederationHostPagingNum)
+	}
+
+	pager := context.NewPagination(int(total), setting.UI.Admin.FederationHostPagingNum, page, numPages)
+	pager.SetDefaultParams(ctx)
+	ctx.Data["Page"] = pager
+
+	ctx.HTML(http.StatusOK, tplFederationHosts)
+}
diff --git a/routers/web/admin/federation_users.go b/routers/web/admin/federation_users.go
new file mode 100644
index 0000000000..098479dcc1
--- /dev/null
+++ b/routers/web/admin/federation_users.go
@@ -0,0 +1,56 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package admin
+
+import (
+	"net/http"
+
+	"forgejo.org/models/db"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/base"
+	"forgejo.org/modules/setting"
+	"forgejo.org/services/context"
+)
+
+const (
+	tplFederationUsers base.TplName = "admin/federation/users"
+)
+
+func FederationUsers(ctx *context.Context) {
+	page := ctx.FormInt("page")
+	if page < 1 {
+		page = 1
+	}
+
+	users, err := user_model.FindFederatedUsers(ctx, db.ListOptions{
+		Page:     page,
+		PageSize: setting.UI.Admin.FederationUserPagingNum,
+	})
+	if err != nil {
+		ctx.ServerError("FindFederatedUsers", err)
+		return
+	}
+
+	total, err := user_model.CountFederatedUsers(ctx)
+	if err != nil {
+		ctx.ServerError("CountFederatedUsers", err)
+		return
+	}
+
+	ctx.Data["Users"] = users
+	ctx.Data["TotalCount"] = int(total)
+	ctx.Data["Title"] = ctx.Tr("admin.federation.users.title")
+	ctx.Data["PageIsAdminFederationUsers"] = true
+
+	numPages := 0
+	if total > 0 {
+		numPages = (int(total) - 1/setting.UI.Admin.FederationUserPagingNum)
+	}
+
+	pager := context.NewPagination(int(total), setting.UI.Admin.FederationUserPagingNum, page, numPages)
+	pager.SetDefaultParams(ctx)
+	ctx.Data["Page"] = pager
+
+	ctx.HTML(http.StatusOK, tplFederationUsers)
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index 7463bf3ea2..766c39fa57 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -837,6 +837,14 @@ func registerRoutes(m *web.Route) {
 			})
 			m.Post("/abuse_reports/act", admin.PerformAction)
 		}
+
+		if setting.Federation.Enabled {
+			m.Group("/federation", func() {
+				m.Get("/hosts", admin.FederationHosts)
+				m.Get("/users", admin.FederationUsers)
+				m.Get("/hosts/{id}", admin.FederationHost)
+			})
+		}
 	}, adminReq, ctxDataSet("EnableOAuth2", setting.OAuth2.Enabled, "EnablePackages", setting.Packages.Enabled, "EnableModeration", setting.Moderation.Enabled))
 	// ***** END: Admin *****
 
diff --git a/services/context/context.go b/services/context/context.go
index f0502b32fe..8ced686aac 100644
--- a/services/context/context.go
+++ b/services/context/context.go
@@ -184,6 +184,7 @@ func Contexter() func(next http.Handler) http.Handler {
 			ctx.Data["DisableStars"] = setting.Repository.DisableStars
 			ctx.Data["DisableForks"] = setting.Repository.DisableForks
 			ctx.Data["EnableActions"] = setting.Actions.Enabled
+			ctx.Data["EnableFederation"] = setting.Federation.Enabled
 
 			ctx.Data["UnitWikiGlobalDisabled"] = unit.TypeWiki.UnitGlobalDisabled()
 			ctx.Data["UnitIssuesGlobalDisabled"] = unit.TypeIssues.UnitGlobalDisabled()
diff --git a/templates/admin/config.tmpl b/templates/admin/config.tmpl
index 0962c6bfc7..c4688922dd 100644
--- a/templates/admin/config.tmpl
+++ b/templates/admin/config.tmpl
@@ -344,6 +344,33 @@
 			</dl>
 		</div>
 
+		<h4 class="ui top attached header">
+			{{ctx.Locale.Tr "admin.config.federation"}}
+		</h4>
+		<div class="ui attached table segment">
+			<dl class="admin-dl-horizontal">
+				<dt>{{ctx.Locale.Tr "admin.config.federation.enabled"}}</dt>
+				<dd>{{if .Federation.Enabled}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.config.federation.share_user_statistics"}}</dt>
+				<dd>{{if .Federation.ShareUserStatistics}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.config.federation.max_size"}}</dt>
+				<dd>{{.FederationMaxSize}} MiB</dd>
+
+				<div class="divider"></div>
+
+				<dt>{{ctx.Locale.Tr "admin.config.federation.signature_enforced"}}</dt>
+				<dd>{{if .Federation.SignatureEnforced}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.config.federation.signature_algorithms"}}</dt>
+				<dd>{{.Federation.SignatureAlgorithms}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.config.federation.digest_algorithm"}}</dt>
+				<dd>{{.Federation.DigestAlgorithm}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.config.federation.get_headers"}}</dt>
+				<dd>{{.Federation.GetHeaders}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.config.federation.post_headers"}}</dt>
+				<dd>{{.Federation.PostHeaders}}</dd>
+			</dl>
+		</div>
+
 		<h4 class="ui top attached header">
 			{{ctx.Locale.Tr "admin.config.log_config"}}
 		</h4>
diff --git a/templates/admin/federation/host.tmpl b/templates/admin/federation/host.tmpl
new file mode 100644
index 0000000000..92fbd1ee2a
--- /dev/null
+++ b/templates/admin/federation/host.tmpl
@@ -0,0 +1,39 @@
+{{template "admin/layout_head" (dict "ctxData" . "pageClass" "admin config")}}
+	<div class="admin-setting-content">
+		{{if .Host}}
+		<h4 class="ui top attached header">
+			{{ctx.Locale.Tr "admin.federation.hosts.details_panel"}}
+		</h4>
+		<div class="ui attached table segment">
+			<dl class="admin-dl-horizontal">
+				<dt>{{ctx.Locale.Tr "admin.federation.host.id"}}</dt>
+				<dd>{{.Host.ID}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.federation.host.fqdn"}}</dt>
+				<dd>{{.Host.HostFqdn}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.federation.host.port"}}</dt>
+				<dd>{{.Host.HostPort}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.federation.host.schema"}}</dt>
+				<dd>{{.Host.HostSchema}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.federation.host.software_name"}}</dt>
+				<dd>{{.Host.NodeInfo.SoftwareName}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.federation.host.created"}}</dt>
+				<dd>{{DateUtils.AbsoluteShort .Host.Created}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.federation.host.updated"}}</dt>
+				<dd>{{DateUtils.AbsoluteShort .Host.Updated}}</dd>
+				<dt>{{ctx.Locale.Tr "admin.federation.host.latest_activity"}}</dt>
+				<dd>{{DateUtils.FullTime .Host.LatestActivity}}</dd>
+			</dl>
+		</div>
+		{{end}}
+		<h4 class="ui top attached header">
+			{{ctx.Locale.Tr "admin.federation.users.manage_panel"}}
+			<div class="ui right">
+				{{.UsersTotal}}
+			</div>
+		</h4>
+		<div class="ui attached table segment">
+			{{template "admin/federation/user_list" .}}
+		</div>
+		{{template "base/paginate" .}}
+	</div>
+{{template "admin/layout_footer" .}}
diff --git a/templates/admin/federation/hosts.tmpl b/templates/admin/federation/hosts.tmpl
new file mode 100644
index 0000000000..2222873805
--- /dev/null
+++ b/templates/admin/federation/hosts.tmpl
@@ -0,0 +1,56 @@
+{{template "admin/layout_head" (dict "ctxData" . "pageClass" "admin user")}}
+	<div class="admin-setting-content">
+		<h4 class="ui top attached header">
+			{{ctx.Locale.Tr "admin.federation.hosts.manage_panel"}} ({{ctx.Locale.Tr "admin.total" .TotalCount}})
+		</h4>
+		<div class="ui attached table segment">
+			<table class="ui very basic striped table unstackable">
+				<thead>
+					<tr>
+						<th data-sortt-asc="id_asc" data-sortt-desc="id_desc">
+							{{ctx.Locale.Tr "admin.federation.host.id"}}
+							{{SortArrow "id_asc" "id_desc" .SortType true}}
+						</th>
+						<th data-sortt-asc="fqdn_asc" data-sortt-desc="fqdn_desc">
+							{{ctx.Locale.Tr "admin.federation.host.fqdn"}}
+							{{SortArrow "fqdn_asc" "fqdn_desc" .SortType false}}
+						</th>
+						<th>{{ctx.Locale.Tr "admin.federation.host.schema"}}</th>
+						<th>{{ctx.Locale.Tr "admin.federation.host.port"}}</th>
+						<th>{{ctx.Locale.Tr "admin.federation.host.software_name"}}</th>
+						<th data-sortt-asc="created_asc" data-sortt-desc="created_desc">
+							{{ctx.Locale.Tr "admin.federation.host.created"}}
+							{{SortArrow "created_asc" "created_desc" .SortType true}}
+						</th>
+						<th data-sortt-asc="activity_asc" data-sortt-desc="activity_desc">
+							{{ctx.Locale.Tr "admin.federation.host.latest_activity"}}
+							{{SortArrow "activity_asc" "activity_desc" .SortType true}}
+						</th>
+						<th></th>
+					</tr>
+				</thead>
+				<tbody>
+					{{range .Hosts}}
+						<tr>
+							<td>{{.ID}}</td>
+							<td>{{.HostFqdn}}</td>
+							<td>{{.HostSchema}}</td>
+							<td>{{.HostPort}}</td>
+							<td>{{.NodeInfo.SoftwareName}}</td>
+							<td>{{DateUtils.AbsoluteShort .Created}}</td>
+							<td>{{DateUtils.FullTime .LatestActivity}}</td>
+							<td>
+								<div class="tw-flex tw-gap-2">
+									<a href="{{$.Link}}/{{.ID}}" data-tooltip-content="{{ctx.Locale.Tr "admin.federation.hosts.show_details"}}">{{svg "octicon-server"}}</a>
+								</div>
+							</td>
+						</tr>
+					{{else}}
+						<tr><td class="tw-text-center" colspan="10">{{ctx.Locale.Tr "repo.pulls.no_results"}}</td></tr>
+					{{end}}
+				</tbody>
+			</table>
+		</div>
+		{{template "base/paginate" .}}
+	</div>
+{{template "admin/layout_footer" .}}
diff --git a/templates/admin/federation/user_list.tmpl b/templates/admin/federation/user_list.tmpl
new file mode 100644
index 0000000000..18ff34b848
--- /dev/null
+++ b/templates/admin/federation/user_list.tmpl
@@ -0,0 +1,28 @@
+<table class="ui very basic striped table unstackable">
+	<thead>
+		<tr>
+			<th>{{ctx.Locale.Tr "admin.federation.user.id"}}</th>
+			<th>{{ctx.Locale.Tr "admin.federation.user.user_id"}}</th>
+			<th>{{ctx.Locale.Tr "admin.federation.user.external_id"}}</th>
+			<th>{{ctx.Locale.Tr "admin.federation.user.inbox_path"}}</th>
+			<th></th>
+		</tr>
+	</thead>
+	<tbody>
+		{{range .Users}}
+			<tr>
+				<td>{{.ID}}</td>
+				<td>{{.UserID}}</td>
+				<td>{{.ExternalID}}</td>
+				<td>{{.InboxPath}}</td>
+				<td>
+					<div class="tw-flex tw-gap-2">
+						<a href="{{AppUrl}}admin/users/{{.UserID}}" data-tooltip-content="{{ctx.Locale.Tr "admin.federation.users.show_local_user"}}">{{svg "octicon-person"}}</a>
+					</div>
+				</td>
+			</tr>
+		{{else}}
+			<tr><td class="tw-text-center" colspan="10">{{ctx.Locale.Tr "repo.pulls.no_results"}}</td></tr>
+		{{end}}
+	</tbody>
+</table>
diff --git a/templates/admin/federation/users.tmpl b/templates/admin/federation/users.tmpl
new file mode 100644
index 0000000000..8ddcff3dad
--- /dev/null
+++ b/templates/admin/federation/users.tmpl
@@ -0,0 +1,11 @@
+{{template "admin/layout_head" (dict "ctxData" . "pageClass" "admin user")}}
+	<div class="admin-setting-content">
+		<h4 class="ui top attached header">
+			{{ctx.Locale.Tr "admin.federation.users.manage_panel"}} ({{ctx.Locale.Tr "admin.total" .TotalCount}})
+		</h4>
+		<div class="ui attached table segment">
+			{{template "admin/federation/user_list" .}}
+		</div>
+		{{template "base/paginate" .}}
+	</div>
+{{template "admin/layout_footer" .}}
diff --git a/templates/admin/navbar.tmpl b/templates/admin/navbar.tmpl
index 7ca8538bce..fa1500341d 100644
--- a/templates/admin/navbar.tmpl
+++ b/templates/admin/navbar.tmpl
@@ -77,6 +77,19 @@
 			</div>
 		</details>
 		{{end}}
+		{{if .EnableFederation}}
+		<details class="item toggleable-item" {{if or .PageIsAdminFederationHosts .PageIsAdminFederationUsers}}open{{end}}>
+			<summary>{{ctx.Locale.Tr "admin.federation.federation"}}</summary>
+			<div class="menu">
+				<a class="{{if .PageIsAdminFederationHosts}}active {{end}}item" href="{{AppSubUrl}}/admin/federation/hosts">
+					{{ctx.Locale.Tr "admin.federation.hosts"}}
+				</a>
+				<a class="{{if .PageIsAdminFederationUsers}}active {{end}}item" href="{{AppSubUrl}}/admin/federation/users">
+					{{ctx.Locale.Tr "admin.federation.users"}}
+				</a>
+			</div>
+		</details>
+		{{end}}
 		<details class="item toggleable-item" {{if or .PageIsAdminConfig}}open{{end}}>
 			<summary>{{ctx.Locale.Tr "admin.config"}}</summary>
 			<div class="menu">
diff --git a/tests/integration/admin_federation_test.go b/tests/integration/admin_federation_test.go
new file mode 100644
index 0000000000..75b94c3167
--- /dev/null
+++ b/tests/integration/admin_federation_test.go
@@ -0,0 +1,128 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"net/http"
+	"testing"
+
+	"forgejo.org/models/unittest"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/test"
+	"forgejo.org/routers"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAdminFederationViewHostsAndUsers(t *testing.T) {
+	defer unittest.OverrideFixtures("tests/integration/fixtures/TestAdminFederationViewHostsAndUsers")()
+	defer tests.PrepareTestEnv(t)()
+
+	t.Run("Federation enabled", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+		defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+		t.Run("Anonymous user", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", "/admin/federation/hosts")
+			MakeRequest(t, req, http.StatusSeeOther)
+			req = NewRequest(t, "GET", "/admin/federation/hosts/1")
+			MakeRequest(t, req, http.StatusSeeOther)
+			req = NewRequest(t, "GET", "/admin/federation/users")
+			MakeRequest(t, req, http.StatusSeeOther)
+		})
+
+		t.Run("Normal user", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			session := loginUser(t, "user2")
+
+			req := NewRequest(t, "GET", "/admin/federation/hosts")
+			session.MakeRequest(t, req, http.StatusForbidden)
+			req = NewRequest(t, "GET", "/admin/federation/hosts/1")
+			session.MakeRequest(t, req, http.StatusForbidden)
+			req = NewRequest(t, "GET", "/admin/federation/users")
+			session.MakeRequest(t, req, http.StatusForbidden)
+		})
+
+		t.Run("Admin user", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			session := loginUser(t, "user1")
+
+			req := NewRequest(t, "GET", "/admin/federation/hosts")
+			resp := session.MakeRequest(t, req, http.StatusOK)
+			htmlDoc := NewHTMLParser(t, resp.Body)
+			hostRows := htmlDoc.Find(".admin-setting-content table tbody tr")
+			assert.Equal(t, 2, hostRows.Length())
+			assert.Contains(t, hostRows.Text(), "bob.example.com")
+			assert.Contains(t, hostRows.Text(), "alice.example.com")
+
+			req = NewRequest(t, "GET", "/admin/federation/users")
+			resp = session.MakeRequest(t, req, http.StatusOK)
+			htmlDoc = NewHTMLParser(t, resp.Body)
+			userRows := htmlDoc.Find(".admin-setting-content table tbody tr")
+			assert.Equal(t, 3, userRows.Length())
+			assert.Contains(t, userRows.Text(), "/api/v1/activitypub/user-id/1/inbox#bob")
+			assert.Contains(t, userRows.Text(), "/api/v1/activitypub/user-id/1/inbox#alice")
+			assert.Contains(t, userRows.Text(), "/api/v1/activitypub/user-id/2/inbox#eve")
+
+			req = NewRequest(t, "GET", "/admin/federation/hosts/1")
+			resp = session.MakeRequest(t, req, http.StatusOK)
+			htmlDoc = NewHTMLParser(t, resp.Body)
+			userRows = htmlDoc.Find(".admin-setting-content table tbody tr")
+			assert.Equal(t, 1, userRows.Length())
+			assert.Contains(t, userRows.Text(), "/api/v1/activitypub/user-id/1/inbox#bob")
+
+			req = NewRequest(t, "GET", "/admin/federation/hosts/2")
+			resp = session.MakeRequest(t, req, http.StatusOK)
+			htmlDoc = NewHTMLParser(t, resp.Body)
+			userRows = htmlDoc.Find(".admin-setting-content table tbody tr")
+			assert.Equal(t, 2, userRows.Length())
+			assert.Contains(t, userRows.Text(), "/api/v1/activitypub/user-id/1/inbox#alice")
+			assert.Contains(t, userRows.Text(), "/api/v1/activitypub/user-id/2/inbox#eve")
+		})
+	})
+
+	t.Run("Federation disabled", func(t *testing.T) {
+		t.Run("Anonymous user", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", "/admin/federation/hosts")
+			MakeRequest(t, req, http.StatusNotFound)
+			req = NewRequest(t, "GET", "/admin/federation/hosts/1")
+			MakeRequest(t, req, http.StatusNotFound)
+			req = NewRequest(t, "GET", "/admin/federation/users")
+			MakeRequest(t, req, http.StatusNotFound)
+		})
+
+		t.Run("Normal user", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			session := loginUser(t, "user2")
+
+			req := NewRequest(t, "GET", "/admin/federation/hosts")
+			session.MakeRequest(t, req, http.StatusNotFound)
+			req = NewRequest(t, "GET", "/admin/federation/hosts/1")
+			session.MakeRequest(t, req, http.StatusNotFound)
+			req = NewRequest(t, "GET", "/admin/federation/users")
+			session.MakeRequest(t, req, http.StatusNotFound)
+		})
+
+		t.Run("Admin user", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			session := loginUser(t, "user1")
+
+			req := NewRequest(t, "GET", "/admin/federation/hosts")
+			session.MakeRequest(t, req, http.StatusNotFound)
+			req = NewRequest(t, "GET", "/admin/federation/hosts/1")
+			session.MakeRequest(t, req, http.StatusNotFound)
+			req = NewRequest(t, "GET", "/admin/federation/users")
+			session.MakeRequest(t, req, http.StatusNotFound)
+		})
+	})
+}
diff --git a/tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/federated_user.yml b/tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/federated_user.yml
new file mode 100644
index 0000000000..be6299fd2c
--- /dev/null
+++ b/tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/federated_user.yml
@@ -0,0 +1,17 @@
+- id: 1
+  user_id: 1001
+  external_id: "1"
+  federation_host_id: 1
+  inbox_path: /api/v1/activitypub/user-id/1/inbox#bob
+
+- id: 2
+  user_id: 1002
+  external_id: "1"
+  federation_host_id: 2
+  inbox_path: /api/v1/activitypub/user-id/1/inbox#alice
+
+- id: 3
+  user_id: 1003
+  external_id: "2"
+  federation_host_id: 2
+  inbox_path: /api/v1/activitypub/user-id/2/inbox#eve
diff --git a/tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/federation_host.yml b/tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/federation_host.yml
new file mode 100644
index 0000000000..4fb334ee70
--- /dev/null
+++ b/tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/federation_host.yml
@@ -0,0 +1,13 @@
+- id: 1
+  host_fqdn: bob.example.com
+  host_port: 80
+  host_schema: http
+  software_name: forgejo
+  latest_activity: 2023-01-01T00:00:00Z
+
+- id: 2
+  host_fqdn: alice.example.com
+  host_port: 443
+  host_schema: https
+  software_name: gitea
+  latest_activity: 2023-01-01T00:00:00Z
diff --git a/tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/user.yml b/tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/user.yml
new file mode 100644
index 0000000000..45460029e9
--- /dev/null
+++ b/tests/integration/fixtures/TestAdminFederationViewHostsAndUsers/user.yml
@@ -0,0 +1,107 @@
+- id: 1001
+  lower_name: "@bob@bob.example.com"
+  name: "@bob@bob.example.com"
+  full_name: "@bob@bob.example.com"
+  email: bob@bob.example.com
+  keep_email_private: false
+  email_notifications_preference: enabled
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
+  must_change_password: false
+  login_source: 0
+  login_name: bob
+  type: 0
+  salt: ZogKvWdyEx
+  max_repo_creation: -1
+  is_active: true
+  is_admin: false
+  is_restricted: false
+  allow_git_hook: false
+  allow_import_local: false
+  allow_create_organization: true
+  prohibit_login: false
+  avatar: avatar1001
+  avatar_email: bob@bob.example.com
+  use_custom_avatar: false
+  num_followers: 0
+  num_following: 0
+  num_stars: 0
+  num_repos: 0
+  num_teams: 0
+  num_members: 0
+  visibility: 0
+  repo_admin_change_team_access: false
+  theme: ""
+  keep_activity_private: false
+
+- id: 1002
+  lower_name: "@alice@alice.example.com"
+  name: "@alice@alice.example.com"
+  full_name: "@alice@alice.example.com"
+  email: alice@alice.example.com
+  keep_email_private: false
+  email_notifications_preference: enabled
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
+  must_change_password: false
+  login_source: 0
+  login_name: alice
+  type: 0
+  salt: ZogKvWdyEx
+  max_repo_creation: -1
+  is_active: true
+  is_admin: false
+  is_restricted: false
+  allow_git_hook: false
+  allow_import_local: false
+  allow_create_organization: true
+  prohibit_login: false
+  avatar: avatar1002
+  avatar_email: alice@alice.example.com
+  use_custom_avatar: false
+  num_followers: 0
+  num_following: 0
+  num_stars: 0
+  num_repos: 0
+  num_teams: 0
+  num_members: 0
+  visibility: 0
+  repo_admin_change_team_access: false
+  theme: ""
+  keep_activity_private: false
+
+- id: 1003
+  lower_name: "@eve@alice.example.com"
+  name: "@eve@alice.example.com"
+  full_name: "@eve@alice.example.com"
+  email: eve@alice.example.com
+  keep_email_private: false
+  email_notifications_preference: enabled
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
+  must_change_password: false
+  login_source: 0
+  login_name: eve
+  type: 0
+  salt: ZogKvWdyEx
+  max_repo_creation: -1
+  is_active: true
+  is_admin: false
+  is_restricted: false
+  allow_git_hook: false
+  allow_import_local: false
+  allow_create_organization: true
+  prohibit_login: false
+  avatar: avatar1003
+  avatar_email: eve@alice.example.com
+  use_custom_avatar: false
+  num_followers: 0
+  num_following: 0
+  num_stars: 0
+  num_repos: 0
+  num_teams: 0
+  num_members: 0
+  visibility: 0
+  repo_admin_change_team_access: false
+  theme: ""
+  keep_activity_private: false
diff --git a/tests/integration/repo_forgefed_test.go b/tests/integration/repo_forgefed_test.go
new file mode 100644
index 0000000000..dbad115082
--- /dev/null
+++ b/tests/integration/repo_forgefed_test.go
@@ -0,0 +1,219 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"net/url"
+	"testing"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/forgefed"
+	"forgejo.org/models/unittest"
+	"forgejo.org/models/user"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/test"
+	"forgejo.org/routers"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestForgefedRepositoryCreateHostValid(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		// Arrange
+		ctx := t.Context()
+
+		// Act
+		err := forgefed.CreateFederationHost(ctx, &forgefed.FederationHost{
+			HostFqdn:   "forgejo.example.com",
+			HostPort:   80,
+			HostSchema: "http",
+			NodeInfo: forgefed.NodeInfo{
+				SoftwareName: "forgejo",
+			},
+		})
+
+		// Assert
+		require.NoError(t, err)
+		unittest.AssertExistsAndLoadBean(t, &forgefed.FederationHost{HostFqdn: "forgejo.example.com"})
+	})
+}
+
+func TestForgefedRepositoryCreateHostInvalid(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		// Arrange
+		ctx := t.Context()
+
+		// Act
+		err := forgefed.CreateFederationHost(ctx, &forgefed.FederationHost{
+			// invalid
+		})
+
+		// Assert
+		require.Error(t, err)
+		unittest.AssertNotExistsBean(t, &forgefed.FederationHost{HostFqdn: "forgejo.example.com"})
+	})
+}
+
+func TestForgefedRepositoryCreateUserValid(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		// Arrange
+		ctx := t.Context()
+
+		err := forgefed.CreateFederationHost(ctx, &forgefed.FederationHost{
+			HostFqdn:   "forgejo.example.com",
+			HostPort:   80,
+			HostSchema: "http",
+			NodeInfo: forgefed.NodeInfo{
+				SoftwareName: "forgejo",
+			},
+		})
+		require.NoError(t, err)
+
+		// Act
+		err = user.CreateFederatedUser(ctx, &user.User{
+			Name:  "@bob@forgejo.example.com",
+			Email: "bob@forgejo.example.com",
+		}, &user.FederatedUser{
+			ExternalID:       "1",
+			FederationHostID: 1,
+			InboxPath:        "/inbox",
+		})
+
+		// Assert
+		require.NoError(t, err)
+		localUser := unittest.AssertExistsAndLoadBean(t, &user.User{Name: "@bob@forgejo.example.com", Email: "bob@forgejo.example.com"})
+		unittest.AssertExistsAndLoadBean(t, &user.FederatedUser{UserID: localUser.ID, FederationHostID: 1})
+	})
+}
+
+func TestForgefedRepositoryCreateUserInvalid(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		// Arrange
+		ctx := t.Context()
+
+		err := forgefed.CreateFederationHost(ctx, &forgefed.FederationHost{
+			HostFqdn:   "forgejo.example.com",
+			HostPort:   80,
+			HostSchema: "http",
+			NodeInfo: forgefed.NodeInfo{
+				SoftwareName: "forgejo",
+			},
+		})
+		require.NoError(t, err)
+
+		// Act
+		err = user.CreateFederatedUser(ctx, &user.User{
+			Name:  "@bob@forgejo.example.com",
+			Email: "bob@forgejo.example.com",
+		}, &user.FederatedUser{
+			// invalid
+		})
+
+		// Assert
+		require.Error(t, err)
+		unittest.AssertNotExistsBean(t, &user.User{Email: "bob@forgejo.example.com"})
+		unittest.AssertNotExistsBean(t, &user.FederatedUser{FederationHostID: 1})
+	})
+}
+
+func TestForgefedRepositoryFindHostsAndUsers(t *testing.T) {
+	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+	defer test.MockVariableValue(&setting.Federation.SignatureEnforced, false)()
+	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		// Arrange
+		ctx := t.Context()
+
+		err := forgefed.CreateFederationHost(ctx, &forgefed.FederationHost{
+			HostFqdn:   "bob.example.com",
+			HostPort:   80,
+			HostSchema: "http",
+			NodeInfo: forgefed.NodeInfo{
+				SoftwareName: "forgejo",
+			},
+		})
+		require.NoError(t, err)
+
+		err = forgefed.CreateFederationHost(ctx, &forgefed.FederationHost{
+			HostFqdn:   "alice.example.com",
+			HostPort:   443,
+			HostSchema: "https",
+			NodeInfo: forgefed.NodeInfo{
+				SoftwareName: "gitea",
+			},
+		})
+		require.NoError(t, err)
+
+		err = user.CreateFederatedUser(ctx, &user.User{
+			Name:  "@bob@bob.example.com",
+			Email: "bob@bob.example.com",
+		}, &user.FederatedUser{
+			ExternalID:       "1",
+			FederationHostID: 1,
+			InboxPath:        "/inbox",
+		})
+		require.NoError(t, err)
+
+		err = user.CreateFederatedUser(ctx, &user.User{
+			Name:  "@alice@alice.example.com",
+			Email: "alice@alice.example.com",
+		}, &user.FederatedUser{
+			ExternalID:       "1",
+			FederationHostID: 2,
+			InboxPath:        "/inbox",
+		})
+		require.NoError(t, err)
+
+		err = user.CreateFederatedUser(ctx, &user.User{
+			Name:  "@eve@alice.example.com",
+			Email: "eve@alice.example.com",
+		}, &user.FederatedUser{
+			ExternalID:       "2",
+			FederationHostID: 2,
+			InboxPath:        "/inbox",
+		})
+		require.NoError(t, err)
+
+		// Act & Assert
+		hosts, err := forgefed.FindFederationHosts(ctx, db.ListOptions{PageSize: 100, Page: 1})
+		require.NoError(t, err)
+		assert.Len(t, hosts, 2)
+		hostFqdns := []string{hosts[0].HostFqdn, hosts[1].HostFqdn}
+		assert.Contains(t, hostFqdns, "bob.example.com")
+		assert.Contains(t, hostFqdns, "alice.example.com")
+
+		count, err := forgefed.CountFederationHosts(ctx)
+		require.NoError(t, err)
+		assert.Equal(t, int64(2), count)
+
+		users, err := user.FindFederatedUsers(ctx, db.ListOptions{PageSize: 100, Page: 1})
+		require.NoError(t, err)
+		assert.Len(t, users, 3) // Bob, Alice and Eve
+
+		count, err = user.CountFederatedUsers(ctx)
+		require.NoError(t, err)
+		assert.Equal(t, int64(3), count)
+
+		users, err = user.FindFederatedUsersByHostID(ctx, 1, db.ListOptions{PageSize: 100, Page: 1})
+		require.NoError(t, err)
+		assert.Len(t, users, 1) // Only Bob belongs to the host with ID 1
+		assert.Equal(t, int64(1), users[0].FederationHostID)
+
+		count, err = user.CountFederatedUsersByHostID(ctx, 1)
+		require.NoError(t, err)
+		assert.Equal(t, int64(1), count)
+
+		users, err = user.FindFederatedUsersByHostID(ctx, 2, db.ListOptions{PageSize: 100, Page: 1})
+		require.NoError(t, err)
+		assert.Len(t, users, 2) // Alice and Eve belong to the host with ID 2
+		assert.Equal(t, int64(2), users[0].FederationHostID)
+		assert.Equal(t, int64(2), users[1].FederationHostID)
+
+		count, err = user.CountFederatedUsersByHostID(ctx, 2)
+		require.NoError(t, err)
+		assert.Equal(t, int64(2), count)
+	})
+}

From e16dc2ebfdb8b6b09a60c63f651eed2a86c30afe Mon Sep 17 00:00:00 2001
From: abdo <dev@abdo.wtf>
Date: Thu, 9 Apr 2026 20:26:27 +0200
Subject: [PATCH 090/287] fix: apply signed-merge checks by merge style
 (#11403)

Fixes #6438

When a protected branch requires signed commits and no signing key is available, fast-forward-only merges should still be allowed because they do not create a new commit.

This patch applies signing checks by merge behaviour/style instead of one global gate:

- pass `mergeStyle` through `CheckPullMergeable(...)` in web/API/automerge paths
- require signing for commit-creating styles (`merge`, `rebase`, `rebase-merge`, `squash`)
- bypass signing precheck only for `fast-forward-only`
- align merge UI options with backend behaviour so signing-dependent styles are unavailable when signing cannot happen
- add Go unit tests for merge-style signing requirements
- add frontend unit coverage for the no-allowed-merge-styles guard

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11403
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: abdo <dev@abdo.wtf>
Co-committed-by: abdo <dev@abdo.wtf>
---
 routers/api/v1/repo/pull.go                   |  5 +-
 routers/web/repo/pull.go                      |  5 +-
 services/automerge/automerge.go               |  2 +-
 services/pull/check.go                        | 17 +++++--
 services/pull/check_test.go                   | 51 +++++++++++++++++++
 templates/repo/issue/view_content/pull.tmpl   | 33 +++++++-----
 .../components/PullRequestMergeForm.test.js   | 32 ++++++++++++
 .../js/components/PullRequestMergeForm.vue    |  9 ++--
 8 files changed, 129 insertions(+), 25 deletions(-)

diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go
index 3c3eb66d5c..1f82bfce1b 100644
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -922,7 +922,8 @@ func MergePullRequest(ctx *context.APIContext) {
 		}
 	}
 
-	manuallyMerged := repo_model.MergeStyle(form.Do) == repo_model.MergeStyleManuallyMerged
+	mergeStyle := repo_model.MergeStyle(form.Do)
+	manuallyMerged := mergeStyle == repo_model.MergeStyleManuallyMerged
 
 	mergeCheckType := pull_service.MergeCheckTypeGeneral
 	if form.MergeWhenChecksSucceed {
@@ -933,7 +934,7 @@ func MergePullRequest(ctx *context.APIContext) {
 	}
 
 	// start with merging by checking
-	if err := pull_service.CheckPullMergeable(ctx, ctx.Doer, &ctx.Repo.Permission, pr, mergeCheckType, form.ForceMerge); err != nil {
+	if err := pull_service.CheckPullMergeable(ctx, ctx.Doer, &ctx.Repo.Permission, pr, mergeCheckType, form.ForceMerge, mergeStyle); err != nil {
 		if errors.Is(err, pull_service.ErrIsClosed) {
 			ctx.NotFound()
 		} else if errors.Is(err, pull_service.ErrUserNotAllowedToMerge) {
diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
index e9cdfc5ac7..dc36d2de68 100644
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -1317,7 +1317,8 @@ func MergePullRequest(ctx *context.Context) {
 	pr.Issue = issue
 	pr.Issue.Repo = ctx.Repo.Repository
 
-	manuallyMerged := repo_model.MergeStyle(form.Do) == repo_model.MergeStyleManuallyMerged
+	mergeStyle := repo_model.MergeStyle(form.Do)
+	manuallyMerged := mergeStyle == repo_model.MergeStyleManuallyMerged
 
 	mergeCheckType := pull_service.MergeCheckTypeGeneral
 	if form.MergeWhenChecksSucceed {
@@ -1328,7 +1329,7 @@ func MergePullRequest(ctx *context.Context) {
 	}
 
 	// start with merging by checking
-	if err := pull_service.CheckPullMergeable(ctx, ctx.Doer, &ctx.Repo.Permission, pr, mergeCheckType, form.ForceMerge); err != nil {
+	if err := pull_service.CheckPullMergeable(ctx, ctx.Doer, &ctx.Repo.Permission, pr, mergeCheckType, form.ForceMerge, mergeStyle); err != nil {
 		switch {
 		case errors.Is(err, pull_service.ErrIsClosed):
 			if issue.IsPull {
diff --git a/services/automerge/automerge.go b/services/automerge/automerge.go
index 099d048927..4c5459adf6 100644
--- a/services/automerge/automerge.go
+++ b/services/automerge/automerge.go
@@ -215,7 +215,7 @@ func handlePullRequestAutoMerge(pullID int64, sha string) {
 		return
 	}
 
-	if err := pull_service.CheckPullMergeable(ctx, doer, &perm, pr, pull_service.MergeCheckTypeGeneral, false); err != nil {
+	if err := pull_service.CheckPullMergeable(ctx, doer, &perm, pr, pull_service.MergeCheckTypeGeneral, false, scheduledPRM.MergeStyle); err != nil {
 		if errors.Is(err, pull_service.ErrUserNotAllowedToMerge) {
 			log.Info("%-v was scheduled to automerge by an unauthorized user", pr)
 			return
diff --git a/services/pull/check.go b/services/pull/check.go
index 64bddf497c..0e74973456 100644
--- a/services/pull/check.go
+++ b/services/pull/check.go
@@ -65,7 +65,7 @@ const (
 )
 
 // CheckPullMergeable check if the pull mergeable based on all conditions (branch protection, merge options, ...)
-func CheckPullMergeable(stdCtx context.Context, doer *user_model.User, perm *access_model.Permission, pr *issues_model.PullRequest, mergeCheckType MergeCheckType, adminSkipProtectionCheck bool) error {
+func CheckPullMergeable(stdCtx context.Context, doer *user_model.User, perm *access_model.Permission, pr *issues_model.PullRequest, mergeCheckType MergeCheckType, adminSkipProtectionCheck bool, mergeStyle repo_model.MergeStyle) error {
 	return db.WithTx(stdCtx, func(ctx context.Context) error {
 		if pr.HasMerged {
 			return ErrHasMerged
@@ -136,7 +136,7 @@ func CheckPullMergeable(stdCtx context.Context, doer *user_model.User, perm *acc
 			}
 		}
 
-		if _, err := isSignedIfRequired(ctx, pr, doer); err != nil {
+		if _, err := isSignedIfRequired(ctx, pr, doer, mergeStyle); err != nil {
 			return err
 		}
 
@@ -151,7 +151,7 @@ func CheckPullMergeable(stdCtx context.Context, doer *user_model.User, perm *acc
 }
 
 // isSignedIfRequired check if merge will be signed if required
-func isSignedIfRequired(ctx context.Context, pr *issues_model.PullRequest, doer *user_model.User) (bool, error) {
+func isSignedIfRequired(ctx context.Context, pr *issues_model.PullRequest, doer *user_model.User, mergeStyle repo_model.MergeStyle) (bool, error) {
 	pb, err := git_model.GetFirstMatchProtectedBranchRule(ctx, pr.BaseRepoID, pr.BaseBranch)
 	if err != nil {
 		return false, err
@@ -161,11 +161,22 @@ func isSignedIfRequired(ctx context.Context, pr *issues_model.PullRequest, doer
 		return true, nil
 	}
 
+	if !isMergeSigningRequired(mergeStyle) {
+		return true, nil
+	}
+
 	sign, _, _, err := asymkey_service.SignMerge(ctx, pr, doer, pr.BaseRepo.RepoPath(), pr.BaseBranch, pr.GetGitRefName())
 
 	return sign, err
 }
 
+func isMergeSigningRequired(mergeStyle repo_model.MergeStyle) bool {
+	// Only fast-forward-only is guaranteed not to create a new commit. Rebase
+	// rewrites commits when the pull request is behind, and it can also amend
+	// the tip commit when a REBASE_TEMPLATE is configured.
+	return mergeStyle != repo_model.MergeStyleFastForwardOnly
+}
+
 // checkAndUpdateStatus checks if pull request is possible to leaving checking status,
 // and set to be either conflict or mergeable.
 func checkAndUpdateStatus(ctx context.Context, pr *issues_model.PullRequest) bool {
diff --git a/services/pull/check_test.go b/services/pull/check_test.go
index 9b7e1660bc..3115bb7a21 100644
--- a/services/pull/check_test.go
+++ b/services/pull/check_test.go
@@ -11,6 +11,7 @@ import (
 
 	"forgejo.org/models/db"
 	issues_model "forgejo.org/models/issues"
+	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unittest"
 	"forgejo.org/modules/queue"
 	"forgejo.org/modules/setting"
@@ -67,3 +68,53 @@ func TestPullRequest_AddToTaskQueue(t *testing.T) {
 	prPatchCheckerQueue.ShutdownWait(5 * time.Second)
 	prPatchCheckerQueue = nil
 }
+
+func TestIsMergeSigningRequired(t *testing.T) {
+	testCases := []struct {
+		name       string
+		mergeStyle repo_model.MergeStyle
+		expected   bool
+	}{
+		{
+			name:       "fast-forward never requires signing",
+			mergeStyle: repo_model.MergeStyleFastForwardOnly,
+			expected:   false,
+		},
+		{
+			name:       "rebase requires signing even when up to date",
+			mergeStyle: repo_model.MergeStyleRebase,
+			expected:   true,
+		},
+		{
+			name:       "rebase-merge requires signing",
+			mergeStyle: repo_model.MergeStyleRebaseMerge,
+			expected:   true,
+		},
+		{
+			name:       "squash commits require signing",
+			mergeStyle: repo_model.MergeStyleSquash,
+			expected:   true,
+		},
+		{
+			name:       "merge commits require signing",
+			mergeStyle: repo_model.MergeStyleMerge,
+			expected:   true,
+		},
+		{
+			name:       "rebase-update style still requires signing",
+			mergeStyle: repo_model.MergeStyleRebaseUpdate,
+			expected:   true,
+		},
+		{
+			name:       "empty merge style requires signing",
+			mergeStyle: "",
+			expected:   true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			assert.Equal(t, testCase.expected, isMergeSigningRequired(testCase.mergeStyle))
+		})
+	}
+}
diff --git a/templates/repo/issue/view_content/pull.tmpl b/templates/repo/issue/view_content/pull.tmpl
index b5cce664a3..ca9b943fa2 100644
--- a/templates/repo/issue/view_content/pull.tmpl
+++ b/templates/repo/issue/view_content/pull.tmpl
@@ -1,3 +1,9 @@
+{{$prUnit := .Repository.MustGetUnit $.Context $.UnitTypePullRequests}}
+{{$prConfig := $prUnit.PullRequestsConfig}}
+{{$fastForwardStyleAllowed := and $prConfig.AllowFastForwardOnly (eq .Issue.PullRequest.CommitsBehind 0)}}
+{{$manualMergeStyleAllowed := $prConfig.AllowManualMerge}}
+{{$hasUnsignedMergeStyle := or $fastForwardStyleAllowed $manualMergeStyleAllowed}}
+{{$signingBlocksAllMergeStyles := and .AllowMerge .RequireSigned (not .WillSign) (not $hasUnsignedMergeStyle)}}
 {{if and .Issue.PullRequest.HasMerged (not .IsPullBranchDeletable)}}
 {{/* Then the merge box will not be displayed because this page already contains enough information */}}
 {{else}}
@@ -14,7 +20,7 @@
 	{{- else if .IsBlockedByChangedProtectedFiles}}red
 	{{- else if and .EnableStatusCheck (or .RequiredStatusCheckState.IsFailure .RequiredStatusCheckState.IsError)}}red
 	{{- else if and .EnableStatusCheck (or (not $.LatestCommitStatus) .RequiredStatusCheckState.IsPending .RequiredStatusCheckState.IsWarning)}}yellow
-	{{- else if and .AllowMerge .RequireSigned (not .WillSign)}}red
+	{{- else if $signingBlocksAllMergeStyles}}red
 	{{- else if .Issue.PullRequest.IsChecking}}yellow
 	{{- else if .Issue.PullRequest.IsEmpty}}grey
 	{{- else if .Issue.PullRequest.CanAutoMerge}}green
@@ -148,7 +154,7 @@
 						{{svg "octicon-x"}}
 						{{ctx.Locale.Tr "repo.pulls.required_status_check_missing"}}
 					</div>
-				{{else if and .AllowMerge .RequireSigned (not .WillSign)}}
+				{{else if $signingBlocksAllMergeStyles}}
 					<div class="item">
 						{{svg "octicon-x"}}
 						{{ctx.Locale.Tr "repo.pulls.require_signed_wont_sign"}}
@@ -162,7 +168,7 @@
 				{{$notAllOverridableChecksOk := or .IsBlockedByApprovals .IsBlockedByRejection .IsBlockedByOfficialReviewRequests .IsBlockedByOutdatedBranch .IsBlockedByChangedProtectedFiles (and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess))}}
 
 				{{/* admin can merge without checks, writer can merge when checks succeed */}}
-				{{$canMergeNow := and (or (and $.IsRepoAdmin (not .ProtectedBranch.ApplyToAdmins)) (not $notAllOverridableChecksOk)) (or (not .AllowMerge) (not .RequireSigned) .WillSign)}}
+				{{$canMergeNow := and (or (and $.IsRepoAdmin (not .ProtectedBranch.ApplyToAdmins)) (not $notAllOverridableChecksOk)) (or (not .AllowMerge) (not $signingBlocksAllMergeStyles))}}
 				{{/* admin and writer both can make an auto merge schedule */}}
 
 				{{if $canMergeNow}}
@@ -201,8 +207,7 @@
 				{{end}}
 
 				{{if .AllowMerge}} {{/* user is allowed to merge */}}
-					{{$prUnit := .Repository.MustGetUnit $.Context $.UnitTypePullRequests}}
-					{{if or $prUnit.PullRequestsConfig.AllowMerge $prUnit.PullRequestsConfig.AllowRebase $prUnit.PullRequestsConfig.AllowRebaseMerge $prUnit.PullRequestsConfig.AllowSquash $prUnit.PullRequestsConfig.AllowFastForwardOnly $prUnit.PullRequestsConfig.AllowManualMerge}}
+					{{if or $prConfig.AllowMerge $prConfig.AllowRebase $prConfig.AllowRebaseMerge $prConfig.AllowSquash $prConfig.AllowFastForwardOnly $prConfig.AllowManualMerge}}
 						{{$hasPendingPullRequestMergeTip := ""}}
 						{{if .HasPendingPullRequestMerge}}
 							{{$createdPRMergeStr := DateUtils.TimeSince .PendingPullRequestMerge.CreatedUnix}}
@@ -231,7 +236,7 @@
 								'pullHeadCommitID': {{.PullHeadCommitID}},
 								'isPullBranchDeletable': {{.IsPullBranchDeletable}},
 								'defaultMergeStyle': {{.MergeStyle}},
-								'defaultDeleteBranchAfterMerge': {{$prUnit.PullRequestsConfig.DefaultDeleteBranchAfterMerge}},
+								'defaultDeleteBranchAfterMerge': {{$prConfig.DefaultDeleteBranchAfterMerge}},
 								'mergeMessageFieldPlaceHolder': {{ctx.Locale.Tr "repo.editor.commit_message_desc"}},
 								'defaultMergeMessage': defaultMergeMessage,
 
@@ -243,7 +248,7 @@
 							mergeForm['mergeStyles'] = [
 								{
 									'name': 'merge',
-									'allowed': {{$prUnit.PullRequestsConfig.AllowMerge}},
+									'allowed': {{and $prConfig.AllowMerge (or (not .RequireSigned) .WillSign)}},
 									'textDoMerge': {{ctx.Locale.Tr "repo.pulls.merge_pull_request"}},
 									'mergeTitleFieldText': defaultMergeTitle,
 									'mergeMessageFieldText': defaultMergeMessage,
@@ -251,14 +256,14 @@
 								},
 								{
 									'name': 'rebase',
-									'allowed': {{$prUnit.PullRequestsConfig.AllowRebase}},
+									'allowed': {{and $prConfig.AllowRebase (or (not .RequireSigned) .WillSign)}},
 									'textDoMerge': {{ctx.Locale.Tr "repo.pulls.rebase_merge_pull_request"}},
 									'hideMergeMessageTexts': true,
 									'hideAutoMerge': generalHideAutoMerge,
 								},
 								{
 									'name': 'rebase-merge',
-									'allowed': {{$prUnit.PullRequestsConfig.AllowRebaseMerge}},
+									'allowed': {{and $prConfig.AllowRebaseMerge (or (not .RequireSigned) .WillSign)}},
 									'textDoMerge': {{ctx.Locale.Tr "repo.pulls.rebase_merge_commit_pull_request"}},
 									'mergeTitleFieldText': defaultMergeTitle,
 									'mergeMessageFieldText': defaultMergeMessage,
@@ -266,7 +271,7 @@
 								},
 								{
 									'name': 'squash',
-									'allowed': {{$prUnit.PullRequestsConfig.AllowSquash}},
+									'allowed': {{and $prConfig.AllowSquash (or (not .RequireSigned) .WillSign)}},
 									'textDoMerge': {{ctx.Locale.Tr "repo.pulls.squash_merge_pull_request"}},
 									'mergeTitleFieldText': defaultSquashMergeTitle,
 									'mergeMessageFieldText': {{.GetCommitMessages}} + defaultSquashMergeMessage,
@@ -274,14 +279,14 @@
 								},
 								{
 									'name': 'fast-forward-only',
-									'allowed': {{and $prUnit.PullRequestsConfig.AllowFastForwardOnly (eq .Issue.PullRequest.CommitsBehind 0)}},
+									'allowed': {{$fastForwardStyleAllowed}},
 									'textDoMerge': {{ctx.Locale.Tr "repo.pulls.fast_forward_only_merge_pull_request"}},
 									'hideMergeMessageTexts': true,
 									'hideAutoMerge': generalHideAutoMerge,
 								},
 								{
 									'name': 'manually-merged',
-									'allowed': {{$prUnit.PullRequestsConfig.AllowManualMerge}},
+									'allowed': {{$manualMergeStyleAllowed}},
 									'textDoMerge': {{ctx.Locale.Tr "repo.pulls.merge_manually"}},
 									'hideMergeMessageTexts': true,
 									'hideAutoMerge': true,
@@ -293,7 +298,7 @@
 						{{$showGeneralMergeForm = true}}
 						<div id="pull-request-merge-form"></div>
 					{{else}}
-						{{/* no merge style was set in repo setting: not or ($prUnit.PullRequestsConfig.AllowMerge ...) */}}
+						{{/* no merge style was set in repo setting: not or ($prConfig.AllowMerge ...) */}}
 						<div class="divider"></div>
 						<div class="item text red">
 							{{svg "octicon-x"}}
@@ -349,7 +354,7 @@
 						{{svg "octicon-x"}}
 						{{ctx.Locale.Tr "repo.pulls.required_status_check_failed"}}
 					</div>
-				{{else if and .RequireSigned (not .WillSign)}}
+				{{else if $signingBlocksAllMergeStyles}}
 					<div class="item text red">
 						{{svg "octicon-x"}}
 						{{ctx.Locale.Tr "repo.pulls.require_signed_wont_sign"}}
diff --git a/web_src/js/components/PullRequestMergeForm.test.js b/web_src/js/components/PullRequestMergeForm.test.js
index 7b856e0b88..86402eebc6 100644
--- a/web_src/js/components/PullRequestMergeForm.test.js
+++ b/web_src/js/components/PullRequestMergeForm.test.js
@@ -32,3 +32,35 @@ test('renders escaped branch name', async () => {
   mergeform = await renderMergeForm('<script class="evil">alert("evil message");</script>');
   expect(mergeform.get('label[for="delete-branch-after-merge"]').text()).toBe('Delete branch "<script class="evil">alert("evil message");</script>"');
 });
+
+test('hides merge controls when no merge style is allowed', () => {
+  window.config.pageData.pullRequestMergeForm = {
+    textDeleteBranch: 'Delete branch',
+    textAutoMergeButtonWhenSucceed: 'when checks succeed',
+    textAutoMergeWhenSucceed: 'Auto merge when checks succeed',
+    textAutoMergeCancelSchedule: 'Cancel schedule',
+    textCancel: 'Cancel',
+    defaultDeleteBranchAfterMerge: false,
+    defaultMergeMessage: '',
+    defaultMergeStyle: 'merge',
+    emptyCommit: false,
+    hasPendingPullRequestMerge: false,
+    hasPendingPullRequestMergeTip: '',
+    isPullBranchDeletable: false,
+    canMergeNow: true,
+    allOverridableChecksOk: true,
+    pullHeadCommitID: 'abc123',
+    mergeStyles: [{
+      name: 'merge',
+      allowed: false,
+      textDoMerge: 'Merge',
+      mergeTitleFieldText: '',
+      mergeMessageFieldText: '',
+      hideAutoMerge: false,
+    }],
+  };
+
+  const mergeform = mount(PullRequestMergeForm);
+  expect(mergeform.find('.merge-button').exists()).toBe(false);
+  expect(mergeform.find('form.form-fetch-action').exists()).toBe(false);
+});
diff --git a/web_src/js/components/PullRequestMergeForm.vue b/web_src/js/components/PullRequestMergeForm.vue
index df123f5e2f..56265b10dd 100644
--- a/web_src/js/components/PullRequestMergeForm.vue
+++ b/web_src/js/components/PullRequestMergeForm.vue
@@ -38,7 +38,8 @@ export default {
   },
   watch: {
     mergeStyle(val) {
-      this.mergeStyleDetail = this.mergeForm.mergeStyles.find((e) => e.name === val);
+      const mergeStyleDetail = this.mergeForm.mergeStyles.find((e) => e.name === val);
+      if (mergeStyleDetail) this.mergeStyleDetail = mergeStyleDetail;
       for (const elem of document.querySelectorAll('[data-pull-merge-style]')) {
         toggleElem(elem, elem.getAttribute('data-pull-merge-style') === val);
       }
@@ -49,6 +50,7 @@ export default {
 
     let mergeStyle = this.mergeForm.mergeStyles.find((e) => e.allowed && e.name === this.mergeForm.defaultMergeStyle)?.name;
     if (!mergeStyle) mergeStyle = this.mergeForm.mergeStyles.find((e) => e.allowed)?.name;
+    if (!mergeStyle) return;
     this.switchMergeStyle(mergeStyle, !this.mergeForm.canMergeNow);
   },
   mounted() {
@@ -62,6 +64,7 @@ export default {
       this.showMergeStyleMenu = false;
     },
     toggleActionForm(show) {
+      if (show && this.mergeStyleAllowedCount === 0) return;
       this.showActionForm = show;
       if (!show) return;
       this.deleteBranchAfterMerge = this.mergeForm.defaultDeleteBranchAfterMerge;
@@ -134,7 +137,7 @@ export default {
       </div>
     </form>
 
-    <div v-if="!showActionForm" class="tw-flex">
+    <div v-if="!showActionForm && mergeStyleAllowedCount > 0" class="tw-flex">
       <!-- the merge button -->
       <div class="ui buttons merge-button" :class="[mergeForm.emptyCommit ? 'grey' : mergeForm.allOverridableChecksOk ? 'primary' : 'red']" @click="toggleActionForm(true)">
         <button class="ui button">
@@ -146,7 +149,7 @@ export default {
             </template>
           </span>
         </button>
-        <div class="ui dropdown icon button" @click.stop="showMergeStyleMenu = !showMergeStyleMenu" v-if="mergeStyleAllowedCount>1">
+        <div class="ui dropdown icon button" @click.stop="showMergeStyleMenu = !showMergeStyleMenu" v-if="mergeStyleAllowedCount > 1">
           <svg-icon name="octicon-triangle-down" :size="14"/>
           <div class="menu" :class="{'show':showMergeStyleMenu}">
             <template v-for="msd in mergeForm.mergeStyles">

From 6a5dda711628a4ed826846f208839561b9a6b1c3 Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Thu, 9 Apr 2026 21:34:33 +0200
Subject: [PATCH 091/287] chore: modernize code (#12065)

Followup of !11115, it was not checked against the the modernizer linter.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12065
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
---
 routers/web/admin/federation_host.go  | 7 ++-----
 routers/web/admin/federation_hosts.go | 5 +----
 routers/web/admin/federation_users.go | 5 +----
 3 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/routers/web/admin/federation_host.go b/routers/web/admin/federation_host.go
index 278509f217..fa7ac80c30 100644
--- a/routers/web/admin/federation_host.go
+++ b/routers/web/admin/federation_host.go
@@ -20,10 +20,7 @@ const (
 
 func FederationHost(ctx *context.Context) {
 	federationHostID := ctx.ParamsInt64("id")
-	page := ctx.FormInt("page")
-	if page < 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	host, err := forgefed.GetFederationHost(ctx, federationHostID)
 	if err != nil {
@@ -33,7 +30,7 @@ func FederationHost(ctx *context.Context) {
 
 	users, err := user_model.FindFederatedUsersByHostID(ctx, federationHostID, db.ListOptions{
 		PageSize: setting.UI.Admin.FederationUserPagingNum,
-		Page:     int(page),
+		Page:     page,
 	})
 	if err != nil {
 		ctx.ServerError("FindFederatedUsersByHostID", err)
diff --git a/routers/web/admin/federation_hosts.go b/routers/web/admin/federation_hosts.go
index e710f0aba5..a371b2c064 100644
--- a/routers/web/admin/federation_hosts.go
+++ b/routers/web/admin/federation_hosts.go
@@ -19,10 +19,7 @@ const (
 
 func FederationHosts(ctx *context.Context) {
 	sort := ctx.FormTrim("sort")
-	page := ctx.FormInt("page")
-	if page < 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	hosts, err := forgefed.FindFederationHosts(ctx, db.ListOptions{
 		Page:     page,
diff --git a/routers/web/admin/federation_users.go b/routers/web/admin/federation_users.go
index 098479dcc1..f7e89e164f 100644
--- a/routers/web/admin/federation_users.go
+++ b/routers/web/admin/federation_users.go
@@ -18,10 +18,7 @@ const (
 )
 
 func FederationUsers(ctx *context.Context) {
-	page := ctx.FormInt("page")
-	if page < 1 {
-		page = 1
-	}
+	page := max(ctx.FormInt("page"), 1)
 
 	users, err := user_model.FindFederatedUsers(ctx, db.ListOptions{
 		Page:     page,

From 16fbcff8fa356a83276b4956108ae53220dbec51 Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Date: Fri, 10 Apr 2026 14:50:29 +0200
Subject: [PATCH 092/287] chore(release-notes): Forgejo v11.0.12 [skip ci]
 (#12073)

https://codeberg.org/forgejo/forgejo/milestone/67351
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12073
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
---
 release-notes-published/11.0.12.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 release-notes-published/11.0.12.md

diff --git a/release-notes-published/11.0.12.md b/release-notes-published/11.0.12.md
new file mode 100644
index 0000000000..34b91c3460
--- /dev/null
+++ b/release-notes-published/11.0.12.md
@@ -0,0 +1,18 @@
+
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12027): <!--number 12027 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuOSAodjExLjAvZm9yZ2Vqbyk=-->Update dependency go to v1.25.9 (v11.0/forgejo)<!--description-->
+- Bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11642) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11679)): <!--number 11679 --><!--line 0 --><!--description Zml4OiBkb24ndCB0cmlwIGRlbGV0aW5nIGF0dGFjaG1lbnQgd2l0aCBtaXNzaW5nIHBlcm1pc3Npb24gZXJyb3I=-->fix: don't trip deleting attachment with missing permission error<!--description-->
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11884): <!--number 11884 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgaGFwcHktZG9tIHRvIHYyMC44LjkgW1NFQ1VSSVRZXSAodjExLjAvZm9yZ2Vqbyk=-->Update dependency happy-dom to v20.8.9 [SECURITY] (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11898): <!--number 11898 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWdpdC9nby1naXQvdjUgdG8gdjUuMTcuMSBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKQ==-->Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11837): <!--number 11837 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgaGFwcHktZG9tIHRvIHYyMC44LjggW1NFQ1VSSVRZXSAodjExLjAvZm9yZ2Vqbyk=-->Update dependency happy-dom to v20.8.8 [SECURITY] (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11831): <!--number 11831 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvbmV0IHRvIHYwLjUxLjAgW1NFQ1VSSVRZXSAodjExLjAvZm9yZ2Vqbyk=-->Update module golang.org/x/net to v0.51.0 [SECURITY] (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11819): <!--number 11819 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzguMCBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKQ==-->Update module golang.org/x/image to v0.38.0 [SECURITY] (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11801) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11803)): <!--number 11803 --><!--line 0 --><!--description Y2k6IHVwZGF0ZSB0ZXN0cyB0byBydW4gZGViaWFuIHRyaXhpZSwgcmVtb3ZlIG1hbnVhbCBpbnN0YWxsYXRpb24gZnJvbSBgdGVzdGluZ2A=-->ci: update tests to run debian trixie, remove manual installation from `testing`<!--description-->
+<!--end release-notes-assistant-->

From 43075c080a2c524f0676809fba7247acadc939e6 Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Date: Fri, 10 Apr 2026 14:50:59 +0200
Subject: [PATCH 093/287] chore(release-notes): Forgejo v14.0.4 [skip ci]
 (#12074)

https://codeberg.org/forgejo/forgejo/milestone/67354
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: viceice <michael.kriese@gmx.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12074
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
---
 release-notes-published/14.0.4.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 release-notes-published/14.0.4.md

diff --git a/release-notes-published/14.0.4.md b/release-notes-published/14.0.4.md
new file mode 100644
index 0000000000..533378dc21
--- /dev/null
+++ b/release-notes-published/14.0.4.md
@@ -0,0 +1,30 @@
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12028): <!--number 12028 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuOSAodjE0LjAvZm9yZ2Vqbyk=-->Update dependency go to v1.25.9 (v14.0/forgejo)<!--description-->
+- User Interface bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11614) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11725)): <!--number 11725 --><!--line 0 --><!--description TWFrZSBvdmVyZmxvdy1tZW51IFdlYiBDb21wb25lbnQgc2Nyb2xsIC8gb3ZlcmZsb3cgd2l0aCBKUyBvZmY=-->Make overflow-menu Web Component scroll / overflow with JS off<!--description-->
+- Localization
+  - Updates from from Codeberg Translate: [#12039](https://codeberg.org/forgejo/forgejo/pulls/12039) (backport of [#11460](https://codeberg.org/forgejo/forgejo/pulls/11460), [#11810](https://codeberg.org/forgejo/forgejo/pulls/11810))
+- Bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11821) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11850)): <!--number 11850 --><!--line 0 --><!--description Zml4OiBvdXQgb2Ygc3luY2hyb25pemF0aW9uIGVycm9yIGFmdGVyIGludGVycnVwdGluZyBhIFBSIG1lcmdlIGJ5IHVzZXItYWdlbnQgZGlzY29ubmVjdA==-->fix: out of synchronization error after interrupting a PR merge by user-agent disconnect<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11623) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11742)): <!--number 11742 --><!--line 0 --><!--description Zml4OiBjb21tZW50IGF0dGFjaG1lbnQgQVBJIGlzIG1vcmUgcmVzdHJpY3RpdmUgdGhhbiB0aGUgd2ViIFVJ-->fix: comment attachment API is more restrictive than the web UI<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11642) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11658)): <!--number 11658 --><!--line 0 --><!--description Zml4OiBkb24ndCB0cmlwIGRlbGV0aW5nIGF0dGFjaG1lbnQgd2l0aCBtaXNzaW5nIHBlcm1pc3Npb24gZXJyb3I=-->fix: don't trip deleting attachment with missing permission error<!--description-->
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11885): <!--number 11885 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgaGFwcHktZG9tIHRvIHYyMC44LjkgW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2Vqbyk=-->Update dependency happy-dom to v20.8.9 [SECURITY] (v14.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11296) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11317)): <!--number 11317 --><!--line 0 --><!--description UEFNOiBwb3J0YWJsZSBlcnJvciByZXBvcnRpbmc=-->PAM: portable error reporting<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11899): <!--number 11899 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ28tZ2l0L2dvLWdpdC92NSAoaW5kaXJlY3QpIHRvIHY1LjE3LjEgW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2Vqbyk=-->Update github.com/go-git/go-git/v5 (indirect) to v5.17.1 [SECURITY] (v14.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11838): <!--number 11838 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgaGFwcHktZG9tIHRvIHYyMC44LjggW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2Vqbyk=-->Update dependency happy-dom to v20.8.8 [SECURITY] (v14.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11828): <!--number 11828 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvbmV0IHRvIHYwLjUxLjAgW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2Vqbyk=-->Update module golang.org/x/net to v0.51.0 [SECURITY] (v14.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11820): <!--number 11820 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzguMCBbU0VDVVJJVFldICh2MTQuMC9mb3JnZWpvKQ==-->Update module golang.org/x/image to v0.38.0 [SECURITY] (v14.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11801) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11802)): <!--number 11802 --><!--line 0 --><!--description Y2k6IHVwZGF0ZSB0ZXN0cyB0byBydW4gZGViaWFuIHRyaXhpZSwgcmVtb3ZlIG1hbnVhbCBpbnN0YWxsYXRpb24gZnJvbSBgdGVzdGluZ2A=-->ci: update tests to run debian trixie, remove manual installation from `testing`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11733) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11737)): <!--number 11737 --><!--line 0 --><!--description Zml4OiBwcmV2ZW50IGNvbnRhaW5lciByZWdpc3RyeSBoZWFkZXJzIGZyb20gbGVha2luZyBpbnRvIG90aGVyIHJlZ2lzdHJpZXM=-->fix: prevent container registry headers from leaking into other registries<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11691) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11722)): <!--number 11722 --><!--line 0 --><!--description Zml4OiByZW1vdmUgdGVtcGxhdGUgZmlsZSBmcm9tIGdlbmVyYXRlZCByZXBv-->fix: remove template file from generated repo<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11624) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11626)): <!--number 11626 --><!--line 0 --><!--description Y2hvcmUoZGVwcyk6IGJ1bXAgeG9ybSB0byB2MS4zLjktZm9yZ2Vqby44-->chore(deps): bump xorm to v1.3.9-forgejo.8<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11616) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11625)): <!--number 11625 --><!--line 0 --><!--description OiBmaXg6IHJlbW92ZSBzZWNvbmQgY2hhbGxlbmdlIGZyb20gV1dXLUF1dGhlbnRpY2F0ZSBoZWFkZXI=-->fix: remove second challenge from WWW-Authenticate header<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11588) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11613)): <!--number 11613 --><!--line 0 --><!--description Zml4OiB3ZWJob29rL2Rpc2NvcmQ6IG9taXQgZW1wdHkgZW1iZWRzLmZvb3RlciBmcm9tIHRoZSBwYXlsb2FkIGZvciBTcGFjZWJhciBjb21wYXRpYmlsaXR5-->fix: webhook/discord: omit empty embeds.footer from the payload for Spacebar compatibility<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11585) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11596)): <!--number 11596 --><!--line 0 --><!--description Zml4KGlzc3VlLXNlYXJjaCk6IGRlbGV0ZSBpc3N1ZSBmcm9tIGluZGV4ZXIgb24gRGVsZXRlSXNzdWU=-->fix(issue-search): delete issue from indexer on DeleteIssue<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11442) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11594)): <!--number 11594 --><!--line 0 --><!--description Zml4OiBlbmZvcmNlIHBhY2thZ2UgcXVvdGEgYWdhaW5zdCBwYWNrYWdlIG93bmVyLCBub3QgdXBsb2FkZXI=-->fix: enforce package quota against package owner, not uploader<!--description-->
+<!--end release-notes-assistant-->

From d1b69632aa7a40a249b667b8d6a759214e4ddd9b Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Fri, 10 Apr 2026 15:40:08 +0200
Subject: [PATCH 094/287] fix: prevent jobs with unknown needs from running
 (#12046)

If Forgejo encounters an Actions workflow with unknown jobs in a needs definition, Forgejo will ignore those and run the job anyway. That is bad. For example, releases could be published without any testing because the name of the testing job was misspelt.

Workflow that demonstrates the problem:

```yaml
on:
  push:
  workflow_dispatch:
jobs:
  build:
    runs-on: debian
    steps:
      - run: |
          echo "OK"
  test:
    runs-on: debian
    needs: [does-not-exist]
    steps:
      - run: |
          echo "OK"
```

Now, before a workflow is run, Forgejo will check whether all jobs referenced in `needs` exist. If any of them does not, it raises a pre-execution error which fails the workflow immediately. It also displays an appropriate error to the user, for example:

```
Workflow was not executed due to an error that blocked the execution attempt.
Job with ID test references unknown jobs in `needs`: does-not-exist.
```

Futhermore, workflows with pre-execution errors can no longer be rerun, which was previously possible.

Original issue: https://code.forgejo.org/forgejo/runner/issues/977.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12046
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 models/actions/pre_execution_errors.go        |   3 +
 models/actions/run.go                         |  13 ++
 models/actions/run_job.go                     |  23 ++++
 models/actions/run_job_list.go                |   8 ++
 models/actions/run_job_list_test.go           |  21 +++
 models/actions/run_job_test.go                | 124 ++++++++++++++++++
 models/actions/run_test.go                    |  80 +++++++++++
 options/locale_next/locale_en-US.json         |   3 +
 .../actions/TestActionsRerun/action_run.yml   |  20 +++
 .../TestActionsRerun/action_run_job.yml       |  15 +++
 routers/web/repo/actions/view.go              |  18 ++-
 routers/web/repo/actions/view_test.go         |  61 ++++++---
 .../action_run.yml                            |  18 +++
 .../action_run_job.yml                        |  44 +++++++
 services/actions/job_emitter.go               |  14 +-
 services/actions/job_emitter_test.go          |  24 ++++
 services/actions/run.go                       |   6 +
 services/actions/run_test.go                  |   6 +
 18 files changed, 478 insertions(+), 23 deletions(-)
 create mode 100644 models/actions/run_job_list_test.go

diff --git a/models/actions/pre_execution_errors.go b/models/actions/pre_execution_errors.go
index 64c9b17727..000d59d71d 100644
--- a/models/actions/pre_execution_errors.go
+++ b/models/actions/pre_execution_errors.go
@@ -30,6 +30,7 @@ const (
 	ErrorCodeIncompleteWithMissingOutput
 	ErrorCodeIncompleteWithMissingMatrixDimension
 	ErrorCodeIncompleteWithUnknownCause
+	ErrorCodeUnknownJobInNeeds
 )
 
 func TranslatePreExecutionError(lang translation.Locale, run *ActionRun) string {
@@ -69,6 +70,8 @@ func TranslatePreExecutionError(lang translation.Locale, run *ActionRun) string
 		return lang.TrString("actions.workflow.incomplete_with_missing_matrix_dimension", run.PreExecutionErrorDetails...)
 	case ErrorCodeIncompleteWithUnknownCause:
 		return lang.TrString("actions.workflow.incomplete_with_unknown_cause", run.PreExecutionErrorDetails...)
+	case ErrorCodeUnknownJobInNeeds:
+		return lang.TrString("actions.workflow.unknown_job_in_needs", run.PreExecutionErrorDetails...)
 	}
 	return fmt.Sprintf("<unsupported error: code=%v details=%#v", run.PreExecutionErrorCode, run.PreExecutionErrorDetails)
 }
diff --git a/models/actions/run.go b/models/actions/run.go
index 6e01715f74..a9c458c86d 100644
--- a/models/actions/run.go
+++ b/models/actions/run.go
@@ -255,6 +255,19 @@ func (run *ActionRun) IsDispatchedRun() bool {
 	return run.TriggerEvent == "workflow_dispatch"
 }
 
+// IsRunnable indicates whether this ActionRun can generally be run.
+func (run *ActionRun) IsRunnable() bool {
+	return run.PreExecutionErrorCode == 0 && run.PreExecutionError == ""
+}
+
+// CanBeRerun indicates whether this ActionRun can be rerun.
+func (run *ActionRun) CanBeRerun() bool {
+	if !run.IsRunnable() {
+		return false
+	}
+	return run.Status.IsDone()
+}
+
 func actionsCountOpenCacheKey(repoID int64) string {
 	return fmt.Sprintf("Actions:CountOpenActionRuns:%d", repoID)
 }
diff --git a/models/actions/run_job.go b/models/actions/run_job.go
index 412e60aefd..5d3a8aad80 100644
--- a/models/actions/run_job.go
+++ b/models/actions/run_job.go
@@ -140,6 +140,15 @@ func (job *ActionRunJob) PrepareNextAttempt(initialStatus Status) error {
 	return nil
 }
 
+// CanBeRerun answers whether this ActionRunJob can be rerun. Returns true if it is done and the Run it belongs to
+// is runnable. Returns false in all other cases, including when Run is nil.
+func (job *ActionRunJob) CanBeRerun() bool {
+	if job.Run == nil || !job.Run.IsRunnable() {
+		return false
+	}
+	return job.Status.IsDone()
+}
+
 func GetRunJobByID(ctx context.Context, id int64) (*ActionRunJob, error) {
 	var job ActionRunJob
 	has, err := db.GetEngine(ctx).Where("id=?", id).Get(&job)
@@ -338,3 +347,17 @@ func (job *ActionRunJob) EnableOpenIDConnect() (bool, error) {
 	}
 	return jobWorkflow.EnableOpenIDConnect, nil
 }
+
+// AllNeedsExist checks whether this ActionRunJob's Needs can theoretically be met by comparing them with the supplied
+// list of all job IDs that part of a particular workflow run. Returns the list of unknown job IDs found in Needs
+// alongside an indicator whether the check was successful.
+func (job *ActionRunJob) AllNeedsExist(allExistingJobIDs container.Set[string]) ([]string, bool) {
+	unknownJobIDs := []string{}
+	for _, need := range job.Needs {
+		if !allExistingJobIDs.Contains(need) {
+			unknownJobIDs = append(unknownJobIDs, need)
+		}
+	}
+
+	return unknownJobIDs, len(unknownJobIDs) == 0
+}
diff --git a/models/actions/run_job_list.go b/models/actions/run_job_list.go
index e7ad87239b..207da30334 100644
--- a/models/actions/run_job_list.go
+++ b/models/actions/run_job_list.go
@@ -22,6 +22,14 @@ func (jobs ActionJobList) GetRunIDs() []int64 {
 	})
 }
 
+func (jobs ActionJobList) GetJobIDs() container.Set[string] {
+	jobIDs := container.SetOf[string]()
+	for _, job := range jobs {
+		jobIDs.Add(job.JobID)
+	}
+	return jobIDs
+}
+
 func (jobs ActionJobList) LoadRuns(ctx context.Context, withRepo bool) error {
 	runIDs := jobs.GetRunIDs()
 	runs := make(map[int64]*ActionRun, len(runIDs))
diff --git a/models/actions/run_job_list_test.go b/models/actions/run_job_list_test.go
new file mode 100644
index 0000000000..223dd3b411
--- /dev/null
+++ b/models/actions/run_job_list_test.go
@@ -0,0 +1,21 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package actions
+
+import (
+	"testing"
+
+	"forgejo.org/modules/container"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActionJobList_GetJobIDs(t *testing.T) {
+	jobs := ActionJobList{
+		&ActionRunJob{JobID: "job 1"},
+		&ActionRunJob{JobID: "job 2"},
+	}
+
+	assert.Equal(t, container.SetOf("job 2", "job 1"), jobs.GetJobIDs())
+}
diff --git a/models/actions/run_job_test.go b/models/actions/run_job_test.go
index 05c504cf64..6753fb0315 100644
--- a/models/actions/run_job_test.go
+++ b/models/actions/run_job_test.go
@@ -8,6 +8,7 @@ import (
 
 	"forgejo.org/models/db"
 	"forgejo.org/models/unittest"
+	"forgejo.org/modules/container"
 	"forgejo.org/modules/timeutil"
 
 	"code.forgejo.org/forgejo/runner/v12/act/jobparser"
@@ -369,3 +370,126 @@ func TestIsRequestedByRunner(t *testing.T) {
 
 	assert.False(t, emptyHandleJob.IsRequestedByRunner(&differentHandle))
 }
+
+func TestAllNeedsExist(t *testing.T) {
+	testCases := []struct {
+		name               string
+		job                ActionRunJob
+		existingJobIDs     container.Set[string]
+		expectedUnknownIDs []string
+		ok                 bool
+	}{
+		{
+			name:               "no needs",
+			job:                ActionRunJob{Needs: nil},
+			existingJobIDs:     container.Set[string]{},
+			expectedUnknownIDs: []string{},
+			ok:                 true,
+		},
+		{
+			name:               "empty needs",
+			job:                ActionRunJob{Needs: []string{}},
+			existingJobIDs:     container.Set[string]{},
+			expectedUnknownIDs: []string{},
+			ok:                 true,
+		},
+		{
+			name:               "satisfied needs",
+			job:                ActionRunJob{Needs: []string{"job1", "job2"}},
+			existingJobIDs:     container.SetOf("job2", "job1"),
+			expectedUnknownIDs: []string{},
+			ok:                 true,
+		},
+		{
+			name:               "unsatisfied needs",
+			job:                ActionRunJob{Needs: []string{"unknown", "job2"}},
+			existingJobIDs:     container.SetOf("job2", "job1"),
+			expectedUnknownIDs: []string{"unknown"},
+			ok:                 false,
+		},
+		{
+			name:               "comparison is case-sensitive",
+			job:                ActionRunJob{Needs: []string{"Job1", "job2"}},
+			existingJobIDs:     container.SetOf("job2", "job1"),
+			expectedUnknownIDs: []string{"Job1"},
+			ok:                 false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			unknownIDs, ok := testCase.job.AllNeedsExist(testCase.existingJobIDs)
+
+			assert.Equal(t, testCase.ok, ok)
+			assert.Equal(t, testCase.expectedUnknownIDs, unknownIDs)
+		})
+	}
+}
+
+func TestActionRunJob_CanBeRerun(t *testing.T) {
+	testCases := []struct {
+		name       string
+		job        ActionRunJob
+		canBeRerun bool
+	}{
+		{
+			name:       "job with unknown status",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusUnknown},
+			canBeRerun: false,
+		},
+		{
+			name:       "successful job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusSuccess},
+			canBeRerun: true,
+		},
+		{
+			name:       "failed job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusFailure},
+			canBeRerun: true,
+		},
+		{
+			name:       "cancelled job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusCancelled},
+			canBeRerun: true,
+		},
+		{
+			name:       "skipped job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusSkipped},
+			canBeRerun: true,
+		},
+		{
+			name:       "waiting job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusWaiting},
+			canBeRerun: false,
+		},
+		{
+			name:       "blocked job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusSuccess}, Status: StatusBlocked},
+			canBeRerun: false,
+		},
+		{
+			name:       "ActionRun is nil",
+			job:        ActionRunJob{Run: nil, Status: StatusSuccess},
+			canBeRerun: false,
+		},
+		{
+			name:       "with busy run but completed job",
+			job:        ActionRunJob{Run: &ActionRun{Status: StatusRunning}, Status: StatusSuccess},
+			canBeRerun: true,
+		},
+		{
+			name: "with run that cannot be run",
+			job: ActionRunJob{
+				Run:    &ActionRun{Status: StatusRunning, PreExecutionErrorCode: ErrorCodeEventDetectionError},
+				Status: StatusSuccess,
+			},
+			canBeRerun: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			assert.Equal(t, testCase.canBeRerun, testCase.job.CanBeRerun())
+		})
+	}
+}
diff --git a/models/actions/run_test.go b/models/actions/run_test.go
index 541fb059cd..9a5eb99537 100644
--- a/models/actions/run_test.go
+++ b/models/actions/run_test.go
@@ -96,6 +96,86 @@ func TestIsManualRun(t *testing.T) {
 	assert.False(t, pushRun.IsDispatchedRun())
 }
 
+func TestActionRun_IsRunnable(t *testing.T) {
+	testCases := []struct {
+		name       string
+		run        ActionRun
+		isRunnable bool
+	}{
+		{
+			name:       "valid run",
+			run:        ActionRun{},
+			isRunnable: true,
+		},
+		{
+			name:       "with pre-execution error",
+			run:        ActionRun{PreExecutionErrorCode: ErrorCodeIncompleteRunsOnMissingOutput},
+			isRunnable: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			assert.Equal(t, testCase.isRunnable, testCase.run.IsRunnable())
+		})
+	}
+}
+
+func TestActionRun_CanBeRerun(t *testing.T) {
+	testCases := []struct {
+		name       string
+		run        ActionRun
+		canBeRerun bool
+	}{
+		{
+			name:       "run with unknown status",
+			run:        ActionRun{Status: StatusUnknown},
+			canBeRerun: false,
+		},
+		{
+			name:       "successful run",
+			run:        ActionRun{Status: StatusSuccess},
+			canBeRerun: true,
+		},
+		{
+			name:       "failed run",
+			run:        ActionRun{Status: StatusFailure},
+			canBeRerun: true,
+		},
+		{
+			name:       "cancelled run",
+			run:        ActionRun{Status: StatusCancelled},
+			canBeRerun: true,
+		},
+		{
+			name:       "skipped run",
+			run:        ActionRun{Status: StatusSkipped},
+			canBeRerun: true,
+		},
+		{
+			name:       "waiting run",
+			run:        ActionRun{Status: StatusWaiting},
+			canBeRerun: false,
+		},
+		{
+			name:       "blocked run",
+			run:        ActionRun{Status: StatusBlocked},
+			canBeRerun: false,
+		},
+		{
+			name:       "with pre-execution error",
+			run:        ActionRun{PreExecutionErrorCode: ErrorCodeIncompleteRunsOnMissingOutput, Status: StatusSuccess},
+			canBeRerun: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			assert.Equal(t, testCase.canBeRerun, testCase.run.CanBeRerun())
+		})
+	}
+}
+
 func TestRepoNumOpenActions(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	err := cache.Init()
diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index aab1be7e1b..3195d6f6f1 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -612,7 +612,10 @@
 	"actions.workflow.incomplete_with_missing_output": "Unable to evaluate `with` of job %[1]s: job %[2]s is missing output %[3]s.",
 	"actions.workflow.incomplete_with_missing_matrix_dimension": "Unable to evaluate `with` of job %[1]s: matrix dimension %[2]s does not exist.",
 	"actions.workflow.incomplete_with_unknown_cause": "Unable to evaluate `with` of job %[1]s: unknown error.",
+	"actions.workflow.unknown_job_in_needs": "Job with ID %[1]s references unknown jobs in `needs`: %[2]s.",
 	"actions.workflow.pre_execution_error": "Workflow was not executed due to an error that blocked the execution attempt.",
+	"actions.workflow.rerun_impossible": "The workflow cannot be rerun.",
+	"actions.workflow.job_rerun_impossible": "The job cannot be rerun.",
 	"actions.secrets.creation.name_description": "The name of a secret can only contain letters, numbers, and underscores. It cannot start with FORGEJO_, GITEA_, GITHUB_, or a number. Forgejo will automatically convert it to uppercase.",
 	"actions.secrets.creation.value_description": "The value of a secret can be any text. Special characters are retained. CRLF (Windows-style line breaks) is automatically converted to LF. Encode the value with Base64 if linebreaks should be retained.",
 	"actions.variables.mutation.name_description": "The name of a variable can only contain letters, numbers, and underscores. It cannot be named CI or start with FORGEJO_, GITEA_, GITHUB_, or a number. Forgejo will automatically convert it to uppercase.",
diff --git a/routers/web/repo/actions/TestActionsRerun/action_run.yml b/routers/web/repo/actions/TestActionsRerun/action_run.yml
index 9db0954b7c..18444ac6c4 100644
--- a/routers/web/repo/actions/TestActionsRerun/action_run.yml
+++ b/routers/web/repo/actions/TestActionsRerun/action_run.yml
@@ -16,4 +16,24 @@
   updated: 1683636626
   need_approval: false
   approved_by: 0
+  event_payload: '{"head_commit":{"id":"5f22f7d0d95d614d25a5b68592adb345a4b5c7fd"}}'
+- id: 83732
+  title: "not runnable"
+  repo_id: 1
+  owner_id: 5
+  workflow_id: "invalid.yaml"
+  index: 138575
+  trigger_user_id: 1
+  ref: "refs/heads/branch2"
+  commit_sha: "985f0301dba5e7b34be866819cd15ad3d8f508ee"
+  event: "push"
+  is_fork_pull_request: false
+  status: 2 # failure
+  started: 0
+  stopped: 1683636626
+  created: 1683636108
+  updated: 1683636626
+  pre_execution_error_code: 10
+  need_approval: false
+  approved_by: 0
   event_payload: '{"head_commit":{"id":"5f22f7d0d95d614d25a5b68592adb345a4b5c7fd"}}'
\ No newline at end of file
diff --git a/routers/web/repo/actions/TestActionsRerun/action_run_job.yml b/routers/web/repo/actions/TestActionsRerun/action_run_job.yml
index 3d97591281..a3bde7a2aa 100644
--- a/routers/web/repo/actions/TestActionsRerun/action_run_job.yml
+++ b/routers/web/repo/actions/TestActionsRerun/action_run_job.yml
@@ -56,3 +56,18 @@
   runs_on: '["fedora"]'
   started: 1683636528
   stopped: 1683636626
+
+- id: 248954
+  run_id: 83732
+  repo_id: 1
+  owner_id: 3
+  commit_sha: 985f0301dba5e7b34be866819cd15ad3d8f508ee
+  is_fork_pull_request: false
+  name: job_2
+  attempt: 1
+  job_id: job_2
+  task_id: 47
+  status: 2 # failure
+  runs_on: '["fedora"]'
+  started: 1683636528
+  stopped: 1683636626
diff --git a/routers/web/repo/actions/view.go b/routers/web/repo/actions/view.go
index a645f317f9..63db9d0997 100644
--- a/routers/web/repo/actions/view.go
+++ b/routers/web/repo/actions/view.go
@@ -296,7 +296,7 @@ func getViewResponse(ctx *app_context.Context, req *ViewRequest, runIndex, jobIn
 	resp.State.Run.TitleHTML = templates.RenderCommitMessage(ctx, run.Title, metas)
 	resp.State.Run.Link = run.Link()
 	resp.State.Run.CanApprove = run.NeedApproval && ctx.Repo.CanWrite(unit.TypeActions)
-	resp.State.Run.CanRerun = run.Status.IsDone() && ctx.Repo.CanWrite(unit.TypeActions)
+	resp.State.Run.CanRerun = run.CanBeRerun() && ctx.Repo.CanWrite(unit.TypeActions)
 	resp.State.Run.CanDeleteArtifact = run.Status.IsDone() && ctx.Repo.CanWrite(unit.TypeActions)
 	resp.State.Run.Jobs = make([]*ViewJob, 0, len(jobs)) // marshal to '[]' instead of 'null' in json
 	resp.State.Run.Status = run.Status.String()
@@ -318,7 +318,7 @@ func getViewResponse(ctx *app_context.Context, req *ViewRequest, runIndex, jobIn
 			ID:       v.ID,
 			Name:     v.Name,
 			Status:   v.Status.String(),
-			CanRerun: v.Status.IsDone() && ctx.Repo.CanWrite(unit.TypeActions),
+			CanRerun: v.CanBeRerun() && ctx.Repo.CanWrite(unit.TypeActions),
 			Duration: v.Duration().String(),
 		})
 	}
@@ -495,6 +495,10 @@ func Rerun(ctx *app_context.Context) {
 		ctx.Error(http.StatusInternalServerError, err.Error())
 		return
 	}
+	if jobIndexStr == "" && !run.CanBeRerun() {
+		ctx.JSONError(ctx.Locale.Tr("actions.workflow.rerun_impossible"))
+		return
+	}
 
 	// can not rerun job when workflow is disabled
 	cfgUnit := ctx.Repo.Repository.MustGetUnit(ctx, unit.TypeActions)
@@ -523,6 +527,11 @@ func Rerun(ctx *app_context.Context) {
 	if jobIndexStr == "" { // rerun all jobs
 		var redirectURL string
 		for _, j := range jobs {
+			if !j.CanBeRerun() {
+				ctx.JSONError(ctx.Locale.Tr("actions.workflow.job_rerun_impossible"))
+				return
+			}
+
 			// if the job has needs, it should be set to "blocked" status to wait for other jobs
 			shouldBlock := len(j.Needs) > 0
 			if err := rerunJob(ctx, j, shouldBlock); err != nil {
@@ -550,6 +559,11 @@ func Rerun(ctx *app_context.Context) {
 
 	var redirectURL string
 	for _, j := range rerunJobs {
+		if !j.CanBeRerun() {
+			ctx.JSONError(ctx.Locale.Tr("actions.workflow.job_rerun_impossible"))
+			return
+		}
+
 		// jobs other than the specified one should be set to "blocked" status
 		shouldBlock := j.JobID != job.JobID
 		if err := rerunJob(ctx, j, shouldBlock); err != nil {
diff --git a/routers/web/repo/actions/view_test.go b/routers/web/repo/actions/view_test.go
index 8d8e82a007..04d32f191b 100644
--- a/routers/web/repo/actions/view_test.go
+++ b/routers/web/repo/actions/view_test.go
@@ -520,31 +520,48 @@ func TestActionsViewRedirectToLatestAttempt(t *testing.T) {
 }
 
 func TestActionsRerun(t *testing.T) {
-	defer unittest.OverrideFixtures("routers/web/repo/actions/TestActionsRerun")()
-	unittest.PrepareTestEnv(t)
-
 	tests := []struct {
 		name         string
 		runIndex     int64
 		jobIndex     int64
 		expectedCode int
 		expectedURL  string
+		expectedBody string
 	}{
 		{
-			name:        "rerun all",
-			runIndex:    138574,
-			jobIndex:    -1,
-			expectedURL: "https://try.gitea.io/user2/repo1/actions/runs/138574/jobs/0/attempt/3",
+			name:         "rerun all",
+			runIndex:     138574,
+			jobIndex:     -1,
+			expectedCode: 200,
+			expectedURL:  "https://try.gitea.io/user2/repo1/actions/runs/138574/jobs/0/attempt/3",
 		},
 		{
-			name:        "rerun job",
-			runIndex:    138574,
-			jobIndex:    2,
-			expectedURL: "https://try.gitea.io/user2/repo1/actions/runs/138574/jobs/2/attempt/6",
+			name:         "rerun job",
+			runIndex:     138574,
+			jobIndex:     2,
+			expectedCode: 200,
+			expectedURL:  "https://try.gitea.io/user2/repo1/actions/runs/138574/jobs/2/attempt/6",
+		},
+		{
+			name:         "rerun workflow that cannot be run",
+			runIndex:     138575,
+			jobIndex:     -1,
+			expectedCode: 400,
+			expectedBody: "{\"errorMessage\":\"actions.workflow.rerun_impossible\",\"renderFormat\":\"html\"}\n",
+		},
+		{
+			name:         "rerun job that cannot be run",
+			runIndex:     138575,
+			jobIndex:     1,
+			expectedCode: 400,
+			expectedBody: "{\"errorMessage\":\"actions.workflow.job_rerun_impossible\",\"renderFormat\":\"html\"}\n",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			defer unittest.OverrideFixtures("routers/web/repo/actions/TestActionsRerun")()
+			unittest.PrepareTestEnv(t)
+
 			ctx, resp := contexttest.MockContext(t, "user2/repo1/actions/runs/138574/rerun")
 			contexttest.LoadUser(t, ctx, 2)
 			contexttest.LoadRepo(t, ctx, 1)
@@ -554,16 +571,22 @@ func TestActionsRerun(t *testing.T) {
 			}
 
 			Rerun(ctx)
-			require.Equal(t, http.StatusOK, resp.Result().StatusCode, "failure in Rerun(): %q", resp.Body.String())
 
-			var actual redirectObject
-			err := json.Unmarshal(resp.Body.Bytes(), &actual)
-			require.NoError(t, err)
+			if tt.expectedCode < 300 {
+				require.Equal(t, tt.expectedCode, resp.Result().StatusCode, "failure in Rerun(): %q", resp.Body.String())
 
-			// Note: this test isn't doing any functional testing of the Rerun handler's actual ability to set up a job
-			// rerun.  This test was added when the redirect to the correct `attempt` was added and only covers that
-			// addition at this time.
-			assert.Equal(t, redirectObject{Redirect: tt.expectedURL}, actual)
+				var actual redirectObject
+				err := json.Unmarshal(resp.Body.Bytes(), &actual)
+				require.NoError(t, err)
+
+				// Note: this test isn't doing any functional testing of the Rerun handler's actual ability to set up a job
+				// rerun.  This test was added when the redirect to the correct `attempt` was added and only covers that
+				// addition at this time.
+				assert.Equal(t, redirectObject{Redirect: tt.expectedURL}, actual)
+			} else {
+				require.Equal(t, tt.expectedCode, resp.Result().StatusCode)
+				assert.Equal(t, tt.expectedBody, resp.Body.String())
+			}
 		})
 	}
 }
diff --git a/services/actions/TestActions_consistencyCheckRun/action_run.yml b/services/actions/TestActions_consistencyCheckRun/action_run.yml
index 321600adf9..0872f69b3a 100644
--- a/services/actions/TestActions_consistencyCheckRun/action_run.yml
+++ b/services/actions/TestActions_consistencyCheckRun/action_run.yml
@@ -88,3 +88,21 @@
   updated: 1683636626
   need_approval: 0
   approved_by: 0
+-
+  id: 905
+  title: "waiting workflow_dispatch run"
+  repo_id: 63
+  owner_id: 2
+  workflow_id: "running.yaml"
+  index: 9
+  trigger_user_id: 2
+  ref: "refs/heads/main"
+  commit_sha: "97f29ee599c373c729132a5c46a046978311e0ee"
+  trigger_event: "workflow_dispatch"
+  is_fork_pull_request: 0
+  status: 5 # waiting
+  started: 1683636528
+  created: 1683636108
+  updated: 1683636626
+  need_approval: 0
+  approved_by: 0
diff --git a/services/actions/TestActions_consistencyCheckRun/action_run_job.yml b/services/actions/TestActions_consistencyCheckRun/action_run_job.yml
index 8d0adf3f58..e917d7d9a3 100644
--- a/services/actions/TestActions_consistencyCheckRun/action_run_job.yml
+++ b/services/actions/TestActions_consistencyCheckRun/action_run_job.yml
@@ -172,3 +172,47 @@
     incomplete_runs_on_matrix:
       dimension: platform-oops-wrong-dimension
     incomplete_matrix: true
+-
+  id: 607
+  run_id: 905
+  repo_id: 63
+  owner_id: 2
+  commit_sha: 97f29ee599c373c729132a5c46a046978311e0ee
+  is_fork_pull_request: 0
+  name: job_1
+  attempt: 1
+  job_id: job_1
+  task_id: 0
+  status: 7 # blocked
+  runs_on: '["fedora"]'
+  needs: '[]'
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      job_1:
+        runs-on: fedora
+        steps:
+          - run: echo "OK!"
+-
+  id: 608
+  run_id: 905
+  repo_id: 63
+  owner_id: 2
+  commit_sha: 97f29ee599c373c729132a5c46a046978311e0ee
+  is_fork_pull_request: 0
+  name: job_2
+  attempt: 1
+  job_id: job_2
+  task_id: 0
+  status: 7 # blocked
+  runs_on: '["fedora"]'
+  needs: '["unknown","Job_1"]' # invalid capitalization of job_1
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      job_2:
+        runs-on: fedora
+        steps:
+          - run: echo "OK!"
diff --git a/services/actions/job_emitter.go b/services/actions/job_emitter.go
index b23918e42f..593e17517a 100644
--- a/services/actions/job_emitter.go
+++ b/services/actions/job_emitter.go
@@ -136,6 +136,10 @@ type jobStatusResolver struct {
 	jobMap   map[int64]*actions_model.ActionRunJob
 }
 
+// unknownJobID stores the ID of an unknown job that might be referenced in the workflow. The ID can be any number as
+// long it does not match the ID of an existing job.
+var unknownJobID int64 = -1
+
 func newJobStatusResolver(jobs actions_model.ActionJobList) *jobStatusResolver {
 	idToJobs := make(map[string][]*actions_model.ActionRunJob, len(jobs))
 	jobMap := make(map[int64]*actions_model.ActionRunJob)
@@ -149,8 +153,14 @@ func newJobStatusResolver(jobs actions_model.ActionJobList) *jobStatusResolver {
 	for _, job := range jobs {
 		statuses[job.ID] = job.Status
 		for _, need := range job.Needs {
-			for _, v := range idToJobs[need] {
-				needs[job.ID] = append(needs[job.ID], v.ID)
+			neededJobs, ok := idToJobs[need]
+			if ok {
+				for _, v := range neededJobs {
+					needs[job.ID] = append(needs[job.ID], v.ID)
+				}
+			} else {
+				// Handles the case of an unknown job being referenced in `needs`, for example, `needs: ["unknown"]`.
+				needs[job.ID] = append(needs[job.ID], unknownJobID)
 			}
 		}
 	}
diff --git a/services/actions/job_emitter_test.go b/services/actions/job_emitter_test.go
index 7d5853ce1a..44e9163102 100644
--- a/services/actions/job_emitter_test.go
+++ b/services/actions/job_emitter_test.go
@@ -231,6 +231,30 @@ __metadata:
 				3: actions_model.StatusFailure,
 			},
 		},
+		{
+			name: "blocked if needs are unknown",
+			jobs: actions_model.ActionJobList{
+				{ID: 1, JobID: "build", Status: actions_model.StatusSuccess, Needs: []string{}},
+				{ID: 2, JobID: "test", Status: actions_model.StatusBlocked, Needs: []string{"build", "unknown"}},
+			},
+			want: map[int64]actions_model.Status{},
+		},
+		{
+			name: "blocked if needs are unknown despite always()",
+			jobs: actions_model.ActionJobList{
+				{ID: 1, JobID: "build", Status: actions_model.StatusSuccess, Needs: []string{}},
+				{ID: 45, JobID: "test", Needs: []string{"build", "unknown"}, Status: actions_model.StatusBlocked, WorkflowPayload: []byte(`
+on: push
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    needs: [build, unknown]
+    if: always()
+    steps: []
+`)},
+			},
+			want: map[int64]actions_model.Status{},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/services/actions/run.go b/services/actions/run.go
index ed795f2a63..bee0b1581d 100644
--- a/services/actions/run.go
+++ b/services/actions/run.go
@@ -97,11 +97,17 @@ func FailRunPreExecutionError(ctx context.Context, run *actions_model.ActionRun,
 
 // Perform pre-execution checks that would affect the ability for a job to reach an executing stage.
 func consistencyCheckRun(ctx context.Context, run *actions_model.ActionRun) error {
+	var jobs actions_model.ActionJobList
 	jobs, err := actions_model.GetRunJobsByRunID(ctx, run.ID)
 	if err != nil {
 		return err
 	}
+	validJobIDs := jobs.GetJobIDs()
 	for _, job := range jobs {
+		if unknownJobIDs, ok := job.AllNeedsExist(validJobIDs); !ok {
+			return FailRunPreExecutionError(ctx, run, actions_model.ErrorCodeUnknownJobInNeeds,
+				[]any{job.JobID, strings.Join(unknownJobIDs, ", ")})
+		}
 		if stop, err := checkJobWillRevisit(ctx, job); err != nil {
 			return err
 		} else if stop {
diff --git a/services/actions/run_test.go b/services/actions/run_test.go
index e8a198c446..61e580aed1 100644
--- a/services/actions/run_test.go
+++ b/services/actions/run_test.go
@@ -137,6 +137,12 @@ func TestActions_consistencyCheckRun(t *testing.T) {
 			name:  "consistent: matrix missing dimension but matrix is dynamic",
 			runID: 904,
 		},
+		{
+			name:                     "unknown job in needs",
+			runID:                    905,
+			preExecutionError:        actions_model.ErrorCodeUnknownJobInNeeds,
+			preExecutionErrorDetails: []any{"job_2", "unknown, Job_1"},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From 72e57743d9089ca8763b87f83f46949b5d60a848 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 10 Apr 2026 18:03:19 +0200
Subject: [PATCH 095/287] Update module golang.org/x/tools/cmd/deadcode to
 v0.44.0 (forgejo) (#12071)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 665d8b5f38..a83ed31bfa 100644
--- a/Makefile
+++ b/Makefile
@@ -45,7 +45,7 @@ SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.2 # renova
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses/v2@v2.0.1 # renovate: datasource=go
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
-DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.43.0 # renovate: datasource=go
+DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.44.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
 GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
 RENOVATE_NPM_PACKAGE ?= renovate@43.104.8 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate

From 543c2d93ad8c61b77d66cf57fc7c2c4cc6f92e40 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 11 Apr 2026 02:37:46 +0200
Subject: [PATCH 096/287] Update data.forgejo.org/forgejo/forgejo Docker tag to
 v11.0.12 (forgejo) (#12084)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [data.forgejo.org/forgejo/forgejo](https://forgejo.org) ([source](https://codeberg.org/forgejo/forgejo)) | patch | `11.0.11` → `11.0.12` |

---

### Release Notes

<details>
<summary>forgejo/forgejo (data.forgejo.org/forgejo/forgejo)</summary>

### [`v11.0.12`](https://codeberg.org/forgejo/forgejo/releases/tag/v11.0.12)

[Compare Source](https://codeberg.org/forgejo/forgejo/compare/v11.0.11...v11.0.12)

See <https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.12.md>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDQuNCIsInVwZGF0ZWRJblZlciI6IjQzLjEwNC40IiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12084
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/workflows/build-release-integration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/build-release-integration.yml b/.forgejo/workflows/build-release-integration.yml
index 25a7a6cf44..723af018c4 100644
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@@ -2,7 +2,7 @@ name: Integration tests for the release process
 enable-email-notifications: true
 
 env:
-  FORGEJO_VERSION: 11.0.11 # renovate: datasource=docker depName=data.forgejo.org/forgejo/forgejo
+  FORGEJO_VERSION: 11.0.12 # renovate: datasource=docker depName=data.forgejo.org/forgejo/forgejo
 
 on:
   push:

From e636cd276574e486ef124a2c7840440308b8fb66 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 11 Apr 2026 03:29:02 +0200
Subject: [PATCH 097/287] Update dependency postcss to v8.5.9 (forgejo)
 (#12086)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12086
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 65 +++--------------------------------------------
 package.json      |  2 +-
 2 files changed, 5 insertions(+), 62 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index ce85a04de5..53fd189835 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -59,7 +59,7 @@
         "mini-css-extract-plugin": "2.10.0",
         "minimatch": "10.2.5",
         "pdfobject": "2.3.0",
-        "postcss": "8.5.6",
+        "postcss": "8.5.9",
         "postcss-loader": "8.2.1",
         "postcss-nesting": "14.0.0",
         "pretty-ms": "9.0.0",
@@ -5176,34 +5176,6 @@
         "@jridgewell/sourcemap-codec": "^1.5.5"
       }
     },
-    "node_modules/@vue/compiler-sfc/node_modules/postcss": {
-      "version": "8.5.8",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
-      "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
-      "funding": [
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/postcss/"
-        },
-        {
-          "type": "tidelift",
-          "url": "https://tidelift.com/funding/github/npm/postcss"
-        },
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/ai"
-        }
-      ],
-      "license": "MIT",
-      "dependencies": {
-        "nanoid": "^3.3.11",
-        "picocolors": "^1.1.1",
-        "source-map-js": "^1.2.1"
-      },
-      "engines": {
-        "node": "^10 || ^12 || >=14"
-      }
-    },
     "node_modules/@vue/compiler-ssr": {
       "version": "3.5.32",
       "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.32.tgz",
@@ -12944,9 +12916,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.5.6",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
-      "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+      "version": "8.5.9",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.9.tgz",
+      "integrity": "sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==",
       "funding": [
         {
           "type": "opencollective",
@@ -15886,35 +15858,6 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
-    "node_modules/vite/node_modules/postcss": {
-      "version": "8.5.8",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
-      "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
-      "dev": true,
-      "funding": [
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/postcss/"
-        },
-        {
-          "type": "tidelift",
-          "url": "https://tidelift.com/funding/github/npm/postcss"
-        },
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/ai"
-        }
-      ],
-      "license": "MIT",
-      "dependencies": {
-        "nanoid": "^3.3.11",
-        "picocolors": "^1.1.1",
-        "source-map-js": "^1.2.1"
-      },
-      "engines": {
-        "node": "^10 || ^12 || >=14"
-      }
-    },
     "node_modules/vitest": {
       "version": "4.1.2",
       "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.2.tgz",
diff --git a/package.json b/package.json
index f5d96c8372..30f48dea2c 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
     "mini-css-extract-plugin": "2.10.0",
     "minimatch": "10.2.5",
     "pdfobject": "2.3.0",
-    "postcss": "8.5.6",
+    "postcss": "8.5.9",
     "postcss-loader": "8.2.1",
     "postcss-nesting": "14.0.0",
     "pretty-ms": "9.0.0",

From b0267f7d792d17438f6894bb1ab757293f3c7206 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 11 Apr 2026 04:17:47 +0200
Subject: [PATCH 098/287] Update dependency swagger-ui-dist to v5.32.2
 (forgejo) (#12085)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 53fd189835..588a3e7570 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -64,7 +64,7 @@
         "postcss-nesting": "14.0.0",
         "pretty-ms": "9.0.0",
         "sortablejs": "1.15.7",
-        "swagger-ui-dist": "5.32.1",
+        "swagger-ui-dist": "5.32.2",
         "tailwindcss": "3.4.19",
         "throttle-debounce": "5.0.0",
         "tinycolor2": "1.6.0",
@@ -15014,9 +15014,9 @@
       }
     },
     "node_modules/swagger-ui-dist": {
-      "version": "5.32.1",
-      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.32.1.tgz",
-      "integrity": "sha512-6HQoo7+j8PA2QqP5kgAb9dl1uxUjvR0SAoL/WUp1sTEvm0F6D5npgU2OGCLwl++bIInqGlEUQ2mpuZRZYtyCzQ==",
+      "version": "5.32.2",
+      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.32.2.tgz",
+      "integrity": "sha512-t6Ns52nS8LU2hqi0+rezMjFO1ZrCsCrnommXrU7Nfrg2va2dWahdvM6TuSwzdHpG29v6BHJyU1c/UWFhgVZzVQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@scarf/scarf": "=1.4.0"
diff --git a/package.json b/package.json
index 30f48dea2c..aa6d80b52a 100644
--- a/package.json
+++ b/package.json
@@ -63,7 +63,7 @@
     "postcss-nesting": "14.0.0",
     "pretty-ms": "9.0.0",
     "sortablejs": "1.15.7",
-    "swagger-ui-dist": "5.32.1",
+    "swagger-ui-dist": "5.32.2",
     "tailwindcss": "3.4.19",
     "throttle-debounce": "5.0.0",
     "tinycolor2": "1.6.0",

From 988d7024804c666c4b991d5c61c3ba9a85b793b1 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 11 Apr 2026 04:33:53 +0200
Subject: [PATCH 099/287] Update module
 code.superseriousbusiness.org/exif-terminator to v0.11.2 (forgejo) (#12087)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12087
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index f931c40a5c..28e940eaab 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 	code.forgejo.org/go-chi/captcha v1.0.2
 	code.forgejo.org/go-chi/session v1.0.4
 	code.gitea.io/sdk/gitea v0.21.0
-	code.superseriousbusiness.org/exif-terminator v0.11.1
+	code.superseriousbusiness.org/exif-terminator v0.11.2
 	code.superseriousbusiness.org/go-jpeg-image-structure/v2 v2.3.0
 	codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570
 	connectrpc.com/connect v1.19.1
diff --git a/go.sum b/go.sum
index c294d1c993..4a4eb60bbe 100644
--- a/go.sum
+++ b/go.sum
@@ -46,8 +46,8 @@ code.forgejo.org/xorm/xorm v1.3.9-forgejo.10 h1:DCProZz7GP10ue7NoVr1vreuADhH9tEI
 code.forgejo.org/xorm/xorm v1.3.9-forgejo.10/go.mod h1:ly5tUt9l3b+y7HdXDM1UucQXuS58ahNxB9tPM5/6LfM=
 code.gitea.io/sdk/gitea v0.21.0 h1:69n6oz6kEVHRo1+APQQyizkhrZrLsTLXey9142pfkD4=
 code.gitea.io/sdk/gitea v0.21.0/go.mod h1:tnBjVhuKJCn8ibdyyhvUyxrR1Ca2KHEoTWoukNhXQPA=
-code.superseriousbusiness.org/exif-terminator v0.11.1 h1:qnujLH4/Yk/CFtFMmtjozbdV6Ry5G3Q/E/mLlWm/gQI=
-code.superseriousbusiness.org/exif-terminator v0.11.1/go.mod h1:/Z+3DHSrefCzzN5ePkGjVYKFErRimoeUf694Gz8Pn/Y=
+code.superseriousbusiness.org/exif-terminator v0.11.2 h1:nkTdaghZb6I0oGYFhTLSALhA2ShgkPnYAJryE5IE9+0=
+code.superseriousbusiness.org/exif-terminator v0.11.2/go.mod h1:/Z+3DHSrefCzzN5ePkGjVYKFErRimoeUf694Gz8Pn/Y=
 code.superseriousbusiness.org/go-jpeg-image-structure/v2 v2.3.0 h1:r9uq8StaSHYKJ8DklR9Xy+E9c40G1Z8yj5TRGi8L6+4=
 code.superseriousbusiness.org/go-jpeg-image-structure/v2 v2.3.0/go.mod h1:IK1OlR6APjVB3E9tuYGvf0qXMrwP+TrzcHS5rf4wffQ=
 code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0 h1:I512jiIeXDC4//2BeSPrRM2ZS4wpBKUaPeTPxakMNGA=

From d9176897d0e0c77cb656f76f30304f54351424ec Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 11 Apr 2026 19:18:41 +0200
Subject: [PATCH 100/287] Update module golang.org/x/text to v0.36.0 (forgejo)
 (#12070)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12070
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod |  6 +++---
 go.sum | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index 28e940eaab..a7e5f48e15 100644
--- a/go.mod
+++ b/go.mod
@@ -108,7 +108,7 @@ require (
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
 	golang.org/x/sys v0.43.0
-	golang.org/x/text v0.35.0
+	golang.org/x/text v0.36.0
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/ini.v1 v1.67.0
@@ -256,9 +256,9 @@ require (
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/mod v0.33.0 // indirect
+	golang.org/x/mod v0.34.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/tools v0.43.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index 4a4eb60bbe..71f10a9709 100644
--- a/go.sum
+++ b/go.sum
@@ -757,8 +757,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -873,8 +873,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
@@ -908,8 +908,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

From bf68be21e7ec6470e6ee4b2d8e10d2dc5f8c9567 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 11 Apr 2026 19:18:59 +0200
Subject: [PATCH 101/287] Update module golang.org/x/image to v0.39.0 (forgejo)
 (#12068)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12068
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index a7e5f48e15..9f2c848503 100644
--- a/go.mod
+++ b/go.mod
@@ -103,7 +103,7 @@ require (
 	go.uber.org/mock v0.6.0
 	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/crypto v0.49.0
-	golang.org/x/image v0.38.0
+	golang.org/x/image v0.39.0
 	golang.org/x/net v0.52.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
diff --git a/go.sum b/go.sum
index 71f10a9709..3602c0aec6 100644
--- a/go.sum
+++ b/go.sum
@@ -734,8 +734,8 @@ golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.38.0 h1:5l+q+Y9JDC7mBOMjo4/aPhMDcxEptsX+Tt3GgRQRPuE=
-golang.org/x/image v0.38.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
+golang.org/x/image v0.39.0 h1:skVYidAEVKgn8lZ602XO75asgXBgLj9G/FE3RbuPFww=
+golang.org/x/image v0.39.0/go.mod h1:sIbmppfU+xFLPIG0FoVUTvyBMmgng1/XAMhQ2ft0hpA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

From 92b95414e8edd553427681ea295668a3c0f30b11 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 11 Apr 2026 21:21:46 +0200
Subject: [PATCH 102/287] Update module github.com/go-webauthn/webauthn to
 v0.16.4 (forgejo) (#11958)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11958
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 10 +++++-----
 go.sum | 24 ++++++++++++------------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/go.mod b/go.mod
index 9f2c848503..d38a349c21 100644
--- a/go.mod
+++ b/go.mod
@@ -52,7 +52,7 @@ require (
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/go-openapi/spec v0.22.3
 	github.com/go-sql-driver/mysql v1.9.3
-	github.com/go-webauthn/webauthn v0.16.1
+	github.com/go-webauthn/webauthn v0.16.4
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
@@ -102,7 +102,7 @@ require (
 	gitlab.com/gitlab-org/api/client-go v0.143.2
 	go.uber.org/mock v0.6.0
 	go.yaml.in/yaml/v3 v3.0.4
-	golang.org/x/crypto v0.49.0
+	golang.org/x/crypto v0.50.0
 	golang.org/x/image v0.39.0
 	golang.org/x/net v0.52.0
 	golang.org/x/oauth2 v0.36.0
@@ -167,7 +167,7 @@ require (
 	github.com/dsoprea/go-utility/v2 v2.0.0-20221003172846-a3e1774ef349 // indirect
 	github.com/emersion/go-sasl v0.0.0-20231106173351-e73c9f7bad43 // indirect
 	github.com/fatih/color v1.18.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
 	github.com/go-ap/errors v0.0.0-20260208110149-e1b309365966 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
@@ -187,7 +187,7 @@ require (
 	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
 	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
-	github.com/go-webauthn/x v0.2.2 // indirect
+	github.com/go-webauthn/x v0.2.3 // indirect
 	github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 // indirect
@@ -245,7 +245,7 @@ require (
 	github.com/spf13/afero v1.15.0 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/tinylib/msgp v1.6.1 // indirect
+	github.com/tinylib/msgp v1.6.3 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/assert v1.3.0 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
diff --git a/go.sum b/go.sum
index 3602c0aec6..da2abee521 100644
--- a/go.sum
+++ b/go.sum
@@ -251,8 +251,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
-github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ=
+github.com/fxamacker/cbor/v2 v2.9.1/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc h1:yLe7YJhK+XNjNV4SqDxAjpWAgft+KU+XwKZS4AKEUV0=
 github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc/go.mod h1:jUs8eczo1EAT4ByRpZ4mQmNvjarw9eNf7Nm5udpMRhY=
 github.com/go-ap/errors v0.0.0-20260208110149-e1b309365966 h1:tV+3kZgqFMKVUf+JPKBV400ISM8440+6y/SQCS0WZwQ=
@@ -324,10 +324,10 @@ github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
 github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-webauthn/webauthn v0.16.1 h1:x5/SSki5/aIfogaRukqvbg/RXa3Sgxy/9vU7UfFPHKU=
-github.com/go-webauthn/webauthn v0.16.1/go.mod h1:RBS+rtQJMkE5VfMQ4diDA2VNrEL8OeUhp4Srz37FHbQ=
-github.com/go-webauthn/x v0.2.2 h1:zIiipvMbr48CXi5RG0XdBJR94kd8I5LfzHPb/q+YYmk=
-github.com/go-webauthn/x v0.2.2/go.mod h1:IpJ5qyWB9NRhLX3C7gIfjTU7RZLXEP6kzFkoVSE7Fz4=
+github.com/go-webauthn/webauthn v0.16.4 h1:R9jqR/cYZa7hRquFF7Za/8qoH/K/TIs1/Q/4CyGN+1Q=
+github.com/go-webauthn/webauthn v0.16.4/go.mod h1:SU2ljAgToTV/YLPI0C05QS4qn+e04WpB5g1RMfcZfS4=
+github.com/go-webauthn/x v0.2.3 h1:8oArS+Rc1SWFLXhE17KZNx258Z4kUSyaDgsSncCO5RA=
+github.com/go-webauthn/x v0.2.3/go.mod h1:tM04GF3V6VYq79AZMl7vbj4q6pz9r7L2criWRzbWhPk=
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b h1:khEcpUM4yFcxg4/FHQWkvVRmgijNXRfzkIDHh23ggEo=
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
@@ -654,8 +654,8 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
-github.com/tinylib/msgp v1.6.1 h1:ESRv8eL3u+DNHUoSAAQRE50Hm162zqAnBoGv9PzScPY=
-github.com/tinylib/msgp v1.6.1/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
+github.com/tinylib/msgp v1.6.3 h1:bCSxiTz386UTgyT1i0MSCvdbWjVW+8sG3PjkGsZQt4s=
+github.com/tinylib/msgp v1.6.3/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
@@ -720,8 +720,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -858,8 +858,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

From 9fe0cbee02c055757ed182c2bb09484969ae70e5 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sat, 11 Apr 2026 21:45:39 +0200
Subject: [PATCH 103/287] fix: relocate PR review comments using `git blame
 --reverse`, improving comment placement (#12015)

When a review comment is placed on a PR in Forgejo, Forgejo performs a `git blame` to identify which commit originated the line, and records that commit and line number in the comment's database record.  Later when the review is viewed, Forgejo currently makes no effort to place that comment in the correct *current* location, which may vary -- for example, if a PR had two commits and the comment was made on a line in the first commit, but the second commit changes line numbers in that file, the comment will appear in the incorrect location.

This PR adds the usage of `git blame --reverse` to calculate the correct location to display the comment in the current view (whether reviewing the PR commit-by-commit, or "Files changed").  It certainly does not fix all problems with comment placement (see comments).

Another major addition in this PR is a test harness for making relatively complex PRs and reviewing the diffs on the per-commit view and PR-diff views.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12015): <!--number 12015 --><!--line 0 --><!--description cmVsb2NhdGUgUFIgcmV2aWV3IGNvbW1lbnRzIHVzaW5nIGBnaXQgYmxhbWUgLS1yZXZlcnNlYCwgaW1wcm92aW5nIGNvbW1lbnQgcGxhY2VtZW50-->relocate PR review comments using `git blame --reverse`, improving comment placement<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12015
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 models/issues/comment.go              |  53 ++
 models/issues/comment_code.go         |  56 ++-
 models/issues/comment_test.go         |   4 +-
 modules/git/repo_blame.go             |  94 ++++
 modules/git/repo_blame_test.go        |  75 +++
 routers/web/repo/pull.go              |   2 +-
 services/gitdiff/gitdiff.go           |   4 +-
 services/gitdiff/gitdiff_test.go      |   4 +-
 tests/integration/pull_review_test.go | 663 ++++++++++++++++++++++++++
 9 files changed, 936 insertions(+), 19 deletions(-)

diff --git a/models/issues/comment.go b/models/issues/comment.go
index bfad3935fb..61d49cf7b6 100644
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@@ -19,7 +19,9 @@ import (
 	project_model "forgejo.org/models/project"
 	repo_model "forgejo.org/models/repo"
 	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/cache"
 	"forgejo.org/modules/container"
+	"forgejo.org/modules/git"
 	"forgejo.org/modules/gitrepo"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/log"
@@ -321,6 +323,8 @@ type Comment struct {
 	CommitsNum  int64                               `xorm:"-"`
 	IsForcePush bool                                `xorm:"-"`
 
+	reverseLineBlame *git.ReverseLineBlame `xorm:"-"`
+
 	// If you add new fields that might be used to store abusive content (mainly string fields),
 	// please also add them in the CommentData struct and the corresponding constructor.
 }
@@ -744,6 +748,55 @@ func (c *Comment) UnsignedLine() uint64 {
 	return uint64(c.Line)
 }
 
+func (c *Comment) ResolveCurrentLine(ctx context.Context, repo *repo_model.Repository, currentHead string) (*git.ReverseLineBlame, error) {
+	if c.reverseLineBlame != nil {
+		return c.reverseLineBlame, nil
+	}
+
+	// When a PR is viewed, the requirement to perform `git blame --reverse...` on every comment is a bit of a
+	// performance risk. To minimize this risk, cache the results relative to the requested head, so it only needs to be
+	// recalculated when head changes (or on cache eviction).
+	//
+	// Some performance testing was done which showed that a hot cache is much faster than the blame reverse
+	// operation -- 500-1000x runtime difference:
+	//
+	// - cache miss (Forgejo repo)      took 7,690,574 ns
+	// - cache miss (~1000 commit repo) took 1,671,223 ns
+	// - cache hit (in-memory adapter)  took     3,710 ns
+	// - cache hit (redis adapter)      took    77,311 ns
+	resolveJSON, err := cache.GetString(fmt.Sprintf("comment.Resolve;ID=%d;HEAD=%s", c.ID, currentHead), func() (string, error) {
+		gitRepo, closer, err := gitrepo.RepositoryFromContextOrOpen(ctx, repo)
+		if err != nil {
+			return "", fmt.Errorf("failed to open repo: %w", err)
+		}
+		defer closer.Close()
+
+		reverseBlame, err := gitRepo.ReverseLineBlame(c.CommitSHA, c.TreePath, c.UnsignedLine(), currentHead)
+		if err != nil {
+			return "", fmt.Errorf("failed to perform `git blame --reverse` to resolve current line for comment (id=%d): %w", c.ID, err)
+		}
+
+		data, err := json.Marshal(reverseBlame)
+		if err != nil {
+			return "", err
+		}
+
+		return string(data), nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var reverseBlame *git.ReverseLineBlame
+	err = json.Unmarshal([]byte(resolveJSON), &reverseBlame)
+	if err != nil {
+		return nil, err
+	}
+
+	c.reverseLineBlame = reverseBlame
+	return c.reverseLineBlame, nil
+}
+
 // CodeCommentLink returns the url to a comment in code
 func (c *Comment) CodeCommentLink(ctx context.Context) string {
 	err := c.LoadIssue(ctx)
diff --git a/models/issues/comment_code.go b/models/issues/comment_code.go
index 800d1e830e..cc46541743 100644
--- a/models/issues/comment_code.go
+++ b/models/issues/comment_code.go
@@ -7,7 +7,10 @@ import (
 	"context"
 
 	"forgejo.org/models/db"
+	repo_model "forgejo.org/models/repo"
 	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/git"
+	"forgejo.org/modules/log"
 	"forgejo.org/modules/markup"
 	"forgejo.org/modules/markup/markdown"
 
@@ -23,33 +26,62 @@ type CodeConversationsAtLine map[int64][]CodeConversation
 // CodeConversationsAtLineAndTreePath contains the conversations for a given TreePath and line
 type CodeConversationsAtLineAndTreePath map[string]CodeConversationsAtLine
 
-func newCodeConversationsAtLineAndTreePath(comments []*Comment) CodeConversationsAtLineAndTreePath {
+func newCodeConversationsAtLineAndTreePath(ctx context.Context, comments []*Comment, repo *repo_model.Repository, headCommitID string) (CodeConversationsAtLineAndTreePath, error) {
 	tree := make(CodeConversationsAtLineAndTreePath)
 	for _, comment := range comments {
-		tree.insertComment(comment)
+		blame, err := comment.ResolveCurrentLine(ctx, repo, headCommitID)
+		if err != nil {
+			// ResolveCurrentLine can fail in at least one known situation -- where a comment is left on a line in a
+			// file that is being deleted. The blame would be for the commit that deleted the file, and a reverse git
+			// blame won't work because the file is missing in the target sha.
+			log.Warn("ResolveCurrentLine failed: %s", err.Error())
+			// handle gracefully -- insertComment will use the original values which may be usable
+			blame = nil
+		} else if blame.CommitID != headCommitID {
+			// Commit was made on a line that can't be reverse-blamed to the currently viewing head. This can happen
+			// because:
+			//  - line of code was removed between the commit it was tagged on, and the head commit
+			//  - force push on the repo caused there to be no git relationship between blame.CommitID->headCommitID
+			// We won't insert this comment into the comment tree because we don't know where to place it; it may appear
+			// when the user views a different commit in the PR, and it will always appear on the "Conversations" tab.
+			continue
+		}
+		tree.insertComment(comment, blame)
 	}
-	return tree
+	return tree, nil
 }
 
-func (tree CodeConversationsAtLineAndTreePath) insertComment(comment *Comment) {
+func (tree CodeConversationsAtLineAndTreePath) insertComment(comment *Comment, blame *git.ReverseLineBlame) {
+	treePath := comment.TreePath
+	line := comment.Line
+	if blame != nil {
+		treePath = blame.FilePath
+		line = int64(blame.LineNumber)
+		if comment.Line < 0 {
+			line *= -1
+		}
+	}
+
 	// attempt to append comment to existing conversations (i.e. list of comments belonging to the same review)
-	for i, conversation := range tree[comment.TreePath][comment.Line] {
+	for i, conversation := range tree[treePath][line] {
 		if conversation[0].ReviewID == comment.ReviewID {
-			tree[comment.TreePath][comment.Line][i] = append(conversation, comment)
+			tree[treePath][line][i] = append(conversation, comment)
 			return
 		}
 	}
 
 	// no previous conversation was found at this line, create it
-	if tree[comment.TreePath] == nil {
-		tree[comment.TreePath] = make(map[int64][]CodeConversation)
+	if tree[treePath] == nil {
+		tree[treePath] = make(map[int64][]CodeConversation)
 	}
 
-	tree[comment.TreePath][comment.Line] = append(tree[comment.TreePath][comment.Line], CodeConversation{comment})
+	tree[treePath][line] = append(tree[treePath][line], CodeConversation{comment})
 }
 
-// FetchCodeConversations will return a 2d-map: ["Path"]["Line"] = List of CodeConversation (one per review) for this line
-func FetchCodeConversations(ctx context.Context, issue *Issue, doer *user_model.User, showOutdatedComments bool) (CodeConversationsAtLineAndTreePath, error) {
+// FetchCodeConversations will return a 2d-map: ["Path"]["Line"] = List of CodeConversation (one per review) for this
+// line. headCommitID will be used to reverse-blame the comment into the correct path & line for the current context
+// that is being viewed.
+func FetchCodeConversations(ctx context.Context, issue *Issue, doer *user_model.User, showOutdatedComments bool, headCommitID string) (CodeConversationsAtLineAndTreePath, error) {
 	opts := FindCommentsOptions{
 		Type:    CommentTypeCode,
 		IssueID: issue.ID,
@@ -59,7 +91,7 @@ func FetchCodeConversations(ctx context.Context, issue *Issue, doer *user_model.
 		return nil, err
 	}
 
-	return newCodeConversationsAtLineAndTreePath(comments), nil
+	return newCodeConversationsAtLineAndTreePath(ctx, comments, issue.Repo, headCommitID)
 }
 
 // CodeComments represents comments on code by using this structure: FILENAME -> LINE (+ == proposed; - == previous) -> COMMENTS
diff --git a/models/issues/comment_test.go b/models/issues/comment_test.go
index da87b8ec2f..ea59d4f215 100644
--- a/models/issues/comment_test.go
+++ b/models/issues/comment_test.go
@@ -63,7 +63,7 @@ func TestFetchCodeConversations(t *testing.T) {
 		unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 4}),
 		user, true))
 
-	res, err := issues_model.FetchCodeConversations(db.DefaultContext, issue, user, false)
+	res, err := issues_model.FetchCodeConversations(db.DefaultContext, issue, user, false, "")
 	require.NoError(t, err)
 	require.Contains(t, res, "README.md")
 	require.Contains(t, res["README.md"], int64(4))
@@ -77,7 +77,7 @@ func TestFetchCodeConversations(t *testing.T) {
 	assert.NotNil(t, r.User)
 
 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-	res, err = issues_model.FetchCodeConversations(db.DefaultContext, issue, user2, false)
+	res, err = issues_model.FetchCodeConversations(db.DefaultContext, issue, user2, false, "")
 	require.NoError(t, err)
 	assert.Len(t, res, 1)
 }
diff --git a/modules/git/repo_blame.go b/modules/git/repo_blame.go
index 50f4c572d5..d760898ac6 100644
--- a/modules/git/repo_blame.go
+++ b/modules/git/repo_blame.go
@@ -65,3 +65,97 @@ func (repo *Repository) LineBlame(revision, file string, line uint64) (*Commit,
 
 	return commit, originalLineNo, nil
 }
+
+type ReverseLineBlame struct {
+	CommitID   string
+	LineNumber uint64
+	FilePath   string
+}
+
+// Reverses the effect of [LineBlame]. If a file was modified at originalLine number in originalRevision,
+// ReverseLineBlame will identify the last commit up-to-and-including currentRevision where that line exists, including
+// its new path and line number. If the returned commit is not the same as currentRevision, then it indicates that
+// content can no longer be located in currentRevision, and the returned commit is the last commit that had it.
+func (repo *Repository) ReverseLineBlame(originalRevision, file string, originalLine uint64, currentRevision string) (*ReverseLineBlame, error) {
+	if originalRevision == currentRevision {
+		// Would cause an error to run the reverse, "fatal: More than one commit to dig up from, (N) and (N)"
+		return &ReverseLineBlame{
+			CommitID:   originalRevision,
+			LineNumber: originalLine,
+			FilePath:   file,
+		}, nil
+	}
+
+	res, _, gitErr := NewCommand(repo.Ctx, "blame").
+		AddOptionValues("--reverse").
+		AddDynamicArguments(fmt.Sprintf("%s..%s", originalRevision, currentRevision)).
+		AddOptionFormat("-L %d,%d", originalLine, originalLine).
+		AddOptionValues("-p").
+		AddDashesAndList(file).RunStdString(&RunOpts{Dir: repo.Path})
+	if gitErr != nil {
+		return nil, gitErr
+	}
+
+	// Example output:
+	//
+	// 74be0e8aa338d1374ab7ca0a25a4f594955a69c2 16 9 1
+	// author FirstName LastName
+	// author-mail <author@example.org>
+	// author-time 1775492007
+	// author-tz -0600
+	// committer FirstName LastName
+	// committer-mail <author@example.org>
+	// committer-time 1775492007
+	// committer-tz -0600
+	// summary restore file-in-base to orig, now not present in diff
+	// filename README.md
+	//
+	// Header (https://git-scm.com/docs/git-blame#_the_porcelain_format):
+	// - 40-byte SHA-1 of the commit the line is attributed to;
+	// - the line number of the line in the original file; [note: opposite in reverse]
+	// - the line number of the line in the final file; [note: opposite in reverse]
+	// - on a line that starts a group of lines from a different commit than the previous one, the number of lines in
+	//   this group. On subsequent lines this field is absent.
+
+	lines := strings.Split(res, "\n")
+
+	header := lines[0]
+	headerValues := strings.Split(header, " ")
+	if len(headerValues) < 2 {
+		return nil, fmt.Errorf("failed to parse blame --reverse header: %q", header)
+	}
+
+	objectFormat, err := repo.GetObjectFormat()
+	if err != nil {
+		return nil, err
+	}
+	objectIDLen := objectFormat.FullLength()
+	objectID := headerValues[0]
+	if len(objectID) != objectIDLen {
+		return nil, fmt.Errorf("output of blame is invalid, cannot contain commit ID: %s", objectID)
+	}
+	commit, err := repo.GetCommit(objectID)
+	if err != nil {
+		return nil, fmt.Errorf("GetCommit: %w", err)
+	}
+
+	currentLineStr := headerValues[1]
+	currentLineNo, err := strconv.ParseUint(currentLineStr, 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("strconv.ParseUint: %w", err)
+	}
+
+	var filename string
+	for _, otherLine := range lines {
+		if strings.HasPrefix(otherLine, "filename ") {
+			filename = otherLine[len("filename "):]
+			break
+		}
+	}
+
+	return &ReverseLineBlame{
+		CommitID:   commit.ID.String(),
+		LineNumber: currentLineNo,
+		FilePath:   filename,
+	}, nil
+}
diff --git a/modules/git/repo_blame_test.go b/modules/git/repo_blame_test.go
index 4ddd5d9c3f..5803d082f0 100644
--- a/modules/git/repo_blame_test.go
+++ b/modules/git/repo_blame_test.go
@@ -89,11 +89,23 @@ func TestLineBlame(t *testing.T) {
 			assert.Equal(t, firstCommit, commit.ID.String())
 			assert.EqualValues(t, 1, lineno)
 
+			rev, err := gitRepo.ReverseLineBlame(commit.ID.String(), "ANSWER", lineno, secondCommit)
+			require.NoError(t, err)
+			assert.Equal(t, secondCommit, rev.CommitID)
+			assert.Equal(t, "ANSWER", rev.FilePath)
+			assert.EqualValues(t, 10, rev.LineNumber)
+
 			for i := range uint64(9) {
 				commit, lineno, err = gitRepo.LineBlame("HEAD", "ANSWER", i+1)
 				require.NoError(t, err)
 				assert.Equal(t, secondCommit, commit.ID.String())
 				assert.Equal(t, i+1, lineno)
+
+				rev, err := gitRepo.ReverseLineBlame(commit.ID.String(), "ANSWER", lineno, secondCommit)
+				require.NoError(t, err)
+				assert.Equal(t, secondCommit, rev.CommitID)
+				assert.Equal(t, "ANSWER", rev.FilePath)
+				assert.Equal(t, i+1, rev.LineNumber)
 			}
 		}
 
@@ -108,3 +120,66 @@ func TestLineBlame(t *testing.T) {
 		})
 	})
 }
+
+func TestReverseLineBlame(t *testing.T) {
+	t.Run("single commit", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		require.NoError(t, InitRepository(t.Context(), tmpDir, false, Sha1ObjectFormat.Name()))
+
+		gitRepo, err := OpenRepository(t.Context(), tmpDir)
+		require.NoError(t, err)
+		defer gitRepo.Close()
+
+		require.NoError(t, os.WriteFile(path.Join(tmpDir, "file1.md"), []byte("abba\n"), 0o666))
+		require.NoError(t, AddChanges(tmpDir, true))
+		require.NoError(t, CommitChanges(tmpDir, CommitChangesOptions{Message: "abba spelt backwards"}))
+
+		commit, err := gitRepo.GetRefCommitID("HEAD")
+		require.NoError(t, err)
+
+		blameCommit, lineno, err := gitRepo.LineBlame("HEAD", "file1.md", 1)
+		require.NoError(t, err)
+		assert.Equal(t, commit, blameCommit.ID.String())
+		assert.EqualValues(t, 1, lineno)
+
+		rev, err := gitRepo.ReverseLineBlame(commit, "file1.md", lineno, commit)
+		require.NoError(t, err)
+		assert.Equal(t, commit, rev.CommitID)
+		assert.Equal(t, "file1.md", rev.FilePath)
+		assert.EqualValues(t, 1, rev.LineNumber)
+	})
+
+	t.Run("move file", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		require.NoError(t, InitRepository(t.Context(), tmpDir, false, Sha1ObjectFormat.Name()))
+
+		gitRepo, err := OpenRepository(t.Context(), tmpDir)
+		require.NoError(t, err)
+		defer gitRepo.Close()
+
+		require.NoError(t, os.WriteFile(path.Join(tmpDir, "file1.md"), []byte("abba\n"), 0o666))
+		require.NoError(t, AddChanges(tmpDir, true))
+		require.NoError(t, CommitChanges(tmpDir, CommitChangesOptions{Message: "abba spelt backwards"}))
+
+		firstCommit, err := gitRepo.GetRefCommitID("HEAD")
+		require.NoError(t, err)
+
+		require.NoError(t, os.Rename(path.Join(tmpDir, "file1.md"), path.Join(tmpDir, "file2.md")))
+		require.NoError(t, AddChanges(tmpDir, true))
+		require.NoError(t, CommitChanges(tmpDir, CommitChangesOptions{Message: "move file"}))
+
+		secondCommit, err := gitRepo.GetRefCommitID("HEAD")
+		require.NoError(t, err)
+
+		blameCommit, lineno, err := gitRepo.LineBlame("HEAD", "file2.md", 1)
+		require.NoError(t, err)
+		assert.Equal(t, firstCommit, blameCommit.ID.String())
+		assert.EqualValues(t, 1, lineno)
+
+		rev, err := gitRepo.ReverseLineBlame(firstCommit, "file1.md", lineno, secondCommit)
+		require.NoError(t, err)
+		assert.Equal(t, secondCommit, rev.CommitID)
+		assert.Equal(t, "file2.md", rev.FilePath)
+		assert.EqualValues(t, 1, rev.LineNumber)
+	})
+}
diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
index dc36d2de68..4a8217c719 100644
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -1099,7 +1099,7 @@ func viewPullFiles(ctx *context.Context, specifiedStartCommit, specifiedEndCommi
 		"numberOfViewedFiles": diff.NumViewedFiles,
 	}
 
-	if err = diff.LoadComments(ctx, issue, ctx.Doer, ctx.Data["ShowOutdatedComments"].(bool)); err != nil {
+	if err = diff.LoadComments(ctx, issue, ctx.Doer, ctx.Data["ShowOutdatedComments"].(bool), endCommitID); err != nil {
 		ctx.ServerError("LoadComments", err)
 		return
 	}
diff --git a/services/gitdiff/gitdiff.go b/services/gitdiff/gitdiff.go
index c1d0bc0107..fa3c26f149 100644
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -487,8 +487,8 @@ type Diff struct {
 }
 
 // LoadComments loads comments into each line
-func (diff *Diff) LoadComments(ctx context.Context, issue *issues_model.Issue, currentUser *user_model.User, showOutdatedComments bool) error {
-	allConversations, err := issues_model.FetchCodeConversations(ctx, issue, currentUser, showOutdatedComments)
+func (diff *Diff) LoadComments(ctx context.Context, issue *issues_model.Issue, currentUser *user_model.User, showOutdatedComments bool, headCommitID string) error {
+	allConversations, err := issues_model.FetchCodeConversations(ctx, issue, currentUser, showOutdatedComments, headCommitID)
 	if err != nil {
 		return err
 	}
diff --git a/services/gitdiff/gitdiff_test.go b/services/gitdiff/gitdiff_test.go
index 7ba439be35..9748bf3828 100644
--- a/services/gitdiff/gitdiff_test.go
+++ b/services/gitdiff/gitdiff_test.go
@@ -600,7 +600,7 @@ func TestDiff_LoadCommentsNoOutdated(t *testing.T) {
 	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 	diff := setupDefaultDiff()
-	require.NoError(t, diff.LoadComments(db.DefaultContext, issue, user, false))
+	require.NoError(t, diff.LoadComments(db.DefaultContext, issue, user, false, ""))
 	assert.Len(t, diff.Files[0].Sections[0].Lines[0].Conversations, 2)
 }
 
@@ -610,7 +610,7 @@ func TestDiff_LoadCommentsWithOutdated(t *testing.T) {
 	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 	diff := setupDefaultDiff()
-	require.NoError(t, diff.LoadComments(db.DefaultContext, issue, user, true))
+	require.NoError(t, diff.LoadComments(db.DefaultContext, issue, user, true, ""))
 	assert.Len(t, diff.Files[0].Sections[0].Lines[0].Conversations, 2)
 	assert.Len(t, diff.Files[0].Sections[0].Lines[0].Conversations[0], 2)
 	assert.Len(t, diff.Files[0].Sections[0].Lines[0].Conversations[1], 1)
diff --git a/tests/integration/pull_review_test.go b/tests/integration/pull_review_test.go
index 69628e08b5..1a60c1ea11 100644
--- a/tests/integration/pull_review_test.go
+++ b/tests/integration/pull_review_test.go
@@ -6,6 +6,7 @@ package integration
 
 import (
 	"bytes"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
@@ -13,11 +14,13 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"slices"
 	"strconv"
 	"strings"
 	"testing"
 	"time"
 
+	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	issues_model "forgejo.org/models/issues"
 	repo_model "forgejo.org/models/repo"
@@ -26,7 +29,9 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/gitrepo"
+	"forgejo.org/modules/optional"
 	repo_module "forgejo.org/modules/repository"
+	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
 	issue_service "forgejo.org/services/issue"
 	"forgejo.org/services/mailer"
@@ -35,8 +40,10 @@ import (
 	"forgejo.org/tests"
 
 	"github.com/PuerkitoBio/goquery"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/net/html"
 )
 
 func TestPullView_ReviewerMissed(t *testing.T) {
@@ -1048,3 +1055,659 @@ func TestPullRequestStaleReview(t *testing.T) {
 		})
 	})
 }
+
+func TestPullRequestCommentPlacement(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		t.Run("comment directly on change in PR", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			commitSHA := tester.changeFile("file1.md",
+				strings.Replace(tester.fileContent, "Line 50\n", "Line 50--modified\n", 1))
+			tester.createPR()
+
+			comment := tester.commentFromFilesChanged("file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -48,3 +48,3 @@
+ Line 48
+ Line 49
+-Line 50
++Line 50--modified`, comment.PatchQuoted)
+			assert.Equal(t, "proposed", comment.DiffSide())
+			assert.EqualValues(t, 50, comment.Line)
+			assert.Equal(t, commitSHA, comment.CommitSHA)
+
+			diff := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowAddCode, code: "Line 50--modified"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff)
+			tester.assertCommitDiff(commitSHA, diff)
+		})
+
+		t.Run("comment lands on blame from commit within PR", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Modify an earlier part of the file in one commit, and a later part of the file in a second commit.
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 25\n", "Line 25--modified\n", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			content = strings.Replace(content, "Line 75\n", "Line 75--modified\n", 1)
+			commit2 := tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			// Comment on the earlier change, from the "Files changed" view; this should "git blame" and be asociated
+			// with the first commit where that change was made, therefore appearing on the commit-specific diff later:
+			comment := tester.commentFromFilesChanged("file1.md", 25)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -23,3 +23,3 @@
+ Line 23
+ Line 24
+-Line 25
++Line 25--modified`, comment.PatchQuoted)
+			assert.Equal(t, "proposed", comment.DiffSide())
+			assert.EqualValues(t, 25, comment.Line)
+			assert.Equal(t, commit1, comment.CommitSHA)
+
+			diff25 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 24"},
+				{rowType: RowDelCode, code: "Line 25"},
+				{rowType: RowAddCode, code: "Line 25--modified"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 26"},
+			}
+			tester.assertFilesChangedDiff(diff25)
+			tester.assertCommitDiff(commit1, diff25)
+
+			diff75 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 74"},
+				{rowType: RowDelCode, code: "Line 75"},
+				{rowType: RowAddCode, code: "Line 75--modified"},
+				{rowType: RowHasCode, code: "Line 76"},
+			}
+			tester.assertFilesChangedDiff(diff75)
+			tester.assertCommitDiff(commit2, diff75)
+		})
+
+		t.Run("comment lands on blame commit from before PR", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Modify line 50...
+			commitSHA := tester.changeFile("file1.md",
+				strings.Replace(tester.fileContent, "Line 50\n", "Line 50--modified\n", 1))
+			tester.createPR()
+
+			// But while viewing line 50's diff, place a comment on line 49.  This will "git blame" to a commit outside
+			// of this PR, but that's fine...
+			comment := tester.commentFromFilesChanged("file1.md", 49)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -47,7 +47,7 @@ Line 46
+ Line 47
+ Line 48
+ Line 49`, comment.PatchQuoted)
+			assert.Equal(t, "proposed", comment.DiffSide())
+			assert.EqualValues(t, 49, comment.Line)
+			assert.NotEqual(t, commitSHA, comment.CommitSHA)
+
+			diff := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 48"},
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowAddCode, code: "Line 50--modified"},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff)
+			tester.assertCommitDiff(commitSHA, diff)
+		})
+
+		t.Run("comment on line moves due to a following commit", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Modify line 50
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "Line 50--modified\n", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			// Place a comment on "Line 50--modified"
+			comment := tester.commentFromFilesChanged("file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -48,3 +48,3 @@
+ Line 48
+ Line 49
+-Line 50
++Line 50--modified`, comment.PatchQuoted)
+			assert.Equal(t, "proposed", comment.DiffSide())
+			assert.EqualValues(t, 50, comment.Line)
+			assert.Equal(t, commit1, comment.CommitSHA)
+
+			// Add a second commit to the PR which removes  "Line 1" - "Line 10".
+			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
+			commit2 := tester.changeFile("file1.md", content)
+
+			diff2 := []diffTableRow{
+				{rowType: RowDelCode, code: "Line 9"},
+				{rowType: RowDelCode, code: "Line 10"},
+				{rowType: RowHasCode, code: "Line 11"},
+			}
+			tester.assertFilesChangedDiff(diff2, "checking commit2 contents in full PR diff")
+			tester.assertCommitDiff(commit2, diff2, "checking commit2 contents in single-commit diff")
+
+			diff1 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowAddCode, code: "Line 50--modified"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff1, "checking commit1 contents in full PR diff")
+			tester.assertCommitDiff(commit1, diff1, "checking commit1 contents in single-commit diff")
+		})
+
+		t.Run("comment on line moves due to a following commit, following commit is rewritten and force-push'd", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Modify line 50
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "Line 50--modified\n", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			// Place a comment on "Line 50--modified"
+			comment := tester.commentFromFilesChanged("file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -48,3 +48,3 @@
+ Line 48
+ Line 49
+-Line 50
++Line 50--modified`, comment.PatchQuoted)
+			assert.Equal(t, "proposed", comment.DiffSide())
+			assert.EqualValues(t, 50, comment.Line)
+			assert.Equal(t, commit1, comment.CommitSHA)
+
+			// Add a second commit to the PR which removes  "Line 1" - "Line 10".
+			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
+			tester.changeFile("file1.md", content)
+
+			// Now amend commit2v1 with an additional change, causing a force push of the branch
+			tester.withBranchCheckout(func(repoPath string) {
+				content = strings.Replace(content, "Line 11\n", "", 1) // Remove Line 11 as well
+				require.NoError(t, os.WriteFile(path.Join(repoPath, "file1.md"), []byte(content), 0o644))
+				require.NoError(t, git.NewCommand(t.Context(), "commit", "-a", "--amend", "--no-edit").Run(&git.RunOpts{Dir: repoPath}))
+				require.NoError(t, git.NewCommand(t.Context(), "push", "--force").Run(&git.RunOpts{Dir: repoPath}))
+			})
+
+			diff2 := []diffTableRow{
+				{rowType: RowDelCode, code: "Line 10"},
+				{rowType: RowDelCode, code: "Line 11"},
+				{rowType: RowHasCode, code: "Line 12"},
+			}
+			tester.assertFilesChangedDiff(diff2, "checking commit2 (force push) contents in full PR diff")
+
+			diff1 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowAddCode, code: "Line 50--modified"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff1, "checking commit1 contents in full PR diff")
+			tester.assertCommitDiff(commit1, diff1, "checking commit1 contents in single-commit diff")
+		})
+
+		t.Run("comment on line commit is rewritten and force-push'd", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Modify line 50
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "Line 50--modified\n", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			// Place a comment on "Line 50--modified"
+			comment := tester.commentFromFilesChanged("file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -48,3 +48,3 @@
+ Line 48
+ Line 49
+-Line 50
++Line 50--modified`, comment.PatchQuoted)
+			assert.Equal(t, "proposed", comment.DiffSide())
+			assert.EqualValues(t, 50, comment.Line)
+			assert.Equal(t, commit1, comment.CommitSHA)
+
+			// Add a second commit to the PR which removes  "Line 1" - "Line 10".
+			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
+			commit2 := tester.changeFile("file1.md", content)
+
+			// Now, reorganize these commits, so that it's main->commit2->commit1 on the branch, rather than
+			// main->commit1->commit2. Then force push the branch.
+			tester.withBranchCheckout(func(repoPath string) {
+				// move commit2 onto main, off commit1
+				require.NoError(t,
+					git.NewCommand(t.Context(), "rebase").
+						AddArguments("--onto").AddDynamicArguments(tester.initialSHA).
+						AddDynamicArguments(commit1).
+						AddDynamicArguments(commit2).
+						Run(&git.RunOpts{Dir: repoPath}))
+				// move commit1 onto HEAD, off main
+				require.NoError(t,
+					git.NewCommand(t.Context(), "rebase").
+						AddArguments("--onto").AddDynamicArguments("HEAD").
+						AddDynamicArguments(tester.initialSHA).
+						AddDynamicArguments(commit1).
+						Run(&git.RunOpts{Dir: repoPath}))
+
+				// delete branch for the PR
+				has, branch := tester.branch.Get()
+				require.True(t, has)
+				require.NoError(t,
+					git.NewCommand(t.Context(), "branch").
+						AddArguments("-D").AddDynamicArguments(branch).
+						Run(&git.RunOpts{Dir: repoPath}))
+				// call HEAD as the branch
+				require.NoError(t,
+					git.NewCommand(t.Context(), "branch").
+						AddDynamicArguments(branch).
+						Run(&git.RunOpts{Dir: repoPath}))
+
+				// force push the rebuilt branch
+				require.NoError(t, git.NewCommand(t.Context(), "push", "--force", "origin").AddDynamicArguments(branch).Run(&git.RunOpts{Dir: repoPath}))
+			})
+
+			diff2 := []diffTableRow{
+				{rowType: RowDelCode, code: "Line 10"},
+				{rowType: RowHasCode, code: "Line 11"},
+			}
+			tester.assertFilesChangedDiff(diff2, "checking commit2 (force push) contents in full PR diff")
+
+			diff1 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowAddCode, code: "Line 50--modified"},
+				// no comment visible anymore; force push has lost its place at this time
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff1, "checking commit1 contents in full PR diff")
+		})
+
+		t.Run("comment lands on blame with original line number varying from current", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Remove "Line 1" - "Line 10", on the base branch. If you "git blame" Line 50 at that point, it will have
+			// an original line number 50, but actually be appearing at line number index 40, causing wrong outputs.
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
+			tester.changeFileOnBase("file1.md", content)
+
+			// Now modify "Line 51" in a PR:
+			commitSHA := tester.changeFile("file1.md", strings.Replace(content, "Line 51\n", "Line 51--modified\n", 1))
+			tester.createPR()
+
+			// Place a comment on "Line 50", which would "git blame" to the original commit and line number 50, even
+			// though it's now actually at line number 40.
+			comment := tester.commentFromFilesChanged("file1.md", lineNumber(content, "Line 50"))
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -38,7 +38,7 @@ Line 47
+ Line 48
+ Line 49
+ Line 50`, comment.PatchQuoted)
+			assert.Equal(t, "proposed", comment.DiffSide())
+			assert.EqualValues(t, 50, comment.Line)
+			assert.Equal(t, tester.initialSHA, comment.CommitSHA)
+
+			diff := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowHasCode, code: "Line 50"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowDelCode, code: "Line 51"},
+				{rowType: RowAddCode, code: "Line 51--modified"},
+				{rowType: RowHasCode, code: "Line 52"},
+			}
+			tester.assertFilesChangedDiff(diff)
+			tester.assertCommitDiff(commitSHA, diff)
+		})
+	})
+}
+
+type PullRequestCommentPlacementTester struct {
+	t           *testing.T
+	user        *user_model.User
+	session     *TestSession
+	apiToken    string
+	fileContent string
+	repo        *repo_model.Repository
+	initialSHA  string
+	branch      optional.Option[string]
+	pr          *api.PullRequest
+}
+
+func newPullRequestCommentPlacementTester(t *testing.T) *PullRequestCommentPlacementTester {
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteIssue)
+	session := loginUser(t, user2.Name)
+
+	var content strings.Builder
+	for i := range 100 {
+		content.WriteString(fmt.Sprintf("Line %d\n", i+1)) // +1 -> make "Line N" appear on the Nth line and avoid off-by-one confusions
+	}
+
+	repo, initialSHA, reset := tests.CreateDeclarativeRepoWithOptions(t, user2, tests.DeclarativeRepoOptions{
+		Files: optional.Some([]*files_service.ChangeRepoFile{
+			{
+				Operation:     "create",
+				TreePath:      "file1.md",
+				ContentReader: strings.NewReader(content.String()),
+			},
+			{
+				Operation:     "create",
+				TreePath:      "file2.md",
+				ContentReader: strings.NewReader(content.String()),
+			},
+		}),
+	})
+	t.Cleanup(reset)
+
+	return &PullRequestCommentPlacementTester{
+		t:           t,
+		user:        user2,
+		session:     session,
+		apiToken:    token,
+		fileContent: content.String(),
+		repo:        repo,
+		initialSHA:  initialSHA,
+	}
+}
+
+func (tester *PullRequestCommentPlacementTester) changeFileOnBranch(sourceBranch, targetBranch string, targetBranchIsNew bool, filename, newContent string) string {
+	req := NewRequest(tester.t,
+		"GET",
+		fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s?ref=%s", tester.repo.OwnerName, tester.repo.Name, filename, sourceBranch)).
+		AddTokenAuth(tester.apiToken)
+	resp := MakeRequest(tester.t, req, http.StatusOK)
+	var existingFile api.ContentsResponse
+	DecodeJSON(tester.t, resp, &existingFile)
+
+	opts := api.UpdateFileOptions{
+		DeleteFileOptions: api.DeleteFileOptions{
+			SHA: existingFile.SHA,
+		},
+		ContentBase64: base64.StdEncoding.EncodeToString([]byte(newContent)),
+	}
+	if targetBranchIsNew {
+		opts.DeleteFileOptions.FileOptions.NewBranchName = targetBranch
+	} else {
+		opts.DeleteFileOptions.FileOptions.BranchName = targetBranch
+	}
+	req = NewRequestWithJSON(tester.t,
+		"PUT",
+		fmt.Sprintf("/api/v1/repos/%s/%s/contents/%s", tester.repo.OwnerName, tester.repo.Name, filename),
+		opts).AddTokenAuth(tester.apiToken)
+	resp = MakeRequest(tester.t, req, http.StatusOK)
+	var updateFileResponse api.FileResponse
+	DecodeJSON(tester.t, resp, &updateFileResponse)
+
+	return updateFileResponse.Commit.SHA
+}
+
+func (tester *PullRequestCommentPlacementTester) changeFileOnBase(filename, newContent string) string {
+	return tester.changeFileOnBranch(tester.repo.DefaultBranch, tester.repo.DefaultBranch, false, filename, newContent)
+}
+
+func (tester *PullRequestCommentPlacementTester) changeFile(filename, newContent string) string {
+	var sourceBranch string // where to get the file's last SHA from
+	branchExists, branch := tester.branch.Get()
+	if !branchExists {
+		branch = fmt.Sprintf("branch-%s", uuid.New().String())
+		tester.branch = optional.Some(branch)
+		sourceBranch = tester.repo.DefaultBranch
+	} else {
+		sourceBranch = branch
+	}
+	return tester.changeFileOnBranch(sourceBranch, branch, !branchExists, filename, newContent)
+}
+
+func (tester *PullRequestCommentPlacementTester) createPR() {
+	branchExists, branch := tester.branch.Get()
+	require.True(tester.t, branchExists)
+	req := NewRequestWithJSON(tester.t, "POST",
+		fmt.Sprintf("/api/v1/repos/%s/%s/pulls", tester.repo.OwnerName, tester.repo.Name),
+		&api.CreatePullRequestOption{
+			Head:  branch,
+			Base:  tester.repo.DefaultBranch,
+			Title: fmt.Sprintf("PR from branch %s", tester.branch),
+		}).AddTokenAuth(tester.apiToken)
+	resp := MakeRequest(tester.t, req, http.StatusCreated)
+	var pr api.PullRequest
+	DecodeJSON(tester.t, resp, &pr)
+	tester.pr = &pr
+}
+
+func (tester *PullRequestCommentPlacementTester) commentFromFilesChanged(filename string, line int) *issues_model.Comment {
+	commentContent := uuid.New().String()
+
+	req := NewRequest(tester.t, "GET",
+		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index))
+	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
+
+	doc := NewHTMLParser(tester.t, resp.Body)
+	req = NewRequestWithValues(tester.t, "POST",
+		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/comments", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index),
+		map[string]string{
+			"origin":           doc.GetInputValueByName("origin"),
+			"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
+			"side":             "proposed", // "proposed" (RHS) or "previous" (LHS)
+			"line":             strconv.Itoa(line),
+			"path":             filename,
+			"diff_start_cid":   doc.GetInputValueByName("diff_start_cid"),
+			"diff_end_cid":     doc.GetInputValueByName("diff_end_cid"),
+			"diff_base_cid":    doc.GetInputValueByName("diff_base_cid"),
+			"content":          commentContent,
+			"single_review":    "true",
+		})
+	tester.session.MakeRequest(tester.t, req, http.StatusOK)
+
+	comment := unittest.AssertExistsAndLoadBean(tester.t, &issues_model.Comment{Content: commentContent})
+	return comment
+}
+
+func (tester *PullRequestCommentPlacementTester) withBranchCheckout(action func(string)) {
+	dstPath := tester.t.TempDir()
+	cloneURL, _ := url.Parse(tester.repo.CloneLink().HTTPS)
+	cloneURL.User = url.UserPassword(tester.user.LoginName, userPassword)
+	require.NoError(tester.t, git.CloneWithArgs(tester.t.Context(), nil, cloneURL.String(), dstPath, git.CloneRepoOptions{}))
+	doGitSetRemoteURL(dstPath, "origin", cloneURL)(tester.t)
+
+	branchExists, branch := tester.branch.Get()
+	require.True(tester.t, branchExists)
+	require.NoError(tester.t, git.NewCommand(tester.t.Context(), "checkout").AddDynamicArguments(branch).Run(&git.RunOpts{Dir: dstPath}))
+
+	action(dstPath)
+}
+
+func (tester *PullRequestCommentPlacementTester) assertFilesChangedDiff(rowAssertions []diffTableRow, note ...string) {
+	req := NewRequest(tester.t, "GET",
+		fmt.Sprintf("/%s/%s/pulls/%d/files?show-outdated=true", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index))
+	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
+	doc := NewHTMLParser(tester.t, resp.Body)
+	var testNote string
+	if len(note) == 0 {
+		testNote = "contents in single-commit diff"
+	} else {
+		testNote = note[0]
+	}
+	assertDiffTable(tester.t, doc, rowAssertions, testNote)
+}
+
+func (tester *PullRequestCommentPlacementTester) assertCommitDiff(commitSHA string, rowAssertions []diffTableRow, note ...string) {
+	req := NewRequest(tester.t, "GET",
+		fmt.Sprintf("/%s/%s/pulls/%d/commits/%s?show-outdated=true", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, commitSHA))
+	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
+	doc := NewHTMLParser(tester.t, resp.Body)
+	var testNote string
+	if len(note) == 0 {
+		testNote = "contents in full PR diff"
+	} else {
+		testNote = note[0]
+	}
+	assertDiffTable(tester.t, doc, rowAssertions, testNote)
+}
+
+func lineNumber(content, line string) int {
+	return slices.Index(strings.Split(content, "\n"), line) + 1
+}
+
+type diffTableRowType int
+
+const (
+	RowHasCode diffTableRowType = iota
+	RowAddCode
+	RowDelCode
+	RowComment
+)
+
+type diffTableRow struct {
+	rowType diffTableRowType
+	// RowHasCode, RowAddCode, RowDelCode
+	code string
+	// RowComment
+	commentID int64
+}
+
+func nodeText(node *html.Node) string {
+	if node.Type == html.TextNode {
+		return node.Data
+	}
+	var builder strings.Builder
+	for child := range node.ChildNodes() {
+		childText := strings.TrimSpace(nodeText(child))
+		builder.WriteString(childText)
+	}
+	return builder.String()
+}
+
+func nodeAttr(node *html.Node, key string) string {
+	for _, attr := range node.Attr {
+		if attr.Key == key {
+			return attr.Val
+		}
+	}
+	return ""
+}
+
+func checkDiffTableRow(t *testing.T, tableRow *html.Node, rowAssertion diffTableRow) string {
+	switch rowAssertion.rowType {
+	case RowHasCode:
+		text := nodeText(tableRow)
+		if text != rowAssertion.code {
+			return fmt.Sprintf("wanted diff %q, but found diff %q", rowAssertion.code, text)
+		}
+	case RowDelCode:
+		dataLineType := nodeAttr(tableRow, "data-line-type")
+		if dataLineType != "del" {
+			return fmt.Sprintf("wanted delete code in diff, but found data-line-type=%q", dataLineType)
+		}
+		text := nodeText(tableRow)
+		if text != rowAssertion.code {
+			return fmt.Sprintf("wanted delete code with line %q, but found diff %q", rowAssertion.code, text)
+		}
+	case RowAddCode:
+		dataLineType := nodeAttr(tableRow, "data-line-type")
+		if dataLineType != "add" {
+			return fmt.Sprintf("wanted add code in diff, but found data-line-type=%q", dataLineType)
+		}
+		text := nodeText(tableRow)
+		if text != rowAssertion.code {
+			return fmt.Sprintf("wanted add code with line %q, but found diff %q", rowAssertion.code, text)
+		}
+	case RowComment:
+		class := nodeAttr(tableRow, "class")
+		if class != "add-comment" {
+			return fmt.Sprintf("wanted comment in diff, but found class=%q", class)
+		}
+		found := false
+		for desc := range tableRow.Descendants() {
+			descID := nodeAttr(desc, "id")
+			if descID == fmt.Sprintf("code-comments-%d", rowAssertion.commentID) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return fmt.Sprintf("wanted comment with ID %d, but could not be identified", rowAssertion.commentID)
+		}
+	}
+	return ""
+}
+
+func assertDiffTable(t *testing.T, doc *HTMLDoc, rowAssertions []diffTableRow, note string) {
+	require.NotEmpty(t, rowAssertions)
+
+	diffTable := doc.Find("table.chroma")
+	require.Equal(t, 1, diffTable.Length())
+
+	rows := diffTable.Find("tbody > tr[data-line-type]") // [data-line-type] is used to avoid matching tables within comment boxes
+
+	// Find the first row to match rowAssertions[0], and then we'll iterate from there matching each row exactly.
+	tableFirstRowIndex := 0
+	foundFirst := false
+	firstRowMismatches := []string{}
+	for ; tableFirstRowIndex < rows.Length(); tableFirstRowIndex++ {
+		mismatch := checkDiffTableRow(t, rows.Get(tableFirstRowIndex), rowAssertions[0])
+		if mismatch == "" {
+			foundFirst = true
+			break
+		}
+		firstRowMismatches = append(firstRowMismatches, mismatch)
+	}
+	if !foundFirst {
+		// We're going to fail because we couldn't find the first row in rowAssertions -- this can be tricky to debug so
+		// help out by outputting all the rows we looked at that didn't match:
+		t.Log("first row mismatches:")
+		for _, mm := range firstRowMismatches {
+			t.Logf("\t%s", mm)
+		}
+		require.Failf(t, "unable to find first row", "test %s: failed to find first row assertion", note)
+	}
+
+	for idx, assertion := range rowAssertions {
+		if idx == 0 { // skip first row assertion, already checked to find tableFirstRowIndex
+			continue
+		}
+
+		tableIdx := tableFirstRowIndex + idx
+		if tableIdx >= rows.Length() {
+			require.Failf(t, "ran out of table rows", "test %s: row assertion at index %d couldn't be satisfied", note, idx)
+		}
+
+		tableRow := rows.Get(tableIdx)
+		check := checkDiffTableRow(t, tableRow, assertion)
+		if check != "" {
+			assert.Failf(t, check, "test %s: row assertion at index %d couldn't be satisfied", note, idx)
+		}
+	}
+}

From 160cd930ff8dad7a880fc5890d255f7dfb237111 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 11 Apr 2026 22:16:09 +0200
Subject: [PATCH 104/287] Update module golang.org/x/net to v0.53.0 (forgejo)
 (#12069)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12069
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index d38a349c21..0088bd43ef 100644
--- a/go.mod
+++ b/go.mod
@@ -104,7 +104,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/crypto v0.50.0
 	golang.org/x/image v0.39.0
-	golang.org/x/net v0.52.0
+	golang.org/x/net v0.53.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
 	golang.org/x/sys v0.43.0
diff --git a/go.sum b/go.sum
index da2abee521..82b1a02a3e 100644
--- a/go.sum
+++ b/go.sum
@@ -789,8 +789,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

From 40aa3a5c7d2e5a69bb395391876f8ebce4aface7 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sat, 11 Apr 2026 23:10:34 +0200
Subject: [PATCH 105/287] fix: mark code comments as Outdated based upon
 line-of-code existence in current PR commit (#12054)

Currently when a commit is pushed to a branch, code comments are marked as Outdated if a `git blame` on the current commit's code returns the same commit as the `git blame` did when the comment was originally created.  This implementation doesn't make sense:
- It doesn't handle the case correctly where the same line of code exists unaltered in the new commit, but it has been relocated (eg. new lines entered or removed above the location).
- It falsely keeps the commit valid if the line of code that the comment was made upon has been removed, if, coincidentally, the line of code that now exists at the commit came from the same source commit.  For example, if the line of code that the comment was on was deleted, but the next line of code came from the same commit, the comment will be kept as valid.

This PR uses the logic introduced in #12015, using a `git blame --reverse` -- the commit & line that was identified as having the comment on it is reversed, and if it still exists in the new head, then the comment is considered valid.  Otherwise it is marked as outdated.

Automated tests are added primarily by revising the automated tests in #12015 -- a comment in an existing test case was marked as outdated, even though it shouldn't have been.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12054): <!--number 12054 --><!--line 0 --><!--description bWFyayBjb2RlIGNvbW1lbnRzIGFzIE91dGRhdGVkIGJhc2VkIHVwb24gbGluZS1vZi1jb2RlIGV4aXN0ZW5jZSBpbiBjdXJyZW50IFBSIGNvbW1pdA==-->mark code comments as Outdated based upon line-of-code existence in current PR commit<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12054
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 models/unittest/unit_tests.go         |  2 +-
 services/pull/pull.go                 | 11 +++--------
 services/pull/review.go               | 28 ++++++++++++++++++++++++---
 tests/integration/pull_review_test.go | 22 +++++++++++++++++++--
 4 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/models/unittest/unit_tests.go b/models/unittest/unit_tests.go
index 2fa49e443a..411777cb17 100644
--- a/models/unittest/unit_tests.go
+++ b/models/unittest/unit_tests.go
@@ -67,7 +67,7 @@ func BeanExists(t testing.TB, bean any, conditions ...any) bool {
 }
 
 // AssertExistsAndLoadBean assert that a bean exists and load it from the test database
-func AssertExistsAndLoadBean[T any](t testing.TB, bean T, conditions ...any) T {
+func AssertExistsAndLoadBean[T any](t require.TestingT, bean T, conditions ...any) T {
 	exists, err := LoadBeanIfExists(bean, conditions...)
 	require.NoError(t, err)
 	assert.True(t, exists,
diff --git a/services/pull/pull.go b/services/pull/pull.go
index 9cb957d021..03b7ce531b 100644
--- a/services/pull/pull.go
+++ b/services/pull/pull.go
@@ -263,22 +263,17 @@ func ChangeTargetBranch(ctx context.Context, pr *issues_model.PullRequest, doer
 	return nil
 }
 
-func checkForInvalidation(ctx context.Context, requests issues_model.PullRequestList, repoID int64, doer *user_model.User, branch string) error {
+func checkForInvalidation(ctx context.Context, requests issues_model.PullRequestList, repoID int64, doer *user_model.User, branch, newCommitID string) error {
 	repo, err := repo_model.GetRepositoryByID(ctx, repoID)
 	if err != nil {
 		return fmt.Errorf("GetRepositoryByIDCtx: %w", err)
 	}
-	gitRepo, err := gitrepo.OpenRepository(ctx, repo)
-	if err != nil {
-		return fmt.Errorf("gitrepo.OpenRepository: %w", err)
-	}
 	go func() {
 		// FIXME: graceful: We need to tell the manager we're doing something...
-		err := InvalidateCodeComments(ctx, requests, doer, gitRepo, branch)
+		err := InvalidateCodeComments(ctx, requests, doer, repo, branch, newCommitID)
 		if err != nil {
 			log.Error("PullRequestList.InvalidateCodeComments: %v", err)
 		}
-		gitRepo.Close()
 	}()
 	return nil
 }
@@ -340,7 +335,7 @@ func TestPullRequest(ctx context.Context, doer *user_model.User, repoID, olderTh
 		if err = requests.LoadAttributes(ctx); err != nil {
 			log.Error("PullRequestList.LoadAttributes: %v", err)
 		}
-		if invalidationErr := checkForInvalidation(ctx, requests, repoID, doer, branch); invalidationErr != nil {
+		if invalidationErr := checkForInvalidation(ctx, requests, repoID, doer, branch, newCommitID); invalidationErr != nil {
 			log.Error("checkForInvalidation: %v", invalidationErr)
 		}
 		if err == nil {
diff --git a/services/pull/review.go b/services/pull/review.go
index 760235325d..b8d4a30be8 100644
--- a/services/pull/review.go
+++ b/services/pull/review.go
@@ -42,7 +42,29 @@ func (err ErrDismissRequestOnClosedPR) Unwrap() error {
 
 // checkInvalidation checks if the line of code comment got changed by another commit.
 // If the line got changed the comment is going to be invalidated.
-func checkInvalidation(ctx context.Context, c *issues_model.Comment, repo *git.Repository, branch string) error {
+func checkInvalidation(ctx context.Context, c *issues_model.Comment, repo *repo_model.Repository, branch, newCommitID string) error {
+	if c.Line < 0 {
+		// Comment is on a removed line of code -- the `git blame --reverse` codepath doesn't work for this. Retain the
+		// originalbehaviour until a revision is done specific to removed lines:
+		gitRepo, closer, err := gitrepo.RepositoryFromContextOrOpen(ctx, repo)
+		if err != nil {
+			return fmt.Errorf("failed to open repo: %w", err)
+		}
+		defer closer.Close()
+		return obsoleteCheckInvalidation(ctx, c, gitRepo, branch)
+	}
+
+	reverseBlame, err := c.ResolveCurrentLine(ctx, repo, newCommitID)
+	if err != nil {
+		log.Warn("ResolveCurrentLine failed: %s", err.Error())
+	} else if reverseBlame.CommitID != newCommitID {
+		c.Invalidated = true
+		return issues_model.UpdateCommentInvalidate(ctx, c)
+	}
+	return nil
+}
+
+func obsoleteCheckInvalidation(ctx context.Context, c *issues_model.Comment, repo *git.Repository, branch string) error {
 	// FIXME differentiate between previous and proposed line
 	commit, _, err := repo.LineBlame(branch, c.TreePath, c.UnsignedLine())
 	if err != nil && (errors.Is(err, git.ErrBlameFileDoesNotExist) || errors.Is(err, git.ErrBlameFileNotEnoughLines)) {
@@ -60,7 +82,7 @@ func checkInvalidation(ctx context.Context, c *issues_model.Comment, repo *git.R
 }
 
 // InvalidateCodeComments will lookup the prs for code comments which got invalidated by change
-func InvalidateCodeComments(ctx context.Context, prs issues_model.PullRequestList, doer *user_model.User, repo *git.Repository, branch string) error {
+func InvalidateCodeComments(ctx context.Context, prs issues_model.PullRequestList, doer *user_model.User, repo *repo_model.Repository, branch, newCommitID string) error {
 	if len(prs) == 0 {
 		return nil
 	}
@@ -76,7 +98,7 @@ func InvalidateCodeComments(ctx context.Context, prs issues_model.PullRequestLis
 		return fmt.Errorf("find code comments: %v", err)
 	}
 	for _, comment := range codeComments {
-		if err := checkInvalidation(ctx, comment, repo, branch); err != nil {
+		if err := checkInvalidation(ctx, comment, repo, branch, newCommitID); err != nil {
 			return err
 		}
 	}
diff --git a/tests/integration/pull_review_test.go b/tests/integration/pull_review_test.go
index 1a60c1ea11..3c0ea62a9c 100644
--- a/tests/integration/pull_review_test.go
+++ b/tests/integration/pull_review_test.go
@@ -1242,6 +1242,7 @@ func TestPullRequestCommentPlacement(t *testing.T) {
 			assert.Equal(t, "proposed", comment.DiffSide())
 			assert.EqualValues(t, 50, comment.Line)
 			assert.Equal(t, commit1, comment.CommitSHA)
+			assert.False(t, comment.Invalidated)
 
 			// Add a second commit to the PR which removes  "Line 1" - "Line 10".
 			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
@@ -1271,6 +1272,11 @@ func TestPullRequestCommentPlacement(t *testing.T) {
 			}
 			tester.assertFilesChangedDiff(diff1, "checking commit1 contents in full PR diff")
 			tester.assertCommitDiff(commit1, diff1, "checking commit1 contents in single-commit diff")
+
+			// This comment can still be located in the diff, so it should not be marked as Invalidated/Outdated --
+			// which is kinda guaranteed by it being loaded in the diff, but for test sanity assert specifically.
+			commentReloaded := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: comment.ID})
+			assert.False(t, commentReloaded.Invalidated)
 		})
 
 		t.Run("comment on line commit is rewritten and force-push'd", func(t *testing.T) {
@@ -1296,6 +1302,7 @@ func TestPullRequestCommentPlacement(t *testing.T) {
 			assert.Equal(t, "proposed", comment.DiffSide())
 			assert.EqualValues(t, 50, comment.Line)
 			assert.Equal(t, commit1, comment.CommitSHA)
+			assert.False(t, comment.Invalidated)
 
 			// Add a second commit to the PR which removes  "Line 1" - "Line 10".
 			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
@@ -1350,6 +1357,17 @@ func TestPullRequestCommentPlacement(t *testing.T) {
 				{rowType: RowHasCode, code: "Line 51"},
 			}
 			tester.assertFilesChangedDiff(diff1, "checking commit1 contents in full PR diff")
+
+			// After the force push, the comment we originally left should be marked as invalidated since it can no
+			// longer be resolved to a code location in the PR head. The above tests validate that it no longer appears
+			// in the diff, but this will also happen because of the diff-side check for the correct location -- so
+			// let's check that it's invalidated as well, indicating that it will be shown in the UI as "Outdated". This
+			// usually passes on the first check but is wrapped in Eventually because the async goroutine used in the
+			// pull request testing when the branch is pushed may not be immediately complete.
+			assert.EventuallyWithT(t, func(t *assert.CollectT) {
+				commentReloaded := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: comment.ID})
+				assert.True(t, commentReloaded.Invalidated)
+			}, 1*time.Second, 50*time.Millisecond)
 		})
 
 		t.Run("comment lands on blame with original line number varying from current", func(t *testing.T) {
@@ -1551,7 +1569,7 @@ func (tester *PullRequestCommentPlacementTester) withBranchCheckout(action func(
 
 func (tester *PullRequestCommentPlacementTester) assertFilesChangedDiff(rowAssertions []diffTableRow, note ...string) {
 	req := NewRequest(tester.t, "GET",
-		fmt.Sprintf("/%s/%s/pulls/%d/files?show-outdated=true", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index))
+		fmt.Sprintf("/%s/%s/pulls/%d/files", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index))
 	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
 	doc := NewHTMLParser(tester.t, resp.Body)
 	var testNote string
@@ -1565,7 +1583,7 @@ func (tester *PullRequestCommentPlacementTester) assertFilesChangedDiff(rowAsser
 
 func (tester *PullRequestCommentPlacementTester) assertCommitDiff(commitSHA string, rowAssertions []diffTableRow, note ...string) {
 	req := NewRequest(tester.t, "GET",
-		fmt.Sprintf("/%s/%s/pulls/%d/commits/%s?show-outdated=true", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, commitSHA))
+		fmt.Sprintf("/%s/%s/pulls/%d/commits/%s", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, commitSHA))
 	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
 	doc := NewHTMLParser(tester.t, resp.Body)
 	var testNote string

From ca00f99c3fbc45550fb5d4e63e3ff29df5ee0886 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 12 Apr 2026 01:20:54 +0200
Subject: [PATCH 106/287] fix: when reviewing in PRs, make comments relative to
 the visible code's commit (#12055)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When performing `git blame` to identify the commit that a line of code came from, limit the blame to the commit that is currently being viewed in the UI.  Before this change, the blame always occurred on the current head of the PR, causing these problems:
- When you click ➕ to load the comment form, the form that is dynamically loaded would have it's commit field pulled from the current PR head.  That may not actually reflect the code that you were viewing at the time you authored the comment -- it could be a newer commit that occurred by the author while you were reviewing.
- When viewing a specific commit within a PR and leaving a comment, the blame would occur from the head -- if the file was changed in a later commit and the line-of-code moved up or down, the comment would be misplaced.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12055): <!--number 12055 --><!--line 0 --><!--description d2hlbiByZXZpZXdpbmcgaW4gUFJzLCBtYWtlIGNvbW1lbnRzIHJlbGF0aXZlIHRvIHRoZSB2aXNpYmxlIGNvZGUncyBjb21taXQ=-->when reviewing in PRs, make comments relative to the visible code's commit<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12055
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 routers/api/v1/repo/pull_review.go      |   1 +
 routers/web/repo/pull_review.go         |  13 +-
 routers/web/repo/pull_review_test.go    |  12 +-
 services/pull/review.go                 |   6 +-
 templates/repo/diff/box.tmpl            |   2 +-
 tests/integration/comment_roles_test.go |  22 +++-
 tests/integration/pull_review_test.go   | 164 +++++++++++++++++-------
 7 files changed, 158 insertions(+), 62 deletions(-)

diff --git a/routers/api/v1/repo/pull_review.go b/routers/api/v1/repo/pull_review.go
index 97c5dcee78..e478f93655 100644
--- a/routers/api/v1/repo/pull_review.go
+++ b/routers/api/v1/repo/pull_review.go
@@ -337,6 +337,7 @@ func CreatePullReviewComment(ctx *context.APIContext) {
 		pr.Issue,
 		opts.Body,
 		opts.Path,
+		review.CommitID,
 		line,
 		review.ID,
 		nil,
diff --git a/routers/web/repo/pull_review.go b/routers/web/repo/pull_review.go
index 941e428039..c2e30770d3 100644
--- a/routers/web/repo/pull_review.go
+++ b/routers/web/repo/pull_review.go
@@ -44,12 +44,15 @@ func RenderNewCodeCommentForm(ctx *context.Context) {
 	ctx.Data["PageIsPullFiles"] = true
 	ctx.Data["Issue"] = issue
 	ctx.Data["CurrentReview"] = currentReview
-	pullHeadCommitID, err := ctx.Repo.GitRepo.GetRefCommitID(issue.PullRequest.GetGitRefName())
-	if err != nil {
-		ctx.ServerError("GetRefCommitID", err)
-		return
+	afterCommitID := ctx.FormString("after_commit_id")
+	if afterCommitID == "" {
+		afterCommitID, err = ctx.Repo.GitRepo.GetRefCommitID(issue.PullRequest.GetGitRefName())
+		if err != nil {
+			ctx.ServerError("GetRefCommitID", err)
+			return
+		}
 	}
-	ctx.Data["AfterCommitID"] = pullHeadCommitID
+	ctx.Data["AfterCommitID"] = afterCommitID
 	ctx.Data["IsAttachmentEnabled"] = setting.Attachment.Enabled
 	upload.AddUploadContext(ctx, "comment")
 	ctx.HTML(http.StatusOK, tplNewComment)
diff --git a/routers/web/repo/pull_review_test.go b/routers/web/repo/pull_review_test.go
index 14e6714a63..dd0fa7df29 100644
--- a/routers/web/repo/pull_review_test.go
+++ b/routers/web/repo/pull_review_test.go
@@ -11,6 +11,7 @@ import (
 	"forgejo.org/models/db"
 	issues_model "forgejo.org/models/issues"
 	"forgejo.org/models/unittest"
+	"forgejo.org/modules/git"
 	"forgejo.org/modules/templates"
 	"forgejo.org/services/context"
 	"forgejo.org/services/contexttest"
@@ -28,6 +29,13 @@ func TestRenderConversation(t *testing.T) {
 	_ = pr.Issue.LoadPoster(db.DefaultContext)
 	_ = pr.Issue.LoadRepo(db.DefaultContext)
 
+	require.NoError(t, pr.LoadHeadRepo(t.Context()))
+	repo, err := git.OpenRepository(t.Context(), pr.HeadRepo.RepoPath())
+	defer repo.Close()
+	require.NoError(t, err)
+	prHeadCommitID, err := repo.GetBranchCommitID(pr.HeadBranch)
+	require.NoError(t, err)
+
 	run := func(name string, cb func(t *testing.T, ctx *context.Context, resp *httptest.ResponseRecorder)) {
 		t.Run(name, func(t *testing.T) {
 			ctx, resp := contexttest.MockContext(t, "/")
@@ -42,7 +50,9 @@ func TestRenderConversation(t *testing.T) {
 
 	var preparedComment *issues_model.Comment
 	run("prepare", func(t *testing.T, ctx *context.Context, resp *httptest.ResponseRecorder) {
-		comment, err := pull.CreateCodeComment(ctx, pr.Issue.Poster, ctx.Repo.GitRepo, pr.Issue, 1, "content", "", false, 0, pr.HeadCommitID, nil)
+		comment, err := pull.CreateCodeComment(ctx, pr.Issue.Poster, ctx.Repo.GitRepo, pr.Issue,
+			1, "content", "", false, 0,
+			prHeadCommitID, nil)
 		require.NoError(t, err)
 
 		comment.Invalidated = true
diff --git a/services/pull/review.go b/services/pull/review.go
index b8d4a30be8..5500ce4582 100644
--- a/services/pull/review.go
+++ b/services/pull/review.go
@@ -137,6 +137,7 @@ func CreateCodeComment(ctx context.Context, doer *user_model.User, gitRepo *git.
 			issue,
 			content,
 			treePath,
+			latestCommitID,
 			line,
 			replyReviewID,
 			attachments,
@@ -178,6 +179,7 @@ func CreateCodeComment(ctx context.Context, doer *user_model.User, gitRepo *git.
 		issue,
 		content,
 		treePath,
+		latestCommitID,
 		line,
 		review.ID,
 		attachments,
@@ -199,7 +201,7 @@ func CreateCodeComment(ctx context.Context, doer *user_model.User, gitRepo *git.
 }
 
 // CreateCodeCommentKnownReviewID creates a plain code comment at the specified line / path
-func CreateCodeCommentKnownReviewID(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, issue *issues_model.Issue, content, treePath string, line, reviewID int64, attachments []string) (*issues_model.Comment, error) {
+func CreateCodeCommentKnownReviewID(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, issue *issues_model.Issue, content, treePath, afterCommitID string, line, reviewID int64, attachments []string) (*issues_model.Comment, error) {
 	var commitID, blamedCommitID, patch string
 	blamedLine := line
 	if err := issue.LoadPullRequest(ctx); err != nil {
@@ -249,7 +251,7 @@ func CreateCodeCommentKnownReviewID(ctx context.Context, doer *user_model.User,
 			// FIXME validate treePath
 			// Get latest commit referencing the commented line
 			// No need for get commit for base branch changes
-			commit, lineres, err := gitRepo.LineBlame(head, treePath, uint64(line))
+			commit, lineres, err := gitRepo.LineBlame(afterCommitID, treePath, uint64(line))
 			if err == nil {
 				blamedCommitID = commit.ID.String()
 				blamedLine = int64(lineres)
diff --git a/templates/repo/diff/box.tmpl b/templates/repo/diff/box.tmpl
index f3c0c0989d..5bd9a50b3b 100644
--- a/templates/repo/diff/box.tmpl
+++ b/templates/repo/diff/box.tmpl
@@ -201,7 +201,7 @@
 										{{end}}
 									</div>
 								{{else}}
-									<table class="chroma" data-new-comment-url="{{$.Issue.Link}}/files/reviews/new_comment" data-path="{{$file.Name}}">
+									<table class="chroma" data-new-comment-url="{{$.Issue.Link}}/files/reviews/new_comment?after_commit_id={{$.AfterCommitID}}" data-path="{{$file.Name}}">
 										{{if $.IsSplitStyle}}
 											{{template "repo/diff/section_split" dict "file" . "root" $}}
 										{{else}}
diff --git a/tests/integration/comment_roles_test.go b/tests/integration/comment_roles_test.go
index df1c5b1188..f9eebf34ff 100644
--- a/tests/integration/comment_roles_test.go
+++ b/tests/integration/comment_roles_test.go
@@ -4,6 +4,7 @@
 package integration
 
 import (
+	"fmt"
 	"net/http"
 	"net/url"
 	"path"
@@ -188,16 +189,23 @@ func testEasyLeavePRComment(t *testing.T, session *TestSession, user, repo, id,
 // testEasyLeavePRReviewComment is used to add review comments to specific lines of changed files in the diff of the PR.
 func testEasyLeavePRReviewComment(t *testing.T, session *TestSession, user, repo, id, file, line, message, replyID string) {
 	t.Helper()
+	req := NewRequestf(t, "GET", "/%s/%s/pulls/%s/files/reviews/new_comment", user, repo, id)
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	doc := NewHTMLParser(t, resp.Body)
 	values := map[string]string{
-		"origin":        "diff",
-		"side":          "proposed",
-		"line":          line,
-		"path":          file,
-		"content":       message,
-		"single_review": "true",
+		"origin":           doc.GetInputValueByName("origin"),
+		"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
+		"side":             "proposed",
+		"line":             line,
+		"path":             file,
+		"diff_start_cid":   doc.GetInputValueByName("diff_start_cid"),
+		"diff_end_cid":     doc.GetInputValueByName("diff_end_cid"),
+		"diff_base_cid":    doc.GetInputValueByName("diff_base_cid"),
+		"content":          message,
+		"single_review":    "true",
 	}
 	if len(replyID) > 0 {
 		values["reply"] = replyID
 	}
-	session.MakeRequest(t, NewRequestWithValues(t, "POST", path.Join(user, repo, "pulls", id, "files/reviews/comments"), values), http.StatusOK)
+	session.MakeRequest(t, NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/pulls/%s/files/reviews/comments", user, repo, id), values), http.StatusOK)
 }
diff --git a/tests/integration/pull_review_test.go b/tests/integration/pull_review_test.go
index 3c0ea62a9c..262733f72b 100644
--- a/tests/integration/pull_review_test.go
+++ b/tests/integration/pull_review_test.go
@@ -214,27 +214,27 @@ func TestPullView_ResolveInvalidatedReviewComment(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 		req := NewRequest(t, "GET", "/user2/repo1/pulls/3/files/reviews/new_comment")
 		resp := session.MakeRequest(t, req, http.StatusOK)
-		doc := NewHTMLParser(t, resp.Body)
+		newCommentForm := NewHTMLParser(t, resp.Body)
 
 		var firstReviewID int64
 		{
 			// first (outdated) review
 			req = NewRequestWithValues(t, "POST", "/user2/repo1/pulls/3/files/reviews/comments", map[string]string{
-				"origin":           doc.GetInputValueByName("origin"),
-				"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
+				"origin":           newCommentForm.GetInputValueByName("origin"),
+				"latest_commit_id": newCommentForm.GetInputValueByName("latest_commit_id"),
 				"side":             "proposed",
 				"line":             "2",
 				"path":             "iso-8859-1.txt",
-				"diff_start_cid":   doc.GetInputValueByName("diff_start_cid"),
-				"diff_end_cid":     doc.GetInputValueByName("diff_end_cid"),
-				"diff_base_cid":    doc.GetInputValueByName("diff_base_cid"),
+				"diff_start_cid":   newCommentForm.GetInputValueByName("diff_start_cid"),
+				"diff_end_cid":     newCommentForm.GetInputValueByName("diff_end_cid"),
+				"diff_base_cid":    newCommentForm.GetInputValueByName("diff_base_cid"),
 				"content":          "nitpicking comment",
 				"pending_review":   "",
 			})
 			session.MakeRequest(t, req, http.StatusOK)
 
 			req = NewRequestWithValues(t, "POST", "/user2/repo1/pulls/3/files/reviews/submit", map[string]string{
-				"commit_id": doc.GetInputValueByName("latest_commit_id"),
+				"commit_id": newCommentForm.GetInputValueByName("latest_commit_id"),
 				"content":   "looks good",
 				"type":      "comment",
 			})
@@ -243,7 +243,7 @@ func TestPullView_ResolveInvalidatedReviewComment(t *testing.T) {
 			// retrieve comment_id by reloading the comment page
 			req = NewRequest(t, "GET", "/user2/repo1/pulls/3")
 			resp = session.MakeRequest(t, req, http.StatusOK)
-			doc = NewHTMLParser(t, resp.Body)
+			doc := NewHTMLParser(t, resp.Body)
 			commentID, ok := doc.Find(`[data-action="Resolve"]`).Attr("data-comment-id")
 			assert.True(t, ok)
 
@@ -266,21 +266,21 @@ func TestPullView_ResolveInvalidatedReviewComment(t *testing.T) {
 			// second (up-to-date) review on the same line
 			// make a second review
 			req = NewRequestWithValues(t, "POST", "/user2/repo1/pulls/3/files/reviews/comments", map[string]string{
-				"origin":           doc.GetInputValueByName("origin"),
-				"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
+				"origin":           newCommentForm.GetInputValueByName("origin"),
+				"latest_commit_id": newCommentForm.GetInputValueByName("latest_commit_id"),
 				"side":             "proposed",
 				"line":             "2",
 				"path":             "iso-8859-1.txt",
-				"diff_start_cid":   doc.GetInputValueByName("diff_start_cid"),
-				"diff_end_cid":     doc.GetInputValueByName("diff_end_cid"),
-				"diff_base_cid":    doc.GetInputValueByName("diff_base_cid"),
+				"diff_start_cid":   newCommentForm.GetInputValueByName("diff_start_cid"),
+				"diff_end_cid":     newCommentForm.GetInputValueByName("diff_end_cid"),
+				"diff_base_cid":    newCommentForm.GetInputValueByName("diff_base_cid"),
 				"content":          "nitpicking comment",
 				"pending_review":   "",
 			})
 			session.MakeRequest(t, req, http.StatusOK)
 
 			req = NewRequestWithValues(t, "POST", "/user2/repo1/pulls/3/files/reviews/submit", map[string]string{
-				"commit_id": doc.GetInputValueByName("latest_commit_id"),
+				"commit_id": newCommentForm.GetInputValueByName("latest_commit_id"),
 				"content":   "looks better",
 				"type":      "comment",
 			})
@@ -289,7 +289,7 @@ func TestPullView_ResolveInvalidatedReviewComment(t *testing.T) {
 			// retrieve comment_id by reloading the comment page
 			req = NewRequest(t, "GET", "/user2/repo1/pulls/3")
 			resp = session.MakeRequest(t, req, http.StatusOK)
-			doc = NewHTMLParser(t, resp.Body)
+			doc := NewHTMLParser(t, resp.Body)
 
 			commentIDs := doc.Find(`[data-action="Resolve"]`).Map(func(i int, elt *goquery.Selection) string {
 				v, _ := elt.Attr("data-comment-id")
@@ -318,7 +318,7 @@ func TestPullView_ResolveInvalidatedReviewComment(t *testing.T) {
 
 		// even on template error, the page returns HTTP 200
 		// count the comments to ensure success.
-		doc = NewHTMLParser(t, resp.Body)
+		doc := NewHTMLParser(t, resp.Body)
 		comments := doc.Find(`.comment-code-cloud > .comment`)
 		assert.Len(t, comments.Nodes, 1) // the outdated comment belongs to another review and should not be shown
 	})
@@ -674,13 +674,17 @@ func TestPullRequestReplyMail(t *testing.T) {
 
 		review := unittest.AssertExistsAndLoadBean(t, &issues_model.Review{ID: 1002}, "type = 0")
 
-		req := NewRequestWithValues(t, "POST", "/user2/repo1/pulls/2/files/reviews/comments", map[string]string{
-			"origin":  "diff",
-			"content": "Just a comment!",
-			"side":    "proposed",
-			"line":    "4",
-			"path":    "README.md",
-			"reply":   strconv.FormatInt(review.ID, 10),
+		req := NewRequest(t, "GET", "/user2/repo1/pulls/2/files/reviews/new_comment")
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		doc := NewHTMLParser(t, resp.Body)
+		req = NewRequestWithValues(t, "POST", "/user2/repo1/pulls/2/files/reviews/comments", map[string]string{
+			"origin":           "diff",
+			"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
+			"content":          "Just a comment!",
+			"side":             "proposed",
+			"line":             "4",
+			"path":             "README.md",
+			"reply":            strconv.FormatInt(review.ID, 10),
 		})
 		session.MakeRequest(t, req, http.StatusOK)
 
@@ -696,12 +700,16 @@ func TestPullRequestReplyMail(t *testing.T) {
 			called = true
 		})()
 
-		req := NewRequestWithValues(t, "POST", "/user2/repo1/pulls/2/files/reviews/comments", map[string]string{
-			"origin":  "diff",
-			"content": "Notification time 2!",
-			"side":    "proposed",
-			"line":    "2",
-			"path":    "README.md",
+		req := NewRequest(t, "GET", "/user2/repo1/pulls/2/files/reviews/new_comment")
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		doc := NewHTMLParser(t, resp.Body)
+		req = NewRequestWithValues(t, "POST", "/user2/repo1/pulls/2/files/reviews/comments", map[string]string{
+			"origin":           "diff",
+			"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
+			"content":          "Notification time 2!",
+			"side":             "proposed",
+			"line":             "2",
+			"path":             "README.md",
 		})
 		session.MakeRequest(t, req, http.StatusOK)
 
@@ -725,13 +733,17 @@ func TestPullRequestReplyMail(t *testing.T) {
 
 			review := unittest.AssertExistsAndLoadBean(t, &issues_model.Review{ID: 1001, Type: issues_model.ReviewTypeComment})
 
-			req := NewRequestWithValues(t, "POST", "/user2/repo1/pulls/2/files/reviews/comments", map[string]string{
-				"origin":  "diff",
-				"content": "Notification time!",
-				"side":    "proposed",
-				"line":    "3",
-				"path":    "README.md",
-				"reply":   strconv.FormatInt(review.ID, 10),
+			req := NewRequest(t, "GET", "/user2/repo1/pulls/2/files/reviews/new_comment")
+			resp := session.MakeRequest(t, req, http.StatusOK)
+			doc := NewHTMLParser(t, resp.Body)
+			req = NewRequestWithValues(t, "POST", "/user2/repo1/pulls/2/files/reviews/comments", map[string]string{
+				"origin":           "diff",
+				"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
+				"content":          "Notification time!",
+				"side":             "proposed",
+				"line":             "3",
+				"path":             "README.md",
+				"reply":            strconv.FormatInt(review.ID, 10),
 			})
 			session.MakeRequest(t, req, http.StatusOK)
 
@@ -751,13 +763,17 @@ func TestPullRequestReplyMail(t *testing.T) {
 				called = true
 			})()
 
-			req := NewRequestWithValues(t, "POST", "/user2/repo1/pulls/2/files/reviews/comments", map[string]string{
-				"origin":        "diff",
-				"content":       "Notification time 2!",
-				"side":          "proposed",
-				"line":          "5",
-				"path":          "README.md",
-				"single_review": "true",
+			req := NewRequest(t, "GET", "/user2/repo1/pulls/2/files/reviews/new_comment")
+			resp := session.MakeRequest(t, req, http.StatusOK)
+			doc := NewHTMLParser(t, resp.Body)
+			req = NewRequestWithValues(t, "POST", "/user2/repo1/pulls/2/files/reviews/comments", map[string]string{
+				"origin":           "diff",
+				"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
+				"content":          "Notification time 2!",
+				"side":             "proposed",
+				"line":             "5",
+				"path":             "README.md",
+				"single_review":    "true",
 			})
 			session.MakeRequest(t, req, http.StatusOK)
 
@@ -1409,6 +1425,52 @@ func TestPullRequestCommentPlacement(t *testing.T) {
 			tester.assertFilesChangedDiff(diff)
 			tester.assertCommitDiff(commitSHA, diff)
 		})
+
+		t.Run("comment on specific commit adjusts correctly to later changes in the PR", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Modify an earlier part of the file in one commit, and then change line numbers in a second commit by
+			// removing some content from the file earlier than the first commit
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "Line 50--modified\n", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
+			commit2 := tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			// Create a comment on commit1's "Line 50" change, from the commit-specific view:
+			comment := tester.commentFromSpecificCommit(commit1, "file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -48,3 +48,3 @@
+ Line 48
+ Line 49
+-Line 50
++Line 50--modified`, comment.PatchQuoted)
+			assert.Equal(t, "proposed", comment.DiffSide())
+			assert.EqualValues(t, 50, comment.Line)
+			assert.Equal(t, commit1, comment.CommitSHA)
+
+			diff50 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowAddCode, code: "Line 50--modified"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff50)
+			tester.assertCommitDiff(commit1, diff50)
+
+			diff10 := []diffTableRow{
+				{rowType: RowDelCode, code: "Line 9"},
+				{rowType: RowDelCode, code: "Line 10"},
+				{rowType: RowHasCode, code: "Line 11"},
+			}
+			tester.assertFilesChangedDiff(diff10)
+			tester.assertCommitDiff(commit2, diff10)
+		})
 	})
 }
 
@@ -1526,14 +1588,24 @@ func (tester *PullRequestCommentPlacementTester) createPR() {
 }
 
 func (tester *PullRequestCommentPlacementTester) commentFromFilesChanged(filename string, line int) *issues_model.Comment {
-	commentContent := uuid.New().String()
-
 	req := NewRequest(tester.t, "GET",
+		// omit after_commit_id -- new_comment form defaults to fetching the PR head
 		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index))
 	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
+	return tester.commentFromNewCommentForm(resp, filename, line)
+}
 
+func (tester *PullRequestCommentPlacementTester) commentFromSpecificCommit(commitID, filename string, line int) *issues_model.Comment {
+	req := NewRequest(tester.t, "GET",
+		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment?after_commit_id=%s", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, commitID))
+	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
+	return tester.commentFromNewCommentForm(resp, filename, line)
+}
+
+func (tester *PullRequestCommentPlacementTester) commentFromNewCommentForm(resp *httptest.ResponseRecorder, filename string, line int) *issues_model.Comment {
+	commentContent := uuid.New().String()
 	doc := NewHTMLParser(tester.t, resp.Body)
-	req = NewRequestWithValues(tester.t, "POST",
+	req := NewRequestWithValues(tester.t, "POST",
 		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/comments", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index),
 		map[string]string{
 			"origin":           doc.GetInputValueByName("origin"),

From 9de142eb7f91c71dc8f4c98a942b4ba73a48b499 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 12 Apr 2026 02:38:50 +0200
Subject: [PATCH 107/287] Update dependency webpack to v5.106.0 (forgejo)
 (#12093)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12093
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 588a3e7570..364c1527cb 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -77,7 +77,7 @@
         "vue-chartjs": "5.3.3",
         "vue-loader": "17.4.2",
         "vue3-calendar-heatmap": "2.0.5",
-        "webpack": "5.105.4",
+        "webpack": "5.106.0",
         "webpack-cli": "7.0.2",
         "wrap-ansi": "10.0.0"
       },
@@ -16136,9 +16136,9 @@
       "license": "BSD-2-Clause"
     },
     "node_modules/webpack": {
-      "version": "5.105.4",
-      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.105.4.tgz",
-      "integrity": "sha512-jTywjboN9aHxFlToqb0K0Zs9SbBoW4zRUlGzI2tYNxVYcEi/IPpn+Xi4ye5jTLvX2YeLuic/IvxNot+Q1jMoOw==",
+      "version": "5.106.0",
+      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.106.0.tgz",
+      "integrity": "sha512-Pkx5joZ9RrdgO5LBkyX1L2ZAJeK/Taz3vqZ9CbcP0wS5LEMx5QkKsEwLl29QJfihZ+DKRBFldzy1O30pJ1MDpA==",
       "license": "MIT",
       "dependencies": {
         "@types/eslint-scope": "^3.7.7",
diff --git a/package.json b/package.json
index aa6d80b52a..73ed4f86fa 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
     "vue-chartjs": "5.3.3",
     "vue-loader": "17.4.2",
     "vue3-calendar-heatmap": "2.0.5",
-    "webpack": "5.105.4",
+    "webpack": "5.106.0",
     "webpack-cli": "7.0.2",
     "wrap-ansi": "10.0.0"
   },

From fd28fd896bbe7cd676618589ddf3f094906756e8 Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Sun, 12 Apr 2026 03:31:03 +0200
Subject: [PATCH 108/287] feat: Follow remote users; feed tab (#10380)

This is hopefully the final part of PR #4767, rebased and squashed.

More thorough federation tests are at https://code.forgejo.org/forgejo/end-to-end/pulls/1276 but the mock has been extended to hopefully cover a good chunk as well.

Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-authored-by: zam <mirco.zachmann@meissa.de>
Co-authored-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10380
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: famfo <famfo@famfo.xyz>
Co-committed-by: famfo <famfo@famfo.xyz>
---
 .deadcode-out                                 |   4 -
 models/activities/federated_user_activity.go  |   2 +-
 models/user/federated_user.go                 |  16 +++
 modules/forgefed/inbox.go                     |  15 +++
 modules/templates/helper.go                   |  25 +++--
 .../test/distant_federation_server_mock.go    | 102 ++++++++++++++----
 options/locale_next/locale_en-US.json         |   6 ++
 public/assets/img/svg/fediverse-small.svg     |   1 +
 release-notes/10380.md                        |   1 +
 routers/api/v1/api.go                         |   5 +
 routers/api/v1/swagger/options.go             |   3 +
 routers/api/v1/user/follower.go               |  32 ++++++
 routers/web/user/profile.go                   |  22 ++++
 services/federation/federation_service.go     |  77 +++++++------
 services/federation/signature_service.go      |   5 -
 templates/base/head.tmpl                      |   3 +
 templates/swagger/v1_json.tmpl                |  42 ++++++++
 templates/user/dashboard/ap_feed.tmpl         |  26 +++++
 templates/user/dashboard/ap_feed_guide.tmpl   |   6 ++
 templates/user/overview/header.tmpl           |   5 +
 templates/user/profile.tmpl                   |   8 ++
 ...pi_activitypub_person_inbox_follow_test.go |  55 +++++++++-
 ...ivitypub_person_inbox_useractivity_test.go |  83 +++++++++++++-
 .../api_user_follow_federation_test.go        |  55 ++++++++++
 .../federation_home_template_test.go          |  53 +++++++++
 web_src/svg/fediverse-small.svg               |  31 ++++++
 26 files changed, 599 insertions(+), 84 deletions(-)
 create mode 100644 modules/forgefed/inbox.go
 create mode 100644 public/assets/img/svg/fediverse-small.svg
 create mode 100644 release-notes/10380.md
 create mode 100644 templates/user/dashboard/ap_feed.tmpl
 create mode 100644 templates/user/dashboard/ap_feed_guide.tmpl
 create mode 100644 tests/integration/api_user_follow_federation_test.go
 create mode 100644 tests/integration/federation_home_template_test.go
 create mode 100644 web_src/svg/fediverse-small.svg

diff --git a/.deadcode-out b/.deadcode-out
index 0c44d2bdfd..a42b499a9f 100644
--- a/.deadcode-out
+++ b/.deadcode-out
@@ -88,7 +88,6 @@ forgejo.org/modules/eventsource
 	Event.String
 
 forgejo.org/modules/forgefed
-	NewForgeFollow
 	NewForgeUndoLike
 	ForgeUndoLike.UnmarshalJSON
 	ForgeUndoLike.Validate
@@ -227,9 +226,6 @@ forgejo.org/routers/web/org
 forgejo.org/services/context
 	GetPrivateContext
 
-forgejo.org/services/federation
-	FollowRemoteActor
-
 forgejo.org/services/notify
 	UnregisterNotifier
 
diff --git a/models/activities/federated_user_activity.go b/models/activities/federated_user_activity.go
index 1ff3a855d0..a9f509e8f7 100644
--- a/models/activities/federated_user_activity.go
+++ b/models/activities/federated_user_activity.go
@@ -82,7 +82,7 @@ func GetFollowingFeeds(ctx context.Context, actorID int64, opts GetFollowingFeed
 	sess = db.SetSessionPagination(sess, &opts)
 
 	actions := make([]*FederatedUserActivity, 0, opts.PageSize)
-	count, err := sess.FindAndCount(&actions)
+	count, err := sess.Desc("`federated_user_activity`.created").FindAndCount(&actions)
 	if err != nil {
 		return nil, 0, fmt.Errorf("FindAndCount: %w", err)
 	}
diff --git a/models/user/federated_user.go b/models/user/federated_user.go
index d2a9c34c9e..8199a9cd22 100644
--- a/models/user/federated_user.go
+++ b/models/user/federated_user.go
@@ -5,6 +5,7 @@ package user
 
 import (
 	"database/sql"
+	"fmt"
 
 	"forgejo.org/modules/validation"
 )
@@ -42,3 +43,18 @@ func (federatedUser FederatedUser) Validate() []string {
 	result = append(result, validation.ValidateNotEmpty(federatedUser.InboxPath, "InboxPath")...)
 	return result
 }
+
+func (federatedUser *FederatedUser) LogString() string {
+	if federatedUser == nil {
+		return "<FederatedUser nil>"
+	}
+
+	return fmt.Sprintf(
+		"<FederatedUser ID: %d, UserID: %d, ExternalID: %s, NormalizedOriginalURL: %s, InboxPath: %s>",
+		federatedUser.ID,
+		federatedUser.UserID,
+		federatedUser.ExternalID,
+		federatedUser.NormalizedOriginalURL,
+		federatedUser.InboxPath,
+	)
+}
diff --git a/modules/forgefed/inbox.go b/modules/forgefed/inbox.go
new file mode 100644
index 0000000000..c02aedd38c
--- /dev/null
+++ b/modules/forgefed/inbox.go
@@ -0,0 +1,15 @@
+// Copyright 2024, 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package forgefed
+
+import (
+	ap "github.com/go-ap/activitypub"
+)
+
+// ForgeFollow activity data type
+// swagger:model
+type ForgeInbox struct {
+	// swagger:ignore
+	ap.InboxStream
+}
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index a6235c37ba..44f5da24cb 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -52,16 +52,17 @@ func NewFuncMap() template.FuncMap {
 
 		// -----------------------------------------------------------------
 		// html/template related functions
-		"dict":         dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names.
-		"Eval":         Eval,
-		"TrustHTML":    TrustHTML,
-		"HTMLFormat":   HTMLFormat,
-		"HTMLEscape":   HTMLEscape,
-		"QueryEscape":  QueryEscape,
-		"JSEscape":     JSEscapeSafe,
-		"SanitizeHTML": SanitizeHTML,
-		"URLJoin":      util.URLJoin,
-		"DotEscape":    DotEscape,
+		"dict":               dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names.
+		"Eval":               Eval,
+		"TrustHTML":          TrustHTML,
+		"HTMLFormat":         HTMLFormat,
+		"HTMLEscape":         HTMLEscape,
+		"QueryEscape":        QueryEscape,
+		"JSEscape":           JSEscapeSafe,
+		"SanitizeHTML":       SanitizeHTML,
+		"SanitizeHTMLStrict": SanitizeHTMLStrict,
+		"URLJoin":            util.URLJoin,
+		"DotEscape":          DotEscape,
 
 		"PathEscape":         url.PathEscape,
 		"PathEscapeSegments": util.PathEscapeSegments,
@@ -257,6 +258,10 @@ func SanitizeHTML(s string) template.HTML {
 	return template.HTML(markup.Sanitize(s))
 }
 
+func SanitizeHTMLStrict(s string) template.HTML {
+	return template.HTML(markup.SanitizeDescription(s))
+}
+
 func HTMLEscape(s any) template.HTML {
 	switch v := s.(type) {
 	case string:
diff --git a/modules/test/distant_federation_server_mock.go b/modules/test/distant_federation_server_mock.go
index ea8a69e9b4..abbc82c196 100644
--- a/modules/test/distant_federation_server_mock.go
+++ b/modules/test/distant_federation_server_mock.go
@@ -4,29 +4,38 @@
 package test
 
 import (
+	"bytes"
 	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"strings"
 	"testing"
 
 	"forgejo.org/modules/util"
+
+	ap "github.com/go-ap/activitypub"
+	"github.com/go-ap/jsonld"
+	"github.com/google/uuid"
 )
 
+type ApActorMock struct {
+	PrivKey string
+	PubKey  string
+}
+
 type FederationServerMockPerson struct {
 	ID      int64
 	Name    string
 	PubKey  string
 	PrivKey string
 }
+
 type FederationServerMockRepository struct {
 	ID int64
 }
-type ApActorMock struct {
-	PrivKey string
-	PubKey  string
-}
+
 type FederationServerMock struct {
 	ApActor      ApActorMock
 	Persons      []FederationServerMockPerson
@@ -34,6 +43,35 @@ type FederationServerMock struct {
 	LastPost     string
 }
 
+func NewApActorMock() ApActorMock {
+	priv, pub, _ := util.GenerateKeyPair(1024)
+	return ApActorMock{
+		PrivKey: priv,
+		PubKey:  pub,
+	}
+}
+
+func (u *ApActorMock) KeyID(host string) string {
+	return fmt.Sprintf("%s/api/v1/activitypub/actor#main-key", host)
+}
+
+func (u *ApActorMock) marshal(host string) string {
+	baseID := fmt.Sprintf("http://%s/api/v1/activitypub/actor", host)
+
+	return fmt.Sprintf(
+		`{ "@context": ["https://www.w3.org/ns/activitystreams", "https://w3id.org/security/v1"],`+
+			`"id": "%[1]s",`+
+			`"type": "Application",`+
+			`"preferredUsername": "ghost",`+
+			`"publicKey": {`+
+			` "id": "%[1]s#main-key",`+
+			` "owner": "%[1]s",`+
+			` "publicKeyPem": %[2]q }}`,
+		baseID,
+		u.PubKey,
+	)
+}
+
 func NewFederationServerMockPerson(id int64, name string) FederationServerMockPerson {
 	priv, pub, _ := util.GenerateKeyPair(3072)
 	return FederationServerMockPerson{
@@ -48,24 +86,6 @@ func (p *FederationServerMockPerson) KeyID(host string) string {
 	return fmt.Sprintf("%[1]v/api/v1/activitypub/user-id/%[2]v#main-key", host, p.ID)
 }
 
-func NewFederationServerMockRepository(id int64) FederationServerMockRepository {
-	return FederationServerMockRepository{
-		ID: id,
-	}
-}
-
-func NewApActorMock() ApActorMock {
-	priv, pub, _ := util.GenerateKeyPair(1024)
-	return ApActorMock{
-		PrivKey: priv,
-		PubKey:  pub,
-	}
-}
-
-func (u *ApActorMock) KeyID(host string) string {
-	return fmt.Sprintf("%[1]v/api/v1/activitypub/actor#main-key", host)
-}
-
 func (p FederationServerMockPerson) marshal(host string) string {
 	return fmt.Sprintf(`{"@context":["https://www.w3.org/ns/activitystreams","https://w3id.org/security/v1"],`+
 		`"id":"http://%[1]v/api/v1/activitypub/user-id/%[2]v",`+
@@ -80,6 +100,12 @@ func (p FederationServerMockPerson) marshal(host string) string {
 		`"publicKeyPem":%[4]q}}`, host, p.ID, p.Name, p.PubKey)
 }
 
+func NewFederationServerMockRepository(id int64) FederationServerMockRepository {
+	return FederationServerMockRepository{
+		ID: id,
+	}
+}
+
 func NewFederationServerMock() *FederationServerMock {
 	return &FederationServerMock{
 		ApActor: NewApActorMock(),
@@ -103,6 +129,26 @@ func (mock *FederationServerMock) recordLastPost(t *testing.T, req *http.Request
 	mock.LastPost = strings.ReplaceAll(buf.String(), req.Host, "DISTANT_FEDERATION_HOST")
 }
 
+func (mock *FederationServerMock) FollowActorUnsigned(host string, localID int64, uri, inboxURL url.URL) error {
+	apID := fmt.Sprintf("%s/api/v1/activitypub/user-id/%d", host, localID)
+
+	activity := ap.Follow{}
+	activity.Type = ap.FollowType
+	activity.ID = ap.IRI(apID + "/follows/" + uuid.New().String())
+	activity.Actor = ap.IRI(apID)
+	activity.Object = ap.IRI(uri.String())
+
+	payload, err := jsonld.WithContext(jsonld.IRI(ap.ActivityBaseURI)).Marshal(activity)
+	if err != nil {
+		return err
+	}
+
+	reader := bytes.NewReader(payload)
+	_, err = http.Post(inboxURL.String(), "application/activity+json", reader)
+
+	return err
+}
+
 func (mock *FederationServerMock) DistantServer(t *testing.T) *httptest.Server {
 	federatedRoutes := http.NewServeMux()
 
@@ -122,6 +168,10 @@ func (mock *FederationServerMock) DistantServer(t *testing.T) *httptest.Server {
 		})
 
 	for _, person := range mock.Persons {
+		federatedRoutes.HandleFunc(fmt.Sprintf("/api/v1/activitypub/user-id/alias%v", person.ID),
+			func(res http.ResponseWriter, req *http.Request) {
+				fmt.Fprint(res, person.marshal(req.Host))
+			})
 		federatedRoutes.HandleFunc(fmt.Sprintf("/api/v1/activitypub/user-id/%v", person.ID),
 			func(res http.ResponseWriter, req *http.Request) {
 				// curl -H "Accept: application/json" https://federated-repo.prod.meissa.de/api/v1/activitypub/user-id/2
@@ -139,10 +189,18 @@ func (mock *FederationServerMock) DistantServer(t *testing.T) *httptest.Server {
 				mock.recordLastPost(t, req)
 			})
 	}
+
+	federatedRoutes.HandleFunc("GET /api/v1/activitypub/actor",
+		func(res http.ResponseWriter, req *http.Request) {
+			fmt.Fprint(res, mock.ApActor.marshal(req.Host))
+		})
+
 	federatedRoutes.HandleFunc("/",
 		func(res http.ResponseWriter, req *http.Request) {
 			t.Errorf("Unhandled %v request: %q", req.Method, req.URL.EscapedPath())
 		})
+
 	federatedSrv := httptest.NewServer(federatedRoutes)
+
 	return federatedSrv
 }
diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index 3195d6f6f1..c0c73ec860 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -261,6 +261,12 @@
 	"settings.access_token.admin_disabled": "Administrative permissions are disabled.",
 	"error.must_enable_2fa": "This Forgejo instance requires users to enable two-factor authentication before they can access their accounts. Enable it at: %s",
 	"avatar.constraints_hint": "Custom avatar may not exceed %[1]s in size or be larger than %[2]dx%[3]d pixels",
+	"user.activitypub_feed.feed": "Fediverse Feed",
+	"user.activitypub_feed.no_activity": "No fediverse activity",
+	"user.activitypub_feed.is_empty": "Your fediverse feed is empty.",
+	"user.activitypub_feed.hint": "This feed shows activities from fediverse accounts that you follow, as well as federated posts that mentioned you.",
+	"user.activitypub_feed.posted_on": "Posted on %[1]s",
+	"user.activitypub_feed.original_source": "Original source",
 	"user.ghost.tooltip": "This user has been deleted, or cannot be matched.",
 	"og.repo.summary_card.alt_description": "Summary card of repository %[1]s, described as: %[2]s",
 	"repo.commit.load_tags_failed": "Load tags failed because of internal error",
diff --git a/public/assets/img/svg/fediverse-small.svg b/public/assets/img/svg/fediverse-small.svg
new file mode 100644
index 0000000000..90f9a79ef5
--- /dev/null
+++ b/public/assets/img/svg/fediverse-small.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 6.35 6.35" class="svg fediverse-small" width="16" height="16" aria-hidden="true"><path d="M3.59 1.16a.204.204 0 0 0-.24.16.204.204 0 0 0 .158.24 1.63 1.63 0 0 1 .832.45 1.64 1.64 0 0 1 .353 1.806.204.204 0 0 0 .11.268.204.204 0 0 0 .265-.11A2.055 2.055 0 0 0 3.59 1.16M1.547 2.266a.204.204 0 0 0-.266.109 2.054 2.054 0 0 0 1.48 2.814.204.204 0 0 0 .241-.158.204.204 0 0 0-.16-.242 1.63 1.63 0 0 1-.832-.45 1.64 1.64 0 0 1-.483-1.163c0-.228.046-.446.13-.643a.204.204 0 0 0-.11-.267" style="stroke-linecap:round" transform="matrix(1.28704 0 0 1.31102 -.911 -.987)"/><path d="M1.72.264C1.065.264.53.802.53 1.456c0 .655.535 1.19 1.19 1.19s1.19-.535 1.19-1.19S2.373.264 1.72.264m0 .53c.368 0 .661.294.661.662a.66.66 0 0 1-.661.662.66.66 0 0 1-.662-.662c0-.368.293-.661.662-.661M4.63 3.705c-.654 0-1.19.535-1.19 1.19s.536 1.19 1.19 1.19c.655 0 1.19-.536 1.19-1.19 0-.655-.535-1.19-1.19-1.19m0 .527c.37 0 .661.294.661.663a.657.657 0 0 1-.66.662.66.66 0 0 1-.662-.662c0-.369.293-.663.662-.663"/></svg>
\ No newline at end of file
diff --git a/release-notes/10380.md b/release-notes/10380.md
new file mode 100644
index 0000000000..04c1b7c665
--- /dev/null
+++ b/release-notes/10380.md
@@ -0,0 +1 @@
+Allow forgejo users to follow remote users and display federated notes. This feature is still missing some some other basic features for "production use": there is no moderation support, UI for following federated users, and federation is still limited to forgejo, Mastodon, and GoToSocial.
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index d0b8531aea..efd10b567f 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1036,6 +1036,11 @@ func Routes() *web.Route {
 					m.Delete("", user.Unfollow)
 				}, context.UserAssignmentAPI())
 			})
+			if setting.Federation.Enabled {
+				m.Group("/activitypub", func() {
+					m.Post("/follow", bind(api.APRemoteFollowOption{}), user.ActivityPubFollow)
+				})
+			}
 
 			// (admin:public_key scope)
 			m.Group("/keys", func() {
diff --git a/routers/api/v1/swagger/options.go b/routers/api/v1/swagger/options.go
index 1cc77b319a..7df4d42c34 100644
--- a/routers/api/v1/swagger/options.go
+++ b/routers/api/v1/swagger/options.go
@@ -19,6 +19,9 @@ type swaggerParameterBodies struct {
 	// in:body
 	ForgeLike ffed.ForgeLike
 
+	// in:body
+	APRemoteFollowOption api.APRemoteFollowOption `json:"body"`
+
 	// in:body
 	AddCollaboratorOption api.AddCollaboratorOption
 
diff --git a/routers/api/v1/user/follower.go b/routers/api/v1/user/follower.go
index 643ad49b80..508632a6e7 100644
--- a/routers/api/v1/user/follower.go
+++ b/routers/api/v1/user/follower.go
@@ -10,9 +10,11 @@ import (
 
 	user_model "forgejo.org/models/user"
 	api "forgejo.org/modules/structs"
+	"forgejo.org/modules/web"
 	"forgejo.org/routers/api/v1/utils"
 	"forgejo.org/services/context"
 	"forgejo.org/services/convert"
+	"forgejo.org/services/federation"
 )
 
 func responseAPIUsers(ctx *context.APIContext, users []*user_model.User) {
@@ -279,3 +281,33 @@ func Unfollow(ctx *context.APIContext) {
 	}
 	ctx.Status(http.StatusNoContent)
 }
+
+// Follow follow a remote activitypub account
+func ActivityPubFollow(ctx *context.APIContext) {
+	// swagger:operation POST /user/activitypub/follow user userCurrentActivityPubFollow
+	// ---
+	// summary: Follow a remote activitypub account
+	// parameters:
+	// - name: body
+	//   in: body
+	//   schema:
+	//     "$ref": "#/definitions/APRemoteFollowOption"
+	// responses:
+	//   "204":
+	//     "$ref": "#/responses/empty"
+	//   "401":
+	//     "$ref": "#/responses/unauthorized"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+
+	form := web.GetForm(ctx).(*api.APRemoteFollowOption)
+
+	if err := federation.FollowRemoteActor(ctx, ctx.Doer, form.Target); err != nil {
+		ctx.Error(http.StatusInternalServerError, "federation.FollowRemoteActor", err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
diff --git a/routers/web/user/profile.go b/routers/web/user/profile.go
index 2a3893f80e..ec3cb4a5d3 100644
--- a/routers/web/user/profile.go
+++ b/routers/web/user/profile.go
@@ -176,6 +176,28 @@ func prepareUserProfileTabData(ctx *context.Context, showPrivate bool, profileDb
 		} else {
 			ctx.Data["CardsNoneMsg"] = ctx.Tr("followers.outgoing.list.none", ctx.ContextUser.Name)
 		}
+	case "feed":
+		if setting.Federation.Enabled {
+			pagingNum = setting.UI.FeedPagingNum
+			var items []*activities_model.FederatedUserActivity
+			var count int64
+			if ctx.Doer != nil {
+				items, count, err = activities_model.GetFollowingFeeds(ctx,
+					ctx.Doer.ID,
+					activities_model.GetFollowingFeedsOptions{
+						ListOptions: db.ListOptions{
+							PageSize: pagingNum,
+							Page:     page,
+						},
+					})
+				if err != nil {
+					ctx.ServerError("GetFollowingFeeds", err)
+					return
+				}
+			}
+			ctx.Data["FollowingFeeds"] = items
+			total = int(count)
+		}
 	case "activity":
 		// prepare heatmap data
 		if setting.Service.EnableUserHeatmap {
diff --git a/services/federation/federation_service.go b/services/federation/federation_service.go
index d0336881a8..04cc4e878a 100644
--- a/services/federation/federation_service.go
+++ b/services/federation/federation_service.go
@@ -11,7 +11,7 @@ import (
 	"strings"
 
 	"forgejo.org/models/forgefed"
-	"forgejo.org/models/user"
+	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/activitypub"
 	fm "forgejo.org/modules/forgefed"
 	"forgejo.org/modules/log"
@@ -47,32 +47,51 @@ func FindOrCreateFederationHost(ctx context.Context, actorURI string) (*forgefed
 	return federationHost, nil
 }
 
-func FindOrCreateFederatedUser(ctx context.Context, actorURI string) (*user.User, *user.FederatedUser, *forgefed.FederationHost, error) {
+func FindOrCreateFederatedUser(ctx context.Context, actorURI string) (*user_model.User, *user_model.FederatedUser, *forgefed.FederationHost, error) {
 	user, federatedUser, federationHost, err := findFederatedUser(ctx, actorURI)
 	if err != nil {
 		return nil, nil, nil, err
 	}
+
 	personID, err := fm.NewPersonID(actorURI, string(federationHost.NodeInfo.SoftwareName))
 	if err != nil {
 		return nil, nil, nil, err
 	}
 
 	if user != nil {
-		log.Trace("Local ActivityPub user found (actorURI: %#v, user: %#v)", actorURI, user)
+		log.Trace("Local ActivityPub user found (actorURI: %#v, user: %v)", actorURI, user.Name)
 	} else {
 		log.Trace("Attempting to create new user and federatedUser for actorURI: %#v", actorURI)
-		user, federatedUser, err = createUserFromAP(ctx, personID, federationHost.ID)
+		apUser, apFederatedUser, err := fetchUserFromAP(ctx, personID, federationHost)
 		if err != nil {
 			return nil, nil, nil, err
 		}
-		log.Trace("Created user %#v with federatedUser %#v from distant server", user, federatedUser)
+
+		user, federatedUser, federationHost, err = findFederatedUser(ctx, apFederatedUser.NormalizedOriginalURL)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		if user != nil {
+			log.Trace("Resolved alias %s to %s", actorURI, apFederatedUser.NormalizedOriginalURL)
+		} else {
+			user = apUser
+			federatedUser = apFederatedUser
+
+			err := user_model.CreateFederatedUser(ctx, user, federatedUser)
+			if err != nil {
+				return nil, nil, nil, err
+			}
+
+			log.Trace("Created user %s with federatedUser %s from distant server", user.LogString(), federatedUser.LogString())
+		}
 	}
 	log.Trace("Got user: %v", user.Name)
 
 	return user, federatedUser, federationHost, nil
 }
 
-func findFederatedUser(ctx context.Context, actorURI string) (*user.User, *user.FederatedUser, *forgefed.FederationHost, error) {
+func findFederatedUser(ctx context.Context, actorURI string) (*user_model.User, *user_model.FederatedUser, *forgefed.FederationHost, error) {
 	federationHost, err := FindOrCreateFederationHost(ctx, actorURI)
 	if err != nil {
 		return nil, nil, nil, err
@@ -82,7 +101,7 @@ func findFederatedUser(ctx context.Context, actorURI string) (*user.User, *user.
 		return nil, nil, nil, err
 	}
 
-	user, federatedUser, err := user.FindFederatedUser(ctx, actorID.ID, federationHost.ID)
+	user, federatedUser, err := user_model.FindFederatedUser(ctx, actorID.ID, federationHost.ID)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -91,7 +110,7 @@ func findFederatedUser(ctx context.Context, actorURI string) (*user.User, *user.
 }
 
 func createFederationHostFromAP(ctx context.Context, actorID fm.ActorID) (*forgefed.FederationHost, error) {
-	actionsUser := user.NewAPServerActor()
+	actionsUser := user_model.NewAPServerActor()
 
 	clientFactory, err := activitypub.GetClientFactory(ctx)
 	if err != nil {
@@ -137,8 +156,8 @@ func createFederationHostFromAP(ctx context.Context, actorID fm.ActorID) (*forge
 	return &result, nil
 }
 
-func fetchUserFromAP(ctx context.Context, personID fm.PersonID, federationHostID int64) (*user.User, *user.FederatedUser, error) {
-	actionsUser := user.NewAPServerActor()
+func fetchUserFromAP(ctx context.Context, personID fm.PersonID, federationHost *forgefed.FederationHost) (*user_model.User, *user_model.FederatedUser, error) {
+	actionsUser := user_model.NewAPServerActor()
 	clientFactory, err := activitypub.GetClientFactory(ctx)
 	if err != nil {
 		return nil, nil, err
@@ -164,16 +183,18 @@ func fetchUserFromAP(ctx context.Context, personID fm.PersonID, federationHostID
 		return nil, nil, err
 	}
 
-	log.Info("Fetched valid person from distant server: %q", person)
-
 	localFqdn, err := url.ParseRequestURI(setting.AppURL)
 	if err != nil {
 		return nil, nil, err
 	}
 
+	personIDFromActor, err := fm.NewPersonID(person.ID.GetLink().String(), string(federationHost.NodeInfo.SoftwareName))
+	if err != nil {
+		return nil, nil, err
+	}
 	email := fmt.Sprintf("f%v@%v", uuid.New().String(), localFqdn.Hostname())
-	loginName := personID.AsLoginName()
-	name := fmt.Sprintf("@%v%v", person.PreferredUsername.String(), personID.HostSuffix())
+	loginName := personIDFromActor.AsLoginName()
+	name := fmt.Sprintf("@%v%v", person.PreferredUsername.String(), personIDFromActor.HostSuffix())
 	fullName := person.Name.String()
 
 	if len(person.Name) == 0 {
@@ -190,7 +211,7 @@ func fetchUserFromAP(ctx context.Context, personID fm.PersonID, federationHostID
 		return nil, nil, err
 	}
 
-	newUser := user.User{
+	newUser := user_model.User{
 		LowerName:                    strings.ToLower(name),
 		Name:                         name,
 		FullName:                     fullName,
@@ -201,15 +222,15 @@ func fetchUserFromAP(ctx context.Context, personID fm.PersonID, federationHostID
 		Salt:                         "",
 		PasswdHashAlgo:               "",
 		LoginName:                    loginName,
-		Type:                         user.UserTypeActivityPubUser,
+		Type:                         user_model.UserTypeActivityPubUser,
 		IsAdmin:                      false,
 	}
 
-	federatedUser := user.FederatedUser{
-		ExternalID:            personID.ID,
-		FederationHostID:      federationHostID,
+	federatedUser := user_model.FederatedUser{
+		ExternalID:            personIDFromActor.ID,
+		FederationHostID:      federationHost.ID,
 		InboxPath:             inbox.Path,
-		NormalizedOriginalURL: personID.AsURI(),
+		NormalizedOriginalURL: personIDFromActor.AsURI(),
 		KeyID: sql.NullString{
 			String: person.PublicKey.ID.String(),
 			Valid:  true,
@@ -220,20 +241,6 @@ func fetchUserFromAP(ctx context.Context, personID fm.PersonID, federationHostID
 		},
 	}
 
-	log.Info("Fetched person's %q federatedUser from distant server: %q", person, federatedUser)
+	log.Trace("Fetched person's %v federatedUser from distant server: %s", person, federatedUser.LogString())
 	return &newUser, &federatedUser, nil
 }
-
-func createUserFromAP(ctx context.Context, personID fm.PersonID, federationHostID int64) (*user.User, *user.FederatedUser, error) {
-	newUser, federatedUser, err := fetchUserFromAP(ctx, personID, federationHostID)
-	if err != nil {
-		return nil, nil, err
-	}
-	err = user.CreateFederatedUser(ctx, newUser, federatedUser)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	log.Info("Created federatedUser: %q", federatedUser)
-	return newUser, federatedUser, nil
-}
diff --git a/services/federation/signature_service.go b/services/federation/signature_service.go
index 25e4e270bc..bd40a37beb 100644
--- a/services/federation/signature_service.go
+++ b/services/federation/signature_service.go
@@ -82,11 +82,6 @@ func FindOrCreateFederatedUserKey(ctx context.Context, keyID string) (pubKey any
 		if err != nil {
 			return nil, err
 		}
-	} else {
-		_, err = forgefed.GetFederationHost(ctx, federatedUser.FederationHostID)
-		if err != nil {
-			return nil, err
-		}
 	}
 
 	if federatedUser.PublicKey.Valid {
diff --git a/templates/base/head.tmpl b/templates/base/head.tmpl
index d31d25db46..8b4f661b57 100644
--- a/templates/base/head.tmpl
+++ b/templates/base/head.tmpl
@@ -19,6 +19,9 @@
 {{end}}
 	<link rel="icon" href="{{AssetUrlPrefix}}/img/favicon.svg" type="image/svg+xml">
 	<link rel="alternate icon" href="{{AssetUrlPrefix}}/img/favicon.png" type="image/png">
+{{if and FederationEnabled .PageIsUserProfile .ContextUser .ContextUser.IsIndividual}}
+	<link rel="alternate" type="application/activity+json" href="{{.ContextUser.APActorID}}">
+{{end}}
 	{{template "base/head_script" .}}
 	{{template "shared/user/mention_highlight" .}}
 	{{template "base/head_opengraph" .}}
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index e9b10e1e52..8ca012823a 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -19583,6 +19583,38 @@
         }
       }
     },
+    "/user/activitypub/follow": {
+      "post": {
+        "tags": [
+          "user"
+        ],
+        "summary": "Follow a remote activitypub account",
+        "operationId": "userCurrentActivityPubFollow",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "$ref": "#/definitions/APRemoteFollowOption"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "$ref": "#/responses/empty"
+          },
+          "401": {
+            "$ref": "#/responses/unauthorized"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          }
+        }
+      }
+    },
     "/user/applications/oauth2": {
       "get": {
         "produces": [
@@ -22279,6 +22311,16 @@
       },
       "x-go-package": "forgejo.org/services/context"
     },
+    "APRemoteFollowOption": {
+      "type": "object",
+      "properties": {
+        "target": {
+          "type": "string",
+          "x-go-name": "Target"
+        }
+      },
+      "x-go-package": "forgejo.org/modules/structs"
+    },
     "AccessToken": {
       "type": "object",
       "title": "AccessToken represents an API access token.",
diff --git a/templates/user/dashboard/ap_feed.tmpl b/templates/user/dashboard/ap_feed.tmpl
new file mode 100644
index 0000000000..1127026139
--- /dev/null
+++ b/templates/user/dashboard/ap_feed.tmpl
@@ -0,0 +1,26 @@
+<div id="activity-feed" class="flex-list">
+	{{range .FollowingFeeds}}
+		<div class="flex-item">
+			{{if not (eq .Actor.ID 0)}}
+				<div class="flex-item-leading">
+					{{ctx.AvatarUtils.Avatar . 48}}
+				</div>
+			{{end}}
+			<div class="flex-item-main">
+				<div class="flex-item-title">
+					<a class="text muted" href="{{.ActorURI}}">{{.Actor.Name}}</a>
+				</div>
+				<div class="render-content markup">
+					{{.NoteContent | SanitizeHTMLStrict}}
+				</div>
+				{{if .NoteURL}}
+					<div class="flex-item-footer">
+						<span class="flex-text-inline">{{svg "octicon-calendar"}}{{ctx.Locale.Tr "user.activitypub_feed.posted_on" (DateUtils.TimeSince .Created)}}</span>
+						<a class="flex-text-inline" href="{{.NoteURL}}">{{svg "octicon-link-external"}}{{ctx.Locale.Tr "user.activitypub_feed.original_source"}}</a>
+					</div>
+				{{end}}
+			</div>
+		</div>
+	{{end}}
+	{{template "base/paginate" .}}
+</div>
diff --git a/templates/user/dashboard/ap_feed_guide.tmpl b/templates/user/dashboard/ap_feed_guide.tmpl
new file mode 100644
index 0000000000..a3a29abbed
--- /dev/null
+++ b/templates/user/dashboard/ap_feed_guide.tmpl
@@ -0,0 +1,6 @@
+<div id="empty-ap-feed" class="tw-text-center tw-p-8">
+	{{svg "octicon-people" 64 "tw-text-placeholder-text"}}
+	<h2>{{ctx.Locale.Tr "user.activitypub_feed.no_activity"}}</h2>
+	<p class="help">{{ctx.Locale.Tr "user.activitypub_feed.is_empty"}}</p>
+	<p class="help">{{ctx.Locale.Tr "user.activitypub_feed.hint"}}</p>
+</div>
diff --git a/templates/user/overview/header.tmpl b/templates/user/overview/header.tmpl
index ea5d8052f4..cc306cc571 100644
--- a/templates/user/overview/header.tmpl
+++ b/templates/user/overview/header.tmpl
@@ -41,6 +41,11 @@
 					{{svg "octicon-rss"}} {{ctx.Locale.Tr "user.activity"}}
 				</a>
 			{{end}}
+			{{if and FederationEnabled (eq .SignedUserID .ContextUser.ID)}}
+			<a class="{{if eq .TabName "feed"}}active {{end}}item" href="{{.ContextUser.HomeLink}}?tab=feed">
+				{{svg "fediverse-small"}} {{ctx.Locale.Tr "user.activitypub_feed.feed"}}
+			</a>
+			{{end}}
 			{{if not .DisableStars}}
 			<a class="{{if eq .TabName "stars"}}active {{end}}item" href="{{.ContextUser.HomeLink}}?tab=stars">
 				{{svg "octicon-star"}} {{ctx.Locale.Tr "user.starred"}}
diff --git a/templates/user/profile.tmpl b/templates/user/profile.tmpl
index 30210a1775..6fd533767f 100644
--- a/templates/user/profile.tmpl
+++ b/templates/user/profile.tmpl
@@ -58,6 +58,14 @@
 						{{.ProfileReadme}}
 					{{end}}
 					</div>
+				{{else if and FederationEnabled (eq .TabName "feed")}}
+					{{if eq .SignedUserID .ContextUser.ID}}
+						{{if .FollowingFeeds}}
+							{{template "user/dashboard/ap_feed" .}}
+						{{else}}
+							{{template "user/dashboard/ap_feed_guide" .}}
+						{{end}}
+					{{end}}
 				{{else}}
 					{{template "shared/repo_search" .}}
 					{{template "explore/repo_list" .}}
diff --git a/tests/integration/api_activitypub_person_inbox_follow_test.go b/tests/integration/api_activitypub_person_inbox_follow_test.go
index 5a0b452447..f31e7e9011 100644
--- a/tests/integration/api_activitypub_person_inbox_follow_test.go
+++ b/tests/integration/api_activitypub_person_inbox_follow_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 	"time"
 
+	"forgejo.org/models/db"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/activitypub"
@@ -26,7 +27,6 @@ import (
 // Flow of this test is documented at: https://codeberg.org/forgejo-contrib/federation/src/branch/main/doc/user-activity-following.md
 func TestActivityPubPersonInboxFollow(t *testing.T) {
 	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
-	defer test.MockVariableValue(&setting.Federation.SignatureEnforced, false)()
 	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
 
 	federation.Init()
@@ -40,6 +40,7 @@ func TestActivityPubPersonInboxFollow(t *testing.T) {
 
 		distantURL := federatedSrv.URL
 		distantUser15URL := fmt.Sprintf("%s/api/v1/activitypub/user-id/15", distantURL)
+		distantUser15AliasURL := fmt.Sprintf("%s/api/v1/activitypub/user-id/alias15", distantURL)
 
 		localUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 		localUser2URL := localUrl.JoinPath("/api/v1/activitypub/user-id/2").String()
@@ -52,14 +53,16 @@ func TestActivityPubPersonInboxFollow(t *testing.T) {
 			`{"type":"Follow",`+
 				`"actor":"%s",`+
 				`"object":"%s"}`,
-			distantUser15URL,
+			distantUser15AliasURL,
 			localUser2URL,
 		)
+
 		cf, err := activitypub.NewClientFactoryWithTimeout(60 * time.Second)
 		require.NoError(t, err)
-		c, err := cf.WithKeysDirect(ctx, mock.ApActor.PrivKey,
-			mock.ApActor.KeyID(federatedSrv.URL))
+
+		c, err := cf.WithKeysDirect(ctx, mock.ApActor.PrivKey, mock.ApActor.KeyID(federatedSrv.URL))
 		require.NoError(t, err)
+
 		resp, err := c.Post(followActivity, localUser2Inbox)
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusAccepted, resp.StatusCode)
@@ -94,9 +97,12 @@ func TestActivityPubPersonInboxFollow(t *testing.T) {
 			distantUser15URL,
 			localUser2URL,
 		)
+
 		c, err = cf.WithKeysDirect(ctx, mock.ApActor.PrivKey,
 			mock.ApActor.KeyID(federatedSrv.URL))
+
 		require.NoError(t, err)
+
 		resp, err = c.Post(undoFollowActivity, localUser2Inbox)
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusNoContent, resp.StatusCode)
@@ -110,3 +116,44 @@ func TestActivityPubPersonInboxFollow(t *testing.T) {
 		)
 	})
 }
+
+func TestActivityPubFollowRefollow(t *testing.T) {
+	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+	defer test.MockVariableValue(&setting.Federation.SignatureEnforced, false)()
+	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+	require.NoError(t, federation.Init())
+
+	mock := test.NewFederationServerMock()
+	federatedSrv := mock.DistantServer(t)
+	defer federatedSrv.Close()
+
+	onApplicationRun(t, func(t *testing.T, localUrl *url.URL) {
+		defer test.MockVariableValue(&setting.AppURL, localUrl.String())()
+
+		distantURL := federatedSrv.URL
+		distantUser15AliasURL := fmt.Sprintf("%s/api/v1/activitypub/user-id/alias15", distantURL)
+
+		localUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		localUser2URL := localUrl.JoinPath("/api/v1/activitypub/user-id/2")
+		localUser2Inbox := localUrl.JoinPath("/api/v1/activitypub/user-id/2/inbox")
+
+		ctx := t.Context()
+
+		var follow user_model.FederatedUserFollower
+		has, err := db.GetEngine(ctx).Get(&follow)
+		require.NoError(t, err)
+		assert.False(t, has)
+
+		require.NoError(t, mock.FollowActorUnsigned(federatedSrv.URL, 15, *localUser2URL, *localUser2Inbox))
+
+		has, err = db.GetEngine(ctx).Get(&follow)
+		require.NoError(t, err)
+		assert.True(t, has)
+		assert.Equal(t, int64(2), follow.FollowedUserID)
+
+		apiCtx, _ := contexttest.MockAPIContext(t, localUser2Inbox.String())
+		err = federation.FollowRemoteActor(apiCtx, localUser, distantUser15AliasURL)
+		require.NoError(t, err)
+	})
+}
diff --git a/tests/integration/api_activitypub_person_inbox_useractivity_test.go b/tests/integration/api_activitypub_person_inbox_useractivity_test.go
index 55fd62a3fe..fa51050045 100644
--- a/tests/integration/api_activitypub_person_inbox_useractivity_test.go
+++ b/tests/integration/api_activitypub_person_inbox_useractivity_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 	"time"
 
+	"forgejo.org/models/activities"
 	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
@@ -26,9 +27,80 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestActivityPubPersonInboxNoteFromDistant(t *testing.T) {
+	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+	federation.Init()
+
+	mock := test.NewFederationServerMock()
+	federatedSrv := mock.DistantServer(t)
+	defer federatedSrv.Close()
+
+	onApplicationRun(t, func(t *testing.T, localUrl *url.URL) {
+		defer test.MockVariableValue(&setting.AppURL, localUrl.String())()
+
+		distantURL := federatedSrv.URL
+		distantUser15URL := fmt.Sprintf("%s/api/v1/activitypub/user-id/15", distantURL)
+
+		localUser2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		localUser2URL := localUrl.JoinPath("/api/v1/activitypub/user-id/2").String()
+		localUser2Inbox := localUrl.JoinPath("/api/v1/activitypub/user-id/2/inbox").String()
+		localSession2 := loginUser(t, localUser2.LoginName)
+		localSecssion2Token := getTokenForLoggedInUser(t, localSession2, auth_model.AccessTokenScopeWriteUser)
+
+		// view own empty feed on web UI
+		feedPage := NewHTMLParser(t, localSession2.MakeRequest(t, NewRequest(t, "GET", "/user2?tab=feed"), http.StatusOK).Body)
+		feedPage.AssertElement(t, "#empty-ap-feed", true)
+
+		// follow (local follows distant)
+		req := NewRequestWithJSON(t, "POST",
+			"/api/v1/user/activitypub/follow",
+			&structs.APRemoteFollowOption{
+				Target: distantUser15URL,
+			}).
+			AddTokenAuth(localSecssion2Token)
+		MakeRequest(t, req, http.StatusNoContent)
+
+		// send note (distant -> local)
+		distantNoteURL := fmt.Sprintf("%s/api/v1/activitypub/note/104", distantURL)
+
+		userActivity := fmt.Appendf(
+			[]byte{},
+			`{"type":"Create",`+
+				`"actor":"%s",`+
+				`"to": ["https://www.w3.org/ns/activitystreams#Public"],`+
+				`"cc": ["%s"],`+
+				`"object": {"type":"Note","content":"The Content!",`+
+				`"url":"%s"}}`,
+			distantUser15URL,
+			localUser2URL,
+			distantNoteURL,
+		)
+
+		ctx, _ := contexttest.MockAPIContext(t, localUser2Inbox)
+		cf, err := activitypub.NewClientFactoryWithTimeout(60 * time.Second)
+		require.NoError(t, err)
+
+		c, err := cf.WithKeysDirect(ctx, mock.ApActor.PrivKey, mock.ApActor.KeyID(federatedSrv.URL))
+		require.NoError(t, err)
+
+		resp, err := c.Post(userActivity, localUser2Inbox)
+		require.NoError(t, err)
+
+		assert.Equal(t, http.StatusNoContent, resp.StatusCode)
+
+		// check whether user activity exists in local instance
+		unittest.AssertExistsAndLoadBean(t, &activities.FederatedUserActivity{NoteURL: distantNoteURL})
+
+		// view own non-empty feed on web UI
+		feedPage = NewHTMLParser(t, localSession2.MakeRequest(t, NewRequest(t, "GET", "/user2?tab=feed"), http.StatusOK).Body)
+		feedPage.AssertElement(t, "#empty-ap-feed", false)
+	})
+}
+
 func TestActivityPubPersonInboxNoteToDistant(t *testing.T) {
 	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
-	defer test.MockVariableValue(&setting.Federation.SignatureEnforced, false)()
 	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
 
 	federation.Init()
@@ -60,14 +132,17 @@ func TestActivityPubPersonInboxNoteToDistant(t *testing.T) {
 			distantUser15URL,
 			localUser2URL,
 		)
+
 		ctx, _ := contexttest.MockAPIContext(t, localUser2Inbox)
 		cf, err := activitypub.NewClientFactoryWithTimeout(60 * time.Second)
 		require.NoError(t, err)
-		c, err := cf.WithKeysDirect(ctx, mock.ApActor.PrivKey,
-			mock.ApActor.KeyID(federatedSrv.URL))
+
+		c, err := cf.WithKeysDirect(ctx, mock.ApActor.PrivKey, mock.ApActor.KeyID(federatedSrv.URL))
 		require.NoError(t, err)
+
 		resp, err := c.Post(followActivity, localUser2Inbox)
 		require.NoError(t, err)
+
 		assert.Equal(t, http.StatusAccepted, resp.StatusCode)
 
 		// local action which triggers a user activity
@@ -87,9 +162,11 @@ func TestActivityPubPersonInboxNoteToDistant(t *testing.T) {
 		// distant request activity & activity note
 		localUser2ActivityNote := fmt.Sprintf("%v/activities/1", localUser2URL)
 		localUser2Activity := fmt.Sprintf("%v/activities/1/activity", localUser2URL)
+
 		resp, err = c.Get(localUser2ActivityNote)
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
 		resp, err = c.Get(localUser2Activity)
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusOK, resp.StatusCode)
diff --git a/tests/integration/api_user_follow_federation_test.go b/tests/integration/api_user_follow_federation_test.go
new file mode 100644
index 0000000000..e3dc72b264
--- /dev/null
+++ b/tests/integration/api_user_follow_federation_test.go
@@ -0,0 +1,55 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/forgefed"
+	"forgejo.org/models/unittest"
+	"forgejo.org/models/user"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/structs"
+	"forgejo.org/modules/test"
+	"forgejo.org/routers"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActivityPubFollowFederated(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+	mock := test.NewFederationServerMock()
+	federatedSrv := mock.DistantServer(t)
+	defer federatedSrv.Close()
+
+	localUser10Name := "user10"
+	localSession10 := loginUser(t, localUser10Name)
+	localSecssion10Token := getTokenForLoggedInUser(t, localSession10, auth_model.AccessTokenScopeWriteUser)
+
+	distantURL := federatedSrv.URL
+	distantUser15URL := fmt.Sprintf("%s/api/v1/activitypub/user-id/15", distantURL)
+
+	// local user follow distant
+	req := NewRequestWithJSON(t, "POST",
+		"/api/v1/user/activitypub/follow",
+		&structs.APRemoteFollowOption{
+			Target: distantUser15URL,
+		}).
+		AddTokenAuth(localSecssion10Token)
+	MakeRequest(t, req, http.StatusNoContent)
+
+	// check: federated actors now exist local
+	federationHost := unittest.AssertExistsAndLoadBean(t, &forgefed.FederationHost{HostFqdn: "127.0.0.1"})
+	unittest.AssertExistsAndLoadBean(t, &user.FederatedUser{ExternalID: "15", FederationHostID: federationHost.ID})
+
+	// check: follow request arrived at distant
+	assert.Contains(t, mock.LastPost, "\"object\":\"http://DISTANT_FEDERATION_HOST/api/v1/activitypub/user-id/15\"")
+}
diff --git a/tests/integration/federation_home_template_test.go b/tests/integration/federation_home_template_test.go
new file mode 100644
index 0000000000..806fe31b7b
--- /dev/null
+++ b/tests/integration/federation_home_template_test.go
@@ -0,0 +1,53 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"net/http"
+	"testing"
+
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/test"
+	"forgejo.org/routers"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/net/html"
+)
+
+func getLinks(t *testing.T, url string) []*html.Node {
+	req := NewRequest(t, "GET", url)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	links := htmlDoc.doc.Find("link[type=\"application/activity+json\"]").Nodes
+
+	return links
+}
+
+func TestFederationBaseHead(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+	t.Run("Federation disabled", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.Federation.Enabled, false)()
+
+		links := getLinks(t, "/user1")
+		assert.Empty(t, links)
+	})
+
+	t.Run("Federation enabled", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+
+		links := getLinks(t, "/user1")
+		assert.Len(t, links, 1)
+	})
+
+	t.Run("Organization", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+
+		links := getLinks(t, "/org3")
+		assert.Empty(t, links)
+	})
+}
diff --git a/web_src/svg/fediverse-small.svg b/web_src/svg/fediverse-small.svg
new file mode 100644
index 0000000000..43baee480e
--- /dev/null
+++ b/web_src/svg/fediverse-small.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   width="24"
+   height="24"
+   viewBox="0 0 6.3499999 6.35"
+   version="1.1"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <metadata
+    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+    xmlns:cc="http://creativecommons.org/ns#"
+    xmlns:dc="http://purl.org/dc/elements/1.1/"
+  >
+    <rdf:RDF>
+      <cc:Work rdf:about="https://codeberg.org/forgejo/forgejo/src/web_src/svg/fediverse-small.svg">
+        <dc:title>Forgejo small Fediverse icon</dc:title>
+        <cc:attributionName>The Forgejo Authors</cc:attributionName>
+        <cc:license>MIT</cc:license>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <path
+     style="stroke-linecap:round"
+     d="M 3.5898438,1.1601562 A 0.203686,0.203686 0 0 0 3.3496094,1.3203125 0.203686,0.203686 0 0 0 3.5078125,1.5605469 c 0.1072344,0.021943 0.2100638,0.054028 0.3085938,0.095703 0.1970601,0.08335 0.3741719,0.2042501 0.5234374,0.3535156 0.2985315,0.2985315 0.4843751,0.7096169 0.484375,1.1660157 0,0.2281995 -0.04751,0.4435652 -0.1308593,0.640625 a 0.203686,0.203686 0 0 0 0.109375,0.2675781 0.203686,0.203686 0 0 0 0.265625,-0.109375 C 5.1724517,3.7285087 5.2304688,3.4590205 5.2304687,3.1757813 5.2304687,2.6093024 5.0006974,2.0924942 4.6289062,1.7207031 4.4430106,1.5348075 4.2207091,1.3853417 3.9746094,1.28125 3.8515589,1.2292038 3.7237416,1.1875557 3.5898438,1.1601562 Z M 1.546875,2.265625 A 0.203686,0.203686 0 0 0 1.28125,2.375 C 1.1771594,2.6210999 1.1191406,2.8925415 1.1191406,3.1757813 c 0,0.5664787 0.2297714,1.0813338 0.6015625,1.4531249 0.1858956,0.1858957 0.408197,0.3353614 0.6542969,0.4394532 0.1230501,0.052046 0.2528205,0.093694 0.3867188,0.1210937 A 0.203686,0.203686 0 0 0 3.0019531,5.03125 0.203686,0.203686 0 0 0 2.8417969,4.7890625 C 2.7345627,4.7671193 2.6317332,4.7350342 2.5332031,4.6933594 2.3361428,4.6100096 2.1590312,4.4891093 2.0097656,4.3398437 1.7112341,4.0413123 1.5273438,3.6321799 1.5273437,3.1757813 c 0,-0.2281991 0.045557,-0.4455169 0.1289063,-0.6425782 A 0.203686,0.203686 0 0 0 1.546875,2.265625 Z"
+     transform="matrix(1.2870397,0,0,1.3110209,-0.91132678,-0.98749822)" />
+  <path
+     d="m 1.984375,0.921875 c -0.467452,2e-8 -0.8496094,0.3841105 -0.8496094,0.8515625 0,0.467452 0.3821574,0.8496094 0.8496094,0.8496094 0.467452,0 0.8496094,-0.3821574 0.8496094,-0.8496094 0,-0.467452 -0.3821574,-0.85156248 -0.8496094,-0.8515625 z m 0,0.3789062 c 0.2631744,10e-8 0.4726562,0.2094819 0.4726563,0.4726563 -1e-7,0.2631744 -0.2094819,0.4726562 -0.4726563,0.4726563 -0.2631744,-1e-7 -0.4726562,-0.2094819 -0.4726563,-0.4726563 10e-8,-0.2631744 0.2094819,-0.4726562 0.4726563,-0.4726563 z"
+     transform="matrix(1.3999375,0,0,1.4000066,-1.0582509,-1.0265909)" />
+  <path
+     d="m 4.6308594,3.7050781 c -0.6544307,10e-8 -1.1914062,0.5350214 -1.1914063,1.1894531 10e-8,0.6544318 0.5369756,1.1914062 1.1914063,1.1914063 0.6544307,0 1.1894531,-0.5369745 1.1894531,-1.1914063 0,-0.6544317 -0.5350224,-1.1894531 -1.1894531,-1.1894531 z m 0,0.5273438 c 0.3684464,0 0.6601562,0.2936593 0.6601562,0.6621093 0,0.3684501 -0.2917098,0.6621094 -0.6601562,0.6621094 -0.3684464,0 -0.6621094,-0.2936593 -0.6621094,-0.6621094 0,-0.36845 0.293663,-0.6621093 0.6621094,-0.6621093 z" />
+</svg>
\ No newline at end of file

From 2b42fdaa2617a0cd348000817afd5d6b01ea4171 Mon Sep 17 00:00:00 2001
From: TurtleArmy <turtlearmy@noreply.codeberg.org>
Date: Sun, 12 Apr 2026 18:30:30 +0200
Subject: [PATCH 109/287] feat(ui): Fix comma separated attributes in code
 blocks language preventing syntax-highlighting (#12056)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently, forgejo does not support syntax highlighting code-blocks that have comma separated attributes after the language. This is a pattern sometimes seen in Rust code blocks, with tests like this:

\`\`\`rust
#[test]
fn run_this_test() { /* ... */ }
\`\`\`

\`\`\`rust,ignore
#[test]
fn skip_this_test() { /* ... */ }
\`\`\`

Currently, forgejo only does syntax highlighting in the first case:

```rust
#[test]
fn run_this_test() { /* ... */ }
```

```rust,ignore
#[test]
fn skip_this_test() { /* ... */ }
```

An example of this causing problems can be seen in this commit (https://codeberg.org/zesterer/ariadne/commit/5be9c5b7d2a2eeeefbc014a1ba873b53f1afaee9) causing the following issue (https://codeberg.org/zesterer/ariadne/issues/188).

This PR fixes fixes the second case not getting proper syntax highlighting.

Co-authored-by: TurtleArmy <44322335+TurtleArmyMc@users.noreply.github.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12056
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Ellen Εμίλια Άννα Zscheile <fogti@noreply.codeberg.org>
Co-authored-by: TurtleArmy <turtlearmy@noreply.codeberg.org>
Co-committed-by: TurtleArmy <turtlearmy@noreply.codeberg.org>
---
 modules/markup/markdown/goldmark.go           |  2 ++
 modules/markup/markdown/markdown_test.go      | 24 +++++++++++++++++
 .../markdown/transform_codeblock_lang.go      | 27 +++++++++++++++++++
 3 files changed, 53 insertions(+)
 create mode 100644 modules/markup/markdown/transform_codeblock_lang.go

diff --git a/modules/markup/markdown/goldmark.go b/modules/markup/markdown/goldmark.go
index 1ea3375ab5..aec710fd46 100644
--- a/modules/markup/markdown/goldmark.go
+++ b/modules/markup/markdown/goldmark.go
@@ -90,6 +90,8 @@ func (g *ASTTransformer) Transform(node *ast.Document, reader text.Reader, pc pa
 			}
 		case *ast.RawHTML:
 			g.transformRawHTML(ctx, v, reader)
+		case *ast.FencedCodeBlock:
+			g.transformCodeblockLanguage(v, reader)
 		}
 		return ast.WalkContinue, nil
 	})
diff --git a/modules/markup/markdown/markdown_test.go b/modules/markup/markdown/markdown_test.go
index 61ded3cedc..fc4a515f72 100644
--- a/modules/markup/markdown/markdown_test.go
+++ b/modules/markup/markdown/markdown_test.go
@@ -1488,3 +1488,27 @@ func TestCallout(t *testing.T) {
 <p>Bad stuff is brewing here</p>
 </blockquote>`)
 }
+
+func TestCodeblockLanguageStripping(t *testing.T) {
+	test := func(input, expected string) {
+		buffer, err := markdown.RenderString(&markup.RenderContext{Ctx: git.DefaultContext}, input)
+		require.NoError(t, err)
+		assert.Equal(t, strings.TrimSpace(expected), strings.TrimSpace(string(buffer)))
+	}
+
+	// Unstripped
+	test(
+		"```rust\n"+
+			"fn main() {}\n"+
+			"```",
+		`<pre class="code-block"><code class="chroma language-rust display"><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{}</span><span class="w">
+</span></code></pre>`)
+
+	// Stripped
+	test(
+		"```rust,ignore\n"+
+			"fn main() {}\n"+
+			"```",
+		`<pre class="code-block"><code class="chroma language-rust display"><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{}</span><span class="w">
+</span></code></pre>`)
+}
diff --git a/modules/markup/markdown/transform_codeblock_lang.go b/modules/markup/markdown/transform_codeblock_lang.go
new file mode 100644
index 0000000000..2c90373c4e
--- /dev/null
+++ b/modules/markup/markdown/transform_codeblock_lang.go
@@ -0,0 +1,27 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package markdown
+
+import (
+	"bytes"
+
+	"github.com/yuin/goldmark/ast"
+	"github.com/yuin/goldmark/text"
+)
+
+func (g *ASTTransformer) transformCodeblockLanguage(v *ast.FencedCodeBlock, reader text.Reader) {
+	src := reader.Source()
+	info := v.Info.Segment.Value(src)
+	// Strip language after commas
+	//
+	// For example,
+	// ```rust,ignore
+	// ...
+	// ```
+	// Should have a language of "rust", not "rust,ignore"
+	if i := bytes.IndexByte(info, ','); i != -1 {
+		start := v.Info.Segment.Start
+		v.Info = ast.NewTextSegment(text.NewSegment(start, start+i))
+	}
+}

From aad64a9508c0134095e4433a29c04ebc671b0218 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 13 Apr 2026 02:17:33 +0200
Subject: [PATCH 110/287] Update renovate Docker tag to v43.111.0 (forgejo)
 (#12100)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index a83ed31bfa..bc5c481a15 100644
--- a/Makefile
+++ b/Makefile
@@ -48,7 +48,7 @@ GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasour
 DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.44.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
 GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.104.8 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+RENOVATE_NPM_PACKAGE ?= renovate@43.111.0 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...

From a1be012c4a1e99cfc482a723ebb32af26baad65c Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 13 Apr 2026 02:25:39 +0200
Subject: [PATCH 111/287] Lock file maintenance (forgejo) (#12101)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12101
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json                  | 397 +++++++++++++++--------------
 web_src/fomantic/package-lock.json |  69 ++---
 2 files changed, 235 insertions(+), 231 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 364c1527cb..ac1dbdcc19 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -328,42 +328,40 @@
       }
     },
     "node_modules/@chevrotain/cst-dts-gen": {
-      "version": "11.1.2",
-      "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-11.1.2.tgz",
-      "integrity": "sha512-XTsjvDVB5nDZBQB8o0o/0ozNelQtn2KrUVteIHSlPd2VAV2utEb6JzyCJaJ8tGxACR4RiBNWy5uYUHX2eji88Q==",
+      "version": "12.0.0",
+      "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-12.0.0.tgz",
+      "integrity": "sha512-fSL4KXjTl7cDgf0B5Rip9Q05BOrYvkJV/RrBTE/bKDN096E4hN/ySpcBK5B24T76dlQ2i32Zc3PAE27jFnFrKg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@chevrotain/gast": "11.1.2",
-        "@chevrotain/types": "11.1.2",
-        "lodash-es": "4.17.23"
+        "@chevrotain/gast": "12.0.0",
+        "@chevrotain/types": "12.0.0"
       }
     },
     "node_modules/@chevrotain/gast": {
-      "version": "11.1.2",
-      "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-11.1.2.tgz",
-      "integrity": "sha512-Z9zfXR5jNZb1Hlsd/p+4XWeUFugrHirq36bKzPWDSIacV+GPSVXdk+ahVWZTwjhNwofAWg/sZg58fyucKSQx5g==",
+      "version": "12.0.0",
+      "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-12.0.0.tgz",
+      "integrity": "sha512-1ne/m3XsIT8aEdrvT33so0GUC+wkctpUPK6zU9IlOyJLUbR0rg4G7ZiApiJbggpgPir9ERy3FRjT6T7lpgetnQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@chevrotain/types": "11.1.2",
-        "lodash-es": "4.17.23"
+        "@chevrotain/types": "12.0.0"
       }
     },
     "node_modules/@chevrotain/regexp-to-ast": {
-      "version": "11.1.2",
-      "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-11.1.2.tgz",
-      "integrity": "sha512-nMU3Uj8naWer7xpZTYJdxbAs6RIv/dxYzkYU8GSwgUtcAAlzjcPfX1w+RKRcYG8POlzMeayOQ/znfwxEGo5ulw==",
+      "version": "12.0.0",
+      "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-12.0.0.tgz",
+      "integrity": "sha512-p+EW9MaJwgaHguhoqwOtx/FwuGr+DnNn857sXWOi/mClXIkPGl3rn7hGNWvo31HA3vyeQxjqe+H36yZJwYU8cA==",
       "license": "Apache-2.0"
     },
     "node_modules/@chevrotain/types": {
-      "version": "11.1.2",
-      "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-11.1.2.tgz",
-      "integrity": "sha512-U+HFai5+zmJCkK86QsaJtoITlboZHBqrVketcO2ROv865xfCMSFpELQoz1GkX5GzME8pTa+3kbKrZHQtI0gdbw==",
+      "version": "12.0.0",
+      "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-12.0.0.tgz",
+      "integrity": "sha512-S+04vjFQKeuYw0/eW3U52LkAHQsB1ASxsPGsLPUyQgrZ2iNNibQrsidruDzjEX2JYfespXMG0eZmXlhA6z7nWA==",
       "license": "Apache-2.0"
     },
     "node_modules/@chevrotain/utils": {
-      "version": "11.1.2",
-      "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-11.1.2.tgz",
-      "integrity": "sha512-4mudFAQ6H+MqBTfqLmU7G1ZwRzCLfJEooL/fsF6rCX5eePMbGhoy5n4g+G4vlh2muDcsCTJtL+uKbOzWxs5LHA==",
+      "version": "12.0.0",
+      "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-12.0.0.tgz",
+      "integrity": "sha512-lB59uJoaGIfOOL9knQqQRfhl9g7x8/wqFkp13zTdkRu1huG9kg6IJs1O8hqj9rs6h7orGxHJUKb+mX3rPbWGhA==",
       "license": "Apache-2.0"
     },
     "node_modules/@citation-js/core": {
@@ -811,9 +809,9 @@
       }
     },
     "node_modules/@csstools/css-syntax-patches-for-csstree": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.2.tgz",
-      "integrity": "sha512-5GkLzz4prTIpoyeUiIu3iV6CSG3Plo7xRVOFPKI7FVEJ3mZ0A8SwK0XU3Gl7xAkiQ+mDyam+NNp875/C5y+jSA==",
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.3.tgz",
+      "integrity": "sha512-SH60bMfrRCJF3morcdk57WklujF4Jr/EsQUzqkarfHXEFcAR1gg7fS/chAE922Sehgzc1/+Tz5H3Ypa1HiEKrg==",
       "dev": true,
       "funding": [
         {
@@ -1478,9 +1476,9 @@
       "license": "MIT"
     },
     "node_modules/@eslint/config-array/node_modules/brace-expansion": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
-      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1576,9 +1574,9 @@
       "license": "MIT"
     },
     "node_modules/@eslint/eslintrc/node_modules/brace-expansion": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
-      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2541,9 +2539,9 @@
       "license": "MIT"
     },
     "node_modules/@lezer/common": {
-      "version": "1.5.1",
-      "resolved": "https://registry.npmjs.org/@lezer/common/-/common-1.5.1.tgz",
-      "integrity": "sha512-6YRVG9vBkaY7p1IVxL4s44n5nUnaNnGM2/AckNgYOnxTG2kWh1vR8BMxPseWPjRNpb5VtXnMpeYAEAADoRV1Iw==",
+      "version": "1.5.2",
+      "resolved": "https://registry.npmjs.org/@lezer/common/-/common-1.5.2.tgz",
+      "integrity": "sha512-sxQE460fPZyU3sdc8lafxiPwJHBzZRy/udNFynGQky1SePYBdhkBl1kOagA9uT3pxR8K09bOrmTUqA9wb/PjSQ==",
       "license": "MIT"
     },
     "node_modules/@lezer/cpp": {
@@ -2879,9 +2877,9 @@
       "license": "MIT"
     },
     "node_modules/@oxc-project/types": {
-      "version": "0.122.0",
-      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.122.0.tgz",
-      "integrity": "sha512-oLAl5kBpV4w69UtFZ9xqcmTi+GENWOcPF7FCrczTiBbmC0ibXxCwyvZGbO39rCVEuLGAZM84DH0pUIyyv/YJzA==",
+      "version": "0.124.0",
+      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.124.0.tgz",
+      "integrity": "sha512-VBFWMTBvHxS11Z5Lvlr3IWgrwhMTXV+Md+EQF0Xf60+wAdsGFTBx7X7K/hP4pi8N7dcm1RvcHwDxZ16Qx8keUg==",
       "dev": true,
       "license": "MIT",
       "funding": {
@@ -2942,9 +2940,9 @@
       }
     },
     "node_modules/@rolldown/binding-android-arm64": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.12.tgz",
-      "integrity": "sha512-pv1y2Fv0JybcykuiiD3qBOBdz6RteYojRFY1d+b95WVuzx211CRh+ytI/+9iVyWQ6koTh5dawe4S/yRfOFjgaA==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-YYe6aWruPZDtHNpwu7+qAHEMbQ/yRl6atqb/AhznLTnD3UY99Q1jE7ihLSahNWkF4EqRPVC4SiR4O0UkLK02tA==",
       "cpu": [
         "arm64"
       ],
@@ -2959,9 +2957,9 @@
       }
     },
     "node_modules/@rolldown/binding-darwin-arm64": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.12.tgz",
-      "integrity": "sha512-cFYr6zTG/3PXXF3pUO+umXxt1wkRK/0AYT8lDwuqvRC+LuKYWSAQAQZjCWDQpAH172ZV6ieYrNnFzVVcnSflAg==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-oArR/ig8wNTPYsXL+Mzhs0oxhxfuHRfG7Ikw7jXsw8mYOtk71W0OkF2VEVh699pdmzjPQsTjlD1JIOoHkLP1Fg==",
       "cpu": [
         "arm64"
       ],
@@ -2976,9 +2974,9 @@
       }
     },
     "node_modules/@rolldown/binding-darwin-x64": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.12.tgz",
-      "integrity": "sha512-ZCsYknnHzeXYps0lGBz8JrF37GpE9bFVefrlmDrAQhOEi4IOIlcoU1+FwHEtyXGx2VkYAvhu7dyBf75EJQffBw==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-YzeVqOqjPYvUbJSWJ4EDL8ahbmsIXQpgL3JVipmN+MX0XnXMeWomLN3Fb+nwCmP/jfyqte5I3XRSm7OfQrbyxw==",
       "cpu": [
         "x64"
       ],
@@ -2993,9 +2991,9 @@
       }
     },
     "node_modules/@rolldown/binding-freebsd-x64": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.12.tgz",
-      "integrity": "sha512-dMLeprcVsyJsKolRXyoTH3NL6qtsT0Y2xeuEA8WQJquWFXkEC4bcu1rLZZSnZRMtAqwtrF/Ib9Ddtpa/Gkge9Q==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-9Erhx956jeQ0nNTyif1+QWAXDRD38ZNjr//bSHrt6wDwB+QkAfl2q6Mn1k6OBPerznjRmbM10lgRb1Pli4xZPw==",
       "cpu": [
         "x64"
       ],
@@ -3010,9 +3008,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-arm-gnueabihf": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.12.tgz",
-      "integrity": "sha512-YqWjAgGC/9M1lz3GR1r1rP79nMgo3mQiiA+Hfo+pvKFK1fAJ1bCi0ZQVh8noOqNacuY1qIcfyVfP6HoyBRZ85Q==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.15.tgz",
+      "integrity": "sha512-cVwk0w8QbZJGTnP/AHQBs5yNwmpgGYStL88t4UIaqcvYJWBfS0s3oqVLZPwsPU6M0zlW4GqjP0Zq5MnAGwFeGA==",
       "cpu": [
         "arm"
       ],
@@ -3027,9 +3025,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-arm64-gnu": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.12.tgz",
-      "integrity": "sha512-/I5AS4cIroLpslsmzXfwbe5OmWvSsrFuEw3mwvbQ1kDxJ822hFHIx+vsN/TAzNVyepI/j/GSzrtCIwQPeKCLIg==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.15.tgz",
+      "integrity": "sha512-eBZ/u8iAK9SoHGanqe/jrPnY0JvBN6iXbVOsbO38mbz+ZJsaobExAm1Iu+rxa4S1l2FjG0qEZn4Rc6X8n+9M+w==",
       "cpu": [
         "arm64"
       ],
@@ -3047,9 +3045,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-arm64-musl": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.12.tgz",
-      "integrity": "sha512-V6/wZztnBqlx5hJQqNWwFdxIKN0m38p8Jas+VoSfgH54HSj9tKTt1dZvG6JRHcjh6D7TvrJPWFGaY9UBVOaWPw==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.15.tgz",
+      "integrity": "sha512-ZvRYMGrAklV9PEkgt4LQM6MjQX2P58HPAuecwYObY2DhS2t35R0I810bKi0wmaYORt6m/2Sm+Z+nFgb0WhXNcQ==",
       "cpu": [
         "arm64"
       ],
@@ -3067,9 +3065,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-ppc64-gnu": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.12.tgz",
-      "integrity": "sha512-AP3E9BpcUYliZCxa3w5Kwj9OtEVDYK6sVoUzy4vTOJsjPOgdaJZKFmN4oOlX0Wp0RPV2ETfmIra9x1xuayFB7g==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.15.tgz",
+      "integrity": "sha512-VDpgGBzgfg5hLg+uBpCLoFG5kVvEyafmfxGUV0UHLcL5irxAK7PKNeC2MwClgk6ZAiNhmo9FLhRYgvMmedLtnQ==",
       "cpu": [
         "ppc64"
       ],
@@ -3087,9 +3085,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-s390x-gnu": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.12.tgz",
-      "integrity": "sha512-nWwpvUSPkoFmZo0kQazZYOrT7J5DGOJ/+QHHzjvNlooDZED8oH82Yg67HvehPPLAg5fUff7TfWFHQS8IV1n3og==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.15.tgz",
+      "integrity": "sha512-y1uXY3qQWCzcPgRJATPSOUP4tCemh4uBdY7e3EZbVwCJTY3gLJWnQABgeUetvED+bt1FQ01OeZwvhLS2bpNrAQ==",
       "cpu": [
         "s390x"
       ],
@@ -3107,9 +3105,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-x64-gnu": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.12.tgz",
-      "integrity": "sha512-RNrafz5bcwRy+O9e6P8Z/OCAJW/A+qtBczIqVYwTs14pf4iV1/+eKEjdOUta93q2TsT/FI0XYDP3TCky38LMAg==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.15.tgz",
+      "integrity": "sha512-023bTPBod7J3Y/4fzAN6QtpkSABR0rigtrwaP+qSEabUh5zf6ELr9Nc7GujaROuPY3uwdSIXWrvhn1KxOvurWA==",
       "cpu": [
         "x64"
       ],
@@ -3127,9 +3125,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-x64-musl": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.12.tgz",
-      "integrity": "sha512-Jpw/0iwoKWx3LJ2rc1yjFrj+T7iHZn2JDg1Yny1ma0luviFS4mhAIcd1LFNxK3EYu3DHWCps0ydXQ5i/rrJ2ig==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.15.tgz",
+      "integrity": "sha512-witB2O0/hU4CgfOOKUoeFgQ4GktPi1eEbAhaLAIpgD6+ZnhcPkUtPsoKKHRzmOoWPZue46IThdSgdo4XneOLYw==",
       "cpu": [
         "x64"
       ],
@@ -3147,9 +3145,9 @@
       }
     },
     "node_modules/@rolldown/binding-openharmony-arm64": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.12.tgz",
-      "integrity": "sha512-vRugONE4yMfVn0+7lUKdKvN4D5YusEiPilaoO2sgUWpCvrncvWgPMzK00ZFFJuiPgLwgFNP5eSiUlv2tfc+lpA==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-UCL68NJ0Ud5zRipXZE9dF5PmirzJE4E4BCIOOssEnM7wLDsxjc6Qb0sGDxTNRTP53I6MZpygyCpY8Aa8sPfKPg==",
       "cpu": [
         "arm64"
       ],
@@ -3164,9 +3162,9 @@
       }
     },
     "node_modules/@rolldown/binding-wasm32-wasi": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.12.tgz",
-      "integrity": "sha512-ykGiLr/6kkiHc0XnBfmFJuCjr5ZYKKofkx+chJWDjitX+KsJuAmrzWhwyOMSHzPhzOHOy7u9HlFoa5MoAOJ/Zg==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.15.tgz",
+      "integrity": "sha512-ApLruZq/ig+nhaE7OJm4lDjayUnOHVUa77zGeqnqZ9pn0ovdVbbNPerVibLXDmWeUZXjIYIT8V3xkT58Rm9u5Q==",
       "cpu": [
         "wasm32"
       ],
@@ -3174,16 +3172,18 @@
       "license": "MIT",
       "optional": true,
       "dependencies": {
-        "@napi-rs/wasm-runtime": "^1.1.1"
+        "@emnapi/core": "1.9.2",
+        "@emnapi/runtime": "1.9.2",
+        "@napi-rs/wasm-runtime": "^1.1.3"
       },
       "engines": {
         "node": ">=14.0.0"
       }
     },
     "node_modules/@rolldown/binding-wasm32-wasi/node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.2.tgz",
-      "integrity": "sha512-sNXv5oLJ7ob93xkZ1XnxisYhGYXfaG9f65/ZgYuAu3qt7b3NadcOEhLvx28hv31PgX8SZJRYrAIPQilQmFpLVw==",
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.3.tgz",
+      "integrity": "sha512-xK9sGVbJWYb08+mTJt3/YV24WxvxpXcXtP6B172paPZ+Ts69Re9dAr7lKwJoeIx8OoeuimEiRZ7umkiUVClmmQ==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -3200,9 +3200,9 @@
       }
     },
     "node_modules/@rolldown/binding-win32-arm64-msvc": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.12.tgz",
-      "integrity": "sha512-5eOND4duWkwx1AzCxadcOrNeighiLwMInEADT0YM7xeEOOFcovWZCq8dadXgcRHSf3Ulh1kFo/qvzoFiCLOL1Q==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.15.tgz",
+      "integrity": "sha512-KmoUoU7HnN+Si5YWJigfTws1jz1bKBYDQKdbLspz0UaqjjFkddHsqorgiW1mxcAj88lYUE6NC/zJNwT+SloqtA==",
       "cpu": [
         "arm64"
       ],
@@ -3217,9 +3217,9 @@
       }
     },
     "node_modules/@rolldown/binding-win32-x64-msvc": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.12.tgz",
-      "integrity": "sha512-PyqoipaswDLAZtot351MLhrlrh6lcZPo2LSYE+VDxbVk24LVKAGOuE4hb8xZQmrPAuEtTZW8E6D2zc5EUZX4Lw==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.15.tgz",
+      "integrity": "sha512-3P2A8L+x75qavWLe/Dll3EYBJLQmtkJN8rfh+U/eR3MqMgL/h98PhYI+JFfXuDPgPeCB7iZAKiqii5vqOvnA0g==",
       "cpu": [
         "x64"
       ],
@@ -3548,9 +3548,9 @@
       "license": "MIT"
     },
     "node_modules/@stoplight/spectral-core/node_modules/brace-expansion": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
-      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4301,12 +4301,12 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "25.5.2",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.2.tgz",
-      "integrity": "sha512-tO4ZIRKNC+MDWV4qKVZe3Ql/woTnmHDr5JD8UI5hn2pwBrHEwOEMZK7WlNb5RKB6EoJ02gwmQS9OrjuFnZYdpg==",
+      "version": "25.6.0",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.6.0.tgz",
+      "integrity": "sha512-+qIYRKdNYJwY3vRCZMdJbPLJAtGjQBudzZzdzwQYkEPQd+PJGixUL5QfvCLDaULoLv+RhT3LDkwEfKaAkgSmNQ==",
       "license": "MIT",
       "dependencies": {
-        "undici-types": "~7.18.0"
+        "undici-types": "~7.19.0"
       }
     },
     "node_modules/@types/sarif": {
@@ -5828,9 +5828,9 @@
       "license": "MIT"
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.15",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.15.tgz",
-      "integrity": "sha512-1nfKCq9wuAZFTkA2ey/3OXXx7GzFjLdkTiFVNwlJ9WqdI706CZRIhEqjuwanjMIja+84jDLa9rcyZDPDiVkASQ==",
+      "version": "2.10.18",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.18.tgz",
+      "integrity": "sha512-VSnGQAOLtP5mib/DPyg2/t+Tlv65NTBz83BJBJvmLVHHuKJVaDOBvJJykiT5TR++em5nfAySPccDZDa4oSrn8A==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -6009,15 +6009,15 @@
       }
     },
     "node_modules/call-bind": {
-      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.8.tgz",
-      "integrity": "sha512-oKlSFMcMwpUg2ednkhQ454wfWiU/ul3CkJe/PEHcTKuiX6RpbehUiFMXu13HalGZxfUwCQzZG747YXBn1im9ww==",
+      "version": "1.0.9",
+      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.9.tgz",
+      "integrity": "sha512-a/hy+pNsFUTR+Iz8TCJvXudKVLAnz/DyeSUo10I5yvFDQJBFU2s9uqQpoSrJlroHUKoKqzg+epxyP9lqFdzfBQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "call-bind-apply-helpers": "^1.0.0",
-        "es-define-property": "^1.0.0",
-        "get-intrinsic": "^1.2.4",
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "get-intrinsic": "^1.3.0",
         "set-function-length": "^1.2.2"
       },
       "engines": {
@@ -6077,9 +6077,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001785",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001785.tgz",
-      "integrity": "sha512-blhOL/WNR+Km1RI/LCVAvA73xplXA7ZbjzI4YkMK9pa6T/P3F2GxjNpEkyw5repTw9IvkyrjyHpwjnhZ5FOvYQ==",
+      "version": "1.0.30001787",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001787.tgz",
+      "integrity": "sha512-mNcrMN9KeI68u7muanUpEejSLghOKlVhRqS/Za2IeyGllJ9I9otGpR9g3nsw7n4W378TE/LyIteA0+/FOZm4Kg==",
       "funding": [
         {
           "type": "opencollective",
@@ -6201,29 +6201,31 @@
       }
     },
     "node_modules/chevrotain": {
-      "version": "11.1.2",
-      "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-11.1.2.tgz",
-      "integrity": "sha512-opLQzEVriiH1uUQ4Kctsd49bRoFDXGGSC4GUqj7pGyxM3RehRhvTlZJc1FL/Flew2p5uwxa1tUDWKzI4wNM8pg==",
+      "version": "12.0.0",
+      "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-12.0.0.tgz",
+      "integrity": "sha512-csJvb+6kEiQaqo1woTdSAuOWdN0WTLIydkKrBnS+V5gZz0oqBrp4kQ35519QgK6TpBThiG3V1vNSHlIkv4AglQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@chevrotain/cst-dts-gen": "11.1.2",
-        "@chevrotain/gast": "11.1.2",
-        "@chevrotain/regexp-to-ast": "11.1.2",
-        "@chevrotain/types": "11.1.2",
-        "@chevrotain/utils": "11.1.2",
-        "lodash-es": "4.17.23"
+        "@chevrotain/cst-dts-gen": "12.0.0",
+        "@chevrotain/gast": "12.0.0",
+        "@chevrotain/regexp-to-ast": "12.0.0",
+        "@chevrotain/types": "12.0.0",
+        "@chevrotain/utils": "12.0.0"
+      },
+      "engines": {
+        "node": ">=22.0.0"
       }
     },
     "node_modules/chevrotain-allstar": {
-      "version": "0.3.1",
-      "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.3.1.tgz",
-      "integrity": "sha512-b7g+y9A0v4mxCW1qUhf3BSVPg+/NvGErk/dOkrDaHA0nQIQGAtrOjlX//9OQtRlSCy+x9rfB5N8yC71lH1nvMw==",
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.4.1.tgz",
+      "integrity": "sha512-PvVJm3oGqrveUVW2Vt/eZGeiAIsJszYweUcYwcskg9e+IubNYKKD+rHHem7A6XVO22eDAL+inxNIGAzZ/VIWlA==",
       "license": "MIT",
       "dependencies": {
         "lodash-es": "^4.17.21"
       },
       "peerDependencies": {
-        "chevrotain": "^11.0.0"
+        "chevrotain": "^12.0.0"
       }
     },
     "node_modules/chokidar": {
@@ -6695,9 +6697,9 @@
       "license": "MIT"
     },
     "node_modules/cytoscape": {
-      "version": "3.33.1",
-      "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.33.1.tgz",
-      "integrity": "sha512-iJc4TwyANnOGR1OmWhsS9ayRS3s+XQ185FmuHObThD+5AeJCakAAbWv8KimMTt08xCCLNgneQwFp+JRJOr9qGQ==",
+      "version": "3.33.2",
+      "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.33.2.tgz",
+      "integrity": "sha512-sj4HXd3DokGhzZAdjDejGvTPLqlt84vNFN8m7bGsOzDY5DyVcxIb2ejIXat2Iy7HxWhdT/N1oKyheJ5YdpsGuw==",
       "license": "MIT",
       "engines": {
         "node": ">=0.10"
@@ -7598,9 +7600,9 @@
       "license": "MIT"
     },
     "node_modules/editorconfig/node_modules/brace-expansion": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
-      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -7624,9 +7626,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.331",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.331.tgz",
-      "integrity": "sha512-IbxXrsTlD3hRodkLnbxAPP4OuJYdWCeM3IOdT+CpcMoIwIoDfCmRpEtSPfwBXxVkg9xmBeY7Lz2Eo2TDn/HC3Q==",
+      "version": "1.5.335",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.335.tgz",
+      "integrity": "sha512-q9n5T4BR4Xwa2cwbrwcsDJtHD/enpQ5S1xF1IAtdqf5AAgqDFmR/aakqH3ChFdqd/QXJhS3rnnXFtexU7rax6Q==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -7701,9 +7703,9 @@
       }
     },
     "node_modules/es-abstract": {
-      "version": "1.24.1",
-      "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.24.1.tgz",
-      "integrity": "sha512-zHXBLhP+QehSSbsS9Pt23Gg964240DPd6QCf8WpkqEXxQ7fhdZzYsocOr5u7apWonsS5EjZDmTF+/slGMyasvw==",
+      "version": "1.24.2",
+      "resolved": "https://registry.npmjs.org/es-abstract/-/es-abstract-1.24.2.tgz",
+      "integrity": "sha512-2FpH9Q5i2RRwyEP1AylXe6nYLR5OhaJTZwmlcP0dL/+JCbgg7yyEo/sEK6HeGZRf3dFpWwThaRHVApXSkW3xeg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -7806,7 +7808,6 @@
       "version": "1.3.0",
       "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
       "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
-      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">= 0.4"
@@ -8467,9 +8468,9 @@
       "license": "MIT"
     },
     "node_modules/eslint/node_modules/brace-expansion": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
-      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -9100,9 +9101,9 @@
       "license": "MIT"
     },
     "node_modules/glob/node_modules/brace-expansion": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
-      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -9807,9 +9808,9 @@
       }
     },
     "node_modules/is-builtin-module/node_modules/builtin-modules": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/builtin-modules/-/builtin-modules-5.0.0.tgz",
-      "integrity": "sha512-bkXY9WsVpY7CvMhKSR6pZilZu9Ln5WDrKVBUXf2S443etkmEO4V58heTecXcUIsNsi4Rx8JUO4NfX1IcQl4deg==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/builtin-modules/-/builtin-modules-5.1.0.tgz",
+      "integrity": "sha512-c5JxaDrzwRjq3WyJkI1AGR5xy6Gr6udlt7sQPbl09+3ckB+Zo2qqQ2KhCTBr7Q8dHB43bENGYEk4xddrFH/b7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -10427,9 +10428,9 @@
       "license": "MIT"
     },
     "node_modules/js-beautify/node_modules/brace-expansion": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
-      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -10716,13 +10717,14 @@
       "license": "MIT"
     },
     "node_modules/langium": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/langium/-/langium-4.2.1.tgz",
-      "integrity": "sha512-zu9QWmjpzJcomzdJQAHgDVhLGq5bLosVak1KVa40NzQHXfqr4eAHupvnPOVXEoLkg6Ocefvf/93d//SB7du4YQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/langium/-/langium-4.2.2.tgz",
+      "integrity": "sha512-JUshTRAfHI4/MF9dH2WupvjSXyn8JBuUEWazB8ZVJUtXutT0doDlAv1XKbZ1Pb5sMexa8FF4CFBc0iiul7gbUQ==",
       "license": "MIT",
       "dependencies": {
-        "chevrotain": "~11.1.1",
-        "chevrotain-allstar": "~0.3.1",
+        "@chevrotain/regexp-to-ast": "~12.0.0",
+        "chevrotain": "~12.0.0",
+        "chevrotain-allstar": "~0.4.1",
         "vscode-languageserver": "~9.0.1",
         "vscode-languageserver-textdocument": "~1.0.11",
         "vscode-uri": "~3.1.0"
@@ -11181,9 +11183,9 @@
       "license": "MIT"
     },
     "node_modules/lodash-es": {
-      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.23.tgz",
-      "integrity": "sha512-kVI48u3PZr38HdYz98UmfPnXl2DXrpdctLrFLCd3kOx1xUkOmpFPx7gCWWM5MPkL/fD8zb+Ph0QzjGFs4+hHWg==",
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.18.1.tgz",
+      "integrity": "sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A==",
       "license": "MIT"
     },
     "node_modules/lodash.clonedeep": {
@@ -13471,9 +13473,9 @@
       "license": "MIT"
     },
     "node_modules/read-package-json/node_modules/brace-expansion": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
-      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -13675,11 +13677,12 @@
       }
     },
     "node_modules/resolve": {
-      "version": "1.22.11",
-      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz",
-      "integrity": "sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==",
+      "version": "1.22.12",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.12.tgz",
+      "integrity": "sha512-TyeJ1zif53BPfHootBGwPRYT1RUt6oGWsaQr8UyZW/eAm9bKoijtvruSDEmZHm92CwS9nj7/fWttqPCgzep8CA==",
       "license": "MIT",
       "dependencies": {
+        "es-errors": "^1.3.0",
         "is-core-module": "^2.16.1",
         "path-parse": "^1.0.7",
         "supports-preserve-symlinks-flag": "^1.0.0"
@@ -13750,14 +13753,14 @@
       "license": "Unlicense"
     },
     "node_modules/rolldown": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.12.tgz",
-      "integrity": "sha512-yP4USLIMYrwpPHEFB5JGH1uxhcslv6/hL0OyvTuY+3qlOSJvZ7ntYnoWpehBxufkgN0cvXxppuTu5hHa/zPh+A==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.15.tgz",
+      "integrity": "sha512-Ff31guA5zT6WjnGp0SXw76X6hzGRk/OQq2hE+1lcDe+lJdHSgnSX6nK3erbONHyCbpSj9a9E+uX/OvytZoWp2g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@oxc-project/types": "=0.122.0",
-        "@rolldown/pluginutils": "1.0.0-rc.12"
+        "@oxc-project/types": "=0.124.0",
+        "@rolldown/pluginutils": "1.0.0-rc.15"
       },
       "bin": {
         "rolldown": "bin/cli.mjs"
@@ -13766,27 +13769,27 @@
         "node": "^20.19.0 || >=22.12.0"
       },
       "optionalDependencies": {
-        "@rolldown/binding-android-arm64": "1.0.0-rc.12",
-        "@rolldown/binding-darwin-arm64": "1.0.0-rc.12",
-        "@rolldown/binding-darwin-x64": "1.0.0-rc.12",
-        "@rolldown/binding-freebsd-x64": "1.0.0-rc.12",
-        "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.12",
-        "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.12",
-        "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.12",
-        "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.12",
-        "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.12",
-        "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.12",
-        "@rolldown/binding-linux-x64-musl": "1.0.0-rc.12",
-        "@rolldown/binding-openharmony-arm64": "1.0.0-rc.12",
-        "@rolldown/binding-wasm32-wasi": "1.0.0-rc.12",
-        "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.12",
-        "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.12"
+        "@rolldown/binding-android-arm64": "1.0.0-rc.15",
+        "@rolldown/binding-darwin-arm64": "1.0.0-rc.15",
+        "@rolldown/binding-darwin-x64": "1.0.0-rc.15",
+        "@rolldown/binding-freebsd-x64": "1.0.0-rc.15",
+        "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.15",
+        "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.15",
+        "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.15",
+        "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.15",
+        "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.15",
+        "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.15",
+        "@rolldown/binding-linux-x64-musl": "1.0.0-rc.15",
+        "@rolldown/binding-openharmony-arm64": "1.0.0-rc.15",
+        "@rolldown/binding-wasm32-wasi": "1.0.0-rc.15",
+        "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.15",
+        "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.15"
       }
     },
     "node_modules/rolldown/node_modules/@rolldown/pluginutils": {
-      "version": "1.0.0-rc.12",
-      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.12.tgz",
-      "integrity": "sha512-HHMwmarRKvoFsJorqYlFeFRzXZqCt2ETQlEDOb9aqssrnVBB1/+xgTGtuTrIk5vzLNX1MjMtTf7W9z3tsSbrxw==",
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.15.tgz",
+      "integrity": "sha512-UromN0peaE53IaBRe9W7CjrZgXl90fqGpK+mIZbA3qSTeYqg3pqpROBdIPvOG3F5ereDHNwoHBI2e50n1BDr1g==",
       "dev": true,
       "license": "MIT"
     },
@@ -14163,14 +14166,14 @@
       }
     },
     "node_modules/side-channel-list": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz",
-      "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==",
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz",
+      "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "es-errors": "^1.3.0",
-        "object-inspect": "^1.13.3"
+        "object-inspect": "^1.13.4"
       },
       "engines": {
         "node": ">= 0.4"
@@ -15239,22 +15242,22 @@
       "license": "MIT"
     },
     "node_modules/tinyexec": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.4.tgz",
-      "integrity": "sha512-u9r3uZC0bdpGOXtlxUIdwf9pkmvhqJdrVCH9fapQtgy/OeTTMZ1nqH7agtvEfmGui6e1XxjcdrlxvxJvc3sMqw==",
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.1.1.tgz",
+      "integrity": "sha512-VKS/ZaQhhkKFMANmAOhhXVoIfBXblQxGX1myCQ2faQrfmobMftXeJPcZGp0gS07ocvGJWDLZGyOZDadDBqYIJg==",
       "license": "MIT",
       "engines": {
         "node": ">=18"
       }
     },
     "node_modules/tinyglobby": {
-      "version": "0.2.15",
-      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
-      "integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
+      "version": "0.2.16",
+      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.16.tgz",
+      "integrity": "sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==",
       "license": "MIT",
       "dependencies": {
         "fdir": "^6.5.0",
-        "picomatch": "^4.0.3"
+        "picomatch": "^4.0.4"
       },
       "engines": {
         "node": ">=12.0.0"
@@ -15589,9 +15592,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "7.18.2",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
-      "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==",
+      "version": "7.19.2",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.19.2.tgz",
+      "integrity": "sha512-qYVnV5OEm2AW8cJMCpdV20CDyaN3g0AjDlOGf1OW4iaDEx8MwdtChUp4zu4H0VP3nDRF/8RKWH+IPp9uW0YGZg==",
       "license": "MIT"
     },
     "node_modules/universalify": {
@@ -15743,16 +15746,16 @@
       "license": "MIT"
     },
     "node_modules/vite": {
-      "version": "8.0.3",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.3.tgz",
-      "integrity": "sha512-B9ifbFudT1TFhfltfaIPgjo9Z3mDynBTJSUYxTjOQruf/zHH+ezCQKcoqO+h7a9Pw9Nm/OtlXAiGT1axBgwqrQ==",
+      "version": "8.0.8",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.8.tgz",
+      "integrity": "sha512-dbU7/iLVa8KZALJyLOBOQ88nOXtNG8vxKuOT4I2mD+Ya70KPceF4IAmDsmU0h1Qsn5bPrvsY9HJstCRh3hG6Uw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "lightningcss": "^1.32.0",
         "picomatch": "^4.0.4",
         "postcss": "^8.5.8",
-        "rolldown": "1.0.0-rc.12",
+        "rolldown": "1.0.0-rc.15",
         "tinyglobby": "^0.2.15"
       },
       "bin": {
@@ -15770,7 +15773,7 @@
       "peerDependencies": {
         "@types/node": "^20.19.0 || >=22.12.0",
         "@vitejs/devtools": "^0.1.0",
-        "esbuild": "^0.27.0",
+        "esbuild": "^0.27.0 || ^0.28.0",
         "jiti": ">=1.21.0",
         "less": "^4.0.0",
         "sass": "^1.70.0",
diff --git a/web_src/fomantic/package-lock.json b/web_src/fomantic/package-lock.json
index 3e8b18f00e..18f0eaa586 100644
--- a/web_src/fomantic/package-lock.json
+++ b/web_src/fomantic/package-lock.json
@@ -496,12 +496,12 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "25.5.2",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.2.tgz",
-      "integrity": "sha512-tO4ZIRKNC+MDWV4qKVZe3Ql/woTnmHDr5JD8UI5hn2pwBrHEwOEMZK7WlNb5RKB6EoJ02gwmQS9OrjuFnZYdpg==",
+      "version": "25.6.0",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.6.0.tgz",
+      "integrity": "sha512-+qIYRKdNYJwY3vRCZMdJbPLJAtGjQBudzZzdzwQYkEPQd+PJGixUL5QfvCLDaULoLv+RhT3LDkwEfKaAkgSmNQ==",
       "license": "MIT",
       "dependencies": {
-        "undici-types": "~7.18.0"
+        "undici-types": "~7.19.0"
       }
     },
     "node_modules/@types/vinyl": {
@@ -1032,9 +1032,9 @@
       }
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.15",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.15.tgz",
-      "integrity": "sha512-1nfKCq9wuAZFTkA2ey/3OXXx7GzFjLdkTiFVNwlJ9WqdI706CZRIhEqjuwanjMIja+84jDLa9rcyZDPDiVkASQ==",
+      "version": "2.10.18",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.18.tgz",
+      "integrity": "sha512-VSnGQAOLtP5mib/DPyg2/t+Tlv65NTBz83BJBJvmLVHHuKJVaDOBvJJykiT5TR++em5nfAySPccDZDa4oSrn8A==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -1100,9 +1100,9 @@
       }
     },
     "node_modules/brace-expansion": {
-      "version": "1.1.13",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
-      "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0",
@@ -1208,14 +1208,14 @@
       }
     },
     "node_modules/call-bind": {
-      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.8.tgz",
-      "integrity": "sha512-oKlSFMcMwpUg2ednkhQ454wfWiU/ul3CkJe/PEHcTKuiX6RpbehUiFMXu13HalGZxfUwCQzZG747YXBn1im9ww==",
+      "version": "1.0.9",
+      "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.9.tgz",
+      "integrity": "sha512-a/hy+pNsFUTR+Iz8TCJvXudKVLAnz/DyeSUo10I5yvFDQJBFU2s9uqQpoSrJlroHUKoKqzg+epxyP9lqFdzfBQ==",
       "license": "MIT",
       "dependencies": {
-        "call-bind-apply-helpers": "^1.0.0",
-        "es-define-property": "^1.0.0",
-        "get-intrinsic": "^1.2.4",
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "get-intrinsic": "^1.3.0",
         "set-function-length": "^1.2.2"
       },
       "engines": {
@@ -1264,9 +1264,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001785",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001785.tgz",
-      "integrity": "sha512-blhOL/WNR+Km1RI/LCVAvA73xplXA7ZbjzI4YkMK9pa6T/P3F2GxjNpEkyw5repTw9IvkyrjyHpwjnhZ5FOvYQ==",
+      "version": "1.0.30001787",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001787.tgz",
+      "integrity": "sha512-mNcrMN9KeI68u7muanUpEejSLghOKlVhRqS/Za2IeyGllJ9I9otGpR9g3nsw7n4W378TE/LyIteA0+/FOZm4Kg==",
       "funding": [
         {
           "type": "opencollective",
@@ -1984,9 +1984,9 @@
       }
     },
     "node_modules/editorconfig/node_modules/brace-expansion": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
-      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
@@ -2020,9 +2020,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.331",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.331.tgz",
-      "integrity": "sha512-IbxXrsTlD3hRodkLnbxAPP4OuJYdWCeM3IOdT+CpcMoIwIoDfCmRpEtSPfwBXxVkg9xmBeY7Lz2Eo2TDn/HC3Q==",
+      "version": "1.5.335",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.335.tgz",
+      "integrity": "sha512-q9n5T4BR4Xwa2cwbrwcsDJtHD/enpQ5S1xF1IAtdqf5AAgqDFmR/aakqH3ChFdqd/QXJhS3rnnXFtexU7rax6Q==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -5047,9 +5047,9 @@
       }
     },
     "node_modules/js-beautify/node_modules/brace-expansion": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.3.tgz",
-      "integrity": "sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
@@ -6969,11 +6969,12 @@
       "license": "ISC"
     },
     "node_modules/resolve": {
-      "version": "1.22.11",
-      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz",
-      "integrity": "sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==",
+      "version": "1.22.12",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.12.tgz",
+      "integrity": "sha512-TyeJ1zif53BPfHootBGwPRYT1RUt6oGWsaQr8UyZW/eAm9bKoijtvruSDEmZHm92CwS9nj7/fWttqPCgzep8CA==",
       "license": "MIT",
       "dependencies": {
+        "es-errors": "^1.3.0",
         "is-core-module": "^2.16.1",
         "path-parse": "^1.0.7",
         "supports-preserve-symlinks-flag": "^1.0.0"
@@ -8262,9 +8263,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "7.18.2",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
-      "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==",
+      "version": "7.19.2",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.19.2.tgz",
+      "integrity": "sha512-qYVnV5OEm2AW8cJMCpdV20CDyaN3g0AjDlOGf1OW4iaDEx8MwdtChUp4zu4H0VP3nDRF/8RKWH+IPp9uW0YGZg==",
       "license": "MIT"
     },
     "node_modules/union-value": {

From 86898a7d0570205eeb751711426db2f1113ca659 Mon Sep 17 00:00:00 2001
From: Henry Catalini Smith <henry@catalinismith.se>
Date: Mon, 13 Apr 2026 15:06:10 +0200
Subject: [PATCH 112/287] Revert "Improve repo file list table semantics for
 screen readers (#11846)" (#12088)

Fixes https://codeberg.org/forgejo/forgejo/issues/12082 by reverting commit dd968f147d500920b80dbbf3fc0faf9034ca8ddd.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12088
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Henry Catalini Smith <henry@catalinismith.se>
Co-committed-by: Henry Catalini Smith <henry@catalinismith.se>
---
 options/locale_next/locale_en-US.json |  4 ----
 templates/repo/view_list.tmpl         | 18 ++++++------------
 tests/integration/repo_test.go        |  4 ++--
 web_src/css/repo.css                  |  2 +-
 4 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index c0c73ec860..33efb50b75 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -52,10 +52,6 @@
 	"relativetime.1week": "last week",
 	"relativetime.1month": "last month",
 	"relativetime.1year": "last year",
-	"repo.files.caption": "Repository files (latest commit first)",
-	"repo.files.filename": "Filename",
-	"repo.files.last_commit_message": "Latest commit message",
-	"repo.files.last_commit_date": "Latest commit date",
 	"repo.issues.filter_poster.hint": "Filter by the author",
 	"repo.issues.filter_assignee.hint": "Filter by assigned user",
 	"repo.issues.filter_reviewers.hint": "Filter by user who reviewed",
diff --git a/templates/repo/view_list.tmpl b/templates/repo/view_list.tmpl
index 75f53c1b5f..ffd8b1a515 100644
--- a/templates/repo/view_list.tmpl
+++ b/templates/repo/view_list.tmpl
@@ -1,23 +1,17 @@
 <table id="repo-files-table" class="ui single line table tw-mt-0" {{if .HasFilesWithoutLatestCommit}}hx-indicator="tr.notready td.message span" hx-trigger="load" hx-swap="morph" hx-post="{{.LastCommitLoaderURL}}"{{end}}>
-	<caption class="tw-sr-only">
-		{{ctx.Locale.Tr "repo.files.caption"}}
-	</caption>
-	<thead class="tw-sr-only">
-		<th>{{ctx.Locale.Tr "repo.files.filename"}}</th>
-		<th>{{ctx.Locale.Tr "repo.files.last_commit_message"}}</th>
-		<th>{{ctx.Locale.Tr "repo.files.last_commit_date"}}</th>
-	</thead>
-	<tbody>
+	<thead>
 		<tr class="commit-list">
-			<td class="tw-overflow-hidden" colspan="2">
+			<th class="tw-overflow-hidden" colspan="2">
 				<div class="tw-flex">
 					<div class="latest-commit">
 						{{template "repo/latest_commit" .}}
 					</div>
 				</div>
-			</td>
-			<td class="text grey right age">{{if .LatestCommit}}{{if .LatestCommit.Committer}}{{DateUtils.TimeSince .LatestCommit.Committer.When}}{{end}}{{end}}</td>
+			</th>
+			<th class="text grey right age">{{if .LatestCommit}}{{if .LatestCommit.Committer}}{{DateUtils.TimeSince .LatestCommit.Committer.When}}{{end}}{{end}}</th>
 		</tr>
+	</thead>
+	<tbody>
 		{{if .HasParentPath}}
 			<tr class="has-parent">
 				<td colspan="3"><a class="muted" href="{{.BranchLink}}{{if .ParentPath}}{{PathEscapeSegments .ParentPath}}{{end}}">{{svg "octicon-reply" 16 "tw-mr-2"}}..</a></td>
diff --git a/tests/integration/repo_test.go b/tests/integration/repo_test.go
index 2f189bf7a8..1b4a574f13 100644
--- a/tests/integration/repo_test.go
+++ b/tests/integration/repo_test.go
@@ -70,7 +70,7 @@ func testViewRepo(t *testing.T) {
 	resp := session.MakeRequest(t, req, http.StatusOK)
 
 	htmlDoc := NewHTMLParser(t, resp.Body)
-	files := htmlDoc.doc.Find("#repo-files-table > tbody > tr:not(.commit-list)")
+	files := htmlDoc.doc.Find("#repo-files-table  > TBODY > TR")
 
 	type file struct {
 		fileName   string
@@ -1039,7 +1039,7 @@ func TestRepoFilesList(t *testing.T) {
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		htmlDoc := NewHTMLParser(t, resp.Body)
-		filesList := htmlDoc.Find("#repo-files-table tbody tr:not(.commit-list)").Map(func(_ int, s *goquery.Selection) string {
+		filesList := htmlDoc.Find("#repo-files-table tbody tr").Map(func(_ int, s *goquery.Selection) string {
 			return s.AttrOr("data-entryname", "")
 		})
 
diff --git a/web_src/css/repo.css b/web_src/css/repo.css
index 66b1d5df71..00f159f33b 100644
--- a/web_src/css/repo.css
+++ b/web_src/css/repo.css
@@ -237,7 +237,7 @@ td .commit-summary {
   max-width: calc(calc(min(100vw, 1280px)) - 145px - calc(2 * var(--page-margin-x)));
 }
 
-.repo-files-table-latest-commit-row td {
+.repository.file.list #repo-files-table thead th {
   font-weight: var(--font-weight-normal);
 }
 

From a797a71dea127edd3d93d976131d21d93988c246 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Mon, 13 Apr 2026 18:26:53 +0200
Subject: [PATCH 113/287] fix: display code comments on removed lines-of-code
 to correct locations in PR view (#12092)

With the completion of #12015, when a comment is left on a changed line in a pull request, we track the comment against the line of code with `git blame` and then identify where it currently is in any diff with `git blame --reverse`.  However, this strategy only works for the *modified* lines of code -- eg. the `+...` in diffs, and not the `-...` in diffs.  The reason is that `git blame --reverse` can't track a line of code's location past the commit that it was removed in.

To permit comments that are left on lines of code that are removed to appear correctly in the UI, a separate approach is required for those comments.  This PR performs two major changes, which have been complex to figure out, but are reasonably easy to understand:

- When a comment is placed on a removed line in a PR, perform a `git blame --reverse` from the PR's base to the currently viewed commit, and use this information to record in the comment:
    - the **last commit that the line of code existed in** (stored in the `commit_sha` field)
    - the **line of code as of that commit** (stored in the `line` field, negative, to indicate that the comment is on a removal).
    - the **patch** where the comment was placed (stored in the field `patch`); existing functionality unchanged in this PR
- When viewing any diff in the PR, for each comment on a removal, perform a diff from the `commit_sha` (last commit that the line of code existed in) to the current commit being viewed, and verify that within that diff the left-hand-side line removal still exists at the same line of code in the diff, by comparing the current diff with the stored patch.
    - If present, place the commit in the UI at the line number.
    - If the line of code no longer exists in the diff at that point (for example, it was removed, commented upon, and then re-added in a later commit), then the comment is considered outdated and isn't displayed.

The algorithm used for marking a comment as "outdated" is also updated to use this approach.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12092
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 models/issues/comment.go                     |  43 ++-
 modules/git/diff.go                          |  71 +++++
 modules/git/diff_test.go                     | 212 ++++++++++++++
 services/mailer/incoming/incoming_handler.go |  22 +-
 services/pull/pull.go                        |   6 +-
 services/pull/review.go                      |  59 ++--
 tests/integration/api_pull_review_test.go    |   6 +-
 tests/integration/pull_review_test.go        | 282 ++++++++++++++++++-
 8 files changed, 656 insertions(+), 45 deletions(-)

diff --git a/models/issues/comment.go b/models/issues/comment.go
index 61d49cf7b6..b42cd8aa40 100644
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@@ -6,11 +6,14 @@
 package issues
 
 import (
+	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"html/template"
 	"slices"
 	"strconv"
+	"strings"
 	"unicode/utf8"
 
 	"forgejo.org/models/db"
@@ -771,9 +774,43 @@ func (c *Comment) ResolveCurrentLine(ctx context.Context, repo *repo_model.Repos
 		}
 		defer closer.Close()
 
-		reverseBlame, err := gitRepo.ReverseLineBlame(c.CommitSHA, c.TreePath, c.UnsignedLine(), currentHead)
-		if err != nil {
-			return "", fmt.Errorf("failed to perform `git blame --reverse` to resolve current line for comment (id=%d): %w", c.ID, err)
+		var reverseBlame *git.ReverseLineBlame
+		if c.Line > 0 {
+			var err error
+			reverseBlame, err = gitRepo.ReverseLineBlame(c.CommitSHA, c.TreePath, c.UnsignedLine(), currentHead)
+			if err != nil {
+				return "", fmt.Errorf("failed to perform `git blame --reverse` to resolve current line for comment (id=%d): %w", c.ID, err)
+			}
+		} else {
+			// For comments on removed lines, perform a `git diff` between the last commit that the line of code was
+			// known to exist (which is recorded as CommitSHA) and the requested head. Then inspect the diff to verify
+			// that the removed line of code is present in the diff.
+			buffer := bytes.Buffer{}
+			err := git.GetRepoRawDiffForFile(gitRepo, c.CommitSHA, currentHead, git.RawDiffNormal, c.TreePath, &buffer)
+			if err != nil {
+				return "", fmt.Errorf("failed to get diff: %w", err)
+			}
+
+			diff := buffer.String()
+			adjustedLine, err := git.FindAdjustedLineNumber(c.Patch, int64(c.UnsignedLine()), strings.NewReader(diff))
+			if err != nil && errors.Is(err, git.ErrLineNotFound) {
+				// Line not found in the diff. Don't treat this as an error, because that would break the caching --
+				// instead, return a blame where CommitID != headCommitID, which will be an indicator to callers (for
+				// both resolution methods) that the line of code is outdated in the diff.
+				reverseBlame = &git.ReverseLineBlame{
+					CommitID:   c.CommitSHA, // not currentHead
+					LineNumber: c.UnsignedLine(),
+					FilePath:   c.TreePath,
+				}
+			} else if err != nil {
+				return "", fmt.Errorf("failed in finding adjusted line number: %w", err)
+			} else {
+				reverseBlame = &git.ReverseLineBlame{
+					CommitID:   currentHead,
+					LineNumber: uint64(adjustedLine.Left),
+					FilePath:   c.TreePath,
+				}
+			}
 		}
 
 		data, err := json.Marshal(reverseBlame)
diff --git a/modules/git/diff.go b/modules/git/diff.go
index 507dc5b2f5..c954a933ba 100644
--- a/modules/git/diff.go
+++ b/modules/git/diff.go
@@ -7,6 +7,7 @@ import (
 	"bufio"
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -277,6 +278,76 @@ func CutDiffAroundLine(originalDiff io.Reader, line int64, old bool, numbersOfLi
 	return strings.Join(newHunk, "\n"), nil
 }
 
+var ErrLineNotFound = errors.New("line not found in diff")
+
+type LinePlacement struct {
+	Left  int64
+	Right int64
+}
+
+// Find the line of code where an old line of code from an old patch is, if present, in a new patch. Given a cutDiff
+// (from CutDiffAroundLine) and the line of code that it was cut from, and, given a single-file diff from the commit
+// where that patch came into a new head, this routine will read through the diff and identify the new line number. It
+// will only return successful if the line is exactly the same as the original line, but just placed in a new location
+// due to added or removed lines in the diff before the target line of code.
+func FindAdjustedLineNumber(cutDiff string, originalLine int64, fullDiff io.Reader) (LinePlacement, error) {
+	cutDiffSplit := strings.Split(cutDiff, "\n")
+	if len(cutDiffSplit) == 0 {
+		return LinePlacement{}, errors.New("cutDiff has no contents")
+	}
+	endOfCutDiff := cutDiffSplit[len(cutDiffSplit)-1]
+
+	scanner := bufio.NewScanner(fullDiff)
+	inHunk := false // used to skip header lines before the first hunk
+	leftLine := int64(-1)
+	rightLine := int64(-1)
+
+	for scanner.Scan() {
+		lineText := scanner.Text()
+		if strings.HasPrefix(lineText, "@@") {
+			// A map with named groups of our regex to recognize them later more easily
+			submatches := hunkRegex.FindStringSubmatch(lineText)
+			groups := make(map[string]string)
+			for i, name := range hunkRegex.SubexpNames() {
+				if i != 0 && name != "" {
+					groups[name] = submatches[i]
+				}
+			}
+			beginLeft, _ := strconv.ParseInt(groups["beginOld"], 10, 64)
+			beginRight, _ := strconv.ParseInt(groups["beginNew"], 10, 64)
+			leftLine = beginLeft
+			rightLine = beginRight
+			inHunk = true
+		} else if inHunk {
+			if leftLine == originalLine {
+				if lineText != endOfCutDiff {
+					return LinePlacement{}, fmt.Errorf(
+						"line was adjusted from index %d to %d, but contents changed from %q to %q: %w",
+						originalLine, leftLine, endOfCutDiff, lineText, ErrLineNotFound)
+				}
+				return LinePlacement{Left: leftLine, Right: rightLine}, nil
+			}
+			switch lineText[0] {
+			case '+':
+				rightLine++
+			case '-':
+				leftLine++
+			case '\\':
+				// Should be the end-of-file with "\ No newline at end of file" -- nothing to do here.
+				break
+			default:
+				rightLine++
+				leftLine++
+			}
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return LinePlacement{}, err
+	}
+
+	return LinePlacement{}, fmt.Errorf("line is no longer in diff: %w", ErrLineNotFound)
+}
+
 // GetAffectedFiles returns the affected files between two commits
 func GetAffectedFiles(repo *Repository, oldCommitID, newCommitID string, env []string) ([]string, error) {
 	objectFormat, err := repo.GetObjectFormat()
diff --git a/modules/git/diff_test.go b/modules/git/diff_test.go
index 34e0695fea..e4b7ce6ace 100644
--- a/modules/git/diff_test.go
+++ b/modules/git/diff_test.go
@@ -167,3 +167,215 @@ func TestParseDiffHunkString(t *testing.T) {
 	assert.Equal(t, 19, rightLine)
 	assert.Equal(t, 5, rightHunk)
 }
+
+func TestFindAdjustedLineNumber(t *testing.T) {
+	commentCutDiff := `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -47,7 +47,6 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50`
+
+	t.Run("no additional changes", func(t *testing.T) {
+		diff := `diff --git a/file1.md b/file1.md
+index 2d203fb..b21df3f 100644
+--- a/file1.md
++++ b/file1.md
+@@ -47,7 +47,6 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50
+ Line 51
+ Line 52
+ Line 53`
+		lineNumber, err := FindAdjustedLineNumber(commentCutDiff, 50, strings.NewReader(diff))
+		require.NoError(t, err)
+		assert.Equal(t, LinePlacement{Left: 50, Right: 50}, lineNumber)
+	})
+
+	t.Run("removed lines before location", func(t *testing.T) {
+		diff := `diff --git a/file1.md b/file1.md
+index 2d203fb..c85b903 100644
+--- a/file1.md
++++ b/file1.md
+@@ -1,13 +1,3 @@
+-Line 1
+-Line 2
+-Line 3
+-Line 4
+-Line 5
+-Line 6
+-Line 7
+-Line 8
+-Line 9
+-Line 10
+ Line 11
+ Line 12
+ Line 13
+@@ -47,7 +37,6 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50
+ Line 51
+ Line 52
+ Line 53`
+		lineNumber, err := FindAdjustedLineNumber(commentCutDiff, 50, strings.NewReader(diff))
+		require.NoError(t, err)
+		assert.Equal(t, LinePlacement{Left: 50, Right: 40}, lineNumber)
+	})
+
+	t.Run("added lines before location", func(t *testing.T) {
+		diff := `diff --git a/file1.md b/file1.md
+index 2d203fb..24b1aa6 100644
+--- a/file1.md
++++ b/file1.md
+@@ -8,6 +8,11 @@ Line 7
+ Line 8
+ Line 9
+ Line 10
++Line 10.1
++Line 10.2
++Line 10.3
++Line 10.4
++Line 10.5
+ Line 11
+ Line 12
+ Line 13
+@@ -47,7 +52,6 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50
+ Line 51
+ Line 52
+ Line 53`
+		lineNumber, err := FindAdjustedLineNumber(commentCutDiff, 50, strings.NewReader(diff))
+		require.NoError(t, err)
+		assert.Equal(t, LinePlacement{Left: 50, Right: 55}, lineNumber)
+	})
+
+	t.Run("added and removed in lines before location", func(t *testing.T) {
+		diff := `diff --git a/file1.md b/file1.md
+index 2d203fb..d0cb63f 100644
+--- a/file1.md
++++ b/file1.md
+@@ -5,9 +5,11 @@ Line 4
+ Line 5
+ Line 6
+ Line 7
+-Line 8
+-Line 9
+-Line 10
++Line 10.1
++Line 10.2
++Line 10.3
++Line 10.4
++Line 10.5
+ Line 11
+ Line 12
+ Line 13
+@@ -47,7 +49,6 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50
+ Line 51
+ Line 52
+ Line 53`
+		lineNumber, err := FindAdjustedLineNumber(commentCutDiff, 50, strings.NewReader(diff))
+		require.NoError(t, err)
+		assert.Equal(t, LinePlacement{Left: 50, Right: 52}, lineNumber)
+	})
+
+	t.Run("changes above in the same hunk", func(t *testing.T) {
+		diff := `diff --git a/file1.md b/file1.md
+index 2d203fb..f35a466 100644
+--- a/file1.md
++++ b/file1.md
+@@ -42,12 +42,6 @@ Line 41
+ Line 42
+ Line 43
+ Line 44
+-Line 45
+-Line 46
+-Line 47
+-Line 48
+-Line 49
+-Line 50
+ Line 51
+ Line 52
+ Line 53`
+		lineNumber, err := FindAdjustedLineNumber(commentCutDiff, 50, strings.NewReader(diff))
+		require.NoError(t, err)
+		assert.Equal(t, LinePlacement{Left: 50, Right: 45}, lineNumber)
+	})
+
+	t.Run("first line in diff", func(t *testing.T) {
+		commentCutDiff := `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -1,4 +1,3 @@
+-Line 1`
+		diff := `diff --git a/file1.md b/file1.md
+index 2d203fb..a490028 100644
+--- a/file1.md
++++ b/file1.md
+@@ -1,4 +1,3 @@
+-Line 1
+ Line 2
+ Line 3
+ Line 4`
+		lineNumber, err := FindAdjustedLineNumber(commentCutDiff, 1, strings.NewReader(diff))
+		require.NoError(t, err)
+		assert.Equal(t, LinePlacement{Left: 1, Right: 1}, lineNumber)
+	})
+
+	t.Run("adjusted line not found", func(t *testing.T) {
+		// "Line 50" is present here but it's no longer "-Line 50", so it should not be identified as present
+		diff := `diff --git a/file1.md b/file1.md
+index 2d203fb..09dd95a 100644
+--- a/file1.md
++++ b/file1.md
+@@ -42,10 +42,6 @@ Line 41
+ Line 42
+ Line 43
+ Line 44
+-Line 45
+-Line 46
+-Line 47
+-Line 48
+ Line 49
+ Line 50
+ Line 51`
+		_, err := FindAdjustedLineNumber(commentCutDiff, 50, strings.NewReader(diff))
+		require.ErrorIs(t, err, ErrLineNotFound)
+	})
+
+	t.Run("adjusted line hunk not present - not changed anymore", func(t *testing.T) {
+		diff := `diff --git a/file1.md b/file1.md
+index 2d203fb..d0cb63f 100644
+--- a/file1.md
++++ b/file1.md
+@@ -5,9 +5,11 @@ Line 4
+ Line 5
+ Line 6
+ Line 7
+-Line 8
+-Line 9
+-Line 10
++Line 10.1
++Line 10.2
++Line 10.3
++Line 10.4
++Line 10.5
+ Line 11
+ Line 12
+ Line 13`
+		_, err := FindAdjustedLineNumber(commentCutDiff, 50, strings.NewReader(diff))
+		require.ErrorIs(t, err, ErrLineNotFound)
+	})
+}
diff --git a/services/mailer/incoming/incoming_handler.go b/services/mailer/incoming/incoming_handler.go
index 7505148978..e2a2852b07 100644
--- a/services/mailer/incoming/incoming_handler.go
+++ b/services/mailer/incoming/incoming_handler.go
@@ -12,6 +12,7 @@ import (
 	access_model "forgejo.org/models/perm/access"
 	repo_model "forgejo.org/models/repo"
 	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/gitrepo"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/util"
@@ -124,7 +125,24 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 				return fmt.Errorf("CreateIssueComment failed: %w", err)
 			}
 		case issues_model.CommentTypeCode:
-			_, err := pull_service.CreateCodeComment(
+			err := issue.LoadRepo(ctx)
+			if err != nil {
+				return fmt.Errorf("LoadRepo failed: %w", err)
+			}
+			err = issue.LoadPullRequest(ctx)
+			if err != nil {
+				return fmt.Errorf("LoadPullRequest failed: %w", err)
+			}
+			repo, err := gitrepo.OpenRepository(ctx, issue.Repo)
+			defer repo.Close()
+			if err != nil {
+				return fmt.Errorf("OpenRepository failed: %w", err)
+			}
+			afterCommitID, err := repo.GetRefCommitID(issue.PullRequest.GetGitRefName())
+			if err != nil {
+				return fmt.Errorf("GetRefCommitID failed: %w", err)
+			}
+			_, err = pull_service.CreateCodeComment(
 				ctx,
 				doer,
 				nil,
@@ -134,7 +152,7 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 				comment.TreePath,
 				false, // not pending review but a single review
 				comment.ReviewID,
-				"",
+				afterCommitID,
 				attachmentIDs,
 			)
 			if err != nil {
diff --git a/services/pull/pull.go b/services/pull/pull.go
index 03b7ce531b..617d5d0806 100644
--- a/services/pull/pull.go
+++ b/services/pull/pull.go
@@ -263,14 +263,14 @@ func ChangeTargetBranch(ctx context.Context, pr *issues_model.PullRequest, doer
 	return nil
 }
 
-func checkForInvalidation(ctx context.Context, requests issues_model.PullRequestList, repoID int64, doer *user_model.User, branch, newCommitID string) error {
+func checkForInvalidation(ctx context.Context, requests issues_model.PullRequestList, repoID int64, doer *user_model.User, newCommitID string) error {
 	repo, err := repo_model.GetRepositoryByID(ctx, repoID)
 	if err != nil {
 		return fmt.Errorf("GetRepositoryByIDCtx: %w", err)
 	}
 	go func() {
 		// FIXME: graceful: We need to tell the manager we're doing something...
-		err := InvalidateCodeComments(ctx, requests, doer, repo, branch, newCommitID)
+		err := InvalidateCodeComments(ctx, requests, doer, repo, newCommitID)
 		if err != nil {
 			log.Error("PullRequestList.InvalidateCodeComments: %v", err)
 		}
@@ -335,7 +335,7 @@ func TestPullRequest(ctx context.Context, doer *user_model.User, repoID, olderTh
 		if err = requests.LoadAttributes(ctx); err != nil {
 			log.Error("PullRequestList.LoadAttributes: %v", err)
 		}
-		if invalidationErr := checkForInvalidation(ctx, requests, repoID, doer, branch, newCommitID); invalidationErr != nil {
+		if invalidationErr := checkForInvalidation(ctx, requests, repoID, doer, newCommitID); invalidationErr != nil {
 			log.Error("checkForInvalidation: %v", invalidationErr)
 		}
 		if err == nil {
diff --git a/services/pull/review.go b/services/pull/review.go
index 5500ce4582..9fc9862823 100644
--- a/services/pull/review.go
+++ b/services/pull/review.go
@@ -42,18 +42,7 @@ func (err ErrDismissRequestOnClosedPR) Unwrap() error {
 
 // checkInvalidation checks if the line of code comment got changed by another commit.
 // If the line got changed the comment is going to be invalidated.
-func checkInvalidation(ctx context.Context, c *issues_model.Comment, repo *repo_model.Repository, branch, newCommitID string) error {
-	if c.Line < 0 {
-		// Comment is on a removed line of code -- the `git blame --reverse` codepath doesn't work for this. Retain the
-		// originalbehaviour until a revision is done specific to removed lines:
-		gitRepo, closer, err := gitrepo.RepositoryFromContextOrOpen(ctx, repo)
-		if err != nil {
-			return fmt.Errorf("failed to open repo: %w", err)
-		}
-		defer closer.Close()
-		return obsoleteCheckInvalidation(ctx, c, gitRepo, branch)
-	}
-
+func checkInvalidation(ctx context.Context, c *issues_model.Comment, repo *repo_model.Repository, newCommitID string) error {
 	reverseBlame, err := c.ResolveCurrentLine(ctx, repo, newCommitID)
 	if err != nil {
 		log.Warn("ResolveCurrentLine failed: %s", err.Error())
@@ -64,25 +53,8 @@ func checkInvalidation(ctx context.Context, c *issues_model.Comment, repo *repo_
 	return nil
 }
 
-func obsoleteCheckInvalidation(ctx context.Context, c *issues_model.Comment, repo *git.Repository, branch string) error {
-	// FIXME differentiate between previous and proposed line
-	commit, _, err := repo.LineBlame(branch, c.TreePath, c.UnsignedLine())
-	if err != nil && (errors.Is(err, git.ErrBlameFileDoesNotExist) || errors.Is(err, git.ErrBlameFileNotEnoughLines)) {
-		c.Invalidated = true
-		return issues_model.UpdateCommentInvalidate(ctx, c)
-	}
-	if err != nil {
-		return err
-	}
-	if c.CommitSHA != "" && c.CommitSHA != commit.ID.String() {
-		c.Invalidated = true
-		return issues_model.UpdateCommentInvalidate(ctx, c)
-	}
-	return nil
-}
-
 // InvalidateCodeComments will lookup the prs for code comments which got invalidated by change
-func InvalidateCodeComments(ctx context.Context, prs issues_model.PullRequestList, doer *user_model.User, repo *repo_model.Repository, branch, newCommitID string) error {
+func InvalidateCodeComments(ctx context.Context, prs issues_model.PullRequestList, doer *user_model.User, repo *repo_model.Repository, newCommitID string) error {
 	if len(prs) == 0 {
 		return nil
 	}
@@ -98,7 +70,7 @@ func InvalidateCodeComments(ctx context.Context, prs issues_model.PullRequestLis
 		return fmt.Errorf("find code comments: %v", err)
 	}
 	for _, comment := range codeComments {
-		if err := checkInvalidation(ctx, comment, repo, branch, newCommitID); err != nil {
+		if err := checkInvalidation(ctx, comment, repo, newCommitID); err != nil {
 			return err
 		}
 	}
@@ -261,6 +233,31 @@ func CreateCodeCommentKnownReviewID(ctx context.Context, doer *user_model.User,
 		} else {
 			blamedCommitID = commitID
 		}
+	} else {
+		// Commenting on a line that was removed. In this case, what we want to track in the comment is which line of
+		// code was this, in the last commit that the line of code actually existed in. We'll use a reverse git blame to
+		// identify this, from the PR base -> commit being viewed.
+		blame, err := gitRepo.ReverseLineBlame(pr.MergeBase, treePath, uint64(-1*line), afterCommitID)
+		if err != nil {
+			return nil, fmt.Errorf("ReverseLineBlame[%s, %s, %d, %s]: %w", pr.MergeBase, treePath, -1*line, afterCommitID, err)
+		} else if blame.CommitID == afterCommitID {
+			// Although this is a comment on the "previous" side of the diff, the reverse blame indicates that the line
+			// of code still exists in the commit being viewed (eg. it was a comment on a white line in the left-side of
+			// the diff, not a red removed line). In order to record the right information for where to place this
+			// commit, we'll convert this into a right-hand comment -- using the present line number that the reverse
+			// blame gave us:
+			commit, lineres, err := gitRepo.LineBlame(afterCommitID, treePath, blame.LineNumber)
+			if err == nil {
+				blamedCommitID = commit.ID.String()
+				blamedLine = int64(lineres)
+			} else if !errors.Is(err, git.ErrBlameFileDoesNotExist) && !errors.Is(err, git.ErrBlameFileNotEnoughLines) {
+				return nil, fmt.Errorf("LineBlame[%s, %s, %s, %d]: %w", pr.GetGitRefName(), gitRepo.Path, treePath, line, err)
+			}
+		} else {
+			blamedCommitID = blame.CommitID
+			// retain negative line numbering to identify we're commenting on the "previous" side of the diff
+			blamedLine = -1 * int64(blame.LineNumber)
+		}
 	}
 
 	// Only fetch diff if comment is review comment
diff --git a/tests/integration/api_pull_review_test.go b/tests/integration/api_pull_review_test.go
index 5ff8bd4adf..0ec229f554 100644
--- a/tests/integration/api_pull_review_test.go
+++ b/tests/integration/api_pull_review_test.go
@@ -112,8 +112,10 @@ func TestAPIPullReviewCreateDeleteComment(t *testing.T) {
 				DecodeJSON(t, resp, &reviewComment)
 				assert.Equal(t, review.ID, reviewComment.ReviewID)
 				assert.Equal(t, newCommentBody, reviewComment.Body)
-				assert.EqualValues(t, reviewLine, reviewComment.OldLineNum)
-				assert.EqualValues(t, 0, reviewComment.LineNum)
+				// we sent OldLineNum: 1, but that line of code isn't modified in this PR, triggering the PR's logic
+				// which standardizes comments on non-modified lines of code to be on the right-hand-side of the diff:
+				assert.EqualValues(t, 0, reviewComment.OldLineNum)
+				assert.EqualValues(t, reviewLine, reviewComment.LineNum)
 				assert.Equal(t, path, reviewComment.Path)
 			}
 
diff --git a/tests/integration/pull_review_test.go b/tests/integration/pull_review_test.go
index 262733f72b..b91fdab6d4 100644
--- a/tests/integration/pull_review_test.go
+++ b/tests/integration/pull_review_test.go
@@ -1471,6 +1471,265 @@ func TestPullRequestCommentPlacement(t *testing.T) {
 			tester.assertFilesChangedDiff(diff10)
 			tester.assertCommitDiff(commit2, diff10)
 		})
+
+		t.Run("comment on removed line", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Remove line 50, place a comment on the removed line.
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "", 1)
+			commit := tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			comment := tester.commentOnPreviousFromFilesChanged("file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -47,7 +47,6 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50`, comment.PatchQuoted)
+			assert.Equal(t, "previous", comment.DiffSide())
+			assert.EqualValues(t, -50, comment.Line)
+			assert.Equal(t, tester.initialSHA, comment.CommitSHA) // tracked back to the previous commit where it was line num 50
+
+			diff50 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff50)
+			tester.assertCommitDiff(commit, diff50)
+		})
+
+		t.Run("comment on removed line moves due to a following commit", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Remove line 50, place a comment on the removed line.
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			comment := tester.commentOnPreviousFromFilesChanged("file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -47,7 +47,6 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50`, comment.PatchQuoted)
+			assert.Equal(t, "previous", comment.DiffSide())
+			assert.EqualValues(t, -50, comment.Line)
+			assert.Equal(t, tester.initialSHA, comment.CommitSHA) // tracked back to the previous commit where it was line num 50
+
+			// Add a second commit to the PR which removes "Line 1" - "Line 10".
+			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
+			commit2 := tester.changeFile("file1.md", content)
+
+			diff2 := []diffTableRow{
+				{rowType: RowDelCode, code: "Line 9"},
+				{rowType: RowDelCode, code: "Line 10"},
+				{rowType: RowHasCode, code: "Line 11"},
+			}
+			tester.assertFilesChangedDiff(diff2, "checking commit2 contents in full PR diff")
+			tester.assertCommitDiff(commit2, diff2, "checking commit2 contents in single-commit diff")
+
+			diff1 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff1, "checking commit1 contents in full PR diff")
+			tester.assertCommitDiff(commit1, diff1, "checking commit1 contents in single-commit diff")
+
+			// This comment can still be located in the diff, so it should not be marked as Invalidated/Outdated --
+			// which is kinda guaranteed by it being loaded in the diff, but for test sanity assert specifically.
+			commentReloaded := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: comment.ID})
+			assert.False(t, commentReloaded.Invalidated)
+		})
+
+		t.Run("comment on previous side line unchanged by PR appears", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Change line 50
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "Line 50--modified\n", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
+			tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			// While viewing the PR, the reviewer made a comment on the previous side on a line of code that wasn't
+			// actually changed in the PR:
+			comment := tester.commentOnPreviousFromFilesChanged("file1.md", 49)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -47,7 +37,7 @@ Line 46
+ Line 47
+ Line 48
+ Line 49`, comment.PatchQuoted)
+			assert.Equal(t, "proposed", comment.DiffSide()) // will be moved from previous(LHS)->proposed(RHS) because it wasn't a comment on a change in the PR
+			assert.EqualValues(t, 49, comment.Line)
+			assert.Equal(t, tester.initialSHA, comment.CommitSHA)
+
+			diff := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowAddCode, code: "Line 50--modified"},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff, "checking commit1 contents in full PR diff")
+			tester.assertCommitDiff(commit1, diff, "checking commit1 contents in single-commit diff")
+		})
+
+		t.Run("comment on first line of file removed", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Remove the first line of the file which will then be commented on, as an edge-case
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 1\n", "", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			comment := tester.commentOnPreviousFromSpecificCommit(commit1, "file1.md", 1)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -1,4 +1,3 @@
+-Line 1`, comment.PatchQuoted)
+			assert.Equal(t, "previous", comment.DiffSide())
+			assert.EqualValues(t, -1, comment.Line)
+			assert.Equal(t, tester.initialSHA, comment.CommitSHA)
+
+			diff := []diffTableRow{
+				{rowType: RowDelCode, code: "Line 1"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 2"},
+			}
+			tester.assertFilesChangedDiff(diff, "checking commit1 contents in full PR diff")
+			tester.assertCommitDiff(commit1, diff, "checking commit1 contents in single-commit diff")
+		})
+
+		t.Run("comment on removed line moves due to a following commit, following commit is rewritten and force-push'd", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Modify line 50
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "Line 50--modified\n", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			// Place a comment on "Line 50" (removed side)
+			comment := tester.commentOnPreviousFromFilesChanged("file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -47,7 +47,7 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50`, comment.PatchQuoted)
+			assert.Equal(t, "previous", comment.DiffSide())
+			assert.EqualValues(t, -50, comment.Line)
+			assert.Equal(t, tester.initialSHA, comment.CommitSHA)
+			assert.False(t, comment.Invalidated)
+
+			// Add a second commit to the PR which removes  "Line 1" - "Line 10".
+			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
+			tester.changeFile("file1.md", content)
+
+			// Now amend commit2v1 with an additional change, causing a force push of the branch
+			tester.withBranchCheckout(func(repoPath string) {
+				content = strings.Replace(content, "Line 11\n", "", 1) // Remove Line 11 as well
+				require.NoError(t, os.WriteFile(path.Join(repoPath, "file1.md"), []byte(content), 0o644))
+				require.NoError(t, git.NewCommand(t.Context(), "commit", "-a", "--amend", "--no-edit").Run(&git.RunOpts{Dir: repoPath}))
+				require.NoError(t, git.NewCommand(t.Context(), "push", "--force").Run(&git.RunOpts{Dir: repoPath}))
+			})
+
+			diff2 := []diffTableRow{
+				{rowType: RowDelCode, code: "Line 10"},
+				{rowType: RowDelCode, code: "Line 11"},
+				{rowType: RowHasCode, code: "Line 12"},
+			}
+			tester.assertFilesChangedDiff(diff2, "checking commit2 (force push) contents in full PR diff")
+
+			diff1 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowAddCode, code: "Line 50--modified"},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff1, "checking commit1 contents in full PR diff")
+			tester.assertCommitDiff(commit1, diff1, "checking commit1 contents in single-commit diff")
+
+			// This comment can still be located in the diff, so it should not be marked as Invalidated/Outdated --
+			// which is kinda guaranteed by it being loaded in the diff, but for test sanity assert specifically.
+			commentReloaded := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: comment.ID})
+			assert.False(t, commentReloaded.Invalidated)
+		})
+
+		t.Run("comment on removed line invalidated due to force push", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// Modify line 50
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "", 1)
+			tester.changeFile("file1.md", content)
+			tester.createPR()
+
+			// Place a comment on "Line 50" (removed side)
+			comment := tester.commentOnPreviousFromFilesChanged("file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -47,7 +47,6 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50`, comment.PatchQuoted)
+			assert.Equal(t, "previous", comment.DiffSide())
+			assert.EqualValues(t, -50, comment.Line)
+			assert.Equal(t, tester.initialSHA, comment.CommitSHA)
+			assert.False(t, comment.Invalidated)
+
+			// Now amend commit1 with an additional change that undoes the earlier change, changes something else instead
+			tester.withBranchCheckout(func(repoPath string) {
+				content = strings.Replace(content, "Line 49\n", "Line 49\nLine 50\n", 1)
+				content = strings.Replace(content, "Line 52\n", "", 1)
+				require.NoError(t, os.WriteFile(path.Join(repoPath, "file1.md"), []byte(content), 0o644))
+				require.NoError(t, git.NewCommand(t.Context(), "commit", "-a", "--amend", "--no-edit").Run(&git.RunOpts{Dir: repoPath}))
+				require.NoError(t, git.NewCommand(t.Context(), "push", "--force").Run(&git.RunOpts{Dir: repoPath}))
+			})
+
+			diff := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowHasCode, code: "Line 50"},
+				{rowType: RowHasCode, code: "Line 51"},
+				{rowType: RowDelCode, code: "Line 52"},
+				{rowType: RowHasCode, code: "Line 53"},
+			}
+			tester.assertFilesChangedDiff(diff, "checking commit2 (force push) contents in full PR diff")
+
+			// The comment on "Line 50" can't be valid anymore since that's not in the diff:
+			assert.EventuallyWithT(t, func(t *assert.CollectT) {
+				commentReloaded := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: comment.ID})
+				assert.True(t, commentReloaded.Invalidated)
+			}, 1*time.Second, 50*time.Millisecond)
+		})
 	})
 }
 
@@ -1592,17 +1851,32 @@ func (tester *PullRequestCommentPlacementTester) commentFromFilesChanged(filenam
 		// omit after_commit_id -- new_comment form defaults to fetching the PR head
 		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index))
 	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
-	return tester.commentFromNewCommentForm(resp, filename, line)
+	return tester.commentFromNewCommentForm(resp, filename, line, "proposed")
+}
+
+func (tester *PullRequestCommentPlacementTester) commentOnPreviousFromFilesChanged(filename string, line int) *issues_model.Comment {
+	req := NewRequest(tester.t, "GET",
+		// omit after_commit_id -- new_comment form defaults to fetching the PR head
+		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index))
+	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
+	return tester.commentFromNewCommentForm(resp, filename, line, "previous")
 }
 
 func (tester *PullRequestCommentPlacementTester) commentFromSpecificCommit(commitID, filename string, line int) *issues_model.Comment {
 	req := NewRequest(tester.t, "GET",
 		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment?after_commit_id=%s", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, commitID))
 	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
-	return tester.commentFromNewCommentForm(resp, filename, line)
+	return tester.commentFromNewCommentForm(resp, filename, line, "proposed")
 }
 
-func (tester *PullRequestCommentPlacementTester) commentFromNewCommentForm(resp *httptest.ResponseRecorder, filename string, line int) *issues_model.Comment {
+func (tester *PullRequestCommentPlacementTester) commentOnPreviousFromSpecificCommit(commitID, filename string, line int) *issues_model.Comment {
+	req := NewRequest(tester.t, "GET",
+		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment?after_commit_id=%s", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, commitID))
+	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
+	return tester.commentFromNewCommentForm(resp, filename, line, "previous")
+}
+
+func (tester *PullRequestCommentPlacementTester) commentFromNewCommentForm(resp *httptest.ResponseRecorder, filename string, line int, side string) *issues_model.Comment {
 	commentContent := uuid.New().String()
 	doc := NewHTMLParser(tester.t, resp.Body)
 	req := NewRequestWithValues(tester.t, "POST",
@@ -1610,7 +1884,7 @@ func (tester *PullRequestCommentPlacementTester) commentFromNewCommentForm(resp
 		map[string]string{
 			"origin":           doc.GetInputValueByName("origin"),
 			"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
-			"side":             "proposed", // "proposed" (RHS) or "previous" (LHS)
+			"side":             side, // "proposed" (RHS) or "previous" (LHS)
 			"line":             strconv.Itoa(line),
 			"path":             filename,
 			"diff_start_cid":   doc.GetInputValueByName("diff_start_cid"),

From 5f432e32c854b8c8da92cc9c791d5fba1113f864 Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Mon, 13 Apr 2026 22:05:29 +0200
Subject: [PATCH 114/287] chore(federation): re-enable nilnil lint (#11253)

First round of patches to re-enable some lints from my side.

This PR also refactors the general key fetching code quite a bit due to the way it currently worked
with relying on some values being nil sometimes.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11253
Reviewed-by: elle <0xllx0@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: famfo <famfo@famfo.xyz>
Co-committed-by: famfo <famfo@famfo.xyz>
---
 .deadcode-out                                 |   1 -
 .golangci.yml                                 |   9 -
 models/forgefed/error.go                      |  22 ++
 models/forgefed/federationhost_repository.go  |  18 +-
 models/user/error.go                          |  13 +
 models/user/user_repository.go                |  14 +-
 modules/forgefed/actor_person.go              |   9 +-
 modules/forgefed/actor_person_test.go         |  42 +++
 routers/api/v1/activitypub/reqsignature.go    |  10 +-
 services/federation/error.go                  |   8 +
 services/federation/federation_service.go     | 100 ++++---
 services/federation/person_inbox_create.go    |   6 +-
 services/federation/person_inbox_undo.go      |  30 +--
 services/federation/signature_service.go      | 252 +++++++-----------
 .../integration/api_activitypub_actor_test.go |  30 ---
 .../api_federation_httpsig_test.go            |  32 +--
 16 files changed, 291 insertions(+), 305 deletions(-)
 create mode 100644 models/forgefed/error.go

diff --git a/.deadcode-out b/.deadcode-out
index a42b499a9f..b70be3e800 100644
--- a/.deadcode-out
+++ b/.deadcode-out
@@ -58,7 +58,6 @@ forgejo.org/models/user
 	IsErrUserSettingIsNotExist
 	GetUserAllSettings
 	DeleteUserSetting
-	GetFederatedUser
 
 forgejo.org/modules/activitypub
 	NewContext
diff --git a/.golangci.yml b/.golangci.yml
index fea9195be2..b16bb8beb2 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -224,9 +224,6 @@ linters:
       - path: models/dbfs/dbfile.go
         linters:
           - nilnil
-      - path: models/forgefed/federationhost_repository.go
-        linters:
-          - nilnil
       - path: models/forgejo_migrations_legacy/v32.go
         linters:
           - nilnil
@@ -284,9 +281,6 @@ linters:
       - path: models/repo/repo.go
         linters:
           - nilnil
-      - path: models/user/user_repository.go
-        linters:
-          - nilnil
       - path: modules/git/commit.go
         linters:
           - nilnil
@@ -380,9 +374,6 @@ linters:
       - path: routers/api/packages/conan/auth.go
         linters:
           - nilnil
-      - path: services/federation/signature_service.go
-        linters:
-          - nilnil
       - path: services/issue/commit.go
         linters:
           - nilnil
diff --git a/models/forgefed/error.go b/models/forgefed/error.go
new file mode 100644
index 0000000000..f8b5ef852e
--- /dev/null
+++ b/models/forgefed/error.go
@@ -0,0 +1,22 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package forgefed
+
+import (
+	"fmt"
+)
+
+type ErrFederationHostNotFound struct {
+	SearchKey   string
+	SearchValue string
+}
+
+func (err ErrFederationHostNotFound) Error() string {
+	return fmt.Sprintf("ErrFederationHostNotFound: search key: %s, search value: %s", err.SearchKey, err.SearchValue)
+}
+
+func IsErrFederationHostNotFound(err error) bool {
+	_, ok := err.(ErrFederationHostNotFound)
+	return ok
+}
diff --git a/models/forgefed/federationhost_repository.go b/models/forgefed/federationhost_repository.go
index c889c1140b..0b3329313e 100644
--- a/models/forgefed/federationhost_repository.go
+++ b/models/forgefed/federationhost_repository.go
@@ -57,13 +57,13 @@ func GetFederationHost(ctx context.Context, ID int64) (*FederationHost, error) {
 	return host, nil
 }
 
-func findFederationHostFromDB(ctx context.Context, searchKey, searchValue string) (*FederationHost, error) {
+func findFederationHostFromDB(ctx context.Context, searchKey string, searchValue ...any) (*FederationHost, error) {
 	host := new(FederationHost)
-	has, err := db.GetEngine(ctx).Where(searchKey, searchValue).Get(host)
+	has, err := db.GetEngine(ctx).Where(searchKey, searchValue...).Get(host)
 	if err != nil {
 		return nil, err
 	} else if !has {
-		return nil, nil
+		return nil, ErrFederationHostNotFound{SearchKey: searchKey, SearchValue: fmt.Sprintf("%v", searchValue)}
 	}
 	if res, err := validation.IsValid(host); !res {
 		return nil, err
@@ -72,17 +72,7 @@ func findFederationHostFromDB(ctx context.Context, searchKey, searchValue string
 }
 
 func FindFederationHostByFqdnAndPort(ctx context.Context, fqdn string, port uint16) (*FederationHost, error) {
-	host := new(FederationHost)
-	has, err := db.GetEngine(ctx).Where("host_fqdn=? AND host_port=?", fqdn, port).Get(host)
-	if err != nil {
-		return nil, err
-	} else if !has {
-		return nil, nil
-	}
-	if res, err := validation.IsValid(host); !res {
-		return nil, err
-	}
-	return host, nil
+	return findFederationHostFromDB(ctx, "host_fqdn=? AND host_port=?", fqdn, port)
 }
 
 func FindFederationHostByKeyID(ctx context.Context, keyID string) (*FederationHost, error) {
diff --git a/models/user/error.go b/models/user/error.go
index 264b3fdcd2..7f23758768 100644
--- a/models/user/error.go
+++ b/models/user/error.go
@@ -105,3 +105,16 @@ func IsErrUserIsNotLocal(err error) bool {
 	_, ok := err.(ErrUserIsNotLocal)
 	return ok
 }
+
+type ErrFederatedUserNotExists struct {
+	Identifier string
+}
+
+func (err ErrFederatedUserNotExists) Error() string {
+	return fmt.Sprintf("No cached federated user found for identifier %s", err.Identifier)
+}
+
+func IsErrFederatedUserNotExists(err error) bool {
+	_, ok := err.(ErrFederatedUserNotExists)
+	return ok
+}
diff --git a/models/user/user_repository.go b/models/user/user_repository.go
index 1ec0906e4b..506d1cfb15 100644
--- a/models/user/user_repository.go
+++ b/models/user/user_repository.go
@@ -65,7 +65,7 @@ func FindFederatedUser(ctx context.Context, externalID string, federationHostID
 	if err != nil {
 		return nil, nil, err
 	} else if !has {
-		return nil, nil, nil
+		return nil, nil, ErrFederatedUserNotExists{Identifier: externalID}
 	}
 	has, err = db.GetEngine(ctx).ID(federatedUser.UserID).Get(user)
 	if err != nil {
@@ -134,16 +134,6 @@ func FindFederatedUsersByHostID(ctx context.Context, federationHostID int64, opt
 	return users, nil
 }
 
-func GetFederatedUser(ctx context.Context, externalID string, federationHostID int64) (*User, *FederatedUser, error) {
-	user, federatedUser, err := FindFederatedUser(ctx, externalID, federationHostID)
-	if err != nil {
-		return nil, nil, err
-	} else if federatedUser == nil {
-		return nil, nil, fmt.Errorf("FederatedUser not found (given externalId: %v, federationHostId: %v)", externalID, federationHostID)
-	}
-	return user, federatedUser, nil
-}
-
 func GetFederatedUserByUserID(ctx context.Context, userID int64) (*User, *FederatedUser, error) {
 	federatedUser := new(FederatedUser)
 	user := new(User)
@@ -177,7 +167,7 @@ func FindFederatedUserByKeyID(ctx context.Context, keyID string) (*User, *Federa
 	if err != nil {
 		return nil, nil, err
 	} else if !has {
-		return nil, nil, nil
+		return nil, nil, ErrFederatedUserNotExists{Identifier: keyID}
 	}
 	has, err = db.GetEngine(ctx).ID(federatedUser.UserID).Get(user)
 	if err != nil {
diff --git a/modules/forgefed/actor_person.go b/modules/forgefed/actor_person.go
index cde2dea9ce..aee7d3c37f 100644
--- a/modules/forgefed/actor_person.go
+++ b/modules/forgefed/actor_person.go
@@ -20,6 +20,8 @@ type PersonID struct {
 const (
 	personIDapiPathV1       = "api/v1/activitypub/user-id"
 	personIDapiPathV1Latest = "api/activitypub/user-id"
+	actorIDapiPathV1        = "api/v1/activitypub"
+	actorIDapiPathLatest    = "api/activitypub"
 )
 
 // Factory function for PersonID. Created struct is asserted to be valid
@@ -88,8 +90,11 @@ func (id PersonID) Validate() []string {
 	result = append(result, validation.ValidateOneOf(id.Source, []any{"forgejo", "gitea", "mastodon", "gotosocial"}, "Source")...)
 	if id.Source == "forgejo" {
 		result = append(result, validation.ValidateNotEmpty(id.Path, "path")...)
-		if strings.ToLower(id.Path) != personIDapiPathV1 && strings.ToLower(id.Path) != personIDapiPathV1Latest {
-			result = append(result, fmt.Sprintf("path: %q has to be a person specific api path", id.Path))
+		lowerPath := strings.ToLower(id.Path)
+		if lowerPath != personIDapiPathV1 && lowerPath != personIDapiPathV1Latest {
+			if lowerPath != actorIDapiPathV1 && lowerPath != actorIDapiPathLatest || id.ID != "actor" {
+				result = append(result, fmt.Sprintf("path: %q has to be a person specific api path", id.Path))
+			}
 		}
 	}
 
diff --git a/modules/forgefed/actor_person_test.go b/modules/forgefed/actor_person_test.go
index f673aabba1..72ff976688 100644
--- a/modules/forgefed/actor_person_test.go
+++ b/modules/forgefed/actor_person_test.go
@@ -159,6 +159,48 @@ func TestPersonIdValidation(t *testing.T) {
 	result, err = validation.IsValid(sut)
 	assert.False(t, result)
 	require.EqualError(t, err, "Validation Error: forgefed.PersonID: Field Source contains the value forgejox, which is not in allowed subset [forgejo gitea mastodon gotosocial]")
+
+	sut = forgefed.PersonID{}
+	sut.ID = "actor"
+	sut.Source = "forgejo"
+	sut.HostSchema = "https"
+	sut.Path = "api/v1/activitypub"
+	sut.Host = "example.com"
+	sut.HostPort = 443
+	sut.IsPortSupplemented = true
+	sut.UnvalidatedInput = "https://example.com/api/v1/activitypub/actor"
+
+	result, err = validation.IsValid(sut)
+	assert.True(t, result)
+	require.NoError(t, err)
+
+	sut = forgefed.PersonID{}
+	sut.ID = "actor"
+	sut.Source = "forgejo"
+	sut.HostSchema = "https"
+	sut.Path = "api/activitypub"
+	sut.Host = "example.com"
+	sut.HostPort = 443
+	sut.IsPortSupplemented = true
+	sut.UnvalidatedInput = "https://example.com/api/activitypub/actor"
+
+	result, err = validation.IsValid(sut)
+	assert.True(t, result)
+	require.NoError(t, err)
+
+	sut = forgefed.PersonID{}
+	sut.ID = "1"
+	sut.Source = "forgejo"
+	sut.HostSchema = "https"
+	sut.Path = "api/v1/activitypub"
+	sut.Host = "example.com"
+	sut.HostPort = 443
+	sut.IsPortSupplemented = true
+	sut.UnvalidatedInput = "https://example.com/api/v1/activitypub/1"
+
+	result, err = validation.IsValid(sut)
+	assert.False(t, result)
+	require.EqualError(t, err, "Validation Error: forgefed.PersonID: path: \"api/v1/activitypub\" has to be a person specific api path")
 }
 
 func TestWebfingerId(t *testing.T) {
diff --git a/routers/api/v1/activitypub/reqsignature.go b/routers/api/v1/activitypub/reqsignature.go
index 2c17d953d0..100378b5f1 100644
--- a/routers/api/v1/activitypub/reqsignature.go
+++ b/routers/api/v1/activitypub/reqsignature.go
@@ -30,13 +30,9 @@ func verifyHTTPSignature(ctx app_context.APIContext) (authenticated bool, err er
 
 	log.Debug("Verify %q, signed by KeyId: %v", r.URL.Path, v.KeyId())
 	signatureAlgorithm := httpsig.Algorithm(setting.Federation.SignatureAlgorithms[0])
-	pubKey, err := federation.FindOrCreateFederatedUserKey(ctx, v.KeyId())
-	if err != nil || pubKey == nil {
-		pubKey, err = federation.FindOrCreateFederationHostKey(ctx, v.KeyId())
-		if err != nil {
-			log.Debug("For %q verification failed: %v", r.URL.Path, err)
-			return false, err
-		}
+	pubKey, err := federation.FindOrCreateActorKey(ctx, v.KeyId())
+	if err != nil {
+		return false, err
 	}
 
 	err = v.Verify(pubKey, signatureAlgorithm)
diff --git a/services/federation/error.go b/services/federation/error.go
index 425035d0d5..7ba954dab6 100644
--- a/services/federation/error.go
+++ b/services/federation/error.go
@@ -42,3 +42,11 @@ func HTTPStatus(err error) int {
 		return http.StatusInternalServerError
 	}
 }
+
+type ErrKeyNotFound struct {
+	KeyID string
+}
+
+func (err ErrKeyNotFound) Error() string {
+	return fmt.Sprintf("No key found for key ID: %s", err.KeyID)
+}
diff --git a/services/federation/federation_service.go b/services/federation/federation_service.go
index 04cc4e878a..0b023791ea 100644
--- a/services/federation/federation_service.go
+++ b/services/federation/federation_service.go
@@ -33,80 +33,92 @@ func FindOrCreateFederationHost(ctx context.Context, actorURI string) (*forgefed
 	if err != nil {
 		return nil, err
 	}
+
 	federationHost, err := forgefed.FindFederationHostByFqdnAndPort(ctx, rawActorID.Host, rawActorID.HostPort)
 	if err != nil {
-		return nil, err
-	}
-	if federationHost == nil {
-		result, err := createFederationHostFromAP(ctx, rawActorID)
-		if err != nil {
+		if !forgefed.IsErrFederationHostNotFound(err) {
 			return nil, err
 		}
-		federationHost = result
+
+		federationHost, err = createFederationHostFromAP(ctx, rawActorID)
 	}
-	return federationHost, nil
+
+	return federationHost, err
 }
 
 func FindOrCreateFederatedUser(ctx context.Context, actorURI string) (*user_model.User, *user_model.FederatedUser, *forgefed.FederationHost, error) {
-	user, federatedUser, federationHost, err := findFederatedUser(ctx, actorURI)
+	federationHost, personID, err := findFederationHost(ctx, actorURI)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 
-	personID, err := fm.NewPersonID(actorURI, string(federationHost.NodeInfo.SoftwareName))
+	user, federatedUser, err := findFederatedUser(ctx, actorURI)
+	if err == nil {
+		log.Trace("Found local user: %v", user.Name)
+		return user, federatedUser, federationHost, nil
+	}
+
+	if !user_model.IsErrFederatedUserNotExists(err) {
+		return nil, nil, nil, err
+	}
+
+	// Fetch the remote user
+	apUser, apFederatedUser, err := fetchUserFromAP(ctx, *personID, federationHost)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 
-	if user != nil {
-		log.Trace("Local ActivityPub user found (actorURI: %#v, user: %v)", actorURI, user.Name)
-	} else {
-		log.Trace("Attempting to create new user and federatedUser for actorURI: %#v", actorURI)
-		apUser, apFederatedUser, err := fetchUserFromAP(ctx, personID, federationHost)
-		if err != nil {
-			return nil, nil, nil, err
-		}
-
-		user, federatedUser, federationHost, err = findFederatedUser(ctx, apFederatedUser.NormalizedOriginalURL)
-		if err != nil {
-			return nil, nil, nil, err
-		}
-
-		if user != nil {
-			log.Trace("Resolved alias %s to %s", actorURI, apFederatedUser.NormalizedOriginalURL)
-		} else {
-			user = apUser
-			federatedUser = apFederatedUser
-
-			err := user_model.CreateFederatedUser(ctx, user, federatedUser)
-			if err != nil {
-				return nil, nil, nil, err
-			}
-
-			log.Trace("Created user %s with federatedUser %s from distant server", user.LogString(), federatedUser.LogString())
-		}
+	// User is an alias, for example in newer Mastodon versions
+	// - example.com/@example
+	// - example.com/users/example
+	// have the ID
+	// - example.com/ap/users/<id>
+	user, federatedUser, err = findFederatedUser(ctx, apFederatedUser.NormalizedOriginalURL)
+	if err == nil {
+		log.Trace("Resolved alias %s to %s", actorURI, apFederatedUser.NormalizedOriginalURL)
+		return user, federatedUser, federationHost, nil
 	}
-	log.Trace("Got user: %v", user.Name)
 
-	return user, federatedUser, federationHost, nil
+	err = user_model.CreateFederatedUser(ctx, apUser, apFederatedUser)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	log.Trace("Created user %s with federatedUser %s from distant server", user.LogString(), federatedUser.LogString())
+	return apUser, apFederatedUser, federationHost, nil
 }
 
-func findFederatedUser(ctx context.Context, actorURI string) (*user_model.User, *user_model.FederatedUser, *forgefed.FederationHost, error) {
+func findFederationHost(ctx context.Context, actorURI string) (*forgefed.FederationHost, *fm.PersonID, error) {
 	federationHost, err := FindOrCreateFederationHost(ctx, actorURI)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
+
 	actorID, err := fm.NewPersonID(actorURI, string(federationHost.NodeInfo.SoftwareName))
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
 
-	user, federatedUser, err := user_model.FindFederatedUser(ctx, actorID.ID, federationHost.ID)
+	return federationHost, &actorID, nil
+}
+
+func findFederatedUser(ctx context.Context, actorURI string) (*user_model.User, *user_model.FederatedUser, error) {
+	federationHost, _, err := findFederationHost(ctx, actorURI)
 	if err != nil {
-		return nil, nil, nil, err
+		return nil, nil, err
 	}
 
-	return user, federatedUser, federationHost, nil
+	actorID, err := fm.NewPersonID(actorURI, string(federationHost.NodeInfo.SoftwareName))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	localUser, federatedUser, err := user_model.FindFederatedUser(ctx, actorID.ID, federationHost.ID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return localUser, federatedUser, nil
 }
 
 func createFederationHostFromAP(ctx context.Context, actorID fm.ActorID) (*forgefed.FederationHost, error) {
diff --git a/services/federation/person_inbox_create.go b/services/federation/person_inbox_create.go
index 2132c7ede1..9353c687d0 100644
--- a/services/federation/person_inbox_create.go
+++ b/services/federation/person_inbox_create.go
@@ -23,15 +23,11 @@ func processPersonInboxCreate(ctx context.Context, user *user.User, activity *ap
 	}
 
 	actorURI := createAct.Actor.GetLink().String()
-	federatedBaseUser, _, _, err := findFederatedUser(ctx, actorURI)
+	federatedBaseUser, _, err := findFederatedUser(ctx, actorURI)
 	if err != nil {
 		log.Error("Federated user not found (%s): %v", actorURI, err)
 		return ServiceResult{}, NewErrNotAcceptablef("federated user not found (%s): %v", actorURI, err)
 	}
-	if federatedBaseUser == nil {
-		log.Error("Federated user not found (%s): %v", actorURI, err)
-		return ServiceResult{}, NewErrNotAcceptablef("federated user not found (%s): %v", actorURI, err)
-	}
 
 	federatedUserActivity, err := activities.NewFederatedUserActivity(
 		user.ID,
diff --git a/services/federation/person_inbox_undo.go b/services/federation/person_inbox_undo.go
index 4379cf242a..c7593adace 100644
--- a/services/federation/person_inbox_undo.go
+++ b/services/federation/person_inbox_undo.go
@@ -20,27 +20,25 @@ func processPersonInboxUndo(ctx context.Context, ctxUser *user.User, activity *a
 	}
 
 	actorURI := activity.Actor.GetLink().String()
-	_, federatedUser, _, err := findFederatedUser(ctx, actorURI)
+	_, federatedUser, err := findFederatedUser(ctx, actorURI)
 	if err != nil {
 		log.Error("User not found: %v", err)
 		return ServiceResult{}, NewErrInternalf("User not found: %v", err)
 	}
 
-	if federatedUser != nil {
-		following, err := user.IsFollowingAp(ctx, ctxUser, federatedUser)
-		if err != nil {
-			log.Error("forgefed.IsFollowing: %v", err)
-			return ServiceResult{}, NewErrInternalf("forgefed.IsFollowing: %v", err)
-		}
-		if !following {
-			// The local user is not following the federated one, nothing to do.
-			log.Trace("Local user[%d] is not following federated user[%d]", ctxUser.ID, federatedUser.ID)
-			return NewServiceResultStatusOnly(http.StatusNoContent), nil
-		}
-		if err := user.RemoveFollower(ctx, ctxUser, federatedUser); err != nil {
-			log.Error("Unable to remove follower", err)
-			return ServiceResult{}, NewErrInternalf("Unable to remove follower: %v", err)
-		}
+	following, err := user.IsFollowingAp(ctx, ctxUser, federatedUser)
+	if err != nil {
+		log.Error("forgefed.IsFollowing: %v", err)
+		return ServiceResult{}, NewErrInternalf("forgefed.IsFollowing: %v", err)
+	}
+	if !following {
+		// The local user is not following the federated one, nothing to do.
+		log.Trace("Local user[%d] is not following federated user[%d]", ctxUser.ID, federatedUser.ID)
+		return NewServiceResultStatusOnly(http.StatusNoContent), nil
+	}
+	if err := user.RemoveFollower(ctx, ctxUser, federatedUser); err != nil {
+		log.Error("Unable to remove follower", err)
+		return ServiceResult{}, NewErrInternalf("Unable to remove follower: %v", err)
 	}
 
 	return NewServiceResultStatusOnly(http.StatusNoContent), nil
diff --git a/services/federation/signature_service.go b/services/federation/signature_service.go
index bd40a37beb..cd7992605d 100644
--- a/services/federation/signature_service.go
+++ b/services/federation/signature_service.go
@@ -15,180 +15,128 @@ import (
 	"forgejo.org/models/forgefed"
 	"forgejo.org/models/user"
 	"forgejo.org/modules/activitypub"
-	fm "forgejo.org/modules/forgefed"
 	"forgejo.org/modules/log"
 
 	ap "github.com/go-ap/activitypub"
 )
 
-// Factory function for ActorID. Created struct is asserted to be valid
-func NewActorIDFromKeyID(ctx context.Context, uri string) (fm.ActorID, error) {
-	parsedURI, err := url.Parse(uri)
-	if err != nil {
-		return fm.ActorID{}, err
-	}
-
-	parsedURI.Fragment = ""
-
-	actionsUser := user.NewAPServerActor()
-	clientFactory, err := activitypub.GetClientFactory(ctx)
-	if err != nil {
-		return fm.ActorID{}, err
-	}
-
-	apClient, err := clientFactory.WithKeys(ctx, actionsUser, actionsUser.KeyID())
-	if err != nil {
-		return fm.ActorID{}, err
-	}
-
-	userResponse, err := apClient.GetBody(parsedURI.String())
-	if err != nil {
-		return fm.ActorID{}, err
-	}
-
-	var actor ap.Actor
-	err = actor.UnmarshalJSON(userResponse)
-	if err != nil {
-		return fm.ActorID{}, err
-	}
-
-	result, err := fm.NewActorID(actor.PublicKey.Owner.String())
-	return result, err
-}
-
-func FindOrCreateFederatedUserKey(ctx context.Context, keyID string) (pubKey any, err error) {
-	log.Trace("KeyID: %v", keyID)
-	var federatedUser *user.FederatedUser
-	var keyURL *url.URL
-
-	keyURL, err = url.Parse(keyID)
-	if err != nil {
-		return nil, err
-	}
-
-	// Try if the signing actor is an already known federated user
-	_, federatedUser, err = user.FindFederatedUserByKeyID(ctx, keyURL.String())
-	if err != nil {
-		return nil, err
-	}
-
-	if federatedUser == nil {
-		rawActorID, err := NewActorIDFromKeyID(ctx, keyID)
-		if err != nil {
-			return nil, err
-		}
-
-		_, federatedUser, _, err = FindOrCreateFederatedUser(ctx, rawActorID.AsURI())
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if federatedUser.PublicKey.Valid {
-		pubKey, err := x509.ParsePKIXPublicKey(federatedUser.PublicKey.V)
-		if err != nil {
-			return nil, err
-		}
-		log.Trace("For KeyID %v found pubKey %v", keyID, pubKey)
-		return pubKey, nil
-	}
-
-	// Fetch missing public key
-	pubKey, pubKeyBytes, apPerson, err := fetchKeyFromAp(ctx, *keyURL)
-	if err != nil {
-		return nil, err
-	}
-	if apPerson.Type == ap.ActivityVocabularyType("Person") {
-		// Check federatedUser.id = person.id
-		if federatedUser.ExternalID != apPerson.ID.String() {
-			return nil, fmt.Errorf("federated user fetched (%v) does not match the stored one %v", apPerson, federatedUser)
-		}
-		// update federated user
-		federatedUser.KeyID = sql.NullString{
-			String: apPerson.PublicKey.ID.String(),
-			Valid:  true,
-		}
-		federatedUser.PublicKey = sql.Null[sql.RawBytes]{
-			V:     pubKeyBytes,
-			Valid: true,
-		}
-		err = user.UpdateFederatedUser(ctx, federatedUser)
-		if err != nil {
-			return nil, err
-		}
-		log.Trace("For %v found pubKey %v", keyID, pubKey)
-		return pubKey, nil
-	}
-	log.Trace("For %v found no pubKey", keyID)
-	return nil, nil
-}
-
-func FindOrCreateFederationHostKey(ctx context.Context, keyID string) (pubKey any, err error) {
+func FindOrCreateActorKey(ctx context.Context, keyID string) (pubKey any, err error) {
 	log.Trace("KeyID: %v", keyID)
 	keyURL, err := url.Parse(keyID)
 	if err != nil {
 		return nil, err
 	}
-	rawActorID, err := NewActorIDFromKeyID(ctx, keyID)
-	if err != nil {
-		return nil, err
-	}
 
-	// Is there an already known federation host?
-	federationHost, err := forgefed.FindFederationHostByKeyID(ctx, keyURL.String())
+	// Check for existing user key
+	_, federatedUser, err := user.FindFederatedUserByKeyID(ctx, keyURL.String())
 	if err != nil {
-		return nil, err
-	}
+		if !user.IsErrFederatedUserNotExists(err) {
+			return nil, err
+		}
 
-	if federationHost == nil {
-		federationHost, err = FindOrCreateFederationHost(ctx, rawActorID.AsURI())
+		// Check for existing federation host key
+		federationHost, err := forgefed.FindFederationHostByKeyID(ctx, keyURL.String())
+		if err != nil {
+			if !forgefed.IsErrFederationHostNotFound(err) {
+				return nil, err
+			}
+		} else if federationHost.PublicKey.Valid {
+			pubKey, err := x509.ParsePKIXPublicKey(federationHost.PublicKey.V)
+			if err != nil {
+				return nil, err
+			}
+
+			return pubKey, nil
+		}
+	} else if federatedUser.PublicKey.Valid {
+		pubKey, err := x509.ParsePKIXPublicKey(federatedUser.PublicKey.V)
 		if err != nil {
 			return nil, err
 		}
-	}
 
-	// Is there an already an key?
-	if federationHost.PublicKey.Valid {
-		pubKey, err := x509.ParsePKIXPublicKey(federationHost.PublicKey.V)
-		if err != nil {
-			return nil, err
-		}
-		log.Trace("For %v found pubKey: %v", keyID, pubKey)
 		return pubKey, nil
 	}
 
-	// If not, fetch missing public key
-	pubKey, pubKeyBytes, apPerson, err := fetchKeyFromAp(ctx, *keyURL)
+	// Fetch missing key
+	pubKey, pubKeyBytes, actor, err := fetchKeyFromAp(ctx, *keyURL)
 	if err != nil {
 		return nil, err
 	}
-	if apPerson.Type == ap.ActivityVocabularyType("Application") {
-		// Check federationhost.id = person.id
-		if federationHost.HostPort != rawActorID.HostPort || federationHost.HostFqdn != rawActorID.Host ||
-			federationHost.HostSchema != rawActorID.HostSchema {
-			return nil, fmt.Errorf("federation host fetched (%v) does not match the stored one %v", apPerson, federationHost)
-		}
-		// update federation host
-		federationHost.KeyID = sql.NullString{
-			String: apPerson.PublicKey.ID.String(),
-			Valid:  true,
-		}
-		federationHost.PublicKey = sql.Null[sql.RawBytes]{
-			V:     pubKeyBytes,
-			Valid: true,
-		}
-		err = forgefed.UpdateFederationHost(ctx, federationHost)
+
+	switch actor.Type {
+	case ap.PersonType:
+		_, federatedUser, _, err := FindOrCreateFederatedUser(ctx, actor.ID.String())
 		if err != nil {
 			return nil, err
 		}
-		log.Trace("For %v found pubKey: %v", keyID, pubKey)
-		return pubKey, nil
+
+		err = updateFederatedUserKey(ctx, federatedUser, pubKeyBytes, actor)
+		if err != nil {
+			return nil, err
+		}
+	case ap.ApplicationType:
+		federationHost, err := FindOrCreateFederationHost(ctx, actor.ID.String())
+		if err != nil {
+			return nil, err
+		}
+
+		err = updateFederationHostKey(ctx, federationHost, pubKeyBytes, actor)
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, fmt.Errorf("Fetched actortype (%s) is unhandled", actor.Type)
 	}
-	log.Trace("For %v found no pubKey.", keyID)
-	return nil, nil
+
+	return pubKey, nil
 }
 
-func fetchKeyFromAp(ctx context.Context, keyURL url.URL) (pubKey any, pubKeyBytes []byte, apPerson *ap.Person, err error) {
+func updateFederatedUserKey(ctx context.Context, federatedUser *user.FederatedUser, pubKeyBytes []byte, actor *ap.Actor) (err error) {
+	if actor.Type != ap.PersonType {
+		return fmt.Errorf("Fetched user type (%s) is not of user type Person", actor.Type)
+	}
+
+	if federatedUser.NormalizedOriginalURL != actor.ID.String() {
+		return fmt.Errorf("federated user (%s) does not match the stored one %s", actor.ID, federatedUser.NormalizedOriginalURL)
+	}
+
+	federatedUser.KeyID = sql.NullString{
+		String: actor.PublicKey.ID.String(),
+		Valid:  true,
+	}
+
+	federatedUser.PublicKey = sql.Null[sql.RawBytes]{
+		V:     pubKeyBytes,
+		Valid: true,
+	}
+
+	return user.UpdateFederatedUser(ctx, federatedUser)
+}
+
+func updateFederationHostKey(ctx context.Context, federationHost *forgefed.FederationHost, pubKeyBytes []byte, actor *ap.Actor) (err error) {
+	if actor.Type != ap.ApplicationType {
+		return fmt.Errorf("Fetched user type (%s) is not of user type Application", actor.Type)
+	}
+
+	federationHost.KeyID = sql.NullString{
+		String: actor.PublicKey.ID.String(),
+		Valid:  true,
+	}
+
+	federationHost.PublicKey = sql.Null[sql.RawBytes]{
+		V:     pubKeyBytes,
+		Valid: true,
+	}
+
+	err = forgefed.UpdateFederationHost(ctx, federationHost)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func fetchKeyFromAp(ctx context.Context, keyURL url.URL) (pubKey any, pubKeyBytes []byte, apPerson *ap.Actor, err error) {
 	log.Trace("keyURL %v", keyURL)
 	actionsUser := user.NewAPServerActor()
 
@@ -207,13 +155,17 @@ func fetchKeyFromAp(ctx context.Context, keyURL url.URL) (pubKey any, pubKeyByte
 		return nil, nil, nil, err
 	}
 
-	person := ap.PersonNew(ap.IRI(keyURL.String()))
-	err = person.UnmarshalJSON(b)
+	actor := ap.ActorNew(ap.IRI(keyURL.String()), ap.ActorType)
+	err = actor.UnmarshalJSON(b)
 	if err != nil {
-		return nil, nil, nil, fmt.Errorf("ActivityStreams type cannot be converted to one known to have publicKey property: %w", err)
+		return nil, nil, nil, fmt.Errorf("ActivityStreams object cannot be converted to actor: %w", err)
+	}
+
+	pubKeyFromAp := actor.PublicKey
+	if pubKeyFromAp.PublicKeyPem == "" {
+		return nil, nil, nil, ErrKeyNotFound{KeyID: keyURL.String()}
 	}
 
-	pubKeyFromAp := person.PublicKey
 	if pubKeyFromAp.ID.String() != keyURL.String() {
 		return nil, nil, nil, fmt.Errorf("cannot find publicKey with id: %v in %v", keyURL, string(b))
 	}
@@ -229,7 +181,7 @@ func fetchKeyFromAp(ctx context.Context, keyURL url.URL) (pubKey any, pubKeyByte
 	}
 
 	log.Trace("For %v fetched pubKey %v", keyURL, pubKey)
-	return pubKey, pubKeyBytes, person, err
+	return pubKey, pubKeyBytes, actor, err
 }
 
 func decodePublicKeyPem(pubKeyPem string) ([]byte, error) {
diff --git a/tests/integration/api_activitypub_actor_test.go b/tests/integration/api_activitypub_actor_test.go
index 30e8934e1b..2a758f5424 100644
--- a/tests/integration/api_activitypub_actor_test.go
+++ b/tests/integration/api_activitypub_actor_test.go
@@ -4,19 +4,13 @@
 package integration
 
 import (
-	"fmt"
 	"io"
 	"net/http"
-	"net/url"
-	"strconv"
 	"testing"
 
-	"forgejo.org/modules/forgefed"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/test"
 	"forgejo.org/routers"
-	"forgejo.org/services/contexttest"
-	"forgejo.org/services/federation"
 	"forgejo.org/tests"
 
 	ap "github.com/go-ap/activitypub"
@@ -76,27 +70,3 @@ func TestActivityPubActor(t *testing.T) {
 		assert.Nil(t, outboxCollection.Last)
 	})
 }
-
-func TestActorNewFromKeyId(t *testing.T) {
-	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
-	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
-
-	onApplicationRun(t, func(t *testing.T, u *url.URL) {
-		ctx, _ := contexttest.MockAPIContext(t, "/api/v1/activitypub/actor")
-		sut, err := federation.NewActorIDFromKeyID(ctx.Base, fmt.Sprintf("%sapi/v1/activitypub/actor#main-key", u))
-		require.NoError(t, err)
-
-		port, err := strconv.ParseUint(u.Port(), 10, 16)
-		require.NoError(t, err)
-
-		assert.Equal(t, forgefed.ActorID{
-			ID:                 "actor",
-			HostSchema:         "http",
-			Path:               "api/v1/activitypub",
-			Host:               setting.Domain,
-			HostPort:           uint16(port),
-			UnvalidatedInput:   fmt.Sprintf("http://%s:%d/api/v1/activitypub/actor", setting.Domain, port),
-			IsPortSupplemented: false,
-		}, sut)
-	})
-}
diff --git a/tests/integration/api_federation_httpsig_test.go b/tests/integration/api_federation_httpsig_test.go
index 5003f691d4..2f62efb2af 100644
--- a/tests/integration/api_federation_httpsig_test.go
+++ b/tests/integration/api_federation_httpsig_test.go
@@ -19,7 +19,6 @@ import (
 	"forgejo.org/modules/test"
 	"forgejo.org/routers"
 	"forgejo.org/services/contexttest"
-	"forgejo.org/services/federation"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -42,12 +41,29 @@ func TestFederationHttpSigValidation(t *testing.T) {
 		apClient, err := clientFactory.WithKeys(ctx, user1, user1.KeyID())
 		require.NoError(t, err)
 
+		// HACK HACK HACK: the host part of the URL gets set to which IP forgejo is
+		// listening on, NOT localhost, which is the Domain given to forgejo which
+		// is then used for eg. the keyID all requests
+		applicationKeyID := fmt.Sprintf("%sapi/v1/activitypub/actor#main-key", setting.AppURL)
+		actorKeyID := fmt.Sprintf("%sapi/v1/activitypub/user-id/1#main-key", setting.AppURL)
+
 		// Unsigned request
 		t.Run("UnsignedRequest", func(t *testing.T) {
 			req := NewRequest(t, "GET", userURL)
 			MakeRequest(t, req, http.StatusBadRequest)
 		})
 
+		// Check for missing public keys
+		t.Run("ValidateEmptyCaches", func(t *testing.T) {
+			_, err := forgefed.FindFederationHostByKeyID(db.DefaultContext, applicationKeyID)
+			require.Error(t, err)
+			assert.True(t, forgefed.IsErrFederationHostNotFound(err))
+
+			_, _, err = user.FindFederatedUserByKeyID(db.DefaultContext, actorKeyID)
+			require.Error(t, err)
+			assert.True(t, user.IsErrFederatedUserNotExists(err))
+		})
+
 		// Signed request
 		t.Run("SignedRequest", func(t *testing.T) {
 			resp, err := apClient.Get(userURL)
@@ -55,12 +71,6 @@ func TestFederationHttpSigValidation(t *testing.T) {
 			assert.Equal(t, http.StatusOK, resp.StatusCode)
 		})
 
-		// HACK HACK HACK: the host part of the URL gets set to which IP forgejo is
-		// listening on, NOT localhost, which is the Domain given to forgejo which
-		// is then used for eg. the keyID all requests
-		applicationKeyID := fmt.Sprintf("%sapi/v1/activitypub/actor#main-key", setting.AppURL)
-		actorKeyID := fmt.Sprintf("%sapi/v1/activitypub/user-id/1#main-key", setting.AppURL)
-
 		// Check for cached public keys
 		t.Run("ValidateCaches", func(t *testing.T) {
 			host, err := forgefed.FindFederationHostByKeyID(db.DefaultContext, applicationKeyID)
@@ -74,14 +84,6 @@ func TestFederationHttpSigValidation(t *testing.T) {
 			assert.True(t, user.PublicKey.Valid)
 		})
 
-		t.Run("ValidateActorFromKeyID", func(t *testing.T) {
-			_, err := federation.NewActorIDFromKeyID(ctx, actorKeyID)
-			require.NoError(t, err)
-
-			_, err = federation.NewActorIDFromKeyID(ctx, "http://bad.url/%^&")
-			require.Error(t, err)
-		})
-
 		// Disable signature validation
 		defer test.MockVariableValue(&setting.Federation.SignatureEnforced, false)()
 

From cf26e4c891c728db0c4729fac70763cb37319aea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=CE=88=CE=BB=CE=BB=CE=B5=CE=BD=20=CE=95=CE=BC=CE=AF=CE=BB?=
 =?UTF-8?q?=CE=B9=CE=B1=20=CE=86=CE=BD=CE=BD=CE=B1=20Zscheile?=
 <fogti+devel@ytrizja.de>
Date: Tue, 14 Apr 2026 06:27:39 +0200
Subject: [PATCH 115/287] feat(asymkey/llu): Only interpret .Reason as msgid if
 .Verified=false (#12019)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Split out from #12013.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12019
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Έλλεν Εμίλια Άννα Zscheile <fogti+devel@ytrizja.de>
Co-committed-by: Έλλεν Εμίλια Άννα Zscheile <fogti+devel@ytrizja.de>
---
 models/asymkey/lint-locale-usage/llu.go | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/models/asymkey/lint-locale-usage/llu.go b/models/asymkey/lint-locale-usage/llu.go
index 256b5ca12b..2d6a02ff44 100644
--- a/models/asymkey/lint-locale-usage/llu.go
+++ b/models/asymkey/lint-locale-usage/llu.go
@@ -20,14 +20,32 @@ func HandleCompositeErrorReason(handler llu.Handler, fset *token.FileSet, n *ast
 	}
 
 	// fields are normally named
+	var reason ast.Expr
+	verified := false
 	for _, i := range n.Elts {
 		if kve, ok := i.(*ast.KeyValueExpr); ok {
 			ident, ok = kve.Key.(*ast.Ident)
-			if ok && ident.Name == "Reason" {
-				handler.HandleGoTrArgument(fset, kve.Value, "")
+			if !ok {
+				continue
+			}
+			switch ident.Name {
+			case "Reason":
+				reason = kve.Value
+			case "Verified":
+				if valueIdent, ok := kve.Value.(*ast.Ident); ok {
+					switch valueIdent.Name {
+					case "true":
+						verified = true
+					case "false":
+						verified = false
+					}
+				}
 			}
 		} else {
 			handler.OnWarning(fset, i.Pos(), "unable to parse ObjectVerification field assignment")
 		}
 	}
+	if !verified && reason != nil {
+		handler.HandleGoTrArgument(fset, reason, "")
+	}
 }

From 94a55fc666d0581973bb7db9fac3f9532735780d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=CE=88=CE=BB=CE=BB=CE=B5=CE=BD=20=CE=95=CE=BC=CE=AF=CE=BB?=
 =?UTF-8?q?=CE=B9=CE=B1=20=CE=86=CE=BD=CE=BD=CE=B1=20Zscheile?=
 <fogti+devel@ytrizja.de>
Date: Tue, 14 Apr 2026 07:20:16 +0200
Subject: [PATCH 116/287] i18n(mailer): Fix special usage of .Locale in
 admin_new_user (#12009)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR is in reaction to https://codeberg.org/forgejo/forgejo/issues/1711 .

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12009
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Έλλεν Εμίλια Άννα Zscheile <fogti+devel@ytrizja.de>
Co-committed-by: Έλλεν Εμίλια Άννα Zscheile <fogti+devel@ytrizja.de>
---
 build/lint-locale-usage/handle-tmpl.go    | 6 +++++-
 services/mailer/mail_admin_new_user.go    | 2 +-
 templates/mail/notify/admin_new_user.tmpl | 4 ++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/build/lint-locale-usage/handle-tmpl.go b/build/lint-locale-usage/handle-tmpl.go
index 8d03291205..7fbda8ffd5 100644
--- a/build/lint-locale-usage/handle-tmpl.go
+++ b/build/lint-locale-usage/handle-tmpl.go
@@ -60,9 +60,13 @@ func (handler Handler) handleTemplateNode(fset *token.FileSet, node tmplParser.N
 
 		case tmplParser.NodeField:
 			nodeField := nodeCommand.Args[0].(*tmplParser.FieldNode)
-			if len(nodeField.Ident) != 2 || !(nodeField.Ident[0] == "locale" || nodeField.Ident[0] == "Locale") {
+			if len(nodeField.Ident) != 2 || nodeField.Ident[0] != "locale" {
 				return
 			}
+			resolvedPos := fset.PositionFor(token.Pos(nodeCommand.Pos), false)
+			if !strings.Contains(resolvedPos.Filename, "templates/mail/") {
+				handler.OnWarning(fset, token.Pos(nodeCommand.Pos), "encountered unexpected .locale usage")
+			}
 			funcname = nodeField.Ident[1]
 
 		case tmplParser.NodeVariable:
diff --git a/services/mailer/mail_admin_new_user.go b/services/mailer/mail_admin_new_user.go
index ffb03197b7..9b94950235 100644
--- a/services/mailer/mail_admin_new_user.go
+++ b/services/mailer/mail_admin_new_user.go
@@ -57,7 +57,7 @@ func mailNewUser(_ context.Context, u *user_model.User, lang string, tos []strin
 		"Subject":      subject,
 		"Body":         body,
 		"Language":     locale.Language(),
-		"Locale":       locale,
+		"locale":       locale,
 		"SanitizeHTML": templates.SanitizeHTML,
 	}
 
diff --git a/templates/mail/notify/admin_new_user.tmpl b/templates/mail/notify/admin_new_user.tmpl
index 655c7ce5c5..121fa9aa17 100644
--- a/templates/mail/notify/admin_new_user.tmpl
+++ b/templates/mail/notify/admin_new_user.tmpl
@@ -12,8 +12,8 @@
 
 <body>
 	<ul>
-		<h3>{{.Locale.Tr "mail.admin.new_user.user_info"}}: <a href="{{.NewUserUrl}}">@{{.NewUser.Name}}</a></h3>
-		<li>{{.Locale.Tr "admin.users.created"}}: {{DateTime "full" .NewUser.CreatedUnix}}</li>
+		<h3>{{.locale.Tr "mail.admin.new_user.user_info"}}: <a href="{{.NewUserUrl}}">@{{.NewUser.Name}}</a></h3>
+		<li>{{.locale.Tr "admin.users.created"}}: {{DateTime "full" .NewUser.CreatedUnix}}</li>
 	</ul>
 	<p> {{.Body | SanitizeHTML}} </p>
 </body>

From 0d97b8e9da86978baddf9cada4be420998eedb6a Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Tue, 14 Apr 2026 07:25:05 +0200
Subject: [PATCH 117/287] chore: don't load settings twice for running `web`
 (#12111)

- It's quite hard to determine when and why this was added here, my best
  guess is that this being the "oldest" subcommand at some point loading
  the configuration was not unified. Now it is unified in
  `prepareWorkPathAndCustomConf` which is run before any subcommand is
  run. It determines the work path, custom path and (custom) config and
  then loads the settings by calling `LoadCommonSettings`.
- Between `prepareWorkPathAndCustomConf` being called and
  `serveInstalled` being called the `setting.CustomConf` is not changed.
  There was a possibility this being necessary for install page ->
  installed, but the install code already ensures that the new config is
  loaded and used.
- Thus calling to load the settings again here is not necessary. There's
  a small possibility some settings loading code was written to only work
  after being loaded the second time. That's a bug that needs to be fixed,
  because all other subcommands does not load the settings twice and would
  see a different view of the settings in that case. I don't fear such
  code being present here.
- Resolves forgejo/forgejo#11024

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12111
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
---
 cmd/web.go                 | 2 --
 modules/setting/setting.go | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/cmd/web.go b/cmd/web.go
index 683b19c82a..4a2a1de1fe 100644
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -164,8 +164,6 @@ func serveInstall(_ context.Context, ctx *cli.Command) error {
 }
 
 func serveInstalled(_ context.Context, ctx *cli.Command) error {
-	setting.InitCfgProvider(setting.CustomConf)
-	setting.LoadCommonSettings()
 	setting.MustInstalled()
 
 	showWebStartupMessage("Prepare to run web server")
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index fac6e54fb1..44dad1fab1 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -119,8 +119,8 @@ func loadCommonSettingsFrom(cfg ConfigProvider) error {
 
 	mustCurrentRunUserMatch(cfg) // it depends on the SSH config, only non-builtin SSH server requires this check
 
-	loadOAuth2From(cfg)
 	loadSecurityFrom(cfg)
+	loadOAuth2From(cfg)
 	if err := loadAttachmentFrom(cfg); err != nil {
 		return err
 	}

From 179fbdb04e90a73f64e1910f8ca157fa6e1f678f Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 14 Apr 2026 17:18:14 +0200
Subject: [PATCH 118/287] fix: when reviewing in PRs, make comments relative to
 viewed base & head, not just viewed head (#12107)

While developing tests for #12092, I came across a case where making a comment on a single-commit doesn't include the correct diff for the comment.  This is because code comment placement occurs between the PR's base and the commit being viewed, but, that diff could be different from the commit's parent to the commit, which is what is being viewed on a single-commit diff.

Similar to #12055, this PR changes code comments to be more precise in their diff generation by providing the backend with both the base commit (`before_commit_id`) and head commit (`after_commit_id`) currently being viewed.  As a result, the diffs attached to comments should exactly match the diffs being viewed by the user when the comment was placed.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12107
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 models/issues/comment.go                     |  2 +-
 routers/api/v1/repo/pull_review.go           |  2 +
 routers/web/repo/pull.go                     |  6 +-
 routers/web/repo/pull_review.go              | 10 +++
 routers/web/repo/pull_review_test.go         |  2 +-
 services/forms/repo_form.go                  |  1 +
 services/mailer/incoming/incoming_handler.go |  1 +
 services/pull/review.go                      | 20 +++--
 templates/repo/diff/box.tmpl                 |  2 +-
 templates/repo/diff/comment_form.tmpl        |  1 +
 tests/integration/pull_review_test.go        | 81 +++++++++++++++++++-
 11 files changed, 116 insertions(+), 12 deletions(-)

diff --git a/models/issues/comment.go b/models/issues/comment.go
index b42cd8aa40..e0ea1e111d 100644
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@@ -798,7 +798,7 @@ func (c *Comment) ResolveCurrentLine(ctx context.Context, repo *repo_model.Repos
 				// instead, return a blame where CommitID != headCommitID, which will be an indicator to callers (for
 				// both resolution methods) that the line of code is outdated in the diff.
 				reverseBlame = &git.ReverseLineBlame{
-					CommitID:   c.CommitSHA, // not currentHead
+					CommitID:   "", // not currentHead
 					LineNumber: c.UnsignedLine(),
 					FilePath:   c.TreePath,
 				}
diff --git a/routers/api/v1/repo/pull_review.go b/routers/api/v1/repo/pull_review.go
index e478f93655..e28c1edafc 100644
--- a/routers/api/v1/repo/pull_review.go
+++ b/routers/api/v1/repo/pull_review.go
@@ -337,6 +337,7 @@ func CreatePullReviewComment(ctx *context.APIContext) {
 		pr.Issue,
 		opts.Body,
 		opts.Path,
+		pr.MergeBase,
 		review.CommitID,
 		line,
 		review.ID,
@@ -509,6 +510,7 @@ func CreatePullReview(ctx *context.APIContext) {
 			c.Path,
 			true, // pending review
 			0,    // no reply
+			pr.MergeBase,
 			opts.CommitID,
 			nil,
 		); err != nil {
diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
index 4a8217c719..2c5c7f94f3 100644
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@@ -1027,7 +1027,11 @@ func viewPullFiles(ctx *context.Context, specifiedStartCommit, specifiedEndCommi
 		}
 
 		endCommitID = commitID
-		startCommitID = prInfo.MergeBase
+		if prevCommit != nil {
+			startCommitID = prevCommit.ID.String()
+		} else {
+			startCommitID = prInfo.MergeBase
+		}
 		ctx.Data["IsShowingAllCommits"] = false
 	} else if willShowSpecifiedCommitRange {
 		if len(specifiedEndCommit) > 0 {
diff --git a/routers/web/repo/pull_review.go b/routers/web/repo/pull_review.go
index c2e30770d3..401f100d84 100644
--- a/routers/web/repo/pull_review.go
+++ b/routers/web/repo/pull_review.go
@@ -53,6 +53,15 @@ func RenderNewCodeCommentForm(ctx *context.Context) {
 		}
 	}
 	ctx.Data["AfterCommitID"] = afterCommitID
+	beforeCommitID := ctx.FormString("before_commit_id")
+	if beforeCommitID == "" {
+		if err := issue.LoadPullRequest(ctx); err != nil {
+			ctx.ServerError("LoadPullRequest", err)
+			return
+		}
+		beforeCommitID = issue.PullRequest.MergeBase
+	}
+	ctx.Data["BeforeCommitID"] = beforeCommitID
 	ctx.Data["IsAttachmentEnabled"] = setting.Attachment.Enabled
 	upload.AddUploadContext(ctx, "comment")
 	ctx.HTML(http.StatusOK, tplNewComment)
@@ -112,6 +121,7 @@ func CreateCodeComment(ctx *context.Context) {
 		form.TreePath,
 		pendingReview,
 		form.Reply,
+		form.BeforeCommitID,
 		form.LatestCommitID,
 		attachments,
 	)
diff --git a/routers/web/repo/pull_review_test.go b/routers/web/repo/pull_review_test.go
index dd0fa7df29..c068f575dd 100644
--- a/routers/web/repo/pull_review_test.go
+++ b/routers/web/repo/pull_review_test.go
@@ -51,7 +51,7 @@ func TestRenderConversation(t *testing.T) {
 	var preparedComment *issues_model.Comment
 	run("prepare", func(t *testing.T, ctx *context.Context, resp *httptest.ResponseRecorder) {
 		comment, err := pull.CreateCodeComment(ctx, pr.Issue.Poster, ctx.Repo.GitRepo, pr.Issue,
-			1, "content", "", false, 0,
+			1, "content", "", false, 0, pr.MergeBase,
 			prHeadCommitID, nil)
 		require.NoError(t, err)
 
diff --git a/services/forms/repo_form.go b/services/forms/repo_form.go
index f9443b8b6c..d1a5b521f8 100644
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -472,6 +472,7 @@ type CodeCommentForm struct {
 	TreePath       string `form:"path" binding:"Required"`
 	SingleReview   bool   `form:"single_review"`
 	Reply          int64  `form:"reply"`
+	BeforeCommitID string
 	LatestCommitID string
 	Files          []string
 }
diff --git a/services/mailer/incoming/incoming_handler.go b/services/mailer/incoming/incoming_handler.go
index e2a2852b07..6fdf00ca59 100644
--- a/services/mailer/incoming/incoming_handler.go
+++ b/services/mailer/incoming/incoming_handler.go
@@ -152,6 +152,7 @@ func (h *ReplyHandler) Handle(ctx context.Context, content *MailContent, doer *u
 				comment.TreePath,
 				false, // not pending review but a single review
 				comment.ReviewID,
+				issue.PullRequest.MergeBase,
 				afterCommitID,
 				attachmentIDs,
 			)
diff --git a/services/pull/review.go b/services/pull/review.go
index 9fc9862823..d8e04675ea 100644
--- a/services/pull/review.go
+++ b/services/pull/review.go
@@ -78,7 +78,10 @@ func InvalidateCodeComments(ctx context.Context, prs issues_model.PullRequestLis
 }
 
 // CreateCodeComment creates a comment on the code line
-func CreateCodeComment(ctx context.Context, doer *user_model.User, gitRepo *git.Repository, issue *issues_model.Issue, line int64, content, treePath string, pendingReview bool, replyReviewID int64, latestCommitID string, attachments []string) (*issues_model.Comment, error) {
+func CreateCodeComment(ctx context.Context, doer *user_model.User, gitRepo *git.Repository,
+	issue *issues_model.Issue, line int64, content, treePath string, pendingReview bool,
+	replyReviewID int64, beforeCommitID, latestCommitID string, attachments []string,
+) (*issues_model.Comment, error) {
 	var (
 		existsReview bool
 		err          error
@@ -109,6 +112,7 @@ func CreateCodeComment(ctx context.Context, doer *user_model.User, gitRepo *git.
 			issue,
 			content,
 			treePath,
+			beforeCommitID,
 			latestCommitID,
 			line,
 			replyReviewID,
@@ -151,6 +155,7 @@ func CreateCodeComment(ctx context.Context, doer *user_model.User, gitRepo *git.
 		issue,
 		content,
 		treePath,
+		beforeCommitID,
 		latestCommitID,
 		line,
 		review.ID,
@@ -173,7 +178,10 @@ func CreateCodeComment(ctx context.Context, doer *user_model.User, gitRepo *git.
 }
 
 // CreateCodeCommentKnownReviewID creates a plain code comment at the specified line / path
-func CreateCodeCommentKnownReviewID(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, issue *issues_model.Issue, content, treePath, afterCommitID string, line, reviewID int64, attachments []string) (*issues_model.Comment, error) {
+func CreateCodeCommentKnownReviewID(ctx context.Context, doer *user_model.User, repo *repo_model.Repository,
+	issue *issues_model.Issue, content, treePath, beforeCommitID, afterCommitID string,
+	line, reviewID int64, attachments []string,
+) (*issues_model.Comment, error) {
 	var commitID, blamedCommitID, patch string
 	blamedLine := line
 	if err := issue.LoadPullRequest(ctx); err != nil {
@@ -237,9 +245,9 @@ func CreateCodeCommentKnownReviewID(ctx context.Context, doer *user_model.User,
 		// Commenting on a line that was removed. In this case, what we want to track in the comment is which line of
 		// code was this, in the last commit that the line of code actually existed in. We'll use a reverse git blame to
 		// identify this, from the PR base -> commit being viewed.
-		blame, err := gitRepo.ReverseLineBlame(pr.MergeBase, treePath, uint64(-1*line), afterCommitID)
+		blame, err := gitRepo.ReverseLineBlame(beforeCommitID, treePath, uint64(-1*line), afterCommitID)
 		if err != nil {
-			return nil, fmt.Errorf("ReverseLineBlame[%s, %s, %d, %s]: %w", pr.MergeBase, treePath, -1*line, afterCommitID, err)
+			return nil, fmt.Errorf("ReverseLineBlame[%s, %s, %d, %s]: %w", beforeCommitID, treePath, -1*line, afterCommitID, err)
 		} else if blame.CommitID == afterCommitID {
 			// Although this is a comment on the "previous" side of the diff, the reverse blame indicates that the line
 			// of code still exists in the commit being viewed (eg. it was a comment on a white line in the left-side of
@@ -277,8 +285,8 @@ func CreateCodeCommentKnownReviewID(ctx context.Context, doer *user_model.User,
 			_ = writer.Close()
 		}()
 		go func() {
-			if err := git.GetRepoRawDiffForFile(gitRepo, pr.MergeBase, commitID, git.RawDiffNormal, treePath, writer); err != nil {
-				_ = writer.CloseWithError(fmt.Errorf("GetRawDiffForLine[%s, %s, %s, %s]: %w", gitRepo.Path, pr.MergeBase, commitID, treePath, err))
+			if err := git.GetRepoRawDiffForFile(gitRepo, beforeCommitID, afterCommitID, git.RawDiffNormal, treePath, writer); err != nil {
+				_ = writer.CloseWithError(fmt.Errorf("GetRawDiffForLine[%s, %s, %s, %s]: %w", gitRepo.Path, pr.MergeBase, afterCommitID, treePath, err))
 				return
 			}
 			_ = writer.Close()
diff --git a/templates/repo/diff/box.tmpl b/templates/repo/diff/box.tmpl
index 5bd9a50b3b..7577ff0921 100644
--- a/templates/repo/diff/box.tmpl
+++ b/templates/repo/diff/box.tmpl
@@ -201,7 +201,7 @@
 										{{end}}
 									</div>
 								{{else}}
-									<table class="chroma" data-new-comment-url="{{$.Issue.Link}}/files/reviews/new_comment?after_commit_id={{$.AfterCommitID}}" data-path="{{$file.Name}}">
+									<table class="chroma" data-new-comment-url="{{$.Issue.Link}}/files/reviews/new_comment?before_commit_id={{$.BeforeCommitID}}&after_commit_id={{$.AfterCommitID}}" data-path="{{$file.Name}}">
 										{{if $.IsSplitStyle}}
 											{{template "repo/diff/section_split" dict "file" . "root" $}}
 										{{else}}
diff --git a/templates/repo/diff/comment_form.tmpl b/templates/repo/diff/comment_form.tmpl
index 922f3f3d73..7b64be71a0 100644
--- a/templates/repo/diff/comment_form.tmpl
+++ b/templates/repo/diff/comment_form.tmpl
@@ -1,6 +1,7 @@
 {{if and $.root.SignedUserID (not $.Repository.IsArchived)}}
 	<form class="ui form {{if $.hidden}}tw-hidden comment-form tw-mt-2{{end}}" action="{{$.root.Issue.Link}}/files/reviews/comments" method="post">
 		<input type="hidden" name="origin" value="{{if $.root.PageIsPullFiles}}diff{{else}}timeline{{end}}">
+		<input type="hidden" name="before_commit_id" value="{{$.root.BeforeCommitID}}">
 		<input type="hidden" name="latest_commit_id" value="{{$.root.AfterCommitID}}">
 		<input type="hidden" name="side" value="{{if $.Side}}{{$.Side}}{{end}}">
 		<input type="hidden" name="line" value="{{if $.Line}}{{$.Line}}{{end}}">
diff --git a/tests/integration/pull_review_test.go b/tests/integration/pull_review_test.go
index b91fdab6d4..8c7b302c68 100644
--- a/tests/integration/pull_review_test.go
+++ b/tests/integration/pull_review_test.go
@@ -1730,6 +1730,67 @@ func TestPullRequestCommentPlacement(t *testing.T) {
 				assert.True(t, commentReloaded.Invalidated)
 			}, 1*time.Second, 50*time.Millisecond)
 		})
+
+		t.Run("comment on removed line in specific commit adjusts to correct location", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			tester := newPullRequestCommentPlacementTester(t)
+
+			// 3 commits: modify line 50, remove line 50, remove some earlier lines
+			content := tester.fileContent
+			content = strings.Replace(content, "Line 50\n", "Line 50--modified\n", 1)
+			commit1 := tester.changeFile("file1.md", content)
+			t.Logf("commit1 = %q", commit1)
+			content = strings.Replace(content, "Line 50--modified\n", "", 1)
+			commit2 := tester.changeFile("file1.md", content)
+			t.Logf("commit2 = %q", commit2)
+			content = strings.Replace(content, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\n", "", 1)
+			commit3 := tester.changeFile("file1.md", content)
+			t.Logf("commit3 = %q", commit3)
+			tester.createPR()
+
+			comment := tester.commentOnPreviousFromSpecificCommit(commit2, "file1.md", 50)
+			assert.Equal(t, `diff --git a/file1.md b/file1.md
+--- a/file1.md
++++ b/file1.md
+@@ -47,7 +47,6 @@ Line 46
+ Line 47
+ Line 48
+ Line 49
+-Line 50--modified`, comment.PatchQuoted)
+			assert.Equal(t, "previous", comment.DiffSide())
+			assert.EqualValues(t, -50, comment.Line)
+			assert.Equal(t, commit1, comment.CommitSHA)
+
+			diff1 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				{rowType: RowAddCode, code: "Line 50--modified"},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertCommitDiff(commit1, diff1, "checking commit1 contents in single-commit diff")
+
+			diff2 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50--modified"},
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertCommitDiff(commit2, diff2, "checking commit2 contents in single-commit diff")
+
+			diff3 := []diffTableRow{
+				{rowType: RowHasCode, code: "Line 49"},
+				{rowType: RowDelCode, code: "Line 50"},
+				// This is a small bug -- the comment was placed on the code "Line 50--modified" in commit1, which was
+				// later amended by commit2. This comment should be marked out-of-date and not appear here. But the
+				// comment's `ResolveCurrentLine` doesn't quite detect this case correctly -- as the comment's CommitSHA
+				// is commit1, it performs a diff commit1..PR-HEAD, not mergebase..PR-HEAD, and it believes that this
+				// line of code still exists because it exists in that diff range. It's a rare edge case that is defered
+				// for future repair.
+				{rowType: RowComment, commentID: comment.ID},
+				{rowType: RowHasCode, code: "Line 51"},
+			}
+			tester.assertFilesChangedDiff(diff3, "checking overall contents in full PR diff")
+		})
 	})
 }
 
@@ -1862,16 +1923,29 @@ func (tester *PullRequestCommentPlacementTester) commentOnPreviousFromFilesChang
 	return tester.commentFromNewCommentForm(resp, filename, line, "previous")
 }
 
+func (tester *PullRequestCommentPlacementTester) getCommitParent(commitID string) string {
+	repo, err := gitrepo.OpenRepository(tester.t.Context(), tester.repo)
+	require.NoError(tester.t, err)
+	defer repo.Close()
+	commit, err := repo.GetCommit(commitID)
+	require.NoError(tester.t, err)
+	require.Len(tester.t, commit.Parents, 1)
+	return commit.Parents[0].String()
+}
+
 func (tester *PullRequestCommentPlacementTester) commentFromSpecificCommit(commitID, filename string, line int) *issues_model.Comment {
+	beforeCommitID := tester.getCommitParent(commitID)
 	req := NewRequest(tester.t, "GET",
-		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment?after_commit_id=%s", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, commitID))
+		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment?before_commit_id=%s&after_commit_id=%s", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, beforeCommitID, commitID))
 	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
 	return tester.commentFromNewCommentForm(resp, filename, line, "proposed")
 }
 
 func (tester *PullRequestCommentPlacementTester) commentOnPreviousFromSpecificCommit(commitID, filename string, line int) *issues_model.Comment {
+	beforeCommitID := tester.getCommitParent(commitID)
+	tester.t.Logf("beforeCommitID(%q) = %q", commitID, beforeCommitID)
 	req := NewRequest(tester.t, "GET",
-		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment?after_commit_id=%s", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, commitID))
+		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/new_comment?before_commit_id=%s&after_commit_id=%s", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index, beforeCommitID, commitID))
 	resp := tester.session.MakeRequest(tester.t, req, http.StatusOK)
 	return tester.commentFromNewCommentForm(resp, filename, line, "previous")
 }
@@ -1879,10 +1953,13 @@ func (tester *PullRequestCommentPlacementTester) commentOnPreviousFromSpecificCo
 func (tester *PullRequestCommentPlacementTester) commentFromNewCommentForm(resp *httptest.ResponseRecorder, filename string, line int, side string) *issues_model.Comment {
 	commentContent := uuid.New().String()
 	doc := NewHTMLParser(tester.t, resp.Body)
+	tester.t.Logf("doc.before = %q", doc.GetInputValueByName("before_commit_id"))
+	tester.t.Logf("doc.latest = %q", doc.GetInputValueByName("latest_commit_id"))
 	req := NewRequestWithValues(tester.t, "POST",
 		fmt.Sprintf("/%s/%s/pulls/%d/files/reviews/comments", tester.repo.OwnerName, tester.repo.Name, tester.pr.Index),
 		map[string]string{
 			"origin":           doc.GetInputValueByName("origin"),
+			"before_commit_id": doc.GetInputValueByName("before_commit_id"),
 			"latest_commit_id": doc.GetInputValueByName("latest_commit_id"),
 			"side":             side, // "proposed" (RHS) or "previous" (LHS)
 			"line":             strconv.Itoa(line),

From 1b6e12408702c81b1ad762be02f7b304d8d73161 Mon Sep 17 00:00:00 2001
From: viceice <michael.kriese@gmx.de>
Date: Tue, 14 Apr 2026 17:25:48 +0200
Subject: [PATCH 119/287] chore(renovate): disable updates on old stable
 branches (#12122)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12122
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: viceice <michael.kriese@gmx.de>
Co-committed-by: viceice <michael.kriese@gmx.de>
---
 .forgejo/renovate.json | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.forgejo/renovate.json b/.forgejo/renovate.json
index f3360b6647..ee6b7212ce 100644
--- a/.forgejo/renovate.json
+++ b/.forgejo/renovate.json
@@ -153,6 +153,12 @@
       "matchUpdateTypes": ["major"],
       "enabled": false
     },
+    {
+      "description": "Disable updates for old stable branches but still allow security updates",
+      "matchBaseBranches": ["v11.0/forgejo", "v14.0/forgejo"],
+      "matchUpdateTypes": ["minor", "patch", "digest"],
+      "enabled": false
+    },
     {
       "description": "Require approval for stable branches (must be last rule to override all others)",
       "matchBaseBranches": ["/^v\\d+\\.\\d+\\/forgejo$/"],

From 8cdfe1d57a020ec91995637eab40d2a2154c1569 Mon Sep 17 00:00:00 2001
From: 0ko <0ko@noreply.codeberg.org>
Date: Tue, 14 Apr 2026 18:50:29 +0200
Subject: [PATCH 120/287] fix(ui): a few small runners UI fixes (#12115)

Followup to https://codeberg.org/forgejo/forgejo/pulls/11516

The string will be fixed in other languages though Weblate after this PR is merged

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12115
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 options/locale_next/locale_en-US.json      | 2 +-
 templates/shared/actions/runner_setup.tmpl | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index 33efb50b75..5581806e80 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -576,7 +576,7 @@
 	"actions.runners.runner_setup.program_options_snippet_aria": "How to invoke forgejo-runner",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "Replace the connection name (<code>forgejo</code> in the example) with a value of your liking.",
 	"actions.runners.runner_setup.heading_using_options": "Using program options",
-	"actions.runners.runner_setup.instruction_advanced_configurations": "For configuring Forgejo Runner running in containers or advanced configurations, see the <a href=\"https://TO-BE-REPLACED.COM\">documentation</a>.",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "For configuring Forgejo Runner running in containers or advanced configurations, see the <a href=\"%s\">documentation</a>.",
 	"actions.runners.none": "No runners available",
 	"actions.runners.reset_registration_token.token": "Registration Token (Deprecated)",
 	"actions.runners.reset_registration_token.button": "Reset registration token",
diff --git a/templates/shared/actions/runner_setup.tmpl b/templates/shared/actions/runner_setup.tmpl
index a24f63d536..35a96600ef 100644
--- a/templates/shared/actions/runner_setup.tmpl
+++ b/templates/shared/actions/runner_setup.tmpl
@@ -2,7 +2,7 @@
 	<h4 class="ui top attached header">
 		{{ctx.Locale.Tr "actions.runners.runner_setup.title" .Runner.Name}}
 		<div class="ui right">
-			<a class="ui secondary tiny button" href="{{.RunnersListLink}}" tabindex="0">
+			<a class="ui basic tiny button" href="{{.RunnersListLink}}" tabindex="0">
 				{{ctx.Locale.Tr "actions.runners.runner_setup.list_of_runners_link"}}
 			</a>
 		</div>
@@ -50,6 +50,6 @@ $ forgejo-runner daemon \
 	--token-url file:///path/to/runner-token \
 	--label docker:docker://node:lts
 </code></pre>
-		<p>{{ctx.Locale.Tr "actions.runners.runner_setup.instruction_advanced_configurations"}}</p>
+		<p>{{ctx.Locale.Tr "actions.runners.runner_setup.instruction_advanced_configurations" "https://forgejo.org/docs/latest/admin/actions/"}}</p>
 	</div>
 </div>

From 88a0551f544383a51425781e1795942f9045faa7 Mon Sep 17 00:00:00 2001
From: Codeberg Translate <translate@codeberg.org>
Date: Wed, 15 Apr 2026 16:24:17 +0000
Subject: [PATCH 121/287] i18n: update of translations from Codeberg Translate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Aindriú Mac Giolla Eoin <aindriu80@noreply.codeberg.org>
Co-authored-by: AshyPinguin <ashypinguin@noreply.codeberg.org>
Co-authored-by: Atalanttore <atalanttore@noreply.codeberg.org>
Co-authored-by: Benedikt Straub <benedikt-straub@web.de>
Co-authored-by: Codeberg Translate <translate@codeberg.org>
Co-authored-by: Coral Pink <coral.pink@disr.it>
Co-authored-by: Edgarsons <edgarsons@noreply.codeberg.org>
Co-authored-by: Fjuro <fjuro@noreply.codeberg.org>
Co-authored-by: Lzebulon <lzebulon@noreply.codeberg.org>
Co-authored-by: Shadow_Glider <shadow_glider@noreply.codeberg.org>
Co-authored-by: SomeTr <sometr@noreply.codeberg.org>
Co-authored-by: Vyxie <kitakita@disroot.org>
Co-authored-by: Wuzzy <wuzzy@disroot.org>
Co-authored-by: Zughy <zughy@noreply.codeberg.org>
Co-authored-by: alissonlauffer <alissonlauffer@noreply.codeberg.org>
Co-authored-by: artnay <artnay@noreply.codeberg.org>
Co-authored-by: augustd <augustd@noreply.codeberg.org>
Co-authored-by: bahrom04 <bahrom04@noreply.codeberg.org>
Co-authored-by: bittin <bittin@noreply.codeberg.org>
Co-authored-by: butterflyoffire <butterflyoffire@noreply.codeberg.org>
Co-authored-by: cirilla <cirilla@noreply.codeberg.org>
Co-authored-by: hanklank <hanklank@noreply.codeberg.org>
Co-authored-by: justbispo <justbispo@noreply.codeberg.org>
Co-authored-by: kwoot <kwoot@noreply.codeberg.org>
Co-authored-by: mahlzahn <mahlzahn@posteo.de>
Co-authored-by: michi-onl <michi-onl@noreply.codeberg.org>
Co-authored-by: mkljczk <mkljczk@noreply.codeberg.org>
Co-authored-by: ospalh <ospalh@noreply.codeberg.org>
Co-authored-by: pakus <pakus@noreply.codeberg.org>
Co-authored-by: pixelcode <pixelcode@noreply.codeberg.org>
Co-authored-by: vmtj <vmtj@noreply.codeberg.org>
Co-authored-by: xtex <xtexchooser@duck.com>
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/ca/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/cs/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/de/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/fil/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/fr/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/ga/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/it/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/kab/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/kw/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/lv/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/mk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/nds/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/nl/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/pt_PT/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/ru/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/sv/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/uk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/uz/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/zh_Hans/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/ca/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/cs/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/de/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/eo/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/fi/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/fil/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/ga/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/kab/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/kw/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/mk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/pl/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/pt_BR/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/pt_PT/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/ru/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/sv/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/tok/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/uk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/zh_Hans/
Translation: Forgejo/forgejo
Translation: Forgejo/forgejo-next
---
 options/locale/locale_ca.ini          |   6 +-
 options/locale/locale_cs-CZ.ini       |   8 +-
 options/locale/locale_de-DE.ini       | 126 ++--
 options/locale/locale_eo.ini          |   5 +-
 options/locale/locale_fi-FI.ini       |   2 +-
 options/locale/locale_fil.ini         |   4 +-
 options/locale/locale_ga-IE.ini       | 803 +++++++++++++++++++--
 options/locale/locale_kab.ini         |  54 +-
 options/locale/locale_kw.ini          | 995 ++++++++++++++++++++++++++
 options/locale/locale_mk.ini          |  87 ++-
 options/locale/locale_pl-PL.ini       |   6 +-
 options/locale/locale_pt-BR.ini       |   4 +-
 options/locale/locale_pt-PT.ini       |   2 +-
 options/locale/locale_ru-RU.ini       |   2 +-
 options/locale/locale_sv-SE.ini       |  80 +--
 options/locale/locale_tok.ini         |  13 +-
 options/locale/locale_uk-UA.ini       |  32 +-
 options/locale/locale_zh-CN.ini       |  86 +--
 options/locale_next/locale_ca.json    | 109 ++-
 options/locale_next/locale_cs-CZ.json |  52 +-
 options/locale_next/locale_de-DE.json | 128 ++--
 options/locale_next/locale_fil.json   |  59 +-
 options/locale_next/locale_fr-FR.json |  31 +-
 options/locale_next/locale_ga.json    | 162 ++++-
 options/locale_next/locale_it-IT.json |  22 +-
 options/locale_next/locale_kab.json   |  30 +-
 options/locale_next/locale_kw.json    |   3 +
 options/locale_next/locale_lv-LV.json |  92 ++-
 options/locale_next/locale_mk.json    |   5 +-
 options/locale_next/locale_nds.json   |  46 +-
 options/locale_next/locale_nl-NL.json | 108 ++-
 options/locale_next/locale_pt-PT.json |  62 +-
 options/locale_next/locale_ru-RU.json |  44 +-
 options/locale_next/locale_sv-SE.json |  50 +-
 options/locale_next/locale_uk-UA.json |  52 +-
 options/locale_next/locale_uz.json    |  20 +-
 options/locale_next/locale_zh-CN.json |  35 +-
 37 files changed, 3037 insertions(+), 388 deletions(-)
 create mode 100644 options/locale/locale_kw.ini
 create mode 100644 options/locale_next/locale_kw.json

diff --git a/options/locale/locale_ca.ini b/options/locale/locale_ca.ini
index 4902188c7e..c18b662900 100644
--- a/options/locale/locale_ca.ini
+++ b/options/locale/locale_ca.ini
@@ -1,6 +1,6 @@
 [common]
 home = Inici
-dashboard = Panell de control
+dashboard = Tauler de control
 explore = Explorar
 help = Ajuda
 logo = Logotip
@@ -2586,6 +2586,7 @@ settings.lfs_pointers.found = S'ha trobat %d punters de blob - %d associats, %d
 settings.lfs_pointers.associateAccessible = Associar %d OIDs accessibles
 settings.matrix.access_token_helper = Es recomana muntar un compte de Matrix dedicat per això. El testimoni d'accés el podeu trobar al client web Element (en una pestanya privada/d'incògnit) > User menu (cantó superior esquerre) > All settings > Help & About > Advanced > Access Token (sota de l'URL del homeserver). Tanqueu la pestanya privada/d'incògnit (tancar la sessió invalidaria el testimoni).
 settings.matrix.room_id_helper = L'ID de sala el podeu trobar al client web Element > Room Settings > Advanced > Internal room ID. Per exemple: %s.
+diff.parent = pare
 
 [user]
 unblock = Desbloquejar
@@ -3121,7 +3122,7 @@ config.send_test_mail = Envia un correu de prova
 config.send_test_mail_submit = Envia
 config.test_mail_failed = No s'ha pogut enviar el correu de prova a "%s": %v
 config.test_mail_sent = S'ha enviat un correu de prova a "%s".
-config.cache_config = 
+config.cache_config =
 config.cache_adapter =Adaptador de la memòria cau
 config.cache_interval =Interval de la memòria cau
 config.cache_conn =Connexió de la memòria cau
@@ -3164,6 +3165,7 @@ auths.tip.github = Registra una aplicació OAuth nova a %s
 auths.tip.gitlab_new = Registra una aplicació nova a %s
 auths.tip.google_plus = Obté les credencials del client OAuth2 amb la consola del Google API a %s
 auths.tip.openid_connect = Usa l'URL d'OpenID Connect Discovery (<server>/.well-known/openid-configuration) per a especificar els endpoints
+dashboard.update_checker = Comprovador d'actualització
 
 [actions]
 variables = Variables
diff --git a/options/locale/locale_cs-CZ.ini b/options/locale/locale_cs-CZ.ini
index 8272952312..ef5c1ff762 100644
--- a/options/locale/locale_cs-CZ.ini
+++ b/options/locale/locale_cs-CZ.ini
@@ -609,7 +609,7 @@ organization_leave_success=Úspěšně jste opustili organizaci %s.
 
 invalid_ssh_key=Nepodařilo se ověřit váš klíč SSH: %s
 invalid_gpg_key=Nepodařilo se ověřit váš klíč GPG: %s
-invalid_ssh_principal=Neplatný SSH Principal certifikát: %s
+invalid_ssh_principal=Neplatný principal: %s
 must_use_public_key=Zadaný klíč je soukromý klíč. Nenahrávejte svůj soukromý klíč nikde. Místo toho použijte váš veřejný klíč.
 unable_verify_ssh_key=Nepodařilo se ověřit klíč SSH, zkontrolujte, zda neobsahuje chyby.
 auth_failed=Ověření selhalo: %v
@@ -805,7 +805,7 @@ key_content_gpg_placeholder=Začíná s „-----BEGIN PGP PUBLIC KEY BLOCK-----
 add_new_principal=Přidat principal
 ssh_key_been_used=Tento klíč SSH byl na server již přidán.
 ssh_key_name_used=U vašeho účtu již existuje klíč SSH se stejným názvem.
-ssh_principal_been_used=Tento SSH Principal certifikát již byl přidán na server.
+ssh_principal_been_used=Tento principal již byl přidán na server.
 gpg_key_id_used=Veřejný klíč GPG se stejným ID již existuje.
 gpg_no_key_email_found=Tento klíč GPG neodpovídá žádné aktivované e-mailové adrese spojené s vaším účtem. Může být stále přidán, pokud podepíšete zadaný token.
 gpg_key_matched_identities=Odpovídající identity:
@@ -847,7 +847,7 @@ gpg_key_deletion_desc=Odstraněním klíče GPG zneplatníte ověření revizí,
 ssh_principal_deletion_desc=Odstranění SSH Principal certifikátu zruší jeho přístup k vašemu účtu. Pokračovat?
 ssh_key_deletion_success=Klíč SSH byl odstraněn.
 gpg_key_deletion_success=Klíč GPG byl odstraněn.
-ssh_principal_deletion_success=SSH Principal certifikát byl odstraněn.
+ssh_principal_deletion_success=Principal byl odstraněn.
 added_on=Přidáno %s
 valid_until_date=Platné do %s
 valid_forever=Platné navždy
@@ -857,7 +857,7 @@ can_read_info=Čtení
 can_write_info=Zápis
 key_state_desc=Tento klíč byl použit během posledních 7 dní
 token_state_desc=Tento token byl použit během posledních 7 dní
-principal_state_desc=Tento SSH Principal certifikát byl použit během posledních 7 dní
+principal_state_desc=Tento principal certifikát byl použit během posledních 7 dní
 show_openid=Zobrazit na profilu
 hide_openid=Odstranit z profilu
 ssh_disabled=SSH je zakázáno
diff --git a/options/locale/locale_de-DE.ini b/options/locale/locale_de-DE.ini
index 494d64a6f7..d777732c65 100644
--- a/options/locale/locale_de-DE.ini
+++ b/options/locale/locale_de-DE.ini
@@ -80,7 +80,7 @@ rerun_all=Alle Jobs neu starten
 save=Speichern
 add=Hinzufügen
 add_all=Alle hinzufügen
-remove=Löschen
+remove=Entfernen
 remove_all=Alle entfernen
 remove_label_str=Element „%s“ entfernen
 edit=Bearbeiten
@@ -100,7 +100,7 @@ copy_type_unsupported=Dieser Dateityp kann nicht kopiert werden
 
 write=Verfassen
 preview=Vorschau
-loading=Laden …
+loading=Wird geladen …
 
 error=Fehler
 error404=Die Seite, die du versuchst aufzurufen, <strong>existiert nicht</strong> oder <strong>wurde entfernt</strong>, oder <strong>du bist nicht berechtigt</strong>, diese anzusehen.
@@ -202,7 +202,7 @@ table_modal.label.columns = Spalten
 link_modal.header = Einen Link hinzufügen
 link_modal.url = URL
 link_modal.description = Beschreibung
-link_modal.paste_reminder = Hinweis: Wenn du einen URL in der Zwischenablage hast, kannst du durch Einfügen im Editor direkt einen Link erstellen.
+link_modal.paste_reminder = Hinweis: Wenn du eine URL in der Zwischenablage hast, kannst du durch Einfügen im Editor direkt einen Link erstellen.
 
 [filter]
 string.asc=A–Z
@@ -257,7 +257,7 @@ err_admin_name_is_invalid=Administratornutzername ist ungültig
 
 general_title=Allgemeine Einstellungen
 app_name=Instanztitel
-app_name_helper=Hier Ihren Instanznamen eingeben. Er wird auf jeder Seite angezeigt.
+app_name_helper=Gib hier den Instanznamen ein. Er wird auf jeder Seite angezeigt.
 repo_path=Repository-Verzeichnis
 repo_path_helper=Remote-Git-Repositorys werden in diesem Verzeichnis gespeichert.
 lfs_path=Git-LFS-Wurzelpfad
@@ -287,7 +287,7 @@ register_confirm=E-Mail-Bestätigung benötigt zum Registrieren
 mail_notify=E-Mail-Benachrichtigungen aktivieren
 server_service_title=Sonstige Server- und Drittserviceeinstellungen
 offline_mode=Offline-Modus aktivieren
-offline_mode.description=Drittanbieter-CDNs deaktivieren und alle Ressourcen lokal bereitstellen.
+offline_mode.description=Content Delivery Networks von Drittanbietern deaktivieren und alle Ressourcen lokal bereitstellen.
 disable_gravatar=Gravatar deaktivieren
 disable_gravatar.description=Gravatar und andere Drittanbieter-Avatar-Quellen deaktivieren. Ein Standardavatar wird verwendet, bis der Nutzer einen eigenen Avatar auf deren Instanz hochlädt.
 federated_avatar_lookup=Föderierte Profilbilder einschalten
@@ -332,7 +332,7 @@ no_reply_address=Versteckte E-Mail-Domain
 no_reply_address_helper=Domain-Name für Benutzer mit einer versteckten Emailadresse. Zum Beispiel wird der Benutzername „Joe“ in Git als „joe@noreply.example.org“ protokolliert, wenn die versteckte E-Mail-Domain „noreply.example.org“ festgelegt ist.
 password_algorithm=Passwort-Hashing-Algorithmus
 invalid_password_algorithm=Ungültiger Passwort-Hash-Algorithmus
-password_algorithm_helper=Lege einen Passwort-Hashing-Algorithmus fest. Algorithmen haben unterschiedliche Anforderungen und Stärken. Der argon2-Algorithmus ist ziemlich sicher, aber er verbraucht viel Speicher und kann für kleine Systeme ungeeignet sein.
+password_algorithm_helper=Lege einen Passwort-Hashing-Algorithmus fest. Algorithmen haben unterschiedliche Anforderungen und Stärken. Der Argon2-Algorithmus ist ziemlich sicher, aber er verbraucht viel Speicher und kann für kleine Systeme ungeeignet sein.
 enable_update_checker=Aktualisierungsprüfung aktivieren
 env_config_keys=Umgebungskonfiguration
 env_config_keys_prompt=Die folgenden Umgebungsvariablen werden auch auf Ihre Konfigurationsdatei angewendet:
@@ -385,10 +385,10 @@ remember_me=Dieses Gerät speichern
 forgot_password_title=Passwort vergessen
 forgot_password=Passwort vergessen?
 sign_up_successful=Konto wurde erfolgreich erstellt. Willkommen!
-confirmation_mail_sent_prompt=Eine neue Bestätigungs-E-Mail wurde an <b>%s</b> gesendet. Um den Registrierungsprozess abzuschließen, überprüfe bitte deinen Posteingang und folge dem angegebenen Link innerhalb von: %s. Falls die E-Mail inkorrekt sein sollte, kannst du dich einloggen und anfragen, eine weitere Bestätigungs-E-Mail an eine andere Adresse zu senden.
+confirmation_mail_sent_prompt=Eine neue Bestätigungs-E-Mail wurde an <b>%s</b> gesendet. Um den Registrierung abzuschließen, überprüfe bitte deinen Posteingang und folge dem angegebenen Link innerhalb von: %s. Falls die E-Mail inkorrekt sein sollte, kannst du dich einloggen und anfragen, eine weitere Bestätigungs-E-Mail an eine andere Adresse zu senden.
 must_change_password=Aktualisiere dein Passwort
 allow_password_change=Verlange vom Benutzer das Passwort zu ändern (empfohlen)
-reset_password_mail_sent_prompt=Eine Bestätigungs-E-Mail wurde an <b>%s</b> gesendet. Um den Kontowiederherstellungsprozess abzuschließen, überprüfe bitte deinen Posteingang und folge dem angegebenen Link innerhalb von %s.
+reset_password_mail_sent_prompt=Eine Bestätigungs-E-Mail wurde an <b>%s</b> gesendet. Um den Kontowiederherstellung abzuschließen, überprüfe bitte deinen Posteingang und folge dem angegebenen Link innerhalb von %s.
 active_your_account=Aktiviere dein Konto
 account_activated=Konto wurde aktiviert
 prohibit_login=Das Konto ist gesperrt
@@ -448,7 +448,7 @@ back_to_sign_in = Zurück zur Anmeldung
 sign_in_openid = Mit OpenID fortfahren
 hint_login = Hast du bereits ein Konto? <a href="%s">Jetzt anmelden!</a>
 hint_register = Brauchst du ein Konto? <a href="%s">Jetzt registrieren.</a>
-unauthorized_credentials = Die Zugangsdaten sind inkorrekt oder abgelaufen. Versuchen es erneut oder siehe %s für mehr Informationen
+unauthorized_credentials = Die Zugangsdaten sind inkorrekt oder abgelaufen. Versuche es erneut oder siehe %s für mehr Informationen
 use_onetime_code = Einen Einmal-Code benutzen
 
 [mail]
@@ -634,7 +634,7 @@ Biography = Biografie
 Website = Webseite
 Location = Ort
 To = Branchname
-AccessToken = Zugangstoken
+AccessToken = Zugriffstoken
 username_claiming_cooldown = Der Benutzername kann nicht beansprucht werden, weil seine Schutzzeit noch nicht vorbei ist. Er kann am %[1]s beansprucht werden.
 email_domain_is_not_allowed = Die Domain der E-Mail-Adresse des Benutzers <b>%s</b> steht in Konflikt mit EMAIL_DOMAIN_ALLOWLIST oder EMAIL_DOMAIN_BLOCKLIST. Bitte stelle sicher, dass du die E-Mail-Adresse richtig gesetzt hast.
 
@@ -664,10 +664,10 @@ form.name_pattern_not_allowed=Das Muster „%s“ ist nicht in einem Benutzernam
 form.name_chars_not_allowed=Benutzername „%s“ enthält ungültige Zeichen.
 block_user = Benutzer blockieren
 block_user.detail = Bitte beachte, dass die Blockierung eines Benutzers auch andere Auswirkungen hat, so wie:
-block_user.detail_2 = Dieser Benutzer wird nicht mehr nicht mit deinen Repositorys oder von dir erstellten Issues und Kommentaren interagieren können.
+block_user.detail_2 = Dieser Benutzer wird nicht mehr mit deinen Repositorys oder von dir erstellten Issues und Kommentaren interagieren können.
 block_user.detail_1 = Ihr werdet euch nicht mehr gegenseitig folgen und es auch nicht mehr können.
 block = Blockieren
-follow_blocked_user = Du kannst diesen Benutzer nicht folgen, weil du ihn blockiert hast, oder er dich blockiert hat.
+follow_blocked_user = Du kannst diesem Benutzer nicht folgen, weil du ihn blockiert hast oder er dich blockiert hat.
 block_user.detail_3 = Ihr werdet nicht mehr in der Lage sein, euch gegenseitig als Repository-Mitarbeiter hinzuzufügen.
 unblock = Nicht mehr blockieren
 followers_one = %d Follower
@@ -741,7 +741,7 @@ comment_type_group_issue_ref=Issue-Referenz
 saved_successfully=Die Einstellungen wurden erfolgreich gespeichert.
 privacy=Datenschutz
 keep_activity_private=Aktivität auf der Profilseite ausblenden
-lookup_avatar_by_mail=Profilbild anhand der E-Mail-Addresse suchen
+lookup_avatar_by_mail=Profilbild anhand der E-Mail-Adresse suchen
 enable_custom_avatar=Benutzerdefiniertes Profilbild verwenden
 choose_new_avatar=Neues Profilbild auswählen
 update_avatar=Profilbild aktualisieren
@@ -763,7 +763,7 @@ manage_emails=E-Mail-Adressen verwalten
 manage_themes=Standard-Theme
 manage_openid=OpenID-Adressen
 email_desc=Deine primäre E-Mail-Adresse wird für Benachrichtigungen, Passwort-Wiederherstellung und, sofern sie nicht versteckt ist, web-basierte Git-Operationen verwendet.
-theme_desc=Dieses Thema wird für die Weboberfläche verwendet, wenn du angemeldet bist.
+theme_desc=Dieses Theme wird für die Weboberfläche verwendet, wenn du angemeldet bist.
 primary=Primär
 activated=Aktiviert
 requires_activation=Erfordert Aktivierung
@@ -773,7 +773,7 @@ activations_pending=Aktivierung ausstehend
 can_not_add_email_activations_pending=Es gibt eine ausstehende Aktivierung, versuche es in ein paar Minuten erneut, wenn du eine neue E-Mail hinzufügen möchtest.
 delete_email=Löschen
 email_deletion=E-Mail-Adresse entfernen
-email_deletion_desc=Diese E-Mail-Adresse und die damit verbundenen Informationen werden von deinem Konto entfernt. Git-Commits von dieser E-Mail-Addresse bleiben unverändert. Fortfahren?
+email_deletion_desc=Diese E-Mail-Adresse und die damit verbundenen Informationen werden von deinem Konto entfernt. Git-Commits von dieser E-Mail-Adresse bleiben unverändert. Fortfahren?
 email_deletion_success=Die E-Mail-Adresse wurde entfernt.
 theme_update_success=Deine Theme-Auswahl wurde gespeichert.
 theme_update_error=Das ausgewählte Theme existiert nicht.
@@ -808,7 +808,7 @@ ssh_key_been_used=Dieser SSH-Schlüssel wird auf diesem Server bereits verwendet
 ssh_key_name_used=Ein gleichnamiger SSH-Key existiert bereits in deinem Account.
 ssh_principal_been_used=Diese Identität ist bereits auf dem Server vorhanden.
 gpg_key_id_used=Ein öffentlicher GPG-Schlüssel mit der gleichen ID existiert bereits.
-gpg_no_key_email_found=Dieser GPG-Schlüssel entspricht keiner mit deinem Konto verbundenen aktivierten E-Mail-Addresse. Er kann trotzdem hinzugefügt werden, wenn du den gegebenen Token signierst.
+gpg_no_key_email_found=Dieser GPG-Schlüssel entspricht keiner mit deinem Konto verbundenen aktivierten E-Mail-Adresse. Er kann trotzdem hinzugefügt werden, wenn du den gegebenen Token signierst.
 gpg_key_matched_identities=Passende Identitäten:
 gpg_key_matched_identities_long=Die eingebetteten Identitäten in diesem Schlüssel stimmen mit den folgenden aktivierten E-Mail-Adressen für diesen Benutzer überein. Commits, die mit diesen E-Mail-Addressen committed wurden, können mit diesem Schlüssel verifiziert werden.
 gpg_key_verified=Verifizierter Schlüssel
@@ -825,9 +825,9 @@ ssh_key_verified=Verifizierter Schlüssel
 ssh_key_verified_long=Der Schlüssel wurde mit einem Token verifiziert. Er kann verwendet werden, um Commits zu verifizieren, die mit irgendeiner für diesen Nutzer aktivierten E-Mail-Adresse und irgendeiner Identität dieses Schlüssels übereinstimmen.
 ssh_key_verify=Verifizieren
 ssh_invalid_token_signature=Der gegebene SSH-Schlüssel, Signatur oder Token stimmen nicht überein oder der Token ist veraltet.
-ssh_token_required=Sie müssen eine Signatur für das Token unten angeben
+ssh_token_required=Du musst eine Signatur für das folgende Token angeben
 ssh_token=Token
-ssh_token_help=Sie können eine Signatur wie folgt generieren:
+ssh_token_help=Du kannst eine Signatur wie folgt generieren:
 ssh_token_signature=SSH-Textsignatur (armored signature)
 key_signature_ssh_placeholder=Beginnt mit „-----BEGIN SSH SIGNATURE-----“
 verify_ssh_key_success=SSH-Schlüssel „%s“ wurde verifiziert.
@@ -864,7 +864,7 @@ hide_openid=Nicht im Profil anzeigen
 ssh_disabled=SSH ist deaktiviert
 ssh_signonly=SSH ist derzeit deaktiviert, sodass diese Schlüssel nur zur Commit-Signaturverifizierung verwendet werden.
 ssh_externally_managed=Dieser SSH-Schlüssel wird extern für diesen Benutzer verwaltet
-manage_access_token=Zugriffstokens
+manage_access_token=Zugriffstoken
 generate_new_token=Neuen Token erzeugen
 tokens_desc=Diese Tokens gewähren vollen Zugriff auf dein Konto via Forgejo-API.
 token_name=Token-Name
@@ -917,7 +917,7 @@ revoke_oauth2_grant=Autorisierung widerrufen
 revoke_oauth2_grant_description=Wenn du die Autorisierung widerrufst, kann die Anwendung nicht mehr auf deine Daten zugreifen. Bist du dir sicher?
 revoke_oauth2_grant_success=Zugriff erfolgreich widerrufen.
 
-twofa_desc=Um dein Konto gegen Passwortdiebstahl zu schützen, kannst du eine Smartphone oder ein anderes Gerät verwenden, um zeitbasierte Einmalpasswörter („TOTP“) zu erhalten.
+twofa_desc=Um dein Konto gegen Passwortdiebstahl zu schützen, kannst du ein Smartphone oder ein anderes Gerät verwenden, um zeitbasierte Einmalpasswörter („TOTP“) zu erhalten.
 twofa_is_enrolled=Für dein Konto ist die Zwei-Faktor-Authentifizierung <strong>eingeschaltet</strong>.
 twofa_not_enrolled=Für dein Konto ist die Zwei-Faktor-Authentifizierung momentan nicht eingeschaltet.
 twofa_disable=Zwei-Faktor-Authentifizierung deaktivieren
@@ -935,7 +935,7 @@ passcode_invalid=Die PIN ist falsch. Probiere es erneut.
 twofa_enrolled=Die Zwei-Faktor-Authentifizierung wurde für dein Konto aktiviert. Bewahre deinen einmalig verwendbaren Wiederherstellungsschlüssel (%s) an einem sicheren Ort auf, da er nicht wieder angezeigt werden wird.
 twofa_failed_get_secret=Fehler beim Abrufen des Geheimnisses.
 
-webauthn_desc=Sicherheitsschlüssel sind Geräte, die kryptografische Schlüssel beeinhalten. Diese können für die Zwei-Faktor-Authentifizierung verwendet werden. Der Sicherheitsschlüssel muss den Standard „<a rel="noreferrer" target="_blank" href="%s">WebAuthn</a>“ unterstützen.
+webauthn_desc=Sicherheitsschlüssel sind Geräte, die kryptografische Schlüssel beinhalten. Diese können für die Zwei-Faktor-Authentifizierung verwendet werden. Der Sicherheitsschlüssel muss den Standard „<a rel="noreferrer" target="_blank" href="%s">WebAuthn</a>“ unterstützen.
 webauthn_register_key=Sicherheitsschlüssel hinzufügen
 webauthn_nickname=Nickname
 webauthn_delete_key=Sicherheitsschlüssel entfernen
@@ -974,7 +974,7 @@ visibility.limited_tooltip=Nur für angemeldete Benutzer sichtbar
 visibility.private=Privat
 visibility.private_tooltip=Sichtbar nur für Mitglieder von Organisationen, denen du beigetreten bist
 user_block_success = Dieser Benutzer wurde erfolgreich blockiert.
-twofa_recovery_tip = Falls du dein Gerät verlierst, wirst du in der Lage sein, einen einmalig verwendbaren Wiederherstellungsschlüssel zu verwenden, um den auf dein Konto wiederherzustellen.
+twofa_recovery_tip = Falls du dein Gerät verlierst, kannst du einen einmalig verwendbaren Wiederherstellungsschlüssel benutzen, um den Zugriff auf dein Konto wiederherzustellen.
 webauthn_alternative_tip = Du möchtest vielleicht eine zusätzliche Authentifizierungsmethode einrichten.
 blocked_users_none = Keine Benutzer blockiert.
 webauthn_key_loss_warning = Falls du deine Sicherheitsschlüssel verlierst, wirst du Zugang zu deinem Konto verlieren.
@@ -990,7 +990,7 @@ additional_repo_units_hint_description = Einen „Mehr aktivieren“-Hinweis fü
 pronouns = Pronomen
 pronouns_unspecified = Nicht spezifiziert
 language.title = Standardsprache
-keep_activity_private.description = Deine <a href="%s">öffentliche Aktivität</a> wird nur für dich selbst und die Instanzadminstratoren sichtbar sein.
+keep_activity_private.description = Deine <a href="%s">öffentliche Aktivität</a> wird nur für dich selbst und die Instanzadministratoren sichtbar sein.
 language.localization_project = Hilf uns, Forgejo in deine Sprache zu übersetzen! <a href="%s">Mehr erfahren</a>.
 language.description = Diese Sprache wird in deinem Konto gespeichert und standardmäßig nach dem Anmelden benutzt.
 user_block_yourself = Du kannst dich nicht selbst blockieren.
@@ -1019,10 +1019,10 @@ quota.sizes.assets.attachments.all = Anhänge
 quota.sizes.assets.packages.all = Pakete
 quota.sizes.wiki = Wiki
 regenerate_token_success = Der Token wurde regeneriert. Anwendungen, die ihn benutzen, haben nicht länger Zugriff auf dein Konto und müssen mit dem neuen Token aktualisiert werden.
-access_token_regeneration = Zugangstoken regenerieren
-access_token_regeneration_desc = Einen Token zu regenerieren, wird den Zugriff auf dein Konto von Anwendungen, die ihn nutzen, zurückziehen. Dies kann nicht rückgängig gemacht werden. Fortsetzen?
-regenerate_token = Regenerieren
-ssh_token_help_ssh_agent = , oder, falls Sie einen SSH-Agenten benutzen (mit der Variable SSH_AUTH_SOCK gesetzt):
+access_token_regeneration = Zugriffstoken neu generieren
+access_token_regeneration_desc = Wenn du einen Token neu generierst, verlieren Anwendungen, die ihn nutzen, den Zugriff auf dein Konto. Dies kann nicht rückgängig gemacht werden. Fortfahren?
+regenerate_token = Neu generieren
+ssh_token_help_ssh_agent = , oder, falls du einen SSH-Agenten benutzt (mit der Variable SSH_AUTH_SOCK gesetzt):
 
 [repo]
 owner=Besitzer
@@ -1082,7 +1082,7 @@ mirror_address_desc=Gib alle erforderlichen Anmeldedaten im Abschnitt „Authent
 mirror_address_url_invalid=Die angegebene URL ist ungültig. Achte darauf, dass alle Komponenten der URL korrekt escapt wurden.
 mirror_address_protocol_invalid=Die angegebene URL ist ungültig. Nur Orte mit „http(s)://“ oder „git://“ können fürs Spiegeln benutzt werden.
 mirror_lfs=Großdatei-Speicher (LFS)
-mirror_lfs_desc=Spiegeln von LFS-Dateien aktivieren.
+mirror_lfs_desc=Spiegeln von LFS-Daten aktivieren.
 mirror_lfs_endpoint=LFS-Endpunkt
 mirror_lfs_endpoint_desc=Sync wird versuchen, die Klon-URL zu verwenden, um <a target="_blank" rel="noopener noreferrer" href="%s">den LFS-Server zu bestimmen</a>. Du kannst auch einen eigenen Endpunkt angeben, wenn die LFS-Dateien woanders gespeichert werden.
 mirror_last_synced=Zuletzt synchronisiert
@@ -1141,7 +1141,7 @@ template.invalid=Es muss ein Vorlagen-Repository ausgewählt werden
 archive.title=Dieses Repository ist archiviert. Du kannst Dateien ansehen und es klonen, kannst aber seinen Status nicht verändern, zum Beispiel nichts pushen, keine Issues eröffnen und keine Pull-Requests oder Kommentare erstellen.
 archive.title_date=Dieses Repository wurde am %s archiviert. Du kannst Dateien ansehen und es klonen, kannst aber seinen Status nicht verändern, zum Beispiel nichts pushen, und keine Issues eröffnen oder Pull-Requests oder Kommentare erstellen.
 form.reach_limit_of_creation_1=Du hast bereits dein Limit von %d Repository erreicht.
-form.reach_limit_of_creation_n=Du hast bereits dein Limit von %d Repositorys erreicht.
+form.reach_limit_of_creation_n=Der Besitzer hat bereits das Limit von %d Repositorys erreicht.
 form.name_reserved=Der Repository-Name „%s“ ist reserviert.
 form.name_pattern_not_allowed=Das Muster „%s“ ist in Repository-Namen nicht erlaubt.
 
@@ -1218,12 +1218,12 @@ commit=Commit
 release=Release
 releases=Releases
 tag=Tag
-released_this=hat releast
+released_this=hat es veröffentlicht
 file.title=%s an %s
 file_raw=Originalformat
 file_history=Verlauf
 file_view_source=Quelltext anzeigen
-file_view_rendered=Ansicht rendern
+file_view_rendered=Gerendert anzeigen
 file_view_raw=Originalformat anzeigen
 file_permalink=Permalink
 file_too_large=Die Datei ist zu groß zum Anzeigen.
@@ -1606,7 +1606,7 @@ issues.unlock_comment=hat diese Diskussion %s entsperrt
 issues.lock_confirm=Sperren
 issues.unlock_confirm=Entsperren
 issues.lock.notice_1=- Andere Nutzer können keine neuen Kommentare beisteuern.
-issues.lock.notice_2=– Du und andere Mitarbeiter mit Zugriff auf dieses Repository können weiterhin für andere sichtbare Kommentare hinterlassen.
+issues.lock.notice_2=- Du und andere Mitarbeiter mit Zugriff auf dieses Repository können weiterhin für andere sichtbare Kommentare hinterlassen.
 issues.lock.notice_3=- Du kannst die Diskussion jederzeit wieder entsperren.
 issues.unlock.notice_1=- Jeder wird wieder in der Lage sein, zu diesem Issue zu kommentieren.
 issues.unlock.notice_2=- Du kannst den Issue jederzeit wieder sperren.
@@ -1727,7 +1727,7 @@ pulls.compare_changes=Neuer Pull-Request
 pulls.allow_edits_from_maintainers=Änderungen von Maintainern erlauben
 pulls.allow_edits_from_maintainers_desc=Nutzer mit Schreibzugriff auf den Basisbranch können auch auf diesen Branch pushen
 pulls.allow_edits_from_maintainers_err=Aktualisieren fehlgeschlagen
-pulls.compare_changes_desc=Wähle den Zielbranch, in das zusammengeführt werden soll, und den Quellbranch, von dem gepullt werden soll, aus.
+pulls.compare_changes_desc=Wähle den Zielbranch, in den zusammengeführt werden soll, und den Quellbranch, von dem gepullt werden soll, aus.
 pulls.has_viewed_file=Gesehen
 pulls.has_changed_since_last_review=Seit deiner letzten Sichtung geändert
 pulls.viewed_files_label=%[1]d / %[2]d Dateien betrachtet
@@ -2069,7 +2069,7 @@ settings.pulls.default_allow_edits_from_maintainers=Änderungen von Maintainern
 settings.releases_desc=Repository-Releases aktivieren
 settings.packages_desc=Repository-Paket-Registry aktivieren
 settings.projects_desc=Repository-Projekte aktivieren
-settings.actions_desc=Aktiviere integrierte CI/CD-Pipelines mit Forgejo-Actions
+settings.actions_desc=Integrierte CI/CD-Pipelines mit Forgejo-Actions aktivieren
 settings.admin_settings=Administratoreinstellungen
 settings.admin_enable_health_check=Repository-Health-Checks aktivieren (git fsck)
 settings.admin_code_indexer=Code-Indexer
@@ -2174,7 +2174,7 @@ settings.githook_edit_desc=Wenn ein Hook nicht aktiv ist, wird der Standardinhal
 settings.githook_name=Hook-Name
 settings.githook_content=Hook-Inhalt
 settings.update_githook=Hook aktualisieren
-settings.add_webhook_desc=Forgejo sendet eine <code>POST</code>-Anfrage mit festgelegtem Content-Type an die Ziel-URL. Mehr Informationen findest du in der <a target="_blank" rel="noopener noreferrer" href="%s">Anleitung zu Webhooks (Englisch)</a>.
+settings.add_webhook_desc=Forgejo sendet eine <code>POST</code>-Anfrage mit festgelegtem Content-Type an die Ziel-URL. Mehr dazu in der <a target="_blank" rel="noopener noreferrer" href="%s">Anleitung zu Webhooks (auf Englisch)</a>.
 settings.payload_url=Ziel-URL
 settings.http_method=HTTP-Methode
 settings.content_type=POST-Content-Type
@@ -2334,7 +2334,7 @@ settings.protected_branch_deletion_desc=Wenn du den Branch-Schutz deaktivierst,
 settings.block_rejected_reviews=Zusammenführung bei abgelehnten Sichtungen blockieren
 settings.block_rejected_reviews_desc=Zusammenführen ist nicht möglich, wenn Änderungen durch offizielle Prüfer angefragt werden, auch wenn genügend Genehmigungen existieren.
 settings.block_on_official_review_requests=Merge bei offiziellen Sichtungsanfragen blockieren
-settings.block_on_official_review_requests_desc=Merge ist nicht möglich, wenn offizielle Sichtungsanfrangen vorliegen, selbst wenn genügend Genehmigungen existieren.
+settings.block_on_official_review_requests_desc=Merge ist nicht möglich, wenn offizielle Sichtungsanfragen vorliegen, selbst wenn genügend Genehmigungen existieren.
 settings.block_outdated_branch=Merge blockieren, wenn der Pull-Request veraltet ist
 settings.block_outdated_branch_desc=Merge ist nicht möglich, wenn der Head-Branch hinter dem Basis-Branch ist.
 settings.default_branch_desc=Wähle einen Standardbranch für Pull-Requests und Code-Commits:
@@ -2355,7 +2355,7 @@ settings.tags.protection.allowed.teams=Erlaubte Teams
 settings.tags.protection.allowed.noone=Niemand
 settings.tags.protection.create=Regel hinzufügen
 settings.tags.protection.none=Es gibt keine geschützten Tags.
-settings.tags.protection.pattern.description=Du kannst einen einzigen Namen oder ein globales Schema oder einen regulären Ausdruck verwenden, um mehrere Tags zu schützen. Mehr dazu im <a target="_blank" rel="noopener" href="%s">Guide für geschützte Tags (Englisch)</a>.
+settings.tags.protection.pattern.description=Du kannst einen einzigen Namen oder ein globales Schema oder einen regulären Ausdruck verwenden, um mehrere Tags zu schützen. Mehr dazu in der <a target="_blank" rel="noopener" href="%s">Anleitung für geschützte Tags (auf Englisch)</a>.
 settings.bot_token=Bot-Token
 settings.chat_id=Chat-ID
 settings.thread_id=Thread-ID
@@ -2368,8 +2368,8 @@ settings.archive.text=Durch das Archivieren wird ein Repo vollständig schreibge
 settings.archive.success=Das Repo wurde erfolgreich archiviert.
 settings.archive.error=Beim Versuch, das Repository zu archivieren, ist ein Fehler aufgetreten. Weitere Details finden sich im Log.
 settings.archive.error_ismirror=Du kannst kein gespiegeltes Repo archivieren.
-settings.archive.branchsettings_unavailable=Branch-Einstellungen sind nicht verfügbar in archivierten Repos.
-settings.archive.tagsettings_unavailable=Tag-Einstellungen sind nicht verfügbar in archivierten Repos.
+settings.archive.branchsettings_unavailable=In archivierten Repos sind Branch-Einstellungen nicht verfügbar.
+settings.archive.tagsettings_unavailable=In archivierten Repos sind Tag-Einstellungen nicht verfügbar.
 settings.unarchive.button=Archivierung zurücksetzen
 settings.unarchive.header=Archivierung dieses Repositorys zurücksetzen
 settings.unarchive.text=Durch das Aufheben der Archivierung kann das Repo wieder Commits und Pushes sowie neue Issues und Pull-Requests empfangen.
@@ -2537,7 +2537,7 @@ branch.included=Enthalten
 branch.create_new_branch=Branch aus Branch erstellen:
 branch.confirm_create_branch=Branch erstellen
 branch.warning_rename_default_branch=Du benennst den Standard-Branch um.
-branch.rename_branch_to=Umbenennung des Zweigs "%s".
+branch.rename_branch_to=Branch "%s" wird umbenannt.
 branch.create_branch_operation=Branch erstellen
 branch.new_branch=Neue Branch erstellen
 branch.new_branch_from=Neuen Branch von „%s“ erstellen
@@ -2574,7 +2574,7 @@ settings.add_collaborator_blocked_them = Der Mitarbeiter konnte nicht hinzugefü
 settings.wiki_rename_branch_main = Den Wiki-Branch-Namen normalisieren
 settings.enter_repo_name = Gib den Besitzer- und den Repository-Namen genau wie angezeigt ein:
 settings.wiki_branch_rename_success = Der Branch-Name des Repository-Wikis wurde erfolgreich normalisiert.
-settings.archive.mirrors_unavailable = Spiegel sind nicht verfügbar in archivierten Repos.
+settings.archive.mirrors_unavailable = In archivierten Repos sind Spiegel nicht verfügbar.
 pulls.blocked_by_user = Du kannst keinen Pull-Request in diesem Repository erstellen, weil du vom Repository-Besitzer blockiert wurdest.
 settings.add_collaborator_blocked_our = Der Mitarbeiter konnte nicht hinzugefügt werden, weil der Repository-Besitzer ihn blockiert hat.
 issues.blocked_by_user = Du kannst keine Issues in diesem Repository erstellen, weil du vom Repository-Besitzer blockiert wurdest.
@@ -2610,7 +2610,7 @@ settings.units.overview = Übersicht
 settings.wiki_rename_branch_main_notices_1 = Diese Aktion <strong>KANN NICHT</strong> rückgängig gemacht werden.
 settings.wiki_rename_branch_main_notices_2 = Dies wird den internen Branch des Repository-Wikis von %s permanent umbenennen. Existierende Checkouts müssen aktualisiert werden.
 settings.wiki_branch_rename_failure = Der Branch-Name des Repository-Wiki konnte nicht normalisiert werden.
-settings.confirm_wiki_branch_rename = Den Wiki-Branch umbenenennen
+settings.confirm_wiki_branch_rename = Den Wiki-Branch umbenennen
 activity.navbar.contributors = Mitwirkende
 contributors.contribution_type.deletions = Löschungen
 contributors.contribution_type.additions = Einfügungen
@@ -2641,7 +2641,7 @@ settings.add_webhook.invalid_path = Der Pfad darf kein „.“ oder „..“ enh
 settings.sourcehut_builds.manifest_path = Build-Manifest-Pfad
 settings.sourcehut_builds.visibility = Job-Sichtbarkeit
 settings.sourcehut_builds.secrets = Geheimnisse
-settings.sourcehut_builds.secrets_helper = Dem Job zugriff auf die Build-Geheimnisse geben (benötigt die SECRETS:RO-Berechtigung)
+settings.sourcehut_builds.secrets_helper = Dem Job Zugriff auf die Build-Geheimnisse geben (benötigt die SECRETS:RO-Berechtigung)
 settings.web_hook_name_sourcehut_builds = SourceHut-Builds
 settings.graphql_url = GraphQL-URL
 settings.matrix.room_id_helper = Die Raum-ID kann über den Element-Webclient ermittelt werden: Raumeinstellungen > erweitert > interne Raum-ID. Beispielsweise %s.
@@ -2662,8 +2662,8 @@ project = Projekte
 comments.edit.already_changed = Die Änderungen an diesem Kommentar können nicht gespeichert werden. Es scheint, als seien die Inhalte bereits durch einen anderen Benutzer verändert worden. Bitte die Seite neu laden und das Bearbeiten erneut versuchen, um dessen Änderungen nicht zu überschreiben
 issues.edit.already_changed = Die Änderungen an diesem Issue können nicht gespeichert werden. Es scheint, als seien die Inhalte bereits durch einen anderen Benutzer verändert worden. Bitte die Seite neu laden und das Bearbeiten erneut versuchen, um deren Änderungen nicht zu überschreiben
 pulls.edit.already_changed = Die Änderungen an diesem Pull-Request können nicht gespeichert werden. Es scheint, als seien die Inhalte bereits durch einen anderen Benutzer verändert worden. Bitte die Seite neu laden und das Bearbeiten erneut versuchen, um dessen Änderungen nicht zu überschreiben
-subscribe.pull.guest.tooltip = Anmelden, um diesen Pull-Request zu abbonieren.
-subscribe.issue.guest.tooltip = Anmelden, um dieses Issue zu abbonieren.
+subscribe.pull.guest.tooltip = Anmelden, um diesen Pull-Request zu abonnieren.
+subscribe.issue.guest.tooltip = Anmelden, um dieses Issue zu abonnieren.
 issues.author.tooltip.pr = Dieser Benutzer ist der Autor dieses Pull-Requests.
 issues.author.tooltip.issue = Dieser Benutzer ist der Autor dieses Issues.
 activity.commit = Commit-Aktivität
@@ -2676,8 +2676,8 @@ release.add_external_asset = Externes Asset hinzufügen
 release.invalid_external_url = Ungültige externe URL: „%s“
 activity.published_prerelease_label = Pre-Release
 activity.published_tag_label = Tag
-settings.pull_mirror_sync_quota_exceeded = Quota überschritten, Änderungen werden nicht gepullt.
-settings.transfer_quota_exceeded = Der neue Eigentümer (%s) hat die Quota überschritten. Das Repository wurde nicht übertragen.
+settings.pull_mirror_sync_quota_exceeded = Kontingent überschritten, Änderungen werden nicht gepullt.
+settings.transfer_quota_exceeded = Der neue Eigentümer (%s) hat das Kontingent überschritten. Das Repository wurde nicht übertragen.
 no_eol.text = Kein EOL
 no_eol.tooltip = Diese Datei enthält am Ende kein Zeilenende-Zeichen (EOL).
 pulls.cmd_instruction_merge_warning = <b>Achtung</b>: Die Einstellung „Autoerkennung von manuellen Zusammenführungen“ ist für dieses Repository nicht aktiviert. Du musst hinterher diesen Pull-Request als manuell zusammengeführt markieren.
@@ -2915,7 +2915,7 @@ dashboard.cron.error=Fehler in Cron: %s: %[3]s
 dashboard.cron.finished=Cron: %[1]s ist beendet
 dashboard.delete_inactive_accounts=Alle nicht aktivierten Konten löschen
 dashboard.delete_inactive_accounts.started=Löschen aller nicht aktivierten Account-Aufgabe gestartet.
-dashboard.delete_repo_archives=Lösche alle Repository-Archive (ZIP, TAR.GZ, etc.)
+dashboard.delete_repo_archives=Lösche alle Repository-Archive (ZIP, TAR.GZ usw.)
 dashboard.delete_repo_archives.started=Löschen aller Repository-Archive gestartet.
 dashboard.delete_missing_repos=Alle Repository-Datensätze mit verloren gegangenen Git-Dateien löschen
 dashboard.delete_missing_repos.started=Alle Repositorys löschen, die den Git-Dateien-Task nicht gestartet haben.
@@ -3158,8 +3158,8 @@ auths.oauth2_required_claim_value=Benötigter Claim-Wert
 auths.oauth2_required_claim_value_helper=Setze diesen Wert, damit Nutzer aus dieser Quelle sich nur anmelden dürfen, wenn sie einen Claim mit diesem Namen und Wert besitzen
 auths.oauth2_group_claim_name=Claim-Name, der Gruppennamen für diese Quelle angibt (optional).
 auths.oauth2_admin_group=Gruppen-Claim-Wert für Administratoren (optional – erfordert Claim-Namen oben).
-auths.oauth2_restricted_group=Gruppen-Claim-Wert für eingeschränkte User. (Optional – erfordert Claim-Namen oben)
-auths.oauth2_map_group_to_team=Gruppen aus OAuth-Claims den Organisationsteams zuordnen (optional – oben muss der Name des Claims angegeben werden).
+auths.oauth2_restricted_group=Gruppen-Claim-Wert für eingeschränkte Benutzer (optional – erfordert Claim-Namen oben).
+auths.oauth2_map_group_to_team=Gruppen aus OAuth-Claims den Organisationsteams zuordnen (optional – erfordert Claim-Namen oben).
 auths.oauth2_map_group_to_team_removal=Benutzer aus synchronisierten Teams entfernen, wenn der Benutzer nicht zur entsprechenden Gruppe gehört.
 auths.tips=Tipps
 auths.tips.oauth2.general=OAuth2-Authentifizierung
@@ -3176,13 +3176,13 @@ auths.tip.twitter=Gehe auf %s, erstelle eine Anwendung und stelle sicher, dass d
 auths.tip.discord=Registriere unter %s eine neue Anwendung
 auths.tip.gitea=Registriere eine neue OAuth2-Anwendung. Eine Anleitung findest du unter %s
 auths.tip.yandex=`Erstelle eine neue Anwendung auf %s. Wähle folgende Berechtigungen aus dem Abschnitt „Yandex.Passport API“: „Zugriff auf E-Mail-Adresse“, „Zugriff auf Benutzeravatar“ und „Zugriff auf Benutzername, Vor- und Nachname, Geschlecht“`
-auths.tip.mastodon=Gib eine benutzerdefinierte URL für die Mastodon-Instanz ein, mit der du dich authentifizieren möchtest (oder benutze die standardmäßige)
-auths.edit=Authentifikationsquelle bearbeiten
-auths.activated=Diese Authentifikationsquelle ist aktiviert
+auths.tip.mastodon=Gib eine benutzerdefinierte URL für die Mastodon-Instanz ein, mit der du dich authentifizieren möchtest (oder verwende die Standard-URL)
+auths.edit=Authentifizierungsquelle bearbeiten
+auths.activated=Diese Authentifizierungsquelle ist aktiviert
 auths.new_success=Die Authentifizierung „%s“ wurde hinzugefügt.
 auths.update_success=Diese Authentifizierungsquelle wurde aktualisiert.
 auths.update=Authentifizierungsquelle aktualisieren
-auths.delete=Authentifikationsquelle löschen
+auths.delete=Authentifizierungsquelle löschen
 auths.delete_auth_title=Authentifizierungsquelle löschen
 auths.delete_auth_desc=Das Löschen einer Authentifizierungsquelle verhindert, dass Benutzer sich darüber anmelden können. Fortfahren?
 auths.still_in_used=Diese Authentifizierungsquelle wird noch verwendet. Bearbeite oder lösche zuerst alle Benutzer, die diese Authentifizierungsquelle benutzen.
@@ -3202,7 +3202,7 @@ config.domain=Server-Domain
 config.offline_mode=Lokaler Modus
 config.disable_router_log=Router-Log deaktivieren
 config.run_user=Ausführen als
-config.run_mode=Laufzeit-Modus
+config.run_mode=Betriebsmodus
 config.git_version=Git-Version
 config.app_data_path=App-Datenpfad
 config.repo_root_path=Repository-Wurzelpfad
@@ -3238,7 +3238,7 @@ config.db_ssl_mode=SSL
 config.db_path=Verzeichnis
 
 config.service_config=Service-Konfiguration
-config.register_email_confirm=E-Mail-Bestätigung benötigt zum Registrieren
+config.register_email_confirm=E-Mail-Bestätigung zur Registrierung erforderlich
 config.disable_register=Selbstregistrierung deaktivieren
 config.allow_only_internal_registration=Registrierung nur über Forgejo selbst erlauben
 config.allow_only_external_registration=Registrierung nur über externe Dienste erlauben
@@ -3295,14 +3295,14 @@ config.cache_item_ttl=Cache-Item-TTL
 
 config.session_config=Session-Konfiguration
 config.session_provider=Session-Anbieter
-config.provider_config=Provider-Einstellungen
+config.provider_config=Anbieter-Einstellungen
 config.cookie_name=Cookie-Name
 config.gc_interval_time=GC-Intervall
 config.session_life_time=Session-Lebensdauer
 config.https_only=Nur HTTPS
 config.cookie_life_time=Cookie-Lebensdauer
 
-config.picture_config=Bild-und-Profilbild-Konfiguration
+config.picture_config=Bild- und Avatar-Konfiguration
 config.picture_service=Bilderdienst
 config.disable_gravatar=Gravatar deaktivieren
 config.enable_federated_avatar=Föderierte Profilbilder einschalten
@@ -3357,7 +3357,7 @@ monitor.queue.exemplar=Beispieltyp
 monitor.queue.numberworkers=Anzahl der Worker
 monitor.queue.activeworkers=Aktive Worker
 monitor.queue.maxnumberworkers=Maximale Anzahl der Worker
-monitor.queue.numberinqueue=Nummer in der Warteschlange
+monitor.queue.numberinqueue=Anzahl in der Warteschlange
 monitor.queue.review_add=Worker hinzufügen/prüfen
 monitor.queue.settings.title=Pool-Einstellungen
 monitor.queue.settings.desc=Pools wachsen dynamisch basierend auf der Blockierung der Arbeitswarteschlange.
@@ -3385,7 +3385,7 @@ notices.op=Aktion
 notices.delete_success=Diese Systemmeldung wurde gelöscht.
 self_check.database_fix_mysql = Für MySQL-/MariaDB-Benutzer: Du kannst den Befehl „forgejo doctor convert“ verwenden, um die Collation-Probleme zu lösen, oder du kannst das Problem mit „ALTER … COLLATE …“-SQLs manuell lösen.
 dashboard.sync_tag.started = Tag-Synchronisierung gestartet
-self_check.database_collation_case_insensitive = Datenbank benutzt eine Collation %s, welcher der Groß-/Kleinschreibung egal ist. Obwohl Forgejo damit arbeiten könnte, könnte es ein paar seltene Fälle geben, bei denen es nicht wie erwartet funktioniert.
+self_check.database_collation_case_insensitive = Die Datenbank verwendet die Collation %s, die nicht zwischen Groß- und Kleinschreibung unterscheidet. Forgejo kann damit arbeiten, es gibt aber seltene Fälle, in denen es nicht wie erwartet funktioniert.
 self_check = Selbstprüfung
 dashboard.sync_repo_tags = Tags aus Git-Daten zu Datenbank synchronisieren
 emails.change_email_text = Bist du dir sicher, dass du diese E-Mail-Addresse aktualisieren möchtest?
@@ -3401,7 +3401,7 @@ auths.tip.gitlab_new = Registriere eine neue Anwendung auf %s
 auths.default_domain_name = Standarddomainname, der für die E-Mail-Adresse benutzt wird
 config.app_slogan = Instanz-Slogan
 config.cache_test_failed = Konnte den Cache nicht untersuchen: %v.
-config.cache_test_succeeded = Cache-Test erfolgreich, eine Antwort erhalten in %s.
+config.cache_test_succeeded = Cache-Test erfolgreich, Antwort in %s erhalten.
 config.cache_test = Cache testen
 config.cache_test_slow = Cache-Test erfolgreich, aber die Antwort ist langsam: %s.
 users.block.description = Diesem Benutzer verbieten, durch sein Konto mit diesem Dienst zu interagieren, und ihn am Einloggen hindern.
@@ -3541,7 +3541,7 @@ workflow.dispatch.trigger_found = Dieser Workflow hat einen <c>workflow_dispatch
 workflow.dispatch.success = Ausführung des Workflows wurde erfolgreich angefragt.
 runs.expire_log_message = Logs wurden gelöscht, weil sie zu alt waren.
 runs.no_workflows.help_write_access = Keine Ahnung, wie man mit Forgejo Actions anfangen soll? Schau im <a target="_blank" rel="noopener noreferrer" href="%s">Schnellstart in der Benutzerdokumentation</a> vorbei, um deinen ersten Workflow zu schreiben, dann <a target="_blank" rel="noopener noreferrer" href="%s">setze einen Forgejo-Runner auf</a>, um deine Jobs auszuführen.
-runs.no_workflows.help_no_write_access = Um über Forgejo Actions zu lernen, siehe <a target="_blank" rel="noopener noreferrer" href="%s">die Dokumentation</a>.
+runs.no_workflows.help_no_write_access = Um mehr über Forgejo Actions zu erfahren, siehe <a target="_blank" rel="noopener noreferrer" href="%s">die Dokumentation</a>.
 variables.not_found = Die Variable wurde nicht gefunden.
 
 [projects]
@@ -3576,7 +3576,7 @@ branch_kind = Branches suchen …
 commit_kind = Commits suchen …
 runner_kind = Runner suchen …
 no_results = Keine passenden Ergebnisse gefunden.
-code_search_unavailable = Die Code-Suche ist momentan nicht verfügbar. Bitte kontaktiere den Webseitenadministrator.
+code_search_unavailable = Die Code-Suche ist momentan nicht verfügbar. Bitte kontaktiere den Instanz-Administrator.
 keyword_search_unavailable = Die Suche mittels Schlüsselwort ist momentan nicht verfügbar. Bitte kontaktiere den Webseitenadministrator.
 exact = Exakt
 exact_tooltip = Nur Ergebnisse einbinden, die auf den exakten Suchbegriff passen
diff --git a/options/locale/locale_eo.ini b/options/locale/locale_eo.ini
index 015c11c5b1..a6b3a57428 100644
--- a/options/locale/locale_eo.ini
+++ b/options/locale/locale_eo.ini
@@ -772,7 +772,7 @@ enable_custom_avatar = Uzi propran profilbildon
 change_password = Ŝanĝi pasvorton
 keep_pronouns_private = Montri pronomojn nur al la aŭtentikigitaj uzantoj
 keep_pronouns_private.description = Tio maskos viajn pronomojn kontraŭ neaŭtentikigitaj vizitantoj.
-add_new_principal = 
+add_new_principal =
 gpg_token_required = Vi devas disponigi signaturon por la malsupran ĵetono
 gpg_token = Ĵetono
 gpg_token_help = Vi povas generi signaturon uzante:
@@ -923,6 +923,9 @@ repo_name = Deponejonomo
 size_format = %[1]s: %[2]s; %[3]s: %[4]s
 template = Ŝablono
 template_select = Elektu ŝablonon
+editor.name_your_file = Nomu vian dosieron…
+editor.or = aŭ
+editor.add_tmpl.filename = dosiernomo
 
 [org]
 code = Fontkodo
diff --git a/options/locale/locale_fi-FI.ini b/options/locale/locale_fi-FI.ini
index c98bdebeea..b741795e1a 100644
--- a/options/locale/locale_fi-FI.ini
+++ b/options/locale/locale_fi-FI.ini
@@ -2586,7 +2586,7 @@ repo_updated=Päivitetty %s
 members=Jäsenet
 teams=Tiimit
 lower_members=jäsentä
-lower_repositories=tietovarastot
+lower_repositories=tietovarastoa
 create_new_team=Uusi tiimi
 create_team=Luo tiimi
 org_desc=Kuvaus
diff --git a/options/locale/locale_fil.ini b/options/locale/locale_fil.ini
index 8c8db3045e..e63c5f0307 100644
--- a/options/locale/locale_fil.ini
+++ b/options/locale/locale_fil.ini
@@ -832,7 +832,7 @@ generate_token_success = Nag-generate na ang iyong bagong token. Kopyahin ito ng
 delete_token = Burahin
 access_token_deletion = Burahin ang access token
 access_token_deletion_desc = Ang pagbura ng isang token ay babawiin ang pag-access sa iyong account para sa mga application gamit ito. Ang gawaing ito ay hindi pwedeng baguhin. Magpatuloy?
-repo_and_org_access = Access sa Repositoryo at Organisasyon
+repo_and_org_access = Access sa repositoryo at organisasyon
 permissions_public_only = Publiko lamang
 permissions_access_all = Lahat (publiko, pribado, at limitado)
 select_permissions = Pumili ng mga pahintulot
@@ -2453,7 +2453,7 @@ settings.chat_id = ID ng chat
 settings.matrix.message_type = Uri ng mensahe
 settings.tags.protection.allowed.noone = Walang sinuman
 settings.archive.header = I-archive ang repo na ito
-settings.archive.text = Ang pag-archive ng repo ay gagawin itong buo na read-only. Itatago ito sa dashboard. Walang tao (kahit ikaw rin!) ay makakagawa ng bagong commit, o magbukas ng mga isyu o hiling sa paghila.
+settings.archive.text = Gagawing read-only ang buong repositoryo ang pag-archive. Itatago ito sa dashboard. Hindi magagawa ng anumang tao (kahit ikaw rin!) ang paggawa ng mga bagong commit at makapagbukas ng mga isyu at hiling sa paghila. Inirerekomenda ang pagdokumento ng dahilan ng pagka-archive para bigyan ng tagubilin ang mga developer na nagpaplanong i-fork ang repositoryo sa lalong madaling panahon.
 settings.archive.error = May naganap na error habang sinusubukang i-archive ang repo. Tignan ang log para sa mga detalye.
 settings.archive.error_ismirror = Hindi ka makaka-archive ng naka-mirror na repo.
 settings.unarchive.button = I-unarchive ang repo
diff --git a/options/locale/locale_ga-IE.ini b/options/locale/locale_ga-IE.ini
index 9f72c9b2f6..1b9135785b 100644
--- a/options/locale/locale_ga-IE.ini
+++ b/options/locale/locale_ga-IE.ini
@@ -96,7 +96,7 @@ copy_error = Theip ar an gcóipeáil
 copy_type_unsupported = Ní féidir an cineál comhaid seo a chóipeáil
 write = Scríobh
 preview = Réamhamharc
-loading = Á lódáil...
+loading = Á lódáil…
 error = Earráid
 error404 = Níl an leathanach atá tú <strong>ag iarraidh a bhaint amach ann</strong>, <strong>nó baineadh é</strong> nó <strong>níl údarú </strong>agat é a fheiceáil.
 go_back = Ar ais
@@ -190,7 +190,7 @@ buttons.bold.tooltip = Cuir téacs trom leis (Ctrl+B / ⌘B)
 buttons.italic.tooltip = Cuir téacs iodálach leis (Ctrl+I / ⌘I)
 buttons.quote.tooltip = Téacs luaigh
 buttons.code.tooltip = Cuir cód leis
-buttons.link.tooltip = Cuir nasc leis
+buttons.link.tooltip = Cuir nasc leis (Ctrl+K / ⌘K)
 buttons.list.unordered.tooltip = Cuir liosta piléar leis
 buttons.list.ordered.tooltip = Cuir liosta uimhrithe
 buttons.list.task.tooltip = Cuir liosta tascanna leis
@@ -261,7 +261,7 @@ repo_path = Cosán Fréimhe an Stór
 repo_path_helper = Sábhálfar stórais iargúlta Git chuig an eolaire seo.
 lfs_path = Cosán Fréamh Git LFS
 lfs_path_helper = Stórálfar comhaid a rianóidh Git LFS san eolaire seo. Fág folamh le díchumasú.
-domain = Fearann ​​Freastalaí
+domain = Fearann freastalaí
 domain_helper = Seoladh fearainn nó óstach don fhreastalaí.
 ssh_port = Port Freastalaí SSH
 app_url_helper = Seoladh bonn le haghaidh URLanna clóin HTTP(S) agus fógraí ríomhphoist.
@@ -305,11 +305,49 @@ invalid_log_root_path = Tá an cosán logála neamhbhailí:%v
 no_reply_address = Fearann Ríomhphoist Folaite
 password_algorithm = Algartam Hais Pasfhocal
 invalid_password_algorithm = Algartam hais pasfhocail neamhbhailí
-password_algorithm_helper = Socraigh an algartam hashing pasfhocal. Tá riachtanais agus neart éagsúla ag halgartaim. Tá an algartam argon2 sách slán ach úsáideann sé go leor cuimhne agus d'fhéadfadh sé a bheith míchuí do chórais bheaga.
+password_algorithm_helper = Socraigh an algartam haiseála pasfhocail. Bíonn riachtanais agus láidreachtaí difriúla ag halgartaim. Tá an algartam argon2 sách slán ach úsáideann sé go leor cuimhne agus d'fhéadfadh sé a bheith mí-oiriúnach do chórais bheaga.
 enable_update_checker = Cumasaigh Seiceoir Nuashonraithe
 env_config_keys = Cumraíocht Comhshaoil
 env_config_keys_prompt = Cuirfear na hathróga comhshaoil seo a leanas i bhfeidhm ar do chomhad cumraíochta freisin:
 docker_helper = Má ritheann tú Forgejo taobh istigh de Docker, léigh an <a target="_blank" rel="noopener noreferrer" href="%s">doiciméadú</a> le do thoil sula n-athraíonn tú aon socruithe.
+require_db_desc = Éilíonn Forgejo MySQL, PostgreSQL, SQLite3 nó TiDB (prótacal MySQL).
+sqlite_helper = Cosán comhaid don bhunachar sonraí SQLite3.<br>Cuir isteach cosán absalóideach má ritheann tú Forgejo mar sheirbhís.
+reinstall_error = Tá tú ag iarraidh suiteáil i mbunachar sonraí Forgejo atá ann cheana féin
+reinstall_confirm_message = Is féidir go leor fadhbanna a chruthú má athshuiteáiltear é le bunachar sonraí Forgejo atá ann cheana féin. I bhformhór na gcásanna, ba chóir duit d'"app.ini" atá ann cheana a úsáid chun Forgejo a rith. Má tá a fhios agat cad atá á dhéanamh agat, deimhnigh an méid seo a leanas:
+reinstall_confirm_check_3 = Deimhníonn tú go bhfuil tú cinnte go hiomlán go bhfuil an Forgejo seo ag rith leis an suíomh app.ini ceart agus go bhfuil tú cinnte go gcaithfidh tú athshuiteáil a dhéanamh. Deimhníonn tú go n-aithníonn tú na rioscaí thuas.
+app_name = Teideal an sampla
+app_name_helper = Cuir isteach ainm d’eiseamláire anseo. Taispeánfar é ar gach leathanach.
+app_slogan = Slogan samplach
+app_slogan_helper = Cuir isteach mana do shampla anseo. Fág folamh chun é a dhíchumasú.
+run_user = Úsáideoir le rith mar
+run_user_helper = Ainm úsáideora an chórais oibriúcháin a ritheann Forgejo mar úsáid. Tabhair faoi deara go gcaithfidh rochtain a bheith ag an úsáideoir seo ar chonair fréimhe an stórais.
+ssh_port_helper = Uimhir an phoirt a úsáidfidh an freastalaí SSH. Fág folamh chun an freastalaí SSH a dhíchumasú.
+http_port = Port éisteachta HTTP
+http_port_helper = Uimhir an phoirt a úsáidfidh freastalaí gréasáin Forgejo.
+app_url = Bun-URL
+smtp_from_helper = Seoladh ríomhphoist a úsáidfidh Forgejo. Cuir isteach seoladh ríomhphoist simplí nó bain úsáid as an bhformáid "Ainm" <email@example.com>.
+offline_mode.description = Díchumasaigh líonraí seachadta ábhair tríú páirtí agus freastalaigh na hacmhainní go léir go háitiúil.
+disable_gravatar.description = Díchumasaigh úsáid Gravatar nó foinsí avatar tríú páirtí eile. Úsáidfear íomhánna réamhshocraithe d’avatars úsáideoirí mura n-uaslódálann siad a n-avatar féin chuig an gcás.
+federated_avatar_lookup.description = Cuardaigh avatars ag baint úsáide as Libravatar.
+disable_registration.description = Ní bheidh ach riarthóirí samplaí in ann cuntais úsáideora nua a chruthú. Moltar go mór clárú a choinneáil díchumasaithe mura bhfuil sé ar intinn agat sampla poiblí a óstáil do gach duine agus má tá tú réidh le déileáil le líon mór cuntas turscair.
+allow_only_external_registration = Ceadaigh clárú trí sheirbhísí seachtracha amháin
+allow_only_external_registration.description = Ní bheidh úsáideoirí in ann cuntais nua a chruthú ach trí sheirbhísí seachtracha cumraithe a úsáid.
+openid_signin.description = Ceadaigh d’úsáideoirí síniú isteach trí OpenID.
+openid_signup.description = Ceadaigh d’úsáideoirí cuntais a chruthú trí OpenID má tá féinchlárú cumasaithe.
+enable_captcha.description = Éiligh ar úsáideoirí CAPTCHA a úsáid chun cuntais a chruthú.
+require_sign_in_view = Éilítear síniú isteach chun ábhar an sampla a fheiceáil
+require_sign_in_view.description = Teorainn a chur le rochtain ar ábhar d'úsáideoirí atá sínithe isteach. Ní bheidh aíonna in ann cuairt a thabhairt ach ar na leathanaigh fíordheimhnithe.
+default_keep_email_private.description = Cumasaigh seoladh ríomhphoist a cheilt d’úsáideoirí nua de réir réamhshocraithe ionas nach sceithfear an fhaisnéis seo díreach tar éis clárúcháin.
+default_allow_create_organization.description = Ceadaigh d’úsáideoirí nua eagraíochtaí a chruthú de réir réamhshocraithe. Nuair a bhíonn an rogha seo díchumasaithe, beidh ar riarthóir cead a thabhairt d’úsáideoirí nua eagraíochtaí a chruthú.
+default_enable_timetracking.description = Ceadaigh úsáid ghné rianaithe ama do stórtha nua de réir réamhshocraithe.
+admin_setting.description = Is rogha é cuntas riarthóra a chruthú. Beidh an chéad úsáideoir cláraithe ina riarthóir go huathoibríoch.
+config_location_hint = Sábhálfar na roghanna cumraíochta seo i:
+install_btn_confirm = Suiteáil Forgejo
+test_git_failed = Níorbh fhéidir an t-ordú "git" a thástáil: %v
+sqlite3_not_available = Ní thacaíonn an leagan seo de Forgejo le SQLite3. Íoslódáil an leagan dénártha oifigiúil ó %s (ní an leagan "gobuild").
+run_user_not_match = Ní hé an t-ainm úsáideora "úsáideoir le rith mar" an t-ainm úsáideora reatha: %s -> %s
+enable_update_checker_helper_forgejo = Déanfaidh sé seiceáil tréimhsiúil le haghaidh leaganacha nua de Forgejo trí thaifead DNS TXT a sheiceáil ag release.forgejo.org.
+no_reply_address_helper = Ainm fearainn d'úsáideoirí a bhfuil seoladh ríomhphoist i bhfolach acu. Mar shampla, logálfar an t-ainm úsáideora "joe" i Git mar "joe@noreply.example.org" má shocraítear an fearann ríomhphoist i bhfolach go "noreply.example.org".
 
 [home]
 uname_holder = Ainm Úsáideora nó Seoladh Ríomhphoist
@@ -328,6 +366,7 @@ show_both_private_public = Ag taispeáint poiblí agus príobháideach araon
 show_only_private = Ag taispeáint príobháideach amháin
 show_only_public = Ag taispeáint poiblí amháin
 issues.in_your_repos = I do stórais
+my_orgs = Eagraíochtaí
 
 [explore]
 repos = Stórais
@@ -342,7 +381,7 @@ relevant_repositories = Níl ach stórtha ábhartha á dtaispeáint, <a href="%s
 [auth]
 create_new_account = Cláraigh Cuntas
 disable_register_prompt = Tá clárú faoi dhíchumasú. Téigh i dteagmháil le do riarthóir suíomh.
-disable_register_mail = Tá deimhniú ríomhphoist le haghaidh clárú faoi dhíchum
+disable_register_mail = Tá deimhniú ríomhphoist le haghaidh clárúcháin díchumasaithe.
 manual_activation_only = Déan teagmháil le riarthóir do tsuímh chun gníomhachtú a chur i gcrích.
 remember_me = Cuimhnigh ar an nGléas seo
 forgot_password_title = Dearmad ar an bPasfhocal
@@ -384,7 +423,7 @@ openid_register_title = Cruthaigh cuntas nua
 openid_register_desc = Níl an URI OpenID roghnaithe ar eolas. Comhcheangail é le cuntas nua anseo.
 openid_signin_desc = Cuir isteach do URI OpenID. Mar shampla: alice.openid.example.org nó https://openid.example.org/alice.
 disable_forgot_password_mail = Tá aisghabháil cuntas díchumasaithe toisc nach bhfuil aon ríomhphost ar bun. Téigh i dteagmháil le do riarthóir suíomh.
-disable_forgot_password_mail_admin = Níl aisghabháil cuntas ar fáil ach amháin nuair a bhíonn ríomhphost ar bun. Bunaigh ríomhphost le do thoil chun aisghabháil cuntas a chumasú
+disable_forgot_password_mail_admin = Ní féidir cuntas a aisghabháil ach amháin nuair a bhíonn ríomhphost socraithe. Socraigh ríomhphost le go mbeidh tú in ann cuntas a aisghabháil.
 email_domain_blacklisted = Ní féidir leat clárú le do sheoladh ríomhphoist.
 authorize_application = Údaraigh an Feidhmchlár
 authorize_redirect_notice = Déanfar tú a atreorú chuig %s má údaraíonn tú an feidhmchlár seo.
@@ -396,6 +435,23 @@ password_pwned = Tá an pasfhocal a roghnaigh tú ar <a target="_blank" rel="noo
 password_pwned_err = Ní fhéadfaí iarratas a chomhlánú ar HaveIBeenPwned
 last_admin = Ní féidir leat an riarachán deireanach a bhaint. Caithfidh riarachán amháin ar a laghad a bheith ann.
 back_to_sign_in = Ar ais go Sínigh Isteach
+hint_login = An bhfuil cuntas agat cheana féin? <a href="%s">Sínigh isteach anois!</a>
+hint_register = An bhfuil cuntas uait? <a href="%s">Cláraigh anois.</a>
+sign_up_button = Cláraigh anois.
+confirmation_mail_sent_prompt = Tá ríomhphost deimhnithe nua seolta chuig <b>%s</b>. Chun an próiseas clárúcháin a chríochnú, seiceáil do bhosca isteach agus lean an nasc a cuireadh ar fáil laistigh den chéad %s eile. Mura bhfuil an ríomhphost ceart, is féidir leat logáil isteach agus ríomhphost deimhnithe eile a iarraidh chuig seoladh difriúil.
+reset_password_mail_sent_prompt = Tá ríomhphost deimhnithe seolta chuig <b>%s</b>. Chun an próiseas aisghabhála cuntais a chríochnú, seiceáil do bhosca isteach agus lean an nasc a chuirtear ar fáil laistigh den chéad %s eile.
+prohibit_login = Tá an cuntas ar fionraí
+prohibit_login_desc = Tá do chuntas curtha ar fionraí ó idirghníomhú leis an gcás. Téigh i dteagmháil le riarthóir an chás chun rochtain a fháil ar ais.
+change_unconfirmed_email_summary = Athraigh an seoladh ríomhphoist a seoltar ríomhphost gníomhachtaithe chuige.
+change_unconfirmed_email = Má thug tú an seoladh ríomhphoist mícheart le linn clárúcháin, is féidir leat é a athrú thíos, agus seolfar dearbhú chuig an seoladh nua ina ionad.
+change_unconfirmed_email_error = Ní féidir an seoladh ríomhphoist a athrú: %v
+send_reset_mail = Seol ríomhphost aisghabhála
+non_local_account = Ní féidir le húsáideoirí nach áitiúla iad a bpasfhocal a nuashonrú tríd an gcomhéadan gréasáin Forgejo.
+unauthorized_credentials = Tá na dintiúir mícheart nó imithe in éag. Déan iarracht d’ordú a athdhéanamh nó féach %s le haghaidh tuilleadh eolais
+use_onetime_code = Úsáid cód aonuaire
+oauth_signin_tab = Nasc le cuntas atá ann cheana féin
+authorize_application_description = Má dheonaíonn tú rochtain, beidh sé in ann rochtain a fháil ar fhaisnéis do chuntais go léir agus scríobh chuici, lena n-áirítear stórtha príobháideacha agus eagraíochtaí.
+sign_in_openid = Lean ar aghaidh le OpenID
 
 [mail]
 view_it_on = Féach air ar %s
@@ -439,6 +495,32 @@ team_invite.subject = Tá cuireadh tugtha agat ag %[1]s chun dul le heagraíocht
 team_invite.text_1 = Tá cuireadh tugtha ag %[1]s duit chun dul le foireann %[2]s in eagraíocht %[3]s.
 team_invite.text_2 = Cliceáil ar an nasc seo a leanas le do thoil chun dul isteach san fhoireann:
 team_invite.text_3 = Nóta: Bhí an cuireadh seo beartaithe do %[1]s. Mura raibh tú ag súil leis an gcuireadh seo, is féidir leat neamhaird a dhéanamh den ríomhphost seo.
+link_not_working_do_paste = Nach bhfuil an nasc ag obair? Bain triail as é a chóipeáil agus a ghreamú i mbarra URL do bhrabhsálaí.
+admin.new_user.subject = Úsáideoir nua %s díreach cláraithe
+admin.new_user.user_info = Faisnéis úsáideora
+admin.new_user.text = Le do thoil, <a href="%s">cliceáil anseo</a> chun an t-úsáideoir seo a bhainistiú ón bpainéal riaracháin.
+register_notify.text_2 = Is féidir leat síniú isteach i do chuntas ag baint úsáide as d'ainm úsáideora: %s
+register_notify.text_3 = Más duine eile a chruthaigh an cuntas seo duit, beidh ort <a href="%s">do phasfhocal a shocrú</a> ar dtús.
+reset_password.text = Más tusa a bhí ann, cliceáil an nasc seo a leanas le do chuntas a aisghabháil laistigh de <b>%s</b>:
+password_change.subject = Tá d’fhocal faire athraithe
+password_change.text_1 = Athraíodh pasfhocal do chuntais díreach anois.
+primary_mail_change.subject = Tá do phríomhphost athraithe
+primary_mail_change.text_1 = Athraíodh príomhsheoladh ríomhphoist do chuntais go %[1]s díreach anois. Ciallaíonn sé seo nach bhfaighidh an seoladh ríomhphoist seo fógraí ríomhphoist a thuilleadh chun do chuntas.
+totp_disabled.subject = Tá TOTP díchumasaithe
+totp_disabled.text_1 = Díchumasaíodh pasfhocal aonuaire bunaithe ar am (TOTP) ar do chuntas díreach anois.
+totp_disabled.no_2fa = Níl aon mhodhanna 2FA eile cumraithe a thuilleadh, rud a chiallaíonn nach gá logáil isteach i do chuntas le 2FA a thuilleadh.
+removed_security_key.subject = Baineadh eochair slándála
+removed_security_key.text_1 = Baineadh an eochair slándála "%[1]s" as do chuntas díreach anois.
+removed_security_key.no_2fa = Níl aon mhodhanna 2FA eile cumraithe a thuilleadh, rud a chiallaíonn nach gá logáil isteach i do chuntas le 2FA a thuilleadh.
+account_security_caution.text_1 = Más tusa a bhí ann, is féidir leat neamhaird a dhéanamh den ríomhphost seo go sábháilte.
+account_security_caution.text_2 = Mura tusa a bhí ann, tá do chuntas i mbaol. Téigh i dteagmháil le riarthóirí an tsuímh seo, le do thoil.
+totp_enrolled.subject = Tá TOTP gníomhachtaithe agat mar mhodh 2FA
+totp_enrolled.text_1.no_webauthn = Tá TOTP cumasaithe agat chun do chuntas díreach anois. Ciallaíonn sé seo go gcaithfidh tú TOTP a úsáid mar mhodh 2FA i ngach logáil isteach chuig do chuntas amach anseo.
+totp_enrolled.text_1.has_webauthn = Tá TOTP cumasaithe agat chun do chuntas díreach anois. Ciallaíonn sé seo, i gcás gach logáil isteach chuig do chuntas amach anseo, gur féidir leat TOTP a úsáid mar mhodh 2FA nó aon cheann de do chuid eochracha slándála a úsáid.
+repo.transfer.subject_to = Tá %s ag iarraidh stórlann "%s" a aistriú go %s
+repo.transfer.subject_to_you = Tá %s ag iarraidh stórlann "%s" a aistriú chugat
+repo.collaborator.added.subject = Chuir %s le %s thú mar chomhoibrí
+repo.collaborator.added.text = Cuireadh leis an stór thú mar chomhoibrí:
 
 [modal]
 yes = Tá
@@ -467,7 +549,7 @@ require_error = ` ní féidir a bheith folamh.`
 git_ref_name_error = ` caithfidh gur ainm tagartha Git dea-chruthaithe é.`
 size_error = ` ní mór méid %s.`
 min_size_error = ` ní mór go mbeadh carachtar %s ar a laghad ann.`
-max_size_error = caithfidh %s carachtar ar a mhéad a bheith ann.
+max_size_error = `ní mór %s carachtar ar a mhéad a bheith ann.`
 email_error = `ní seoladh ríomhphoist bailí é.`
 url_error = `ní URL bailí é "%s".`
 include_error = ` ní mór fotheaghrán a bheith ann "%s".`
@@ -518,6 +600,28 @@ must_use_public_key = Is eochair phríobháideach an eochair a sholáthraíonn t
 auth_failed = Theip ar fhíordheimhniú:%v
 target_branch_not_exist = Níl spriocbhrainse ann.
 admin_cannot_delete_self = Ní féidir leat tú féin a scriosadh nuair is riarachán tú. Bain do phribhléidí riaracháin ar dtús.
+FullName = Ainm iomlán
+Description = Cur síos
+Pronouns = Forainmneacha
+Biography = Beathaisnéis
+Website = Suíomh Gréasáin
+Location = Suíomh
+To = Ainm na brainse
+AccessToken = Comhartha rochtana
+alpha_dash_error = `Níor cheart ach carachtair alfa-uimhriúla, fleascáin ("-") agus fo-líne ("_") a bheith sa.`
+alpha_dash_dot_error = `Níor cheart ach carachtair alfa-uimhriúla, fleasc ("-"), fo-líne ("_") agus ponc (".") a bheith sa.`
+username_error = `Ní féidir ach carachtair alfa-uimhriúla ("0-9", "a-z", "A-Z"), fleasc ("-"), fo-líne ("_") agus ponc (".") a bheith ann. Ní féidir é a thosú ná a chríochnú le carachtair neamh-alfa-uimhriúla, agus tá cosc ar charachtair neamh-alfa-uimhriúla as a chéile ach an oiread.`
+username_error_no_dots = `Ní féidir ach carachtair alfa-uimhriúla ("0-9", "a-z", "A-Z"), fleasc ("-") agus fo-líne ("_") a bheith ann. Ní féidir é a thosú ná a chríochnú le carachtair neamh-alfa-uimhriúla, agus tá cosc ar charachtair neamh-alfa-uimhriúla as a chéile ach an oiread.`
+username_claiming_cooldown = Ní féidir an t-ainm úsáideora a éileamh, mar níl a thréimhse fuaraithe thart fós. Is féidir é a éileamh ar %[1]s.
+email_domain_is_not_allowed = Tá coimhlint idir fearann seoladh ríomhphoist an úsáideora <b>%s</b> agus EMAIL_DOMAIN_ALLOWLIST nó EMAIL_DOMAIN_BLOCKLIST. Cinntigh go bhfuil an seoladh ríomhphoist socraithe i gceart agat.
+last_org_owner = Ní féidir leat an t-úsáideoir deireanach a bhaint den fhoireann "úinéirí". Ní mór úinéir amháin ar a laghad a bheith ann d'eagraíocht.
+unable_verify_ssh_key = Ní féidir an eochair SSH a fhíorú, déan seiceáil dhúbailte uirthi le haghaidh earráidí.
+still_own_repo = Tá stór amháin nó níos mó i do chuntas, scrios nó aistrigh iad ar dtús.
+still_has_org = Is ball d'eagraíocht amháin nó níos mó do chuntas, fág iad ar dtús.
+still_own_packages = Tá pacáiste amháin nó níos mó i do chuntas, scrios iad ar dtús.
+org_still_own_repo = Tá stór amháin nó níos mó fós faoi úinéireacht na heagraíochta seo, scrios nó aistrigh iad ar dtús.
+org_still_own_packages = Tá pacáiste amháin nó níos mó fós ag an eagraíocht seo, scrios iad ar dtús.
+required_prefix = Ní mór an ionchur a thosú le "%s"
 
 [user]
 change_avatar = Athraigh do abhatár…
@@ -538,6 +642,28 @@ settings = Socruithe Úsáideora
 disabled_public_activity = Dhíchumasaigh an t-úsáideoir seo infheictheacht phoiblí na gníomhaíochta.
 form.name_reserved = Tá an t-ainm úsáideora "%s" in áirithe.
 form.name_pattern_not_allowed = Ní cheadaítear an patrún "%s" in ainm úsáideora.
+followers.title.one = Leantóir
+followers.title.few = Leantóirí
+following.title.one = Ag leanúint
+following.title.few = Ag leanúint
+followers_one = %d leantóir
+followers_few = %d leantóirí
+following_one = %d ag leanúint
+following_few = %d ag leanúint
+block_user = Úsáideoir blocáilte
+block_user.detail = Tabhair faoi deara go bhfuil éifeachtaí eile ag baint le húsáideoir a bhlocáil, amhail:
+block_user.detail_1 = Scoirfidh sibh de bheith ag leanúint a chéile agus ní bheidh sibh in ann leanúint a chéile.
+block_user.detail_2 = Ní bheidh an t-úsáideoir seo in ann idirghníomhú leis na stórtha atá i do sheilbh, ná leis na saincheisteanna agus na tuairimí atá cruthaithe agat.
+block_user.detail_3 = Ní bheidh sibh in ann a chéile a chur leis mar chomhoibritheoirí stóir.
+follow_blocked_user = Ní féidir leat an t-úsáideoir seo a leanúint mar gur chuir tú bac air nó mar gur chuir an t-úsáideoir seo bac ort.
+block = Bloc
+unblock = Díbhlocáil
+public_activity.visibility_hint.self_public = Tá do ghníomhaíocht le feiceáil ag gach duine, seachas idirghníomhaíochtaí i spásanna príobháideacha. <a href="%s">Cumraigh</a>.
+public_activity.visibility_hint.admin_public = Tá an ghníomhaíocht seo le feiceáil ag gach duine, ach mar riarthóir is féidir leat idirghníomhaíochtaí i spásanna príobháideacha a fheiceáil freisin.
+public_activity.visibility_hint.self_private = Ní féidir ach leatsa agus le riarthóirí an cháis do ghníomhaíocht a fheiceáil. <a href="%s">Cumraigh</a>.
+public_activity.visibility_hint.admin_private = Tá an ghníomhaíocht seo le feiceáil agat mar is riarthóir thú, ach ba mhaith leis an úsáideoir go bhfanfadh sí príobháideach.
+public_activity.visibility_hint.self_private_profile = Ní féidir ach leatsa agus le riarthóirí an cháis do ghníomhaíocht a fheiceáil mar go bhfuil do phróifíl príobháideach. <a href="%s">Cumraigh</a>.
+form.name_chars_not_allowed = Tá carachtair neamhbhailí san ainm úsáideora "%s".
 
 [settings]
 profile = Próifíl
@@ -565,13 +691,13 @@ update_language_success = Tá an teanga nuashonraithe.
 update_profile_success = Nuashonraíodh do phróifíl.
 change_username = Tá d'ainm úsáideora athraithe.
 change_username_prompt = Nóta: Athraíonn athrú d'ainm úsáideora URL do chuntais freisin.
-change_username_redirect_prompt = Athreoróidh an sean-ainm úsáideora go dtí go n-éilíonn duine é
+change_username_redirect_prompt = Déanfar an seanainm úsáideora a atreorú go dtí go n-éileoidh duine éigin é.
 continue = Lean ar aghaidh
 cancel = Cealaigh
 language = Teanga
 ui = Téama
 hidden_comment_types = Cineálacha tráchtaireachta ceilte
-hidden_comment_types.ref_tooltip = Tuairimí ina dtagraíodh an tsaincheist seo ó shaincheiste/coiste eile...
+hidden_comment_types.ref_tooltip = Tráchtanna inar tagraíodh don cheist seo ó cheist/tiomantas/… eile
 hidden_comment_types.issue_ref_tooltip = Tuairimí ina n-athraíonn an t-úsáideoir an brainse/clib a bhaineann leis an tsaincheist
 comment_type_group_reference = Tagairt
 comment_type_group_label = Lipéad
@@ -603,7 +729,7 @@ new_password = Pasfhocal Nua
 retype_new_password = Deimhnigh Pasfhocal Nua
 password_incorrect = Tá an pasfhocal reatha mícheart.
 manage_emails = Bainistigh Seoltaí Ríomhphoist
-email_desc = Úsáidfear do phríomhsheoladh ríomhphoist le haghaidh fógraí, aisghabháil pasfhocal agus, ar choinníoll nach bhfuil sé i bhfolach, oibríochtaí Git bunaithe ar an ngréas
+email_desc = Úsáidfear do phríomhsheoladh ríomhphoist le haghaidh fógraí, aisghabháil pasfhocail agus, ar choinníoll nach bhfuil sé i bhfolach, oibríochtaí Git gréasánbhunaithe.
 primary = Príomhúil
 activated = Gníomhachtaithe
 requires_activation = Éilíonn gníomhachtú
@@ -613,7 +739,7 @@ activations_pending = Gníomhartha ar Feitheamh
 can_not_add_email_activations_pending = Tá gníomhachtú ar feitheamh, déan iarracht arís i gceann cúpla nóiméad más mian leat ríomhphost nua a chur leis.
 delete_email = Bain
 email_deletion = Bain Seoladh R-phoist
-email_deletion_desc = Bainfear an seoladh ríomhphoist agus an fhaisnéis ghaolmhar as do chuntas. Ní bheidh na tiomáintí Git a bhaineann leis an seoladh ríomhphoist seo athraithe. Lean ar aghaidh?
+email_deletion_desc = Bainfear an seoladh ríomhphoist seo agus faisnéis ghaolmhar as do chuntas. Fanfaidh na gealltanais Git ón seoladh ríomhphoist seo gan athrú. Ar mhaith leat leanúint ar aghaidh?
 email_deletion_success = Tá an seoladh ríomhphoist bainte.
 theme_update_success = Nuashonraíodh do théama.
 theme_update_error = Níl an téama roghnaithe ann.
@@ -695,12 +821,12 @@ generate_new_token = Gin Comhartha Nua
 token_name = Ainm Comhartha
 generate_token = Gin Comhartha
 generate_token_success = Gintear do chomhartha nua. Cóipeáil é anois mar ní thaispeánfar é arís.
-generate_token_name_duplicate = <strong>Úsáideadh %s</strong> mar ainm feidhmchláir cheana féin. Úsáid ceann nua le do thoil.
+generate_token_name_duplicate = Tá <strong>%s</strong> in úsáid mar ainm feidhmchláir cheana féin. Bain úsáid as ceann nua le do thoil.
 delete_token = Scrios
 access_token_deletion = Scrios Comhartha Rochtana
 access_token_deletion_desc = Cúlghairfear rochtain ar do chuntas le haghaidh feidhmchláir a úsáideann é a scriosadh comhartha. Ní féidir é seo a chur ar ais. Lean ar aghaidh?
 delete_token_success = Tá an comhartha scriosta. Níl rochtain ag iarratais a úsáideann é ar do chuntas a thuilleadh.
-repo_and_org_access = Rochtain Stórála agus Eagraíochta
+repo_and_org_access = Rochtain ar stórtha agus ar eagraíochta
 permissions_public_only = Poiblí amháin
 permissions_access_all = Gach (poiblí, príobháideach agus teoranta)
 select_permissions = Roghnaigh ceadanna
@@ -753,7 +879,7 @@ then_enter_passcode = Agus cuir isteach an paschód a léirítear san fheidhmchl
 passcode_invalid = Tá an pascód mícheart. Bain triail as arís.
 twofa_enrolled = Tá do chuntas cláraithe go rathúil. Stóráil d'eochair aisghabhála aonúsáide (%s) in áit shábháilte, mar ní thaispeánfar é arís.
 twofa_failed_get_secret = Theip ar rún a fháil.
-webauthn_desc = Is feistí crua-earraí iad eochracha slándála ina bhfuil eochracha cripte Is féidir iad a úsáid le haghaidh fíordheimhniú dhá fhachtóir. Caithfidh eochracha slándála tacú le caigh <a rel="noreferrer" target="_blank" href="%s">deán Fíordheimhnithe WebAuthn</a>
+webauthn_desc = Is gléasanna crua-earraí iad eochracha slándála ina bhfuil eochracha cripteagrafacha. Is féidir iad a úsáid le haghaidh fíordheimhniú dhá fhachtóir. Ní mór d'eochracha slándála tacú leis an gcaighdeán <a rel="noreferrer" target="_blank" href="%s">WebAuthn Authenticator</a>.
 webauthn_register_key = Cuir Eochair Slándála
 webauthn_nickname = Leasainm
 webauthn_delete_key = Bain Eochair Slándála
@@ -783,6 +909,88 @@ visibility.public_tooltip = Infheicthe do gach duine
 visibility.limited = Teoranta
 visibility.private = Príobháideach
 visibility.private_tooltip = Ní fheictear ach do bhaill d'eagraíochtaí a chuaigh tú isteach
+orgs = Eagraíochtaí
+blocked_users = Úsáideoirí blocáilte
+storage_overview = Forbhreathnú ar stóráil
+quota = Cuóta
+biography_placeholder = Inis beagán do dhaoine eile fút féin! (Tacaítear le Markdown)
+profile_desc = Fút féin
+password_username_disabled = Ní cheadaítear d’úsáideoirí nach úsáideoirí áitiúla iad a n-ainm úsáideora a athrú. Téigh i dteagmháil le riarthóir do shuíomh le haghaidh tuilleadh sonraí.
+pronouns = Forainmneacha
+pronouns_unspecified = Gan sonrú
+update_theme = Athraigh téama
+update_language = Athraigh teanga
+change_username_redirect_prompt.with_cooldown.one = Beidh an seanainm úsáideora ar fáil do gach duine tar éis tréimhse fuaraithe %[1]d lá. Is féidir leat an seanainm úsáideora a éileamh ar ais fós le linn na tréimhse fuaraithe.
+change_username_redirect_prompt.with_cooldown.few = Beidh an seanainm úsáideora ar fáil do gach duine tar éis tréimhse fuaraithe %[1]d lá. Is féidir leat an seanainm úsáideora a éileamh ar ais fós le linn na tréimhse fuaraithe.
+language.title = Teanga réamhshocraithe
+language.description = Sábhálfar an teanga seo chuig do chuntas agus úsáidfear í mar an teanga réamhshocraithe tar éis duit logáil isteach.
+language.localization_project = Cabhraigh linn Forgejo a aistriú go do theanga féin! <a href="%s">Foghlaim tuilleadh</a>.
+hints = Leideanna
+additional_repo_units_hint = Moltar aonaid stórtha breise a chumasú
+additional_repo_units_hint_description = Taispeáin leid "Cumasaigh níos mó" do stórtha nach bhfuil na haonaid uile atá ar fáil cumasaithe iontu.
+update_hints = Leideanna nuashonraithe
+update_hints_success = Tá na leideanna nuashonraithe.
+hidden_comment_types_description = Ní thaispeánfar cineálacha tráchta atá seiceáilte anseo laistigh de leathanaigh eagráin. Má sheiceálann tú "Lipéad", mar shampla, baintear na tráchtanna uile a dúirt "<user> chuir <label> leis/bhain sé".
+keep_activity_private.description = Ní bheidh do <a href="%s">ghníomhaíocht phoiblí</a> le feiceáil ach agatsa agus ag riarthóirí an cháis.
+lookup_avatar_by_mail = Cuardaigh abhatár de réir seoladh ríomhphoist
+change_password = Athraigh an focal faire
+update_password = Nuashonraigh an focal faire
+change_password_success = Tá do phasfhocal nuashonraithe. As seo amach, bain úsáid as do phasfhocal nua chun síniú isteach.
+password_change_disabled = Ní féidir le húsáideoirí nach áitiúla iad a bpasfhocal a nuashonrú tríd an gcomhéadan gréasáin Forgejo.
+manage_themes = Téama réamhshocraithe
+manage_openid = Seoltaí OpenID
+theme_desc = Úsáidfear an téama seo don chomhéadan gréasáin nuair a bheidh tú logáilte isteach.
+add_new_email = Cuir seoladh ríomhphoist leis
+add_email_confirmation_sent = Tá ríomhphost deimhnithe seolta chuig "%s". Chun do sheoladh ríomhphoist a dheimhniú, seiceáil do bhosca isteach agus lean an nasc a chuirtear ar fáil laistigh den chéad %s eile.
+keep_email_private_popup = Ní thaispeánfar an seoladh ríomhphoist ar an leathanach próifíle agus ní bheidh sé mar an seoladh réamhshocraithe le haghaidh gealltanais a dhéantar tríd an gcomhéadan gréasáin, amhail uaslódálacha comhad, eagarthóireachtaí, agus gealltanais chumasc. Ina áit sin, is féidir seoladh speisialta %s a úsáid chun gealltanais a nascadh leis an gcuntas úsáideora. Ní bheidh tionchar ag an rogha seo ar ghealltanais atá ann cheana féin.
+keep_pronouns_private = Taispeáin forainmneacha d'úsáideoirí fíordheimhnithe amháin
+keep_pronouns_private.description = Cuirfidh sé seo do fhorainmneacha i bhfolach ó chuairteoirí nach bhfuil logáilte isteach.
+ssh_desc = Tá na heochracha SSH poiblí seo bainteach le do chuntas. Ceadaíonn na heochracha príobháideacha comhfhreagracha rochtain iomlán ar do stórtha. Is féidir eochracha SSH atá fíoraithe a úsáid chun gealltanais Git sínithe le SSH a fhíorú.
+gpg_desc = Tá na heochracha GPG poiblí seo ceangailte le do chuntas agus úsáidtear iad chun do thiomnais a fhíorú. Coinnigh d’eochracha príobháideacha slán mar go gceadaíonn siad duit tiomnais a shíniú le do chéannacht.
+ssh_helper = <strong>An bhfuil cabhair uait?</strong> Féach ar an treoir chun <a href="%s">d'eochracha SSH féin a chruthú</a> nó chun <a href="%s">fadhbanna coitianta</a> a d'fhéadfadh teacht ort agus SSH á úsáid agat a réiteach.
+gpg_helper = <strong>An bhfuil cabhair uait?</strong> Féach ar an treoir <a href="%s">faoi GPG</a>.
+key_content_ssh_placeholder = Tosaíonn le "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ecdsa-sha2-nistp256@openssh.com", nó "sk-5sh.com"
+key_content_gpg_placeholder = Tosaíonn sé le "-----BEGIN PGP PUBLIC ELECTRONIC BLOCK-----"
+key_signature_gpg_placeholder = Tosaíonn le "-----TOSAIGH SÍNIÚ PGP-----"
+ssh_token_help_ssh_agent = nó, má tá gníomhaire SSH in úsáid agat (leis an athróg SSH_AUTH_SOCK socraithe):
+key_signature_ssh_placeholder = Tosaíonn le "-----TOSAIGH SÍNIÚ SSH-----"
+ssh_disabled = Tá SSH díchumasaithe
+manage_access_token = Comharthaí rochtana
+tokens_desc = Tugann na comharthaí seo rochtain ar do chuntas ag baint úsáide as API Forgejo.
+regenerate_token = Athghiniúint
+access_token_regeneration = Athghin an comhartha rochtana
+access_token_regeneration_desc = Má athghintear comhartha, cuirfear deireadh le rochtain ar do chuntas d’fheidhmchláir a úsáideann é. Ní féidir é seo a chealú. Ar mhaith leat leanúint ar aghaidh?
+regenerate_token_success = Tá an comhartha athghinte. Níl rochtain ag feidhmchláir a úsáideann é ar do chuntas a thuilleadh agus ní mór iad a nuashonrú leis an gcomhartha nua.
+access_token_desc = Ní chuireann ceadanna comhartha roghnaithe teorainn leis an údarú ach amháin do na bealaí <a href="%[1]s" target="_blank">API</a> comhfhreagracha. Léigh an <a href="%[2]s" target="_blank">doiciméadú</a> le haghaidh tuilleadh eolais.
+oauth2_application_locked = Réamhchláraíonn Forgejo roinnt feidhmchlár OAuth2 ar am tosaithe má tá sé cumasaithe sa chumraíocht. Chun iompar gan choinne a chosc, ní féidir iad seo a chur in eagar ná a bhaint. Féach ar dhoiciméadú OAuth2 le haghaidh tuilleadh eolais.
+authorized_oauth2_applications_description = Tá rochtain tugtha agat do na feidhmchláir tríú páirtí seo ar do chuntas pearsanta Forgejo. Le do thoil, cuir rochtain ar ceal i gcás feidhmchlár nach bhfuil in úsáid a thuilleadh.
+manage_account_links = Cuntais nasctha
+manage_account_links_desc = Tá na cuntais sheachtracha seo nasctha le do chuntas Forgejo.
+remove_account_link_desc = Má bhaintear cuntas nasctha, cuirfear deireadh leis an rochtain atá aige ar do chuntas Forgejo. Ar aghaidh?
+blocked_users_none = Níl aon úsáideoirí blocáilte ann.
+visibility.limited_tooltip = Le feiceáil ag úsáideoirí atá sínithe isteach amháin
+blocked_since = Blocáilte ó %s
+user_unblock_success = Tá an t-úsáideoir díbhlocáilte go rathúil.
+user_block_success = Tá an t-úsáideoir blocáilte go rathúil.
+user_block_yourself = Ní féidir leat tú féin a bhac.
+quota.applies_to_user = Baineann na rialacha cuóta seo a leanas le do chuntas
+quota.applies_to_org = Tá feidhm ag na rialacha cuóta seo a leanas maidir leis an eagraíocht seo
+quota.rule.exceeded = Sáraíodh
+quota.rule.exceeded.helper = Tá an cuóta sáraithe ag méid iomlán na réad don riail seo.
+quota.rule.no_limit = Gan teorainn
+quota.sizes.all = Gach
+quota.sizes.repos.all = Stórtha
+quota.sizes.repos.public = Stórtha poiblí
+quota.sizes.repos.private = Stórtha príobháideacha
+quota.sizes.git.all = Ábhar Git
+quota.sizes.git.lfs = Git LFS
+quota.sizes.assets.all = Sócmhainní
+quota.sizes.assets.attachments.all = Ceangaltáin
+quota.sizes.assets.attachments.issues = Ceangaltáin na heisiúna
+quota.sizes.assets.attachments.releases = Scaoil ceangaltáin
+quota.sizes.assets.artifacts = Déantáin
+quota.sizes.assets.packages.all = Pacáistí
+quota.sizes.wiki = Vicí
 
 [repo]
 owner = Úinéir
@@ -830,7 +1038,7 @@ mirror_sync = sioncronaithe
 mirror_sync_on_commit = Sioncrónaigh nuair a bhrúitear geallúintí
 mirror_address = Clón Ó URL
 mirror_address_desc = Cuir aon dhintiúir riachtanacha sa chuid Údaraithe.
-mirror_address_url_invalid = Tá an URL curtha ar fáil neamhbhailí. Caithfidh tú gach comhpháirt den url a éalú i gceart.
+mirror_address_url_invalid = Tá an URL a cuireadh ar fáil neamhbhailí. Cinntigh go bhfuil comhpháirteanna an URL éalaithe i gceart.
 mirror_address_protocol_invalid = Tá an URL curtha ar fáil neamhbhailí. Ní féidir ach suíomhanna http (s)://nó git://a úsáid le haghaidh scátháin.
 mirror_lfs = Stóráil Comhad Móra (LFS)
 mirror_lfs_desc = Gníomhachtaigh scáthú sonraí LFS.
@@ -848,7 +1056,7 @@ stars = Réaltaí
 reactions_more = agus %d níos mó
 unit_disabled = Tá an chuid stórais seo díchumasaithe ag riarthóir an láithreáin.
 language_other = Eile
-adopt_search = Iontráil ainm úsáideora chun stórais neamhghlactha a chuardach... (fág bán chun gach rud a fháil)
+adopt_search = Cuir isteach ainm úsáideora chun cuardach a dhéanamh ar stórtha neamhuchtaithe… (fág bán chun gach ceann a aimsiú)
 adopt_preexisting_label = Glacadh le Comhaid
 adopt_preexisting = Glac le comhaid atá ann cheana
 adopt_preexisting_content = Cruthaigh stór ó %s
@@ -882,7 +1090,7 @@ template.avatar = Abhatár
 template.issue_labels = Lipéid Eisiúna
 template.one_item = Ní mór mír teimpléad amháin ar a laghad a roghnú
 template.invalid = Ní mór stór teimpléad a roghnú
-archive.title_date = Tá an stóras seo cartlannaithe ar %s. Is féidir leat comhaid a fheiceáil agus é a chlónú, ach ní féidir leat saincheisteanna a bhrú nó a oscailt ná iarratais a tharraingt.
+archive.title_date = Tá an stórlann seo cartlannaithe ar %s. Is féidir leat comhaid a fheiceáil agus é a chlónáil, ach ní féidir leat aon athruithe a dhéanamh ar a staid, amhail saincheisteanna nua a bhrú agus a chruthú, iarratais tarraingthe nó tuairimí.
 form.reach_limit_of_creation_1 = Tá úinéir an stóras tar éis teorainn de %d stóras a bhaint amach cheana féin.
 form.reach_limit_of_creation_n = Tá úinéir an stórais tar éis teorainn de %d stórtha a bhaint amach cheana féin.
 form.name_reserved = Tá ainm an stór "%s" in áirithe.
@@ -897,7 +1105,7 @@ migrate_options_lfs_endpoint.description.local = Tacaítear le cosán freastala
 migrate_options_lfs_endpoint.placeholder = Má fhágtar bán, díorthófar an críochphointe ón URL clóin
 migrate_repo = Stóras Imirc
 migrate.clone_address = Aimirce/ Clón Ó URL
-migrate.github_token_desc = Is féidir leat comhartha amháin nó níos mó a chur le camóg scartha anseo chun imirce a dhéanamh níos gasta mar gheall ar theorainn ráta API GitHub. RABHADH: D'fhéadfadh mí-úsáid na ngné seo beartas an sholáthraí seirbhíse a shárú agus blocáil cuntais a bheith mar thoradh air.
+migrate.github_token_desc = Is féidir leat comhartha amháin nó níos mó a chur anseo scartha le camóga chun an t-aistriú a dhéanamh níos tapúla trí theorainn ráta API GitHub a sheachaint. RABHADH: D’fhéadfadh mí-úsáid a bhaint as an ngné seo sárú a dhéanamh ar pholasaí an tsoláthraí seirbhíse agus d’fhéadfadh sé go gcuirfí bac ar do chuntas(í).
 migrate.clone_local_path = nó cosán freastalaí áitiúil
 migrate.permission_denied = Ní cheadaítear duit stórais áitiúla a iompórtáil.
 migrate.permission_denied_blocked = Ní féidir leat allmhairiú ó óstaigh neamh-cheadaithe, iarr ar an riarachán socruithe ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS a sheiceáil le do thoil.
@@ -907,7 +1115,7 @@ migrate.migrate_items_options = Teastaíonn Comhartha Rochtana chun míreanna br
 migrated_from = Aistríodh ó <a href="%[1]s">%[2]s</a>
 migrated_from_fake = Aistrithe ó %[1]s
 migrate.migrate = Aistrigh Ó %s
-migrate.migrating = Ag aistriú ó <b>%s</b> ...
+migrate.migrating = Ag aistriú ó <b>%s</b> …
 migrate.migrating_failed = Theip ar aistriú ó <b>%s</b>.
 migrate.migrating_failed.error = Theip ar aistriú: %s
 migrate.migrating_failed_no_addr = Theip ar an imirce.
@@ -1036,7 +1244,7 @@ editor.file_is_a_symlink = Is nasc siombalach é "%s". Ní féidir naisc shiomba
 editor.filename_is_a_directory = Úsáidtear ainm comhaid "%s" cheana féin mar ainm eolaire sa stóras seo.
 editor.file_editing_no_longer_exists = Níl an comhad atá á chur in eagar, "%s", ann sa stóras seo a thuilleadh.
 editor.file_deleting_no_longer_exists = Níl an comhad atá á scriosadh, "%s", ann sa stóras seo a thuilleadh.
-editor.file_changed_while_editing = Tá athrú tagtha ar ábhar an chomhad ó thosaigh tú ag eagarthóireacht <a target="_blank" rel="noopener noreferrer" href="%s">Cliceáil anseo</a> chun iad a fheiceáil nó Athru <strong>ithe a Tiomantas arís</strong> chun iad a fhorscríobh.
+editor.file_changed_while_editing = Tá athrú tagtha ar ábhar an chomhaid ó d’oscail tú an comhad. <a target="_blank" rel="noopener noreferrer" href="%s">Cliceáil anseo</a> chun iad a fheiceáil nó <strong>Cuir athruithe i bhfeidhm arís</strong> chun iad a athscríobh.
 editor.file_already_exists = Tá comhad darb ainm "%s" ann cheana féin sa stóras seo.
 editor.push_out_of_date = Is cosúil go bhfuil an brú as dáta.
 editor.commit_empty_file_header = Tiomantas comhad folamh
@@ -1106,11 +1314,11 @@ projects.open = Oscailte
 projects.close = Dún
 projects.column.assigned_to = Sannta do
 issues.desc = Eagraigh tuarascálacha fabht, tascanna agus cloch mhíle.
-issues.filter_assignees = Scagaire Sannaitheoir
-issues.filter_milestones = Cloch Mhíle Scagaire
-issues.filter_projects = Tionscadal Scagaire
-issues.filter_labels = Lipéad Scagaire
-issues.filter_reviewers = Athbhreithneoir Scagaire
+issues.filter_assignees = Sannaí scagaire
+issues.filter_milestones = Scagaire cloch mhíle
+issues.filter_projects = Scagaire tionscadail
+issues.filter_labels = Lipéad scagaire
+issues.filter_reviewers = Athbhreithneoir scagaire
 issues.new = Eagrán Nua
 issues.new.title_empty = Ní féidir leis an teideal a bheith folamh
 issues.new.labels = Lipéid
@@ -1152,8 +1360,8 @@ issues.add_milestone_at = `chuir seo leis an gcloch mhíle <b>%s</b> %s`
 issues.add_project_at = `chuir seo leis an tionscadal <b>%s</b> %s`
 issues.change_milestone_at = `mionathraithe an chloch mhíle ó <b>%s</b> go <b>%s</b> %s`
 issues.change_project_at = `mionathraithe an tionscadal ó <b>%s</b> go <b>%s</b> %s`
-issues.remove_milestone_at = ` bhain seo den <b>%s</b>chloch mhíle %s`
-issues.remove_project_at = `bhain sé seo den <b>%s</b>an tionscadal %s`
+issues.remove_milestone_at = `baineadh é seo ón gcloch mhíle <b>%s</b> %s`
+issues.remove_project_at = `baineadh é seo as an tionscadal <b>%s</b> %s`
 issues.deleted_milestone = `(scriosta)`
 issues.deleted_project = `(scriosta)`
 issues.self_assign_at = `féin-shannta an %s seo`
@@ -1213,9 +1421,9 @@ issues.action_check_all = Seiceáil/Dísheiceáil gach mireanna
 issues.opened_by = oscail %[1]s le <a href="%[2]s">%[3]s</a>
 pulls.merged_by = le <a href="%[2]s">%[3]s</a> cumasc %[1]s
 pulls.merged_by_fake = le %[2]s a chumasc %[1]s
-issues.closed_by = le <a href="%[2]s">dúnadh %[3]s</a> %[1]s
+issues.closed_by = ag <a href="%[2]s">%[3]s</a> dúnadh %[1]s
 issues.opened_by_fake = oscail %[1]s le %[2]s
-issues.closed_by_fake = faoi ​​%[2]s dúnadh %[1]s
+issues.closed_by_fake = faoi %[2]s dúnta %[1]s
 issues.previous = Roimhe Seo
 issues.next = Ar Aghaidh
 issues.open_title = Oscailte
@@ -1238,14 +1446,14 @@ issues.reopen_issue = Athoscail
 issues.reopen_comment_issue = Athoscail le trácht
 issues.create_comment = Trácht
 issues.closed_at = `dhún an cheist seo %s`
-issues.reopened_at = `athoscail an t-eagrán seo %s`
-issues.commit_ref_at = `rinne tagairt don cheist seo ó ghealltanas %s`
-issues.ref_issue_from = `<a href="%[2]s">rinne dagairt don cheist seo %[3]s</a> %[1]s`
-issues.ref_pull_from = `<a href="%[2]s">rinne dagairt don iarratas tarraingthe seo %[3]s</a> %[1]s`
+issues.reopened_at = `athoscail an cheist seo %s`
+issues.commit_ref_at = `tagairt déanta don cheist seo ó thiomantas %s`
+issues.ref_issue_from = `<a href="%[2]s">tagairt don cheist seo %[3]s</a> %[1]s`
+issues.ref_pull_from = `<a href="%[2]s">tagairt don iarratas tarraingthe seo %[3]s</a> %[1]s`
 issues.ref_from = `ó %[1]s`
 issues.author = Údar
 issues.role.owner = Úinéir
-issues.role.owner_helper = Is é an t-úsáideoir seo úinéir an stór seo.
+issues.role.owner_helper = Is úinéir an stórais seo an t-úsáideoir seo.
 issues.role.member = Comhalta
 issues.role.member_helper = Is ball den eagraíocht é an t-úsáideoir seo a bhfuil an stór seo ina úinéireacht.
 issues.role.collaborator = Comhoibritheoir
@@ -1300,8 +1508,8 @@ issues.lock.notice_3 = - Is féidir leat an tsaincheist seo a dhíghlasáil arí
 issues.unlock.notice_1 = - Bheadh gach duine in ann trácht a dhéanamh ar an gceist seo arís.
 issues.unlock.notice_2 = - Is féidir leat an tsaincheist seo a ghlasáil arís sa todhchaí i gcónaí.
 issues.lock.reason = Cúis le glasáil
-issues.lock.title = Glas comhrá ar an gceist seo.
-issues.unlock.title = Díghlasáil comhrá ar an gceist seo.
+issues.lock.title = Glasáil an comhrá
+issues.unlock.title = Díghlasáil comhrá
 issues.comment_on_locked = Ní féidir leat trácht a dhéanamh ar shaincheist faoi ghlas.
 issues.delete = Scrios
 issues.delete.title = Scrios an t-eagrán seo?
@@ -1401,7 +1609,7 @@ pulls.select_commit_hold_shift_for_range = Roghnaigh tiomantas. Coinnigh shift +
 pulls.review_only_possible_for_full_diff = Ní féidir athbhreithniú a dhéanamh ach amháin nuair a bhreathnaítear ar an difríocht iomlán
 pulls.filter_changes_by_commit = Scagaigh de réir tiomantas
 pulls.nothing_to_compare = Tá na brainsí seo cothrom. Ní gá iarratas tarraingthe a chruthú.
-pulls.nothing_to_compare_have_tag = Tá an brainse/clib roghnaithe cothrom.
+pulls.nothing_to_compare_have_tag = Tá na brainsí/clibeanna roghnaithe comhionann.
 pulls.nothing_to_compare_and_allow_empty_pr = Tá na brainsí seo cothrom. Beidh an PR seo folamh.
 pulls.has_pull_request = `Tá iarratas tarraingthe idir na brainsí seo ann cheana: <a href="%[1]s">%[2]s#%[3]d</a>`
 pulls.create = Cruthaigh Iarratas Tarraing
@@ -1471,8 +1679,8 @@ pulls.update_branch_success = Bhí nuashonrú brainse rathúil
 pulls.update_not_allowed = Ní cheadaítear duit brainse a nuashonrú
 pulls.outdated_with_base_branch = Tá an brainse seo as dáta leis an mbunbhrainse
 pulls.close = Dún Iarratas Tarraing
-pulls.closed_at = `dhún an t-iarratas tarraingthe seo %s`
-pulls.reopened_at = `athoscail an t-iarratas tarraingthe seo %s`
+pulls.closed_at = `dhún an iarratas tarraingthe seo %s`
+pulls.reopened_at = `athoscail an iarratas tarraingthe seo %s`
 pulls.cmd_instruction_checkout_title = Seiceáil
 pulls.cmd_instruction_checkout_desc = Ó stór tionscadail, seiceáil brainse nua agus déan tástáil ar na hathruithe.
 pulls.cmd_instruction_merge_title = Cumaisc
@@ -1519,7 +1727,7 @@ milestones.filter_sort.most_complete = Is mó críochnaithe
 milestones.filter_sort.most_issues = Saincheisteanna is mó
 milestones.filter_sort.least_issues = Saincheisteanna is lú
 signing.will_sign = Síneofar an gealltanas seo le heochair "%s".
-signing.wont_sign.error = Bhí earráid ann agus tú ag seiceáil an féidir an tiomantas a shíniú.
+signing.wont_sign.error = Tharla earráid agus seiceáil á dhéanamh an bhféadfaí an tiomnú a shíniú.
 signing.wont_sign.never = Ní shínítear tiomáintí riamh.
 signing.wont_sign.always = Sínítear tiomáintí i gcónaí.
 signing.wont_sign.pubkey = Ní shíníofar an tiomantas toisc nach bhfuil eochair phoiblí agat a bhaineann le do chuntas.
@@ -1531,7 +1739,7 @@ signing.wont_sign.commitssigned = Ní shínífear an cumasc toisc nach bhfuil na
 signing.wont_sign.approved = Ní shíníofar an cumaisc toisc nach bhfuil an PR ceadaithe.
 signing.wont_sign.not_signed_in = Níl tú sínithe isteach.
 wiki = Vicí
-wiki.welcome = Fáilte go dtí an Vicí.
+wiki.welcome = Fáilte go dtí an vicí.
 wiki.welcome_desc = Ligeann an vicí duit cáipéisíocht a scríobh agus a roinnt le comhoibrithe.
 wiki.desc = Scríobh agus roinn cáipéisíocht le comhoibrithe.
 wiki.create_first_page = Cruthaigh an Chéad Leathanach
@@ -1733,7 +1941,7 @@ settings.transfer_succeed = Tá an stóras aistrithe.
 settings.signing_settings = Socruithe Fíoraithe Sínithe
 settings.trust_model = Samhail Iontaobhas Sínithe
 settings.trust_model.default = Múnla Iontaobhais Réamhshocraithe
-settings.trust_model.default.desc = Úsáid an tsamhail iontaobhais stórais réamhshocraithe don suiteáil
+settings.trust_model.default.desc = Úsáid an tsamhail iontaobhais réamhshocraithe don stóras seo.
 settings.trust_model.collaborator = Comhoibritheoir
 settings.trust_model.collaborator.long = Comhoibritheoir: Sínithe muinín ag comhoibrithe
 settings.trust_model.collaborator.desc = Déanfar sínithe bailí ó chomhoibritheoirí an stóras seo a mharcáil mar 'iontaofa' – (cibé acu a mheaitseálann siad an tiomnóir nó nach bhfuil). Seachas sin, marcálfar sínithe bailí mar 'neamhiontaofa' má mheaitseálann an síniú an tiomnóir agus mar 'neamh-mheaitseáilte' mura bhfuil.
@@ -1760,7 +1968,7 @@ settings.add_collaborator_inactive_user = Ní féidir úsáideoir neamhghníomha
 settings.add_collaborator_owner = Ní féidir úinéir a chur leis mar chomhoibritheoir.
 settings.add_collaborator_duplicate = Tá an comhoibrí curtha leis an stóras seo cheana féin.
 settings.delete_collaborator = Bain
-settings.collaborator_deletion = Bain Comhoibritheoir
+settings.collaborator_deletion = Bain comhoibrí
 settings.collaborator_deletion_desc = Má dhéantar comhoibrí a bhaint, déanfar a rochtain ar an stóras seo a chúlghairm. Lean ort?
 settings.remove_collaborator_success = Tá an comhoibritheoir bainte.
 settings.org_not_allowed_to_be_collaborator = Ní féidir eagraíochtaí a chur leis mar chomhoibritheoir.
@@ -1865,7 +2073,7 @@ settings.packagist_api_token = Comhartha API
 settings.packagist_package_url = URL pacáiste Packagist
 settings.deploy_keys = Eochracha a imscaradh
 settings.add_deploy_key = Cuir Eochair Imscartha leis
-settings.deploy_key_desc = Tá rochtain tarraingthe léite amháin ag eochracha imscartha ar an stóras.
+settings.deploy_key_desc = Is féidir rochtain léite amháin nó rochtain léite-scríofa a bheith ag eochracha imscartha ar an stór.
 settings.is_writable = Cumasaigh Rochtain Scríobh
 settings.is_writable_info = Lig don eochair imlonnaithe seo <strong>a bhrú</strong> chuig an stóras.
 settings.no_deploy_keys = Níl aon eochracha imscartha ann fós.
@@ -1938,7 +2146,7 @@ settings.matrix.room_id = ID seomra
 settings.matrix.message_type = Cineál teachtaireachta
 settings.archive.button = Cartlann Stóras
 settings.archive.header = Cartlann an Stóras seo
-settings.archive.text = Má dhéantar an stóras a chartlannú, beidh sé léite go hiomlán amháin. Beidh sé i bhfolach ón bpainéal. Aon duine (ní fiú tú!) beidh siad in ann tiomantas nua a dhéanamh, nó aon saincheisteanna nó iarratais a tharraingt a oscailt.
+settings.archive.text = Trí an stór a chartlannú, beidh sé inléite amháin go hiomlán. Beidh sé i bhfolach ón deais. Ní bheidh aon duine (fiú tusa!) in ann gealltanais nua a dhéanamh, ná aon saincheisteanna ná iarratais tarraingthe a oscailt. Moltar an chúis cartlannúcháin a dhoiciméadú chun treoir a thabhairt do fhorbróirí amach anseo a bhfuil sé beartaithe acu an stór a fhorcadh.
 settings.archive.success = Rinneadh an stóras a chartlannú go rathúil.
 settings.archive.error = Tharla earráid agus tú ag iarraidh an stóras a chartlannú. Féach an logáil le haghaidh tuilleadh sonraí.
 settings.archive.error_ismirror = Ní féidir leat stóras scátháin a chartlannú.
@@ -1960,7 +2168,7 @@ settings.lfs_invalid_locking_path = Cosan neamhbhailí: %s
 settings.lfs_invalid_lock_directory = Ní féidir eolaire a ghlasáil: %s
 settings.lfs_lock_already_exists = Tá an glas ann cheana féin: %s
 settings.lfs_lock = Glas
-settings.lfs_lock_path = Cosán comhad le haghaidh glasáil...
+settings.lfs_lock_path = Cosán comhaid le glasáil…
 settings.lfs_locks_no_locks = Gan Glais
 settings.lfs_lock_file_no_exist = Níl an comhad faoi ghlas sa bhrainse réamhshocraithe
 settings.lfs_force_unlock = Díghlasáil Fórsa
@@ -2040,7 +2248,7 @@ release.ahead.commits = Geallann <strong>%d</strong>
 release.ahead.target = go %s ón scaoileadh seo
 tag.ahead.target = chuig %s ón gclib seo
 release.source_code = Cód Foinse
-release.new_subheader = Eagraíonn eiseachtaí leaganacha tionscadail
+release.new_subheader = Eagraíonn eisiúintí leaganacha tionscadail.
 release.edit_subheader = Eagraíonn eisiúintí leaganacha tionscadal.
 release.tag_name = Ainm chlib
 release.target = Sprioc
@@ -2098,7 +2306,7 @@ branch.included = San áireamh
 branch.create_new_branch = Cruthaigh brainse ón mbrainse:
 branch.confirm_create_branch = Cruthaigh brainse
 branch.warning_rename_default_branch = Tá tú ag athainmniú an bhrainse réamhshocraithe.
-branch.rename_branch_to = Athainmnigh "%s" go:
+branch.rename_branch_to = Ag athainmniú na brainse "%s".
 branch.create_branch_operation = Cruthaigh brainse
 branch.new_branch = Cruthaigh brainse nua
 branch.new_branch_from = `Cruthaigh brainse nua ó "%s"`
@@ -2115,9 +2323,353 @@ find_file.no_matching = Níl aon chomhad meaitseála le fáil
 error.csv.too_large = Ní féidir an comhad seo a rinneadh toisc go bhfuil sé ró-mhór.
 error.csv.unexpected = Ní féidir an comhad seo a rindreáil toisc go bhfuil carachtar ann gan súil leis i líne %d agus i gcolún %d.
 error.csv.invalid_field_count = Ní féidir an comhad seo a rindreáil toisc go bhfuil líon mícheart réimsí i líne %d.
+rss.must_be_on_branch = Ní mór duit a bheith ar bhrainse le go mbeidh fotha RSS agat.
+admin.manage_flags = Bainistigh bratacha
+admin.enabled_flags = Bratacha cumasaithe don stórlann:
+admin.update_flags = Bratacha nuashonraithe
+admin.failed_to_replace_flags = Theip ar bhrataí an stórais a athsholáthar
+admin.flags_replaced = Bratacha stórais athsholáthair
+new_repo_helper = Tá gach comhad tionscadail i stórlann, lena n-áirítear stair athbhreithnithe. An bhfuil ceann á óstáil in áit eile cheana féin? <a href="%s">Aistrigh an stórlann</a>.
+new_from_template = Úsáid teimpléad
+new_from_template_description = Is féidir leat teimpléad stórtha atá ann cheana a roghnú ar an gcás seo agus a shocruithe a chur i bhfeidhm.
+new_advanced = Socruithe ardleibhéil
+new_advanced_expand = Cliceáil chun leathnú
+repo_name_helper = Úsáideann ainmneacha maithe stórtha eochairfhocail ghearra, cuimhneacháin agus uathúla.
+size_format = %[1]s: %[2]s, %[3]s: %[4]s
+template_select = Roghnaigh teimpléad
+visibility_fork_helper = (Má athraítear seo, beidh tionchar aige ar infheictheacht na bhforcanna uile.)
+repo_gitignore_helper = Roghnaigh teimpléid .gitignore
+issue_labels = Lipéid
+issue_labels_helper = Roghnaigh tacar lipéad
+license_helper = Roghnaigh comhad ceadúnais
+license_helper_desc = Rialaíonn ceadúnas cad is féidir agus nach féidir le daoine eile a dhéanamh le do chód. Níl tú cinnte cé acu ceann atá ceart chun do thionscadal? Féach <a target="_blank" rel="noopener noreferrer" href="%s">Roghnaigh ceadúnas</a>.
+object_format_helper = Formáid réada an stórais. Ní féidir é a athrú níos déanaí. Is é SHA1 an ceann is comhoiriúnaí.
+readme_helper = Roghnaigh teimpléad comhaid README
+auto_init = Tosaigh an stórlann
+auto_init_description = Tosaigh stair Git le README agus cuir comhaid Ceadúnais agus .gitignore leis más mian leat.
+mirror_interval = Eatramh scátháin (is iad na haonaid ama bailí ná "h", "m", "s"). 0 chun sioncrónú tréimhsiúil a dhíchumasú. (Eatramh íosta: %s)
+mirror_public_key = Eochair SSH phoiblí
+mirror_use_ssh.text = Úsáid fíordheimhniú SSH
+mirror_use_ssh.helper = Déanfaidh Forgejo an stór a scáthánú trí Git thar SSH agus cruthóidh sé péire eochracha duit nuair a roghnaíonn tú an rogha seo. Ní mór duit a chinntiú go bhfuil údarú ag an eochair phoiblí a ghintear chun brú chuig an stór ceann scríbe. Ní féidir leat údarú bunaithe ar phasfhocal a úsáid agus é seo á roghnú agat.
+mirror_use_ssh.not_available = Níl fíordheimhniú SSH ar fáil.
+mirror_denied_combination = Ní féidir fíordheimhniú bunaithe ar eochair phoiblí agus pasfhocal a úsáid i gcomhar.
+author_search_tooltip = Taispeánann sé uasmhéid de 30 úsáideoir
+summary_card_alt = Cárta achoimre den stórlann %s
+tree_path_not_found.commit = Níl an cosán %[1]s ann i ngealltanas %[2]s
+tree_path_not_found.branch = Níl an cosán %[1]s ann i mbrainse %[2]s
+tree_path_not_found.tag = Níl an cosán %[1]s ann sa chlib %[2]s
+archive.title = Tá an stórlann seo cartlannaithe. Is féidir leat comhaid a fheiceáil agus é a chlónáil, ach ní féidir leat aon athruithe a dhéanamh ar a staid, amhail saincheisteanna nua a bhrú agus a chruthú, iarratais tarraingthe nó tuairimí.
+archive.nocomment = Ní féidir trácht a dhéanamh mar go bhfuil an stór cartlannaithe.
+archive.pull.noreview = Tá an stórlann seo cartlannaithe. Ní féidir leat iarratais tarraingthe a athbhreithniú.
+sync_fork.branch_behind_one = Tá an brainse seo %[1]d tiomantas taobh thiar de %[2]s
+sync_fork.branch_behind_few = Tá an brainse seo %[1]d tiomnuithe taobh thiar de %[2]s
+sync_fork.button = Sioncrónaigh
+form.string_too_long = Tá an teaghrán tugtha níos faide ná %d carachtar.
+migrate.repo_desc_helper = Fág folamh chun cur síos atá ann cheana a allmhairiú
+migrate.clone_address_desc = URL "clónála" HTTP(S) nó Git de stórlann atá ann cheana féin
+migrate.invalid_local_path = Tá an cosán áitiúil neamhbhailí. Níl sé ann nó ní eolaire é.
+subscribe.issue.guest.tooltip = Sínigh isteach chun liostáil leis an eagrán seo.
+subscribe.pull.guest.tooltip = Sínigh isteach chun liostáil leis an iarratas tarraingthe seo.
+no_desc = Gan cur síos
+project = Tionscadail
+file_follow = Lean nasc siombalach
+video_not_supported_in_browser = Ní thacaíonn do bhrabhsálaí leis an gclib "físeán" HTML5.
+audio_not_supported_in_browser = Ní thacaíonn do bhrabhsálaí leis an gclib "fuaime" HTML5.
+no_eol.text = Gan EOL
+no_eol.tooltip = Níl carachtar deireadh líne sa chomhad seo.
+editor.filename_help = Cuir eolaire leis trína ainm a chlóscríobh agus slais ("/") ina dhiaidh. Bain eolaire trí chúlspás a chlóscríobh ag tús an réimse ionchuir.
+editor.add_tmpl = Cuir "<%s>" leis
+editor.add_tmpl.filename = ainm comhaid
+editor.commit_directly_to_this_branch = Tiomnaigh go díreach chuig an mbrainse <strong class="%[2]s">%[1]s</strong>.
+editor.invalid_commit_mail = Ríomhphost neamhbhailí le haghaidh cruthú tiomantais.
+editor.commit_id_not_matching = Athraíodh an comhad agus tú á chur in eagar. Cuir i mbrainse nua é agus ansin cumasc é.
+commits.browse_further = Brabhsáil tuilleadh
+commits.renamed_from = Athainmnithe ó %s
+commits.view_single_diff = Féach ar athruithe ar an gcomhad seo a tugadh isteach sa tiomantas seo
+ext_issues = Saincheisteanna seachtracha
+projects.type.none = Dada
+projects.type.basic_kanban = Kanban bunúsach
+projects.type.bug_triage = Triage fabhtanna
+projects.template.desc = Teimpléad
+projects.template.desc_helper = Roghnaigh teimpléad tionscadail le tosú
+projects.column.edit = Cuir colún in eagar
+projects.column.edit_title = Ainm
+projects.column.new_title = Ainm
+projects.column.new_submit = Cruthaigh colún
+projects.column.new = Colún nua
+projects.column.set_default = Socraigh réamhshocrú
+projects.column.set_default_desc = Socraigh an colún seo mar réamhshocrú le haghaidh saincheisteanna agus tarraingtí neamhchatagóirithe
+projects.column.delete = Scrios colún
+projects.column.deletion_desc = Má scriostar colún tionscadail, bogtar na saincheisteanna gaolmhara go léir chuig an gcolún réamhshocraithe. Ar aghaidh?
+projects.column.color = Dath
+projects.card_type.desc = Réamhamhairc cártaí
+projects.card_type.images_and_text = Íomhánna agus téacs
+projects.card_type.text_only = Téacs amháin
+issues.filter_no_results = Gan aon torthaí
+issues.filter_no_results_placeholder = Bain triail as do scagairí cuardaigh a choigeartú.
+issues.new.no_label = Gan lipéid
+issues.new.open_milestone = Clocha míle oscailte
+issues.new.closed_milestone = Clocha míle dúnta
+issues.new.assign_to_me = Sannadh dom
+issues.label_templates.info = Níl aon lipéid ann fós. Cruthaigh lipéad le "Lipéad nua" nó bain úsáid as réamhshocrú lipéid:
+issues.label_templates.helper = Roghnaigh réamhshocrú lipéid
+issues.label_templates.use = Úsáid réamhshocrú lipéid
+issues.filter_poster_no_select = Gach údar
+issues.filter_type.all_pull_requests = Gach iarratas tarraingthe
+issues.filter_sort.relevance = Ábharthacht
+issues.all_title = Gach
+issues.num_reviews_one = %d athbhreithniú
+issues.num_reviews_few = %d athbhreithnithe
+issues.reaction.add = Cuir imoibriú leis
+issues.reaction.alt_few = D’fhreagair %[1] %[2].
+issues.reaction.alt_many = D’imoibrigh %[1]s agus %[2]d eile %[3].
+issues.reaction.alt_remove = Bain imoibriú %[1] ón trácht.
+issues.reaction.alt_add = Cuir imoibriú %[1] leis an trácht.
+issues.context.menu = Roghchlár tráchta
+issues.context.reference_issue = Tagairt in eagrán nua
+issues.ref_closing_from = `<a href="%[2]s">tagairt don cheist seo ó iarratas tarraingthe %[3]s a dhúnfaidh é</a>, %[1]s`
+issues.ref_reopening_from = `<a href="%[2]s">tagairt don cheist seo ó iarratas tarraingthe %[3]s a athosclóidh é</a>, %[1]s`
+issues.author.tooltip.issue = Is é an t-úsáideoir seo údar an tsaincheist seo.
+issues.author.tooltip.pr = Is é an t-úsáideoir seo údar an iarratais tarraingthe seo.
+issues.role.contributor_helper = Tá an t-úsáideoir seo tar éis gealltanas a thabhairt sa stórlann seo roimhe seo.
+issues.archived_label_description = (Cartlannaithe) %s
+issues.num_participants_one = %d rannpháirtí
+issues.num_participants_few = %d rannpháirtí
+issues.unpin_issue = Fadhb le díphionáil
+issues.max_pinned = Ní féidir leat níos mó saincheisteanna a phionáil
+issues.pin_comment = phionáil an %s seo
+issues.unpin_comment = díphionáilte an %s seo
+issues.lock_with_reason = faoi ghlas mar <strong>%s</strong> agus comhrá teoranta do chomhoibritheoirí %s
+issues.lock_no_reason = comhrá faoi ghlas agus teoranta do chomhoibritheoirí %s
+issues.unlock_comment = díghlasáil an comhrá seo %s
+issues.lock.notice_1 = - Ní féidir le húsáideoirí eile tuairimí nua a chur leis an gceist seo.
+issues.start_tracking_short = Tosaigh an lasc ama
+issues.start_tracking = Tosaigh ag rianú ama
+issues.start_tracking_history = `thosaigh ag obair %s`
+issues.stop_tracking = Stop an lasc ama
+issues.stop_tracking_history = `stop ag obair %s`
+issues.cancel_tracking = Caith uait
+issues.add_time = Cuir am leis de láimh
+issues.add_time_short = Cuir am leis
+issues.add_time_cancel = Cealaigh
+issues.add_time_history = `cuirtear am caite %s leis`
+issues.push_commit_1 = cuireadh %d tiomantas %s leis
+issues.push_commits_n = %d tiomantais %s curtha leis
+issues.force_push_codes = `brúite le fórsa %[1]s ó <a class="%[7]s" href="%[3]s"><code>%[2]s</code></a> %[8]s go <a class="%[7]s" href="%[5]s"><code>%[4]s</code></a> %[9]s %[6]s`
+issues.due_date_form = bbbb-mm-ll
+issues.due_date_form_edit = Cuir in Eagar
+issues.due_date_form_remove = Bain
+issues.due_date_not_set = Níl aon dáta dlite socraithe.
+issues.due_date_added = cuireadh an dáta dlite %s %s leis
+issues.due_date_modified = athraíodh an dáta dlite ó %[2]s go %[1]s %[3]s
+issues.due_date_remove = baineadh an dáta dlite %s %s
+issues.due_date_overdue = Thar téarma
+issues.due_date_invalid = Tá an dáta dlite neamhbhailí nó lasmuigh den raon. Úsáid an fhormáid "bbbb-mm-ll" le do thoil.
+issues.dependency.no_permission_1 = Níl cead agat %d spleáchas a léamh
+issues.dependency.no_permission_n = Níl cead agat %d spleáchas a léamh
+issues.dependency.no_permission.can_remove = Níl cead agat an spleáchas seo a léamh ach is féidir leat é a bhaint
+issues.dependency.issue_batch_close_blocked = Ní féidir na saincheisteanna roghnaithe a dhúnadh i mbaisceanna, mar tá spleáchais oscailte fós ag saincheist #%d
+issues.review.approve = ceadaíodh na hathruithe seo %s
+issues.review.comment = athbhreithnithe %s
+issues.review.dismissed = léirmheas %s %s curtha ar ceal
+issues.review.reject = athruithe iarrtha %s
+issues.review.add_review_request = iarradh athbhreithniú ó %[1]s %[2]s
+issues.review.add_review_requests = athbhreithnithe iarrtha ó %[1]s %[2]s
+issues.review.remove_review_request = iarratas athbhreithnithe bainte as %[1]s %[2]s
+issues.review.remove_review_requests = bainte iarratais athbhreithnithe do %[1]s %[2]s
+issues.review.remove_review_request_self = dhiúltaigh athbhreithniú a dhéanamh ar %s
+issues.review.add_remove_review_requests = iarradh léirmheasanna ó %[1]s agus baineadh iarratais ar léirmheasanna ó %[2]s %[3]s
+issues.blocked_by_user = Ní féidir leat saincheisteanna a chruthú sa stórlann seo mar go bhfuil tú blocáilte ag úinéir an stórlainne.
+comment.blocked_by_user = Ní féidir trácht a dhéanamh mar go bhfuil bac ort ag úinéir an stórais nó ag an údar.
+issues.summary_card_alt = Cárta achoimre ar shaincheist dar teideal "%s" sa stórlann %s
+pulls.sign_in_require = <a href="%s">Sínigh isteach</a> chun iarratas tarraingthe nua a chruthú.
+pulls.no_results = Níor aimsíodh aon torthaí.
+pulls.ready_for_review = Réidh le haghaidh athbhreithnithe?
+pulls.is_checking = Tá seiceáil coinbhleachta cumaisc ar siúl. Déan iarracht arís i gceann cúpla nóiméad.
+pulls.is_ancestor = Tá an brainse seo san áireamh cheana féin sa bhrainse sprice. Níl aon rud le cumasc.
+pulls.is_empty = Tá na hathruithe ar an mbrainse seo ar an mbrainse sprice cheana féin. Beidh sé seo ina thiomantas folamh.
+pulls.blocked_by_approvals = Níl dóthain ceaduithe faighte ag an iarratas tarraingthe seo go fóill. %d de %d ceaduithe deonaithe.
+pulls.blocked_by_rejection = Tá athruithe iarrtha ag athbhreithnitheoir oifigiúil ar an iarratas tarraingthe seo.
+pulls.blocked_by_official_review_requests = Tá an t-iarratas tarraingthe seo blocáilte mar níl cead faighte aige ó athbhreithneoir oifigiúil amháin nó níos mó.
+pulls.blocked_by_outdated_branch = Tá an t-iarratas tarraingthe seo blocáilte mar go bhfuil sé as dáta.
+pulls.blocked_by_changed_protected_files_1 = Tá an iarratas tarraingthe seo blocáilte mar go n-athraíonn sé comhad cosanta:
+pulls.blocked_by_changed_protected_files_n = Tá an t-iarratas tarraingthe seo blocáilte mar go n-athraíonn sé comhaid chosanta:
+pulls.num_conflicting_files_1 = %d comhad contrártha
+pulls.num_conflicting_files_n = %d comhad contrártha
+pulls.approve_count_1 = %d ceadú
+pulls.approve_count_n = %d ceaduithe
+pulls.reject_count_1 = %d iarratas athraithe
+pulls.reject_count_n = %d iarratais athraithe
+pulls.waiting_count_1 = %d ag fanacht le hathbhreithniú
+pulls.waiting_count_n = %d léirmheasanna ag fanacht
+pulls.wrong_commit_id = Ní mór don aitheantas tiomantais a bheith ina aitheantas tiomantais ar an mbrainse sprice
+pulls.blocked_by_user = Ní féidir leat iarratas tarraingthe a chruthú ar an stórlann seo mar go bhfuil tú blocáilte ag úinéir an stórlainne.
+pulls.commit_ref_at = `tagairt déanta don iarratas tarraingthe seo ó thiomnadh %s`
+pulls.cmd_instruction_hint = Féach treoracha líne ordaithe
+pulls.cmd_instruction_merge_desc = Cumaisc na hathruithe agus nuashonraigh ar Forgejo.
+pulls.cmd_instruction_merge_warning = <b>Rabhadh:</b> Níl an socrú "Braith cumasc láimhe go huathoibríoch" cumasaithe don stór seo, beidh ort an t-iarratas tarraingthe seo a mharcáil mar chumasctha de láimh ina dhiaidh sin.
+pulls.reopen_failed.head_branch = Ní féidir an t-iarratas tarraingthe a athoscailt, mar nach bhfuil an brainse ceann ann a thuilleadh.
+pulls.reopen_failed.base_branch = Ní féidir an t-iarratas tarraingthe a athoscailt, mar nach bhfuil an brainse bonn ann a thuilleadh.
+pulls.made_using_agit = AGit
+pulls.agit_explanation = Cruthaithe ag baint úsáide as sreabhadh oibre AGit. Ligeann AGit do rannpháirtithe athruithe a mholadh ag baint úsáide as "git push" gan forc ná brainse nua a chruthú.
+pulls.editable = In-eagarthóireacht
+pulls.editable_explanation = Ceadaíonn an iarratas tarraingthe seo eagarthóireachtaí ó chothaitheoirí. Is féidir leat cur leis go díreach.
+pulls.delete_after_merge.head_branch.is_default = Is é an brainse ceann is mian leat a scriosadh an brainse réamhshocraithe agus ní féidir é a scriosadh.
+pulls.delete_after_merge.head_branch.is_protected = Is brainse cosanta an ceannbhrainse is mian leat a scriosadh agus ní féidir í a scriosadh.
+pulls.delete_after_merge.head_branch.insufficient_branch = Níl cead agat an brainse ceann a scriosadh.
+pulls.recently_pushed_new_branches = Bhrúigh tú ar bhrainse <a href="%[3]s"><strong>%[1]s</strong></a> %[2]s
+milestones.invalid_due_date_format = Ní mór don dáta dlite a bheith i bhformáid "bbbb-mm-ll".
+milestones.filter_sort.earliest_due_data = Dáta dlite is gaire
+milestones.filter_sort.latest_due_date = An dáta dlite is faide
+signing.wont_sign.nokey = Níl aon eochair ag an gcás seo chun an tiomantas seo a shíniú leis.
+ext_wiki = Vicí Sheachtrach
+wiki.cancel = Cealaigh
+wiki.wiki_page_revisions = Athbhreithnithe leathanaigh
+wiki.page_name_desc = Cuir isteach ainm don leathanach Vicí seo. Seo a leanas roinnt ainmneacha speisialta: "Baile", "_Barra Taobh" agus "_Buntásc".
+wiki.search = Cuardaigh vicí
+wiki.no_search_results = Gan aon torthaí
+activity.published_release_label = Scaoileadh
+activity.published_prerelease_label = Réamh-eisiúint
+activity.published_tag_label = Clib
+activity.commit = Gníomhaíocht tiomanta
+settings.federation_settings = Socruithe Cónaidhme
+settings.federation_apapiurl = URL Cónaidhme an stórais seo. Cóipeáil agus greamaigh é seo i Socruithe Cónaidhme stórais eile mar URL Stórais ina dhiaidh sin.
+settings.federation_following_repos = URLanna na Stórtha Seo a Leanas. Scartha le ";", gan spás bán.
+settings.federation_not_enabled = Níl cónaidhm cumasaithe ar do chás.
+settings.mirror_settings.push_mirror.none_ssh = Dada
+settings.units.units = Aonaid
+settings.units.overview = Forbhreathnú
+settings.units.add_more = Cumasaigh níos mó
+settings.mirror_settings.push_mirror.copy_public_key = Cóipeáil eochair phoiblí
+settings.pull_mirror_sync_quota_exceeded = Cuóta sáraithe, níl athruithe á dtarraingt.
+settings.update_settings = Sábháil socruithe
+settings.wiki_globally_editable = Ceadaigh d'aon duine an vicí a chur in eagar
+settings.default_update_style_desc = Stíl nuashonraithe réamhshocraithe a úsáidtear chun iarratais tarraingthe atá taobh thiar den bhrainse bonn a nuashonrú.
+settings.packages_desc = Cumasaigh clárlann pacáiste stórtha
+settings.projects_desc = Cumasaigh tionscadail stórtha
+settings.actions_desc = Cumasaigh píblínte comhtháite CI/CD le Gníomhartha Forgejo
+settings.admin_indexer_commit_sha = An tiomnú innéacsaithe deireanach
+settings.new_owner_blocked_doer = Tá an t-úinéir nua tar éis bac a chur ort.
+settings.transfer.title = Aistrigh úinéireacht
+settings.transfer.button = Aistrigh úinéireacht
+settings.transfer.modal.title = Aistrigh úinéireacht
+settings.enter_repo_name = Cuir isteach ainm an úinéara agus an stórais díreach mar a thaispeántar:
+settings.confirmation_string = Teaghrán dearbhaithe
+settings.transfer_quota_exceeded = Tá an t-úinéir nua (%s) thar an gcuóta. Níor aistríodh an stórlann.
+settings.trust_model.committer.long = Tiomnóir: Sínithe muiníne a mheaitseálann tiomnóirí (Meaitseálann sé seo GitHub agus cuirfidh sé iallach ar thiomnuithe sínithe Forgejo a bheith mar an tiomnóir)
+settings.trust_model.committer.desc = Ní mharcálfar sínithe bailí mar "iontaofa" ach amháin má mheaitseálann siad an tiomnóir, nó marcálfar iad mar "gan mheaitseáil". Cuireann sé seo iallach ar Forgejo a bheith ina thiomnóir ar thiomnuithe sínithe agus an tiomnóir iarbhír marcáilte mar Chomhúdaraithe ag: agus Co-thiomnaithe ag: leantóir sa thiomnú. Caithfidh eochair réamhshocraithe Forgejo a bheith ag teacht le hÚsáideoir sa bhunachar sonraí.
+settings.trust_model.collaboratorcommitter.desc = Marcálfar sínithe bailí ó chomhoibritheoirí an stórais seo mar "iontaofa" má mheaitseálann siad an tiomnóir. Seachas sin, marcálfar sínithe bailí mar "neamhiontaofa" má mheaitseálann an síniú an tiomnóir agus "gan mheaitseáil" murach sin. Cuirfidh sé seo iallach ar Forgejo a bheith marcáilte mar an tiomnóir ar thiomnuithe sínithe agus an tiomnóir iarbhír marcáilte mar Chomhúdaraithe ag: agus Co-Tiomnaithe ag: leantóir sa tiomnú. Ní mór don eochair réamhshocraithe Forgejo a bheith ag teacht le hÚsáideoir sa bhunachar sonraí.
+settings.wiki_rename_branch_main = Normalú ainm na brainse Vicí
+settings.wiki_rename_branch_main_desc = Athainmnigh an brainse a úsáideann an Vicí go hinmheánach go "%s". Tá an t-athrú seo buan agus ní féidir é a chealú.
+settings.wiki_rename_branch_main_notices_1 = <strong>NÍ FÉIDIR</strong> an oibríocht seo a chealú.
+settings.wiki_rename_branch_main_notices_2 = Athróidh sé seo ainm buan an bhrainse inmheánaigh de vicí stórtha %s. Beidh gá na seiceálacha atá ann cheana a nuashonrú.
+settings.wiki_branch_rename_success = Tá ainm brainse vicí an stórais déanta ar normalú go rathúil.
+settings.wiki_branch_rename_failure = Theip ar ainm brainse vicí an stórais a normalú.
+settings.confirm_wiki_branch_rename = Athainmnigh an brainse vicí
+settings.add_collaborator_blocked_our = Ní féidir an comhoibrí a chur leis, mar tá bac curtha ag úinéir an stórais air/uirthi.
+settings.add_collaborator_blocked_them = Ní féidir an comhoibrí a chur leis, mar tá úinéir an stórais blocáilte acu.
+settings.add_webhook.invalid_path = Ní féidir cuid den chonair a bheith ann arb ionann í agus "." nó ".." nó an teaghrán folamh. Ní féidir léi tosú ná críochnú le slais.
+settings.hooks_desc = Déanann Webhooks iarratais HTTP POST chuig freastalaí go huathoibríoch nuair a spreagtar imeachtaí Forgejo áirithe. Léigh tuilleadh sa <a target="_blank" rel="noopener noreferrer" href="%s">treoir crúcaí gréasáin</a>.
+settings.githooks_desc = Tá Git féin ag tiomáint crúcaí Git. Is féidir leat comhaid crúcaí a chur in eagar thíos chun oibríochtaí saincheaptha a shocrú.
+settings.add_webhook_desc = Seolfaidh Forgejo iarratais <code>POST</code> le Cineál Ábhair sonraithe chuig an URL sprice. Léigh tuilleadh sa <a target="_blank" rel="noopener noreferrer" href="%s">treoir crúcaí gréasáin</a>.
+settings.discord_icon_url.exceeds_max_length = Ní mór URL an deilbhín a bheith níos lú ná nó cothrom le 2048 carachtar
+settings.event_issues = Modhnú
+settings.event_issue_assign = Sannadh
+settings.event_issue_label = Lipéid
+settings.event_issue_label_desc = Lipéid eisiúna curtha leis nó bainte.
+settings.event_issue_milestone = Clocha míle
+settings.event_issue_milestone_desc = Cloch mhíle curtha leis, bainte nó modhnaithe.
+settings.event_issue_comment = Tráchtanna
+settings.event_pull_request = Modhnú
+settings.event_pull_request_assign = Sannadh
+settings.event_pull_request_label = Lipéid
+settings.event_pull_request_label_desc = Lipéid iarrata tarraingthe curtha leis nó bainte.
+settings.event_pull_request_milestone = Clocha míle
+settings.event_pull_request_milestone_desc = Cloch mhíle curtha leis, bainte nó modhnaithe.
+settings.event_pull_request_comment = Tráchtanna
+settings.event_pull_request_review = Léirmheasanna
+settings.event_pull_request_review_desc = Iarratas tarraingthe ceadaithe, diúltaithe, nó tuairimí athbhreithnithe curtha leis.
+settings.event_pull_request_sync = Sioncrónaithe
+settings.event_pull_request_sync_desc = Brainse nuashonraithe go huathoibríoch leis an mbrainse sprice.
+settings.event_pull_request_review_request = Iarratais athbhreithnithe
+settings.event_pull_request_enforcement = Forfheidhmiú
+settings.event_header_action = Imeachtaí Rith Gníomhaíochta
+settings.event_action_failure = Teip
+settings.event_action_failure_desc = Chríochnaigh an Rith Gníomhaíochta mar theip.
+settings.event_action_recover = Aisghabháil
+settings.event_action_recover_desc = D’éirigh leis an Rith Gníomhaíochta tar éis don Rith Gníomhaíochta deireanach sa sreabhadh oibre céanna teip.
+settings.event_action_success = Rath
+settings.event_action_success_desc = D’éirigh leis an Rith Gníomhaíochta.
+settings.graphql_url = URL GraphQL
+settings.web_hook_name_forgejo = Forgejo
+settings.web_hook_name_feishu = Feishu / Lark Suite
+settings.web_hook_name_feishu_only = Feishu
+settings.web_hook_name_larksuite_only = Sraith Lark
+settings.web_hook_name_sourcehut_builds = Tógálacha SourceHut
+settings.sourcehut_builds.manifest_path = Tóg cosán léirithe
+settings.sourcehut_builds.visibility = Infheictheacht poist
+settings.sourcehut_builds.secrets = Rúin
+settings.sourcehut_builds.secrets_helper = Tabhair rochtain don phost ar na rúin tógála (éilíonn sé seo an deontas SECRETS:RO)
+settings.sourcehut_builds.access_token_helper = Comhartha rochtana a bhfuil deontas JOBS:RW aige. Gin <a target="_blank" rel="noopener noreferrer" href="%s">comhartha builds.sr.ht</a> nó comhartha <a target="_blank" rel="noopener noreferrer" href="%s">builds.sr.ht le rochtain rúnda</a> ar meta.sr.ht.
+settings.branch_protection = Rialacha cosanta don bhrainse "<b>%s</b>"
+settings.protect_new_rule = Cruthaigh riail nua um chosaint brainse
+settings.protect_whitelist_committers = Brú srianta ar an liosta bán
+settings.protect_whitelist_committers_desc = Ní cheadófar ach d'úsáideoirí nó foirne atá ar an liosta bán brú a chur chuig an mbrainse seo (ach ní bheidh cead acu brú fórsaithe a chur orthu).
+settings.protect_whitelist_deploy_keys = Cuir eochracha imscartha le rochtain scríbhneoireachta ar bhrú ar an liosta bán.
+settings.protect_whitelist_users = Úsáideoirí ar an liosta bán le haghaidh brú
+settings.protect_whitelist_teams = Foirne ar an liosta bán le haghaidh brú
+settings.protect_merge_whitelist_committers = Cumasaigh liosta bán cumaiscthe
+settings.protect_merge_whitelist_committers_desc = Lig d’úsáideoirí nó foirne atá ar an liosta bán amháin iarratais tarraingthe a chumasc isteach sa bhrainse seo.
+settings.protect_merge_whitelist_users = Úsáideoirí ar an liosta bán le haghaidh cumasc
+settings.protect_merge_whitelist_teams = Foirne ar an liosta bán le haghaidh cumasc
+settings.protect_status_check_patterns = Patrúin seiceála stádais
+settings.protect_required_approvals = Ceaduithe riachtanacha
+settings.protect_required_approvals_desc = Ní cheadaítear ach iarratas tarraingthe a chumasc le dóthain léirmheasanna dearfacha.
+settings.protect_approvals_whitelist_enabled = Srian a chur le ceaduithe d'úsáideoirí nó foirne atá ar an liosta bán
+settings.protect_approvals_whitelist_enabled_desc = Ní chuirfear san áireamh ach léirmheasanna ó úsáideoirí nó foirne atá ar an liosta bán sna ceaduithe riachtanacha. Gan cheadú ar an liosta bán, cuirfear san áireamh léirmheasanna ó aon duine a bhfuil rochtain scríbhneoireachta acu sna ceaduithe riachtanacha.
+settings.protect_approvals_whitelist_users = Athbhreithneoirí ar an liosta bán
+settings.protect_approvals_whitelist_teams = Foirne ar liosta bán le haghaidh athbhreithnithe
+settings.protect_branch_name_pattern_desc = Patrúin ainmneacha brainse faoi chosaint. Féach <a href="%s">an doiciméadacht</a> le haghaidh comhréir na patrún. Samplaí: main, release/**
+settings.protect_protected_file_patterns = Patrúin chomhaid chosanta (scartha ag baint úsáide as leathstad ";")
+settings.protect_protected_file_patterns_desc = Ní cheadaítear comhaid chosanta a athrú go díreach fiú má tá cearta ag an úsáideoir comhaid a chur leis, a chur in eagar nó a scriosadh sa bhrainse seo. Is féidir patrúin iolracha a dheighilt le leathstad (";"). Féach ar dhoiciméadú <a href="%[1]s">%[2]s</a> le haghaidh comhréir patrún. Samplaí: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>.
+settings.protect_unprotected_file_patterns = Patrúin chomhaid neamhchosanta (scartha ag baint úsáide as leathstad ";")
+settings.protect_unprotected_file_patterns_desc = Comhaid neamhchosanta a cheadaítear a athrú go díreach má tá rochtain scríbhneoireachta ag an úsáideoir, ag seachaint srianadh brú. Is féidir patrúin iolracha a dheighilt ag baint úsáide as leathstad (";"). Féach ar dhoiciméadú <a href="%[1]s">%[2]s</a> le haghaidh comhréir patrún. Samplaí: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>.
+settings.enforce_on_admins = Cuir an riail seo i bhfeidhm do riarthóirí stórtha
+settings.enforce_on_admins_desc = Ní féidir le riarthóirí stórtha an riail seo a sheachaint.
+settings.protected_branch_duplicate_rule_name = Tá riail ann cheana féin don tsraith brainsí seo
+settings.tags.protection.create = Cuir riail leis
+settings.matrix.access_token_helper = Moltar cuntas tiomnaithe Matrix a bhunú chuige seo. Is féidir an comhartha rochtana a aisghabháil ón gcliant gréasáin Element (i gcluaisín príobháideach/gan ainm) > Roghchlár Úsáideora (barr ar chlé) > Gach socrú > Cabhair & Maidir Linn > Ardleibhéil > Comhartha Rochtana (díreach faoin URL Homeserver). Dún an cluaisín príobháideach/gan ainm (chuirfeadh logáil amach an comhartha ar neamhní).
+settings.matrix.room_id_helper = Is féidir ID an tSeomra a aisghabháil ón gcliant gréasáin Element > Socruithe Seomra > Ardleibhéil > ID seomra inmheánach. Sampla: %s.
+settings.archive.branchsettings_unavailable = Níl socruithe brainse ar fáil i stórtha cartlannaithe.
+settings.archive.tagsettings_unavailable = Níl socruithe clibeanna ar fáil i stórtha cartlannaithe.
+settings.archive.mirrors_unavailable = Níl scátháin ar fáil i stórtha cartlannaithe.
+settings.unarchive.text = Má dhíchartlannaítear an stór, athbhunófar a chumas chun gealltanais agus brúnna a fháil, chomh maith le saincheisteanna nua agus iarratais tarraingthe.
+settings.lfs_delete_warning = D’fhéadfadh sé go mbeadh earráidí “níl an réad ann” mar thoradh ar chomhad LFS a scriosadh ag an tseiceáil amach. An bhfuil tú cinnte?
+settings.lfs_pointers.sha = Bloba hais
+settings.rename_branch_failed_protected = Ní féidir an brainse %s a athainmniú mar is brainse faoi chosaint é.
+diff.git-notes.add = Cuir nóta leis
+diff.git-notes.remove-header = Bain nóta
+diff.git-notes.remove-body = Bainfear an nóta seo.
+diff.data_not_available = Níl ábhar difriúil ar fáil
+diff.comment.markdown_info = Tacaítear le stíliú le Markdown.
+diff.review = Críochnaigh an t-athbhreithniú
+release.deletion_desc = Ní dhéanann scriosadh eisiúint ach é a bhaint as Forgejo. Ní dhéanfaidh sé difear don chlib Git, d'ábhar do stórtha ná dá stair. Lean ar aghaidh?
+release.hide_archive_links = Folaigh cartlanna a ghintear go huathoibríoch
+release.hide_archive_links_helper = Folaigh cartlanna cód foinse a ghintear go huathoibríoch don eisiúint seo. Mar shampla, má tá tú ag uaslódáil do chuid féin.
+release.add_tag = Cruthaigh clib
+release.system_generated = Gintear an ceangaltán seo go huathoibríoch.
+release.type_attachment = Ceangaltán
+release.type_external_asset = Sócmhainn sheachtrach
+release.asset_name = Ainm sócmhainne
+release.asset_external_url = URL seachtrach
+release.add_external_asset = Cuir sócmhainn sheachtrach leis
+release.invalid_external_url = URL seachtrach neamhbhailí: "%s"
+release.summary_card_alt = Cárta achoimre ar eisiúint dar teideal "%s" sa stórlann %s
+topic.format_prompt = Ní mór do thopaicí tosú le litir nó uimhir, féadfar fleascáin ("-") agus poncanna ("." a áireamh, agus féadfar suas le 35 carachtar a bheith iontu. Ní mór litreacha a bheith i litreacha beaga.
+find_file.go_to_file = Aimsigh comhad
 
 [graphs]
-component_loading = Á lódáil %s...
+component_loading = Ag lódáil %s…
 component_loading_failed = Ní fhéadfaí %s a luchtú
 component_loading_info = Seans go dtógfaidh sé seo beagán…
 component_failed_to_load = Tharla earráid gan choinne.
@@ -2226,6 +2778,18 @@ teams.all_repositories_helper = Tá rochtain ag an bhfoireann ar gach stórais.
 teams.invite.title = Tugadh cuireadh duit dul isteach i bhfoireann <strong>%s</strong> san eagraíocht <strong>%s</strong>.
 teams.invite.by = Ar cuireadh ó %s
 teams.invite.description = Cliceáil ar an gcnaipe thíos le do thoil chun dul isteach san fhoireann.
+open_dashboard = Oscail an painéal rialaithe
+repo_updated = Nuashonraithe %s
+follow_blocked_user = Ní féidir leat an eagraíocht seo a leanúint mar tá bac curtha ag an eagraíocht seo ort.
+settings.visibility.limited = Teoranta (le feiceáil ag úsáideoirí atá sínithe isteach amháin)
+settings.change_orgname_redirect_prompt.with_cooldown.one = Beidh seanainm na heagraíochta ar fáil do chách tar éis tréimhse fuaraithe %[1]d lá. Is féidir leat an seanainm a éileamh ar ais fós le linn na tréimhse fuaraithe.
+settings.change_orgname_redirect_prompt.with_cooldown.few = Beidh seanainm na heagraíochta ar fáil do chách tar éis tréimhse fuaraithe %[1]d lá. Is féidir leat an seanainm a éileamh ar ais fós le linn na tréimhse fuaraithe.
+members.leave.detail = An bhfuil tú cinnte gur mian leat imeacht as eagraíocht "%s"?
+teams.leave.detail = An bhfuil tú cinnte gur mian leat imeacht ón bhfoireann "%s"?
+teams.none_access_helper = Ní bhíonn éifeacht ag an rogha "gan rochtain" ach ar stórtha príobháideacha.
+teams.general_access = Rochtain saincheaptha
+teams.admin_permission_desc = Tugann an fhoireann seo rochtain don <strong>Riarthóir</strong>: is féidir le baill léamh ó stórtha foirne, brú chucu agus comhoibritheoirí a chur leo.
+teams.add_nonexistent_repo = Níl an stórlann atá tú ag iarraidh a chur leis ann, cruthaigh í ar dtús le do thoil.
 
 [admin]
 dashboard = Deais
@@ -2282,8 +2846,8 @@ dashboard.update_migration_poster_id = Nuashonraigh ID póstaer imir
 dashboard.git_gc_repos = Bailíonn truflais gach stórais
 dashboard.reinit_missing_repos = Aththosaigh gach stórais Git atá in easnamh a bhfuil taifid ann dóibh
 dashboard.sync_external_users = Sioncrónaigh sonraí úsáideoirí seachtracha
-dashboard.cleanup_hook_task_table = Tábla hook_task glantacháin
-dashboard.cleanup_packages = Pacáistí glanta in éag
+dashboard.cleanup_hook_task_table = Glan suas an tábla hook_task
+dashboard.cleanup_packages = Glan suas pacáistí atá imithe in éag
 dashboard.server_uptime = Aga fónaimh Freastalaí
 dashboard.current_goroutine = Goroutines Reatha
 dashboard.current_memory_usage = Úsáid Cuimhne Reatha
@@ -2368,9 +2932,9 @@ emails.filter_sort.email_reverse = Ríomhphost (droim ar ais)
 emails.updated = Nuashonraíodh an ríomhphost
 emails.not_updated = Theip ar an seoladh ríomhphoist iarrtha a nuashonrú: %v
 emails.duplicate_active = Tá an seoladh ríomhphoist seo gníomhach cheana féin d'úsáideoir difriúil.
-emails.change_email_header = Nuashonraigh Airíonna Ríomhphoist
+emails.change_email_header = Nuashonraigh airíonna ríomhphoist
 emails.change_email_text = An bhfuil tú cinnte gur mhaith leat an seoladh ríomhphoist seo a nuashonrú?
-emails.delete = Scrios Ríomhphost
+emails.delete = Scrios seoladh ríomhphoist
 emails.delete_desc = An bhfuil tú cinnte gur mhaith leat an seoladh ríomhphoist seo a scriosadh?
 emails.deletion_success = Tá an seoladh ríomhphoist scriosta.
 emails.delete_primary_email_error = Ní féidir leat an ríomhphost príomhúil a scriosadh.
@@ -2496,7 +3060,7 @@ auths.update_success = Nuashonraíodh an fhoinse fíordheimhnithe.
 auths.update = Nuashonraigh Foinse Fíordheimhnithe
 auths.delete = Scrios Foinse Fíordheimhnithe
 auths.delete_auth_title = Scrios Foinse Fíordheimhnithe
-auths.delete_auth_desc = Má scriosann tú foinse fíordheimhnithe cuirtear cosc ​​ar úsáideoirí í a úsáid chun síniú isteach. Lean ort?
+auths.delete_auth_desc = Má scriostar foinse fíordheimhnithe, cuirtear cosc ar úsáideoirí í a úsáid chun síniú isteach. Ar aghaidh?
 auths.still_in_used = Tá an fhoinse fíordheimhnithe fós in úsáid. Tiontaigh nó scrios aon úsáideoir a úsáideann an fhoinse fíordheimhnithe seo ar dtús.
 auths.deletion_success = Tá an fhoinse fíordheimhnithe scriosta.
 auths.login_source_exist = Tá an fhoinse fíordheimhnithe "%s" ann cheana.
@@ -2505,7 +3069,7 @@ auths.unable_to_initialize_openid = Ní féidir Soláthraí Ceangail OpenID a th
 auths.invalid_openIdConnectAutoDiscoveryURL = URL Neamhbhailí Fionnachtana Uathoibríoch (ní mór gur URL bailí é seo ag tosú le http:// nó https://)
 config.server_config = Cumraíocht Freastalaí
 config.custom_conf = Cosán Comhad Cumraíochta
-config.domain = Fearann ​​Freastalaí
+config.domain = Fearann freastalaí
 config.offline_mode = Mód Áitiúil
 config.disable_router_log = Díchumasaigh Loga an Ródaire
 config.run_mode = Mód Rith
@@ -2658,6 +3222,88 @@ notices.delete_success = Scriosadh na fógraí córais.
 self_check.no_problem_found = Níor aimsíodh aon fhadhb fós.
 self_check.database_collation_mismatch = Bí ag súil le comhthiomsú a úsáid sa bhunachar sonraí: %s
 self_check.database_inconsistent_collation_columns = Tá comhthiomsú %s in úsáid ag an mbunachar sonraí, ach tá comhthiomsuithe mímheaitseála á n-úsáid ag na colúin seo. D'fhéadfadh sé a bheith ina chúis le roinnt fadhbanna gan choinne.
+dashboard.new_version_hint = Tá Forgejo %s ar fáil anois, tá %s á rith agat. Seiceáil <a target="_blank" rel="noreferrer" href="%s">an blag</a> le haghaidh tuilleadh sonraí.
+dashboard.operations = Oibríochtaí cothabhála
+dashboard.delete_repo_archives = Scrios cartlanna na stórtha uile (ZIP, TAR.GZ, srl.)
+dashboard.sync_repo_branches = Sioncrónaigh brainsí caillte ó shonraí Git go bunachar sonraí
+dashboard.resync_all_sshkeys = Nuashonraigh an comhad ".ssh/authorized_keys" le heochracha SSH Forgejo.
+dashboard.resync_all_sshprincipals = Nuashonraigh an comhad ".ssh/authorized_principals" le príomhoidí SSH Forgejo.
+dashboard.resync_all_hooks = Athshioncrónaigh crúcaí Git na stórtha uile (réamhghlacadh, nuashonrú, iarghlacadh, próiseasghlacadh, ...)
+dashboard.cleanup_actions = Glan suas logaí agus déantáin atá imithe in éag ó ghníomhartha
+dashboard.last_gc_time = Am ó GC deireanach
+dashboard.stop_zombie_tasks = Stop tascanna gníomhartha zombie
+dashboard.stop_endless_tasks = Stop tascanna gníomhartha gan teorainn
+dashboard.cancel_abandoned_jobs = Cealaigh poist gníomhartha tréigthe
+dashboard.start_schedule_tasks = Tosaigh tascanna gníomhartha sceidealaithe
+dashboard.sync_branch.started = Tosaíodh sioncrónú brainse
+dashboard.sync_tag.started = Tosaíodh sioncrónú clibeanna
+users.user_manage_panel = Bainistigh cuntais úsáideoirí
+users.never_login = Níor shínigh tú isteach riamh
+users.send_register_notify = Fógra faoi chlárú trí ríomhphost
+users.is_activated = Cuntas gníomhachtaithe
+users.activated.description = Fíorú ríomhphoist críochnaithe. Ní bheidh úinéir cuntais neamhghníomhachtaithe in ann logáil isteach go dtí go mbeidh fíorú ríomhphoist críochnaithe.
+users.prohibit_login = Cuntas ar fionraí
+users.block.description = Bac an t-úsáideoir seo ó idirghníomhú leis an tseirbhís seo trína chuntas agus toirmisc síniú isteach.
+users.is_admin = Cuntas riarthóra
+users.admin.description = Tabhair rochtain iomlán don úsáideoir seo ar na gnéithe riaracháin go léir atá ar fáil tríd an gcomhéadan úsáideora gréasáin agus an API.
+users.is_restricted = Cuntas srianta
+users.restricted.description = Ní cheadaítear idirghníomhaíocht ach leis na stórtha agus na heagraíochtaí ina bhfuil an t-úsáideoir seo curtha leis mar chomhoibrí. Cuireann sé seo cosc ar rochtain ar stórtha poiblí ar an gcás seo.
+users.allow_git_hook = Is féidir crúcaí Git a chruthú
+users.allow_git_hook_tooltip = Déantar crúcaí Git a fhorghníomhú mar úsáideoir an chórais oibriúcháin atá ag rith Forgejo agus beidh an leibhéal céanna rochtana óstach acu. Mar thoradh air sin, is féidir le húsáideoirí leis an bpribhléid speisialta seo ar an gcrúca Git rochtain a fháil ar gach stór Forgejo agus iad a mhodhnú chomh maith leis an mbunachar sonraí a úsáideann Forgejo. Dá bhrí sin, is féidir leo pribhléidí riarthóra Forgejo a fháil freisin.
+users.allow_import_local = Is féidir stórtha áitiúla a allmhairiú
+users.local_import.description = Ceadaigh iompórtáil stórtha ó chóras comhad áitiúil an fhreastalaí. Is féidir gur fadhb slándála í seo.
+users.allow_create_organization = Is féidir eagraíochtaí a chruthú
+users.organization_creation.description = Ceadaigh cruthú eagraíochtaí nua.
+users.cannot_delete_self = Ní féidir leat tú féin a scriosadh
+users.purge_help = Scrios an t-úsáideoir agus aon stórtha, eagraíochtaí agus pacáistí atá faoi úinéireacht an úsáideora go foréigneach. Scriosfar gach trácht agus fadhb a phostáil an t-úsáideoir seo freisin.
+emails.email_manage_panel = Bainistigh ríomhphoist úsáideoirí
+emails.filter_sort.name = Ainm úsáideora
+emails.filter_sort.name_reverse = Ainm úsáideora (droim ar ais)
+orgs.org_manage_panel = Bainistigh eagraíochtaí
+repos.repo_manage_panel = Bainistigh stórtha
+repos.unadopted.no_more = Ní bhfuarthas aon stórtha neamhuchtaithe.
+packages.package_manage_panel = Bainistigh pacáistí
+defaulthooks.desc = Déanann crúcaí gréasáin iarratais HTTP POST chuig freastalaí go huathoibríoch nuair a spreagtar imeachtaí Forgejo áirithe. Is réamhshocruithe iad na crúcaí gréasáin atá sainmhínithe anseo agus déanfar iad a chóipeáil isteach i ngach stórlann nua. Léigh tuilleadh sa <a target="_blank" rel="noopener" href="%s">treoir na gcrúcaí gréasáin</a>.
+systemhooks.desc = Déanann crúcaí gréasáin iarratais HTTP POST chuig freastalaí go huathoibríoch nuair a spreagtar imeachtaí Forgejo áirithe. Gníomhóidh crúcaí gréasáin atá sainmhínithe anseo ar gach stórlann ar an gcóras, mar sin smaoinigh ar aon impleachtaí feidhmíochta a d'fhéadfadh a bheith aige seo. Léigh tuilleadh sa <a target="_blank" rel="noopener" href="%s">treoir crúcaí gréasáin</a>.
+auths.auth_manage_panel = Bainistigh foinsí fíordheimhnithe
+auths.attribute_username_placeholder = Fág folamh chun an t-ainm úsáideora a iontráladh i Forgejo a úsáid.
+auths.default_domain_name = Ainm fearainn réamhshocraithe a úsáidtear don seoladh ríomhphoist
+auths.restricted_filter_helper = Fág folamh le gan aon úsáideoirí a shocrú mar shrianta. Úsáid réalta ("*") chun gach úsáideoir nach bhfuil ag teacht le scagaire an Riarthóra a shocrú mar shrianta.
+auths.allowed_domains_helper = Fág folamh chun gach fearann a cheadú. Deighil fearainn iolracha le camóg (",").
+auths.skip_tls_verify = Seachain fíorú TLS
+auths.tips.gmail_settings = Socruithe Gmail:
+auths.tip.bitbucket = Cláraigh tomhaltóir OAuth nua ar %s agus cuir an cead "Cuntas" - "Léigh" leis
+auths.tip.openid_connect = Bain úsáid as URL OpenID Connect Discovery (<server>/.well-known/openid-configuration) chun na críochphointí a shonrú
+config.app_name = Teideal an sampla
+config.app_slogan = Slogan samplach
+config.app_ver = Leagan Forgejo
+config.app_url = Bun-URL
+config.custom_file_root_path = Cosán fréimhe comhaid saincheaptha
+config.run_user = Úsáideoir le rith mar
+config.reverse_auth_user = Úsáideoir fíordheimhnithe seachfhreastalaí droim ar ais
+config.ssh_keygen_path = Cosán Keygen ("ssh-keygen")
+config.lfs_http_auth_expiry = Am éaga údaraithe HTTP LFS
+config.allow_only_internal_registration = Ceadaigh clárú trí Forgejo féin amháin
+config.require_sign_in_view = Éilítear síniú isteach chun ábhar a fheiceáil
+config.active_code_lives = Am éaga an chóid ghníomhachtaithe
+config.reset_password_code_lives = Am éaga an chóid aisghabhála
+config.allow_dots_in_usernames = Ceadaigh d’úsáideoirí poncanna a úsáid ina n-ainmneacha úsáideora. Ní dhéanann sé difear do chuntais atá ann cheana féin.
+config.default_visibility_organization = Infheictheacht réamhshocraithe eagraíochtaí nua
+config.mailer_smtp_addr = Óstach SMTP
+config.send_test_mail = Seol ríomhphost tástála
+config.test_mail_failed = Theip ar ríomhphost tástála a sheoladh chuig "%s": %v
+config.test_mail_sent = Tá ríomhphost tástála seolta chuig "%s".
+config.session_life_time = Saolré na seisiún
+config.git_disable_diff_highlight = Díchumasaigh aibhsiú comhréir difríochta
+config.git_max_diff_lines = Uasmhéid línte difríochta in aghaidh an chomhaid
+config.git_max_diff_line_characters = Uasmhéid carachtair dhifriúla in aghaidh an líne
+config.git_max_diff_files = Uasmhéid comhaid difríochta a thaispeántar
+monitor.duration = Fad (s)
+monitor.process.cancel_desc = D’fhéadfadh caillteanas sonraí a bheith mar thoradh ar phróiseas a chealú
+monitor.process.cancel_notices = Cealaigh: <strong>%s</strong>?
+notices.view_detail_header = Sonraí fógra
+self_check.database_collation_case_insensitive = Tá an bunachar sonraí ag úsáid códaithe %s, ar códaithe neamhíogair é. Cé gur féidir le Forgejo oibriú leis, d'fhéadfadh go mbeadh roinnt cásanna neamhchoitianta ann nach n-oibreoidh mar a bhíothas ag súil leis.
+self_check.database_fix_mysql = I gcás úsáideoirí MySQL/MariaDB, d'fhéadfá an t-ordú "forgejo doctor convert" a úsáid chun na fadhbanna cóimheasa a shocrú, nó d'fhéadfá an fhadhb a shocrú trí "ALTER ... COLLATE ..." SQLanna a dhéanamh de láimh.
 
 [action]
 create_repo = stóras cruthaithe <a href="%s">%s</a>
@@ -2734,7 +3380,7 @@ owner.settings.cleanuprules.keep.count.n = Leaganacha %d in aghaidh an phacáist
 secrets = Rúin
 description = Cuirfear rúin ar aghaidh chuig gníomhartha áirithe agus ní féidir iad a léamh ar mhalairt.
 none = Níl aon rúin ann fós.
-creation = Cuir Rúnda leis
+creation = Cuir rún leis
 creation.name_placeholder = carachtair alfanumair nó íoslaghda amháin nach féidir a thosú le GITEA_ nó GITHUB_
 creation.value_placeholder = Ionchur ábhar ar bith. Fágfar spás bán ag tús agus ag deireadh ar lár.
 creation.success = Tá an rún "%s" curtha leis.
@@ -2743,6 +3389,7 @@ deletion = Bain rún
 deletion.description = Is buan rún a bhaint agus ní féidir é a chealú. Lean ort?
 deletion.success = Tá an rún bainte.
 deletion.failed = Theip ar rún a bhaint.
+management = Bainistigh rúin
 
 [actions]
 runs.no_runs = Níl aon rith ag an sreabhadh oibre fós.
@@ -2750,7 +3397,7 @@ runs.empty_commit_message = (teachtaireacht tiomantas folamh)
 runs.expire_log_message = Glanadh logaí toisc go raibh siad ró-sean.
 workflow.disable = Díchumasaigh sreabhadh oibre
 workflow.enable = Cumasaigh sreabhadh oibre
-workflow.disabled = Tá sreabhadh oibre díchumasaithe
+workflow.disabled = Tá an sreabhadh oibre díchumasaithe.
 need_approval_desc = Teastaíonn faomhadh chun sreafaí oibre a rith le haghaidh iarratas tarraingt forc.
 variables = Athróga
 variables.creation = Cuir Athróg leis
@@ -2766,6 +3413,19 @@ variables.creation.failed = Theip ar athróg a chur leis.
 variables.creation.success = Tá an athróg "%s" curtha leis.
 variables.update.failed = Theip ar athróg a chur in eagar.
 variables.update.success = Tá an t-athróg curtha in eagar.
+runs.no_workflows.help_write_access = Nach bhfuil a fhios agat conas tosú le Gníomhartha Forgejo? Féach ar an <a target="_blank" rel="noopener noreferrer" href="%s">tús tapa sa doiciméadacht úsáideora</a> chun do chéad sreabhadh oibre a scríobh, ansin <a target="_blank" rel="noopener noreferrer" href="%s">bunaigh rithire Forgejo</a> chun do phoist a fhorghníomhú.
+runs.no_workflows.help_no_write_access = Chun tuilleadh eolais a fháil faoi Ghníomhartha Forgejo, féach ar <a target="_blank" rel="noopener noreferrer" href="%s">an doiciméadacht</a>.
+workflow.disable_success = Sreabhadh oibre "%s" díchumasaithe go rathúil.
+workflow.enable_success = Cumasaíodh an sreabhadh oibre "%s" go rathúil.
+workflow.dispatch.trigger_found = Tá spreagadh imeachta <c>workflow_dispatch</c> ag an sreabhadh oibre seo.
+workflow.dispatch.use_from = Bain úsáid as sreabhadh oibre ó
+workflow.dispatch.run = Rith sreabhadh oibre
+workflow.dispatch.success = Iarradh an sreabhadh oibre go rathúil.
+workflow.dispatch.input_required = Éilítear luach don ionchur "%s".
+workflow.dispatch.invalid_input_type = Cineál ionchuir neamhbhailí "%s".
+workflow.dispatch.warn_input_limit = Ag taispeáint na chéad %d ionchur amháin.
+variables.management = Bainistigh athróga
+variables.not_found = Theip ar an athróg a aimsiú.
 
 [projects]
 deleted.display_name = Tionscadal scriosta
@@ -2780,3 +3440,32 @@ normal_file = Comhad gnáth
 executable_file = Comhad infheidhmithe
 symbolic_link = Nasc siombalach
 submodule = Fo-mhodúl
+
+
+[repo.permissions]
+code.read = <b>Léigh:</b> Rochtain a fháil ar chód an stórais agus é a chlónáil.
+code.write = <b>Scríobh:</b> Brúigh chuig an stórlann, cruthaigh brainsí agus clibeanna.
+issues.read = <b>Léigh:</b> Léigh agus cruthaigh saincheisteanna agus tuairimí.
+issues.write = <b>Scríobh:</b> Dún saincheisteanna agus bainistigh meiteashonraí cosúil le lipéid, clocha míle, sannaithe, dátaí dlite agus spleáchais.
+pulls.read = <b>Léigh:</b> Iarratais tarraingthe a léamh agus a chruthú.
+pulls.write = <b>Scríobh:</b> Dún iarratais tarraingthe agus bainistigh meiteashonraí cosúil le lipéid, clocha míle, sannaithe, dátaí dlite agus spleáchais.
+releases.read = <b>Léigh:</b> Féach ar eisiúintí agus íoslódáil iad.
+releases.write = <b>Scríobh:</b> Foilsigh, cuir in eagar agus scrios eisiúintí agus a sócmhainní.
+wiki.read = <b>Léigh:</b> Léigh an vicí comhtháite agus a stair.
+wiki.write = <b>Scríobh:</b> Cruthaigh, nuashonraigh agus scrios leathanaigh sa vicí chomhtháite.
+projects.read = <b>Léigh:</b> Rochtain ar bhoird tionscadail na stórtha.
+projects.write = <b>Scríobh:</b> Cruthaigh tionscadail agus colúin agus cuir in eagar iad.
+packages.read = <b>Léigh:</b> Féach ar na pacáistí atá sannta don stór agus íoslódáil iad.
+packages.write = <b>Scríobh:</b> Foilsigh agus scrios pacáistí atá sannta don stórlann.
+actions.read = <b>Léigh:</b> Féach ar ritheanna sreabha oibre agus a logaí.
+actions.write = <b>Scríobh:</b> Sreafaí oibre a spreagadh, a atosú agus a chealú. Bainistigh toscaireacht muiníne chun póstaeir iarratais a tharraingt.
+ext_issues = Rochtain ar an nasc chuig rianaitheoir saincheisteanna seachtrach. Déantar na ceadanna a bhainistiú go seachtrach.
+ext_wiki = Rochtain ar an nasc chuig vicí seachtrach. Déantar na ceadanna a bhainistiú go seachtrach.
+
+[markup]
+filepreview.line = Líne %[1]d i %[2]s
+filepreview.lines = Línte %[1]d go %[2]d i %[3]s
+filepreview.truncated = Tá an réamhamharc giorraithe
+
+[translation_meta]
+test = Is teaghrán tástála é seo. Ní thaispeántar é i gcomhéadan úsáideora Forgejo ach úsáidtear é chun críocha tástála. Ná bíodh drogall ort "ceart go leor" a iontráil chun am a shábháil (nó fíric spraíúil de do rogha féin) chun an marc críochnaithe 100% sin a bhaint amach :)
\ No newline at end of file
diff --git a/options/locale/locale_kab.ini b/options/locale/locale_kab.ini
index 795ecd2a6b..ebd2af5f63 100644
--- a/options/locale/locale_kab.ini
+++ b/options/locale/locale_kab.ini
@@ -76,6 +76,8 @@ return_to_forgejo = Tuɣalin ɣer Forgejo
 twofa = Asesteb s snat n tarrayin
 filter.not_template = Mačči d timudmiwin
 admin_panel = Tadbelt n wesmel
+add_all = Rnu-ten akk
+remove_all = Kkes-iten akk
 
 [user]
 code = Tangalt
@@ -113,6 +115,13 @@ create_new_team = Agraw amaynut
 create_team = Snulfu-d yiwen n ugraw
 team_name = Isem n ugraw
 settings = Iɣewwaren
+members.private_helper = Err-it ad yettban
+teams = Tirebbuyaɛ
+lower_members = Iɛeggalen
+team_permission_desc = Tasiregt
+teams.delete_team = Kkes tarbaɛt
+teams.update_settings = Leqqem iɣewwaren
+teams.delete_team_title = Kkes tarbaɛt
 
 [repo]
 release.source_code = Tangalt taɣbalut
@@ -366,6 +375,16 @@ settings.basic_settings = Iɣewwaren n taffa
 settings.tracker_issue_style.alphanumeric = Agmumḍin
 settings.tracker_issue_style.numeric = Umḍin
 settings.teams = Igrawen
+visibility_helper = Err akufi d uslig
+issues.filter_poster_no_select = Akk imeskaren
+activity.git_stats_author_1 = %d n umeskar
+activity.git_stats_author_n = %d n imeskaren
+settings.packagist_api_token = Tiddest API
+diff.view_file = Wali afaylu
+diff.show_more = Wali ugar
+diff.comment.add_review_comment = Rnu awennit
+diff.git-notes.add = Rnu tazmilt
+diff.git-notes.remove-header = Kkes tazmilt
 
 [install]
 admin_password = Awal n uɛeddi
@@ -449,6 +468,25 @@ config.mailer_use_sendmail = Seqdec Sendmail
 config.https_only = HTTPS kan
 config.git_config = Tawila n Git
 monitor.queue.settings.remove_all_items = Kkes-iten akk
+auths.oauth2_profileURL = URL n umaɣnu
+users.update_profile = Leqqem amiḍan n useqdac
+auths.type = Anaw
+auths.enabled = D urmid
+auths.host = Asenneftaɣ
+auths.port = Tawwurt
+config.ssh_port = Tawwurt
+config.lfs_enabled = D urmid
+config.db_type = Anaw
+config.db_host = Asenneftaɣ
+config.db_schema = Azenziɣ
+config.db_path = Abrid
+config.mailer_enabled = D urmid
+config.mailer_protocol = Aneggaf
+users.list_status_filter.is_active = D urmid
+users.list_status_filter.not_active = D arurmid
+monitor.stats = Tiddadanin
+config.enable_captcha = Sermed CAPTCHA
+notices.select_all = Fren-iten akk
 
 [search]
 code_kind = Nadi tangalt…
@@ -652,6 +690,14 @@ permissions_public_only = Azayez kan
 oauth2_application_name = Isem n usnas
 delete_account = Kkes amiḍan-ik
 quota.sizes.git.all = Agbur deg Git
+public_profile = Amaɣnu azayaz
+show_openid = Sken-it-id ɣef umaɣnu
+hide_openid = Ffer-it s ufella umaɣnu
+keep_activity_private = Ffer armud s ufella usebter n umaɣnu
+keep_email_private = Ffer tansa n yimayl
+quota.sizes.repos.private = Ikufan usligen
+create_oauth2_application_button = Snulfu-d asnas
+oauth2_client_id = Asulay ID n wemsaɣ
 
 [packages]
 
@@ -672,9 +718,15 @@ years = %d n iseggasen
 1mon = 1 n wayyur
 1y = 1 n useggas
 1d = 1 n wass
+now = tura
+raw_seconds = tasinin
+raw_minutes = tesdatin
 
 [dropzone]
 
 [filter]
 string.asc = A - Z
-string.desc = Z - A
\ No newline at end of file
+string.desc = Z - A
+
+[git.filemode]
+directory = Akaram
\ No newline at end of file
diff --git a/options/locale/locale_kw.ini b/options/locale/locale_kw.ini
new file mode 100644
index 0000000000..6c6c21f9d8
--- /dev/null
+++ b/options/locale/locale_kw.ini
@@ -0,0 +1,995 @@
+
+
+
+[common]
+home = Tre
+dashboard = Skostel
+explore = Trovya
+help = Gweres
+logo = Logo
+sign_in = Omgelmi
+sign_in_with_provider = Omgelmi gans %s
+sign_in_or = po
+sign_out = Omdhigelmi
+sign_up = Kovskrifa
+link_account = Keskelmi akont
+register = Kovskrifa
+version = Versyon
+powered_by = Gallosegys gans %s
+page = Folen
+template = Ensampel
+notifications = Gwarnyansow
+create_new = Gwruthyl…
+user_profile_and_more = Profil ha settyansow…
+signed_in_as = Omgelmys avel
+enable_javascript = An wiasva ma a rekwir JavaScript.
+toc = Mosen a Synsas
+licenses = Leshyansow
+return_to_forgejo = Dehweles dhe Forgejo
+toggle_menu = Dewis rol
+more_items = Moy taklow
+username = Hanow Devnydhyer
+email = Trigva ebost
+password = Ger-tremena
+access_token = Tokyn hedhas
+re_type = Afydhya ger-tremena
+captcha = CAPTCHA
+twofa = Gwirheans dewkamm
+twofa_scratch = Kod kravas dewkamm
+passcode = Kod-tremena
+webauthn_insert_key = Gorra a-bervedh agas alhwedh sawder
+webauthn_sign_in = Tavewgh an boton war agas alhwedh sawder. Mar nyns eus boton, gorrewgh a-bervedh arta.
+webauthn_press_button = Mar pleg gwaskewgh an boton war agas alhwedh sawder…
+webauthn_use_twofa = Devnydhyer kod dewkamm dhyworth agas klapkodh
+webauthn_error = Ny yllir redya agas alhwedh sawder.
+webauthn_unsupported_browser = Ny skoodhya a-lemmyn agas peurell WebAuthn.
+webauthn_error_unknown = Yth esa error ankoth. Mar pleg assayewgh arta.
+webauthn_error_insecure = WebAuthn a skoodh junyans saw yn unnik. Rag ow previ dres HTTP. ty a yll devnydhya an devedhyans "localhost" po "127.0.0.1"
+webauthn_error_unable_to_process = Ny yllir an servell argerdhes agas govyn.
+webauthn_error_duplicated = Nyns yw an alhwedh sawder gesys rag an govyn ma. Mar pleg, surhewgh nyns yw an alhwedh kovskrifys seulabrys.
+webauthn_error_empty = Res yw dhywgh settya hanow rag an alhwedh ma.
+webauthn_error_timeout = Termyn yn-mes hedhys kyns agas alhwedh y hyllys redys. Daskargewgh an folen ma mar pleg hag assayewgh arta.
+repository = Gwithva
+new_fork = Forgh gwithva nowydh
+new_project_column = Koloven nowydh
+admin_panel = Menystrans gwiasva
+settings = Settyansow
+your_profile = Profil
+your_starred = Drudh
+your_settings = Settyansow
+new_repo.title = Gwithva nowydh
+new_migrate.title = Divroans nowydh
+new_org.title = Kowethyans nowydh
+new_repo.link = Gwithva nowydh
+new_migrate.link = Divroans nowydh
+new_org.link = Kowethyans nowydh
+all = Oll
+sources = Pennfentynnyow
+mirrors = Gwedrow-mires
+collaborative = Kesoberus
+forks = Fergh
+activities = Aktivitys
+pull_requests = Profyansow
+issues = Kudynnow
+milestones = Meyn mildir
+ok = Da Lowr
+cancel = Hedhi
+retry = Assaya Arta
+rerun = Daseksekutya
+rerun_all = Daseksekutya oll oberennow
+save = Sawya
+add = Keworra
+add_all = Keworra oll
+remove = Remova
+remove_all = Remova oll
+remove_label_str = Remova tra "%s"
+edit = Golegi
+view = Gweles
+test = Prov
+enabled = Byw
+disabled = Marow
+locked = Alhwedhys
+copy = Kopia
+copy_url = Kopia Gorgevren
+copy_hash = Kopia hash
+copy_path = Kopia tyller
+copy_content = Kopia synsas
+copy_branch = Kopia hanow skorr
+copy_success = Kopys!
+copy_error = Ny yllir kopia
+copy_type_unsupported = Ny yllir an eghen restren ma bos kopys
+write = Skrifa
+preview = Ragweles
+loading = Ow Karga…
+error = Error
+error404 = An folen assayowgh os rag hedhes po <strong>nyns yw eksistya</strong>, <strong>re bos dileys</strong> po <strong>nyns os reythhes</strong> rag gweles.
+error413 = Hwi re spenys agas finweth.
+go_back = Dehweles
+invalid_data = Data anewn: %v
+never = Bythkweth
+unknown = Ankoth
+rss_feed = Strem RSS
+pin = Pynna
+unpin = Dispynna
+artifacts = Eskorransow
+confirm_delete_artifact = Esowgh hwi sur ty a vynn dilea an eskorrans "%s" ?
+archived = Gwithys yn Kovskrif
+concept_system_global = Ollvysel
+concept_user_individual = Unnik
+concept_code_repository = Gwithva
+concept_user_organization = Kowethyans
+show_timestamps = Diskwedhes termynyow
+show_log_seconds = Diskwedhes eylennow
+show_full_screen = Diskwedhes leun-skrin
+download_logs = Iskarga kovskrifow
+confirm_delete_selected = Afydhyewgh rag dilea oll taklow dewisys?
+name = Hanow
+value = Synsas
+filter = Sidhla
+filter.clear = Dilea sidhlow
+filter.is_archived = Gwithys yn kovskrif
+filter.not_archived = Na gwithys yn kovskrif
+filter.is_fork = Fergh
+filter.not_fork = Na fergh
+filter.is_mirror = Gwedrow-mires
+filter.not_mirror = Na gwedrow-mires
+filter.is_template = Ensamplys
+filter.not_template = Na ensamplys
+filter.public = Poblek
+filter.private = Privedh
+active_stopwatch = Hedheuryer byw
+tracked_time_summary = Berrskrif a dermyn helerghys selys war sidhlow a rol kudynnow
+
+[search]
+search = Hwilas…
+type_tooltip = Eghen hwithrans
+repo_kind = Hwilas gwithvaow…
+user_kind = Hwilas devnydhyoryon…
+org_kind = Hwilas kowethyansow…
+team_kind = Hwilas bagasow…
+code_kind = Hwilas kod…
+union = Kesunyans
+union_tooltip = Synsi sewyansow a omdhesedh neb a'n eryow diberthys gans spas
+exact = Kewar
+exact_tooltip = Synsi sewyansow a omdhesedh an term hwithrans kewar
+regexp = RegExp
+regexp_tooltip = Styrya an term hwithrans avel menegyn rewlys
+code_search_unavailable = Hwithrans kod nyns yw kavadow a-lemmyn. Kestavewgh an menystrer gwiasva mar pleg.
+package_kind = Hwilas fardellow…
+project_kind = Hwilas ragdresow…
+branch_kind = Hwilas skorrow…
+commit_kind = Hwilas gwriansow…
+runner_kind = Hwilas eksekutyoryon…
+no_results = Nyns eus sewyansow a omdhesedh.
+issue_kind = Hwilas kudynnow…
+pull_kind = Hwilas profyansow…
+keyword_search_unavailable = Ow hwilas gans ger alhwedh nyns yw kavadow a-lemmyn. Kestavewgh an menystrer gwiasva mar pleg.
+
+[aria]
+navbar = Barr navigacyon
+footer = Ben folen
+footer.software = A-dro dhe'n medhelweyth ma
+footer.links = Gorgevrennow
+
+[heatmap]
+number_of_contributions_in_the_last_12_months = %s kevrohow y'n 12 misyow yw passys
+contributions_zero = Kevrohow vyth
+contributions_format = {contributions} {day} {month} {year}
+contributions_one = kevro
+contributions_few = kevrohow
+less = Le
+more = Moy
+
+[editor]
+buttons.heading.tooltip = Keworra pennlinen
+buttons.bold.tooltip = Keworra tekst poos (Ctrl+B / ⌘B)
+buttons.italic.tooltip = Keworra tekst italek (Ctrl+I / ⌘I)
+buttons.quote.tooltip = Devyn tekst
+buttons.code.tooltip = Keworra kod
+buttons.link.tooltip = Keworra gorgevren (Ctrl+K / ⌘K)
+buttons.list.unordered.tooltip = Keworra rol pellen
+buttons.list.ordered.tooltip = Keworra rol niverys
+buttons.list.task.tooltip = Keworra rol a rannow ober
+buttons.mention.tooltip = Kampolla devnydhyer po bagas
+buttons.ref.tooltip = Kampolla kudyn po profyans
+buttons.switch_to_legacy.tooltip = Devnydhya an janjyell koth yn le
+buttons.enable_monospace_font = Bywhe font unspas
+buttons.disable_monospace_font = Marowhe font unspas
+buttons.indent.tooltip = Neytha taklow gans unn nivel
+buttons.unindent.tooltip = Dineytha taklow gans unn nivel
+buttons.new_table.tooltip = Keworra mosen
+table_modal.header = Keworra mosen
+table_modal.placeholder.header = Pennlinen
+table_modal.placeholder.content = Synsas
+table_modal.label.rows = Rewyow
+table_modal.label.columns = Kolovennow
+link_modal.header = Keworra gorgevren
+link_modal.url = Gorgevren
+link_modal.description = Deskrifans
+link_modal.paste_reminder = Hynt: Gans URL yn agas astel glypp, hwi a yll dasskrifa y'n janjyell distowgh rag gwruthyl gorgevren.
+
+[filter]
+string.asc = A - Z
+string.desc = Z - A
+
+[error]
+occurred = Yth esa error
+report_message = Mar krysowgh kudyn Forgejo yw hemma, hwilasewgh mar pleg rag kudynnow war <a href="%s" target="_blank">Codeberg</a> po ygeri kudyn nowydh mars yma res.
+not_found = Ny yllir kavos an gosten.
+network_error = Error rosweyth
+server_internal = Error a-bervedh servell
+
+[startpage]
+app_desc = Gonis Git dibayn omostys
+install = Es rag lea
+install_desc = Yn sempel <a target="_blank" rel="noopener noreferrer" href="%[1]s">eksekutya an dewek</a> rag agas bynk, danvon gans <a target="_blank" rel="noopener noreferrer" href="%[2]s">Docker</a>, po kavos <a target="_blank" rel="noopener noreferrer" href="%[3]s">fardellys</a>.
+platform = Treus-bynk
+platform_desc = Forgejo yw afydhys rag eksekutya war systemow oberyans rydh kepar ha Linux ha FreeBSD, ha pennsernethow CPU dyffrans. Dewisewgh an onan kyrrowgh!
+lightweight = Skav
+lightweight_desc = Y’s teves Forgejo edhommow ispoyntel isel hag y hyllir eksekutya war Raspberry Pi a bris isel. Difres tredan!
+license = Pennfenten Ygor
+license_desc = Kavewgh <a target="_blank" rel="noopener noreferrer" href="%[1]s">Forgejo</a>! Omjunyewgh ni gans <a target="_blank" rel="noopener noreferrer" href="%[2]s">ow kevri</a> rag gwellhe an ragdres ma moy bryntin hogen. Na berthewgh meth rag bos kevriyas!
+
+[install]
+install = Leyans
+title = Selyans kynsa
+docker_helper = Mars eksekutyowgh Forgejo a-berth yn Docker, redyewgh mar pleg an <a target="_blank" rel="noopener noreferrer" href="%s">kowethlyver</a> kyns ow chanjya neb settyansow.
+require_db_desc = Forgejo a vynn MySQL, PostgreSQL, SQLite3 po TiDB (protokol MySQL).
+db_title = Settyansow sel dherivadow
+db_type = Eghen sel dherivadow
+host = Ost
+user = Hanow Devnydhyer
+password = Ger-tremena
+db_name = Hanow sel dherivadow
+db_schema = Skema
+db_schema_helper = Gwitha gwag rag defowt sel dherivadow ("poblek").
+ssl_mode = SSL
+path = Tyller
+sqlite_helper = Tyller rag an sel dherivadow SQLite3. <br>Ynworra tyller absolut mars eksekutyowgh Forgejo avel gonis.
+reinstall_error = Esowgh owth assaya rag lea yn sel dherivadow Forgejo seulabrys
+reinstall_confirm_message = Ow taslea gans sel dherivadow Forgejo a yll kawsya meur a gudynnow. Yn kasys moyha, y kodh dhywgh devnydhya agas "app.ini" seulabrys rag eksekutya Forgejo. Mar esowgh konnyk, afydhyewgh an pyth a sew:
+reinstall_confirm_check_1 = An data argelys gans an SECRET_KEY yn app.ini a yll bos kellys: martesen ny vydh devnydhyoryon omgelmi gans 2FA/OPT & gwedrow-mires na oberi yn ta. Gans ow checkya an gist ma afydhyowgh an restren app.ini synsi an SECRET_KEY ewn.
+reinstall_confirm_check_2 = Martesen y fydh edhom dhir daskettermynyegi an gwithvaow ha settyansow. Gans ow checkya an gist ma afydhyowgh hwi a wra daskettermynyegi an higennow rag an gwithvaow ha restren authorized_keys dre dhorn. Afydhyowgh hwi a wra surhe settyansow gwithva ha gweder-mires yw ewn.
+reinstall_confirm_check_3 = Afydhyowgh pur sur owgh hwi an Forgejo ma yw owth eksekutya gans an tyller ewn app.ini ha sur owgh hwi yma edhom dhywgh daslea. Afydhyowgh mayth aswonowgh an peryllow ma.
+err_empty_db_path = Ny yll an tyller sel dherivadow SQLite3 bos gwag.
+no_admin_and_disable_registration = Ny yllowgh marowhe omgovskrifans devnydhyer heb ow kwruthyl akont menystrer.
+err_empty_admin_password = Ny yll an ger-tremena menystrer bos gwag.
+err_empty_admin_email = Ny yll an drigva ebost menystrer bos gwag.
+err_admin_name_is_reserved = Anewn yw an hanow devnydhyer menystrer, ragerghys yw an hanow devnydhyer ma
+err_admin_name_pattern_not_allowed = Anewn yw an hanow devnydhyer menystrer, an hanow devnydhyer ma a omdhesedh patron ragerghys
+err_admin_name_is_invalid = Anewn yw an hanow devnydhyer
+general_title = Settyansow ollgemmyn
+app_name = Titel gweyth
+app_name_helper = Ynworrewgh agas hanow gweyth omma. An hanow na a vydh bos diskwedhys war bub folen.
+app_slogan = Lavar gweyth
+app_slogan_helper = Ynworrewgh agas lavar gweyth omma. Gwitha gwag rag marowhe.
+repo_path = Tyller gwreydhek gwithva
+repo_path_helper = Gwithvaow Git pell a vydh bos sawys dhe'n restrenva ma.
+lfs_path = Tyller gwreydhek Git LFS
+lfs_path_helper = Restrennow helerghys gans Git LFS a vydh bos gwithys y'n restrenva ma. Gwitha gwag rag marowhe.
+run_user = Devnydhyer rag eksekutya avel
+run_user_helper = An hanow devnydher rag an system oberyans mayth eksekutir Forgejo. Notyewgh: res yw dhodho kavos hedhas dhe'n tyller gwreydhek gwithva.
+domain = Arlotteth servell
+domain_helper = Arlotteth po trigva ost rag an servell.
+ssh_port = Porth servell SSH
+ssh_port_helper = Niver porth rag devnydh gans an servell SSH. Gwitha gwag rag marowhe servell SSH.
+http_port = Porth goslowes HTTP
+http_port_helper = Niver porth rag devnydh gans an servell gwi Forgejo.
+app_url = Gorgevren Sel
+app_url_helper = Trigva sel rag gorgevrennow HTTP(S) ha gwarnyansow ebost.
+log_root_path = Tyller kovadh
+log_root_path_helper = Restrennow kovadh a vydh bos skrifys war'n restrenva ma.
+optional_title = Settyansow dre dhewis
+email_title = Settyansow ebost
+smtp_addr = Ost SMTP
+smtp_port = Porth SMTP
+smtp_from = Danvon ebost avel
+smtp_from_invalid = Anewn yw an drigva "Danvon ebost avel"
+smtp_from_helper = An drigva ebost ma a vydh bos devnydhys gans Forgejo. Ynworrewgh trigva ebost sempel po devnydhyewgh an furvas "Hanow" <email@example.com>.
+mailer_user = Hanow devnydhyer SMTP
+mailer_password = Ger-tremena SMTP
+register_confirm = Rekwirya afydhyans ebost rag kovskrifa
+mail_notify = Bywhe gwarnyansow ebost
+server_service_title = Settyansow servell ha gonis parti-tressa
+offline_mode = Bywhe fordh leel
+offline_mode.description = Marowhe rosweythyow synsas parti-tressa ha dyghtya oll asnodhow yn leel.
+disable_gravatar = Marowhe Gravatar
+disable_gravatar.description = Marowhe denvydh a Ravatar op pennfentynnyow imach parti-tressa aral. Imajys defowt a vydh bos devnydhys rag imajys devnydhyer marna ughkarg aga honan dhe'n weyth.
+federated_avatar_lookup = Bywhe imajys keffrysek
+federated_avatar_lookup.description = Arhwilas imajys ow tevnydhya Libravatar.
+disable_registration = Marowhe omgovskrifans
+disable_registration.description = Menystroryon gweyth yn unnik a yll gwruthyl akontys devnydhyer nowydh. Pur gomendys yw rag gwitha kovskrifans marowhes marnas mynnowgh ostya gweyth poblek rag pubonan ha parys owgh hwi rag ardhyghtya mynsow bras a akontys atal.
+allow_only_external_registration = Gasa kovskrifans dre wonisyow a-ves yn unnik
+allow_only_external_registration.description = Devnydhyoryon a yll gwruthyl akontys nowydh ow tevnydhya gonisyow a-ves selys.
+openid_signin = Bywhe omgelmyans OpenID
+openid_signin.description = Gasa devnydhyoryon rag omgelmi der OpenID.
+openid_signup = Bywhe omgovskrifans OpenID
+openid_signup.description = Gasa devnydhyoryon rag gwruthyl akontys der OpenID mar bywhes yw omgovskrifans.
+enable_captcha = Bywhe CAPTCHA kovskrifans
+enable_captcha.description = Rekwirya devnydhyoryon tremena CAPTCHA rag gwruthyl akontys.
+require_sign_in_view = Rekwirya omgelmyans rag gweles synsas gweyth
+require_sign_in_view.description = Finwetha hedhas synsas dhe dhevnydhyoryon omgelmys. Ostysi a yll vysytya an folennow omgelmyans yn unnik.
+default_keep_email_private = Kudha trigvaow ebost yn defowt
+default_keep_email_private.description = Bywhe ow kudha trigvaow ebost rag devnydhyoryon nowydh yn defowt rag may nyns eus an kedhlow ma dyllys wosa kovskrifans.
+default_allow_create_organization = Gasa ow kwruthyl kowethyansow yn defowt
+default_allow_create_organization.description = Gasa devnydhyoryon nowydh gwruthyl kowethyansow yn defowt. Mar byw yw an dewis ma, res yw dhodho menystrer grontya kummyas rag gwruthyl kowethyansow dhe dhevnydhyoryon nowydh.
+default_enable_timetracking = Bywhe hedheuryer yn defowt
+default_enable_timetracking.description = Gasa devnydh a'n nas hedheuryer rag gwithvaow nowydh yn defowt.
+admin_title = Settyansow akont menystrer
+admin_setting.description = Dre dhewis yw ow kwruthyl akont menystrer. An devnydhyer kovskrifys kynsa a wra bos menystrer yn awtomatek.
+admin_name = Hanow devnydhyer menystrer
+admin_password = Ger-tremena
+confirm_password = Afydhya ger-tremena
+admin_email = Trigva ebost
+config_location_hint = An dhewisyow selyans ma a vydh bos sawys yn:
+install_btn_confirm = Lea ForgeJo
+test_git_failed = Ny yllir previ arghadow "git": %v
+sqlite3_not_available = Ny skoodhya SQLite3 an dyllans Forgejo ma. Iskargewgh mar pleg an dyllans dewek sodhogel dhyworth %s (nyns yw an dyllans "gobuild").
+invalid_db_setting = Anewn yw an settyansow sel dherivadow: %v
+invalid_db_table = Anewn yw an vosen sel dherivadow "%s": %v
+invalid_repo_path = Anewn yw an tyller gwreydhek gwithva: %v
+invalid_app_data_path = Anewn yw an tyller data app: %v
+run_user_not_match = Nyns yw an hanow devnydhyer "devnydhyer rag eksekutya avel" an hanow devnydhyer a-lemmyn: %s -> %s
+internal_token_failed = Ny yllir dinythi tokyn a-bervedh: %v
+save_config_failed = Ny yllir sawya selyans: %v
+enable_update_checker_helper_forgejo = Checkya a wra rag dyllansow Forgejo nowydh a dermyn dhe dermyn gans ow checkya kovadh DNS TXT yn release.forgejo.org.
+invalid_admin_setting = Anewn yw settyans akont menystrer: %v
+invalid_log_root_path = Anewn yw an tyller kovadh: %v
+no_reply_address = Arlotteth ebost kudh
+no_reply_address_helper = Hanow arlotteth rag devnydhyoryon gans trigva ebost kudh. Rag ensampel, an hanow devnydhyer "jago" a vydh bos kovadhys yn Git avel "jago@noreply.ensampel.org mars an arlotteth ebost kudh yw "noreply.ensampel.org".
+password_algorithm = Method hash ger-tremena
+invalid_password_algorithm = Method hash ger-tremena anewn
+password_algorithm_helper = Settyewgh an method hash ger-tremena. Yma edhommow ha sleyneth dyffrans. An method argon2 yw saw mes a wra devnydhya meur a gov hag a yll bos anwiw rag systemow byghan.
+enable_update_checker = Bwyhe checkyell nowedhyans
+env_config_keys = Selyans Kerghynnedh
+env_config_keys_prompt = An nowejynnow kerghynnedh a sew a vydh bos gweythys dh'gas restren selyans:
+
+[home]
+uname_holder = Hanow devnydhyer po trigva ebost
+switch_dashboard_context = Skwychella testen skostel
+my_repos = Gwithvaow
+my_orgs = Kowethyansow
+view_home = Gweles %s
+filter = Sidhlow aral
+filter_by_team_repositories = Sidhla gans gwithvaow bagas
+feed_of = Strem a "%s"
+show_archived = Gwithys yn kovskrif
+show_both_archived_unarchived = Ow tiskwedhes an dhew yn kovskrif ha na yn kovskrif
+show_only_archived = Ow tiskwedhes yn kovskrif yn unnik
+show_only_unarchived = Ow tiskwedhes na yn kovskrif yn unnik
+show_private = Privedh
+show_both_private_public = Ow tiskwedhes an dhew poblek ha privedh
+show_only_private = Ow tiskwedhes privedh yn unnik
+show_only_public = Ow tiskwedhes poblek yn unnik
+issues.in_your_repos = Yn agas gwithvaow
+
+[explore]
+repos = Gwithvaow
+users = Devnydhyoryon
+organizations = Kowethyansow
+go_to = Mos dhe
+code = Kod
+code_last_indexed_at = Arhwilys kyns %s
+relevant_repositories_tooltip = Kudh yw gwithvaow fergh po kavos testen vyth, arwodhik vyth, ha deskrifans vyth.
+relevant_repositories = Gwithvaow a vri yw diskwedhys yn unnik, <a href="%s">diskwedhes sewyansow ansidhlys</a>.
+
+[auth]
+create_new_account = Kovskrifa akont
+disable_register_prompt = Kovskrifans yw marow. Kestavewgh agas menystrer gwiasva mar pleg.
+disable_register_mail = Afydhyans ebost rag kovskrifans yw marow.
+manual_activation_only = Kestavewgh agas menystrer gwiasva rag kowlwul bywheans.
+remember_me = Kofhe an devis ma
+forgot_password_title = Ger-tremena ankevys
+forgot_password = Ger-tremena ankevys?
+hint_login = Eus akont dhywgh seulabrys? <a href="%s">Omgelmewgh lemmyn!</a>
+hint_register = Eus edhom dhywgh a akont? <a href="%s">Kovskrifewgh lemmyn.</a>
+sign_up_button = Kovskrifewgh lemmyn.
+sign_up_successful = Akont o gwrys yn sewen. Dynnargh!
+confirmation_mail_sent_prompt = Yma ebost afydhyans nowydh danvenys dhe <b>%s</b>. Rag kowlwul an argerdh kovskrifans, checkyewgh agas yngist mar pleg ha holyewgh an gorgevren provys a-ji dhe'n nessa %s. Mars an ebost yw anewn, hwi a yll omgelmi, ha govyn ebost afydhyans rag bos danvenys dhe drigva ebost aral.
+must_change_password = Nowedhi agas ger-tremena
+allow_password_change = Erghi devnydhyer rag chanjya ger-tremena (komendys)
+reset_password_mail_sent_prompt = Yma ebost afydhyans danvenys dhe <b>%s</b>. Rag kowlwul an argerdh yaghheans akont, checkyewgh agas yngist mar pleg ha holyewgh an gorgevren provys a-ji dhe'n nessa %s.
+active_your_account = Bywhe agas akont
+account_activated = Akont yw bywhes
+prohibit_login = Akont yw astelys
+prohibit_login_desc = Agas akont re beu astelys rag ow tevnydhya gans an weyth. Kestavewgh an menystrer weyth rag daskemeres hedhas.
+resent_limit_prompt = Hwi re govynys ebost bywheans seulabrys a-dhiwedhes. Gortewgh 3 mynysennow mar pleg hag ena assayewgh arta.
+has_unconfirmed_mail = Yow %s, yma trigva ebost anafydhys dhywgh (<b>%s</b>). Mar nyns eus ebost afydhyans yn agas yngist po yma edhom dhywgh danvon onan nowydh, klyckyewgh war'n boton a-woles mar pleg.
+change_unconfirmed_email_summary = Chanjya an drigva ebost devnydhys rag danvon an ebost bywheans.
+change_unconfirmed_email = Mar proviowgh an drigva ebost anewn dres kovskrifans, hwi a yll chanjya a-woles, hag yma afydhyans nowydh danvenys dhe'n drigva nowydh yn le.
+change_unconfirmed_email_error = Ny yllir chanjya an drigva ebost: %v
+resend_mail = Klyckyewgh omma rag dastanvon agas ebost bywheans
+send_reset_mail = Danvon ebost yaghheans
+reset_password = Yaghheans akont
+invalid_code = Agas kod afydhyans yw anewn po re diwedhys.
+invalid_code_forgot_password = Agas kod afydhyans yw anewn po re diwedhys. Klyckyewgh <a href="%s">omma</a> rag dalleth esedhek nowydh.
+invalid_password = An ger-tremena ma ny omdhesedha an ger-tremena devnydhys rag gwruthyl an akont.
+reset_password_helper = Daskavos Akont
+reset_password_wrong_user = Omgelmys owgh hwi avel %s, mes an gorgevren yaghheans akont yw rag %s
+password_too_short = An ger-tremena na yllir bos le hir es %d lytherennow.
+non_local_account = Devnydhyoryon anleel na yllir nowedhi aga ger-tremena dres an ynterfas gwi Forgejo.
+verify = Gwirhe
+unauthorized_credentials = Manylyon devnydhyer yw anewn po re diwedhys. Assayewgh arta agas arghadow po gweles %s rag moy kedhlow
+scratch_code = Kod kravas
+use_scratch_code = Devnydhya kod kravas
+use_onetime_code = Devnydhya kod unweyth
+twofa_scratch_used = Hwi re devnydhys agas kod kravas. Hwi re daskevarwodhys dhe'n folen settyansow dewkamm rag may hwi a yll remova agas kovskrifans devis po dinythi kod kravas nowydh.
+twofa_passcode_incorrect = Agas kod-tremena yw anewn. Mar kellowgh agas devis, devnydhya agas kod kravas rag omgelmi.
+twofa_scratch_token_incorrect = Agas kod kravas yw anewn.
+login_userpass = Omgelmi
+oauth_signup_tab = Kovskrifa akont nowydh
+oauth_signup_title = Kowlwul akont nowydh
+oauth_signup_submit = Kowlwul akont
+oauth_signin_tab = Keskelmi dhe akont seulabrys
+oauth_signin_title = Omgelmi rag reythhe akont keskelmys
+oauth_signin_submit = Keskelmi akont
+oauth.signin.error = Yth esa error owth argerdhes an govyn reythheans. Mar durya an error ma, kestavewgh an menystrer gwiasva mar pleg.
+oauth.signin.error.access_denied = An govyn reythheans o naghys.
+oauth.signin.error.temporarily_unavailable = Ny yllir reythhe drefen an ankavadewder a'n servell. Anbarghus yw hemma; assayewgh arta diwettha mar pleg.
+openid_connect_submit = Junya
+openid_connect_title = Junya dhe akont seulabrys
+openid_connect_desc = An URI OpenID dewisys yw ankoth. Kowethya gans akont nowydh omma.
+openid_register_title = Gwruthyl akont nowydh
+openid_register_desc = An URI OpenID dewisys yw ankoth. Kowethya gans akont nowydh omma.
+openid_signin_desc = Ynworrewgh agas URI OpenID. Rag ensampel: alice.openid.example.org po https://openid.example.org/alice.
+disable_forgot_password_mail = Yaghheans akont yw marow drefen nyns eus trigva ebost selys. Kestavewgh agas menystrer gwiasva mar pleg.
+disable_forgot_password_mail_admin = Yaghheans akont yw kavadow mar selys yw ebost. Selyewgh ebost rag bywhe yaghheans akont mar pleg.
+email_domain_blacklisted = Ny yllowgh kovskrifa gans agas trigva ebost.
+authorize_application = Reythhe App
+authorize_redirect_notice = Hwi a vydh daskevarwodhys dhe %s mar reythhowgh an app ma.
+authorize_application_created_by = An app ma o gwrys gans %s.
+authorize_application_description = Mar grontyowgh hedhes, y hyll drehedhes ha skrifa dhe oll agas kedhlow akont, ow synsi gwithvaow ha kowethyansow privedh.
+authorize_title = Reythhe "%s" rag drehedhes agas akont?
+authorization_failed = Reythheans fyllis
+authorization_failed_desc = An reythheans fyllis drefen helerghyn ni govyn anewn. Kestavewgh an mentenour a'n app hwi re assayys rag reythhe mar pleg.
+password_pwned = An ger-tremena hwi re dewisys yw war <a target="_blank" rel="noopener noreferrer" href="%s">rol a eryow ledrys</a> diskudhys kyns lemmyn yn torrvaow data poblek. Assayewgh arta gans ger-tremena aral mar pleg ha prederewgh ow chanjya an ger-tremena ma yn leow aral ynwedh.
+password_pwned_err = Ny yllir kowlwul govyn dhe HaveIBeenPwned
+last_admin = Ny yllowgh remova an menystrer finek. Res yw bos unn menystrer dhe'n lyha.
+back_to_sign_in = Dehweles dhe Omgelmyans
+sign_in_openid = Procedya gans OpenID
+
+[mail]
+view_it_on = Gweles war %s
+reply = po gorthebi dhe'n ebost ma distowgh
+link_not_working_do_paste = Yw an gorgevren terrys? Assayewgh ow kopia hag ow tasskrifa y'n barr a'gas peurell.
+hi_user_x = Yow <b>%s</b>,
+activate_account = Bywhewgh agas akont mar pleg
+activate_account.text_1 = Yow <b>%[1]s</b>, meur ras rag ow kovskrifa yn %[2]s!
+activate_account.text_2 = Klyckyewgh war'n gorgevren a sew mar pleg rag bywhe agas akont a-ji dhe <b>%s</b>:
+activate_email = Gwirhe agas trigva ebost
+activate_email.text = Klyckyewgh an gorgevren a sew mar pleg rag gwirhe agas trigva ebost a-ji dhe <b>%s</b>:
+admin.new_user.subject = Devnydhyer nowydh %s kovskrifys namnygen
+admin.new_user.user_info = Kedhlow devnydhyer
+admin.new_user.text = <a href="%s">Klyckyewgh omma</a> mar pleg rag dyghtya an devnydhyer ma y'n panel menystrer.
+register_notify = %s a'gas dynnargh
+register_notify.text_1 = agas ebost afydhyans kovskrifans yw hemma rag %s!
+register_notify.text_2 = Hwi a yll omgelmi yn agas akont ow tevnydhya dha hanow devnydhyer: %s
+register_notify.text_3 = Mars an akont ma o gwrys rag hwi gans nebonan aral, yma edhom dhywgh <a href="%s">settya agas ger-tremena</a> kyns.
+reset_password = Daskavos agas akont
+reset_password.text = Mar hwi o hemma, klyckyewgh an gorgevren a sew mar pleg rag daskavos agas akont a-ji dhe <b>%s</b>:
+password_change.subject = Agas ger-tremena re beu chanjys
+password_change.text_1 = An ger-tremena rag agas akont o chanjys namnygen.
+primary_mail_change.subject = Agas penntrigva ebost re beu chanjys
+primary_mail_change.text_1 = An penntrigva ebost a'gas akont o chanjys namnygen dhe %[1]s. Hemm a styr an drigva ebost ny vydh degemeres gwarnyans ebost rag agas akont na fella.
+totp_disabled.subject = TOTP re beu marowhes
+totp_disabled.text_1 = Ger-tremena termyn-selys unweyth (TOTP) war agas akont o marowhes namnygen.
+totp_disabled.no_2fa = Nyns eus methodys 2FA selys na fella, ha nyns yw res rag omgelmi yn agas akont gans 2FA.
+removed_security_key.subject = Alhwedh sawder re beu dileys
+removed_security_key.text_1 = Alhwedh sawder "%[1]s" re beu dileys rag agas akont namnygen.
+removed_security_key.no_2fa = Nyns eus methodys 2FA selys na fella, ha nyns yw res rag omgelmi yn agas akont gans 2FA.
+account_security_caution.text_1 = Mar hwi o hemma, hwi a yll skonya aswon an ebost ma.
+account_security_caution.text_2 = Mar nyns yw hwi, agas akont yw diantel. Kestavewgh an venystroryon a'n wiasva ma mar pleg.
+totp_enrolled.subject = Hwi re bywhes TOTP avel method 2FA
+totp_enrolled.text_1.no_webauthn = Hwi re bywhes TOTP rag agas akont namnygen. Hemm a styr rag oll omgelmyansow dh'gas akont, res yw dhywgh devnydhya TOTP avel method 2FA.
+totp_enrolled.text_1.has_webauthn = Hwi re bywhes TOTP rag agas akont namnygen. Hemm a styr rag oll omgelmyansow dh'gas akont, hwi a yll devnydhya TOTP avel method 2FA po devnydhya neb a'gas alhwedhow sawder.
+issue_assigned.pull = Yth ewgh hwi charjys gans @%[1]s dhe brofyans %[2]s yn gwithva %[3]s.
+issue_assigned.issue = Yth ewgh hwi charjys gans @%[1]s dhe gudyn %[2]s yn gwithva %[3]s.
+issue.x_mentioned_you = Yth ewgh hwi kampollys gans <b>@%s</b>:
+issue.action.force_push = <b>%[1]s</b> herdhys gans nerth an <b>%[2]s</b> dhyworth %[3]s dhe %[4]s.
+issue.action.push_1 = <b>@%[1]s</b> herdhys %[3]d gwrians dhe %[2]s
+issue.action.push_n = <b>@%[1]s</b> herdhys %[3]d gwriansow dhe %[2]s
+issue.action.close = <b>@%[1]s</b> deges #%[2]d.
+issue.action.reopen = <b>@%[1]s</b> dasygerys #%[2]d.
+issue.action.merge = <b>@%[1]s</b> kesunys #%[2]d yn %[3]s.
+issue.action.approve = <b>@%[1]s</b> komendys an profyans ma.
+issue.action.reject = <b>@%[1]s</b> govynnys chanjyow orth an profyans ma.
+issue.action.review = <b>@%[1]s</b> kampollys war'n profyans ma.
+issue.action.review_dismissed = <b>@%[1]s</b> naghys breusyans finek dhhyworth %[2]s rag an profyans ma.
+issue.action.ready_for_review = <b>@%[1]s</b> merkys an profyans ma avel parys rag breusyans.
+issue.action.new = <b>@%[1]s</b> gwrys #%[2]d.
+issue.in_tree_path = Yn %s:
+release.new.subject = %s yn %s dyllys
+release.new.text = <b>@%[1]s</b> dyllys %[2]s yn %[3]s
+release.title = Titel: %s
+release.note = Noten:
+release.downloads = Iskargow:
+release.download.zip = Kod Pennfenten (ZIP)
+release.download.targz = Kod Pennfenten (TAR.GZ)
+repo.transfer.subject_to = %s a vynn treusworra gwithva "%s" dhe %s
+repo.transfer.subject_to_you = %s a vynn treusworra gwithva "%s" dhe hwi
+repo.transfer.to_you = hwi
+repo.transfer.body = Rag degemeres po nagha vysytya %s po skonya aswon.
+repo.collaborator.added.subject = %s addys hwi dhe %s avel kesoberer
+repo.collaborator.added.text = Hwi re beu addys avel kesoberer dhe withva:
+team_invite.subject = %[1]s re welwys hwi rag junya an kowethyans %[2]s
+team_invite.text_1 = %[1]s re welwys hwi rag junya bagas %[2]s yn kowethyans %[3]s.
+team_invite.text_2 = Klyckyewgh an gorgevren a sew mar pleg rag junya an bagas:
+team_invite.text_3 = Noten: An galow ma o mynnys rag %[1]s. Mar na gwaytyowgh an galow ma, hwi a yll skonya aswon an ebost ma.
+
+[modal]
+yes = Ya
+no = Na
+confirm = Afydhya
+cancel = Hedhi
+
+[form]
+UserName = Hanow devnydhyer
+FullName = Hanow leun
+Description = Deskrifans
+Pronouns = Rakhenwyn
+Biography = Bewskrif
+Website = Gwiasva
+Location = Tyller
+RepoName = Hanow gwithva
+Email = Trigva ebost
+Password = Ger-tremena
+Retype = Afydhya ger-tremena
+PayloadUrl = Gorgevren karg
+TeamName = Hanow bagas
+AuthName = Hanow reythheans
+AdminEmail = Trigva ebost menystrer
+To = Hanow skorr
+AccessToken = Tokyn hedhas
+NewBranchName = Hanow skorr nowydh
+CommitSummary = Berrskrif gwrians
+CommitMessage = Messach gwrians
+CommitChoice = Dewis gwrians
+TreeName = Tyller restren
+Content = Synsas
+require_error = ` ny yllir bos gwag.`
+alpha_dash_error = ` y kodh synsi lytherennow y'n abecedari, niveryow, linen ("-") hag islinen ("_").`
+alpha_dash_dot_error = ` y kodh synsi lytherennow y'n abecedari, niveryow, linen ("-"), islinen ("_"), ha dyjyn (".").`
+git_ref_name_error = ` res yw bos hanow kampol Git gwrys yn ta.`
+size_error = ` res yw bos braster %s.`
+min_size_error = ` res yw synsi %s lytherennow dhe'n lyha.`
+max_size_error = ` res yw synsi %s lytherennow dhe'n moyha.`
+email_error = ` nyns yw trigva ebost ewn.`
+url_error = `"%s" nyns yw gorgevren ewn.`
+include_error = ` res yw synsi istekst "%s".`
+glob_pattern_error = ` patron glob yw anewn: %s.`
+regex_pattern_error = ` patron menegyn rewlys yw anewn: %s.`
+username_error = ` a yll synsi lytherennow ("0-9","a-z","A-Z"), linen ("-"), islinen ("_") ha dyjyn (".") yn unnik. Ny yllir dalleth po finsya gans lytherennow na'n par na, ha lytherennow na'n par na yw difennys ynwedh.`
+username_error_no_dots = ` a yll synsi lytherennow ("0-9","a-z","A-Z"), linen ("-"), hag islinen ("_") yn unnik. Ny yllir dalleth po finsya gans lytherennow na'n par na, ha lytherennow na'n par na yw difennys ynwedh.`
+invalid_group_team_map_error = ` mappyans yw anewn: %s`
+unknown_error = Error ankoth:
+captcha_incorrect = Anewn yw an kod CAPTCHA.
+password_not_match = Na omdhesedha an eryow-tremena.
+lang_select_error = Dewis yeth dhyworth an rol.
+username_been_taken = An hanow devnydhyer yw kemerys seulabrys.
+username_change_not_local_user = Nyns yw devnydhyoryon anleel gesys rag chanjya aga hanow devnydhyer.
+username_claiming_cooldown = Nyllir perghenegi an hanow devnydhyer drefen nyns yw deu y dermyn-mygla. Y hyll bos perghenegys %[1]s.
+repo_name_been_taken = An hanow gwithva yw devnydhys seulabrys.
+repository_force_private = Ynia Privedh yw byw: ny yllir dylla yn poblek gwithvaow privedh.
+repository_files_already_exist = Yma restrennow rag an gwithva ma seulabrys. Kestavewgh an menystrer system.
+repository_files_already_exist.adopt = Yma restrennow rag an gwithva ma seulabrys hag yllons bos Asvebys hepken.
+repository_files_already_exist.delete = Yma restrennow rag an gwithva ma seulabrys. Res yw dhywgh dilea.
+repository_files_already_exist.adopt_or_delete = Yma restrennow rag an gwithva ma seulabrys. Res yw dhywgh dilea po asvaba.
+visit_rate_limit = Vysytyans pell a ewnhe finweth.
+2fa_auth_required = Vysytyans pell rekwirys gwirheans dewkamm.
+org_name_been_taken = An hanow kowethyans yw kemerys seulabrys.
+team_name_been_taken = An hanow bagas yw kemerys seulabrys.
+team_no_units_error = Gasa hedhas dhe unn dregh gwithva dhe'n lyha.
+email_been_used = An drigva ebost yw devnydhys seulabrys.
+email_invalid = Anewn yw an drigva ebost.
+email_domain_is_not_allowed = Yma kas ynter an arlotteth a'n drigva ebost devnydhyer <b>%s</b> ha EMAIL_DOMAIN_ALLOWLIST po EMAIL_DOMAIN_BLOCKLIST. Surhewgh hwi re settys an drigva ebost yn ta.
+openid_been_used = An drigva OpenID "%s" yw devnydhys seulabrys.
+username_password_incorrect = Hanow devnydhyer po ger-tremena yw anewn.
+password_complexity = Ger-tremena ny hedhes edhommow komplegeth:
+password_lowercase_one = Unn lytheren byghan dhe'n lyha
+password_uppercase_one = Unn lytheren bras dhe'n lyha
+password_digit_one = Unn niver dhe'n lyha
+password_special_one = Unn lytheren arbennik (poyntyans, krommvaghow, devynys, h.e.) dhe'n lyha
+enterred_invalid_repo_name = Anewn yw an hanow gwithva ynworrys.
+enterred_invalid_org_name = Anewn yw an hanow kowethyans ynworrys.
+enterred_invalid_owner_name = Nyns yw ewn an hanow perghen nowydh.
+enterred_invalid_password = Anewn yw an ger-tremena ynworrys.
+unset_password = Ny veu an devnydhyer omgelmyans an ger-tremena settys.
+unsupported_login_type = Nyns yw skoodhys an eghen omgelmyans rag dilea akont.
+user_not_exist = Nyns eus an devnydhyer.
+team_not_exist = Nyns eus an bagas.
+last_org_owner = Ny yllowgh remova an devnydhyer diwettha rag an bagas "perghennow". Res yw bos unn perghen dhe'n lyha rag kowethyans.
+cannot_add_org_to_team = Ny yllir keworra Kowethyans avel esel bagas.
+duplicate_invite_to_team = An devnydhyer yw gelwys avel esel bagas seulabrys.
+organization_leave_success = Hwi re gesys an kowethyans %s yn sewen.
+invalid_ssh_key = Ny yllir gwirhe agas alhwedh SSH: %s
+invalid_gpg_key = Ny yllir gwirhe agas alhwedh GPG: %s
+must_use_public_key = An alhwedh provys yw alhwedh privedh. Na ughkargewgh agas alhwedh privedh yn neb le. Devnydhyewgh agas alhwedh poblek yn le.
+unable_verify_ssh_key = Ny yllir gwirhe an alhwedh SSH, checkyewgh rag kammgemeryansow.
+auth_failed = Ny yllir gwirhe: %v
+still_own_repo = Yma dh'gas akont unn po moy gwithvaow, dileewgh po treusperthi kyns.
+still_has_org = Agas akont yw esel a unn po moy kowethyansow, gasewgh kyns.
+still_own_packages = Yma dh'gas akont unn po moy fardellow, dileewgh kyns.
+org_still_own_repo = Yma dhe'n kowethyans ma unn po moy gwithvaow, dileewgh po treusperthewgh kyns.
+org_still_own_packages = Yma dhe'n kowethyans ma unn po moy fardellow, dileewgh kyns.
+target_branch_not_exist = Nyns eus an skorr kostennys.
+admin_cannot_delete_self = Ny yllowgh dilea agas honan mar menystrer owgh hwi. Removewgh agas pryvylejys menystrer kyns mar pleg.
+required_prefix = Res yw dhywgh dalleth ynworrans gans "%s"
+
+[user]
+change_avatar = Chanjya agas imach…
+joined_on = Omjunys %s
+repositories = Gwithvaow
+activity = Aktivita poblek
+followers.title.one = Holyer
+followers.title.few = Holyoryon
+following.title.one = Ow Holya
+following.title.few = Ow Holya
+followers_one = %d holyer
+followers_few = %d holyoryon
+following_one = %d ow holya
+following_few = %d ow holya
+follow = Holya
+unfollow = Diholya
+block_user = Lettya devnydhyer
+block_user.detail = Notyewgh yma effeythyow aral a ow lettya devnydhyer mar pleg, kepar ha:
+block_user.detail_1 = Hwi a vydh astel ow holya an eyl y gila ha ny yllir holya an eyl y gila.
+block_user.detail_2 = An devnydhyer ma ny yllir ynterweytha gans agas gwithvaow, po an gudynnow ha kampollansow hwi re gwrys.
+block_user.detail_3 = Ny yllowgh keworra an eyl y gila avel kesoberoryon gwithva.
+follow_blocked_user = Ny yllowgh holya an devnydhyer ma drefen hwi re lettys an devnydhyer ma po an devnydhyer ma re hwi lettys.
+starred = Gwithvaow drudh
+watched = Gwithvaow mirys
+code = Kod
+projects = Ragdresow
+overview = Gorwolok
+block = Lettya
+unblock = Dilettya
+user_bio = Bewskrif
+email_visibility.limited = Agas trigva ebost yw gweladow rag oll devnydhyoryon omgelmys
+show_on_map = Diskwedhes an tyller ma war vappa
+settings = Settyansow devnydhyer
+disabled_public_activity = An devnydhyer ma re marowhes an gweladewder poblek a'n aktivita.
+public_activity.visibility_hint.self_public = Agas aktivita yw gweladow rag pubonan, marnas keskowsow yn spassow privedh. <a href="%s">Chanjya</a>.
+public_activity.visibility_hint.admin_public = Agas aktivita yw gweladow rag pubonan mes, drefen menystrer owgh hwi, hwi a yll gweles keskowsow yn spassow privedh.
+public_activity.visibility_hint.self_private = Agas aktivita yw gweladow rag hwi ha'n venystroryon gweyth yn unnik. <a href="%s">Chanjya</a>.
+public_activity.visibility_hint.admin_private = An aktivita ma yw gweladow rag hwi drefen menystrer owgh hwi, mes an devnydhya mynnes gwitha privedh.
+public_activity.visibility_hint.self_private_profile = Agas aktivita yw gweladow rag hwi ha'n venystroryon gweyth yn unnik drefen agas profil yw privedh. <a href="%s">Chanjya</a>.
+form.name_reserved = An hanow devndyhyer "%s" yw ragerghys.
+form.name_pattern_not_allowed = An patron "%s" nyns yw gesys yn hanow devnydhyer.
+form.name_chars_not_allowed = Yma lytherennow anewn y'n hanow devnydhyer "%s".
+
+[settings]
+profile = Profil
+account = Akont
+appearance = Gis
+security = Sawder
+avatar = Imach
+ssh_gpg_keys = Alhwedhow SSH / GPG
+applications = Appys
+orgs = Kowethyansow
+repos = Gwithvaow
+twofa = Reythheans dewkamm (TOTP)
+organization = Kowethyansow
+webauthn = Reythheans dewkamm (Alhwedhow sawder)
+blocked_users = Devnydhyoryon lettys
+storage_overview = Gorwolok gwithans
+quota = Finweth
+public_profile = Profil poblek
+biography_placeholder = Kedhlewgh re erel nebes a-dro dhywgh! (Markdown yw skoodhys)
+location_placeholder = Kevrenna agas tyller nesogas gans re erel
+profile_desc = A-dro dhywgh
+password_username_disabled = Devnydhyoryon anleel nyns yw gesys chanjya aga hanow devnydhyer. Kestavewgh agas menystrer gwiasva rag moy manylyon mar pleg.
+full_name = Hanow leun
+website = Gwiasva
+location = Tyller
+pronouns = Rakhenwyn
+pronouns_unspecified = Anragnotys
+update_theme = Chanjya thema
+update_profile = Nowedhi profil
+update_language = Chanjya yeth
+update_language_not_found = Yeth "%s" nyns yw kavadow.
+update_language_success = Yeth re beu nowedhys.
+update_profile_success = Agas profil re beu nowedhys.
+change_username_prompt = Noten: Ow chanjya agas hanow devnydhyer a wra chanjya an URL a'gas akont.
+change_username_redirect_prompt = An hanow devnydhyer koth a wra daskevarwodha ernag yma nebonan ow perghenegi.
+change_username_redirect_prompt.with_cooldown.one = An hanow devnydhyer koth a wra bos kavadow rag pubonan wosa termyn-mygla a %[1]d dydh. Hwi a yll dasberghenegi an hanow devnydhyer koth dres an termyn-mygla.
+change_username_redirect_prompt.with_cooldown.few = An hanow devnydhyer koth a wra bos kavadow rag pubonan wosa termyn-mygla a %[1]d dedhyow. Hwi a yll dasberghenegi an hanow devnydhyer koth dres an termyn-mygla.
+language = Yeth
+language.title = Yeth defowt
+language.description = An yeth ma y fydh sawys dh'gas akont ha devnydhys avel an defowt wosa omgelmowgh.
+language.localization_project = Gweresewgh ni treylya Forgejo yn agas yeth! <a href="%s">Dyski moy</a>.
+ui = Thema
+hints = Hyntys
+additional_repo_units_hint = Profyewgh bywhe unses gwithva keworransel
+additional_repo_units_hint_description = Diskwedhes hynt "Bywhe moy" rag gwithvaow le may nyns eus oll unses kavadow bywhes.
+update_hints = Nowedhi hyntys
+update_hints_success = Hyntys re beu nowedhys.
+hidden_comment_types = Eghennow kampol kudh
+hidden_comment_types_description = Eghennow kampol checkys omma ny vydh diskwedhys yn folennow kudyn. Ow checkya "Label" rag ensampel a wra remova oll kampollys "<user> keworrys/removys <label>".
+hidden_comment_types.ref_tooltip = Kampollys le may an kudyn ma o kampollys dhyworth kudyn/gwrians/… aral
+hidden_comment_types.issue_ref_tooltip = Kampollys le may an devnydhyer chanjya an skorr/tagg kowethys gans an kudyn
+comment_type_group_reference = Kampol
+comment_type_group_label = Label
+comment_type_group_milestone = Men mildir
+comment_type_group_assignee = Charjyer
+comment_type_group_title = Titel
+comment_type_group_branch = Skorr
+comment_type_group_review_request = Govyn breusyans
+comment_type_group_pull_request_push = Gwriansow keworrys
+comment_type_group_project = Ragdres
+comment_type_group_issue_ref = Kampol kudyn
+saved_successfully = Agas settyansow o sawys yn sewen.
+privacy = Privetter
+keep_activity_private = Kudha aktivita rag folen profil
+keep_activity_private.description = Agas <a href="%s">aktivita poblek</a> y fydh gweladow rag gwi ha'n venystroryon gweyth yn unnik.
+lookup_avatar_by_mail = Hwilas imach gans trigva ebost
+enable_custom_avatar = Devnydhya imach a-vusur
+choose_new_avatar = Dewis imach nowydh
+update_avatar = Nowedhi imach
+delete_current_avatar = Dilea imach a-lemmyn
+uploaded_avatar_not_a_image = An restren ughkargys nyns yw skeusen.
+uploaded_avatar_is_too_big = An restren ughkargys (%d KiB) gordremena an braster moyha (%d KiB).
+update_avatar_success = Agas imach re beu nowedhys.
+update_user_avatar_success = An imach a'n devnydhyer re beu nowedhys.
+change_password = Chanjya ger-tremena
+update_password = Nowedhi ger-tremena
+old_password = Ger-tremena a-lemmyn
+new_password = Ger-tremena nowydh
+retype_new_password = Afydhya ger-tremena nowydh
+password_incorrect = An ger-tremena nowydh yw anewn.
+change_password_success = Agas ger-tremena re beu nowedhys. Alemma rag, devnydhya agas ger-tremena nowydh rag omgelmi.
+password_change_disabled = Devnydhyoryon anleel na yllir nowedhi aga ger-tremena dres an ynterfas gwi Forgejo.
+manage_emails = Dyghtya trigvaow ebost
+manage_themes = Thema defowt
+manage_openid = Trigvaow OpenID
+email_desc = Agas penntrigva ebost y fydh devnydhys rag gwarnyansow, yaghheans ger-tremena ha, mar nyns yw kudh, oberyans gwi-selys Git.
+theme_desc = An thema ma y fydh devnydhys rag an ynterfas gwi mars omgelmys owgh hwi.
+primary = Kynsa
+activated = Bywhes
+requires_activation = Bywheans a res
+primary_email = Bos kynsa
+activate_email = Danvon bywheans
+activations_pending = Bywheansow ow gortos
+can_not_add_email_activations_pending = Yma bywheans ow gortos, assayewgh arta yn nebes mynysennow mar mynnowgh keworra trigva ebost nowydh.
+delete_email = Remova
+email_deletion = Remova trigva ebost
+email_deletion_desc = An drigva ebost ma ha kedhlow keskelmys y fydh dileys rag agas akont. Gwriansow Git gans an drigva ebost a wra gwitha anchanjys. Pesya?
+email_deletion_success = An drigva ebost re beu dileys.
+theme_update_success = Agas thema o nowedhys.
+theme_update_error = Nyns eus an thema dewisys.
+openid_deletion = Remova Trigva OpenID
+openid_deletion_desc = Ow remova an drigva OpenID ma rag agas akont a wra lettya hwi dhyworth owth omgelmi gans an re ma. Pesya?
+openid_deletion_success = An drigva OpenID re beu dileys.
+add_new_email = Keworra trigva ebost
+add_new_openid = Keworra URI OpenID nowydh
+add_email = Keworra trigva ebost
+add_openid = Keworra URI OpenID
+add_email_confirmation_sent = Ebost afydhyans re beu danvenys dhe "%s". Rag afydhya dha trigva ebost, checkyewgh agas yngist mar pleg ha holya an gorgevren provys a-ji dhe'n nessa %s.
+add_email_success = An drigva ebost nowydh re beu keworrys.
+email_preference_set_success = Dewis ebost re beu settys yn sewen.
+add_openid_success = An drigva OpenID nowydh re beu keworrys.
+keep_email_private = Kudha trigva ebost
+keep_email_private_popup = Trigva ebost ny vydh diskwedhys war'n folen profil ha ny vydh an defowt rag gwriansow gwrys ow tevnydhya an ynterfas gwi, kepar ha ughkargys restren, golegyansow, ha gwriansow kesunyans. Yn le, trigva arbennik a yll bos devnydhys rag kevrenna gwriansow dhe'n akont devnydhyer. An dewis ma ny vydh menni gwriansow gwrys seulabrys.
+keep_pronouns_private = Diskwedhes rakhenwyn dhe dhevnydhyoryon reythhes yn unnik
+keep_pronouns_private.description = Hemm a wra kudha agas rakhenwyn rag vysytyoryon anomgelmys.
+manage_ssh_keys = Dyghtya alhwedhow SSH
+manage_ssh_principals = Dyghtya Penntestskifow SSH
+manage_gpg_keys = Dyghtya Alhwedhow GPG
+add_key = Keworra alhwedh
+ssh_desc = An alhwedhow poblek SSH ma yw kowethys gans agas akont. An alhwedhow privedh a omdhesedh gasa hedhas leun dhe agas gwithvaow. Alhwedhow SSH gwirhes a yll bos devnydhys rag gwirhe gwriansow Git sinys gans SSH.
+principal_desc = An penntestskrifow SSH ma yw kowethys gans agas akont ha gasa hedhas leun dh'gas gwithvaow.
+gpg_desc = An alhwedhow poblek GPG yw kowethys gans agas akont ha yw devnydhys rag gwirhe dha gwriansow. Gwitha saw agas alhwedhow privedh drefen gasons i rag sina gwriansow gans agas honanieth.
+webauthn_nickname = Leshanow
+delete_account = Dilea agas akont
+confirm_delete_account = Afydhya dileyans
+delete_account_title = Dilea akont devnydhyer
+delete_account_desc = Owgh hwi sur mynnowgh dilea an akont devnydhyer ma yn andileadow?
+email_notifications.enable = Bywhe gwarnyansow ebost
+visibility = Gweladewder devnydhyer
+visibility.public = Poblek
+visibility.public_tooltip = Gweladow rag oll
+visibility.limited = Strothys
+visibility.limited_tooltip = Gweladow rag devnydhyoryon omgelmys yn unnik
+visibility.private = Privedh
+visibility.private_tooltip = Gweladow yn unnik rag eseli a gowethyansow may rann owgh hwi
+blocked_since = Lettys a-dhia %s
+user_unblock_success = An devnydhya re beu dilettys yn sewen.
+user_block_success = An devnydhya re beu lettys yn sewen.
+user_block_yourself = Ny yllowgh lettya agas honan.
+quota.sizes.assets.artifacts = Eskorransow
+quota.sizes.assets.packages.all = Fardellow
+quota.sizes.wiki = Wiki
+cancel = Hedhi
+comment_type_group_time_tracking = Hedheuryer
+comment_type_group_deadline = Diwedhva
+comment_type_group_dependency = Serghek
+comment_type_group_lock = Studh alhwedha
+openid_desc = OpenID a asa hwi kanasa gwirheans dhe brovier a-ves.
+ssh_helper = <strong>Eus edhom dhywgh a weres?</strong> Gwelewgh an kowethlyver rag <a href="%s">gwruthyl agas honan alhwedhow SSH</a> po digelmi <a href="%s">kudynnow kemmyn</a> gans ow tevnydhya SSH.
+gpg_helper = <strong>Eus edhom dhywgh a weres?</strong> Gwelewgh an kowethlyver rag <a href="%s">a-dro dhe GPG</a>.
+key_content_ssh_placeholder = Dalleth gans "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ecdsa-sha2-nistp256@openssh.com", po "sk-ssh-ed25519@openssh.com"
+key_content_gpg_placeholder = Dalleth gans "-----BEGIN PGP PUBLIC KEY BLOCK-----"
+ssh_key_been_used = An alhwedh SSH ma re veu keworrys dhe'n servell seulabrys.
+ssh_key_name_used = Yma alhwedh SSH gans an hanow keth war agas akont seulabrys.
+gpg_key_id_used = Yma alhwedh GPG poblek gans an ID keth seulabrys.
+gpg_no_key_email_found = An alhwedh GPG ma ny omdhesedha neb trigva ebost byw kowethys gans agas akont. Possybyl yw rag keworra mar sinewgh an tokyn provys.
+gpg_key_matched_identities = Honaniethow Omdhesedhys:
+gpg_key_verified = Alhwedh gwirhys
+gpg_key_verify = Gwirhe
+gpg_token_required = Yma edhom dhywgh provia sinans rag an tokyn a-woles
+gpg_token = Tokyn
+gpg_token_help = Hwi a yll dinythi sinans ow tevnydhya:
+gpg_token_signature = Sinans GPG arvwiskys
+key_signature_gpg_placeholder = Dalleth gans "-----BEGIN PGP SIGNATURE-----"
+verify_gpg_key_success = Alhwedh GPG "%s" re beu gwirhys.
+ssh_key_verified = Alhwedh gwirhys
+ssh_key_verify = Gwirhe
+ssh_token_required = Yma edhom dhywgh provia sinans rag an tokyn a-woles
+ssh_token = Tokyn
+ssh_token_help = Hwi a yll dinythi sinans ow tevnydhya:
+ssh_token_help_ssh_agent = po, mar devnydhyowgh maynor SSH (gans an nowejyn SSH_AUTH_SOCK settys):
+ssh_token_signature = Sinans SSH arvwiskys
+key_signature_ssh_placeholder = Dalleth gans "-----BEGIN SSH SIGNATURE-----"
+verify_ssh_key_success = An alhwedh SSH "%s" re beu gwirhys.
+subkeys = Isalhwedhow
+key_id = ID Alhwedh
+key_name = Hanow alhwedh
+key_content = Synsas
+principal_content = Synsas
+add_key_success = An alhwedh SSH "%s" re beu keworrys.
+add_gpg_key_success = An alhwedh GPG "%s" re beu keworrys.
+delete_key = Remova
+ssh_key_deletion = Remova alhwedh SSH
+gpg_key_deletion = Remova alhwedh GPG
+ssh_key_deletion_success = An alhwedh SSH re beu removys.
+gpg_key_deletion_success = An alhwedh GPG re beu removys.
+added_on = Keworrys %s
+valid_until_date = Ewn bys %s
+valid_forever = Ewn bys vykken
+last_used = Devnydhys diwettha
+no_activity = Nyns eus aktivita a-dhiwedhes
+can_read_info = Redya
+can_write_info = Skrifa
+key_state_desc = An alhwedh ma re beu devnydhys y'n 7 dedhyow yw passys
+token_state_desc = An tokyn ma re beu devnydhys y'n 7 dedhyow yw passys
+show_openid = Diskwedhes war brofil
+hide_openid = Kudha rag profil
+ssh_disabled = SSH yw marow
+ssh_externally_managed = An alhwedh SSH ma yw dyghtys a-ves rag an devnydhyer ma
+manage_access_token = Toknys hedhas
+generate_new_token = Dinythi tokyn nowydh
+tokens_desc = An doknys ma ri hedhas dh'gas akont ow tevnydhya an API Forgejo.
+token_name = Hanow tokyn
+generate_token = Dinythi tokyn
+generate_token_success = Agas tokyn nowydh re beu dinythys. Kopiewgh lemmyn drefen ny vydh diskwedhys arta.
+generate_token_name_duplicate = <strong>%s</strong> re beu devnydhys avel hanow app seulabrys. Devnydhyewgh onan nowydh mar pleg.
+delete_token = Dilea
+access_token_deletion = Dilea tokyn hedhas
+access_token_deletion_desc = Ow tilea tokyn a wra dilea hedhas dh'gas akont rag appys ow tevnydhya. Hemma ny yllir bos diswul. Pesya?
+delete_token_success = An tokyn re beu dileys. Yma dhe appys ow tevnydhya hedhas dh'gas akont na fella.
+regenerate_token = Dasdinythi
+access_token_regeneration = Dasdinythi tokyn hedhas
+access_token_regeneration_desc = Ow tasdinythi tokyn a wra remova hedhas dh'gas akont rag appys ow tevnydhya. Hemma ny yllir bos digelmys. Pesya?
+regenerate_token_success = An tokyn re beu dasdinythys. Nyns eus hedhas dh'gas akont na fella rag appys ow tevnydhya ha res yw bos nowedhys gans an tokyn nowydh.
+repo_and_org_access = Hedhas gwithva ha kowethyans
+permissions_public_only = Poblek yn unnik
+permissions_access_all = Oll (poblek, privedh, ha strothys)
+select_permissions = Dewis kummyasow
+permission_no_access = Hedhas vyth
+permission_read = Redya
+permission_write = Redya ha skrifa
+permissions_list = Kummyasow:
+manage_oauth2_applications = Dyghtya appys OAuth2
+edit_oauth2_application = Golegi App OAuth2
+remove_oauth2_application = Remova App OAuth2
+remove_oauth2_application_success = An app re beu dileys.
+create_oauth2_application = Gwruthyl app OAuth2 nowydh
+create_oauth2_application_button = Gwruthyl app
+create_oauth2_application_success = Hwi re gwrys appys OAuth2 nowydh yn sewen.
+update_oauth2_application_success = Hwi re nowedhys appys OAuth2 nowydh yn sewen.
+oauth2_application_name = Hanow app
+save_application = Sawya
+oauth2_client_id = ID Kliens
+oauth2_client_secret = Kevrin kliens
+oauth2_regenerate_secret = Dasdinythi kevrin
+oauth2_application_edit = Golegi
+revoke_key = Remova
+revoke_oauth2_grant = Remova hedhas
+revoke_oauth2_grant_success = Hedhas removys yn sewen.
+twofa_disable_note = Hwi a yll marowhe gwirheans dewkamm mars yw res.
+or_enter_secret = Po ynworra an kevrin: %s
+then_enter_passcode = Hag ynworra an kod-tremena diskwedhys y'n app:
+passcode_invalid = Anewn yw an kod-tremena. Assayewgh arta.
+twofa_failed_get_secret = Ny yllir kerghes kevrin.
+webauthn_register_key = Keworra alhwedh sawder
+webauthn_delete_key = Remova alhwedh sawder
+manage_account_links = Akontys keskelmys
+link_account = Keskelmi akont
+remove_account_link = Remova akont keskelmys
+blocked_users_none = Nyns eus devnydhyoryon lettys.
+email_notifications.disable = Marowhe gwarnyansow ebost
+email_notifications.submit = Settya dewis ebost
+quota.sizes.all = Oll
+quota.sizes.repos.all = Gwithvaow
+quota.sizes.repos.public = Gwithvaow poblek
+quota.sizes.repos.private = Gwithvaow privedh
+quota.sizes.git.all = Synsas Git
+quota.sizes.git.lfs = Git LFS
+gpg_key_matched_identities_long = An honaniethow a-bervedh y'n alhwedh ma a omdhesedh an trigvaow ebost byw a sew rag an devnydhyer ma. Gwriansow a omdhesedh an trigvaow ebost ma a yll bos gwirhys gans an alhwedh ma.
+gpg_key_verified_long = Alhwedh re beu gwirhys gans tokyn ha'n alhwedh ma a yll bos devnydhys rag gwirhe gwriansow a omdhesedh neb trigvaow ebost byw rag an devnydhyer ma ha neb honaniethow omdhesedhys rag an alwhedh ma.
+gpg_invalid_token_signature = An alhwedh GPG provys, sinans ha tokyn ny omdhesedha po tokyn yw anterrus.
+ssh_key_verified_long = Alhwedh re beu gwirhys gans tokyn ha'n alhwedh ma a yll bos devnydhys rag gwirhe gwriansow a omdhesedh neb trigvaow ebost byw rag an devnydhyer ma.
+ssh_invalid_token_signature = An alhwedh SSH provys, sinans, po tokyn ny omdhesedha po tokyn yw anterrus.
+ssh_key_deletion_desc = Ow tilea alhwedh SSH a wra remova an hedhas dh'gas akont. Pesya?
+gpg_key_deletion_desc = Ow tilea alhwedh GPG an digwirhys gwriansow sinys dhir. Pesya?
+ssh_signonly = SSH yw marow a-lemmyn ytho an alhwedhow ma yw devnydhys rag gwirheans sinans gwrians hepken.
+access_token_desc = Kummyasow tokyn dewisys a finweth reythheans dhe'n hensyow <a href="%[1]s" target="_blank">API</a> a omdhesedh. Redyewgh an <a href="%[2]s" target="_blank">kowethlyver</a> rag moy kedhlow.
+at_least_one_permission = Res yw dhywgh dewis unn kummyas dhe'n lyha rag gwruthyl tokyn
+oauth2_confidential_client = Kliens kelfydhys. Dewis rag appys ow kwitha an kevrin kelfydhys, kepar hag appys gwi. Na dewisewgh rag appys teythiek ow synsi appys rag amontyellow ha klapkodhow.
+oauth2_redirect_uris = Daskevarwodha URIs. Devnydhyewgh linen nowydh rag pub URI mar pleg.
+oauth2_regenerate_secret_hint = Kellys agas kevrin?
+oauth2_application_create_description = Appys OAuth2 ri hedhas dhe akontys devnydhyer war'n weyth ma dh'gas app parti-tressa.
+oauth2_application_remove_description = Ow tilea app OAuth2 a wra lettya rag ow trehedhes akontys devnydhyer reythhys war'n weyth ma. Pesya?
+oauth2_application_locked = Forgejo a ragkovskrif neb appys OAuth2 dres dalleth mar byw yn selyans. Rag lettya fara anwaytys, an re ma ny yllir bos golegys po removys. Gwelewgh an kowethlyver OAuth2 mar pleg rag moy kedhlow.
+authorized_oauth2_applications = Appys OAuth2 reythhys
+authorized_oauth2_applications_description = Hwi re grontys hedhas dh'gas akont Forgejo personel dhe'n appys parti-tressa ma. Removewgh hedhas mar pleg rag appys yn devnydh na fella.
+revoke_oauth2_grant_description = Ow tilea hedhas rag an app parti-tressa ma a wra lettya an app ma rag ow trehedhes agas data. Owgh hwi sur?
+twofa_desc = Rag gwitha agas akont rag ladrans ger-tremena, hwi a yll devnydhya klapkodh po devis aral rag ow tegemeres geryow-tremena unweyth termyn-selys ("TOTP").
+twofa_recovery_tip = Mar kellowgh agas devis, hwi a yll bos abel rag devnydhya alhwedh yaghheans undevnydh rag daskemeres hedhas dh'gas akont.
+twofa_is_enrolled = Agas akont yw <strong>rolys</strong> yn gwirheans dewkamm a-lemmyn.
+twofa_not_enrolled = Nyns yw agas akont rolys yn gwirheans dewkamm.
+twofa_disable = Marowhe gwirheans dewkamm
+twofa_scratch_token_regenerate = Dasdinythi alhwedh yaghheans undevnydh
+twofa_scratch_token_regenerated = Agas alhwedh undevnydh yw %s lemmyn. Gwithewgh yn le saw, ny vydh diskwedhys arta.
+twofa_enroll = Rolya yn gwirheans dewkamm
+twofa_disable_desc = Ow marowhe gwirheans dewkamm a wra disdiogeli agas akont. Pesya?
+regenerate_scratch_token_desc = Mar kellowgh agas alhwedh yaghheans po hwi re devnydhys seulabrys, hwi a yll dassettya omma.
+twofa_disabled = Gwirheans dewkamm re beu marowhys.
+scan_this_image = Arhwilasewgh an skeusen ma gans agas app reythheans:
+twofa_enrolled = Agas akont re beu rolys yn sewen. Gwithewgh agas alhwedh yaghheans undevnydh yn le saw, ny vydh diskwedhys arta.
+
+[repo]
+repo_name = Hanow gwithva
+new_repo_helper = Gwithva syns oll restrennow ragdres, ow synsi istori amendyans. Owth ostyowgh onan yn le aral seulabrys? <a href="%s">Divroa gwithva</a>.
+new_from_template = Devnydhya ensampel
+new_from_template_description = Hwi a yll dewis ensampel gwithva seulabrys war'n weyth ma ha gweytha an settyansow.
+new_advanced = Settyansow avonsys
+new_advanced_expand = Klyckyewgh rag lesa
+owner = Perghen
+owner_helper = Martesen ny vydh nebes kowethyansow diskwedhes y'n rol drefen finweth somm gwithvaow moyha.
+repo_name_helper = Henwyn gwithvaow da devnydh geryow alhwedh berr, hegov hag unnik.
+repo_size = Braster Gwithva
+size_format = %[1]s: %[2]s, %[3]s: %[4]s
+template = Ensampel
+template_select = Dewis ensampel
+template_helper = Gwruthyl an withva ma ensampel
+template_description = Gwithvaow ensampel gasa devnydhyoryon dinythi gwithvaow nowydh gans an kesweyth restrenva, restrennow, ha settyansow dre dhewis keth.
+visibility = Gweladewder
+admin.manage_flags = Dyghtya baneryow
+admin.enabled_flags = Baneryow bywhys rag an gwithva:
+admin.update_flags = Nowedhi baneryow
+admin.failed_to_replace_flags = Ny yllir aslea baneryow gwithva
+admin.flags_replaced = Baneryow gwithva asleys
+visibility_helper = Gwruthyl gwithva privedh
+all_branches = Oll skorrow
+use_template = Devnydhya an ensampel ma
+open_with_editor = Ygeri gans %s
+download_zip = Iskarga ZIP
+download_tar = Iskarga TAR.GZ
+repo_desc = Deskrifans
+repo_desc_helper = Ynworra deskrifans berr (dre dhewis)
+repo_gitignore_helper = Dewis ensamplys .gitignore
+issue_labels = Labelyow
+issue_labels_helper = Dewis sett label
+license = Leshyans
+license_helper = Dewis restren leshyans
+auto_init = Selya gwithva
+create_repo = Gwruthyl gwithva
+default_branch = Skorr defowt
+default_branch_label = defowt
+mirror_prune = Skethra
+mirror_public_key = Alhwedh SSH poblek
+mirror_use_ssh.text = Devnydhya gwirheans SSH
+mirror_sync = kettermynyegys
+mirror_lfs_endpoint = Diwedhva LFS
+mirror_password_placeholder = (Anchanjys)
+mirror_password_blank_placeholder = (Ansettys)
\ No newline at end of file
diff --git a/options/locale/locale_mk.ini b/options/locale/locale_mk.ini
index 5bc16b4700..b776d0b80b 100644
--- a/options/locale/locale_mk.ini
+++ b/options/locale/locale_mk.ini
@@ -11,4 +11,89 @@ notifications = Нотификации
 sign_in_or = или
 password = Лозинка
 username = Корисничко име
-your_profile = Профил
\ No newline at end of file
+your_profile = Профил
+explore = Истражубај
+sign_in = Најавајте се
+sign_in_with_provider = Логин со %s
+sign_out = Одјавување
+sign_up = Најавење
+link_account = Конто поврзување
+register = Регистрирање
+powered_by = Поддржано од
+page = Страна
+template = Шаблон
+active_stopwatch = Активен следач на време
+tracked_time_summary = Резиме на следеното време врз основа на филтрите од листата на проблеми
+create_new = Содавање…
+user_profile_and_more = Профил и постапки…
+signed_in_as = Најавено како
+enable_javascript = Оваа вебстрана бара JavaScript.
+toc = Содржина
+licenses = Лиценци
+return_to_forgejo = Враќање до Форгејо
+toggle_menu = Преклопи мени
+more_items = Повеќе ставки
+email = Е-пошта адреса
+access_token = Пристапен токен
+re_type = Потврди лозинка
+captcha = Капча
+twofa = Двофакторска автентификација
+twofa_scratch = Двофакторски исцртан код
+passcode = Шифра
+webauthn_insert_key = Вметнете го вашиот безбедносен клуч
+webauthn_sign_in = Притиснете го копчето на вашиот безбедносен клуч. Ако вашиот безбедносен клуч нема копче, повторно вметнете го.
+webauthn_press_button = Притиснете го копчето на вашиот безбедносен клуч…
+webauthn_use_twofa = Користете еден двофакторски код од вашиот телефон
+webauthn_error = Неможно да се чита бесбедносен клуч.
+webauthn_unsupported_browser = Вашиот прелистувач во моментов не ја поддржува WebAuthn.
+webauthn_error_unknown = Се случи непозната грешка. Ве молиме обидете се повторно.
+webauthn_error_insecure = WebAuthn поддржува само сигурни врски. За тестирање преку HTTP, можете да го користите изворот "localhost" или "127.0.0.1"
+webauthn_error_unable_to_process = Серверот не можеше да ја обработи вашето барање.
+webauthn_error_duplicated = Безбедносниот клуч не е дозволен за овој барање. Ве молиме уверете се дека клучот не е веќе регистриран.
+webauthn_error_empty = Мора да е поставено име за овој клуч.
+webauthn_error_timeout = Времето истечало пред да може да се прочита вашиот клуч. Ве молиме освежете ја оваа страница и обидете се повторно.
+repository = Репозиториум
+new_fork = нов форк на репозиториум
+new_project_column = Нова колумна
+admin_panel = Администрација на страната
+settings = Поставки
+your_starred = со ѕвездичка
+your_settings = Поставки
+new_repo.title = Нов репозиториум
+new_migrate.title = Нова миграција
+new_org.title = Нова организација
+new_repo.link = Нов репозиториум
+new_migrate.link = Нова миграција
+new_org.link = Нова организација
+all = Сè
+sources = Извори
+mirrors = Огледала
+collaborative = Соработувачки
+forks = Форки
+activities = Активности
+pull_requests = Барања за спојување
+issues = Проблеми
+milestones = Важни прекретници
+ok = ОК
+cancel = Откажење
+retry = Повторно пробување
+rerun = Повторно изврши
+rerun_all = Сите задачи повторно ѓи изврши
+save = Сочување
+add = Додавање
+add_all = Додавајте сите
+remove = Отстранење
+remove_all = Одстранете сите
+remove_label_str = Одстрани ставка "%s"
+edit = Едитирање
+view = Гледајте
+test = Тест
+enabled = Овозможено
+disabled = Невозможено
+name = Име
+locked = Заклучено
+copy = Копирање
+copy_url = Копирајте УРЛ
+copy_hash = Копирајте Хеш
+copy_path = Копирајте патека
+copy_content = Копирајте содржина
\ No newline at end of file
diff --git a/options/locale/locale_pl-PL.ini b/options/locale/locale_pl-PL.ini
index 708ab6b6ef..955ba44bce 100644
--- a/options/locale/locale_pl-PL.ini
+++ b/options/locale/locale_pl-PL.ini
@@ -2719,7 +2719,7 @@ pulls.delete_after_merge.head_branch.is_protected = Head gałęzi który chcesz
 settings.protected_branch_required_rule_name = Wymagana nazwa reguły
 settings.protected_branch_duplicate_rule_name = Już istnieje reguła dla tego zbioru gałęzi
 release.summary_card_alt = Karta podsumowania wydania zatytułowanego "%s" w repozytorium %s
-settings.archive.text = Zarchiwizowanie tego repo sprawi, że będzie ono w całości tylko do odczytu. Będzie ukryte z pulpitu. Nikt (nawet ty!) nie będzie mógł utworzyć nowych commitów, lub otworzyć jakichkolwiek zgłoszeń lub pull requestów.
+settings.archive.text = Zarchiwizowanie tego repo sprawi, że będzie ono w całości tylko do odczytu. Będzie ukryte z pulpitu. Nikt (nawet ty!) nie będzie mógł utworzyć nowych commitów, lub otworzyć jakichkolwiek zgłoszeń lub pull requestów. Udokumentowanie powodu archwizacji jest zalecane jako wskazówka dla przyszłych deweloperów którzy planują sforkować to repozytorium.
 settings.unarchive.button = Odarchiwizuj repo
 commits.view_single_diff = Zobacz zmiany tego pliku wprowadzone w tym commicie
 tag.ahead.target = do %s od tego tagu
@@ -2728,8 +2728,8 @@ settings.matrix.access_token_helper = Zalecane jest skonfigurowanie dedykowany k
 pulls.editable = Edytowalne
 pulls.editable_explanation = Ten pull request zezwala na edycje przez opiekunów. Możesz uczestniczyć w nim bezpośrednio.
 archive.nocomment = Komentowanie nie jest możliwe ponieważ repozytorium jest zarchiwizowane.
-sync_fork.branch_behind_one = Ta gałąź jest %[l]d commit za %[2]s
-sync_fork.branch_behind_few = Ta gałąź jest %[l]d commitów za %[2]s
+sync_fork.branch_behind_one = Ta gałąź jest %[1]d commit za %[2]s
+sync_fork.branch_behind_few = Ta gałąź jest %[1]d commitów za %[2]s
 sync_fork.button = Synchronizuj
 migrate.repo_desc_helper = Pozostaw puste by zaimportować istniejący opis
 issues.filter_no_results = Brak wyników
diff --git a/options/locale/locale_pt-BR.ini b/options/locale/locale_pt-BR.ini
index ad3ebebf55..273c68fd8f 100644
--- a/options/locale/locale_pt-BR.ini
+++ b/options/locale/locale_pt-BR.ini
@@ -182,7 +182,7 @@ buttons.bold.tooltip=Adicionar texto em negrito (Ctrl+B / ⌘B)
 buttons.italic.tooltip=Adicionar texto em itálico (Ctrl+I / ⌘I)
 buttons.quote.tooltip=Citar texto
 buttons.code.tooltip=Adicionar código
-buttons.link.tooltip=Adicionar um link
+buttons.link.tooltip=Adicionar um link (Ctrl+K / ⌘K)
 buttons.list.unordered.tooltip=Adicionar uma lista com marcadores
 buttons.list.ordered.tooltip=Adicionar uma lista numerada
 buttons.list.task.tooltip=Adicionar uma lista de tarefas
@@ -875,7 +875,7 @@ delete_token=Excluir
 access_token_deletion=Excluir token de acesso
 access_token_deletion_desc=A exclusão de um token revoga o acesso à sua conta para aplicativos que o usam. Continuar?
 delete_token_success=O token foi excluído. Os aplicativos que o utilizam já não têm acesso à sua conta.
-repo_and_org_access=Acesso ao Repositório e Organização
+repo_and_org_access=Acesso ao repositório e organização
 permissions_public_only=Apenas público
 permissions_access_all=Todos (público, privado e limitado)
 select_permissions=Selecionar permissões
diff --git a/options/locale/locale_pt-PT.ini b/options/locale/locale_pt-PT.ini
index 5884a9e65a..ddba7440d5 100644
--- a/options/locale/locale_pt-PT.ini
+++ b/options/locale/locale_pt-PT.ini
@@ -2390,7 +2390,7 @@ settings.matrix.room_id=ID da sala
 settings.matrix.message_type=Tipo de mensagem
 settings.archive.button=Arquivar repositório
 settings.archive.header=Arquivar este repositório
-settings.archive.text=Arquivar o repositório irá torná-lo apenas de leitura. Ficará escondido do painel de controlo. Ninguém (nem você!) será capaz de fazer novos cometimentos, abrir questões ou pedidos de integração.
+settings.archive.text=Arquivar o repositório irá torná-lo apenas de leitura. Ficará escondido do painel de controlo. Ninguém (nem você!) será capaz de fazer novos cometimentos, abrir questões ou pedidos de integração. É recomendável documentar o motivo do arquivamento, para orientar futuros programadores que pretendam criar uma derivação do repositório.
 settings.archive.success=O repositório foi arquivado com sucesso.
 settings.archive.error=Ocorreu um erro enquanto decorria o processo de arquivo do repositório. Veja os registo para obter mais detalhes.
 settings.archive.error_ismirror=Não pode arquivar um repositório que tenha sido replicado.
diff --git a/options/locale/locale_ru-RU.ini b/options/locale/locale_ru-RU.ini
index 3d410c87f8..5affdffb25 100644
--- a/options/locale/locale_ru-RU.ini
+++ b/options/locale/locale_ru-RU.ini
@@ -2611,7 +2611,7 @@ activity.navbar.contributors = Соавторы
 activity.navbar.code_frequency = Частота изменений
 activity.navbar.recent_commits = Недавние коммиты
 settings.confirmation_string = Строка подтверждения
-settings.archive.text = Архивация репозитория сделает всё его содержимое доступным только для чтения. Он будет скрыт с домашнего экрана. Никто (включая вас!) не сможет добавлять коммиты, открывать задачи и запросы слияний.
+settings.archive.text = Архивация репозитория сделает всё его содержимое доступным только для чтения. Он будет скрыт с домашнего экрана. Никто (включая вас!) не сможет добавлять коммиты, открывать задачи и запросы слияний. Укажите где-нибудь причину архивации, чтобы помочь разработчикам, которые, возможно, захотят сделать ответвление репозитория.
 release.deletion_desc = Удаление выпуска удаляет его только в Forgejo. Это действие не затронет тег в git, содержимое репозитория и его историю. Продолжить?
 pulls.agit_explanation = Создано через рабочий поток AGit. С ним можно предлагать изменения, используя команду «git push», без необходимости в создании ответвления или новой ветви.
 settings.webhook.replay.description_disabled = Активируйте веб-хук для повторения отправки.
diff --git a/options/locale/locale_sv-SE.ini b/options/locale/locale_sv-SE.ini
index 22213cebf4..3e96385031 100644
--- a/options/locale/locale_sv-SE.ini
+++ b/options/locale/locale_sv-SE.ini
@@ -182,7 +182,7 @@ buttons.quote.tooltip = Citera text
 buttons.code.tooltip = Lägg till kod
 buttons.link.tooltip = Lägg till en länk (Ctrl+K / ⌘K)
 buttons.heading.tooltip = Lägg till rubrik
-buttons.bold.tooltip = Lägg till fetstilt text (CTRL+B / ⌘B)
+buttons.bold.tooltip = Lägg till fetstil (Ctrl+B / ⌘B)
 buttons.italic.tooltip = Lägg till kursiv text (CTRL+I / ⌘I)
 buttons.list.unordered.tooltip = Lägg till en punktlista
 buttons.list.ordered.tooltip = Lägg till en numrerad lista
@@ -279,7 +279,7 @@ register_confirm=Kräv bekräftelse via e-post för att registrera
 mail_notify=Aktivera e-postnotiser
 server_service_title=Inställningar för server- och tredjepartstjänster
 offline_mode=Aktivera lokalt läge
-offline_mode.description=Inaktivera CDN från tredjepart och distribuera samtliga resurser lokalt istället.
+offline_mode.description=Inaktivera innehållsleveransnätverk (CDN) från tredjepart och distribuera samtliga resurser lokalt istället.
 disable_gravatar=Inaktivera Gravatar
 disable_gravatar.description=Inaktivera Gravatar- och avatarskällor från tredjepart. Standardbilder kommer att användas för användprofilbilder om de inte laddar upp en egen profilbild till instansen.
 federated_avatar_lookup=Aktivera federerade profilbilder
@@ -761,7 +761,7 @@ add_key=Lägg till nyckel
 ssh_desc=Dessa offentliga SSH-nycklar är kopplade till ditt konto. De motsvarande privata nycklarna ger full åtkomst till dina kodförråd. SSH-nycklar som har verifierats kan användas för att verifiera SSH-signerade Git-incheckningar.
 gpg_desc=Dessa publika GPG-nycklar är kopplade till ditt konto. Håll dina privata nycklar säkra då de gör det möjligt att verifiera incheckningar.
 ssh_helper=<strong>Behöver du hjälp?</strong> Kolla in Github's guide för att <a href="%s">skapa din egen SSH-nycklar</a> eller lösa <a href="%s">vanliga problem</a> som kan uppstå med SSH.
-gpg_helper=<strong>Behöver du hjälp?</strong> Ta en titt på Github's guide <a href="%s"> om GPG</a>.
+gpg_helper=<strong>Behöver du hjälp?</strong> Ta en titt på Github's guide <a href="%s">om GPG</a>.
 key_content_gpg_placeholder=Börjar med "-----BEGIN PGP PUBLIC KEY BLOCK-----"
 ssh_key_been_used=Denna SSH-nyckel har redan lagts till på servern.
 gpg_key_id_used=En publik GPG-nyckel med samma ID existerar redan.
@@ -1595,8 +1595,8 @@ activity.title.releases_published_by=%s publicerad av %s
 activity.published_release_label=Utgåva
 activity.no_git_activity=Det har inte gjorts några commit under den här perioden.
 activity.git_stats_exclude_merges=Exkludera merger,
-activity.git_stats_author_1=%d författare
-activity.git_stats_author_n=%d författare
+activity.git_stats_author_1=%d upphovsperson
+activity.git_stats_author_n=%d upphovspersoner
 activity.git_stats_push_to_all_branches=till alla grenar.
 activity.git_stats_on_default_branch=På %s,
 activity.git_stats_file_1=%d fil
@@ -1759,7 +1759,7 @@ settings.deploy_keys=Distributionsnycklar
 settings.add_deploy_key=Lägg till distributionsnyckel
 settings.deploy_key_desc=Distributionsnycklar kan ha läs- eller läs- och skrivåtkomst till kodförrådet.
 settings.is_writable=Aktivera skrivåtkomst
-settings.is_writable_info=Tillåt denna distributionsnyckel att<strong>skicka</strong> till kodförrådet.
+settings.is_writable_info=Tillåt denna distributionsnyckel att <strong>skicka</strong> till kodförrådet.
 settings.no_deploy_keys=Det finns inga distributionsnycklar ännu.
 settings.title=Titel
 settings.deploy_key_content=Innehåll
@@ -2198,8 +2198,8 @@ issues.filter_milestone_all = Alla milstolpar
 issues.filter_milestone_none = Inga milstolpar
 issues.filter_milestone_open = Öppna milstolpar
 issues.filter_milestone_closed = Stängda milstolpar
-issues.filter_poster = Författare
-issues.filter_poster_no_select = Alla författare
+issues.filter_poster = Upphovsperson
+issues.filter_poster_no_select = Alla upphovspersoner
 issues.filter_type.all_pull_requests = Alla ändringsförfrågningar
 issues.filter_type.review_requested = Granskning begärd
 issues.filter_type.reviewed_by_you = Granskad av dig
@@ -2223,9 +2223,9 @@ issues.no_content = Ingen beskrivning angiven.
 issues.close = Stäng ärende
 issues.comment_pull_merged_at = sammanfogade incheckning %[1]s till %[2]s %[3]s
 issues.comment_manually_pull_merged_at = sammanfogade manuellt incheckning %[1]s till %[2]s %[3]s
-issues.author = Författare
-issues.author.tooltip.issue = Denna användare är författare till detta ärende.
-issues.author.tooltip.pr = Denna användare är författare till denna ändringsförfrågan.
+issues.author = Upphovsperson
+issues.author.tooltip.issue = Användaren är ärendets upphovsperson.
+issues.author.tooltip.pr = Användaren är upphovsperson till ändringsförfrågan.
 issues.role.owner_helper = Denna användare är ägare till detta kodförråd.
 issues.role.member_helper = Denna användare är medlem i organisationen som äger detta kodförråd.
 issues.role.collaborator = Medarbetare
@@ -2278,14 +2278,14 @@ issues.reference_issue.body = Brödtext
 issues.content_history.delete_from_history = Radera från historik
 issues.content_history.delete_from_history_confirm = Radera från historik?
 issues.blocked_by_user = Du kan inte skapa ärenden i det här kodförråd eftersom du är blockerad av kodförrådets ägare.
-comment.blocked_by_user = Kommentering är inte möjlig eftersom du är blockerad av kodförrådets ägare eller författaren.
+comment.blocked_by_user = Det är inte möjligt att kommentera eftersom du är blockerad av kodförrådets ägare eller upphovsperson.
 issues.summary_card_alt = Sammanfattningskort för ett ärende med titel "%s" i kodförråd %s
 compare.compare_base = bas
 pulls.view = Visa ändringsförfrågan
 pulls.edit.already_changed = Det gick inte att spara ändringar till ändringsförfrågan. Det verkar som att innehållet redan har ändrats av en annan användare. Uppdatera sidan och försök redigera igen för att undvika att skriva över deras ändringar
 pulls.sign_in_require = <a href="%s">Logga in</a> för att skapa en ny ändringsförfrågan.
-pulls.allow_edits_from_maintainers = Tillåt redigeringar från underhållare
-pulls.allow_edits_from_maintainers_desc = Användare med skrivåtkomst till basgrenen kan också skicka till den här gren
+pulls.allow_edits_from_maintainers = Tillåt redigeringar från underhållsansvariga
+pulls.allow_edits_from_maintainers_desc = Användare med skrivåtkomst till basgrenen kan också skicka till denna gren
 pulls.allow_edits_from_maintainers_err = Uppdatering misslyckades
 pulls.has_changed_since_last_review = Ändrad sedan din senaste granskning
 pulls.viewed_files_label = %[1]d / %[2]d filer visade
@@ -2295,18 +2295,18 @@ pulls.switch_comparison_type = Byt jämförelsetyp
 pulls.switch_head_and_base = Byt huvud och bas
 pulls.show_all_commits = Visa alla incheckningar
 pulls.show_changes_since_your_last_review = Visa ändringar sedan din senaste granskning
-pulls.showing_only_single_commit = Visar endast ändringar av incheckning %[1]s
+pulls.showing_only_single_commit = Visar endast ändringar för incheckning %[1]s
 pulls.showing_specified_commit_range = Visar endast ändringar mellan %[1]s..%[2]s
 pulls.select_commit_hold_shift_for_range = Välj incheckning. Håll shift + klicka för att välja ett intervall
 pulls.filter_changes_by_commit = Filtrera efter incheckning
 pulls.nothing_to_compare_have_tag = De valda grenarna/taggarna är identiska.
-pulls.nothing_to_compare_and_allow_empty_pr = de här grenar är identiska. den här PR kommer vara tom.
-pulls.has_pull_request = `En ändringsförfrågan mellan de här grenar finns redan: <a href="%[1]s">%[2]s#%[3]d</a>`
+pulls.nothing_to_compare_and_allow_empty_pr = De här grenarna är identiska. Denna PR kommer att vara tom.
+pulls.has_pull_request = `En ändringsförfrågan mellan grenarna finns redan: <a href="%[1]s">%[2]s#%[3]d</a>`
 pulls.merged_success = Ändringsförfrågan sammanfogad och stängd
 pulls.closed = Ändringsförfrågan stängd
 pulls.manually_merged = Manuellt sammanfogad
 pulls.merged_info_text = Grenen %s kan nu raderas.
-pulls.cannot_merge_work_in_progress = den här ändringsförfrågan är markerad som pågående arbete.
+pulls.cannot_merge_work_in_progress = Denna ändringsförfrågan är markerad som pågående arbete.
 pulls.still_in_progress = Ännu pågående?
 pulls.add_prefix = Lägg till <strong>%s</strong>-prefix
 pulls.ready_for_review = Redo för granskning?
@@ -2329,7 +2329,7 @@ pulls.waiting_count_1 = %d väntande granskning
 pulls.waiting_count_n = %d väntande granskningar
 pulls.wrong_commit_id = inchecknings-id måste vara ett inchecknings-id på målgrenen
 pulls.blocked_by_user = Du kan inte skapa en ändringsförfrågan på det här kodförråd eftersom du är blockerad av kodförrådets ägare.
-pulls.no_merge_wip = den här ändringsförfrågan kan inte sammanfogas eftersom den är markerad som pågående arbete.
+pulls.no_merge_wip = Det går inte att sammanfoga denna ändringsförfrågan eftersom den är markerad som pågående arbete.
 pulls.no_merge_not_ready = den här ändringsförfrågan är inte redo att sammanfogas, kontrollera granskningsstatus och statuskontroller.
 pulls.no_merge_access = Du är inte behörig att sammanfoga den här ändringsförfrågan.
 pulls.merge_pull_request = Skapa sammanfogningsincheckning
@@ -2346,43 +2346,43 @@ pulls.unrelated_histories = Sammanfogning misslyckades: Sammanfogningshuvudet oc
 pulls.merge_out_of_date = Sammanfogning misslyckades: Under sammanfogningen uppdaterades basen. Tips: Försök igen.
 pulls.head_out_of_date = Sammanfogning misslyckades: Under sammanfogningen uppdaterades huvudet. Tips: Försök igen.
 pulls.has_merged = Misslyckades: Ändringsförfrågan har redan sammanfogats, du kan inte sammanfoga igen eller ändra målgren.
-pulls.push_rejected = Skickning misslyckades: Skickningen avvisades. Granska Git-krokarna för det här kodförråd.
+pulls.push_rejected = Misslyckades med att skicka: Skickningen avvisades. Granska kodförrådets Git-krokar.
 pulls.push_rejected_summary = Fullständigt avvisningsmeddelande
-pulls.push_rejected_no_message = Skickning misslyckades: Skickningen avvisades men det fanns inget fjärrmeddelande. Granska Git-krokarna för det här kodförråd
-pulls.status_checking = Vissa kontroller väntar
+pulls.push_rejected_no_message = Misslyckades med att skicka: Skickningen avvisades men det fanns inget fjärrmeddelande. Granska kodförrådets Git-krokar
+pulls.status_checking = Väntande kontroller
 pulls.status_checks_success = Alla kontroller lyckades
-pulls.status_checks_warning = Vissa kontroller rapporterade varningar
-pulls.status_checks_failure = Vissa kontroller misslyckades
-pulls.status_checks_error = Vissa kontroller rapporterade fel
+pulls.status_checks_warning = Kontroller rapporterade varningar
+pulls.status_checks_failure = En del kontroller misslyckades
+pulls.status_checks_error = En del kontroller rapporterade fel
 pulls.status_checks_requested = Obligatorisk
 pulls.status_checks_hide_all = Dölj alla kontroller
 pulls.status_checks_show_all = Visa alla kontroller
 pulls.update_branch = Uppdatera gren via sammanfogning
 pulls.update_branch_rebase = Uppdatera gren via ombasering
 pulls.close = Stäng ändringsförfrågan
-pulls.closed_at = `stängde den här ändringsförfrågan %s`
-pulls.reopened_at = `återöppnade den här ändringsförfrågan %s`
-pulls.commit_ref_at = `refererade den här ändringsförfrågan från en incheckning %s`
+pulls.closed_at = `stängde denna ändringsförfrågan %s`
+pulls.reopened_at = `återöppnade denna ändringsförfrågan %s`
+pulls.commit_ref_at = `refererade denna ändringsförfrågan från en incheckning %s`
 pulls.cmd_instruction_hint = Visa kommandoradsinstruktioner
 pulls.cmd_instruction_checkout_title = Checka ut
-pulls.cmd_instruction_checkout_desc = Från din projektkatalog, checka ut en ny gren och testa ändringarna.
+pulls.cmd_instruction_checkout_desc = Checka ut en ny gren från din projektkatalog och testa ändringarna.
 pulls.cmd_instruction_merge_title = Sammanfoga
 pulls.cmd_instruction_merge_desc = Sammanfoga ändringarna och uppdatera på Forgejo.
-pulls.cmd_instruction_merge_warning = <b>Varning:</b> Inställningen "Automatisk identifiering av manuell sammanfogning" är inte aktiverad för det här kodförråd, du måste markera den här ändringsförfrågan som manuellt sammanfogad efteråt.
+pulls.cmd_instruction_merge_warning = <b>Varning:</b> Inställningen "Automatisk identifiering av manuell sammanfogning" är inte aktiverad för detta kodförråd, du måste markera denna ändringsförfrågan som manuellt sammanfogad efteråt.
 pulls.clear_merge_message = Rensa sammanfogningsmeddelande
 pulls.clear_merge_message_hint = Att rensa sammanfogningsmeddelandet tar endast bort incheckningsmeddelandes innehåll och behåller genererade git-trailers som "Co-Authored-By …".
-pulls.reopen_failed.head_branch = Ändringsförfrågan kan inte återöppnas eftersom huvudgrenen inte längre existerar.
-pulls.reopen_failed.base_branch = Ändringsförfrågan kan inte återöppnas eftersom basgrenen inte längre existerar.
+pulls.reopen_failed.head_branch = Det går inte att återöppna denna Ändringsförfrågan eftersom huvudgrenen inte längre existerar.
+pulls.reopen_failed.base_branch = Det går inte att återöppna denna ändringsförfrågan eftersom basgrenen inte längre existerar.
 pulls.made_using_agit = AGit
 pulls.agit_explanation = Skapad med AGit-arbetsflödet. AGit låter bidragsgivare föreslå ändringar med "git-skickning" utan att skapa en avgrening eller en ny gren.
-pulls.editable_explanation = den här ändringsförfrågan tillåter redigeringar från underhållare. Du kan bidra direkt till den.
+pulls.editable_explanation = Denna ändringsförfrågan tillåter redigeringar från underhållare. Du kan bidra direkt.
 pulls.auto_merge_button_when_succeed = (När kontroller lyckas)
-pulls.auto_merge_when_succeed = Automatisk sammanfogning när alla kontroller lyckas
-pulls.auto_merge_newly_scheduled = Ändringsförfrågan schemalagdes att sammanfogas när alla kontroller lyckas.
-pulls.auto_merge_has_pending_schedule = %[1]s schemalade den här ändringsförfrågan för automatisk sammanfogning när alla kontroller lyckas %[2]s.
+pulls.auto_merge_when_succeed = Sammanfoga automatiskt om alla kontroller lyckas
+pulls.auto_merge_newly_scheduled = Ändringsförfrågan har schemalagdes att sammanfogas om alla kontroller lyckas.
+pulls.auto_merge_has_pending_schedule = %[1]s schemalade ändringsförfrågan för automatisk sammanfogning om alla kontroller lyckas %[2]s.
 pulls.auto_merge_cancel_schedule = Avbryt automatisk sammanfogning
-pulls.auto_merge_not_scheduled = den här ändringsförfrågan är inte schemalagd för automatisk sammanfogning.
-pulls.auto_merge_canceled_schedule = Automatisk sammanfogning avbröts för den här ändringsförfrågan.
+pulls.auto_merge_not_scheduled = Denna ändringsförfrågan är inte schemalagd för automatisk sammanfogning.
+pulls.auto_merge_canceled_schedule = Avbröt automatisk sammanfogning avbröts för denna ändringsförfrågan.
 pulls.auto_merge_newly_scheduled_comment = `schemalade den här ändringsförfrågan för automatisk sammanfogning när alla kontroller lyckas %[1]s`
 pulls.auto_merge_canceled_schedule_comment = `avbröt automatisk sammanfogning av den här ändringsförfrågan när alla kontroller lyckas %[1]s`
 pulls.delete_after_merge.head_branch.is_default = Huvudgrenen du vill radera är standardgrenen och kan inte raderas.
@@ -2668,8 +2668,8 @@ diff.generated = genererad
 diff.vendored = tredjepartspaketerad
 diff.comment.add_line_comment = Lägg till radkommentar
 diff.review.header = Skicka granskning
-diff.review.self_reject = Ändringsförfrågan-författare kan inte begära ändringar på sin egen ändringsförfrågan
-diff.review.self_approve = Ändringsförfrågan-författare kan inte godkänna sin egen ändringsförfrågan
+diff.review.self_reject = En upphovsperson av en ändringsförfrågan kan inte begära ändringar på sin egen ändringsförfrågan
+diff.review.self_approve = Upphovspersonen av en ändringsförfrågan kan inte godkänna sin egen ändringsförfrågan
 diff.protected = Skyddad
 diff.image.side_by_side = Sida vid sida
 diff.image.swipe = Svep
diff --git a/options/locale/locale_tok.ini b/options/locale/locale_tok.ini
index 416c88d21b..bb485b94fb 100644
--- a/options/locale/locale_tok.ini
+++ b/options/locale/locale_tok.ini
@@ -6,4 +6,15 @@ home = open
 dashboard = ijo sin
 explore = o alasa
 help = o pana e sona
-logo = sitelen pi ilo Posejo li lon poka sewi. jan li ken ala lukin e sitelen la, ona li lukin e toki "sitelen".
\ No newline at end of file
+logo = sitelen pi ilo Posejo li lon poka sewi. jan li ken ala lukin e sitelen la, ona li lukin e toki "sitelen".
+link_account = o wan e nimi
+sign_up = o pali e nimi
+sign_in = o pana e nimi
+sign_in_with_provider = o pana e nimi kepeken %s
+sign_in_or = anu
+sign_out = o weka e nimi
+register = o pali e nimi
+powered_by = kepeken %s
+page = lipu
+template = nasin open
+notifications = kama sona lili
\ No newline at end of file
diff --git a/options/locale/locale_uk-UA.ini b/options/locale/locale_uk-UA.ini
index a1e7455471..3c9a7d4f61 100644
--- a/options/locale/locale_uk-UA.ini
+++ b/options/locale/locale_uk-UA.ini
@@ -298,7 +298,7 @@ openid_signin.description=Увімкнути вхід за допомогою Op
 openid_signup=Увімкнути самостійну реєстрацію за допомогою OpenID
 openid_signup.description=Увімкнути самореєстрацію користувачів тільки через OpenID.
 enable_captcha=Увімкнути CAPTCHA при реєстрації
-enable_captcha.description=Вимагати перевірку CAPTCHA для створення облікових записів.
+enable_captcha.description=Вимагати перевірки CAPTCHA для створення облікових записів.
 require_sign_in_view=Вимагати авторизації для перегляду вмісту екземпляра
 admin_setting.description=Створювати обліковий запис адміністратора необов’язково. Перший зареєстрований користувач автоматично стає адміністратором.
 admin_title=Налаштування облікового запису адміністратора
@@ -391,7 +391,7 @@ active_your_account=Активація облікового запису
 account_activated=Обліковий запис активовано
 prohibit_login=Обліковий запис призупинено
 resent_limit_prompt=Нещодавно ви вже запросили активацію по електронній пошті. Будь ласка, зачекайте 3 хвилини, а потім спробуйте ще раз.
-has_unconfirmed_mail=Привіт, %s! У вас є непідтверджена електронна адреса (<b>%s </b>). Якщо ви не отримали електронний лист із підтвердженням або вам потрібно надіслати новий, натисніть на кнопку нижче.
+has_unconfirmed_mail=Привіт, %s! У вас є непідтверджена електронна адреса (<b>%s</b>). Якщо ви не отримали електронний лист із підтвердженням або вам потрібно надіслати новий, натисніть на кнопку нижче.
 resend_mail=Натисніть тут, щоб вислати лист активації знову
 send_reset_mail=Надіслати листа для відновлення
 reset_password=Відновлення облікового запису
@@ -770,7 +770,7 @@ manage_gpg_keys=Керування ключами GPG
 add_key=Додати ключ
 ssh_desc=Ці відкриті ключі SSH пов’язані з вашим обліковим записом. Відповідні приватні ключі дозволяють отримати повний доступ до ваших репозиторіїв. Підтверджені ключі можна використати для підтвердження комітів Git, підписаних із SSH.
 principal_desc=Ці принципали SSH-сертифікатів пов’язані з вашим обліковим записом і надають повний доступ до ваших репозиторіїв.
-gpg_desc=Ці відкриті ключі GPG пов’язані з вашим обліковим записом і використовуються для підтвердження комітів. Тримайте свої приватні ключі в безпеці, оскільки вони дозволяють підписувати коміти вашим особистим підписом.
+gpg_desc=Ці відкриті ключі GPG пов’язані з вашим обліковим записом і використовуються для підтвердження комітів. Тримайте відповідні приватні ключі в безпеці, оскільки саме вони дозволяють підписувати коміти від вашого імені.
 ssh_helper=<strong>Потрібна допомога?</strong> Перегляньте посібник із <a href="%s">генерації ключів SSH</a> або виправлення <a href="%s">типових неполадок SSH</a>.
 gpg_helper=<strong>Потрібна допомога?</strong> Перегляньте посібник <a href="%s">про GPG</a>.
 key_content_ssh_placeholder=Починається з «ssh-ed25519», «ssh-rsa», «ecdsa-sha2-nistp256», «ecdsa-sha2-nistp384», «ecdsa-sha2-nistp521», «sk-ecdsa-sha2-nistp256@openssh.com» або «sk-ssh-ed25519@openssh.com»
@@ -781,7 +781,7 @@ ssh_key_name_used=Ключ SSH із такою назвою вже існує у
 ssh_principal_been_used=Цей принципал уже доданий на сервер.
 gpg_key_id_used=Відкритий ключ GPG з таким ідентифікатором уже існує.
 gpg_no_key_email_found=Цей ключ GPG не відповідає жодній активованій поштовій адресі, яка пов’язана з вашим обліковим записом. Його все одно можна додати, якщо ви підпишете наданий токен.
-gpg_key_matched_identities=Відповідні отримувачі:
+gpg_key_matched_identities=Відповідні ідентифікатори:
 gpg_key_matched_identities_long=Вбудовані ідентифікатори цього ключа збігаються з такими активованими адресами електронної пошти користувач_ки. Коміти, які відповідають цим адресам, можуть бути підтверджені цим ключем.
 gpg_key_verified=Перевірений ключ
 gpg_key_verified_long=Ключ перевірений за допомогою токена і може підтверджувати коміти з будь-яких активованих адрес електронної пошти користувач_ки на додачу до будь-яких відповідних ідентифікаторів цього ключа.
@@ -985,7 +985,7 @@ keep_pronouns_private.description = Ваші займенники не буде
 hidden_comment_types.ref_tooltip = Коментарі, в яких на цю задачу послалися з іншої задачі, коміту тощо
 hidden_comment_types.issue_ref_tooltip = Коментарі, в яких користувач_ка змінює гілку чи тег, пов’язані з задачею
 comment_type_group_review_request = Запит на відгук
-access_token_desc = При обраних для токена дозволах будуть авторизовані лише відповідні <a href="%[1]s" target="_blank">API</a>-роути. Докладніше в <a href="%[2]s" target="_blank">документації</a>.
+access_token_desc = При обраних для токена дозволах будуть авторизовані лише відповідні <a href="%[1]s" target="_blank">API</a>-роути. Докладніше — в <a href="%[2]s" target="_blank">документації</a>.
 update_oauth2_application_success = Програму OAuth2 успішно оновлено.
 oauth2_client_secret_hint = Ключ більше не буде показано після закриття чи оновлення сторінки. Обов'язково його збережіть.
 oauth2_application_remove_description = Видалена програма OAuth2 не зможе доступатись авторизованих користувацьких облікових записів на цьому сервері. Продовжити?
@@ -1131,7 +1131,7 @@ migrate.clone_address=Перенести / клонувати з URL-адрес
 migrate.clone_address_desc=URL-адреса HTTP(S) або Git «clone» існуючого репозиторію
 migrate.clone_local_path=або шлях до локального сервера
 migrate.permission_denied=Вам не дозволено імпортувати локальні репозиторії.
-migrate.permission_denied_blocked=Ви не можете імпортувати з заборонених вузлів. Будь ласка, попросіть адміністраторів перевірити налаштування ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS.
+migrate.permission_denied_blocked=Ви не можете імпортувати із заборонених хостів. Будь ласка, попросіть адміністраторів перевірити налаштування ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS.
 migrate.invalid_lfs_endpoint=Помилкова кінцева точка LFS.
 migrate.failed=Перенесення не вдалося: %v
 migrate.migrate_items_options=Для перенесення додаткових елементів потрібен токен доступу
@@ -1341,7 +1341,7 @@ issues.add_milestone_at=`додає до етапу <b>%s</b> %s`
 issues.add_project_at=`додає до проєкту <b>%s</b> %s`
 issues.change_milestone_at=`змінює етап з <b>%s</b> на <b>%s</b> %s`
 issues.change_project_at=`змінює проєкт із <b>%s</b> на <b>%s</b> %s`
-issues.remove_milestone_at=`видаляє з етапу<b>%s</b> %s`
+issues.remove_milestone_at=`видаляє з етапу <b>%s</b> %s`
 issues.remove_project_at=`видаляє з проєкту <b>%s</b> %s`
 issues.deleted_milestone=`(видалено)`
 issues.deleted_project=`(видалено)`
@@ -1595,7 +1595,7 @@ pulls.required_status_check_failed=Деякі необхідні перевір
 pulls.required_status_check_missing=Декілька з необхідних перевірок відсутні.
 pulls.required_status_check_administrator=Як адміністратор ви все одно можете об’єднати цей запит на злиття.
 pulls.can_auto_merge_desc=Цей запит можна об’єднати автоматично.
-pulls.cannot_auto_merge_desc=Цей запит на злиття не може бути злитий автоматично через конфлікти.
+pulls.cannot_auto_merge_desc=Цей запит на злиття неможливо злити автоматично через конфлікти.
 pulls.cannot_auto_merge_helper=Злийте вручну для вирішення конфліктів.
 pulls.num_conflicting_files_1=%d конфліктний файл
 pulls.num_conflicting_files_n=%d конфліктних файлів
@@ -1819,15 +1819,15 @@ settings.admin_enable_close_issues_via_commit_in_any_branch=Закрити за
 settings.danger_zone=Небезпечна зона
 settings.new_owner_has_same_repo=Новий власник уже має репозиторій з такою назвою. Будь ласка, виберіть іншу назву.
 settings.convert=Перетворити на звичайний репозиторій
-settings.convert_desc=Ви можете сконвертувати це дзеркало у звичайний репозиторій. Це не може бути скасовано.
-settings.convert_notices_1=Ця операція перетворить дзеркало у звичайний репозиторій і не може бути скасована.
+settings.convert_desc=Ви можете перетворити це дзеркало на звичайний репозиторій. Цю дію неможливо скасувати.
+settings.convert_notices_1=Ця операція перетворить дзеркало на звичайний репозиторій і не може бути скасована.
 settings.convert_confirm=Перетворити репозиторій
-settings.convert_succeed=Репозиторій успішно перетворений в звичайний.
+settings.convert_succeed=Репозиторій успішно перетворено на звичайний.
 settings.convert_fork=Перетворити на звичайний репозиторій
 settings.convert_fork_desc=Ви можете перетворити цей форк на звичайний репозиторій. Цю дію неможливо скасувати.
-settings.convert_fork_notices_1=Ця операція перетворить форк на звичайний репозиторій та не може бути скасованою.
+settings.convert_fork_notices_1=Ця операція перетворить форк на звичайний репозиторій і не може бути скасована.
 settings.convert_fork_confirm=Перетворити репозиторій
-settings.convert_fork_succeed=Цей форк успішно перетворено на звичайний репозиторій.
+settings.convert_fork_succeed=Форк успішно перетворено на звичайний репозиторій.
 settings.transfer.title=Передати новому власнику
 settings.transfer.rejected=Передачу репозиторію відхилено.
 settings.transfer.success=Передача репозиторію відбулася успішно.
@@ -2009,7 +2009,7 @@ settings.protect_approvals_whitelist_users=Білий список реценз
 settings.protect_approvals_whitelist_teams=Білий список команд рецензентів
 settings.dismiss_stale_approvals=Відхилити застарілі схвалення
 settings.dismiss_stale_approvals_desc=Коли нові коміти, що змінюють вміст запиту на злиття, надсилаються в гілку, старі схвалення будуть відхилені.
-settings.require_signed_commits=Вимагати підпис комітів
+settings.require_signed_commits=Вимагати підпису комітів
 settings.require_signed_commits_desc=Відхиляти push до цієї гілки, якщо вони не підписані або підпис неможливо перевірити.
 settings.protected_branch_deletion=Вимкнути захист гілки
 settings.protected_branch_deletion_desc=Будь-який користувач із дозволом на запис зможе виконувати push в цю гілку. Продовжити?
@@ -3334,7 +3334,7 @@ config_summary = Підсумок
 monitor.queue.review_add = Переглянути / додати обробники
 monitor.queue.activeworkers = Активні обробники
 monitor.queue.numberinqueue = Номер у черзі
-monitor.queue.settings.desc = Пули динамічно зростають у відповідь на блокування їхніх черг обробників.
+monitor.queue.settings.desc = Пули динамічно зростають у відповідь на блокування черг їхніх обробників.
 monitor.queue.settings.remove_all_items_done = Усі елементи в черзі видалено.
 monitor.queue.settings.remove_all_items = Видалити всі
 config.app_slogan = Гасло екземпляра
@@ -3402,7 +3402,7 @@ auths.oauth2_required_claim_value_helper = Вкажіть значення, що
 auths.oauth2_group_claim_name = Назва заявки, що надає назви груп для цього джерела. (Необов’язково)
 auths.oauth2_restricted_group = Значення групової заявки для обмежених користувачів. (Необов’язково — потрібна назва заявки вище)
 users.local_import.description = Дозволити імпорт репозиторіїв з локальної файлової системи сервера. Це може становити загрозу безпеці.
-identity_access = Особистість та доступ
+identity_access = Ідентифікація і доступ
 users.activated.description = Завершення перевірки електронної пошти. Власник неактивованого облікового запису не зможе ввійти, допоки не підтвердить свою адресу електронної пошти.
 users.block.description = Заборонити цьому користувачу користуватися цим сервісом через їх обліковий запис та заборонити вхід до їхнього облікового запису.
 users.admin.description = Надати цьому користувачу доступ до всіх адміністративних функцій через інтерфейс та API.
diff --git a/options/locale/locale_zh-CN.ini b/options/locale/locale_zh-CN.ini
index d292f171df..87087e3d20 100644
--- a/options/locale/locale_zh-CN.ini
+++ b/options/locale/locale_zh-CN.ini
@@ -1445,12 +1445,12 @@ issues.label_templates.info=还没有任何标签。您可以使用“创建标
 issues.label_templates.helper=选择标签模板
 issues.label_templates.use=使用标签集
 issues.label_templates.fail_to_load_file=加载标签模板文件%s时发生错误：%v
-issues.add_label=于%[2]s添加了标签%[1]s
-issues.add_labels=于%s添加%s标签
-issues.remove_label=于%[2]s删除了标签%[1]s
-issues.remove_labels=于%[2]s删除了标签%[1]s
-issues.add_remove_labels=于%[3]s添加了标签%[1]s，删除了标签%[2]s
-issues.add_milestone_at=于%[2]s添加了里程碑<b>%[1]s</b>
+issues.add_label=添加了标签%[1]s %[2]s
+issues.add_labels=添加了%s标签 %s
+issues.remove_label=删除了标签%[1]s %[2]s
+issues.remove_labels=删除了标签%[1]s %[2]s
+issues.add_remove_labels=添加了标签%[1]s，删除了标签%[2]s %[3]s
+issues.add_milestone_at=添加了里程碑<b>%[1]s</b> %[2]s
 issues.add_project_at=将此添加到<b>%s</b>项目%s
 issues.change_milestone_at=%[3]s修改了里程碑从<b>%[1]s</b>到<b>%[2]s</b>
 issues.change_project_at=修改项目从<b>%s</b>到<b>%s</b> %s
@@ -1458,15 +1458,15 @@ issues.remove_milestone_at=%[2]s删除了里程碑<b>%[1]s</b>
 issues.remove_project_at=从<b>%s</b>项目%s中删除
 issues.deleted_milestone=（已删除）
 issues.deleted_project=（已删除）
-issues.self_assign_at=于%s指派给自己
-issues.add_assignee_at=于%[2]s被<b>%[1]s</b>指派
+issues.self_assign_at=指派给了自己 %s
+issues.add_assignee_at=得到了<b>%[1]s</b>的指派 %[2]s
 issues.remove_assignee_at=<b>%s</b>取消了指派在%s
-issues.remove_self_assignment=于%s取消了指派
-issues.change_title_at=于%[3]s修改标题<b><strike>%[1]s</strike></b>为<b>%[2]s</b>
+issues.remove_self_assignment=取消了给自己的指派 %s
+issues.change_title_at=修改标题<b><strike>%[1]s</strike></b>为<b>%[2]s</b> %[3]s
 issues.change_ref_at=将引用从<b><strike>%s</strike></b>更改为了<b>%s</b> %s
 issues.remove_ref_at=删除了引用<b>%s</b> %s
 issues.add_ref_at=添加了引用<b>%s</b> %s
-issues.delete_branch_at=于%[2]s删除了分支<b>%[1]s</b>
+issues.delete_branch_at=删除了分支<b>%[1]s</b> %[2]s
 issues.filter_label=标签
 issues.filter_label_exclude=使用 <kbd>Alt</kbd> + <kbd>单击</kbd> 排除标签
 issues.filter_label_no_select=所有标签
@@ -1513,11 +1513,11 @@ issues.action_assignee=指派人筛选
 issues.action_assignee_no_select=未指派
 issues.action_check=选中/取消选中
 issues.action_check_all=选中/取消选中所有项目
-issues.opened_by=由<a href="%[2]s">%[3]s</a>创建于%[1]s
+issues.opened_by=由<a href="%[2]s">%[3]s</a>在%[1]s创建
 pulls.merged_by=由<a href="%[2]s">%[3]s</a>创建，合并于%[1]s
 pulls.merged_by_fake=由%[2]s创建，合并于%[1]s
 issues.closed_by=由<a href="%[2]s">%[3]s</a>创建，被关闭于%[1]s
-issues.opened_by_fake=由%[2]s于%[1]s打开
+issues.opened_by_fake=由%[2]s在%[1]s打开
 issues.closed_by_fake=由%[2]s创建，被关闭于%[1]s
 issues.previous=上一页
 issues.next=下一页
@@ -1542,12 +1542,12 @@ issues.reopen_issue=重新开放
 issues.reopen_comment_issue=重新打开并评论
 issues.create_comment=评论
 issues.closed_at=关闭了此议题%s
-issues.reopened_at=于%s重新打开了此议题
-issues.commit_ref_at=于%s从提交中引用了此议题
-issues.ref_issue_from=于%[1]s <a href="%[2]s">引用了此议题%[3]s</a>
+issues.reopened_at=重新打开了此议题 %s
+issues.commit_ref_at=从提交中引用了此议题 %s
+issues.ref_issue_from=<a href="%[2]s">引用了此议题%[3]s</a> %[1]s
 issues.ref_pull_from=<a href="%[2]s">引用了此合并请求%[3]s</a> %[1]s
-issues.ref_closing_from=于%[1]s <a href="%[2]s">从合并请求%[3]s引用了此议题，将关闭此议题</a>
-issues.ref_reopening_from=于%[1]s <a href="%[2]s">从合并请求%[3]s引用了此议题，将重新打开此议题</a>
+issues.ref_closing_from=a href="%[2]s">从合并请求%[3]s引用了此议题，该合并请求会关闭此议题</a> %[1]s
+issues.ref_reopening_from=<a href="%[2]s">从合并请求%[3]s引用了此议题，该合并请求会重新打开此议题</a> %[1]s
 issues.ref_from=来自%[1]s
 issues.author=作者
 issues.role.owner=所有者
@@ -1598,16 +1598,16 @@ issues.subscribe=订阅
 issues.unsubscribe=取消订阅
 issues.unpin_issue=取消置顶
 issues.max_pinned=您不能置顶更多议题
-issues.pin_comment=于%s置顶本议题
-issues.unpin_comment=于%s取消置顶本议题
+issues.pin_comment=置顶了本议题 %s
+issues.unpin_comment=取消了置顶本议题 %s
 issues.lock=锁定对话
 issues.unlock=解锁对话
 issues.lock.unknown_reason=由于未知原因无法锁定。
 issues.lock_duplicate=一个议题不能被锁定两次。
 issues.unlock_error=无法解锁一个未锁定的议题。
-issues.lock_with_reason=于%[2]s以<strong>%[1]s</strong>锁定本议题，并限制仅限协作者发言
-issues.lock_no_reason=于%s锁定本议题并限制仅协作者可发言
-issues.unlock_comment=于%s解锁此议题
+issues.lock_with_reason=因为<strong>%[1]s</strong>而锁定了本议题，并限制仅限协作者发言 %[2]s
+issues.lock_no_reason=锁定了本议题，并限制仅协作者可发言 %s
+issues.unlock_comment=解锁了此议题 %s
 issues.lock_confirm=锁定
 issues.unlock_confirm=解锁
 issues.lock.notice_1=-其他用户不能评论此议题。
@@ -1644,17 +1644,17 @@ issues.add_time_sum_to_small=没有输入时间。
 issues.time_spent_total=总用时
 issues.time_spent_from_all_authors=总花费时间：%s
 issues.due_date=到期时间
-issues.push_commit_1=于%[2]s推送了%[1]d个提交
-issues.push_commits_n=于%[2]s推送了%[1]d个提交
-issues.force_push_codes=于%[6]s强制推送了%[1]s，从<a class="%[7]s" href="%[3]s"><code>%[2]s</code></a>%[8]s至<a class="%[7]s" href="%[5]s"><code>%[4]s</code></a>%[9]s
+issues.push_commit_1=推送了%[1]d个提交 %[2]s
+issues.push_commits_n=推送了%[1]d个提交 %[2]s
+issues.force_push_codes=强制推送了%[1]s，从<a class="%[7]s" href="%[3]s"><code>%[2]s</code></a>%[8]s至<a class="%[7]s" href="%[5]s"><code>%[4]s</code></a>%[9]s %[6]s
 issues.force_push_compare=比较
 issues.due_date_form=yyyy年mm月dd日
 issues.due_date_form_edit=编辑
 issues.due_date_form_remove=删除
 issues.due_date_not_set=未设置到期时间。
-issues.due_date_added=于%[2]s设置到期时间为%[1]s
-issues.due_date_modified=于%[3]s将到期日从%[2]s修改为%[1]s
-issues.due_date_remove=于%[2]s删除了到期时间%[1]s
+issues.due_date_added=设置到期时间为%[1]s %[2]s
+issues.due_date_modified=将到期日从%[2]s修改为%[1]s %[3]s
+issues.due_date_remove=删除了到期时间%[1]s %[2]s
 issues.due_date_overdue=超期
 issues.due_date_invalid=到期日期无效或超出范围。请使用“yyyy-mm-dd”格式。
 issues.dependency.title=依赖议题
@@ -1690,17 +1690,17 @@ issues.dependency.add_error_cannot_create_circular=您不能创建依赖，使
 issues.dependency.add_error_dep_not_same_repo=这两个议题必须在同一仓库。
 issues.review.self.approval=您不能批准您自己的合并请求。
 issues.review.self.rejection=您不能请求对您自己的合并请求进行更改。
-issues.review.approve=于%s批准此合并请求
-issues.review.comment=评审于%s
-issues.review.dismissed=于%[2]s取消了%[1]s的评审
+issues.review.approve=批准了此合并请求 %s
+issues.review.comment=完成评审 %s
+issues.review.dismissed=取消了%[1]s的评审 %[2]s
 issues.review.dismissed_label=已取消
 issues.review.left_comment=留下了一条评论
 issues.review.content.empty=您需要留下一个注释，表明需要的更改。
-issues.review.reject=于%s请求更改
+issues.review.reject=请求更改 %s
 issues.review.wait=于 %s 请求评审
-issues.review.add_review_request=于%[2]s请求%[1]s评审
-issues.review.remove_review_request=于%[2]s取消对%[1]s的评审请求
-issues.review.remove_review_request_self=于%s拒绝评审
+issues.review.add_review_request=请求%[1]s评审 %[2]s
+issues.review.remove_review_request=取消对%[1]s的评审请求 %[2]s
+issues.review.remove_review_request_self=拒绝评审 %s
 issues.review.pending=待定
 issues.review.pending.tooltip=此评论目前对其他用户不可见。若要提交您的待定评论，请在页面顶部选择%s -> %s/%s/%s。
 issues.review.reviewers=评审人
@@ -1841,8 +1841,8 @@ pulls.update_branch_success=分支更新成功
 pulls.update_not_allowed=您无权更新分支
 pulls.outdated_with_base_branch=此分支相比基础分支已过期
 pulls.close=关闭
-pulls.closed_at=于%s关闭了此合并请求
-pulls.reopened_at=于%s重新打开了此合并请求
+pulls.closed_at=关闭了此合并请求 %s
+pulls.reopened_at=重新打开了此合并请求 %s
 pulls.cmd_instruction_hint=查看命令行说明
 pulls.cmd_instruction_checkout_title=检出
 pulls.cmd_instruction_checkout_desc=从你的仓库中检出一个新的分支并测试变更。
@@ -2386,7 +2386,7 @@ settings.matrix.room_id=房间ID
 settings.matrix.message_type=消息类型
 settings.archive.button=存档仓库
 settings.archive.header=存档此仓库
-settings.archive.text=存档仓库将使其完全只读。它将在首页隐藏。没有人（甚至包括你！）能够进行新的提交，或打开议题及合并请求。建议记载存档的原因以便引导未来计划从本仓库派生新仓库的开发者。
+settings.archive.text=存档后，仓库将变为完全只读并从首页隐藏。没有人能够推送新的提交（你也不能！）、打开议题及合并请求。建议记录存档的原因，以便引导未来计划从派生本仓库的开发者。
 settings.archive.success=仓库已成功存档。
 settings.archive.error=仓库在存档时出现异常。请通过日志获取详细信息。
 settings.archive.error_ismirror=不能存档镜像仓库。
@@ -2604,7 +2604,7 @@ settings.wiki_rename_branch_main = 标准化百科分支名称
 settings.wiki_rename_branch_main_notices_1 = 此操作<strong>无法</strong>撤消。
 settings.wiki_branch_rename_success = 百科仓库的分支名称已成功规范化。
 settings.confirm_wiki_branch_rename = 重命名百科分支
-pulls.commit_ref_at = 于%s从提交中引用了此合并请求
+pulls.commit_ref_at = 从提交中引用了此合并请求 %s
 settings.wiki_rename_branch_main_notices_2 = 这将永久重命名%s的仓库百科的内部分支。现存的检出方式需要更新。
 settings.wiki_branch_rename_failure = 无法标准化仓库百科的分支名称。
 settings.add_collaborator_blocked_our = 因仓库所有者已将其拉黑，不能添加该用户为协作者。
@@ -2691,9 +2691,9 @@ mirror_use_ssh.not_available = SSH验证不可用。
 issues.new.assign_to_me = 指派给我
 issues.all_title = 全部
 settings.discord_icon_url.exceeds_max_length = 图标URL必须小于或等于2048个字符
-issues.review.remove_review_requests = 于%[2]s取消对%[1]s的评审请求
-issues.review.add_review_requests = 于%[2]s请求%[1]s评审
-issues.review.add_remove_review_requests = 于%[3]s请求%[1]s评审，并取消对%[2]s的评审请求
+issues.review.remove_review_requests = 取消对%[1]s的评审请求 %[2]s
+issues.review.add_review_requests = 请求%[1]s评审 %[2]s
+issues.review.add_remove_review_requests = 请求%[1]s评审，并取消了对%[2]s的评审请求 %[3]s
 pulls.delete_after_merge.head_branch.is_protected = 您要删除的头部分支是受保护的分支，无法删除。
 pulls.delete_after_merge.head_branch.insufficient_branch = 您没有权限删除头部分支。
 pulls.delete_after_merge.head_branch.is_default = 您要删除的头部分支是默认分支，无法删除。
diff --git a/options/locale_next/locale_ca.json b/options/locale_next/locale_ca.json
index 989e404f46..faf20f2864 100644
--- a/options/locale_next/locale_ca.json
+++ b/options/locale_next/locale_ca.json
@@ -1,19 +1,23 @@
 {
 	"counters.n_commits": {
 		"one": "%s commit",
-		"other": "%s commits"
+		"many": "%s commits",
+		"other": ""
 	},
 	"counters.n_branches": {
 		"one": "Branca %s",
-		"other": "Branques %s"
+		"many": "Branques %s",
+		"other": ""
 	},
 	"counters.n_tags": {
 		"one": "Etiqueta %s",
-		"other": "Etiquetes %s"
+		"many": "Etiquetes %s",
+		"other": ""
 	},
 	"counters.n_releases": {
 		"one": "Publicació %s",
-		"other": "Publicacions %s"
+		"many": "Publicacions %s",
+		"other": ""
 	},
 	"fork.n_forks": {
 		"one": "%s fork",
@@ -335,5 +339,100 @@
 	"packages.about": "Sobre aquest paquet",
 	"packages.requirements": "Requisits",
 	"packages.dependencies": "Dependències",
-	"packages.keywords": "Paraules clau"
+	"packages.keywords": "Paraules clau",
+	"migrate.select.title": "Migra el repositori",
+	"install.ssh_authorized_keys_unexpected_key": "Activar l'SSH a Forgejo entra en conflicte amb el fitxer localitzat a %s que ja conté claus SSH. Consell: useu un usuari de sistema dedicat per a Forgejo, o bé desactiveu l'SSH.",
+	"admin.federation.federation": "Federació",
+	"admin.federation.hosts": "Amfitrions",
+	"admin.federation.hosts.title": "Amfitrions de federació",
+	"admin.federation.hosts.manage_panel": "Gestiona els amfitrions de la federació",
+	"admin.federation.hosts.details_panel": "Detalls de l'amfitrió de la federació",
+	"admin.federation.hosts.show_details": "Mostra els detalls de l'amfitrió",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Esquema",
+	"admin.federation.host.port": "Port",
+	"admin.federation.host.software_name": "Programari",
+	"admin.federation.host.created": "Creat",
+	"admin.federation.host.updated": "Actualitzat",
+	"admin.federation.host.latest_activity": "Darrera activitat",
+	"admin.federation.users": "Usuaris",
+	"admin.federation.users.title": "Usuaris federats",
+	"admin.federation.users.manage_panel": "Gestiona usuaris federats",
+	"admin.federation.users.show_local_user": "Mostra detalls de l'usuari local",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "ID de l'usuari local",
+	"admin.federation.user.external_id": "ID de l'usuari extern",
+	"admin.federation.user.inbox_path": "Camí de la safata d'entrada",
+	"admin.config.federation": "Configuració de la federació",
+	"admin.config.federation.enabled": "Actiu",
+	"admin.config.federation.share_user_statistics": "Comparteix les estadístiques d'usuari amb altres amfitrions",
+	"admin.config.federation.max_size": "Mida màxima de resposta permesa",
+	"admin.config.federation.signature_enforced": "Requereix signatures HTTP",
+	"admin.config.federation.signature_algorithms": "Algoritmes de signatura",
+	"admin.config.federation.get_headers": "Capçaleres GET signades",
+	"admin.config.federation.post_headers": "Capçaleres POST signades",
+	"moderation.users.cannot_suspend_self": "No podeu suspendre-us.",
+	"settings.new_access_token": "Nou testimoni d'accés",
+	"settings.permissions_access_specific_repositories": "Repositoris específics",
+	"settings.access_token.selected_repositories": {
+		"one": "Repositori seleccionat (%d)",
+		"many": "Repositoris seleccionats (%d)",
+		"other": "Repositoris seleccionats (%d)"
+	},
+	"settings.access_token.available_repositories": "Repositoris disponibles",
+	"settings.access_token.no_repositories_selected": "No s'ha seleccionat cap repositori.",
+	"settings.access_token.no_repositories_found": "No s'ha trobat cap repositori.",
+	"settings.access_token.remove": "Elimina %s",
+	"settings.access_token.resource_all_help": "Permet l'accés a tots els recursos.",
+	"settings.access_token.resource_public_only_help": "Limita l'accés als repositoris i organitzacions públics.",
+	"settings.access_token.resource_specific_repo_help": "Limita l'accés a una llista específica de repositoris. L'accés de només-lectura es permet a tots els repositoris públics. Només es poden habilitar els permisos que permeten l'accés a repositoris i incidències.",
+	"settings.access_token.admin_disabled": "Els permisos d'administració estan deshabilitats.",
+	"user.activitypub_feed.no_activity": "Sense activitat al fedivers",
+	"user.activitypub_feed.posted_on": "Publicat a %[1]s",
+	"user.activitypub_feed.original_source": "Font original",
+	"gpg.error.probable_bad_default_signature": "COMPTE! Malgrat la clau per defecte té aquesta ID, no verifica aquest commit! Aquest commit és SOSPITÓS.",
+	"notification.notifications": "Notificacions",
+	"notification.unread": "Sense llegir",
+	"notification.read": "Llegides",
+	"notification.no_unread": "No hi ha notificacions sense llegir.",
+	"notification.no_read": "No hi ha notificacions llegides.",
+	"notification.mark_as_read": "Marca com a llegida",
+	"notification.mark_as_unread": "Marca com a no llegida",
+	"packages.details": "Detalls",
+	"packages.details.author": "Autor",
+	"packages.details.project_site": "Pàgina web del projecte",
+	"packages.details.repository_site": "Pàgina web del repositori",
+	"packages.details.documentation_site": "Pàgina web de documentació",
+	"packages.details.license": "Llicència",
+	"packages.versions": "Versions",
+	"packages.versions.view_all": "Veure-ho tot",
+	"packages.dependency.id": "ID",
+	"packages.search_in_external_registry": "Cerca a %s",
+	"packages.common.install": "Per instal·lar un paquet, executa la següent comanda:",
+	"packages.common.registry": "Configura aquest registre des de la línia de comandes:",
+	"packages.common.repository": "Informació del repositori",
+	"packages.alpine.repository.branches": "Branques",
+	"packages.arch.pacman.helper.gpg": "Afegiu un certificat de confiança pel pacman:",
+	"packages.arch.pacman.repo.multi": "%s té la mateix versió en diferents distribucions.",
+	"packages.arch.pacman.repo.multi.item": "Configuració per a %s",
+	"packages.arch.pacman.sync": "Sincronitzeu el paquet amb el pacman:",
+	"packages.arch.version.properties": "Característiques de la versió",
+	"packages.arch.version.provides": "Proveeix",
+	"packages.arch.version.groups": "Grup",
+	"packages.arch.version.optdepends": "Dependències opcionals",
+	"packages.arch.version.conflicts": "Conflictes",
+	"packages.arch.version.replaces": "Reemplaça",
+	"packages.arch.version.backup": "Còpia de seguretat",
+	"packages.container.images.title": "Imatges",
+	"packages.container.details.type": "Tipus d'imatge",
+	"packages.container.details.platform": "Plataforma",
+	"packages.container.pull": "Baixeu la imatge des de la línia de comandes:",
+	"packages.container.multi_arch": "SO / Arquitectura",
+	"packages.container.labels.key": "Clau",
+	"packages.container.labels.value": "Valor",
+	"packages.debian.repository.distributions": "Distribucions",
+	"packages.debian.repository.components": "Components",
+	"packages.generic.download": "Baixeu el paquet des de la línia de comandes:",
+	"packages.go.install": "Instal·leu el paquet des de la línia de comandes:"
 }
diff --git a/options/locale_next/locale_cs-CZ.json b/options/locale_next/locale_cs-CZ.json
index 7acc2453d8..05f501b5cd 100644
--- a/options/locale_next/locale_cs-CZ.json
+++ b/options/locale_next/locale_cs-CZ.json
@@ -1,18 +1,22 @@
 {
 	"counters.n_commits": {
 		"one": "%s revize",
+		"few": "%s revize",
 		"other": "%s revizí"
 	},
 	"counters.n_branches": {
 		"one": "%s větev",
+		"few": "%s větve",
 		"other": "%s větví"
 	},
 	"counters.n_tags": {
 		"one": "%s značka",
+		"few": "%s značky",
 		"other": "%s značek"
 	},
 	"counters.n_releases": {
 		"one": "%s vydání",
+		"few": "%s vydání",
 		"other": "%s vydání"
 	},
 	"gpg.default_key": "Podepsáno výchozím klíčem",
@@ -356,7 +360,7 @@
 	"migrate.items.labels": "Štítky",
 	"migrate.items.issues": "Problémy",
 	"migrate.items.pull_requests": "Žádosti o sloučení",
-	"migrate.items.merge_requests": "Sloučit žádosti",
+	"migrate.items.merge_requests": "Žádosti o sloučení",
 	"migrate.items.releases": "Vydání",
 	"migrate.in_progress.git": "Migrace dat z Gitu",
 	"migrate.in_progress.topics": "Migrace témat",
@@ -599,7 +603,7 @@
 	"actions.runners.runner_setup.program_options_snippet_aria": "Jak spustit forgejo-runner",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "Nahraďte název spojení (<code>forgejo</code> v příkladu) vlastní hodnotou.",
 	"actions.runners.runner_setup.heading_using_options": "Používám možnosti programu",
-	"actions.runners.runner_setup.instruction_advanced_configurations": "Pro nastavení runneru Forgejo běžícího v kontejnerech nebo pokročilých konfiguracích si přečtěte <a href=\"https://TO-BE-REPLACED.COM\">dokumentaci</a>.",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Pro nastavení runneru Forgejo běžícího v kontejnerech nebo pokročilých konfiguracích si přečtěte <a href=\"%s\">dokumentaci</a>.",
 	"actions.runners.reset_registration_token.token": "Registrační token (zastaralý)",
 	"form.RunnerName": "Název",
 	"actions.runners.task_list_repo": "Nedávné úlohy tohoto repozitáře na tomto runneru",
@@ -635,5 +639,47 @@
 	"members.add_member": "Přidat člena",
 	"members.user": "Uživatel",
 	"members.user_already_member": "Tento uživatel již je členem organizace.",
-	"members.no_team_selected": "Členové organizace musí patřit do alespoň jednoho týmu."
+	"members.no_team_selected": "Členové organizace musí patřit do alespoň jednoho týmu.",
+	"migrate.select.title": "Migrovat repozitář",
+	"admin.federation.federation": "Federace",
+	"admin.federation.hosts": "Hostitelé",
+	"admin.federation.hosts.title": "Hostitelé federace",
+	"admin.federation.hosts.manage_panel": "Spravovat hostitele federace",
+	"admin.federation.hosts.details_panel": "Podrobnosti o hostiteli federace",
+	"admin.federation.hosts.show_details": "Zobrazit podrobnosti o hostiteli",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Schéma",
+	"admin.federation.host.port": "Port",
+	"admin.federation.host.software_name": "Software",
+	"admin.federation.host.created": "Vytvořeno",
+	"admin.federation.host.updated": "Aktualizováno",
+	"admin.federation.host.latest_activity": "Poslední aktivita",
+	"admin.federation.users": "Uživatelé",
+	"admin.federation.users.title": "Federovaní uživatelé",
+	"admin.federation.users.manage_panel": "Spravovat federované uživatele",
+	"admin.federation.users.show_local_user": "Zobrazit podrobnosti o místním uživateli",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "ID místního uživatele",
+	"admin.federation.user.external_id": "ID externího uživatele",
+	"admin.federation.user.inbox_path": "Cesta ke schránce",
+	"admin.config.federation": "Nastavení federace",
+	"admin.config.federation.enabled": "Povolena",
+	"admin.config.federation.share_user_statistics": "Sdílet statistiky uživatelů s ostatními hostiteli",
+	"admin.config.federation.max_size": "Maximální povolená velikost odpovědi",
+	"admin.config.federation.signature_enforced": "Vyžadovat HTTP podpisy",
+	"admin.config.federation.signature_algorithms": "Algoritmy podpisu",
+	"admin.config.federation.digest_algorithm": "Algoritmus výpočtu kontrolního součtu podpisu",
+	"admin.config.federation.get_headers": "Podepsané hlavičky GET",
+	"admin.config.federation.post_headers": "Podepsané hlavičky POST",
+	"actions.runners.version": "Verze",
+	"actions.workflow.unknown_job_in_needs": "Úloha s ID %[1]s odkazuje na neznámé úlohy v `needs`: %[2]s.",
+	"actions.workflow.rerun_impossible": "Workflow nelze znovu spustit.",
+	"actions.workflow.job_rerun_impossible": "Úlohu nelze znovu spustit.",
+	"user.activitypub_feed.feed": "Kanál Fediverse",
+	"user.activitypub_feed.no_activity": "Žádná aktivita ve Fediverse",
+	"user.activitypub_feed.is_empty": "Váš kanál Fediverse je prázdný.",
+	"user.activitypub_feed.hint": "Tento kanál zobrazuje aktivity z účtů Fediverse, které sledujete, a z federovaných příspěvků, které vás zmínily.",
+	"user.activitypub_feed.posted_on": "Zveřejněno na %[1]s",
+	"user.activitypub_feed.original_source": "Původní zdroj"
 }
diff --git a/options/locale_next/locale_de-DE.json b/options/locale_next/locale_de-DE.json
index af1132e371..45d8e5b233 100644
--- a/options/locale_next/locale_de-DE.json
+++ b/options/locale_next/locale_de-DE.json
@@ -12,7 +12,7 @@
 		"other": "%s Tags"
 	},
 	"counters.n_releases": {
-		"one": "%s freigegeben",
+		"one": "%s Veröffentlichung",
 		"other": "%s Veröffentlichungen"
 	},
 	"gpg.default_key": "Mit Standardschlüssel signiert",
@@ -24,7 +24,7 @@
 	"gpg.error.failed_retrieval_gpg_keys": "Fehler beim Abrufen eines Schlüssels des Committer-Kontos",
 	"gpg.error.probable_bad_signature": "WARNHINWEIS! Obwohl ein Schlüssel mit dieser ID in der Datenbank existiert, verifiziert er nicht diesen Commit! Dieser Commit ist VERDÄCHTIG.",
 	"gpg.error.probable_bad_default_signature": "WARNHINWEIS! Obwohl der Standardschlüssel diese ID hat, verifiziert er nicht diesen Commit! Dieser Commit ist VERDÄCHTIG.",
-	"notification.notifications": "Nachrichten",
+	"notification.notifications": "Benachrichtigungen",
 	"notification.unread": "Ungelesen",
 	"notification.read": "Gelesen",
 	"notification.no_unread": "Keine ungelesenen Benachrichtigungen.",
@@ -36,7 +36,7 @@
 	"notification.subscriptions": "Abonnements",
 	"notification.watching": "Beobachtet",
 	"notification.no_subscriptions": "Du hast keine Abonnements.",
-	"dropzone.default_message": "Zum Hochladen hier klicken oder Datei ablegen.",
+	"dropzone.default_message": "Dateien zum Hochladen hier ablegen oder klicken.",
 	"dropzone.invalid_input_type": "Dateien dieses Dateityps können nicht hochgeladen werden.",
 	"dropzone.file_too_big": "Dateigröße ({{filesize}} MB) überschreitet die Maximalgröße ({{maxFilesize}} MB).",
 	"dropzone.remove_file": "Datei entfernen",
@@ -77,7 +77,7 @@
 	"packages.dependency.id": "ID",
 	"packages.dependency.version": "Version",
 	"packages.search_in_external_registry": "In %s suchen",
-	"packages.alpine.registry": "Richte diese Registry ein, indem Du die URL in die <code>/etc/apk/repositories</code>-Datei hinzufügst:",
+	"packages.alpine.registry": "Richte diese Registry ein, indem du die URL in die <code>/etc/apk/repositories</code>-Datei hinzufügst:",
 	"packages.alpine.registry.key": "Lade den öffentlichen RSA-Key der Registry in den <code>/etc/apk/keys/</code>-Ordner, um die Signatur zu überprüfen:",
 	"packages.alpine.registry.info": "Wähle $branch und $repository aus der Liste unten.",
 	"packages.alpine.repository.branches": "Branches",
@@ -107,13 +107,13 @@
 	"packages.conan.install": "Um das Paket mit Conan zu installieren, führe den folgenden Befehl aus:",
 	"packages.conda.registry": "Richte diese Registry als Conda-Repository in deiner <code>.condarc</code>-Datei ein:",
 	"packages.conda.install": "Um das Paket mit Conda zu installieren, führe den folgenden Befehl aus:",
-	"packages.container.images.title": "Bilder",
-	"packages.container.details.type": "Abbildtyp",
+	"packages.container.images.title": "Images",
+	"packages.container.details.type": "Image-Typ",
 	"packages.container.details.platform": "Plattform",
 	"packages.container.pull": "Lade das Container-Image von der Kommandozeile aus herunter:",
-	"packages.container.digest": "Prüfsumme",
-	"packages.container.multi_arch": "Betriebsystem/Architektur",
-	"packages.container.layers": "Abbildebenen",
+	"packages.container.digest": "Digest",
+	"packages.container.multi_arch": "Betriebssystem/Architektur",
+	"packages.container.layers": "Image-Layer",
 	"packages.container.labels": "Labels",
 	"packages.container.labels.key": "Schlüssel",
 	"packages.container.labels.value": "Wert",
@@ -174,7 +174,7 @@
 	"packages.owner.settings.cargo.initialize.error": "Cargo-Index konnte nicht initialisiert werden: %v",
 	"packages.owner.settings.cargo.initialize.success": "Der Cargo-Index wurde erfolgreich erstellt.",
 	"packages.owner.settings.cargo.rebuild": "Index neu erstellen",
-	"packages.owner.settings.cargo.rebuild.description": "Neubauen kann hilfreich sein, wenn der Index nicht mit den gespeicherten Cargo-Paketen synchronisiert ist.",
+	"packages.owner.settings.cargo.rebuild.description": "Ein Neuaufbau kann hilfreich sein, wenn der Index nicht mit den gespeicherten Cargo-Paketen synchronisiert ist.",
 	"packages.owner.settings.cargo.rebuild.error": "Cargo-Index konnte nicht neu erstellt werden: %v",
 	"packages.owner.settings.cargo.rebuild.success": "Der Cargo-Index wurde erfolgreich neu erstellt.",
 	"packages.owner.settings.cargo.rebuild.no_index": "Kann nicht erneut erzeugen, es wurde kein Index initialisiert.",
@@ -223,9 +223,9 @@
 	"home.explore_repos": "Repositorys erkunden",
 	"home.explore_users": "Benutzer erkunden",
 	"home.explore_orgs": "Organisationen erkunden",
-	"home.welcome.activity_hint": "Es gibt noch nichts in deinem Feed. Deine Aktionen und Aktivitäten aus Repositorys, die du beobachtest, werden hier auftauchen.",
-	"incorrect_root_url": "Diese Forgejo-Instanz ist konfiguriert, auf „%s“ bereitgestellt zu werden. Du rufst Forgejo über einen anderen URL auf, was dazu führen könnte, dass einige Bereiche nicht funktionieren. Der anerkannte URL wird durch die Forgejo-Admins mittels der Einstellung ROOT_URL in der app.ini kontrolliert.",
-	"themes.names.forgejo-auto": "Forgejo (folge Systemthema)",
+	"home.welcome.activity_hint": "Es gibt noch nichts in deinem Feed. Deine Aktionen und Aktivitäten aus Repositorys, die du beobachtest, werden hier angezeigt.",
+	"incorrect_root_url": "Diese Forgejo-Instanz ist konfiguriert, auf „%s“ bereitgestellt zu werden. Du rufst Forgejo über eine andere URL auf, was dazu führen kann, dass einige Bereiche nicht funktionieren. Die kanonische URL wird von den Forgejo-Admins über die Einstellung ROOT_URL in der app.ini festgelegt.",
+	"themes.names.forgejo-auto": "Forgejo (Systemdesign folgen)",
 	"themes.names.forgejo-light": "Forgejo hell",
 	"themes.names.forgejo-dark": "Forgejo dunkel",
 	"error.not_found.title": "Seite nicht gefunden",
@@ -285,7 +285,7 @@
 	"moderation.abuse_category.illegal_content": "Illegaler Inhalt",
 	"moderation.abuse_category.other_violations": "Andere Verstöße gegen die Plattformregeln",
 	"moderation.report_remarks": "Anmerkungen",
-	"moderation.report_remarks.placeholder": "Bitte stelle Details über den von dir gemeldeten Missbrauch bereit.",
+	"moderation.report_remarks.placeholder": "Bitte beschreibe den Missbrauch, den du melden möchtest.",
 	"moderation.submit_report": "Meldung absenden",
 	"moderation.reporting_failed": "Kann die neue Missbrauchsmeldung nicht absenden: %v",
 	"moderation.reported_thank_you": "Danke für deine Meldung. Die Administration wurde darüber in Kenntnis gesetzt.",
@@ -293,13 +293,13 @@
 	"repo.issue_indexer.title": "Issue-Indexer",
 	"watch.list.none": "Niemand beobachtet dieses Repo.",
 	"followers.incoming.list.self.none": "Niemand folgt deinem Profil.",
-	"followers.outgoing.list.self.none": "Du folgst niemanden.",
-	"followers.outgoing.list.none": "%s folgt niemanden.",
+	"followers.outgoing.list.self.none": "Du folgst niemandem.",
+	"followers.outgoing.list.none": "%s folgt niemandem.",
 	"stars.list.none": "Niemand hat dieses Repo favorisiert.",
 	"followers.incoming.list.none": "Niemand folgt diesem Benutzer.",
 	"editor.textarea.tab_hint": "Zeile bereits eingerückt. Drücke nochmals <kbd>Tab</kbd> oder <kbd>Escape</kbd>, um den Editor zu verlassen.",
 	"editor.textarea.shift_tab_hint": "Keine Einrückung auf dieser Zeile. Drücke nochmals <kbd>Shift</kbd> + <kbd>Tab</kbd> oder <kbd>Escape</kbd>, um den Editor zu verlassen.",
-	"admin.dashboard.cleanup_offline_runners": "Aufräumen der Offline-Runner",
+	"admin.dashboard.cleanup_offline_runners": "Offline-Runner aufräumen",
 	"settings.visibility.description": "Die Profilsichtbarkeit beeinflusst die Möglichkeit anderer, auf deine nicht-privaten Repositorys zuzugreifen. <a href=\"%s\" target=\"_blank\">Erfahre mehr</a>.",
 	"avatar.constraints_hint": "Individuelles Profilbild darf %[1]s in der Größe nicht überschreiten, und nicht größer als %[2]d×%[3]d Pixel sein",
 	"repo.diff.commit.next-short": "Nächste",
@@ -309,7 +309,7 @@
 	"keys.ssh.link": "SSH-Schlüssel",
 	"keys.gpg.link": "GPG-Schlüssel",
 	"profile.actions.tooltip": "Mehr Aktionen",
-	"og.repo.summary_card.alt_description": "Zusammenfassungskarte des Repositorys %[1]s, beschrieben als %[2]s",
+	"og.repo.summary_card.alt_description": "Übersicht zum Repository %[1]s, beschrieben als %[2]s",
 	"mail.actions.run_info_sha": "Commit: %[1]s",
 	"repo.settings.push_mirror.branch_filter.label": "Branch-Filter (optional)",
 	"repo.settings.push_mirror.branch_filter.description": "Zu spiegelnde Branches. Leer lassen, um alle Branches zu spiegeln. Siehe die <a href=\"%[1]s\">„%[2]s“-Dokumentation</a> für die Syntax. Beispiele: <code>main, release/*</code>",
@@ -321,9 +321,9 @@
 	"admin.dashboard.remove_resolved_reports": "Erledigte Meldungen entfernen",
 	"compare.branches.title": "Branches vergleichen",
 	"repo.commit.load_tags_failed": "Laden von Tags aufgrund eines internen Fehlers fehlgeschlagen",
-	"admin.auths.allow_username_change": "Benutzernamen ändern zulassen",
+	"admin.auths.allow_username_change": "Ändern des Benutzernamens zulassen",
 	"admin.auths.allow_username_change.description": "Benutzern erlauben, ihren Benutzernamen in den Profileinstellungen zu ändern",
-	"warning.repository.out_of_sync": "Die Datenbankdarstellung dieses Repositorys ist nicht synchronisiert. Falls diese Warnung immer noch angezeigt wird, nachdem ein Commit zu diesem Repository gepusht wurde, kontaktieren Sie den Administrator.",
+	"warning.repository.out_of_sync": "Die Datenbankdarstellung dieses Repositorys ist nicht synchronisiert. Falls diese Warnung immer noch angezeigt wird, nachdem ein Commit zu diesem Repository gepusht wurde, kontaktiere den Administrator.",
 	"migrate.github.description": "Daten von github.com oder GitHub-Enterprise-Server migrieren.",
 	"migrate.git.description": "Ein Repository von einem beliebigen Git-Dienst klonen.",
 	"migrate.gitea.description": "Daten von gitea.com oder anderen Gitea-Instanzen migrieren.",
@@ -362,13 +362,13 @@
 	"admin.config.global_2fa_requirement.none": "Nein",
 	"admin.config.global_2fa_requirement.all": "Alle Benutzer",
 	"admin.config.global_2fa_requirement.admin": "Administratoren",
-	"settings.twofa_reenroll": "Zwei-Faktor-Authentifizierung neu ausrollen",
-	"settings.twofa_reenroll.description": "Deine Zwei-Faktor-Authentifizierung neu ausrollen",
+	"settings.twofa_reenroll": "Zwei-Faktor-Authentifizierung neu einrichten",
+	"settings.twofa_reenroll.description": "Deine Zwei-Faktor-Authentifizierung neu einrichten",
 	"error.must_enable_2fa": "Diese Forgejo-Instanz verlangt von den Benutzern, dass sie die Zwei-Faktor-Authentifizierung aktivieren, bevor sie auf ihren Accounts zugreifen können. Dies kann aktiviert werden bei: %s",
 	"admin.config.global_2fa_requirement.title": "Globale Zwei-Faktor-Anforderung",
 	"user.ghost.tooltip": "Dieser Benutzer wurde gelöscht oder konnte nicht gefunden werden.",
 	"actions.runs.view_most_recent_run": "Letzten Run betrachten",
-	"actions.runs.viewing_out_of_date_run": "Sie sehen einen veralteten Run dieses Jobs, der %[1]s ausgeführt wurde.",
+	"actions.runs.viewing_out_of_date_run": "Du siehst einen veralteten Run dieses Jobs, der %[1]s ausgeführt wurde.",
 	"actions.runs.run_attempt_label": "Run-Versuch #%[1]s (%[2]s)",
 	"actions.runs.all_workflows": "Alle Workflows",
 	"actions.runs.workflow": "Workflow",
@@ -469,9 +469,9 @@
 	"repo.issues.filter_assignee.hint": "Nach zugewiesenem Benutzer filtern",
 	"repo.issues.filter_reviewers.hint": "Nach Benutzer, der gesichtet hat, filtern",
 	"repo.issues.filter_mention.hint": "Nach erwähntem Benutzer filtern",
-	"repo.issues.filter_modified.hint": "Nach letzten modifiziertem Datum filtern",
+	"repo.issues.filter_modified.hint": "Nach zuletzt geändertem Datum filtern",
 	"search.syntax": "Suchsyntax",
-	"admin.dashboard.transfer_lingering_logs": "Aktionslogs von fertigen Aktions-Jobs aus der Datenbank in den Speicher übertragen",
+	"admin.dashboard.transfer_lingering_logs": "Actions-Logs von abgeschlossenen Actions-Jobs aus der Datenbank in den Speicher übertragen",
 	"actions.workflow.persistent_incomplete_matrix": "`strategy.matrix` vom Job %[1]s konnte aufgrund eines ungültigen `needs`-Ausdrucks nicht ausgewertet werden. Er könnte auf einen Job verweisen, der nicht in seiner „needs“-Liste (%[2]s) ist, oder auf eine Ausgabe, die in keinem dieser Jobs existiert.",
 	"admin.auths.oauth2_quota_group_map_removal": "Benutzer von synchronisierten Quotagruppen entfernen, falls Benutzer nicht zur entsprechenden Gruppe gehört.",
 	"moderation.action.account.delete": "Account löschen",
@@ -479,7 +479,7 @@
 	"moderation.action.repo.delete": "Repository löschen",
 	"moderation.action.issue.delete": "Issue löschen",
 	"moderation.action.comment.delete": "Kommentar löschen",
-	"moderation.unknown_action": "Unbekannte Action",
+	"moderation.unknown_action": "Unbekannte Aktion",
 	"moderation.users.cannot_suspend_self": "Du kannst dich nicht selbst sperren.",
 	"moderation.users.cannot_suspend_admins": "Benutzer mit Adminprivilegien können nicht gesperrt werden.",
 	"moderation.users.cannot_suspend_org": "Organisationen können nicht gesperrt werden.",
@@ -490,7 +490,7 @@
 	"moderation.comment.deletion_success": "Der Kommentar wurde gelöscht.",
 	"moderation.report.mark_as_handled": "Als bearbeitet markieren",
 	"moderation.report.mark_as_ignored": "Als ignoriert markieren",
-	"admin.auths.oauth2_quota_group_claim_name": "Der Claim-Name bietet Gruppennamen für diese Quelle, um für die Quotaverwaltung verwendet zu werden. (Optional)",
+	"admin.auths.oauth2_quota_group_claim_name": "Claim-Name, der Gruppennamen dieser Quelle für die Quotaverwaltung liefert. (Optional)",
 	"admin.auths.oauth2_quota_group_map": "Beanspruchte Gruppen an Quota-Gruppen zuordnen. (Optional – benötigt Claim-Namen oben)",
 	"actions.workflow.incomplete_matrix_missing_job": "`strategy.matrix` vom Job %[1]s konnte nicht evaluiert werden: %[2]s ist nicht in der `needs`-Liste von Job %[1]s (%[3]s).",
 	"actions.workflow.incomplete_matrix_missing_output": "`strategy.matrix` vom Job %[1]s konnte nicht evaluiert werden: %[2]s fehlt die Ausgabe %[3]s.",
@@ -507,10 +507,10 @@
 	"actions.workflow.incomplete_with_missing_matrix_dimension": "`with` vom Job %[1]s konnte nicht evaluiert werden: Matrixdimension %[2]s existiert nicht.",
 	"actions.workflow.incomplete_with_unknown_cause": "`with` vom Job %[1]s konnte nicht evaluiert werden: Unbekannter Fehler.",
 	"pulls.manual_merge.helper": "Manueller Zusammenführungshelfer",
-	"pulls.manual_merge.helpder.description": "Diese Zusammenführungs-Commitnachricht benutzen, wenn die Zusammenführung manuell vorgenommen wird.",
+	"pulls.manual_merge.helpder.description": "Diese Zusammenführungs-Commit-Nachricht benutzen, wenn die Zusammenführung manuell vorgenommen wird.",
 	"pulls.manual_merge.commit.title": "Zusammenführungs-Commit-Titel",
 	"pulls.manual_merge.commit.body": "Zusammenführungs-Commit-Body",
-	"pulls.manual_merge.copy.button": "Zusammenführungs-Commitnachricht kopieren",
+	"pulls.manual_merge.copy.button": "Zusammenführungs-Commit-Nachricht kopieren",
 	"editor.toggle_case": "Beachtung der Groß-/Kleinschreibung umschalten",
 	"editor.toggle_regex": "Mit regulären Ausdrücken umschalten",
 	"editor.search": "Suchen",
@@ -521,18 +521,18 @@
 	"editor.toggle_whole_word": "Treffer auf ganze Wörter umschalten",
 	"repo.view.gitmodules_too_large": "Die .gitmodules-Datei ist zu groß und wird ignoriert (zum Beispiel für API-Aufrufe)",
 	"install.ssh_authorized_keys_inspection_error": "Existierende authorized_keys-Datei konnte nicht untersucht werden: %v",
-	"install.ssh_authorized_keys_unexpected_key": "Die Aktivierung von SSH für Forgejo steht im Konflikt mit der Datei, die sich bei %s befindet und existierende SSH-Keys enthält. Vorschlag: Benutzen Sie einen eigenen Systembenutzer für Forgejo oder deaktivieren Sie SSH.",
+	"install.ssh_authorized_keys_unexpected_key": "Die Aktivierung von SSH für Forgejo steht im Konflikt mit der Datei bei %s, die existierende SSH-Keys enthält. Vorschlag: Verwende einen eigenen Systembenutzer für Forgejo oder deaktiviere SSH.",
 	"actions.secrets.creation.name_description": "Der Name eines Geheimnisses darf nur Buchstaben, Ziffern und Unterstriche enthalten. Es darf nicht mit „FORGEJO_“, „GITEA_“, „GITHUB_“ oder einer Zahl anfangen. Forgejo wird es automatisch in Großbuchstaben umwandeln.",
-	"actions.secrets.creation.value_description": "Der Wert eines Geheimnisses kann jeder Text sein. Sonderzeichen werden beibehalten. CRLF (Zeilenumbrüche im Windows-Stil) werden automatisch zu LF konvertiert. Kodieren Sie den Wert mit Base64, falls Zeilenumbrüche beibehalten werden sollen.",
+	"actions.secrets.creation.value_description": "Der Wert eines Geheimnisses kann jeder Text sein. Sonderzeichen werden beibehalten. CRLF (Zeilenumbrüche im Windows-Stil) werden automatisch zu LF konvertiert. Kodiere den Wert mit Base64, falls Zeilenumbrüche beibehalten werden sollen.",
 	"actions.variables.mutation.name_description": "Der Name einer Variable kann nur Buchstaben, Ziffern und Unterstriche enthalten. Er darf nicht „CI“ lauten oder mit „FORGEJO_“, „GITEA_“, „GITHUB_“ oder einer Zahl beginnen. Forgejo wird ihn automatisch zu Großbuchstaben umwandeln.",
-	"actions.variables.mutation.value_description": "Der Wert einer Variablen kann jeder Text sein. Sonderzeichen werden beibehalten. CRLF (Zeilenumbrüche im Windows-Stil) werden automatisch zu LF konvertiert. Kodieren Sie den Wert mit Base64, falls Zeilenumbrüche beibehalten werden sollen.",
+	"actions.variables.mutation.value_description": "Der Wert einer Variablen kann jeder Text sein. Sonderzeichen werden beibehalten. CRLF (Zeilenumbrüche im Windows-Stil) werden automatisch zu LF konvertiert. Kodiere den Wert mit Base64, falls Zeilenumbrüche beibehalten werden sollen.",
 	"issues.filters.labels.exclude": "Label ausschließen",
-	"issues.filters.labels.unexclude": "Ausschließung aufheben",
+	"issues.filters.labels.unexclude": "Ausschluss aufheben",
 	"packages.common.install": "Um das Paket zu installieren, folgenden Befehl ausführen:",
 	"packages.common.registry": "Diese Registry von der Befehlszeile aus einrichten:",
 	"packages.common.repository": "Repository-Infos",
-	"actions.runs.all_runs_link": "alle Durchläufe",
-	"repo.issues.filter_sort.hint_with_placeholder": "Sortieren nach: %",
+	"actions.runs.all_runs_link": "alle Runs",
+	"repo.issues.filter_sort.hint_with_placeholder": "Sortieren nach: %s",
 	"repo.pulls.auto_merge.no_permission": "Du hast nicht die Erlaubnis, die automatische Zusammenführung dieses Pull-Requests abzubrechen.",
 	"access_token.error.specified_repos_none": "Zugangstokens mit den festgelegten Repositorys müssen mindestens ein Repository haben.",
 	"access_token.error.specified_repos_and_public_only": "Zugangstokens mit den festgelegten Repositorys können nicht mit dem Scope „Nur öffentlich“ kombiniert werden.",
@@ -540,7 +540,7 @@
 	"settings.specific_repo_access": "Repositoryzugang",
 	"actions.runners.uuid": "UUID",
 	"actions.runners.token": "Token",
-	"actions.runners.ephemeral": "Vorrübergehend",
+	"actions.runners.ephemeral": "Vorübergehend",
 	"actions.runners.list_runners.details_column": "Details",
 	"actions.runners.list_runners.edit_column": "Bearbeiten",
 	"actions.runners.list_runners.delete_column": "Löschen",
@@ -584,13 +584,13 @@
 	"actions.runners.runner_setup.program_options_snippet_aria": "Wie man forgejo-runner aufruft",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "Ersetze den Verbindungsnamen (<code>forgejo</code> im Beispiel) mit einem Wert deiner Wahl.",
 	"actions.runners.runner_setup.heading_using_options": "Unter Benutzung der Programmoptionen",
-	"actions.runners.runner_setup.instruction_advanced_configurations": "Um Forgejo Runner so zu konfigurieren, dass er in Containern oder mit einer fortgeschrittenen Konfigurationen läuft, siehe die <a href=\"https://TO-BE-REPLACED.COM\">Dokumentation</a>.",
-	"actions.runners.reset_registration_token.token": "Registrierungs-Token (missbilligt)",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Um Forgejo Runner so zu konfigurieren, dass er in Containern oder mit fortgeschrittenen Konfigurationen läuft, siehe die <a href=\"%s\">Dokumentation</a>.",
+	"actions.runners.reset_registration_token.token": "Registrierungs-Token (veraltet)",
 	"form.RunnerName": "Name",
-	"actions.runners.task_list_repo": "Neuliche Aufgaben dieses Repositorys auf diesem Runner",
-	"actions.runners.task_list_org": "Neuliche Aufgaben dieses Runners innerhalb dieser Organisation",
-	"actions.runners.task_list_admin": "Neuliche Aufgaben auf diesem Runner",
-	"actions.runners.task_list_user": "Neuliche Aufgaben dieses Benutzers auf diesem Runner",
+	"actions.runners.task_list_repo": "Letzte Aufgaben dieses Repositorys auf diesem Runner",
+	"actions.runners.task_list_org": "Letzte Aufgaben dieses Runners innerhalb dieser Organisation",
+	"actions.runners.task_list_admin": "Letzte Aufgaben auf diesem Runner",
+	"actions.runners.task_list_user": "Letzte Aufgaben dieses Benutzers auf diesem Runner",
 	"settings.new_access_token": "Neuer Zugangstoken",
 	"graphs.recent_commits.title": "Anzahl der Commits im letzten Jahr",
 	"graphs.code_frequency.title": "Code-Frequenz über die Geschichte von {0}",
@@ -619,5 +619,47 @@
 	"members.add_member": "Mitglied hinzufügen",
 	"members.user": "Benutzer",
 	"members.user_already_member": "Dieser Benutzer ist bereits ein Mitglied der Organisation.",
-	"members.no_team_selected": "Organisationsmitglieder müssen mindestens einem Team angehören."
+	"members.no_team_selected": "Organisationsmitglieder müssen mindestens einem Team angehören.",
+	"migrate.select.title": "Repository migrieren",
+	"actions.runners.version": "Version",
+	"admin.federation.federation": "Föderation",
+	"admin.federation.hosts": "Hosts",
+	"admin.federation.hosts.title": "Föderations-Hosts",
+	"admin.federation.hosts.manage_panel": "Föderations-Hosts verwalten",
+	"admin.federation.hosts.details_panel": "Föderations-Host-Details",
+	"admin.federation.hosts.show_details": "Host-Details anzeigen",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Schema",
+	"admin.federation.host.port": "Port",
+	"admin.federation.host.software_name": "Software",
+	"admin.federation.host.created": "Erstellt",
+	"admin.federation.host.updated": "Aktualisiert",
+	"admin.federation.host.latest_activity": "Neuste Aktivität",
+	"admin.federation.users": "Benutzer",
+	"admin.federation.users.title": "Föderierte Benutzer",
+	"admin.federation.users.manage_panel": "Föderierte Benutzer verwalten",
+	"admin.federation.users.show_local_user": "Lokale Benutzerdetails anzeigen",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "Lokale Benutzer-ID",
+	"admin.federation.user.external_id": "Externe Benutzer-ID",
+	"admin.federation.user.inbox_path": "Inbox-Pfad",
+	"admin.config.federation": "Föderations-Konfiguration",
+	"admin.config.federation.enabled": "Aktiviert",
+	"admin.config.federation.share_user_statistics": "Benutzerstatistik mit anderen Hosts teilen",
+	"admin.config.federation.max_size": "Max. erlaubte Antwortgröße",
+	"admin.config.federation.signature_enforced": "HTTP-Signaturen erfordern",
+	"admin.config.federation.signature_algorithms": "Signaturalgorithmen",
+	"admin.config.federation.digest_algorithm": "Signatur-Hashwert-Algorithmus",
+	"admin.config.federation.get_headers": "Signierte GET-Header",
+	"admin.config.federation.post_headers": "Signierte POST-Header",
+	"actions.workflow.unknown_job_in_needs": "Job mit ID %[1]s referenziert unbekannte Jobs in `needs`: %[2]s.",
+	"actions.workflow.rerun_impossible": "Der Workflow kann nicht erneut ausgeführt werden.",
+	"actions.workflow.job_rerun_impossible": "Der Job kann nicht erneut ausgeführt werden.",
+	"user.activitypub_feed.feed": "Fediverse-Feed",
+	"user.activitypub_feed.no_activity": "Keine Fediverse-Aktivität",
+	"user.activitypub_feed.is_empty": "Dein Fediverse-Feed ist leer.",
+	"user.activitypub_feed.hint": "Dieser Feed zeigt Aktivitäten aus Fediverse-Konten, denen du folgst sowie föderierten Posts, die dich erwähnt haben.",
+	"user.activitypub_feed.posted_on": "Auf %[1]s gepostet",
+	"user.activitypub_feed.original_source": "Ursprüngliche Quelle"
 }
diff --git a/options/locale_next/locale_fil.json b/options/locale_next/locale_fil.json
index 1319c71f64..5d03276981 100644
--- a/options/locale_next/locale_fil.json
+++ b/options/locale_next/locale_fil.json
@@ -533,5 +533,62 @@
 	"packages.common.registry": "I-setup ang registry na ito mula sa command line:",
 	"packages.common.repository": "Info ng repositoryo",
 	"actions.runs.all_runs_link": "lahat ng mga takbo",
-	"repo.pulls.auto_merge.no_permission": "Wala kang pahintulot na kanselahin ang auto merge sa hiling sa paghila."
+	"repo.pulls.auto_merge.no_permission": "Wala kang pahintulot na kanselahin ang auto merge sa hiling sa paghila.",
+	"migrate.select.title": "I-migrate ang repositoryo",
+	"settings.specific_repo_access": "Access sa repositoryo",
+	"settings.new_access_token": "Bagong access token",
+	"settings.permissions_access_specific_repositories": "Ilang repositoryo",
+	"settings.access_token.selected_repositories": {
+		"one": "%d piniling repositoryo",
+		"other": "%d (na) piniling repositoryo"
+	},
+	"settings.access_token.available_repositories": "Mga available na repositoryo",
+	"settings.access_token.no_repositories_selected": "Walang mga piniling repositoryo.",
+	"settings.access_token.no_repositories_found": "Walang mga nahanap na repositoryo.",
+	"settings.access_token.remove": "Tanggalin ang %s",
+	"settings.access_token.resource_all_help": "Payagan ang access sa lahat ng mga resource.",
+	"settings.access_token.resource_public_only_help": "Limitahan ang access sa mga repositoryo at mga organisasyon na publiko.",
+	"settings.access_token.resource_specific_repo_help": "Limitahan ang access sa pasadyang listahan ng mga repositoryo. Pinapayagan lamang ang read-only na access sa lahat ng mga pampublikong repositoryo. Maaari lamang i-enable ang mga pahintulot na pinapayagan ang access sa mga repositoryo at isyu.",
+	"settings.access_token.admin_disabled": "Naka-disable ang administrative na pahintulot.",
+	"access_token.error.specified_repos_none": "Dapat may kahit isang repositoryo ang mga access token na may piniling repositoryo.",
+	"access_token.error.specified_repos_and_public_only": "Hindi maaaring ipagsama ang public-only na scope ang mga access token na may piniling repositoryo.",
+	"access_token.error.specified_repos_and_invalid_scope": "Maaari lamang gamitin ang read:issue, write:issue, read:repository, at write:repository na scope sa mga access token na may piniling repositoryo.",
+	"actions.runners.uuid": "UUID",
+	"actions.runners.token": "Token",
+	"actions.runners.ephemeral": "Ephemeral",
+	"actions.runners.list_runners.details_column": "Mga detalye",
+	"actions.runners.list_runners.edit_column": "I-edit",
+	"actions.runners.list_runners.delete_column": "Burahin",
+	"actions.runners.list_runners.details_button": "Mga detalye",
+	"actions.runners.list_runners.details_button_aria": "Ipakita ang mga detalye ng %s",
+	"actions.runners.list_runners.delete_button": "Burahin",
+	"actions.runners.list_runners.delete_button_aria": "Burahin ang %s",
+	"actions.runners.list_runners.edit_button": "I-edit",
+	"actions.runners.list_runners.edit_button_aria": "I-edit ang %s",
+	"actions.runners.ephemeral.yes": "oo",
+	"actions.runners.ephemeral.no": "hindi",
+	"actions.runners.task_list_repo": "Mga kamakailang trabaho ng repositoryong ito sa runner",
+	"actions.runners.task_list_org": "Mga kamakailang trabaho sa runner na ito sa organisasyong ito",
+	"actions.runners.task_list_admin": "Mga kamakailang trabaho sa runner na ito",
+	"actions.runners.task_list_user": "Mga kamakailang trabaho ng user na ito sa runner",
+	"actions.runners.edit_runner_button": "I-edit ang runner",
+	"actions.runners.create_runner.page_title": "Gumawa ng bagong runner",
+	"actions.runners.create_runner.title": "Gumawa ng bagong runner",
+	"actions.runners.create_runner.properties_fieldset": "Mga property",
+	"actions.runners.create_runner.name_label": "Pangalan",
+	"actions.runners.create_runner.description_label": "Paglalarawan",
+	"actions.runners.create_runner.create_button": "Gumawa",
+	"actions.runners.create_runner.cancel_button": "Kanselahin",
+	"actions.runners.edit_runner.page_title": "I-edit ang runner na %s",
+	"actions.runners.edit_runner.title": "I-edit ang runner na %s",
+	"actions.runners.edit_runner.properties_fieldset": "Mga property",
+	"actions.runners.edit_runner.properties_options": "Mga opsyon",
+	"actions.runners.edit_runner.name_label": "Pangalan",
+	"actions.runners.edit_runner.description_label": "Paglalarawan",
+	"actions.runners.edit_runner.regenerate_token_label": "I-regenerate ang token",
+	"actions.runners.edit_runner.regenerate_token_help": "Ipapagwalang bisa agad ang umiiral na token. Makakakuha ka ng bagong token sa susunod na pahina.",
+	"actions.runners.edit_runner.save_button": "I-save",
+	"actions.runners.edit_runner.cancel_button": "Kanselahin",
+	"actions.runners.runner_setup.title": "I-set up ang runner na %s",
+	"actions.runners.show_registration_token": "Ipakita ang token ng pagrehistro"
 }
diff --git a/options/locale_next/locale_fr-FR.json b/options/locale_next/locale_fr-FR.json
index 84e53d0311..0fd20579db 100644
--- a/options/locale_next/locale_fr-FR.json
+++ b/options/locale_next/locale_fr-FR.json
@@ -1,19 +1,23 @@
 {
 	"counters.n_commits": {
 		"one": "%s commit",
-		"other": "%s commits"
+		"many": "%s commits",
+		"other": ""
 	},
 	"counters.n_branches": {
 		"one": "%s branch",
-		"other": "%s branches"
+		"many": "%s branches",
+		"other": ""
 	},
 	"counters.n_tags": {
 		"one": "%s étiquettes",
-		"other": "%s étiquettes"
+		"many": "%s étiquettes",
+		"other": ""
 	},
 	"counters.n_releases": {
 		"one": "%s publication",
-		"other": "%s publications"
+		"many": "%s publications",
+		"other": ""
 	},
 	"gpg.default_key": "Signé avec la clé par défaut",
 	"gpg.error.extract_sign": "Impossible d'extraire la signature",
@@ -614,5 +618,22 @@
 	"actions.runners.ephemeral.no": "non",
 	"actions.runs.scheduled_description": "Exécution planifiée du commit <a href=\"%[1]s\">%[2]s</a>",
 	"actions.runs.workflow_dispatch_description": "Exécution du commit <a href=\"%[1]s\">%[2]s</a> déclenché par <a href=\"%[3]s\">%[4]s</a>",
-	"actions.runs.on_push_description": "Commit <a href=\"%[1]s\">%[2]s</a> poussé par <a href=\"%[3]s\">%[4]s</a>"
+	"actions.runs.on_push_description": "Commit <a href=\"%[1]s\">%[2]s</a> poussé par <a href=\"%[3]s\">%[4]s</a>",
+	"migrate.select.title": "Migrer le dépôt",
+	"admin.federation.federation": "Fédération",
+	"admin.federation.hosts": "Hôtes",
+	"admin.federation.hosts.show_details": "Afficher les détails de l'hôte",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.schema": "Schéma",
+	"admin.federation.host.port": "Port",
+	"admin.federation.host.latest_activity": "Dernières activités",
+	"admin.federation.users": "Utilisateurs",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "ID utilisateur local",
+	"admin.federation.user.external_id": "ID utilisateur externe",
+	"admin.config.federation": "Configuration de la fédération",
+	"admin.config.federation.enabled": "Activé",
+	"settings.access_token.resource_all_help": "Autoriser l'accès à toutes les ressources.",
+	"user.activitypub_feed.posted_on": "Posté sur %[1]s",
+	"actions.runners.version": "Version"
 }
diff --git a/options/locale_next/locale_ga.json b/options/locale_next/locale_ga.json
index f41ecfb09f..70003eface 100644
--- a/options/locale_next/locale_ga.json
+++ b/options/locale_next/locale_ga.json
@@ -561,5 +561,165 @@
 	"actions.secrets.creation.name_description": "Ní féidir ach litreacha, uimhreacha agus fo-línte a bheith in ainm rúnda. Ní féidir leis tosú le FORGEJO_, GITEA_, GITHUB_, ná uimhir. Déanfaidh Forgejo é a thiontú go huachtarlitir go huathoibríoch.",
 	"actions.secrets.creation.value_description": "Is féidir luach rúnda a bheith ina théacs ar bith. Coinnítear carachtair speisialta. Déantar CRLF (briseadh líne stíl Windows) a thiontú go huathoibríoch go LF. Ionchódaigh an luach le Base64 más ceart briseadh líne a choinneáil.",
 	"actions.variables.mutation.name_description": "Ní féidir ach litreacha, uimhreacha agus fo-línte a bheith in ainm athróige. Ní féidir CI a thabhairt air ná tosú le FORGEJO_, GITEA_, GITHUB_, ná uimhir. Déanfaidh Forgejo é a thiontú go huachtarlitir go huathoibríoch.",
-	"actions.variables.mutation.value_description": "Is féidir luach athróg a bheith ina théacs ar bith. Coinnítear carachtair speisialta. Déantar CRLF (briseadh líne stíl Windows) a thiontú go huathoibríoch go LF. Ionchódaigh an luach le Base64 más ceart briseadh líne a choinneáil."
+	"actions.variables.mutation.value_description": "Is féidir luach athróg a bheith ina théacs ar bith. Coinnítear carachtair speisialta. Déantar CRLF (briseadh líne stíl Windows) a thiontú go huathoibríoch go LF. Ionchódaigh an luach le Base64 más ceart briseadh líne a choinneáil.",
+	"repo.pulls.auto_merge.no_permission": "Níl cead agat cumasc uathoibríoch an iarratais tarraingthe seo a chealú.",
+	"migrate.select.title": "Imirce stór",
+	"admin.federation.federation": "Cónaidhm",
+	"admin.federation.hosts": "Óstaigh",
+	"admin.federation.hosts.title": "Óstaigh an Chónaidhm",
+	"admin.federation.hosts.manage_panel": "Bainistigh óstach cónaidhme",
+	"admin.federation.hosts.details_panel": "Sonraí óstach cónaidhme",
+	"admin.federation.hosts.show_details": "Taispeáin sonraí an óstaigh",
+	"admin.federation.host.id": "Aitheantas",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Scéim",
+	"admin.federation.host.port": "Port",
+	"admin.federation.host.software_name": "Bogearraí",
+	"admin.federation.host.created": "Cruthaithe",
+	"admin.federation.host.updated": "Nuashonraithe",
+	"admin.federation.host.latest_activity": "Gníomhaíocht is déanaí",
+	"admin.federation.users": "Úsáideoirí",
+	"admin.federation.users.title": "Úsáideoirí cónaidhme",
+	"admin.federation.users.manage_panel": "Bainistigh úsáideoirí cónaidhme",
+	"admin.federation.users.show_local_user": "Taispeáin sonraí úsáideora áitiúil",
+	"admin.federation.user.id": "Aitheantas",
+	"admin.federation.user.user_id": "Aitheantas úsáideora áitiúil",
+	"admin.federation.user.external_id": "Aitheantas úsáideora seachtrach",
+	"admin.federation.user.inbox_path": "Cosán an bhosca isteach",
+	"admin.config.federation": "Cumraíocht an Chónaidhm",
+	"admin.config.federation.enabled": "Cumasaithe",
+	"admin.config.federation.share_user_statistics": "Comhroinn staitisticí úsáideora le hóstach eile",
+	"admin.config.federation.max_size": "Uasmhéid freagartha ceadaithe",
+	"admin.config.federation.signature_enforced": "Éiligh sínithe HTTP",
+	"admin.config.federation.signature_algorithms": "Algartaim shínithe",
+	"admin.config.federation.digest_algorithm": "Algartam díleá sínithe",
+	"admin.config.federation.get_headers": "Ceanntásca GET sínithe",
+	"admin.config.federation.post_headers": "Ceanntásca POST sínithe",
+	"settings.specific_repo_access": "Rochtain ar an stór",
+	"settings.new_access_token": "Comhartha rochtana nua",
+	"settings.permissions_access_specific_repositories": "Stórtha sonracha",
+	"settings.access_token.selected_repositories": {
+		"one": "Stórlann roghnaithe (%d)",
+		"two": "Stórtha roghnaithe (%d)",
+		"few": "Stórtha roghnaithe (%d)",
+		"many": "Stórtha roghnaithe (%d)",
+		"other": "Stórtha roghnaithe (%d)"
+	},
+	"settings.access_token.available_repositories": "Stórtha atá ar fáil",
+	"settings.access_token.no_repositories_selected": "Níl aon stórtha roghnaithe.",
+	"settings.access_token.no_repositories_found": "Níor aimsíodh aon stórtha.",
+	"settings.access_token.remove": "Bain %s",
+	"settings.access_token.resource_all_help": "Ceadaigh rochtain ar na hacmhainní go léir.",
+	"settings.access_token.resource_public_only_help": "Teorainn a chur le rochtain ar stórtha agus ar eagraíochtaí atá poiblí.",
+	"settings.access_token.resource_specific_repo_help": "Teorainn a chur le rochtain ar liosta sonrach stórtha. Ceadaítear rochtain léite amháin do gach stór poiblí. Ní féidir ach ceadanna a chumasú a cheadaíonn rochtain ar stórtha agus ar shaincheisteanna.",
+	"settings.access_token.admin_disabled": "Tá ceadanna riaracháin díchumasaithe.",
+	"user.activitypub_feed.feed": "Beatha Fediverse",
+	"user.activitypub_feed.no_activity": "Gan aon ghníomhaíocht ilghnéitheach",
+	"user.activitypub_feed.is_empty": "Tá do bheatha fediverse folamh.",
+	"user.activitypub_feed.hint": "Taispeánann an fotha seo gníomhaíochtaí ó chuntais fediverse a leanann tú, chomh maith le poist chónaidhme inar luaigh tú.",
+	"user.activitypub_feed.posted_on": "Postáilte ar %[1]s",
+	"user.activitypub_feed.original_source": "Foinse bhunaidh",
+	"counters.n_commits": {
+		"one": "%s tiomantas",
+		"two": "%s tiomantais",
+		"few": "%s tiomantais",
+		"many": "%s tiomantais",
+		"other": "%s tiomantais"
+	},
+	"counters.n_branches": {
+		"one": "%s brainse",
+		"two": "%s brainsí",
+		"few": "%s brainsí",
+		"many": "%s brainsí",
+		"other": "%s brainsí"
+	},
+	"counters.n_tags": {
+		"one": "%s clib",
+		"two": "%s clibeanna",
+		"few": "%s clibeanna",
+		"many": "%s clibeanna",
+		"other": "%s clibeanna"
+	},
+	"counters.n_releases": {
+		"one": "%s eisiúint",
+		"two": "%s eisiúintí",
+		"few": "%s eisiúintí",
+		"many": "%s eisiúintí",
+		"other": "%s eisiúintí"
+	},
+	"access_token.error.specified_repos_none": "Ní mór stór amháin ar a laghad a bheith ag comharthaí rochtana le stórtha sonraithe.",
+	"access_token.error.specified_repos_and_public_only": "Ní féidir comharthaí rochtana le stórtha sonraithe a chomhcheangal leis an raon feidhme poiblí amháin.",
+	"access_token.error.specified_repos_and_invalid_scope": "Ní féidir comharthaí rochtana le stórtha sonraithe a úsáid ach leis na raonta read:issue, write:issue, read:repository, agus write:repository.",
+	"actions.runners.uuid": "UUID",
+	"actions.runners.token": "Comhartha",
+	"actions.runners.ephemeral": "Sealadach",
+	"actions.runners.version": "Leagan",
+	"actions.runners.list_runners.details_column": "Sonraí",
+	"actions.runners.list_runners.edit_column": "Cuir in Eagar",
+	"actions.runners.list_runners.delete_column": "Scrios",
+	"actions.runners.list_runners.details_button": "Sonraí",
+	"actions.runners.list_runners.details_button_aria": "Taispeáin sonraí %s",
+	"actions.runners.list_runners.delete_button": "Scrios",
+	"actions.runners.list_runners.delete_button_aria": "Scrios %s",
+	"actions.runners.list_runners.edit_button": "Cuir in Eagar",
+	"actions.runners.list_runners.edit_button_aria": "Cuir in Eagar %s",
+	"actions.runners.ephemeral.yes": "tá",
+	"actions.runners.ephemeral.no": "níl",
+	"actions.runners.task_list_repo": "Tascanna le déanaí den stórlann seo ar an rithire seo",
+	"actions.runners.task_list_org": "Tascanna le déanaí ar an rithire seo laistigh den eagraíocht seo",
+	"actions.runners.task_list_admin": "Tascanna le déanaí ar an rithire seo",
+	"actions.runners.task_list_user": "Tascanna le déanaí an úsáideora seo ar an rithire seo",
+	"actions.runners.edit_runner_button": "Cuir an rithire in eagar",
+	"actions.runners.create_runner.page_title": "Cruthaigh reathaí nua",
+	"actions.runners.create_runner.title": "Cruthaigh reathaí nua",
+	"actions.runners.create_runner.properties_fieldset": "Airíonna",
+	"actions.runners.create_runner.name_label": "Ainm",
+	"actions.runners.create_runner.description_label": "Cur síos",
+	"actions.runners.create_runner.create_button": "Cruthaigh",
+	"actions.runners.create_runner.cancel_button": "Cealaigh",
+	"actions.runners.edit_runner.page_title": "Cuir an ritheoir %s in eagar",
+	"actions.runners.edit_runner.title": "Cuir an ritheoir %s in eagar",
+	"actions.runners.edit_runner.properties_fieldset": "Airíonna",
+	"actions.runners.edit_runner.properties_options": "Roghanna",
+	"actions.runners.edit_runner.name_label": "Ainm",
+	"actions.runners.edit_runner.description_label": "Cur síos",
+	"actions.runners.edit_runner.regenerate_token_label": "Athghin an comhartha",
+	"actions.runners.edit_runner.regenerate_token_help": "Cuirfear an comhartha atá ann cheana ar neamhní láithreach. Gheobhaidh tú comhartha nua ar an gcéad leathanach eile.",
+	"actions.runners.edit_runner.save_button": "Sábháil",
+	"actions.runners.edit_runner.cancel_button": "Cealaigh",
+	"actions.runners.runner_setup.title": "Socraigh an ritheoir %s",
+	"actions.runners.show_registration_token": "Taispeáin comhartha clárúcháin",
+	"actions.runners.runner_details.page_title": "Rithóir %s",
+	"actions.runners.runner_details.labels_note": "Sainmhínítear lipéid an rithóir i gcomhad cumraíochta Forgejo Runner nó cuirtear ar aghaidh iad mar rogha líne ordaithe. Nuashonraítear iad gach uair a bhunaíonn Forgejo Runner nasc le Forgejo.",
+	"actions.runners.runner_setup.page_title": "Socraigh an ritheoir %s",
+	"actions.runners.runner_setup.list_of_runners_link": "Liosta reathaithe",
+	"actions.runners.runner_setup.last_chance_copying_token": "Cóipeáil an comhartha anois mar ní bheidh tú in ann é a fheiceáil arís!",
+	"actions.runners.runner_setup.button_copy_uuid_aria": "Cóipeáil UUID an ritheora",
+	"actions.runners.runner_setup.button_copy_token_aria": "Cóipeáil comhartha reathaí",
+	"actions.runners.runner_setup.heading_using_configuration": "Ag baint úsáide as an gcomhad cumraíochta reathaí",
+	"actions.runners.runner_setup.configuration_snippet_aria": "Sleachta le cur isteach i gcumraíocht an rithire",
+	"actions.runners.runner_setup.program_options_snippet_aria": "Conas forgejo-runner a ghairm",
+	"actions.runners.runner_setup.instruction_replace_connection_name": "Cuir luach de do thaitin leat in ionad ainm an naisc (<code>forgejo</code> sa sampla).",
+	"actions.runners.runner_setup.heading_using_options": "Ag baint úsáide as roghanna cláir",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Chun Forgejo Runner a chumrú agus é ag rith i gcoimeádáin nó i gcumraíochtaí ardleibhéil, féach ar an <a href=\"%s\">doiciméadú</a>.",
+	"actions.runners.reset_registration_token.token": "Comhartha Clárúcháin (Imithe as Feidhm)",
+	"actions.runs.scheduled_description": "Rith sceidealaithe de thiomnú <a href=\"%[1]s\">%[2]s</a>",
+	"actions.runs.workflow_dispatch_description": "Rith an tiomnúcháin <a href=\"%[1]s\">%[2]s</a> spreagtha ag <a href=\"%[3]s\">%[4]s</a>",
+	"actions.runs.on_push_description": "Tiomnú <a href=\"%[1]s\">%[2]s</a> brúite ag <a href=\"%[3]s\">%[4]s</a>",
+	"actions.workflow.unknown_job_in_needs": "Tagraíonn post leis an ID %[1]s do phoist anaithnide i `needs`: %[2]s.",
+	"actions.workflow.rerun_impossible": "Ní féidir an sreabhadh oibre a athrith.",
+	"actions.workflow.job_rerun_impossible": "Ní féidir an post a athrith.",
+	"actions.secrets.edit_button": "Cuir rún \"%s\" in eagar",
+	"actions.secrets.mutation.header": "Cuir rún \"%s\" in eagar",
+	"actions.secrets.mutation.success_message": "Tá an rún \"%s\" nuashonraithe.",
+	"actions.secrets.mutation.failure_message": "Níorbh fhéidir an rún \"%s\" a nuashonrú.",
+	"actions.secrets.mutation.name_description": "Ní féidir ach litreacha, uimhreacha agus fo-línte a bheith in ainm rúnda. Ní féidir leis tosú le FORGEJO_, GITEA_, GITHUB_, ná uimhir. Déanfaidh Forgejo é a thiontú go huachtarlitir go huathoibríoch.",
+	"actions.secrets.mutation.value_description": "Ní thaispeánfar an luach atá ann cheana. Fág an réimse folamh mura mian leat é a mhodhnú. Coinnítear carachtair speisialta. Déantar CRLF (briseadh líne de stíl Windows) a thiontú go huathoibríoch go LF. Ionchódaigh an luach le Base64 más ceart briseadh líne a choinneáil.",
+	"members.add_member": "Cuir ball leis",
+	"members.user": "Úsáideoir",
+	"members.user_already_member": "Is ball den eagraíocht an t-úsáideoir seo cheana féin.",
+	"members.no_team_selected": "Ní mór do bhaill na heagraíochta a bheith ina mbaill de fhoireann amháin ar a laghad.",
+	"form.RunnerName": "Ainm",
+	"graphs.recent_commits.title": "Líon na ngealltanas le bliain anuas",
+	"graphs.code_frequency.title": "Minicíocht chód thar stair {0}"
 }
diff --git a/options/locale_next/locale_it-IT.json b/options/locale_next/locale_it-IT.json
index 4380c58640..38e74714bc 100644
--- a/options/locale_next/locale_it-IT.json
+++ b/options/locale_next/locale_it-IT.json
@@ -1,19 +1,23 @@
 {
 	"counters.n_commits": {
 		"one": "%s commit",
-		"other": "%s commit"
+		"many": "%s commit",
+		"other": ""
 	},
 	"counters.n_branches": {
 		"one": "%s ramo",
-		"other": "%s rami"
+		"many": "%s rami",
+		"other": ""
 	},
 	"counters.n_tags": {
 		"one": "%s etichetta",
-		"other": "%s etichette"
+		"many": "%s etichette",
+		"other": ""
 	},
 	"counters.n_releases": {
 		"one": "%s rilascio",
-		"other": "%s rilasci"
+		"many": "%s rilasci",
+		"other": ""
 	},
 	"gpg.default_key": "Firmato con la chiave predefinita",
 	"gpg.error.extract_sign": "Impossibile ricavare la firma",
@@ -464,8 +468,8 @@
 	"moderation.action.comment.delete": "Elimina commento",
 	"moderation.action.account.suspend": "Sospendi profilo",
 	"repo.issues.filter_reviewers.hint": "Filtra per utente che ha recensito",
-	"repo.issues.filter_mention.hint": "Filtra per utente menzionato",
-	"repo.issues.filter_modified.hint": "Filtra per ultima data modificata",
+	"repo.issues.filter_mention.hint": "Filtra per utente menzionatə",
+	"repo.issues.filter_modified.hint": "Filtra per ultima modifica",
 	"repo.issues.filter_sort.hint_with_placeholder": "Ordina per: %s",
 	"issues.updated": "aggiornato %s",
 	"issues.filters.labels.exclude": "Escludi etichetta",
@@ -480,5 +484,9 @@
 	"search.syntax": "Sintassi di ricerca",
 	"search.fuzzy": "Fuzzy",
 	"search.fuzzy_tooltip": "Includere i risultati è una corrispondenza approssimativa al termine di ricerca",
-	"install.ssh_authorized_keys_inspection_error": "Ispezione del file authorized_keys esistente fallito: %v"
+	"install.ssh_authorized_keys_inspection_error": "Ispezione del file authorized_keys esistente fallito: %v",
+	"repo.issues.filter_poster.hint": "Filtra per autore",
+	"repo.issues.filter_assignee.hint": "Filtra per utente assegnatə",
+	"repo.pulls.auto_merge.no_permission": "Non hai i permessi di annullare l'immissione automatica di questa richiesta di modifica.",
+	"repo.pulls.poster_manage_approval": "Gestisci approvazione"
 }
diff --git a/options/locale_next/locale_kab.json b/options/locale_next/locale_kab.json
index 1b777db276..01329826e9 100644
--- a/options/locale_next/locale_kab.json
+++ b/options/locale_next/locale_kab.json
@@ -106,5 +106,33 @@
 		"one": "%d n wesrag aya",
 		"other": "%d n yesragen aya"
 	},
-	"packages.settings.delete": "Kkes akemmus"
+	"packages.settings.delete": "Kkes akemmus",
+	"actions.actions": "Tigawin",
+	"actions.runners.token": "Tiddest",
+	"actions.runners.list_runners.edit_column": "Ẓreg",
+	"actions.runners.list_runners.delete_column": "Kkes",
+	"actions.runners.list_runners.details_button": "Talqayt",
+	"actions.runners.list_runners.delete_button": "Kkes",
+	"actions.runners.list_runners.edit_button": "Ẓreg",
+	"actions.runners.ephemeral.yes": "ih",
+	"actions.runners.ephemeral.no": "uhu",
+	"actions.runners.list_runners.details_column": "Talqayt",
+	"actions.runners.create_runner.name_label": "Isem",
+	"actions.runners.create_runner.description_label": "Aglam",
+	"actions.runners.create_runner.create_button": "Snulfu-d",
+	"actions.runners.create_runner.cancel_button": "Semmet",
+	"actions.runners.edit_runner.properties_options": "Tixtiṛiyin",
+	"actions.runners.edit_runner.name_label": "Isem",
+	"actions.runners.edit_runner.description_label": "Aglam",
+	"actions.runners.edit_runner.save_button": "Sekles",
+	"actions.runners.edit_runner.cancel_button": "Semmet",
+	"form.RunnerName": "Isem",
+	"members.user": "Aseqdac",
+	"actions.runners.version": "Lqem",
+	"admin.federation.host.schema": "Azenziɣ",
+	"admin.federation.host.port": "Tawwurt",
+	"admin.federation.host.software_name": "Aseɣẓan",
+	"admin.federation.users": "Iseqdacen",
+	"admin.federation.user.id": "Asulay ID",
+	"admin.config.federation.enabled": "D urmid"
 }
diff --git a/options/locale_next/locale_kw.json b/options/locale_next/locale_kw.json
new file mode 100644
index 0000000000..00322101ea
--- /dev/null
+++ b/options/locale_next/locale_kw.json
@@ -0,0 +1,3 @@
+{
+	"home.welcome.no_activity": "Nyns eys aktivita"
+}
diff --git a/options/locale_next/locale_lv-LV.json b/options/locale_next/locale_lv-LV.json
index 3910315bd6..0482456367 100644
--- a/options/locale_next/locale_lv-LV.json
+++ b/options/locale_next/locale_lv-LV.json
@@ -1,17 +1,21 @@
 {
 	"counters.n_commits": {
+		"zero": "%s iesūtījumu",
 		"one": "%s iesūtījums",
 		"other": "%s iesūtījumi"
 	},
 	"counters.n_branches": {
+		"zero": "%s zaru",
 		"one": "%s zars",
 		"other": "%s zari"
 	},
 	"counters.n_tags": {
+		"zero": "%s birku",
 		"one": "%s birka",
 		"other": "%s birkas"
 	},
 	"counters.n_releases": {
+		"zero": "%s laidienu",
 		"one": "%s laidiens",
 		"other": "%s laidieni"
 	},
@@ -102,17 +106,17 @@
 	"packages.cargo.install": "Lai uzstādītu pakotni ar Cargo, jāizpilda šī komanda:",
 	"packages.chef.registry": "Iestatīt šo reģistru datnē <code>~/.chef/config.rb</code>:",
 	"packages.composer.registry": "Iestatīt šo reģistru datnē <code>~/.composer/config.json</code>:",
-	"packages.composer.install": "Lai uzstādīt pakotni ar Composer, jāizpilda šī komanda:",
+	"packages.composer.install": "Lai uzstādītu pakotni ar Composer, jāizpilda šī komanda:",
 	"packages.composer.dependencies.development": "Izstrādes atkarības",
 	"packages.conan.install": "Lai uzstādītu pakotni ar Conan, jāizpilda šī komanda:",
-	"packages.conda.registry": "Izveidot šo reģistru kā Conda glabātavu datnē <code>.condarc</code>:",
+	"packages.conda.registry": "Iestatīt šo reģistru kā Conda glabātavu datnē <code>.condarc</code>:",
 	"packages.conda.install": "Lai uzstādītu pakotni ar Conda, jāizpilda šī komanda:",
 	"packages.container.images.title": "Attēli",
 	"packages.container.details.type": "Attēla veids",
 	"packages.container.details.platform": "Platforma",
 	"packages.container.pull": "Atgādāt attēlu komandrindā:",
 	"packages.container.digest": "Īssavilkums",
-	"packages.container.multi_arch": "OS / arhitektūra",
+	"packages.container.multi_arch": "OS/arhitektūra",
 	"packages.container.layers": "Attēla slāņi",
 	"packages.container.labels": "Iezīmes",
 	"packages.container.labels.key": "Atslēga",
@@ -120,19 +124,19 @@
 	"packages.cran.registry": "Iestatīt šo reģistru datnē <code>Rprofile.site</code>:",
 	"packages.debian.registry.info": "No zemāk esošā saraksta jāizvēlas $distribution un $component.",
 	"packages.debian.repository.distributions": "Distribūcijas",
-	"packages.debian.repository.components": "Komponentes",
+	"packages.debian.repository.components": "Sastāvdaļas",
 	"packages.debian.repository.architectures": "Arhitektūras",
-	"packages.generic.download": "Lejupielādēt pakotni, izmantojot, komandrindu:",
+	"packages.generic.download": "Lejupielādēt pakotni komandrindā:",
 	"packages.go.install": "Uzstādīt pakotni komandrindā:",
 	"packages.maven.registry": "Iestatīt šo reģistru sava projekta datnē <code>pom.xml</code>:",
 	"packages.maven.install": "Lai izmantotu pakotni, datnes <code>pom.xml</code> sadaļā <code>dependencies</code> jāievieto šīs rindas:",
 	"packages.maven.install2": "Jāizpilda komandrindā:",
-	"packages.maven.download": "Jāizpilda komandrindā, lai lejupielādētu šo atkarību:",
+	"packages.maven.download": "Lai lejupielādētu atkarību, komandrindā jāizpilda:",
 	"packages.nuget.install": "Lai uzstādītu pakotni ar NuGet, jāizpilda šī komanda:",
-	"packages.nuget.dependency.framework": "Mērķa ietvars",
+	"packages.nuget.dependency.framework": "Mērķa satvars",
 	"packages.npm.registry": "Iestatīt šo reģistru sava projekta datnē <code>.npmrc</code>:",
 	"packages.npm.install": "Lai uzstādītu pakotni ar npm, jāizpilda šī komanda:",
-	"packages.npm.install2": "vai datnē package.json jāpievieno:",
+	"packages.npm.install2": "vai jāpievieno datnē package.json:",
 	"packages.npm.dependencies.development": "Izstrādes atkarības",
 	"packages.npm.dependencies.bundle": "Iekļautās atkarības",
 	"packages.npm.dependencies.peer": "Līdzatkarības",
@@ -149,28 +153,28 @@
 	"packages.alt.repository.architectures": "Arhitektūras",
 	"packages.alt.repository.multiple_groups": "Šī pakotne ir pieejama vairākās kopās.",
 	"packages.rubygems.install": "Lai uzstādītu pakotni ar gem, jāizpilda šī komanda:",
-	"packages.rubygems.install2": "vai jāpievieno tas Gemfile:",
+	"packages.rubygems.install2": "vai jāpievieno tā Gemfile:",
 	"packages.rubygems.dependencies.runtime": "Izpildlaika atkarības",
 	"packages.rubygems.dependencies.development": "Izstrādes atkarības",
-	"packages.rubygems.required.ruby": "Nepieciešamā Ruby versija",
-	"packages.rubygems.required.rubygems": "Nepieciešamā RubyGem versija",
+	"packages.rubygems.required.ruby": "Nepieciešama Ruby versija",
+	"packages.rubygems.required.rubygems": "Nepieciešama RubyGem versija",
 	"packages.swift.install": "Pakotne jāpievieno datnē <code>Package.swift</code>:",
-	"packages.swift.install2": "vai jāpievieno tā Gemfile:",
+	"packages.swift.install2": "un jāizpilda šī komanda:",
 	"packages.vagrant.install": "Lai pievienotu Vagrant kasti, jāizpilda šī komanda:",
-	"packages.settings.link": "Piesaistīt šo pakotni glabātavai",
+	"packages.settings.link": "Sasaistīt šo pakotni ar glabātavu",
 	"packages.settings.link.description": "Ja pakotne tiek sasaistīta ar glabātavu, tā tiek attēlota glabātavas pakotņu sarakstā.",
 	"packages.settings.link.select": "Atlasīt glabātavu",
 	"packages.settings.link.button": "Atjaunināt glabātavas saiti",
 	"packages.settings.link.success": "Glabātavas saite tika sekmīgi atjaunināta.",
 	"packages.settings.link.error": "Neizdevās atjaunināt glabātavas saiti.",
 	"packages.settings.delete": "Izdzēst pakotni",
-	"packages.settings.delete.description": "Pakotne tiks neatgriezeniski izdzēsta.",
+	"packages.settings.delete.description": "Pakotnes izdzēšana ir neatgriezeniska, un to nevar atdarīt.",
 	"packages.settings.delete.notice": "Tiks izdzēsta pakotne %s (%s). Šī darbība ir neatgriezeniska. Tiešām turpināt?",
 	"packages.settings.delete.success": "Pakotne tika izdzēsta.",
 	"packages.settings.delete.error": "Neizdevās izdzēst pakotni.",
 	"packages.owner.settings.cargo.title": "Cargo reģistra inkdess",
 	"packages.owner.settings.cargo.initialize": "Sāknēt indeksu",
-	"packages.owner.settings.cargo.initialize.description": "Ir nepieciešams īpaša indeksa Git glabātava, lai izmantotu Cargo reģistru. Šīs iespējas izmantošana (atkārtoti) izveidos glabātavu un automātiski to iestatīs.",
+	"packages.owner.settings.cargo.initialize.description": "Ir nepieciešams īpaša indeksa Git glabātava, lai izmantotu Cargo reģistru. Šīs iespējas izmantošana (atkārtoti) izveidos glabātavu un to automātiski iestatīs.",
 	"packages.owner.settings.cargo.initialize.error": "Neizdevās sāknēt Cargo indeksu: %v",
 	"packages.owner.settings.cargo.initialize.success": "Cargo indekss tika sekmīgi izveidots.",
 	"packages.owner.settings.cargo.rebuild": "Pārbūvēt indeksu",
@@ -191,13 +195,13 @@
 	"packages.owner.settings.cleanuprules.keep.pattern": "Paturēt versijas, kas atbilst",
 	"packages.owner.settings.cleanuprules.keep.pattern.container": "Versija <code>latest</code> vienmēr tiks paturēta konteineru pakotnēm.",
 	"packages.owner.settings.cleanuprules.remove.title": "Versijas, kas atbilst šīm kārtulām, tiks noņemtas, ja vien augstāk esošā kārtula nenosaka, ka tās ir jāpatur.",
-	"packages.owner.settings.cleanuprules.remove.days": "Noņemt versijas vecākas kā",
+	"packages.owner.settings.cleanuprules.remove.days": "Noņemt versijas, kas ir vecākas par",
 	"packages.owner.settings.cleanuprules.remove.pattern": "Noņemt versijas, kas atbilst",
 	"packages.owner.settings.cleanuprules.success.update": "Notīrīšanas kārtula tika atjaunināta.",
 	"packages.owner.settings.cleanuprules.success.delete": "Notīrīšanas kārtula tika izdzēsta.",
 	"packages.owner.settings.chef.title": "Chef reģistrs",
 	"packages.owner.settings.chef.keypair": "Izveidot atslēgu pāri",
-	"packages.owner.settings.chef.keypair.description": "Pieprasījumiem, kuri tiek nosūtīti Chef reģistram, jābūt kriptogrāfiski parakstītam, kas ir autentificēšanās līdzeklis. Kad tiek izveidots atslēgu pāris, Forgejo tiek glabāta tikai publiskā atslēga. Privātā atslēga tiek sniegta, lai to izmantotu ar komandrindas rīku knife. Jauna atslēgu pāra izveidošana aizvietos iepriekšējo.",
+	"packages.owner.settings.chef.keypair.description": "Pieprasījumiem, kuri tiek nosūtīti Chef reģistram, jābūt kriptogrāfiski parakstītiem, kas ir autentificēšanās līdzeklis. Kad tiek izveidots atslēgu pāris, Forgejo tiek glabāta tikai publiskā atslēga. Privātā atslēga tiek sniegta, lai to izmantotu ar komandrindas rīku knife. Jauna atslēgu pāra izveidošana aizvietos iepriekšējo.",
 	"fork.n_forks": {
 		"zero": "%s atzarojumu",
 		"one": "%s atzarojums",
@@ -353,16 +357,16 @@
 	"migrate.items.wiki": "Vikivietni",
 	"migrate.items.milestones": "Atskaites punktus",
 	"migrate.items.labels": "Iezīmes",
-	"migrate.items.issues": "Pieteikumi",
+	"migrate.items.issues": "Pieteikumus",
 	"migrate.items.pull_requests": "Izmaiņu pieprasījumus",
-	"migrate.items.merge_requests": "Iekļaušanas pieprasījumi",
+	"migrate.items.merge_requests": "Iekļaušanas pieprasījumus",
 	"migrate.items.releases": "Laidienus",
 	"migrate.in_progress.git": "Pārceļ Git datus",
 	"migrate.in_progress.topics": "Pārceļ tēmas",
 	"migrate.in_progress.milestones": "Pārceļ atskaites punktus",
 	"migrate.in_progress.labels": "Pārceļ iezīmes",
 	"migrate.in_progress.releases": "Pārceļ laidienus",
-	"migrate.in_progress.issues": "Pārnes pieteikumus",
+	"migrate.in_progress.issues": "Pārceļ pieteikumus",
 	"migrate.in_progress.pulls": "Pārceļ izmaiņu pieprasījumus",
 	"migrate.cancel.title": "Atcelt pārcelšanu",
 	"migrate.cancel.confirmation": "Vai atcelt šo pārcelšanu?",
@@ -385,7 +389,7 @@
 	"actions.runs.all_workflows": "Visas darbplūsmas",
 	"actions.runs.workflow": "Darbplūsma",
 	"actions.runs.invalid_workflow_helper": "Darbplūsmas konfigurācijas datne ir nederīga. Lūgums pārbaudīt konfigurācijas datni: %s",
-	"actions.runs.no_matching_online_runner.helper": "Nav tiešsaistē esošu izpildītāju, kas atbilstu iezīmei: %s",
+	"actions.runs.no_matching_online_runner.helper": "Nav tiešsaistē esošu izpildītāju ar iezīmi: %s",
 	"actions.runs.no_job_without_needs": "Darbplūsmā ir jābūt vismaz vienam darbam bez atkarībām.",
 	"actions.runs.no_job": "Darbplūsmā ir jābūt vismaz vienam darbam",
 	"actions.runs.actor": "Izraisītājs",
@@ -398,7 +402,7 @@
 	"actions.runners": "Izpildītāji",
 	"actions.runners.runner_manage_panel": "Pārvaldīt izpildītājus",
 	"actions.runners.new": "Izveidot jaunu izpildītāju",
-	"actions.runners.new_notice": "Kā uzstādīt izpildītāju",
+	"actions.runners.new_notice": "Kā palaist izpildītāju",
 	"actions.runners.status": "Stāvoklis",
 	"actions.runners.status.unspecified": "Nezināms",
 	"actions.runners.status.idle": "Dīkstāvē",
@@ -408,7 +412,7 @@
 	"actions.runners.owner_type": "Veids",
 	"actions.runners.description": "Apraksts",
 	"actions.runners.labels": "Iezīmes",
-	"actions.runners.last_online": "Pēdējo reizi tiešsaistē",
+	"actions.runners.last_online": "Pēdējā reize tiešsaistē",
 	"actions.runners.runner_title": "Izpildītājs %s",
 	"actions.runners.task_list.no_tasks": "Vēl nav uzdevumu.",
 	"actions.runners.task_list.run": "Izpildījums",
@@ -422,9 +426,9 @@
 	"actions.runners.delete_runner.failed": "Neizdevās izdzēst izpildītāju",
 	"actions.runners.delete_runner.header": "Apstiprināt izpildītāja izdzēšanu",
 	"actions.runners.delete_runner.notice": "Ja šis izpildītājs veic kādus uzdevumus, tad tie tiks apturēti un atzīmēti kā neizdevušies. Tas var sabojāt būvēšanas darbplūsmas.",
-	"actions.runners.none": "Nav pieejami izpildītāji",
-	"actions.runners.reset_registration_token.button": "Atiestatīt reģistrācijas pilnvaru",
-	"actions.runners.reset_registration_token.success": "Izpildītāja reģistrācijas pilnvara tika sekmīgi atiestatīta",
+	"actions.runners.none": "Nav pieejams neviens izpildītājs",
+	"actions.runners.reset_registration_token.button": "Atiestatīt reģistrēšanās pilnvaru",
+	"actions.runners.reset_registration_token.success": "Izpildītāja reģistrēšanās pilnvara tika sekmīgi atiestatīta",
 	"repo.pulls.maintainers_can_edit": "Uzturētāji var labot šo izmaiņu pieprasījumu.",
 	"repo.pulls.maintainers_cannot_edit": "Uzturētāji nevar labot šo izmaiņu pieprasījumu.",
 	"pulse.n_active_issues": {
@@ -546,5 +550,39 @@
 	"packages.common.install": "Lai uzstādītu pakotni, jāizpilda šī komanda:",
 	"packages.common.registry": "Šis reģistrs ir iestatāms komandrindā:",
 	"packages.common.repository": "Informācija par glabātavu",
-	"actions.runs.all_runs_link": "visas izpildīšanas"
+	"actions.runs.all_runs_link": "visas izpildīšanas",
+	"settings.access_token.selected_repositories": {
+		"zero": "Atlasītās glabātavas (%d)",
+		"one": "Atlasītās glabātavas (%d)",
+		"other": "Atlasītās glabātavas (%d)"
+	},
+	"repo.issues.filter_sort.hint_with_placeholder": "Kārtot pēc: %s",
+	"repo.pulls.auto_merge.no_permission": "Nav atļaujas atcelt šī izmaiņu pieprasījuma automātisko iekļaušanu.",
+	"migrate.select.title": "Pārcelt glabātavu",
+	"admin.federation.host.id": "Id",
+	"admin.federation.host.port": "Ports",
+	"admin.federation.host.software_name": "Programmatūra",
+	"admin.federation.host.created": "Izveidots",
+	"admin.federation.host.updated": "Atjaunināts",
+	"admin.federation.host.latest_activity": "Pēdējā darbība",
+	"admin.federation.users": "Lietotāji",
+	"admin.federation.users.show_local_user": "Rādīt vietējo informāciju par lietotāju",
+	"admin.federation.user.id": "Id",
+	"admin.federation.user.user_id": "Vietējais lietotāja Id",
+	"admin.federation.user.external_id": "Ārējais lietotāja Id",
+	"admin.config.federation.enabled": "Iespējota",
+	"admin.config.federation.max_size": "Lielākais pieļaujamais atbildes izmērs",
+	"admin.config.federation.signature_enforced": "Pieprasīt HTTP parakstus",
+	"admin.config.federation.signature_algorithms": "Parakstu algoritmi",
+	"admin.config.federation.get_headers": "Parakstītas GET galvenes",
+	"admin.config.federation.post_headers": "Parakstītas POST galvenes",
+	"settings.specific_repo_access": "Glabātavas piekļuve",
+	"settings.new_access_token": "Jauna piekļuves pilnvara",
+	"settings.permissions_access_specific_repositories": "Noteiktām glabātavām",
+	"settings.access_token.available_repositories": "Pieejamās glabātavas",
+	"settings.access_token.no_repositories_selected": "Nav atlasīta neviena glabātava.",
+	"settings.access_token.no_repositories_found": "Nav atrasta neviena glabātava.",
+	"settings.access_token.remove": "Noņemt %s",
+	"settings.access_token.resource_all_help": "Ļaut piekļuvi visiem resursiem.",
+	"settings.access_token.resource_public_only_help": "Ļaut piekļuvi tikai visiem pieejamām glabātavām un apvienībām."
 }
diff --git a/options/locale_next/locale_mk.json b/options/locale_next/locale_mk.json
index 0967ef424b..c4c884f041 100644
--- a/options/locale_next/locale_mk.json
+++ b/options/locale_next/locale_mk.json
@@ -1 +1,4 @@
-{}
+{
+	"home.welcome.no_activity": "Нема активност",
+	"home.welcome.activity_hint": "Сè уште нема ништо во вашиот фид. Вашите активности и дејства од репозиториумите што ги следите ќе се појават овде."
+}
diff --git a/options/locale_next/locale_nds.json b/options/locale_next/locale_nds.json
index d409733f59..8a4cde599f 100644
--- a/options/locale_next/locale_nds.json
+++ b/options/locale_next/locale_nds.json
@@ -586,7 +586,7 @@
 	"actions.runners.ephemeral": "Körttiedig",
 	"actions.runners.runner_details.labels_note": "De Vermarkens vun de Loper worden in de Inrichtens-Datei vun Forgejo Runner fastleggt of as Oorderreeg-Instellen angeven. Se worden elkeen Maal verneeit, wenn Forgejo Runner sik mit Forgejo verbinnt.",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "Wessel de Verbinnens-Naam (<code>forgejo</code> im Bispööl) mit eenem Weert na dienem Smaak ut.",
-	"actions.runners.runner_setup.instruction_advanced_configurations": "Um Forgejo Runner so intorichten, dat dat in Behälters löppt, of för kumplizeertere Inrichtens, bekiek de <a href=\"https://TO-BE-REPLACED.COM\">Dokumenteren</a>.",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Um Forgejo Runner so intorichten, dat dat in Behälters löppt, of för kumplizeertere Inrichtens, bekiek de <a href=\"%s\">Dokumenteren</a>.",
 	"actions.runners.task_list_repo": "Leste Upgaven vun deesem Repositorium up deesem Loper",
 	"actions.runners.task_list_org": "Leste Upgaven up deesem Loper in deeser Vereenigung",
 	"actions.runners.task_list_admin": "Leste Upgaven up deesem Loper",
@@ -619,5 +619,47 @@
 	"members.add_member": "Liddmaat hentofögen",
 	"members.user": "Bruker",
 	"members.user_already_member": "Deeser Bruker is al een Liddmaat vun deeser Vereenigung.",
-	"members.no_team_selected": "Vereenigungs-Liddmaten mutten to tominnst eener Klottje tohören."
+	"members.no_team_selected": "Vereenigungs-Liddmaten mutten to tominnst eener Klottje tohören.",
+	"migrate.select.title": "Repositorium umtrecken",
+	"actions.runners.version": "Versioon",
+	"admin.federation.federation": "Verdeeltheid",
+	"admin.federation.hosts": "Hosts",
+	"admin.federation.hosts.title": "Verdeeltheids-Hosts",
+	"admin.federation.hosts.manage_panel": "Verdeeltheid-Hosts verwalten",
+	"admin.federation.hosts.details_panel": "Verdeeltheids-Host-Informatioonen",
+	"admin.federation.hosts.show_details": "Informatioonen över de Host wiesen",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.schema": "Schema",
+	"admin.federation.host.port": "Poort",
+	"admin.federation.host.created": "Maakt",
+	"admin.federation.host.updated": "Verneeit",
+	"admin.federation.users": "Brukers",
+	"admin.federation.users.title": "Verdeelt Brukers",
+	"admin.federation.users.manage_panel": "Verdeelt Brukers verwalten",
+	"admin.federation.users.show_local_user": "Informatioonen över stedenwies Bruker wiesen",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "ID vum stedenwies Bruker",
+	"admin.federation.user.external_id": "ID vum frömden Bruker",
+	"admin.config.federation": "Verdeeltheids-Instellens",
+	"admin.config.federation.enabled": "Anknipst",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.software_name": "Programm",
+	"admin.federation.host.latest_activity": "Lestes Doon",
+	"admin.federation.user.inbox_path": "Ingangs-Padd",
+	"admin.config.federation.share_user_statistics": "Tahlen över Brukers mit anner Hosts delen",
+	"admin.config.federation.max_size": "Hoogste verlöövt Antwoord-Grött",
+	"admin.config.federation.signature_enforced": "HTTP-Unnerschrievens verlangen",
+	"admin.config.federation.signature_algorithms": "Unnerschriev-Programmen",
+	"admin.config.federation.digest_algorithm": "Unnerschrift-Prüüfsumm-Programm",
+	"admin.config.federation.get_headers": "Unnerschreven GET-Koppriegen",
+	"admin.config.federation.post_headers": "Unnerschreven POST-Koppriegen",
+	"actions.workflow.unknown_job_in_needs": "Upgaav mit ID %[1]s benöömt unbekannte Upgaven in `needs`: %[2]s.",
+	"actions.workflow.rerun_impossible": "De Warkwies kann nich weer lopen laten worden.",
+	"actions.workflow.job_rerun_impossible": "De Upgaav kann nich weer lopen laten worden.",
+	"user.activitypub_feed.feed": "Fediversum-Schuuv",
+	"user.activitypub_feed.no_activity": "Keen Fediversums-Doon",
+	"user.activitypub_feed.is_empty": "Dien Fediversum-Schuuv is leeg.",
+	"user.activitypub_feed.hint": "Deeser Schuuv wiest Doon vun Fediversums-Konten, wat du nagahst, un ok verdeelte Kommentaren, wat di benöömt hebben.",
+	"user.activitypub_feed.posted_on": "Up %[1]s schreven",
+	"user.activitypub_feed.original_source": "Eerste Quell"
 }
diff --git a/options/locale_next/locale_nl-NL.json b/options/locale_next/locale_nl-NL.json
index c824dd23fc..7764ee840f 100644
--- a/options/locale_next/locale_nl-NL.json
+++ b/options/locale_next/locale_nl-NL.json
@@ -541,5 +541,111 @@
 	"settings.access_token.remove": "Verwijder %s",
 	"settings.access_token.resource_all_help": "Toegang tot alle bronnen toestaan.",
 	"settings.access_token.resource_public_only_help": "Toegang tot repositories en organisaties die openbaar zijn beperken.",
-	"actions.runners.list_runners.delete_column": "Verwijder"
+	"actions.runners.list_runners.delete_column": "Verwijder",
+	"admin.federation.host.software_name": "Software",
+	"repo.pulls.auto_merge.no_permission": "U heeft geen rechten voor het afbreken van deze pull requets's auto merge",
+	"migrate.select.title": "Migreer repositorie",
+	"admin.federation.federation": "Federeren",
+	"admin.federation.hosts": "Servers",
+	"admin.federation.hosts.title": "Federeerservers",
+	"admin.federation.hosts.manage_panel": "Beheer federeerservers",
+	"admin.federation.hosts.details_panel": "Federeerserver details",
+	"admin.federation.hosts.show_details": "Toon server details",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Schema",
+	"admin.federation.host.port": "Poort",
+	"admin.federation.host.created": "Aangemaakt",
+	"admin.federation.host.updated": "Bijgewerkt",
+	"admin.federation.host.latest_activity": "Laatste activiteit",
+	"admin.federation.users": "Gebruikers",
+	"admin.federation.users.title": "Gefedereerde gebruikers",
+	"admin.federation.users.manage_panel": "Beheer gefedereerde gebruikers",
+	"admin.federation.users.show_local_user": "Toon lokale gebruikerdetails",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "Lokale gebruikersID",
+	"admin.federation.user.external_id": "Externe gebruikersID",
+	"admin.federation.user.inbox_path": "Inboxpad",
+	"admin.config.federation": "Federeerconfiguratie",
+	"admin.config.federation.enabled": "Ingeschakeld",
+	"admin.config.federation.share_user_statistics": "Deel gebruikersstatistieken met andere servers",
+	"admin.config.federation.max_size": "Maximaal toegestane responsegrootte",
+	"admin.config.federation.signature_enforced": "Vereist HTTP handtekeningen",
+	"admin.config.federation.signature_algorithms": "Handtekeningalgoritmes",
+	"admin.config.federation.digest_algorithm": "Handtekening-hashalgoritme",
+	"admin.config.federation.get_headers": "Ondertekende GET headers",
+	"admin.config.federation.post_headers": "Ondertekende POST headers",
+	"settings.new_access_token": "Nieuw acces token",
+	"settings.access_token.selected_repositories": {
+		"one": "Geselecteerde repositorie (%d)",
+		"other": "Geselecteerde repositories (%d)"
+	},
+	"settings.access_token.resource_specific_repo_help": "Beperk toegang tot een specifieke lijst aan repositories. Alleen-lezen toegang is toegestaan voor alle openbare repositories. Alleen permissies die toegang geven tot repositories en issues kunnen aangezet worden.",
+	"settings.access_token.admin_disabled": "Beheerrechten zijn uitgeschakeld.",
+	"user.activitypub_feed.no_activity": "Geen fediverse-activiteit",
+	"user.activitypub_feed.is_empty": "Uw fediverse-feed is leeg.",
+	"user.activitypub_feed.hint": "Deze feed toont activiteiten van fediverse accounts die u volgt, alsook van gefedereerde boodschappen die u vermelden.",
+	"user.activitypub_feed.posted_on": "Gepost op %[1]s",
+	"actions.runners.list_runners.delete_button_aria": "Verwijder %s",
+	"actions.runners.list_runners.edit_button": "Wijzig",
+	"actions.runners.list_runners.edit_button_aria": "Wijzig %s",
+	"actions.runners.ephemeral.yes": "ja",
+	"actions.runners.ephemeral.no": "nee",
+	"actions.runners.task_list_repo": "Recente taken van deze repositorie op deze runner",
+	"actions.runners.task_list_org": "Recente taken van deze runner binnen deze organisatie",
+	"actions.runners.task_list_admin": "Recente taken op deze runner",
+	"actions.runners.task_list_user": "Recente taken van deze gebruiker op deze runner",
+	"actions.runners.edit_runner_button": "Wijzig runner",
+	"actions.runners.create_runner.page_title": "Maak nieuwe runner",
+	"actions.runners.create_runner.title": "Maak nieuwe runner",
+	"actions.runners.create_runner.properties_fieldset": "Eigenschappen",
+	"actions.runners.create_runner.name_label": "Naam",
+	"actions.runners.create_runner.description_label": "Omschrijving",
+	"actions.runners.create_runner.create_button": "Maak",
+	"actions.runners.create_runner.cancel_button": "Afbreken",
+	"actions.runners.edit_runner.page_title": "Wijzig runner %s",
+	"actions.runners.edit_runner.title": "Wijzig runner %s",
+	"actions.runners.edit_runner.properties_fieldset": "Eigenschappen",
+	"actions.runners.edit_runner.properties_options": "Opties",
+	"actions.runners.edit_runner.name_label": "Naam",
+	"actions.runners.edit_runner.description_label": "Omschrijving",
+	"actions.runners.edit_runner.regenerate_token_label": "Regenereer token",
+	"actions.runners.edit_runner.regenerate_token_help": "De bestaande token zal meteen ongeldig worden gemaakt. U krijgt een nieuwe token op de volgende pagina.",
+	"actions.runners.edit_runner.save_button": "Opslaan",
+	"actions.runners.edit_runner.cancel_button": "Afbreken",
+	"actions.runners.runner_setup.title": "Configureer runner %s",
+	"actions.runners.show_registration_token": "Toon registratie token",
+	"actions.runners.runner_details.page_title": "Runner %s",
+	"actions.runners.runner_details.labels_note": "De runner's labels zijn gedefinieerd in het configuratiebestand van de Forgejo Runner of gedefinieerd als optie op de commandoregel. Ze worden elke keer dat de Forgejo Runner een verbinding met Forgejo maakt geactualiseerd.",
+	"actions.runners.runner_setup.page_title": "Configureer runner %s",
+	"actions.runners.runner_setup.list_of_runners_link": "Lijst van runners",
+	"actions.runners.runner_setup.last_chance_copying_token": "Kopieer nu het token want u kunt het hierna niet meer raadplegen!",
+	"actions.runners.runner_setup.button_copy_uuid_aria": "Kopieer runner UUID",
+	"actions.runners.runner_setup.button_copy_token_aria": "Kopieer runner token",
+	"actions.runners.runner_setup.heading_using_configuration": "Gebruik van het runner-configuratiebestand",
+	"actions.runners.runner_setup.configuration_snippet_aria": "Fragment om in de runnerconfiguratie op te nemen",
+	"actions.runners.runner_setup.program_options_snippet_aria": "Hoe de forgejo-runner te gebruiken",
+	"actions.runners.runner_setup.instruction_replace_connection_name": "Vervang de verbindingsnaam (<code>forgejo</code> in dit voorbeeld) met de door u gekozen waarde.",
+	"actions.runners.runner_setup.heading_using_options": "Programmaopties gebruiken",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Voor het configureren van Forgejo Runner die in containers draait of voor geavanceerde configuraties, zie de <a href=\"%s\">documentatie</a>.",
+	"actions.runners.reset_registration_token.token": "Registratietoken (verouderd)",
+	"actions.runs.scheduled_description": "Geplande run van commit <a href=\"%[1]s\">%[2]s</a>",
+	"actions.runs.workflow_dispatch_description": "Run van commit <a href=\"%[1]s\">%[2]s</a> getriggerd door <a href=\"%[3]s\">%[4]s</a>",
+	"actions.runs.on_push_description": "Commit <a href=\"%[1]s\">%[2]s</a> gepusht door <a href=\"%[3]s\">%[4]s</a>",
+	"actions.workflow.unknown_job_in_needs": "Taak met ID %[1]s refereert aan onbekende taken in `nodig`: %[2]s.",
+	"actions.workflow.rerun_impossible": "De workflow kan niet opnieuw gedraaid worden.",
+	"actions.workflow.job_rerun_impossible": "De taak kan niet opnieuw gedraaid worden.",
+	"actions.secrets.edit_button": "Wijzig geheim \"%s\"",
+	"actions.secrets.mutation.header": "Wijzig geheim \"%s\"",
+	"actions.secrets.mutation.success_message": "Het geheim \"%s\" is gewijzigd.",
+	"actions.secrets.mutation.failure_message": "Het geheim \"%s\" kon niet worden gewijzigd.",
+	"actions.secrets.mutation.name_description": "De naam van een geheim mag alleen letters, cijfers en underscores bevatten. Deze mag niet beginnen met FORGEJO_, GITEA_, GITHUB_ of een cijfer. Forgejo zet de naam automatisch om naar hoofdletters.",
+	"actions.secrets.mutation.value_description": "De bestaande waarde wordt niet weergegeven. Laat het veld leeg als je deze niet wilt wijzigen. Speciale tekens blijven behouden. CRLF (Windows-regelafbrekingen) wordt automatisch omgezet naar LF. Converteer de waarde naar Base64 als regelafbrekingen behouden moeten blijven.",
+	"members.add_member": "Voeg lid toe",
+	"members.user": "Gebruiker",
+	"members.user_already_member": "Deze gebruiker is al lid van deze organisatie.",
+	"members.no_team_selected": "Organisatieleden moeten bij minimaal één team zijn aangesloten.",
+	"form.RunnerName": "Naam",
+	"graphs.recent_commits.title": "Aantal commits in het afgelopen jaar",
+	"graphs.code_frequency.title": "Codefrequentie over de geschiedenis van {0}"
 }
diff --git a/options/locale_next/locale_pt-PT.json b/options/locale_next/locale_pt-PT.json
index 0b1177271d..5112d30036 100644
--- a/options/locale_next/locale_pt-PT.json
+++ b/options/locale_next/locale_pt-PT.json
@@ -1,19 +1,23 @@
 {
 	"counters.n_commits": {
 		"one": "%s cometimento",
-		"other": "%s cometimentos"
+		"many": "%s cometimentos",
+		"other": ""
 	},
 	"counters.n_branches": {
 		"one": "%s ramo",
-		"other": "%s ramos"
+		"many": "%s ramos",
+		"other": ""
 	},
 	"counters.n_tags": {
 		"one": "%s etiqueta",
-		"other": "%s etiquetas"
+		"many": "%s etiquetas",
+		"other": ""
 	},
 	"counters.n_releases": {
 		"one": "%s lançamento",
-		"other": "%s lançamentos"
+		"many": "%s lançamentos",
+		"other": ""
 	},
 	"gpg.default_key": "Assinado com a chave padrão",
 	"gpg.error.extract_sign": "Falhou ao extrair a assinatura",
@@ -600,7 +604,7 @@
 	"actions.runners.runner_setup.program_options_snippet_aria": "Como iniciar o forgejo-runner",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "Substitua o nome da ligação (<code>forgejo</code> no exemplo) por um valor à sua escolha.",
 	"actions.runners.runner_setup.heading_using_options": "Utilizando as opções do programa",
-	"actions.runners.runner_setup.instruction_advanced_configurations": "Para configurar o Forgejo Runner em containers ou em configurações avançadas, consulte a <a href=\"https://TO-BE-REPLACED.COM\">documentação</a>.",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Para configurar o Forgejo Runner em containers ou em configurações avançadas, consulte a <a href=\"%s\">documentação</a>.",
 	"form.RunnerName": "Nome",
 	"settings.new_access_token": "Novo token de acesso",
 	"settings.permissions_access_specific_repositories": "Repositórios específicos",
@@ -631,5 +635,51 @@
 	"graphs.code_frequency.title": "Frequência do código ao longo da história de {0}",
 	"actions.runs.scheduled_description": "Execução agendada do cometimento <a href=\"%[1]s\">%[2]s</a>",
 	"actions.runs.workflow_dispatch_description": "Execução do commit <a href=\"%[1]s\">%[2]s</a> acionada por <a href=\"%[3]s\">%[4]s</a>",
-	"actions.runs.on_push_description": "Cometimento <a href=\"%[1]s\">%[2]s</a> enviado por <a href=\"%[3]s\">%[4]s</a>"
+	"actions.runs.on_push_description": "Cometimento <a href=\"%[1]s\">%[2]s</a> enviado por <a href=\"%[3]s\">%[4]s</a>",
+	"migrate.select.title": "Migrar repositório",
+	"members.add_member": "Adicionar membro",
+	"members.user": "Utilizador",
+	"members.user_already_member": "Este utilizador já é membro da organização.",
+	"members.no_team_selected": "Os membros da organização devem pertencer a, pelo menos, uma equipa.",
+	"admin.federation.federation": "Federação",
+	"admin.federation.hosts": "Servidores",
+	"admin.federation.hosts.title": "Servidores da federação",
+	"admin.federation.hosts.manage_panel": "Gerir servidores da federação",
+	"admin.federation.hosts.details_panel": "Detalhes do servidor da federação",
+	"admin.federation.hosts.show_details": "Mostrar detalhes do servidor",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Esquema",
+	"admin.federation.host.port": "Porto",
+	"admin.federation.host.software_name": "Software",
+	"admin.federation.host.created": "Criado",
+	"admin.federation.host.updated": "Atualizado",
+	"admin.federation.host.latest_activity": "Atividade mais recente",
+	"admin.federation.users": "Utilizadores",
+	"admin.federation.users.title": "Utilizadores federados",
+	"admin.federation.users.manage_panel": "Gerir utilizadores federados",
+	"admin.federation.users.show_local_user": "Mostrar detalhes do utilizador local",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "ID do utilizador local",
+	"admin.federation.user.external_id": "ID do utilizador externo",
+	"admin.federation.user.inbox_path": "Caminho da caixa de entrada",
+	"admin.config.federation": "Configuração da federação",
+	"admin.config.federation.enabled": "Habilitado",
+	"admin.config.federation.share_user_statistics": "Partilhar estatísticas de utilizadores com outros servidores",
+	"admin.config.federation.max_size": "Tamanho máximo permitido da resposta",
+	"admin.config.federation.signature_enforced": "Exigir assinaturas HTTP",
+	"admin.config.federation.signature_algorithms": "Algoritmos de assinatura",
+	"admin.config.federation.digest_algorithm": "Algoritmo de resumo da assinatura",
+	"admin.config.federation.get_headers": "Cabeçalhos GET assinados",
+	"admin.config.federation.post_headers": "Cabeçalhos POST assinados",
+	"user.activitypub_feed.feed": "Feed do Fediverso",
+	"user.activitypub_feed.no_activity": "Sem atividade no fediverso",
+	"user.activitypub_feed.is_empty": "O seu feed do fediverso está vazio.",
+	"user.activitypub_feed.hint": "Este feed mostra as atividades das contas do fediverso que segue, bem como as publicações federadas que o mencionaram.",
+	"user.activitypub_feed.posted_on": "Publicado em %[1]s",
+	"user.activitypub_feed.original_source": "Fonte original",
+	"actions.runners.version": "Versão",
+	"actions.workflow.unknown_job_in_needs": "O trabalho com o ID %[1]s faz referência a trabalhos desconhecidos em `needs`: %[2]s.",
+	"actions.workflow.rerun_impossible": "A sequência de trabalho não pode ser executada novamente.",
+	"actions.workflow.job_rerun_impossible": "O trabalho não pode ser executado novamente."
 }
diff --git a/options/locale_next/locale_ru-RU.json b/options/locale_next/locale_ru-RU.json
index 5837e7d425..957ab7b848 100644
--- a/options/locale_next/locale_ru-RU.json
+++ b/options/locale_next/locale_ru-RU.json
@@ -1,18 +1,22 @@
 {
 	"counters.n_commits": {
 		"one": "%s коммит",
+		"few": "%s коммита",
 		"many": "%s коммитов"
 	},
 	"counters.n_branches": {
 		"one": "%s ветвь",
+		"few": "%s ветви",
 		"many": "%s ветвей"
 	},
 	"counters.n_tags": {
 		"one": "%s тег",
+		"few": "%s тега",
 		"many": "%s тегов"
 	},
 	"counters.n_releases": {
 		"one": "%s выпуск",
+		"few": "%s выпуска",
 		"many": "%s выпусков"
 	},
 	"gpg.default_key": "Подписано ключом по умолчанию",
@@ -360,13 +364,13 @@
 	"migrate.gitbucket.description": "Перенести данные с сервера GitBucket.",
 	"migrate.codebase.description": "Перенести данные с codebasehq.com.",
 	"migrate.forgejo.description": "Перенести данные с codeberg.org или другого сервера Forgejo.",
-	"migrate.items.label": "Переносимые элементы",
+	"migrate.items.label": "Элементы для переноса",
 	"migrate.items.wiki": "Вики",
 	"migrate.items.milestones": "Этапы",
 	"migrate.items.labels": "Метки",
 	"migrate.items.issues": "Задачи",
-	"migrate.items.pull_requests": "Запросы на слияние",
-	"migrate.items.merge_requests": "Запросы на слияние",
+	"migrate.items.pull_requests": "Запросы слияний",
+	"migrate.items.merge_requests": "Запросы слияний",
 	"migrate.items.releases": "Выпуски",
 	"migrate.in_progress.git": "Перенос данных Git",
 	"migrate.in_progress.topics": "Перенос тем",
@@ -374,9 +378,9 @@
 	"migrate.in_progress.labels": "Перенос меток",
 	"migrate.in_progress.releases": "Перенос выпусков",
 	"migrate.in_progress.issues": "Перенос задач",
-	"migrate.in_progress.pulls": "Перенос запросов на слияние",
+	"migrate.in_progress.pulls": "Перенос запросов слияний",
 	"migrate.cancel.title": "Отменить перенос",
-	"migrate.cancel.confirmation": "Вы хотите отменить перенос?",
+	"migrate.cancel.confirmation": "Отменить перенос репозитория?",
 	"user.ghost.tooltip": "Пользователь удалён или неизвестен.",
 	"migrate.form.error.url_credentials": "Ссылка содержит данные авторизации. Поместите их в соответствующие поля",
 	"actions.runs.run_attempt_label": "Попытка №%[1]s (%[2]s)",
@@ -609,5 +613,33 @@
 	"actions.runners.create_runner.page_title": "Новый исполнитель",
 	"actions.runners.create_runner.create_button": "Создать",
 	"actions.runners.create_runner.cancel_button": "Отмена",
-	"actions.runners.show_registration_token": "Показать токен регистрации"
+	"actions.runners.show_registration_token": "Показать токен регистрации",
+	"migrate.select.title": "Перенос репозитория",
+	"actions.runners.edit_runner.page_title": "Изменение исполнителя %s",
+	"actions.runners.edit_runner.save_button": "Сохранить",
+	"actions.runners.edit_runner.description_label": "Описание",
+	"actions.runners.runner_details.page_title": "Исполнитель %s",
+	"admin.federation.federation": "Федерация",
+	"admin.federation.host.id": "ИД",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Схема",
+	"admin.federation.host.port": "Порт",
+	"admin.federation.host.created": "Создан",
+	"admin.federation.host.updated": "Обновлён",
+	"admin.federation.host.latest_activity": "Недавняя активность",
+	"admin.federation.users": "Пользователи",
+	"admin.federation.user.id": "ИД",
+	"admin.config.federation": "Настройки федерации",
+	"admin.config.federation.enabled": "Включена",
+	"admin.config.federation.max_size": "Макс. разрешённый размер ответа",
+	"admin.config.federation.signature_enforced": "Требовать подписи HTTP",
+	"admin.config.federation.signature_algorithms": "Алгоритмы подписей",
+	"user.activitypub_feed.feed": "Феди-лента",
+	"actions.runners.version": "Версия",
+	"actions.runners.edit_runner.title": "Изменить исполнителя %s",
+	"actions.runners.edit_runner.properties_fieldset": "Свойства",
+	"actions.runners.edit_runner.cancel_button": "Отмена",
+	"actions.workflow.rerun_impossible": "Раб. поток невозможно выполнить повторно.",
+	"actions.workflow.job_rerun_impossible": "Задание невозможно выполнить повторно.",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Для настройки исполнителя Forgejo Действий в контейнерах и др. расширенных настроек, обратитесь к <a href=\"%s\">документации</a>."
 }
diff --git a/options/locale_next/locale_sv-SE.json b/options/locale_next/locale_sv-SE.json
index 90e27fb73a..eace1abac5 100644
--- a/options/locale_next/locale_sv-SE.json
+++ b/options/locale_next/locale_sv-SE.json
@@ -584,7 +584,7 @@
 	"actions.runners.list_runners.delete_button": "Ta bort",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "Ersätt anslutningsnamnet (<code>forgejo</code> i exemplet) med ett värde.",
 	"actions.runners.runner_setup.heading_using_options": "Använder programval",
-	"actions.runners.runner_setup.instruction_advanced_configurations": "För konfiguration av Forgejo Runner i containrar eller för avancerade konfigurationer, se <a href=\"https://TO-BE-REPLACED.COM\">dokumentationen.</a>.",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "För konfiguration av Forgejo Runner i containrar eller för avancerade konfigurationer, se <a href=\"%s\">dokumentationen</a>.",
 	"actions.runners.reset_registration_token.token": "Registreringstoken (Föråldrad)",
 	"form.RunnerName": "Namn",
 	"settings.new_access_token": "Ny åtkomsttoken",
@@ -600,10 +600,10 @@
 		"other": "Valda kodförråd (%d)"
 	},
 	"settings.access_token.available_repositories": "Tillgängliga kodförråd",
-	"settings.access_token.no_repositories_selected": "Inga valda kodförråd",
+	"settings.access_token.no_repositories_selected": "Inga valda kodförråd.",
 	"settings.access_token.no_repositories_found": "Fann inga kodförråd.",
 	"settings.access_token.remove": "Ta bort %s",
-	"settings.access_token.resource_all_help": "Tillåt åtkomst till alla resurser",
+	"settings.access_token.resource_all_help": "Tillåt åtkomst till alla resurser.",
 	"settings.access_token.resource_public_only_help": "Begränsa tillgången till publika kodförråd och organisationer.",
 	"settings.access_token.admin_disabled": "Administrativa rättigheter är inaktiverade.",
 	"actions.secrets.edit_button": "Redigera hemlighet \"%s\"",
@@ -619,5 +619,47 @@
 	"members.add_member": "Lägg till medlem",
 	"members.user": "Användare",
 	"members.user_already_member": "Den här användaren är redan medlem i organisationen.",
-	"members.no_team_selected": "Organisationsmedlemmar måste tillhöra minst ett lag."
+	"members.no_team_selected": "Organisationsmedlemmar måste tillhöra minst ett lag.",
+	"migrate.select.title": "Migrera kodförråd",
+	"admin.federation.federation": "Federation",
+	"admin.federation.hosts": "servrar",
+	"admin.federation.hosts.title": "Federationsservrar",
+	"admin.federation.hosts.manage_panel": "Hantera federationsservrar",
+	"admin.federation.hosts.details_panel": "Detaljer för federationsserver",
+	"admin.federation.hosts.show_details": "Visa serverdetaljer",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Schema",
+	"admin.federation.host.port": "Port",
+	"admin.federation.host.software_name": "Programvara",
+	"admin.federation.host.created": "Skapad",
+	"admin.federation.host.updated": "Uppdaterad",
+	"admin.federation.host.latest_activity": "Senaste aktivitet",
+	"admin.federation.users": "Användare",
+	"admin.federation.users.title": "Federerade användare",
+	"admin.federation.users.manage_panel": "Hantera federerade användare",
+	"admin.federation.users.show_local_user": "Visa lokala användaruppgifter",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "Lokalt användar-ID",
+	"admin.federation.user.external_id": "Externt användar-ID",
+	"admin.config.federation": "Federationskonfiguration",
+	"admin.config.federation.enabled": "Aktiverad",
+	"admin.config.federation.share_user_statistics": "Dela användarstatistik med andra värdar",
+	"admin.config.federation.max_size": "Maximal tillåten svarsstorlek",
+	"admin.config.federation.signature_enforced": "Kräv HTTP-signaturer",
+	"admin.config.federation.signature_algorithms": "Signaturalgoritmer",
+	"admin.config.federation.digest_algorithm": "Signatursammanfattning algoritm",
+	"admin.config.federation.get_headers": "Signerade GET-rubriker",
+	"admin.config.federation.post_headers": "Signerade POST-rubriker",
+	"actions.runners.version": "Version",
+	"admin.federation.user.inbox_path": "Inkorgssökväg",
+	"user.activitypub_feed.feed": "Fediversum flöde",
+	"user.activitypub_feed.no_activity": "Ingen fediversum aktivitet",
+	"user.activitypub_feed.is_empty": "Ditt fediversum dlöde är tomt.",
+	"user.activitypub_feed.hint": "Detta flöde visar aktiviteter från fediversum konton som du följer, såväl som federerade inlägg som nämner dig.",
+	"user.activitypub_feed.posted_on": "Postat på %[1]s",
+	"user.activitypub_feed.original_source": "Ursprunglig källa",
+	"actions.workflow.unknown_job_in_needs": "Jobb med ID %[1]s refererar till okända jobb i `needs`: %[2]s.",
+	"actions.workflow.rerun_impossible": "Arbetsflödet kan inte köras om.",
+	"actions.workflow.job_rerun_impossible": "Jobbet kan inte köras om."
 }
diff --git a/options/locale_next/locale_uk-UA.json b/options/locale_next/locale_uk-UA.json
index d58c1dbd76..ba1b832e4c 100644
--- a/options/locale_next/locale_uk-UA.json
+++ b/options/locale_next/locale_uk-UA.json
@@ -1,25 +1,29 @@
 {
 	"counters.n_commits": {
 		"one": "%s коміт",
+		"few": "%s коміти",
 		"many": "%s комітів"
 	},
 	"counters.n_branches": {
 		"one": "%s гілка",
+		"few": "%s гілки",
 		"many": "%s гілок"
 	},
 	"counters.n_tags": {
 		"one": "%s тег",
+		"few": "%s теги",
 		"many": "%s тегів"
 	},
 	"counters.n_releases": {
 		"one": "%s випуск",
+		"few": "%s випуски",
 		"many": "%s випусків"
 	},
 	"gpg.default_key": "Підписано типовим ключем",
 	"gpg.error.extract_sign": "Не вдалося витягти підпис",
 	"gpg.error.generate_hash": "Не вдалося згенерувати хеш коміту",
 	"gpg.error.no_committer_account": "Електронна пошта автора не пов’язана із жодним обліковим записом",
-	"gpg.error.no_gpg_keys_found": "Не вдалося знайти GPG-ключ, що відповідає даному підпису",
+	"gpg.error.no_gpg_keys_found": "Не вдалося знайти ключ, що відповідає даному підпису",
 	"gpg.error.not_signed_commit": "Непідписаний коміт",
 	"gpg.error.failed_retrieval_gpg_keys": "Не вдалось отримати ключ, пов’язаний з обліковим записом комітера",
 	"gpg.error.probable_bad_signature": "УВАГА! Хоча ключ із таким ID і є в базі, цей коміт неможливо ним перевірити! Цей коміт ПІДОЗРІЛИЙ.",
@@ -595,7 +599,7 @@
 	"actions.runners.runner_setup.last_chance_copying_token": "Скопіюйте токен зараз, оскільки ви більше його не побачите!",
 	"actions.runners.runner_setup.program_options_snippet_aria": "Як викликати forgejo-runner",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "Замініть назву з’єднання (у прикладі — <code>forgejo</code>) на значення, яке вам до вподоби.",
-	"actions.runners.runner_setup.instruction_advanced_configurations": "Щоб налаштувати роботу Forgejo Runner у контейнерах або про розширені налаштування читайте в <a href=\"https://TO-BE-REPLACED.COM\">документації</a>.",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Як налаштувати Forgejo Runner для роботи в контейнерах або з розширеними налаштуваннями, читайте в <a href=\"%s\">документації</a>.",
 	"actions.runners.runner_setup.configuration_snippet_aria": "Фрагмент для вставки в конфігурацію ранера",
 	"actions.runners.runner_details.labels_note": "Мітки ранера вказуються у файлі конфігурації Forgejo Runner або передаються як параметри командного рядка. Вони оновлюються щоразу, коли Forgejo Runner встановлює з’єднання з Forgejo.",
 	"actions.runners.runner_setup.heading_using_options": "Використання налаштувань програми",
@@ -635,5 +639,47 @@
 	"members.add_member": "Додати учасника",
 	"members.user": "Користувач",
 	"members.user_already_member": "Цей користувач уже є учасником організації.",
-	"members.no_team_selected": "Учасники організації повинні входити принаймні до однієї команди."
+	"members.no_team_selected": "Учасники організації повинні входити принаймні до однієї команди.",
+	"migrate.select.title": "Перенести репозиторій",
+	"actions.runners.version": "Версія",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.created": "Створено",
+	"admin.federation.host.updated": "Оновлено",
+	"admin.federation.federation": "Федерація",
+	"admin.federation.host.port": "Порт",
+	"admin.federation.host.software_name": "Програмне забезпечення",
+	"admin.config.federation.enabled": "Увімкнено",
+	"admin.federation.host.id": "ID",
+	"admin.federation.user.id": "ID",
+	"admin.federation.hosts": "Хости",
+	"admin.federation.hosts.title": "Хости федерації",
+	"admin.federation.host.schema": "Схема",
+	"admin.federation.users": "Користувачі",
+	"admin.config.federation": "Налаштування федерації",
+	"admin.config.federation.post_headers": "Підписані заголовки POST",
+	"admin.config.federation.get_headers": "Підписані заголовки GET",
+	"admin.config.federation.signature_algorithms": "Алгоритми підпису",
+	"admin.config.federation.signature_enforced": "Вимагати підписів HTTP",
+	"actions.workflow.rerun_impossible": "Робочий потік неможливо перезапустити.",
+	"actions.workflow.job_rerun_impossible": "Завдання неможливо перезапустити.",
+	"actions.workflow.unknown_job_in_needs": "Завдання з ID %[1]s посилається на невідомі завдання в `needs`: %[2]s.",
+	"admin.config.federation.digest_algorithm": "Алгоритм контрольної суми підпису",
+	"admin.config.federation.max_size": "Максимальний розмір відповіді",
+	"admin.config.federation.share_user_statistics": "Ділитися статистикою користувачів з іншими хостами",
+	"admin.federation.user.inbox_path": "Шлях до вхідних",
+	"admin.federation.hosts.manage_panel": "Керування хостами федерації",
+	"admin.federation.hosts.details_panel": "Інформація про хост",
+	"admin.federation.hosts.show_details": "Показати дані про хост",
+	"admin.federation.users.show_local_user": "Показати дані про локальних користувачів",
+	"admin.federation.host.latest_activity": "Остання активність",
+	"admin.federation.users.title": "Користувачі федерації",
+	"admin.federation.users.manage_panel": "Керування користувачами федерації",
+	"admin.federation.user.user_id": "Локальний ID користувача",
+	"admin.federation.user.external_id": "Зовнішній ID користувача",
+	"user.activitypub_feed.feed": "Стрічка Федісвіту",
+	"user.activitypub_feed.posted_on": "Опубліковано %[1]s",
+	"user.activitypub_feed.no_activity": "Немає подій Федісвіту",
+	"user.activitypub_feed.is_empty": "Ваша стрічка Федісвіту порожня.",
+	"user.activitypub_feed.original_source": "Першоджерело",
+	"user.activitypub_feed.hint": "У цій стрічці відображається діяльність облікових записів Федісвіту, на які ви підписані, а також федеративні публікації, в яких вас згадано."
 }
diff --git a/options/locale_next/locale_uz.json b/options/locale_next/locale_uz.json
index 21fc022cd5..e6199dd11f 100644
--- a/options/locale_next/locale_uz.json
+++ b/options/locale_next/locale_uz.json
@@ -1,37 +1,37 @@
 {
-	"home.explore_repos": "Omborlarni kashf etish",
-	"home.explore_users": "Foydalanuvchilarni kashf etish",
+	"home.explore_repos": "Repolarni kezish",
+	"home.explore_users": "Foydalanuvchilarni kezish",
 	"home.explore_orgs": "`tashkilotlarni` kashf etish",
-	"stars.list.none": "Hech kim bu omborga yulduz bosmagan.",
+	"stars.list.none": "Hech kim bu repoga yulduz bosmagan.",
 	"watch.list.none": "Bu ombor hech kimning ko'ruv'ida emas",
 	"followers.incoming.list.self.none": "Hech kim sizning profilingizga tirkalmagan.",
-	"followers.incoming.list.none": "Hech kim bu foydalanuvchiga tirkalmagan.",
+	"followers.incoming.list.none": "Hech kim bu foydalanuvchiga obuga boʻlmagan.",
 	"followers.outgoing.list.self.none": "Siz hech kimga tirkalmagansiz.",
 	"followers.outgoing.list.none": "%s hech kimga tirkalmagan.",
 	"relativetime.now": "hozir",
 	"relativetime.future": "kelajakda",
 	"relativetime.mins": {
-		"one": "%d daqiqa oldin.",
+		"one": "%d daqiqa oldin",
 		"other": "%d daqiqa oldin."
 	},
 	"relativetime.hours": {
-		"one": "%d soat oldin.",
+		"one": "%d soat oldin",
 		"other": "%d soat oldin."
 	},
 	"relativetime.days": {
-		"one": "%d kun oldin.",
+		"one": "%d kun oldin",
 		"other": "%d kun oldin."
 	},
 	"relativetime.weeks": {
-		"one": "%d hafta oldin.",
+		"one": "%d hafta oldin",
 		"other": "%d hafta oldin."
 	},
 	"relativetime.months": {
-		"one": "%d oy oldin.",
+		"one": "%d oy oldin",
 		"other": "%d oy oldin."
 	},
 	"relativetime.years": {
-		"one": "%d yil oldin.",
+		"one": "%d yil oldin",
 		"other": "%d yil oldin."
 	},
 	"relativetime.1day": "kecha",
diff --git a/options/locale_next/locale_zh-CN.json b/options/locale_next/locale_zh-CN.json
index fc00da3eb7..68a5344621 100644
--- a/options/locale_next/locale_zh-CN.json
+++ b/options/locale_next/locale_zh-CN.json
@@ -1,20 +1,8 @@
 {
-	"counters.n_commits": {
-		"one": "%s提交",
-		"other": "%s提交"
-	},
-	"counters.n_branches": {
-		"one": "%s分支",
-		"other": "%s分支"
-	},
-	"counters.n_tags": {
-		"one": "%s标签",
-		"other": "%s标签"
-	},
-	"counters.n_releases": {
-		"one": "%s版本发布",
-		"other": "%s版本发布"
-	},
+	"counters.n_commits": "%s笔提交",
+	"counters.n_branches": "%s个分支",
+	"counters.n_tags": "%s个标签",
+	"counters.n_releases": "%s个发布版本",
 	"gpg.default_key": "使用默认密钥签名",
 	"gpg.error.extract_sign": "无法提取签名",
 	"gpg.error.generate_hash": "无法生成提交散列",
@@ -300,7 +288,7 @@
 	"migrate.gitbucket.description": "从GitBucket实例迁移数据。",
 	"migrate.codebase.description": "从codebasehq.com迁移数据。",
 	"migrate.forgejo.description": "从codeberg.org或其他Forgejo实例迁移数据。",
-	"migrate.items.label": "迁移项目",
+	"migrate.items.label": "迁移内容",
 	"migrate.items.wiki": "百科",
 	"migrate.items.milestones": "里程碑",
 	"migrate.items.labels": "标签",
@@ -308,15 +296,15 @@
 	"migrate.items.pull_requests": "合并请求",
 	"migrate.items.merge_requests": "合并请求",
 	"migrate.items.releases": "版本发布",
-	"migrate.in_progress.git": "迁移Git数据",
+	"migrate.in_progress.git": "正在迁移Git数据",
 	"migrate.in_progress.topics": "正在迁移主题",
 	"migrate.in_progress.milestones": "正在迁移里程碑",
 	"migrate.in_progress.labels": "正在迁移标签",
-	"migrate.in_progress.releases": "正在迁移发布",
+	"migrate.in_progress.releases": "正在迁移版本发布",
 	"migrate.in_progress.issues": "正在迁移议题",
 	"migrate.in_progress.pulls": "正在迁移合并请求",
 	"migrate.cancel.title": "取消迁移",
-	"migrate.cancel.confirmation": "您想要取消此次迁移吗？",
+	"migrate.cancel.confirmation": "确定要取消此次迁移吗？",
 	"warning.repository.out_of_sync": "此仓库的数据库表示已脱同步。如果在向此仓库推送提交后仍出现此警告，请联系管理员。",
 	"admin.config.security": "安全设置",
 	"settings.twofa_unroll_unavailable": "你的账户必须启用双因子认证，无法禁用。",
@@ -539,7 +527,7 @@
 	"actions.runners.runner_setup.program_options_snippet_aria": "如何调用forgejo-runner",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "将连接名（例子中的<code>forgejo</code>）替换为你喜欢的值。",
 	"actions.runners.runner_setup.heading_using_options": "使用命令行选项",
-	"actions.runners.runner_setup.instruction_advanced_configurations": "参见<a href=\"https://TO-BE-REPLACED.COM\">文档</a>以了解如何配置运行在容器中的Forgejo Runner及其他高级配置。",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "参见<a href=\"%s\">文档</a>以了解如何配置运行在容器中的Forgejo Runner及其他高级配置。",
 	"actions.runners.reset_registration_token.token": "注册令牌（已弃用）",
 	"form.RunnerName": "名称",
 	"settings.new_access_token": "创建访问令牌",
@@ -570,6 +558,7 @@
 	"actions.secrets.mutation.value_description": "现有值不会显示，留空以保留现有值。特殊字符会被保留，CRLF（Windows式换行符）会被转换为LF；要保留换行符，请使用Base64编码。",
 	"members.add_member": "添加成员",
 	"members.user": "用户",
-	"members.user_already_member": "该用户已经是当前组织的成员。",
-	"members.no_team_selected": "组织成员至少属于一个团队。"
+	"members.user_already_member": "该用户已是组织成员。",
+	"members.no_team_selected": "组织成员至少要属于一个团队。",
+	"migrate.select.title": "迁移仓库"
 }

From 1cd81146a9790be2574d8ddec78481cff1e09829 Mon Sep 17 00:00:00 2001
From: Michael Kriese <michael.kriese@visualon.de>
Date: Wed, 15 Apr 2026 20:25:23 +0200
Subject: [PATCH 122/287] fix: improve runner list and details view (#12113)

- shrink runner list width (use icons, move details link to runner name)
- add owner to runner details on admin view
- #11516 removed a lot details which makes it much harder for an admin to find a specific runner

---
### admin list
![image](/attachments/7dd28e5b-6332-48b1-b545-2fc2b83e5368)

### admin org runner details
![image](/attachments/da972377-d401-41fe-8a17-d78824d6d714)

### admin repo runner
![image](/attachments/489e71c2-6087-4441-ad72-695ef0e04161)

### individual list
![image](/attachments/5618b962-0964-415f-a820-e673001f4007)

### individual runner details
![image](/attachments/5799c212-37d5-4047-965f-60952ee7c74c)

### tooltips for edit and delete
![image](/attachments/bcfb9358-0bf3-4d3f-a73c-66fb8e63eb67) ![image](/attachments/63b1c9e5-2fd3-4cc3-9f88-e0a1cf410769)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12113
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
Co-committed-by: Michael Kriese <michael.kriese@visualon.de>
---
 options/locale_next/locale_en-US.json        |   3 -
 templates/shared/actions/runner_details.tmpl |   8 ++
 templates/shared/actions/runner_list.tmpl    |  16 ++-
 tests/e2e/runner-management.test.e2e.ts      | 124 +++++++++++--------
 4 files changed, 85 insertions(+), 66 deletions(-)

diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index 5581806e80..85a21ef28d 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -516,11 +516,8 @@
 	"actions.runners.labels": "Labels",
 	"actions.runners.version": "Version",
 	"actions.runners.last_online": "Last online time",
-	"actions.runners.list_runners.details_column": "Details",
 	"actions.runners.list_runners.edit_column": "Edit",
 	"actions.runners.list_runners.delete_column": "Delete",
-	"actions.runners.list_runners.details_button": "Details",
-	"actions.runners.list_runners.details_button_aria": "Show details of %s",
 	"actions.runners.list_runners.delete_button": "Delete",
 	"actions.runners.list_runners.delete_button_aria": "Delete %s",
 	"actions.runners.list_runners.edit_button": "Edit",
diff --git a/templates/shared/actions/runner_details.tmpl b/templates/shared/actions/runner_details.tmpl
index f50e96482a..537dd766f6 100644
--- a/templates/shared/actions/runner_details.tmpl
+++ b/templates/shared/actions/runner_details.tmpl
@@ -23,6 +23,14 @@
 					{{.Runner.BelongsToOwnerType.LocaleString ctx.Locale}}
 				</dd>
 			</div>
+			{{if and $.PageIsAdmin .Runner.BelongsToOwnerName}}
+			<div class="item">
+				<dt>{{.Runner.BelongsToOwnerType.LocaleString ctx.Locale}}</dt>
+				<dd>
+					{{.Runner.BelongsToOwnerName}}
+				</dd>
+			</div>
+			{{end}}
 			<div class="item">
 				<dt>{{ctx.Locale.Tr "actions.runners.labels"}}</dt>
 				<dd class="tw-flex tw-items-start tw-flex-wrap tw-gap-2">
diff --git a/templates/shared/actions/runner_list.tmpl b/templates/shared/actions/runner_list.tmpl
index 88c354b7cf..bb5e292528 100644
--- a/templates/shared/actions/runner_list.tmpl
+++ b/templates/shared/actions/runner_list.tmpl
@@ -57,9 +57,6 @@
 						{{ctx.Locale.Tr "actions.runners.status"}}
 						{{SortArrow "online" "offline" .SortType false}}
 					</th>
-					<th scope="col">
-						<span class="tw-sr-only">{{ctx.Locale.Tr "actions.runners.list_runners.details_column"}}</span>
-					</th>
 					<th scope="col">
 						<span class="tw-sr-only">{{ctx.Locale.Tr "actions.runners.list_runners.edit_column"}}</span>
 					</th>
@@ -72,7 +69,7 @@
 				{{range .Runners}}
 				<tr>
 					<td>
-						<div class="tw-font-medium">{{.Name}}</div>
+						<div class="tw-font-medium"><a href="{{$.Link}}/{{.ID}}" class="runner-action-link" tabindex="0">{{.Name}}</a></div>
 						<div class="tw-mt-1">{{.UUID}}</div>
 					</td>
 					<td class="tw-flex tw-items-start tw-flex-wrap tw-gap-2">
@@ -86,6 +83,10 @@
 					</td>
 					<td>
 						{{.BelongsToOwnerType.LocaleString ctx.Locale}}
+						{{if and $.PageIsAdmin .BelongsToOwnerName}}
+							<br>
+							<small>{{.BelongsToOwnerName}}</small>
+						{{end}}
 					</td>
 					<td>
 						<div class="tw-flex tw-items-center tw-gap-x-2">
@@ -107,17 +108,14 @@
 							</div>
 						</div>
 					</td>
-					<td class="tw-text-right">
-						<a href="{{$.Link}}/{{.ID}}" class="runner-action-link" tabindex="0" aria-label="{{ctx.Locale.Tr "actions.runners.list_runners.details_button_aria" .Name}}">{{ctx.Locale.Tr "actions.runners.list_runners.details_button"}}</a>
-					</td>
 					<td class="tw-text-right">
 						{{if .Editable $.RunnerOwnerID $.RunnerRepoID}}
-							<a href="{{$.Link}}/{{.ID}}/edit" class="runner-action-link" tabindex="0" aria-label="{{ctx.Locale.Tr "actions.runners.list_runners.edit_button_aria" .Name}}">{{ctx.Locale.Tr "actions.runners.list_runners.edit_button"}}</a>
+							<a href="{{$.Link}}/{{.ID}}/edit" class="runner-action-link" tabindex="0" aria-label="{{ctx.Locale.Tr "actions.runners.list_runners.edit_button_aria" .Name}}" data-tooltip-content="{{ctx.Locale.Tr "actions.runners.list_runners.edit_button"}}">{{svg "octicon-pencil"}}</a>
 						{{end}}
 					</td>
 					<td class="tw-text-right">
 						{{if .Editable $.RunnerOwnerID $.RunnerRepoID}}
-							<button class="delete-button runner-delete-link" aria-label="{{ctx.Locale.Tr "actions.runners.list_runners.delete_button_aria" .Name}}" data-url="{{$.Link}}/{{.ID}}/delete" data-modal-id="runner-delete-modal">{{ctx.Locale.Tr "actions.runners.list_runners.delete_button"}}</button>
+							<button class="delete-button runner-delete-link" aria-label="{{ctx.Locale.Tr "actions.runners.list_runners.delete_button_aria" .Name}}" data-url="{{$.Link}}/{{.ID}}/delete" data-modal-id="runner-delete-modal" data-tooltip-content="{{ctx.Locale.Tr "actions.runners.list_runners.delete_button"}}">{{svg "octicon-trash"}}</button>
 						{{end}}
 					</td>
 				</tr>
diff --git a/tests/e2e/runner-management.test.e2e.ts b/tests/e2e/runner-management.test.e2e.ts
index 41808f72d1..1dba606a1b 100644
--- a/tests/e2e/runner-management.test.e2e.ts
+++ b/tests/e2e/runner-management.test.e2e.ts
@@ -30,39 +30,41 @@ test.describe('Runners of user2', () => {
 
     // We cannot assert the length of the table because it's influenced by global fixtures. It also changes depending on
     // the ordering of tests.
-    await expect(rows.nth(0)).toHaveAccessibleName('Name Labels Type Status Details Edit Delete');
+    await expect(rows.nth(0)).toHaveAccessibleName('Name Labels Type Status Edit Delete');
     await expect(page.locator('tbody tr:has-text("3a20ad8d-d5d6-4b7b-ba55-841ac8264c17")')).toMatchAriaSnapshot(`
-      - cell "runner-2 3a20ad8d-d5d6-4b7b-ba55-841ac8264c17"
+      - cell "runner-2 3a20ad8d-d5d6-4b7b-ba55-841ac8264c17":
+        - link "runner-2":
+          - /url: /user/settings/actions/runners/719932
       - cell "docker"
       - cell "Individual"
       - cell "Offline"
-      - cell "Show details of runner-2"
       - cell "Edit runner-2"
       - cell "Delete runner-2"
     `);
     await expect(page.locator('tbody tr:has-text("1ef59b64-93b7-4ad4-ade4-21ca13db49c0")')).toMatchAriaSnapshot(`
-      - cell "runner-4 1ef59b64-93b7-4ad4-ade4-21ca13db49c0"
+      - cell "runner-4 1ef59b64-93b7-4ad4-ade4-21ca13db49c0":
+        - link "runner-4":
+          - /url: /user/settings/actions/runners/719934
       - cell "docker"
       - cell "Global"
       - cell "Offline"
-      - cell "Show details of runner-4"
       - cell
       - cell
     `);
 
-    await page.getByRole('link', {name: 'Show details of runner-2', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-2', exact: true}).click();
     await expect(page).toHaveTitle(/^Runner runner-2 .*/);
 
     await page.goto('/user/settings/actions/runners');
 
-    await page.getByRole('link', {name: 'Show details of runner-4', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-4', exact: true}).click();
     await expect(page).toHaveTitle(/^Runner runner-4 .*/);
   });
 
   test('runner details with tasks of repositories owned by user', async ({page}) => {
     await page.goto('/user/settings/actions/runners');
 
-    await page.getByRole('link', {name: 'Show details of runner-4', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-4', exact: true}).click();
     await expect(page).toHaveTitle(/^Runner runner-4 .*/);
 
     await expect(page.getByRole('heading', {name: 'Runner runner-4'})).toBeVisible();
@@ -142,11 +144,12 @@ test.describe('Runners of user2', () => {
     await page.getByRole('link', {name: 'List of runners', exact: true}).click();
 
     await expect(page.locator(`tbody tr:has-text("${runnerUUID}")`)).toMatchAriaSnapshot(`
-      - cell "runner-991301 ${runnerUUID}"
+      - cell "runner-991301 ${runnerUUID}":
+        - link "runner-991301":
+          - /url: /user/settings/actions/runners/\\d+/
       - cell ""
       - cell "Individual"
       - cell "Offline"
-      - cell "Show details of runner-991301"
       - cell "Edit runner-991301"
       - cell "Delete runner-991301"
     `);
@@ -287,67 +290,74 @@ test.describe('Global runners', () => {
 
     // We cannot assert the length of the table because it's influenced by global fixtures. It also changes depending on
     // the ordering of tests.
-    await expect(rows.nth(0)).toHaveAccessibleName('Name Labels Type Status Details Edit Delete');
+    await expect(rows.nth(0)).toHaveAccessibleName('Name Labels Type Status Edit Delete');
     await expect(page.locator('tbody tr:has-text("8f940b0b-32a2-479a-9d48-06ab8d8a0b90")')).toMatchAriaSnapshot(`
-      - cell "runner-1 8f940b0b-32a2-479a-9d48-06ab8d8a0b90"
+      - cell "runner-1 8f940b0b-32a2-479a-9d48-06ab8d8a0b90":
+        - link "runner-1":
+          - /url: /admin/actions/runners/719931
       - cell "debian gpu"
-      - cell "Organization"
+      - cell "Organization org3"
       - cell "Offline"
-      - cell "Show details of runner-1"
       - cell "Edit runner-1"
       - cell "Delete runner-1"
     `);
     await expect(page.locator('tbody tr:has-text("3a20ad8d-d5d6-4b7b-ba55-841ac8264c17")')).toMatchAriaSnapshot(`
-      - cell "runner-2 3a20ad8d-d5d6-4b7b-ba55-841ac8264c17"
+      - cell "runner-2 3a20ad8d-d5d6-4b7b-ba55-841ac8264c17":
+        - link "runner-2":
+          - /url: /admin/actions/runners/719932
       - cell "docker"
-      - cell "Individual"
+      - cell "Individual user2"
       - cell "Offline"
-      - cell "Show details of runner-2"
       - cell "Edit runner-2"
       - cell "Delete runner-2"
     `);
     await expect(page.locator('tbody tr:has-text("11c9a6da-0a92-46ea-a4f1-b6c98f8c781c")')).toMatchAriaSnapshot(`
-      - cell "runner-3 11c9a6da-0a92-46ea-a4f1-b6c98f8c781c"
+      - cell "runner-3 11c9a6da-0a92-46ea-a4f1-b6c98f8c781c":
+        - link "runner-3":
+          - /url: /admin/actions/runners/719933
       - cell "fedora"
-      - cell "Organization"
+      - cell "Organization org17"
       - cell "Offline"
-      - cell "Show details of runner-3"
       - cell "Edit runner-3"
       - cell "Delete runner-3"
     `);
     await expect(page.locator('tbody tr:has-text("1ef59b64-93b7-4ad4-ade4-21ca13db49c0")')).toMatchAriaSnapshot(`
-      - cell "runner-4 1ef59b64-93b7-4ad4-ade4-21ca13db49c0"
+      - cell "runner-4 1ef59b64-93b7-4ad4-ade4-21ca13db49c0":
+        - link "runner-4":
+          - /url: /admin/actions/runners/719934
       - cell "docker"
       - cell "Global"
       - cell "Offline"
-      - cell "Show details of runner-4"
       - cell "Edit runner-4"
       - cell "Delete runner-4"
     `);
     await expect(page.locator('tbody tr:has-text("69d29449-1de5-4d17-845d-e3ae11a04a1b")')).toMatchAriaSnapshot(`
-      - cell "runner-5 69d29449-1de5-4d17-845d-e3ae11a04a1b"
+      - cell "runner-5 69d29449-1de5-4d17-845d-e3ae11a04a1b":
+        - link "runner-5":
+          - /url: /admin/actions/runners/719935
       - cell "debian"
-      - cell "Individual"
+      - cell "Individual user1"
       - cell "Offline"
-      - cell "Show details of runner-5"
       - cell "Edit runner-5"
       - cell "Delete runner-5"
     `);
     await expect(page.locator('tbody tr:has-text("9da25fbb-89a5-4520-a35a-d55fc94e4b76")')).toMatchAriaSnapshot(`
-      - cell "runner-6 9da25fbb-89a5-4520-a35a-d55fc94e4b76"
+      - cell "runner-6 9da25fbb-89a5-4520-a35a-d55fc94e4b76":
+        - link "runner-6":
+          - /url: /admin/actions/runners/719936
       - cell "debian"
-      - cell "Repository"
+      - cell "Repository user2/test_workflows"
       - cell "Offline"
-      - cell "Show details of runner-6"
       - cell "Edit runner-6"
       - cell "Delete runner-6"
     `);
     await expect(page.locator('tbody tr:has-text("d935307e-1d2d-4b61-8885-bc8a1c52c269")')).toMatchAriaSnapshot(`
-      - cell "runner-7 d935307e-1d2d-4b61-8885-bc8a1c52c269"
+      - cell "runner-7 d935307e-1d2d-4b61-8885-bc8a1c52c269":
+        - link "runner-7":
+          - /url: /admin/actions/runners/719937
       - cell "alpine"
-      - cell "Individual"
+      - cell "Individual user4"
       - cell "Offline"
-      - cell "Show details of runner-7"
       - cell "Edit runner-7"
       - cell "Delete runner-7"
     `);
@@ -356,7 +366,7 @@ test.describe('Global runners', () => {
   test('runner details with all tasks visible on details page', async ({page}) => {
     await page.goto('/admin/actions/runners');
 
-    await page.getByRole('link', {name: 'Show details of runner-4', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-4', exact: true}).click();
 
     await expect(page).toHaveTitle(/^Runner runner-4 .*/);
     await expect(page.getByRole('heading', {name: 'Runner runner-4'})).toBeVisible();
@@ -437,11 +447,12 @@ test.describe('Global runners', () => {
     await page.getByRole('link', {name: 'List of runners', exact: true}).click();
 
     await expect(page.locator(`tbody tr:has-text("${runnerUUID}")`)).toMatchAriaSnapshot(`
-      - cell "runner-473465 ${runnerUUID}"
+      - cell "runner-473465 ${runnerUUID}":
+        - link "runner-473465":
+          - /url: /admin/actions/runners/\\d+/
       - cell ""
       - cell "Global"
       - cell "Offline"
-      - cell "Show details of runner-473465"
       - cell "Edit runner-473465"
       - cell "Delete runner-473465"
     `);
@@ -546,22 +557,24 @@ test.describe('Organization runners', () => {
 
     // We cannot assert the length of the table because it's influenced by global fixtures. It also changes depending on
     // the ordering of tests.
-    await expect(rows.nth(0)).toHaveAccessibleName('Name Labels Type Status Details Edit Delete');
+    await expect(rows.nth(0)).toHaveAccessibleName('Name Labels Type Status Edit Delete');
     await expect(page.locator('tbody tr:has-text("8f940b0b-32a2-479a-9d48-06ab8d8a0b90")')).toMatchAriaSnapshot(`
-      - cell "runner-1 8f940b0b-32a2-479a-9d48-06ab8d8a0b90"
+      - cell "runner-1 8f940b0b-32a2-479a-9d48-06ab8d8a0b90":
+        - link "runner-1":
+          - /url: /org/org3/settings/actions/runners/719931
       - cell "debian gpu"
       - cell "Organization"
       - cell "Offline"
-      - cell "Show details of runner-1"
       - cell "Edit runner-1"
       - cell "Delete runner-1"
     `);
     await expect(page.locator('tbody tr:has-text("1ef59b64-93b7-4ad4-ade4-21ca13db49c0")')).toMatchAriaSnapshot(`
-      - cell "runner-4 1ef59b64-93b7-4ad4-ade4-21ca13db49c0"
+      - cell "runner-4 1ef59b64-93b7-4ad4-ade4-21ca13db49c0":
+        - link "runner-4":
+          - /url: /org/org3/settings/actions/runners/719934
       - cell "docker"
       - cell "Global"
       - cell "Offline"
-      - cell "Show details of runner-4"
       - cell
       - cell
     `);
@@ -572,19 +585,19 @@ test.describe('Organization runners', () => {
     await expect(page.locator('tbody tr:has-text("d935307e-1d2d-4b61-8885-bc8a1c52c269")')).toBeHidden();
 
     // Verify that details of usable runners are accessible.
-    await page.getByRole('link', {name: 'Show details of runner-1', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-1', exact: true}).click();
     await expect(page).toHaveTitle(/^Runner runner-1 .*/);
 
     await page.goto('/org/org3/settings/actions/runners');
 
-    await page.getByRole('link', {name: 'Show details of runner-4', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-4', exact: true}).click();
     await expect(page).toHaveTitle(/^Runner runner-4 .*/);
   });
 
   test('runner details with tasks of repositories owned by organization', async ({page}) => {
     await page.goto('/org/org3/settings/actions/runners');
 
-    await page.getByRole('link', {name: 'Show details of runner-4', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-4', exact: true}).click();
 
     await expect(page).toHaveTitle(/^Runner runner-4 .*/);
     await expect(page.getByRole('heading', {name: 'Runner runner-4'})).toBeVisible();
@@ -621,7 +634,7 @@ test.describe('Organization runners', () => {
   test('runner details with multiple pages of tasks', async ({page}) => {
     await page.goto('/org/org3/settings/actions/runners');
 
-    await page.getByRole('link', {name: 'Show details of runner-1', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-1', exact: true}).click();
 
     await expect(page).toHaveTitle(/^Runner runner-1 .*/);
     await expect(page.getByRole('heading', {name: 'Runner runner-1'})).toBeVisible();
@@ -664,31 +677,34 @@ test.describe('Repository runners', () => {
 
     // We cannot assert the length of the table because it's influenced by global fixtures. It also changes depending on
     // the ordering of tests.
-    await expect(rows.nth(0)).toHaveAccessibleName('Name Labels Type Status Details Edit Delete');
+    await expect(rows.nth(0)).toHaveAccessibleName('Name Labels Type Status Edit Delete');
     await expect(page.locator('tbody tr:has-text("3a20ad8d-d5d6-4b7b-ba55-841ac8264c17")')).toMatchAriaSnapshot(`
-      - cell "runner-2 3a20ad8d-d5d6-4b7b-ba55-841ac8264c17"
+      - cell "runner-2 3a20ad8d-d5d6-4b7b-ba55-841ac8264c17":
+        - link "runner-2":
+          - /url: /user2/test_workflows/settings/actions/runners/719932
       - cell "docker"
       - cell "Individual"
       - cell "Offline"
-      - cell "Show details of runner-2"
       - cell
       - cell
     `);
     await expect(page.locator('tbody tr:has-text("1ef59b64-93b7-4ad4-ade4-21ca13db49c0")')).toMatchAriaSnapshot(`
-      - cell "runner-4 1ef59b64-93b7-4ad4-ade4-21ca13db49c0"
+      - cell "runner-4 1ef59b64-93b7-4ad4-ade4-21ca13db49c0":
+        - link "runner-4":
+          - /url: /user2/test_workflows/settings/actions/runners/719934
       - cell "docker"
       - cell "Global"
       - cell "Offline"
-      - cell "Show details of runner-4"
       - cell
       - cell
     `);
     await expect(page.locator('tbody tr:has-text("9da25fbb-89a5-4520-a35a-d55fc94e4b76")')).toMatchAriaSnapshot(`
-      - cell "runner-6 9da25fbb-89a5-4520-a35a-d55fc94e4b76"
+      - cell "runner-6 9da25fbb-89a5-4520-a35a-d55fc94e4b76":
+        - link "runner-6":
+          - /url: /user2/test_workflows/settings/actions/runners/719936
       - cell "debian"
       - cell "Repository"
       - cell "Offline"
-      - cell "Show details of runner-6"
       - cell "Edit runner-6"
       - cell "Delete runner-6"
     `);
@@ -697,24 +713,24 @@ test.describe('Repository runners', () => {
     await expect(page.locator('tbody tr:has-text("d935307e-1d2d-4b61-8885-bc8a1c52c269")')).toBeHidden();
 
     // Verify that details of usable runners are accessible.
-    await page.getByRole('link', {name: 'Show details of runner-2', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-2', exact: true}).click();
     await expect(page).toHaveTitle(/^Runner runner-2 .*/);
 
     await page.goto('/user2/test_workflows/settings/actions/runners');
 
-    await page.getByRole('link', {name: 'Show details of runner-4', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-4', exact: true}).click();
     await expect(page).toHaveTitle(/^Runner runner-4 .*/);
 
     await page.goto('/user2/test_workflows/settings/actions/runners');
 
-    await page.getByRole('link', {name: 'Show details of runner-6', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-6', exact: true}).click();
     await expect(page).toHaveTitle(/^Runner runner-6 .*/);
   });
 
   test('runner details with tasks of repository only', async ({page}) => {
     await page.goto('/user2/test_workflows/settings/actions/runners');
 
-    await page.getByRole('link', {name: 'Show details of runner-4', exact: true}).click();
+    await page.getByRole('link', {name: 'runner-4', exact: true}).click();
 
     await expect(page).toHaveTitle(/^Runner runner-4 .*/);
     await expect(page.getByRole('heading', {name: 'Runner runner-4'})).toBeVisible();

From 922573ba2d965895a4e9be2516e77b3324b8bffa Mon Sep 17 00:00:00 2001
From: Beowulf <beowulf@beocode.eu>
Date: Wed, 15 Apr 2026 22:13:13 +0200
Subject: [PATCH 123/287] chore: fix cookie name comments in example ini
 (#12131)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12131
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Beowulf <beowulf@beocode.eu>
Co-committed-by: Beowulf <beowulf@beocode.eu>
---
 custom/conf/app.example.ini | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index da83d4636f..b0f6bd3d44 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -457,7 +457,7 @@ INTERNAL_TOKEN =
 ;GLOBAL_TWO_FACTOR_REQUIREMENT = none
 ;;
 ;; Name of cookie used to store authentication information.
-;COOKIE_REMEMBER_NAME = gitea_incredible
+;COOKIE_REMEMBER_NAME = persistent
 ;;
 ;; Reverse proxy authentication header name of user name, email, and full name
 ;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
@@ -1895,7 +1895,7 @@ LEVEL = Info
 ;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
 ;; Session cookie name
-;COOKIE_NAME = i_like_gitea
+;COOKIE_NAME = session
 ;;
 ;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL.
 ;COOKIE_SECURE =

From 8cb776dcac4aca7bde86ff3ea2aa787af56da44d Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 16 Apr 2026 02:08:43 +0200
Subject: [PATCH 124/287] chore: fix TestMirrorPull on older git (2.34.1)
 installation (#12134)

`TestMirrorPull` is currently failing when run on git 2.34.1 in the `testing-integration.yml` workflow: https://codeberg.org/forgejo-integration/forgejo/actions/runs/16661/jobs/1/attempt/1#jobstep-5-2539  Began to fail after #11909 when additional checks on pull mirror configuration was added.

This PR addresses the issue and has been manually tested against the same git version:
```
$ git --version
git version 2.34.1

$ make test-sqlite#TestMirrorPull 2>&1
...
=== TestMirrorPull/migrate_from_repo_config_credentials (tests/integration/mirror_pull_test.go:238)
PASS
```

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12134
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 tests/integration/mirror_pull_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/integration/mirror_pull_test.go b/tests/integration/mirror_pull_test.go
index a0de586aaa..9a520ae5a5 100644
--- a/tests/integration/mirror_pull_test.go
+++ b/tests/integration/mirror_pull_test.go
@@ -492,7 +492,7 @@ func waitForPullMirror(t *testing.T, mirrorName, expectedSha string) {
 }
 
 func getGitConfig(t *testing.T, configFile, configPath string) string {
-	stdout, stderr, err := process.GetManager().Exec("getGitConfig", "git", "config", "get", "--file", configFile, configPath)
+	stdout, stderr, err := process.GetManager().Exec("getGitConfig", "git", "config", "--get", "--file", configFile, configPath)
 	require.NoError(t, err, "fetch config %s failed: git stderr: %s", configPath, stderr)
 	return strings.TrimSpace(stdout)
 }

From eea5ac963908b60b91d21282e37e652f66c284ff Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 16 Apr 2026 07:03:44 +0200
Subject: [PATCH 125/287] Update dependency globals to v17.5.0 (forgejo)
 (#12135)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index ac1dbdcc19..e6c087cbd5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -107,7 +107,7 @@
         "eslint-plugin-vue": "10.8.0",
         "eslint-plugin-vue-scoped-css": "2.12.0",
         "eslint-plugin-wc": "3.1.0",
-        "globals": "17.4.0",
+        "globals": "17.5.0",
         "happy-dom": "20.8.9",
         "license-checker-rseidelsohn": "4.4.2",
         "markdownlint-cli": "0.48.0",
@@ -9166,9 +9166,9 @@
       }
     },
     "node_modules/globals": {
-      "version": "17.4.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-17.4.0.tgz",
-      "integrity": "sha512-hjrNztw/VajQwOLsMNT1cbJiH2muO3OROCHnbehc8eY5JyD2gqz4AcMHPqgaOR59DjgUjYAYLeH699g/eWi2jw==",
+      "version": "17.5.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-17.5.0.tgz",
+      "integrity": "sha512-qoV+HK2yFl/366t2/Cb3+xxPUo5BuMynomoDmiaZBIdbs+0pYbjfZU+twLhGKp4uCZ/+NbtpVepH5bGCxRyy2g==",
       "dev": true,
       "license": "MIT",
       "engines": {
diff --git a/package.json b/package.json
index 73ed4f86fa..0415b40868 100644
--- a/package.json
+++ b/package.json
@@ -106,7 +106,7 @@
     "eslint-plugin-vue": "10.8.0",
     "eslint-plugin-vue-scoped-css": "2.12.0",
     "eslint-plugin-wc": "3.1.0",
-    "globals": "17.4.0",
+    "globals": "17.5.0",
     "happy-dom": "20.8.9",
     "license-checker-rseidelsohn": "4.4.2",
     "markdownlint-cli": "0.48.0",

From 60332ed111fd2a4ae853fd3589298feeb4c194b8 Mon Sep 17 00:00:00 2001
From: jaylinski <jaylinski@noreply.codeberg.org>
Date: Thu, 16 Apr 2026 09:58:57 +0200
Subject: [PATCH 126/287] chore(Dockerfile.rootless): update shadowed env
 variables (#11720)

This was missed in https://codeberg.org/forgejo/forgejo/pulls/11098.

See https://github.com/go-gitea/gitea/pull/17846 for why this was added in the first place.

Note that this is not backwards compatible. For users with a custom `app.ini`-config this won't work. But it also didn't work with the previous config. This change only aligns it with the default app.ini-path.

Co-authored-by: Jakob Linskeseder <jakob@linskeseder.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11720
Reviewed-by: Beowulf <beowulf@beocode.eu>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: jaylinski <jaylinski@noreply.codeberg.org>
Co-committed-by: jaylinski <jaylinski@noreply.codeberg.org>
---
 docker/rootless/usr/local/bin/gitea | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/rootless/usr/local/bin/gitea b/docker/rootless/usr/local/bin/gitea
index 9a9a569b12..d87ec84e86 100644
--- a/docker/rootless/usr/local/bin/gitea
+++ b/docker/rootless/usr/local/bin/gitea
@@ -9,7 +9,7 @@
 # And place the original in /usr/lib/gitea with working files in /data/gitea
 GITEA="/app/gitea/gitea"
 WORK_DIR="/var/lib/gitea"
-APP_INI="/etc/gitea/app.ini"
+APP_INI="/var/lib/gitea/custom/conf/app.ini"
 
 APP_INI_SET=""
 for i in "$@"; do

From da8898822c528a245a4cbe3e0ca02928262a4d5e Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Date: Thu, 16 Apr 2026 14:09:39 +0200
Subject: [PATCH 127/287] chore(release-notes): Forgejo v15.0.0 [skip ci]
 (#12138)

https://codeberg.org/forgejo/forgejo/milestone/36366

https://codeberg.org/forgejo-release-manager/forgejo/src/branch/release-notes-15.0.0/release-notes-published/15.0.0.md
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12138
Reviewed-by: Beowulf <beowulf@beocode.eu>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
---
 .release-notes-assistant.yaml     |   1 +
 release-notes-published/15.0.0.md | 598 +++++++++++++++++++++++++++++-
 2 files changed, 598 insertions(+), 1 deletion(-)

diff --git a/.release-notes-assistant.yaml b/.release-notes-assistant.yaml
index fe65dc3241..93b0e3d0b2 100644
--- a/.release-notes-assistant.yaml
+++ b/.release-notes-assistant.yaml
@@ -8,6 +8,7 @@ tag-from-version: 'v%[1]d.%[2]d.%[3]d'
 supported-release-count: 3
 branch-known:
   - 'v11.0/forgejo'
+  - 'v15.0/forgejo'
 cleanup-line: 'sed -Ee "s/^(feat|fix):\s*//g" -e "s/^\[WIP\] //" -e "s/^WIP: //" -e "s;\[(UI|BUG|FEAT|v.*?/forgejo)\]\s*;;g"'
 render-header: |
 
diff --git a/release-notes-published/15.0.0.md b/release-notes-published/15.0.0.md
index 48cdce8528..58859791b0 100644
--- a/release-notes-published/15.0.0.md
+++ b/release-notes-published/15.0.0.md
@@ -1 +1,597 @@
-placeholder
+A [companion blog post](https://forgejo.org/2026-04-release-v15-0/) provides additional context on this major release.
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security features
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10059): <!--number 10059 --><!--line 0 --><!--description dXNlIGBrZXlpbmdgIGZvciB3ZWJob29rIHNlY3JldHM=-->use `keying` for webhook secrets<!--description-->
+- Breaking features
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11468): <!--number 11468 --><!--line 0 --><!--description cmVtb3ZlIGFkbWluLWxldmVsIHBlcm1pc3Npb25zIGZyb20gcmVwby1zcGVjaWZpYyAmIHB1YmxpYy1vbmx5IGFjY2VzcyB0b2tlbnM=-->remove admin-level permissions from repo-specific & public-only access tokens<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11736): <!--number 11736 --><!--line 0 --><!--description VGhlIHRlbXBsYXRlIGdlbmVyYXRpb24gKGBQT1NUIC9yZXBvcy97dGVtcGxhdGVfb3duZXJ9L3t0ZW1wbGF0ZV9yZXBvfS9nZW5lcmF0ZWApIGFuZCByZXBvc2l0b3J5IGRlbGV0aW9uIChgREVMRVRFIC9yZXBvcy97dXNlcm5hbWV9L3tyZXBvbmFtZX1gKSBBUElzIGhhdmUgYmVlbiB1cGRhdGVkIHRvIHJlcXVpcmUgdGhlIHNhbWUgcGVybWlzc2lvbiBzY29wZSBhcyBjcmVhdGluZyBhIG5ldyByZXBvc2l0b3J5LiBFaXRoZXIgYHdyaXRlOnVzZXJgIG9yIGB3cml0ZTpvcmdhbml6YXRpb25gIGlzIHJlcXVpcmVkLCBkZXBlbmRpbmcgb24gdGhlIG93bmVyIG9mIHRoZSByZXBvc2l0b3J5IGJlaW5nIGNyZWF0ZWQgb3IgZGVsZXRlZC4=-->The template generation (`POST /repos/{template_owner}/{template_repo}/generate`) and repository deletion (`DELETE /repos/{username}/{reponame}`) APIs have been updated to require the same permission scope as creating a new repository. Either `write:user` or `write:organization` is required, depending on the owner of the repository being created or deleted.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11457): <!--number 11457 --><!--line 0 --><!--description QWNjZXNzaW5nIHRoZSBgL3JlcG9zaXRvcmllcy97aWR9YCBBUEkgd2l0aCBhIHB1YmxpYy1vbmx5IGFjY2VzcyB0b2tlbiBkaWQgbm90IHJlc3RyaWN0IHJlYWQgYWNjZXNzIHRvIG9ubHkgcHVibGljIHJlcG9zaXRvcmllcywgd2hpY2ggaXMgbm93IHByZXZlbnRlZC4=-->Accessing the `/repositories/{id}` API with a public-only access token did not restrict read access to only public repositories, which is now prevented.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11457): <!--number 11457 --><!--line 1 --><!--description QWNjZXNzaW5nIHRoZSBgL3JlcG9zL3tvd25lcn0ve3JlcG99L2lzc3Vlcy97aW5kZXh9L2RlcGVuZGVuY2llc2AgYW5kIGAvcmVwb3Mve293bmVyfS97cmVwb30vaXNzdWVzL3tpbmRleH0vYmxvY2tzYCBBUElzIHdpdGggYSBwdWJsaWMtb25seSBhY2Nlc3MgdG9rZW4gaGFkIGFjY2VzcyB0byBtb2RpZmljYXRpb24gb3BlcmF0aW9ucyBhZ2FpbnN0IHByaXZhdGUgcmVwb3NpdG9yaWVzIGluIHRoZSAqZm9ybSogY29tcG9uZW50IG9mIHRoZSBBUEkgKG5vdCB0aGUgVVJMIGNvbXBvbmVudCksIHdoaWNoIGlzIG5vdyBwcmV2ZW50ZWQu-->Accessing the `/repos/{owner}/{repo}/issues/{index}/dependencies` and `/repos/{owner}/{repo}/issues/{index}/blocks` APIs with a public-only access token had access to modification operations against private repositories in the *form* component of the API (not the URL component), which is now prevented.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11457): <!--number 11457 --><!--line 2 --><!--description QWNjZXNzaW5nIHRoZSBgL3JlcG9zL3tvd25lcn0ve3JlcG99L2lzc3Vlcy97aW5kZXh9L2RlcGVuZGVuY2llc2AgYW5kIGAvcmVwb3Mve293bmVyfS97cmVwb30vaXNzdWVzL3tpbmRleH0vYmxvY2tzYCBBUElzIHdpdGggYSBwdWJsaWMtb25seSBhY2Nlc3MgdG9rZW4gY291bGQgdmlldyBkZXBlbmRlbmNpZXMgb3IgYmxvY2tpbmcgaXNzdWVzIGZyb20gcHJpdmF0ZSByZXBvc2l0b3JpZXMsIHdoaWNoIGlzIG5vdyBwcmV2ZW50ZWQu-->Accessing the `/repos/{owner}/{repo}/issues/{index}/dependencies` and `/repos/{owner}/{repo}/issues/{index}/blocks` APIs with a public-only access token could view dependencies or blocking issues from private repositories, which is now prevented.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11457): <!--number 11457 --><!--line 3 --><!--description QWNjZXNzaW5nIHRoZSBgL3JlcG9zL3tvd25lcn0ve3JlcG99L2lzc3Vlcy97aW5kZXh9L3RpbWVsaW5lYCBBUEkgd2l0aCBhIHB1YmxpYy1vbmx5IGFjY2VzcyB0b2tlbiBjb3VsZCB2aWV3IGNvbW1lbnQgY3Jvc3MtcmVmZXJlbmNlcyBmcm9tIHByaXZhdGUgcmVwb3NpdG9yaWVzLCB3aGljaCBpcyBub3cgcHJldmVudGVkLg==-->Accessing the `/repos/{owner}/{repo}/issues/{index}/timeline` API with a public-only access token could view comment cross-references from private repositories, which is now prevented.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11457): <!--number 11457 --><!--line 4 --><!--description QWNjZXNzaW5nIHRoZSBgL3RlYW1zL3tpZH0vcmVwb3Mve29yZ30ve3JlcG99YCBBUEkgd2l0aCBhIHB1YmxpYy1vbmx5IGFjY2VzcyB0b2tlbiBjb3VsZCB2aWV3IHByaXZhdGUgcmVwb3NpdG9yaWVzIGFzc2lnbmVkIHRvIGEgdGVhbSwgd2hpY2ggaXMgbm93IHByZXZlbnRlZC4=-->Accessing the `/teams/{id}/repos/{org}/{repo}` API with a public-only access token could view private repositories assigned to a team, which is now prevented.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11457): <!--number 11457 --><!--line 5 --><!--description QWNjZXNzIHRoZSB3YXRjaGVkIHJlcG9zIGFuZCBzdGFycmVkIHJlcG9zIG9mIGEgeW91ciBvd24gdXNlciB0aHJvdWdoIC91c2VyL3N1YnNjcmlwdGlvbnMgYW5kIC91c2VyL3N0YXJyZWQgQVBJcyB3aXRoIGEgcHVibGljLW9ubHkgYWNjZXNzIHRva2VuIGNvdWxkIHZpZXcgcHJpdmF0ZSByZXBvc2l0b3JpZXMsIHdoaWNoIGlzIG5vdyBwcmV2ZW50ZWQu-->Access the watched repos and starred repos of a your own user through /user/subscriptions and /user/starred APIs with a public-only access token could view private repositories, which is now prevented.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11458): <!--number 11458 --><!--line 0 --><!--description aW1wbGVtZW50IHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2VucyBpbiByZWxldmFudCBzZWFyY2ggJiBsaXN0IEFQSXMuICAqKkJyZWFraW5nKio6IHRoZSBmb2xsb3dpbmcgQVBJcyBjb3VsZCBwcmV2aW91c2x5IHJldHVybiBwcml2YXRlIHJlcG9zaXRvcmllcyB3aGVuIHVzaW5nIGEgcHVibGljLW9ubHkgYWNjZXNzIHRva2VuLCBidXQgY2FuIG5vIGxvbmdlciBkbyBzbzogYC91c2VyL3JlcG9zYCwgYC91c2Vycy97dXNlcm5hbWV9L3JlcG9zYCwgYC9vcmdzL3tvcmd9L3JlcG9zYCwgYW5kIGAvdGVhbXMve2lkfS9yZXBvc2Au-->implement repo-specific access tokens in relevant search & list APIs. **Breaking**: the following APIs could previously return private repositories when using a public-only access token, but can no longer do so: `/user/repos`, `/users/{username}/repos`, `/orgs/{org}/repos`, and `/teams/{id}/repos`.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11437): <!--number 11437 --><!--line 0 --><!--description aW1wbGVtZW50IHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2VucyBicm9hZGx5IGZvciB1bml2ZXJzYWwgQVBJIHBlcm1pc3Npb24gY2hlY2tzLiAgKipCcmVha2luZzoqKiBBUEkgYWNjZXNzIHdpdGggYSBwdWJsaWMtb25seSBhY2Nlc3MgdG9rZW4gd291bGQgcHJldmlvdXNseSByZXR1cm4gYSBgNDAzIEZvcmJpZGRlbmAgZXJyb3Igd2hlbiBhdHRlbXB0aW5nIHRvIGFjY2VzcyBhIHByaXZhdGUgcmVwb3NpdG9yeSB3aGVyZSB0aGUgcmVwb3NpdG9yeSBpcyBvbiB0aGUgQVBJIHBhdGguICBBcyBwYXJ0IG9mIGluY29ycG9yYXRpbmcgdGhlIHB1YmxpYy1vbmx5IGxvZ2ljIGludG8gdGhlIGNlbnRyYWxpemVkIHBlcm1pc3Npb24gY2hlY2ssIHRoZXNlIEFQSXMgd2lsbCBub3cgcmV0dXJuIGA0MDQgTm90IEZvdW5kYCBpbnN0ZWFkLCBjb25zaXN0ZW50IHdpdGggaG93IG1vc3QgcGVybWlzc2lvbiBjaGVja3MgYXJlIGltcGxlbWVudGVkIGluIG9yZGVyIHRvIHJlZHVjZSB0aGUgcmlzayBvZiBkYXRhIHByb2JpbmcgdGhyb3VnaCBlcnJvciBtZXNzYWdlcy4=-->implement repo-specific access tokens broadly for universal API permission checks. **Breaking:** API access with a public-only access token would previously return a `403 Forbidden` error when attempting to access a private repository where the repository is on the API path.  As part of incorporating the public-only logic into the centralized permission check, these APIs will now return `404 Not Found` instead, consistent with how most permission checks are implemented in order to reduce the risk of data probing through error messages.<!--description-->
+- Breaking bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11096): <!--number 11096 --><!--line 0 --><!--description Zml4KHVpKSE6IFJlbW92ZSB0aGUgaW5zdGFuY2UgY29uZmlndXJhdGlvbiBvcHRpb24gYHJlcG9zaXRvcnkucHVsbC1yZXF1ZXN0LkFERF9DT19DT01NSVRURVJfVFJBSUxFUlNgICh3YXMgZW5hYmxlZCBieSBkZWZhdWx0KS4gSXQgd2FzIHJlc3BvbnNpYmxlIGZvciBhZGRpdGlvbiBvZiB1bmV4cGVjdGVkIHRyYWlsZXJzIHRvIGNvbW1pdCBtZXNzYWdlcyBpbiBzcXVhc2ggbWVyZ2VzLiBUaGVzZSB0cmFpbGVycyB3ZXJlIGBDby1hdXRob3JlZC1ieTogYCBhbmQgYENvLWNvbW1pdHRlZC1ieTogYC4gQm90aCB1c2VkIHRoZSBwdWxsIHJlcXVlc3QgYXV0aG9yIGFzIHZhbHVlLCB3aG8gaXMgYWxzbyBhc3NpZ25lZCBhcyB0aGUgYXV0aG9yIG9mIHRoZSBzcXVhc2ggbWVyZ2UgY29tbWl0LCB3aGljaCB0aGV5IHdlcmUganVzdCByZXBlYXRpbmcuIEZ1cnRoZXJtb3JlLCBgQ28tY29tbWl0dGVkLWJ5OiBgIGlzIGFuIHVuY29tbW9uIGNvbW1pdCB0cmFpbGVyLCBhbmQgdGhlcmUgaXMgb25seSBvbmUgY29tbWl0dGVyIGZvciBhIGNvbW1pdC4gVGhlIHRyYWlsZXJzIHdlcmUgYmVpbmcgYWRkZWQgYnkgRm9yZ2VqbyB3aGlsZSBwZXJmb3JtaW5nIHRoZSBtZXJnZSwgYnlwYXNzaW5nIHVzZXIgaW5wdXQgaW4gdGhlIFVJIGFuZCB3ZXJlbid0IHNob3duIGluIGl0LiBTZWUgZnVydGhlciBkZXNjcmlwdGlvbiBhbmQgbW9yZSBleGFtcGxlcyBpbiBbIzExMDk3XShodHRwczovL2NvZGViZXJnLm9yZy9mb3JnZWpvL2Zvcmdlam8vaXNzdWVzLzExMDk3KS4=-->fix(ui)!: Remove the instance configuration option `repository.pull-request.ADD_CO_COMMITTER_TRAILERS` (was enabled by default). It was responsible for addition of unexpected trailers to commit messages in squash merges. These trailers were `Co-authored-by: ` and `Co-committed-by: `. Both used the pull request author as value, who is also assigned as the author of the squash merge commit, which they were just repeating. Furthermore, `Co-committed-by: ` is an uncommon commit trailer, and there is only one committer for a commit. The trailers were being added by Forgejo while performing the merge, bypassing user input in the UI and weren't shown in it. See further description and more examples in [#11097](https://codeberg.org/forgejo/forgejo/issues/11097).<!--description-->
+- Breaking changes without a feature or bug label
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11098): <!--number 11098 --><!--line 0 --><!--description SW4gRm9yZ2VqbyB2OC4wLjAsIHRoZSBkZWZhdWx0IGxvY2F0aW9uIGZvciB0aGUgY29uZmlnIGZpbGUgd2FzIGNoYW5nZWQgZnJvbSBgL2V0Yy9naXRlYS9hcHAuaW5pYCB0byBgL3Zhci9saWIvZ2l0ZWEvYXBwLmluaWAuIEJhY2t3YXJkIGNvbXBhdGliaWxpdHkgbG9naWMgYW5kIHN0YXJ0dXAgd2FybmluZ3Mgd2VyZSBhZGRlZCB0byBjb250YWluZXIgc2V0dXAgYW5kIGVudHJ5cG9pbnQgc2NyaXB0cy4gTm93IHRoZXkgYXJlIHJlbW92ZWQuIFRoaXMgY2hhbmdlIG9ubHkgYWZmZWN0cyB0aG9zZSB1c2luZyBjb250YWluZXIgZGVwbG95bWVudHMgd2l0aCByb290bGVzcyBpbWFnZXMuIElmIHlvdSBoYXZlIHRoZSBjb25maWcgZmlsZSBzdG9yZWQgaW4gYSB2b2x1bWUgYm91bmQgdG8gY29udGFpbmVyJ3MgL2V0Yy9naXRlYSwgbW92ZSBpdCB0byB0aGUgbmV3IGxvY2F0aW9uIG9yIG92ZXJyaWRlIHRoZSBlbnZpcm9ubWVudCB2YXJpYWJsZSBgR0lURUFfQVBQX0lOSWAuIEFuIHVudXNlZCB2b2x1bWUgYC9ldGMvZ2l0ZWFgIGNhbiBiZSBzYWZlbHkgcmVtb3ZlZCBmcm9tIHRoZSBjb250YWluZXIgYWZ0ZXIgbW92aW5nIHRoZSBjb25maWcgb3IgaWYgdGhlIGRlcGxveW1lbnQgbmV2ZXIgdXNlZCB2ZXJzaW9ucyBwcmlvciB0byB2OC4wLjAu-->In Forgejo v8.0.0, the default location for the config file was changed from `/etc/gitea/app.ini` to `/var/lib/gitea/custom/conf/app.ini`. Backward compatibility logic and startup warnings were added to container setup and entrypoint scripts. Now they are removed. This change only affects those using container deployments with rootless images. If you have the config file stored in a volume bound to container's /etc/gitea, move it to the new location or override the environment variable `GITEA_APP_INI`. An unused volume `/etc/gitea` can be safely removed from the container after moving the config or if the deployment never used versions prior to v8.0.0.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11720) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12137)): <!--number 12137 --><!--line 0 --><!--description Y2hvcmUoRG9ja2VyZmlsZS5yb290bGVzcyk6IHVwZGF0ZSBzaGFkb3dlZCBlbnYgdmFyaWFibGVz-->chore(Dockerfile.rootless): update shadowed env variables<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10645): <!--number 10645 --><!--line 0 --><!--description TWFrZSBjb29raWUgbmFtZXMgYnJhbmQgaW5kZXBlbmRlbnQuPGJyPkF0dGVudGlvbjogQWxsIHVzZXJzIG5lZWQgdG8gcmUtbG9naW4sIGlmIHlvdSBoYXZlbid0IG1hbnVhbGx5IHNldCBhIGNvb2tpZSBuYW1lIGluIHRoZSBzZXR0aW5ncy4gVGhpcyBjYW4gYmUgcHJldmVudGVkIGJ5IGNoYW5naW5nIHRoZSBbcmVtZW1iZXIgbWUgY29va2llXShodHRwczovL2Zvcmdlam8ub3JnL2RvY3MvbGF0ZXN0L2FkbWluL2NvbmZpZy1jaGVhdC1zaGVldC8jc2VjdXJpdHktc2VjdXJpdHk6fjp0ZXh0PUNPT0tJRV9SRU1FTUJFUl9OQU1FKSBiYWNrIHRvIGBnaXRlYV9pbmNyZWRpYmxlYA==-->Make cookie names brand independent.<br>Attention: All users need to re-login, if you haven't manually set a cookie name in the settings. This can be prevented by changing the [remember me cookie](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#security-security:~:text=COOKIE_REMEMBER_NAME) back to `gitea_incredible`<!--description-->
+- User Interface features
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11516): <!--number 11516 --><!--line 0 --><!--description YWRkIGZvcm0tYmFzZWQgcnVubmVyIG1hbmFnZW1lbnQ=-->add form-based runner management<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10932): <!--number 10932 --><!--line 0 --><!--description ZmVhdChwZXJmKTogcmVtb3ZlIHVudXNlZCBzaXplIHVybCBwYXJhbWV0ZXIgZm9yIGxvY2FsIGF2YXRhcnM=-->feat(perf): remove unused size url parameter for local avatars<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11080): <!--number 11080 --><!--line 0 --><!--description ZmVhdCh1aSk6IHJlc3BvbnNpdmUgcmVsZWFzZXMgbGlzdA==-->feat(ui): responsive releases list<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11604): <!--number 11604 --><!--line 0 --><!--description ZmVhdCh1aSk6IGRpc3BsYXkgcmVwb3NpdG9yaWVzIGFjY2Vzc2libGUgYnkgcmVwby1zcGVjaWZpYyBhY2Nlc3MgdG9rZW5z-->feat(ui): display repositories accessible by repo-specific access tokens<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11375) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11950)): <!--number 11950 --><!--line 0 --><!--description ZW5oOiBhZGQgc3VnZ2VzdGlvbiB0byBkb2N1bWVudCByZWFzb24gZm9yIHJlcG9zaXRvcnkgYXJjaGl2YWw=-->enh: add suggestion to document reason for repository archival<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11770): <!--number 11770 --><!--line 0 --><!--description c2hvdyB3b3JrZmxvdyBuYW1lIGZvciBzY2hlZHVsZWQgcnVucw==-->show workflow name for scheduled runs<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11659): <!--number 11659 --><!--line 0 --><!--description dWk6IG1vdmUgIk5ldyBhY2Nlc3MgdG9rZW4iIHRvIGEgc2VwYXJhdGUgVUkgcGFnZQ==-->ui: move "New access token" to a separate UI page<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11439): <!--number 11439 --><!--line 0 --><!--description ZmVhdChtYXJrdXAtcmVuZGVyZXIpOiBtYXRjaCBvbiBjb21wb3VuZCBmaWxlbmFtZSBleHRlbnNpb25z-->feat(markup-renderer): match on compound filename extensions<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11677): <!--number 11677 --><!--line 0 --><!--description ZmVhdCh1aSk6IHVzZSBiZXR0ZXIgY29udHJhc3QgY29sb3IgZm9yIHJlcXVpcmVkIGZpZWxkIGluZGljYXRvcg==-->feat(ui): use better contrast color for required field indicator<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11340): <!--number 11340 --><!--line 0 --><!--description ZmVhdCh1aSk6IGVuYWJsZSB0ZXh0IGF1dG8tc3BhY2luZw==-->feat(ui): enable text auto-spacing<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11472): <!--number 11472 --><!--line 0 --><!--description ZmVhdCh1aSk6IGltcHJvdmUgdmlzaWJpbGl0eSBvZiBjb3VudGVycyBpbnNpZGUgb2Ygc3dpdGNoIGl0ZW1z-->feat(ui): improve visibility of counters inside of switch items<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11466): <!--number 11466 --><!--line 0 --><!--description QWRkIHNob3J0Y3V0IHRvIGxpbmsgbWFya2Rvd24gYWN0aW9u-->Add shortcut to link markdown action<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11127): <!--number 11127 --><!--line 0 --><!--description ZmVhdCh1aSk6IGNvbnZlcnQgb3JnIG1lbWJlcnMgbGlzdCB0byBncmlk-->feat(ui): convert org members list to grid<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11196): <!--number 11196 --><!--line 0 --><!--description ZmVhdCh1aSk6IGNvbnNpc3RlbnRseSB1c2UgQXBwVmVyTm9NZXRhZGF0YSBpbiBmb290ZXI=-->feat(ui): consistently use AppVerNoMetadata in footer<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10702): <!--number 10702 --><!--line 0 --><!--description aW1wcm92ZSBsYWJlbCBmaWx0ZXJpbmcgZXhjbHVzaW9u-->improve label filtering exclusion<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10873): <!--number 10873 --><!--line 0 --><!--description ZGVkaWNhdGVkIGljb24gZm9yIENJVEFUSU9OIGZpbGU=-->dedicated icon for CITATION file<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10559): <!--number 10559 --><!--line 0 --><!--description ZmVhdCh1aSk6IHJlcGxhY2UgTW9uYWNvIHdpdGggQ29kZU1pcnJvcg==-->feat(ui): replace Monaco with CodeMirror<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10530): <!--number 10530 --><!--line 0 --><!--description Zml4KHVpKTogaW1wcm92ZSByZW5kZXJpbmcgb2YgY29tbWl0IGxpbmtz-->fix(ui): improve rendering of commit links<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10022): <!--number 10022 --><!--line 0 --><!--description UmV0cmlldmUgZGVmYXVsdCBtZXJnZSBjb21taXQgbWVzc2FnZSBmb3IgcHVsbCByZXF1ZXN0cw==-->Retrieve default merge commit message for pull requests<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9261): <!--number 9261 --><!--line 0 --><!--description c2hvdyBjYW5jZWwgYnV0dG9uIGZvciBhY3Rpb25zIHJ1biB1bnRpbCBhbGwgam9icyBhcmUgZmluaXNoZWQ=-->show cancel button for actions run until all jobs are finished<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10488): <!--number 10488 --><!--line 0 --><!--description c2hvdyB1cGRhdGUgdGltZSB3aGVuIHNvcnRpbmcgYnkgcmVjZW50bHkgdXBkYXRlZA==-->show update time when sorting by recently updated<!--description-->
+- User Interface bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11607): <!--number 11607 --><!--line 0 --><!--description Zml4KHVpKTogYWxsb3cgbGFiZWwgZGVzY3JpcHRpb25zIHRvIHdyYXAgaW4gZHJvcGRvd24=-->fix(ui): allow label descriptions to wrap in dropdown<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11365): <!--number 11365 --><!--line 0 --><!--description ZWRpdCByYXcgaW5zdGVhZCBvZiByZW5kZXJlZCBHaXQgbm90ZXMgd2hlbiBlZGl0aW5nIG5vdGVzIG9uIGNvbW1pdCBwYWdlcw==-->edit raw instead of rendered Git notes when editing notes on commit pages<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11365): <!--number 11365 --><!--line 1 --><!--description bWFrZSBlZGl0aW5nIEdpdCBub3RlcyBmcm9tIHNpbmdsZS1jb21taXQgUFIgcGFnZSBhY3R1YWxseSB3b3Jr-->make editing Git notes from single-commit PR page actually work<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11365): <!--number 11365 --><!--line 2 --><!--description YWRkIGNhbmNlbCBidXR0b24gdG8gR2l0IG5vdGUgYWRkaW5nIGFuZCBlZGl0aW5n-->add cancel button to Git note adding and editing<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11315): <!--number 11315 --><!--line 0 --><!--description Zml4KHVpKTogYWRkIGFjdGl2ZSBiYWNrZ3JvdW5kIGNvbG9yIGZvciBtZW51IGl0ZW1zIGluIHRpcHB5IHRvb2x0aXBz-->fix(ui): add active background color for menu items in tippy tooltips<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11423): <!--number 11423 --><!--line 0 --><!--description Zml4KHVpKTogdXBkYXRlIHNvcnQgZHJvcGRvd24gc3RydWN0dXJlIGZvciBjb25zaXN0ZW5jeSBhY3Jvc3MgdGVtcGxhdGVz-->fix(ui): update sort dropdown structure for consistency across templates<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11190): <!--number 11190 --><!--line 0 --><!--description Zml4KCMxMTE4OSk6IG5vcm1hbGl6ZSBpc3N1ZSB0aXRsZSBjYXNlIHdoZW4gbWF0Y2hpbmcgcHJlZml4ZXM=-->fix(#11189): normalize issue title case when matching prefixes<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11259): <!--number 11259 --><!--line 0 --><!--description Zml4KHVpKTogaW1wcm92ZSBhbGlnbm1lbnQgb2YgaWNvbnMgaW4gbmF2YmFy-->fix(ui): improve alignment of icons in navbar<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11231): <!--number 11231 --><!--line 0 --><!--description Zml4KHVpKTogbWFrZSByZWxhdGl2ZSB0aW1lIGNvbnNpc3RlbnQgd2l0aCBvdGhlciB0ZXh0IHdoZW4gc2VsZWN0ZWQ=-->fix(ui): make relative time consistent with other text when selected<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11343): <!--number 11343 --><!--line 0 --><!--description Zml4KHVpKTogaW1wcm92ZSBhIGZldyBFbmdsaXNoIHN0cmluZ3M=-->fix(ui): improve a few English strings<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11274): <!--number 11274 --><!--line 0 --><!--description Zml4KHVpKTogYXBwbHkgbmF2YmFyIG1pbi1oZWlnaHQgY29ycmVjdGx5LCBmaXggaml0dGVyIG9uIG1vYmlsZQ==-->fix(ui): apply navbar min-height correctly, fix jitter on mobile<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11262): <!--number 11262 --><!--line 0 --><!--description Zml4KHVpKTogZml4IGdhcCBjb25zaXN0ZW5jeSBiZXR3ZWVuIG5hdmJhciBpdGVtcyBvbiBtb2JpbGU=-->fix(ui): fix gap consistency between navbar items on mobile<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11469): <!--number 11469 --><!--line 0 --><!--description Zml4KHVpKTogdXNlIG92ZXJmbG93OmF1dG8gdG8gYXZvaWQgc2Nyb2xsYmFycyB3aGVuIHRoZXkgYXJlIG5vdCBuZWVkZWQ=-->fix(ui): use overflow:auto to avoid scrollbars when they are not needed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11461): <!--number 11461 --><!--line 0 --><!--description Zml4KHVpKTogZml4IGRhc2hib2FyZCBzb21lIHN0eWxlIGlzc3Vlcw==-->fix(ui): fix dashboard some style issues<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11057): <!--number 11057 --><!--line 0 --><!--description Zml4KHVpKTogY2VudGVyLWFsaWduIGVtb2ppcyB0byBuZWlnaGJvdXJpbmcgdGV4dA==-->fix(ui): center-align emojis to neighbouring text<!--description-->
+- Localization
+  - Updates from Codeberg Translate: [#10417](https://codeberg.org/forgejo/forgejo/pulls/10417), [#10599](https://codeberg.org/forgejo/forgejo/pulls/10599), [#10660](https://codeberg.org/forgejo/forgejo/pulls/10660), [#10978](https://codeberg.org/forgejo/forgejo/pulls/10978), [#11344](https://codeberg.org/forgejo/forgejo/pulls/11344), [#11460](https://codeberg.org/forgejo/forgejo/pulls/11460), [#12129](https://codeberg.org/forgejo/forgejo/pulls/12129) (backport of [#11810](https://codeberg.org/forgejo/forgejo/pulls/11810), [#11963](https://codeberg.org/forgejo/forgejo/pulls/11963))
+- Features
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10617): <!--number 10617 --><!--line 0 --><!--description QXV0by1saW5rIGNvbnRhaW5lciBpbWFnZXMgdG8gcmVwb3NpdG9yeQ==-->Auto-link container images to repository<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11687): <!--number 11687 --><!--line 0 --><!--description ZXhwb3NlIGF0dGVtcHQgbnVtYmVyIG9mIEFjdGlvblJ1bkpvYiBpbiBIVFRQIEFQSQ==-->expose attempt number of ActionRunJob in HTTP API<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11584): <!--number 11584 --><!--line 0 --><!--description YWRkIG1vcmUgZmlsdGVycyB0byBhY3Rpb25zIHJ1biBhbmQgdGFza3MgYXBp-->add more filters to actions run and tasks api<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10941): <!--number 10941 --><!--line 0 --><!--description ZGV0YWlsZWQgcGVybWlzc2lvbiBkZW5pZWQgbWVzc2FnZSBvbiBwdXNo-->detailed permission denied message on push<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11013): <!--number 11013 --><!--line 0 --><!--description ZmlsdGVyIGFjdGlvbiBydW5zIGJ5IEdpdCByZWZlcmVuY2U=-->filter action runs by Git reference<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11846) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12031)): <!--number 12031 --><!--line 0 --><!--description SW1wcm92ZSByZXBvIGZpbGUgbGlzdCB0YWJsZSBzZW1hbnRpY3MgZm9yIHNjcmVlbiByZWFkZXJz-->Improve repo file list table semantics for screen readers<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11851) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11986)): <!--number 11986 --><!--line 0 --><!--description ZmVhdDogc3VwcG9ydCBgdGltZXpvbmVgIGluIHNjaGVkdWxlZCB3b3JrZmxvd3M=-->feat: support `timezone` in scheduled workflows<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11895) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11970)): <!--number 11970 --><!--line 0 --><!--description QWRkIGFyaWEtbGFiZWw9IkNvcHkiIHRvIGNvcHkgYnV0dG9u-->Add aria-label="Copy" to copy button<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11887) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11969)): <!--number 11969 --><!--line 0 --><!--description QWRkIGFyaWEtY3VycmVudD0icGFnZSIgdG8gYWN0aXZlIG5hdmJhciBpdGVtcw==-->Add aria-current="page" to active navbar items<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11676): <!--number 11676 --><!--line 0 --><!--description YWxsb3cgcnVubmVycyB0byByZXF1ZXN0IGEgcGFydGljdWxhciBqb2I=-->allow runners to request a particular job<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11589): <!--number 11589 --><!--line 0 --><!--description YWRkIHdpa2kgZ2l0IGluZm8gdG8gQVBJ-->add wiki git info to API<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10677): <!--number 10677 --><!--line 0 --><!--description YWRkIEhUVFAgQVBJIGVuZHBvaW50IGZvciBydW5uZXIgcmVnaXN0cmF0aW9u-->add HTTP API endpoint for runner registration<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11489): <!--number 11489 --><!--line 0 --><!--description QWRkIGBIRUFEYCBzdXBwb3J0IGZvciBkZWJpYW4gcmVwbyBmaWxlcyAoIzExNDg4KQ==-->Add `HEAD` support for debian repo files (#11488)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10573): <!--number 10573 --><!--line 0 --><!--description cmVmYWN0b3I6IHVwZGF0ZSBBY3Rpb25zIFJ1bm5lciBhZG1pbiBBUEkgZW5kcG9pbnQgVVJMcyB0byBiZSBjb25zaXN0ZW50IHcvIG90aGVyIGxldmVscw==-->refactor: update Actions Runner admin API endpoint URLs to be consistent w/ other levels<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11671): <!--number 11671 --><!--line 0 --><!--description bWFrZSBpdCBwb3NzaWJsZSB0byBzZWFyY2ggcnVubmVycyBieSBVVUlE-->make it possible to search runners by UUID<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11670): <!--number 11670 --><!--line 0 --><!--description YWRkIHZpc2libGUgZmxhZyB0byBIVFRQIEFQSSBlbmRwb2ludHMgdGhhdCByZXR1cm4gcnVubmVycw==-->add visible flag to HTTP API endpoints that return runners<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10627): <!--number 10627 --><!--line 0 --><!--description c3VwcG9ydCBqb2JzLjxqb2JfaWQ+LnNlY3JldHMgd2l0aCByZXVzYWJsZSB3b3JrZmxvdyBleHBhbnNpb24=-->support jobs.<job_id>.secrets with reusable workflow expansion<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10563): <!--number 10563 --><!--line 0 --><!--description aW5jcmVhc2UgZGVmYXVsdCBsaW1pdCBvZiBkaXNwYXRjaCBpbnB1dHMgdG8gMTAw-->increase default limit of dispatch inputs to 100<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11059): <!--number 11059 --><!--line 0 --><!--description ZW5hYmxlIFNRTGl0ZSBXQUwgYnkgZGVmYXVsdA==-->enable SQLite WAL by default<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10614): <!--number 10614 --><!--line 0 --><!--description c3VwcG9ydCB3b3JrZmxvdyBpbnB1dHMgb24gZXhwYW5kZWQgcmV1c2FibGUgd29ya2Zsb3dz-->support workflow inputs on expanded reusable workflows<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10388): <!--number 10388 --><!--line 0 --><!--description YWxsb3cgdG8gYWRkIHBhbSBzb3VyY2UgZnJvbSBjb21tYW5kIGxpbmU=-->allow to add pam source from command line<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10578): <!--number 10578 --><!--line 0 --><!--description c3VwcG9ydCB3b3JrZmxvdyBvdXRwdXRzIG9uIGV4cGFuZGVkIHJldXNhYmxlIHdvcmtmbG93cw==-->support workflow outputs on expanded reusable workflows<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11504): <!--number 11504 --><!--line 0 --><!--description cmVhZCwgY3JlYXRlLCAmIGRlbGV0ZSByZXBvLXNwZWNpZmljIGFjY2VzcyB0b2tlbnMgdmlhIEFQSQ==-->read, create, & delete repo-specific access tokens via API<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11216): <!--number 11216 --><!--line 0 --><!--description bGluayBDSSBqb2IgdG8gaXRzIGRlZmluaW5nIHdvcmtmbG93IGZpbGU=-->link CI job to its defining workflow file<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9962): <!--number 9962 --><!--line 0 --><!--description SW1wbGVtZW50IEVwaGVtZXJhbCBydW5uZXJz-->Implement Ephemeral runners<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/5384): <!--number 5384 --><!--line 0 --><!--description W2FsbG93IGZvcmdlam8gdG8gcnVuIGFzIGEgcHdhIHN0YW5kYWxvbmUgYXBwbGljYXRpb24gJiBvdmVycmlkZSBvZiB0aGUgd2ViYXBwIG1hbmlmZXN0Lmpzb24gdmlhIHRoZSBhIGN1c3RvbSBmaWxlIGluIGBwdWJsaWMvbWFuaWZlc3QuanNvbmBdKGh0dHBzOi8vY29kZWJlcmcub3JnL2Zvcmdlam8vZm9yZ2Vqby9wdWxscy81Mzg0KQ==-->[allow forgejo to run as a pwa standalone application & override of the webapp manifest.json via the a custom file in `public/manifest.json`](https://codeberg.org/forgejo/forgejo/pulls/5384)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10647): <!--number 10647 --><!--line 0 --><!--description c3VwcG9ydCByZXVzYWJsZSB3b3JrZmxvdyBleHBhbnNpb24gd2hlbiBgd2l0aGAgb3IgYHN0cmF0ZWd5Lm1hdHJpeGAgY29udGFpbnMgJHt7IG5lZWRzLi4uIH19-->support reusable workflow expansion when `with` or `strategy.matrix` contains ${{ needs... }}<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10602): <!--number 10602 --><!--line 0 --><!--description cHJvdmlkZSBtdWx0aXBsZSB0YXNrcyB0byBSdW5uZXIgaW4gb25lIEZldGNoVGFzayB3aGVuIHJlcXVlc3RlZA==-->provide multiple tasks to Runner in one FetchTask when requested<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10642): <!--number 10642 --><!--line 0 --><!--description YWRkIEZvcmdlam8gc2VydmVyIHZlcnNpb24gdG8gcnVubmVyIGNvbnRleHQ=-->add Forgejo server version to runner context<!--description-->
+- Bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11715): <!--number 11715 --><!--line 0 --><!--description aW1wcm92ZSBPQXV0aDIgZXhwZXJpZW5jZQ==-->improve OAuth2 experience<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11401): <!--number 11401 --><!--line 0 --><!--description YWxsb3cgQWN0aW9ucyBydW5uZXIgdG8gcmVjb3ZlciB0YXNrcyBsb3N0IGR1cmluZyBmZXRjaGluZyBmcm9tIGludGVybWl0dGVudCBlcnJvcnM=-->allow Actions runner to recover tasks lost during fetching from intermittent errors<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11932) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12033)): <!--number 12033 --><!--line 0 --><!--description UHJlc2VydmUgZm9jdXMgb24gc3Rhci91bnN0YXIgJiB3YXRjaC91bndhdGNoIGJ1dHRvbnMgYWZ0ZXIgY2xpY2s=-->Preserve focus on star/unstar & watch/unwatch buttons after click<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11909) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11984)): <!--number 11984 --><!--line 0 --><!--description Zml4OiBzdG9yZSBwdWxsIG1pcnJvciBjcmVkcyBlbmNyeXB0ZWQgd2l0aCBrZXlpbmc=-->fix: store pull mirror creds encrypted with keying<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11878) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11967)): <!--number 11967 --><!--line 0 --><!--description QWRkIGFyaWEtbGFiZWxzIHRvIGVuc3VyZSB3YXRjaCBhbmQgc3RhciBidXR0b25zIGFsd2F5cyBoYXZlIGEgdGV4dCBsYWJlbA==-->Add aria-labels to ensure watch and star buttons always have a text label<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11858) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11966)): <!--number 11966 --><!--line 0 --><!--description TWFrZSBsYWJlbCBkcm9wZG93biBtZW51IGl0ZW1zIHdpdGggLnR3LWhpZGRlbiB1bnNlbGVjdGFibGU=-->Make label dropdown menu items with .tw-hidden unselectable<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11860) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11922)): <!--number 11922 --><!--line 0 --><!--description Rml4IEBtZW50aW9uIGNvbWJvYm94IHNlbWFudGljcyBmb3Igc2NyZWVuIHJlYWRlciBhY2Nlc3NpYmlsaXR5-->Fix @mention combobox semantics for screen reader accessibility<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11881) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11906)): <!--number 11906 --><!--line 0 --><!--description Zml4OiB1bmlxdWUga2V5IHZpb2xhdGlvbiBpbiBmaXJzdC10aW1lIGNvbmN1cnJlbnQgZGViaWFuIHBhY2thZ2UgdXBsb2FkcyB0byBhIHVzZXI=-->fix: unique key violation in first-time concurrent debian package uploads to a user<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11821) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11830)): <!--number 11830 --><!--line 0 --><!--description Zml4OiBvdXQgb2Ygc3luY2hyb25pemF0aW9uIGVycm9yIGFmdGVyIGludGVycnVwdGluZyBhIFBSIG1lcmdlIGJ5IHVzZXItYWdlbnQgZGlzY29ubmVjdA==-->fix: out of synchronization error after interrupting a PR merge by user-agent disconnect<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11292): <!--number 11292 --><!--line 0 --><!--description aW1wcm92ZSBTUUxpdGUgImRhdGFiYXNlIGlzIGxvY2tlZCIgZXJyb3JzIGJ5IGluY3JlYXNpbmcgZGVmYXVsdCBgU1FMSVRFX1RJTUVPVVRgICh0YWtlIDIp-->improve SQLite "database is locked" errors by increasing default `SQLITE_TIMEOUT` (take 2)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11735): <!--number 11735 --><!--line 0 --><!--description aTE4bjogaGFyZGNvZGVkIHN0cmluZ3MgaW4gcmVwb3NpdG9yeSBhY3Rpdml0eSBncmFwaHM=-->i18n: hardcoded strings in repository activity graphs<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11052): <!--number 11052 --><!--line 0 --><!--description bm9ybWFsaXplIHNlY3JldHMgY29uc2lzdGVudGx5LCBkaXNwbGF5IGFjY3VyYXRlIGhlbHA=-->normalize secrets consistently, display accurate help<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11699): <!--number 11699 --><!--line 0 --><!--description VGhlIERCIGVudHJpZXMgYWJvdXQgdXNlcnMgZm9sbG93aW5nIGFuIG9yZ2FuaXphdGlvbiBhbmQgdXNlcnMgYmxvY2tlZCBieSBhbiBvcmdhbml6YXRpb24gd2VyZSBub3QgZGVsZXRlZCB3aGVuIGFuIG9yZ2FuaXphdGlvbiB3YXMgZGVsZXRlZC4gT3JwaGFuZWQgZW50cmllcyBjYW4gYmUgY2xlYW5lZCB1cCBieSBydW5uaW5nIGBmb3JnZWpvIGRvY3RvciBjaGVjayAtLXJ1biBjaGVjay1kYi1jb25zaXN0ZW5jeSAtLWZpeGAu-->The DB entries about users following an organization and users blocked by an organization were not deleted when an organization was deleted. Orphaned entries can be cleaned up by running `forgejo doctor check --run check-db-consistency --fix`.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9906): <!--number 9906 --><!--line 0 --><!--description Zml4KHVpKTogSG9ub3Igb3JnL3VzZXIgcHJvamVjdCBpbiBuZXcgaXNzdWUgKCM4NDg5KQ==-->fix(ui): Honor org/user project in new issue (#8489)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10008): <!--number 10008 --><!--line 0 --><!--description ZW5zdXJlIGFjdGlvbnMgbG9ncyBhcmUgdHJhbnNmZXJyZWQgd2hlbiBhIHRhc2sgaXMgZG9uZQ==-->ensure actions logs are transferred when a task is done<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10954): <!--number 10954 --><!--line 0 --><!--description Zml4KHBhY2thZ2VzKTogcmV0dXJuIGJhZCByZXF1ZXN0IG9uIG1hbGZvcm1lZCB1cGxvYWQgaW5wdXQ=-->fix(packages): return bad request on malformed upload input<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11240): <!--number 11240 --><!--line 0 --><!--description Y29ycmVjdCBSZXZpZXdlZC1vbiBVUkwgaW4gbWVyZ2UgbWVzc2FnZSBmb3Igc3VicGF0aCBkZXBsb3ltZW50cw==-->correct Reviewed-on URL in merge message for subpath deployments<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11153): <!--number 11153 --><!--line 0 --><!--description cnVieSBwYWNrYWdlIHZlcnNpb25zOiBvbmx5IHNraXAgZXhwbGljaXQgPj0gMCBhbmQgbGVhdmUgcGVzc2ltaXN0aWMgdmVyc2lvbiBsb2NraW5nIGludGFjdA==-->ruby package versions: only skip explicit >= 0 and leave pessimistic version locking intact<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11109): <!--number 11109 --><!--line 0 --><!--description Zml4IHNlYXJjaGluZyBpc3N1ZXMgYnkgb3JnIGxhYmVscyB2aWEgYXBp-->fix searching issues by org labels via api<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10691): <!--number 10691 --><!--line 0 --><!--description Zml4KGkxOG4pOiByZW1vdmUgdW5uZWVkZWQgc3BlY2lhbCBjYXNlcyBmb3IgcmVsYXRpdmUgdGltZQ==-->fix(i18n): remove unneeded special cases for relative time<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10528): <!--number 10528 --><!--line 0 --><!--description Zml4KCMxMDE1NSk6IGRvbid0IGRpc3BsYXkgcGVuZGluZyByZXZpZXdzIGFzIHBhcnRpY2lwYW50cw==-->fix(#10155): don't display pending reviews as participants<!--description-->
+- User Interface changes without a feature or bug label
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10768): <!--number 10768 --><!--line 0 --><!--description Y2hvcmUodWkpOiBjbGVhbnVwIFBSIGNoZWNrcyBhcmVh-->chore(ui): cleanup PR checks area<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10524): <!--number 10524 --><!--line 0 --><!--description Zml4KHVpKTogYXZhdGFyIGZvciBkaXNtaXNzZWQgcmV2aWV3IGlzIHN0cmV0Y2hlZCBpZiBub3Qgc3F1YXJl-->fix(ui): avatar for dismissed review is stretched if not square<!--description-->
+- Other changes without a feature or bug label
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11822) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11829)): <!--number 11829 --><!--line 0 --><!--description Zml4KGFwaSk6IHBhY2thZ2UgbmFtZSBpbiByb3V0ZSBub3QgcHJvcGVybHkgdW5lc2NhcGVk-->fix(api): package name in route not properly unescaped<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11650): <!--number 11650 --><!--line 0 --><!--description Y2hvcmU6IGRlcHJlY2F0ZSBIVFRQIEFQSSBlbmRwb2ludHMgZm9yIG9idGFpbmluZyB0aGUgcnVubmVyIHJlZ2lzdHJhdGlvbiB0b2tlbg==-->chore: deprecate HTTP API endpoints for obtaining the runner registration token<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11232): <!--number 11232 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBkZXByZWNhdGVkIGF1dGggbWV0aG9kcyBmcm9tIEFQSSBkb2Nz-->chore: remove deprecated auth methods from API docs<!--description-->
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12134) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12136)): <!--number 12136 --><!--line 0 --><!--description Y2hvcmU6IGZpeCBUZXN0TWlycm9yUHVsbCBvbiBvbGRlciBnaXQgKDIuMzQuMSkgaW5zdGFsbGF0aW9u-->chore: fix TestMirrorPull on older git (2.34.1) installation<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12131) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12132)): <!--number 12132 --><!--line 0 --><!--description Y2hvcmU6IGZpeCBjb29raWUgbmFtZSBjb21tZW50cyBpbiBleGFtcGxlIGluaQ==-->chore: fix cookie name comments in example ini<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12113) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12130)): <!--number 12130 --><!--line 0 --><!--description Zml4OiBpbXByb3ZlIHJ1bm5lciBsaXN0IGFuZCBkZXRhaWxzIHZpZXc=-->fix: improve runner list and details view<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12114): <!--number 12114 --><!--line 0 --><!--description Zml4KHVpKTogYSBmZXcgc21hbGwgcnVubmVycyBVSSBmaXhlcw==-->fix(ui): a few small runners UI fixes<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11733): <!--number 11733 --><!--line 0 --><!--description cHJldmVudCBjb250YWluZXIgcmVnaXN0cnkgaGVhZGVycyBmcm9tIGxlYWtpbmcgaW50byBvdGhlciByZWdpc3RyaWVz-->prevent container registry headers from leaking into other registries<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11337): <!--number 11337 --><!--line 0 --><!--description Rm9yZ2VqbyBTZWN1cml0eSBQYXRjaGVzLCAyMDI2LTAzLTA5-->fix(e2e): use empty user for overflow menu test<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11324): <!--number 11324 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2dvLWNoaS9zZXNzaW9uIHRvIHYxLjAuMyAoZm9yZ2Vqbyk=-->Update module code.forgejo.org/go-chi/session to v1.0.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10727): <!--number 10727 --><!--line 0 --><!--description dGhlIGVycm9yIG1lc3NhZ2Ugb2YgYSBmYWlsZWQgbWlncmF0aW9uIGJlY2F1c2Ugb2YgYSB3cm9uZyB0b2tlbiBpcyBjb25mdXNpbmc=-->the error message of a failed migration because of a wrong token is confusing<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12009) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12112)): <!--number 12112 --><!--line 0 --><!--description aTE4bihtYWlsZXIpOiBGaXggc3BlY2lhbCB1c2FnZSBvZiAuTG9jYWxlIGluIGFkbWluX25ld191c2Vy-->i18n(mailer): Fix special usage of .Locale in admin_new_user<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10898): <!--number 10898 --><!--line 0 --><!--description Y2hvcmUodWkpOiByZW1vdmUgb2Jzb2xldGUgdmFyIC0tY29sb3ItbmF2LXRleHQ=-->chore(ui): remove obsolete var --color-nav-text<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12094): <!--number 12094 --><!--line 0 --><!--description UmV2ZXJ0ICJJbXByb3ZlIHJlcG8gZmlsZSBsaXN0IHRhYmxlIHNlbWFudGljcyBmb3Igc2NyZWVuIHJlYWRlcnMgKCMxMjAzMSki-->Revert "Improve repo file list table semantics for screen readers (#12031)"<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12046) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12077)): <!--number 12077 --><!--line 0 --><!--description Zml4OiBwcmV2ZW50IGpvYnMgd2l0aCB1bmtub3duIG5lZWRzIGZyb20gcnVubmluZw==-->fix: prevent jobs with unknown needs from running<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12059) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12063)): <!--number 12063 --><!--line 0 --><!--description Zml4OiBkaXNwbGF5IHJ1bm5lciB2ZXJzaW9uIG9uIGRldGFpbHMgcGFnZQ==-->fix: display runner version on details page<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12058) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12060)): <!--number 12060 --><!--line 0 --><!--description UmV2ZXJ0ICJmaXg6IGFkZCBjaGFsbGVuZ2UgZm9yIEhUVFAgQmFzaWMgQXV0aGVudGljYXRpb24gdG8gY29udGFpbmVyIHJlZ2lzdHJ5Ig==-->Revert "fix: add challenge for HTTP Basic Authentication to container registry"<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11678): <!--number 11678 --><!--line 0 --><!--description YWRkIGNoYWxsZW5nZSBmb3IgSFRUUCBCYXNpYyBBdXRoZW50aWNhdGlvbiB0byBjb250YWluZXIgcmVnaXN0cnk=-->add challenge for HTTP Basic Authentication to container registry<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12021) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12044)): <!--number 12044 --><!--line 0 --><!--description Zml4OiBpbmNvcnJlY3QgaWRlbnRpZmljYXRpb24gb2Ygb3V0ZGF0ZWQgcnVuIGF0dGVtcHRz-->fix: incorrect identification of outdated run attempts<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11750): <!--number 11750 --><!--line 0 --><!--description c2V0IGF0dGVtcHQgbnVtYmVyIG9mIGFjdGlvbiBydW4gam9icyBlYWdlcmx5-->set attempt number of action run jobs eagerly<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12023) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12040)): <!--number 12040 --><!--line 0 --><!--description Zml4KGRvY3Rvcik6IHJlbW92ZSBicm9rZW4gbWVyZ2ViYXNlIGNoZWNr-->fix(doctor): remove broken mergebase check<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12030) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12038)): <!--number 12038 --><!--line 0 --><!--description Zml4OiBwcmV2ZW50IGFjdGlvbnMgd29ya2Zsb3dzIGZyb20gZ2VuZXJhdGluZyBPSURDIHRva2VucyBpZiBub3QgYXV0aG9yaXplZCBpbiB3b3JrZmxvdw==-->fix: prevent actions workflows from generating OIDC tokens if not authorized in workflow<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12029): <!--number 12029 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjYuMiAodjE1LjAvZm9yZ2Vqbyk=-->Update dependency go to v1.26.2 (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11997) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11998)): <!--number 11998 --><!--line 0 --><!--description dGVzdDogZml4IGludGVybWl0dGVudCB0ZXN0IGZhaWx1cmUgaW4gVGVzdFBhY2thZ2VEZWJpYW5Db25jdXJyZW50-->test: fix intermittent test failure in TestPackageDebianConcurrent<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11992) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11996)): <!--number 11996 --><!--line 0 --><!--description Y2hvcmUoZGVwcyk6IGJ1bXAgeG9ybSB0byB2MS4zLjktZm9yZ2Vqby4xMCAoIzExOTkyKQ==-->chore(deps): bump xorm to v1.3.9-forgejo.10 (#11992)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11945) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11987)): <!--number 11987 --><!--line 0 --><!--description Zml4OiBtaXNzaW5nIHN5bnRheCBkaWFsb2cgcm91bmRlZCBjb3JuZXJz-->fix: missing syntax dialog rounded corners<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11999) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12000)): <!--number 12000 --><!--line 0 --><!--description cmVmYWN0b3I6IHJlZHVjZSBjb2RlIGR1cGxpY2F0aW9uIHdoZW4gYWNjZXNzaW5nIGBEZWZhdWx0TWF4SW5TaXplYA==-->refactor: reduce code duplication when accessing `DefaultMaxInSize`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11988) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11995)): <!--number 11995 --><!--line 0 --><!--description cGVyZjogYnVsayBsb2FkIHJlc29sdmVycyAmIHJlYWN0aW9ucyBvbiBwdWxsIHJlcXVlc3QgY29tbWVudHM=-->perf: bulk load resolvers & reactions on pull request comments<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11956) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11964)): <!--number 11964 --><!--line 0 --><!--description Zml4OiBzdXBlcmZsdW91cyBpbmNyZW1lbnQgb2YgQWN0aW9uVGFzayBhdHRlbXB0IGJyZWFrcyBqb2Igdmlldw==-->fix: superfluous increment of ActionTask attempt breaks job view<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11949): <!--number 11949 --><!--line 0 --><!--description OiBjaG9yZTogYWRkIG1vZGVybml6ZXIgbGludGVy-->: chore: add modernizer linter<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11296): <!--number 11296 --><!--line 0 --><!--description UEFNOiBwb3J0YWJsZSBlcnJvciByZXBvcnRpbmc=-->PAM: portable error reporting<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11948): <!--number 11948 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvbGFuZ2NpL2dvbGFuZ2NpLWxpbnQvdjIvY21kL2dvbGFuZ2NpLWxpbnQgdG8gdjIuMTEuNCAodjE1LjAvZm9yZ2Vqbyk=-->Update module github.com/golangci/golangci-lint/v2/cmd/golangci-lint to v2.11.4 (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11927) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11933)): <!--number 11933 --><!--line 0 --><!--description Zml4OiBhbGxvdyByZXBvc2l0b3J5IGRlbGV0aW9uIHdoZW4gcmVmZXJlbmNlZCBieSBhIHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2Vu-->fix: allow repository deletion when referenced by a repo-specific access token<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11843) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11931)): <!--number 11931 --><!--line 0 --><!--description Zml4OiBhbGxvdyBtb2RhbHMgdG8gYmUgc3VibWl0dGVkIG11bHRpcGxlIHRpbWVz-->fix: allow modals to be submitted multiple times<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11872) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11907)): <!--number 11907 --><!--line 0 --><!--description Y2k6IHByZXZlbnQgdXNhZ2Ugb2YgbGl2ZSBhcHBsaWNhdGlvbiBtb2RlbHMgJiBzZXJ2aWNlcyBpbiBtaWdyYXRpb25z-->ci: prevent usage of live application models & services in migrations<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11432): <!--number 11432 --><!--line 0 --><!--description TW92ZSBDb250YWluZXIgQVBJIHByb2Nlc3NpbmcgbG9naWMgdG8gc2VydmljZQ==-->Move Container API processing logic to service<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11900): <!--number 11900 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ28tZ2l0L2dvLWdpdC92NSAoaW5kaXJlY3QpIHRvIHY1LjE3LjEgW1NFQ1VSSVRZXSAodjE1LjAvZm9yZ2Vqbyk=-->Update github.com/go-git/go-git/v5 (indirect) to v5.17.1 [SECURITY] (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11886): <!--number 11886 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgaGFwcHktZG9tIHRvIHYyMC44LjkgW1NFQ1VSSVRZXSAodjE1LjAvZm9yZ2VqbykgLSBhdXRvY2xvc2Vk-->Update dependency happy-dom to v20.8.9 [SECURITY] (v15.0/forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11874) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11877)): <!--number 11877 --><!--line 0 --><!--description ZmVhdDogdXNlIGAtLXRva2VuLXVybGAgaW4gcnVubmVyIHNldHVwIGluc3RydWN0aW9ucw==-->feat: use `--token-url` in runner setup instructions<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11696): <!--number 11696 --><!--line 0 --><!--description ZmVhdCh1aSk6IGNyZWF0ZSByZXBvLXNwZWNpZmljIGFjY2VzcyB0b2tlbnM=-->feat(ui): create repo-specific access tokens<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11839): <!--number 11839 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgaGFwcHktZG9tIHRvIHYyMC44LjggW1NFQ1VSSVRZXSAodjE1LjAvZm9yZ2Vqbyk=-->Update dependency happy-dom to v20.8.8 [SECURITY] (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11776) ([backported](https://codeberg.org/forgejo/forgejo/pulls/11833)): <!--number 11833 --><!--line 0 --><!--description Zml4OiBkdXBsaWNhdGUga2V5IHZpb2xhdGVzIHVuaXF1ZSBjb25zdHJhaW50IGluIGNvbmN1cnJlbnQgZGViaWFuIHBhY2thZ2UgdXBsb2Fkcw==-->fix: duplicate key violates unique constraint in concurrent debian package uploads<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11801): <!--number 11801 --><!--line 0 --><!--description Y2k6IHVwZGF0ZSB0ZXN0cyB0byBydW4gZGViaWFuIHRyaXhpZSwgcmVtb3ZlIG1hbnVhbCBpbnN0YWxsYXRpb24gZnJvbSBgdGVzdGluZ2A=-->ci: update tests to run debian trixie, remove manual installation from `testing`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11825): <!--number 11825 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzguMCBbU0VDVVJJVFldICh2MTUuMC9mb3JnZWpvKQ==-->Update module golang.org/x/image to v0.38.0 [SECURITY] (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11805): <!--number 11805 --><!--line 0 --><!--description VXBkYXRlIE5vZGUuanMgdG8gdjI0LjE0LjEgKGZvcmdlam8p-->Update Node.js to v24.14.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11806): <!--number 11806 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vYWN0aW9ucy1wcm90byB0byB2MC43LjAgKGZvcmdlam8p-->Update module code.forgejo.org/forgejo/actions-proto to v0.7.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11804): <!--number 11804 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNy4zIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.7.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11789): <!--number 11789 --><!--line 0 --><!--description Y2hvcmU6IGxpbmsgdG8gQUkgQWdyZWVtZW50IGluIFBSIHRlbXBsYXRl-->chore: link to AI Agreement in PR template<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11732): <!--number 11732 --><!--line 0 --><!--description YWxsb3cgcmVuYW1pbmcgYW5kIHJlcGxhY2luZyBzZWNyZXRz-->allow renaming and replacing secrets<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11781): <!--number 11781 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIERvY2tlciB0YWcgdG8gdjQzLjg2LjEgKGZvcmdlam8p-->Update renovate Docker tag to v43.86.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11772): <!--number 11772 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2phY2tjL3BneC92NSB0byB2NS45LjEgKGZvcmdlam8p-->Update module github.com/jackc/pgx/v5 to v5.9.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11717): <!--number 11717 --><!--line 0 --><!--description ZG9jdW1lbnQgbW9yZSBzdGF0dXMgY29kZXMgaW4gdGhlIEFQSQ==-->document more status codes in the API<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11217): <!--number 11217 --><!--line 0 --><!--description YnVpbGQ6IHBvbGlzaCBsaW50ZXIgZXJyb3IgdnMuIGRlYWQgY29kZSByZXBvcnRpbmc=-->build: polish linter error vs. dead code reporting<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11751): <!--number 11751 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3l1aW4vZ29sZG1hcmsgdG8gdjEuNy4xNyAoZm9yZ2Vqbyk=-->Update module github.com/yuin/goldmark to v1.7.17 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10541): <!--number 10541 --><!--line 0 --><!--description YWRkIG1hbmFnZV9jcmVkZW50aWFscyB0byB1c2VyIGRpc2FibGUgZmVhdHVyZXM=-->add manage_credentials to user disable features<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11745): <!--number 11745 --><!--line 0 --><!--description VXBkYXRlIE5vZGUuanMgdG8gdjI0LjE0LjAgKGZvcmdlam8p-->Update Node.js to v24.14.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11743): <!--number 11743 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvdG9vbHMvY21kL2RlYWRjb2RlIHRvIHYwLjQzLjAgKGZvcmdlam8p-->Update module golang.org/x/tools/cmd/deadcode to v0.43.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11741): <!--number 11741 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvb2F1dGgyIHRvIHYwLjM2LjAgKGZvcmdlam8p-->Update module golang.org/x/oauth2 to v0.36.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11674): <!--number 11674 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLXdlYmF1dGhuL3dlYmF1dGhuIHRvIHYwLjE2LjEgKGZvcmdlam8p-->Update module github.com/go-webauthn/webauthn to v0.16.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11744): <!--number 11744 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBtdmRhbi5jYy94dXJscy92MiB0byB2Mi42LjAgKGZvcmdlam8p-->Update module mvdan.cc/xurls/v2 to v2.6.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11632): <!--number 11632 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvb2dsZS9nby1saWNlbnNlcyB0byB2MiAoZm9yZ2VqbykgLSBhdXRvY2xvc2Vk-->Update module github.com/google/go-licenses to v2 (forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11740): <!--number 11740 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvbmV0IHRvIHYwLjUyLjAgKGZvcmdlam8p-->Update module golang.org/x/net to v0.52.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11264): <!--number 11264 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgY2xpcHBpZSB0byB2NC4xLjEwIChmb3JnZWpvKQ==-->Update dependency clippie to v4.1.10 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11738): <!--number 11738 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL1Byb3Rvbk1haWwvZ28tY3J5cHRvIHRvIHYxLjQuMSAoZm9yZ2Vqbyk=-->Update module github.com/ProtonMail/go-crypto to v1.4.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11739): <!--number 11739 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzcuMCAoZm9yZ2Vqbyk=-->Update module golang.org/x/image to v0.37.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11691): <!--number 11691 --><!--line 0 --><!--description cmVtb3ZlIHRlbXBsYXRlIGZpbGUgZnJvbSBnZW5lcmF0ZWQgcmVwbw==-->remove template file from generated repo<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11713): <!--number 11713 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3VyZmF2ZS9jbGkvdjMgdG8gdjMuNy4wIChmb3JnZWpvKQ==-->Update module github.com/urfave/cli/v3 to v3.7.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11729): <!--number 11729 --><!--line 0 --><!--description cGVyZjogcmVtb3ZlIHJlZHVuZGFudCAmIGluY29ycmVjdCBmaWx0ZXJzIG9uICdTZWFyY2hSZXBvT3B0aW9ucy5Pd25lcklEJw==-->perf: remove redundant & incorrect filters on 'SearchRepoOptions.OwnerID'<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11728): <!--number 11728 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvY3J5cHRvIHRvIHYwLjQ5LjAgKGZvcmdlam8p-->Update module golang.org/x/crypto to v0.49.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11718): <!--number 11718 --><!--line 0 --><!--description dXNlIENTUyBjbGFzcyB0byBpbmRpY2F0ZSB0aGF0IHJ1bm5lciBuYW1lIGlzIHJlcXVpcmVk-->use CSS class to indicate that runner name is required<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11709): <!--number 11709 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL1Byb3Rvbk1haWwvZ28tY3J5cHRvIHRvIHYxLjQuMCAoZm9yZ2Vqbyk=-->Update module github.com/ProtonMail/go-crypto to v1.4.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11700): <!--number 11700 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3BxdWVybmEvb3RwIHRvIHYxLjUuMCAoZm9yZ2VqbykgLSBhdXRvY2xvc2Vk-->Update module github.com/pquerna/otp to v1.5.0 (forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11719): <!--number 11719 --><!--line 0 --><!--description Zml4KHVpKTogY2xlYW51cCBjc3MgZGVhZGNvZGUgcmVsYXRlZCB0byBzdGFja2FibGUgbWVudXM=-->fix(ui): cleanup css deadcode related to stackable menus<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11707): <!--number 11707 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBmaWxsbW9yZS1sYWJzLmNvbS9lcnJvcnR5cGUgdG8gdjAuMC4xMSAoZm9yZ2Vqbyk=-->Update module fillmore-labs.com/errortype to v0.0.11 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11708): <!--number 11708 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21hdHRuL2dvLXNxbGl0ZTMgdG8gdjEuMTQuMzcgKGZvcmdlam8p-->Update module github.com/mattn/go-sqlite3 to v1.14.37 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11690): <!--number 11690 --><!--line 0 --><!--description c2NvcGUtc3BlY2lmaWMgaGVhZGluZ3MgZm9yIGxpc3Qgb2YgcmVjZW50IHRhc2tz-->scope-specific headings for list of recent tasks<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11616): <!--number 11616 --><!--line 0 --><!--description cmVtb3ZlIHNlY29uZCBjaGFsbGVuZ2UgZnJvbSBXV1ctQXV0aGVudGljYXRlIGhlYWRlcg==-->remove second challenge from WWW-Authenticate header<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11686): <!--number 11686 --><!--line 0 --><!--description dGVzdDogYXR0ZW1wdCB0byBmaXggZmxha3kgVGVzdEJsZXZlRGVsZXRlSXNzdWU=-->test: attempt to fix flaky TestBleveDeleteIssue<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11053): <!--number 11053 --><!--line 0 --><!--description YnVpbGQ6IG1vdmUgYmFja2VuZC1jaGVja3MgQ0kgY2hlY2tzIHRvIE1ha2VmaWxlOiBgbWFrZSBwci1nb2A=-->build: move backend-checks CI checks to Makefile: `make pr-go`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11507): <!--number 11507 --><!--line 0 --><!--description UmVwbGFjZSByZWZlcmVuY2UgdG8gTW9uYWNvIHdpdGggQ29kZU1pcnJvciBpbiBhcHAuZXhhbXBsZS5pbmk=-->Replace reference to Monaco with CodeMirror in app.example.ini<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11295): <!--number 11295 --><!--line 0 --><!--description Zml4KHByb3h5cHJvdG9jb2wpOiByZW1vdmUgdHJhaWxpbmcgbnVsbCBieXRlIGZvciBsb2NhbCBjb25uZWN0aW9u-->fix(proxyprotocol): remove trailing null byte for local connection<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10525): <!--number 10525 --><!--line 0 --><!--description ZXhwYW5kIHJldXNhYmxlIHdvcmtmbG93IGNhbGxzIGludG8gdGhlaXIgaW5uZXIgam9icw==-->expand reusable workflow calls into their inner jobs<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11692): <!--number 11692 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIERvY2tlciB0YWcgdG8gdjQzLjc2LjIgKGZvcmdlam8p-->Update renovate Docker tag to v43.76.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11697): <!--number 11697 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGdvb2dsZS9tb2RlbC12aWV3ZXIgdG8gdjQuMi4wIChmb3JnZWpvKQ==-->Update dependency @google/model-viewer to v4.2.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11695): <!--number 11695 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLXN3YWdnZXIvZ28tc3dhZ2dlci9jbWQvc3dhZ2dlciB0byB2MC4zMy4yIChmb3JnZWpvKQ==-->Update module github.com/go-swagger/go-swagger/cmd/swagger to v0.33.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11693): <!--number 11693 --><!--line 0 --><!--description VXBkYXRlIENvZGVNaXJyb3IgKGZvcmdlam8p-->Update CodeMirror (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11683): <!--number 11683 --><!--line 0 --><!--description Zml4KGkxOG4pOiByZXVzZSBzdHJpbmcgZm9yIHJlcG9zaXRvcnkgYWNjZXNzLCBmaXggY2FwaXRhbGl6YXRpb24gY29uc2lzdGVuY3k=-->fix(i18n): reuse string for repository access, fix capitalization consistency<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11675): <!--number 11675 --><!--line 0 --><!--description Zml4KHVpKTogaW1wcm92ZSBjb25zaXN0ZW5jeSBpbiBuZXcgcnVubmVyIG1hbmFnZW1lbnQgcGFnZXM=-->fix(ui): improve consistency in new runner management pages<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11682): <!--number 11682 --><!--line 0 --><!--description aW5jb3JyZWN0IERCIGVycm9yIGhhbmRsaW5nIGluICdQT1NUIC91c2Vycy97dXNlcm5hbWV9L3Rva2Vucyc=-->incorrect DB error handling in 'POST /users/{username}/tokens'<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11585): <!--number 11585 --><!--line 0 --><!--description Zml4KGlzc3VlLXNlYXJjaCk6IGRlbGV0ZSBpc3N1ZSBmcm9tIGluZGV4ZXIgb24gRGVsZXRlSXNzdWU=-->fix(issue-search): delete issue from indexer on DeleteIssue<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11672): <!--number 11672 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGNvZGVtaXJyb3IvdmlldyB0byB2Ni4zOS4xNyAoZm9yZ2Vqbyk=-->Update dependency @codemirror/view to v6.39.17 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11335): <!--number 11335 --><!--line 0 --><!--description c2tpcCByZXBvIGF2YXRhciB1cGxvYWQgd2hlbiBubyBmaWxlIGlzIHNlbGVjdGVk-->skip repo avatar upload when no file is selected<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11478): <!--number 11478 --><!--line 0 --><!--description UlBNIHJlZ2lzdHJ5IGFkZHJlcG8gaW5zdHJ1Y3Rpb25z-->RPM registry addrepo instructions<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11525): <!--number 11525 --><!--line 0 --><!--description Y2hvcmU6IGFkZCBtb3JlIGRpYWdub3N0aWMgb3V0cHV0IHRvIGRiZnMgU3RhdCBlcnJvcg==-->chore: add more diagnostic output to dbfs Stat error<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11280): <!--number 11280 --><!--line 0 --><!--description Y2k6IGVuc3VyZSBjb3JyZWN0IG5vZGUgdmVyc2lvbg==-->ci: ensure correct node version<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11542): <!--number 11542 --><!--line 0 --><!--description Y2hvcmU6IHNraXAgc2hhMjU2IHJlcG8gZm9yIG9sZGVyIGdpdCB2ZXJzaW9ucw==-->chore: skip sha256 repo for older git versions<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11176): <!--number 11176 --><!--line 0 --><!--description ZW5zdXJlIGNvbnNpc3RlbnQgc29ydCBvcmRlciBpbiBUZXN0RmVlZCBmaXh0dXJl-->ensure consistent sort order in TestFeed fixture<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11007): <!--number 11007 --><!--line 0 --><!--description Zml4IE5ld01vY2tXZWJTZXJ2ZXIoKTogSGVhZGVycyBuZXZlciByZWFjaGVkIHRoZSBodHRwIGNsaWVudA==-->fix NewMockWebServer(): Headers never reached the http client<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10798): <!--number 10798 --><!--line 0 --><!--description bWlncmF0aW9ucy9naXRodWI6IGF2b2lkIGdldHRpbmcgdGhlIGZpcnN0IGlzc3VlcyBwYWdlIHR3aWNl-->migrations/github: avoid getting the first issues page twice<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10846): <!--number 10846 --><!--line 0 --><!--description bWlncmF0aW9ucy9naXRodWI6IFdhaXQgJiByZXRyeSB3aGVuIHByaW1hcnkgcmF0ZSBsaW1pdCBpcyBoaXQ=-->migrations/github: Wait & retry when primary rate limit is hit<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11038): <!--number 11038 --><!--line 0 --><!--description ZGV0ZWN0IHJlbmFtZXMgd2hlbiB1c2luZyBkaWZmLXRyZWU=-->detect renames when using diff-tree<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10883): <!--number 10883 --><!--line 0 --><!--description Y2k6IHRpZSBnbyBjYWNoZSB0byBnbyB2ZXJzaW9uIGFuZCBhZGQgYE1ha2VmaWxlYCB0byBrZXkgaGFzaA==-->ci: tie go cache to go version and add `Makefile` to key hash<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10893): <!--number 10893 --><!--line 0 --><!--description cmV0cnkgQWN0aW9uUnVuIHVwZGF0ZXMgd2hlbiBvcHRpbWlzdGljLWNvbmN1cnJlbmN5LWNvbnRyb2wgaW5kaWNhdGVzIHJlY29yZCBjaGFuZ2Vk-->retry ActionRun updates when optimistic-concurrency-control indicates record changed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10481): <!--number 10481 --><!--line 0 --><!--description YWRkIE9JREMgd29ya2xvYWQgaWRlbnRpdHkgZmVkZXJhdGlvbiBzdXBwb3J0-->add OIDC workload identity federation support<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11662): <!--number 11662 --><!--line 0 --><!--description VXBkYXRlIGRhdGEuZm9yZ2Vqby5vcmcvb2NpL2dvbGFuZyBEb2NrZXIgdGFnIHRvIHYxLjI2IChmb3JnZWpvKSAtIGF1dG9jbG9zZWQ=-->Update data.forgejo.org/oci/golang Docker tag to v1.26 (forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11660): <!--number 11660 --><!--line 0 --><!--description VXBkYXRlIGRhdGEuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9mb3JnZWpvIERvY2tlciB0YWcgdG8gdjExLjAuMTEgKGZvcmdlam8p-->Update data.forgejo.org/forgejo/forgejo Docker tag to v11.0.11 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11663): <!--number 11663 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWVybWFpZCB0byB2MTEuMTMuMCAoZm9yZ2Vqbyk=-->Update dependency mermaid to v11.13.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11657): <!--number 11657 --><!--line 0 --><!--description cmVmYWN0b3I6IHJlcGxhY2UgV2l0aEF2YWlsYWJsZSB3aXRoIFdpdGhWaXNpYmxlIHdoZW4gZmV0Y2hpbmcgcnVubmVycw==-->refactor: replace WithAvailable with WithVisible when fetching runners<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11653): <!--number 11653 --><!--line 0 --><!--description Y3JlYXRlIHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2VuIHVuZXhwZWN0ZWQgYmVoYXZpb3VyIHdpdGggYCJyZXBvc2l0b3JpZXMiOiBbXWA=-->create repo-specific access token unexpected behaviour with `"repositories": []`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11627): <!--number 11627 --><!--line 0 --><!--description VXBkYXRlIGxpbnRlcnMgKGZvcmdlam8p-->Update linters (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11320): <!--number 11320 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjYgKGZvcmdlam8p-->Update dependency go to v1.26 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11334): <!--number 11334 --><!--line 0 --><!--description Zml4KG1vZGVscyk6IGRlZHVwbGljYXRlIHByb2plY3Qgc29ydGluZyB2YWx1ZXMgYW5kIGFkZCB1bmlxdWUgY29uc3RyYWludHM=-->fix(models): deduplicate project sorting values and add unique constraints<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11644): <!--number 11644 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuOCAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.8 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11639): <!--number 11639 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNy4yIChmb3JnZWpvKSAtIGF1dG9jbG9zZWQ=-->Update module code.forgejo.org/forgejo/runner/v12 to v12.7.2 (forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11638): <!--number 11638 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kga2F0ZXggdG8gdjAuMTYuMzggKGZvcmdlam8p-->Update dependency katex to v0.16.38 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11630): <!--number 11630 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vY29kZS5mb3JnZWpvLm9yZy9mb3JnZWpvL3VwbG9hZC1hcnRpZmFjdCBhY3Rpb24gdG8gdjUgKGZvcmdlam8pIC0gYXV0b2Nsb3NlZA==-->Update https://code.forgejo.org/forgejo/upload-artifact action to v5 (forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11631): <!--number 11631 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL3VwbG9hZC1hcnRpZmFjdCBhY3Rpb24gdG8gdjUgKGZvcmdlam8p-->Update https://data.forgejo.org/forgejo/upload-artifact action to v5 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11629): <!--number 11629 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgd3JhcC1hbnNpIHRvIHYxMCAoZm9yZ2Vqbyk=-->Update dependency wrap-ansi to v10 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11605): <!--number 11605 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgYXNjaWluZW1hLXBsYXllciB0byB2My4xNS4xIChmb3JnZWpvKQ==-->Update dependency asciinema-player to v3.15.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11624): <!--number 11624 --><!--line 0 --><!--description Y2hvcmUoZGVwcyk6IGJ1bXAgeG9ybSB0byB2MS4zLjktZm9yZ2Vqby44-->chore(deps): bump xorm to v1.3.9-forgejo.8<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11342): <!--number 11342 --><!--line 0 --><!--description Y2hvcmUocmVmYWN0b3IpOiBzcGxpdCBBZGRSZXBvc2l0b3J5IGFuZCBBZGRUZWFtTWVtYmVyIHRvIHJldHVybiB0aGUgaW5zZXJ0ZWQgdmFsdWU=-->chore(refactor): split AddRepository and AddTeamMember to return the inserted value<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11621): <!--number 11621 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ2xvYmFscyB0byB2MTcuNC4wIChmb3JnZWpvKQ==-->Update dependency globals to v17.4.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11588): <!--number 11588 --><!--line 0 --><!--description d2ViaG9vay9kaXNjb3JkOiBvbWl0IGVtcHR5IGVtYmVkcy5mb290ZXIgZnJvbSB0aGUgcGF5bG9hZCBmb3IgU3BhY2ViYXIgY29tcGF0aWJpbGl0eQ==-->webhook/discord: omit empty embeds.footer from the payload for Spacebar compatibility<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11601): <!--number 11601 --><!--line 0 --><!--description cmVmYWN0b3I6IHJlcGxhY2UgQWN0aW9uUnVubmVyVG9rZW4uT3duZXJJRCAmIFJlcG9JRCB3aXRoIG9wdGlvbmFsLk9wdGlvbltpbnQ2NF0=-->refactor: replace ActionRunnerToken.OwnerID & RepoID with optional.Option[int64]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11593): <!--number 11593 --><!--line 0 --><!--description Y2k6IGRldGVjdCBhbmQgcHJldmVudCBlbXB0eSBgY2FzZWAgc3RhdGVtZW50cyBpbiBHbyBjb2Rl-->ci: detect and prevent empty `case` statements in Go code<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11599): <!--number 11599 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kga2F0ZXggdG8gdjAuMTYuMzcgKGZvcmdlam8p-->Update dependency katex to v0.16.37 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11595): <!--number 11595 --><!--line 0 --><!--description cmVmYWN0b3I6IHJlbmFtZSBBY2Nlc3NUb2tlbkVycm9yIHRvIEFjY2Vzc1Rva2VuRXJyb3JSZXNwb25zZQ==-->refactor: rename AccessTokenError to AccessTokenErrorResponse<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11442): <!--number 11442 --><!--line 0 --><!--description ZW5mb3JjZSBwYWNrYWdlIHF1b3RhIGFnYWluc3QgcGFja2FnZSBvd25lciwgbm90IHVwbG9hZGVy-->enforce package quota against package owner, not uploader<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11144): <!--number 11144 --><!--line 0 --><!--description Y2hvcmU6IGFkZCBjb21tZW50IGZvciBhcCBtaWdyYXRpb24=-->chore: add comment for ap migration<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9254): <!--number 9254 --><!--line 0 --><!--description ZmVhdChhY3Rpdml0eXB1Yik6IHVzZSBzdHJ1Y3R1cmUgQFByZWZlcnJlZFVzZXJuYW1lQGhvc3QudGxkOnBvcnQgZm9yIGFjdG9ycw==-->feat(activitypub): use structure @PreferredUsername@host.tld:port for actors<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11568): <!--number 11568 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21pbmlvL21pbmlvLWdvL3Y3IHRvIHY3LjAuOTkgKGZvcmdlam8pIC0gYXV0b2Nsb3NlZA==-->Update module github.com/minio/minio-go/v7 to v7.0.99 (forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11576): <!--number 11576 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kga2F0ZXggdG8gdjAuMTYuMzUgKGZvcmdlam8p-->Update dependency katex to v0.16.35 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11558): <!--number 11558 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgd2VicGFjayB0byB2NS4xMDUuNCAoZm9yZ2Vqbyk=-->Update dependency webpack to v5.105.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11587): <!--number 11587 --><!--line 0 --><!--description Y2hvcmU6IGNsZWFudXAgTWFrZWZpbGU=-->chore: cleanup Makefile<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11583): <!--number 11583 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IEZvcmdlam8gdjE0LjAuMyBbc2tpcCBjaV0=-->chore(release-notes): Forgejo v14.0.3 [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11582): <!--number 11582 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IEZvcmdlam8gdjExLjAuMTEgW3NraXAgY2ld-->chore(release-notes): Forgejo v11.0.11 [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11553): <!--number 11553 --><!--line 0 --><!--description Y2hvcmU6IHN1cHBvcnQgYE9wdGlvbltUXWAgYXMgYSB0eXBlIG9uIGRhdGFiYXNlIHNjaGVtYSBzdHJ1Y3Rz-->chore: support `Option[T]` as a type on database schema structs<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11564): <!--number 11564 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWVucnkvZ28tZW5yeS92MiB0byB2Mi45LjUgKGZvcmdlam8p-->Update module github.com/go-enry/go-enry/v2 to v2.9.5 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11559): <!--number 11559 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuNyAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.7 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11562): <!--number 11562 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNy4xIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.7.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11481): <!--number 11481 --><!--line 0 --><!--description Y2hvcmUodHJlZXdpZGUpOiByZW5hbWUgU2FmZUhUTUwgdG8gVHJ1c3RIVE1M-->chore(treewide): rename SafeHTML to TrustHTML<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11563): <!--number 11563 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2JsZXZlc2VhcmNoL2JsZXZlL3YyIHRvIHYyLjUuNyAoZm9yZ2Vqbyk=-->Update module github.com/blevesearch/bleve/v2 to v2.5.7 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11368): <!--number 11368 --><!--line 0 --><!--description ZmVhdChhcGkpOiBtb3JlIHZlcmJvc2UgZXJyb3IgbWVzc2FnZXMgYW5kIHN3YWdnZXIgY29tbWVudHMgZm9yIHBvc3RpbmcgaXNzdWUgY29tbWVudHM=-->feat(api): more verbose error messages and swagger comments for posting issue comments<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11486): <!--number 11486 --><!--line 0 --><!--description VXBkYXRlIGNvZGUuZm9yZ2Vqby5vcmcvZm9yZ2Vqby1jb250cmliL2dvLWxpYnJhdmF0YXIgZGlnZXN0IHRvIGFkZDQ5NGUgKGZvcmdlam8p-->Update code.forgejo.org/forgejo-contrib/go-libravatar digest to add494e (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11545): <!--number 11545 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgdGFpbHdpbmRjc3MgdG8gdjMuNC4xOSAoZm9yZ2Vqbyk=-->Update dependency tailwindcss to v3.4.19 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11538): <!--number 11538 --><!--line 0 --><!--description Y2hvcmUoZGVwcyk6IHVwZ3JhZGUgeG9ybSB0byB2MS4zLjktZm9yZ2Vqby43-->chore(deps): upgrade xorm to v1.3.9-forgejo.7<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11549): <!--number 11549 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgdWludDgtdG8tYmFzZTY0IHRvIHYwLjIuMSAoZm9yZ2Vqbyk=-->Update dependency uint8-to-base64 to v0.2.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11543): <!--number 11543 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9yZWxlYXNlLW5vdGVzLWFzc2lzdGFudCB0byB2MS42LjEgKGZvcmdlam8p-->Update dependency forgejo/release-notes-assistant to v1.6.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11470): <!--number 11470 --><!--line 0 --><!--description Zml4KHRlc3RzKTogZG8gbm90IGxlYWsgZ2xvYmFsIHJlcG9zaXRvcnkgdW5pdCBkZWZhdWx0cw==-->fix(tests): do not leak global repository unit defaults<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11523): <!--number 11523 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWluaW1hdGNoIHRvIHYxMC4yLjQgKGZvcmdlam8p-->Update dependency minimatch to v10.2.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11521): <!--number 11521 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuOCAoZm9yZ2Vqbyk=-->Update dependency go to v1.25.8 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11520): <!--number 11520 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kga2F0ZXggdG8gdjAuMTYuMzMgKGZvcmdlam8p-->Update dependency katex to v0.16.33 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11519): <!--number 11519 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZGF5anMgdG8gdjEuMTEuMTkgKGZvcmdlam8p-->Update dependency dayjs to v1.11.19 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11517): <!--number 11517 --><!--line 0 --><!--description VXBkYXRlIENvZGVNaXJyb3IgKGZvcmdlam8p-->Update CodeMirror (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9873): <!--number 9873 --><!--line 0 --><!--description SGFuZGxlIGVycm9yIHR5cGVzIGNvbnNpc3RlbnRseQ==-->Handle error types consistently<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11450): <!--number 11450 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21hcmtiYXRlcy9nb3RoIHRvIHYxLjgyLjAgKGZvcmdlam8p-->Update module github.com/markbates/goth to v1.82.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11385): <!--number 11385 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWVybWFpZCB0byB2MTEuMTIuMyAoZm9yZ2Vqbyk=-->Update dependency mermaid to v11.12.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11508): <!--number 11508 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgc3ZnbyB0byB2NC4wLjEgW1NFQ1VSSVRZXSAoZm9yZ2Vqbyk=-->Update dependency svgo to v4.0.1 [SECURITY] (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11388): <!--number 11388 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWluaW1hdGNoIHRvIHYxMC4yLjEgKGZvcmdlam8p-->Update dependency minimatch to v10.2.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11376): <!--number 11376 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9yZWxlYXNlLW5vdGVzLWFzc2lzdGFudCB0byB2MS42LjAgKGZvcmdlam8p-->Update dependency forgejo/release-notes-assistant to v1.6.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11384): <!--number 11384 --><!--line 0 --><!--description UmVwbGFjZSBOb2RlLmpzIHdpdGggZGF0YS5mb3JnZWpvLm9yZy9vY2kvbm9kZSAyNC10cml4aWUgKGZvcmdlam8p-->Replace Node.js with data.forgejo.org/oci/node 24-trixie (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11441): <!--number 11441 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWluaW1hdGNoIHRvIHYxMC4yLjMgW1NFQ1VSSVRZXSAoZm9yZ2Vqbyk=-->Update dependency minimatch to v10.2.3 [SECURITY] (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11359): <!--number 11359 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuNiAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.6 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11406): <!--number 11406 --><!--line 0 --><!--description UmV2ZXJ0ICJSZXBsYWNlIE5vZGUuanMgd2l0aCBkYXRhLmZvcmdlam8ub3JnL29jaS9ub2RlIDI0LXRyaXhpZSAoZm9yZ2VqbykgKCMxMTM4NCki-->Revert "Replace Node.js with data.forgejo.org/oci/node 24-trixie (forgejo) (#11384)"<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11392): <!--number 11392 --><!--line 0 --><!--description Y2hvcmUocmVub3ZhdGUpOiBwcmVwYXJlIGZvciBvcGVyYXRvcg==-->chore(renovate): prepare for operator<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11363): <!--number 11363 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNy4wIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.7.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11243): <!--number 11243 --><!--line 0 --><!--description Y2hvcmUocmVub3ZhdGUpOiBkaXNhYmxlIG1ham9yIHVwZGF0ZXMgb24gc3RhYmxlIGJyYW5jaGVzIGJ5IGRlZmF1bHQ=-->chore(renovate): disable major updates on stable branches by default<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11293): <!--number 11293 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgc29ydGFibGVqcyB0byB2MS4xNS43IChmb3JnZWpvKQ==-->Update dependency sortablejs to v1.15.7 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11233): <!--number 11233 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21hdHRuL2dvLXNxbGl0ZTMgdG8gdjEuMTQuMzQgKGZvcmdlam8p-->Update module github.com/mattn/go-sqlite3 to v1.14.34 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11350): <!--number 11350 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBmaWVsZCBlcGhlbWVyYWwgZnJvbSBydW5uZXIgcmVnaXN0cmF0aW9uIHJlc3BvbnNl-->chore: remove field ephemeral from runner registration response<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11218): <!--number 11218 --><!--line 0 --><!--description cmVmYWN0b3I6IHJlcGxhY2UgYFZhbHVlKClgIGZyb20gT3B0aW9uW1RdIHdpdGggYEdldCgpYCAmIGBWYWx1ZU9yWmVyb1ZhbHVlKClg-->refactor: replace `Value()` from Option[T] with `Get()` & `ValueOrZeroValue()`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11222): <!--number 11222 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNi40IChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.6.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11319): <!--number 11319 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgcG9zdGNzcy1sb2FkZXIgdG8gdjguMi4xIChmb3JnZWpvKQ==-->Update dependency postcss-loader to v8.2.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11226): <!--number 11226 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzYuMCAoZm9yZ2Vqbyk=-->Update module golang.org/x/image to v0.36.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11241): <!--number 11241 --><!--line 0 --><!--description ZmVhdCh1aSk6IHN1cHBvcnQgQzMgbGFuZ3VhZ2UgaGlnaGxpZ2h0aW5nIGluIGZpbGUgZWRpdG9y-->feat(ui): support C3 language highlighting in file editor<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11210): <!--number 11210 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgcG9zdGNzcy1uZXN0aW5nIHRvIHYxNCAoZm9yZ2Vqbyk=-->Update dependency postcss-nesting to v14 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11201): <!--number 11201 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGNvZGVtaXJyb3IvY29tbWFuZHMgdG8gdjYuMTAuMiAoZm9yZ2Vqbyk=-->Update dependency @codemirror/commands to v6.10.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11237): <!--number 11237 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvbmV0IHRvIHYwLjUwLjAgKGZvcmdlam8p-->Update module golang.org/x/net to v0.50.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11333): <!--number 11333 --><!--line 0 --><!--description Zml4KGkxOG4pOiB1bmhhcmRjb2RlIGxhYmVsIGV4Y2x1c2lvbiB0b29sdGlwcw==-->fix(i18n): unhardcode label exclusion tooltips<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11235): <!--number 11235 --><!--line 0 --><!--description Y2hvcmUobGludCk6IGVuYWJsZSBuaWxuaWw=-->chore(lint): enable nilnil<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11325): <!--number 11325 --><!--line 0 --><!--description aTE4bigqKTogbWlncmF0ZSA5MiBzdHJpbmdzIHRvIGpzb24=-->i18n(*): migrate 92 strings to json<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11093): <!--number 11093 --><!--line 0 --><!--description Y29ycmVjdCBtYWxmb3JtZWQgQ3JlYXRlVGVhbU9wdGlvbiBleGFtcGxl-->correct malformed CreateTeamOption example<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11225): <!--number 11225 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvY3J5cHRvIHRvIHYwLjQ4LjAgKGZvcmdlam8p-->Update module golang.org/x/crypto to v0.48.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10979): <!--number 10979 --><!--line 0 --><!--description aTE4bigqKTogbWlncmF0ZSBpbmkgc2VjdGlvbiBbcGFja2FnZXNdIHRvIGpzb24=-->i18n(*): migrate ini section [packages] to json<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11345): <!--number 11345 --><!--line 0 --><!--description Y2hvcmUoaTE4bik6IGRlZHVwbGljYXRlIGNvbW1vbiBwYWNrYWdlcyByZWxhdGVkIHN0cmluZ3M=-->chore(i18n): deduplicate common packages related strings<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11277): <!--number 11277 --><!--line 0 --><!--description Q2hvcmUgbW9kdWxlcy9zZXNzaW9uL3ZpcnR1YWw6IGdjIF9vbGRfdWlkIGhhY2s=-->Chore modules/session/virtual: gc _old_uid hack<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11236): <!--number 11236 --><!--line 0 --><!--description VXBkYXRlIE5vZGUuanMgdG8gdjI0LjEzLjEgKGZvcmdlam8p-->Update Node.js to v24.13.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11156): <!--number 11156 --><!--line 0 --><!--description ZmVhdCh1aSk6IHN1cHBvcnQgYWRkaXRpb25hbCBqb2Igc3RhdHVzIHNlbGVjdGlvbiBpbiBkcm9wZG93biBtZW51IG9uIEFjdGlvbnMgdGFi-->feat(ui): support additional job status selection in dropdown menu on Actions tab<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11284): <!--number 11284 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgd2VicGFjayB0byB2NS4xMDUuMiAoZm9yZ2Vqbyk=-->Update dependency webpack to v5.105.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11251): <!--number 11251 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGNvZGVtaXJyb3IvdmlldyB0byB2Ni4zOS4xNCAoZm9yZ2Vqbyk=-->Update dependency @codemirror/view to v6.39.14 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11326): <!--number 11326 --><!--line 0 --><!--description VXNlclR5cGVSZW1vdGVVc2VyIGlzIGFuIGVsaWdpYmxlIG9yZ2FuaXphdGlvbiBtZW1iZXI=-->UserTypeRemoteUser is an eligible organization member<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11223): <!--number 11223 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2tsYXVzcG9zdC9jb21wcmVzcyB0byB2MS4xOC40IChmb3JnZWpvKQ==-->Update module github.com/klauspost/compress to v1.18.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11199): <!--number 11199 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0MyAoZm9yZ2VqbykgKG1ham9yKQ==-->Update renovate to v43 (forgejo) (major)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11318): <!--number 11318 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgYXNjaWluZW1hLXBsYXllciB0byB2My4xNC4xNSAoZm9yZ2Vqbyk=-->Update dependency asciinema-player to v3.14.15 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11142): <!--number 11142 --><!--line 0 --><!--description Y2k6IGludHJvZHVjZSBgc2VtZ3JlcGAgdG8gcHJldmVudCB1c2luZyBgeG9ybS5TeW5jKClgIGluY29ycmVjdGx5IGluIG5ldyBtaWdyYXRpb25z-->ci: introduce `semgrep` to prevent using `xorm.Sync()` incorrectly in new migrations<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11169): <!--number 11169 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9yZWxlYXNlLW5vdGVzLWFzc2lzdGFudCB0byB2MS41LjIgKGZvcmdlam8p-->Update dependency forgejo/release-notes-assistant to v1.5.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11197): <!--number 11197 --><!--line 0 --><!--description Y2hvcmUodWkpOiBhZGQgaW50ZWdyYXRpb24gdGVzdHMgZm9yIGZvb3RlciB0bXBsIGxvZ2lj-->chore(ui): add integration tests for footer tmpl logic<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11143): <!--number 11143 --><!--line 0 --><!--description c2hvdyBub3RlIHRoYXQgdXNlciBoYXMgbm8gU1NIIGtleXM=-->show note that user has no SSH keys<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11171): <!--number 11171 --><!--line 0 --><!--description cmVmbGVjdCBhbGxvd2VkIHVzZXJuYW1lIGNoYW5nZSBpbiBwcm9maWxlIHNldHRpbmc=-->reflect allowed username change in profile setting<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11136): <!--number 11136 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGNvZGVtaXJyb3IvdmlldyB0byB2Ni4zOS4xMiAoZm9yZ2Vqbyk=-->Update dependency @codemirror/view to v6.39.12 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11170): <!--number 11170 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWNoaS9jaGkvdjUgdG8gdjUuMi41IChmb3JnZWpvKQ==-->Update module github.com/go-chi/chi/v5 to v5.2.5 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11184): <!--number 11184 --><!--line 0 --><!--description bmV3bHkgZXhwYW5kZWQgZHluYW1pYyBtYXRyaXggam9icyBjYW4gYmVjb21lIHN0dWNrIGluIGEgJ2Jsb2NrZWQnIHN0YXRl-->newly expanded dynamic matrix jobs can become stuck in a 'blocked' state<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11067): <!--number 11067 --><!--line 0 --><!--description UmVmYWN0b3Igand0eC9zaWduaW5na2V5OiBBZGQgSldUKCkgbWV0aG9kIGZvciBjb252ZW5pZW5jZS9jbGFyaXR5-->Refactor jwtx/signingkey: Add JWT() method for convenience/clarity<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11183): <!--number 11183 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgd2VicGFjayB0byB2NS4xMDUuMCAoZm9yZ2Vqbyk=-->Update dependency webpack to v5.105.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11149): <!--number 11149 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuNyAoZm9yZ2Vqbyk=-->Update dependency go to v1.25.7 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11104): <!--number 11104 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuNCAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10552): <!--number 10552 --><!--line 0 --><!--description ZmVhdChpc3N1ZS1zZWFyY2gpOiBzdXBwb3J0IGZpbHRlcmluZyBmb3IgaXNzdWVzIHdpdGggbXVsdGlwbGUgYXNzaWduZWVz-->feat(issue-search): support filtering for issues with multiple assignees<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11448): <!--number 11448 --><!--line 0 --><!--description VXBkYXRlIGxpbnRlcnMgKGZvcmdlam8p-->Update linters (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11493): <!--number 11493 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQHZpdGVzdC9lc2xpbnQtcGx1Z2luIHRvIHYxLjYuOSAoZm9yZ2VqbykgLSBhdXRvY2xvc2Vk-->Update dependency @vitest/eslint-plugin to v1.6.9 (forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11492): <!--number 11492 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vY2xvdWRmbGFyZS9jaXJjbCAoaW5kaXJlY3QpIHRvIHYxLjYuMyBbU0VDVVJJVFldIChmb3JnZWpvKQ==-->Update github.com/cloudflare/circl (indirect) to v1.6.3 [SECURITY] (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11485): <!--number 11485 --><!--line 0 --><!--description Y2hvcmU6IHVwZGF0ZSBsaWNlbnNlIHRlc3Q=-->chore: update license test<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11490): <!--number 11490 --><!--line 0 --><!--description Y2hvcmUocmVub3ZhdGUpOiB1cGRhdGUgY29uZmln-->chore(renovate): update config<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11158): <!--number 11158 --><!--line 0 --><!--description Y2hvcmU6IHVwZGF0ZSBsaWNlbnNlcyBhbmQgZ2l0aWdub3JlcyBbc2tpcCBjaV0=-->chore: update licenses and gitignores [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10311): <!--number 10311 --><!--line 0 --><!--description cmVmYWN0b3I6IHVzZSBzaWduYWwuTm90aWZ5Q29udGV4dCBvdmVyIGN1c3RvbSBpbXBsZW1lbnRhdGlvbg==-->refactor: use signal.NotifyContext over custom implementation<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11477): <!--number 11477 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3ZhbHlhbGEvZmFzdGpzb24gdG8gdjEuNi4xMCAoZm9yZ2Vqbyk=-->Update module github.com/valyala/fastjson to v1.6.10 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11476): <!--number 11476 --><!--line 0 --><!--description Y2k6IGFkZCBgc2VtZ3JlcGAgZGV0ZWN0aW9uIGZvciBBUEkgY29kZSBpZ25vcmluZyByZXBvLXNwZWNpZmljIGFjY2VzcyB0b2tlbnM=-->ci: add `semgrep` detection for API code ignoring repo-specific access tokens<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11374): <!--number 11374 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgc3dhZ2dlci11aS1kaXN0IHRvIHY1LjMxLjEgKGZvcmdlam8p-->Update dependency swagger-ui-dist to v5.31.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11462): <!--number 11462 --><!--line 0 --><!--description UmV2ZXJ0ICJmaXg6IGVuc3VyZSBhY3Rpb25zIGxvZ3MgYXJlIHRyYW5zZmVycmVkIHdoZW4gYSB0YXNrIGlzIGRvbmUgKCMxMDAwOCki-->Revert "fix: ensure actions logs are transferred when a task is done (#10008)"<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11447): <!--number 11447 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvbmV0IHRvIHYwLjUxLjAgW1NFQ1VSSVRZXSAoZm9yZ2Vqbyk=-->Update module golang.org/x/net to v0.51.0 [SECURITY] (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11451): <!--number 11451 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL1NhdmVUaGVSYnR6L3pzdGQtc2Vla2FibGUtZm9ybWF0LWdvL3BrZyB0byB2MC44LjAgKGZvcmdlam8p-->Update module github.com/SaveTheRbtz/zstd-seekable-format-go/pkg to v0.8.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11463): <!--number 11463 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLnN1cGVyc2VyaW91c2J1c2luZXNzLm9yZy9leGlmLXRlcm1pbmF0b3IgdG8gdjAuMTEuMSAoZm9yZ2Vqbyk=-->Update module code.superseriousbusiness.org/exif-terminator to v0.11.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11175): <!--number 11175 --><!--line 0 --><!--description QWRkIFRyYWNlIGxvZ2dpbmcgZm9yIEpXVCBzZXNzaW9u-->Add Trace logging for JWT session<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11449): <!--number 11449 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvbGFuZ2NpL2dvbGFuZ2NpLWxpbnQvdjIvY21kL2dvbGFuZ2NpLWxpbnQgdG8gdjIuMTAuMSAoZm9yZ2Vqbyk=-->Update module github.com/golangci/golangci-lint/v2/cmd/golangci-lint to v2.10.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11434): <!--number 11434 --><!--line 0 --><!--description Y29yZSBpbmZyYXN0cnVjdHVyZSBmb3IgcmVwb3NpdG9yeS1zcGVjaWZpYyBhY2Nlc3MgdG9rZW5z-->core infrastructure for repository-specific access tokens<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11452): <!--number 11452 --><!--line 0 --><!--description aW1wbGVtZW50IHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2VucyBpbiBnaXQgb3BlcmF0aW9ucw==-->implement repo-specific access tokens in git operations<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11110): <!--number 11110 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgY3NzLWxvYWRlciB0byB2Ny4xLjMgKGZvcmdlam8p-->Update dependency css-loader to v7.1.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11121): <!--number 11121 --><!--line 0 --><!--description VXBkYXRlIHZpdGVzdCBtb25vcmVwbyB0byB2NC4wLjE4IChmb3JnZWpvKQ==-->Update vitest monorepo to v4.0.18 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11062): <!--number 11062 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21laWxpc2VhcmNoL21laWxpc2VhcmNoLWdvIHRvIHYwLjM2LjAgKGZvcmdlam8p-->Update module github.com/meilisearch/meilisearch-go to v0.36.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11103): <!--number 11103 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL2NhY2hlIGFjdGlvbiB0byB2NS4wLjMgKGZvcmdlam8p-->Update https://data.forgejo.org/actions/cache action to v5.0.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10915): <!--number 10915 --><!--line 0 --><!--description d2ViL2F1dGg6IHNpZ251cCBwb2xpc2g=-->web/auth: signup polish<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10937): <!--number 10937 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3VyZmF2ZS9jbGkvdjMgdG8gdjMuNi4yIChmb3JnZWpvKQ==-->Update module github.com/urfave/cli/v3 to v3.6.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11090): <!--number 11090 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvbGFuZy1qd3Qvand0L3Y1IHRvIHY1LjMuMSAoZm9yZ2Vqbyk=-->Update module github.com/golang-jwt/jwt/v5 to v5.3.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11077): <!--number 11077 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0Mi45My4xIChmb3JnZWpvKQ==-->Update renovate to v42.93.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10753): <!--number 10753 --><!--line 0 --><!--description Zml4IHR5cG9zIHRocm91Z2hvdXQgdGhlIGNvZGViYXNl-->fix typos throughout the codebase<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10922): <!--number 10922 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGdpdGh1Yi90ZXh0LWV4cGFuZGVyLWVsZW1lbnQgdG8gdjIuOS40IChmb3JnZWpvKQ==-->Update dependency @github/text-expander-element to v2.9.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11066): <!--number 11066 --><!--line 0 --><!--description UG9saXNoIGp3dHgvc2lnbmluZ2tleTogQXZvaWQgbG9nLkZhdGFsKCk=-->Polish jwtx/signingkey: Avoid log.Fatal()<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11092): <!--number 11092 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IEZvcmdlam8gdjE0LjAuMiBbc2tpcCBjaV0=-->chore(release-notes): Forgejo v14.0.2 [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10936): <!--number 10936 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2FsZWN0aG9tYXMvY2hyb21hL3YyIHRvIHYyLjIzLjEgKGZvcmdlam8p-->Update module github.com/alecthomas/chroma/v2 to v2.23.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11095): <!--number 11095 --><!--line 0 --><!--description InJldmVydCBVcGRhdGUgbW9kdWxlIGdpdGh1Yi5jb20vdXJmYXZlL2NsaS92MyB0byB2My42LjIgKGZvcmdlam8pICgjMTA5MzcpIg==-->"revert Update module github.com/urfave/cli/v3 to v3.6.2 (forgejo) (#10937)"<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11147): <!--number 11147 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ2xvYmFscyB0byB2MTcuMy4wIChmb3JnZWpvKQ==-->Update dependency globals to v17.3.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11061): <!--number 11061 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ2xvYmFscyB0byB2MTcuMS4wIChmb3JnZWpvKQ==-->Update dependency globals to v17.1.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11111): <!--number 11111 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ2xvYmFscyB0byB2MTcuMi4wIChmb3JnZWpvKQ==-->Update dependency globals to v17.2.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11105): <!--number 11105 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWVucnkvZ28tZW5yeS92MiB0byB2Mi45LjQgKGZvcmdlam8p-->Update module github.com/go-enry/go-enry/v2 to v2.9.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11088): <!--number 11088 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNi4zIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.6.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11047): <!--number 11047 --><!--line 0 --><!--description TG9jayBmaWxlIG1haW50ZW5hbmNlIChmb3JnZWpvKQ==-->Lock file maintenance (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10975): <!--number 10975 --><!--line 0 --><!--description Y2k6IHVzZSBuZXdlciBmb3JnZWpvIGZvciByZWxlYXNlIHNpbXVsYXRpb24=-->ci: use newer forgejo for release simulation<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10356): <!--number 10356 --><!--line 0 --><!--description ImRpc2FibGUgcm91dGVyIGxvZyIgaW5kaWNhdG9yIG9uIGNvbmZpZ3VyYXRpb24gc3VtbWFyeSBwYWdl-->"disable router log" indicator on configuration summary page<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10847): <!--number 10847 --><!--line 0 --><!--description SW1wcm92ZSBpc3N1ZSB0ZW1wbGF0ZXMgZm9yIG5ldyB3b3JrZmxvdw==-->Improve issue templates for new workflow<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11019): <!--number 11019 --><!--line 0 --><!--description Y2hvcmUodWkpOiBjaGFuZ2UgL2RldnRlc3QgdG8gLy0vZGVtbw==-->chore(ui): change /devtest to /-/demo<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10919): <!--number 10919 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuMSAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10976): <!--number 10976 --><!--line 0 --><!--description Y2k6IGFkZCBuYW1lIHRvIHN0ZXA=-->ci: add name to step<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10987): <!--number 10987 --><!--line 0 --><!--description b3B0aW1pemF0aW9uOiB1c2UgZnMuUmVhZEZpbGU=-->optimization: use fs.ReadFile<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11035): <!--number 11035 --><!--line 0 --><!--description Rml4IHRlc3QgY2FzZXMgd2hlcmUgcmVxdWlyZS5FcnJvckNvbnRhaW5zKCkgaXMgaW50ZW5kZWQsIGJ1dCByZXF1aXJlLkVycm9yZigpIGlzIHVzZWQ=-->Fix test cases where require.ErrorContains() is intended, but require.Errorf() is used<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10890): <!--number 10890 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL2NhY2hlIGFjdGlvbiB0byB2NS4wLjIgKGZvcmdlam8p-->Update https://data.forgejo.org/actions/cache action to v5.0.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11045): <!--number 11045 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3JlZGlzL2dvLXJlZGlzL3Y5IHRvIHY5LjE3LjMgKGZvcmdlam8p-->Update module github.com/redis/go-redis/v9 to v9.17.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10977): <!--number 10977 --><!--line 0 --><!--description InJldmVydCBVcGRhdGUgaHR0cHM6Ly9kYXRhLmZvcmdlam8ub3JnL2Zvcmdlam8vZm9yZ2Vqby1idWlsZC1wdWJsaXNoIGFjdGlvbiB0byB2NS41LjAi-->"revert Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.5.0"<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10999): <!--number 10999 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNi4wIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.6.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10889): <!--number 10889 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgcG9zdGNzcy1odG1sIHRvIHYxLjguMSAoZm9yZ2Vqbyk=-->Update dependency postcss-html to v1.8.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10880): <!--number 10880 --><!--line 0 --><!--description ZGVsZXRlIGRlYWQgY29kZSBpbiBXYXRjaElmQXV0byBhbmQgZ2VuZXJhbCBtb2RlbCBkb2N1bWVudGF0aW9u-->delete dead code in WatchIfAuto and general model documentation<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10972): <!--number 10972 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8tYnVpbGQtcHVibGlzaCBhY3Rpb24gdG8gdjUuNS4wIChmb3JnZWpvKQ==-->Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.5.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10966): <!--number 10966 --><!--line 0 --><!--description Zml4IHR5cG86IHNheSBnb29kIGJ5ZSB0byB0aGUgc2luZ2luZyBrZXk=-->fix typo: say good bye to the singing key<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10897): <!--number 10897 --><!--line 0 --><!--description ZXNjYXBlIEhUTUwgdGFncyBpbiBpbmxpbmUgY29kZSBibG9ja3MgaW4gZGVzY3JpcHRpb24=-->escape HTML tags in inline code blocks in description<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11004): <!--number 11004 --><!--line 0 --><!--description Zml4KGxvY2FsZSk6IHRvb2x0aXAgZm9yICJPd25lciIgcm9sZSBzaG91bGQgbm90IGltcGx5IHVuaXF1ZSBvd25lcg==-->fix(locale): tooltip for "Owner" role should not imply unique owner<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10934): <!--number 10934 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWluaS1jc3MtZXh0cmFjdC1wbHVnaW4gdG8gdjIuMTAuMCAoZm9yZ2Vqbyk=-->Update dependency mini-css-extract-plugin to v2.10.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11015): <!--number 11015 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNi4yIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.6.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10935): <!--number 10935 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9pbmZyYXN0cnVjdHVyZS9pc3N1ZS1hY3Rpb24gYWN0aW9uIHRvIHYxLjUuMCAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/infrastructure/issue-action action to v1.5.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11022): <!--number 11022 --><!--line 0 --><!--description Zml4IGNhc2UtaW5zZW5zaXRpdmUgd2hlbiB1c2luZyBibGV2ZQ==-->fix case-insensitive when using bleve<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11014): <!--number 11014 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuMyAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10980): <!--number 10980 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8tYnVpbGQtcHVibGlzaCBhY3Rpb24gdG8gdjUuNS4xIChmb3JnZWpvKQ==-->Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.5.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11005): <!--number 11005 --><!--line 0 --><!--description UmVwbGFjZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vZm9yZ2VqbyBEb2NrZXIgdGFnIHdpdGggZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8gKGZvcmdlam8p-->Replace code.forgejo.org/forgejo/forgejo Docker tag with data.forgejo.org/forgejo/forgejo (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10967): <!--number 10967 --><!--line 0 --><!--description cG9saXNoIG9hdXRoOiBEbyBub3QgcGFzcyB0aGUgZnVsbCBzaWduaW5nIGtleSB0byB0ZW1wbGF0ZQ==-->polish oauth: Do not pass the full signing key to template<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11037): <!--number 11037 --><!--line 0 --><!--description UG9saXNoIG1vZHVsZXMvc3RvcmFnZSB0ZXN0IHVzZSBvZiByZXF1aXJlLkVycm9yZigp-->Polish modules/storage test use of require.Errorf()<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10911): <!--number 10911 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNS4zIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.5.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10891): <!--number 10891 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2tsYXVzcG9zdC9jb21wcmVzcyB0byB2MS4xOC4zIChmb3JnZWpvKQ==-->Update module github.com/klauspost/compress to v1.18.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10854): <!--number 10854 --><!--line 0 --><!--description cmVjcmVhdGUtdGFibGVzIGRvZXNuJ3Qgd29yayBvbiBQb3N0Z3JlU1FMIHdpdGggbXVsdGlwbGUgRm9yZ2VqbyBzY2hlbWFz-->recreate-tables doesn't work on PostgreSQL with multiple Forgejo schemas<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10799): <!--number 10799 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNS4yIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.5.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10850): <!--number 10850 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuNiAoZm9yZ2Vqbyk=-->Update dependency go to v1.25.6 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10802): <!--number 10802 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvbmV0IHRvIHYwLjQ5LjAgKGZvcmdlam8p-->Update module golang.org/x/net to v0.49.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10828): <!--number 10828 --><!--line 0 --><!--description cGluIGdpdGh1Yi5jb20vdXJmYXZlL2NsaSB0byB2My41LjA=-->pin github.com/urfave/cli to v3.5.0<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10837): <!--number 10837 --><!--line 0 --><!--description W3NraXAgY2ldIGNob3JlKHJlbGVhc2UpOiBkZWxldGUgMTAwMzcgYW5kIDk4NDAgcmVsZWFzZSBub3Rlcw==-->[skip ci] chore(release): delete 10037 and 9840 release notes<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10894): <!--number 10894 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IEZvcmdlam8gdjExLjAuMTAgW3NraXAgY2ld-->chore(release-notes): Forgejo v11.0.10 [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10841): <!--number 10841 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWNoaS9jaGkvdjUgdG8gdjUuMi40IChmb3JnZWpvKQ==-->Update module github.com/go-chi/chi/v5 to v5.2.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10842): <!--number 10842 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21pbmlvL21pbmlvLWdvL3Y3IHRvIHY3LjAuOTggKGZvcmdlam8p-->Update module github.com/minio/minio-go/v7 to v7.0.98 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10875): <!--number 10875 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGNpdGF0aW9uLWpzL3BsdWdpbi1zb2Z0d2FyZS1mb3JtYXRzIHRvIHYwLjYuMiAoZm9yZ2Vqbyk=-->Update dependency @citation-js/plugin-software-formats to v0.6.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10832): <!--number 10832 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IEZvcmdlam8gdjE0LjAuMCBbc2tpcCBjaV0=-->chore(release-notes): Forgejo v14.0.0 [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10865): <!--number 10865 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9yZWxlYXNlLW5vdGVzLWFzc2lzdGFudCB0byB2MS41LjEgKGZvcmdlam8p-->Update dependency forgejo/release-notes-assistant to v1.5.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10896): <!--number 10896 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IEZvcmdlam8gdjEzLjAuNSBbc2tpcCBjaV0=-->chore(release-notes): Forgejo v13.0.5 [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10892): <!--number 10892 --><!--line 0 --><!--description VXBkYXRlIENvZGVNaXJyb3IgKGZvcmdlam8p-->Update CodeMirror (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10673): <!--number 10673 --><!--line 0 --><!--description Y2hvcmU6IHVwZGF0ZSBnb2YzL3YzIHYzLjExLjE1-->chore: update gof3/v3 v3.11.15<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10682): <!--number 10682 --><!--line 0 --><!--description YWN0aW9ucyB2YXJpYWJsZSBhbmQgc2VjcmV0IG5hbWVzIHZhbGlkYXRpb24=-->actions variable and secret names validation<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10790): <!--number 10790 --><!--line 0 --><!--description Y2hvcmU6IFRlYWNoIE1ha2VmaWxlIHRvIGhhbmRsZSBub2RlIHByZS1yZWxlYXNlIHZlcnNpb25z-->chore: Teach Makefile to handle node pre-release versions<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10867): <!--number 10867 --><!--line 0 --><!--description Y2k6IHVzZSBybmEgYmluYXJ5IGluc3RlYWQgb2Ygc291cmNl-->ci: use rna binary instead of source<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10821): <!--number 10821 --><!--line 0 --><!--description Y29uZmlnOiBMb3dlciBkZWZhdWx0IGBbZGF0YWJhc2VdLk1BWF9PUEVOX0NPTk5TYA==-->config: Lower default `[database].MAX_OPEN_CONNS`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10759): <!--number 10759 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgYXNjaWluZW1hLXBsYXllciB0byB2My4xNC4wIChmb3JnZWpvKQ==-->Update dependency asciinema-player to v3.14.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10895): <!--number 10895 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IEZvcmdlam8gdjE0LjAuMSBbc2tpcCBjaV0=-->chore(release-notes): Forgejo v14.0.1 [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10866): <!--number 10866 --><!--line 0 --><!--description W3NraXAgY2ldIGZpeChyZWxlYXNlKTogbW92ZSByZXZlcnRlZCB2MTQuMC4wIGZlYXR1cmUgbGluZSB0byBJbmNsdWRlZCBmb3IgY29tcGxldGVuZXNz-->[skip ci] fix(release): move reverted v14.0.0 feature line to Included for completeness<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10815): <!--number 10815 --><!--line 0 --><!--description bWFrZSBsYXN0Y29tbWl0IGF2YWlsYWJsZSBmb3Igbm9uLXNpZ25lZC1pbiB1c2Vycw==-->make lastcommit available for non-signed-in users<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10822): <!--number 10822 --><!--line 0 --><!--description VXBkYXRlIE5vZGUuanMgdG8gdjI0LjEzLjAgKGZvcmdlam8p-->Update Node.js to v24.13.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10761): <!--number 10761 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjEuMCAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10728): <!--number 10728 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IEZvcmdlam8gdjExLjAuOSBbc2tpcCBjaV0=-->chore(release-notes): Forgejo v11.0.9 [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10775): <!--number 10775 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ2xvYmFscyB0byB2MTcgKGZvcmdlam8p-->Update dependency globals to v17 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10756): <!--number 10756 --><!--line 0 --><!--description YWRkIGZvcmVpZ24ga2V5cyB0byB0aGUgYGFjdGlvbl9ydW5uZXJfdG9rZW5gIHRhYmxl-->add foreign keys to the `action_runner_token` table<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9380): <!--number 9380 --><!--line 0 --><!--description c3dhZ2dlcjogQWRkIGhlYWRlciBhbm5vdGF0aW9ucyBmb3IgYWNjdXJhdGUgQVBJIGRvY3VtZW50YXRpb24=-->swagger: Add header annotations for accurate API documentation<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10731): <!--number 10731 --><!--line 0 --><!--description Y2hvcmUocmVub3ZhdGUpOiB1c2UgYGZvcmdlam8tcmVsZWFzZXNgIGRhdGFzb3VyY2U=-->chore(renovate): use `forgejo-releases` datasource<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10700): <!--number 10700 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3l1aW4vZ29sZG1hcmsgdG8gdjEuNy4xNCAoZm9yZ2Vqbyk=-->Update module github.com/yuin/goldmark to v1.7.14 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10795): <!--number 10795 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNS4xIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.5.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10701): <!--number 10701 --><!--line 0 --><!--description VXBkYXRlIENvZGVNaXJyb3IgKGZvcmdlam8p-->Update CodeMirror (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10780): <!--number 10780 --><!--line 0 --><!--description Y2hvcmU6IGNvcnJlY3Qgc3BlbGxpbmcgZXJyb3IgaW4gY2xlYW51cC1jb21taXQtc3RhdHVzIENMSSBkb2Nz-->chore: correct spelling error in cleanup-commit-status CLI docs<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10749): <!--number 10749 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9yZWxlYXNlLW5vdGVzLWFzc2lzdGFudCB0byB2MS41LjAgKGZvcmdlam8p-->Update dependency forgejo/release-notes-assistant to v1.5.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10755): <!--number 10755 --><!--line 0 --><!--description ZmVhdChidWlsZCk6IHRlYWNoIGxpbnQtbG9jYWxlLXVzYWdlIGFib3V0IE9iamVjdFZlcmlmaWNhdGlvbi5SZWFzb24=-->feat(build): teach lint-locale-usage about ObjectVerification.Reason<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10738): <!--number 10738 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNS4wIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.5.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10762): <!--number 10762 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2FsZWN0aG9tYXMvY2hyb21hL3YyIHRvIHYyLjIyLjAgKGZvcmdlam8p-->Update module github.com/alecthomas/chroma/v2 to v2.22.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10726): <!--number 10726 --><!--line 0 --><!--description ZGlzYWJsZSBhY3Rpb25zIGVuZHBvaW50cyBvZiByZXBvc2l0b3J5IGlmIGFjdGlvbnMgYXJlIGRpc2FibGVk-->disable actions endpoints of repository if actions are disabled<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10716): <!--number 10716 --><!--line 0 --><!--description Y2hvcmU6IGFkZCBAMHhsbHgwIHRvIGZlZGVyYXRpb24gY29kZW93bmVycw==-->chore: add @0xllx0 to federation codeowners<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10737): <!--number 10737 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9yZWxlYXNlLW5vdGVzLWFzc2lzdGFudCB0byB2MS40LjMgKGZvcmdlam8p-->Update dependency forgejo/release-notes-assistant to v1.4.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10740): <!--number 10740 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvc3lzIHRvIHYwLjQwLjAgKGZvcmdlam8p-->Update module golang.org/x/sys to v0.40.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10696): <!--number 10696 --><!--line 0 --><!--description cmV0YWluIEZvcmdlam8gQWN0aW9uJ3MgY29tbWl0X3N0YXR1cyBlbnRyaWVzIHdpdGggZGlzdGluY3QgZGVzY3JpcHRpb25z-->retain Forgejo Action's commit_status entries with distinct descriptions<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10713): <!--number 10713 --><!--line 0 --><!--description cHJldmVudCBpbnRlcm1pdHRlbnQgdGVzdCBmYWlsdXJlcyBjYXVzZWQgYnkgdW5jYW5jZWxsYWJsZSB0YXNrcw==-->prevent intermittent test failures caused by uncancellable tasks<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10715): <!--number 10715 --><!--line 0 --><!--description Rml4IGVycm9yIG1lc3NhZ2VzIGluIHB1bGwuZ28=-->Fix error messages in pull.go<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10758): <!--number 10758 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGNvZGVtaXJyb3IvdmlldyB0byB2Ni4zOS45IChmb3JnZWpvKQ==-->Update dependency @codemirror/view to v6.39.9 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10730): <!--number 10730 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IEZvcmdlam8gdjEzLjAuNCBbc2tpcCBjaV0=-->chore(release-notes): Forgejo v13.0.4 [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10699): <!--number 10699 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQGxlemVyL2hpZ2hsaWdodCB0byB2MS4yLjMgKGZvcmdlam8p-->Update dependency @lezer/highlight to v1.2.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10707): <!--number 10707 --><!--line 0 --><!--description W3NraXAgY2ldIGNob3JlOiBVcGRhdGUgcHVsbCByZXF1ZXN0IHRlbXBsYXRlIHJlZ2FyZGluZyB0aGUgcmVsZWFzZSBub3Rlcw==-->[skip ci] chore: Update pull request template regarding the release notes<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10724): <!--number 10724 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWVucnkvZ28tZW5yeS92MiB0byB2Mi45LjMgKGZvcmdlam8p-->Update module github.com/go-enry/go-enry/v2 to v2.9.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10619): <!--number 10619 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL3NldHVwLWZvcmdlam8gYWN0aW9uIHRvIHYzLjAuNyAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/setup-forgejo action to v3.0.7 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10709): <!--number 10709 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3l1aW4vZ29sZG1hcmsgdG8gdjEuNy4xNiAoZm9yZ2Vqbyk=-->Update module github.com/yuin/goldmark to v1.7.16 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10752): <!--number 10752 --><!--line 0 --><!--description Y2hvcmU6IHJ1biByZW5vdmF0ZSBvbiB2MTQgYnJhbmNoLCByZW1vdmUgdjEz-->chore: run renovate on v14 branch, remove v13<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10706): <!--number 10706 --><!--line 0 --><!--description Y2hvcmU6IGFkZCBmYW1mbyB0byBDT0RFT1dORVJTIGZvciBmZWRlcmF0aW9uIGNvZGU=-->chore: add famfo to CODEOWNERS for federation code<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10785): <!--number 10785 --><!--line 0 --><!--description TG9jayBmaWxlIG1haW50ZW5hbmNlIChmb3JnZWpvKQ==-->Lock file maintenance (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10658): <!--number 10658 --><!--line 0 --><!--description ZHluYW1pYyBBY3Rpb24gam9icyBjYW4gc3RhbGwgYnkgbWFya2luZyB0aGVtc2VsdmVzIGJsb2NrZWQ=-->dynamic Action jobs can stall by marking themselves blocked<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10665): <!--number 10665 --><!--line 0 --><!--description c2ltdWx0YW5lb3VzbHkgZXhwZXJpZW5jaW5nIGEgUHJlRXhlY3V0aW9uRXJyb3IgYW5kIHVuYmxvY2tpbmcgYSBkaWZmZXJlbnQgam9iIGNhdXNlcyBlcnJvciBibG9ja2luZyBqb2IgZW1pdHRlciBxdWV1ZQ==-->simultaneously experiencing a PreExecutionError and unblocking a different job causes error blocking job emitter queue<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10632): <!--number 10632 --><!--line 0 --><!--description YnVpbGQtcmVsZWFzZSB3b3JrZmxvdyBzdG9wcyBpdHMgb3duIGVuZC10by1lbmQgY2hlY2tzIHdoZW4gcnVuIGNvbmN1cnJlbnRseQ==-->build-release workflow stops its own end-to-end checks when run concurrently<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10666): <!--number 10666 --><!--line 0 --><!--description cmUtcnVubmluZyBhbiBleHBhbmRlZCByZXVzYWJsZSB3b3JrZmxvdyBjYXVzZXMgZHVwbGljYXRlICJhdHRlbXB0IDEiIGpvYg==-->re-running an expanded reusable workflow causes duplicate "attempt 1" job<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10588): <!--number 10588 --><!--line 0 --><!--description TGlzdFRyYWNrZWRUaW1lcyBBUEkgaGFzIG5vIGRlZmluZWQgcmVjb3JkIG9yZGVyaW5n-->ListTrackedTimes API has no defined record ordering<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10661): <!--number 10661 --><!--line 0 --><!--description aTE4bihuZXh0KTogY29udmVydCBpbmRlbnRpb24gc3R5bGUgdG8gdGFiczogZW4sIGVkaXRvcmNvbmZpZw==-->i18n(next): convert indention style to tabs: en, editorconfig<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10591): <!--number 10591 --><!--line 0 --><!--description dGVzdDogcmVtb3ZlIGRpYWdub3N0aWMgb3V0cHV0IGluICdjb3B5IHRvIGV4cGVyaW1lbnRhbCc=-->test: remove diagnostic output in 'copy to experimental'<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10623): <!--number 10623 --><!--line 0 --><!--description TG9jayBmaWxlIG1haW50ZW5hbmNlIChmb3JnZWpvKQ==-->Lock file maintenance (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10579): <!--number 10579 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLW9wZW5hcGkvc3BlYyB0byB2MC4yMi4zIChmb3JnZWpvKQ==-->Update module github.com/go-openapi/spec to v0.22.3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10668): <!--number 10668 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL21hdHRuL2dvLXNxbGl0ZTMgdG8gdjEuMTQuMzMgKGZvcmdlam8p-->Update module github.com/mattn/go-sqlite3 to v1.14.33 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10610): <!--number 10610 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vYWN0aW9ucy1wcm90byB0byB2MC42LjAgKGZvcmdlam8p-->Update module code.forgejo.org/forgejo/actions-proto to v0.6.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10596): <!--number 10596 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2phY2tjL3BneC92NSB0byB2NS44LjAgKGZvcmdlam8p-->Update module github.com/jackc/pgx/v5 to v5.8.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10655): <!--number 10655 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuNC4wIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.4.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10583): <!--number 10583 --><!--line 0 --><!--description ZXhwZXJpbWVudGFsIHJlbGVhc2VzIGFyZSBub3QgYmVpbmcgY29waWVkIHRvIGZvcmdlam8tZXhwZXJpbWVudGFs-->experimental releases are not being copied to forgejo-experimental<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10678): <!--number 10678 --><!--line 0 --><!--description ZG9uJ3QgZHVwbGljYXRlIGNvbW1pdCBzdGF0dXMgcmVjb3JkcyBvbiB3b3JrZmxvd3Mgd2l0aCBlbXB0eSBuYW1l-->don't duplicate commit status records on workflows with empty name<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10638): <!--number 10638 --><!--line 0 --><!--description Y2hvcmUocmVsZWFzZS1ub3Rlcyk6IHRlYWNoIHJlbGVhc2Utbm90ZXMtYXNzaXN0YW50IHRoYXQgdjExLjAgaXMgTFRT-->chore(release-notes): teach release-notes-assistant that v11.0 is LTS<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10587): <!--number 10587 --><!--line 0 --><!--description dGVzdDogZml4IGludGVybWl0dGVudCBQb3N0Z3JlU1FMIGZhaWx1cmUgaW4gVGVzdEFkbWluVmlld1JlcG9z-->test: fix intermittent PostgreSQL failure in TestAdminViewRepos<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10581): <!--number 10581 --><!--line 0 --><!--description Y2hvcmUodWkpOiByZW1vdmUgb2Jzb2xldGUgY29kZSBmcm9tIGJ1dHRvbi1sZWdhY3kuY3Nz-->chore(ui): remove obsolete code from button-legacy.css<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10683): <!--number 10683 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9yZWxlYXNlLW5vdGVzLWFzc2lzdGFudCB0byB2MS40LjIgKGZvcmdlam8p-->Update dependency forgejo/release-notes-assistant to v1.4.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10662): <!--number 10662 --><!--line 0 --><!--description Y2hvcmUoY2xlYW51cCk6IG1vdmUgYWxsIHRlc3QgYmxhbmsgaW1wb3J0cyBpbiBhIHNpbmdsZSBwYWNrYWdl-->chore(cleanup): move all test blank imports in a single package<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10692): <!--number 10692 --><!--line 0 --><!--description Y2hvcmU6IGRvd25sb2FkIGdpdC1tYW4gb3ZlciBUTFM=-->chore: download git-man over TLS<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10586): <!--number 10586 --><!--line 0 --><!--description dXNlIFJVTk5FUl9URU1QIGluIGJ1aWxkLXJlbGVhc2UueW1s-->use RUNNER_TEMP in build-release.yml<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10608): <!--number 10608 --><!--line 0 --><!--description TG9jayBmaWxlIG1haW50ZW5hbmNlIChmb3JnZWpvKQ==-->Lock file maintenance (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10667): <!--number 10667 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZXNidWlsZC1sb2FkZXIgdG8gdjQuNC4yIChmb3JnZWpvKQ==-->Update dependency esbuild-loader to v4.4.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10626): <!--number 10626 --><!--line 0 --><!--description aW1wcm92ZSBEaXNjb3JkIHdlYmhvb2sgbWVzc2FnZSBmb3JtYXR0aW5n-->improve Discord webhook message formatting<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10656): <!--number 10656 --><!--line 0 --><!--description aW4tcHJvZ3Jlc3Mgam9iIGljb24gZG9lc24ndCByb3RhdGUgb24gcmVwbydzIGFjdGlvbiBsaXN0-->in-progress job icon doesn't rotate on repo's action list<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10535): <!--number 10535 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuMy4wIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.3.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10492): <!--number 10492 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgd2VicGFjayB0byB2NS4xMDQuMCAoZm9yZ2Vqbyk=-->Update dependency webpack to v5.104.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10479): <!--number 10479 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2FsZWN0aG9tYXMvY2hyb21hL3YyIHRvIHYyLjIxLjEgKGZvcmdlam8p-->Update module github.com/alecthomas/chroma/v2 to v2.21.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10482): <!--number 10482 --><!--line 0 --><!--description Y2hvcmU6IDE0LjAgaXMgbm93IHN0YWJsZQ==-->chore: 14.0 is now stable<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10549): <!--number 10549 --><!--line 0 --><!--description Y2hvcmUoc2VhcmNoKTogbWlub3IgY29kZSBjbGVhbnVw-->chore(search): minor code cleanup<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10505): <!--number 10505 --><!--line 0 --><!--description VXBkYXRlIGdvLW9wZW5hcGkgcGFja2FnZXMgKGZvcmdlam8p-->Update go-openapi packages (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10575): <!--number 10575 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBjb2RlLmZvcmdlam8ub3JnL2Zvcmdlam8vcnVubmVyL3YxMiB0byB2MTIuMy4xIChmb3JnZWpvKQ==-->Update module code.forgejo.org/forgejo/runner/v12 to v12.3.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10545): <!--number 10545 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZXNidWlsZC1sb2FkZXIgdG8gdjQuNC4xIChmb3JnZWpvKQ==-->Update dependency esbuild-loader to v4.4.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10491): <!--number 10491 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgYXNjaWluZW1hLXBsYXllciB0byB2My4xMy41IChmb3JnZWpvKQ==-->Update dependency asciinema-player to v3.13.5 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10450): <!--number 10450 --><!--line 0 --><!--description Y2hvcmU6IHJldmlzZSBydW5uZXIgUkVTVCBBUEkgZW5kcG9pbnRz-->chore: revise runner REST API endpoints<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10538): <!--number 10538 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgd2VicGFjayB0byB2NS4xMDQuMSAoZm9yZ2Vqbyk=-->Update dependency webpack to v5.104.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10550): <!--number 10550 --><!--line 0 --><!--description cG9ydChnaXRlYSk6IEZpeCBwYXNzd29yZCBsZWFrIGluIGxvZyBtZXNzYWdlcyAoZ28tZ2l0ZWEvZ2l0ZWEhMzU1ODQp-->port(gitea): Fix password leak in log messages (go-gitea/gitea!35584)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10537): <!--number 10537 --><!--line 0 --><!--description cmVmYWN0b3I6IHNwbGl0IGBBY3Rpb25Kb2JTdGVwTGlzdGAgb3V0IG9mIGBSZXBvQWN0aW9uVmlld2A=-->refactor: split `ActionJobStepList` out of `RepoActionView`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10539): <!--number 10539 --><!--line 0 --><!--description Y2hvcmUodGVzdCk6IHNlcGFyYXRlIGFuZCBtb3ZlIGFyb3VuZCBpMThuIHRlc3Rpbmc=-->chore(test): separate and move around i18n testing<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10551): <!--number 10551 --><!--line 0 --><!--description Y2hvcmU6IGRvY3VtZW50LCB0ZXN0IHBhZ2luYXRpb24gb2YgYC9ydW5uZXJzYCBBUEkgZW5kcG9pbnQ=-->chore: document, test pagination of `/runners` API endpoint<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10518): <!--number 10518 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL2NoZWNrb3V0IGFjdGlvbiB0byB2NiAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/checkout action to v6 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10490): <!--number 10490 --><!--line 0 --><!--description dGVzdDogaW5jcmVhc2UgdGVzdCBjb3ZlcmFnZSBvZiBydW5uZXIgbWFuYWdlbWVudA==-->test: increase test coverage of runner management<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8643): <!--number 8643 --><!--line 0 --><!--description bGlua2luZyBzaGExIGhhc2hlcyB3aXRoIHRyYWlsaW5nIHB1bmN0dWF0aW9u-->linking sha1 hashes with trailing punctuation<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10519): <!--number 10519 --><!--line 0 --><!--description TG9jayBmaWxlIG1haW50ZW5hbmNlIChmb3JnZWpvKQ==-->Lock file maintenance (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10517): <!--number 10517 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9hY3Rpb25zL2NhY2hlIGFjdGlvbiB0byB2NSAoZm9yZ2Vqbyk=-->Update https://data.forgejo.org/actions/cache action to v5 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11409): <!--number 11409 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIERvY2tlciB0YWcgdG8gdjQzLjMxLjEgKGZvcmdlam8p-->Update renovate Docker tag to v43.31.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11321): <!--number 11321 --><!--line 0 --><!--description VXBkYXRlIHgvdG9vbHMgdG8gdjAuNDIuMCAoZm9yZ2Vqbyk=-->Update x/tools to v0.42.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11322): <!--number 11322 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZXNsaW50LXBsdWdpbi11bmljb3JuIHRvIHY2MyAoZm9yZ2Vqbyk=-->Update dependency eslint-plugin-unicorn to v63 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11302): <!--number 11302 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0My4xNS4xIChmb3JnZWpvKQ==-->Update renovate to v43.15.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11265): <!--number 11265 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgdnVlIHRvIHYzLjUuMjggKGZvcmdlam8p-->Update dependency vue to v3.5.28 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11213): <!--number 11213 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgdml0ZS1zdHJpbmctcGx1Z2luIHRvIHYyIChmb3JnZWpvKQ==-->Update dependency vite-string-plugin to v2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11207): <!--number 11207 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZXNsaW50LXBsdWdpbi1yZWdleHAgdG8gdjMgKGZvcmdlam8p-->Update dependency eslint-plugin-regexp to v3 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11202): <!--number 11202 --><!--line 0 --><!--description VXBkYXRlIGxpbnRlcnMgKGZvcmdlam8p-->Update linters (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11203): <!--number 11203 --><!--line 0 --><!--description VXBkYXRlIHgvdG9vbHMgdG8gdjAuNDEuMCAoZm9yZ2Vqbyk=-->Update x/tools to v0.41.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11129): <!--number 11129 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0Mi45NS4yIChmb3JnZWpvKQ==-->Update renovate to v42.95.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11162): <!--number 11162 --><!--line 0 --><!--description TW9yZSBqd3R4IHJlZmFjdG9yaW5nOiBHZXRTaWduaW5nTWV0aG9kKCksIGZpeCBvcGVuIG1vZGUsIHNwbGl0IGxvYWRPckNyZWF0ZUFzeW1tZXRyaWNLZXkoKQ==-->More jwtx refactoring: GetSigningMethod(), fix open mode, split loadOrCreateAsymmetricKey()<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11118): <!--number 11118 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQHN0eWxpc3RpYy9zdHlsZWxpbnQtcGx1Z2luIHRvIHY0LjAuMSAoZm9yZ2Vqbyk=-->Update dependency @stylistic/stylelint-plugin to v4.0.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11119): <!--number 11119 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQHZpdGVzdC9lc2xpbnQtcGx1Z2luIHRvIHYxLjYuNiAoZm9yZ2Vqbyk=-->Update dependency @vitest/eslint-plugin to v1.6.6 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11120): <!--number 11120 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2VkaXRvcmNvbmZpZy1jaGVja2VyL2VkaXRvcmNvbmZpZy1jaGVja2VyL3YzL2NtZC9lZGl0b3Jjb25maWctY2hlY2tlciB0byB2My42LjEgKGZvcmdlam8p-->Update module github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker to v3.6.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10659): <!--number 10659 --><!--line 0 --><!--description aTE4bihuZXh0KTogY29udmVydCBpbmRlbnRpb24gdG8gdGFicw==-->i18n(next): convert indention to tabs<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11044): <!--number 11044 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0Mi45Mi4xMCAoZm9yZ2Vqbyk=-->Update renovate to v42.92.10 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10998): <!--number 10998 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgdnVlIHRvIHYzLjUuMjcgKGZvcmdlam8p-->Update dependency vue to v3.5.27 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10918): <!--number 10918 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0Mi44NC4yIChmb3JnZWpvKQ==-->Update renovate to v42.84.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10912): <!--number 10912 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3VyZmF2ZS9jbGkvdjMgdG8gdjMuNi4yIChmb3JnZWpvKQ==-->Update module github.com/urfave/cli/v3 to v3.6.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10784): <!--number 10784 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0Mi43OC4yIChmb3JnZWpvKQ==-->Update renovate to v42.78.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10698): <!--number 10698 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0Mi43MS4wIChmb3JnZWpvKQ==-->Update renovate to v42.71.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10618): <!--number 10618 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0Mi42Ni4xMSAoZm9yZ2Vqbyk=-->Update renovate to v42.66.11 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10607): <!--number 10607 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQHZpdGVzdC9lc2xpbnQtcGx1Z2luIHRvIHYxLjYuNCAoZm9yZ2Vqbyk=-->Update dependency @vitest/eslint-plugin to v1.6.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10605): <!--number 10605 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0Mi42Ni45IChmb3JnZWpvKQ==-->Update renovate to v42.66.9 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10606): <!--number 10606 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgdHlwZXNjcmlwdC1lc2xpbnQgdG8gdjguNTAuMSAoZm9yZ2Vqbyk=-->Update dependency typescript-eslint to v8.50.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10547): <!--number 10547 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgc3R5bGVsaW50LXZhbHVlLW5vLXVua25vd24tY3VzdG9tLXByb3BlcnRpZXMgdG8gdjYuMS4wIChmb3JnZWpvKQ==-->Update dependency stylelint-value-no-unknown-custom-properties to v6.1.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10546): <!--number 10546 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQHZpdGVzdC9lc2xpbnQtcGx1Z2luIHRvIHYxLjUuNCAoZm9yZ2Vqbyk=-->Update dependency @vitest/eslint-plugin to v1.5.4 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10504): <!--number 10504 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgdnVlIHRvIHYzLjUuMjYgKGZvcmdlam8p-->Update dependency vue to v3.5.26 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10514): <!--number 10514 --><!--line 0 --><!--description VXBkYXRlIHJlbm92YXRlIHRvIHY0Mi42NC4xIChmb3JnZWpvKQ==-->Update renovate to v42.64.1 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10507): <!--number 10507 --><!--line 0 --><!--description VXBkYXRlIHZpdGVzdCBtb25vcmVwbyB0byB2NC4wLjE2IChmb3JnZWpvKQ==-->Update vitest monorepo to v4.0.16 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10511): <!--number 10511 --><!--line 0 --><!--description VXBkYXRlIHgvdG9vbHMgdG8gdjAuNDAuMCAoZm9yZ2Vqbyk=-->Update x/tools to v0.40.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10510): <!--number 10510 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL1B1ZXJraXRvQmlvL2dvcXVlcnkgdG8gdjEuMTEuMCAoZm9yZ2Vqbyk=-->Update module github.com/PuerkitoBio/goquery to v1.11.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10509): <!--number 10509 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvbGFuZ2NpL2dvbGFuZ2NpLWxpbnQvdjIvY21kL2dvbGFuZ2NpLWxpbnQgdG8gdjIuNy4yIChmb3JnZWpvKQ==-->Update module github.com/golangci/golangci-lint/v2/cmd/golangci-lint to v2.7.2 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10508): <!--number 10508 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWFya2Rvd25saW50LWNsaSB0byB2MC40Ny4wIChmb3JnZWpvKQ==-->Update dependency markdownlint-cli to v0.47.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10506): <!--number 10506 --><!--line 0 --><!--description VXBkYXRlIGxpbnRlcnMgKGZvcmdlam8p-->Update linters (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10503): <!--number 10503 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgQHZpdGVqcy9wbHVnaW4tdnVlIHRvIHY2LjAuMyAoZm9yZ2Vqbyk=-->Update dependency @vitejs/plugin-vue to v6.0.3 (forgejo)<!--description-->
+- Already announced in the release notes of an older stable release
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11513): <!--number 11513 --><!--line 0 --><!--description LSBmaXg6IFBLQ0UgY2hhbGxlbmdlcyB0byBGb3JnZWpvJ3MgT0F1dGggaWRlbnRpdHkgcHJvdmlkZXIgd2VyZSBub3QgdmFsaWRhdGVkIHdoZW4gdXNpbmcgdGhlIGBTMjU2YCBhbGdvcml0aG0=-->- fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11513): <!--number 11513 --><!--line 1 --><!--description LSBmaXg6IEZvcmdlam8gc3VwcG9ydHMgdXNpbmcgYW4gT0F1dGggQmVhcmVyIHRva2VuIHdpdGggSFRUUCBiYXNpYyBhdXRoZW50aWNhdGlvbiwgcmF0aGVyIHRoYW4gQmVhcmVyIHRva2VuIGF1dGhlbnRpY2F0aW9uLCBidXQgZGlkIG5vdCBwcm9wZXJseSBhcHBseSB0aGUgbGltaXRlZCBzY29wZXMgb2YgdGhlIE9BdXRoIGdyYW50-->- fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11513): <!--number 11513 --><!--line 2 --><!--description LSBmaXg6IG1pc3NpbmcgcGVybWlzc2lvbiBjaGVja3MgaW4gYXR0YWNobWVudC1yZWxhdGVkIHdlYiBlbmRwb2ludHMgYWxsb3dlZCBtb2RpZnlpbmcgYXR0YWNobWVudHMgdGhhdCBhIHVzZXIgZGlkIG5vdCBvd24=-->- fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11513): <!--number 11513 --><!--line 3 --><!--description LSBmaXg6IGVtYWlsIG5vdGlmaWNhdGlvbnMgZm9yIG5ldyByZWxlYXNlcyBjb3VsZCBiZSBzZW50IHRvIHVzZXJzIHRoYXQgbm8gbG9uZ2VyIGFjY2VzcyB0byB0aGUgcmVwb3NpdG9yeSwgb3IgdG8gaW5hY3RpdmUgdXNlcnM=-->- fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11513): <!--number 11513 --><!--line 4 --><!--description LSBmaXg6IG1pc3NpbmcgcGVybWlzc2lvbiBjaGVja3MgaW4gdXNlci9vcmctb3duZWQgcHJvamVjdHMgd291bGQgYWxsb3cgbW9kaWZpY2F0aW9ucyBvZiB0aGUgb3Blbi9jbG9zZWQgc3RhdGUgdG8gYmUgbWFkZSB0byBwcm9qZWN0cyB2aWEgaW5zZWN1cmUgZGlyZWN0IG9iamVjdCByZWZlcmVuY2Vz-->- fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11513): <!--number 11513 --><!--line 5 --><!--description LSBmaXg6IG1pc3NpbmcgcGVybWlzc2lvbiBjaGVja3MgaW4gYSB3ZWIgZW5kcG9pbnQgYWxsb3dlZCBjYW5jZWxsYXRpb24gb2YgdGhlIGF1dG9tZXJnZSBvZiBhIFBS-->- fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11513): <!--number 11513 --><!--line 6 --><!--description LSBmaXg6IHByZXZlbnQgYWRkaXRpb25hbCBwYXRoLXRyYXZlcnNhbHMgaW4gcG9zdC1sb2dpbiByZWRpcmVjdCBwYXJhbWV0ZXJzIHRoYXQgYWxsb3dlZCBmb3IgYXJiaXRyYXJ5IHJlZGlyZWN0cw==-->- fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10719): <!--number 10719 --><!--line 0 --><!--description aGlkZSB1c2VyIHByb2ZpbGUgYW5vbnltb3VzIG9wdGlvbnMgb24gcHVibGljIHJlcG8gQVBJcw==-->hide user profile anonymous options on public repo APIs<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10719): <!--number 10719 --><!--line 1 --><!--description aW5jb3JyZWN0IHdoaXRlc3BhY2UgaGFuZGxpbmcgb24gcHJlJnBvc3QgcmVjZWl2ZSBob29rcw==-->incorrect whitespace handling on pre&post receive hooks<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10719): <!--number 10719 --><!--line 2 --><!--description cmVkdWNlIG1lbW9yeSB1c2FnZSB3aGlsZSBwcm9jZXNzaW5nIGxhcmdlIGF0dGFjaG1lbnQgdXBsb2Fkcw==-->reduce memory usage while processing large attachment uploads<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10719): <!--number 10719 --><!--line 3 --><!--description bG9hZCByZXZpZXdlciBmb3IgcHVsbCByZXZpZXcgZGlzbWlzcyBhY3Rpb24gbm90aWZpZXI=-->load reviewer for pull review dismiss action notifier<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10719): <!--number 10719 --><!--line 4 --><!--description dXNlIGNvcnJlY3QgR1BHIGtleSBmb3IgZXhwb3J0-->use correct GPG key for export<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11393): <!--number 11393 --><!--line 0 --><!--description ZXh0ZW5kIGJhc2ljIGF1dGggdG8gL3YyLCBhbHdheXMgaW5jbHVkZSBXV1ctQXV0aGVudGljYXRlIGhlYWRlcg==-->extend basic auth to /v2, always include WWW-Authenticate header<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11282): <!--number 11282 --><!--line 0 --><!--description cHJldmVudCBwYW5pYyB3aGVuIGltcG9ydGluZyBpc3N1ZXMgZnJvbSBHaXRMYWI=-->prevent panic when importing issues from GitLab<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11282): <!--number 11282 --><!--line 1 --><!--description cHJldmVudCBwYW5pYyB3aGVuIGltcG9ydGluZyByZWxlYXNlcyB3aXRoIG1vcmUgdGhhbiA0IHJlbGVhc2UgYXNzZXRzIGZyb20gR2l0TGFi-->prevent panic when importing releases with more than 4 release assets from GitLab<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11282): <!--number 11282 --><!--line 2 --><!--description Y29ycmVjdCByZS1tYXBwaW5nIG9mIG1lcmdlLXJlcXVlc3QgbnVtYmVycyBtZW50aW9uZWQgaW4gR2l0TGFiIGNvbW1lbnRz-->correct re-mapping of merge-request numbers mentioned in GitLab comments<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11642): <!--number 11642 --><!--line 0 --><!--description ZG9uJ3QgdHJpcCBkZWxldGluZyBhdHRhY2htZW50IHdpdGggbWlzc2luZyBwZXJtaXNzaW9uIGVycm9y-->don't trip deleting attachment with missing permission error<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11145): <!--number 11145 --><!--line 0 --><!--description ZG9uJ3QgYWJhbmRvbiBBY3Rpb24gam9icyB3YWl0aW5nIGZvciBhcHByb3ZhbA==-->don't abandon Action jobs waiting for approval<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10812): <!--number 10812 --><!--line 0 --><!--description ZHJvcCBzcWxpdGUgc2hhcmVkIGNhY2hl-->drop sqlite shared cache<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11134): <!--number 11134 --><!--line 0 --><!--description Y2FuY2VsIHJ1bnMgcGVuZGluZyBhcHByb3ZhbCB3aGVuIGEgUFIgaXMgY2xvc2Vk-->cancel runs pending approval when a PR is closed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10568): <!--number 10568 --><!--line 0 --><!--description bWlncmF0aW9uOiB1cGRhdGUgZXhpc3RpbmcgZm9yZWlnbiBrZXkgbWlncmF0aW9ucyB0byBhdXRvbWF0aWNhbGx5IGZpeCBpbmNvbnNpc3RlbmNpZXM=-->migration: update existing foreign key migrations to automatically fix inconsistencies<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11623): <!--number 11623 --><!--line 0 --><!--description Y29tbWVudCBhdHRhY2htZW50IEFQSSBpcyBtb3JlIHJlc3RyaWN0aXZlIHRoYW4gdGhlIHdlYiBVSQ==-->comment attachment API is more restrictive than the web UI<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11614): <!--number 11614 --><!--line 0 --><!--description TWFrZSBvdmVyZmxvdy1tZW51IFdlYiBDb21wb25lbnQgc2Nyb2xsIC8gb3ZlcmZsb3cgd2l0aCBKUyBvZmY=-->Make overflow-menu Web Component scroll / overflow with JS off<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11547): <!--number 11547 --><!--line 0 --><!--description bW9kYWxzIG9uIHNtYWxsIHZpZXdwb3J0IGhlaWdodA==-->modals on small viewport height<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11381): <!--number 11381 --><!--line 0 --><!--description Zml4KHVpKTogaGFyZGNvZGUgc29ydCBvcHRpb25zIGluIHNlYXJjaCBzeW50YXggaGludCwgaW1wcm92ZSBsb29r-->fix(ui): hardcode sort options in search syntax hint, improve look<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11287): <!--number 11287 --><!--line 0 --><!--description Zml4KHVpKTogcHJldmVudCBsYWJlbCBvdmVyZmxvdyBpbiBQUiBDSSBjaGVja3Mgb24gbW9iaWxl-->fix(ui): prevent label overflow in PR CI checks on mobile<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11341): <!--number 11341 --><!--line 0 --><!--description Zml4KHVpL21kZSk6IGlucHV0cyBpbiB0YWJsZS9saW5rIGluc2VydGlvbiBtb2RhbHM=-->fix(ui/mde): inputs in table/link insertion modals<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11179): <!--number 11179 --><!--line 0 --><!--description aW1wcm92ZSBTUUxpdGUgImRhdGFiYXNlIGlzIGxvY2tlZCIgZXJyb3JzIGJ5IGluY3JlYXNpbmcgZGVmYXVsdCBgU1FMSVRFX1RJTUVPVVRg-->improve SQLite "database is locked" errors by increasing default `SQLITE_TIMEOUT`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11246): <!--number 11246 --><!--line 0 --><!--description Y2xlYW51cCBvZiBtdWx0aS1wbGF0Zm9ybSBjb250YWluZXIgaW1hZ2Vz-->cleanup of multi-platform container images<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10925): <!--number 10925 --><!--line 0 --><!--description Zml4KGFwaSk6IGRlZmF1bHQgbmV3IHJlbGVhc2UgJ3RpdGxlJyBmaWVsZCB0byBsYWJlbCBuYW1lLCBpZiBub3QgcHJvdmlkZWQ=-->fix(api): default new release 'title' field to label name, if not provided<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10969): <!--number 10969 --><!--line 0 --><!--description Zml4KHVpKTogdGlwcHkgbWVudSBzdHlsZXMgdG9vIGJyb2FkLCBhZmZlY3Rpbmcgc3dpdGNoIGluIFBSIHJldmlldw==-->fix(ui): tippy menu styles too broad, affecting switch in PR review<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10945): <!--number 10945 --><!--line 0 --><!--description cmVtb3ZlIGluZmluaXRlIGxvb3AgaW4gVXBkYXRlUnVuSm9iV2l0aG91dE5vdGlmaWNhdGlvbiB3aGVuIHJ1biBpbiB0cmFuc2FjdGlvbg==-->remove infinite loop in UpdateRunJobWithoutNotification when run in transaction<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11073): <!--number 11073 --><!--line 0 --><!--description YWxsb3cgdGVzdCBkZWxpdmVyeSBmb3Igd2ViaG9va3Mgbm90IGVuYWJsZWQgZm9yIHB1c2ggZXZlbnRz-->allow test delivery for webhooks not enabled for push events<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10948): <!--number 10948 --><!--line 0 --><!--description ZG9uJ3QgY2xvYmJlciBhdXRob3JpemVkX2tleXMgZmlsZSBkdXJpbmcgaW5zdGFsbGF0aW9u-->don't clobber authorized_keys file during installation<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10939): <!--number 10939 --><!--line 0 --><!--description Zml4KHVpKTogaW1wcm92ZSBmb3JjZS1wdXNoIGxheW91dCBhbGlnbm1lbnQ=-->fix(ui): improve force-push layout alignment<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10964): <!--number 10964 --><!--line 0 --><!--description Zml4KHVpKTogYWRkIG1pc3NpbmcgdHJhbnNsYXRpb24gZm9yIGNvZGUgc2VhcmNoIHdoZW4ga2V5d29yZCBpcyBlbXB0eSBzdHJpbmc=-->fix(ui): add missing translation for code search when keyword is empty string<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10888): <!--number 10888 --><!--line 0 --><!--description dXNlIEFMVEVSIFRBQkxFIGluIFNRTGl0ZSBEcm9wVGFibGVDb2x1bW5zKCksIGFsbG93aW5nIHVuZXhwZWN0ZWQgZGF0YWJhc2Ugc291cmNlcyB0byB3b3JrIGJldHRlciBpbiBtaWdyYXRpb25z-->use ALTER TABLE in SQLite DropTableColumns(), allowing unexpected database sources to work better in migrations<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10899): <!--number 10899 --><!--line 0 --><!--description ZG9uJ3QgcmV0dXJuIEFkZGl0aW9uYWxUYXNrcyBmcm9tIEZldGNoVGFzayBpZiB0aGVyZSBpcyBubyBUYXNr-->don't return AdditionalTasks from FetchTask if there is no Task<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10914): <!--number 10914 --><!--line 0 --><!--description c3RyaXAgbmV3bGluZXMgb24gb2cgaW1hZ2UgcmVuZGVyaW5n-->strip newlines on og image rendering<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11164): <!--number 11164 --><!--line 0 --><!--description d2hlbiBleHBhbmRpbmcgYSBkeW5hbWljIG1hdHJpeCwgb3JpZ2luYWwgJ25lZWRzJyBhY2Nlc3Mgd2FzIGxvc3Q=-->when expanding a dynamic matrix, original 'needs' access was lost<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10933): <!--number 10933 --><!--line 0 --><!--description dXNlIGFuIGFic29sdXRlIFVSTCBmb3IgY29tcGFyZSBsaW5rcyBpbiBhdG9tIGZlZWQ=-->use an absolute URL for compare links in atom feed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11063): <!--number 11063 --><!--line 0 --><!--description ZW1wdHkgZHluYW1pYyBtYXRyaXggY2FuIGxlYXZlIGFjdGlvbiBydW4gaGFuZ2luZyBpbmNvbXBsZXRl-->empty dynamic matrix can leave action run hanging incomplete<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10882): <!--number 10882 --><!--line 0 --><!--description Rml4IG5vdCBkZWNyZWFzaW5nIHdhdGNoIGNvdW50IHdoZW4gYmxvY2tpbmcgdXNlcg==-->Fix not decreasing watch count when blocking user<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10827): <!--number 10827 --><!--line 0 --><!--description cHJvcGVyIHN0eWxpbmcgZm9yIGdsb2JhbCB0aW1lIHRyYWNrZXIgcG9wdXA=-->proper styling for global time tracker popup<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10814): <!--number 10814 --><!--line 0 --><!--description Zml4KHVpKTogc2hvdyBzd2l0Y2ggZGVmYXVsdCBicmFuY2ggYnV0dG9uIGluIGJyYW5jaCBsaXN0IG9ubHkgZm9yIHJlcG8gYWRtaW5z-->fix(ui): show switch default branch button in branch list only for repo admins<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10863): <!--number 10863 --><!--line 0 --><!--description bWFrZSBjb25jdXJyZW5jeSBncm91cCBqb2IgY2FuY2VsbGF0aW9uIGVmZmVjdCBydW5zIHRoYXQgYXJlIGZhaWxlZA==-->make concurrency group job cancellation effect runs that are failed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10851): <!--number 10851 --><!--line 0 --><!--description dXNlIGBzdHJpY3Qtb3JpZ2luYCBhcyByZWZlcnJlciBwb2xpY3k=-->use `strict-origin` as referrer policy<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10648): <!--number 10648 --><!--line 0 --><!--description Zml4KHVpKTogYWN0aW9ucyBsaXN0IGxheW91dCBicmVha2FnZSB3aXRoIGxvbmcgY29udGVudA==-->fix(ui): actions list layout breakage with long content<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10686): <!--number 10686 --><!--line 0 --><!--description YWRkIGBmb3JnZWpvIGRvY3RvciBjbGVhbnVwLWNvbW1pdC1zdGF0dXNgIGNvbW1hbmQgdG8gcmVjb3ZlciBmcm9tICMxMDY3MQ==-->add `forgejo doctor cleanup-commit-status` command to recover from #10671<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10747): <!--number 10747 --><!--line 0 --><!--description Y29ycmVjdGx5IGNvbXB1dGUgcmVxdWlyZWQgY29tbWl0IHN0YXR1cw==-->correctly compute required commit status<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10744): <!--number 10744 --><!--line 0 --><!--description Zml4IDUwMCBlcnJvciBvbiBsYXJnZSAuZ2l0bW9kdWxlcw==-->fix 500 error on large .gitmodules<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10484): <!--number 10484 --><!--line 0 --><!--description ZGlzcGxheSBvcnBoYW4gYnJhbmNoZXMgc2VwYXJhdGVseSBpbiBjb21taXQgZ3JhcGg=-->display orphan branches separately in commit graph<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10652): <!--number 10652 --><!--line 0 --><!--description Zml4KHVpKTogcHVsbCByZXF1ZXN0IG1lcmdlIG1lbnUgaXRlbSBjbGlwcGluZyB0aGUgYXV0byBtZXJnZSB0aXA=-->fix(ui): pull request merge menu item clipping the auto merge tip<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10594): <!--number 10594 --><!--line 0 --><!--description YWxsb3cgQWN0aW9ucyB0cnVzdCBtYW5hZ2VtZW50IG9uIGNvbmZsaWN0ZWQgUFJz-->allow Actions trust management on conflicted PRs<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10572): <!--number 10572 --><!--line 0 --><!--description Zml4KHVpKTogcHJvY2VzcyBkeW5hbWljYWxseSBhZGRlZCBjb250ZW50IHZpYSBodG14-->fix(ui): process dynamically added content via htmx<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10556): <!--number 10556 --><!--line 0 --><!--description Zml4KHVpKTogZG9uJ3Qgc3RyZXRjaCBhY3Rpdml0eSB0b3AgYXV0aG9yIGltYWdl-->fix(ui): don't stretch activity top author image<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10486): <!--number 10486 --><!--line 0 --><!--description aWdub3JlIHByaXZhdGUgLnByb2ZpbGUgcmVwbyBvbiB1c2VyIHByb2ZpbGUgcGFnZQ==-->ignore private .profile repo on user profile page<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10521): <!--number 10521 --><!--line 0 --><!--description Zml4KHVpKTogYWRkIG1pc3Npbmcgc3BhY2UgYmVmb3JlICdDb21taXQnIGJhY2s=-->fix(ui): add missing space before 'Commit' back<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10520): <!--number 10520 --><!--line 0 --><!--description UHJldmVudCBmb3JtIHN1Ym1pc3Npb24gYnkgYnV0dG9ucyBpbiBVR0MgbWFya2Rvd24=-->Prevent form submission by buttons in UGC markdown<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10394): <!--number 10394 --><!--line 0 --><!--description YWx3YXlzIHNlYXJjaCBmb3IgaXNzdWUgcG9zdGVycyBieSB1c2VyIGFuZCBmdWxsIG5hbWU=-->always search for issue posters by user and full name<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/10489): <!--number 10489 --><!--line 0 --><!--description YWxpZ24gZHVlIGRhdGUgaWNvbiBpbiBpc3N1ZSBsaXN0-->align due date icon in issue list<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8244): <!--number 8244 --><!--line 0 --><!--description YWRkIGR5bmFtaWMgYXJpYS1sYWJlbCB0byBtb25vc3BhY2UgYnV0dG9uIGluIG1hcmtkb3duIGVkaXRvcg==-->add dynamic aria-label to monospace button in markdown editor<!--description-->
+<!--end release-notes-assistant-->

From 2c0c48f50e8a66ef007c1d92e7721e645e7138e1 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 16 Apr 2026 17:59:37 +0200
Subject: [PATCH 128/287] fix: continued API response processing after error in
 `/repos/search` API (#12143)

Prevent continued execution of some APIs with error responses that didn't correctly interrupt execution, resulting in bizarre outputs and possibly leaking secure data:

```
> GET /api/v1/repos/search?uid=-2&archived=false HTTP/2
> Host: example.org
> user-agent: curl/7.88.1
> accept: */*
> authorization: bearer ***
>
< HTTP/2 500
< server: nginx
< date: Thu, 16 Apr 2026 14:20:09 GMT
< content-type: application/json;charset=utf-8
< cache-control: max-age=0, private, must-revalidate, no-transform
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
<
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"message":"","url":"https://example.org/api/swagger"}
{"ok":true,"data":[{"id":68,"owner":{"id":1,"login":"mfenniak", ...
```

As these errors only occur on situations that shouldn't be reproducible (minus software bugs), test automation isn't practical.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12143
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Cyborus <cyborus@disroot.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 routers/api/v1/org/team.go  | 1 +
 routers/api/v1/repo/repo.go | 2 ++
 routers/api/v1/user/repo.go | 2 ++
 3 files changed, 5 insertions(+)

diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 489b22892a..bd76e4d37e 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -591,6 +591,7 @@ func GetTeamRepos(ctx *context.APIContext) {
 			// Due to the pagination of the API it doesn't make sense to skip it, as we wouldn't be giving the right
 			// number of results back to the API consumer.
 			ctx.Error(http.StatusInternalServerError, "InvalidAuthorizationReducer", "Repository was available from GetTeamRepositories, but not readable.")
+			return
 		}
 		repos[i] = convert.ToRepo(ctx, repo, permission)
 	}
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index 5c11a2380f..793281bc79 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -234,11 +234,13 @@ func Search(ctx *context.APIContext) {
 				OK:    false,
 				Error: err.Error(),
 			})
+			return
 		} else if !permission.HasAccess() {
 			// It shouldn't happen that a repo is returned from GetTeamRepositories which we have no access to at all.
 			// Due to the pagination of the API it doesn't make sense to skip it, as we wouldn't be giving the right
 			// number of results back to the API consumer.
 			ctx.Error(http.StatusInternalServerError, "InvalidAuthorizationReducer", "Repository was available from SearchRepository, but not readable.")
+			return
 		}
 
 		results[i] = convert.ToRepo(ctx, repo, permission)
diff --git a/routers/api/v1/user/repo.go b/routers/api/v1/user/repo.go
index 92d86e10b0..6897d06ca0 100644
--- a/routers/api/v1/user/repo.go
+++ b/routers/api/v1/user/repo.go
@@ -153,11 +153,13 @@ func ListMyRepos(ctx *context.APIContext) {
 		permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, repo, ctx.Doer, ctx.Reducer)
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermissionWithReducer", err)
+			return
 		} else if !permission.HasAccess() {
 			// It shouldn't happen that a repo is returned from SearchRepository which we have no access to at all. Due
 			// to the pagination of the API it doesn't make sense to skip it, as we wouldn't be giving the right number
 			// of results back to the API consumer.
 			ctx.Error(http.StatusInternalServerError, "InvalidAuthorizationReducer", "Repository was available from SearchRepository, but not readable.")
+			return
 		}
 		results[i] = convert.ToRepo(ctx, repo, permission)
 	}

From a4b575fd75ac5bf4c7ab3f9823d1d08f030f93ea Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 16 Apr 2026 19:26:28 +0200
Subject: [PATCH 129/287] fix: make /repos/search?uid=-2 return zero results,
 no repos with that owner (#12144)

API calls to `.../api/v1/repos/search?uid=-2&archived=false` currently do not apply the filter `uid` because of the negative value.  This can occur when APIs are interacting with `${{ forgejo.token }}` and believe they're operating as the Forgejo Actions user, which has UID -2.

In combination with the security checks that occur in the `/repos/search` API to validate that repositories accessed are visible to the user, this can result in 500 error responses when a more correct expectation would be to receive no repositories:

https://codeberg.org/forgejo/forgejo/src/commit/da8898822c528a245a4cbe3e0ca02928262a4d5e/routers/api/v1/repo/repo.go#L237-L242

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12144
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 models/repo/repo_list.go           | 2 +-
 tests/integration/api_repo_test.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/models/repo/repo_list.go b/models/repo/repo_list.go
index daa60c81e9..a0eb0ce7c2 100644
--- a/models/repo/repo_list.go
+++ b/models/repo/repo_list.go
@@ -361,7 +361,7 @@ func SearchRepositoryCondition(opts *SearchRepoOptions) builder.Cond {
 	}
 
 	// Restrict repositories to those the OwnerID owns or contributes to as per opts.Collaborate
-	if opts.OwnerID > 0 {
+	if opts.OwnerID != 0 {
 		accessCond := builder.NewCond()
 		if !opts.Collaborate.ValueOrZeroValue() {
 			accessCond = builder.Eq{"owner_id": opts.OwnerID}
diff --git a/tests/integration/api_repo_test.go b/tests/integration/api_repo_test.go
index 60c662c28a..29edff7ac0 100644
--- a/tests/integration/api_repo_test.go
+++ b/tests/integration/api_repo_test.go
@@ -149,6 +149,7 @@ func TestAPISearchRepo(t *testing.T) {
 	org3 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 18})
 	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 20})
 	orgUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 17})
+	actionsUser := user_model.NewActionsUser()
 
 	oldAPIDefaultNum := setting.API.DefaultPagingNum
 	defer func() {
@@ -266,6 +267,12 @@ func TestAPISearchRepo(t *testing.T) {
 			user:  {count: 1, includesPrivate: true},
 			user4: {count: 1, includesPrivate: true},
 		}},
+		{name: "ForgejoActionsUser/UID", requestURL: fmt.Sprintf("/api/v1/repos/search?uid=%d", actionsUser.ID), expectedResults: expectedResults{
+			nil:         {count: 0},
+			actionsUser: {count: 0},
+			user:        {count: 0},
+			user4:       {count: 0},
+		}},
 	}
 
 	for _, testCase := range testCases {

From 39f677c0db822e3f7e3306fcf4ab21d522188349 Mon Sep 17 00:00:00 2001
From: RahulGautamSingh <rahultesnik@gmail.com>
Date: Thu, 16 Apr 2026 19:51:46 +0200
Subject: [PATCH 130/287] feat(api): add base and head query filters to list
 pull requests endpoint (#12104)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves https://codeberg.org/forgejo/forgejo/issues/6919

Add `base` and `head` filter options to the `repoListPullRequests` API operation.

Co-authored-by: Rahul Gautam Singh <rere0095@Rahuls-MacBook-Air.local>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12104
Reviewed-by: Ellen Εμίλια Άννα Zscheile <fogti@noreply.codeberg.org>
Reviewed-by: Cyborus <cyborus@disroot.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: RahulGautamSingh <rahultesnik@gmail.com>
Co-committed-by: RahulGautamSingh <rahultesnik@gmail.com>
---
 models/issues/pull_list.go         | 10 ++++++
 routers/api/v1/repo/pull.go        | 10 ++++++
 templates/swagger/v1_json.tmpl     | 12 +++++++
 tests/integration/api_pull_test.go | 53 ++++++++++++++++++++++++++++++
 4 files changed, 85 insertions(+)

diff --git a/models/issues/pull_list.go b/models/issues/pull_list.go
index ddb813cf44..861ccace81 100644
--- a/models/issues/pull_list.go
+++ b/models/issues/pull_list.go
@@ -27,6 +27,8 @@ type PullRequestsOptions struct {
 	Labels      []int64
 	MilestoneID int64
 	PosterID    int64
+	BaseBranch  string
+	HeadBranch  string
 }
 
 func listPullRequestStatement(ctx context.Context, baseRepoID int64, opts *PullRequestsOptions) *xorm.Session {
@@ -51,6 +53,14 @@ func listPullRequestStatement(ctx context.Context, baseRepoID int64, opts *PullR
 		sess.And("issue.poster_id=?", opts.PosterID)
 	}
 
+	if opts.BaseBranch != "" {
+		sess.And("pull_request.base_branch=?", opts.BaseBranch)
+	}
+
+	if opts.HeadBranch != "" {
+		sess.And("pull_request.head_branch=?", opts.HeadBranch)
+	}
+
 	return sess
 }
 
diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go
index 1f82bfce1b..37be508512 100644
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -90,6 +90,14 @@ func ListPullRequests(ctx *context.APIContext) {
 	//   in: query
 	//   description: Filter by pull request author
 	//   type: string
+	// - name: base
+	//   in: query
+	//   description: Filter by base branch name
+	//   type: string
+	// - name: head
+	//   in: query
+	//   description: Filter by head branch name
+	//   type: string
 	// - name: page
 	//   in: query
 	//   description: Page number of results to return (1-based)
@@ -137,6 +145,8 @@ func ListPullRequests(ctx *context.APIContext) {
 		Labels:      labelIDs,
 		MilestoneID: ctx.FormInt64("milestone"),
 		PosterID:    posterID,
+		BaseBranch:  ctx.FormTrim("base"),
+		HeadBranch:  ctx.FormTrim("head"),
 	})
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "PullRequests", err)
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 8ca012823a..e872051b18 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -14003,6 +14003,18 @@
             "name": "poster",
             "in": "query"
           },
+          {
+            "type": "string",
+            "description": "Filter by base branch name",
+            "name": "base",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Filter by head branch name",
+            "name": "head",
+            "in": "query"
+          },
           {
             "minimum": 1,
             "type": "integer",
diff --git a/tests/integration/api_pull_test.go b/tests/integration/api_pull_test.go
index c1b64cdb39..17fab07f9e 100644
--- a/tests/integration/api_pull_test.go
+++ b/tests/integration/api_pull_test.go
@@ -178,6 +178,59 @@ func TestAPIPullsFiles(t *testing.T) {
 	})
 }
 
+func TestAPIViewPullsFilterByBaseHead(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+
+	ctx := NewAPITestContext(t, "user2", repo.Name, auth_model.AccessTokenScopeReadRepository)
+
+	t.Run("FilterByBase", func(t *testing.T) {
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all&base=master", repo.OwnerName, repo.Name).
+			AddTokenAuth(ctx.Token)
+		resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
+
+		var pulls []*api.PullRequest
+		DecodeJSON(t, resp, &pulls)
+		assert.Len(t, pulls, 2)
+		for _, pr := range pulls {
+			assert.Equal(t, "master", pr.Base.Name)
+		}
+	})
+
+	t.Run("FilterByHead", func(t *testing.T) {
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all&head=branch2", repo.OwnerName, repo.Name).
+			AddTokenAuth(ctx.Token)
+		resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
+
+		var pulls []*api.PullRequest
+		DecodeJSON(t, resp, &pulls)
+		assert.Len(t, pulls, 1)
+		assert.Equal(t, "branch2", pulls[0].Head.Name)
+	})
+
+	t.Run("FilterByBaseAndHead", func(t *testing.T) {
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all&base=master&head=branch2", repo.OwnerName, repo.Name).
+			AddTokenAuth(ctx.Token)
+		resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
+
+		var pulls []*api.PullRequest
+		DecodeJSON(t, resp, &pulls)
+		assert.Len(t, pulls, 1)
+		assert.Equal(t, "master", pulls[0].Base.Name)
+		assert.Equal(t, "branch2", pulls[0].Head.Name)
+	})
+
+	t.Run("FilterByBaseNoMatch", func(t *testing.T) {
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all&base=nonexistent", repo.OwnerName, repo.Name).
+			AddTokenAuth(ctx.Token)
+		resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
+
+		var pulls []*api.PullRequest
+		DecodeJSON(t, resp, &pulls)
+		assert.Empty(t, pulls)
+	})
+}
+
 func TestAPIViewPullsByBaseHead(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})

From 6236a4cc9907424261e068e222ea4656d2bc59f1 Mon Sep 17 00:00:00 2001
From: Dominik Zyla <zylad@noreply.codeberg.org>
Date: Thu, 16 Apr 2026 19:52:56 +0200
Subject: [PATCH 131/287] feat: allow for getting 2fa enabled users via
 /api/v1/admin/users (#12091)

Allow for filtering users with 2fa enabled as admin. So that it is easy to audit users' settings compliance with iso27001, etc.

Resolves #11800

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12091
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Dominik Zyla <zylad@noreply.codeberg.org>
Co-committed-by: Dominik Zyla <zylad@noreply.codeberg.org>
---
 routers/api/v1/admin/user.go        | 17 +++++++++------
 templates/swagger/v1_json.tmpl      |  6 ++++++
 tests/integration/api_admin_test.go | 32 +++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index f30ba8b5dd..be02d3e198 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -416,6 +416,10 @@ func SearchUsers(ctx *context.APIContext) {
 	//   in: query
 	//   description: user's login name to search for
 	//   type: string
+	// - name: is_2fa_enabled
+	//   in: query
+	//   description: whether or not to filter users with the 2fa enabled
+	//   type: boolean
 	// - name: sort
 	//   in: query
 	//   description: sort order of results
@@ -446,12 +450,13 @@ func SearchUsers(ctx *context.APIContext) {
 	}
 
 	users, maxResults, err := user_model.SearchUsers(ctx, &user_model.SearchUserOptions{
-		Actor:       ctx.Doer,
-		Type:        user_model.UserTypeIndividual,
-		LoginName:   ctx.FormTrim("login_name"),
-		SourceID:    sourceID,
-		OrderBy:     utils.GetDbSearchOrder(ctx),
-		ListOptions: listOptions,
+		Actor:              ctx.Doer,
+		Type:               user_model.UserTypeIndividual,
+		LoginName:          ctx.FormTrim("login_name"),
+		IsTwoFactorEnabled: ctx.FormOptionalBool("is_2fa_enabled"),
+		SourceID:           sourceID,
+		OrderBy:            utils.GetDbSearchOrder(ctx),
+		ListOptions:        listOptions,
 	})
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "SearchUsers", err)
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index e872051b18..3401d42641 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -1509,6 +1509,12 @@
             "name": "login_name",
             "in": "query"
           },
+          {
+            "type": "boolean",
+            "description": "whether or not to filter users with the 2fa enabled",
+            "name": "is_2fa_enabled",
+            "in": "query"
+          },
           {
             "enum": [
               "oldest",
diff --git a/tests/integration/api_admin_test.go b/tests/integration/api_admin_test.go
index 70a921a0a4..513eac1155 100644
--- a/tests/integration/api_admin_test.go
+++ b/tests/integration/api_admin_test.go
@@ -169,6 +169,38 @@ func TestAPIListUsers(t *testing.T) {
 	assert.Len(t, users, numberOfUsers)
 }
 
+func TestAPIListUsersNo2FA(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUsername := "user1"
+	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)
+
+	req := NewRequest(t, "GET", "/api/v1/admin/users?is_2fa_enabled=0").
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+	total := resp.Header().Get("X-Total-Count")
+
+	numberOfUsers := "28"
+
+	assert.Equal(t, numberOfUsers, total)
+}
+
+func TestAPIListUsers2FA(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUsername := "user1"
+	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)
+
+	req := NewRequest(t, "GET", "/api/v1/admin/users?is_2fa_enabled=1").
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+	total := resp.Header().Get("X-Total-Count")
+
+	numberOfUsers := "2"
+
+	assert.Equal(t, numberOfUsers, total)
+}
+
 func TestAPIListUsersNotLoggedIn(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	req := NewRequest(t, "GET", "/api/v1/admin/users")

From c7b5026f59411175f7b46ffc627ebb944f9802e8 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 16 Apr 2026 23:42:08 +0200
Subject: [PATCH 132/287] chore: bump xorm to v1.3.9-forgejo.11 (#12153)

Should fix intermittent test failures in Forgejo's integration test suite, in [`TestPackageDebianConcurrent`](https://codeberg.org/forgejo-integration/forgejo/actions/runs/16661/jobs/3/attempt/1#jobstep-5-1271), where this error is occurring.  Will be backported to v15 as the same test is present there, to keep the LTS tests healthy.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12153
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 go.mod |  2 +-
 go.sum | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index 0088bd43ef..6db142399f 100644
--- a/go.mod
+++ b/go.mod
@@ -273,4 +273,4 @@ replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-2024121
 
 replace git.sr.ht/~mariusor/go-xsd-duration => code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078
 
-replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.10
+replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.11
diff --git a/go.sum b/go.sum
index 82b1a02a3e..9601411c69 100644
--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ code.forgejo.org/go-chi/captcha v1.0.2 h1:vyHDPXkpjDv8bLO9NqtWzZayzstD/WpJ5xwEkA
 code.forgejo.org/go-chi/captcha v1.0.2/go.mod h1:lxiPLcJ76UCZHoH31/Wbum4GUi2NgjfFZLrJkKv1lLE=
 code.forgejo.org/go-chi/session v1.0.4 h1:WQ1NaVxcCpxYwCliEGypKclZnOCjh3p1fk8XciJc62U=
 code.forgejo.org/go-chi/session v1.0.4/go.mod h1:+sSTiomM5C8AUPtxZyTENIbcTz22kcVottKO0lnmDRk=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.10 h1:DCProZz7GP10ue7NoVr1vreuADhH9tEImYFye2+aDG8=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.10/go.mod h1:ly5tUt9l3b+y7HdXDM1UucQXuS58ahNxB9tPM5/6LfM=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.11 h1:EXJVQ4feAFMkpFwtHAHuXkK6TLNYqabR7QTzqL8uObY=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.11/go.mod h1:C18NeM/SazG/q4eqpWnoNks7GeCyRUNQIe2onniRViU=
 code.gitea.io/sdk/gitea v0.21.0 h1:69n6oz6kEVHRo1+APQQyizkhrZrLsTLXey9142pfkD4=
 code.gitea.io/sdk/gitea v0.21.0/go.mod h1:tnBjVhuKJCn8ibdyyhvUyxrR1Ca2KHEoTWoukNhXQPA=
 code.superseriousbusiness.org/exif-terminator v0.11.2 h1:nkTdaghZb6I0oGYFhTLSALhA2ShgkPnYAJryE5IE9+0=
@@ -730,8 +730,8 @@ golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE
 golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
-golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.39.0 h1:skVYidAEVKgn8lZ602XO75asgXBgLj9G/FE3RbuPFww=
@@ -991,14 +991,14 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-modernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI=
-modernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE=
+modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
+modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
-modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
+modernc.org/sqlite v1.48.2 h1:5CnW4uP8joZtA0LedVqLbZV5GD7F/0x91AXeSyjoh5c=
+modernc.org/sqlite v1.48.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
 mvdan.cc/xurls/v2 v2.6.0 h1:3NTZpeTxYVWNSokW3MKeyVkz/j7uYXYiMtXRUfmjbgI=
 mvdan.cc/xurls/v2 v2.6.0/go.mod h1:bCvEZ1XvdA6wDnxY7jPPjEmigDtvtvPXAD/Exa9IMSk=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

From 00269b3a0b8d2fe28b6d2da8674aefbc1524b6e8 Mon Sep 17 00:00:00 2001
From: Beowulf <beowulf@beocode.eu>
Date: Fri, 17 Apr 2026 01:41:56 +0200
Subject: [PATCH 133/287] fix: CodeMirror e2e test (#12151)

I tried a lot, but this seems to work. I know it is ugly, but checking and waiting after every action seems to make it stable. At least it succeeded five times in a row and the CI seemed to be under load due to the dependency updates. Maybe it is worth a try...

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12151
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 tests/e2e/codemirror.test.e2e.ts | 66 ++++++++++++--------------------
 1 file changed, 25 insertions(+), 41 deletions(-)

diff --git a/tests/e2e/codemirror.test.e2e.ts b/tests/e2e/codemirror.test.e2e.ts
index 466b9f1fd3..c3dc6f0fcd 100644
--- a/tests/e2e/codemirror.test.e2e.ts
+++ b/tests/e2e/codemirror.test.e2e.ts
@@ -21,17 +21,21 @@ async function enterFilename(page: Page, filename: string) {
 }
 
 async function pressEnter(page: Page) {
-  // eslint-disable-next-line playwright/no-wait-for-timeout
-  await page.waitForTimeout(5);
   await page.keyboard.press('Enter', {delay: 5});
-  // eslint-disable-next-line playwright/no-wait-for-timeout
-  await page.waitForTimeout(10);
 }
 
 async function type(page: Page, text: string) {
   await page.keyboard.type(text, {delay: 10});
 }
 
+async function validate(page: Page, expected: string) {
+  await expect(async () => {
+    const internal = await page.evaluate(() => Array.from(window.codeEditors)[0].state.doc.toString());
+    expect(internal).toStrictEqual(expected);
+  }).toPass();
+  await expect(page.locator('#edit_area')).toHaveValue(expected);
+}
+
 test('New file editor', async ({page}) => {
   const response = await page.goto('/user2/repo1/_new/master', {waitUntil: 'domcontentloaded'});
   expect(response?.status()).toBe(200);
@@ -39,21 +43,19 @@ test('New file editor', async ({page}) => {
   await enterFilename(page, `f.txt`);
 
   const editor = page.locator('.cm-content');
-  const backingTextArea = page.locator('#edit_area');
 
   await editor.click();
+
   await type(page, 'This');
   await pressEnter(page);
+  await validate(page, 'This\n');
+
   await type(page, 'is');
   await pressEnter(page);
-  await type(page, 'Frogejo!');
+  await validate(page, 'This\nis\n');
 
-  const expected = 'This\nis\nFrogejo!';
-  await expect(async () => {
-    const internal = await page.evaluate(() => Array.from(window.codeEditors)[0].state.doc.toString());
-    expect(internal).toStrictEqual(expected);
-  }).toPass();
-  await expect(backingTextArea).toHaveValue(expected);
+  await type(page, 'Frogejo!');
+  await validate(page, 'This\nis\nFrogejo!');
 });
 
 test('New file with autocomplete and indent', async ({page}) => {
@@ -63,26 +65,20 @@ test('New file with autocomplete and indent', async ({page}) => {
   await enterFilename(page, 'f.html');
 
   const editor = page.locator('.cm-content');
-  const backingTextArea = page.locator('#edit_area');
 
   await expect(editor).toHaveAttribute('data-language', 'html', {timeout: 3000});
 
   await editor.click();
   await type(page, '<html>');
   await pressEnter(page);
-  await type(page, '<hea');
-  await page.locator('.cm-tooltip-autocomplete').waitFor({state: 'visible'});
-  await pressEnter(page);
-  await type(page, '>');
-  await pressEnter(page);
-  await type(page, '<title>Frogejo is the future');
+  await validate(page, '<html>\n  \n</html>');
 
-  const expected = '<html>\n  <head>\n    <title>Frogejo is the future</title>\n  </head>\n</html>';
-  await expect(async () => {
-    const internal = await page.evaluate(() => Array.from(window.codeEditors)[0].state.doc.toString());
-    expect(internal).toStrictEqual(expected);
-  }).toPass();
-  await expect(backingTextArea).toHaveValue(expected);
+  await type(page, '<head>');
+  await pressEnter(page);
+  await validate(page, '<html>\n  <head>\n    \n  </head>\n</html>');
+
+  await type(page, '<title>Frogejo is the future');
+  await validate(page, '<html>\n  <head>\n    <title>Frogejo is the future</title>\n  </head>\n</html>');
 });
 
 test('Preview for markdown file', async ({page}) => {
@@ -105,10 +101,7 @@ test('Set from query', async ({page}) => {
   const response = await page.goto('/user2/repo1/_new/master?value=This\\nis\\\\nFrogejo!', {waitUntil: 'domcontentloaded'});
   expect(response?.status()).toBe(200);
 
-  await expect(async () => {
-    const internal = await page.evaluate(() => Array.from(window.codeEditors)[0].state.doc.toString());
-    expect(internal).toStrictEqual('This\nis\\nFrogejo!');
-  }).toPass();
+  await validate(page, 'This\nis\\nFrogejo!');
 });
 
 test('Search in file', async ({page}) => {
@@ -122,10 +115,7 @@ test('Search in file', async ({page}) => {
   const toggleByWord = page.locator('label[for="search_by_word"]');
   const nextButton = page.locator('button[aria-label="Next find"]');
 
-  await expect(async () => {
-    const internal = await page.evaluate(() => Array.from(window.codeEditors)[0].state.doc.toString());
-    expect(internal).toStrictEqual('This\nis\nFrogejo!\nthIs');
-  }).toPass();
+  await validate(page, 'This\nis\nFrogejo!\nthIs');
 
   await editor.click();
 
@@ -180,10 +170,7 @@ test('Replace in file', async ({page}) => {
   const searchField = page.locator('.fj-search input[name="search"]');
   const replaceField = page.locator('.fj-search input[name="replace"]');
 
-  await expect(async () => {
-    const internal = await page.evaluate(() => Array.from(window.codeEditors)[0].state.doc.toString());
-    expect(internal).toStrictEqual('This\nis\nFrogejo!\nthIs');
-  }).toPass();
+  await validate(page, 'This\nis\nFrogejo!\nthIs');
 
   await editor.click();
 
@@ -196,10 +183,7 @@ test('Replace in file', async ({page}) => {
 
   await page.getByRole('button', {name: 'Replace all'}).click();
 
-  await expect(async () => {
-    const internal = await page.evaluate(() => Array.from(window.codeEditors)[0].state.doc.toString());
-    expect(internal).toStrictEqual('ThBlub\nBlub\nFrogejo!\nthBlub');
-  }).toPass();
+  await validate(page, 'ThBlub\nBlub\nFrogejo!\nthBlub');
 });
 
 test('Do not open search if search button not available', async ({page}) => {

From b6b5592e7ff2c3b84fb61a18390a7dc820d7ff75 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 17 Apr 2026 06:59:26 +0200
Subject: [PATCH 134/287] Update Node.js to v24.15.0 (forgejo) (#12157)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12157
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .node-version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.node-version b/.node-version
index 045200741c..eefb690f4a 100644
--- a/.node-version
+++ b/.node-version
@@ -1 +1 @@
-24.14.1
\ No newline at end of file
+24.15.0
\ No newline at end of file

From 766c9c64f5a9f6c84b906ebd7cfad1aee87a203a Mon Sep 17 00:00:00 2001
From: 0ko <0ko@noreply.codeberg.org>
Date: Fri, 17 Apr 2026 15:24:58 +0200
Subject: [PATCH 135/287] fix(rna): prioritize breaking changes without a
 feature or bug label over non-breaking changes (#12124)

Related: https://codeberg.org/forgejo/website/pulls/843#issuecomment-13131897
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12124
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
---
 release-notes-assistant.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/release-notes-assistant.sh b/release-notes-assistant.sh
index 4963edf286..9fdadc06f3 100755
--- a/release-notes-assistant.sh
+++ b/release-notes-assistant.sh
@@ -40,7 +40,7 @@ function test_main() {
   test "$(categorize)" = 'BB Breaking bug fixes'
 
   test_payload_labels $label_worth $label_breaking
-  test "$(categorize)" = 'ZB Breaking changes without a feature or bug label'
+  test "$(categorize)" = 'BC Breaking changes without a feature or bug label'
 
   test_payload_labels $label_worth $label_ui $label_feature
   test "$(categorize)" = 'CA User Interface features'
@@ -232,7 +232,7 @@ function categorize() {
     elif $is_bug; then
       echo -n BB Breaking bug fixes
     else
-      echo -n ZB Breaking changes without a feature or bug label
+      echo -n BC Breaking changes without a feature or bug label
     fi
   elif $is_ui; then
     if $is_feature; then

From 83459905d19d80c9d2b46fbaf269fd5b311b7d21 Mon Sep 17 00:00:00 2001
From: Alec Walsh <code@alecwalsh.name>
Date: Fri, 17 Apr 2026 17:17:29 +0200
Subject: [PATCH 136/287] Exclude SSH certificate principals from output when
 viewing user's SSH keys (#12079)

Fixes #11590

When viewing a user's SSH keys, SSH principals are now excluded from the output.  This would previously either result in a panic in [OmitEmail](https://codeberg.org/forgejo/forgejo/src/commit/cfd4d53e32/models/asymkey/ssh_key.go#L67), if the principal name didn't contain any spaces, or truncate the principal name, if it did contain spaces.

The TestExportUserSSHKeys test was also updated and fails if the fix(commit cfcbc33af0) is reverted.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing
  - [x] `make test`
  - [x] `make test-sqlite#TestExportUserSSHKeys`

I have also manually tested the change.

The full integration tests(`make test-sqlite`) report some errors, but I get the same errors without this PR(tested on commit [6a5dda7116](https://codeberg.org/forgejo/forgejo/commit/6a5dda711628a4ed826846f208839561b9a6b1c3)).

I have not tested with the other database backends.

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12079
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Alec Walsh <code@alecwalsh.name>
Co-committed-by: Alec Walsh <code@alecwalsh.name>
---
 models/fixtures/public_key.yml             | 33 ++++++++++++++++++++++
 routers/web/user/home.go                   |  3 ++
 tests/integration/api_private_serv_test.go |  4 +--
 tests/integration/user_test.go             | 14 +++++++++
 4 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/models/fixtures/public_key.yml b/models/fixtures/public_key.yml
index ae620ee2d1..a1c7f4feb6 100644
--- a/models/fixtures/public_key.yml
+++ b/models/fixtures/public_key.yml
@@ -9,3 +9,36 @@
   created_unix: 1559593109
   updated_unix: 1565224552
   login_source_id: 0
+-
+  id: 2
+  owner_id: 5
+  name: user5
+  fingerprint: ""
+  content: "user5"
+  mode: 2
+  type: 3
+  created_unix: 1775805112
+  updated_unix: 1775805112
+  login_source_id: 0
+-
+  id: 3
+  owner_id: 9
+  name: user9@localhost
+  fingerprint: "SHA256:K3RfDvtQ/aYVzh6RfXGFxlffLLTRgksf9UQwTlwSM8M"
+  content: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDN7KuFUnlztx/UM6PUTyiBAq5SeIqr+qSVFC6JzLQAh user9@localhost"
+  mode: 2
+  type: 1
+  created_unix: 1775805112
+  updated_unix: 1775805112
+  login_source_id: 0
+-
+  id: 4
+  owner_id: 9
+  name: user9
+  fingerprint: ""
+  content: "user9"
+  mode: 2
+  type: 3
+  created_unix: 1775805112
+  updated_unix: 1775805112
+  login_source_id: 0
diff --git a/routers/web/user/home.go b/routers/web/user/home.go
index 60d6fc2bd0..4fe3f7c9a0 100644
--- a/routers/web/user/home.go
+++ b/routers/web/user/home.go
@@ -705,6 +705,9 @@ func ShowSSHKeys(ctx *context.Context) {
 
 	var buf bytes.Buffer
 	for i := range keys {
+		if keys[i].Type == asymkey_model.KeyTypePrincipal {
+			continue // Don't display SSH principals, only public keys
+		}
 		buf.WriteString(keys[i].OmitEmail())
 		buf.WriteString("\n")
 	}
diff --git a/tests/integration/api_private_serv_test.go b/tests/integration/api_private_serv_test.go
index 742d2d80d7..dd45f54c36 100644
--- a/tests/integration/api_private_serv_test.go
+++ b/tests/integration/api_private_serv_test.go
@@ -114,12 +114,12 @@ func TestAPIPrivateServ(t *testing.T) {
 		assert.Empty(t, results)
 
 		// Cannot pull from a private repo we're not associated with
-		results, extra = private.ServCommand(ctx, deployKey.ID, "user15", "big_test_private_2", perm.AccessModeRead, "git-upload-pack", "")
+		results, extra = private.ServCommand(ctx, deployKey.KeyID, "user15", "big_test_private_2", perm.AccessModeRead, "git-upload-pack", "")
 		require.Error(t, extra.Error)
 		assert.Empty(t, results)
 
 		// Cannot pull from a public repo we're not associated with
-		results, extra = private.ServCommand(ctx, deployKey.ID, "user15", "big_test_public_1", perm.AccessModeRead, "git-upload-pack", "")
+		results, extra = private.ServCommand(ctx, deployKey.KeyID, "user15", "big_test_public_1", perm.AccessModeRead, "git-upload-pack", "")
 		require.Error(t, extra.Error)
 		assert.Empty(t, results)
 
diff --git a/tests/integration/user_test.go b/tests/integration/user_test.go
index 0f7c099c70..f968f8df81 100644
--- a/tests/integration/user_test.go
+++ b/tests/integration/user_test.go
@@ -1286,4 +1286,18 @@ func TestExportUserSSHKeys(t *testing.T) {
 
 		assert.Equal(t, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWVj0fQ5N8wNc0LVNA41wDLYJ89ZIbejrPfg/avyj3u/ZohAKsQclxG4Ju0VirduBFF9EOiuxoiFBRr3xRpqzpsZtnMPkWVWb+akZwBFAx8p+jKdy4QXR/SZqbVobrGwip2UjSrri1CtBxpJikojRIZfCnDaMOyd9Jp6KkujvniFzUWdLmCPxUE9zhTaPu0JsEP7MW0m6yx7ZUhHyfss+NtqmFTaDO+QlMR7L2QkDliN2Jl3Xa3PhuWnKJfWhdAq1Cw4oraKUOmIgXLkuiuxVQ6mD3AiFupkmfqdHq6h+uHHmyQqv3gU+/sD8GbGAhf6ftqhTsXjnv1Aj4R8NoDf9BS6KRkzkeun5UisSzgtfQzjOMEiJtmrep2ZQrMGahrXa+q4VKr0aKJfm+KlLfwm/JztfsBcqQWNcTURiCFqz+fgZw0Ey/de0eyMzldYTdXXNRYCKjs9bvBK+6SSXRM7AhftfQ0ZuoW5+gtinPrnmoOaSCEJbAiEiTO/BzOHgowiM=\n", resp.Body.String())
 	})
+
+	t.Run("No exported keys and SSH principal", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		resp := MakeRequest(t, NewRequest(t, "GET", "/user5.keys"), http.StatusOK)
+
+		assert.Equal(t, "# Note: This user hasn't uploaded any SSH keys.\n", resp.Body.String())
+	})
+
+	t.Run("Exported key and SSH principal", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		resp := MakeRequest(t, NewRequest(t, "GET", "/user9.keys"), http.StatusOK)
+
+		assert.Equal(t, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDN7KuFUnlztx/UM6PUTyiBAq5SeIqr+qSVFC6JzLQAh\n", resp.Body.String())
+	})
 }

From 46d890c8e15930921a7a4d6aaca4d1249bdf3089 Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Sat, 18 Apr 2026 00:56:08 +0200
Subject: [PATCH 137/287] fix: always include files set to be detectable for
 language stats (#11685)

- The documentation has the correct behavior about `linguist-detectable`: In cases where a file should be considered for language statistics, regardless of its category, the linguist-detectable attribute can be used.
- This patch follows that behavior by not skipping the file even if some heuristic would've said to skip the file.
- Document the conditions in more natural language.
- Resolves forgejo/forgejo#11248

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11685
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
---
 modules/git/fetch_test.go                     |   2 +-
 modules/git/grep_test.go                      |   2 +-
 modules/git/repo_language_stats.go            |  20 +++++++++++++-----
 modules/git/repo_language_stats_test.go       |  10 +++++++++
 ...1b1f6c24df14da4898b22c00ff8fb55303ac76.idx | Bin 1520 -> 0 bytes
 ...b1f6c24df14da4898b22c00ff8fb55303ac76.pack | Bin 2748 -> 0 bytes
 ...1b1f6c24df14da4898b22c00ff8fb55303ac76.rev | Bin 116 -> 0 bytes
 ...d0100ad5c382a7e8e1bacada4b66b927f29b72.idx | Bin 0 -> 1632 bytes
 ...0100ad5c382a7e8e1bacada4b66b927f29b72.pack | Bin 0 -> 3704 bytes
 ...d0100ad5c382a7e8e1bacada4b66b927f29b72.rev | Bin 0 -> 132 bytes
 .../repos/language_stats_repo/packed-refs     |   2 +-
 tests/integration/linguist_test.go            |   4 ++--
 12 files changed, 30 insertions(+), 10 deletions(-)
 delete mode 100644 modules/git/tests/repos/language_stats_repo/objects/pack/pack-371b1f6c24df14da4898b22c00ff8fb55303ac76.idx
 delete mode 100644 modules/git/tests/repos/language_stats_repo/objects/pack/pack-371b1f6c24df14da4898b22c00ff8fb55303ac76.pack
 delete mode 100644 modules/git/tests/repos/language_stats_repo/objects/pack/pack-371b1f6c24df14da4898b22c00ff8fb55303ac76.rev
 create mode 100644 modules/git/tests/repos/language_stats_repo/objects/pack/pack-7cd0100ad5c382a7e8e1bacada4b66b927f29b72.idx
 create mode 100644 modules/git/tests/repos/language_stats_repo/objects/pack/pack-7cd0100ad5c382a7e8e1bacada4b66b927f29b72.pack
 create mode 100644 modules/git/tests/repos/language_stats_repo/objects/pack/pack-7cd0100ad5c382a7e8e1bacada4b66b927f29b72.rev

diff --git a/modules/git/fetch_test.go b/modules/git/fetch_test.go
index 95a1fa387d..b7ead10d4a 100644
--- a/modules/git/fetch_test.go
+++ b/modules/git/fetch_test.go
@@ -26,7 +26,7 @@ func TestFetch(t *testing.T) {
 
 			fetchedCommitID, err := repo.Fetch(otherRepoPath, "refs/heads/master")
 			require.NoError(t, err)
-			assert.Equal(t, "95d3505f2db273e40be79f84416051ae85e9ea0d", fetchedCommitID)
+			assert.Equal(t, "5684d0c8cfdfb17fcd59101826efc9ff54b80df4", fetchedCommitID)
 
 			c, err := repo.getCommit(MustIDFromString(fetchedCommitID))
 			require.NoError(t, err)
diff --git a/modules/git/grep_test.go b/modules/git/grep_test.go
index 83ddb766af..5666a425f4 100644
--- a/modules/git/grep_test.go
+++ b/modules/git/grep_test.go
@@ -65,7 +65,7 @@ func TestGrepSearch(t *testing.T) {
 			return
 		}
 
-		res, err = GrepSearch(t.Context(), repo, "world", GrepOptions{MatchesPerFile: 1})
+		res, err = GrepSearch(t.Context(), repo, "world", GrepOptions{RefName: "95d3505f2db273e40be79f84416051ae85e9ea0d", MatchesPerFile: 1})
 		require.NoError(t, err)
 		assert.Equal(t, []*GrepResult{
 			{
diff --git a/modules/git/repo_language_stats.go b/modules/git/repo_language_stats.go
index ee4beb2f87..2832c4f572 100644
--- a/modules/git/repo_language_stats.go
+++ b/modules/git/repo_language_stats.go
@@ -168,11 +168,21 @@ func (repo *Repository) GetLanguageStats(commitID string) (map[string]int64, err
 			}
 		}
 
-		if isFalse(isDetectable) || isTrue(isVendored) || isTrue(isDocumentation) ||
-			(!isFalse(isVendored) && analyze.IsVendor(f.Name())) ||
-			enry.IsDotFile(f.Name()) ||
-			enry.IsConfiguration(f.Name()) ||
-			(!isFalse(isDocumentation) && enry.IsDocumentation(f.Name())) {
+		// Don't skip this file if it is explicitly set to be detectable.
+		// Skip this file if one of the following conditions holds:
+		// 1. Explicitly set to not be detectable.
+		// 2. Explicitly set that it is vendored.
+		// 3. Explicitly set that it is documentation.
+		// 4. Is not explicitly set to not be vendored and is by heuristic considered to be vendored.
+		// 5. It is considered to be a dot file.
+		// 6. It is considered to be a configuration file.
+		// 7. Is not explicitly set to not be documentation and is by heuristic considered to be documentation.
+		if !isTrue(isDetectable) &&
+			(isFalse(isDetectable) || isTrue(isVendored) || isTrue(isDocumentation) ||
+				(!isFalse(isVendored) && analyze.IsVendor(f.Name())) ||
+				enry.IsDotFile(f.Name()) ||
+				enry.IsConfiguration(f.Name()) ||
+				(!isFalse(isDocumentation) && enry.IsDocumentation(f.Name()))) {
 			continue
 		}
 
diff --git a/modules/git/repo_language_stats_test.go b/modules/git/repo_language_stats_test.go
index e3d8ba1f69..2bc57b56c5 100644
--- a/modules/git/repo_language_stats_test.go
+++ b/modules/git/repo_language_stats_test.go
@@ -34,6 +34,16 @@ func TestRepository_GetLanguageStats(t *testing.T) {
 		"Python": 67,
 		"Java":   112,
 	}, stats)
+
+	stats, err = gitRepo.GetLanguageStats("5684d0c8cfdfb17fcd59101826efc9ff54b80df4")
+	require.NoError(t, err)
+
+	assert.Equal(t, map[string]int64{
+		"Cobra":    67,
+		"Python":   67,
+		"Markdown": 15,
+		"Java":     112,
+	}, stats)
 }
 
 func TestMergeLanguageStats(t *testing.T) {
diff --git a/modules/git/tests/repos/language_stats_repo/objects/pack/pack-371b1f6c24df14da4898b22c00ff8fb55303ac76.idx b/modules/git/tests/repos/language_stats_repo/objects/pack/pack-371b1f6c24df14da4898b22c00ff8fb55303ac76.idx
deleted file mode 100644
index 186136cb126104a88a2d5b178914b1c1dbc86f17..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1520
zcmexg;-AdGz`z8=0|gj?79(SjTaYm`kWUU~0qP?MvjX*D!)!ot5N4+l<^Y<Dj5&e)
zp@6x7?&QXSd4S^7#=Jl?2NLrE?WY9u1ND=F1%T>lj^$n@L~4iL*%D*MH0Pj#qS4FW
zr8!F5R<U-3nR47{pU<XJaN_jwO`mqFO?%+BHQitPmQMSH+bcMNy-!LpnaH1tj$3>$
zGWSUHQy<+;ZN_Kyr#q>>`Soqr@AHf0mY%*LBx82dwV>7G6w{Z=RYtS@S3Ia(9Tt`(
zqTh4b>jZOhpLgd}kvyYWtPiIB(kWkHn{d;H@4#%U!|Uz`I!@O8QgZLmj8!Q<=4<Pp
zc^weCUl)0)YSLrjniRgit;u%;@@)TFUHH}beZkR33H}Xd``@+pF0IV{ZC>D>SRlRQ
z1;g5TpQm09h}Ydz{Dk}Y{1(TAz;&%JU-7P5B>lsuTbU)H*ZzccNrl5F*QA-J4z2$?
zW&NeM0_L$<-GzbD8>GagZ!KN@_~;j%b&-8$dR@KSG+a}!?S59Z?fsd3PbTes{r=<e
z13&7UUt0NY|G3!vre&q4gEK=2YuluKVW&jQ*jB%se4yBSzs#BE4m=9GnVi4ZU9;h`
zjR?#*zVT@Fvb&Q`w}r+U8)v$3J~_a^z-0i$z;cJ95m?;01G9c6ki7+nzX5SDkbey*
z?+BE82TTvZJjH1VEQ%C>VtGJ$26Jio9F_Ybw>)NS(qZ`DzcrY7O<6^|^kH*Z{o8Uv
P9(ikby)sPtbZa62Y)$41

diff --git a/modules/git/tests/repos/language_stats_repo/objects/pack/pack-371b1f6c24df14da4898b22c00ff8fb55303ac76.pack b/modules/git/tests/repos/language_stats_repo/objects/pack/pack-371b1f6c24df14da4898b22c00ff8fb55303ac76.pack
deleted file mode 100644
index 046061c688b93c0f08c8aef52e1d1e5470de40cf..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2748
zcma)*Ss>Jl7sr2NCuVRhNx8^2X0djokll<y)^S6W7{pbL<&I@s5<)4m#aOasCyYuW
zp}*OzBd+C+C5G%vMC7k~AMVTl;s0>nzUO?;`J8iXjZ82A0B{_KaF!{7l<`EjvC3T7
zJSeLBQ#v9(PxVq3D8|t3g@CYE=P$A#&kU~izjpPrw3JuNmm(*x=8?QrF^`K$=1xv1
zc%?uKT(+Cft>di5PqMt%Gwp<pK)9~xvIY;J^S!Et+lP$%P)nPcWRm#Pv>QP!J-(?v
z*{y{zv}}J1vyY$jF${WQ{XgrZEHH6*$m6Tz{$b<F9~>(6Bv}-k2BZ~1lX?oSj=)(r
zjv{`75CYY|uJ}O5C`~aDc%y6i0eh$R$JA^94(<Hcu!idL2DgQWWg%xXIxj4dVszgf
z-iIVUos-5jVVQH_i*rlzRbQtMY5axclG{fH8aKnfdLz#hz%mw29r1PV^4+dCL}{j^
z1e=u!u~5J1ZhP-t6hg|?>3eu^^=HVXr|%PFGUgX>m6bK6)6RdHIdFZjKT~lwwp!t$
zYEEs5!HesSEZkwGp#6s4O2K)Ms7J2W=HA!$%5rLOyOz?B>~3Pt)aS7d;kCqBclXWP
zsIBeD-^X{}33NQX-fb6rhF{bWe5+O2mGH*WA!c?-@X86Tb(cRQOM=5f9Vsg<;o<I!
zmb+ysPuiH8dq!K@=6BtFxUNay+vFK7#j{2tdRiDWY$D<Xg1Lw^AmH@DKDR7|-;j;g
z*1=!QGb4}}PQjX`sa#VtS$ya17F;Zs{qPsQJ~4PNc@!pH3{C0Wum1}>j!&7=(X*m3
z&l$Ybp@jL#xX#Xqyo)kmmn>hE^Bk^eR!I^>Zs$dCIez!X7*8xGz72Rj`d!dFc<NTD
zty$1F>SD@xUXlryibvGDglEBU+!tsHuS5IxoN`w<m*Sntdx;N4YCh{+dbaUFTC>ca
z#6bJru<(O5$VEe5k`+wUl%C{Y8O_nIfB%`SG};)8R?C0F){$BnsH?0FywD<W=4Mrb
z5`we!KRB!C@cW_5QoK?6yKR1tYIg}Pn~LhpfrIbhVG%!APS`V6qSM1$3-^*quDe%)
z&ifNJV4yY*$L_P1x`~0Sw5SRb$0wLzJy&Om+!Up}7KryH8!hX6AuQZ|_#hUzR4MbN
z>r$`p&PMwKIa|Bv=EaRMI_=i0Wg7qCHXh1Wv<N~U2zmT=MKB#gAm!1F0y*Ub4F~j}
zueW5F$4k{KCsn$0$D&iy)a7j=4x62OHZg1Cj&Z^Ya}QE=%g)I=<Hn@R>O~}w_9){M
z@~b@#YdjN<x_CzFj$>}M=_|X<d+zr#M1m&CHONaV{#GYPzSnG>oE2bWUiKZWUdSq*
zYiZg8<+nn*Or=|kErPu#0w=9J!X`J_4Sz0gYU_85;|>3KM?5f;(ro<3E$w1CkZX3_
z<`YV7l{sL#8)>#SAXKaoMNQ^7$%$)z@tVLJtaUk_C$`<drf9k0zI~NFnp~a+mJ#8Q
zw+!Xrb%>V`=GE%ye%$MsO4-rKTNQ@&M=A|M6=tL)5BW;KDGS_pAFbVH#dyq$G=5_Z
zz3RNPiAh+$6)mEZIqjDs0zzwPTbB^WGfx&Djr1l&ss^opdG6(;b$ZHA=GCd3v)nI}
z_nnVFIK6EnQxT2D^XFSSl|JXBfmyltT#m%Di`mNyzT&Yly_fAHG&P@QrMK=JQTWyS
z&1^ADqepg)^%YtkUig@uRoh^C`jkTWc<*;=HrlY@O^<(1@pnCo5V3O*jbTDA&~1bZ
z8(dKiNQn3KC(cR~I76usu-8+_wlhtfkKR_c^9)_37L2}JPOS-)`zZ&4Jp1l!6n*}x
zKJ$a9cedVu$z15fhts|8bYHt!hk!Lcmm%|s2=}^+gh}VD+2m@`>4?CqX@L8xxlXEH
zP;fpht^R-ywd)G$OI9{Gpyp&%E0*f6s?iT3+gKr{<N-x~oF1bzEQwFnknG9Ae{w<_
zuQr}&?Hs(Howph=@@LUR{h*xdg0#0U%<M&h)L3D?Sc65$prne(l;GhFA&-%qwekuX
z+7v^wH68rkcT%dfo*}oHO>{CI3P@?$DGzaq)cs&s*LLmGM^hm4!OpV@*UPG#mj1ex
zO$3u)LTRa&!{0_Cll1+9QCk9Ir-nCIzm1Rk*cO!UdOm<90X9)EW{7lGSd}Ex$Gs<f
zd<y3ianWn}`nQzpj8sa0f`#JM5Wm9eQ6@E6v80<iBn@ingY*5aFS>g=q~&8mEw0)w
z>S@OYH=A#SdUL;n8rD{vS8i0(Y~934D7FwE^GX&1g?AoET>O37siM{7@YUou^^|?j
z`O$<XwXU44;;r+Jc|3}7nQB>#yJeC%qZ~Q>Yhsiy&(pVL5?<-Vj$)BWeCXy)tUdk{
zt@aP-!`k+1_N2g%42{+nnaV|FP?T{xtcyi2@7-YCms8;DV7}zLrhWZ!hER^-j+~px
zXwsX=l%U{ljeNctm-#byJ&2h^#qmc+fW`)IF3d~18cZN*X{)PiY1s8+`rv3d6iT&H
zMW7Kl0+zgT_>_2AX@z+BeRhNM(&t<cm%W^mK#Z}aCtBX*y|r{3XJZYx?#<5&I#+fv
zl(!~YSSe#cD$|-iY|TWJ!zn#|L$GV>7dl82>`7fGg+5=2rC7iAV5;P(u@%)4j$txT
z3<|~PS2Aip;qpsOjB(u||5BPj!sS}D*0cFJCEWaCM(KR%C&|T_V0E2}w!JUEjjU}Y
z&t>Mf$tm0j9U>Qsd&+j%l&3-s=KYrn!p;b{cu0m-+#I|yog-!dICgn<zu+N|h6Z66
z28N<GNIUj)?4i&xY797XAdauB?6%*cxU6ZAXv~AIZAVx3K}nG*l88VY&U|{noajoU
zfAW-tJk!)ar$$zJ!Q~48RU`7*r5wk|Gysmce?>fGKgdLL**AaIpkMp#2yTn|T{Kh)
z*wq1_F8`ta2e1knfke~j=wTWHid)y|-Y&&w3<MmBLsXp;;uI4XcHMY@pE)4It(*kX
z2}%zfi#irNsUU0+SX7M)ngQ#j_c`<*Cu32n2s?nvp372EP)&D~D3MT>^p;4EKDTfO
z1mrWs3mdrzBnK>(??(}!$TV(-K5>`i7}sPaYnN8{I1M63`vKlrrB98Do}N)vq0(Uk
zwwpk5Tx?gm_G@6?O?>$8DgWua$C^$b`oYfYwmorcX}p%jmZTx{i6*EI%VqvXFo4%z
zSg@X#K!T}QQz=$hR4*Ei#IFCafc))HId88LjS|mN$OI}H4(MWW6J2z@hf`@q^w#Z#
zU*o!pwmq$p+=cdWQ`DI>rrX<tLD9Dyg#l=r{CLq(?Ku47J4u!~AKe7VZe%xrYM>-r
z@-Nh$A2uVfa<Bh+XB@zgl@MYTbkCbWis&R{-npB7f1>IhYNh|8t0z5s{<Nd5cKF^K
zZJ#2xC(t@AxPpsSCy+2rdDl97xB(s_D0CGRCr2QGWPs_TWe@}OSVC;9v}(3{8(w=Q
z<rieq!)6sT?~iX%(Zy^p2)ONdbN}zPjYm_{9vtW)kpP7)aqGPF&jAW7u`yJ30~|Pd
KM0Vh;4*f4W|3eG_

diff --git a/modules/git/tests/repos/language_stats_repo/objects/pack/pack-371b1f6c24df14da4898b22c00ff8fb55303ac76.rev b/modules/git/tests/repos/language_stats_repo/objects/pack/pack-371b1f6c24df14da4898b22c00ff8fb55303ac76.rev
deleted file mode 100644
index 7d8c6f3562cb7f404e217d88476d14054edda877..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 116
zcmWIYbctYKU|@t|ZXnGJ#9Tnk3&i|D%nrm%K+FonY(UHd#4JF}0mLAEAixR4eCE>f
sIV$%>Zh6euq{HyPe`_%FnzC!#o*g{p^>kaQuG6B;ywg|Kd}`_f04JCg+W-In

diff --git a/modules/git/tests/repos/language_stats_repo/objects/pack/pack-7cd0100ad5c382a7e8e1bacada4b66b927f29b72.idx b/modules/git/tests/repos/language_stats_repo/objects/pack/pack-7cd0100ad5c382a7e8e1bacada4b66b927f29b72.idx
new file mode 100644
index 0000000000000000000000000000000000000000..80e1ee36b5e03a9d7315b57de3ce8f7ff7ac4e2c
GIT binary patch
literal 1632
zcmexg;-AdGz`z8=0|gj?79(SjTaYm`kWUU~0qP?MvjX*D!)!ot5N0P4a{$#7gE@if
zkTDmKPcG&L>V;t*Ae)w$7ic~o4$Kb}r#2P<nmLeI5NJOoSO}<}6f6u>kBmite5zx)
zR|%2Yp?9{#m@&;csGw-{@^@*D(zaEs9bu*%H`?d3sT7<zeSFiW-D=YwxNS}M*S@9G
ze&O~Cj$rSTQcNcDr=sH)-;2yW()`p%cT=13S^eows&9UM+x7eWV!5TKZwSel-E=Kz
z^*F`!rE-<gZ2uJxDp!YvC5h<wT=qJ_oZRQ#IaMUjXcp^(X}@&J7ubfiTsU$5{>J*V
zkpdEG?@#^@*}?lI;ie7Wf!S7v*WC|voUHq$<ldnft5ST-*VaGtIv{kvF7i^<q{qTF
zDSXAsCsdYv^_Q+)<TX=aX2Rvl($o`WkB+V@`mp`5-mUnQcQ>mXnZ;iJ>D!uoM<CDk
zuhoTLjo%j>eU#weaJK(lYwyy^+~4K}?uiA`J6<rXo%ea_<$!qIO~p^RpU-b`ObA@p
z`tlX;szuU2e7coc5_;`VSeH~dd~!{idFs&mzf;y<dMjWao7G(yD7`^ST>941)sK&U
z(ODPSXQtQHyG_G2_1f-dRomX5+4p49-q-Ix9zXD-zWJq<@2j}i0y!QJ#IDT`DL6VS
zImG&k`=OZ1^ajKEy=e~43?Zy-llFz35;0?2{c`ewV(<O7l9P7JoO$lRqp+JvX5Z1s
zjEj5^x&KKP+i=-N1ZEuHc(i)i-RDYWYO%(~nc*uWE?i>~{mH<<`v!;)0*eA*S<BW4
zq+bHD2@sb7(-W|K;Jyr$4+GLMz+xu~$o>l~>NJ2wuNzQ$Cy?I?%;s7^dJ|C1?wSh%
sTvrb_Er0QF*Qs0HX*<<F%`Un&<;-36$-8Z}or`q3<K=mU8B*5*0LOM7+W-In

literal 0
HcmV?d00001

diff --git a/modules/git/tests/repos/language_stats_repo/objects/pack/pack-7cd0100ad5c382a7e8e1bacada4b66b927f29b72.pack b/modules/git/tests/repos/language_stats_repo/objects/pack/pack-7cd0100ad5c382a7e8e1bacada4b66b927f29b72.pack
new file mode 100644
index 0000000000000000000000000000000000000000..94b6852051163b7124c7849e1843320c7d57a1e8
GIT binary patch
literal 3704
zcmYL|cRUpSAII-xB|9_aYn^rH%(7SJ*<_SW93pb4v-eEmY>tMJ>|G>#-5{Hc>{T3&
zoJ4;5eIJkC?~l)a@7L%3dOcr{w~4xjJ^%n9yL>D;nn-l!IEJ}g8xXs!Y&;tLy&vvX
zi8Z8PVKO0S0Y0OpYmC54DTRv4X4>76$JKm?T+|J4@GvzbGCK9bCA6;&tjI7+r47g}
z6eYOv3?#@6Gnc;zI^*oJ*Odp-aOU?zRwNi6CLiba9wt*$2zH|)NODmktcDLqkJR$x
znBFasnmPLwZfMV6<X*g8%nJB@MS|Kls*_I`cteWO40dnY<>tXf_{L+E)SG7~!Aa%Y
zY_+$!<^zUM{}fjILC}~)$eorB)*}Yjk2KAj2#(z>zM-Biw;FC8+LaAp^86lw3f5ZT
zc9Urgf!k+4SWGHz?XlLQ8%TVKP0#BDM<0a9%bQnzkQUuLR<XO9{1td`Ah>=bctz+y
z(`1EhAa9L@N2e<NHbPP12VP^MRaED$hYjd3>v)zw@F$h`Xv<SC_HzM3g_XeVMPRvX
zon*+J0AU{LzMC0&i`z*oU&n~cW1rcnjlG8`IYo>d7($T8Jv}Mh88`wnmq1vCoaA!K
z%@$9c$VA`8CRtCH>1$_@HszuiD~BfYZ$a5FPbyOmmDbZ;TRqW%HczbOG(<rU?T?b|
z{PW2gMhA7A!i+P$hBn?9##K2GNXG;rZSE)YC&~kM#9wi~Biyw+UitZk-F|K!Cvy7P
z>=fpYgE(?0DC@o*NQy>h%S#n~@E7XPO!NtV<}g0Vu*J%<9L*87@4Z0!X_~trgkK}&
zlc6R?-@H^9a1z9o^Tk#ZOkd7*&yj8`)=Ym@icMrctT}W|`&3M8vTgUe%2sMwG&6zh
z*1(kg$l=VI#YMxovGD-wt~&HsHpY-DJN``__?zp&D$zV2A2OUtJUcyiz3Q^PW~L?x
z;pC{2V<D5-9%=V=kd&S9Y#cL~Wnr*Zl{f|+NU11iKVBGr7G7NisOc6ua%C~?ge@a0
zn>8nPy1wHQ%Vd4Ixs8YI+MTCPfYMdyrx{QiZZM-rzTp(yW_WJ9`CEpuE^x);yvoXb
z#Tzw0-3V8OOv&wK{|pk042%e~8~-Q008H_9$}&vyBArat(-&!WAyZ^Ma3LC(G{$1S
zmTv6A5nhb!#c=eoQu1^63*3<S$-cc~XP*7{a?<4+Dzq83{lfazGQ{EvL{+nak!rSe
zG>k4icX)u#ndBYcNXpsLLWHs(Aq#c|Xjf7F)FQODg@rDpoTe4R(?@OF#V>iChsr6-
zlu;cB?~N#}cL4Nsi|W|+XC{c~8Ld1=v*w~6`n3+ar@7^{y#~X0Mp`GnTt!a>id@?t
z*hgp6hmyt}PS{V+8+OCVglo|}x)2-y^;RTl@Ri*(Wbxre@O1{Hx5UY=o5(DtF)|pT
z?pWyc>&EG<xDkL%rmzKEUs+afyY-?pfIqWG;RiZWzVkeRAu)HI3*Klsu}-hJ{)4aL
zWceI-^>tJ6lM5BeM}a4<P+25Bw~j?uTuo=8ty6uNR7#4!Rw>=0?qm5Q*I$ZsP~IA4
z2M6+zOx}!)QzUoh#umK1ysBi`>YLU*@_w^h@A;!E1r$Z|s*6?XoEjG4=jF6!2THrI
zWP!{M`O?H+C*4B4;t<o;l7O7P(7dJZvt5jPiL3VZ#3#CkM<LJVjyq|(UO4rc`ro?B
ztVZwCCS-&Bq<1fJ^#|>PYtsAHUqg!h1D~2>c3Xpj?6>tur77v{6H>p_4`sBY?A^#6
z*%0k~L#;)t>P$+~`dXHWVs&B@+fWrGT$$d@N00GSlltC1{ZH+zV5q_ka5EQ{d}$?{
zTGn*ST5rb#p>UF}(#?Jm$W<hg(sNq-&2kQrvLvTufSI_h@<9$0=)rBXy28{Mrm|VQ
zW5??}S=B6@L<>DC2qriG<Enpmekbv>*SncNw66Y3K2J@w{C;D%Q|1biG{}V=!aC#M
z_(R}7MN+8lbsVh=^#+lHd>3L8UocgDms5Rn(9b1RYK9(yxj)qL0N3+IFnnkd&=40)
zFMKeQCsW(~eN%9zAsQxLn7%2;xjR}@Ug@pSN^|Q`MZBQcm9_!6K}1l((;ZH#FlAD^
z$IEIG(wYd8m>50#LqEyn0nQ72vzTb{!e=YyIogKwz)#jQR1yqqCo}Kk*OO25Cg8%}
zYnZ3&`zzU4vE`=-7PK<Bsv1cf7SdTl>?hBn0jlNPKYLY&-H#7Cl6g%`Bbv7lX7M<m
zk2|=l=SK*UO^}Ws?2OLg@dMfn1|+%wr|x})msV|5`Q3hNrgj`>tx!_AJw-Gu4JE;6
z6nx%nHAvLon=_AP6j)DAlP|r^X9b_-Dy?N=gPQ5yy~alvythX=Z!V7*N;@{suhjf#
zN{q3O$z<|dXsUv$?s^(<O#i7m<XENI)c^41f}oIHwBFkI3s~63(5uPSR;1(aI`6$;
z;1IY#+^qk)LzGeOnnS3CcZQy+aY{A(rr@&H8_n0cw3&{nuFwW(l0vlhM(K(q!?4fE
zIIh5(>spXh{?f*Al+hh3MsIiO6U-{iU`=HxdTu5%KE0=8RQKZ87^$QO`%;IU(=f-9
z1q4R$NQmH=h`<Ub`#E(neaaR^)XTjmi;)hiObx#m$3OP?67}QveIl6TvX(tkn1C>8
z8N=exxh#&Ni|OI`5K+JVpYL2Oq;D>HaDTj!$4~L$`Ki_A1!uG$WPxCoh^vKq7A5bl
z;OH0gW2`S&a*8&0w%l2xBZrO6f~BN#voqR`FECdnMzl=yC)8h>Hq^eCc5p#N9urLb
z@fk}3L36`@usJZbSDyww2aEnF=>)LcW{{jj<^%fF;elhjLSFH4?w+BmY_F_Du)*M#
zC20Gt#w#yBmv>N(+hJeLeAr2=^5(ss#{lK;<PXDd*eOr+GrQ&}jcTkvo$tRnY>#(0
zUA^bEM{PZ>Js)geqljFv%3gh5$-ErwZHEHb6SU>hl>Gb)!Km6ZYF&~I!<XkmDreZd
z>`G9HJV6|P7Sg^LpxHDEx(ZhsDhW)Y=22^MUPP=}!0r+nuC?`yCFB$kyr#dtov$6^
zwb|lwbq8zJz2cmGUCUChQ#{5l%(O&%{*caLI&ZJ+JvVM?h`lX?zT16)v!r&2mzWc3
zad+G+rS-Thz#>GxU#+IyacxQykd=J=X5PkFl&I$^U*3q+xbqa3W*qc61e&Dm;jep0
zGkar_NccTB=VtP%jO3gQP68N(fhPjEdIKxiC*14@gXWgtZo!H!J5Ik-oQBdcBk?*Q
zy8w^Zl`|9A=b+*~>^K*&@e73dnKCo!W<cvyd^Nn%G%UC4fMSz+8vE$93me#8R8Xc~
z)oj?f7+<8rI_vVB4j9yP#-{je+2Vbh#`(vE-x4XO&KooFjpDs|hee07<^`0X*evnv
zp{P=JxOyHhq9ruUoig`x6B;3S?HKfyDefupk);`84Obm5@}j!K(G2Z9H6+>A%3Z!K
z1Pr^I0q$MImkl2*Ch!VScTIetc9d~S&7{jyJLa|3m`VB+lH%vzCs|0nV!d%I${{o>
z6g2np0w8%nl@E5|dc%Z7OUp<|NK2ZI=zoF0AR;1I15q)U7+ly=<xTxsMTh?`UrjEJ
z^mV9JR%xL`Oc^aA!2cj%5@+ayWF=Yi46H`ZH2vbG&~XFB-*@m;b#ZodbbOtPx{n%6
zeKH=m*XdQ!^MgR8U^I1ZhS(cPwlI;F3b^hUa6RCfsJ;~O@Q8+^%}7Fs6!^@D6(gP3
zcj`DRUO=R1W=yYV#xVy-oB1J#oR(s!Kg;7)c+`kzcz0`Y_j0=Dm_b=!OJZ(dkn8(E
zkzZOtJhy0#%6-B@=YIY^b8abl=R=LjS@0KgkL94QyZ*=}>E*B4Q#X667{auceR<x|
z{f~mN3;=(AFHkEL60L<-q>tcX)EX_cxNpo?*@?}h-H+l>p`@Jhc}ua283HMrhCDvq
zz}O^#l4o2mnC#QSvIL<{Pda@q=k9azjW5LFneAjXD`<t?A&We}*SX1rysl4N3%>`>
zP(`BeS?=o&VK7$0U&OI6(={>xNR7OrgzOT$B!Db-Wi5GPz88gGbEa(aV3=<%{q4Cp
z=F#yam_nzP1QQVikmTrZmi?Xnw<ckj7!-!X!zOWJBJh2=zM~RE=BU>ND}$(2d@Lw&
zi)2d)_=k*Pvh4~IeGM}RvDCdBwh$IG60_8;5{3<dhw)$Tja-T?bw$NY0ocv;Y+(V>
z40E<(HX(Lbwv33|TfRU*;SlTV2J*k&Evf&00(h$#yMmvOLYv1n8t|B+YEn@QEV%#2
zT3!(q#^S-FCPcvV*y!F2nHIo?E$ifeQ~v9F&=8Lw$LT@zU7nbQ9{!lCUfg8Ii7AI_
z==SfFda8o~RGy5qwU=dpg$=P7154du7zFw+IflRBmdiKHgd=oWvjwsM@9WR-EV1*w
zc%>IhsJHmGqpka~y>E}44WSgT&0?3ZE2s(E&u3%IpUGZ(!Hf#ym}g{S5vjgOdU;c}
zG)=Zmwg9Y(AW!lCp$`5{G7T<s*;nX7&u=csTL^q{XZsQD(czC}pCJQ`8_<anfU#gC
z8psV;zDOh60j9FCYy>s$;oH|xpMUHf40N7^M{g?_rWtqBQ!(4PL|Y=!6?*7YY5;jE
zaOhI&hD7HN`e*q@<s{5k#OUshDB3vVb2e_8o5%$H`XuA#{LL9qUr75A9>aL4tS@lv
z8KeMET?f7-0OR=ow|D68-r16h)xIN0^@Ef<(4-g5!dk9VpVGXG7I^8uwqLeBJ_gnw
z(#MF8{iSU_h{5ZN4?&=#vDBrdPdv6+c{Kf)Ba?fN%;zGosN^#xC=`I%Wb+9bVWgSt
TiF&uS+=`vmhqnk3^AZ06PcRwE

literal 0
HcmV?d00001

diff --git a/modules/git/tests/repos/language_stats_repo/objects/pack/pack-7cd0100ad5c382a7e8e1bacada4b66b927f29b72.rev b/modules/git/tests/repos/language_stats_repo/objects/pack/pack-7cd0100ad5c382a7e8e1bacada4b66b927f29b72.rev
new file mode 100644
index 0000000000000000000000000000000000000000..c2e2e3aeae5ba8e39983452d5e8a8abd4ec4b528
GIT binary patch
literal 132
zcmWIYbctYKU|@t|b|B3M#LPg<3&h+&%mu{4K+FNeOhC*E#B4y!55z1$%n8H-Kr95r
zAag)~2Z#l0E(ma4J>0bX#lu~vZh5EeRR1))C{Jz43h}7an;Ys{iZ=-wa+XI<&;$UT
Ct`-mg

literal 0
HcmV?d00001

diff --git a/modules/git/tests/repos/language_stats_repo/packed-refs b/modules/git/tests/repos/language_stats_repo/packed-refs
index 63e01583a4..b046027fce 100644
--- a/modules/git/tests/repos/language_stats_repo/packed-refs
+++ b/modules/git/tests/repos/language_stats_repo/packed-refs
@@ -1,2 +1,2 @@
 # pack-refs with: peeled fully-peeled sorted 
-95d3505f2db273e40be79f84416051ae85e9ea0d refs/heads/master
+5684d0c8cfdfb17fcd59101826efc9ff54b80df4 refs/heads/master
diff --git a/tests/integration/linguist_test.go b/tests/integration/linguist_test.go
index efeaaabb98..06ff1bd22f 100644
--- a/tests/integration/linguist_test.go
+++ b/tests/integration/linguist_test.go
@@ -156,8 +156,8 @@ func TestLinguistSupport(t *testing.T) {
 
 			langs := getFreshLanguageStats(t, repo, sha)
 			assert.Len(t, langs, 2)
-			assert.Equal(t, "C", langs[0].Language)
-			assert.Equal(t, "Markdown", langs[1].Language)
+			assert.Equal(t, "Markdown", langs[0].Language)
+			assert.Equal(t, "C", langs[1].Language)
 		})
 
 		// 4. Marking foo.c as documentation

From bacd8f365d9645f654725d189192d99ea7610475 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 18 Apr 2026 05:10:44 +0200
Subject: [PATCH 138/287] Update github.com/go-git/go-git/v5 (indirect) to
 v5.18.0 [SECURITY] (forgejo) (#12174)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `v5.17.1` → `v5.18.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-git%2fgo-git%2fv5/v5.18.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-git%2fgo-git%2fv5/v5.17.1/v5.18.0?slim=true) |

---

### go-git: Credential leak via cross-host redirect in smart HTTP transport
[GHSA-3xc5-wrhm-f963](https://github.com/advisories/GHSA-3xc5-wrhm-f963)

<details>
<summary>More information</summary>

#### Details
##### Impact
`go-git` may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial `/info/refs` request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

**Clients using `go-git` exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue.** The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

##### Patches
Users should upgrade to `v5.18.0`, or `v6.0.0-alpha.2`, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported `go-git` version.

The patched versions add support for configuring [followRedirects](https://git-scm.com/docs/git-config#Documentation/git-config.txt-httpfollowRedirects). In line with upstream behaviour, the default is now `initial`, while users can opt into `FollowRedirects` or `NoFollowRedirects` programmatically.

##### Credit
Thanks to the 3 separate reports from @&#8203;celinke97, @&#8203;N0zoM1z0 and @&#8203;AyushParkara. Thanks for finding and reporting this issue privately to the `go-git` project. :bow:

#### Severity
- CVSS Score: 4.7 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N`

#### References
- [https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963](https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963)
- [https://github.com/go-git/go-git](https://github.com/go-git/go-git)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-3xc5-wrhm-f963) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>

### [`v5.18.0`](https://github.com/go-git/go-git/releases/tag/v5.18.0)

[Compare Source](https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0)

#### What's Changed

- plumbing: transport/http, Add support for followRedirects policy by [@&#8203;pjbgf](https://github.com/pjbgf) in [#&#8203;2004](https://github.com/go-git/go-git/pull/2004)

**Full Changelog**: <https://github.com/go-git/go-git/compare/v5.17.2...v5.18.0>

### [`v5.17.2`](https://github.com/go-git/go-git/releases/tag/v5.17.2)

[Compare Source](https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2)

#### What's Changed

- build: Update module github.com/go-git/go-git/v5 to v5.17.1 \[SECURITY] (releases/v5.x) by [@&#8203;go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#&#8203;1941](https://github.com/go-git/go-git/pull/1941)
- dotgit: skip writing pack files that already exist on disk by [@&#8203;pjbgf](https://github.com/pjbgf) in [#&#8203;1944](https://github.com/go-git/go-git/pull/1944)

:warning: This release fixes a bug ([#&#8203;1942](https://github.com/go-git/go-git/issues/1942)) that blocked some users from upgrading to `v5.17.1`. Thanks [@&#8203;pskrbasu](https://github.com/pskrbasu) for reporting it. :bow:

**Full Changelog**: <https://github.com/go-git/go-git/compare/v5.17.1...v5.17.2>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTEuMCIsInVwZGF0ZWRJblZlciI6IjQzLjExMS4wIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12174
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 6db142399f..3043c49651 100644
--- a/go.mod
+++ b/go.mod
@@ -175,7 +175,7 @@ require (
 	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.8.0 // indirect
-	github.com/go-git/go-git/v5 v5.17.1 // indirect
+	github.com/go-git/go-git/v5 v5.18.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-openapi/jsonpointer v0.22.4 // indirect
 	github.com/go-openapi/jsonreference v0.21.4 // indirect
diff --git a/go.sum b/go.sum
index 9601411c69..41c8d684b6 100644
--- a/go.sum
+++ b/go.sum
@@ -283,8 +283,8 @@ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66D
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
 github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
-github.com/go-git/go-git/v5 v5.17.1 h1:WnljyxIzSj9BRRUlnmAU35ohDsjRK0EKmL0evDqi5Jk=
-github.com/go-git/go-git/v5 v5.17.1/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
+github.com/go-git/go-git/v5 v5.18.0 h1:O831KI+0PR51hM2kep6T8k+w0/LIAD490gvqMCvL5hM=
+github.com/go-git/go-git/v5 v5.18.0/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=

From a11d0db2e16a3be691abc00c31adce3412ad9988 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 18 Apr 2026 14:48:45 +0200
Subject: [PATCH 139/287] Update dependency webpack to v5.106.1 (forgejo)
 (#12109)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12109
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 41 ++++++++++++++---------------------------
 package.json      |  2 +-
 2 files changed, 15 insertions(+), 28 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e6c087cbd5..0e286628f7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -77,7 +77,7 @@
         "vue-chartjs": "5.3.3",
         "vue-loader": "17.4.2",
         "vue3-calendar-heatmap": "2.0.5",
-        "webpack": "5.106.0",
+        "webpack": "5.106.2",
         "webpack-cli": "7.0.2",
         "wrap-ansi": "10.0.0"
       },
@@ -12101,27 +12101,6 @@
         "node": ">=8.6"
       }
     },
-    "node_modules/mime-db": {
-      "version": "1.52.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
-      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/mime-types": {
-      "version": "2.1.35",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
-      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-db": "1.52.0"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/mini-css-extract-plugin": {
       "version": "2.10.0",
       "resolved": "https://registry.npmjs.org/mini-css-extract-plugin/-/mini-css-extract-plugin-2.10.0.tgz",
@@ -16139,9 +16118,9 @@
       "license": "BSD-2-Clause"
     },
     "node_modules/webpack": {
-      "version": "5.106.0",
-      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.106.0.tgz",
-      "integrity": "sha512-Pkx5joZ9RrdgO5LBkyX1L2ZAJeK/Taz3vqZ9CbcP0wS5LEMx5QkKsEwLl29QJfihZ+DKRBFldzy1O30pJ1MDpA==",
+      "version": "5.106.2",
+      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.106.2.tgz",
+      "integrity": "sha512-wGN3qcrBQIFmQ/c0AiOAQBvrZ5lmY8vbbMv4Mxfgzqd/B6+9pXtLo73WuS1dSGXM5QYY3hZnIbvx+K1xxe6FyA==",
       "license": "MIT",
       "dependencies": {
         "@types/eslint-scope": "^3.7.7",
@@ -16160,9 +16139,8 @@
         "events": "^3.2.0",
         "glob-to-regexp": "^0.4.1",
         "graceful-fs": "^4.2.11",
-        "json-parse-even-better-errors": "^2.3.1",
         "loader-runner": "^4.3.1",
-        "mime-types": "^2.1.27",
+        "mime-db": "^1.54.0",
         "neo-async": "^2.6.2",
         "schema-utils": "^4.3.3",
         "tapable": "^2.3.0",
@@ -16286,6 +16264,15 @@
         "node": ">=4.0"
       }
     },
+    "node_modules/webpack/node_modules/mime-db": {
+      "version": "1.54.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
+      "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/whatwg-mimetype": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-3.0.0.tgz",
diff --git a/package.json b/package.json
index 0415b40868..969e77006c 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
     "vue-chartjs": "5.3.3",
     "vue-loader": "17.4.2",
     "vue3-calendar-heatmap": "2.0.5",
-    "webpack": "5.106.0",
+    "webpack": "5.106.2",
     "webpack-cli": "7.0.2",
     "wrap-ansi": "10.0.0"
   },

From 9ccaf473eba2a4424ea6f35bd0475d3765b030c6 Mon Sep 17 00:00:00 2001
From: 0ko <0ko@noreply.codeberg.org>
Date: Sat, 18 Apr 2026 23:18:02 +0200
Subject: [PATCH 140/287] fix(i18n): don't log harmless missing translations as
 errors (#12183)

Followup to https://codeberg.org/forgejo/forgejo/pulls/6203

Currently it is logging an error wherever a template is rendered in language that doesn't have all plural strings covered. For example, Esperanto isn't well maintained.

Since more plural strings were migrated in v15 to new format, these errors became much more common. However, for all languages but the base one (English) they are completely harmless and just indicate an incomplete translation.

However, for base (English) they indicate a bug in either template or en-US.json, which should be still logged as an error.

The error is being logged by `LookupPluralByForm`, which is called by `TrPluralStringAllForms` and (`TrPluralString` through `LookupPluralByCount`). I originally intended to just pass log func directly to `LookupPluralByForm` from both, but since `TrPluralString` isn't calling `LookupPluralByForm` directly, it didn't look clean, so I went with passing a flag around instead and implemented logging logic in `LookupPluralByForm` itself.

I little concern is with that the so-called "default lang" is configurable, and if it is configured to something with less than 100% completion, it will cause fallback bugs, as well as a lot of logging of this as an error. But this is why changing "default lang" is a bad idea in the first place, and broken fallbacks should be greater concern than junk in the logs.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12183
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
---
 modules/translation/i18n/localestore.go | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/modules/translation/i18n/localestore.go b/modules/translation/i18n/localestore.go
index 89361088a4..d0f5841411 100644
--- a/modules/translation/i18n/localestore.go
+++ b/modules/translation/i18n/localestore.go
@@ -119,7 +119,7 @@ func (l *locale) LookupNewStyleMessage(trKey string) string {
 	return ""
 }
 
-func (l *locale) LookupPluralByCount(trKey string, count any) string {
+func (l *locale) LookupPluralByCount(trKey string, count any, isDefaultLang bool) string {
 	n, err := util.ToInt64(count)
 	if err != nil {
 		log.Error("Invalid plural count '%s'", count)
@@ -127,10 +127,10 @@ func (l *locale) LookupPluralByCount(trKey string, count any) string {
 	}
 
 	pluralForm := l.pluralRule(n)
-	return l.LookupPluralByForm(trKey, pluralForm)
+	return l.LookupPluralByForm(trKey, pluralForm, isDefaultLang)
 }
 
-func (l *locale) LookupPluralByForm(trKey string, pluralForm PluralFormIndex) string {
+func (l *locale) LookupPluralByForm(trKey string, pluralForm PluralFormIndex, isDefaultLang bool) string {
 	suffix := ""
 	switch pluralForm {
 	case PluralFormZero:
@@ -155,7 +155,14 @@ func (l *locale) LookupPluralByForm(trKey string, pluralForm PluralFormIndex) st
 		return result
 	}
 
-	log.Error("Missing translation for plural form %s", suffix)
+	// Severify depends on the lang. A missing string in default lang will affect
+	// all translations, while community translations may just be incomplete
+	logFunc := log.Debug
+	if isDefaultLang {
+		logFunc = log.Error
+	}
+
+	logFunc("Missing translation for key `%[1]s`, plural form `%[2]s`", trKey, suffix)
 	return ""
 }
 
@@ -266,11 +273,11 @@ func (l *locale) TrHTML(trKey string, trArgs ...any) template.HTML {
 }
 
 func (l *locale) TrPluralString(count any, trKey string, trArgs ...any) template.HTML {
-	message := l.LookupPluralByCount(trKey, count)
+	message := l.LookupPluralByCount(trKey, count, false)
 
 	if message == "" {
 		if defaultLang, ok := l.store.localeMap[l.store.defaultLang]; ok {
-			message = defaultLang.LookupPluralByCount(trKey, count)
+			message = defaultLang.LookupPluralByCount(trKey, count, true)
 		}
 		if message == "" {
 			message = trKey
@@ -294,7 +301,7 @@ func (l *locale) TrPluralStringAllForms(trKey string) ([]string, []string) {
 	allPresent := true
 
 	for i, form := range l.usedPluralForms {
-		result[i] = l.LookupPluralByForm(trKey, form)
+		result[i] = l.LookupPluralByForm(trKey, form, false)
 		if result[i] == "" {
 			allPresent = false
 		}
@@ -304,7 +311,7 @@ func (l *locale) TrPluralStringAllForms(trKey string) ([]string, []string) {
 		if hasDefaultLang {
 			fallback = make([]string, len(defaultLang.usedPluralForms))
 			for i, form := range defaultLang.usedPluralForms {
-				fallback[i] = defaultLang.LookupPluralByForm(trKey, form)
+				fallback[i] = defaultLang.LookupPluralByForm(trKey, form, true)
 			}
 		} else {
 			log.Error("Plural set for '%s' is incomplete and no fallback language is set.", trKey)

From f596bd032405adcfdfcc11229c92a97dfa25a8bd Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 19 Apr 2026 01:46:09 +0200
Subject: [PATCH 141/287] Update dependency swagger-ui-dist to v5.32.3
 (forgejo) (#12170)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 0e286628f7..a0eeb919d6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -64,7 +64,7 @@
         "postcss-nesting": "14.0.0",
         "pretty-ms": "9.0.0",
         "sortablejs": "1.15.7",
-        "swagger-ui-dist": "5.32.2",
+        "swagger-ui-dist": "5.32.4",
         "tailwindcss": "3.4.19",
         "throttle-debounce": "5.0.0",
         "tinycolor2": "1.6.0",
@@ -14996,9 +14996,9 @@
       }
     },
     "node_modules/swagger-ui-dist": {
-      "version": "5.32.2",
-      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.32.2.tgz",
-      "integrity": "sha512-t6Ns52nS8LU2hqi0+rezMjFO1ZrCsCrnommXrU7Nfrg2va2dWahdvM6TuSwzdHpG29v6BHJyU1c/UWFhgVZzVQ==",
+      "version": "5.32.4",
+      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.32.4.tgz",
+      "integrity": "sha512-0AADFFQNJzExEN49SrD/34Nn9cxNxVLiydYl2MBwSZFPVXNkVwC/EFAjoezGGqE8oDegiDC+p47t8lKObCinMQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@scarf/scarf": "=1.4.0"
diff --git a/package.json b/package.json
index 969e77006c..c66dc318e2 100644
--- a/package.json
+++ b/package.json
@@ -63,7 +63,7 @@
     "postcss-nesting": "14.0.0",
     "pretty-ms": "9.0.0",
     "sortablejs": "1.15.7",
-    "swagger-ui-dist": "5.32.2",
+    "swagger-ui-dist": "5.32.4",
     "tailwindcss": "3.4.19",
     "throttle-debounce": "5.0.0",
     "tinycolor2": "1.6.0",

From 4b8d118cceebe3b55123089ddf0d905bd7c6fdc2 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 19 Apr 2026 01:46:45 +0200
Subject: [PATCH 142/287] Update dependency postcss to v8.5.10 (forgejo)
 (#12186)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12186
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a0eeb919d6..e4c056880b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -59,7 +59,7 @@
         "mini-css-extract-plugin": "2.10.0",
         "minimatch": "10.2.5",
         "pdfobject": "2.3.0",
-        "postcss": "8.5.9",
+        "postcss": "8.5.10",
         "postcss-loader": "8.2.1",
         "postcss-nesting": "14.0.0",
         "pretty-ms": "9.0.0",
@@ -12897,9 +12897,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.5.9",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.9.tgz",
-      "integrity": "sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==",
+      "version": "8.5.10",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.10.tgz",
+      "integrity": "sha512-pMMHxBOZKFU6HgAZ4eyGnwXF/EvPGGqUr0MnZ5+99485wwW41kW91A4LOGxSHhgugZmSChL5AlElNdwlNgcnLQ==",
       "funding": [
         {
           "type": "opencollective",
diff --git a/package.json b/package.json
index c66dc318e2..0e0050c91c 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
     "mini-css-extract-plugin": "2.10.0",
     "minimatch": "10.2.5",
     "pdfobject": "2.3.0",
-    "postcss": "8.5.9",
+    "postcss": "8.5.10",
     "postcss-loader": "8.2.1",
     "postcss-nesting": "14.0.0",
     "pretty-ms": "9.0.0",

From 99299a5685442e53fcc20fc4414715730db41f25 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 19 Apr 2026 04:19:03 +0200
Subject: [PATCH 143/287] Update module github.com/jackc/pgx/v5 to v5.9.2
 (forgejo) (#12188)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `v5.9.1` → `v5.9.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fjackc%2fpgx%2fv5/v5.9.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fjackc%2fpgx%2fv5/v5.9.1/v5.9.2?slim=true) |

---

### Release Notes

<details>
<summary>jackc/pgx (github.com/jackc/pgx/v5)</summary>

### [`v5.9.2`](https://github.com/jackc/pgx/compare/v5.9.1...v5.9.2)

[Compare Source](https://github.com/jackc/pgx/compare/v5.9.1...v5.9.2)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTEuMCIsInVwZGF0ZWRJblZlciI6IjQzLjExMS4wIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12188
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 3043c49651..3310a438b5 100644
--- a/go.mod
+++ b/go.mod
@@ -67,7 +67,7 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/huandu/xstrings v1.5.0
 	github.com/inbucket/html2text v1.0.0
-	github.com/jackc/pgx/v5 v5.9.1
+	github.com/jackc/pgx/v5 v5.9.2
 	github.com/jhillyerd/enmime/v2 v2.2.0
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
diff --git a/go.sum b/go.sum
index 41c8d684b6..19a2fcb917 100644
--- a/go.sum
+++ b/go.sum
@@ -446,8 +446,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.9.1 h1:uwrxJXBnx76nyISkhr33kQLlUqjv7et7b9FjCen/tdc=
-github.com/jackc/pgx/v5 v5.9.1/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=

From 178a0a25f82579433875e607f8633248728e7654 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Sun, 19 Apr 2026 04:24:09 +0200
Subject: [PATCH 144/287] chore: flag suspicious OwnerID comparisons (#12184)

Resources in Forgejo can also be owned by predefined system users like Ghost or Forgejo Actions. Those have negative user IDs, for example, -2 in the case of Forgejo Actions. `OwnerID` checks oftentimes do not take these users into account, because their existence and how they work isn't well known. A [semgrep](https://semgrep.dev/) check is added that flags such suspicious `OwnerID` checks.

See https://codeberg.org/forgejo/forgejo/pulls/12144 for background.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12184
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 .semgrep/config/logic.yaml          | 11 +++++++++
 .semgrep/tests/logic.go             | 35 +++++++++++++++++++++++++++++
 models/actions/run_job_list.go      |  2 +-
 models/actions/run_list.go          |  2 +-
 models/actions/runner.go            |  3 ++-
 models/actions/runner_list.go       |  1 +
 models/actions/schedule.go          |  2 +-
 models/actions/task_list.go         |  2 +-
 models/asymkey/gpg_key.go           |  2 +-
 models/asymkey/ssh_key.go           |  2 +-
 models/project/project.go           |  3 ++-
 models/repo/repo.go                 |  1 +
 routers/web/repo/setting/webhook.go |  2 +-
 13 files changed, 59 insertions(+), 9 deletions(-)
 create mode 100644 .semgrep/config/logic.yaml
 create mode 100644 .semgrep/tests/logic.go

diff --git a/.semgrep/config/logic.yaml b/.semgrep/config/logic.yaml
new file mode 100644
index 0000000000..85c43f5531
--- /dev/null
+++ b/.semgrep/config/logic.yaml
@@ -0,0 +1,11 @@
+rules:
+  - id: forgejo-logic-suspicious-OwnerID-check
+    pattern: |-
+      $X.OwnerID > 0
+    languages:
+      - go
+    severity: ERROR
+    message: >
+      Many resources like comments or runners cannot only be owned by regular users, which have positive IDs, but also
+      by predefined system users like Ghost or Forgejo Actions that have negative IDs. In those cases, ownership checks
+      should only exclude 0: `OwnerID != 0`.
diff --git a/.semgrep/tests/logic.go b/.semgrep/tests/logic.go
new file mode 100644
index 0000000000..32a2777ff6
--- /dev/null
+++ b/.semgrep/tests/logic.go
@@ -0,0 +1,35 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import "xorm.io/builder"
+
+type FindRunJobOptions struct {
+	RepoID  int64
+	OwnerID int64
+}
+
+func (opts FindRunJobOptions) Bad() builder.Cond {
+	cond := builder.NewCond()
+	if opts.RepoID > 0 {
+		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
+	}
+	// ruleid:forgejo-logic-suspicious-OwnerID-check
+	if opts.OwnerID > 0 {
+		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
+	}
+	return cond
+}
+
+func (opts FindRunJobOptions) Good() builder.Cond {
+	cond := builder.NewCond()
+	if opts.RepoID > 0 {
+		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
+	}
+	// ok:forgejo-logic-suspicious-OwnerID-check
+	if opts.OwnerID != 0 {
+		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
+	}
+	return cond
+}
diff --git a/models/actions/run_job_list.go b/models/actions/run_job_list.go
index 207da30334..40a182082f 100644
--- a/models/actions/run_job_list.go
+++ b/models/actions/run_job_list.go
@@ -74,7 +74,7 @@ func (opts FindRunJobOptions) ToConds() builder.Cond {
 	if opts.RepoID > 0 {
 		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	}
-	if opts.OwnerID > 0 {
+	if opts.OwnerID != 0 {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 	if opts.CommitSHA != "" {
diff --git a/models/actions/run_list.go b/models/actions/run_list.go
index b296e2f477..11fa8441a5 100644
--- a/models/actions/run_list.go
+++ b/models/actions/run_list.go
@@ -85,7 +85,7 @@ func (opts FindRunOptions) ToConds() builder.Cond {
 	if opts.RepoID > 0 {
 		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	}
-	if opts.OwnerID > 0 {
+	if opts.OwnerID != 0 {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 	if opts.WorkflowID != "" {
diff --git a/models/actions/runner.go b/models/actions/runner.go
index 8061ccf37e..1a7fbb0b45 100644
--- a/models/actions/runner.go
+++ b/models/actions/runner.go
@@ -152,6 +152,7 @@ func (r *ActionRunner) Editable(ownerID, repoID int64) bool {
 
 // LoadAttributes loads the attributes of the runner
 func (r *ActionRunner) LoadAttributes(ctx context.Context) error {
+	// nosemgrep: forgejo-logic-suspicious-OwnerID-check (system users are not stored in the database)
 	if r.OwnerID > 0 {
 		var user user_model.User
 		has, err := db.GetEngine(ctx).ID(r.OwnerID).Get(&user)
@@ -214,7 +215,7 @@ func (opts FindRunnerOptions) ToConds() builder.Cond {
 			c = c.Or(builder.Eq{"repo_id": 0, "owner_id": 0})
 		}
 		cond = cond.And(c)
-	} else if opts.OwnerID > 0 { // OwnerID is ignored if RepoID is set
+	} else if opts.OwnerID != 0 { // OwnerID is ignored if RepoID is set
 		c := builder.NewCond().And(builder.Eq{"owner_id": opts.OwnerID})
 		if opts.WithVisible {
 			c = c.Or(builder.Eq{"repo_id": 0, "owner_id": 0})
diff --git a/models/actions/runner_list.go b/models/actions/runner_list.go
index 6a64c46596..4186ee60be 100644
--- a/models/actions/runner_list.go
+++ b/models/actions/runner_list.go
@@ -28,6 +28,7 @@ func (runners RunnerList) LoadOwners(ctx context.Context) error {
 		return err
 	}
 	for _, runner := range runners {
+		// nosemgrep: forgejo-logic-suspicious-OwnerID-check (system users are not stored in the database)
 		if runner.OwnerID > 0 && runner.Owner == nil {
 			runner.Owner = users[runner.OwnerID]
 		}
diff --git a/models/actions/schedule.go b/models/actions/schedule.go
index 8c410b9d38..bd6755621b 100644
--- a/models/actions/schedule.go
+++ b/models/actions/schedule.go
@@ -116,7 +116,7 @@ func (opts FindScheduleOptions) ToConds() builder.Cond {
 	if opts.RepoID > 0 {
 		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	}
-	if opts.OwnerID > 0 {
+	if opts.OwnerID != 0 {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 
diff --git a/models/actions/task_list.go b/models/actions/task_list.go
index f85e17b41b..4c0e060497 100644
--- a/models/actions/task_list.go
+++ b/models/actions/task_list.go
@@ -65,7 +65,7 @@ func (opts FindTaskOptions) ToConds() builder.Cond {
 	if opts.RepoID > 0 {
 		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	}
-	if opts.OwnerID > 0 {
+	if opts.OwnerID != 0 {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 	if opts.CommitSHA != "" {
diff --git a/models/asymkey/gpg_key.go b/models/asymkey/gpg_key.go
index cae717011e..620e0ef0ae 100644
--- a/models/asymkey/gpg_key.go
+++ b/models/asymkey/gpg_key.go
@@ -81,7 +81,7 @@ func (opts FindGPGKeyOptions) ToConds() builder.Cond {
 		cond = cond.And(builder.Eq{"primary_key_id": ""})
 	}
 
-	if opts.OwnerID > 0 {
+	if opts.OwnerID != 0 {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 	if opts.KeyID != "" {
diff --git a/models/asymkey/ssh_key.go b/models/asymkey/ssh_key.go
index 7f76009e7f..ea05195b5d 100644
--- a/models/asymkey/ssh_key.go
+++ b/models/asymkey/ssh_key.go
@@ -190,7 +190,7 @@ type FindPublicKeyOptions struct {
 
 func (opts FindPublicKeyOptions) ToConds() builder.Cond {
 	cond := builder.NewCond()
-	if opts.OwnerID > 0 {
+	if opts.OwnerID != 0 {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 	if opts.Fingerprint != "" {
diff --git a/models/project/project.go b/models/project/project.go
index 3a36613b49..8f3d09b956 100644
--- a/models/project/project.go
+++ b/models/project/project.go
@@ -136,6 +136,7 @@ func ProjectLinkForRepo(repo *repo_model.Repository, projectID int64) string { /
 
 // Link returns the project's relative URL.
 func (p *Project) Link(ctx context.Context) string {
+	// nosemgrep: forgejo-logic-suspicious-OwnerID-check (system users are not stored in the database)
 	if p.OwnerID > 0 {
 		err := p.LoadOwner(ctx)
 		if err != nil {
@@ -224,7 +225,7 @@ func (opts SearchOptions) ToConds() builder.Cond {
 	if opts.Type > 0 {
 		cond = cond.And(builder.Eq{"type": opts.Type})
 	}
-	if opts.OwnerID > 0 {
+	if opts.OwnerID != 0 {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 
diff --git a/models/repo/repo.go b/models/repo/repo.go
index 0c45f483e4..1bd779b5a0 100644
--- a/models/repo/repo.go
+++ b/models/repo/repo.go
@@ -893,6 +893,7 @@ type CountRepositoryOptions struct {
 func CountRepositories(ctx context.Context, opts CountRepositoryOptions) (int64, error) {
 	sess := db.GetEngine(ctx).Where("id > 0")
 
+	// nosemgrep: forgejo-logic-suspicious-OwnerID-check (repositories cannot be owned by system users)
 	if opts.OwnerID > 0 {
 		sess.And("owner_id = ?", opts.OwnerID)
 	}
diff --git a/routers/web/repo/setting/webhook.go b/routers/web/repo/setting/webhook.go
index 9bd4422556..cf28983ba4 100644
--- a/routers/web/repo/setting/webhook.go
+++ b/routers/web/repo/setting/webhook.go
@@ -341,7 +341,7 @@ func checkWebhook(ctx *context.Context) (*ownerRepoCtx, *webhook.Webhook) {
 	var w *webhook.Webhook
 	if orCtx.RepoID > 0 {
 		w, err = webhook.GetWebhookByRepoID(ctx, orCtx.RepoID, ctx.ParamsInt64(":id"))
-	} else if orCtx.OwnerID > 0 {
+	} else if orCtx.OwnerID > 0 { // nosemgrep: forgejo-logic-suspicious-OwnerID-check (system users do not own webhooks)
 		w, err = webhook.GetWebhookByOwnerID(ctx, orCtx.OwnerID, ctx.ParamsInt64(":id"))
 	} else if orCtx.IsAdmin {
 		w, err = webhook.GetSystemOrDefaultWebhook(ctx, ctx.ParamsInt64(":id"))

From 6cd3f0263d48231a8df34f59aa059fb8878ecbcb Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Sun, 19 Apr 2026 22:08:00 +0200
Subject: [PATCH 145/287] refactor: move rerun logic to services (#12141)

Move the logic for handling reruns of Forgejo Action workflows and individual jobs to services. That is a prerequisite for adding the corresponding HTTP API endpoints.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12141
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 models/actions/run.go                         |  20 +-
 models/actions/run_job.go                     |  14 +-
 models/actions/run_job_test.go                |  23 +-
 models/actions/run_test.go                    |  22 +-
 routers/web/repo/actions/view.go              | 131 +++-------
 routers/web/repo/actions/view_test.go         |   2 +-
 .../TestRerun_RerunAllJobs/action_run.yml     |  82 ++++++
 .../TestRerun_RerunAllJobs/action_run_job.yml | 227 ++++++++++++++++
 .../actions/TestRerun_RerunJob/action_run.yml |  82 ++++++
 .../TestRerun_RerunJob/action_run_job.yml     | 244 ++++++++++++++++++
 services/actions/rerun.go                     | 178 ++++++++++++-
 services/actions/rerun_test.go                | 237 ++++++++++++++++-
 12 files changed, 1122 insertions(+), 140 deletions(-)
 create mode 100644 services/actions/TestRerun_RerunAllJobs/action_run.yml
 create mode 100644 services/actions/TestRerun_RerunAllJobs/action_run_job.yml
 create mode 100644 services/actions/TestRerun_RerunJob/action_run.yml
 create mode 100644 services/actions/TestRerun_RerunJob/action_run_job.yml

diff --git a/models/actions/run.go b/models/actions/run.go
index a9c458c86d..fbbc5f8f01 100644
--- a/models/actions/run.go
+++ b/models/actions/run.go
@@ -255,19 +255,33 @@ func (run *ActionRun) IsDispatchedRun() bool {
 	return run.TriggerEvent == "workflow_dispatch"
 }
 
-// IsRunnable indicates whether this ActionRun can generally be run.
-func (run *ActionRun) IsRunnable() bool {
+// IsValid indicates whether this ActionRun is valid and can be run.
+func (run *ActionRun) IsValid() bool {
 	return run.PreExecutionErrorCode == 0 && run.PreExecutionError == ""
 }
 
 // CanBeRerun indicates whether this ActionRun can be rerun.
 func (run *ActionRun) CanBeRerun() bool {
-	if !run.IsRunnable() {
+	if !run.IsValid() {
 		return false
 	}
 	return run.Status.IsDone()
 }
 
+func (run *ActionRun) PrepareNextAttempt() error {
+	if run.Status != StatusUnknown && !run.Status.IsDone() {
+		return fmt.Errorf("cannot prepare next attempt because run %d is active: %s", run.ID, run.Status.String())
+	}
+
+	run.PreviousDuration = run.Duration()
+
+	run.Status = StatusWaiting
+	run.Started = 0
+	run.Stopped = 0
+
+	return nil
+}
+
 func actionsCountOpenCacheKey(repoID int64) string {
 	return fmt.Sprintf("Actions:CountOpenActionRuns:%d", repoID)
 }
diff --git a/models/actions/run_job.go b/models/actions/run_job.go
index 5d3a8aad80..0967ab87c3 100644
--- a/models/actions/run_job.go
+++ b/models/actions/run_job.go
@@ -141,12 +141,16 @@ func (job *ActionRunJob) PrepareNextAttempt(initialStatus Status) error {
 }
 
 // CanBeRerun answers whether this ActionRunJob can be rerun. Returns true if it is done and the Run it belongs to
-// is runnable. Returns false in all other cases, including when Run is nil.
-func (job *ActionRunJob) CanBeRerun() bool {
-	if job.Run == nil || !job.Run.IsRunnable() {
-		return false
+// is valid. Returns false in all other cases.
+func (job *ActionRunJob) CanBeRerun(ctx context.Context) (bool, error) {
+	if err := job.LoadRun(ctx); err != nil {
+		return false, fmt.Errorf("cannot load run %d of job %d: %w", job.RunID, job.ID, err)
 	}
-	return job.Status.IsDone()
+
+	if !job.Run.IsValid() {
+		return false, nil
+	}
+	return job.Status.IsDone(), nil
 }
 
 func GetRunJobByID(ctx context.Context, id int64) (*ActionRunJob, error) {
diff --git a/models/actions/run_job_test.go b/models/actions/run_job_test.go
index 6753fb0315..d9275a81ec 100644
--- a/models/actions/run_job_test.go
+++ b/models/actions/run_job_test.go
@@ -428,9 +428,10 @@ func TestAllNeedsExist(t *testing.T) {
 
 func TestActionRunJob_CanBeRerun(t *testing.T) {
 	testCases := []struct {
-		name       string
-		job        ActionRunJob
-		canBeRerun bool
+		name          string
+		job           ActionRunJob
+		canBeRerun    bool
+		expectedError string
 	}{
 		{
 			name:       "job with unknown status",
@@ -468,9 +469,9 @@ func TestActionRunJob_CanBeRerun(t *testing.T) {
 			canBeRerun: false,
 		},
 		{
-			name:       "ActionRun is nil",
-			job:        ActionRunJob{Run: nil, Status: StatusSuccess},
-			canBeRerun: false,
+			name:          "ActionRun is nil",
+			job:           ActionRunJob{ID: 12, Run: nil, Status: StatusSuccess},
+			expectedError: "cannot load run 0 of job 12",
 		},
 		{
 			name:       "with busy run but completed job",
@@ -489,7 +490,15 @@ func TestActionRunJob_CanBeRerun(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			assert.Equal(t, testCase.canBeRerun, testCase.job.CanBeRerun())
+			result, err := testCase.job.CanBeRerun(t.Context())
+
+			if testCase.expectedError == "" {
+				require.NoError(t, err)
+			} else {
+				require.ErrorContains(t, err, testCase.expectedError)
+			}
+
+			assert.Equal(t, testCase.canBeRerun, result)
 		})
 	}
 }
diff --git a/models/actions/run_test.go b/models/actions/run_test.go
index 9a5eb99537..959753107b 100644
--- a/models/actions/run_test.go
+++ b/models/actions/run_test.go
@@ -96,27 +96,27 @@ func TestIsManualRun(t *testing.T) {
 	assert.False(t, pushRun.IsDispatchedRun())
 }
 
-func TestActionRun_IsRunnable(t *testing.T) {
+func TestActionRun_IsValid(t *testing.T) {
 	testCases := []struct {
-		name       string
-		run        ActionRun
-		isRunnable bool
+		name    string
+		run     ActionRun
+		isValid bool
 	}{
 		{
-			name:       "valid run",
-			run:        ActionRun{},
-			isRunnable: true,
+			name:    "valid run",
+			run:     ActionRun{},
+			isValid: true,
 		},
 		{
-			name:       "with pre-execution error",
-			run:        ActionRun{PreExecutionErrorCode: ErrorCodeIncompleteRunsOnMissingOutput},
-			isRunnable: false,
+			name:    "with pre-execution error",
+			run:     ActionRun{PreExecutionErrorCode: ErrorCodeIncompleteRunsOnMissingOutput},
+			isValid: false,
 		},
 	}
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			assert.Equal(t, testCase.isRunnable, testCase.run.IsRunnable())
+			assert.Equal(t, testCase.isValid, testCase.run.IsValid())
 		})
 	}
 }
diff --git a/routers/web/repo/actions/view.go b/routers/web/repo/actions/view.go
index 63db9d0997..b1b7b5f2df 100644
--- a/routers/web/repo/actions/view.go
+++ b/routers/web/repo/actions/view.go
@@ -314,11 +314,16 @@ func getViewResponse(ctx *app_context.Context, req *ViewRequest, runIndex, jobIn
 			// Ah, another job is still running. Keep the frontend polling enabled then.
 			done = false
 		}
+		canBeRerun, err := v.CanBeRerun(ctx)
+		if err != nil {
+			ctx.Error(http.StatusInternalServerError, err.Error())
+			return nil
+		}
 		resp.State.Run.Jobs = append(resp.State.Run.Jobs, &ViewJob{
 			ID:       v.ID,
 			Name:     v.Name,
 			Status:   v.Status.String(),
-			CanRerun: v.CanBeRerun() && ctx.Repo.CanWrite(unit.TypeActions),
+			CanRerun: canBeRerun && ctx.Repo.CanWrite(unit.TypeActions),
 			Duration: v.Duration().String(),
 		})
 	}
@@ -495,120 +500,48 @@ func Rerun(ctx *app_context.Context) {
 		ctx.Error(http.StatusInternalServerError, err.Error())
 		return
 	}
-	if jobIndexStr == "" && !run.CanBeRerun() {
-		ctx.JSONError(ctx.Locale.Tr("actions.workflow.rerun_impossible"))
-		return
-	}
 
-	// can not rerun job when workflow is disabled
-	cfgUnit := ctx.Repo.Repository.MustGetUnit(ctx, unit.TypeActions)
-	cfg := cfgUnit.ActionsConfig()
-	if cfg.IsWorkflowDisabled(run.WorkflowID) {
-		ctx.JSONError(ctx.Locale.Tr("actions.workflow.disabled"))
-		return
-	}
-
-	// reset run's start and stop time when it is done
-	if run.Status.IsDone() {
-		run.PreviousDuration = run.Duration()
-		run.Started = 0
-		run.Stopped = 0
-		if err := actions_service.UpdateRun(ctx, run, "started", "stopped", "previous_duration"); err != nil {
-			ctx.Error(http.StatusInternalServerError, err.Error())
+	var rerunJobs []*actions_model.ActionRunJob
+	if jobIndexStr == "" { // Rerun the entire workflow.
+		rerunJobs, err = actions_service.RerunAllJobs(ctx, run)
+	} else { // Rerun a single job
+		job, _ := getRunJobs(ctx, runIndex, jobIndex)
+		if ctx.Written() {
 			return
 		}
+		rerunJobs, err = actions_service.RerunJob(ctx, job)
 	}
 
-	job, jobs := getRunJobs(ctx, runIndex, jobIndex)
-	if ctx.Written() {
-		return
-	}
-
-	if jobIndexStr == "" { // rerun all jobs
-		var redirectURL string
-		for _, j := range jobs {
-			if !j.CanBeRerun() {
-				ctx.JSONError(ctx.Locale.Tr("actions.workflow.job_rerun_impossible"))
-				return
-			}
-
-			// if the job has needs, it should be set to "blocked" status to wait for other jobs
-			shouldBlock := len(j.Needs) > 0
-			if err := rerunJob(ctx, j, shouldBlock); err != nil {
-				ctx.Error(http.StatusInternalServerError, err.Error())
-				return
-			}
-			if redirectURL == "" {
-				redirectURL, err = j.HTMLURL(ctx)
-				if err != nil {
-					ctx.Error(http.StatusInternalServerError, err.Error())
-					return
-				}
-			}
+	if err != nil {
+		if errors.Is(err, actions_service.ErrRerunWorkflowInvalid) ||
+			errors.Is(err, actions_service.ErrRerunWorkflowStillRunning) {
+			ctx.JSONError(ctx.Locale.Tr("actions.workflow.rerun_impossible"))
+			return
 		}
-
-		if redirectURL != "" {
-			ctx.JSON(http.StatusOK, &redirectObject{Redirect: redirectURL})
-		} else {
-			ctx.Error(http.StatusInternalServerError, "unable to determine redirectURL for job rerun")
+		if errors.Is(err, actions_service.ErrRerunWorkflowDisabled) {
+			ctx.JSONError(ctx.Locale.Tr("actions.workflow.disabled"))
+			return
 		}
-		return
-	}
-
-	rerunJobs := actions_service.GetAllRerunJobs(job, jobs)
-
-	var redirectURL string
-	for _, j := range rerunJobs {
-		if !j.CanBeRerun() {
+		if errors.Is(err, actions_service.ErrRerunJobStillRunning) {
 			ctx.JSONError(ctx.Locale.Tr("actions.workflow.job_rerun_impossible"))
 			return
 		}
-
-		// jobs other than the specified one should be set to "blocked" status
-		shouldBlock := j.JobID != job.JobID
-		if err := rerunJob(ctx, j, shouldBlock); err != nil {
-			ctx.Error(http.StatusInternalServerError, err.Error())
-			return
-		}
-		if j.JobID == job.JobID {
-			redirectURL, err = j.HTMLURL(ctx)
-			if err != nil {
-				ctx.Error(http.StatusInternalServerError, err.Error())
-				return
-			}
-		}
+		ctx.Error(http.StatusInternalServerError, err.Error())
+		return
 	}
 
-	if redirectURL != "" {
-		ctx.JSON(http.StatusOK, &redirectObject{Redirect: redirectURL})
-	} else {
-		ctx.Error(http.StatusInternalServerError, "unable to determine redirectURL for job rerun")
-	}
-}
-
-func rerunJob(ctx *app_context.Context, job *actions_model.ActionRunJob, shouldBlock bool) error {
-	status := job.Status
-	if !status.IsDone() {
-		return nil
+	if len(rerunJobs) == 0 {
+		ctx.Error(http.StatusInternalServerError, "no jobs were rerun")
+		return
 	}
 
-	initialStatus := actions_model.StatusWaiting
-	if shouldBlock {
-		initialStatus = actions_model.StatusBlocked
-	}
-	if err := job.PrepareNextAttempt(initialStatus); err != nil {
-		return err
+	redirectURL, err := rerunJobs[0].HTMLURL(ctx)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, err.Error())
+		return
 	}
 
-	if err := db.WithTx(ctx, func(ctx context.Context) error {
-		_, err := actions_service.UpdateRunJob(ctx, job, builder.Eq{"status": status}, "handle", "attempt", "task_id", "status", "started", "stopped")
-		return err
-	}); err != nil {
-		return err
-	}
-
-	actions_service.CreateCommitStatus(ctx, job)
-	return nil
+	ctx.JSON(http.StatusOK, &redirectObject{Redirect: redirectURL})
 }
 
 func Logs(ctx *app_context.Context) {
diff --git a/routers/web/repo/actions/view_test.go b/routers/web/repo/actions/view_test.go
index 04d32f191b..0b66b7f7b8 100644
--- a/routers/web/repo/actions/view_test.go
+++ b/routers/web/repo/actions/view_test.go
@@ -554,7 +554,7 @@ func TestActionsRerun(t *testing.T) {
 			runIndex:     138575,
 			jobIndex:     1,
 			expectedCode: 400,
-			expectedBody: "{\"errorMessage\":\"actions.workflow.job_rerun_impossible\",\"renderFormat\":\"html\"}\n",
+			expectedBody: "{\"errorMessage\":\"actions.workflow.rerun_impossible\",\"renderFormat\":\"html\"}\n",
 		},
 	}
 	for _, tt := range tests {
diff --git a/services/actions/TestRerun_RerunAllJobs/action_run.yml b/services/actions/TestRerun_RerunAllJobs/action_run.yml
new file mode 100644
index 0000000000..386a62d926
--- /dev/null
+++ b/services/actions/TestRerun_RerunAllJobs/action_run.yml
@@ -0,0 +1,82 @@
+- id: 455620
+  title: Completed workflow
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  workflow_id: test.yaml
+  workflow_directory: .forgejo/workflows
+  index: 110
+  trigger_user_id: 2
+  ref: refs/heads/main
+  commit_sha: 1ca7f0f9-81e7-4e27-85eb-b080c33d32d3
+  event: push
+  event_payload: "{}"
+  status: 1 # success
+  version: 4
+  started: 1776279254
+  stopped: 1776279265
+  previous_duration: 0
+  created: 1776263479
+  updated: 1776279265
+
+- id: 455630
+  title: Running workflow
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  workflow_id: test.yaml
+  workflow_directory: .forgejo/workflows
+  index: 111
+  trigger_user_id: 2
+  ref: refs/heads/main
+  commit_sha: e36900942550acf94ddd8c0a3b91cc0165b4bd02
+  event: push
+  event_payload: "{}"
+  status: 6 # running
+  version: 2
+  started: 1776281360
+  stopped: 0
+  previous_duration: 0
+  created: 1776281359
+  updated: 1776281367
+
+- id: 455640
+  title: Invalid workflow
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  workflow_id: invalid.yaml
+  workflow_directory: .forgejo/workflows
+  index: 112
+  trigger_user_id: 2
+  ref: refs/heads/main
+  commit_sha: 4055b3488bf960c9c9f5c1eb2d84e346faaad7dc
+  event: push
+  event_payload: "{}"
+  status: 2 # failure
+  version: 2
+  started: 0
+  stopped: 0
+  previous_duration: 0
+  created: 1776282729
+  updated: 1776282729
+  pre_execution_error_code: 1
+  pre_execution_error_details:
+    - "yaml: unmarshal errors:\n  line 7: cannot unmarshal !!map into []*model.Step"
+
+- id: 455650
+  title: Workflow with dependent jobs
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  workflow_id: dependent.yaml
+  workflow_directory: .forgejo/workflows
+  index: 113
+  trigger_user_id: 2
+  ref: refs/heads/main
+  commit_sha: ae36c1d75cc82cb9f9e54a86c8137ed05c3bd66e
+  event: push
+  event_payload: "{}"
+  status: 1 # success
+  version: 2
+  started: 1776331635
+  stopped: 1776331721
+  previous_duration: 0
+  created: 1776331495
+  updated: 1776331721
diff --git a/services/actions/TestRerun_RerunAllJobs/action_run_job.yml b/services/actions/TestRerun_RerunAllJobs/action_run_job.yml
new file mode 100644
index 0000000000..c04717ede9
--- /dev/null
+++ b/services/actions/TestRerun_RerunAllJobs/action_run_job.yml
@@ -0,0 +1,227 @@
+# Jobs of completed workflow run.
+- id: 683880
+  run_id: 455620
+  repo_id: 62
+  owner_id: 2
+  commit_sha: e36900942550acf94ddd8c0a3b91cc0165b4bd02
+  name: caller
+  attempt: 1
+  handle: 7ecf26bd-408d-485f-b162-f349f5fe95bc
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      caller:
+        name: caller
+        runs-on: []
+        if: false
+    __metadata:
+      workflow_call_inputs:
+        greet_target: Mona the Octocat
+      workflow_call_id: d4f799b5a5d27e303ab97a546708c2aca6c1672b3bbc5defa0d73b251bca7955
+  job_id: caller
+  needs: ["caller.callee"]
+  runs_on: []
+  task_id: 0
+  status: 1 # success
+  started: 0
+  stopped: 0
+  created: 1776263479
+  updated: 1776279265
+- id: 683881
+  run_id: 455620
+  repo_id: 62
+  owner_id: 2
+  commit_sha: e36900942550acf94ddd8c0a3b91cc0165b4bd02
+  name: callee
+  attempt: 1
+  handle: 24920992-6701-48cc-872d-d017b33ee90e
+  workflow_payload: |
+    "on":
+      workflow_call:
+        inputs:
+          greet_target:
+            default: Mona the Octocat
+            type: string
+    jobs:
+      caller.callee:
+        name: callee
+        runs-on: ubuntu-latest
+        steps:
+          - run: |
+              echo "Hello ${{ inputs.greet_target }}"
+    __metadata:
+      workflow_call_parent: d4f799b5a5d27e303ab97a546708c2aca6c1672b3bbc5defa0d73b251bca7955
+  job_id: caller.callee
+  needs: null
+  runs_on: ["ubuntu-latest"]
+  task_id: 989
+  status: 1 # success
+  started: 1776279254
+  stopped: 1776279264
+  created: 1776263479
+  updated: 1776279264
+
+# Jobs of running workflow run.
+- id: 683890
+  run_id: 455630
+  repo_id: 62
+  owner_id: 2
+  commit_sha: 41569413fe943e3f4e8e9625e14c1e01d85581af
+  name: caller
+  attempt: 1
+  handle: 0185f661-3b6b-4f49-8a56-f6585c9c396e
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      caller:
+        name: caller
+        runs-on: []
+        if: false
+    __metadata:
+      workflow_call_inputs:
+        greet_target: Mona the Octocat
+      workflow_call_id: d4f799b5a5d27e303ab97a546708c2aca6c1672b3bbc5defa0d73b251bca7955
+  job_id: caller
+  needs: ["caller.callee"]
+  runs_on: []
+  task_id: 0
+  status: 7 # blocked
+  started: 0
+  stopped: 0
+  created: 1776281359
+  updated: 1776281359
+- id: 683891
+  run_id: 455630
+  repo_id: 62
+  owner_id: 2
+  commit_sha: 41569413fe943e3f4e8e9625e14c1e01d85581af
+  name: callee
+  attempt: 1
+  handle: 4ee3bdf7-69f6-4174-9ffd-eb4a250188bc
+  workflow_payload: |
+    "on":
+      workflow_call:
+        inputs:
+          greet_target:
+            default: Mona the Octocat
+            type: string
+    jobs:
+      caller.callee:
+        name: callee
+        runs-on: ubuntu-latest
+        steps:
+          - run: |
+              echo "Hello ${{ inputs.greet_target }}"
+    __metadata:
+      workflow_call_parent: d4f799b5a5d27e303ab97a546708c2aca6c1672b3bbc5defa0d73b251bca7955
+  job_id: caller.callee
+  needs: null
+  runs_on: ["ubuntu-latest"]
+  task_id: 989
+  status: 6 # running
+  started: 1776281360
+  stopped: 0
+  created: 1776281359
+  updated: 1776281367
+
+# Jobs of invalid workflow.
+- id: 683900
+  run_id: 455640
+  repo_id: 62
+  owner_id: 2
+  commit_sha: 4055b3488bf960c9c9f5c1eb2d84e346faaad7dc
+  name: test
+  attempt: 1
+  handle: c60533ff-61b3-4f6f-9788-260911cda6ed
+  workflow_payload: ""
+  job_id:
+  needs: []
+  runs_on: []
+  task_id: 0
+  status: 2 # failure
+  started: 0
+  stopped: 0
+  created: 1776282729
+  updated: 1776282729
+
+# Jobs of workflow with dependent jobs.
+- id: 683910
+  run_id: 455650
+  repo_id: 62
+  owner_id: 2
+  commit_sha: ae36c1d75cc82cb9f9e54a86c8137ed05c3bd66e
+  name: lint
+  attempt: 1
+  handle: 0a721b46-36d1-4540-b070-d559cf87515b
+  workflow_payload: |
+    "on":
+        push:
+    jobs:
+        lint:
+            name: lint
+            runs-on: ubuntu-latest
+            steps:
+                - run: echo "Linting"
+  job_id: lint
+  needs: null
+  runs_on: ["ubuntu-latest"]
+  task_id: 0
+  status: 1 # success
+  started: 1776331495
+  stopped: 1776331523
+  created: 1776331495
+  updated: 1776331523
+- id: 683911
+  run_id: 455650
+  repo_id: 62
+  owner_id: 2
+  commit_sha: ae36c1d75cc82cb9f9e54a86c8137ed05c3bd66e
+  name: build
+  attempt: 1
+  handle: eec6b880-b013-4426-9361-8a4ad491ae91
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      build:
+        name: build
+        runs-on: ubuntu-latest
+        steps:
+          - run: echo "Building"
+  job_id: build
+  needs: [lint]
+  runs_on: ["ubuntu-latest"]
+  task_id: 0
+  status: 1 # success
+  started: 1776331693
+  stopped: 1776331721
+  created: 1776331495
+  updated: 1776331721
+- id: 683912
+  run_id: 455650
+  repo_id: 62
+  owner_id: 2
+  commit_sha: ae36c1d75cc82cb9f9e54a86c8137ed05c3bd66e
+  name: test
+  attempt: 1
+  handle: b6398b81-f644-4f4b-9ed9-0c596c090b2f
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      test:
+        name: test
+        runs-on: ubuntu-latest
+        steps:
+          - run: echo "Testing"
+  job_id: test
+  needs: [build]
+  runs_on: ["ubuntu-latest"]
+  task_id: 0
+  status: 1 # success
+  started: 1776331665
+  stopped: 1776331693
+  created: 1776331495
+  updated: 1776331693
diff --git a/services/actions/TestRerun_RerunJob/action_run.yml b/services/actions/TestRerun_RerunJob/action_run.yml
new file mode 100644
index 0000000000..bac9eb9531
--- /dev/null
+++ b/services/actions/TestRerun_RerunJob/action_run.yml
@@ -0,0 +1,82 @@
+- id: 455620
+  title: Completed workflow
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  workflow_id: test.yaml
+  workflow_directory: .forgejo/workflows
+  index: 110
+  trigger_user_id: 2
+  ref: refs/heads/main
+  commit_sha: 1ca7f0f9-81e7-4e27-85eb-b080c33d32d3
+  event: push
+  event_payload: "{}"
+  status: 1 # success
+  version: 4
+  started: 1776279254
+  stopped: 1776279265
+  previous_duration: 0
+  created: 1776263479
+  updated: 1776279265
+
+- id: 455630
+  title: Running workflow
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  workflow_id: test.yaml
+  workflow_directory: .forgejo/workflows
+  index: 111
+  trigger_user_id: 2
+  ref: refs/heads/main
+  commit_sha: e36900942550acf94ddd8c0a3b91cc0165b4bd02
+  event: push
+  event_payload: "{}"
+  status: 6 # running
+  version: 2
+  started: 1776281360
+  stopped: 0
+  previous_duration: 0
+  created: 1776281359
+  updated: 1776281367
+
+- id: 455640
+  title: Invalid workflow
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  workflow_id: invalid.yaml
+  workflow_directory: .forgejo/workflows
+  index: 112
+  trigger_user_id: 2
+  ref: refs/heads/main
+  commit_sha: 4055b3488bf960c9c9f5c1eb2d84e346faaad7dc
+  event: push
+  event_payload: "{}"
+  status: 2 # failure
+  version: 2
+  started: 0
+  stopped: 0
+  previous_duration: 0
+  created: 1776282729
+  updated: 1776282729
+  pre_execution_error_code: 1
+  pre_execution_error_details:
+    - "yaml: unmarshal errors:\n  line 7: cannot unmarshal !!map into []*model.Step"
+
+- id: 455650
+  title: Workflow with dependent jobs
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  workflow_id: dependent.yaml
+  workflow_directory: .forgejo/workflows
+  index: 113
+  trigger_user_id: 2
+  ref: refs/heads/main
+  commit_sha: ae36c1d75cc82cb9f9e54a86c8137ed05c3bd66e
+  event: push
+  event_payload: "{}"
+  status: 6 # running
+  version: 2
+  started: 1776331635
+  stopped: 0
+  previous_duration: 0
+  created: 1776331495
+  updated: 1776331721
diff --git a/services/actions/TestRerun_RerunJob/action_run_job.yml b/services/actions/TestRerun_RerunJob/action_run_job.yml
new file mode 100644
index 0000000000..7e219e6ffe
--- /dev/null
+++ b/services/actions/TestRerun_RerunJob/action_run_job.yml
@@ -0,0 +1,244 @@
+# Jobs of completed workflow run.
+- id: 683880
+  run_id: 455620
+  repo_id: 62
+  owner_id: 2
+  commit_sha: e36900942550acf94ddd8c0a3b91cc0165b4bd02
+  name: caller
+  attempt: 1
+  handle: 7ecf26bd-408d-485f-b162-f349f5fe95bc
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      caller:
+        name: caller
+        runs-on: []
+        if: false
+    __metadata:
+      workflow_call_inputs:
+        greet_target: Mona the Octocat
+      workflow_call_id: d4f799b5a5d27e303ab97a546708c2aca6c1672b3bbc5defa0d73b251bca7955
+  job_id: caller
+  needs: ["caller.callee"]
+  runs_on: []
+  task_id: 0
+  status: 1 # success
+  started: 0
+  stopped: 0
+  created: 1776263479
+  updated: 1776279265
+- id: 683881
+  run_id: 455620
+  repo_id: 62
+  owner_id: 2
+  commit_sha: e36900942550acf94ddd8c0a3b91cc0165b4bd02
+  name: callee
+  attempt: 1
+  handle: 24920992-6701-48cc-872d-d017b33ee90e
+  workflow_payload: |
+    "on":
+      workflow_call:
+        inputs:
+          greet_target:
+            default: Mona the Octocat
+            type: string
+    jobs:
+      caller.callee:
+        name: callee
+        runs-on: ubuntu-latest
+        steps:
+          - run: |
+              echo "Hello ${{ inputs.greet_target }}"
+    __metadata:
+      workflow_call_parent: d4f799b5a5d27e303ab97a546708c2aca6c1672b3bbc5defa0d73b251bca7955
+  job_id: caller.callee
+  needs: null
+  runs_on: ["ubuntu-latest"]
+  task_id: 989
+  status: 1 # success
+  started: 1776279254
+  stopped: 1776279264
+  created: 1776263479
+  updated: 1776279264
+
+# Jobs of running workflow run.
+- id: 683590
+  run_id: 455630
+  repo_id: 62
+  owner_id: 2
+  commit_sha: e36900942550acf94ddd8c0a3b91cc0165b4bd02
+  name: lint
+  attempt: 1
+  handle: d114a733-b364-4c08-b15d-77b6cc21a616
+  workflow_payload: |
+    "on":
+        push:
+    jobs:
+        lint:
+            name: lint
+            runs-on: ubuntu-latest
+            steps:
+                - run: echo "Linting"
+  job_id: lint
+  needs: null
+  runs_on: ["ubuntu-latest"]
+  task_id: 0
+  status: 1 # success
+  started: 1776331495
+  stopped: 1776331523
+  created: 1776331495
+  updated: 1776331523
+- id: 683591
+  run_id: 455630
+  repo_id: 62
+  owner_id: 2
+  commit_sha: e36900942550acf94ddd8c0a3b91cc0165b4bd02
+  name: build
+  attempt: 1
+  handle: afd58a3e-76e9-467a-9a9d-9d6250fcc905
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      build:
+        name: build
+        runs-on: ubuntu-latest
+        steps:
+          - run: echo "Building"
+  job_id: build
+  needs: [lint]
+  runs_on: ["ubuntu-latest"]
+  task_id: 0
+  status: 1 # success
+  started: 1776331693
+  stopped: 1776331721
+  created: 1776331495
+  updated: 1776331721
+- id: 683592
+  run_id: 455630
+  repo_id: 62
+  owner_id: 2
+  commit_sha: e36900942550acf94ddd8c0a3b91cc0165b4bd02
+  name: test
+  attempt: 1
+  handle: 2d9438cb-5067-4aff-9adb-9c1265fb42d5
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      test:
+        name: test
+        runs-on: ubuntu-latest
+        steps:
+          - run: echo "Testing"
+  job_id: test
+  needs: [build]
+  runs_on: ["ubuntu-latest"]
+  task_id: 0
+  status: 6 # StatusRunning
+  started: 1776331665
+  stopped: 0
+  created: 1776331495
+  updated: 1776331693
+
+
+# Jobs of invalid workflow.
+- id: 683900
+  run_id: 455640
+  repo_id: 62
+  owner_id: 2
+  commit_sha: 4055b3488bf960c9c9f5c1eb2d84e346faaad7dc
+  name: test
+  attempt: 1
+  handle: c60533ff-61b3-4f6f-9788-260911cda6ed
+  workflow_payload: ""
+  job_id:
+  needs: []
+  runs_on: []
+  task_id: 0
+  status: 2 # failure
+  started: 0
+  stopped: 0
+  created: 1776282729
+  updated: 1776282729
+
+# Jobs of successful workflow run with dependent jobs.
+- id: 683910
+  run_id: 455650
+  repo_id: 62
+  owner_id: 2
+  commit_sha: ae36c1d75cc82cb9f9e54a86c8137ed05c3bd66e
+  name: lint
+  attempt: 1
+  handle: 0a721b46-36d1-4540-b070-d559cf87515b
+  workflow_payload: |
+    "on":
+        push:
+    jobs:
+        lint:
+            name: lint
+            runs-on: ubuntu-latest
+            steps:
+                - run: echo "Linting"
+  job_id: lint
+  needs: null
+  runs_on: ["ubuntu-latest"]
+  task_id: 0
+  status: 1 # success
+  started: 1776331495
+  stopped: 1776331523
+  created: 1776331495
+  updated: 1776331523
+- id: 683911
+  run_id: 455650
+  repo_id: 62
+  owner_id: 2
+  commit_sha: ae36c1d75cc82cb9f9e54a86c8137ed05c3bd66e
+  name: build
+  attempt: 1
+  handle: eec6b880-b013-4426-9361-8a4ad491ae91
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      build:
+        name: build
+        runs-on: ubuntu-latest
+        steps:
+          - run: echo "Building"
+  job_id: build
+  needs: []
+  runs_on: ["ubuntu-latest"]
+  task_id: 0
+  status: 1 # success
+  started: 1776331693
+  stopped: 1776331721
+  created: 1776331495
+  updated: 1776331721
+- id: 683912
+  run_id: 455650
+  repo_id: 62
+  owner_id: 2
+  commit_sha: ae36c1d75cc82cb9f9e54a86c8137ed05c3bd66e
+  name: test
+  attempt: 1
+  handle: b6398b81-f644-4f4b-9ed9-0c596c090b2f
+  workflow_payload: |
+    "on":
+      push:
+    jobs:
+      test:
+        name: test
+        runs-on: ubuntu-latest
+        steps:
+          - run: echo "Testing"
+  job_id: test
+  needs: [build]
+  runs_on: ["ubuntu-latest"]
+  task_id: 0
+  status: 1 # success
+  started: 1776331665
+  stopped: 1776331693
+  created: 1776331495
+  updated: 1776331693
diff --git a/services/actions/rerun.go b/services/actions/rerun.go
index 61aede5d7c..59838e5f57 100644
--- a/services/actions/rerun.go
+++ b/services/actions/rerun.go
@@ -4,10 +4,30 @@
 package actions
 
 import (
+	"context"
+	"errors"
+	"fmt"
 	"slices"
 
 	actions_model "forgejo.org/models/actions"
+	"forgejo.org/models/db"
+	"forgejo.org/models/unit"
 	"forgejo.org/modules/container"
+
+	"xorm.io/builder"
+)
+
+var (
+	// ErrRerunWorkflowInvalid signals that the workflow cannot be run because it is invalid, for example, due to syntax
+	// errors.
+	ErrRerunWorkflowInvalid = errors.New("workflow is invalid")
+	// ErrRerunWorkflowDisabled indicates that the workflow cannot be run because it has been disabled by the user or
+	// Forgejo.
+	ErrRerunWorkflowDisabled = errors.New("workflow is disabled")
+	// ErrRerunWorkflowStillRunning signals that the workflow cannot be rerun because at least one job is still running.
+	ErrRerunWorkflowStillRunning = errors.New("workflow is still running")
+	// ErrRerunJobStillRunning signals that the job cannot be rerun because it is still running.
+	ErrRerunJobStillRunning = errors.New("job is still running")
 )
 
 // GetAllRerunJobs get all jobs that need to be rerun when job should be rerun
@@ -16,22 +36,154 @@ func GetAllRerunJobs(job *actions_model.ActionRunJob, allJobs []*actions_model.A
 	rerunJobsIDSet := make(container.Set[string])
 	rerunJobsIDSet.Add(job.JobID)
 
-	for {
-		found := false
-		for _, j := range allJobs {
-			if rerunJobsIDSet.Contains(j.JobID) {
-				continue
-			}
-			if slices.ContainsFunc(j.Needs, rerunJobsIDSet.Contains) {
-				found = true
-				rerunJobs = append(rerunJobs, j)
-				rerunJobsIDSet.Add(j.JobID)
-			}
+	for _, j := range allJobs {
+		if rerunJobsIDSet.Contains(j.JobID) {
+			continue
 		}
-		if !found {
-			break
+		if slices.ContainsFunc(j.Needs, rerunJobsIDSet.Contains) {
+			rerunJobs = append(rerunJobs, j)
+			rerunJobsIDSet.Add(j.JobID)
 		}
 	}
 
 	return rerunJobs
 }
+
+// RerunAllJobs reruns all jobs of the given run and returns them. For it to succeed, the workflow must be valid, and the
+// previous run must have completed.
+func RerunAllJobs(ctx context.Context, run *actions_model.ActionRun) ([]*actions_model.ActionRunJob, error) {
+	if !run.IsValid() {
+		return nil, ErrRerunWorkflowInvalid
+	}
+	if !run.Status.IsDone() {
+		return nil, ErrRerunWorkflowStillRunning
+	}
+
+	if err := run.LoadRepo(ctx); err != nil {
+		return nil, fmt.Errorf("cannot load repo of run %d: %w", run.ID, err)
+	}
+
+	actionsConfig := run.Repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
+	if actionsConfig.IsWorkflowDisabled(run.WorkflowID) {
+		return nil, ErrRerunWorkflowDisabled
+	}
+
+	var rerunJobs []*actions_model.ActionRunJob
+	if err := db.WithTx(ctx, func(ctx context.Context) error {
+		if run.Status != actions_model.StatusUnknown && !run.Status.IsDone() {
+			return fmt.Errorf("cannot prepare next attempt because run %d is active: %s", run.ID, run.Status.String())
+		}
+
+		run.PreviousDuration = run.Duration()
+
+		run.Status = actions_model.StatusWaiting
+		run.Started = 0
+		run.Stopped = 0
+
+		// The columns have to be specified here to work around a xorm quirk: It won't update columns that are set to
+		// their zero value without AllCols().
+		if err := UpdateRun(ctx, run, "status", "started", "stopped", "previous_duration"); err != nil {
+			return fmt.Errorf("cannot update run %d: %w", run.ID, err)
+		}
+
+		jobs, err := actions_model.GetRunJobsByRunID(ctx, run.ID)
+		if err != nil {
+			return fmt.Errorf("could not load jobs of run %d: %w", run.ID, err)
+		}
+
+		for _, job := range jobs {
+			initialStatus := actions_model.StatusWaiting
+			if len(job.Needs) > 0 {
+				initialStatus = actions_model.StatusBlocked
+			}
+
+			if err := rerunSingleJob(ctx, job, initialStatus); err != nil {
+				return fmt.Errorf("could not rerun job %d of run %d: %w", job.ID, run.ID, err)
+			}
+
+			rerunJobs = append(rerunJobs, job)
+		}
+
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	return rerunJobs, nil
+}
+
+// RerunJob reruns the given job and all its dependent jobs. It returns all jobs that were rerun. For it to succeed, the
+// workflow that defines this job must be valid, and the previous run must have completed. Dependent jobs that have not
+// completed yet are ignored.
+func RerunJob(ctx context.Context, job *actions_model.ActionRunJob) ([]*actions_model.ActionRunJob, error) {
+	if err := job.LoadAttributes(ctx); err != nil {
+		return nil, fmt.Errorf("cannot load attributes of job %d: %w", job.ID, err)
+	}
+	if !job.Run.IsValid() {
+		return nil, ErrRerunWorkflowInvalid
+	}
+
+	actionsConfig := job.Run.Repo.MustGetUnit(ctx, unit.TypeActions).ActionsConfig()
+	if actionsConfig.IsWorkflowDisabled(job.Run.WorkflowID) {
+		return nil, ErrRerunWorkflowDisabled
+	}
+
+	if !job.Status.IsDone() {
+		return nil, ErrRerunJobStillRunning
+	}
+
+	var rerunJobs []*actions_model.ActionRunJob
+	if err := db.WithTx(ctx, func(ctx context.Context) error {
+		jobs, err := actions_model.GetRunJobsByRunID(ctx, job.RunID)
+		if err != nil {
+			return fmt.Errorf("could not load jobs of run %d: %w", job.RunID, err)
+		}
+
+		for _, jobToRerun := range GetAllRerunJobs(job, jobs) {
+			canBeRerun, err := jobToRerun.CanBeRerun(ctx)
+			if err != nil {
+				return fmt.Errorf("cannot determine whether job %d can be rerun: %w", jobToRerun.ID, err)
+			}
+
+			// Skipping jobs that cannot be rerun is wrong. They should be cancelled and rerun, instead, because they
+			// are dependent jobs and the old results might be worthless, anyway. But we keep that behaviour for now,
+			// because changing it requires more rework.
+			if !canBeRerun {
+				continue
+			}
+
+			// The job that should be rerun cannot be blocked, even if it has needs.
+			initialStatus := actions_model.StatusWaiting
+			if len(jobToRerun.Needs) > 0 && jobToRerun.ID != job.ID {
+				initialStatus = actions_model.StatusBlocked
+			}
+
+			if err := rerunSingleJob(ctx, jobToRerun, initialStatus); err != nil {
+				return fmt.Errorf("cannot rerun job %d: %w", jobToRerun.ID, err)
+			}
+			rerunJobs = append(rerunJobs, jobToRerun)
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	return rerunJobs, nil
+}
+
+func rerunSingleJob(ctx context.Context, job *actions_model.ActionRunJob, initialStatus actions_model.Status) error {
+	oldStatus := job.Status
+
+	if err := job.PrepareNextAttempt(initialStatus); err != nil {
+		return err
+	}
+
+	// The columns have to be specified here to work around a xorm quirk: It won't update columns that are set to their
+	// zero value without AllCols().
+	if _, err := UpdateRunJob(ctx, job, builder.Eq{"status": oldStatus}, "handle", "attempt", "task_id", "status", "started", "stopped"); err != nil {
+		return err
+	}
+
+	CreateCommitStatus(ctx, job)
+
+	return nil
+}
diff --git a/services/actions/rerun_test.go b/services/actions/rerun_test.go
index 4b822e8da1..93a000afd1 100644
--- a/services/actions/rerun_test.go
+++ b/services/actions/rerun_test.go
@@ -5,13 +5,18 @@ package actions
 
 import (
 	"testing"
+	"time"
 
 	actions_model "forgejo.org/models/actions"
+	"forgejo.org/models/unit"
+	"forgejo.org/models/unittest"
+	"forgejo.org/modules/timeutil"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
-func TestGetAllRerunJobs(t *testing.T) {
+func TestRerun_GetAllRerunJobs(t *testing.T) {
 	job1 := &actions_model.ActionRunJob{JobID: "job1"}
 	job2 := &actions_model.ActionRunJob{JobID: "job2", Needs: []string{"job1"}}
 	job3 := &actions_model.ActionRunJob{JobID: "job3", Needs: []string{"job2"}}
@@ -46,3 +51,233 @@ func TestGetAllRerunJobs(t *testing.T) {
 		assert.ElementsMatch(t, tc.rerunJobs, rerunJobs)
 	}
 }
+
+func TestRerun_RerunAllJobs(t *testing.T) {
+	t.Run("Reruns completed workflow", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunAllJobs")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455620})
+
+		rerunJobs, err := RerunAllJobs(t.Context(), run)
+		require.NoError(t, err)
+
+		run = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455620})
+
+		assert.Equal(t, actions_model.StatusWaiting, run.Status)
+		assert.Equal(t, timeutil.TimeStamp(0), run.Started)
+		assert.Equal(t, timeutil.TimeStamp(0), run.Stopped)
+		assert.Equal(t, 11*time.Second, run.PreviousDuration)
+
+		assert.Len(t, rerunJobs, 2)
+		assert.Equal(t, int64(683880), rerunJobs[0].ID)
+		assert.Equal(t, int64(2), rerunJobs[0].Attempt)
+		assert.Equal(t, actions_model.StatusBlocked, rerunJobs[0].Status)
+		assert.Equal(t, timeutil.TimeStamp(0), rerunJobs[0].Started)
+		assert.Equal(t, timeutil.TimeStamp(0), rerunJobs[0].Stopped)
+
+		assert.Equal(t, int64(683881), rerunJobs[1].ID)
+		assert.Equal(t, int64(2), rerunJobs[1].Attempt)
+		assert.Equal(t, actions_model.StatusWaiting, rerunJobs[1].Status)
+		assert.Equal(t, timeutil.TimeStamp(0), rerunJobs[1].Started)
+		assert.Equal(t, timeutil.TimeStamp(0), rerunJobs[1].Stopped)
+	})
+
+	t.Run("Error if workflow running", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunAllJobs")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455630})
+
+		rerunJobs, err := RerunAllJobs(t.Context(), run)
+		require.ErrorContains(t, err, "workflow is still running")
+
+		run = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455630})
+
+		assert.Equal(t, actions_model.StatusRunning, run.Status)
+		assert.Equal(t, timeutil.TimeStamp(1776281360), run.Started)
+		assert.Equal(t, timeutil.TimeStamp(0), run.Stopped)
+		assert.Equal(t, time.Duration(0), run.PreviousDuration)
+
+		assert.Empty(t, rerunJobs)
+	})
+
+	t.Run("Error if workflow invalid", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunAllJobs")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455640})
+
+		rerunJobs, err := RerunAllJobs(t.Context(), run)
+		require.ErrorContains(t, err, "workflow is invalid")
+
+		run = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455640})
+
+		assert.Equal(t, actions_model.StatusFailure, run.Status)
+		assert.Equal(t, timeutil.TimeStamp(0), run.Started)
+		assert.Equal(t, timeutil.TimeStamp(0), run.Stopped)
+		assert.Equal(t, time.Duration(0), run.PreviousDuration)
+
+		assert.Empty(t, rerunJobs)
+	})
+
+	t.Run("Error if workflow disabled", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunAllJobs")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455620})
+
+		// Disable workflow
+		require.NoError(t, run.LoadAttributes(t.Context()))
+		actionsConfig := run.Repo.MustGetUnit(t.Context(), unit.TypeActions).ActionsConfig()
+		actionsConfig.DisableWorkflow(run.WorkflowID)
+
+		rerunJobs, err := RerunAllJobs(t.Context(), run)
+		require.ErrorContains(t, err, "workflow is disabled")
+
+		run = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455620})
+
+		assert.Equal(t, actions_model.StatusSuccess, run.Status)
+		assert.Equal(t, timeutil.TimeStamp(1776279254), run.Started)
+		assert.Equal(t, timeutil.TimeStamp(1776279265), run.Stopped)
+		assert.Equal(t, time.Duration(0), run.PreviousDuration)
+
+		assert.Empty(t, rerunJobs)
+	})
+}
+
+func TestRerun_RerunJob(t *testing.T) {
+	t.Run("Rerun independent job", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunJob")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683910})
+
+		rerunJobs, err := RerunJob(t.Context(), job)
+
+		require.NoError(t, err)
+
+		assert.Len(t, rerunJobs, 1)
+		assert.Equal(t, job.ID, rerunJobs[0].ID)
+
+		job = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683910})
+
+		assert.Equal(t, int64(2), job.Attempt)
+		assert.Equal(t, actions_model.StatusWaiting, job.Status)
+		assert.Equal(t, timeutil.TimeStamp(0), job.Started)
+		assert.Equal(t, timeutil.TimeStamp(0), job.Stopped)
+	})
+
+	t.Run("Rerun job needed by others", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunJob")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683911})
+
+		rerunJobs, err := RerunJob(t.Context(), job)
+
+		require.NoError(t, err)
+
+		assert.Len(t, rerunJobs, 2)
+		assert.Equal(t, int64(683911), rerunJobs[0].ID)
+		assert.Equal(t, int64(683912), rerunJobs[1].ID)
+
+		job = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683911})
+
+		assert.Equal(t, int64(2), job.Attempt)
+		assert.Equal(t, actions_model.StatusWaiting, job.Status)
+		assert.Equal(t, timeutil.TimeStamp(0), job.Started)
+		assert.Equal(t, timeutil.TimeStamp(0), job.Stopped)
+
+		dependentJob := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683912})
+
+		assert.Equal(t, int64(2), dependentJob.Attempt)
+		assert.Equal(t, actions_model.StatusBlocked, dependentJob.Status)
+		assert.Equal(t, timeutil.TimeStamp(0), dependentJob.Started)
+		assert.Equal(t, timeutil.TimeStamp(0), dependentJob.Stopped)
+	})
+
+	t.Run("Rerun job with needs", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunJob")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683912})
+
+		rerunJobs, err := RerunJob(t.Context(), job)
+
+		require.NoError(t, err)
+
+		assert.Len(t, rerunJobs, 1)
+		assert.Equal(t, int64(683912), rerunJobs[0].ID)
+
+		job = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683912})
+
+		assert.Len(t, job.Needs, 1)
+		assert.Equal(t, int64(2), job.Attempt)
+		assert.Equal(t, actions_model.StatusWaiting, job.Status)
+		assert.Equal(t, timeutil.TimeStamp(0), job.Started)
+		assert.Equal(t, timeutil.TimeStamp(0), job.Stopped)
+	})
+
+	t.Run("Error if workflow invalid", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunJob")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683900})
+
+		rerunJobs, err := RerunJob(t.Context(), job)
+
+		require.ErrorContains(t, err, "workflow is invalid")
+		assert.Empty(t, rerunJobs)
+
+		job = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683900})
+
+		assert.Equal(t, int64(1), job.Attempt)
+		assert.Equal(t, actions_model.StatusFailure, job.Status)
+		assert.Equal(t, timeutil.TimeStamp(0), job.Started)
+		assert.Equal(t, timeutil.TimeStamp(0), job.Stopped)
+	})
+
+	t.Run("Error if workflow disabled", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunJob")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683881})
+
+		// Disable workflow
+		require.NoError(t, job.LoadAttributes(t.Context()))
+		actionsConfig := job.Run.Repo.MustGetUnit(t.Context(), unit.TypeActions).ActionsConfig()
+		actionsConfig.DisableWorkflow(job.Run.WorkflowID)
+
+		rerunJobs, err := RerunJob(t.Context(), job)
+
+		require.ErrorContains(t, err, "workflow is disabled")
+		assert.Empty(t, rerunJobs)
+
+		job = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683881})
+
+		assert.Equal(t, int64(1), job.Attempt)
+		assert.Equal(t, actions_model.StatusSuccess, job.Status)
+		assert.Equal(t, timeutil.TimeStamp(1776279254), job.Started)
+		assert.Equal(t, timeutil.TimeStamp(1776279264), job.Stopped)
+	})
+
+	t.Run("Error if job still running", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestRerun_RerunJob")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683592})
+
+		rerunJobs, err := RerunJob(t.Context(), job)
+
+		require.ErrorContains(t, err, "job is still running")
+		assert.Empty(t, rerunJobs)
+
+		job = unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683592})
+
+		assert.Equal(t, int64(1), job.Attempt)
+		assert.Equal(t, actions_model.StatusRunning, job.Status)
+		assert.Equal(t, timeutil.TimeStamp(1776331665), job.Started)
+		assert.Equal(t, timeutil.TimeStamp(0), job.Stopped)
+	})
+}

From 8b4aa4478ffae75e4b6d9f677cd69d2a5f1b17f9 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 20 Apr 2026 02:27:24 +0200
Subject: [PATCH 146/287] Update dependency clippie to v4.1.13 (forgejo)
 (#12192)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12192
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e4c056880b..56e4ce1605 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -43,7 +43,7 @@
         "chart.js": "4.5.1",
         "chartjs-adapter-dayjs-4": "1.0.4",
         "chartjs-plugin-zoom": "2.2.0",
-        "clippie": "4.1.10",
+        "clippie": "4.1.13",
         "css-loader": "7.1.3",
         "dayjs": "1.11.19",
         "dropzone": "6.0.0-beta.2",
@@ -6313,9 +6313,9 @@
       }
     },
     "node_modules/clippie": {
-      "version": "4.1.10",
-      "resolved": "https://registry.npmjs.org/clippie/-/clippie-4.1.10.tgz",
-      "integrity": "sha512-zUjK2fLH8/wju2lks5mH0u8wSRYCOJoHfT1KQ61+aCT5O1ouONnSrnKQ3BTKvIYLUYJarbLZo4FLHyce/SLF2g==",
+      "version": "4.1.13",
+      "resolved": "https://registry.npmjs.org/clippie/-/clippie-4.1.13.tgz",
+      "integrity": "sha512-0ofIc4H35mzuxkojnpUmDzWneL8XrGWuO3RbHbXmDdebzJYp2q8zIhenc85LMedIOoCuzWtFTqkOJETv2QYN7g==",
       "license": "BSD-2-Clause"
     },
     "node_modules/cliui": {
diff --git a/package.json b/package.json
index 0e0050c91c..a3bb47d52d 100644
--- a/package.json
+++ b/package.json
@@ -42,7 +42,7 @@
     "chart.js": "4.5.1",
     "chartjs-adapter-dayjs-4": "1.0.4",
     "chartjs-plugin-zoom": "2.2.0",
-    "clippie": "4.1.10",
+    "clippie": "4.1.13",
     "css-loader": "7.1.3",
     "dayjs": "1.11.19",
     "dropzone": "6.0.0-beta.2",

From c37b4d38b18254119d64c75075b73bd4ef1a5e92 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 20 Apr 2026 02:27:49 +0200
Subject: [PATCH 147/287] Update module github.com/go-webauthn/webauthn to
 v0.16.5 (forgejo) (#12193)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12193
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 3310a438b5..8b27668dfa 100644
--- a/go.mod
+++ b/go.mod
@@ -52,7 +52,7 @@ require (
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/go-openapi/spec v0.22.3
 	github.com/go-sql-driver/mysql v1.9.3
-	github.com/go-webauthn/webauthn v0.16.4
+	github.com/go-webauthn/webauthn v0.16.5
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
@@ -245,7 +245,7 @@ require (
 	github.com/spf13/afero v1.15.0 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/tinylib/msgp v1.6.3 // indirect
+	github.com/tinylib/msgp v1.6.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/assert v1.3.0 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
diff --git a/go.sum b/go.sum
index 19a2fcb917..e4b26aa113 100644
--- a/go.sum
+++ b/go.sum
@@ -324,8 +324,8 @@ github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
 github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-webauthn/webauthn v0.16.4 h1:R9jqR/cYZa7hRquFF7Za/8qoH/K/TIs1/Q/4CyGN+1Q=
-github.com/go-webauthn/webauthn v0.16.4/go.mod h1:SU2ljAgToTV/YLPI0C05QS4qn+e04WpB5g1RMfcZfS4=
+github.com/go-webauthn/webauthn v0.16.5 h1:x+vADHlaiIjta23kGhtwyCIlB5mayKx6SBlpwQ5NF9A=
+github.com/go-webauthn/webauthn v0.16.5/go.mod h1:mQC6L0lZ5Kiu35G70zeB2WnrW4+vbHjR8Koq4HdVaMg=
 github.com/go-webauthn/x v0.2.3 h1:8oArS+Rc1SWFLXhE17KZNx258Z4kUSyaDgsSncCO5RA=
 github.com/go-webauthn/x v0.2.3/go.mod h1:tM04GF3V6VYq79AZMl7vbj4q6pz9r7L2criWRzbWhPk=
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b h1:khEcpUM4yFcxg4/FHQWkvVRmgijNXRfzkIDHh23ggEo=
@@ -654,8 +654,8 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
-github.com/tinylib/msgp v1.6.3 h1:bCSxiTz386UTgyT1i0MSCvdbWjVW+8sG3PjkGsZQt4s=
-github.com/tinylib/msgp v1.6.3/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
+github.com/tinylib/msgp v1.6.4 h1:mOwYbyYDLPj35mkA2BjjYejgJk9BuHxDdvRnb6v2ZcQ=
+github.com/tinylib/msgp v1.6.4/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=

From d49da9d238724b34ee90fef3d369555bcb17106f Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 20 Apr 2026 02:28:47 +0200
Subject: [PATCH 148/287] Lock file maintenance (forgejo) (#12195)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12195
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json                  | 248 +++++++++++++++++------------
 web_src/fomantic/package-lock.json |  24 +--
 2 files changed, 159 insertions(+), 113 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 56e4ce1605..a2adf74362 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1709,29 +1709,43 @@
       }
     },
     "node_modules/@humanfs/core": {
-      "version": "0.19.1",
-      "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz",
-      "integrity": "sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==",
+      "version": "0.19.2",
+      "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.2.tgz",
+      "integrity": "sha512-UhXNm+CFMWcbChXywFwkmhqjs3PRCmcSa/hfBgLIb7oQ5HNb1wS0icWsGtSAUNgefHeI+eBrA8I1fxmbHsGdvA==",
       "dev": true,
       "license": "Apache-2.0",
+      "dependencies": {
+        "@humanfs/types": "^0.15.0"
+      },
       "engines": {
         "node": ">=18.18.0"
       }
     },
     "node_modules/@humanfs/node": {
-      "version": "0.16.7",
-      "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.7.tgz",
-      "integrity": "sha512-/zUx+yOsIrG4Y43Eh2peDeKCxlRt/gET6aHfaKpuq267qXdYDFViVHfMaLyygZOnl0kGWxFIgsBy8QFuTLUXEQ==",
+      "version": "0.16.8",
+      "resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.8.tgz",
+      "integrity": "sha512-gE1eQNZ3R++kTzFUpdGlpmy8kDZD/MLyHqDwqjkVQI0JMdI1D51sy1H958PNXYkM2rAac7e5/CnIKZrHtPh3BQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@humanfs/core": "^0.19.1",
+        "@humanfs/core": "^0.19.2",
+        "@humanfs/types": "^0.15.0",
         "@humanwhocodes/retry": "^0.4.0"
       },
       "engines": {
         "node": ">=18.18.0"
       }
     },
+    "node_modules/@humanfs/types": {
+      "version": "0.15.0",
+      "resolved": "https://registry.npmjs.org/@humanfs/types/-/types-0.15.0.tgz",
+      "integrity": "sha512-ZZ1w0aoQkwuUuC7Yf+7sdeaNfqQiiLcSRbfI08oAxqLtpXQr9AIVX7Ay7HLDuiLYAaFPu8oBYNq/QIi9URHJ3Q==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18.18.0"
+      }
+    },
     "node_modules/@humanwhocodes/module-importer": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz",
@@ -2631,9 +2645,9 @@
       }
     },
     "node_modules/@lezer/lr": {
-      "version": "1.4.8",
-      "resolved": "https://registry.npmjs.org/@lezer/lr/-/lr-1.4.8.tgz",
-      "integrity": "sha512-bPWa0Pgx69ylNlMlPvBPryqeLYQjyJjqPx+Aupm5zydLIF3NE+6MMLT8Yi23Bd9cif9VS00aUebn+6fDIGBcDA==",
+      "version": "1.4.10",
+      "resolved": "https://registry.npmjs.org/@lezer/lr/-/lr-1.4.10.tgz",
+      "integrity": "sha512-rnCpTIBafOx4mRp43xOxDJbFipJm/c0cia/V5TiGlhmMa+wsSdoGmUN3w5Bqrks/09Q/D4tNAmWaT8p6NRi77A==",
       "license": "MIT",
       "dependencies": {
         "@lezer/common": "^1.0.0"
@@ -3181,9 +3195,9 @@
       }
     },
     "node_modules/@rolldown/binding-wasm32-wasi/node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.3.tgz",
-      "integrity": "sha512-xK9sGVbJWYb08+mTJt3/YV24WxvxpXcXtP6B172paPZ+Ts69Re9dAr7lKwJoeIx8OoeuimEiRZ7umkiUVClmmQ==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.4.tgz",
+      "integrity": "sha512-3NQNNgA1YSlJb/kMH1ildASP9HW7/7kYnRI2szWJaofaS1hWmbGI4H+d3+22aGzXXN9IJ+n+GiFVcGipJP18ow==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -3494,9 +3508,9 @@
       }
     },
     "node_modules/@stoplight/spectral-core": {
-      "version": "1.21.0",
-      "resolved": "https://registry.npmjs.org/@stoplight/spectral-core/-/spectral-core-1.21.0.tgz",
-      "integrity": "sha512-oj4e/FrDLUhBRocIW+lRMKlJ/q/rDZw61HkLbTFsdMd+f/FTkli2xHNB1YC6n1mrMKjjvy7XlUuFkC7XxtgbWw==",
+      "version": "1.22.0",
+      "resolved": "https://registry.npmjs.org/@stoplight/spectral-core/-/spectral-core-1.22.0.tgz",
+      "integrity": "sha512-4hTxMDs4TFUG4/jKjaZttA65gNuV2PCKI9+51I+J4nL6ylo17DlbW+sl6byKnBuV/85HxaV33ri5fEGlp8lTSA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3509,17 +3523,17 @@
         "@stoplight/types": "~13.6.0",
         "@types/es-aggregate-error": "^1.0.2",
         "@types/json-schema": "^7.0.11",
-        "ajv": "^8.17.1",
+        "ajv": "^8.18.0",
         "ajv-errors": "~3.0.0",
         "ajv-formats": "~2.1.1",
         "es-aggregate-error": "^1.0.7",
+        "expr-eval-fork": "^3.0.1",
         "jsonpath-plus": "^10.3.0",
-        "lodash": "~4.17.23",
+        "lodash": "^4.18.1",
         "lodash.topath": "^4.5.2",
-        "minimatch": "3.1.2",
+        "minimatch": "^3.1.4",
         "nimma": "0.2.3",
         "pony-cause": "^1.1.1",
-        "simple-eval": "1.0.1",
         "tslib": "^2.8.1"
       },
       "engines": {
@@ -3558,10 +3572,17 @@
         "concat-map": "0.0.1"
       }
     },
+    "node_modules/@stoplight/spectral-core/node_modules/lodash": {
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@stoplight/spectral-core/node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -3588,9 +3609,9 @@
       }
     },
     "node_modules/@stoplight/spectral-formatters": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/@stoplight/spectral-formatters/-/spectral-formatters-1.5.0.tgz",
-      "integrity": "sha512-lR7s41Z00Mf8TdXBBZQ3oi2uR8wqAtR6NO0KA8Ltk4FSpmAy0i6CKUmJG9hZQjanTnGmwpQkT/WP66p1GY3iXA==",
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/@stoplight/spectral-formatters/-/spectral-formatters-1.5.1.tgz",
+      "integrity": "sha512-mGXaiIrPglPokSnbFqbkWN3DoozIbwrZAA6OgqSIl+djeD5+e6PMELg0g6r3ot3ZzntO+6/GXaDnxEQ/p9M/EQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3601,7 +3622,7 @@
         "@types/markdown-escape": "^1.1.3",
         "chalk": "4.1.2",
         "cliui": "7.0.4",
-        "lodash": "^4.17.21",
+        "lodash": "^4.18.1",
         "markdown-escape": "^2.0.0",
         "node-sarif-builder": "^2.0.3",
         "strip-ansi": "6.0",
@@ -3612,10 +3633,17 @@
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
+    "node_modules/@stoplight/spectral-formatters/node_modules/lodash": {
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@stoplight/spectral-functions": {
-      "version": "1.10.1",
-      "resolved": "https://registry.npmjs.org/@stoplight/spectral-functions/-/spectral-functions-1.10.1.tgz",
-      "integrity": "sha512-obu8ZfoHxELOapfGsCJixKZXZcffjg+lSoNuttpmUFuDzVLT3VmH8QkPXfOGOL5Pz80BR35ClNAToDkdnYIURg==",
+      "version": "1.10.2",
+      "resolved": "https://registry.npmjs.org/@stoplight/spectral-functions/-/spectral-functions-1.10.2.tgz",
+      "integrity": "sha512-PIfPUgTRo8EtAnL1MIrzhHoUuojSaE8shGSMaHS3BxGyc8d079BE5+TqJa1/WLUb9YT9JQnZ0Aj4xfi8NcJOIw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3624,17 +3652,24 @@
         "@stoplight/spectral-core": "^1.19.4",
         "@stoplight/spectral-formats": "^1.8.1",
         "@stoplight/spectral-runtime": "^1.1.2",
-        "ajv": "^8.17.1",
+        "ajv": "^8.18.0",
         "ajv-draft-04": "~1.0.0",
         "ajv-errors": "~3.0.0",
         "ajv-formats": "~2.1.1",
-        "lodash": "~4.17.21",
+        "lodash": "^4.18.1",
         "tslib": "^2.8.1"
       },
       "engines": {
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
+    "node_modules/@stoplight/spectral-functions/node_modules/lodash": {
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@stoplight/spectral-parsers": {
       "version": "1.0.5",
       "resolved": "https://registry.npmjs.org/@stoplight/spectral-parsers/-/spectral-parsers-1.0.5.tgz",
@@ -3683,9 +3718,9 @@
       }
     },
     "node_modules/@stoplight/spectral-ruleset-bundler": {
-      "version": "1.6.3",
-      "resolved": "https://registry.npmjs.org/@stoplight/spectral-ruleset-bundler/-/spectral-ruleset-bundler-1.6.3.tgz",
-      "integrity": "sha512-AQFRO6OCKg8SZJUupnr3+OzI1LrMieDTEUHsYgmaRpNiDRPvzImE3bzM1KyQg99q58kTQyZ8kpr7sG8Lp94RRA==",
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/@stoplight/spectral-ruleset-bundler/-/spectral-ruleset-bundler-1.7.0.tgz",
+      "integrity": "sha512-PpIdj5Wje0T7ktxY8EUzBWLU0+mGGQHznT8nlQxTMnRhWLNYsm6HvSZDXLtMi+86yqvTuf7loJy6JvLBDzHGAA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3702,7 +3737,7 @@
         "@stoplight/types": "^13.6.0",
         "@types/node": "*",
         "pony-cause": "1.1.1",
-        "rollup": "~2.79.2",
+        "rollup": "~2.80.0",
         "tslib": "^2.8.1",
         "validate-npm-package-name": "3.0.0"
       },
@@ -3711,9 +3746,9 @@
       }
     },
     "node_modules/@stoplight/spectral-ruleset-migrator": {
-      "version": "1.11.3",
-      "resolved": "https://registry.npmjs.org/@stoplight/spectral-ruleset-migrator/-/spectral-ruleset-migrator-1.11.3.tgz",
-      "integrity": "sha512-+9Y1zFxYmSsneT5FPkgS1IlRQs0VgtdMT77f5xf6vzje9ezyhfs7oXwbZOCSZjEJew8iVZBKQtiOFndcBrdtqg==",
+      "version": "1.12.0",
+      "resolved": "https://registry.npmjs.org/@stoplight/spectral-ruleset-migrator/-/spectral-ruleset-migrator-1.12.0.tgz",
+      "integrity": "sha512-KINmItys8OhdmjudgcIu7siuxQ4hDdbMsTPW/UkXhoiEosiwok1xAyaYLBfckH9zH85TZBkDDbIbsiMoDCIxBw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3725,7 +3760,7 @@
         "@stoplight/types": "^13.6.0",
         "@stoplight/yaml": "~4.2.3",
         "@types/node": "*",
-        "ajv": "^8.17.1",
+        "ajv": "^8.18.0",
         "ast-types": "0.14.2",
         "astring": "^1.9.0",
         "reserved": "0.1.2",
@@ -3760,9 +3795,9 @@
       "license": "Apache-2.0"
     },
     "node_modules/@stoplight/spectral-rulesets": {
-      "version": "1.22.0",
-      "resolved": "https://registry.npmjs.org/@stoplight/spectral-rulesets/-/spectral-rulesets-1.22.0.tgz",
-      "integrity": "sha512-l2EY2jiKKLsvnPfGy+pXC0LeGsbJzcQP5G/AojHgf+cwN//VYxW1Wvv4WKFx/CLmLxc42mJYF2juwWofjWYNIQ==",
+      "version": "1.22.1",
+      "resolved": "https://registry.npmjs.org/@stoplight/spectral-rulesets/-/spectral-rulesets-1.22.1.tgz",
+      "integrity": "sha512-DaaQJioKuYkRsOuKIJfX2ek7G7f6OCU3CI3K7ABaOcTFMiHj29SJLDdb04mCjXZFXMlXHjmCl2ZpKW6heieXpw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3775,21 +3810,28 @@
         "@stoplight/spectral-runtime": "^1.1.2",
         "@stoplight/types": "^13.6.0",
         "@types/json-schema": "^7.0.7",
-        "ajv": "^8.17.1",
+        "ajv": "^8.18.0",
         "ajv-formats": "~2.1.1",
         "json-schema-traverse": "^1.0.0",
         "leven": "3.1.0",
-        "lodash": "~4.17.21",
+        "lodash": "^4.18.1",
         "tslib": "^2.8.1"
       },
       "engines": {
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
+    "node_modules/@stoplight/spectral-rulesets/node_modules/lodash": {
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@stoplight/spectral-runtime": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/@stoplight/spectral-runtime/-/spectral-runtime-1.1.4.tgz",
-      "integrity": "sha512-YHbhX3dqW0do6DhiPSgSGQzr6yQLlWybhKwWx0cqxjMwxej3TqLv3BXMfIUYFKKUqIwH4Q2mV8rrMM8qD2N0rQ==",
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/@stoplight/spectral-runtime/-/spectral-runtime-1.1.5.tgz",
+      "integrity": "sha512-6/HSCQBKnI4M5qonCKos2W7oggXv+U/ml+m/cAd4eJAYfIVEmaLUo03qSWIIl4cBc5ujJPmn2WnCiRrz1++P7Q==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3797,7 +3839,7 @@
         "@stoplight/path": "^1.3.2",
         "@stoplight/types": "^13.6.0",
         "abort-controller": "^3.0.0",
-        "lodash": "^4.17.21",
+        "lodash": "^4.18.1",
         "node-fetch": "^2.7.0",
         "tslib": "^2.8.1"
       },
@@ -3805,6 +3847,13 @@
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
+    "node_modules/@stoplight/spectral-runtime/node_modules/lodash": {
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@stoplight/types": {
       "version": "13.20.0",
       "resolved": "https://registry.npmjs.org/@stoplight/types/-/types-13.20.0.tgz",
@@ -5789,9 +5838,9 @@
       }
     },
     "node_modules/axe-core": {
-      "version": "4.11.2",
-      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.11.2.tgz",
-      "integrity": "sha512-byD6KPdvo72y/wj2T/4zGEvvlis+PsZsn/yPS3pEO+sFpcrqRpX/TJCxvVaEsNeMrfQbCr7w163YqoD9IYwHXw==",
+      "version": "4.11.3",
+      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.11.3.tgz",
+      "integrity": "sha512-zBQouZixDTbo3jMGqHKyePxYxr1e5W8UdTmBQ7sNtaA9M2bE32daxxPLS/jojhKOHxQ7LWwPjfiwf/fhaJWzlg==",
       "dev": true,
       "license": "MPL-2.0",
       "engines": {
@@ -5828,9 +5877,9 @@
       "license": "MIT"
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.18",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.18.tgz",
-      "integrity": "sha512-VSnGQAOLtP5mib/DPyg2/t+Tlv65NTBz83BJBJvmLVHHuKJVaDOBvJJykiT5TR++em5nfAySPccDZDa4oSrn8A==",
+      "version": "2.10.20",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.20.tgz",
+      "integrity": "sha512-1AaXxEPfXT+GvTBJFuy4yXVHWJBXa4OdbIebGN/wX5DlsIkU0+wzGnd2lOzokSk51d5LUmqjgBLRLlypLUqInQ==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -6077,9 +6126,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001787",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001787.tgz",
-      "integrity": "sha512-mNcrMN9KeI68u7muanUpEejSLghOKlVhRqS/Za2IeyGllJ9I9otGpR9g3nsw7n4W378TE/LyIteA0+/FOZm4Kg==",
+      "version": "1.0.30001788",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001788.tgz",
+      "integrity": "sha512-6q8HFp+lOQtcf7wBK+uEenxymVWkGKkjFpCvw5W25cmMwEDU45p1xQFBQv8JDlMMry7eNxyBaR+qxgmTUZkIRQ==",
       "funding": [
         {
           "type": "opencollective",
@@ -7505,9 +7554,9 @@
       }
     },
     "node_modules/dompurify": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.3.tgz",
-      "integrity": "sha512-Oj6pzI2+RqBfFG+qOaOLbFXLQ90ARpcGG6UePL82bJLtdsa6CYJD7nmiU8MW9nQNOtCHV3lZ/Bzq1X0QYbBZCA==",
+      "version": "3.4.0",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.0.tgz",
+      "integrity": "sha512-nolgK9JcaUXMSmW+j1yaSvaEaoXYHwWyGJlkoCTghc97KgGDDSnpoU/PlEnw63Ah+TGKFOyY+X5LnxaWbCSfXg==",
       "license": "(MPL-2.0 OR Apache-2.0)",
       "optionalDependencies": {
         "@types/trusted-types": "^2.0.7"
@@ -7626,9 +7675,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.335",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.335.tgz",
-      "integrity": "sha512-q9n5T4BR4Xwa2cwbrwcsDJtHD/enpQ5S1xF1IAtdqf5AAgqDFmR/aakqH3ChFdqd/QXJhS3rnnXFtexU7rax6Q==",
+      "version": "1.5.340",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.340.tgz",
+      "integrity": "sha512-908qahOGocRMinT2nM3ajCEM99H4iPdv84eagPP3FfZy/1ZGeOy2CZYzjhms81ckOPCXPlW7LkY4XpxD8r1DrA==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -8605,6 +8654,16 @@
         "node": ">=12.0.0"
       }
     },
+    "node_modules/expr-eval-fork": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/expr-eval-fork/-/expr-eval-fork-3.0.3.tgz",
+      "integrity": "sha512-BhC+hbc5lIVjygr840n5DEkW3MQq7H9o+mc1/N7Z5uIiCFVyESLL5DIE7LNq4CYUNxy+XjA+3jRrL/h0Kt2xcg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.9.0"
+      }
+    },
     "node_modules/fast-deep-equal": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -9042,9 +9101,9 @@
       }
     },
     "node_modules/get-tsconfig": {
-      "version": "4.13.7",
-      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz",
-      "integrity": "sha512-7tN6rFgBlMgpBML5j8typ92BKFi2sFQvIdpAqLA2beia5avZDrMs0FLZiM5etShWq5irVyGcGMEA1jcDaK7A/Q==",
+      "version": "4.14.0",
+      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.14.0.tgz",
+      "integrity": "sha512-yTb+8DXzDREzgvYmh6s9vHsSVCHeC0G3PI5bEXNBHtmshPnO+S5O7qgLEOn0I5QvMy6kpZN8K1NKGyilLb93wA==",
       "license": "MIT",
       "dependencies": {
         "resolve-pkg-maps": "^1.0.0"
@@ -9385,9 +9444,9 @@
       }
     },
     "node_modules/hasown": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
-      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
+      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
       "license": "MIT",
       "dependencies": {
         "function-bind": "^1.1.2"
@@ -12101,6 +12160,15 @@
         "node": ">=8.6"
       }
     },
+    "node_modules/mime-db": {
+      "version": "1.54.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
+      "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/mini-css-extract-plugin": {
       "version": "2.10.0",
       "resolved": "https://registry.npmjs.org/mini-css-extract-plugin/-/mini-css-extract-plugin-2.10.0.tgz",
@@ -13773,9 +13841,9 @@
       "license": "MIT"
     },
     "node_modules/rollup": {
-      "version": "2.79.2",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.2.tgz",
-      "integrity": "sha512-fS6iqSPZDs3dr/y7Od6y5nha8dW1YnbgtsyotCVvoFGKbERG++CVRFv1meyGDE1SNItQA8BrnCw7ScdAhRJ3XQ==",
+      "version": "2.80.0",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.80.0.tgz",
+      "integrity": "sha512-cIFJOD1DESzpjOBl763Kp1AH7UE/0fcdHe6rZXUdQ9c50uvgigvW97u3IcSeBwOkgqL/PXPBktBCh0KEu5L8XQ==",
       "dev": true,
       "license": "MIT",
       "bin": {
@@ -14220,19 +14288,6 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
-    "node_modules/simple-eval": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/simple-eval/-/simple-eval-1.0.1.tgz",
-      "integrity": "sha512-LH7FpTAkeD+y5xQC4fzS+tFtaNlvt3Ib1zKzvhjv/Y+cioV4zIuw4IZr2yhRLu67CWL7FR9/6KXKnjRoZTvGGQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "jsep": "^1.3.6"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
     "node_modules/slash": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/slash/-/slash-3.0.0.tgz",
@@ -14462,9 +14517,9 @@
       }
     },
     "node_modules/std-env": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/std-env/-/std-env-4.0.0.tgz",
-      "integrity": "sha512-zUMPtQ/HBY3/50VbpkupYHbRroTRZJPRLvreamgErJVys0ceuzMkD44J/QjqhHjOzK42GQ3QZIeFG1OYfOtKqQ==",
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/std-env/-/std-env-4.1.0.tgz",
+      "integrity": "sha512-Rq7ybcX2RuC55r9oaPVEW7/xu3tj8u4GeBYHBWCychFtzMIr86A7e3PPEBPT37sHStKX3+TiX/Fr/ACmJLVlLQ==",
       "dev": true,
       "license": "MIT"
     },
@@ -14835,9 +14890,9 @@
       }
     },
     "node_modules/stylis": {
-      "version": "4.3.6",
-      "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.3.6.tgz",
-      "integrity": "sha512-yQ3rwFWRfwNUY7H5vpU0wfdkNSnvnJinhF9830Swlaxl03zsOjCfmX0ugac+3LtK0lYSgwL/KXc8oYL3mG4YFQ==",
+      "version": "4.4.0",
+      "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.4.0.tgz",
+      "integrity": "sha512-5Z9ZpRzfuH6l/UAvCPAPUo3665Nk2wLaZU3x+TLHKVzIz33+sbJqbtrYoC3KD4/uVOr2Zp+L0LySezP9OHV9yA==",
       "license": "MIT"
     },
     "node_modules/stylus": {
@@ -16264,15 +16319,6 @@
         "node": ">=4.0"
       }
     },
-    "node_modules/webpack/node_modules/mime-db": {
-      "version": "1.54.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
-      "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
     "node_modules/whatwg-mimetype": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-3.0.0.tgz",
diff --git a/web_src/fomantic/package-lock.json b/web_src/fomantic/package-lock.json
index 18f0eaa586..9d6477ee33 100644
--- a/web_src/fomantic/package-lock.json
+++ b/web_src/fomantic/package-lock.json
@@ -1032,9 +1032,9 @@
       }
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.18",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.18.tgz",
-      "integrity": "sha512-VSnGQAOLtP5mib/DPyg2/t+Tlv65NTBz83BJBJvmLVHHuKJVaDOBvJJykiT5TR++em5nfAySPccDZDa4oSrn8A==",
+      "version": "2.10.20",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.20.tgz",
+      "integrity": "sha512-1AaXxEPfXT+GvTBJFuy4yXVHWJBXa4OdbIebGN/wX5DlsIkU0+wzGnd2lOzokSk51d5LUmqjgBLRLlypLUqInQ==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -1264,9 +1264,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001787",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001787.tgz",
-      "integrity": "sha512-mNcrMN9KeI68u7muanUpEejSLghOKlVhRqS/Za2IeyGllJ9I9otGpR9g3nsw7n4W378TE/LyIteA0+/FOZm4Kg==",
+      "version": "1.0.30001788",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001788.tgz",
+      "integrity": "sha512-6q8HFp+lOQtcf7wBK+uEenxymVWkGKkjFpCvw5W25cmMwEDU45p1xQFBQv8JDlMMry7eNxyBaR+qxgmTUZkIRQ==",
       "funding": [
         {
           "type": "opencollective",
@@ -2020,9 +2020,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.335",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.335.tgz",
-      "integrity": "sha512-q9n5T4BR4Xwa2cwbrwcsDJtHD/enpQ5S1xF1IAtdqf5AAgqDFmR/aakqH3ChFdqd/QXJhS3rnnXFtexU7rax6Q==",
+      "version": "1.5.340",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.340.tgz",
+      "integrity": "sha512-908qahOGocRMinT2nM3ajCEM99H4iPdv84eagPP3FfZy/1ZGeOy2CZYzjhms81ckOPCXPlW7LkY4XpxD8r1DrA==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -4454,9 +4454,9 @@
       }
     },
     "node_modules/hasown": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
-      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
+      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
       "license": "MIT",
       "dependencies": {
         "function-bind": "^1.1.2"

From 469cd0847e5bef42546ea3f3b260d936b39e3d9b Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 20 Apr 2026 03:08:30 +0200
Subject: [PATCH 149/287] Update
 https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.6.0
 (forgejo) (#12156)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12156
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/workflows/build-release.yml   | 4 ++--
 .forgejo/workflows/publish-release.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.forgejo/workflows/build-release.yml b/.forgejo/workflows/build-release.yml
index 5794558a85..ca259f7e7b 100644
--- a/.forgejo/workflows/build-release.yml
+++ b/.forgejo/workflows/build-release.yml
@@ -164,7 +164,7 @@ jobs:
 
       - name: build container & release
         if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.5.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.6.0
         with:
           forgejo: "${{ env.GITHUB_SERVER_URL }}"
           owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@@ -183,7 +183,7 @@ jobs:
 
       - name: build rootless container
         if: ${{ secrets.TOKEN != '' }}
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.5.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.6.0
         with:
           forgejo: "${{ env.GITHUB_SERVER_URL }}"
           owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
diff --git a/.forgejo/workflows/publish-release.yml b/.forgejo/workflows/publish-release.yml
index 312ccfa9db..4695076581 100644
--- a/.forgejo/workflows/publish-release.yml
+++ b/.forgejo/workflows/publish-release.yml
@@ -44,7 +44,7 @@ jobs:
       - uses: https://data.forgejo.org/actions/checkout@v6
 
       - name: copy & sign
-        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.5.1
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.6.0
         with:
           from-forgejo: ${{ vars.FORGEJO }}
           to-forgejo: ${{ vars.FORGEJO }}

From f9b363091116968aacafb46a45d0c42cde7ce381 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 20 Apr 2026 03:37:57 +0200
Subject: [PATCH 150/287] Update renovate Docker tag to v43.132.0 (forgejo)
 (#12194)

Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index bc5c481a15..c744077a56 100644
--- a/Makefile
+++ b/Makefile
@@ -48,7 +48,7 @@ GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasour
 DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.44.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
 GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.111.0 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+RENOVATE_NPM_PACKAGE ?= renovate@43.132.1 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...

From a85c5277091f3e6faad88b3e2134924fa739cee8 Mon Sep 17 00:00:00 2001
From: ShellWen <me@shellwen.com>
Date: Mon, 20 Apr 2026 05:10:54 +0200
Subject: [PATCH 151/287] feat(api): add REST API endpoints for Actions
 artifacts (#12140)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(not applicable — Go-only change)

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

## Summary

Add public REST API endpoints under `/api/v1/` for listing, inspecting, downloading, and deleting Actions artifacts. Previously, artifacts could only be accessed through the web UI or the internal runner API.

### New endpoints

| Method | Path | Description |
|--------|------|-------------|
| `GET` | `/repos/{owner}/{repo}/actions/artifacts` | List all artifacts for a repository |
| `GET` | `/repos/{owner}/{repo}/actions/runs/{run_id}/artifacts` | List artifacts for a workflow run |
| `GET` | `/repos/{owner}/{repo}/actions/artifacts/{artifact_id}` | Get artifact metadata |
| `GET` | `/repos/{owner}/{repo}/actions/artifacts/{artifact_id}/zip` | Download artifact as zip |
| `DELETE` | `/repos/{owner}/{repo}/actions/artifacts/{artifact_id}` | Delete an artifact |

- List endpoints support `page`, `limit`, and `name` query parameters
- Both v1-v3 (multi-file, zip on-the-fly) and v4 (single zip) artifact backends are supported
- Expired artifacts are listed with `expired: true` but cannot be downloaded
- Delete requires write permission; all other endpoints require read permission

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12140
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: ShellWen <me@shellwen.com>
Co-committed-by: ShellWen <me@shellwen.com>
---
 models/actions/artifact.go                    | 113 +++++-
 modules/structs/action.go                     |  23 ++
 routers/api/v1/api.go                         |   7 +
 routers/api/v1/repo/action.go                 | 314 ++++++++++++++++
 routers/api/v1/swagger/repo.go                |  14 +
 routers/web/repo/actions/view.go              |  64 +---
 services/actions/download.go                  |  96 +++++
 services/convert/action.go                    |  16 +
 templates/swagger/v1_json.tmpl                | 341 ++++++++++++++++++
 .../api_repo_action_artifact_test.go          | 285 +++++++++++++++
 10 files changed, 1210 insertions(+), 63 deletions(-)
 create mode 100644 services/actions/download.go
 create mode 100644 tests/integration/api_repo_action_artifact_test.go

diff --git a/models/actions/artifact.go b/models/actions/artifact.go
index 492e3f6cea..25bf58705a 100644
--- a/models/actions/artifact.go
+++ b/models/actions/artifact.go
@@ -9,6 +9,7 @@ package actions
 import (
 	"context"
 	"errors"
+	"fmt"
 	"time"
 
 	"forgejo.org/models/db"
@@ -88,6 +89,13 @@ func CreateArtifact(ctx context.Context, t *ActionTask, artifactName, artifactPa
 	return artifact, nil
 }
 
+// IsV4 reports whether the artifact was uploaded via the v4 backend.
+// The v4 backend stores the whole artifact as a single zip file;
+// v1-v3 stores each file as a separate row.
+func (a *ActionArtifact) IsV4() bool {
+	return a.ArtifactName+".zip" == a.ArtifactPath && a.ContentEncoding == "application/zip"
+}
+
 func getArtifactByNameAndPath(ctx context.Context, runID int64, name, fpath string) (*ActionArtifact, error) {
 	var art ActionArtifact
 	has, err := db.GetEngine(ctx).Where("run_id = ? AND artifact_name = ? AND artifact_path = ?", runID, name, fpath).Get(&art)
@@ -150,11 +158,32 @@ type ActionArtifactMeta struct {
 	Status       ArtifactStatus
 }
 
+// AggregatedArtifact is the aggregated view of a logical artifact
+// (one or more rows sharing the same run_id + artifact_name), used by the
+// public API to represent a single artifact to clients.
+type AggregatedArtifact struct {
+	ID           int64              `xorm:"id"`
+	RunID        int64              `xorm:"run_id"`
+	RepoID       int64              `xorm:"-"`
+	ArtifactName string             `xorm:"artifact_name"`
+	FileSize     int64              `xorm:"file_size"`
+	Status       ArtifactStatus     `xorm:"status"`
+	CreatedUnix  timeutil.TimeStamp `xorm:"created_unix"`
+	UpdatedUnix  timeutil.TimeStamp `xorm:"updated_unix"`
+	ExpiredUnix  timeutil.TimeStamp `xorm:"expired_unix"`
+}
+
+// APIDownloadURL returns the download URL for this artifact under the given
+// repository API URL prefix (e.g. "https://host/api/v1/repos/owner/name").
+func (a *AggregatedArtifact) APIDownloadURL(repoAPIURL string) string {
+	return fmt.Sprintf("%s/actions/artifacts/%d/zip", repoAPIURL, a.ID)
+}
+
 // ListUploadedArtifactsMeta returns all uploaded artifacts meta of a run
 func ListUploadedArtifactsMeta(ctx context.Context, runID int64) ([]*ActionArtifactMeta, error) {
 	arts := make([]*ActionArtifactMeta, 0, 10)
 	return arts, db.GetEngine(ctx).Table("action_artifact").
-		Where("run_id=? AND (status=? OR status=?)", runID, ArtifactStatusUploadConfirmed, ArtifactStatusExpired).
+		Where(builder.Eq{"run_id": runID}.And(builder.In("status", ArtifactStatusUploadConfirmed, ArtifactStatusExpired))).
 		GroupBy("artifact_name").
 		Select("artifact_name, sum(file_size) as file_size, max(status) as status").
 		Find(&arts)
@@ -192,3 +221,85 @@ func SetArtifactDeleted(ctx context.Context, artifactID int64) error {
 	_, err := db.GetEngine(ctx).ID(artifactID).Cols("status").Update(&ActionArtifact{Status: int64(ArtifactStatusDeleted)})
 	return err
 }
+
+// aggregatedArtifactConds returns the common WHERE clause used by aggregated
+// artifact queries: restrict to visible statuses and apply the caller's filters.
+// The Status field on opts is ignored — visibility is fixed to UploadConfirmed/Expired.
+func aggregatedArtifactConds(opts FindArtifactsOptions) builder.Cond {
+	opts.Status = 0
+	return opts.ToConds().And(builder.In("status", ArtifactStatusUploadConfirmed, ArtifactStatusExpired))
+}
+
+const aggregatedArtifactSelect = "min(id) as id, run_id, artifact_name, sum(file_size) as file_size, max(status) as status, min(created_unix) as created_unix, max(updated_unix) as updated_unix, max(expired_unix) as expired_unix"
+
+// ListAggregatedArtifacts returns paginated aggregated artifacts.
+// Each result represents one logical artifact: a (run_id, artifact_name) group,
+// with ID = MIN(id), FileSize = SUM(file_size), Status = MAX(status), and
+// timestamps aggregated accordingly. Status filter in opts is ignored; results
+// are always restricted to UploadConfirmed and Expired statuses.
+func ListAggregatedArtifacts(ctx context.Context, opts FindArtifactsOptions) ([]*AggregatedArtifact, int64, error) {
+	cond := aggregatedArtifactConds(opts)
+
+	var countKeys []struct {
+		ID int64 `xorm:"id"`
+	}
+	if err := db.GetEngine(ctx).Table("action_artifact").
+		Where(cond).
+		GroupBy("run_id, artifact_name").
+		Select("min(id) as id").
+		Find(&countKeys); err != nil {
+		return nil, 0, err
+	}
+	total := int64(len(countKeys))
+
+	sess := db.GetEngine(ctx).Table("action_artifact").
+		Where(cond).
+		GroupBy("run_id, artifact_name").
+		Select(aggregatedArtifactSelect).
+		OrderBy("id DESC")
+
+	capacity := 10
+	if opts.PageSize > 0 {
+		sess = sess.Limit(opts.PageSize, (opts.Page-1)*opts.PageSize)
+		capacity = opts.PageSize
+	}
+
+	arts := make([]*AggregatedArtifact, 0, capacity)
+	return arts, total, sess.Find(&arts)
+}
+
+// GetAggregatedArtifactByID returns the aggregated artifact by its canonical ID
+// (MIN(id) of the group), scoped to the given repository. Returns util.ErrNotExist
+// when the ID does not exist, is not canonical for its group, or does not belong to repoID.
+// The repoID scoping is performed in the query so callers don't need a follow-up check.
+func GetAggregatedArtifactByID(ctx context.Context, repoID, artifactID int64) (*AggregatedArtifact, error) {
+	var art ActionArtifact
+	has, err := db.GetEngine(ctx).Where(builder.Eq{"id": artifactID, "repo_id": repoID}).Get(&art)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, util.ErrNotExist
+	}
+
+	cond := aggregatedArtifactConds(FindArtifactsOptions{
+		RunID:        art.RunID,
+		ArtifactName: art.ArtifactName,
+	})
+
+	meta := new(AggregatedArtifact)
+	has, err = db.GetEngine(ctx).Table("action_artifact").
+		Where(cond).
+		GroupBy("run_id, artifact_name").
+		Select(aggregatedArtifactSelect).
+		Get(meta)
+	if err != nil {
+		return nil, err
+	}
+	if !has || meta.ID != artifactID {
+		return nil, util.ErrNotExist
+	}
+
+	meta.RepoID = art.RepoID
+	return meta, nil
+}
diff --git a/modules/structs/action.go b/modules/structs/action.go
index cb6d76f3e3..1f015a08fb 100644
--- a/modules/structs/action.go
+++ b/modules/structs/action.go
@@ -88,3 +88,26 @@ type ListActionRunResponse struct {
 	Entries    []*ActionRun `json:"workflow_runs"`
 	TotalCount int64        `json:"total_count"`
 }
+
+// ActionArtifact represents an artifact of a workflow run
+// swagger:model
+type ActionArtifact struct {
+	// the artifact's ID
+	ID int64 `json:"id"`
+	// the artifact's name
+	Name string `json:"name"`
+	// the total size of the artifact in bytes
+	SizeInBytes int64 `json:"size_in_bytes"`
+	// the URL to download the artifact zip archive
+	ArchiveDownloadURL string `json:"archive_download_url"`
+	// whether the artifact has expired
+	Expired bool `json:"expired"`
+	// the ID of the workflow run that produced this artifact
+	RunID int64 `json:"run_id"`
+	// swagger:strfmt date-time
+	CreatedAt time.Time `json:"created_at"`
+	// swagger:strfmt date-time
+	UpdatedAt time.Time `json:"updated_at"`
+	// swagger:strfmt date-time
+	ExpiresAt time.Time `json:"expires_at"`
+}
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index efd10b567f..715aa9003b 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1240,10 +1240,17 @@ func Routes() *web.Route {
 				}, reqToken(), reqAdmin())
 				m.Group("/actions", func() {
 					m.Get("/tasks", repo.ListActionTasks)
+					m.Group("/artifacts", func() {
+						m.Get("", repo.ListActionArtifacts)
+						m.Get("/{artifact_id}", repo.GetActionArtifact)
+						m.Delete("/{artifact_id}", reqToken(), reqRepoWriter(unit.TypeActions), repo.DeleteActionArtifact)
+						m.Get("/{artifact_id}/zip", repo.DownloadActionArtifact)
+					})
 					m.Group("/runs", func() {
 						m.Get("", repo.ListActionRuns)
 						m.Get("/{run_id}", repo.GetActionRun)
 						m.Get("/{run_id}/jobs", repo.ListActionRunJobs)
+						m.Get("/{run_id}/artifacts", repo.ListActionRunArtifacts)
 					})
 
 					m.Group("/workflows", func() {
diff --git a/routers/api/v1/repo/action.go b/routers/api/v1/repo/action.go
index ba430d2e64..63d9e830b7 100644
--- a/routers/api/v1/repo/action.go
+++ b/routers/api/v1/repo/action.go
@@ -1096,3 +1096,317 @@ func ListActionRunJobs(ctx *context.APIContext) {
 
 	ctx.JSON(http.StatusOK, response)
 }
+
+// ListActionArtifacts list artifacts for a repository
+func ListActionArtifacts(ctx *context.APIContext) {
+	// swagger:operation GET /repos/{owner}/{repo}/actions/artifacts repository ListActionArtifacts
+	// ---
+	// summary: List a repository's artifacts
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: name
+	//   in: query
+	//   description: filter by artifact name
+	//   type: string
+	// - name: page
+	//   in: query
+	//   description: page number of results to return (1-based)
+	//   type: integer
+	// - name: limit
+	//   in: query
+	//   description: page size of results, default maximum page size is 50
+	//   type: integer
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/ActionArtifactList"
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+
+	opts := actions_model.FindArtifactsOptions{
+		ListOptions:  utils.GetListOptions(ctx),
+		RepoID:       ctx.Repo.Repository.ID,
+		ArtifactName: ctx.FormString("name"),
+	}
+
+	arts, total, err := actions_model.ListAggregatedArtifacts(ctx, opts)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "ListAggregatedArtifacts", err)
+		return
+	}
+
+	repoAPIURL := ctx.Repo.Repository.APIURL()
+
+	entries := make([]*api.ActionArtifact, len(arts))
+	for i, art := range arts {
+		entries[i] = convert.ToActionArtifact(repoAPIURL, art)
+	}
+
+	ctx.SetLinkHeader(int(total), opts.PageSize)
+	ctx.SetTotalCountHeader(total)
+	ctx.JSON(http.StatusOK, entries)
+}
+
+// ListActionRunArtifacts list artifacts for a workflow run
+func ListActionRunArtifacts(ctx *context.APIContext) {
+	// swagger:operation GET /repos/{owner}/{repo}/actions/runs/{run_id}/artifacts repository ListActionRunArtifacts
+	// ---
+	// summary: List artifacts of a workflow run
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: run_id
+	//   in: path
+	//   description: ID of the workflow run
+	//   type: integer
+	//   format: int64
+	//   required: true
+	// - name: name
+	//   in: query
+	//   description: filter by artifact name
+	//   type: string
+	// - name: page
+	//   in: query
+	//   description: page number of results to return (1-based)
+	//   type: integer
+	// - name: limit
+	//   in: query
+	//   description: page size of results, default maximum page size is 50
+	//   type: integer
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/ActionArtifactList"
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	runID := ctx.ParamsInt64(":run_id")
+	run, err := actions_model.GetRunByID(ctx, runID)
+	if err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			ctx.Error(http.StatusNotFound, "GetRunByID", err)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "GetRunByID", err)
+		}
+		return
+	}
+	if ctx.Repo.Repository.ID != run.RepoID {
+		ctx.Error(http.StatusNotFound, "GetRunByID", util.ErrNotExist)
+		return
+	}
+
+	opts := actions_model.FindArtifactsOptions{
+		ListOptions:  utils.GetListOptions(ctx),
+		RunID:        runID,
+		ArtifactName: ctx.FormString("name"),
+	}
+
+	arts, total, err := actions_model.ListAggregatedArtifacts(ctx, opts)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "ListAggregatedArtifacts", err)
+		return
+	}
+
+	repoAPIURL := ctx.Repo.Repository.APIURL()
+
+	entries := make([]*api.ActionArtifact, len(arts))
+	for i, art := range arts {
+		entries[i] = convert.ToActionArtifact(repoAPIURL, art)
+	}
+
+	ctx.SetLinkHeader(int(total), opts.PageSize)
+	ctx.SetTotalCountHeader(total)
+	ctx.JSON(http.StatusOK, entries)
+}
+
+// GetActionArtifact get an artifact by its ID
+func GetActionArtifact(ctx *context.APIContext) {
+	// swagger:operation GET /repos/{owner}/{repo}/actions/artifacts/{artifact_id} repository GetActionArtifact
+	// ---
+	// summary: Get an artifact by ID
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: artifact_id
+	//   in: path
+	//   description: ID of the artifact
+	//   type: integer
+	//   format: int64
+	//   required: true
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/ActionArtifact"
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	meta, err := actions_model.GetAggregatedArtifactByID(ctx, ctx.Repo.Repository.ID, ctx.ParamsInt64(":artifact_id"))
+	if err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			ctx.Error(http.StatusNotFound, "GetAggregatedArtifactByID", err)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "GetAggregatedArtifactByID", err)
+		}
+		return
+	}
+
+	ctx.JSON(http.StatusOK, convert.ToActionArtifact(ctx.Repo.Repository.APIURL(), meta))
+}
+
+// DownloadActionArtifact download an artifact by its ID
+func DownloadActionArtifact(ctx *context.APIContext) {
+	// swagger:operation GET /repos/{owner}/{repo}/actions/artifacts/{artifact_id}/zip repository DownloadActionArtifact
+	// ---
+	// summary: Download an artifact
+	// produces:
+	// - application/zip
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: artifact_id
+	//   in: path
+	//   description: ID of the artifact
+	//   type: integer
+	//   format: int64
+	//   required: true
+	// responses:
+	//   "200":
+	//     description: the artifact archive
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	meta, err := actions_model.GetAggregatedArtifactByID(ctx, ctx.Repo.Repository.ID, ctx.ParamsInt64(":artifact_id"))
+	if err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			ctx.Error(http.StatusNotFound, "GetAggregatedArtifactByID", err)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "GetAggregatedArtifactByID", err)
+		}
+		return
+	}
+
+	// Load all artifact rows for this logical artifact
+	artifacts, err := db.Find[actions_model.ActionArtifact](ctx, actions_model.FindArtifactsOptions{
+		RunID:        meta.RunID,
+		ArtifactName: meta.ArtifactName,
+	})
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "FindArtifacts", err)
+		return
+	}
+
+	for _, art := range artifacts {
+		if art.Status != int64(actions_model.ArtifactStatusUploadConfirmed) {
+			ctx.Error(http.StatusNotFound, "DownloadActionArtifact", errors.New("artifact not confirmed"))
+			return
+		}
+	}
+
+	if err := actions_service.ServeArtifact(ctx.Base, artifacts); err != nil {
+		ctx.Error(http.StatusInternalServerError, "ServeArtifact", err)
+		return
+	}
+}
+
+// DeleteActionArtifact marks an artifact for deletion
+func DeleteActionArtifact(ctx *context.APIContext) {
+	// swagger:operation DELETE /repos/{owner}/{repo}/actions/artifacts/{artifact_id} repository DeleteActionArtifact
+	// ---
+	// summary: Mark an artifact for deletion
+	// description: |
+	//   Marks the artifact for deletion. Storage space will be reclaimed
+	//   asynchronously by a background job.
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: artifact_id
+	//   in: path
+	//   description: ID of the artifact
+	//   type: integer
+	//   format: int64
+	//   required: true
+	// responses:
+	//   "204":
+	//     description: artifact marked for deletion
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	meta, err := actions_model.GetAggregatedArtifactByID(ctx, ctx.Repo.Repository.ID, ctx.ParamsInt64(":artifact_id"))
+	if err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			ctx.Error(http.StatusNotFound, "GetAggregatedArtifactByID", err)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "GetAggregatedArtifactByID", err)
+		}
+		return
+	}
+
+	if err := actions_model.SetArtifactNeedDelete(ctx, meta.RunID, meta.ArtifactName); err != nil {
+		ctx.Error(http.StatusInternalServerError, "SetArtifactNeedDelete", err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
diff --git a/routers/api/v1/swagger/repo.go b/routers/api/v1/swagger/repo.go
index 5ad16b21ae..f93f523d8e 100644
--- a/routers/api/v1/swagger/repo.go
+++ b/routers/api/v1/swagger/repo.go
@@ -533,3 +533,17 @@ type swaggerActionRunJobList struct {
 	// in:body
 	Body []api.ActionRunJob `json:"body"`
 }
+
+// ActionArtifactList
+// swagger:response ActionArtifactList
+type swaggerActionArtifactList struct {
+	// in:body
+	Body []api.ActionArtifact `json:"body"`
+}
+
+// ActionArtifact
+// swagger:response ActionArtifact
+type swaggerActionArtifact struct {
+	// in:body
+	Body api.ActionArtifact `json:"body"`
+}
diff --git a/routers/web/repo/actions/view.go b/routers/web/repo/actions/view.go
index b1b7b5f2df..31b757d2b3 100644
--- a/routers/web/repo/actions/view.go
+++ b/routers/web/repo/actions/view.go
@@ -5,13 +5,10 @@
 package actions
 
 import (
-	"archive/zip"
-	"compress/gzip"
 	"context"
 	"errors"
 	"fmt"
 	"html/template"
-	"io"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -28,14 +25,11 @@ import (
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/log"
-	"forgejo.org/modules/setting"
-	"forgejo.org/modules/storage"
 	"forgejo.org/modules/templates"
 	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/translation"
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web"
-	"forgejo.org/routers/common"
 	actions_service "forgejo.org/services/actions"
 	app_context "forgejo.org/services/context"
 
@@ -818,7 +812,6 @@ func ArtifactsDownloadView(ctx *app_context.Context) {
 		return
 	}
 
-	// if artifacts status is not uploaded-confirmed, treat it as not found
 	for _, art := range artifacts {
 		if art.Status != int64(actions_model.ArtifactStatusUploadConfirmed) {
 			ctx.Error(http.StatusNotFound, "artifact not found")
@@ -826,63 +819,10 @@ func ArtifactsDownloadView(ctx *app_context.Context) {
 		}
 	}
 
-	// Artifacts using the v4 backend are stored as a single combined zip file per artifact on the backend
-	// The v4 backend ensures ContentEncoding is set to "application/zip", which is not the case for the old backend
-	if len(artifacts) == 1 && artifacts[0].ArtifactName+".zip" == artifacts[0].ArtifactPath && artifacts[0].ContentEncoding == "application/zip" {
-		art := artifacts[0]
-		if setting.Actions.ArtifactStorage.MinioConfig.ServeDirect {
-			u, err := storage.ActionsArtifacts.URL(art.StoragePath, art.ArtifactPath, nil)
-
-			if u != nil && err == nil {
-				ctx.Redirect(u.String())
-				return
-			}
-		}
-		f, err := storage.ActionsArtifacts.Open(art.StoragePath)
-		if err != nil {
-			ctx.Error(http.StatusInternalServerError, err.Error())
-			return
-		}
-		common.ServeContentByReadSeeker(ctx.Base, artifacts[0].ArtifactName+".zip", util.ToPointer(art.UpdatedUnix.AsTime()), f)
+	if err := actions_service.ServeArtifact(ctx.Base, artifacts); err != nil {
+		ctx.Error(http.StatusInternalServerError, err.Error())
 		return
 	}
-
-	// Artifacts using the v1-v3 backend are stored as multiple individual files per artifact on the backend
-	// Those need to be zipped for download
-	artifactName := artifacts[0].ArtifactName
-
-	ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.zip; filename*=UTF-8''%s.zip", url.PathEscape(artifactName), artifactName))
-	writer := zip.NewWriter(ctx.Resp)
-	defer writer.Close()
-	for _, art := range artifacts {
-		f, err := storage.ActionsArtifacts.Open(art.StoragePath)
-		if err != nil {
-			ctx.Error(http.StatusInternalServerError, err.Error())
-			return
-		}
-
-		var r io.ReadCloser
-		if art.ContentEncoding == "gzip" {
-			r, err = gzip.NewReader(f)
-			if err != nil {
-				ctx.Error(http.StatusInternalServerError, err.Error())
-				return
-			}
-		} else {
-			r = f
-		}
-		defer r.Close()
-
-		w, err := writer.Create(art.ArtifactPath)
-		if err != nil {
-			ctx.Error(http.StatusInternalServerError, err.Error())
-			return
-		}
-		if _, err := io.Copy(w, r); err != nil {
-			ctx.Error(http.StatusInternalServerError, err.Error())
-			return
-		}
-	}
 }
 
 func DisableWorkflowFile(ctx *app_context.Context) {
diff --git a/services/actions/download.go b/services/actions/download.go
new file mode 100644
index 0000000000..04aa1ca289
--- /dev/null
+++ b/services/actions/download.go
@@ -0,0 +1,96 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package actions
+
+import (
+	"archive/zip"
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"net/url"
+
+	actions_model "forgejo.org/models/actions"
+	"forgejo.org/modules/httplib"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/storage"
+	"forgejo.org/modules/util"
+	"forgejo.org/services/context"
+)
+
+// ServeArtifact writes an artifact archive to the response. The given rows
+// must all belong to the same logical artifact (same run_id + artifact_name)
+// and be in ArtifactStatusUploadConfirmed; callers are responsible for
+// validating status and repository ownership beforehand.
+//
+// When the artifact was produced by the v4 backend (a single zip already
+// sitting in storage), it is streamed or redirected to directly. Otherwise
+// (v1-v3 backend) the archive is assembled on the fly from the individual
+// file rows, applying gzip decompression where needed.
+func ServeArtifact(base *context.Base, artifacts []*actions_model.ActionArtifact) error {
+	if len(artifacts) == 0 {
+		return errors.New("no artifacts to serve")
+	}
+
+	if len(artifacts) == 1 && artifacts[0].IsV4() {
+		return serveV4Artifact(base, artifacts[0])
+	}
+	return serveLegacyArtifact(base, artifacts)
+}
+
+func serveV4Artifact(base *context.Base, art *actions_model.ActionArtifact) error {
+	if setting.Actions.ArtifactStorage.MinioConfig.ServeDirect {
+		u, err := storage.ActionsArtifacts.URL(art.StoragePath, art.ArtifactPath, nil)
+		if u != nil && err == nil {
+			base.Redirect(u.String())
+			return nil
+		}
+	}
+	f, err := storage.ActionsArtifacts.Open(art.StoragePath)
+	if err != nil {
+		return err
+	}
+	httplib.ServeContentByReadSeeker(base.Req, base.Resp, art.ArtifactName+".zip", util.ToPointer(art.UpdatedUnix.AsTime()), f)
+	return nil
+}
+
+func serveLegacyArtifact(base *context.Base, artifacts []*actions_model.ActionArtifact) error {
+	name := artifacts[0].ArtifactName
+	base.Resp.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.zip; filename*=UTF-8''%s.zip", url.PathEscape(name), name))
+
+	writer := zip.NewWriter(base.Resp)
+	defer writer.Close()
+
+	for _, art := range artifacts {
+		if err := writeArtifactFile(writer, art); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func writeArtifactFile(writer *zip.Writer, art *actions_model.ActionArtifact) error {
+	f, err := storage.ActionsArtifacts.Open(art.StoragePath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	var r io.Reader = f
+	if art.ContentEncoding == "gzip" {
+		gz, err := gzip.NewReader(f)
+		if err != nil {
+			return err
+		}
+		defer gz.Close()
+		r = gz
+	}
+
+	w, err := writer.Create(art.ArtifactPath)
+	if err != nil {
+		return err
+	}
+	_, err = io.Copy(w, r)
+	return err
+}
diff --git a/services/convert/action.go b/services/convert/action.go
index 204139e3aa..dd21b9fb87 100644
--- a/services/convert/action.go
+++ b/services/convert/action.go
@@ -48,6 +48,22 @@ func ToActionRun(ctx context.Context, run *actions_model.ActionRun, doer *user_m
 	}
 }
 
+// ToActionArtifact converts an AggregatedArtifact to an API ActionArtifact.
+// repoAPIURL is the API URL prefix for the repository (e.g. from Repository.APIURL()).
+func ToActionArtifact(repoAPIURL string, art *actions_model.AggregatedArtifact) *api.ActionArtifact {
+	return &api.ActionArtifact{
+		ID:                 art.ID,
+		Name:               art.ArtifactName,
+		SizeInBytes:        art.FileSize,
+		ArchiveDownloadURL: art.APIDownloadURL(repoAPIURL),
+		Expired:            art.Status == actions_model.ArtifactStatusExpired,
+		RunID:              art.RunID,
+		CreatedAt:          art.CreatedUnix.AsTime(),
+		UpdatedAt:          art.UpdatedUnix.AsTime(),
+		ExpiresAt:          art.ExpiredUnix.AsTime(),
+	}
+}
+
 func ToActionRunJob(job *actions_model.ActionRunJob) *api.ActionRunJob {
 	if job == nil {
 		return nil
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 3401d42641..e74f0039a6 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -5460,6 +5460,209 @@
         }
       }
     },
+    "/repos/{owner}/{repo}/actions/artifacts": {
+      "get": {
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "repository"
+        ],
+        "summary": "List a repository's artifacts",
+        "operationId": "ListActionArtifacts",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repo",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "filter by artifact name",
+            "name": "name",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "description": "page number of results to return (1-based)",
+            "name": "page",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "description": "page size of results, default maximum page size is 50",
+            "name": "limit",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "$ref": "#/responses/ActionArtifactList"
+          },
+          "400": {
+            "$ref": "#/responses/error"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          }
+        }
+      }
+    },
+    "/repos/{owner}/{repo}/actions/artifacts/{artifact_id}": {
+      "get": {
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "repository"
+        ],
+        "summary": "Get an artifact by ID",
+        "operationId": "GetActionArtifact",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repo",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "integer",
+            "format": "int64",
+            "description": "ID of the artifact",
+            "name": "artifact_id",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "$ref": "#/responses/ActionArtifact"
+          },
+          "400": {
+            "$ref": "#/responses/error"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          }
+        }
+      },
+      "delete": {
+        "description": "Marks the artifact for deletion. Storage space will be reclaimed\nasynchronously by a background job.\n",
+        "tags": [
+          "repository"
+        ],
+        "summary": "Mark an artifact for deletion",
+        "operationId": "DeleteActionArtifact",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repo",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "integer",
+            "format": "int64",
+            "description": "ID of the artifact",
+            "name": "artifact_id",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "artifact marked for deletion"
+          },
+          "400": {
+            "$ref": "#/responses/error"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          }
+        }
+      }
+    },
+    "/repos/{owner}/{repo}/actions/artifacts/{artifact_id}/zip": {
+      "get": {
+        "produces": [
+          "application/zip"
+        ],
+        "tags": [
+          "repository"
+        ],
+        "summary": "Download an artifact",
+        "operationId": "DownloadActionArtifact",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repo",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "integer",
+            "format": "int64",
+            "description": "ID of the artifact",
+            "name": "artifact_id",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "the artifact archive"
+          },
+          "400": {
+            "$ref": "#/responses/error"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          }
+        }
+      }
+    },
     "/repos/{owner}/{repo}/actions/runners": {
       "get": {
         "produces": [
@@ -5888,6 +6091,74 @@
         }
       }
     },
+    "/repos/{owner}/{repo}/actions/runs/{run_id}/artifacts": {
+      "get": {
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "repository"
+        ],
+        "summary": "List artifacts of a workflow run",
+        "operationId": "ListActionRunArtifacts",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repo",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "integer",
+            "format": "int64",
+            "description": "ID of the workflow run",
+            "name": "run_id",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "filter by artifact name",
+            "name": "name",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "description": "page number of results to return (1-based)",
+            "name": "page",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "description": "page size of results, default maximum page size is 50",
+            "name": "limit",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "$ref": "#/responses/ActionArtifactList"
+          },
+          "400": {
+            "$ref": "#/responses/error"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          }
+        }
+      }
+    },
     "/repos/{owner}/{repo}/actions/runs/{run_id}/jobs": {
       "get": {
         "produces": [
@@ -22378,6 +22649,61 @@
       },
       "x-go-package": "forgejo.org/modules/structs"
     },
+    "ActionArtifact": {
+      "description": "ActionArtifact represents an artifact of a workflow run",
+      "type": "object",
+      "properties": {
+        "archive_download_url": {
+          "description": "the URL to download the artifact zip archive",
+          "type": "string",
+          "x-go-name": "ArchiveDownloadURL"
+        },
+        "created_at": {
+          "type": "string",
+          "format": "date-time",
+          "x-go-name": "CreatedAt"
+        },
+        "expired": {
+          "description": "whether the artifact has expired",
+          "type": "boolean",
+          "x-go-name": "Expired"
+        },
+        "expires_at": {
+          "type": "string",
+          "format": "date-time",
+          "x-go-name": "ExpiresAt"
+        },
+        "id": {
+          "description": "the artifact's ID",
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "ID"
+        },
+        "name": {
+          "description": "the artifact's name",
+          "type": "string",
+          "x-go-name": "Name"
+        },
+        "run_id": {
+          "description": "the ID of the workflow run that produced this artifact",
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "RunID"
+        },
+        "size_in_bytes": {
+          "description": "the total size of the artifact in bytes",
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "SizeInBytes"
+        },
+        "updated_at": {
+          "type": "string",
+          "format": "date-time",
+          "x-go-name": "UpdatedAt"
+        }
+      },
+      "x-go-package": "forgejo.org/modules/structs"
+    },
     "ActionRun": {
       "description": "ActionRun represents an action run",
       "type": "object",
@@ -30431,6 +30757,21 @@
         }
       }
     },
+    "ActionArtifact": {
+      "description": "ActionArtifact",
+      "schema": {
+        "$ref": "#/definitions/ActionArtifact"
+      }
+    },
+    "ActionArtifactList": {
+      "description": "ActionArtifactList",
+      "schema": {
+        "type": "array",
+        "items": {
+          "$ref": "#/definitions/ActionArtifact"
+        }
+      }
+    },
     "ActionRun": {
       "description": "ActionRun",
       "schema": {
diff --git a/tests/integration/api_repo_action_artifact_test.go b/tests/integration/api_repo_action_artifact_test.go
new file mode 100644
index 0000000000..f6486557cf
--- /dev/null
+++ b/tests/integration/api_repo_action_artifact_test.go
@@ -0,0 +1,285 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	auth_model "forgejo.org/models/auth"
+	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	api "forgejo.org/modules/structs"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAPIListActionArtifacts(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	token := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeReadRepository)
+
+	t.Run("ListRepoArtifacts", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+
+		res := MakeRequest(t, req, http.StatusOK)
+		var entries []*api.ActionArtifact
+		DecodeJSON(t, res, &entries)
+
+		// Fixture has 2 logical artifacts with confirmed status:
+		// "multi-file-download" (run 791, ids 19+20) and "artifact-v4-download" (run 792, id 22)
+		assert.Equal(t, "2", res.Header().Get("X-Total-Count"))
+		require.Len(t, entries, 2)
+
+		names := make([]string, len(entries))
+		for i, a := range entries {
+			names[i] = a.Name
+			assert.False(t, a.Expired)
+			assert.NotZero(t, a.SizeInBytes)
+			assert.Contains(t, a.ArchiveDownloadURL, "/actions/artifacts/")
+			assert.Contains(t, a.ArchiveDownloadURL, "/zip")
+		}
+		assert.ElementsMatch(t, []string{"multi-file-download", "artifact-v4-download"}, names)
+	})
+
+	t.Run("ListRepoArtifactsWithNameFilter", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts?name=multi-file-download", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+
+		res := MakeRequest(t, req, http.StatusOK)
+		var entries []*api.ActionArtifact
+		DecodeJSON(t, res, &entries)
+
+		assert.Equal(t, "1", res.Header().Get("X-Total-Count"))
+		require.Len(t, entries, 1)
+		assert.Equal(t, "multi-file-download", entries[0].Name)
+		// multi-file-download has 2 rows of 1024 bytes each
+		assert.Equal(t, int64(2048), entries[0].SizeInBytes)
+	})
+
+	t.Run("ListRunArtifacts", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/runs/791/artifacts", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+
+		res := MakeRequest(t, req, http.StatusOK)
+		var entries []*api.ActionArtifact
+		DecodeJSON(t, res, &entries)
+
+		// run 791 has only "multi-file-download" (id=1 is pending, not listed)
+		assert.Equal(t, "1", res.Header().Get("X-Total-Count"))
+		require.Len(t, entries, 1)
+		assert.Equal(t, "multi-file-download", entries[0].Name)
+	})
+
+	t.Run("ListRunArtifactsNotFound", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/runs/99999/artifacts", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+}
+
+func TestAPIGetActionArtifact(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	token := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeReadRepository)
+
+	t.Run("GetV1V3Artifact", func(t *testing.T) {
+		// id=19 is the MIN(id) for "multi-file-download" group
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/19", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+
+		res := MakeRequest(t, req, http.StatusOK)
+		var art api.ActionArtifact
+		DecodeJSON(t, res, &art)
+
+		assert.Equal(t, int64(19), art.ID)
+		assert.Equal(t, "multi-file-download", art.Name)
+		assert.Equal(t, int64(2048), art.SizeInBytes)
+		assert.Equal(t, int64(791), art.RunID)
+		assert.False(t, art.Expired)
+	})
+
+	t.Run("GetV4Artifact", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/22", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+
+		res := MakeRequest(t, req, http.StatusOK)
+		var art api.ActionArtifact
+		DecodeJSON(t, res, &art)
+
+		assert.Equal(t, int64(22), art.ID)
+		assert.Equal(t, "artifact-v4-download", art.Name)
+		assert.Equal(t, int64(1024), art.SizeInBytes)
+		assert.Equal(t, int64(792), art.RunID)
+		assert.False(t, art.Expired)
+	})
+
+	t.Run("GetNonCanonicalID", func(t *testing.T) {
+		// id=20 is part of "multi-file-download" but is NOT the MIN(id), so it should 404
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/20", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+
+	t.Run("GetPendingArtifact", func(t *testing.T) {
+		// id=1 has status=1 (upload pending), should not be accessible
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/1", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+
+	t.Run("GetNonExistent", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/99999", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+
+	t.Run("GetFromWrongRepository", func(t *testing.T) {
+		// artifact id=22 belongs to user5/repo4; requesting it through a repo
+		// the caller can access but that doesn't own the artifact must 404 —
+		// this is the load-bearing check that caller-side RepoID was replaced
+		// by a query-side constraint.
+		otherRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+		otherUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: otherRepo.OwnerID})
+		otherToken := getUserToken(t, otherUser.LowerName, auth_model.AccessTokenScopeReadRepository)
+
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/22", otherRepo.OwnerName, otherRepo.Name),
+		)
+		req.AddTokenAuth(otherToken)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+}
+
+func TestAPIActionArtifactsRequireRepoScope(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	wrongScopeToken := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeReadNotification)
+
+	endpoints := []struct {
+		name string
+		path string
+	}{
+		{"list repo", fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts", repo.OwnerName, repo.Name)},
+		{"list run", fmt.Sprintf("/api/v1/repos/%s/%s/actions/runs/791/artifacts", repo.OwnerName, repo.Name)},
+		{"get", fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/19", repo.OwnerName, repo.Name)},
+		{"download", fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/19/zip", repo.OwnerName, repo.Name)},
+	}
+
+	for _, ep := range endpoints {
+		t.Run(ep.name, func(t *testing.T) {
+			req := NewRequest(t, http.MethodGet, ep.path)
+			req.AddTokenAuth(wrongScopeToken)
+			MakeRequest(t, req, http.StatusForbidden)
+		})
+	}
+}
+
+func TestAPIDownloadActionArtifact(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	tests.PrepareArtifactsStorage(t)
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	token := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeReadRepository)
+
+	t.Run("DownloadV1V3Artifact", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/19/zip", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+
+		res := MakeRequest(t, req, http.StatusOK)
+		assert.Contains(t, res.Header().Get("Content-Disposition"), "multi-file-download.zip")
+	})
+
+	t.Run("DownloadV4Artifact", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/22/zip", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+
+		res := MakeRequest(t, req, http.StatusOK)
+		assert.Equal(t, "bytes", res.Header().Get("Accept-Ranges"))
+	})
+
+	t.Run("DownloadPendingArtifact", func(t *testing.T) {
+		req := NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/1/zip", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+}
+
+func TestAPIDeleteActionArtifact(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	t.Run("DeleteRequiresWritePermission", func(t *testing.T) {
+		readToken := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeReadRepository)
+		req := NewRequest(t, http.MethodDelete,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/22", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(readToken)
+		MakeRequest(t, req, http.StatusForbidden)
+	})
+
+	t.Run("DeleteArtifact", func(t *testing.T) {
+		writeToken := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeWriteRepository)
+		req := NewRequest(t, http.MethodDelete,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/22", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(writeToken)
+		MakeRequest(t, req, http.StatusNoContent)
+
+		// Verify the artifact is no longer accessible
+		readToken := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeReadRepository)
+		req = NewRequest(t, http.MethodGet,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/22", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(readToken)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+
+	t.Run("DeleteNonExistent", func(t *testing.T) {
+		writeToken := getUserToken(t, user.LowerName, auth_model.AccessTokenScopeWriteRepository)
+		req := NewRequest(t, http.MethodDelete,
+			fmt.Sprintf("/api/v1/repos/%s/%s/actions/artifacts/99999", repo.OwnerName, repo.Name),
+		)
+		req.AddTokenAuth(writeToken)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+}

From 23b541ce5ac03586fbed9b82d71cc23918d9a1dc Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 21 Apr 2026 01:50:24 +0200
Subject: [PATCH 152/287] Update module code.forgejo.org/forgejo/runner/v12 to
 v12.9.0 (forgejo) (#12211)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [code.forgejo.org/forgejo/runner/v12](https://code.forgejo.org/forgejo/runner) | `v12.8.2` → `v12.9.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.9.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.8.2/v12.9.0?slim=true) |

---

### Release Notes

<details>
<summary>forgejo/runner (code.forgejo.org/forgejo/runner/v12)</summary>

### [`v12.9.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.9.0)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.8.2...v12.9.0)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- features
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1488): <!--number 1488 --><!--line 0 --><!--description ZmVhdDogdHJpbSB3aGl0ZXNwYWNlIGFyb3VuZCB0b2tlbiwgdmFsaWRhdGUgaXQ=-->feat: trim whitespace around token, validate it<!--description-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1481): <!--number 1481 --><!--line 0 --><!--description Zml4OiBpbnRlcnBvbGF0aW9uIG9mIGB3b3JrZmxvd19jYWxsYCBpbnB1dHM=-->fix: interpolation of `workflow_call` inputs<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1485): <!--number 1485 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWdpdC9nby1naXQvdjUgdG8gdjUuMTguMCBbU0VDVVJJVFld-->Update module github.com/go-git/go-git/v5 to v5.18.0 \[SECURITY]<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1482): <!--number 1482 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjUuOQ==-->Update dependency go to v1.25.9<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1479): <!--number 1479 --><!--line 0 --><!--description VXBkYXRlIGdvLm9wZW50ZWxlbWV0cnkuaW8vb3RlbC9leHBvcnRlcnMvb3RscC9vdGxwdHJhY2Uvb3RscHRyYWNlaHR0cCAoaW5kaXJlY3QpIHRvIHYxLjQzLjAgW1NFQ1VSSVRZXQ==-->Update go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp (indirect) to v1.43.0 \[SECURITY]<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1478): <!--number 1478 --><!--line 0 --><!--description VXBkYXRlIGZvcmdlam8tcnVubmVyIHRvIHYxMi44LjI=-->Update forgejo-runner to v12.8.2<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEzMi4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12211
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 8b27668dfa..7b4bd07614 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	code.forgejo.org/forgejo/go-rpmutils v1.0.0
 	code.forgejo.org/forgejo/levelqueue v1.0.0
 	code.forgejo.org/forgejo/reply v1.0.2
-	code.forgejo.org/forgejo/runner/v12 v12.8.2
+	code.forgejo.org/forgejo/runner/v12 v12.9.0
 	code.forgejo.org/go-chi/binding v1.0.1
 	code.forgejo.org/go-chi/cache v1.0.1
 	code.forgejo.org/go-chi/captcha v1.0.2
diff --git a/go.sum b/go.sum
index e4b26aa113..445acfee2f 100644
--- a/go.sum
+++ b/go.sum
@@ -30,8 +30,8 @@ code.forgejo.org/forgejo/levelqueue v1.0.0 h1:9krYpU6BM+j/1Ntj6m+VCAIu0UNnne1/Uf
 code.forgejo.org/forgejo/levelqueue v1.0.0/go.mod h1:fmG6zhVuqim2rxSFOoasgXO8V2W/k9U31VVYqLIRLhQ=
 code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
 code.forgejo.org/forgejo/reply v1.0.2/go.mod h1:RyZUfzQLc+fuLIGjTSQWDAJWPiL4WtKXB/FifT5fM7U=
-code.forgejo.org/forgejo/runner/v12 v12.8.2 h1:jhSs/gQQAz0OiHnSxMx297jreLctfm52/rcXlCFMb58=
-code.forgejo.org/forgejo/runner/v12 v12.8.2/go.mod h1:sgDAYfO4NJI1kUzGuD7klHuoFLQzWmZPw0erg7QlbJU=
+code.forgejo.org/forgejo/runner/v12 v12.9.0 h1:NjON7Io08kHxua/AorPuHQ1KXfx3lF8UjVBMvR7UMQQ=
+code.forgejo.org/forgejo/runner/v12 v12.9.0/go.mod h1:NEQXUvam9ofsTeSTAMnJXMyCZxKLoyQhVG6DAYSpOKw=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616 h1:kEZL84+02jY9RxXM4zHBWZ3Fml0B09cmP1LGkDsCfIA=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 code.forgejo.org/go-chi/binding v1.0.1 h1:coKNI+X1NzRN7X85LlrpvBRqk0TXpJ+ja28vusQWEuY=

From 9c4fc72985661ec666b8e49a35609bc939f3fa66 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 21 Apr 2026 02:21:52 +0200
Subject: [PATCH 153/287] Update module connectrpc.com/connect to v1.19.2
 (forgejo) (#12210)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12210
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 7b4bd07614..33a8152647 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	code.superseriousbusiness.org/exif-terminator v0.11.2
 	code.superseriousbusiness.org/go-jpeg-image-structure/v2 v2.3.0
 	codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570
-	connectrpc.com/connect v1.19.1
+	connectrpc.com/connect v1.19.2
 	github.com/42wim/httpsig v1.2.3
 	github.com/42wim/sshsig v0.0.0-20250502153856-5100632e8920
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358
diff --git a/go.sum b/go.sum
index 445acfee2f..c88371b4f5 100644
--- a/go.sum
+++ b/go.sum
@@ -54,8 +54,8 @@ code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0 h1:I512jiIeXDC4//
 code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0/go.mod h1:SNHomXNW88o1pFfLHpD4KsCZLfcr4z5dm+xcX5SV10A=
 codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570 h1:TXbikPqa7YRtfU9vS6QJBg77pUvbEb6StRdZO8t1bEY=
 codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570/go.mod h1:IIAjsijsd8q1isWX8MACefDEgTQslQ4stk2AeeTt3kM=
-connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
-connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
+connectrpc.com/connect v1.19.2 h1:McQ83FGdzL+t60peksi0gXC7MQ/iLKgLduAnThbM0mo=
+connectrpc.com/connect v1.19.2/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
 filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=

From 33d6ecfca667f51c99ef1b9a6fe2ff70cbc19a02 Mon Sep 17 00:00:00 2001
From: Robert Wolff <mahlzahn@posteo.de>
Date: Tue, 21 Apr 2026 19:13:56 +0200
Subject: [PATCH 154/287] fix(ui): allow creating files with name starting with
 dash (#12214)

Closes: #12204

The underlying git option was already changed in git 2.0.0 to use format `<mode>,<object>,<path>`. See https://github.com/git/git/commit/ec160ae12b0ae938ed5076b9f604e88976fc429c.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12214
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Robert Wolff <mahlzahn@posteo.de>
Co-committed-by: Robert Wolff <mahlzahn@posteo.de>
---
 services/repository/files/temp_repo.go      |  2 +-
 services/repository/files/temp_repo_test.go | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/services/repository/files/temp_repo.go b/services/repository/files/temp_repo.go
index 17a8467e01..d10689b1fc 100644
--- a/services/repository/files/temp_repo.go
+++ b/services/repository/files/temp_repo.go
@@ -189,7 +189,7 @@ func (t *TemporaryUploadRepository) HashObject(content io.Reader) (string, error
 
 // AddObjectToIndex adds the provided object hash to the index with the provided mode and path
 func (t *TemporaryUploadRepository) AddObjectToIndex(mode, objectHash, objectPath string) error {
-	if _, _, err := git.NewCommand(t.ctx, "update-index", "--add", "--replace", "--cacheinfo").AddDynamicArguments(mode, objectHash, objectPath).RunStdString(&git.RunOpts{Dir: t.basePath}); err != nil {
+	if _, _, err := git.NewCommand(t.ctx, "update-index", "--add", "--replace", "--cacheinfo").AddDynamicArguments(mode + "," + objectHash + "," + objectPath).RunStdString(&git.RunOpts{Dir: t.basePath}); err != nil {
 		stderr := err.Error()
 		if matched, _ := regexp.MatchString(".*Invalid path '.*", stderr); matched {
 			return models.ErrFilePathInvalid{
diff --git a/services/repository/files/temp_repo_test.go b/services/repository/files/temp_repo_test.go
index 852e762267..ac63dc677e 100644
--- a/services/repository/files/temp_repo_test.go
+++ b/services/repository/files/temp_repo_test.go
@@ -14,7 +14,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestRemoveFilesFromIndexSha256(t *testing.T) {
+func TestTemporaryUploadRepositoryRemoveFilesFromIndexSha256(t *testing.T) {
 	if git.CheckGitVersionAtLeast("2.42") != nil {
 		t.Skip("skipping because installed Git version doesn't support SHA256")
 	}
@@ -26,3 +26,13 @@ func TestRemoveFilesFromIndexSha256(t *testing.T) {
 	require.NoError(t, temp.Init("sha256"))
 	require.NoError(t, temp.RemoveFilesFromIndex("README.md"))
 }
+
+func TestTemporaryUploadRepositoryAddObjectToIndex(t *testing.T) {
+	unittest.PrepareTestEnv(t)
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+
+	temp, err := NewTemporaryUploadRepository(db.DefaultContext, repo)
+	require.NoError(t, err)
+	require.NoError(t, temp.Init("sha1"))
+	require.NoError(t, temp.AddObjectToIndex("100644", "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391", "--test"))
+}

From 0034e55965262692f127d53a74fc176a37f0ef46 Mon Sep 17 00:00:00 2001
From: Nils Goroll <nils.goroll@uplex.de>
Date: Tue, 21 Apr 2026 19:39:33 +0200
Subject: [PATCH 155/287] chore: unify signing key configuration across modules
 (#11194)

## Context

the three commits in this series are the first step towards the goal of removing the special casing around `JWT_SECRET`, which is used for various modules via `GetGeneralTokenSigningSecret()`. Ultimately, I want to work towards enabling seamless migration away from general use of the common secret. To enable this, we need proper secret/key rotation support, that is, we need to allow for configuration of additional secrets/keys which are accepted for token validation, but not used to issue tokens.

I have this _Verifier_ support basically implemented, but this PR is not it.

This PR contains cleanup refactoring which I worked on before writing the _Verifier_ support, because I noticed that the existing secret/key handling across modules was inconsistent and required duplicated code.

I am submitting this part now to allow for incremental review of not too large a diff, and because these commits remained unchanged during two weeks since I moved on the the next task.

## The problem being addressed

Configuration of JWT signing secrets/keys was inconsistent:

Under `[oauth2]` the full configuration set was supported:

- `JWT_SIGNING_ALGORITHM` configured the algorithm
- `JWT_SECRET` configured a literal secret for symmetric algorithms
- `JWT_SECRET_URI` configured a `file:` uri of a secret for symmetric algorithms
- `JWT_SIGNING_PRIVATE_KEY_FILE` configured a file for asymmetric algorithms

For `[server]`, the LFS module only supported `LFS_JWT_SECRET`, and the signing method was hardcoded to `HS256`

For `[actions]`, only asymmetric signing methods were supported via `ID_TOKEN_SIGNING_ALGORITHM` and `ID_TOKEN_SIGNING_PRIVATE_KEY_FILE`.

## ini unification

The proposed code centralizes ini parsing to always support the following ini keys:

- `[pfx]SIGNING_ALGORITHM` determines the algorithm
- `[pfx]SECRET` is a literal secret for symmetric algorithms
- `[pfx]SECRET_URI` is the uri of a secret for symmetric algorithms
- `[pfx]SIGNING_PRIVATE_KEY_FILE` is a file with a private key for asymmetric algorithms

`[pfx]` is specific to the module and chosen to support the existing ini keys

Centralizing this code and unifying the ini keys will come handy for at least the following reasons:

- consistent behavior across modules is easier to understand
- less duplicated code
- easier to expand later, which is my main motivation

## implementation notes

as might be apparent by the _take3_ branch name, this is the third iteration of this patch series. The main reason why I abandoned the other two is that I first tried to move all the key initialization into the code called from settings.go when the ini file is parsed. But that lead to a lot of friction with test cases, because private key files which are configured, but do not exist will get created and hence require a writable `AppDataPath` and additional clean up.

To avoid a lot of noise and complications in test cases, I kept the existing two stage process, where

- the settings component creates missing symmetric signing keys and writes them to the .ini
- the settings component creates a simple configuration struct
- which is then used from the module init to create the actual key, which also includes creating a private key file if asymmetric crypto is configured and the key file does not exist.

I would have wished this patch was a net negative in terms of LOCs, but I hope it contributes to clarity and many added lines are in test cases.

## Commits

Because sometimes PRs are merged as squashes with the PR text remaining, I am repeating here the individual messages of the individual commits for future reference:

### Refactor signing key initalization and oauth2 use of it

This commit is the first in a series towards the goal of addressing the
FIXME comment in modules/setting/oauth2.go to remove
GeneralTokenSigningSecret

To do it properly, the task also requires addition of signing secret/key
rotation: We ultimately want to be able to change a signing key, but
continue to accept the previous one. This is particularly relevant to
offer a path from GeneralTokenSigningSecret aka JWT_SECRET to new,
specific component key configuration, where it should be possible to add
the former JWT_SECRET as a key accepted for verification to enable a
seamless transition.

This perspective, in turn, calls for refactoring of the existing secret
initialization code to centralize the common functions of parsing
signing key related configuration directives: The oauth2 module
currently is the only component accepting symmetric and asymmetric keys,
with the limitation of the symmetric key being also the
GeneralTokenSigningSecret. Other components either enforce HS256 or
public key algorithms.

We should really give the choice of algorithm selection and avoid code
duplication in other places, so this commit

- generalizes setting parsing into a configuration struct: A prefix can
  be provided, with which the common configuration directives are
  processed:

  - [pfx]SIGNING_ALGORITHM determines the algorithm
  - [pfx]SECRET is a literal secret for symmetric algorithms
  - [pfx]SECRET_URI is the uri of a secret for symmetric algorithms
  - [pfx]SIGNING_PRIVATE_KEY_FILE is a file with a private key for asymmetric algorithms

- which is then accepted by jwtx.InitSigningKey() to create an actual
  signing key

The reasons for the two stage process are explained in a long-ish
comment in modules/setting/security.go. In short, other options would
either violate sensible module boundaries or cause too much friction.
These other options have actually been tried, this is take 3 of the
proposed changes.

### Refactor services/lfs: Change token code to use SigningKey

This now also enables use of token algorithms other than HS256.

In this case, signing key initialization also happens during settings
initialization, because LFS is also used in CLI commands.

### Refactor api/actions to use new signingkey API

This now also enables use of symmetric token algorithms.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11194
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Nils Goroll <nils.goroll@uplex.de>
Co-committed-by: Nils Goroll <nils.goroll@uplex.de>
---
 cmd/serv.go                         |   3 +-
 custom/conf/app.example.ini         |   6 +-
 modules/generate/generate.go        |   2 +-
 modules/jwtx/signingkey.go          |  65 ++++++-----
 modules/jwtx/signingkey_test.go     | 104 +++++++++++------
 modules/setting/actions.go          |  27 ++---
 modules/setting/actions_test.go     |  34 ++++--
 modules/setting/lfs.go              |  26 ++---
 modules/setting/oauth2.go           |  37 +++---
 modules/setting/security.go         | 173 ++++++++++++++++++++++++++--
 modules/storage/storage.go          |   1 +
 release-notes/11194.md              |   1 +
 routers/api/actions/oidc.go         |   4 +-
 services/auth/source/oauth2/init.go |   2 +-
 services/lfs/server.go              |   5 +-
 services/lfs/server_test.go         |  38 +++++-
 services/repository/lfs_test.go     |  18 ++-
 17 files changed, 389 insertions(+), 157 deletions(-)
 create mode 100644 release-notes/11194.md

diff --git a/cmd/serv.go b/cmd/serv.go
index 0e0551d297..3a92b0e5fb 100644
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -290,10 +290,9 @@ func runServ(ctx context.Context, c *cli.Command) error {
 			Op:     lfsVerb,
 			UserID: results.UserID,
 		}
-		token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 
 		// Sign and get the complete encoded token as a string using the secret
-		tokenString, err := token.SignedString(setting.LFS.JWTSecretBytes)
+		tokenString, err := setting.LFS.SigningKey.JWT(claims)
 		if err != nil {
 			return fail(ctx, "Failed to sign JWT Token", "Failed to sign JWT token: %v", err)
 		}
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index b0f6bd3d44..7a85d1e7ae 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -313,6 +313,9 @@ RUN_USER = ; git
 ;LFS_START_SERVER = false
 ;;
 ;;
+;; see JWT_* under [oauth2]
+;LFS_JWT_SIGNING_ALGORITHM = HS256
+;LFS_JWT_SIGNING_PRIVATE_KEY_FILE = jwt/lfs_private.pem
 ;; LFS authentication secret, change this yourself
 ;LFS_JWT_SECRET =
 ;;
@@ -544,6 +547,7 @@ ENABLED = true
 ;; Private key file path used to sign OAuth2 tokens. The path is relative to APP_DATA_PATH.
 ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to RS256, RS384, RS512, ES256, ES384 or ES512.
 ;; The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
+;; XXX jwt/ is a misnomer, it should rather be oauth2/, because we use many JWTs
 ;JWT_SIGNING_PRIVATE_KEY_FILE = jwt/private.pem
 ;;
 ;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://forgejo.org/docs/latest/admin/command-line/#generate-secret
@@ -2790,7 +2794,7 @@ LEVEL = Info
 ;; server and database workload due to more complex database queries and more frequent server task querying; this
 ;; feature can be disabled to reduce performance impact
 ;CONCURRENCY_GROUP_QUEUE_ENABLED = true
-;; Algorithm used to sign ID tokens. Valid values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, EdDSA.
+;; Algorithm used to sign ID tokens. Valid values: RS256, RS384, RS512, ES256, ES384, ES512, EdDSA.
 ;; RS256 will ensure compatibility with all relying parties.
 ;; If a different algorithm is chosen, verify that relying parties of interest support the signing algorithm.
 ;ID_TOKEN_SIGNING_ALGORITHM = RS256
diff --git a/modules/generate/generate.go b/modules/generate/generate.go
index 2df808fe9e..0dd5d071de 100644
--- a/modules/generate/generate.go
+++ b/modules/generate/generate.go
@@ -37,7 +37,7 @@ func DecodeJwtSecret(src string) ([]byte, error) {
 	encoding := base64.RawURLEncoding
 	decoded := make([]byte, encoding.DecodedLen(len(src))+3)
 	if n, err := encoding.Decode(decoded, []byte(src)); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("JwtSecret decode failed: %v", err)
 	} else if n != defaultJwtSecretLen {
 		return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, defaultJwtSecretLen)
 	}
diff --git a/modules/jwtx/signingkey.go b/modules/jwtx/signingkey.go
index 2aef70440d..be1115cb15 100644
--- a/modules/jwtx/signingkey.go
+++ b/modules/jwtx/signingkey.go
@@ -25,6 +25,20 @@ import (
 	"github.com/golang-jwt/jwt/v5"
 )
 
+// The ...KeyCfg types are only used for handover from setting to signingkey
+// see comment in setting/security.go
+
+type SigningKeyCfg struct {
+	Algorithm      string
+	SecretBytes    *[]byte
+	PrivateKeyPath *string
+}
+
+type KeyCfg struct {
+	Signing *SigningKeyCfg
+	// more later
+}
+
 // ErrInvalidAlgorithmType represents an invalid algorithm error.
 type ErrInvalidAlgorithmType struct {
 	Algorithm string
@@ -399,50 +413,39 @@ func loadOrCreateAsymmetricKey(keyPath, algorithm string) (any, error) {
 	return loadAsymmetricKey(keyPath)
 }
 
-// InitSigningKey creates a signing key from settings or creates a random key.
-func InitSigningKey(getGeneralTokenSigningSecret func() []byte, keyPath, algorithm string) (SigningKey, error) {
+// InitSigningKey creates a signing key from SigningKeyCfg
+// cfgP is set to nil to mark that is has been processed
+func InitSigningKey(cfgP **SigningKeyCfg) (SigningKey, error) {
+	cfg := *cfgP
+	*cfgP = nil
 	var err error
 	var key SigningKey
 
-	key, err = InitSymmetricSigningKey(getGeneralTokenSigningSecret, algorithm)
-	if err != nil {
-		key, err = InitAsymmetricSigningKey(keyPath, algorithm)
-		if err != nil {
-			return nil, err
-		}
+	if IsValidSymmetricAlgorithm(cfg.Algorithm) {
+		key, err = CreateSigningKey(cfg.Algorithm, *cfg.SecretBytes)
+	} else if IsValidAsymmetricAlgorithm(cfg.Algorithm) {
+		key, err = InitAsymmetricSigningKey(*cfg.PrivateKeyPath, cfg.Algorithm)
+	} else {
+		// should never happen, setting.loadSigningKeyCfg() ensures
+		err = ErrInvalidAlgorithmType{Algorithm: cfg.Algorithm}
 	}
 
-	return key, nil
+	return key, err
 }
 
+var (
+	ValidSymmetricAlgorighms  = []string{"HS256", "HS384", "HS512"}
+	ValidAsymmetricAlgorithms = []string{"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "EdDSA"}
+)
+
 // IsValidSymmetricAlgorithm checks if the passed in algorithm is a supported symettric algorithm.
 func IsValidSymmetricAlgorithm(algorithm string) bool {
-	validAlgs := []string{"HS256", "HS384", "HS512"}
-
-	return slices.Contains(validAlgs, algorithm)
-}
-
-// InitSymmetricSigningKey creates a symmetric signing key from settings.
-func InitSymmetricSigningKey(getGeneralTokenSigningSecret func() []byte, algorithm string) (SigningKey, error) {
-	var err error
-
-	if !IsValidSymmetricAlgorithm(algorithm) {
-		return nil, fmt.Errorf("invalid algorithm: %s", algorithm)
-	}
-
-	signingKey, err := CreateSigningKey(algorithm, getGeneralTokenSigningSecret())
-	if err != nil {
-		return nil, err
-	}
-
-	return signingKey, nil
+	return slices.Contains(ValidSymmetricAlgorighms, algorithm)
 }
 
 // IsValidAsymmetricAlgorithm checks if the passed in algorithm is a supported asymmetric algorithm.
 func IsValidAsymmetricAlgorithm(algorithm string) bool {
-	validAlgs := []string{"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "EdDSA"}
-
-	return slices.Contains(validAlgs, algorithm)
+	return slices.Contains(ValidAsymmetricAlgorithms, algorithm)
 }
 
 // InitAsymmetricSigningKey creates an asymmetric signing key from settings or creates a random key.
diff --git a/modules/jwtx/signingkey_test.go b/modules/jwtx/signingkey_test.go
index eb30473cad..96f6613b84 100644
--- a/modules/jwtx/signingkey_test.go
+++ b/modules/jwtx/signingkey_test.go
@@ -18,6 +18,36 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func testSignVerify(t *testing.T, signKey, verifyKey SigningKey) {
+	t.Helper()
+	// test sign and verify
+	claimsIn := jwt.RegisteredClaims{
+		Issuer: "abc",
+		ID:     "0815",
+	}
+	token, err := signKey.JWT(claimsIn)
+	require.NoError(t, err)
+	require.NotEmpty(t, token)
+
+	var claimsOut jwt.RegisteredClaims
+	parsed, err := jwt.ParseWithClaims(token, &claimsOut, func(valToken *jwt.Token) (any, error) {
+		assert.NotNil(t, valToken.Method)
+		assert.Equal(t, signKey.SigningMethod().Alg(), valToken.Method.Alg())
+		assert.Equal(t, verifyKey.SigningMethod().Alg(), valToken.Method.Alg())
+		kid, ok := valToken.Header["kid"]
+		assert.True(t, ok)
+		assert.NotNil(t, kid)
+
+		return verifyKey.VerifyKey(), nil
+	})
+	require.NoError(t, err)
+	assert.NotNil(t, parsed)
+	assert.Equal(t, claimsIn, claimsOut)
+	assert.Equal(t, &claimsIn, parsed.Claims)
+}
+
+// creates private key
+// loads it back from the file
 func TestLoadOrCreateAsymmetricKey(t *testing.T) {
 	loadKey := func(t *testing.T, keyPath, algorithm string) any {
 		t.Helper()
@@ -35,6 +65,21 @@ func TestLoadOrCreateAsymmetricKey(t *testing.T) {
 
 		return parsedKey
 	}
+	useKey := func(t *testing.T, keyPath, algorithm string) {
+		t.Helper()
+		// duplicates loadKey() to some extent, but uses SigningKey
+		cfg := &SigningKeyCfg{
+			Algorithm:      algorithm,
+			PrivateKeyPath: &keyPath,
+		}
+
+		key, err := InitSigningKey(&cfg)
+		require.NoError(t, err)
+		assert.NotNil(t, key)
+		assert.Nil(t, cfg)
+
+		testSignVerify(t, key, key)
+	}
 	t.Run("RSA-2048", func(t *testing.T) {
 		keyPath := filepath.Join(t.TempDir(), "jwt-rsa-2048.priv")
 		algorithm := "RS256"
@@ -43,6 +88,9 @@ func TestLoadOrCreateAsymmetricKey(t *testing.T) {
 
 		rsaPrivateKey := parsedKey.(*rsa.PrivateKey)
 		assert.Equal(t, 2048, rsaPrivateKey.N.BitLen())
+		t.Run("Use", func(t *testing.T) {
+			useKey(t, keyPath, algorithm)
+		})
 
 		t.Run("Load key with differ specified algorithm", func(t *testing.T) {
 			algorithm = "EdDSA"
@@ -61,6 +109,9 @@ func TestLoadOrCreateAsymmetricKey(t *testing.T) {
 
 		rsaPrivateKey := parsedKey.(*rsa.PrivateKey)
 		assert.Equal(t, 3072, rsaPrivateKey.N.BitLen())
+		t.Run("Use", func(t *testing.T) {
+			useKey(t, keyPath, algorithm)
+		})
 	})
 
 	t.Run("RSA-4096", func(t *testing.T) {
@@ -71,6 +122,9 @@ func TestLoadOrCreateAsymmetricKey(t *testing.T) {
 
 		rsaPrivateKey := parsedKey.(*rsa.PrivateKey)
 		assert.Equal(t, 4096, rsaPrivateKey.N.BitLen())
+		t.Run("Use", func(t *testing.T) {
+			useKey(t, keyPath, algorithm)
+		})
 	})
 
 	t.Run("ECDSA-256", func(t *testing.T) {
@@ -81,6 +135,9 @@ func TestLoadOrCreateAsymmetricKey(t *testing.T) {
 
 		ecdsaPrivateKey := parsedKey.(*ecdsa.PrivateKey)
 		assert.Equal(t, 256, ecdsaPrivateKey.Params().BitSize)
+		t.Run("Use", func(t *testing.T) {
+			useKey(t, keyPath, algorithm)
+		})
 	})
 
 	t.Run("ECDSA-384", func(t *testing.T) {
@@ -91,6 +148,9 @@ func TestLoadOrCreateAsymmetricKey(t *testing.T) {
 
 		ecdsaPrivateKey := parsedKey.(*ecdsa.PrivateKey)
 		assert.Equal(t, 384, ecdsaPrivateKey.Params().BitSize)
+		t.Run("Use", func(t *testing.T) {
+			useKey(t, keyPath, algorithm)
+		})
 	})
 
 	t.Run("ECDSA-512", func(t *testing.T) {
@@ -101,6 +161,9 @@ func TestLoadOrCreateAsymmetricKey(t *testing.T) {
 
 		ecdsaPrivateKey := parsedKey.(*ecdsa.PrivateKey)
 		assert.Equal(t, 521, ecdsaPrivateKey.Params().BitSize)
+		t.Run("Use", func(t *testing.T) {
+			useKey(t, keyPath, algorithm)
+		})
 	})
 
 	t.Run("EdDSA", func(t *testing.T) {
@@ -110,47 +173,12 @@ func TestLoadOrCreateAsymmetricKey(t *testing.T) {
 		parsedKey := loadKey(t, keyPath, algorithm)
 
 		assert.NotNil(t, parsedKey.(ed25519.PrivateKey))
+		t.Run("Use", func(t *testing.T) {
+			useKey(t, keyPath, algorithm)
+		})
 	})
 }
 
-type testClaims struct {
-	Foo string `json:"Foo"`
-	jwt.RegisteredClaims
-}
-
-func TestJWTHasKid(t *testing.T) {
-	keyPath := filepath.Join(t.TempDir(), "jwt-rsa-2048.priv")
-	algorithm := "RS256"
-	key, err := InitAsymmetricSigningKey(keyPath, algorithm)
-	require.NoError(t, err)
-
-	claimsIn := testClaims{
-		Foo:              "bar",
-		RegisteredClaims: jwt.RegisteredClaims{},
-	}
-	token, err := key.JWT(&claimsIn)
-	require.NoError(t, err)
-
-	var claimsOut testClaims
-	parsed, err := jwt.ParseWithClaims(token, &claimsOut, func(valToken *jwt.Token) (any, error) {
-		assert.NotNil(t, valToken.Method)
-		assert.Equal(t, key.SigningMethod().Alg(), valToken.Method.Alg())
-		kid, ok := valToken.Header["kid"]
-		assert.True(t, ok)
-		assert.NotNil(t, kid)
-
-		return key.VerifyKey(), nil
-	})
-	require.NoError(t, err)
-	assert.NotNil(t, parsed)
-	assert.Equal(t, "bar", parsed.Claims.(*testClaims).Foo)
-	assert.Equal(t, "bar", claimsOut.Foo)
-	// dup to keyFunc above
-	kid, ok := parsed.Header["kid"]
-	assert.True(t, ok)
-	assert.NotNil(t, kid)
-}
-
 func TestCannotCreatePrivateKey(t *testing.T) {
 	_, err := InitAsymmetricSigningKey("/dev/directory-does-not-exist-and-you-should-not-have-permission-to-create/privatekey.pem", "RS256")
 	require.Error(t, err)
diff --git a/modules/setting/actions.go b/modules/setting/actions.go
index 2e0554195f..930e0d0bed 100644
--- a/modules/setting/actions.go
+++ b/modules/setting/actions.go
@@ -5,7 +5,6 @@ package setting
 
 import (
 	"fmt"
-	"path/filepath"
 	"strings"
 	"time"
 
@@ -28,17 +27,15 @@ var (
 		SkipWorkflowStrings          []string          `ini:"SKIP_WORKFLOW_STRINGS"`
 		LimitDispatchInputs          int64             `ini:"LIMIT_DISPATCH_INPUTS"`
 		ConcurrencyGroupQueueEnabled bool              `ini:"CONCURRENCY_GROUP_QUEUE_ENABLED"`
-		IDTokenSigningAlgorithm      idTokenAlgorithm  `ini:"ID_TOKEN_SIGNING_ALGORITHM"`
-		IDTokenSigningPrivateKeyFile string            `ini:"ID_TOKEN_SIGNING_PRIVATE_KEY_FILE"`
 		IDTokenExpirationTime        int64             `ini:"ID_TOKEN_EXPIRATION_TIME"`
+
+		KeyCfg *jwtx.KeyCfg
 	}{
 		Enabled:                      true,
 		DefaultActionsURL:            defaultActionsURLForgejo,
 		SkipWorkflowStrings:          []string{"[skip ci]", "[ci skip]", "[no ci]", "[skip actions]", "[actions skip]"},
 		LimitDispatchInputs:          100,
 		ConcurrencyGroupQueueEnabled: true,
-		IDTokenSigningAlgorithm:      "RS256",
-		IDTokenSigningPrivateKeyFile: "actions_id_token/private.pem",
 		IDTokenExpirationTime:        3600,
 	}
 )
@@ -76,15 +73,9 @@ func (c logCompression) IsZstd() bool {
 	return c == "" || strings.ToLower(string(c)) == "zstd"
 }
 
-type idTokenAlgorithm string
-
-func (c idTokenAlgorithm) IsValid() bool {
-	// Empty string implies RS256
-	return jwtx.IsValidAsymmetricAlgorithm(string(c)) || string(c) == ""
-}
-
 func loadActionsFrom(rootCfg ConfigProvider) error {
-	sec := rootCfg.Section("actions")
+	secName := "actions"
+	sec := rootCfg.Section(secName)
 	err := sec.MapTo(&Actions)
 	if err != nil {
 		return fmt.Errorf("failed to map Actions settings: %v", err)
@@ -120,13 +111,9 @@ func loadActionsFrom(rootCfg ConfigProvider) error {
 		return fmt.Errorf("invalid [actions] LOG_COMPRESSION: %q", Actions.LogCompression)
 	}
 
-	if !Actions.IDTokenSigningAlgorithm.IsValid() {
-		return fmt.Errorf("invalid [actions] ID_TOKEN_SIGNING_ALGORITHM: %q", Actions.IDTokenSigningAlgorithm)
+	Actions.KeyCfg, err = loadKeyCfg(rootCfg, secName, "ID_TOKEN_", "RS256", "actions_id_token/private.pem", onlyAsymmetric())
+	if err != nil {
+		return err
 	}
-
-	if !filepath.IsAbs(Actions.IDTokenSigningPrivateKeyFile) {
-		Actions.IDTokenSigningPrivateKeyFile = filepath.Join(AppDataPath, Actions.IDTokenSigningPrivateKeyFile)
-	}
-
 	return nil
 }
diff --git a/modules/setting/actions_test.go b/modules/setting/actions_test.go
index 7d32131d32..1bbd4d0251 100644
--- a/modules/setting/actions_test.go
+++ b/modules/setting/actions_test.go
@@ -4,7 +4,6 @@
 package setting
 
 import (
-	"fmt"
 	"path/filepath"
 	"testing"
 
@@ -176,8 +175,8 @@ func Test_getIDTokenSettingsForActions(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, loadActionsFrom(cfg))
 
-	assert.EqualValues(t, "RS256", Actions.IDTokenSigningAlgorithm)
-	assert.Equal(t, "/home/app/data/actions_id_token/private.pem", Actions.IDTokenSigningPrivateKeyFile)
+	assert.Equal(t, "RS256", Actions.KeyCfg.Signing.Algorithm)
+	assert.Equal(t, "/home/app/data/actions_id_token/private.pem", *Actions.KeyCfg.Signing.PrivateKeyPath)
 	assert.EqualValues(t, 3600, Actions.IDTokenExpirationTime)
 
 	iniStr = `
@@ -190,8 +189,8 @@ func Test_getIDTokenSettingsForActions(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, loadActionsFrom(cfg))
 
-	assert.EqualValues(t, "ES256", Actions.IDTokenSigningAlgorithm)
-	assert.Equal(t, "/test/test.pem", Actions.IDTokenSigningPrivateKeyFile)
+	assert.Equal(t, "ES256", Actions.KeyCfg.Signing.Algorithm)
+	assert.Equal(t, "/test/test.pem", *Actions.KeyCfg.Signing.PrivateKeyPath)
 	assert.EqualValues(t, 120, Actions.IDTokenExpirationTime)
 
 	iniStr = `
@@ -204,8 +203,8 @@ func Test_getIDTokenSettingsForActions(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, loadActionsFrom(cfg))
 
-	assert.EqualValues(t, "EdDSA", Actions.IDTokenSigningAlgorithm)
-	assert.Equal(t, "/home/app/data/test/test.pem", Actions.IDTokenSigningPrivateKeyFile)
+	assert.Equal(t, "EdDSA", Actions.KeyCfg.Signing.Algorithm)
+	assert.Equal(t, "/home/app/data/test/test.pem", *Actions.KeyCfg.Signing.PrivateKeyPath)
 	assert.EqualValues(t, 123, Actions.IDTokenExpirationTime)
 
 	iniStr = `
@@ -215,6 +214,23 @@ func Test_getIDTokenSettingsForActions(t *testing.T) {
 	cfg, err = NewConfigProviderFromData(iniStr)
 	require.NoError(t, err)
 	err = loadActionsFrom(cfg)
-	require.ErrorContains(t, err,
-		fmt.Sprintf("invalid [actions] ID_TOKEN_SIGNING_ALGORITHM: %q", Actions.IDTokenSigningAlgorithm))
+	require.ErrorContains(t, err, "[actions] Unexpected algorithm: ID_TOKEN_SIGNING_ALGORITHM = HS256, needs to be one of [RS256 RS384 RS512 ES256 ES384 ES512 EdDSA]")
+
+	iniStr = `
+  [actions]
+	ID_TOKEN_SECRET = ABC
+	`
+	cfg, err = NewConfigProviderFromData(iniStr)
+	require.NoError(t, err)
+	err = loadActionsFrom(cfg)
+	require.ErrorContains(t, err, "[actions] Invalid config key: ID_TOKEN_SECRET - must be removed")
+
+	iniStr = `
+  [actions]
+	ID_TOKEN_SECRET_URI = ABC
+	`
+	cfg, err = NewConfigProviderFromData(iniStr)
+	require.NoError(t, err)
+	err = loadActionsFrom(cfg)
+	require.ErrorContains(t, err, "[actions] Invalid config key: ID_TOKEN_SECRET_URI - must be removed")
 }
diff --git a/modules/setting/lfs.go b/modules/setting/lfs.go
index 452bfae737..12f90cd092 100644
--- a/modules/setting/lfs.go
+++ b/modules/setting/lfs.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"time"
 
-	"forgejo.org/modules/generate"
+	"forgejo.org/modules/jwtx"
 )
 
 // LFS represents the server-side configuration for Git LFS.
@@ -16,13 +16,13 @@ import (
 // Could be refactored in the future while keeping backwards compatibility.
 var LFS = struct {
 	StartServer    bool          `ini:"LFS_START_SERVER"`
-	JWTSecretBytes []byte        `ini:"-"`
 	HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"`
 	MaxFileSize    int64         `ini:"LFS_MAX_FILE_SIZE"`
 	LocksPagingNum int           `ini:"LFS_LOCKS_PAGING_NUM"`
 	MaxBatchSize   int           `ini:"LFS_MAX_BATCH_SIZE"`
 
-	Storage *Storage
+	SigningKey jwtx.SigningKey
+	Storage    *Storage
 }{}
 
 // LFSClient represents configuration for Gitea's LFS clients, for example: mirroring upstream Git LFS
@@ -77,20 +77,14 @@ func loadLFSFrom(rootCfg ConfigProvider) error {
 		return nil
 	}
 
-	jwtSecretBase64 := loadSecret(rootCfg.Section("server"), "LFS_JWT_SECRET_URI", "LFS_JWT_SECRET")
-	LFS.JWTSecretBytes, err = generate.DecodeJwtSecret(jwtSecretBase64)
-	if err != nil {
-		LFS.JWTSecretBytes, jwtSecretBase64 = generate.NewJwtSecret()
-
-		// Save secret
-		saveCfg, err := rootCfg.PrepareSaving()
-		if err != nil {
-			return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
+	// TODO: #11024 check nil because settings loaded twice
+	if LFS.SigningKey == nil {
+		keyCfg, err := loadKeyCfg(rootCfg, "server", "LFS_JWT_", "HS256", "lfs/private.pem")
+		if err == nil {
+			LFS.SigningKey, err = jwtx.InitSigningKey(&keyCfg.Signing)
 		}
-		rootCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(jwtSecretBase64)
-		saveCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(jwtSecretBase64)
-		if err := saveCfg.Save(); err != nil {
-			return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
+		if err != nil {
+			return fmt.Errorf("lfs key initialization failed: %v", err)
 		}
 	}
 
diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go
index 9e95e1c6a9..8598b7b24d 100644
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@@ -5,10 +5,10 @@ package setting
 
 import (
 	"math"
-	"path/filepath"
 	"sync/atomic"
 
 	"forgejo.org/modules/generate"
+	"forgejo.org/modules/jwtx"
 	"forgejo.org/modules/log"
 )
 
@@ -96,18 +96,15 @@ var OAuth2 = struct {
 	AccessTokenExpirationTime   int64
 	RefreshTokenExpirationTime  int64
 	InvalidateRefreshTokens     bool
-	JWTSigningAlgorithm         string `ini:"JWT_SIGNING_ALGORITHM"`
-	JWTSigningPrivateKeyFile    string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
 	MaxTokenLength              int
 	DefaultApplications         []string
 	EnableAdditionalGrantScopes bool
+	KeyCfg                      *jwtx.KeyCfg
 }{
 	Enabled:                     true,
 	AccessTokenExpirationTime:   3600,
 	RefreshTokenExpirationTime:  730,
 	InvalidateRefreshTokens:     true,
-	JWTSigningAlgorithm:         "RS256",
-	JWTSigningPrivateKeyFile:    "jwt/private.pem",
 	MaxTokenLength:              math.MaxInt16,
 	DefaultApplications:         []string{"git-credential-oauth", "git-credential-manager", "tea"},
 	EnableAdditionalGrantScopes: false,
@@ -126,30 +123,26 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 		OAuth2.Enabled = sec.Key("ENABLE").MustBool(OAuth2.Enabled)
 	}
 
-	if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) {
-		OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile)
-	}
-
 	// FIXME: at the moment, no matter oauth2 is enabled or not, it must generate a "oauth2 JWT_SECRET"
 	// Because this secret is also used as GeneralTokenSigningSecret (as a quick not-that-breaking fix for some legacy problems).
 	// Including: CSRF token, account validation token, etc ...
 	// In main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...)
-	jwtSecretBase64 := loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET")
 	if InstallLock {
-		jwtSecretBytes, err := generate.DecodeJwtSecret(jwtSecretBase64)
+		signingKey, err := loadSymmeticSigningKeyCfg(rootCfg, sec, "JWT_")
 		if err != nil {
-			jwtSecretBytes, jwtSecretBase64 = generate.NewJwtSecret()
-			saveCfg, err := rootCfg.PrepareSaving()
-			if err != nil {
-				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
-			}
-			rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64)
-			saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64)
-			if err := saveCfg.Save(); err != nil {
-				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
-			}
+			log.Fatal("%v", err)
 		}
-		generalSigningSecret.Store(&jwtSecretBytes)
+		generalSigningSecret.Store(signingKey)
+	}
+
+	if !OAuth2.Enabled {
+		return
+	}
+
+	var err error
+	OAuth2.KeyCfg, err = loadKeyCfg(rootCfg, "oauth2", "JWT_", "RS256", "jwt/private.pem")
+	if err != nil {
+		log.Fatal("oauth2 key initialization failed: %v", err)
 	}
 }
 
diff --git a/modules/setting/security.go b/modules/setting/security.go
index e00a6af0ee..586989101d 100644
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -4,12 +4,15 @@
 package setting
 
 import (
+	"fmt"
 	"net/url"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"forgejo.org/modules/auth/password/hash"
 	"forgejo.org/modules/generate"
+	"forgejo.org/modules/jwtx"
 	"forgejo.org/modules/keying"
 	"forgejo.org/modules/log"
 )
@@ -39,6 +42,31 @@ var (
 	DisableQueryAuthToken              bool
 )
 
+/*
+ * key loading is a two-stage process to avoid complications for unit tests:
+ *
+ * For symmetric keys, we want to add a random key to the configuration. We would
+ * not want to change the configuration after loading has completed to maintain
+ * isolation. So from this perspective, we would want to initialize keys only
+ * during setting.load...From()
+ *
+ * For asymmetric keys, we want to create a random private key _file_.
+ * Doing so during the setting load phase, however, creates key files for unit
+ * tests, because they usually complete the full settings load phase, but do not
+ * initialize modules which they do not need. Depending on the test case, it
+ * might not provide a writable AppDataPath, or it would leave private key files
+ * in the source tree. All of this can be avoided with
+ * specifically adjusting the ini loaded for unit tests, but adds considerable
+ * friction.
+ *
+ * So to avoid all this, we split key loading in two phases:
+ * - settings parse the config and save missing symmetric keys
+ * - module init takes the parsed config, creates missing asymmetric keys and
+ *   creates the actual signingkey objects
+ *
+ * jwtx.SigningKeyCfg and jwtx.KeyCfg are used for handover
+ */
+
 // loadSecret load the secret from ini by uriKey or verbatimKey, only one of them could be set
 // If the secret is loaded from uriKey (file), the file should be non-empty, to guarantee the behavior stable and clear.
 func loadSecret(sec ConfigSection, uriKey, verbatimKey string) string {
@@ -53,16 +81,29 @@ func loadSecret(sec ConfigSection, uriKey, verbatimKey string) string {
 	if uri == "" {
 		return verbatim
 	}
+	verbatim, err := loadSecretFromURI(uri)
+	if err == nil {
+		return verbatim
+	}
+	log.Fatal("%s: %w", uriKey, err)
+	// unreached
+	return ""
+}
 
+func loadSecretFromURI(uri string) (string, error) {
 	tempURI, err := url.Parse(uri)
 	if err != nil {
-		log.Fatal("Failed to parse %s (%s): %v", uriKey, uri, err)
+		return "", fmt.Errorf("Failed to parse %s: %v", uri, err)
 	}
 	switch tempURI.Scheme {
 	case "file":
-		buf, err := os.ReadFile(tempURI.RequestURI())
+		path := tempURI.RequestURI()
+		if !filepath.IsAbs(path) {
+			path = filepath.Join(AppDataPath, path)
+		}
+		buf, err := os.ReadFile(path)
 		if err != nil {
-			log.Fatal("Failed to read %s (%s): %v", uriKey, tempURI.RequestURI(), err)
+			return "", fmt.Errorf("Failed to read %s: %v", path, err)
 		}
 		val := strings.TrimSpace(string(buf))
 		if val == "" {
@@ -70,17 +111,135 @@ func loadSecret(sec ConfigSection, uriKey, verbatimKey string) string {
 			// For example: if INTERNAL_TOKEN_URI=file:///empty-file,
 			// Then if the token is re-generated during installation and saved to INTERNAL_TOKEN
 			// Then INTERNAL_TOKEN and INTERNAL_TOKEN_URI both exist, that's a fatal error (they shouldn't)
-			log.Fatal("Failed to read %s (%s): the file is empty", uriKey, tempURI.RequestURI())
+			return "", fmt.Errorf("Failed to read %s: the file is empty", path)
 		}
-		return val
+		return val, nil
 
 	// only file URIs are allowed
 	default:
-		log.Fatal("Unsupported URI-Scheme %q (%q = %q)", tempURI.Scheme, uriKey, uri)
-		return ""
+		return "", fmt.Errorf("Unsupported URI-Scheme %q in %q", tempURI.Scheme, uri)
 	}
 }
 
+// createSymmeticSigningKey creates a new symmetric signing key and saves it to
+// the setting named cfgSecret (usually [PFX_]SECRET) in section cfgSection
+func createSymmeticSigningKeyCfg(rootCfg ConfigProvider, cfgSection, cfgSecret string) (*[]byte, error) {
+	jwtSecretBytes, jwtSecretBase64 := generate.NewJwtSecret()
+	saveCfg, err := rootCfg.PrepareSaving()
+	if err == nil {
+		rootCfg.Section(cfgSection).Key(cfgSecret).SetValue(jwtSecretBase64)
+		saveCfg.Section(cfgSection).Key(cfgSecret).SetValue(jwtSecretBase64)
+		err = saveCfg.Save()
+	}
+	if err != nil {
+		return nil, fmt.Errorf("save %s.%s failed: %v", cfgSection, cfgSecret, err)
+	}
+	return &jwtSecretBytes, nil
+}
+
+// loadSymmeticSigningKey loads a signing key and creates it unless present
+// loads from [pfx]SECRET_URI
+// loads from or saves to [pfx]SECRET
+// in section sec
+func loadSymmeticSigningKeyCfg(rootCfg ConfigProvider, sec ConfigSection, pfx string) (*[]byte, error) {
+	cfgSecretURI := pfx + "SECRET_URI"
+	cfgSecret := pfx + "SECRET"
+
+	secretBase64 := loadSecret(sec, cfgSecretURI, cfgSecret)
+	secret, err := generate.DecodeJwtSecret(secretBase64)
+	if err == nil {
+		return &secret, nil
+	}
+
+	log.Info("[%s] %s or %s failed loading: %v - creating new key", sec.Name(), cfgSecret, cfgSecretURI, err)
+	return createSymmeticSigningKeyCfg(rootCfg, sec.Name(), cfgSecret)
+}
+
+// loadAsymmeticSigningKey loads a signing key from [pfx]SIGNING_PRIVATE_KEY_FILE
+// or creates it if it does not exist
+func loadAsymmeticSigningKeyPath(sec ConfigSection, pfx, defaultFile string) *string {
+	cfgFile := pfx + "SIGNING_PRIVATE_KEY_FILE"
+	keyPath := sec.Key(cfgFile).MustString(defaultFile)
+	if !filepath.IsAbs(keyPath) {
+		keyPath = filepath.Join(AppDataPath, keyPath)
+	}
+	return &keyPath
+}
+
+type checkKeyCfg func(rootCfg ConfigProvider, cfgSection, pfx string) error
+
+func onlyAsymmetric() checkKeyCfg {
+	return func(rootCfg ConfigProvider, cfgSection, pfx string) error {
+		sec := rootCfg.Section(cfgSection)
+		cfgAlg := pfx + "SIGNING_ALGORITHM"
+
+		if sec.HasKey(cfgAlg) {
+			alg := sec.Key(cfgAlg).String()
+			if !jwtx.IsValidAsymmetricAlgorithm(alg) {
+				return fmt.Errorf("Unexpected algorithm: %s = %s, needs to be one of %v",
+					cfgAlg, alg, jwtx.ValidAsymmetricAlgorithms)
+			}
+		}
+
+		noCfg := []string{
+			pfx + "SECRET_URI",
+			pfx + "SECRET",
+		}
+
+		for _, cfg := range noCfg {
+			if sec.HasKey(cfg) {
+				return fmt.Errorf("Invalid config key: %s - must be removed", cfg)
+			}
+		}
+
+		return nil
+	}
+}
+
+// loadSigningKey() loads a or creates signing key based on settings in section cfgSection
+// [pfx]SIGNING_ALGORITHM determines the algorithm
+// [pfx]SECRET is a literal secret for symmetric algorithms
+// [pfx]SECRET_URI is the uri of a secret for symmetric algorithms
+// [pfx]SIGNING_PRIVATE_KEY_FILE is a file with a private key for asymmetric algorithms
+//
+// [pfx]SECRET might get written to literally in the config if needed but not present
+
+func loadSigningKeyCfg(rootCfg ConfigProvider, cfgSection, pfx, defaultAlg, defaultPrivateKeyFile string, checks ...checkKeyCfg) (*jwtx.SigningKeyCfg, error) {
+	for _, check := range checks {
+		err := check(rootCfg, cfgSection, pfx)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	sec := rootCfg.Section(cfgSection)
+	cfgAlg := pfx + "SIGNING_ALGORITHM"
+
+	algorithm := sec.Key(cfgAlg).MustString(defaultAlg)
+
+	cfg := jwtx.SigningKeyCfg{Algorithm: algorithm}
+	var err error
+
+	if jwtx.IsValidSymmetricAlgorithm(algorithm) {
+		cfg.SecretBytes, err = loadSymmeticSigningKeyCfg(rootCfg, sec, pfx)
+	} else if jwtx.IsValidAsymmetricAlgorithm(algorithm) {
+		cfg.PrivateKeyPath = loadAsymmeticSigningKeyPath(sec, pfx, defaultPrivateKeyFile)
+	} else {
+		err = fmt.Errorf("invalid algorithm: %s = %s", cfgAlg, algorithm)
+	}
+
+	return &cfg, err
+}
+
+func loadKeyCfg(rootCfg ConfigProvider, cfgSection, pfx, defaultAlg, defaultPrivateKeyFile string, checks ...checkKeyCfg) (*jwtx.KeyCfg, error) {
+	signing, err := loadSigningKeyCfg(rootCfg, cfgSection, pfx, defaultAlg, defaultPrivateKeyFile, checks...)
+	if err != nil {
+		err = fmt.Errorf("[%s] %v", cfgSection, err)
+		return nil, err
+	}
+	return &jwtx.KeyCfg{Signing: signing}, nil
+}
+
 // generateSaveInternalToken generates and saves the internal token to app.ini
 func generateSaveInternalToken(rootCfg ConfigProvider) {
 	token, err := generate.NewInternalToken()
diff --git a/modules/storage/storage.go b/modules/storage/storage.go
index db081e0768..fe9222060f 100644
--- a/modules/storage/storage.go
+++ b/modules/storage/storage.go
@@ -164,6 +164,7 @@ func initLFS() (err error) {
 		LFS = DiscardStorage("LFS isn't enabled")
 		return nil
 	}
+
 	log.Info("Initialising LFS storage with type: %s", setting.LFS.Storage.Type)
 	LFS, err = NewStorage(setting.LFS.Storage.Type, setting.LFS.Storage)
 	return err
diff --git a/release-notes/11194.md b/release-notes/11194.md
new file mode 100644
index 0000000000..1ca37e04c3
--- /dev/null
+++ b/release-notes/11194.md
@@ -0,0 +1 @@
+Configuration of JSON Web Token (JWT) signing secrets in the `app.ini` file has been unified: `[pfx]SIGNING_ALGORITHM` determines the algorithm, `[pfx]SECRET` is a literal secret for symmetric algorithms, `[pfx]SECRET_URI` is the `file:` uri of a secret for symmetric algorithms `[pfx]SIGNING_PRIVATE_KEY_FILE` is the file with a private key for asymmetric algorithms. For the following configuration keys, the existing behavior is preserved: `[oauth2]` pfx = `JWT_`, `[actions]` pfx = `ID_TOKEN_` only supports asymmetric algorithms. `[server]` pfx = `LFS_JWT_` gained support for asymmetric algorithms. For consistency with `[pfx]SIGNING_PRIVATE_KEY_FILE`, `[pfx]SECRET_URI` now also accepts relative paths.
diff --git a/routers/api/actions/oidc.go b/routers/api/actions/oidc.go
index d824030ca7..20cc44f36a 100644
--- a/routers/api/actions/oidc.go
+++ b/routers/api/actions/oidc.go
@@ -48,7 +48,7 @@ type OIDCContext struct {
 
 func InitOIDC() error {
 	var err error
-	jwtSigningKey, err = jwtx.InitAsymmetricSigningKey(setting.Actions.IDTokenSigningPrivateKeyFile, string(setting.Actions.IDTokenSigningAlgorithm))
+	jwtSigningKey, err = jwtx.InitSigningKey(&setting.Actions.KeyCfg.Signing)
 	if err != nil {
 		return err
 	}
@@ -118,7 +118,7 @@ func OIDCRoutes(prefix string) *web.Route {
 			SubjectTypesSupported:            []string{"public"},
 			ResponseTypesSupported:           []string{"id_token"},
 			ClaimsSupported:                  claimsSupported,
-			IDTokenSigningAlgValuesSupported: []string{string(setting.Actions.IDTokenSigningAlgorithm)},
+			IDTokenSigningAlgValuesSupported: []string{jwtSigningKey.SigningMethod().Alg()},
 			ScopesSupported:                  []string{"openid"},
 		},
 		jwks: map[string][]map[string]string{
diff --git a/services/auth/source/oauth2/init.go b/services/auth/source/oauth2/init.go
index ac7853222c..6e0714b9b5 100644
--- a/services/auth/source/oauth2/init.go
+++ b/services/auth/source/oauth2/init.go
@@ -35,7 +35,7 @@ var DefaultSigningKey jwtx.SigningKey
 // Init initializes the oauth source
 func Init(ctx context.Context) error {
 	var err error
-	DefaultSigningKey, err = jwtx.InitSigningKey(setting.GetGeneralTokenSigningSecret, setting.OAuth2.JWTSigningPrivateKeyFile, setting.OAuth2.JWTSigningAlgorithm)
+	DefaultSigningKey, err = jwtx.InitSigningKey(&setting.OAuth2.KeyCfg.Signing)
 	if err != nil {
 		return err
 	}
diff --git a/services/lfs/server.go b/services/lfs/server.go
index cc8afc2aa8..ef0df4a0ab 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -580,10 +580,11 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 
 func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repository, mode perm.AccessMode) (*user_model.User, error) {
 	token, err := jwt.ParseWithClaims(tokenSHA, &Claims{}, func(t *jwt.Token) (any, error) {
-		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+		k := setting.LFS.SigningKey
+		if t.Method != k.SigningMethod() {
 			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
 		}
-		return setting.LFS.JWTSecretBytes, nil
+		return k.VerifyKey(), nil
 	})
 	if err != nil {
 		return nil, errors.New("invalid token")
diff --git a/services/lfs/server_test.go b/services/lfs/server_test.go
index 13e7e73010..67c93f30bb 100644
--- a/services/lfs/server_test.go
+++ b/services/lfs/server_test.go
@@ -41,18 +41,23 @@ func getLFSAuthTokenWithBearer(opts authTokenOptions) (string, error) {
 		Op:     opts.Op,
 		UserID: opts.UserID,
 	}
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 
 	// Sign and get the complete encoded token as a string using the secret
-	tokenString, err := token.SignedString(setting.LFS.JWTSecretBytes)
+	tokenString, err := setting.LFS.SigningKey.JWT(claims)
 	if err != nil {
 		return "", fmt.Errorf("failed to sign LFS JWT token: %w", err)
 	}
 	return "Bearer " + tokenString, nil
 }
 
-func TestAuthenticate(t *testing.T) {
+func testAuthenticate(t *testing.T, cfg string) {
 	require.NoError(t, unittest.PrepareTestDatabase())
+	var err error
+	setting.CfgProvider, err = setting.NewConfigProviderFromData(cfg)
+	require.NoError(t, err, "Config")
+	setting.LoadCommonSettings()
+	assert.True(t, setting.LFS.StartServer, "LFS_START_SERVER = true")
+	assert.NotNil(t, setting.LFS.SigningKey, "SigningKey initialized")
 	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 
 	token2, _ := getLFSAuthTokenWithBearer(authTokenOptions{Op: "download", UserID: 2, RepoID: 1})
@@ -80,3 +85,30 @@ func TestAuthenticate(t *testing.T) {
 		assert.True(t, authenticate(ctx, repo1, prefixBearer+token2, true, false))
 	})
 }
+
+type namedCfg struct {
+	name, cfg string
+}
+
+var iniCommon = `[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = ForgejoForgejoForgejoForgejoForgejoForgejo_	# don't use in prod
+[oauth2]
+JWT_SECRET = ForgejoForgejoForgejoForgejoForgejoForgejo_	# don't use in prod
+[server]
+LFS_START_SERVER = true
+	`
+
+var cfgVariants = []namedCfg{
+	{name: "HS256_default", cfg: `LFS_JWT_SECRET = ForgejoForgejoForgejoForgejoForgejoForgejo_`},
+	{name: "RS256", cfg: `LFS_JWT_SIGNING_ALGORITHM = RS256`},
+}
+
+func TestAuthenticate(t *testing.T) {
+	// TODO: #11024
+	setting.InstallLock = true
+	for _, v := range cfgVariants {
+		cfg := iniCommon + v.cfg
+		t.Run(v.name, func(t *testing.T) { testAuthenticate(t, cfg) })
+	}
+}
diff --git a/services/repository/lfs_test.go b/services/repository/lfs_test.go
index e38c38e29c..0224b71100 100644
--- a/services/repository/lfs_test.go
+++ b/services/repository/lfs_test.go
@@ -21,11 +21,25 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+var ini = `[security]
+INSTALL_LOCK = true
+INTERNAL_TOKEN = ForgejoForgejoForgejoForgejoForgejoForgejo_	# don't use in prod
+[oauth2]
+JWT_SECRET = ForgejoForgejoForgejoForgejoForgejoForgejo_	# don't use in prod
+[server]
+LFS_START_SERVER = true
+LFS_JWT_SECRET = ForgejoForgejoForgejoForgejoForgejoForgejo_	# don't use in prod
+	`
+
 func TestGarbageCollectLFSMetaObjects(t *testing.T) {
+	var err error
+	setting.CfgProvider, err = setting.NewConfigProviderFromData(ini)
+	require.NoError(t, err, "Config")
+	setting.LoadCommonSettings()
+
 	unittest.PrepareTestEnv(t)
 
-	setting.LFS.StartServer = true
-	err := storage.Init()
+	err = storage.Init()
 	require.NoError(t, err)
 
 	repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "lfs")

From 529b14291dd859cf51a1c20de6fbf5ca15efffd0 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 21 Apr 2026 19:49:54 +0200
Subject: [PATCH 156/287] Update dependency clippie to v4.1.14 (forgejo)
 (#12209)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12209
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a2adf74362..819f398d2b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -43,7 +43,7 @@
         "chart.js": "4.5.1",
         "chartjs-adapter-dayjs-4": "1.0.4",
         "chartjs-plugin-zoom": "2.2.0",
-        "clippie": "4.1.13",
+        "clippie": "4.1.14",
         "css-loader": "7.1.3",
         "dayjs": "1.11.19",
         "dropzone": "6.0.0-beta.2",
@@ -6362,9 +6362,9 @@
       }
     },
     "node_modules/clippie": {
-      "version": "4.1.13",
-      "resolved": "https://registry.npmjs.org/clippie/-/clippie-4.1.13.tgz",
-      "integrity": "sha512-0ofIc4H35mzuxkojnpUmDzWneL8XrGWuO3RbHbXmDdebzJYp2q8zIhenc85LMedIOoCuzWtFTqkOJETv2QYN7g==",
+      "version": "4.1.14",
+      "resolved": "https://registry.npmjs.org/clippie/-/clippie-4.1.14.tgz",
+      "integrity": "sha512-VMyejKiX9jtz57BP2YLZeH+662xKTlIAXBoaHVXdtuuDiSd2D1z/0GyclLGX4POXKK03/vYB6cHVWlSLDI2YBw==",
       "license": "BSD-2-Clause"
     },
     "node_modules/cliui": {
diff --git a/package.json b/package.json
index a3bb47d52d..e89587c8e7 100644
--- a/package.json
+++ b/package.json
@@ -42,7 +42,7 @@
     "chart.js": "4.5.1",
     "chartjs-adapter-dayjs-4": "1.0.4",
     "chartjs-plugin-zoom": "2.2.0",
-    "clippie": "4.1.13",
+    "clippie": "4.1.14",
     "css-loader": "7.1.3",
     "dayjs": "1.11.19",
     "dropzone": "6.0.0-beta.2",

From 4001ab027a2e26ca60465fd240813092aa3f73b4 Mon Sep 17 00:00:00 2001
From: zokki <zokki.softwareschmiede@gmail.com>
Date: Tue, 21 Apr 2026 19:55:16 +0200
Subject: [PATCH 157/287] fix: secret name-prefix regex (#12213)

Fixes: #12212
Sorry for this bug, I introduced it by not testing !10682 better. Now the `forbiddenPrefixPattern`-regex is compliant to the docu:
```
It cannot start with FORGEJO_, GITEA_, GITHUB_, or a number.
```

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12213
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: zokki <zokki.softwareschmiede@gmail.com>
Co-committed-by: zokki <zokki.softwareschmiede@gmail.com>
---
 models/secret/secret.go      | 2 +-
 models/secret/secret_test.go | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/models/secret/secret.go b/models/secret/secret.go
index 911d94d78a..758f346f22 100644
--- a/models/secret/secret.go
+++ b/models/secret/secret.go
@@ -20,7 +20,7 @@ import (
 
 var (
 	namePattern            = regexp.MustCompile("(?i)^[A-Z_][A-Z0-9_]*$")
-	forbiddenPrefixPattern = regexp.MustCompile("(?i)^FORGEJO_|GITEA_|GITHUB_")
+	forbiddenPrefixPattern = regexp.MustCompile("(?i)^(FORGEJO_|GITEA_|GITHUB_|[0-9])")
 
 	ErrInvalidName = util.NewInvalidArgumentErrorf("invalid secret name")
 )
diff --git a/models/secret/secret_test.go b/models/secret/secret_test.go
index 5c54b25967..e323986084 100644
--- a/models/secret/secret_test.go
+++ b/models/secret/secret_test.go
@@ -257,12 +257,18 @@ func TestSecretValidateName(t *testing.T) {
 		valid bool
 	}{
 		{"FORGEJO_", false},
+		{"PRE_FORGEJO_", true},
+		{"PRE_FORGEJO_SUF", true},
 		{"FORGEJO_123", false},
 		{"FORGEJO_ABC", false},
 		{"GITEA_", false},
+		{"PRE_GITEA_", true},
+		{"PRE_GITEA_SUF", true},
 		{"GITEA_123", false},
 		{"GITEA_ABC", false},
 		{"GITHUB_", false},
+		{"PRE_GITHUB_", true},
+		{"PRE_GITHUB_SUF", true},
 		{"GITHUB_123", false},
 		{"GITHUB_ABC", false},
 		{"123_TEST", false},

From 1b6fe54e08cec1bc67c9133a14d12c604f4d0fec Mon Sep 17 00:00:00 2001
From: Beowulf <beowulf@beocode.eu>
Date: Tue, 21 Apr 2026 21:16:57 +0200
Subject: [PATCH 158/287] fix(e2e): improve org-members, issue-sidebar and
 runner-management test (#12164)

Followup to https://codeberg.org/forgejo/forgejo/pulls/11848

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12164
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Beowulf <beowulf@beocode.eu>
Co-committed-by: Beowulf <beowulf@beocode.eu>
---
 tests/e2e/issue-sidebar.test.e2e.ts     |  5 ++---
 tests/e2e/org-members.test.e2e.ts       | 17 +++++++++++++++--
 tests/e2e/runner-management.test.e2e.ts |  9 ++++++---
 3 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/tests/e2e/issue-sidebar.test.e2e.ts b/tests/e2e/issue-sidebar.test.e2e.ts
index cf3fe607d2..d785a19e18 100644
--- a/tests/e2e/issue-sidebar.test.e2e.ts
+++ b/tests/e2e/issue-sidebar.test.e2e.ts
@@ -25,6 +25,8 @@ test.describe('Pull: Toggle WIP', () => {
   }
 
   async function check_wip({page}: {page: Page}, is: boolean) {
+    await page.waitForLoadState();
+
     const elemTitle = 'h1';
     const stateLabel = '.issue-state-label';
     await page.waitForLoadState('domcontentloaded');
@@ -66,7 +68,6 @@ test.describe('Pull: Toggle WIP', () => {
   });
 
   test('manual edit', async ({page}) => {
-    await page.goto('/user2/repo1/pulls/5');
     // manually edit title to another prefix
     await page.locator('#issue-title-edit-show').click();
     await page.locator('#issue-title-editor input').fill(`[WIP] ${prTitle}`);
@@ -78,7 +79,6 @@ test.describe('Pull: Toggle WIP', () => {
   });
 
   test('maximum title length', async ({page}) => {
-    await page.goto('/user2/repo1/pulls/5');
     // check maximum title length is handled gracefully
     const maxLenStr = prTitle + 'a'.repeat(240);
     await page.locator('#issue-title-edit-show').click();
@@ -95,7 +95,6 @@ test.describe('Pull: Toggle WIP', () => {
   });
 
   test('wip prefix casing', async ({page}) => {
-    await page.goto('/user2/repo1/pulls/5');
     await setTitle({page}, `wIP:${prTitle}`);
     await expect(page.locator('h1')).toContainText(`wIP:${prTitle}`);
     await check_wip({page}, true);
diff --git a/tests/e2e/org-members.test.e2e.ts b/tests/e2e/org-members.test.e2e.ts
index 7be6714639..69f2f31f8a 100644
--- a/tests/e2e/org-members.test.e2e.ts
+++ b/tests/e2e/org-members.test.e2e.ts
@@ -29,6 +29,8 @@ test('Toggle visibility', async ({page}) => {
 
   // Revert for repeatability
   await showUser2.click();
+  await expect(hideUser2).toBeVisible();
+  await expect(showUser2).toBeHidden();
 });
 
 test('Leave org', async ({page}) => {
@@ -50,7 +52,7 @@ test('Leave org', async ({page}) => {
   await expect(page.locator('.flash-error').getByText('You cannot remove the last user from the "owners" team.')).toBeVisible();
 });
 
-test('Add a new member to the org', async ({page}) => {
+test('Add and remove a new member to the org', async ({page}) => {
   page.goto('/org/org3/members');
 
   // Click the "Add member" button
@@ -72,6 +74,17 @@ test('Add a new member to the org', async ({page}) => {
   // Click the button
   await page.locator('#add-member-modal .actions button.ok').click();
 
-  // Getting error is enough to know that the correct request went though
+  // Verify that the user was added
   await expect(page.locator('.organization.members .list a').getByText('user5 (User Five)')).toBeVisible();
+
+  // Revert for repeatability
+  const removeButton = page.locator('.delete-button[data-url="/org/org3/members/action/remove"][data-datauid="5"]');
+  await expect(async () => {
+    await removeButton.click();
+    // A confirmation modal will appear
+    await expect(page.locator('.modal#remove-organization-member')).toBeVisible();
+    // Proceed removing from the org
+    await page.locator('.modal#remove-organization-member .actions button.ok').click();
+    await expect(page.locator('.organization.members .list a').getByText('user5 (User Five)')).toBeHidden();
+  }).toPass();
 });
diff --git a/tests/e2e/runner-management.test.e2e.ts b/tests/e2e/runner-management.test.e2e.ts
index 1dba606a1b..c7211dbe05 100644
--- a/tests/e2e/runner-management.test.e2e.ts
+++ b/tests/e2e/runner-management.test.e2e.ts
@@ -125,9 +125,12 @@ test.describe('Runners of user2', () => {
     const runnerUUID = await page.evaluate(() => navigator.clipboard.readText());
     expect(runnerUUID).toMatch(uuidPattern);
 
-    await page.getByRole('button', {name: 'Copy runner token'}).click();
-    const runnerToken = await page.evaluate(() => navigator.clipboard.readText());
-    expect(runnerToken).toMatch(tokenPattern);
+    let runnerToken;
+    await expect(async () => {
+      await page.getByRole('button', {name: 'Copy runner token'}).click();
+      runnerToken = await page.evaluate(() => navigator.clipboard.readText());
+      expect(runnerToken).toMatch(tokenPattern);
+    }).toPass();
 
     await expect(page.getByRole('term')).toHaveText(['UUID', 'Token']);
     await expect(page.getByRole('definition')).toContainText([runnerUUID, runnerToken]);

From 2ed98ac848a3b25d0be5d365535c64a14a7a6476 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Wed, 22 Apr 2026 13:41:25 +0200
Subject: [PATCH 159/287] fix: resolve outer workflow call to success, not
 failure, on inner job skip (#12224)

If one or more of a workflow expansion's inner jobs are status "skipped", consider that as a success, rather than a failure.  Fixes https://code.forgejo.org/forgejo/runner/issues/1490.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12224
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 services/actions/job_emitter.go      |  7 +++--
 services/actions/job_emitter_test.go | 42 ++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/services/actions/job_emitter.go b/services/actions/job_emitter.go
index 593e17517a..0a9c297033 100644
--- a/services/actions/job_emitter.go
+++ b/services/actions/job_emitter.go
@@ -192,7 +192,7 @@ func (r *jobStatusResolver) resolve() map[int64]actions_model.Status {
 		if status != actions_model.StatusBlocked {
 			continue
 		}
-		allDone, allSucceed := true, true
+		allDone, allSucceed, allSucceedOrSkip := true, true, true
 		for _, need := range r.needs[id] {
 			needStatus := r.statuses[need]
 			if !needStatus.IsDone() {
@@ -201,13 +201,16 @@ func (r *jobStatusResolver) resolve() map[int64]actions_model.Status {
 			if needStatus.In(actions_model.StatusFailure, actions_model.StatusCancelled, actions_model.StatusSkipped) {
 				allSucceed = false
 			}
+			if needStatus.In(actions_model.StatusFailure, actions_model.StatusCancelled) {
+				allSucceedOrSkip = false
+			}
 		}
 		if allDone {
 			if isWorkflowCallOuterJob, _ := r.jobMap[id].IsWorkflowCallOuterJob(); isWorkflowCallOuterJob {
 				// If the dependent job was a workflow call outer job, then options aren't waiting/skipped, but rather
 				// success/failure.  checkJobsOfRun will do additional work in these cases to "finish" the workflow call
 				// job as well.
-				if allSucceed {
+				if allSucceedOrSkip {
 					isIncompleteMatrix, _, _ := r.jobMap[id].HasIncompleteMatrix()
 					isIncompleteWith, _, _, _ := r.jobMap[id].HasIncompleteWith()
 					if isIncompleteMatrix || isIncompleteWith {
diff --git a/services/actions/job_emitter_test.go b/services/actions/job_emitter_test.go
index 44e9163102..a7e3b7467b 100644
--- a/services/actions/job_emitter_test.go
+++ b/services/actions/job_emitter_test.go
@@ -146,6 +146,27 @@ jobs:
 					`
 name: test
 on: push
+jobs:
+  job2:
+    if: false
+    uses: ./.forgejo/workflows/reusable.yml
+__metadata:
+  workflow_call_id: b5a9f46f1f2513d7777fde50b169d323a6519e349cc175484c947ac315a209ed
+`)},
+			},
+			want: map[int64]actions_model.Status{
+				3: actions_model.StatusSuccess,
+			},
+		},
+		{
+			name: "unblocked workflow call outer job with success and skip",
+			jobs: actions_model.ActionJobList{
+				{ID: 1, JobID: "job1.innerjob1", Status: actions_model.StatusSuccess, Needs: []string{}},
+				{ID: 2, JobID: "job1.innerjob2", Status: actions_model.StatusSkipped, Needs: []string{}},
+				{ID: 3, JobID: "job1", Status: actions_model.StatusBlocked, Needs: []string{"job1.innerjob1", "job1.innerjob2"}, WorkflowPayload: []byte(
+					`
+name: test
+on: push
 jobs:
   job2:
     if: false
@@ -219,6 +240,27 @@ __metadata:
 					`
 name: test
 on: push
+jobs:
+  job2:
+    if: false
+    uses: ./.forgejo/workflows/reusable.yml
+__metadata:
+  workflow_call_id: b5a9f46f1f2513d7777fde50b169d323a6519e349cc175484c947ac315a209ed
+`)},
+			},
+			want: map[int64]actions_model.Status{
+				3: actions_model.StatusFailure,
+			},
+		},
+		{
+			name: "unblocked workflow call outer job with internal failure",
+			jobs: actions_model.ActionJobList{
+				{ID: 1, JobID: "job1.innerjob1", Status: actions_model.StatusSkipped, Needs: []string{}},
+				{ID: 2, JobID: "job1.innerjob2", Status: actions_model.StatusFailure, Needs: []string{}},
+				{ID: 3, JobID: "job1", Status: actions_model.StatusBlocked, Needs: []string{"job1.innerjob1", "job1.innerjob2"}, WorkflowPayload: []byte(
+					`
+name: test
+on: push
 jobs:
   job2:
     if: false

From 1ddd5faa5cf554829f2cab3a237dc004950c630b Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Wed, 22 Apr 2026 21:00:26 +0200
Subject: [PATCH 160/287] refactor: change authentication to return structured
 data (#12202)

Currently authentication methods return information in two forms: they return who was authenticated as a `*user_model.User`, and then they insert key-values into `ctx.Data` which has critical impact on how the authenticated request is treated.  This PR changes the authentication methods to return structured data in the form of an `AuthenticationResult`, with all the key-value information in `ctx.Data` being moved into methods on the `AuthenticationResult` interface.

Authentication workflows in Forgejo are a real mess.  This is the first step in trying to clean it up and make the code predictable and reasonable, and is both follow-up work that was identified from the repo-specific access tokens (where the `"ApiTokenReducer"` key-value was added), and is pre-requisite work to future JWT enhancements that are [being discussed](https://codeberg.org/forgejo/forgejo/issues/3571#issuecomment-13268004).

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
  - All changes, at least in theory, are refactors of existing logic and are not expected to have functional deviations -- existing regression tests are the only planned testing.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12202
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 .golangci.yml                                 | 15 ---
 routers/api/packages/api.go                   | 96 ++++++++++---------
 routers/api/packages/chef/auth.go             | 18 +++-
 routers/api/packages/conan/auth.go            | 31 ++++--
 routers/api/packages/conan/conan.go           |  3 +-
 routers/api/packages/container/auth.go        | 31 ++++--
 routers/api/packages/container/container.go   |  3 +-
 routers/api/packages/nuget/auth.go            | 20 +++-
 routers/api/shared/middleware.go              | 37 +++----
 routers/api/v1/api.go                         | 15 ++-
 routers/common/auth.go                        | 28 +++---
 routers/init.go                               |  4 +-
 routers/web/auth/auth.go                      |  3 +-
 routers/web/auth/linkaccount.go               |  4 +-
 routers/web/auth/oauth.go                     |  6 +-
 routers/web/auth/openid.go                    |  3 +-
 routers/web/repo/githttp.go                   |  5 +-
 routers/web/user/setting/account.go           |  4 +-
 routers/web/web.go                            | 23 +++--
 services/auth/interface.go                    | 76 +++++++++++++--
 .../{ => method}/additional_scopes_test.go    |  2 +-
 services/auth/{ => method}/auth.go            |  5 +-
 .../auth/method/auth_result_accesstoken.go    | 33 +++++++
 .../auth/method/auth_result_actionstask.go    | 31 ++++++
 .../auth/method/auth_result_basicpassword.go  | 24 +++++
 services/auth/method/auth_result_httpsign.go  | 20 ++++
 services/auth/method/auth_result_oauth.go     | 31 ++++++
 .../auth/method/auth_result_reverseproxy.go   | 24 +++++
 services/auth/method/auth_result_session.go   | 20 ++++
 services/auth/{ => method}/auth_test.go       |  2 +-
 services/auth/{ => method}/basic.go           | 49 ++++------
 services/auth/{ => method}/group.go           | 45 ++++-----
 services/auth/{ => method}/httpsign.go        | 25 ++---
 services/auth/method/main_test.go             | 14 +++
 services/auth/{ => method}/oauth2.go          | 87 +++++++++--------
 services/auth/{ => method}/oauth2_test.go     | 19 ++--
 services/auth/{ => method}/reverseproxy.go    | 23 ++---
 .../auth/{ => method}/reverseproxy_test.go    |  2 +-
 services/auth/{ => method}/session.go         | 22 ++---
 services/auth/{ => method}/signin.go          |  7 +-
 services/context/api.go                       |  7 +-
 services/context/context.go                   |  9 +-
 services/context/permission.go                | 14 +--
 services/lfs/server.go                        |  3 +-
 tests/integration/api_packages_chef_test.go   | 25 ++---
 45 files changed, 620 insertions(+), 348 deletions(-)
 rename services/auth/{ => method}/additional_scopes_test.go (98%)
 rename services/auth/{ => method}/auth.go (97%)
 create mode 100644 services/auth/method/auth_result_accesstoken.go
 create mode 100644 services/auth/method/auth_result_actionstask.go
 create mode 100644 services/auth/method/auth_result_basicpassword.go
 create mode 100644 services/auth/method/auth_result_httpsign.go
 create mode 100644 services/auth/method/auth_result_oauth.go
 create mode 100644 services/auth/method/auth_result_reverseproxy.go
 create mode 100644 services/auth/method/auth_result_session.go
 rename services/auth/{ => method}/auth_test.go (99%)
 rename services/auth/{ => method}/basic.go (81%)
 rename services/auth/{ => method}/group.go (52%)
 rename services/auth/{ => method}/httpsign.go (94%)
 create mode 100644 services/auth/method/main_test.go
 rename services/auth/{ => method}/oauth2.go (76%)
 rename services/auth/{ => method}/oauth2_test.go (87%)
 rename services/auth/{ => method}/reverseproxy.go (93%)
 rename services/auth/{ => method}/reverseproxy_test.go (99%)
 rename services/auth/{ => method}/session.go (77%)
 rename services/auth/{ => method}/signin.go (94%)

diff --git a/.golangci.yml b/.golangci.yml
index b16bb8beb2..5fa6c13860 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -347,21 +347,6 @@ linters:
       - path: services/actions/trust.go
         linters:
           - nilnil
-      - path: services/auth/basic.go
-        linters:
-          - nilnil
-      - path: services/auth/httpsign.go
-        linters:
-          - nilnil
-      - path: services/auth/oauth2.go
-        linters:
-          - nilnil
-      - path: services/auth/reverseproxy.go
-        linters:
-          - nilnil
-      - path: services/auth/session.go
-        linters:
-          - nilnil
       - path: services/contexttest/context_tests.go
         linters:
           - nilnil
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index 0b46cc66b0..2163badb49 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -38,48 +38,46 @@ import (
 	"forgejo.org/routers/api/packages/swift"
 	"forgejo.org/routers/api/packages/vagrant"
 	"forgejo.org/services/auth"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/context"
 )
 
 func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
 	return func(ctx *context.Context) {
-		if ctx.Data["IsApiToken"] == true {
-			scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
-			if ok { // it's a personal access token but not oauth2 token
-				scopeMatched := false
-				var err error
-				switch accessMode {
-				case perm.AccessModeRead:
-					scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopeReadPackage)
-					if err != nil {
-						ctx.Error(http.StatusInternalServerError, "HasScope", err.Error())
-						return
-					}
-				case perm.AccessModeWrite:
-					scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopeWritePackage)
-					if err != nil {
-						ctx.Error(http.StatusInternalServerError, "HasScope", err.Error())
-						return
-					}
-				}
-				if !scopeMatched {
-					ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea Package API"`)
-					ctx.Error(http.StatusUnauthorized, "reqPackageAccess", "user should have specific permission or be a site admin")
-					return
-				}
-
-				// check if scope only applies to public resources
-				publicOnly, err := scope.PublicOnly()
+		if hasScope, scope := ctx.Authentication.Scope().Get(); hasScope {
+			scopeMatched := false
+			var err error
+			switch accessMode {
+			case perm.AccessModeRead:
+				scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopeReadPackage)
 				if err != nil {
-					ctx.Error(http.StatusForbidden, "tokenRequiresScope", "parsing public resource scope failed: "+err.Error())
+					ctx.Error(http.StatusInternalServerError, "HasScope", err.Error())
 					return
 				}
+			case perm.AccessModeWrite:
+				scopeMatched, err = scope.HasScope(auth_model.AccessTokenScopeWritePackage)
+				if err != nil {
+					ctx.Error(http.StatusInternalServerError, "HasScope", err.Error())
+					return
+				}
+			}
+			if !scopeMatched {
+				ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea Package API"`)
+				ctx.Error(http.StatusUnauthorized, "reqPackageAccess", "user should have specific permission or be a site admin")
+				return
+			}
 
-				if publicOnly {
-					if ctx.Package != nil && ctx.Package.Owner.Visibility.IsPrivate() {
-						ctx.Error(http.StatusForbidden, "reqToken", "token scope is limited to public packages")
-						return
-					}
+			// check if scope only applies to public resources
+			publicOnly, err := scope.PublicOnly()
+			if err != nil {
+				ctx.Error(http.StatusForbidden, "tokenRequiresScope", "parsing public resource scope failed: "+err.Error())
+				return
+			}
+
+			if publicOnly {
+				if ctx.Package != nil && ctx.Package.Owner.Visibility.IsPrivate() {
+					ctx.Error(http.StatusForbidden, "reqToken", "token scope is limited to public packages")
+					return
 				}
 			}
 		}
@@ -116,38 +114,48 @@ func enforcePackagesQuota() func(ctx *context.Context) {
 
 func verifyAuth(r *web.Route, authMethods []auth.Method) {
 	if setting.Service.EnableReverseProxyAuth {
-		authMethods = append(authMethods, &auth.ReverseProxy{})
+		authMethods = append(authMethods, &auth_method.ReverseProxy{})
 	}
-	authGroup := auth.NewGroup(authMethods...)
+	authGroup := auth_method.NewGroup(authMethods...)
 
 	r.Use(func(ctx *context.Context) {
-		var err error
-		ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+		authResult, err := authGroup.Verify(ctx.Req, ctx.Resp, ctx.Session)
 		if err != nil {
 			log.Info("Failed to verify user: %v", err)
 			ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
 			return
 		}
+		if authResult == nil {
+			ctx.Error(http.StatusInternalServerError, "verifyAuth nil authentication result")
+			return
+		}
+		ctx.Doer = authResult.User()
 		ctx.IsSigned = ctx.Doer != nil
+		ctx.Authentication = authResult
 	})
 }
 
 func verifyContainerAuth(r *web.Route, authMethods []auth.Method) {
 	if setting.Service.EnableReverseProxyAuth {
-		authMethods = append(authMethods, &auth.ReverseProxy{})
+		authMethods = append(authMethods, &auth_method.ReverseProxy{})
 	}
-	authGroup := auth.NewGroup(authMethods...)
+	authGroup := auth_method.NewGroup(authMethods...)
 
 	r.Use(func(ctx *context.Context) {
-		var err error
-		ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+		authResult, err := authGroup.Verify(ctx.Req, ctx.Resp, ctx.Session)
 		if err != nil {
 			log.Info("Failed to verify user: %v", err)
 			container.APIUnauthorizedError(ctx)
 			ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
 			return
 		}
+		if authResult == nil {
+			ctx.Error(http.StatusInternalServerError, "verifyContainerAuth nil authentication result")
+			return
+		}
+		ctx.Doer = authResult.User()
 		ctx.IsSigned = ctx.Doer != nil
+		ctx.Authentication = authResult
 	})
 }
 
@@ -159,8 +167,8 @@ func CommonRoutes() *web.Route {
 	r.Use(context.PackageContexter())
 
 	verifyAuth(r, []auth.Method{
-		&auth.OAuth2{},
-		&auth.Basic{},
+		&auth_method.OAuth2{},
+		&auth_method.Basic{},
 		&nuget.Auth{},
 		&conan.Auth{},
 		&chef.Auth{},
@@ -804,7 +812,7 @@ func ContainerRoutes() *web.Route {
 
 	r.Use(context.PackageContexter())
 
-	verifyContainerAuth(r, []auth.Method{&auth.Basic{}, &container.Auth{}})
+	verifyContainerAuth(r, []auth.Method{&auth_method.Basic{}, &container.Auth{}})
 
 	r.Get("", container.ReqContainerAccess, container.DetermineSupport)
 	r.Group("/token", func() {
diff --git a/routers/api/packages/chef/auth.go b/routers/api/packages/chef/auth.go
index 62523df02d..b9ff4b25f8 100644
--- a/routers/api/packages/chef/auth.go
+++ b/routers/api/packages/chef/auth.go
@@ -39,9 +39,19 @@ var (
 	versionPattern       = regexp.MustCompile(`version=(\d+\.\d+)`)
 	authorizationPattern = regexp.MustCompile(`\AX-Ops-Authorization-(\d+)`)
 
-	_ auth.Method = &Auth{}
+	_ auth.Method               = &Auth{}
+	_ auth.AuthenticationResult = &chefAuthenticationResult{}
 )
 
+type chefAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user *user_model.User
+}
+
+func (r *chefAuthenticationResult) User() *user_model.User {
+	return r.user
+}
+
 // Documentation:
 // https://docs.chef.io/server/api_chef_server/#required-headers
 // https://github.com/chef-boneyard/chef-rfc/blob/master/rfc065-sign-v1.3.md
@@ -55,13 +65,13 @@ func (a *Auth) Name() string {
 
 // Verify extracts the user from the signed request
 // If the request is signed with the user private key the user is verified.
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
+func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
 	u, err := getUserFromRequest(req)
 	if err != nil {
 		return nil, err
 	}
 	if u == nil {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	pub, err := getUserPublicKey(req.Context(), u)
@@ -82,7 +92,7 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 		return nil, err
 	}
 
-	return u, nil
+	return &chefAuthenticationResult{user: u}, nil
 }
 
 func getUserFromRequest(req *http.Request) (*user_model.User, error) {
diff --git a/routers/api/packages/conan/auth.go b/routers/api/packages/conan/auth.go
index 1f5af77304..df0283167f 100644
--- a/routers/api/packages/conan/auth.go
+++ b/routers/api/packages/conan/auth.go
@@ -6,13 +6,32 @@ package conan
 import (
 	"net/http"
 
+	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
 	"forgejo.org/services/auth"
 	"forgejo.org/services/packages"
 )
 
-var _ auth.Method = &Auth{}
+var (
+	_ auth.Method               = &Auth{}
+	_ auth.AuthenticationResult = &conanAuthenticationResult{}
+)
+
+type conanAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user  *user_model.User
+	scope optional.Option[auth_model.AccessTokenScope]
+}
+
+func (r *conanAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
+	return r.scope
+}
+
+func (r *conanAuthenticationResult) User() *user_model.User {
+	return r.user
+}
 
 type Auth struct{}
 
@@ -21,7 +40,7 @@ func (a *Auth) Name() string {
 }
 
 // Verify extracts the user from the Bearer token
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
+func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
 	uid, scope, err := packages.ParseAuthorizationToken(req)
 	if err != nil {
 		log.Trace("ParseAuthorizationToken: %v", err)
@@ -29,13 +48,13 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 	}
 
 	if uid == 0 {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	// Propagate scope of the authorization token.
+	authScope := optional.None[auth_model.AccessTokenScope]()
 	if scope != "" {
-		store.GetData()["IsApiToken"] = true
-		store.GetData()["ApiTokenScope"] = scope
+		authScope = optional.Some(scope)
 	}
 
 	u, err := user_model.GetUserByID(req.Context(), uid)
@@ -44,5 +63,5 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 		return nil, err
 	}
 
-	return u, nil
+	return &conanAuthenticationResult{user: u, scope: authScope}, nil
 }
diff --git a/routers/api/packages/conan/conan.go b/routers/api/packages/conan/conan.go
index 3a95a883c5..cc894aec2f 100644
--- a/routers/api/packages/conan/conan.go
+++ b/routers/api/packages/conan/conan.go
@@ -11,7 +11,6 @@ import (
 	"strings"
 	"time"
 
-	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	packages_model "forgejo.org/models/packages"
 	conan_model "forgejo.org/models/packages/conan"
@@ -119,7 +118,7 @@ func Authenticate(ctx *context.Context) {
 	}
 
 	// If there's an API scope, ensure it propagates.
-	scope, _ := ctx.Data.GetData()["ApiTokenScope"].(auth_model.AccessTokenScope)
+	scope := ctx.Authentication.Scope().ValueOrZeroValue()
 
 	token, err := packages_service.CreateAuthorizationToken(ctx.Doer, scope)
 	if err != nil {
diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/container/auth.go
index 71c237326e..67310de948 100644
--- a/routers/api/packages/container/auth.go
+++ b/routers/api/packages/container/auth.go
@@ -6,13 +6,32 @@ package container
 import (
 	"net/http"
 
+	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
 	"forgejo.org/services/auth"
 	"forgejo.org/services/packages"
 )
 
-var _ auth.Method = &Auth{}
+var (
+	_ auth.Method               = &Auth{}
+	_ auth.AuthenticationResult = &containerAuthenticationResult{}
+)
+
+type containerAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user  *user_model.User
+	scope optional.Option[auth_model.AccessTokenScope]
+}
+
+func (r *containerAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
+	return r.scope
+}
+
+func (r *containerAuthenticationResult) User() *user_model.User {
+	return r.user
+}
 
 type Auth struct{}
 
@@ -22,7 +41,7 @@ func (a *Auth) Name() string {
 
 // Verify extracts the user from the Bearer token
 // If it's an anonymous session a ghost user is returned
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
+func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
 	uid, scope, err := packages.ParseAuthorizationToken(req)
 	if err != nil {
 		log.Trace("ParseAuthorizationToken: %v", err)
@@ -30,13 +49,13 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 	}
 
 	if uid == 0 {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	// Propagate scope of the authorization token.
+	authScope := optional.None[auth_model.AccessTokenScope]()
 	if scope != "" {
-		store.GetData()["IsApiToken"] = true
-		store.GetData()["ApiTokenScope"] = scope
+		authScope = optional.Some(scope)
 	}
 
 	u, err := user_model.GetPossibleUserByID(req.Context(), uid)
@@ -45,5 +64,5 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 		return nil, err
 	}
 
-	return u, nil
+	return &containerAuthenticationResult{user: u, scope: authScope}, nil
 }
diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go
index 6781f511c8..eb81773b4c 100644
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
@@ -13,7 +13,6 @@ import (
 	"regexp"
 	"strconv"
 
-	auth_model "forgejo.org/models/auth"
 	packages_model "forgejo.org/models/packages"
 	container_model "forgejo.org/models/packages/container"
 	user_model "forgejo.org/models/user"
@@ -158,7 +157,7 @@ func Authenticate(ctx *context.Context) {
 	}
 
 	// If there's an API scope, ensure it propagates.
-	scope, _ := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
+	scope := ctx.Authentication.Scope().ValueOrZeroValue()
 
 	token, err := packages_service.CreateAuthorizationToken(u, scope)
 	if err != nil {
diff --git a/routers/api/packages/nuget/auth.go b/routers/api/packages/nuget/auth.go
index 139f84a0c6..c33799734c 100644
--- a/routers/api/packages/nuget/auth.go
+++ b/routers/api/packages/nuget/auth.go
@@ -12,6 +12,20 @@ import (
 	"forgejo.org/services/auth"
 )
 
+var (
+	_ auth.Method               = &Auth{}
+	_ auth.AuthenticationResult = &nugetAuthenticationResult{}
+)
+
+type nugetAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user *user_model.User
+}
+
+func (r *nugetAuthenticationResult) User() *user_model.User {
+	return r.user
+}
+
 var _ auth.Method = &Auth{}
 
 type Auth struct{}
@@ -21,14 +35,14 @@ func (a *Auth) Name() string {
 }
 
 // https://docs.microsoft.com/en-us/nuget/api/package-publish-resource#request-parameters
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataStore, sess auth.SessionStore) (*user_model.User, error) {
+func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
 	token, err := auth_model.GetAccessTokenBySHA(req.Context(), req.Header.Get("X-NuGet-ApiKey"))
 	if err != nil {
 		if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
 			log.Error("GetAccessTokenBySHA: %v", err)
 			return nil, err
 		}
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	u, err := user_model.GetUserByID(req.Context(), token.UID)
@@ -41,5 +55,5 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, store auth.DataS
 		log.Error("UpdateLastUsed:  %v", err)
 	}
 
-	return u, nil
+	return &nugetAuthenticationResult{user: u}, nil
 }
diff --git a/routers/api/shared/middleware.go b/routers/api/shared/middleware.go
index f657dae026..7e935970ec 100644
--- a/routers/api/shared/middleware.go
+++ b/routers/api/shared/middleware.go
@@ -4,6 +4,7 @@
 package shared
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 
@@ -12,6 +13,7 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/routers/common"
 	"forgejo.org/services/auth"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/authz"
 	"forgejo.org/services/context"
 
@@ -43,14 +45,14 @@ func Middlewares() (stack []any) {
 	)
 }
 
-func buildAuthGroup() *auth.Group {
-	group := auth.NewGroup(
-		&auth.OAuth2{},
-		&auth.HTTPSign{},
-		&auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
+func buildAuthGroup() *auth_method.Group {
+	group := auth_method.NewGroup(
+		&auth_method.OAuth2{},
+		&auth_method.HTTPSign{},
+		&auth_method.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
 	)
 	if setting.Service.EnableReverseProxyAuthAPI {
-		group.Add(&auth.ReverseProxy{})
+		group.Add(&auth_method.ReverseProxy{})
 	}
 
 	return group
@@ -63,15 +65,18 @@ func apiAuthentication(authMethod auth.Method) func(*context.APIContext) {
 			ctx.Error(http.StatusUnauthorized, "APIAuth", err)
 			return
 		}
-		ctx.Doer = ar.Doer
-		ctx.IsSigned = ar.Doer != nil
-		ctx.IsBasicAuth = ar.IsBasicAuth
+		if ar == nil {
+			ctx.Error(http.StatusInternalServerError, "apiAuthentication nil authentication result", errors.New("nil authentication result"))
+			return
+		}
+		ctx.Doer = ar.User()
+		ctx.IsSigned = ctx.Doer != nil
+		ctx.Authentication = ar
 	}
 }
 
 func apiAuthorization(ctx *context.APIContext) {
-	scope, scopeExists := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
-	if scopeExists {
+	if hasScope, scope := ctx.Authentication.Scope().Get(); hasScope {
 		publicOnly, err := scope.PublicOnly()
 		if err != nil {
 			ctx.Error(http.StatusForbidden, "tokenRequiresScope", "parsing public resource scope failed: "+err.Error())
@@ -80,13 +85,13 @@ func apiAuthorization(ctx *context.APIContext) {
 		ctx.PublicOnly = publicOnly
 	}
 
-	reducer, reducerExists := ctx.Data["ApiTokenReducer"].(authz.AuthorizationReducer)
-	if reducerExists {
+	reducer := ctx.Authentication.Reducer()
+	if reducer != nil {
 		ctx.Reducer = reducer
 	} else {
-		// No "ApiTokenReducer" will be populated if the auth method wasn't an PAT.  In this case, we populate
-		// `ctx.Reducer` so no nil checks are needed, and we respect the scope `PublicOnly()` so that it it's safe to
-		// just rely on `ctx.Reducer` to account for public-only access:
+		// No Reducer will be populated if the auth method wasn't an PAT.  In this case, we populate `ctx.Reducer` so no
+		// nil checks are needed, and we respect the scope `PublicOnly()` so that it it's safe to just rely on
+		// `ctx.Reducer` to account for public-only access:
 		if ctx.PublicOnly {
 			ctx.Reducer = &authz.PublicReposAuthorizationReducer{}
 		} else {
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 715aa9003b..8910babc29 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -85,7 +85,6 @@ import (
 	"forgejo.org/routers/api/v1/settings"
 	"forgejo.org/routers/api/v1/user"
 	"forgejo.org/services/actions"
-	"forgejo.org/services/auth"
 	"forgejo.org/services/context"
 	"forgejo.org/services/forms"
 	redirect_service "forgejo.org/services/redirect"
@@ -180,8 +179,8 @@ func repoAssignment() func(ctx *context.APIContext) {
 		repo.Owner = owner
 		ctx.Repo.Repository = repo
 
-		if ctx.Doer != nil && ctx.Doer.ID == user_model.ActionsUserID {
-			taskID := ctx.Data["ActionsTaskID"].(int64)
+		if ctx.Doer != nil && ctx.Doer.ID == user_model.ActionsUserID && ctx.Authentication.ActionsTaskID().Has() {
+			_, taskID := ctx.Authentication.ActionsTaskID().Get()
 			task, err := actions_model.GetTaskByID(ctx, taskID)
 			if err != nil {
 				ctx.Error(http.StatusInternalServerError, "actions_model.GetTaskByID", err)
@@ -330,8 +329,8 @@ func tokenRequiresScopes(requiredScopeCategories ...auth_model.AccessTokenScopeC
 		}
 
 		// Need OAuth2 token to be present.
-		scope, scopeExists := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
-		if ctx.Data["IsApiToken"] != true || !scopeExists {
+		hasScope, scope := ctx.Authentication.Scope().Get()
+		if !hasScope {
 			return
 		}
 
@@ -372,7 +371,7 @@ func tokenRequiresRepoOwnerScope(ctx *context.APIContext) {
 func reqToken() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
 		// If actions token is present
-		if true == ctx.Data["IsActionsToken"] {
+		if ctx.Authentication.ActionsTaskID().Has() {
 			return
 		}
 
@@ -401,13 +400,13 @@ func reqUsersExploreEnabled() func(ctx *context.APIContext) {
 
 func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
-		if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName {
+		if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && ctx.Authentication.IsReverseProxyAuthentication() {
 			return
 		}
 
 		// Require basic authorization method to be used and that basic
 		// authorization used password login to verify the user.
-		if passwordLogin, ok := ctx.Data["IsPasswordLogin"].(bool); !ok || !passwordLogin {
+		if !ctx.Authentication.IsPasswordAuthentication() {
 			ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth method not allowed")
 			return
 		}
diff --git a/routers/common/auth.go b/routers/common/auth.go
index d4b3b1fea7..014db93dad 100644
--- a/routers/common/auth.go
+++ b/routers/common/auth.go
@@ -4,32 +4,30 @@
 package common
 
 import (
-	user_model "forgejo.org/models/user"
+	"errors"
+
 	"forgejo.org/modules/web/middleware"
 	auth_service "forgejo.org/services/auth"
 	"forgejo.org/services/context"
 )
 
-type AuthResult struct {
-	Doer        *user_model.User
-	IsBasicAuth bool
-}
-
-func AuthShared(ctx *context.Base, sessionStore auth_service.SessionStore, authMethod auth_service.Method) (ar AuthResult, err error) {
-	ar.Doer, err = authMethod.Verify(ctx.Req, ctx.Resp, ctx, sessionStore)
+func AuthShared(ctx *context.Base, sessionStore auth_service.SessionStore, authMethod auth_service.Method) (ar auth_service.AuthenticationResult, err error) {
+	ar, err = authMethod.Verify(ctx.Req, ctx.Resp, sessionStore)
 	if err != nil {
 		return ar, err
 	}
-	if ar.Doer != nil {
-		if ctx.Locale.Language() != ar.Doer.Language {
+	if ar == nil {
+		return nil, errors.New("failure to retrieve AuthenticationResult - nil value")
+	}
+	doer := ar.User()
+	if doer != nil {
+		if ctx.Locale.Language() != doer.Language {
 			ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
 		}
-		ar.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == auth_service.BasicMethodName
-
 		ctx.Data["IsSigned"] = true
-		ctx.Data[middleware.ContextDataKeySignedUser] = ar.Doer
-		ctx.Data["SignedUserID"] = ar.Doer.ID
-		ctx.Data["IsAdmin"] = ar.Doer.IsAdmin
+		ctx.Data[middleware.ContextDataKeySignedUser] = doer
+		ctx.Data["SignedUserID"] = doer.ID
+		ctx.Data["IsAdmin"] = doer.IsAdmin
 	} else {
 		ctx.Data["IsSigned"] = false
 		ctx.Data["SignedUserID"] = int64(0)
diff --git a/routers/init.go b/routers/init.go
index adea646672..26cf0ace3e 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -33,7 +33,7 @@ import (
 	"forgejo.org/routers/private"
 	web_routers "forgejo.org/routers/web"
 	actions_service "forgejo.org/services/actions"
-	"forgejo.org/services/auth"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/auth/source/oauth2"
 	"forgejo.org/services/automerge"
 	"forgejo.org/services/cron"
@@ -160,7 +160,7 @@ func InitWebInstalled(ctx context.Context) {
 
 	mustInitCtx(ctx, ssh.Init)
 
-	auth.Init()
+	auth_method.Init()
 	mustInit(svg.Init)
 
 	actions_service.Init()
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
index e9312b3060..97b5ccbe6b 100644
--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
@@ -28,6 +28,7 @@ import (
 	"forgejo.org/modules/web"
 	"forgejo.org/modules/web/middleware"
 	auth_service "forgejo.org/services/auth"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/auth/source/oauth2"
 	"forgejo.org/services/context"
 	"forgejo.org/services/externalaccount"
@@ -213,7 +214,7 @@ func SignInPost(ctx *context.Context) {
 		}
 	}
 
-	u, source, err := auth_service.UserSignIn(ctx, form.UserName, form.Password)
+	u, source, err := auth_method.UserSignIn(ctx, form.UserName, form.Password)
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) || errors.Is(err, util.ErrInvalidArgument) {
 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
index d2cb0d29c7..e212ec58b2 100644
--- a/routers/web/auth/linkaccount.go
+++ b/routers/web/auth/linkaccount.go
@@ -16,7 +16,7 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web"
-	auth_service "forgejo.org/services/auth"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/auth/source/oauth2"
 	"forgejo.org/services/context"
 	"forgejo.org/services/externalaccount"
@@ -128,7 +128,7 @@ func LinkAccountPostSignIn(ctx *context.Context) {
 		return
 	}
 
-	u, _, err := auth_service.UserSignIn(ctx, signInForm.UserName, signInForm.Password)
+	u, _, err := auth_method.UserSignIn(ctx, signInForm.UserName, signInForm.Password)
 	if err != nil {
 		handleSignInError(ctx, signInForm.UserName, &signInForm, tplLinkAccount, "UserLinkAccount", err)
 		return
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index eba2b441c4..dae71dd377 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -33,7 +33,7 @@ import (
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web"
 	"forgejo.org/modules/web/middleware"
-	auth_service "forgejo.org/services/auth"
+	auth_method "forgejo.org/services/auth/method"
 	source_service "forgejo.org/services/auth/source"
 	"forgejo.org/services/auth/source/oauth2"
 	"forgejo.org/services/context"
@@ -294,7 +294,7 @@ func ifOnlyPublicGroups(scopes string) bool {
 
 // InfoOAuth manages request for userinfo endpoint
 func InfoOAuth(ctx *context.Context) {
-	if ctx.Doer == nil || ctx.Data["AuthedMethod"] != (&auth_service.OAuth2{}).Name() {
+	if ctx.Doer == nil || !ctx.Authentication.IsOAuth2JWTAuthentication() {
 		ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`)
 		ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
 		return
@@ -316,7 +316,7 @@ func InfoOAuth(ctx *context.Context) {
 		}
 	}
 
-	_, grantScopes := auth_service.CheckOAuthAccessToken(ctx, token)
+	_, grantScopes := auth_method.CheckOAuthAccessToken(ctx, token)
 	onlyPublicGroups := ifOnlyPublicGroups(grantScopes)
 
 	groups, err := getOAuthGroupsForUser(ctx, ctx.Doer, onlyPublicGroups)
diff --git a/routers/web/auth/openid.go b/routers/web/auth/openid.go
index b2c4f3b68e..a15bf234c0 100644
--- a/routers/web/auth/openid.go
+++ b/routers/web/auth/openid.go
@@ -18,6 +18,7 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/web"
 	"forgejo.org/services/auth"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/context"
 	"forgejo.org/services/forms"
 )
@@ -266,7 +267,7 @@ func ConnectOpenIDPost(ctx *context.Context) {
 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
 	ctx.Data["OpenID"] = oid
 
-	u, source, err := auth.UserSignIn(ctx, form.UserName, form.Password)
+	u, source, err := auth_method.UserSignIn(ctx, form.UserName, form.Password)
 	if err != nil {
 		handleSignInError(ctx, form.UserName, &form, tplConnectOID, "ConnectOpenIDPost", err)
 		return
diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index de05d99a3e..936b108281 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -158,7 +158,7 @@ func httpBase(ctx *context.Context) *serviceHandler {
 			return nil
 		}
 
-		if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true && ctx.Data["IsActionsToken"] != true {
+		if ctx.Authentication.IsPasswordAuthentication() {
 			_, err = auth_model.GetTwoFactorByUID(ctx, ctx.Doer.ID)
 			if err == nil {
 				// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
@@ -187,8 +187,7 @@ func httpBase(ctx *context.Context) *serviceHandler {
 			// Because of special ref "refs/for" .. , need delay write permission check
 			accessMode = perm.AccessModeRead
 
-			if ctx.Data["IsActionsToken"] == true {
-				taskID := ctx.Data["ActionsTaskID"].(int64)
+			if hasTaskID, taskID := ctx.Authentication.ActionsTaskID().Get(); hasTaskID {
 				task, err := actions_model.GetTaskByID(ctx, taskID)
 				if err != nil {
 					ctx.ServerError("GetTaskByID", err)
diff --git a/routers/web/user/setting/account.go b/routers/web/user/setting/account.go
index 5b0e8b4970..b84ef51940 100644
--- a/routers/web/user/setting/account.go
+++ b/routers/web/user/setting/account.go
@@ -19,7 +19,7 @@ import (
 	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/validation"
 	"forgejo.org/modules/web"
-	"forgejo.org/services/auth"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/auth/source/db"
 	"forgejo.org/services/auth/source/smtp"
 	"forgejo.org/services/context"
@@ -274,7 +274,7 @@ func DeleteAccount(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsAccount"] = true
 
-	if _, _, err := auth.UserSignIn(ctx, ctx.Doer.Name, ctx.FormString("password")); err != nil {
+	if _, _, err := auth_method.UserSignIn(ctx, ctx.Doer.Name, ctx.FormString("password")); err != nil {
 		switch {
 		case user_model.IsErrUserNotExist(err):
 			loadAccountData(ctx)
diff --git a/routers/web/web.go b/routers/web/web.go
index 766c39fa57..492a578259 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -48,6 +48,7 @@ import (
 	user_setting "forgejo.org/routers/web/user/setting"
 	"forgejo.org/routers/web/user/setting/security"
 	auth_service "forgejo.org/services/auth"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/context"
 	"forgejo.org/services/forms"
 	"forgejo.org/services/lfs"
@@ -104,15 +105,15 @@ func optionsCorsHandler() func(next http.Handler) http.Handler {
 //
 // The Session plugin is expected to be executed second, in order to skip authentication
 // for users that have already signed in.
-func buildAuthGroup() *auth_service.Group {
-	group := auth_service.NewGroup()
-	group.Add(&auth_service.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
-	group.Add(&auth_service.Basic{})  // FIXME: this should be removed and only applied in download and git/lfs routers
+func buildAuthGroup() *auth_method.Group {
+	group := auth_method.NewGroup()
+	group.Add(&auth_method.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
+	group.Add(&auth_method.Basic{})  // FIXME: this should be removed and only applied in download and git/lfs routers
 
 	if setting.Service.EnableReverseProxyAuth {
-		group.Add(&auth_service.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
+		group.Add(&auth_method.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
 	}
-	group.Add(&auth_service.Session{})
+	group.Add(&auth_method.Session{})
 
 	return group
 }
@@ -125,9 +126,13 @@ func webAuth(authMethod auth_service.Method) func(*context.Context) {
 			ctx.Error(http.StatusUnauthorized, ctx.Locale.TrString("auth.unauthorized_credentials", "https://codeberg.org/forgejo/forgejo/issues/2809"))
 			return
 		}
-		ctx.Doer = ar.Doer
-		ctx.IsSigned = ar.Doer != nil
-		ctx.IsBasicAuth = ar.IsBasicAuth
+		if ar == nil {
+			ctx.Error(http.StatusInternalServerError, "webAuth nil authentication result")
+			return
+		}
+		ctx.Doer = ar.User()
+		ctx.IsSigned = ar.User() != nil
+		ctx.Authentication = ar
 		if ctx.Doer == nil {
 			// ensure the session uid is deleted
 			_ = ctx.Session.Delete("uid")
diff --git a/services/auth/interface.go b/services/auth/interface.go
index 12b04a7abf..73cbe5403f 100644
--- a/services/auth/interface.go
+++ b/services/auth/interface.go
@@ -7,9 +7,12 @@ import (
 	"context"
 	"net/http"
 
+	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/session"
 	"forgejo.org/modules/web/middleware"
+	"forgejo.org/services/authz"
 )
 
 // DataStore represents a data store
@@ -20,15 +23,11 @@ type SessionStore session.Store
 
 // Method represents an authentication method (plugin) for HTTP requests.
 type Method interface {
-	// Verify tries to verify the authentication data contained in the request.
-	// If verification is successful returns either an existing user object (with id > 0)
-	// or a new user object (with id = 0) populated with the information that was found
-	// in the authentication data (username or email).
-	// Second argument returns err if verification fails, otherwise
-	// First return argument returns nil if no matched verification condition
-	Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error)
-
-	Name() string
+	// Verify tries to verify the authentication data contained in the request. If verification is successful returns an
+	// AuthenticationResult implementation with details about the authentication, or, may return an
+	// AnonymousAuthentication if the authentication method doesn't indicate that the request is authenticated. An error
+	// is only returned if a failure occurred while checking authentication.
+	Verify(http *http.Request, w http.ResponseWriter, sess SessionStore) (AuthenticationResult, error)
 }
 
 // PasswordAuthenticator represents a source of authentication
@@ -45,3 +44,62 @@ type LocalTwoFASkipper interface {
 type SynchronizableSource interface {
 	Sync(ctx context.Context, updateExisting bool) error
 }
+
+type AuthenticationResult interface {
+	// May return `nil` to represent an anonymous, unauthenticated user.
+	User() *user_model.User
+
+	// Optional permission scope indicated by the authentication method
+	Scope() optional.Option[auth_model.AccessTokenScope]
+	// Optional authorization reducer indicated by the authentication method
+	Reducer() authz.AuthorizationReducer
+
+	// Identifies if the authentication involved the user's password. If so, and the user has 2FA enabled, some
+	// restrictions may be applied.
+	IsPasswordAuthentication() bool
+
+	// Identifies if the authentication was performed by a reverse proxy.
+	IsReverseProxyAuthentication() bool
+
+	// Identifies specifically that the OAuth2 JWT authentication method was used. If so, some related OAuth2 API
+	// endpoints may be accessible that otherwise wouldn't be.
+	IsOAuth2JWTAuthentication() bool
+
+	// If authenticated as an Actions task (using ${{ forgejo.token }}), then indicates the specific task that performed
+	// the authentication.
+	ActionsTaskID() optional.Option[int64]
+}
+
+type BaseAuthenticationResult struct{}
+
+func (*BaseAuthenticationResult) IsOAuth2JWTAuthentication() bool {
+	return false
+}
+
+func (*BaseAuthenticationResult) IsPasswordAuthentication() bool {
+	return false
+}
+
+func (*BaseAuthenticationResult) IsReverseProxyAuthentication() bool {
+	return false
+}
+
+func (*BaseAuthenticationResult) ActionsTaskID() optional.Option[int64] {
+	return optional.None[int64]()
+}
+
+func (*BaseAuthenticationResult) Reducer() authz.AuthorizationReducer {
+	return nil
+}
+
+func (*BaseAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
+	return optional.None[auth_model.AccessTokenScope]()
+}
+
+type UnauthenticatedResult struct {
+	*BaseAuthenticationResult
+}
+
+func (*UnauthenticatedResult) User() *user_model.User {
+	return nil
+}
diff --git a/services/auth/additional_scopes_test.go b/services/auth/method/additional_scopes_test.go
similarity index 98%
rename from services/auth/additional_scopes_test.go
rename to services/auth/method/additional_scopes_test.go
index 9ab4e6e61f..2ed8af4b03 100644
--- a/services/auth/additional_scopes_test.go
+++ b/services/auth/method/additional_scopes_test.go
@@ -1,4 +1,4 @@
-package auth
+package method
 
 import (
 	"testing"
diff --git a/services/auth/auth.go b/services/auth/method/auth.go
similarity index 97%
rename from services/auth/auth.go
rename to services/auth/method/auth.go
index 14d78cdbc0..b2e89d51e9 100644
--- a/services/auth/auth.go
+++ b/services/auth/method/auth.go
@@ -2,7 +2,7 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"fmt"
@@ -17,6 +17,7 @@ import (
 	"forgejo.org/modules/session"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/web/middleware"
+	"forgejo.org/services/auth"
 	user_service "forgejo.org/services/user"
 )
 
@@ -63,7 +64,7 @@ func isArchivePath(req *http.Request) bool {
 }
 
 // handleSignIn clears existing session variables and stores new ones for the specified user object
-func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore, user *user_model.User) {
+func handleSignIn(resp http.ResponseWriter, req *http.Request, sess auth.SessionStore, user *user_model.User) {
 	// We need to regenerate the session...
 	newSess, err := session.RegenerateSession(resp, req)
 	if err != nil {
diff --git a/services/auth/method/auth_result_accesstoken.go b/services/auth/method/auth_result_accesstoken.go
new file mode 100644
index 0000000000..74b659c548
--- /dev/null
+++ b/services/auth/method/auth_result_accesstoken.go
@@ -0,0 +1,33 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	auth_model "forgejo.org/models/auth"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/optional"
+	"forgejo.org/services/auth"
+	"forgejo.org/services/authz"
+)
+
+var _ auth.AuthenticationResult = &accessTokenAuthenticationResult{}
+
+type accessTokenAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user    *user_model.User
+	scope   auth_model.AccessTokenScope
+	reducer authz.AuthorizationReducer
+}
+
+func (r *accessTokenAuthenticationResult) User() *user_model.User {
+	return r.user
+}
+
+func (r *accessTokenAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
+	return optional.Some(r.scope)
+}
+
+func (r *accessTokenAuthenticationResult) Reducer() authz.AuthorizationReducer {
+	return r.reducer
+}
diff --git a/services/auth/method/auth_result_actionstask.go b/services/auth/method/auth_result_actionstask.go
new file mode 100644
index 0000000000..b6a9dd1287
--- /dev/null
+++ b/services/auth/method/auth_result_actionstask.go
@@ -0,0 +1,31 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	auth_model "forgejo.org/models/auth"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/optional"
+	"forgejo.org/services/auth"
+)
+
+var _ auth.AuthenticationResult = &actionsTaskTokenAuthenticationResult{}
+
+type actionsTaskTokenAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user   *user_model.User
+	taskID int64
+}
+
+func (r *actionsTaskTokenAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
+	return optional.None[auth_model.AccessTokenScope]()
+}
+
+func (r *actionsTaskTokenAuthenticationResult) User() *user_model.User {
+	return r.user
+}
+
+func (r *actionsTaskTokenAuthenticationResult) ActionsTaskID() optional.Option[int64] {
+	return optional.Some(r.taskID)
+}
diff --git a/services/auth/method/auth_result_basicpassword.go b/services/auth/method/auth_result_basicpassword.go
new file mode 100644
index 0000000000..3364046cea
--- /dev/null
+++ b/services/auth/method/auth_result_basicpassword.go
@@ -0,0 +1,24 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	user_model "forgejo.org/models/user"
+	"forgejo.org/services/auth"
+)
+
+var _ auth.AuthenticationResult = &basicPaswordAuthenticationResult{}
+
+type basicPaswordAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user *user_model.User
+}
+
+func (*basicPaswordAuthenticationResult) IsPasswordAuthentication() bool {
+	return true
+}
+
+func (r *basicPaswordAuthenticationResult) User() *user_model.User {
+	return r.user
+}
diff --git a/services/auth/method/auth_result_httpsign.go b/services/auth/method/auth_result_httpsign.go
new file mode 100644
index 0000000000..eb6fef7a14
--- /dev/null
+++ b/services/auth/method/auth_result_httpsign.go
@@ -0,0 +1,20 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	user_model "forgejo.org/models/user"
+	"forgejo.org/services/auth"
+)
+
+var _ auth.AuthenticationResult = &httpSignAuthenticationResult{}
+
+type httpSignAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user *user_model.User
+}
+
+func (r *httpSignAuthenticationResult) User() *user_model.User {
+	return r.user
+}
diff --git a/services/auth/method/auth_result_oauth.go b/services/auth/method/auth_result_oauth.go
new file mode 100644
index 0000000000..ce451e6459
--- /dev/null
+++ b/services/auth/method/auth_result_oauth.go
@@ -0,0 +1,31 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	auth_model "forgejo.org/models/auth"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/optional"
+	"forgejo.org/services/auth"
+)
+
+var _ auth.AuthenticationResult = &oAuth2JWTAuthenticationResult{}
+
+type oAuth2JWTAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user  *user_model.User
+	scope optional.Option[auth_model.AccessTokenScope]
+}
+
+func (*oAuth2JWTAuthenticationResult) IsOAuth2JWTAuthentication() bool {
+	return true
+}
+
+func (r *oAuth2JWTAuthenticationResult) User() *user_model.User {
+	return r.user
+}
+
+func (r *oAuth2JWTAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
+	return r.scope
+}
diff --git a/services/auth/method/auth_result_reverseproxy.go b/services/auth/method/auth_result_reverseproxy.go
new file mode 100644
index 0000000000..cf575330e6
--- /dev/null
+++ b/services/auth/method/auth_result_reverseproxy.go
@@ -0,0 +1,24 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	user_model "forgejo.org/models/user"
+	"forgejo.org/services/auth"
+)
+
+var _ auth.AuthenticationResult = &reverseProxyAuthenticationResult{}
+
+type reverseProxyAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user *user_model.User
+}
+
+func (r *reverseProxyAuthenticationResult) User() *user_model.User {
+	return r.user
+}
+
+func (*reverseProxyAuthenticationResult) IsReverseProxyAuthentication() bool {
+	return true
+}
diff --git a/services/auth/method/auth_result_session.go b/services/auth/method/auth_result_session.go
new file mode 100644
index 0000000000..71c591dacd
--- /dev/null
+++ b/services/auth/method/auth_result_session.go
@@ -0,0 +1,20 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	user_model "forgejo.org/models/user"
+	"forgejo.org/services/auth"
+)
+
+var _ auth.AuthenticationResult = &sessionAuthenticationResult{}
+
+type sessionAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user *user_model.User
+}
+
+func (r *sessionAuthenticationResult) User() *user_model.User {
+	return r.user
+}
diff --git a/services/auth/auth_test.go b/services/auth/method/auth_test.go
similarity index 99%
rename from services/auth/auth_test.go
rename to services/auth/method/auth_test.go
index 82308402d2..6e686feab8 100644
--- a/services/auth/auth_test.go
+++ b/services/auth/method/auth_test.go
@@ -2,7 +2,7 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"net/http"
diff --git a/services/auth/basic.go b/services/auth/method/basic.go
similarity index 81%
rename from services/auth/basic.go
rename to services/auth/method/basic.go
index 502d806a12..5b551135be 100644
--- a/services/auth/basic.go
+++ b/services/auth/method/basic.go
@@ -2,7 +2,7 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"errors"
@@ -14,48 +14,42 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/base"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web/middleware"
+	"forgejo.org/services/auth"
 	"forgejo.org/services/authz"
 )
 
 // Ensure the struct implements the interface.
 var (
-	_ Method = &Basic{}
+	_ auth.Method = &Basic{}
 )
 
-// BasicMethodName is the constant name of the basic authentication method
-const BasicMethodName = "basic"
-
 // Basic implements the Auth interface and authenticates requests (API requests
 // only) by looking for Basic authentication data or "x-oauth-basic" token in the "Authorization"
 // header.
 type Basic struct{}
 
-// Name represents the name of auth method
-func (b *Basic) Name() string {
-	return BasicMethodName
-}
-
 // Verify extracts and validates Basic data (username and password/token) from the
 // "Authorization" header of the request and returns the corresponding user object for that
 // name/token on successful validation.
 // Returns nil if header is empty or validation fails.
-func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
+func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) (auth.AuthenticationResult, error) {
 	// Basic authentication should only fire on API, Download or on Git or LFSPaths
 	if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	baHead := req.Header.Get("Authorization")
 	if len(baHead) == 0 {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	auths := strings.SplitN(baHead, " ", 2)
 	if len(auths) != 2 || (strings.ToLower(auths[0]) != "basic") {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	uname, passwd, _ := base.BasicAuthDecode(auths[1])
@@ -83,13 +77,13 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 			return nil, err
 		}
 
-		store.GetData()["IsApiToken"] = true
+		var scope auth_model.AccessTokenScope
 		if grantScopes != "" {
-			store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScope(grantScopes)
+			scope = auth_model.AccessTokenScope(grantScopes)
 		} else {
-			store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScopeAll // fallback to all
+			scope = auth_model.AccessTokenScopeAll // fallback to all
 		}
-		return u, nil
+		return &oAuth2JWTAuthenticationResult{user: u, scope: optional.Some(scope)}, nil
 	}
 
 	// check personal access token
@@ -106,17 +100,13 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 			log.Error("UpdateLastUsed:  %v", err)
 		}
 
-		store.GetData()["IsApiToken"] = true
-		store.GetData()["ApiTokenScope"] = token.Scope
-
 		reducer, err := authz.GetAuthorizationReducerForAccessToken(req.Context(), token)
 		if err != nil {
 			log.Error("authz.GetAuthorizationReducerForAccessToken: %v", err)
 			return nil, err
 		}
-		store.GetData()["ApiTokenReducer"] = reducer
 
-		return u, nil
+		return &accessTokenAuthenticationResult{user: u, scope: token.Scope, reducer: reducer}, nil
 	} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
 		log.Error("GetAccessTokenBySha: %v", err)
 	}
@@ -125,15 +115,11 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 	task, err := actions_model.GetRunningTaskByToken(req.Context(), authToken)
 	if err == nil && task != nil {
 		log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)
-
-		store.GetData()["IsActionsToken"] = true
-		store.GetData()["ActionsTaskID"] = task.ID
-
-		return user_model.NewActionsUser(), nil
+		return &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}, nil
 	}
 
 	if !setting.Service.EnableBasicAuth {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
@@ -155,7 +141,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 		return nil, errors.New("Basic authorization is not allowed while having security keys enrolled")
 	}
 
-	if skipper, ok := source.Cfg.(LocalTwoFASkipper); !ok || !skipper.IsSkipLocalTwoFA() {
+	if skipper, ok := source.Cfg.(auth.LocalTwoFASkipper); !ok || !skipper.IsSkipLocalTwoFA() {
 		if err := validateTOTP(req, u); err != nil {
 			return nil, err
 		}
@@ -163,8 +149,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 
 	log.Trace("Basic Authorization: Logged in user %-v", u)
 
-	store.GetData()["IsPasswordLogin"] = true
-	return u, nil
+	return &basicPaswordAuthenticationResult{user: u}, nil
 }
 
 func getOtpHeader(header http.Header) string {
diff --git a/services/auth/group.go b/services/auth/method/group.go
similarity index 52%
rename from services/auth/group.go
rename to services/auth/method/group.go
index b713301b50..a87f5d6a75 100644
--- a/services/auth/group.go
+++ b/services/auth/method/group.go
@@ -1,51 +1,41 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"net/http"
-	"strings"
 
-	user_model "forgejo.org/models/user"
+	"forgejo.org/services/auth"
 )
 
 // Ensure the struct implements the interface.
 var (
-	_ Method = &Group{}
+	_ auth.Method = &Group{}
 )
 
 // Group implements the Auth interface with serval Auth.
 type Group struct {
-	methods []Method
+	methods []auth.Method
 }
 
 // NewGroup creates a new auth group
-func NewGroup(methods ...Method) *Group {
+func NewGroup(methods ...auth.Method) *Group {
 	return &Group{
 		methods: methods,
 	}
 }
 
 // Add adds a new method to group
-func (b *Group) Add(method Method) {
+func (b *Group) Add(method auth.Method) {
 	b.methods = append(b.methods, method)
 }
 
-// Name returns group's methods name
-func (b *Group) Name() string {
-	names := make([]string, 0, len(b.methods))
-	for _, m := range b.methods {
-		names = append(names, m.Name())
-	}
-	return strings.Join(names, ",")
-}
-
-func (b *Group) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
+func (b *Group) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
 	// Try to sign in with each of the enabled plugins
 	var retErr error
 	for _, m := range b.methods {
-		user, err := m.Verify(req, w, store, sess)
+		authResult, err := m.Verify(req, w, sess)
 		if err != nil {
 			if retErr == nil {
 				retErr = err
@@ -57,16 +47,17 @@ func (b *Group) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 			continue
 		}
 
-		// If any method returns a user, we can stop trying.
-		// Return the user and ignore any error returned by previous methods.
-		if user != nil {
-			if store.GetData()["AuthedMethod"] == nil {
-				store.GetData()["AuthedMethod"] = m.Name()
-			}
-			return user, nil
+		// If any method returns an authenticated result, we can stop trying. Return and ignore any error returned by
+		// previous methods.
+		if authResult.User() != nil {
+			return authResult, nil
 		}
 	}
 
-	// If no method returns a user, return the error returned by the first method.
-	return nil, retErr
+	if retErr != nil {
+		// If no method returns a user, return the error returned by the first method.
+		return nil, retErr
+	}
+
+	return &auth.UnauthenticatedResult{}, nil
 }
diff --git a/services/auth/httpsign.go b/services/auth/method/httpsign.go
similarity index 94%
rename from services/auth/httpsign.go
rename to services/auth/method/httpsign.go
index e776ccbbed..a5328bddcd 100644
--- a/services/auth/httpsign.go
+++ b/services/auth/method/httpsign.go
@@ -1,7 +1,7 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"bytes"
@@ -16,6 +16,7 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
+	"forgejo.org/services/auth"
 
 	"github.com/42wim/httpsig"
 	"golang.org/x/crypto/ssh"
@@ -23,7 +24,7 @@ import (
 
 // Ensure the struct implements the interface.
 var (
-	_ Method = &HTTPSign{}
+	_ auth.Method = &HTTPSign{}
 )
 
 // HTTPSign implements the Auth interface and authenticates requests (API requests
@@ -31,18 +32,13 @@ var (
 // more information can be found on https://github.com/go-fed/httpsig
 type HTTPSign struct{}
 
-// Name represents the name of auth method
-func (h *HTTPSign) Name() string {
-	return "httpsign"
-}
-
 // Verify extracts and validates HTTPsign from the Signature header of the request and returns
 // the corresponding user object on successful validation.
 // Returns nil if header is empty or validation fails.
-func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
+func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) (auth.AuthenticationResult, error) {
 	sigHead := req.Header.Get("Signature")
 	if len(sigHead) == 0 {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	var (
@@ -53,14 +49,14 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataSt
 	if len(req.Header.Get("X-Ssh-Certificate")) != 0 {
 		// Handle Signature signed by SSH certificates
 		if len(setting.SSH.TrustedUserCAKeys) == 0 {
-			return nil, nil
+			return &auth.UnauthenticatedResult{}, nil
 		}
 
 		publicKey, err = VerifyCert(req)
 		if err != nil {
 			log.Debug("VerifyCert on request from %s: failed: %v", req.RemoteAddr, err)
 			log.Warn("Failed authentication attempt from %s", req.RemoteAddr)
-			return nil, nil
+			return &auth.UnauthenticatedResult{}, nil
 		}
 	} else {
 		// Handle Signature signed by Public Key
@@ -68,7 +64,7 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataSt
 		if err != nil {
 			log.Debug("VerifyPubKey on request from %s: failed: %v", req.RemoteAddr, err)
 			log.Warn("Failed authentication attempt from %s", req.RemoteAddr)
-			return nil, nil
+			return &auth.UnauthenticatedResult{}, nil
 		}
 	}
 
@@ -78,11 +74,8 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, store DataSt
 		return nil, err
 	}
 
-	store.GetData()["IsApiToken"] = true
-
 	log.Trace("HTTP Sign: Logged in user %-v", u)
-
-	return u, nil
+	return &httpSignAuthenticationResult{user: u}, nil
 }
 
 func VerifyPubKey(r *http.Request) (*asymkey_model.PublicKey, error) {
diff --git a/services/auth/method/main_test.go b/services/auth/method/main_test.go
new file mode 100644
index 0000000000..b5334990c3
--- /dev/null
+++ b/services/auth/method/main_test.go
@@ -0,0 +1,14 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package method
+
+import (
+	"testing"
+
+	"forgejo.org/models/unittest"
+)
+
+func TestMain(m *testing.M) {
+	unittest.MainTest(m)
+}
diff --git a/services/auth/oauth2.go b/services/auth/method/oauth2.go
similarity index 76%
rename from services/auth/oauth2.go
rename to services/auth/method/oauth2.go
index a23f586ffd..e80c4bc35c 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/method/oauth2.go
@@ -2,10 +2,11 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"context"
+	"errors"
 	"net/http"
 	"slices"
 	"strings"
@@ -15,17 +16,19 @@ import (
 	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web/middleware"
 	"forgejo.org/services/actions"
+	"forgejo.org/services/auth"
 	"forgejo.org/services/auth/source/oauth2"
 	"forgejo.org/services/authz"
 )
 
 // Ensure the struct implements the interface.
 var (
-	_ Method = &OAuth2{}
+	_ auth.Method = &OAuth2{}
 )
 
 // grantAdditionalScopes returns valid scopes coming from grant
@@ -113,11 +116,6 @@ func CheckTaskIsRunning(ctx context.Context, taskID int64) bool {
 // "Authorization" header.
 type OAuth2 struct{}
 
-// Name represents the name of auth method
-func (o *OAuth2) Name() string {
-	return "oauth2"
-}
-
 // parseToken returns the token from request, and a boolean value
 // representing whether the token exists or not
 func parseToken(req *http.Request) (string, bool) {
@@ -148,33 +146,39 @@ func parseToken(req *http.Request) (string, bool) {
 // userIDFromToken returns the user id corresponding to the OAuth token.
 // It will set 'IsApiToken' to true if the token is an API token and
 // set 'ApiTokenScope' to the scope of the access token
-func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string, store DataStore) (int64, error) {
+func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string) (auth.AuthenticationResult, error) {
 	if tokenSHA == "" {
-		return 0, auth_model.ErrAccessTokenEmpty{}
+		return nil, auth_model.ErrAccessTokenEmpty{}
 	}
 	// Let's see if token is valid.
 	if strings.Contains(tokenSHA, ".") {
 		// First attempt to decode an actions JWT, returning the actions user
 		if taskID, err := actions.TokenToTaskID(tokenSHA); err == nil {
 			if CheckTaskIsRunning(ctx, taskID) {
-				store.GetData()["IsActionsToken"] = true
-				store.GetData()["ActionsTaskID"] = taskID
-				return user_model.ActionsUserID, nil
+				return &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: taskID}, nil
 			}
 		}
 
 		// Otherwise, check if this is an OAuth access token
 		uid, grantScopes := CheckOAuthAccessToken(ctx, tokenSHA)
+		var accessTokenScope optional.Option[auth_model.AccessTokenScope]
 		if uid != 0 {
-			store.GetData()["IsApiToken"] = true
 			if grantScopes != "" {
-				store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScope(grantScopes)
+				accessTokenScope = optional.Some(auth_model.AccessTokenScope(grantScopes))
 			} else {
-				store.GetData()["ApiTokenScope"] = auth_model.AccessTokenScopeAll // fallback to all
+				accessTokenScope = optional.Some(auth_model.AccessTokenScopeAll) // fallback to all
 			}
 		}
-		return uid, nil
+		user, err := user_model.GetPossibleUserByID(ctx, uid)
+		if err != nil {
+			if !user_model.IsErrUserNotExist(err) {
+				log.Error("GetUserByName: %v", err)
+			}
+			return nil, err
+		}
+		return &oAuth2JWTAuthenticationResult{user: user, scope: accessTokenScope}, nil
 	}
+
 	t, err := auth_model.GetAccessTokenBySHA(ctx, tokenSHA)
 	if err != nil {
 		if auth_model.IsErrAccessTokenNotExist(err) {
@@ -182,68 +186,63 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string, store Dat
 			task, err := actions_model.GetRunningTaskByToken(ctx, tokenSHA)
 			if err == nil && task != nil {
 				log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)
-
-				store.GetData()["IsActionsToken"] = true
-				store.GetData()["ActionsTaskID"] = task.ID
-
-				return user_model.ActionsUserID, nil
+				return &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}, nil
 			}
 		} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
 			log.Error("GetAccessTokenBySHA: %v", err)
+			return nil, err
 		}
-		return 0, err
+		return nil, err
 	}
 	if err := t.UpdateLastUsed(ctx); err != nil {
 		log.Error("UpdateLastUsed: %v", err)
 	}
 	if t.UID == 0 {
-		return 0, auth_model.ErrAccessTokenNotExist{}
+		return nil, auth_model.ErrAccessTokenNotExist{}
 	}
-	store.GetData()["IsApiToken"] = true
-	store.GetData()["ApiTokenScope"] = t.Scope
 
 	reducer, err := authz.GetAuthorizationReducerForAccessToken(ctx, t)
 	if err != nil {
 		log.Error("authz.GetAuthorizationReducerForAccessToken: %v", err)
-		return 0, err
+		return nil, err
 	}
-	store.GetData()["ApiTokenReducer"] = reducer
 
-	return t.UID, nil
+	u, err := user_model.GetUserByID(ctx, t.UID)
+	if err != nil {
+		log.Error("GetUserByID:  %v", err)
+		return nil, err
+	}
+
+	return &accessTokenAuthenticationResult{user: u, scope: t.Scope, reducer: reducer}, nil
 }
 
 // Verify extracts the user ID from the OAuth token in the query parameters
 // or the "Authorization" header and returns the corresponding user object for that ID.
 // If verification is successful returns an existing user object.
 // Returns nil if verification fails.
-func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
+func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) (auth.AuthenticationResult, error) {
 	// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
 	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
 		!isGitRawOrAttachPath(req) && !isArchivePath(req) {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	token, ok := parseToken(req)
 	if !ok {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
-	id, err := o.userIDFromToken(req.Context(), token, store)
+	auth, err := o.userIDFromToken(req.Context(), token)
 	if err != nil {
 		return nil, err
+	} else if auth.User() == nil {
+		// Having successfully found a token, it's now expected that the only valid outcomes are either errors that
+		// result in 401s (if the token wasn't valid), or valid authentication as a user. If we reach here, we've missed
+		// those expected outcomes and somehow returned an unauthenticated response even though a token was provided.
+		return nil, errors.New("unexpected unauthenticated result from userIDFromToken")
 	}
-	log.Trace("OAuth2 Authorization: Found token for user[%d]", id)
-
-	user, err := user_model.GetPossibleUserByID(req.Context(), id)
-	if err != nil {
-		if !user_model.IsErrUserNotExist(err) {
-			log.Error("GetUserByName: %v", err)
-		}
-		return nil, err
-	}
-
-	log.Trace("OAuth2 Authorization: Logged in user %-v", user)
-	return user, nil
+	log.Trace("OAuth2 Authorization: Logged in user %-v", auth.User())
+	return auth, nil
 }
 
 func isAuthenticatedTokenRequest(req *http.Request) bool {
diff --git a/services/auth/oauth2_test.go b/services/auth/method/oauth2_test.go
similarity index 87%
rename from services/auth/oauth2_test.go
rename to services/auth/method/oauth2_test.go
index 67e42c3c56..c08ec57151 100644
--- a/services/auth/oauth2_test.go
+++ b/services/auth/method/oauth2_test.go
@@ -1,7 +1,7 @@
 // Copyright 2024 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"net/http"
@@ -11,7 +11,6 @@ import (
 	"forgejo.org/models/auth"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
-	"forgejo.org/modules/web/middleware"
 	"forgejo.org/services/actions"
 
 	"github.com/stretchr/testify/assert"
@@ -33,14 +32,13 @@ func TestUserIDFromToken(t *testing.T) {
 		token, err := actions.CreateAuthorizationToken(task, map[string]any{}, false)
 		require.NoError(t, err)
 
-		ds := make(middleware.ContextData)
-
 		o := OAuth2{}
-		uid, err := o.userIDFromToken(t.Context(), token, ds)
+		authResult, err := o.userIDFromToken(t.Context(), token)
 		require.NoError(t, err)
-		assert.Equal(t, int64(user_model.ActionsUserID), uid)
-		assert.Equal(t, true, ds["IsActionsToken"])
-		assert.Equal(t, ds["ActionsTaskID"], int64(RunningTaskID))
+		assert.Equal(t, int64(user_model.ActionsUserID), authResult.User().ID)
+		isActionsToken, authTaskID := authResult.ActionsTaskID().Get()
+		assert.True(t, isActionsToken)
+		assert.Equal(t, int64(RunningTaskID), authTaskID)
 	})
 
 	t.Run("Actions error-JWT", func(t *testing.T) {
@@ -52,13 +50,12 @@ func TestUserIDFromToken(t *testing.T) {
 			"To short": {"abc", auth.ErrAccessTokenNotExist{Token: "abc"}},
 		}
 
-		ds := make(middleware.ContextData)
 		o := OAuth2{}
 		for name, c := range cases {
 			t.Run(name, func(t *testing.T) {
-				uid, err := o.userIDFromToken(t.Context(), c.Token, ds)
+				authResult, err := o.userIDFromToken(t.Context(), c.Token)
 				require.ErrorIs(t, err, c.Error)
-				assert.Equal(t, int64(0), uid)
+				assert.Nil(t, authResult)
 			})
 		}
 	})
diff --git a/services/auth/reverseproxy.go b/services/auth/method/reverseproxy.go
similarity index 93%
rename from services/auth/reverseproxy.go
rename to services/auth/method/reverseproxy.go
index eb9ceb8cf2..df6e626bcb 100644
--- a/services/auth/reverseproxy.go
+++ b/services/auth/method/reverseproxy.go
@@ -2,9 +2,10 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
+	"errors"
 	"net/http"
 	"strings"
 
@@ -12,14 +13,16 @@ import (
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
+	"forgejo.org/modules/util"
 	"forgejo.org/modules/web/middleware"
+	"forgejo.org/services/auth"
 
 	gouuid "github.com/google/uuid"
 )
 
 // Ensure the struct implements the interface.
 var (
-	_ Method = &ReverseProxy{}
+	_ auth.Method = &ReverseProxy{}
 )
 
 // ReverseProxyMethodName is the constant name of the ReverseProxy authentication method
@@ -37,11 +40,6 @@ func (r *ReverseProxy) getUserName(req *http.Request) string {
 	return strings.TrimSpace(req.Header.Get(setting.ReverseProxyAuthUser))
 }
 
-// Name represents the name of auth method
-func (r *ReverseProxy) Name() string {
-	return ReverseProxyMethodName
-}
-
 // getUserFromAuthUser extracts the username from the "setting.ReverseProxyAuthUser" header
 // of the request and returns the corresponding user object for that name.
 // Verification of header data is not performed as it should have already been done by
@@ -52,7 +50,7 @@ func (r *ReverseProxy) Name() string {
 func (r *ReverseProxy) getUserFromAuthUser(req *http.Request) (*user_model.User, error) {
 	username := r.getUserName(req)
 	if len(username) == 0 {
-		return nil, nil
+		return nil, util.ErrNotExist
 	}
 	log.Trace("ReverseProxy Authorization: Found username: %s", username)
 
@@ -104,15 +102,15 @@ func (r *ReverseProxy) getUserFromAuthEmail(req *http.Request) *user_model.User
 // First it will attempt to load it based on the username (see docs for getUserFromAuthUser),
 // and failing that it will attempt to load it based on the email (see docs for getUserFromAuthEmail).
 // Returns nil if the headers are empty or the user is not found.
-func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
+func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
 	user, err := r.getUserFromAuthUser(req)
-	if err != nil {
+	if err != nil && !errors.Is(err, util.ErrNotExist) {
 		return nil, err
 	}
 	if user == nil {
 		user = r.getUserFromAuthEmail(req)
 		if user == nil {
-			return nil, nil
+			return &auth.UnauthenticatedResult{}, nil
 		}
 	}
 
@@ -122,10 +120,9 @@ func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store Da
 			handleSignIn(w, req, sess, user)
 		}
 	}
-	store.GetData()["IsReverseProxy"] = true
 
 	log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
-	return user, nil
+	return &reverseProxyAuthenticationResult{user: user}, nil
 }
 
 // isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
diff --git a/services/auth/reverseproxy_test.go b/services/auth/method/reverseproxy_test.go
similarity index 99%
rename from services/auth/reverseproxy_test.go
rename to services/auth/method/reverseproxy_test.go
index f6740a0134..fbcd412da5 100644
--- a/services/auth/reverseproxy_test.go
+++ b/services/auth/method/reverseproxy_test.go
@@ -1,7 +1,7 @@
 // Copyright 2024 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"net/http"
diff --git a/services/auth/session.go b/services/auth/method/session.go
similarity index 77%
rename from services/auth/session.go
rename to services/auth/method/session.go
index a15c24c940..540d544aa0 100644
--- a/services/auth/session.go
+++ b/services/auth/method/session.go
@@ -1,47 +1,43 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"net/http"
 
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/services/auth"
 )
 
 // Ensure the struct implements the interface.
 var (
-	_ Method = &Session{}
+	_ auth.Method = &Session{}
 )
 
 // Session checks if there is a user uid stored in the session and returns the user
 // object for that uid.
 type Session struct{}
 
-// Name represents the name of auth method
-func (s *Session) Name() string {
-	return "session"
-}
-
 // Verify checks if there is a user uid stored in the session and returns the user
 // object for that uid.
 // Returns nil if there is no user uid stored in the session.
-func (s *Session) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
+func (s *Session) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
 	if sess == nil {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	// Get user ID
 	uid := sess.Get("uid")
 	if uid == nil {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 	log.Trace("Session Authorization: Found user[%d]", uid)
 
 	id, ok := uid.(int64)
 	if !ok {
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	// Get user object
@@ -52,9 +48,9 @@ func (s *Session) Verify(req *http.Request, w http.ResponseWriter, store DataSto
 			// Return the err as-is to keep current signed-in session, in case the err is something like context.Canceled. Otherwise non-existing user (nil, nil) will make the caller clear the signed-in session.
 			return nil, err
 		}
-		return nil, nil
+		return &auth.UnauthenticatedResult{}, nil
 	}
 
 	log.Trace("Session Authorization: Logged in user %-v", user)
-	return user, nil
+	return &sessionAuthenticationResult{user: user}, nil
 }
diff --git a/services/auth/signin.go b/services/auth/method/signin.go
similarity index 94%
rename from services/auth/signin.go
rename to services/auth/method/signin.go
index 495b3d387e..d664b16a8c 100644
--- a/services/auth/signin.go
+++ b/services/auth/method/signin.go
@@ -1,7 +1,7 @@
 // Copyright 2021 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package auth
+package method
 
 import (
 	"context"
@@ -12,6 +12,7 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/optional"
+	auth_service "forgejo.org/services/auth"
 	"forgejo.org/services/auth/source/oauth2"
 	"forgejo.org/services/auth/source/smtp"
 
@@ -65,7 +66,7 @@ func UserSignIn(ctx context.Context, username, password string) (*user_model.Use
 				return nil, nil, oauth2.ErrAuthSourceNotActivated
 			}
 
-			authenticator, ok := source.Cfg.(PasswordAuthenticator)
+			authenticator, ok := source.Cfg.(auth_service.PasswordAuthenticator)
 			if !ok {
 				return nil, nil, smtp.ErrUnsupportedLoginType
 			}
@@ -98,7 +99,7 @@ func UserSignIn(ctx context.Context, username, password string) (*user_model.Use
 			continue
 		}
 
-		authenticator, ok := source.Cfg.(PasswordAuthenticator)
+		authenticator, ok := source.Cfg.(auth_service.PasswordAuthenticator)
 		if !ok {
 			continue
 		}
diff --git a/services/context/api.go b/services/context/api.go
index 1064b1ab4a..a6af94dfde 100644
--- a/services/context/api.go
+++ b/services/context/api.go
@@ -25,6 +25,7 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/web"
 	web_types "forgejo.org/modules/web/types"
+	"forgejo.org/services/auth"
 	"forgejo.org/services/authz"
 
 	"code.forgejo.org/go-chi/cache"
@@ -36,9 +37,9 @@ type APIContext struct {
 
 	Cache cache.Cache
 
-	Doer        *user_model.User // current signed-in user
-	IsSigned    bool
-	IsBasicAuth bool
+	Doer           *user_model.User // current signed-in user
+	IsSigned       bool
+	Authentication auth.AuthenticationResult
 
 	ContextUser *user_model.User // the user which is being visited, in most cases it differs from Doer
 
diff --git a/services/context/context.go b/services/context/context.go
index 8ced686aac..af5ec26143 100644
--- a/services/context/context.go
+++ b/services/context/context.go
@@ -25,6 +25,7 @@ import (
 	"forgejo.org/modules/web"
 	"forgejo.org/modules/web/middleware"
 	web_types "forgejo.org/modules/web/types"
+	"forgejo.org/services/auth"
 
 	"code.forgejo.org/go-chi/cache"
 	"code.forgejo.org/go-chi/session"
@@ -51,9 +52,9 @@ type Context struct {
 
 	Link string // current request URL (without query string)
 
-	Doer        *user_model.User // current signed-in user
-	IsSigned    bool
-	IsBasicAuth bool
+	Doer           *user_model.User // current signed-in user
+	IsSigned       bool
+	Authentication auth.AuthenticationResult
 
 	ContextUser *user_model.User // the user which is being visited, in most cases it differs from Doer
 
@@ -112,6 +113,8 @@ func NewWebContext(base *Base, render Render, session session.Store) *Context {
 		Link:  setting.AppSubURL + strings.TrimSuffix(base.Req.URL.EscapedPath(), "/"),
 		Repo:  &Repository{PullRequest: &PullRequest{}},
 		Org:   &Organization{},
+
+		Authentication: &auth.UnauthenticatedResult{},
 	}
 	ctx.TemplateContext = NewTemplateContextForWeb(ctx)
 	ctx.Flash = &middleware.Flash{DataStore: ctx, Values: url.Values{}}
diff --git a/services/context/permission.go b/services/context/permission.go
index f898bd98ae..44adbbd6d9 100644
--- a/services/context/permission.go
+++ b/services/context/permission.go
@@ -12,7 +12,6 @@ import (
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unit"
 	"forgejo.org/modules/log"
-	"forgejo.org/services/authz"
 )
 
 // RequireRepoAdmin returns a middleware for requiring repository admin permission
@@ -125,12 +124,7 @@ func CheckRepoDelegateActionTrust(ctx *Context) bool {
 
 // CheckRepoScopedToken check whether personal access token has repo scope
 func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_model.AccessTokenScopeLevel) {
-	if !ctx.IsBasicAuth || ctx.Data["IsApiToken"] != true {
-		return
-	}
-
-	scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
-	if ok { // it's a personal access token but not oauth2 token
+	if hasScope, scope := ctx.Authentication.Scope().Get(); hasScope {
 		var scopeMatched bool
 
 		requiredScopes := auth_model.GetRequiredScopes(level, auth_model.AccessTokenScopeCategoryRepository)
@@ -159,8 +153,7 @@ func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_
 		}
 	}
 
-	reducer, ok := ctx.Data["ApiTokenReducer"].(authz.AuthorizationReducer)
-	if ok {
+	if reducer := ctx.Authentication.Reducer(); reducer != nil {
 		var accessMode perm.AccessMode
 		switch level {
 		case auth_model.Read:
@@ -184,8 +177,7 @@ func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_
 }
 
 func CheckRuntimeDeterminedScope(ctx *APIContext, scopeCategory auth_model.AccessTokenScopeCategory, level auth_model.AccessTokenScopeLevel, msg string) {
-	scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)
-	if ok {
+	if hasScope, scope := ctx.Authentication.Scope().Get(); hasScope {
 		var scopeMatched bool
 
 		requiredScopes := auth_model.GetRequiredScopes(level, scopeCategory)
diff --git a/services/lfs/server.go b/services/lfs/server.go
index ef0df4a0ab..457602243e 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -539,8 +539,7 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 		accessMode = perm.AccessModeWrite
 	}
 
-	if ctx.Data["IsActionsToken"] == true {
-		taskID := ctx.Data["ActionsTaskID"].(int64)
+	if hasTaskID, taskID := ctx.Authentication.ActionsTaskID().Get(); hasTaskID {
 		task, err := actions_model.GetTaskByID(ctx, taskID)
 		if err != nil {
 			log.Error("Unable to GetTaskByID for task[%d] Error: %v", taskID, err)
diff --git a/tests/integration/api_packages_chef_test.go b/tests/integration/api_packages_chef_test.go
index cadf46b03f..b467f18e13 100644
--- a/tests/integration/api_packages_chef_test.go
+++ b/tests/integration/api_packages_chef_test.go
@@ -94,9 +94,10 @@ nwIDAQAB
 			defer tests.PrintCurrentTest(t)()
 
 			req := NewRequest(t, "POST", "/dummy")
-			u, err := auth.Verify(req.Request, nil, nil, nil)
-			assert.Nil(t, u)
+			u, err := auth.Verify(req.Request, nil, nil)
 			require.NoError(t, err)
+			require.NotNil(t, u)
+			assert.Nil(t, u.User())
 		})
 
 		t.Run("NotExistingUser", func(t *testing.T) {
@@ -104,7 +105,7 @@ nwIDAQAB
 
 			req := NewRequest(t, "POST", "/dummy").
 				SetHeader("X-Ops-Userid", "not-existing-user")
-			u, err := auth.Verify(req.Request, nil, nil, nil)
+			u, err := auth.Verify(req.Request, nil, nil)
 			assert.Nil(t, u)
 			require.Error(t, err)
 		})
@@ -114,12 +115,12 @@ nwIDAQAB
 
 			req := NewRequest(t, "POST", "/dummy").
 				SetHeader("X-Ops-Userid", user.Name)
-			u, err := auth.Verify(req.Request, nil, nil, nil)
+			u, err := auth.Verify(req.Request, nil, nil)
 			assert.Nil(t, u)
 			require.Error(t, err)
 
 			req.SetHeader("X-Ops-Timestamp", "2023-01-01T00:00:00Z")
-			u, err = auth.Verify(req.Request, nil, nil, nil)
+			u, err = auth.Verify(req.Request, nil, nil)
 			assert.Nil(t, u)
 			require.Error(t, err)
 		})
@@ -130,27 +131,27 @@ nwIDAQAB
 			req := NewRequest(t, "POST", "/dummy").
 				SetHeader("X-Ops-Userid", user.Name).
 				SetHeader("X-Ops-Timestamp", time.Now().UTC().Format(time.RFC3339))
-			u, err := auth.Verify(req.Request, nil, nil, nil)
+			u, err := auth.Verify(req.Request, nil, nil)
 			assert.Nil(t, u)
 			require.Error(t, err)
 
 			req.SetHeader("X-Ops-Sign", "version=none")
-			u, err = auth.Verify(req.Request, nil, nil, nil)
+			u, err = auth.Verify(req.Request, nil, nil)
 			assert.Nil(t, u)
 			require.Error(t, err)
 
 			req.SetHeader("X-Ops-Sign", "version=1.4")
-			u, err = auth.Verify(req.Request, nil, nil, nil)
+			u, err = auth.Verify(req.Request, nil, nil)
 			assert.Nil(t, u)
 			require.Error(t, err)
 
 			req.SetHeader("X-Ops-Sign", "version=1.0;algorithm=sha2")
-			u, err = auth.Verify(req.Request, nil, nil, nil)
+			u, err = auth.Verify(req.Request, nil, nil)
 			assert.Nil(t, u)
 			require.Error(t, err)
 
 			req.SetHeader("X-Ops-Sign", "version=1.0;algorithm=sha256")
-			u, err = auth.Verify(req.Request, nil, nil, nil)
+			u, err = auth.Verify(req.Request, nil, nil)
 			assert.Nil(t, u)
 			require.Error(t, err)
 		})
@@ -166,7 +167,7 @@ nwIDAQAB
 				SetHeader("X-Ops-Sign", "version=1.0;algorithm=sha1").
 				SetHeader("X-Ops-Content-Hash", "unused").
 				SetHeader("X-Ops-Authorization-4", "dummy")
-			u, err := auth.Verify(req.Request, nil, nil, nil)
+			u, err := auth.Verify(req.Request, nil, nil)
 			assert.Nil(t, u)
 			require.Error(t, err)
 
@@ -257,7 +258,7 @@ nwIDAQAB
 					defer tests.PrintCurrentTest(t)()
 
 					signRequest(req, v)
-					u, err = auth.Verify(req.Request, nil, nil, nil)
+					u, err = auth.Verify(req.Request, nil, nil)
 					assert.NotNil(t, u)
 					require.NoError(t, err)
 				})

From 7a86a870c66565a6603d810f63012069712cf7d9 Mon Sep 17 00:00:00 2001
From: Robert Wolff <mahlzahn@posteo.de>
Date: Thu, 23 Apr 2026 00:35:11 +0200
Subject: [PATCH 161/287] fix: compare branches with names `diff` or `patch`
 (#12227)

Closes: Codeberg/Community#2538
Regression of: !5385

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12227
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 routers/web/repo/compare.go                       | 15 ++++++++-------
 .../user2/repo16.git/refs/heads/diff              |  1 +
 .../user2/repo16.git/refs/heads/patch             |  1 +
 tests/integration/compare_test.go                 | 10 ++++++++++
 4 files changed, 20 insertions(+), 7 deletions(-)
 create mode 100644 tests/gitea-repositories-meta/user2/repo16.git/refs/heads/diff
 create mode 100644 tests/gitea-repositories-meta/user2/repo16.git/refs/heads/patch

diff --git a/routers/web/repo/compare.go b/routers/web/repo/compare.go
index 41ad365ce1..d216403b53 100644
--- a/routers/web/repo/compare.go
+++ b/routers/web/repo/compare.go
@@ -231,13 +231,6 @@ func ParseCompareInfo(ctx *context.Context) *common.CompareInfo {
 	if infoPath == "" {
 		infos = []string{baseRepo.DefaultBranch, baseRepo.DefaultBranch}
 	} else {
-		infoPath, isDiff := strings.CutSuffix(infoPath, ".diff")
-		ctx.Data["ComparingDiff"] = isDiff
-		if !isDiff {
-			var isPatch bool
-			infoPath, isPatch = strings.CutSuffix(infoPath, ".patch")
-			ctx.Data["ComparingPatch"] = isPatch
-		}
 		infos = strings.SplitN(infoPath, "...", 2)
 		if len(infos) != 2 {
 			if infos = strings.SplitN(infoPath, "..", 2); len(infos) == 2 {
@@ -247,6 +240,14 @@ func ParseCompareInfo(ctx *context.Context) *common.CompareInfo {
 				infos = []string{baseRepo.DefaultBranch, infoPath}
 			}
 		}
+		var isDiff bool
+		infos[1], isDiff = strings.CutSuffix(infos[1], ".diff")
+		ctx.Data["ComparingDiff"] = isDiff
+		if !isDiff {
+			var isPatch bool
+			infos[1], isPatch = strings.CutSuffix(infos[1], ".patch")
+			ctx.Data["ComparingPatch"] = isPatch
+		}
 	}
 
 	ctx.Data["BaseName"] = baseRepo.OwnerName
diff --git a/tests/gitea-repositories-meta/user2/repo16.git/refs/heads/diff b/tests/gitea-repositories-meta/user2/repo16.git/refs/heads/diff
new file mode 100644
index 0000000000..4750a76432
--- /dev/null
+++ b/tests/gitea-repositories-meta/user2/repo16.git/refs/heads/diff
@@ -0,0 +1 @@
+f27c2b2b03dcab38beaf89b0ab4ff61f6de63441
diff --git a/tests/gitea-repositories-meta/user2/repo16.git/refs/heads/patch b/tests/gitea-repositories-meta/user2/repo16.git/refs/heads/patch
new file mode 100644
index 0000000000..4750a76432
--- /dev/null
+++ b/tests/gitea-repositories-meta/user2/repo16.git/refs/heads/patch
@@ -0,0 +1 @@
+f27c2b2b03dcab38beaf89b0ab4ff61f6de63441
diff --git a/tests/integration/compare_test.go b/tests/integration/compare_test.go
index 396c1c22ad..070f7e1b20 100644
--- a/tests/integration/compare_test.go
+++ b/tests/integration/compare_test.go
@@ -239,6 +239,16 @@ func TestCompareBranches(t *testing.T) {
 	diffChanges = []string{"test.txt"}
 
 	inspectCompare(t, htmlDoc, diffCount, diffChanges)
+
+	// Branches with name 'diff' or 'patch'
+	req = NewRequest(t, "GET", "/user2/repo16/compare/master..diff")
+	session.MakeRequest(t, req, http.StatusOK)
+	req = NewRequest(t, "GET", "/user2/repo16/compare/master..diff.patch")
+	session.MakeRequest(t, req, http.StatusOK)
+	req = NewRequest(t, "GET", "/user2/repo16/compare/master..patch")
+	session.MakeRequest(t, req, http.StatusOK)
+	req = NewRequest(t, "GET", "/user2/repo16/compare/master..patch.diff")
+	session.MakeRequest(t, req, http.StatusOK)
 }
 
 func TestCompareWithPRsDisabled(t *testing.T) {

From 9f7533c1f154e3e0f09823dd6bf54cb0799fe36c Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 23 Apr 2026 02:30:41 +0200
Subject: [PATCH 162/287] refactor: clarify four different outputs that
 authentication methods provide (#12231)

#12202 began a refactor of Forgejo's authentication implementations by providing structured data on an authentication success.  However, error cases were maintained as-is in that refactor, leaving a complex situation: what does returning an error from an authentication method mean?; does it mean that the authentication failed, or that a server error occurred?  Can another authentication still be tried?

This PR changes authentication methods so that they can return one of four things:
- `AuthenticationSuccess` with an authentication result.
- `AuthenticationNotAttempted` which indicates that no credentials relevant for this authentication method were presented.  If every method returned `AuthenticationNotAttempted`, then you would have an unauthenticated access.
- `AuthenticationAttemptedIncorrectCredential` which indicates that credentials were present and failed validation -- a situation indicating a `401 Unauthorized`.
- `AuthenticationError` which indicates that an internal server error occurred and failed authentication -- indicating a `500 Internal Server Error`.

This paves the way for one more refactor coming next: `basic.go` and `oauth2.go` perform 3-4 different authentications each (access tokens, oauth JWTs, actions tokens, actions JWTs, and username/password).  With the capability to return these more precise responses, these authentication methods can be split up into separate logic that isn't intertwined together.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
  - Relying on existing test suite, with changes for any compile errors -- the next refactor will simplify the auth methods so that they can be unit tested easily.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12231
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 routers/api/packages/api.go                 | 56 ++++++++++----
 routers/api/packages/chef/auth.go           | 19 +++--
 routers/api/packages/conan/auth.go          | 20 +++--
 routers/api/packages/container/auth.go      | 21 +++---
 routers/api/packages/nuget/auth.go          | 25 +++----
 routers/api/shared/middleware.go            | 20 ++++-
 routers/common/auth.go                      | 44 +++++------
 routers/web/web.go                          | 23 +++++-
 services/auth/interface.go                  | 46 ++++++++++--
 services/auth/method/basic.go               | 45 ++++++-----
 services/auth/method/group.go               | 45 +++++------
 services/auth/method/httpsign.go            | 15 ++--
 services/auth/method/oauth2.go              | 51 +++++--------
 services/auth/method/oauth2_test.go         | 15 +++-
 services/auth/method/reverseproxy.go        | 26 ++++---
 services/auth/method/session.go             | 16 ++--
 tests/integration/api_packages_chef_test.go | 82 ++++++++++++---------
 17 files changed, 340 insertions(+), 229 deletions(-)

diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index 2163badb49..7096cd9e51 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -4,6 +4,7 @@
 package packages
 
 import (
+	"errors"
 	"net/http"
 	"regexp"
 	"strings"
@@ -119,19 +120,30 @@ func verifyAuth(r *web.Route, authMethods []auth.Method) {
 	authGroup := auth_method.NewGroup(authMethods...)
 
 	r.Use(func(ctx *context.Context) {
-		authResult, err := authGroup.Verify(ctx.Req, ctx.Resp, ctx.Session)
-		if err != nil {
-			log.Info("Failed to verify user: %v", err)
+		output := authGroup.Verify(ctx.Req, ctx.Resp, ctx.Session)
+		var ar auth.AuthenticationResult
+		switch v := output.(type) {
+		case *auth.AuthenticationSuccess:
+			ar = v.Result
+		case *auth.AuthenticationNotAttempted:
+			ar = &auth.UnauthenticatedResult{}
+		case *auth.AuthenticationError:
+			ctx.ServerError("authentication error", v.Error)
+			return
+		case *auth.AuthenticationAttemptedIncorrectCredential:
 			ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
 			return
-		}
-		if authResult == nil {
-			ctx.Error(http.StatusInternalServerError, "verifyAuth nil authentication result")
+		default:
+			ctx.ServerError("Verify failed", errors.New("unexpected result from Method.Verify"))
 			return
 		}
-		ctx.Doer = authResult.User()
+		if ar == nil {
+			ctx.ServerError("nil authentication result", errors.New("nil authentication result"))
+			return
+		}
+		ctx.Doer = ar.User()
 		ctx.IsSigned = ctx.Doer != nil
-		ctx.Authentication = authResult
+		ctx.Authentication = ar
 	})
 }
 
@@ -142,20 +154,32 @@ func verifyContainerAuth(r *web.Route, authMethods []auth.Method) {
 	authGroup := auth_method.NewGroup(authMethods...)
 
 	r.Use(func(ctx *context.Context) {
-		authResult, err := authGroup.Verify(ctx.Req, ctx.Resp, ctx.Session)
-		if err != nil {
-			log.Info("Failed to verify user: %v", err)
+		output := authGroup.Verify(ctx.Req, ctx.Resp, ctx.Session)
+		var ar auth.AuthenticationResult
+		switch v := output.(type) {
+		case *auth.AuthenticationSuccess:
+			ar = v.Result
+		case *auth.AuthenticationNotAttempted:
+			ar = &auth.UnauthenticatedResult{}
+		case *auth.AuthenticationError:
+			ctx.ServerError("authentication error", v.Error)
+			return
+		case *auth.AuthenticationAttemptedIncorrectCredential:
+			log.Info("Failed to verify user: %v", v.Error)
 			container.APIUnauthorizedError(ctx)
 			ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
 			return
-		}
-		if authResult == nil {
-			ctx.Error(http.StatusInternalServerError, "verifyContainerAuth nil authentication result")
+		default:
+			ctx.ServerError("Verify failed", errors.New("unexpected result from Method.Verify"))
 			return
 		}
-		ctx.Doer = authResult.User()
+		if ar == nil {
+			ctx.ServerError("nil authentication result", errors.New("nil authentication result"))
+			return
+		}
+		ctx.Doer = ar.User()
 		ctx.IsSigned = ctx.Doer != nil
-		ctx.Authentication = authResult
+		ctx.Authentication = ar
 	})
 }
 
diff --git a/routers/api/packages/chef/auth.go b/routers/api/packages/chef/auth.go
index b9ff4b25f8..86e8254ba7 100644
--- a/routers/api/packages/chef/auth.go
+++ b/routers/api/packages/chef/auth.go
@@ -65,34 +65,37 @@ func (a *Auth) Name() string {
 
 // Verify extracts the user from the signed request
 // If the request is signed with the user private key the user is verified.
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
+func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
 	u, err := getUserFromRequest(req)
 	if err != nil {
-		return nil, err
+		if !user_model.IsErrUserNotExist(err) {
+			return &auth.AuthenticationError{Error: fmt.Errorf("chef auth getUserFromRequest: %w", err)}
+		}
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 	}
 	if u == nil {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	pub, err := getUserPublicKey(req.Context(), u)
 	if err != nil {
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("chef auth getUserPublicKey: %w", err)}
 	}
 
 	if err := verifyTimestamp(req); err != nil {
-		return nil, err
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 	}
 
 	version, err := getSignVersion(req)
 	if err != nil {
-		return nil, err
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 	}
 
 	if err := verifySignedHeaders(req, version, pub.(*rsa.PublicKey)); err != nil {
-		return nil, err
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 	}
 
-	return &chefAuthenticationResult{user: u}, nil
+	return &auth.AuthenticationSuccess{Result: &chefAuthenticationResult{user: u}}
 }
 
 func getUserFromRequest(req *http.Request) (*user_model.User, error) {
diff --git a/routers/api/packages/conan/auth.go b/routers/api/packages/conan/auth.go
index df0283167f..a2f1833032 100644
--- a/routers/api/packages/conan/auth.go
+++ b/routers/api/packages/conan/auth.go
@@ -4,6 +4,7 @@
 package conan
 
 import (
+	"fmt"
 	"net/http"
 
 	auth_model "forgejo.org/models/auth"
@@ -40,15 +41,18 @@ func (a *Auth) Name() string {
 }
 
 // Verify extracts the user from the Bearer token
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
+func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
 	uid, scope, err := packages.ParseAuthorizationToken(req)
 	if err != nil {
 		log.Trace("ParseAuthorizationToken: %v", err)
-		return nil, err
-	}
-
-	if uid == 0 {
-		return &auth.UnauthenticatedResult{}, nil
+		// Errors from ParseAuthorizationToken are almost all from malformed incoming input, which we'll consider an
+		// auth failure:
+		// - `Authorization` header was present for all cases, so it's not `AuthenticationNotAttempted`
+		// - it's not `AuthenticationError` because malformed headers would cause errors, and this is intended for
+		//   server errors which should cause 500s
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: fmt.Errorf("conan auth JWT error: %w", err)}
+	} else if uid == 0 {
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	// Propagate scope of the authorization token.
@@ -60,8 +64,8 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.Sessio
 	u, err := user_model.GetUserByID(req.Context(), uid)
 	if err != nil {
 		log.Error("GetUserByID:  %v", err)
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("conan auth GetUserByID failed: %w", err)}
 	}
 
-	return &conanAuthenticationResult{user: u, scope: authScope}, nil
+	return &auth.AuthenticationSuccess{Result: &conanAuthenticationResult{user: u, scope: authScope}}
 }
diff --git a/routers/api/packages/container/auth.go b/routers/api/packages/container/auth.go
index 67310de948..4f5a0c1524 100644
--- a/routers/api/packages/container/auth.go
+++ b/routers/api/packages/container/auth.go
@@ -4,6 +4,7 @@
 package container
 
 import (
+	"fmt"
 	"net/http"
 
 	auth_model "forgejo.org/models/auth"
@@ -41,15 +42,18 @@ func (a *Auth) Name() string {
 
 // Verify extracts the user from the Bearer token
 // If it's an anonymous session a ghost user is returned
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
+func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
 	uid, scope, err := packages.ParseAuthorizationToken(req)
 	if err != nil {
 		log.Trace("ParseAuthorizationToken: %v", err)
-		return nil, err
-	}
-
-	if uid == 0 {
-		return &auth.UnauthenticatedResult{}, nil
+		// Errors from ParseAuthorizationToken are almost all from malformed incoming input, which we'll consider an
+		// auth failure:
+		// - `Authorization` header was present for all cases, so it's not `AuthenticationNotAttempted`
+		// - it's not `AuthenticationError` because malformed headers would cause errors, and this is intended for
+		//   server errors which should cause 500s
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
+	} else if uid == 0 {
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	// Propagate scope of the authorization token.
@@ -60,9 +64,8 @@ func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.Sessio
 
 	u, err := user_model.GetPossibleUserByID(req.Context(), uid)
 	if err != nil {
-		log.Error("GetPossibleUserByID:  %v", err)
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("container auth GetPossibleUserByID: %w", err)}
 	}
 
-	return &containerAuthenticationResult{user: u, scope: authScope}, nil
+	return &auth.AuthenticationSuccess{Result: &containerAuthenticationResult{user: u, scope: authScope}}
 }
diff --git a/routers/api/packages/nuget/auth.go b/routers/api/packages/nuget/auth.go
index c33799734c..b4642d3173 100644
--- a/routers/api/packages/nuget/auth.go
+++ b/routers/api/packages/nuget/auth.go
@@ -4,6 +4,7 @@
 package nuget
 
 import (
+	"fmt"
 	"net/http"
 
 	auth_model "forgejo.org/models/auth"
@@ -26,34 +27,30 @@ func (r *nugetAuthenticationResult) User() *user_model.User {
 	return r.user
 }
 
-var _ auth.Method = &Auth{}
-
 type Auth struct{}
 
-func (a *Auth) Name() string {
-	return "nuget"
-}
-
 // https://docs.microsoft.com/en-us/nuget/api/package-publish-resource#request-parameters
-func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
-	token, err := auth_model.GetAccessTokenBySHA(req.Context(), req.Header.Get("X-NuGet-ApiKey"))
+func (a *Auth) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
+	apiKey := req.Header.Get("X-NuGet-ApiKey")
+	if apiKey == "" {
+		return &auth.AuthenticationNotAttempted{}
+	}
+	token, err := auth_model.GetAccessTokenBySHA(req.Context(), apiKey)
 	if err != nil {
 		if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
-			log.Error("GetAccessTokenBySHA: %v", err)
-			return nil, err
+			return &auth.AuthenticationError{Error: fmt.Errorf("nuget auth GetAccessTokenBySHA: %w", err)}
 		}
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 	}
 
 	u, err := user_model.GetUserByID(req.Context(), token.UID)
 	if err != nil {
-		log.Error("GetUserByID:  %v", err)
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("nuget auth GetUserByID: %w", err)}
 	}
 
 	if err := token.UpdateLastUsed(req.Context()); err != nil {
 		log.Error("UpdateLastUsed:  %v", err)
 	}
 
-	return &nugetAuthenticationResult{user: u}, nil
+	return &auth.AuthenticationSuccess{Result: &nugetAuthenticationResult{user: u}}
 }
diff --git a/routers/api/shared/middleware.go b/routers/api/shared/middleware.go
index 7e935970ec..5a2debf3af 100644
--- a/routers/api/shared/middleware.go
+++ b/routers/api/shared/middleware.go
@@ -60,13 +60,25 @@ func buildAuthGroup() *auth_method.Group {
 
 func apiAuthentication(authMethod auth.Method) func(*context.APIContext) {
 	return func(ctx *context.APIContext) {
-		ar, err := common.AuthShared(ctx.Base, nil, authMethod)
-		if err != nil {
-			ctx.Error(http.StatusUnauthorized, "APIAuth", err)
+		output := common.AuthShared(ctx.Base, nil, authMethod)
+		var ar auth.AuthenticationResult
+		switch v := output.(type) {
+		case *auth.AuthenticationSuccess:
+			ar = v.Result
+		case *auth.AuthenticationNotAttempted:
+			ar = &auth.UnauthenticatedResult{}
+		case *auth.AuthenticationAttemptedIncorrectCredential:
+			ctx.Error(http.StatusUnauthorized, "APIAuth", v.Error)
+			return
+		case *auth.AuthenticationError:
+			ctx.ServerError("authentication error", v.Error)
+			return
+		default:
+			ctx.ServerError("authentication error", errors.New("unexpected result from common.AuthShared"))
 			return
 		}
 		if ar == nil {
-			ctx.Error(http.StatusInternalServerError, "apiAuthentication nil authentication result", errors.New("nil authentication result"))
+			ctx.ServerError("nil authentication result", errors.New("nil authentication result"))
 			return
 		}
 		ctx.Doer = ar.User()
diff --git a/routers/common/auth.go b/routers/common/auth.go
index 014db93dad..b8905b6201 100644
--- a/routers/common/auth.go
+++ b/routers/common/auth.go
@@ -4,35 +4,37 @@
 package common
 
 import (
-	"errors"
-
 	"forgejo.org/modules/web/middleware"
 	auth_service "forgejo.org/services/auth"
 	"forgejo.org/services/context"
 )
 
-func AuthShared(ctx *context.Base, sessionStore auth_service.SessionStore, authMethod auth_service.Method) (ar auth_service.AuthenticationResult, err error) {
-	ar, err = authMethod.Verify(ctx.Req, ctx.Resp, sessionStore)
-	if err != nil {
-		return ar, err
+func AuthShared(ctx *context.Base, sessionStore auth_service.SessionStore, authMethod auth_service.Method) auth_service.MethodOutput {
+	output := authMethod.Verify(ctx.Req, ctx.Resp, sessionStore)
+
+	var ar auth_service.AuthenticationResult
+	switch v := output.(type) {
+	case *auth_service.AuthenticationSuccess:
+		ar = v.Result
+	case *auth_service.AuthenticationNotAttempted:
+		ar = &auth_service.UnauthenticatedResult{}
 	}
-	if ar == nil {
-		return nil, errors.New("failure to retrieve AuthenticationResult - nil value")
-	}
-	doer := ar.User()
-	if doer != nil {
-		if ctx.Locale.Language() != doer.Language {
-			ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
+	if ar != nil {
+		doer := ar.User()
+		if doer != nil {
+			if ctx.Locale.Language() != doer.Language {
+				ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
+			}
+			ctx.Data["IsSigned"] = true
+			ctx.Data[middleware.ContextDataKeySignedUser] = doer
+			ctx.Data["SignedUserID"] = doer.ID
+			ctx.Data["IsAdmin"] = doer.IsAdmin
+		} else {
+			ctx.Data["IsSigned"] = false
+			ctx.Data["SignedUserID"] = int64(0)
 		}
-		ctx.Data["IsSigned"] = true
-		ctx.Data[middleware.ContextDataKeySignedUser] = doer
-		ctx.Data["SignedUserID"] = doer.ID
-		ctx.Data["IsAdmin"] = doer.IsAdmin
-	} else {
-		ctx.Data["IsSigned"] = false
-		ctx.Data["SignedUserID"] = int64(0)
 	}
-	return ar, nil
+	return output
 }
 
 // VerifyOptions contains required or check options
diff --git a/routers/web/web.go b/routers/web/web.go
index 492a578259..9d8ac332a8 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -6,6 +6,7 @@ package web
 
 import (
 	gocontext "context"
+	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -120,14 +121,28 @@ func buildAuthGroup() *auth_method.Group {
 
 func webAuth(authMethod auth_service.Method) func(*context.Context) {
 	return func(ctx *context.Context) {
-		ar, err := common.AuthShared(ctx.Base, ctx.Session, authMethod)
-		if err != nil {
-			log.Info("Failed to verify user: %v", err)
+		output := common.AuthShared(ctx.Base, ctx.Session, authMethod)
+		var ar auth_service.AuthenticationResult
+		switch v := output.(type) {
+		case *auth_service.AuthenticationSuccess:
+			ar = v.Result
+		case *auth_service.AuthenticationNotAttempted:
+			ar = &auth_service.UnauthenticatedResult{}
+		case *auth_service.AuthenticationAttemptedIncorrectCredential:
 			ctx.Error(http.StatusUnauthorized, ctx.Locale.TrString("auth.unauthorized_credentials", "https://codeberg.org/forgejo/forgejo/issues/2809"))
 			return
+		case *auth_service.AuthenticationError:
+			// Don't reveal the internal server error details to the user as they may contain sensitive details -- log
+			// the details, return a generic error.
+			log.Error("internal error during authentication: %v", v.Error)
+			ctx.ServerError("authentication error", errors.New("internal server error in authentication"))
+			return
+		default:
+			ctx.ServerError("authentication error", errors.New("unexpected result from common.AuthShared"))
+			return
 		}
 		if ar == nil {
-			ctx.Error(http.StatusInternalServerError, "webAuth nil authentication result")
+			ctx.ServerError("nil authentication result", errors.New("nil authentication result"))
 			return
 		}
 		ctx.Doer = ar.User()
diff --git a/services/auth/interface.go b/services/auth/interface.go
index 73cbe5403f..bbfe641520 100644
--- a/services/auth/interface.go
+++ b/services/auth/interface.go
@@ -23,13 +23,49 @@ type SessionStore session.Store
 
 // Method represents an authentication method (plugin) for HTTP requests.
 type Method interface {
-	// Verify tries to verify the authentication data contained in the request. If verification is successful returns an
-	// AuthenticationResult implementation with details about the authentication, or, may return an
-	// AnonymousAuthentication if the authentication method doesn't indicate that the request is authenticated. An error
-	// is only returned if a failure occurred while checking authentication.
-	Verify(http *http.Request, w http.ResponseWriter, sess SessionStore) (AuthenticationResult, error)
+	// Verify tries to validate credentials provided in the request, and returns one of the [MethodOutput] results
+	// indicating the result of its validation.
+	Verify(http *http.Request, w http.ResponseWriter, sess SessionStore) MethodOutput
 }
 
+// When attempting to authenticate with an authentication [Method], one of the MethodOutput implementations must be
+// returned. This interface serves as a enum of supported outputs, plus related values for each enum. Outputs are
+// [AuthenticationSuccess], [AuthenticationNotAttempted], [AuthenticationAttemptedWithFailure], and
+// [AuthenticationError].
+type MethodOutput interface {
+	isMethodOutput()
+}
+
+// Authentication positively identified the incoming request as successfully authenticated with the result in the
+// attached [AuthenticationResult]. For example, if a username and password were provided and we confirmed that those
+// credentials matched an existing user in the database, then AuthenticationSuccess would be returned.
+type AuthenticationSuccess struct {
+	Result AuthenticationResult
+}
+
+// Authentication method was not found to be applicable for the given request. For example, if a request did not contain
+// `Authorization: Basic ...`, then a basic authentication method would return AuthenticationNotAttempted to indicate
+// that this method didn't apply to the incoming request.
+type AuthenticationNotAttempted struct{}
+
+// Authentication method was attempted against the request and positively identified to be an incorrect credential. For
+// example, if a request contained `Authorization: Basic ...`, and the username and password that were provided were
+// found to not match any user, AuthenticationAttemptedIncorrectCredential would be returned. This is typically an
+// indicator of a `401 Unauthorized ...` response.
+type AuthenticationAttemptedIncorrectCredential struct {
+	Error error
+}
+
+// Authentication was attempted and an unexpected internal error occurred.
+type AuthenticationError struct {
+	Error error
+}
+
+func (*AuthenticationSuccess) isMethodOutput()                      {}
+func (*AuthenticationNotAttempted) isMethodOutput()                 {}
+func (*AuthenticationAttemptedIncorrectCredential) isMethodOutput() {}
+func (*AuthenticationError) isMethodOutput()                        {}
+
 // PasswordAuthenticator represents a source of authentication
 type PasswordAuthenticator interface {
 	Authenticate(ctx context.Context, user *user_model.User, login, password string) (*user_model.User, error)
diff --git a/services/auth/method/basic.go b/services/auth/method/basic.go
index 5b551135be..905deb0652 100644
--- a/services/auth/method/basic.go
+++ b/services/auth/method/basic.go
@@ -6,6 +6,7 @@ package method
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 	"strings"
 
@@ -19,6 +20,7 @@ import (
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web/middleware"
 	"forgejo.org/services/auth"
+	"forgejo.org/services/auth/source/db"
 	"forgejo.org/services/authz"
 )
 
@@ -36,20 +38,20 @@ type Basic struct{}
 // "Authorization" header of the request and returns the corresponding user object for that
 // name/token on successful validation.
 // Returns nil if header is empty or validation fails.
-func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) (auth.AuthenticationResult, error) {
+func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
 	// Basic authentication should only fire on API, Download or on Git or LFSPaths
 	if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	baHead := req.Header.Get("Authorization")
 	if len(baHead) == 0 {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	auths := strings.SplitN(baHead, " ", 2)
 	if len(auths) != 2 || (strings.ToLower(auths[0]) != "basic") {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	uname, passwd, _ := base.BasicAuthDecode(auths[1])
@@ -73,8 +75,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionS
 
 		u, err := user_model.GetUserByID(req.Context(), uid)
 		if err != nil {
-			log.Error("GetUserByID:  %v", err)
-			return nil, err
+			return &auth.AuthenticationError{Error: fmt.Errorf("basic auth GetUserByID: %w", err)}
 		}
 
 		var scope auth_model.AccessTokenScope
@@ -83,17 +84,16 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionS
 		} else {
 			scope = auth_model.AccessTokenScopeAll // fallback to all
 		}
-		return &oAuth2JWTAuthenticationResult{user: u, scope: optional.Some(scope)}, nil
+		return &auth.AuthenticationSuccess{Result: &oAuth2JWTAuthenticationResult{user: u, scope: optional.Some(scope)}}
 	}
 
 	// check personal access token
 	token, err := auth_model.GetAccessTokenBySHA(req.Context(), authToken)
 	if err == nil {
-		log.Trace("Basic Authorization: Valid AccessToken for user[%d]", uid)
+		log.Trace("Basic Authorization: Valid AccessToken for user[%d]", token.UID)
 		u, err := user_model.GetUserByID(req.Context(), token.UID)
 		if err != nil {
-			log.Error("GetUserByID:  %v", err)
-			return nil, err
+			return &auth.AuthenticationError{Error: fmt.Errorf("basic auth GetUserByID for access token: %w", err)}
 		}
 
 		if err = token.UpdateLastUsed(req.Context()); err != nil {
@@ -102,11 +102,10 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionS
 
 		reducer, err := authz.GetAuthorizationReducerForAccessToken(req.Context(), token)
 		if err != nil {
-			log.Error("authz.GetAuthorizationReducerForAccessToken: %v", err)
-			return nil, err
+			return &auth.AuthenticationError{Error: fmt.Errorf("basic auth GetAuthorizationReducerForAccessToken: %w", err)}
 		}
 
-		return &accessTokenAuthenticationResult{user: u, scope: token.Scope, reducer: reducer}, nil
+		return &auth.AuthenticationSuccess{Result: &accessTokenAuthenticationResult{user: u, scope: token.Scope, reducer: reducer}}
 	} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
 		log.Error("GetAccessTokenBySha: %v", err)
 	}
@@ -115,41 +114,41 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionS
 	task, err := actions_model.GetRunningTaskByToken(req.Context(), authToken)
 	if err == nil && task != nil {
 		log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)
-		return &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}, nil
+		return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}}
 	}
 
 	if !setting.Service.EnableBasicAuth {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("basic authentication by username & password is disabled")}
 	}
 
 	log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
 	u, source, err := UserSignIn(req.Context(), uname, passwd)
 	if err != nil {
-		if !user_model.IsErrUserNotExist(err) {
-			log.Error("UserSignIn: %v", err)
+		if user_model.IsErrUserNotExist(err) || user_model.IsErrUserProhibitLogin(err) ||
+			errors.As(err, &db.ErrUserPasswordInvalid{}) || errors.As(err, &db.ErrUserPasswordNotSet{}) {
+			return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 		}
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("basic auth UserSignIn: %w", err)}
 	}
 
 	hashWebAuthn, err := auth_model.HasWebAuthnRegistrationsByUID(req.Context(), u.ID)
 	if err != nil {
-		log.Error("HasWebAuthnRegistrationsByUID: %v", err)
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("basic auth HasWebAuthnRegistrationsByUID: %w", err)}
 	}
 
 	if hashWebAuthn {
-		return nil, errors.New("Basic authorization is not allowed while having security keys enrolled")
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("Basic authorization is not allowed while having security keys enrolled")}
 	}
 
 	if skipper, ok := source.Cfg.(auth.LocalTwoFASkipper); !ok || !skipper.IsSkipLocalTwoFA() {
 		if err := validateTOTP(req, u); err != nil {
-			return nil, err
+			return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 		}
 	}
 
 	log.Trace("Basic Authorization: Logged in user %-v", u)
 
-	return &basicPaswordAuthenticationResult{user: u}, nil
+	return &auth.AuthenticationSuccess{Result: &basicPaswordAuthenticationResult{user: u}}
 }
 
 func getOtpHeader(header http.Header) string {
diff --git a/services/auth/method/group.go b/services/auth/method/group.go
index a87f5d6a75..8082c1d837 100644
--- a/services/auth/method/group.go
+++ b/services/auth/method/group.go
@@ -4,6 +4,8 @@
 package method
 
 import (
+	"errors"
+	"fmt"
 	"net/http"
 
 	"forgejo.org/services/auth"
@@ -31,33 +33,34 @@ func (b *Group) Add(method auth.Method) {
 	b.methods = append(b.methods, method)
 }
 
-func (b *Group) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
-	// Try to sign in with each of the enabled plugins
-	var retErr error
+func (b *Group) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
+	var incorrectCredentials []error
+
 	for _, m := range b.methods {
-		authResult, err := m.Verify(req, w, sess)
-		if err != nil {
-			if retErr == nil {
-				retErr = err
-			}
-			// Try other methods if this one failed.
-			// Some methods may share the same protocol to detect if they are matched.
-			// For example, OAuth2 and conan.Auth both read token from "Authorization: Bearer <token>" header,
-			// If OAuth2 returns error, we should give conan.Auth a chance to try.
+		output := m.Verify(req, w, sess)
+
+		switch v := output.(type) {
+		case *auth.AuthenticationSuccess, *auth.AuthenticationError:
+			return v
+
+		case *auth.AuthenticationNotAttempted:
+			// Move on to the next supported authentication method.
 			continue
-		}
 
-		// If any method returns an authenticated result, we can stop trying. Return and ignore any error returned by
-		// previous methods.
-		if authResult.User() != nil {
-			return authResult, nil
+		case *auth.AuthenticationAttemptedIncorrectCredential:
+			// Move on to the next supported authentication method, but keep a record of this error.  If none of the
+			// other methods are able to authenticate the user, we'll report this as an incorrect credential (401) case.
+			incorrectCredentials = append(incorrectCredentials, v.Error)
+			continue
+
+		default:
+			return &auth.AuthenticationError{Error: fmt.Errorf("unexpected result from Method.Verify on method %v: %v", m, v)}
 		}
 	}
 
-	if retErr != nil {
-		// If no method returns a user, return the error returned by the first method.
-		return nil, retErr
+	if len(incorrectCredentials) != 0 {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.Join(incorrectCredentials...)}
 	}
 
-	return &auth.UnauthenticatedResult{}, nil
+	return &auth.AuthenticationNotAttempted{}
 }
diff --git a/services/auth/method/httpsign.go b/services/auth/method/httpsign.go
index a5328bddcd..7a80452b2b 100644
--- a/services/auth/method/httpsign.go
+++ b/services/auth/method/httpsign.go
@@ -35,10 +35,10 @@ type HTTPSign struct{}
 // Verify extracts and validates HTTPsign from the Signature header of the request and returns
 // the corresponding user object on successful validation.
 // Returns nil if header is empty or validation fails.
-func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) (auth.AuthenticationResult, error) {
+func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
 	sigHead := req.Header.Get("Signature")
 	if len(sigHead) == 0 {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	var (
@@ -49,14 +49,14 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, _ auth.Sessi
 	if len(req.Header.Get("X-Ssh-Certificate")) != 0 {
 		// Handle Signature signed by SSH certificates
 		if len(setting.SSH.TrustedUserCAKeys) == 0 {
-			return &auth.UnauthenticatedResult{}, nil
+			return &auth.AuthenticationNotAttempted{}
 		}
 
 		publicKey, err = VerifyCert(req)
 		if err != nil {
 			log.Debug("VerifyCert on request from %s: failed: %v", req.RemoteAddr, err)
 			log.Warn("Failed authentication attempt from %s", req.RemoteAddr)
-			return &auth.UnauthenticatedResult{}, nil
+			return &auth.AuthenticationNotAttempted{} // 401 is not expected on signature validation miss; return not attempted
 		}
 	} else {
 		// Handle Signature signed by Public Key
@@ -64,18 +64,17 @@ func (h *HTTPSign) Verify(req *http.Request, w http.ResponseWriter, _ auth.Sessi
 		if err != nil {
 			log.Debug("VerifyPubKey on request from %s: failed: %v", req.RemoteAddr, err)
 			log.Warn("Failed authentication attempt from %s", req.RemoteAddr)
-			return &auth.UnauthenticatedResult{}, nil
+			return &auth.AuthenticationNotAttempted{} // 401 is not expected on signature validation miss; return not attempted
 		}
 	}
 
 	u, err := user_model.GetUserByID(req.Context(), publicKey.OwnerID)
 	if err != nil {
-		log.Error("GetUserByID:  %v", err)
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("httpsign GetUserByID: %w", err)}
 	}
 
 	log.Trace("HTTP Sign: Logged in user %-v", u)
-	return &httpSignAuthenticationResult{user: u}, nil
+	return &auth.AuthenticationSuccess{Result: &httpSignAuthenticationResult{user: u}}
 }
 
 func VerifyPubKey(r *http.Request) (*asymkey_model.PublicKey, error) {
diff --git a/services/auth/method/oauth2.go b/services/auth/method/oauth2.go
index e80c4bc35c..8e07a2ecca 100644
--- a/services/auth/method/oauth2.go
+++ b/services/auth/method/oauth2.go
@@ -6,7 +6,7 @@ package method
 
 import (
 	"context"
-	"errors"
+	"fmt"
 	"net/http"
 	"slices"
 	"strings"
@@ -146,16 +146,16 @@ func parseToken(req *http.Request) (string, bool) {
 // userIDFromToken returns the user id corresponding to the OAuth token.
 // It will set 'IsApiToken' to true if the token is an API token and
 // set 'ApiTokenScope' to the scope of the access token
-func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string) (auth.AuthenticationResult, error) {
+func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string) auth.MethodOutput {
 	if tokenSHA == "" {
-		return nil, auth_model.ErrAccessTokenEmpty{}
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: auth_model.ErrAccessTokenEmpty{}}
 	}
 	// Let's see if token is valid.
 	if strings.Contains(tokenSHA, ".") {
 		// First attempt to decode an actions JWT, returning the actions user
 		if taskID, err := actions.TokenToTaskID(tokenSHA); err == nil {
 			if CheckTaskIsRunning(ctx, taskID) {
-				return &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: taskID}, nil
+				return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: taskID}}
 			}
 		}
 
@@ -171,12 +171,12 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string) (auth.Aut
 		}
 		user, err := user_model.GetPossibleUserByID(ctx, uid)
 		if err != nil {
-			if !user_model.IsErrUserNotExist(err) {
-				log.Error("GetUserByName: %v", err)
+			if user_model.IsErrUserNotExist(err) {
+				return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 			}
-			return nil, err
+			return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetPossibleUserByID: %w", err)}
 		}
-		return &oAuth2JWTAuthenticationResult{user: user, scope: accessTokenScope}, nil
+		return &auth.AuthenticationSuccess{Result: &oAuth2JWTAuthenticationResult{user: user, scope: accessTokenScope}}
 	}
 
 	t, err := auth_model.GetAccessTokenBySHA(ctx, tokenSHA)
@@ -186,63 +186,50 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string) (auth.Aut
 			task, err := actions_model.GetRunningTaskByToken(ctx, tokenSHA)
 			if err == nil && task != nil {
 				log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)
-				return &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}, nil
+				return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}}
 			}
 		} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
-			log.Error("GetAccessTokenBySHA: %v", err)
-			return nil, err
+			return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetAccessTokenBySHA: %w", err)}
 		}
-		return nil, err
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 	}
 	if err := t.UpdateLastUsed(ctx); err != nil {
 		log.Error("UpdateLastUsed: %v", err)
 	}
 	if t.UID == 0 {
-		return nil, auth_model.ErrAccessTokenNotExist{}
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 	}
 
 	reducer, err := authz.GetAuthorizationReducerForAccessToken(ctx, t)
 	if err != nil {
-		log.Error("authz.GetAuthorizationReducerForAccessToken: %v", err)
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetAuthorizationReducerForAccessToken: %w", err)}
 	}
 
 	u, err := user_model.GetUserByID(ctx, t.UID)
 	if err != nil {
-		log.Error("GetUserByID:  %v", err)
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetUserByID: %w", err)}
 	}
 
-	return &accessTokenAuthenticationResult{user: u, scope: t.Scope, reducer: reducer}, nil
+	return &auth.AuthenticationSuccess{Result: &accessTokenAuthenticationResult{user: u, scope: t.Scope, reducer: reducer}}
 }
 
 // Verify extracts the user ID from the OAuth token in the query parameters
 // or the "Authorization" header and returns the corresponding user object for that ID.
 // If verification is successful returns an existing user object.
 // Returns nil if verification fails.
-func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) (auth.AuthenticationResult, error) {
+func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
 	// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
 	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
 		!isGitRawOrAttachPath(req) && !isArchivePath(req) {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	token, ok := parseToken(req)
 	if !ok {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 
-	auth, err := o.userIDFromToken(req.Context(), token)
-	if err != nil {
-		return nil, err
-	} else if auth.User() == nil {
-		// Having successfully found a token, it's now expected that the only valid outcomes are either errors that
-		// result in 401s (if the token wasn't valid), or valid authentication as a user. If we reach here, we've missed
-		// those expected outcomes and somehow returned an unauthenticated response even though a token was provided.
-		return nil, errors.New("unexpected unauthenticated result from userIDFromToken")
-	}
-	log.Trace("OAuth2 Authorization: Logged in user %-v", auth.User())
-	return auth, nil
+	return o.userIDFromToken(req.Context(), token)
 }
 
 func isAuthenticatedTokenRequest(req *http.Request) bool {
diff --git a/services/auth/method/oauth2_test.go b/services/auth/method/oauth2_test.go
index c08ec57151..5ad103fe58 100644
--- a/services/auth/method/oauth2_test.go
+++ b/services/auth/method/oauth2_test.go
@@ -12,6 +12,7 @@ import (
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/services/actions"
+	auth_service "forgejo.org/services/auth"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -33,8 +34,10 @@ func TestUserIDFromToken(t *testing.T) {
 		require.NoError(t, err)
 
 		o := OAuth2{}
-		authResult, err := o.userIDFromToken(t.Context(), token)
-		require.NoError(t, err)
+		output := o.userIDFromToken(t.Context(), token)
+		ar, authSuccess := output.(*auth_service.AuthenticationSuccess)
+		require.True(t, authSuccess, "expected type AuthenticationSuccess, but was: %#v", output)
+		authResult := ar.Result
 		assert.Equal(t, int64(user_model.ActionsUserID), authResult.User().ID)
 		isActionsToken, authTaskID := authResult.ActionsTaskID().Get()
 		assert.True(t, isActionsToken)
@@ -53,9 +56,13 @@ func TestUserIDFromToken(t *testing.T) {
 		o := OAuth2{}
 		for name, c := range cases {
 			t.Run(name, func(t *testing.T) {
-				authResult, err := o.userIDFromToken(t.Context(), c.Token)
+				output := o.userIDFromToken(t.Context(), c.Token)
+
+				ar, authFailure := output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+				require.True(t, authFailure, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+				err := ar.Error
+
 				require.ErrorIs(t, err, c.Error)
-				assert.Nil(t, authResult)
 			})
 		}
 	})
diff --git a/services/auth/method/reverseproxy.go b/services/auth/method/reverseproxy.go
index df6e626bcb..0fda466875 100644
--- a/services/auth/method/reverseproxy.go
+++ b/services/auth/method/reverseproxy.go
@@ -6,6 +6,7 @@ package method
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 	"strings"
 
@@ -77,13 +78,13 @@ func (r *ReverseProxy) getEmail(req *http.Request) string {
 // If an email is available in the "setting.ReverseProxyAuthEmail" header an existing
 // user object is returned (populated with the email found in header).
 // Returns nil if header is empty or if "setting.EnableReverseProxyEmail" is disabled.
-func (r *ReverseProxy) getUserFromAuthEmail(req *http.Request) *user_model.User {
+func (r *ReverseProxy) getUserFromAuthEmail(req *http.Request) (*user_model.User, error) {
 	if !setting.Service.EnableReverseProxyEmail {
-		return nil
+		return nil, util.ErrNotExist
 	}
 	email := r.getEmail(req)
 	if len(email) == 0 {
-		return nil
+		return nil, util.ErrNotExist
 	}
 	log.Trace("ReverseProxy Authorization: Found email: %s", email)
 
@@ -93,24 +94,29 @@ func (r *ReverseProxy) getUserFromAuthEmail(req *http.Request) *user_model.User
 		if !user_model.IsErrUserNotExist(err) {
 			log.Error("GetUserByEmail: %v", err)
 		}
-		return nil
+		return nil, err
 	}
-	return user
+	return user, nil
 }
 
 // Verify attempts to load a user object based on headers sent by the reverse proxy.
 // First it will attempt to load it based on the username (see docs for getUserFromAuthUser),
 // and failing that it will attempt to load it based on the email (see docs for getUserFromAuthEmail).
 // Returns nil if the headers are empty or the user is not found.
-func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
+func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
 	user, err := r.getUserFromAuthUser(req)
 	if err != nil && !errors.Is(err, util.ErrNotExist) {
-		return nil, err
+		return &auth.AuthenticationError{Error: fmt.Errorf("reverse proxy getUserFromAuthUser: %w", err)}
 	}
 	if user == nil {
-		user = r.getUserFromAuthEmail(req)
+		user, err = r.getUserFromAuthEmail(req)
 		if user == nil {
-			return &auth.UnauthenticatedResult{}, nil
+			if errors.Is(err, util.ErrNotExist) {
+				// Not attempted is returned when no HTTP headers were provided, which is the cases that ErrNotExist
+				// represents:
+				return &auth.AuthenticationNotAttempted{}
+			}
+			return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("user not found")}
 		}
 	}
 
@@ -122,7 +128,7 @@ func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, sess aut
 	}
 
 	log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
-	return &reverseProxyAuthenticationResult{user: user}, nil
+	return &auth.AuthenticationSuccess{Result: &reverseProxyAuthenticationResult{user: user}}
 }
 
 // isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
diff --git a/services/auth/method/session.go b/services/auth/method/session.go
index 540d544aa0..9166752853 100644
--- a/services/auth/method/session.go
+++ b/services/auth/method/session.go
@@ -4,6 +4,7 @@
 package method
 
 import (
+	"fmt"
 	"net/http"
 
 	user_model "forgejo.org/models/user"
@@ -23,34 +24,33 @@ type Session struct{}
 // Verify checks if there is a user uid stored in the session and returns the user
 // object for that uid.
 // Returns nil if there is no user uid stored in the session.
-func (s *Session) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) (auth.AuthenticationResult, error) {
+func (s *Session) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
 	if sess == nil {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	// Get user ID
 	uid := sess.Get("uid")
 	if uid == nil {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 	log.Trace("Session Authorization: Found user[%d]", uid)
 
 	id, ok := uid.(int64)
 	if !ok {
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationNotAttempted{}
 	}
 
 	// Get user object
 	user, err := user_model.GetUserByID(req.Context(), id)
 	if err != nil {
 		if !user_model.IsErrUserNotExist(err) {
-			log.Error("GetUserByID: %v", err)
 			// Return the err as-is to keep current signed-in session, in case the err is something like context.Canceled. Otherwise non-existing user (nil, nil) will make the caller clear the signed-in session.
-			return nil, err
+			return &auth.AuthenticationError{Error: fmt.Errorf("session auth GetUserByID: %w", err)}
 		}
-		return &auth.UnauthenticatedResult{}, nil
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
 	}
 
 	log.Trace("Session Authorization: Logged in user %-v", user)
-	return &sessionAuthenticationResult{user: user}, nil
+	return &auth.AuthenticationSuccess{Result: &sessionAuthenticationResult{user: user}}
 }
diff --git a/tests/integration/api_packages_chef_test.go b/tests/integration/api_packages_chef_test.go
index b467f18e13..6a07a38691 100644
--- a/tests/integration/api_packages_chef_test.go
+++ b/tests/integration/api_packages_chef_test.go
@@ -32,6 +32,7 @@ import (
 	chef_module "forgejo.org/modules/packages/chef"
 	"forgejo.org/modules/setting"
 	chef_router "forgejo.org/routers/api/packages/chef"
+	auth_service "forgejo.org/services/auth"
 	"forgejo.org/tests"
 
 	"github.com/stretchr/testify/assert"
@@ -94,10 +95,9 @@ nwIDAQAB
 			defer tests.PrintCurrentTest(t)()
 
 			req := NewRequest(t, "POST", "/dummy")
-			u, err := auth.Verify(req.Request, nil, nil)
-			require.NoError(t, err)
-			require.NotNil(t, u)
-			assert.Nil(t, u.User())
+			output := auth.Verify(req.Request, nil, nil)
+			_, authNotAttempted := output.(*auth_service.AuthenticationNotAttempted)
+			assert.True(t, authNotAttempted, "expected type AuthenticationNotAttempted, but was: %#v", output)
 		})
 
 		t.Run("NotExistingUser", func(t *testing.T) {
@@ -105,9 +105,11 @@ nwIDAQAB
 
 			req := NewRequest(t, "POST", "/dummy").
 				SetHeader("X-Ops-Userid", "not-existing-user")
-			u, err := auth.Verify(req.Request, nil, nil)
-			assert.Nil(t, u)
-			require.Error(t, err)
+
+			output := auth.Verify(req.Request, nil, nil)
+			ar, authError := output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+			require.True(t, authError, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+			require.ErrorContains(t, ar.Error, "user does not exist")
 		})
 
 		t.Run("Timestamp", func(t *testing.T) {
@@ -115,14 +117,16 @@ nwIDAQAB
 
 			req := NewRequest(t, "POST", "/dummy").
 				SetHeader("X-Ops-Userid", user.Name)
-			u, err := auth.Verify(req.Request, nil, nil)
-			assert.Nil(t, u)
-			require.Error(t, err)
+			output := auth.Verify(req.Request, nil, nil)
+			ar, authError := output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+			require.True(t, authError, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+			require.ErrorContains(t, ar.Error, "X-Ops-Timestamp header missing")
 
 			req.SetHeader("X-Ops-Timestamp", "2023-01-01T00:00:00Z")
-			u, err = auth.Verify(req.Request, nil, nil)
-			assert.Nil(t, u)
-			require.Error(t, err)
+			output = auth.Verify(req.Request, nil, nil)
+			ar, authError = output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+			require.True(t, authError, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+			require.ErrorContains(t, ar.Error, "time difference")
 		})
 
 		t.Run("SigningVersion", func(t *testing.T) {
@@ -131,29 +135,35 @@ nwIDAQAB
 			req := NewRequest(t, "POST", "/dummy").
 				SetHeader("X-Ops-Userid", user.Name).
 				SetHeader("X-Ops-Timestamp", time.Now().UTC().Format(time.RFC3339))
-			u, err := auth.Verify(req.Request, nil, nil)
-			assert.Nil(t, u)
-			require.Error(t, err)
+
+			output := auth.Verify(req.Request, nil, nil)
+			ar, authError := output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+			require.True(t, authError, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+			require.ErrorContains(t, ar.Error, "X-Ops-Sign header missing")
 
 			req.SetHeader("X-Ops-Sign", "version=none")
-			u, err = auth.Verify(req.Request, nil, nil)
-			assert.Nil(t, u)
-			require.Error(t, err)
+			output = auth.Verify(req.Request, nil, nil)
+			ar, authError = output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+			require.True(t, authError, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+			require.ErrorContains(t, ar.Error, "invalid X-Ops-Sign header")
 
 			req.SetHeader("X-Ops-Sign", "version=1.4")
-			u, err = auth.Verify(req.Request, nil, nil)
-			assert.Nil(t, u)
-			require.Error(t, err)
+			output = auth.Verify(req.Request, nil, nil)
+			ar, authError = output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+			require.True(t, authError, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+			require.ErrorContains(t, ar.Error, "unsupported version")
 
 			req.SetHeader("X-Ops-Sign", "version=1.0;algorithm=sha2")
-			u, err = auth.Verify(req.Request, nil, nil)
-			assert.Nil(t, u)
-			require.Error(t, err)
+			output = auth.Verify(req.Request, nil, nil)
+			ar, authError = output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+			require.True(t, authError, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+			require.ErrorContains(t, ar.Error, "unsupported algorithm")
 
 			req.SetHeader("X-Ops-Sign", "version=1.0;algorithm=sha256")
-			u, err = auth.Verify(req.Request, nil, nil)
-			assert.Nil(t, u)
-			require.Error(t, err)
+			output = auth.Verify(req.Request, nil, nil)
+			ar, authError = output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+			require.True(t, authError, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+			require.ErrorContains(t, ar.Error, "unsupported algorithm")
 		})
 
 		t.Run("SignedHeaders", func(t *testing.T) {
@@ -167,9 +177,10 @@ nwIDAQAB
 				SetHeader("X-Ops-Sign", "version=1.0;algorithm=sha1").
 				SetHeader("X-Ops-Content-Hash", "unused").
 				SetHeader("X-Ops-Authorization-4", "dummy")
-			u, err := auth.Verify(req.Request, nil, nil)
-			assert.Nil(t, u)
-			require.Error(t, err)
+			output := auth.Verify(req.Request, nil, nil)
+			ar, authError := output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
+			require.True(t, authError, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
+			require.ErrorContains(t, ar.Error, "invalid X-Ops-Authorization headers")
 
 			signRequest := func(rw *RequestWrapper, version string) {
 				req := rw.Request
@@ -258,9 +269,12 @@ nwIDAQAB
 					defer tests.PrintCurrentTest(t)()
 
 					signRequest(req, v)
-					u, err = auth.Verify(req.Request, nil, nil)
-					assert.NotNil(t, u)
-					require.NoError(t, err)
+					output := auth.Verify(req.Request, nil, nil)
+					ar, authSuccess := output.(*auth_service.AuthenticationSuccess)
+					require.True(t, authSuccess, "expected type AuthenticationSuccess, but was: %#v", output)
+					assert.NotNil(t, ar)
+					assert.NotNil(t, ar.Result)
+					assert.EqualValues(t, 2, ar.Result.User().ID)
 				})
 			}
 		})

From a562140896d28c01ea7b572af1c27d59aca3d7e2 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 24 Apr 2026 00:46:55 +0200
Subject: [PATCH 163/287] Update dependency htmx.org to v2.0.9 (forgejo)
 (#12248)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12248
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 819f398d2b..527811982e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -51,7 +51,7 @@
         "esbuild-loader": "4.4.3",
         "escape-goat": "4.0.0",
         "fast-glob": "3.3.3",
-        "htmx.org": "2.0.8",
+        "htmx.org": "2.0.9",
         "idiomorph": "0.3.0",
         "jquery": "3.7.1",
         "katex": "0.16.45",
@@ -9539,9 +9539,9 @@
       }
     },
     "node_modules/htmx.org": {
-      "version": "2.0.8",
-      "resolved": "https://registry.npmjs.org/htmx.org/-/htmx.org-2.0.8.tgz",
-      "integrity": "sha512-fm297iru0iWsNJlBrjvtN7V9zjaxd+69Oqjh4F/Vq9Wwi2kFisLcrLCiv5oBX0KLfOX/zG8AUo9ROMU5XUB44Q==",
+      "version": "2.0.9",
+      "resolved": "https://registry.npmjs.org/htmx.org/-/htmx.org-2.0.9.tgz",
+      "integrity": "sha512-Vd8ZlGSshz2W2ej+gNpMqxX2PM0dfOn4lRgkTXgCT+cqZE/GwBQoYm3zGvlqf+hHXYCMYmmgae33m4/RPdTS0Q==",
       "license": "0BSD"
     },
     "node_modules/iconv-lite": {
diff --git a/package.json b/package.json
index e89587c8e7..de425537c8 100644
--- a/package.json
+++ b/package.json
@@ -50,7 +50,7 @@
     "esbuild-loader": "4.4.3",
     "escape-goat": "4.0.0",
     "fast-glob": "3.3.3",
-    "htmx.org": "2.0.8",
+    "htmx.org": "2.0.9",
     "idiomorph": "0.3.0",
     "jquery": "3.7.1",
     "katex": "0.16.45",

From db622afd87f8f6b1d0ca4228b9eac7095cda3a58 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Fri, 24 Apr 2026 04:36:42 +0200
Subject: [PATCH 164/287] refactor: delegate to service for run cancellation
 (#12142)

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12142
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 routers/web/repo/actions/view.go | 41 +++++---------------------------
 services/actions/run.go          |  2 +-
 2 files changed, 7 insertions(+), 36 deletions(-)

diff --git a/routers/web/repo/actions/view.go b/routers/web/repo/actions/view.go
index 31b757d2b3..9769f0f11a 100644
--- a/routers/web/repo/actions/view.go
+++ b/routers/web/repo/actions/view.go
@@ -5,7 +5,6 @@
 package actions
 
 import (
-	"context"
 	"errors"
 	"fmt"
 	"html/template"
@@ -26,14 +25,11 @@ import (
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/templates"
-	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/translation"
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web"
 	actions_service "forgejo.org/services/actions"
 	app_context "forgejo.org/services/context"
-
-	"xorm.io/builder"
 )
 
 func RedirectToLatestAttempt(ctx *app_context.Context) {
@@ -591,40 +587,15 @@ func Logs(ctx *app_context.Context) {
 func Cancel(ctx *app_context.Context) {
 	runIndex := ctx.ParamsInt64("run")
 
-	_, jobs := getRunJobs(ctx, runIndex, -1)
-	if ctx.Written() {
-		return
-	}
-
-	if err := db.WithTx(ctx, func(ctx context.Context) error {
-		for _, job := range jobs {
-			status := job.Status
-			if status.IsDone() {
-				continue
-			}
-			if job.TaskID == 0 {
-				job.Status = actions_model.StatusCancelled
-				job.Stopped = timeutil.TimeStampNow()
-				n, err := actions_service.UpdateRunJob(ctx, job, builder.Eq{"task_id": 0}, "status", "stopped")
-				if err != nil {
-					return err
-				}
-				if n == 0 {
-					return errors.New("job has changed, try again")
-				}
-				continue
-			}
-			if err := actions_service.StopTask(ctx, job.TaskID, actions_model.StatusCancelled); err != nil {
-				return err
-			}
-		}
-		return nil
-	}); err != nil {
+	run, err := actions_model.GetRunByIndex(ctx, ctx.Repo.Repository.ID, runIndex)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, err.Error())
+		return
+	}
+	if err := actions_service.CancelRun(ctx, run); err != nil {
 		ctx.Error(http.StatusInternalServerError, err.Error())
 		return
 	}
-
-	actions_service.CreateCommitStatus(ctx, jobs...)
 
 	ctx.JSON(http.StatusOK, struct{}{})
 }
diff --git a/services/actions/run.go b/services/actions/run.go
index bee0b1581d..891d9d8f03 100644
--- a/services/actions/run.go
+++ b/services/actions/run.go
@@ -27,7 +27,7 @@ func killRun(ctx context.Context, run *actions_model.ActionRun, newStatus action
 			if job.TaskID == 0 {
 				job.Status = newStatus
 				job.Stopped = timeutil.TimeStampNow()
-				_, err := actions_model.UpdateRunJobWithoutNotification(ctx, job, nil, "status", "stopped")
+				_, err := UpdateRunJob(ctx, job, nil, "status", "stopped")
 				if err != nil {
 					return err
 				}

From ef5479af71c47d55e3aa63fa60debd26f7bed9c7 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Fri, 24 Apr 2026 18:19:58 +0200
Subject: [PATCH 165/287] refactor: split "basic" and "oauth2" authentication
 impl into smaller single-purpose components (#12236)

Forgejo's `basic` and `oauth2` authentication methods perform five distinct types of authentication:
- Username and password authentication
- Personal access tokens
- OAuth2 access tokens
- Forgejo Action's `${{ forgejo.token }}` -- task-based static tokens
- Forgejo Action's `${{ env.ACTIONS_RUNTIME_TOKEN }}` JWT, which is the authentication method used for `upload-artifact` (mirroring GitHub's implementation)

`basic` and `oauth2` both supported almost all of these methods, resulting in quite a bit of code duplication between them.  This PR splits personal access tokens into `access_token.go`, Action's task-based tokens into `action_task_token.go`, and Action's JWT tokens into `action_runtime_token.go`.

**Note:** There is one peculiar side-effect that is worth discussing.  Previously, `Authorization: Basic ...` was handled by one complex code path in basic.go, and `Authorization: Bearer ...` was handled by another in oauth2.go, and if authorization failed and a 401 was returned, a single error message would be returned to the user.  Now, as multiple authorization methods may look at `Authorization: Basic ...` and provide their own reason why authorization didn't work, a 401 response has multiple reasons for a lack of authorization listed:

```
401 Unauthorized
...

failure to authenticate with oauth2 access token: not a JWT
Basic authorization is not allowed while having security keys enrolled
access token does not exist [sha: notpassword]
task with token "notpassword": resource does not exist
```

A couple tests have been adapted to check that the result contains their expected response, rather than is equal-to or prefixed-with their expected result.  This is caused by the "auth group" joining together any "invalid credentials" errors, and, to a certain extent it is useful to understand why the authorization request failed.  But it's a bit obscure as well.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
  - Relying on integration testing for regression checks.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12236
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 routers/api/packages/api.go                   |  11 +-
 routers/api/shared/middleware.go              |   3 +
 routers/web/auth/oauth.go                     |  15 +-
 routers/web/web.go                            |   6 +
 services/auth/interface.go                    |  10 +-
 services/auth/method/access_token.go          |  78 ++++++
 services/auth/method/action_runtime_token.go  |  67 +++++
 .../auth/method/action_runtime_token_test.go  |  74 ++++++
 services/auth/method/action_task_token.go     |  67 +++++
 services/auth/method/auth_result_oauth.go     |   9 +-
 services/auth/method/basic.go                 |  71 +-----
 services/auth/method/oauth2.go                | 228 ++++++------------
 services/auth/method/oauth2_test.go           | 117 ---------
 services/auth/method/util.go                  |  71 ++++++
 services/auth/method/util_test.go             |  43 ++++
 tests/integration/api_twofa_test.go           |  12 +-
 16 files changed, 514 insertions(+), 368 deletions(-)
 create mode 100644 services/auth/method/access_token.go
 create mode 100644 services/auth/method/action_runtime_token.go
 create mode 100644 services/auth/method/action_runtime_token_test.go
 create mode 100644 services/auth/method/action_task_token.go
 delete mode 100644 services/auth/method/oauth2_test.go
 create mode 100644 services/auth/method/util.go
 create mode 100644 services/auth/method/util_test.go

diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index 7096cd9e51..4a35948eca 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -193,6 +193,9 @@ func CommonRoutes() *web.Route {
 	verifyAuth(r, []auth.Method{
 		&auth_method.OAuth2{},
 		&auth_method.Basic{},
+		&auth_method.AccessToken{},
+		&auth_method.ActionRuntimeToken{},
+		&auth_method.ActionTaskToken{},
 		&nuget.Auth{},
 		&conan.Auth{},
 		&chef.Auth{},
@@ -836,7 +839,13 @@ func ContainerRoutes() *web.Route {
 
 	r.Use(context.PackageContexter())
 
-	verifyContainerAuth(r, []auth.Method{&auth_method.Basic{}, &container.Auth{}})
+	verifyContainerAuth(r, []auth.Method{
+		&auth_method.Basic{},
+		&auth_method.AccessToken{},
+		&auth_method.ActionRuntimeToken{},
+		&auth_method.ActionTaskToken{},
+		&container.Auth{},
+	})
 
 	r.Get("", container.ReqContainerAccess, container.DetermineSupport)
 	r.Group("/token", func() {
diff --git a/routers/api/shared/middleware.go b/routers/api/shared/middleware.go
index 5a2debf3af..9dd1605783 100644
--- a/routers/api/shared/middleware.go
+++ b/routers/api/shared/middleware.go
@@ -50,6 +50,9 @@ func buildAuthGroup() *auth_method.Group {
 		&auth_method.OAuth2{},
 		&auth_method.HTTPSign{},
 		&auth_method.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
+		&auth_method.AccessToken{},
+		&auth_method.ActionRuntimeToken{},
+		&auth_method.ActionTaskToken{},
 	)
 	if setting.Service.EnableReverseProxyAuthAPI {
 		group.Add(&auth_method.ReverseProxy{})
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index dae71dd377..6335f2ecc0 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -33,7 +33,6 @@ import (
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web"
 	"forgejo.org/modules/web/middleware"
-	auth_method "forgejo.org/services/auth/method"
 	source_service "forgejo.org/services/auth/source"
 	"forgejo.org/services/auth/source/oauth2"
 	"forgejo.org/services/context"
@@ -294,7 +293,9 @@ func ifOnlyPublicGroups(scopes string) bool {
 
 // InfoOAuth manages request for userinfo endpoint
 func InfoOAuth(ctx *context.Context) {
-	if ctx.Doer == nil || !ctx.Authentication.IsOAuth2JWTAuthentication() {
+	hasGrantScopes, grantScopes := ctx.Authentication.OAuth2GrantScopes().Get()
+
+	if ctx.Doer == nil || !hasGrantScopes {
 		ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`)
 		ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
 		return
@@ -308,17 +309,7 @@ func InfoOAuth(ctx *context.Context) {
 		Picture:  ctx.Doer.AvatarLink(ctx),
 	}
 
-	var token string
-	if auHead := ctx.Req.Header.Get("Authorization"); auHead != "" {
-		auths := strings.Fields(auHead)
-		if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
-			token = auths[1]
-		}
-	}
-
-	_, grantScopes := auth_method.CheckOAuthAccessToken(ctx, token)
 	onlyPublicGroups := ifOnlyPublicGroups(grantScopes)
-
 	groups, err := getOAuthGroupsForUser(ctx, ctx.Doer, onlyPublicGroups)
 	if err != nil {
 		ctx.ServerError("Oauth groups for user", err)
diff --git a/routers/web/web.go b/routers/web/web.go
index 9d8ac332a8..5839e7d30e 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -111,6 +111,12 @@ func buildAuthGroup() *auth_method.Group {
 	group.Add(&auth_method.OAuth2{}) // FIXME: this should be removed and only applied in download and oauth related routers
 	group.Add(&auth_method.Basic{})  // FIXME: this should be removed and only applied in download and git/lfs routers
 
+	// FIXME: extracted from OAuth2 & Basic -- these methods have internal URL filters that should be moved into
+	// middlewares (if we can figure out the right way to do that), similar to the notes on OAuth2 & Basic above.
+	group.Add(&auth_method.AccessToken{})
+	group.Add(&auth_method.ActionRuntimeToken{})
+	group.Add(&auth_method.ActionTaskToken{})
+
 	if setting.Service.EnableReverseProxyAuth {
 		group.Add(&auth_method.ReverseProxy{}) // reverseproxy should before Session, otherwise the header will be ignored if user has login
 	}
diff --git a/services/auth/interface.go b/services/auth/interface.go
index bbfe641520..a5ed33a79b 100644
--- a/services/auth/interface.go
+++ b/services/auth/interface.go
@@ -97,9 +97,9 @@ type AuthenticationResult interface {
 	// Identifies if the authentication was performed by a reverse proxy.
 	IsReverseProxyAuthentication() bool
 
-	// Identifies specifically that the OAuth2 JWT authentication method was used. If so, some related OAuth2 API
-	// endpoints may be accessible that otherwise wouldn't be.
-	IsOAuth2JWTAuthentication() bool
+	// Defined scopes of the [OAuth2Grant] as a comma-separated string, if authenticated via an OAuth access token JWT.
+	// Otherwise, None.
+	OAuth2GrantScopes() optional.Option[string]
 
 	// If authenticated as an Actions task (using ${{ forgejo.token }}), then indicates the specific task that performed
 	// the authentication.
@@ -108,8 +108,8 @@ type AuthenticationResult interface {
 
 type BaseAuthenticationResult struct{}
 
-func (*BaseAuthenticationResult) IsOAuth2JWTAuthentication() bool {
-	return false
+func (*BaseAuthenticationResult) OAuth2GrantScopes() optional.Option[string] {
+	return optional.None[string]()
 }
 
 func (*BaseAuthenticationResult) IsPasswordAuthentication() bool {
diff --git a/services/auth/method/access_token.go b/services/auth/method/access_token.go
new file mode 100644
index 0000000000..f1a5e8e766
--- /dev/null
+++ b/services/auth/method/access_token.go
@@ -0,0 +1,78 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	"fmt"
+	"net/http"
+
+	auth_model "forgejo.org/models/auth"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
+	"forgejo.org/modules/web/middleware"
+	"forgejo.org/services/auth"
+	"forgejo.org/services/authz"
+)
+
+var _ auth.Method = &AccessToken{}
+
+type AccessToken struct{}
+
+func (a *AccessToken) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
+	// Authentication previously was performed in a single routine for `Authorization: Basic ...` and `Authorization:
+	// Bearer ...`, and both routines had separate URL exclusion lists onto which they wouldn't apply.  That behaviour
+	// is maintained by cloning those conditions here and deciding whether to look at basic/bearer auth, or not.  In the
+	// future this should be removed and migrated to route-specific middleware.
+	legacySkipBasic := !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req)
+	legacySkipFormAndBearer := !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) && !isGitRawOrAttachPath(req) && !isArchivePath(req)
+
+	maybeAuthToken := a.getTokenFromRequest(req, legacySkipBasic, legacySkipFormAndBearer)
+	if !maybeAuthToken.Has() {
+		return &auth.AuthenticationNotAttempted{}
+	}
+	_, authToken := maybeAuthToken.Get()
+
+	// check personal access token
+	token, err := auth_model.GetAccessTokenBySHA(req.Context(), authToken)
+	if auth_model.IsErrAccessTokenNotExist(err) || auth_model.IsErrAccessTokenEmpty(err) {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
+	} else if err != nil {
+		return &auth.AuthenticationError{Error: fmt.Errorf("access token GetAccessTokenBySHA: %w", err)}
+	}
+
+	log.Trace("AccessToken: Valid AccessToken for user[%d]", token.UID)
+	u, err := user_model.GetUserByID(req.Context(), token.UID)
+	if err != nil {
+		return &auth.AuthenticationError{Error: fmt.Errorf("access token GetUserByID: %w", err)}
+	}
+
+	if err = token.UpdateLastUsed(req.Context()); err != nil {
+		log.Error("UpdateLastUsed:  %v", err)
+	}
+
+	reducer, err := authz.GetAuthorizationReducerForAccessToken(req.Context(), token)
+	if err != nil {
+		return &auth.AuthenticationError{Error: fmt.Errorf("access token GetAuthorizationReducerForAccessToken: %w", err)}
+	}
+
+	return &auth.AuthenticationSuccess{Result: &accessTokenAuthenticationResult{user: u, scope: token.Scope, reducer: reducer}}
+}
+
+func (a *AccessToken) getTokenFromRequest(req *http.Request, skipBasic, skipFormAndBearer bool) optional.Option[string] {
+	if !skipFormAndBearer {
+		if has, token := tokenFromForm(req).Get(); has {
+			return optional.Some(token)
+		}
+		if has, token := tokenFromAuthorizationBearer(req).Get(); has {
+			return optional.Some(token)
+		}
+	}
+	if !skipBasic {
+		if has, token := tokenFromAuthorizationBasic(req).Get(); has {
+			return optional.Some(token)
+		}
+	}
+	return optional.None[string]()
+}
diff --git a/services/auth/method/action_runtime_token.go b/services/auth/method/action_runtime_token.go
new file mode 100644
index 0000000000..2d15476424
--- /dev/null
+++ b/services/auth/method/action_runtime_token.go
@@ -0,0 +1,67 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	actions_model "forgejo.org/models/actions"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/optional"
+	"forgejo.org/modules/web/middleware"
+	"forgejo.org/services/actions"
+	"forgejo.org/services/auth"
+)
+
+var _ auth.Method = &ActionRuntimeToken{}
+
+type ActionRuntimeToken struct{}
+
+func (a *ActionRuntimeToken) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
+	// In the future this should be removed and migrated to route-specific middleware:
+	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) && !isGitRawOrAttachPath(req) && !isArchivePath(req) {
+		return &auth.AuthenticationNotAttempted{}
+	}
+
+	maybeAuthToken := a.getTokenFromRequest(req)
+	if !maybeAuthToken.Has() {
+		return &auth.AuthenticationNotAttempted{}
+	}
+	_, authToken := maybeAuthToken.Get()
+
+	taskID, err := actions.TokenToTaskID(authToken)
+	if err != nil {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
+	}
+
+	if !checkTaskIsRunning(req.Context(), taskID) {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("failure to authenticate with action runtime token: task is no longer running")}
+	}
+
+	return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: taskID}}
+}
+
+func (a *ActionRuntimeToken) getTokenFromRequest(req *http.Request) optional.Option[string] {
+	if has, token := tokenFromForm(req).Get(); has {
+		return optional.Some(token)
+	}
+	if has, token := tokenFromAuthorizationBearer(req).Get(); has {
+		return optional.Some(token)
+	}
+	return optional.None[string]()
+}
+
+// CheckTaskIsRunning verifies that the TaskID corresponds to a running task
+func checkTaskIsRunning(ctx context.Context, taskID int64) bool {
+	// Verify the task exists
+	task, err := actions_model.GetTaskByID(ctx, taskID)
+	if err != nil {
+		return false
+	}
+
+	// Verify that it's running
+	return task.Status == actions_model.StatusRunning
+}
diff --git a/services/auth/method/action_runtime_token_test.go b/services/auth/method/action_runtime_token_test.go
new file mode 100644
index 0000000000..f5bae45e96
--- /dev/null
+++ b/services/auth/method/action_runtime_token_test.go
@@ -0,0 +1,74 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package method
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"testing"
+
+	actions_model "forgejo.org/models/actions"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/services/actions"
+	auth_service "forgejo.org/services/auth"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestActionRuntimeTokenVerify(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("Actions JWT", func(t *testing.T) {
+		const RunningTaskID = 47
+		task := &actions_model.ActionTask{
+			ID: RunningTaskID,
+			Job: &actions_model.ActionRunJob{
+				ID:    2,
+				RunID: 1,
+			},
+		}
+		token, err := actions.CreateAuthorizationToken(task, map[string]any{}, false)
+		require.NoError(t, err)
+
+		req := http.Request{
+			URL: &url.URL{Path: "/api/v1/"},
+			Header: map[string][]string{
+				"Authorization": {fmt.Sprintf("Bearer %s", token)},
+			},
+		}
+
+		o := ActionRuntimeToken{}
+		output := o.Verify(&req, nil, nil)
+		ar, authSuccess := output.(*auth_service.AuthenticationSuccess)
+		require.True(t, authSuccess, "expected type AuthenticationSuccess, but was: %#v", output)
+		authResult := ar.Result
+		assert.Equal(t, int64(user_model.ActionsUserID), authResult.User().ID)
+		isActionsToken, authTaskID := authResult.ActionsTaskID().Get()
+		assert.True(t, isActionsToken)
+		assert.Equal(t, int64(RunningTaskID), authTaskID)
+	})
+}
+
+func TestCheckTaskIsRunning(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	cases := map[string]struct {
+		TaskID   int64
+		Expected bool
+	}{
+		"Running":   {TaskID: 47, Expected: true},
+		"Missing":   {TaskID: 1, Expected: false},
+		"Cancelled": {TaskID: 46, Expected: false},
+	}
+
+	for name := range cases {
+		c := cases[name]
+		t.Run(name, func(t *testing.T) {
+			actual := checkTaskIsRunning(t.Context(), c.TaskID)
+			assert.Equal(t, c.Expected, actual)
+		})
+	}
+}
diff --git a/services/auth/method/action_task_token.go b/services/auth/method/action_task_token.go
new file mode 100644
index 0000000000..b5e1ab4f59
--- /dev/null
+++ b/services/auth/method/action_task_token.go
@@ -0,0 +1,67 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+
+	actions_model "forgejo.org/models/actions"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
+	"forgejo.org/modules/util"
+	"forgejo.org/modules/web/middleware"
+	"forgejo.org/services/auth"
+)
+
+var _ auth.Method = &ActionTaskToken{}
+
+type ActionTaskToken struct{}
+
+func (a *ActionTaskToken) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
+	// Authentication previously was performed in a single routine for `Authorization: Basic ...` and `Authorization:
+	// Bearer ...`, and both routines had separate URL exclusion lists onto which they wouldn't apply.  That behaviour
+	// is maintained by cloning those conditions here and deciding whether to look at basic/bearer auth, or not.  In the
+	// future this should be removed and migrated to route-specific middleware.
+	legacySkipBasic := !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req)
+	legacySkipFormAndBearer := !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) && !isGitRawOrAttachPath(req) && !isArchivePath(req)
+
+	maybeAuthToken := a.getTokenFromRequest(req, legacySkipBasic, legacySkipFormAndBearer)
+	if !maybeAuthToken.Has() {
+		return &auth.AuthenticationNotAttempted{}
+	}
+	_, authToken := maybeAuthToken.Get()
+
+	// check task token
+	task, err := actions_model.GetRunningTaskByToken(req.Context(), authToken)
+	if err != nil && errors.Is(err, util.ErrNotExist) {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
+	} else if err != nil {
+		return &auth.AuthenticationError{Error: fmt.Errorf("action task token GetRunningTaskByToken: %w", err)}
+	} else if task == nil {
+		return &auth.AuthenticationError{Error: errors.New("failed to retrieve non-nil task")}
+	}
+
+	log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)
+	return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}}
+}
+
+func (a *ActionTaskToken) getTokenFromRequest(req *http.Request, skipBasic, skipFormAndBearer bool) optional.Option[string] {
+	if !skipFormAndBearer {
+		if has, token := tokenFromForm(req).Get(); has {
+			return optional.Some(token)
+		}
+		if has, token := tokenFromAuthorizationBearer(req).Get(); has {
+			return optional.Some(token)
+		}
+	}
+	if !skipBasic {
+		if has, token := tokenFromAuthorizationBasic(req).Get(); has {
+			return optional.Some(token)
+		}
+	}
+	return optional.None[string]()
+}
diff --git a/services/auth/method/auth_result_oauth.go b/services/auth/method/auth_result_oauth.go
index ce451e6459..392e616837 100644
--- a/services/auth/method/auth_result_oauth.go
+++ b/services/auth/method/auth_result_oauth.go
@@ -14,8 +14,9 @@ var _ auth.AuthenticationResult = &oAuth2JWTAuthenticationResult{}
 
 type oAuth2JWTAuthenticationResult struct {
 	*auth.BaseAuthenticationResult
-	user  *user_model.User
-	scope optional.Option[auth_model.AccessTokenScope]
+	user        *user_model.User
+	scope       optional.Option[auth_model.AccessTokenScope]
+	grantScopes string
 }
 
 func (*oAuth2JWTAuthenticationResult) IsOAuth2JWTAuthentication() bool {
@@ -29,3 +30,7 @@ func (r *oAuth2JWTAuthenticationResult) User() *user_model.User {
 func (r *oAuth2JWTAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
 	return r.scope
 }
+
+func (r *oAuth2JWTAuthenticationResult) OAuth2GrantScopes() optional.Option[string] {
+	return optional.Some(r.grantScopes)
+}
diff --git a/services/auth/method/basic.go b/services/auth/method/basic.go
index 905deb0652..8385bea2fd 100644
--- a/services/auth/method/basic.go
+++ b/services/auth/method/basic.go
@@ -10,18 +10,15 @@ import (
 	"net/http"
 	"strings"
 
-	actions_model "forgejo.org/models/actions"
 	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/base"
 	"forgejo.org/modules/log"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web/middleware"
 	"forgejo.org/services/auth"
 	"forgejo.org/services/auth/source/db"
-	"forgejo.org/services/authz"
 )
 
 // Ensure the struct implements the interface.
@@ -34,10 +31,8 @@ var (
 // header.
 type Basic struct{}
 
-// Verify extracts and validates Basic data (username and password/token) from the
-// "Authorization" header of the request and returns the corresponding user object for that
-// name/token on successful validation.
-// Returns nil if header is empty or validation fails.
+// Verify extracts and validates Basic data (username and password/token) from the "Authorization" header of the request
+// and returns the corresponding user object for that name/token on successful validation.
 func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
 	// Basic authentication should only fire on API, Download or on Git or LFSPaths
 	if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
@@ -56,67 +51,6 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionS
 
 	uname, passwd, _ := base.BasicAuthDecode(auths[1])
 
-	// Check if username or password is a token
-	isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
-	// Assume username is token
-	authToken := uname
-	if !isUsernameToken {
-		log.Trace("Basic Authorization: Attempting login for: %s", uname)
-		// Assume password is token
-		authToken = passwd
-	} else {
-		log.Trace("Basic Authorization: Attempting login with username as token")
-	}
-
-	// check oauth2 token
-	uid, grantScopes := CheckOAuthAccessToken(req.Context(), authToken)
-	if uid != 0 {
-		log.Trace("Basic Authorization: Valid OAuthAccessToken for user[%d]", uid)
-
-		u, err := user_model.GetUserByID(req.Context(), uid)
-		if err != nil {
-			return &auth.AuthenticationError{Error: fmt.Errorf("basic auth GetUserByID: %w", err)}
-		}
-
-		var scope auth_model.AccessTokenScope
-		if grantScopes != "" {
-			scope = auth_model.AccessTokenScope(grantScopes)
-		} else {
-			scope = auth_model.AccessTokenScopeAll // fallback to all
-		}
-		return &auth.AuthenticationSuccess{Result: &oAuth2JWTAuthenticationResult{user: u, scope: optional.Some(scope)}}
-	}
-
-	// check personal access token
-	token, err := auth_model.GetAccessTokenBySHA(req.Context(), authToken)
-	if err == nil {
-		log.Trace("Basic Authorization: Valid AccessToken for user[%d]", token.UID)
-		u, err := user_model.GetUserByID(req.Context(), token.UID)
-		if err != nil {
-			return &auth.AuthenticationError{Error: fmt.Errorf("basic auth GetUserByID for access token: %w", err)}
-		}
-
-		if err = token.UpdateLastUsed(req.Context()); err != nil {
-			log.Error("UpdateLastUsed:  %v", err)
-		}
-
-		reducer, err := authz.GetAuthorizationReducerForAccessToken(req.Context(), token)
-		if err != nil {
-			return &auth.AuthenticationError{Error: fmt.Errorf("basic auth GetAuthorizationReducerForAccessToken: %w", err)}
-		}
-
-		return &auth.AuthenticationSuccess{Result: &accessTokenAuthenticationResult{user: u, scope: token.Scope, reducer: reducer}}
-	} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
-		log.Error("GetAccessTokenBySha: %v", err)
-	}
-
-	// check task token
-	task, err := actions_model.GetRunningTaskByToken(req.Context(), authToken)
-	if err == nil && task != nil {
-		log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)
-		return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}}
-	}
-
 	if !setting.Service.EnableBasicAuth {
 		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("basic authentication by username & password is disabled")}
 	}
@@ -147,7 +81,6 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionS
 	}
 
 	log.Trace("Basic Authorization: Logged in user %-v", u)
-
 	return &auth.AuthenticationSuccess{Result: &basicPaswordAuthenticationResult{user: u}}
 }
 
diff --git a/services/auth/method/oauth2.go b/services/auth/method/oauth2.go
index 8e07a2ecca..9eeef6a6c1 100644
--- a/services/auth/method/oauth2.go
+++ b/services/auth/method/oauth2.go
@@ -5,25 +5,21 @@
 package method
 
 import (
-	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"slices"
 	"strings"
 	"time"
 
-	actions_model "forgejo.org/models/actions"
 	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
-	"forgejo.org/modules/util"
 	"forgejo.org/modules/web/middleware"
-	"forgejo.org/services/actions"
 	"forgejo.org/services/auth"
 	"forgejo.org/services/auth/source/oauth2"
-	"forgejo.org/services/authz"
 )
 
 // Ensure the struct implements the interface.
@@ -70,174 +66,86 @@ func grantAdditionalScopes(grantScopes string) string {
 	return ""
 }
 
-// CheckOAuthAccessToken returns uid of user from oauth token
-// + non default openid scopes requested
-func CheckOAuthAccessToken(ctx context.Context, accessToken string) (int64, string) {
-	if !setting.OAuth2.Enabled {
-		return 0, ""
-	}
-	// JWT tokens require a "."
-	if !strings.Contains(accessToken, ".") {
-		return 0, ""
-	}
-	token, err := oauth2.ParseToken(accessToken, oauth2.DefaultSigningKey)
-	if err != nil {
-		log.Trace("oauth2.ParseToken: %v", err)
-		return 0, ""
-	}
-	var grant *auth_model.OAuth2Grant
-	if grant, err = auth_model.GetOAuth2GrantByID(ctx, token.GrantID); err != nil || grant == nil {
-		return 0, ""
-	}
-	if token.Type != oauth2.TypeAccessToken {
-		return 0, ""
-	}
-	if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) {
-		return 0, ""
-	}
-	grantScopes := grantAdditionalScopes(grant.Scope)
-	return grant.UserID, grantScopes
-}
-
-// CheckTaskIsRunning verifies that the TaskID corresponds to a running task
-func CheckTaskIsRunning(ctx context.Context, taskID int64) bool {
-	// Verify the task exists
-	task, err := actions_model.GetTaskByID(ctx, taskID)
-	if err != nil {
-		return false
-	}
-
-	// Verify that it's running
-	return task.Status == actions_model.StatusRunning
-}
-
-// OAuth2 implements the Auth interface and authenticates requests
-// (API requests only) by looking for an OAuth token in query parameters or the
-// "Authorization" header.
+// OAuth2 implements the Auth interface and authenticates requests (API requests only) by looking for an OAuth token in
+// query parameters or the "Authorization" header.
 type OAuth2 struct{}
 
-// parseToken returns the token from request, and a boolean value
-// representing whether the token exists or not
-func parseToken(req *http.Request) (string, bool) {
-	_ = req.ParseForm()
-	if !setting.DisableQueryAuthToken {
-		// Check token.
-		if token := req.Form.Get("token"); token != "" {
-			return token, true
-		}
-		// Check access token.
-		if token := req.Form.Get("access_token"); token != "" {
-			return token, true
-		}
-	} else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
-		log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
-	}
-
-	// check header token
-	if auHead := req.Header.Get("Authorization"); auHead != "" {
-		auths := strings.Fields(auHead)
-		if len(auths) == 2 && (util.ASCIIEqualFold(auths[0], "token") || util.ASCIIEqualFold(auths[0], "bearer")) {
-			return auths[1], true
-		}
-	}
-	return "", false
-}
-
-// userIDFromToken returns the user id corresponding to the OAuth token.
-// It will set 'IsApiToken' to true if the token is an API token and
-// set 'ApiTokenScope' to the scope of the access token
-func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string) auth.MethodOutput {
-	if tokenSHA == "" {
-		return &auth.AuthenticationAttemptedIncorrectCredential{Error: auth_model.ErrAccessTokenEmpty{}}
-	}
-	// Let's see if token is valid.
-	if strings.Contains(tokenSHA, ".") {
-		// First attempt to decode an actions JWT, returning the actions user
-		if taskID, err := actions.TokenToTaskID(tokenSHA); err == nil {
-			if CheckTaskIsRunning(ctx, taskID) {
-				return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: taskID}}
-			}
-		}
-
-		// Otherwise, check if this is an OAuth access token
-		uid, grantScopes := CheckOAuthAccessToken(ctx, tokenSHA)
-		var accessTokenScope optional.Option[auth_model.AccessTokenScope]
-		if uid != 0 {
-			if grantScopes != "" {
-				accessTokenScope = optional.Some(auth_model.AccessTokenScope(grantScopes))
-			} else {
-				accessTokenScope = optional.Some(auth_model.AccessTokenScopeAll) // fallback to all
-			}
-		}
-		user, err := user_model.GetPossibleUserByID(ctx, uid)
-		if err != nil {
-			if user_model.IsErrUserNotExist(err) {
-				return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
-			}
-			return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetPossibleUserByID: %w", err)}
-		}
-		return &auth.AuthenticationSuccess{Result: &oAuth2JWTAuthenticationResult{user: user, scope: accessTokenScope}}
-	}
-
-	t, err := auth_model.GetAccessTokenBySHA(ctx, tokenSHA)
-	if err != nil {
-		if auth_model.IsErrAccessTokenNotExist(err) {
-			// check task token
-			task, err := actions_model.GetRunningTaskByToken(ctx, tokenSHA)
-			if err == nil && task != nil {
-				log.Trace("Basic Authorization: Valid AccessToken for task[%d]", task.ID)
-				return &auth.AuthenticationSuccess{Result: &actionsTaskTokenAuthenticationResult{user: user_model.NewActionsUser(), taskID: task.ID}}
-			}
-		} else if !auth_model.IsErrAccessTokenNotExist(err) && !auth_model.IsErrAccessTokenEmpty(err) {
-			return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetAccessTokenBySHA: %w", err)}
-		}
-		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
-	}
-	if err := t.UpdateLastUsed(ctx); err != nil {
-		log.Error("UpdateLastUsed: %v", err)
-	}
-	if t.UID == 0 {
-		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
-	}
-
-	reducer, err := authz.GetAuthorizationReducerForAccessToken(ctx, t)
-	if err != nil {
-		return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetAuthorizationReducerForAccessToken: %w", err)}
-	}
-
-	u, err := user_model.GetUserByID(ctx, t.UID)
-	if err != nil {
-		return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetUserByID: %w", err)}
-	}
-
-	return &auth.AuthenticationSuccess{Result: &accessTokenAuthenticationResult{user: u, scope: t.Scope, reducer: reducer}}
-}
-
-// Verify extracts the user ID from the OAuth token in the query parameters
-// or the "Authorization" header and returns the corresponding user object for that ID.
-// If verification is successful returns an existing user object.
-// Returns nil if verification fails.
 func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
+	if !setting.OAuth2.Enabled {
+		return &auth.AuthenticationNotAttempted{}
+	}
 	// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
 	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
 		!isGitRawOrAttachPath(req) && !isArchivePath(req) {
 		return &auth.AuthenticationNotAttempted{}
 	}
 
-	token, ok := parseToken(req)
-	if !ok {
+	maybeAuthToken := o.getTokenFromRequest(req)
+	if !maybeAuthToken.Has() {
 		return &auth.AuthenticationNotAttempted{}
 	}
+	_, authToken := maybeAuthToken.Get()
 
-	return o.userIDFromToken(req.Context(), token)
+	token, err := oauth2.ParseToken(authToken, oauth2.DefaultSigningKey)
+	if err != nil {
+		log.Trace("oauth2.ParseToken: %v", err)
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: err}
+	}
+
+	var grant *auth_model.OAuth2Grant
+	if grant, err = auth_model.GetOAuth2GrantByID(req.Context(), token.GrantID); err != nil {
+		return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetOAuth2GrantByID: %w", err)}
+	} else if grant == nil {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("oauth2 grant not found or revoked")}
+	}
+	if token.Type != oauth2.TypeAccessToken {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("token was not an oauth2 access token")}
+	}
+	if token.ExpiresAt.Before(time.Now()) || token.IssuedAt.After(time.Now()) {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("token was expired")}
+	}
+	if grant.UserID == 0 {
+		return &auth.AuthenticationError{Error: errors.New("oauth2 invalid grant user id")}
+	}
+
+	var accessTokenScope optional.Option[auth_model.AccessTokenScope]
+	grantScopes := grantAdditionalScopes(grant.Scope)
+	if grantScopes != "" {
+		accessTokenScope = optional.Some(auth_model.AccessTokenScope(grantScopes))
+	} else {
+		accessTokenScope = optional.Some(auth_model.AccessTokenScopeAll) // fallback to all
+	}
+
+	user, err := user_model.GetPossibleUserByID(req.Context(), grant.UserID)
+	if err != nil {
+		if !user_model.IsErrUserNotExist(err) {
+			return &auth.AuthenticationError{Error: fmt.Errorf("oauth2 GetPossibleUserByID: %w", err)}
+		}
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("oauth2 grant owner does not exist")}
+	}
+
+	return &auth.AuthenticationSuccess{
+		Result: &oAuth2JWTAuthenticationResult{
+			user:        user,
+			scope:       accessTokenScope,
+			grantScopes: grantScopes,
+		},
+	}
+}
+
+func (*OAuth2) getTokenFromRequest(req *http.Request) optional.Option[string] {
+	if has, token := tokenFromForm(req).Get(); has {
+		return optional.Some(token)
+	}
+	if has, token := tokenFromAuthorizationBasic(req).Get(); has {
+		return optional.Some(token)
+	}
+	if has, token := tokenFromAuthorizationBearer(req).Get(); has {
+		return optional.Some(token)
+	}
+	return optional.None[string]()
 }
 
 func isAuthenticatedTokenRequest(req *http.Request) bool {
-	switch req.URL.Path {
-	case "/login/oauth/userinfo":
-		fallthrough
-	case "/login/oauth/introspect":
-		return true
-	}
-	return false
+	return req.URL.Path == "/login/oauth/userinfo"
 }
diff --git a/services/auth/method/oauth2_test.go b/services/auth/method/oauth2_test.go
deleted file mode 100644
index 5ad103fe58..0000000000
--- a/services/auth/method/oauth2_test.go
+++ /dev/null
@@ -1,117 +0,0 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package method
-
-import (
-	"net/http"
-	"testing"
-
-	actions_model "forgejo.org/models/actions"
-	"forgejo.org/models/auth"
-	"forgejo.org/models/unittest"
-	user_model "forgejo.org/models/user"
-	"forgejo.org/services/actions"
-	auth_service "forgejo.org/services/auth"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestUserIDFromToken(t *testing.T) {
-	require.NoError(t, unittest.PrepareTestDatabase())
-
-	t.Run("Actions JWT", func(t *testing.T) {
-		const RunningTaskID = 47
-		task := &actions_model.ActionTask{
-			ID: RunningTaskID,
-			Job: &actions_model.ActionRunJob{
-				ID:    2,
-				RunID: 1,
-			},
-		}
-		token, err := actions.CreateAuthorizationToken(task, map[string]any{}, false)
-		require.NoError(t, err)
-
-		o := OAuth2{}
-		output := o.userIDFromToken(t.Context(), token)
-		ar, authSuccess := output.(*auth_service.AuthenticationSuccess)
-		require.True(t, authSuccess, "expected type AuthenticationSuccess, but was: %#v", output)
-		authResult := ar.Result
-		assert.Equal(t, int64(user_model.ActionsUserID), authResult.User().ID)
-		isActionsToken, authTaskID := authResult.ActionsTaskID().Get()
-		assert.True(t, isActionsToken)
-		assert.Equal(t, int64(RunningTaskID), authTaskID)
-	})
-
-	t.Run("Actions error-JWT", func(t *testing.T) {
-		cases := map[string]struct {
-			Token string
-			Error error
-		}{
-			"Empty":    {"", auth.ErrAccessTokenEmpty{}},
-			"To short": {"abc", auth.ErrAccessTokenNotExist{Token: "abc"}},
-		}
-
-		o := OAuth2{}
-		for name, c := range cases {
-			t.Run(name, func(t *testing.T) {
-				output := o.userIDFromToken(t.Context(), c.Token)
-
-				ar, authFailure := output.(*auth_service.AuthenticationAttemptedIncorrectCredential)
-				require.True(t, authFailure, "expected type AuthenticationAttemptedIncorrectCredential, but was: %#v", output)
-				err := ar.Error
-
-				require.ErrorIs(t, err, c.Error)
-			})
-		}
-	})
-}
-
-func TestCheckTaskIsRunning(t *testing.T) {
-	require.NoError(t, unittest.PrepareTestDatabase())
-	cases := map[string]struct {
-		TaskID   int64
-		Expected bool
-	}{
-		"Running":   {TaskID: 47, Expected: true},
-		"Missing":   {TaskID: 1, Expected: false},
-		"Cancelled": {TaskID: 46, Expected: false},
-	}
-
-	for name := range cases {
-		c := cases[name]
-		t.Run(name, func(t *testing.T) {
-			actual := CheckTaskIsRunning(t.Context(), c.TaskID)
-			assert.Equal(t, c.Expected, actual)
-		})
-	}
-}
-
-func TestParseToken(t *testing.T) {
-	cases := map[string]struct {
-		Header        string
-		ExpectedToken string
-		Expected      bool
-	}{
-		"Token Uppercase":   {Header: "Token 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
-		"Token Lowercase":   {Header: "token 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
-		"Token Unicode":     {Header: "to\u212Aen 1234567890123456789012345687901325467890", ExpectedToken: "", Expected: false},
-		"Bearer Uppercase":  {Header: "Bearer 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
-		"Bearer Lowercase":  {Header: "bearer 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
-		"Missing type":      {Header: "1234567890123456789012345687901325467890", ExpectedToken: "", Expected: false},
-		"Three Parts":       {Header: "abc 1234567890 test", ExpectedToken: "", Expected: false},
-		"Token Three Parts": {Header: "Token 1234567890 test", ExpectedToken: "", Expected: false},
-	}
-
-	for name := range cases {
-		c := cases[name]
-		t.Run(name, func(t *testing.T) {
-			req, _ := http.NewRequest("GET", "/", nil)
-			req.Header.Add("Authorization", c.Header)
-			ActualToken, ActualSuccess := parseToken(req)
-			assert.Equal(t, c.ExpectedToken, ActualToken)
-			assert.Equal(t, c.Expected, ActualSuccess)
-		})
-	}
-}
diff --git a/services/auth/method/util.go b/services/auth/method/util.go
new file mode 100644
index 0000000000..8f3d2d355d
--- /dev/null
+++ b/services/auth/method/util.go
@@ -0,0 +1,71 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	"net/http"
+	"strings"
+
+	"forgejo.org/modules/base"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/util"
+)
+
+func tokenFromForm(req *http.Request) optional.Option[string] {
+	_ = req.ParseForm()
+	if !setting.DisableQueryAuthToken {
+		// Check token.
+		if token := req.Form.Get("token"); token != "" {
+			return optional.Some(token)
+		}
+		// Check access token.
+		if token := req.Form.Get("access_token"); token != "" {
+			return optional.Some(token)
+		}
+	} else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
+		log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
+	}
+	return optional.None[string]()
+}
+
+func tokenFromAuthorizationBearer(req *http.Request) optional.Option[string] {
+	authorization := req.Header.Get("Authorization")
+	if len(authorization) != 0 {
+		auths := strings.Fields(authorization)
+		if len(auths) == 2 && (util.ASCIIEqualFold(auths[0], "token") || util.ASCIIEqualFold(auths[0], "bearer")) {
+			return optional.Some(auths[1])
+		}
+	}
+	return optional.None[string]()
+}
+
+func tokenFromAuthorizationBasic(req *http.Request) optional.Option[string] {
+	authorization := req.Header.Get("Authorization")
+	if len(authorization) != 0 {
+		auths := strings.SplitN(authorization, " ", 2)
+		if len(auths) == 2 && strings.ToLower(auths[0]) == "basic" {
+			uname, passwd, err := base.BasicAuthDecode(auths[1])
+			if err != nil {
+				// Client provided a `Authorization: Basic ...`, but then [...] either couldn't be base64 decoded, or
+				// didn't contain a ":" for username/password separation.  If we return `None`, it'll indicate to the
+				// caller that `Authorization: Basic [...]` wasn't present and skip authentication, so intead we'll
+				// return Some with an empty token to trigger a 401 error.
+				log.Debug("unexpected error in BasicAuthDecode(%q): %s", auths[1], err)
+				return optional.Some("")
+			}
+
+			// Usually we'll use the password as the access token (or oauth token), but if the password is empty or
+			// `x-oauth-basic`, we'll use the username as a token.  This behaviour is inherited from GitHub's OAuth Git
+			// over HTTPS behaviour.
+			if len(passwd) == 0 || passwd == "x-oauth-basic" {
+				return optional.Some(uname)
+			}
+
+			return optional.Some(passwd)
+		}
+	}
+	return optional.None[string]()
+}
diff --git a/services/auth/method/util_test.go b/services/auth/method/util_test.go
new file mode 100644
index 0000000000..9183701e4f
--- /dev/null
+++ b/services/auth/method/util_test.go
@@ -0,0 +1,43 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package method
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTokenFromAuthorizationBearer(t *testing.T) {
+	cases := map[string]struct {
+		Header        string
+		ExpectedToken string
+		Expected      bool
+	}{
+		"Token Uppercase":   {Header: "Token 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
+		"Token Lowercase":   {Header: "token 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
+		"Token Unicode":     {Header: "to\u212Aen 1234567890123456789012345687901325467890", ExpectedToken: "", Expected: false},
+		"Bearer Uppercase":  {Header: "Bearer 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
+		"Bearer Lowercase":  {Header: "bearer 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
+		"Missing type":      {Header: "1234567890123456789012345687901325467890", ExpectedToken: "", Expected: false},
+		"Three Parts":       {Header: "abc 1234567890 test", ExpectedToken: "", Expected: false},
+		"Token Three Parts": {Header: "Token 1234567890 test", ExpectedToken: "", Expected: false},
+	}
+
+	for name := range cases {
+		c := cases[name]
+		t.Run(name, func(t *testing.T) {
+			req, _ := http.NewRequest("GET", "/", nil)
+			req.Header.Add("Authorization", c.Header)
+			maybeToken := tokenFromAuthorizationBearer(req)
+			if hasToken, token := maybeToken.Get(); hasToken {
+				assert.True(t, c.Expected)
+				assert.Equal(t, c.ExpectedToken, token)
+			} else {
+				assert.False(t, c.Expected)
+			}
+		})
+	}
+}
diff --git a/tests/integration/api_twofa_test.go b/tests/integration/api_twofa_test.go
index ab173fc9f9..867dfe1e56 100644
--- a/tests/integration/api_twofa_test.go
+++ b/tests/integration/api_twofa_test.go
@@ -6,6 +6,7 @@ package integration
 import (
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"testing"
 	"time"
@@ -82,7 +83,7 @@ func TestAPIWebAuthn(t *testing.T) {
 
 	DecodeJSON(t, resp, &userParsed)
 
-	assert.Equal(t, "Basic authorization is not allowed while having security keys enrolled", userParsed.Message)
+	assert.Contains(t, userParsed.Message, "Basic authorization is not allowed while having security keys enrolled\n")
 }
 
 func TestAPIWithRequiredTwoFactor(t *testing.T) {
@@ -144,7 +145,14 @@ func TestAPIWithRequiredTwoFactor(t *testing.T) {
 			var response userResponse
 			DecodeJSON(t, resp, &response)
 
-			assert.True(t, strings.HasPrefix(response.Message, messagePrefix))
+			assert.True(t,
+				slices.ContainsFunc(
+					strings.Split(response.Message, "\n"),
+					func(msg string) bool {
+						return strings.HasPrefix(msg, messagePrefix)
+					},
+				),
+				"expected prefix %q, but response message was %q", messagePrefix, response.Message)
 		}
 	}
 

From 9d275907c5d383335ea79d51fcd955afe209fa12 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 24 Apr 2026 18:36:55 +0200
Subject: [PATCH 166/287] Update dependency @codemirror/view to v6.41.1
 (forgejo) (#12219)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12219
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json | 16 ++++++++--------
 package.json      |  4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 527811982e..fd1978bc31 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -28,9 +28,9 @@
         "@codemirror/lang-xml": "6.1.0",
         "@codemirror/lang-yaml": "6.1.3",
         "@codemirror/language": "6.12.3",
-        "@codemirror/search": "6.6.0",
+        "@codemirror/search": "6.7.0",
         "@codemirror/state": "6.6.0",
-        "@codemirror/view": "6.41.0",
+        "@codemirror/view": "6.41.1",
         "@github/markdown-toolbar-element": "2.2.3",
         "@github/quote-selection": "2.1.0",
         "@github/text-expander-element": "2.9.4",
@@ -754,9 +754,9 @@
       }
     },
     "node_modules/@codemirror/search": {
-      "version": "6.6.0",
-      "resolved": "https://registry.npmjs.org/@codemirror/search/-/search-6.6.0.tgz",
-      "integrity": "sha512-koFuNXcDvyyotWcgOnZGmY7LZqEOXZaaxD/j6n18TCLx2/9HieZJ5H6hs1g8FiRxBD0DNfs0nXn17g872RmYdw==",
+      "version": "6.7.0",
+      "resolved": "https://registry.npmjs.org/@codemirror/search/-/search-6.7.0.tgz",
+      "integrity": "sha512-ZvGm99wc/s2cITtMT15LFdn8aH/aS+V+DqyGq/N5ZlV5vWtH+nILvC2nw0zX7ByNoHHDZ2IxxdW38O0tc5nVHg==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/state": "^6.0.0",
@@ -774,9 +774,9 @@
       }
     },
     "node_modules/@codemirror/view": {
-      "version": "6.41.0",
-      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.41.0.tgz",
-      "integrity": "sha512-6H/qadXsVuDY219Yljhohglve8xf4B8xJkVOEWfA5uiYKiTFppjqsvsfR5iPA0RbvRBoOyTZpbLIxe9+0UR8xA==",
+      "version": "6.41.1",
+      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.41.1.tgz",
+      "integrity": "sha512-ToDnWKbBnke+ZLrP6vgTTDScGi5H37YYuZGniQaBzxMVdtCxMrslsmtnOvbPZk4RX9bvkQqnWR/WS/35tJA0qg==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/state": "^6.6.0",
diff --git a/package.json b/package.json
index de425537c8..ef3638cff7 100644
--- a/package.json
+++ b/package.json
@@ -27,9 +27,9 @@
     "@codemirror/lang-xml": "6.1.0",
     "@codemirror/lang-yaml": "6.1.3",
     "@codemirror/language": "6.12.3",
-    "@codemirror/search": "6.6.0",
+    "@codemirror/search": "6.7.0",
     "@codemirror/state": "6.6.0",
-    "@codemirror/view": "6.41.0",
+    "@codemirror/view": "6.41.1",
     "@github/markdown-toolbar-element": "2.2.3",
     "@github/quote-selection": "2.1.0",
     "@github/text-expander-element": "2.9.4",

From 10643ceb9b821cec1fa0668e750117eed9e1312e Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 25 Apr 2026 01:06:51 +0200
Subject: [PATCH 167/287] Update dependency htmx.org to v2.0.10 (forgejo)
 (#12256)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12256
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index fd1978bc31..5a0e0185ec 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -51,7 +51,7 @@
         "esbuild-loader": "4.4.3",
         "escape-goat": "4.0.0",
         "fast-glob": "3.3.3",
-        "htmx.org": "2.0.9",
+        "htmx.org": "2.0.10",
         "idiomorph": "0.3.0",
         "jquery": "3.7.1",
         "katex": "0.16.45",
@@ -9539,9 +9539,9 @@
       }
     },
     "node_modules/htmx.org": {
-      "version": "2.0.9",
-      "resolved": "https://registry.npmjs.org/htmx.org/-/htmx.org-2.0.9.tgz",
-      "integrity": "sha512-Vd8ZlGSshz2W2ej+gNpMqxX2PM0dfOn4lRgkTXgCT+cqZE/GwBQoYm3zGvlqf+hHXYCMYmmgae33m4/RPdTS0Q==",
+      "version": "2.0.10",
+      "resolved": "https://registry.npmjs.org/htmx.org/-/htmx.org-2.0.10.tgz",
+      "integrity": "sha512-kdeJe7ZVwaS6QMz/ebBIVtZdpwen6L0OQ5GOhPV9MKBb196TCZeZu4yA7ZIQsaLKv7EpXz+So7KSXNuHXhj7Cw==",
       "license": "0BSD"
     },
     "node_modules/iconv-lite": {
diff --git a/package.json b/package.json
index ef3638cff7..05133d2045 100644
--- a/package.json
+++ b/package.json
@@ -50,7 +50,7 @@
     "esbuild-loader": "4.4.3",
     "escape-goat": "4.0.0",
     "fast-glob": "3.3.3",
-    "htmx.org": "2.0.9",
+    "htmx.org": "2.0.10",
     "idiomorph": "0.3.0",
     "jquery": "3.7.1",
     "katex": "0.16.45",

From cb1cb2c0af3b971aac3c94ed0eb9610af9e2d409 Mon Sep 17 00:00:00 2001
From: Henry Catalini Smith <henry@catalinismith.se>
Date: Sat, 25 Apr 2026 20:47:11 +0200
Subject: [PATCH 168/287] Improve repo file list table semantics for screen
 readers (second attempt) (#12232)

Unintentionally fixes forgejo/forgejo#11812 per tip https://codeberg.org/forgejo/forgejo/pulls/12232#issuecomment-13580345

---

This is a second attempt to fix https://codeberg.org/forgejo/forgejo/issues/11116. The [first attempt](https://codeberg.org/forgejo/forgejo/pulls/11846) introduced a [regression](https://codeberg.org/forgejo/forgejo/issues/12082) and needed to be [reverted](https://codeberg.org/forgejo/forgejo/pulls/12088).

What's different about this attempt is that several days of extra work have been invested in amending the CSS to ensure that no visual changes slip through as a side-effect of the structural changes to the HTML. This was surprisingly challenging, and I documented much of the journey in https://codeberg.org/henrycatalinismith/forgejo/issues/1.

In summary, the existing version of the "latest commit" row leans heavily on global styles that are universally applied to all `thead` elements inside `table` elements with the `ui` and `table` classes. The nature of the structural HTML changes necessary to fix the accessibility bug (this row can't be inside `thead`) is such that those universal styles no longer apply to this element and must be duplicated into new element-specific styles. Similarly, existing styles applying to non-`thead` table content has unwanted effects on this element once it moves into the `tbody` which needed to be counteracted.

The original PR already lays out the accessibility impact of this pull request in a good amount of details and so instead I'm going to use the space here to focus on comparing the visuals in the `forgejo` branch with those in this PR. There follow a few pretty boring identical before & after screenshots that are pixel-for-pixel identical with each other. I don't think you'll be able to spot any bugs by glancing at these and am more sharing them to provide an insight into where my attention has been during testing: the 380px wide mobile viewport, a larger desktop viewport, and the "commit message too long to fit in the available space" case. If you know of other troublesome cases for this code that aren't covered by what you see in these images then that could be a good thing to explore here.

Before | After
-|-
![](/attachments/a6f18efd-8b3b-426e-a0dc-70e9eda3fe73) | ![](/attachments/6297c663-cd5a-4849-a555-061257d59238)
![](/attachments/bbb90da2-afbf-4be5-9293-ec8b3a3dbb3a) | ![](/attachments/29103640-fce9-42c9-b91a-f9d6f9ba4db0)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12232
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
---
 options/locale_next/locale_en-US.json |  4 ++++
 templates/repo/view_list.tmpl         | 18 +++++++++++------
 tests/integration/repo_test.go        |  4 ++--
 web_src/css/repo.css                  | 28 +++++++++++++++++++++++----
 4 files changed, 42 insertions(+), 12 deletions(-)

diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index 85a21ef28d..f3ac162fac 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -52,6 +52,10 @@
 	"relativetime.1week": "last week",
 	"relativetime.1month": "last month",
 	"relativetime.1year": "last year",
+	"repo.files.caption": "Repository files (latest commit first)",
+	"repo.files.filename": "Filename",
+	"repo.files.last_commit_message": "Latest commit message",
+	"repo.files.last_commit_date": "Latest commit date",
 	"repo.issues.filter_poster.hint": "Filter by the author",
 	"repo.issues.filter_assignee.hint": "Filter by assigned user",
 	"repo.issues.filter_reviewers.hint": "Filter by user who reviewed",
diff --git a/templates/repo/view_list.tmpl b/templates/repo/view_list.tmpl
index ffd8b1a515..cc583d18c7 100644
--- a/templates/repo/view_list.tmpl
+++ b/templates/repo/view_list.tmpl
@@ -1,17 +1,23 @@
 <table id="repo-files-table" class="ui single line table tw-mt-0" {{if .HasFilesWithoutLatestCommit}}hx-indicator="tr.notready td.message span" hx-trigger="load" hx-swap="morph" hx-post="{{.LastCommitLoaderURL}}"{{end}}>
-	<thead>
+	<caption class="tw-sr-only">
+		{{ctx.Locale.Tr "repo.files.caption"}}
+	</caption>
+	<thead class="tw-sr-only">
+		<th>{{ctx.Locale.Tr "repo.files.filename"}}</th>
+		<th>{{ctx.Locale.Tr "repo.files.last_commit_message"}}</th>
+		<th>{{ctx.Locale.Tr "repo.files.last_commit_date"}}</th>
+	</thead>
+	<tbody>
 		<tr class="commit-list">
-			<th class="tw-overflow-hidden" colspan="2">
+			<td class="tw-overflow-hidden repo-files-table-latest-commit-cell repo-files-table-latest-commit-left" colspan="2">
 				<div class="tw-flex">
 					<div class="latest-commit">
 						{{template "repo/latest_commit" .}}
 					</div>
 				</div>
-			</th>
-			<th class="text grey right age">{{if .LatestCommit}}{{if .LatestCommit.Committer}}{{DateUtils.TimeSince .LatestCommit.Committer.When}}{{end}}{{end}}</th>
+			</td>
+			<td class="text grey right age repo-files-table-latest-commit-cell tw-py-0">{{if .LatestCommit}}{{if .LatestCommit.Committer}}{{DateUtils.TimeSince .LatestCommit.Committer.When}}{{end}}{{end}}</td>
 		</tr>
-	</thead>
-	<tbody>
 		{{if .HasParentPath}}
 			<tr class="has-parent">
 				<td colspan="3"><a class="muted" href="{{.BranchLink}}{{if .ParentPath}}{{PathEscapeSegments .ParentPath}}{{end}}">{{svg "octicon-reply" 16 "tw-mr-2"}}..</a></td>
diff --git a/tests/integration/repo_test.go b/tests/integration/repo_test.go
index 1b4a574f13..2f189bf7a8 100644
--- a/tests/integration/repo_test.go
+++ b/tests/integration/repo_test.go
@@ -70,7 +70,7 @@ func testViewRepo(t *testing.T) {
 	resp := session.MakeRequest(t, req, http.StatusOK)
 
 	htmlDoc := NewHTMLParser(t, resp.Body)
-	files := htmlDoc.doc.Find("#repo-files-table  > TBODY > TR")
+	files := htmlDoc.doc.Find("#repo-files-table > tbody > tr:not(.commit-list)")
 
 	type file struct {
 		fileName   string
@@ -1039,7 +1039,7 @@ func TestRepoFilesList(t *testing.T) {
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		htmlDoc := NewHTMLParser(t, resp.Body)
-		filesList := htmlDoc.Find("#repo-files-table tbody tr").Map(func(_ int, s *goquery.Selection) string {
+		filesList := htmlDoc.Find("#repo-files-table tbody tr:not(.commit-list)").Map(func(_ int, s *goquery.Selection) string {
 			return s.AttrOr("data-entryname", "")
 		})
 
diff --git a/web_src/css/repo.css b/web_src/css/repo.css
index 00f159f33b..0619f154af 100644
--- a/web_src/css/repo.css
+++ b/web_src/css/repo.css
@@ -233,12 +233,22 @@ td .commit-summary {
 }
 
 /* this is what limits the commit table width to a value that works on all viewport sizes */
-#repo-files-table th:first-of-type {
+.repo-files-table-latest-commit-left {
   max-width: calc(calc(min(100vw, 1280px)) - 145px - calc(2 * var(--page-margin-x)));
 }
 
-.repository.file.list #repo-files-table thead th {
+.repo-files-table-latest-commit-cell {
   font-weight: var(--font-weight-normal);
+  background: var(--color-box-header);
+  text-align: inherit;
+  color: var(--color-text);
+  vertical-align: inherit;
+  border-left: none;
+  padding: 6px 5px 6px 10px;
+}
+
+.latest-commit .commit-summary {
+  white-space: nowrap;
 }
 
 .repository.file.list #repo-files-table tbody .svg {
@@ -246,6 +256,16 @@ td .commit-summary {
   margin-right: 5px;
 }
 
+@media (min-width: 767.98px) {
+  #repo-files-table tbody > tr.commit-list td {
+    border-bottom: 1px solid var(--color-secondary);
+  }
+
+  #repo-files-table tbody > tr:is(.entry, .has-parent):nth-child(2) td {
+    border-top: none;
+  }
+}
+
 .repository.file.list #repo-files-table tbody .svg.octicon-reply {
   margin-right: 10px;
 }
@@ -262,7 +282,7 @@ td .commit-summary {
   color: var(--color-secondary-dark-7);
 }
 
-.repository.file.list #repo-files-table td {
+.repository.file.list #repo-files-table td:not(.repo-files-table-latest-commit-cell) {
   padding-top: 0;
   padding-bottom: 0;
   overflow: initial;
@@ -328,7 +348,7 @@ td .commit-summary {
   padding-bottom: 8px;
 }
 
-.repository.file.list #repo-files-table td a {
+.repository.file.list #repo-files-table td a:not(.sha, .author-wrapper) {
   padding-top: 8px;
   padding-bottom: 8px;
 }

From 0d943086196e311ff150db05367bbd066c61577a Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 26 Apr 2026 14:11:23 +0200
Subject: [PATCH 169/287] Update dependency vue to v3.5.33 (forgejo) (#12264)

---
 package-lock.json | 110 +++++++++++++++++++++++-----------------------
 package.json      |   2 +-
 2 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5a0e0185ec..4fa5e76198 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -73,7 +73,7 @@
         "tributejs": "5.1.3",
         "uint8-to-base64": "0.2.1",
         "vanilla-colorful": "0.7.2",
-        "vue": "3.5.32",
+        "vue": "3.5.33",
         "vue-chartjs": "5.3.3",
         "vue-loader": "17.4.2",
         "vue3-calendar-heatmap": "2.0.5",
@@ -5177,42 +5177,42 @@
       }
     },
     "node_modules/@vue/compiler-core": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.32.tgz",
-      "integrity": "sha512-4x74Tbtqnda8s/NSD6e1Dr5p1c8HdMU5RWSjMSUzb8RTcUQqevDCxVAitcLBKT+ie3o0Dl9crc/S/opJM7qBGQ==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.33.tgz",
+      "integrity": "sha512-3PZLQwFw4Za3TC8t0FvTy3wI16Kt+pmwcgNZca4Pj9iWL2E72a/gZlpBtAJvEdDMdCxdG/qq0C7PN0bsJuv0Rw==",
       "license": "MIT",
       "dependencies": {
         "@babel/parser": "^7.29.2",
-        "@vue/shared": "3.5.32",
+        "@vue/shared": "3.5.33",
         "entities": "^7.0.1",
         "estree-walker": "^2.0.2",
         "source-map-js": "^1.2.1"
       }
     },
     "node_modules/@vue/compiler-dom": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.32.tgz",
-      "integrity": "sha512-ybHAu70NtiEI1fvAUz3oXZqkUYEe5J98GjMDpTGl5iHb0T15wQYLR4wE3h9xfuTNA+Cm2f4czfe8B4s+CCH57Q==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.33.tgz",
+      "integrity": "sha512-PXq0yrfCLzzL07rbXO4awtXY1Z06LG2eu6Adg3RJFa/j3Cii217XxxLXG22N330gw7GmALCY0Z8RgXEviwgpjA==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-core": "3.5.32",
-        "@vue/shared": "3.5.32"
+        "@vue/compiler-core": "3.5.33",
+        "@vue/shared": "3.5.33"
       }
     },
     "node_modules/@vue/compiler-sfc": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.32.tgz",
-      "integrity": "sha512-8UYUYo71cP/0YHMO814TRZlPuUUw3oifHuMR7Wp9SNoRSrxRQnhMLNlCeaODNn6kNTJsjFoQ/kqIj4qGvya4Xg==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.33.tgz",
+      "integrity": "sha512-UTUvRO9cY+rROrx/pvN9P5Z7FgA6QGfokUCfhQE4EnmUj3rVnK+CHI0LsEO1pg+I7//iRYMUfcNcCPe7tg0CoA==",
       "license": "MIT",
       "dependencies": {
         "@babel/parser": "^7.29.2",
-        "@vue/compiler-core": "3.5.32",
-        "@vue/compiler-dom": "3.5.32",
-        "@vue/compiler-ssr": "3.5.32",
-        "@vue/shared": "3.5.32",
+        "@vue/compiler-core": "3.5.33",
+        "@vue/compiler-dom": "3.5.33",
+        "@vue/compiler-ssr": "3.5.33",
+        "@vue/shared": "3.5.33",
         "estree-walker": "^2.0.2",
         "magic-string": "^0.30.21",
-        "postcss": "^8.5.8",
+        "postcss": "^8.5.10",
         "source-map-js": "^1.2.1"
       }
     },
@@ -5226,63 +5226,63 @@
       }
     },
     "node_modules/@vue/compiler-ssr": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.32.tgz",
-      "integrity": "sha512-Gp4gTs22T3DgRotZ8aA/6m2jMR+GMztvBXUBEUOYOcST+giyGWJ4WvFd7QLHBkzTxkfOt8IELKNdpzITLbA2rw==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.33.tgz",
+      "integrity": "sha512-IErjYdnj1qIupG5xxiVIYiiRvDhGWV4zuh/RCrwfYpuL+HWQzeU6lCk/nF9r7olWMnjKxCAkOctT2qFWFkzb1A==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.32",
-        "@vue/shared": "3.5.32"
+        "@vue/compiler-dom": "3.5.33",
+        "@vue/shared": "3.5.33"
       }
     },
     "node_modules/@vue/reactivity": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.32.tgz",
-      "integrity": "sha512-/ORasxSGvZ6MN5gc+uE364SxFdJ0+WqVG0CENXaGW58TOCdrAW76WWaplDtECeS1qphvtBZtR+3/o1g1zL4xPQ==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.33.tgz",
+      "integrity": "sha512-p8UfIqyIhb0rYGlSgSBV+lPhF2iUSBcRy7enhTmPqKWadHy9kcOFYF1AejYBP9P+avnd3OBbD49DU4pLWX/94A==",
       "license": "MIT",
       "dependencies": {
-        "@vue/shared": "3.5.32"
+        "@vue/shared": "3.5.33"
       }
     },
     "node_modules/@vue/runtime-core": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.32.tgz",
-      "integrity": "sha512-pDrXCejn4UpFDFmMd27AcJEbHaLemaE5o4pbb7sLk79SRIhc6/t34BQA7SGNgYtbMnvbF/HHOftYBgFJtUoJUQ==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.33.tgz",
+      "integrity": "sha512-UpFF45RI9//a7rvq7RdOQblb4tup7hHG9QsmIrxkFQLzQ7R8/iNQ5LE15NhLZ1/WcHMU2b47u6P33CPUelHyIQ==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.32",
-        "@vue/shared": "3.5.32"
+        "@vue/reactivity": "3.5.33",
+        "@vue/shared": "3.5.33"
       }
     },
     "node_modules/@vue/runtime-dom": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.32.tgz",
-      "integrity": "sha512-1CDVv7tv/IV13V8Nip1k/aaObVbWqRlVCVezTwx3K07p7Vxossp5JU1dcPNhJk3w347gonIUT9jQOGutyJrSVQ==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.33.tgz",
+      "integrity": "sha512-IOxMsAOwquhfITgmOgaPYl7/j8gKUxUFoflRc+u4LxyD3+783xne8vNta1PONVCvCV9A0w7hkyEepINDqfO0tw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.32",
-        "@vue/runtime-core": "3.5.32",
-        "@vue/shared": "3.5.32",
+        "@vue/reactivity": "3.5.33",
+        "@vue/runtime-core": "3.5.33",
+        "@vue/shared": "3.5.33",
         "csstype": "^3.2.3"
       }
     },
     "node_modules/@vue/server-renderer": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.32.tgz",
-      "integrity": "sha512-IOjm2+JQwRFS7W28HNuJeXQle9KdZbODFY7hFGVtnnghF51ta20EWAZJHX+zLGtsHhaU6uC9BGPV52KVpYryMQ==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.33.tgz",
+      "integrity": "sha512-0xylq/8/h44lVG0pZFknv1XIdEgymq2E9n59uTWJBG+dIgiT0TMCSsxrN7nO16Z0MU0MPjFcguBbZV8Itk52Hw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-ssr": "3.5.32",
-        "@vue/shared": "3.5.32"
+        "@vue/compiler-ssr": "3.5.33",
+        "@vue/shared": "3.5.33"
       },
       "peerDependencies": {
-        "vue": "3.5.32"
+        "vue": "3.5.33"
       }
     },
     "node_modules/@vue/shared": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.32.tgz",
-      "integrity": "sha512-ksNyrmRQzWJJ8n3cRDuSF7zNNontuJg1YHnmWRJd2AMu8Ij2bqwiiri2lH5rHtYPZjj4STkNcgcmiQqlOjiYGg==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.33.tgz",
+      "integrity": "sha512-5vR2QIlmaLG77Ygd4pMP6+SGQ5yox9VhtnbDWTy9DzMzdmeLxZ1QqxrywEZ9sa1AVubfIJyaCG3ytyWU81ufcQ==",
       "license": "MIT"
     },
     "node_modules/@vue/test-utils": {
@@ -16050,16 +16050,16 @@
       "license": "MIT"
     },
     "node_modules/vue": {
-      "version": "3.5.32",
-      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.32.tgz",
-      "integrity": "sha512-vM4z4Q9tTafVfMAK7IVzmxg34rSzTFMyIe0UUEijUCkn9+23lj0WRfA83dg7eQZIUlgOSGrkViIaCfqSAUXsMw==",
+      "version": "3.5.33",
+      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.33.tgz",
+      "integrity": "sha512-1AgChhx5w3ALgT4oK3acm2Es/7jyZhWSVUfs3rOBlGQC0rjEDkS7G4lWlJJGGNQD+BV3reCwbQrOe1mPNwKHBQ==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.32",
-        "@vue/compiler-sfc": "3.5.32",
-        "@vue/runtime-dom": "3.5.32",
-        "@vue/server-renderer": "3.5.32",
-        "@vue/shared": "3.5.32"
+        "@vue/compiler-dom": "3.5.33",
+        "@vue/compiler-sfc": "3.5.33",
+        "@vue/runtime-dom": "3.5.33",
+        "@vue/server-renderer": "3.5.33",
+        "@vue/shared": "3.5.33"
       },
       "peerDependencies": {
         "typescript": "*"
diff --git a/package.json b/package.json
index 05133d2045..74114e03f4 100644
--- a/package.json
+++ b/package.json
@@ -72,7 +72,7 @@
     "tributejs": "5.1.3",
     "uint8-to-base64": "0.2.1",
     "vanilla-colorful": "0.7.2",
-    "vue": "3.5.32",
+    "vue": "3.5.33",
     "vue-chartjs": "5.3.3",
     "vue-loader": "17.4.2",
     "vue3-calendar-heatmap": "2.0.5",

From b17ed16f31884bcaf49bd30f78a8968112020973 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 26 Apr 2026 15:13:32 +0200
Subject: [PATCH 170/287] fix: allow viewing Actions run triggered by deleted
 user (#12271)

Fixes #9371.  Manually reproduced and tested by setting `action_run.triggering_user_id` to a non-existent user ID.  Manually tested that runs can be cancelled in this state as well.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12271
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 models/actions/run.go      |  4 +++-
 models/actions/run_test.go | 12 +++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/models/actions/run.go b/models/actions/run.go
index fbbc5f8f01..862125224f 100644
--- a/models/actions/run.go
+++ b/models/actions/run.go
@@ -153,7 +153,9 @@ func (run *ActionRun) LoadAttributes(ctx context.Context) error {
 
 	if run.TriggerUser == nil {
 		u, err := user_model.GetPossibleUserByID(ctx, run.TriggerUserID)
-		if err != nil {
+		if user_model.IsErrUserNotExist(err) {
+			u = user_model.NewGhostUser()
+		} else if err != nil {
 			return err
 		}
 		run.TriggerUser = u
diff --git a/models/actions/run_test.go b/models/actions/run_test.go
index 959753107b..c87765ed72 100644
--- a/models/actions/run_test.go
+++ b/models/actions/run_test.go
@@ -19,9 +19,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestGetRunBefore(t *testing.T) {
-}
-
 func TestSetConcurrencyGroup(t *testing.T) {
 	run := ActionRun{}
 	run.SetConcurrencyGroup("abc123")
@@ -686,3 +683,12 @@ jobs:
 	assert.Zero(t, insertedJobs[1].TaskID)
 	assert.Equal(t, StatusWaiting, insertedJobs[1].Status)
 }
+
+func TestActionRunLoadAttributes(t *testing.T) {
+	run := &ActionRun{
+		RepoID:        10,
+		TriggerUserID: 1000,
+	}
+	require.NoError(t, run.LoadAttributes(t.Context()))
+	assert.Equal(t, "ghost", run.TriggerUser.LowerName)
+}

From 48218c654bfcb493ad39061b11b6224f33fded53 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 26 Apr 2026 20:52:42 +0200
Subject: [PATCH 171/287] feat: authorized integrations DB models and
 authentication implementation (#12261)

Authorized Integrations is a new feature to allow users to define external systems which can generate JSON Web Tokens (JWTs) that Forgejo will trust in order to perform API access on behalf of that user.  This is an authentication mechanism that requires zero preconfiguration of shared secrets, and instead establishes trust through short-lived secrets (JWTs) that are signed by the issuer, signatures are validated by comparison with published public keys, and a public-keys retrieved through well-known HTTP endpoints secured with TLS verification.

The primary goal of Authorized Integrations is to support a mechanism for Forgejo Actions to receive elevated, but controlled, additional access to Forgejo.  More details as to what the end result will look like are available in the [design proposal](https://codeberg.org/forgejo/forgejo/issues/3571#issuecomment-13268004) on #3571.

This PR adds the core database storage and authentication verification for Authorized Integrations, with these capabilities:
- An Authorized Integration is resolved by a unique key of an "issuer" and an "audience".  The value of "issuer" is defined by the remote integration, and the value of "audience" will incorporate a unique identifier generated by Forgejo.
    - Example issuer: `https://token.actions.githubusercontent.com/` is the issuer for GitHub JWTs
    - Example audience: `https://forgejo.example.org/-/mfenniak/authorized-integration/6cc55ba0` is the expected format for a random audience field that Forgejo will generate.
- JWTs can contain any number of claims, which are represented as a JSON object; Forgejo can validate these with a flexible policy.
    - eg. a claim may be `{"sub": "repo:coolguy/forgejo-runner-testrepo:pull_request"}` indicating that an OIDC token was received from an Actions execution in a specific repo on a specific event.
    - Authorized Integrations support a `ClaimRules` system which allows claim equal, glob, and nested object inspection.
    - `{"claim":"sub","comparison":"eq","value":"repo:mfenniak/forgejo-runner-testrepo:pull_request"}` -- would validate that `sub` exactly equals the specific value
    - `{"claim":"sub","comparison":"glob","value":"repo:mfenniak/forgejo-runner-testrepo:*"}` -- would validate that `sub` matches the given string prefix but allow any event
- When a JWT is received on an incoming API call, Forgejo retrieves the Authorized Integration from the DB (if present), validates the token signature against a remote JWKS, validates the claims, and grants API access as the user with a permission scope defined on the Authorized Integration.

In addition to the unit testing provided here, this PR has been manually integration tested against three JWT issuing systems: Forgejo Actions, GitHub Actions, and AWS STS GetWebIdentityToken.

Careful consideration has been made of these security concerns:
- SSRF attacks against Forgejo are prevented by:
    - having a blocklist on remote HTTP validation requests which prevent access to internal network resources,
    - ensuring that authorized integrations are created by users with matching issuers, before attempting to validate tokens
- Resource utilization attacks against Forgejo are reduced by limiting the possible size of external metadata requests; when fetching `/.well-known/openid-configuration` and `jkws_uri`'s from remote, untrusted servers, a maximum response size of 16 kB is enforced
- Only well-known secure assymmetric JWT signing algorithms are supported -- in particular, the sketchy `none` JWT algorithm isn't supported.
- JWT validation is covered by extensive unit tests, covering validation of all JWT timestamps, validation of the issuers, validation of the issuer's documented supported signing algorithms.

This PR serves as a core, and many enhancements are required for this to be a usable system for users.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
    - Documentation updates for new config entries will be authored.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
    - Marking not visible as there's no mechanism to interact with this backend yet.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12261
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 custom/conf/app.example.ini                   |  23 +
 models/auth/authorized_integration.go         | 146 ++++
 .../authorized_integration_resource_repo.go   |  27 +
 models/auth/authorized_integration_test.go    |  81 ++
 .../v16a_add_authorized_integration.go        |  45 ++
 modules/jwtx/signingkey.go                    |  94 +++
 modules/setting/authorized_integration.go     |  21 +
 modules/setting/setting.go                    |   1 +
 routers/api/shared/middleware.go              |   1 +
 .../auth_result_authorized_integration.go     |  27 +
 .../auth/method/authorized_integration.go     | 348 +++++++++
 .../method/authorized_integration_claims.go   | 109 +++
 .../authorized_integration_claims_test.go     | 149 ++++
 .../method/authorized_integration_oidc.go     |  20 +
 .../authorized_integration_oidc_test.go       | 273 +++++++
 .../method/authorized_integration_test.go     | 723 ++++++++++++++++++
 16 files changed, 2088 insertions(+)
 create mode 100644 models/auth/authorized_integration.go
 create mode 100644 models/auth/authorized_integration_resource_repo.go
 create mode 100644 models/auth/authorized_integration_test.go
 create mode 100644 models/forgejo_migrations/v16a_add_authorized_integration.go
 create mode 100644 modules/setting/authorized_integration.go
 create mode 100644 services/auth/method/auth_result_authorized_integration.go
 create mode 100644 services/auth/method/authorized_integration.go
 create mode 100644 services/auth/method/authorized_integration_claims.go
 create mode 100644 services/auth/method/authorized_integration_claims_test.go
 create mode 100644 services/auth/method/authorized_integration_oidc.go
 create mode 100644 services/auth/method/authorized_integration_oidc_test.go
 create mode 100644 services/auth/method/authorized_integration_test.go

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 7a85d1e7ae..ae22c02609 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2823,3 +2823,26 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; storage type
 ;STORAGE_TYPE = local
+
+;; Authorized integrations are a capability for users to define external systems which can generate JWTs that Forgejo
+;; will trust in order to perform API access on behalf of that user. While validating a JWT from an external system,
+;; Forgejo makes outgoing HTTP requests to the JWT issuer.
+; [authorized_integration]
+;; Timeout for HTTP requests to remote servers. Default is 10 seconds.
+;REQUEST_TIMEOUT = 10s
+;
+;; Allowed domains for authorized integrations. Default is blank which means all domains will be allowed (except local
+;; networks, see ALLOW_LOCALNETWORKS).
+;; Multiple domains can be separated by commas.
+;; Wildcards are supported: "github.com, *.github.com"
+;ALLOWED_DOMAINS =
+;
+;; Blocklist for authorized integrations, default is blank.
+;; Multiple domains can be separated by commas.
+;; Wildcards are supported: "github.com, *.github.com"
+;BLOCKED_DOMAINS =
+;
+;; Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291.
+;; Default is false.
+;; If a domain is allowed by ALLOWED_DOMAINS, this option will be ignored.
+;ALLOW_LOCALNETWORKS = false
diff --git a/models/auth/authorized_integration.go b/models/auth/authorized_integration.go
new file mode 100644
index 0000000000..a8641d44ca
--- /dev/null
+++ b/models/auth/authorized_integration.go
@@ -0,0 +1,146 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package auth
+
+import (
+	"context"
+	"time"
+
+	"forgejo.org/models/db"
+	"forgejo.org/modules/timeutil"
+	"forgejo.org/modules/util"
+
+	"xorm.io/builder"
+)
+
+// An Authorized Integration allow users to define external systems which can generate JSON Web Tokens (JWTs) that
+// Forgejo will trust in order to perform API access on behalf of a user defined by the UserID field.
+//
+// When a JWT is received by Forgejo, the issuer (iss) and audience (aud) claims are used to lookup an authorized
+// integration with an exact match.  Together these fields serve as a unique key for the authorized issuer.  Duplicates
+// cannot be permitted because we would not know which user to authenticate the JWT as.
+type AuthorizedIntegration struct {
+	ID int64 `xorm:"pk autoincr"`
+
+	UserID           int64            `xorm:"NOT NULL REFERENCES(user, id)"`
+	Scope            AccessTokenScope `xorm:"NOT NULL"`
+	ResourceAllRepos bool             `xorm:"NOT NULL"` // flag for whether AuthorizedIntegrationResourceRepo instances will limit the resources this access token can access (false) or won't limit them (true).
+
+	// Exact-match `iss` claim of the JWT
+	Issuer string `xorm:"NOT NULL UNIQUE(s)"`
+	// Exact-match `aud` claim of the JWT
+	Audience   string      `xorm:"NOT NULL UNIQUE(s)"`
+	ClaimRules *ClaimRules `xorm:"NOT NULL JSON"`
+
+	CreatedUnix timeutil.TimeStamp `xorm:"NOT NULL created"`
+	UpdatedUnix timeutil.TimeStamp `xorm:"NOT NULL updated"`
+}
+
+func init() {
+	db.RegisterModel(new(AuthorizedIntegration))
+}
+
+// An [AuthorizedIntegration] can validate the claims in a JWT against a set of rules defined by this structure.
+//
+// JWTs can contain any number of claims, which are represented as a JSON object.  A small number of common claims are
+// described in RFC7519 (sec 4.1) which defines JWTs, but most claims are entirely arbitrarily defined by the JWT
+// issuer.
+//
+// For example, eg. a claim may be {"sub": "repo:coolguy/forgejo-runner-testrepo:pull_request"} indicating that an OIDC
+// token was received from an Actions execution in a specific repo on a specific event.
+//
+// Validating the claims from a JWT issuer is a critical part of creating a secure [AuthorizedIssuer].  For example,
+// assume that we receive a JWT from a public hosting platform like Codeberg.  We will validate that it is a claim
+// created by the correct Issuer, Codeberg -- but anyone can do that through Forgejo Actions.  We will validate that it
+// has the correct audience -- but that's an *input* to Forgejo Actions, so anyone can create a claim on Codeberg with
+// an arbitrary audience.  The rest of the claims contain the critical information about who ran a Forgejo Action, on
+// which repository, and in response to which events, and those must be validated to ensure that an authorized issuer is
+// correctly authorized.
+//
+// Following that an example, a minimum claim rule that would be required for securely using Forgejo Actions would be
+// something like:
+//
+//	{
+//	  "rules": [{
+//	     "claim": "sub",
+//	     "comparison": "eq",
+//	     "value": "repo:forgejo/website:pull_request"
+//	  }]
+//	}
+//
+// This defines a single rule which says that the `sub` claim must be exactly equal to
+// "repo:forgejo/website:pull_request".  Forgejo Actions would generate this subject when an Action is running on the
+// repo forgejo/website in response to the pull_request event.
+//
+// Some JWT claims are JSON objects.  The [ClaimNested] comparison operator can be used to define rules that inspect the
+// object within a claim.  For example, AWS STS generates a claim "https://sts.amazonaws.com/": {...} with values inside
+// an object, like "aws_account".  A nested claim can inspect those values:
+//
+//	{
+//	  "rules":[{
+//	    "claim": "https://sts.amazonaws.com/",
+//	    "compare": "nest",
+//	    "nested": {"rules":[
+//	      {"claim": "aws_account", "compare": "eq", "value": "1234567890"},
+//	      {"claim": "lambda_source_function_arn", "compare": "eq", "value": "arn:aws:lambda:ca-central-1:1234567890:function:forgejo-oidc-accepting-test"}
+//	    ]}
+//	  }
+//
+// ]}
+//
+// This defines a rule that looks into the "https://sts..." claim and verifies the "aws_account" and
+// "lambda_source_function_arn" keys match specific known values.
+type ClaimRules struct {
+	Rules []ClaimRule `json:"rules"`
+}
+
+// Defines a single rule that will check the value of one JWT claim.
+type ClaimRule struct {
+	// The target claim, eg. "sub"
+	Claim string `json:"claim"`
+	// Comparison rule to use on this claim
+	Comparison ClaimComparison `json:"compare"`
+
+	// For Comparison of ClaimEqual or ClaimGlob, the specific value or glob to match against
+	Value string `json:"value,omitempty"`
+
+	// For ClaimNested, the rules to apply to the nested object
+	Nested *ClaimRules `json:"nested,omitempty"`
+}
+
+type ClaimComparison string
+
+const (
+	ClaimEqual  ClaimComparison = "eq"   // exactly equal claim
+	ClaimGlob   ClaimComparison = "glob" // glob match complete claim string
+	ClaimNested ClaimComparison = "nest" // recurse into a claim that is an map[string]any with it's own data fields
+)
+
+func GetAuthorizedIntegration(ctx context.Context, issuer, audience string) (*AuthorizedIntegration, error) {
+	var ai AuthorizedIntegration
+	found, err := db.GetEngine(ctx).Where("issuer = ? AND audience = ?", issuer, audience).Get(&ai)
+	if err != nil {
+		return nil, err
+	} else if !found {
+		return nil, util.ErrNotExist
+	}
+	return &ai, nil
+}
+
+// Bump the UpdatedUnix field of this authorized integration to now, tracking when it was last used for authentication.
+// To reduce database write workload, this is only tracked by one-minute intervals -- the UPDATE statement conditionally
+// avoids writes.
+func (ai *AuthorizedIntegration) UpdateLastUsed(ctx context.Context) error {
+	newTime := timeutil.TimeStampNow()
+	cnt, err := db.GetEngine(ctx).
+		Table(&AuthorizedIntegration{}).
+		Where(builder.Eq{"id": ai.ID}).
+		Where(builder.Lt{"updated_unix": newTime.AddDuration(-1 * time.Minute)}).
+		NoAutoTime().
+		Update(map[string]any{"updated_unix": newTime})
+	if cnt == 1 {
+		ai.UpdatedUnix = newTime
+	}
+	return err
+}
diff --git a/models/auth/authorized_integration_resource_repo.go b/models/auth/authorized_integration_resource_repo.go
new file mode 100644
index 0000000000..98960b5c8a
--- /dev/null
+++ b/models/auth/authorized_integration_resource_repo.go
@@ -0,0 +1,27 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package auth
+
+import (
+	"forgejo.org/models/db"
+	"forgejo.org/modules/timeutil"
+)
+
+// Represents a many-to-many join table which indicates specific repositories (RepoID) that can be accessed by an
+// authorized integration (IntegID).  An authorized integrations's ResourceAllRepos field must be false for records in
+// this table to become active.
+//
+// Model name is shortend (from AuthorizedIntegrationResourceRepo) to accomodate recreate-tables + MySQL, where the
+// "tmp_recreate_" + foreign key index name would exceed the max identifier length.
+type AuthorizedIntegResourceRepo struct {
+	ID      int64 `xorm:"pk autoincr"`
+	IntegID int64 `xorm:"NOT NULL REFERENCES(authorized_integration, id)"` // field name shortened (AuthorizationIntegrationID) for max identifier length
+	RepoID  int64 `xorm:"NOT NULL REFERENCES(repository, id)"`
+
+	CreatedUnix timeutil.TimeStamp `xorm:"created NOT NULL"`
+}
+
+func init() {
+	db.RegisterModel(new(AuthorizedIntegResourceRepo))
+}
diff --git a/models/auth/authorized_integration_test.go b/models/auth/authorized_integration_test.go
new file mode 100644
index 0000000000..54cf97fcb5
--- /dev/null
+++ b/models/auth/authorized_integration_test.go
@@ -0,0 +1,81 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package auth_test
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/db"
+	"forgejo.org/models/unittest"
+	"forgejo.org/modules/timeutil"
+	"forgejo.org/modules/util"
+
+	gouuid "github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func makeAuthorizedIntegration(t *testing.T) *auth_model.AuthorizedIntegration {
+	t.Helper()
+
+	ai := &auth_model.AuthorizedIntegration{
+		UserID:           2,
+		Scope:            auth_model.AccessTokenScopeAll,
+		ResourceAllRepos: true,
+		Issuer:           "https://example.org/",
+		Audience:         fmt.Sprintf("https://forgejo.example.org/api/actions/%s", gouuid.New().String()),
+		ClaimRules:       &auth_model.ClaimRules{},
+	}
+	_, err := db.GetEngine(t.Context()).Insert(ai)
+	require.NoError(t, err)
+
+	return ai
+}
+
+func TestGetAuthorizedIntegration(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	ai := makeAuthorizedIntegration(t)
+
+	get, err := auth_model.GetAuthorizedIntegration(t.Context(), "abc", "123")
+	require.ErrorIs(t, err, util.ErrNotExist)
+	assert.Nil(t, get)
+
+	get, err = auth_model.GetAuthorizedIntegration(t.Context(), ai.Issuer, ai.Audience)
+	require.NoError(t, err)
+	require.NotNil(t, get)
+	assert.Equal(t, ai.ID, get.ID)
+}
+
+func TestAuthorizedIntegrationUpdateLastUsed(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	ai := makeAuthorizedIntegration(t)
+	ai.UpdatedUnix = 0
+	cnt, err := db.GetEngine(t.Context()).ID(ai.ID).Cols("updated_unix").NoAutoTime().Update(ai)
+	require.NoError(t, err)
+	assert.EqualValues(t, 1, cnt)
+
+	timeutil.MockSet(time.Unix(1777130023, 0))
+	defer timeutil.MockUnset()
+
+	assert.EqualValues(t, 0, ai.UpdatedUnix)
+	require.NoError(t, ai.UpdateLastUsed(t.Context()))
+	assert.EqualValues(t, 1777130023, ai.UpdatedUnix) // object field updated
+	assert.EqualValues(t, 1777130023, unittest.AssertExistsAndLoadBean(t, &auth_model.AuthorizedIntegration{ID: ai.ID}).UpdatedUnix)
+
+	// nearly immediate redo should have same timestamp due to the 1 minute deduplication:
+	timeutil.MockSet(time.Unix(1777130025, 0))
+	require.NoError(t, ai.UpdateLastUsed(t.Context()))
+	assert.EqualValues(t, 1777130023, ai.UpdatedUnix)                                                                                // object field not updated
+	assert.EqualValues(t, 1777130023, unittest.AssertExistsAndLoadBean(t, &auth_model.AuthorizedIntegration{ID: ai.ID}).UpdatedUnix) // database field not updated
+
+	// but if it's a little while later..
+	timeutil.MockSet(time.Unix(1777131139, 0))
+	require.NoError(t, ai.UpdateLastUsed(t.Context()))
+	assert.EqualValues(t, 1777131139, ai.UpdatedUnix)                                                                                // object field updated
+	assert.EqualValues(t, 1777131139, unittest.AssertExistsAndLoadBean(t, &auth_model.AuthorizedIntegration{ID: ai.ID}).UpdatedUnix) // database field updated
+}
diff --git a/models/forgejo_migrations/v16a_add_authorized_integration.go b/models/forgejo_migrations/v16a_add_authorized_integration.go
new file mode 100644
index 0000000000..4cfd5219f4
--- /dev/null
+++ b/models/forgejo_migrations/v16a_add_authorized_integration.go
@@ -0,0 +1,45 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package forgejo_migrations
+
+import (
+	"forgejo.org/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+func init() {
+	registerMigration(&Migration{
+		Description: "add authorized_integration tables",
+		Upgrade:     addAuthorizedIntegrationTables,
+	})
+}
+
+func addAuthorizedIntegrationTables(x *xorm.Engine) error {
+	type ClaimRules struct{}
+	type AuthorizedIntegration struct {
+		ID               int64              `xorm:"pk autoincr"`
+		UserID           int64              `xorm:"NOT NULL REFERENCES(user, id)"`
+		Scope            string             `xorm:"NOT NULL"`
+		ResourceAllRepos bool               `xorm:"NOT NULL"`
+		Issuer           string             `xorm:"NOT NULL UNIQUE(s)"`
+		Audience         string             `xorm:"NOT NULL UNIQUE(s)"`
+		ClaimRules       *ClaimRules        `xorm:"NOT NULL JSON"`
+		CreatedUnix      timeutil.TimeStamp `xorm:"NOT NULL created"`
+		UpdatedUnix      timeutil.TimeStamp `xorm:"NOT NULL updated"`
+	}
+	type AuthorizedIntegResourceRepo struct {
+		ID          int64              `xorm:"pk autoincr"`
+		IntegID     int64              `xorm:"NOT NULL REFERENCES(authorized_integration, id)"`
+		RepoID      int64              `xorm:"NOT NULL REFERENCES(repository, id)"`
+		CreatedUnix timeutil.TimeStamp `xorm:"created NOT NULL"`
+	}
+
+	_, err := x.SyncWithOptions(
+		xorm.SyncOptions{IgnoreDropIndices: true},
+		new(AuthorizedIntegration),
+		new(AuthorizedIntegResourceRepo),
+	)
+	return err
+}
diff --git a/modules/jwtx/signingkey.go b/modules/jwtx/signingkey.go
index be1115cb15..db9cf03aa2 100644
--- a/modules/jwtx/signingkey.go
+++ b/modules/jwtx/signingkey.go
@@ -469,3 +469,97 @@ func InitAsymmetricSigningKey(keyPath, algorithm string) (SigningKey, error) {
 
 	return signingKey, nil
 }
+
+func requiredJWKStr(jwk map[string]any, key string) (string, error) {
+	vAny, ok := jwk[key]
+	if !ok {
+		return "", fmt.Errorf("JWK missing required field %q", key)
+	}
+	vStr, ok := vAny.(string)
+	if !ok {
+		return "", fmt.Errorf("JWK field %q must be string, but was %T", key, vAny)
+	}
+	return vStr, nil
+}
+
+// Reconstructs public key from a JWKS entry (such as those produced by [SigningKey.ToJWK]), parsing the JWK output and
+// returning a key object.  The key object produced must be usable for [jwt.SigningMethod] interface's [Verify] method,
+// for the related signing method -- an [rsa.PublicKey] object, an [ed25519.PublicKey] object, or [ecdsa.PublicKey]
+// object, with the currently supported asymmetric algorithms.
+func ParseJWKToPublicKey(jwk map[string]any) (any, error) {
+	kty := jwk["kty"]
+
+	switch kty {
+	case "RSA":
+		eStr, err := requiredJWKStr(jwk, "e")
+		if err != nil {
+			return nil, err
+		}
+		nStr, err := requiredJWKStr(jwk, "n")
+		if err != nil {
+			return nil, err
+		}
+		eBytes, err := base64.RawURLEncoding.DecodeString(eStr)
+		if err != nil {
+			return nil, fmt.Errorf("invalid RSA JWK 'e' field: %w", err)
+		}
+		nBytes, err := base64.RawURLEncoding.DecodeString(nStr)
+		if err != nil {
+			return nil, fmt.Errorf("invalid RSA JWK 'n' field: %w", err)
+		}
+		pubKey := &rsa.PublicKey{
+			E: int(new(big.Int).SetBytes(eBytes).Int64()),
+			N: new(big.Int).SetBytes(nBytes),
+		}
+		return pubKey, nil
+	case "OKP":
+		if jwk["crv"] != "Ed25519" {
+			return nil, fmt.Errorf("OKP curve %d is not supported; only Ed25519", jwk["crv"])
+		}
+		xStr, err := requiredJWKStr(jwk, "x")
+		if err != nil {
+			return nil, err
+		}
+		xBytes, err := base64.RawURLEncoding.DecodeString(xStr)
+		if err != nil {
+			return nil, fmt.Errorf("invalid EdDSA JWK 'x' field: %w", err)
+		}
+		return ed25519.PublicKey(xBytes), nil
+	case "EC":
+		xStr, err := requiredJWKStr(jwk, "x")
+		if err != nil {
+			return nil, err
+		}
+		yStr, err := requiredJWKStr(jwk, "y")
+		if err != nil {
+			return nil, err
+		}
+		var curve elliptic.Curve
+		switch jwk["crv"] {
+		case "P-256":
+			curve = elliptic.P256()
+		case "P-384":
+			curve = elliptic.P384()
+		case "P-521":
+			curve = elliptic.P521()
+		default:
+			return nil, fmt.Errorf("unsupported ECDSA curve in JWK: %s", jwk["crv"])
+		}
+		xBytes, err := base64.RawURLEncoding.DecodeString(xStr)
+		if err != nil {
+			return nil, fmt.Errorf("invalid ECDSA JWK 'x' field: %w", err)
+		}
+		yBytes, err := base64.RawURLEncoding.DecodeString(yStr)
+		if err != nil {
+			return nil, fmt.Errorf("invalid ECDSA JWK 'y' field: %w", err)
+		}
+		pubKey := &ecdsa.PublicKey{
+			Curve: curve,
+			X:     new(big.Int).SetBytes(xBytes),
+			Y:     new(big.Int).SetBytes(yBytes),
+		}
+		return pubKey, nil
+	default:
+		return nil, fmt.Errorf("unsupported key type in JWK: %s", kty)
+	}
+}
diff --git a/modules/setting/authorized_integration.go b/modules/setting/authorized_integration.go
new file mode 100644
index 0000000000..778232e3ad
--- /dev/null
+++ b/modules/setting/authorized_integration.go
@@ -0,0 +1,21 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package setting
+
+import "time"
+
+var AuthorizedIntegration = struct {
+	AllowedDomains     string
+	BlockedDomains     string
+	AllowLocalNetworks bool
+	RequestTimeout     time.Duration
+}{}
+
+func loadAuthorizedIntegrationFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("authorized_integration")
+	AuthorizedIntegration.AllowedDomains = sec.Key("ALLOWED_DOMAINS").MustString("")
+	AuthorizedIntegration.BlockedDomains = sec.Key("BLOCKED_DOMAINS").MustString("")
+	AuthorizedIntegration.AllowLocalNetworks = sec.Key("ALLOW_LOCALNETWORKS").MustBool(false)
+	AuthorizedIntegration.RequestTimeout = sec.Key("REQUEST_TIMEOUT").MustDuration(10 * time.Second)
+}
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 44dad1fab1..bd3dec1f84 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -226,6 +226,7 @@ func LoadSettings() {
 	loadProjectFrom(CfgProvider)
 	loadMimeTypeMapFrom(CfgProvider)
 	loadF3From(CfgProvider)
+	loadAuthorizedIntegrationFrom(CfgProvider)
 }
 
 // LoadSettingsForInstall initializes the settings for install
diff --git a/routers/api/shared/middleware.go b/routers/api/shared/middleware.go
index 9dd1605783..f6dd30f8b8 100644
--- a/routers/api/shared/middleware.go
+++ b/routers/api/shared/middleware.go
@@ -53,6 +53,7 @@ func buildAuthGroup() *auth_method.Group {
 		&auth_method.AccessToken{},
 		&auth_method.ActionRuntimeToken{},
 		&auth_method.ActionTaskToken{},
+		&auth_method.AuthorizedIntegration{},
 	)
 	if setting.Service.EnableReverseProxyAuthAPI {
 		group.Add(&auth_method.ReverseProxy{})
diff --git a/services/auth/method/auth_result_authorized_integration.go b/services/auth/method/auth_result_authorized_integration.go
new file mode 100644
index 0000000000..6868b4848f
--- /dev/null
+++ b/services/auth/method/auth_result_authorized_integration.go
@@ -0,0 +1,27 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	auth_model "forgejo.org/models/auth"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/optional"
+	"forgejo.org/services/auth"
+)
+
+var _ auth.AuthenticationResult = &authorizedIntegrationAuthenticationResult{}
+
+type authorizedIntegrationAuthenticationResult struct {
+	*auth.BaseAuthenticationResult
+	user  *user_model.User
+	scope auth_model.AccessTokenScope
+}
+
+func (r *authorizedIntegrationAuthenticationResult) User() *user_model.User {
+	return r.user
+}
+
+func (r *authorizedIntegrationAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
+	return optional.Some(r.scope)
+}
diff --git a/services/auth/method/authorized_integration.go b/services/auth/method/authorized_integration.go
new file mode 100644
index 0000000000..2f29d406e3
--- /dev/null
+++ b/services/auth/method/authorized_integration.go
@@ -0,0 +1,348 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"slices"
+	"sync"
+	"time"
+
+	auth_model "forgejo.org/models/auth"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/hostmatcher"
+	"forgejo.org/modules/json"
+	"forgejo.org/modules/jwtx"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/proxy"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/util"
+	"forgejo.org/services/auth"
+
+	"github.com/gobwas/glob"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+var (
+	_ auth.Method = &AuthorizedIntegration{}
+
+	aiHTTPClient   *http.Client
+	initHTTPClient sync.Once
+
+	errParseInternalServer = errors.New("internal server error")
+)
+
+// Restrict document size to prevent resource exhaustion attack with a malicious authorized integration; largest
+// real-world openid-configuration observed is about 1kB, largest JWKS is 6kB, so for both cases 16kB should be
+// sufficient. If this needs to change in the future, it could be moved to a config setting -- but until a reason comes
+// up it seems reasonable to keep microscopic settings out-of-sight.
+const authorizedIntegrationRequestBodyLimit = int64(16 * 1024)
+
+// Authenticates incoming requests by JWTs that are issued by an authorized integration.  Authorized integrations are
+// stored in the database in the [auth_model.AuthorizedIntegration] table.  Once authenticated, the request can perform
+// actions as the owner of the authorized integration, with limited access defined by the scope and resources stored on
+// the database record.
+//
+// Authorization is received from HTTP requests as a `Authorization: Bearer [...jwt...]` (or `Authorization: Token
+// [...jwt...]`).
+type AuthorizedIntegration struct {
+	// Permit the use of `Authorization: Basic ...`, in addition to the typical bearer/token authorization header.  If
+	// true, the basic password will be interpreted as a JWT token if present and valid.  The username is ignored.
+	PermitBasic bool
+
+	// For testing -- interpret JWTs with now as a fixed time.
+	fixedTime *time.Time
+}
+
+func (a *AuthorizedIntegration) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
+	hasToken, token := tokenFromAuthorizationBearer(req).Get()
+	if !hasToken {
+		if !a.PermitBasic {
+			return &auth.AuthenticationNotAttempted{}
+		}
+		hasBasic, basicToken := tokenFromAuthorizationBasic(req).Get()
+		if !hasBasic {
+			return &auth.AuthenticationNotAttempted{}
+		}
+		token = basicToken
+	}
+
+	var authorizedIntegration *auth_model.AuthorizedIntegration
+
+	parsedToken, err := jwt.ParseWithClaims(token, &flexibleClaims{},
+		func(t *jwt.Token) (any, error) {
+			keyID, ok := t.Header["kid"]
+			if !ok {
+				return nil, errors.New("failed finding key identifer (kid) in JWT headers")
+			}
+
+			issuer, err := t.Claims.GetIssuer()
+			if err != nil {
+				return nil, fmt.Errorf("failed getting `iss` claim: %w", err)
+			} else if len(issuer) == 0 {
+				return nil, fmt.Errorf("invalid `iss` claim: %q", issuer)
+			}
+			audienceArray, err := t.Claims.GetAudience()
+			if err != nil {
+				return nil, fmt.Errorf("failed getting `aud` claim: %w", err)
+			} else if len(audienceArray) != 1 {
+				return nil, fmt.Errorf("required one and only one `aud` claim, but received %d", len(audienceArray))
+			}
+			audience := audienceArray[0]
+			if len(audience) == 0 {
+				return nil, fmt.Errorf("invalid `aud` claim: %q", audience)
+			}
+
+			authorizedIntegration, err = auth_model.GetAuthorizedIntegration(req.Context(), issuer, audience)
+			if errors.Is(err, util.ErrNotExist) {
+				return nil, errors.New("matching authorized_integration not found")
+			} else if err != nil {
+				return nil, fmt.Errorf("failure reading authorized_integration: %w (%w)", err, errParseInternalServer)
+			}
+
+			// Do the claim check before accessing the issuer's OIDC metadata and JWKS, to reduce risk of resource
+			// utilization attack through invalid JWTs causing remote requests.
+			err = a.checkClaims(t.Claims.(*flexibleClaims), authorizedIntegration.ClaimRules)
+			if err != nil {
+				return nil, fmt.Errorf("claim mismatch: %w", err)
+			}
+
+			issuerURL, err := url.Parse(issuer)
+			if err != nil {
+				return nil, fmt.Errorf("failed parsing issuer: %w", err)
+			}
+
+			issuerOIDCURL := issuerURL.JoinPath(".well-known/openid-configuration")
+			var oidcConfig openIDConfiguration
+			// TODO: cache external OIDC configuration, with a fixed timeout (not LRU/MRU)
+			if err := a.fetchJSON(issuerOIDCURL.String(), &oidcConfig); err != nil {
+				return nil, fmt.Errorf("error when fetching .well-known/openid-configuration from %s: %w", issuerOIDCURL, err)
+			}
+
+			if oidcConfig.Issuer != issuer {
+				return nil, fmt.Errorf("issuer mismatch; expected %q, received %q from %s", issuer, oidcConfig.Issuer, issuerOIDCURL)
+			}
+			if !slices.Contains(oidcConfig.IDTokenSigningAlgValuesSupported, t.Method.Alg()) {
+				return nil, fmt.Errorf("issuer supports signature algorithms %#v, but received token with algorithm %s", oidcConfig.IDTokenSigningAlgValuesSupported, t.Method.Alg())
+			}
+
+			jwksURI, err := url.Parse(oidcConfig.JwksURI)
+			if err != nil {
+				return nil, fmt.Errorf("failed parsing jwks_uri: %w", err)
+			} else if jwksURI.Host != issuerURL.Host {
+				// Prevent SSRF which could occur if a malicious openid-connection response returned a jwks_uri field
+				// that causes Forgejo to access other hostnames.  This could be considered a valid case as well and we
+				// can rely on the config-based allowed and blocked domains for the [authorized_integration] section,
+				// but until a real-world case comes up where that is needed, this is a safety-first restriction.
+				return nil, fmt.Errorf("jwks_uri host mismatch: must be the same as issuer host %q, but was %q", issuerURL.Host, jwksURI.Host)
+			}
+			var keys openIDKeys
+			// TODO: cache JWKS, with a fixed timeout (not LRU/MRU)
+			if err := a.fetchJSON(oidcConfig.JwksURI, &keys); err != nil {
+				return nil, fmt.Errorf("error when fetching JWKS from %s: %w", oidcConfig.JwksURI, err)
+			}
+
+			for _, key := range keys.Keys {
+				if key["kid"] == keyID {
+					alg, algPresent := key["alg"] // "alg" is an optional field
+					if algPresent && alg != t.Method.Alg() {
+						return nil, fmt.Errorf("kid %q doesn't match expected algorithm %s, was %v", keyID, t.Method.Alg(), key["alg"])
+					}
+
+					use, usePresent := key["use"] // "use" is also an optional field
+					if usePresent && use != "sig" {
+						return nil, fmt.Errorf("kid %q isn't designated for signing usage, was %s", keyID, key["use"])
+					}
+
+					pub, err := jwtx.ParseJWKToPublicKey(key)
+					if err != nil {
+						return nil, fmt.Errorf("failed to parse JWKS: %w", err)
+					}
+					return pub, nil
+				}
+			}
+
+			return nil, errors.New("no key identified")
+		},
+		jwt.WithValidMethods(jwtx.ValidAsymmetricAlgorithms), // only asymetric algorithms, as JWKS must have a public key only
+		jwt.WithIssuedAt(),
+		jwt.WithTimeFunc(func() time.Time {
+			if a.fixedTime != nil {
+				return *a.fixedTime
+			}
+			return time.Now()
+		}),
+	)
+	if err != nil && errors.Is(err, errParseInternalServer) {
+		// Errors from parsing marked errParseInternalServer are AuthenticationError, not incorrect creds:
+		return &auth.AuthenticationError{Error: err}
+	} else if err != nil {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: fmt.Errorf("authorized integration: parse JWT error: %w", err)}
+	} else if !parsedToken.Valid {
+		return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("authorized integration: JWT not valid")}
+	} else if authorizedIntegration == nil { // shouldn't be possible, but overly safe
+		return &auth.AuthenticationError{Error: errors.New("authorized integration: nil authorized integration")}
+	}
+
+	u, err := user_model.GetUserByID(req.Context(), authorizedIntegration.UserID)
+	if err != nil {
+		return &auth.AuthenticationError{Error: fmt.Errorf("authorized integration: GetUserByID: %w", err)}
+	}
+
+	if err = authorizedIntegration.UpdateLastUsed(req.Context()); err != nil {
+		log.Error("UpdateLastUsed:  %v", err)
+	}
+
+	return &auth.AuthenticationSuccess{
+		Result: &authorizedIntegrationAuthenticationResult{
+			user:  u,
+			scope: authorizedIntegration.Scope,
+			// TODO: add repo-specific access with an authz reducer
+		},
+	}
+}
+
+func initAuthorizedIntegrationHTTPClient() {
+	blockList := hostmatcher.ParseSimpleMatchList("authorized_integration.BLOCKED_DOMAINS", setting.AuthorizedIntegration.BlockedDomains)
+
+	allowList := hostmatcher.ParseSimpleMatchList("authorized_integration.ALLOWED_DOMAINS", setting.AuthorizedIntegration.AllowedDomains)
+	if allowList.IsEmpty() {
+		// the default policy is that authorized integrations can access external hosts
+		allowList.AppendBuiltin(hostmatcher.MatchBuiltinExternal)
+	}
+	if setting.AuthorizedIntegration.AllowLocalNetworks {
+		allowList.AppendBuiltin(hostmatcher.MatchBuiltinPrivate)
+		allowList.AppendBuiltin(hostmatcher.MatchBuiltinLoopback)
+	}
+
+	aiHTTPClient = &http.Client{
+		Timeout: setting.AuthorizedIntegration.RequestTimeout,
+		Transport: &http.Transport{
+			Proxy:       proxy.Proxy(),
+			DialContext: hostmatcher.NewDialContext("authorized_integration", allowList, blockList, setting.Proxy.ProxyURLFixed),
+		},
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			// It might be possible to come up with some reasonable capability to support redirects -- such as
+			// keeping them within the same issuer host? -- but there are risks that this can be used for SSRF
+			// attacks.  In the face of those risks, and with a lack of real-world use-cases, disable redirects.
+			return errors.New("authorized integration: HTTP redirects are disabled")
+		},
+	}
+}
+
+func (a *AuthorizedIntegration) fetchJSON(urlString string, v any) error {
+	parsedURL, err := url.Parse(urlString)
+	if err != nil {
+		return fmt.Errorf("failed parsing URL %q: %w", urlString, err)
+	}
+	// Fetching openid-connect or JWKS needs to come from a source that is authentic, and therefore only `https` is
+	// supported.  This also protects against a trusted issuer being configured maliciously  as `file://` or a JKWS URI
+	// being `file://` -- the HTTP client won't permit that, but, extra safety doesn't hurt.
+	if parsedURL.Scheme != "https" {
+		return fmt.Errorf("unsupported URL scheme: %q", parsedURL.String())
+	}
+
+	initHTTPClient.Do(initAuthorizedIntegrationHTTPClient)
+
+	resp, err := aiHTTPClient.Get(parsedURL.String())
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("non-OK response code: %s", resp.Status)
+	}
+
+	body := io.LimitReader(resp.Body, authorizedIntegrationRequestBodyLimit)
+	decoder := json.NewDecoder(body)
+	err = decoder.Decode(&v)
+	if err != nil {
+		// If a decoding error is hit, decorate with information about the limited body size so that it doesn't look
+		// like the remote server provided an incomplete response. err should be something like `io.UnexpectedEOF` in
+		// this case, but it actually isn't, so don't bother trying to detect precisely.
+		return fmt.Errorf("failed to decode (response body restricted to %d bytes): %w", authorizedIntegrationRequestBodyLimit, err)
+	}
+	return nil
+}
+
+// Compare a map[string]any of incoming claims against an array of claim rules.  All rules must match successfully or
+// else an error with the mismatch detail is returned.
+func (a *AuthorizedIntegration) checkClaims(incomingClaims any, stored *auth_model.ClaimRules) error {
+	if stored == nil {
+		return nil
+	}
+
+	for _, rule := range stored.Rules {
+		var lhs any
+
+		if lhsClaim, isFlex := incomingClaims.(*flexibleClaims); isFlex {
+			switch rule.Claim {
+			case "iss":
+				lhs = lhsClaim.Issuer
+			case "sub":
+				lhs = lhsClaim.Subject
+			case "jti":
+				lhs = lhsClaim.ID
+			case "aud":
+				audienceArray, err := lhsClaim.GetAudience()
+				if err != nil {
+					return fmt.Errorf("failed getting `aud` claim: %w", err)
+				} else if len(audienceArray) != 1 {
+					return fmt.Errorf("required one and only one `aud` claim, but received %d", len(audienceArray))
+				}
+				lhs = audienceArray[0]
+			default:
+				v, present := lhsClaim.other[rule.Claim]
+				if !present {
+					return fmt.Errorf("claim rule on %q couldn't be satisfied: claim not found", rule.Claim)
+				}
+				lhs = v
+			}
+		} else if lhsMap, isMap := incomingClaims.(map[string]any); isMap {
+			v, present := lhsMap[rule.Claim]
+			if !present {
+				return fmt.Errorf("claim rule on %q couldn't be satisfied: claim not found", rule.Claim)
+			}
+			lhs = v
+		} else {
+			return fmt.Errorf("unexpected incoming claims type: %T", incomingClaims)
+		}
+
+		switch rule.Comparison {
+		case auth_model.ClaimEqual:
+			lhsStr, ok := lhs.(string)
+			if !ok {
+				return fmt.Errorf("claim %q must be a string, but was %T", rule.Claim, lhs)
+			} else if lhsStr != rule.Value {
+				return fmt.Errorf("claim %q must be %q, but was %q", rule.Claim, rule.Value, lhsStr)
+			}
+		case auth_model.ClaimGlob:
+			lhsStr, ok := lhs.(string)
+			if !ok {
+				return fmt.Errorf("claim %q must be a string, but was %T", rule.Claim, lhs)
+			}
+			r, err := glob.Compile(rule.Value)
+			if err != nil {
+				return fmt.Errorf("unable to parse glob for claim rule on %q; glob = %q, err = %w", rule.Claim, rule.Value, err)
+			}
+			if !r.Match(lhsStr) {
+				return fmt.Errorf("claim %q must match glob %q, but value %q did not match", rule.Claim, rule.Value, lhsStr)
+			}
+		case auth_model.ClaimNested:
+			lhsMap, ok := lhs.(map[string]any)
+			if !ok {
+				return fmt.Errorf("claim %q must be a map, but was %T", rule.Claim, lhs)
+			} else if err := a.checkClaims(lhsMap, rule.Nested); err != nil {
+				return fmt.Errorf("in nested claim %q: %w", rule.Claim, err)
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/services/auth/method/authorized_integration_claims.go b/services/auth/method/authorized_integration_claims.go
new file mode 100644
index 0000000000..1518683ca8
--- /dev/null
+++ b/services/auth/method/authorized_integration_claims.go
@@ -0,0 +1,109 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	"fmt"
+	"maps"
+
+	"forgejo.org/modules/json"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// Structure for inspecting the standard claims of a JWT (jwt.RegisteredClaims), which also stores any provided
+// service-defined claims in an unstructured map[string]any.
+type flexibleClaims struct {
+	jwt.RegisteredClaims
+	other map[string]any
+}
+
+// Populate a [flexibleClaims] from JSON data, implementing [json.Unmarshaler].
+func (a *flexibleClaims) UnmarshalJSON(b []byte) error {
+	var s map[string]any
+	if err := json.Unmarshal(b, &s); err != nil {
+		return err
+	}
+
+	var rc jwt.RegisteredClaims
+	other := map[string]any{}
+	for k, v := range s {
+		switch k {
+		case "iss":
+			str, ok := v.(string)
+			if !ok {
+				return fmt.Errorf("expected `iss` to be string, but was %v", v)
+			}
+			rc.Issuer = str
+		case "sub":
+			str, ok := v.(string)
+			if !ok {
+				return fmt.Errorf("expected `sub` to be string, but was %v", v)
+			}
+			rc.Subject = str
+		case "aud":
+			b, err := json.Marshal(v)
+			if err != nil {
+				return fmt.Errorf("uanble to return `aud` to []byte: %w", err)
+			}
+			if err := json.Unmarshal(b, &rc.Audience); err != nil {
+				return fmt.Errorf("uanble to decode `aud: %w", err)
+			}
+		case "exp":
+			b, err := json.Marshal(v)
+			if err != nil {
+				return fmt.Errorf("uanble to return `exp` to []byte: %w", err)
+			}
+			if err := json.Unmarshal(b, &rc.ExpiresAt); err != nil {
+				return fmt.Errorf("uanble to decode `exp: %w", err)
+			}
+		case "nbf":
+			b, err := json.Marshal(v)
+			if err != nil {
+				return fmt.Errorf("uanble to return `nbf` to []byte: %w", err)
+			}
+			if err := json.Unmarshal(b, &rc.NotBefore); err != nil {
+				return fmt.Errorf("uanble to decode `nbf: %w", err)
+			}
+		case "iat":
+			b, err := json.Marshal(v)
+			if err != nil {
+				return fmt.Errorf("uanble to return `iat` to []byte: %w", err)
+			}
+			if err := json.Unmarshal(b, &rc.IssuedAt); err != nil {
+				return fmt.Errorf("uanble to decode `iat: %w", err)
+			}
+		case "jti":
+			str, ok := v.(string)
+			if !ok {
+				return fmt.Errorf("expected `jti` to be string, but was %v", v)
+			}
+			rc.ID = str
+		default:
+			other[k] = v
+		}
+	}
+
+	a.RegisteredClaims = rc
+	a.other = other
+
+	return nil
+}
+
+// Marshal flexibleClaims to JSON, merging both the registered claims and the additional claims into a map.
+func (a flexibleClaims) MarshalJSON() ([]byte, error) {
+	rcJSON, err := json.Marshal(a.RegisteredClaims)
+	if err != nil {
+		return nil, err
+	}
+
+	var fullMap map[string]any
+	err = json.Unmarshal(rcJSON, &fullMap)
+	if err != nil {
+		return nil, err
+	}
+	maps.Copy(fullMap, a.other)
+
+	return json.Marshal(fullMap)
+}
diff --git a/services/auth/method/authorized_integration_claims_test.go b/services/auth/method/authorized_integration_claims_test.go
new file mode 100644
index 0000000000..399bb6138e
--- /dev/null
+++ b/services/auth/method/authorized_integration_claims_test.go
@@ -0,0 +1,149 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	"testing"
+	"time"
+
+	"forgejo.org/modules/json"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// Real-world Forgejo Actions claims, Forgejo v15
+const forgejoClaims = `
+{
+  "actor": "coolguy",
+  "aud": "https://example.org/-/coolguy/authorized-integration/346e1496",
+  "base_ref": "main",
+  "event_name": "pull_request",
+  "exp": 1776979110,
+  "head_ref": "forgejo-oidc-test",
+  "iat": 1776975510,
+  "iss": "https://example.org/api/actions",
+  "nbf": 1776975510,
+  "ref": "refs/pull/113/head",
+  "ref_protected": "false",
+  "ref_type": "",
+  "repository": "coolguy/test",
+  "repository_owner": "coolguy",
+  "run_attempt": "4",
+  "run_id": "3572",
+  "run_number": "2054",
+  "sha": "d4083cc0f4e7452dc00f7a5f73ec5486a549adb9",
+  "sub": "repo:coolguy/test:pull_request",
+  "workflow": "main.yml",
+  "workflow_ref": "coolguy/test/.forgejo/workflows/main.yml@refs/pull/113/head"
+}
+`
+
+// Real-world GitHub Actions claims
+const githubClaims = `
+{
+  "actor": "coolguy",
+  "actor_id": "91093",
+  "aud": "https://example.org/-/coolguy/authorized-integration/6cc55ba0",
+  "base_ref": "main",
+  "check_run_id": "72783197645",
+  "event_name": "pull_request",
+  "exp": 1776980496,
+  "head_ref": "github-oidc-test",
+  "iat": 1776980196,
+  "iss": "https://token.actions.githubusercontent.com",
+  "job_workflow_ref": "coolguy/forgejo-runner-testrepo/.github/workflows/main.yml@refs/pull/3/merge",
+  "job_workflow_sha": "62a34e2bf42fda53a0209bfd485dcab3013b1160",
+  "jti": "83545042-379e-4328-8e60-3b6d46594a5f",
+  "nbf": 1776979896,
+  "ref": "refs/pull/3/merge",
+  "ref_protected": "false",
+  "ref_type": "branch",
+  "repository": "coolguy/forgejo-runner-testrepo",
+  "repository_id": "1113890566",
+  "repository_owner": "coolguy",
+  "repository_owner_id": "91093",
+  "repository_visibility": "private",
+  "run_attempt": "8",
+  "run_id": "24846522812",
+  "run_number": "10",
+  "runner_environment": "github-hosted",
+  "sha": "62a34e2bf42fda53a0209bfd485dcab3013b1160",
+  "sub": "repo:coolguy/forgejo-runner-testrepo:pull_request",
+  "workflow": ".github/workflows/main.yml",
+  "workflow_ref": "coolguy/forgejo-runner-testrepo/.github/workflows/main.yml@refs/pull/3/merge",
+  "workflow_sha": "62a34e2bf42fda53a0209bfd485dcab3013b1160"
+}
+`
+
+// Real-world AWS Federated Web Identity claims
+const awsClaims = `
+{
+  "aud": "https://example.org/-/coolguy/authorized-integration/7895835c",
+  "sub": "arn:aws:iam::1234567890:role/service-role/forgejo-oidc-accepting-test-role-x7t3fgko",
+  "https://sts.amazonaws.com/": {
+    "aws_account": "1234567890",
+    "original_session_exp": "2026-04-24T09:34:34Z",
+    "source_region": "us-west-2",
+    "principal_id": "arn:aws:iam::1234567890:role/service-role/forgejo-oidc-accepting-test-role-x7t3fgko",
+    "lambda_source_function_arn": "arn:aws:lambda:us-west-2:1234567890:function:forgejo-oidc-accepting-test"
+  },
+  "iss": "https://a103a2cc-b461-473d-84fe-6c4f6d45af88.tokens.sts.global.api.aws",
+  "exp": 1776980375,
+  "iat": 1776980075,
+  "jti": "0afcbeb7-512d-479f-b596-703c03ae65a5"
+}
+`
+
+func TestFlexibleClaimsUnmarshal(t *testing.T) {
+	t.Run("Forgejo", func(t *testing.T) {
+		var retval flexibleClaims
+		data := []byte(forgejoClaims)
+		require.NoError(t, json.Unmarshal(data, &retval))
+		// assert the claims that are handled specially in flexibleClaims UnmarshalJSON
+		assert.Equal(t, "https://example.org/api/actions", retval.Issuer)
+		assert.Equal(t, "repo:coolguy/test:pull_request", retval.Subject)
+		assert.Equal(t, jwt.ClaimStrings{"https://example.org/-/coolguy/authorized-integration/346e1496"}, retval.Audience)
+		assert.Equal(t, &jwt.NumericDate{Time: time.Date(2026, time.April, 23, 21, 18, 30, 0, time.Local)}, retval.ExpiresAt)
+		assert.Equal(t, &jwt.NumericDate{Time: time.Date(2026, time.April, 23, 20, 18, 30, 0, time.Local)}, retval.NotBefore)
+		assert.Equal(t, &jwt.NumericDate{Time: time.Date(2026, time.April, 23, 20, 18, 30, 0, time.Local)}, retval.IssuedAt)
+		assert.Empty(t, retval.ID)
+		// short check that the 'other' claims were stored as well
+		assert.Equal(t, "d4083cc0f4e7452dc00f7a5f73ec5486a549adb9", retval.other["sha"])
+		assert.Len(t, retval.other, 15)
+	})
+	t.Run("GitHub", func(t *testing.T) {
+		var retval flexibleClaims
+		data := []byte(githubClaims)
+		require.NoError(t, json.Unmarshal(data, &retval))
+		// assert the claims that are handled specially in flexibleClaims UnmarshalJSON
+		assert.Equal(t, "https://token.actions.githubusercontent.com", retval.Issuer)
+		assert.Equal(t, "repo:coolguy/forgejo-runner-testrepo:pull_request", retval.Subject)
+		assert.Equal(t, jwt.ClaimStrings{"https://example.org/-/coolguy/authorized-integration/6cc55ba0"}, retval.Audience)
+		assert.Equal(t, &jwt.NumericDate{Time: time.Date(2026, time.April, 23, 21, 41, 36, 0, time.Local)}, retval.ExpiresAt)
+		assert.Equal(t, &jwt.NumericDate{Time: time.Date(2026, time.April, 23, 21, 31, 36, 0, time.Local)}, retval.NotBefore)
+		assert.Equal(t, &jwt.NumericDate{Time: time.Date(2026, time.April, 23, 21, 36, 36, 0, time.Local)}, retval.IssuedAt)
+		assert.Equal(t, "83545042-379e-4328-8e60-3b6d46594a5f", retval.ID)
+		// short check that the 'other' claims were stored as well
+		assert.Equal(t, "62a34e2bf42fda53a0209bfd485dcab3013b1160", retval.other["sha"])
+		assert.Len(t, retval.other, 24)
+	})
+	t.Run("AWS", func(t *testing.T) {
+		var retval flexibleClaims
+		data := []byte(awsClaims)
+		require.NoError(t, json.Unmarshal(data, &retval))
+		// assert the claims that are handled specially in flexibleClaims UnmarshalJSON
+		assert.Equal(t, "https://a103a2cc-b461-473d-84fe-6c4f6d45af88.tokens.sts.global.api.aws", retval.Issuer)
+		assert.Equal(t, "arn:aws:iam::1234567890:role/service-role/forgejo-oidc-accepting-test-role-x7t3fgko", retval.Subject)
+		assert.Equal(t, jwt.ClaimStrings{"https://example.org/-/coolguy/authorized-integration/7895835c"}, retval.Audience)
+		assert.Equal(t, &jwt.NumericDate{Time: time.Date(2026, time.April, 23, 21, 39, 35, 0, time.Local)}, retval.ExpiresAt)
+		assert.Nil(t, retval.NotBefore)
+		assert.Equal(t, &jwt.NumericDate{Time: time.Date(2026, time.April, 23, 21, 34, 35, 0, time.Local)}, retval.IssuedAt)
+		assert.Equal(t, "0afcbeb7-512d-479f-b596-703c03ae65a5", retval.ID)
+		// short check that the 'other' claims were stored as well
+		assert.Equal(t, "1234567890", retval.other["https://sts.amazonaws.com/"].(map[string]any)["aws_account"])
+		assert.Len(t, retval.other, 1)
+	})
+}
diff --git a/services/auth/method/authorized_integration_oidc.go b/services/auth/method/authorized_integration_oidc.go
new file mode 100644
index 0000000000..2e35b63ace
--- /dev/null
+++ b/services/auth/method/authorized_integration_oidc.go
@@ -0,0 +1,20 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+// Response structure for a JWT issuer's `${iss}/.well-known/openid-configuration` URL endpoint; this is pared down to
+// the relevant entries for authorized integrations to inspect from the remote issuer.
+type openIDConfiguration struct {
+	Issuer                           string   `json:"issuer"`
+	JwksURI                          string   `json:"jwks_uri"`
+	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
+}
+
+// Response structure for a JSON Web Key Set, which is typically read from the JwksURI field of [openIDConfiguration].
+type openIDKeys struct {
+	// Typically map[string]string, for fields like "kty", "alg", "use", "kid", "n", "e", but also string:any for fields
+	// like x5c which are []string. We currently don't parse any fields that aren't string, but we need to Unmarshal
+	// into this field successfully in those cases.
+	Keys []map[string]any `json:"keys"`
+}
diff --git a/services/auth/method/authorized_integration_oidc_test.go b/services/auth/method/authorized_integration_oidc_test.go
new file mode 100644
index 0000000000..b394ab0c01
--- /dev/null
+++ b/services/auth/method/authorized_integration_oidc_test.go
@@ -0,0 +1,273 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	"testing"
+
+	"forgejo.org/modules/json"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// Real-world Forgejo Actions .well-known/openid-configuration from Forgejo v15
+const forgejoOIDC = `
+{
+    "issuer": "https://example.org/api/actions",
+    "jwks_uri": "https://example.org/api/actions/.well-known/keys",
+    "subject_types_supported": [
+        "public"
+    ],
+    "response_types_supported": [
+        "id_token"
+    ],
+    "claims_supported": [
+        "sub",
+        "aud",
+        "exp",
+        "iat",
+        "iss",
+        "nbf",
+        "actor",
+        "base_ref",
+        "event_name",
+        "head_ref",
+        "ref",
+        "ref_protected",
+        "ref_type",
+        "repository",
+        "repository_owner",
+        "run_attempt",
+        "run_id",
+        "run_number",
+        "sha",
+        "workflow",
+        "workflow_ref"
+    ],
+    "id_token_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "scopes_supported": [
+        "openid"
+    ]
+}
+`
+
+// Real-world Forgejo Actions JWKS from Forgejo v15
+const forgejoJWKS = `
+{
+    "keys": [
+        {
+            "alg": "RS256",
+            "e": "AQAB",
+            "kid": "SNNttXGzw6l53JC158lXddjSjQ5bJ9bdTTqTi12gaLY",
+            "kty": "RSA",
+            "n": "7RL963BVzemasfImhlR3KUX97YdA7g3SBnq_ZLzcdxLXPGDhsnSoxMX7gY30b1qpQlML8yiAyz_gxUydiVlqpEEPypR9lfKtZXv4JTM-X2rccegcreUyfFJnFuzVUoY7SVEzAulLUwqP8MH8kxDI7JZRQ8_JIjm9IxEuWCSc3XnVxNCTS2XEdHsug_Kt6SQdcH8xL9U2w0EHAUna9KkLAl6_PzBg1JxIQDHQtfp_CN7YNyoyilH88XAGEeQm0fLz6GH7hhyw6y1b9NprYIxNrdD4Pb1b66j4K--bCJy530UmEAlfLbCiDCh4k78TPUnU_YwwT4ujC0t28zoHNB3Y0w",
+            "use": "sig"
+        }
+    ]
+}
+`
+
+// Real-world GitHub Actions /.well-known/openid-configuration
+const githubOIDC = `
+{
+    "issuer": "https://token.actions.githubusercontent.com",
+    "jwks_uri": "https://token.actions.githubusercontent.com/.well-known/jwks",
+    "subject_types_supported": [
+        "public",
+        "pairwise"
+    ],
+    "response_types_supported": [
+        "id_token"
+    ],
+    "claims_supported": [
+        "sub",
+        "aud",
+        "exp",
+        "iat",
+        "iss",
+        "jti",
+        "nbf",
+        "ref",
+        "sha",
+        "repository",
+        "repository_id",
+        "repository_owner",
+        "repository_owner_id",
+        "enterprise",
+        "enterprise_id",
+        "run_id",
+        "run_number",
+        "run_attempt",
+        "actor",
+        "actor_id",
+        "workflow",
+        "workflow_ref",
+        "workflow_sha",
+        "head_ref",
+        "base_ref",
+        "event_name",
+        "ref_type",
+        "ref_protected",
+        "environment",
+        "environment_node_id",
+        "job_workflow_ref",
+        "job_workflow_sha",
+        "repository_visibility",
+        "runner_environment",
+        "issuer_scope",
+        "check_run_id"
+    ],
+    "id_token_signing_alg_values_supported": [
+        "RS256"
+    ],
+    "scopes_supported": [
+        "openid"
+    ]
+}
+`
+
+// Real-world GitHub Actions JWKS
+const githubJWKS = `
+{
+    "keys": [
+        {
+            "kty": "RSA",
+            "alg": "RS256",
+            "use": "sig",
+            "kid": "cc413527-173f-5a05-976e-9c52b1d7b431",
+            "n": "w4M936N3ZxNaEblcUoBm-xu0-V9JxNx5S7TmF0M3SBK-2bmDyAeDdeIOTcIVZHG-ZX9N9W0u1yWafgWewHrsz66BkxXq3bscvQUTAw7W3s6TEeYY7o9shPkFfOiU3x_KYgOo06SpiFdymwJflRs9cnbaU88i5fZJmUepUHVllP2tpPWTi-7UA3AdP3cdcCs5bnFfTRKzH2W0xqKsY_jIG95aQJRBDpbiesefjuyxcQnOv88j9tCKWzHpJzRKYjAUM6OPgN4HYnaSWrPJj1v41eEkFM1kORuj-GSH2qMVD02VklcqaerhQHIqM-RjeHsN7G05YtwYzomE5G-fZuwgvQ",
+            "e": "AQAB"
+        },
+        {
+            "kty": "RSA",
+            "alg": "RS256",
+            "use": "sig",
+            "kid": "38826b17-6a30-5f9b-b169-8beb8202f723",
+            "n": "5Manmy-zwsk3wEftXNdKFZec4rSWENW4jTGevlvAcU9z3bgLBogQVvqYLtu9baVm2B3rfe5onadobq8po5UakJ0YsTiiEfXWdST7YI2Sdkvv-hOYMcZKYZ4dFvuSO1vQ2DgEkw_OZNiYI1S518MWEcNxnPU5u67zkawAGsLlmXNbOylgVfBRJrG8gj6scr-sBs4LaCa3kg5IuaCHe1pB-nSYHovGV_z0egE83C098FfwO1dNZBWeo4Obhb5Z-ZYFLJcZfngMY0zJnCVNmpHQWOgxfGikh3cwi4MYrFrbB4NTlxbrQ3bL-rGKR5X318veyDlo8Dyz2KWMobT4wB9U1Q",
+            "e": "AQAB",
+            "x5c": [
+                "MIIDKzCCAhOgAwIBAgIUDnwm6eRIqGFA3o/P1oBrChvx/nowDQYJKoZIhvcNAQELBQAwJTEjMCEGA1UEAwwaYWN0aW9ucy5zZWxmLXNpZ25lZC5naXRodWIwHhcNMjQwMTIzMTUyNTM2WhcNMzQwMTIwMTUyNTM2WjAlMSMwIQYDVQQDDBphY3Rpb25zLnNlbGYtc2lnbmVkLmdpdGh1YjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOTGp5svs8LJN8BH7VzXShWXnOK0lhDVuI0xnr5bwHFPc924CwaIEFb6mC7bvW2lZtgd633uaJ2naG6vKaOVGpCdGLE4ohH11nUk+2CNknZL7/oTmDHGSmGeHRb7kjtb0Ng4BJMPzmTYmCNUudfDFhHDcZz1Obuu85GsABrC5ZlzWzspYFXwUSaxvII+rHK/rAbOC2gmt5IOSLmgh3taQfp0mB6Lxlf89HoBPNwtPfBX8DtXTWQVnqODm4W+WfmWBSyXGX54DGNMyZwlTZqR0FjoMXxopId3MIuDGKxa2weDU5cW60N2y/qxikeV99fL3sg5aPA8s9iljKG0+MAfVNUCAwEAAaNTMFEwHQYDVR0OBBYEFIPALo5VanJ6E1B9eLQgGO+uGV65MB8GA1UdIwQYMBaAFIPALo5VanJ6E1B9eLQgGO+uGV65MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGS0hZE+DqKIRi49Z2KDOMOaSZnAYgqq6ws9HJHT09MXWlMHB8E/apvy2ZuFrcSu14ZLweJid+PrrooXEXEO6azEakzCjeUb9G1QwlzP4CkTcMGCw1Snh3jWZIuKaw21f7mp2rQ+YNltgHVDKY2s8AD273E8musEsWxJl80/MNvMie8Hfh4n4/Xl2r6t1YPmUJMoXAXdTBb0hkPy1fUu3r2T+1oi7Rw6kuVDfAZjaHupNHzJeDOg2KxUoK/GF2/M2qpVrd19Pv/JXNkQXRE4DFbErMmA7tXpp1tkXJRPhFui/Pv5H9cPgObEf9x6W4KnCXzT3ReeeRDKF8SqGTPELsc="
+            ],
+            "x5t": "ykNaY4qM_ta4k2TgZOCEYLkcYlA"
+        },
+        {
+            "kty": "RSA",
+            "alg": "RS256",
+            "use": "sig",
+            "kid": "38E9B30B3A023A1B72309921A69A42FCC496C42C",
+            "n": "tEq2Fp9HcdT5MwMsB_UTm8j_woJJLi3sA-y0RX2tioTm581seyfvOH6lJ5JmHVtS-_fb8B2tRT1pznHQSNq14PsJdu9bp5egbWmIz-5RvhqoM-oKem_MJENCNFuqXijRLT47FRdfH3inqde1vJlA_JJHCqYMKIpHH7kqNFYcCpwr0vk80Hc2rTyL0uBXI7NqBZbtUgNoyucWO5O7QQrPNOmlr-GI8aFckFRfobCaCOiH9qW02FtkV74fwBGVCNhNf3a1CK81-O8xEGimvVydI_pQA5B8QqVuQjY_ntOu555HdirA0hKkY6fsE9eZCMFmWDHZ2kSWLjhabxWxIzSzXQ",
+            "e": "AQAB",
+            "x5c": [
+                "MIIDrDCCApSgAwIBAgIQbuIOJTcGQ4GOQs29F1/uLzANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDEyt2c3RzLXZzdHNnaHJ0LWdoLXZzby1vYXV0aC52aXN1YWxzdHVkaW8uY29tMB4XDTI1MDkxMTE5MzcxOFoXDTI3MDkxMTE5NDcxOFowNjE0MDIGA1UEAxMrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALRKthafR3HU+TMDLAf1E5vI/8KCSS4t7APstEV9rYqE5ufNbHsn7zh+pSeSZh1bUvv32/AdrUU9ac5x0EjateD7CXbvW6eXoG1piM/uUb4aqDPqCnpvzCRDQjRbql4o0S0+OxUXXx94p6nXtbyZQPySRwqmDCiKRx+5KjRWHAqcK9L5PNB3Nq08i9LgVyOzagWW7VIDaMrnFjuTu0EKzzTppa/hiPGhXJBUX6Gwmgjoh/altNhbZFe+H8ARlQjYTX92tQivNfjvMRBopr1cnSP6UAOQfEKlbkI2P57TrueeR3YqwNISpGOn7BPXmQjBZlgx2dpEli44Wm8VsSM0s10CAwEAAaOBtTCBsjAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwNgYDVR0RBC8wLYIrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTAfBgNVHSMEGDAWgBQLxdObdnfWzaBcxau87tdSUtEuQjAdBgNVHQ4EFgQUC8XTm3Z31s2gXMWrvO7XUlLRLkIwDQYJKoZIhvcNAQELBQADggEBAD2Eo703wXQgB2vJn/RwTTcHGkeMkYXm0mWCxOSh4iCKVvqypBJrmLzRkMMJN0/10qIGciYWUl6EkL7yj48tpXXH01Ep0ONDdo9UYmKGp81Z4j3u3FBJTVQSdj2tnPOPZlYWaBkerIkcIeyWBRKvne1UBaobbk84epfBmUfAMFmyJEk+x+q7cqmsbjDtdrmhiWaInqCijpS2dW2MitJ5F7tBBS26SMTqLQteA2IOwIW1BMlYIPuSO3dKn/rYVS8RjL+x+MxP98vla5sichoEZwVWnXiXgFZ4n/asGqc+Da9q6ILLtInvgI5bi7kjJJ2ARTRC5/a+J/v3EL+t8SdnOO8="
+            ],
+            "x5t": "OOmzCzoCOhtyMJkhpppC_MSWxCw"
+        },
+        {
+            "kty": "RSA",
+            "alg": "RS256",
+            "use": "sig",
+            "kid": "4F3E9AD8C9A6F5EB3173006F4FA630E28F43DCE9",
+            "n": "tGevqhkBGn8NB0dKxs8Ddxhn-xZPm55svcSlkJZEOwDOXDLl_0-iVOVKNJfcHHLHvMqa6zh2DDcpAWZi2FpeBAJupsrymqwzllxOODWKWoVIoaIjOO7h1JLiF9Knwuq-o6BPtKdwOT-bOrXRzChMtQsc5C1Auex-D0Z6loObBuK1Lkm0RK9ISQsLqBEwq8g0OOupI_shU1r2rT2G0nkZ0CvxVlQeUGShFi8Mdys2s5LPqBwjC4LKwjk8moWQV32KEccbTPKxnG_539DxRglHJgHPHisSVGsfZIUXi2chtXdQHZPdVve8ZRmknCykZtkJ6K87llSUXi7oyzhCIZdiUQ",
+            "e": "AQAB",
+            "x5c": [
+                "MIIDrDCCApSgAwIBAgIQPQS35v3ITW6fNLO8GX5QBjANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDEyt2c3RzLXZzdHNnaHJ0LWdoLXZzby1vYXV0aC52aXN1YWxzdHVkaW8uY29tMB4XDTI1MDgwNjE0MTEzMloXDTI3MDgwNjE0MjEzMlowNjE0MDIGA1UEAxMrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALRnr6oZARp/DQdHSsbPA3cYZ/sWT5uebL3EpZCWRDsAzlwy5f9PolTlSjSX3Bxyx7zKmus4dgw3KQFmYthaXgQCbqbK8pqsM5ZcTjg1ilqFSKGiIzju4dSS4hfSp8LqvqOgT7SncDk/mzq10cwoTLULHOQtQLnsfg9GepaDmwbitS5JtESvSEkLC6gRMKvINDjrqSP7IVNa9q09htJ5GdAr8VZUHlBkoRYvDHcrNrOSz6gcIwuCysI5PJqFkFd9ihHHG0zysZxv+d/Q8UYJRyYBzx4rElRrH2SFF4tnIbV3UB2T3Vb3vGUZpJwspGbZCeivO5ZUlF4u6Ms4QiGXYlECAwEAAaOBtTCBsjAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwNgYDVR0RBC8wLYIrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTAfBgNVHSMEGDAWgBRKoYOga736JYE15vT7b4gWjC1hwTAdBgNVHQ4EFgQUSqGDoGu9+iWBNeb0+2+IFowtYcEwDQYJKoZIhvcNAQELBQADggEBAJVZIPtoZUlvqgu+Pl0nj8WopA8iuy1m7JRg5fg+bOIGFhXFR8+mH8prpeodjUQ40q2Hq6IwnVir+G56zVwAPf2HHksqdp8be9qjkTjD0mJorPCt/lumrKoNGOVmYffYuIyr73hwsl8fN6sGjAyXLFBkozE4s5ssbeodFxiYE1A61SXnzldC00M7qWleMWjTUBixiZ+R/eroddkLNBGDv9ewDrTQv1ipNec89+Wi7Wb6SAXNxBADiC5kVlFylBgHo3oZNg3KFzZS01REyc4zdH7v1wfZzilLluI6ygTyYRYpJCsKrX5D9JW196f2PCzcs+VXMfneRDnvyfjep7Y1Pi8="
+            ],
+            "x5t": "Tz6a2Mmm9esxcwBvT6Yw4o9D3Ok"
+        }
+    ]
+}
+`
+
+// Real-world .well-known/openid-configuration extracted from a AWS Federated Web Identity endpoint.
+const awsOIDC = `
+{
+    "claims_supported": [
+        "sub",
+        "iss",
+        "aud",
+        "exp",
+        "iat",
+        "jti",
+        "https://sts.amazonaws.com/"
+    ],
+    "id_token_signing_alg_values_supported": [
+        "RS256",
+        "ES384"
+    ],
+    "issuer": "https://a103a2cc-b461-473d-84fe-6c4f6d45af88.tokens.sts.global.api.aws",
+    "jwks_uri": "https://a103a2cc-b461-473d-84fe-6c4f6d45af88.tokens.sts.global.api.aws/.well-known/jwks.json",
+    "subject_types_supported": [
+        "public"
+    ]
+}
+`
+
+// Real-world JWKS extracted from a AWS Federated Web Identity endpoint.
+const awsJWKS = `
+{
+    "keys": [
+        {
+            "e": "AQAB",
+            "kid": "RSA_0",
+            "kty": "RSA",
+            "n": "3AvB0UECoYssZEgSMTa4SYvfqstJxkhbBBSKAFRUW6f_McJ9CAXkTi6YkG0NGm77ZIRW12_gOLKZJUHWp9CMAbmk0O4sMIx8K6Ap7-6qjkt7FYvl4mkQVJd-pU-yE3SJn0S5xEbCYXulgrrGN8POysTblqN0BfrdDAYTVhWQ47rbm--3QrRcVN9XCjlMBVXYauaN6KlszKL6NTe7GWilauYBsVHw7d4ekliuEGGA6zJNGz595KD7yofRc1euFs86KgiFj0mpudCqG39jIlBJ4vZSJPw1Rsvhg8THqlxhmurVYr9TuckLJa5fpEL78xGs3Ar4GIM6w0sxLDbdY-KdCQ",
+            "use": "sig"
+        },
+        {
+            "alg": "ES384",
+            "crv": "P-384",
+            "kid": "EC384_0",
+            "kty": "EC",
+            "use": "sig",
+            "x": "ad_olFw0n3XBA114sefjlirPf2gX6bKqT-kD2lQzfQzkWW1TetKIUWah3md-UgV9",
+            "y": "w6GzW2Oen4G7Ei1bFaDkBpPSulvkSznb6YtG79NWK9UjgDqfN6am9lUs-bF8VN7v"
+        }
+    ]
+}
+`
+
+func TestParseOpenIDConfiguration(t *testing.T) {
+	t.Run("Forgejo", func(t *testing.T) {
+		var retval openIDConfiguration
+		data := []byte(forgejoOIDC)
+		require.NoError(t, json.Unmarshal(data, &retval))
+		assert.Equal(t, "https://example.org/api/actions/.well-known/keys", retval.JwksURI)
+	})
+	t.Run("GitHub", func(t *testing.T) {
+		var retval openIDConfiguration
+		data := []byte(githubOIDC)
+		require.NoError(t, json.Unmarshal(data, &retval))
+		assert.Equal(t, "https://token.actions.githubusercontent.com/.well-known/jwks", retval.JwksURI)
+	})
+	t.Run("AWS", func(t *testing.T) {
+		var retval openIDConfiguration
+		data := []byte(awsOIDC)
+		require.NoError(t, json.Unmarshal(data, &retval))
+		assert.Equal(t, "https://a103a2cc-b461-473d-84fe-6c4f6d45af88.tokens.sts.global.api.aws/.well-known/jwks.json", retval.JwksURI)
+	})
+}
+
+func TestParseJSONWebKeySet(t *testing.T) {
+	t.Run("Forgejo", func(t *testing.T) {
+		var retval openIDKeys
+		data := []byte(forgejoJWKS)
+		require.NoError(t, json.Unmarshal(data, &retval))
+		assert.Len(t, retval.Keys, 1)
+	})
+	t.Run("GitHub", func(t *testing.T) {
+		var retval openIDKeys
+		data := []byte(githubJWKS)
+		require.NoError(t, json.Unmarshal(data, &retval))
+		assert.Len(t, retval.Keys, 4)
+	})
+	t.Run("AWS", func(t *testing.T) {
+		var retval openIDKeys
+		data := []byte(awsJWKS)
+		require.NoError(t, json.Unmarshal(data, &retval))
+		assert.Len(t, retval.Keys, 2)
+	})
+}
diff --git a/services/auth/method/authorized_integration_test.go b/services/auth/method/authorized_integration_test.go
new file mode 100644
index 0000000000..46048573ad
--- /dev/null
+++ b/services/auth/method/authorized_integration_test.go
@@ -0,0 +1,723 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package method
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/db"
+	"forgejo.org/modules/json"
+	"forgejo.org/modules/jwtx"
+	"forgejo.org/modules/test"
+	"forgejo.org/services/auth"
+
+	"github.com/golang-jwt/jwt/v5"
+	gouuid "github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCheckClaims(t *testing.T) {
+	ai := &AuthorizedIntegration{}
+	rules := func(rule ...auth_model.ClaimRule) *auth_model.ClaimRules {
+		return &auth_model.ClaimRules{Rules: rule}
+	}
+	eq := func(claim, value string) auth_model.ClaimRule {
+		return auth_model.ClaimRule{
+			Claim:      claim,
+			Comparison: auth_model.ClaimEqual,
+			Value:      value,
+		}
+	}
+	glob := func(claim, value string) auth_model.ClaimRule {
+		return auth_model.ClaimRule{
+			Claim:      claim,
+			Comparison: auth_model.ClaimGlob,
+			Value:      value,
+		}
+	}
+	nest := func(claim string, inner ...auth_model.ClaimRule) auth_model.ClaimRule {
+		return auth_model.ClaimRule{
+			Claim:      claim,
+			Comparison: auth_model.ClaimNested,
+			Nested:     rules(inner...),
+		}
+	}
+
+	t.Run("nil claims", func(t *testing.T) {
+		require.NoError(t, ai.checkClaims(map[string]any{}, nil))
+	})
+
+	t.Run("flexibleClaims's fixed and other fields", func(t *testing.T) {
+		t.Run("iss", func(t *testing.T) {
+			c := &flexibleClaims{}
+			rules := rules(eq("iss", "https://example.org"))
+
+			c.Issuer = "https://example.org"
+			require.NoError(t, ai.checkClaims(c, rules))
+
+			c.Issuer = "https://other.example.org"
+			require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"iss\" must be \"https://example.org\", but was \"https://other.example.org\"")
+		})
+
+		t.Run("sub", func(t *testing.T) {
+			c := &flexibleClaims{}
+			rules := rules(eq("sub", "my-stuff"))
+
+			c.Subject = "my-stuff"
+			require.NoError(t, ai.checkClaims(c, rules))
+
+			c.Subject = "my-other-stuff"
+			require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"sub\" must be \"my-stuff\", but was \"my-other-stuff\"")
+		})
+
+		t.Run("jti", func(t *testing.T) {
+			c := &flexibleClaims{}
+			rules := rules(eq("jti", "7d9a2e85-6b8d-4b59-bca0-09d702476338"))
+
+			c.ID = "7d9a2e85-6b8d-4b59-bca0-09d702476338"
+			require.NoError(t, ai.checkClaims(c, rules))
+
+			c.ID = "8855d16c-cd5f-4ace-b626-5c5875e1a993"
+			require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"jti\" must be \"7d9a2e85-6b8d-4b59-bca0-09d702476338\", but was \"8855d16c-cd5f-4ace-b626-5c5875e1a993\"")
+		})
+
+		t.Run("aud", func(t *testing.T) {
+			c := &flexibleClaims{}
+			rules := rules(eq("aud", "the-best-audience"))
+
+			c.Audience = jwt.ClaimStrings{"the-best-audience"}
+			require.NoError(t, ai.checkClaims(c, rules))
+
+			c.Audience = jwt.ClaimStrings{"something-else"}
+			require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"aud\" must be \"the-best-audience\", but was \"something-else\"")
+
+			c.Audience = jwt.ClaimStrings{"aud1", "aud2"}
+			require.ErrorContains(t, ai.checkClaims(c, rules), "required one and only one `aud` claim, but received 2")
+		})
+
+		t.Run("arbitrary field", func(t *testing.T) {
+			c := &flexibleClaims{other: map[string]any{}}
+			rules := rules(eq("arbitrary", "abc"))
+
+			c.other["arbitrary"] = "abc"
+			require.NoError(t, ai.checkClaims(c, rules))
+
+			c.other["arbitrary"] = "123"
+			require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"arbitrary\" must be \"abc\", but was \"123\"")
+
+			delete(c.other, "arbitrary")
+			require.ErrorContains(t, ai.checkClaims(c, rules), "claim rule on \"arbitrary\" couldn't be satisfied: claim not found")
+		})
+	})
+
+	t.Run("map[string]any input", func(t *testing.T) {
+		t.Run("arbitrary field", func(t *testing.T) {
+			c := map[string]any{}
+			rules := rules(eq("arbitrary", "abc"))
+
+			c["arbitrary"] = "abc"
+			require.NoError(t, ai.checkClaims(c, rules))
+
+			c["arbitrary"] = "123"
+			require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"arbitrary\" must be \"abc\", but was \"123\"")
+
+			delete(c, "arbitrary")
+			require.ErrorContains(t, ai.checkClaims(c, rules), "claim rule on \"arbitrary\" couldn't be satisfied: claim not found")
+		})
+	})
+
+	t.Run("unexpected input", func(t *testing.T) {
+		c := map[string]int{}
+		rules := rules(eq("arbitrary", "abc"))
+		c["arbitrary"] = 123
+		require.ErrorContains(t, ai.checkClaims(c, rules), "unexpected incoming claims type: map[string]int")
+	})
+
+	t.Run("comparison ClaimEqual", func(t *testing.T) {
+		c := map[string]any{}
+		rules := rules(eq("arbitrary", "abc"))
+
+		c["arbitrary"] = "abc"
+		require.NoError(t, ai.checkClaims(c, rules))
+
+		c["arbitrary"] = "123"
+		require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"arbitrary\" must be \"abc\", but was \"123\"")
+
+		c["arbitrary"] = 123
+		require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"arbitrary\" must be a string, but was int")
+	})
+
+	t.Run("comparison ClaimGlob", func(t *testing.T) {
+		c := map[string]any{}
+		r := rules(glob("arbitrary", "*c"))
+
+		c["arbitrary"] = "abc"
+		require.NoError(t, ai.checkClaims(c, r))
+
+		c["arbitrary"] = "123"
+		require.ErrorContains(t, ai.checkClaims(c, r), "claim \"arbitrary\" must match glob \"*c\", but value \"123\" did not match")
+
+		c["arbitrary"] = "this string contains a c or two but doesn't end with one" // ensure glob isn't OK w/ a partial match
+		require.ErrorContains(t, ai.checkClaims(c, r), "claim \"arbitrary\" must match glob \"*c\", but value \"this string contains a c or two but doesn't end with one\" did not match")
+
+		c["arbitrary"] = 123
+		require.ErrorContains(t, ai.checkClaims(c, r), "claim \"arbitrary\" must be a string, but was int")
+
+		r = rules(glob("arbitrary", "[abc"))
+		c["arbitrary"] = "abc"
+		require.ErrorContains(t, ai.checkClaims(c, r), "unable to parse glob for claim rule on \"arbitrary\"; glob = \"[abc\", err = unexpected end of input")
+	})
+
+	t.Run("comparison ClaimNested", func(t *testing.T) {
+		c := map[string]any{}
+		r := rules(nest("nest", eq("arbitrary", "abc")))
+
+		c["nest"] = map[string]any{"arbitrary": "abc"}
+		require.NoError(t, ai.checkClaims(c, r))
+
+		c["nest"] = map[string]any{"blah": "abc"}
+		require.ErrorContains(t, ai.checkClaims(c, r), "in nested claim \"nest\": claim rule on \"arbitrary\" couldn't be satisfied: claim not found")
+
+		c["nest"] = map[string]int{"blah": 123}
+		require.ErrorContains(t, ai.checkClaims(c, r), "claim \"nest\" must be a map, but was map[string]int")
+	})
+
+	t.Run("multiple rules", func(t *testing.T) {
+		c := map[string]any{
+			"arb1": "abc",
+			"arb2": "123",
+			"arb3": "def",
+		}
+		rules := rules(
+			eq("arb1", "abc"),
+			eq("arb2", "123"),
+		)
+
+		require.NoError(t, ai.checkClaims(c, rules))
+
+		delete(c, "arb1")
+		require.ErrorContains(t, ai.checkClaims(c, rules), "\"arb1\"")
+
+		c["arb1"] = "abc"
+		delete(c, "arb2")
+		require.ErrorContains(t, ai.checkClaims(c, rules), "\"arb2\"")
+	})
+}
+
+func requireOutput[K auth.MethodOutput](t *testing.T, o auth.MethodOutput) K {
+	t.Helper()
+	k, isType := o.(K)
+	require.True(t, isType, "expected Verify output to be type %T, but was %T: %v", *new(K), o, o)
+	return k
+}
+
+func TestAuthorizedIntegration(t *testing.T) {
+	t.Run("no token", func(t *testing.T) {
+		ai := &AuthorizedIntegration{}
+		aiBasic := &AuthorizedIntegration{PermitBasic: true}
+		req := httptest.NewRequest("GET", "https://example.org", nil)
+		output := ai.Verify(req, nil, nil)
+		requireOutput[*auth.AuthenticationNotAttempted](t, output)
+		output = aiBasic.Verify(req, nil, nil)
+		requireOutput[*auth.AuthenticationNotAttempted](t, output)
+	})
+
+	t.Run("not a JWT", func(t *testing.T) {
+		ai := &AuthorizedIntegration{}
+		req := httptest.NewRequest("GET", "https://example.org", nil)
+		req.Header.Set("Authorization", "Bearer abc")
+		output := ai.Verify(req, nil, nil)
+		err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+		require.ErrorContains(t, err, "parse JWT error")
+	})
+
+	t.Run("valid Bearer JWT", func(t *testing.T) {
+		ait := newAITester(t)
+		defer ait.close()
+		output := ait.bearerRequest()
+		success := requireOutput[*auth.AuthenticationSuccess](t, output)
+		res := success.Result
+		assert.EqualValues(t, 2, res.User().ID)
+		hasScope, scope := res.Scope().Get()
+		assert.True(t, hasScope)
+		assert.Equal(t, auth_model.AccessTokenScopeAll, scope)
+		assert.Nil(t, res.Reducer())
+	})
+
+	t.Run("valid Basic JWT", func(t *testing.T) {
+		t.Run("PermitBasic", func(t *testing.T) {
+			ait := newAITester(t,
+				aiTweak(func(ai *AuthorizedIntegration) {
+					ai.PermitBasic = true
+				}))
+			defer ait.close()
+			output := ait.basicRequest()
+			requireOutput[*auth.AuthenticationSuccess](t, output)
+		})
+
+		t.Run("!PermitBasic", func(t *testing.T) {
+			ait := newAITester(t,
+				aiTweak(func(ai *AuthorizedIntegration) {
+					ai.PermitBasic = false
+				}))
+			defer ait.close()
+			output := ait.basicRequest()
+			requireOutput[*auth.AuthenticationNotAttempted](t, output)
+		})
+	})
+
+	t.Run("JWT expiry", func(t *testing.T) {
+		ait := newAITester(t,
+			claimTweak(func(rc *flexibleClaims) {
+				rc.ExpiresAt = jwt.NewNumericDate(time.Date(2026, time.January, 1, 12, 0, 0, 0, time.Local))
+			}))
+		defer ait.close()
+		output := ait.bearerRequest()
+		err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+		require.ErrorContains(t, err, "token is expired")
+	})
+
+	t.Run("JWT issued at", func(t *testing.T) {
+		ait := newAITester(t,
+			claimTweak(func(rc *flexibleClaims) {
+				rc.IssuedAt = jwt.NewNumericDate(time.Date(2027, time.January, 1, 12, 0, 0, 0, time.Local))
+			}))
+		defer ait.close()
+		output := ait.bearerRequest()
+		err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+		require.ErrorContains(t, err, "token used before issued")
+	})
+
+	t.Run("JWT not before", func(t *testing.T) {
+		ait := newAITester(t,
+			claimTweak(func(rc *flexibleClaims) {
+				rc.NotBefore = jwt.NewNumericDate(time.Date(2027, time.January, 1, 12, 0, 0, 0, time.Local))
+			}))
+		defer ait.close()
+		output := ait.bearerRequest()
+		err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+		require.ErrorContains(t, err, "token is not valid yet")
+	})
+
+	t.Run("issuer", func(t *testing.T) {
+		t.Run("missing in claim", func(t *testing.T) {
+			ait := newAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.Issuer = ""
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "invalid `iss` claim")
+		})
+
+		t.Run("mismatch DB", func(t *testing.T) {
+			ait := newAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.Issuer = "https://whoops.example.org"
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "matching authorized_integration not found")
+		})
+
+		t.Run("mismatch openid metadata", func(t *testing.T) {
+			ait := newAITester(t,
+				openIDTweak(func(oidc *openIDConfiguration, _ *AuthorizedIntegrationTester) {
+					oidc.Issuer = "https://whoops.example.org"
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "issuer mismatch")
+		})
+
+		t.Run("non-HTTPS issuer", func(t *testing.T) {
+			ait := newAITester(t,
+				aiDBTweak(func(aiDB *auth_model.AuthorizedIntegration) {
+					aiDB.Issuer = "http://whoops.example.org"
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "unsupported URL scheme: \"http://")
+		})
+
+		t.Run("signing alg values supported doesn't include in-use alg", func(t *testing.T) {
+			ait := newAITester(t,
+				openIDTweak(func(oidc *openIDConfiguration, _ *AuthorizedIntegrationTester) {
+					oidc.IDTokenSigningAlgValuesSupported = []string{"WEIRD"}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, " issuer supports signature algorithms []string{\"WEIRD\"}, but received token with algorithm RS256")
+		})
+	})
+
+	t.Run("audience", func(t *testing.T) {
+		t.Run("missing in claim", func(t *testing.T) {
+			ait := newAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.Audience = jwt.ClaimStrings{}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "required one and only one `aud` claim, but received 0")
+		})
+
+		t.Run("multiple in claim", func(t *testing.T) {
+			ait := newAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.Audience = jwt.ClaimStrings{"abc", "def"}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "required one and only one `aud` claim, but received 2")
+		})
+
+		t.Run("mismatch DB", func(t *testing.T) {
+			ait := newAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.Audience = jwt.ClaimStrings{"abc"}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "matching authorized_integration not found")
+		})
+	})
+
+	t.Run("checks claim rules", func(t *testing.T) {
+		ait := newAITester(t,
+			claimTweak(func(rc *flexibleClaims) {
+				rc.other["custom-claim"] = "oops wrong claim"
+			}))
+		defer ait.close()
+		output := ait.bearerRequest()
+		err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+		require.ErrorContains(t, err, "claim \"custom-claim\" must be \"custom-claim-value\"")
+	})
+
+	t.Run("key algorithms", func(t *testing.T) {
+		for _, alg := range jwtx.ValidAsymmetricAlgorithms {
+			t.Run(alg, func(t *testing.T) {
+				ait := newAITester(t,
+					jwtxKeyTweak(func() jwtx.SigningKey {
+						keyPath := filepath.Join(t.TempDir(), fmt.Sprintf("jwt-%s.priv", alg))
+						jwtSigningKey, err := jwtx.InitAsymmetricSigningKey(keyPath, alg)
+						require.NoError(t, err)
+						return jwtSigningKey
+					}),
+					openIDTweak(func(oidc *openIDConfiguration, _ *AuthorizedIntegrationTester) {
+						oidc.IDTokenSigningAlgValuesSupported = []string{alg}
+					}),
+				)
+				defer ait.close()
+				output := ait.bearerRequest()
+				requireOutput[*auth.AuthenticationSuccess](t, output)
+			})
+		}
+	})
+
+	t.Run("JWKS", func(t *testing.T) {
+		t.Run("jwks_uri host mismatch", func(t *testing.T) {
+			ait := newAITester(t,
+				openIDTweak(func(oidc *openIDConfiguration, ait *AuthorizedIntegrationTester) {
+					oidc.JwksURI = "https://whoops.example.org/.keys"
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "jwks_uri host mismatch: must be the same as issuer host")
+		})
+
+		t.Run("non-HTTPS JWKS address", func(t *testing.T) {
+			ait := newAITester(t,
+				openIDTweak(func(oidc *openIDConfiguration, ait *AuthorizedIntegrationTester) {
+					oidc.JwksURI = strings.ReplaceAll(ait.testServer.URL, "https://", "http://")
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "unsupported URL scheme: \"http://")
+		})
+
+		t.Run("missing key", func(t *testing.T) {
+			ait := newAITester(t,
+				jwksTweak(func(keys *openIDKeys) {
+					keys.Keys = []map[string]any{}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "no key identified")
+		})
+
+		t.Run("alg missing", func(t *testing.T) {
+			ait := newAITester(t,
+				jwksTweak(func(keys *openIDKeys) {
+					for k := range keys.Keys {
+						delete(keys.Keys[k], "alg")
+					}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			// per RFC7517 "alg" is optional
+			requireOutput[*auth.AuthenticationSuccess](t, output)
+		})
+
+		t.Run("alg mismatch", func(t *testing.T) {
+			ait := newAITester(t,
+				jwksTweak(func(keys *openIDKeys) {
+					for k := range keys.Keys {
+						keys.Keys[k]["alg"] = "WEIRD"
+					}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "doesn't match expected algorithm RS256, was WEIRD")
+		})
+
+		t.Run("use missing", func(t *testing.T) {
+			ait := newAITester(t,
+				jwksTweak(func(keys *openIDKeys) {
+					for k := range keys.Keys {
+						delete(keys.Keys[k], "use")
+					}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			// per RFC7517 "use" is optional
+			requireOutput[*auth.AuthenticationSuccess](t, output)
+		})
+
+		t.Run("use isn't 'sig'", func(t *testing.T) {
+			ait := newAITester(t,
+				jwksTweak(func(keys *openIDKeys) {
+					for k := range keys.Keys {
+						keys.Keys[k]["use"] = "enc"
+					}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "isn't designated for signing usage, was enc")
+		})
+
+		t.Run("large JWKS document", func(t *testing.T) {
+			ait := newAITester(t,
+				jwksTweak(func(keys *openIDKeys) {
+					var keyContents map[string]any
+					for _, v := range keys.Keys {
+						keyContents = v
+					}
+					for range 128 {
+						keys.Keys = append(keys.Keys, keyContents)
+					}
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "failed to decode (response body restricted to 16384 bytes)")
+		})
+	})
+
+	t.Run("specific scopes", func(t *testing.T) {
+		ait := newAITester(t,
+			aiDBTweak(func(aiDB *auth_model.AuthorizedIntegration) {
+				aiDB.Scope = "read:repository,read:user"
+			}))
+		defer ait.close()
+		output := ait.bearerRequest()
+		success := requireOutput[*auth.AuthenticationSuccess](t, output)
+		res := success.Result
+		hasScope, scope := res.Scope().Get()
+		assert.True(t, hasScope)
+		readRepository, err := scope.HasScope(auth_model.AccessTokenScopeReadRepository)
+		require.NoError(t, err)
+		assert.True(t, readRepository, "read:repository")
+		readUser, err := scope.HasScope(auth_model.AccessTokenScopeReadUser)
+		require.NoError(t, err)
+		assert.True(t, readUser, "read:user")
+		writeAdmin, err := scope.HasScope(auth_model.AccessTokenScopeWriteAdmin)
+		require.NoError(t, err)
+		assert.False(t, writeAdmin, "write:admin")
+	})
+}
+
+type AuthorizedIntegrationTester struct {
+	t               *testing.T
+	ai              *AuthorizedIntegration
+	dbAI            *auth_model.AuthorizedIntegration
+	jwtSigningKey   jwtx.SigningKey
+	testServer      *httptest.Server
+	resetHTTPClient func()
+	tweaks          []tweak
+}
+
+func newAITester(t *testing.T, tweaks ...tweak) *AuthorizedIntegrationTester {
+	fixedTime := time.Date(2026, time.January, 1, 16, 0, 0, 0, time.Local)
+	ait := &AuthorizedIntegrationTester{
+		t: t,
+		ai: &AuthorizedIntegration{
+			fixedTime: &fixedTime,
+		},
+		tweaks: tweaks,
+	}
+	for _, tweak := range ait.tweaks {
+		if aiTweak, is := tweak.(aiTweak); is {
+			aiTweak(ait.ai)
+		}
+	}
+
+	var jwtSigningKey jwtx.SigningKey
+	for _, tweak := range ait.tweaks {
+		if jwtxKeyTweak, is := tweak.(jwtxKeyTweak); is {
+			jwtSigningKey = jwtxKeyTweak()
+		}
+	}
+	if jwtSigningKey == nil {
+		var err error
+		keyPath := filepath.Join(t.TempDir(), "jwt-rsa-2048.priv")
+		jwtSigningKey, err = jwtx.InitAsymmetricSigningKey(keyPath, "RS256")
+		require.NoError(t, err)
+	}
+	ait.jwtSigningKey = jwtSigningKey
+
+	ait.testServer = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/api/actions/.well-known/openid-configuration" {
+			retval := &openIDConfiguration{
+				Issuer:                           ait.dbAI.Issuer,
+				IDTokenSigningAlgValuesSupported: []string{"RS256"},
+				JwksURI:                          fmt.Sprintf("%s/.keys", ait.dbAI.Issuer),
+			}
+			for _, tweak := range ait.tweaks {
+				if tweak, is := tweak.(openIDTweak); is {
+					tweak(retval, ait)
+				}
+			}
+			err := json.NewEncoder(w).Encode(retval)
+			require.NoError(t, err)
+			return
+		}
+		if r.URL.Path == "/api/actions/.keys" {
+			jwk, err := ait.jwtSigningKey.ToJWK()
+			require.NoError(t, err)
+			jwk["use"] = "sig"
+			jwkMapAny := make(map[string]any, len(jwk))
+			for k, v := range jwk {
+				jwkMapAny[k] = v // convert map[string]string -> map[string]any
+			}
+			retval := &openIDKeys{
+				Keys: []map[string]any{jwkMapAny},
+			}
+			for _, tweak := range ait.tweaks {
+				if jwksTweak, is := tweak.(jwksTweak); is {
+					jwksTweak(retval)
+				}
+			}
+			_ = json.NewEncoder(w).Encode(retval) // no error checking -- some tests abort read
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+
+	// trust TLS cert of our mock client by inserting the test client for our test server into the global aiHTTPClient
+	ait.resetHTTPClient = test.MockVariableValue(&aiHTTPClient, ait.testServer.Client())
+	// prevent self-initialization of the HTTP client during unit testing -- this means that a real client cant' be
+	// created and aiHTTPClient will always be nil (other than when mocked), but that's fine because we don't want to do
+	// external HTTP traffic in these tests
+	initHTTPClient.Do(func() {})
+
+	ait.dbAI = &auth_model.AuthorizedIntegration{
+		UserID:   2,
+		Scope:    auth_model.AccessTokenScopeAll,
+		Issuer:   fmt.Sprintf("%s/api/actions", ait.testServer.URL),
+		Audience: fmt.Sprintf("https://forgejo.example.org/-/coolguy/authorized-integration/%s", gouuid.New().String()),
+		ClaimRules: &auth_model.ClaimRules{
+			Rules: []auth_model.ClaimRule{
+				{
+					Claim:      "custom-claim",
+					Comparison: auth_model.ClaimEqual,
+					Value:      "custom-claim-value",
+				},
+			},
+		},
+	}
+	for _, tweak := range ait.tweaks {
+		if tweak, is := tweak.(aiDBTweak); is {
+			tweak(ait.dbAI)
+		}
+	}
+	_, err := db.GetEngine(t.Context()).Insert(ait.dbAI)
+	require.NoError(t, err)
+
+	return ait
+}
+
+func (ait *AuthorizedIntegrationTester) signedJWT() string {
+	claims := flexibleClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:   ait.dbAI.Issuer,
+			Audience: jwt.ClaimStrings{ait.dbAI.Audience},
+		},
+		other: map[string]any{
+			"custom-claim": "custom-claim-value",
+		},
+	}
+	for _, tweak := range ait.tweaks {
+		if tweak, is := tweak.(claimTweak); is {
+			tweak(&claims)
+		}
+	}
+	signedToken, err := ait.jwtSigningKey.JWT(claims)
+	require.NoError(ait.t, err)
+	return signedToken
+}
+
+func (ait *AuthorizedIntegrationTester) bearerRequest() auth.MethodOutput {
+	signedToken := ait.signedJWT()
+	req := httptest.NewRequest("GET", "https://forgejo.example.org", nil)
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", signedToken))
+	return ait.ai.Verify(req, nil, nil)
+}
+
+func (ait *AuthorizedIntegrationTester) basicRequest() auth.MethodOutput {
+	signedToken := ait.signedJWT()
+	req := httptest.NewRequest("GET", "https://forgejo.example.org", nil)
+	req.SetBasicAuth("", signedToken)
+	return ait.ai.Verify(req, nil, nil)
+}
+
+func (ait *AuthorizedIntegrationTester) close() {
+	ait.resetHTTPClient()
+	ait.testServer.Close()
+}
+
+type tweak any
+
+type claimTweak func(*flexibleClaims)
+
+type aiTweak func(*AuthorizedIntegration)
+
+type openIDTweak func(*openIDConfiguration, *AuthorizedIntegrationTester)
+
+type jwksTweak func(*openIDKeys)
+
+type aiDBTweak func(*auth_model.AuthorizedIntegration)
+
+type jwtxKeyTweak func() jwtx.SigningKey

From c9d8682f9037fbeb3f322718d8731c5e72906ef6 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 26 Apr 2026 22:06:16 +0200
Subject: [PATCH 172/287] test: add API integration testing for authorized
 integration authentication (#12266)

Built on #12261; one commit added.

Adds an integration test verifying that access to the API can be authenticated by an authorized integration.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12266
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 .deadcode-out                                 |  3 +
 .../auth/method/authorized_integration.go     | 10 +-
 .../auth_authorized_integration_test.go       | 53 ++++++++++
 tests/integration/integration_test.go         | 99 +++++++++++++++++++
 4 files changed, 162 insertions(+), 3 deletions(-)
 create mode 100644 tests/integration/auth_authorized_integration_test.go

diff --git a/.deadcode-out b/.deadcode-out
index b70be3e800..b8c236daf6 100644
--- a/.deadcode-out
+++ b/.deadcode-out
@@ -222,6 +222,9 @@ forgejo.org/modules/zstd
 forgejo.org/routers/web/org
 	MustEnableProjects
 
+forgejo.org/services/auth/method
+	OverrideAuthorizedIntegrationHTTPClient
+
 forgejo.org/services/context
 	GetPrivateContext
 
diff --git a/services/auth/method/authorized_integration.go b/services/auth/method/authorized_integration.go
index 2f29d406e3..60e210ee1c 100644
--- a/services/auth/method/authorized_integration.go
+++ b/services/auth/method/authorized_integration.go
@@ -35,6 +35,12 @@ var (
 	initHTTPClient sync.Once
 
 	errParseInternalServer = errors.New("internal server error")
+
+	// Allow mocking / overridding during tests:
+	GetAuthorizedIntegrationHTTPClient = func() *http.Client {
+		initHTTPClient.Do(initAuthorizedIntegrationHTTPClient)
+		return aiHTTPClient
+	}
 )
 
 // Restrict document size to prevent resource exhaustion attack with a malicious authorized integration; largest
@@ -247,9 +253,7 @@ func (a *AuthorizedIntegration) fetchJSON(urlString string, v any) error {
 		return fmt.Errorf("unsupported URL scheme: %q", parsedURL.String())
 	}
 
-	initHTTPClient.Do(initAuthorizedIntegrationHTTPClient)
-
-	resp, err := aiHTTPClient.Get(parsedURL.String())
+	resp, err := GetAuthorizedIntegrationHTTPClient().Get(parsedURL.String())
 	if err != nil {
 		return err
 	}
diff --git a/tests/integration/auth_authorized_integration_test.go b/tests/integration/auth_authorized_integration_test.go
new file mode 100644
index 0000000000..36fefe7cf9
--- /dev/null
+++ b/tests/integration/auth_authorized_integration_test.go
@@ -0,0 +1,53 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"net/http"
+	"testing"
+
+	auth_model "forgejo.org/models/auth"
+	api "forgejo.org/modules/structs"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIAuthWithAuthorizedIntegration(t *testing.T) {
+	t.Run("all access token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		ait := newAITester(t)
+		defer ait.close()
+		token := ait.signedJWT()
+
+		req := NewRequest(t, "GET", "/api/v1/user").AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusOK)
+		var user api.User
+		DecodeJSON(t, resp, &user)
+		assert.Equal(t, "user2", user.LoginName)
+
+		req = NewRequest(t, "GET", "/api/v1/repos/user2/repo1").AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusOK)
+	})
+
+	t.Run("scope-limited access token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
+			ai.Scope = auth_model.AccessTokenScopeReadUser
+		})
+		defer ait.close()
+		token := ait.signedJWT()
+
+		req := NewRequest(t, "GET", "/api/v1/user").AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusOK)
+		var user api.User
+		DecodeJSON(t, resp, &user)
+		assert.Equal(t, "user2", user.LoginName)
+
+		req = NewRequest(t, "GET", "/api/v1/repos/user2/repo1").AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusForbidden)
+	})
+}
diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
index 6cde9be4df..ecd7d86073 100644
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@@ -33,13 +33,16 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/graceful"
 	"forgejo.org/modules/json"
+	"forgejo.org/modules/jwtx"
 	"forgejo.org/modules/keying"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
+	"forgejo.org/modules/test"
 	"forgejo.org/modules/testlogger"
 	"forgejo.org/modules/util"
 	"forgejo.org/modules/web"
 	"forgejo.org/routers"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/auth/source/remote"
 	app_context "forgejo.org/services/context"
 	"forgejo.org/services/mailer"
@@ -47,6 +50,8 @@ import (
 	"forgejo.org/tests"
 
 	"github.com/PuerkitoBio/goquery"
+	"github.com/golang-jwt/jwt/v5"
+	gouuid "github.com/google/uuid"
 	"github.com/markbates/goth"
 	"github.com/markbates/goth/gothic"
 	goth_github "github.com/markbates/goth/providers/github"
@@ -779,3 +784,97 @@ func SortMailerMessages(msgs []*mailer.Message) {
 		return strings.Compare(b.To, a.To)
 	})
 }
+
+type AuthorizedIntegrationTester struct {
+	t                       *testing.T
+	authorizedIntegration   *auth.AuthorizedIntegration
+	jwtSigningKey           jwtx.SigningKey
+	testServer              *httptest.Server
+	resetHTTPClient         func()
+	resetAllowLocalNetworks func()
+}
+
+func newAITester(t *testing.T, setupAI ...func(*auth.AuthorizedIntegration)) *AuthorizedIntegrationTester {
+	ait := &AuthorizedIntegrationTester{
+		t: t,
+	}
+
+	var jwtSigningKey jwtx.SigningKey
+	keyPath := filepath.Join(t.TempDir(), "jwt-rsa-2048.priv")
+	jwtSigningKey, err := jwtx.InitAsymmetricSigningKey(keyPath, "RS256")
+	require.NoError(t, err)
+	ait.jwtSigningKey = jwtSigningKey
+
+	ait.testServer = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/api/actions/.well-known/openid-configuration" {
+			retval := map[string]any{
+				"issuer":                                ait.authorizedIntegration.Issuer,
+				"jwks_uri":                              fmt.Sprintf("%s/.keys", ait.authorizedIntegration.Issuer),
+				"id_token_signing_alg_values_supported": []string{"RS256"},
+			}
+			err := json.NewEncoder(w).Encode(retval)
+			require.NoError(t, err)
+			return
+		}
+		if r.URL.Path == "/api/actions/.keys" {
+			jwk, err := ait.jwtSigningKey.ToJWK()
+			require.NoError(t, err)
+			jwk["use"] = "sig"
+			retval := map[string]any{
+				"keys": []map[string]string{jwk},
+			}
+			_ = json.NewEncoder(w).Encode(retval) // no error checking -- some tests abort read
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+
+	// trust TLS cert of our NewTLSServer  by inserting the test client for our test server in as the HTTP client to use
+	ait.resetHTTPClient = test.MockVariableValue(
+		&auth_method.GetAuthorizedIntegrationHTTPClient,
+		func() *http.Client {
+			return ait.testServer.Client()
+		})
+
+	ait.authorizedIntegration = &auth.AuthorizedIntegration{
+		UserID:   2,
+		Scope:    auth.AccessTokenScopeAll,
+		Issuer:   fmt.Sprintf("%s/api/actions", ait.testServer.URL),
+		Audience: fmt.Sprintf("https://forgejo.example.org/-/coolguy/authorized-integration/%s", gouuid.New().String()),
+		ClaimRules: &auth.ClaimRules{
+			Rules: []auth.ClaimRule{
+				{
+					Claim:      "custom-claim",
+					Comparison: auth.ClaimEqual,
+					Value:      "custom-claim-value",
+				},
+			},
+		},
+	}
+	for _, setup := range setupAI {
+		setup(ait.authorizedIntegration)
+	}
+	_, err = db.GetEngine(t.Context()).Insert(ait.authorizedIntegration)
+	require.NoError(t, err)
+
+	ait.resetAllowLocalNetworks = test.MockVariableValue(&setting.AuthorizedIntegration.AllowLocalNetworks, true)
+
+	return ait
+}
+
+func (ait *AuthorizedIntegrationTester) signedJWT() string {
+	claims := jwt.MapClaims{
+		"iss":          ait.authorizedIntegration.Issuer,
+		"aud":          ait.authorizedIntegration.Audience,
+		"custom-claim": "custom-claim-value",
+	}
+	signedToken, err := ait.jwtSigningKey.JWT(claims)
+	require.NoError(ait.t, err)
+	return signedToken
+}
+
+func (ait *AuthorizedIntegrationTester) close() {
+	ait.resetAllowLocalNetworks()
+	ait.resetHTTPClient()
+	ait.testServer.Close()
+}

From 900306e65a5f04965aa1feab13d31bd141ecb120 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 26 Apr 2026 23:54:41 +0200
Subject: [PATCH 173/287] feat: add repo-specific & public-only authz reducers
 to authorized integrations (#12267)

Built on #12266; one commit added.

Adds the ability to reduce the authorization scope of an authorized integration to public-only resources and repo-specific resources.  Backend only -- no frontend created yet.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12267
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 .../authorized_integ_resource_repo.yml        |  9 +++
 .../authorized_integration.yml                |  9 +++
 models/auth/access_token_resource.go          |  4 +
 .../authorized_integration_resource_repo.go   | 17 +++++
 ...thorized_integration_resource_repo_test.go | 40 ++++++++++
 .../auth_result_authorized_integration.go     | 10 ++-
 .../auth/method/authorized_integration.go     | 12 ++-
 .../method/authorized_integration_test.go     |  2 +-
 .../authorized_integ_resource_repo.yml        |  5 ++
 .../authorized_integration.yml                | 35 +++++++++
 services/authz/access_token.go                |  7 +-
 services/authz/access_token_test.go           |  2 +-
 services/authz/authorized_integration.go      | 33 +++++++++
 services/authz/authorized_integration_test.go | 46 ++++++++++++
 services/authz/specific_repos_reducer.go      | 11 ++-
 services/authz/specific_repos_reducer_test.go |  6 +-
 .../auth_authorized_integration_test.go       | 73 ++++++++++++++++++-
 tests/integration/integration_test.go         |  1 +
 18 files changed, 305 insertions(+), 17 deletions(-)
 create mode 100644 models/auth/TestGetRepositoriesAccessibleWithIntegration/authorized_integ_resource_repo.yml
 create mode 100644 models/auth/TestGetRepositoriesAccessibleWithIntegration/authorized_integration.yml
 create mode 100644 models/auth/authorized_integration_resource_repo_test.go
 create mode 100644 services/authz/TestGetAuthorizationReducerForAuthorizedIntegration/authorized_integ_resource_repo.yml
 create mode 100644 services/authz/TestGetAuthorizationReducerForAuthorizedIntegration/authorized_integration.yml
 create mode 100644 services/authz/authorized_integration.go
 create mode 100644 services/authz/authorized_integration_test.go

diff --git a/models/auth/TestGetRepositoriesAccessibleWithIntegration/authorized_integ_resource_repo.yml b/models/auth/TestGetRepositoriesAccessibleWithIntegration/authorized_integ_resource_repo.yml
new file mode 100644
index 0000000000..5e0ccf1130
--- /dev/null
+++ b/models/auth/TestGetRepositoriesAccessibleWithIntegration/authorized_integ_resource_repo.yml
@@ -0,0 +1,9 @@
+- integ_id: 1
+  repo_id: 1
+  created_unix: 1772158384
+- integ_id: 1
+  repo_id: 2
+  created_unix: 1772158384
+- integ_id: 1
+  repo_id: 3
+  created_unix: 1772158384
diff --git a/models/auth/TestGetRepositoriesAccessibleWithIntegration/authorized_integration.yml b/models/auth/TestGetRepositoriesAccessibleWithIntegration/authorized_integration.yml
new file mode 100644
index 0000000000..18e5e68054
--- /dev/null
+++ b/models/auth/TestGetRepositoriesAccessibleWithIntegration/authorized_integration.yml
@@ -0,0 +1,9 @@
+- id: 1
+  user_id: 2
+  scope: all
+  resource_all_repos: false
+  issuer: https://example.org/
+  audience: https://forgejo.example.org/-/user/integration/abcdef123
+  claim_rules: "{}"
+  created_unix: 1777153359
+  updated_unix: 1777153359
diff --git a/models/auth/access_token_resource.go b/models/auth/access_token_resource.go
index bf98c52b69..85978dd131 100644
--- a/models/auth/access_token_resource.go
+++ b/models/auth/access_token_resource.go
@@ -24,6 +24,10 @@ func init() {
 	db.RegisterModel(new(AccessTokenResourceRepo))
 }
 
+func (atr *AccessTokenResourceRepo) GetTargetRepoID() int64 {
+	return atr.RepoID
+}
+
 func GetRepositoriesAccessibleWithToken(ctx context.Context, accessTokenID int64) ([]*AccessTokenResourceRepo, error) {
 	var resources []*AccessTokenResourceRepo
 	err := db.GetEngine(ctx).
diff --git a/models/auth/authorized_integration_resource_repo.go b/models/auth/authorized_integration_resource_repo.go
index 98960b5c8a..9c48d16f98 100644
--- a/models/auth/authorized_integration_resource_repo.go
+++ b/models/auth/authorized_integration_resource_repo.go
@@ -4,6 +4,8 @@
 package auth
 
 import (
+	"context"
+
 	"forgejo.org/models/db"
 	"forgejo.org/modules/timeutil"
 )
@@ -25,3 +27,18 @@ type AuthorizedIntegResourceRepo struct {
 func init() {
 	db.RegisterModel(new(AuthorizedIntegResourceRepo))
 }
+
+func (air *AuthorizedIntegResourceRepo) GetTargetRepoID() int64 {
+	return air.RepoID
+}
+
+func GetRepositoriesAccessibleWithIntegration(ctx context.Context, aiID int64) ([]*AuthorizedIntegResourceRepo, error) {
+	var resources []*AuthorizedIntegResourceRepo
+	err := db.GetEngine(ctx).
+		Where("integ_id = ?", aiID).
+		Find(&resources)
+	if err != nil {
+		return nil, err
+	}
+	return resources, nil
+}
diff --git a/models/auth/authorized_integration_resource_repo_test.go b/models/auth/authorized_integration_resource_repo_test.go
new file mode 100644
index 0000000000..853cddb828
--- /dev/null
+++ b/models/auth/authorized_integration_resource_repo_test.go
@@ -0,0 +1,40 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package auth_test
+
+import (
+	"testing"
+
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetRepositoriesAccessibleWithIntegration(t *testing.T) {
+	defer unittest.OverrideFixtures("models/auth/TestGetRepositoriesAccessibleWithIntegration")()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("No Resources", func(t *testing.T) {
+		resources, err := auth_model.GetRepositoriesAccessibleWithIntegration(t.Context(), 999)
+		require.NoError(t, err)
+		assert.Empty(t, resources)
+	})
+
+	t.Run("Has Resources", func(t *testing.T) {
+		resources, err := auth_model.GetRepositoriesAccessibleWithIntegration(t.Context(), 1)
+		require.NoError(t, err)
+		require.Len(t, resources, 3)
+
+		// Verify all expected repo IDs are present
+		repoIDs := make([]int64, len(resources))
+		for i, res := range resources {
+			repoIDs[i] = res.RepoID
+		}
+		assert.Contains(t, repoIDs, int64(1))
+		assert.Contains(t, repoIDs, int64(2))
+		assert.Contains(t, repoIDs, int64(3))
+	})
+}
diff --git a/services/auth/method/auth_result_authorized_integration.go b/services/auth/method/auth_result_authorized_integration.go
index 6868b4848f..55efa95d18 100644
--- a/services/auth/method/auth_result_authorized_integration.go
+++ b/services/auth/method/auth_result_authorized_integration.go
@@ -8,14 +8,16 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/optional"
 	"forgejo.org/services/auth"
+	"forgejo.org/services/authz"
 )
 
 var _ auth.AuthenticationResult = &authorizedIntegrationAuthenticationResult{}
 
 type authorizedIntegrationAuthenticationResult struct {
 	*auth.BaseAuthenticationResult
-	user  *user_model.User
-	scope auth_model.AccessTokenScope
+	user    *user_model.User
+	scope   auth_model.AccessTokenScope
+	reducer authz.AuthorizationReducer
 }
 
 func (r *authorizedIntegrationAuthenticationResult) User() *user_model.User {
@@ -25,3 +27,7 @@ func (r *authorizedIntegrationAuthenticationResult) User() *user_model.User {
 func (r *authorizedIntegrationAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenScope] {
 	return optional.Some(r.scope)
 }
+
+func (r *authorizedIntegrationAuthenticationResult) Reducer() authz.AuthorizationReducer {
+	return r.reducer
+}
diff --git a/services/auth/method/authorized_integration.go b/services/auth/method/authorized_integration.go
index 60e210ee1c..000383d8c5 100644
--- a/services/auth/method/authorized_integration.go
+++ b/services/auth/method/authorized_integration.go
@@ -23,6 +23,7 @@ import (
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/util"
 	"forgejo.org/services/auth"
+	"forgejo.org/services/authz"
 
 	"github.com/gobwas/glob"
 	"github.com/golang-jwt/jwt/v5"
@@ -204,11 +205,16 @@ func (a *AuthorizedIntegration) Verify(req *http.Request, w http.ResponseWriter,
 		log.Error("UpdateLastUsed:  %v", err)
 	}
 
+	reducer, err := authz.GetAuthorizationReducerForAuthorizedIntegration(req.Context(), authorizedIntegration)
+	if err != nil {
+		return &auth.AuthenticationError{Error: fmt.Errorf("authorized integration GetAuthorizationReducerForAuthorizedIntegration: %w", err)}
+	}
+
 	return &auth.AuthenticationSuccess{
 		Result: &authorizedIntegrationAuthenticationResult{
-			user:  u,
-			scope: authorizedIntegration.Scope,
-			// TODO: add repo-specific access with an authz reducer
+			user:    u,
+			scope:   authorizedIntegration.Scope,
+			reducer: reducer,
 		},
 	}
 }
diff --git a/services/auth/method/authorized_integration_test.go b/services/auth/method/authorized_integration_test.go
index 46048573ad..f2afbd3896 100644
--- a/services/auth/method/authorized_integration_test.go
+++ b/services/auth/method/authorized_integration_test.go
@@ -250,7 +250,7 @@ func TestAuthorizedIntegration(t *testing.T) {
 		hasScope, scope := res.Scope().Get()
 		assert.True(t, hasScope)
 		assert.Equal(t, auth_model.AccessTokenScopeAll, scope)
-		assert.Nil(t, res.Reducer())
+		assert.NotNil(t, res.Reducer())
 	})
 
 	t.Run("valid Basic JWT", func(t *testing.T) {
diff --git a/services/authz/TestGetAuthorizationReducerForAuthorizedIntegration/authorized_integ_resource_repo.yml b/services/authz/TestGetAuthorizationReducerForAuthorizedIntegration/authorized_integ_resource_repo.yml
new file mode 100644
index 0000000000..d5d55d1d67
--- /dev/null
+++ b/services/authz/TestGetAuthorizationReducerForAuthorizedIntegration/authorized_integ_resource_repo.yml
@@ -0,0 +1,5 @@
+-
+  id: 1
+  integ_id: 7
+  repo_id: 1
+  created_unix: 1772158384
diff --git a/services/authz/TestGetAuthorizationReducerForAuthorizedIntegration/authorized_integration.yml b/services/authz/TestGetAuthorizationReducerForAuthorizedIntegration/authorized_integration.yml
new file mode 100644
index 0000000000..7c173e5ea6
--- /dev/null
+++ b/services/authz/TestGetAuthorizationReducerForAuthorizedIntegration/authorized_integration.yml
@@ -0,0 +1,35 @@
+# all access
+-
+  id: 5
+  user_id: 2
+  scope: all
+  resource_all_repos: true
+  issuer: https://example.org/
+  audience: https://forgejo.example.org/-/user/integration/abcdef123
+  claim_rules: "{}"
+  created_unix: 1777153359
+  updated_unix: 1777153359
+
+# public-only
+-
+  id: 6
+  user_id: 2
+  scope: public-only,read:activitypub
+  resource_all_repos: true
+  issuer: https://example.org/
+  audience: https://forgejo.example.org/-/user/integration/abcdef1234
+  claim_rules: "{}"
+  created_unix: 1777153359
+  updated_unix: 1777153359
+
+# repo-specific
+-
+  id: 7
+  user_id: 2
+  scope: all
+  resource_all_repos: false
+  issuer: https://example.org/
+  audience: https://forgejo.example.org/-/user/integration/abcdef1235
+  claim_rules: "{}"
+  created_unix: 1777153359
+  updated_unix: 1777153359
diff --git a/services/authz/access_token.go b/services/authz/access_token.go
index 207fdd6546..1660881dab 100644
--- a/services/authz/access_token.go
+++ b/services/authz/access_token.go
@@ -25,7 +25,12 @@ func GetAuthorizationReducerForAccessToken(ctx context.Context, token *auth_mode
 	if err != nil {
 		return nil, fmt.Errorf("GetRepositoriesAccessibleWithToken: %w", err)
 	}
-	return &SpecificReposAuthorizationReducer{resourceRepos: repos}, nil
+	// Cast slice into []RepoGetter
+	iface := make([]RepoGetter, len(repos))
+	for i, r := range repos {
+		iface[i] = r
+	}
+	return &SpecificReposAuthorizationReducer{resourceRepos: iface}, nil
 }
 
 // A locale lookup string for the error -- eg. `access_token.error.invalid_something`
diff --git a/services/authz/access_token_test.go b/services/authz/access_token_test.go
index 8219e2a057..2e4d9e4453 100644
--- a/services/authz/access_token_test.go
+++ b/services/authz/access_token_test.go
@@ -42,7 +42,7 @@ func TestGetAuthorizationReducerForAccessToken(t *testing.T) {
 		require.NotNil(t, specific)
 
 		require.Len(t, specific.resourceRepos, 1)
-		assert.EqualValues(t, 1, specific.resourceRepos[0].RepoID)
+		assert.EqualValues(t, 1, specific.resourceRepos[0].GetTargetRepoID())
 	})
 }
 
diff --git a/services/authz/authorized_integration.go b/services/authz/authorized_integration.go
new file mode 100644
index 0000000000..c463c0aeca
--- /dev/null
+++ b/services/authz/authorized_integration.go
@@ -0,0 +1,33 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package authz
+
+import (
+	"context"
+	"fmt"
+
+	auth_model "forgejo.org/models/auth"
+)
+
+func GetAuthorizationReducerForAuthorizedIntegration(ctx context.Context, ai *auth_model.AuthorizedIntegration) (AuthorizationReducer, error) {
+	if ai.ResourceAllRepos {
+		if publicOnly, err := ai.Scope.PublicOnly(); err != nil {
+			return nil, fmt.Errorf("PublicOnly: %w", err)
+		} else if publicOnly {
+			return &PublicReposAuthorizationReducer{}, nil
+		}
+		return &AllAccessAuthorizationReducer{}, nil
+	}
+
+	repos, err := auth_model.GetRepositoriesAccessibleWithIntegration(ctx, ai.ID)
+	if err != nil {
+		return nil, fmt.Errorf("GetRepositoriesAccessibleWithIntegration: %w", err)
+	}
+	// Cast slice into []RepoGetter
+	iface := make([]RepoGetter, len(repos))
+	for i, r := range repos {
+		iface[i] = r
+	}
+	return &SpecificReposAuthorizationReducer{resourceRepos: iface}, nil
+}
diff --git a/services/authz/authorized_integration_test.go b/services/authz/authorized_integration_test.go
new file mode 100644
index 0000000000..fe3ec697a4
--- /dev/null
+++ b/services/authz/authorized_integration_test.go
@@ -0,0 +1,46 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package authz
+
+import (
+	"testing"
+
+	"forgejo.org/models/auth"
+	"forgejo.org/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetAuthorizationReducerForAuthorizedIntegration(t *testing.T) {
+	defer unittest.OverrideFixtures("services/authz/TestGetAuthorizationReducerForAuthorizedIntegration")()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("all access", func(t *testing.T) {
+		token := unittest.AssertExistsAndLoadBean(t, &auth.AuthorizedIntegration{ID: 5})
+		reducer, err := GetAuthorizationReducerForAuthorizedIntegration(t.Context(), token)
+		require.NoError(t, err)
+		assert.IsType(t, &AllAccessAuthorizationReducer{}, reducer)
+	})
+
+	t.Run("public resources only", func(t *testing.T) {
+		token := unittest.AssertExistsAndLoadBean(t, &auth.AuthorizedIntegration{ID: 6})
+		reducer, err := GetAuthorizationReducerForAuthorizedIntegration(t.Context(), token)
+		require.NoError(t, err)
+		assert.IsType(t, &PublicReposAuthorizationReducer{}, reducer)
+	})
+
+	t.Run("specific repos only", func(t *testing.T) {
+		token := unittest.AssertExistsAndLoadBean(t, &auth.AuthorizedIntegration{ID: 7})
+		reducer, err := GetAuthorizationReducerForAuthorizedIntegration(t.Context(), token)
+		require.NoError(t, err)
+
+		specific, ok := reducer.(*SpecificReposAuthorizationReducer)
+		require.True(t, ok)
+		require.NotNil(t, specific)
+
+		require.Len(t, specific.resourceRepos, 1)
+		assert.EqualValues(t, 1, specific.resourceRepos[0].GetTargetRepoID())
+	})
+}
diff --git a/services/authz/specific_repos_reducer.go b/services/authz/specific_repos_reducer.go
index dd085189af..b4e97f2a6b 100644
--- a/services/authz/specific_repos_reducer.go
+++ b/services/authz/specific_repos_reducer.go
@@ -7,7 +7,6 @@ import (
 	"context"
 	"fmt"
 
-	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/perm"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/modules/structs"
@@ -19,12 +18,16 @@ import (
 // repositories that aren't listed among the specific repos, read-only access is permitted.  For all other repos, no
 // access is permitted.
 type SpecificReposAuthorizationReducer struct {
-	resourceRepos []*auth_model.AccessTokenResourceRepo
+	resourceRepos []RepoGetter
+}
+
+type RepoGetter interface {
+	GetTargetRepoID() int64
 }
 
 func (r *SpecificReposAuthorizationReducer) ReduceRepoAccess(ctx context.Context, repo *repo_model.Repository, accessMode perm.AccessMode) (perm.AccessMode, error) {
 	for _, tokenRepo := range r.resourceRepos {
-		if tokenRepo.RepoID == repo.ID {
+		if tokenRepo.GetTargetRepoID() == repo.ID {
 			// No restrictions as this repo is within the scope of the access token.
 			return accessMode, nil
 		}
@@ -47,7 +50,7 @@ func (r *SpecificReposAuthorizationReducer) ReduceRepoAccess(ctx context.Context
 func (r *SpecificReposAuthorizationReducer) RepoReadAccessFilter() builder.Cond {
 	repoIDs := make([]int64, len(r.resourceRepos))
 	for i, tokenRepo := range r.resourceRepos {
-		repoIDs[i] = tokenRepo.RepoID
+		repoIDs[i] = tokenRepo.GetTargetRepoID()
 	}
 	targetRepos := builder.In("repository.id", repoIDs)
 
diff --git a/services/authz/specific_repos_reducer_test.go b/services/authz/specific_repos_reducer_test.go
index 5db65eeca4..a7bd1545b0 100644
--- a/services/authz/specific_repos_reducer_test.go
+++ b/services/authz/specific_repos_reducer_test.go
@@ -20,11 +20,11 @@ func TestSpecificReposAuthorizationReducer(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 
 	reducer := &SpecificReposAuthorizationReducer{
-		resourceRepos: []*auth.AccessTokenResourceRepo{
-			{
+		resourceRepos: []RepoGetter{
+			&auth.AccessTokenResourceRepo{
 				RepoID: 1,
 			},
-			{
+			&auth.AccessTokenResourceRepo{
 				RepoID: 2,
 			},
 		},
diff --git a/tests/integration/auth_authorized_integration_test.go b/tests/integration/auth_authorized_integration_test.go
index 36fefe7cf9..668abc2630 100644
--- a/tests/integration/auth_authorized_integration_test.go
+++ b/tests/integration/auth_authorized_integration_test.go
@@ -4,18 +4,23 @@
 package integration
 
 import (
+	"fmt"
 	"net/http"
 	"testing"
 
 	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/db"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/tests"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestAPIAuthWithAuthorizedIntegration(t *testing.T) {
-	t.Run("all access token", func(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	t.Run("all access authorized integration", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		ait := newAITester(t)
@@ -32,7 +37,7 @@ func TestAPIAuthWithAuthorizedIntegration(t *testing.T) {
 		MakeRequest(t, req, http.StatusOK)
 	})
 
-	t.Run("scope-limited access token", func(t *testing.T) {
+	t.Run("scope-limited authorized integration", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
@@ -50,4 +55,68 @@ func TestAPIAuthWithAuthorizedIntegration(t *testing.T) {
 		req = NewRequest(t, "GET", "/api/v1/repos/user2/repo1").AddTokenAuth(token)
 		MakeRequest(t, req, http.StatusForbidden)
 	})
+
+	// Clone of TestAPICompareCommitsAccessTokenResources, but using an authorized integration rather than an access
+	// token, to test its application of an authorization reducer for public-only and repo-specific access. Any API test
+	// that uses repo-specific tokens could serve as a test here; this one is just relatively simple and succinct for
+	// the number of things being tested.
+	t.Run("authorization reducer", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		// Using the compare API, will be testing that the base repo's security checks implement fine-grained access
+		// controls (and baselines with all and public-only).
+		testCase := func(t *testing.T, repo, token string, expectedStatus int) {
+			req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/compare/master...master", repo)).AddTokenAuth(token)
+			MakeRequest(t, req, expectedStatus)
+		}
+
+		t.Run("all access token", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
+				ai.Scope = auth_model.AccessTokenScopeReadRepository
+			})
+			defer ait.close()
+			allToken := ait.signedJWT()
+
+			testCase(t, "user2/repo1", allToken, http.StatusOK)  // public user2/repo1
+			testCase(t, "org3/repo3", allToken, http.StatusOK)   // private org3/repo3
+			testCase(t, "user2/repo20", allToken, http.StatusOK) // private user2/repo20
+		})
+
+		t.Run("public-only access token", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
+				ai.Scope = auth_model.AccessTokenScope(fmt.Sprintf("%s,%s", auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeReadRepository))
+			})
+			defer ait.close()
+			publicOnlyToken := ait.signedJWT()
+
+			testCase(t, "user2/repo1", publicOnlyToken, http.StatusOK)        // public user2/repo1
+			testCase(t, "org3/repo3", publicOnlyToken, http.StatusNotFound)   // private org3/repo3
+			testCase(t, "user2/repo20", publicOnlyToken, http.StatusNotFound) // private user2/repo20
+		})
+
+		t.Run("specific repo access token", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
+				ai.Scope = auth_model.AccessTokenScopeReadRepository
+				ai.ResourceAllRepos = false
+			})
+			defer ait.close()
+
+			_, err := db.GetEngine(t.Context()).Insert(&auth_model.AuthorizedIntegResourceRepo{
+				IntegID: ait.authorizedIntegration.ID,
+				RepoID:  3,
+			})
+			require.NoError(t, err)
+			repo3OnlyToken := ait.signedJWT()
+
+			testCase(t, "user2/repo1", repo3OnlyToken, http.StatusOK)        // public user2/repo1
+			testCase(t, "org3/repo3", repo3OnlyToken, http.StatusOK)         // private org3/repo3
+			testCase(t, "user2/repo20", repo3OnlyToken, http.StatusNotFound) // private user2/repo20, outside of fine-grain
+		})
+	})
 }
diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
index ecd7d86073..c8bbaa9b2c 100644
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@@ -850,6 +850,7 @@ func newAITester(t *testing.T, setupAI ...func(*auth.AuthorizedIntegration)) *Au
 				},
 			},
 		},
+		ResourceAllRepos: true,
 	}
 	for _, setup := range setupAI {
 		setup(ait.authorizedIntegration)

From 94ef440a1c01745ad0bb1966df11596477efebd2 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 27 Apr 2026 02:09:29 +0200
Subject: [PATCH 174/287] Lock file maintenance (forgejo) (#12279)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS42IiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12279
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 package-lock.json                  | 298 ++++++++++++++---------------
 web_src/fomantic/package-lock.json |  24 +--
 2 files changed, 161 insertions(+), 161 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 4fa5e76198..aecd83767d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -942,9 +942,9 @@
       }
     },
     "node_modules/@emnapi/core": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
-      "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -954,9 +954,9 @@
       }
     },
     "node_modules/@emnapi/runtime": {
-      "version": "1.9.2",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
-      "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
+      "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
       "dev": true,
       "license": "MIT",
       "optional": true,
@@ -1550,9 +1550,9 @@
       }
     },
     "node_modules/@eslint/eslintrc/node_modules/ajv": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
-      "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
+      "version": "6.15.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz",
+      "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1781,14 +1781,14 @@
       "license": "MIT"
     },
     "node_modules/@iconify/utils": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/@iconify/utils/-/utils-3.1.0.tgz",
-      "integrity": "sha512-Zlzem1ZXhI1iHeeERabLNzBHdOa4VhQbqAcOQaMKuTuyZCpwKbC2R4Dd0Zo3g9EAc+Y4fiarO8HIHRAth7+skw==",
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/@iconify/utils/-/utils-3.1.1.tgz",
+      "integrity": "sha512-MwzoDtw9rO1x+qfgLTV/IVXsHDBqeYZoMIQC8SfxfYSlaSUG+oWiAcoiB1yajAda6mqblm4/1/w2E8tRu7a7Tw==",
       "license": "MIT",
       "dependencies": {
         "@antfu/install-pkg": "^1.1.0",
         "@iconify/types": "^2.0.0",
-        "mlly": "^1.8.0"
+        "mlly": "^1.8.2"
       }
     },
     "node_modules/@img/colour": {
@@ -2891,9 +2891,9 @@
       "license": "MIT"
     },
     "node_modules/@oxc-project/types": {
-      "version": "0.124.0",
-      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.124.0.tgz",
-      "integrity": "sha512-VBFWMTBvHxS11Z5Lvlr3IWgrwhMTXV+Md+EQF0Xf60+wAdsGFTBx7X7K/hP4pi8N7dcm1RvcHwDxZ16Qx8keUg==",
+      "version": "0.127.0",
+      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.127.0.tgz",
+      "integrity": "sha512-aIYXQBo4lCbO4z0R3FHeucQHpF46l2LbMdxRvqvuRuW2OxdnSkcng5B8+K12spgLDj93rtN3+J2Vac/TIO+ciQ==",
       "dev": true,
       "license": "MIT",
       "funding": {
@@ -2954,9 +2954,9 @@
       }
     },
     "node_modules/@rolldown/binding-android-arm64": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.15.tgz",
-      "integrity": "sha512-YYe6aWruPZDtHNpwu7+qAHEMbQ/yRl6atqb/AhznLTnD3UY99Q1jE7ihLSahNWkF4EqRPVC4SiR4O0UkLK02tA==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.17.tgz",
+      "integrity": "sha512-s70pVGhw4zqGeFnXWvAzJDlvxhlRollagdCCKRgOsgUOH3N1l0LIxf83AtGzmb5SiVM4Hjl5HyarMRfdfj3DaQ==",
       "cpu": [
         "arm64"
       ],
@@ -2971,9 +2971,9 @@
       }
     },
     "node_modules/@rolldown/binding-darwin-arm64": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.15.tgz",
-      "integrity": "sha512-oArR/ig8wNTPYsXL+Mzhs0oxhxfuHRfG7Ikw7jXsw8mYOtk71W0OkF2VEVh699pdmzjPQsTjlD1JIOoHkLP1Fg==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.17.tgz",
+      "integrity": "sha512-4ksWc9n0mhlZpZ9PMZgTGjeOPRu8MB1Z3Tz0Mo02eWfWCHMW1zN82Qz/pL/rC+yQa+8ZnutMF0JjJe7PjwasYw==",
       "cpu": [
         "arm64"
       ],
@@ -2988,9 +2988,9 @@
       }
     },
     "node_modules/@rolldown/binding-darwin-x64": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.15.tgz",
-      "integrity": "sha512-YzeVqOqjPYvUbJSWJ4EDL8ahbmsIXQpgL3JVipmN+MX0XnXMeWomLN3Fb+nwCmP/jfyqte5I3XRSm7OfQrbyxw==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.17.tgz",
+      "integrity": "sha512-SUSDOI6WwUVNcWxd02QEBjLdY1VPHvlEkw6T/8nYG322iYWCTxRb1vzk4E+mWWYehTp7ERibq54LSJGjmouOsw==",
       "cpu": [
         "x64"
       ],
@@ -3005,9 +3005,9 @@
       }
     },
     "node_modules/@rolldown/binding-freebsd-x64": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.15.tgz",
-      "integrity": "sha512-9Erhx956jeQ0nNTyif1+QWAXDRD38ZNjr//bSHrt6wDwB+QkAfl2q6Mn1k6OBPerznjRmbM10lgRb1Pli4xZPw==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.17.tgz",
+      "integrity": "sha512-hwnz3nw9dbJ05EDO/PvcjaaewqqDy7Y1rn1UO81l8iIK1GjenME75dl16ajbvSSMfv66WXSRCYKIqfgq2KCfxw==",
       "cpu": [
         "x64"
       ],
@@ -3022,9 +3022,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-arm-gnueabihf": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.15.tgz",
-      "integrity": "sha512-cVwk0w8QbZJGTnP/AHQBs5yNwmpgGYStL88t4UIaqcvYJWBfS0s3oqVLZPwsPU6M0zlW4GqjP0Zq5MnAGwFeGA==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.17.tgz",
+      "integrity": "sha512-IS+W7epTcwANmFSQFrS1SivEXHtl1JtuQA9wlxrZTcNi6mx+FDOYrakGevvvTwgj2JvWiK8B29/qD9BELZPyXQ==",
       "cpu": [
         "arm"
       ],
@@ -3039,9 +3039,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-arm64-gnu": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.15.tgz",
-      "integrity": "sha512-eBZ/u8iAK9SoHGanqe/jrPnY0JvBN6iXbVOsbO38mbz+ZJsaobExAm1Iu+rxa4S1l2FjG0qEZn4Rc6X8n+9M+w==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.17.tgz",
+      "integrity": "sha512-e6usGaHKW5BMNZOymS1UcEYGowQMWcgZ71Z17Sl/h2+ZziNJ1a9n3Zvcz6LdRyIW5572wBCTH/Z+bKuZouGk9Q==",
       "cpu": [
         "arm64"
       ],
@@ -3059,9 +3059,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-arm64-musl": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.15.tgz",
-      "integrity": "sha512-ZvRYMGrAklV9PEkgt4LQM6MjQX2P58HPAuecwYObY2DhS2t35R0I810bKi0wmaYORt6m/2Sm+Z+nFgb0WhXNcQ==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.17.tgz",
+      "integrity": "sha512-b/CgbwAJpmrRLp02RPfhbudf5tZnN9nsPWK82znefso832etkem8H7FSZwxrOI9djcdTP7U6YfNhbRnh7djErg==",
       "cpu": [
         "arm64"
       ],
@@ -3079,9 +3079,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-ppc64-gnu": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.15.tgz",
-      "integrity": "sha512-VDpgGBzgfg5hLg+uBpCLoFG5kVvEyafmfxGUV0UHLcL5irxAK7PKNeC2MwClgk6ZAiNhmo9FLhRYgvMmedLtnQ==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.17.tgz",
+      "integrity": "sha512-4EII1iNGRUN5WwGbF/kOh/EIkoDN9HsupgLQoXfY+D1oyJm7/F4t5PYU5n8SWZgG0FEwakyM8pGgwcBYruGTlA==",
       "cpu": [
         "ppc64"
       ],
@@ -3099,9 +3099,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-s390x-gnu": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.15.tgz",
-      "integrity": "sha512-y1uXY3qQWCzcPgRJATPSOUP4tCemh4uBdY7e3EZbVwCJTY3gLJWnQABgeUetvED+bt1FQ01OeZwvhLS2bpNrAQ==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.17.tgz",
+      "integrity": "sha512-AH8oq3XqQo4IibpVXvPeLDI5pzkpYn0WiZAfT05kFzoJ6tQNzwRdDYQ45M8I/gslbodRZwW8uxLhbSBbkv96rA==",
       "cpu": [
         "s390x"
       ],
@@ -3119,9 +3119,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-x64-gnu": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.15.tgz",
-      "integrity": "sha512-023bTPBod7J3Y/4fzAN6QtpkSABR0rigtrwaP+qSEabUh5zf6ELr9Nc7GujaROuPY3uwdSIXWrvhn1KxOvurWA==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.17.tgz",
+      "integrity": "sha512-cLnjV3xfo7KslbU41Z7z8BH/E1y5mzUYzAqih1d1MDaIGZRCMqTijqLv76/P7fyHuvUcfGsIpqCdddbxLLK9rA==",
       "cpu": [
         "x64"
       ],
@@ -3139,9 +3139,9 @@
       }
     },
     "node_modules/@rolldown/binding-linux-x64-musl": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.15.tgz",
-      "integrity": "sha512-witB2O0/hU4CgfOOKUoeFgQ4GktPi1eEbAhaLAIpgD6+ZnhcPkUtPsoKKHRzmOoWPZue46IThdSgdo4XneOLYw==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.17.tgz",
+      "integrity": "sha512-0phclDw1spsL7dUB37sIARuis2tAgomCJXAHZlpt8PXZ4Ba0dRP1e+66lsRqrfhISeN9bEGNjQs+T/Fbd7oYGw==",
       "cpu": [
         "x64"
       ],
@@ -3159,9 +3159,9 @@
       }
     },
     "node_modules/@rolldown/binding-openharmony-arm64": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.15.tgz",
-      "integrity": "sha512-UCL68NJ0Ud5zRipXZE9dF5PmirzJE4E4BCIOOssEnM7wLDsxjc6Qb0sGDxTNRTP53I6MZpygyCpY8Aa8sPfKPg==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.17.tgz",
+      "integrity": "sha512-0ag/hEgXOwgw4t8QyQvUCxvEg+V0KBcA6YuOx9g0r02MprutRF5dyljgm3EmR02O292UX7UeS6HzWHAl6KgyhA==",
       "cpu": [
         "arm64"
       ],
@@ -3176,9 +3176,9 @@
       }
     },
     "node_modules/@rolldown/binding-wasm32-wasi": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.15.tgz",
-      "integrity": "sha512-ApLruZq/ig+nhaE7OJm4lDjayUnOHVUa77zGeqnqZ9pn0ovdVbbNPerVibLXDmWeUZXjIYIT8V3xkT58Rm9u5Q==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.17.tgz",
+      "integrity": "sha512-LEXei6vo0E5wTGwpkJ4KoT3OZJRnglwldt5ziLzOlc6qqb55z4tWNq2A+PFqCJuvWWdP53CVhG1Z9NtToDPJrA==",
       "cpu": [
         "wasm32"
       ],
@@ -3186,12 +3186,12 @@
       "license": "MIT",
       "optional": true,
       "dependencies": {
-        "@emnapi/core": "1.9.2",
-        "@emnapi/runtime": "1.9.2",
-        "@napi-rs/wasm-runtime": "^1.1.3"
+        "@emnapi/core": "1.10.0",
+        "@emnapi/runtime": "1.10.0",
+        "@napi-rs/wasm-runtime": "^1.1.4"
       },
       "engines": {
-        "node": ">=14.0.0"
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
     "node_modules/@rolldown/binding-wasm32-wasi/node_modules/@napi-rs/wasm-runtime": {
@@ -3214,9 +3214,9 @@
       }
     },
     "node_modules/@rolldown/binding-win32-arm64-msvc": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.15.tgz",
-      "integrity": "sha512-KmoUoU7HnN+Si5YWJigfTws1jz1bKBYDQKdbLspz0UaqjjFkddHsqorgiW1mxcAj88lYUE6NC/zJNwT+SloqtA==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.17.tgz",
+      "integrity": "sha512-gUmyzBl3SPMa6hrqFUth9sVfcLBlYsbMzBx5PlexMroZStgzGqlZ26pYG89rBb45Mnia+oil6YAIFeEWGWhoZA==",
       "cpu": [
         "arm64"
       ],
@@ -3231,9 +3231,9 @@
       }
     },
     "node_modules/@rolldown/binding-win32-x64-msvc": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.15.tgz",
-      "integrity": "sha512-3P2A8L+x75qavWLe/Dll3EYBJLQmtkJN8rfh+U/eR3MqMgL/h98PhYI+JFfXuDPgPeCB7iZAKiqii5vqOvnA0g==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.17.tgz",
+      "integrity": "sha512-3hkiolcUAvPB9FLb3UZdfjVVNWherN1f/skkGWJP/fgSQhYUZpSIRr0/I8ZK9TkF3F7kxvJAk0+IcKvPHk9qQg==",
       "cpu": [
         "x64"
       ],
@@ -5512,9 +5512,9 @@
       }
     },
     "node_modules/ajv": {
-      "version": "8.18.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
-      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz",
+      "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==",
       "license": "MIT",
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
@@ -5877,9 +5877,9 @@
       "license": "MIT"
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.20",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.20.tgz",
-      "integrity": "sha512-1AaXxEPfXT+GvTBJFuy4yXVHWJBXa4OdbIebGN/wX5DlsIkU0+wzGnd2lOzokSk51d5LUmqjgBLRLlypLUqInQ==",
+      "version": "2.10.23",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.23.tgz",
+      "integrity": "sha512-xwVXGqevyKPsiuQdLj+dZMVjidjJV508TBqexND5HrF89cGdCYCJFB3qhcxRHSeMctdCfbR1jrxBajhDy7o29g==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -6126,9 +6126,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001788",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001788.tgz",
-      "integrity": "sha512-6q8HFp+lOQtcf7wBK+uEenxymVWkGKkjFpCvw5W25cmMwEDU45p1xQFBQv8JDlMMry7eNxyBaR+qxgmTUZkIRQ==",
+      "version": "1.0.30001791",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001791.tgz",
+      "integrity": "sha512-yk0l/YSrOnFZk3UROpDLQD9+kC1l4meK/wed583AXrzoarMGJcbRi2Q4RaUYbKxYAsZ8sWmaSa/DsLmdBeI1vQ==",
       "funding": [
         {
           "type": "opencollective",
@@ -7554,9 +7554,9 @@
       }
     },
     "node_modules/dompurify": {
-      "version": "3.4.0",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.0.tgz",
-      "integrity": "sha512-nolgK9JcaUXMSmW+j1yaSvaEaoXYHwWyGJlkoCTghc97KgGDDSnpoU/PlEnw63Ah+TGKFOyY+X5LnxaWbCSfXg==",
+      "version": "3.4.1",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.1.tgz",
+      "integrity": "sha512-JahakDAIg1gyOm7dlgWSDjV4n7Ip2PKR55NIT6jrMfIgLFgWo81vdr1/QGqWtFNRqXP9UV71oVePtjqS2ebnPw==",
       "license": "(MPL-2.0 OR Apache-2.0)",
       "optionalDependencies": {
         "@types/trusted-types": "^2.0.7"
@@ -7675,9 +7675,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.340",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.340.tgz",
-      "integrity": "sha512-908qahOGocRMinT2nM3ajCEM99H4iPdv84eagPP3FfZy/1ZGeOy2CZYzjhms81ckOPCXPlW7LkY4XpxD8r1DrA==",
+      "version": "1.5.344",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.344.tgz",
+      "integrity": "sha512-4MxfbmNDm+KPh066EZy+eUnkcDPcZ35wNmOWzFuh/ijvHsve6kbLTLURy88uCNK5FbpN+yk2nQY6BYh1GEt+wg==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -7697,13 +7697,13 @@
       }
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.20.1",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.1.tgz",
-      "integrity": "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==",
+      "version": "5.21.0",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.21.0.tgz",
+      "integrity": "sha512-otxSQPw4lkOZWkHpB3zaEQs6gWYEsmX4xQF68ElXC/TWvGxGMSGOvoNbaLXm6/cS/fSfHtsEdw90y20PCd+sCA==",
       "license": "MIT",
       "dependencies": {
         "graceful-fs": "^4.2.4",
-        "tapable": "^2.3.0"
+        "tapable": "^2.3.3"
       },
       "engines": {
         "node": ">=10.13.0"
@@ -7863,9 +7863,9 @@
       }
     },
     "node_modules/es-module-lexer": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-2.0.0.tgz",
-      "integrity": "sha512-5POEcUuZybH7IdmGsD8wlf0AI55wMecM9rVBTI/qEAy2c1kTOm3DjFYjrBdI2K3BaJjJYfYFeRtM0t9ssnRuxw==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-2.1.0.tgz",
+      "integrity": "sha512-n27zTYMjYu1aj4MjCWzSP7G9r75utsaoc8m61weK+W8JMBGGQybd43GstCXZ3WNmSFtGT9wi59qQTW6mhTR5LQ==",
       "license": "MIT"
     },
     "node_modules/es-object-atoms": {
@@ -8493,9 +8493,9 @@
       "license": "MIT"
     },
     "node_modules/eslint/node_modules/ajv": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz",
-      "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==",
+      "version": "6.15.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz",
+      "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -10662,9 +10662,9 @@
       "license": "MIT"
     },
     "node_modules/jsonfile": {
-      "version": "6.2.0",
-      "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-6.2.0.tgz",
-      "integrity": "sha512-FGuPw30AdOIUTRMC2OMRtQV+jkVj2cfPqSeWXv1NEAJ1qZ5zb1X6z1mFhbfOB/iy3ssJCD+3KuZ8r8C3uVFlAg==",
+      "version": "6.2.1",
+      "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-6.2.1.tgz",
+      "integrity": "sha512-zwOTdL3rFQ/lRdBnntKVOX6k5cKJwEc1HdilT71BWEu7J41gXIB2MRp+vxduPSwZJPWBxEzv4yH1wYLJGUHX4Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -11192,9 +11192,9 @@
       }
     },
     "node_modules/loader-runner": {
-      "version": "4.3.1",
-      "resolved": "https://registry.npmjs.org/loader-runner/-/loader-runner-4.3.1.tgz",
-      "integrity": "sha512-IWqP2SCPhyVFTBtRcgMHdzlf9ul25NwaFx4wCEH/KjAXuuHY4yNjvPXsBokp8jCB936PyWRaPKUNh8NvylLp2Q==",
+      "version": "4.3.2",
+      "resolved": "https://registry.npmjs.org/loader-runner/-/loader-runner-4.3.2.tgz",
+      "integrity": "sha512-DFEqQ3ihfS9blba08cLfYf1NRAIEm+dDjic073DRDc3/JspI/8wYmtDsHwd3+4hwvdxSK7PGaElfTmm0awWJ4w==",
       "license": "MIT",
       "engines": {
         "node": ">=6.11.5"
@@ -12361,9 +12361,9 @@
       }
     },
     "node_modules/node-releases": {
-      "version": "2.0.37",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.37.tgz",
-      "integrity": "sha512-1h5gKZCF+pO/o3Iqt5Jp7wc9rH3eJJ0+nh/CIoiRwjRxde/hAHyLPXYN4V3CqKAbiZPSeJFSWHmJsbkicta0Eg==",
+      "version": "2.0.38",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.38.tgz",
+      "integrity": "sha512-3qT/88Y3FbH/Kx4szpQQ4HzUbVrHPKTLVpVocKiLfoYvw9XSGOX2FmD2d6DrXbVYyAQTF2HeF6My8jmzx7/CRw==",
       "license": "MIT"
     },
     "node_modules/node-sarif-builder": {
@@ -13440,9 +13440,9 @@
       }
     },
     "node_modules/qified/node_modules/hookified": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/hookified/-/hookified-2.1.1.tgz",
-      "integrity": "sha512-AHb76R16GB5EsPBE2J7Ko5kiEyXwviB9P5SMrAKcuAu4vJPZttViAbj9+tZeaQE5zjDme+1vcHP78Yj/WoAveA==",
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/hookified/-/hookified-2.2.0.tgz",
+      "integrity": "sha512-p/LgFzRN5FeoD3DLS6bkUapeye6E4SI6yJs6KetENd18S+FBthqYq2amJUWpt5z0EQwwHemidjY5OqJGEKm5uA==",
       "dev": true,
       "license": "MIT"
     },
@@ -13800,14 +13800,14 @@
       "license": "Unlicense"
     },
     "node_modules/rolldown": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.15.tgz",
-      "integrity": "sha512-Ff31guA5zT6WjnGp0SXw76X6hzGRk/OQq2hE+1lcDe+lJdHSgnSX6nK3erbONHyCbpSj9a9E+uX/OvytZoWp2g==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.17.tgz",
+      "integrity": "sha512-ZrT53oAKrtA4+YtBWPQbtPOxIbVDbxT0orcYERKd63VJTF13zPcgXTvD4843L8pcsI7M6MErt8QtON6lrB9tyA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@oxc-project/types": "=0.124.0",
-        "@rolldown/pluginutils": "1.0.0-rc.15"
+        "@oxc-project/types": "=0.127.0",
+        "@rolldown/pluginutils": "1.0.0-rc.17"
       },
       "bin": {
         "rolldown": "bin/cli.mjs"
@@ -13816,27 +13816,27 @@
         "node": "^20.19.0 || >=22.12.0"
       },
       "optionalDependencies": {
-        "@rolldown/binding-android-arm64": "1.0.0-rc.15",
-        "@rolldown/binding-darwin-arm64": "1.0.0-rc.15",
-        "@rolldown/binding-darwin-x64": "1.0.0-rc.15",
-        "@rolldown/binding-freebsd-x64": "1.0.0-rc.15",
-        "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.15",
-        "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.15",
-        "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.15",
-        "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.15",
-        "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.15",
-        "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.15",
-        "@rolldown/binding-linux-x64-musl": "1.0.0-rc.15",
-        "@rolldown/binding-openharmony-arm64": "1.0.0-rc.15",
-        "@rolldown/binding-wasm32-wasi": "1.0.0-rc.15",
-        "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.15",
-        "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.15"
+        "@rolldown/binding-android-arm64": "1.0.0-rc.17",
+        "@rolldown/binding-darwin-arm64": "1.0.0-rc.17",
+        "@rolldown/binding-darwin-x64": "1.0.0-rc.17",
+        "@rolldown/binding-freebsd-x64": "1.0.0-rc.17",
+        "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.17",
+        "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.17",
+        "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.17",
+        "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.17",
+        "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.17",
+        "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.17",
+        "@rolldown/binding-linux-x64-musl": "1.0.0-rc.17",
+        "@rolldown/binding-openharmony-arm64": "1.0.0-rc.17",
+        "@rolldown/binding-wasm32-wasi": "1.0.0-rc.17",
+        "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.17",
+        "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.17"
       }
     },
     "node_modules/rolldown/node_modules/@rolldown/pluginutils": {
-      "version": "1.0.0-rc.15",
-      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.15.tgz",
-      "integrity": "sha512-UromN0peaE53IaBRe9W7CjrZgXl90fqGpK+mIZbA3qSTeYqg3pqpROBdIPvOG3F5ereDHNwoHBI2e50n1BDr1g==",
+      "version": "1.0.0-rc.17",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.17.tgz",
+      "integrity": "sha512-n8iosDOt6Ig1UhJ2AYqoIhHWh/isz0xpicHTzpKBeotdVsTEcxsSA/i3EVM7gQAj0rU27OLAxCjzlj15IWY7bg==",
       "dev": true,
       "license": "MIT"
     },
@@ -13924,15 +13924,15 @@
       "license": "BSD-3-Clause"
     },
     "node_modules/safe-array-concat": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/safe-array-concat/-/safe-array-concat-1.1.3.tgz",
-      "integrity": "sha512-AURm5f0jYEOydBj7VQlVvDrjeFgthDdEF5H1dP+6mNpoXOMo1quQqJ4wvJDyRZ9+pO3kGWoOdmV08cSv2aJV6Q==",
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/safe-array-concat/-/safe-array-concat-1.1.4.tgz",
+      "integrity": "sha512-wtZlHyOje6OZTGqAoaDKxFkgRtkF9CnHAVnCHKfuj200wAgL+bSJhdsCD2l0Qx/2ekEXjPWcyKkfGb5CPboslg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "call-bind": "^1.0.8",
-        "call-bound": "^1.0.2",
-        "get-intrinsic": "^1.2.6",
+        "call-bind": "^1.0.9",
+        "call-bound": "^1.0.4",
+        "get-intrinsic": "^1.3.0",
         "has-symbols": "^1.1.0",
         "isarray": "^2.0.5"
       },
@@ -15149,9 +15149,9 @@
       }
     },
     "node_modules/tapable": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.2.tgz",
-      "integrity": "sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==",
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.3.tgz",
+      "integrity": "sha512-uxc/zpqFg6x7C8vOE7lh6Lbda8eEL9zmVm/PLeTPBRhh1xCgdWaQ+J1CUieGpIfm2HdtsUpRv+HshiasBMcc6A==",
       "license": "MIT",
       "engines": {
         "node": ">=6"
@@ -15162,9 +15162,9 @@
       }
     },
     "node_modules/terser": {
-      "version": "5.46.1",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-5.46.1.tgz",
-      "integrity": "sha512-vzCjQO/rgUuK9sf8VJZvjqiqiHFaZLnOiimmUuOKODxWL8mm/xua7viT7aqX7dgPY60otQjUotzFMmCB4VdmqQ==",
+      "version": "5.46.2",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-5.46.2.tgz",
+      "integrity": "sha512-uxfo9fPcSgLDYob/w1FuL0c99MWiJDnv+5qXSQc5+Ki5NjVNsYi66INnMFBjf6uFz6OnX12piJQPF4IpjJTNTw==",
       "license": "BSD-2-Clause",
       "dependencies": {
         "@jridgewell/source-map": "^0.3.3",
@@ -15180,9 +15180,9 @@
       }
     },
     "node_modules/terser-webpack-plugin": {
-      "version": "5.4.0",
-      "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.4.0.tgz",
-      "integrity": "sha512-Bn5vxm48flOIfkdl5CaD2+1CiUVbonWQ3KQPyP7/EuIl9Gbzq/gQFOzaMFUEgVjB1396tcK0SG8XcNJ/2kDH8g==",
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/terser-webpack-plugin/-/terser-webpack-plugin-5.5.0.tgz",
+      "integrity": "sha512-UYhptBwhWvfIjKd/UuFo6D8uq9xpGLDK+z8EDsj/zWhrTaH34cKEbrkMKfV5YWqGBvAYA3tlzZbs2R+qYrbQJA==",
       "license": "MIT",
       "dependencies": {
         "@jridgewell/trace-mapping": "^0.3.25",
@@ -15780,17 +15780,17 @@
       "license": "MIT"
     },
     "node_modules/vite": {
-      "version": "8.0.8",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.8.tgz",
-      "integrity": "sha512-dbU7/iLVa8KZALJyLOBOQ88nOXtNG8vxKuOT4I2mD+Ya70KPceF4IAmDsmU0h1Qsn5bPrvsY9HJstCRh3hG6Uw==",
+      "version": "8.0.10",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.10.tgz",
+      "integrity": "sha512-rZuUu9j6J5uotLDs+cAA4O5H4K1SfPliUlQwqa6YEwSrWDZzP4rhm00oJR5snMewjxF5V/K3D4kctsUTsIU9Mw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "lightningcss": "^1.32.0",
         "picomatch": "^4.0.4",
-        "postcss": "^8.5.8",
-        "rolldown": "1.0.0-rc.15",
-        "tinyglobby": "^0.2.15"
+        "postcss": "^8.5.10",
+        "rolldown": "1.0.0-rc.17",
+        "tinyglobby": "^0.2.16"
       },
       "bin": {
         "vite": "bin/vite.js"
@@ -16283,9 +16283,9 @@
       }
     },
     "node_modules/webpack-sources": {
-      "version": "3.3.4",
-      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.3.4.tgz",
-      "integrity": "sha512-7tP1PdV4vF+lYPnkMR0jMY5/la2ub5Fc/8VQrrU+lXkiM6C4TjVfGw7iKfyhnTQOsD+6Q/iKw0eFciziRgD58Q==",
+      "version": "3.4.0",
+      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.4.0.tgz",
+      "integrity": "sha512-gHwIe1cgBvvfLeu1Yz/dcFpmHfKDVxxyqI+kzqmuxZED81z2ChxpyqPaWcNqigPywhaEke7AjSGga+kxY55gjQ==",
       "license": "MIT",
       "engines": {
         "node": ">=10.13.0"
diff --git a/web_src/fomantic/package-lock.json b/web_src/fomantic/package-lock.json
index 9d6477ee33..5aee001936 100644
--- a/web_src/fomantic/package-lock.json
+++ b/web_src/fomantic/package-lock.json
@@ -1032,9 +1032,9 @@
       }
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.20",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.20.tgz",
-      "integrity": "sha512-1AaXxEPfXT+GvTBJFuy4yXVHWJBXa4OdbIebGN/wX5DlsIkU0+wzGnd2lOzokSk51d5LUmqjgBLRLlypLUqInQ==",
+      "version": "2.10.23",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.23.tgz",
+      "integrity": "sha512-xwVXGqevyKPsiuQdLj+dZMVjidjJV508TBqexND5HrF89cGdCYCJFB3qhcxRHSeMctdCfbR1jrxBajhDy7o29g==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -1264,9 +1264,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001788",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001788.tgz",
-      "integrity": "sha512-6q8HFp+lOQtcf7wBK+uEenxymVWkGKkjFpCvw5W25cmMwEDU45p1xQFBQv8JDlMMry7eNxyBaR+qxgmTUZkIRQ==",
+      "version": "1.0.30001791",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001791.tgz",
+      "integrity": "sha512-yk0l/YSrOnFZk3UROpDLQD9+kC1l4meK/wed583AXrzoarMGJcbRi2Q4RaUYbKxYAsZ8sWmaSa/DsLmdBeI1vQ==",
       "funding": [
         {
           "type": "opencollective",
@@ -2020,9 +2020,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.340",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.340.tgz",
-      "integrity": "sha512-908qahOGocRMinT2nM3ajCEM99H4iPdv84eagPP3FfZy/1ZGeOy2CZYzjhms81ckOPCXPlW7LkY4XpxD8r1DrA==",
+      "version": "1.5.344",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.344.tgz",
+      "integrity": "sha512-4MxfbmNDm+KPh066EZy+eUnkcDPcZ35wNmOWzFuh/ijvHsve6kbLTLURy88uCNK5FbpN+yk2nQY6BYh1GEt+wg==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -6013,9 +6013,9 @@
       }
     },
     "node_modules/node-releases": {
-      "version": "2.0.37",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.37.tgz",
-      "integrity": "sha512-1h5gKZCF+pO/o3Iqt5Jp7wc9rH3eJJ0+nh/CIoiRwjRxde/hAHyLPXYN4V3CqKAbiZPSeJFSWHmJsbkicta0Eg==",
+      "version": "2.0.38",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.38.tgz",
+      "integrity": "sha512-3qT/88Y3FbH/Kx4szpQQ4HzUbVrHPKTLVpVocKiLfoYvw9XSGOX2FmD2d6DrXbVYyAQTF2HeF6My8jmzx7/CRw==",
       "license": "MIT"
     },
     "node_modules/node.extend": {

From 5e5ad79d10f1a52a426db30f799f4239afbad637 Mon Sep 17 00:00:00 2001
From: Codeberg Translate <translate@codeberg.org>
Date: Mon, 27 Apr 2026 11:17:47 +0000
Subject: [PATCH 175/287] i18n: update of translations from Codeberg Translate

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: AshyPinguin <ashypinguin@noreply.codeberg.org>
Co-authored-by: Benedikt Straub <benedikt-straub@web.de>
Co-authored-by: Codeberg Translate <translate@codeberg.org>
Co-authored-by: Fjuro <fjuro@noreply.codeberg.org>
Co-authored-by: Goudarz Jafari <goudarz.jafari@gmail.com>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: Lauri Lepik <laurilepik@noreply.codeberg.org>
Co-authored-by: Lzebulon <lzebulon@noreply.codeberg.org>
Co-authored-by: PatoFlamejanteTV <patoflamejantetv@noreply.codeberg.org>
Co-authored-by: SomeTr <sometr@noreply.codeberg.org>
Co-authored-by: TAGerritsen <tagerritsen@noreply.codeberg.org>
Co-authored-by: Tamil <tamil@noreply.codeberg.org>
Co-authored-by: Wuzzy <wuzzy@disroot.org>
Co-authored-by: arifpedia <arifpedia@gmail.com>
Co-authored-by: artnay <artnay@noreply.codeberg.org>
Co-authored-by: augustd <augustd@noreply.codeberg.org>
Co-authored-by: fserrador <fserrador@noreply.codeberg.org>
Co-authored-by: gallegonovato <gallegonovato@noreply.codeberg.org>
Co-authored-by: mahlzahn <mahlzahn@posteo.de>
Co-authored-by: rdeavila <rdeavila@noreply.codeberg.org>
Co-authored-by: universish <universish@noreply.codeberg.org>
Co-authored-by: vmtj <vmtj@noreply.codeberg.org>
Co-authored-by: xtex <xtexchooser@duck.com>
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/ca/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/cs/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/de/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/es/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/et/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/fr/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/id/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/mk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/nds/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/nl/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/pt_BR/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/ru/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/ta/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/tr/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/uk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo-next/zh_Hans/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/es/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/et/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/fa/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/fi/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/fr/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/id/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/mk/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/nl/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/pt_BR/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/ru/
Translate-URL: https://translate.codeberg.org/projects/forgejo/forgejo/ta/
Translation: Forgejo/forgejo
Translation: Forgejo/forgejo-next
---
 options/locale/locale_es-ES.ini       |  194 +-
 options/locale/locale_et.ini          |    3 +-
 options/locale/locale_fa-IR.ini       |    2 +-
 options/locale/locale_fi-FI.ini       |    2 +-
 options/locale/locale_fr-FR.ini       |    2 +-
 options/locale/locale_id-ID.ini       | 2779 ++++++++++++++++++++++---
 options/locale/locale_mk.ini          |   10 +-
 options/locale/locale_nl-NL.ini       |    2 +-
 options/locale/locale_pt-BR.ini       |    8 +-
 options/locale/locale_ru-RU.ini       |    2 +-
 options/locale/locale_ta.ini          |    6 +-
 options/locale_next/locale_bg.json    |    3 -
 options/locale_next/locale_ca.json    |  155 +-
 options/locale_next/locale_cs-CZ.json |    9 +-
 options/locale_next/locale_de-DE.json |   11 +-
 options/locale_next/locale_el-GR.json |    3 -
 options/locale_next/locale_es-ES.json |  133 +-
 options/locale_next/locale_et.json    |   16 +-
 options/locale_next/locale_fil.json   |    3 -
 options/locale_next/locale_fr-FR.json |    9 +-
 options/locale_next/locale_ga.json    |    3 -
 options/locale_next/locale_id-ID.json |  437 +++-
 options/locale_next/locale_kab.json   |    2 -
 options/locale_next/locale_mk.json    |   66 +-
 options/locale_next/locale_nds.json   |    9 +-
 options/locale_next/locale_nl-NL.json |   31 +-
 options/locale_next/locale_pt-BR.json |   45 +-
 options/locale_next/locale_pt-PT.json |    3 -
 options/locale_next/locale_ru-RU.json |   34 +-
 options/locale_next/locale_sv-SE.json |    3 -
 options/locale_next/locale_ta.json    |    2 +-
 options/locale_next/locale_tr-TR.json |  386 +++-
 options/locale_next/locale_uk-UA.json |   19 +-
 options/locale_next/locale_zh-CN.json |   52 +-
 34 files changed, 3880 insertions(+), 564 deletions(-)

diff --git a/options/locale/locale_es-ES.ini b/options/locale/locale_es-ES.ini
index 5fb0a270eb..0d37055fea 100644
--- a/options/locale/locale_es-ES.ini
+++ b/options/locale/locale_es-ES.ini
@@ -80,9 +80,9 @@ rerun_all=Volver a ejecutar todos los trabajos
 save=Guardar
 add=Añadir
 add_all=Añadir todos
-remove=Eliminar
-remove_all=Eliminar todos
-remove_label_str=`Eliminar elemento "%s"`
+remove=Retirar
+remove_all=Retirar todos
+remove_label_str=`Retirar elemento "%s"`
 edit=Editar
 
 enabled=Activo
@@ -103,7 +103,7 @@ preview=Vista previa
 loading=Cargando…
 
 error=Error
-error404=La página a la que está intentando acceder <strong>no existe</strong>,<strong>ha sido eliminada</strong> o <strong>no está autorizado</strong> a verla.
+error404=La página a la que está intentando acceder <strong>no existe</strong>,<strong>ha sido retirada</strong> o <strong>no está autorizado</strong> a verla.
 go_back=Volver
 
 never=Nunca
@@ -202,7 +202,7 @@ table_modal.placeholder.content = Contenido
 link_modal.header = Añadir enlace
 link_modal.description = Descripción
 link_modal.paste_reminder = Pista: Con una URL en tu portapapeles, puedes pegar directamente en el editor para crear un enlace.
-link_modal.url = URL
+link_modal.url = Url
 
 [filter]
 string.asc=A - Z
@@ -384,8 +384,8 @@ manual_activation_only=Póngase en contacto con el administrador del sitio para
 remember_me=Recordar este dispositivo
 forgot_password_title=Contraseña olvidada
 forgot_password=¿Has olvidado tu contraseña?
-sign_up_successful=La cuenta se ha creado correctamente. ¡Le damos la bienvenida!
-confirmation_mail_sent_prompt=Se ha enviado un nuevo correo de confirmación a <b>%s</b>. Para completar el proceso de registro, revisa tu bandeja de entrada y sigue el enlace proporcionado dentro de los próximos %s. Si la dirección no es correcto, puedes iniciar sesión y solicitar otro correo de confirmación para ser enviado a una dirección diferente.
+sign_up_successful=La cuenta se ha creado correctamente. ¡Bienvenido!
+confirmation_mail_sent_prompt=Se ha enviado un nuevo correo electrónico de confirmación a <b>%s</b>. Para completar el registro, comprueba tu bandeja de entrada y sigue el enlace que aparece en el correo en un plazo de: %s. Si la dirección de correo electrónico no es correcta, puedes iniciar sesión y solicitar que se envíe otro correo electrónico de confirmación a otra dirección.
 must_change_password=Actualizar su contraseña
 allow_password_change=Obligar al usuario a cambiar la contraseña (recomendado)
 reset_password_mail_sent_prompt=Se ha enviado un correo de confirmación a <b>%s</b>. Para completar el proceso de recuperación de la cuenta, consulta tu bandeja de entrada y sigue el enlace proporcionado dentro de los próximos %s.
@@ -442,7 +442,7 @@ password_pwned_err=No se pudo completar la solicitud a HaveIBeenPwned
 change_unconfirmed_email = Si has proporcionado una dirección de correo electrónico errónea durante el registro, la puedes cambiar debajo y se enviará una confirmación a la nueva dirección.
 change_unconfirmed_email_error = No es posible cambiar la dirección de correo electrónico: %v
 change_unconfirmed_email_summary = Cambia la dirección de correo electrónico a quien se envía el correo de activación.
-last_admin = No puedes eliminar al último admin (administrador). Debe haber, al menos, un admin.
+last_admin = No puedes retirar el último admin (administrador). Debe haber, al menos, un admin.
 sign_up_button = Regístrate ahora.
 hint_login = ¿Ya tienes cuenta? <a href="%s">¡Ingresa ahora!</a>
 hint_register = ¿Necesitas una cuenta? <a href="%s">Regístrate ahora.</a>
@@ -516,7 +516,7 @@ admin.new_user.subject = Se acaba de registrar el nuevo usuario %s
 admin.new_user.user_info = Información del usuario
 admin.new_user.text = Por favor, <a href="%s">pulsa aquí</a> para gestionar este usuario desde el panel de administración.
 account_security_caution.text_1 = Si fuiste tú, puedes ignorar este correo.
-removed_security_key.subject = Se ha eliminado una clave de seguridad
+removed_security_key.subject = Se ha retirado una clave de seguridad
 removed_security_key.no_2fa = Ya no hay otros métodos 2FA configurados, lo que significa que ya no es necesario iniciar sesión en tu cuenta con 2FA.
 password_change.subject = Tu contraseña ha sido modificada
 password_change.text_1 = La contraseña de tu cuenta acaba de ser modificada.
@@ -527,7 +527,7 @@ totp_disabled.no_2fa = Ya no hay otros métodos 2FA configurados, lo que signifi
 account_security_caution.text_2 = Si no fuiste tú, tu cuenta está comprometida. Ponte en contacto con los administradores de este sitio.
 totp_enrolled.subject = Has activado TOTP como método 2FA
 totp_enrolled.text_1.no_webauthn = Acabas de activar TOTP para tu cuenta. Esto significa que para todos los futuros inicios de sesión en tu cuenta, debes utilizar TOTP como método 2FA.
-removed_security_key.text_1 = La clave de seguridad "%[1]s" acaba de ser eliminada de tu cuenta.
+removed_security_key.text_1 = La clave de seguridad "%[1]s" acaba de ser retirada de tu cuenta.
 primary_mail_change.text_1 = El correo principal de su cuenta acaba de cambiar a %[1]s. Esto significa que esta dirección de correo electrónico ya no recibirá notificaciones por correo electrónico de su cuenta.
 totp_enrolled.text_1.has_webauthn = Acabas de activar TOTP para tu cuenta. Esto significa que para todos los futuros inicios de sesión en tu cuenta, podrás utilizar TOTP como método 2FA o bien utilizar cualquiera de tus claves de seguridad.
 
@@ -603,7 +603,7 @@ enterred_invalid_owner_name=El nuevo nombre de usuario no es válido.
 enterred_invalid_password=La contraseña que ha introducido es incorrecta.
 user_not_exist=Este usuario no existe.
 team_not_exist=Este equipo no existe.
-last_org_owner=No puedes eliminar al último usuario del equipo de "propietarios". Todas las organizaciones deben tener al menos un propietario.
+last_org_owner=No puedes retirar el último usuario del equipo de "propietarios". Todas las organizaciones deben tener al menos un propietario.
 cannot_add_org_to_team=Una organización no puede ser añadida como miembro de un equipo.
 duplicate_invite_to_team=El usuario ya fue invitado como miembro del equipo.
 organization_leave_success=Ha abandonado correctamente la organización %s.
@@ -622,7 +622,7 @@ org_still_own_repo=Esta organización todavía posee uno o más repositorios, el
 org_still_own_packages=Esta organización todavía posee uno o más paquetes, elimínalos primero.
 
 target_branch_not_exist=La rama de destino no existe.
-admin_cannot_delete_self = No puedes eliminarte a ti mismo cuando eres un admin (administrador). Por favor, elimina primero tus privilegios de administrador.
+admin_cannot_delete_self = No puedes eliminarte a ti mismo cuando eres un admin (administrador). Por favor, primero retire los privilegios de administrador.
 username_error_no_dots = ` solo puede contener carácteres alfanuméricos ("0-9","a-z","A-Z"), guiones ("-"), y guiones bajos ("_"). No puede empezar o terminar con carácteres no alfanuméricos y también están prohibidos los carácteres no alfanuméricos consecutivos.`
 unsupported_login_type = No se admite el tipo de inicio de sesión para eliminar la cuenta.
 required_prefix = La entrada debe empezar por "%s"
@@ -738,7 +738,7 @@ comment_type_group_review_request=Revisión solicitada
 comment_type_group_pull_request_push=Confirmaciones añadidas
 comment_type_group_project=Proyecto
 comment_type_group_issue_ref=Referencia del incidente
-saved_successfully=Su configuración se ha guardado correctamente.
+saved_successfully=Tu configuración se guardó correctamente.
 privacy=Privacidad
 keep_activity_private=Ocultar actividad de la página de perfil
 lookup_avatar_by_mail=Buscar avatar por dirección de correo electrónico
@@ -772,8 +772,8 @@ activate_email=Enviar activación
 activations_pending=Activaciones pendientes
 can_not_add_email_activations_pending=Hay una activación pendiente, inténtelo de nuevo en unos minutos si desea agregar un nuevo correo electrónico.
 delete_email=Eliminar
-email_deletion=Eliminar dirección de correo electrónico
-email_deletion_desc=Esta dirección de correo electrónico y la información relacionada se eliminará de su cuenta. Las confirmaciones de Git hechas por esta dirección de correo electrónico permanecerán intactas. ¿Desea Continuar?
+email_deletion=Retirar dirección de correo-e
+email_deletion_desc=Esta dirección de correo electrónico y la información relacionada se retirará de su cuenta. Las confirmaciones de Git hechas por esta dirección de correo electrónico permanecerán intactas. ¿Desea Continuar?
 email_deletion_success=La dirección de correo electrónico ha sido eliminada.
 theme_update_success=Su tema fue actualizado.
 theme_update_error=El tema seleccionado no existe.
@@ -840,8 +840,8 @@ add_key_success=La clave SSH "%s" ha sido añadida.
 add_gpg_key_success=La clave GPG "%s" ha sido añadida.
 add_principal_success=El certificado SSH principal "%s" ha sido añadido.
 delete_key=Eliminar
-ssh_key_deletion=Eliminar clave SSH
-gpg_key_deletion=Eliminar clave GPG
+ssh_key_deletion=Retirar clave SSH
+gpg_key_deletion=Retirar clave GPG
 ssh_principal_deletion=Eliminar principal de certificado SSH
 ssh_key_deletion_desc=Eliminando una clave SSH se revoca su acceso a su cuenta. ¿Continuar?
 gpg_key_deletion_desc=Eliminando una clave GPG se des-verifican los commits firmados con ella. ¿Continuar?
@@ -2365,7 +2365,7 @@ settings.matrix.room_id=ID de sala
 settings.matrix.message_type=Tipo de mensaje
 settings.archive.button=Archivar repositorio
 settings.archive.header=Archivar este repositorio
-settings.archive.text=Archivar el repositorio lo hará de sólo lectura. Se ocultará del tablero. Nadie (¡ni siquiera tú!) será capaz de hacer nuevas confirmaciones, o abrir nuevas incidencias o solicitudes de incorporación de cambios.
+settings.archive.text=Archivar el repositorio lo hará de sólo lectura. Se ocultará del tablero. Nadie (¡ni siquiera tú!) será capaz de hacer nuevas confirmaciones, o abrir nuevas incidencias o solicitudes de incorporación de cambios. Se recomienda documentar el motivo del archivado para orientar a futuros desarrolladores que planeen bifurcar el repositorio.
 settings.archive.success=El repositorio ha sido archivado exitosamente.
 settings.archive.error=Ha ocurrido un error al intentar archivar el repositorio. Vea el registro para más detalles.
 settings.archive.error_ismirror=No puede archivar un repositorio replicado.
@@ -2742,6 +2742,7 @@ settings.enforce_on_admins = Aplicar esta regla para los administradores del rep
 settings.matrix.access_token_helper = Se recomienda configurar una cuenta de Matrix dedicada para esto. El token de acceso puede ser obtenido desde el cliente web Element (en una pestaña privada/incógnito) > Menú de usuario (arriba izquierda) > Todos los ajustes > Ayuda & Acerca de > Avanzado > Token de acceso (a la derecha, debajo de URL del servidor). Cierra la pestaña privada/incógnito (desconectarse invalidaría el token).
 settings.archive.mirrors_unavailable = Los espejos no están disponibles en repos archivados.
 release.summary_card_alt = Tarjeta de resumen de una release titulada "%s" en el repositorio %s
+settings.matrix.room_id_helper = El ID de Sala puede ser obtenido desde el cliente web Element > Ajustes de Sala > Avanzado > ID de sala interna. Ejemplo: %s.
 
 [graphs]
 component_loading = Cargando %s…
@@ -2789,7 +2790,7 @@ settings.permission=Permisos
 settings.repoadminchangeteam=El administrador del repositorio puede añadir y eliminar el acceso a equipos
 settings.visibility=Visibilidad
 settings.visibility.public=Público
-settings.visibility.limited=Limitado (visible solo para usuarios autenticados)
+settings.visibility.limited=Limitado (visible solo para usuarios accedidos)
 settings.visibility.limited_shortname=Limitado
 settings.visibility.private=Privado (Visible sólo para miembros de la organización)
 settings.visibility.private_shortname=Privado
@@ -2968,7 +2969,7 @@ dashboard.update_checker=Buscador de actualizaciones
 dashboard.delete_old_system_notices=Borrar todos los avisos antiguos del sistema de la base de datos
 dashboard.gc_lfs=Recoger basura meta-objetos LFS
 dashboard.stop_zombie_tasks=Detener tareas zombie
-dashboard.stop_endless_tasks=Detener tareas interminables
+dashboard.stop_endless_tasks=Detiene tareas de acciones interminables
 dashboard.cancel_abandoned_jobs=Cancelar trabajos abandonados
 dashboard.start_schedule_tasks=Iniciar tareas programadas
 dashboard.sync_branch.started=Inició la sincronización de ramas
@@ -3098,16 +3099,16 @@ auths.host=Servidor
 auths.port=Puerto
 auths.bind_dn=Bind DN
 auths.bind_password=Contraseña Bind
-auths.user_base=Base de búsqueda de usuarios
+auths.user_base=Base de búsqueda del usuario
 auths.user_dn=DN de Usuario
 auths.attribute_username=Atributo nombre de usuario
 auths.attribute_username_placeholder=Dejar vacío para usar el nombre de usuario introducido en Forgejo.
 auths.attribute_name=Atributo nombre
 auths.attribute_surname=Atributo apellido
-auths.attribute_mail=Atributo correo electrónico
-auths.attribute_ssh_public_key=Atributo Clave Pública SSH
-auths.attribute_avatar=Atributo del avatar
-auths.attributes_in_bind=Obtener atributos en el contexto de Bind DN
+auths.attribute_mail=Atributo correo-e
+auths.attribute_ssh_public_key=Atributo clave pública SSH
+auths.attribute_avatar=Atributo avatar
+auths.attributes_in_bind=Obtiene atributos en el contexto de bind DN
 auths.allow_deactivate_all=Permitir un resultado de búsqueda vacío para desactivar todos los usuarios
 auths.use_paged_search=Usar búsqueda paginada
 auths.search_page_size=Tamaño de página
@@ -3195,19 +3196,19 @@ config.app_name=Título de la instancia
 config.app_ver=Versión de Forgejo
 config.app_url=URL base
 config.custom_conf=Ruta del fichero de configuración
-config.custom_file_root_path=Ruta raíz de los archivos personalizada
-config.domain=Dominio del Servidor
-config.offline_mode=Modo offline
-config.disable_router_log=Deshabilitar Log del Router
-config.run_user=Ejecutar como usuario
+config.custom_file_root_path=Ruta raíz del archivo personalizado
+config.domain=Dominio del servidor
+config.offline_mode=Modo local
+config.disable_router_log=Inhabilitar bitácora de enrutado
+config.run_user=Usuario a ejecutar como
 config.run_mode=Modo de ejecución
 config.git_version=Versión de Git
-config.app_data_path=Ruta de datos de Forgejo
-config.repo_root_path=Ruta del Repositorio
+config.app_data_path=Ruta de datos de App
+config.repo_root_path=Ruta del repositorio raíz
 config.lfs_root_path=Ruta raíz de LFS
-config.log_file_root_path=Ruta de ficheros de registro
-config.script_type=Tipo de Script
-config.reverse_auth_user=Autenticación Inversa de Usuario
+config.log_file_root_path=Ruta bitácora
+config.script_type=Tipo de guion
+config.reverse_auth_user=Autenticación inversa de proxy del usuario
 
 config.ssh_config=Configuración SSH
 config.ssh_enabled=Habilitado
@@ -3217,16 +3218,16 @@ config.ssh_port=Puerto
 config.ssh_listen_port=Puerto de escucha
 config.ssh_root_path=Ruta raíz
 config.ssh_key_test_path=Ruta de la clave de prueba
-config.ssh_keygen_path=Ruta del generador de claves ('ssh-keygen')
-config.ssh_minimum_key_size_check=Tamaño mínimo de la clave de verificación
+config.ssh_keygen_path=Ruta del generador de claves ("ssh-keygen")
+config.ssh_minimum_key_size_check=Comprobante de tamaño de clave mínimo
 config.ssh_minimum_key_sizes=Tamaños de clave mínimos
 
 config.lfs_config=Configuración LFS
 config.lfs_enabled=Habilitado
 config.lfs_content_path=Ruta de contenido LFS
-config.lfs_http_auth_expiry=Caducidad de la autentificación HTTP LFS
+config.lfs_http_auth_expiry=Caducidad de la autenticación HTTP LFS
 
-config.db_config=Configuración de la Base de Datos
+config.db_config=Configuración de base de datos
 config.db_type=Tipo
 config.db_host=Host
 config.db_name=Nombre
@@ -3236,99 +3237,99 @@ config.db_ssl_mode=SSL
 config.db_path=Ruta
 
 config.service_config=Configuración del servicio
-config.register_email_confirm=Requerir confirmación de correo electrónico para registrarse
-config.disable_register=Deshabilitar auto-registro
-config.allow_only_internal_registration=Permitir el registro solo desde Forgejo
-config.allow_only_external_registration=Permitir el registro únicamente a través de servicios externos
-config.enable_openid_signup=Habilitar el auto-registro con OpenID
-config.enable_openid_signin=Habilitar el inicio de sesión con OpenID
-config.show_registration_button=Mostrar Botón de Registro
-config.require_sign_in_view=Requerir inicio de sesión obligatorio para ver páginas
-config.mail_notify=Habilitar las notificaciones por correo electrónico
+config.register_email_confirm=Requerir confirmación de correo-e para registrarse
+config.disable_register=Inhabilitar auto-registro
+config.allow_only_internal_registration=Concede registro solo por medio de Forgejo
+config.allow_only_external_registration=Concede registro solo a través de servicios externos
+config.enable_openid_signup=Habilitar auto-registro con OpenID
+config.enable_openid_signin=Habilitar inicio de sesión con OpenID
+config.show_registration_button=Mostrar botón de registro
+config.require_sign_in_view=Requiere inicio de sesión para ver contenido
+config.mail_notify=Habilitar notificaciones por correo-e
 config.enable_captcha=Activar CAPTCHA
-config.active_code_lives=Habilitar Vida del Código
-config.reset_password_code_lives=Caducidad del código de recuperación de cuenta
-config.default_keep_email_private=Ocultar direcciones de correo electrónico por defecto
-config.default_allow_create_organization=Permitir la creación de organizaciones por defecto
+config.active_code_lives=Código de activación del tiempo de vida
+config.reset_password_code_lives=Código de recuperación del tiempo de vida
+config.default_keep_email_private=Ocultar direcciones de correo-e por defecto
+config.default_allow_create_organization=Concede la creación de organizaciones por defecto
 config.enable_timetracking=Habilitar seguimiento de tiempo
 config.default_enable_timetracking=Habilitar seguimiento de tiempo por defecto
 config.allow_dots_in_usernames = Permite utilizar puntos en los nombres de usuario. No tiene efecto sobre cuentas existentes.
 config.default_allow_only_contributors_to_track_time=Deje que solo los colaboradores hagan un seguimiento del tiempo
-config.no_reply_address=Dominio de correos electrónicos ocultos
-config.default_visibility_organization=Visibilidad por defecto para nuevas organizaciones
+config.no_reply_address=Dominio de correo-e ocultos
+config.default_visibility_organization=Visibilidad por defecto para organizaciones nuevas
 config.default_enable_dependencies=Habilitar dependencias de incidencias por defecto
 
 config.webhook_config=Configuración de Webhooks
-config.queue_length=Tamaño de Cola de Envío
-config.deliver_timeout=Timeout de Entrega
-config.skip_tls_verify=Saltar verificación TLS
+config.queue_length=Longitud de cola
+config.deliver_timeout=Vencimiento de entrega
+config.skip_tls_verify=Omitir verificación TLS
 
-config.mailer_config=Configuración del servidor de correo
+config.mailer_config=Configuración del cartero
 config.mailer_enabled=Activado
 config.mailer_enable_helo=Habilitar HELO
 config.mailer_name=Nombre
 config.mailer_protocol=Protocolo
-config.mailer_smtp_addr=Dirección SMTP
+config.mailer_smtp_addr=Hospedaje SMTP
 config.mailer_smtp_port=Puerto SMTP
 config.mailer_user=Usuario
 config.mailer_use_sendmail=Usar Sendmail
 config.mailer_sendmail_path=Ruta de Sendmail
 config.mailer_sendmail_args=Argumentos adicionales por Sendmail
-config.mailer_sendmail_timeout=Tiempo de espera de Sendmail
+config.mailer_sendmail_timeout=Vencimiento de Sendmail
 config.mailer_use_dummy=Dummy
 config.test_email_placeholder=Correo electrónico (ej. test@ejemplo.com)
-config.send_test_mail=Enviar prueba de correo
+config.send_test_mail=Enviar prueba de correo-e
 config.send_test_mail_submit=Enviar
-config.test_mail_failed=Fallo al enviar un correo electrónico de prueba a "%s": %v
-config.test_mail_sent=Se ha enviado un correo electrónico de prueba a "%s".
+config.test_mail_failed=Fallo al enviar una prueba de correo-e a «%s»: %v
+config.test_mail_sent=Se ha enviado un correo-e de prueba a «%s».
 
 config.oauth_config=Configuración OAuth
 config.oauth_enabled=Activado
 
-config.cache_config=Configuración de la Caché
-config.cache_adapter=Adaptador de la Caché
-config.cache_interval=Intervalo de la Caché
-config.cache_conn=Conexión de la Caché
-config.cache_item_ttl=Período de vida para elementos de caché
+config.cache_config=Configuración de caché
+config.cache_adapter=Adaptador de caché
+config.cache_interval=Intervalo de caché
+config.cache_conn=Conexión de caché
+config.cache_item_ttl=TTL de elemento caché
 
-config.session_config=Configuración de la Sesión
-config.session_provider=Proveedor de la Sesión
-config.provider_config=Configuración del Proveedor
-config.cookie_name=Nombre de la Cookie
-config.gc_interval_time=Intervalo de tiempo del GC
-config.session_life_time=Tiempo de Vida de la Sesión
-config.https_only=Sólo HTTPS
+config.session_config=Configuración de sesión
+config.session_provider=Proveedor de sesión
+config.provider_config=Configuración de proveedor
+config.cookie_name=Nombre de cookie
+config.gc_interval_time=Tiempo de intervalo GC
+config.session_life_time=Tiempo de vida de sesión
+config.https_only=Solo HTTPS
 config.cookie_life_time=Tiempo de Vida de la Cookie
 
 config.picture_config=Configuración de imagen y avatar
 config.picture_service=Servicio de Imágen
 config.disable_gravatar=Desactivar Gravatar
-config.enable_federated_avatar=Habilitar Avatares Federados
+config.enable_federated_avatar=Habilitar avatares federados
 
 config.git_config=Configuración de Git
-config.git_disable_diff_highlight=Desactivar resaltado de sintaxis del Diff
-config.git_max_diff_lines=Líneas de Diff máximas (por un solo archivo)
-config.git_max_diff_line_characters=Carácteres de Diff máximos (para una sola línea)
-config.git_max_diff_files=Máximo de archivos de Diff (que se mostrarán)
+config.git_disable_diff_highlight=Inhabilitar resaltado de diff de sintaxis
+config.git_max_diff_lines=Líneas de diff máximas por archivo
+config.git_max_diff_line_characters=Caracteres de diff máx por línea
+config.git_max_diff_files=Diff de archivos máxima mostrada
 config.git_gc_args=Argumentos de GC
-config.git_migrate_timeout=Tiempo de espera de migración
-config.git_mirror_timeout=Tiempo de espera de actualización de réplicas
-config.git_clone_timeout=Tiempo de espera de operación de clones
-config.git_pull_timeout=Tiempo de espera de operación de pull
-config.git_gc_timeout=Tiempo de espera de operación de GC
+config.git_migrate_timeout=Vencimiento de migración
+config.git_mirror_timeout=Vencimiento de actualización de réplica
+config.git_clone_timeout=Vencimiento de operación de clonado
+config.git_pull_timeout=Vencimiento de operación de pull
+config.git_gc_timeout=Vencimiento de operación de GC
 
-config.log_config=Configuración del Log
+config.log_config=Configuración de bitácora
 config.logger_name_fmt=Registro: %s
 config.disabled_logger=Desactivado
 config.access_log_mode=Modo de registro del Acceso
-config.access_log_template=Plantilla de registro de acceso
+config.access_log_template=Plantilla de bitácora de acceso
 config.xorm_log_sql=Registrar SQL
 
 config.set_setting_failed=Error al configurar %s
 
 monitor.stats=Estadísticas
 
-monitor.cron=Tareas de Cron
+monitor.cron=Tareas de cron
 monitor.name=Nombre
 monitor.schedule=Agenda
 monitor.next=Siguiente
@@ -3354,9 +3355,9 @@ monitor.queue.type=Tipo
 monitor.queue.exemplar=Ejemplo
 monitor.queue.numberworkers=Número de trabajadores
 monitor.queue.activeworkers=Trabajadores activos
-monitor.queue.maxnumberworkers=Número máximo de trabajadores
+monitor.queue.maxnumberworkers=Nº máx de trabajadores
 monitor.queue.numberinqueue=Número en cola
-monitor.queue.review_add=Revisar / Añadir Trabajadores
+monitor.queue.review_add=Revisar / Añadir trabajadores
 monitor.queue.settings.title=Ajustes del grupo
 monitor.queue.settings.desc=Los grupos de trabajadores crecen dinámicamente en respuesta al bloqueo de cola de sus trabajadores.
 monitor.queue.settings.maxnumberworkers=Número máximo de trabajadores
@@ -3367,10 +3368,10 @@ monitor.queue.settings.changed=Ajustes actualizados
 monitor.queue.settings.remove_all_items=Eliminar todo
 monitor.queue.settings.remove_all_items_done=Todos los elementos en la cola han sido eliminados.
 
-notices.system_notice_list=Notificaciones del Sistema
-notices.view_detail_header=Ver detalles de notificación
+notices.system_notice_list=Notificaciones del sistema
+notices.view_detail_header=Detalles de notificación
 notices.operations=Operaciones
-notices.select_all=Sleccionar todo
+notices.select_all=Seleccionar todo
 notices.deselect_all=Deseleccionar todo
 notices.inverse_selection=Selección inversa
 notices.delete_selected=Eliminar seleccionado
@@ -3412,6 +3413,7 @@ self_check.database_collation_mismatch = Se espera que la base de datos use inte
 self_check.database_collation_case_insensitive = La base de datos está usando intercalación %s, que es una intercalación insensible. Aunque Forgejo podría funcionar, puede darse algún caso extraño en el que no funcione como se espera.
 self_check.database_inconsistent_collation_columns = La base de datos está usando intercalación %s, pero estas columnas están usando intercalaciones desparejadas. Esto puede causar algunos problemas inesperados.
 self_check.database_fix_mysql = Para usuarios de MySQL/MariaDB, podrían usar el comando "forgejo doctor convert" para arreglar los problemas de intercalación, o también podrían arreglarlos utilizando consultas SQL manuales, como "ALTER ... COLLATE ...".
+config.cache_test_failed = Incorrecto al probar la caché: %v.
 
 
 [action]
@@ -3507,8 +3509,8 @@ runs.no_runs=El flujo de trabajo no tiene ejecuciones todavía.
 
 workflow.disable=Desactivar flujo de trabajo
 workflow.disable_success=Flujo de trabajo "%s" desactivado exitosamente.
-workflow.enable=Activar flujo de trabajo
-workflow.enable_success=Flujo de trabajo '%s' habilitado con éxito.
+workflow.enable=Habilitar flujo
+workflow.enable_success=Flujo «%s» habilitado correctamente.
 workflow.disabled=El flujo de trabajo está deshabilitado.
 
 need_approval_desc=Necesita aprobación para ejecutar flujos de trabajo para el pull request del fork.
@@ -3545,7 +3547,7 @@ runs.no_workflows.help_no_write_access = Para aprender sobre Forgejo Actions, v
 type-1.display_name=Proyecto individual
 type-2.display_name=Proyecto de repositorio
 type-3.display_name=Proyecto de organización
-deleted.display_name = Proyecto borrado
+deleted.display_name = Proyecto eliminado
 
 [git.filemode]
 changed_filemode=%[1]s → %[2]s
diff --git a/options/locale/locale_et.ini b/options/locale/locale_et.ini
index a18e593213..7bb17324b8 100644
--- a/options/locale/locale_et.ini
+++ b/options/locale/locale_et.ini
@@ -141,6 +141,7 @@ copy_path = Kopeeri asukoht
 captcha = Robotilõks
 unpin = Lõpeta esiletõstmine
 powered_by = Siin on kasutusel %s
+collaborative = Koostöö
 
 [search]
 search = Otsi…
@@ -189,7 +190,7 @@ buttons.heading.tooltip = Lisa pealkiri
 buttons.italic.tooltip = Lisa kaldkirjas tekst (Ctrl+I / ⌘I)
 buttons.quote.tooltip = Tsiteeri teksti
 buttons.code.tooltip = Lisa kood
-buttons.link.tooltip = Lisa link
+buttons.link.tooltip = Lisa link (Ctrl+K / ⌘K)
 buttons.list.ordered.tooltip = Lisa nummerdatud nimekiri
 buttons.list.unordered.tooltip = Lisa nimekiri
 buttons.list.task.tooltip = Lisa ülesannete nimekiri
diff --git a/options/locale/locale_fa-IR.ini b/options/locale/locale_fa-IR.ini
index 0e5fcc4e68..177970e7e3 100644
--- a/options/locale/locale_fa-IR.ini
+++ b/options/locale/locale_fa-IR.ini
@@ -7,7 +7,7 @@ sign_in=ورود
 sign_in_or=یا
 sign_out=خروج
 sign_up=ثبت نام
-link_account=پیوند به حساب
+link_account=پیوند به حساب‌کاربری
 register=ثبت نام
 version=نسخه
 powered_by=قدرت از %s
diff --git a/options/locale/locale_fi-FI.ini b/options/locale/locale_fi-FI.ini
index b741795e1a..8ac50b8437 100644
--- a/options/locale/locale_fi-FI.ini
+++ b/options/locale/locale_fi-FI.ini
@@ -2065,7 +2065,7 @@ settings.transfer_desc = Siirrä tämä tietovarasto käyttäjälle tai organisa
 settings.add_collaborator = Lisää avustaja
 settings.mirror_settings.push_mirror.none = Työntöpeilejä ei ole määritetty
 settings.collaborator_deletion_desc = Avustajan poistaminen peruuttaa hänen pääsynsä tähän tietovarastoon. Jatketaanko?
-settings.archive.text = Tietovaraston arkistointi asettaa sen pelkkään lukutilaan. Se piilotetaan kojelaudalta. Kukaan ei voi tehdä (et edes sinä) uusia kommitteja, tai avata ongelmia tai vetopyyntöjä.
+settings.archive.text = Tietovaraston arkistointi asettaa sen pelkkään lukutilaan. Se piilotetaan kojelaudalta. Kukaan ei voi tehdä (et edes sinä) uusia kommitteja, tai avata ongelmia tai vetopyyntöjä. Arkistoinnin syy on suositeltavaa kertoa, sillä kyseinen tieto auttaa tietovaraston haarauttamista harkitsevia kehittäjiä.
 settings.mirror_settings.docs = Määritä tietovarastosi synkronoimaan kommitit, tagit ja haarat automaattisesti toisen tietovaraston kanssa.
 settings.add_collaborator_duplicate = Avustaja on jo lisätty tähän tietovarastoon.
 settings.add_collaborator_blocked_them = Avustajaa ei voi lisätä, koska hän on estänyt tietovaraston omistajan.
diff --git a/options/locale/locale_fr-FR.ini b/options/locale/locale_fr-FR.ini
index c513bc9ca5..543d03baa9 100644
--- a/options/locale/locale_fr-FR.ini
+++ b/options/locale/locale_fr-FR.ini
@@ -873,7 +873,7 @@ delete_token=Supprimer
 access_token_deletion=Supprimer le jeton d'accès
 access_token_deletion_desc=Supprimer un jeton révoquera l'accès à votre compte pour toutes les applications l'utilisant. Cette action est irréversible. Continuer ?
 delete_token_success=Ce jeton a été supprimé. Les applications l'utilisant n'ont plus accès à votre compte.
-repo_and_org_access=Accès aux Organisations et Dépôts
+repo_and_org_access=Accès aux dépôts et organisations
 permissions_public_only=Publique uniquement
 permissions_access_all=Tout (public, privé et limité)
 select_permissions=Sélectionner les autorisations
diff --git a/options/locale/locale_id-ID.ini b/options/locale/locale_id-ID.ini
index 297f110135..575609fffe 100644
--- a/options/locale/locale_id-ID.ini
+++ b/options/locale/locale_id-ID.ini
@@ -7,7 +7,7 @@ sign_in=Masuk
 sign_in_or=atau
 sign_out=Keluar
 sign_up=Daftar
-link_account=Tautkan Akun
+link_account=Hubungkan akun
 register=Daftar
 version=Versi
 powered_by=Diberdayakan oleh %s
@@ -16,16 +16,16 @@ template=Contoh
 language=Bahasa
 notifications=Notifikasi
 create_new=Buat…
-user_profile_and_more=Profil dan Pengaturan…
+user_profile_and_more=Profil dan pengaturan…
 signed_in_as=Masuk sebagai
 toc=Daftar Isi
 
 username=Nama Pengguna
-email=Alamat Email
+email=Alamat email
 password=Kata Sandi
 captcha=CAPTCHA
-twofa=Otentikasi Dua Faktor
-twofa_scratch=Kode Awal Dua Faktor
+twofa=Autentikasi dua faktor
+twofa_scratch=Kode gores dua faktor
 passcode=Kode Akses
 
 
@@ -33,8 +33,8 @@ repository=Repositori
 organization=Organisasi
 mirror=Duplikat
 new_mirror=Duplikat Baru
-new_fork=Fork Repositori Baru
-admin_panel=Administrasi Situs
+new_fork=Garpu repositori baru
+admin_panel=Administrasi situs
 settings=Pengaturan
 your_profile=Profil
 your_starred=Dibintangi
@@ -47,16 +47,16 @@ collaborative=Kolaboratif
 forks=Garpu
 
 activities=Aktivitas
-pull_requests=Tarik Permintaan
+pull_requests=Permintaan tarik
 issues=Masalah
 milestones=Tonggak
 
 cancel=Batal
 save=Simpan
 add=Tambah
-add_all=Tambah Semua
+add_all=Tambahkan semua
 remove=Buang
-remove_all=Buang Semua
+remove_all=Hapus semua
 edit=Edit
 
 enabled=Aktif
@@ -111,7 +111,7 @@ copy_success = Tersalin!
 copy_error = Gagal menyalin
 copy_type_unsupported = Tipe berkas ini tidak dapat disalin
 error = Gangguan
-error404 = Halaman yang akan kamu akses <strong>tidak dapat ditemukan</strong> atau <strong>kamu tidak memiliki akses </strong> untuk melihatnya.
+error404 = Halaman yang Anda coba buka <strong>tidak ada</strong>, <strong>telah dihapus</strong>, atau <strong>Anda tidak berwenang</strong> untuk melihatnya.
 go_back = Kembali
 invalid_data = Data invalid: %v
 never = Tidak Pernah
@@ -135,32 +135,75 @@ filter.private = Pribadi
 logo = Logo
 sign_in_with_provider = Masuk menggunakan %s
 active_stopwatch = Pelacak Waktu Aktif
+tracked_time_summary = Ringkasan waktu terlacak berdasarkan filter daftar isu
+enable_javascript = Situs web ini memerlukan JavaScript.
+licenses = Lisensi
+return_to_forgejo = Kembali ke Forgejo
+toggle_menu = Alihkan menu
+more_items = Item lainnya
+access_token = Token akses
+new_repo.title = Repositori baru
+new_migrate.title = Migrasi baru
+new_org.title = Organisasi baru
+new_repo.link = Repositori baru
+new_migrate.link = Migrasi baru
+new_org.link = Organisasi baru
+copy_path = Salin jalur
+error413 = Kuota Anda telah habis.
+confirm_delete_artifact = Apakah Anda yakin ingin menghapus artefak "%s"?
+concept_user_organization = Organisasi
+show_timestamps = Tampilkan stempel waktu
+show_log_seconds = Tampilkan detik
+filter.clear = Hapus filter
+filter.is_fork = Garpu
+filter.not_fork = Bukan garpu
+filter.is_mirror = Cermin
+filter.not_mirror = Bukan cermin
+filter.is_template = Templat
+filter.not_template = Bukan templat
 
 [aria]
 navbar = Bar Navigasi
 footer = Footer
 footer.links = Tautan
+footer.software = Tentang perangkat lunak ini
 
 [heatmap]
 number_of_contributions_in_the_last_12_months = %s Kontribusi pada 12 bulan terakhir
 less = Lebih sedikit
 more = Lebih banyak
+contributions_zero = Tidak ada kontribusi
+contributions_format = {contributions} pada {month} {day}, {year}
+contributions_one = kontribusi
+contributions_few = kontribusi
 
 [editor]
 buttons.heading.tooltip = Tambahkan heading
-buttons.bold.tooltip = Tambahkan teks Tebal
-buttons.italic.tooltip = Tambahkan teks Miring
+buttons.bold.tooltip = Tambahkan teks tebal (Ctrl+B / ⌘B)
+buttons.italic.tooltip = Tambahkan teks miring (Ctrl+I / ⌘I)
 buttons.quote.tooltip = Kutip teks
 buttons.code.tooltip = Tambah Kode
-buttons.link.tooltip = Tambahkan tautan
+buttons.link.tooltip = Tambahkan tautan (Ctrl+K / ⌘K)
 buttons.list.unordered.tooltip = Tambah daftar titik
 buttons.list.ordered.tooltip = Tambah daftar angka
 buttons.list.task.tooltip = Tambahkan daftar tugas
 buttons.mention.tooltip = Tandai pengguna atau tim
-buttons.ref.tooltip = Merujuk pada isu atau permintaan tarik
+buttons.ref.tooltip = Merujuk pada issue atau permintaan tarik
 buttons.switch_to_legacy.tooltip = Gunakan editor versi lama
 buttons.enable_monospace_font = Aktifkan font monospace
 buttons.disable_monospace_font = Non-Aktifkan font monospace
+buttons.indent.tooltip = Indentasi item satu tingkat
+buttons.unindent.tooltip = Hapus indentasi item satu tingkat
+buttons.new_table.tooltip = Tambahkan tabel
+table_modal.header = Tambahkan tabel
+table_modal.placeholder.header = Kepala
+table_modal.placeholder.content = Konten
+table_modal.label.rows = Baris
+table_modal.label.columns = Kolom
+link_modal.header = Tambahkan tautan
+link_modal.url = URL
+link_modal.description = Deskripsi
+link_modal.paste_reminder = Petunjuk: Dengan URL di clipboard Anda, Anda dapat menempelkannya langsung ke editor untuk membuat tautan.
 
 [filter]
 string.asc = A - Z
@@ -169,6 +212,9 @@ string.desc = Z - A
 [error]
 occurred = Terjadi kesalahan
 not_found = Target tidak dapat ditemukan.
+report_message = Jika Anda yakin ini adalah bug Forgejo, silakan cari issue di <a href="%s" target="_blank">Codeberg</a> atau buka issue baru jika diperlukan.
+network_error = Kesalahan jaringan
+server_internal = Kesalahan server internal
 
 [startpage]
 app_desc=Sebuah layanan hosting Git sendiri yang tanpa kesulitan
@@ -178,9 +224,11 @@ lightweight=Ringan
 lightweight_desc=Forgejo hanya membutuhkan persyaratan minimal dan bisa berjalan pada Raspberry Pi yang murah. Bisa menghemat listrik!
 license=Sumber Terbuka
 license_desc=Go get (Dapatkan kode sumber dari) <a target="_blank" rel="noopener noreferrer" href="%[1]s">Forgejo</a>! Mari bergabung dengan <a target="_blank" rel="noopener noreferrer" href="%[2]s">berkontribusi</a> untuk membuat proyek ini lebih baik. Jangan malu untuk menjadi kontributor!
+install_desc = Cukup <a target="_blank" rel="noopener noreferrer" href="%s">jalankan biner</a> untuk platform Anda, kirimkan dengan <a target="_blank" rel="noopener noreferrer" href="%s">Docker</a>, atau dapatkan dalam bentuk <a target="_blank" rel="noopener noreferrer" href="%s">paket</a>.
+platform_desc = Forgejo telah dikonfirmasi berjalan pada sistem operasi bebas seperti Linux dan FreeBSD, serta berbagai arsitektur CPU. Pilih yang Anda sukai!
 
 [install]
-title=Konfigurasi Awal
+title=Konfigurasi awal
 host=Host
 password=Kata Sandi
 db_schema=Schema
@@ -191,54 +239,160 @@ repo_path=Jalur akar repositori
 
 smtp_addr=Host SMTP
 smtp_port=Port SMTP
-register_confirm=Perlu Konfirmasi Email Saat Pendaftaran
-mail_notify=Aktifkan Notifikasi Email
+register_confirm=Wajibkan konfirmasi email untuk mendaftar
+mail_notify=Aktifkan notifikasi email
 disable_gravatar=Menonaktifkan Gravatar
-federated_avatar_lookup=Aktifkan pencarian avatar
-openid_signin=Aktifkan Login OpenID
-require_sign_in_view=Harus Login Untuk Melihat Halaman
+federated_avatar_lookup=Aktifkan avatar federasi
+openid_signin=Aktifkan masuk OpenID
+require_sign_in_view=Wajibkan masuk untuk melihat konten instans
 admin_password=Kata Sandi
-admin_email=Alamat Email
+admin_email=Alamat email
 
 email_title = Pengaturan email
 smtp_from = Kirim Email Sebagai
+install = Instalasi
+docker_helper = Jika Anda menjalankan Forgejo di dalam Docker, harap baca <a target="_blank" rel="noopener noreferrer" href="%s">dokumentasi</a> sebelum mengubah pengaturan apa pun.
+require_db_desc = Forgejo memerlukan MySQL, PostgreSQL, SQLite3, atau TiDB (protokol MySQL).
+db_title = Pengaturan basis data
+db_type = Jenis basis data
+user = Nama pengguna
+db_name = Nama basis data
+db_schema_helper = Biarkan kosong untuk default basis data ("public").
+sqlite_helper = Jalur file untuk basis data SQLite3.<br>Masukkan jalur absolut jika Anda menjalankan Forgejo sebagai layanan.
+reinstall_error = Anda mencoba menginstal ke basis data Forgejo yang sudah ada
+reinstall_confirm_message = Menginstal ulang dengan basis data Forgejo yang sudah ada dapat menyebabkan berbagai masalah. Dalam kebanyakan kasus, Anda sebaiknya menggunakan "app.ini" yang sudah ada untuk menjalankan Forgejo. Jika Anda mengetahui apa yang Anda lakukan, konfirmasikan hal berikut:
+reinstall_confirm_check_1 = Data yang dienkripsi oleh SECRET_KEY di app.ini mungkin hilang: pengguna mungkin tidak dapat masuk dengan 2FA/OTP & cermin mungkin tidak berfungsi dengan benar. Dengan mencentang kotak ini, Anda mengonfirmasi bahwa file app.ini saat ini berisi SECRET_KEY yang benar.
+reinstall_confirm_check_2 = Repositori dan pengaturan mungkin perlu disinkronkan ulang. Dengan mencentang kotak ini, Anda mengonfirmasi bahwa Anda akan menyinkronkan ulang hook untuk repositori dan file authorized_keys secara manual. Anda mengonfirmasi bahwa Anda akan memastikan pengaturan repositori dan cermin sudah benar.
+reinstall_confirm_check_3 = Anda mengonfirmasi bahwa Anda benar-benar yakin bahwa Forgejo ini berjalan dengan lokasi app.ini yang benar dan bahwa Anda yakin harus menginstal ulang. Anda mengonfirmasi bahwa Anda mengakui risiko-risiko di atas.
+err_empty_db_path = Jalur basis data SQLite3 tidak boleh kosong.
+no_admin_and_disable_registration = Anda tidak dapat menonaktifkan registrasi mandiri pengguna tanpa membuat akun administrator.
+err_empty_admin_password = Kata sandi administrator tidak boleh kosong.
+err_empty_admin_email = Email administrator tidak boleh kosong.
+err_admin_name_is_reserved = Nama pengguna administrator tidak valid, nama pengguna sudah dicadangkan
+err_admin_name_pattern_not_allowed = Nama pengguna administrator tidak valid, nama pengguna cocok dengan pola yang dicadangkan
+err_admin_name_is_invalid = Nama pengguna administrator tidak valid
+general_title = Pengaturan umum
+app_name = Judul instans
+app_name_helper = Masukkan nama instans Anda di sini. Nama ini akan ditampilkan di setiap halaman.
+app_slogan = Slogan instans
+app_slogan_helper = Masukkan slogan instans Anda di sini. Biarkan kosong untuk menonaktifkan.
+repo_path_helper = Repositori Git jarak jauh akan disimpan ke direktori ini.
+lfs_path = Jalur akar Git LFS
+lfs_path_helper = File yang dilacak oleh Git LFS akan disimpan di direktori ini. Biarkan kosong untuk menonaktifkan.
+run_user = Pengguna yang menjalankan
+run_user_helper = Nama pengguna sistem operasi yang menjalankan Forgejo. Perhatikan bahwa pengguna ini harus memiliki akses ke jalur akar repositori.
+domain = Domain server
+domain_helper = Domain atau alamat host untuk server.
+ssh_port = Port server SSH
+ssh_port_helper = Nomor port yang akan digunakan oleh server SSH. Biarkan kosong untuk menonaktifkan server SSH.
+http_port = Port dengar HTTP
+http_port_helper = Nomor port yang akan digunakan oleh server web Forgejo.
+app_url = URL dasar
+app_url_helper = Alamat dasar untuk URL kloning HTTP(S) dan notifikasi email.
+log_root_path = Jalur log
+log_root_path_helper = File log akan ditulis ke direktori ini.
+optional_title = Pengaturan opsional
+smtp_from_invalid = Alamat "Kirim Email Sebagai" tidak valid
+smtp_from_helper = Alamat email yang akan digunakan Forgejo. Masukkan alamat email biasa atau gunakan format "Nama" <email@example.com>.
+mailer_user = Nama pengguna SMTP
+mailer_password = Kata sandi SMTP
+server_service_title = Pengaturan server dan layanan pihak ketiga
+offline_mode = Aktifkan mode lokal
+offline_mode.description = Nonaktifkan jaringan pengiriman konten pihak ketiga dan sajikan semua sumber daya secara lokal.
+disable_gravatar.description = Nonaktifkan penggunaan Gravatar atau sumber avatar pihak ketiga lainnya. Gambar default akan digunakan untuk avatar pengguna kecuali mereka mengunggah avatar sendiri ke instans.
+federated_avatar_lookup.description = Cari avatar menggunakan Libravatar.
+disable_registration = Nonaktifkan registrasi mandiri
+disable_registration.description = Hanya administrator instans yang dapat membuat akun pengguna baru. Sangat disarankan untuk menonaktifkan registrasi kecuali Anda berniat mengelola instans publik untuk semua orang dan siap menghadapi akun spam dalam jumlah besar.
+allow_only_external_registration = Izinkan registrasi hanya melalui layanan eksternal
+allow_only_external_registration.description = Pengguna hanya dapat membuat akun baru dengan menggunakan layanan eksternal yang dikonfigurasi.
+openid_signin.description = Izinkan pengguna masuk melalui OpenID.
+openid_signup = Aktifkan registrasi mandiri OpenID
+openid_signup.description = Izinkan pengguna membuat akun melalui OpenID jika registrasi mandiri diaktifkan.
+enable_captcha = Aktifkan CAPTCHA pendaftaran
+enable_captcha.description = Wajibkan pengguna melewati CAPTCHA untuk membuat akun.
+require_sign_in_view.description = Batasi akses konten hanya untuk pengguna yang sudah masuk. Tamu hanya dapat mengunjungi halaman autentikasi.
+default_keep_email_private = Sembunyikan alamat email secara default
+default_keep_email_private.description = Aktifkan penyembunyian alamat email untuk pengguna baru secara default agar informasi ini tidak bocor segera setelah mendaftar.
+default_allow_create_organization = Izinkan pembuatan organisasi secara default
+default_allow_create_organization.description = Izinkan pengguna baru membuat organisasi secara default. Jika opsi ini dinonaktifkan, admin harus memberikan izin pembuatan organisasi kepada pengguna baru.
+default_enable_timetracking = Aktifkan pelacakan waktu secara default
+default_enable_timetracking.description = Izinkan penggunaan fitur pelacakan waktu untuk repositori baru secara default.
+admin_title = Pengaturan akun administrator
+admin_setting.description = Pembuatan akun administrator bersifat opsional. Pengguna pertama yang mendaftar akan otomatis menjadi administrator.
+admin_name = Nama pengguna administrator
+confirm_password = Konfirmasi kata sandi
+config_location_hint = Opsi konfigurasi ini akan disimpan di:
+install_btn_confirm = Instal Forgejo
+test_git_failed = Tidak dapat menguji perintah "git": %v
+sqlite3_not_available = Versi Forgejo ini tidak mendukung SQLite3. Silakan unduh versi biner resmi dari %s (bukan versi "gobuild").
+invalid_db_setting = Pengaturan basis data tidak valid: %v
+invalid_db_table = Tabel basis data "%s" tidak valid: %v
+invalid_repo_path = Jalur akar repositori tidak valid: %v
+invalid_app_data_path = Jalur data aplikasi tidak valid: %v
+run_user_not_match = Nama pengguna "pengguna yang menjalankan" bukan nama pengguna saat ini: %s -> %s
+internal_token_failed = Gagal membuat token internal: %v
+save_config_failed = Gagal menyimpan konfigurasi: %v
+enable_update_checker_helper_forgejo = Ini akan memeriksa versi Forgejo baru secara berkala dengan memeriksa catatan DNS TXT di release.forgejo.org.
+invalid_admin_setting = Pengaturan akun administrator tidak valid: %v
+invalid_log_root_path = Jalur log tidak valid: %v
+no_reply_address = Domain email tersembunyi
+no_reply_address_helper = Nama domain untuk pengguna dengan alamat email tersembunyi. Misalnya, nama pengguna "joe" akan dicatat di Git sebagai "joe@noreply.example.org" jika domain email tersembunyi diatur ke "noreply.example.org".
+password_algorithm = Algoritma hash kata sandi
+invalid_password_algorithm = Algoritma hash kata sandi tidak valid
+password_algorithm_helper = Atur algoritma hash kata sandi. Algoritma memiliki persyaratan dan kekuatan yang berbeda. Algoritma argon2 cukup aman tetapi menggunakan banyak memori dan mungkin tidak cocok untuk sistem kecil.
+enable_update_checker = Aktifkan pemeriksa pembaruan
+env_config_keys = Konfigurasi Lingkungan
+env_config_keys_prompt = Variabel lingkungan berikut juga akan diterapkan ke file konfigurasi Anda:
 
 [home]
 uname_holder=Nama pengguna atau alamat surel
 switch_dashboard_context=Alihkan dasbor konteks
 my_repos=Repositori
-my_orgs=Organisasi Saya
+my_orgs=Organisasi
 view_home=Lihat %s
 show_private=Pribadi
 
 issues.in_your_repos=Dalam repositori anda
 
 show_archived = Diarsipkan
+filter = Filter lainnya
+filter_by_team_repositories = Filter berdasarkan repositori tim
+feed_of = Umpan dari "%s"
+show_both_archived_unarchived = Menampilkan arsip dan non-arsip
+show_only_archived = Hanya menampilkan yang diarsipkan
+show_only_unarchived = Hanya menampilkan yang tidak diarsipkan
+show_both_private_public = Menampilkan publik dan privat
+show_only_private = Hanya menampilkan yang privat
+show_only_public = Hanya menampilkan yang publik
 
 [explore]
 repos=Repositori
 users=Pengguna
 organizations=Organisasi
 code=Kode
+go_to = Pergi ke
+code_last_indexed_at = Terakhir diindeks %s
+relevant_repositories_tooltip = Repositori yang merupakan garpu atau yang tidak memiliki topik, ikon, dan deskripsi disembunyikan.
+relevant_repositories = Hanya repositori yang relevan yang ditampilkan, <a href="%s">tampilkan hasil tanpa filter</a>.
 
 [auth]
 create_new_account=Daftar akun
 disable_register_prompt=Maaf, pendaftaran telah dinonaktifkan. Silakan hubungi administrator situs.
 disable_register_mail=Konfirmasi lewat email untuk pengguna baru dimatikan.
-forgot_password_title=Lupa Kata Sandi
+forgot_password_title=Lupa kata sandi
 forgot_password=Lupa kata sandi?
-confirmation_mail_sent_prompt=Surel konfirmasi baru telah dikirim ke <b>%s</b>. Silakan periksa kotak masuk anda dalam %s ke depan untuk menyelesaikan proses pendaftaran.
+confirmation_mail_sent_prompt=Email konfirmasi baru telah dikirimkan ke <b>%s</b>. Untuk menyelesaikan proses pendaftaran, silakan periksa kotak masuk Anda dan ikuti tautan yang diberikan dalam %s ke depan. Jika email salah, Anda dapat masuk dan meminta email konfirmasi lain dikirimkan ke alamat yang berbeda.
 must_change_password=Perbarui kata sandi Anda
 allow_password_change=Wajibkan pengguna untuk mengganti kata sandi (disarankan)
-reset_password_mail_sent_prompt=Surel konfirmasi berhasil dikirim ke <b>%s</b>. Silahkan cek akun email Anda dalam %s jam untuk menyelesaikan proses pemulihan akun.
-active_your_account=Aktifkan Akun Anda
+reset_password_mail_sent_prompt=Email konfirmasi telah dikirimkan ke <b>%s</b>. Untuk menyelesaikan proses pemulihan akun, silakan periksa kotak masuk Anda dan ikuti tautan yang diberikan dalam %s ke depan.
+active_your_account=Aktifkan akun Anda
 account_activated=Akun telah diaktifkan
-prohibit_login=Dilarang Masuk
+prohibit_login=Akun ditangguhkan
 resent_limit_prompt=Anda telah meminta sebuah aktivasi surel beberapa saat lalu. Silakan tunggu 3 menit dan coba lagi.
 has_unconfirmed_mail=Hai %s, anda memiliki sebuah alamat surel yang belum dikonfirmasi (<b>%s</b>). Jika anda belum menerima surel konfirmasi atau perlu untuk mengirim ulang yang baru, silakan klik pada tombol di bawah.
 resend_mail=Klik di sini untuk mengirim ulang surel aktivasi anda
-send_reset_mail=Kirim Surel Pemulihan Akun
-reset_password=Pemulihan Akun
+send_reset_mail=Kirim email pemulihan
+reset_password=Pemulihan akun
 invalid_code=Kode konfirmasi Anda tidak valid atau sudah kadaluarsa.
 reset_password_helper=Pulihkan Akun
 password_too_short=Panjang kata sandi tidak boleh kurang dari %d karakter.
@@ -264,20 +418,110 @@ email_domain_blacklisted=Anda tidak dapat mendaftar dengan alamat email.
 authorize_application=Izinkan aplikasi
 authorize_redirect_notice=Anda akan dialihkan ke %s apabila Anda mengizinkan aplikasi ini.
 authorize_application_created_by=Aplikasi ini dibuat oleh %s.
-authorize_application_description=Jika Anda memberikan akses, itu akan bisa mengakses dan menulis semua informasi akun Anda, termasuk repositori pribadi dan organisasi.
+authorize_application_description=Jika Anda memberikan akses, layanan tersebut akan dapat mengakses dan menulis ke semua informasi akun Anda, termasuk repositori privat dan organisasi.
 authorize_title=Izinkan "%s" untuk mengakses akun Anda?
 authorization_failed=Otorisasi gagal
+manual_activation_only = Hubungi administrator situs Anda untuk menyelesaikan aktivasi.
+remember_me = Ingat perangkat ini
+hint_login = Sudah punya akun? <a href="%s">Masuk sekarang!</a>
+hint_register = Belum punya akun? <a href="%s">Daftar sekarang.</a>
+sign_up_button = Daftar sekarang.
+sign_up_successful = Akun berhasil dibuat. Selamat datang!
+prohibit_login_desc = Akun Anda telah ditangguhkan dari interaksi dengan instans ini. Hubungi administrator instans untuk mendapatkan kembali akses.
+change_unconfirmed_email_summary = Ubah alamat email tujuan pengiriman email aktivasi.
+change_unconfirmed_email = Jika Anda memberikan alamat email yang salah saat pendaftaran, Anda dapat mengubahnya di bawah ini, dan konfirmasi akan dikirimkan ke alamat baru.
+change_unconfirmed_email_error = Tidak dapat mengubah alamat email: %v
+invalid_code_forgot_password = Kode konfirmasi Anda tidak valid atau telah kedaluwarsa. Klik <a href="%s">di sini</a> untuk memulai sesi baru.
+invalid_password = Kata sandi Anda tidak cocok dengan kata sandi yang digunakan saat membuat akun.
+reset_password_wrong_user = Anda masuk sebagai %s, tetapi tautan pemulihan akun ini ditujukan untuk %s
+unauthorized_credentials = Kredensial salah atau telah kedaluwarsa. Coba ulang perintah Anda atau lihat %s untuk informasi lebih lanjut
+use_onetime_code = Gunakan kode sekali pakai
+oauth_signup_title = Selesaikan akun baru
+oauth.signin.error = Terjadi kesalahan saat memproses permintaan otorisasi. Jika kesalahan ini terus berlanjut, silakan hubungi administrator situs.
+oauth.signin.error.access_denied = Permintaan otorisasi ditolak.
+oauth.signin.error.temporarily_unavailable = Otorisasi gagal karena server autentikasi sedang tidak tersedia untuk sementara. Silakan coba lagi nanti.
+openid_signin_desc = Masukkan URI OpenID Anda. Misalnya: alice.openid.example.org atau [https://openid.example.org/alice](https://openid.example.org/alice).
+disable_forgot_password_mail = Pemulihan akun dinonaktifkan karena tidak ada email yang dikonfigurasi. Silakan hubungi administrator situs Anda.
+disable_forgot_password_mail_admin = Pemulihan akun hanya tersedia jika email telah dikonfigurasi. Silakan atur email untuk mengaktifkan pemulihan akun.
+authorization_failed_desc = Otorisasi gagal karena kami mendeteksi permintaan yang tidak valid. Silakan hubungi pengelola aplikasi yang coba Anda otorisasi.
+password_pwned = Kata sandi yang Anda pilih terdapat dalam <a target="_blank" rel="noopener noreferrer" href="%s">daftar kata sandi yang dicuri</a> yang sebelumnya terekspos dalam kebocoran data publik. Silakan coba lagi dengan kata sandi yang berbeda dan pertimbangkan untuk mengubah kata sandi ini di tempat lain juga.
+password_pwned_err = Tidak dapat menyelesaikan permintaan ke HaveIBeenPwned
+last_admin = Anda tidak dapat menghapus admin terakhir. Harus ada setidaknya satu admin.
+back_to_sign_in = Kembali ke Masuk
+sign_in_openid = Lanjutkan dengan OpenID
 
 [mail]
 activate_account=Silakan aktifkan akun anda
 
 activate_email=Verifikasi alamat surel anda
 
-register_notify=Selamat Datang di %s
+register_notify=Selamat datang di %s
 
 reset_password=Pulihkan akun Anda
 
 register_success=Pendaftaran berhasil
+view_it_on = Lihat di %s
+reply = atau balas email ini secara langsung
+link_not_working_do_paste = Tautan tidak berfungsi? Coba salin dan tempel ke bilah URL browser Anda.
+hi_user_x = Hai <b>%s</b>,
+activate_account.text_1 = Hai <b>%[1]s</b>, terima kasih telah mendaftar di %s!
+activate_account.text_2 = Silakan klik tautan berikut untuk mengaktifkan akun Anda dalam <b>%s</b>:
+activate_email.text = Silakan klik tautan berikut untuk memverifikasi alamat email Anda dalam <b>%s</b>:
+admin.new_user.subject = Pengguna baru %s baru saja mendaftar
+admin.new_user.user_info = Informasi pengguna
+admin.new_user.text = Silakan <a href="%s">klik di sini</a> untuk mengelola pengguna ini dari panel admin.
+register_notify.text_1 = ini adalah email konfirmasi pendaftaran Anda untuk %s!
+register_notify.text_2 = Anda dapat masuk ke akun Anda menggunakan nama pengguna: %s
+register_notify.text_3 = Jika orang lain yang membuat akun ini untuk Anda, Anda perlu <a href="%s">mengatur kata sandi</a> terlebih dahulu.
+reset_password.text = Jika ini adalah Anda, silakan klik tautan berikut untuk memulihkan akun Anda dalam <b>%s</b>:
+password_change.subject = Kata sandi Anda telah diubah
+password_change.text_1 = Kata sandi untuk akun Anda baru saja diubah.
+primary_mail_change.subject = Email utama Anda telah diubah
+primary_mail_change.text_1 = Email utama akun Anda baru saja diubah ke %[1]s. Ini berarti alamat email ini tidak akan lagi menerima notifikasi email untuk akun Anda.
+totp_disabled.subject = TOTP telah dinonaktifkan
+totp_disabled.text_1 = Kata sandi sekali pakai berbasis waktu (TOTP) pada akun Anda baru saja dinonaktifkan.
+totp_disabled.no_2fa = Tidak ada metode 2FA lain yang dikonfigurasi lagi, artinya tidak lagi diperlukan untuk masuk ke akun Anda dengan 2FA.
+removed_security_key.subject = Kunci keamanan telah dihapus
+removed_security_key.text_1 = Kunci keamanan "%[1]s" baru saja dihapus dari akun Anda.
+removed_security_key.no_2fa = Tidak ada metode 2FA lain yang dikonfigurasi lagi, artinya tidak lagi diperlukan untuk masuk ke akun Anda dengan 2FA.
+account_security_caution.text_1 = Jika ini adalah tindakan Anda, Anda dapat mengabaikan email ini.
+account_security_caution.text_2 = Jika ini bukan tindakan Anda, akun Anda telah dibobol. Silakan hubungi admin situs ini.
+totp_enrolled.subject = Anda telah mengaktifkan TOTP sebagai metode 2FA
+totp_enrolled.text_1.no_webauthn = Anda baru saja mengaktifkan TOTP untuk akun Anda. Ini berarti untuk semua login mendatang ke akun Anda, Anda harus menggunakan TOTP sebagai metode 2FA.
+totp_enrolled.text_1.has_webauthn = Anda baru saja mengaktifkan TOTP untuk akun Anda. Ini berarti untuk semua login mendatang ke akun Anda, Anda dapat menggunakan TOTP sebagai metode 2FA atau menggunakan salah satu kunci keamanan Anda.
+issue_assigned.pull = @%[1]s menugaskan Anda ke permintaan tarik %[2]s di repositori %[3]s.
+issue_assigned.issue = @%[1]s menugaskan Anda ke issue %[2]s di repositori %[3]s.
+issue.x_mentioned_you = <b>@%s</b> menyebut Anda:
+issue.action.force_push = <b>%[1]s</b> melakukan force-push <b>%[2]s</b> dari %[3]s ke %[4]s.
+issue.action.push_1 = <b>@%[1]s</b> mendorong %[3]d commit ke %[2]s
+issue.action.push_n = <b>@%[1]s</b> mendorong %[3]d commit ke %[2]s
+issue.action.close = <b>@%[1]s</b> menutup #%[2]d.
+issue.action.reopen = <b>@%[1]s</b> membuka kembali #%[2]d.
+issue.action.merge = <b>@%[1]s</b> menggabungkan #%[2]d ke %[3]s.
+issue.action.approve = <b>@%[1]s</b> menyetujui permintaan tarik ini.
+issue.action.reject = <b>@%[1]s</b> meminta perubahan pada permintaan tarik ini.
+issue.action.review = <b>@%[1]s</b> mengomentari permintaan tarik ini.
+issue.action.review_dismissed = <b>@%[1]s</b> membatalkan ulasan terakhir dari %[2]s untuk permintaan tarik ini.
+issue.action.ready_for_review = <b>@%[1]s</b> menandai permintaan tarik ini siap untuk ditinjau.
+issue.action.new = <b>@%[1]s</b> membuat #%[2]d.
+issue.in_tree_path = Di %s:
+release.new.subject = %s di %s dirilis
+release.new.text = <b>@%[1]s</b> merilis %[2]s di %[3]s
+release.title = Judul: %s
+release.note = Catatan:
+release.downloads = Unduhan:
+release.download.zip = Kode Sumber (ZIP)
+release.download.targz = Kode Sumber (TAR.GZ)
+repo.transfer.subject_to = %s ingin mentransfer repositori "%s" ke %s
+repo.transfer.subject_to_you = %s ingin mentransfer repositori "%s" kepada Anda
+repo.transfer.to_you = Anda
+repo.transfer.body = Untuk menerima atau menolaknya, kunjungi %s atau abaikan saja.
+repo.collaborator.added.subject = %s menambahkan Anda ke %s sebagai kolaborator
+repo.collaborator.added.text = Anda telah ditambahkan sebagai kolaborator ke repositori:
+team_invite.subject = %[1]s mengundang Anda untuk bergabung dengan organisasi %[2]s
+team_invite.text_1 = %[1]s mengundang Anda untuk bergabung dengan tim %[2]s di organisasi %[3]s.
+team_invite.text_2 = Silakan klik tautan berikut untuk bergabung dengan tim:
+team_invite.text_3 = Catatan: Undangan ini ditujukan untuk %[1]s. Jika Anda tidak mengharapkan undangan ini, Anda dapat mengabaikan email ini.
 
 
 
@@ -290,6 +534,7 @@ yes=Ya
 no=Tidak
 cancel=Membatalkan
 modify=Perbarui
+confirm = Konfirmasi
 
 [form]
 UserName=Nama Pengguna
@@ -309,8 +554,8 @@ TreeName=Jalur berkas
 Content=Konten
 
 require_error=` tidak boleh kosong.`
-alpha_dash_error=` seharusnya hanya mengandung karakter alfanumerik, tanda pisah ('-'), dan tanda garis bawah ('_').`
-alpha_dash_dot_error=` seharusnya hanya mengandung karakter alfanumerik, tanda pisah ('-'), tanda garis bawah ('_'), dan titik ('.')`
+alpha_dash_error=` hanya boleh berisi karakter alfanumerik, tanda hubung ("-") dan garis bawah ("_").`
+alpha_dash_dot_error=` hanya boleh berisi karakter alfanumerik, tanda hubung ("-"), garis bawah ("_") dan titik (".").`
 git_ref_name_error=` harus berupa nama referensi Git yang baik dan benar.`
 size_error=` harus berukuran %s.`
 min_size_error=` harus berisi karakter %s setidaknya.`
@@ -349,19 +594,90 @@ auth_failed=Otentikasi gagal: %v
 
 
 target_branch_not_exist=Target cabang tidak ada.
+FullName = Nama lengkap
+Description = Deskripsi
+Pronouns = Kata ganti
+Biography = Biografi
+Website = Situs web
+Location = Lokasi
+Retype = Konfirmasi kata sandi
+To = Nama cabang
+AccessToken = Token akses
+url_error = `"%s" bukan URL yang valid.`
+include_error = ` harus mengandung substring "%s".`
+regex_pattern_error = ` pola regex tidak valid: %s.`
+username_error = ` hanya boleh berisi karakter alfanumerik ("0-9","a-z","A-Z"), tanda hubung ("-"), garis bawah ("_") dan titik ("."). Tidak boleh diawali atau diakhiri dengan karakter non-alfanumerik, dan karakter non-alfanumerik berurutan juga tidak diperbolehkan.`
+username_error_no_dots = ` hanya boleh berisi karakter alfanumerik ("0-9","a-z","A-Z"), tanda hubung ("-") dan garis bawah ("_"). Tidak boleh diawali atau diakhiri dengan karakter non-alfanumerik, dan karakter non-alfanumerik berurutan juga tidak diperbolehkan.`
+invalid_group_team_map_error = ` pemetaan tidak valid: %s`
+username_change_not_local_user = Pengguna non-lokal tidak diizinkan mengubah nama pengguna mereka.
+username_claiming_cooldown = Nama pengguna tidak dapat diklaim karena periode tenang belum berakhir. Dapat diklaim pada %[1]s.
+repository_force_private = Paksa Privat diaktifkan: repositori privat tidak dapat dijadikan publik.
+repository_files_already_exist = File sudah ada untuk repositori ini. Hubungi administrator sistem.
+repository_files_already_exist.adopt = File sudah ada untuk repositori ini dan hanya dapat Diadopsi.
+repository_files_already_exist.delete = File sudah ada untuk repositori ini. Anda harus menghapusnya.
+repository_files_already_exist.adopt_or_delete = File sudah ada untuk repositori ini. Adopsi atau hapus file tersebut.
+email_invalid = Alamat email tidak valid.
+email_domain_is_not_allowed = Domain alamat email pengguna <b>%s</b> bertentangan dengan EMAIL_DOMAIN_ALLOWLIST atau EMAIL_DOMAIN_BLOCKLIST. Pastikan Anda telah mengatur alamat email dengan benar.
+openid_been_used = Alamat OpenID "%s" sudah digunakan.
+enterred_invalid_org_name = Nama organisasi yang Anda masukkan tidak benar.
+unset_password = Pengguna yang masuk belum mengatur kata sandi.
+unsupported_login_type = Jenis login ini tidak mendukung penghapusan akun.
+last_org_owner = Anda tidak dapat menghapus pengguna terakhir dari tim "owners". Harus ada setidaknya satu pemilik untuk sebuah organisasi.
+duplicate_invite_to_team = Pengguna tersebut sudah diundang sebagai anggota tim.
+organization_leave_success = Anda telah berhasil keluar dari organisasi %s.
+invalid_ssh_principal = Principal tidak valid: %s
+must_use_public_key = Kunci yang Anda berikan adalah kunci privat. Jangan mengunggah kunci privat Anda ke mana pun. Gunakan kunci publik Anda sebagai gantinya.
+unable_verify_ssh_key = Tidak dapat memverifikasi kunci SSH, periksa kembali untuk kesalahan.
+still_own_repo = Akun Anda memiliki satu atau lebih repositori, hapus atau transfer terlebih dahulu.
+still_has_org = Akun Anda adalah anggota satu atau lebih organisasi, keluar terlebih dahulu.
+still_own_packages = Akun Anda memiliki satu atau lebih paket, hapus terlebih dahulu.
+org_still_own_repo = Organisasi ini masih memiliki satu atau lebih repositori, hapus atau transfer terlebih dahulu.
+org_still_own_packages = Organisasi ini masih memiliki satu atau lebih paket, hapus terlebih dahulu.
+admin_cannot_delete_self = Anda tidak dapat menghapus diri sendiri saat Anda adalah admin. Harap hapus hak admin Anda terlebih dahulu.
+required_prefix = Masukan harus dimulai dengan "%s"
 
 
 [user]
 change_avatar=Ganti avatar anda…
 repositories=Repositori
-activity=Aktivitas Publik
+activity=Aktivitas publik
 followers_few=%d pengikut
-starred=Repositori Terbintang
+starred=Repositori yang dibintangi
 overview=Tinjauan
 following_few=%d mengikuti
 follow=Ikuti
 unfollow=Berhenti Mengikuti
 user_bio=Biografi
+joined_on = Bergabung pada %s
+followers.title.one = Pengikut
+followers.title.few = Pengikut
+following.title.one = Mengikuti
+following.title.few = Mengikuti
+followers_one = %d pengikut
+following_one = %d mengikuti
+block_user = Blokir pengguna
+block_user.detail = Harap perhatikan bahwa memblokir pengguna memiliki efek lain, seperti:
+block_user.detail_1 = Anda akan berhenti saling mengikuti dan tidak akan dapat saling mengikuti.
+block_user.detail_2 = Pengguna ini tidak akan dapat berinteraksi dengan repositori yang Anda miliki, atau issue dan komentar yang telah Anda buat.
+block_user.detail_3 = Anda tidak akan dapat saling menambahkan sebagai kolaborator repositori.
+follow_blocked_user = Anda tidak dapat mengikuti pengguna ini karena Anda telah memblokir pengguna ini atau pengguna ini telah memblokir Anda.
+watched = Repositori yang dipantau
+code = Kode
+projects = Proyek
+block = Blokir
+unblock = Buka blokir
+email_visibility.limited = Alamat email Anda terlihat oleh semua pengguna yang terautentikasi
+show_on_map = Tampilkan tempat ini di peta
+settings = Pengaturan pengguna
+disabled_public_activity = Pengguna ini telah menonaktifkan visibilitas publik aktivitasnya.
+public_activity.visibility_hint.self_public = Aktivitas Anda terlihat oleh semua orang, kecuali interaksi di ruang privat. <a href="%s">Konfigurasi</a>.
+public_activity.visibility_hint.admin_public = Aktivitas ini terlihat oleh semua orang, tetapi sebagai administrator Anda juga dapat melihat interaksi di ruang privat.
+public_activity.visibility_hint.self_private = Aktivitas Anda hanya terlihat oleh Anda dan administrator instans. <a href="%s">Konfigurasi</a>.
+public_activity.visibility_hint.admin_private = Aktivitas ini terlihat oleh Anda karena Anda adalah administrator, tetapi pengguna menginginkannya tetap privat.
+public_activity.visibility_hint.self_private_profile = Aktivitas Anda hanya terlihat oleh Anda dan administrator instans karena profil Anda bersifat privat. <a href="%s">Konfigurasi</a>.
+form.name_reserved = Nama pengguna "%s" sudah dicadangkan.
+form.name_pattern_not_allowed = Pola "%s" tidak diperbolehkan dalam nama pengguna.
+form.name_chars_not_allowed = Nama pengguna "%s" mengandung karakter yang tidak valid.
 
 
 [settings]
@@ -375,16 +691,16 @@ applications=Aplikasi
 orgs=Organisasi
 repos=Repositori
 delete=Hapus akun
-twofa=Otentikasi Dua-Faktor
+twofa=Autentikasi dua faktor (TOTP)
 organization=Organisasi
 
 public_profile=Profil publik
 password_username_disabled=Pengguna non-lokal tidak diizinkan untuk mengubah nama pengguna mereka. Silakan hubungi administrator sistem anda untuk lebih lanjut.
-full_name=Nama Lengkap
+full_name=Nama lengkap
 website=Situs Web
 location=Lokasi
-update_theme=Perbarui Tema
-update_profile=Perbarui Profil
+update_theme=Ubah tema
+update_profile=Perbarui profil
 update_profile_success=Profil anda telah diperbarui.
 change_username=Nama pengguna Anda telah diganti.
 continue=Lanjutkan
@@ -393,51 +709,51 @@ language=Bahasa
 ui=Tema
 comment_type_group_title=Judul
 
-lookup_avatar_by_mail=Cari Avatar melalui Alamat Email
-enable_custom_avatar=Gunakan Avatar Pilihan
+lookup_avatar_by_mail=Cari avatar berdasarkan alamat email
+enable_custom_avatar=Gunakan avatar kustom
 choose_new_avatar=Pilih avatar baru
-update_avatar=Perbarui Avatar
-delete_current_avatar=Hapus Avatar Saat Ini
+update_avatar=Perbarui avatar
+delete_current_avatar=Hapus avatar saat ini
 uploaded_avatar_not_a_image=Berkas yang diunggah bukanlah gambar.
 update_avatar_success=Avatar Anda telah diperbarui.
 
 update_password=Perbarui kata sandi
-old_password=Kata Sandi Saat Ini
-new_password=Kata Sandi Baru
+old_password=Kata sandi saat ini
+new_password=Kata sandi baru
 password_incorrect=Kata sandi saat ini salah.
-change_password_success=Sandi Anda telah diperbarui. Mulai dari sekarang gunakan kata sandi yang baru.
+change_password_success=Kata sandi Anda telah diperbarui. Mulai sekarang, gunakan kata sandi baru Anda untuk masuk.
 password_change_disabled=Pengguna non-lokal tidak dapat mengganti kata sandi mereka melalui antarmuka web Forgejo.
 
-manage_emails=Kelola Alamat Surel
+manage_emails=Kelola alamat email
 manage_themes=Tema default
 manage_openid=Alamat OpenID
-theme_desc=Ini akan menjadi tema asal Anda pada keseluruhan situs.
+theme_desc=Tema ini akan digunakan untuk antarmuka web saat Anda masuk.
 primary=Utama
 activated=Diaktifkan
-primary_email=Buat Utama
+primary_email=Jadikan utama
 delete_email=Hapus
-email_deletion=Hapus Alamat Email
-email_deletion_desc=Alamat email dan informasi terkait akan dihapus dari akun. Git commit dengan alamat email ini akan tetap tidak berubah. Lanjutkan?
+email_deletion=Hapus alamat email
+email_deletion_desc=Alamat email ini dan informasi terkait akan dihapus dari akun Anda. Commit Git dengan alamat email ini akan tetap tidak berubah. Lanjutkan?
 email_deletion_success=Alamat email Anda telah dihapus.
 theme_update_success=Tema Anda diperbarui.
 theme_update_error=Thema yang dipilih tidak ada.
 openid_deletion=Hapus Alamat OpenID
 openid_deletion_desc=Menghapus alamat OpenID ini dari akun anda akan mencegah anda masuk dengan itu. Lanjutkan?
 openid_deletion_success=Alamat OpenID telah dihapus.
-add_new_email=Tambahkan alamat email baru
-add_new_openid=Tambahkan URI OpenID Baru
-add_email=Tambah Alamat Email
+add_new_email=Tambahkan alamat email
+add_new_openid=Tambahkan URI OpenID baru
+add_email=Tambahkan alamat email
 add_openid=Tambahkan bukaID URI baru
 add_email_success=Alamat surel telah ditambahkan.
 add_openid_success=Alamat OpenID telah ditambahkan.
-keep_email_private=Sembunyikan Alamat Surel
+keep_email_private=Sembunyikan alamat email
 openid_desc=OpenID memungkinkan anda melimpahkan autentikasi kepada penyedia eksternal.
 
-manage_ssh_keys=Mengelola Kunci SSH
-manage_gpg_keys=Mengelola Kunci GPG
-add_key=Tambahkan Kunci
-ssh_desc=Kunci publik SSH berikut terasosiasi dengan akun Anda. Kunci publik yang bersesuaian membolehkan akses penuh ke repositori Anda.
-gpg_desc=Kunci publik GPG berikut terasosiasi dengan akun Anda. Jaga kunci pribadi Anda aman oleh karena akan membolehkan komit untuk diverifikasi.
+manage_ssh_keys=Kelola kunci SSH
+manage_gpg_keys=Kelola kunci GPG
+add_key=Tambahkan kunci
+ssh_desc=Kunci SSH publik ini terkait dengan akun Anda. Kunci privat yang sesuai memungkinkan akses penuh ke repositori Anda. Kunci SSH yang telah diverifikasi dapat digunakan untuk memverifikasi commit Git yang ditandatangani dengan SSH.
+gpg_desc=Kunci GPG publik ini terkait dengan akun Anda dan digunakan untuk memverifikasi commit Anda. Jaga keamanan kunci privat Anda karena memungkinkan penandatanganan commit dengan identitas Anda.
 ssh_helper=<strong>Butuh bantuan?</strong> Lihatlah pada petunjuk GitHub untuk <a href="%s">menciptakan kunci SSH anda sendiri</a> atau pecahkan <a href="%s">permasalahan umum</a> yang mungkin anda hadapi menggunakan SSH.
 gpg_helper=<strong>Butuh bantuan?</strong> Lihatlah pada petunjuk GitHub <a href="%s">tentang GPG</a>.
 ssh_key_been_used=Kunci SSH ini telah ditambahkan ke peladen.
@@ -448,12 +764,12 @@ ssh_key_verify=Verifikasi
 ssh_token=Token
 subkeys=Subkunci
 key_id=ID Kunci
-key_name=Nama Kunci
+key_name=Nama kunci
 key_content=Konten
 principal_content=Konten
 delete_key=Hapus
-ssh_key_deletion=Hapus Kunci SSH
-gpg_key_deletion=Hapus Kunci GPG
+ssh_key_deletion=Hapus kunci SSH
+gpg_key_deletion=Hapus kunci GPG
 ssh_key_deletion_desc=Menghapus kunci SSH akan mencabut akses ke akun Anda. Lanjutkan?
 gpg_key_deletion_desc=Menghapus kunci GPG membatalkan verifikasi komit yang ditandatanganinya. Lanjutkan?
 ssh_key_deletion_success=Kunci SSH telah dihapus.
@@ -467,46 +783,46 @@ key_state_desc=Kunci ini telah digunakan 7 hari yang lalu
 token_state_desc=Token ini telah digunakan dalam 7 hari terakhir
 show_openid=Tampilkan pada profil
 hide_openid=Sembunyikan dari profil
-ssh_disabled=SSH Dimatikan
-manage_access_token=Kelola Token Akses
-generate_new_token=Hasilkan Token Baru
+ssh_disabled=SSH dinonaktifkan
+manage_access_token=Token akses
+generate_new_token=Buat token baru
 tokens_desc=Token berikut akan memberikan akses ke Akun Anda menggunakan API Forgejo.
-token_name=Nama Token
-generate_token=Hasilkan Token
+token_name=Nama token
+generate_token=Buat token
 generate_token_success=Token baru Anda telah dibuat. Salin sekarang oleh karena tidak akan ditampilkan lagi.
 delete_token=Hapus
-access_token_deletion=Hapus Token Akses
+access_token_deletion=Hapus token akses
 delete_token_success=Token telah dihapus. Aplikasi yang menggunakannya tidak lagi memiliki akses ke akun Anda.
 permission_read=Dibaca
 
-manage_oauth2_applications=Kelola Aplikasi OAuth2
+manage_oauth2_applications=Kelola aplikasi OAuth2
 edit_oauth2_application=Sunting Aplikasi OAuth2
 oauth2_applications_desc=Aplikasi OAuth2 memungkinkan aplikasi pihak ketiga Anda untuk autentikasi pengguna pada instans Forgejo ini dengan aman.
 remove_oauth2_application=Hapus Aplikasi OAuth2
 remove_oauth2_application_desc=Menghapus aplikasi OAuth2 akan mencabut akses ke semua token akses yang tertandatangani. Lanjutkan?
 remove_oauth2_application_success=Aplikasi telah dihapus.
 create_oauth2_application=Buat aplikasi OAuth2 baru
-create_oauth2_application_button=Buat Aplikasi
-oauth2_application_name=Nama Aplikasi
+create_oauth2_application_button=Buat aplikasi
+oauth2_application_name=Nama aplikasi
 save_application=Simpan
 oauth2_client_id=ID Klien
-oauth2_client_secret=Rahasia Klien
-oauth2_regenerate_secret=Buat Ulang Rahasia
+oauth2_client_secret=Rahasia klien
+oauth2_regenerate_secret=Buat ulang rahasia
 oauth2_regenerate_secret_hint=Anda kehilangan rahasia?
 oauth2_application_edit=Sunting
 oauth2_application_create_description=Aplikasi OAuth2 memberikan aplikasi pihak ketiga Anda akses akun pengguna pada instans ini.
 
-authorized_oauth2_applications=Aplikasi OAuth2 Terotorisasi
+authorized_oauth2_applications=Aplikasi OAuth2 yang diotorisasi
 revoke_key=Cabut
-revoke_oauth2_grant=Cabut Akses
+revoke_oauth2_grant=Cabut akses
 revoke_oauth2_grant_description=Mencabut akses untuk aplikasi pihak ketiga ini akan mencegahnya mengakses data Anda. Lanjutkan?
 
 twofa_desc=Autentikasi dua faktor menambah keamanan akun Anda.
 twofa_is_enrolled=Akun anda saat ini <strong>terdaftar</strong> dalam otentikasi dua-faktor.
 twofa_not_enrolled=Akun anda saat ini tidak terdaftar dalam otentikasi dua-faktor.
-twofa_disable=Matikan Autentikasi Dua Faktor
-twofa_scratch_token_regenerate=Buat Ulang Token Gosok
-twofa_enroll=Daftarkan ke Autentikasi Dua-Faktor
+twofa_disable=Nonaktifkan autentikasi dua faktor
+twofa_scratch_token_regenerate=Buat ulang kunci pemulihan sekali pakai
+twofa_enroll=Daftarkan autentikasi dua faktor
 twofa_disable_note=Anda bisa mematikan autentikasi dua-faktor bila diperlukan.
 twofa_disable_desc=Mematikan autentikasi dua-faktor akan membuat akun Anda kurang aman. Lanjutkan?
 regenerate_scratch_token_desc=Jika Anda salah tempatkan token gosok Anda atau sudah menggunakannya, Anda bisa setel ulang di sini.
@@ -516,58 +832,224 @@ or_enter_secret=Atau masukkan rahasia: %s
 passcode_invalid=Kode sandi salah. Coba lagi.
 
 
-manage_account_links=Kelola akun tertaut
+manage_account_links=Akun yang ditautkan
 manage_account_links_desc=Semua akun eksternal ini sementara tertaut dengan akun Forgejo Anda.
-link_account=Tautan Akun
-remove_account_link=Hapus Akun Tertaut
+link_account=Tautkan akun
+remove_account_link=Hapus akun yang ditautkan
 remove_account_link_desc=Menghapus akun tertaut akan membuat akun itu tidak bisa mengakses akun Forgejo Anda. Lanjutkan?
 remove_account_link_success=Akun tertaut sudah dihapus.
 
 
 orgs_none=Anda bukan anggota dari organisasi apapun.
 
-delete_account=Hapus Akun Anda
+delete_account=Hapus akun Anda
 delete_prompt=Langkah ini akan menghapus akun Anda secara permanen. <strong>Anda yakin?</strong>.
-confirm_delete_account=Konfirmasi Penghapusan
-delete_account_title=Hapus Akun Pengguna
+confirm_delete_account=Konfirmasi penghapusan
+delete_account_title=Hapus akun pengguna
 delete_account_desc=Apakah Anda yakin ingin menghapus secara permanen akun pengguna ini?
 
-email_notifications.enable=Aktifkan Pemberitahuan Surel
-email_notifications.disable=Nonaktifkan Email Notifikasi
-email_notifications.submit=Pasang Pengaturan Email
+email_notifications.enable=Aktifkan notifikasi email
+email_notifications.disable=Nonaktifkan notifikasi email
+email_notifications.submit=Atur preferensi email
 
 visibility.private=Pribadi
 
 visibility.public = Publik
+appearance = Tampilan
+webauthn = Autentikasi dua faktor (Kunci keamanan)
+blocked_users = Pengguna yang diblokir
+storage_overview = Ikhtisar penyimpanan
+quota = Kuota
+biography_placeholder = Ceritakan sedikit tentang diri Anda kepada orang lain! (Markdown didukung)
+location_placeholder = Bagikan perkiraan lokasi Anda kepada orang lain
+profile_desc = Tentang Anda
+pronouns = Kata ganti
+pronouns_unspecified = Tidak ditentukan
+update_language = Ubah bahasa
+update_language_not_found = Bahasa "%s" tidak tersedia.
+update_language_success = Bahasa telah diperbarui.
+change_username_prompt = Catatan: Mengubah nama pengguna Anda juga mengubah URL akun Anda.
+change_username_redirect_prompt = Nama pengguna lama akan melakukan pengalihan hingga seseorang mengklaimnya.
+change_username_redirect_prompt.with_cooldown.one = Nama pengguna lama akan tersedia untuk semua orang setelah periode tenang %[1]d hari. Anda masih dapat mengklaim ulang nama pengguna lama selama periode tenang.
+change_username_redirect_prompt.with_cooldown.few = Nama pengguna lama akan tersedia untuk semua orang setelah periode tenang %[1]d hari. Anda masih dapat mengklaim ulang nama pengguna lama selama periode tenang.
+language.title = Bahasa default
+language.description = Bahasa ini akan disimpan ke akun Anda dan digunakan sebagai default setelah Anda masuk.
+language.localization_project = Bantu kami menerjemahkan Forgejo ke dalam bahasa Anda! <a href="%s">Pelajari lebih lanjut</a>.
+hints = Petunjuk
+additional_repo_units_hint = Sarankan untuk mengaktifkan unit repositori tambahan
+additional_repo_units_hint_description = Tampilkan petunjuk "Aktifkan lebih banyak" untuk repositori yang tidak memiliki semua unit yang tersedia diaktifkan.
+update_hints = Perbarui petunjuk
+update_hints_success = Petunjuk telah diperbarui.
+hidden_comment_types = Jenis komentar tersembunyi
+hidden_comment_types_description = Jenis komentar yang dicentang di sini tidak akan ditampilkan di dalam halaman isu. Mencentang "Label" misalnya menghapus semua komentar "<user> menambahkan/menghapus <label>".
+hidden_comment_types.ref_tooltip = Komentar di mana issue ini direferensikan dari isu/komit/… lain
+hidden_comment_types.issue_ref_tooltip = Komentar di mana pengguna mengubah cabang/tag yang terkait dengan isu
+comment_type_group_reference = Referensi
+comment_type_group_label = Label
+comment_type_group_milestone = Tonggak pencapaian
+comment_type_group_assignee = Penugasan
+comment_type_group_branch = Cabang
+comment_type_group_time_tracking = Pelacakan waktu
+comment_type_group_deadline = Tenggat waktu
+comment_type_group_dependency = Ketergantungan
+comment_type_group_lock = Status kunci
+comment_type_group_review_request = Permintaan tinjauan
+comment_type_group_pull_request_push = Komit yang ditambahkan
+comment_type_group_project = Proyek
+comment_type_group_issue_ref = Referensi isu
+saved_successfully = Pengaturan Anda berhasil disimpan.
+privacy = Privasi
+keep_activity_private = Sembunyikan aktivitas dari halaman profil
+keep_activity_private.description = <a href="%s">Aktivitas publik</a> Anda hanya akan terlihat oleh Anda dan administrator instans.
+uploaded_avatar_is_too_big = Ukuran file yang diunggah (%d KiB) melebihi ukuran maksimum (%d KiB).
+update_user_avatar_success = Avatar pengguna telah diperbarui.
+change_password = Ubah kata sandi
+retype_new_password = Konfirmasi kata sandi baru
+email_desc = Alamat email utama Anda akan digunakan untuk notifikasi, pemulihan kata sandi, dan asalkan tidak disembunyikan, operasi Git berbasis web.
+requires_activation = Memerlukan aktivasi
+activate_email = Kirim aktivasi
+activations_pending = Aktivasi tertunda
+can_not_add_email_activations_pending = Ada aktivasi yang tertunda, coba lagi dalam beberapa menit jika Anda ingin menambahkan email baru.
+add_email_confirmation_sent = Email konfirmasi telah dikirimkan ke "%s". Untuk mengonfirmasi alamat email Anda, silakan periksa kotak masuk dan ikuti tautan yang diberikan dalam %s ke depan.
+email_preference_set_success = Preferensi email berhasil diatur.
+keep_email_private_popup = Alamat email tidak akan ditampilkan di halaman profil dan tidak akan menjadi default untuk commit yang dilakukan melalui antarmuka web, seperti unggahan file, pengeditan, dan commit penggabungan. Sebagai gantinya, alamat khusus %s dapat digunakan untuk menautkan commit ke akun pengguna. Opsi ini tidak akan memengaruhi commit yang sudah ada.
+keep_pronouns_private = Tampilkan kata ganti hanya kepada pengguna yang terautentikasi
+keep_pronouns_private.description = Ini akan menyembunyikan kata ganti Anda dari pengunjung yang belum masuk.
+manage_ssh_principals = Kelola Principal Sertifikat SSH
+principal_desc = Principal sertifikat SSH ini terkait dengan akun Anda dan memungkinkan akses penuh ke repositori Anda.
+key_content_ssh_placeholder = Dimulai dengan "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ecdsa-sha2-nistp256@openssh.com", atau "sk-ssh-ed25519@openssh.com"
+key_content_gpg_placeholder = Dimulai dengan "-----BEGIN PGP PUBLIC KEY BLOCK-----"
+add_new_principal = Tambahkan principal
+ssh_key_name_used = Kunci SSH dengan nama yang sama sudah ada di akun Anda.
+ssh_principal_been_used = Principal ini sudah ditambahkan ke server.
+gpg_no_key_email_found = Kunci GPG ini tidak cocok dengan alamat email aktif yang terkait dengan akun Anda. Kunci ini tetap dapat ditambahkan jika Anda menandatangani token yang diberikan.
+gpg_key_matched_identities = Identitas yang Cocok:
+gpg_key_matched_identities_long = Identitas yang tertanam dalam kunci ini cocok dengan alamat email aktif berikut untuk pengguna ini. Commit yang cocok dengan alamat email ini dapat diverifikasi dengan kunci ini.
+gpg_key_verified = Kunci terverifikasi
+gpg_key_verified_long = Kunci telah diverifikasi dengan token dan dapat digunakan untuk memverifikasi commit yang cocok dengan alamat email aktif mana pun untuk pengguna ini selain identitas yang cocok untuk kunci ini.
+gpg_invalid_token_signature = Kunci GPG, tanda tangan, dan token yang diberikan tidak cocok atau token sudah kedaluwarsa.
+gpg_token_required = Anda harus memberikan tanda tangan untuk token di bawah ini
+gpg_token_help = Anda dapat membuat tanda tangan menggunakan:
+gpg_token_signature = Tanda tangan GPG berformat armor
+key_signature_gpg_placeholder = Dimulai dengan "-----BEGIN PGP SIGNATURE-----"
+verify_gpg_key_success = Kunci GPG "%s" telah diverifikasi.
+ssh_key_verified = Kunci terverifikasi
+ssh_key_verified_long = Kunci telah diverifikasi dengan token dan dapat digunakan untuk memverifikasi commit yang cocok dengan alamat email aktif mana pun untuk pengguna ini.
+ssh_invalid_token_signature = Kunci SSH, tanda tangan, atau token yang diberikan tidak cocok atau token sudah kedaluwarsa.
+ssh_token_required = Anda harus memberikan tanda tangan untuk token di bawah ini
+ssh_token_help = Anda dapat membuat tanda tangan menggunakan:
+ssh_token_help_ssh_agent = atau, jika Anda menggunakan agen SSH (dengan variabel SSH_AUTH_SOCK yang telah diatur):
+ssh_token_signature = Tanda tangan SSH berformat armor
+key_signature_ssh_placeholder = Dimulai dengan "-----BEGIN SSH SIGNATURE-----"
+verify_ssh_key_success = Kunci SSH "%s" telah diverifikasi.
+add_key_success = Kunci SSH "%s" telah ditambahkan.
+add_gpg_key_success = Kunci GPG "%s" telah ditambahkan.
+add_principal_success = Principal sertifikat SSH "%s" telah ditambahkan.
+ssh_principal_deletion = Hapus Principal Sertifikat SSH
+ssh_principal_deletion_desc = Menghapus Principal Sertifikat SSH akan mencabut aksesnya ke akun Anda. Lanjutkan?
+ssh_principal_deletion_success = Principal telah dihapus.
+added_on = Ditambahkan pada %s
+valid_until_date = Berlaku hingga %s
+principal_state_desc = Principal ini telah digunakan dalam 7 hari terakhir
+ssh_signonly = SSH saat ini dinonaktifkan sehingga kunci-kunci ini hanya digunakan untuk verifikasi tanda tangan komit.
+ssh_externally_managed = Kunci SSH ini dikelola secara eksternal untuk pengguna ini
+generate_token_name_duplicate = <strong>%s</strong> sudah digunakan sebagai nama aplikasi. Harap gunakan nama baru.
+access_token_deletion_desc = Menghapus token akan mencabut akses ke akun Anda untuk aplikasi yang menggunakannya. Tindakan ini tidak dapat dibatalkan. Lanjutkan?
+regenerate_token = Buat ulang
+access_token_regeneration = Buat ulang token akses
+access_token_regeneration_desc = Membuat ulang token akan mencabut akses ke akun Anda untuk aplikasi yang menggunakannya. Tindakan ini tidak dapat dibatalkan. Lanjutkan?
+regenerate_token_success = Token telah dibuat ulang. Aplikasi yang menggunakannya tidak lagi memiliki akses ke akun Anda dan harus diperbarui dengan token baru.
+repo_and_org_access = Akses repositori dan organisasi
+permissions_public_only = Publik saja
+permissions_access_all = Semua (publik, privat, dan terbatas)
+select_permissions = Pilih izin
+permission_no_access = Tanpa akses
+permission_write = Baca dan tulis
+access_token_desc = Izin token yang dipilih membatasi otorisasi hanya pada rute <a href="%s" target="_blank">API</a> yang sesuai. Baca <a href="%s" target="_blank">dokumentasi</a> untuk informasi lebih lanjut.
+at_least_one_permission = Anda harus memilih setidaknya satu izin untuk membuat token
+permissions_list = Izin:
+create_oauth2_application_success = Anda telah berhasil membuat aplikasi OAuth2 baru.
+update_oauth2_application_success = Anda telah berhasil memperbarui aplikasi OAuth2.
+oauth2_confidential_client = Klien rahasia. Pilih untuk aplikasi yang menjaga kerahasiaan rahasia, seperti aplikasi web. Jangan pilih untuk aplikasi native termasuk aplikasi desktop dan mobile.
+oauth2_redirect_uris = URI pengalihan. Harap gunakan baris baru untuk setiap URI.
+oauth2_application_remove_description = Menghapus aplikasi OAuth2 akan mencegahnya mengakses akun pengguna yang diotorisasi pada instans ini. Lanjutkan?
+oauth2_application_locked = Forgejo mendaftarkan beberapa aplikasi OAuth2 saat startup jika diaktifkan dalam konfigurasi. Untuk mencegah perilaku yang tidak terduga, aplikasi-aplikasi ini tidak dapat diedit maupun dihapus. Silakan merujuk ke dokumentasi OAuth2 untuk informasi lebih lanjut.
+authorized_oauth2_applications_description = Anda telah memberikan akses ke akun Forgejo pribadi Anda kepada aplikasi pihak ketiga ini. Harap cabut akses untuk aplikasi yang tidak lagi digunakan.
+revoke_oauth2_grant_success = Akses berhasil dicabut.
+twofa_recovery_tip = Jika Anda kehilangan perangkat, Anda dapat menggunakan kunci pemulihan sekali pakai untuk mendapatkan kembali akses ke akun Anda.
+twofa_scratch_token_regenerated = Kunci pemulihan sekali pakai Anda sekarang adalah %s. Simpan di tempat yang aman, karena tidak akan ditampilkan lagi.
+then_enter_passcode = Dan masukkan kode sandi yang ditampilkan di aplikasi:
+twofa_enrolled = Akun Anda telah berhasil didaftarkan. Simpan kunci pemulihan sekali pakai Anda (%s) di tempat yang aman, karena tidak akan ditampilkan lagi.
+twofa_failed_get_secret = Gagal mendapatkan rahasia.
+webauthn_desc = Kunci keamanan adalah perangkat keras yang berisi kunci kriptografi. Kunci ini dapat digunakan untuk autentikasi dua faktor. Kunci keamanan harus mendukung standar <a rel="noreferrer" target="_blank" href="%s">WebAuthn Authenticator</a>.
+webauthn_register_key = Tambahkan kunci keamanan
+webauthn_nickname = Nama panggilan
+webauthn_delete_key = Hapus kunci keamanan
+webauthn_delete_key_desc = Jika Anda menghapus kunci keamanan, Anda tidak dapat lagi masuk dengannya. Lanjutkan?
+webauthn_key_loss_warning = Jika Anda kehilangan semua kunci keamanan, Anda akan kehilangan akses ke akun Anda.
+webauthn_alternative_tip = Anda mungkin ingin mengonfigurasi metode autentikasi tambahan.
+hooks.desc = Tambahkan webhook yang akan dipicu untuk <strong>semua repositori</strong> yang Anda miliki.
+repos_none = Anda tidak memiliki repositori apa pun.
+blocked_users_none = Tidak ada pengguna yang diblokir.
+delete_with_all_comments = Akun Anda berusia kurang dari %s. Untuk menghindari komentar hantu, semua komentar isu/PR akan dihapus bersamanya.
+email_notifications.onmention = Hanya email saat disebut
+email_notifications.andyourown = Dan notifikasi Anda sendiri
+visibility = Visibilitas pengguna
+visibility.public_tooltip = Terlihat oleh semua orang
+visibility.limited = Terbatas
+visibility.limited_tooltip = Hanya terlihat oleh pengguna yang sudah masuk
+visibility.private_tooltip = Hanya terlihat oleh anggota organisasi yang telah Anda ikuti
+blocked_since = Diblokir sejak %s
+user_unblock_success = Pengguna telah berhasil dibuka blokirnya.
+user_block_success = Pengguna telah berhasil diblokir.
+user_block_yourself = Anda tidak dapat memblokir diri sendiri.
+quota.applies_to_user = Aturan kuota berikut berlaku untuk akun Anda
+quota.applies_to_org = Aturan kuota berikut berlaku untuk organisasi ini
+quota.rule.exceeded = Terlampaui
+quota.rule.exceeded.helper = Total ukuran objek untuk aturan ini telah melampaui kuota.
+quota.rule.no_limit = Tidak terbatas
+quota.sizes.all = Semua
+quota.sizes.repos.all = Repositori
+quota.sizes.repos.public = Repositori publik
+quota.sizes.repos.private = Repositori privat
+quota.sizes.git.all = Konten Git
+quota.sizes.git.lfs = Git LFS
+quota.sizes.assets.all = Aset
+quota.sizes.assets.attachments.all = Lampiran
+quota.sizes.assets.attachments.issues = Lampiran isu
+quota.sizes.assets.attachments.releases = Lampiran rilis
+quota.sizes.assets.artifacts = Artefak
+quota.sizes.assets.packages.all = Paket
+quota.sizes.wiki = Wiki
 
 [repo]
 owner=Pemilik
-repo_name=Nama Repositori
+repo_name=Nama repositori
 repo_name_helper=Nama repositori yang baik menggunakan kata kunci yang pendek, unik, dan bisa diingat.
 repo_size=Ukuran Repositori
 template=Templat
-template_select=Pilih template.
+template_select=Pilih templat
 template_helper=Buat repositori menjadi templat
 template_description=Repositori template membolehkan pengguna membuat repositori baru dengan struktur direktori, berkas, dan pengaturan opsional yang sama.
 visibility=Jarak pandang
 visibility_description=Hanya pemilik, atau anggota dari organisasi ini yang punya akses, yang dapat melihatnya.
 visibility_helper_forced=Admin situs Anda memaksa repositori baru menjadi pribadi.
-visibility_fork_helper=(Mengubah hal ini akan mempengaruhi semua garpu.)
+visibility_fork_helper=(Mengubah ini akan memengaruhi visibilitas semua garpu.)
 clone_helper=Butuh bantuan kloning? Kunjungi <a target="_blank" rel="noopener noreferrer" href="%s">Bantuan</a>.
-fork_repo=Cabang Gudang penyimpanan
-fork_from=Cabang Dari
+fork_repo=Garpu repositori
+fork_from=Garpu dari
 generate_repo=Buat Repositori
 repo_desc=Deskripsi
 repo_lang=Bahasa
-issue_labels=Label Masalah
-issue_labels_helper=Pilih serangkaian label masalah.
+issue_labels=Label
+issue_labels_helper=Pilih kumpulan label
 license=Lisensi
-license_helper=Pilih berkas lisensi.
+license_helper=Pilih file lisensi
 readme=README
-readme_helper=Pilih templat berkas README.
-auto_init=Inisialisasi Repositori (tambahkan .gitignore, lisensi, dan README)
-create_repo=Buat Gudang penyimpanan
-default_branch=Cabang Default
+readme_helper=Pilih templat file README
+auto_init=Inisialisasi repositori
+create_repo=Buat repositori
+default_branch=Cabang default
 mirror_prune=Memangkas
 mirror_last_synced=Sinkronisasi Terakhir
 watchers=Pengamat
@@ -585,14 +1067,14 @@ desc.template=Contoh
 template.webhooks=Webhooks
 template.topics=Topik
 template.avatar=Avatar
-template.issue_labels=Label Masalah
+template.issue_labels=Label isu
 
-migrate_repo=Migrasi Repositori
+migrate_repo=Migrasi repositori
 migrate.permission_denied=Anda tidak diizinkan untuk mengimpor repositori lokal.
 migrate.failed=Migrasi gagal: %v
 migrated_from=Termigrasi dari <a href="%[1]s">%[2]s</a>
-migrated_from_fake=Termigrasi Dari %[1]s
-migrate.migrating=Memigrasi dari <b>%s</b> ...
+migrated_from_fake=Dimigrasi dari %s
+migrate.migrating=Migrasi dari <b>%s</b> …
 migrate.migrating_failed=Migrasi dari <b>%s</b> gagal.
 
 mirror_from=duplikat dari
@@ -607,8 +1089,8 @@ star=Bintang
 fork=Garpu
 download_archive=Unduh Repositori
 
-no_desc=Tidak ada Deskripsi
-quick_guide=Panduan Cepat
+no_desc=Tidak ada deskripsi
+quick_guide=Panduan cepat
 clone_this_repo=Klon repositori ini
 create_new_repo_command=Membuat repositori baru pada baris perintah
 push_exist_repo=Mendorong sebuah repositori yang ada di baris perintah
@@ -620,7 +1102,7 @@ filter_branch_and_tag=Filter cabang atau tag
 branches=Cabang
 tags=Tag
 issues=Masalah
-pulls=Tarik Permintaan
+pulls=Permintaan tarik
 labels=Label
 
 milestones=Tonggak
@@ -629,34 +1111,34 @@ commit=Memperbuat
 releases=Rilis
 file_raw=Mentah
 file_history=Riwayat
-file_view_raw=Lihat Mentah
+file_view_raw=Lihat mentah
 file_permalink=Permalink
 file_too_large=Berkas terlalu besar untuk ditampilkan.
 
 stored_lfs=Tersimpan dengan GIT LFS
-commit_graph=Grafik Komit
+commit_graph=Grafik komit
 blame=Salahkan
 normal_view=Pandangan Normal
 line=baris
 lines=baris
 
-editor.new_file=Berkas Baru
-editor.upload_file=Unggah Berkas
-editor.edit_file=Sunting Berkas
-editor.preview_changes=Tinjau Perubahan
+editor.new_file=File baru
+editor.upload_file=Unggah file
+editor.edit_file=Edit file
+editor.preview_changes=Pratinjau perubahan
 editor.cannot_edit_lfs_files=Berkas LFS tidak dapat disunting dalam antarmuka web.
 editor.cannot_edit_non_text_files=Berkas biner tidak dapat disunting dalam antarmuka web.
-editor.edit_this_file=Sunting Berkas
+editor.edit_this_file=Edit file
 editor.this_file_locked=Berkas terkunci
 editor.must_be_on_a_branch=Anda harus berada pada sebuah cabang untuk membuat atau mengusulkan perubahan pada berkas ini.
 editor.fork_before_edit=Anda harus mencabangkan repositori ini untuk membuat atau mengusulkan perubahan pada berkas ini.
-editor.delete_this_file=Hapus Berkas
+editor.delete_this_file=Hapus file
 editor.must_have_write_access=Anda harus punya akses tulis untuk membuat atau mengusulkan perubahan pada berkas ini.
 editor.name_your_file=Nama berkas…
-editor.filename_help=Tambahkan direktori dengan mengetikkan nama direktori diikuti dengan garis miring ('/'). Hapus direktori dengan mengetikkan spasi balik pada awal bidang input.
+editor.filename_help=Tambahkan direktori dengan mengetik namanya diikuti garis miring ("/"). Hapus direktori dengan menekan backspace di awal kolom input.
 editor.or=atau
 editor.cancel_lower=Batalkan
-editor.commit_changes=Perubahan komitmen
+editor.commit_changes=Komit perubahan
 editor.add_tmpl=Tambahkan '<%s>'
 editor.commit_message_desc=Tambahkan deskripsi opsional yang panjang…
 editor.commit_directly_to_this_branch=Komitmen langsung ke <strong class="%[2]s">%[1]s</strong> cabang.
@@ -680,26 +1162,26 @@ commits.signed_by=Ditandai oleh
 
 projects.description_placeholder=Deskripsi
 projects.title=Judul
-projects.template.desc=Contoh
+projects.template.desc=Templat
 projects.column.edit_title=Nama
 projects.column.new_title=Nama
 
-issues.new=Masalah Baru
+issues.new=Isu baru
 issues.new.labels=Label
-issues.new.no_label=Tidak ada Label
+issues.new.no_label=Tidak ada label
 issues.new.clear_labels=Label yang jelas
 issues.new.milestone=Tolak ukur waktu
-issues.new.no_milestone=Tidak Ada Milestone
+issues.new.no_milestone=Tidak ada tonggak pencapaian
 issues.new.clear_milestone=Bersihkan milestone
-issues.new.open_milestone=Buka Milestone
-issues.new.closed_milestone=Tutup Milestone
-issues.no_ref=Tidak Ada Cabang/Tag Ditentukan
-issues.create=Buat Masalah
-issues.new_label=Label Baru
+issues.new.open_milestone=Tonggak pencapaian terbuka
+issues.new.closed_milestone=Tonggak pencapaian tertutup
+issues.no_ref=Tidak ada Cabang/Tag yang ditentukan
+issues.create=Buat isu
+issues.new_label=Label baru
 issues.new_label_desc_placeholder=Deskripsi
-issues.create_label=Buat Label
+issues.create_label=Buat label
 issues.label_templates.title=Muat sebuah label yang telah ditentukan
-issues.label_templates.helper=Pilih set label
+issues.label_templates.helper=Pilih prasetel label
 issues.add_milestone_at=`telah menambahkan ini ke <b>%s</b> milestone %s`
 issues.change_milestone_at=`telah mengubah milestone dari <b>%s</b> ke <b>%s</b> %s`
 issues.remove_milestone_at=`telah menghapus ini dari <b>%s</b> milestone %s`
@@ -741,14 +1223,14 @@ issues.num_comments=%d komentar
 issues.commented_at=`komentar <a href="#%s">%s</a>`
 issues.delete_comment_confirm=Apakah anda yakin anda ingin menghapus komentar ini?
 issues.context.copy_link=Salin tautan
-issues.context.quote_reply=Kutip Balasan
+issues.context.quote_reply=Kutip balasan
 issues.context.edit=Sunting
 issues.context.delete=Hapus
-issues.close_comment_issue=Komentar dan Tutup
+issues.close_comment_issue=Tutup dengan komentar
 issues.reopen_issue=Buka kembali
-issues.reopen_comment_issue=Komentar dan Buka Kembali
+issues.reopen_comment_issue=Buka kembali dengan komentar
 issues.create_comment=Komentar
-issues.commit_ref_at=`merujuk masalah dari komit %s`
+issues.commit_ref_at=`mereferensikan issue ini dari commit %s`
 issues.role.owner=Pemilik
 issues.role.member=Anggota
 issues.sign_in_require_desc=<a href="%s">Masuk</a> untuk bergabung dengan percakapan ini.
@@ -777,16 +1259,16 @@ issues.add_time_history=`tambah menghabiskan waktu %s`
 issues.add_time_hours=Jam
 issues.add_time_minutes=Menit
 issues.due_date_form_edit=Edit
-issues.due_date_form_remove=Menghapus
+issues.due_date_form_remove=Hapus
 issues.dependency.cancel=Membatalkan
 issues.dependency.remove=Menghapus
 
 
-pulls.new=Permintaan Tarik Baru
-pulls.compare_changes=Permintaan Tarik Baru
+pulls.new=Permintaan tarik baru
+pulls.compare_changes=Permintaan tarik baru
 pulls.filter_branch=Penyaringan cabang
 pulls.no_results=Hasil tidak ditemukan.
-pulls.create=Buat Permintaan Tarik
+pulls.create=Buat permintaan tarik
 pulls.tab_conversation=Percakapan
 pulls.tab_commits=Melakukan
 pulls.reopen_to_merge=Tolong buka kembali permintaan tarik ini untuk melaksanakan penggabungan.
@@ -801,17 +1283,17 @@ pulls.can_auto_merge_desc=Permintaan tarik ini dapat digabung secara otomatis.
 
 
 
-milestones.new=Milestone Baru
+milestones.new=Tonggak pencapaian baru
 milestones.closed=Tertutup %s
 milestones.no_due_date=Tidak ada jatuh tempo
 milestones.open=Buka
 milestones.close=Tutup
-milestones.create=Buat Milestone
+milestones.create=Buat tonggak pencapaian
 milestones.title=Judul
 milestones.desc=Deskripsi
-milestones.due_date=Jatuh Tempo (opsional)
+milestones.due_date=Tenggat waktu (opsional)
 milestones.clear=Bersihkan
-milestones.edit=Ubah Milestone
+milestones.edit=Edit tonggak pencapaian
 milestones.cancel=Batal
 milestones.filter_sort.least_complete=Paling tidak lengkap
 milestones.filter_sort.most_complete=Paling lengkap
@@ -825,11 +1307,11 @@ wiki.page=Halaman
 wiki.filter_page=Halaman Penyaring
 wiki.new_page=Halaman
 wiki.default_commit_message=Tulis catatan mengenai pembaruan halaman ini (opsional).
-wiki.save_page=Simpan Halaman
+wiki.save_page=Simpan halaman
 wiki.last_commit_info=%s halaman ini diedit %s
 wiki.edit_page_button=Menyunting
-wiki.new_page_button=Halaman Baru
-wiki.delete_page_button=Hapus Halaman
+wiki.new_page_button=Halaman baru
+wiki.delete_page_button=Hapus halaman
 wiki.page_already_exists=Halaman wiki dengan nama yang sama telah ada.
 wiki.pages=Halaman
 wiki.last_updated=Pembaruan terakhir %s
@@ -842,32 +1324,32 @@ activity.period.weekly=1 minggu
 activity.period.monthly=1 bulan
 activity.period.yearly=1 tahun
 activity.overview=Tinjauan
-activity.merged_prs_count_1=Mengabungkan Permintaan Tarik
-activity.merged_prs_count_n=Menggabungkan permintaan tarik
-activity.opened_prs_count_1=Meminta tarik usulan
-activity.opened_prs_count_n=Meminta di tarik usulan
+activity.merged_prs_count_1=Permintaan tarik yang digabungkan
+activity.merged_prs_count_n=Permintaan tarik yang digabungkan
+activity.opened_prs_count_1=Permintaan tarik yang diajukan
+activity.opened_prs_count_n=Permintaan tarik yang diajukan
 activity.title.user_1=%d pengguna
 activity.title.user_n=%d pengguna
-activity.title.prs_1=%d Tarik permintaan
-activity.title.prs_n=%d Tarik permintaan
+activity.title.prs_1=%d permintaan tarik
+activity.title.prs_n=%d permintaan tarik
 activity.title.prs_merged_by=%s dibuat oleh %s
 activity.title.prs_opened_by=%s Dikemukakan oleh %s
 activity.merged_prs_label=Bergabung
 activity.opened_prs_label=Dikemukakan
-activity.closed_issues_count_1=Masalah tertutup
-activity.closed_issues_count_n=Masalah tertutup
-activity.title.issues_1=%d Masalah
-activity.title.issues_n=%d Masalah
+activity.closed_issues_count_1=Isu yang ditutup
+activity.closed_issues_count_n=Isu yang ditutup
+activity.title.issues_1=%d isu
+activity.title.issues_n=%d isu
 activity.title.issues_created_by=%s dibuat oleh %s
 activity.closed_issue_label=Tertutup
-activity.new_issues_count_1=Masalah Baru
-activity.new_issues_count_n=Masala baru
+activity.new_issues_count_1=Isu baru
+activity.new_issues_count_n=Isu baru
 activity.new_issue_label=Terbuka
 activity.unresolved_conv_label=Buka
-activity.title.releases_1=%d Rilis
-activity.title.releases_n=%d Rilis
+activity.title.releases_1=%d rilis
+activity.title.releases_n=%d rilis
 activity.title.releases_published_by=%s dikeluarkan oleh %s
-activity.published_release_label=Dikeluarkan
+activity.published_release_label=Rilis
 
 contributors.contribution_type.commits=Melakukan
 
@@ -879,37 +1361,37 @@ settings.collaboration.read=Baca
 settings.collaboration.owner=Pemilik
 settings.collaboration.undefined=Tidak terdefinisi
 settings.hooks=Webhooks
-settings.githooks=Git kait
-settings.basic_settings=Pengaturan Dasar
-settings.mirror_settings=Pengaturan Duplikat
+settings.githooks=Hook Git
+settings.basic_settings=Pengaturan dasar
+settings.mirror_settings=Pengaturan cermin
 
 settings.site=Situs web
-settings.update_settings=Perbarui Pengaturan
-settings.advanced_settings=Pengaturan Lanjutan
-settings.external_wiki_url=URL Eksternal Wiki
-settings.external_tracker_url=URL Pelacak Masalah Eksternal
-settings.tracker_url_format=Format URL pelacak edisi Eksternal
+settings.update_settings=Simpan pengaturan
+settings.advanced_settings=Pengaturan lanjutan
+settings.external_wiki_url=URL wiki eksternal
+settings.external_tracker_url=URL pelacak issue eksternal
+settings.tracker_url_format=Format URL pelacak issue eksternal
 settings.tracker_issue_style.numeric=Numerik
 settings.tracker_issue_style.alphanumeric=Alfhanumerik
-settings.danger_zone=Zona Bahaya
+settings.danger_zone=Zona berbahaya
 settings.new_owner_has_same_repo=Pemilik baru sudah memiliki repositori dengan nama yang sama. Silakan pilih nama lain.
 settings.transfer.title=Transfer Kepemilikan
-settings.transfer_owner=Pemilik Baru
-settings.delete=Menghapus Repositori Ini
+settings.transfer_owner=Pemilik baru
+settings.delete=Hapus repositori ini
 settings.delete_notices_1=- Operasi ini <strong>TIDAK BISA</strong> dibatalkan.
 settings.delete_collaborator=Menghapus
 settings.teams=Tim
-settings.add_webhook=Tambahkan Webhook
-settings.webhook.test_delivery=Percobaan Pengiriman
+settings.add_webhook=Tambah webhook
+settings.webhook.test_delivery=Uji pengiriman
 settings.webhook.request=Permintaan
 settings.webhook.response=Tanggapan
 settings.webhook.headers=Tajuk
 settings.webhook.payload=Konten
 settings.webhook.body=Tubuh
 settings.githook_edit_desc=Jika hook tidak aktif, konten sampel akan dipaparkan. Meninggalkan konten dengan nilai kosong akan menonaktifkan hook ini.
-settings.githook_name=Nama Hook
-settings.githook_content=Konten Hook
-settings.update_githook=Perbarui Hook
+settings.githook_name=Nama hook
+settings.githook_content=Konten hook
+settings.update_githook=Perbarui hook
 settings.secret=Rahasia
 settings.slack_username=Nama pengguna
 settings.slack_icon_url=Ikon URL
@@ -921,16 +1403,16 @@ settings.event_fork=Garpu
 settings.event_wiki=Wiki
 settings.event_push=Dorong
 settings.event_repository=Repositori
-settings.event_issues=Masalah
-settings.event_pull_request=Tarik permintaan
-settings.update_webhook=Perbarui Webhook
-settings.recent_deliveries=Pengiriman Terakhir
-settings.hook_type=Jenis Hook
+settings.event_issues=Modifikasi
+settings.event_pull_request=Modifikasi
+settings.update_webhook=Perbarui webhook
+settings.recent_deliveries=Pengiriman terbaru
+settings.hook_type=Jenis hook
 settings.slack_token=Token
 settings.slack_domain=Domain
 settings.slack_channel=Saluran
-settings.deploy_keys=Kunci Deploy
-settings.add_deploy_key=Tambahkan Kunci Deploy
+settings.deploy_keys=Kunci deploy
+settings.add_deploy_key=Tambah kunci deploy
 settings.title=Judul
 settings.deploy_key_content=Konten
 settings.branches=Cabang
@@ -938,30 +1420,30 @@ settings.protected_branch=Perlindungan cabang
 settings.choose_branch=Pilih branch…
 settings.edit_protected_branch=Edit
 
-diff.browse_source=Telusuri Sumber
+diff.browse_source=Jelajahi sumber
 diff.parent=orang tua
 diff.commit=melakukan
-diff.data_not_available=Konten Diff Tidak Tersedia
-diff.show_split_view=Tampilan split
-diff.show_unified_view=Pandangan Terpadu
+diff.data_not_available=Konten diff tidak tersedia
+diff.show_split_view=Tampilan terpisah
+diff.show_unified_view=Tampilan terpadu
 diff.stats_desc=<strong> %d mengubah file</strong> dengan <strong>%d tambahan</strong> dan <strong>%d penghapusan</strong>
 diff.bin=TEMPAT SAMPAH
-diff.view_file=Melihat File
+diff.view_file=Lihat file
 diff.file_byte_size=Ukuran
 diff.file_suppressed=File diff ditekan karena terlalu besar
 
 release.releases=Rilis
-release.new_release=Baru Rilis
+release.new_release=Rilis baru
 release.draft=Rancangan
-release.prerelease=Pra-Rilis
+release.prerelease=Pra-rilis
 release.stable=Stabil
-release.edit=edit
-release.source_code=Sumber kode
+release.edit=Edit
+release.source_code=Kode sumber
 release.tag_name=Tag nama
 release.target=Target
 release.cancel=Membatalkan
-release.publish=Mempublikasikan Rilis
-release.save_draft=Simpan Draft
+release.publish=Terbitkan rilis
+release.save_draft=Simpan draf
 release.deletion_success=Rilis ini telah dihapus.
 release.downloads=Unduhan
 
@@ -980,20 +1462,1291 @@ desc.archived = Diarsipkan
 commitstatus.error = Gangguan
 projects.new = Proyek Baru
 milestones.filter_sort.name = Nama
+rss.must_be_on_branch = Anda harus berada di cabang untuk memiliki umpan RSS.
+admin.manage_flags = Kelola tanda
+admin.enabled_flags = Tanda yang diaktifkan untuk repositori:
+admin.update_flags = Perbarui tanda
+admin.failed_to_replace_flags = Gagal mengganti tanda repositori
+admin.flags_replaced = Tanda repositori telah diganti
+new_repo_helper = Repositori berisi semua file proyek, termasuk riwayat revisi. Sudah mengelola di tempat lain? <a href="%s">Migrasi repositori</a>.
+new_from_template = Gunakan templat
+new_from_template_description = Anda dapat memilih templat repositori yang sudah ada di instans ini dan menerapkan pengaturannya.
+new_advanced = Pengaturan lanjutan
+new_advanced_expand = Klik untuk memperluas
+owner_helper = Beberapa organisasi mungkin tidak muncul di menu tarik-turun karena batas jumlah repositori maksimum.
+size_format = %s: %s, %s: %s
+visibility_helper = Jadikan repositori privat
+already_forked = Anda sudah menggarpu %s
+fork_to_different_account = Garpu ke akun yang berbeda
+fork_visibility_helper = Visibilitas repositori yang digarpu tidak dapat diubah.
+fork_branch = Cabang yang akan dikloning ke garpu
+all_branches = Semua cabang
+fork_no_valid_owners = Repositori ini tidak dapat digarpu karena tidak ada pemilik yang valid.
+use_template = Gunakan templat ini
+open_with_editor = Buka dengan %s
+download_zip = Unduh ZIP
+download_tar = Unduh TAR.GZ
+download_bundle = Unduh BUNDLE
+repo_desc_helper = Masukkan deskripsi singkat (opsional)
+repo_gitignore_helper = Pilih templat .gitignore
+repo_gitignore_helper_desc = Pilih file mana yang tidak akan dilacak dari daftar templat untuk bahasa pemrograman umum. Artefak umum yang dihasilkan oleh alat build setiap bahasa disertakan dalam .gitignore secara default.
+license_helper_desc = Lisensi mengatur apa yang boleh dan tidak boleh dilakukan orang lain dengan kode Anda. Tidak yakin mana yang tepat untuk proyek Anda? Lihat <a target="_blank" rel="noopener noreferrer" href="%s">Pilih lisensi</a>.
+object_format = Format objek
+object_format_helper = Format objek repositori. Tidak dapat diubah setelah dibuat. SHA1 paling kompatibel.
+readme_helper_desc = Di sinilah Anda dapat menulis deskripsi lengkap untuk proyek Anda.
+auto_init_description = Mulai riwayat Git dengan README dan secara opsional tambahkan file Lisensi dan .gitignore.
+default_branch_label = default
+default_branch_helper = Cabang default adalah cabang dasar untuk permintaan tarik dan commit kode.
+mirror_prune_desc = Hapus referensi pelacakan jarak jauh yang sudah usang
+mirror_interval = Interval cermin (satuan waktu yang valid adalah "h", "m", "s"). 0 untuk menonaktifkan sinkronisasi berkala. (Interval minimum: %s)
+mirror_interval_invalid = Interval cermin tidak valid.
+mirror_public_key = Kunci SSH publik
+mirror_use_ssh.text = Gunakan autentikasi SSH
+mirror_use_ssh.helper = Forgejo akan mencerminkan repositori melalui Git over SSH dan membuat pasangan kunci untuk Anda saat memilih opsi ini. Anda harus memastikan bahwa kunci publik yang dihasilkan diotorisasi untuk mendorong ke repositori tujuan. Anda tidak dapat menggunakan otorisasi berbasis kata sandi saat memilih ini.
+mirror_use_ssh.not_available = Autentikasi SSH tidak tersedia.
+mirror_denied_combination = Tidak dapat menggunakan autentikasi kunci publik dan berbasis kata sandi secara bersamaan.
+mirror_sync = disinkronkan
+mirror_sync_on_commit = Sinkronkan saat commit didorong
+mirror_address = Klon dari URL
+mirror_address_desc = Masukkan kredensial yang diperlukan di bagian Otorisasi.
+mirror_address_url_invalid = URL yang diberikan tidak valid. Pastikan komponen URL telah di-escape dengan benar.
+mirror_address_protocol_invalid = URL yang diberikan tidak valid. Hanya lokasi http(s):// atau git:// yang dapat digunakan untuk pencerminan.
+mirror_lfs = Penyimpanan File Besar (LFS)
+mirror_lfs_desc = Aktifkan pencerminan data LFS.
+mirror_lfs_endpoint = Titik akhir LFS
+mirror_lfs_endpoint_desc = Sinkronisasi akan mencoba menggunakan URL klon untuk <a target="_blank" rel="noopener noreferrer" href="%s">menentukan server LFS</a>. Anda juga dapat menentukan titik akhir kustom jika data LFS repositori disimpan di tempat lain.
+mirror_password_placeholder = (Tidak berubah)
+mirror_password_blank_placeholder = (Tidak diatur)
+mirror_password_help = Ubah nama pengguna untuk menghapus kata sandi yang tersimpan.
+stars_remove_warning = Ini akan menghapus semua bintang dari repositori ini.
+stars = Bintang
+language_other = Lainnya
+adopt_search = Masukkan nama pengguna untuk mencari repositori yang tidak diadopsi… (biarkan kosong untuk menemukan semua)
+adopt_preexisting_label = Adopsi file
+adopt_preexisting = Adopsi file yang sudah ada sebelumnya
+adopt_preexisting_content = Buat repositori dari %s
+adopt_preexisting_success = File diadopsi dan repositori dibuat dari %s
+delete_preexisting = Hapus file yang sudah ada sebelumnya
+delete_preexisting_content = Hapus file di %s
+delete_preexisting_success = File yang tidak diadopsi di %s telah dihapus
+blame_prior = Lihat blame sebelum perubahan ini
+blame.ignore_revs = Mengabaikan revisi di <a href="%s">.git-blame-ignore-revs</a>. Klik <a href="%s">di sini untuk melewati</a> dan lihat tampilan blame normal.
+blame.ignore_revs.failed = Gagal mengabaikan revisi di <a href="%s">.git-blame-ignore-revs</a>.
+author_search_tooltip = Menampilkan maksimum 30 pengguna
+summary_card_alt = Kartu ringkasan repositori %s
+tree_path_not_found.commit = Jalur %[1]s tidak ada di commit %[2]s
+tree_path_not_found.branch = Jalur %[1]s tidak ada di cabang %[2]s
+tree_path_not_found.tag = Jalur %[1]s tidak ada di tag %[2]s
+transfer.accept = Terima transfer
+transfer.accept_desc = Transfer ke "%s"
+transfer.reject = Tolak transfer
+transfer.reject_desc = Batalkan transfer ke "%s"
+transfer.no_permission_to_accept = Anda tidak memiliki izin untuk menerima transfer ini.
+transfer.no_permission_to_reject = Anda tidak memiliki izin untuk menolak transfer ini.
+desc.internal = Internal
+desc.sha256 = SHA256
+template.items = Item templat
+template.git_content = Konten Git (Cabang default)
+template.git_hooks = Hook Git
+template.git_hooks_tooltip = Anda saat ini tidak dapat mengubah atau menghapus hook Git setelah ditambahkan. Pilih ini hanya jika Anda mempercayai repositori templat.
+template.one_item = Harus memilih setidaknya satu item templat
+template.invalid = Harus memilih repositori templat
+archive.title = Repositori ini diarsipkan. Anda dapat melihat file dan mengklonnya, tetapi Anda tidak dapat membuat perubahan apa pun pada statusnya, seperti mendorong dan membuat issue baru, permintaan tarik, atau komentar.
+archive.title_date = Repositori ini diarsipkan pada %s. Anda dapat melihat file dan mengklonnya, tetapi Anda tidak dapat membuat perubahan apa pun pada statusnya, seperti mendorong dan membuat issue baru, permintaan tarik, atau komentar.
+archive.nocomment = Pemberian komentar tidak dapat dilakukan karena repositori diarsipkan.
+archive.pull.noreview = Repositori ini diarsipkan. Anda tidak dapat meninjau permintaan tarik.
+sync_fork.branch_behind_one = Cabang ini tertinggal %[1]d commit dari %[2]s
+sync_fork.branch_behind_few = Cabang ini tertinggal %d commit dari %s
+sync_fork.button = Sinkronkan
+form.reach_limit_of_creation_1 = Pemilik telah mencapai batas %d repositori.
+form.reach_limit_of_creation_n = Pemilik telah mencapai batas %d repositori.
+form.name_reserved = Nama repositori "%s" sudah dicadangkan.
+form.name_pattern_not_allowed = Pola "%s" tidak diperbolehkan dalam nama repositori.
+form.string_too_long = String yang diberikan lebih panjang dari %d karakter.
+need_auth = Otorisasi
+migrate_options = Opsi migrasi
+migrate_options_mirror_helper = Repositori ini akan menjadi cermin
+migrate_options_lfs = Migrasi file LFS
+migrate_options_lfs_endpoint.label = Titik akhir LFS
+migrate_options_lfs_endpoint.description = Migrasi akan mencoba menggunakan remote Git Anda untuk <a target="_blank" rel="noopener noreferrer" href="%s">menentukan server LFS</a>. Anda juga dapat menentukan titik akhir kustom jika data LFS repositori disimpan di tempat lain.
+migrate_options_lfs_endpoint.description.local = Jalur server lokal juga didukung.
+migrate_options_lfs_endpoint.placeholder = Jika dibiarkan kosong, titik akhir akan diturunkan dari URL klon
+migrate.repo_desc_helper = Biarkan kosong untuk mengimpor deskripsi yang sudah ada
+migrate.clone_address = Migrasi / Klon dari URL
+migrate.clone_address_desc = URL "klon" HTTP(S) atau Git dari repositori yang sudah ada
+migrate.github_token_desc = Anda dapat memasukkan satu atau lebih token di sini yang dipisahkan koma untuk mempercepat migrasi dengan menghindari batas laju API GitHub. PERINGATAN: Penyalahgunaan fitur ini dapat melanggar kebijakan penyedia layanan dan dapat menyebabkan akun Anda diblokir.
+migrate.clone_local_path = atau jalur server lokal
+migrate.permission_denied_blocked = Anda tidak dapat mengimpor dari host yang tidak diizinkan, harap minta admin untuk memeriksa pengaturan ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS.
+migrate.invalid_local_path = Jalur lokal tidak valid. Jalur tidak ada atau bukan direktori.
+migrate.invalid_lfs_endpoint = Titik akhir LFS tidak valid.
+migrate.migrate_items_options = Token akses diperlukan untuk migrasi item tambahan
+migrate.migrate = Migrasi dari %s
+migrate.migrating_failed.error = Gagal migrasi: %s
+migrate.migrating_failed_no_addr = Migrasi gagal.
+watch_guest_user = Masuk untuk memantau repositori ini.
+star_guest_user = Masuk untuk membintangi repositori ini.
+subscribe.issue.guest.tooltip = Masuk untuk berlangganan issue ini.
+subscribe.pull.guest.tooltip = Masuk untuk berlangganan permintaan tarik ini.
+more_operations = Operasi lainnya
+cite_this_repo = Kutip repositori ini
+empty_message = Repositori ini tidak memiliki konten apa pun.
+broken_message = Data Git yang mendasari repositori ini tidak dapat dibaca. Hubungi administrator instans ini atau hapus repositori ini.
+code.desc = Akses kode sumber, file, komit, dan cabang.
+clear_ref = `Hapus referensi saat ini`
+find_tag = Temukan tag
+project = Proyek
+packages = Paket
+actions = Tindakan
+org_labels_desc = Label tingkat organisasi yang dapat digunakan dengan <strong>semua repositori</strong> di bawah organisasi ini
+org_labels_desc_manage = kelola
+released_this = merilis ini
+file.title = %s pada %s
+file_follow = Ikuti symlink
+file_view_source = Lihat sumber
+file_view_rendered = Lihat yang dirender
+invisible_runes_header = `File ini mengandung karakter Unicode tak terlihat`
+invisible_runes_description = `File ini mengandung karakter Unicode tak terlihat yang tidak dapat dibedakan oleh manusia tetapi mungkin diproses secara berbeda oleh komputer. Jika Anda rasa ini disengaja, Anda dapat mengabaikan peringatan ini. Gunakan tombol Escape untuk menampilkannya.`
+ambiguous_runes_header = `File ini mengandung karakter Unicode yang ambigu`
+ambiguous_runes_description = `File ini mengandung karakter Unicode yang mungkin tertukar dengan karakter lain. Jika Anda rasa ini disengaja, Anda dapat mengabaikan peringatan ini. Gunakan tombol Escape untuk menampilkannya.`
+invisible_runes_line = `Baris ini memiliki karakter Unicode tak terlihat`
+ambiguous_runes_line = `Baris ini memiliki karakter Unicode yang ambigu`
+ambiguous_character = `%[1]c [U+%04[1]X] dapat tertukar dengan %[2]c [U+%04[2]X]`
+escape_control_characters = Escape
+unescape_control_characters = Unescape
+file_copy_permalink = Salin tautan permanen
+view_git_blame = Lihat git blame
+video_not_supported_in_browser = Browser Anda tidak mendukung tag "video" HTML5.
+audio_not_supported_in_browser = Browser Anda tidak mendukung tag "audio" HTML5.
+symbolic_link = Tautan simbolis
+executable_file = File yang dapat dieksekusi
+vendored = Di-vendor
+generated = Dihasilkan
+commit_graph.select = Pilih cabang
+commit_graph.hide_pr_refs = Sembunyikan permintaan tarik
+commit_graph.monochrome = Mono
+commit_graph.color = Warna
+commit.contained_in = Komit ini terdapat di:
+commit.contained_in_default_branch = Komit ini adalah bagian dari cabang default
+commit.load_referencing_branches_and_tags = Muat cabang dan tag yang mereferensikan commit ini
+download_file = Unduh file
+from_comment = (komentar)
+no_eol.text = Tanpa EOL
+no_eol.tooltip = File ini tidak mengandung karakter akhir baris di bagian akhir.
+editor.add_file = Tambah file
+editor.file_delete_success = File "%s" telah dihapus.
+editor.commit_signed_changes = Komit perubahan yang ditandatangani
+editor.add_tmpl.filename = nama file
+editor.add = Tambah %s
+editor.update = Perbarui %s
+editor.delete = Hapus %s
+editor.patch = Terapkan patch
+editor.patching = Menerapkan patch:
+editor.fail_to_apply_patch = Tidak dapat menerapkan patch "%s"
+editor.new_patch = Patch baru
+editor.signoff_desc = Tambahkan trailer Signed-off-by oleh pembuat commit di akhir pesan log komit.
+editor.new_branch_name = Beri nama cabang baru untuk commit ini
+editor.filename_is_invalid = Nama file tidak valid: "%s".
+editor.invalid_commit_mail = Email tidak valid untuk membuat komit.
+editor.branch_does_not_exist = Cabang "%s" tidak ada di repositori ini.
+editor.branch_already_exists = Cabang "%s" sudah ada di repositori ini.
+editor.directory_is_a_file = Nama direktori "%s" sudah digunakan sebagai nama file di repositori ini.
+editor.file_is_a_symlink = `"%s" adalah tautan simbolis. Tautan simbolis tidak dapat diedit di editor web`
+editor.filename_is_a_directory = Nama file "%s" sudah digunakan sebagai nama direktori di repositori ini.
+editor.file_editing_no_longer_exists = File yang sedang diedit, "%s", tidak lagi ada di repositori ini.
+editor.file_deleting_no_longer_exists = File yang sedang dihapus, "%s", tidak lagi ada di repositori ini.
+editor.file_changed_while_editing = Konten file telah berubah sejak Anda membuka file. <a target="_blank" rel="noopener noreferrer" href="%s">Klik di sini</a> untuk melihatnya atau <strong>Komit perubahan lagi</strong> untuk menimpanya.
+editor.file_already_exists = File bernama "%s" sudah ada di repositori ini.
+editor.commit_id_not_matching = File berubah saat Anda sedang mengeditnya. Commit ke cabang baru lalu gabungkan.
+editor.push_out_of_date = Dorongan tampaknya sudah usang.
+editor.commit_empty_file_header = Komit file kosong
+editor.commit_empty_file_text = File yang akan Anda commit kosong. Lanjutkan?
+editor.fail_to_update_file = Gagal memperbarui/membuat file "%s".
+editor.fail_to_update_file_summary = Pesan kesalahan:
+editor.push_rejected_no_message = Perubahan ditolak oleh server tanpa pesan. Harap periksa hook Git.
+editor.push_rejected = Perubahan ditolak oleh server. Harap periksa hook Git.
+editor.push_rejected_summary = Pesan penolakan lengkap:
+editor.add_subdir = Tambah direktori…
+editor.unable_to_upload_files = Gagal mengunggah file ke "%s" dengan kesalahan: %v
+editor.upload_file_is_locked = File "%s" dikunci oleh %s.
+editor.upload_files_to_dir = Unggah file ke "%s"
+editor.cannot_commit_to_protected_branch = Tidak dapat melakukan commit ke cabang yang dilindungi "%s".
+editor.no_commit_to_branch = Tidak dapat melakukan commit langsung ke cabang karena:
+editor.user_no_push_to_branch = Pengguna tidak dapat mendorong ke cabang
+editor.require_signed_commit = Cabang memerlukan commit yang ditandatangani
+editor.cherry_pick = Cherry-pick %s ke:
+editor.revert = Revert %s ke:
+editor.commit_email = Email komit
+commits.no_commits = Tidak ada commit yang sama. "%s" dan "%s" memiliki riwayat yang sepenuhnya berbeda.
+commits.nothing_to_compare = Cabang-cabang ini sama.
+commits.search.tooltip = Anda dapat mengawali kata kunci dengan "author:", "committer:", "after:", atau "before:", misalnya "revert author:Alice before:2019-01-13".
+commits.search_branch = Cabang ini
+commits.search_all = Semua cabang
+commits.browse_further = Jelajahi lebih lanjut
+commits.renamed_from = Diubah nama dari %s
+commits.signed_by_untrusted_user = Ditandatangani oleh pengguna yang tidak dipercaya
+commits.signed_by_untrusted_user_unmatched = Ditandatangani oleh pengguna yang tidak dipercaya yang tidak cocok dengan pembuat komit
+commits.gpg_key_id = ID kunci GPG
+commits.ssh_key_fingerprint = Sidik jari kunci SSH
+commits.view_path = Lihat pada titik ini dalam riwayat
+commits.view_single_diff = Lihat perubahan pada file ini yang diperkenalkan dalam commit ini
+commit.operations = Operasi
+commit.revert = Revert
+commit.revert-header = Revert: %s
+commit.revert-content = Pilih cabang tujuan revert:
+commit.cherry-pick = Cherry-pick
+commit.cherry-pick-header = Cherry-pick: %s
+commit.cherry-pick-content = Pilih cabang tujuan cherry-pick:
+commitstatus.failure = Gagal
+commitstatus.pending = Tertunda
+commitstatus.success = Berhasil
+ext_issues = Isu eksternal
+projects = Proyek
+projects.description = Deskripsi (opsional)
+projects.create = Buat proyek
+projects.new_subheader = Koordinasikan, lacak, dan perbarui pekerjaan Anda di satu tempat, sehingga proyek tetap transparan dan sesuai jadwal.
+projects.create_success = Proyek "%s" telah dibuat.
+projects.deletion = Hapus proyek
+projects.deletion_desc = Menghapus proyek akan menghapusnya dari semua issue terkait. Lanjutkan?
+projects.deletion_success = Proyek telah dihapus.
+projects.edit = Edit proyek
+projects.edit_subheader = Proyek mengorganisasi issue dan melacak kemajuan.
+projects.modify = Edit proyek
+projects.edit_success = Proyek "%s" telah diperbarui.
+projects.type.none = Tidak ada
+projects.type.basic_kanban = Kanban dasar
+projects.type.bug_triage = Triase bug
+projects.template.desc_helper = Pilih templat proyek untuk memulai
+projects.column.edit = Edit kolom
+projects.column.new_submit = Buat kolom
+projects.column.new = Kolom baru
+projects.column.set_default = Jadikan default
+projects.column.set_default_desc = Jadikan kolom ini sebagai default untuk issue dan permintaan tarik yang tidak dikategorikan
+projects.column.delete = Hapus kolom
+projects.column.deletion_desc = Menghapus kolom proyek akan memindahkan semua issue terkait ke kolom default. Lanjutkan?
+projects.column.color = Warna
+projects.open = Buka
+projects.close = Tutup
+projects.column.assigned_to = Ditugaskan kepada
+projects.card_type.desc = Pratinjau kartu
+projects.card_type.images_and_text = Gambar dan teks
+projects.card_type.text_only = Teks saja
+issues.filter_assignees = Filter penugasan
+issues.filter_milestones = Filter tonggak pencapaian
+issues.filter_projects = Filter proyek
+issues.filter_labels = Filter label
+issues.filter_reviewers = Filter pengulas
+issues.filter_no_results = Tidak ada hasil
+issues.filter_no_results_placeholder = Coba sesuaikan filter pencarian Anda.
+issues.new.title_empty = Judul tidak boleh kosong
+issues.new.projects = Proyek
+issues.new.clear_projects = Hapus proyek
+issues.new.no_projects = Tidak ada proyek
+issues.new.open_projects = Proyek terbuka
+issues.new.closed_projects = Proyek tertutup
+issues.new.no_items = Tidak ada item
+issues.new.assignees = Penugasan
+issues.new.clear_assignees = Hapus penugasan
+issues.new.no_assignees = Tidak ada penugasan
+issues.new.assign_to_me = Tugaskan ke saya
+issues.new.no_reviewers = Tidak ada pengulas
+issues.edit.already_changed = Tidak dapat menyimpan perubahan pada isu. Tampaknya konten sudah diubah oleh pengguna lain. Harap segarkan halaman dan coba edit lagi untuk menghindari penimpaan perubahan mereka
+issues.choose.get_started = Mulai
+issues.choose.open_external_link = Buka
+issues.choose.blank = Default
+issues.choose.blank_about = Buat issue dari templat default.
+issues.choose.ignore_invalid_templates = Templat yang tidak valid telah diabaikan
+issues.choose.invalid_templates = %v templat tidak valid ditemukan
+issues.choose.invalid_config = Konfigurasi issue mengandung kesalahan:
+issues.new_label_placeholder = Nama label
+issues.label_templates.info = Belum ada label. Buat label dengan "Label baru" atau gunakan prasetel label:
+issues.label_templates.use = Gunakan prasetel label
+issues.label_templates.fail_to_load_file = Gagal memuat file templat label "%s": %v
+issues.add_label = menambahkan label %s %s
+issues.add_labels = menambahkan label %s %s
+issues.remove_label = menghapus label %s %s
+issues.remove_labels = menghapus label %s %s
+issues.add_remove_labels = menambahkan %s dan menghapus label %s %s
+issues.add_project_at = `menambahkan ini ke proyek <b>%s</b> %s`
+issues.change_project_at = `mengubah proyek dari <b>%s</b> menjadi <b>%s</b> %s`
+issues.remove_project_at = `menghapus ini dari proyek <b>%s</b> %s`
+issues.remove_assignee_at = `dibatalkan penugasannya oleh <b>%s</b> %s`
+issues.remove_self_assignment = `menghapus penugasan mereka %s`
+issues.change_title_at = `mengubah judul dari <b><strike>%s</strike></b> menjadi <b>%s</b> %s`
+issues.change_ref_at = `mengubah referensi dari <b><strike>%s</strike></b> menjadi <b>%s</b> %s`
+issues.remove_ref_at = `menghapus referensi <b>%s</b> %s`
+issues.add_ref_at = `menambahkan referensi <b>%s</b> %s`
+issues.filter_label_no_select = Semua label
+issues.filter_label_select_no_label = Tanpa label
+issues.filter_milestone_all = Semua tonggak pencapaian
+issues.filter_milestone_none = Tidak ada tonggak pencapaian
+issues.filter_milestone_open = Tonggak pencapaian terbuka
+issues.filter_milestone_closed = Tonggak pencapaian tertutup
+issues.filter_project = Proyek
+issues.filter_project_all = Semua proyek
+issues.filter_project_none = Tidak ada proyek
+issues.filter_assginee_no_select = Semua penugasan
+issues.filter_poster = Penulis
+issues.filter_poster_no_select = Semua penulis
+issues.filter_type.all_pull_requests = Semua permintaan tarik
+issues.filter_type.review_requested = Tinjauan diminta
+issues.filter_type.reviewed_by_you = Ditinjau oleh Anda
+issues.filter_sort.relevance = Relevansi
+issues.filter_sort.nearduedate = Tenggat waktu terdekat
+issues.filter_sort.farduedate = Tenggat waktu terjauh
+issues.filter_sort.moststars = Bintang terbanyak
+issues.filter_sort.feweststars = Bintang tersedikit
+issues.filter_sort.mostforks = Garpu terbanyak
+issues.filter_sort.fewestforks = Garpu tersedikit
+issues.action_check = Centang/Hapus centang
+issues.action_check_all = Centang/Hapus centang semua item
+pulls.merged_by = oleh <a href="%[2]s">%[3]s</a> digabungkan %[1]s
+pulls.merged_by_fake = oleh %[2]s digabungkan %[1]s
+issues.closed_by = oleh <a href="%[2]s">%[3]s</a> ditutup %[1]s
+issues.opened_by_fake = dibuka %[1]s oleh %[2]s
+issues.closed_by_fake = oleh %[2]s ditutup %[1]s
+issues.all_title = Semua
+issues.num_comments_1 = %d komentar
+issues.num_reviews_one = %d tinjauan
+issues.num_reviews_few = %d tinjauan
+issues.reaction.add = Tambah reaksi
+issues.reaction.alt_few = %[1]s bereaksi %[2]s.
+issues.reaction.alt_many = %[1]s dan %[2]d lainnya bereaksi %[3]s.
+issues.reaction.alt_remove = Hapus reaksi %[1]s dari komentar.
+issues.reaction.alt_add = Tambahkan reaksi %[1]s ke komentar.
+issues.context.menu = Menu komentar
+issues.context.reference_issue = Referensikan dalam issue baru
+issues.no_content = Tidak ada deskripsi yang diberikan.
+issues.close = Tutup isu
+issues.comment_pull_merged_at = menggabungkan commit %[1]s ke %[2]s %[3]s
+issues.comment_manually_pull_merged_at = menggabungkan commit %[1]s ke %[2]s %[3]s secara manual
+issues.closed_at = `menutup issue ini %s`
+issues.reopened_at = `membuka kembali issue ini %s`
+issues.ref_issue_from = `<a href="%[2]s">mereferensikan issue ini %[3]s</a> %[1]s`
+issues.ref_pull_from = `<a href="%[2]s">mereferensikan permintaan tarik ini %[3]s</a> %[1]s`
+issues.ref_closing_from = `<a href="%[2]s">mereferensikan issue ini dari permintaan tarik %[3]s yang akan menutupnya</a>, %[1]s`
+issues.ref_reopening_from = `<a href="%[2]s">mereferensikan issue ini dari permintaan tarik %[3]s yang akan membukanya kembali</a>, %[1]s`
+issues.ref_from = `dari %[1]s`
+issues.author = Penulis
+issues.author.tooltip.issue = Pengguna ini adalah penulis issue ini.
+issues.author.tooltip.pr = Pengguna ini adalah penulis permintaan tarik ini.
+issues.role.owner_helper = Pengguna ini adalah pemilik repositori ini.
+issues.role.member_helper = Pengguna ini adalah anggota organisasi yang memiliki repositori ini.
+issues.role.collaborator = Kolaborator
+issues.role.collaborator_helper = Pengguna ini telah diundang untuk berkolaborasi di repositori.
+issues.role.first_time_contributor = Kontributor pertama kali
+issues.role.first_time_contributor_helper = Ini adalah kontribusi pertama pengguna ini ke repositori.
+issues.role.contributor = Kontributor
+issues.role.contributor_helper = Pengguna ini sebelumnya pernah melakukan commit di repositori ini.
+issues.re_request_review = Minta tinjauan ulang
+issues.is_stale = Ada perubahan pada PR ini sejak tinjauan ini
+issues.remove_request_review = Hapus permintaan tinjauan
+issues.remove_request_review_block = Tidak dapat menghapus permintaan tinjauan
+issues.dismiss_review = Abaikan tinjauan
+issues.dismiss_review_warning = Apakah Anda yakin ingin mengabaikan tinjauan ini?
+issues.label_exclusive = Eksklusif
+issues.label_archive = Arsipkan label
+issues.label_archived_filter = Tampilkan label yang diarsipkan
+issues.label_archive_tooltip = Label yang diarsipkan dikecualikan secara default dari saran saat mencari berdasarkan label.
+issues.label_exclusive_desc = Beri nama label <code>lingkup/item</code> untuk membuatnya saling eksklusif dengan label <code>lingkup/</code> lainnya.
+issues.label_exclusive_warning = Label bertingkat yang bertentangan akan dihapus saat mengedit label issue atau permintaan tarik.
+issues.label_modify = Edit label
+issues.label_deletion = Hapus label
+issues.label_deletion_desc = Menghapus label akan menghapusnya dari semua isu. Lanjutkan?
+issues.label_deletion_success = Label telah dihapus.
+issues.archived_label_description = (Diarsipkan) %s
+issues.label.filter_sort.by_size = Ukuran terkecil
+issues.label.filter_sort.reverse_by_size = Ukuran terbesar
+issues.num_participants_one = %d peserta
+issues.unpin_issue = Lepas pin isu
+issues.max_pinned = Anda tidak dapat menyematkan lebih banyak isu
+issues.pin_comment = menyematkan ini %s
+issues.unpin_comment = melepas pin ini %s
+issues.lock = Kunci percakapan
+issues.unlock = Buka kunci percakapan
+issues.lock.unknown_reason = Tidak dapat mengunci issue dengan alasan yang tidak diketahui.
+issues.lock_duplicate = Isu tidak dapat dikunci dua kali.
+issues.unlock_error = Tidak dapat membuka kunci issue yang tidak dikunci.
+issues.lock_with_reason = dikunci sebagai <strong>%s</strong> dan percakapan dibatasi untuk kolaborator %s
+issues.lock_no_reason = dikunci dan percakapan dibatasi untuk kolaborator %s
+issues.unlock_comment = membuka kunci percakapan ini %s
+issues.lock_confirm = Kunci
+issues.unlock_confirm = Buka kunci
+issues.lock.notice_1 = - Pengguna lain tidak dapat menambahkan komentar baru ke issue ini.
+issues.lock.notice_2 = - Anda dan kolaborator lain yang memiliki akses ke repositori ini masih dapat meninggalkan komentar yang dapat dilihat orang lain.
+issues.lock.notice_3 = - Anda selalu dapat membuka kunci issue ini lagi di masa mendatang.
+issues.unlock.notice_1 = - Semua orang dapat berkomentar pada issue ini kembali.
+issues.unlock.notice_2 = - Anda selalu dapat mengunci issue ini lagi di masa mendatang.
+issues.lock.reason = Alasan penguncian
+issues.lock.title = Kunci percakapan
+issues.unlock.title = Buka kunci percakapan
+issues.comment_on_locked = Anda tidak dapat berkomentar pada issue yang dikunci.
+issues.delete.title = Hapus issue ini?
+issues.delete.text = Apakah Anda benar-benar ingin menghapus issue ini? (Ini akan menghapus semua konten secara permanen. Pertimbangkan untuk menutupnya, jika Anda ingin tetap menyimpannya sebagai arsip)
+issues.tracker = Pelacak waktu
+issues.start_tracking_short = Mulai pengatur waktu
+issues.start_tracking = Mulai pelacakan waktu
+issues.tracker_auto_close = Pengatur waktu akan dihentikan secara otomatis saat issue ini ditutup
+issues.tracking_already_started = `Anda sudah memulai pelacakan waktu pada <a href="%s">isu lain</a>!`
+issues.stop_tracking = Hentikan pengatur waktu
+issues.cancel_tracking = Buang
+issues.cancel_tracking_history = `membatalkan pelacakan waktu %s`
+issues.add_time = Tambah waktu secara manual
+issues.del_time = Hapus log waktu ini
+issues.add_time_short = Tambah waktu
+issues.del_time_history = `menghapus waktu yang dihabiskan %s`
+issues.add_time_sum_to_small = Tidak ada waktu yang dimasukkan.
+issues.time_spent_from_all_authors = `Total waktu yang dihabiskan: %s`
+issues.due_date = Tenggat waktu
+issues.push_commit_1 = menambahkan %d commit %s
+issues.push_commits_n = menambahkan %d commit %s
+issues.force_push_codes = `melakukan force-push %[1]s dari <a class="%[7]s" href="%[3]s"><code>%[2]s</code></a> %[8]s ke <a class="%[7]s" href="%[5]s"><code>%[4]s</code></a> %[9]s %[6]s`
+issues.force_push_compare = Bandingkan
+issues.due_date_form = yyyy-mm-dd
+issues.due_date_not_set = Belum ada tenggat waktu yang ditetapkan.
+issues.due_date_added = menambahkan tenggat waktu %s %s
+issues.due_date_modified = mengubah tenggat waktu dari %[2]s menjadi %[1]s %[3]s
+issues.due_date_remove = menghapus tenggat waktu %s %s
+issues.due_date_overdue = Terlambat
+issues.due_date_invalid = Tenggat waktu tidak valid atau di luar rentang. Gunakan format "yyyy-mm-dd".
+issues.dependency.title = Ketergantungan
+issues.dependency.issue_no_dependencies = Belum ada ketergantungan yang ditetapkan.
+issues.dependency.pr_no_dependencies = Belum ada ketergantungan yang ditetapkan.
+issues.dependency.no_permission_1 = Anda tidak memiliki izin untuk membaca %d ketergantungan
+issues.dependency.no_permission_n = Anda tidak memiliki izin untuk membaca %d ketergantungan
+issues.dependency.no_permission.can_remove = Anda tidak memiliki izin untuk membaca ketergantungan ini tetapi dapat menghapus ketergantungan ini
+issues.dependency.add = Tambah ketergantungan…
+issues.dependency.remove_info = Hapus ketergantungan ini
+issues.dependency.added_dependency = `menambahkan ketergantungan baru %s`
+issues.dependency.removed_dependency = `menghapus ketergantungan %s`
+issues.dependency.pr_closing_blockedby = Penutupan permintaan tarik ini diblokir oleh isu-isu berikut
+issues.dependency.issue_closing_blockedby = Penutupan issue ini diblokir oleh isu-isu berikut
+issues.dependency.issue_close_blocks = Isu ini memblokir penutupan isu-isu berikut
+issues.dependency.pr_close_blocks = Permintaan tarik ini memblokir penutupan isu-isu berikut
+issues.dependency.issue_close_blocked = Anda perlu menutup semua issue yang memblokir issue ini sebelum dapat menutupnya.
+issues.dependency.issue_batch_close_blocked = Tidak dapat menutup issue yang dipilih secara massal, karena issue #%d masih memiliki ketergantungan yang terbuka
+issues.dependency.pr_close_blocked = Anda perlu menutup semua issue yang memblokir permintaan tarik ini sebelum dapat menggabungkannya.
+issues.dependency.blocks_short = Memblokir
+issues.dependency.blocked_by_short = Bergantung pada
+issues.dependency.remove_header = Hapus Ketergantungan
+issues.dependency.issue_remove_text = Ini akan menghapus ketergantungan dari issue ini. Lanjutkan?
+issues.dependency.pr_remove_text = Ini akan menghapus ketergantungan dari permintaan tarik ini. Lanjutkan?
+issues.dependency.setting = Aktifkan ketergantungan untuk issue dan permintaan tarik
+issues.dependency.add_error_same_issue = Anda tidak dapat membuat issue bergantung pada dirinya sendiri.
+issues.dependency.add_error_dep_issue_not_exist = Isu yang bergantung tidak ada.
+issues.dependency.add_error_dep_not_exist = Ketergantungan tidak ada.
+issues.dependency.add_error_dep_exists = Ketergantungan sudah ada.
+issues.dependency.add_error_cannot_create_circular = Anda tidak dapat membuat ketergantungan dengan dua issue yang saling memblokir satu sama lain.
+issues.dependency.add_error_dep_not_same_repo = Kedua issue harus berada di repositori yang sama.
+issues.review.self.approval = Anda tidak dapat menyetujui permintaan tarik Anda sendiri.
+issues.review.self.rejection = Anda tidak dapat meminta perubahan pada permintaan tarik Anda sendiri.
+issues.review.approve = menyetujui perubahan ini %s
+issues.review.comment = meninjau %s
+issues.review.dismissed = mengabaikan tinjauan %s %s
+issues.review.dismissed_label = Diabaikan
+issues.review.left_comment = meninggalkan komentar
+issues.review.content.empty = Anda perlu meninggalkan komentar yang menunjukkan perubahan yang diminta.
+issues.review.reject = meminta perubahan %s
+issues.review.add_review_request = meminta tinjauan dari %[1]s %[2]s
+issues.review.add_review_requests = meminta tinjauan dari %[1]s %[2]s
+issues.review.remove_review_request = menghapus permintaan tinjauan untuk %[1]s %[2]s
+issues.review.remove_review_requests = menghapus permintaan tinjauan untuk %[1]s %[2]s
+issues.review.remove_review_request_self = menolak untuk meninjau %s
+issues.review.add_remove_review_requests = meminta tinjauan dari %[1]s dan menghapus permintaan tinjauan untuk %[2]s %[3]s
+issues.review.pending = Tertunda
+issues.review.pending.tooltip = Komentar ini saat ini tidak terlihat oleh pengguna lain. Untuk mengirimkan komentar tertunda Anda, pilih "%s" -> "%s/%s/%s" di bagian atas halaman.
+issues.review.reviewers = Pengulas
+issues.review.outdated = Kedaluwarsa
+issues.review.outdated_description = Konten telah berubah sejak komentar ini dibuat
+issues.review.option.show_outdated_comments = Tampilkan komentar kedaluwarsa
+issues.review.option.hide_outdated_comments = Sembunyikan komentar kedaluwarsa
+issues.review.show_outdated = Tampilkan yang kedaluwarsa
+issues.review.hide_outdated = Sembunyikan yang kedaluwarsa
+issues.review.show_resolved = Tampilkan yang diselesaikan
+issues.review.hide_resolved = Sembunyikan yang diselesaikan
+issues.review.resolve_conversation = Tandai percakapan sebagai selesai
+issues.review.un_resolve_conversation = Batalkan penyelesaian percakapan
+issues.review.resolved_by = menandai percakapan ini sebagai selesai
+issues.reference_issue.body = Isi
+issues.content_history.edited = diedit
+issues.content_history.created = dibuat
+issues.content_history.delete_from_history = Hapus dari riwayat
+issues.content_history.delete_from_history_confirm = Hapus dari riwayat?
+issues.content_history.options = Opsi
+issues.blocked_by_user = Anda tidak dapat membuat issue di repositori ini karena Anda diblokir oleh pemilik repositori.
+comment.blocked_by_user = Pemberian komentar tidak dapat dilakukan karena Anda diblokir oleh pemilik repositori atau penulisnya.
+issues.summary_card_alt = Kartu ringkasan issue berjudul "%s" di repositori %s
+compare.compare_base = dasar
+compare.compare_head = bandingkan
+pulls.view = Lihat permintaan tarik
+pulls.edit.already_changed = Tidak dapat menyimpan perubahan pada permintaan tarik. Tampaknya konten sudah diubah oleh pengguna lain. Harap segarkan halaman dan coba edit lagi untuk menghindari penimpaan perubahan mereka
+pulls.sign_in_require = <a href="%s">Masuk</a> untuk membuat permintaan tarik baru.
+pulls.allow_edits_from_maintainers = Izinkan pengeditan dari pemelihara
+pulls.allow_edits_from_maintainers_desc = Pengguna dengan akses tulis ke cabang dasar juga dapat mendorong ke cabang ini
+pulls.allow_edits_from_maintainers_err = Pembaruan gagal
+pulls.compare_changes_desc = Pilih cabang tujuan penggabungan dan cabang sumber penarikan.
+pulls.has_viewed_file = Dilihat
+pulls.has_changed_since_last_review = Berubah sejak tinjauan terakhir Anda
+pulls.viewed_files_label = %[1]d / %[2]d file dilihat
+pulls.expand_files = Perluas semua file
+pulls.collapse_files = Ciutkan semua file
+pulls.compare_base = gabungkan ke
+pulls.compare_compare = tarik dari
+pulls.switch_comparison_type = Alihkan jenis perbandingan
+pulls.switch_head_and_base = Tukar head dan base
+pulls.show_all_commits = Tampilkan semua komit
+pulls.show_changes_since_your_last_review = Tampilkan perubahan sejak tinjauan terakhir Anda
+pulls.showing_only_single_commit = Hanya menampilkan perubahan commit %[1]s
+pulls.showing_specified_commit_range = Hanya menampilkan perubahan antara %[1]s..%[2]s
+pulls.select_commit_hold_shift_for_range = Pilih komit. Tahan shift + klik untuk memilih rentang
+pulls.filter_changes_by_commit = Filter berdasarkan komit
+pulls.nothing_to_compare = Cabang-cabang ini sama. Tidak perlu membuat permintaan tarik.
+pulls.nothing_to_compare_have_tag = Cabang/tag yang dipilih sama.
+pulls.nothing_to_compare_and_allow_empty_pr = Cabang-cabang ini sama. PR ini akan kosong.
+pulls.has_pull_request = `Permintaan tarik antara cabang-cabang ini sudah ada: <a href="%[1]s">%[2]s#%[3]d</a>`
+pulls.change_target_branch_at = `mengubah cabang target dari <b>%s</b> menjadi <b>%s</b> %s`
+pulls.tab_files = File yang diubah
+pulls.cant_reopen_deleted_branch = Permintaan tarik ini tidak dapat dibuka kembali karena cabangnya telah dihapus.
+pulls.merged_success = Permintaan tarik berhasil digabungkan dan ditutup
+pulls.closed = Permintaan tarik ditutup
+pulls.manually_merged = Digabungkan secara manual
+pulls.merged_info_text = Cabang %s sekarang dapat dihapus.
+pulls.is_closed = Permintaan tarik telah ditutup.
+pulls.title_wip_desc = `<a href="#">Mulai judul dengan <strong>%s</strong></a> untuk mencegah permintaan tarik digabungkan secara tidak sengaja.`
+pulls.cannot_merge_work_in_progress = Permintaan tarik ini ditandai sebagai pekerjaan yang sedang berjalan.
+pulls.still_in_progress = Masih dalam proses?
+pulls.add_prefix = Tambahkan awalan <strong>%s</strong>
+pulls.ready_for_review = Siap untuk ditinjau?
+pulls.remove_prefix = Hapus awalan <strong>%s</strong>
+pulls.data_broken = Permintaan tarik ini rusak karena informasi garpu yang hilang.
+pulls.files_conflicted = Permintaan tarik ini memiliki perubahan yang berkonflik dengan cabang target.
+pulls.is_checking = Pemeriksaan konflik penggabungan sedang berlangsung. Coba lagi dalam beberapa saat.
+pulls.is_ancestor = Cabang ini sudah termasuk dalam cabang target. Tidak ada yang perlu digabungkan.
+pulls.is_empty = Perubahan pada cabang ini sudah ada di cabang target. Ini akan menjadi commit kosong.
+pulls.required_status_check_failed = Beberapa pemeriksaan yang diperlukan tidak berhasil.
+pulls.required_status_check_missing = Beberapa pemeriksaan yang diperlukan tidak ada.
+pulls.required_status_check_administrator = Sebagai administrator, Anda masih dapat menggabungkan permintaan tarik ini.
+pulls.blocked_by_approvals = Permintaan tarik ini belum mendapat cukup persetujuan. %d dari %d persetujuan diberikan.
+pulls.blocked_by_rejection = Permintaan tarik ini memiliki perubahan yang diminta oleh pengulas resmi.
+pulls.blocked_by_official_review_requests = Permintaan tarik ini diblokir karena tidak mendapat persetujuan dari satu atau lebih pengulas resmi.
+pulls.blocked_by_outdated_branch = Permintaan tarik ini diblokir karena sudah kedaluwarsa.
+pulls.blocked_by_changed_protected_files_1 = Permintaan tarik ini diblokir karena mengubah file yang dilindungi:
+pulls.blocked_by_changed_protected_files_n = Permintaan tarik ini diblokir karena mengubah file-file yang dilindungi:
+pulls.cannot_auto_merge_desc = Permintaan tarik ini tidak dapat digabungkan secara otomatis karena konflik.
+pulls.cannot_auto_merge_helper = Gabungkan secara manual untuk menyelesaikan konflik.
+pulls.num_conflicting_files_1 = %d file berkonflik
+pulls.num_conflicting_files_n = %d file berkonflik
+pulls.approve_count_1 = %d persetujuan
+pulls.approve_count_n = %d persetujuan
+pulls.reject_count_1 = %d permintaan perubahan
+pulls.reject_count_n = %d permintaan perubahan
+pulls.waiting_count_1 = %d tinjauan yang ditunggu
+pulls.waiting_count_n = %d tinjauan yang ditunggu
+pulls.wrong_commit_id = id commit harus berupa id commit pada cabang target
+pulls.blocked_by_user = Anda tidak dapat membuat permintaan tarik di repositori ini karena Anda diblokir oleh pemilik repositori.
+pulls.no_merge_desc = Permintaan tarik ini tidak dapat digabungkan karena semua opsi penggabungan repositori dinonaktifkan.
+pulls.no_merge_helper = Aktifkan opsi penggabungan di pengaturan repositori atau gabungkan permintaan tarik secara manual.
+pulls.no_merge_wip = Permintaan tarik ini tidak dapat digabungkan karena ditandai sebagai pekerjaan yang sedang berjalan.
+pulls.no_merge_not_ready = Permintaan tarik ini belum siap untuk digabungkan, periksa status tinjauan dan pemeriksaan status.
+pulls.no_merge_access = Anda tidak berwenang untuk menggabungkan permintaan tarik ini.
+pulls.merge_pull_request = Buat commit gabungan
+pulls.rebase_merge_pull_request = Rebase lalu fast-forward
+pulls.rebase_merge_commit_pull_request = Rebase lalu buat commit gabungan
+pulls.squash_merge_pull_request = Buat commit squash
+pulls.fast_forward_only_merge_pull_request = Fast-forward saja
+pulls.merge_manually = Digabungkan secara manual
+pulls.merge_commit_id = ID commit gabungan
+pulls.require_signed_wont_sign = Cabang memerlukan commit yang ditandatangani tetapi penggabungan ini tidak akan ditandatangani
+pulls.invalid_merge_option = Anda tidak dapat menggunakan opsi penggabungan ini untuk permintaan tarik ini.
+pulls.merge_conflict = Penggabungan gagal: Terjadi konflik saat menggabungkan. Petunjuk: Coba strategi yang berbeda
+pulls.merge_conflict_summary = Pesan kesalahan
+pulls.rebase_conflict = Penggabungan gagal: Terjadi konflik saat melakukan rebase komit: %[1]s. Petunjuk: Coba strategi yang berbeda
+pulls.rebase_conflict_summary = Pesan kesalahan
+pulls.unrelated_histories = Penggabungan gagal: Head dan base penggabungan tidak memiliki riwayat yang sama. Petunjuk: Coba strategi yang berbeda
+pulls.merge_out_of_date = Penggabungan gagal: Saat menghasilkan penggabungan, base diperbarui. Petunjuk: Coba lagi.
+pulls.head_out_of_date = Penggabungan gagal: Saat menghasilkan penggabungan, head diperbarui. Petunjuk: Coba lagi.
+pulls.has_merged = Gagal: Permintaan tarik telah digabungkan, Anda tidak dapat menggabungkan lagi atau mengubah cabang target.
+pulls.push_rejected = Dorongan gagal: Dorongan ditolak. Tinjau hook Git untuk repositori ini.
+pulls.push_rejected_summary = Pesan penolakan lengkap
+pulls.push_rejected_no_message = Dorongan gagal: Dorongan ditolak tetapi tidak ada pesan jarak jauh. Tinjau hook Git untuk repositori ini
+pulls.open_unmerged_pull_exists = `Anda tidak dapat melakukan operasi buka kembali karena ada permintaan tarik yang tertunda (#%d) dengan properti yang identik.`
+pulls.status_checking = Beberapa pemeriksaan sedang tertunda
+pulls.status_checks_success = Semua pemeriksaan berhasil
+pulls.status_checks_warning = Beberapa pemeriksaan melaporkan peringatan
+pulls.status_checks_failure = Beberapa pemeriksaan gagal
+pulls.status_checks_error = Beberapa pemeriksaan melaporkan kesalahan
+pulls.status_checks_requested = Diperlukan
+pulls.status_checks_details = Detail
+pulls.status_checks_hide_all = Sembunyikan semua pemeriksaan
+pulls.status_checks_show_all = Tampilkan semua pemeriksaan
+pulls.update_branch = Perbarui cabang dengan penggabungan
+pulls.update_branch_rebase = Perbarui cabang dengan rebase
+pulls.update_branch_success = Pembaruan cabang berhasil
+pulls.update_not_allowed = Anda tidak diizinkan memperbarui cabang
+pulls.outdated_with_base_branch = Cabang ini tidak mutakhir dengan cabang dasar
+pulls.close = Tutup permintaan tarik
+pulls.closed_at = `menutup permintaan tarik ini %s`
+pulls.reopened_at = `membuka kembali permintaan tarik ini %s`
+pulls.commit_ref_at = `mereferensikan permintaan tarik ini dari commit %s`
+pulls.cmd_instruction_hint = Lihat instruksi baris perintah
+pulls.cmd_instruction_checkout_title = Checkout
+pulls.cmd_instruction_checkout_desc = Dari repositori proyek Anda, checkout cabang baru dan uji perubahan.
+pulls.cmd_instruction_merge_title = Gabungkan
+pulls.cmd_instruction_merge_desc = Gabungkan perubahan dan perbarui di Forgejo.
+pulls.cmd_instruction_merge_warning = <b>Peringatan:</b> Pengaturan "Deteksi otomatis penggabungan manual" tidak diaktifkan untuk repositori ini, Anda harus menandai permintaan tarik ini sebagai digabungkan secara manual setelahnya.
+pulls.clear_merge_message = Hapus pesan gabungan
+pulls.clear_merge_message_hint = Menghapus pesan gabungan hanya akan menghapus konten pesan commit dan mempertahankan trailer git yang dihasilkan seperti "Co-Authored-By …".
+pulls.reopen_failed.head_branch = Permintaan tarik tidak dapat dibuka kembali, karena cabang head tidak ada lagi.
+pulls.reopen_failed.base_branch = Permintaan tarik tidak dapat dibuka kembali, karena cabang dasar tidak ada lagi.
+pulls.made_using_agit = AGit
+pulls.agit_explanation = Dibuat menggunakan alur kerja AGit. AGit memungkinkan kontributor mengusulkan perubahan menggunakan "git push" tanpa membuat garpu atau cabang baru.
+pulls.editable = Dapat diedit
+pulls.editable_explanation = Permintaan tarik ini mengizinkan pengeditan dari pemelihara. Anda dapat berkontribusi langsung ke dalamnya.
+pulls.auto_merge_button_when_succeed = (Saat pemeriksaan berhasil)
+pulls.auto_merge_when_succeed = Gabungkan otomatis saat semua pemeriksaan berhasil
+pulls.auto_merge_newly_scheduled = Permintaan tarik dijadwalkan untuk digabungkan saat semua pemeriksaan berhasil.
+pulls.auto_merge_has_pending_schedule = %[1]s menjadwalkan permintaan tarik ini untuk digabungkan otomatis saat semua pemeriksaan berhasil %[2]s.
+pulls.auto_merge_cancel_schedule = Batalkan penggabungan otomatis
+pulls.auto_merge_not_scheduled = Permintaan tarik ini tidak dijadwalkan untuk digabungkan otomatis.
+pulls.auto_merge_canceled_schedule = Penggabungan otomatis dibatalkan untuk permintaan tarik ini.
+pulls.auto_merge_newly_scheduled_comment = `menjadwalkan permintaan tarik ini untuk digabungkan otomatis saat semua pemeriksaan berhasil %[1]s`
+pulls.auto_merge_canceled_schedule_comment = `membatalkan penggabungan otomatis permintaan tarik ini saat semua pemeriksaan berhasil %[1]s`
+pulls.delete_after_merge.head_branch.is_default = Cabang head yang ingin Anda hapus adalah cabang default dan tidak dapat dihapus.
+pulls.delete_after_merge.head_branch.is_protected = Cabang head yang ingin Anda hapus adalah cabang yang dilindungi dan tidak dapat dihapus.
+pulls.delete_after_merge.head_branch.insufficient_branch = Anda tidak memiliki izin untuk menghapus cabang head.
+pulls.delete.title = Hapus permintaan tarik ini?
+pulls.delete.text = Apakah Anda benar-benar ingin menghapus permintaan tarik ini? (Ini akan menghapus semua konten secara permanen. Pertimbangkan untuk menutupnya, jika Anda ingin tetap menyimpannya sebagai arsip)
+pulls.recently_pushed_new_branches = Anda mendorong ke cabang <a href="%[3]s"><strong>%[1]s</strong></a> %[2]s
+pull.deleted_branch = (dihapus):%s
+comments.edit.already_changed = Tidak dapat menyimpan perubahan pada komentar. Tampaknya konten sudah diubah oleh pengguna lain. Harap segarkan halaman dan coba edit lagi untuk menghindari penimpaan perubahan mereka
+milestones.update_ago = Diperbarui %s
+milestones.new_subheader = Tonggak pencapaian dapat membantu Anda mengorganisasi issue dan melacak kemajuannya.
+milestones.completeness = <strong>%d%%</strong> Selesai
+milestones.invalid_due_date_format = Format tenggat waktu harus "yyyy-mm-dd".
+milestones.create_success = Tonggak pencapaian "%s" telah dibuat.
+milestones.edit_subheader = Tonggak pencapaian mengorganisasi issue dan melacak kemajuan.
+milestones.modify = Perbarui tonggak pencapaian
+milestones.edit_success = Tonggak pencapaian "%s" telah diperbarui.
+milestones.deletion = Hapus tonggak pencapaian
+milestones.deletion_desc = Menghapus tonggak pencapaian akan menghapusnya dari semua issue terkait. Lanjutkan?
+milestones.deletion_success = Tonggak pencapaian telah dihapus.
+milestones.filter_sort.earliest_due_data = Tenggat waktu terdekat
+milestones.filter_sort.latest_due_date = Tenggat waktu terjauh
+signing.will_sign = Komit ini akan ditandatangani dengan kunci "%s".
+signing.wont_sign.error = Terjadi kesalahan saat memeriksa apakah commit dapat ditandatangani.
+signing.wont_sign.nokey = Instans ini tidak memiliki kunci untuk menandatangani commit ini.
+signing.wont_sign.never = Komit tidak pernah ditandatangani.
+signing.wont_sign.always = Komit selalu ditandatangani.
+signing.wont_sign.pubkey = Komit tidak akan ditandatangani karena Anda tidak memiliki kunci publik yang terkait dengan akun Anda.
+signing.wont_sign.twofa = Anda harus mengaktifkan autentikasi dua faktor agar commit dapat ditandatangani.
+signing.wont_sign.parentsigned = Komit tidak akan ditandatangani karena commit induk tidak ditandatangani.
+signing.wont_sign.basesigned = Penggabungan tidak akan ditandatangani karena commit dasar tidak ditandatangani.
+signing.wont_sign.headsigned = Penggabungan tidak akan ditandatangani karena commit head tidak ditandatangani.
+signing.wont_sign.commitssigned = Penggabungan tidak akan ditandatangani karena semua commit terkait tidak ditandatangani.
+signing.wont_sign.approved = Penggabungan tidak akan ditandatangani karena PR belum disetujui.
+signing.wont_sign.not_signed_in = Anda belum masuk.
+ext_wiki = Wiki Eksternal
+wiki.welcome = Selamat datang di wiki.
+wiki.welcome_desc = Wiki memungkinkan Anda menulis dan berbagi dokumentasi dengan kolaborator.
+wiki.create_first_page = Buat halaman pertama
+wiki.page_title = Judul halaman
+wiki.page_content = Konten halaman
+wiki.cancel = Batal
+wiki.file_revision = Revisi halaman
+wiki.wiki_page_revisions = Revisi halaman
+wiki.back_to_wiki = Kembali ke halaman wiki
+wiki.delete_page_notice_1 = Menghapus halaman wiki "%s" tidak dapat dibatalkan. Lanjutkan?
+wiki.reserved_page = Nama halaman wiki "%s" sudah dipesan.
+wiki.page_name_desc = Masukkan nama untuk halaman Wiki ini. Beberapa nama khusus adalah: "Home", "_Sidebar", dan "_Footer".
+wiki.original_git_entry_tooltip = Lihat file Git asli alih-alih menggunakan tautan yang mudah dibaca.
+wiki.search = Cari wiki
+wiki.no_search_results = Tidak ada hasil
+activity.navbar.pulse = Aktivitas
+activity.navbar.code_frequency = Frekuensi kode
+activity.navbar.contributors = Kontributor
+activity.navbar.recent_commits = Komit terbaru
+activity.period.quarterly = 3 bulan
+activity.period.semiyearly = 6 bulan
+activity.title.issues_closed_from = %s ditutup dari %s
+activity.title.unresolved_conv_1 = %d percakapan yang belum diselesaikan
+activity.title.unresolved_conv_n = %d percakapan yang belum diselesaikan
+activity.unresolved_conv_desc = Isu dan permintaan tarik yang baru-baru ini berubah ini belum diselesaikan.
+activity.published_prerelease_label = Pra-rilis
+activity.published_tag_label = Tag
+activity.no_git_activity = Tidak ada aktivitas commit dalam periode ini.
+activity.git_stats_exclude_merges = Tidak termasuk penggabungan,
+activity.git_stats_author_1 = %d penulis
+activity.git_stats_author_n = %d penulis
+activity.git_stats_pushed_1 = telah mendorong
+activity.git_stats_pushed_n = telah mendorong
+activity.git_stats_commit_1 = %d komit
+activity.git_stats_commit_n = %d komit
+activity.git_stats_push_to_branch = ke %s dan
+activity.git_stats_push_to_all_branches = ke semua cabang.
+activity.git_stats_on_default_branch = Pada %s,
+activity.git_stats_file_1 = %d file
+activity.git_stats_file_n = %d file
+activity.git_stats_files_changed_1 = telah berubah
+activity.git_stats_files_changed_n = telah berubah
+activity.git_stats_additions = dan telah terjadi
+activity.git_stats_addition_1 = %d penambahan
+activity.git_stats_addition_n = %d penambahan
+activity.git_stats_and_deletions = dan
+activity.git_stats_deletion_1 = %d penghapusan
+activity.git_stats_deletion_n = %d penghapusan
+activity.commit = Aktivitas komit
+contributors.contribution_type.filter_label = Jenis kontribusi:
+contributors.contribution_type.additions = Penambahan
+contributors.contribution_type.deletions = Penghapusan
+settings.collaboration = Kolaborator
+settings.collaboration.admin = Administrator
+settings.federation_settings = Pengaturan Federasi
+settings.federation_apapiurl = URL Federasi repositori ini. Salin dan tempel ini ke Pengaturan Federasi repositori lain sebagai URL Repositori yang Diikuti.
+settings.federation_following_repos = URL Repositori yang Diikuti. Dipisahkan oleh ";", tanpa spasi.
+settings.federation_not_enabled = Federasi tidak diaktifkan pada instans Anda.
+settings.mirror_settings.docs = Atur repositori Anda agar secara otomatis menyinkronkan komit, tag, dan cabang dengan repositori lain.
+settings.mirror_settings.docs.disabled_pull_mirror.instructions = Atur proyek Anda agar secara otomatis mendorong komit, tag, dan cabang ke repositori lain. Cermin tarik telah dinonaktifkan oleh administrator situs Anda.
+settings.mirror_settings.docs.disabled_push_mirror.instructions = Atur proyek Anda agar secara otomatis menarik komit, tag, dan cabang dari repositori lain.
+settings.mirror_settings.docs.disabled_push_mirror.pull_mirror_warning = Saat ini, hal ini hanya dapat dilakukan di menu "Migrasi Baru". Untuk informasi lebih lanjut, silakan lihat:
+settings.mirror_settings.docs.disabled_push_mirror.info = Cermin dorong telah dinonaktifkan oleh administrator situs Anda.
+settings.mirror_settings.docs.no_new_mirrors = Repositori Anda mencerminkan perubahan ke atau dari repositori lain. Harap diperhatikan bahwa Anda tidak dapat membuat cermin baru saat ini.
+settings.mirror_settings.docs.can_still_use = Meskipun Anda tidak dapat mengubah cermin yang ada atau membuat yang baru, Anda masih dapat menggunakan cermin yang ada.
+settings.mirror_settings.docs.pull_mirror_instructions = Untuk menyiapkan cermin tarik, silakan lihat:
+settings.mirror_settings.docs.more_information_if_disabled = Anda dapat mengetahui lebih lanjut tentang cermin dorong dan tarik di sini:
+settings.mirror_settings.docs.doc_link_title = Bagaimana cara mencerminkan repositori?
+settings.mirror_settings.docs.doc_link_pull_section = bagian "Menarik dari repositori jarak jauh" dalam dokumentasi.
+settings.mirror_settings.docs.pulling_remote_title = Menarik dari repositori jarak jauh
+settings.mirror_settings.mirrored_repository = Repositori yang dicerminkan
+settings.mirror_settings.pushed_repository = Repositori yang didorong
+settings.mirror_settings.direction = Arah
+settings.mirror_settings.direction.pull = Tarik
+settings.mirror_settings.direction.push = Dorong
+settings.mirror_settings.last_update = Pembaruan terakhir
+settings.mirror_settings.push_mirror.none = Tidak ada cermin dorong yang dikonfigurasi
+settings.mirror_settings.push_mirror.remote_url = URL repositori Git jarak jauh
+settings.mirror_settings.push_mirror.add = Tambah cermin dorong
+settings.mirror_settings.push_mirror.edit_sync_time = Edit interval sinkronisasi cermin
+settings.mirror_settings.push_mirror.none_ssh = Tidak ada
+settings.units.units = Unit
+settings.units.overview = Ikhtisar
+settings.units.add_more = Aktifkan lebih banyak
+settings.sync_mirror = Sinkronkan sekarang
+settings.mirror_settings.push_mirror.copy_public_key = Salin kunci publik
+settings.pull_mirror_sync_in_progress = Sedang menarik perubahan dari jarak jauh %s saat ini.
+settings.pull_mirror_sync_quota_exceeded = Kuota terlampaui, tidak menarik perubahan.
+settings.push_mirror_sync_in_progress = Sedang mendorong perubahan ke jarak jauh %s saat ini.
+settings.update_mirror_settings = Perbarui pengaturan cermin
+settings.branches.switch_default_branch = Ganti cabang default
+settings.branches.update_default_branch = Perbarui cabang default
+settings.branches.add_new_rule = Tambah aturan baru
+settings.wiki_desc = Aktifkan wiki repositori
+settings.wiki_globally_editable = Izinkan siapa saja mengedit wiki
+settings.use_internal_wiki = Gunakan wiki bawaan
+settings.use_external_wiki = Gunakan wiki eksternal
+settings.external_wiki_url_error = URL wiki eksternal bukan URL yang valid.
+settings.external_wiki_url_desc = Pengunjung diarahkan ke URL wiki eksternal saat mengklik tab wiki.
+settings.issues_desc = Aktifkan pelacak issue repositori
+settings.use_internal_issue_tracker = Gunakan pelacak issue bawaan
+settings.use_external_issue_tracker = Gunakan pelacak issue eksternal
+settings.external_tracker_url_error = URL pelacak issue eksternal bukan URL yang valid.
+settings.external_tracker_url_desc = Pengunjung diarahkan ke URL pelacak issue eksternal saat mengklik tab isu.
+settings.tracker_url_format_error = Format URL pelacak issue eksternal bukan URL yang valid.
+settings.tracker_issue_style = Format Nomor pelacak issue eksternal
+settings.tracker_issue_style.regexp = Ekspresi Reguler
+settings.tracker_issue_style.regexp_pattern = Pola Ekspresi Reguler
+settings.tracker_issue_style.regexp_pattern_desc = Grup yang ditangkap pertama akan digunakan sebagai pengganti <code>{index}</code>.
+settings.tracker_url_format_desc = Gunakan placeholder <code>{user}</code>, <code>{repo}</code>, dan <code>{index}</code> untuk nama pengguna, nama repositori, dan indeks isu.
+settings.enable_timetracker = Aktifkan pelacakan waktu
+settings.allow_only_contributors_to_track_time = Biarkan hanya kontributor yang melacak waktu
+settings.pulls_desc = Aktifkan permintaan tarik repositori
+settings.pulls.ignore_whitespace = Abaikan spasi untuk konflik
+settings.pulls.enable_autodetect_manual_merge = Aktifkan deteksi otomatis penggabungan manual (Catatan: Dalam beberapa kasus khusus, kesalahan penilaian dapat terjadi)
+settings.pulls.allow_rebase_update = Aktifkan pembaruan cabang permintaan tarik dengan rebase
+settings.default_update_style_desc = Gaya pembaruan default yang digunakan untuk memperbarui permintaan tarik yang tertinggal dari cabang dasar.
+settings.pulls.default_delete_branch_after_merge = Hapus cabang permintaan tarik setelah penggabungan secara default
+settings.pulls.default_allow_edits_from_maintainers = Izinkan pengeditan dari pemelihara secara default
+settings.releases_desc = Aktifkan rilis repositori
+settings.packages_desc = Aktifkan registri paket repositori
+settings.projects_desc = Aktifkan proyek repositori
+settings.actions_desc = Aktifkan pipeline CI/CD terintegrasi dengan Forgejo Actions
+settings.admin_settings = Pengaturan administrator
+settings.admin_enable_health_check = Aktifkan pemeriksaan kesehatan repositori (git fsck)
+settings.admin_code_indexer = Pengindeks kode
+settings.admin_stats_indexer = Pengindeks statistik kode
+settings.admin_indexer_commit_sha = Komit yang terindeks terakhir
+settings.admin_indexer_unindexed = Belum diindeks
+settings.reindex_button = Tambahkan ke antrian pengindeksan ulang
+settings.reindex_requested = Pengindeksan ulang diminta
+settings.admin_enable_close_issues_via_commit_in_any_branch = Tutup issue melalui commit yang dibuat di cabang non-default
+settings.new_owner_blocked_doer = Pemilik baru telah memblokir Anda.
+settings.convert = Konversi ke repositori biasa
+settings.convert_desc = Anda dapat mengonversi cermin ini menjadi repositori biasa. Tindakan ini tidak dapat dibatalkan.
+settings.convert_notices_1 = Operasi ini akan mengonversi cermin menjadi repositori biasa dan tidak dapat dibatalkan.
+settings.convert_confirm = Konversi repositori
+settings.convert_succeed = Cermin telah dikonversi menjadi repositori biasa.
+settings.convert_fork = Konversi ke repositori biasa
+settings.convert_fork_desc = Anda dapat mengonversi garpu ini menjadi repositori biasa. Tindakan ini tidak dapat dibatalkan.
+settings.convert_fork_notices_1 = Operasi ini akan mengonversi garpu menjadi repositori biasa dan tidak dapat dibatalkan.
+settings.convert_fork_confirm = Konversi repositori
+settings.convert_fork_succeed = Garpu telah dikonversi menjadi repositori biasa.
+settings.transfer.button = Alihkan kepemilikan
+settings.transfer.modal.title = Alihkan kepemilikan
+settings.transfer.rejected = Pengalihan repositori ditolak.
+settings.transfer.success = Pengalihan repositori berhasil.
+settings.transfer_abort = Batalkan pengalihan
+settings.transfer_abort_invalid = Anda tidak dapat membatalkan pengalihan repositori yang tidak ada.
+settings.transfer_abort_success = Pengalihan repositori ke %s berhasil dibatalkan.
+settings.transfer_desc = Alihkan repositori ini ke pengguna atau ke organisasi yang Anda miliki hak administratornya.
+settings.enter_repo_name = Masukkan nama pemilik dan repositori persis seperti yang ditampilkan:
+settings.confirmation_string = String konfirmasi
+settings.transfer_in_progress = Saat ini sedang ada pengalihan yang berlangsung. Harap batalkan jika Anda ingin mengalihkan repositori ini ke pengguna lain.
+settings.transfer_notices_1 = - Anda akan kehilangan akses ke repositori jika mengalihkannya ke pengguna individu.
+settings.transfer_notices_2 = - Anda akan tetap memiliki akses ke repositori jika mengalihkannya ke organisasi yang Anda (ikut) miliki.
+settings.transfer_notices_3 = - Jika repositori bersifat privat dan dialihkan ke pengguna individu, tindakan ini memastikan bahwa pengguna tersebut memiliki setidaknya izin baca (dan mengubah izin jika diperlukan).
+settings.transfer_perform = Lakukan pengalihan
+settings.transfer_started = Repositori ini telah ditandai untuk pengalihan dan menunggu konfirmasi dari "%s"
+settings.transfer_succeed = Repositori telah dialihkan.
+settings.transfer_quota_exceeded = Pemilik baru (%s) melebihi kuota. Repositori tidak dialihkan.
+settings.signing_settings = Pengaturan verifikasi penandatanganan
+settings.trust_model = Model kepercayaan tanda tangan
+settings.trust_model.default = Model kepercayaan default
+settings.trust_model.default.desc = Gunakan model kepercayaan repositori default untuk instalasi ini.
+settings.trust_model.collaborator = Kolaborator
+settings.trust_model.collaborator.long = Kolaborator: Percayai tanda tangan oleh kolaborator
+settings.trust_model.collaborator.desc = Tanda tangan valid oleh kolaborator repositori ini akan ditandai "dipercaya" - (baik cocok dengan pembuat commit maupun tidak). Selain itu, tanda tangan valid akan ditandai "tidak dipercaya" jika tanda tangan cocok dengan pembuat commit dan "tidak cocok" jika tidak.
+settings.trust_model.committer = Pembuat komit
+settings.trust_model.committer.long = Pembuat komit: Percayai tanda tangan yang cocok dengan pembuat commit (Ini cocok dengan GitHub dan akan memaksa commit yang ditandatangani Forgejo memiliki Forgejo sebagai pembuat komit)
+settings.trust_model.committer.desc = Tanda tangan valid hanya akan ditandai "dipercaya" jika cocok dengan pembuat komit, selain itu akan ditandai "tidak cocok". Ini memaksa Forgejo menjadi pembuat commit pada commit yang ditandatangani dengan pembuat commit sebenarnya ditandai sebagai Co-authored-by: dan Co-committed-by: trailer dalam komit. Kunci Forgejo default harus cocok dengan Pengguna dalam basis data.
+settings.trust_model.collaboratorcommitter = Kolaborator+Pembuat komit
+settings.trust_model.collaboratorcommitter.long = Kolaborator+Pembuat komit: Percayai tanda tangan oleh kolaborator yang cocok dengan pembuat komit
+settings.trust_model.collaboratorcommitter.desc = Tanda tangan valid oleh kolaborator repositori ini akan ditandai "dipercaya" jika cocok dengan pembuat komit. Selain itu, tanda tangan valid akan ditandai "tidak dipercaya" jika tanda tangan cocok dengan pembuat commit dan "tidak cocok" selain itu. Ini akan memaksa Forgejo ditandai sebagai pembuat commit pada commit yang ditandatangani dengan pembuat commit sebenarnya ditandai sebagai Co-Authored-By: dan Co-Committed-By: trailer dalam komit. Kunci Forgejo default harus cocok dengan Pengguna dalam basis data.
+settings.wiki_rename_branch_main = Normalkan nama cabang Wiki
+settings.wiki_rename_branch_main_desc = Ubah nama cabang yang digunakan secara internal oleh Wiki menjadi "%s". Perubahan ini permanen dan tidak dapat dibatalkan.
+settings.wiki_rename_branch_main_notices_1 = Operasi ini <strong>TIDAK DAPAT</strong> dibatalkan.
+settings.wiki_rename_branch_main_notices_2 = Ini akan secara permanen mengubah nama cabang internal wiki repositori %s. Checkout yang ada perlu diperbarui.
+settings.wiki_branch_rename_success = Nama cabang wiki repositori telah berhasil dinormalkan.
+settings.wiki_branch_rename_failure = Gagal menormalkan nama cabang wiki repositori.
+settings.confirm_wiki_branch_rename = Ubah nama cabang wiki
+settings.wiki_delete = Hapus data wiki
+settings.wiki_delete_desc = Menghapus data wiki repositori bersifat permanen dan tidak dapat dibatalkan.
+settings.wiki_delete_notices_1 = - Ini akan menghapus secara permanen dan menonaktifkan wiki repositori untuk %s.
+settings.confirm_wiki_delete = Hapus data wiki
+settings.wiki_deletion_success = Data wiki repositori telah dihapus.
+settings.delete_desc = Menghapus repositori bersifat permanen dan tidak dapat dibatalkan.
+settings.delete_notices_2 = - Operasi ini akan menghapus secara permanen repositori <strong>%s</strong> termasuk kode, isu, komentar, data wiki, dan pengaturan kolaborator.
+settings.delete_notices_fork_1 = - Garpu dari repositori ini akan menjadi independen setelah penghapusan.
+settings.deletion_success = Repositori telah dihapus.
+settings.update_settings_success = Pengaturan repositori telah diperbarui.
+settings.update_settings_no_unit = Repositori harus mengizinkan setidaknya beberapa jenis interaksi.
+settings.confirm_delete = Hapus repositori
+settings.add_collaborator = Tambah kolaborator
+settings.add_collaborator_success = Kolaborator telah ditambahkan.
+settings.add_collaborator_inactive_user = Tidak dapat menambahkan pengguna yang tidak aktif sebagai kolaborator.
+settings.add_collaborator_owner = Tidak dapat menambahkan pemilik sebagai kolaborator.
+settings.add_collaborator_duplicate = Kolaborator sudah ditambahkan ke repositori ini.
+settings.add_collaborator_blocked_our = Tidak dapat menambahkan kolaborator, karena pemilik repositori telah memblokir mereka.
+settings.add_collaborator_blocked_them = Tidak dapat menambahkan kolaborator, karena mereka telah memblokir pemilik repositori.
+settings.collaborator_deletion = Hapus kolaborator
+settings.collaborator_deletion_desc = Menghapus kolaborator akan mencabut akses mereka ke repositori ini. Lanjutkan?
+settings.remove_collaborator_success = Kolaborator telah dihapus.
+settings.org_not_allowed_to_be_collaborator = Organisasi tidak dapat ditambahkan sebagai kolaborator.
+settings.change_team_access_not_allowed = Perubahan akses tim untuk repositori telah dibatasi hanya untuk pemilik organisasi
+settings.team_not_in_organization = Tim tidak berada dalam organisasi yang sama dengan repositori
+settings.add_team = Tambah tim
+settings.add_team_duplicate = Tim sudah memiliki akses ke repositori
+settings.add_team_success = Tim sekarang memiliki akses ke repositori.
+settings.change_team_permission_tip = Izin tim diatur di halaman pengaturan tim dan tidak dapat diubah per repositori
+settings.delete_team_tip = Tim ini memiliki akses ke semua repositori dan tidak dapat dihapus
+settings.remove_team_success = Akses tim ke repositori telah dihapus.
+settings.add_webhook.invalid_channel_name = Nama saluran webhook tidak boleh kosong dan tidak boleh hanya berisi karakter #.
+settings.add_webhook.invalid_path = Jalur tidak boleh mengandung bagian yang berupa "." atau ".." atau string kosong. Tidak boleh diawali atau diakhiri dengan garis miring.
+settings.hooks_desc = Webhook secara otomatis membuat permintaan HTTP POST ke server saat peristiwa Forgejo tertentu terpicu. Baca selengkapnya di <a target="_blank" rel="noopener noreferrer" href="%s">panduan webhook</a>.
+settings.webhook_deletion = Hapus webhook
+settings.webhook_deletion_desc = Menghapus webhook akan menghapus pengaturan dan riwayat pengirimannya. Lanjutkan?
+settings.webhook_deletion_success = Webhook telah dihapus.
+settings.webhook.test_delivery_desc = Uji webhook ini dengan peristiwa palsu.
+settings.webhook.test_delivery_desc_disabled = Untuk menguji webhook ini dengan peristiwa palsu, aktifkan terlebih dahulu.
+settings.webhook.replay.description = Putar ulang webhook ini.
+settings.webhook.replay.description_disabled = Untuk memutar ulang webhook ini, aktifkan terlebih dahulu.
+settings.webhook.delivery.success = Sebuah peristiwa telah ditambahkan ke antrian pengiriman. Mungkin perlu beberapa detik sebelum muncul di riwayat pengiriman.
+settings.githooks_desc = Hook Git ditenagai oleh Git itu sendiri. Anda dapat mengedit file hook di bawah ini untuk menyiapkan operasi khusus.
+settings.add_webhook_desc = Forgejo akan mengirimkan permintaan <code>POST</code> dengan Content-Type yang ditentukan ke URL target. Baca selengkapnya di <a target="_blank" rel="noopener noreferrer" href="%s">panduan webhook</a>.
+settings.payload_url = URL target
+settings.http_method = Metode HTTP
+settings.content_type = Jenis konten POST
+settings.slack_color = Warna
+settings.discord_icon_url.exceeds_max_length = URL ikon harus kurang dari atau sama dengan 2048 karakter
+settings.event_desc = Picu pada:
+settings.event_push_only = Peristiwa dorong
+settings.event_send_everything = Semua peristiwa
+settings.event_choose = Peristiwa khusus…
+settings.event_header_repository = Peristiwa repositori
+settings.event_create_desc = Cabang atau tag dibuat.
+settings.event_delete_desc = Cabang atau tag dihapus.
+settings.event_fork_desc = Repositori digarpu.
+settings.event_wiki_desc = Halaman wiki dibuat, diubah nama, diedit, atau dihapus.
+settings.event_release = Rilis
+settings.event_release_desc = Rilis diterbitkan, diperbarui, atau dihapus di repositori.
+settings.event_push_desc = Git push ke repositori.
+settings.event_repository_desc = Repositori dibuat atau dihapus.
+settings.event_header_issue = Peristiwa isu
+settings.event_issues_desc = Isu dibuka, ditutup, dibuka kembali, atau diedit.
+settings.event_issue_assign = Penugasan
+settings.event_issue_assign_desc = Isu ditugaskan atau dibatalkan penugasannya.
+settings.event_issue_label = Label
+settings.event_issue_label_desc = Label issue ditambahkan atau dihapus.
+settings.event_issue_milestone = Tonggak pencapaian
+settings.event_issue_milestone_desc = Tonggak pencapaian ditambahkan, dihapus, atau dimodifikasi.
+settings.event_issue_comment = Komentar
+settings.event_issue_comment_desc = Komentar issue dibuat, diedit, atau dihapus.
+settings.event_header_pull_request = Peristiwa permintaan tarik
+settings.event_pull_request_desc = Permintaan tarik dibuka, ditutup, dibuka kembali, atau diedit.
+settings.event_pull_request_assign = Penugasan
+settings.event_pull_request_assign_desc = Permintaan tarik ditugaskan atau dibatalkan penugasannya.
+settings.event_pull_request_label = Label
+settings.event_pull_request_label_desc = Label permintaan tarik ditambahkan atau dihapus.
+settings.event_pull_request_milestone = Tonggak pencapaian
+settings.event_pull_request_milestone_desc = Tonggak pencapaian ditambahkan, dihapus, atau dimodifikasi.
+settings.event_pull_request_comment = Komentar
+settings.event_pull_request_comment_desc = Komentar permintaan tarik dibuat, diedit, atau dihapus.
+settings.event_pull_request_review = Tinjauan
+settings.event_pull_request_review_desc = Permintaan tarik disetujui, ditolak, atau komentar tinjauan ditambahkan.
+settings.event_pull_request_sync = Disinkronkan
+settings.event_pull_request_sync_desc = Cabang diperbarui secara otomatis dengan cabang target.
+settings.event_pull_request_review_request = Permintaan tinjauan
+settings.event_pull_request_review_request_desc = Tinjauan permintaan tarik diminta atau permintaan tinjauan dihapus.
+settings.event_pull_request_approvals = Persetujuan permintaan tarik
+settings.event_pull_request_merge = Penggabungan permintaan tarik
+settings.event_pull_request_enforcement = Penegakan
+settings.event_header_action = Peristiwa Jalankan Aksi
+settings.event_action_failure = Kegagalan
+settings.event_action_failure_desc = Jalankan Aksi berakhir dengan kegagalan.
+settings.event_action_recover = Pemulihan
+settings.event_action_recover_desc = Jalankan Aksi berhasil setelah Jalankan Aksi terakhir dalam alur kerja yang sama gagal.
+settings.event_action_success = Berhasil
+settings.event_action_success_desc = Jalankan Aksi berhasil.
+settings.event_package = Paket
+settings.event_package_desc = Paket dibuat atau dihapus di repositori.
+settings.branch_filter = Filter cabang
+settings.branch_filter_desc = Daftar putih cabang untuk peristiwa dorong, pembuatan cabang, dan penghapusan cabang, ditentukan sebagai pola glob. Jika kosong atau <code>*</code>, peristiwa untuk semua cabang akan dilaporkan. Lihat dokumentasi <a href="%[1]s">%[2]s</a> untuk sintaks. Contoh: <code>master</code>, <code>{master,release*}</code>.
+settings.authorization_header = Header otorisasi
+settings.authorization_header_desc = Akan disertakan sebagai header otorisasi untuk permintaan jika ada. Contoh: %s.
+settings.active = Aktif
+settings.active_helper = Informasi tentang peristiwa yang dipicu akan dikirim ke URL webhook ini.
+settings.add_hook_success = Webhook telah ditambahkan.
+settings.update_hook_success = Webhook telah diperbarui.
+settings.delete_webhook = Hapus webhook
+settings.add_web_hook_desc = Integrasikan <a target="_blank" rel="noreferrer" href="%s">%s</a> ke dalam repositori Anda.
+settings.graphql_url = URL GraphQL
+settings.web_hook_name_gitea = Gitea
+settings.web_hook_name_forgejo = Forgejo
+settings.web_hook_name_gogs = Gogs
+settings.web_hook_name_slack = Slack
+settings.web_hook_name_discord = Discord
+settings.web_hook_name_dingtalk = DingTalk
+settings.web_hook_name_telegram = Telegram
+settings.web_hook_name_matrix = Matrix
+settings.web_hook_name_msteams = Microsoft Teams
+settings.web_hook_name_feishu = Feishu / Lark Suite
+settings.web_hook_name_feishu_only = Feishu
+settings.web_hook_name_larksuite_only = Lark Suite
+settings.web_hook_name_wechatwork = WeCom (Wechat Work)
+settings.web_hook_name_packagist = Packagist
+settings.packagist_username = Nama pengguna Packagist
+settings.packagist_api_token = Token API
+settings.packagist_package_url = URL paket Packagist
+settings.web_hook_name_sourcehut_builds = SourceHut Builds
+settings.sourcehut_builds.manifest_path = Jalur manifes build
+settings.sourcehut_builds.visibility = Visibilitas pekerjaan
+settings.sourcehut_builds.secrets = Rahasia
+settings.sourcehut_builds.secrets_helper = Berikan pekerjaan akses ke rahasia build (memerlukan izin SECRETS:RO)
+settings.sourcehut_builds.access_token_helper = Token akses yang memiliki izin JOBS:RW. Buat <a target="_blank" rel="noopener noreferrer" href="%s">token builds.sr.ht</a> atau <a target="_blank" rel="noopener noreferrer" href="%s">token builds.sr.ht dengan akses rahasia</a> di meta.sr.ht.
+settings.deploy_key_desc = Kunci deploy dapat memiliki akses hanya-baca atau baca-tulis ke repositori.
+settings.is_writable = Aktifkan akses tulis
+settings.is_writable_info = Izinkan kunci deploy ini untuk <strong>mendorong</strong> ke repositori.
+settings.no_deploy_keys = Belum ada kunci deploy.
+settings.key_been_used = Kunci deploy dengan konten yang identik sudah digunakan.
+settings.key_name_used = Kunci deploy dengan nama yang sama sudah ada.
+settings.add_key_success = Kunci deploy "%s" telah ditambahkan.
+settings.deploy_key_deletion = Hapus kunci deploy
+settings.deploy_key_deletion_desc = Menghapus kunci deploy akan mencabut aksesnya ke repositori ini. Lanjutkan?
+settings.deploy_key_deletion_success = Kunci deploy telah dihapus.
+settings.protected_branch.save_rule = Simpan aturan
+settings.protected_branch.delete_rule = Hapus aturan
+settings.branch_protection = Aturan perlindungan untuk cabang "<b>%s</b>"
+settings.protect_new_rule = Buat aturan perlindungan cabang baru
+settings.protect_disable_push = Nonaktifkan dorong
+settings.protect_disable_push_desc = Tidak ada pendorongan yang diizinkan ke cabang ini.
+settings.protect_enable_push = Aktifkan dorong
+settings.protect_enable_push_desc = Siapa pun dengan akses tulis akan diizinkan untuk mendorong ke cabang ini (tetapi tidak force push).
+settings.protect_enable_merge = Aktifkan penggabungan
+settings.protect_enable_merge_desc = Siapa pun dengan akses tulis akan diizinkan untuk menggabungkan permintaan tarik ke cabang ini.
+settings.protect_whitelist_committers = Daftar putih dorong yang dibatasi
+settings.protect_whitelist_committers_desc = Hanya pengguna atau tim yang masuk daftar putih yang diizinkan untuk mendorong ke cabang ini (tetapi tidak force push).
+settings.protect_whitelist_deploy_keys = Masukkan kunci deploy dengan akses tulis ke daftar putih untuk mendorong.
+settings.protect_whitelist_users = Pengguna yang masuk daftar putih untuk mendorong
+settings.protect_whitelist_teams = Tim yang masuk daftar putih untuk mendorong
+settings.protect_merge_whitelist_committers = Aktifkan daftar putih penggabungan
+settings.protect_merge_whitelist_committers_desc = Izinkan hanya pengguna atau tim yang masuk daftar putih untuk menggabungkan permintaan tarik ke cabang ini.
+settings.protect_merge_whitelist_users = Pengguna yang masuk daftar putih untuk penggabungan
+settings.protect_merge_whitelist_teams = Tim yang masuk daftar putih untuk penggabungan
+settings.protect_check_status_contexts = Aktifkan pemeriksaan status
+settings.protect_status_check_patterns = Pola pemeriksaan status
+settings.protect_status_check_patterns_desc = Masukkan pola untuk menentukan pemeriksaan status mana yang harus lulus sebelum cabang dapat digabungkan ke cabang yang cocok dengan aturan ini. Setiap baris menentukan satu pola. Pola tidak boleh kosong.
+settings.protect_check_status_contexts_desc = Wajibkan pemeriksaan status lulus sebelum penggabungan. Jika diaktifkan, commit harus terlebih dahulu didorong ke cabang lain, kemudian digabungkan atau didorong langsung ke cabang yang cocok dengan aturan ini setelah pemeriksaan status lulus. Jika tidak ada konteks yang cocok, commit terakhir harus berhasil terlepas dari konteksnya.
+settings.protect_check_status_contexts_list = Pemeriksaan status yang ditemukan dalam seminggu terakhir untuk repositori ini
+settings.protect_status_check_matched = Cocok
+settings.protect_invalid_status_check_pattern = Pola pemeriksaan status tidak valid: "%s".
+settings.protect_no_valid_status_check_patterns = Tidak ada pola pemeriksaan status yang valid.
+settings.protect_required_approvals = Persetujuan yang diperlukan
+settings.protect_required_approvals_desc = Izinkan penggabungan permintaan tarik hanya dengan cukup ulasan positif.
+settings.protect_approvals_whitelist_enabled = Batasi persetujuan untuk pengguna atau tim yang masuk daftar putih
+settings.protect_approvals_whitelist_enabled_desc = Hanya ulasan dari pengguna atau tim yang masuk daftar putih yang akan dihitung untuk persetujuan yang diperlukan. Tanpa daftar putih persetujuan, ulasan dari siapa pun dengan akses tulis akan dihitung untuk persetujuan yang diperlukan.
+settings.protect_approvals_whitelist_users = Pengulas yang masuk daftar putih
+settings.protect_approvals_whitelist_teams = Tim yang masuk daftar putih untuk ulasan
+settings.dismiss_stale_approvals = Abaikan persetujuan lama
+settings.dismiss_stale_approvals_desc = Ketika commit baru yang mengubah konten permintaan tarik didorong ke cabang, persetujuan lama akan diabaikan.
+settings.ignore_stale_approvals = Abaikan persetujuan yang sudah basi
+settings.ignore_stale_approvals_desc = Jangan hitung persetujuan yang dibuat pada commit yang lebih lama (ulasan basi) terhadap jumlah persetujuan yang dimiliki PR. Tidak relevan jika ulasan basi sudah diabaikan.
+settings.require_signed_commits = Wajibkan commit yang ditandatangani
+settings.require_signed_commits_desc = Tolak pendorongan ke cabang ini jika tidak ditandatangani atau tidak dapat diverifikasi.
+settings.protect_branch_name_pattern = Pola nama cabang yang dilindungi
+settings.protect_branch_name_pattern_desc = Pola nama cabang yang dilindungi. Lihat <a href="%s">dokumentasi</a> untuk sintaks pola. Contoh: main, release/**
+settings.protect_patterns = Pola
+settings.protect_protected_file_patterns = Pola file yang dilindungi (dipisahkan menggunakan titik koma ";")
+settings.protect_protected_file_patterns_desc = File yang dilindungi tidak diizinkan untuk diubah secara langsung meskipun pengguna memiliki hak untuk menambah, mengedit, atau menghapus file di cabang ini. Beberapa pola dapat dipisahkan menggunakan titik koma (";"). Lihat dokumentasi <a href="%[1]s">%[2]s</a> untuk sintaks pola. Contoh: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>.
+settings.protect_unprotected_file_patterns = Pola file yang tidak dilindungi (dipisahkan menggunakan titik koma ";")
+settings.protect_unprotected_file_patterns_desc = File yang tidak dilindungi yang diizinkan untuk diubah secara langsung jika pengguna memiliki akses tulis, melewati pembatasan dorong. Beberapa pola dapat dipisahkan menggunakan titik koma (";"). Lihat dokumentasi <a href="%[1]s">%[2]s</a> untuk sintaks pola. Contoh: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>.
+settings.update_protect_branch_success = Perlindungan cabang untuk aturan "%s" telah diperbarui.
+settings.remove_protected_branch_success = Perlindungan cabang untuk aturan "%s" telah dihapus.
+settings.remove_protected_branch_failed = Penghapusan aturan perlindungan cabang "%s" gagal.
+settings.protected_branch_deletion = Hapus perlindungan cabang
+settings.protected_branch_deletion_desc = Menonaktifkan perlindungan cabang memungkinkan pengguna dengan izin tulis untuk mendorong ke cabang. Lanjutkan?
+settings.block_rejected_reviews = Blokir penggabungan pada ulasan yang ditolak
+settings.block_rejected_reviews_desc = Penggabungan tidak akan mungkin dilakukan ketika ada perubahan yang diminta oleh pengulas resmi, meskipun sudah ada cukup persetujuan.
+settings.block_on_official_review_requests = Blokir penggabungan pada permintaan tinjauan resmi
+settings.block_on_official_review_requests_desc = Penggabungan tidak akan mungkin dilakukan ketika ada permintaan tinjauan resmi, meskipun sudah ada cukup persetujuan.
+settings.block_outdated_branch = Blokir penggabungan jika permintaan tarik sudah ketinggalan
+settings.block_outdated_branch_desc = Penggabungan tidak akan mungkin dilakukan ketika cabang head tertinggal dari cabang dasar.
+settings.enforce_on_admins = Terapkan aturan ini untuk administrator repositori
+settings.enforce_on_admins_desc = Administrator repositori tidak dapat melewati aturan ini.
+settings.default_branch_desc = Pilih cabang repositori default untuk permintaan tarik dan commit kode:
+settings.merge_style_desc = Gaya penggabungan
+settings.default_merge_style_desc = Gaya penggabungan default
+settings.no_protected_branch = Tidak ada cabang yang dilindungi.
+settings.protected_branch_required_rule_name = Nama aturan diperlukan
+settings.protected_branch_duplicate_rule_name = Sudah ada aturan untuk kumpulan cabang ini
+settings.protected_branch_required_approvals_min = Persetujuan yang diperlukan tidak boleh negatif.
+settings.tags = Tag
+settings.tags.protection = Perlindungan tag
+settings.tags.protection.pattern = Pola tag
+settings.tags.protection.allowed = Diizinkan
+settings.tags.protection.allowed.users = Pengguna yang diizinkan
+settings.tags.protection.allowed.teams = Tim yang diizinkan
+settings.tags.protection.allowed.noone = Tidak ada
+settings.tags.protection.create = Tambah aturan
+settings.tags.protection.none = Tidak ada tag yang dilindungi.
+settings.tags.protection.pattern.description = Anda dapat menggunakan nama tunggal, pola glob, atau ekspresi reguler untuk mencocokkan beberapa tag. Baca selengkapnya di <a target="_blank" rel="noopener" href="%s">panduan tag yang dilindungi</a>.
+settings.bot_token = Token bot
+settings.chat_id = ID obrolan
+settings.thread_id = ID utas
+settings.matrix.homeserver_url = URL Homeserver
+settings.matrix.room_id = ID ruangan
+settings.matrix.message_type = Jenis pesan
+settings.matrix.access_token_helper = Disarankan untuk menyiapkan akun Matrix khusus untuk ini. Token akses dapat diambil dari klien web Element (di tab pribadi/incognito) > Menu pengguna (kiri atas) > Semua pengaturan > Bantuan & Tentang > Lanjutan > Token Akses (tepat di bawah URL Homeserver). Tutup tab pribadi/incognito (keluar akan membatalkan token).
+settings.matrix.room_id_helper = ID Ruangan dapat diambil dari klien web Element > Pengaturan Ruangan > Lanjutan > ID ruangan internal. Contoh: %s.
+settings.archive.button = Arsipkan repositori
+settings.archive.header = Arsipkan repositori ini
+settings.archive.text = Mengarsipkan repositori akan membuatnya sepenuhnya hanya-baca. Repositori akan disembunyikan dari dasbor. Tidak ada seorang pun (bahkan Anda!) yang dapat membuat commit baru, atau membuka issue atau permintaan tarik baru. Mendokumentasikan alasan pengarsipan disarankan untuk memandu pengembang di masa mendatang yang berencana melakukan fork repositori.
+settings.archive.success = Repositori berhasil diarsipkan.
+settings.archive.error = Terjadi kesalahan saat mencoba mengarsipkan repositori. Lihat log untuk detail selengkapnya.
+settings.archive.error_ismirror = Anda tidak dapat mengarsipkan repositori yang dicerminkan.
+settings.archive.branchsettings_unavailable = Pengaturan cabang tidak tersedia di repositori yang diarsipkan.
+settings.archive.tagsettings_unavailable = Pengaturan tag tidak tersedia di repositori yang diarsipkan.
+settings.archive.mirrors_unavailable = Cermin tidak tersedia di repositori yang diarsipkan.
+settings.unarchive.button = Batalkan pengarsipan repositori
+settings.unarchive.header = Batalkan pengarsipan repositori ini
+settings.unarchive.text = Membatalkan pengarsipan repositori akan memulihkan kemampuannya untuk menerima commit dan dorongan, serta issue dan permintaan tarik baru.
+settings.unarchive.success = Repositori berhasil dibatalkan pengarsipannya.
+settings.unarchive.error = Terjadi kesalahan saat mencoba membatalkan pengarsipan repositori. Lihat log untuk detail selengkapnya.
+settings.update_avatar_success = Avatar repositori telah diperbarui.
+settings.lfs = LFS
+settings.lfs_filelist = File LFS yang tersimpan di repositori ini
+settings.lfs_no_lfs_files = Tidak ada file LFS yang tersimpan di repositori ini
+settings.lfs_findcommits = Temukan komit
+settings.lfs_lfs_file_no_commits = Tidak ada commit yang ditemukan untuk file LFS ini
+settings.lfs_noattribute = Jalur ini tidak memiliki atribut lockable di cabang default
+settings.lfs_delete = Hapus file LFS dengan OID %s
+settings.lfs_delete_warning = Menghapus file LFS dapat menyebabkan kesalahan "objek tidak ada" saat checkout. Apakah Anda yakin?
+settings.lfs_findpointerfiles = Temukan file pointer
+settings.lfs_locks = Kunci
+settings.lfs_invalid_locking_path = Jalur tidak valid: %s
+settings.lfs_invalid_lock_directory = Tidak dapat mengunci direktori: %s
+settings.lfs_lock_already_exists = Kunci sudah ada: %s
+settings.lfs_lock = Kunci
+settings.lfs_lock_path = Jalur file untuk dikunci…
+settings.lfs_locks_no_locks = Tidak ada kunci
+settings.lfs_lock_file_no_exist = File yang dikunci tidak ada di cabang default
+settings.lfs_force_unlock = Paksa buka kunci
+settings.lfs_pointers.found = Ditemukan %d pointer blob - %d terkait, %d tidak terkait (%d tidak ada di penyimpanan)
+settings.lfs_pointers.sha = Hash blob
+settings.lfs_pointers.oid = OID
+settings.lfs_pointers.inRepo = Di repositori
+settings.lfs_pointers.exists = Ada di penyimpanan
+settings.lfs_pointers.accessible = Dapat diakses oleh pengguna
+settings.lfs_pointers.associateAccessible = Kaitkan %d OID yang dapat diakses
+settings.rename_branch_failed_protected = Tidak dapat mengubah nama cabang %s karena merupakan cabang yang dilindungi.
+settings.rename_branch_failed_exist = Tidak dapat mengubah nama cabang karena cabang target %s sudah ada.
+settings.rename_branch_failed_not_exist = Tidak dapat mengubah nama cabang %s karena tidak ada.
+settings.rename_branch_success = Cabang %s berhasil diubah namanya menjadi %s.
+settings.rename_branch = Ubah nama cabang
+diff.git-notes = Catatan
+diff.git-notes.add = Tambah catatan
+diff.git-notes.remove-header = Hapus catatan
+diff.git-notes.remove-body = Catatan ini akan dihapus.
+diff.options_button = Opsi diff
+diff.download_patch = Unduh file patch
+diff.download_diff = Unduh file diff
+diff.whitespace_button = Spasi
+diff.whitespace_show_everything = Tampilkan semua perubahan
+diff.whitespace_ignore_all_whitespace = Abaikan spasi saat membandingkan baris
+diff.whitespace_ignore_amount_changes = Abaikan perubahan jumlah spasi
+diff.whitespace_ignore_at_eol = Abaikan perubahan spasi di akhir baris
+diff.stats_desc_file = %d perubahan: %d penambahan dan %d penghapusan
+diff.bin_not_shown = File biner tidak ditampilkan.
+diff.file_before = Sebelum
+diff.file_after = Sesudah
+diff.file_image_width = Lebar
+diff.file_image_height = Tinggi
+diff.file_suppressed_line_too_long = Diff file disembunyikan karena satu atau lebih baris terlalu panjang
+diff.too_many_files = Beberapa file tidak ditampilkan karena terlalu banyak file yang berubah dalam diff ini
+diff.show_more = Tampilkan lebih banyak
+diff.load = Muat diff
+diff.generated = dihasilkan
+diff.vendored = di-vendor
+diff.comment.add_line_comment = Tambah komentar baris
+diff.comment.placeholder = Tinggalkan komentar
+diff.comment.markdown_info = Pemformatan dengan Markdown didukung.
+diff.comment.add_single_comment = Tambah komentar tunggal
+diff.comment.add_review_comment = Tambah komentar
+diff.comment.start_review = Mulai tinjauan
+diff.comment.reply = Balas
+diff.review = Selesaikan tinjauan
+diff.review.header = Kirim tinjauan
+diff.review.placeholder = Komentar tinjauan
+diff.review.comment = Komentar
+diff.review.approve = Setujui
+diff.review.self_reject = Penulis permintaan tarik tidak dapat meminta perubahan pada permintaan tarik mereka sendiri
+diff.review.reject = Minta perubahan
+diff.review.self_approve = Penulis permintaan tarik tidak dapat menyetujui permintaan tarik mereka sendiri
+diff.committed_by = di-commit oleh
+diff.protected = Dilindungi
+diff.image.side_by_side = Berdampingan
+diff.image.swipe = Geser
+diff.image.overlay = Tumpang tindih
+diff.show_file_tree = Tampilkan pohon file
+diff.hide_file_tree = Sembunyikan pohon file
+release.detail = Detail rilis
+release.tags = Tag
+release.compare = Bandingkan
+release.ahead.commits = <strong>%d</strong> komit
+release.ahead.target = ke %s sejak rilis ini
+release.new_subheader = Rilis mengorganisasi versi proyek.
+release.edit_subheader = Rilis mengorganisasi versi proyek.
+release.tag_helper = Pilih tag yang sudah ada atau buat tag baru.
+release.tag_helper_new = Tag baru. Tag ini akan dibuat dari target.
+release.tag_helper_existing = Tag yang sudah ada.
+release.title = Judul rilis
+release.title_empty = Judul tidak boleh kosong.
+release.message = Deskripsikan rilis ini
+release.prerelease_desc = Tandai sebagai pra-rilis
+release.prerelease_helper = Tandai rilis ini tidak cocok untuk penggunaan produksi.
+release.edit_release = Perbarui rilis
+release.delete_release = Hapus rilis
+release.delete_tag = Hapus tag
+release.deletion = Hapus rilis
+release.deletion_desc = Menghapus rilis hanya menghapusnya dari Forgejo. Ini tidak akan memengaruhi tag Git, konten repositori, atau riwayatnya. Lanjutkan?
+release.deletion_tag_desc = Akan menghapus tag ini dari repositori. Konten dan riwayat repositori tidak berubah. Lanjutkan?
+release.deletion_tag_success = Tag telah dihapus.
+release.tag_name_already_exist = Rilis dengan nama tag ini sudah ada.
+release.tag_name_invalid = Nama tag tidak valid.
+release.tag_name_protected = Nama tag dilindungi.
+release.add_tag_msg = Gunakan judul dan konten rilis sebagai pesan tag.
+release.hide_archive_links = Sembunyikan arsip yang dihasilkan secara otomatis
+release.hide_archive_links_helper = Sembunyikan arsip kode sumber yang dihasilkan secara otomatis untuk rilis ini. Misalnya, jika Anda mengunggah sendiri.
+release.add_tag = Buat tag
+release.releases_for = Rilis untuk %s
+release.tags_for = Tag untuk %s
+release.system_generated = Lampiran ini dihasilkan secara otomatis.
+release.type_attachment = Lampiran
+release.type_external_asset = Aset eksternal
+release.asset_name = Nama aset
+release.asset_external_url = URL eksternal
+release.add_external_asset = Tambah aset eksternal
+release.invalid_external_url = URL eksternal tidak valid: "%s"
+release.summary_card_alt = Kartu ringkasan rilis berjudul "%s" di repositori %s
+branch.name = Nama cabang
+branch.already_exists = Cabang bernama "%s" sudah ada.
+branch.delete = Hapus cabang "%s"
+branch.delete_desc = Menghapus cabang bersifat permanen. Meskipun cabang yang dihapus mungkin masih ada untuk sementara waktu sebelum benar-benar dihapus, tindakan ini TIDAK DAPAT dibatalkan dalam sebagian besar kasus. Lanjutkan?
+branch.deletion_success = Cabang "%s" telah dihapus.
+branch.deletion_failed = Gagal menghapus cabang "%s".
+branch.delete_branch_has_new_commits = Cabang "%s" tidak dapat dihapus karena commit baru telah ditambahkan setelah penggabungan.
+branch.create_from = dari "%s"
+branch.create_success = Cabang "%s" telah dibuat.
+branch.branch_already_exists = Cabang "%s" sudah ada di repositori ini.
+branch.branch_name_conflict = Nama cabang "%s" berkonflik dengan cabang yang sudah ada "%s".
+branch.tag_collision = Cabang "%s" tidak dapat dibuat karena tag dengan nama yang sama sudah ada di repositori.
+branch.restore_success = Cabang "%s" telah dipulihkan.
+branch.restore_failed = Gagal memulihkan cabang "%s".
+branch.protected_deletion_failed = Cabang "%s" dilindungi. Tidak dapat dihapus.
+branch.default_deletion_failed = Cabang "%s" adalah cabang default. Tidak dapat dihapus.
+branch.restore = Pulihkan cabang "%s"
+branch.download = Unduh cabang "%s"
+branch.rename = Ubah nama cabang "%s"
+branch.included_desc = Cabang ini adalah bagian dari cabang default
+branch.included = Disertakan
+branch.create_new_branch = Buat cabang dari cabang:
+branch.confirm_create_branch = Buat cabang
+branch.warning_rename_default_branch = Anda sedang mengubah nama cabang default.
+branch.rename_branch_to = Mengubah nama cabang "%s".
+branch.create_branch_operation = Buat cabang
+branch.new_branch = Buat cabang baru
+branch.new_branch_from = Buat cabang baru dari "%s"
+branch.renamed = Cabang %s diubah namanya menjadi %s.
+tag.create_tag = Buat tag %s
+tag.create_tag_operation = Buat tag
+tag.confirm_create_tag = Buat tag
+tag.create_tag_from = Buat tag baru dari "%s"
+tag.create_success = Tag "%s" telah dibuat.
+topic.manage_topics = Kelola topik
+topic.count_prompt = Anda tidak dapat memilih lebih dari 25 topik
+topic.format_prompt = Topik harus diawali dengan huruf atau angka, dapat mengandung tanda hubung ("-") dan titik ("."), panjang maksimal 35 karakter. Huruf harus menggunakan huruf kecil.
+find_file.go_to_file = Temukan file
+find_file.no_matching = Tidak ada file yang cocok ditemukan
+error.csv.too_large = Tidak dapat merender file ini karena terlalu besar.
+error.csv.unexpected = Tidak dapat merender file ini karena mengandung karakter tak terduga di baris %d kolom %d.
+error.csv.invalid_field_count = Tidak dapat merender file ini karena memiliki jumlah kolom yang salah di baris %d.
 
 [graphs]
+component_loading = Memuat %s…
+component_loading_failed = Tidak dapat memuat %s
+component_loading_info = Ini mungkin membutuhkan waktu sebentar…
+component_failed_to_load = Terjadi kesalahan yang tidak terduga.
+code_frequency.what = frekuensi kode
+contributors.what = kontribusi
+recent_commits.what = komit terbaru
 
 [org]
-org_name_holder=Nama Organisasi
-org_full_name_holder=Organisasi Nama Lengkap
-create_org=Buat Organisasi
+org_name_holder=Nama organisasi
+org_full_name_holder=Nama lengkap organisasi
+create_org=Buat organisasi
 repo_updated=Diperbarui %s
 members=Anggota
 teams=Tim
 lower_members=anggota
 lower_repositories=repositori
-create_new_team=Tim Baru
-create_team=Buat Tim Baru
+create_new_team=Tim baru
+create_team=Buat tim
 org_desc=Deskripsi
 team_name=Nama tim
 team_desc=Deskripsi
@@ -1005,17 +2758,17 @@ settings.website=Situs web
 settings.location=Lokasi
 settings.visibility.private_shortname=Pribadi
 
-settings.update_settings=Perbarui Setelan
+settings.update_settings=Perbarui pengaturan
 settings.update_setting_success=Pengaturan organisasi telah diperbarui.
-settings.delete=Menghapus Organisasi
-settings.delete_account=Menghapus Organisasi Ini
-settings.confirm_delete_account=Konfirmasi Penghapusan
-settings.delete_org_title=Menghapus Organisasi
+settings.delete=Hapus organisasi
+settings.delete_account=Hapus organisasi ini
+settings.confirm_delete_account=Konfirmasi penghapusan
+settings.delete_org_title=Hapus organisasi
 settings.hooks_desc=Tambahkan webhooks yang akan dipicu untuk <strong>semua repositori</strong> di bawah organisasi ini.
 
 
 members.membership_visibility=Visibilitas Keanggotaan:
-members.member_role=Peran Anggota:
+members.member_role=Peran anggota:
 members.owner=Pemilik
 members.member=Anggota
 members.remove=Menghapus
@@ -1029,18 +2782,81 @@ teams.read_access=Dibaca
 teams.no_desc=Tim ini tidak memiliki keterangan
 teams.settings=Pengaturan
 teams.members=Anggota tim
-teams.update_settings=Memperbarui pengaturan
-teams.add_team_member=Tambahkan Anggota Tim
+teams.update_settings=Perbarui pengaturan
+teams.add_team_member=Tambah anggota tim
 teams.delete_team_success=Tim sudah di hapus.
 teams.repositories=Tim repositori
 settings.visibility.public = Publik
+org_name_helper = Nama organisasi sebaiknya singkat dan mudah diingat.
+open_dashboard = Buka dasbor
+code = Kode
+team_name_helper = Nama tim sebaiknya singkat dan mudah diingat.
+team_desc_helper = Deskripsikan tujuan atau peran tim.
+team_permission_desc = Izin
+team_unit_desc = Izinkan akses ke bagian repositori
+team_unit_disabled = (Dinonaktifkan)
+follow_blocked_user = Anda tidak dapat mengikuti organisasi ini karena organisasi ini telah memblokir Anda.
+form.name_reserved = Nama organisasi "%s" sudah dipesan.
+form.name_pattern_not_allowed = Pola "%s" tidak diizinkan dalam nama organisasi.
+form.create_org_not_allowed = Anda tidak diizinkan membuat organisasi.
+settings.options = Organisasi
+settings.email = Email kontak
+settings.permission = Izin
+settings.repoadminchangeteam = Admin repositori dapat menambah dan menghapus akses untuk tim
+settings.visibility = Visibilitas
+settings.visibility.limited = Terbatas (hanya terlihat oleh pengguna yang masuk)
+settings.visibility.limited_shortname = Terbatas
+settings.visibility.private = Privat (hanya terlihat oleh anggota organisasi)
+settings.change_orgname_prompt = Catatan: Mengubah nama organisasi juga akan mengubah URL organisasi Anda dan membebaskan nama lama.
+settings.change_orgname_redirect_prompt = Nama lama akan diarahkan ulang sampai diklaim.
+settings.change_orgname_redirect_prompt.with_cooldown.one = Nama organisasi lama akan tersedia untuk semua orang setelah masa tunggu %[1]d hari. Anda masih dapat mengklaim kembali nama lama selama masa tunggu.
+settings.change_orgname_redirect_prompt.with_cooldown.few = Nama organisasi lama akan tersedia untuk semua orang setelah masa tunggu %[1]d hari. Anda masih dapat mengklaim kembali nama lama selama masa tunggu.
+settings.update_avatar_success = Avatar organisasi telah diperbarui.
+settings.delete_prompt = Organisasi akan dihapus secara permanen. Tindakan ini <strong>TIDAK DAPAT</strong> dibatalkan!
+settings.delete_org_desc = Organisasi ini akan dihapus secara permanen. Lanjutkan?
+settings.labels_desc = Tambahkan label yang dapat digunakan pada issue untuk <strong>semua repositori</strong> di bawah organisasi ini.
+members.public_helper = Sembunyikan
+members.private = Tersembunyi
+members.private_helper = Tampilkan
+members.remove.detail = Hapus %[1]s dari %[2]s?
+members.leave.detail = Apakah Anda yakin ingin meninggalkan organisasi "%s"?
+teams.leave.detail = Apakah Anda yakin ingin meninggalkan tim "%s"?
+teams.can_create_org_repo = Buat repositori
+teams.can_create_org_repo_helper = Anggota dapat membuat repositori baru di organisasi. Pembuat akan mendapatkan akses administrator ke repositori baru.
+teams.none_access = Tanpa akses
+teams.none_access_helper = Opsi "tanpa akses" hanya berpengaruh pada repositori privat.
+teams.general_access = Akses khusus
+teams.general_access_helper = Izin anggota akan ditentukan berdasarkan tabel izin di bawah ini.
+teams.write_access = Tulis
+teams.admin_access = Akses administrator
+teams.admin_access_helper = Anggota dapat menarik dan mendorong ke repositori tim serta menambahkan kolaborator ke repositori tersebut.
+teams.owners_permission_desc = Pemilik memiliki akses penuh ke <strong>semua repositori</strong> dan memiliki <strong>akses administrator</strong> ke organisasi.
+teams.delete_team = Hapus tim
+teams.invite_team_member = Undang ke %s
+teams.invite_team_member.list = Undangan yang tertunda
+teams.delete_team_title = Hapus tim
+teams.delete_team_desc = Menghapus tim akan mencabut akses repositori dari anggotanya. Lanjutkan?
+teams.admin_permission_desc = Tim ini memberikan akses <strong>Administrator</strong>: anggota dapat membaca, mendorong, dan menambahkan kolaborator ke repositori tim.
+teams.remove_all_repos_desc = Ini akan menghapus semua repositori dari tim.
+teams.add_all_repos_desc = Ini akan menambahkan semua repositori organisasi ke tim.
+teams.add_nonexistent_repo = Repositori yang ingin Anda tambahkan tidak ada, silakan buat terlebih dahulu.
+teams.add_duplicate_users = Pengguna sudah menjadi anggota tim.
+teams.repos.none = Tidak ada repositori yang dapat diakses oleh tim ini.
+teams.members.none = Tidak ada anggota di tim ini.
+teams.specific_repositories = Repositori tertentu
+teams.specific_repositories_helper = Anggota hanya akan memiliki akses ke repositori yang secara eksplisit ditambahkan ke tim. Memilih ini <strong>tidak akan</strong> secara otomatis menghapus repositori yang sudah ditambahkan dengan <i>Semua repositori</i>.
+teams.all_repositories = Semua repositori
+teams.all_repositories_helper = Tim memiliki akses ke semua repositori. Memilih ini akan <strong>menambahkan semua</strong> repositori yang ada ke tim.
+teams.invite.title = Anda telah diundang untuk bergabung dengan tim <strong>%s</strong> di organisasi <strong>%s</strong>.
+teams.invite.by = Diundang oleh %s
+teams.invite.description = Silakan klik tombol di bawah ini untuk bergabung dengan tim.
 
 [admin]
 dashboard=Dasbor
 organizations=Organisasi
 repositories=Repositori
 config=Konfigurasi
-notices=Pemberitahuan Sistem
+notices=Pemberitahuan sistem
 monitor=Memantau
 first_page=Pertama
 last_page=Terakhir
@@ -1053,51 +2869,51 @@ dashboard.clean_unbind_oauth=Bersihkan koneksi OAuth yang tidak terikat
 dashboard.clean_unbind_oauth_success=Semua koneksi OAuth yang tidak terikat telah dihapus.
 dashboard.reinit_missing_repos=Menginstal kembali semua repositori Git yang hilang dimana ada catatan
 dashboard.sync_external_users=Sinkronkan data pengguna eksternal
-dashboard.server_uptime=Waktu tambahan server
-dashboard.current_goroutine=Goroutin saat ini
+dashboard.server_uptime=Waktu aktif server
+dashboard.current_goroutine=Goroutine saat ini
 dashboard.current_memory_usage=Penggunaan memori saat ini
-dashboard.total_memory_allocated=Total memori dialokasikan
-dashboard.memory_obtained=Memori yang didapat
-dashboard.pointer_lookup_times=Menunjukkan waktu pencarian
-dashboard.current_heap_usage=Penggunaan tumpukan saat ini
-dashboard.heap_memory_obtained=Tumpukan memori yang didapat
-dashboard.heap_memory_idle=Tumpukan memori yang menganggur
-dashboard.heap_memory_in_use=Tumpukan memori yang digunakan
-dashboard.heap_memory_released=Tumpukan memori dirilis
-dashboard.heap_objects=Benda tumpukan
-dashboard.bootstrap_stack_usage=Penggunaan bootstrap Stack
-dashboard.stack_memory_obtained=Memori Stack Didapat
+dashboard.total_memory_allocated=Total memori yang dialokasikan
+dashboard.memory_obtained=Memori yang diperoleh
+dashboard.pointer_lookup_times=Jumlah pencarian pointer
+dashboard.current_heap_usage=Penggunaan heap saat ini
+dashboard.heap_memory_obtained=Memori heap yang diperoleh
+dashboard.heap_memory_idle=Memori heap yang menganggur
+dashboard.heap_memory_in_use=Memori heap yang digunakan
+dashboard.heap_memory_released=Memori heap yang dilepaskan
+dashboard.heap_objects=Objek heap
+dashboard.bootstrap_stack_usage=Penggunaan stack bootstrap
+dashboard.stack_memory_obtained=Memori stack yang diperoleh
 dashboard.mspan_structures_usage=Penggunaan struktur MSpan
-dashboard.mspan_structures_obtained=Struktur MSpan didapatkan
+dashboard.mspan_structures_obtained=Struktur MSpan yang diperoleh
 dashboard.mcache_structures_usage=Penggunaan struktur MCache
-dashboard.mcache_structures_obtained=Struktur MCache didapatkan
-dashboard.profiling_bucket_hash_table_obtained=Profil Meja Bucket Hash Yang Diperoleh
-dashboard.gc_metadata_obtained=Metadata GC didapatkan
-dashboard.other_system_allocation_obtained=Alokasi Sistem Lainnya Yang Diperoleh
-dashboard.next_gc_recycle=Selanjutnya GC Recycle
-dashboard.last_gc_time=Sejak waktu GC terakhir
-dashboard.total_gc_pause=Total GC di jeda
-dashboard.last_gc_pause=GC di jeda terakhir
-dashboard.gc_times=Waktu GC
+dashboard.mcache_structures_obtained=Struktur MCache yang diperoleh
+dashboard.profiling_bucket_hash_table_obtained=Tabel hash bucket pemrofilan yang diperoleh
+dashboard.gc_metadata_obtained=Metadata GC yang diperoleh
+dashboard.other_system_allocation_obtained=Alokasi sistem lainnya yang diperoleh
+dashboard.next_gc_recycle=Daur ulang GC berikutnya
+dashboard.last_gc_time=Waktu sejak GC terakhir
+dashboard.total_gc_pause=Total jeda GC
+dashboard.last_gc_pause=Jeda GC terakhir
+dashboard.gc_times=Jumlah GC
 
-users.full_name=Nama Lengkap
+users.full_name=Nama lengkap
 users.activated=Diaktifkan
 users.admin=Pengelola
 users.repos=Repo
 users.created=Dibuat
 users.edit=Edit
-users.auth_source=Sumber Otentikasi
+users.auth_source=Sumber autentikasi
 users.local=Lokal
 users.list_status_filter.is_admin=Pengelola
 
 emails.activated=Diaktifkan
 
-orgs.org_manage_panel=Manajemen Organisasi
+orgs.org_manage_panel=Kelola organisasi
 orgs.name=Nama
 orgs.teams=Tim
 orgs.members=Anggota
 
-repos.repo_manage_panel=Manajemen Repositori
+repos.repo_manage_panel=Kelola repositori
 repos.owner=Pemilik
 repos.name=Nama
 repos.private=Pribadi
@@ -1116,26 +2932,26 @@ auths.name=Nama
 auths.type=Jenis
 auths.enabled=Aktif
 auths.updated=Diperbarui
-auths.auth_type=Jenis otentikasi
-auths.auth_name=Nama otentikasi
+auths.auth_type=Jenis autentikasi
+auths.auth_name=Nama autentikasi
 auths.security_protocol=Protokol keamanan
 auths.domain=Domain
 auths.host=Host
 auths.port=Port
 auths.bind_dn=Mengikat DN
-auths.bind_password=Mengikat kata sandi
+auths.bind_password=Kata sandi bind
 auths.user_base=Basis pencarian pengguna
 auths.user_dn=Pengguna DN
-auths.filter=Menyaring pengguna
-auths.admin_filter=Menyaring admin
+auths.filter=Filter pengguna
+auths.admin_filter=Filter admin
 auths.ms_ad_sa=Pencarian atribut MS AD
-auths.smtp_auth=Jenis otentikasi SMTP
+auths.smtp_auth=Jenis autentikasi SMTP
 auths.smtphost=Host SMTP
 auths.smtpport=Port SMTP
 auths.allowed_domains=Domain yang diizinkan
 auths.skip_tls_verify=Lewati verifikasi TLS
 auths.pam_service_name=Nama layanan PAM
-auths.oauth2_provider=Penyediaan OAuth2
+auths.oauth2_provider=Penyedia OAuth2
 auths.oauth2_clientID=ID klien (kunci)
 auths.oauth2_clientSecret=Rahasia klien
 auths.openIdConnectAutoDiscoveryURL=Buka ID yang terhubung langsung dengan jelajah otomatis URL
@@ -1144,34 +2960,34 @@ auths.oauth2_authURL=Mengizinkan URL
 auths.oauth2_profileURL=Profil URL
 auths.oauth2_emailURL=Email URL
 auths.tips=Cara
-auths.tips.oauth2.general=Otentikasi OAuth2
-auths.tip.oauth2_provider=Penyediaan OAuth2
+auths.tips.oauth2.general=Autentikasi OAuth2
+auths.tip.oauth2_provider=Penyedia OAuth2
 auths.tip.dropbox=Membuat aplikasi baru di %s
 auths.tip.facebook=`Daftarkan sebuah aplikasi baru di %s dan tambakan produk "Facebook Masuk"`
 auths.tip.github=Mendaftar aplikasi OAuth baru di %s
 auths.tip.openid_connect=Gunakan membuka ID yang terhubung ke jelajah URL (<server>/.well-known/openid-configuration) untuk menentukan titik akhir
-auths.delete=Menghapus Otentikasi Sumber
-auths.delete_auth_title=Menghapus Otentikasi Sumber
+auths.delete=Hapus sumber autentikasi
+auths.delete_auth_title=Hapus sumber autentikasi
 
-config.server_config=Pengaturan Server
+config.server_config=Konfigurasi server
 config.app_ver=Versi Forgejo
 config.custom_conf=Jalur berkas konfigurasi
-config.disable_router_log=Menonaktifkan router log
-config.run_mode=Jalankan mode
+config.disable_router_log=Nonaktifkan log router
+config.run_mode=Mode jalankan
 config.git_version=Versi Git
-config.repo_root_path=Jalur akar repositori
+config.repo_root_path=Jalur root repositori
 config.lfs_root_path=Path Root LFS
 config.script_type=Jenis skrip
-config.reverse_auth_user=Mengembalikan pengguna otentikasi
+config.reverse_auth_user=Pengguna autentikasi proxy terbalik
 
 config.ssh_config=Konfigurasi SSH
 config.ssh_enabled=Aktif
 config.ssh_port=Port
-config.ssh_listen_port=Listen Port
-config.ssh_root_path=Path Induk
-config.ssh_key_test_path=Path Key Test
-config.ssh_keygen_path=Path Keygen ('ssh-keygen')
-config.ssh_minimum_key_size_check=Periksa ukuran kunci minimum
+config.ssh_listen_port=Port dengar
+config.ssh_root_path=Jalur root
+config.ssh_key_test_path=Jalur uji kunci
+config.ssh_keygen_path=Jalur Keygen ("ssh-keygen")
+config.ssh_minimum_key_size_check=Pemeriksaan ukuran kunci minimum
 config.ssh_minimum_key_sizes=Ukuran kunci minimum
 
 config.lfs_config=Konfigurasi LFS
@@ -1187,18 +3003,18 @@ config.db_ssl_mode=SSL
 config.db_path=Jalur
 
 config.service_config=Konfigurasi layanan
-config.register_email_confirm=Perlu Konfirmasi Email Saat Pendaftaran
-config.enable_openid_signin=Aktifkan Login OpenID
-config.show_registration_button=Tampilkan tombol mendaftar
-config.require_sign_in_view=Harus Login Untuk Melihat Halaman
-config.mail_notify=Aktifkan Notifikasi Email
+config.register_email_confirm=Wajibkan konfirmasi email untuk mendaftar
+config.enable_openid_signin=Aktifkan masuk OpenID
+config.show_registration_button=Tampilkan tombol daftar
+config.require_sign_in_view=Wajibkan masuk untuk melihat konten
+config.mail_notify=Aktifkan pemberitahuan email
 config.enable_captcha=Aktifkan CAPTCHA
-config.active_code_lives=Kode aktif hidup
+config.active_code_lives=Waktu kedaluwarsa kode aktivasi
 
-config.webhook_config=Konfigurasi Webhook
+config.webhook_config=Konfigurasi webhook
 config.queue_length=Panjang antrian
-config.deliver_timeout=Berikan waktu habis
-config.skip_tls_verify=Melewatkan verifikasi TLS
+config.deliver_timeout=Batas waktu pengiriman
+config.skip_tls_verify=Lewati verifikasi TLS
 
 config.mailer_enabled=Diaktifkan
 config.mailer_name=Nama
@@ -1207,7 +3023,7 @@ config.mailer_user=Pengguna
 config.mailer_use_sendmail=Menggunakan Sendmail
 config.mailer_sendmail_path=Jalur Sendmail
 config.mailer_sendmail_args=Argumen tambahan untuk Sendmail
-config.send_test_mail=Kirim Email Percobaan
+config.send_test_mail=Kirim email uji
 
 config.oauth_config=Konfigurasi OAuth
 config.oauth_enabled=Diaktifkan
@@ -1217,39 +3033,39 @@ config.cache_adapter=Adaptor cache
 config.cache_interval=Interval cache
 config.cache_conn=Koneksi cache
 
-config.session_config=Sesi konfigurasi
-config.session_provider=Sesi penyedia
+config.session_config=Konfigurasi sesi
+config.session_provider=Penyedia sesi
 config.provider_config=Konfigurasi penyedia
 config.cookie_name=Nama cookie
 config.gc_interval_time=Waktu interval GC
-config.session_life_time=Sesi jangka waktu
+config.session_life_time=Masa berlaku sesi
 config.https_only=Hanya HTTPS
 config.cookie_life_time=Jangka waktu cookie
 
-config.picture_config=Pengaturan Foto dan Avatar
+config.picture_config=Konfigurasi gambar dan avatar
 config.picture_service=Gambar layanan
 config.disable_gravatar=Menonaktifkan Gravatar
-config.enable_federated_avatar=Aktifkan pencarian avatar
+config.enable_federated_avatar=Aktifkan avatar terfederasi
 
 config.git_config=Konfigurasi Git
-config.git_disable_diff_highlight=Menonaktifkan Diff Syntax utama
-config.git_max_diff_lines=Garis Max Diff (untuk berkas tunggal)
-config.git_max_diff_line_characters=Karakter Max Diff (untuk garis tunggal)
-config.git_max_diff_files=Berkas Max Diff (untuk ditampilkan)
+config.git_disable_diff_highlight=Nonaktifkan penyorotan sintaks diff
+config.git_max_diff_lines=Maks baris diff per file
+config.git_max_diff_line_characters=Maks karakter diff per baris
+config.git_max_diff_files=Maks file diff yang ditampilkan
 config.git_gc_args=Argumen GC
-config.git_migrate_timeout=Batas Waktu Migrasi
-config.git_mirror_timeout=Waktu habis untuk memperbarui cermin
-config.git_clone_timeout=Waktu habis operasi klon
-config.git_pull_timeout=Waktu habis tarik operasi
-config.git_gc_timeout=Waktu habis operasi GC
+config.git_migrate_timeout=Batas waktu migrasi
+config.git_mirror_timeout=Batas waktu pembaruan cermin
+config.git_clone_timeout=Batas waktu operasi klon
+config.git_pull_timeout=Batas waktu operasi tarik
+config.git_gc_timeout=Batas waktu operasi GC
 
-config.log_config=Catat konfigurasi
+config.log_config=Konfigurasi log
 config.disabled_logger=Nonaktif
 config.xorm_log_sql=Catatan SQL
 
 
 
-monitor.cron=Tugas Cron
+monitor.cron=Tugas cron
 monitor.name=Nama
 monitor.schedule=Jadwal
 monitor.next=Waktu selanjutnya
@@ -1259,28 +3075,28 @@ monitor.desc=Deskripsi
 monitor.start=Waktu mulai
 monitor.execute_time=Waktu pelaksanaan
 monitor.process.cancel=Batalkan proses
-monitor.process.cancel_desc=Membatalkan sebuah proses bisa mengakibatkan hilangnya data
+monitor.process.cancel_desc=Membatalkan proses dapat menyebabkan kehilangan data
 
 monitor.queues=Antrian
 monitor.queue=Antrian: %s
 monitor.queue.name=Nama
 monitor.queue.type=Tipe
 monitor.queue.exemplar=Contoh Tipe
-monitor.queue.numberworkers=Jumlah Worker
-monitor.queue.maxnumberworkers=Jumlah Maks. Worker
-monitor.queue.settings.title=Pengaturan Kelompok
+monitor.queue.numberworkers=Jumlah pekerja
+monitor.queue.maxnumberworkers=Jumlah maksimum pekerja
+monitor.queue.settings.title=Pengaturan pool
 monitor.queue.settings.maxnumberworkers=Jumlah Maks. Worker
 monitor.queue.settings.maxnumberworkers.error=Jumlah maks. worker haruslah sebuah angka
-monitor.queue.settings.submit=Perbarui Pengaturan
+monitor.queue.settings.submit=Perbarui pengaturan
 monitor.queue.settings.changed=Pengaturan diperbarui
 
 notices.system_notice_list=Pemberitahuan sistem
-notices.view_detail_header=Lihat rincian pemberitahuan
+notices.view_detail_header=Detail pemberitahuan
 notices.select_all=Pilih semua
-notices.deselect_all=Tidak pilih semua
-notices.inverse_selection=Seleksi terbalik
+notices.deselect_all=Batalkan pilihan semua
+notices.inverse_selection=Balik pilihan
 notices.delete_selected=Hapus yang dipilih
-notices.delete_all=Menghapus semua pemberitahuan
+notices.delete_all=Hapus semua pemberitahuan
 notices.type=Jenis
 notices.type_1=Repositori
 notices.desc=Deskripsi
@@ -1290,6 +3106,291 @@ notices.delete_success=Laporan sistem telah dihapus.
 
 config_settings = Pengaturan
 users.list_status_filter.menu_text = Saring
+self_check = Pemeriksaan mandiri
+identity_access = Identitas & akses
+users = Akun pengguna
+assets = Aset kode
+hooks = Webhook
+integrations = Integrasi
+authentication = Sumber autentikasi
+emails = Email pengguna
+config_summary = Ringkasan
+settings = Pengaturan admin
+dashboard.new_version_hint = Forgejo %s kini tersedia, Anda menjalankan %s. Periksa <a target="_blank" rel="noreferrer" href="%s">blog</a> untuk detail selengkapnya.
+dashboard.statistic = Ringkasan
+dashboard.operations = Operasi pemeliharaan
+dashboard.system_status = Status sistem
+dashboard.task.started = Tugas Dimulai: %[1]s
+dashboard.task.process = Tugas: %[1]s
+dashboard.task.cancelled = Tugas: %[1]s dibatalkan: %[3]s
+dashboard.task.error = Kesalahan dalam Tugas: %[1]s: %[3]s
+dashboard.task.finished = Tugas: %[1]s yang dimulai oleh %[2]s telah selesai
+dashboard.task.unknown = Tugas tidak dikenal: %[1]s
+dashboard.cron.started = Cron Dimulai: %[1]s
+dashboard.cron.process = Cron: %[1]s
+dashboard.cron.cancelled = Cron: %[1]s dibatalkan: %[3]s
+dashboard.cron.error = Kesalahan dalam Cron: %s: %[3]s
+dashboard.cron.finished = Cron: %[1]s telah selesai
+dashboard.delete_inactive_accounts = Hapus semua akun yang belum diaktifkan
+dashboard.delete_inactive_accounts.started = Tugas hapus semua akun yang belum diaktifkan dimulai.
+dashboard.delete_repo_archives = Hapus semua arsip repositori (ZIP, TAR.GZ, dll.)
+dashboard.delete_repo_archives.started = Tugas hapus semua arsip repositori dimulai.
+dashboard.delete_missing_repos = Hapus semua repositori yang file Git-nya hilang
+dashboard.delete_missing_repos.started = Tugas hapus semua repositori yang file Git-nya hilang dimulai.
+dashboard.delete_generated_repository_avatars = Hapus avatar repositori yang dihasilkan secara otomatis
+dashboard.sync_repo_branches = Sinkronkan cabang yang terlewat dari data Git ke basis data
+dashboard.sync_repo_tags = Sinkronkan tag dari data Git ke basis data
+dashboard.update_mirrors = Perbarui cermin
+dashboard.repo_health_check = Periksa kesehatan semua repositori
+dashboard.check_repo_stats = Periksa semua statistik repositori
+dashboard.archive_cleanup = Hapus arsip repositori lama
+dashboard.deleted_branches_cleanup = Bersihkan cabang yang dihapus
+dashboard.update_migration_poster_id = Perbarui ID pembuat migrasi
+dashboard.git_gc_repos = Lakukan pengumpulan sampah pada semua repositori
+dashboard.resync_all_sshkeys = Perbarui file ".ssh/authorized_keys" dengan kunci SSH Forgejo.
+dashboard.resync_all_sshprincipals = Perbarui file ".ssh/authorized_principals" dengan prinsipal SSH Forgejo.
+dashboard.resync_all_hooks = Sinkronkan ulang hook Git dari semua repositori (pre-receive, update, post-receive, proc-receive, …)
+dashboard.cleanup_hook_task_table = Bersihkan tabel hook_task
+dashboard.cleanup_packages = Bersihkan paket yang kedaluwarsa
+dashboard.cleanup_actions = Bersihkan log dan artefak yang kedaluwarsa dari aksi
+dashboard.memory_allocate_times = Alokasi memori
+dashboard.memory_free_times = Pembebasan memori
+dashboard.delete_old_actions = Hapus semua aktivitas lama dari basis data
+dashboard.delete_old_actions.started = Hapus semua aktivitas lama dari basis data dimulai.
+dashboard.update_checker = Pemeriksa pembaruan
+dashboard.delete_old_system_notices = Hapus semua pemberitahuan sistem lama dari basis data
+dashboard.gc_lfs = Lakukan pengumpulan sampah pada objek meta LFS
+dashboard.stop_zombie_tasks = Hentikan tugas aksi yang terhenti
+dashboard.stop_endless_tasks = Hentikan tugas aksi yang tidak berakhir
+dashboard.cancel_abandoned_jobs = Batalkan pekerjaan aksi yang terbengkalai
+dashboard.start_schedule_tasks = Mulai tugas aksi terjadwal
+dashboard.sync_branch.started = Sinkronisasi cabang dimulai
+dashboard.sync_tag.started = Sinkronisasi tag dimulai
+dashboard.rebuild_issue_indexer = Bangun ulang pengindeks isu
+users.user_manage_panel = Kelola akun pengguna
+users.new_account = Buat akun pengguna
+users.name = Nama pengguna
+users.restricted = Dibatasi
+users.reserved = Dicadangkan
+users.bot = Bot
+users.remote = Jarak jauh
+users.2fa = 2FA
+users.last_login = Masuk terakhir
+users.never_login = Belum pernah masuk
+users.send_register_notify = Beri tahu tentang pendaftaran melalui email
+users.new_success = Akun pengguna "%s" telah dibuat.
+users.auth_login_name = Nama masuk autentikasi
+users.password_helper = Biarkan kata sandi kosong untuk mempertahankannya.
+users.update_profile_success = Akun pengguna telah diperbarui.
+users.edit_account = Edit akun pengguna
+users.max_repo_creation = Jumlah maksimum repositori
+users.max_repo_creation_desc = (Masukkan -1 untuk menggunakan batas default global.)
+users.is_activated = Akun diaktifkan
+users.activated.description = Penyelesaian verifikasi email. Pemilik akun yang belum diaktifkan tidak akan dapat masuk hingga verifikasi email selesai.
+users.prohibit_login = Akun ditangguhkan
+users.block.description = Blokir pengguna ini agar tidak dapat berinteraksi dengan layanan ini melalui akunnya dan larang masuk.
+users.is_admin = Akun administrator
+users.admin.description = Berikan pengguna ini akses penuh ke semua fitur administratif yang tersedia melalui antarmuka web dan API.
+users.is_restricted = Akun dibatasi
+users.restricted.description = Hanya izinkan interaksi dengan repositori dan organisasi tempat pengguna ini ditambahkan sebagai kolaborator. Ini mencegah akses ke repositori publik di instans ini.
+users.allow_git_hook = Dapat membuat hook Git
+users.allow_git_hook_tooltip = Hook Git dijalankan sebagai pengguna OS yang menjalankan Forgejo dan akan memiliki tingkat akses host yang sama. Akibatnya, pengguna dengan hak istimewa hook Git khusus ini dapat mengakses dan memodifikasi semua repositori Forgejo serta basis data yang digunakan oleh Forgejo. Dengan demikian, mereka juga dapat memperoleh hak istimewa administrator Forgejo.
+users.allow_import_local = Dapat mengimpor repositori lokal
+users.local_import.description = Izinkan mengimpor repositori dari sistem file lokal server. Ini dapat menjadi masalah keamanan.
+users.allow_create_organization = Dapat membuat organisasi
+users.organization_creation.description = Izinkan pembuatan organisasi baru.
+users.update_profile = Perbarui akun pengguna
+users.delete_account = Hapus akun pengguna
+users.cannot_delete_self = Anda tidak dapat menghapus diri sendiri
+users.still_own_repo = Pengguna ini masih memiliki satu atau lebih repositori. Hapus atau alihkan repositori tersebut terlebih dahulu.
+users.still_has_org = Pengguna ini adalah anggota organisasi. Hapus pengguna dari semua organisasi terlebih dahulu.
+users.purge = Hapus paksa pengguna
+users.purge_help = Hapus paksa pengguna beserta semua repositori, organisasi, dan paket yang dimilikinya. Semua komentar dan issue yang diposting oleh pengguna ini juga akan dihapus.
+users.still_own_packages = Pengguna ini masih memiliki satu atau lebih paket, hapus paket tersebut terlebih dahulu.
+users.deletion_success = Akun pengguna telah dihapus.
+users.reset_2fa = Atur ulang 2FA
+users.list_status_filter.reset = Atur ulang
+users.list_status_filter.is_active = Aktif
+users.list_status_filter.not_active = Tidak aktif
+users.list_status_filter.not_admin = Bukan admin
+users.list_status_filter.is_restricted = Dibatasi
+users.list_status_filter.not_restricted = Tidak dibatasi
+users.list_status_filter.is_prohibit_login = Larang masuk
+users.list_status_filter.not_prohibit_login = Izinkan masuk
+users.list_status_filter.is_2fa_enabled = 2FA diaktifkan
+users.list_status_filter.not_2fa_enabled = 2FA dinonaktifkan
+users.details = Detail pengguna
+emails.email_manage_panel = Kelola email pengguna
+emails.primary = Utama
+emails.filter_sort.email = Email
+emails.filter_sort.email_reverse = Email (terbalik)
+emails.filter_sort.name = Nama pengguna
+emails.filter_sort.name_reverse = Nama pengguna (terbalik)
+emails.updated = Email diperbarui
+emails.not_updated = Gagal memperbarui alamat email yang diminta: %v
+emails.duplicate_active = Alamat email ini sudah aktif untuk pengguna lain.
+emails.change_email_header = Perbarui properti email
+emails.change_email_text = Apakah Anda yakin ingin memperbarui alamat email ini?
+emails.delete = Hapus alamat email
+emails.delete_desc = Apakah Anda yakin ingin menghapus alamat email ini?
+emails.deletion_success = Alamat email telah dihapus.
+emails.delete_primary_email_error = Anda tidak dapat menghapus email utama.
+orgs.new_orga = Organisasi baru
+repos.unadopted = Repositori yang tidak diadopsi
+repos.unadopted.no_more = Tidak ada repositori yang tidak diadopsi.
+repos.lfs_size = Ukuran LFS
+packages.package_manage_panel = Kelola paket
+packages.total_size = Total ukuran: %s
+packages.unreferenced_size = Ukuran yang tidak direferensikan: %s
+packages.cleanup = Bersihkan data yang kedaluwarsa
+packages.cleanup.success = Data yang kedaluwarsa berhasil dibersihkan
+packages.creator = Pembuat
+packages.version = Versi
+packages.published = Diterbitkan
+defaulthooks = Webhook default
+defaulthooks.desc = Webhook secara otomatis membuat permintaan HTTP POST ke server saat peristiwa Forgejo tertentu terpicu. Webhook yang didefinisikan di sini adalah default dan akan disalin ke semua repositori baru. Baca selengkapnya di <a target="_blank" rel="noopener" href="%s">panduan webhook</a>.
+defaulthooks.add_webhook = Tambah Webhook Default
+defaulthooks.update_webhook = Perbarui Webhook Default
+systemhooks = Webhook sistem
+systemhooks.desc = Webhook secara otomatis membuat permintaan HTTP POST ke server saat peristiwa Forgejo tertentu terpicu. Webhook yang didefinisikan di sini akan berlaku pada semua repositori di sistem, jadi harap pertimbangkan dampak kinerja yang mungkin terjadi. Baca selengkapnya di <a target="_blank" rel="noopener" href="%s">panduan webhook</a>.
+systemhooks.add_webhook = Tambah Webhook Sistem
+systemhooks.update_webhook = Perbarui Webhook Sistem
+auths.auth_manage_panel = Kelola sumber autentikasi
+auths.new = Tambah sumber autentikasi
+auths.syncenabled = Aktifkan sinkronisasi pengguna
+auths.attribute_username = Atribut nama pengguna
+auths.attribute_username_placeholder = Biarkan kosong untuk menggunakan nama pengguna yang dimasukkan di Forgejo.
+auths.attribute_name = Atribut nama depan
+auths.attribute_surname = Atribut nama belakang
+auths.attribute_mail = Atribut email
+auths.attribute_ssh_public_key = Atribut kunci SSH publik
+auths.attribute_avatar = Atribut avatar
+auths.attributes_in_bind = Ambil atribut dalam konteks bind DN
+auths.default_domain_name = Nama domain default yang digunakan untuk alamat email
+auths.allow_deactivate_all = Izinkan hasil pencarian kosong untuk menonaktifkan semua pengguna
+auths.use_paged_search = Gunakan pencarian terpaginasi
+auths.search_page_size = Ukuran halaman
+auths.restricted_filter = Filter terbatas
+auths.restricted_filter_helper = Biarkan kosong agar tidak menetapkan pengguna mana pun sebagai terbatas. Gunakan tanda bintang ("*") untuk menetapkan semua pengguna yang tidak cocok dengan filter Admin sebagai terbatas.
+auths.verify_group_membership = Verifikasi keanggotaan grup di LDAP (biarkan filter kosong untuk dilewati)
+auths.group_search_base = DN basis pencarian grup
+auths.group_attribute_list_users = Atribut grup yang berisi daftar pengguna
+auths.user_attribute_in_group = Atribut pengguna yang terdaftar dalam grup
+auths.map_group_to_team = Petakan grup LDAP ke tim Organisasi (biarkan kolom kosong untuk dilewati)
+auths.map_group_to_team_removal = Hapus pengguna dari tim yang disinkronkan jika pengguna tidak termasuk dalam grup LDAP yang sesuai
+auths.enable_ldap_groups = Aktifkan grup LDAP
+auths.allowed_domains_helper = Biarkan kosong untuk mengizinkan semua domain. Pisahkan beberapa domain dengan koma (",").
+auths.force_smtps = Paksa SMTPS
+auths.force_smtps_helper = SMTPS selalu digunakan pada port 465. Atur ini untuk memaksa SMTPS pada port lain. (Jika tidak, STARTTLS akan digunakan pada port lain jika didukung oleh host.)
+auths.helo_hostname = Nama host HELO
+auths.helo_hostname_helper = Nama host yang dikirimkan dengan HELO. Biarkan kosong untuk mengirimkan nama host saat ini.
+auths.disable_helo = Nonaktifkan HELO
+auths.pam_email_domain = Domain email PAM (opsional)
+auths.oauth2_icon_url = URL ikon
+auths.oauth2_use_custom_url = Gunakan URL Kustom Sebagai Pengganti URL Default
+auths.skip_local_two_fa = Lewati 2FA lokal
+auths.skip_local_two_fa_helper = Membiarkan tidak diatur berarti pengguna lokal yang telah mengaktifkan 2FA tetap harus melewati 2FA untuk masuk
+auths.oauth2_tenant = Tenant
+auths.oauth2_scopes = Cakupan tambahan
+auths.oauth2_required_claim_name = Nama klaim yang diperlukan
+auths.oauth2_required_claim_name_helper = Tetapkan nama ini untuk membatasi login dari sumber ini hanya untuk pengguna yang memiliki klaim dengan nama ini
+auths.oauth2_required_claim_value = Nilai klaim yang diperlukan
+auths.oauth2_required_claim_value_helper = Tetapkan nilai ini untuk membatasi login dari sumber ini hanya untuk pengguna yang memiliki klaim dengan nama dan nilai ini
+auths.oauth2_group_claim_name = Nama klaim yang menyediakan nama grup untuk sumber ini. (Opsional)
+auths.oauth2_admin_group = Nilai klaim grup untuk pengguna administrator. (Opsional - memerlukan nama klaim di atas)
+auths.oauth2_restricted_group = Nilai klaim grup untuk pengguna terbatas. (Opsional - memerlukan nama klaim di atas)
+auths.oauth2_map_group_to_team = Petakan grup yang diklaim ke tim organisasi. (Opsional - memerlukan nama klaim di atas)
+auths.oauth2_map_group_to_team_removal = Hapus pengguna dari tim yang disinkronkan jika pengguna tidak termasuk dalam grup yang sesuai.
+auths.tips.gmail_settings = Pengaturan Gmail:
+auths.tips.oauth2.general.tip = Saat mendaftarkan autentikasi OAuth2 baru, URL callback/pengalihan harus berupa:
+auths.tip.bitbucket = Daftarkan konsumen OAuth baru di %s dan tambahkan izin "Akun" - "Baca"
+auths.tip.nextcloud = Daftarkan konsumen OAuth baru di instans Anda menggunakan menu berikut "Pengaturan -> Keamanan -> Klien OAuth 2.0"
+auths.tip.gitlab_new = Daftarkan aplikasi baru di %s
+auths.tip.google_plus = Dapatkan kredensial klien OAuth2 dari konsol Google API di %s
+auths.tip.twitter = Buka %s, buat aplikasi, dan pastikan opsi "Izinkan aplikasi ini digunakan untuk Masuk dengan Twitter" diaktifkan
+auths.tip.discord = Daftarkan aplikasi baru di %s
+auths.tip.gitea = Daftarkan aplikasi OAuth2 baru. Panduan dapat ditemukan di %s
+auths.tip.yandex = Buat aplikasi baru di %s. Pilih izin berikut dari bagian "Yandex.Passport API": "Akses ke alamat email", "Akses ke avatar pengguna", dan "Akses ke nama pengguna, nama depan dan belakang, jenis kelamin"
+auths.tip.mastodon = Masukkan URL instans kustom untuk instans mastodon yang ingin Anda autentikasi (atau gunakan yang default)
+auths.edit = Edit sumber autentikasi
+auths.activated = Sumber autentikasi ini diaktifkan
+auths.new_success = Autentikasi "%s" telah ditambahkan.
+auths.update_success = Sumber autentikasi telah diperbarui.
+auths.update = Perbarui sumber autentikasi
+auths.delete_auth_desc = Menghapus sumber autentikasi mencegah pengguna menggunakannya untuk masuk. Lanjutkan?
+auths.still_in_used = Sumber autentikasi masih digunakan. Konversi atau hapus pengguna yang menggunakan sumber autentikasi ini terlebih dahulu.
+auths.deletion_success = Sumber autentikasi telah dihapus.
+auths.login_source_exist = Sumber autentikasi "%s" sudah ada.
+auths.unable_to_initialize_openid = Tidak dapat menginisialisasi Penyedia OpenID Connect: %s
+auths.invalid_openIdConnectAutoDiscoveryURL = URL Penemuan Otomatis tidak valid (ini harus berupa URL valid yang dimulai dengan http:// atau https://)
+config.app_name = Judul instans
+config.app_slogan = Slogan instans
+config.app_url = URL dasar
+config.custom_file_root_path = Jalur root berkas kustom
+config.domain = Domain server
+config.offline_mode = Mode lokal
+config.run_user = Pengguna untuk dijalankan sebagai
+config.app_data_path = Jalur data aplikasi
+config.log_file_root_path = Jalur log
+config.ssh_start_builtin_server = Gunakan server bawaan
+config.ssh_domain = Domain server SSH
+config.lfs_content_path = Jalur konten LFS
+config.lfs_http_auth_expiry = Waktu kedaluwarsa autentikasi HTTP LFS
+config.disable_register = Nonaktifkan pendaftaran mandiri
+config.allow_only_internal_registration = Izinkan pendaftaran hanya melalui Forgejo sendiri
+config.allow_only_external_registration = Izinkan pendaftaran hanya melalui layanan eksternal
+config.enable_openid_signup = Aktifkan pendaftaran mandiri OpenID
+config.reset_password_code_lives = Waktu kedaluwarsa kode pemulihan
+config.default_keep_email_private = Sembunyikan alamat email secara default
+config.default_allow_create_organization = Izinkan pembuatan organisasi secara default
+config.enable_timetracking = Aktifkan pelacakan waktu
+config.default_enable_timetracking = Aktifkan pelacakan waktu secara default
+config.allow_dots_in_usernames = Izinkan pengguna menggunakan titik dalam nama pengguna mereka. Tidak memengaruhi akun yang sudah ada.
+config.default_allow_only_contributors_to_track_time = Biarkan hanya kontributor yang melacak waktu
+config.no_reply_address = Domain email tersembunyi
+config.default_visibility_organization = Visibilitas default organisasi baru
+config.default_enable_dependencies = Aktifkan ketergantungan issue secara default
+config.mailer_config = Konfigurasi mailer
+config.mailer_enable_helo = Aktifkan HELO
+config.mailer_protocol = Protokol
+config.mailer_smtp_addr = Host SMTP
+config.mailer_sendmail_timeout = Batas waktu Sendmail
+config.mailer_use_dummy = Dummy
+config.test_email_placeholder = Email (mis. test@example.com)
+config.send_test_mail_submit = Kirim
+config.test_mail_failed = Gagal mengirim email uji ke "%s": %v
+config.test_mail_sent = Email uji telah dikirim ke "%s".
+config.cache_item_ttl = TTL item cache
+config.cache_test = Uji Cache
+config.cache_test_failed = Gagal memeriksa cache: %v.
+config.cache_test_slow = Uji cache berhasil, tetapi respons lambat: %s.
+config.cache_test_succeeded = Uji cache berhasil, mendapat respons dalam %s.
+config.open_with_editor_app_help = Editor "Buka dengan" untuk menu klon. Jika dibiarkan kosong, default akan digunakan. Perluas untuk melihat default.
+config.logger_name_fmt = Logger: %s
+config.access_log_template = Templat log akses
+config.set_setting_failed = Pengaturan %s gagal diatur
+monitor.stats = Statistik
+monitor.execute_times = Eksekusi
+monitor.stacktrace = Jejak tumpukan
+monitor.processes_count = %d Proses
+monitor.download_diagnosis_report = Unduh laporan diagnosis
+monitor.duration = Durasi (dtk)
+monitor.last_execution_result = Hasil
+monitor.process.cancel_notices = Batalkan: <strong>%s</strong>?
+monitor.queue.activeworkers = Pekerja aktif
+monitor.queue.numberinqueue = Jumlah dalam antrian
+monitor.queue.review_add = Tinjau / tambah pekerja
+monitor.queue.settings.desc = Pool berkembang secara dinamis sebagai respons terhadap pemblokiran antrian pekerja mereka.
+monitor.queue.settings.maxnumberworkers.placeholder = Saat ini %[1]d
+monitor.queue.settings.remove_all_items = Hapus semua
+monitor.queue.settings.remove_all_items_done = Semua item dalam antrian telah dihapus.
+notices.operations = Operasi
+notices.type_2 = Tugas
+self_check.no_problem_found = Belum ditemukan masalah.
+self_check.database_collation_mismatch = Basis data diharapkan menggunakan kolasi: %s
+self_check.database_collation_case_insensitive = Basis data menggunakan kolasi %s, yang merupakan kolasi tidak sensitif. Meskipun Forgejo dapat berfungsi dengannya, mungkin ada beberapa kasus langka yang tidak berjalan sesuai harapan.
+self_check.database_inconsistent_collation_columns = Basis data menggunakan kolasi %s, tetapi kolom-kolom ini menggunakan kolasi yang tidak cocok. Hal ini mungkin menyebabkan beberapa masalah yang tidak terduga.
+self_check.database_fix_mysql = Untuk pengguna MySQL/MariaDB, Anda dapat menggunakan perintah "forgejo doctor convert" untuk memperbaiki masalah kolasi, atau Anda juga dapat memperbaiki masalah tersebut secara manual dengan SQL "ALTER ... COLLATE ...".
 
 [action]
 create_repo=repositori dibuat <a href="%s">%s</a>
@@ -1298,6 +3399,31 @@ transfer_repo=ditransfer repositori <code>%s</code> ke <a href="%s">%s</a>
 delete_tag=tag dihapus %[2]s dari <a href="%[1]s">%[3]s</a>
 delete_branch=cabang dihapus <code>%[2]s</code> dari <a href="%[1]s">%[3]s</a>
 compare_commits=Bandingkan %d melakukan
+commit_repo = mendorong ke <a href="%s">%s</a> di <a href="%s">%s</a>
+create_issue = `membuka issue <a href="%[1]s">%[3]s#%[2]s</a>`
+close_issue = `menutup issue <a href="%[1]s">%[3]s#%[2]s</a>`
+reopen_issue = `membuka kembali issue <a href="%[1]s">%[3]s#%[2]s</a>`
+create_pull_request = `membuat permintaan tarik <a href="%[1]s">%[3]s#%[2]s</a>`
+close_pull_request = `menutup permintaan tarik <a href="%[1]s">%[3]s#%[2]s</a>`
+reopen_pull_request = `membuka kembali permintaan tarik <a href="%[1]s">%[3]s#%[2]s</a>`
+comment_issue = `berkomentar pada issue <a href="%[1]s">%[3]s#%[2]s</a>`
+comment_pull = `berkomentar pada permintaan tarik <a href="%[1]s">%[3]s#%[2]s</a>`
+merge_pull_request = `menggabungkan permintaan tarik <a href="%[1]s">%[3]s#%[2]s</a>`
+auto_merge_pull_request = `menggabungkan secara otomatis permintaan tarik <a href="%[1]s">%[3]s#%[2]s</a>`
+push_tag = mendorong tag <a href="%s">%s</a> ke <a href="%s">%s</a>
+compare_branch = Bandingkan
+compare_commits_general = Bandingkan komit
+mirror_sync_push = menyinkronkan commit ke <a href="%s">%s</a> di <a href="%s">%s</a> dari cermin
+mirror_sync_create = menyinkronkan referensi baru <a href="%s">%s</a> ke <a href="%s">%s</a> dari cermin
+mirror_sync_delete = menyinkronkan dan menghapus referensi <code>%s</code> di <a href="%s">%s</a> dari cermin
+approve_pull_request = `menyetujui <a href="%[1]s">%[3]s#%[2]s</a>`
+reject_pull_request = `menyarankan perubahan untuk <a href="%[1]s">%[3]s#%[2]s</a>`
+publish_release = `merilis <a href="%[2]s">%[4]s</a> di <a href="%[1]s">%[3]s</a>`
+review_dismissed = `mengabaikan tinjauan dari <b>%[4]s</b> untuk <a href="%[1]s">%[3]s#%[2]s</a>`
+review_dismissed_reason = Alasan:
+create_branch = membuat cabang <a href="%[2]s">%[3]s</a> di <a href="%[1]s">%[4]s</a>
+starred_repo = memberi bintang pada <a href="%[1]s">%[2]s</a>
+watched_repo = mulai memantau <a href="%[1]s">%[2]s</a>
 
 [tool]
 now=sekarang
@@ -1328,12 +3454,26 @@ raw_minutes=menit
 [units]
 error.no_unit_allowed_repo=Anda tidak diijinkan untuk melihat semua unit dari repositori ini.
 error.unit_not_allowed=Anda tidak diizinkan untuk mengunjungi unit repositori ini.
+unit = Unit
 
 [packages]
 conan.details.repository=Repositori
 owner.settings.cleanuprules.enabled=Aktif
+owner.settings.cleanuprules.keep.count.1 = 1 versi per paket
+owner.settings.cleanuprules.keep.count.n = %d versi per paket
 
 [secrets]
+secrets = Rahasia
+description = Rahasia akan diteruskan ke aksi tertentu dan tidak dapat dibaca selain itu.
+none = Belum ada rahasia.
+creation = Tambah rahasia
+creation.success = Rahasia "%s" telah ditambahkan.
+creation.failed = Gagal menambahkan rahasia.
+deletion = Hapus rahasia
+deletion.description = Menghapus rahasia bersifat permanen dan tidak dapat dibatalkan. Lanjutkan?
+deletion.success = Rahasia telah dihapus.
+deletion.failed = Gagal menghapus rahasia.
+management = Kelola rahasia
 
 [actions]
 runs.no_runs = Alur kerja belum berjalan.
@@ -1356,11 +3496,26 @@ variables.creation.failed = Gagal menambahkan variabel.
 variables.creation.success = Variabel "%s" telah ditambahkan.
 variables.update.failed = Gagal mengedit variabel.
 variables.update.success = Variabel telah diedit.
+runs.no_workflows.help_write_access = Tidak tahu cara memulai dengan Forgejo Actions? Lihat <a target="_blank" rel="noopener noreferrer" href="%s">panduan memulai cepat di dokumentasi pengguna</a> untuk menulis alur kerja pertama Anda, lalu <a target="_blank" rel="noopener noreferrer" href="%s">siapkan runner Forgejo</a> untuk menjalankan pekerjaan Anda.
+runs.no_workflows.help_no_write_access = Untuk mempelajari Forgejo Actions, lihat <a target="_blank" rel="noopener noreferrer" href="%s">dokumentasi</a>.
+runs.expire_log_message = Log telah dihapus karena sudah terlalu lama.
+workflow.disable_success = Alur kerja "%s" berhasil dinonaktifkan.
+workflow.enable_success = Alur kerja "%s" berhasil diaktifkan.
+workflow.dispatch.trigger_found = Alur kerja ini memiliki pemicu peristiwa <c>workflow_dispatch</c>.
+workflow.dispatch.use_from = Gunakan alur kerja dari
+workflow.dispatch.run = Jalankan alur kerja
+workflow.dispatch.success = Permintaan jalankan alur kerja berhasil dikirim.
+workflow.dispatch.input_required = Wajib mengisi nilai untuk input "%s".
+workflow.dispatch.invalid_input_type = Jenis input tidak valid "%s".
+workflow.dispatch.warn_input_limit = Hanya menampilkan %d input pertama.
+variables.management = Kelola variabel
+variables.not_found = Gagal menemukan variabel.
 
 [projects]
 type-1.display_name = Proyek Individu
 type-2.display_name = Proyek Repositori
 type-3.display_name = Proyek Organisasi
+deleted.display_name = Proyek yang dihapus
 
 [git.filemode]
 changed_filemode = %[1]s → %[2]s
@@ -1371,7 +3526,7 @@ symbolic_link = Symbolic link
 submodule = Submodule
 
 [search]
-search = Cari...
+search = Cari…
 type_tooltip = Tipe pencarian
 fuzzy_tooltip = Termasuk juga hasil yang mendekati kata pencarian
 exact_tooltip = Hanya menampilkan hasil yang cocok dengan istilah pencarian
@@ -1382,3 +3537,45 @@ team_kind = Cari tim…
 code_kind = Cari kode…
 code_search_unavailable = Pencarian kode saat ini tidak tersedia. Silahkan hubungi administrator.
 branch_kind = Cari cabang…
+union = Gabungan
+union_tooltip = Sertakan hasil yang cocok dengan kata kunci apa pun yang dipisahkan oleh spasi
+exact = Tepat
+regexp = RegExp
+regexp_tooltip = Interpretasikan istilah pencarian sebagai ekspresi reguler
+package_kind = Cari paket…
+project_kind = Cari proyek…
+commit_kind = Cari komit…
+runner_kind = Cari runner…
+no_results = Tidak ditemukan hasil yang cocok.
+issue_kind = Cari isu…
+pull_kind = Cari permintaan tarik…
+keyword_search_unavailable = Pencarian berdasarkan kata kunci saat ini tidak tersedia. Silakan hubungi administrator situs.
+
+
+[repo.permissions]
+code.read = <b>Baca:</b> Akses dan klon kode repositori.
+code.write = <b>Tulis:</b> Dorong ke repositori, buat cabang dan tag.
+issues.read = <b>Baca:</b> Baca dan buat issue serta komentar.
+issues.write = <b>Tulis:</b> Tutup issue dan kelola metadata seperti label, tonggak pencapaian, penugasan, tenggat waktu, dan ketergantungan.
+pulls.read = <b>Baca:</b> Baca dan buat permintaan tarik.
+pulls.write = <b>Tulis:</b> Tutup permintaan tarik dan kelola metadata seperti label, tonggak pencapaian, penugasan, tenggat waktu, dan ketergantungan.
+releases.read = <b>Baca:</b> Lihat dan unduh rilis.
+releases.write = <b>Tulis:</b> Terbitkan, edit, dan hapus rilis beserta asetnya.
+wiki.read = <b>Baca:</b> Baca wiki terintegrasi beserta riwayatnya.
+wiki.write = <b>Tulis:</b> Buat, perbarui, dan hapus halaman di wiki terintegrasi.
+projects.read = <b>Baca:</b> Akses papan proyek repositori.
+projects.write = <b>Tulis:</b> Buat proyek dan kolom serta edit proyek dan kolom tersebut.
+packages.read = <b>Baca:</b> Lihat dan unduh paket yang ditetapkan ke repositori.
+packages.write = <b>Tulis:</b> Terbitkan dan hapus paket yang ditetapkan ke repositori.
+actions.read = <b>Baca:</b> Lihat jalankan alur kerja beserta lognya.
+actions.write = <b>Tulis:</b> Picu, mulai ulang, dan batalkan alur kerja. Kelola delegasi kepercayaan ke pembuat permintaan tarik.
+ext_issues = Akses tautan ke pelacak issue eksternal. Izin dikelola secara eksternal.
+ext_wiki = Akses tautan ke wiki eksternal. Izin dikelola secara eksternal.
+
+[markup]
+filepreview.line = Baris %[1]d di %[2]s
+filepreview.lines = Baris %[1]d hingga %[2]d di %[3]s
+filepreview.truncated = Pratinjau telah dipotong
+
+[translation_meta]
+test = Ini adalah string uji. Tidak ditampilkan di antarmuka Forgejo tetapi digunakan untuk keperluan pengujian. Silakan masukkan "ok" untuk menghemat waktu (atau fakta menarik pilihan Anda) demi mencapai angka penyelesaian 100% yang memuaskan :)
\ No newline at end of file
diff --git a/options/locale/locale_mk.ini b/options/locale/locale_mk.ini
index b776d0b80b..499739ab1f 100644
--- a/options/locale/locale_mk.ini
+++ b/options/locale/locale_mk.ini
@@ -96,4 +96,12 @@ copy = Копирање
 copy_url = Копирајте УРЛ
 copy_hash = Копирајте Хеш
 copy_path = Копирајте патека
-copy_content = Копирајте содржина
\ No newline at end of file
+copy_content = Копирајте содржина
+go_back = Иди назад
+pin = Пин
+archived = Архивирано
+concept_system_global = Глобално
+concept_user_individual = Индивидуално
+concept_code_repository = репозиториум
+concept_user_organization = организација
+copy_success = Копирано!
\ No newline at end of file
diff --git a/options/locale/locale_nl-NL.ini b/options/locale/locale_nl-NL.ini
index c8e8428628..aab4dbd684 100644
--- a/options/locale/locale_nl-NL.ini
+++ b/options/locale/locale_nl-NL.ini
@@ -953,7 +953,7 @@ valid_until_date = Geldig tot %s
 ssh_signonly = SSH is momenteel gedeactiveerd waardoor deze sleutels alleen gebruikt kunnen worden voor commit handtekening verificatie.
 added_on = Toegevoegd op %s
 permissions_public_only = Alleen publiek
-repo_and_org_access = Repository en Organisatie Toegang
+repo_and_org_access = Repository- en organisatietoegang
 at_least_one_permission = Je moet minstens één machtiging kiezen om een token te kunnen creëren
 permission_write = Lees en schrijf
 oauth2_client_secret_hint = Dit geheim zal niet meer worden getoond nadat u deze pagina heeft verlaten of vernieuwd. Zorg ervoor dat u het heeft opgeslagen.
diff --git a/options/locale/locale_pt-BR.ini b/options/locale/locale_pt-BR.ini
index 273c68fd8f..779b328087 100644
--- a/options/locale/locale_pt-BR.ini
+++ b/options/locale/locale_pt-BR.ini
@@ -1934,8 +1934,8 @@ activity.merged_prs_label=Merge aplicado
 activity.opened_prs_label=Proposto
 activity.closed_issues_count_1=Issue fechada
 activity.closed_issues_count_n=Issues fechadas
-activity.title.issues_1=%d issue
-activity.title.issues_n=%d issues
+activity.title.issues_1=%d problema
+activity.title.issues_n=%d problemas
 activity.title.issues_closed_from=%s fechada por %s
 activity.title.issues_created_by=%s criada por %s
 activity.closed_issue_label=Fechado
@@ -1947,7 +1947,7 @@ activity.title.unresolved_conv_n=%d conversas não resolvidas
 activity.unresolved_conv_desc=Estas issues foram recentemente alteradas e pull requests ainda não foram resolvidos.
 activity.unresolved_conv_label=Aberta
 activity.title.releases_1=%d release
-activity.title.releases_n=%d releases
+activity.title.releases_n=%d lançamentos
 activity.title.releases_published_by=%s publicada(s) por %s
 activity.published_release_label=Release
 activity.no_git_activity=Não houve nenhuma atividade de commit neste período.
@@ -2652,7 +2652,7 @@ settings.federation_following_repos = URLs de Repositórios Seguidores. Separado
 settings.mirror_settings.docs.disabled_push_mirror.info = Espelhos de pull foram desativados pelo administrador do seu site.
 settings.mirror_settings.push_mirror.none_ssh = Nenhum
 settings.protect_status_check_patterns_desc = Insira padrões para especificar quais verificações de status devem passar com sucesso antes que merges possam ser feitos em branches aos quais esta regra se aplica. Cada linha especifica um padrão. Padrões não podem estar vazios.
-settings.archive.text = Arquivar o repositório irá torná-lo somente para leitura. Ele ficará oculto do painel de controle. Ninguém (nem mesmo você) poderá fazer novos commits, nem abrir questões ou propostas de revisão.
+settings.archive.text = Arquivar o repositório o tornará inteiramente apenas para leitura. Ele será ocultado do painel de controle. Ninguém (nem mesmo você!) poderá fazer novos commits ou abrir issues ou pull requests. Recomenda-se documentar o motivo do arquivamento para orientar futuros desenvolvedores que planejem fazer um fork do repositório.
 settings.add_key_success = A chave de deploy "%s" foi adicionada.
 settings.protect_invalid_status_check_pattern = Padrão de verificação de status inválido: "%s".
 settings.web_hook_name_sourcehut_builds = Builds do SourceHut
diff --git a/options/locale/locale_ru-RU.ini b/options/locale/locale_ru-RU.ini
index 5affdffb25..0e9ec2d653 100644
--- a/options/locale/locale_ru-RU.ini
+++ b/options/locale/locale_ru-RU.ini
@@ -168,7 +168,7 @@ footer.software=О программе
 footer.links=Ссылки
 
 [heatmap]
-number_of_contributions_in_the_last_12_months=Принимал(а) участие %s раз за последние 12 месяцев
+number_of_contributions_in_the_last_12_months=%s действий за последние 12 месяцев
 contributions_zero=Действий не было
 contributions_format = {contributions} {day} {month} {year}
 contributions_one=действие
diff --git a/options/locale/locale_ta.ini b/options/locale/locale_ta.ini
index 74fef432c4..8b1b7a2679 100644
--- a/options/locale/locale_ta.ini
+++ b/options/locale/locale_ta.ini
@@ -183,7 +183,7 @@ buttons.bold.tooltip = தடிமனான உரையைச் சேர்
 buttons.italic.tooltip = சாய்வு உரையைச் சேர்க்கவும் (Ctrl+I / ⌘I)
 buttons.quote.tooltip = மேற்கோள் உரை
 buttons.code.tooltip = குறியீட்டைச் சேர்க்கவும்
-buttons.link.tooltip = இணைப்பைச் சேர்க்கவும்
+buttons.link.tooltip = இணைப்பைச் சேர்
 buttons.list.unordered.tooltip = புல்லட் பட்டியலைச் சேர்க்கவும்
 buttons.list.ordered.tooltip = எண்ணிடப்பட்ட பட்டியலைச் சேர்க்கவும்
 buttons.list.task.tooltip = பணிகளின் பட்டியலைச் சேர்க்கவும்
@@ -219,7 +219,7 @@ server_internal = உள் சர்வர் பிழை
 [startpage]
 app_desc = வலியற்ற, சுயமாக வழங்கும் Git பணி
 install = நிறுவ எளிதானது
-install_desc = உங்கள் இயங்குதளத்திற்கு <a target="_blank" rel="noopener noreferrer" href="%[1]s">பைனரியை இயக்கவும்</a>, அதை <a target="_blank" rel="noopener noreferrer" href="%[2]s">Docker</a> மூலம் அனுப்பவும் அல்லது <a target="_blank" rel="noopener noreferrer" href="%[3]s">தொகுக்கப்பட்டது</a>.
+install_desc = உங்கள் இயங்குதளத்திற்கு <a target="_blank" rel="noopener noreferrer" href="%[1]s">பைனரியை இயக்கவும்</a>, அதை <a target="_blank" rel="noopener noreferrer" href="%[2]s">டாக்கர்</a> மூலம் அனுப்பவும் அல்லது <a target="_blank" rel="noopener noreferrer" href="%[3]s">தொகுக்கப்பட்டது</a>.
 platform = குறுக்கு மேடை
 platform_desc = Forgejo லினக்ச் மற்றும் ஃப்ரீபிஎச்டி போன்ற லிப்ரே இயங்குதளங்கள் மற்றும் வெவ்வேறு சிபியு கட்டமைப்புகளில் இயங்குவது உறுதிசெய்யப்பட்டுள்ளது. நீங்கள் விரும்பும் ஒன்றைத் தேர்ந்தெடுங்கள்!
 lightweight = இலகுரக
@@ -2424,7 +2424,7 @@ settings.matrix.access_token_helper = இதற்காக பிரத்ய
 settings.matrix.room_id_helper = அறை ஐடியை உறுப்பு வலை வாங்கி > அறை அமைப்புகள் > மேம்பட்ட > உள் அறை ஐடியிலிருந்து மீட்டெடுக்கலாம். எடுத்துக்காட்டு: %s.
 settings.archive.button = காப்பக ரெப்போ
 settings.archive.header = இந்த ரெப்போவை காப்பகப்படுத்தவும்
-settings.archive.text = ரெப்போவைக் காப்பகப்படுத்தினால், அதை முழுவதுமாகப் படிக்க மட்டுமே செய்யும். இது டாச்போர்டில் இருந்து மறைக்கப்படும். எவராலும் (நீங்கள் கூட இல்லை!) புதிய பொறுப்புகளைச் செய்யவோ அல்லது ஏதேனும் சிக்கல்களைத் திறக்கவோ அல்லது கோரிக்கைகளை இழுக்கவோ முடியாது.
+settings.archive.text = ரெப்போவைக் காப்பகப்படுத்தினால், அதை முழுவதுமாகப் படிக்க மட்டுமே செய்யும். இது டாச்போர்டிலிருந்து மறைக்கப்படும். எவராலும் (நீங்கள் கூட இல்லை!) புதிய பொறுப்புகளைச் செய்யவோ அல்லது ஏதேனும் சிக்கல்களைத் திறக்கவோ அல்லது கோரிக்கைகளை இழுக்கவோ முடியாது. காப்பகத்திற்கான காரணத்தை ஆவணப்படுத்துவது எதிர்கால டெவலப்பர்களுக்கு வழிகாட்டுவதற்கு பரிந்துரைக்கப்படுகிறது.
 settings.archive.success = ரெப்போ வெற்றிகரமாக காப்பகப்படுத்தப்பட்டது.
 settings.archive.error = ரெப்போவை காப்பகப்படுத்த முயற்சிக்கும்போது பிழை ஏற்பட்டது. மேலும் விவரங்களுக்கு பதிவைப் பார்க்கவும்.
 settings.archive.error_ismirror = பிரதிபலித்த ரெப்போவை நீங்கள் காப்பகப்படுத்த முடியாது.
diff --git a/options/locale_next/locale_bg.json b/options/locale_next/locale_bg.json
index 625961ffca..5fdfec07d7 100644
--- a/options/locale_next/locale_bg.json
+++ b/options/locale_next/locale_bg.json
@@ -424,11 +424,8 @@
 	"avatar.constraints_hint": "Персонализираната профилна снимка не трябва да надвишава размер от %[1]s или да бъде по-голяма от %[2]dx%[3]d пиксела",
 	"user.ghost.tooltip": "Този потребител е изтрит или не може да бъде съпоставен.",
 	"og.repo.summary_card.alt_description": "Карта с обобщение на хранилище %[1]s, описано като: %[2]s",
-	"actions.runners.list_runners.details_column": "Подробности",
 	"actions.runners.list_runners.edit_column": "Редактиране",
 	"actions.runners.list_runners.delete_column": "Изтриване",
-	"actions.runners.list_runners.details_button": "Подробности",
-	"actions.runners.list_runners.details_button_aria": "Показване на подробности за %s",
 	"actions.runners.list_runners.delete_button": "Изтриване",
 	"actions.runners.list_runners.delete_button_aria": "Изтриване на %s",
 	"actions.runners.list_runners.edit_button": "Редактиране",
diff --git a/options/locale_next/locale_ca.json b/options/locale_next/locale_ca.json
index faf20f2864..554b1320aa 100644
--- a/options/locale_next/locale_ca.json
+++ b/options/locale_next/locale_ca.json
@@ -434,5 +434,158 @@
 	"packages.debian.repository.distributions": "Distribucions",
 	"packages.debian.repository.components": "Components",
 	"packages.generic.download": "Baixeu el paquet des de la línia de comandes:",
-	"packages.go.install": "Instal·leu el paquet des de la línia de comandes:"
+	"packages.go.install": "Instal·leu el paquet des de la línia de comandes:",
+	"admin.dashboard.actions_action_user": "Anul·la la confiança del Forgejo Actions als usuaris inactius",
+	"user.activitypub_feed.feed": "Fil del Fedivers",
+	"user.activitypub_feed.is_empty": "El vostre fil del fedivers és buit.",
+	"user.activitypub_feed.hint": "Aquest fil mostra activitats dels comptes del fedivers que seguiu, així com publicacions federades que us mencionen.",
+	"packages.alpine.registry": "Configureu aquest registre afegint l'URL en el vostre fitxer <code>/etc/apk/repositories</code>:",
+	"packages.alpine.registry.key": "Baixeu la clau pública RSA del registre al directori <code>/etc/apk/keys/</code> per verificar la signatura d'índex:",
+	"packages.arch.pacman.conf": "Afegiu el servidor amb la distribució i arquitectura relacionades a <code>/etc/pacman.conf</code> :",
+	"packages.composer.dependencies.development": "Dependències de desenvolupament",
+	"packages.conan.install": "Per instal·lar el paquet mitjançant Conan, executeu la següent comanda:",
+	"packages.conda.install": "Per instal·lar el paquet mitjançant Conda, executeu la següent comanda:",
+	"packages.container.layers": "Capes d'imatge",
+	"packages.maven.install2": "Executeu amb la línia de comandes:",
+	"packages.maven.download": "Per baixar la dependència, executeu amb la línia de comandes:",
+	"packages.nuget.install": "Per instal·lar el paquet mitjançant NuGet, executeu la següent comanda:",
+	"packages.npm.install": "Per instal·lar el paquet mitjançant npm, executeu la següent comanda:",
+	"packages.npm.install2": "o afegiu-lo al fitxer package.json:",
+	"packages.npm.dependencies.development": "Dependències de desenvolupament",
+	"packages.npm.dependencies.bundle": "Dependències empaquetades",
+	"packages.npm.dependencies.optional": "Dependències opcionals",
+	"packages.npm.details.tag": "Etiqueta",
+	"packages.pypi.requires": "Requereix el Python",
+	"packages.pypi.install": "Per instal·lar el paquet mitjançant pip, executeu la següent comanda:",
+	"packages.rpm.distros.redhat": "en distribucions basades en RedHat",
+	"packages.rpm.distros.suse": "en distribucions basades en SUSE",
+	"packages.rpm.repository.multiple_groups": "Aquest paquet és disponible en diversos grups.",
+	"packages.alt.install": "Instal·leu el paquet",
+	"packages.alt.setup": "Afegiu un repositori a la llista de repositoris connectats (escolliu l'arquitectura pertinent enlloc de \"_arch_\"):",
+	"packages.alt.repository.multiple_groups": "Aquest paquet és disponible en diversos grups.",
+	"packages.rubygems.install": "Per instal·lar el paquet mitjançant gem, executeu la següent comanda:",
+	"packages.rubygems.install2": "o afegiu-lo a la Gemfile:",
+	"packages.rubygems.dependencies.runtime": "Dependències d'execució",
+	"packages.rubygems.dependencies.development": "Dependències de desenvolupament",
+	"packages.rubygems.required.ruby": "Requereix la versió de Ruby",
+	"packages.rubygems.required.rubygems": "Requereix la versió de RubyGem",
+	"packages.settings.link": "Enllaça aquest paquet a un repositori",
+	"packages.settings.link.description": "Si enllaceu un paquet amb un repositori, el paquet s'enllistarà al llistat de paquets del repositori.",
+	"packages.settings.link.select": "Selecciona un repositori",
+	"packages.settings.link.button": "Modifica l'enllaç del repositori",
+	"packages.settings.link.success": "L'enllaç del repositori s'ha modificat satisfactòriament.",
+	"packages.settings.link.error": "No s'ha pogut modificar l'enllaç del repositori.",
+	"packages.settings.delete": "Elimina el paquet",
+	"packages.settings.delete.description": "Eliminar un paquet és permanent i no es pot desfer.",
+	"packages.settings.delete.notice": "Esteu a punt d'eliminar %s (%s). Aquesta operació no es pot desfer, n'esteu segurs?",
+	"packages.settings.delete.success": "S'ha eliminat el paquet.",
+	"packages.settings.delete.error": "No s'ha pogut eliminar el paquet.",
+	"packages.owner.settings.cargo.initialize": "Inicialitza l'índex",
+	"packages.owner.settings.cargo.initialize.description": "Cal un repositori Git d'índex especial per usar el registre del Cargo. Usar aquesta opció (re)crearà el repositori i el configurarà automàticament.",
+	"packages.owner.settings.cargo.initialize.error": "No s'ha pogut inicialitzar l'índex del Cargo: %v",
+	"packages.owner.settings.cargo.initialize.success": "S'ha creat l'índex del Cargo satisfactòriament.",
+	"packages.owner.settings.cargo.rebuild": "Recrea l'índex",
+	"packages.owner.settings.cargo.rebuild.description": "Recrear pot ser útil si l'índex no està sincronitzat amb els paquets Cargo desats.",
+	"repo.files.caption": "Fitxers del repositori (darrer commit primer)",
+	"repo.files.filename": "Nom del fitxer",
+	"repo.files.last_commit_message": "Missatge del darrer commit",
+	"repo.files.last_commit_date": "Data del darrer commit",
+	"packages.cargo.registry": "Configureu aquest registre en el fitxer de configuració de Cargo (per exemple <code>~/.cargo/config.toml</code>):",
+	"packages.cargo.install": "Per instal·lar el paquet amb Cargo, executeu la comanda:",
+	"packages.chef.registry": "Configureu aquest registre en el vostre fitxer <code>~/.chef/config.rb</code>:",
+	"packages.composer.registry": "Configureu aquest registre en el vostre fitxer <code>~/.composer/config.json</code>:",
+	"packages.composer.install": "Per instal·lar el paquet amb Composer, executeu la comanda:",
+	"packages.conda.registry": "Configureu aquest registre com a un repositori Conda en el vostre fitxer <code>.condarc</code>:",
+	"packages.cran.registry": "Configureu aquest registre en el vostre fitxer <code>Rprofile.site</code>:",
+	"packages.maven.registry": "Configureu aquest registre en el fitxer <code>pom.xml</code> del vostre projecte:",
+	"packages.maven.install": "Per usar el paquet afegiu el següent en el bloc <code>dependencies</code> del fitxer <code>pom.xml</code>:",
+	"packages.npm.registry": "Configureu aquest registre en el fitxer <code>.npmrc</code> del vostre projecte:",
+	"packages.swift.install": "Afegiu el paquet en el vostre fitxer <code>Package.swift</code>:",
+	"packages.swift.install2": "i executeu la comanda:",
+	"packages.vagrant.install": "Per afegir una caixa Vagrant, executeu la comanda:",
+	"packages.owner.settings.cargo.title": "Índex de registre de Cargo",
+	"packages.owner.settings.cargo.rebuild.error": "No s'ha pogut reconstruir l'índex de Cargo: %v",
+	"packages.owner.settings.cargo.rebuild.success": "S'ha reconstruït l'índex de Cargo satisfactòriament.",
+	"packages.owner.settings.cargo.rebuild.no_index": "No es pot reconstruir, no s'ha inicialitzat l'índex.",
+	"packages.owner.settings.cleanuprules.title": "Normes de neteja",
+	"packages.owner.settings.cleanuprules.add": "Afegeix norma de neteja",
+	"packages.owner.settings.cleanuprules.edit": "Edita norma de neteja",
+	"packages.owner.settings.cleanuprules.none": "Encara no hi ha normes de neteja.",
+	"packages.owner.settings.cleanuprules.preview": "Resum de les normes de neteja",
+	"packages.owner.settings.cleanuprules.preview.overview": "%d paquets programats per eliminar.",
+	"packages.owner.settings.cleanuprules.preview.none": "La norma de neteja no coincideix amb cap paquet.",
+	"packages.owner.settings.cleanuprules.pattern_full_match": "Aplica el patró al nom sencer del paquet",
+	"packages.owner.settings.cleanuprules.keep.count": "Manté el més recent",
+	"packages.owner.settings.cleanuprules.keep.pattern": "Manté les versions coincidents",
+	"packages.owner.settings.cleanuprules.keep.pattern.container": "La versió <code>latest</code> sempre es manté per paquets Container.",
+	"packages.owner.settings.cleanuprules.keep.title": "Les versions que coincideixen amb aquestes normes es mantenen, malgrat coincideixin amb una norma d'eliminació més avall.",
+	"packages.owner.settings.cleanuprules.remove.title": "Les versions que coincideixen amb aquestes normes s'eliminaran, a no ser que una norma més amunt la mantingui.",
+	"packages.owner.settings.cleanuprules.remove.days": "Elimina versions més antigues que",
+	"packages.owner.settings.cleanuprules.remove.pattern": "Elimina versions coincidents",
+	"packages.owner.settings.cleanuprules.success.update": "S'ha actualitzat la norma de neteja.",
+	"packages.owner.settings.cleanuprules.success.delete": "S'ha eliminat la norma de neteja.",
+	"packages.owner.settings.chef.title": "Registre xef",
+	"packages.owner.settings.chef.keypair": "Genera parella de claus",
+	"packages.owner.settings.chef.keypair.description": "Les peticions enviades al registre Xef s'han de signar criptogràficament com a mesura d'autenticació. Quan es genera una parella de claus, només la clau pública es desa a Forgejo. La clau privada es mostra a vós per ser usada com a «knive». Generar una nova parella de claus reescriurà l'antiga.",
+	"access_token.error.specified_repos_none": "Els testimonis d'accés amb repositoris específics han de tenir almenys un repositori.",
+	"access_token.error.specified_repos_and_public_only": "Els testimonis d'accés amb repositoris específics no es poden combinar amb l'àmbit només-públic.",
+	"access_token.error.specified_repos_and_invalid_scope": "Els testimonis d'accés amb repositoris específics només es poden usar amb els àmbits read:issue, write:issue, read:repository, i write:repository.",
+	"actions.status.unknown": "Desconegut",
+	"actions.status.waiting": "Esperant",
+	"actions.status.running": "En execució",
+	"actions.status.success": "Succés",
+	"actions.status.failure": "Falla",
+	"actions.status.cancelled": "Cancel·lat",
+	"actions.status.skipped": "Ignorat",
+	"actions.status.blocked": "Bloquejat",
+	"actions.actions": "Accions",
+	"actions.runners": "Executors",
+	"actions.runners.runner_manage_panel": "Gestiona executors",
+	"actions.runners.new": "Crea un nou executor",
+	"actions.runners.new_notice": "Com iniciar un executor",
+	"actions.runners.status": "Estat",
+	"actions.runners.status.unspecified": "Desconegut",
+	"actions.runners.status.idle": "En repòs",
+	"actions.runners.status.active": "Actiu",
+	"actions.runners.status.offline": "Fora de línia",
+	"actions.runners.uuid": "UUID",
+	"actions.runners.token": "Testimoni",
+	"actions.runners.ephemeral": "Efímer",
+	"actions.runners.version": "Versió",
+	"actions.runners.last_online": "Darrer temps en línia",
+	"actions.runners.list_runners.edit_column": "Edita",
+	"actions.runners.list_runners.delete_column": "Elimina",
+	"actions.runners.list_runners.delete_button": "Elimina",
+	"actions.runners.list_runners.delete_button_aria": "Elimina %s",
+	"actions.runners.list_runners.edit_button": "Edita",
+	"actions.runners.list_runners.edit_button_aria": "Edita %s",
+	"actions.runners.runner_title": "Executor %s",
+	"actions.runners.ephemeral.yes": "sí",
+	"actions.runners.ephemeral.no": "no",
+	"actions.runners.task_list_repo": "Tasques recents d'aquest repositori en aquest executor",
+	"actions.runners.task_list_org": "Tasques recents d'aquest executor en aquesta organització",
+	"actions.runners.task_list_admin": "Tasques recents d'aquest executor",
+	"actions.runners.task_list_user": "Tasques recents d'aquest usuari en aquest executor",
+	"actions.runners.task_list.no_tasks": "Encara no hi ha tasques.",
+	"actions.runners.task_list.run": "Executa",
+	"actions.runners.task_list.status": "Estat",
+	"actions.runners.task_list.done_at": "Realitzat a",
+	"actions.runners.edit_runner_button": "Edita executor",
+	"actions.runners.create_runner.page_title": "Crea un nou executor",
+	"actions.runners.create_runner.title": "Crea un nou executor",
+	"actions.runners.create_runner.properties_fieldset": "Propietats",
+	"actions.runners.create_runner.name_label": "Nom",
+	"actions.runners.create_runner.description_label": "Descripció",
+	"actions.runners.create_runner.create_button": "Crea",
+	"actions.runners.create_runner.cancel_button": "Cancel·la",
+	"actions.runners.edit_runner.page_title": "Edita executor %s",
+	"actions.runners.edit_runner.title": "Edita executor %s",
+	"actions.runners.edit_runner.properties_fieldset": "Propietats",
+	"actions.runners.edit_runner.properties_options": "Opcions",
+	"actions.runners.edit_runner.name_label": "Nom",
+	"actions.runners.edit_runner.description_label": "Descripció",
+	"actions.runners.edit_runner.regenerate_token_label": "Regenera testimoni",
+	"actions.runners.edit_runner.regenerate_token_help": "El testimoni actual s'invalidarà immediatament. Rebreu un nou testimoni en la pàgina següent.",
+	"actions.runners.edit_runner.save_button": "Desa",
+	"actions.runners.edit_runner.cancel_button": "Cancel·la"
 }
diff --git a/options/locale_next/locale_cs-CZ.json b/options/locale_next/locale_cs-CZ.json
index 05f501b5cd..b025aa8ccb 100644
--- a/options/locale_next/locale_cs-CZ.json
+++ b/options/locale_next/locale_cs-CZ.json
@@ -560,11 +560,8 @@
 	"actions.runners.uuid": "UUID",
 	"actions.runners.token": "Token",
 	"actions.runners.ephemeral": "Dočasný",
-	"actions.runners.list_runners.details_column": "Podrobnosti",
 	"actions.runners.list_runners.edit_column": "Upravit",
 	"actions.runners.list_runners.delete_column": "Odstranit",
-	"actions.runners.list_runners.details_button": "Podrobnosti",
-	"actions.runners.list_runners.details_button_aria": "Zobrazit podrobnosti %s",
 	"actions.runners.list_runners.delete_button": "Odstranit",
 	"actions.runners.list_runners.delete_button_aria": "Odstranit %s",
 	"actions.runners.list_runners.edit_button": "Upravit",
@@ -681,5 +678,9 @@
 	"user.activitypub_feed.is_empty": "Váš kanál Fediverse je prázdný.",
 	"user.activitypub_feed.hint": "Tento kanál zobrazuje aktivity z účtů Fediverse, které sledujete, a z federovaných příspěvků, které vás zmínily.",
 	"user.activitypub_feed.posted_on": "Zveřejněno na %[1]s",
-	"user.activitypub_feed.original_source": "Původní zdroj"
+	"user.activitypub_feed.original_source": "Původní zdroj",
+	"repo.files.caption": "Soubory repozitáře (poslední revize jako první)",
+	"repo.files.filename": "Název souboru",
+	"repo.files.last_commit_message": "Zpráva poslední revize",
+	"repo.files.last_commit_date": "Datum poslední revize"
 }
diff --git a/options/locale_next/locale_de-DE.json b/options/locale_next/locale_de-DE.json
index 45d8e5b233..5e4b3784d7 100644
--- a/options/locale_next/locale_de-DE.json
+++ b/options/locale_next/locale_de-DE.json
@@ -19,7 +19,7 @@
 	"gpg.error.extract_sign": "Die Signatur konnte nicht extrahiert werden",
 	"gpg.error.generate_hash": "Es konnte kein Hash vom Commit generiert werden",
 	"gpg.error.no_committer_account": "Es ist kein Account mit der E-Mail-Adresse des Committers verbunden",
-	"gpg.error.no_gpg_keys_found": "Es konnte kein GPG-Schlüssel zu dieser Signatur gefunden werden",
+	"gpg.error.no_gpg_keys_found": "Es konnte kein bekannter Schlüssel zu dieser Signatur in der Datenbank gefunden werden",
 	"gpg.error.not_signed_commit": "Kein signierter Commit",
 	"gpg.error.failed_retrieval_gpg_keys": "Fehler beim Abrufen eines Schlüssels des Committer-Kontos",
 	"gpg.error.probable_bad_signature": "WARNHINWEIS! Obwohl ein Schlüssel mit dieser ID in der Datenbank existiert, verifiziert er nicht diesen Commit! Dieser Commit ist VERDÄCHTIG.",
@@ -541,11 +541,8 @@
 	"actions.runners.uuid": "UUID",
 	"actions.runners.token": "Token",
 	"actions.runners.ephemeral": "Vorübergehend",
-	"actions.runners.list_runners.details_column": "Details",
 	"actions.runners.list_runners.edit_column": "Bearbeiten",
 	"actions.runners.list_runners.delete_column": "Löschen",
-	"actions.runners.list_runners.details_button": "Details",
-	"actions.runners.list_runners.details_button_aria": "Details für %s anzeigen",
 	"actions.runners.list_runners.delete_button": "Löschen",
 	"actions.runners.list_runners.delete_button_aria": "%s löschen",
 	"actions.runners.list_runners.edit_button": "Bearbeiten",
@@ -661,5 +658,9 @@
 	"user.activitypub_feed.is_empty": "Dein Fediverse-Feed ist leer.",
 	"user.activitypub_feed.hint": "Dieser Feed zeigt Aktivitäten aus Fediverse-Konten, denen du folgst sowie föderierten Posts, die dich erwähnt haben.",
 	"user.activitypub_feed.posted_on": "Auf %[1]s gepostet",
-	"user.activitypub_feed.original_source": "Ursprüngliche Quelle"
+	"user.activitypub_feed.original_source": "Ursprüngliche Quelle",
+	"repo.files.caption": "Repository-Dateien (neuester Commit zuerst)",
+	"repo.files.filename": "Dateiname",
+	"repo.files.last_commit_message": "Letzte Commit-Nachricht",
+	"repo.files.last_commit_date": "Letztes Commit-Datum"
 }
diff --git a/options/locale_next/locale_el-GR.json b/options/locale_next/locale_el-GR.json
index e755e6d90a..f29e36bb2b 100644
--- a/options/locale_next/locale_el-GR.json
+++ b/options/locale_next/locale_el-GR.json
@@ -502,13 +502,10 @@
 	"actions.runners.create_runner.description_label": "Περιγραφή",
 	"actions.runners.ephemeral.yes": "ναι",
 	"actions.runners.ephemeral.no": "όχι",
-	"actions.runners.list_runners.details_column": "Λεπτομέρειες",
 	"actions.runners.list_runners.edit_column": "Επεξεργασία",
 	"actions.runners.list_runners.delete_column": "Διαγραφή",
 	"actions.runners.list_runners.delete_button": "Διαγραφή",
 	"actions.runners.uuid": "UUID",
-	"actions.runners.list_runners.details_button": "Λεπτομέρειες",
-	"actions.runners.list_runners.details_button_aria": "Εμφάνιση λεπτομερειών για %s",
 	"actions.runners.list_runners.delete_button_aria": "Διαγραφή %s",
 	"actions.runners.list_runners.edit_button": "Επεξεργασία",
 	"actions.runners.list_runners.edit_button_aria": "Επεξεργασία %s",
diff --git a/options/locale_next/locale_es-ES.json b/options/locale_next/locale_es-ES.json
index 1d39325ed3..93003c4477 100644
--- a/options/locale_next/locale_es-ES.json
+++ b/options/locale_next/locale_es-ES.json
@@ -1,19 +1,23 @@
 {
 	"counters.n_commits": {
 		"one": "%s commit",
-		"other": "%s commits"
+		"many": "%s commits",
+		"other": ""
 	},
 	"counters.n_branches": {
 		"one": "%s rama",
-		"other": "%s ramas"
+		"many": "%s ramas",
+		"other": ""
 	},
 	"counters.n_tags": {
 		"one": "%s etiqueta",
-		"other": "%s etiquetas"
+		"many": "%s etiquetas",
+		"other": ""
 	},
 	"counters.n_releases": {
 		"one": "%s lanzamiento",
-		"other": "%s versiones"
+		"many": "%s versiones",
+		"other": ""
 	},
 	"actions.actions": "Acciones",
 	"actions.status.unknown": "Desconocido",
@@ -47,7 +51,7 @@
 	"actions.runners.task_list.done_at": "Hecho en",
 	"actions.runners.update_runner.success": "Nodo actualizado correctamente",
 	"actions.runners.update_runner.failed": "Fallo al actualizar el nodo",
-	"actions.runners.delete_runner.success": "Nodo eliminado con éxito",
+	"actions.runners.delete_runner.success": "Nodo eliminado correctamente",
 	"actions.runners.delete_runner.failed": "Fallo al eliminar el nodo",
 	"actions.runners.delete_runner.header": "Confirma para eliminar el nodo",
 	"actions.runners.delete_runner.notice": "Si una tarea se está ejecutando en este nodo, se terminará y marcará como fallida. Puede romper el flujo de trabajo en curso.",
@@ -87,7 +91,7 @@
 	"dropzone.default_message": "Suelte archivos o haga clic aquí para subir.",
 	"dropzone.invalid_input_type": "No puede subir archivos de este tipo.",
 	"dropzone.file_too_big": "El tamaño del archivo ({{filesize}} MB) excede el tamaño máximo de ({{maxFilesize}} MB).",
-	"dropzone.remove_file": "Eliminar archivo",
+	"dropzone.remove_file": "Retirar archivo",
 	"munits.data.b": "B",
 	"munits.data.kib": "KiB",
 	"munits.data.mib": "MiB",
@@ -229,16 +233,16 @@
 	"packages.owner.settings.cleanuprules.edit": "Editar regla de limpieza",
 	"packages.owner.settings.cleanuprules.none": "No hay reglas de limpieza disponibles. Por favor, consulte la documentación.",
 	"packages.owner.settings.cleanuprules.preview": "Vista previa de regla de limpieza",
-	"packages.owner.settings.cleanuprules.preview.overview": "%d paquetes están programados para ser eliminados.",
+	"packages.owner.settings.cleanuprules.preview.overview": "%d paquetes están planificados para ser retirados.",
 	"packages.owner.settings.cleanuprules.preview.none": "Regla de limpieza no coincide con ningún paquete.",
 	"packages.owner.settings.cleanuprules.pattern_full_match": "Aplicar patrón al nombre completo del paquete",
 	"packages.owner.settings.cleanuprules.keep.title": "Las versiones que coinciden con estas reglas son reales, incluso si coinciden con una regla de eliminación a continuación.",
 	"packages.owner.settings.cleanuprules.keep.count": "Mantener el más reciente",
 	"packages.owner.settings.cleanuprules.keep.pattern": "Mantener las versiones coincidentes",
 	"packages.owner.settings.cleanuprules.keep.pattern.container": "La <code>última</code> versión siempre es guardada en los paquetes de contenedor.",
-	"packages.owner.settings.cleanuprules.remove.title": "Se eliminan las versiones que coinciden con estas reglas, a menos que una regla anterior indique mantenerlas.",
-	"packages.owner.settings.cleanuprules.remove.days": "Eliminar versiones anteriores a",
-	"packages.owner.settings.cleanuprules.remove.pattern": "Eliminar versiones coincidentes",
+	"packages.owner.settings.cleanuprules.remove.title": "Se retiran las versiones que coinciden con estas reglas, a menos que una regla anterior indique mantenerlas.",
+	"packages.owner.settings.cleanuprules.remove.days": "Retirar versiones anteriores a",
+	"packages.owner.settings.cleanuprules.remove.pattern": "Retirar versiones coincidentes",
 	"packages.owner.settings.cleanuprules.success.update": "Regla de limpieza ha sido actualizada.",
 	"packages.owner.settings.cleanuprules.success.delete": "Regla de limpieza ha sido eliminada.",
 	"packages.owner.settings.chef.title": "Registro de Chef",
@@ -446,5 +450,112 @@
 	"mail.issue.action.close_by_commit": "%[1]s cerró %[2]s en la confirmación %[3]s.",
 	"repo.diff.commit.next-short": "Siguiente",
 	"admin.config.global_2fa_requirement.all": "Todos los usuarios",
-	"admin.config.global_2fa_requirement.admin": "Administradores"
+	"admin.config.global_2fa_requirement.admin": "Administradores",
+	"repo.pulls.auto_merge.no_permission": "No tiene permisos para cancelar esta fusión automática de solicitud de incorporación.",
+	"repo.pulls.poster_trust_always": "Siempre aprobar",
+	"repo.pulls.maintainers_can_edit": "Los mantenedores pueden editar esta solicitud de incorporación de cambios.",
+	"repo.pulls.maintainers_cannot_edit": "Los mantenedores no pueden editar esta solicitud de incorporación de cambios.",
+	"migrate.select.title": "Migrar repositorio",
+	"search.fuzzy": "Difuso",
+	"search.fuzzy_tooltip": "Incluir resultados es una coincidencia aproximada para el término de búsqueda",
+	"install.ssh_authorized_keys_unexpected_key": "Habilitar SSH para Forgejo en conflicto con el archivo localizado en %s que contiene claves SSH existentes. Sugerencia: utilice un sistema dedicado de usuario para Forgejo, o inhabilite SSH.",
+	"keys.verify.token.hint": "El token siempre es válido por 1 minuto. <a href=\"%[1]s\">Obtenga uno nuevo si caduca</a>.",
+	"admin.federation.federation": "Federación",
+	"admin.federation.hosts": "Hospedajes",
+	"admin.federation.hosts.title": "Hospedajes de la Federación",
+	"admin.federation.hosts.manage_panel": "Gestionar hospedajes de federación",
+	"admin.federation.hosts.details_panel": "Detalles de hospedajes de federación",
+	"admin.federation.hosts.show_details": "Muestra detalles del hospedaje",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.port": "Puerto",
+	"admin.federation.host.software_name": "Software",
+	"admin.federation.host.created": "Creado",
+	"admin.federation.host.updated": "Actualizado",
+	"admin.federation.host.latest_activity": "Actividad última",
+	"admin.federation.users": "Usuarios",
+	"admin.federation.users.title": "Usuarios federados",
+	"admin.federation.users.manage_panel": "Gestionar usuarios federados",
+	"admin.federation.users.show_local_user": "Muestra detalles de usuario local",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "ID de usuario local",
+	"admin.federation.user.external_id": "ID de usuario externo",
+	"admin.federation.user.inbox_path": "Ruta de buzón",
+	"admin.config.federation": "Configuración de federación",
+	"admin.config.federation.enabled": "Habilitado",
+	"admin.config.federation.share_user_statistics": "Compartir estadísticas de usuario con otros huéspedes",
+	"admin.config.federation.max_size": "Tamaño máximo de respuesta concedida",
+	"admin.config.federation.signature_enforced": "Requiere firmas HTTP",
+	"admin.config.federation.signature_algorithms": "Algoritmo de firma",
+	"admin.config.federation.digest_algorithm": "Algoritmo digest de firma",
+	"admin.config.federation.get_headers": "Cabeceras GET firmadas",
+	"admin.config.federation.post_headers": "Cabeceras POST firmadas",
+	"moderation.report.mark_as_handled": "Marcar como manipulado",
+	"moderation.users.cannot_suspend_self": "No se puede suspenderse para sí.",
+	"moderation.users.cannot_delete_admins": "Los usuarios con privilegios admin no pueden ser eliminados.",
+	"mail.actions.run_info_cur_status": "Este estado de ejecución: %[1]s (acaba de actualizarlo desde %[2]s)",
+	"mail.actions.run_info_previous_status": "Estado precio de ejecución: %[1]s",
+	"repo.diff.commit.previous-short": "Ant",
+	"discussion.locked": "Esta discusión ha sido bloqueada. Comentar está limitado a los contribuidores.",
+	"discussion.sidebar.reference": "Referencia",
+	"editor.textarea.tab_hint": "Línea ya sangrado. Presione <kbd>Tab</kbd> de nuevo o <kbd>Esc</kbd> para abandonar el editor.",
+	"editor.textarea.shift_tab_hint": "Ningún sangrado en esta línea. Pulse <kbd>Mayús</kbd> + <kbd>Tab</kbd> de nuevo o <kbd>Esc</kbd> para abandonar el editor.",
+	"admin.auths.allow_username_change": "Concede cambio de nombre de usuario",
+	"admin.auths.allow_username_change.description": "Concede a usuarios cambiar su nombre de usuario en los ajustes del perfil",
+	"admin.dashboard.cleanup_offline_runners": "Vaciar ejecutantes desconectados",
+	"admin.dashboard.remove_resolved_reports": "Retirar reportes resueltos",
+	"admin.dashboard.actions_action_user": "Revocar confianza de Acción Forgejo a usuarios inactivos",
+	"admin.dashboard.transfer_lingering_logs": "Registros de acción de transferencia de tareas de acciones finalizadas desde la base de datos al almacenaje",
+	"admin.config.security": "Configuración de seguridad",
+	"admin.config.global_2fa_requirement.title": "Requerimiento de dos factores globales",
+	"admin.config.global_2fa_requirement.none": "No",
+	"settings.visibility.description": "Efectos de visibilidad del perfil de habilidad de otros para acceder a sus repositorios no privados. <a href=\"%s\" target=\"_blank\">Aprender más</a>.",
+	"settings.twofa_unroll_unavailable": "Se requiere autenticación de dos factores para su cuenta y no puede ser inhabilitado.",
+	"settings.twofa_reenroll": "Re‐inscribirse autenticación de dos factores",
+	"settings.twofa_reenroll.description": "Re‐inscribirse su autenticación de dos factores",
+	"settings.must_enable_2fa": "Esta instancia de Forfejo requiere que los usuarios habiliten autenticación de dos factores porque pueden acceder a sus cuentas.",
+	"settings.specific_repo_access": "Acceso al repositorio",
+	"settings.new_access_token": "Nuevo token de acceso",
+	"settings.permissions_access_specific_repositories": "Repositorios específicos",
+	"settings.access_token.selected_repositories": {
+		"one": "Repositorio seleccionado (%d)",
+		"many": "Repositorios seleccionados (%d)",
+		"other": "Repositorios seleccionados (%d)"
+	},
+	"settings.access_token.available_repositories": "Repositorios disponibles",
+	"settings.access_token.no_repositories_selected": "Ningún repositorio seleccionado.",
+	"settings.access_token.no_repositories_found": "Ningún repositorio encontrado.",
+	"settings.access_token.remove": "Retirar %s",
+	"settings.access_token.resource_all_help": "Concede acceso a todos los repositorios.",
+	"settings.access_token.resource_public_only_help": "Limita acceso a repositorios y organizaciones que son públicas.",
+	"settings.access_token.resource_specific_repo_help": "Limita acceso a un listado específico de repositorios. Está permitido el acceso de solo lectura a todos los repositorios públicos. Solo pueden ser habilitados los permisos que concedan acceso al repositorios e incidencias.",
+	"settings.access_token.admin_disabled": "Los permisos administrativos están inhabilitados.",
+	"error.must_enable_2fa": "Esta instancia de Forgejo requiere usuarios para habilitar autenticación de dos factores antes que puedan acceder a sus cuentas. Habilítela en: %s",
+	"avatar.constraints_hint": "El avatar personal puede superar %[1]s en tamaño o sea mayor que %[2]dx%[3]d píxeles",
+	"user.activitypub_feed.posted_on": "Publicado en %[1]s",
+	"user.activitypub_feed.original_source": "Fuente original",
+	"user.ghost.tooltip": "Este usuario ha sido eliminado, o no puede ser emparejado.",
+	"og.repo.summary_card.alt_description": "Ficha resumen del repositorio %[1]s, descrito como: %[2]s",
+	"repo.commit.load_tags_failed": "La carga de etiquetas falló debido a un error interno",
+	"compare.branches.title": "Comparar ramificaciones",
+	"migrate.pagure.description": "Migra datos desde pagure.io u otras instancias Pagure.",
+	"migrate.pagure.incorrect_url": "Ha sido proporcionada una URL de repositorio origen incorrecta",
+	"migrate.pagure.project_url": "URL de proyecto en Pagure",
+	"migrate.pagure.project_example": "La URL del proyecto Pagure, p.e., https://pagure.io/pagure",
+	"migrate.pagure.token_label": "Token de API Pagure",
+	"migrate.pagure.private_issues.summary": "Incidencias privadas (Opcional)",
+	"packages.common.install": "Para instalar el paquete, ejecute el siguiente comando:",
+	"packages.common.registry": "Configure este registro desde la línea de comando:",
+	"packages.common.repository": "Informe de repositorio",
+	"packages.alt.setup": "Añada un repositorio al listado de repositorios conectados (elija la arquitectura necesaria en vez de \"_arch_\"):",
+	"packages.owner.settings.cargo.rebuild.no_index": "No se puede reconstruir, ningún índice está inicializado.",
+	"actions.runners.uuid": "UUID",
+	"actions.runners.token": "Token",
+	"actions.runners.ephemeral": "Ephemeral",
+	"actions.runners.version": "Versión",
+	"actions.runners.list_runners.edit_column": "Editar",
+	"actions.runners.list_runners.delete_column": "Eliminar",
+	"teams.remove_all_repos.modal.header": "Retira todos los repositorios",
+	"admin.auths.oauth2_quota_group_map_removal": "Retire los usuarios desde los grupos de cuota sincronizados si el usuario no pertenece al grupo correspondiente.",
+	"actions.runners.list_runners.delete_button": "Eliminar",
+	"actions.runners.list_runners.delete_button_aria": "Eliminar"
 }
diff --git a/options/locale_next/locale_et.json b/options/locale_next/locale_et.json
index d7138925cf..bf84f24ef4 100644
--- a/options/locale_next/locale_et.json
+++ b/options/locale_next/locale_et.json
@@ -73,5 +73,19 @@
 		"other": "%s koodiharu"
 	},
 	"compare.branches.title": "Võrdle alamharusid",
-	"repo.settings.push_mirror.branch_filter.label": "Alamharude filter (kui soovid)"
+	"repo.settings.push_mirror.branch_filter.label": "Alamharude filter (kui soovid)",
+	"repo.issues.filter_poster.hint": "Filtreeri autori põhjal",
+	"repo.issues.filter_assignee.hint": "Filtreeri määratud kasutaja põjal",
+	"repo.issues.filter_reviewers.hint": "Filtreeri ülevaataja põhjal",
+	"repo.issues.filter_mention.hint": "Filtreeri mainitud kasutaja põhjal",
+	"repo.issues.filter_modified.hint": "Filter viimati muudetud kuupäeva põhjal",
+	"repo.issues.filter_sort.hint_with_placeholder": "Sordi: %s",
+	"issues.updated": "uuendatud %s",
+	"repo.pulls.poster_requires_approval": "Mõned töövood <a href=\"%[1]s\">ootavad läbivaatamist</a>.",
+	"repo.pulls.poster_trust_deny": "Keeldu",
+	"repo.pulls.poster_trust_deny.tooltip": "Töövood, mis ootavad heakskiitu, tühistatakse.",
+	"repo.pulls.poster_trust_once": "Luba üks kord",
+	"repo.pulls.poster_trust_always": "Luba alati",
+	"repo.pulls.poster_trust_revoke": "Tühista",
+	"migrate.select.title": "Migreeri hoidla"
 }
diff --git a/options/locale_next/locale_fil.json b/options/locale_next/locale_fil.json
index 5d03276981..5afeb6ae3b 100644
--- a/options/locale_next/locale_fil.json
+++ b/options/locale_next/locale_fil.json
@@ -556,11 +556,8 @@
 	"actions.runners.uuid": "UUID",
 	"actions.runners.token": "Token",
 	"actions.runners.ephemeral": "Ephemeral",
-	"actions.runners.list_runners.details_column": "Mga detalye",
 	"actions.runners.list_runners.edit_column": "I-edit",
 	"actions.runners.list_runners.delete_column": "Burahin",
-	"actions.runners.list_runners.details_button": "Mga detalye",
-	"actions.runners.list_runners.details_button_aria": "Ipakita ang mga detalye ng %s",
 	"actions.runners.list_runners.delete_button": "Burahin",
 	"actions.runners.list_runners.delete_button_aria": "Burahin ang %s",
 	"actions.runners.list_runners.edit_button": "I-edit",
diff --git a/options/locale_next/locale_fr-FR.json b/options/locale_next/locale_fr-FR.json
index 0fd20579db..d5da596307 100644
--- a/options/locale_next/locale_fr-FR.json
+++ b/options/locale_next/locale_fr-FR.json
@@ -545,10 +545,8 @@
 	"issues.filters.labels.unexclude": "Enlever les exclusions",
 	"repo.pulls.auto_merge.no_permission": "Vous n'avez pas la permission d'annuler la fusion automatique de cette pull request.",
 	"settings.specific_repo_access": "Accès au dépôt",
-	"actions.runners.list_runners.details_column": "Détails",
 	"actions.runners.list_runners.edit_column": "Modifier",
 	"actions.runners.list_runners.delete_column": "Supprimer",
-	"actions.runners.list_runners.details_button_aria": "Afficher les détails de %s",
 	"actions.runners.create_runner.properties_fieldset": "Propriétés",
 	"actions.runners.create_runner.create_button": "Créer",
 	"actions.runners.edit_runner.properties_fieldset": "Propriétés",
@@ -559,7 +557,6 @@
 	"settings.new_access_token": "Nouveau jeton d'accès",
 	"actions.runners.uuid": "UUID",
 	"actions.runners.ephemeral": "Éphémère",
-	"actions.runners.list_runners.details_button": "Détails",
 	"actions.runners.list_runners.delete_button": "Supprimer",
 	"actions.runners.list_runners.delete_button_aria": "Supprimer %s",
 	"actions.runners.list_runners.edit_button": "Modifier",
@@ -635,5 +632,9 @@
 	"admin.config.federation.enabled": "Activé",
 	"settings.access_token.resource_all_help": "Autoriser l'accès à toutes les ressources.",
 	"user.activitypub_feed.posted_on": "Posté sur %[1]s",
-	"actions.runners.version": "Version"
+	"actions.runners.version": "Version",
+	"repo.files.filename": "Fichier",
+	"repo.files.last_commit_message": "Dernier message de commit",
+	"repo.files.last_commit_date": "Date du dernier commit",
+	"admin.federation.host.created": "Créé"
 }
diff --git a/options/locale_next/locale_ga.json b/options/locale_next/locale_ga.json
index 70003eface..0a011e349b 100644
--- a/options/locale_next/locale_ga.json
+++ b/options/locale_next/locale_ga.json
@@ -654,11 +654,8 @@
 	"actions.runners.token": "Comhartha",
 	"actions.runners.ephemeral": "Sealadach",
 	"actions.runners.version": "Leagan",
-	"actions.runners.list_runners.details_column": "Sonraí",
 	"actions.runners.list_runners.edit_column": "Cuir in Eagar",
 	"actions.runners.list_runners.delete_column": "Scrios",
-	"actions.runners.list_runners.details_button": "Sonraí",
-	"actions.runners.list_runners.details_button_aria": "Taispeáin sonraí %s",
 	"actions.runners.list_runners.delete_button": "Scrios",
 	"actions.runners.list_runners.delete_button_aria": "Scrios %s",
 	"actions.runners.list_runners.edit_button": "Cuir in Eagar",
diff --git a/options/locale_next/locale_id-ID.json b/options/locale_next/locale_id-ID.json
index db7579d252..9c21ad9cc7 100644
--- a/options/locale_next/locale_id-ID.json
+++ b/options/locale_next/locale_id-ID.json
@@ -11,14 +11,14 @@
 	"notification.mark_as_unread": "Tandai sebagai belum dibaca",
 	"notification.mark_all_as_read": "Tandai semua sudah dibaca",
 	"dropzone.default_message": "Jatuhkan berkas disini atau klik untuk mengunggah.",
-	"dropzone.invalid_input_type": "Anda tidak bisa mengunggah berkas jenis ini.",
+	"dropzone.invalid_input_type": "File jenis ini tidak dapat diunggah.",
 	"dropzone.file_too_big": "Ukuran berkas ({{filesize}} MB) melebihi ukuran maksimum ({{maxFilesize}} MB).",
 	"dropzone.remove_file": "Hilangkan berkas",
 	"packages.filter.type": "Jenis",
 	"packages.alpine.repository.branches": "Cabang",
 	"packages.alpine.repository.repositories": "Repositori",
 	"repo.pulls.merged_title_desc": "commit %[1]d telah digabungkan dari <code>%[2]s</code> menjadi <code>%[3]s</code> %[4]s",
-	"repo.pulls.title_desc": "ingin menggabungkan komit %[1]d dari <code>%[2]s</code> menuju <code id=\"%[4]s\">%[3]s</code>",
+	"repo.pulls.title_desc": "ingin menggabungkan commit %[1]d dari <code>%[2]s</code> menuju <code id=\"%[4]s\">%[3]s</code>",
 	"moderation.abuse_category.malware": "Perangkat pembahaya",
 	"pulse.n_active_issues": "%s Masalah Aktif",
 	"pulse.n_active_prs": "%s Tarik permintaan aktif",
@@ -167,5 +167,436 @@
 	"actions.runners.task_list.run": "Lari",
 	"actions.runners.task_list.repository": "Repositori",
 	"actions.runners.task_list.commit": "Memperbuat",
-	"meta.last_line": "Terima kasih telah menerjemahkan Forgejo! Baris ini tidak terlihat oleh pengguna, tetapi memiliki fungsi lain dalam manajemen terjemahan. Anda dapat menambahkan fakta menarik dalam terjemahan alih-alih menerjemahkannya."
+	"meta.last_line": "Terima kasih telah menerjemahkan Forgejo! Baris ini tidak terlihat oleh pengguna, tetapi memiliki fungsi lain dalam manajemen terjemahan. Anda dapat menambahkan fakta menarik dalam terjemahan alih-alih menerjemahkannya.",
+	"fork.n_forks": "%s fork",
+	"stars.n_stars": "%s bintang",
+	"watch.n_watchers": "%s pengamat",
+	"repo.issues.filter_poster.hint": "Filter berdasarkan penulis",
+	"repo.issues.filter_assignee.hint": "Filter berdasarkan pengguna yang ditugaskan",
+	"repo.issues.filter_reviewers.hint": "Filter berdasarkan pengguna yang meninjau",
+	"repo.issues.filter_mention.hint": "Filter berdasarkan pengguna yang disebutkan",
+	"repo.issues.filter_modified.hint": "Filter berdasarkan tanggal terakhir diubah",
+	"repo.issues.filter_sort.hint_with_placeholder": "Urutkan berdasarkan: %s",
+	"issues.updated": "diperbarui %s",
+	"issues.filters.labels.exclude": "Kecualikan label",
+	"issues.filters.labels.unexclude": "Hapus pengecualian",
+	"repo.pulls.auto_merge.no_permission": "Anda tidak memiliki izin untuk membatalkan penggabungan otomatis permintaan tarik ini.",
+	"repo.pulls.poster_manage_approval": "Kelola persetujuan",
+	"repo.pulls.poster_requires_approval": "Beberapa alur kerja <a href=\"%[1]s\">menunggu untuk ditinjau</a>.",
+	"repo.pulls.poster_requires_approval.tooltip": "Penulis permintaan tarik ini tidak dipercaya untuk menjalankan alur kerja yang dipicu oleh permintaan tarik yang dibuat dari repositori yang di-fork atau dengan AGit. Alur kerja yang dipicu oleh peristiwa `pull_request` tidak akan berjalan sampai disetujui.",
+	"repo.pulls.poster_is_trusted": "Penulis permintaan tarik ini <a href=\"%[1]s\">selalu dipercaya untuk menjalankan alur kerja</a>.",
+	"repo.pulls.poster_is_trusted.tooltip": "Penulis permintaan tarik ini secara eksplisit dipercaya untuk menjalankan alur kerja yang dipicu oleh peristiwa `pull_request`.",
+	"repo.pulls.poster_trust_deny": "Tolak",
+	"repo.pulls.poster_trust_deny.tooltip": "Alur kerja yang menunggu persetujuan akan dibatalkan.",
+	"repo.pulls.poster_trust_once": "Setujui sekali",
+	"repo.pulls.poster_trust_once.tooltip": "Alur kerja yang dipicu oleh peristiwa `pull_request` akan berjalan pada commit ini tetapi perlu disetujui untuk semua commit mendatang yang didorong ke permintaan tarik ini.",
+	"repo.pulls.poster_trust_always": "Selalu setujui",
+	"repo.pulls.poster_trust_always.tooltip": "Alur kerja yang dipicu oleh peristiwa `pull_request` akan berjalan pada commit ini dan tidak perlu lagi menyetujui jalannya dari permintaan tarik ini atau permintaan tarik mendatang yang dibuat oleh pengguna yang sama.",
+	"repo.pulls.poster_trust_revoke": "Cabut",
+	"repo.pulls.poster_trust_revoke.tooltip": "Penulis permintaan tarik ini tidak lagi dipercaya untuk menjalankan alur kerja yang dipicu oleh peristiwa `pull_request`, setiap jalannya harus disetujui secara manual.",
+	"repo.view.gitmodules_too_large": "File .gitmodules terlalu besar dan akan diabaikan (misalnya pada pemanggilan API)",
+	"migrate.select.title": "Migrasi repositori",
+	"migrate.items.labels": "Label",
+	"migrate.items.merge_requests": "Permintaan gabung",
+	"migrate.in_progress.git": "Migrasi data Git",
+	"migrate.in_progress.topics": "Migrasi topik",
+	"migrate.in_progress.milestones": "Migrasi tonggak pencapaian",
+	"migrate.in_progress.labels": "Migrasi label",
+	"migrate.in_progress.releases": "Migrasi rilis",
+	"migrate.in_progress.issues": "Migrasi isu",
+	"migrate.in_progress.pulls": "Migrasi permintaan tarik",
+	"migrate.cancel.title": "Batalkan migrasi",
+	"migrate.cancel.confirmation": "Apakah Anda ingin membatalkan migrasi ini?",
+	"search.syntax": "Sintaks pencarian",
+	"search.fuzzy": "Fuzzy",
+	"search.fuzzy_tooltip": "Sertakan hasil yang kira-kira cocok dengan kata kunci pencarian",
+	"install.ssh_authorized_keys_inspection_error": "Gagal memeriksa file authorized_keys yang ada: %v",
+	"install.ssh_authorized_keys_unexpected_key": "Mengaktifkan SSH untuk Forgejo berkonflik dengan file yang terletak di %s yang berisi kunci SSH yang ada. Saran: gunakan pengguna sistem khusus untuk Forgejo, atau nonaktifkan SSH.",
+	"keys.verify.token.hint": "Token hanya berlaku selama 1 menit. <a href=\"%s\">Dapatkan yang baru jika sudah kedaluwarsa</a>.",
+	"admin.federation.federation": "Federasi",
+	"admin.federation.hosts": "Host",
+	"admin.federation.hosts.title": "Host federasi",
+	"admin.federation.hosts.manage_panel": "Kelola host federasi",
+	"admin.federation.hosts.details_panel": "Detail host federasi",
+	"admin.federation.hosts.show_details": "Tampilkan detail host",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Skema",
+	"admin.federation.host.port": "Port",
+	"admin.federation.host.software_name": "Perangkat lunak",
+	"admin.federation.host.created": "Dibuat",
+	"admin.federation.host.updated": "Diperbarui",
+	"admin.federation.host.latest_activity": "Aktivitas terbaru",
+	"admin.federation.users": "Pengguna",
+	"admin.federation.users.title": "Pengguna terfederasi",
+	"admin.federation.users.manage_panel": "Kelola pengguna terfederasi",
+	"admin.federation.users.show_local_user": "Tampilkan detail pengguna lokal",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "ID pengguna lokal",
+	"admin.federation.user.external_id": "ID pengguna eksternal",
+	"admin.federation.user.inbox_path": "Jalur kotak masuk",
+	"admin.config.federation": "Konfigurasi federasi",
+	"admin.config.federation.enabled": "Diaktifkan",
+	"admin.config.federation.share_user_statistics": "Bagikan statistik pengguna dengan host lain",
+	"admin.config.federation.max_size": "Ukuran respons maksimum yang diizinkan",
+	"admin.config.federation.signature_enforced": "Wajibkan tanda tangan HTTP",
+	"admin.config.federation.signature_algorithms": "Algoritma tanda tangan",
+	"admin.config.federation.digest_algorithm": "Algoritma intisari tanda tangan",
+	"admin.config.federation.get_headers": "Header GET yang ditandatangani",
+	"admin.config.federation.post_headers": "Header POST yang ditandatangani",
+	"moderation.report.mark_as_handled": "Tandai sebagai ditangani",
+	"moderation.report.mark_as_ignored": "Tandai sebagai diabaikan",
+	"moderation.action.account.delete": "Hapus akun",
+	"moderation.action.account.suspend": "Tangguhkan akun",
+	"moderation.action.repo.delete": "Hapus repositori",
+	"moderation.action.issue.delete": "Hapus isu",
+	"moderation.action.comment.delete": "Hapus komentar",
+	"moderation.unknown_action": "Aksi tidak dikenal",
+	"moderation.users.cannot_suspend_self": "Anda tidak dapat menangguhkan diri sendiri.",
+	"moderation.users.cannot_suspend_admins": "Pengguna dengan hak istimewa admin tidak dapat ditangguhkan.",
+	"moderation.users.cannot_suspend_org": "Organisasi tidak dapat ditangguhkan.",
+	"moderation.users.already_suspended": "Akun pengguna sudah ditangguhkan.",
+	"moderation.users.suspend_success": "Akun pengguna telah ditangguhkan.",
+	"moderation.users.cannot_delete_admins": "Pengguna dengan hak istimewa admin tidak dapat dihapus.",
+	"moderation.issue.deletion_success": "Isu telah dihapus.",
+	"moderation.comment.deletion_success": "Komentar telah dihapus.",
+	"admin.dashboard.actions_action_user": "Cabut kepercayaan Forgejo Actions untuk pengguna yang tidak aktif",
+	"admin.dashboard.transfer_lingering_logs": "Transfer log aksi dari pekerjaan aksi yang selesai dari basis data ke penyimpanan",
+	"settings.specific_repo_access": "Akses repositori",
+	"settings.new_access_token": "Token akses baru",
+	"settings.permissions_access_specific_repositories": "Repositori tertentu",
+	"settings.access_token.selected_repositories": "Repositori yang dipilih (%d)",
+	"settings.access_token.available_repositories": "Repositori yang tersedia",
+	"settings.access_token.no_repositories_selected": "Tidak ada repositori yang dipilih.",
+	"settings.access_token.no_repositories_found": "Tidak ada repositori yang ditemukan.",
+	"settings.access_token.remove": "Hapus %s",
+	"settings.access_token.resource_all_help": "Izinkan akses ke semua sumber daya.",
+	"settings.access_token.resource_public_only_help": "Batasi akses ke repositori dan organisasi yang bersifat publik.",
+	"settings.access_token.resource_specific_repo_help": "Batasi akses ke daftar repositori tertentu. Akses hanya-baca diizinkan untuk semua repositori publik. Hanya izin yang memungkinkan akses ke repositori dan issue yang dapat diaktifkan.",
+	"settings.access_token.admin_disabled": "Izin administratif dinonaktifkan.",
+	"user.activitypub_feed.feed": "Umpan Fediverse",
+	"user.activitypub_feed.no_activity": "Tidak ada aktivitas fediverse",
+	"user.activitypub_feed.is_empty": "Umpan fediverse Anda kosong.",
+	"user.activitypub_feed.hint": "Umpan ini menampilkan aktivitas dari akun fediverse yang Anda ikuti, serta postingan terfederasi yang menyebut Anda.",
+	"user.activitypub_feed.posted_on": "Diposting pada %s",
+	"user.activitypub_feed.original_source": "Sumber asli",
+	"release.n_downloads": "%s unduhan",
+	"gpg.default_key": "Ditandatangani dengan kunci default",
+	"gpg.error.no_committer_account": "Tidak ada akun yang terhubung ke alamat email pembuat komit",
+	"gpg.error.failed_retrieval_gpg_keys": "Gagal mengambil kunci yang terlampir pada akun pembuat komit",
+	"gpg.error.probable_bad_signature": "PERINGATAN! Meskipun ada kunci dengan ID ini di basis data, kunci tersebut tidak memverifikasi commit ini! Commit ini MENCURIGAKAN.",
+	"gpg.error.probable_bad_default_signature": "PERINGATAN! Meskipun kunci default memiliki ID ini, kunci tersebut tidak memverifikasi commit ini! Commit ini MENCURIGAKAN.",
+	"notification.no_unread": "Tidak ada pemberitahuan yang belum dibaca.",
+	"notification.no_read": "Tidak ada pemberitahuan yang sudah dibaca.",
+	"notification.subscriptions": "Langganan",
+	"notification.watching": "Sedang diamati",
+	"notification.no_subscriptions": "Anda tidak memiliki langganan.",
+	"munits.data.b": "B",
+	"munits.data.kib": "KiB",
+	"munits.data.mib": "MiB",
+	"munits.data.gib": "GiB",
+	"munits.data.tib": "TiB",
+	"munits.data.pib": "PiB",
+	"munits.data.eib": "EiB",
+	"counters.n_commits": "%s komit",
+	"counters.n_branches": "%s cabang",
+	"counters.n_tags": "%s tag",
+	"counters.n_releases": "%s rilis",
+	"packages.title": "Paket",
+	"packages.empty": "Belum ada paket.",
+	"packages.empty.documentation": "Untuk informasi lebih lanjut tentang registri paket, lihat <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">dokumentasi</a>.",
+	"packages.empty.repo": "Apakah Anda mengunggah paket tetapi tidak muncul di sini? Buka <a href=\"%[1]s\">pengaturan paket</a> dan tautkan ke repositori ini.",
+	"packages.registry.documentation": "Untuk informasi lebih lanjut tentang registri %s, lihat <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">dokumentasi</a>.",
+	"packages.filter.type.all": "Semua",
+	"packages.filter.no_result": "Filter Anda tidak menghasilkan hasil apa pun.",
+	"packages.filter.container.tagged": "Diberi tag",
+	"packages.filter.container.untagged": "Tanpa tag",
+	"packages.published_by": "Diterbitkan %[1]s oleh <a href=\"%[2]s\">%[3]s</a>",
+	"packages.published_by_in": "Diterbitkan %[1]s oleh <a href=\"%[2]s\">%[3]s</a> in <a href=\"%[4]s\"><strong>%[5]s</strong></a>",
+	"packages.pub.install": "Untuk menginstal paket menggunakan Dart, jalankan perintah berikut:",
+	"packages.installation": "Instalasi",
+	"packages.about": "Tentang paket ini",
+	"packages.requirements": "Persyaratan",
+	"packages.dependencies": "Ketergantungan",
+	"packages.keywords": "Kata kunci",
+	"packages.details": "Detail",
+	"packages.details.author": "Penulis",
+	"packages.details.project_site": "Situs web proyek",
+	"packages.details.repository_site": "Situs web repositori",
+	"packages.details.documentation_site": "Situs web dokumentasi",
+	"packages.details.license": "Lisensi",
+	"packages.assets": "Aset",
+	"packages.versions": "Versi",
+	"packages.versions.view_all": "Lihat semua",
+	"packages.dependency.id": "ID",
+	"packages.dependency.version": "Versi",
+	"packages.search_in_external_registry": "Cari di %s",
+	"packages.common.install": "Untuk menginstal paket, jalankan perintah berikut:",
+	"packages.common.registry": "Siapkan registri ini dari baris perintah:",
+	"packages.common.repository": "Info repositori",
+	"packages.alpine.registry": "Siapkan registri ini dengan menambahkan URL di file <code>/etc/apk/repositories</code> Anda:",
+	"packages.alpine.registry.key": "Unduh kunci RSA publik registri ke folder <code>/etc/apk/keys/</code> untuk memverifikasi tanda tangan indeks:",
+	"packages.alpine.registry.info": "Pilih $branch dan $repository dari daftar di bawah ini.",
+	"packages.alpine.repository.architectures": "Arsitektur",
+	"packages.arch.pacman.helper.gpg": "Tambahkan sertifikat kepercayaan untuk pacman:",
+	"packages.arch.pacman.repo.multi": "%s memiliki versi yang sama di berbagai distribusi.",
+	"packages.arch.pacman.repo.multi.item": "Konfigurasi untuk %s",
+	"packages.arch.pacman.conf": "Tambahkan server dengan distribusi dan arsitektur terkait ke <code>/etc/pacman.conf</code>:",
+	"packages.arch.pacman.sync": "Sinkronkan paket dengan pacman:",
+	"packages.arch.version.properties": "Properti versi",
+	"packages.arch.version.description": "Deskripsi",
+	"packages.arch.version.provides": "Menyediakan",
+	"packages.arch.version.groups": "Grup",
+	"packages.arch.version.optdepends": "Ketergantungan opsional",
+	"packages.arch.version.makedepends": "Ketergantungan pembuatan",
+	"packages.arch.version.checkdepends": "Ketergantungan pemeriksaan",
+	"packages.arch.version.conflicts": "Konflik",
+	"packages.arch.version.replaces": "Menggantikan",
+	"packages.arch.version.backup": "Cadangan",
+	"packages.cargo.registry": "Siapkan registri ini di file konfigurasi Cargo (misalnya <code>~/.cargo/config.toml</code>):",
+	"packages.cargo.install": "Untuk menginstal paket menggunakan Cargo, jalankan perintah berikut:",
+	"packages.chef.registry": "Siapkan registri ini di file <code>~/.chef/config.rb</code> Anda:",
+	"packages.composer.registry": "Siapkan registri ini di file <code>~/.composer/config.json</code> Anda:",
+	"packages.composer.install": "Untuk menginstal paket menggunakan Composer, jalankan perintah berikut:",
+	"packages.composer.dependencies.development": "Ketergantungan pengembangan",
+	"packages.conan.install": "Untuk menginstal paket menggunakan Conan, jalankan perintah berikut:",
+	"packages.conda.registry": "Siapkan registri ini sebagai repositori Conda di file <code>.condarc</code> Anda:",
+	"packages.conda.install": "Untuk menginstal paket menggunakan Conda, jalankan perintah berikut:",
+	"packages.container.images.title": "Gambar",
+	"packages.container.details.type": "Jenis gambar",
+	"packages.container.details.platform": "Platform",
+	"packages.container.pull": "Tarik gambar dari baris perintah:",
+	"packages.container.digest": "Intisari",
+	"packages.container.multi_arch": "OS / Arsitektur",
+	"packages.container.layers": "Lapisan gambar",
+	"packages.container.labels": "Label",
+	"packages.container.labels.key": "Kunci",
+	"packages.container.labels.value": "Nilai",
+	"packages.cran.registry": "Siapkan registri ini di file <code>Rprofile.site</code> Anda:",
+	"packages.debian.registry.info": "Pilih $distribution dan $component dari daftar di bawah ini.",
+	"packages.debian.repository.distributions": "Distribusi",
+	"packages.debian.repository.components": "Komponen",
+	"packages.debian.repository.architectures": "Arsitektur",
+	"packages.generic.download": "Unduh paket dari baris perintah:",
+	"packages.go.install": "Instal paket dari baris perintah:",
+	"packages.maven.registry": "Siapkan registri ini di file <code>pom.xml</code> proyek Anda:",
+	"packages.maven.install": "Untuk menggunakan paket, sertakan yang berikut ini di blok <code>dependencies</code> dalam file <code>pom.xml</code>:",
+	"packages.maven.install2": "Jalankan melalui baris perintah:",
+	"packages.maven.download": "Untuk mengunduh ketergantungan, jalankan melalui baris perintah:",
+	"packages.nuget.install": "Untuk menginstal paket menggunakan NuGet, jalankan perintah berikut:",
+	"packages.nuget.dependency.framework": "Kerangka Target",
+	"packages.npm.registry": "Siapkan registri ini di file <code>.npmrc</code> proyek Anda:",
+	"packages.npm.install": "Untuk menginstal paket menggunakan npm, jalankan perintah berikut:",
+	"packages.npm.install2": "atau tambahkan ke file package.json:",
+	"packages.npm.dependencies.development": "Ketergantungan pengembangan",
+	"packages.npm.dependencies.bundle": "Ketergantungan terbundel",
+	"packages.npm.dependencies.peer": "Ketergantungan sejawat",
+	"packages.npm.dependencies.optional": "Ketergantungan opsional",
+	"packages.npm.details.tag": "Tag",
+	"packages.pypi.requires": "Memerlukan Python",
+	"packages.pypi.install": "Untuk menginstal paket menggunakan pip, jalankan perintah berikut:",
+	"packages.rpm.distros.redhat": "pada distribusi berbasis RedHat",
+	"packages.rpm.distros.suse": "pada distribusi berbasis SUSE",
+	"packages.rpm.repository.architectures": "Arsitektur",
+	"packages.rpm.repository.multiple_groups": "Paket ini tersedia dalam beberapa grup.",
+	"packages.alt.install": "Instal paket",
+	"packages.alt.setup": "Tambahkan repositori ke daftar repositori yang terhubung (pilih arsitektur yang diperlukan sebagai pengganti \"_arch_\"):",
+	"packages.alt.repository.architectures": "Arsitektur",
+	"packages.alt.repository.multiple_groups": "Paket ini tersedia dalam beberapa grup.",
+	"packages.rubygems.install": "Untuk menginstal paket menggunakan gem, jalankan perintah berikut:",
+	"packages.rubygems.install2": "atau tambahkan ke Gemfile:",
+	"packages.rubygems.dependencies.runtime": "Ketergantungan runtime",
+	"packages.rubygems.dependencies.development": "Ketergantungan pengembangan",
+	"packages.rubygems.required.ruby": "Memerlukan versi Ruby",
+	"packages.rubygems.required.rubygems": "Memerlukan versi RubyGem",
+	"packages.swift.install": "Tambahkan paket di file <code>Package.swift</code> Anda:",
+	"packages.swift.install2": "dan jalankan perintah berikut:",
+	"packages.vagrant.install": "Untuk menambahkan kotak Vagrant, jalankan perintah berikut:",
+	"packages.settings.link": "Tautkan paket ini ke repositori",
+	"packages.settings.link.description": "Jika Anda menautkan paket dengan repositori, paket tersebut akan tercantum dalam daftar paket repositori.",
+	"packages.settings.link.select": "Pilih repositori",
+	"packages.settings.link.button": "Perbarui tautan repositori",
+	"packages.settings.link.success": "Tautan repositori berhasil diperbarui.",
+	"packages.settings.link.error": "Gagal memperbarui tautan repositori.",
+	"packages.settings.delete": "Hapus paket",
+	"packages.settings.delete.description": "Menghapus paket bersifat permanen dan tidak dapat dibatalkan.",
+	"packages.settings.delete.notice": "Anda akan menghapus %s (%s). Operasi ini tidak dapat dibatalkan, apakah Anda yakin?",
+	"packages.settings.delete.success": "Paket telah dihapus.",
+	"packages.settings.delete.error": "Gagal menghapus paket.",
+	"packages.owner.settings.cargo.title": "Indeks registri Cargo",
+	"packages.owner.settings.cargo.initialize": "Inisialisasi indeks",
+	"packages.owner.settings.cargo.initialize.description": "Repositori Git indeks khusus diperlukan untuk menggunakan registri Cargo. Menggunakan opsi ini akan membuat ulang repositori dan mengonfigurasinya secara otomatis.",
+	"packages.owner.settings.cargo.initialize.error": "Gagal menginisialisasi indeks Cargo: %v",
+	"packages.owner.settings.cargo.initialize.success": "Indeks Cargo berhasil dibuat.",
+	"packages.owner.settings.cargo.rebuild": "Bangun ulang indeks",
+	"packages.owner.settings.cargo.rebuild.description": "Membangun ulang dapat berguna jika indeks tidak tersinkronisasi dengan paket Cargo yang tersimpan.",
+	"packages.owner.settings.cargo.rebuild.error": "Gagal membangun ulang indeks Cargo: %v",
+	"packages.owner.settings.cargo.rebuild.success": "Indeks Cargo berhasil dibangun ulang.",
+	"packages.owner.settings.cargo.rebuild.no_index": "Tidak dapat membangun ulang, tidak ada indeks yang diinisialisasi.",
+	"packages.owner.settings.cleanuprules.title": "Aturan pembersihan",
+	"packages.owner.settings.cleanuprules.add": "Tambah aturan pembersihan",
+	"packages.owner.settings.cleanuprules.edit": "Edit aturan pembersihan",
+	"packages.owner.settings.cleanuprules.none": "Belum ada aturan pembersihan.",
+	"packages.owner.settings.cleanuprules.preview": "Pratinjau aturan pembersihan",
+	"packages.owner.settings.cleanuprules.preview.overview": "%d paket dijadwalkan untuk dihapus.",
+	"packages.owner.settings.cleanuprules.preview.none": "Aturan pembersihan tidak cocok dengan paket mana pun.",
+	"packages.owner.settings.cleanuprules.pattern_full_match": "Terapkan pola ke nama paket lengkap",
+	"packages.owner.settings.cleanuprules.keep.title": "Versi yang cocok dengan aturan ini dipertahankan, meskipun cocok dengan aturan penghapusan di bawah.",
+	"packages.owner.settings.cleanuprules.keep.count": "Pertahankan yang paling baru",
+	"packages.owner.settings.cleanuprules.keep.pattern": "Pertahankan versi yang cocok dengan",
+	"packages.owner.settings.cleanuprules.keep.pattern.container": "Versi <code>latest</code> selalu dipertahankan untuk paket Container.",
+	"packages.owner.settings.cleanuprules.remove.title": "Versi yang cocok dengan aturan ini dihapus, kecuali ada aturan di atas yang menyatakan untuk mempertahankannya.",
+	"packages.owner.settings.cleanuprules.remove.days": "Hapus versi yang lebih lama dari",
+	"packages.owner.settings.cleanuprules.remove.pattern": "Hapus versi yang cocok dengan",
+	"packages.owner.settings.cleanuprules.success.update": "Aturan pembersihan telah diperbarui.",
+	"packages.owner.settings.cleanuprules.success.delete": "Aturan pembersihan telah dihapus.",
+	"packages.owner.settings.chef.title": "Registri Chef",
+	"packages.owner.settings.chef.keypair": "Buat pasangan kunci",
+	"packages.owner.settings.chef.keypair.description": "Permintaan yang dikirim ke registri Chef harus ditandatangani secara kriptografis sebagai sarana autentikasi. Saat membuat pasangan kunci, hanya kunci publik yang disimpan di Forgejo. Kunci privat diberikan kepada Anda untuk digunakan dengan knife. Membuat pasangan kunci baru akan menimpa yang sebelumnya.",
+	"access_token.error.specified_repos_none": "Token akses dengan repositori tertentu harus memiliki setidaknya satu repositori.",
+	"access_token.error.specified_repos_and_public_only": "Token akses dengan repositori tertentu tidak dapat digabungkan dengan cakupan hanya-publik.",
+	"access_token.error.specified_repos_and_invalid_scope": "Token akses dengan repositori tertentu hanya dapat digunakan dengan cakupan read:issue, write:issue, read:repository, dan write:repository.",
+	"actions.status.diagnostics.waiting": "Menunggu runner dengan label berikut: %s",
+	"actions.status.unknown": "Tidak diketahui",
+	"actions.status.waiting": "Menunggu",
+	"actions.status.running": "Berjalan",
+	"actions.status.success": "Berhasil",
+	"actions.status.failure": "Gagal",
+	"actions.status.cancelled": "Dibatalkan",
+	"actions.status.skipped": "Dilewati",
+	"actions.status.blocked": "Diblokir",
+	"actions.actions": "Aksi",
+	"actions.runners": "Runner",
+	"actions.runners.runner_manage_panel": "Kelola runner",
+	"actions.runners.new": "Buat runner baru",
+	"actions.runners.new_notice": "Cara memulai runner",
+	"actions.runners.status": "Status",
+	"actions.runners.status.unspecified": "Tidak diketahui",
+	"actions.runners.status.idle": "Siaga",
+	"actions.runners.status.active": "Aktif",
+	"actions.runners.status.offline": "Luring",
+	"actions.runners.uuid": "UUID",
+	"actions.runners.token": "Token",
+	"actions.runners.ephemeral": "Sementara",
+	"actions.runners.labels": "Label",
+	"actions.runners.version": "Versi",
+	"actions.runners.last_online": "Waktu terakhir daring",
+	"actions.runners.list_runners.edit_column": "Edit",
+	"actions.runners.list_runners.delete_column": "Hapus",
+	"actions.runners.list_runners.delete_button": "Hapus",
+	"actions.runners.list_runners.delete_button_aria": "Hapus %s",
+	"actions.runners.list_runners.edit_button": "Edit",
+	"actions.runners.list_runners.edit_button_aria": "Edit %s",
+	"actions.runners.runner_title": "Runner %s",
+	"actions.runners.ephemeral.yes": "ya",
+	"actions.runners.ephemeral.no": "tidak",
+	"actions.runners.task_list_repo": "Tugas terkini repositori ini pada runner ini",
+	"actions.runners.task_list_org": "Tugas terkini pada runner ini dalam organisasi ini",
+	"actions.runners.task_list_admin": "Tugas terkini pada runner ini",
+	"actions.runners.task_list_user": "Tugas terkini pengguna ini pada runner ini",
+	"actions.runners.task_list.no_tasks": "Belum ada tugas.",
+	"actions.runners.task_list.status": "Status",
+	"actions.runners.task_list.done_at": "Selesai pada",
+	"actions.runners.edit_runner_button": "Edit runner",
+	"actions.runners.create_runner.page_title": "Buat runner baru",
+	"actions.runners.create_runner.title": "Buat runner baru",
+	"actions.runners.create_runner.properties_fieldset": "Properti",
+	"actions.runners.create_runner.name_label": "Nama",
+	"actions.runners.create_runner.description_label": "Deskripsi",
+	"actions.runners.create_runner.create_button": "Buat",
+	"actions.runners.create_runner.cancel_button": "Batal",
+	"actions.runners.edit_runner.page_title": "Edit runner %s",
+	"actions.runners.edit_runner.title": "Edit runner %s",
+	"actions.runners.edit_runner.properties_fieldset": "Properti",
+	"actions.runners.edit_runner.properties_options": "Opsi",
+	"actions.runners.edit_runner.name_label": "Nama",
+	"actions.runners.edit_runner.description_label": "Deskripsi",
+	"actions.runners.edit_runner.regenerate_token_label": "Buat ulang token",
+	"actions.runners.edit_runner.regenerate_token_help": "Token yang ada akan segera menjadi tidak valid. Anda akan menerima token baru di halaman berikutnya.",
+	"actions.runners.edit_runner.save_button": "Simpan",
+	"actions.runners.edit_runner.cancel_button": "Batal",
+	"actions.runners.runner_setup.title": "Siapkan runner %s",
+	"actions.runners.show_registration_token": "Tampilkan token pendaftaran",
+	"actions.runners.update_runner.success": "Runner berhasil diedit",
+	"actions.runners.update_runner.failed": "Gagal mengedit runner",
+	"actions.runners.delete_runner.header": "Konfirmasi untuk menghapus runner ini",
+	"actions.runners.delete_runner.notice": "Jika ada tugas yang sedang berjalan pada runner ini, tugas tersebut akan dihentikan dan ditandai sebagai gagal. Hal ini dapat merusak alur kerja pembangunan.",
+	"actions.runners.delete_runner.success": "Runner berhasil dihapus",
+	"actions.runners.delete_runner.failed": "Gagal menghapus runner",
+	"actions.runners.runner_details.page_title": "Runner %s",
+	"actions.runners.runner_details.labels_note": "Label runner didefinisikan dalam file konfigurasi Forgejo Runner atau diteruskan sebagai opsi baris perintah. Label diperbarui setiap kali Forgejo Runner membangun koneksi ke Forgejo.",
+	"actions.runners.runner_setup.page_title": "Siapkan runner %s",
+	"actions.runners.runner_setup.list_of_runners_link": "Daftar runner",
+	"actions.runners.runner_setup.last_chance_copying_token": "Salin token sekarang karena Anda tidak akan dapat melihatnya lagi!",
+	"actions.runners.runner_setup.button_copy_uuid_aria": "Salin UUID runner",
+	"actions.runners.runner_setup.button_copy_token_aria": "Salin token runner",
+	"actions.runners.runner_setup.heading_using_configuration": "Menggunakan file konfigurasi runner",
+	"actions.runners.runner_setup.configuration_snippet_aria": "Cuplikan untuk disisipkan ke konfigurasi runner",
+	"actions.runners.runner_setup.program_options_snippet_aria": "Cara memanggil forgejo-runner",
+	"actions.runners.runner_setup.instruction_replace_connection_name": "Ganti nama koneksi (<code>forgejo</code> dalam contoh) dengan nilai yang Anda inginkan.",
+	"actions.runners.runner_setup.heading_using_options": "Menggunakan opsi program",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Untuk mengonfigurasi Forgejo Runner yang berjalan dalam container atau konfigurasi lanjutan, lihat <a href=\"%s\">dokumentasi</a>.",
+	"actions.runners.none": "Tidak ada runner yang tersedia",
+	"actions.runners.reset_registration_token.token": "Token Pendaftaran (Tidak Direkomendasikan)",
+	"actions.runners.reset_registration_token.button": "Atur ulang token pendaftaran",
+	"actions.runners.reset_registration_token.success": "Token pendaftaran runner berhasil diatur ulang",
+	"actions.runs.all_workflows": "Semua alur kerja",
+	"actions.runs.scheduled_description": "Jalankan terjadwal dari commit <a href=\"%[1]s\">%[2]s</a>",
+	"actions.runs.workflow_dispatch_description": "Jalankan commit <a href=\"%[1]s\">%[2]s</a> dipicu oleh <a href=\"%[3]s\">%[4]s</a>",
+	"actions.runs.on_push_description": "Commit <a href=\"%[1]s\">%[2]s</a> didorong oleh <a href=\"%[3]s\">%[4]s</a>",
+	"actions.runs.workflow": "Alur kerja",
+	"actions.runs.invalid_workflow_helper": "File konfigurasi alur kerja tidak valid. Silakan periksa file konfigurasi Anda: %s",
+	"actions.runs.no_job_without_needs": "Alur kerja harus berisi setidaknya satu pekerjaan tanpa ketergantungan.",
+	"actions.runs.no_job": "Alur kerja harus berisi setidaknya satu pekerjaan",
+	"actions.runs.all_runs_link": "semua jalankan",
+	"actions.workflow.persistent_incomplete_matrix": "Tidak dapat mengevaluasi `strategy.matrix` dari pekerjaan %[1]s karena ekspresi `needs` yang tidak valid. Mungkin mereferensikan pekerjaan yang tidak ada dalam daftar 'needs'-nya (%[2]s), atau keluaran yang tidak ada pada salah satu pekerjaan tersebut.",
+	"actions.workflow.incomplete_matrix_missing_job": "Tidak dapat mengevaluasi `strategy.matrix` dari pekerjaan %[1]s: pekerjaan %[2]s tidak ada dalam daftar `needs` dari pekerjaan %[1]s (%[3]s).",
+	"actions.workflow.incomplete_matrix_missing_output": "Tidak dapat mengevaluasi `strategy.matrix` dari pekerjaan %[1]s: pekerjaan %[2]s tidak memiliki keluaran %[3]s.",
+	"actions.workflow.incomplete_matrix_unknown_cause": "Tidak dapat mengevaluasi `strategy.matrix` dari pekerjaan %[1]s: kesalahan tidak diketahui.",
+	"actions.workflow.incomplete_runson_missing_job": "Tidak dapat mengevaluasi `runs-on` dari pekerjaan %[1]s: pekerjaan %[2]s tidak ada dalam daftar `needs` dari pekerjaan %[1]s (%[3]s).",
+	"actions.workflow.incomplete_runson_missing_output": "Tidak dapat mengevaluasi `runs-on` dari pekerjaan %[1]s: pekerjaan %[2]s tidak memiliki output %[3]s.",
+	"actions.workflow.incomplete_runson_missing_matrix_dimension": "Tidak dapat mengevaluasi `runs-on` dari pekerjaan %[1]s: dimensi matriks %[2]s tidak ada.",
+	"actions.workflow.incomplete_runson_unknown_cause": "Tidak dapat mengevaluasi `runs-on` dari pekerjaan %[1]s: kesalahan tidak diketahui.",
+	"actions.workflow.incomplete_with_missing_job": "Tidak dapat mengevaluasi `with` dari pekerjaan %[1]s: pekerjaan %[2]s tidak ada dalam daftar `needs` dari pekerjaan %[1]s (%[3]s).",
+	"actions.workflow.incomplete_with_missing_output": "Tidak dapat mengevaluasi `with` dari pekerjaan %[1]s: pekerjaan %[2]s tidak memiliki output %[3]s.",
+	"actions.workflow.incomplete_with_missing_matrix_dimension": "Tidak dapat mengevaluasi `with` dari pekerjaan %[1]s: dimensi matriks %[2]s tidak ada.",
+	"actions.workflow.incomplete_with_unknown_cause": "Tidak dapat mengevaluasi `with` dari pekerjaan %[1]s: kesalahan tidak diketahui.",
+	"actions.workflow.unknown_job_in_needs": "Job dengan ID %[1]s merujuk pada pekerjaan yang tidak dikenal dalam `needs`: %[2]s.",
+	"actions.workflow.rerun_impossible": "Alur kerja tidak dapat dijalankan ulang.",
+	"actions.workflow.job_rerun_impossible": "Job tidak dapat dijalankan ulang.",
+	"actions.secrets.creation.name_description": "Nama secret hanya boleh mengandung huruf, angka, dan garis bawah. Tidak boleh diawali dengan FORGEJO_, GITEA_, GITHUB_, atau angka. Forgejo akan otomatis mengubahnya menjadi huruf kapital.",
+	"actions.secrets.creation.value_description": "Nilai secret dapat berupa teks apa pun. Karakter khusus tetap dipertahankan. CRLF (jeda baris gaya Windows) secara otomatis dikonversi menjadi LF. Enkode nilai dengan Base64 jika jeda baris perlu dipertahankan.",
+	"actions.variables.mutation.name_description": "Nama variabel hanya boleh mengandung huruf, angka, dan garis bawah. Tidak boleh diberi nama CI atau diawali dengan FORGEJO_, GITEA_, GITHUB_, atau angka. Forgejo akan otomatis mengubahnya menjadi huruf kapital.",
+	"actions.variables.mutation.value_description": "Nilai variabel dapat berupa teks apa pun. Karakter khusus tetap dipertahankan. CRLF (jeda baris gaya Windows) secara otomatis dikonversi menjadi LF. Enkode nilai dengan Base64 jika jeda baris perlu dipertahankan.",
+	"actions.secrets.edit_button": "Ubah secret \"%s\"",
+	"actions.secrets.mutation.header": "Ubah secret \"%s\"",
+	"actions.secrets.mutation.success_message": "Secret \"%s\" telah diperbarui.",
+	"actions.secrets.mutation.failure_message": "Secret \"%s\" tidak dapat diperbarui.",
+	"actions.secrets.mutation.name_description": "Nama secret hanya boleh mengandung huruf, angka, dan garis bawah. Tidak boleh diawali dengan FORGEJO_, GITEA_, GITHUB_, atau angka. Forgejo akan otomatis mengubahnya menjadi huruf kapital.",
+	"actions.secrets.mutation.value_description": "Nilai yang ada tidak akan ditampilkan. Biarkan kolom kosong jika Anda tidak ingin mengubahnya. Karakter khusus tetap dipertahankan. CRLF (jeda baris gaya Windows) secara otomatis dikonversi menjadi LF. Enkode nilai dengan Base64 jika jeda baris perlu dipertahankan.",
+	"teams.add_all_repos.modal.header": "Tambahkan semua repositori",
+	"teams.remove_all_repos.modal.header": "Hapus semua repositori",
+	"members.add_member": "Tambahkan anggota",
+	"members.user": "Pengguna",
+	"members.user_already_member": "Pengguna ini sudah menjadi anggota organisasi.",
+	"members.no_team_selected": "Anggota organisasi harus tergabung dalam setidaknya satu tim.",
+	"pulls.manual_merge.helper": "Pembantu penggabungan manual",
+	"pulls.manual_merge.helpder.description": "Gunakan pesan commit penggabungan ini saat menyelesaikan penggabungan secara manual.",
+	"pulls.manual_merge.commit.title": "Judul commit penggabungan",
+	"pulls.manual_merge.commit.body": "Isi commit penggabungan",
+	"pulls.manual_merge.copy.button": "Salin pesan commit penggabungan",
+	"admin.auths.oauth2_quota_group_claim_name": "Klaim nama yang menyediakan nama grup dari sumber ini untuk digunakan dalam manajemen kuota. (Opsional)",
+	"admin.auths.oauth2_quota_group_map": "Petakan grup yang diklaim ke grup kuota. (Opsional - memerlukan nama klaim di atas)",
+	"admin.auths.oauth2_quota_group_map_removal": "Hapus pengguna dari grup kuota yang disinkronkan jika pengguna tidak termasuk dalam grup yang sesuai.",
+	"editor.search": "Cari",
+	"editor.find_previous": "Temuan sebelumnya",
+	"editor.find_next": "Temuan berikutnya",
+	"editor.replace": "Ganti",
+	"editor.replace_all": "Ganti semua",
+	"editor.toggle_case": "Aktifkan/nonaktifkan sensitivitas huruf besar-kecil",
+	"editor.toggle_regex": "Aktifkan/nonaktifkan penggunaan ekspresi reguler",
+	"editor.toggle_whole_word": "Aktifkan/nonaktifkan pencocokan kata utuh",
+	"form.RunnerName": "Nama",
+	"graphs.recent_commits.title": "Jumlah commit dalam satu tahun terakhir",
+	"graphs.code_frequency.title": "Frekuensi kode sepanjang riwayat {0}"
 }
diff --git a/options/locale_next/locale_kab.json b/options/locale_next/locale_kab.json
index 01329826e9..01a3daa718 100644
--- a/options/locale_next/locale_kab.json
+++ b/options/locale_next/locale_kab.json
@@ -111,12 +111,10 @@
 	"actions.runners.token": "Tiddest",
 	"actions.runners.list_runners.edit_column": "Ẓreg",
 	"actions.runners.list_runners.delete_column": "Kkes",
-	"actions.runners.list_runners.details_button": "Talqayt",
 	"actions.runners.list_runners.delete_button": "Kkes",
 	"actions.runners.list_runners.edit_button": "Ẓreg",
 	"actions.runners.ephemeral.yes": "ih",
 	"actions.runners.ephemeral.no": "uhu",
-	"actions.runners.list_runners.details_column": "Talqayt",
 	"actions.runners.create_runner.name_label": "Isem",
 	"actions.runners.create_runner.description_label": "Aglam",
 	"actions.runners.create_runner.create_button": "Snulfu-d",
diff --git a/options/locale_next/locale_mk.json b/options/locale_next/locale_mk.json
index c4c884f041..e24ba5b473 100644
--- a/options/locale_next/locale_mk.json
+++ b/options/locale_next/locale_mk.json
@@ -1,4 +1,68 @@
 {
 	"home.welcome.no_activity": "Нема активност",
-	"home.welcome.activity_hint": "Сè уште нема ништо во вашиот фид. Вашите активности и дејства од репозиториумите што ги следите ќе се појават овде."
+	"home.welcome.activity_hint": "Сè уште нема ништо во вашиот фид. Вашите активности и дејства од репозиториумите што ги следите ќе се појават овде.",
+	"home.explore_repos": "Истражи репозиториуми",
+	"home.explore_users": "Истражи корисници",
+	"home.explore_orgs": "Истражи организации",
+	"fork.n_forks": {
+		"one": "%s форк",
+		"other": "%s форкови"
+	},
+	"stars.list.none": "Никој не го означи овој репо со ѕвездичка.",
+	"stars.n_stars": {
+		"one": "%s ѕвезда",
+		"other": "%s ѕвезди"
+	},
+	"watch.list.none": "Никој не го гледа ова репо.",
+	"watch.n_watchers": {
+		"one": "%s гледач",
+		"other": "%s гледачи"
+	},
+	"followers.incoming.list.self.none": "Никој не го следи вашиот профил.",
+	"followers.incoming.list.none": "Никој не го следи овој корисник.",
+	"followers.outgoing.list.self.none": "Не следите никого.",
+	"followers.outgoing.list.none": "%s не следи никого.",
+	"relativetime.now": "сега",
+	"relativetime.future": "во иднина",
+	"relativetime.mins": {
+		"one": "пред %d минута",
+		"other": "пред %d минути"
+	},
+	"relativetime.hours": {
+		"one": "пред %d час",
+		"other": "пред %d часа"
+	},
+	"relativetime.days": {
+		"one": "пред %d ден",
+		"other": "пред %d дена"
+	},
+	"relativetime.weeks": {
+		"one": "пред %d недела",
+		"other": "пред %d недели"
+	},
+	"relativetime.months": {
+		"one": "пред %d месец",
+		"other": "пред %d месеци"
+	},
+	"relativetime.years": {
+		"one": "пред %d година",
+		"other": "пред %d години"
+	},
+	"relativetime.1day": "вчера",
+	"relativetime.1week": "последна недела",
+	"relativetime.1month": "последен месец",
+	"relativetime.1year": "псоледна година",
+	"repo.issues.filter_poster.hint": "Филтрирајте по автор",
+	"repo.issues.filter_assignee.hint": "Филтрирајте по доделен корисник",
+	"repo.issues.filter_reviewers.hint": "Филтрирајте по корисник кој прегледаше",
+	"repo.issues.filter_mention.hint": "Филтрирајте по споменат корисник",
+	"repo.issues.filter_modified.hint": "Филтрирајте по датум на последна измена",
+	"repo.issues.filter_sort.hint_with_placeholder": "Сортирајте по: %s",
+	"gpg.error.probable_bad_signature": "ПРЕДУПРЕДУВАЊЕ! Иако во базата на податоци постои клуч со овој идентификатор, тој не го потврдува овојто извршење! Извршењето е СОМНИТЕЛНО.",
+	"gpg.error.probable_bad_default_signature": "ПРЕДУПРЕДУВАЊЕ! Иако стандардниот клуч го има овој ИД, тој не го потврдува овојто извршење! Извршењето е СОМНИТЕЛНО.",
+	"notification.notifications": "Нотификации",
+	"notification.unread": "Непрочитано",
+	"notification.read": "Прочитано",
+	"notification.no_unread": "Нема непрочитани нотификации.",
+	"notification.no_read": "Нема прочитени нотификации."
 }
diff --git a/options/locale_next/locale_nds.json b/options/locale_next/locale_nds.json
index 8a4cde599f..b148c0efdb 100644
--- a/options/locale_next/locale_nds.json
+++ b/options/locale_next/locale_nds.json
@@ -540,11 +540,8 @@
 	"settings.specific_repo_access": "Repositoriums-Togang",
 	"actions.runners.uuid": "UUID",
 	"actions.runners.token": "Teken",
-	"actions.runners.list_runners.details_column": "Mehr Informationen",
 	"actions.runners.list_runners.edit_column": "Bewarken",
 	"actions.runners.list_runners.delete_column": "Lösken",
-	"actions.runners.list_runners.details_button": "Mehr Informationen",
-	"actions.runners.list_runners.details_button_aria": "Mehr Informatioonen över %s wiesen",
 	"actions.runners.list_runners.delete_button": "Lösken",
 	"actions.runners.list_runners.delete_button_aria": "%s lösken",
 	"actions.runners.list_runners.edit_button": "Bewarken",
@@ -661,5 +658,9 @@
 	"user.activitypub_feed.is_empty": "Dien Fediversum-Schuuv is leeg.",
 	"user.activitypub_feed.hint": "Deeser Schuuv wiest Doon vun Fediversums-Konten, wat du nagahst, un ok verdeelte Kommentaren, wat di benöömt hebben.",
 	"user.activitypub_feed.posted_on": "Up %[1]s schreven",
-	"user.activitypub_feed.original_source": "Eerste Quell"
+	"user.activitypub_feed.original_source": "Eerste Quell",
+	"repo.files.caption": "Repositoriums-Dateien (lestes Kommitteren toeerst)",
+	"repo.files.filename": "Dateinaam",
+	"repo.files.last_commit_message": "Leste Kommitterens-Naricht",
+	"repo.files.last_commit_date": "Lestes Kommitterens-Datum"
 }
diff --git a/options/locale_next/locale_nl-NL.json b/options/locale_next/locale_nl-NL.json
index 7764ee840f..a413e22cae 100644
--- a/options/locale_next/locale_nl-NL.json
+++ b/options/locale_next/locale_nl-NL.json
@@ -543,13 +543,13 @@
 	"settings.access_token.resource_public_only_help": "Toegang tot repositories en organisaties die openbaar zijn beperken.",
 	"actions.runners.list_runners.delete_column": "Verwijder",
 	"admin.federation.host.software_name": "Software",
-	"repo.pulls.auto_merge.no_permission": "U heeft geen rechten voor het afbreken van deze pull requets's auto merge",
-	"migrate.select.title": "Migreer repositorie",
+	"repo.pulls.auto_merge.no_permission": "U heeft niet de permissie om deze pull request auto merge uit te zetten.",
+	"migrate.select.title": "Migreer repository",
 	"admin.federation.federation": "Federeren",
 	"admin.federation.hosts": "Servers",
-	"admin.federation.hosts.title": "Federeerservers",
-	"admin.federation.hosts.manage_panel": "Beheer federeerservers",
-	"admin.federation.hosts.details_panel": "Federeerserver details",
+	"admin.federation.hosts.title": "Federatie servers",
+	"admin.federation.hosts.manage_panel": "Federatie servers beheren",
+	"admin.federation.hosts.details_panel": "Federatie server details",
 	"admin.federation.hosts.show_details": "Toon server details",
 	"admin.federation.host.id": "ID",
 	"admin.federation.host.fqdn": "FQDN",
@@ -575,13 +575,13 @@
 	"admin.config.federation.digest_algorithm": "Handtekening-hashalgoritme",
 	"admin.config.federation.get_headers": "Ondertekende GET headers",
 	"admin.config.federation.post_headers": "Ondertekende POST headers",
-	"settings.new_access_token": "Nieuw acces token",
+	"settings.new_access_token": "Nieuwe toegangstoken",
 	"settings.access_token.selected_repositories": {
-		"one": "Geselecteerde repositorie (%d)",
+		"one": "Geselecteerde repository (%d)",
 		"other": "Geselecteerde repositories (%d)"
 	},
 	"settings.access_token.resource_specific_repo_help": "Beperk toegang tot een specifieke lijst aan repositories. Alleen-lezen toegang is toegestaan voor alle openbare repositories. Alleen permissies die toegang geven tot repositories en issues kunnen aangezet worden.",
-	"settings.access_token.admin_disabled": "Beheerrechten zijn uitgeschakeld.",
+	"settings.access_token.admin_disabled": "Adminstratische permissies zijn uitgezet.",
 	"user.activitypub_feed.no_activity": "Geen fediverse-activiteit",
 	"user.activitypub_feed.is_empty": "Uw fediverse-feed is leeg.",
 	"user.activitypub_feed.hint": "Deze feed toont activiteiten van fediverse accounts die u volgt, alsook van gefedereerde boodschappen die u vermelden.",
@@ -632,7 +632,7 @@
 	"actions.runs.scheduled_description": "Geplande run van commit <a href=\"%[1]s\">%[2]s</a>",
 	"actions.runs.workflow_dispatch_description": "Run van commit <a href=\"%[1]s\">%[2]s</a> getriggerd door <a href=\"%[3]s\">%[4]s</a>",
 	"actions.runs.on_push_description": "Commit <a href=\"%[1]s\">%[2]s</a> gepusht door <a href=\"%[3]s\">%[4]s</a>",
-	"actions.workflow.unknown_job_in_needs": "Taak met ID %[1]s refereert aan onbekende taken in `nodig`: %[2]s.",
+	"actions.workflow.unknown_job_in_needs": "Taak met ID %[1]s refereert aan onbekende taken in `needs`: %[2]s.",
 	"actions.workflow.rerun_impossible": "De workflow kan niet opnieuw gedraaid worden.",
 	"actions.workflow.job_rerun_impossible": "De taak kan niet opnieuw gedraaid worden.",
 	"actions.secrets.edit_button": "Wijzig geheim \"%s\"",
@@ -647,5 +647,16 @@
 	"members.no_team_selected": "Organisatieleden moeten bij minimaal één team zijn aangesloten.",
 	"form.RunnerName": "Naam",
 	"graphs.recent_commits.title": "Aantal commits in het afgelopen jaar",
-	"graphs.code_frequency.title": "Codefrequentie over de geschiedenis van {0}"
+	"graphs.code_frequency.title": "Codefrequentie over de geschiedenis van {0}",
+	"user.activitypub_feed.feed": "Fediverse feed",
+	"user.activitypub_feed.original_source": "Oorspronkelijke bron",
+	"access_token.error.specified_repos_none": "Toegangstokens met opgegeven repositories moeten ten minste één repository bevatten.",
+	"access_token.error.specified_repos_and_public_only": "Toegangstokens voor bepaalde repositories kunnen niet worden gecombineerd met het bereik 'alleen openbaar'.",
+	"access_token.error.specified_repos_and_invalid_scope": "Toegangstokens voor bepaalde repositories kunnen alleen worden gebruikt met de reikwijdtes read:issue, write:issue, read:repository en write:repository.",
+	"actions.runners.token": "Token",
+	"actions.runners.ephemeral": "Eenmalig",
+	"actions.runners.uuid": "UUID",
+	"actions.runners.list_runners.edit_column": "Aanpassen",
+	"actions.runners.version": "Versie",
+	"actions.runners.list_runners.delete_button": "Verwijderen"
 }
diff --git a/options/locale_next/locale_pt-BR.json b/options/locale_next/locale_pt-BR.json
index ab46f4b038..d285deaa70 100644
--- a/options/locale_next/locale_pt-BR.json
+++ b/options/locale_next/locale_pt-BR.json
@@ -1,19 +1,23 @@
 {
 	"counters.n_commits": {
 		"one": "%s commit",
-		"other": "%s commits"
+		"many": "%s commits",
+		"other": ""
 	},
 	"counters.n_branches": {
 		"one": "%s ramo",
-		"other": "%s ramos"
+		"many": "%s ramos",
+		"other": ""
 	},
 	"counters.n_tags": {
 		"one": "%s etiqueta",
-		"other": "%s etiquetas"
+		"many": "%s etiquetas",
+		"other": ""
 	},
 	"counters.n_releases": {
 		"one": "%s versão",
-		"other": "%s versões"
+		"many": "%s versões",
+		"other": ""
 	},
 	"gpg.default_key": "Assinado com a chave padrão",
 	"gpg.error.extract_sign": "Falha ao extrair assinatura",
@@ -562,5 +566,36 @@
 	"actions.runners.create_runner.page_title": "Criar novo executor",
 	"actions.runners.edit_runner_button": "Editar executor",
 	"actions.runners.task_list_user": "Tarefas recentes deste usuário neste executor",
-	"actions.runners.task_list_admin": "Tarefas recentes neste executor"
+	"actions.runners.task_list_admin": "Tarefas recentes neste executor",
+	"repo.pulls.auto_merge.no_permission": "Você não tem permissão para cancelar a mesclagem automática deste pull request.",
+	"migrate.select.title": "Migrar repositório",
+	"admin.federation.federation": "Federação",
+	"admin.federation.hosts": "Hosts",
+	"admin.federation.hosts.title": "Hosts federados",
+	"admin.federation.hosts.manage_panel": "Gerenciar hosts federados",
+	"admin.federation.hosts.details_panel": "Detalhes dos hosts federados",
+	"admin.federation.hosts.show_details": "Mostrar detalhes do host",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "Schema",
+	"admin.federation.host.port": "Porta",
+	"admin.federation.host.software_name": "Software",
+	"admin.federation.host.created": "Criado em",
+	"admin.federation.host.updated": "Atualizado em",
+	"admin.federation.host.latest_activity": "Última atividade",
+	"admin.federation.users": "Usuários",
+	"admin.federation.users.title": "Usuários federados",
+	"admin.federation.users.manage_panel": "Gerenciar usuários federados",
+	"admin.federation.users.show_local_user": "Mostrar detalhes do usuário local",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "ID do usuário local",
+	"admin.federation.user.external_id": "ID do usuário externo",
+	"access_token.error.specified_repos_and_invalid_scope": "Tokens de acesso com repositórios especificados só podem ser usados com os escopos read:issue, write:issue, read:repository e write:repository.",
+	"actions.runners.uuid": "UUID",
+	"actions.runners.token": "Token",
+	"actions.runners.ephemeral": "Efêmero",
+	"actions.runners.version": "Versão",
+	"actions.runners.list_runners.edit_column": "Editar",
+	"actions.runners.list_runners.delete_column": "Remover",
+	"actions.runners.list_runners.delete_button": "Remover"
 }
diff --git a/options/locale_next/locale_pt-PT.json b/options/locale_next/locale_pt-PT.json
index 5112d30036..f4d2365fab 100644
--- a/options/locale_next/locale_pt-PT.json
+++ b/options/locale_next/locale_pt-PT.json
@@ -566,11 +566,8 @@
 	"actions.runners.runner_setup.button_copy_token_aria": "Copiar token do executor",
 	"actions.runners.reset_registration_token.token": "Token de Registo (Obsoleto)",
 	"actions.runners.ephemeral": "Efémero",
-	"actions.runners.list_runners.details_column": "Detalhes",
 	"actions.runners.list_runners.edit_column": "Editar",
 	"actions.runners.list_runners.delete_column": "Eliminar",
-	"actions.runners.list_runners.details_button": "Detalhes",
-	"actions.runners.list_runners.details_button_aria": "Mostrar detalhes de %s",
 	"actions.runners.list_runners.delete_button": "Eliminar",
 	"actions.runners.list_runners.delete_button_aria": "Eliminar %s",
 	"actions.runners.list_runners.edit_button": "Editar",
diff --git a/options/locale_next/locale_ru-RU.json b/options/locale_next/locale_ru-RU.json
index 957ab7b848..1eae5ff170 100644
--- a/options/locale_next/locale_ru-RU.json
+++ b/options/locale_next/locale_ru-RU.json
@@ -560,7 +560,6 @@
 	"actions.runners.uuid": "УУИД",
 	"actions.runners.token": "Токен",
 	"actions.runners.ephemeral": "Одноразовый",
-	"actions.runners.list_runners.details_column": "Свойства",
 	"actions.runners.list_runners.delete_column": "Удаление",
 	"actions.runners.runner_setup.list_of_runners_link": "Список исполнителей",
 	"actions.runners.runner_setup.last_chance_copying_token": "Скопируйте токен сейчас – потом он не будет отображаться!",
@@ -601,8 +600,6 @@
 	"settings.access_token.resource_specific_repo_help": "Разрешить доступ только к списку выбранных репозиториев. Доступ на чтение разрешён для всех публичных репозиториев. Могут быть выбраны только разрешения, относящиеся к репозиториям и задачам.",
 	"settings.access_token.admin_disabled": "Административные разрешения выключены.",
 	"actions.runners.list_runners.edit_column": "Правка",
-	"actions.runners.list_runners.details_button": "Свойства",
-	"actions.runners.list_runners.details_button_aria": "Открыть свойства %s",
 	"actions.runners.list_runners.delete_button": "Удалить",
 	"actions.runners.list_runners.delete_button_aria": "Удалить %s",
 	"actions.runners.list_runners.edit_button": "Изменить",
@@ -641,5 +638,34 @@
 	"actions.runners.edit_runner.cancel_button": "Отмена",
 	"actions.workflow.rerun_impossible": "Раб. поток невозможно выполнить повторно.",
 	"actions.workflow.job_rerun_impossible": "Задание невозможно выполнить повторно.",
-	"actions.runners.runner_setup.instruction_advanced_configurations": "Для настройки исполнителя Forgejo Действий в контейнерах и др. расширенных настроек, обратитесь к <a href=\"%s\">документации</a>."
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Для настройки исполнителя Forgejo Действий в контейнерах и др. расширенных настроек, обратитесь к <a href=\"%s\">документации</a>.",
+	"actions.runs.on_push_description": "Коммит <a href=\"%[1]s\">%[2]s</a>, отправленный <a href=\"%[3]s\">%[4]s</a>",
+	"repo.files.caption": "Файлы репозитория (в начале последний коммит)",
+	"repo.files.filename": "Имя файла",
+	"repo.files.last_commit_message": "Текст последнего коммита",
+	"repo.files.last_commit_date": "Дата последнего коммита",
+	"admin.federation.host.software_name": "ПО",
+	"admin.federation.users.title": "Пользователи федерации",
+	"admin.federation.user.user_id": "ИД локального пользователя",
+	"admin.federation.user.external_id": "ИД внешнего пользователя",
+	"admin.federation.hosts": "Узлы",
+	"admin.federation.hosts.title": "Узлы федерации",
+	"admin.federation.hosts.manage_panel": "Управлять узлами федерации",
+	"admin.federation.hosts.details_panel": "Подробности об узле федерации",
+	"admin.federation.hosts.show_details": "Показать подробности об узле",
+	"admin.federation.users.manage_panel": "Управлять пользователями федерации",
+	"admin.federation.users.show_local_user": "Показать подробности локального пользователя",
+	"admin.config.federation.share_user_statistics": "Делиться статистикой пользователей с другими узлами",
+	"admin.config.federation.get_headers": "Подписанные заголовки GET",
+	"admin.config.federation.post_headers": "Подписанные заголовки POST",
+	"admin.config.federation.digest_algorithm": "Алгоритм хеширования для подписей",
+	"user.activitypub_feed.no_activity": "Нет активности из Федивёрса",
+	"user.activitypub_feed.hint": "В этой ленте будут появляться активности пользователей Федивёрса, на которых вы подписаны, а также записи, в которых вы упомянуты.",
+	"user.activitypub_feed.posted_on": "Опубликовано %[1]s",
+	"user.activitypub_feed.original_source": "Первоисточник",
+	"actions.runners.runner_setup.title": "Настройка исполнителя %s",
+	"actions.runners.runner_setup.page_title": "Настройка исполнителя %s",
+	"actions.secrets.edit_button": "Изменить секрет «%s»",
+	"actions.secrets.mutation.success_message": "Секрет «%s» был изменён.",
+	"actions.secrets.mutation.name_description": "Название секрета может содержать только буквы, цифры и нижние подчёркивания. Оно не может начинаться на FORGEJO_, GITEA_, GITHUB_, или на цифру. Оно будет сохранено в верхнем регистре."
 }
diff --git a/options/locale_next/locale_sv-SE.json b/options/locale_next/locale_sv-SE.json
index eace1abac5..9ed58f488b 100644
--- a/options/locale_next/locale_sv-SE.json
+++ b/options/locale_next/locale_sv-SE.json
@@ -540,10 +540,8 @@
 	"settings.specific_repo_access": "Kodförrådsåtkomst",
 	"actions.runners.uuid": "UUID",
 	"actions.runners.token": "Token",
-	"actions.runners.list_runners.details_column": "Detaljer",
 	"actions.runners.list_runners.edit_column": "Redigera",
 	"actions.runners.list_runners.delete_column": "Ta bort",
-	"actions.runners.list_runners.details_button_aria": "Visa detaljer för %",
 	"actions.runners.list_runners.delete_button_aria": "Ta bort %s",
 	"actions.runners.list_runners.edit_button": "Redigera",
 	"actions.runners.list_runners.edit_button_aria": "Redigera %s",
@@ -580,7 +578,6 @@
 	"actions.runners.runner_setup.configuration_snippet_aria": "Textavsnitt att infoga i körarens konfiguration",
 	"actions.runners.runner_setup.program_options_snippet_aria": "Hur man anropar forgejo-runner",
 	"actions.runners.ephemeral": "Tillfällig",
-	"actions.runners.list_runners.details_button": "Detaljer",
 	"actions.runners.list_runners.delete_button": "Ta bort",
 	"actions.runners.runner_setup.instruction_replace_connection_name": "Ersätt anslutningsnamnet (<code>forgejo</code> i exemplet) med ett värde.",
 	"actions.runners.runner_setup.heading_using_options": "Använder programval",
diff --git a/options/locale_next/locale_ta.json b/options/locale_next/locale_ta.json
index 03aae7e0ef..a318e08cef 100644
--- a/options/locale_next/locale_ta.json
+++ b/options/locale_next/locale_ta.json
@@ -293,7 +293,7 @@
 	"repo.issue_indexer.title": "வெளியீட்டு அட்டவணை",
 	"search.milestone_kind": "மைல்கற்களைத் தேடு…",
 	"repo.settings.push_mirror.branch_filter.label": "கிளை வடிகட்டி (விரும்பினால்)",
-	"repo.settings.push_mirror.branch_filter.description": "கிளைகள் பிரதிபலிக்க வேண்டும். அனைத்து கிளைகளையும் பிரதிபலிக்க காலியாக விடவும். தொடரியலுக்கு <a href=\"%[1]s\">%[2]s ஆவணத்தைப்</a> பார்க்கவும். எடுத்துக்காட்டுகள்: <code>main, release/*</code>",
+	"repo.settings.push_mirror.branch_filter.description": "கிளைகள் பிரதிபலிக்க வேண்டும். அனைத்து கிளைகளையும் பிரதிபலிக்கக் காலியாக விடவும். தொடரியலுக்கு <a href=\"%[1]s\">%[2]s ஆவணத்தைப்</a> பார்க்கவும். எடுத்துக்காட்டுகள்: <code>main, release/*</code>",
 	"incorrect_root_url": "இந்த Forgejo நிகழ்வு \"%s\" இல் வழங்குவதற்காக கட்டமைக்கப்பட்டுள்ளது. நீங்கள் தற்போது Forgejo ஐ வேறொரு முகவரி மூலம் பார்க்கிறீர்கள், இது பயன்பாட்டின் சில பகுதிகளை உடைக்கக்கூடும். app.ini இல் உள்ள ROOT_URL அமைப்பு வழியாக Forgejo நிர்வாகிகளால் நியமன முகவரி கட்டுப்படுத்தப்படுகிறது.",
 	"themes.names.forgejo-auto": "Forgejo (கணினி கருப்பொருள் பின்பற்றவும்)",
 	"themes.names.forgejo-light": "ஃபோர்சோ ஒளி",
diff --git a/options/locale_next/locale_tr-TR.json b/options/locale_next/locale_tr-TR.json
index 2c11db6ff4..086237d764 100644
--- a/options/locale_next/locale_tr-TR.json
+++ b/options/locale_next/locale_tr-TR.json
@@ -1,65 +1,65 @@
 {
 	"counters.n_commits": {
-		"one": "%s katkı",
-		"other": "%s gönderi"
+		"one": "%s değişiklik(commit)",
+		"other": "%s değişiklikler(commits)"
 	},
 	"counters.n_branches": {
 		"one": "%s dal",
-		"other": "%s dal"
+		"other": "%s dallar"
 	},
 	"counters.n_tags": {
 		"one": "%s etiket",
-		"other": "%s etiket"
+		"other": "%s etiketler"
 	},
 	"counters.n_releases": {
-		"one": "%s sürüm",
-		"other": "%s sürüm"
+		"one": "%s yayın",
+		"other": "%s yayınlar"
 	},
-	"gpg.default_key": "Varsayılan anahtarla imzalanmış",
-	"gpg.error.extract_sign": "İmza çıkarılamadı",
-	"gpg.error.generate_hash": "İşlemenin sağlama kodu oluşturulamadı",
-	"gpg.error.no_committer_account": "İşleyicinin e-posta adresine bağlı hesap yok",
-	"gpg.error.no_gpg_keys_found": "Veri tabanında bu imza için bilinen anahtar bulunamadı",
-	"gpg.error.not_signed_commit": "İmzalı bir işleme değil",
-	"gpg.error.failed_retrieval_gpg_keys": "İşleyicin hesabına bağlı herhangi bir anahtar alınamadı",
-	"gpg.error.probable_bad_signature": "UYARI! Veritabanında bu kimliğe sahip bir anahtar olmasına rağmen, bu işlemeyi doğrulamaz! Bu işleme ŞÜPHELİDİR.",
-	"gpg.error.probable_bad_default_signature": "UYARI! Varsayılan anahtarın bu kimliği olmasına rağmen, bu işlemeyi doğrulamaz! Bu işleme ŞÜPHELİDİR.",
+	"gpg.default_key": "Varsayılan anahtarla imzalandı",
+	"gpg.error.extract_sign": "İmza çıkartılamadı",
+	"gpg.error.generate_hash": "Değişikliğin(commit) karma değeri(sağlama değeri veya hash) oluşturulamadı",
+	"gpg.error.no_committer_account": "Değiştirici'nin(committer) e-posta adresiyle ilişkili hiçbir hesap bulunmuyor",
+	"gpg.error.no_gpg_keys_found": "Veritabanında bu imzaya ait bilinen bir anahtar bulunamadı",
+	"gpg.error.not_signed_commit": "İmzalanmamış bir değişiklik(commit)",
+	"gpg.error.failed_retrieval_gpg_keys": "Değiştirici'nin(committer) hesabına bağlı herhangi bir anahtar alınamadı",
+	"gpg.error.probable_bad_signature": "UYARI! Veritabanında bu kimliğe sahip bir anahtar bulunmasına rağmen, bu değişiklik(commit) doğrulanmamıştır! Bu değişiklik(commit) ŞÜPHELİDİR.",
+	"gpg.error.probable_bad_default_signature": "UYARI! Varsayılan anahtar bu kimliğe sahip olsa da, bu değişikliği(commit) doğrulamıyor! Bu değişiklik(commit) ŞÜPHELİ.",
 	"notification.notifications": "Bildirimler",
 	"notification.unread": "Okunmamış",
 	"notification.read": "Okunmuş",
-	"notification.no_unread": "Okunmamış bildirim yok.",
-	"notification.no_read": "Okunmuş bildirim yok.",
-	"notification.pin": "Pin bildirimi",
+	"notification.no_unread": "Okunmamış herhangi bir bildirim yok.",
+	"notification.no_read": "Okunmuş herhangi bir bildirim yok.",
+	"notification.pin": "Bildirimi sabitle",
 	"notification.mark_as_read": "Okundu olarak işaretle",
 	"notification.mark_as_unread": "Okunmadı olarak işaretle",
 	"notification.mark_all_as_read": "Tümünü okundu olarak işaretle",
 	"notification.subscriptions": "Abonelikler",
 	"notification.watching": "İzleniyor",
-	"notification.no_subscriptions": "Abonelik yok",
-	"dropzone.default_message": "Dosyaları buraya bırakın veya yüklemek için tıklayın.",
-	"dropzone.invalid_input_type": "Bu tür dosyaları yükleyemezsiniz.",
-	"dropzone.file_too_big": "Dosya boyutu ({{filesize}} MB) maksimum boyutu ({{maxFilesize}} MB) aşıyor.",
-	"dropzone.remove_file": "Dosya Kaldır",
+	"notification.no_subscriptions": "Hiç aboneliğiniz yok.",
+	"dropzone.default_message": "Dosyaları sürükleyip bırakın ya da yüklemek için buraya tıklayın.",
+	"dropzone.invalid_input_type": "Bu tür dosyalar yüklenemez.",
+	"dropzone.file_too_big": "Dosya boyutunuz ({{filesize}} MB), ({{maxFilesize}} MB) olan maksimum boyutu aşıyor.",
+	"dropzone.remove_file": "Dosyayı Kaldır",
 	"munits.data.b": "B",
-	"munits.data.kib": "KiB",
-	"munits.data.mib": "MiB",
-	"munits.data.gib": "GiB",
-	"munits.data.tib": "TiB",
-	"munits.data.pib": "PiB",
+	"munits.data.kib": "Kilobayt",
+	"munits.data.mib": "Megabayt",
+	"munits.data.gib": "Gigabayt",
+	"munits.data.tib": "TiB(TeraByte)",
+	"munits.data.pib": "Petabayt",
 	"munits.data.eib": "EiB",
 	"packages.title": "Paketler",
 	"packages.empty": "Henüz hiçbir paket yok.",
-	"packages.empty.documentation": "Paket deposu hakkında daha fazla bilgi için, <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">belgeye</a> bakabilirsiniz.",
-	"packages.empty.repo": "Bir paket yüklediniz ama burada gösterilmiyor mu? <a href=\"%[1]s\">Paket ayarları</a>na gidin ve bu depoya bağlantı verin.",
-	"packages.registry.documentation": "%s kütüğü hakkında daha fazla bilgi için, <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">belgeye</a> bakabilirsiniz.",
+	"packages.empty.documentation": "Paket kayıt defteri hakkında daha fazla bilgi için <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">belgelere</a> bakın.",
+	"packages.empty.repo": "Bir paket yüklediniz, ama burada görünmüyor mu? <a href=\"%[1]s\">Paket Ayarları</a> sayfasına gidin ve paketi bu depoya bağlayın(link).",
+	"packages.registry.documentation": "%s kayıt defteri hakkında daha fazla bilgi için <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"%s\">belgelere</a> bakın.",
 	"packages.filter.type": "Tür",
 	"packages.filter.type.all": "Tümü",
-	"packages.filter.no_result": "Filtreniz herhangi bir sonuç döndürmedi.",
-	"packages.filter.container.tagged": "Etiketlenmiş",
-	"packages.filter.container.untagged": "Etiketlenmemiş",
-	"packages.published_by": "%[1]s, <a href=\"%[2]s\">%[3]s</a> tarafından yayınlandı",
-	"packages.published_by_in": "%[1]s, <a href=\"%[2]s\">%[3]s</a> tarafından <a href=\"%[4]s\"><strong>%[5]s</strong></a> içerisinde yayınlanmış",
-	"packages.pub.install": "Paketi Dart ile kurmak için, şu komutu çalıştırın:",
+	"packages.filter.no_result": "Filtreniz ile herhangi bir sonuç bulunamadı.",
+	"packages.filter.container.tagged": "Etiketlendi",
+	"packages.filter.container.untagged": "Etiketlenmedi",
+	"packages.published_by": "<a href=\"%[2]s\">%[3]s</a> tarafından %[1]s yayınlandı",
+	"packages.published_by_in": "<a href=\"%[2]s\">%[3]s</a> tarafından <a href=\"%[4]s\"><strong>%[5]s</strong></a> 'de %[1]s yayınlandı",
+	"packages.pub.install": "Paketi Dart kullanarak yüklemek için aşağıdaki komutu çalıştırın:",
 	"packages.installation": "Kurulum",
 	"packages.about": "Bu paket hakkında",
 	"packages.requirements": "Gereksinimler",
@@ -68,16 +68,16 @@
 	"packages.details": "Ayrıntılar",
 	"packages.details.author": "Yazar",
 	"packages.details.project_site": "Proje Web Sitesi",
-	"packages.details.repository_site": "Depo Sitesi",
-	"packages.details.documentation_site": "Belge Sitesi",
+	"packages.details.repository_site": "Depo Web Sitesi",
+	"packages.details.documentation_site": "Dökümantasyon web sitesi",
 	"packages.details.license": "Lisans",
 	"packages.assets": "Varlıklar",
 	"packages.versions": "Sürümler",
-	"packages.versions.view_all": "Tümünü görüntüle",
-	"packages.dependency.id": "Kimlik",
+	"packages.versions.view_all": "Tümünü göster",
+	"packages.dependency.id": "ID",
 	"packages.dependency.version": "Sürüm",
-	"packages.alpine.registry": "Bu kütüğü, <code>/etc/apk/repositories</code> dosyanıza url'yi ekleyerek kurun:",
-	"packages.alpine.registry.key": "Kütüğün açık RSA anahtarını, indeks imzasını doğrulamak için <code>/etc/apk/keys/</code> dizinine indirin:",
+	"packages.alpine.registry": "<code>/etc/apk/repositories</code> dosyanıza şu url'yi ekleyerek bu kayıt defterini kurun:",
+	"packages.alpine.registry.key": "Dizin imzasını doğrulamak için kayıt defterinin RSA halka açık anahtarınızı <code>/etc/apk/keys/</code> dizinine indirin:",
 	"packages.alpine.registry.info": "Aşağıdaki listeden $branch ve $repository seçin.",
 	"packages.alpine.repository.branches": "Dallar",
 	"packages.alpine.repository.repositories": "Depolar",
@@ -94,7 +94,7 @@
 	"packages.container.details.type": "Görüntü Türü",
 	"packages.container.details.platform": "Platform",
 	"packages.container.pull": "Görüntüyü komut satırını kullanarak çekin:",
-	"packages.container.digest": "Özet:",
+	"packages.container.digest": "Özeti",
 	"packages.container.multi_arch": "İşletim Sistemi / Mimari",
 	"packages.container.layers": "Görüntü Katmanları",
 	"packages.container.labels": "Etiketler",
@@ -178,19 +178,19 @@
 	"packages.owner.settings.chef.keypair.description": "Chef kayıt defterine gönderilen istekler kimlik doğrulama yöntemi olarak kriptografik olarak imzalanmalıdır. Bir anahtar çifti oluştururken, yalnızca genel anahtar Forgejo'da saklanır. Özel anahtar size knife ile kullanılmak üzere sağlanır. Yeni bir anahtar çifti oluşturmak öncekini geçersiz kılar.",
 	"fork.n_forks": {
 		"one": "%s çatal",
-		"other": "%s çatal"
+		"other": "%s çatallar"
 	},
 	"stars.n_stars": {
 		"one": "%s yıldız",
-		"other": "%s yıldız"
+		"other": "%s yıldızlar"
 	},
 	"repo.pulls.merged_title_desc": {
-		"one": "%[4]s, <code>%[2]s</code> içindeki %[1]d katkıyı <code>%[3]s</code> ile birleştirdi",
-		"other": "%[4]s, <code>%[2]s</code> içindeki %[1]d katkıyı <code>%[3]s</code> ile birleştirdi"
+		"one": "<code>%[2]s</code> 'nden gelen %[1]d değişikliği(commit'i), <code>%[3]s</code> 'ine %[4]s olarak birleştirildi",
+		"other": "<code>%[2]s</code> 'nden gelen %[1]d değişiklikleri(commit'leri), <code>%[3]s</code> 'ine %[4]s olarak birleştirildi"
 	},
 	"repo.pulls.title_desc": {
-		"one": "<code>%[2]s</code> içindeki %[1]d katkıyı <code id=\"%[4]s\">%[3]s</code> ile birleştirmek istiyor",
-		"other": "<code>%[2]s</code> içindeki %[1]d katkıyı <code id=\"%[4]s\">%[3]s</code> ile birleştirmek istiyor"
+		"one": "<code>%[2]s</code> 'nden gelen %[1]d değişikliği(commit'i) <code id=\"%[4]s\">%[3]s</code> ile birleştirmek istiyor",
+		"other": "<code>%[2]s</code> 'nden gelen %[1]d değişiklikleri(commit'leri) <code id=\"%[4]s\">%[3]s</code> ile birleştirmek istiyor"
 	},
 	"search.milestone_kind": "Kilometre taşlarını ara…",
 	"moderation.abuse_category.malware": "Kötü amaçlı yazılım",
@@ -221,13 +221,13 @@
 	"migrate.cancel.confirmation": "Bu göçü iptal etmek istiyor musunuz?",
 	"pulse.n_active_issues": {
 		"one": "%s aktif sorun",
-		"other": "%s aktif sorun"
+		"other": "%s aktif sorunlar"
 	},
 	"pulse.n_active_prs": {
 		"one": "%s aktif birleştirme isteği",
-		"other": "%s aktif birleştirme isteği"
+		"other": "%s aktif birleştirme istekleri"
 	},
-	"home.welcome.no_activity": "Etkinlik yok",
+	"home.welcome.no_activity": "Etkinlik(aktivite) yok",
 	"home.welcome.activity_hint": "Akışınızda henüz bir şey yok. Eylemleriniz ve izlediğiniz depolardaki etkinlikler burada gözükecek.",
 	"home.explore_repos": "Depoları keşfet",
 	"home.explore_users": "Kullanıcıları keşfet",
@@ -250,34 +250,34 @@
 	"repo.form.cannot_create": "Depo oluşturabileceğiniz her yer, depo sınırlarına ulaştılar.",
 	"migrate.form.error.url_credentials": "URL, kimlik bilgileri içeriyor; bu bilgileri sırasıyla kullanıcı adı ve şifre alanlarına koyunuz",
 	"watch.n_watchers": {
-		"one": "%s izleyen",
-		"other": "%s izleyen"
+		"one": "%s izlemeye alan",
+		"other": "%s izlemeye alanlar"
 	},
 	"migrate.forgejo.description": "codeberg.org veya diğer Forgejo oluşumlarından veri aktar.",
 	"repo.issue_indexer.title": "Sorun Endeksleyici",
 	"relativetime.mins": {
 		"one": "%d dakika önce",
-		"other": "%d dakika önce"
+		"other": "%d dakikalar önce"
 	},
 	"relativetime.hours": {
 		"one": "%d saat önce",
-		"other": "%d saat önce"
+		"other": "%d saatler önce"
 	},
 	"relativetime.days": {
 		"one": "%d gün önce",
-		"other": "%d gün önce"
+		"other": "%d günler önce"
 	},
 	"relativetime.weeks": {
 		"one": "%d hafta önce",
-		"other": "%d hafta önce"
+		"other": "%d haftalar önce"
 	},
 	"relativetime.months": {
 		"one": "%d ay önce",
-		"other": "%d ay önce"
+		"other": "%d aylar önce"
 	},
 	"relativetime.years": {
 		"one": "%d yıl önce",
-		"other": "%d yıl önce"
+		"other": "%d yıllar önce"
 	},
 	"repo.settings.push_mirror.branch_filter.label": "Dal süzgeci (isteğe bağlı)",
 	"repo.settings.push_mirror.branch_filter.description": "Yansıtılıcak dallar. Tüm dalları yansıtmak için boş bırakın. Sözdizimi için <a href=\"%[1]s\">$[2]s dokümantasyonuna</a> başvurun. Örneğin: <code>main, release/*</code>",
@@ -348,21 +348,21 @@
 	"error.must_enable_2fa": "Bu Forgejo oluşumu, kullanıcıların hesaplarına erişebilmek için iki aşamalı girişi etkinleştirmelerini zorunlu kılıyor. Etkinleştirmek için: %s",
 	"avatar.constraints_hint": "Özel profil resmi, boyut olarak %[1]s ve piksel olarak %[2]dx%[3]d sınırını aşmamalı",
 	"user.ghost.tooltip": "Bu kullanıcı ya silinmiş ya da bulunamadı.",
-	"og.repo.summary_card.alt_description": "%[1]s deposunun -%[2]s açıklamalı- özet kartı",
+	"og.repo.summary_card.alt_description": "%[1]s deposunun özet kartı; açıklaması: %[2]s",
 	"repo.commit.load_tags_failed": "Etiketlerin yüklenmesi dahili bir hata sebebiyle başarısız oldu",
 	"compare.branches.title": "Dalları karşılaştır",
 	"migrate.pagure.description": "pagure.io veya diğer Pagure oluşumlarından veri aktar.",
-	"migrate.pagure.incorrect_url": "Kaynak depo URL'si yanlış verilmiş",
-	"migrate.pagure.project_url": "Pagure proje URL'si",
-	"migrate.pagure.project_example": "Pagure proje URL'si, örneğin: https://pagure.io/pagure",
-	"migrate.pagure.token_label": "Pagure API Jetonu",
+	"migrate.pagure.incorrect_url": "Hatalı kaynak deposu URL'si girilmiş",
+	"migrate.pagure.project_url": "Pagure projesinin URL'si",
+	"migrate.pagure.project_example": "Pagure projesinin URL'si, örneğin https://pagure.io/pagure",
+	"migrate.pagure.token_label": "Pagure API Jetonu(Token)",
 	"migrate.pagure.private_issues.summary": "Gizli Sorunlar (İsteğe Bağlı)",
-	"migrate.pagure.private_issues.description": "Bu özellik, Pagure projenizdeki gizli sorunları arşivlemek amacıyla onları ikinci bir depoya saklamak için tasarlandı. Öncelikle herkese açık olan tüm içerikleri içe aktarmak için normal bir aktarma yapın (jetonsuz). Sonrasında korumak istediğiniz gizli sorunlar var ise onları arşivlemek için bu jeton ayarını kullanarak ayrı bir depo oluşturun.",
-	"migrate.pagure.private_issues.warning": "Eğer gizli sorunları içe aktarmak için API anahtarı kullanıyorsanız yukarıda depo görünürlüğünü Gizli'ye alın. Bu, gizli içeriklerin kazara herkese açık bir depoda ifşa olmasını önler.",
-	"migrate.pagure.token.placeholder": "Sadece gizli sorunlar arşivi oluşturmak için",
+	"migrate.pagure.private_issues.description": "Bu özellik, arşivleme amacıyla Pagure projenizdeki yalnızca gizli sorunları içeren ikinci bir depo oluşturmak üzere tasarlanmıştır. Öncelikle, tüm genel içeriği içe aktarmak için (jeton(token) kullanmadan) normal bir aktarım işlemi gerçekleştirin. Ardından, saklamak istediğiniz özel sorunlar varsa, bu özel sorunları arşivlemek için bu jeton(token) seçeneğini kullanarak ayrı bir depo oluşturun.",
+	"migrate.pagure.private_issues.warning": "Özel sorunları içe aktarmak için API anahtarını kullanıyorsanız, yukarıdaki depo görünürlüğünü mutlaka \"Gizli\" olarak ayarlayın. Bu, gizli (ya da özel) içeriğin yanlışlıkla genel bir depoda ifşa edilmesini önler.",
+	"migrate.pagure.token.placeholder": "Yalnızca gizli sorun arşivi oluşturmak için",
 	"release.n_downloads": {
-		"one": "%s indirme",
-		"other": "%s indirme"
+		"one": "indirme sayısı %s",
+		"other": "İndirmelerin sayısı %s"
 	},
 	"actions.runs.run_attempt_label": "Çalıştırma girişimi #%[1]s (%[2]s)",
 	"actions.runs.viewing_out_of_date_run": "Bu işin %[1]s çalışmış olan eski bir çalıştırmasını görüntülüyorsun.",
@@ -405,14 +405,14 @@
 	"actions.runners.labels": "Etiketler",
 	"actions.runners.last_online": "Son Görülme Zamanı",
 	"actions.runners.runner_title": "Çalıştırıcı %s",
-	"actions.runners.task_list.no_tasks": "Henüz bir görev yok.",
+	"actions.runners.task_list.no_tasks": "Henüz bir takım görevler yok.",
 	"actions.runners.task_list.run": "Çalıştır",
 	"actions.runners.task_list.status": "Durum",
 	"actions.runners.task_list.repository": "Depo",
 	"actions.runners.task_list.commit": "İşle",
 	"actions.runners.task_list.done_at": "Tamamlanma zamanı",
-	"actions.runners.update_runner.success": "Çalıştırıcı başarıyla güncellendi",
-	"actions.runners.update_runner.failed": "Çalıştırıcı güncellenemedi",
+	"actions.runners.update_runner.success": "Çalıştırıcı başarıyla düzenlendi",
+	"actions.runners.update_runner.failed": "Çalıştırıcı düzenlenemedi",
 	"actions.runners.delete_runner.success": "Çalıştırıcı başarıyla silindi",
 	"actions.runners.delete_runner.failed": "Çalıştırıcı silinemedi",
 	"actions.runners.delete_runner.header": "Çalıştırıcıyı silmeyi onaylayın",
@@ -422,5 +422,241 @@
 	"actions.runners.reset_registration_token.success": "Çalıştırıcı kayıt belirteci başarıyla sıfırlandı",
 	"teams.add_all_repos.modal.header": "Tüm depoları ekle",
 	"teams.remove_all_repos.modal.header": "Tüm depoları kaldır",
-	"meta.last_line": "Steve Jobs ile Nejat İşler'in kardeş olduğunu biliyor muydunuz."
+	"meta.last_line": "Steve Jobs ile Nejat İşler'in kardeş olduğunu biliyor muydunuz.",
+	"repo.issues.filter_poster.hint": "Yazara göre filtrele",
+	"repo.issues.filter_assignee.hint": "Atanan kullanıcıya göre filtrele",
+	"repo.issues.filter_reviewers.hint": "Yorum yapan kullanıcıya göre filtrele",
+	"repo.issues.filter_mention.hint": "Bahsedilen kullanıcıya göre filtrele",
+	"repo.issues.filter_modified.hint": "Son değiştirilme tarihine göre filtrele",
+	"repo.issues.filter_sort.hint_with_placeholder": "Sıralama: %s",
+	"issues.filters.labels.exclude": "Etiketi hariç tut",
+	"issues.filters.labels.unexclude": "Kesin olarak hariç tut",
+	"repo.pulls.auto_merge.no_permission": "Bu çekme isteğinin otomatik birleştirilmesini iptal etme izniniz yok.",
+	"repo.pulls.poster_manage_approval": "Onay Yönetimi",
+	"repo.pulls.poster_requires_approval": "Bazı iş akışları <a href=\"%[1]s\">incelenmeyi bekliyor</a>.",
+	"repo.pulls.poster_requires_approval.tooltip": "Bu çekme isteğinin yazarı, çatallanmış bir depodan oluşturulan veya AGit ile oluşturulan bir çekme isteği tarafından tetiklenen iş akışlarını çalıştırma konusunda güvenilir bulunmamaktadır. `pull_request` olayıyla tetiklenen iş akışları, onaylanana kadar çalıştırılmayacaktır.",
+	"repo.pulls.poster_is_trusted": "Bu çekme isteği'nin yazarı <a href=\"%[1]s\">her zaman güvenilir kabul edilir, workflows</a>iş akışlarını çalıştırma konusunda.",
+	"repo.pulls.poster_is_trusted.tooltip": "Bu çekme isteğinin yazarı, `pull_request` olayları tarafından tetiklenen iş akışlarını çalıştırma konusunda açıkça güvenilir kabul edilmektedir.",
+	"repo.pulls.poster_trust_deny": "Reddet (Kabul etme)",
+	"repo.pulls.poster_trust_deny.tooltip": "Onay bekleyen iş akışları iptal edilecektir.",
+	"repo.pulls.poster_trust_once": "Tek seferlik onayla",
+	"repo.pulls.poster_trust_once.tooltip": "Bir `pull_request` olayıyla tetiklenen iş akışları bu commit üzerinde çalışacak, ancak bu pull request'e gönderilecek tüm gelecekteki commit'ler için onaylanması gerekecektir.",
+	"repo.pulls.poster_trust_always": "Her zaman onayla",
+	"repo.pulls.poster_trust_always.tooltip": "Bir `pull_request` olayıyla tetiklenen iş akışları bu commit üzerinde çalışacak ve bu pull request'ten veya aynı kullanıcı tarafından oluşturulan gelecekteki pull request'lerden gelen çalıştırmaları onaylamaya gerek kalmayacaktır.",
+	"repo.pulls.poster_trust_revoke": "Geri al",
+	"repo.pulls.poster_trust_revoke.tooltip": "Bu çekme isteğinin yazarı, artık `pull_request` olayıyla tetiklenen iş akışlarını çalıştırma konusunda güvenilir kabul edilmeyecek; her çalıştırma işlemi manuel olarak onaylanmalıdır.",
+	"repo.view.gitmodules_too_large": ".gitmodules dosyası çok büyük ve (örneğin API çağrılarında) göz ardı edilecektir",
+	"migrate.select.title": "Depoyu taşı",
+	"search.syntax": "Arama sözdizimi",
+	"search.fuzzy": "Bulanık(belirsiz)",
+	"search.fuzzy_tooltip": "\"Sonuçları dahil et\" seçeneği, arama terimiyle yaklaşık eşleşmeleri gösterir",
+	"install.ssh_authorized_keys_inspection_error": "Mevcut authorized_keys dosyası incelenemedi: %v",
+	"install.ssh_authorized_keys_unexpected_key": "Forgejo için SSH'yi etkinleştirmek, mevcut SSH anahtarlarını içeren %s konumundaki dosyayla çakışıyor. Öneriler: Forgejo için ayrı bir sistem kullanıcısı oluşturun veya SSH'yi devre dışı bırakın.",
+	"keys.verify.token.hint": "Bu jeton(token) sadece 1 dakika geçerlidir. <a href=\"%[1]s\">Süresi dolduysa yenisini alın</a>.",
+	"admin.federation.federation": "Federasyon(Birlik)",
+	"admin.federation.hosts": "Ev sahipleri",
+	"admin.federation.hosts.title": "Federasyon Barındırıcıları(host)",
+	"admin.federation.hosts.manage_panel": "Federasyon Barındırıcılarını(host) Yönet",
+	"admin.federation.hosts.details_panel": "Federasyon barındırıcı (host) bilgileri",
+	"admin.federation.hosts.show_details": "Barındırıcının(host) ayrıntılarını göster",
+	"admin.federation.host.id": "Kimliği(ID)",
+	"admin.federation.host.fqdn": "Tam Etki Alanı Adı(FQDN)",
+	"admin.federation.host.schema": "Şema",
+	"admin.federation.host.port": "Bağlantı Noktası(Port)",
+	"admin.federation.host.software_name": "Yazılım",
+	"admin.federation.host.created": "Yaratıldı",
+	"admin.federation.host.updated": "Güncellendi",
+	"admin.federation.host.latest_activity": "Son etkinlikler(akvititeler)",
+	"admin.federation.users": "Kullanıcılar",
+	"admin.federation.users.title": "Birleşik(Federe) kullanıcılar",
+	"admin.federation.users.manage_panel": "Birleşik(Federe) Kullanıcıları Yönet",
+	"admin.federation.users.show_local_user": "Yerel(lokal) kullanıcının detaylarını göster",
+	"admin.federation.user.id": "Kullanıcı Kimliği(ID)",
+	"admin.federation.user.user_id": "Yerel(lokal) Kullanıcı Kimliği(ID)",
+	"admin.federation.user.external_id": "Harici Kullanıcı Kimliği(ID)",
+	"admin.federation.user.inbox_path": "Gelen kutusu yolu",
+	"admin.config.federation": "Birlik(Federasyon) yapılandırması",
+	"admin.config.federation.enabled": "Etkin(Aktif)",
+	"admin.config.federation.share_user_statistics": "Kullanıcı istatistiklerini diğer barındırıcılarla(host) paylaş",
+	"admin.config.federation.max_size": "İzin verilen maksimum yanıt boyutu",
+	"admin.config.federation.signature_enforced": "HTTP imzalarını zorunlu kıl",
+	"admin.config.federation.signature_algorithms": "İmza algoritmaları",
+	"admin.config.federation.digest_algorithm": "İmza özet algoritması",
+	"admin.config.federation.get_headers": "İmzalı GET başlıkları",
+	"admin.config.federation.post_headers": "İmzalı POST başlıkları",
+	"moderation.report.mark_as_handled": "\"Çözüldü\" olarak işaretle",
+	"moderation.report.mark_as_ignored": "\"Yoksay\" olarak işaretle",
+	"moderation.action.account.delete": "Hesabı sil",
+	"moderation.action.account.suspend": "Hesabı askıya al",
+	"moderation.action.repo.delete": "Depoyu sil",
+	"moderation.action.issue.delete": "Sorunu sil",
+	"moderation.action.comment.delete": "Yorumu sil",
+	"moderation.unknown_action": "Bilinmeyen eylem",
+	"moderation.users.cannot_suspend_self": "Kendinizi askıya alamazsınız.",
+	"moderation.users.cannot_suspend_admins": "Yönetici ayrıcalıklarına sahip kullanıcılar askıya alınamaz.",
+	"moderation.users.cannot_suspend_org": "Kuruluşlar(Organizasyonlar) askıya alınamaz.",
+	"moderation.users.already_suspended": "Kullanıcı hesabı zaten askıya alınmış durumda.",
+	"moderation.users.suspend_success": "Kullanıcı hesabı askıya alındı.",
+	"moderation.users.cannot_delete_admins": "Yönetici ayrıcalıklarına sahip kullanıcılar silinemez.",
+	"moderation.issue.deletion_success": "Bu Sorun silindi.",
+	"moderation.comment.deletion_success": "Yorum silindi.",
+	"admin.dashboard.actions_action_user": "Etkin olmayan kullanıcılar için Forgejo Actions güvenini iptal et",
+	"admin.dashboard.transfer_lingering_logs": "Tamamlanan işlerin eylem günlüklerini veritabanından depolama alanına aktarın",
+	"settings.specific_repo_access": "Depoya erişim",
+	"settings.new_access_token": "Yeni erişim jetonu(token)",
+	"settings.permissions_access_specific_repositories": "Belirli depolar",
+	"settings.access_token.selected_repositories": {
+		"one": "Seçilen depo (%d)",
+		"other": "Seçilen depolar (%d)"
+	},
+	"settings.access_token.available_repositories": "Kullanılabilir depolar",
+	"settings.access_token.no_repositories_selected": "Hiçbir depo seçilmedi.",
+	"settings.access_token.no_repositories_found": "Herhangi bir depo bulunamadı.",
+	"settings.access_token.remove": "%s'yi kaldır",
+	"settings.access_token.resource_all_help": "Tüm kaynaklara erişime izin ver.",
+	"settings.access_token.resource_public_only_help": "Herkese açık depolara ve kuruluşlara(organizasyonlara) erişimi sınırlayın.",
+	"settings.access_token.resource_specific_repo_help": "Belirli bir depo listesine erişimi sınırlayın. Tüm genel depolara salt okunur erişim izni verilir. Yalnızca depolara ve sorunlara erişim izni veren izinler etkinleştirilebilir.",
+	"settings.access_token.admin_disabled": "Yönetici izinleri devre dışı bırakılmıştır.",
+	"user.activitypub_feed.feed": "Fediverse(Birlik-Evreni) Akışı",
+	"user.activitypub_feed.no_activity": "Fediverse(Birlik-Evreni) etkinliği(aktivitesi) yok",
+	"user.activitypub_feed.is_empty": "Senin Fediverse(Birlik-Evreni) akışın boş.",
+	"user.activitypub_feed.hint": "Bu akış, takip ettiğiniz Fediverse(Birlik-Evreni) hesaplarının etkinliklerini ve adınızın geçtiği federasyon gönderilerini gösterir.",
+	"user.activitypub_feed.posted_on": "%[1] ’de yayınlandı",
+	"user.activitypub_feed.original_source": "Köken(Orijinal) kaynak",
+	"packages.search_in_external_registry": "%s içinde ara",
+	"packages.common.install": "Paketi yüklemek için aşağıdaki komutu çalıştırın:",
+	"packages.common.registry": "Bu kayıt defterini komut satırından kurun:",
+	"packages.common.repository": "Depo bilgisi",
+	"packages.arch.pacman.helper.gpg": "pacman için güven sertifikası ekleyin:",
+	"packages.arch.pacman.repo.multi": "%s ’nin farklı dağıtımlarda aynı sürümü bulunmaktadır.",
+	"packages.arch.pacman.repo.multi.item": "%s için yapılandır",
+	"packages.arch.pacman.conf": "İlgili dağıtım ve mimariye sahip sunucuyu <code>/etc/pacman.conf</code> ’a ekleyin:",
+	"packages.arch.pacman.sync": "Şu paketi pacman ile senkronize et:",
+	"packages.arch.version.properties": "Sürüm özellikleri",
+	"packages.arch.version.description": "Açıklama",
+	"packages.arch.version.provides": "Temin eder",
+	"packages.arch.version.groups": "Topluluk",
+	"packages.arch.version.optdepends": "İsteğe bağlı bağımlılıklar",
+	"packages.arch.version.makedepends": "Bağımlılıkları oluştur",
+	"packages.arch.version.checkdepends": "Bağımlılıkları kontrol et",
+	"packages.arch.version.conflicts": "Anlaşmazlıklar",
+	"packages.arch.version.replaces": "Değiştirir",
+	"packages.arch.version.backup": "Yedekle",
+	"packages.container.images.title": "Görüntüler",
+	"packages.alt.install": "Paketi yükle",
+	"packages.alt.setup": "Bağlı depolar listesine bir depo ekleyin (\"_arch_\" yerine gerekli mimariyi seçin):",
+	"packages.alt.repository.architectures": "Mimariler",
+	"packages.alt.repository.multiple_groups": "Bu paket çeşitli gruplarda mevcuttur.",
+	"packages.owner.settings.cargo.rebuild.no_index": "Yeniden derlenemiyor, hiçbir dizin başlatılmamış.",
+	"access_token.error.specified_repos_none": "Belirtilen depolara sahip erişim jetonları’nda(token) en az bir depo bulunmalıdır.",
+	"access_token.error.specified_repos_and_public_only": "Belirtilen depolara sahip erişim jetonları(token’lar), sadece-herkese-açık kapsamıyla birleştirilemez.",
+	"access_token.error.specified_repos_and_invalid_scope": "Belirtilen depolara sahip erişim jetonları yalnızca read:issue, write:issue, read:repository ve write:repository kapsamlarıyla kullanılabilir.",
+	"actions.status.diagnostics.waiting": {
+		"one": "Aşağıdaki etikete sahip bir koşucu bekleniyor: %s",
+		"other": "Aşağıdaki etiketlere sahip bir koşucu bekleniyor: %s"
+	},
+	"actions.runners.uuid": "Evrensel Benzersiz Kimlik Tanımlayıcı(UUID)",
+	"actions.runners.token": "Jeton(Token)",
+	"actions.runners.ephemeral": "Geçici",
+	"actions.runners.version": "Sürümü",
+	"actions.runners.list_runners.edit_column": "Düzenle",
+	"actions.runners.list_runners.delete_column": "Silin",
+	"actions.runners.list_runners.delete_button": "Silin",
+	"actions.runners.list_runners.delete_button_aria": "%s ’i sil",
+	"actions.runners.list_runners.edit_button": "Düzelt",
+	"actions.runners.list_runners.edit_button_aria": "%s ’i düzelt",
+	"actions.runners.ephemeral.yes": "evet",
+	"actions.runners.ephemeral.no": "hayır",
+	"actions.runners.task_list_repo": "Bu çalıştırıcıdaki bu deponun görevlerini yeniden düzenle",
+	"actions.runners.task_list_org": "Bu kuruluşun(organizasyonun) bu çalıştırıcısındaki görevleri yeniden düzenle",
+	"actions.runners.task_list_admin": "Bu iş parçacığındaki son görevler",
+	"actions.runners.task_list_user": "Bu kullanıcının bu çalıştırıcıdaki son görevleri",
+	"actions.runners.edit_runner_button": "Koşucuyu(runner) düzenle",
+	"actions.runners.create_runner.page_title": "Yeni koşucu(runner) oluştur",
+	"issues.updated": "güncellenenler %s",
+	"actions.runners.create_runner.title": "Yeni çalıştırıcı oluştur",
+	"actions.runners.create_runner.properties_fieldset": "Özellikler",
+	"actions.runners.create_runner.name_label": "Adı",
+	"actions.runners.create_runner.description_label": "Açıklamasının",
+	"actions.runners.create_runner.create_button": "Yarat",
+	"actions.runners.create_runner.cancel_button": "İptal et",
+	"actions.runners.edit_runner.page_title": "%s çalıştırıcısını düzenle",
+	"actions.runners.edit_runner.title": "%s çalıştırıcısını düzenle",
+	"actions.runners.edit_runner.properties_fieldset": "Özellikler",
+	"actions.runners.edit_runner.properties_options": "Seçenekler",
+	"actions.runners.edit_runner.name_label": "Adı",
+	"actions.runners.edit_runner.description_label": "Açıklama",
+	"actions.runners.edit_runner.regenerate_token_label": "Jeton’u(token) yeniden oluştur",
+	"actions.runners.edit_runner.regenerate_token_help": "Mevcut jeton(token) hemen geçersiz hale getirilecektir. Bir sonraki sayfada yeni bir jeton(token) alacaksınız.",
+	"actions.runners.edit_runner.save_button": "Kaydet",
+	"actions.runners.edit_runner.cancel_button": "İptal et",
+	"actions.runners.runner_setup.title": "%s çalıştırıcısını belirleyin",
+	"actions.runners.show_registration_token": "Kayıt jetonunu(token) göster",
+	"actions.runners.runner_details.page_title": "%s çalıştırıcısı",
+	"actions.runners.runner_details.labels_note": "Çalıştırıcı'nın etiketleri, Forgejo Runner(Çalıştırıcısı)'ın yapılandırma dosyasında tanımlanır veya komut satırı seçeneği olarak geçirilir. Forgejo Runner, Forgejo ile her bağlantı kurduğunda bu etiketler güncellenir.",
+	"actions.runners.runner_setup.page_title": "%s çalıştırıcısını belirleyin",
+	"actions.runners.runner_setup.list_of_runners_link": "Çalıştırıcılar Listesi",
+	"actions.runners.runner_setup.last_chance_copying_token": "Jetonu(token’ı) şimdi kopyalayın, çünkü bir daha göremeyeceksiniz!",
+	"actions.runners.runner_setup.button_copy_uuid_aria": "Çalıştırıcı UUID'sini kopyalayın",
+	"actions.runners.runner_setup.button_copy_token_aria": "Çalıştırıcı jetonunu(token'ını) kopyalayın",
+	"actions.runners.runner_setup.heading_using_configuration": "Çalıştırıcının yapılandırma dosyasını kullanın",
+	"actions.runners.runner_setup.configuration_snippet_aria": "Çalıştırıcının yapılandırmasına eklenecek kod parçacığı",
+	"actions.runners.runner_setup.program_options_snippet_aria": "forgejo-runner nasıl çağrılır",
+	"actions.runners.runner_setup.instruction_replace_connection_name": "Bağlantı adını (<code>forgejo</code> örneğindeki) istediğiniz bir değerle değiştirin.",
+	"actions.runners.runner_setup.heading_using_options": "Program seçeneklerini kullan",
+	"actions.runners.runner_setup.instruction_advanced_configurations": "Konteynerlerde çalışan Forgejo Runner'ı yapılandırmak veya gelişmiş yapılandırmalar hakkında bilgi almak için <a href=\"%s\">documentation</a> 'a bakın.",
+	"actions.runners.reset_registration_token.token": "Kayıt Jeton(Token)'u (Kullanımdan kaldırıldı)",
+	"actions.runs.scheduled_description": "<a href=\"%[1]s\">%[2]s</a> değişikliğin (commit'in) planlanmış çalıştırılması",
+	"actions.runs.workflow_dispatch_description": "<a href=\"%[3]s\">%[4]s</a> tarafından tetiklenen <a href=\"%[1]s\">%[2]s</a> değişikliğini(commit'i) çalıştır",
+	"actions.runs.on_push_description": "<a href=\"%[1]s\">%[2]s</a> değişikliği(commit'i) <a href=\"%[3]s\">%[4]s</a> tarafından aktarıldı(itildi)",
+	"actions.runs.workflow": "İş akışı",
+	"actions.runs.all_runs_link": "tüm çalıştırmalar",
+	"actions.workflow.persistent_incomplete_matrix": "Geçersiz bir `needs` ifadesi nedeniyle %[1]s işinin `strategy.matrix` öğesi değerlendirilemedi. Bu ifade, 'needs' listesinde bulunmayan bir işi (%[2]s) veya bu işlerden birinde mevcut olmayan bir çıktıyı referans alıyor olabilir.",
+	"actions.workflow.incomplete_matrix_missing_job": "%[1]s işinin `strategy.matrix` öğesi değerlendirilemiyor: %[2]s işi, %[1]s (%[3]s) işinin `needs` listesinde yer almıyor.",
+	"actions.workflow.incomplete_matrix_missing_output": "%[1]s işinin `strategy.matrix` öğesi değerlendirilemiyor: %[2]s işinde %[3]s çıktısı eksik.",
+	"actions.workflow.incomplete_matrix_unknown_cause": "%[1]s işinin `strategy.matrix` öğesi değerlendirilemedi: bilinmeyen bir hata.",
+	"actions.workflow.incomplete_runson_missing_job": "%[1]s işinin `runs-on` öğesi değerlendirilemiyor: %[2]s işi, %[1]s (%[3]s) işinin `needs` listesinde yer almıyor.",
+	"actions.workflow.incomplete_runson_missing_output": "%[1]s işinin `runs-on` değeri değerlendirilemiyor: %[2]s işinde %[3]s çıktısı eksik.",
+	"actions.workflow.incomplete_runson_missing_matrix_dimension": "%[1]s işinin `runs-on` değeri değerlendirilemiyor: %[2]s boyutlu matris mevcut değil.",
+	"actions.workflow.incomplete_runson_unknown_cause": "%[1]s işinin `runs-on` değeri değerlendirilemedi: bilinmeyen bir hata.",
+	"actions.workflow.incomplete_with_missing_job": "%[1]s işinin `with` koşulu değerlendirilemedi: %[2]s işi, %[1]s (%[3]s) işinin `needs` listesinde yer almıyor.",
+	"actions.workflow.incomplete_with_missing_output": "%[1]s işinin `with` komutu değerlendirilemiyor: %[2]s işinde %[3]s çıktısı eksik.",
+	"actions.workflow.incomplete_with_missing_matrix_dimension": "%[1]s işinin `with` ifadesi değerlendirilemiyor: %[2]s boyutunda bir matris mevcut değil.",
+	"actions.workflow.incomplete_with_unknown_cause": "%[1]s işinin `with` komutu değerlendirilemedi: bilinmeyen bir hata.",
+	"actions.workflow.unknown_job_in_needs": "%[1]s ID'li iş, `needs` içindeki bilinmeyen işlere atıfta bulunuyor: %[2]s.",
+	"actions.workflow.rerun_impossible": "İş akışı yeniden çalıştırılamaz.",
+	"actions.workflow.job_rerun_impossible": "İş yeniden çalıştırılamaz.",
+	"actions.secrets.creation.name_description": "Bir gizli bilginin adı yalnızca harfler, rakamlar ve alt çizgilerden oluşabilir. Ad, FORGEJO_, GITEA_, GITHUB_ veya bir rakamla başlayamaz. Forgejo, adı otomatik olarak büyük harfe dönüştürür.",
+	"actions.secrets.creation.value_description": "Bir gizli bilginin değeri herhangi bir metin olabilir. Özel karakterler korunur. CRLF (Windows tarzı satır sonları) otomatik olarak LF'ye dönüştürülür. Satır sonlarının korunması gerekiyorsa, değeri Base64 ile kodlayın.",
+	"actions.variables.mutation.name_description": "Bir değişkenin adı yalnızca harfler, rakamlar ve alt çizgilerden oluşabilir. Adı CI olamaz veya FORGEJO_, GITEA_, GITHUB_ ya da bir rakamla başlayamaz. Forgejo, adı otomatik olarak büyük harfe dönüştürür.",
+	"actions.variables.mutation.value_description": "Bir değişken'in değeri herhangi bir metin olabilir. Özel karakterler korunur. CRLF (Windows tarzı satır sonları) otomatik olarak LF'ye dönüştürülür. Satır sonlarının korunması gerekiyorsa, değeri Base64 ile kodlayın.",
+	"actions.secrets.edit_button": "\"%s\" gizli bilgisini düzenle",
+	"actions.secrets.mutation.header": "\"%s\" gizli bilgisini düzenle",
+	"actions.secrets.mutation.success_message": "\"%s\" gizli bilgisi güncellendi.",
+	"actions.secrets.mutation.failure_message": "\"%s\" gizli bilgisi güncellenemedi.",
+	"actions.secrets.mutation.name_description": "Bir gizli bilginin adı yalnızca harfler, rakamlar ve alt çizgilerden oluşabilir. Ad, FORGEJO_, GITEA_, GITHUB_ veya bir rakamla başlayamaz. Forgejo, adı otomatik olarak büyük harfe dönüştürür.",
+	"actions.secrets.mutation.value_description": "Mevcut değer gösterilmeyecektir. Değiştirmek istemiyorsanız alanı boş bırakın. Özel karakterler korunur. CRLF (Windows tarzı satır sonları) otomatik olarak LF'ye dönüştürülür. Satır sonlarının korunması gerekiyorsa değeri Base64 ile kodlayın.",
+	"members.add_member": "Üye ekle",
+	"members.user": "Kullanıcı",
+	"members.user_already_member": "Bu kullanıcı zaten kuruluşun(organizasyonun) bir üyesidir.",
+	"members.no_team_selected": "Kuruluş(organizasyon) üyeleri en az bir takıma üye olmalıdır.",
+	"pulls.manual_merge.helper": "Elle(manuel) birleştirme yardımcısı",
+	"pulls.manual_merge.helpder.description": "Birleştirme işlemini kendiniz elle(manuel olarak) tamamlarken bu birleştirmenin değişiklik(commit) mesajını kullanın.",
+	"pulls.manual_merge.commit.title": "Birleştirme değişikliğinin(commit'in) başlığı",
+	"pulls.manual_merge.commit.body": "Birleştirme değişikliğinin(commit'in) içeriği",
+	"pulls.manual_merge.copy.button": "Birleştirme değişikliği(commit'i) mesajını kopyala",
+	"admin.auths.oauth2_quota_group_claim_name": "Kota yönetimi için bu kaynağa ilişkin topluluk adlarını belirten bir ad tanımlayın. (İsteğe bağlı)",
+	"admin.auths.oauth2_quota_group_map": "Kümeleri kota kümelerine eşleştirin. (İsteğe bağlı – yukarıda bir eşleştirme adı belirtilmelidir)",
+	"admin.auths.oauth2_quota_group_map_removal": "Kullanıcı ilgili kümeye dahil değilse, senkronize edilen kota kümelerinden kullanıcıları kaldırın.",
+	"editor.search": "Ara",
+	"editor.find_previous": "Önceki bulgu",
+	"editor.find_next": "Sonraki bulgu",
+	"editor.replace": "Yer değiştir",
+	"editor.replace_all": "Tümünü yer değiştir",
+	"editor.toggle_case": "Büyük/küçük harf duyarlılığını aç/kapat",
+	"editor.toggle_regex": "Düzenli ifadeler kullanma özelliğini aç/kapat",
+	"editor.toggle_whole_word": "Tam kelime eşleştirme özelliğini aç/kapat",
+	"form.RunnerName": "Adı",
+	"graphs.recent_commits.title": "Geçtiğimiz yılki değişiklik(commit) sayısı",
+	"graphs.code_frequency.title": "{0} yıllık tarih boyunca kod sıklığı"
 }
diff --git a/options/locale_next/locale_uk-UA.json b/options/locale_next/locale_uk-UA.json
index ba1b832e4c..343490ec2e 100644
--- a/options/locale_next/locale_uk-UA.json
+++ b/options/locale_next/locale_uk-UA.json
@@ -563,8 +563,6 @@
 	"actions.runners.create_runner.description_label": "Опис",
 	"actions.runners.edit_runner.description_label": "Опис",
 	"actions.runners.runner_details.page_title": "Ранер %s",
-	"actions.runners.list_runners.details_column": "Подробиці",
-	"actions.runners.list_runners.details_button": "Подробиці",
 	"actions.runners.list_runners.edit_column": "Редагувати",
 	"actions.runners.list_runners.edit_button": "Редагувати",
 	"actions.runners.list_runners.edit_button_aria": "Редагувати %s",
@@ -592,7 +590,6 @@
 	"actions.runners.runner_setup.list_of_runners_link": "Список ранерів",
 	"actions.runners.runner_setup.button_copy_uuid_aria": "Копіювати UUID ранера",
 	"actions.runners.runner_setup.button_copy_token_aria": "Копіювати токен ранера",
-	"actions.runners.list_runners.details_button_aria": "Показати дані про %s",
 	"actions.runners.runner_setup.title": "Налаштувати ранер %s",
 	"actions.runners.runner_setup.page_title": "Налаштувати ранер %s",
 	"actions.runners.edit_runner.regenerate_token_help": "Існуючий токен негайно втратить чинність. Ви отримаєте новий токен на наступній сторінці.",
@@ -663,23 +660,27 @@
 	"actions.workflow.rerun_impossible": "Робочий потік неможливо перезапустити.",
 	"actions.workflow.job_rerun_impossible": "Завдання неможливо перезапустити.",
 	"actions.workflow.unknown_job_in_needs": "Завдання з ID %[1]s посилається на невідомі завдання в `needs`: %[2]s.",
-	"admin.config.federation.digest_algorithm": "Алгоритм контрольної суми підпису",
+	"admin.config.federation.digest_algorithm": "Алгоритм хешування для підписів",
 	"admin.config.federation.max_size": "Максимальний розмір відповіді",
 	"admin.config.federation.share_user_statistics": "Ділитися статистикою користувачів з іншими хостами",
 	"admin.federation.user.inbox_path": "Шлях до вхідних",
 	"admin.federation.hosts.manage_panel": "Керування хостами федерації",
-	"admin.federation.hosts.details_panel": "Інформація про хост",
+	"admin.federation.hosts.details_panel": "Інформація про хост федерації",
 	"admin.federation.hosts.show_details": "Показати дані про хост",
-	"admin.federation.users.show_local_user": "Показати дані про локальних користувачів",
+	"admin.federation.users.show_local_user": "Показати дані про локального користувача",
 	"admin.federation.host.latest_activity": "Остання активність",
 	"admin.federation.users.title": "Користувачі федерації",
 	"admin.federation.users.manage_panel": "Керування користувачами федерації",
-	"admin.federation.user.user_id": "Локальний ID користувача",
-	"admin.federation.user.external_id": "Зовнішній ID користувача",
+	"admin.federation.user.user_id": "ID локального користувача",
+	"admin.federation.user.external_id": "ID зовнішнього користувача",
 	"user.activitypub_feed.feed": "Стрічка Федісвіту",
 	"user.activitypub_feed.posted_on": "Опубліковано %[1]s",
 	"user.activitypub_feed.no_activity": "Немає подій Федісвіту",
 	"user.activitypub_feed.is_empty": "Ваша стрічка Федісвіту порожня.",
 	"user.activitypub_feed.original_source": "Першоджерело",
-	"user.activitypub_feed.hint": "У цій стрічці відображається діяльність облікових записів Федісвіту, на які ви підписані, а також федеративні публікації, в яких вас згадано."
+	"user.activitypub_feed.hint": "У цій стрічці відображається діяльність облікових записів Федісвіту, на які ви підписані, а також федеративні публікації, в яких вас згадано.",
+	"repo.files.filename": "Назва файлу",
+	"repo.files.last_commit_message": "Повідомлення останнього коміту",
+	"repo.files.last_commit_date": "Дата останнього коміту",
+	"repo.files.caption": "Файли репозиторію (спочатку останній коміт)"
 }
diff --git a/options/locale_next/locale_zh-CN.json b/options/locale_next/locale_zh-CN.json
index 68a5344621..2f5cce7bb0 100644
--- a/options/locale_next/locale_zh-CN.json
+++ b/options/locale_next/locale_zh-CN.json
@@ -274,7 +274,7 @@
 	"admin.auths.allow_username_change.description": "允许用户在个人设置中更改用户名",
 	"admin.moderation.moderation_reports": "举报",
 	"admin.moderation.reports": "举报",
-	"admin.moderation.no_open_reports": "目前没有打开的举报。",
+	"admin.moderation.no_open_reports": "暂无开启中的举报。",
 	"admin.moderation.deleted_content_ref": "类型为%[1]v、ID为%[2]d的举报不存在",
 	"repo.commit.load_tags_failed": "由于内部错误，无法加载标签",
 	"admin.auths.allow_username_change": "允许更改用户名",
@@ -484,11 +484,8 @@
 	"actions.runners.uuid": "UUID",
 	"actions.runners.token": "令牌",
 	"actions.runners.ephemeral": "一次性",
-	"actions.runners.list_runners.details_column": "详情",
 	"actions.runners.list_runners.edit_column": "编辑",
 	"actions.runners.list_runners.delete_column": "删除",
-	"actions.runners.list_runners.details_button": "详情",
-	"actions.runners.list_runners.details_button_aria": "显示%s的细节",
 	"actions.runners.list_runners.delete_button": "删除",
 	"actions.runners.list_runners.delete_button_aria": "删除%s",
 	"actions.runners.list_runners.edit_button": "编辑",
@@ -560,5 +557,50 @@
 	"members.user": "用户",
 	"members.user_already_member": "该用户已是组织成员。",
 	"members.no_team_selected": "组织成员至少要属于一个团队。",
-	"migrate.select.title": "迁移仓库"
+	"migrate.select.title": "迁移仓库",
+	"admin.federation.federation": "联邦",
+	"admin.federation.hosts": "主机",
+	"admin.federation.hosts.title": "联邦主机",
+	"admin.federation.hosts.manage_panel": "管理联邦主机",
+	"admin.federation.hosts.details_panel": "联邦主机信息",
+	"admin.federation.hosts.show_details": "显示主机信息",
+	"admin.federation.host.id": "ID",
+	"admin.federation.host.fqdn": "FQDN",
+	"admin.federation.host.schema": "方案",
+	"admin.federation.host.port": "端口",
+	"admin.federation.host.software_name": "软件",
+	"admin.federation.host.created": "创建时间",
+	"admin.federation.host.updated": "更新时间",
+	"admin.federation.host.latest_activity": "最后活动时间",
+	"admin.federation.users": "用户数",
+	"admin.federation.users.title": "联合的用户",
+	"admin.federation.users.manage_panel": "管理联合的用户",
+	"admin.federation.users.show_local_user": "显示本地用户信息",
+	"admin.federation.user.id": "ID",
+	"admin.federation.user.user_id": "本地用户ID",
+	"admin.federation.user.external_id": "外部用户ID",
+	"admin.federation.user.inbox_path": "收件箱路径",
+	"admin.config.federation": "联邦配置",
+	"admin.config.federation.enabled": "启用",
+	"admin.config.federation.share_user_statistics": "与其他主机共享用户统计信息",
+	"admin.config.federation.max_size": "允许的最大响应大小",
+	"admin.config.federation.signature_enforced": "强制要求HTTP签名",
+	"admin.config.federation.signature_algorithms": "签名算法",
+	"admin.config.federation.digest_algorithm": "签名摘要算法",
+	"admin.config.federation.get_headers": "GET请求中要签名的请求头",
+	"admin.config.federation.post_headers": "POST请求中要签名的请求头",
+	"user.activitypub_feed.feed": "联邦订阅源",
+	"user.activitypub_feed.no_activity": "没有联邦活动",
+	"user.activitypub_feed.is_empty": "你的联邦订阅源是空的。",
+	"user.activitypub_feed.hint": "此订阅源展示你关注的联邦账户的活动和提到你的联邦活动。",
+	"user.activitypub_feed.posted_on": "发布于%[1]s",
+	"user.activitypub_feed.original_source": "原始来源",
+	"actions.runners.version": "版本",
+	"actions.workflow.unknown_job_in_needs": "ID为“%[1]s”的任务在`needs`中引用了未知任务“%[2]s”。",
+	"actions.workflow.rerun_impossible": "工作流无法重新运行。",
+	"actions.workflow.job_rerun_impossible": "任务无法重新运行。",
+	"repo.files.caption": "仓库文件（优先显示最新提交）",
+	"repo.files.filename": "文件名",
+	"repo.files.last_commit_message": "最新提交消息",
+	"repo.files.last_commit_date": "最新提交日期"
 }

From 90c4397d5792cfb306776b7c7635ecf53f9da38a Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 27 Apr 2026 14:58:51 +0200
Subject: [PATCH 176/287] Update renovate Docker tag to v43.141.6 (forgejo)
 (#12278)

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index c744077a56..99aaaac8d8 100644
--- a/Makefile
+++ b/Makefile
@@ -48,7 +48,7 @@ GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasour
 DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.44.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
 GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.132.1 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+RENOVATE_NPM_PACKAGE ?= renovate@43.141.6 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...

From f05ff7ec5b312aae314197d67d306241125364c6 Mon Sep 17 00:00:00 2001
From: 0ko <0ko@noreply.codeberg.org>
Date: Mon, 27 Apr 2026 16:07:51 +0200
Subject: [PATCH 177/287] chore(i18n): move 89 strings to JSON (#12280)

Previous similar PR: https://codeberg.org/forgejo/forgejo/pulls/11879.

Moved strings from INI to JSON. Some directly, some with keys updated to be consistent. The latter was done carefully, making sure all usages are updated, and was tested locally.

There are more deletions than insertions because some languages also had some extra empty lines removed.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12280
Reviewed-by: Robert Wolff <mahlzahn@posteo.de>
---
 options/locale/locale_ar.ini            |  36 ---------
 options/locale/locale_bg.ini            |  30 -------
 options/locale/locale_ca.ini            |  71 +----------------
 options/locale/locale_cs-CZ.ini         |  91 ---------------------
 options/locale/locale_da.ini            |  89 ---------------------
 options/locale/locale_de-DE.ini         |  90 ---------------------
 options/locale/locale_el-GR.ini         |  90 ---------------------
 options/locale/locale_en-US.ini         | 102 ++----------------------
 options/locale/locale_eo.ini            |  20 +----
 options/locale/locale_es-ES.ini         |  90 ---------------------
 options/locale/locale_et.ini            |  17 ----
 options/locale/locale_eu.ini            |  12 ---
 options/locale/locale_fa-IR.ini         |  80 -------------------
 options/locale/locale_fi-FI.ini         |  79 ------------------
 options/locale/locale_fil.ini           |  89 ---------------------
 options/locale/locale_fr-FR.ini         |  90 ---------------------
 options/locale/locale_ga-IE.ini         |  89 ---------------------
 options/locale/locale_gl.ini            |  12 ---
 options/locale/locale_he.ini            |  12 ---
 options/locale/locale_hi.ini            |  12 ---
 options/locale/locale_hu-HU.ini         |  48 -----------
 options/locale/locale_id-ID.ini         |  92 ---------------------
 options/locale/locale_is-IS.ini         |  29 -------
 options/locale/locale_it-IT.ini         |  92 ---------------------
 options/locale/locale_ja-JP.ini         |  90 ---------------------
 options/locale/locale_ka.ini            |  10 ---
 options/locale/locale_kab.ini           |   5 --
 options/locale/locale_ko-KR.ini         |  48 -----------
 options/locale/locale_kw.ini            |  15 ----
 options/locale/locale_lt.ini            |  13 ---
 options/locale/locale_lv-LV.ini         |  90 ---------------------
 options/locale/locale_mk.ini            |  15 ----
 options/locale/locale_nb_NO.ini         |  12 ---
 options/locale/locale_nds.ini           |  89 ---------------------
 options/locale/locale_nl-NL.ini         |  95 ----------------------
 options/locale/locale_pl-PL.ini         |  91 ---------------------
 options/locale/locale_pt-BR.ini         |  91 ---------------------
 options/locale/locale_pt-PT.ini         |  90 ---------------------
 options/locale/locale_ro.ini            |  12 ---
 options/locale/locale_ru-RU.ini         |  90 ---------------------
 options/locale/locale_si-LK.ini         |  55 -------------
 options/locale/locale_sk-SK.ini         |  12 ---
 options/locale/locale_sl.ini            |  12 ---
 options/locale/locale_sr-SP.ini         |  44 ----------
 options/locale/locale_sv-SE.ini         |  97 +---------------------
 options/locale/locale_ta.ini            |  89 ---------------------
 options/locale/locale_th.ini            |  89 ---------------------
 options/locale/locale_tr-TR.ini         |  86 --------------------
 options/locale/locale_uk-UA.ini         |  91 ---------------------
 options/locale/locale_vi.ini            |  12 ---
 options/locale/locale_zh-CN.ini         |  90 ---------------------
 options/locale/locale_zh-HK.ini         |  42 ----------
 options/locale/locale_zh-TW.ini         |  93 ---------------------
 options/locale_next/locale_ar.json      |  36 +++++++++
 options/locale_next/locale_bg.json      |  30 +++++++
 options/locale_next/locale_ca.json      |  69 ++++++++++++++++
 options/locale_next/locale_cs-CZ.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_da.json      |  89 +++++++++++++++++++++
 options/locale_next/locale_de-DE.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_el-GR.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_en-US.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_eo.json      |  18 +++++
 options/locale_next/locale_es-ES.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_et.json      |  17 ++++
 options/locale_next/locale_eu.json      |  12 +++
 options/locale_next/locale_fa-IR.json   |  75 +++++++++++++++++
 options/locale_next/locale_fi-FI.json   |  76 ++++++++++++++++++
 options/locale_next/locale_fil.json     |  89 +++++++++++++++++++++
 options/locale_next/locale_fr-FR.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_ga.json      |  89 +++++++++++++++++++++
 options/locale_next/locale_gl.json      |  12 +++
 options/locale_next/locale_he.json      |  12 +++
 options/locale_next/locale_hi.json      |  12 +++
 options/locale_next/locale_hu-HU.json   |  45 +++++++++++
 options/locale_next/locale_id-ID.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_is-IS.json   |  26 ++++++
 options/locale_next/locale_it-IT.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_ja-JP.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_ka.json      |  10 +++
 options/locale_next/locale_kab.json     |   5 ++
 options/locale_next/locale_ko-KR.json   |  45 +++++++++++
 options/locale_next/locale_kw.json      |  12 +++
 options/locale_next/locale_lt.json      |  13 +++
 options/locale_next/locale_lv-LV.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_mk.json      |  12 +++
 options/locale_next/locale_nb_NO.json   |  12 +++
 options/locale_next/locale_nds.json     |  89 +++++++++++++++++++++
 options/locale_next/locale_nl-NL.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_pl-PL.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_pt-BR.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_pt-PT.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_ro.json      |  12 +++
 options/locale_next/locale_ru-RU.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_si-LK.json   |  53 ++++++++++++
 options/locale_next/locale_sk-SK.json   |  12 +++
 options/locale_next/locale_sl.json      |  12 +++
 options/locale_next/locale_sr-SP.json   |  38 +++++++++
 options/locale_next/locale_sv-SE.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_ta.json      |  89 +++++++++++++++++++++
 options/locale_next/locale_th.json      |  89 +++++++++++++++++++++
 options/locale_next/locale_tr-TR.json   |  85 ++++++++++++++++++++
 options/locale_next/locale_uk-UA.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_vi.json      |  12 +++
 options/locale_next/locale_zh-CN.json   |  89 +++++++++++++++++++++
 options/locale_next/locale_zh-HK.json   |  39 +++++++++
 options/locale_next/locale_zh-TW.json   |  89 +++++++++++++++++++++
 routers/web/admin/queue.go              |   2 +-
 templates/admin/queue_manage.tmpl       |   2 +-
 templates/admin/system_status.tmpl      |  56 ++++++-------
 templates/user/auth/webauthn.tmpl       |   8 +-
 templates/user/auth/webauthn_error.tmpl |  16 ++--
 111 files changed, 3087 insertions(+), 3164 deletions(-)

diff --git a/options/locale/locale_ar.ini b/options/locale/locale_ar.ini
index 9d719a4e5e..587ec0490c 100644
--- a/options/locale/locale_ar.ini
+++ b/options/locale/locale_ar.ini
@@ -1,9 +1,7 @@
 [common]
 language = لغة
 passcode = رمز المرور
-webauthn_error_timeout = طال وقت الوصول قبل أن يُقرأ مفتاحك. من فضلك أعد تحميل الصفحة وحاول مجدداً.
 cancel = ألغِ
-webauthn_sign_in = اضغط الزر على مفتاحك الأمني إذا لم يكن لدى مفتاح الأمن الخاص بك أي زر، إعادة تشغيله.
 captcha = كابتشا
 create_new = أنشئ…
 preview = عاين
@@ -22,7 +20,6 @@ mirrors = المرايا
 explore = إكتشف
 return_to_forgejo = العودة إلى فورجيو
 write = اكتب
-webauthn_error_unknown = حدث خطأ غير معروف. من فضلك حاول مجدداً.
 twofa = المصادقة الثنائية
 version = الإصدار
 copy_success = تم النسخ!
@@ -30,14 +27,12 @@ help = مساعدة
 loading = جارٍ التحميل…
 copy_type_unsupported = هذا النوع من الملفات لا يمكن نسخه
 pin = ثبّت
-webauthn_error_empty = يلزم أن تضع اسم لهذا المفتاح.
 confirm_delete_selected = تأكيد حذف جميع العناصر المحددة؟
 name = الاسم
 artifacts = الآثار
 sign_in_or = أو
 show_log_seconds = إظهار الثواني
 show_full_screen = املأ الشاشة
-webauthn_use_twofa = استخدم رمز المصادقة الموجود على هاتفك
 unpin = ألغِ التثبيت
 edit = حرر
 concept_code_repository = المستودع
@@ -60,12 +55,10 @@ admin_panel = إدارة الموقع
 copy_error = فشل النسخ
 new_mirror = مرآة جديدة
 re_type = تأكيد كلمة المرور
-webauthn_unsupported_browser = متصفحك لا يدعم ويب آوثن حالياً.
 copy = انسخ
 enabled = مُفَعَّل
 rerun = أعِد التشغيل
 milestones = أهداف
-webauthn_error_insecure = ويب آوثن يدعم فقط الاتصالات الآمنة. للاختبار على HTTP، يمكنك استخدام "localhost" أو "127.0.0.1"
 show_timestamps = إظهار الطوابع الزمنية
 rss_feed = موجز RSS
 never = أبدًا
@@ -79,7 +72,6 @@ sources = المصادر
 notifications = التنبيهات
 pull_requests = طلبات السحب
 repository = مستودع
-webauthn_error = تعذر قراءة مفتاحك الأمني.
 add_all = أضف الكل
 new_fork = اشتقاق جديد لمستودع
 new_project_column = عمود جديد
@@ -89,17 +81,13 @@ organization = منظمة
 save = احفظ
 sign_in_with_provider = سجل الدخول بـ %s
 ok = وافق
-webauthn_error_unable_to_process = الخادم لا يمكنه معالجة طلبك.
 register = سجل
 mirror = مرآة
 username = إسم المستخدم
 access_token = رمز الوصول
 download_logs = تنزيل السجلات
-webauthn_insert_key = أدخل مفتاحك الأمني
 password = كلمة المرور
-webauthn_error_duplicated = المفتاح الأمني غير مسموح له هذا الطلب. يرجى التأكد من أن المفتاح غير مسجل بالفعل.
 template = قالب
-webauthn_press_button = من فضلك اضغط الزر على مفتاحك الأمني…
 unknown = مجهول
 signed_in_as = مسجل كـ
 sign_up = سجل
@@ -1825,7 +1813,6 @@ dashboard.sync_repo_tags = زامن الوسوم من بيانات جِت إلى
 self_check = فحص ذاتي
 self_check.database_collation_case_insensitive = تستخدم قاعدة البيانات تجميع %s ، وهو تجميع غير حساس. على الرغم من أن فورجيو يمكن أن يعمل معها قد تكون هناك حالات نادرة لا تعمل كما هو متوقع.
 monitor.process.cancel_desc = قد يسبب إلغاء العملية فقدانًا للبيانات
-monitor.queue.type = النوع
 monitor.process.cancel_notices = أتريد إلغاء: <strong>%s</strong>؟
 dashboard.operations = عمليات الصيانة
 repositories = المستودعات
@@ -1836,7 +1823,6 @@ monitor.desc = الوصف
 monitor.start = وقت البدء
 dashboard.system_status = حالة النظام
 dashboard.delete_generated_repository_avatars = احذف الصورة الرمزية المولّدة للمستودع
-monitor.queue.name = الاسم
 monitor.process.cancel = ألغِ العملية
 monitor.last_execution_result = النتيجة
 users = حسابات المستخدمين
@@ -1845,14 +1831,11 @@ dashboard.operation_name = اسم العملية
 notices.type_1 = المستودع
 notices.desc = الوصف
 notices.type = النوع
-monitor.queue.settings.submit = حدّث الإعدادات
-monitor.queue.settings.changed = تم تحديث الإعدادات
 auths.security_protocol = بروتوكول الأمان
 auths.port = المنفذ
 auths.attribute_username_placeholder = اتركه فارغاً لاستخدام اسم المستخدم المُدخل في فورجيو.
 auths.host = المضيف
 auths.domain = النطاق
-users.list_status_filter.is_restricted = مقيَّد
 users.reserved = محجوز
 systemhooks.add_webhook = إضافة خطاف ويب النظام
 repos.owner = المالك
@@ -1880,7 +1863,6 @@ auths.type = النوع
 users.purge_help = حذف مستخدم بالقوة وكل مستودعاته ومنظماته وحزمه. كل تعليقاته والمسائل التي أنشأها ستُحذف أيضا.
 users.admin = المدير
 emails.email_manage_panel = إدارة بريد المستخدم
-users.list_status_filter.not_restricted = غير مقيد
 users.name = اسم المستخدم
 packages.repository = المستودع
 orgs.teams = الفِرق
@@ -1898,18 +1880,14 @@ packages.package_manage_panel = إدارة الحزم
 auths.auth_name = اسم الاستيثاق
 users.details = تفاصيل المستخدم
 orgs.name = الاسم
-users.list_status_filter.is_active = مفعّل
 users.repos = المستودعات
 defaulthooks.update_webhook = تحديث خطاف الويب المبدئي
 users.allow_git_hook = يستطيع عمل خطاطيف جت
 users.password_helper = اترك كلمة المرور فارغة لإبقائها بلا تغيير.
 dashboard.update_checker = فاحص التحديث
-users.list_status_filter.not_active = معطّل
 users.update_profile = حدّث حساب المستخدم
-users.list_status_filter.not_admin = غير مدير
 systemhooks = خطاطيف ويب النظام
 users.never_login = لم يلج قَط
-users.list_status_filter.is_admin = مدير
 users.allow_create_organization = يستطيع إنشاء منظمات
 users.restricted = مقيَّد
 users.delete_account = احذف حساب المستخدم
@@ -2058,23 +2036,9 @@ relevant_repositories = يتم اظهار المستودعات المتعلقة
 code_last_indexed_at = فُهرس آخر مرة %s
 
 [actions]
-variables.none = لا توجد متغيرات بعد.
-variables.deletion = أزل المتغير
-variables.creation = أضف متغيرا
-variables.management = إدارة المتغيرات
-variables = المتغيرات
-variables.deletion.description = إزالة المتغيرات عملية نهائية لا يمكن التراجع عنها. أتريد الاستمرار؟
 runs.empty_commit_message = (رسالة إيداع فارغة)
-variables.edit = عدّل المتغير
-variables.update.success = عُدِّل المتغير.
-variables.update.failed = فشل تعديل المتغير.
-variables.deletion.failed = فشل حذف المتغير.
-variables.creation.failed = فشل إضافة المتغير.
-variables.creation.success = تم إضافة المتغير "%s".
-variables.deletion.success = تم حذف المتغير.
 variables.id_not_exist = المتغير ذو المعرّف %d ليس موجودا.
 unit.desc = أدر الإجراءات
-variables.description = تمرر المتغيرات إلى إجراءات معينة ولا يمكن قراءتها بطريقة أخرى.
 
 [modal]
 no = لا
diff --git a/options/locale/locale_bg.ini b/options/locale/locale_bg.ini
index be9ef509d7..7e931f061d 100644
--- a/options/locale/locale_bg.ini
+++ b/options/locale/locale_bg.ini
@@ -111,8 +111,6 @@ toggle_menu = Превключване на менюто
 confirm_delete_artifact = Сигурни ли сте, че искате да изтриете артефакта „%s“?
 more_items = Още елементи
 twofa_scratch = Резервен код за двуфакторно удостоверяване
-webauthn_use_twofa = Използвайте двуфакторен код от телефона си
-webauthn_error_insecure = WebAuthn поддържа само сигурни връзки. За тестване през HTTP можете да използвате произход „localhost“ или „127.0.0.1“
 error413 = Изчерпали сте квотата си.
 go_back = Връщане
 invalid_data = Невалидни данни: %v
@@ -123,19 +121,9 @@ show_full_screen = Показване на цял екран
 show_timestamps = Показване на времеви отпечатъци
 rerun = Повторно изпълнение
 copy_type_unsupported = Този тип файл не може да бъде копиран
-webauthn_error_unknown = Възникна неизвестна грешка. Моля, опитайте отново.
-webauthn_error_unable_to_process = Сървърът не можа да обработи заявката ви.
-webauthn_error_empty = Трябва да зададете име за този ключ.
-webauthn_error_timeout = Времето за изчакване изтече преди ключът ви да бъде прочетен. Моля, презаредете страницата и опитайте отново.
 return_to_forgejo = Връщане към Forgejo
 unknown = Неизвестно
 confirm_delete_selected = Потвърждавате ли изтриването на всички избрани елементи?
-webauthn_insert_key = Поставете вашия ключ за сигурност
-webauthn_press_button = Моля, натиснете бутона на вашия ключ за сигурност…
-webauthn_sign_in = Натиснете бутона на вашия ключ за сигурност. Ако ключът ви за сигурност няма бутон, поставете го отново.
-webauthn_error = Неуспешно прочитане на вашия ключ за сигурност.
-webauthn_unsupported_browser = Вашият браузър в момента не поддържа WebAuthn.
-webauthn_error_duplicated = Ключът за сигурност не е разрешен за тази заявка. Моля, уверете се, че ключът не е вече регистриран.
 tracked_time_summary = Обобщение на проследеното време въз основа на филтрите в списъка със задачи
 active_stopwatch = Активен тракер за време
 access_token = Токен за достъп
@@ -2160,7 +2148,6 @@ auths.port = Порт
 auths.type = Тип
 config.ssh_config = SSH конфигурация
 monitor.stats = Статистика
-monitor.queue = Опашка: %s
 config = Конфигурация
 config.mailer_user = Потребител
 config.enable_captcha = Включване на CAPTCHA
@@ -2170,7 +2157,6 @@ config.git_config = Git конфигурация
 config.mailer_protocol = Протокол
 users.bot = Бот
 config.db_path = Път
-monitor.queues = Опашки
 config.server_config = Сървърна конфигурация
 packages.size = Размер
 settings = Админ. настройки
@@ -2195,7 +2181,6 @@ packages.total_size = Общ размер: %s
 dashboard.new_version_hint = Forgejo %s вече е наличен, вие изпълнявате %s. Проверете <a target="_blank" rel="noreferrer" href="%s">блога</a> за повече подробности.
 total = Общо: %d
 config.db_type = Тип
-monitor.queue.type = Тип
 notices.type = Тип
 users.prohibit_login = Замразен акаунт
 
@@ -2436,20 +2421,7 @@ relevant_repositories = Показани са само подходящи хра
 relevant_repositories_tooltip = Хранилищата, които са разклонения или нямат тема, икона или описание, са скрити.
 
 [actions]
-variables = Променливи
-variables.none = Все още няма променливи.
-variables.creation.failed = Неуспешно добавяне на променлива.
-variables.update.failed = Неуспешно редактиране на променлива.
-variables.creation.success = Променливата „%s“ е добавена.
-variables.deletion.success = Променливата е премахната.
-variables.edit = Редактиране на променливата
-variables.deletion = Премахване на променливата
-variables.update.success = Променливата е редактирана.
-variables.creation = Добавяне на променлива
-variables.deletion.failed = Неуспешно премахване на променлива.
 runs.no_workflows.help_no_write_access = За да научите повече за Forgejo Actions, вижте <a target="_blank" rel="noopener noreferrer" href="%s">документацията</a>.
-variables.management = Управление на променливи
-variables.not_found = Променливата не е открита.
 variables.id_not_exist = Променлива с идентификатор %d не съществува.
 unit.desc = Управление на интегрирани CI/CD pipelines с Forgejo Actions.
 
@@ -2515,8 +2487,6 @@ type_tooltip = Тип търсене
 runner_kind = Търсене на изпълнители…
 
 [markup]
-filepreview.lines = Редове от %[1]d до %[2]d в %[3]s
-filepreview.line = Ред %[1]d в %[2]s
 
 [munits.data]
 
diff --git a/options/locale/locale_ca.ini b/options/locale/locale_ca.ini
index c18b662900..fc77e81569 100644
--- a/options/locale/locale_ca.ini
+++ b/options/locale/locale_ca.ini
@@ -37,17 +37,6 @@ captcha = CAPTCHA
 twofa = Autenticació de doble factor
 twofa_scratch = Codi de rascar de doble-factor
 passcode = Codi de pas
-webauthn_insert_key = Inseriu la vostra clau de seguretat
-webauthn_sign_in = Premeu el botó a la vostra clau de seguretat. Si no en té, torneu-la a inserir.
-webauthn_press_button = Si us plau, premeu el botó a la vostra clau de seguretat…
-webauthn_use_twofa = Utilitza un codi de doble factor des del teu mòbil
-webauthn_error = No s'ha pogut llegir la clau de seguretat.
-webauthn_unsupported_browser = El teu navegador no suprta WebAuthn.
-webauthn_error_unknown = Hi ha hagut un error desconegut. Si us plau torneu-ho a intentar.
-webauthn_error_insecure = WebAuthn només suporta connexions segures. Per provar sobre HTTP, podeu utilitzar l'origen "localhost" o "127.0.0.1"
-webauthn_error_unable_to_process = El servidor no ha pogut processar la vostra sol·licitud.
-webauthn_error_duplicated = La clau de seguretat no és permesa per aquesta sol·licitud. Si us plau, assegureu-vos que la clau encara no ha estat registrada.
-webauthn_error_empty = S'ha d'anomenar aquesta clau.
 repository = Repositori
 organization = Organització
 mirror = Mirall
@@ -85,7 +74,6 @@ disabled = Deshabilitat
 filter.public = Públic
 filter.private = Privat
 show_full_screen = Mostra a pantalla completa
-webauthn_error_timeout = Temps d'espera finalitzar abans que la seva clau pogués ser llegida. Siusplau recarregueu la pàgina i torneu-ho a intentar.
 remove_label_str = Esborra l'element "%s"
 error413 = Ha exhaurit la quota.
 cancel = Canceŀlar
@@ -2638,9 +2626,6 @@ normal_file = Fitxer normal
 directory = Directori
 
 [markup]
-filepreview.truncated = La vista prèvia s'ha truncat
-filepreview.line = Línia %[1]d a %[2]s
-filepreview.lines = Línies %[1]d a %[2]d en %[3]s
 
 [translation_meta]
 test = Aquest és un text de prova. No es mostra a l'interfície d'usuari de Forgejo, però s'utilitza amb finalitats de prova. Pots introduir "d'acord" per a estalviar temps (o alguna frase divertida al teu gust) i arribar a la dolça fita del 100% :)
@@ -2758,7 +2743,6 @@ dashboard.delete_missing_repos = Suprimir tots els repositoris que no tinguin el
 dashboard.delete_missing_repos.started = S'ha iniciat la tasca per suprimir tots els repositoris que no tinguin els fitxers de Git.
 dashboard.update_mirrors = Actualitzar les rèpliques
 dashboard.archive_cleanup = Suprimir els arxius de repositori antics
-dashboard.memory_allocate_times = Assignacions de memòria
 orgs.name = Nom
 orgs.teams = Equips
 repos.name = Nom
@@ -2768,9 +2752,7 @@ auths.name = Nom
 config.db_name = Nom
 config.mailer_name = Nom
 monitor.name = Nom
-monitor.queue.name = Nom
 notices.type = Tipus
-monitor.queue.type = Tipus
 config.db_type = Tipus
 auths.type = Tipus
 packages.type = Tipus
@@ -2796,7 +2778,6 @@ users.activated = Activat
 emails.activated = Activat
 emails.filter_sort.email = Correu electrònic
 users.admin = Administrador
-users.list_status_filter.is_admin = Administrador
 notices.desc = Descripció
 packages.name = Nom
 packages.version = Versió
@@ -2854,30 +2835,6 @@ dashboard.sync_external_users = Sincronitzar dades d'usuari externes
 dashboard.cleanup_hook_task_table = Netejar la taula hook_task
 dashboard.cleanup_packages = Netejar paquets caducats
 dashboard.cleanup_actions = Netejar registres i artefactes d'accions caducats
-dashboard.server_uptime = Temps de funcionament del servidor
-dashboard.current_goroutine = Goroutines actuals
-dashboard.current_memory_usage = Ús de memòria actual
-dashboard.total_memory_allocated = Total de memòria adjudicada
-dashboard.memory_obtained = Memòria rebuda
-dashboard.pointer_lookup_times = Temps de consulta dels punters
-dashboard.memory_free_times = Alliberaments de memòria
-dashboard.current_heap_usage = Ús del heap actual
-dashboard.heap_memory_obtained = Memòria de heap rebuda
-dashboard.heap_memory_idle = Memòria del heap en repòs
-dashboard.heap_memory_in_use = Memòria del heap en ús
-dashboard.heap_memory_released = Memòria del heap alliberada
-dashboard.heap_objects = Objectes del heap
-dashboard.bootstrap_stack_usage = Ús de l'arrancada de la pila (stack)
-dashboard.stack_memory_obtained = Memòria de la pila (stack) rebuda
-dashboard.mspan_structures_usage = Ús de les estructures MSpan
-dashboard.mspan_structures_obtained = Estructures MSpan rebudes
-dashboard.mcache_structures_usage = Ús de les estructures MCache
-dashboard.mcache_structures_obtained = Estructures MCache rebudes
-dashboard.gc_metadata_obtained = Metadades del GC rebudes
-dashboard.next_gc_recycle = Proper cicle de GC
-dashboard.last_gc_time = Temps des del darrer GC
-dashboard.total_gc_pause = Pausa total de GC
-dashboard.last_gc_pause = Darrera pausa de GC
 dashboard.delete_old_actions = Eliminar totes les activitats antigues de la base de dades
 dashboard.delete_old_actions.started = Eliminar totes les activitats antigues des que s'ha iniciat la base de dades.
 dashboard.delete_old_system_notices = Eliminar totes les notificacions de sistema antigues de la base de dades
@@ -2934,15 +2891,6 @@ users.purge = Purgar usuari
 users.purge_help = Elimina forçosament l'usuari i tots els seus repositoris, organitzacions i paquets. També s'eliminaran tots els seus comentaris i incidències.
 users.still_own_packages = Aquest usuari encara té un o més paquets. Elimineu-los abans.
 users.deletion_success = S'ha eliminat l'usuari.
-users.list_status_filter.menu_text = Filtrar
-users.list_status_filter.reset = Restaurar
-users.list_status_filter.is_active = Actiu
-users.list_status_filter.not_active = Inactiu
-users.list_status_filter.not_admin = No administrador
-users.list_status_filter.is_restricted = Restringit
-users.list_status_filter.not_restricted = No restringit
-users.list_status_filter.is_prohibit_login = Inici de sessió prohibit
-users.list_status_filter.not_prohibit_login = Inici de sessió permès
 users.details = Detalls d'usuari
 emails.email_manage_panel = Gestionar correus d'usuari
 emails.primary = Principal
@@ -3122,7 +3070,7 @@ config.send_test_mail = Envia un correu de prova
 config.send_test_mail_submit = Envia
 config.test_mail_failed = No s'ha pogut enviar el correu de prova a "%s": %v
 config.test_mail_sent = S'ha enviat un correu de prova a "%s".
-config.cache_config =
+config.cache_config = 
 config.cache_adapter =Adaptador de la memòria cau
 config.cache_interval =Interval de la memòria cau
 config.cache_conn =Connexió de la memòria cau
@@ -3144,8 +3092,6 @@ config.enable_federated_avatar = Habilita els avatars federats
 dashboard.operation_switch = Intercanvia
 users.2fa = A2F
 users.reset_2fa = Restableix l'A2F
-users.list_status_filter.is_2fa_enabled = A2F activada
-users.list_status_filter.not_2fa_enabled = A2F desactivada
 auths.group_search_base = DN base de cerca de grup
 auths.group_attribute_list_users = Atribut de grup amb la llista d'usuaris
 auths.user_attribute_in_group = Atribut d'usuari llistat en el grup
@@ -3168,21 +3114,6 @@ auths.tip.openid_connect = Usa l'URL d'OpenID Connect Discovery (<server>/.well-
 dashboard.update_checker = Comprovador d'actualització
 
 [actions]
-variables = Variables
-variables.management = Gestionar variables
-variables.creation = Afegir variables
-variables.none = Encara no hi ha variables.
-variables.deletion = Eliminar variable
-variables.deletion.description = Eliminar una variable és permanent i no es pot desfer. Continua?
-variables.description = Les variables es passaran a certes accions i no es poden llegir altrament.
-variables.edit = Editar variable
-variables.not_found = No s'ha trobat la variable.
-variables.deletion.failed = No s'ha pogut eliminar la variable.
-variables.deletion.success = S'ha canviar el nom de la variable.
-variables.creation.failed = No s'ha pogut afegir la variable.
-variables.creation.success = S'ha afegit la variable "%s".
-variables.update.failed = No s'ha pogut editar la variable.
-variables.update.success = S'ha editat la variable.
 runs.no_workflows.help_write_access = No sabeu com començar amb Forgejo Actions? Feu un cop d'ull als <a target="_blank" rel="noopener noreferrer" href="%s">primers passos a la documentació d'usuari</a> per escriure el vostre primer flux de treball, llavors <a target="_blank" rel="noopener noreferrer" href="%s">configureu un runner Forgejo</a> per a executar els vostres treballs.
 runs.no_workflows.help_no_write_access = Per saber-ne més sobre Forgejo Actions, vegeu <a target="_blank" rel="noopener noreferrer" href="%s">la documentació</a>.
 
diff --git a/options/locale/locale_cs-CZ.ini b/options/locale/locale_cs-CZ.ini
index ef5c1ff762..95457b6dcb 100644
--- a/options/locale/locale_cs-CZ.ini
+++ b/options/locale/locale_cs-CZ.ini
@@ -37,18 +37,6 @@ twofa=Dvoufázové ověření
 twofa_scratch=Dvoufaktorový kód
 passcode=Přístupový kód
 
-webauthn_insert_key=Vložte svůj bezpečnostní klíč
-webauthn_sign_in=Stiskněte tlačítko na svém bezpečnostním klíči. Pokud bezpečnostní klíč nemá žádné tlačítko, vložte jej znovu.
-webauthn_press_button=Stiskněte tlačítko na bezpečnostním klíči…
-webauthn_use_twofa=Použít dvoufaktorový kód z vašeho telefonu
-webauthn_error=Nepodařilo se přečíst váš bezpečnostní klíč.
-webauthn_unsupported_browser=Váš prohlížeč momentálně nepodporuje WebAuthn.
-webauthn_error_unknown=Došlo k neznámé chybě. Opakujte akci.
-webauthn_error_insecure=WebAuthn podporuje pouze zabezpečená připojení. Pro testování přes HTTP můžete použít výchozí „localhost“ nebo „127.0.0.1“
-webauthn_error_unable_to_process=Server nemohl zpracovat váš požadavek.
-webauthn_error_duplicated=Bezpečnostní klíč není pro tento požadavek povolen. Ujistěte se prosím, zda klíč již není registrován.
-webauthn_error_empty=Musíte nastavit název tohoto klíče.
-webauthn_error_timeout=Požadavek vypršel dříve, než se podařilo přečíst váš klíč. Znovu načtěte tuto stránku a akci opakujte.
 repository=Repozitář
 organization=Organizace
 mirror=Zrcadlo
@@ -2935,34 +2923,6 @@ dashboard.reinit_missing_repos=Znovu inicializovat všechny chybějící repozit
 dashboard.sync_external_users=Synchronizovat externí uživatelská data
 dashboard.cleanup_hook_task_table=Vyčistit tabulku hook_task
 dashboard.cleanup_packages=Vyčistit prošlé balíčky
-dashboard.server_uptime=Doba provozu serveru
-dashboard.current_goroutine=Aktuální goroutines
-dashboard.current_memory_usage=Aktuální využití paměti
-dashboard.total_memory_allocated=Celková přidělená paměť
-dashboard.memory_obtained=Získaná paměť
-dashboard.pointer_lookup_times=Časy vyhledávání ukazatelů
-dashboard.memory_allocate_times=Alokace paměti
-dashboard.memory_free_times=Uvolnění paměti
-dashboard.current_heap_usage=Aktuální využití paměti zásobníku
-dashboard.heap_memory_obtained=Získaná paměť zásobníku
-dashboard.heap_memory_idle=Nečinná paměť zásobníku
-dashboard.heap_memory_in_use=Používaná paměť zásobníku
-dashboard.heap_memory_released=Uvolněná paměť zásobníku
-dashboard.heap_objects=Objekty zásobníku
-dashboard.bootstrap_stack_usage=Využití zásobníku prvotního zavedení
-dashboard.stack_memory_obtained=Celková získaná pamět zásobníku
-dashboard.mspan_structures_usage=Užití struktur MSpan
-dashboard.mspan_structures_obtained=Získané struktury MSpan
-dashboard.mcache_structures_usage=Využití struktur MCache
-dashboard.mcache_structures_obtained=Získané struktury MCache
-dashboard.profiling_bucket_hash_table_obtained=Získaná profilovací bucket hash tabulka
-dashboard.gc_metadata_obtained=Získaná metadata GC
-dashboard.other_system_allocation_obtained=Získaná alokace ostatních systémových prostředků
-dashboard.next_gc_recycle=Příští recyklace GC
-dashboard.last_gc_time=Doba od posledního GC
-dashboard.total_gc_pause=Celková pauza GC
-dashboard.last_gc_pause=Poslední pauza GC
-dashboard.gc_times=Časy GC
 dashboard.delete_old_actions=Odstranit všechny staré aktivity z databáze
 dashboard.delete_old_actions.started=Spuštěno odstraňování všech starých aktivit z databáze.
 dashboard.update_checker=Kontrola aktualizací
@@ -3019,18 +2979,6 @@ users.purge_help=Vynuceně odstranit uživatele a všechny repositáře, organiz
 users.still_own_packages=Tento uživatel stále vlastní jeden nebo více balíčků, nejprve odstraňte tyto balíčky.
 users.deletion_success=Uživatelský účet byl smazán.
 users.reset_2fa=Resetovat 2FA
-users.list_status_filter.menu_text=Filtr
-users.list_status_filter.reset=Obnovit
-users.list_status_filter.is_active=Aktivní
-users.list_status_filter.not_active=Neaktivní
-users.list_status_filter.is_admin=Administrátor
-users.list_status_filter.not_admin=Není administrátor
-users.list_status_filter.is_restricted=Omezeno
-users.list_status_filter.not_restricted=Není omezen
-users.list_status_filter.is_prohibit_login=Zakázat přihlášení
-users.list_status_filter.not_prohibit_login=Povolit přihlášení
-users.list_status_filter.is_2fa_enabled=2FA povoleno
-users.list_status_filter.not_2fa_enabled=2FA zakázáno
 users.details=Podrobnosti o uživateli
 
 emails.email_manage_panel=Správa uživatelských e-mailů
@@ -3344,24 +3292,6 @@ monitor.process.cancel_desc=Zrušení procesu může způsobit ztrátu dat
 monitor.process.cancel_notices=Zrušit: <strong>%s</strong>?
 monitor.process.children=Potomek
 
-monitor.queues=Fronty
-monitor.queue=Fronta: %s
-monitor.queue.name=Název
-monitor.queue.type=Typ
-monitor.queue.exemplar=Typ vzoru
-monitor.queue.numberworkers=Počet workerů
-monitor.queue.maxnumberworkers=Maximální počet workerů
-monitor.queue.numberinqueue=Číslo ve frontě
-monitor.queue.review_add=Posoudit / přidat workery
-monitor.queue.settings.title=Nastavení poolu
-monitor.queue.settings.maxnumberworkers=Maximální počet workerů
-monitor.queue.settings.maxnumberworkers.placeholder=V současné době %[1]d
-monitor.queue.settings.maxnumberworkers.error=Maximální počet workerů musí být číslo
-monitor.queue.settings.submit=Upravit nastavení
-monitor.queue.settings.changed=Nastavení upravena
-monitor.queue.settings.remove_all_items=Odstranit vše
-monitor.queue.settings.remove_all_items_done=Všechny položky ve frontě byly odstraněny.
-
 notices.system_notice_list=Systémová oznámení
 notices.view_detail_header=Podrobnosti oznámení
 notices.operations=Operace
@@ -3377,7 +3307,6 @@ notices.desc=Popis
 notices.op=Op.
 notices.delete_success=Systémové upozornění bylo smazáno.
 dashboard.sync_repo_branches = Synchronizovat vynechané větve z dat Gitu do databáze
-monitor.queue.activeworkers = Aktivní workery
 defaulthooks.desc = Webhooky automaticky vytvářejí žádosti HTTP POST na server, kde se spustí určité události Forgejo. Webhooky zde definované jsou výchozí a budou zkopírovány do všech nových repozitářů. Více informací zjistíte v <a target="_blank" rel="noopener" href="%s">návodu webhooků</a>.
 systemhooks.desc = Webhooky automaticky vytvářejí žádosti HTTP POST na server, kde se spustí určité události Forgejo. Webhooky zde definované budou aktivní u všech repozitářů v systému, zvažte tedy prosím všechny vlivy na výkon, které může tato funkce způsobit. Více informací zjistíte v <a target="_blank" rel="noopener" href="%s">návodu webhooků</a>.
 assets = Assety kódu
@@ -3392,8 +3321,6 @@ self_check.database_fix_mysql=Pro uživatele MySQL/MariaDB můžete použít př
 self_check = Vlastní kontrola
 self_check.database_collation_case_insensitive=Databáze používá collation %s, což je collation nerozlišující velká a malá písmena. Ačkoli s ní Forgejo může pracovat, mohou se vyskytnout vzácné případy, kdy nebude fungovat podle očekávání.
 auths.oauth2_map_group_to_team = Zmapovat zabrané skupiny u týmů organizací (volitelné - vyžaduje název claimu výše)
-monitor.queue.settings.desc = Pooly dynamicky rostou podle blokování fronty jejich workerů.
-
 auths.tips.gmail_settings = Nastavení služby Gmail:
 config_summary = Souhrn
 config.open_with_editor_app_help = Editory v nabídce „Otevřít pomocí“ v nabídce klonování. Ponechte prázdné pro použití výchozího editoru (zobrazíte jej rozšířením).
@@ -3516,21 +3443,7 @@ workflow.enable_success=Workflow „%s“ byl úspěšně aktivován.
 workflow.disabled=Workflow je zakázán.
 
 
-variables=Proměnné
-variables.management=Správa proměnných
-variables.creation=Přidat proměnnou
-variables.none=Zatím zde nejsou žádné proměnné.
-variables.deletion=Odstranit proměnnou
-variables.deletion.description=Odstranění proměnné je trvalé a nelze jej vrátit zpět. Pokračovat?
-variables.description=Proměnné budou předány určitým akcím a nelze je přečíst jinak.
 variables.id_not_exist = Proměnná s id %d neexistuje.
-variables.edit=Upravit proměnnou
-variables.deletion.failed=Nepodařilo se odstranit proměnnou.
-variables.deletion.success=Proměnná byla odstraněna.
-variables.creation.failed=Přidání proměnné se nezdařilo.
-variables.creation.success=Proměnná „%s“ byla přidána.
-variables.update.failed=Úprava proměnné se nezdařila.
-variables.update.success=Proměnná byla upravena.
 need_approval_desc = Potřebovat schválení pro spouštění workflowů pro žádosti o sloučení forků.
 workflow.dispatch.use_from = Použít workflow z
 workflow.dispatch.run = Spustit workflow
@@ -3542,7 +3455,6 @@ workflow.dispatch.success = Žádost o spuštění workflow byla úspěšně ode
 runs.expire_log_message = Protokoly byly smazány, protože byly příliš staré.
 runs.no_workflows.help_no_write_access = Pro více informací o Forgejo Actions se podívejte do <a target="_blank" rel="noopener noreferrer" href="%s">dokumentace</a>.
 runs.no_workflows.help_write_access = Nevíte, jak začít s Forgejo Actions? Podívejte se na <a target="_blank" rel="noopener noreferrer" href="%s">rychlý začátek v uživatelské dokumentaci</a> pro vytvoření vašeho prvního workflow. Poté <a target="_blank" rel="noopener noreferrer" href="%s">nastavte runner Forgejo</a> pro provádění vašich úloh.
-variables.not_found = Nepodařilo se najít proměnnou.
 
 [projects]
 type-1.display_name=Samostatný projekt
@@ -3588,9 +3500,6 @@ regexp = RegExp
 regexp_tooltip = Interpretovat hledaný výraz jako regulární výraz
 
 [markup]
-filepreview.lines = Řádky %[1]d až %[2]d v souboru %[3]s
-filepreview.line = Řádek %[1]d v souboru %[2]s
-filepreview.truncated = Náhled byl zkrácen
 
 [munits.data]
 
diff --git a/options/locale/locale_da.ini b/options/locale/locale_da.ini
index 83f5b14ea2..6efa9bcec3 100644
--- a/options/locale/locale_da.ini
+++ b/options/locale/locale_da.ini
@@ -35,14 +35,6 @@ re_type = Bekræft adgangskode
 captcha = CAPTCHA
 twofa = To-faktor autentificering
 twofa_scratch = To-faktor skrabekode
-webauthn_sign_in = Tryk på knappen på din sikkerhedsnøgle. Hvis din sikkerhedsnøgle ikke har nogen knap, skal du indsætte den igen.
-webauthn_use_twofa = Brug en tofaktorkode fra din telefon
-webauthn_error = Kunne ikke læse din sikkerhedsnøgle.
-webauthn_unsupported_browser = Din browser understøtter i øjeblikket ikke WebAuthn.
-webauthn_error_unknown = Der opstod en ukendt fejl. Prøv venligst igen.
-webauthn_error_unable_to_process = Serveren kunne ikke behandle din anmodning.
-webauthn_error_duplicated = Sikkerhedsnøglen er ikke tilladt for denne anmodning. Sørg for, at nøglen ikke allerede er registreret.
-webauthn_error_empty = Du skal angive et navn for denne nøgle.
 organization = Organisation
 mirror = Mirror
 new_mirror = Ny mirror
@@ -112,11 +104,7 @@ show_timestamps = Vis tidsstempler
 show_log_seconds = Vis sekunder
 tracked_time_summary = Opsummering af sporet tid baseret på filtre af problemliste
 signed_in_as = Logget ind som
-webauthn_error_insecure = WebAuthn understøtter kun sikre forbindelser. Til test over HTTP kan du bruge oprindelsen "localhost" eller "127.0.0.1"
 invalid_data = Ugyldige data: %v
-webauthn_insert_key = Indsæt din sikkerhedsnøgle
-webauthn_press_button = Tryk venligst på knappen på din sikkerhedsnøgle…
-webauthn_error_timeout = Timeout nået, før din nøgle kunne læses. Genindlæs denne side og prøv igen.
 enabled = Aktiveret
 locked = Låst
 copy_hash = Kopiér hash
@@ -2854,7 +2842,6 @@ config.db_name = Navn
 users.full_name = Fulde navn
 users.activated = Aktiveret
 repos.name = Navn
-monitor.queue.name = Navn
 repos.private = Privat
 config.default_enable_timetracking = Aktiver tidsregistrering som standard
 config.enable_timetracking = Aktiver tidsregistrering
@@ -2863,11 +2850,6 @@ config.allow_dots_in_usernames = Tillad brugere at bruge prikker i deres brugern
 auths.oauth2_icon_url = Icon URL
 users.edit = Redigere
 users.auth_source = Godkendelseskilde
-monitor.queue.settings.maxnumberworkers.placeholder = I øjeblikket %[1]d
-monitor.queue.settings.submit = Opdater indstillinger
-monitor.queue.settings.changed = Indstillinger opdateret
-monitor.queue.settings.remove_all_items = Slet alle
-monitor.queue.settings.remove_all_items_done = Alle varer i køen er blevet fjernet.
 notices.system_notice_list = Systemmeddelelser
 dashboard.delete_repo_archives = Slet alle depoters arkiver (ZIP, TAR.GZ osv..)
 organizations = Organisationer
@@ -2898,8 +2880,6 @@ dashboard.clean_unbind_oauth = Rens ubundne OAuth-forbindelser
 dashboard.delete_inactive_accounts.started = Slet alle uaktiverede konti opgave startet.
 dashboard.delete_missing_repos = Slet alle depoter, der mangler deres Git-filer
 dashboard.update_migration_poster_id = Opdater migrationsplakat-id'er
-dashboard.memory_obtained = Hukommelse opnået
-dashboard.pointer_lookup_times = Pointer-opslagstider
 hooks = Webhooks
 dashboard.cron.finished = Cron: %[1]s er færdig
 dashboard.delete_inactive_accounts = Slet alle uaktiverede konti
@@ -2908,10 +2888,6 @@ notices = Systemmeddelelser
 config_summary = Oversigt
 dashboard.system_status = System status
 dashboard.update_mirrors = Opdater spejle
-dashboard.server_uptime = Server oppetid
-dashboard.current_goroutine = Nuværende goroutiner
-dashboard.current_memory_usage = Aktuel hukommelsesbrug
-dashboard.total_memory_allocated = Samlet hukommelse tildelt
 integrations = Integrationer
 dashboard.operations = Vedligeholdelses operationer
 dashboard.repo_health_check = Sundhedstjek alle depoter
@@ -2947,16 +2923,6 @@ users.update_profile = Opdater brugerkonto
 users.still_has_org = Denne bruger er medlem af en organisation. Fjern først brugeren fra enhver organisation.
 users.purge_help = Tvangsslet brugeren og eventuelle depoter, organisationer og pakker, der ejes af brugeren. Alle kommentarer og problemer indsendt af denne bruger vil også blive slettet.
 users.is_admin = Administrator konto
-dashboard.mspan_structures_obtained = Mspan strukturer opnået
-dashboard.mcache_structures_usage = MCache strukturer brug
-dashboard.mspan_structures_usage = MSpan strukturer brug
-dashboard.mcache_structures_obtained = MCache-strukturer opnået
-dashboard.profiling_bucket_hash_table_obtained = Profilering bucket hash tabel opnået
-dashboard.gc_metadata_obtained = GC-metadata opnået
-dashboard.other_system_allocation_obtained = Anden systemallokering opnået
-dashboard.next_gc_recycle = Næste GC genbrug
-dashboard.total_gc_pause = Total GC-pause
-dashboard.last_gc_time = Tid siden sidste GC
 dashboard.delete_old_system_notices = Slet alle gamle systemmeddelelser fra databasen
 dashboard.gc_lfs = Affaldssamler LFS-metaobjekter
 dashboard.start_schedule_tasks = Start planlæg handlingsopgaver
@@ -2968,12 +2934,6 @@ users.created = Oprettet
 users.max_repo_creation = Maksimalt antal depoter
 users.prohibit_login = Suspenderet konto
 users.is_restricted = Begrænset konto
-dashboard.memory_allocate_times = Hukommelsestildelinger
-dashboard.memory_free_times = Hukommelses frigørelse
-dashboard.current_heap_usage = Nuværende heap-brug
-dashboard.heap_memory_obtained = Heap-hukommelse opnået
-dashboard.heap_objects = Heap genstande
-dashboard.bootstrap_stack_usage = Brug af bootstrap-stak
 dashboard.update_checker = Opdateringskontrol
 dashboard.delete_old_actions.started = Slet alle gamle aktiviteter fra den påbegyndte database.
 dashboard.stop_zombie_tasks = Stop zombiehandlingsopgaver
@@ -2987,19 +2947,10 @@ users.organization_creation.description = Tillad oprettelse af nye organisatione
 users.delete_account = Slet brugerkonto
 users.cannot_delete_self = Du kan ikke slette dig selv
 users.still_own_repo = Denne bruger ejer stadig et eller flere arkiver. Slet eller overfør disse depoter først.
-users.list_status_filter.is_admin = Admin
 users.block.description = Bloker denne bruger i at interagere med denne tjeneste via deres konto, og forbyd at logge ind.
 users.restricted.description = Tillad kun interaktion med de depoter og organisationer, hvor denne bruger er tilføjet som en samarbejdspartner. Dette forhindrer adgang til offentlige arkiver i denne instans.
-users.list_status_filter.menu_text = Filter
-dashboard.heap_memory_idle = Heap hukommelse inaktiv
-dashboard.heap_memory_in_use = Heap hukommelse i brug
-dashboard.heap_memory_released = Heap-hukommelse frigivet
-dashboard.stack_memory_obtained = Stakhukommelse opnået
-dashboard.last_gc_pause = Sidste GC-pause
-dashboard.gc_times = GC times
 dashboard.delete_old_actions = Slet alle gamle aktiviteter fra databasen
 users.allow_create_organization = Kan skabe organisationer
-users.list_status_filter.not_admin = Ikke admin
 users.allow_import_local = Kan importere lokale depoter
 users.send_register_notify = Giv besked om tilmelding via e-mail
 users.local = Lokal
@@ -3014,9 +2965,6 @@ users.max_repo_creation_desc = (Indtast -1 for at bruge den globale standardgræ
 users.is_activated = Aktiveret konto
 users.edit_account = Rediger brugerkonto
 packages.version = Version
-users.list_status_filter.reset = Nulstil
-users.list_status_filter.is_active = Aktiv
-users.list_status_filter.not_active = Inaktiv
 users.purge = Udrens bruger
 users.user_manage_panel = Administrer brugerkonti
 users.new_account = Opret brugerkonto
@@ -3030,25 +2978,19 @@ emails.not_updated = Kunne ikke opdatere den anmodede e-mailadresse: %v
 packages.package_manage_panel = Administrer pakker
 packages.total_size = Samlet størrelse: %s
 packages.unreferenced_size = Ikke-referencestørrelse: %s
-users.list_status_filter.is_2fa_enabled = 2FA aktiveret
-users.list_status_filter.not_2fa_enabled = 2FA deaktiveret
 emails.filter_sort.email_reverse = E-mail (omvendt)
 emails.filter_sort.name_reverse = Brugernavn (omvendt)
 emails.delete = Slet e-mail
 emails.delete_desc = Er du sikker på, at du vil slette denne e-mailadresse?
 emails.deletion_success = E-mailadressen er blevet slettet.
-users.list_status_filter.is_restricted = Begrænset
 emails.duplicate_active = Denne e-mailadresse er allerede aktiv for en anden bruger.
 emails.change_email_header = Opdater e-mail-egenskaber
 emails.change_email_text = Er du sikker på, at du vil opdatere denne e-mailadresse?
 repos.issues = Problemer
 repos.size = Størrelse
 repos.lfs_size = LFS størrelse
-users.list_status_filter.not_restricted = Ikke begrænset
 users.details = Brugeroplysninger
 emails.email_manage_panel = Administrer bruger-e-mails
-users.list_status_filter.is_prohibit_login = Forbyd login
-users.list_status_filter.not_prohibit_login = Tillad login
 emails.delete_primary_email_error = Du kan ikke slette den primære e-mail.
 orgs.org_manage_panel = Administrer organisationer
 repos.repo_manage_panel = Administrer depoter
@@ -3113,8 +3055,6 @@ self_check.database_collation_case_insensitive = Databasen bruger en sortering %
 config.git_max_diff_line_characters = Maks. diff-tegn pr. linje
 config.access_log_template = Skabelon til adgangslog
 monitor.process.children = Børn
-monitor.queues = Køer
-monitor.queue.settings.desc = Puljer vokser dynamisk som reaktion på deres blokering af arbejderkø.
 auths.auth_manage_panel = Administrer godkendelseskilder
 auths.auth_type = Godkendelsestype
 auths.map_group_to_team_removal = Fjern brugere fra synkroniserede teams, hvis brugeren ikke tilhører den tilsvarende LDAP-gruppe
@@ -3141,8 +3081,6 @@ monitor.stacktrace = Stakspor
 monitor.execute_time = Udførelsestid
 monitor.last_execution_result = Resultat
 monitor.process.cancel_notices = Annuller: <strong>%s</strong>?
-monitor.queue.type = Type
-monitor.queue.exemplar = Eksempler type
 auths.auth_name = Godkendelsesnavn
 auths.attribute_username = Brugernavn attribut
 auths.attribute_username_placeholder = Lad stå tomt for at bruge brugernavnet indtastet i Forgejo.
@@ -3185,13 +3123,11 @@ config.cache_test_slow = Cachetest lykkedes, men svaret er langsomt: %s.
 config.gc_interval_time = GC interval tid
 config.git_max_diff_files = Max diff filer vist
 config.git_gc_args = GC argumenter
-monitor.queue.settings.maxnumberworkers.error = Max antal arbejdere skal være et tal
 notices.inverse_selection = Omvendt valg
 notices.delete_selected = Slet valgte
 auths.allowed_domains_helper = Lad være tomt for at tillade alle domæner. Adskil flere domæner med et komma (",").
 auths.skip_local_two_fa = Spring over lokal 2FA
 auths.oauth2_required_claim_value_helper = Indstil denne værdi for at begrænse login fra denne kilde til brugere med et krav med dette navn og denne værdi
-monitor.queue.settings.maxnumberworkers = Max antal arbejdere
 notices.delete_all = Slet alle meddelelser
 auths.smtp_auth = SMTP-godkendelsestype
 config.default_visibility_organization = Standardsynlighed for nye organisationer
@@ -3290,7 +3226,6 @@ auths.attributes_in_bind = Hent attributter i bind DN-kontekst
 config.app_name = Instans titel
 config.app_slogan = instans slogan
 config.cache_interval = Cache interval
-monitor.queue.settings.title = Pool indstillinger
 notices.type = Type
 notices.type_2 = Opgave
 config.db_schema = Skematisk
@@ -3309,12 +3244,6 @@ monitor.execute_times = Udførelser
 monitor.download_diagnosis_report = Hent diagnoserapport
 monitor.process.cancel = Annuller processen
 monitor.process.cancel_desc = Annullering af en proces kan medføre tab af data
-monitor.queue = Kø: %s
-monitor.queue.numberworkers = Antal arbejdere
-monitor.queue.activeworkers = Aktive arbejdere
-monitor.queue.maxnumberworkers = Max antal arbejdere
-monitor.queue.numberinqueue = Nummer i kø
-monitor.queue.review_add = Gennemgå / tilføj arbejdere
 config.git_pull_timeout = Pull Operation timeout
 config.git_clone_timeout = Klone Operation timeout
 config.git_gc_timeout = GC Operation timeout
@@ -3348,15 +3277,9 @@ owner.settings.cleanuprules.keep.count.n = %d versioner pr. pakke
 
 [actions]
 unit.desc = Administrer integrerede CI/CD-pipelines med Forgejo Actions.
-variables.not_found = Variablen kunne ikke findes.
 workflow.enable = Aktiver arbejdsgang
 workflow.enable_success = Arbejdsgangen "%s" blev aktiveret.
-variables.none = Der er ingen variabler endnu.
-variables.edit = Rediger variabel
-variables.deletion.success = Variablen er blevet fjernet.
-variables.creation.failed = Kunne ikke tilføje variabel.
 runs.no_workflows.help_write_access = Ved du ikke, hvordan du starter med Forgejo Actions? Tjek <a target="_blank" rel="noopener noreferrer" href="%s">hurtigstarten i brugerdokumentationen</a> for at skrive dit første workflow, og <a target="_blank" rel="noopener noreferrer" href="%s">opsæt en Forgejo-løber</a> til at udføre dine opgaver.
-variables.update.success = Variablen er blevet redigeret.
 workflow.disable_success = Arbejdsgangen "%s" blev deaktiveret.
 workflow.disable = Deaktiver arbejdsgang
 workflow.dispatch.use_from = Brug arbejdsgangen fra
@@ -3366,20 +3289,11 @@ workflow.dispatch.warn_input_limit = Viser kun de første %d input.
 workflow.dispatch.success = Kørsel af arbejdsgang blev anmodet om.
 workflow.dispatch.input_required = Kræv værdi for input "%s".
 workflow.dispatch.invalid_input_type = Ugyldig inputtype "%s".
-variables.creation = Tilføj variabel
 need_approval_desc = Har brug for godkendelse for at køre arbejdsgange for fork pull-anmodning.
 runs.empty_commit_message = (tom commit besked)
 runs.expire_log_message = Logfiler er blevet renset, fordi de var for gamle.
-variables = Variabler
-variables.management = Administrer variabler
-variables.creation.success = Variablen "%s" er blevet tilføjet.
-variables.update.failed = Variablen kunne ikke redigeres.
 runs.no_workflows.help_no_write_access = For at lære om Forgejo Actions, se <a target="_blank" rel="noopener noreferrer" href="%s">dokumentationen</a>.
-variables.deletion = Fjern variabel
 variables.id_not_exist = Variabel med ID %d findes ikke.
-variables.deletion.description = Fjernelse af en variabel er permanent og kan ikke fortrydes. Vil du fortsætte?
-variables.description = Variabler vil blive videregivet til visse handlinger og kan ikke læses på anden vis.
-variables.deletion.failed = Variablen kunne ikke fjernes.
 workflow.dispatch.run = Kør arbejdsgang
 runs.no_runs = Workflowet har ingen kørsler endnu.
 
@@ -3465,9 +3379,6 @@ deleted.display_name = Slettet projekt
 type-1.display_name = Individuelt projekt
 
 [markup]
-filepreview.line = Linje %[1]d i %[2]s
-filepreview.lines = Linjer %[1]d til %[2]d i %[3]s
-filepreview.truncated = Forhåndsvisningen er blevet afkortet
 
 [git.filemode]
 symbolic_link = Symbolsk link
diff --git a/options/locale/locale_de-DE.ini b/options/locale/locale_de-DE.ini
index d777732c65..4a356b1f6e 100644
--- a/options/locale/locale_de-DE.ini
+++ b/options/locale/locale_de-DE.ini
@@ -36,18 +36,6 @@ twofa=Zwei-Faktor-Authentifizierung
 twofa_scratch=Zwei-Faktor-Einmalpasswort
 passcode=PIN
 
-webauthn_insert_key=Hardware-Sicherheitsschlüssel einstecken
-webauthn_sign_in=Drücke den Knopf auf deinem Sicherheitsschlüssel. Wenn dein Sicherheitsschlüssel keinen Knopf hat, stecke ihn erneut ein.
-webauthn_press_button=Drücke den Knopf auf deinem Sicherheitsschlüssel …
-webauthn_use_twofa=Zwei-Faktor-Authentifizierung via Handy verwenden
-webauthn_error=Dein Sicherheitsschlüssel konnte nicht gelesen werden.
-webauthn_unsupported_browser=Dein Browser unterstützt derzeit kein WebAuthn.
-webauthn_error_unknown=Ein unbekannter Fehler ist aufgetreten. Bitte versuche es erneut.
-webauthn_error_insecure=WebAuthn unterstützt nur sichere Verbindungen. Zum Testen über HTTP kannst du „localhost“ oder „127.0.0.1“ als Host verwenden
-webauthn_error_unable_to_process=Der Server konnte deine Anfrage nicht bearbeiten.
-webauthn_error_duplicated=Für diese Anfrage ist der Sicherheitsschlüssel nicht erlaubt. Bitte stell sicher, dass er nicht bereits registriert ist.
-webauthn_error_empty=Du musst einen Namen für diesen Schlüssel festlegen.
-webauthn_error_timeout=Das Zeitlimit wurde erreicht, bevor dein Schlüssel gelesen werden konnte. Bitte lade die Seite erneut.
 repository=Repository
 organization=Organisation
 mirror=Spiegel
@@ -2936,34 +2924,6 @@ dashboard.sync_external_users=Externe Benutzerdaten synchronisieren
 dashboard.cleanup_hook_task_table=Hook-Task-Tabelle bereinigen
 dashboard.cleanup_packages=Veraltete Pakete bereinigen
 dashboard.cleanup_actions=Abgelaufene Logs und Artefakte von Actions bereinigen
-dashboard.server_uptime=Server-Uptime
-dashboard.current_goroutine=Aktuelle Goroutinen
-dashboard.current_memory_usage=Aktuelle Speichernutzung
-dashboard.total_memory_allocated=Zugeteilter Gesamtspeicher
-dashboard.memory_obtained=Erhaltener Speicher
-dashboard.pointer_lookup_times=Anzahl Zeigerlookups
-dashboard.memory_allocate_times=Speicheranforderungen
-dashboard.memory_free_times=Speicherfreigaben
-dashboard.current_heap_usage=Aktuelle Heap-Auslastung
-dashboard.heap_memory_obtained=Erhaltener Heap-Arbeitsspeicher
-dashboard.heap_memory_idle=Unbenutzter Heap-Arbeitsspeicher
-dashboard.heap_memory_in_use=Benutzter-Heap-Arbeitsspeicher
-dashboard.heap_memory_released=Freigegebener Heap-Arbeitsspeicher
-dashboard.heap_objects=Heap-Objekte
-dashboard.bootstrap_stack_usage=Bootstrap-Stack-Auslastung
-dashboard.stack_memory_obtained=Erhaltener Stack-Arbeitsspeicher
-dashboard.mspan_structures_usage=MSpan-Structures-Auslastung
-dashboard.mspan_structures_obtained=Erhaltene MSpan-Structures
-dashboard.mcache_structures_usage=MCache-Structures-Auslastung
-dashboard.mcache_structures_obtained=Erhaltene MCache-Structures
-dashboard.profiling_bucket_hash_table_obtained=Erhaltene Analysesatz-Hashtabellen
-dashboard.gc_metadata_obtained=Erhaltene GC-Metadaten
-dashboard.other_system_allocation_obtained=Andere erhaltene System-Allokationen
-dashboard.next_gc_recycle=Nächster GC-Zyklus
-dashboard.last_gc_time=Seit letztem GC-Zyklus
-dashboard.total_gc_pause=Gesamte GC-Pause
-dashboard.last_gc_pause=Letzte GC-Pause
-dashboard.gc_times=GC-Zeiten
 dashboard.delete_old_actions=Alle alten Aktivitäten aus der Datenbank löschen
 dashboard.delete_old_actions.started=Löschen aller alten Aktivitäten aus der Datenbank gestartet.
 dashboard.update_checker=Update-Checker
@@ -3020,18 +2980,6 @@ users.purge_help=Das Löschen des Benutzers inklusive all seiner Repositorys, Or
 users.still_own_packages=Dieser Benutzer besitzt noch ein oder mehrere Pakete, lösche diese Pakete zuerst.
 users.deletion_success=Das Konto wurde gelöscht.
 users.reset_2fa=2FA zurücksetzen
-users.list_status_filter.menu_text=Filter
-users.list_status_filter.reset=Zurücksetzen
-users.list_status_filter.is_active=Aktiv
-users.list_status_filter.not_active=Inaktiv
-users.list_status_filter.is_admin=Administrator
-users.list_status_filter.not_admin=Nicht-Administrator
-users.list_status_filter.is_restricted=Eingeschränkt
-users.list_status_filter.not_restricted=Unbegrenzt
-users.list_status_filter.is_prohibit_login=Anmelden verbieten
-users.list_status_filter.not_prohibit_login=Anmelden erlaubt
-users.list_status_filter.is_2fa_enabled=2FA aktiviert
-users.list_status_filter.not_2fa_enabled=2FA deaktiviert
 users.details=Benutzerdetails
 
 emails.email_manage_panel=Benutzer-E-Mails verwalten
@@ -3349,26 +3297,6 @@ monitor.process.cancel_desc=Abbrechen eines Prozesses kann Datenverlust verursac
 monitor.process.cancel_notices=Abbrechen: <strong>%s</strong>?
 monitor.process.children=Subprozesse
 
-monitor.queues=Warteschlangen
-monitor.queue=Warteschlange: %s
-monitor.queue.name=Name
-monitor.queue.type=Typ
-monitor.queue.exemplar=Beispieltyp
-monitor.queue.numberworkers=Anzahl der Worker
-monitor.queue.activeworkers=Aktive Worker
-monitor.queue.maxnumberworkers=Maximale Anzahl der Worker
-monitor.queue.numberinqueue=Anzahl in der Warteschlange
-monitor.queue.review_add=Worker hinzufügen/prüfen
-monitor.queue.settings.title=Pool-Einstellungen
-monitor.queue.settings.desc=Pools wachsen dynamisch basierend auf der Blockierung der Arbeitswarteschlange.
-monitor.queue.settings.maxnumberworkers=Maximale Anzahl an Workern
-monitor.queue.settings.maxnumberworkers.placeholder=Derzeit %[1]d
-monitor.queue.settings.maxnumberworkers.error=Die Anzahl der Worker muss eine Zahl sein
-monitor.queue.settings.submit=Einstellungen aktualisieren
-monitor.queue.settings.changed=Einstellungen aktualisiert
-monitor.queue.settings.remove_all_items=Alle entfernen
-monitor.queue.settings.remove_all_items_done=Alle Elemente in der Warteschlange wurden entfernt.
-
 notices.system_notice_list=Systemmitteilungen
 notices.view_detail_header=Meldungsdetails ansehen
 notices.operations=Operationen
@@ -3516,20 +3444,6 @@ workflow.disabled=Workflow ist deaktiviert.
 
 need_approval_desc=Um Workflows für den Pull-Request eines Forks auszuführen, ist eine Genehmigung erforderlich.
 
-variables=Variablen
-variables.management=Variablen verwalten
-variables.creation=Variable hinzufügen
-variables.none=Es gibt noch keine Variablen.
-variables.deletion=Variable entfernen
-variables.deletion.description=Das Entfernen einer Variable ist dauerhaft und kann nicht rückgängig gemacht werden. Fortfahren?
-variables.description=Variablen werden an bestimmte Aktionen übergeben und können nicht anderweitig gelesen werden.
-variables.edit=Variable bearbeiten
-variables.deletion.failed=Fehler beim Entfernen der Variable.
-variables.deletion.success=Die Variable wurde entfernt.
-variables.creation.failed=Fehler beim Hinzufügen der Variable.
-variables.creation.success=Die Variable „%s“ wurde hinzugefügt.
-variables.update.failed=Fehler beim Bearbeiten der Variable.
-variables.update.success=Die Variable wurde bearbeitet.
 runs.empty_commit_message = (leere Commit-Nachricht)
 variables.id_not_exist = Variable mit ID %d existiert nicht.
 workflow.dispatch.use_from = Workflow benutzen von
@@ -3542,7 +3456,6 @@ workflow.dispatch.success = Ausführung des Workflows wurde erfolgreich angefrag
 runs.expire_log_message = Logs wurden gelöscht, weil sie zu alt waren.
 runs.no_workflows.help_write_access = Keine Ahnung, wie man mit Forgejo Actions anfangen soll? Schau im <a target="_blank" rel="noopener noreferrer" href="%s">Schnellstart in der Benutzerdokumentation</a> vorbei, um deinen ersten Workflow zu schreiben, dann <a target="_blank" rel="noopener noreferrer" href="%s">setze einen Forgejo-Runner auf</a>, um deine Jobs auszuführen.
 runs.no_workflows.help_no_write_access = Um mehr über Forgejo Actions zu erfahren, siehe <a target="_blank" rel="noopener noreferrer" href="%s">die Dokumentation</a>.
-variables.not_found = Die Variable wurde nicht gefunden.
 
 [projects]
 type-1.display_name=Individuelles Projekt
@@ -3588,9 +3501,6 @@ regexp = RegExp
 regexp_tooltip = Suchbegriff als regulären Ausdruck interpretieren
 
 [markup]
-filepreview.line = Zeile %[1]d in %[2]s
-filepreview.truncated = Vorschau wurde gekürzt
-filepreview.lines = Zeilen %[1]d bis %[2]d in %[3]s
 
 [munits.data]
 
diff --git a/options/locale/locale_el-GR.ini b/options/locale/locale_el-GR.ini
index a4c2cb14f6..4ad57c7bb5 100644
--- a/options/locale/locale_el-GR.ini
+++ b/options/locale/locale_el-GR.ini
@@ -37,18 +37,6 @@ twofa=Πιστοποίηση δύο παραγόντων
 twofa_scratch=Κωδικός μίας χρήσης (για πιστοποίηση δύο παραγόντων / 2FA)
 passcode=Κωδικός
 
-webauthn_insert_key=Εισάγετε το κλειδί ασφαλείας σας
-webauthn_sign_in=Πατήστε το κουμπί στο κλειδί ασφαλείας σας. Αν το κλειδί ασφαλείας σας δεν έχει κουμπί, αποσυνδέστε το και συνδέστε το ξανά.
-webauthn_press_button=Παρακαλώ πατήστε το κουμπί στο κλειδί ασφαλείας…
-webauthn_use_twofa=Χρησιμοποιήστε έναν κωδικό δύο παραγόντων από το τηλέφωνό σας
-webauthn_error=Δεν ήταν δυνατή η επικοινωνία με το κλειδί ασφαλείας σας.
-webauthn_unsupported_browser=Το πρόγραμμα περιήγησής σας δεν υποστηρίζει επί του παρόντος WebAuthn.
-webauthn_error_unknown=Παρουσιάστηκε ένα άγνωστο σφάλμα. Παρακαλώ προσπαθήστε ξανά.
-webauthn_error_insecure=Το WebAuthn υποστηρίζει μόνο ασφαλές συνδέσεις. Αν θέλετε να διεξάγετε δοκιμές μέσω HTTP, μπορείτε να χρησιμοποιήσετε την προέλευση «localhost» ή «127.0.0.1»
-webauthn_error_unable_to_process=Ο διακομιστής δεν μπόρεσε να επεξεργαστεί το αίτημά σας.
-webauthn_error_duplicated=Το κλειδί ασφαλείας δεν επιτρέπεται για αυτό το αίτημα. Βεβαιωθείτε ότι το κλειδί δεν έχει ήδη καταχωρηθεί.
-webauthn_error_empty=Πρέπει να ορίσετε ένα όνομα για αυτό το κλειδί.
-webauthn_error_timeout=Το χρονικό όριο έφτασε πριν το κλειδί να διαβαστεί. Παρακαλώ ανανεώστε τη σελίδα και προσπαθήστε ξανά.
 repository=Αποθετήριο
 organization=Οργανισμός
 mirror=Αντίγραφο
@@ -2935,34 +2923,6 @@ dashboard.sync_external_users=Συγχρονισμός δεδομένων εξω
 dashboard.cleanup_hook_task_table=Εκκαθάριση πίνακα hook_task
 dashboard.cleanup_packages=Εκκαθάριση ληγμένων πακέτων
 dashboard.cleanup_actions=Καθαρισμός ληγμένων καταγραφών και συνημμένων από τις δράσεις
-dashboard.server_uptime=Uptime διακομιστή
-dashboard.current_goroutine=Τρέχουσες goroutines
-dashboard.current_memory_usage=Τρέχουσα χρήση μνήμης
-dashboard.total_memory_allocated=Συνολική χρησιμοποιούμενη μνήμη
-dashboard.memory_obtained=Μνήμη που λαμβάνεται
-dashboard.pointer_lookup_times=Πλήθος αναζητήσεων δείκτη
-dashboard.memory_allocate_times=Κατανομές μνήμης
-dashboard.memory_free_times=Ελευθερώσεις μνήμης
-dashboard.current_heap_usage=Τρέχουσα χρήση heap
-dashboard.heap_memory_obtained=Μνήμη heap που λαμβάνεται
-dashboard.heap_memory_idle=Αδρανής μνήμη heap
-dashboard.heap_memory_in_use=Μνήμη heap σε χρήση
-dashboard.heap_memory_released=Μνήμη heap που απελευθερώθηκε
-dashboard.heap_objects=Αντικείμενα στο heap
-dashboard.bootstrap_stack_usage=Χρήση στοίβας bootstrap
-dashboard.stack_memory_obtained=Μνήμη στοίβας που λαμβάνεται
-dashboard.mspan_structures_usage=Χρήση δομών MSpan
-dashboard.mspan_structures_obtained=Δομές MSpan που έχουν ληφθεί
-dashboard.mcache_structures_usage=Χρήση δομών MCache
-dashboard.mcache_structures_obtained=Δομές MCache που έχουν ληφθεί
-dashboard.profiling_bucket_hash_table_obtained=Profiling bucket hash table που έχει ληφθεί
-dashboard.gc_metadata_obtained=Μεταδεδομένα GC που έχουν ληφθεί
-dashboard.other_system_allocation_obtained=Άλλες κατανομές συστήματος που έχουν ληφθεί
-dashboard.next_gc_recycle=Επόμενη ανακύκλωση GC
-dashboard.last_gc_time=Χρόνος από την τελευταία φορά που έγινε GC
-dashboard.total_gc_pause=Σύνολο παύσης GC
-dashboard.last_gc_pause=Τελευταία παύση GC
-dashboard.gc_times=Χρόνοι GC
 dashboard.delete_old_actions=Διαγραφή όλων των παλιών δραστηριοτήτων από τη βάση δεδομένων
 dashboard.delete_old_actions.started=Ξεκίνησε η διαγραφή όλων των παλιών δραστηριοτήτων από τη βάση δεδομένων.
 dashboard.update_checker=Ελεγκτής ενημερώσεων
@@ -3019,18 +2979,6 @@ users.purge_help=Εξαναγκαστική διαγραφή χρήστη καθ
 users.still_own_packages=Αυτός ο χρήστης εξακολουθεί να κατέχει ένα ή περισσότερα πακέτα, διαγράψτε αυτά τα πακέτα πρώτα.
 users.deletion_success=Ο λογαριασμός χρήστη έχει διαγραφεί.
 users.reset_2fa=Επαναφορά 2FA
-users.list_status_filter.menu_text=Φίλτρο
-users.list_status_filter.reset=Επαναφορά
-users.list_status_filter.is_active=Ενεργό
-users.list_status_filter.not_active=Ανενεργό
-users.list_status_filter.is_admin=Διαχειριστής
-users.list_status_filter.not_admin=Χωρίς δικαιώματα διαχειριστή
-users.list_status_filter.is_restricted=Περιορισμένος
-users.list_status_filter.not_restricted=Χωρίς περιορισμούς
-users.list_status_filter.is_prohibit_login=Απαγορευμένη σύνδεση
-users.list_status_filter.not_prohibit_login=Επιτρέπεται η σύνδεση
-users.list_status_filter.is_2fa_enabled=Με ενεργοποιημένο 2FA
-users.list_status_filter.not_2fa_enabled=Χωρίς 2FA
 users.details=Λεπτομέρειες χρήστη
 
 emails.email_manage_panel=Διαχείριση email χρηστών
@@ -3350,26 +3298,6 @@ monitor.process.cancel_desc=Η ακύρωση μιας διαδικασίας μ
 monitor.process.cancel_notices=Ακύρωση: <strong>%s</strong>;
 monitor.process.children=Θυγατρικές
 
-monitor.queues=Ουρές
-monitor.queue=Ουρά: %s
-monitor.queue.name=Όνομα
-monitor.queue.type=Τύπος
-monitor.queue.exemplar=Τύπος Υποδείγματος
-monitor.queue.numberworkers=Αριθμός εργατών
-monitor.queue.activeworkers=Ενεργοί εργάτες
-monitor.queue.maxnumberworkers=Μέγιστος αριθμός εργατών
-monitor.queue.numberinqueue=Πλήθος ουράς
-monitor.queue.review_add=Εξέταση / προσθήκη εργατών
-monitor.queue.settings.title=Ρυθμίσεις δεξαμενής
-monitor.queue.settings.desc=Οι δεξαμενές αυξάνονται δυναμικά όταν υπάρχει φραγή της ουράς των εργατών τους.
-monitor.queue.settings.maxnumberworkers=Μέγιστος Αριθμός Εργατών
-monitor.queue.settings.maxnumberworkers.placeholder=Αυτή τη στιγμή %[1]d
-monitor.queue.settings.maxnumberworkers.error=Ο μέγιστος αριθμός εργατών πρέπει να είναι αριθμός
-monitor.queue.settings.submit=Ενημέρωση ρυθμίσεων
-monitor.queue.settings.changed=Οι ρυθμίσεις ενημερώθηκαν
-monitor.queue.settings.remove_all_items=Αφαίρεση όλων
-monitor.queue.settings.remove_all_items_done=Όλα τα αντικείμενα στην ουρά αφαιρέθηκαν.
-
 notices.system_notice_list=Ειδοποιήσεις συστήματος
 notices.view_detail_header=Προβολή λεπτομερειών ειδοποίησης
 notices.operations=Λειτουργίες
@@ -3516,20 +3444,6 @@ workflow.disabled=Η ροή εργασιών είναι απενεργοποιη
 
 need_approval_desc=Πρέπει να εγκριθεί η εκτέλεση ροών εργασίας για pull request από fork.
 
-variables=Μεταβλητές
-variables.management=Διαχείριση μεταβλητών
-variables.creation=Προσθήκη μεταβλητή
-variables.none=Δεν υπάρχουν ακόμα μεταβλητές.
-variables.deletion=Αφαίρεση μεταβλητής
-variables.deletion.description=Η αφαίρεση μιας μεταβλητής είναι μόνιμη και δεν μπορεί να αναιρεθεί. Συνέχεια;
-variables.description=Η μεταβλητές θα δίνονται σε ορισμένες δράσεις και δεν μπορούν να διαβαστούν αλλιώς.
-variables.edit=Επεξεργασία Μεταβλητής
-variables.deletion.failed=Αποτυχία αφαίρεσης της μεταβλητής.
-variables.deletion.success=Η μεταβλητή έχει αφαιρεθεί.
-variables.creation.failed=Αποτυχία προσθήκης μεταβλητής.
-variables.creation.success=Η μεταβλητή «%s» προστέθηκε.
-variables.update.failed=Αποτυχία επεξεργασίας μεταβλητής.
-variables.update.success=Η μεταβλητή έχει τροποποιηθεί.
 variables.id_not_exist = Η μεταβλητή με id %d δεν υπάρχει.
 workflow.dispatch.trigger_found = Αυτή η ροή εργασίας έχει ένα «event trigger» <c>workflow_dispatch</c>.
 workflow.dispatch.success = Η εκτέλεση της ροής εργασίας αιτήθηκε επιτυχώς.
@@ -3541,7 +3455,6 @@ workflow.dispatch.invalid_input_type = Μη έγκυρο είδος εισόδο
 runs.no_workflows.help_write_access = Δεν γνωρίζεται πώς να ξεκινήσετε με τις Δράσεις Forgejo; Δείτε την <a target="_blank" rel="noopener noreferrer" href="%s"> γρήγορη εκκίνηση στην τεκμηρίωση χρήστη</a> για να γράψετε την πρώτη σας ροή εργασίας, στη συνέχεια <a target="_blank" rel="noopener noreferrer" href="%s"> ορίστε έναν εκτελεστή Forgejo</a> για να εκτελέσετε τις εργασίες σας.
 runs.no_workflows.help_no_write_access = Για να μάθετε για τις Δράσεις Forgejo, δείτε <a target="_blank" rel="noopener noreferrer" href="%s"> την τεκμηρίωση</a>.
 workflow.dispatch.warn_input_limit = Προβολή μόνο των πρώτων %d εισόδων.
-variables.not_found = Αποτυχία εύρεσης της μεταβλητής.
 
 [projects]
 type-1.display_name=Ατομικό έργο
@@ -3589,9 +3502,6 @@ regexp_tooltip = Ερμηνεία του όρου αναζήτησης ως κα
 [munits.data]
 
 [markup]
-filepreview.line = Γραμμή %[1]d στο αρχείο %[2]s
-filepreview.lines = Γραμμές %[1]d έως %[2]d στο αρχείο %[3]s
-filepreview.truncated = Η προεπισκόπηση έχει περικοπεί
 
 [translation_meta]
 test = ok
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 1fdced67c2..a74cf843e9 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -38,19 +38,6 @@ twofa = Two-factor authentication
 twofa_scratch = Two-factor scratch code
 passcode = Passcode
 
-webauthn_insert_key = Insert your security key
-webauthn_sign_in = Press the button on your security key. If your security key has no button, re-insert it.
-webauthn_press_button = Please press the button on your security key…
-webauthn_use_twofa = Use a two-factor code from your phone
-webauthn_error = Could not read your security key.
-webauthn_unsupported_browser = Your browser does not currently support WebAuthn.
-webauthn_error_unknown = An unknown error occurred. Please retry.
-webauthn_error_insecure = WebAuthn only supports secure connections. For testing over HTTP, you can use the origin "localhost" or "127.0.0.1"
-webauthn_error_unable_to_process = The server could not process your request.
-webauthn_error_duplicated = The security key is not permitted for this request. Please make sure that the key is not already registered.
-webauthn_error_empty = You must set a name for this key.
-webauthn_error_timeout = Timeout reached before your key could be read. Please reload this page and retry.
-
 repository = Repository
 new_fork = New repository fork
 new_project_column = New column
@@ -2953,34 +2940,6 @@ dashboard.sync_external_users = Synchronize external user data
 dashboard.cleanup_hook_task_table = Clean up hook_task table
 dashboard.cleanup_packages = Clean up expired packages
 dashboard.cleanup_actions = Clean up expired logs and artifacts from actions
-dashboard.server_uptime = Server uptime
-dashboard.current_goroutine = Current goroutines
-dashboard.current_memory_usage = Current memory usage
-dashboard.total_memory_allocated = Total memory allocated
-dashboard.memory_obtained = Memory obtained
-dashboard.pointer_lookup_times = Pointer lookup times
-dashboard.memory_allocate_times = Memory allocations
-dashboard.memory_free_times = Memory frees
-dashboard.current_heap_usage = Current heap usage
-dashboard.heap_memory_obtained = Heap memory obtained
-dashboard.heap_memory_idle = Heap memory idle
-dashboard.heap_memory_in_use = Heap memory in use
-dashboard.heap_memory_released = Heap memory released
-dashboard.heap_objects = Heap objects
-dashboard.bootstrap_stack_usage = Bootstrap stack usage
-dashboard.stack_memory_obtained = Stack memory obtained
-dashboard.mspan_structures_usage = MSpan structures usage
-dashboard.mspan_structures_obtained = MSpan structures obtained
-dashboard.mcache_structures_usage = MCache structures usage
-dashboard.mcache_structures_obtained = MCache structures obtained
-dashboard.profiling_bucket_hash_table_obtained = Profiling bucket hash table obtained
-dashboard.gc_metadata_obtained = GC metadata obtained
-dashboard.other_system_allocation_obtained = Other system allocation obtained
-dashboard.next_gc_recycle = Next GC recycle
-dashboard.last_gc_time = Time since last GC
-dashboard.total_gc_pause = Total GC pause
-dashboard.last_gc_pause = Last GC pause
-dashboard.gc_times = GC times
 dashboard.delete_old_actions = Delete all old activities from database
 dashboard.delete_old_actions.started = Delete all old activities from database started.
 dashboard.update_checker = Update checker
@@ -3044,18 +3003,6 @@ users.purge_help = Forcibly delete user and any repositories, organizations, and
 users.still_own_packages = This user still owns one or more packages, delete these packages first.
 users.deletion_success = The user account has been deleted.
 users.reset_2fa = Reset 2FA
-users.list_status_filter.menu_text = Filter
-users.list_status_filter.reset = Reset
-users.list_status_filter.is_active = Active
-users.list_status_filter.not_active = Inactive
-users.list_status_filter.is_admin = Admin
-users.list_status_filter.not_admin = Not admin
-users.list_status_filter.is_restricted = Restricted
-users.list_status_filter.not_restricted = Not restricted
-users.list_status_filter.is_prohibit_login = Prohibit login
-users.list_status_filter.not_prohibit_login = Allow login
-users.list_status_filter.is_2fa_enabled = 2FA enabled
-users.list_status_filter.not_2fa_enabled = 2FA disabled
 users.details = User details
 
 emails.email_manage_panel = Manage user emails
@@ -3106,13 +3053,13 @@ packages.published = Published
 
 defaulthooks = Default webhooks
 defaulthooks.desc = Webhooks automatically make HTTP POST requests to a server when certain Forgejo events trigger. Webhooks defined here are defaults and will be copied into all new repositories. Read more in the <a target="_blank" rel="noopener" href="%s">webhooks guide</a>.
-defaulthooks.add_webhook = Add Default Webhook
-defaulthooks.update_webhook = Update Default Webhook
+defaulthooks.add_webhook = Add default webhook
+defaulthooks.update_webhook = Update default webhook
 
 systemhooks = System webhooks
 systemhooks.desc = Webhooks automatically make HTTP POST requests to a server when certain Forgejo events trigger. Webhooks defined here will act on all repositories on the system, so please consider any performance implications this may have. Read more in the <a target="_blank" rel="noopener" href="%s">webhooks guide</a>.
-systemhooks.add_webhook = Add System Webhook
-systemhooks.update_webhook = Update System Webhook
+systemhooks.add_webhook = Add system webhook
+systemhooks.update_webhook = Update system webhook
 
 auths.auth_manage_panel = Manage authentication sources
 auths.new = Add authentication source
@@ -3375,26 +3322,6 @@ monitor.process.cancel = Cancel process
 monitor.process.cancel_desc = Canceling a process may cause data loss
 monitor.process.cancel_notices = Cancel: <strong>%s</strong>?
 
-monitor.queues = Queues
-monitor.queue = Queue: %s
-monitor.queue.name = Name
-monitor.queue.type = Type
-monitor.queue.exemplar = Exemplar Type
-monitor.queue.numberworkers = Number of workers
-monitor.queue.activeworkers = Active workers
-monitor.queue.maxnumberworkers = Max Number of workers
-monitor.queue.numberinqueue = Number in queue
-monitor.queue.review_add = Review / add workers
-monitor.queue.settings.title = Pool settings
-monitor.queue.settings.desc = Pools dynamically grow in response to their worker queue blocking.
-monitor.queue.settings.maxnumberworkers = Max Number of workers
-monitor.queue.settings.maxnumberworkers.placeholder = Currently %[1]d
-monitor.queue.settings.maxnumberworkers.error = Max number of workers must be a number
-monitor.queue.settings.submit = Update settings
-monitor.queue.settings.changed = Settings updated
-monitor.queue.settings.remove_all_items = Remove all
-monitor.queue.settings.remove_all_items_done = All items in the queue have been removed.
-
 notices.system_notice_list = System notices
 notices.view_detail_header = Notice details
 notices.operations = Operations
@@ -3410,7 +3337,7 @@ notices.desc = Description
 notices.op = Op.
 notices.delete_success = The system notices have been deleted.
 
-self_check.no_problem_found = No problem found yet.
+self_check.no_problem_found = No problems found yet.
 self_check.database_collation_mismatch = Expect database to use collation: %s
 self_check.database_collation_case_insensitive = Database is using a collation %s, which is an insensitive collation. Although Forgejo could work with it, there might be some rare cases which don't work as expected.
 self_check.database_inconsistent_collation_columns = Database is using collation %s, but these columns are using mismatched collations. It might cause some unexpected problems.
@@ -3520,22 +3447,6 @@ workflow.dispatch.warn_input_limit = Only displaying the first %d inputs.
 
 need_approval_desc = Need approval to run workflows for fork pull request.
 
-variables = Variables
-variables.management = Manage variables
-variables.creation = Add variable
-variables.none = There are no variables yet.
-variables.deletion = Remove variable
-variables.deletion.description = Removing a variable is permanent and cannot be undone. Continue?
-variables.description = Variables will be passed to certain actions and cannot be read otherwise.
-variables.edit = Edit Variable
-variables.not_found = Failed to find the variable.
-variables.deletion.failed = Failed to remove variable.
-variables.deletion.success = The variable has been removed.
-variables.creation.failed = Failed to add variable.
-variables.creation.success = The variable "%s" has been added.
-variables.update.failed = Failed to edit variable.
-variables.update.success = The variable has been edited.
-
 [projects]
 deleted.display_name = Deleted project
 type-1.display_name = Individual project
@@ -3551,9 +3462,6 @@ symbolic_link = Symbolic link
 submodule = Submodule
 
 [markup]
-filepreview.line = Line %[1]d in %[2]s
-filepreview.lines = Lines %[1]d to %[2]d in %[3]s
-filepreview.truncated = Preview has been truncated
 
 [translation_meta]
 test = This is a test string. It is not displayed in Forgejo UI but is used for testing purposes. Feel free to enter "ok" to save time (or a fun fact of your choice) to hit that sweet 100% completion mark :)
diff --git a/options/locale/locale_eo.ini b/options/locale/locale_eo.ini
index a6b3a57428..be27ad3749 100644
--- a/options/locale/locale_eo.ini
+++ b/options/locale/locale_eo.ini
@@ -2,8 +2,6 @@
 tracked_time_summary = Resumo de trakita tempo bazita sur filtriloj de temolisto
 language = Lingvo
 passcode = Paskodo
-webauthn_error_timeout = Tempo elĉerpiĝis antaŭ legiĝo de via ŝlosilo. Bonvolu reenlegi la retpaĝon kaj reprovi.
-webauthn_sign_in = Premu la butonon sur via sekurŝlosilo. Se mankas butono, elprenu kaj reenmetu vian sekurŝlosilon.
 captcha = Testo de homeco
 create_new = Krei…
 licenses = Permesiloj
@@ -11,13 +9,10 @@ sign_in = Saluti
 user_profile_and_more = Profilo kaj agordoj…
 explore = Esplori
 return_to_forgejo = Reiri al Forgejo
-webauthn_error_unknown = Eraris pro nekonata kialo. Bonvolu reprovi.
 twofa = Duobla aŭtentikigo
 version = Versio
 help = Helpo
-webauthn_error_empty = Vi devas agordi nomon por la ŝlosilo.
 sign_in_or = aŭ
-webauthn_use_twofa = Uzi dumanieran salutkodon de via poŝtelefono
 page = Paĝo
 link_account = Ligi konton
 your_profile = Profilo
@@ -26,23 +21,16 @@ settings = Agordoj
 logo = Emblemo
 toc = Enhavotabelo
 admin_panel = Retejadministrado
-webauthn_unsupported_browser = Via retfoliumilo ne jam subtenas la salutmanieron WebAuthn.
-webauthn_error_insecure = La salutmaniero WebAuthn sole subtenas sekurajn konektiĝojn. Testante HTTP’e, oni uzu la retadreson «localhost» aŭ «127.0.0.1»
 new_project = Novan projekton
 notifications = Sciigoj
 repository = Deponejo
-webauthn_error = Ne povis legi vian sekurŝlosilon.
 active_stopwatch = Aktiva tempotrakilo
 organization = Organizaĵo
 sign_in_with_provider = Saluti per %s
-webauthn_error_unable_to_process = La servilo ne povis trakti vian peton.
 register = Registriĝi
 username = Uzantonomo
-webauthn_insert_key = Enmetu vian sekurŝlosilon
 password = Pasvorto
-webauthn_error_duplicated = La sekurŝlosilo ne rajtas fari tiun ĉi peton. Bonvolu certigi ke la ŝlosilo estas ne jam registrita.
 template = Ŝablono
-webauthn_press_button = Bonvolu premi la butonon sur via sekurŝlosilo…
 signed_in_as = Salutinta kiel
 sign_up = Registriĝi
 enable_javascript = Ĉi tiu retejo bezonas JavaSkripton.
@@ -772,7 +760,7 @@ enable_custom_avatar = Uzi propran profilbildon
 change_password = Ŝanĝi pasvorton
 keep_pronouns_private = Montri pronomojn nur al la aŭtentikigitaj uzantoj
 keep_pronouns_private.description = Tio maskos viajn pronomojn kontraŭ neaŭtentikigitaj vizitantoj.
-add_new_principal =
+add_new_principal = 
 gpg_token_required = Vi devas disponigi signaturon por la malsupran ĵetono
 gpg_token = Ĵetono
 gpg_token_help = Vi povas generi signaturon uzante:
@@ -962,14 +950,8 @@ runner_kind = Serĉi rulantojn…
 pull_kind = Serĉi tirpetojn…
 
 [markup]
-filepreview.truncated = La superrigardo estas mallongigita
-filepreview.line = Linio %[1]d en %[2]s
-filepreview.lines = Linioj %[1]d ĝis %[2]d en %[3]s
 
 [actions]
-variables.creation.success = La variablo "%s" estas aldonita.
-variables.update.failed = Ne eblas redakti la variablon.
-variables.update.success = La variablo estas redaktita.
 
 [projects]
 deleted.display_name = Forigita projekto
diff --git a/options/locale/locale_es-ES.ini b/options/locale/locale_es-ES.ini
index 0d37055fea..b0a9f6ce09 100644
--- a/options/locale/locale_es-ES.ini
+++ b/options/locale/locale_es-ES.ini
@@ -36,18 +36,6 @@ twofa=Autenticación de doble factor
 twofa_scratch=Código de respaldo
 passcode=Código de acceso
 
-webauthn_insert_key=Introduzca su clave de seguridad
-webauthn_sign_in=Presione el botón en su clave de seguridad. Si su clave de seguridad no tiene ningún botón, vuelva a insertarla.
-webauthn_press_button=Por favor, presione el botón en su clave de seguridad…
-webauthn_use_twofa=Utilice un código de doble factor desde su teléfono móvil
-webauthn_error=No se pudo leer su llave de seguridad.
-webauthn_unsupported_browser=Actualmente su navegador no soporta WebAuthn.
-webauthn_error_unknown=Ha ocurrido un error desconocido. Por favor, inténtelo de nuevo.
-webauthn_error_insecure=WebAuthn sólo soporta conexiones seguras. Para probar sobre HTTP, puede utilizar el origen "localhost" o "127.0.0.1"
-webauthn_error_unable_to_process=El servidor no pudo procesar su solicitud.
-webauthn_error_duplicated=La clave de seguridad no está permitida para esta solicitud. Por favor, asegúrese de que la clave no está ya registrada.
-webauthn_error_empty=Debe establecer un nombre para esta clave.
-webauthn_error_timeout=Tiempo de espera máximo alcanzado antes de que su clave pudiese ser leída. Por favor, cargue la página y vuelva a intentarlo.
 repository=Repositorio
 organization=Organización
 mirror=Réplica
@@ -2935,34 +2923,6 @@ dashboard.sync_external_users=Sincronizar datos de usuario externo
 dashboard.cleanup_hook_task_table=Limpiar la tabla hook_task
 dashboard.cleanup_packages=Limpiar paquetes caducados
 dashboard.cleanup_actions=Acciones de limpieza de registros expirados y artefactos
-dashboard.server_uptime=Tiempo de actividad del servidor
-dashboard.current_goroutine=Gorutinas actuales
-dashboard.current_memory_usage=Uso actual de memoria
-dashboard.total_memory_allocated=Total de Memoria Reservada
-dashboard.memory_obtained=Memoria obtenida
-dashboard.pointer_lookup_times=Tiempos de búsqueda de punteros
-dashboard.memory_allocate_times=Asignaciones de memoria
-dashboard.memory_free_times=Liberaciones de memoria
-dashboard.current_heap_usage=Uso actual de Heap
-dashboard.heap_memory_obtained=Memoria de Heap obtenida
-dashboard.heap_memory_idle=Memoria de Heap inactiva
-dashboard.heap_memory_in_use=Memoria de Heap en uso
-dashboard.heap_memory_released=Memoria de Heap liberada
-dashboard.heap_objects=Objetos en el Heap
-dashboard.bootstrap_stack_usage=Uso de la pila de Bootstrap
-dashboard.stack_memory_obtained=Memoria de pila obtenida
-dashboard.mspan_structures_usage=Uso de estructuras MSpan
-dashboard.mspan_structures_obtained=Estructuras MSpan obtenidas
-dashboard.mcache_structures_usage=Uso de estructuras MCache
-dashboard.mcache_structures_obtained=Estructuras MCache obtenidas
-dashboard.profiling_bucket_hash_table_obtained=Profiling bucket hash table obtenido
-dashboard.gc_metadata_obtained=Metadatos obtenidos del recolector de basura
-dashboard.other_system_allocation_obtained=Otros recursos asignados del sistema
-dashboard.next_gc_recycle=Siguiente reciclaje del recolector de basura
-dashboard.last_gc_time=Tiempo desde la última recolección de basura
-dashboard.total_gc_pause=Pausa total por el recolector de basura
-dashboard.last_gc_pause=Última pausa por el recolector de basura
-dashboard.gc_times=Ejecuciones del recolector de basura
 dashboard.delete_old_actions=Eliminar todas las actividades antiguas de la base de datos
 dashboard.delete_old_actions.started=Eliminar todas las actividades antiguas de la base de datos iniciadas.
 dashboard.update_checker=Buscador de actualizaciones
@@ -3019,18 +2979,6 @@ users.purge_help=Borrar forzosamente el usuario y cualquier repositorio, organiz
 users.still_own_packages=Este usuario todavía posee uno o más paquetes, elimina estos paquetes primero.
 users.deletion_success=La cuenta de usuario ha sido eliminada.
 users.reset_2fa=Reiniciar 2FA
-users.list_status_filter.menu_text=Filtro
-users.list_status_filter.reset=Reiniciar
-users.list_status_filter.is_active=Activo
-users.list_status_filter.not_active=Inactivo
-users.list_status_filter.is_admin=Administrador
-users.list_status_filter.not_admin=No admin
-users.list_status_filter.is_restricted=Restringido
-users.list_status_filter.not_restricted=No restringido
-users.list_status_filter.is_prohibit_login=Prohibido el inicio de sesión
-users.list_status_filter.not_prohibit_login=Permitir el inicio de sesión
-users.list_status_filter.is_2fa_enabled=2FA habilitado
-users.list_status_filter.not_2fa_enabled=2FA deshabilitado
 users.details=Detalles del usuario
 
 emails.email_manage_panel=Administrar direcciones de correo electrónico del usuario
@@ -3348,26 +3296,6 @@ monitor.process.cancel_desc=Cancelar un proceso puede ocasionar una pérdida de
 monitor.process.cancel_notices=Cancelar: <strong>%s</strong>?
 monitor.process.children=Hijos
 
-monitor.queues=Colas
-monitor.queue=Cola: %s
-monitor.queue.name=Nombre
-monitor.queue.type=Tipo
-monitor.queue.exemplar=Ejemplo
-monitor.queue.numberworkers=Número de trabajadores
-monitor.queue.activeworkers=Trabajadores activos
-monitor.queue.maxnumberworkers=Nº máx de trabajadores
-monitor.queue.numberinqueue=Número en cola
-monitor.queue.review_add=Revisar / Añadir trabajadores
-monitor.queue.settings.title=Ajustes del grupo
-monitor.queue.settings.desc=Los grupos de trabajadores crecen dinámicamente en respuesta al bloqueo de cola de sus trabajadores.
-monitor.queue.settings.maxnumberworkers=Número máximo de trabajadores
-monitor.queue.settings.maxnumberworkers.placeholder=Actualmente %[1]d
-monitor.queue.settings.maxnumberworkers.error=El número máximo de trabajadores debe ser un número
-monitor.queue.settings.submit=Actualizar ajustes
-monitor.queue.settings.changed=Ajustes actualizados
-monitor.queue.settings.remove_all_items=Eliminar todo
-monitor.queue.settings.remove_all_items_done=Todos los elementos en la cola han sido eliminados.
-
 notices.system_notice_list=Notificaciones del sistema
 notices.view_detail_header=Detalles de notificación
 notices.operations=Operaciones
@@ -3515,20 +3443,6 @@ workflow.disabled=El flujo de trabajo está deshabilitado.
 
 need_approval_desc=Necesita aprobación para ejecutar flujos de trabajo para el pull request del fork.
 
-variables=Variables
-variables.management=Gestión de variables
-variables.creation=Añadir variable
-variables.none=Aún no hay variables.
-variables.deletion=Eliminar variable
-variables.deletion.description=Eliminar una variable es permanente y no se puede deshacer. ¿Continuar?
-variables.description=Las variables se pasarán a ciertas acciones y no se podrán leer de otro modo.
-variables.edit=Editar variable
-variables.deletion.failed=No se pudo eliminar la variable.
-variables.deletion.success=La variable ha sido eliminada.
-variables.creation.failed=No se pudo agregar la variable.
-variables.creation.success=La variable "%s" ha sido añadida.
-variables.update.failed=Error al editar la variable.
-variables.update.success=La variable ha sido editada.
 variables.id_not_exist = Variable con id %d no existe.
 runs.empty_commit_message = (mensaje de commit vacío)
 runs.expire_log_message = Los registros han sido eliminados porque eran demasiado antiguos.
@@ -3536,7 +3450,6 @@ workflow.dispatch.run = Correr flujo de trabajo
 workflow.dispatch.use_from = Usar el flujo de trabajo de
 workflow.dispatch.invalid_input_type = Tipo de entrada inválida "%s".
 workflow.dispatch.success = La ejecución del flujo de trabajo se ha solicitado correctamente.
-variables.not_found = No se ha encontrado la variable.
 workflow.dispatch.input_required = Se requiere valor para la entrada "%s".
 workflow.dispatch.trigger_found = Este flujo de trabajo tiene un disparador de eventos <c>workflow_dispatch</c>.
 workflow.dispatch.warn_input_limit = Sólo se muestran las primeras %d entradas.
@@ -3587,9 +3500,6 @@ regexp_tooltip = Interpretar los términos de búsqueda como una expresión regu
 regexp = Expresión Regular
 
 [markup]
-filepreview.lines = Líneas %[1]d a %[2]d en %[3]s
-filepreview.line = Línea %[1]d en %[2]s
-filepreview.truncated = La vista previa se ha truncado
 
 [repo.permissions]
 pulls.read = <b>Lectura:</b> Leer y crear pull requests.
diff --git a/options/locale/locale_et.ini b/options/locale/locale_et.ini
index 7bb17324b8..6b3374ce4c 100644
--- a/options/locale/locale_et.ini
+++ b/options/locale/locale_et.ini
@@ -26,8 +26,6 @@ enable_javascript = See veebileht eeldab JavaScripti kasutamise lubamist.
 toc = Sisukord
 licenses = Litsentsid
 username = Kasutajanimi
-webauthn_error_unable_to_process = Server ei saanud sinu päringut töödelda.
-webauthn_error_duplicated = Turvavõti ei ole selle päringu puhul lubatud. Palun veendu, et võti ei ole juba registreeritud.
 return_to_forgejo = Tagasi Forgejo'sse
 toggle_menu = Lülita menüü sisse/välja
 more_items = Rohkem objekte
@@ -38,16 +36,6 @@ re_type = Kinnita salasõna
 twofa = Kahefaktoriline autentimine
 twofa_scratch = Kahefaktoriline kriipsukood
 passcode = Salakood
-webauthn_insert_key = Sisesta oma turvavõti
-webauthn_sign_in = Vajuta turvavõtme nuppu. Kui sinu turvavõtmel ei ole nuppu, sisesta see uuesti.
-webauthn_press_button = Palun vajuta turvavõtme nuppu…
-webauthn_use_twofa = Sisesta oma telefonist kahefaktorilise autentimise kood
-webauthn_error = Sinu turvavõtit ei saanud lugeda.
-webauthn_unsupported_browser = Sinu veebibrauser ei toeta praegu WebAuthn-liidestust.
-webauthn_error_unknown = Tekkis tundmatu viga. Palun proovi uuesti.
-webauthn_error_insecure = WebAuthn toetab ainult turvalisi ühendusi. HTTP kaudu testimiseks võid kasutada lähteaadressina „localhost“ või „127.0.0.1“
-webauthn_error_empty = Palun lisa sellele võtmele täisnimi.
-webauthn_error_timeout = Päring aegus enne võtme lugemist. Palun laadi see lehekülg uuesti ja proovi uuesti.
 repository = Hoidla
 organization = Organisatsioon
 new_fork = Uus lähekoodihoidla haru
@@ -555,11 +543,6 @@ template.git_content = Giti sisu (vaikimisi alamharu)
 mirror_denied_combination = Salasõnapõhist ja avaliku võtme põhist autentimist ei saa samal ajal kasutada.
 
 [actions]
-variables = Muutujad
-variables.deletion = Eemalda muutuja
-variables.creation = Lisa muutuja
-variables.none = Muutujaid veel pole.
-variables.management = Halda muutujaid
 
 [admin]
 users.password_helper = Kui sa ei taha salasõna muuta, siis jäta väli tühjaks.
diff --git a/options/locale/locale_eu.ini b/options/locale/locale_eu.ini
index cb4fe075f7..af0a54e418 100644
--- a/options/locale/locale_eu.ini
+++ b/options/locale/locale_eu.ini
@@ -33,18 +33,6 @@ captcha = CAPTCHA
 twofa = Bi faktoreko autentifikazioa
 twofa_scratch = Bi faktoreko marradura-kodea
 passcode = Pasakodea
-webauthn_insert_key = Sartu zure segurtasun-gakoa
-webauthn_sign_in = Sakatu botoia zure segurtasun-gakoan. Zure segurtasun-gakoak ez badu botoirik, sartu berriro.
-webauthn_press_button = Mesedez, sakatu botoia zure segurtasun-gakoan…
-webauthn_use_twofa = Erabili zure telefonoko bi faktoreko kodea
-webauthn_error = Ezin izan da irakurri zure segurtasun-gakoa.
-webauthn_unsupported_browser = Zure nabigatzaileak ez du WebAuthn onartzen.
-webauthn_error_unknown = Akats ezezagun bat gertatu da. Mesedez, saiatu berriro.
-webauthn_error_insecure = WebAuthnek konexio seguruak baino ez ditu onartzen. HTTP bidez probatzeko, "localhost" edo "127.0.0.1" jatorria erabil daiteke
-webauthn_error_unable_to_process = Zerbitzariak ezin izan du zure eskaera prozesatu.
-webauthn_error_duplicated = Segurtasun-gakorik ez da onartzen eskaera honetarako. Mesedez, ziurtatu giltza ea dagoela erregistratuta.
-webauthn_error_empty = Gako honetarako izen bat jarri behar duzu.
-webauthn_error_timeout = Zure gakoa irakurri aurretik denbora-muga gainditu da. Kargatu berriro orrialde hau eta saiatu berriro.
 repository = Biltegia
 new_fork = Biltegi-adar berria
 new_project_column = Zutabe berria
diff --git a/options/locale/locale_fa-IR.ini b/options/locale/locale_fa-IR.ini
index 177970e7e3..bf358b8a8d 100644
--- a/options/locale/locale_fa-IR.ini
+++ b/options/locale/locale_fa-IR.ini
@@ -98,10 +98,6 @@ name=نام
 logo = نشان
 sign_in_with_provider = ورود با %s
 enable_javascript = این وب‌گاه به جاوا اسکریپت نیاز دارد.
-webauthn_press_button = لطفاً دکمۀ روی کلید امنیتی را فشار دهید…
-webauthn_unsupported_browser = مرورگر شما در حال حاضر از WebAuthn پشتیبانی نمی‌کند.
-webauthn_error_unknown = خطایی ناشناخته رخ داد. لطفاً دوباره سعی کنید.
-webauthn_error_unable_to_process = کارساز نتوانست درخواست شما را پردازش کند.
 new_project_column = ستون جدید
 retry = سعی دوباره
 rerun = اجرای دوباره
@@ -113,17 +109,10 @@ locked = قفل شده
 copy_hash = رونوشت هش
 unknown = نامشخص
 copy_type_unsupported = این نوع از فایل نمی‌تواند رونوشت شود
-webauthn_insert_key = کلید امنیتی خود را وارد کنید
-webauthn_sign_in = دکمۀ روی کلید امنیتی را فشار دهید. اگر کلید امنیتی شما دکمه‌ای ندارد، آن را دوباره وارد کنید.
-webauthn_use_twofa = از یک کد دومرحله‌ای از تلفنتان استفاده کنید
-webauthn_error = کلید امنیتی شما نتوانست خوانده شود.
 more_items = موارد بیشتر
-webauthn_error_duplicated = کلید امنیتی برای این درخواست مجاز نیست. لطفاً مطمئن شوید که این کلید در حال حاضر ثبت نشده است.
-webauthn_error_timeout = مهلت زمانی قبل از اینکه کلید شما خوانده شود تمام شد. لطفاً این صفحه را تازه‌سازی کرده و مجدد تلاش کنید.
 new_org.link = سازمان جدید
 new_org.title = سازمان جدید
 new_migrate.link = مهاجرت جدید
-webauthn_error_empty = شما باید یک نام برای این کلید انتخاب کنید.
 new_repo.title = مخزن جدید
 new_migrate.title = مهاجرت جدید
 new_repo.link = مخزن جدید
@@ -155,7 +144,6 @@ filter.not_archived = بایگانی نشده
 copy_content = رونوشت درون‌مایه
 invalid_data = داده نامعتبر: %v
 copy_generic = رونوشت در بریده‌دان
-webauthn_error_insecure = احرازوب فقط از روش‌های ایمن ممکن است. برای آزمودن بر روی اچ‌تی‌تی‌پی می‌توانید از «میزبان‌محلی» یا «۱۲۷.۰.۰.۱» استفاده کنید.
 show_log_seconds = نمایش ثانیه‌ها
 confirm_delete_selected = تایید می‌کنید که همه موارد گزینش شده حذف شوند؟
 filter.clear = پاک‌کردن پالایه‌ها
@@ -2100,34 +2088,6 @@ dashboard.resync_all_hooks=همگام سازی مجدد hook های pre-receive
 dashboard.reinit_missing_repos=تمامی مخازنی که سوابقشان وجود دارند مجدداً گیت آنها مفقود شده است مجدداً مقدمات آنها فراهم شود
 dashboard.sync_external_users=همگام سازی اطلاعات کاربر خارجی
 dashboard.cleanup_hook_task_table=جدول hook_task تمیز کردن
-dashboard.server_uptime=فعالیت بی‌وقفه سرور
-dashboard.current_goroutine=Goroutine های فعلی
-dashboard.current_memory_usage=میزان مصرف فعلی از حافظه
-dashboard.total_memory_allocated=کل حافظه اختصاص داده شده
-dashboard.memory_obtained=حافظه به دست آمده
-dashboard.pointer_lookup_times=اشاره‌گر زمان‌های جستجو
-dashboard.memory_allocate_times=تخصیص یافتن حافظه
-dashboard.memory_free_times=آزادسازی حافظه
-dashboard.current_heap_usage=میزان مصرف توده فعلی
-dashboard.heap_memory_obtained=حافظه به دست آمده برای توده
-dashboard.heap_memory_idle=بیکار بوده حافظه توده
-dashboard.heap_memory_in_use=حافظه توده در حال استفاده
-dashboard.heap_memory_released=حافظه توده آزاد شد
-dashboard.heap_objects=شی توده یا Heap
-dashboard.bootstrap_stack_usage=میزان استفاده از پشته توسط راهنداز
-dashboard.stack_memory_obtained=حافظه پشته به دست آمده
-dashboard.mspan_structures_usage=میزان استفاده‌ی ساختار های MSpan
-dashboard.mspan_structures_obtained=ساختار های MSpan به دست آمده
-dashboard.mcache_structures_usage=میزان استفاده از ساختار های MCache
-dashboard.mcache_structures_obtained=ساختار های MCache به دست آمده
-dashboard.profiling_bucket_hash_table_obtained=Profiling Bucket Hash Table به دست آمده
-dashboard.gc_metadata_obtained=متادیتاهای بدست امده از GC
-dashboard.other_system_allocation_obtained=تخصیص های حافظه در سایر قسمت های سیستم
-dashboard.next_gc_recycle=بازیافت GC بعدی
-dashboard.last_gc_time=زمان از آخرین GC
-dashboard.total_gc_pause=کل زمان مکث GC
-dashboard.last_gc_pause=واپسین مکث در GC
-dashboard.gc_times=زمان های GC
 dashboard.delete_old_actions=تمام اقدامات قدیمی را از پایگاه داده حذف کنید
 dashboard.delete_old_actions.started=حذف تمام اقدامات قدیمی از پایگاه داده شروع شده است.
 
@@ -2167,19 +2127,6 @@ users.still_own_repo=این کاربر هنوز صاحب یک یا چند مخز
 users.still_has_org=این کاربر عضو یک سازمان است. ابتدا کاربر را از هر سازمان متعلق حذف کنید.
 users.deletion_success=حساب کاربری حذف شد.
 users.reset_2fa=2FA را بازنشانی کنید
-users.list_status_filter.menu_text=فیلتر
-users.list_status_filter.reset=شروع دوباره
-users.list_status_filter.is_active=فعال
-users.list_status_filter.not_active=غیرفعال
-users.list_status_filter.is_admin=ادمین
-users.list_status_filter.not_admin=غیرادمین
-users.list_status_filter.is_restricted=محصور
-users.list_status_filter.not_restricted=محدود نشده است
-users.list_status_filter.is_prohibit_login=ورود را ممنوع شود
-users.list_status_filter.not_prohibit_login=اجازه ورود
-users.list_status_filter.is_2fa_enabled=2FA فعال است
-users.list_status_filter.not_2fa_enabled=2FA غیرفعال است
-
 emails.email_manage_panel=مدیریت ایمیل کاربر
 emails.primary=اولیه
 emails.activated=فعال شده
@@ -2447,20 +2394,6 @@ monitor.process.cancel_desc=لغو کردن یک فرآیند ممکن است ب
 monitor.process.cancel_notices=لغو: <strong>%s</strong>؟
 monitor.process.children=فرزندان
 
-monitor.queues=صف ها
-monitor.queue=صف: %s
-monitor.queue.name=نام
-monitor.queue.type=نوع
-monitor.queue.exemplar=نوع نمونه
-monitor.queue.numberworkers=تعداد کارگران
-monitor.queue.maxnumberworkers=بیشینه تعداد کارگران
-monitor.queue.settings.title=تنظیمات استخر
-monitor.queue.settings.maxnumberworkers=بیشینه تعداد کارگران
-monitor.queue.settings.maxnumberworkers.placeholder=در حال حاضر %[1]v
-monitor.queue.settings.maxnumberworkers.error=حداکثر تعداد کارگران باید یک عدد باشد
-monitor.queue.settings.submit=بالا بردن ساماندهی
-monitor.queue.settings.changed=تنظیمات تازه شد
-
 notices.system_notice_list=هشدارهای سامانه
 notices.view_detail_header=مشاهده جزئیات اخطار
 notices.select_all=انتخاب همه
@@ -2548,19 +2481,6 @@ owner.settings.cleanuprules.enabled=فعال شده
 [secrets]
 
 [actions]
-variables.edit = تغییر متغیر
-variables.deletion.success = متغیر حذف شد.
-variables.deletion = حذف متغیر
-variables.creation.success = متغیر "%s" ایجاد شد.
-variables = متغیرها
-variables.management = مدیریت متغیرها
-variables.update.failed = عدم موفقیت در تغییر متغیر
-variables.update.success = تغییر متغیر با موفقیت انجام شد.
-variables.creation = افزودن متغیر
-variables.none = هیچ متغیری هنوز وجود ندارد.
-
-
-
 
 [projects]
 type-1.display_name = پروژه ی مستقل
diff --git a/options/locale/locale_fi-FI.ini b/options/locale/locale_fi-FI.ini
index 8ac50b8437..5e89ce5b5d 100644
--- a/options/locale/locale_fi-FI.ini
+++ b/options/locale/locale_fi-FI.ini
@@ -33,18 +33,6 @@ twofa=Kaksivaiheinen todennus
 twofa_scratch=Kaksivaiheinen kertakäyttöinen koodi
 passcode=Pääsykoodi
 
-webauthn_insert_key=Aseta turva-avaimesi
-webauthn_sign_in=Paina turva-avaimesi painiketta. Jos turva-avaimessasi ei ole painiketta, irrota se ja aseta uudelleen.
-webauthn_press_button=Paina turva-avaimesi painiketta…
-webauthn_use_twofa=Käytä kaksivaihesta todennusta puhelimestasi
-webauthn_error=Turva-avainta ei voitu lukea.
-webauthn_unsupported_browser=Selaimesi ei tällä hetkellä tue WebAuthnia.
-webauthn_error_unknown=Tuntematon virhe. Yritä uudelleen.
-webauthn_error_insecure=WebAuthn tukee vain turvallisia yhteyksiä. Testaamista varten HTTP-välityksellä voit käyttää alkuperää "localhost" tai "127.0.0.1"
-webauthn_error_unable_to_process=Palvelin ei pystynyt käsittelemään pyyntöä.
-webauthn_error_duplicated=Turva-avainta ei ole sallittu tässä pyynnössä. Varmista, ettei avainta ole jo rekisteröity.
-webauthn_error_empty=Sinun täytyy asettaa nimi tälle avaimelle.
-webauthn_error_timeout=Aikakatkaisu ennen kuin avaintasi voitiin lukea. Lataa tämä sivu uudelleen ja yritä uudelleen.
 repository=Tietovarasto
 organization=Organisaatio
 mirror=Peili
@@ -2716,33 +2704,6 @@ dashboard.operation_switch=Vaihda
 dashboard.operation_run=Suorita
 dashboard.delete_inactive_accounts=Poista kaikki aktivoimattomat tilit
 dashboard.delete_repo_archives=Poista kaikki tietovarastojen arkistot (ZIP, TAR.GZ, jne.)
-dashboard.server_uptime=Palvelimen uptime
-dashboard.current_goroutine=Nykyiset goroutinet
-dashboard.current_memory_usage=Nykyinen muistinkäyttö
-dashboard.total_memory_allocated=Yhteensä muistia varattu
-dashboard.memory_obtained=Muistia saatu
-dashboard.pointer_lookup_times=Osoittimen hakuajat
-dashboard.current_heap_usage=Nykyinen heapin käyttö
-dashboard.heap_memory_obtained=Heap-muisti saatu
-dashboard.heap_memory_idle=Heap-muisti tyhjäkäynnillä
-dashboard.heap_memory_in_use=Heap-muisti käytössä
-dashboard.heap_memory_released=Heap-muisti vapautettu
-dashboard.heap_objects=Heap-objektit
-dashboard.bootstrap_stack_usage=Bootstrap-pinon käyttö
-dashboard.stack_memory_obtained=Pinonmuisti saatu
-dashboard.mspan_structures_usage=MSpan-rakenteiden käyttö
-dashboard.mspan_structures_obtained=MSpan-rakenteet saatu
-dashboard.mcache_structures_usage=MCache-rakenteiden käyttö
-dashboard.mcache_structures_obtained=MCache-rakenteet saatu
-dashboard.profiling_bucket_hash_table_obtained=Profilointiämpäritiivistetaulukko saatu
-dashboard.gc_metadata_obtained=Roskienkeruumetatiedot saatu
-dashboard.other_system_allocation_obtained=Muu järjestestelmän varaus saatu
-dashboard.next_gc_recycle=Seuraava roskienkeruukierrätys
-dashboard.last_gc_time=Aika edellisestä roskienkeruusta
-dashboard.total_gc_pause=Yhteensä roskienkeruutauko
-dashboard.last_gc_pause=Viimeinen roskienkeruutauko
-dashboard.gc_times=Roskienkeruuajat
-
 users.user_manage_panel=Käyttäjätilien hallinta
 users.new_account=Luo käyttäjätili
 users.name=Käyttäjänimi
@@ -2770,19 +2731,6 @@ users.allow_git_hook=Voi luoda Git-koukkuja
 users.allow_create_organization=Voi luoda organisaatioita
 users.update_profile=Päivitä käyttäjätili
 users.delete_account=Poista käyttäjätili
-users.list_status_filter.menu_text=Suodata
-users.list_status_filter.reset=Tyhjennä
-users.list_status_filter.is_active=Aktiivinen
-users.list_status_filter.not_active=Ei-aktiivinen
-users.list_status_filter.is_admin=Ylläpitäjä
-users.list_status_filter.not_admin=Ei ylläpitäjä
-users.list_status_filter.is_restricted=Rajoitettu
-users.list_status_filter.not_restricted=Ei rajoitettu
-users.list_status_filter.is_prohibit_login=Kirjautuminen estetty
-users.list_status_filter.not_prohibit_login=Kirjautuminen sallittu
-users.list_status_filter.is_2fa_enabled=2FA käytössä
-users.list_status_filter.not_2fa_enabled=2FA ei käytössä
-
 emails.email_manage_panel=Käyttäjien sähköpostien hallinta
 emails.primary=Ensisijainen
 emails.activated=Aktivoitu
@@ -2937,12 +2885,6 @@ monitor.desc=Kuvaus
 monitor.start=Alkamisaika
 monitor.execute_time=Suoritusaika
 
-monitor.queues=Jonot
-monitor.queue=Jono: %s
-monitor.queue.name=Nimi
-monitor.queue.type=Tyyppi
-monitor.queue.settings.submit=Päivitä asetukset
-
 notices.system_notice_list=Järjestelmän ilmoitukset
 notices.select_all=Valitse kaikki
 notices.deselect_all=Poista kaikki valinnat
@@ -2972,7 +2914,6 @@ users.new_success = Käyttäjätili "%s" on luotu.
 config.disable_register = Poista itserekisteröinti käytöstä
 config.enable_openid_signin = Ota OpenID-kirjautuminen käyttöön
 config.enable_openid_signup = Ota OpenID-itserekisteröinti käyttöön
-monitor.queue.settings.changed = Asetukset päivitetty
 config.db_schema = Skeema
 settings = Ylläpitäjän asetukset
 emails.delete = Poista sähköpostiosoite
@@ -2995,7 +2936,6 @@ auths.oauth2_provider = OAuth2-palveluntarjoaja
 auths.tips.gmail_settings = Gmail-asetukset:
 config.mailer_sendmail_path = Sendmail-polku
 config_settings = Asetukset
-monitor.queue.settings.remove_all_items = Poista kaikki
 config.skip_tls_verify = Ohita TLS-vahvistus
 dashboard.new_version_hint = Forgejo %s on nyt saatavilla. Käytössäsi on %s. Lue lisätietoja <a target="_blank" rel="noreferrer" href="%s">blogista</a>.
 defaulthooks.add_webhook = Lisää oletusarvoinen webkoukku
@@ -3097,7 +3037,6 @@ dashboard.update_checker = Päivitysten tarkistaja
 auths.allowed_domains_helper = Jätä tyhjäksi salliaksesi kaikki verkkotunnukset. Erota useat verkkotunnukset pilkulla (",").
 auths.activated = Tämä todennuslähde on aktivoitu
 auths.login_source_of_type_exist = Tätä tyyppiä oleva todennuslähde on jo olemassa.
-dashboard.memory_allocate_times = Muistiallokaatiot
 users.send_register_notify = Ilmoita rekisteröitymisestä sähköpostitse
 config.offline_mode = Paikallinen tila
 config.cache_item_ttl = Välimuistitietueen TTL
@@ -3128,14 +3067,12 @@ monitor.process.cancel_notices = Perutaanko: <strong>%s</strong>?
 config.enable_federated_avatar = Ota federoidut profiilikuvat käyttöön
 notices.operations = Toimenpiteet
 config.xorm_log_sql = Lokita SQL
-monitor.queue.settings.remove_all_items_done = Kaikki jonossa olleet tietueet on poistettu.
 config.logger_name_fmt = Lokittaja: %s
 config.git_max_diff_line_characters = Diff-merkkejä enintään riviä kohden
 config.git_max_diff_files = Diff-tiedostoja enintään näytettäväksi
 config.access_log_mode = Pääsylokin tila
 config.picture_config = Kuvan ja avatarin asetukset
 notices.delete_success = Järjestelmäilmoitukset on poistettu.
-monitor.queue.settings.maxnumberworkers.placeholder = Tällä hetkellä %[1]d
 auths.force_smtps_helper = SMTPS:ää käytetään aina portissa 465. Aseta tämä pakottaaksesi SMTPS toisiin portteihin. (Muuten STARTTLS:ää käytetään toisiin portteihin, jos palvelin tukee sitä.)
 dashboard.resync_all_sshprincipals = Päivitä ".ssh/authorized_principals"-tiedosto Forgejon SSH-prinsipaaleilla.
 auths.verify_group_membership = Vahvista ryhmäjäsenyys LDAP:issa (jätä suodatin tyhjäksi ohittaaksesi)
@@ -3225,24 +3162,10 @@ creation.value_placeholder = Syötä mitä tahansa sisältöä. Tyhjätila aluss
 
 [actions]
 runs.empty_commit_message = (tyhjä kommittiviesti)
-variables.deletion = Poista muuttuja
 workflow.dispatch.input_required = Arvo syötteelle "%s" vaadittu.
-variables.description = Muuttujat asetetaan tietyille toiminnoille eikä niitä voida lukea muutoin.
-variables.none = Ei muuttujia vielä.
-variables.deletion.description = Muuttujan poistaminen on lopullista, eikä sitä voi perua. Jatketaanko?
 workflow.dispatch.invalid_input_type = Syötetyyppi "%s" ei kelpaa.
 workflow.dispatch.warn_input_limit = Näytetään vain ensimmäiset %d syötettä.
-variables = Muuttujat
-variables.management = Hallitse muuttujia
-variables.creation = Lisää muuttuja
 runs.expire_log_message = Lokitiedostot on tyhjätty vanhenemisen vuoksi.
-variables.deletion.success = Muuttuja poistettu.
-variables.edit = Muokkaa muuttujaa
-variables.creation.success = Muuttuja "%s" lisätty.
-variables.deletion.failed = Muuttujan poisto epäonnistui.
-variables.creation.failed = Muuttujan lisäys epäonnistui.
-variables.update.failed = Muuttujan muokkaus epäonnistui.
-variables.update.success = Muuttuja muokattu.
 variables.id_not_exist = Muuttujaa tunnisteella %d ei ole olemassa.
 workflow.dispatch.run = Suorita työnkulku
 workflow.enable = Ota työnkulku käyttöön
@@ -3253,7 +3176,6 @@ workflow.disable_success = Työnkulku "%s" on poistettu käytöstä.
 unit.desc = Hallitse integroituja CI-/CD-putkia Forgejo Actionsia hyödyntäen.
 runs.no_workflows.help_no_write_access = Lisätietoja Forgejo Actionsista on saatavilla <a target="_blank" rel="noopener noreferrer" href="%s">dokumentaatiosta</a>.
 runs.no_runs = Työnkululla ei ole vielä suorituksia.
-variables.not_found = Muuttujaa ei löytynyt.
 runs.no_workflows.help_write_access = Etkö tiedä, miten aloittaa Forgejo Actionsin käyttö? Lue <a target="_blank" rel="noopener noreferrer" href="%s">pikaopas</a> kirjoittaaksesi ensimmäisen työnkulun, sen jälkeen <a target="_blank" rel="noopener noreferrer" href="%s">määritä Forgejo-ajaja</a> suorittamaan asettamiasi töitä.
 workflow.dispatch.success = Työnkulun suoritusta pyydettiin onnistuneesti.
 workflow.dispatch.trigger_found = Tällä työnkululla on <c>workflow_dispatch</c>-tapahtumaliipaisin.
@@ -3314,7 +3236,6 @@ projects.read = <b>Lue:</b> Pääsy tietovaraston projektitauluille.
 wiki.write = <b>Kirjoita:</b> Luo, päivitä ja poista integroidun wikin sivuja.
 
 [markup]
-filepreview.truncated = Esikatselu on typistetty
 
 [translation_meta]
 test = Tämä on testimerkkijono. Sitä ei näytetä Forgejo-käyttöliittymässä, mutta sitä käytetään testaustarkoituksiin. Voit vapaasti kirjoittaa "selvä" säästääksesi aikaa (tai käyttää hauskaa faktaa) ja saavuttaaksesi sen makean 100 %:n valmistumisrajan :)
\ No newline at end of file
diff --git a/options/locale/locale_fil.ini b/options/locale/locale_fil.ini
index e63c5f0307..68a6efddee 100644
--- a/options/locale/locale_fil.ini
+++ b/options/locale/locale_fil.ini
@@ -43,9 +43,6 @@ sign_up = Magrehistro
 link_account = Mag-link ng account
 template = Template
 tracked_time_summary = Buod ng mga nakasubaybay na oras base sa filter ng listahan ng isyu
-webauthn_sign_in = Pindutin ang button ng iyong security key. Kung walang button ang iyong security key, ilagay muli.
-webauthn_error_insecure = Sinusuportahan lamang ng WebAuthn ang mga secure na koneksyon. Para sa pagsubok sa HTTP, pwede mo gamitin ang origin na "localhost" o "127.0.0.1"
-webauthn_error_timeout = Naabot ang timeout bago mabasa ang iyong key. Mangyaring i-reload ang page na ito at subukan muli.
 view = Itignan
 disabled = Naka-disable
 copy_url = Kopyahin ang URL
@@ -64,15 +61,6 @@ re_type = Kumpirmahin ang password
 captcha = CAPTCHA
 twofa = Authentikasyong two-factor
 passcode = Passcode
-webauthn_insert_key = Ilagay ang iyong security key
-webauthn_press_button = Pindutin ang button ng iyong security key…
-webauthn_use_twofa = Gumamit ng two-factor code galing sa iyong telepono
-webauthn_error = Hindi mabasa ang iyong security key.
-webauthn_unsupported_browser = Kasalukuyang hindi sinusuportahan ng iyong browser ang WebAuthn.
-webauthn_error_unknown = May nangyaring hindi alam na error. Magyaring subukan muli.
-webauthn_error_unable_to_process = Hindi maproseso ng server ang iyong hiling.
-webauthn_error_duplicated = Hindi pinapayagan ang security key na ito para sa hiling na ito. Mangyaring siguraduhin na ang key na ito ay hindi ito nakarehistro na.
-webauthn_error_empty = Kailangan mong maglapat ng pangalan para sa key na ito.
 repository = Repositoryo
 organization = Organisasyon
 mirror = Salamin
@@ -2685,7 +2673,6 @@ emails.updated = Napalitan na ang email
 emails.not_updated = Nabigong baguhin ang hinihiling na email address: %v
 monitor.next = Susunod na oras
 monitor.last_execution_result = Resulta
-dashboard.last_gc_time = Oras noong huling GC
 users.last_login = Huling nag sign-in
 first_page = Una
 last_page = Huli
@@ -2704,8 +2691,6 @@ config_settings = Mga setting
 dashboard.statistic = Buod
 dashboard.task.error = Error sa Utos: %[1]s: %[3]s
 users.full_name = Buong pangalan
-users.list_status_filter.menu_text = Isaasyos
-users.list_status_filter.not_2fa_enabled = Naka-disable ang 2FA
 users.never_login = Hindi nag-sign in kailanman
 dashboard.system_status = Status ng sistema
 dashboard.operation_switch = Palitan
@@ -2731,20 +2716,6 @@ dashboard.resync_all_hooks = I-resychronize ang mga Git hook ng lahat ng mga rep
 dashboard.cleanup_hook_task_table = Linisin ang hook_task table
 dashboard.cleanup_packages = Linisin ang mga na-expire na package
 dashboard.cleanup_actions = Linisin ang mga nag-expire na log at artifact mula sa mga aksyon
-dashboard.server_uptime = Uptime ng server
-dashboard.current_goroutine = Mga kasalukuyang goroutine
-dashboard.total_memory_allocated = Kabuuan na na-allocate na memory
-dashboard.memory_obtained = Mga nakuhang memory
-dashboard.pointer_lookup_times = Oras ng pointer lookup
-dashboard.memory_free_times = Mga memory free
-dashboard.current_heap_usage = Kasalukuyang paggamit ng heap
-dashboard.heap_memory_obtained = Nakuhang heap memory
-dashboard.heap_memory_idle = Idle ng heap memory
-dashboard.heap_objects = Mga heap object
-dashboard.bootstrap_stack_usage = Paggamit ng bootstrap stack
-dashboard.stack_memory_obtained = Nakuhang stack memory
-dashboard.profiling_bucket_hash_table_obtained = Mga nakuhang profiling bucket hash table
-dashboard.gc_metadata_obtained = Nakuhang GC metadata
 dashboard.delete_old_actions = Burahin ang lahat ng mga lumang aktibidad mula sa database
 dashboard.stop_endless_tasks = Itigil ang mga hindi natatapos na aksyon ng task
 dashboard.cancel_abandoned_jobs = Kanselahin ang mga naiwang aksyon ng trabaho
@@ -2763,16 +2734,7 @@ users.update_profile = I-update ang user account
 users.delete_account = Burahin ang user account
 users.cannot_delete_self = Hindi mo maaaring burahin ang sarili mo
 users.still_own_repo = Ang user na ito ay nagmamay-ari pa ng isa o higit pang mga repositoryo. Burahin o ilipat sila muna.
-users.list_status_filter.is_active = Aktibo
-users.list_status_filter.not_active = Hindi aktibo
-users.list_status_filter.is_admin = Tagapangasiwa
-users.list_status_filter.not_admin = Hindi tagapangasiwa
-users.list_status_filter.is_restricted = Pinaghihigpitan
-users.list_status_filter.is_prohibit_login = Pinagbawalan ang pag-login
-users.list_status_filter.not_prohibit_login = Pinapayagan ang pag-login
-users.list_status_filter.is_2fa_enabled = Naka-enable ang 2FA
 users.details = Mga detalye ng user
-dashboard.memory_allocate_times = Mga allocation ng memory
 users.edit = I-edit
 users = Mga user account
 organizations = Mga organisasyon
@@ -2805,13 +2767,7 @@ dashboard.reinit_missing_repos = Muling pagsasaayos ng lahat ng nawawalang mga r
 users.allow_git_hook_tooltip = Ang mga Git hook ay tinatakbo bilang OS user na tinatakbo ang Forgejo at may katulad na level ng pag-access ng host. Bilang isang resulta, ang mga gumagamit na may espesyal na pribilehiyo ng Git hook na ito ay maaaring ma-access at baguhin ang lahat ng mga repositori ng Forgejo pati na rin ang database na ginamit ng Forgejo. Dahil dito nakakamit din nila ang mga pribilehiyo ng Forgejo Administrator.
 dashboard.delete_repo_archives = Burahin ang lahat ng mga archive ng mga repositoryo (ZIP, TAR.GZ, atbp..)
 dashboard.sync_external_users = I-synchronize ang panlabas na user data
-dashboard.heap_memory_released = Mga na-release na heap memory
-dashboard.other_system_allocation_obtained = Ibang allocation ng sistema na nakuha
 users.allow_git_hook = Makakagawa ng mga Git hook
-dashboard.current_memory_usage = Kasalukuyang paggamit ng memory
-dashboard.gc_times = Mga oras ng GC
-users.list_status_filter.reset = I-reset
-users.list_status_filter.not_restricted = Hindi pinaghihigpitan
 config_summary = Buod
 dashboard.new_version_hint = Available na ang Forgejo %s, tumatakbo ka ng %s. Suriin ang <a target="_blank" rel="noreferrer" href="%s">blog</a> para sa karagdagang detalye.
 dashboard.operations = Mga operasyon ng pagpapanatili
@@ -2823,11 +2779,6 @@ dashboard.sync_repo_tags = I-sync ang mga tag mula sa Git data sa database
 dashboard.update_mirrors = I-update ang mga mirror
 dashboard.repo_health_check = Suriin ang kalusugan ng lahat ng mga repositoryo
 dashboard.check_repo_stats = Suriin ang lahat ng istatistika ng repositoryo
-dashboard.mspan_structures_usage = Paggamit ng MSpan structure
-dashboard.mspan_structures_obtained = Mga nakuhang MSpan structure
-dashboard.mcache_structures_usage = Paggamit ng MCache structure
-dashboard.next_gc_recycle = Susunod na GC recycle
-dashboard.mcache_structures_obtained = Mga nakuhang MCache structure
 dashboard.delete_old_actions.started = Nasimula na ang burahin ang lahat ng mga lumang aktibidad mula sa database.
 dashboard.update_checker = Tagasuri ng update
 dashboard.delete_old_system_notices = Burahin ang lahat ng mga lumang paunawa ng sistema mula sa database
@@ -2843,11 +2794,8 @@ users.is_activated = Naka-activate na account
 users.prohibit_login = Sinuspending account
 emails.email_manage_panel = Ipamahala ang mga email ng user
 self_check = Pansariling pagsusuri
-dashboard.total_gc_pause = Kabuuang GC pause
-dashboard.last_gc_pause = Huling GC pause
 users.still_has_org = Ang user na ito ay isang miyembro ng isang organisasyon. Tanggalin ang user sa anumang mga organisasyon muna.
 users.deletion_success = Binura na ang user account.
-dashboard.heap_memory_in_use = Ginagamit na heap memory
 emails.filter_sort.name = Username
 emails.primary = Pauna
 emails.filter_sort.email = Email
@@ -3017,8 +2965,6 @@ auths.allowed_domains = Mga pinapayagang domain
 auths.helo_hostname_helper = Hostname na pinapadala sa pamamagitan ng HELO. Iwanang walang laman para ipadala ang kasalukuyang hostname.
 auths.disable_helo = I-disable ang HELO
 auths.oauth2_profileURL = URL ng profile
-monitor.queue.settings.maxnumberworkers.placeholder = Kasalukuyang %[1]d
-monitor.queue.settings.remove_all_items = Tanggalin lahat
 users.block.description = Harangan ang tagagamit na ito mula sa pag-interact sa serbisyong ito sa pamamagitan ng kanilang mga account at pagbawalan ang pag-sign in.
 monitor.cron = Mga cron task
 config.mailer_sendmail_timeout = Timeout ng Sendmail
@@ -3037,13 +2983,9 @@ config.provider_config = Config ng provider
 config.cache_test_slow = Matagumpay ang pagsubok ng cache, ngunit mabagal ang tugon: %s.
 config.picture_config = Configuration ng larawan at avatar
 config.disabled_logger = Naka-disable
-monitor.queue.settings.submit = I-update ang mga setting
 auths.tips = Mga tip
 config.test_mail_sent = Ang isang test email ay ipinadala kay "%s".
 monitor.process.cancel = Kanselahin ang proseso
-monitor.queues = Mga queue
-monitor.queue.exemplar = Uri ng Exemplar
-monitor.queue.numberworkers = Numero ng mga worker
 config.enable_openid_signup = I-enable ang OpenID na pansariling pagrehistro
 config.session_config = Configuration ng session
 monitor.name = Pangalan
@@ -3054,9 +2996,6 @@ config.git_gc_args = Mga argument ng GC
 config.git_migrate_timeout = Timeout ng paglipat
 config.cache_config = Configuration ng cache
 config.git_pull_timeout = Timeout ng operasyon ng paghila
-monitor.queue.settings.maxnumberworkers = Pinakamaraming numero ng worker
-monitor.queue.settings.title = Mga setting ng pool
-monitor.queue.settings.desc = Dinamikang lumalaki ang mga pool tugon sa kanilang worker queue blocking.
 auths.tip.google_plus = Kumuha ng OAuth2 client credentials mula sa Google API console sa %s
 config.mail_notify = Paganahin ang mga email notification
 config.active_code_lives = Oras ng pag-expire ng activation code
@@ -3066,7 +3005,6 @@ users.organization_creation.description = Payagan ang paggawa ng mga bagong orga
 auths.delete_auth_title = Burahin ang source ng authentikasyon
 auths.delete_auth_desc = Ang pagtanggal ng authentication source ay pumipigil sa mga user na gamitin ito upang mag-sign in. Magpatuloy?
 auths.login_source_of_type_exist = Umiiral na ang authentication source na may ganitong uri.
-monitor.queue.settings.maxnumberworkers.error = Dapat numero ang pinakamaraming numero ng mga worker
 self_check.no_problem_found = Wala pang mga problema na nahanap.
 self_check.database_collation_mismatch = Inaasahan ang database na gamitin ang collation: %s
 auths.oauth2_admin_group = Group claim value para sa mga tagapangasiwa. (Opsyonal - kinakailangan ang claim name sa itaas)
@@ -3125,11 +3063,6 @@ monitor.desc = Paglalarawan
 monitor.start = Oras ng pagsimula
 monitor.execute_time = Oras ng pag-execute
 monitor.process.children = Mga anak
-monitor.queue = Queue: %s
-monitor.queue.type = Uri
-monitor.queue.maxnumberworkers = Pinakamaraming numero ng worker
-monitor.queue.numberinqueue = Number sa queue
-monitor.queue.review_add = Suriin / magdagdag ng mga worker
 self_check.database_collation_case_insensitive = Gumagamit ang database ng collation %s, na isang insensitive na collation. Bagama't maaaring gumana ang Forgejo dito, maaaring may ilang bihirang kaso na hindi gumagana gaya ng inaasahan.
 auths.tips.oauth2.general.tip = Kapag nagrerehistro ng bagong OAuth2 na authentication, ang callback/redirect URL ay dapat na:
 auths.activated = Na-activate na ang source ng authentikasyon
@@ -3143,14 +3076,11 @@ config.default_enable_timetracking = I-enable ang pagsubaybay ng oras bilang def
 auths.deletion_success = Binura na ang authentication source.
 auths.login_source_exist = Umiiral na ang authentication source na "%s".
 auths.still_in_used = Ginagamit pa ang authentication source. I-convert o burahin ang mga user na gumagamit ng authentication source na ito muna.
-monitor.queue.settings.remove_all_items_done = Tinanggal na ang lahat ng mga item sa queue.
-monitor.queue.settings.changed = Na-update ang mga setting
 auths.oauth2_map_group_to_team_removal = Tanggalin ang user sa mga naka-synchronize na team kung ang user ay hindi kasama sa katumbas na groupo.
 config.cache_test_succeeded = Matagumpay ang pagsubok ng cache, nakakuha ng tugon sa %s.
 config.open_with_editor_app_help = Ang mga "Open with" editor para sa clone menu. Kung iniwang walang laman, ang default ang gagamitin. I-expand para makita ang default.
 config.set_setting_failed = Nabigo ang pagtakda ng setting na %s
 monitor.download_diagnosis_report = I-download ang ulat ng diagnosis
-monitor.queue.activeworkers = Mga aktibong worker
 self_check.database_inconsistent_collation_columns = Gumagamit ang database ng collation %s, ngunit ang mga column na ito ay gumagamit ng hindi tugmang collations. Maaaring magdulot ito ng ilang hindi inaasahang problema.
 auths.tip.twitter = Pumunta sa %s, gumawa ng application at siguraduhing naka-enable ang "Payagan ang application na gamitin para Mag-sign in sa Twitter" na opsyon
 auths.tip.gitea = Magrehistro ng bagong OAuth2 na application. Ang guide ay mahahanap sa %s
@@ -3175,7 +3105,6 @@ config.gc_interval_time = Oras ng pagitan ng GC
 config.cookie_life_time = Lifetime ng cookie
 config.git_clone_timeout = Timeout ng operasyon na pag-clone
 monitor.process.cancel_desc = Ang pagkansela ng proseso ay maaaring magdulot ng pagkawalan ng data
-monitor.queue.name = Pangalan
 auths.oauth2_required_claim_value_helper = Itakda ang value na ito upang i-restrict ang pag-login mula sa pinagmulang ito sa mga user na may claim na may ganitong pangalan at value
 auths.tip.bitbucket = Magrehistro ng bagong OAuth consumer sa %s at idagdag ang pahintulot na "Account" - "Read"
 config.require_sign_in_view = Kailanganin ang pag-sign in para itignan ang nilalaman
@@ -3319,39 +3248,24 @@ owner.settings.cleanuprules.enabled = Naka-enable
 [actions]
 workflow.dispatch.trigger_found = Mayroong <c>workflow_dispatch</c> na trigger ang workflow na ito.
 unit.desc = Ipamahala ang mga pinag-sasamang CI/CD pipeline sa pamamagitan ng Forgejo Actions.
-variables.update.failed = Nabigong baguhin ang variable.
-variables.update.success = Nabago na ang variable.
-variables.edit = Baguhin ang Variable
 workflow.enable = I-enable ang workflow
 workflow.disabled = Naka-disable ang workflow.
 need_approval_desc = Kailangan ng pag-apruba para tumakbo ng mga workflow para sa fork na hiling sa paghila.
-variables = Mga variable
 runs.no_runs = Wala pang mga pagtatakbo ang workflow na ito sa ngayon.
-variables.creation = Magdagdag ng variable
-variables.none = Wala pang mga variable sa ngayon.
-variables.deletion = Tanggalin ang variable
-variables.deletion.description = Permanente ang pagtanggal ng isang variable at hindi ito mababalik. Magpatuloy?
 runs.empty_commit_message = (walang laman na mensahe ng commit)
 workflow.enable_success = Matagumpay na na-enable ang workflow na "%s".
 workflow.dispatch.run = Patakbuhin ang workflow
 workflow.dispatch.success = Matagumpay na nahiling ang pagtakbo ng workflow.
-variables.management = Ipamahala ang mga variable
-variables.deletion.failed = Nabigong tanggalin ang variable.
 workflow.disable = I-disable ang workflow
 workflow.disable_success = Matagumpay na na-disable ang workflow na "%s".
-variables.creation.failed = Nabigong idagdag ang variable.
 workflow.dispatch.use_from = Gamitin ang workflow mula sa
 workflow.dispatch.invalid_input_type = Hindi wastong input type "%s".
 workflow.dispatch.input_required = Kumailangan ng value para sa input na "%s".
 workflow.dispatch.warn_input_limit = Pinapakita lamang ang unang %d na mga input.
-variables.description = Ipapasa ang mga variable sa ilang mga aksyon at hindi mababasa kung hindi man.
 variables.id_not_exist = Hindi umiiral ang variable na may ID na %d.
-variables.deletion.success = Tinanggal na ang variable.
-variables.creation.success = Nadagdag na ang variable na "%s".
 runs.expire_log_message = Na-purge ang mga log dahil masyado silang luma.
 runs.no_workflows.help_write_access = Hindi alam kung paano magsimula sa Forgejo Actions? Tignan ang <a target="_blank" rel="noopener noreferrer" href="%s">mabilisang pagsimula sa user documentation</a> para magsimulang magsulat ng unang workflow, at <a target="_blank" rel="noopener noreferrer" href="%s">mag-setup ng Forgejo runner</a> para patakbuhin ang mga job.
 runs.no_workflows.help_no_write_access = Para matuto tungkol sa Forgejo Actions, tignan ang <a target="_blank" rel="noopener noreferrer" href="%s">dokumentasyon</a>.
-variables.not_found = Nabigong hanapin ang variable.
 
 [action]
 commit_repo = itinulak sa <a href="%[2]s">%[3]s</a> sa <a href="%[1]s">%[4]s</a>
@@ -3435,9 +3349,6 @@ management = Ipamahala ang mga secret
 deletion.description = Ang pagtanggal ng sikreto ay permanente at hindi mababawi. Magpatuloy?
 
 [markup]
-filepreview.line = Linya %[1]d sa %[2]s
-filepreview.truncated = Na-truncate ang preview
-filepreview.lines = Mga linya %[1]d hanggang %[2]d sa %[3]s
 
 [projects]
 deleted.display_name = Binurang proyekto
diff --git a/options/locale/locale_fr-FR.ini b/options/locale/locale_fr-FR.ini
index 543d03baa9..2558b99f74 100644
--- a/options/locale/locale_fr-FR.ini
+++ b/options/locale/locale_fr-FR.ini
@@ -37,18 +37,6 @@ twofa=Authentification à deux facteurs
 twofa_scratch=Code de secours pour l'authentification à deux facteurs
 passcode=Code d'accès
 
-webauthn_insert_key=Insérez votre clé de sécurité
-webauthn_sign_in=Appuyez sur le bouton de votre clé de sécurité. Si votre clé de sécurité n'a pas de bouton, réinsérez-la.
-webauthn_press_button=Veuillez appuyer sur le bouton de votre clé de sécurité…
-webauthn_use_twofa=Utilisez l'authentification à deux facteurs avec votre téléphone
-webauthn_error=Impossible de lire votre clé de sécurité.
-webauthn_unsupported_browser=Votre navigateur ne prend actuellement pas en charge WebAuthn.
-webauthn_error_unknown=Une erreur indéterminée s'est produite. Veuillez réessayer.
-webauthn_error_insecure=`WebAuthn ne prend en charge que les connexions sécurisées. Pour les tests via HTTP, vous pouvez utiliser l'origine "localhost" ou "127.0.0.1"`
-webauthn_error_unable_to_process=Le serveur n'a pas pu traiter votre demande.
-webauthn_error_duplicated=La clé de sécurité n'est pas autorisée pour cette demande. Veuillez vous assurer que la clé n'est pas déjà enregistrée.
-webauthn_error_empty=Vous devez définir un nom pour cette clé.
-webauthn_error_timeout=Le délai d'attente imparti a été atteint avant que votre clé ne puisse être lue. Veuillez recharger la page pour réessayer.
 repository=Dépôt
 organization=Organisation
 mirror=Miroir
@@ -2936,34 +2924,6 @@ dashboard.sync_external_users=Synchroniser les données de l’utilisateur exter
 dashboard.cleanup_hook_task_table=Nettoyer la table hook_task
 dashboard.cleanup_packages=Nettoyer des paquets expirés
 dashboard.cleanup_actions=Nettoyer les journaux et les artefacts des actions obsolètes
-dashboard.server_uptime=Uptime du serveur
-dashboard.current_goroutine=Goroutines actuelles
-dashboard.current_memory_usage=Utilisation Mémoire actuelle
-dashboard.total_memory_allocated=Mémoire totale allouée
-dashboard.memory_obtained=Mémoire obtenue
-dashboard.pointer_lookup_times=Nombre de Consultations Pointeur
-dashboard.memory_allocate_times=Allocations de mémoire
-dashboard.memory_free_times=Nombre de libérations de mémoire
-dashboard.current_heap_usage=Utilisation Tas (Heap)
-dashboard.heap_memory_obtained=Mémoire tas (Heap) obtenue
-dashboard.heap_memory_idle=Mémoire tas (Heap) au repos
-dashboard.heap_memory_in_use=Utilisation mémoire tas (Heap)
-dashboard.heap_memory_released=Mémoire tas (Heap) libérée
-dashboard.heap_objects=Objets tas (Heap)
-dashboard.bootstrap_stack_usage=Utilisation pile bootstrap
-dashboard.stack_memory_obtained=Mémoire pile obtenue
-dashboard.mspan_structures_usage=Utilisation des structures MSpan
-dashboard.mspan_structures_obtained=Structures MSpan obtenues
-dashboard.mcache_structures_usage=Utilisation des structures MCache
-dashboard.mcache_structures_obtained=Structures MCache obtenues
-dashboard.profiling_bucket_hash_table_obtained=Profilage de seau de table de hashage obtenu
-dashboard.gc_metadata_obtained=Métadonnées GC obtenues
-dashboard.other_system_allocation_obtained=Autres allocation système obtenue
-dashboard.next_gc_recycle=Prochain recyclage GC
-dashboard.last_gc_time=Temps depuis le dernier GC
-dashboard.total_gc_pause=Pause totale GC
-dashboard.last_gc_pause=Dernière pause GC
-dashboard.gc_times=Nombres de GC
 dashboard.delete_old_actions=Supprimer toutes les anciennes activités de la base de données
 dashboard.delete_old_actions.started=Suppression de toutes les anciennes activités de la base de données démarrée.
 dashboard.update_checker=Vérificateur de mise à jour
@@ -3021,18 +2981,6 @@ users.purge_help=Éradique l’utilisateur et tous ses dépôts, organisations e
 users.still_own_packages=Cet utilisateur possède encore un ou plusieurs paquets. Supprimez d’abord ces paquets.
 users.deletion_success=Le compte a été supprimé.
 users.reset_2fa=Réinitialiser l'authentification à deux facteurs
-users.list_status_filter.menu_text=Filtrer
-users.list_status_filter.reset=Réinitialiser
-users.list_status_filter.is_active=Actif
-users.list_status_filter.not_active=Inactif
-users.list_status_filter.is_admin=Administrateur
-users.list_status_filter.not_admin=Non administrateur
-users.list_status_filter.is_restricted=Restreint
-users.list_status_filter.not_restricted=Non restreint
-users.list_status_filter.is_prohibit_login=Interdit de connexion
-users.list_status_filter.not_prohibit_login=Autorisé à se connecter
-users.list_status_filter.is_2fa_enabled=2FA Activé
-users.list_status_filter.not_2fa_enabled=2FA désactivé
 users.details=Informations de l’utilisateur
 
 emails.email_manage_panel=Gestion des courriels des utilisateurs
@@ -3352,26 +3300,6 @@ monitor.process.cancel_desc=L'annulation d'un processus peut entraîner une pert
 monitor.process.cancel_notices=Annuler : <strong>%s</strong> ?
 monitor.process.children=Enfant
 
-monitor.queues=Files d'attente
-monitor.queue=File d'attente : %s
-monitor.queue.name=Nom
-monitor.queue.type=Type
-monitor.queue.exemplar=Type d'exemple
-monitor.queue.numberworkers=Nombre de processus
-monitor.queue.activeworkers=Processus actifs
-monitor.queue.maxnumberworkers=Nombre maximal de processus
-monitor.queue.numberinqueue=Position dans la queue
-monitor.queue.review_add=Examiner / ajouter des processus
-monitor.queue.settings.title=Paramètres du réservoir
-monitor.queue.settings.desc=Les bassins croissent proportionnellement au besoin de leurs exécuteurs.
-monitor.queue.settings.maxnumberworkers=Nombre maximale de processus
-monitor.queue.settings.maxnumberworkers.placeholder=Actuellement %[1]d
-monitor.queue.settings.maxnumberworkers.error=Le nombre de processus doit être un nombre
-monitor.queue.settings.submit=Appliquer les paramètres
-monitor.queue.settings.changed=Paramètres mis à jour
-monitor.queue.settings.remove_all_items=Tout effacer
-monitor.queue.settings.remove_all_items_done=Tous les éléments de la file d'attente ont été effacés.
-
 notices.system_notice_list=Notifications systèmes
 notices.view_detail_header=Voir les détails de la notification
 notices.operations=Opérations
@@ -3514,21 +3442,7 @@ workflow.disabled=Le flux de travail est désactivé.
 
 need_approval_desc=Besoin d’approbation pour exécuter des flux de travail pour une demande d’ajout de bifurcation.
 
-variables=Variables
-variables.management=Gestion des variables
-variables.creation=Ajouter une variable
-variables.none=Il n'y a pas encore de variables.
-variables.deletion=Retirer la variable
-variables.deletion.description=La suppression d’une variable est permanente et ne peut être défaite. Continuer ?
-variables.description=Les variables sont passées aux actions et ne peuvent être lues autrement.
 variables.id_not_exist = La variable numéro %d n’existe pas.
-variables.edit=Modifier la variable
-variables.deletion.failed=Impossible de retirer la variable.
-variables.deletion.success=La variable a bien été retirée.
-variables.creation.failed=Impossible d'ajouter la variable.
-variables.creation.success=La variable « %s » a été ajoutée.
-variables.update.failed=Impossible d’éditer la variable.
-variables.update.success=La variable a bien été modifiée.
 workflow.dispatch.use_from = Utiliser un workflow depuis
 workflow.dispatch.trigger_found = Ce workflow a un déclencheur d'événement <c>workflow_dispatch</c>.
 workflow.dispatch.run = Exécuter le workflow
@@ -3539,7 +3453,6 @@ workflow.dispatch.warn_input_limit = Affichage des %d premiers champs seulement.
 runs.expire_log_message = Les journaux ont été purgés car ils étaient trop anciens.
 runs.no_workflows.help_write_access = Vous ne savez pas par où commencer avec Forgejo Actions ? Regardez la section <a target="_blank" rel="noopener noreferrer" href="%s"> démarrage rapide dans la documentation utilisateur</a> pour écrire votre premier workflow, puis <a target="_blank" rel="noopener noreferrer" href="%s">mettre en place un Forgejo runner</a> pour exécuter vos jobs.
 runs.no_workflows.help_no_write_access = Pour en savoir plus sur Forgejo Actions, consultez <a target="_blank" rel="noopener noreferrer" href="%s">la documentation</a>.
-variables.not_found = La variable n'a pas été trouvée.
 
 [projects]
 type-1.display_name=Projet personnel
@@ -3588,9 +3501,6 @@ regexp = RegExp
 [munits.data]
 
 [markup]
-filepreview.line = Ligne %[1]d dans %[2]s
-filepreview.lines = Lignes %[1]d jusqu'à %[2]d dans %[3]s
-filepreview.truncated = L'aperçu a été tronqué
 
 [repo.permissions]
 pulls.write = <b>Écrire :</b> Fermer des demandes de tirage et gérer les métadonnées telles que les étiquettes, les jalons, les assignés, les dates d'échéance et les dépendances.
diff --git a/options/locale/locale_ga-IE.ini b/options/locale/locale_ga-IE.ini
index 1b9135785b..76ebcd1b91 100644
--- a/options/locale/locale_ga-IE.ini
+++ b/options/locale/locale_ga-IE.ini
@@ -35,18 +35,6 @@ captcha = CAPTCHA
 twofa = Fíordheimhniú Dhá-Fhachtóir
 twofa_scratch = Cód Scratch Dhá-Fhachtóra
 passcode = Paschód
-webauthn_insert_key = Cuir isteach d'eochair slándála
-webauthn_sign_in = Brúigh an cnaipe ar d'eochair slándála. Mura bhfuil aon chnaipe ag d'eochair slándála, cuir isteach é arís.
-webauthn_press_button = Brúigh an cnaipe ar d'eochair slándála le do thoil…
-webauthn_use_twofa = Úsáid cód dhá fhachtóir ó do ghuthán
-webauthn_error = Ní fhéadfaí do eochair slándála a léamh.
-webauthn_unsupported_browser = Ní thacaíonn do bhrabhsálaí le WebAuthn faoi láthair.
-webauthn_error_unknown = Tharla earráid anaithnid. Déan iarracht arís.
-webauthn_error_insecure = Ní thacaíonn WebAuthn ach le naisc slán. Le haghaidh tástála thar HTTP, is féidir leat an bunús “localhost” nó "127.0.0.1" a úsáid
-webauthn_error_unable_to_process = Ní fhéadfadh an freastalaí d'iarratas a phróiseáil.
-webauthn_error_duplicated = Ní cheadaítear an eochair slándála don iarratas seo. Déan cinnte le do thoil nach bhfuil an eochair cláraithe cheana féin.
-webauthn_error_empty = Ní mór duit ainm a shocrú don eochair seo.
-webauthn_error_timeout = Sroicheadh an teorainn ama sula bhféadfaí d’eochair a léamh. Athlódáil an leathanach seo, le do thoil, agus déan iarracht arís.
 repository = Stór
 organization = Eagraíocht
 mirror = Scáthán
@@ -2848,33 +2836,6 @@ dashboard.reinit_missing_repos = Aththosaigh gach stórais Git atá in easnamh a
 dashboard.sync_external_users = Sioncrónaigh sonraí úsáideoirí seachtracha
 dashboard.cleanup_hook_task_table = Glan suas an tábla hook_task
 dashboard.cleanup_packages = Glan suas pacáistí atá imithe in éag
-dashboard.server_uptime = Aga fónaimh Freastalaí
-dashboard.current_goroutine = Goroutines Reatha
-dashboard.current_memory_usage = Úsáid Cuimhne Reatha
-dashboard.total_memory_allocated = Cuimhne Iomlán Leithdháilte
-dashboard.memory_obtained = Cuimhne Faighte
-dashboard.pointer_lookup_times = Amanna Cuardaigh Pointeora
-dashboard.memory_allocate_times = Leithdháiltí Cuimhne
-dashboard.memory_free_times = Saorálann Cuimhne
-dashboard.current_heap_usage = Úsáid Charn Reatha
-dashboard.heap_memory_obtained = Cuimhne Charn Faighte
-dashboard.heap_memory_idle = Díomhaoin Cuimhne Carn
-dashboard.heap_memory_in_use = Cuimhne Carm In Úsáid
-dashboard.heap_memory_released = Cuimhne Carn Eisithe
-dashboard.heap_objects = Cuspóirí Carn
-dashboard.bootstrap_stack_usage = Úsáid Staca Bootstrap
-dashboard.stack_memory_obtained = Cuimhne Staca Faighte
-dashboard.mspan_structures_usage = Úsáid Struchtúir MSpan
-dashboard.mspan_structures_obtained = Struchtúir MSpan a Faightear
-dashboard.mcache_structures_usage = Úsáid Struchtúir MCache
-dashboard.mcache_structures_obtained = Struchtúir MCache a Faightear
-dashboard.profiling_bucket_hash_table_obtained = Tábla Hash Buicéad Próifílithe a Faightear
-dashboard.gc_metadata_obtained = Meiteashonraí GC faighte
-dashboard.other_system_allocation_obtained = Leithdháileadh Córais Eile a Fuarthas
-dashboard.next_gc_recycle = Athchúrsáil GC Eile
-dashboard.total_gc_pause = Sos Iomlán GC
-dashboard.last_gc_pause = Sos GC Deireanach
-dashboard.gc_times = Amanna GC
 dashboard.delete_old_actions = Scrios gach sean-ghníomhaíocht ón mbunachar
 dashboard.delete_old_actions.started = Scrios na sean-ghníomhaíocht go léir ón mbunachar sonraí tosaithe.
 dashboard.update_checker = Seiceoir nuashonraithe
@@ -2912,18 +2873,6 @@ users.purge = Úsáideoir a Ghlanadh
 users.still_own_packages = Tá pacáiste amháin nó níos mó fós ag an úsáideoir seo, scrios na pacáistí seo ar dtús.
 users.deletion_success = Scriosadh an cuntas úsáideora.
 users.reset_2fa = Athshocraigh 2FA
-users.list_status_filter.menu_text = Scagaire
-users.list_status_filter.reset = Athshocraigh
-users.list_status_filter.is_active = Gníomhach
-users.list_status_filter.not_active = Neamhghníomhach
-users.list_status_filter.is_admin = Riarachán
-users.list_status_filter.not_admin = Ní Riarachán
-users.list_status_filter.is_restricted = Srianta
-users.list_status_filter.not_restricted = Gan Srian
-users.list_status_filter.is_prohibit_login = Cosc ar Logáil Isteach
-users.list_status_filter.not_prohibit_login = Ceadaigh Logáil isteach
-users.list_status_filter.is_2fa_enabled = 2FA Cumasaithe
-users.list_status_filter.not_2fa_enabled = 2FA faoi mhíchumas
 users.details = Sonraí Úsáideora
 emails.primary = Bunscoile
 emails.activated = Gníomhachtaithe
@@ -3187,25 +3136,6 @@ monitor.execute_time = Am Forghníomhaithe
 monitor.last_execution_result = Toradh
 monitor.process.cancel = Cealaigh próiseas
 monitor.process.children = Leanaí
-monitor.queues = Scuaineanna
-monitor.queue = Scuaine: %s
-monitor.queue.name = Ainm
-monitor.queue.type = Cineál
-monitor.queue.exemplar = Cineál Eiseamláire
-monitor.queue.numberworkers = Líon na nOibrithe
-monitor.queue.activeworkers = Oibrithe Gníomhacha
-monitor.queue.maxnumberworkers = Líon Uasta na nOibrithe
-monitor.queue.numberinqueue = Uimhir i scuaine
-monitor.queue.review_add = Athbhreithniú / Cuir Oibrithe leis
-monitor.queue.settings.title = Socruithe Linn
-monitor.queue.settings.desc = Fásann linnte go dinimiciúil mar fhreagra ar a gcuid scuaine oibrithe a bhlocáil.
-monitor.queue.settings.maxnumberworkers = Uaslíon na n-oibrithe
-monitor.queue.settings.maxnumberworkers.placeholder = Faoi láthair %[1]d
-monitor.queue.settings.maxnumberworkers.error = Caithfidh uaslíon na n-oibrithe a bheith ina uimhir
-monitor.queue.settings.submit = Nuashonrú Socruithe
-monitor.queue.settings.changed = Socruithe Nuashonraithe
-monitor.queue.settings.remove_all_items = Bain gach
-monitor.queue.settings.remove_all_items_done = Baineadh na míreanna go léir sa scuaine.
 notices.system_notice_list = Fógraí Córais
 notices.operations = Oibríochtaí
 notices.select_all = Roghnaigh Gach
@@ -3230,7 +3160,6 @@ dashboard.resync_all_sshkeys = Nuashonraigh an comhad ".ssh/authorized_keys" le
 dashboard.resync_all_sshprincipals = Nuashonraigh an comhad ".ssh/authorized_principals" le príomhoidí SSH Forgejo.
 dashboard.resync_all_hooks = Athshioncrónaigh crúcaí Git na stórtha uile (réamhghlacadh, nuashonrú, iarghlacadh, próiseasghlacadh, ...)
 dashboard.cleanup_actions = Glan suas logaí agus déantáin atá imithe in éag ó ghníomhartha
-dashboard.last_gc_time = Am ó GC deireanach
 dashboard.stop_zombie_tasks = Stop tascanna gníomhartha zombie
 dashboard.stop_endless_tasks = Stop tascanna gníomhartha gan teorainn
 dashboard.cancel_abandoned_jobs = Cealaigh poist gníomhartha tréigthe
@@ -3399,20 +3328,7 @@ workflow.disable = Díchumasaigh sreabhadh oibre
 workflow.enable = Cumasaigh sreabhadh oibre
 workflow.disabled = Tá an sreabhadh oibre díchumasaithe.
 need_approval_desc = Teastaíonn faomhadh chun sreafaí oibre a rith le haghaidh iarratas tarraingt forc.
-variables = Athróga
-variables.creation = Cuir Athróg leis
-variables.none = Níl aon athróga ann fós.
-variables.deletion = Bain athróg
-variables.deletion.description = Tá athróg a bhaint buan agus ní féidir é a chur ar ais. Lean ar aghaidh?
-variables.description = Cuirfear athróga chuig gníomhartha áirithe agus ní féidir iad a léamh ar mhalairt eile.
 variables.id_not_exist = Níl athróg le ID %d ann.
-variables.edit = Cuir Athróg in Eagar
-variables.deletion.failed = Theip ar athróg a bhaint.
-variables.deletion.success = Tá an athróg bainte.
-variables.creation.failed = Theip ar athróg a chur leis.
-variables.creation.success = Tá an athróg "%s" curtha leis.
-variables.update.failed = Theip ar athróg a chur in eagar.
-variables.update.success = Tá an t-athróg curtha in eagar.
 runs.no_workflows.help_write_access = Nach bhfuil a fhios agat conas tosú le Gníomhartha Forgejo? Féach ar an <a target="_blank" rel="noopener noreferrer" href="%s">tús tapa sa doiciméadacht úsáideora</a> chun do chéad sreabhadh oibre a scríobh, ansin <a target="_blank" rel="noopener noreferrer" href="%s">bunaigh rithire Forgejo</a> chun do phoist a fhorghníomhú.
 runs.no_workflows.help_no_write_access = Chun tuilleadh eolais a fháil faoi Ghníomhartha Forgejo, féach ar <a target="_blank" rel="noopener noreferrer" href="%s">an doiciméadacht</a>.
 workflow.disable_success = Sreabhadh oibre "%s" díchumasaithe go rathúil.
@@ -3424,8 +3340,6 @@ workflow.dispatch.success = Iarradh an sreabhadh oibre go rathúil.
 workflow.dispatch.input_required = Éilítear luach don ionchur "%s".
 workflow.dispatch.invalid_input_type = Cineál ionchuir neamhbhailí "%s".
 workflow.dispatch.warn_input_limit = Ag taispeáint na chéad %d ionchur amháin.
-variables.management = Bainistigh athróga
-variables.not_found = Theip ar an athróg a aimsiú.
 
 [projects]
 deleted.display_name = Tionscadal scriosta
@@ -3463,9 +3377,6 @@ ext_issues = Rochtain ar an nasc chuig rianaitheoir saincheisteanna seachtrach.
 ext_wiki = Rochtain ar an nasc chuig vicí seachtrach. Déantar na ceadanna a bhainistiú go seachtrach.
 
 [markup]
-filepreview.line = Líne %[1]d i %[2]s
-filepreview.lines = Línte %[1]d go %[2]d i %[3]s
-filepreview.truncated = Tá an réamhamharc giorraithe
 
 [translation_meta]
 test = Is teaghrán tástála é seo. Ní thaispeántar é i gcomhéadan úsáideora Forgejo ach úsáidtear é chun críocha tástála. Ná bíodh drogall ort "ceart go leor" a iontráil chun am a shábháil (nó fíric spraíúil de do rogha féin) chun an marc críochnaithe 100% sin a bhaint amach :)
\ No newline at end of file
diff --git a/options/locale/locale_gl.ini b/options/locale/locale_gl.ini
index 7ccafc81f4..43257512b9 100644
--- a/options/locale/locale_gl.ini
+++ b/options/locale/locale_gl.ini
@@ -31,15 +31,6 @@ re_type = Confirme o contrasinal
 captcha = CAPTCHA
 twofa = Autenticación de dobre factor
 passcode = Código de acceso
-webauthn_insert_key = Insira a súa chave de seguridade
-webauthn_press_button = Prema o botón da súa chave de seguridade…
-webauthn_use_twofa = Use o Código de Dous Factores do seu Teléfono
-webauthn_error = Non se puido ler a súa clave de seguridade.
-webauthn_unsupported_browser = O seu navegador non soporta WebAuthn actualmente.
-webauthn_error_unknown = Produciuse un erro descoñecido. Ténteo de novo.
-webauthn_error_unable_to_process = O servidor non puido procesar a súa solicitude.
-webauthn_error_duplicated = A clave de seguridade non está permitida para esta solicitude. Asegúrese de que a clave non estea xa rexistrada.
-webauthn_error_empty = Debe definir un nome para esta clave.
 repository = Repositorio
 organization = Organización
 mirror = Espello
@@ -96,13 +87,10 @@ copy_content = Copiar contido
 language = Linguaxe
 copy_hash = Copiar hash
 twofa_scratch = Código Scratch de Dous Factores
-webauthn_sign_in = Prema o botón da súa chave de seguridade. Se a súa chave de seguridade non ten ningún botón, volva inserila.
 issues = Incidencias
 disabled = Desactivado
 error404 = A páxina á que estás tentando acceder <strong>non existe</strong> ou <strong>non tes autorización</strong> para vela.
 tracked_time_summary = Resumo do tempo de seguimento baseado nos filtros da lista de incidencias
-webauthn_error_insecure = WebAuthn só admite conexións seguras. Para probar a través de HTTP, pode usar a orixe "localhost" ou "127.0.0.1"
-webauthn_error_timeout = Alcanzouse o límite de tempo antes de que se puidera ler a súa clave. Volva cargar esta páxina e ténteo de novo.
 remove = Quitar
 view = Ver
 copy_type_unsupported = Este tipo de ficheiro non se pode copiar
diff --git a/options/locale/locale_he.ini b/options/locale/locale_he.ini
index b176332689..6e6252229d 100644
--- a/options/locale/locale_he.ini
+++ b/options/locale/locale_he.ini
@@ -1,5 +1,4 @@
 [common]
-webauthn_error_unable_to_process = שרת זה נכשל בעיבוד בקשתך.
 help = עזרה
 logo = לוגו
 sign_in_with_provider = כניסה דרך %s
@@ -29,9 +28,6 @@ access_token = קוד גישה
 captcha = CAPTCHA
 twofa_scratch = קוד אימות דו־שלבי
 passcode = קוד כניסה
-webauthn_error_unknown = שגיאה לא ידועה, אפשר לנסות שוב.
-webauthn_error_empty = שם המפתח הוא שדה חובה.
-webauthn_error_timeout = קריאת מפתחך לקחה יותר מדי זמן. אפשר לטעון מחדש את הדף ולנסות שוב.
 organization = ארגון
 mirror = מראה
 new_mirror = מראה חדשה
@@ -101,8 +97,6 @@ twofa = אימות דו־שלבי
 pull_requests = בקשות מיזוג
 powered_by = רץ על %s
 copy_generic = העתקה לCtrl + C
-webauthn_unsupported_browser = הדפדפן שלך לא תומך בWebAuthn.
-webauthn_error_insecure = הפרוטוקול WebAuthn לא תומך בחיבורים לא מאובטחים, למעט דרך "localhost" או "127.0.0.1"
 settings = הגדרות
 your_settings = הגדרות
 new_org.link = ארגון חדש
@@ -115,9 +109,6 @@ copy_content = העתקת תוכן
 copy_type_unsupported = אי אפשר להעתיק קבצים מסוג זה
 concept_system_global = גלובלי
 concept_user_individual = אישי
-webauthn_insert_key = יש להכניס את מפתח אבטחך
-webauthn_press_button = נא ללחוץ על הכפתור שעל מפתח האבטחה…
-webauthn_error = קריאת מפתח האבטחה נכשלה.
 repository = קרפיף
 new_repo.title = קרפיף חדש
 new_migrate.title = יבוא קרפיף
@@ -128,8 +119,6 @@ disabled = כבוי
 copy_path = העתקת מיקום קובץ
 invalid_data = הבנת הקלט נכשלה: %v
 concept_code_repository = קרפיף
-webauthn_sign_in = יש ללחוץ על הכפתור שעל מפתח האבטחה. אם אין כפתור, אפשר להוציא את המפתח ולחבר אותו שוב.
-webauthn_error_duplicated = מפתח האבטחה לא יכול לשמש לבקשה זו. נא לוודא שהמפתח לא רשום.
 dashboard = מבט על
 remove_label_str = הסרת "%s"
 explore = קטלוגים
@@ -139,7 +128,6 @@ confirm_delete_artifact = למחוק את הארטיפקט "%s"?
 toggle_menu = הצגת\הסתרת תפריט
 re_type = סיסמה (שוב)
 tracked_time_summary = סיכום זמן מעקב בהתבסס על מסננים של רשימת סוגיות
-webauthn_use_twofa = השתמש בקוד אימות דו־שלבי מהטלפון שלך
 error413 = מיצית את ההגבלה שלך.
 
 [search]
diff --git a/options/locale/locale_hi.ini b/options/locale/locale_hi.ini
index 10a759689e..42d427f071 100644
--- a/options/locale/locale_hi.ini
+++ b/options/locale/locale_hi.ini
@@ -41,14 +41,6 @@ settings = सेटिंग्स
 your_settings = आपकी सेटिंग्स
 return_to_forgejo = फ़ोर्जेगो पे वापस जाएं
 access_token = एक्सेस टोकन
-webauthn_insert_key = अपनी सिक्योरिटी की डालें
-webauthn_press_button = अपनी सिक्योरिटी की पर बटन दबाएं…
-webauthn_use_twofa = अपने फ़ोन से दो फैक्टर कोड लाएं
-webauthn_unsupported_browser = आपका ब्राउज़र वेबौथ सपोर्ट नहीं करता।
-webauthn_error_unknown = कोई अंजान एरर हुई, फिर से कोशिश करें।
-webauthn_error_unable_to_process = सर्वर आपकी रिक्वेस्ट प्रोसेस नहीं कर पाया।
-webauthn_error_empty = कृपया इस चाभी का नाम रखें।
-webauthn_error_timeout = आपकी की पढ़ने से पहले टाइमआउट हो गया। पृष्ट रीलोड करें और फिर कोशिश करें।
 new_project = नया प्रोजेक्ट
 test = टेस्ट
 locked = लॉक्ड
@@ -88,13 +80,9 @@ remove_label_str = हटाएं आइटम “%s”
 edit = संपादित करना
 view = देखें
 disabled = असक्षम किया गया
-webauthn_sign_in = सिक्योरिटी की का बटन दबाएं, नहीं है तो फिर से प्लग करें।
-webauthn_error_insecure = वेबौथ पर सिर्फ सुरक्षित कनेक्शन हो. HTTP टेस्ट के लिए ओरिजिन “लोकलहोस्ट” या “127.0.0.1”
 new_repo.title = नई रिपॉजिटरी
 pull_requests = पुल्ल करें
 enabled = सक्षम किया गया
-webauthn_error = सिक्योरिटी की रीड नहीं हो पा रही।
-webauthn_error_duplicated = सिक्योरिटी की इस रिक्वेस्ट के लिए नहीं है। कृपया देखें की पहले से रजिस्टर्ड तो नहीं।
 new_migrate.title = नया प्रवासन
 activities = गतिविधियाँ
 rerun_all = फिर से सारे काम करें
diff --git a/options/locale/locale_hu-HU.ini b/options/locale/locale_hu-HU.ini
index 481159fd3c..df48fcd03b 100644
--- a/options/locale/locale_hu-HU.ini
+++ b/options/locale/locale_hu-HU.ini
@@ -92,14 +92,7 @@ filter = Szűrő
 filter.is_archived = Archivált
 logo = Logó
 sign_in_with_provider = Bejelentkezés %s fiókkal
-webauthn_insert_key = Helyezze be biztonsági kulcsát
-webauthn_press_button = Nyomja meg a biztonsági kulcsán található gombot…
 access_token = Hozzáférési token
-webauthn_error = A biztonsági kulcsának beolvasása sikertelen volt.
-webauthn_unsupported_browser = A böngészője jelenleg nem támogatja a WebAuthn protokollt.
-webauthn_error_unknown = Ismeretlen hiba történt. Próbálja újra.
-webauthn_error_unable_to_process = A kiszolgáló nem tudta feldolgozni a kérését.
-webauthn_error_empty = Nevet kell adnia ennek a kulcsnak.
 new_project_column = Új oszlop
 never = Soha
 unknown = Ismeretlen
@@ -122,12 +115,8 @@ view = Megtekintés
 ok = OK
 copy_generic = Másolás vágólapra
 copy_url = Webcím másolása
-webauthn_error_insecure = A WebAuthn csak biztonságos kapcsolatokat támogat. HTTP-n keresztüli tesztelés esetén használja a „localhost” vagy a „127.0.0.1” forrást.
 filter.clear = Szűrők törlése
 enable_javascript = Az oldal működéséhez engedélyezni kell a JavaScriptet.
-webauthn_sign_in = Nyomja meg a biztonsági kulcsán található gombot. Ha nincs rajta gomb, próbálja meg újra behelyezni.
-webauthn_use_twofa = Kétlépcsős hitelesítési kód használata telefonról
-webauthn_error_timeout = Időtúllépés a kulcs beolvasása során. Töltse be újra ezt az oldalt, és próbálkozzon újra.
 copy_branch = Elágazás nevének másolása
 test = Tesztelés
 copy_type_unsupported = Ezt a fájltípust nem lehet másolni
@@ -152,7 +141,6 @@ new_migrate.link = Új migráció
 new_org.title = Új szervezet
 new_org.link = Új szervezet
 filter.is_fork = Másolatok
-webauthn_error_duplicated = A biztonsági kulcs nem engedélyezett ehhez a kéréshez. Győződjön meg róla, hogy a kulcs nincs-e már regisztrálva.
 filter.is_mirror = Tükrök
 
 [aria]
@@ -1298,34 +1286,6 @@ dashboard.clean_unbind_oauth_success=Az összes megszüntetett OAuth kapcsolat t
 dashboard.delete_generated_repository_avatars=Generált tároló avatarok törlése
 dashboard.reinit_missing_repos=Az összes Git tároló újra-inicializálása amihez léteznek bejegyzések
 dashboard.sync_external_users=Külső felhasználói adatok szinkronizálása
-dashboard.server_uptime=Kiszolgáló futási ideje
-dashboard.current_goroutine=Jelenlegi Goroutinok
-dashboard.current_memory_usage=Jelenlegi memória használat
-dashboard.total_memory_allocated=Összes lefoglalt memória
-dashboard.memory_obtained=Megszerzett Memória
-dashboard.pointer_lookup_times=Pointer Lookup Idők
-dashboard.memory_allocate_times=Memóriafoglalások
-dashboard.current_heap_usage=Aktuális Heap Használat
-dashboard.heap_memory_obtained=Heap Memória Megszerezve
-dashboard.heap_memory_idle=Tétlen Heap Memória
-dashboard.heap_memory_in_use=Használatban lévő Heap Memória
-dashboard.heap_memory_released=Elengedett Heap Memória
-dashboard.heap_objects=Heap Objektumok
-dashboard.bootstrap_stack_usage=Bootstrap Stack Használat
-dashboard.stack_memory_obtained=Stack Memória Megszerezve
-dashboard.mspan_structures_usage=MSpan Struktúrák Használata
-dashboard.mspan_structures_obtained=MSpan Struktúrák Megszerezve
-dashboard.mcache_structures_usage=MCache Struktúrák Használata
-dashboard.mcache_structures_obtained=MCache Struktúrák Megszerezve
-dashboard.profiling_bucket_hash_table_obtained=Profilozó Vödrös Hash Tábla Megszerezve
-dashboard.gc_metadata_obtained=GC Metaadat Megszerezve
-dashboard.other_system_allocation_obtained=Másik Rendszer Allokáció Megszerezve
-dashboard.next_gc_recycle=Következő GC Újrahasznosítás
-dashboard.last_gc_time=Utolsó GC óta eltelt idő
-dashboard.total_gc_pause=Teljes GC szünet
-dashboard.last_gc_pause=Utolsó GC szünet
-dashboard.gc_times=GC Idők
-
 users.new_account=Felhasználó létrehozása
 users.name=Felhasználónév
 users.full_name=Teljes név
@@ -1347,10 +1307,6 @@ users.allow_create_organization=Létrehozhat szervezeteket
 users.update_profile=Fiók frissítése
 users.delete_account=Fiók törlése
 users.still_has_org=Ez a felhasználó tagja egy szervezetnek. Először el kell távolítani a felhasználót az összes szervezetből.
-users.list_status_filter.is_active=Aktív
-users.list_status_filter.is_admin=Rendszergazda
-users.list_status_filter.is_restricted=Korlátozott
-
 emails.primary=Elsődleges
 emails.activated=Aktivált
 emails.filter_sort.email=Email
@@ -1568,10 +1524,6 @@ monitor.process.cancel=Folyamat megszakítása
 monitor.process.cancel_desc=Egy folyamat megszakítása adatvesztést okozhat
 monitor.process.cancel_notices=Megszakítás: <strong>%s</strong>?
 
-monitor.queue.name=Név
-monitor.queue.type=Típus
-monitor.queue.settings.submit=Beállítások frissítése
-
 notices.system_notice_list=Rendszer Értesítések
 notices.view_detail_header=Értesítés Részletei
 notices.select_all=Összes Kijelölése
diff --git a/options/locale/locale_id-ID.ini b/options/locale/locale_id-ID.ini
index 575609fffe..2379f3edfe 100644
--- a/options/locale/locale_id-ID.ini
+++ b/options/locale/locale_id-ID.ini
@@ -80,18 +80,6 @@ concept_code_repository=Repositori
 name=Nama
 
 re_type = Konfirmasi Kata Sandi
-webauthn_insert_key = Masukkan kunci keamanan anda
-webauthn_sign_in = Tekan tombol pada kunci keamanan Anda. Jika kunci keamanan Anda tidak memiliki tombol, masukkan kembali.
-webauthn_press_button = Silakan tekan tombol pada kunci keamanan Anda…
-webauthn_use_twofa = Gunakan kode dua faktor dari telepon Anda
-webauthn_error = Tidak dapat membaca kunci keamanan Anda.
-webauthn_unsupported_browser = Browser Anda saat ini tidak mendukung WebAuthn.
-webauthn_error_unknown = Terdapat kesalahan yang tidak diketahui. Mohon coba lagi.
-webauthn_error_insecure = `WebAuthn hanya mendukung koneksi aman. Untuk pengujian melalui HTTP, Anda dapat menggunakan "localhost" atau "127.0.0.1"`
-webauthn_error_unable_to_process = Server tidak dapat memproses permintaan Anda.
-webauthn_error_duplicated = Kunci keamanan tidak diperbolehkan untuk permintaan ini. Pastikan bahwa kunci ini belum terdaftar sebelumnya.
-webauthn_error_empty = Anda harus menetapkan nama untuk kunci ini.
-webauthn_error_timeout = Waktu habis sebelum kunci Anda dapat dibaca. Mohon muat ulang halaman ini dan coba lagi.
 new_project = Proyek Baru
 new_project_column = Kolom Baru
 ok = Oke
@@ -2869,33 +2857,6 @@ dashboard.clean_unbind_oauth=Bersihkan koneksi OAuth yang tidak terikat
 dashboard.clean_unbind_oauth_success=Semua koneksi OAuth yang tidak terikat telah dihapus.
 dashboard.reinit_missing_repos=Menginstal kembali semua repositori Git yang hilang dimana ada catatan
 dashboard.sync_external_users=Sinkronkan data pengguna eksternal
-dashboard.server_uptime=Waktu aktif server
-dashboard.current_goroutine=Goroutine saat ini
-dashboard.current_memory_usage=Penggunaan memori saat ini
-dashboard.total_memory_allocated=Total memori yang dialokasikan
-dashboard.memory_obtained=Memori yang diperoleh
-dashboard.pointer_lookup_times=Jumlah pencarian pointer
-dashboard.current_heap_usage=Penggunaan heap saat ini
-dashboard.heap_memory_obtained=Memori heap yang diperoleh
-dashboard.heap_memory_idle=Memori heap yang menganggur
-dashboard.heap_memory_in_use=Memori heap yang digunakan
-dashboard.heap_memory_released=Memori heap yang dilepaskan
-dashboard.heap_objects=Objek heap
-dashboard.bootstrap_stack_usage=Penggunaan stack bootstrap
-dashboard.stack_memory_obtained=Memori stack yang diperoleh
-dashboard.mspan_structures_usage=Penggunaan struktur MSpan
-dashboard.mspan_structures_obtained=Struktur MSpan yang diperoleh
-dashboard.mcache_structures_usage=Penggunaan struktur MCache
-dashboard.mcache_structures_obtained=Struktur MCache yang diperoleh
-dashboard.profiling_bucket_hash_table_obtained=Tabel hash bucket pemrofilan yang diperoleh
-dashboard.gc_metadata_obtained=Metadata GC yang diperoleh
-dashboard.other_system_allocation_obtained=Alokasi sistem lainnya yang diperoleh
-dashboard.next_gc_recycle=Daur ulang GC berikutnya
-dashboard.last_gc_time=Waktu sejak GC terakhir
-dashboard.total_gc_pause=Total jeda GC
-dashboard.last_gc_pause=Jeda GC terakhir
-dashboard.gc_times=Jumlah GC
-
 users.full_name=Nama lengkap
 users.activated=Diaktifkan
 users.admin=Pengelola
@@ -2904,8 +2865,6 @@ users.created=Dibuat
 users.edit=Edit
 users.auth_source=Sumber autentikasi
 users.local=Lokal
-users.list_status_filter.is_admin=Pengelola
-
 emails.activated=Diaktifkan
 
 orgs.org_manage_panel=Kelola organisasi
@@ -3077,19 +3036,6 @@ monitor.execute_time=Waktu pelaksanaan
 monitor.process.cancel=Batalkan proses
 monitor.process.cancel_desc=Membatalkan proses dapat menyebabkan kehilangan data
 
-monitor.queues=Antrian
-monitor.queue=Antrian: %s
-monitor.queue.name=Nama
-monitor.queue.type=Tipe
-monitor.queue.exemplar=Contoh Tipe
-monitor.queue.numberworkers=Jumlah pekerja
-monitor.queue.maxnumberworkers=Jumlah maksimum pekerja
-monitor.queue.settings.title=Pengaturan pool
-monitor.queue.settings.maxnumberworkers=Jumlah Maks. Worker
-monitor.queue.settings.maxnumberworkers.error=Jumlah maks. worker haruslah sebuah angka
-monitor.queue.settings.submit=Perbarui pengaturan
-monitor.queue.settings.changed=Pengaturan diperbarui
-
 notices.system_notice_list=Pemberitahuan sistem
 notices.view_detail_header=Detail pemberitahuan
 notices.select_all=Pilih semua
@@ -3105,7 +3051,6 @@ notices.delete_success=Laporan sistem telah dihapus.
 
 
 config_settings = Pengaturan
-users.list_status_filter.menu_text = Saring
 self_check = Pemeriksaan mandiri
 identity_access = Identitas & akses
 users = Akun pengguna
@@ -3153,8 +3098,6 @@ dashboard.resync_all_hooks = Sinkronkan ulang hook Git dari semua repositori (pr
 dashboard.cleanup_hook_task_table = Bersihkan tabel hook_task
 dashboard.cleanup_packages = Bersihkan paket yang kedaluwarsa
 dashboard.cleanup_actions = Bersihkan log dan artefak yang kedaluwarsa dari aksi
-dashboard.memory_allocate_times = Alokasi memori
-dashboard.memory_free_times = Pembebasan memori
 dashboard.delete_old_actions = Hapus semua aktivitas lama dari basis data
 dashboard.delete_old_actions.started = Hapus semua aktivitas lama dari basis data dimulai.
 dashboard.update_checker = Pemeriksa pembaruan
@@ -3209,16 +3152,6 @@ users.purge_help = Hapus paksa pengguna beserta semua repositori, organisasi, da
 users.still_own_packages = Pengguna ini masih memiliki satu atau lebih paket, hapus paket tersebut terlebih dahulu.
 users.deletion_success = Akun pengguna telah dihapus.
 users.reset_2fa = Atur ulang 2FA
-users.list_status_filter.reset = Atur ulang
-users.list_status_filter.is_active = Aktif
-users.list_status_filter.not_active = Tidak aktif
-users.list_status_filter.not_admin = Bukan admin
-users.list_status_filter.is_restricted = Dibatasi
-users.list_status_filter.not_restricted = Tidak dibatasi
-users.list_status_filter.is_prohibit_login = Larang masuk
-users.list_status_filter.not_prohibit_login = Izinkan masuk
-users.list_status_filter.is_2fa_enabled = 2FA diaktifkan
-users.list_status_filter.not_2fa_enabled = 2FA dinonaktifkan
 users.details = Detail pengguna
 emails.email_manage_panel = Kelola email pengguna
 emails.primary = Utama
@@ -3377,13 +3310,6 @@ monitor.download_diagnosis_report = Unduh laporan diagnosis
 monitor.duration = Durasi (dtk)
 monitor.last_execution_result = Hasil
 monitor.process.cancel_notices = Batalkan: <strong>%s</strong>?
-monitor.queue.activeworkers = Pekerja aktif
-monitor.queue.numberinqueue = Jumlah dalam antrian
-monitor.queue.review_add = Tinjau / tambah pekerja
-monitor.queue.settings.desc = Pool berkembang secara dinamis sebagai respons terhadap pemblokiran antrian pekerja mereka.
-monitor.queue.settings.maxnumberworkers.placeholder = Saat ini %[1]d
-monitor.queue.settings.remove_all_items = Hapus semua
-monitor.queue.settings.remove_all_items_done = Semua item dalam antrian telah dihapus.
 notices.operations = Operasi
 notices.type_2 = Tugas
 self_check.no_problem_found = Belum ditemukan masalah.
@@ -3482,20 +3408,7 @@ workflow.disable = Nonaktifkan Alur Kerja
 workflow.enable = Aktifkan Alur Kerja
 workflow.disabled = Alur kerja dinonaktifkan.
 need_approval_desc = Butuh persetujuan untuk menjalankan alur kerja untuk pull request fork.
-variables = Variabel
-variables.creation = Tambah Variabel
-variables.none = Belum ada variabel.
-variables.deletion = Hapus variabel
-variables.deletion.description = Menghapus variabel bersifat permanen dan tidak dapat dibatalkan. Lanjutkan?
-variables.description = Variabel akan diteruskan ke beberapa tindakan dan tidak dapat dibaca sebaliknya.
 variables.id_not_exist = Variabel dengan ID %d tidak ada.
-variables.edit = Edit Variabel
-variables.deletion.failed = Gagal menghapus variabel.
-variables.deletion.success = Variabel telah dihapus.
-variables.creation.failed = Gagal menambahkan variabel.
-variables.creation.success = Variabel "%s" telah ditambahkan.
-variables.update.failed = Gagal mengedit variabel.
-variables.update.success = Variabel telah diedit.
 runs.no_workflows.help_write_access = Tidak tahu cara memulai dengan Forgejo Actions? Lihat <a target="_blank" rel="noopener noreferrer" href="%s">panduan memulai cepat di dokumentasi pengguna</a> untuk menulis alur kerja pertama Anda, lalu <a target="_blank" rel="noopener noreferrer" href="%s">siapkan runner Forgejo</a> untuk menjalankan pekerjaan Anda.
 runs.no_workflows.help_no_write_access = Untuk mempelajari Forgejo Actions, lihat <a target="_blank" rel="noopener noreferrer" href="%s">dokumentasi</a>.
 runs.expire_log_message = Log telah dihapus karena sudah terlalu lama.
@@ -3508,8 +3421,6 @@ workflow.dispatch.success = Permintaan jalankan alur kerja berhasil dikirim.
 workflow.dispatch.input_required = Wajib mengisi nilai untuk input "%s".
 workflow.dispatch.invalid_input_type = Jenis input tidak valid "%s".
 workflow.dispatch.warn_input_limit = Hanya menampilkan %d input pertama.
-variables.management = Kelola variabel
-variables.not_found = Gagal menemukan variabel.
 
 [projects]
 type-1.display_name = Proyek Individu
@@ -3573,9 +3484,6 @@ ext_issues = Akses tautan ke pelacak issue eksternal. Izin dikelola secara ekste
 ext_wiki = Akses tautan ke wiki eksternal. Izin dikelola secara eksternal.
 
 [markup]
-filepreview.line = Baris %[1]d di %[2]s
-filepreview.lines = Baris %[1]d hingga %[2]d di %[3]s
-filepreview.truncated = Pratinjau telah dipotong
 
 [translation_meta]
 test = Ini adalah string uji. Tidak ditampilkan di antarmuka Forgejo tetapi digunakan untuk keperluan pengujian. Silakan masukkan "ok" untuk menghemat waktu (atau fakta menarik pilihan Anda) demi mencapai angka penyelesaian 100% yang memuaskan :)
\ No newline at end of file
diff --git a/options/locale/locale_is-IS.ini b/options/locale/locale_is-IS.ini
index 805024281b..e22dfefcc1 100644
--- a/options/locale/locale_is-IS.ini
+++ b/options/locale/locale_is-IS.ini
@@ -33,18 +33,6 @@ twofa=Tvíþætt Auðkenning
 twofa_scratch=Tveggja-Þátta Skrapkóði
 passcode=Aðgangstala
 
-webauthn_insert_key=Settu öryggislykilinn þinn inn
-webauthn_sign_in=Ýttu á hnappinn á öryggislyklinum þínum. Ef öryggislykillinn þinn hefur engan hnapp skaltu setja hann aftur inn.
-webauthn_press_button=Vinsamlegast ýttu á hnappinn á öryggislyklinum þínum…
-webauthn_use_twofa=Notaðu tveggja-þátta kóða úr símanum þínum
-webauthn_error=Gat ekki lesið öryggislykilinn þinn.
-webauthn_unsupported_browser=Vafrinn þinn styður ekki WebAuthn eins og er.
-webauthn_error_unknown=Óþekkt villa kom upp. Vinsamlegast reyndu aftur.
-webauthn_error_insecure=WebAuthn styður aðeins öruggar tengingar. Til að prófa yfir HTTP geturðu notað upprunann „localhost“ eða „127.0.0.1“
-webauthn_error_unable_to_process=Netþjónninn gat ekki ráðið við beiðni þína.
-webauthn_error_duplicated=Öryggislykillinn er ekki leyfður fyrir þessa beiðni. Gakktu úr skugga um að lykillinn sé ekki þegar skráður.
-webauthn_error_empty=Þú verður að setja nafn fyrir þennan lykil.
-webauthn_error_timeout=Tímamörk náð áður en hægt var að lesa lykilinn þinn. Vinsamlegast endurhlaðið þessa síðu og reyndu aftur.
 repository=Hugbúnaðarsafn
 organization=Stofnun
 mirror=Speglun
@@ -1119,9 +1107,6 @@ dashboard.statistic=Yfirlit
 dashboard.operation_switch=Skipta
 dashboard.operation_run=Keyra
 dashboard.update_mirrors=Uppfæra Speglanir
-dashboard.server_uptime=Uppitími Netþjóns
-dashboard.total_memory_allocated=Heildarminni úthlutað
-
 users.name=Notandanafn
 users.full_name=Fullt Nafn
 users.admin=Stjórnandi
@@ -1130,14 +1115,6 @@ users.repos=Söfn
 users.created=Búið til
 users.edit=Breyta
 users.local=Staðbundið
-users.list_status_filter.menu_text=Sía
-users.list_status_filter.reset=Endurstilla
-users.list_status_filter.is_active=Virkt
-users.list_status_filter.is_admin=Stjórnandi
-users.list_status_filter.is_prohibit_login=Stöðva Innskráningu
-users.list_status_filter.not_prohibit_login=Leyfa Innskráningu
-users.list_status_filter.not_2fa_enabled=Tvíþætt Auðkenning Óvirk
-
 emails.primary=Aðal
 emails.filter_sort.email=Tölvupóstur
 emails.filter_sort.name=Notandanafn
@@ -1217,12 +1194,6 @@ monitor.name=Heiti
 monitor.desc=Lýsing
 monitor.process.children=Börn
 
-monitor.queues=Raðir
-monitor.queue.name=Heiti
-monitor.queue.type=Tegund
-monitor.queue.settings.submit=Uppfæra Stillingar
-monitor.queue.settings.changed=Stillingar Uppfærðar
-
 notices.type=Tegund
 notices.type_1=Hugbúnaðarsafn
 notices.type_2=Verkefni
diff --git a/options/locale/locale_it-IT.ini b/options/locale/locale_it-IT.ini
index 3eb67a2f59..3b8475ba67 100644
--- a/options/locale/locale_it-IT.ini
+++ b/options/locale/locale_it-IT.ini
@@ -34,18 +34,6 @@ twofa=Autenticazione a due fattori
 twofa_scratch=Codice di recupero per l'autenticazione a due fattori
 passcode=Codice di sicurezza
 
-webauthn_insert_key=Inserisci la tua chiave di sicurezza
-webauthn_sign_in=Premi il pulsante sul tasto di sicurezza. Se il tasto di sicurezza non ha pulsante, reinseriscilo.
-webauthn_press_button=Premi il pulsante sulla chiave di sicurezza…
-webauthn_use_twofa=Usa un codice a due fattori dal tuo telefono
-webauthn_error=Impossibile leggere la tua chiave di sicurezza.
-webauthn_unsupported_browser=Il tuo browser al momento non supporta WebAuthn.
-webauthn_error_unknown=Si è verificato un errore sconosciuto. Riprova.
-webauthn_error_insecure=WebAuthn supporta solo connessioni sicure. Per il test su HTTP, è possibile utilizzare l'origine "localhost" o "127.0.0.1"
-webauthn_error_unable_to_process=Il server non può elaborare la richiesta.
-webauthn_error_duplicated=La chiave di sicurezza non è consentita per questa richiesta. Assicurati che la chiave non sia già registrata.
-webauthn_error_empty=Devi impostare un nome per questa chiave.
-webauthn_error_timeout=Timeout raggiunto prima che la tua chiave possa essere letta. Ricarica la pagina e riprova.
 repository=Repositorio
 organization=Organizzazione
 mirror=Mirror
@@ -2927,34 +2915,6 @@ dashboard.reinit_missing_repos=Reinizializza tutti i repository Git mancanti per
 dashboard.sync_external_users=Sincronizza dati utente esterno
 dashboard.cleanup_hook_task_table=Pulisci tabella hook_task
 dashboard.cleanup_packages=Pulizia pacchetti scaduti
-dashboard.server_uptime=Tempo di attività
-dashboard.current_goroutine=Goroutine attuali
-dashboard.current_memory_usage=Utilizzo di memoria attuale
-dashboard.total_memory_allocated=Memoria allocata totale
-dashboard.memory_obtained=Memoria ottenuta
-dashboard.pointer_lookup_times=Tempi di ricerca del puntatore
-dashboard.memory_allocate_times=Allocazioni di memoria
-dashboard.memory_free_times=Rilasci di memoria
-dashboard.current_heap_usage=Utilizzo heap attuale
-dashboard.heap_memory_obtained=Memoria heap ottenuta
-dashboard.heap_memory_idle=Memoria heap inattiva
-dashboard.heap_memory_in_use=Memoria heap in uso
-dashboard.heap_memory_released=Memoria heap rilasciata
-dashboard.heap_objects=Oggetti dell'heap
-dashboard.bootstrap_stack_usage=Utilizzo pila iniziale
-dashboard.stack_memory_obtained=Memoria pila ottenuta
-dashboard.mspan_structures_usage=Utilizzo strutture MSpan
-dashboard.mspan_structures_obtained=Strutture MSpan ottenute
-dashboard.mcache_structures_usage=Utilizzo di strutture MCache
-dashboard.mcache_structures_obtained=Strutture MCache ottenute
-dashboard.profiling_bucket_hash_table_obtained=Tabelle hash del secchio di profilazione ottenute
-dashboard.gc_metadata_obtained=Metadata del GC ottenuto
-dashboard.other_system_allocation_obtained=Altre allocazioni di sistema ottenute
-dashboard.next_gc_recycle=Prossimo riciclaggio GC
-dashboard.last_gc_time=Dall'ultimo GC
-dashboard.total_gc_pause=Pausa totale del GC
-dashboard.last_gc_pause=Ultima pausa del GC
-dashboard.gc_times=Esecuzioni GC
 dashboard.delete_old_actions=Elimina tutte le vecchie azioni dal database
 dashboard.delete_old_actions.started=Elimina tutte le vecchie azioni dal database iniziate.
 dashboard.update_checker=Controllore dell'aggiornamento
@@ -2999,19 +2959,6 @@ users.purge=Elimina utente
 users.purge_help=Eliminare forzatamente l'utente e tutti i progetti, le organizzazioni e i pacchetti di proprietà dell'utente. Anche tutti i commenti e le segnalazioni verranno eliminati.
 users.deletion_success=L'account utente è stato eliminato.
 users.reset_2fa=Resetta 2FA
-users.list_status_filter.menu_text=Filtro
-users.list_status_filter.reset=Ripristina
-users.list_status_filter.is_active=Attivo
-users.list_status_filter.not_active=Inattivo
-users.list_status_filter.is_admin=Amministratore
-users.list_status_filter.not_admin=Non amministratore
-users.list_status_filter.is_restricted=Limitato
-users.list_status_filter.not_restricted=Non limitato
-users.list_status_filter.is_prohibit_login=Accesso vietato
-users.list_status_filter.not_prohibit_login=Accesso consentito
-users.list_status_filter.is_2fa_enabled=2FA abilitato
-users.list_status_filter.not_2fa_enabled=2FA disabilitato
-
 emails.email_manage_panel=Gestisci email dell'utente
 emails.primary=Primario
 emails.activated=Attivato
@@ -3304,21 +3251,6 @@ monitor.process.cancel_desc=Annullare un processo potrebbe causare una perdita d
 monitor.process.cancel_notices=Annulla: <strong>%s</strong>?
 monitor.process.children=Figli
 
-monitor.queues=Code
-monitor.queue=Coda: %s
-monitor.queue.name=Nome
-monitor.queue.type=Tipo
-monitor.queue.exemplar=Tipo di esemplare
-monitor.queue.numberworkers=Numero di lavoratori
-monitor.queue.maxnumberworkers=Massimo numero di lavoratori
-monitor.queue.numberinqueue=Numero in coda
-monitor.queue.settings.title=Impostazioni piscina
-monitor.queue.settings.maxnumberworkers=Massimo numero di workers
-monitor.queue.settings.maxnumberworkers.placeholder=Attualmente %[1]d
-monitor.queue.settings.maxnumberworkers.error=Il numero massimo di lavoratori deve essere un numero
-monitor.queue.settings.submit=Aggiorna impostazioni
-monitor.queue.settings.changed=Impostazioni aggiornate
-
 notices.system_notice_list=Avvisi di sistema
 notices.view_detail_header=Visualizza dettagli dell'avviso
 notices.select_all=Seleziona tutto
@@ -3357,7 +3289,6 @@ auths.tip.gitea = Registra una nuova applicazione OAuth2. La guida può essere t
 config.test_mail_sent = Una email di prova è stata inviata a "%s".
 monitor.processes_count = %d processi
 monitor.download_diagnosis_report = Scarica relazione diagnostica
-monitor.queue.activeworkers = Lavoratori attivi
 config.app_data_path = Percorso dati dell'applicazione
 packages.cleanup = Pulisci dati scaduti
 dashboard.cleanup_actions = Pulisci log scaduti e artefatti dalle azioni
@@ -3385,12 +3316,8 @@ auths.new_success = L'autenticazione "%s" è stata aggiunta.
 auths.tips.gmail_settings = Impostazioni Gmail:
 config.test_mail_failed = Impossibile inviare email di prova a "%s": %v
 users.details = Dettagli dell'utente
-monitor.queue.review_add = Revisiona / aggiungi lavoratori
 self_check.no_problem_found = Non c'è ancora nessuna segnalazione.
 self_check.database_inconsistent_collation_columns = La base di dati sta usando la collazione %s ma queste colonne usano una collazione diversa. Potrebbe causare problemi imprevisti.
-monitor.queue.settings.remove_all_items = Rimuovi tutto
-monitor.queue.settings.desc = Le piscine crescono dinamicamente in risposta al blocco dei lavoratori in coda.
-monitor.queue.settings.remove_all_items_done = Tutti gli elementi in coda sono stati rimossi.
 self_check.database_collation_mismatch = Pretendi che la base di dati usi la collazione: %s
 self_check.database_fix_mysql = Per utenti MySQL/MariaDB, potresti usare il comando "forgejo doctor convert" per risolvere problemi di collazione, o potresti risolvere il problema manualmente tramite SQL con "ALTER ... COLLATE ...".
 self_check.database_collation_case_insensitive = La base di dati sta usando la collazione %s, che è una collazione insensibile. Nonostante Forgejo potrebbe lavorarci, ci potrebbero essere rari casi che non vanno come previsto.
@@ -3504,29 +3431,15 @@ creation.success = Il segreto "%s" è stato aggiungo.
 deletion.success = Il segreto è stato rimosso.
 
 [actions]
-variables = Variabili
 unit.desc = Gestisci azioni
 workflow.enable = Abilita flusso di lavoro
-variables.update.success = La variabile è stata modificata.
-variables.update.failed = Impossibile modificare la variabile.
-variables.creation.failed = Errore nell'aggiunta della variabile.
-variables.deletion.success = La variabile è stata rimossa.
-variables.deletion.failed = Impossibile rimuovere la variabile.
-variables.edit = Modifica variabile
 variables.id_not_exist = La variabile con ID %s non esiste.
-variables.deletion.description = La rimozione di una variabile è permanente e non può essere annullata. Continuare?
-variables.deletion = Rimuovi variabile
-variables.none = Non ci sono ancora variabili.
-variables.creation = Aggiungi variabile
-variables.management = Gestisci variabili
 workflow.disabled = Il flusso di lavoro è disabilitato.
 workflow.enable_success = Il flusso di lavoro "%s" è stato abilitato correttamente.
 workflow.disable_success = Il flusso di lavoro "%s" è stato disabilitato con successo.
 workflow.disable = Disabilita flusso di lavoro
 runs.empty_commit_message = (messaggio di commit vuoto)
 runs.no_runs = Il flusso di lavoro non è stato ancora eseguito.
-variables.creation.success = La variabile "%s" è stata aggiunta.
-variables.description = Le variabili saranno passate a determinate azioni e non possono essere lette altrimenti.
 need_approval_desc = È necessaria l'approvazione per eseguire flussi di lavoro per richieste di modifica da fork.
 workflow.dispatch.trigger_found = Questo flusso di lavoro ha un rilevatore di eventi <c>workflow_dispatch</c>.
 workflow.dispatch.run = Esegui flusso di lavoro
@@ -3535,7 +3448,6 @@ workflow.dispatch.input_required = Richiedi valore per l'ingresso "%s".
 workflow.dispatch.invalid_input_type = Tipo ingresso "%s" non valido.
 workflow.dispatch.warn_input_limit = Visualizzati solo i primi %d ingressi.
 workflow.dispatch.use_from = Usa flusso di lavoro da
-variables.not_found = Non è stato possibile trovare la variabile.
 runs.expire_log_message = I log sono stati eliminati in quanto troppo vecchi.
 runs.no_workflows.help_no_write_access = Per saperne di più su Forgejo Actions, consulta <a target="_blank" rel="noopener noreferrer" href="%s">la documentazione</a>.
 runs.no_workflows.help_write_access = Non sai come iniziare con Forgejo Actions? Dai un'occhiata alla <a target="_blank" rel="noopener noreferrer" href="%s"> guida rapida nella documentazione utente</a> per scrivere il tuo primo flusso di lavoro, poi <a target="_blank" rel="noopener noreferrer" href="%s"> configura un esecutore Forgejo</a> per eseguire i tuoi incarichi.
@@ -3589,10 +3501,6 @@ union = Parole chiavi
 [munits.data]
 
 [markup]
-filepreview.lines = Linee da %[1]d a %[2]d in %[3]s
-filepreview.truncated = L'anteprima è stata troncata
-filepreview.line = Linea %[1]d in %[2]s
-
 
 [repo.permissions]
 issues.write = <b>Scrittura:</b> Chiudere segnalazioni e gestire metadati come etichette, traguardi, assegnatarɜ, scadenze e dipendenze.
diff --git a/options/locale/locale_ja-JP.ini b/options/locale/locale_ja-JP.ini
index 5a1acddeef..f4cbb22f49 100644
--- a/options/locale/locale_ja-JP.ini
+++ b/options/locale/locale_ja-JP.ini
@@ -37,18 +37,6 @@ twofa=2要素認証
 twofa_scratch=2要素認証スクラッチコード
 passcode=パスコード
 
-webauthn_insert_key=セキュリティキーを挿入
-webauthn_sign_in=セキュリティキーのボタンを押してください。セキュリティキーにボタンが無い場合は、挿入しなおしてください。
-webauthn_press_button=セキュリティキーのボタンを押してください…
-webauthn_use_twofa=携帯電話から2要素認証コードを使用する
-webauthn_error=セキュリティキーを読み取ることができません。
-webauthn_unsupported_browser=お使いのブラウザは現在 WebAuthn をサポートしていません。
-webauthn_error_unknown=不明なエラーが発生しました。 もう一度やり直してください。
-webauthn_error_insecure=WebAuthn はセキュアな接続のみをサポートしています。HTTP 経由でテストする場合は、"localhost" または "127.0.0.1" のオリジンが使用できます
-webauthn_error_unable_to_process=サーバーがリクエストを処理できませんでした。
-webauthn_error_duplicated=このリクエストに対しては、許可されていないセキュリティキーです。 キーが未登録であることを確認してください。
-webauthn_error_empty=このキーに名前を設定する必要があります。
-webauthn_error_timeout=キーを読み取る前にタイムアウトになりました。 このページをリロードしてもう一度やり直してください。
 repository=リポジトリ
 organization=組織
 mirror=ミラー
@@ -2901,34 +2889,6 @@ dashboard.sync_external_users=外部ユーザーデータの同期
 dashboard.cleanup_hook_task_table=hook_taskテーブルのクリーンアップ
 dashboard.cleanup_packages=期限切れパッケージのクリーンアップ
 dashboard.cleanup_actions=Actionsから期限切れのログとアーティファクトのクリーンアップする
-dashboard.server_uptime=サーバーの稼働時間
-dashboard.current_goroutine=現在のGoroutine数
-dashboard.current_memory_usage=現在のメモリ使用量
-dashboard.total_memory_allocated=メモリ割当量の累計
-dashboard.memory_obtained=メモリ取得量
-dashboard.pointer_lookup_times=ポインタ参照回数
-dashboard.memory_allocate_times=メモリ割当回数
-dashboard.memory_free_times=メモリ解放回数
-dashboard.current_heap_usage=現在のヒープ使用量
-dashboard.heap_memory_obtained=ヒープ用メモリ取得量
-dashboard.heap_memory_idle=未使用のヒープ容量
-dashboard.heap_memory_in_use=使用中のヒープ容量
-dashboard.heap_memory_released=解放済みヒープ容量
-dashboard.heap_objects=ヒープオブジェクト数
-dashboard.bootstrap_stack_usage=スタック使用量
-dashboard.stack_memory_obtained=スタック用メモリ取得量
-dashboard.mspan_structures_usage=MSpan構造体の使用量
-dashboard.mspan_structures_obtained=MSpan構造体用取得量
-dashboard.mcache_structures_usage=MCache構造体の使用量
-dashboard.mcache_structures_obtained=MCache構造体用取得量
-dashboard.profiling_bucket_hash_table_obtained=バケットハッシュテーブルのプロファイリング割当量
-dashboard.gc_metadata_obtained=GCメタデータ用取得量
-dashboard.other_system_allocation_obtained=その他システム割当用取得量
-dashboard.next_gc_recycle=次回のGCリサイクル
-dashboard.last_gc_time=前回GCからの時間
-dashboard.total_gc_pause=GC停止時間の合計
-dashboard.last_gc_pause=前回のGC停止時間
-dashboard.gc_times=GC実行回数
 dashboard.delete_old_actions=データベースから古い操作履歴をすべて削除
 dashboard.delete_old_actions.started=データベースからの古い操作履歴の削除を開始しました。
 dashboard.update_checker=更新チェック
@@ -2985,18 +2945,6 @@ users.purge_help=強制的にユーザーとそのユーザーが所有してい
 users.still_own_packages=このユーザーはまだ1つ以上のパッケージを所有しています。先にそれらのパッケージを削除してください。
 users.deletion_success=ユーザーアカウントを削除しました。
 users.reset_2fa=2要素認証をリセット
-users.list_status_filter.menu_text=フィルター
-users.list_status_filter.reset=リセット
-users.list_status_filter.is_active=有効
-users.list_status_filter.not_active=無効
-users.list_status_filter.is_admin=管理者
-users.list_status_filter.not_admin=非管理者
-users.list_status_filter.is_restricted=制限あり
-users.list_status_filter.not_restricted=制限なし
-users.list_status_filter.is_prohibit_login=ログインを禁止
-users.list_status_filter.not_prohibit_login=ログインを許可
-users.list_status_filter.is_2fa_enabled=2要素認証有効
-users.list_status_filter.not_2fa_enabled=2要素認証無効
 users.details=ユーザーの詳細
 
 emails.email_manage_panel=ユーザーのメールアドレスを管理
@@ -3316,26 +3264,6 @@ monitor.process.cancel_desc=処理をキャンセルするとデータが失わ
 monitor.process.cancel_notices=キャンセル: <strong>%s</strong>?
 monitor.process.children=子プロセス
 
-monitor.queues=キュー
-monitor.queue=キュー: %s
-monitor.queue.name=キュー名
-monitor.queue.type=種類
-monitor.queue.exemplar=要素の型
-monitor.queue.numberworkers=ワーカー数
-monitor.queue.activeworkers=使用ワーカー数
-monitor.queue.maxnumberworkers=ワーカー数上限
-monitor.queue.numberinqueue=キュー内の数
-monitor.queue.review_add=ワーカーの確認 / 追加
-monitor.queue.settings.title=プール設定
-monitor.queue.settings.desc=プールはワーカーキューの待機状態に応じて動的に大きくなります。
-monitor.queue.settings.maxnumberworkers=ワーカー数上限
-monitor.queue.settings.maxnumberworkers.placeholder=現在の設定 %[1]d
-monitor.queue.settings.maxnumberworkers.error=ワーカー数上限は数値にしてください
-monitor.queue.settings.submit=設定を更新
-monitor.queue.settings.changed=設定を更新しました
-monitor.queue.settings.remove_all_items=すべて削除
-monitor.queue.settings.remove_all_items_done=キュー内のすべての項目を削除しました。
-
 notices.system_notice_list=システム通知
 notices.view_detail_header=通知の詳細
 notices.operations=操作
@@ -3481,20 +3409,6 @@ workflow.disabled=ワークフローは無効です。
 
 need_approval_desc=フォークプルリクエストのワークフローを実行するには承認が必要です。
 
-variables=変数
-variables.management=変数の管理
-variables.creation=変数の追加
-variables.none=変数はまだありません。
-variables.deletion=変数を削除
-variables.deletion.description=変数の削除は恒久的で元に戻すことはできません。 続行しますか？
-variables.description=変数は特定のActionsに渡されます。 それ以外で読み出されることはありません。
-variables.edit=変数の編集
-variables.deletion.failed=変数を削除できませんでした。
-variables.deletion.success=変数を削除しました。
-variables.creation.failed=変数を追加できませんでした。
-variables.creation.success=変数 "%s" を追加しました。
-variables.update.failed=変数を更新できませんでした。
-variables.update.success=変数を更新しました。
 variables.id_not_exist = idが%dの変数は存在しません。
 workflow.dispatch.run = ワークフローを実行
 workflow.dispatch.success = ワークフローの実行が正常にリクエストされました。
@@ -3504,7 +3418,6 @@ workflow.dispatch.input_required = 入力 "%s" に値が必要です。
 workflow.dispatch.invalid_input_type = 入力タイプ「%s」が無効です。
 workflow.dispatch.warn_input_limit = 最初の %d 個の入力のみを表示します。
 runs.expire_log_message = ログは古すぎるため消去されています。
-variables.not_found = 変数が見つかりませんでした。
 runs.no_workflows.help_no_write_access = Forgejoアクションの詳細については、<a target="_blank" rel="noopener noreferrer" href="%s">ドキュメント</a>を参照してください。
 runs.no_workflows.help_write_access = Forgejo アクションの始め方がわからない場合は、<a target="_blank" rel="noopener noreferrer" href="%s">ユーザードキュメントのクイック スタート</a>を参照して最初のワークフローを作成し、次に <a target="_blank" rel="noopener noreferrer" href="%s">Forgejo ランナーをセットアップ</a>してジョブを実行して下さい。
 
@@ -3556,9 +3469,6 @@ union = フレーズ一致
 [munits.data]
 
 [markup]
-filepreview.lines = %[3]s の %[1]d 行目から %[2]d 行目
-filepreview.line = %[2]s の %[1]d 行目
-filepreview.truncated = プレビューは途中から省略されています
 
 [repo.permissions]
 actions.write = <b>書き込み:</b> 保留中の CI/CD パイプラインを手動でトリガー、再起動、キャンセル、または承認します。
diff --git a/options/locale/locale_ka.ini b/options/locale/locale_ka.ini
index f5dff16977..d99ab6a667 100644
--- a/options/locale/locale_ka.ini
+++ b/options/locale/locale_ka.ini
@@ -641,10 +641,6 @@ users.repos = რეპოები
 users.created = შეიქმნა
 users.edit = ჩასწორება
 users.local = ლოკალური
-users.list_status_filter.reset = ჩამოყრა
-users.list_status_filter.is_active = აქტიურია
-users.list_status_filter.is_admin = ადმინი
-users.list_status_filter.is_restricted = შეზღუდული
 emails.primary = ძირითადი
 emails.activated = გააქტიურებულია
 emails.filter_sort.email = ელფოსტა
@@ -695,17 +691,12 @@ monitor.stacktrace = სტეკის დატრეისება
 monitor.desc = აღწერა
 monitor.last_execution_result = შედეგი
 monitor.process.children = შვილები
-monitor.queues = რიგები
-monitor.queue.name = სახელი
-monitor.queue.type = ტიპი
 notices.operations = ოპერაციები
 notices.type = ტიპი
 notices.type_1 = რეპოზიტორია
 notices.type_2 = ამოცანა
 notices.desc = აღწერა
 notices.op = ოპ.
-users.list_status_filter.menu_text = ფილტრი
-users.list_status_filter.not_active = არააქტიურია
 config.send_test_mail_submit = გაგზავნა
 packages.creator = შემქმნელი
 dashboard.operation_switch = გადართვა
@@ -738,7 +729,6 @@ owner.settings.cleanuprules.enabled = ჩართულია
 secrets = საიდუმლოები
 
 [actions]
-variables = ცვლადები
 
 [git.filemode]
 directory = საქაღალდე
diff --git a/options/locale/locale_kab.ini b/options/locale/locale_kab.ini
index ebd2af5f63..71d7d508a1 100644
--- a/options/locale/locale_kab.ini
+++ b/options/locale/locale_kab.ini
@@ -424,7 +424,6 @@ auths.name = Isem
 config.db_name = Isem
 config.mailer_name = Isem
 monitor.name = Isem
-monitor.queue.name = Isem
 repositories = Ikufan
 dashboard = Tafelwit n usenqed
 organizations = Tuddsiwin
@@ -442,7 +441,6 @@ orgs.teams = Igrawen
 orgs.members = Imttekkiyen
 repos.owner = Bab-is
 config.mailer_user = Aseqdac
-users.list_status_filter.is_admin = Anedbal
 users.admin = Anedbal
 repos.size = Tiddi
 packages.owner = Bab-is
@@ -467,7 +465,6 @@ config.mailer_smtp_port = Tawwurt n SMTP
 config.mailer_use_sendmail = Seqdec Sendmail
 config.https_only = HTTPS kan
 config.git_config = Tawila n Git
-monitor.queue.settings.remove_all_items = Kkes-iten akk
 auths.oauth2_profileURL = URL n umaɣnu
 users.update_profile = Leqqem amiḍan n useqdac
 auths.type = Anaw
@@ -482,8 +479,6 @@ config.db_schema = Azenziɣ
 config.db_path = Abrid
 config.mailer_enabled = D urmid
 config.mailer_protocol = Aneggaf
-users.list_status_filter.is_active = D urmid
-users.list_status_filter.not_active = D arurmid
 monitor.stats = Tiddadanin
 config.enable_captcha = Sermed CAPTCHA
 notices.select_all = Fren-iten akk
diff --git a/options/locale/locale_ko-KR.ini b/options/locale/locale_ko-KR.ini
index 7a45572463..7d8ddcf5b6 100644
--- a/options/locale/locale_ko-KR.ini
+++ b/options/locale/locale_ko-KR.ini
@@ -88,31 +88,19 @@ toc = 목차
 licenses = 라이센스
 return_to_forgejo = Forgejo로 돌아가기
 access_token = 액세스 토큰
-webauthn_error_unable_to_process = 서버가 귀하의 요청을 처리할 수 없습니다.
-webauthn_error_duplicated = 이 요청에는 보안 키가 허용되지 않습니다. 키가 이미 등록되어 있는지 확인하세요.
 remove_label_str = "%s" 항목 제거
 disabled = 비활성화됨
 locked = 잠김
 filter = 필터
 filter.not_fork = 포크가 아님
 filter.is_mirror = 미러
-webauthn_press_button = 보안 키의 버튼을 누르세요…
 toggle_menu = 토글 메뉴
-webauthn_error = 보안 키를 읽을 수 없습니다.
-webauthn_unsupported_browser = 현재 귀하의 브라우저는 웹 인증을 지원하지 않습니다.
-webauthn_insert_key = 보안 키를 입력하세요
-webauthn_sign_in = 보안 키에 있는 버튼을 누르세요. 만약 보안 키에 버튼이 없다면 다시 입력하세요.
-webauthn_use_twofa = 휴대전화 2단계 코드 사용
 retry = 다시 시도하기
 rerun = 다시 실행하기
 rerun_all = 모든 작업을 다시 실행하기
 copy = 복사
 new_project_column = 새 열
 more_items = 더 보기
-webauthn_error_unknown = 알 수 없는 오류가 발생했습니다. 다시 시도해주세요.
-webauthn_error_insecure = 웹 인증은 안전한 연결만 지원합니다. HTTP에서 테스트할 경우, "localhost" 또는 "127.0.0.1" 오리진을 사용할 수 있습니다.
-webauthn_error_empty = 키의 이름을 설정해야 합니다.
-webauthn_error_timeout = 키를 읽기 전에 시간이 초과되었습니다. 페이지를 새로 고치고 다시 시도해주세요.
 copy_generic = 클립보드에 복사
 copy_url = URL 복사
 copy_hash = 해시 복사
@@ -1471,35 +1459,6 @@ dashboard.operation_switch=스위치
 dashboard.operation_run=실행
 dashboard.git_gc_repos=모든 저장소 가비지 콜렉트
 dashboard.sync_external_users=외부 사용자 데이터 동기화
-dashboard.server_uptime=서버를 켠 시간
-dashboard.current_goroutine=현재 Go루틴
-dashboard.current_memory_usage=현재 메모리 사용율
-dashboard.total_memory_allocated=전체 할당 메모리
-dashboard.memory_obtained=메모리 확보
-dashboard.pointer_lookup_times=포인터 조회 시간
-dashboard.memory_allocate_times=사용 메모리
-dashboard.memory_free_times=가용 메모리
-dashboard.current_heap_usage=현재 힙 사용현황
-dashboard.heap_memory_obtained=힙 메모리 확보
-dashboard.heap_memory_idle=힙 메모리 유휴
-dashboard.heap_memory_in_use=힙 메모리 사용중
-dashboard.heap_memory_released=힙 메모리 풀림
-dashboard.heap_objects=힙 객체
-dashboard.bootstrap_stack_usage=부트스트랩 스택 사용현황
-dashboard.stack_memory_obtained=스택 메모리 확보
-dashboard.mspan_structures_usage=MSpan 구조 사용현황
-dashboard.mspan_structures_obtained=MSpan 구조 확보
-dashboard.mcache_structures_usage=MCache 구조 사용현황
-dashboard.mcache_structures_obtained=MCache 구조 확보
-dashboard.profiling_bucket_hash_table_obtained=버켓 해시 테이블 확보 프로파일링
-dashboard.gc_metadata_obtained=가비지 콜렉션 메타 데이터 확보
-dashboard.other_system_allocation_obtained=기타 시스템 할당 확보
-dashboard.next_gc_recycle=다음 가비지 콜렉션 순환
-dashboard.last_gc_time=마지막 가비지 콜렉션 시간
-dashboard.total_gc_pause=모든 가비지 콜렉션 중지
-dashboard.last_gc_pause=마지막 가비지 콜렉션 중지
-dashboard.gc_times=가비지 콜렉션 시간
-
 users.user_manage_panel=사용자 계정 관리
 users.new_account=사용자 계정 생성
 users.name=사용자명
@@ -1528,9 +1487,6 @@ users.allow_create_organization=조직 생성 허용
 users.update_profile=사용자 계정 갱신
 users.delete_account=사용자 계정 삭제
 users.deletion_success=사용자 계정이 삭제되었습니다.
-users.list_status_filter.is_active=사용
-users.list_status_filter.is_admin=관리자
-
 emails.activated=활성화됨
 
 orgs.org_manage_panel=조직 관리
@@ -1725,10 +1681,6 @@ monitor.desc=설명
 monitor.start=시작 시간
 monitor.execute_time=실행 시간
 
-monitor.queue.name=이름
-monitor.queue.type=유형
-monitor.queue.settings.submit=설정 업데이트
-
 notices.system_notice_list=시스템 공지
 notices.view_detail_header=알림 세부정보 보기
 notices.select_all=모두 선택
diff --git a/options/locale/locale_kw.ini b/options/locale/locale_kw.ini
index 6c6c21f9d8..ac8dd8a41a 100644
--- a/options/locale/locale_kw.ini
+++ b/options/locale/locale_kw.ini
@@ -1,6 +1,3 @@
-
-
-
 [common]
 home = Tre
 dashboard = Skostel
@@ -37,18 +34,6 @@ captcha = CAPTCHA
 twofa = Gwirheans dewkamm
 twofa_scratch = Kod kravas dewkamm
 passcode = Kod-tremena
-webauthn_insert_key = Gorra a-bervedh agas alhwedh sawder
-webauthn_sign_in = Tavewgh an boton war agas alhwedh sawder. Mar nyns eus boton, gorrewgh a-bervedh arta.
-webauthn_press_button = Mar pleg gwaskewgh an boton war agas alhwedh sawder…
-webauthn_use_twofa = Devnydhyer kod dewkamm dhyworth agas klapkodh
-webauthn_error = Ny yllir redya agas alhwedh sawder.
-webauthn_unsupported_browser = Ny skoodhya a-lemmyn agas peurell WebAuthn.
-webauthn_error_unknown = Yth esa error ankoth. Mar pleg assayewgh arta.
-webauthn_error_insecure = WebAuthn a skoodh junyans saw yn unnik. Rag ow previ dres HTTP. ty a yll devnydhya an devedhyans "localhost" po "127.0.0.1"
-webauthn_error_unable_to_process = Ny yllir an servell argerdhes agas govyn.
-webauthn_error_duplicated = Nyns yw an alhwedh sawder gesys rag an govyn ma. Mar pleg, surhewgh nyns yw an alhwedh kovskrifys seulabrys.
-webauthn_error_empty = Res yw dhywgh settya hanow rag an alhwedh ma.
-webauthn_error_timeout = Termyn yn-mes hedhys kyns agas alhwedh y hyllys redys. Daskargewgh an folen ma mar pleg hag assayewgh arta.
 repository = Gwithva
 new_fork = Forgh gwithva nowydh
 new_project_column = Koloven nowydh
diff --git a/options/locale/locale_lt.ini b/options/locale/locale_lt.ini
index 11fa4a0a4f..72a726f9f6 100644
--- a/options/locale/locale_lt.ini
+++ b/options/locale/locale_lt.ini
@@ -32,14 +32,6 @@ re_type = Patvirtinti slaptažodį
 twofa = Dvigubas tapatybės nustatymas
 twofa_scratch = Dvigubo ženklo kodas
 passcode = PIN kodas
-webauthn_sign_in = Paspauskite saugumo rakto mygtuką. Jei saugumo raktas neturi mygtuko, įkiškite jį iš naujo.
-webauthn_press_button = Paspauskite saugumo rakto mygtuką…
-webauthn_error = Nepavyko nuskaityti saugumo rakto.
-webauthn_unsupported_browser = Jūsų naršyklė šiuo metu nepalaiko „WebAuthn“.
-webauthn_error_unknown = Įvyko nežinoma klaida. Bandykite dar kartą.
-webauthn_error_unable_to_process = Serveris negalėjo apdoroti jūsų prašymo.
-webauthn_error_duplicated = Saugumo raktas neleidžiamas šiai prašymai. Įsitikinkite, kad raktas dar nėra užregistruotas.
-webauthn_error_empty = Turite nustatyti šio rakto pavadinimą.
 repository = Saugykla
 organization = Organizacija
 mirror = Dubliuojančioji tinklavietė
@@ -106,15 +98,11 @@ confirm_delete_artifact = Ar tikrai norite ištrinti artefaktą „%s“?
 archived = Archyvuota
 concept_system_global = Globalus
 enable_javascript = Šiai svetainei reikalingas „JavaScript“.
-webauthn_insert_key = Įkiškite savo saugumo raktą
-webauthn_use_twofa = Naudoti dvigubą kodą iš telefono
-webauthn_error_timeout = Baigėsi laikas, per kurį nebuvo galima nuskaityti rakto. Perkraukite šį puslapį ir bandykite dar kartą.
 your_starred = Pažymėti žvaigždutę
 remove = Pašalinti
 copy_generic = Kopijuoti į iškarpinę
 captcha = Saugos testas (CAPTCHA)
 your_profile = Profilis
-webauthn_error_insecure = „WebAuthn“ palaiko tik saugius ryšius. Bandymams per HTTP galite naudoti „localhost“ arba „127.0.0.0.1“.
 collaborative = Bendradarbiavimas
 home = Pagrindinis
 page = Puslapis
@@ -191,7 +179,6 @@ type-2.display_name = Saugyklos projektas
 type-3.display_name = Organizacijos projektas
 
 [markup]
-filepreview.truncated = Peržiūra buvo sutrumpinta
 
 [mail]
 reset_password.text = Jei tai buvote jūs, spustelėkite toliau esančią nuorodą, kad atkurtumėte savo paskyrą per <b>%s</b>:
diff --git a/options/locale/locale_lv-LV.ini b/options/locale/locale_lv-LV.ini
index 6531335974..79a2e1a08f 100644
--- a/options/locale/locale_lv-LV.ini
+++ b/options/locale/locale_lv-LV.ini
@@ -37,18 +37,6 @@ twofa=Divpakāpju pieteikšanās
 twofa_scratch=Divpakāpju vienreiz izmantojamais kods
 passcode=Kods
 
-webauthn_insert_key=Jāievieto sava drošības atslēga
-webauthn_sign_in=Jānospiež poga uz drošības atslēgas. Ja tai nav pogas, drošības atslēga ir atkārtoti jāievieto.
-webauthn_press_button=Lūgums nospiest pogu uz savas drošības atslēgas…
-webauthn_use_twofa=Izmantot divpakāpju kodu no sava tālruņa
-webauthn_error=Nevar nolasīt drošības atslēgu.
-webauthn_unsupported_browser=Pārlūks pašlaik nenodrošina WebAuthn.
-webauthn_error_unknown=Atgadījās nezināma kļūda. Lūgums mēģināt vēlreiz.
-webauthn_error_insecure=WebAuthn atbalsta tikai drošus savienojumus. Pārbaudīšanai ar HTTP var izmantot pirmavotu "localhost" vai "127.0.0.1"
-webauthn_error_unable_to_process=Serveris nevarēja apstrādāt pieprasījumu.
-webauthn_error_duplicated=Drošības atslēga nav atļauta šim pieprasījumam. Lūgums pārliecināties, ka šī atslēga nav jau reģistrēta.
-webauthn_error_empty=Jānorāda šīs atslēgas nosaukums.
-webauthn_error_timeout=Iestājās noildze, pirms varēja nolasīt atslēgu. Lūgums pārlādēt šo lapu un mēģināt vēlreiz.
 repository=Glabātava
 organization=Apvienība
 mirror=Spoguļglabātava
@@ -2940,34 +2928,6 @@ dashboard.sync_external_users=Sinhronizēt ārējo lietotāju datus
 dashboard.cleanup_hook_task_table=Iztīrīt tabulu hook_task
 dashboard.cleanup_packages=Notīrīt novecojušās pakotnes
 dashboard.cleanup_actions=Notīrīt darbību izbeigušos žurnālus un artefaktus
-dashboard.server_uptime=Servera darbības laiks
-dashboard.current_goroutine=Pašreizējās gorutīnas
-dashboard.current_memory_usage=Pašreizējais atmiņas lietojums
-dashboard.total_memory_allocated=Kopējā iedalītā atmiņa
-dashboard.memory_obtained=Iegūtā atmiņa
-dashboard.pointer_lookup_times=Rādītāju uzmeklēšanas reizes
-dashboard.memory_allocate_times=Atmiņas iedalīšanas
-dashboard.memory_free_times=Atmiņas atbrīvošanas
-dashboard.current_heap_usage=Pašreizējais grēdas lietojums
-dashboard.heap_memory_obtained=Iegūtā grēdas atmiņa
-dashboard.heap_memory_idle=Neizmantotā grēdas atmiņa
-dashboard.heap_memory_in_use=Izmantotā grēdas atmiņa
-dashboard.heap_memory_released=Atbrīvotā grēdas atmiņa
-dashboard.heap_objects=Grēdas objekti
-dashboard.bootstrap_stack_usage=Sākumielādētāja viengala rindas lietojums
-dashboard.stack_memory_obtained=Iegūtā viengala rindas atmiņa
-dashboard.mspan_structures_usage=MSpan struktūru lietojums
-dashboard.mspan_structures_obtained=Iegūtās MSpan struktūras
-dashboard.mcache_structures_usage=MCache struktūru lietojums
-dashboard.mcache_structures_obtained=Iegūtās MCache struktūras
-dashboard.profiling_bucket_hash_table_obtained=Iegūtā profilēšanas groza jaucējtabula
-dashboard.gc_metadata_obtained=Iegūtie GC metadati
-dashboard.other_system_allocation_obtained=Citas iegūtās sistēmas sadales
-dashboard.next_gc_recycle=Nākamā GC atkritne
-dashboard.last_gc_time=Laiks kopš pēdējās GC
-dashboard.total_gc_pause=Kopējais GC pārtraukums
-dashboard.last_gc_pause=Pedējais GC pārtraukums
-dashboard.gc_times=GC reizes
 dashboard.delete_old_actions=Izdzēst visas novecojušās darbības no datubāzes
 dashboard.delete_old_actions.started=Uzsākta visu novecojušo darbību izdzēšana no datubāzes.
 dashboard.update_checker=Atjauninājumu pārbaudītājs
@@ -3024,18 +2984,6 @@ users.purge_help=Veikt lietotāja un visu tam piederošo glabātavu, apvienību
 users.still_own_packages=Šim lietotājam pieder viena vai vairākas pakotnes, tās nepieciešams izdzēst.
 users.deletion_success=Lietotāja konts tika izdzēsts.
 users.reset_2fa=Atiestatīt 2FA
-users.list_status_filter.menu_text=Atlasīt
-users.list_status_filter.reset=Atiestatīt
-users.list_status_filter.is_active=Aktīvs
-users.list_status_filter.not_active=Neaktīvs
-users.list_status_filter.is_admin=Pārvaldītājs
-users.list_status_filter.not_admin=Nav pārvaldītājs
-users.list_status_filter.is_restricted=Ierobežots
-users.list_status_filter.not_restricted=Nav ierobežots
-users.list_status_filter.is_prohibit_login=Neļaut pieteikšanos
-users.list_status_filter.not_prohibit_login=Atļaut pieteikšanos
-users.list_status_filter.is_2fa_enabled=2FA iespējota
-users.list_status_filter.not_2fa_enabled=2FA atspējota
 users.details=Lietotāja informācija
 
 emails.email_manage_panel=Pārvaldīt lietotāju e-pasta adreses
@@ -3354,26 +3302,6 @@ monitor.process.cancel_desc=Procesa atcelšana var radīt datu zaudējumus
 monitor.process.cancel_notices=Atcelt: <strong>%s</strong>?
 monitor.process.children=Apakšprocesi
 
-monitor.queues=Rindsaraksti
-monitor.queue=Rindsaraksts: %s
-monitor.queue.name=Nosaukums
-monitor.queue.type=Veids
-monitor.queue.exemplar=Eksemplāra veids
-monitor.queue.numberworkers=Strādņu skaits
-monitor.queue.activeworkers=Darbojošies strādņi
-monitor.queue.maxnumberworkers=Lielākais pieļaujamais strādņu skaits
-monitor.queue.numberinqueue=Skaits rindsarakstā
-monitor.queue.review_add=Pārskatīt/pievienot strādņus
-monitor.queue.settings.title=Pūla iestatījumi
-monitor.queue.settings.desc=Pūli dinamiski palielinās atkarībā no to strādņu rindu aizturēšanas.
-monitor.queue.settings.maxnumberworkers=Maksimālais strādņu skaits
-monitor.queue.settings.maxnumberworkers.placeholder=Pašalaik %[1]d
-monitor.queue.settings.maxnumberworkers.error=Lielākajam pieļaujamajam strādņu skaitam ir jābūt skaitlim
-monitor.queue.settings.submit=Atjaunināt iestatījumus
-monitor.queue.settings.changed=Iestatījumi atjaunināti
-monitor.queue.settings.remove_all_items=Noņemt visus
-monitor.queue.settings.remove_all_items_done=Visi rindsaraksta vienumi tika noņemti.
-
 notices.system_notice_list=Sistēmas paziņojumi
 notices.view_detail_header=Apskatīt paziņojuma informāciju
 notices.operations=Darbības
@@ -3520,21 +3448,7 @@ workflow.disabled=Darbplūsma ir atspējota.
 
 need_approval_desc=Nepieciešams apstiprinājums, lai izpildītu darbplūsmas izmaiņu pieprasījumos no atzarojumiem.
 
-variables=Mainīgie
-variables.management=Pārvaldīt mainīgos
-variables.creation=Pievienot mainīgo
-variables.none=Vēl nav neviena mainīgā.
-variables.deletion=Noņemt mainīgo
-variables.deletion.description=Mainīgā noņemšana ir neatgriezeniska un nav atsaucama. Turpināt?
-variables.description=Mainīgie tiks padoti noteiktām darbībām, un citādāk tos nevar nolasīt.
 variables.id_not_exist=Mainīgais ar identifikatoru %d nepastāv.
-variables.edit=Labot mainīgo
-variables.deletion.failed=Neizdevās noņemt mainīgo.
-variables.deletion.success=Mainīgais tika noņemts.
-variables.creation.failed=Neizdevās pievienot mainīgo.
-variables.creation.success=Mainīgais "%s" tika pievienots.
-variables.update.failed=Neizdevās labot mainīgo.
-variables.update.success=Mainīgais tika labots.
 workflow.dispatch.invalid_input_type = Nederīgs ievades mainīgā veids "%s".
 workflow.dispatch.run = Izpildīt darbplūsmu
 workflow.dispatch.success = Darbplūsmas izpildīšana tika sekmīgi pieprasīta.
@@ -3545,7 +3459,6 @@ runs.no_workflows.help_no_write_access = Lai uzzinātu par Forgejo Acties, jāie
 runs.no_workflows.help_write_access = Nav skaidrs, kā sākt izmantot Forgejo Actions? Jāieskatās <a target="_blank" rel="noopener noreferrer" href="%s">ātrajā ievadā lietotāja dokumentācijā</a>, lai uzrakstītu savu pirmo darbplūsmu, tad <a target="_blank" rel="noopener noreferrer" href="%s">jāiestata Forgejo izpildītājs</a>, lai izpildītu savus darbus.
 workflow.dispatch.warn_input_limit = Attēlo tikai pirmos %d ievades mainīgos.
 workflow.dispatch.trigger_found = Šai darbplūsmai ir <c>workflow_dispatch</c> notikuma izraisītājs.
-variables.not_found = Neizdevās atrast mainīgo.
 
 [projects]
 type-1.display_name=Atsevišķs projekts
@@ -3614,9 +3527,6 @@ projects.read = <b>Lasīt</b>: piekļūt glabātavas projektu dēļiem.
 [munits.data]
 
 [markup]
-filepreview.line = %[1]d. rinda %[2]s
-filepreview.lines = %[1]d. līdz %[2]d. rinda %[3]s
-filepreview.truncated = Priekšskatījums tika saīsināts
 
 [translation_meta]
 test = Šī ir pārbaudes virkne. Tā netiek attēlota Forgejo saskarnē, bet tiek izmantota pārbaudes nolūkiem. Droši var ievadīt "ok", lai ietaupītu laiku (vai kādu jautru faktu pēc izvēles), lai sasniegtu to saldo 100% pabeigšanas atzīmi.
\ No newline at end of file
diff --git a/options/locale/locale_mk.ini b/options/locale/locale_mk.ini
index 499739ab1f..856593f398 100644
--- a/options/locale/locale_mk.ini
+++ b/options/locale/locale_mk.ini
@@ -1,6 +1,3 @@
-
-
-
 [common]
 home = Дома
 dashboard = Контролна табла
@@ -40,18 +37,6 @@ captcha = Капча
 twofa = Двофакторска автентификација
 twofa_scratch = Двофакторски исцртан код
 passcode = Шифра
-webauthn_insert_key = Вметнете го вашиот безбедносен клуч
-webauthn_sign_in = Притиснете го копчето на вашиот безбедносен клуч. Ако вашиот безбедносен клуч нема копче, повторно вметнете го.
-webauthn_press_button = Притиснете го копчето на вашиот безбедносен клуч…
-webauthn_use_twofa = Користете еден двофакторски код од вашиот телефон
-webauthn_error = Неможно да се чита бесбедносен клуч.
-webauthn_unsupported_browser = Вашиот прелистувач во моментов не ја поддржува WebAuthn.
-webauthn_error_unknown = Се случи непозната грешка. Ве молиме обидете се повторно.
-webauthn_error_insecure = WebAuthn поддржува само сигурни врски. За тестирање преку HTTP, можете да го користите изворот "localhost" или "127.0.0.1"
-webauthn_error_unable_to_process = Серверот не можеше да ја обработи вашето барање.
-webauthn_error_duplicated = Безбедносниот клуч не е дозволен за овој барање. Ве молиме уверете се дека клучот не е веќе регистриран.
-webauthn_error_empty = Мора да е поставено име за овој клуч.
-webauthn_error_timeout = Времето истечало пред да може да се прочита вашиот клуч. Ве молиме освежете ја оваа страница и обидете се повторно.
 repository = Репозиториум
 new_fork = нов форк на репозиториум
 new_project_column = Нова колумна
diff --git a/options/locale/locale_nb_NO.ini b/options/locale/locale_nb_NO.ini
index 268302b1e7..bb9c6eaefb 100644
--- a/options/locale/locale_nb_NO.ini
+++ b/options/locale/locale_nb_NO.ini
@@ -27,18 +27,12 @@ download_logs = Last ned logger
 copy_hash = Kopier hash
 more_items = Flere elementer
 passcode = Adgangskode
-webauthn_insert_key = Skriv inn din sikkerhetsnøkkel
-webauthn_use_twofa = Bruk tofaktorkode fra din mobil
 organization = Organisasjon
 mirror = Speil
 new_mirror = Ny speiling
 repository = Depot
 new_project = Nytt prosjekt
 new_project_column = Ny kolonne
-webauthn_error = Klarte ikke lese sikkerhetsnøkkelen.
-webauthn_unsupported_browser = Nettleseren din støtter ikke WebAuthn.
-webauthn_error_unknown = En ukjent feil oppstod. Vennligst prøv igjen.
-webauthn_error_insecure = WebAuhn støtter kun sikre forbindelser. For testing over HTTP kan du bruke verten "localhost" eller "127.0.0.1"
 admin_panel = Nettsideadministrasjon
 settings = Innstillinger
 your_profile = Profil
@@ -122,15 +116,9 @@ sign_in_or = eller
 sign_out = Logg ut
 sign_up = Opprett konto
 confirm_delete_artifact = Er du sikker på at du vil slette artefakten "%s" ?
-webauthn_sign_in = Trykk på knappen på sikkerhetsnøkkelen din. Dersom nøkkelen din ikke har en knapp, sett den inn på nytt.
 copy_path = Kopier sti
-webauthn_error_unable_to_process = Tjeneren kunne ikke behandle forespørselen din.
-webauthn_error_empty = Du må gi nøkkelen et navn.
 toggle_menu = Åpne/lukke meny
 twofa_scratch = To-faktor skrapekode
-webauthn_press_button = Vennligst trykk på knappen på sikkerhetsnøkkelen…
-webauthn_error_duplicated = Sikkerhetsnøkkelen er ikke tillatt for denne forespørselen. Vennligst sørg for at nøkkelen ikke allerede er registrert.
-webauthn_error_timeout = Et tidsavbrudd oppsto før nøkkelen din kunne leses. Vennligst last inn siden på nytt og prøv igjen.
 new_fork = Ny forgrening av depot
 collaborative = Samarbeidende
 error413 = Du har brukt opp kvoten din.
diff --git a/options/locale/locale_nds.ini b/options/locale/locale_nds.ini
index 358ad5dc6a..2476d7c16f 100644
--- a/options/locale/locale_nds.ini
+++ b/options/locale/locale_nds.ini
@@ -28,14 +28,7 @@ access_token = Togang-Teken
 captcha = CAPTCHA
 twofa = Twee-Faktooren-Anmellen
 twofa_scratch = Twee-Faktooren-Eenmaalpasswoord
-webauthn_insert_key = Steek dienen Sekerheids-Slötel in
-webauthn_press_button = Bidde drück de Knoop up dienem Sekerheids-Slötel …
-webauthn_use_twofa = Bruuk eene Twee-Faktooren-Tahl vun dienem Telefoon
-webauthn_error = Kunn dienen Sekerheids-Slötel nich lesen.
-webauthn_unsupported_browser = Dien Browser unnerstütt stedenwies WebAuthn nich.
-webauthn_error_unknown = Een unbekannter Fehler is uptreden. Bidde versöök dat noch eenmaal.
 passcode = Pass-Tahl
-webauthn_error_empty = Du muttst de Slötel eenen Naam geven.
 repository = Repositorium
 organization = Vereenigung
 new_fork = Neje Repositoriums-Gabel
@@ -47,12 +40,7 @@ register = Registreren
 licenses = Lizenzen
 email = E-Mail-Adress
 re_type = Passwoord utwiesen
-webauthn_error_unable_to_process = De Server kunn diene Anfraag nich verarbeiden.
 new_mirror = Nejer Spegel
-webauthn_sign_in = Drück de Knoop up dienem Sekerheids-Slötel. Wenn dien Slötel keenen Knoop hett, steek ’t ut un weer in.
-webauthn_error_insecure = WebAuthn unnerstütt blots seker Verbinnens. Wenn du över HTTP testen willst, kannst du de Quell »localhost« of »127.0.0.1« bruken
-webauthn_error_duplicated = De Sekerheids-Slötel is för deese Anfraag nich verlöövt. Bidde wees wiss, dat de Slötel nich al vermarkt is.
-webauthn_error_timeout = Tied överweggahn ehr dien Slötel lesen worden kunn. Bidde laad deese Sied neei un versöök dat noch eenmaal.
 mirror = Spegel
 new_project = Nejes Projekt
 new_project_column = Neje Rieg
@@ -2741,9 +2729,6 @@ dashboard.resync_all_sshprincipals = De ».ssh/authorized_principals«-Datei mit
 dashboard.reinit_missing_repos = All fehlend Git-Repositoriums neei inrichten, för wat dat Uptekens gifft
 dashboard.cleanup_packages = Avlopen Paketen uprümen
 dashboard.cleanup_actions = Avlopen Utgaven un Objekten vun Aktioonen uprümen
-dashboard.current_goroutine = Stedenwies Go-Routinen
-dashboard.total_memory_allocated = Spieker towiesen all tosamen
-dashboard.memory_allocate_times = Spieker-Towiesens
 dashboard.system_status = Systeem-Tostand
 dashboard.operation_switch = Wesseln
 dashboard.operation_run = Utföhren
@@ -2764,8 +2749,6 @@ dashboard.operation_name = Aktioons-Naam
 dashboard.cron.process = Tiedplaan: %[1]s
 dashboard.cron.cancelled = Tiedplaan: %[1]s ofbroken: %[3]s
 dashboard.resync_all_sshkeys = De ».ssh/authorized_keys«-Datei mit de SSH-Slötels vun Forgejo vernejen.
-dashboard.memory_obtained = Spieker erhollen
-dashboard.pointer_lookup_times = Wieser-Nakiek-Tieden
 dashboard.task.started = Hett Upgaav begunnen: %[1]s
 dashboard.delete_inactive_accounts = All nich aktiveerten Konten lösken
 dashboard.delete_repo_archives.started = Upgaav, um all Repositoriums-Archiven to lösken, begunnen.
@@ -2776,25 +2759,6 @@ dashboard.sync_repo_branches = Fehlend Twiegen vun Git-Daten to de Datenbank spe
 dashboard.update_migration_poster_id = Umtreck-Autor-IDs vernejen
 dashboard.cleanup_hook_task_table = hook_task-Tabell uprümen
 dashboard.sync_external_users = Frömde Brukerdaten vernejen
-dashboard.server_uptime = Server-Bedrievstied
-dashboard.current_memory_usage = Stedenwies Spiekerbruuk
-dashboard.heap_memory_obtained = Hoopspieker erhollen
-dashboard.current_heap_usage = Stedenwies Hoopbruuk
-dashboard.heap_memory_idle = Hoopspieker mit nix to doon
-dashboard.heap_memory_released = Hoopspieker freeigeven
-dashboard.heap_objects = Hoopobjekten
-dashboard.bootstrap_stack_usage = Bootstrap-Stapelbruuk
-dashboard.stack_memory_obtained = Stapelspieker erhollen
-dashboard.mspan_structures_usage = MSpan-Struktuuren-Bruuk
-dashboard.mspan_structures_obtained = MSpan-Struktuuren erhollen
-dashboard.mcache_structures_usage = MCache-Struktuuren-Bruuk
-dashboard.gc_metadata_obtained = Wiedere Informatioonen för GC erhollen
-dashboard.other_system_allocation_obtained = Anner Systeemtowiesens erhollen
-dashboard.next_gc_recycle = Anner GC-Müllavhalen
-dashboard.last_gc_time = Tied siet lestem GC
-dashboard.total_gc_pause = GC-Paus all tosamen
-dashboard.last_gc_pause = Leste GC-Paus
-dashboard.gc_times = GC-Tieden
 dashboard.delete_old_actions = All olles Doon ut de Datenbank lösken
 dashboard.update_checker = Vernejens-Sööker
 dashboard.delete_old_system_notices = All ollen Systeemnarichten ut de Datenbank lösken
@@ -2830,16 +2794,12 @@ users.is_admin = Chefkonto
 users.admin.description = Deesem Bruker kumpleten Togriep to all Chef-Aktioonen geven, wat mit de Internett-Schnittstee un de API gahn.
 users.is_restricted = Begrenztes Konto
 users.allow_git_hook = Kann Git-Hakens maken
-dashboard.memory_free_times = Spieker-Freeigevens
 users.bot = Bot
 users.2fa = 2FA
-dashboard.profiling_bucket_hash_table_obtained = Profileren-Emmer-Prüfsummtabell erhollen
 dashboard.sync_tag.started = Mark-Vernejen begunnen
 dashboard.rebuild_issue_indexer = Gefall-Indizerer neei bauen
 users.activated.description = Of dat E-Mail-Utwiesen ofsluten is. De Eegner vun eenem nich aktiveerten Konto kann sik nich anmellen, bit dat E-Mail-Utwiesen ofsluten is.
-dashboard.heap_memory_in_use = Hoopspieker bruukt
 users.max_repo_creation_desc = (Giff -1 in, um de Normaalweert vun de Instanz to bruken.)
-dashboard.mcache_structures_obtained = MCache-Struktuuren erhollen
 dashboard.start_schedule_tasks = Aktioonen-Upgaven mit Tiedplaan begünnen
 users.remote = Frömd
 users.max_repo_creation = Hoogste Tahl vun Repositoriums
@@ -2859,12 +2819,6 @@ users.still_has_org = De Bruker is noch een Liddmaat vun eener Vereenigung. Doo
 users.purge = Bruker wegschüren
 users.purge_help = Mit Dwang de Bruker un all siene Repositoriums, Vereenigungen un Paketen lösken. All Kommentaren un Gefallens, wat deeser Bruker maakt hett, worden ok lösket.
 users.still_own_packages = Deeser Bruker is noch Eegner vun een of mehr Paketen, löske eerst deese Paketen.
-users.list_status_filter.menu_text = Filter
-users.list_status_filter.not_active = Nich aktiiv
-users.list_status_filter.is_restricted = Begrenzt
-users.list_status_filter.not_restricted = Unbegrenzt
-users.list_status_filter.is_2fa_enabled = 2FA anknipst
-users.list_status_filter.not_2fa_enabled = 2FA utknipst
 users.details = Bruker-Informatioonen
 emails.email_manage_panel = Bruker-E-Mails verwalten
 emails.primary = Höövd
@@ -2976,17 +2930,11 @@ auths.skip_local_two_fa = Stedenwies 2FA överspringen
 auths.oauth2_tenant = Inwohner
 auths.oauth2_scopes = Wiedere Rebeeten
 users.deletion_success = Dat Brukerkonto is lösket worden.
-users.list_status_filter.is_admin = Chef
 auths.syncenabled = Bruker-Vernejen anknipsen
 users.reset_2fa = 2FA torüggsetten
-users.list_status_filter.is_prohibit_login = Anmellen verseggen
-users.list_status_filter.not_admin = Keen Chef
 auths.auth_type = Anmellens-Aard
 auths.restricted_filter_helper = Laat dat leeg, wenn keene Brukers begrenzt wesen sallen. Bruuk eenen Steern (»*«), um all Brukers, wat nich up de Chef-Filter passen, as begrenzt to setten.
 auths.force_smtps_helper = SMTPS word alltieden up Poort 465 bruukt. Sett dat, um SMTPS up anner Poorten to dwingen. (Anners word up anner Poorten STARTTLS bruukt, wenn de Host dat unnerstütt.)
-users.list_status_filter.reset = Torüggsetten
-users.list_status_filter.is_active = Aktiiv
-users.list_status_filter.not_prohibit_login = Anmellen verlöven
 auths.auth_name = Anmellens-Naam
 auths.map_group_to_team = LDAP-Gruppens up Vereenigungs-Klottjen avbillen (laat dat Feld leeg, um dat to överspringen)
 auths.allowed_domains_helper = Laat dat leeg, um all Domänens to verlöven. Trenn mennig Domänen mit eenem Komma (»,«).
@@ -3160,20 +3108,6 @@ monitor.process.cancel = Prozess ofbreken
 monitor.process.cancel_desc = Wenn een Prozess ofbroken word, könen Daten verloren gahn
 monitor.process.cancel_notices = Ofbreken: <strong>%s</strong>?
 monitor.process.children = Kinners
-monitor.queues = Slangen
-monitor.queue = Slang: %s
-monitor.queue.name = Naam
-monitor.queue.activeworkers = Aktiiv Rieters
-monitor.queue.maxnumberworkers = Hoogste Tahl vun Rieters
-monitor.queue.numberinqueue = Tahl in de Slang
-monitor.queue.review_add = Rieters nakieken / hentofögen
-monitor.queue.settings.title = Vörraad-Instellens
-monitor.queue.settings.maxnumberworkers = Hoogste Tahl vun Rieters
-monitor.queue.settings.maxnumberworkers.placeholder = Stedenwies %[1]d
-monitor.queue.settings.maxnumberworkers.error = Hoogste Tahl vun Rieters mutt eene Tahl wesen
-monitor.queue.settings.submit = Instellens vernejen
-monitor.queue.settings.changed = Instellens verneeit
-monitor.queue.settings.remove_all_items = All wegdoon
 notices.system_notice_list = Systeem-Narichtens
 notices.operations = Doon
 notices.select_all = All utkören
@@ -3186,7 +3120,6 @@ notices.type_1 = Repositorium
 notices.type_2 = Upgaav
 notices.desc = Beschrieven
 notices.op = Up.
-monitor.queue.exemplar = Musteraard
 notices.view_detail_header = Naricht-Informatioonen
 self_check.no_problem_found = Noch keen Probleem funnen.
 self_check.database_collation_mismatch = Verwacht, dat de Datenbank deese Kollatioon bruukt: %s
@@ -3196,10 +3129,8 @@ self_check.database_inconsistent_collation_columns = Datenbank bruukt Kollatioon
 config.log_file_root_path = Utgaav-Padd
 config.reset_password_code_lives = Ofloops-Düür vun de Torügghalens-Teken
 config.allow_dots_in_usernames = Brukers verlöven, Punkten in hör Brukernamen to bruken. Ännert nix an bestahn Konten.
-monitor.queue.numberworkers = Tahl vun Rieters
 config.set_setting_failed = Instellen %s to setten fehlslagen
 monitor.execute_times = Utföhrens
-monitor.queue.settings.desc = Vörraden wassen as nödig, wenn hör Rieters-Slang blockeert.
 auths.tip.openid_connect = Bruuk de Utförsken-URL för OpenID-Verbinnen (<server>/.well-known/openid-configuration), um de Ennpunkten antogeven
 auths.login_source_of_type_exist = Eenen Anmellens-Quell vun deeser Aard gifft dat al.
 config.mailer_protocol = Protokoll
@@ -3209,8 +3140,6 @@ config.app_data_path = Programmdatenpadd
 config.service_config = Deenst-Inrichten
 config.enable_openid_signup = OpenID-Sülvst-Registreren anknipsen
 config.cache_test_slow = Tüskenspieker-Test daankregen, aver de Antwoord is langsaam: %s.
-monitor.queue.type = Aard
-monitor.queue.settings.remove_all_items_done = All Dingen in de Slang sünd wegdaan worden.
 auths.tip.mastodon = Giff eene eegene Instanz-URL för de Mastodon-Instanz, mit wat du anmellen willst, in (of bruuk de Normaalweert)
 notices.delete_success = De Systeem-Narichtens sünd wegdaan worden.
 config.repo_root_path = Repositoriums-Ruut-Padd
@@ -3439,28 +3368,13 @@ workflow.dispatch.input_required = Weert för Ingaav »%s« nödig.
 workflow.dispatch.invalid_input_type = Ungültige Ingaav-Aard »%s«.
 workflow.dispatch.warn_input_limit = Blots de eersten %d Ingaven worden wiesen.
 need_approval_desc = Warkwiesen vun eenem Haalvörslag ut eener Gabel mutten eerst tostimmt worden.
-variables = Variaabeln
-variables.management = Variaabeln verwalten
-variables.none = Dat gifft noch keene Variaabeln.
-variables.deletion = Variaabel wegdoon
-variables.description = Variaabeln worden an wisse Aktioonen övergeven un könen anners nich lesen worden.
 variables.id_not_exist = Variaabel mit ID %d gifft dat nich.
-variables.edit = Variaabel bewarken
-variables.deletion.failed = Kunn Variaabel nich wegdoon.
-variables.deletion.success = De Variaabel is wegdaan worden.
-variables.creation.failed = Kunn Variaabel nich hentofögen.
-variables.creation.success = De Variaabel »%s« is hentoföögt worden.
-variables.update.success = De Variaabel is bewarkt worden.
 workflow.disable = Warkwies utknipsen
-variables.creation = Variaabel hentofögen
-variables.update.failed = Kunn Variaabel nich bewarken.
 workflow.disable_success = Warkwies »%s« is utknipst worden.
 workflow.dispatch.success = Warkwies-Utföhren is vörmarkt worden.
-variables.deletion.description = Eene Variaabel wegtodoon is för all Tieden un kann nich torüggnohmen worden. Wiedermaken?
 unit.desc = Verwalt integreerte CI-/CD-Affolgens mit Forgejo-Aktioonen.
 runs.no_workflows.help_write_access = Weetst du nich, wo man mit Forgejo-Aktioonen begünnen sall? Kiek de <a target="_blank" rel="noopener noreferrer" href="%s">Fixanwies in de Bruker-Dokumenteren</a> an, um diene eerste Warkwies to schrieven, un <a target="_blank" rel="noopener noreferrer" href="%s">richt dann dienen eersten Forgejo-Loper in</a>, um diene Upgavens uttoföhren.
 runs.no_workflows.help_no_write_access = Um mehr över Forgejo-Aktioonen to lehren, kiek <a target="_blank" rel="noopener noreferrer" href="%s">de Dokumenteren</a> an.
-variables.not_found = Kunn de Variaabel nich finnen.
 
 [projects]
 deleted.display_name = Lösket Projekt
@@ -3477,9 +3391,6 @@ symbolic_link = Symbolisk Verwies
 submodule = Unnermoduul
 
 [markup]
-filepreview.lines = Riegen %[1]d bit %[2]d in %[3]s
-filepreview.truncated = Utkiek is ofsneden worden
-filepreview.line = Rieg %[1]d in %[2]s
 
 [translation_meta]
 test = Moin!
diff --git a/options/locale/locale_nl-NL.ini b/options/locale/locale_nl-NL.ini
index aab4dbd684..50d5dfd7d8 100644
--- a/options/locale/locale_nl-NL.ini
+++ b/options/locale/locale_nl-NL.ini
@@ -34,18 +34,6 @@ twofa=Tweefactorauthenticatie
 twofa_scratch=Tweefactor krascode
 passcode=Code
 
-webauthn_insert_key=Sluit uw beveiligingssleutel aan
-webauthn_sign_in=Druk op de knop van uw beveiligingssleutel. Als uw beveiligingssleutel geen knop heeft, sluit deze dan opnieuw aan.
-webauthn_press_button=Druk alstublieft op de knop van uw beveiligingssleutel…
-webauthn_use_twofa=Gebruik een tweefactor code van uw telefoon
-webauthn_error=Kon uw beveiligingssleutel niet lezen.
-webauthn_unsupported_browser=Uw browser ondersteunt momenteel geen WebAuthn.
-webauthn_error_unknown=Er is een onbekende fout opgetreden. Probeer het opnieuw.
-webauthn_error_insecure=WebAuthn ondersteunt alleen beveiligde verbindingen. Om te testen via HTTP, kan je als systeemnaam "localhost" of "127.0.0.1" gebruiken
-webauthn_error_unable_to_process=De server kon uw verzoek niet verwerken.
-webauthn_error_duplicated=De beveiligingssleutel is voor dit verzoek niet toegestaan. Controleer alstublieft of de sleutel niet al is geregistreerd.
-webauthn_error_empty=U moet een naam voor deze sleutel instellen.
-webauthn_error_timeout=Time-out bereikt voordat uw sleutel kon worden gelezen. Herlaad deze pagina en probeer het opnieuw.
 repository=Repository
 organization=Organisatie
 mirror=Kopie
@@ -2919,34 +2907,6 @@ dashboard.resync_all_sshprincipals=Update het ".ssh/authorized_principals" besta
 dashboard.resync_all_hooks=Git hooks van alle repositories opnieuw synchroniseren (pre-receive, update en, post-receive hooks van alle repositories, proc-receive, ...)
 dashboard.reinit_missing_repos=Herinitialiseer alle ontbrekende Git repositories waarvoor records bestaan
 dashboard.sync_external_users=Externe gebruikersgegevens synchroniseren
-dashboard.server_uptime=Uptime server
-dashboard.current_goroutine=Huidige goroutines
-dashboard.current_memory_usage=Huidig geheugen gebruik
-dashboard.total_memory_allocated=Totaal toegewezen geheugen
-dashboard.memory_obtained=Geheugen gebruikt
-dashboard.pointer_lookup_times=Aanwijzer Lookup keer
-dashboard.memory_allocate_times=Geheugentoewijzingen
-dashboard.memory_free_times=Geheugen vrjigemaakt
-dashboard.current_heap_usage=Huidige heap gebruik
-dashboard.heap_memory_obtained=Heap geheugen verkregen
-dashboard.heap_memory_idle=Heap geheugen inactief
-dashboard.heap_memory_in_use=Heap geheugen in gebruik
-dashboard.heap_memory_released=Heap geheugen vrijgegeven
-dashboard.heap_objects=Heap-objecten
-dashboard.bootstrap_stack_usage=Bootstrap Stack gebruik
-dashboard.stack_memory_obtained=Stapel geheugen verkregen
-dashboard.mspan_structures_usage=MSpan structuren gebruik
-dashboard.mspan_structures_obtained=MSpan structuren verkregen
-dashboard.mcache_structures_usage=MCache structuren gebruik
-dashboard.mcache_structures_obtained=MCache structuren verkregen
-dashboard.profiling_bucket_hash_table_obtained=Profilering emmer hashtabel verkregen
-dashboard.gc_metadata_obtained=GC metadada verkregen
-dashboard.other_system_allocation_obtained=Andere systeem toewijzing verkregen
-dashboard.next_gc_recycle=Volgende GC recycle
-dashboard.last_gc_time=Sinds vorige GC verwerkingstijd
-dashboard.total_gc_pause=Totaal GC verwerkingstijd
-dashboard.last_gc_pause=Laatste GC verwerkingstijd
-dashboard.gc_times=GC verwerkingen
 dashboard.delete_old_system_notices=Verwijder alle oude systeemmededelingen uit de database
 
 users.user_manage_panel=Gebruikersaccounts beheren
@@ -2984,12 +2944,6 @@ users.delete_account=Gebruikersaccount verwijderen
 users.still_own_repo=Deze gebruiker is nog steeds eigenaar van één of meerdere repositories. Verwijder of draag eerst deze repositories over.
 users.still_has_org=Deze gebruiker is lid van een organisatie. Verwijder de gebruiker eerst uit alle organisaties.
 users.deletion_success=De gebruiker is verwijderd.
-users.list_status_filter.menu_text=Filter
-users.list_status_filter.is_active=Actief
-users.list_status_filter.not_active=Inactief
-users.list_status_filter.is_admin=Beheerder
-users.list_status_filter.is_restricted=Beperkt
-
 emails.email_manage_panel=Gebruikersmails beheren
 emails.primary=Primair
 emails.activated=Geactiveerd
@@ -3233,20 +3187,6 @@ monitor.process.cancel=Annuleer proces
 monitor.process.cancel_desc=Annuleren van een proces kan gegevensverlies veroorzaken
 monitor.process.cancel_notices=Annuleer: <strong>%s</strong>?
 
-monitor.queues=Wachtrijen
-monitor.queue=Wachtrij: %s
-monitor.queue.name=Naam
-monitor.queue.type=Type
-monitor.queue.exemplar=Type voorbeeld
-monitor.queue.numberworkers=Aantal werkers
-monitor.queue.maxnumberworkers=Maximum aantal werkers
-monitor.queue.settings.title=Pool instellingen
-monitor.queue.settings.maxnumberworkers=Maximum aantal workers
-monitor.queue.settings.maxnumberworkers.placeholder=Momenteel %[1]d
-monitor.queue.settings.maxnumberworkers.error=Maximaal aantal workers moet een nummer zijn
-monitor.queue.settings.submit=Instellingen bijwerken
-monitor.queue.settings.changed=Instellingen bijgewerkt
-
 notices.system_notice_list=Systeemmeldingen
 notices.view_detail_header=Bekijk notificatie details
 notices.select_all=Alles selecteren
@@ -3260,12 +3200,6 @@ notices.type_2=Taak
 notices.desc=Beschrijving
 notices.op=Op.
 notices.delete_success=De systeemmeldingen zijn verwijderd.
-monitor.queue.activeworkers = Actieve werkers
-monitor.queue.numberinqueue = Aantal in wachtrij
-monitor.queue.review_add = Werkers beoordelen of toevoegen
-monitor.queue.settings.desc = Pools groeien dynamisch in reactie op het blokkeren van hun wachtrijen.
-monitor.queue.settings.remove_all_items = Alles verwijderen
-monitor.queue.settings.remove_all_items_done = Alle items in de wachtrij zijn verwijderd.
 notices.operations = Operaties
 self_check.no_problem_found = Nog geen probleem gevonden.
 self_check.database_collation_mismatch = Verwacht dat de database collatie gebruikt: %s
@@ -3274,12 +3208,6 @@ users.cannot_delete_self = Je kunt jezelf niet verwijderen
 users.purge = Gebruiker wissen
 users.still_own_packages = Deze gebruiker bezit nog steeds één of meerdere pakketten, verwijder deze pakketten eerst.
 users.reset_2fa = 2FA opnieuw instellen
-users.list_status_filter.reset = Reset
-users.list_status_filter.not_admin = Niet beheerder
-users.list_status_filter.not_restricted = Niet beperkt
-users.list_status_filter.is_prohibit_login = Inloggen verbieden
-users.list_status_filter.not_prohibit_login = Inloggen toestaan
-users.list_status_filter.is_2fa_enabled = 2FA ingeschakeld
 users.details = Gebruikersgegevens
 emails.change_email_text = Weet je zeker dat je dit e-mailadres wilt bijwerken?
 repos.lfs_size = LFS grootte
@@ -3305,7 +3233,6 @@ packages.cleanup = Verlopen gegevens opschonen
 defaulthooks.add_webhook = Standaard webhook toevoegen
 auths.oauth2_required_claim_value_helper = Stel deze waarde in om het aanmelden vanuit deze bron te beperken tot gebruikers met een claim met deze naam en waarde
 users.remote = Externe
-users.list_status_filter.not_2fa_enabled = 2FA uitgeschakeld
 users.reserved = Gereserveerd
 defaulthooks.desc = Webhooks doen automatisch HTTP POST verzoeken naar een server wanneer bepaalde Forgejo gebeurtenissen zich voordoen. Webhooks defined here are defaults and will be copied into all new repositories. Read more in the <a target="_blank" rel="noopener" href="%s">webhooks guide</a>.
 auths.verify_group_membership = Controleer het groepslidmaatschap in LDAP (laat het filter leeg om over te slaan)
@@ -3500,7 +3427,6 @@ creation.name_placeholder = hoofdlettergevoelig, alleen alfanumerieke tekens of
 deletion.failed = Mislukt om geheim te verwijderen.
 
 [actions]
-variables.update.failed = Mislukt bij het bewerken van variabele.
 runs.no_runs = De workflow heeft nog geen runs.
 runs.empty_commit_message = (leeg commit bericht)
 workflow.disable = Workflow uitschakelen
@@ -3508,22 +3434,9 @@ workflow.enable = Workflow inschakelen
 workflow.enable_success = Workflow "%s" is succesvol ingeschakeld.
 workflow.disabled = Workflow is uitgeschakeld.
 need_approval_desc = Heb goedkeuring nodig om workflows uit te voeren voor fork pull request.
-variables = Variabelen
-variables.management = Variabelenbeheer
-variables.creation = Variabele toevoegen
-variables.deletion = Variabel verwijderen
-variables.deletion.description = Een variabele verwijderen is permanent en kan niet ongedaan worden gemaakt. Doorgaan?
 variables.id_not_exist = Variabele met ID %d bestaat niet.
-variables.edit = Variabele bewerken
-variables.deletion.failed = Mislukt om variabele te verwijderen.
-variables.deletion.success = De variabele is verwijderd.
-variables.creation.failed = Mislukt om variable toe te voegen.
-variables.creation.success = De variabele "%s" is toegevoegd.
-variables.update.success = De variabele is bewerkt.
 unit.desc = Beheer geïntegreerde CI/CD-pijplijnen met Forgejo Actions.
 workflow.disable_success = Workflow "%s" is succesvol uitgeschakeld.
-variables.none = Er zijn nog geen variabelen.
-variables.description = Variabelen worden doorgegeven aan bepaalde acties en kunnen anders niet worden gelezen.
 workflow.dispatch.trigger_found = Deze workflow heeft een <c>workflow_dispatch</c> event trigger.
 workflow.dispatch.success = Workflow-run is met succes aangevraagd.
 workflow.dispatch.use_from = Gebruik workflow van
@@ -3534,10 +3447,6 @@ workflow.dispatch.input_required = Waarde vereist voor invoer “%s”.
 runs.expire_log_message = Logs zijn verwijderd omdat ze te oud waren.
 runs.no_workflows.help_no_write_access = Om meer te weten te komen over Forgejo Acties, zie <a target="_blank" rel="noopener noreferrer" href="%s">de documentatie</a>.
 runs.no_workflows.help_write_access = Weet je niet hoe je moet beginnen met Forgejo Actions? Bekijk de <a target="_blank" rel="noopener noreferrer" href="%s">snelstart in de gebruikersdocumentatie</a> om je eerste workflow te schrijven en <a target="_blank" rel="noopener noreferrer" href="%s">stel vervolgens een Forgejo runner in</a> om je jobs uit te voeren.
-variables.not_found = De variabele kon niet gevonden worden.
-
-
-
 
 [projects]
 type-1.display_name = Individueel project
@@ -3585,10 +3494,6 @@ regexp = RegExp
 [munits.data]
 
 [markup]
-filepreview.line = Lijn %[1]d in %[2]s
-filepreview.lines = Lijnen %[1]d naar %[2]d in %[3]s
-filepreview.truncated = Voorbeeld is ingekort
-
 
 [translation_meta]
 test = Oké
diff --git a/options/locale/locale_pl-PL.ini b/options/locale/locale_pl-PL.ini
index 955ba44bce..7354373710 100644
--- a/options/locale/locale_pl-PL.ini
+++ b/options/locale/locale_pl-PL.ini
@@ -33,18 +33,6 @@ twofa=Uwierzytelnianie dwuskładnikowe
 twofa_scratch=Kod jednorazowy uwierzytelniania dwuskładnikowego
 passcode=Kod dostępu
 
-webauthn_insert_key=Podłącz swój klucz bezpieczeństwa
-webauthn_sign_in=Naciśnij przycisk na swoim kluczu bezpieczeństwa. Jeśli go nie posiada, podłącz go ponownie.
-webauthn_press_button=Naciśnij przycisk na swoim kluczu bezpieczeństwa…
-webauthn_use_twofa=Użyj kodu uwierzytelniania dwuskładnikowego ze swojego telefonu
-webauthn_error=Nie można odczytać Twojego klucza bezpieczeństwa.
-webauthn_unsupported_browser=Twoja przeglądarka nie obsługuje obecnie WebAuthn.
-webauthn_error_unknown=Wystąpił nieznany błąd. Spróbuj ponownie.
-webauthn_error_insecure=`WebAuthn obsługuje tylko bezpieczne połączenia. Do testowania przez HTTP można użyć "localhost" lub "127.0.0.1"`
-webauthn_error_unable_to_process=Serwer nie mógł obsłużyć Twojego żądania.
-webauthn_error_duplicated=Klucz bezpieczeństwa nie jest dozwolony dla tego żądania. Upewnij się, że klucz nie jest już zarejestrowany.
-webauthn_error_empty=Musisz ustawić nazwę dla tego klucza.
-webauthn_error_timeout=Osiągnięto limit czasu zanim Twój klucz może zostać odczytany. Odśwież stronę i spróbuj ponownie.
 repository=Repozytorium
 organization=Organizacja
 mirror=Kopia lustrzana
@@ -2924,34 +2912,6 @@ dashboard.resync_all_hooks=Ponownie synchronizuj hooki Git we wszystkich repozyt
 dashboard.reinit_missing_repos=Ponownie zainicjalizuj wszystkie brakujące repozytoria Git, dla których istnieją rekordy
 dashboard.sync_external_users=Synchronizuj zewnętrzne dane użytkownika
 dashboard.cleanup_hook_task_table=Wyczyść tabelę hook_task
-dashboard.server_uptime=Czas pracy serwera
-dashboard.current_goroutine=Bieżące goroutines
-dashboard.current_memory_usage=Bieżące użycie pamięci
-dashboard.total_memory_allocated=Całkowita przydzielona pamięć
-dashboard.memory_obtained=Pamięć uzyskana
-dashboard.pointer_lookup_times=Czas określania wskaźników
-dashboard.memory_allocate_times=Alokacje pamięci
-dashboard.memory_free_times=Zwolnienie pamięci
-dashboard.current_heap_usage=Bieżące użycie sterty
-dashboard.heap_memory_obtained=Uzyskana pamięć sterty
-dashboard.heap_memory_idle=Bezczynna pamięć sterty
-dashboard.heap_memory_in_use=Używana pamięć sterty
-dashboard.heap_memory_released=Zwolniona pamięć sterty
-dashboard.heap_objects=Ilość obiektów na stercie
-dashboard.bootstrap_stack_usage=Użycie stosu bootstrap
-dashboard.stack_memory_obtained=Uzyskana pamięć stosu
-dashboard.mspan_structures_usage=Użycie struktur MSpan
-dashboard.mspan_structures_obtained=Uzyskane struktury MSpan
-dashboard.mcache_structures_usage=Użycie struktur MCache
-dashboard.mcache_structures_obtained=Uzyskane struktury MCache
-dashboard.profiling_bucket_hash_table_obtained=Uzyskana tablica haszująca profilowania
-dashboard.gc_metadata_obtained=Ilość metadanych uzyskanych przez GC
-dashboard.other_system_allocation_obtained=Inne uzyskane alokacje systemowe
-dashboard.next_gc_recycle=Następne wywołanie GC
-dashboard.last_gc_time=Czas od ostatniego wywołania GC
-dashboard.total_gc_pause=Sumaryczny czas wstrzymania przez GC
-dashboard.last_gc_pause=Ostatnie wstrzymanie przez GC
-dashboard.gc_times=Ilość wywołań GC
 dashboard.delete_old_actions=Usuń wszystkie stare akcje z bazy danych
 dashboard.delete_old_actions.started=Usuwanie wszystkich starych akcji z bazy danych rozpoczęte.
 
@@ -2991,10 +2951,6 @@ users.still_own_repo=Ten użytkownik jest właścicielem jednego lub większej i
 users.still_has_org=Ten użytkownik jest członkiem organizacji. Musisz go najpierw usunąć ze wszystkich organizacji.
 users.deletion_success=Konto użytkownika zostało usunięte.
 users.reset_2fa=Zresetuj 2FA
-users.list_status_filter.is_active=Aktywne
-users.list_status_filter.is_admin=Administrator
-users.list_status_filter.is_restricted=Ograniczone
-
 emails.email_manage_panel=Zarządzanie adresami e-mail
 emails.primary=Podstawowy
 emails.activated=Aktywowany
@@ -3249,20 +3205,6 @@ monitor.process.cancel=Anuluj proces
 monitor.process.cancel_desc=Anulowanie procesu może spowodować utratę danych
 monitor.process.cancel_notices=Anuluj: <strong>%s</strong>?
 
-monitor.queues=Kolejki
-monitor.queue=Kolejka: %s
-monitor.queue.name=Nazwa
-monitor.queue.type=Typ
-monitor.queue.exemplar=Przykładowy typ
-monitor.queue.numberworkers=Liczba procesów pracujących
-monitor.queue.maxnumberworkers=Maksymalna Liczba procesów pracujących
-monitor.queue.settings.title=Ustawienia puli
-monitor.queue.settings.maxnumberworkers=Maksymalna liczba procesów pracujących
-monitor.queue.settings.maxnumberworkers.placeholder=Obecnie %[1]d
-monitor.queue.settings.maxnumberworkers.error=Maksymalna liczba procesów pracujących musi być liczbą
-monitor.queue.settings.submit=Aktualizuj ustawienia
-monitor.queue.settings.changed=Zaktualizowano ustawienia
-
 notices.system_notice_list=Powiadomienia systemu
 notices.view_detail_header=Szczegóły powiadomienia
 notices.select_all=Wybierz wszystkie
@@ -3280,17 +3222,14 @@ monitor.last_execution_result = Wynik
 monitor.process.children = Dzieci
 integrations = Integracje
 users.bot = Bot
-users.list_status_filter.menu_text = Filtr
 packages.version = Wersja
 packages.creator = Twórca
-users.list_status_filter.not_active = Nieaktywne
 notices.operations = Operacje
 config.send_test_mail_submit = Wyślij
 packages.published = Opublikowane
 config.mailer_protocol = Protokół
 monitor.stats = Statystyki
 users.remote = Zdalnie
-users.list_status_filter.reset = Zresetuj
 config_summary = Podsumowanie
 config_settings = Ustawienia
 assets = Zasoby kodu
@@ -3311,10 +3250,6 @@ dashboard.stop_zombie_tasks = Zatrzymaj zadania zombi akcji
 users.cannot_delete_self = Nie możesz usunąć sam(a) siebie
 packages.cleanup.success = Pomyślnie wyczyszczono przedawnione dane
 dashboard.sync_tag.started = Synchronizacja tagu rozpoczęta
-users.list_status_filter.not_restricted = Nie ograniczony
-users.list_status_filter.is_prohibit_login = Zabroń logowania
-users.list_status_filter.not_prohibit_login = Zezwól na logowanie
-users.list_status_filter.is_2fa_enabled = 2FA włączone
 dashboard.gc_lfs = Wywołaj GC na metaobiektach LFS
 dashboard.stop_endless_tasks = Zatrzymaj niekończące się zadania akcji
 repos.lfs_size = Wielkość LFS
@@ -3330,8 +3265,6 @@ users.restricted.description = Zezwól tylko na interakcje z repozytoriami i org
 users.local_import.description = Zezwól na importowanie repozytoriów z lokalnego systemu plików serwera. To może być problemem zabezpieczeń.
 users.organization_creation.description = Zezwól na tworzenie nowych organizacji.
 users.still_own_packages = Ten użytkownik nadal jest właścicielem jednego lub więcej pakietów, usuń najpierw te pakiety.
-users.list_status_filter.not_admin = Nie administrator
-users.list_status_filter.not_2fa_enabled = 2FA wyłączone
 emails.change_email_text = Czy jesteś pewien(-na), że chcesz zaktualizować ten adres e-mail?
 emails.delete = Usuń adres e-mail
 emails.delete_desc = Czy jesteś pewien(-na), że chcesz usunąć ten adres e-mail?
@@ -3343,9 +3276,6 @@ dashboard.new_version_hint = Forgejo %s jest już dostępne, w tej chwili korzys
 identity_access = Tożsamość i dostęp
 dashboard.cron.cancelled = Cron: %[1]s anulowany: %[3]s
 config.domain = Domena serwera
-monitor.queue.activeworkers = Aktywne procesy pracujące
-monitor.queue.settings.remove_all_items = Usuń wszystkie
-monitor.queue.settings.desc = Pule rosną dynamicznie w odpowiedzi na blokadę kolejki procesów pracujących.
 config.mailer_config = Konfiguracja Mailer
 auths.tip.gitea = Zarejestruj nową aplikację OAuth2. Przewodnik można znaleźć na %s
 auths.unable_to_initialize_openid = Nie można zainicjalizować Dostawcy Uwierzytelniania OpenID Connect: %s
@@ -3353,7 +3283,6 @@ auths.force_smtps = Wymuś SMTPS
 auths.helo_hostname = Nazwa hosta HELO
 self_check = Autoweryfikacja
 config.mailer_enable_helo = Włącz HELO
-monitor.queue.settings.remove_all_items_done = Wszystkie elementy w kolejce zostały usunięte.
 auths.tips.gmail_settings = Ustawienia Gmail:
 auths.map_group_to_team_removal = Usuń użytkowników z synchronizowanych zespołów jeżeli użytkownik nie należy do odpowiadającej grupy LDAP
 auths.enable_ldap_groups = Włącz grupy LDAP
@@ -3370,8 +3299,6 @@ config.mailer_use_dummy = Testowa
 config.cache_test_failed = Nie udało się zbadać pamięci podręcznej: %v.
 config.cache_test = Przetestuj Pamięć Podręczną
 monitor.processes_count = %d Procesów
-monitor.queue.numberinqueue = Liczba w kolejce
-monitor.queue.review_add = Sprawdź / dodaj procesy pracujące
 self_check.no_problem_found = Nie znaleziono jeszcze żadnych problemów.
 config.cache_test_succeeded = Test pamięci podręcznej zakończony powodzeniem, otrzymano odpowiedź w ciągu %s.
 auths.login_source_exist = Źródło uwierzytelniania "%s" już istnieje.
@@ -3503,28 +3430,13 @@ management = Zarządzaj sekretami
 deletion.failed = Nie udało się usunąć sekretu.
 
 [actions]
-variables = Zmienne
 variables.id_not_exist = Zmienna o ID %d nie istnieje.
-variables.edit = Edytuj Zmienną
-variables.update.failed = Nie udało się zmienić zmiennej.
-variables.creation.success = Zmienna "%s" została dodana.
-variables.creation.failed = Nie udało się dodać zmiennej.
-variables.deletion.success = Zmienna została usunięta.
-variables.update.success = Zmienna została zmieniona.
-variables.deletion.failed = Nie udało się usunąć zmiennej.
 runs.no_workflows.help_write_access = Nie wiesz jak zacząć z Forgejo Actions? Sprawdź <a target="_blank" rel="noopener noreferrer" href="%s">szybki start w dokumentacji użytkownika</a> i napisz swój pierwszy proces pracy, a następnie <a target="_blank" rel="noopener noreferrer" href="%s">skonfiguruj runnera Forgejo</a> by wykonywał twoje zadania.
-variables.deletion.description = Usunięcie zmiennej jest permanentne i nie może zostać cofnięte. Kontynuować?
-variables.deletion = Usuń zmienną
-variables.management = Zarządzaj zmiennymi
 runs.expire_log_message = Logi zostały oczyszczone ponieważ były za stare.
-variables.none = Nie ma jeszcze zmiennych.
 runs.empty_commit_message = (pusta wiadomość commita)
-variables.creation = Dodaj zmienną
 runs.no_workflows.help_no_write_access = By dowiedzieć się o Forgejo Actions, zobacz <a target="_blank" rel="noopener noreferrer" href="%s">dokumentację</a>.
-variables.description = Zmienne będą przekazane pewnym akcjom, nie mogą być odczytane inaczej.
 workflow.disable = Wyłącz proces pracy
 unit.desc = Zarządzaj zintegrowanymi procesami CI/CD z Forgejo Actions.
-variables.not_found = Nie udało się znaleźć zmiennej.
 runs.no_runs = Ten proces pracy nie ma jeszcze uruchomień.
 workflow.dispatch.use_from = Wykorzystaj proces pracy z
 workflow.disabled = Proces pracy jest wyłączony.
@@ -3587,9 +3499,6 @@ regexp_tooltip = Interpretuj wyszukiwane hasło jako wyrażenie regularne
 
 
 [markup]
-filepreview.lines = Linie %[1]d do %[2]d w %[3]s
-filepreview.truncated = Podgląd został przycięty
-filepreview.line = Linia %[1]d w %[2]s
 
 [translation_meta]
 test = Litwo, Ojczyzno moja! ty jesteś jak zdrowie; ile cię trzeba cenić, ten tylko się dowie, kto cię stracił. Dziś piękność twą w całej ozdobie widzę i opisuję, bo tęsknię po tobie :)
diff --git a/options/locale/locale_pt-BR.ini b/options/locale/locale_pt-BR.ini
index 779b328087..7e505b6920 100644
--- a/options/locale/locale_pt-BR.ini
+++ b/options/locale/locale_pt-BR.ini
@@ -36,18 +36,6 @@ twofa=Autenticação de dois fatores
 twofa_scratch=Código de uso único da autenticação de dois fatores
 passcode=Senha
 
-webauthn_insert_key=Insira sua chave de segurança
-webauthn_sign_in=Pressione o botão na sua chave de segurança. Caso a sua chave de segurança não possuir um botão, insira-a novamente.
-webauthn_press_button=Pressione o botão na sua chave de segurança…
-webauthn_use_twofa=Use um código de duas etapas do seu telefone
-webauthn_error=Não foi possível ler sua chave de segurança.
-webauthn_unsupported_browser=Seu navegador não oferece suporte ao WebAuthn.
-webauthn_error_unknown=Ocorreu um erro desconhecido. Tente novamente.
-webauthn_error_insecure=WebAuthn suporta apenas conexões seguras. Para testar via HTTP, você pode usar a origem "localhost" ou "127.0.0.1"
-webauthn_error_unable_to_process=O servidor não pôde processar sua solicitação.
-webauthn_error_duplicated=A chave de segurança não é permitida para esta solicitação. Por favor, certifique-se que a chave já não está registrada.
-webauthn_error_empty=Você deve definir um nome para esta chave.
-webauthn_error_timeout=Não foi possível ler a sua chave de segurança antes do tempo limite. Atualize a página e tente novamente.
 repository=Repositório
 organization=Organização
 mirror=Espelhamento
@@ -2932,34 +2920,6 @@ dashboard.reinit_missing_repos=Reinicializar todos os repositórios Git perdidos
 dashboard.sync_external_users=Sincronizar dados de usuário externo
 dashboard.cleanup_hook_task_table=Limpar tabela hook_task
 dashboard.cleanup_packages=Limpar pacotes expirados
-dashboard.server_uptime=Tempo de atividade do servidor
-dashboard.current_goroutine=Goroutines atuais
-dashboard.current_memory_usage=Uso de memória atual
-dashboard.total_memory_allocated=Total de memória alocada
-dashboard.memory_obtained=Memória obtida
-dashboard.pointer_lookup_times=Número de consultas a ponteiros
-dashboard.memory_allocate_times=Alocações de memória
-dashboard.memory_free_times=Liberações de memória
-dashboard.current_heap_usage=Uso atual da heap
-dashboard.heap_memory_obtained=Memória de heap obtida
-dashboard.heap_memory_idle=Memória de heap ociosa
-dashboard.heap_memory_in_use=Memória de heap em uso
-dashboard.heap_memory_released=Memória de heap liberada
-dashboard.heap_objects=Objetos na heap
-dashboard.bootstrap_stack_usage=Uso de pilha bootstrap
-dashboard.stack_memory_obtained=Memória de pilha obtida
-dashboard.mspan_structures_usage=Uso de estruturas MSpan
-dashboard.mspan_structures_obtained=Estruturas MSpan obtidas
-dashboard.mcache_structures_usage=Uso de estruturas MCache
-dashboard.mcache_structures_obtained=Estruturas MCache obtidas
-dashboard.profiling_bucket_hash_table_obtained=Hash table de profiling bucket obtida
-dashboard.gc_metadata_obtained=Metadados do GC obtidos
-dashboard.other_system_allocation_obtained=Outra alocação de sistema obtida
-dashboard.next_gc_recycle=Próxima reciclagem do GC
-dashboard.last_gc_time=Tempo desde última GC
-dashboard.total_gc_pause=Pausa total de GC
-dashboard.last_gc_pause=Última pausa de GC
-dashboard.gc_times=Número de execuções do GC
 dashboard.delete_old_actions=Excluir todas as atividades antigas do banco de dados
 dashboard.delete_old_actions.started=A exclusão de todas as atividades antigas do banco de dados foi iniciada.
 dashboard.update_checker=Verificador de atualização
@@ -3011,18 +2971,6 @@ users.purge_help=Exclua forçosamente o usuário e quaisquer repositórios, orga
 users.still_own_packages=Este usuário é dono de um ou mais pacotes. Exclua estes pacotes antes de continuar.
 users.deletion_success=A conta de usuário foi excluída.
 users.reset_2fa=Reinicializar 2FA
-users.list_status_filter.menu_text=Filtro
-users.list_status_filter.reset=Reset
-users.list_status_filter.is_active=Ativo
-users.list_status_filter.not_active=Inativo
-users.list_status_filter.is_admin=Administrador
-users.list_status_filter.not_admin=Não administrador
-users.list_status_filter.is_restricted=Restrito
-users.list_status_filter.not_restricted=Não restrito
-users.list_status_filter.is_prohibit_login=Proibir login
-users.list_status_filter.not_prohibit_login=Permitir login
-users.list_status_filter.is_2fa_enabled=Autenticação de dois fatores ativada
-users.list_status_filter.not_2fa_enabled=Autenticação em duas etapas desativada
 users.details=Detalhes do usuário
 
 emails.email_manage_panel=Gerenciar e-mails de usuários
@@ -3336,23 +3284,6 @@ monitor.process.cancel_desc=Cancelar um processo pode causar perda de dados
 monitor.process.cancel_notices=Cancelar: <strong>%s</strong>?
 monitor.process.children=Descendentes
 
-monitor.queues=Filas
-monitor.queue=Fila: %s
-monitor.queue.name=Nome
-monitor.queue.type=Tipo
-monitor.queue.exemplar=Tipo de modelo
-monitor.queue.numberworkers=Número de workers
-monitor.queue.maxnumberworkers=Número máximo de workers
-monitor.queue.numberinqueue=Número na fila
-monitor.queue.settings.title=Configurações do pool
-monitor.queue.settings.maxnumberworkers=Número máximo de executores
-monitor.queue.settings.maxnumberworkers.placeholder=Atualmente %[1]d
-monitor.queue.settings.maxnumberworkers.error=Número máximo de executores deve ser um número
-monitor.queue.settings.submit=Atualizar configurações
-monitor.queue.settings.changed=Configurações atualizadas
-monitor.queue.settings.remove_all_items=Remover tudo
-monitor.queue.settings.remove_all_items_done=Todos os itens da fila foram removidos.
-
 notices.system_notice_list=Avisos do sistema
 notices.view_detail_header=Detalhes do aviso
 notices.operations=Operações
@@ -3389,15 +3320,12 @@ dashboard.task.cancelled = Tarefa: %[1]s cancelada: %[3]s
 dashboard.sync_branch.started = Sincronização de ramos iniciada
 dashboard.sync_repo_branches = Sincronizar ramos perdidos do Git para o banco de dados
 packages.cleanup.success = Os dados expirados foram limpos com sucesso
-monitor.queue.activeworkers = Processos ativos
 systemhooks.desc = Os webhooks fazem automaticamente solicitações HTTP POST para um servidor quando certos eventos Forgejo são acionados. Os webhooks definidos aqui atuarão em todos os repositórios do sistema, então, considere quaisquer implicações de desempenho que isso possa ter. Leia mais no <a target="_blank" rel="noopener" href="%s">guia de webhooks</a>.
 defaulthooks.desc = Os webhooks fazem automaticamente solicitações HTTP POST para um servidor quando certos eventos Forgejo são acionados. Os webhooks definidos aqui são padrões e serão copiados para todos os novos repositórios. Leia mais no <a target="_blank" rel="noopener" href="%s">guia de webhooks</a>.
 self_check.database_fix_mysql = Para usuários do MySQL/MariaDB, você pode usar o comando "forgejo doctor convert" para corrigir os problemas de ordenamento, ou também pode corrigir o problema usando "ALTER ... COLLATE ..." SQLs manualmente.
-monitor.queue.settings.desc = Os pools crescem dinamicamente quando as filas de seus workers ficam bloqueadas.
 config.cache_test_succeeded = Teste de cache bem-sucedido, obteve uma resposta em %s.
 self_check.database_inconsistent_collation_columns = O banco de dados está usando o ordenamento %s, mas essas colunas estão usando ordenamentos incompatíveis. Isso pode causar alguns problemas inesperados.
 dashboard.rebuild_issue_indexer = Reconstruir indexador de problemas
-monitor.queue.review_add = Revisar / adicionar workers
 assets = Ativos de código
 config.open_with_editor_app_help = Os editores "Abrir com" para o menu clone. Se deixado em branco, o padrão será usado. Expanda para ver o padrão.
 config.cache_test_slow = Teste de cache bem-sucedido, mas a resposta é lenta: %s.
@@ -3510,21 +3438,8 @@ management=Gerenciamento de segredos
 unit.desc=Gerenciar pipelines integradas de CI/CD com Forgejo Actions.
 
 need_approval_desc=Precisa de aprovação para executar workflows para pull request do fork.
-variables.edit = Editar variável
-variables.deletion.success = A variável foi removida.
-variables.creation.success = A variável "%s" foi adicionada.
-variables.update.success = A variável foi editada.
-variables.creation = Adicionar variável
-variables.deletion = Remover variável
-variables.management = Gerenciar variáveis
-variables.none = Ainda não há variáveis.
-variables.update.failed = Falha ao editar a variável.
 runs.empty_commit_message = (mensagem de commit vazia)
-variables = Variáveis
 variables.id_not_exist = A variável com o ID %d não existe.
-variables.deletion.failed = Falha ao remover a variável.
-variables.creation.failed = Falha ao adicionar a variável.
-variables.description = As variáveis serão passadas para certas Actions e não poderão ser lidas de outra forma.
 workflow.dispatch.trigger_found = Este workflow tem um disparador de evento <c>workflow_dispatch</c>.
 workflow.dispatch.run = Executar workflow
 runs.no_runs = O workflow ainda não foi executado.
@@ -3538,12 +3453,9 @@ workflow.enable_success = Workflow "%s" ativado com sucesso.
 workflow.dispatch.success = Execução do workflow solicitada com sucesso.
 workflow.dispatch.input_required = Exigir um valor para a entrada "%s".
 workflow.dispatch.invalid_input_type = Tipo de entrada "%s" inválido.
-variables.deletion.description = Apagar uma variável é permanente e não pode ser desfeito. Continuar?
 runs.expire_log_message = Os logs foram apagados pois eram antigos demais.
 runs.no_workflows.help_no_write_access = Para aprender sobre as Actions do Forgejo, veja <a target="_blank" rel="noopener noreferrer" href="%s">a documentação</a>.
 runs.no_workflows.help_write_access = Não sabe como começar a usar as Actions do Forgejo? Veja o <a target="_blank" rel="noopener noreferrer" href="%s">guia de como começar na documentação do usuário</a> para escrever seu primeiro workflow, depois <a target="_blank" rel="noopener noreferrer" href="%s">configure um runner do Forgejo</a> para executar trabalhos.
-variables.not_found = Não foi possível encontrar a variável.
-
 
 [projects]
 type-1.display_name=Projeto individual
@@ -3591,9 +3503,6 @@ regexp = ExpReg
 [munits.data]
 
 [markup]
-filepreview.line = Linha %[1]d em %[2]s
-filepreview.lines = Linhas %[1]d a %[2]d em %[3]s
-filepreview.truncated = Pré-visualização truncada
 
 [repo.permissions]
 pulls.write = <b>Escrita:</b> Encerrar propostas de revisão e gerir metadados como rótulos, marcos, responsáveis, prazos e dependências.
diff --git a/options/locale/locale_pt-PT.ini b/options/locale/locale_pt-PT.ini
index ddba7440d5..cede616bce 100644
--- a/options/locale/locale_pt-PT.ini
+++ b/options/locale/locale_pt-PT.ini
@@ -37,18 +37,6 @@ twofa=Autenticação de dois fatores
 twofa_scratch=Código de uso único de dois fatores
 passcode=Código
 
-webauthn_insert_key=Insira a sua chave de segurança
-webauthn_sign_in=Pressione o botão da sua chave de segurança. Se a sua chave de segurança não tiver um botão, insira-a novamente.
-webauthn_press_button=Por favor, prima o botão da sua chave de segurança…
-webauthn_use_twofa=Usar um código de dois passos do seu telefone
-webauthn_error=Não foi possível ler a sua chave de segurança.
-webauthn_unsupported_browser=O seu navegador não oferece suporte ao WebAuthn.
-webauthn_error_unknown=Ocorreu um erro desconhecido. Tente novamente, por favor.
-webauthn_error_insecure=`WebAuthn apenas suporta conexões seguras. Para testar sobre HTTP, pode usar a origem "localhost" ou "127.0.0.1"`
-webauthn_error_unable_to_process=O servidor não conseguiu processar o seu pedido.
-webauthn_error_duplicated=A chave de segurança não é permitida neste pedido. Certifique-se de que a chave não está já registada.
-webauthn_error_empty=Você tem que definir um nome para esta chave.
-webauthn_error_timeout=O tempo limite foi atingido antes que a sua chave pudesse ser lida. Recarregue esta página e tente novamente.
 repository=Repositório
 organization=Organização
 mirror=Réplica
@@ -2938,34 +2926,6 @@ dashboard.sync_external_users=Sincronizar dados externos do utilizador
 dashboard.cleanup_hook_task_table=Limpar tabela hook_task
 dashboard.cleanup_packages=Limpar pacotes expirados
 dashboard.cleanup_actions=Limpar registos e artefactos expirados das operações
-dashboard.server_uptime=Tempo em funcionamento contínuo do servidor
-dashboard.current_goroutine=Goroutines em execução
-dashboard.current_memory_usage=Utilização de memória corrente
-dashboard.total_memory_allocated=Total de memória alocada
-dashboard.memory_obtained=Memória obtida
-dashboard.pointer_lookup_times=N. º de consultas a ponteiros
-dashboard.memory_allocate_times=Alocações de memória
-dashboard.memory_free_times=Libertações de memória
-dashboard.current_heap_usage=Uso corrente da heap
-dashboard.heap_memory_obtained=Memória heap obtida
-dashboard.heap_memory_idle=Memória heap em repouso
-dashboard.heap_memory_in_use=Memória heap em uso
-dashboard.heap_memory_released=Memória heap libertada
-dashboard.heap_objects=Elementos heap
-dashboard.bootstrap_stack_usage=Uso da pilha de arranque
-dashboard.stack_memory_obtained=Memória da pilha obtida
-dashboard.mspan_structures_usage=Uso das estruturas MSpan
-dashboard.mspan_structures_obtained=Estruturas MSpan obtidas
-dashboard.mcache_structures_usage=Uso das estruturas MCache
-dashboard.mcache_structures_obtained=Estruturas MCache obtidas
-dashboard.profiling_bucket_hash_table_obtained=Perfil obtido da tabela de hash do balde
-dashboard.gc_metadata_obtained=Metadados obtidos da recolha de lixo
-dashboard.other_system_allocation_obtained=Outras alocações de sistema obtidas
-dashboard.next_gc_recycle=Próxima reciclagem da recolha de lixo
-dashboard.last_gc_time=Tempo decorrido desde a última recolha de lixo
-dashboard.total_gc_pause=Pausa total da recolha de lixo
-dashboard.last_gc_pause=Última pausa da recolha de lixo
-dashboard.gc_times=N.º de recolhas de lixo
 dashboard.delete_old_actions=Eliminar todos os trabalhos antigos da base de dados
 dashboard.delete_old_actions.started=Foi iniciado o processo de eliminação de todos os trabalhos antigos da base de dados.
 dashboard.update_checker=Verificador de novas versões
@@ -3023,18 +2983,6 @@ users.purge_help=Eliminar o utilizador à força, juntamente com todos os seus r
 users.still_own_packages=Este utilizador ainda possui um ou mais pacotes, elimine esses pacotes primeiro.
 users.deletion_success=A conta de utilizador foi eliminada.
 users.reset_2fa=Reinicializar a autenticação em dois passos
-users.list_status_filter.menu_text=Filtro
-users.list_status_filter.reset=Reiniciar
-users.list_status_filter.is_active=Ligado
-users.list_status_filter.not_active=Desligado
-users.list_status_filter.is_admin=Administrador
-users.list_status_filter.not_admin=Não Administrador
-users.list_status_filter.is_restricted=Restrito
-users.list_status_filter.not_restricted=Não restrito/a
-users.list_status_filter.is_prohibit_login=Proibir início de sessão
-users.list_status_filter.not_prohibit_login=Permitir início de sessão
-users.list_status_filter.is_2fa_enabled=Autenticação em dois passos habilitada
-users.list_status_filter.not_2fa_enabled=Autenticação em dois passos desabilitada
 users.details=Detalhes do utilizador
 
 emails.email_manage_panel=Gerir endereços de email do utilizador
@@ -3353,26 +3301,6 @@ monitor.process.cancel_desc=Cancelar um processo pode resultar na perda de dados
 monitor.process.cancel_notices=Cancelar: <strong>%s</strong>?
 monitor.process.children=Descendentes
 
-monitor.queues=Filas
-monitor.queue=Fila: %s
-monitor.queue.name=Nome
-monitor.queue.type=Tipo
-monitor.queue.exemplar=Tipo de exemplar
-monitor.queue.numberworkers=N.º de trabalhadores
-monitor.queue.activeworkers=Trabalhadores operantes
-monitor.queue.maxnumberworkers=N.º máximo de trabalhadores
-monitor.queue.numberinqueue=N.º na fila
-monitor.queue.review_add=Rever / adicionar trabalhadores
-monitor.queue.settings.title=Configurações do agregado
-monitor.queue.settings.desc=Agregados crescem dinamicamente em resposta aos bloqueios da sua fila de trabalhadores.
-monitor.queue.settings.maxnumberworkers=N.º máximo de trabalhadores
-monitor.queue.settings.maxnumberworkers.placeholder=De momento %[1]d
-monitor.queue.settings.maxnumberworkers.error=O número máximo de trabalhadores tem que ser um número
-monitor.queue.settings.submit=Modificar configurações
-monitor.queue.settings.changed=Configurações modificadas
-monitor.queue.settings.remove_all_items=Remover tudo
-monitor.queue.settings.remove_all_items_done=Todos os itens da fila foram removidos.
-
 notices.system_notice_list=Notificações do sistema
 notices.view_detail_header=Detalhes da notificação
 notices.operations=Operações
@@ -3517,21 +3445,7 @@ workflow.disabled=A sequência de trabalho está desabilitada.
 
 need_approval_desc=É necessária aprovação para executar sequências de trabalho para a derivação do pedido de integração.
 
-variables=Variáveis
-variables.management=Gerir variáveis
-variables.creation=Adicionar variável
-variables.none=Ainda não há variáveis.
-variables.deletion=Remover variável
-variables.deletion.description=Remover uma variável é permanente e não pode ser revertido. Quer continuar?
-variables.description=As variáveis serão transmitidas a certas operações e não poderão ser lidas de outra forma.
 variables.id_not_exist=A variável com o ID %d não existe.
-variables.edit=Editar variável
-variables.deletion.failed=Falha ao remover a variável.
-variables.deletion.success=A variável foi removida.
-variables.creation.failed=Falha ao adicionar a variável.
-variables.creation.success=A variável "%s" foi adicionada.
-variables.update.failed=Falha ao editar a variável.
-variables.update.success=A variável foi editada.
 workflow.dispatch.use_from = Usar sequência de trabalho de
 workflow.dispatch.run = Executar sequência de trabalho
 workflow.dispatch.input_required = Exigir valor para a entrada "%s".
@@ -3542,7 +3456,6 @@ workflow.dispatch.invalid_input_type = Tipo de entrada "%s" inválido.
 runs.expire_log_message = Os registos foram purgados por serem demasiado antigos.
 runs.no_workflows.help_no_write_access = Para aprender sobre Forgejo Actions, veja<a target="_blank" rel="noopener noreferrer" href="%s">a documentação</a>.
 runs.no_workflows.help_write_access = Não sabe como começar com o Forgejo Actions? Consulte o <a target="_blank" rel="noopener noreferrer" href="%s">início rápido na documentação do utilizador</a> para escrever a sua primeira sequência de trabalho, depois <a target="_blank" rel="noopener noreferrer" href="%s">prepare um executor Forgejo</a> para executar os seus trabalhos.
-variables.not_found = Não foi possível encontrar a variável.
 
 [projects]
 type-1.display_name=Projeto individual
@@ -3590,9 +3503,6 @@ regexp = ExpReg
 [munits.data]
 
 [markup]
-filepreview.lines = Linhas %[1]d até %[2]d em %[3]s
-filepreview.line = Linha %[1]d em %[2]s
-filepreview.truncated = A previsão foi truncada
 
 [translation_meta]
 test = ok :)
diff --git a/options/locale/locale_ro.ini b/options/locale/locale_ro.ini
index e2b404808c..ec266dfd90 100644
--- a/options/locale/locale_ro.ini
+++ b/options/locale/locale_ro.ini
@@ -28,14 +28,6 @@ password = Parolă
 access_token = Token de acces
 captcha = CAPTCHA
 twofa = Autentificare prin doi factori
-webauthn_insert_key = Inserează cheia de securitate
-webauthn_press_button = Apasă butonul de pe cheia de securitate…
-webauthn_use_twofa = Folosește un cod de verificare de pe telefon
-webauthn_error = Cheia de securitate nu a putut fi citită.
-webauthn_unsupported_browser = Browserul tău nu are abilități WebAuthn pe moment.
-webauthn_error_unable_to_process = Serverul nu a putut procesa cererea.
-webauthn_error_duplicated = Cheia de securitate nu este permisă pentru această cerere. Asigură-te că cheia nu este înregistrată deja.
-webauthn_error_empty = Trebuie să setezi un nume pentru această cheie.
 organization = Organizație
 mirror = Oglindă
 settings = Setări
@@ -79,9 +71,7 @@ filter = Filtru
 filter.clear = Șterge filtre
 filter.is_archived = Arhivat
 enable_javascript = Acest site are nevoie de JavaScript.
-webauthn_error_unknown = O eroare necunoscută a apărut. Te rog reîncearcă.
 re_type = Confirmă parola
-webauthn_sign_in = Apasă butonul de pe cheia de securitate. Dacă cheia de securitate nu are un buton, reintrodu-o.
 new_mirror = Oglindă nouă
 new_project = Proiect nou
 remove_label_str = Șterge elementul "%s"
@@ -92,8 +82,6 @@ error404 = Pagina pe care încercați să o vizitați fie <strong>nu există</st
 filter.not_archived = Nearhivat
 activities = Activități
 confirm_delete_selected = Ștergi toate elementele selectate?
-webauthn_error_insecure = WebAuthn funcționează doar prin conexiuni securizate. Pentru a testa folosind HTTP, poți folosi "localhost" sau "127.0.0.1" ca origine
-webauthn_error_timeout = Limita de timp a fost depășită înainte ca cheia ta să poată fi citită. Reîncarcă pagina și reîncearcă.
 copy_error = Copiere eșuată
 concept_user_individual = Individual
 unknown = Necunoscut
diff --git a/options/locale/locale_ru-RU.ini b/options/locale/locale_ru-RU.ini
index 0e9ec2d653..43e21a0c18 100644
--- a/options/locale/locale_ru-RU.ini
+++ b/options/locale/locale_ru-RU.ini
@@ -36,18 +36,6 @@ twofa=Двухфакторная аутентификация
 twofa_scratch=Код восстановления 2ФА
 passcode=Код
 
-webauthn_insert_key=Вставьте ваш токен авторизации
-webauthn_sign_in=Подтвердите действие на токене авторизации. Если на вашем токене нет кнопки, вставьте его заново.
-webauthn_press_button=Подтвердите действие на токене авторизации…
-webauthn_use_twofa=Используйте двухфакторный код с вашего телефона
-webauthn_error=Не удалось прочитать токен авторизации.
-webauthn_unsupported_browser=Ваш браузер в настоящее время не поддерживает WebAuthn.
-webauthn_error_unknown=Произошла неизвестная ошибка. Повторите попытку.
-webauthn_error_insecure=WebAuthn поддерживает только безопасные соединения. Для тестирования по HTTP можно использовать "localhost" или "127.0.0.1"
-webauthn_error_unable_to_process=Сервер не смог обработать ваш запрос.
-webauthn_error_duplicated=Этот токен авторизации не разрешен для выполнения этого запроса. Убедитесь, что токен не был зарегистрирован ранее.
-webauthn_error_empty=Необходимо задать имя для этого ключа.
-webauthn_error_timeout=Время истекло раньше, чем ключ был прочитан. Перезагрузите эту страницу и повторите попытку.
 repository=Репозиторий
 organization=Организация
 mirror=Зеркало
@@ -2935,34 +2923,6 @@ dashboard.reinit_missing_repos=Переинициализировать все 
 dashboard.sync_external_users=Синхронизировать данные сторонних пользователей
 dashboard.cleanup_hook_task_table=Очистить таблицу hook_task
 dashboard.cleanup_packages=Удалить устаревшие пакеты
-dashboard.server_uptime=Время работы
-dashboard.current_goroutine=Выполняемые goroutines
-dashboard.current_memory_usage=Текущее использование памяти
-dashboard.total_memory_allocated=Всего памяти выделялось
-dashboard.memory_obtained=Получено памяти
-dashboard.pointer_lookup_times=Поисков указателя
-dashboard.memory_allocate_times=Выделений памяти
-dashboard.memory_free_times=Высвобождений памяти
-dashboard.current_heap_usage=Текущее использование кучи
-dashboard.heap_memory_obtained=Получено динамической памяти
-dashboard.heap_memory_idle=Простаивающая динамическая память
-dashboard.heap_memory_in_use=Используемая динамическая память
-dashboard.heap_memory_released=Освобождено динамической памяти
-dashboard.heap_objects=Объектов динамической памяти
-dashboard.bootstrap_stack_usage=Использование стека загрузчика
-dashboard.stack_memory_obtained=Стековой памяти выделялось
-dashboard.mspan_structures_usage=Использование структур MSpan
-dashboard.mspan_structures_obtained=Структур MSpan выделялось
-dashboard.mcache_structures_usage=Использование структур MCache
-dashboard.mcache_structures_obtained=Получено структур MCache
-dashboard.profiling_bucket_hash_table_obtained=Хеш-таблиц получено при профайлинге
-dashboard.gc_metadata_obtained=Метаданных сборщика мусора создавалось
-dashboard.other_system_allocation_obtained=Прочие системные выделения памяти
-dashboard.next_gc_recycle=Следующее высвобождение сборщиком мусора
-dashboard.last_gc_time=Прошло с последнего сбора мусора
-dashboard.total_gc_pause=Итоговая задержка сборщика
-dashboard.last_gc_pause=Последняя пауза сборщика
-dashboard.gc_times=Сборок мусора
 dashboard.delete_old_actions=Удалить все старые активности из базы данных
 dashboard.delete_old_actions.started=Запущено удаление всех старых активностей из БД.
 dashboard.update_checker=Проверка обновлений
@@ -3016,18 +2976,6 @@ users.purge_help=Принудительно удалить все данные,
 users.still_own_packages=Этот пользователь всё ещё владеет одним или несколькими пакетами, сначала удалите их.
 users.deletion_success=Учётная запись успешно удалена.
 users.reset_2fa=Сброс 2ФА
-users.list_status_filter.menu_text=Фильтр
-users.list_status_filter.reset=Сбросить
-users.list_status_filter.is_active=Активные
-users.list_status_filter.not_active=Неактивные
-users.list_status_filter.is_admin=Администраторы
-users.list_status_filter.not_admin=Не администраторы
-users.list_status_filter.is_restricted=Ограниченные
-users.list_status_filter.not_restricted=Не ограниченные
-users.list_status_filter.is_prohibit_login=Вход запрещён
-users.list_status_filter.not_prohibit_login=Вход разрешён
-users.list_status_filter.is_2fa_enabled=2ФА включена
-users.list_status_filter.not_2fa_enabled=2ФА отключена
 users.details=О пользователе
 
 emails.email_manage_panel=Управление адресами эл. почты пользователей
@@ -3343,25 +3291,6 @@ monitor.process.cancel_desc=Отмена процесса может приве
 monitor.process.cancel_notices=Отменить: <strong>%s</strong>?
 monitor.process.children=Потомки
 
-monitor.queues=Очереди
-monitor.queue=Очередь: %s
-monitor.queue.name=Имя
-monitor.queue.type=Тип
-monitor.queue.exemplar=Тип образца
-monitor.queue.numberworkers=Количество обработчиков
-monitor.queue.activeworkers=Активные обработчики
-monitor.queue.maxnumberworkers=Макс. количество обработчиков
-monitor.queue.numberinqueue=Позиция в очереди
-monitor.queue.settings.title=Настройки пула
-monitor.queue.settings.desc=Пулы динамически растут в зависимости от блокировки очередей их рабочих.
-monitor.queue.settings.maxnumberworkers=Макс. количество обработчиков
-monitor.queue.settings.maxnumberworkers.placeholder=В настоящий момент %[1]d
-monitor.queue.settings.maxnumberworkers.error=Максимальное количество обработчиков должно быть числом
-monitor.queue.settings.submit=Обновить настройки
-monitor.queue.settings.changed=Настройки обновлены
-monitor.queue.settings.remove_all_items=Удалить все
-monitor.queue.settings.remove_all_items_done=Все элементы в очереди были удалены.
-
 notices.system_notice_list=Системные оповещения
 notices.view_detail_header=Подробности уведомления
 notices.operations=Операции
@@ -3400,7 +3329,6 @@ config.open_with_editor_app_help = Приложения для "Открыть 
 config_settings = Настройки
 auths.tips.gmail_settings = Настройки Gmail:
 auths.tip.gitlab_new = Создайте новое приложение в %s
-monitor.queue.review_add = Подробности / добавить обработчики
 auths.default_domain_name = Домен по умолчанию для адресов эл. почты
 config.app_slogan = Лозунг сервера
 config.cache_test = Проверить кэш
@@ -3522,20 +3450,6 @@ workflow.disabled=Рабочий поток выключен.
 
 need_approval_desc=Требуется одобрение, чтобы запустить рабочие потоки для запроса на слияние.
 
-variables=Переменные
-variables.management=Управление переменными
-variables.creation=Добавить переменную
-variables.none=Переменных пока нет.
-variables.deletion=Удалить переменную
-variables.deletion.description=Удаление переменной необратимо, его нельзя отменить. Продолжить?
-variables.description=Переменные будут передаваться определенным действиям и не могут быть прочитаны иначе.
-variables.edit=Изменить переменную
-variables.deletion.failed=Не удалось удалить переменную.
-variables.deletion.success=Переменная удалена.
-variables.creation.failed=Не удалось добавить переменную.
-variables.creation.success=Переменная «%s» добавлена.
-variables.update.failed=Не удалось изменить переменную.
-variables.update.success=Переменная изменена.
 variables.id_not_exist = Переменная с идентификатором %d не существует.
 workflow.dispatch.trigger_found = Этот рабочий поток срабатывает на события <c>workflow_dispatch</c>.
 workflow.dispatch.use_from = Использовать рабочий поток из
@@ -3547,7 +3461,6 @@ workflow.dispatch.warn_input_limit = Отображаются только пе
 runs.expire_log_message = Журнал был удалён из-за старости.
 runs.no_workflows.help_write_access = Не знаете, как начать использовать Действия Forgejo? Ознакомьтесь с <a target="_blank" rel="noopener noreferrer" href="%s">руководством по быстрому старту в документации</a> и создайте первый рабочий поток, затем <a target="_blank" rel="noopener noreferrer" href="%s">настройте исполнитель Forgejo</a>, который будет выполнять задачи.
 runs.no_workflows.help_no_write_access = Ознакомьтесь с <a target="_blank" rel="noopener noreferrer" href="%s">документацией</a>, чтобы узнать про Действия Forgejo.
-variables.not_found = Не удалось найти переменную.
 
 [projects]
 type-1.display_name=Индивидуальный проект
@@ -3594,9 +3507,6 @@ regexp_tooltip = Поисковый запрос будет воспринят 
 
 
 [markup]
-filepreview.line = Строка %[1]d в %[2]s
-filepreview.lines = Строки с %[1]d по %[2]d в %[3]s
-filepreview.truncated = Предпросмотр был обрезан
 
 [translation_meta]
 test = Wake up :)
diff --git a/options/locale/locale_si-LK.ini b/options/locale/locale_si-LK.ini
index 38bcbdbe6d..bc07de0e6f 100644
--- a/options/locale/locale_si-LK.ini
+++ b/options/locale/locale_si-LK.ini
@@ -1954,34 +1954,6 @@ dashboard.resync_all_hooks=පෙර ලැබීමට, යාවත්කා
 dashboard.reinit_missing_repos=අතුරුදහන් වූ සියලුම ගිට් නිධි නැවත ආරම්භ කිරීම
 dashboard.sync_external_users=බාහිර පරිශීලක දත්ත සමමුහූර්තනය
 dashboard.cleanup_hook_task_table=පිරිසිදු hook_task වගුව
-dashboard.server_uptime=සේවාදායකය යාවත්කාලීන කිරීම
-dashboard.current_goroutine=වත්මන් ගෝර්අවුට්ලයින්
-dashboard.current_memory_usage=වත්මන් මතක භාවිතය
-dashboard.total_memory_allocated=මුළු මතකය වෙන් කර ඇත
-dashboard.memory_obtained=ලබා ගත් මතකය
-dashboard.pointer_lookup_times=පොයින්ටර් Lookup ටයිම්ස්
-dashboard.memory_allocate_times=මතක ප්රතිපාදන
-dashboard.memory_free_times=මතක නිදහස්
-dashboard.current_heap_usage=වත්මන් heap භාවිතය
-dashboard.heap_memory_obtained=ලබා ගත් ගොඩක් මතකය
-dashboard.heap_memory_idle=ගොඩක් මතකය අලස
-dashboard.heap_memory_in_use=භාවිතයේ දී ගොඩක් මතකය
-dashboard.heap_memory_released=ගොඩක් මතකය නිකුත්
-dashboard.heap_objects=ගොඩක් වස්තු
-dashboard.bootstrap_stack_usage=Bootstrap Stack භාවිතය
-dashboard.stack_memory_obtained=ලබා මතකය ගොඩගසන්න
-dashboard.mspan_structures_usage=MsPan ව්යුහයන් භාවිතය
-dashboard.mspan_structures_obtained=ලබා ගත් MsPan ව්යුහයන්
-dashboard.mcache_structures_usage=මැචේ ව්යුහයන් භාවිතය
-dashboard.mcache_structures_obtained=ලබා ගත් මැචේ ව්යුහයන්
-dashboard.profiling_bucket_hash_table_obtained=ලබා භාජනයට හැෂ් වගුව පැතිකඩ
-dashboard.gc_metadata_obtained=ලබාගත් GC පාර-දත්ත
-dashboard.other_system_allocation_obtained=ලබා ගත් වෙනත් පද්ධති ප්රතිපාදන
-dashboard.next_gc_recycle=ඊලඟ GC, ප්රතිචක්රීකරණ
-dashboard.last_gc_time=පසුගිය GC වේලාව
-dashboard.total_gc_pause=මුළු GC විරාමය
-dashboard.last_gc_pause=අවසන් GC විරාමය
-dashboard.gc_times=GC ටයිම්ස්
 dashboard.delete_old_actions=සියලු පැරණි ක්රියා දත්ත සමුදායෙන් මකන්න
 dashboard.delete_old_actions.started=දත්ත සමුදාය ආරම්භ සිට සියලු පැරණි ක්රියා මකන්න.
 
@@ -2020,19 +1992,6 @@ users.still_own_repo=මෙම පරිශීලකයා තවමත් ග
 users.still_has_org=මෙම පරිශීලකයා සංවිධානයක සාමාජිකයෙකි. පළමුව ඕනෑම ආයතනයකින් පරිශීලකයා ඉවත් කරන්න.
 users.deletion_success=පරිශීලක ගිණුම මකා දමා ඇත.
 users.reset_2fa=2fa යළි පිහිටුවන්න
-users.list_status_filter.menu_text=පෙරහන
-users.list_status_filter.reset=යළි සකසන්න
-users.list_status_filter.is_active=ක්රියාකාරී
-users.list_status_filter.not_active=අක්රිය
-users.list_status_filter.is_admin=පරිපාලක
-users.list_status_filter.not_admin=පරිපාලක නොවන
-users.list_status_filter.is_restricted=සීමා
-users.list_status_filter.not_restricted=සීමා කර නැත
-users.list_status_filter.is_prohibit_login=ලොගින් වන්න තහනම්
-users.list_status_filter.not_prohibit_login=ලොගින් වන්න ඉඩ
-users.list_status_filter.is_2fa_enabled=2FA සක්රීය
-users.list_status_filter.not_2fa_enabled=2FA ආබාධිත
-
 emails.email_manage_panel=පරිශීලක විද්යුත් කළමනාකරණය
 emails.primary=ප්රාථමික
 emails.activated=සක්රිය
@@ -2297,20 +2256,6 @@ monitor.process.cancel=ක්රියාවලිය අවලංගු කර
 monitor.process.cancel_desc=ක්රියාවලියක් අවලංගු කිරීම දත්ත අහිමි වීමට හේතු විය හැක
 monitor.process.cancel_notices=<strong>%s</strong>: අවලංගු කරන්නද?
 
-monitor.queues=පෝලිම්
-monitor.queue=පෝලිම: %s
-monitor.queue.name=නම
-monitor.queue.type=වර්ගය
-monitor.queue.exemplar=ආදර්ශ වර්ගය
-monitor.queue.numberworkers=කම්කරුවන් සංඛ්යාව
-monitor.queue.maxnumberworkers=මැක්ස් කම්කරු සංඛ්යාව
-monitor.queue.settings.title=තටාකය සැකසුම්
-monitor.queue.settings.maxnumberworkers=මැක්ස් කම්කරුවන් සංඛ්යාව
-monitor.queue.settings.maxnumberworkers.placeholder=වත්මන්%[1]d
-monitor.queue.settings.maxnumberworkers.error=මැක්ස් කම්කරුවන්ගේ සංඛ්යාව අංකයක් විය යුතුය
-monitor.queue.settings.submit=සැකසුම් යාවත්කාල කරන්න
-monitor.queue.settings.changed=සැකසුම් යාවත්කාල කෙරිණි
-
 notices.system_notice_list=පද්ධතියේ දැන්වීම්
 notices.view_detail_header=දැන්වීමේ විස්තර දකින්න
 notices.select_all=සියල්ල තෝරන්න
diff --git a/options/locale/locale_sk-SK.ini b/options/locale/locale_sk-SK.ini
index cab953088e..829d8eaffe 100644
--- a/options/locale/locale_sk-SK.ini
+++ b/options/locale/locale_sk-SK.ini
@@ -37,18 +37,6 @@ twofa=Dvoj-faktorové overenie
 twofa_scratch=Dvojfaktorový dočasný kód
 passcode=Prístupový kód
 
-webauthn_insert_key=Zadajte bezpečnostný kľúč
-webauthn_sign_in=Stlačte tlačidlo na vašom bezpečnostnom kľúči. Ak váš kľúč nemá tlačidlo, vyberte a zasunte ho znova.
-webauthn_press_button=Stlačte, prosím, tlačidlo na vašom bezpečnostnom kľúči…
-webauthn_use_twofa=Použite kód dvojfaktorového overenia z vášho telefónu
-webauthn_error=Nie je možné prečítať váš bezpečnostný kód.
-webauthn_unsupported_browser=Váš prehliadač aktuálne nepodporuje WebAuthn.
-webauthn_error_unknown=Vyskytla sa neznáma chyba. Skúste to znova.
-webauthn_error_insecure=`WebAuthn podporuje iba bezpečné spojenia. Na testovanie cez HTTP môžete použiť "localhost" alebo "127.0.0.1"`
-webauthn_error_unable_to_process=Server nemohol spracovať vašu požiadavku.
-webauthn_error_duplicated=Bezpečnostný kľúč nie je pre túto požiadavku povolený. Uistite sa, že kľúč ešte nie je zaregistrovaný.
-webauthn_error_empty=Musíte nastaviť meno pre tento kľúč.
-webauthn_error_timeout=Vypršal čas na čítanie vašeho kľúča. Znova načítajte túto stránku a skúste to opäť.
 repository=Repozitár
 organization=Organizácia
 mirror=Zrkadlo
diff --git a/options/locale/locale_sl.ini b/options/locale/locale_sl.ini
index ec58b597df..ca991b53b4 100644
--- a/options/locale/locale_sl.ini
+++ b/options/locale/locale_sl.ini
@@ -1,9 +1,7 @@
 [common]
 language = Jezik
 passcode = Vstopna koda
-webauthn_error_timeout = Preden je bilo mogoče prebrati vaš ključ, je bil dosežen časovni rok. Ponovno naložite to stran in poskusite znova.
 cancel = Prekliči
-webauthn_sign_in = Pritisnite gumb na varnostnem ključu. Če varnostni ključ nima gumba, ga ponovno vstavite.
 create_new = Ustvari …
 disabled = Invalidi
 go_back = Pojdi nazaj
@@ -19,18 +17,15 @@ your_settings = Nastavitve
 explore = Razišči
 return_to_forgejo = Nazaj na Forgejo
 write = Napišite
-webauthn_error_unknown = Zgodila se je neznana napaka. Prosimo, poskusite znova.
 twofa = Dvofaktorsko preverjanje pristnosti
 version = Verzija
 copy_success = Kopirano!
 help = Pomoč
 copy_type_unsupported = Te vrste datotek ni mogoče kopirati
-webauthn_error_empty = Za ta ključ morate nastaviti ime.
 confirm_delete_selected = Potrdite brisanje vseh izbranih elementov?
 name = Ime
 sign_in_or = ali
 show_log_seconds = Prikaži sekunde
-webauthn_use_twofa = Uporaba kode z dvema faktorjema iz telefona
 edit = Uredi
 page = Stran
 concept_system_global = Globalno
@@ -51,7 +46,6 @@ admin_panel = Administracija spletnega mesta
 copy_error = Kopiranje ni uspelo
 new_mirror = Novo ogledalo
 re_type = Potrdite geslo
-webauthn_unsupported_browser = Vaš brskalnik trenutno ne podpira WebAuthna.
 copy = Kopiraj
 enabled = Omogočeno
 show_timestamps = Prikaži časovne žige
@@ -64,7 +58,6 @@ value = Vrednost
 concept_user_individual = Individualno
 notifications = Obvestila
 repository = Repository
-webauthn_error = Vašega varnostnega ključa ni bilo mogoče prebrati.
 add_all = Dodaj vse
 new_fork = Nova vilica repozitorija
 new_project_column = Nova kolumna
@@ -73,16 +66,12 @@ active_stopwatch = Aktivno sledenje času
 organization = Organizacija
 save = Shrani
 sign_in_with_provider = Prijava s/z %s
-webauthn_error_unable_to_process = Strežnik ni mogel obdelati vaše zahteve.
 register = Registracija
 mirror = Zrcalo
 access_token = Token za dostop
 download_logs = Prenos dnevnikov
-webauthn_insert_key = Vnesite varnostni ključ
 password = Geslo
-webauthn_error_duplicated = Varnostni ključ za to zahtevo ni dovoljen. Prepričajte se, da ključ še ni registriran.
 template = Predloga
-webauthn_press_button = Pritisnite gumb na varnostnem ključu…
 unknown = Neznano
 sign_up = Registracija
 enable_javascript = To spletno mesto zahteva JavaScript.
@@ -94,7 +83,6 @@ preview = Predogled
 mirrors = Ogledala
 loading = Nalaganje…
 show_full_screen = Prikaži celoten zaslon
-webauthn_error_insecure = WebAuthn podpira samo varne povezave. Za testiranje prek protokola HTTP lahko uporabite izvor "localhost" ali "127.0.0.1"
 username = Uporabniško ime
 tracked_time_summary = Povzetek spremljanega časa na podlagi filtrov seznama zadev
 email = E-poštni naslov
diff --git a/options/locale/locale_sr-SP.ini b/options/locale/locale_sr-SP.ini
index d55a963222..7e2fea2e88 100644
--- a/options/locale/locale_sr-SP.ini
+++ b/options/locale/locale_sr-SP.ini
@@ -36,23 +36,6 @@ link_account = Повежите рачун
 powered_by = Успостављено са %s
 notifications = Обавештења
 passcode = ПИН ко̑д
-webauthn_insert_key = Прикључите Ваш физички сигурносни кључ
-webauthn_sign_in = Притисните дугме на Вашем сигурносном кључу. Уколико Ваш кључ нема дугме, искључите и поново укључите га.
-webauthn_press_button = Молимо притисните дугме на Вашем сигурносном кључу…
-webauthn_use_twofa = Користите дво-факторски ко̑д са вашег мобитела
-webauthn_error = Сигурносни кључ се не да исчитати.
-webauthn_unsupported_browser = Ваш веб-прегледач тренутно не подржава "WebAuthn".
-webauthn_error_unknown = Непозната грешка се догодила. Молимо Вас да покушате поново.
-webauthn_error_insecure = "WebAuthn" једино подржава сигурне везе. За тестирање путем ХТТП, можете корисити извор "localhost" или "127.0.0.1"
-webauthn_error_unable_to_process = Сервер не може обрадити Ваш захтев.
-webauthn_error_duplicated = Сигурносни кључ није дозвољен за овај захтев. Уверите се да кључ није већ регистрован.
-webauthn_error_empty = Морате унети име за овај кључ.
-webauthn_error_timeout = Захтев је истекао пре што је очитавање Вашег кључа успео. Молимо Вас да актуализирате ову веб-страницу и покушате поново.
-
-
-
-
-
 
 [error]
 
@@ -566,33 +549,6 @@ total=Укупно: %d
 dashboard.operation_name=Име операције
 dashboard.operation_switch=Пребаци
 dashboard.operation_run=Покрени
-dashboard.server_uptime=Време непрекидног рада сервера
-dashboard.current_goroutine=Тренутнe Goroutine
-dashboard.current_memory_usage=Тренутна употреба меморије
-dashboard.total_memory_allocated=Укупно меморије алоцирано
-dashboard.memory_obtained=Коришћена меморија
-dashboard.pointer_lookup_times=Захтева показивача
-dashboard.current_heap_usage=Тренутна употреба динамичке меморије
-dashboard.heap_memory_obtained=Слободно динамичке меморије
-dashboard.heap_memory_idle=Некориштена динамичка меморија
-dashboard.heap_memory_in_use=Динамичка меморија у употреби
-dashboard.heap_memory_released=Ослобођено динамичке меморије
-dashboard.heap_objects=Објекти динамичке меморије
-dashboard.bootstrap_stack_usage=Коришћење стек меморије
-dashboard.stack_memory_obtained=Слободно стек меморије
-dashboard.mspan_structures_usage=Употреба структуре MSpan
-dashboard.mspan_structures_obtained=Добијено структуре MSpan
-dashboard.mcache_structures_usage=Употреба структурa MCache
-dashboard.mcache_structures_obtained=Добијено структурa MCache
-dashboard.profiling_bucket_hash_table_obtained=Хеш-табела постигнуто за Profiling Bucket
-dashboard.gc_metadata_obtained=Добијених метаподатака cакупљању смећа
-dashboard.other_system_allocation_obtained=Добијено друга системска меморија
-dashboard.next_gc_recycle=Следећа рециклажа cакупљању смећа
-dashboard.last_gc_time=Времена од прошлог cакупљању смећа
-dashboard.total_gc_pause=Укупно време cакупљању смећа
-dashboard.last_gc_pause=Задња пауза у cакупљању смећа
-dashboard.gc_times=Времена cакупљању смећа
-
 users.activated=Активиран
 users.admin=Администратор
 users.repos=репоси
diff --git a/options/locale/locale_sv-SE.ini b/options/locale/locale_sv-SE.ini
index 3e96385031..d786a17f0f 100644
--- a/options/locale/locale_sv-SE.ini
+++ b/options/locale/locale_sv-SE.ini
@@ -91,7 +91,6 @@ sign_in_with_provider = Logga in med %s
 enable_javascript = Denna webbplats kräver JavaScript.
 ok = OK
 more_items = Fler objekt
-webauthn_sign_in = Tryck på knappen på din säkerhetsnyckel. Om din säkerhetsnyckel inte har en knapp, dra ut den och sätt in den igen.
 new_project_column = Ny kolumn
 copy_type_unsupported = Den här filtypen kan inte kopieras
 error = Fel
@@ -103,12 +102,6 @@ copy = Kopiera
 copy_url = Kopiera URL
 copy_error = Kopiering misslyckades
 copy_content = Kopiera innehåll
-webauthn_insert_key = Skriv in din säkerhetsnyckel
-webauthn_press_button = Vänligen tryck på knappen på din säkerhetsnyckel…
-webauthn_error = Det gick inte att läsa din säkerhetsnyckel.
-webauthn_unsupported_browser = Din webbläsare har ännu inte stöd för WebAuthn.
-webauthn_error_unknown = Ett okänt fel har inträffat. Vänligen försök igen.
-webauthn_error_empty = Du måste ange ett namn för den här nyckeln.
 new_org.title = Ny organisation
 new_org.link = Ny organisation
 test = Test
@@ -152,14 +145,9 @@ active_stopwatch = Spårning av aktiv tid
 tracked_time_summary = Sammanfattning av spårad tid baserat på filter av ärendelistan
 toggle_menu = Växla meny
 confirm_delete_selected = Bekräfta för att ta bort alla valda objekt?
-webauthn_error_timeout = Det gick inte att läsa din nyckel innan tidsgränsen nåddes. Läs om denna sida och försök igen.
 filter.is_fork = Avgreningar
-webauthn_error_duplicated = Säkerhetsnyckeln är inte tillåten för denna begäran. Se till att nyckeln inte redan är registrerad.
 filter.not_fork = Ej avgreningar
 remove_label_str = Ta bort objektet "%s"
-webauthn_use_twofa = Använd en tvåfaktorskod från din telefon
-webauthn_error_insecure = WebAuthn stöder endast säkra anslutningar. För testning över HTTP kan du använda "localhost" eller "127.0.0.1"
-webauthn_error_unable_to_process = Servern kunde inte hantera din begäran.
 copy_generic = Kopiera till urklipp
 
 [aria]
@@ -2890,35 +2878,6 @@ dashboard.git_gc_repos=Rensa skräpfiler i samtliga kodförråd
 dashboard.resync_all_hooks=Återsynkronisera pre-receive-, update- och post-receive-krokar för alla kodförråd
 dashboard.reinit_missing_repos=Återinitialisera alla saknade kodförråd för vilka det finns poster
 dashboard.sync_external_users=Synkronisera extern användardata
-dashboard.server_uptime=Serverns upptid
-dashboard.current_goroutine=Aktuella gorutiner
-dashboard.current_memory_usage=Nuvarande minnesanvändning
-dashboard.total_memory_allocated=Total minnesanvändning
-dashboard.memory_obtained=Minnesåtgång
-dashboard.pointer_lookup_times=Pekaruppslagstider
-dashboard.memory_allocate_times=Minneallokeringar
-dashboard.memory_free_times=Minnesfrigörelser
-dashboard.current_heap_usage=Nuvarande heapanvändning
-dashboard.heap_memory_obtained=Heapminne som erhållits
-dashboard.heap_memory_idle=Heapminne som är inaktivt
-dashboard.heap_memory_in_use=Heapminne som används
-dashboard.heap_memory_released=Frigjort heap-minne
-dashboard.heap_objects=Heapobjekt
-dashboard.bootstrap_stack_usage=Bootstrap Stack-användning
-dashboard.stack_memory_obtained=Stackminne som erhålls
-dashboard.mspan_structures_usage=MSpan strukturanvändning
-dashboard.mspan_structures_obtained=MSpan strukturer som erhållits
-dashboard.mcache_structures_usage=MCache strukturanvändning
-dashboard.mcache_structures_obtained=MCache-strukturer som erhållits
-dashboard.profiling_bucket_hash_table_obtained=Profilering av Bucket Hash Table erhållen
-dashboard.gc_metadata_obtained=Metainformation om Skräpsamlaren Ihopsamlad
-dashboard.other_system_allocation_obtained=Övriga Systemallokeringar
-dashboard.next_gc_recycle=Nästa Skräpsamlarrunda
-dashboard.last_gc_time=Tidpunkt för senaste skräpsamling
-dashboard.total_gc_pause=Total tid för pauser vid skräpsamling
-dashboard.last_gc_pause=Senaste paus vid skräpsamling
-dashboard.gc_times=Skräpsamlingstider
-
 users.user_manage_panel=Hantera användarkonton
 users.new_account=Skapa användarkonto
 users.name=Användarnamn
@@ -2950,9 +2909,6 @@ users.delete_account=Ta bort användarkontot
 users.still_own_repo=Denna användare äger fortfarande ett eller flera kodförråd. Ta bort eller överför dessa kodförråd först.
 users.still_has_org=Denna användare är medlem i en eller flera organisationer. Ta bort användaren från dessa först.
 users.deletion_success=Användarkontot har blivit borttaget.
-users.list_status_filter.is_active=Aktiv
-users.list_status_filter.is_admin=Administratör
-
 emails.primary=Primär
 emails.activated=Aktiverad
 emails.filter_sort.email=E-post
@@ -3168,15 +3124,6 @@ monitor.desc=Beskrivning
 monitor.start=Starttid
 monitor.execute_time=Exekveringstid
 
-monitor.queues=Köer
-monitor.queue=Kö: %s
-monitor.queue.name=Namn
-monitor.queue.type=Typ
-monitor.queue.numberworkers=Antal arbetare
-monitor.queue.maxnumberworkers=Max antal arbetare
-monitor.queue.settings.submit=Uppdatera inställningar
-monitor.queue.settings.changed=Inställningar uppdaterade
-
 notices.system_notice_list=Systemnotiser
 notices.view_detail_header=Notisdetaljer
 notices.select_all=Markera alla
@@ -3200,7 +3147,6 @@ users.is_restricted = Begränsat konto
 self_check.database_inconsistent_collation_columns = Databasen använder kollateringen %s, men de här kolumner använder felanpassade kollateringar. Det kan komma att orsaka oväntade problem.
 hooks = webbkrokar
 integrations = Integrationer
-users.list_status_filter.menu_text = Filter
 packages.creator = Skapare
 packages.version = Version
 config.mailer_protocol = Protokoll
@@ -3209,8 +3155,6 @@ monitor.stats = Statistik
 monitor.last_execution_result = Resultat
 config_settings = Inställningar
 settings = Admininställningar
-users.list_status_filter.not_admin = Inte admin
-users.list_status_filter.not_prohibit_login = Tillåt inloggning
 users.details = Användardetaljer
 emails.updated = E-post uppdaterad
 packages.package_manage_panel = Hantera paket
@@ -3218,7 +3162,6 @@ auths.force_smtps = Tvinga SMTPS
 auths.oauth2_icon_url = Ikon-URL
 config.domain = Serverdomän
 config.lfs_config = LFS-konfiguration
-monitor.queue.settings.remove_all_items = Ta bort alla
 auths.tips.gmail_settings = Gmail-inställningar:
 self_check = Självkontroll
 identity_access = Identitet & åtkomst
@@ -3280,13 +3223,6 @@ users.purge = Rensa användare
 users.purge_help = Tvångsradera användare och alla kodförråd, organisationer och paket som ägs av användaren. Alla kommentarer och ärenden skapade av den här användare kommer också raderas.
 users.still_own_packages = den här användare äger fortfarande ett eller flera paket, radera de här paket först.
 users.reset_2fa = Återställ 2FA
-users.list_status_filter.reset = Återställ
-users.list_status_filter.not_active = Inaktiv
-users.list_status_filter.is_restricted = Begränsad
-users.list_status_filter.not_restricted = Ej begränsad
-users.list_status_filter.is_prohibit_login = Förbjud inloggning
-users.list_status_filter.is_2fa_enabled = 2FA aktiverad
-users.list_status_filter.not_2fa_enabled = 2FA inaktiverad
 emails.email_manage_panel = Hantera användares e-postadresser
 emails.not_updated = Det gick inte att uppdatera den begärda e-postadressen: %v
 emails.duplicate_active = den här e-postadress är redan aktiv för en annan användare.
@@ -3387,16 +3323,6 @@ monitor.duration = Varaktighet (s)
 monitor.process.cancel = Avbryt process
 monitor.process.cancel_desc = Att avbryta en process kan orsaka dataförlust
 monitor.process.cancel_notices = Avbryt: <strong>%s</strong>?
-monitor.queue.exemplar = Exempeltyp
-monitor.queue.activeworkers = Aktiva arbetare
-monitor.queue.numberinqueue = Antal i kö
-monitor.queue.review_add = Granska / lägg till arbetare
-monitor.queue.settings.title = Poolinställningar
-monitor.queue.settings.desc = Pooler växer dynamiskt som svar på att deras arbetarkö blockeras.
-monitor.queue.settings.maxnumberworkers = Max antal arbetare
-monitor.queue.settings.maxnumberworkers.placeholder = För närvarande %[1]d
-monitor.queue.settings.maxnumberworkers.error = Max antal arbetare måste vara ett tal
-monitor.queue.settings.remove_all_items_done = Alla objekt i kön har tagits bort.
 notices.operations = Åtgärder
 self_check.no_problem_found = Inga problem hittades ännu.
 self_check.database_collation_mismatch = Förväntar att databasen använder kollatering: %s
@@ -3489,11 +3415,6 @@ deletion.success = Hemligheten har tagits bort.
 deletion.failed = Misslyckades med att ta bort hemlighet.
 
 [actions]
-variables = Variabler
-variables.management = Hantera variabler
-variables.creation = Lägg till variabel
-variables.deletion = Ta bort variabel
-variables.edit = Redigera variabel
 runs.no_workflows.help_write_access = Vet du inte hur du kommer igång med Forgejo Actions? Se <a target="_blank" rel="noopener noreferrer" href="%s">snabbstarten i användardokumentationen</a> för att skriva ditt första arbetsflöde, sedan <a target="_blank" rel="noopener noreferrer" href="%s">konfigurera en Forgejo-körare</a> för att köra dina jobb.
 runs.no_workflows.help_no_write_access = För att lära dig mer om Forgejo Actions, se <a target="_blank" rel="noopener noreferrer" href="%s">dokumentationen</a>.
 runs.no_runs = Arbetsflödet har inga körningar ännu.
@@ -3512,19 +3433,6 @@ workflow.dispatch.input_required = Värde krävs för indata "%s".
 workflow.dispatch.invalid_input_type = Ogiltig indatatyp "%s".
 workflow.dispatch.warn_input_limit = Visar endast de första %d indatafälten.
 need_approval_desc = Godkännande krävs för att köra arbetsflöden för ändringsförfrågningar från avgreningar.
-variables.none = Det finns inga variabler ännu.
-variables.deletion.description = Borttagning av en variabel är permanent och kan inte ångras. Vill du fortsätta?
-variables.description = Variabler skickas till vissa actions och kan inte läsas annars.
-variables.not_found = Misslyckades med att hitta variabeln.
-variables.deletion.failed = Misslyckades med att ta bort variabel.
-variables.deletion.success = Variabeln har tagits bort.
-variables.creation.failed = Misslyckades med att lägga till variabel.
-variables.creation.success = Variabeln "%s" har lagts till.
-variables.update.failed = Misslyckades med att redigera variabel.
-variables.update.success = Variabeln har redigerats.
-
-
-
 
 [projects]
 type-1.display_name = Individuellt projekt
@@ -3595,7 +3503,4 @@ actions.write = <b>Skriv:</b> Starta, starta om, och avbryt arbetsflöden. Hante
 ext_issues = Åtkomst till länken till ett externt ärendehanteringssystem. Behörigheterna hanteras externt.
 ext_wiki = Åtkomst till länken till en extern wiki. Behörigheterna hanteras externt.
 
-[markup]
-filepreview.line = Rad %[1]d i %[2]s
-filepreview.lines = Rad %[1]d till %[2]d i %[3]s
-filepreview.truncated = Förhandsgranskningen har avkortats
\ No newline at end of file
+[markup]
\ No newline at end of file
diff --git a/options/locale/locale_ta.ini b/options/locale/locale_ta.ini
index 8b1b7a2679..8801c32888 100644
--- a/options/locale/locale_ta.ini
+++ b/options/locale/locale_ta.ini
@@ -36,18 +36,6 @@ captcha = கேப்ட்சா
 twofa = இரண்டு காரணி ஏற்பு
 twofa_scratch = இரண்டு காரணி கீறல் குறியீடு
 passcode = கடவுக்குறியீடு
-webauthn_insert_key = உங்கள் பாதுகாப்பு விசையைச் செருகவும்
-webauthn_sign_in = உங்கள் பாதுகாப்பு விசையில் உள்ள பொத்தானை அழுத்தவும். உங்கள் பாதுகாப்பு விசையில் பொத்தான் இல்லை என்றால், அதை மீண்டும் செருகவும்.
-webauthn_press_button = உங்கள் பாதுகாப்பு விசையில் உள்ள பொத்தானை அழுத்தவும்…
-webauthn_use_twofa = உங்கள் ஃபோனில் இருந்து இரண்டு காரணி குறியீட்டைப் பயன்படுத்தவும்
-webauthn_error = உங்கள் பாதுகாப்பு விசையைப் படிக்க முடியவில்லை.
-webauthn_unsupported_browser = உங்கள் உலாவி தற்போது WebAuthn ஐ ஆதரிக்கவில்லை.
-webauthn_error_unknown = அறியப்படாத பிழை ஏற்பட்டது. மீண்டும் முயற்சிக்கவும்.
-webauthn_error_insecure = WebAuthn பாதுகாப்பான இணைப்புகளை மட்டுமே ஆதரிக்கிறது. HTTP மூலம் சோதனை செய்ய, நீங்கள் "localhost" அல்லது "127.0.0.1" மூலத்தைப் பயன்படுத்தலாம்
-webauthn_error_unable_to_process = சேவையகத்தால் உங்கள் கோரிக்கையைச் செயல்படுத்த முடியவில்லை.
-webauthn_error_duplicated = இந்தக் கோரிக்கைக்கு பாதுகாப்பு விசை அனுமதிக்கப்படவில்லை. விசை ஏற்கனவே பதிவு செய்யப்படவில்லை என்பதை உறுதிப்படுத்தவும்.
-webauthn_error_empty = இந்த விசைக்கு நீங்கள் ஒரு பெயரை அமைக்க வேண்டும்.
-webauthn_error_timeout = உங்கள் விசையைப் படிக்கும் முன் காலாவதியானது. இந்தப் பக்கத்தை மீண்டும் ஏற்றி மீண்டும் முயற்சிக்கவும்.
 repository = களஞ்சியம்
 new_fork = புதிய களஞ்சிய போர்க்
 new_project_column = புதிய நெடுவரிசை
@@ -2821,34 +2809,6 @@ dashboard.sync_external_users = வெளிப்புற பயனர் த
 dashboard.cleanup_hook_task_table = ஊக்_டாச்க் டேபிளை தூய்மை செய்யவும்
 dashboard.cleanup_packages = காலாவதியான தொகுப்புகளை தூய்மை செய்யவும்
 dashboard.cleanup_actions = செயல்களில் இருந்து காலாவதியான பதிவுகள் மற்றும் கலைப்பொருட்களை தூய்மை செய்யவும்
-dashboard.server_uptime = சேவையக இயக்க நேரம்
-dashboard.current_goroutine = தற்போதைய goroutines
-dashboard.current_memory_usage = தற்போதைய நினைவக பயன்பாடு
-dashboard.total_memory_allocated = மொத்த நினைவகம் ஒதுக்கப்பட்டது
-dashboard.memory_obtained = நினைவகம் கிடைத்தது
-dashboard.pointer_lookup_times = சுட்டி தேடுதல் நேரங்கள்
-dashboard.memory_allocate_times = நினைவக ஒதுக்கீடு
-dashboard.memory_free_times = நினைவகம் இலவசம்
-dashboard.current_heap_usage = தற்போதைய குவியல் பயன்பாடு
-dashboard.heap_memory_obtained = குவியல் நினைவகம் கிடைத்தது
-dashboard.heap_memory_idle = குவியல் நினைவகம் செயலற்றது
-dashboard.heap_memory_in_use = குவியல் நினைவகம் பயன்பாட்டில் உள்ளது
-dashboard.heap_memory_released = குவியல் நினைவகம் வெளியிடப்பட்டது
-dashboard.heap_objects = குவியல் பொருள்கள்
-dashboard.bootstrap_stack_usage = தொடக்கவார் ச்டாக் பயன்பாடு
-dashboard.stack_memory_obtained = அடுக்கு நினைவகம் பெறப்பட்டது
-dashboard.mspan_structures_usage = MSpan கட்டமைப்புகளின் பயன்பாடு
-dashboard.mspan_structures_obtained = MSpan கட்டமைப்புகள் பெறப்பட்டன
-dashboard.mcache_structures_usage = MCache கட்டமைப்புகளின் பயன்பாடு
-dashboard.mcache_structures_obtained = MCache கட்டமைப்புகள் பெறப்பட்டன
-dashboard.profiling_bucket_hash_table_obtained = விவரக்குறிப்பு பக்கெட் ஆச் அட்டவணை பெறப்பட்டது
-dashboard.gc_metadata_obtained = GC மேனிலை தரவு பெறப்பட்டது
-dashboard.other_system_allocation_obtained = பிற அமைப்பு ஒதுக்கீடு பெறப்பட்டது
-dashboard.next_gc_recycle = அடுத்த GC மறுசுழற்சி
-dashboard.last_gc_time = கடந்த சிசி முதல் நேரம்
-dashboard.total_gc_pause = மொத்த GC இடைநிறுத்தம்
-dashboard.last_gc_pause = கடைசி GC இடைநிறுத்தம்
-dashboard.gc_times = GC முறை
 dashboard.delete_old_actions = தரவுத்தளத்திலிருந்து அனைத்து பழைய செயல்பாடுகளையும் நீக்கவும்
 dashboard.delete_old_actions.started = தொடங்கப்பட்ட தரவுத்தளத்திலிருந்து அனைத்து பழைய செயல்பாடுகளையும் நீக்கவும்.
 dashboard.update_checker = புதுப்பிப்பு சரிபார்ப்பு
@@ -2911,18 +2871,6 @@ users.purge_help = பயனரை வலுக்கட்டாயமாக 
 users.still_own_packages = இந்தப் பயனர் இன்னும் ஒன்று அல்லது அதற்கு மேற்பட்ட தொகுப்புகளை வைத்திருக்கிறார், முதலில் இந்தத் தொகுப்புகளை நீக்கவும்.
 users.deletion_success = பயனர் கணக்கு நீக்கப்பட்டது.
 users.reset_2fa = 2FA ஐ மீட்டமைக்கவும்
-users.list_status_filter.menu_text = வடிப்பி
-users.list_status_filter.reset = மீட்டமை
-users.list_status_filter.is_active = செயலில்
-users.list_status_filter.not_active = செயலற்றது
-users.list_status_filter.is_admin = நிர்வாகி
-users.list_status_filter.not_admin = நிர்வாகி அல்ல
-users.list_status_filter.is_restricted = கட்டுப்படுத்தப்பட்டது
-users.list_status_filter.not_restricted = கட்டுப்படுத்தப்படவில்லை
-users.list_status_filter.is_prohibit_login = நுழைவதைத் தடைசெய்க
-users.list_status_filter.not_prohibit_login = உள்நுழைவை அனுமதிக்கவும்
-users.list_status_filter.is_2fa_enabled = 2FA இயக்கப்பட்டது
-users.list_status_filter.not_2fa_enabled = 2FA முடக்கப்பட்டுள்ளது
 users.details = பயனர் விவரங்கள்
 emails.email_manage_panel = பயனர் மின்னஞ்சல்களை நிர்வகிக்கவும்
 emails.primary = முதன்மை
@@ -3218,25 +3166,6 @@ monitor.last_execution_result = முடிவு
 monitor.process.cancel = செயல்முறையை நீக்கறல்
 monitor.process.cancel_desc = செயல்முறையை ரத்து செய்வது தரவு இழப்பை ஏற்படுத்தக்கூடும்
 monitor.process.cancel_notices = ரத்துசெய்: <strong>%s</strong>?
-monitor.queues = வால்கள்
-monitor.queue = வரிசை: %s
-monitor.queue.name = பெயர்
-monitor.queue.type = வகை
-monitor.queue.exemplar = முன்மாதிரி வகை
-monitor.queue.numberworkers = தொழிலாளர்களின் எண்ணிக்கை
-monitor.queue.activeworkers = சுறுசுறுப்பான தொழிலாளர்கள்
-monitor.queue.maxnumberworkers = தொழிலாளர்களின் அதிகபட்ச எண்ணிக்கை
-monitor.queue.numberinqueue = வரிசையில் உள்ள எண்
-monitor.queue.review_add = தொழிலாளர்களை மதிப்பாய்வு செய்யவும் / சேர்க்கவும்
-monitor.queue.settings.title = குளம் அமைப்புகள்
-monitor.queue.settings.desc = பணியாளர்களின் வரிசை தடுப்பிற்கு பதிலளிக்கும் வகையில் குளங்கள் மாறும் வகையில் வளரும்.
-monitor.queue.settings.maxnumberworkers = தொழிலாளர்களின் அதிகபட்ச எண்ணிக்கை
-monitor.queue.settings.maxnumberworkers.placeholder = தற்போது %[1]d
-monitor.queue.settings.maxnumberworkers.error = தொழிலாளர்களின் அதிகபட்ச எண்ணிக்கை ஒரு எண்ணாக இருக்க வேண்டும்
-monitor.queue.settings.submit = அமைப்புகளைப் புதுப்பிக்கவும்
-monitor.queue.settings.changed = அமைப்புகள் புதுப்பிக்கப்பட்டன
-monitor.queue.settings.remove_all_items = அனைத்தையும் அகற்று
-monitor.queue.settings.remove_all_items_done = வரிசையில் இருந்த அனைத்து பொருட்களும் அகற்றப்பட்டன.
 notices.system_notice_list = கணினி அறிவிப்புகள்
 notices.view_detail_header = அறிவிப்பு விவரங்கள்
 notices.operations = செயல்பாடுகள்
@@ -3360,21 +3289,6 @@ workflow.dispatch.input_required = "%s" உள்ளீட்டிற்கு
 workflow.dispatch.invalid_input_type = தவறான உள்ளீடு வகை "%s".
 workflow.dispatch.warn_input_limit = முதல் %d உள்ளீடுகளை மட்டும் காட்டுகிறது.
 need_approval_desc = ஃபோர்க் புல் கோரிக்கைக்கான பணிப்பாய்வுகளை இயக்க ஒப்புதல் தேவை.
-variables = மாறிகள்
-variables.management = மாறிகளை நிர்வகிக்கவும்
-variables.creation = மாறியைச் சேர்க்கவும்
-variables.none = இதுவரை மாறிகள் எதுவும் இல்லை.
-variables.deletion = மாறியை அகற்று
-variables.deletion.description = மாறியை அகற்றுவது நிரந்தரமானது மற்றும் செயல்தவிர்க்க முடியாது. தொடரவா?
-variables.description = சில செயல்களுக்கு மாறிகள் அனுப்பப்படும், இல்லையெனில் படிக்க முடியாது.
-variables.edit = திருத்து மாறி
-variables.not_found = மாறியைக் கண்டறிய முடியவில்லை.
-variables.deletion.failed = மாறியை அகற்ற முடியவில்லை.
-variables.deletion.success = மாறி நீக்கப்பட்டது.
-variables.creation.failed = மாறியைச் சேர்ப்பதில் தோல்வி.
-variables.creation.success = "%s" மாறி சேர்க்கப்பட்டது.
-variables.update.failed = மாறியை திருத்த முடியவில்லை.
-variables.update.success = மாறி திருத்தப்பட்டது.
 
 [projects]
 deleted.display_name = நீக்கப்பட்ட திட்டம்
@@ -3391,9 +3305,6 @@ symbolic_link = குறியீட்டு இணைப்பு
 submodule = துணைத் தொகுதி
 
 [markup]
-filepreview.line = %[2]s இல் வரி %[1]d
-filepreview.lines = %[3]s இல் %[1]d முதல் %[2]d வரையிலான கோடுகள்
-filepreview.truncated = முன்னோட்டம் துண்டிக்கப்பட்டது
 
 [translation_meta]
 test = இது ஒரு சோதனை சரம். இது Forgejo இடைமுகம் இல் காட்டப்படவில்லை, ஆனால் சோதனை நோக்கங்களுக்காகப் பயன்படுத்தப்படுகிறது. அந்த இனிமையான 100% நிறைவுக் குறியைப் பெற, நேரத்தைச் சேமிக்க (அல்லது உங்கள் விருப்பத்தின் வேடிக்கையான உண்மை) "சரி" என உள்ளிடவும் :)
\ No newline at end of file
diff --git a/options/locale/locale_th.ini b/options/locale/locale_th.ini
index d873f72e47..ef25055540 100644
--- a/options/locale/locale_th.ini
+++ b/options/locale/locale_th.ini
@@ -35,18 +35,6 @@ captcha = แคปช่า
 twofa = การยืนยันตัวตนแบบสองปัจจัย
 twofa_scratch = รหัสสำรองสำหรับการยืนยันตัวตนแบบสองปัจจัย
 passcode = รหัสผ่าน
-webauthn_insert_key = โปรดเสียบคีย์ความปลอดภัยของคุณ
-webauthn_sign_in = กดปุ่มบนคีย์ความปลอดภัยของคุณ หากคีย์ความปลอดภัยของคุณไม่มีปุ่ม ให้เสียบใหม่อีกครั้ง
-webauthn_press_button = กรุณากดปุ่มบนคีย์ความปลอดภัยของคุณ…
-webauthn_use_twofa = ใช้รหัสสองปัจจัยจากโทรศัพท์ของคุณ
-webauthn_error = ไม่สามารถอ่านคีย์ความปลอดภัยของคุณได้
-webauthn_unsupported_browser = เบราว์เซอร์ของคุณไม่รองรับ WebAuthn ในขณะนี้
-webauthn_error_unknown = เกิดข้อผิดพลาดที่ไม่รู้จัก กรุณาลองใหม่อีกครั้ง
-webauthn_error_insecure = WebAuthn รองรับเฉพาะการเชื่อมต่อที่ปลอดภัยเท่านั้น สำหรับการทดสอบผ่าน HTTP คุณสามารถใช้ต้นทาง "localhost" หรือ "127.0.0.1"
-webauthn_error_unable_to_process = เซิร์ฟเวอร์ไม่สามารถประมวลผลคำขอของคุณได้
-webauthn_error_duplicated = ไม่อนุญาตให้ใช้คีย์ความปลอดภัยสำหรับคำขอนี้ โปรดตรวจสอบให้แน่ใจว่าคีย์ยังไม่ได้ลงทะเบียน
-webauthn_error_empty = คุณต้องตั้งชื่อสำหรับคีย์นี้
-webauthn_error_timeout = หมดเวลาก่อนที่จะอ่านคีย์ของคุณได้ กรุณาโหลดหน้านี้ใหม่แล้วลองอีกครั้ง
 repository = ที่เก็บ
 new_fork = แยกที่เก็บใหม่
 new_project_column = คอลัมน์ใหม่
@@ -2821,34 +2809,6 @@ dashboard.sync_external_users = ซิงโครไนซ์ข้อมูล
 dashboard.cleanup_hook_task_table = ล้างตาราง hook_task
 dashboard.cleanup_packages = ล้างแพ็คเกจที่หมดอายุ
 dashboard.cleanup_actions = ล้างบันทึกและอาร์ติแฟกต์ที่หมดอายุจากการดำเนินการ
-dashboard.server_uptime = เวลาทำงานของเซิร์ฟเวอร์
-dashboard.current_goroutine = Goroutine ปัจจุบัน
-dashboard.current_memory_usage = การใช้หน่วยความจำปัจจุบัน
-dashboard.total_memory_allocated = หน่วยความจำที่จัดสรรทั้งหมด
-dashboard.memory_obtained = หน่วยความจำที่ได้รับ
-dashboard.pointer_lookup_times = เวลาค้นหาพอยน์เตอร์
-dashboard.memory_allocate_times = การจัดสรรหน่วยความจำ
-dashboard.memory_free_times = การปล่อยหน่วยความจำ
-dashboard.current_heap_usage = การใช้ฮีปปัจจุบัน
-dashboard.heap_memory_obtained = หน่วยความจำฮีปที่ได้รับ
-dashboard.heap_memory_idle = หน่วยความจำฮีปที่ไม่ได้ใช้งาน
-dashboard.heap_memory_in_use = หน่วยความจำฮีปที่ใช้งานอยู่
-dashboard.heap_memory_released = หน่วยความจำฮีปที่ปล่อยแล้ว
-dashboard.heap_objects = อ็อบเจกต์ฮีป
-dashboard.bootstrap_stack_usage = การใช้สแต็ก Bootstrap
-dashboard.stack_memory_obtained = หน่วยความจำสแต็กที่ได้รับ
-dashboard.mspan_structures_usage = การใช้โครงสร้าง MSpan
-dashboard.mspan_structures_obtained = โครงสร้าง MSpan ที่ได้รับ
-dashboard.mcache_structures_usage = การใช้โครงสร้าง MCache
-dashboard.mcache_structures_obtained = โครงสร้าง MCache ที่ได้รับ
-dashboard.profiling_bucket_hash_table_obtained = ตารางแฮชบัคเก็ตการทำโปรไฟล์ที่ได้รับ
-dashboard.gc_metadata_obtained = ข้อมูลเมตา GC ที่ได้รับ
-dashboard.other_system_allocation_obtained = การจัดสรรระบบอื่น ๆ ที่ได้รับ
-dashboard.next_gc_recycle = การรีไซเคิล GC ถัดไป
-dashboard.last_gc_time = เวลาตั้งแต่ GC ครั้งล่าสุด
-dashboard.total_gc_pause = การหยุด GC ทั้งหมด
-dashboard.last_gc_pause = การหยุด GC ครั้งล่าสุด
-dashboard.gc_times = เวลา GC
 dashboard.delete_old_actions = ลบกิจกรรมเก่าทั้งหมดออกจากฐานข้อมูล
 dashboard.delete_old_actions.started = เริ่มลบกิจกรรมเก่าทั้งหมดออกจากฐานข้อมูลแล้ว
 dashboard.update_checker = ตัวตรวจสอบการอัปเดต
@@ -2911,18 +2871,6 @@ users.purge_help = ลบผู้ใช้และที่เก็บ อง
 users.still_own_packages = ผู้ใช้นี้ยังคงเป็นเจ้าของแพ็คเกจอย่างน้อยหนึ่งรายการ ลบแพ็คเกจเหล่านี้ก่อน
 users.deletion_success = บัญชีผู้ใช้ถูกลบแล้ว
 users.reset_2fa = รีเซ็ต 2FA
-users.list_status_filter.menu_text = ตัวกรอง
-users.list_status_filter.reset = รีเซ็ต
-users.list_status_filter.is_active = ใช้งาน
-users.list_status_filter.not_active = ไม่ใช้งาน
-users.list_status_filter.is_admin = ผู้ดูแลระบบ
-users.list_status_filter.not_admin = ไม่ใช่ผู้ดูแลระบบ
-users.list_status_filter.is_restricted = จำกัด
-users.list_status_filter.not_restricted = ไม่จำกัด
-users.list_status_filter.is_prohibit_login = ห้ามเข้าสู่ระบบ
-users.list_status_filter.not_prohibit_login = อนุญาตให้เข้าสู่ระบบ
-users.list_status_filter.is_2fa_enabled = เปิดใช้งาน 2FA
-users.list_status_filter.not_2fa_enabled = ปิดใช้งาน 2FA
 users.details = รายละเอียดผู้ใช้
 emails.email_manage_panel = จัดการอีเมลผู้ใช้
 emails.primary = หลัก
@@ -3218,25 +3166,6 @@ monitor.last_execution_result = ผลลัพธ์
 monitor.process.cancel = ยกเลิกกระบวนการ
 monitor.process.cancel_desc = การยกเลิกกระบวนการอาจทำให้ข้อมูลสูญหาย
 monitor.process.cancel_notices = ยกเลิก: <strong>%s</strong>?
-monitor.queues = คิว
-monitor.queue = คิว: %s
-monitor.queue.name = ชื่อ
-monitor.queue.type = ประเภท
-monitor.queue.exemplar = ประเภทตัวอย่าง
-monitor.queue.numberworkers = จำนวนผู้ปฏิบัติงาน
-monitor.queue.activeworkers = ผู้ปฏิบัติงานที่ใช้งานอยู่
-monitor.queue.maxnumberworkers = จำนวนผู้ปฏิบัติงานสูงสุด
-monitor.queue.numberinqueue = จำนวนในคิว
-monitor.queue.review_add = ตรวจสอบ / เพิ่มผู้ปฏิบัติงาน
-monitor.queue.settings.title = การตั้งค่าพูล
-monitor.queue.settings.desc = พูลจะขยายตัวแบบไดนามิกเพื่อตอบสนองต่อการบล็อกคิวของผู้ปฏิบัติงาน
-monitor.queue.settings.maxnumberworkers = จำนวนผู้ปฏิบัติงานสูงสุด
-monitor.queue.settings.maxnumberworkers.placeholder = ปัจจุบัน %[1]d
-monitor.queue.settings.maxnumberworkers.error = จำนวนผู้ปฏิบัติงานสูงสุดต้องเป็นตัวเลข
-monitor.queue.settings.submit = อัปเดตการตั้งค่า
-monitor.queue.settings.changed = อัปเดตการตั้งค่าแล้ว
-monitor.queue.settings.remove_all_items = ลบทั้งหมด
-monitor.queue.settings.remove_all_items_done = ลบรายการทั้งหมดในคิวแล้ว
 notices.system_notice_list = ประกาศของระบบ
 notices.view_detail_header = รายละเอียดประกาศ
 notices.operations = การดำเนินการ
@@ -3360,21 +3289,6 @@ workflow.dispatch.input_required = ต้องการค่าสำหรั
 workflow.dispatch.invalid_input_type = ประเภทอินพุต "%s" ไม่ถูกต้อง
 workflow.dispatch.warn_input_limit = แสดงเฉพาะ %d อินพุตแรกเท่านั้น
 need_approval_desc = ต้องการการอนุมัติเพื่อเรียกใช้เวิร์กโฟลว์สำหรับคำขอดึงที่แยกมา
-variables = ตัวแปร
-variables.management = จัดการตัวแปร
-variables.creation = เพิ่มตัวแปร
-variables.none = ยังไม่มีตัวแปร
-variables.deletion = ลบตัวแปร
-variables.deletion.description = การลบตัวแปรเป็นการกระทำถาวรและไม่สามารถยกเลิกได้ ดำเนินการต่อหรือไม่?
-variables.description = ตัวแปรจะถูกส่งต่อไปยังการดำเนินการบางอย่างและไม่สามารถอ่านได้
-variables.edit = แก้ไขตัวแปร
-variables.not_found = ไม่พบตัวแปร
-variables.deletion.failed = ไม่สามารถลบตัวแปรได้
-variables.deletion.success = ลบตัวแปรแล้ว
-variables.creation.failed = ไม่สามารถเพิ่มตัวแปรได้
-variables.creation.success = เพิ่มตัวแปร "%s" แล้ว
-variables.update.failed = ไม่สามารถแก้ไขตัวแปรได้
-variables.update.success = แก้ไขตัวแปรแล้ว
 
 [projects]
 deleted.display_name = โปรเจกต์ที่ถูกลบ
@@ -3391,9 +3305,6 @@ symbolic_link = ลิงก์สัญลักษณ์
 submodule = โมดูลย่อย
 
 [markup]
-filepreview.line = บรรทัดที่ %[1]d ใน %[2]s
-filepreview.lines = บรรทัดที่ %[1]d ถึง %[2]d ใน %[3]s
-filepreview.truncated = ตัวอย่างถูกตัดทอน
 
 [translation_meta]
 test = ok
\ No newline at end of file
diff --git a/options/locale/locale_tr-TR.ini b/options/locale/locale_tr-TR.ini
index def4980a19..766a17df43 100644
--- a/options/locale/locale_tr-TR.ini
+++ b/options/locale/locale_tr-TR.ini
@@ -37,18 +37,6 @@ twofa=İki aşamalı doğrulama
 twofa_scratch=İki aşamalı kazınmış kod
 passcode=Şifre
 
-webauthn_insert_key=Güvenlik anahtarınızı ekleyin
-webauthn_sign_in=Güvenlik anahtarınızdaki düğmeye basın. Eğer düğme yoksa güvenlik anahtarınızı tekrar ekleyin.
-webauthn_press_button=Lütfen güvenlik anahtarınızdaki düğmeye basın…
-webauthn_use_twofa=Telefonunuzdan iki aşamalı doğrulama kodu kullanın
-webauthn_error=Güvenlik anahtarınız okunamıyor.
-webauthn_unsupported_browser=Tarayıcınız henüz WebAuthn desteklemiyor.
-webauthn_error_unknown=Bilinmeyen bir hata oluştu. Lütfen tekrar deneyin.
-webauthn_error_insecure=WebAuthn sadece güvenli bağlantıyı destekler. HTTP üzerinden test etmek için "localhost" veya "127.0.0.1" adreslerini kullanabilirsiniz.
-webauthn_error_unable_to_process=Sunucu isteğinizi işleyemedi.
-webauthn_error_duplicated=Güvenlik anahtarının bu istek için izni yok. Anahtarın halihazırda kayıtlı olmadığından emin olun.
-webauthn_error_empty=Bu anahtar için bir isim belirlemelisiniz.
-webauthn_error_timeout=Anahtarınız okunamadan zaman aşımı oldu. Lütfen sayfayı yenileyin ve tekrar deneyin.
 repository=Depo
 organization=Organizasyon
 mirror=Yansı
@@ -2864,34 +2852,6 @@ dashboard.sync_external_users=Harici kullanıcı verisini senkronize et
 dashboard.cleanup_hook_task_table=Hook_task tablosunu temizleme
 dashboard.cleanup_packages=Süresi dolmuş paketleri temizleme
 dashboard.cleanup_actions=Eylemlerin süresi geçmiş günlük ve yapılarını temizle
-dashboard.server_uptime=Sunucunun Ayakta Kalma Süresi
-dashboard.current_goroutine=Güncel Goroutine'ler
-dashboard.current_memory_usage=Güncel Bellek Kullanımı
-dashboard.total_memory_allocated=Bellekte Ayrılan Toplam Yer
-dashboard.memory_obtained=Elde Edilen Bellek
-dashboard.pointer_lookup_times=İşaret Arama Zamanları
-dashboard.memory_allocate_times=Bellek Ayırmaları
-dashboard.memory_free_times=Bellek Boşaltmaları
-dashboard.current_heap_usage=Güncel Yığın Kullanımı
-dashboard.heap_memory_obtained=Elde Edilen Yığın Belleği
-dashboard.heap_memory_idle=Boştaki Yığın Belleği
-dashboard.heap_memory_in_use=Kullanımdaki Yığın Belleği
-dashboard.heap_memory_released=Serbest Bırakılmış Yığın Belleği
-dashboard.heap_objects=Yığın Nesneleri
-dashboard.bootstrap_stack_usage=İlk Yığın Kullanımı
-dashboard.stack_memory_obtained=Elde Edilen Yığın Belleği
-dashboard.mspan_structures_usage=Kullanımdaki MSpan Yapıları
-dashboard.mspan_structures_obtained=Elde Edilen MSpan Yapıları
-dashboard.mcache_structures_usage=Kullanılan MCache Yapıları
-dashboard.mcache_structures_obtained=Elde Edilen MCache Yapıları
-dashboard.profiling_bucket_hash_table_obtained=Elde Edilen Bucket Hash Tablosu Profilleme
-dashboard.gc_metadata_obtained=Elde Edilen GC Metadata
-dashboard.other_system_allocation_obtained=Elde Edilen Diğer Sistem Ayırmaları
-dashboard.next_gc_recycle=Sonraki GC Döngüsü
-dashboard.last_gc_time=Son GC Zamanından Beri
-dashboard.total_gc_pause=Toplam GC Durması
-dashboard.last_gc_pause=Son GC Durması
-dashboard.gc_times=GC Zamanları
 dashboard.delete_old_actions=Veritabanından tüm eski eylemleri sil
 dashboard.delete_old_actions.started=Veritabanından başlatılan tüm eski eylemleri silin.
 dashboard.update_checker=Denetleyiciyi güncelle
@@ -2948,18 +2908,6 @@ users.purge_help=Kullanıcıyı ve sahip olduğu herhangi bir depoyu, organizasy
 users.still_own_packages=Kullanıcının bir veya daha fazla paketi var, önce bu paketleri silin.
 users.deletion_success=Kullanıcı hesabı silindi.
 users.reset_2fa=2FD'yi sıfırla
-users.list_status_filter.menu_text=Filtre
-users.list_status_filter.reset=Sıfırla
-users.list_status_filter.is_active=Etkin
-users.list_status_filter.not_active=Etkin değil
-users.list_status_filter.is_admin=Yönetici
-users.list_status_filter.not_admin=Yönetici Değil
-users.list_status_filter.is_restricted=Kısıtlanmış
-users.list_status_filter.not_restricted=Kısıtlanmamış
-users.list_status_filter.is_prohibit_login=Oturum Açmayı Önle
-users.list_status_filter.not_prohibit_login=Oturum Açmaya İzin Ver
-users.list_status_filter.is_2fa_enabled=2FA Etkin
-users.list_status_filter.not_2fa_enabled=2FA Devre Dışı
 users.details=Kullanıcı Ayrıntıları
 
 emails.email_manage_panel=Kullanıcı E-posta Yönetimi
@@ -3278,26 +3226,6 @@ monitor.process.cancel_desc=Bir işlemi iptal etmek veri kaybına neden olabilir
 monitor.process.cancel_notices=İptal et: <strong>%s</strong>?
 monitor.process.children=Çocuklar
 
-monitor.queues=Kuyruklar
-monitor.queue=Kuyruk: %s
-monitor.queue.name=İsim
-monitor.queue.type=Tür
-monitor.queue.exemplar=Örnek Türü
-monitor.queue.numberworkers=Çalışan Sayısı
-monitor.queue.activeworkers=Etkin Çalışanlar
-monitor.queue.maxnumberworkers=En Fazla Çalışan Sayısı
-monitor.queue.numberinqueue=Kuyruktaki Sayı
-monitor.queue.review_add=Çalışanları İncele / Ekle
-monitor.queue.settings.title=Havuz Ayarları
-monitor.queue.settings.desc=Havuzlar, çalışan kuyruğu tıkanmasına bir yanıt olarak dinamik olarak büyürler.
-monitor.queue.settings.maxnumberworkers=En fazla çalışan Sayısı
-monitor.queue.settings.maxnumberworkers.placeholder=Şu anda %[1]d
-monitor.queue.settings.maxnumberworkers.error=En fazla çalışan sayısı bir sayı olmalıdır
-monitor.queue.settings.submit=Ayarları Güncelle
-monitor.queue.settings.changed=Ayarlar güncellendi
-monitor.queue.settings.remove_all_items=Tümünü kaldır
-monitor.queue.settings.remove_all_items_done=Kuyruktaki tüm öğeler kaldırıldı.
-
 notices.system_notice_list=Sistem Bildirimleri
 notices.view_detail_header=Bildirim Ayrıntılarını Görüntüle
 notices.operations=İşlemler
@@ -3431,20 +3359,6 @@ workflow.disabled=İş akışı devre dışı.
 
 need_approval_desc=Değişiklik isteği çatalında iş akışı çalıştırmak için onay gerekiyor.
 
-variables=Değişkenler
-variables.management=Değişken Yönetimi
-variables.creation=Değişken ekle
-variables.none=Henüz hiçbir değişken yok.
-variables.deletion=Değişkeni kaldır
-variables.deletion.description=Bir değişkeni kaldırma kalıcıdır ve geri alınamaz. Devam edilsin mi?
-variables.description=Değişkenler belirli işlemlere aktarılacaktır, bunun dışında okunamaz.
-variables.edit=Değişkeni Düzenle
-variables.deletion.failed=Değişken kaldırılamadı.
-variables.deletion.success=Değişken kaldırıldı.
-variables.creation.failed=Değişken eklenemedi.
-variables.creation.success=`"%s" değişkeni eklendi.`
-variables.update.failed=Değişken düzenlenemedi.
-variables.update.success=Değişken düzenlendi.
 variables.id_not_exist = %d kimlikli değişken mevcut değil.
 runs.expire_log_message = Günlükler, çok eski oldukları için temizlendiler.
 
diff --git a/options/locale/locale_uk-UA.ini b/options/locale/locale_uk-UA.ini
index 3c9a7d4f61..7f713b9d87 100644
--- a/options/locale/locale_uk-UA.ini
+++ b/options/locale/locale_uk-UA.ini
@@ -98,13 +98,6 @@ logo = Логотип
 sign_in_with_provider = Увійти через %s
 tracked_time_summary = Підсумок відстеженого часу з урахуванням фільтрів списку задач
 enable_javascript = Цей вебсайт потребує JavaScript.
-webauthn_press_button = Натисніть кнопку на ключі безпеки…
-webauthn_use_twofa = Введіть код підтвердження з телефону
-webauthn_error = Не вдалося розпізнати ключ безпеки.
-webauthn_error_unknown = Сталася невідома помилка. Будь ласка, повторіть спробу.
-webauthn_error_unable_to_process = Сервер не зміг обробити запит.
-webauthn_error_duplicated = Запит із наданим ключем безпеки відхилено. Впевніться, що цей ключ не є вже зареєстрованим.
-webauthn_error_empty = Ключ слід якось назвати.
 new_project_column = Новий стовпчик
 retry = Повторити
 rerun = Перезапустити
@@ -122,12 +115,7 @@ concept_system_global = Для всіх
 concept_user_individual = Для особи
 confirm_delete_selected = Точно видалити все вибране?
 value = Значення
-webauthn_insert_key = Під’єднайте ключ безпеки
 download_logs = Завантажити журнали
-webauthn_sign_in = Натисніть кнопку на ключі безпеки. Якщо ключ безпеки не має кнопки, від’єднайте його і під’єднайте ще раз.
-webauthn_unsupported_browser = Ваш браузер наразі не підтримує WebAuthn.
-webauthn_error_insecure = WebAuthn підтримує лише захищені з’єднання. Для тестування через HTTP можете використати origin-рядок «localhost» чи «127.0.0.1»
-webauthn_error_timeout = Ключ не встиг зчитатись протягом відведеного терміну. Будь ласка, перезавантажте сторінку й повторіть спробу.
 locked = Заблоковано
 filter.is_template = Шаблони
 test = Тест
@@ -2929,34 +2917,6 @@ dashboard.resync_all_hooks=Пересинхронізувати Git-хуки в
 dashboard.reinit_missing_repos=Переініціалізувати всі Git-репозиторії, для яких існують записи
 dashboard.sync_external_users=Синхронізувати дані зовнішніх користувачів
 dashboard.cleanup_hook_task_table=Очистити таблицю hook_task
-dashboard.server_uptime=Час роботи сервера
-dashboard.current_goroutine=Поточна кількість goroutines
-dashboard.current_memory_usage=Поточне використання пам’яті
-dashboard.total_memory_allocated=Виділено пам’яті загалом
-dashboard.memory_obtained=Отримано пам’яті
-dashboard.pointer_lookup_times=Пошуків вказівника
-dashboard.memory_allocate_times=Виділень пам’яті
-dashboard.memory_free_times=Звільнень пам’яті
-dashboard.current_heap_usage=Поточне використання динамічної пам’яті
-dashboard.heap_memory_obtained=Отримано динамічної пам’яті
-dashboard.heap_memory_idle=Динамічної пам’яті простоює
-dashboard.heap_memory_in_use=Динамічної пам’яті використовується
-dashboard.heap_memory_released=Звільнено динамічної пам’яті
-dashboard.heap_objects=Об’єктів динамічної пам’яті
-dashboard.bootstrap_stack_usage=Використання стеку bootstrap
-dashboard.stack_memory_obtained=Отримано пам’яті стеком
-dashboard.mspan_structures_usage=Використання структур MSpan
-dashboard.mspan_structures_obtained=Отримано структур MSpan
-dashboard.mcache_structures_usage=Використання структур MCache
-dashboard.mcache_structures_obtained=Отримано структур MCache
-dashboard.profiling_bucket_hash_table_obtained=Отримано хеш-таблиць профілювання
-dashboard.gc_metadata_obtained=Отримано метаданих збирача сміття
-dashboard.other_system_allocation_obtained=Отримано інших виділень пам’яті
-dashboard.next_gc_recycle=Наступний цикл збирача сміття
-dashboard.last_gc_time=З останнього запуску збирача сміття
-dashboard.total_gc_pause=Загальна пауза збирача сміття
-dashboard.last_gc_pause=Остання пауза збирача сміття
-dashboard.gc_times=Кількість запусків збирача сміття
 dashboard.delete_old_actions=Видалити всі старі активності з бази даних
 dashboard.delete_old_actions.started=Розпочато видалення всіх старих активностей з бази даних.
 
@@ -2996,19 +2956,6 @@ users.still_own_repo=Цьому користувачу досі належать
 users.still_has_org=Цей користувач є учасником однієї або декількох організацій. Спочатку видаліть користувача з усіх організацій.
 users.deletion_success=Обліковий запис користувача видалено.
 users.reset_2fa=Скинути 2FA
-users.list_status_filter.menu_text=Фільтр
-users.list_status_filter.reset=Скинути
-users.list_status_filter.is_active=Активні
-users.list_status_filter.not_active=Неактивні
-users.list_status_filter.is_admin=Адміністратор
-users.list_status_filter.not_admin=Не адміністратор
-users.list_status_filter.is_restricted=З обмеженнями
-users.list_status_filter.not_restricted=Без обмежень
-users.list_status_filter.is_prohibit_login=Вхід заборонено
-users.list_status_filter.not_prohibit_login=Вхід дозволено
-users.list_status_filter.is_2fa_enabled=2FA увімкнено
-users.list_status_filter.not_2fa_enabled=2FA вимкнено
-
 emails.email_manage_panel=Керування електронними адресами користувачів
 emails.primary=Головний
 emails.activated=Активовано
@@ -3275,20 +3222,6 @@ monitor.process.cancel_desc=Скасування процесу може при
 monitor.process.cancel_notices=Скасувати: <strong>%s</strong>?
 monitor.process.children=Дочірні процеси
 
-monitor.queues=Черги
-monitor.queue=Черга: %s
-monitor.queue.name=Назва
-monitor.queue.type=Тип
-monitor.queue.exemplar=Приклад типу
-monitor.queue.numberworkers=Кількість обробників
-monitor.queue.maxnumberworkers=Максимальна кількість обробників
-monitor.queue.settings.title=Налаштування пулу
-monitor.queue.settings.maxnumberworkers=Максимальна кількість обробників
-monitor.queue.settings.maxnumberworkers.placeholder=Поточний %[1]d
-monitor.queue.settings.maxnumberworkers.error=Максимальна кількість обробників має бути числом
-monitor.queue.settings.submit=Оновити налаштування
-monitor.queue.settings.changed=Налаштування оновлено
-
 notices.system_notice_list=Сповіщення системи
 notices.view_detail_header=Подробиці сповіщення
 notices.select_all=Вибрати все
@@ -3331,12 +3264,6 @@ users.new_success = Обліковий запис «%s» створено.
 config_settings = Налаштування
 self_check.no_problem_found = Проблем поки що не виявлено.
 config_summary = Підсумок
-monitor.queue.review_add = Переглянути / додати обробники
-monitor.queue.activeworkers = Активні обробники
-monitor.queue.numberinqueue = Номер у черзі
-monitor.queue.settings.desc = Пули динамічно зростають у відповідь на блокування черг їхніх обробників.
-monitor.queue.settings.remove_all_items_done = Усі елементи в черзі видалено.
-monitor.queue.settings.remove_all_items = Видалити всі
 config.app_slogan = Гасло екземпляра
 auths.tip.gitea = Зареєструйте нову програму OAuth. Інструкцію можна знайти на %s
 auths.tip.gitlab_new = Зареєструйте нову програму на %s
@@ -3507,21 +3434,7 @@ creation.value_placeholder = Уведіть довільний вміст. Пр
 description = Секрети передаються певним діям і не можуть бути прочитані інакше.
 
 [actions]
-variables.update.failed = Не вдалося змінити змінну.
-variables.update.success = Змінну змінено.
-variables.creation = Додати змінну
-variables.none = Змінних ще немає.
-variables.deletion = Видалити змінну
-variables = Змінні
-variables.deletion.success = Змінну видалено.
-variables.creation.failed = Не вдалося додати змінну.
-variables.deletion.failed = Не вдалося видалити змінну.
-variables.creation.success = Змінну «%s» додано.
-variables.description = Змінні передаються певним діям і не можуть бути прочитані інакше.
-variables.deletion.description = Видалення змінної є остаточним і його неможливо скасувати. Продовжити?
-variables.management = Керування змінними
 variables.id_not_exist = Змінної з ідентифікатором %d не існує.
-variables.edit = Редагувати змінну
 runs.expire_log_message = Журнали очищено, тому що вони були занадто старі.
 runs.empty_commit_message = (порожнє повідомлення коміту)
 workflow.enable_success = Робочий потік «%s» успішно ввімкнено.
@@ -3530,7 +3443,6 @@ workflow.disable_success = Робочий потік «%s» успішно ви
 workflow.disabled = Робочий потік вимкнено.
 workflow.enable = Увімкнути робочий потік
 need_approval_desc = Потрібне схвалення для запуску робочих потоків для запиту на злиття.
-variables.not_found = Не вдалося знайти змінну.
 runs.no_workflows.help_no_write_access = Щоб дізнатися більше про Дії Forgejo, читайте <a target="_blank" rel="noopener noreferrer" href="%s">документацію</a>.
 runs.no_workflows.help_write_access = Не знаєте, як почати роботу з Діями Forgejo? Перегляньте <a target="_blank" rel="noopener noreferrer" href="%s">посібник для початківців у документації</a>, щоб написати свій перший робочий потік, а потім <a target="_blank" rel="noopener noreferrer" href="%s">налаштуйте ранер Forgejo</a> для виконання завдань.
 unit.desc = Керування вбудованими конвеєрами CI/CD з Діями Forgejo.
@@ -3587,9 +3499,6 @@ pull_kind = Шукати запити на злиття…
 runner_kind = Шукати ранери…
 
 [markup]
-filepreview.truncated = Перегляд було урізано
-filepreview.line = Рядок %[1]d в %[2]s
-filepreview.lines = Рядки з %[1]d по %[2]d в %[3]s
 
 [translation_meta]
 test = Це тестовий текст. Він не відображається в інтерфейсі користувача Forgejo, а використовується з метою тестування
diff --git a/options/locale/locale_vi.ini b/options/locale/locale_vi.ini
index 3c51eb51b9..f8f5eba9d5 100644
--- a/options/locale/locale_vi.ini
+++ b/options/locale/locale_vi.ini
@@ -24,18 +24,8 @@ password = Mật khẩu
 access_token = Mã truy cập
 captcha = CAPTCHA
 twofa = Xác thực hai lớp
-webauthn_insert_key = Cắm khóa bảo mật của bạn vào
 copy_hash = Sao chép chuỗi băm
 sign_in_with_provider = Đăng nhập bằng %s
-webauthn_press_button = Hãy nhấn nút trên khóa bảo mật…
-webauthn_use_twofa = Dùng mã xác thực hai lớp ở trên điện thoại
-webauthn_error = Không thể đọc khóa bảo mật của bạn.
-webauthn_unsupported_browser = Trình duyệt của bạn hiện không hỗ trợ WebAuthn.
-webauthn_error_unknown = Có lỗi xảy ra. Vui lòng thử lại.
-webauthn_error_insecure = WebAuthn chỉ hỗ trợ kết nối mã hóa. Nếu đang thử nghiệm, bạn có thể dùng "localhost" hoặc "127.0.0.1"
-webauthn_error_unable_to_process = Máy chủ không thể xử lý yêu cầu của bạn.
-webauthn_error_empty = Bạn phải đặt tên cho khóa này.
-webauthn_error_timeout = Hết thời gian đọc khóa mất rồi. Hãy tải lại trang và thử lại.
 copy_type_unsupported = Không thể sao chép loại tệp này
 repository = Kho mã
 organization = Tổ chức
@@ -79,7 +69,6 @@ pin = Ghim
 archived = Đã lưu trữ
 signed_in_as = Đăng nhập bằng
 re_type = Xác nhận mật khẩu
-webauthn_sign_in = Nhấn nút trên khóa bảo mật, nếu không có nút thì bạn hãy rút ra rồi cắm lại.
 new_org.link = Tạo tổ chức
 error404 = Trang bạn đang tìm <strong>không tồn tại</strong>, <strong>đã bị xoá</strong> hoặc <strong>bạn không có quyền</strong> để xem nó.
 edit = Chỉnh sửa
@@ -89,7 +78,6 @@ logo = Logo
 toc = Mục lục
 user_profile_and_more = Hồ sơ và cài đặt…
 passcode = Mã xác thực
-webauthn_error_duplicated = Khóa bảo mật không được phép cho yêu cầu này. Vui lòng đảm bảo rằng khóa chưa được đăng ký trước đó.
 mirror = Bản sao
 new_mirror = Tạo bản sao mới
 your_starred = Đã đánh sao
diff --git a/options/locale/locale_zh-CN.ini b/options/locale/locale_zh-CN.ini
index 87087e3d20..2a6686b2ec 100644
--- a/options/locale/locale_zh-CN.ini
+++ b/options/locale/locale_zh-CN.ini
@@ -37,18 +37,6 @@ twofa=两步验证
 twofa_scratch=两步验证备用验证码
 passcode=验证码
 
-webauthn_insert_key=插入安全密钥
-webauthn_sign_in=按下安全密钥上的按钮。如果安全密钥没有按钮，请重新插入它。
-webauthn_press_button=请按下安全密钥上的按钮……
-webauthn_use_twofa=使用来自手机中的两步验证码
-webauthn_error=无法读取安全密钥。
-webauthn_unsupported_browser=你的浏览器目前不支持WebAuthn。
-webauthn_error_unknown=发生未知错误。请重试。
-webauthn_error_insecure=WebAuthn仅支持安全连接。如果要在HTTP协议上进行测试，请使用"localhost"或"127.0.0.1"作为访问来源
-webauthn_error_unable_to_process=服务器无法处理您的请求。
-webauthn_error_duplicated=此安全密钥未被许可用于这个请求。请确保该密钥尚未注册。
-webauthn_error_empty=您必须为此密钥设置一个名称。
-webauthn_error_timeout=未能在允许的时限内读取密钥。请重新加载此页面并重试。
 repository=仓库
 organization=组织
 mirror=镜像
@@ -2939,34 +2927,6 @@ dashboard.sync_external_users=同步外部用户数据
 dashboard.cleanup_hook_task_table=清理hook_task表
 dashboard.cleanup_packages=清理过期的软件包
 dashboard.cleanup_actions=清理过期的Actions日志和制品
-dashboard.server_uptime=服务运行时间
-dashboard.current_goroutine=当前Goroutines数量
-dashboard.current_memory_usage=当前内存使用量
-dashboard.total_memory_allocated=所有被分配的内存
-dashboard.memory_obtained=内存占用量
-dashboard.pointer_lookup_times=指针查找次数
-dashboard.memory_allocate_times=内存分配次数
-dashboard.memory_free_times=内存释放次数
-dashboard.current_heap_usage=当前Heap内存使用量
-dashboard.heap_memory_obtained=Heap内存占用量
-dashboard.heap_memory_idle=Heap内存空闲量
-dashboard.heap_memory_in_use=正在使用的Heap内存
-dashboard.heap_memory_released=被释放的Heap内存
-dashboard.heap_objects=Heap对象数量
-dashboard.bootstrap_stack_usage=启动Stack使用量
-dashboard.stack_memory_obtained=被分配的Stack内存
-dashboard.mspan_structures_usage=MSpan结构内存使用量
-dashboard.mspan_structures_obtained=被分配的MSpan结构内存
-dashboard.mcache_structures_usage=MCache结构内存使用量
-dashboard.mcache_structures_obtained=被分配的MCache结构内存
-dashboard.profiling_bucket_hash_table_obtained=被分配的剖析哈希表内存
-dashboard.gc_metadata_obtained=被分配的GC元数据内存
-dashboard.other_system_allocation_obtained=其它被分配的系统内存
-dashboard.next_gc_recycle=下次GC内存回收量
-dashboard.last_gc_time=距离上次GC时间
-dashboard.total_gc_pause=GC暂停时间总量
-dashboard.last_gc_pause=上次GC暂停时间
-dashboard.gc_times=GC执行次数
 dashboard.delete_old_actions=从数据库中删除所有旧操作记录
 dashboard.delete_old_actions.started=已开始从数据库中删除所有旧操作记录。
 dashboard.update_checker=更新检查器
@@ -3024,18 +2984,6 @@ users.purge_help=强制删除用户和用户拥有的任何仓库、组织和软
 users.still_own_packages=此用户仍然拥有一个或多个软件包，请先删除这些软件包。
 users.deletion_success=用户帐户已被删除。
 users.reset_2fa=重置两步验证
-users.list_status_filter.menu_text=过滤
-users.list_status_filter.reset=重置
-users.list_status_filter.is_active=已激活
-users.list_status_filter.not_active=未激活
-users.list_status_filter.is_admin=管理员
-users.list_status_filter.not_admin=非管理员
-users.list_status_filter.is_restricted=受限
-users.list_status_filter.not_restricted=不受限
-users.list_status_filter.is_prohibit_login=禁止登录
-users.list_status_filter.not_prohibit_login=允许登录
-users.list_status_filter.is_2fa_enabled=已启用2FA
-users.list_status_filter.not_2fa_enabled=未启用2FA
 users.details=用户详情
 
 emails.email_manage_panel=管理用户邮件地址
@@ -3355,26 +3303,6 @@ monitor.process.cancel_desc=中止一个进程可能导致数据丢失
 monitor.process.cancel_notices=中止：<strong>%s</strong>？
 monitor.process.children=子进程
 
-monitor.queues=队列
-monitor.queue=队列：%s
-monitor.queue.name=名称
-monitor.queue.type=类型
-monitor.queue.exemplar=数据类型
-monitor.queue.numberworkers=worker数量
-monitor.queue.activeworkers=活跃worker
-monitor.queue.maxnumberworkers=最大worker数量
-monitor.queue.numberinqueue=队列中的数量
-monitor.queue.review_add=审查/添加worker
-monitor.queue.settings.title=池设置
-monitor.queue.settings.desc=因为工作者队列阻塞，池正在动态扩展。
-monitor.queue.settings.maxnumberworkers=最大工作者数量
-monitor.queue.settings.maxnumberworkers.placeholder=当前%[1]d
-monitor.queue.settings.maxnumberworkers.error=最大工作者数必须是数字
-monitor.queue.settings.submit=更新设置
-monitor.queue.settings.changed=设置已更新
-monitor.queue.settings.remove_all_items=移除全部
-monitor.queue.settings.remove_all_items_done=队列中的所有项目已被移除。
-
 notices.system_notice_list=系统通知
 notices.view_detail_header=通知详情
 notices.operations=操作
@@ -3517,21 +3445,7 @@ workflow.disabled=工作流已禁用。
 
 need_approval_desc=该工作流由派生仓库的合并请求所触发，需要批准方可运行。
 
-variables=变量
-variables.management=管理变量
-variables.creation=添加变量
-variables.none=目前还没有变量。
-variables.deletion=删除变量
-variables.deletion.description=删除变量是永久性的，无法撤消。继续吗？
-variables.description=变量将被传给特定的Action，其它情况将不能被读取。
 variables.id_not_exist=ID为 %d 的变量不存在。
-variables.edit=编辑变量
-variables.deletion.failed=删除变量失败。
-variables.deletion.success=变量已被删除。
-variables.creation.failed=添加变量失败。
-variables.creation.success=变量 “%s” 添加成功。
-variables.update.failed=编辑变量失败。
-variables.update.success=该变量已被编辑。
 workflow.dispatch.trigger_found = 此工作流有<c>workflow_dispatch</c>事件触发器。
 workflow.dispatch.use_from = 使用工作流
 workflow.dispatch.invalid_input_type = 输入类型“%s”无效。
@@ -3542,7 +3456,6 @@ workflow.dispatch.input_required = 需要输入“%s”的值。
 runs.expire_log_message = 已清除日志，因为它们太旧了。
 runs.no_workflows.help_write_access = 不知道如何上手Forgejo Actions？查看<a target="_blank" rel="noopener noreferrer" href="%s">用户文档的快速上手部分</a>来编写你的第一个工作流，然后<a target="_blank" rel="noopener noreferrer" href="%s">配置一个Forgejo运行器</a>来运行你的任务。
 runs.no_workflows.help_no_write_access = 欲了解关于Forgejo Actions的更多信息，请参见<a target="_blank" rel="noopener noreferrer" href="%s">文档</a>。
-variables.not_found = 找不到变量。
 
 [projects]
 type-1.display_name=个人项目
@@ -3591,9 +3504,6 @@ regexp_tooltip = 将搜索内容解释为正则表达式
 [munits.data]
 
 [markup]
-filepreview.line = %[2]s中的第%[1]d行
-filepreview.lines = %[3]s中的第%[1]d到%[2]d行
-filepreview.truncated = 预览已被截断
 
 [translation_meta]
 test = 好的
diff --git a/options/locale/locale_zh-HK.ini b/options/locale/locale_zh-HK.ini
index 790012ecd9..becef6d682 100644
--- a/options/locale/locale_zh-HK.ini
+++ b/options/locale/locale_zh-HK.ini
@@ -70,19 +70,10 @@ return_to_forgejo = 返來 Forgejo
 username = 用戶名
 captcha = 驗證碼
 toggle_menu = 切換選單
-webauthn_insert_key = 插入安全密鑰
 twofa = 兩步驟驗證
-webauthn_sign_in = 撳下安全密鑰嘅掣。如果安全密鑰冇掣，請再插入。
-webauthn_press_button = 請撳下安全密鑰嘅掣…
 more_items = 多啲嘢
-webauthn_use_twofa = 用手機嘅兩步驟驗證
-webauthn_error = 唔可以讀取安全密鑰。
-webauthn_unsupported_browser = 你嘅瀏覽器唔支援 WebAuthn。
-webauthn_error_unknown = 發生未知嘅錯誤，請再試下。
-webauthn_error_unable_to_process = 伺服器唔可以執行你嘅請求。
 logo = 標識
 enable_javascript = 本網站需要 JavaScript。
-webauthn_error_empty = 你要起名呢條鎖匙。
 your_starred = 已加星號
 active_stopwatch = 活動時間追蹤器
 rerun = 重新執行
@@ -822,33 +813,6 @@ dashboard.clean_unbind_oauth=清理未綁定OAuth的連結
 dashboard.clean_unbind_oauth_success=所有未綁定 OAuth 的連結已刪除。
 dashboard.reinit_missing_repos=重新初始化所有遺失具已存在記錄的Git 儲存庫
 dashboard.sync_external_users=同步外部使用者資料
-dashboard.server_uptime=服務執行時間
-dashboard.current_goroutine=當前 Goroutines 數量
-dashboard.current_memory_usage=當前內存使用量
-dashboard.total_memory_allocated=所有被分配的內存
-dashboard.memory_obtained=內存佔用量
-dashboard.pointer_lookup_times=指針查找次數
-dashboard.current_heap_usage=當前 Heap 內存使用量
-dashboard.heap_memory_obtained=Heap 內存佔用量
-dashboard.heap_memory_idle=Heap 內存空閒量
-dashboard.heap_memory_in_use=正在使用的 Heap 內存
-dashboard.heap_memory_released=被釋放的 Heap 內存
-dashboard.heap_objects=Heap 對象數量
-dashboard.bootstrap_stack_usage=啟動 Stack 使用量
-dashboard.stack_memory_obtained=被分配的 Stack 內存
-dashboard.mspan_structures_usage=MSpan 結構內存使用量
-dashboard.mspan_structures_obtained=被分配的 MSpan 結構內存
-dashboard.mcache_structures_usage=MCache 結構內存使用量
-dashboard.mcache_structures_obtained=被分配的 MCache 結構內存
-dashboard.profiling_bucket_hash_table_obtained=被分配的剖析哈希表內存
-dashboard.gc_metadata_obtained=被分配的垃圾收集元資料內存
-dashboard.other_system_allocation_obtained=其它被分配的系統內存
-dashboard.next_gc_recycle=下次垃圾收集內存回收量
-dashboard.last_gc_time=距離上次垃圾收集時間
-dashboard.total_gc_pause=垃圾收集暫停時間總量
-dashboard.last_gc_pause=上次垃圾收集暫停時間
-dashboard.gc_times=垃圾收集執行次數
-
 users.full_name=組織全名
 users.activated=已啟用
 users.admin=管理員
@@ -857,8 +821,6 @@ users.created=建立時間
 users.edit=編輯
 users.auth_source=認證源
 users.local=本地
-users.list_status_filter.is_admin=管理員
-
 emails.activated=已啟用
 
 orgs.org_manage_panel=組織管理
@@ -1009,10 +971,6 @@ monitor.desc=進程描述
 monitor.start=開始時間
 monitor.execute_time=已執行時間
 
-monitor.queue.name=組織名稱
-monitor.queue.type=認證類型
-monitor.queue.settings.submit=更新設定
-
 notices.system_notice_list=系統提示管理
 notices.view_detail_header=查看提示細節
 notices.select_all=選取全部
diff --git a/options/locale/locale_zh-TW.ini b/options/locale/locale_zh-TW.ini
index 09052f05b2..7f55fd662d 100644
--- a/options/locale/locale_zh-TW.ini
+++ b/options/locale/locale_zh-TW.ini
@@ -35,18 +35,6 @@ twofa=兩步驟驗證
 twofa_scratch=兩步驟驗證備用驗證碼
 passcode=驗證碼
 
-webauthn_insert_key=插入您的安全金鑰
-webauthn_sign_in=按下您安全金鑰上的按鈕。如果您的安全金鑰沒有按鈕，請重新插入。
-webauthn_press_button=請按下您安全金鑰上的按鈕…
-webauthn_use_twofa=使用來自手機的兩步驟驗證碼
-webauthn_error=無法讀取您的安全金鑰。
-webauthn_unsupported_browser=您的瀏覽器還不支援 WebAuthn。
-webauthn_error_unknown=發生未知的錯誤，請再試一次。
-webauthn_error_insecure=WebAuthn 只支援安全連線。想在 HTTP 上測試，您可以使用「localhost」或「127.0.0.1」
-webauthn_error_unable_to_process=伺服器無法處理您的請求。
-webauthn_error_duplicated=此安全金鑰無法允許這個請求。請確保該金鑰尚未被註冊。
-webauthn_error_empty=您必須命名此金鑰。
-webauthn_error_timeout=在成功讀取金鑰之前已逾時，請重新載入此頁面並重試。
 repository=儲存庫
 organization=組織
 mirror=鏡像
@@ -2928,34 +2916,6 @@ dashboard.reinit_missing_repos=重新初始化所有記錄存在但遺失的 Git
 dashboard.sync_external_users=同步外部使用者資料
 dashboard.cleanup_hook_task_table=清理 hook_task 資料表
 dashboard.cleanup_packages=清理過期的軟體包
-dashboard.server_uptime=伺服器運作時間
-dashboard.current_goroutine=目前的 Goroutines
-dashboard.current_memory_usage=目前記憶體使用量
-dashboard.total_memory_allocated=所有被分配的記憶體
-dashboard.memory_obtained=獲得的記憶體
-dashboard.pointer_lookup_times=指標尋找次數
-dashboard.memory_allocate_times=記憶體分配次數
-dashboard.memory_free_times=記憶體釋放次數
-dashboard.current_heap_usage=目前 Heap 記憶體使用量
-dashboard.heap_memory_obtained=獲得的 Heap 記憶體
-dashboard.heap_memory_idle=Heap 記憶體閒置量
-dashboard.heap_memory_in_use=正在使用的 Heap 記憶體
-dashboard.heap_memory_released=被釋放的 Heap 記憶體
-dashboard.heap_objects=Heap 物件數量
-dashboard.bootstrap_stack_usage=啟動 Stack 使用量
-dashboard.stack_memory_obtained=獲得的 Stack 記憶體
-dashboard.mspan_structures_usage=MSpan 結構使用量
-dashboard.mspan_structures_obtained=獲得的 MSpan 結構
-dashboard.mcache_structures_usage=MCache 結構使用量
-dashboard.mcache_structures_obtained=獲得的 MCache 結構
-dashboard.profiling_bucket_hash_table_obtained=被分配的剖析雜湊表
-dashboard.gc_metadata_obtained=被分配 GC Metadata
-dashboard.other_system_allocation_obtained=其他獲得的系統記憶體
-dashboard.next_gc_recycle=下次 GC 記憶體回收量
-dashboard.last_gc_time=距離上次 GC 時間
-dashboard.total_gc_pause=總 GC 暫停時間
-dashboard.last_gc_pause=上次 GC 暫停時間
-dashboard.gc_times=GC 執行次數
 dashboard.delete_old_actions=從資料庫刪除所有舊操作紀錄
 dashboard.delete_old_actions.started=從資料庫刪除所有舊操作紀錄的任務已啟動。
 dashboard.update_checker=更新檢查器
@@ -3006,19 +2966,6 @@ users.purge_help=強制刪除使用者和其所擁有的所有儲存庫、組織
 users.still_own_packages=此使用者仍然擁有至少一個軟體包，請先刪除這些軟體包。
 users.deletion_success=已刪除該使用者帳號。
 users.reset_2fa=重設兩步驟驗證
-users.list_status_filter.menu_text=篩選
-users.list_status_filter.reset=重設
-users.list_status_filter.is_active=已啟用
-users.list_status_filter.not_active=未啟用
-users.list_status_filter.is_admin=管理員
-users.list_status_filter.not_admin=非管理員
-users.list_status_filter.is_restricted=受限
-users.list_status_filter.not_restricted=未受限制
-users.list_status_filter.is_prohibit_login=禁止登入
-users.list_status_filter.not_prohibit_login=允許登入
-users.list_status_filter.is_2fa_enabled=已啟用兩步驟驗證
-users.list_status_filter.not_2fa_enabled=未啟用兩步驟驗證
-
 emails.email_manage_panel=使用者電子信箱管理
 emails.primary=主要
 emails.activated=已啟用
@@ -3320,21 +3267,6 @@ monitor.process.cancel_desc=結束處理程序可能造成資料遺失
 monitor.process.cancel_notices=結束: <strong>%s</strong>?
 monitor.process.children=子程序
 
-monitor.queues=佇列
-monitor.queue=佇列: %s
-monitor.queue.name=名稱
-monitor.queue.type=類型
-monitor.queue.exemplar=型別
-monitor.queue.numberworkers=工作者數量
-monitor.queue.maxnumberworkers=最大工作者數量
-monitor.queue.numberinqueue=佇列中的數量
-monitor.queue.settings.title=集區設定
-monitor.queue.settings.maxnumberworkers=最大工作者數量
-monitor.queue.settings.maxnumberworkers.placeholder=目前 %[1]d
-monitor.queue.settings.maxnumberworkers.error=最大工作者數量必須是數字
-monitor.queue.settings.submit=更新設定
-monitor.queue.settings.changed=已更新設定
-
 notices.system_notice_list=系統提示
 notices.view_detail_header=提示詳情
 notices.operations=操作
@@ -3357,7 +3289,6 @@ dashboard.cron.cancelled = 定時作業：%[1]s 已被取消：%[3]s
 dashboard.cleanup_actions = 清理過期的 Action 日誌和物件
 users.bot = 機器人
 users.remote = 遠端
-monitor.queue.settings.remove_all_items_done = 已移除佇列中所有項目。
 config.access_log_template = 存取日誌範本
 monitor.stats = 統計資料
 self_check.no_problem_found = 未發現任何問題。
@@ -3370,7 +3301,6 @@ repos.lfs_size = LFS 大小
 packages.cleanup = 清除過期的資料
 packages.cleanup.success = 已成功清除過期資料
 monitor.processes_count = %d 個程序
-monitor.queue.settings.remove_all_items = 全部移除
 identity_access = 身分和存取
 config.cache_test = 測試快取
 config_settings = 設定
@@ -3390,7 +3320,6 @@ users.organization_creation.description = 允許建立新組織。
 config.app_slogan = 站點口號
 self_check = 自助檢查
 config.logger_name_fmt = 日誌：%s
-monitor.queue.review_add = 審閱／增加 Worker
 self_check.database_fix_mysql = 對於 MySQL／MariaDB 的使用者，你可以使用命令「forgejo doctor convert」來修復排序規則問題，或者你也可以手動透過「ALTER ... COLLATE ...」SQL 修復問題。
 monitor.duration = 持續時間（秒）
 systemhooks.desc = 當某些 Forgejo 事件觸發時，Webhook 會自動向伺服器發出 HTTP POST 請求。此處定義的 Webhook 將作用於系統上的所有儲存庫，因此請考慮這可能產生的任何效能影響。更多資訊請參考<a target="_blank" rel="noopener" href="%s">Webhook 指南</a>。
@@ -3415,9 +3344,6 @@ users.admin.description = 授予此使用者透過網頁介面和 API 提供的
 auths.tip.gitea = 註冊一個新的 OAuth2 應用程式。指南可在 %s 找到
 
 
-monitor.queue.activeworkers = 活躍工作者
-monitor.queue.settings.desc = 集區會根據工作者佇列的阻塞情況動態增長。
-
 [action]
 create_repo=建立了儲存庫 <a href="%s">%s</a>
 rename_repo=重新命名儲存庫 <code>%[1]s</code> 為 <a href="%[2]s">%[3]s</a>
@@ -3515,21 +3441,7 @@ workflow.enable=啟用工作流程
 workflow.enable_success=已成功啟用工作流程「%s」。
 
 need_approval_desc=需要核可才能執行來自分叉儲存庫的合併請求工作流程。
-variables.edit = 編輯變數
-variables = 變數
-variables.management = 變數管理
 variables.id_not_exist = ID 為 %d 的變數不存在。
-variables.description = 變數會被傳給特定的 Actions，除此之外它們無法被讀取。
-variables.creation.failed = 變數新增失敗。
-variables.update.success = 該變數已被編輯。
-variables.deletion.failed = 變數刪除失敗。
-variables.deletion.success = 該變數已被刪除。
-variables.creation = 新增變數
-variables.none = 目前沒有變數。
-variables.deletion = 刪除變數
-variables.deletion.description = 刪除變數是永久且不可取消的。要繼續嗎？
-variables.creation.success = 已新增變數 「%s」。
-variables.update.failed = 編輯變數失敗。
 runs.empty_commit_message = （空白的提交訊息）
 workflow.disabled = 工作流程已被停用。
 workflow.dispatch.input_required = 需要輸入「%s」的值。
@@ -3542,8 +3454,6 @@ workflow.dispatch.success = 已成功請求工作流程運行。
 workflow.dispatch.use_from = 使用工作流程自
 runs.no_workflows.help_no_write_access = 要了解 Forgejo Actions，請參閱<a target="_blank" rel="noopener noreferrer" href="%s">文件</a>。
 runs.no_workflows.help_write_access = 不知道如何開始使用 Forgejo Actions？查看<a target="_blank" rel="noopener noreferrer" href="%s">使用者文件中的快速入門</a>來編寫你的第一個工作流程，然後<a target="_blank" rel="noopener noreferrer" href="%s">設定 Forgejo Runner</a>來執行你的工作。
-variables.not_found = 找不到變數。
-
 
 [projects]
 type-2.display_name = 儲存庫專案
@@ -3591,9 +3501,6 @@ union_tooltip = 包含與任何空格分隔的關鍵字相符的結果
 [munits.data]
 
 [markup]
-filepreview.truncated = 預覽已被截斷
-filepreview.lines = %[3]s 中的第 %[1]d 至 %[2]d 行
-filepreview.line = %[2]s 中的第 %[1]d 行
 
 [translation_meta]
 test = 好的
diff --git a/options/locale_next/locale_ar.json b/options/locale_next/locale_ar.json
index 7861f67193..a2358fd17b 100644
--- a/options/locale_next/locale_ar.json
+++ b/options/locale_next/locale_ar.json
@@ -1,4 +1,40 @@
 {
+	"admin.monitor.queue.settings.changed": "تم تحديث الإعدادات",
+	"admin.monitor.queue.settings.submit": "حدّث الإعدادات",
+	"admin.monitor.queue.type": "النوع",
+	"admin.monitor.queue.name": "الاسم",
+	"admin.users.list_status_filter.not_restricted": "غير مقيد",
+	"admin.users.list_status_filter.is_restricted": "مقيَّد",
+	"admin.users.list_status_filter.not_admin": "غير مدير",
+	"admin.users.list_status_filter.is_admin": "مدير",
+	"admin.users.list_status_filter.not_active": "معطّل",
+	"admin.users.list_status_filter.is_active": "مفعّل",
+	"actions.variables.update.success": "عُدِّل المتغير.",
+	"actions.variables.update.failed": "فشل تعديل المتغير.",
+	"actions.variables.creation.success": "تم إضافة المتغير \"%s\".",
+	"actions.variables.creation.failed": "فشل إضافة المتغير.",
+	"actions.variables.deletion.success": "تم حذف المتغير.",
+	"actions.variables.deletion.failed": "فشل حذف المتغير.",
+	"actions.variables.edit": "عدّل المتغير",
+	"actions.variables.description": "تمرر المتغيرات إلى إجراءات معينة ولا يمكن قراءتها بطريقة أخرى.",
+	"actions.variables.deletion.description": "إزالة المتغيرات عملية نهائية لا يمكن التراجع عنها. أتريد الاستمرار؟",
+	"actions.variables.deletion": "أزل المتغير",
+	"actions.variables.none": "لا توجد متغيرات بعد.",
+	"actions.variables.creation": "أضف متغيرا",
+	"actions.variables.management": "إدارة المتغيرات",
+	"actions.variables": "المتغيرات",
+	"webauthn.error.timeout": "طال وقت الوصول قبل أن يُقرأ مفتاحك. من فضلك أعد تحميل الصفحة وحاول مجدداً.",
+	"webauthn.error.empty": "يلزم أن تضع اسم لهذا المفتاح.",
+	"webauthn.error.duplicated": "المفتاح الأمني غير مسموح له هذا الطلب. يرجى التأكد من أن المفتاح غير مسجل بالفعل.",
+	"webauthn.error.unable_to_process": "الخادم لا يمكنه معالجة طلبك.",
+	"webauthn.error.insecure": "ويب آوثن يدعم فقط الاتصالات الآمنة. للاختبار على HTTP، يمكنك استخدام \"localhost\" أو \"127.0.0.1\"",
+	"webauthn.error.unknown": "حدث خطأ غير معروف. من فضلك حاول مجدداً.",
+	"webauthn.unsupported_browser": "متصفحك لا يدعم ويب آوثن حالياً.",
+	"webauthn.error": "تعذر قراءة مفتاحك الأمني.",
+	"webauthn.use_twofa": "استخدم رمز المصادقة الموجود على هاتفك",
+	"webauthn.press_button": "من فضلك اضغط الزر على مفتاحك الأمني…",
+	"webauthn.sign_in": "اضغط الزر على مفتاحك الأمني إذا لم يكن لدى مفتاح الأمن الخاص بك أي زر، إعادة تشغيله.",
+	"webauthn.insert_key": "أدخل مفتاحك الأمني",
 	"counters.n_commits": {
 		"one": "%s إيداع",
 		"other": "%s إيداعات"
diff --git a/options/locale_next/locale_bg.json b/options/locale_next/locale_bg.json
index 5fdfec07d7..9b833c070d 100644
--- a/options/locale_next/locale_bg.json
+++ b/options/locale_next/locale_bg.json
@@ -1,4 +1,34 @@
 {
+	"admin.monitor.queue.type": "Тип",
+	"admin.monitor.queue": "Опашка: %s",
+	"admin.monitor.queues": "Опашки",
+	"markup.filepreview.lines": "Редове от %[1]d до %[2]d в %[3]s",
+	"markup.filepreview.line": "Ред %[1]d в %[2]s",
+	"actions.variables.update.success": "Променливата е редактирана.",
+	"actions.variables.update.failed": "Неуспешно редактиране на променлива.",
+	"actions.variables.creation.success": "Променливата „%s“ е добавена.",
+	"actions.variables.creation.failed": "Неуспешно добавяне на променлива.",
+	"actions.variables.deletion.success": "Променливата е премахната.",
+	"actions.variables.deletion.failed": "Неуспешно премахване на променлива.",
+	"actions.variables.not_found": "Променливата не е открита.",
+	"actions.variables.edit": "Редактиране на променливата",
+	"actions.variables.deletion": "Премахване на променливата",
+	"actions.variables.none": "Все още няма променливи.",
+	"actions.variables.creation": "Добавяне на променлива",
+	"actions.variables.management": "Управление на променливи",
+	"actions.variables": "Променливи",
+	"webauthn.error.timeout": "Времето за изчакване изтече преди ключът ви да бъде прочетен. Моля, презаредете страницата и опитайте отново.",
+	"webauthn.error.empty": "Трябва да зададете име за този ключ.",
+	"webauthn.error.duplicated": "Ключът за сигурност не е разрешен за тази заявка. Моля, уверете се, че ключът не е вече регистриран.",
+	"webauthn.error.unable_to_process": "Сървърът не можа да обработи заявката ви.",
+	"webauthn.error.insecure": "WebAuthn поддържа само сигурни връзки. За тестване през HTTP можете да използвате произход „localhost“ или „127.0.0.1“",
+	"webauthn.error.unknown": "Възникна неизвестна грешка. Моля, опитайте отново.",
+	"webauthn.unsupported_browser": "Вашият браузър в момента не поддържа WebAuthn.",
+	"webauthn.error": "Неуспешно прочитане на вашия ключ за сигурност.",
+	"webauthn.use_twofa": "Използвайте двуфакторен код от телефона си",
+	"webauthn.press_button": "Моля, натиснете бутона на вашия ключ за сигурност…",
+	"webauthn.sign_in": "Натиснете бутона на вашия ключ за сигурност. Ако ключът ви за сигурност няма бутон, поставете го отново.",
+	"webauthn.insert_key": "Поставете вашия ключ за сигурност",
 	"counters.n_commits": {
 		"one": "%s подаване",
 		"other": "%s подавания"
diff --git a/options/locale_next/locale_ca.json b/options/locale_next/locale_ca.json
index 554b1320aa..95db3f2943 100644
--- a/options/locale_next/locale_ca.json
+++ b/options/locale_next/locale_ca.json
@@ -1,4 +1,73 @@
 {
+	"admin.monitor.queue.type": "Tipus",
+	"admin.monitor.queue.name": "Nom",
+	"admin.users.list_status_filter.not_2fa_enabled": "A2F desactivada",
+	"admin.users.list_status_filter.is_2fa_enabled": "A2F activada",
+	"admin.users.list_status_filter.not_prohibit_login": "Inici de sessió permès",
+	"admin.users.list_status_filter.is_prohibit_login": "Inici de sessió prohibit",
+	"admin.users.list_status_filter.not_restricted": "No restringit",
+	"admin.users.list_status_filter.is_restricted": "Restringit",
+	"admin.users.list_status_filter.not_admin": "No administrador",
+	"admin.users.list_status_filter.is_admin": "Administrador",
+	"admin.users.list_status_filter.not_active": "Inactiu",
+	"admin.users.list_status_filter.is_active": "Actiu",
+	"admin.users.list_status_filter.reset": "Restaurar",
+	"admin.users.list_status_filter.menu_text": "Filtrar",
+	"admin.system_status.last_gc_pause": "Darrera pausa de GC",
+	"admin.system_status.total_gc_pause": "Pausa total de GC",
+	"admin.system_status.last_gc_time": "Temps des del darrer GC",
+	"admin.system_status.next_gc_recycle": "Proper cicle de GC",
+	"admin.system_status.gc_metadata_obtained": "Metadades del GC rebudes",
+	"admin.system_status.mcache_structures_obtained": "Estructures MCache rebudes",
+	"admin.system_status.mcache_structures_usage": "Ús de les estructures MCache",
+	"admin.system_status.mspan_structures_obtained": "Estructures MSpan rebudes",
+	"admin.system_status.mspan_structures_usage": "Ús de les estructures MSpan",
+	"admin.system_status.stack_memory_obtained": "Memòria de la pila (stack) rebuda",
+	"admin.system_status.bootstrap_stack_usage": "Ús de l'arrancada de la pila (stack)",
+	"admin.system_status.heap_objects": "Objectes del heap",
+	"admin.system_status.heap_memory_released": "Memòria del heap alliberada",
+	"admin.system_status.heap_memory_in_use": "Memòria del heap en ús",
+	"admin.system_status.heap_memory_idle": "Memòria del heap en repòs",
+	"admin.system_status.heap_memory_obtained": "Memòria de heap rebuda",
+	"admin.system_status.current_heap_usage": "Ús del heap actual",
+	"admin.system_status.memory_free_times": "Alliberaments de memòria",
+	"admin.system_status.memory_allocate_times": "Assignacions de memòria",
+	"admin.system_status.pointer_lookup_times": "Temps de consulta dels punters",
+	"admin.system_status.memory_obtained": "Memòria rebuda",
+	"admin.system_status.total_memory_allocated": "Total de memòria adjudicada",
+	"admin.system_status.current_memory_usage": "Ús de memòria actual",
+	"admin.system_status.current_goroutine": "Goroutines actuals",
+	"admin.system_status.server_uptime": "Temps de funcionament del servidor",
+	"markup.filepreview.truncated": "La vista prèvia s'ha truncat",
+	"markup.filepreview.lines": "Línies %[1]d a %[2]d en %[3]s",
+	"markup.filepreview.line": "Línia %[1]d a %[2]s",
+	"actions.variables.update.success": "S'ha editat la variable.",
+	"actions.variables.update.failed": "No s'ha pogut editar la variable.",
+	"actions.variables.creation.success": "S'ha afegit la variable \"%s\".",
+	"actions.variables.creation.failed": "No s'ha pogut afegir la variable.",
+	"actions.variables.deletion.success": "S'ha canviar el nom de la variable.",
+	"actions.variables.deletion.failed": "No s'ha pogut eliminar la variable.",
+	"actions.variables.not_found": "No s'ha trobat la variable.",
+	"actions.variables.edit": "Editar variable",
+	"actions.variables.description": "Les variables es passaran a certes accions i no es poden llegir altrament.",
+	"actions.variables.deletion.description": "Eliminar una variable és permanent i no es pot desfer. Continua?",
+	"actions.variables.deletion": "Eliminar variable",
+	"actions.variables.none": "Encara no hi ha variables.",
+	"actions.variables.creation": "Afegir variables",
+	"actions.variables.management": "Gestionar variables",
+	"actions.variables": "Variables",
+	"webauthn.error.timeout": "Temps d'espera finalitzar abans que la seva clau pogués ser llegida. Siusplau recarregueu la pàgina i torneu-ho a intentar.",
+	"webauthn.error.empty": "S'ha d'anomenar aquesta clau.",
+	"webauthn.error.duplicated": "La clau de seguretat no és permesa per aquesta sol·licitud. Si us plau, assegureu-vos que la clau encara no ha estat registrada.",
+	"webauthn.error.unable_to_process": "El servidor no ha pogut processar la vostra sol·licitud.",
+	"webauthn.error.insecure": "WebAuthn només suporta connexions segures. Per provar sobre HTTP, podeu utilitzar l'origen \"localhost\" o \"127.0.0.1\"",
+	"webauthn.error.unknown": "Hi ha hagut un error desconegut. Si us plau torneu-ho a intentar.",
+	"webauthn.unsupported_browser": "El teu navegador no suprta WebAuthn.",
+	"webauthn.error": "No s'ha pogut llegir la clau de seguretat.",
+	"webauthn.use_twofa": "Utilitza un codi de doble factor des del teu mòbil",
+	"webauthn.press_button": "Si us plau, premeu el botó a la vostra clau de seguretat…",
+	"webauthn.sign_in": "Premeu el botó a la vostra clau de seguretat. Si no en té, torneu-la a inserir.",
+	"webauthn.insert_key": "Inseriu la vostra clau de seguretat",
 	"counters.n_commits": {
 		"one": "%s commit",
 		"many": "%s commits",
diff --git a/options/locale_next/locale_cs-CZ.json b/options/locale_next/locale_cs-CZ.json
index b025aa8ccb..c62f8c5cc8 100644
--- a/options/locale_next/locale_cs-CZ.json
+++ b/options/locale_next/locale_cs-CZ.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Všechny položky ve frontě byly odstraněny.",
+	"admin.monitor.queue.settings.remove_all_items": "Odstranit vše",
+	"admin.monitor.queue.settings.changed": "Nastavení upravena",
+	"admin.monitor.queue.settings.submit": "Upravit nastavení",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Maximální počet workerů musí být číslo",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "V současné době %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Maximální počet workerů",
+	"admin.monitor.queue.settings.description": "Pooly dynamicky rostou podle blokování fronty jejich workerů.",
+	"admin.monitor.queue.settings.title": "Nastavení poolu",
+	"admin.monitor.queue.review_add": "Posoudit / přidat workery",
+	"admin.monitor.queue.numberinqueue": "Číslo ve frontě",
+	"admin.monitor.queue.maxnumberworkers": "Maximální počet workerů",
+	"admin.monitor.queue.activeworkers": "Aktivní workery",
+	"admin.monitor.queue.numberworkers": "Počet workerů",
+	"admin.monitor.queue.exemplar": "Typ vzoru",
+	"admin.monitor.queue.type": "Typ",
+	"admin.monitor.queue.name": "Název",
+	"admin.monitor.queue": "Fronta: %s",
+	"admin.monitor.queues": "Fronty",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA zakázáno",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA povoleno",
+	"admin.users.list_status_filter.not_prohibit_login": "Povolit přihlášení",
+	"admin.users.list_status_filter.is_prohibit_login": "Zakázat přihlášení",
+	"admin.users.list_status_filter.not_restricted": "Není omezen",
+	"admin.users.list_status_filter.is_restricted": "Omezeno",
+	"admin.users.list_status_filter.not_admin": "Není administrátor",
+	"admin.users.list_status_filter.is_admin": "Administrátor",
+	"admin.users.list_status_filter.not_active": "Neaktivní",
+	"admin.users.list_status_filter.is_active": "Aktivní",
+	"admin.users.list_status_filter.reset": "Obnovit",
+	"admin.users.list_status_filter.menu_text": "Filtr",
+	"admin.system_status.gc_times": "Časy GC",
+	"admin.system_status.last_gc_pause": "Poslední pauza GC",
+	"admin.system_status.total_gc_pause": "Celková pauza GC",
+	"admin.system_status.last_gc_time": "Doba od posledního GC",
+	"admin.system_status.next_gc_recycle": "Příští recyklace GC",
+	"admin.system_status.other_system_allocation_obtained": "Získaná alokace ostatních systémových prostředků",
+	"admin.system_status.gc_metadata_obtained": "Získaná metadata GC",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Získaná profilovací bucket hash tabulka",
+	"admin.system_status.mcache_structures_obtained": "Získané struktury MCache",
+	"admin.system_status.mcache_structures_usage": "Využití struktur MCache",
+	"admin.system_status.mspan_structures_obtained": "Získané struktury MSpan",
+	"admin.system_status.mspan_structures_usage": "Užití struktur MSpan",
+	"admin.system_status.stack_memory_obtained": "Celková získaná pamět zásobníku",
+	"admin.system_status.bootstrap_stack_usage": "Využití zásobníku prvotního zavedení",
+	"admin.system_status.heap_objects": "Objekty zásobníku",
+	"admin.system_status.heap_memory_released": "Uvolněná paměť zásobníku",
+	"admin.system_status.heap_memory_in_use": "Používaná paměť zásobníku",
+	"admin.system_status.heap_memory_idle": "Nečinná paměť zásobníku",
+	"admin.system_status.heap_memory_obtained": "Získaná paměť zásobníku",
+	"admin.system_status.current_heap_usage": "Aktuální využití paměti zásobníku",
+	"admin.system_status.memory_free_times": "Uvolnění paměti",
+	"admin.system_status.memory_allocate_times": "Alokace paměti",
+	"admin.system_status.pointer_lookup_times": "Časy vyhledávání ukazatelů",
+	"admin.system_status.memory_obtained": "Získaná paměť",
+	"admin.system_status.total_memory_allocated": "Celková přidělená paměť",
+	"admin.system_status.current_memory_usage": "Aktuální využití paměti",
+	"admin.system_status.current_goroutine": "Aktuální goroutines",
+	"admin.system_status.server_uptime": "Doba provozu serveru",
+	"markup.filepreview.truncated": "Náhled byl zkrácen",
+	"markup.filepreview.lines": "Řádky %[1]d až %[2]d v souboru %[3]s",
+	"markup.filepreview.line": "Řádek %[1]d v souboru %[2]s",
+	"actions.variables.update.success": "Proměnná byla upravena.",
+	"actions.variables.update.failed": "Úprava proměnné se nezdařila.",
+	"actions.variables.creation.success": "Proměnná „%s“ byla přidána.",
+	"actions.variables.creation.failed": "Přidání proměnné se nezdařilo.",
+	"actions.variables.deletion.success": "Proměnná byla odstraněna.",
+	"actions.variables.deletion.failed": "Nepodařilo se odstranit proměnnou.",
+	"actions.variables.not_found": "Nepodařilo se najít proměnnou.",
+	"actions.variables.edit": "Upravit proměnnou",
+	"actions.variables.description": "Proměnné budou předány určitým akcím a nelze je přečíst jinak.",
+	"actions.variables.deletion.description": "Odstranění proměnné je trvalé a nelze jej vrátit zpět. Pokračovat?",
+	"actions.variables.deletion": "Odstranit proměnnou",
+	"actions.variables.none": "Zatím zde nejsou žádné proměnné.",
+	"actions.variables.creation": "Přidat proměnnou",
+	"actions.variables.management": "Správa proměnných",
+	"actions.variables": "Proměnné",
+	"webauthn.error.timeout": "Požadavek vypršel dříve, než se podařilo přečíst váš klíč. Znovu načtěte tuto stránku a akci opakujte.",
+	"webauthn.error.empty": "Musíte nastavit název tohoto klíče.",
+	"webauthn.error.duplicated": "Bezpečnostní klíč není pro tento požadavek povolen. Ujistěte se prosím, zda klíč již není registrován.",
+	"webauthn.error.unable_to_process": "Server nemohl zpracovat váš požadavek.",
+	"webauthn.error.insecure": "WebAuthn podporuje pouze zabezpečená připojení. Pro testování přes HTTP můžete použít výchozí „localhost“ nebo „127.0.0.1“",
+	"webauthn.error.unknown": "Došlo k neznámé chybě. Opakujte akci.",
+	"webauthn.unsupported_browser": "Váš prohlížeč momentálně nepodporuje WebAuthn.",
+	"webauthn.error": "Nepodařilo se přečíst váš bezpečnostní klíč.",
+	"webauthn.use_twofa": "Použít dvoufaktorový kód z vašeho telefonu",
+	"webauthn.press_button": "Stiskněte tlačítko na bezpečnostním klíči…",
+	"webauthn.sign_in": "Stiskněte tlačítko na svém bezpečnostním klíči. Pokud bezpečnostní klíč nemá žádné tlačítko, vložte jej znovu.",
+	"webauthn.insert_key": "Vložte svůj bezpečnostní klíč",
 	"counters.n_commits": {
 		"one": "%s revize",
 		"few": "%s revize",
diff --git a/options/locale_next/locale_da.json b/options/locale_next/locale_da.json
index 3244a0cc7c..d863f0529d 100644
--- a/options/locale_next/locale_da.json
+++ b/options/locale_next/locale_da.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Alle varer i køen er blevet fjernet.",
+	"admin.monitor.queue.settings.remove_all_items": "Slet alle",
+	"admin.monitor.queue.settings.changed": "Indstillinger opdateret",
+	"admin.monitor.queue.settings.submit": "Opdater indstillinger",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Max antal arbejdere skal være et tal",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "I øjeblikket %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Max antal arbejdere",
+	"admin.monitor.queue.settings.description": "Puljer vokser dynamisk som reaktion på deres blokering af arbejderkø.",
+	"admin.monitor.queue.settings.title": "Pool indstillinger",
+	"admin.monitor.queue.review_add": "Gennemgå / tilføj arbejdere",
+	"admin.monitor.queue.numberinqueue": "Nummer i kø",
+	"admin.monitor.queue.maxnumberworkers": "Max antal arbejdere",
+	"admin.monitor.queue.activeworkers": "Aktive arbejdere",
+	"admin.monitor.queue.numberworkers": "Antal arbejdere",
+	"admin.monitor.queue.exemplar": "Eksempler type",
+	"admin.monitor.queue.type": "Type",
+	"admin.monitor.queue.name": "Navn",
+	"admin.monitor.queue": "Kø: %s",
+	"admin.monitor.queues": "Køer",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA deaktiveret",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA aktiveret",
+	"admin.users.list_status_filter.not_prohibit_login": "Tillad login",
+	"admin.users.list_status_filter.is_prohibit_login": "Forbyd login",
+	"admin.users.list_status_filter.not_restricted": "Ikke begrænset",
+	"admin.users.list_status_filter.is_restricted": "Begrænset",
+	"admin.users.list_status_filter.not_admin": "Ikke admin",
+	"admin.users.list_status_filter.is_admin": "Admin",
+	"admin.users.list_status_filter.not_active": "Inaktiv",
+	"admin.users.list_status_filter.is_active": "Aktiv",
+	"admin.users.list_status_filter.reset": "Nulstil",
+	"admin.users.list_status_filter.menu_text": "Filter",
+	"admin.system_status.gc_times": "GC times",
+	"admin.system_status.last_gc_pause": "Sidste GC-pause",
+	"admin.system_status.total_gc_pause": "Total GC-pause",
+	"admin.system_status.last_gc_time": "Tid siden sidste GC",
+	"admin.system_status.next_gc_recycle": "Næste GC genbrug",
+	"admin.system_status.other_system_allocation_obtained": "Anden systemallokering opnået",
+	"admin.system_status.gc_metadata_obtained": "GC-metadata opnået",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profilering bucket hash tabel opnået",
+	"admin.system_status.mcache_structures_obtained": "MCache-strukturer opnået",
+	"admin.system_status.mcache_structures_usage": "MCache strukturer brug",
+	"admin.system_status.mspan_structures_obtained": "Mspan strukturer opnået",
+	"admin.system_status.mspan_structures_usage": "MSpan strukturer brug",
+	"admin.system_status.stack_memory_obtained": "Stakhukommelse opnået",
+	"admin.system_status.bootstrap_stack_usage": "Brug af bootstrap-stak",
+	"admin.system_status.heap_objects": "Heap genstande",
+	"admin.system_status.heap_memory_released": "Heap-hukommelse frigivet",
+	"admin.system_status.heap_memory_in_use": "Heap hukommelse i brug",
+	"admin.system_status.heap_memory_idle": "Heap hukommelse inaktiv",
+	"admin.system_status.heap_memory_obtained": "Heap-hukommelse opnået",
+	"admin.system_status.current_heap_usage": "Nuværende heap-brug",
+	"admin.system_status.memory_free_times": "Hukommelses frigørelse",
+	"admin.system_status.memory_allocate_times": "Hukommelsestildelinger",
+	"admin.system_status.pointer_lookup_times": "Pointer-opslagstider",
+	"admin.system_status.memory_obtained": "Hukommelse opnået",
+	"admin.system_status.total_memory_allocated": "Samlet hukommelse tildelt",
+	"admin.system_status.current_memory_usage": "Aktuel hukommelsesbrug",
+	"admin.system_status.current_goroutine": "Nuværende goroutiner",
+	"admin.system_status.server_uptime": "Server oppetid",
+	"markup.filepreview.truncated": "Forhåndsvisningen er blevet afkortet",
+	"markup.filepreview.lines": "Linjer %[1]d til %[2]d i %[3]s",
+	"markup.filepreview.line": "Linje %[1]d i %[2]s",
+	"actions.variables.update.success": "Variablen er blevet redigeret.",
+	"actions.variables.update.failed": "Variablen kunne ikke redigeres.",
+	"actions.variables.creation.success": "Variablen \"%s\" er blevet tilføjet.",
+	"actions.variables.creation.failed": "Kunne ikke tilføje variabel.",
+	"actions.variables.deletion.success": "Variablen er blevet fjernet.",
+	"actions.variables.deletion.failed": "Variablen kunne ikke fjernes.",
+	"actions.variables.not_found": "Variablen kunne ikke findes.",
+	"actions.variables.edit": "Rediger variabel",
+	"actions.variables.description": "Variabler vil blive videregivet til visse handlinger og kan ikke læses på anden vis.",
+	"actions.variables.deletion.description": "Fjernelse af en variabel er permanent og kan ikke fortrydes. Vil du fortsætte?",
+	"actions.variables.deletion": "Fjern variabel",
+	"actions.variables.none": "Der er ingen variabler endnu.",
+	"actions.variables.creation": "Tilføj variabel",
+	"actions.variables.management": "Administrer variabler",
+	"actions.variables": "Variabler",
+	"webauthn.error.timeout": "Timeout nået, før din nøgle kunne læses. Genindlæs denne side og prøv igen.",
+	"webauthn.error.empty": "Du skal angive et navn for denne nøgle.",
+	"webauthn.error.duplicated": "Sikkerhedsnøglen er ikke tilladt for denne anmodning. Sørg for, at nøglen ikke allerede er registreret.",
+	"webauthn.error.unable_to_process": "Serveren kunne ikke behandle din anmodning.",
+	"webauthn.error.insecure": "WebAuthn understøtter kun sikre forbindelser. Til test over HTTP kan du bruge oprindelsen \"localhost\" eller \"127.0.0.1\"",
+	"webauthn.error.unknown": "Der opstod en ukendt fejl. Prøv venligst igen.",
+	"webauthn.unsupported_browser": "Din browser understøtter i øjeblikket ikke WebAuthn.",
+	"webauthn.error": "Kunne ikke læse din sikkerhedsnøgle.",
+	"webauthn.use_twofa": "Brug en tofaktorkode fra din telefon",
+	"webauthn.press_button": "Tryk venligst på knappen på din sikkerhedsnøgle…",
+	"webauthn.sign_in": "Tryk på knappen på din sikkerhedsnøgle. Hvis din sikkerhedsnøgle ikke har nogen knap, skal du indsætte den igen.",
+	"webauthn.insert_key": "Indsæt din sikkerhedsnøgle",
 	"counters.n_commits": {
 		"one": "%s commit",
 		"other": "%s commits"
diff --git a/options/locale_next/locale_de-DE.json b/options/locale_next/locale_de-DE.json
index 5e4b3784d7..b2ab8e138e 100644
--- a/options/locale_next/locale_de-DE.json
+++ b/options/locale_next/locale_de-DE.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Alle Elemente in der Warteschlange wurden entfernt.",
+	"admin.monitor.queue.settings.remove_all_items": "Alle entfernen",
+	"admin.monitor.queue.settings.changed": "Einstellungen aktualisiert",
+	"admin.monitor.queue.settings.submit": "Einstellungen aktualisieren",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Die Anzahl der Worker muss eine Zahl sein",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Derzeit %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Maximale Anzahl an Workern",
+	"admin.monitor.queue.settings.description": "Pools wachsen dynamisch basierend auf der Blockierung der Arbeitswarteschlange.",
+	"admin.monitor.queue.settings.title": "Pool-Einstellungen",
+	"admin.monitor.queue.review_add": "Worker hinzufügen/prüfen",
+	"admin.monitor.queue.numberinqueue": "Anzahl in der Warteschlange",
+	"admin.monitor.queue.maxnumberworkers": "Maximale Anzahl der Worker",
+	"admin.monitor.queue.activeworkers": "Aktive Worker",
+	"admin.monitor.queue.numberworkers": "Anzahl der Worker",
+	"admin.monitor.queue.exemplar": "Beispieltyp",
+	"admin.monitor.queue.type": "Typ",
+	"admin.monitor.queue.name": "Name",
+	"admin.monitor.queue": "Warteschlange: %s",
+	"admin.monitor.queues": "Warteschlangen",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA deaktiviert",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA aktiviert",
+	"admin.users.list_status_filter.not_prohibit_login": "Anmelden erlaubt",
+	"admin.users.list_status_filter.is_prohibit_login": "Anmelden verbieten",
+	"admin.users.list_status_filter.not_restricted": "Unbegrenzt",
+	"admin.users.list_status_filter.is_restricted": "Eingeschränkt",
+	"admin.users.list_status_filter.not_admin": "Nicht-Administrator",
+	"admin.users.list_status_filter.is_admin": "Administrator",
+	"admin.users.list_status_filter.not_active": "Inaktiv",
+	"admin.users.list_status_filter.is_active": "Aktiv",
+	"admin.users.list_status_filter.reset": "Zurücksetzen",
+	"admin.users.list_status_filter.menu_text": "Filter",
+	"admin.system_status.gc_times": "GC-Zeiten",
+	"admin.system_status.last_gc_pause": "Letzte GC-Pause",
+	"admin.system_status.total_gc_pause": "Gesamte GC-Pause",
+	"admin.system_status.last_gc_time": "Seit letztem GC-Zyklus",
+	"admin.system_status.next_gc_recycle": "Nächster GC-Zyklus",
+	"admin.system_status.other_system_allocation_obtained": "Andere erhaltene System-Allokationen",
+	"admin.system_status.gc_metadata_obtained": "Erhaltene GC-Metadaten",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Erhaltene Analysesatz-Hashtabellen",
+	"admin.system_status.mcache_structures_obtained": "Erhaltene MCache-Structures",
+	"admin.system_status.mcache_structures_usage": "MCache-Structures-Auslastung",
+	"admin.system_status.mspan_structures_obtained": "Erhaltene MSpan-Structures",
+	"admin.system_status.mspan_structures_usage": "MSpan-Structures-Auslastung",
+	"admin.system_status.stack_memory_obtained": "Erhaltener Stack-Arbeitsspeicher",
+	"admin.system_status.bootstrap_stack_usage": "Bootstrap-Stack-Auslastung",
+	"admin.system_status.heap_objects": "Heap-Objekte",
+	"admin.system_status.heap_memory_released": "Freigegebener Heap-Arbeitsspeicher",
+	"admin.system_status.heap_memory_in_use": "Benutzter-Heap-Arbeitsspeicher",
+	"admin.system_status.heap_memory_idle": "Unbenutzter Heap-Arbeitsspeicher",
+	"admin.system_status.heap_memory_obtained": "Erhaltener Heap-Arbeitsspeicher",
+	"admin.system_status.current_heap_usage": "Aktuelle Heap-Auslastung",
+	"admin.system_status.memory_free_times": "Speicherfreigaben",
+	"admin.system_status.memory_allocate_times": "Speicheranforderungen",
+	"admin.system_status.pointer_lookup_times": "Anzahl Zeigerlookups",
+	"admin.system_status.memory_obtained": "Erhaltener Speicher",
+	"admin.system_status.total_memory_allocated": "Zugeteilter Gesamtspeicher",
+	"admin.system_status.current_memory_usage": "Aktuelle Speichernutzung",
+	"admin.system_status.current_goroutine": "Aktuelle Goroutinen",
+	"admin.system_status.server_uptime": "Server-Uptime",
+	"markup.filepreview.truncated": "Vorschau wurde gekürzt",
+	"markup.filepreview.lines": "Zeilen %[1]d bis %[2]d in %[3]s",
+	"markup.filepreview.line": "Zeile %[1]d in %[2]s",
+	"actions.variables.update.success": "Die Variable wurde bearbeitet.",
+	"actions.variables.update.failed": "Fehler beim Bearbeiten der Variable.",
+	"actions.variables.creation.success": "Die Variable „%s“ wurde hinzugefügt.",
+	"actions.variables.creation.failed": "Fehler beim Hinzufügen der Variable.",
+	"actions.variables.deletion.success": "Die Variable wurde entfernt.",
+	"actions.variables.deletion.failed": "Fehler beim Entfernen der Variable.",
+	"actions.variables.not_found": "Die Variable wurde nicht gefunden.",
+	"actions.variables.edit": "Variable bearbeiten",
+	"actions.variables.description": "Variablen werden an bestimmte Aktionen übergeben und können nicht anderweitig gelesen werden.",
+	"actions.variables.deletion.description": "Das Entfernen einer Variable ist dauerhaft und kann nicht rückgängig gemacht werden. Fortfahren?",
+	"actions.variables.deletion": "Variable entfernen",
+	"actions.variables.none": "Es gibt noch keine Variablen.",
+	"actions.variables.creation": "Variable hinzufügen",
+	"actions.variables.management": "Variablen verwalten",
+	"actions.variables": "Variablen",
+	"webauthn.error.timeout": "Das Zeitlimit wurde erreicht, bevor dein Schlüssel gelesen werden konnte. Bitte lade die Seite erneut.",
+	"webauthn.error.empty": "Du musst einen Namen für diesen Schlüssel festlegen.",
+	"webauthn.error.duplicated": "Für diese Anfrage ist der Sicherheitsschlüssel nicht erlaubt. Bitte stell sicher, dass er nicht bereits registriert ist.",
+	"webauthn.error.unable_to_process": "Der Server konnte deine Anfrage nicht bearbeiten.",
+	"webauthn.error.insecure": "WebAuthn unterstützt nur sichere Verbindungen. Zum Testen über HTTP kannst du „localhost“ oder „127.0.0.1“ als Host verwenden",
+	"webauthn.error.unknown": "Ein unbekannter Fehler ist aufgetreten. Bitte versuche es erneut.",
+	"webauthn.unsupported_browser": "Dein Browser unterstützt derzeit kein WebAuthn.",
+	"webauthn.error": "Dein Sicherheitsschlüssel konnte nicht gelesen werden.",
+	"webauthn.use_twofa": "Zwei-Faktor-Authentifizierung via Handy verwenden",
+	"webauthn.press_button": "Drücke den Knopf auf deinem Sicherheitsschlüssel …",
+	"webauthn.sign_in": "Drücke den Knopf auf deinem Sicherheitsschlüssel. Wenn dein Sicherheitsschlüssel keinen Knopf hat, stecke ihn erneut ein.",
+	"webauthn.insert_key": "Hardware-Sicherheitsschlüssel einstecken",
 	"counters.n_commits": {
 		"one": "%s Commit",
 		"other": "%s Commits"
diff --git a/options/locale_next/locale_el-GR.json b/options/locale_next/locale_el-GR.json
index f29e36bb2b..ee9e48e977 100644
--- a/options/locale_next/locale_el-GR.json
+++ b/options/locale_next/locale_el-GR.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Όλα τα αντικείμενα στην ουρά αφαιρέθηκαν.",
+	"admin.monitor.queue.settings.remove_all_items": "Αφαίρεση όλων",
+	"admin.monitor.queue.settings.changed": "Οι ρυθμίσεις ενημερώθηκαν",
+	"admin.monitor.queue.settings.submit": "Ενημέρωση ρυθμίσεων",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Ο μέγιστος αριθμός εργατών πρέπει να είναι αριθμός",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Αυτή τη στιγμή %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Μέγιστος Αριθμός Εργατών",
+	"admin.monitor.queue.settings.description": "Οι δεξαμενές αυξάνονται δυναμικά όταν υπάρχει φραγή της ουράς των εργατών τους.",
+	"admin.monitor.queue.settings.title": "Ρυθμίσεις δεξαμενής",
+	"admin.monitor.queue.review_add": "Εξέταση / προσθήκη εργατών",
+	"admin.monitor.queue.numberinqueue": "Πλήθος ουράς",
+	"admin.monitor.queue.maxnumberworkers": "Μέγιστος αριθμός εργατών",
+	"admin.monitor.queue.activeworkers": "Ενεργοί εργάτες",
+	"admin.monitor.queue.numberworkers": "Αριθμός εργατών",
+	"admin.monitor.queue.exemplar": "Τύπος Υποδείγματος",
+	"admin.monitor.queue.type": "Τύπος",
+	"admin.monitor.queue.name": "Όνομα",
+	"admin.monitor.queue": "Ουρά: %s",
+	"admin.monitor.queues": "Ουρές",
+	"admin.users.list_status_filter.not_2fa_enabled": "Χωρίς 2FA",
+	"admin.users.list_status_filter.is_2fa_enabled": "Με ενεργοποιημένο 2FA",
+	"admin.users.list_status_filter.not_prohibit_login": "Επιτρέπεται η σύνδεση",
+	"admin.users.list_status_filter.is_prohibit_login": "Απαγορευμένη σύνδεση",
+	"admin.users.list_status_filter.not_restricted": "Χωρίς περιορισμούς",
+	"admin.users.list_status_filter.is_restricted": "Περιορισμένος",
+	"admin.users.list_status_filter.not_admin": "Χωρίς δικαιώματα διαχειριστή",
+	"admin.users.list_status_filter.is_admin": "Διαχειριστής",
+	"admin.users.list_status_filter.not_active": "Ανενεργό",
+	"admin.users.list_status_filter.is_active": "Ενεργό",
+	"admin.users.list_status_filter.reset": "Επαναφορά",
+	"admin.users.list_status_filter.menu_text": "Φίλτρο",
+	"admin.system_status.gc_times": "Χρόνοι GC",
+	"admin.system_status.last_gc_pause": "Τελευταία παύση GC",
+	"admin.system_status.total_gc_pause": "Σύνολο παύσης GC",
+	"admin.system_status.last_gc_time": "Χρόνος από την τελευταία φορά που έγινε GC",
+	"admin.system_status.next_gc_recycle": "Επόμενη ανακύκλωση GC",
+	"admin.system_status.other_system_allocation_obtained": "Άλλες κατανομές συστήματος που έχουν ληφθεί",
+	"admin.system_status.gc_metadata_obtained": "Μεταδεδομένα GC που έχουν ληφθεί",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profiling bucket hash table που έχει ληφθεί",
+	"admin.system_status.mcache_structures_obtained": "Δομές MCache που έχουν ληφθεί",
+	"admin.system_status.mcache_structures_usage": "Χρήση δομών MCache",
+	"admin.system_status.mspan_structures_obtained": "Δομές MSpan που έχουν ληφθεί",
+	"admin.system_status.mspan_structures_usage": "Χρήση δομών MSpan",
+	"admin.system_status.stack_memory_obtained": "Μνήμη στοίβας που λαμβάνεται",
+	"admin.system_status.bootstrap_stack_usage": "Χρήση στοίβας bootstrap",
+	"admin.system_status.heap_objects": "Αντικείμενα στο heap",
+	"admin.system_status.heap_memory_released": "Μνήμη heap που απελευθερώθηκε",
+	"admin.system_status.heap_memory_in_use": "Μνήμη heap σε χρήση",
+	"admin.system_status.heap_memory_idle": "Αδρανής μνήμη heap",
+	"admin.system_status.heap_memory_obtained": "Μνήμη heap που λαμβάνεται",
+	"admin.system_status.current_heap_usage": "Τρέχουσα χρήση heap",
+	"admin.system_status.memory_free_times": "Ελευθερώσεις μνήμης",
+	"admin.system_status.memory_allocate_times": "Κατανομές μνήμης",
+	"admin.system_status.pointer_lookup_times": "Πλήθος αναζητήσεων δείκτη",
+	"admin.system_status.memory_obtained": "Μνήμη που λαμβάνεται",
+	"admin.system_status.total_memory_allocated": "Συνολική χρησιμοποιούμενη μνήμη",
+	"admin.system_status.current_memory_usage": "Τρέχουσα χρήση μνήμης",
+	"admin.system_status.current_goroutine": "Τρέχουσες goroutines",
+	"admin.system_status.server_uptime": "Uptime διακομιστή",
+	"markup.filepreview.truncated": "Η προεπισκόπηση έχει περικοπεί",
+	"markup.filepreview.lines": "Γραμμές %[1]d έως %[2]d στο αρχείο %[3]s",
+	"markup.filepreview.line": "Γραμμή %[1]d στο αρχείο %[2]s",
+	"actions.variables.update.success": "Η μεταβλητή έχει τροποποιηθεί.",
+	"actions.variables.update.failed": "Αποτυχία επεξεργασίας μεταβλητής.",
+	"actions.variables.creation.success": "Η μεταβλητή «%s» προστέθηκε.",
+	"actions.variables.creation.failed": "Αποτυχία προσθήκης μεταβλητής.",
+	"actions.variables.deletion.success": "Η μεταβλητή έχει αφαιρεθεί.",
+	"actions.variables.deletion.failed": "Αποτυχία αφαίρεσης της μεταβλητής.",
+	"actions.variables.not_found": "Αποτυχία εύρεσης της μεταβλητής.",
+	"actions.variables.edit": "Επεξεργασία Μεταβλητής",
+	"actions.variables.description": "Η μεταβλητές θα δίνονται σε ορισμένες δράσεις και δεν μπορούν να διαβαστούν αλλιώς.",
+	"actions.variables.deletion.description": "Η αφαίρεση μιας μεταβλητής είναι μόνιμη και δεν μπορεί να αναιρεθεί. Συνέχεια;",
+	"actions.variables.deletion": "Αφαίρεση μεταβλητής",
+	"actions.variables.none": "Δεν υπάρχουν ακόμα μεταβλητές.",
+	"actions.variables.creation": "Προσθήκη μεταβλητή",
+	"actions.variables.management": "Διαχείριση μεταβλητών",
+	"actions.variables": "Μεταβλητές",
+	"webauthn.error.timeout": "Το χρονικό όριο έφτασε πριν το κλειδί να διαβαστεί. Παρακαλώ ανανεώστε τη σελίδα και προσπαθήστε ξανά.",
+	"webauthn.error.empty": "Πρέπει να ορίσετε ένα όνομα για αυτό το κλειδί.",
+	"webauthn.error.duplicated": "Το κλειδί ασφαλείας δεν επιτρέπεται για αυτό το αίτημα. Βεβαιωθείτε ότι το κλειδί δεν έχει ήδη καταχωρηθεί.",
+	"webauthn.error.unable_to_process": "Ο διακομιστής δεν μπόρεσε να επεξεργαστεί το αίτημά σας.",
+	"webauthn.error.insecure": "Το WebAuthn υποστηρίζει μόνο ασφαλές συνδέσεις. Αν θέλετε να διεξάγετε δοκιμές μέσω HTTP, μπορείτε να χρησιμοποιήσετε την προέλευση «localhost» ή «127.0.0.1»",
+	"webauthn.error.unknown": "Παρουσιάστηκε ένα άγνωστο σφάλμα. Παρακαλώ προσπαθήστε ξανά.",
+	"webauthn.unsupported_browser": "Το πρόγραμμα περιήγησής σας δεν υποστηρίζει επί του παρόντος WebAuthn.",
+	"webauthn.error": "Δεν ήταν δυνατή η επικοινωνία με το κλειδί ασφαλείας σας.",
+	"webauthn.use_twofa": "Χρησιμοποιήστε έναν κωδικό δύο παραγόντων από το τηλέφωνό σας",
+	"webauthn.press_button": "Παρακαλώ πατήστε το κουμπί στο κλειδί ασφαλείας…",
+	"webauthn.sign_in": "Πατήστε το κουμπί στο κλειδί ασφαλείας σας. Αν το κλειδί ασφαλείας σας δεν έχει κουμπί, αποσυνδέστε το και συνδέστε το ξανά.",
+	"webauthn.insert_key": "Εισάγετε το κλειδί ασφαλείας σας",
 	"counters.n_commits": {
 		"one": "%s υποβολή",
 		"other": "%s υποβολές"
diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index f3ac162fac..9631c43ad4 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -180,6 +180,65 @@
 	"admin.moderation.reports": "Reports",
 	"admin.moderation.no_open_reports": "There are currently no open reports.",
 	"admin.moderation.deleted_content_ref": "Reported content with type %[1]v and id %[2]d no longer exists",
+	"admin.system_status.server_uptime": "Server uptime",
+	"admin.system_status.current_goroutine": "Current goroutines",
+	"admin.system_status.current_memory_usage": "Current memory usage",
+	"admin.system_status.total_memory_allocated": "Total memory allocated",
+	"admin.system_status.memory_obtained": "Memory obtained",
+	"admin.system_status.pointer_lookup_times": "Pointer lookup times",
+	"admin.system_status.memory_allocate_times": "Memory allocations",
+	"admin.system_status.memory_free_times": "Memory frees",
+	"admin.system_status.current_heap_usage": "Current heap usage",
+	"admin.system_status.heap_memory_obtained": "Heap memory obtained",
+	"admin.system_status.heap_memory_idle": "Heap memory idle",
+	"admin.system_status.heap_memory_in_use": "Heap memory in use",
+	"admin.system_status.heap_memory_released": "Heap memory released",
+	"admin.system_status.heap_objects": "Heap objects",
+	"admin.system_status.bootstrap_stack_usage": "Bootstrap stack usage",
+	"admin.system_status.stack_memory_obtained": "Stack memory obtained",
+	"admin.system_status.mspan_structures_usage": "MSpan structures usage",
+	"admin.system_status.mspan_structures_obtained": "MSpan structures obtained",
+	"admin.system_status.mcache_structures_usage": "MCache structures usage",
+	"admin.system_status.mcache_structures_obtained": "MCache structures obtained",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profiling bucket hash table obtained",
+	"admin.system_status.gc_metadata_obtained": "GC metadata obtained",
+	"admin.system_status.other_system_allocation_obtained": "Other system allocation obtained",
+	"admin.system_status.next_gc_recycle": "Next GC recycle",
+	"admin.system_status.last_gc_time": "Time since last GC",
+	"admin.system_status.total_gc_pause": "Total GC pause",
+	"admin.system_status.last_gc_pause": "Last GC pause",
+	"admin.system_status.gc_times": "GC times",
+	"admin.users.list_status_filter.menu_text": "Filter",
+	"admin.users.list_status_filter.reset": "Reset",
+	"admin.users.list_status_filter.is_active": "Active",
+	"admin.users.list_status_filter.not_active": "Inactive",
+	"admin.users.list_status_filter.is_admin": "Admin",
+	"admin.users.list_status_filter.not_admin": "Not admin",
+	"admin.users.list_status_filter.is_restricted": "Restricted",
+	"admin.users.list_status_filter.not_restricted": "Not restricted",
+	"admin.users.list_status_filter.is_prohibit_login": "Prohibit login",
+	"admin.users.list_status_filter.not_prohibit_login": "Allow login",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA enabled",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA disabled",
+	"admin.monitor.queues": "Queues",
+	"admin.monitor.queue": "Queue: %s",
+	"admin.monitor.queue.name": "Name",
+	"admin.monitor.queue.type": "Type",
+	"admin.monitor.queue.exemplar": "Exemplar Type",
+	"admin.monitor.queue.numberworkers": "Number of workers",
+	"admin.monitor.queue.activeworkers": "Active workers",
+	"admin.monitor.queue.maxnumberworkers": "Max Number of workers",
+	"admin.monitor.queue.numberinqueue": "Number in queue",
+	"admin.monitor.queue.review_add": "Review / add workers",
+	"admin.monitor.queue.settings.title": "Pool settings",
+	"admin.monitor.queue.settings.description": "Pools dynamically grow in response to their worker queue blocking.",
+	"admin.monitor.queue.settings.maxnumberworkers": "Max Number of workers",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Currently %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Max number of workers must be a number",
+	"admin.monitor.queue.settings.submit": "Update settings",
+	"admin.monitor.queue.settings.changed": "Settings updated",
+	"admin.monitor.queue.settings.remove_all_items": "Remove all",
+	"admin.monitor.queue.settings.remove_all_items.success": "All items in the queue have been removed.",
 	"moderation.report.mark_as_handled": "Mark as handled",
 	"moderation.report.mark_as_ignored": "Mark as ignored",
 	"moderation.action.account.delete": "Delete account",
@@ -259,6 +318,18 @@
 	"settings.access_token.resource_public_only_help": "Limit access to repositories and organizations that are public.",
 	"settings.access_token.resource_specific_repo_help": "Limit access to a specific list of repositories. Read-only access is permitted to all public repositories. Only permissions that allow access to repositories and issues can be enabled.",
 	"settings.access_token.admin_disabled": "Administrative permissions are disabled.",
+	"webauthn.insert_key": "Insert your security key",
+	"webauthn.sign_in": "Press the button on your security key. If your security key has no button, re-insert it.",
+	"webauthn.press_button": "Please press the button on your security key…",
+	"webauthn.use_twofa": "Use a two-factor code from your phone",
+	"webauthn.error": "Could not read your security key.",
+	"webauthn.error.unknown": "An unknown error occurred. Please retry.",
+	"webauthn.error.insecure": "WebAuthn only supports secure connections. For testing over HTTP, you can use the origin \"localhost\" or \"127.0.0.1\"",
+	"webauthn.error.unable_to_process": "The server could not process your request.",
+	"webauthn.error.duplicated": "The security key is not permitted for this request. Please make sure that the key is not already registered.",
+	"webauthn.error.empty": "You must set a name for this key.",
+	"webauthn.error.timeout": "Timeout reached before your key could be read. Please reload this page and retry.",
+	"webauthn.unsupported_browser": "Your browser does not currently support WebAuthn.",
 	"error.must_enable_2fa": "This Forgejo instance requires users to enable two-factor authentication before they can access their accounts. Enable it at: %s",
 	"avatar.constraints_hint": "Custom avatar may not exceed %[1]s in size or be larger than %[2]dx%[3]d pixels",
 	"user.activitypub_feed.feed": "Fediverse Feed",
@@ -623,6 +694,21 @@
 	"actions.secrets.creation.value_description": "The value of a secret can be any text. Special characters are retained. CRLF (Windows-style line breaks) is automatically converted to LF. Encode the value with Base64 if linebreaks should be retained.",
 	"actions.variables.mutation.name_description": "The name of a variable can only contain letters, numbers, and underscores. It cannot be named CI or start with FORGEJO_, GITEA_, GITHUB_, or a number. Forgejo will automatically convert it to uppercase.",
 	"actions.variables.mutation.value_description": "A variable's value can be any text. Special characters are retained. CRLF (Windows-style line breaks) is automatically converted to LF. Encode the value with Base64 if linebreaks should be retained.",
+	"actions.variables": "Variables",
+	"actions.variables.management": "Manage variables",
+	"actions.variables.creation": "Add variable",
+	"actions.variables.creation.failed": "Failed to add variable.",
+	"actions.variables.creation.success": "The variable \"%s\" has been added.",
+	"actions.variables.none": "There are no variables yet.",
+	"actions.variables.deletion": "Remove variable",
+	"actions.variables.deletion.description": "Removing a variable is permanent and cannot be undone. Continue?",
+	"actions.variables.deletion.failed": "Failed to remove variable.",
+	"actions.variables.deletion.success": "The variable has been removed.",
+	"actions.variables.description": "Variables will be passed to certain actions and cannot be read otherwise.",
+	"actions.variables.edit": "Edit Variable",
+	"actions.variables.not_found": "Failed to find the variable.",
+	"actions.variables.update.failed": "Failed to edit variable.",
+	"actions.variables.update.success": "The variable has been edited.",
 	"actions.secrets.edit_button": "Edit secret \"%s\"",
 	"actions.secrets.mutation.header": "Edit secret \"%s\"",
 	"actions.secrets.mutation.success_message": "The secret \"%s\" has been updated.",
@@ -659,6 +745,9 @@
 	"editor.toggle_case": "Toggle case sensitivity",
 	"editor.toggle_regex": "Toggle using regular expressions",
 	"editor.toggle_whole_word": "Toggle matching whole words",
+	"markup.filepreview.line": "Line %[1]d in %[2]s",
+	"markup.filepreview.lines": "Lines %[1]d to %[2]d in %[3]s",
+	"markup.filepreview.truncated": "Preview has been truncated",
 	"form.RunnerName": "Name",
 	"graphs.recent_commits.title": "Number of commits in the past year",
 	"graphs.code_frequency.title": "Code frequency over the history of {0}",
diff --git a/options/locale_next/locale_eo.json b/options/locale_next/locale_eo.json
index 721b708a63..2a6d16e1f5 100644
--- a/options/locale_next/locale_eo.json
+++ b/options/locale_next/locale_eo.json
@@ -1,4 +1,22 @@
 {
+	"markup.filepreview.truncated": "La superrigardo estas mallongigita",
+	"markup.filepreview.lines": "Linioj %[1]d ĝis %[2]d en %[3]s",
+	"markup.filepreview.line": "Linio %[1]d en %[2]s",
+	"actions.variables.update.success": "La variablo estas redaktita.",
+	"actions.variables.update.failed": "Ne eblas redakti la variablon.",
+	"actions.variables.creation.success": "La variablo \"%s\" estas aldonita.",
+	"webauthn.error.timeout": "Tempo elĉerpiĝis antaŭ legiĝo de via ŝlosilo. Bonvolu reenlegi la retpaĝon kaj reprovi.",
+	"webauthn.error.empty": "Vi devas agordi nomon por la ŝlosilo.",
+	"webauthn.error.duplicated": "La sekurŝlosilo ne rajtas fari tiun ĉi peton. Bonvolu certigi ke la ŝlosilo estas ne jam registrita.",
+	"webauthn.error.unable_to_process": "La servilo ne povis trakti vian peton.",
+	"webauthn.error.insecure": "La salutmaniero WebAuthn sole subtenas sekurajn konektiĝojn. Testante HTTP’e, oni uzu la retadreson «localhost» aŭ «127.0.0.1»",
+	"webauthn.error.unknown": "Eraris pro nekonata kialo. Bonvolu reprovi.",
+	"webauthn.unsupported_browser": "Via retfoliumilo ne jam subtenas la salutmanieron WebAuthn.",
+	"webauthn.error": "Ne povis legi vian sekurŝlosilon.",
+	"webauthn.use_twofa": "Uzi dumanieran salutkodon de via poŝtelefono",
+	"webauthn.press_button": "Bonvolu premi la butonon sur via sekurŝlosilo…",
+	"webauthn.sign_in": "Premu la butonon sur via sekurŝlosilo. Se mankas butono, elprenu kaj reenmetu vian sekurŝlosilon.",
+	"webauthn.insert_key": "Enmetu vian sekurŝlosilon",
 	"packages.npm.details.tag": "Etikedo",
 	"fork.n_forks": {
 		"one": "%s disbranĉigo",
diff --git a/options/locale_next/locale_es-ES.json b/options/locale_next/locale_es-ES.json
index 93003c4477..a98e2e3d66 100644
--- a/options/locale_next/locale_es-ES.json
+++ b/options/locale_next/locale_es-ES.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Todos los elementos en la cola han sido eliminados.",
+	"admin.monitor.queue.settings.remove_all_items": "Eliminar todo",
+	"admin.monitor.queue.settings.changed": "Ajustes actualizados",
+	"admin.monitor.queue.settings.submit": "Actualizar ajustes",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "El número máximo de trabajadores debe ser un número",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Actualmente %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Número máximo de trabajadores",
+	"admin.monitor.queue.settings.description": "Los grupos de trabajadores crecen dinámicamente en respuesta al bloqueo de cola de sus trabajadores.",
+	"admin.monitor.queue.settings.title": "Ajustes del grupo",
+	"admin.monitor.queue.review_add": "Revisar / Añadir trabajadores",
+	"admin.monitor.queue.numberinqueue": "Número en cola",
+	"admin.monitor.queue.maxnumberworkers": "Nº máx de trabajadores",
+	"admin.monitor.queue.activeworkers": "Trabajadores activos",
+	"admin.monitor.queue.numberworkers": "Número de trabajadores",
+	"admin.monitor.queue.exemplar": "Ejemplo",
+	"admin.monitor.queue.type": "Tipo",
+	"admin.monitor.queue.name": "Nombre",
+	"admin.monitor.queue": "Cola: %s",
+	"admin.monitor.queues": "Colas",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA deshabilitado",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA habilitado",
+	"admin.users.list_status_filter.not_prohibit_login": "Permitir el inicio de sesión",
+	"admin.users.list_status_filter.is_prohibit_login": "Prohibido el inicio de sesión",
+	"admin.users.list_status_filter.not_restricted": "No restringido",
+	"admin.users.list_status_filter.is_restricted": "Restringido",
+	"admin.users.list_status_filter.not_admin": "No admin",
+	"admin.users.list_status_filter.is_admin": "Administrador",
+	"admin.users.list_status_filter.not_active": "Inactivo",
+	"admin.users.list_status_filter.is_active": "Activo",
+	"admin.users.list_status_filter.reset": "Reiniciar",
+	"admin.users.list_status_filter.menu_text": "Filtro",
+	"admin.system_status.gc_times": "Ejecuciones del recolector de basura",
+	"admin.system_status.last_gc_pause": "Última pausa por el recolector de basura",
+	"admin.system_status.total_gc_pause": "Pausa total por el recolector de basura",
+	"admin.system_status.last_gc_time": "Tiempo desde la última recolección de basura",
+	"admin.system_status.next_gc_recycle": "Siguiente reciclaje del recolector de basura",
+	"admin.system_status.other_system_allocation_obtained": "Otros recursos asignados del sistema",
+	"admin.system_status.gc_metadata_obtained": "Metadatos obtenidos del recolector de basura",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profiling bucket hash table obtenido",
+	"admin.system_status.mcache_structures_obtained": "Estructuras MCache obtenidas",
+	"admin.system_status.mcache_structures_usage": "Uso de estructuras MCache",
+	"admin.system_status.mspan_structures_obtained": "Estructuras MSpan obtenidas",
+	"admin.system_status.mspan_structures_usage": "Uso de estructuras MSpan",
+	"admin.system_status.stack_memory_obtained": "Memoria de pila obtenida",
+	"admin.system_status.bootstrap_stack_usage": "Uso de la pila de Bootstrap",
+	"admin.system_status.heap_objects": "Objetos en el Heap",
+	"admin.system_status.heap_memory_released": "Memoria de Heap liberada",
+	"admin.system_status.heap_memory_in_use": "Memoria de Heap en uso",
+	"admin.system_status.heap_memory_idle": "Memoria de Heap inactiva",
+	"admin.system_status.heap_memory_obtained": "Memoria de Heap obtenida",
+	"admin.system_status.current_heap_usage": "Uso actual de Heap",
+	"admin.system_status.memory_free_times": "Liberaciones de memoria",
+	"admin.system_status.memory_allocate_times": "Asignaciones de memoria",
+	"admin.system_status.pointer_lookup_times": "Tiempos de búsqueda de punteros",
+	"admin.system_status.memory_obtained": "Memoria obtenida",
+	"admin.system_status.total_memory_allocated": "Total de Memoria Reservada",
+	"admin.system_status.current_memory_usage": "Uso actual de memoria",
+	"admin.system_status.current_goroutine": "Gorutinas actuales",
+	"admin.system_status.server_uptime": "Tiempo de actividad del servidor",
+	"markup.filepreview.truncated": "La vista previa se ha truncado",
+	"markup.filepreview.lines": "Líneas %[1]d a %[2]d en %[3]s",
+	"markup.filepreview.line": "Línea %[1]d en %[2]s",
+	"actions.variables.update.success": "La variable ha sido editada.",
+	"actions.variables.update.failed": "Error al editar la variable.",
+	"actions.variables.creation.success": "La variable \"%s\" ha sido añadida.",
+	"actions.variables.creation.failed": "No se pudo agregar la variable.",
+	"actions.variables.deletion.success": "La variable ha sido eliminada.",
+	"actions.variables.deletion.failed": "No se pudo eliminar la variable.",
+	"actions.variables.not_found": "No se ha encontrado la variable.",
+	"actions.variables.edit": "Editar variable",
+	"actions.variables.description": "Las variables se pasarán a ciertas acciones y no se podrán leer de otro modo.",
+	"actions.variables.deletion.description": "Eliminar una variable es permanente y no se puede deshacer. ¿Continuar?",
+	"actions.variables.deletion": "Eliminar variable",
+	"actions.variables.none": "Aún no hay variables.",
+	"actions.variables.creation": "Añadir variable",
+	"actions.variables.management": "Gestión de variables",
+	"actions.variables": "Variables",
+	"webauthn.error.timeout": "Tiempo de espera máximo alcanzado antes de que su clave pudiese ser leída. Por favor, cargue la página y vuelva a intentarlo.",
+	"webauthn.error.empty": "Debe establecer un nombre para esta clave.",
+	"webauthn.error.duplicated": "La clave de seguridad no está permitida para esta solicitud. Por favor, asegúrese de que la clave no está ya registrada.",
+	"webauthn.error.unable_to_process": "El servidor no pudo procesar su solicitud.",
+	"webauthn.error.insecure": "WebAuthn sólo soporta conexiones seguras. Para probar sobre HTTP, puede utilizar el origen \"localhost\" o \"127.0.0.1\"",
+	"webauthn.error.unknown": "Ha ocurrido un error desconocido. Por favor, inténtelo de nuevo.",
+	"webauthn.unsupported_browser": "Actualmente su navegador no soporta WebAuthn.",
+	"webauthn.error": "No se pudo leer su llave de seguridad.",
+	"webauthn.use_twofa": "Utilice un código de doble factor desde su teléfono móvil",
+	"webauthn.press_button": "Por favor, presione el botón en su clave de seguridad…",
+	"webauthn.sign_in": "Presione el botón en su clave de seguridad. Si su clave de seguridad no tiene ningún botón, vuelva a insertarla.",
+	"webauthn.insert_key": "Introduzca su clave de seguridad",
 	"counters.n_commits": {
 		"one": "%s commit",
 		"many": "%s commits",
diff --git a/options/locale_next/locale_et.json b/options/locale_next/locale_et.json
index bf84f24ef4..c3246e4185 100644
--- a/options/locale_next/locale_et.json
+++ b/options/locale_next/locale_et.json
@@ -1,4 +1,21 @@
 {
+	"actions.variables.deletion": "Eemalda muutuja",
+	"actions.variables.none": "Muutujaid veel pole.",
+	"actions.variables.creation": "Lisa muutuja",
+	"actions.variables.management": "Halda muutujaid",
+	"actions.variables": "Muutujad",
+	"webauthn.error.timeout": "Päring aegus enne võtme lugemist. Palun laadi see lehekülg uuesti ja proovi uuesti.",
+	"webauthn.error.empty": "Palun lisa sellele võtmele täisnimi.",
+	"webauthn.error.duplicated": "Turvavõti ei ole selle päringu puhul lubatud. Palun veendu, et võti ei ole juba registreeritud.",
+	"webauthn.error.unable_to_process": "Server ei saanud sinu päringut töödelda.",
+	"webauthn.error.insecure": "WebAuthn toetab ainult turvalisi ühendusi. HTTP kaudu testimiseks võid kasutada lähteaadressina „localhost“ või „127.0.0.1“",
+	"webauthn.error.unknown": "Tekkis tundmatu viga. Palun proovi uuesti.",
+	"webauthn.unsupported_browser": "Sinu veebibrauser ei toeta praegu WebAuthn-liidestust.",
+	"webauthn.error": "Sinu turvavõtit ei saanud lugeda.",
+	"webauthn.use_twofa": "Sisesta oma telefonist kahefaktorilise autentimise kood",
+	"webauthn.press_button": "Palun vajuta turvavõtme nuppu…",
+	"webauthn.sign_in": "Vajuta turvavõtme nuppu. Kui sinu turvavõtmel ei ole nuppu, sisesta see uuesti.",
+	"webauthn.insert_key": "Sisesta oma turvavõti",
 	"counters.n_branches": {
 		"one": "%s alamharu",
 		"other": "%s alamharu"
diff --git a/options/locale_next/locale_eu.json b/options/locale_next/locale_eu.json
index e1940e1e14..463859b1a4 100644
--- a/options/locale_next/locale_eu.json
+++ b/options/locale_next/locale_eu.json
@@ -1,3 +1,15 @@
 {
+	"webauthn.error.timeout": "Zure gakoa irakurri aurretik denbora-muga gainditu da. Kargatu berriro orrialde hau eta saiatu berriro.",
+	"webauthn.error.empty": "Gako honetarako izen bat jarri behar duzu.",
+	"webauthn.error.duplicated": "Segurtasun-gakorik ez da onartzen eskaera honetarako. Mesedez, ziurtatu giltza ea dagoela erregistratuta.",
+	"webauthn.error.unable_to_process": "Zerbitzariak ezin izan du zure eskaera prozesatu.",
+	"webauthn.error.insecure": "WebAuthnek konexio seguruak baino ez ditu onartzen. HTTP bidez probatzeko, \"localhost\" edo \"127.0.0.1\" jatorria erabil daiteke",
+	"webauthn.error.unknown": "Akats ezezagun bat gertatu da. Mesedez, saiatu berriro.",
+	"webauthn.unsupported_browser": "Zure nabigatzaileak ez du WebAuthn onartzen.",
+	"webauthn.error": "Ezin izan da irakurri zure segurtasun-gakoa.",
+	"webauthn.use_twofa": "Erabili zure telefonoko bi faktoreko kodea",
+	"webauthn.press_button": "Mesedez, sakatu botoia zure segurtasun-gakoan…",
+	"webauthn.sign_in": "Sakatu botoia zure segurtasun-gakoan. Zure segurtasun-gakoak ez badu botoirik, sartu berriro.",
+	"webauthn.insert_key": "Sartu zure segurtasun-gakoa",
 	"meta.last_line": " "
 }
diff --git a/options/locale_next/locale_fa-IR.json b/options/locale_next/locale_fa-IR.json
index 75190f2fbf..91c2e5f3bd 100644
--- a/options/locale_next/locale_fa-IR.json
+++ b/options/locale_next/locale_fa-IR.json
@@ -1,4 +1,79 @@
 {
+	"admin.monitor.queue.settings.changed": "تنظیمات تازه شد",
+	"admin.monitor.queue.settings.submit": "بالا بردن ساماندهی",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "حداکثر تعداد کارگران باید یک عدد باشد",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "در حال حاضر %[1]v",
+	"admin.monitor.queue.settings.maxnumberworkers": "بیشینه تعداد کارگران",
+	"admin.monitor.queue.settings.title": "تنظیمات استخر",
+	"admin.monitor.queue.maxnumberworkers": "بیشینه تعداد کارگران",
+	"admin.monitor.queue.numberworkers": "تعداد کارگران",
+	"admin.monitor.queue.exemplar": "نوع نمونه",
+	"admin.monitor.queue.type": "نوع",
+	"admin.monitor.queue.name": "نام",
+	"admin.monitor.queue": "صف: %s",
+	"admin.monitor.queues": "صف ها",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA غیرفعال است",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA فعال است",
+	"admin.users.list_status_filter.not_prohibit_login": "اجازه ورود",
+	"admin.users.list_status_filter.is_prohibit_login": "ورود را ممنوع شود",
+	"admin.users.list_status_filter.not_restricted": "محدود نشده است",
+	"admin.users.list_status_filter.is_restricted": "محصور",
+	"admin.users.list_status_filter.not_admin": "غیرادمین",
+	"admin.users.list_status_filter.is_admin": "ادمین",
+	"admin.users.list_status_filter.not_active": "غیرفعال",
+	"admin.users.list_status_filter.is_active": "فعال",
+	"admin.users.list_status_filter.reset": "شروع دوباره",
+	"admin.users.list_status_filter.menu_text": "فیلتر",
+	"admin.system_status.gc_times": "زمان های GC",
+	"admin.system_status.last_gc_pause": "واپسین مکث در GC",
+	"admin.system_status.total_gc_pause": "کل زمان مکث GC",
+	"admin.system_status.last_gc_time": "زمان از آخرین GC",
+	"admin.system_status.next_gc_recycle": "بازیافت GC بعدی",
+	"admin.system_status.other_system_allocation_obtained": "تخصیص های حافظه در سایر قسمت های سیستم",
+	"admin.system_status.gc_metadata_obtained": "متادیتاهای بدست امده از GC",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profiling Bucket Hash Table به دست آمده",
+	"admin.system_status.mcache_structures_obtained": "ساختار های MCache به دست آمده",
+	"admin.system_status.mcache_structures_usage": "میزان استفاده از ساختار های MCache",
+	"admin.system_status.mspan_structures_obtained": "ساختار های MSpan به دست آمده",
+	"admin.system_status.mspan_structures_usage": "میزان استفاده‌ی ساختار های MSpan",
+	"admin.system_status.stack_memory_obtained": "حافظه پشته به دست آمده",
+	"admin.system_status.bootstrap_stack_usage": "میزان استفاده از پشته توسط راهنداز",
+	"admin.system_status.heap_objects": "شی توده یا Heap",
+	"admin.system_status.heap_memory_released": "حافظه توده آزاد شد",
+	"admin.system_status.heap_memory_in_use": "حافظه توده در حال استفاده",
+	"admin.system_status.heap_memory_idle": "بیکار بوده حافظه توده",
+	"admin.system_status.heap_memory_obtained": "حافظه به دست آمده برای توده",
+	"admin.system_status.current_heap_usage": "میزان مصرف توده فعلی",
+	"admin.system_status.memory_free_times": "آزادسازی حافظه",
+	"admin.system_status.memory_allocate_times": "تخصیص یافتن حافظه",
+	"admin.system_status.pointer_lookup_times": "اشاره‌گر زمان‌های جستجو",
+	"admin.system_status.memory_obtained": "حافظه به دست آمده",
+	"admin.system_status.total_memory_allocated": "کل حافظه اختصاص داده شده",
+	"admin.system_status.current_memory_usage": "میزان مصرف فعلی از حافظه",
+	"admin.system_status.current_goroutine": "Goroutine های فعلی",
+	"admin.system_status.server_uptime": "فعالیت بی‌وقفه سرور",
+	"actions.variables.update.success": "تغییر متغیر با موفقیت انجام شد.",
+	"actions.variables.update.failed": "عدم موفقیت در تغییر متغیر",
+	"actions.variables.creation.success": "متغیر \"%s\" ایجاد شد.",
+	"actions.variables.deletion.success": "متغیر حذف شد.",
+	"actions.variables.edit": "تغییر متغیر",
+	"actions.variables.deletion": "حذف متغیر",
+	"actions.variables.none": "هیچ متغیری هنوز وجود ندارد.",
+	"actions.variables.creation": "افزودن متغیر",
+	"actions.variables.management": "مدیریت متغیرها",
+	"actions.variables": "متغیرها",
+	"webauthn.error.timeout": "مهلت زمانی قبل از اینکه کلید شما خوانده شود تمام شد. لطفاً این صفحه را تازه‌سازی کرده و مجدد تلاش کنید.",
+	"webauthn.error.empty": "شما باید یک نام برای این کلید انتخاب کنید.",
+	"webauthn.error.duplicated": "کلید امنیتی برای این درخواست مجاز نیست. لطفاً مطمئن شوید که این کلید در حال حاضر ثبت نشده است.",
+	"webauthn.error.unable_to_process": "کارساز نتوانست درخواست شما را پردازش کند.",
+	"webauthn.error.insecure": "احرازوب فقط از روش‌های ایمن ممکن است. برای آزمودن بر روی اچ‌تی‌تی‌پی می‌توانید از «میزبان‌محلی» یا «۱۲۷.۰.۰.۱» استفاده کنید.",
+	"webauthn.error.unknown": "خطایی ناشناخته رخ داد. لطفاً دوباره سعی کنید.",
+	"webauthn.unsupported_browser": "مرورگر شما در حال حاضر از WebAuthn پشتیبانی نمی‌کند.",
+	"webauthn.error": "کلید امنیتی شما نتوانست خوانده شود.",
+	"webauthn.use_twofa": "از یک کد دومرحله‌ای از تلفنتان استفاده کنید",
+	"webauthn.press_button": "لطفاً دکمۀ روی کلید امنیتی را فشار دهید…",
+	"webauthn.sign_in": "دکمۀ روی کلید امنیتی را فشار دهید. اگر کلید امنیتی شما دکمه‌ای ندارد، آن را دوباره وارد کنید.",
+	"webauthn.insert_key": "کلید امنیتی خود را وارد کنید",
 	"actions.runners.name": "نام",
 	"actions.runners.owner_type": "نوع",
 	"actions.runners.description": "شرح",
diff --git a/options/locale_next/locale_fi-FI.json b/options/locale_next/locale_fi-FI.json
index 7993d9ae12..11de17d613 100644
--- a/options/locale_next/locale_fi-FI.json
+++ b/options/locale_next/locale_fi-FI.json
@@ -1,4 +1,80 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Kaikki jonossa olleet tietueet on poistettu.",
+	"admin.monitor.queue.settings.remove_all_items": "Poista kaikki",
+	"admin.monitor.queue.settings.changed": "Asetukset päivitetty",
+	"admin.monitor.queue.settings.submit": "Päivitä asetukset",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Tällä hetkellä %[1]d",
+	"admin.monitor.queue.type": "Tyyppi",
+	"admin.monitor.queue.name": "Nimi",
+	"admin.monitor.queue": "Jono: %s",
+	"admin.monitor.queues": "Jonot",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA ei käytössä",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA käytössä",
+	"admin.users.list_status_filter.not_prohibit_login": "Kirjautuminen sallittu",
+	"admin.users.list_status_filter.is_prohibit_login": "Kirjautuminen estetty",
+	"admin.users.list_status_filter.not_restricted": "Ei rajoitettu",
+	"admin.users.list_status_filter.is_restricted": "Rajoitettu",
+	"admin.users.list_status_filter.not_admin": "Ei ylläpitäjä",
+	"admin.users.list_status_filter.is_admin": "Ylläpitäjä",
+	"admin.users.list_status_filter.not_active": "Ei-aktiivinen",
+	"admin.users.list_status_filter.is_active": "Aktiivinen",
+	"admin.users.list_status_filter.reset": "Tyhjennä",
+	"admin.users.list_status_filter.menu_text": "Suodata",
+	"admin.system_status.gc_times": "Roskienkeruuajat",
+	"admin.system_status.last_gc_pause": "Viimeinen roskienkeruutauko",
+	"admin.system_status.total_gc_pause": "Yhteensä roskienkeruutauko",
+	"admin.system_status.last_gc_time": "Aika edellisestä roskienkeruusta",
+	"admin.system_status.next_gc_recycle": "Seuraava roskienkeruukierrätys",
+	"admin.system_status.other_system_allocation_obtained": "Muu järjestestelmän varaus saatu",
+	"admin.system_status.gc_metadata_obtained": "Roskienkeruumetatiedot saatu",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profilointiämpäritiivistetaulukko saatu",
+	"admin.system_status.mcache_structures_obtained": "MCache-rakenteet saatu",
+	"admin.system_status.mcache_structures_usage": "MCache-rakenteiden käyttö",
+	"admin.system_status.mspan_structures_obtained": "MSpan-rakenteet saatu",
+	"admin.system_status.mspan_structures_usage": "MSpan-rakenteiden käyttö",
+	"admin.system_status.stack_memory_obtained": "Pinonmuisti saatu",
+	"admin.system_status.bootstrap_stack_usage": "Bootstrap-pinon käyttö",
+	"admin.system_status.heap_objects": "Heap-objektit",
+	"admin.system_status.heap_memory_released": "Heap-muisti vapautettu",
+	"admin.system_status.heap_memory_in_use": "Heap-muisti käytössä",
+	"admin.system_status.heap_memory_idle": "Heap-muisti tyhjäkäynnillä",
+	"admin.system_status.heap_memory_obtained": "Heap-muisti saatu",
+	"admin.system_status.current_heap_usage": "Nykyinen heapin käyttö",
+	"admin.system_status.memory_allocate_times": "Muistiallokaatiot",
+	"admin.system_status.pointer_lookup_times": "Osoittimen hakuajat",
+	"admin.system_status.memory_obtained": "Muistia saatu",
+	"admin.system_status.total_memory_allocated": "Yhteensä muistia varattu",
+	"admin.system_status.current_memory_usage": "Nykyinen muistinkäyttö",
+	"admin.system_status.current_goroutine": "Nykyiset goroutinet",
+	"admin.system_status.server_uptime": "Palvelimen uptime",
+	"markup.filepreview.truncated": "Esikatselu on typistetty",
+	"actions.variables.update.success": "Muuttuja muokattu.",
+	"actions.variables.update.failed": "Muuttujan muokkaus epäonnistui.",
+	"actions.variables.creation.success": "Muuttuja \"%s\" lisätty.",
+	"actions.variables.creation.failed": "Muuttujan lisäys epäonnistui.",
+	"actions.variables.deletion.success": "Muuttuja poistettu.",
+	"actions.variables.deletion.failed": "Muuttujan poisto epäonnistui.",
+	"actions.variables.not_found": "Muuttujaa ei löytynyt.",
+	"actions.variables.edit": "Muokkaa muuttujaa",
+	"actions.variables.description": "Muuttujat asetetaan tietyille toiminnoille eikä niitä voida lukea muutoin.",
+	"actions.variables.deletion.description": "Muuttujan poistaminen on lopullista, eikä sitä voi perua. Jatketaanko?",
+	"actions.variables.deletion": "Poista muuttuja",
+	"actions.variables.none": "Ei muuttujia vielä.",
+	"actions.variables.creation": "Lisää muuttuja",
+	"actions.variables.management": "Hallitse muuttujia",
+	"actions.variables": "Muuttujat",
+	"webauthn.error.timeout": "Aikakatkaisu ennen kuin avaintasi voitiin lukea. Lataa tämä sivu uudelleen ja yritä uudelleen.",
+	"webauthn.error.empty": "Sinun täytyy asettaa nimi tälle avaimelle.",
+	"webauthn.error.duplicated": "Turva-avainta ei ole sallittu tässä pyynnössä. Varmista, ettei avainta ole jo rekisteröity.",
+	"webauthn.error.unable_to_process": "Palvelin ei pystynyt käsittelemään pyyntöä.",
+	"webauthn.error.insecure": "WebAuthn tukee vain turvallisia yhteyksiä. Testaamista varten HTTP-välityksellä voit käyttää alkuperää \"localhost\" tai \"127.0.0.1\"",
+	"webauthn.error.unknown": "Tuntematon virhe. Yritä uudelleen.",
+	"webauthn.unsupported_browser": "Selaimesi ei tällä hetkellä tue WebAuthnia.",
+	"webauthn.error": "Turva-avainta ei voitu lukea.",
+	"webauthn.use_twofa": "Käytä kaksivaihesta todennusta puhelimestasi",
+	"webauthn.press_button": "Paina turva-avaimesi painiketta…",
+	"webauthn.sign_in": "Paina turva-avaimesi painiketta. Jos turva-avaimessasi ei ole painiketta, irrota se ja aseta uudelleen.",
+	"webauthn.insert_key": "Aseta turva-avaimesi",
 	"counters.n_commits": {
 		"one": "%s kommitti",
 		"other": "%s kommittia"
diff --git a/options/locale_next/locale_fil.json b/options/locale_next/locale_fil.json
index 5afeb6ae3b..0b3a418f44 100644
--- a/options/locale_next/locale_fil.json
+++ b/options/locale_next/locale_fil.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Tinanggal na ang lahat ng mga item sa queue.",
+	"admin.monitor.queue.settings.remove_all_items": "Tanggalin lahat",
+	"admin.monitor.queue.settings.changed": "Na-update ang mga setting",
+	"admin.monitor.queue.settings.submit": "I-update ang mga setting",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Dapat numero ang pinakamaraming numero ng mga worker",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Kasalukuyang %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Pinakamaraming numero ng worker",
+	"admin.monitor.queue.settings.description": "Dinamikang lumalaki ang mga pool tugon sa kanilang worker queue blocking.",
+	"admin.monitor.queue.settings.title": "Mga setting ng pool",
+	"admin.monitor.queue.review_add": "Suriin / magdagdag ng mga worker",
+	"admin.monitor.queue.numberinqueue": "Number sa queue",
+	"admin.monitor.queue.maxnumberworkers": "Pinakamaraming numero ng worker",
+	"admin.monitor.queue.activeworkers": "Mga aktibong worker",
+	"admin.monitor.queue.numberworkers": "Numero ng mga worker",
+	"admin.monitor.queue.exemplar": "Uri ng Exemplar",
+	"admin.monitor.queue.type": "Uri",
+	"admin.monitor.queue.name": "Pangalan",
+	"admin.monitor.queue": "Queue: %s",
+	"admin.monitor.queues": "Mga queue",
+	"admin.users.list_status_filter.not_2fa_enabled": "Naka-disable ang 2FA",
+	"admin.users.list_status_filter.is_2fa_enabled": "Naka-enable ang 2FA",
+	"admin.users.list_status_filter.not_prohibit_login": "Pinapayagan ang pag-login",
+	"admin.users.list_status_filter.is_prohibit_login": "Pinagbawalan ang pag-login",
+	"admin.users.list_status_filter.not_restricted": "Hindi pinaghihigpitan",
+	"admin.users.list_status_filter.is_restricted": "Pinaghihigpitan",
+	"admin.users.list_status_filter.not_admin": "Hindi tagapangasiwa",
+	"admin.users.list_status_filter.is_admin": "Tagapangasiwa",
+	"admin.users.list_status_filter.not_active": "Hindi aktibo",
+	"admin.users.list_status_filter.is_active": "Aktibo",
+	"admin.users.list_status_filter.reset": "I-reset",
+	"admin.users.list_status_filter.menu_text": "Isaasyos",
+	"admin.system_status.gc_times": "Mga oras ng GC",
+	"admin.system_status.last_gc_pause": "Huling GC pause",
+	"admin.system_status.total_gc_pause": "Kabuuang GC pause",
+	"admin.system_status.last_gc_time": "Oras noong huling GC",
+	"admin.system_status.next_gc_recycle": "Susunod na GC recycle",
+	"admin.system_status.other_system_allocation_obtained": "Ibang allocation ng sistema na nakuha",
+	"admin.system_status.gc_metadata_obtained": "Nakuhang GC metadata",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Mga nakuhang profiling bucket hash table",
+	"admin.system_status.mcache_structures_obtained": "Mga nakuhang MCache structure",
+	"admin.system_status.mcache_structures_usage": "Paggamit ng MCache structure",
+	"admin.system_status.mspan_structures_obtained": "Mga nakuhang MSpan structure",
+	"admin.system_status.mspan_structures_usage": "Paggamit ng MSpan structure",
+	"admin.system_status.stack_memory_obtained": "Nakuhang stack memory",
+	"admin.system_status.bootstrap_stack_usage": "Paggamit ng bootstrap stack",
+	"admin.system_status.heap_objects": "Mga heap object",
+	"admin.system_status.heap_memory_released": "Mga na-release na heap memory",
+	"admin.system_status.heap_memory_in_use": "Ginagamit na heap memory",
+	"admin.system_status.heap_memory_idle": "Idle ng heap memory",
+	"admin.system_status.heap_memory_obtained": "Nakuhang heap memory",
+	"admin.system_status.current_heap_usage": "Kasalukuyang paggamit ng heap",
+	"admin.system_status.memory_free_times": "Mga memory free",
+	"admin.system_status.memory_allocate_times": "Mga allocation ng memory",
+	"admin.system_status.pointer_lookup_times": "Oras ng pointer lookup",
+	"admin.system_status.memory_obtained": "Mga nakuhang memory",
+	"admin.system_status.total_memory_allocated": "Kabuuan na na-allocate na memory",
+	"admin.system_status.current_memory_usage": "Kasalukuyang paggamit ng memory",
+	"admin.system_status.current_goroutine": "Mga kasalukuyang goroutine",
+	"admin.system_status.server_uptime": "Uptime ng server",
+	"markup.filepreview.truncated": "Na-truncate ang preview",
+	"markup.filepreview.lines": "Mga linya %[1]d hanggang %[2]d sa %[3]s",
+	"markup.filepreview.line": "Linya %[1]d sa %[2]s",
+	"actions.variables.update.success": "Nabago na ang variable.",
+	"actions.variables.update.failed": "Nabigong baguhin ang variable.",
+	"actions.variables.creation.success": "Nadagdag na ang variable na \"%s\".",
+	"actions.variables.creation.failed": "Nabigong idagdag ang variable.",
+	"actions.variables.deletion.success": "Tinanggal na ang variable.",
+	"actions.variables.deletion.failed": "Nabigong tanggalin ang variable.",
+	"actions.variables.not_found": "Nabigong hanapin ang variable.",
+	"actions.variables.edit": "Baguhin ang Variable",
+	"actions.variables.description": "Ipapasa ang mga variable sa ilang mga aksyon at hindi mababasa kung hindi man.",
+	"actions.variables.deletion.description": "Permanente ang pagtanggal ng isang variable at hindi ito mababalik. Magpatuloy?",
+	"actions.variables.deletion": "Tanggalin ang variable",
+	"actions.variables.none": "Wala pang mga variable sa ngayon.",
+	"actions.variables.creation": "Magdagdag ng variable",
+	"actions.variables.management": "Ipamahala ang mga variable",
+	"actions.variables": "Mga variable",
+	"webauthn.error.timeout": "Naabot ang timeout bago mabasa ang iyong key. Mangyaring i-reload ang page na ito at subukan muli.",
+	"webauthn.error.empty": "Kailangan mong maglapat ng pangalan para sa key na ito.",
+	"webauthn.error.duplicated": "Hindi pinapayagan ang security key na ito para sa hiling na ito. Mangyaring siguraduhin na ang key na ito ay hindi ito nakarehistro na.",
+	"webauthn.error.unable_to_process": "Hindi maproseso ng server ang iyong hiling.",
+	"webauthn.error.insecure": "Sinusuportahan lamang ng WebAuthn ang mga secure na koneksyon. Para sa pagsubok sa HTTP, pwede mo gamitin ang origin na \"localhost\" o \"127.0.0.1\"",
+	"webauthn.error.unknown": "May nangyaring hindi alam na error. Magyaring subukan muli.",
+	"webauthn.unsupported_browser": "Kasalukuyang hindi sinusuportahan ng iyong browser ang WebAuthn.",
+	"webauthn.error": "Hindi mabasa ang iyong security key.",
+	"webauthn.use_twofa": "Gumamit ng two-factor code galing sa iyong telepono",
+	"webauthn.press_button": "Pindutin ang button ng iyong security key…",
+	"webauthn.sign_in": "Pindutin ang button ng iyong security key. Kung walang button ang iyong security key, ilagay muli.",
+	"webauthn.insert_key": "Ilagay ang iyong security key",
 	"counters.n_commits": {
 		"one": "%s commit",
 		"other": "%s mga commit"
diff --git a/options/locale_next/locale_fr-FR.json b/options/locale_next/locale_fr-FR.json
index d5da596307..68d76f83f3 100644
--- a/options/locale_next/locale_fr-FR.json
+++ b/options/locale_next/locale_fr-FR.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Tous les éléments de la file d'attente ont été effacés.",
+	"admin.monitor.queue.settings.remove_all_items": "Tout effacer",
+	"admin.monitor.queue.settings.changed": "Paramètres mis à jour",
+	"admin.monitor.queue.settings.submit": "Appliquer les paramètres",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Le nombre de processus doit être un nombre",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Actuellement %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Nombre maximale de processus",
+	"admin.monitor.queue.settings.description": "Les bassins croissent proportionnellement au besoin de leurs exécuteurs.",
+	"admin.monitor.queue.settings.title": "Paramètres du réservoir",
+	"admin.monitor.queue.review_add": "Examiner / ajouter des processus",
+	"admin.monitor.queue.numberinqueue": "Position dans la queue",
+	"admin.monitor.queue.maxnumberworkers": "Nombre maximal de processus",
+	"admin.monitor.queue.activeworkers": "Processus actifs",
+	"admin.monitor.queue.numberworkers": "Nombre de processus",
+	"admin.monitor.queue.exemplar": "Type d'exemple",
+	"admin.monitor.queue.type": "Type",
+	"admin.monitor.queue.name": "Nom",
+	"admin.monitor.queue": "File d'attente : %s",
+	"admin.monitor.queues": "Files d'attente",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA désactivé",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA Activé",
+	"admin.users.list_status_filter.not_prohibit_login": "Autorisé à se connecter",
+	"admin.users.list_status_filter.is_prohibit_login": "Interdit de connexion",
+	"admin.users.list_status_filter.not_restricted": "Non restreint",
+	"admin.users.list_status_filter.is_restricted": "Restreint",
+	"admin.users.list_status_filter.not_admin": "Non administrateur",
+	"admin.users.list_status_filter.is_admin": "Administrateur",
+	"admin.users.list_status_filter.not_active": "Inactif",
+	"admin.users.list_status_filter.is_active": "Actif",
+	"admin.users.list_status_filter.reset": "Réinitialiser",
+	"admin.users.list_status_filter.menu_text": "Filtrer",
+	"admin.system_status.gc_times": "Nombres de GC",
+	"admin.system_status.last_gc_pause": "Dernière pause GC",
+	"admin.system_status.total_gc_pause": "Pause totale GC",
+	"admin.system_status.last_gc_time": "Temps depuis le dernier GC",
+	"admin.system_status.next_gc_recycle": "Prochain recyclage GC",
+	"admin.system_status.other_system_allocation_obtained": "Autres allocation système obtenue",
+	"admin.system_status.gc_metadata_obtained": "Métadonnées GC obtenues",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profilage de seau de table de hashage obtenu",
+	"admin.system_status.mcache_structures_obtained": "Structures MCache obtenues",
+	"admin.system_status.mcache_structures_usage": "Utilisation des structures MCache",
+	"admin.system_status.mspan_structures_obtained": "Structures MSpan obtenues",
+	"admin.system_status.mspan_structures_usage": "Utilisation des structures MSpan",
+	"admin.system_status.stack_memory_obtained": "Mémoire pile obtenue",
+	"admin.system_status.bootstrap_stack_usage": "Utilisation pile bootstrap",
+	"admin.system_status.heap_objects": "Objets tas (Heap)",
+	"admin.system_status.heap_memory_released": "Mémoire tas (Heap) libérée",
+	"admin.system_status.heap_memory_in_use": "Utilisation mémoire tas (Heap)",
+	"admin.system_status.heap_memory_idle": "Mémoire tas (Heap) au repos",
+	"admin.system_status.heap_memory_obtained": "Mémoire tas (Heap) obtenue",
+	"admin.system_status.current_heap_usage": "Utilisation Tas (Heap)",
+	"admin.system_status.memory_free_times": "Nombre de libérations de mémoire",
+	"admin.system_status.memory_allocate_times": "Allocations de mémoire",
+	"admin.system_status.pointer_lookup_times": "Nombre de Consultations Pointeur",
+	"admin.system_status.memory_obtained": "Mémoire obtenue",
+	"admin.system_status.total_memory_allocated": "Mémoire totale allouée",
+	"admin.system_status.current_memory_usage": "Utilisation Mémoire actuelle",
+	"admin.system_status.current_goroutine": "Goroutines actuelles",
+	"admin.system_status.server_uptime": "Uptime du serveur",
+	"markup.filepreview.truncated": "L'aperçu a été tronqué",
+	"markup.filepreview.lines": "Lignes %[1]d jusqu'à %[2]d dans %[3]s",
+	"markup.filepreview.line": "Ligne %[1]d dans %[2]s",
+	"actions.variables.update.success": "La variable a bien été modifiée.",
+	"actions.variables.update.failed": "Impossible d’éditer la variable.",
+	"actions.variables.creation.success": "La variable « %s » a été ajoutée.",
+	"actions.variables.creation.failed": "Impossible d'ajouter la variable.",
+	"actions.variables.deletion.success": "La variable a bien été retirée.",
+	"actions.variables.deletion.failed": "Impossible de retirer la variable.",
+	"actions.variables.not_found": "La variable n'a pas été trouvée.",
+	"actions.variables.edit": "Modifier la variable",
+	"actions.variables.description": "Les variables sont passées aux actions et ne peuvent être lues autrement.",
+	"actions.variables.deletion.description": "La suppression d’une variable est permanente et ne peut être défaite. Continuer ?",
+	"actions.variables.deletion": "Retirer la variable",
+	"actions.variables.none": "Il n'y a pas encore de variables.",
+	"actions.variables.creation": "Ajouter une variable",
+	"actions.variables.management": "Gestion des variables",
+	"actions.variables": "Variables",
+	"webauthn.error.timeout": "Le délai d'attente imparti a été atteint avant que votre clé ne puisse être lue. Veuillez recharger la page pour réessayer.",
+	"webauthn.error.empty": "Vous devez définir un nom pour cette clé.",
+	"webauthn.error.duplicated": "La clé de sécurité n'est pas autorisée pour cette demande. Veuillez vous assurer que la clé n'est pas déjà enregistrée.",
+	"webauthn.error.unable_to_process": "Le serveur n'a pas pu traiter votre demande.",
+	"webauthn.error.insecure": "`WebAuthn ne prend en charge que les connexions sécurisées. Pour les tests via HTTP, vous pouvez utiliser l'origine \"localhost\" ou \"127.0.0.1\"`",
+	"webauthn.error.unknown": "Une erreur indéterminée s'est produite. Veuillez réessayer.",
+	"webauthn.unsupported_browser": "Votre navigateur ne prend actuellement pas en charge WebAuthn.",
+	"webauthn.error": "Impossible de lire votre clé de sécurité.",
+	"webauthn.use_twofa": "Utilisez l'authentification à deux facteurs avec votre téléphone",
+	"webauthn.press_button": "Veuillez appuyer sur le bouton de votre clé de sécurité…",
+	"webauthn.sign_in": "Appuyez sur le bouton de votre clé de sécurité. Si votre clé de sécurité n'a pas de bouton, réinsérez-la.",
+	"webauthn.insert_key": "Insérez votre clé de sécurité",
 	"counters.n_commits": {
 		"one": "%s commit",
 		"many": "%s commits",
diff --git a/options/locale_next/locale_ga.json b/options/locale_next/locale_ga.json
index 0a011e349b..0ef3186852 100644
--- a/options/locale_next/locale_ga.json
+++ b/options/locale_next/locale_ga.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Baineadh na míreanna go léir sa scuaine.",
+	"admin.monitor.queue.settings.remove_all_items": "Bain gach",
+	"admin.monitor.queue.settings.changed": "Socruithe Nuashonraithe",
+	"admin.monitor.queue.settings.submit": "Nuashonrú Socruithe",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Caithfidh uaslíon na n-oibrithe a bheith ina uimhir",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Faoi láthair %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Uaslíon na n-oibrithe",
+	"admin.monitor.queue.settings.description": "Fásann linnte go dinimiciúil mar fhreagra ar a gcuid scuaine oibrithe a bhlocáil.",
+	"admin.monitor.queue.settings.title": "Socruithe Linn",
+	"admin.monitor.queue.review_add": "Athbhreithniú / Cuir Oibrithe leis",
+	"admin.monitor.queue.numberinqueue": "Uimhir i scuaine",
+	"admin.monitor.queue.maxnumberworkers": "Líon Uasta na nOibrithe",
+	"admin.monitor.queue.activeworkers": "Oibrithe Gníomhacha",
+	"admin.monitor.queue.numberworkers": "Líon na nOibrithe",
+	"admin.monitor.queue.exemplar": "Cineál Eiseamláire",
+	"admin.monitor.queue.type": "Cineál",
+	"admin.monitor.queue.name": "Ainm",
+	"admin.monitor.queue": "Scuaine: %s",
+	"admin.monitor.queues": "Scuaineanna",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA faoi mhíchumas",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA Cumasaithe",
+	"admin.users.list_status_filter.not_prohibit_login": "Ceadaigh Logáil isteach",
+	"admin.users.list_status_filter.is_prohibit_login": "Cosc ar Logáil Isteach",
+	"admin.users.list_status_filter.not_restricted": "Gan Srian",
+	"admin.users.list_status_filter.is_restricted": "Srianta",
+	"admin.users.list_status_filter.not_admin": "Ní Riarachán",
+	"admin.users.list_status_filter.is_admin": "Riarachán",
+	"admin.users.list_status_filter.not_active": "Neamhghníomhach",
+	"admin.users.list_status_filter.is_active": "Gníomhach",
+	"admin.users.list_status_filter.reset": "Athshocraigh",
+	"admin.users.list_status_filter.menu_text": "Scagaire",
+	"admin.system_status.gc_times": "Amanna GC",
+	"admin.system_status.last_gc_pause": "Sos GC Deireanach",
+	"admin.system_status.total_gc_pause": "Sos Iomlán GC",
+	"admin.system_status.last_gc_time": "Am ó GC deireanach",
+	"admin.system_status.next_gc_recycle": "Athchúrsáil GC Eile",
+	"admin.system_status.other_system_allocation_obtained": "Leithdháileadh Córais Eile a Fuarthas",
+	"admin.system_status.gc_metadata_obtained": "Meiteashonraí GC faighte",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Tábla Hash Buicéad Próifílithe a Faightear",
+	"admin.system_status.mcache_structures_obtained": "Struchtúir MCache a Faightear",
+	"admin.system_status.mcache_structures_usage": "Úsáid Struchtúir MCache",
+	"admin.system_status.mspan_structures_obtained": "Struchtúir MSpan a Faightear",
+	"admin.system_status.mspan_structures_usage": "Úsáid Struchtúir MSpan",
+	"admin.system_status.stack_memory_obtained": "Cuimhne Staca Faighte",
+	"admin.system_status.bootstrap_stack_usage": "Úsáid Staca Bootstrap",
+	"admin.system_status.heap_objects": "Cuspóirí Carn",
+	"admin.system_status.heap_memory_released": "Cuimhne Carn Eisithe",
+	"admin.system_status.heap_memory_in_use": "Cuimhne Carm In Úsáid",
+	"admin.system_status.heap_memory_idle": "Díomhaoin Cuimhne Carn",
+	"admin.system_status.heap_memory_obtained": "Cuimhne Charn Faighte",
+	"admin.system_status.current_heap_usage": "Úsáid Charn Reatha",
+	"admin.system_status.memory_free_times": "Saorálann Cuimhne",
+	"admin.system_status.memory_allocate_times": "Leithdháiltí Cuimhne",
+	"admin.system_status.pointer_lookup_times": "Amanna Cuardaigh Pointeora",
+	"admin.system_status.memory_obtained": "Cuimhne Faighte",
+	"admin.system_status.total_memory_allocated": "Cuimhne Iomlán Leithdháilte",
+	"admin.system_status.current_memory_usage": "Úsáid Cuimhne Reatha",
+	"admin.system_status.current_goroutine": "Goroutines Reatha",
+	"admin.system_status.server_uptime": "Aga fónaimh Freastalaí",
+	"markup.filepreview.truncated": "Tá an réamhamharc giorraithe",
+	"markup.filepreview.lines": "Línte %[1]d go %[2]d i %[3]s",
+	"markup.filepreview.line": "Líne %[1]d i %[2]s",
+	"actions.variables.update.success": "Tá an t-athróg curtha in eagar.",
+	"actions.variables.update.failed": "Theip ar athróg a chur in eagar.",
+	"actions.variables.creation.success": "Tá an athróg \"%s\" curtha leis.",
+	"actions.variables.creation.failed": "Theip ar athróg a chur leis.",
+	"actions.variables.deletion.success": "Tá an athróg bainte.",
+	"actions.variables.deletion.failed": "Theip ar athróg a bhaint.",
+	"actions.variables.not_found": "Theip ar an athróg a aimsiú.",
+	"actions.variables.edit": "Cuir Athróg in Eagar",
+	"actions.variables.description": "Cuirfear athróga chuig gníomhartha áirithe agus ní féidir iad a léamh ar mhalairt eile.",
+	"actions.variables.deletion.description": "Tá athróg a bhaint buan agus ní féidir é a chur ar ais. Lean ar aghaidh?",
+	"actions.variables.deletion": "Bain athróg",
+	"actions.variables.none": "Níl aon athróga ann fós.",
+	"actions.variables.creation": "Cuir Athróg leis",
+	"actions.variables.management": "Bainistigh athróga",
+	"actions.variables": "Athróga",
+	"webauthn.error.timeout": "Sroicheadh an teorainn ama sula bhféadfaí d’eochair a léamh. Athlódáil an leathanach seo, le do thoil, agus déan iarracht arís.",
+	"webauthn.error.empty": "Ní mór duit ainm a shocrú don eochair seo.",
+	"webauthn.error.duplicated": "Ní cheadaítear an eochair slándála don iarratas seo. Déan cinnte le do thoil nach bhfuil an eochair cláraithe cheana féin.",
+	"webauthn.error.unable_to_process": "Ní fhéadfadh an freastalaí d'iarratas a phróiseáil.",
+	"webauthn.error.insecure": "Ní thacaíonn WebAuthn ach le naisc slán. Le haghaidh tástála thar HTTP, is féidir leat an bunús “localhost” nó \"127.0.0.1\" a úsáid",
+	"webauthn.error.unknown": "Tharla earráid anaithnid. Déan iarracht arís.",
+	"webauthn.unsupported_browser": "Ní thacaíonn do bhrabhsálaí le WebAuthn faoi láthair.",
+	"webauthn.error": "Ní fhéadfaí do eochair slándála a léamh.",
+	"webauthn.use_twofa": "Úsáid cód dhá fhachtóir ó do ghuthán",
+	"webauthn.press_button": "Brúigh an cnaipe ar d'eochair slándála le do thoil…",
+	"webauthn.sign_in": "Brúigh an cnaipe ar d'eochair slándála. Mura bhfuil aon chnaipe ag d'eochair slándála, cuir isteach é arís.",
+	"webauthn.insert_key": "Cuir isteach d'eochair slándála",
 	"gpg.default_key": "Sínithe leis an eochair réamhshocraithe",
 	"gpg.error.extract_sign": "Theip ar an síniú a bhaint",
 	"gpg.error.generate_hash": "Theip ar hash gealltanas a ghiniúint",
diff --git a/options/locale_next/locale_gl.json b/options/locale_next/locale_gl.json
index 1ab14bedc5..7878b0a7f1 100644
--- a/options/locale_next/locale_gl.json
+++ b/options/locale_next/locale_gl.json
@@ -1,4 +1,16 @@
 {
+	"webauthn.error.timeout": "Alcanzouse o límite de tempo antes de que se puidera ler a súa clave. Volva cargar esta páxina e ténteo de novo.",
+	"webauthn.error.empty": "Debe definir un nome para esta clave.",
+	"webauthn.error.duplicated": "A clave de seguridade non está permitida para esta solicitude. Asegúrese de que a clave non estea xa rexistrada.",
+	"webauthn.error.unable_to_process": "O servidor non puido procesar a súa solicitude.",
+	"webauthn.error.insecure": "WebAuthn só admite conexións seguras. Para probar a través de HTTP, pode usar a orixe \"localhost\" ou \"127.0.0.1\"",
+	"webauthn.error.unknown": "Produciuse un erro descoñecido. Ténteo de novo.",
+	"webauthn.unsupported_browser": "O seu navegador non soporta WebAuthn actualmente.",
+	"webauthn.error": "Non se puido ler a súa clave de seguridade.",
+	"webauthn.use_twofa": "Use o Código de Dous Factores do seu Teléfono",
+	"webauthn.press_button": "Prema o botón da súa chave de seguridade…",
+	"webauthn.sign_in": "Prema o botón da súa chave de seguridade. Se a súa chave de seguridade non ten ningún botón, volva inserila.",
+	"webauthn.insert_key": "Insira a súa chave de seguridade",
 	"relativetime.now": "agora",
 	"relativetime.future": "máis adiante",
 	"repo.form.cannot_create": "Todos os espazos onde podes crear repositorios chegaron ao límite de repositorios creados.",
diff --git a/options/locale_next/locale_he.json b/options/locale_next/locale_he.json
index 3837b8a1de..c8fafcf414 100644
--- a/options/locale_next/locale_he.json
+++ b/options/locale_next/locale_he.json
@@ -1,4 +1,16 @@
 {
+	"webauthn.error.timeout": "קריאת מפתחך לקחה יותר מדי זמן. אפשר לטעון מחדש את הדף ולנסות שוב.",
+	"webauthn.error.empty": "שם המפתח הוא שדה חובה.",
+	"webauthn.error.duplicated": "מפתח האבטחה לא יכול לשמש לבקשה זו. נא לוודא שהמפתח לא רשום.",
+	"webauthn.error.unable_to_process": "שרת זה נכשל בעיבוד בקשתך.",
+	"webauthn.error.insecure": "הפרוטוקול WebAuthn לא תומך בחיבורים לא מאובטחים, למעט דרך \"localhost\" או \"127.0.0.1\"",
+	"webauthn.error.unknown": "שגיאה לא ידועה, אפשר לנסות שוב.",
+	"webauthn.unsupported_browser": "הדפדפן שלך לא תומך בWebAuthn.",
+	"webauthn.error": "קריאת מפתח האבטחה נכשלה.",
+	"webauthn.use_twofa": "השתמש בקוד אימות דו־שלבי מהטלפון שלך",
+	"webauthn.press_button": "נא ללחוץ על הכפתור שעל מפתח האבטחה…",
+	"webauthn.sign_in": "יש ללחוץ על הכפתור שעל מפתח האבטחה. אם אין כפתור, אפשר להוציא את המפתח ולחבר אותו שוב.",
+	"webauthn.insert_key": "יש להכניס את מפתח אבטחך",
 	"fork.n_forks": {
 		"one": "מזלוג אחד",
 		"two": "%s מזלוגים",
diff --git a/options/locale_next/locale_hi.json b/options/locale_next/locale_hi.json
index 79b6fdeb42..86919e5eb4 100644
--- a/options/locale_next/locale_hi.json
+++ b/options/locale_next/locale_hi.json
@@ -1,4 +1,16 @@
 {
+	"webauthn.error.timeout": "आपकी की पढ़ने से पहले टाइमआउट हो गया। पृष्ट रीलोड करें और फिर कोशिश करें।",
+	"webauthn.error.empty": "कृपया इस चाभी का नाम रखें।",
+	"webauthn.error.duplicated": "सिक्योरिटी की इस रिक्वेस्ट के लिए नहीं है। कृपया देखें की पहले से रजिस्टर्ड तो नहीं।",
+	"webauthn.error.unable_to_process": "सर्वर आपकी रिक्वेस्ट प्रोसेस नहीं कर पाया।",
+	"webauthn.error.insecure": "वेबौथ पर सिर्फ सुरक्षित कनेक्शन हो. HTTP टेस्ट के लिए ओरिजिन “लोकलहोस्ट” या “127.0.0.1”",
+	"webauthn.error.unknown": "कोई अंजान एरर हुई, फिर से कोशिश करें।",
+	"webauthn.unsupported_browser": "आपका ब्राउज़र वेबौथ सपोर्ट नहीं करता।",
+	"webauthn.error": "सिक्योरिटी की रीड नहीं हो पा रही।",
+	"webauthn.use_twofa": "अपने फ़ोन से दो फैक्टर कोड लाएं",
+	"webauthn.press_button": "अपनी सिक्योरिटी की पर बटन दबाएं…",
+	"webauthn.sign_in": "सिक्योरिटी की का बटन दबाएं, नहीं है तो फिर से प्लग करें।",
+	"webauthn.insert_key": "अपनी सिक्योरिटी की डालें",
 	"fork.n_forks": {
 		"one": "%s फोर्क",
 		"other": "%s फोर्कस"
diff --git a/options/locale_next/locale_hu-HU.json b/options/locale_next/locale_hu-HU.json
index f43220464c..4f28acaa45 100644
--- a/options/locale_next/locale_hu-HU.json
+++ b/options/locale_next/locale_hu-HU.json
@@ -1,4 +1,49 @@
 {
+	"admin.monitor.queue.settings.submit": "Beállítások frissítése",
+	"admin.monitor.queue.type": "Típus",
+	"admin.monitor.queue.name": "Név",
+	"admin.users.list_status_filter.is_restricted": "Korlátozott",
+	"admin.users.list_status_filter.is_admin": "Rendszergazda",
+	"admin.users.list_status_filter.is_active": "Aktív",
+	"admin.system_status.gc_times": "GC Idők",
+	"admin.system_status.last_gc_pause": "Utolsó GC szünet",
+	"admin.system_status.total_gc_pause": "Teljes GC szünet",
+	"admin.system_status.last_gc_time": "Utolsó GC óta eltelt idő",
+	"admin.system_status.next_gc_recycle": "Következő GC Újrahasznosítás",
+	"admin.system_status.other_system_allocation_obtained": "Másik Rendszer Allokáció Megszerezve",
+	"admin.system_status.gc_metadata_obtained": "GC Metaadat Megszerezve",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profilozó Vödrös Hash Tábla Megszerezve",
+	"admin.system_status.mcache_structures_obtained": "MCache Struktúrák Megszerezve",
+	"admin.system_status.mcache_structures_usage": "MCache Struktúrák Használata",
+	"admin.system_status.mspan_structures_obtained": "MSpan Struktúrák Megszerezve",
+	"admin.system_status.mspan_structures_usage": "MSpan Struktúrák Használata",
+	"admin.system_status.stack_memory_obtained": "Stack Memória Megszerezve",
+	"admin.system_status.bootstrap_stack_usage": "Bootstrap Stack Használat",
+	"admin.system_status.heap_objects": "Heap Objektumok",
+	"admin.system_status.heap_memory_released": "Elengedett Heap Memória",
+	"admin.system_status.heap_memory_in_use": "Használatban lévő Heap Memória",
+	"admin.system_status.heap_memory_idle": "Tétlen Heap Memória",
+	"admin.system_status.heap_memory_obtained": "Heap Memória Megszerezve",
+	"admin.system_status.current_heap_usage": "Aktuális Heap Használat",
+	"admin.system_status.memory_allocate_times": "Memóriafoglalások",
+	"admin.system_status.pointer_lookup_times": "Pointer Lookup Idők",
+	"admin.system_status.memory_obtained": "Megszerzett Memória",
+	"admin.system_status.total_memory_allocated": "Összes lefoglalt memória",
+	"admin.system_status.current_memory_usage": "Jelenlegi memória használat",
+	"admin.system_status.current_goroutine": "Jelenlegi Goroutinok",
+	"admin.system_status.server_uptime": "Kiszolgáló futási ideje",
+	"webauthn.error.timeout": "Időtúllépés a kulcs beolvasása során. Töltse be újra ezt az oldalt, és próbálkozzon újra.",
+	"webauthn.error.empty": "Nevet kell adnia ennek a kulcsnak.",
+	"webauthn.error.duplicated": "A biztonsági kulcs nem engedélyezett ehhez a kéréshez. Győződjön meg róla, hogy a kulcs nincs-e már regisztrálva.",
+	"webauthn.error.unable_to_process": "A kiszolgáló nem tudta feldolgozni a kérését.",
+	"webauthn.error.insecure": "A WebAuthn csak biztonságos kapcsolatokat támogat. HTTP-n keresztüli tesztelés esetén használja a „localhost” vagy a „127.0.0.1” forrást.",
+	"webauthn.error.unknown": "Ismeretlen hiba történt. Próbálja újra.",
+	"webauthn.unsupported_browser": "A böngészője jelenleg nem támogatja a WebAuthn protokollt.",
+	"webauthn.error": "A biztonsági kulcsának beolvasása sikertelen volt.",
+	"webauthn.use_twofa": "Kétlépcsős hitelesítési kód használata telefonról",
+	"webauthn.press_button": "Nyomja meg a biztonsági kulcsán található gombot…",
+	"webauthn.sign_in": "Nyomja meg a biztonsági kulcsán található gombot. Ha nincs rajta gomb, próbálja meg újra behelyezni.",
+	"webauthn.insert_key": "Helyezze be biztonsági kulcsát",
 	"migrate.items.wiki": "Wiki",
 	"migrate.items.milestones": "Mérföldkövek",
 	"migrate.items.labels": "Címkék",
diff --git a/options/locale_next/locale_id-ID.json b/options/locale_next/locale_id-ID.json
index 9c21ad9cc7..d0e58fcbb4 100644
--- a/options/locale_next/locale_id-ID.json
+++ b/options/locale_next/locale_id-ID.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Semua item dalam antrian telah dihapus.",
+	"admin.monitor.queue.settings.remove_all_items": "Hapus semua",
+	"admin.monitor.queue.settings.changed": "Pengaturan diperbarui",
+	"admin.monitor.queue.settings.submit": "Perbarui pengaturan",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Jumlah maks. worker haruslah sebuah angka",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Saat ini %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Jumlah Maks. Worker",
+	"admin.monitor.queue.settings.description": "Pool berkembang secara dinamis sebagai respons terhadap pemblokiran antrian pekerja mereka.",
+	"admin.monitor.queue.settings.title": "Pengaturan pool",
+	"admin.monitor.queue.review_add": "Tinjau / tambah pekerja",
+	"admin.monitor.queue.numberinqueue": "Jumlah dalam antrian",
+	"admin.monitor.queue.maxnumberworkers": "Jumlah maksimum pekerja",
+	"admin.monitor.queue.activeworkers": "Pekerja aktif",
+	"admin.monitor.queue.numberworkers": "Jumlah pekerja",
+	"admin.monitor.queue.exemplar": "Contoh Tipe",
+	"admin.monitor.queue.type": "Tipe",
+	"admin.monitor.queue.name": "Nama",
+	"admin.monitor.queue": "Antrian: %s",
+	"admin.monitor.queues": "Antrian",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA dinonaktifkan",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA diaktifkan",
+	"admin.users.list_status_filter.not_prohibit_login": "Izinkan masuk",
+	"admin.users.list_status_filter.is_prohibit_login": "Larang masuk",
+	"admin.users.list_status_filter.not_restricted": "Tidak dibatasi",
+	"admin.users.list_status_filter.is_restricted": "Dibatasi",
+	"admin.users.list_status_filter.not_admin": "Bukan admin",
+	"admin.users.list_status_filter.is_admin": "Pengelola",
+	"admin.users.list_status_filter.not_active": "Tidak aktif",
+	"admin.users.list_status_filter.is_active": "Aktif",
+	"admin.users.list_status_filter.reset": "Atur ulang",
+	"admin.users.list_status_filter.menu_text": "Saring",
+	"admin.system_status.gc_times": "Jumlah GC",
+	"admin.system_status.last_gc_pause": "Jeda GC terakhir",
+	"admin.system_status.total_gc_pause": "Total jeda GC",
+	"admin.system_status.last_gc_time": "Waktu sejak GC terakhir",
+	"admin.system_status.next_gc_recycle": "Daur ulang GC berikutnya",
+	"admin.system_status.other_system_allocation_obtained": "Alokasi sistem lainnya yang diperoleh",
+	"admin.system_status.gc_metadata_obtained": "Metadata GC yang diperoleh",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Tabel hash bucket pemrofilan yang diperoleh",
+	"admin.system_status.mcache_structures_obtained": "Struktur MCache yang diperoleh",
+	"admin.system_status.mcache_structures_usage": "Penggunaan struktur MCache",
+	"admin.system_status.mspan_structures_obtained": "Struktur MSpan yang diperoleh",
+	"admin.system_status.mspan_structures_usage": "Penggunaan struktur MSpan",
+	"admin.system_status.stack_memory_obtained": "Memori stack yang diperoleh",
+	"admin.system_status.bootstrap_stack_usage": "Penggunaan stack bootstrap",
+	"admin.system_status.heap_objects": "Objek heap",
+	"admin.system_status.heap_memory_released": "Memori heap yang dilepaskan",
+	"admin.system_status.heap_memory_in_use": "Memori heap yang digunakan",
+	"admin.system_status.heap_memory_idle": "Memori heap yang menganggur",
+	"admin.system_status.heap_memory_obtained": "Memori heap yang diperoleh",
+	"admin.system_status.current_heap_usage": "Penggunaan heap saat ini",
+	"admin.system_status.memory_free_times": "Pembebasan memori",
+	"admin.system_status.memory_allocate_times": "Alokasi memori",
+	"admin.system_status.pointer_lookup_times": "Jumlah pencarian pointer",
+	"admin.system_status.memory_obtained": "Memori yang diperoleh",
+	"admin.system_status.total_memory_allocated": "Total memori yang dialokasikan",
+	"admin.system_status.current_memory_usage": "Penggunaan memori saat ini",
+	"admin.system_status.current_goroutine": "Goroutine saat ini",
+	"admin.system_status.server_uptime": "Waktu aktif server",
+	"markup.filepreview.truncated": "Pratinjau telah dipotong",
+	"markup.filepreview.lines": "Baris %[1]d hingga %[2]d di %[3]s",
+	"markup.filepreview.line": "Baris %[1]d di %[2]s",
+	"actions.variables.update.success": "Variabel telah diedit.",
+	"actions.variables.update.failed": "Gagal mengedit variabel.",
+	"actions.variables.creation.success": "Variabel \"%s\" telah ditambahkan.",
+	"actions.variables.creation.failed": "Gagal menambahkan variabel.",
+	"actions.variables.deletion.success": "Variabel telah dihapus.",
+	"actions.variables.deletion.failed": "Gagal menghapus variabel.",
+	"actions.variables.not_found": "Gagal menemukan variabel.",
+	"actions.variables.edit": "Edit Variabel",
+	"actions.variables.description": "Variabel akan diteruskan ke beberapa tindakan dan tidak dapat dibaca sebaliknya.",
+	"actions.variables.deletion.description": "Menghapus variabel bersifat permanen dan tidak dapat dibatalkan. Lanjutkan?",
+	"actions.variables.deletion": "Hapus variabel",
+	"actions.variables.none": "Belum ada variabel.",
+	"actions.variables.creation": "Tambah Variabel",
+	"actions.variables.management": "Kelola variabel",
+	"actions.variables": "Variabel",
+	"webauthn.error.timeout": "Waktu habis sebelum kunci Anda dapat dibaca. Mohon muat ulang halaman ini dan coba lagi.",
+	"webauthn.error.empty": "Anda harus menetapkan nama untuk kunci ini.",
+	"webauthn.error.duplicated": "Kunci keamanan tidak diperbolehkan untuk permintaan ini. Pastikan bahwa kunci ini belum terdaftar sebelumnya.",
+	"webauthn.error.unable_to_process": "Server tidak dapat memproses permintaan Anda.",
+	"webauthn.error.insecure": "`WebAuthn hanya mendukung koneksi aman. Untuk pengujian melalui HTTP, Anda dapat menggunakan \"localhost\" atau \"127.0.0.1\"`",
+	"webauthn.error.unknown": "Terdapat kesalahan yang tidak diketahui. Mohon coba lagi.",
+	"webauthn.unsupported_browser": "Browser Anda saat ini tidak mendukung WebAuthn.",
+	"webauthn.error": "Tidak dapat membaca kunci keamanan Anda.",
+	"webauthn.use_twofa": "Gunakan kode dua faktor dari telepon Anda",
+	"webauthn.press_button": "Silakan tekan tombol pada kunci keamanan Anda…",
+	"webauthn.sign_in": "Tekan tombol pada kunci keamanan Anda. Jika kunci keamanan Anda tidak memiliki tombol, masukkan kembali.",
+	"webauthn.insert_key": "Masukkan kunci keamanan anda",
 	"gpg.error.extract_sign": "Gagal untuk mengambil tanda tangan",
 	"gpg.error.generate_hash": "Gagal untuk menghasilkan hash komit",
 	"gpg.error.no_gpg_keys_found": "Tidak diketahui kunci yang ditemukan di database signature",
diff --git a/options/locale_next/locale_is-IS.json b/options/locale_next/locale_is-IS.json
index 0b3dca401f..fceede90e6 100644
--- a/options/locale_next/locale_is-IS.json
+++ b/options/locale_next/locale_is-IS.json
@@ -1,4 +1,30 @@
 {
+	"admin.monitor.queue.settings.changed": "Stillingar Uppfærðar",
+	"admin.monitor.queue.settings.submit": "Uppfæra Stillingar",
+	"admin.monitor.queue.type": "Tegund",
+	"admin.monitor.queue.name": "Heiti",
+	"admin.monitor.queues": "Raðir",
+	"admin.users.list_status_filter.not_2fa_enabled": "Tvíþætt Auðkenning Óvirk",
+	"admin.users.list_status_filter.not_prohibit_login": "Leyfa Innskráningu",
+	"admin.users.list_status_filter.is_prohibit_login": "Stöðva Innskráningu",
+	"admin.users.list_status_filter.is_admin": "Stjórnandi",
+	"admin.users.list_status_filter.is_active": "Virkt",
+	"admin.users.list_status_filter.reset": "Endurstilla",
+	"admin.users.list_status_filter.menu_text": "Sía",
+	"admin.system_status.total_memory_allocated": "Heildarminni úthlutað",
+	"admin.system_status.server_uptime": "Uppitími Netþjóns",
+	"webauthn.error.timeout": "Tímamörk náð áður en hægt var að lesa lykilinn þinn. Vinsamlegast endurhlaðið þessa síðu og reyndu aftur.",
+	"webauthn.error.empty": "Þú verður að setja nafn fyrir þennan lykil.",
+	"webauthn.error.duplicated": "Öryggislykillinn er ekki leyfður fyrir þessa beiðni. Gakktu úr skugga um að lykillinn sé ekki þegar skráður.",
+	"webauthn.error.unable_to_process": "Netþjónninn gat ekki ráðið við beiðni þína.",
+	"webauthn.error.insecure": "WebAuthn styður aðeins öruggar tengingar. Til að prófa yfir HTTP geturðu notað upprunann „localhost“ eða „127.0.0.1“",
+	"webauthn.error.unknown": "Óþekkt villa kom upp. Vinsamlegast reyndu aftur.",
+	"webauthn.unsupported_browser": "Vafrinn þinn styður ekki WebAuthn eins og er.",
+	"webauthn.error": "Gat ekki lesið öryggislykilinn þinn.",
+	"webauthn.use_twofa": "Notaðu tveggja-þátta kóða úr símanum þínum",
+	"webauthn.press_button": "Vinsamlegast ýttu á hnappinn á öryggislyklinum þínum…",
+	"webauthn.sign_in": "Ýttu á hnappinn á öryggislyklinum þínum. Ef öryggislykillinn þinn hefur engan hnapp skaltu setja hann aftur inn.",
+	"webauthn.insert_key": "Settu öryggislykilinn þinn inn",
 	"actions.runners.name": "Heiti",
 	"actions.runners.owner_type": "Tegund",
 	"actions.runners.description": "Lýsing",
diff --git a/options/locale_next/locale_it-IT.json b/options/locale_next/locale_it-IT.json
index 38e74714bc..0efdd472c6 100644
--- a/options/locale_next/locale_it-IT.json
+++ b/options/locale_next/locale_it-IT.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Tutti gli elementi in coda sono stati rimossi.",
+	"admin.monitor.queue.settings.remove_all_items": "Rimuovi tutto",
+	"admin.monitor.queue.settings.changed": "Impostazioni aggiornate",
+	"admin.monitor.queue.settings.submit": "Aggiorna impostazioni",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Il numero massimo di lavoratori deve essere un numero",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Attualmente %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Massimo numero di workers",
+	"admin.monitor.queue.settings.description": "Le piscine crescono dinamicamente in risposta al blocco dei lavoratori in coda.",
+	"admin.monitor.queue.settings.title": "Impostazioni piscina",
+	"admin.monitor.queue.review_add": "Revisiona / aggiungi lavoratori",
+	"admin.monitor.queue.numberinqueue": "Numero in coda",
+	"admin.monitor.queue.maxnumberworkers": "Massimo numero di lavoratori",
+	"admin.monitor.queue.activeworkers": "Lavoratori attivi",
+	"admin.monitor.queue.numberworkers": "Numero di lavoratori",
+	"admin.monitor.queue.exemplar": "Tipo di esemplare",
+	"admin.monitor.queue.type": "Tipo",
+	"admin.monitor.queue.name": "Nome",
+	"admin.monitor.queue": "Coda: %s",
+	"admin.monitor.queues": "Code",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA disabilitato",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA abilitato",
+	"admin.users.list_status_filter.not_prohibit_login": "Accesso consentito",
+	"admin.users.list_status_filter.is_prohibit_login": "Accesso vietato",
+	"admin.users.list_status_filter.not_restricted": "Non limitato",
+	"admin.users.list_status_filter.is_restricted": "Limitato",
+	"admin.users.list_status_filter.not_admin": "Non amministratore",
+	"admin.users.list_status_filter.is_admin": "Amministratore",
+	"admin.users.list_status_filter.not_active": "Inattivo",
+	"admin.users.list_status_filter.is_active": "Attivo",
+	"admin.users.list_status_filter.reset": "Ripristina",
+	"admin.users.list_status_filter.menu_text": "Filtro",
+	"admin.system_status.gc_times": "Esecuzioni GC",
+	"admin.system_status.last_gc_pause": "Ultima pausa del GC",
+	"admin.system_status.total_gc_pause": "Pausa totale del GC",
+	"admin.system_status.last_gc_time": "Dall'ultimo GC",
+	"admin.system_status.next_gc_recycle": "Prossimo riciclaggio GC",
+	"admin.system_status.other_system_allocation_obtained": "Altre allocazioni di sistema ottenute",
+	"admin.system_status.gc_metadata_obtained": "Metadata del GC ottenuto",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Tabelle hash del secchio di profilazione ottenute",
+	"admin.system_status.mcache_structures_obtained": "Strutture MCache ottenute",
+	"admin.system_status.mcache_structures_usage": "Utilizzo di strutture MCache",
+	"admin.system_status.mspan_structures_obtained": "Strutture MSpan ottenute",
+	"admin.system_status.mspan_structures_usage": "Utilizzo strutture MSpan",
+	"admin.system_status.stack_memory_obtained": "Memoria pila ottenuta",
+	"admin.system_status.bootstrap_stack_usage": "Utilizzo pila iniziale",
+	"admin.system_status.heap_objects": "Oggetti dell'heap",
+	"admin.system_status.heap_memory_released": "Memoria heap rilasciata",
+	"admin.system_status.heap_memory_in_use": "Memoria heap in uso",
+	"admin.system_status.heap_memory_idle": "Memoria heap inattiva",
+	"admin.system_status.heap_memory_obtained": "Memoria heap ottenuta",
+	"admin.system_status.current_heap_usage": "Utilizzo heap attuale",
+	"admin.system_status.memory_free_times": "Rilasci di memoria",
+	"admin.system_status.memory_allocate_times": "Allocazioni di memoria",
+	"admin.system_status.pointer_lookup_times": "Tempi di ricerca del puntatore",
+	"admin.system_status.memory_obtained": "Memoria ottenuta",
+	"admin.system_status.total_memory_allocated": "Memoria allocata totale",
+	"admin.system_status.current_memory_usage": "Utilizzo di memoria attuale",
+	"admin.system_status.current_goroutine": "Goroutine attuali",
+	"admin.system_status.server_uptime": "Tempo di attività",
+	"markup.filepreview.truncated": "L'anteprima è stata troncata",
+	"markup.filepreview.lines": "Linee da %[1]d a %[2]d in %[3]s",
+	"markup.filepreview.line": "Linea %[1]d in %[2]s",
+	"actions.variables.update.success": "La variabile è stata modificata.",
+	"actions.variables.update.failed": "Impossibile modificare la variabile.",
+	"actions.variables.creation.success": "La variabile \"%s\" è stata aggiunta.",
+	"actions.variables.creation.failed": "Errore nell'aggiunta della variabile.",
+	"actions.variables.deletion.success": "La variabile è stata rimossa.",
+	"actions.variables.deletion.failed": "Impossibile rimuovere la variabile.",
+	"actions.variables.not_found": "Non è stato possibile trovare la variabile.",
+	"actions.variables.edit": "Modifica variabile",
+	"actions.variables.description": "Le variabili saranno passate a determinate azioni e non possono essere lette altrimenti.",
+	"actions.variables.deletion.description": "La rimozione di una variabile è permanente e non può essere annullata. Continuare?",
+	"actions.variables.deletion": "Rimuovi variabile",
+	"actions.variables.none": "Non ci sono ancora variabili.",
+	"actions.variables.creation": "Aggiungi variabile",
+	"actions.variables.management": "Gestisci variabili",
+	"actions.variables": "Variabili",
+	"webauthn.error.timeout": "Timeout raggiunto prima che la tua chiave possa essere letta. Ricarica la pagina e riprova.",
+	"webauthn.error.empty": "Devi impostare un nome per questa chiave.",
+	"webauthn.error.duplicated": "La chiave di sicurezza non è consentita per questa richiesta. Assicurati che la chiave non sia già registrata.",
+	"webauthn.error.unable_to_process": "Il server non può elaborare la richiesta.",
+	"webauthn.error.insecure": "WebAuthn supporta solo connessioni sicure. Per il test su HTTP, è possibile utilizzare l'origine \"localhost\" o \"127.0.0.1\"",
+	"webauthn.error.unknown": "Si è verificato un errore sconosciuto. Riprova.",
+	"webauthn.unsupported_browser": "Il tuo browser al momento non supporta WebAuthn.",
+	"webauthn.error": "Impossibile leggere la tua chiave di sicurezza.",
+	"webauthn.use_twofa": "Usa un codice a due fattori dal tuo telefono",
+	"webauthn.press_button": "Premi il pulsante sulla chiave di sicurezza…",
+	"webauthn.sign_in": "Premi il pulsante sul tasto di sicurezza. Se il tasto di sicurezza non ha pulsante, reinseriscilo.",
+	"webauthn.insert_key": "Inserisci la tua chiave di sicurezza",
 	"counters.n_commits": {
 		"one": "%s commit",
 		"many": "%s commit",
diff --git a/options/locale_next/locale_ja-JP.json b/options/locale_next/locale_ja-JP.json
index 5ad5f68868..f462ff4e74 100644
--- a/options/locale_next/locale_ja-JP.json
+++ b/options/locale_next/locale_ja-JP.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "キュー内のすべての項目を削除しました。",
+	"admin.monitor.queue.settings.remove_all_items": "すべて削除",
+	"admin.monitor.queue.settings.changed": "設定を更新しました",
+	"admin.monitor.queue.settings.submit": "設定を更新",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "ワーカー数上限は数値にしてください",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "現在の設定 %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "ワーカー数上限",
+	"admin.monitor.queue.settings.description": "プールはワーカーキューの待機状態に応じて動的に大きくなります。",
+	"admin.monitor.queue.settings.title": "プール設定",
+	"admin.monitor.queue.review_add": "ワーカーの確認 / 追加",
+	"admin.monitor.queue.numberinqueue": "キュー内の数",
+	"admin.monitor.queue.maxnumberworkers": "ワーカー数上限",
+	"admin.monitor.queue.activeworkers": "使用ワーカー数",
+	"admin.monitor.queue.numberworkers": "ワーカー数",
+	"admin.monitor.queue.exemplar": "要素の型",
+	"admin.monitor.queue.type": "種類",
+	"admin.monitor.queue.name": "キュー名",
+	"admin.monitor.queue": "キュー: %s",
+	"admin.monitor.queues": "キュー",
+	"admin.users.list_status_filter.not_2fa_enabled": "2要素認証無効",
+	"admin.users.list_status_filter.is_2fa_enabled": "2要素認証有効",
+	"admin.users.list_status_filter.not_prohibit_login": "ログインを許可",
+	"admin.users.list_status_filter.is_prohibit_login": "ログインを禁止",
+	"admin.users.list_status_filter.not_restricted": "制限なし",
+	"admin.users.list_status_filter.is_restricted": "制限あり",
+	"admin.users.list_status_filter.not_admin": "非管理者",
+	"admin.users.list_status_filter.is_admin": "管理者",
+	"admin.users.list_status_filter.not_active": "無効",
+	"admin.users.list_status_filter.is_active": "有効",
+	"admin.users.list_status_filter.reset": "リセット",
+	"admin.users.list_status_filter.menu_text": "フィルター",
+	"admin.system_status.gc_times": "GC実行回数",
+	"admin.system_status.last_gc_pause": "前回のGC停止時間",
+	"admin.system_status.total_gc_pause": "GC停止時間の合計",
+	"admin.system_status.last_gc_time": "前回GCからの時間",
+	"admin.system_status.next_gc_recycle": "次回のGCリサイクル",
+	"admin.system_status.other_system_allocation_obtained": "その他システム割当用取得量",
+	"admin.system_status.gc_metadata_obtained": "GCメタデータ用取得量",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "バケットハッシュテーブルのプロファイリング割当量",
+	"admin.system_status.mcache_structures_obtained": "MCache構造体用取得量",
+	"admin.system_status.mcache_structures_usage": "MCache構造体の使用量",
+	"admin.system_status.mspan_structures_obtained": "MSpan構造体用取得量",
+	"admin.system_status.mspan_structures_usage": "MSpan構造体の使用量",
+	"admin.system_status.stack_memory_obtained": "スタック用メモリ取得量",
+	"admin.system_status.bootstrap_stack_usage": "スタック使用量",
+	"admin.system_status.heap_objects": "ヒープオブジェクト数",
+	"admin.system_status.heap_memory_released": "解放済みヒープ容量",
+	"admin.system_status.heap_memory_in_use": "使用中のヒープ容量",
+	"admin.system_status.heap_memory_idle": "未使用のヒープ容量",
+	"admin.system_status.heap_memory_obtained": "ヒープ用メモリ取得量",
+	"admin.system_status.current_heap_usage": "現在のヒープ使用量",
+	"admin.system_status.memory_free_times": "メモリ解放回数",
+	"admin.system_status.memory_allocate_times": "メモリ割当回数",
+	"admin.system_status.pointer_lookup_times": "ポインタ参照回数",
+	"admin.system_status.memory_obtained": "メモリ取得量",
+	"admin.system_status.total_memory_allocated": "メモリ割当量の累計",
+	"admin.system_status.current_memory_usage": "現在のメモリ使用量",
+	"admin.system_status.current_goroutine": "現在のGoroutine数",
+	"admin.system_status.server_uptime": "サーバーの稼働時間",
+	"markup.filepreview.truncated": "プレビューは途中から省略されています",
+	"markup.filepreview.lines": "%[3]s の %[1]d 行目から %[2]d 行目",
+	"markup.filepreview.line": "%[2]s の %[1]d 行目",
+	"actions.variables.update.success": "変数を更新しました。",
+	"actions.variables.update.failed": "変数を更新できませんでした。",
+	"actions.variables.creation.success": "変数 \"%s\" を追加しました。",
+	"actions.variables.creation.failed": "変数を追加できませんでした。",
+	"actions.variables.deletion.success": "変数を削除しました。",
+	"actions.variables.deletion.failed": "変数を削除できませんでした。",
+	"actions.variables.not_found": "変数が見つかりませんでした。",
+	"actions.variables.edit": "変数の編集",
+	"actions.variables.description": "変数は特定のActionsに渡されます。 それ以外で読み出されることはありません。",
+	"actions.variables.deletion.description": "変数の削除は恒久的で元に戻すことはできません。 続行しますか？",
+	"actions.variables.deletion": "変数を削除",
+	"actions.variables.none": "変数はまだありません。",
+	"actions.variables.creation": "変数の追加",
+	"actions.variables.management": "変数の管理",
+	"actions.variables": "変数",
+	"webauthn.error.timeout": "キーを読み取る前にタイムアウトになりました。 このページをリロードしてもう一度やり直してください。",
+	"webauthn.error.empty": "このキーに名前を設定する必要があります。",
+	"webauthn.error.duplicated": "このリクエストに対しては、許可されていないセキュリティキーです。 キーが未登録であることを確認してください。",
+	"webauthn.error.unable_to_process": "サーバーがリクエストを処理できませんでした。",
+	"webauthn.error.insecure": "WebAuthn はセキュアな接続のみをサポートしています。HTTP 経由でテストする場合は、\"localhost\" または \"127.0.0.1\" のオリジンが使用できます",
+	"webauthn.error.unknown": "不明なエラーが発生しました。 もう一度やり直してください。",
+	"webauthn.unsupported_browser": "お使いのブラウザは現在 WebAuthn をサポートしていません。",
+	"webauthn.error": "セキュリティキーを読み取ることができません。",
+	"webauthn.use_twofa": "携帯電話から2要素認証コードを使用する",
+	"webauthn.press_button": "セキュリティキーのボタンを押してください…",
+	"webauthn.sign_in": "セキュリティキーのボタンを押してください。セキュリティキーにボタンが無い場合は、挿入しなおしてください。",
+	"webauthn.insert_key": "セキュリティキーを挿入",
 	"counters.n_commits": {
 		"one": "%s のコミット",
 		"other": "%s のコミット"
diff --git a/options/locale_next/locale_ka.json b/options/locale_next/locale_ka.json
index 7f8a474f4e..bfd0bbf460 100644
--- a/options/locale_next/locale_ka.json
+++ b/options/locale_next/locale_ka.json
@@ -1,4 +1,14 @@
 {
+	"admin.monitor.queue.type": "ტიპი",
+	"admin.monitor.queue.name": "სახელი",
+	"admin.monitor.queues": "რიგები",
+	"admin.users.list_status_filter.is_restricted": "შეზღუდული",
+	"admin.users.list_status_filter.is_admin": "ადმინი",
+	"admin.users.list_status_filter.not_active": "არააქტიურია",
+	"admin.users.list_status_filter.is_active": "აქტიურია",
+	"admin.users.list_status_filter.reset": "ჩამოყრა",
+	"admin.users.list_status_filter.menu_text": "ფილტრი",
+	"actions.variables": "ცვლადები",
 	"migrate.items.wiki": "ვიკი",
 	"migrate.items.milestones": "მისაღწევი გეგმები",
 	"migrate.items.labels": "ჭდეები",
diff --git a/options/locale_next/locale_kab.json b/options/locale_next/locale_kab.json
index 01a3daa718..5d874fb42d 100644
--- a/options/locale_next/locale_kab.json
+++ b/options/locale_next/locale_kab.json
@@ -1,4 +1,9 @@
 {
+	"admin.monitor.queue.settings.remove_all_items": "Kkes-iten akk",
+	"admin.monitor.queue.name": "Isem",
+	"admin.users.list_status_filter.is_admin": "Anedbal",
+	"admin.users.list_status_filter.not_active": "D arurmid",
+	"admin.users.list_status_filter.is_active": "D urmid",
 	"actions.runners.name": "Isem",
 	"actions.runners.description": "Aglam",
 	"actions.runners.task_list.repository": "Akufi",
diff --git a/options/locale_next/locale_ko-KR.json b/options/locale_next/locale_ko-KR.json
index 0c725dfef2..b6f638bf0f 100644
--- a/options/locale_next/locale_ko-KR.json
+++ b/options/locale_next/locale_ko-KR.json
@@ -1,4 +1,49 @@
 {
+	"admin.monitor.queue.settings.submit": "설정 업데이트",
+	"admin.monitor.queue.type": "유형",
+	"admin.monitor.queue.name": "이름",
+	"admin.users.list_status_filter.is_admin": "관리자",
+	"admin.users.list_status_filter.is_active": "사용",
+	"admin.system_status.gc_times": "가비지 콜렉션 시간",
+	"admin.system_status.last_gc_pause": "마지막 가비지 콜렉션 중지",
+	"admin.system_status.total_gc_pause": "모든 가비지 콜렉션 중지",
+	"admin.system_status.last_gc_time": "마지막 가비지 콜렉션 시간",
+	"admin.system_status.next_gc_recycle": "다음 가비지 콜렉션 순환",
+	"admin.system_status.other_system_allocation_obtained": "기타 시스템 할당 확보",
+	"admin.system_status.gc_metadata_obtained": "가비지 콜렉션 메타 데이터 확보",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "버켓 해시 테이블 확보 프로파일링",
+	"admin.system_status.mcache_structures_obtained": "MCache 구조 확보",
+	"admin.system_status.mcache_structures_usage": "MCache 구조 사용현황",
+	"admin.system_status.mspan_structures_obtained": "MSpan 구조 확보",
+	"admin.system_status.mspan_structures_usage": "MSpan 구조 사용현황",
+	"admin.system_status.stack_memory_obtained": "스택 메모리 확보",
+	"admin.system_status.bootstrap_stack_usage": "부트스트랩 스택 사용현황",
+	"admin.system_status.heap_objects": "힙 객체",
+	"admin.system_status.heap_memory_released": "힙 메모리 풀림",
+	"admin.system_status.heap_memory_in_use": "힙 메모리 사용중",
+	"admin.system_status.heap_memory_idle": "힙 메모리 유휴",
+	"admin.system_status.heap_memory_obtained": "힙 메모리 확보",
+	"admin.system_status.current_heap_usage": "현재 힙 사용현황",
+	"admin.system_status.memory_free_times": "가용 메모리",
+	"admin.system_status.memory_allocate_times": "사용 메모리",
+	"admin.system_status.pointer_lookup_times": "포인터 조회 시간",
+	"admin.system_status.memory_obtained": "메모리 확보",
+	"admin.system_status.total_memory_allocated": "전체 할당 메모리",
+	"admin.system_status.current_memory_usage": "현재 메모리 사용율",
+	"admin.system_status.current_goroutine": "현재 Go루틴",
+	"admin.system_status.server_uptime": "서버를 켠 시간",
+	"webauthn.error.timeout": "키를 읽기 전에 시간이 초과되었습니다. 페이지를 새로 고치고 다시 시도해주세요.",
+	"webauthn.error.empty": "키의 이름을 설정해야 합니다.",
+	"webauthn.error.duplicated": "이 요청에는 보안 키가 허용되지 않습니다. 키가 이미 등록되어 있는지 확인하세요.",
+	"webauthn.error.unable_to_process": "서버가 귀하의 요청을 처리할 수 없습니다.",
+	"webauthn.error.insecure": "웹 인증은 안전한 연결만 지원합니다. HTTP에서 테스트할 경우, \"localhost\" 또는 \"127.0.0.1\" 오리진을 사용할 수 있습니다.",
+	"webauthn.error.unknown": "알 수 없는 오류가 발생했습니다. 다시 시도해주세요.",
+	"webauthn.unsupported_browser": "현재 귀하의 브라우저는 웹 인증을 지원하지 않습니다.",
+	"webauthn.error": "보안 키를 읽을 수 없습니다.",
+	"webauthn.use_twofa": "휴대전화 2단계 코드 사용",
+	"webauthn.press_button": "보안 키의 버튼을 누르세요…",
+	"webauthn.sign_in": "보안 키에 있는 버튼을 누르세요. 만약 보안 키에 버튼이 없다면 다시 입력하세요.",
+	"webauthn.insert_key": "보안 키를 입력하세요",
 	"migrate.items.wiki": "위키",
 	"migrate.items.milestones": "마일스톤",
 	"migrate.items.issues": "이슈",
diff --git a/options/locale_next/locale_kw.json b/options/locale_next/locale_kw.json
index 00322101ea..5287b1d0f5 100644
--- a/options/locale_next/locale_kw.json
+++ b/options/locale_next/locale_kw.json
@@ -1,3 +1,15 @@
 {
+	"webauthn.error.timeout": "Termyn yn-mes hedhys kyns agas alhwedh y hyllys redys. Daskargewgh an folen ma mar pleg hag assayewgh arta.",
+	"webauthn.error.empty": "Res yw dhywgh settya hanow rag an alhwedh ma.",
+	"webauthn.error.duplicated": "Nyns yw an alhwedh sawder gesys rag an govyn ma. Mar pleg, surhewgh nyns yw an alhwedh kovskrifys seulabrys.",
+	"webauthn.error.unable_to_process": "Ny yllir an servell argerdhes agas govyn.",
+	"webauthn.error.insecure": "WebAuthn a skoodh junyans saw yn unnik. Rag ow previ dres HTTP. ty a yll devnydhya an devedhyans \"localhost\" po \"127.0.0.1\"",
+	"webauthn.error.unknown": "Yth esa error ankoth. Mar pleg assayewgh arta.",
+	"webauthn.unsupported_browser": "Ny skoodhya a-lemmyn agas peurell WebAuthn.",
+	"webauthn.error": "Ny yllir redya agas alhwedh sawder.",
+	"webauthn.use_twofa": "Devnydhyer kod dewkamm dhyworth agas klapkodh",
+	"webauthn.press_button": "Mar pleg gwaskewgh an boton war agas alhwedh sawder…",
+	"webauthn.sign_in": "Tavewgh an boton war agas alhwedh sawder. Mar nyns eus boton, gorrewgh a-bervedh arta.",
+	"webauthn.insert_key": "Gorra a-bervedh agas alhwedh sawder",
 	"home.welcome.no_activity": "Nyns eys aktivita"
 }
diff --git a/options/locale_next/locale_lt.json b/options/locale_next/locale_lt.json
index bd3d3d0e54..a60c96a4ae 100644
--- a/options/locale_next/locale_lt.json
+++ b/options/locale_next/locale_lt.json
@@ -1,4 +1,17 @@
 {
+	"markup.filepreview.truncated": "Peržiūra buvo sutrumpinta",
+	"webauthn.error.timeout": "Baigėsi laikas, per kurį nebuvo galima nuskaityti rakto. Perkraukite šį puslapį ir bandykite dar kartą.",
+	"webauthn.error.empty": "Turite nustatyti šio rakto pavadinimą.",
+	"webauthn.error.duplicated": "Saugumo raktas neleidžiamas šiai prašymai. Įsitikinkite, kad raktas dar nėra užregistruotas.",
+	"webauthn.error.unable_to_process": "Serveris negalėjo apdoroti jūsų prašymo.",
+	"webauthn.error.insecure": "„WebAuthn“ palaiko tik saugius ryšius. Bandymams per HTTP galite naudoti „localhost“ arba „127.0.0.0.1“.",
+	"webauthn.error.unknown": "Įvyko nežinoma klaida. Bandykite dar kartą.",
+	"webauthn.unsupported_browser": "Jūsų naršyklė šiuo metu nepalaiko „WebAuthn“.",
+	"webauthn.error": "Nepavyko nuskaityti saugumo rakto.",
+	"webauthn.use_twofa": "Naudoti dvigubą kodą iš telefono",
+	"webauthn.press_button": "Paspauskite saugumo rakto mygtuką…",
+	"webauthn.sign_in": "Paspauskite saugumo rakto mygtuką. Jei saugumo raktas neturi mygtuko, įkiškite jį iš naujo.",
+	"webauthn.insert_key": "Įkiškite savo saugumo raktą",
 	"search.milestone_kind": "Ieškoti gairių...",
 	"meta.last_line": " "
 }
diff --git a/options/locale_next/locale_lv-LV.json b/options/locale_next/locale_lv-LV.json
index 0482456367..066ecfaea4 100644
--- a/options/locale_next/locale_lv-LV.json
+++ b/options/locale_next/locale_lv-LV.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Visi rindsaraksta vienumi tika noņemti.",
+	"admin.monitor.queue.settings.remove_all_items": "Noņemt visus",
+	"admin.monitor.queue.settings.changed": "Iestatījumi atjaunināti",
+	"admin.monitor.queue.settings.submit": "Atjaunināt iestatījumus",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Lielākajam pieļaujamajam strādņu skaitam ir jābūt skaitlim",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Pašalaik %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Maksimālais strādņu skaits",
+	"admin.monitor.queue.settings.description": "Pūli dinamiski palielinās atkarībā no to strādņu rindu aizturēšanas.",
+	"admin.monitor.queue.settings.title": "Pūla iestatījumi",
+	"admin.monitor.queue.review_add": "Pārskatīt/pievienot strādņus",
+	"admin.monitor.queue.numberinqueue": "Skaits rindsarakstā",
+	"admin.monitor.queue.maxnumberworkers": "Lielākais pieļaujamais strādņu skaits",
+	"admin.monitor.queue.activeworkers": "Darbojošies strādņi",
+	"admin.monitor.queue.numberworkers": "Strādņu skaits",
+	"admin.monitor.queue.exemplar": "Eksemplāra veids",
+	"admin.monitor.queue.type": "Veids",
+	"admin.monitor.queue.name": "Nosaukums",
+	"admin.monitor.queue": "Rindsaraksts: %s",
+	"admin.monitor.queues": "Rindsaraksti",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA atspējota",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA iespējota",
+	"admin.users.list_status_filter.not_prohibit_login": "Atļaut pieteikšanos",
+	"admin.users.list_status_filter.is_prohibit_login": "Neļaut pieteikšanos",
+	"admin.users.list_status_filter.not_restricted": "Nav ierobežots",
+	"admin.users.list_status_filter.is_restricted": "Ierobežots",
+	"admin.users.list_status_filter.not_admin": "Nav pārvaldītājs",
+	"admin.users.list_status_filter.is_admin": "Pārvaldītājs",
+	"admin.users.list_status_filter.not_active": "Neaktīvs",
+	"admin.users.list_status_filter.is_active": "Aktīvs",
+	"admin.users.list_status_filter.reset": "Atiestatīt",
+	"admin.users.list_status_filter.menu_text": "Atlasīt",
+	"admin.system_status.gc_times": "GC reizes",
+	"admin.system_status.last_gc_pause": "Pedējais GC pārtraukums",
+	"admin.system_status.total_gc_pause": "Kopējais GC pārtraukums",
+	"admin.system_status.last_gc_time": "Laiks kopš pēdējās GC",
+	"admin.system_status.next_gc_recycle": "Nākamā GC atkritne",
+	"admin.system_status.other_system_allocation_obtained": "Citas iegūtās sistēmas sadales",
+	"admin.system_status.gc_metadata_obtained": "Iegūtie GC metadati",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Iegūtā profilēšanas groza jaucējtabula",
+	"admin.system_status.mcache_structures_obtained": "Iegūtās MCache struktūras",
+	"admin.system_status.mcache_structures_usage": "MCache struktūru lietojums",
+	"admin.system_status.mspan_structures_obtained": "Iegūtās MSpan struktūras",
+	"admin.system_status.mspan_structures_usage": "MSpan struktūru lietojums",
+	"admin.system_status.stack_memory_obtained": "Iegūtā viengala rindas atmiņa",
+	"admin.system_status.bootstrap_stack_usage": "Sākumielādētāja viengala rindas lietojums",
+	"admin.system_status.heap_objects": "Grēdas objekti",
+	"admin.system_status.heap_memory_released": "Atbrīvotā grēdas atmiņa",
+	"admin.system_status.heap_memory_in_use": "Izmantotā grēdas atmiņa",
+	"admin.system_status.heap_memory_idle": "Neizmantotā grēdas atmiņa",
+	"admin.system_status.heap_memory_obtained": "Iegūtā grēdas atmiņa",
+	"admin.system_status.current_heap_usage": "Pašreizējais grēdas lietojums",
+	"admin.system_status.memory_free_times": "Atmiņas atbrīvošanas",
+	"admin.system_status.memory_allocate_times": "Atmiņas iedalīšanas",
+	"admin.system_status.pointer_lookup_times": "Rādītāju uzmeklēšanas reizes",
+	"admin.system_status.memory_obtained": "Iegūtā atmiņa",
+	"admin.system_status.total_memory_allocated": "Kopējā iedalītā atmiņa",
+	"admin.system_status.current_memory_usage": "Pašreizējais atmiņas lietojums",
+	"admin.system_status.current_goroutine": "Pašreizējās gorutīnas",
+	"admin.system_status.server_uptime": "Servera darbības laiks",
+	"markup.filepreview.truncated": "Priekšskatījums tika saīsināts",
+	"markup.filepreview.lines": "%[1]d. līdz %[2]d. rinda %[3]s",
+	"markup.filepreview.line": "%[1]d. rinda %[2]s",
+	"actions.variables.update.success": "Mainīgais tika labots.",
+	"actions.variables.update.failed": "Neizdevās labot mainīgo.",
+	"actions.variables.creation.success": "Mainīgais \"%s\" tika pievienots.",
+	"actions.variables.creation.failed": "Neizdevās pievienot mainīgo.",
+	"actions.variables.deletion.success": "Mainīgais tika noņemts.",
+	"actions.variables.deletion.failed": "Neizdevās noņemt mainīgo.",
+	"actions.variables.not_found": "Neizdevās atrast mainīgo.",
+	"actions.variables.edit": "Labot mainīgo",
+	"actions.variables.description": "Mainīgie tiks padoti noteiktām darbībām, un citādāk tos nevar nolasīt.",
+	"actions.variables.deletion.description": "Mainīgā noņemšana ir neatgriezeniska un nav atsaucama. Turpināt?",
+	"actions.variables.deletion": "Noņemt mainīgo",
+	"actions.variables.none": "Vēl nav neviena mainīgā.",
+	"actions.variables.creation": "Pievienot mainīgo",
+	"actions.variables.management": "Pārvaldīt mainīgos",
+	"actions.variables": "Mainīgie",
+	"webauthn.error.timeout": "Iestājās noildze, pirms varēja nolasīt atslēgu. Lūgums pārlādēt šo lapu un mēģināt vēlreiz.",
+	"webauthn.error.empty": "Jānorāda šīs atslēgas nosaukums.",
+	"webauthn.error.duplicated": "Drošības atslēga nav atļauta šim pieprasījumam. Lūgums pārliecināties, ka šī atslēga nav jau reģistrēta.",
+	"webauthn.error.unable_to_process": "Serveris nevarēja apstrādāt pieprasījumu.",
+	"webauthn.error.insecure": "WebAuthn atbalsta tikai drošus savienojumus. Pārbaudīšanai ar HTTP var izmantot pirmavotu \"localhost\" vai \"127.0.0.1\"",
+	"webauthn.error.unknown": "Atgadījās nezināma kļūda. Lūgums mēģināt vēlreiz.",
+	"webauthn.unsupported_browser": "Pārlūks pašlaik nenodrošina WebAuthn.",
+	"webauthn.error": "Nevar nolasīt drošības atslēgu.",
+	"webauthn.use_twofa": "Izmantot divpakāpju kodu no sava tālruņa",
+	"webauthn.press_button": "Lūgums nospiest pogu uz savas drošības atslēgas…",
+	"webauthn.sign_in": "Jānospiež poga uz drošības atslēgas. Ja tai nav pogas, drošības atslēga ir atkārtoti jāievieto.",
+	"webauthn.insert_key": "Jāievieto sava drošības atslēga",
 	"counters.n_commits": {
 		"zero": "%s iesūtījumu",
 		"one": "%s iesūtījums",
diff --git a/options/locale_next/locale_mk.json b/options/locale_next/locale_mk.json
index e24ba5b473..cd4b0f830c 100644
--- a/options/locale_next/locale_mk.json
+++ b/options/locale_next/locale_mk.json
@@ -1,4 +1,16 @@
 {
+	"webauthn.error.timeout": "Времето истечало пред да може да се прочита вашиот клуч. Ве молиме освежете ја оваа страница и обидете се повторно.",
+	"webauthn.error.empty": "Мора да е поставено име за овој клуч.",
+	"webauthn.error.duplicated": "Безбедносниот клуч не е дозволен за овој барање. Ве молиме уверете се дека клучот не е веќе регистриран.",
+	"webauthn.error.unable_to_process": "Серверот не можеше да ја обработи вашето барање.",
+	"webauthn.error.insecure": "WebAuthn поддржува само сигурни врски. За тестирање преку HTTP, можете да го користите изворот \"localhost\" или \"127.0.0.1\"",
+	"webauthn.error.unknown": "Се случи непозната грешка. Ве молиме обидете се повторно.",
+	"webauthn.unsupported_browser": "Вашиот прелистувач во моментов не ја поддржува WebAuthn.",
+	"webauthn.error": "Неможно да се чита бесбедносен клуч.",
+	"webauthn.use_twofa": "Користете еден двофакторски код од вашиот телефон",
+	"webauthn.press_button": "Притиснете го копчето на вашиот безбедносен клуч…",
+	"webauthn.sign_in": "Притиснете го копчето на вашиот безбедносен клуч. Ако вашиот безбедносен клуч нема копче, повторно вметнете го.",
+	"webauthn.insert_key": "Вметнете го вашиот безбедносен клуч",
 	"home.welcome.no_activity": "Нема активност",
 	"home.welcome.activity_hint": "Сè уште нема ништо во вашиот фид. Вашите активности и дејства од репозиториумите што ги следите ќе се појават овде.",
 	"home.explore_repos": "Истражи репозиториуми",
diff --git a/options/locale_next/locale_nb_NO.json b/options/locale_next/locale_nb_NO.json
index d18da5792b..1cc4caa13c 100644
--- a/options/locale_next/locale_nb_NO.json
+++ b/options/locale_next/locale_nb_NO.json
@@ -1,4 +1,16 @@
 {
+	"webauthn.error.timeout": "Et tidsavbrudd oppsto før nøkkelen din kunne leses. Vennligst last inn siden på nytt og prøv igjen.",
+	"webauthn.error.empty": "Du må gi nøkkelen et navn.",
+	"webauthn.error.duplicated": "Sikkerhetsnøkkelen er ikke tillatt for denne forespørselen. Vennligst sørg for at nøkkelen ikke allerede er registrert.",
+	"webauthn.error.unable_to_process": "Tjeneren kunne ikke behandle forespørselen din.",
+	"webauthn.error.insecure": "WebAuhn støtter kun sikre forbindelser. For testing over HTTP kan du bruke verten \"localhost\" eller \"127.0.0.1\"",
+	"webauthn.error.unknown": "En ukjent feil oppstod. Vennligst prøv igjen.",
+	"webauthn.unsupported_browser": "Nettleseren din støtter ikke WebAuthn.",
+	"webauthn.error": "Klarte ikke lese sikkerhetsnøkkelen.",
+	"webauthn.use_twofa": "Bruk tofaktorkode fra din mobil",
+	"webauthn.press_button": "Vennligst trykk på knappen på sikkerhetsnøkkelen…",
+	"webauthn.sign_in": "Trykk på knappen på sikkerhetsnøkkelen din. Dersom nøkkelen din ikke har en knapp, sett den inn på nytt.",
+	"webauthn.insert_key": "Skriv inn din sikkerhetsnøkkel",
 	"relativetime.1day": "i går",
 	"moderation.abuse_category.other_violations": "Andre regel overtredelser",
 	"moderation.report_remarks": "Kommentar",
diff --git a/options/locale_next/locale_nds.json b/options/locale_next/locale_nds.json
index b148c0efdb..15d3326530 100644
--- a/options/locale_next/locale_nds.json
+++ b/options/locale_next/locale_nds.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "All Dingen in de Slang sünd wegdaan worden.",
+	"admin.monitor.queue.settings.remove_all_items": "All wegdoon",
+	"admin.monitor.queue.settings.changed": "Instellens verneeit",
+	"admin.monitor.queue.settings.submit": "Instellens vernejen",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Hoogste Tahl vun Rieters mutt eene Tahl wesen",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Stedenwies %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Hoogste Tahl vun Rieters",
+	"admin.monitor.queue.settings.description": "Vörraden wassen as nödig, wenn hör Rieters-Slang blockeert.",
+	"admin.monitor.queue.settings.title": "Vörraad-Instellens",
+	"admin.monitor.queue.review_add": "Rieters nakieken / hentofögen",
+	"admin.monitor.queue.numberinqueue": "Tahl in de Slang",
+	"admin.monitor.queue.maxnumberworkers": "Hoogste Tahl vun Rieters",
+	"admin.monitor.queue.activeworkers": "Aktiiv Rieters",
+	"admin.monitor.queue.numberworkers": "Tahl vun Rieters",
+	"admin.monitor.queue.exemplar": "Musteraard",
+	"admin.monitor.queue.type": "Aard",
+	"admin.monitor.queue.name": "Naam",
+	"admin.monitor.queue": "Slang: %s",
+	"admin.monitor.queues": "Slangen",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA utknipst",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA anknipst",
+	"admin.users.list_status_filter.not_prohibit_login": "Anmellen verlöven",
+	"admin.users.list_status_filter.is_prohibit_login": "Anmellen verseggen",
+	"admin.users.list_status_filter.not_restricted": "Unbegrenzt",
+	"admin.users.list_status_filter.is_restricted": "Begrenzt",
+	"admin.users.list_status_filter.not_admin": "Keen Chef",
+	"admin.users.list_status_filter.is_admin": "Chef",
+	"admin.users.list_status_filter.not_active": "Nich aktiiv",
+	"admin.users.list_status_filter.is_active": "Aktiiv",
+	"admin.users.list_status_filter.reset": "Torüggsetten",
+	"admin.users.list_status_filter.menu_text": "Filter",
+	"admin.system_status.gc_times": "GC-Tieden",
+	"admin.system_status.last_gc_pause": "Leste GC-Paus",
+	"admin.system_status.total_gc_pause": "GC-Paus all tosamen",
+	"admin.system_status.last_gc_time": "Tied siet lestem GC",
+	"admin.system_status.next_gc_recycle": "Anner GC-Müllavhalen",
+	"admin.system_status.other_system_allocation_obtained": "Anner Systeemtowiesens erhollen",
+	"admin.system_status.gc_metadata_obtained": "Wiedere Informatioonen för GC erhollen",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profileren-Emmer-Prüfsummtabell erhollen",
+	"admin.system_status.mcache_structures_obtained": "MCache-Struktuuren erhollen",
+	"admin.system_status.mcache_structures_usage": "MCache-Struktuuren-Bruuk",
+	"admin.system_status.mspan_structures_obtained": "MSpan-Struktuuren erhollen",
+	"admin.system_status.mspan_structures_usage": "MSpan-Struktuuren-Bruuk",
+	"admin.system_status.stack_memory_obtained": "Stapelspieker erhollen",
+	"admin.system_status.bootstrap_stack_usage": "Bootstrap-Stapelbruuk",
+	"admin.system_status.heap_objects": "Hoopobjekten",
+	"admin.system_status.heap_memory_released": "Hoopspieker freeigeven",
+	"admin.system_status.heap_memory_in_use": "Hoopspieker bruukt",
+	"admin.system_status.heap_memory_idle": "Hoopspieker mit nix to doon",
+	"admin.system_status.heap_memory_obtained": "Hoopspieker erhollen",
+	"admin.system_status.current_heap_usage": "Stedenwies Hoopbruuk",
+	"admin.system_status.memory_free_times": "Spieker-Freeigevens",
+	"admin.system_status.memory_allocate_times": "Spieker-Towiesens",
+	"admin.system_status.pointer_lookup_times": "Wieser-Nakiek-Tieden",
+	"admin.system_status.memory_obtained": "Spieker erhollen",
+	"admin.system_status.total_memory_allocated": "Spieker towiesen all tosamen",
+	"admin.system_status.current_memory_usage": "Stedenwies Spiekerbruuk",
+	"admin.system_status.current_goroutine": "Stedenwies Go-Routinen",
+	"admin.system_status.server_uptime": "Server-Bedrievstied",
+	"markup.filepreview.truncated": "Utkiek is ofsneden worden",
+	"markup.filepreview.lines": "Riegen %[1]d bit %[2]d in %[3]s",
+	"markup.filepreview.line": "Rieg %[1]d in %[2]s",
+	"actions.variables.update.success": "De Variaabel is bewarkt worden.",
+	"actions.variables.update.failed": "Kunn Variaabel nich bewarken.",
+	"actions.variables.creation.success": "De Variaabel »%s« is hentoföögt worden.",
+	"actions.variables.creation.failed": "Kunn Variaabel nich hentofögen.",
+	"actions.variables.deletion.success": "De Variaabel is wegdaan worden.",
+	"actions.variables.deletion.failed": "Kunn Variaabel nich wegdoon.",
+	"actions.variables.not_found": "Kunn de Variaabel nich finnen.",
+	"actions.variables.edit": "Variaabel bewarken",
+	"actions.variables.description": "Variaabeln worden an wisse Aktioonen övergeven un könen anners nich lesen worden.",
+	"actions.variables.deletion.description": "Eene Variaabel wegtodoon is för all Tieden un kann nich torüggnohmen worden. Wiedermaken?",
+	"actions.variables.deletion": "Variaabel wegdoon",
+	"actions.variables.none": "Dat gifft noch keene Variaabeln.",
+	"actions.variables.creation": "Variaabel hentofögen",
+	"actions.variables.management": "Variaabeln verwalten",
+	"actions.variables": "Variaabeln",
+	"webauthn.error.timeout": "Tied överweggahn ehr dien Slötel lesen worden kunn. Bidde laad deese Sied neei un versöök dat noch eenmaal.",
+	"webauthn.error.empty": "Du muttst de Slötel eenen Naam geven.",
+	"webauthn.error.duplicated": "De Sekerheids-Slötel is för deese Anfraag nich verlöövt. Bidde wees wiss, dat de Slötel nich al vermarkt is.",
+	"webauthn.error.unable_to_process": "De Server kunn diene Anfraag nich verarbeiden.",
+	"webauthn.error.insecure": "WebAuthn unnerstütt blots seker Verbinnens. Wenn du över HTTP testen willst, kannst du de Quell »localhost« of »127.0.0.1« bruken",
+	"webauthn.error.unknown": "Een unbekannter Fehler is uptreden. Bidde versöök dat noch eenmaal.",
+	"webauthn.unsupported_browser": "Dien Browser unnerstütt stedenwies WebAuthn nich.",
+	"webauthn.error": "Kunn dienen Sekerheids-Slötel nich lesen.",
+	"webauthn.use_twofa": "Bruuk eene Twee-Faktooren-Tahl vun dienem Telefoon",
+	"webauthn.press_button": "Bidde drück de Knoop up dienem Sekerheids-Slötel …",
+	"webauthn.sign_in": "Drück de Knoop up dienem Sekerheids-Slötel. Wenn dien Slötel keenen Knoop hett, steek ’t ut un weer in.",
+	"webauthn.insert_key": "Steek dienen Sekerheids-Slötel in",
 	"counters.n_commits": {
 		"one": "%s Kommitteren",
 		"other": "%s Kommitterens"
diff --git a/options/locale_next/locale_nl-NL.json b/options/locale_next/locale_nl-NL.json
index a413e22cae..dc49ebdccb 100644
--- a/options/locale_next/locale_nl-NL.json
+++ b/options/locale_next/locale_nl-NL.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Alle items in de wachtrij zijn verwijderd.",
+	"admin.monitor.queue.settings.remove_all_items": "Alles verwijderen",
+	"admin.monitor.queue.settings.changed": "Instellingen bijgewerkt",
+	"admin.monitor.queue.settings.submit": "Instellingen bijwerken",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Maximaal aantal workers moet een nummer zijn",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Momenteel %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Maximum aantal workers",
+	"admin.monitor.queue.settings.description": "Pools groeien dynamisch in reactie op het blokkeren van hun wachtrijen.",
+	"admin.monitor.queue.settings.title": "Pool instellingen",
+	"admin.monitor.queue.review_add": "Werkers beoordelen of toevoegen",
+	"admin.monitor.queue.numberinqueue": "Aantal in wachtrij",
+	"admin.monitor.queue.maxnumberworkers": "Maximum aantal werkers",
+	"admin.monitor.queue.activeworkers": "Actieve werkers",
+	"admin.monitor.queue.numberworkers": "Aantal werkers",
+	"admin.monitor.queue.exemplar": "Type voorbeeld",
+	"admin.monitor.queue.type": "Type",
+	"admin.monitor.queue.name": "Naam",
+	"admin.monitor.queue": "Wachtrij: %s",
+	"admin.monitor.queues": "Wachtrijen",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA uitgeschakeld",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA ingeschakeld",
+	"admin.users.list_status_filter.not_prohibit_login": "Inloggen toestaan",
+	"admin.users.list_status_filter.is_prohibit_login": "Inloggen verbieden",
+	"admin.users.list_status_filter.not_restricted": "Niet beperkt",
+	"admin.users.list_status_filter.is_restricted": "Beperkt",
+	"admin.users.list_status_filter.not_admin": "Niet beheerder",
+	"admin.users.list_status_filter.is_admin": "Beheerder",
+	"admin.users.list_status_filter.not_active": "Inactief",
+	"admin.users.list_status_filter.is_active": "Actief",
+	"admin.users.list_status_filter.reset": "Reset",
+	"admin.users.list_status_filter.menu_text": "Filter",
+	"admin.system_status.gc_times": "GC verwerkingen",
+	"admin.system_status.last_gc_pause": "Laatste GC verwerkingstijd",
+	"admin.system_status.total_gc_pause": "Totaal GC verwerkingstijd",
+	"admin.system_status.last_gc_time": "Sinds vorige GC verwerkingstijd",
+	"admin.system_status.next_gc_recycle": "Volgende GC recycle",
+	"admin.system_status.other_system_allocation_obtained": "Andere systeem toewijzing verkregen",
+	"admin.system_status.gc_metadata_obtained": "GC metadada verkregen",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profilering emmer hashtabel verkregen",
+	"admin.system_status.mcache_structures_obtained": "MCache structuren verkregen",
+	"admin.system_status.mcache_structures_usage": "MCache structuren gebruik",
+	"admin.system_status.mspan_structures_obtained": "MSpan structuren verkregen",
+	"admin.system_status.mspan_structures_usage": "MSpan structuren gebruik",
+	"admin.system_status.stack_memory_obtained": "Stapel geheugen verkregen",
+	"admin.system_status.bootstrap_stack_usage": "Bootstrap Stack gebruik",
+	"admin.system_status.heap_objects": "Heap-objecten",
+	"admin.system_status.heap_memory_released": "Heap geheugen vrijgegeven",
+	"admin.system_status.heap_memory_in_use": "Heap geheugen in gebruik",
+	"admin.system_status.heap_memory_idle": "Heap geheugen inactief",
+	"admin.system_status.heap_memory_obtained": "Heap geheugen verkregen",
+	"admin.system_status.current_heap_usage": "Huidige heap gebruik",
+	"admin.system_status.memory_free_times": "Geheugen vrjigemaakt",
+	"admin.system_status.memory_allocate_times": "Geheugentoewijzingen",
+	"admin.system_status.pointer_lookup_times": "Aanwijzer Lookup keer",
+	"admin.system_status.memory_obtained": "Geheugen gebruikt",
+	"admin.system_status.total_memory_allocated": "Totaal toegewezen geheugen",
+	"admin.system_status.current_memory_usage": "Huidig geheugen gebruik",
+	"admin.system_status.current_goroutine": "Huidige goroutines",
+	"admin.system_status.server_uptime": "Uptime server",
+	"markup.filepreview.truncated": "Voorbeeld is ingekort",
+	"markup.filepreview.lines": "Lijnen %[1]d naar %[2]d in %[3]s",
+	"markup.filepreview.line": "Lijn %[1]d in %[2]s",
+	"actions.variables.update.success": "De variabele is bewerkt.",
+	"actions.variables.update.failed": "Mislukt bij het bewerken van variabele.",
+	"actions.variables.creation.success": "De variabele \"%s\" is toegevoegd.",
+	"actions.variables.creation.failed": "Mislukt om variable toe te voegen.",
+	"actions.variables.deletion.success": "De variabele is verwijderd.",
+	"actions.variables.deletion.failed": "Mislukt om variabele te verwijderen.",
+	"actions.variables.not_found": "De variabele kon niet gevonden worden.",
+	"actions.variables.edit": "Variabele bewerken",
+	"actions.variables.description": "Variabelen worden doorgegeven aan bepaalde acties en kunnen anders niet worden gelezen.",
+	"actions.variables.deletion.description": "Een variabele verwijderen is permanent en kan niet ongedaan worden gemaakt. Doorgaan?",
+	"actions.variables.deletion": "Variabel verwijderen",
+	"actions.variables.none": "Er zijn nog geen variabelen.",
+	"actions.variables.creation": "Variabele toevoegen",
+	"actions.variables.management": "Variabelenbeheer",
+	"actions.variables": "Variabelen",
+	"webauthn.error.timeout": "Time-out bereikt voordat uw sleutel kon worden gelezen. Herlaad deze pagina en probeer het opnieuw.",
+	"webauthn.error.empty": "U moet een naam voor deze sleutel instellen.",
+	"webauthn.error.duplicated": "De beveiligingssleutel is voor dit verzoek niet toegestaan. Controleer alstublieft of de sleutel niet al is geregistreerd.",
+	"webauthn.error.unable_to_process": "De server kon uw verzoek niet verwerken.",
+	"webauthn.error.insecure": "WebAuthn ondersteunt alleen beveiligde verbindingen. Om te testen via HTTP, kan je als systeemnaam \"localhost\" of \"127.0.0.1\" gebruiken",
+	"webauthn.error.unknown": "Er is een onbekende fout opgetreden. Probeer het opnieuw.",
+	"webauthn.unsupported_browser": "Uw browser ondersteunt momenteel geen WebAuthn.",
+	"webauthn.error": "Kon uw beveiligingssleutel niet lezen.",
+	"webauthn.use_twofa": "Gebruik een tweefactor code van uw telefoon",
+	"webauthn.press_button": "Druk alstublieft op de knop van uw beveiligingssleutel…",
+	"webauthn.sign_in": "Druk op de knop van uw beveiligingssleutel. Als uw beveiligingssleutel geen knop heeft, sluit deze dan opnieuw aan.",
+	"webauthn.insert_key": "Sluit uw beveiligingssleutel aan",
 	"counters.n_commits": {
 		"one": "%s commit",
 		"other": "%s commits"
diff --git a/options/locale_next/locale_pl-PL.json b/options/locale_next/locale_pl-PL.json
index 08f6f99c96..41e84196d8 100644
--- a/options/locale_next/locale_pl-PL.json
+++ b/options/locale_next/locale_pl-PL.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Wszystkie elementy w kolejce zostały usunięte.",
+	"admin.monitor.queue.settings.remove_all_items": "Usuń wszystkie",
+	"admin.monitor.queue.settings.changed": "Zaktualizowano ustawienia",
+	"admin.monitor.queue.settings.submit": "Aktualizuj ustawienia",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Maksymalna liczba procesów pracujących musi być liczbą",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Obecnie %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Maksymalna liczba procesów pracujących",
+	"admin.monitor.queue.settings.description": "Pule rosną dynamicznie w odpowiedzi na blokadę kolejki procesów pracujących.",
+	"admin.monitor.queue.settings.title": "Ustawienia puli",
+	"admin.monitor.queue.review_add": "Sprawdź / dodaj procesy pracujące",
+	"admin.monitor.queue.numberinqueue": "Liczba w kolejce",
+	"admin.monitor.queue.maxnumberworkers": "Maksymalna Liczba procesów pracujących",
+	"admin.monitor.queue.activeworkers": "Aktywne procesy pracujące",
+	"admin.monitor.queue.numberworkers": "Liczba procesów pracujących",
+	"admin.monitor.queue.exemplar": "Przykładowy typ",
+	"admin.monitor.queue.type": "Typ",
+	"admin.monitor.queue.name": "Nazwa",
+	"admin.monitor.queue": "Kolejka: %s",
+	"admin.monitor.queues": "Kolejki",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA wyłączone",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA włączone",
+	"admin.users.list_status_filter.not_prohibit_login": "Zezwól na logowanie",
+	"admin.users.list_status_filter.is_prohibit_login": "Zabroń logowania",
+	"admin.users.list_status_filter.not_restricted": "Nie ograniczony",
+	"admin.users.list_status_filter.is_restricted": "Ograniczone",
+	"admin.users.list_status_filter.not_admin": "Nie administrator",
+	"admin.users.list_status_filter.is_admin": "Administrator",
+	"admin.users.list_status_filter.not_active": "Nieaktywne",
+	"admin.users.list_status_filter.is_active": "Aktywne",
+	"admin.users.list_status_filter.reset": "Zresetuj",
+	"admin.users.list_status_filter.menu_text": "Filtr",
+	"admin.system_status.gc_times": "Ilość wywołań GC",
+	"admin.system_status.last_gc_pause": "Ostatnie wstrzymanie przez GC",
+	"admin.system_status.total_gc_pause": "Sumaryczny czas wstrzymania przez GC",
+	"admin.system_status.last_gc_time": "Czas od ostatniego wywołania GC",
+	"admin.system_status.next_gc_recycle": "Następne wywołanie GC",
+	"admin.system_status.other_system_allocation_obtained": "Inne uzyskane alokacje systemowe",
+	"admin.system_status.gc_metadata_obtained": "Ilość metadanych uzyskanych przez GC",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Uzyskana tablica haszująca profilowania",
+	"admin.system_status.mcache_structures_obtained": "Uzyskane struktury MCache",
+	"admin.system_status.mcache_structures_usage": "Użycie struktur MCache",
+	"admin.system_status.mspan_structures_obtained": "Uzyskane struktury MSpan",
+	"admin.system_status.mspan_structures_usage": "Użycie struktur MSpan",
+	"admin.system_status.stack_memory_obtained": "Uzyskana pamięć stosu",
+	"admin.system_status.bootstrap_stack_usage": "Użycie stosu bootstrap",
+	"admin.system_status.heap_objects": "Ilość obiektów na stercie",
+	"admin.system_status.heap_memory_released": "Zwolniona pamięć sterty",
+	"admin.system_status.heap_memory_in_use": "Używana pamięć sterty",
+	"admin.system_status.heap_memory_idle": "Bezczynna pamięć sterty",
+	"admin.system_status.heap_memory_obtained": "Uzyskana pamięć sterty",
+	"admin.system_status.current_heap_usage": "Bieżące użycie sterty",
+	"admin.system_status.memory_free_times": "Zwolnienie pamięci",
+	"admin.system_status.memory_allocate_times": "Alokacje pamięci",
+	"admin.system_status.pointer_lookup_times": "Czas określania wskaźników",
+	"admin.system_status.memory_obtained": "Pamięć uzyskana",
+	"admin.system_status.total_memory_allocated": "Całkowita przydzielona pamięć",
+	"admin.system_status.current_memory_usage": "Bieżące użycie pamięci",
+	"admin.system_status.current_goroutine": "Bieżące goroutines",
+	"admin.system_status.server_uptime": "Czas pracy serwera",
+	"markup.filepreview.truncated": "Podgląd został przycięty",
+	"markup.filepreview.lines": "Linie %[1]d do %[2]d w %[3]s",
+	"markup.filepreview.line": "Linia %[1]d w %[2]s",
+	"actions.variables.update.success": "Zmienna została zmieniona.",
+	"actions.variables.update.failed": "Nie udało się zmienić zmiennej.",
+	"actions.variables.creation.success": "Zmienna \"%s\" została dodana.",
+	"actions.variables.creation.failed": "Nie udało się dodać zmiennej.",
+	"actions.variables.deletion.success": "Zmienna została usunięta.",
+	"actions.variables.deletion.failed": "Nie udało się usunąć zmiennej.",
+	"actions.variables.not_found": "Nie udało się znaleźć zmiennej.",
+	"actions.variables.edit": "Edytuj Zmienną",
+	"actions.variables.description": "Zmienne będą przekazane pewnym akcjom, nie mogą być odczytane inaczej.",
+	"actions.variables.deletion.description": "Usunięcie zmiennej jest permanentne i nie może zostać cofnięte. Kontynuować?",
+	"actions.variables.deletion": "Usuń zmienną",
+	"actions.variables.none": "Nie ma jeszcze zmiennych.",
+	"actions.variables.creation": "Dodaj zmienną",
+	"actions.variables.management": "Zarządzaj zmiennymi",
+	"actions.variables": "Zmienne",
+	"webauthn.error.timeout": "Osiągnięto limit czasu zanim Twój klucz może zostać odczytany. Odśwież stronę i spróbuj ponownie.",
+	"webauthn.error.empty": "Musisz ustawić nazwę dla tego klucza.",
+	"webauthn.error.duplicated": "Klucz bezpieczeństwa nie jest dozwolony dla tego żądania. Upewnij się, że klucz nie jest już zarejestrowany.",
+	"webauthn.error.unable_to_process": "Serwer nie mógł obsłużyć Twojego żądania.",
+	"webauthn.error.insecure": "`WebAuthn obsługuje tylko bezpieczne połączenia. Do testowania przez HTTP można użyć \"localhost\" lub \"127.0.0.1\"`",
+	"webauthn.error.unknown": "Wystąpił nieznany błąd. Spróbuj ponownie.",
+	"webauthn.unsupported_browser": "Twoja przeglądarka nie obsługuje obecnie WebAuthn.",
+	"webauthn.error": "Nie można odczytać Twojego klucza bezpieczeństwa.",
+	"webauthn.use_twofa": "Użyj kodu uwierzytelniania dwuskładnikowego ze swojego telefonu",
+	"webauthn.press_button": "Naciśnij przycisk na swoim kluczu bezpieczeństwa…",
+	"webauthn.sign_in": "Naciśnij przycisk na swoim kluczu bezpieczeństwa. Jeśli go nie posiada, podłącz go ponownie.",
+	"webauthn.insert_key": "Podłącz swój klucz bezpieczeństwa",
 	"counters.n_commits": {
 		"one": "%s commit",
 		"many": "%s commity"
diff --git a/options/locale_next/locale_pt-BR.json b/options/locale_next/locale_pt-BR.json
index d285deaa70..ea5832a8e4 100644
--- a/options/locale_next/locale_pt-BR.json
+++ b/options/locale_next/locale_pt-BR.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Todos os itens da fila foram removidos.",
+	"admin.monitor.queue.settings.remove_all_items": "Remover tudo",
+	"admin.monitor.queue.settings.changed": "Configurações atualizadas",
+	"admin.monitor.queue.settings.submit": "Atualizar configurações",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Número máximo de executores deve ser um número",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Atualmente %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Número máximo de executores",
+	"admin.monitor.queue.settings.description": "Os pools crescem dinamicamente quando as filas de seus workers ficam bloqueadas.",
+	"admin.monitor.queue.settings.title": "Configurações do pool",
+	"admin.monitor.queue.review_add": "Revisar / adicionar workers",
+	"admin.monitor.queue.numberinqueue": "Número na fila",
+	"admin.monitor.queue.maxnumberworkers": "Número máximo de workers",
+	"admin.monitor.queue.activeworkers": "Processos ativos",
+	"admin.monitor.queue.numberworkers": "Número de workers",
+	"admin.monitor.queue.exemplar": "Tipo de modelo",
+	"admin.monitor.queue.type": "Tipo",
+	"admin.monitor.queue.name": "Nome",
+	"admin.monitor.queue": "Fila: %s",
+	"admin.monitor.queues": "Filas",
+	"admin.users.list_status_filter.not_2fa_enabled": "Autenticação em duas etapas desativada",
+	"admin.users.list_status_filter.is_2fa_enabled": "Autenticação de dois fatores ativada",
+	"admin.users.list_status_filter.not_prohibit_login": "Permitir login",
+	"admin.users.list_status_filter.is_prohibit_login": "Proibir login",
+	"admin.users.list_status_filter.not_restricted": "Não restrito",
+	"admin.users.list_status_filter.is_restricted": "Restrito",
+	"admin.users.list_status_filter.not_admin": "Não administrador",
+	"admin.users.list_status_filter.is_admin": "Administrador",
+	"admin.users.list_status_filter.not_active": "Inativo",
+	"admin.users.list_status_filter.is_active": "Ativo",
+	"admin.users.list_status_filter.reset": "Reset",
+	"admin.users.list_status_filter.menu_text": "Filtro",
+	"admin.system_status.gc_times": "Número de execuções do GC",
+	"admin.system_status.last_gc_pause": "Última pausa de GC",
+	"admin.system_status.total_gc_pause": "Pausa total de GC",
+	"admin.system_status.last_gc_time": "Tempo desde última GC",
+	"admin.system_status.next_gc_recycle": "Próxima reciclagem do GC",
+	"admin.system_status.other_system_allocation_obtained": "Outra alocação de sistema obtida",
+	"admin.system_status.gc_metadata_obtained": "Metadados do GC obtidos",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Hash table de profiling bucket obtida",
+	"admin.system_status.mcache_structures_obtained": "Estruturas MCache obtidas",
+	"admin.system_status.mcache_structures_usage": "Uso de estruturas MCache",
+	"admin.system_status.mspan_structures_obtained": "Estruturas MSpan obtidas",
+	"admin.system_status.mspan_structures_usage": "Uso de estruturas MSpan",
+	"admin.system_status.stack_memory_obtained": "Memória de pilha obtida",
+	"admin.system_status.bootstrap_stack_usage": "Uso de pilha bootstrap",
+	"admin.system_status.heap_objects": "Objetos na heap",
+	"admin.system_status.heap_memory_released": "Memória de heap liberada",
+	"admin.system_status.heap_memory_in_use": "Memória de heap em uso",
+	"admin.system_status.heap_memory_idle": "Memória de heap ociosa",
+	"admin.system_status.heap_memory_obtained": "Memória de heap obtida",
+	"admin.system_status.current_heap_usage": "Uso atual da heap",
+	"admin.system_status.memory_free_times": "Liberações de memória",
+	"admin.system_status.memory_allocate_times": "Alocações de memória",
+	"admin.system_status.pointer_lookup_times": "Número de consultas a ponteiros",
+	"admin.system_status.memory_obtained": "Memória obtida",
+	"admin.system_status.total_memory_allocated": "Total de memória alocada",
+	"admin.system_status.current_memory_usage": "Uso de memória atual",
+	"admin.system_status.current_goroutine": "Goroutines atuais",
+	"admin.system_status.server_uptime": "Tempo de atividade do servidor",
+	"markup.filepreview.truncated": "Pré-visualização truncada",
+	"markup.filepreview.lines": "Linhas %[1]d a %[2]d em %[3]s",
+	"markup.filepreview.line": "Linha %[1]d em %[2]s",
+	"actions.variables.update.success": "A variável foi editada.",
+	"actions.variables.update.failed": "Falha ao editar a variável.",
+	"actions.variables.creation.success": "A variável \"%s\" foi adicionada.",
+	"actions.variables.creation.failed": "Falha ao adicionar a variável.",
+	"actions.variables.deletion.success": "A variável foi removida.",
+	"actions.variables.deletion.failed": "Falha ao remover a variável.",
+	"actions.variables.not_found": "Não foi possível encontrar a variável.",
+	"actions.variables.edit": "Editar variável",
+	"actions.variables.description": "As variáveis serão passadas para certas Actions e não poderão ser lidas de outra forma.",
+	"actions.variables.deletion.description": "Apagar uma variável é permanente e não pode ser desfeito. Continuar?",
+	"actions.variables.deletion": "Remover variável",
+	"actions.variables.none": "Ainda não há variáveis.",
+	"actions.variables.creation": "Adicionar variável",
+	"actions.variables.management": "Gerenciar variáveis",
+	"actions.variables": "Variáveis",
+	"webauthn.error.timeout": "Não foi possível ler a sua chave de segurança antes do tempo limite. Atualize a página e tente novamente.",
+	"webauthn.error.empty": "Você deve definir um nome para esta chave.",
+	"webauthn.error.duplicated": "A chave de segurança não é permitida para esta solicitação. Por favor, certifique-se que a chave já não está registrada.",
+	"webauthn.error.unable_to_process": "O servidor não pôde processar sua solicitação.",
+	"webauthn.error.insecure": "WebAuthn suporta apenas conexões seguras. Para testar via HTTP, você pode usar a origem \"localhost\" ou \"127.0.0.1\"",
+	"webauthn.error.unknown": "Ocorreu um erro desconhecido. Tente novamente.",
+	"webauthn.unsupported_browser": "Seu navegador não oferece suporte ao WebAuthn.",
+	"webauthn.error": "Não foi possível ler sua chave de segurança.",
+	"webauthn.use_twofa": "Use um código de duas etapas do seu telefone",
+	"webauthn.press_button": "Pressione o botão na sua chave de segurança…",
+	"webauthn.sign_in": "Pressione o botão na sua chave de segurança. Caso a sua chave de segurança não possuir um botão, insira-a novamente.",
+	"webauthn.insert_key": "Insira sua chave de segurança",
 	"counters.n_commits": {
 		"one": "%s commit",
 		"many": "%s commits",
diff --git a/options/locale_next/locale_pt-PT.json b/options/locale_next/locale_pt-PT.json
index f4d2365fab..9be71cfa06 100644
--- a/options/locale_next/locale_pt-PT.json
+++ b/options/locale_next/locale_pt-PT.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Todos os itens da fila foram removidos.",
+	"admin.monitor.queue.settings.remove_all_items": "Remover tudo",
+	"admin.monitor.queue.settings.changed": "Configurações modificadas",
+	"admin.monitor.queue.settings.submit": "Modificar configurações",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "O número máximo de trabalhadores tem que ser um número",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "De momento %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "N.º máximo de trabalhadores",
+	"admin.monitor.queue.settings.description": "Agregados crescem dinamicamente em resposta aos bloqueios da sua fila de trabalhadores.",
+	"admin.monitor.queue.settings.title": "Configurações do agregado",
+	"admin.monitor.queue.review_add": "Rever / adicionar trabalhadores",
+	"admin.monitor.queue.numberinqueue": "N.º na fila",
+	"admin.monitor.queue.maxnumberworkers": "N.º máximo de trabalhadores",
+	"admin.monitor.queue.activeworkers": "Trabalhadores operantes",
+	"admin.monitor.queue.numberworkers": "N.º de trabalhadores",
+	"admin.monitor.queue.exemplar": "Tipo de exemplar",
+	"admin.monitor.queue.type": "Tipo",
+	"admin.monitor.queue.name": "Nome",
+	"admin.monitor.queue": "Fila: %s",
+	"admin.monitor.queues": "Filas",
+	"admin.users.list_status_filter.not_2fa_enabled": "Autenticação em dois passos desabilitada",
+	"admin.users.list_status_filter.is_2fa_enabled": "Autenticação em dois passos habilitada",
+	"admin.users.list_status_filter.not_prohibit_login": "Permitir início de sessão",
+	"admin.users.list_status_filter.is_prohibit_login": "Proibir início de sessão",
+	"admin.users.list_status_filter.not_restricted": "Não restrito/a",
+	"admin.users.list_status_filter.is_restricted": "Restrito",
+	"admin.users.list_status_filter.not_admin": "Não Administrador",
+	"admin.users.list_status_filter.is_admin": "Administrador",
+	"admin.users.list_status_filter.not_active": "Desligado",
+	"admin.users.list_status_filter.is_active": "Ligado",
+	"admin.users.list_status_filter.reset": "Reiniciar",
+	"admin.users.list_status_filter.menu_text": "Filtro",
+	"admin.system_status.gc_times": "N.º de recolhas de lixo",
+	"admin.system_status.last_gc_pause": "Última pausa da recolha de lixo",
+	"admin.system_status.total_gc_pause": "Pausa total da recolha de lixo",
+	"admin.system_status.last_gc_time": "Tempo decorrido desde a última recolha de lixo",
+	"admin.system_status.next_gc_recycle": "Próxima reciclagem da recolha de lixo",
+	"admin.system_status.other_system_allocation_obtained": "Outras alocações de sistema obtidas",
+	"admin.system_status.gc_metadata_obtained": "Metadados obtidos da recolha de lixo",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Perfil obtido da tabela de hash do balde",
+	"admin.system_status.mcache_structures_obtained": "Estruturas MCache obtidas",
+	"admin.system_status.mcache_structures_usage": "Uso das estruturas MCache",
+	"admin.system_status.mspan_structures_obtained": "Estruturas MSpan obtidas",
+	"admin.system_status.mspan_structures_usage": "Uso das estruturas MSpan",
+	"admin.system_status.stack_memory_obtained": "Memória da pilha obtida",
+	"admin.system_status.bootstrap_stack_usage": "Uso da pilha de arranque",
+	"admin.system_status.heap_objects": "Elementos heap",
+	"admin.system_status.heap_memory_released": "Memória heap libertada",
+	"admin.system_status.heap_memory_in_use": "Memória heap em uso",
+	"admin.system_status.heap_memory_idle": "Memória heap em repouso",
+	"admin.system_status.heap_memory_obtained": "Memória heap obtida",
+	"admin.system_status.current_heap_usage": "Uso corrente da heap",
+	"admin.system_status.memory_free_times": "Libertações de memória",
+	"admin.system_status.memory_allocate_times": "Alocações de memória",
+	"admin.system_status.pointer_lookup_times": "N. º de consultas a ponteiros",
+	"admin.system_status.memory_obtained": "Memória obtida",
+	"admin.system_status.total_memory_allocated": "Total de memória alocada",
+	"admin.system_status.current_memory_usage": "Utilização de memória corrente",
+	"admin.system_status.current_goroutine": "Goroutines em execução",
+	"admin.system_status.server_uptime": "Tempo em funcionamento contínuo do servidor",
+	"markup.filepreview.truncated": "A previsão foi truncada",
+	"markup.filepreview.lines": "Linhas %[1]d até %[2]d em %[3]s",
+	"markup.filepreview.line": "Linha %[1]d em %[2]s",
+	"actions.variables.update.success": "A variável foi editada.",
+	"actions.variables.update.failed": "Falha ao editar a variável.",
+	"actions.variables.creation.success": "A variável \"%s\" foi adicionada.",
+	"actions.variables.creation.failed": "Falha ao adicionar a variável.",
+	"actions.variables.deletion.success": "A variável foi removida.",
+	"actions.variables.deletion.failed": "Falha ao remover a variável.",
+	"actions.variables.not_found": "Não foi possível encontrar a variável.",
+	"actions.variables.edit": "Editar variável",
+	"actions.variables.description": "As variáveis serão transmitidas a certas operações e não poderão ser lidas de outra forma.",
+	"actions.variables.deletion.description": "Remover uma variável é permanente e não pode ser revertido. Quer continuar?",
+	"actions.variables.deletion": "Remover variável",
+	"actions.variables.none": "Ainda não há variáveis.",
+	"actions.variables.creation": "Adicionar variável",
+	"actions.variables.management": "Gerir variáveis",
+	"actions.variables": "Variáveis",
+	"webauthn.error.timeout": "O tempo limite foi atingido antes que a sua chave pudesse ser lida. Recarregue esta página e tente novamente.",
+	"webauthn.error.empty": "Você tem que definir um nome para esta chave.",
+	"webauthn.error.duplicated": "A chave de segurança não é permitida neste pedido. Certifique-se de que a chave não está já registada.",
+	"webauthn.error.unable_to_process": "O servidor não conseguiu processar o seu pedido.",
+	"webauthn.error.insecure": "`WebAuthn apenas suporta conexões seguras. Para testar sobre HTTP, pode usar a origem \"localhost\" ou \"127.0.0.1\"`",
+	"webauthn.error.unknown": "Ocorreu um erro desconhecido. Tente novamente, por favor.",
+	"webauthn.unsupported_browser": "O seu navegador não oferece suporte ao WebAuthn.",
+	"webauthn.error": "Não foi possível ler a sua chave de segurança.",
+	"webauthn.use_twofa": "Usar um código de dois passos do seu telefone",
+	"webauthn.press_button": "Por favor, prima o botão da sua chave de segurança…",
+	"webauthn.sign_in": "Pressione o botão da sua chave de segurança. Se a sua chave de segurança não tiver um botão, insira-a novamente.",
+	"webauthn.insert_key": "Insira a sua chave de segurança",
 	"counters.n_commits": {
 		"one": "%s cometimento",
 		"many": "%s cometimentos",
diff --git a/options/locale_next/locale_ro.json b/options/locale_next/locale_ro.json
index 0f3e8af7ee..6f22c9a600 100644
--- a/options/locale_next/locale_ro.json
+++ b/options/locale_next/locale_ro.json
@@ -1,4 +1,16 @@
 {
+	"webauthn.error.timeout": "Limita de timp a fost depășită înainte ca cheia ta să poată fi citită. Reîncarcă pagina și reîncearcă.",
+	"webauthn.error.empty": "Trebuie să setezi un nume pentru această cheie.",
+	"webauthn.error.duplicated": "Cheia de securitate nu este permisă pentru această cerere. Asigură-te că cheia nu este înregistrată deja.",
+	"webauthn.error.unable_to_process": "Serverul nu a putut procesa cererea.",
+	"webauthn.error.insecure": "WebAuthn funcționează doar prin conexiuni securizate. Pentru a testa folosind HTTP, poți folosi \"localhost\" sau \"127.0.0.1\" ca origine",
+	"webauthn.error.unknown": "O eroare necunoscută a apărut. Te rog reîncearcă.",
+	"webauthn.unsupported_browser": "Browserul tău nu are abilități WebAuthn pe moment.",
+	"webauthn.error": "Cheia de securitate nu a putut fi citită.",
+	"webauthn.use_twofa": "Folosește un cod de verificare de pe telefon",
+	"webauthn.press_button": "Apasă butonul de pe cheia de securitate…",
+	"webauthn.sign_in": "Apasă butonul de pe cheia de securitate. Dacă cheia de securitate nu are un buton, reintrodu-o.",
+	"webauthn.insert_key": "Inserează cheia de securitate",
 	"meta.last_line": " ",
 	"packages.empty": "Momentan nu există pachete."
 }
diff --git a/options/locale_next/locale_ru-RU.json b/options/locale_next/locale_ru-RU.json
index 1eae5ff170..cb55dc14ac 100644
--- a/options/locale_next/locale_ru-RU.json
+++ b/options/locale_next/locale_ru-RU.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Все элементы в очереди были удалены.",
+	"admin.monitor.queue.settings.remove_all_items": "Удалить все",
+	"admin.monitor.queue.settings.changed": "Настройки обновлены",
+	"admin.monitor.queue.settings.submit": "Обновить настройки",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Максимальное количество обработчиков должно быть числом",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "В настоящий момент %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Макс. количество обработчиков",
+	"admin.monitor.queue.settings.description": "Пулы динамически растут в зависимости от блокировки очередей их рабочих.",
+	"admin.monitor.queue.settings.title": "Настройки пула",
+	"admin.monitor.queue.review_add": "Подробности / добавить обработчики",
+	"admin.monitor.queue.numberinqueue": "Позиция в очереди",
+	"admin.monitor.queue.maxnumberworkers": "Макс. количество обработчиков",
+	"admin.monitor.queue.activeworkers": "Активные обработчики",
+	"admin.monitor.queue.numberworkers": "Количество обработчиков",
+	"admin.monitor.queue.exemplar": "Тип образца",
+	"admin.monitor.queue.type": "Тип",
+	"admin.monitor.queue.name": "Имя",
+	"admin.monitor.queue": "Очередь: %s",
+	"admin.monitor.queues": "Очереди",
+	"admin.users.list_status_filter.not_2fa_enabled": "2ФА отключена",
+	"admin.users.list_status_filter.is_2fa_enabled": "2ФА включена",
+	"admin.users.list_status_filter.not_prohibit_login": "Вход разрешён",
+	"admin.users.list_status_filter.is_prohibit_login": "Вход запрещён",
+	"admin.users.list_status_filter.not_restricted": "Не ограниченные",
+	"admin.users.list_status_filter.is_restricted": "Ограниченные",
+	"admin.users.list_status_filter.not_admin": "Не администраторы",
+	"admin.users.list_status_filter.is_admin": "Администраторы",
+	"admin.users.list_status_filter.not_active": "Неактивные",
+	"admin.users.list_status_filter.is_active": "Активные",
+	"admin.users.list_status_filter.reset": "Сбросить",
+	"admin.users.list_status_filter.menu_text": "Фильтр",
+	"admin.system_status.gc_times": "Сборок мусора",
+	"admin.system_status.last_gc_pause": "Последняя пауза сборщика",
+	"admin.system_status.total_gc_pause": "Итоговая задержка сборщика",
+	"admin.system_status.last_gc_time": "Прошло с последнего сбора мусора",
+	"admin.system_status.next_gc_recycle": "Следующее высвобождение сборщиком мусора",
+	"admin.system_status.other_system_allocation_obtained": "Прочие системные выделения памяти",
+	"admin.system_status.gc_metadata_obtained": "Метаданных сборщика мусора создавалось",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Хеш-таблиц получено при профайлинге",
+	"admin.system_status.mcache_structures_obtained": "Получено структур MCache",
+	"admin.system_status.mcache_structures_usage": "Использование структур MCache",
+	"admin.system_status.mspan_structures_obtained": "Структур MSpan выделялось",
+	"admin.system_status.mspan_structures_usage": "Использование структур MSpan",
+	"admin.system_status.stack_memory_obtained": "Стековой памяти выделялось",
+	"admin.system_status.bootstrap_stack_usage": "Использование стека загрузчика",
+	"admin.system_status.heap_objects": "Объектов динамической памяти",
+	"admin.system_status.heap_memory_released": "Освобождено динамической памяти",
+	"admin.system_status.heap_memory_in_use": "Используемая динамическая память",
+	"admin.system_status.heap_memory_idle": "Простаивающая динамическая память",
+	"admin.system_status.heap_memory_obtained": "Получено динамической памяти",
+	"admin.system_status.current_heap_usage": "Текущее использование кучи",
+	"admin.system_status.memory_free_times": "Высвобождений памяти",
+	"admin.system_status.memory_allocate_times": "Выделений памяти",
+	"admin.system_status.pointer_lookup_times": "Поисков указателя",
+	"admin.system_status.memory_obtained": "Получено памяти",
+	"admin.system_status.total_memory_allocated": "Всего памяти выделялось",
+	"admin.system_status.current_memory_usage": "Текущее использование памяти",
+	"admin.system_status.current_goroutine": "Выполняемые goroutines",
+	"admin.system_status.server_uptime": "Время работы",
+	"markup.filepreview.truncated": "Предпросмотр был обрезан",
+	"markup.filepreview.lines": "Строки с %[1]d по %[2]d в %[3]s",
+	"markup.filepreview.line": "Строка %[1]d в %[2]s",
+	"actions.variables.update.success": "Переменная изменена.",
+	"actions.variables.update.failed": "Не удалось изменить переменную.",
+	"actions.variables.creation.success": "Переменная «%s» добавлена.",
+	"actions.variables.creation.failed": "Не удалось добавить переменную.",
+	"actions.variables.deletion.success": "Переменная удалена.",
+	"actions.variables.deletion.failed": "Не удалось удалить переменную.",
+	"actions.variables.not_found": "Не удалось найти переменную.",
+	"actions.variables.edit": "Изменить переменную",
+	"actions.variables.description": "Переменные будут передаваться определенным действиям и не могут быть прочитаны иначе.",
+	"actions.variables.deletion.description": "Удаление переменной необратимо, его нельзя отменить. Продолжить?",
+	"actions.variables.deletion": "Удалить переменную",
+	"actions.variables.none": "Переменных пока нет.",
+	"actions.variables.creation": "Добавить переменную",
+	"actions.variables.management": "Управление переменными",
+	"actions.variables": "Переменные",
+	"webauthn.error.timeout": "Время истекло раньше, чем ключ был прочитан. Перезагрузите эту страницу и повторите попытку.",
+	"webauthn.error.empty": "Необходимо задать имя для этого ключа.",
+	"webauthn.error.duplicated": "Этот токен авторизации не разрешен для выполнения этого запроса. Убедитесь, что токен не был зарегистрирован ранее.",
+	"webauthn.error.unable_to_process": "Сервер не смог обработать ваш запрос.",
+	"webauthn.error.insecure": "WebAuthn поддерживает только безопасные соединения. Для тестирования по HTTP можно использовать \"localhost\" или \"127.0.0.1\"",
+	"webauthn.error.unknown": "Произошла неизвестная ошибка. Повторите попытку.",
+	"webauthn.unsupported_browser": "Ваш браузер в настоящее время не поддерживает WebAuthn.",
+	"webauthn.error": "Не удалось прочитать токен авторизации.",
+	"webauthn.use_twofa": "Используйте двухфакторный код с вашего телефона",
+	"webauthn.press_button": "Подтвердите действие на токене авторизации…",
+	"webauthn.sign_in": "Подтвердите действие на токене авторизации. Если на вашем токене нет кнопки, вставьте его заново.",
+	"webauthn.insert_key": "Вставьте ваш токен авторизации",
 	"counters.n_commits": {
 		"one": "%s коммит",
 		"few": "%s коммита",
diff --git a/options/locale_next/locale_si-LK.json b/options/locale_next/locale_si-LK.json
index b8cb8a863a..2e6decc0e9 100644
--- a/options/locale_next/locale_si-LK.json
+++ b/options/locale_next/locale_si-LK.json
@@ -1,4 +1,57 @@
 {
+	"admin.monitor.queue.settings.changed": "සැකසුම් යාවත්කාල කෙරිණි",
+	"admin.monitor.queue.settings.submit": "සැකසුම් යාවත්කාල කරන්න",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "මැක්ස් කම්කරුවන්ගේ සංඛ්යාව අංකයක් විය යුතුය",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "වත්මන්%[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "මැක්ස් කම්කරුවන් සංඛ්යාව",
+	"admin.monitor.queue.settings.title": "තටාකය සැකසුම්",
+	"admin.monitor.queue.maxnumberworkers": "මැක්ස් කම්කරු සංඛ්යාව",
+	"admin.monitor.queue.numberworkers": "කම්කරුවන් සංඛ්යාව",
+	"admin.monitor.queue.exemplar": "ආදර්ශ වර්ගය",
+	"admin.monitor.queue.type": "වර්ගය",
+	"admin.monitor.queue.name": "නම",
+	"admin.monitor.queue": "පෝලිම: %s",
+	"admin.monitor.queues": "පෝලිම්",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA ආබාධිත",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA සක්රීය",
+	"admin.users.list_status_filter.not_prohibit_login": "ලොගින් වන්න ඉඩ",
+	"admin.users.list_status_filter.is_prohibit_login": "ලොගින් වන්න තහනම්",
+	"admin.users.list_status_filter.not_restricted": "සීමා කර නැත",
+	"admin.users.list_status_filter.is_restricted": "සීමා",
+	"admin.users.list_status_filter.not_admin": "පරිපාලක නොවන",
+	"admin.users.list_status_filter.is_admin": "පරිපාලක",
+	"admin.users.list_status_filter.not_active": "අක්රිය",
+	"admin.users.list_status_filter.is_active": "ක්රියාකාරී",
+	"admin.users.list_status_filter.reset": "යළි සකසන්න",
+	"admin.users.list_status_filter.menu_text": "පෙරහන",
+	"admin.system_status.gc_times": "GC ටයිම්ස්",
+	"admin.system_status.last_gc_pause": "අවසන් GC විරාමය",
+	"admin.system_status.total_gc_pause": "මුළු GC විරාමය",
+	"admin.system_status.last_gc_time": "පසුගිය GC වේලාව",
+	"admin.system_status.next_gc_recycle": "ඊලඟ GC, ප්රතිචක්රීකරණ",
+	"admin.system_status.other_system_allocation_obtained": "ලබා ගත් වෙනත් පද්ධති ප්රතිපාදන",
+	"admin.system_status.gc_metadata_obtained": "ලබාගත් GC පාර-දත්ත",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "ලබා භාජනයට හැෂ් වගුව පැතිකඩ",
+	"admin.system_status.mcache_structures_obtained": "ලබා ගත් මැචේ ව්යුහයන්",
+	"admin.system_status.mcache_structures_usage": "මැචේ ව්යුහයන් භාවිතය",
+	"admin.system_status.mspan_structures_obtained": "ලබා ගත් MsPan ව්යුහයන්",
+	"admin.system_status.mspan_structures_usage": "MsPan ව්යුහයන් භාවිතය",
+	"admin.system_status.stack_memory_obtained": "ලබා මතකය ගොඩගසන්න",
+	"admin.system_status.bootstrap_stack_usage": "Bootstrap Stack භාවිතය",
+	"admin.system_status.heap_objects": "ගොඩක් වස්තු",
+	"admin.system_status.heap_memory_released": "ගොඩක් මතකය නිකුත්",
+	"admin.system_status.heap_memory_in_use": "භාවිතයේ දී ගොඩක් මතකය",
+	"admin.system_status.heap_memory_idle": "ගොඩක් මතකය අලස",
+	"admin.system_status.heap_memory_obtained": "ලබා ගත් ගොඩක් මතකය",
+	"admin.system_status.current_heap_usage": "වත්මන් heap භාවිතය",
+	"admin.system_status.memory_free_times": "මතක නිදහස්",
+	"admin.system_status.memory_allocate_times": "මතක ප්රතිපාදන",
+	"admin.system_status.pointer_lookup_times": "පොයින්ටර් Lookup ටයිම්ස්",
+	"admin.system_status.memory_obtained": "ලබා ගත් මතකය",
+	"admin.system_status.total_memory_allocated": "මුළු මතකය වෙන් කර ඇත",
+	"admin.system_status.current_memory_usage": "වත්මන් මතක භාවිතය",
+	"admin.system_status.current_goroutine": "වත්මන් ගෝර්අවුට්ලයින්",
+	"admin.system_status.server_uptime": "සේවාදායකය යාවත්කාලීන කිරීම",
 	"actions.runners.name": "නම",
 	"actions.runners.owner_type": "වර්ගය",
 	"actions.runners.description": "සවිස්තරය",
diff --git a/options/locale_next/locale_sk-SK.json b/options/locale_next/locale_sk-SK.json
index 4be4418e1a..f7c2c1c5a4 100644
--- a/options/locale_next/locale_sk-SK.json
+++ b/options/locale_next/locale_sk-SK.json
@@ -1,4 +1,16 @@
 {
+	"webauthn.error.timeout": "Vypršal čas na čítanie vašeho kľúča. Znova načítajte túto stránku a skúste to opäť.",
+	"webauthn.error.empty": "Musíte nastaviť meno pre tento kľúč.",
+	"webauthn.error.duplicated": "Bezpečnostný kľúč nie je pre túto požiadavku povolený. Uistite sa, že kľúč ešte nie je zaregistrovaný.",
+	"webauthn.error.unable_to_process": "Server nemohol spracovať vašu požiadavku.",
+	"webauthn.error.insecure": "`WebAuthn podporuje iba bezpečné spojenia. Na testovanie cez HTTP môžete použiť \"localhost\" alebo \"127.0.0.1\"`",
+	"webauthn.error.unknown": "Vyskytla sa neznáma chyba. Skúste to znova.",
+	"webauthn.unsupported_browser": "Váš prehliadač aktuálne nepodporuje WebAuthn.",
+	"webauthn.error": "Nie je možné prečítať váš bezpečnostný kód.",
+	"webauthn.use_twofa": "Použite kód dvojfaktorového overenia z vášho telefónu",
+	"webauthn.press_button": "Stlačte, prosím, tlačidlo na vašom bezpečnostnom kľúči…",
+	"webauthn.sign_in": "Stlačte tlačidlo na vašom bezpečnostnom kľúči. Ak váš kľúč nemá tlačidlo, vyberte a zasunte ho znova.",
+	"webauthn.insert_key": "Zadajte bezpečnostný kľúč",
 	"actions.runners.labels": "Štítky",
 	"gpg.error.no_committer_account": "Žiadny účet nie je prepojený s e-mailovou adresou prispievateľa",
 	"gpg.error.not_signed_commit": "Nie je podpísaný commit",
diff --git a/options/locale_next/locale_sl.json b/options/locale_next/locale_sl.json
index 0fcc19880f..61c89d24fa 100644
--- a/options/locale_next/locale_sl.json
+++ b/options/locale_next/locale_sl.json
@@ -1,4 +1,16 @@
 {
+	"webauthn.error.timeout": "Preden je bilo mogoče prebrati vaš ključ, je bil dosežen časovni rok. Ponovno naložite to stran in poskusite znova.",
+	"webauthn.error.empty": "Za ta ključ morate nastaviti ime.",
+	"webauthn.error.duplicated": "Varnostni ključ za to zahtevo ni dovoljen. Prepričajte se, da ključ še ni registriran.",
+	"webauthn.error.unable_to_process": "Strežnik ni mogel obdelati vaše zahteve.",
+	"webauthn.error.insecure": "WebAuthn podpira samo varne povezave. Za testiranje prek protokola HTTP lahko uporabite izvor \"localhost\" ali \"127.0.0.1\"",
+	"webauthn.error.unknown": "Zgodila se je neznana napaka. Prosimo, poskusite znova.",
+	"webauthn.unsupported_browser": "Vaš brskalnik trenutno ne podpira WebAuthna.",
+	"webauthn.error": "Vašega varnostnega ključa ni bilo mogoče prebrati.",
+	"webauthn.use_twofa": "Uporaba kode z dvema faktorjema iz telefona",
+	"webauthn.press_button": "Pritisnite gumb na varnostnem ključu…",
+	"webauthn.sign_in": "Pritisnite gumb na varnostnem ključu. Če varnostni ključ nima gumba, ga ponovno vstavite.",
+	"webauthn.insert_key": "Vnesite varnostni ključ",
 	"actions.runners.runner_manage_panel": "Upravljanje tekačev",
 	"packages.owner.settings.chef.keypair.description": "Za preverjanje pristnosti v registru Chef je potreben par ključev. Če ste par ključev ustvarili že prej, se pri ustvarjanju novega para ključev stari par ključev zavrže.",
 	"meta.last_line": " "
diff --git a/options/locale_next/locale_sr-SP.json b/options/locale_next/locale_sr-SP.json
index 1ec60d3df7..b4f0454546 100644
--- a/options/locale_next/locale_sr-SP.json
+++ b/options/locale_next/locale_sr-SP.json
@@ -1,4 +1,42 @@
 {
+	"admin.system_status.gc_times": "Времена cакупљању смећа",
+	"admin.system_status.last_gc_pause": "Задња пауза у cакупљању смећа",
+	"admin.system_status.total_gc_pause": "Укупно време cакупљању смећа",
+	"admin.system_status.last_gc_time": "Времена од прошлог cакупљању смећа",
+	"admin.system_status.next_gc_recycle": "Следећа рециклажа cакупљању смећа",
+	"admin.system_status.other_system_allocation_obtained": "Добијено друга системска меморија",
+	"admin.system_status.gc_metadata_obtained": "Добијених метаподатака cакупљању смећа",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Хеш-табела постигнуто за Profiling Bucket",
+	"admin.system_status.mcache_structures_obtained": "Добијено структурa MCache",
+	"admin.system_status.mcache_structures_usage": "Употреба структурa MCache",
+	"admin.system_status.mspan_structures_obtained": "Добијено структуре MSpan",
+	"admin.system_status.mspan_structures_usage": "Употреба структуре MSpan",
+	"admin.system_status.stack_memory_obtained": "Слободно стек меморије",
+	"admin.system_status.bootstrap_stack_usage": "Коришћење стек меморије",
+	"admin.system_status.heap_objects": "Објекти динамичке меморије",
+	"admin.system_status.heap_memory_released": "Ослобођено динамичке меморије",
+	"admin.system_status.heap_memory_in_use": "Динамичка меморија у употреби",
+	"admin.system_status.heap_memory_idle": "Некориштена динамичка меморија",
+	"admin.system_status.heap_memory_obtained": "Слободно динамичке меморије",
+	"admin.system_status.current_heap_usage": "Тренутна употреба динамичке меморије",
+	"admin.system_status.pointer_lookup_times": "Захтева показивача",
+	"admin.system_status.memory_obtained": "Коришћена меморија",
+	"admin.system_status.total_memory_allocated": "Укупно меморије алоцирано",
+	"admin.system_status.current_memory_usage": "Тренутна употреба меморије",
+	"admin.system_status.current_goroutine": "Тренутнe Goroutine",
+	"admin.system_status.server_uptime": "Време непрекидног рада сервера",
+	"webauthn.error.timeout": "Захтев је истекао пре што је очитавање Вашег кључа успео. Молимо Вас да актуализирате ову веб-страницу и покушате поново.",
+	"webauthn.error.empty": "Морате унети име за овај кључ.",
+	"webauthn.error.duplicated": "Сигурносни кључ није дозвољен за овај захтев. Уверите се да кључ није већ регистрован.",
+	"webauthn.error.unable_to_process": "Сервер не може обрадити Ваш захтев.",
+	"webauthn.error.insecure": "\"WebAuthn\" једино подржава сигурне везе. За тестирање путем ХТТП, можете корисити извор \"localhost\" или \"127.0.0.1\"",
+	"webauthn.error.unknown": "Непозната грешка се догодила. Молимо Вас да покушате поново.",
+	"webauthn.unsupported_browser": "Ваш веб-прегледач тренутно не подржава \"WebAuthn\".",
+	"webauthn.error": "Сигурносни кључ се не да исчитати.",
+	"webauthn.use_twofa": "Користите дво-факторски ко̑д са вашег мобитела",
+	"webauthn.press_button": "Молимо притисните дугме на Вашем сигурносном кључу…",
+	"webauthn.sign_in": "Притисните дугме на Вашем сигурносном кључу. Уколико Ваш кључ нема дугме, искључите и поново укључите га.",
+	"webauthn.insert_key": "Прикључите Ваш физички сигурносни кључ",
 	"dropzone.remove_file": "Уклони датотеку",
 	"moderation.abuse_category.malware": "Малвер",
 	"home.welcome.no_activity": "Без активности",
diff --git a/options/locale_next/locale_sv-SE.json b/options/locale_next/locale_sv-SE.json
index 9ed58f488b..953bb8fe44 100644
--- a/options/locale_next/locale_sv-SE.json
+++ b/options/locale_next/locale_sv-SE.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Alla objekt i kön har tagits bort.",
+	"admin.monitor.queue.settings.remove_all_items": "Ta bort alla",
+	"admin.monitor.queue.settings.changed": "Inställningar uppdaterade",
+	"admin.monitor.queue.settings.submit": "Uppdatera inställningar",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Max antal arbetare måste vara ett tal",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "För närvarande %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Max antal arbetare",
+	"admin.monitor.queue.settings.description": "Pooler växer dynamiskt som svar på att deras arbetarkö blockeras.",
+	"admin.monitor.queue.settings.title": "Poolinställningar",
+	"admin.monitor.queue.review_add": "Granska / lägg till arbetare",
+	"admin.monitor.queue.numberinqueue": "Antal i kö",
+	"admin.monitor.queue.maxnumberworkers": "Max antal arbetare",
+	"admin.monitor.queue.activeworkers": "Aktiva arbetare",
+	"admin.monitor.queue.numberworkers": "Antal arbetare",
+	"admin.monitor.queue.exemplar": "Exempeltyp",
+	"admin.monitor.queue.type": "Typ",
+	"admin.monitor.queue.name": "Namn",
+	"admin.monitor.queue": "Kö: %s",
+	"admin.monitor.queues": "Köer",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA inaktiverad",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA aktiverad",
+	"admin.users.list_status_filter.not_prohibit_login": "Tillåt inloggning",
+	"admin.users.list_status_filter.is_prohibit_login": "Förbjud inloggning",
+	"admin.users.list_status_filter.not_restricted": "Ej begränsad",
+	"admin.users.list_status_filter.is_restricted": "Begränsad",
+	"admin.users.list_status_filter.not_admin": "Inte admin",
+	"admin.users.list_status_filter.is_admin": "Administratör",
+	"admin.users.list_status_filter.not_active": "Inaktiv",
+	"admin.users.list_status_filter.is_active": "Aktiv",
+	"admin.users.list_status_filter.reset": "Återställ",
+	"admin.users.list_status_filter.menu_text": "Filter",
+	"admin.system_status.gc_times": "Skräpsamlingstider",
+	"admin.system_status.last_gc_pause": "Senaste paus vid skräpsamling",
+	"admin.system_status.total_gc_pause": "Total tid för pauser vid skräpsamling",
+	"admin.system_status.last_gc_time": "Tidpunkt för senaste skräpsamling",
+	"admin.system_status.next_gc_recycle": "Nästa Skräpsamlarrunda",
+	"admin.system_status.other_system_allocation_obtained": "Övriga Systemallokeringar",
+	"admin.system_status.gc_metadata_obtained": "Metainformation om Skräpsamlaren Ihopsamlad",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Profilering av Bucket Hash Table erhållen",
+	"admin.system_status.mcache_structures_obtained": "MCache-strukturer som erhållits",
+	"admin.system_status.mcache_structures_usage": "MCache strukturanvändning",
+	"admin.system_status.mspan_structures_obtained": "MSpan strukturer som erhållits",
+	"admin.system_status.mspan_structures_usage": "MSpan strukturanvändning",
+	"admin.system_status.stack_memory_obtained": "Stackminne som erhålls",
+	"admin.system_status.bootstrap_stack_usage": "Bootstrap Stack-användning",
+	"admin.system_status.heap_objects": "Heapobjekt",
+	"admin.system_status.heap_memory_released": "Frigjort heap-minne",
+	"admin.system_status.heap_memory_in_use": "Heapminne som används",
+	"admin.system_status.heap_memory_idle": "Heapminne som är inaktivt",
+	"admin.system_status.heap_memory_obtained": "Heapminne som erhållits",
+	"admin.system_status.current_heap_usage": "Nuvarande heapanvändning",
+	"admin.system_status.memory_free_times": "Minnesfrigörelser",
+	"admin.system_status.memory_allocate_times": "Minneallokeringar",
+	"admin.system_status.pointer_lookup_times": "Pekaruppslagstider",
+	"admin.system_status.memory_obtained": "Minnesåtgång",
+	"admin.system_status.total_memory_allocated": "Total minnesanvändning",
+	"admin.system_status.current_memory_usage": "Nuvarande minnesanvändning",
+	"admin.system_status.current_goroutine": "Aktuella gorutiner",
+	"admin.system_status.server_uptime": "Serverns upptid",
+	"markup.filepreview.truncated": "Förhandsgranskningen har avkortats",
+	"markup.filepreview.lines": "Rad %[1]d till %[2]d i %[3]s",
+	"markup.filepreview.line": "Rad %[1]d i %[2]s",
+	"actions.variables.update.success": "Variabeln har redigerats.",
+	"actions.variables.update.failed": "Misslyckades med att redigera variabel.",
+	"actions.variables.creation.success": "Variabeln \"%s\" har lagts till.",
+	"actions.variables.creation.failed": "Misslyckades med att lägga till variabel.",
+	"actions.variables.deletion.success": "Variabeln har tagits bort.",
+	"actions.variables.deletion.failed": "Misslyckades med att ta bort variabel.",
+	"actions.variables.not_found": "Misslyckades med att hitta variabeln.",
+	"actions.variables.edit": "Redigera variabel",
+	"actions.variables.description": "Variabler skickas till vissa actions och kan inte läsas annars.",
+	"actions.variables.deletion.description": "Borttagning av en variabel är permanent och kan inte ångras. Vill du fortsätta?",
+	"actions.variables.deletion": "Ta bort variabel",
+	"actions.variables.none": "Det finns inga variabler ännu.",
+	"actions.variables.creation": "Lägg till variabel",
+	"actions.variables.management": "Hantera variabler",
+	"actions.variables": "Variabler",
+	"webauthn.error.timeout": "Det gick inte att läsa din nyckel innan tidsgränsen nåddes. Läs om denna sida och försök igen.",
+	"webauthn.error.empty": "Du måste ange ett namn för den här nyckeln.",
+	"webauthn.error.duplicated": "Säkerhetsnyckeln är inte tillåten för denna begäran. Se till att nyckeln inte redan är registrerad.",
+	"webauthn.error.unable_to_process": "Servern kunde inte hantera din begäran.",
+	"webauthn.error.insecure": "WebAuthn stöder endast säkra anslutningar. För testning över HTTP kan du använda \"localhost\" eller \"127.0.0.1\"",
+	"webauthn.error.unknown": "Ett okänt fel har inträffat. Vänligen försök igen.",
+	"webauthn.unsupported_browser": "Din webbläsare har ännu inte stöd för WebAuthn.",
+	"webauthn.error": "Det gick inte att läsa din säkerhetsnyckel.",
+	"webauthn.use_twofa": "Använd en tvåfaktorskod från din telefon",
+	"webauthn.press_button": "Vänligen tryck på knappen på din säkerhetsnyckel…",
+	"webauthn.sign_in": "Tryck på knappen på din säkerhetsnyckel. Om din säkerhetsnyckel inte har en knapp, dra ut den och sätt in den igen.",
+	"webauthn.insert_key": "Skriv in din säkerhetsnyckel",
 	"counters.n_commits": {
 		"one": "%s incheckning",
 		"other": "%s incheckningar"
diff --git a/options/locale_next/locale_ta.json b/options/locale_next/locale_ta.json
index a318e08cef..44dd41629c 100644
--- a/options/locale_next/locale_ta.json
+++ b/options/locale_next/locale_ta.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "வரிசையில் இருந்த அனைத்து பொருட்களும் அகற்றப்பட்டன.",
+	"admin.monitor.queue.settings.remove_all_items": "அனைத்தையும் அகற்று",
+	"admin.monitor.queue.settings.changed": "அமைப்புகள் புதுப்பிக்கப்பட்டன",
+	"admin.monitor.queue.settings.submit": "அமைப்புகளைப் புதுப்பிக்கவும்",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "தொழிலாளர்களின் அதிகபட்ச எண்ணிக்கை ஒரு எண்ணாக இருக்க வேண்டும்",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "தற்போது %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "தொழிலாளர்களின் அதிகபட்ச எண்ணிக்கை",
+	"admin.monitor.queue.settings.description": "பணியாளர்களின் வரிசை தடுப்பிற்கு பதிலளிக்கும் வகையில் குளங்கள் மாறும் வகையில் வளரும்.",
+	"admin.monitor.queue.settings.title": "குளம் அமைப்புகள்",
+	"admin.monitor.queue.review_add": "தொழிலாளர்களை மதிப்பாய்வு செய்யவும் / சேர்க்கவும்",
+	"admin.monitor.queue.numberinqueue": "வரிசையில் உள்ள எண்",
+	"admin.monitor.queue.maxnumberworkers": "தொழிலாளர்களின் அதிகபட்ச எண்ணிக்கை",
+	"admin.monitor.queue.activeworkers": "சுறுசுறுப்பான தொழிலாளர்கள்",
+	"admin.monitor.queue.numberworkers": "தொழிலாளர்களின் எண்ணிக்கை",
+	"admin.monitor.queue.exemplar": "முன்மாதிரி வகை",
+	"admin.monitor.queue.type": "வகை",
+	"admin.monitor.queue.name": "பெயர்",
+	"admin.monitor.queue": "வரிசை: %s",
+	"admin.monitor.queues": "வால்கள்",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA முடக்கப்பட்டுள்ளது",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA இயக்கப்பட்டது",
+	"admin.users.list_status_filter.not_prohibit_login": "உள்நுழைவை அனுமதிக்கவும்",
+	"admin.users.list_status_filter.is_prohibit_login": "நுழைவதைத் தடைசெய்க",
+	"admin.users.list_status_filter.not_restricted": "கட்டுப்படுத்தப்படவில்லை",
+	"admin.users.list_status_filter.is_restricted": "கட்டுப்படுத்தப்பட்டது",
+	"admin.users.list_status_filter.not_admin": "நிர்வாகி அல்ல",
+	"admin.users.list_status_filter.is_admin": "நிர்வாகி",
+	"admin.users.list_status_filter.not_active": "செயலற்றது",
+	"admin.users.list_status_filter.is_active": "செயலில்",
+	"admin.users.list_status_filter.reset": "மீட்டமை",
+	"admin.users.list_status_filter.menu_text": "வடிப்பி",
+	"admin.system_status.gc_times": "GC முறை",
+	"admin.system_status.last_gc_pause": "கடைசி GC இடைநிறுத்தம்",
+	"admin.system_status.total_gc_pause": "மொத்த GC இடைநிறுத்தம்",
+	"admin.system_status.last_gc_time": "கடந்த சிசி முதல் நேரம்",
+	"admin.system_status.next_gc_recycle": "அடுத்த GC மறுசுழற்சி",
+	"admin.system_status.other_system_allocation_obtained": "பிற அமைப்பு ஒதுக்கீடு பெறப்பட்டது",
+	"admin.system_status.gc_metadata_obtained": "GC மேனிலை தரவு பெறப்பட்டது",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "விவரக்குறிப்பு பக்கெட் ஆச் அட்டவணை பெறப்பட்டது",
+	"admin.system_status.mcache_structures_obtained": "MCache கட்டமைப்புகள் பெறப்பட்டன",
+	"admin.system_status.mcache_structures_usage": "MCache கட்டமைப்புகளின் பயன்பாடு",
+	"admin.system_status.mspan_structures_obtained": "MSpan கட்டமைப்புகள் பெறப்பட்டன",
+	"admin.system_status.mspan_structures_usage": "MSpan கட்டமைப்புகளின் பயன்பாடு",
+	"admin.system_status.stack_memory_obtained": "அடுக்கு நினைவகம் பெறப்பட்டது",
+	"admin.system_status.bootstrap_stack_usage": "தொடக்கவார் ச்டாக் பயன்பாடு",
+	"admin.system_status.heap_objects": "குவியல் பொருள்கள்",
+	"admin.system_status.heap_memory_released": "குவியல் நினைவகம் வெளியிடப்பட்டது",
+	"admin.system_status.heap_memory_in_use": "குவியல் நினைவகம் பயன்பாட்டில் உள்ளது",
+	"admin.system_status.heap_memory_idle": "குவியல் நினைவகம் செயலற்றது",
+	"admin.system_status.heap_memory_obtained": "குவியல் நினைவகம் கிடைத்தது",
+	"admin.system_status.current_heap_usage": "தற்போதைய குவியல் பயன்பாடு",
+	"admin.system_status.memory_free_times": "நினைவகம் இலவசம்",
+	"admin.system_status.memory_allocate_times": "நினைவக ஒதுக்கீடு",
+	"admin.system_status.pointer_lookup_times": "சுட்டி தேடுதல் நேரங்கள்",
+	"admin.system_status.memory_obtained": "நினைவகம் கிடைத்தது",
+	"admin.system_status.total_memory_allocated": "மொத்த நினைவகம் ஒதுக்கப்பட்டது",
+	"admin.system_status.current_memory_usage": "தற்போதைய நினைவக பயன்பாடு",
+	"admin.system_status.current_goroutine": "தற்போதைய goroutines",
+	"admin.system_status.server_uptime": "சேவையக இயக்க நேரம்",
+	"markup.filepreview.truncated": "முன்னோட்டம் துண்டிக்கப்பட்டது",
+	"markup.filepreview.lines": "%[3]s இல் %[1]d முதல் %[2]d வரையிலான கோடுகள்",
+	"markup.filepreview.line": "%[2]s இல் வரி %[1]d",
+	"actions.variables.update.success": "மாறி திருத்தப்பட்டது.",
+	"actions.variables.update.failed": "மாறியை திருத்த முடியவில்லை.",
+	"actions.variables.creation.success": "\"%s\" மாறி சேர்க்கப்பட்டது.",
+	"actions.variables.creation.failed": "மாறியைச் சேர்ப்பதில் தோல்வி.",
+	"actions.variables.deletion.success": "மாறி நீக்கப்பட்டது.",
+	"actions.variables.deletion.failed": "மாறியை அகற்ற முடியவில்லை.",
+	"actions.variables.not_found": "மாறியைக் கண்டறிய முடியவில்லை.",
+	"actions.variables.edit": "திருத்து மாறி",
+	"actions.variables.description": "சில செயல்களுக்கு மாறிகள் அனுப்பப்படும், இல்லையெனில் படிக்க முடியாது.",
+	"actions.variables.deletion.description": "மாறியை அகற்றுவது நிரந்தரமானது மற்றும் செயல்தவிர்க்க முடியாது. தொடரவா?",
+	"actions.variables.deletion": "மாறியை அகற்று",
+	"actions.variables.none": "இதுவரை மாறிகள் எதுவும் இல்லை.",
+	"actions.variables.creation": "மாறியைச் சேர்க்கவும்",
+	"actions.variables.management": "மாறிகளை நிர்வகிக்கவும்",
+	"actions.variables": "மாறிகள்",
+	"webauthn.error.timeout": "உங்கள் விசையைப் படிக்கும் முன் காலாவதியானது. இந்தப் பக்கத்தை மீண்டும் ஏற்றி மீண்டும் முயற்சிக்கவும்.",
+	"webauthn.error.empty": "இந்த விசைக்கு நீங்கள் ஒரு பெயரை அமைக்க வேண்டும்.",
+	"webauthn.error.duplicated": "இந்தக் கோரிக்கைக்கு பாதுகாப்பு விசை அனுமதிக்கப்படவில்லை. விசை ஏற்கனவே பதிவு செய்யப்படவில்லை என்பதை உறுதிப்படுத்தவும்.",
+	"webauthn.error.unable_to_process": "சேவையகத்தால் உங்கள் கோரிக்கையைச் செயல்படுத்த முடியவில்லை.",
+	"webauthn.error.insecure": "WebAuthn பாதுகாப்பான இணைப்புகளை மட்டுமே ஆதரிக்கிறது. HTTP மூலம் சோதனை செய்ய, நீங்கள் \"localhost\" அல்லது \"127.0.0.1\" மூலத்தைப் பயன்படுத்தலாம்",
+	"webauthn.error.unknown": "அறியப்படாத பிழை ஏற்பட்டது. மீண்டும் முயற்சிக்கவும்.",
+	"webauthn.unsupported_browser": "உங்கள் உலாவி தற்போது WebAuthn ஐ ஆதரிக்கவில்லை.",
+	"webauthn.error": "உங்கள் பாதுகாப்பு விசையைப் படிக்க முடியவில்லை.",
+	"webauthn.use_twofa": "உங்கள் ஃபோனில் இருந்து இரண்டு காரணி குறியீட்டைப் பயன்படுத்தவும்",
+	"webauthn.press_button": "உங்கள் பாதுகாப்பு விசையில் உள்ள பொத்தானை அழுத்தவும்…",
+	"webauthn.sign_in": "உங்கள் பாதுகாப்பு விசையில் உள்ள பொத்தானை அழுத்தவும். உங்கள் பாதுகாப்பு விசையில் பொத்தான் இல்லை என்றால், அதை மீண்டும் செருகவும்.",
+	"webauthn.insert_key": "உங்கள் பாதுகாப்பு விசையைச் செருகவும்",
 	"counters.n_commits": {
 		"one": "%s உறுதி",
 		"other": "%s உறுதியளிக்கிறது"
diff --git a/options/locale_next/locale_th.json b/options/locale_next/locale_th.json
index 01dcb1522a..71d798c512 100644
--- a/options/locale_next/locale_th.json
+++ b/options/locale_next/locale_th.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "ลบรายการทั้งหมดในคิวแล้ว",
+	"admin.monitor.queue.settings.remove_all_items": "ลบทั้งหมด",
+	"admin.monitor.queue.settings.changed": "อัปเดตการตั้งค่าแล้ว",
+	"admin.monitor.queue.settings.submit": "อัปเดตการตั้งค่า",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "จำนวนผู้ปฏิบัติงานสูงสุดต้องเป็นตัวเลข",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "ปัจจุบัน %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "จำนวนผู้ปฏิบัติงานสูงสุด",
+	"admin.monitor.queue.settings.description": "พูลจะขยายตัวแบบไดนามิกเพื่อตอบสนองต่อการบล็อกคิวของผู้ปฏิบัติงาน",
+	"admin.monitor.queue.settings.title": "การตั้งค่าพูล",
+	"admin.monitor.queue.review_add": "ตรวจสอบ / เพิ่มผู้ปฏิบัติงาน",
+	"admin.monitor.queue.numberinqueue": "จำนวนในคิว",
+	"admin.monitor.queue.maxnumberworkers": "จำนวนผู้ปฏิบัติงานสูงสุด",
+	"admin.monitor.queue.activeworkers": "ผู้ปฏิบัติงานที่ใช้งานอยู่",
+	"admin.monitor.queue.numberworkers": "จำนวนผู้ปฏิบัติงาน",
+	"admin.monitor.queue.exemplar": "ประเภทตัวอย่าง",
+	"admin.monitor.queue.type": "ประเภท",
+	"admin.monitor.queue.name": "ชื่อ",
+	"admin.monitor.queue": "คิว: %s",
+	"admin.monitor.queues": "คิว",
+	"admin.users.list_status_filter.not_2fa_enabled": "ปิดใช้งาน 2FA",
+	"admin.users.list_status_filter.is_2fa_enabled": "เปิดใช้งาน 2FA",
+	"admin.users.list_status_filter.not_prohibit_login": "อนุญาตให้เข้าสู่ระบบ",
+	"admin.users.list_status_filter.is_prohibit_login": "ห้ามเข้าสู่ระบบ",
+	"admin.users.list_status_filter.not_restricted": "ไม่จำกัด",
+	"admin.users.list_status_filter.is_restricted": "จำกัด",
+	"admin.users.list_status_filter.not_admin": "ไม่ใช่ผู้ดูแลระบบ",
+	"admin.users.list_status_filter.is_admin": "ผู้ดูแลระบบ",
+	"admin.users.list_status_filter.not_active": "ไม่ใช้งาน",
+	"admin.users.list_status_filter.is_active": "ใช้งาน",
+	"admin.users.list_status_filter.reset": "รีเซ็ต",
+	"admin.users.list_status_filter.menu_text": "ตัวกรอง",
+	"admin.system_status.gc_times": "เวลา GC",
+	"admin.system_status.last_gc_pause": "การหยุด GC ครั้งล่าสุด",
+	"admin.system_status.total_gc_pause": "การหยุด GC ทั้งหมด",
+	"admin.system_status.last_gc_time": "เวลาตั้งแต่ GC ครั้งล่าสุด",
+	"admin.system_status.next_gc_recycle": "การรีไซเคิล GC ถัดไป",
+	"admin.system_status.other_system_allocation_obtained": "การจัดสรรระบบอื่น ๆ ที่ได้รับ",
+	"admin.system_status.gc_metadata_obtained": "ข้อมูลเมตา GC ที่ได้รับ",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "ตารางแฮชบัคเก็ตการทำโปรไฟล์ที่ได้รับ",
+	"admin.system_status.mcache_structures_obtained": "โครงสร้าง MCache ที่ได้รับ",
+	"admin.system_status.mcache_structures_usage": "การใช้โครงสร้าง MCache",
+	"admin.system_status.mspan_structures_obtained": "โครงสร้าง MSpan ที่ได้รับ",
+	"admin.system_status.mspan_structures_usage": "การใช้โครงสร้าง MSpan",
+	"admin.system_status.stack_memory_obtained": "หน่วยความจำสแต็กที่ได้รับ",
+	"admin.system_status.bootstrap_stack_usage": "การใช้สแต็ก Bootstrap",
+	"admin.system_status.heap_objects": "อ็อบเจกต์ฮีป",
+	"admin.system_status.heap_memory_released": "หน่วยความจำฮีปที่ปล่อยแล้ว",
+	"admin.system_status.heap_memory_in_use": "หน่วยความจำฮีปที่ใช้งานอยู่",
+	"admin.system_status.heap_memory_idle": "หน่วยความจำฮีปที่ไม่ได้ใช้งาน",
+	"admin.system_status.heap_memory_obtained": "หน่วยความจำฮีปที่ได้รับ",
+	"admin.system_status.current_heap_usage": "การใช้ฮีปปัจจุบัน",
+	"admin.system_status.memory_free_times": "การปล่อยหน่วยความจำ",
+	"admin.system_status.memory_allocate_times": "การจัดสรรหน่วยความจำ",
+	"admin.system_status.pointer_lookup_times": "เวลาค้นหาพอยน์เตอร์",
+	"admin.system_status.memory_obtained": "หน่วยความจำที่ได้รับ",
+	"admin.system_status.total_memory_allocated": "หน่วยความจำที่จัดสรรทั้งหมด",
+	"admin.system_status.current_memory_usage": "การใช้หน่วยความจำปัจจุบัน",
+	"admin.system_status.current_goroutine": "Goroutine ปัจจุบัน",
+	"admin.system_status.server_uptime": "เวลาทำงานของเซิร์ฟเวอร์",
+	"markup.filepreview.truncated": "ตัวอย่างถูกตัดทอน",
+	"markup.filepreview.lines": "บรรทัดที่ %[1]d ถึง %[2]d ใน %[3]s",
+	"markup.filepreview.line": "บรรทัดที่ %[1]d ใน %[2]s",
+	"actions.variables.update.success": "แก้ไขตัวแปรแล้ว",
+	"actions.variables.update.failed": "ไม่สามารถแก้ไขตัวแปรได้",
+	"actions.variables.creation.success": "เพิ่มตัวแปร \"%s\" แล้ว",
+	"actions.variables.creation.failed": "ไม่สามารถเพิ่มตัวแปรได้",
+	"actions.variables.deletion.success": "ลบตัวแปรแล้ว",
+	"actions.variables.deletion.failed": "ไม่สามารถลบตัวแปรได้",
+	"actions.variables.not_found": "ไม่พบตัวแปร",
+	"actions.variables.edit": "แก้ไขตัวแปร",
+	"actions.variables.description": "ตัวแปรจะถูกส่งต่อไปยังการดำเนินการบางอย่างและไม่สามารถอ่านได้",
+	"actions.variables.deletion.description": "การลบตัวแปรเป็นการกระทำถาวรและไม่สามารถยกเลิกได้ ดำเนินการต่อหรือไม่?",
+	"actions.variables.deletion": "ลบตัวแปร",
+	"actions.variables.none": "ยังไม่มีตัวแปร",
+	"actions.variables.creation": "เพิ่มตัวแปร",
+	"actions.variables.management": "จัดการตัวแปร",
+	"actions.variables": "ตัวแปร",
+	"webauthn.error.timeout": "หมดเวลาก่อนที่จะอ่านคีย์ของคุณได้ กรุณาโหลดหน้านี้ใหม่แล้วลองอีกครั้ง",
+	"webauthn.error.empty": "คุณต้องตั้งชื่อสำหรับคีย์นี้",
+	"webauthn.error.duplicated": "ไม่อนุญาตให้ใช้คีย์ความปลอดภัยสำหรับคำขอนี้ โปรดตรวจสอบให้แน่ใจว่าคีย์ยังไม่ได้ลงทะเบียน",
+	"webauthn.error.unable_to_process": "เซิร์ฟเวอร์ไม่สามารถประมวลผลคำขอของคุณได้",
+	"webauthn.error.insecure": "WebAuthn รองรับเฉพาะการเชื่อมต่อที่ปลอดภัยเท่านั้น สำหรับการทดสอบผ่าน HTTP คุณสามารถใช้ต้นทาง \"localhost\" หรือ \"127.0.0.1\"",
+	"webauthn.error.unknown": "เกิดข้อผิดพลาดที่ไม่รู้จัก กรุณาลองใหม่อีกครั้ง",
+	"webauthn.unsupported_browser": "เบราว์เซอร์ของคุณไม่รองรับ WebAuthn ในขณะนี้",
+	"webauthn.error": "ไม่สามารถอ่านคีย์ความปลอดภัยของคุณได้",
+	"webauthn.use_twofa": "ใช้รหัสสองปัจจัยจากโทรศัพท์ของคุณ",
+	"webauthn.press_button": "กรุณากดปุ่มบนคีย์ความปลอดภัยของคุณ…",
+	"webauthn.sign_in": "กดปุ่มบนคีย์ความปลอดภัยของคุณ หากคีย์ความปลอดภัยของคุณไม่มีปุ่ม ให้เสียบใหม่อีกครั้ง",
+	"webauthn.insert_key": "โปรดเสียบคีย์ความปลอดภัยของคุณ",
 	"counters.n_commits": {
 		"one": "%s คอมมิต",
 		"other": "%s คอมมิต"
diff --git a/options/locale_next/locale_tr-TR.json b/options/locale_next/locale_tr-TR.json
index 086237d764..5528274be5 100644
--- a/options/locale_next/locale_tr-TR.json
+++ b/options/locale_next/locale_tr-TR.json
@@ -1,4 +1,89 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Kuyruktaki tüm öğeler kaldırıldı.",
+	"admin.monitor.queue.settings.remove_all_items": "Tümünü kaldır",
+	"admin.monitor.queue.settings.changed": "Ayarlar güncellendi",
+	"admin.monitor.queue.settings.submit": "Ayarları Güncelle",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "En fazla çalışan sayısı bir sayı olmalıdır",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Şu anda %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "En fazla çalışan Sayısı",
+	"admin.monitor.queue.settings.description": "Havuzlar, çalışan kuyruğu tıkanmasına bir yanıt olarak dinamik olarak büyürler.",
+	"admin.monitor.queue.settings.title": "Havuz Ayarları",
+	"admin.monitor.queue.review_add": "Çalışanları İncele / Ekle",
+	"admin.monitor.queue.numberinqueue": "Kuyruktaki Sayı",
+	"admin.monitor.queue.maxnumberworkers": "En Fazla Çalışan Sayısı",
+	"admin.monitor.queue.activeworkers": "Etkin Çalışanlar",
+	"admin.monitor.queue.numberworkers": "Çalışan Sayısı",
+	"admin.monitor.queue.exemplar": "Örnek Türü",
+	"admin.monitor.queue.type": "Tür",
+	"admin.monitor.queue.name": "İsim",
+	"admin.monitor.queue": "Kuyruk: %s",
+	"admin.monitor.queues": "Kuyruklar",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA Devre Dışı",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA Etkin",
+	"admin.users.list_status_filter.not_prohibit_login": "Oturum Açmaya İzin Ver",
+	"admin.users.list_status_filter.is_prohibit_login": "Oturum Açmayı Önle",
+	"admin.users.list_status_filter.not_restricted": "Kısıtlanmamış",
+	"admin.users.list_status_filter.is_restricted": "Kısıtlanmış",
+	"admin.users.list_status_filter.not_admin": "Yönetici Değil",
+	"admin.users.list_status_filter.is_admin": "Yönetici",
+	"admin.users.list_status_filter.not_active": "Etkin değil",
+	"admin.users.list_status_filter.is_active": "Etkin",
+	"admin.users.list_status_filter.reset": "Sıfırla",
+	"admin.users.list_status_filter.menu_text": "Filtre",
+	"admin.system_status.gc_times": "GC Zamanları",
+	"admin.system_status.last_gc_pause": "Son GC Durması",
+	"admin.system_status.total_gc_pause": "Toplam GC Durması",
+	"admin.system_status.last_gc_time": "Son GC Zamanından Beri",
+	"admin.system_status.next_gc_recycle": "Sonraki GC Döngüsü",
+	"admin.system_status.other_system_allocation_obtained": "Elde Edilen Diğer Sistem Ayırmaları",
+	"admin.system_status.gc_metadata_obtained": "Elde Edilen GC Metadata",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Elde Edilen Bucket Hash Tablosu Profilleme",
+	"admin.system_status.mcache_structures_obtained": "Elde Edilen MCache Yapıları",
+	"admin.system_status.mcache_structures_usage": "Kullanılan MCache Yapıları",
+	"admin.system_status.mspan_structures_obtained": "Elde Edilen MSpan Yapıları",
+	"admin.system_status.mspan_structures_usage": "Kullanımdaki MSpan Yapıları",
+	"admin.system_status.stack_memory_obtained": "Elde Edilen Yığın Belleği",
+	"admin.system_status.bootstrap_stack_usage": "İlk Yığın Kullanımı",
+	"admin.system_status.heap_objects": "Yığın Nesneleri",
+	"admin.system_status.heap_memory_released": "Serbest Bırakılmış Yığın Belleği",
+	"admin.system_status.heap_memory_in_use": "Kullanımdaki Yığın Belleği",
+	"admin.system_status.heap_memory_idle": "Boştaki Yığın Belleği",
+	"admin.system_status.heap_memory_obtained": "Elde Edilen Yığın Belleği",
+	"admin.system_status.current_heap_usage": "Güncel Yığın Kullanımı",
+	"admin.system_status.memory_free_times": "Bellek Boşaltmaları",
+	"admin.system_status.memory_allocate_times": "Bellek Ayırmaları",
+	"admin.system_status.pointer_lookup_times": "İşaret Arama Zamanları",
+	"admin.system_status.memory_obtained": "Elde Edilen Bellek",
+	"admin.system_status.total_memory_allocated": "Bellekte Ayrılan Toplam Yer",
+	"admin.system_status.current_memory_usage": "Güncel Bellek Kullanımı",
+	"admin.system_status.current_goroutine": "Güncel Goroutine'ler",
+	"admin.system_status.server_uptime": "Sunucunun Ayakta Kalma Süresi",
+	"actions.variables.update.success": "Değişken düzenlendi.",
+	"actions.variables.update.failed": "Değişken düzenlenemedi.",
+	"actions.variables.creation.success": "`\"%s\" değişkeni eklendi.`",
+	"actions.variables.creation.failed": "Değişken eklenemedi.",
+	"actions.variables.deletion.success": "Değişken kaldırıldı.",
+	"actions.variables.deletion.failed": "Değişken kaldırılamadı.",
+	"actions.variables.edit": "Değişkeni Düzenle",
+	"actions.variables.description": "Değişkenler belirli işlemlere aktarılacaktır, bunun dışında okunamaz.",
+	"actions.variables.deletion.description": "Bir değişkeni kaldırma kalıcıdır ve geri alınamaz. Devam edilsin mi?",
+	"actions.variables.deletion": "Değişkeni kaldır",
+	"actions.variables.none": "Henüz hiçbir değişken yok.",
+	"actions.variables.creation": "Değişken ekle",
+	"actions.variables.management": "Değişken Yönetimi",
+	"actions.variables": "Değişkenler",
+	"webauthn.error.timeout": "Anahtarınız okunamadan zaman aşımı oldu. Lütfen sayfayı yenileyin ve tekrar deneyin.",
+	"webauthn.error.empty": "Bu anahtar için bir isim belirlemelisiniz.",
+	"webauthn.error.duplicated": "Güvenlik anahtarının bu istek için izni yok. Anahtarın halihazırda kayıtlı olmadığından emin olun.",
+	"webauthn.error.unable_to_process": "Sunucu isteğinizi işleyemedi.",
+	"webauthn.error.insecure": "WebAuthn sadece güvenli bağlantıyı destekler. HTTP üzerinden test etmek için \"localhost\" veya \"127.0.0.1\" adreslerini kullanabilirsiniz.",
+	"webauthn.error.unknown": "Bilinmeyen bir hata oluştu. Lütfen tekrar deneyin.",
+	"webauthn.unsupported_browser": "Tarayıcınız henüz WebAuthn desteklemiyor.",
+	"webauthn.error": "Güvenlik anahtarınız okunamıyor.",
+	"webauthn.use_twofa": "Telefonunuzdan iki aşamalı doğrulama kodu kullanın",
+	"webauthn.press_button": "Lütfen güvenlik anahtarınızdaki düğmeye basın…",
+	"webauthn.sign_in": "Güvenlik anahtarınızdaki düğmeye basın. Eğer düğme yoksa güvenlik anahtarınızı tekrar ekleyin.",
+	"webauthn.insert_key": "Güvenlik anahtarınızı ekleyin",
 	"counters.n_commits": {
 		"one": "%s değişiklik(commit)",
 		"other": "%s değişiklikler(commits)"
diff --git a/options/locale_next/locale_uk-UA.json b/options/locale_next/locale_uk-UA.json
index 343490ec2e..9913d47281 100644
--- a/options/locale_next/locale_uk-UA.json
+++ b/options/locale_next/locale_uk-UA.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "Усі елементи в черзі видалено.",
+	"admin.monitor.queue.settings.remove_all_items": "Видалити всі",
+	"admin.monitor.queue.settings.changed": "Налаштування оновлено",
+	"admin.monitor.queue.settings.submit": "Оновити налаштування",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "Максимальна кількість обробників має бути числом",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "Поточний %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "Максимальна кількість обробників",
+	"admin.monitor.queue.settings.description": "Пули динамічно зростають у відповідь на блокування черг їхніх обробників.",
+	"admin.monitor.queue.settings.title": "Налаштування пулу",
+	"admin.monitor.queue.review_add": "Переглянути / додати обробники",
+	"admin.monitor.queue.numberinqueue": "Номер у черзі",
+	"admin.monitor.queue.maxnumberworkers": "Максимальна кількість обробників",
+	"admin.monitor.queue.activeworkers": "Активні обробники",
+	"admin.monitor.queue.numberworkers": "Кількість обробників",
+	"admin.monitor.queue.exemplar": "Приклад типу",
+	"admin.monitor.queue.type": "Тип",
+	"admin.monitor.queue.name": "Назва",
+	"admin.monitor.queue": "Черга: %s",
+	"admin.monitor.queues": "Черги",
+	"admin.users.list_status_filter.not_2fa_enabled": "2FA вимкнено",
+	"admin.users.list_status_filter.is_2fa_enabled": "2FA увімкнено",
+	"admin.users.list_status_filter.not_prohibit_login": "Вхід дозволено",
+	"admin.users.list_status_filter.is_prohibit_login": "Вхід заборонено",
+	"admin.users.list_status_filter.not_restricted": "Без обмежень",
+	"admin.users.list_status_filter.is_restricted": "З обмеженнями",
+	"admin.users.list_status_filter.not_admin": "Не адміністратор",
+	"admin.users.list_status_filter.is_admin": "Адміністратор",
+	"admin.users.list_status_filter.not_active": "Неактивні",
+	"admin.users.list_status_filter.is_active": "Активні",
+	"admin.users.list_status_filter.reset": "Скинути",
+	"admin.users.list_status_filter.menu_text": "Фільтр",
+	"admin.system_status.gc_times": "Кількість запусків збирача сміття",
+	"admin.system_status.last_gc_pause": "Остання пауза збирача сміття",
+	"admin.system_status.total_gc_pause": "Загальна пауза збирача сміття",
+	"admin.system_status.last_gc_time": "З останнього запуску збирача сміття",
+	"admin.system_status.next_gc_recycle": "Наступний цикл збирача сміття",
+	"admin.system_status.other_system_allocation_obtained": "Отримано інших виділень пам’яті",
+	"admin.system_status.gc_metadata_obtained": "Отримано метаданих збирача сміття",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "Отримано хеш-таблиць профілювання",
+	"admin.system_status.mcache_structures_obtained": "Отримано структур MCache",
+	"admin.system_status.mcache_structures_usage": "Використання структур MCache",
+	"admin.system_status.mspan_structures_obtained": "Отримано структур MSpan",
+	"admin.system_status.mspan_structures_usage": "Використання структур MSpan",
+	"admin.system_status.stack_memory_obtained": "Отримано пам’яті стеком",
+	"admin.system_status.bootstrap_stack_usage": "Використання стеку bootstrap",
+	"admin.system_status.heap_objects": "Об’єктів динамічної пам’яті",
+	"admin.system_status.heap_memory_released": "Звільнено динамічної пам’яті",
+	"admin.system_status.heap_memory_in_use": "Динамічної пам’яті використовується",
+	"admin.system_status.heap_memory_idle": "Динамічної пам’яті простоює",
+	"admin.system_status.heap_memory_obtained": "Отримано динамічної пам’яті",
+	"admin.system_status.current_heap_usage": "Поточне використання динамічної пам’яті",
+	"admin.system_status.memory_free_times": "Звільнень пам’яті",
+	"admin.system_status.memory_allocate_times": "Виділень пам’яті",
+	"admin.system_status.pointer_lookup_times": "Пошуків вказівника",
+	"admin.system_status.memory_obtained": "Отримано пам’яті",
+	"admin.system_status.total_memory_allocated": "Виділено пам’яті загалом",
+	"admin.system_status.current_memory_usage": "Поточне використання пам’яті",
+	"admin.system_status.current_goroutine": "Поточна кількість goroutines",
+	"admin.system_status.server_uptime": "Час роботи сервера",
+	"markup.filepreview.truncated": "Перегляд було урізано",
+	"markup.filepreview.lines": "Рядки з %[1]d по %[2]d в %[3]s",
+	"markup.filepreview.line": "Рядок %[1]d в %[2]s",
+	"actions.variables.update.success": "Змінну змінено.",
+	"actions.variables.update.failed": "Не вдалося змінити змінну.",
+	"actions.variables.creation.success": "Змінну «%s» додано.",
+	"actions.variables.creation.failed": "Не вдалося додати змінну.",
+	"actions.variables.deletion.success": "Змінну видалено.",
+	"actions.variables.deletion.failed": "Не вдалося видалити змінну.",
+	"actions.variables.not_found": "Не вдалося знайти змінну.",
+	"actions.variables.edit": "Редагувати змінну",
+	"actions.variables.description": "Змінні передаються певним діям і не можуть бути прочитані інакше.",
+	"actions.variables.deletion.description": "Видалення змінної є остаточним і його неможливо скасувати. Продовжити?",
+	"actions.variables.deletion": "Видалити змінну",
+	"actions.variables.none": "Змінних ще немає.",
+	"actions.variables.creation": "Додати змінну",
+	"actions.variables.management": "Керування змінними",
+	"actions.variables": "Змінні",
+	"webauthn.error.timeout": "Ключ не встиг зчитатись протягом відведеного терміну. Будь ласка, перезавантажте сторінку й повторіть спробу.",
+	"webauthn.error.empty": "Ключ слід якось назвати.",
+	"webauthn.error.duplicated": "Запит із наданим ключем безпеки відхилено. Впевніться, що цей ключ не є вже зареєстрованим.",
+	"webauthn.error.unable_to_process": "Сервер не зміг обробити запит.",
+	"webauthn.error.insecure": "WebAuthn підтримує лише захищені з’єднання. Для тестування через HTTP можете використати origin-рядок «localhost» чи «127.0.0.1»",
+	"webauthn.error.unknown": "Сталася невідома помилка. Будь ласка, повторіть спробу.",
+	"webauthn.unsupported_browser": "Ваш браузер наразі не підтримує WebAuthn.",
+	"webauthn.error": "Не вдалося розпізнати ключ безпеки.",
+	"webauthn.use_twofa": "Введіть код підтвердження з телефону",
+	"webauthn.press_button": "Натисніть кнопку на ключі безпеки…",
+	"webauthn.sign_in": "Натисніть кнопку на ключі безпеки. Якщо ключ безпеки не має кнопки, від’єднайте його і під’єднайте ще раз.",
+	"webauthn.insert_key": "Під’єднайте ключ безпеки",
 	"counters.n_commits": {
 		"one": "%s коміт",
 		"few": "%s коміти",
diff --git a/options/locale_next/locale_vi.json b/options/locale_next/locale_vi.json
index 79148e1fee..28b84ca6ec 100644
--- a/options/locale_next/locale_vi.json
+++ b/options/locale_next/locale_vi.json
@@ -1,4 +1,16 @@
 {
+	"webauthn.error.timeout": "Hết thời gian đọc khóa mất rồi. Hãy tải lại trang và thử lại.",
+	"webauthn.error.empty": "Bạn phải đặt tên cho khóa này.",
+	"webauthn.error.duplicated": "Khóa bảo mật không được phép cho yêu cầu này. Vui lòng đảm bảo rằng khóa chưa được đăng ký trước đó.",
+	"webauthn.error.unable_to_process": "Máy chủ không thể xử lý yêu cầu của bạn.",
+	"webauthn.error.insecure": "WebAuthn chỉ hỗ trợ kết nối mã hóa. Nếu đang thử nghiệm, bạn có thể dùng \"localhost\" hoặc \"127.0.0.1\"",
+	"webauthn.error.unknown": "Có lỗi xảy ra. Vui lòng thử lại.",
+	"webauthn.unsupported_browser": "Trình duyệt của bạn hiện không hỗ trợ WebAuthn.",
+	"webauthn.error": "Không thể đọc khóa bảo mật của bạn.",
+	"webauthn.use_twofa": "Dùng mã xác thực hai lớp ở trên điện thoại",
+	"webauthn.press_button": "Hãy nhấn nút trên khóa bảo mật…",
+	"webauthn.sign_in": "Nhấn nút trên khóa bảo mật, nếu không có nút thì bạn hãy rút ra rồi cắm lại.",
+	"webauthn.insert_key": "Cắm khóa bảo mật của bạn vào",
 	"counters.n_branches": {
 		"one": "%s nhánh",
 		"other": "%s nhánh"
diff --git a/options/locale_next/locale_zh-CN.json b/options/locale_next/locale_zh-CN.json
index 2f5cce7bb0..bd7fbcf3d2 100644
--- a/options/locale_next/locale_zh-CN.json
+++ b/options/locale_next/locale_zh-CN.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "队列中的所有项目已被移除。",
+	"admin.monitor.queue.settings.remove_all_items": "移除全部",
+	"admin.monitor.queue.settings.changed": "设置已更新",
+	"admin.monitor.queue.settings.submit": "更新设置",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "最大工作者数必须是数字",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "当前%[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "最大工作者数量",
+	"admin.monitor.queue.settings.description": "因为工作者队列阻塞，池正在动态扩展。",
+	"admin.monitor.queue.settings.title": "池设置",
+	"admin.monitor.queue.review_add": "审查/添加worker",
+	"admin.monitor.queue.numberinqueue": "队列中的数量",
+	"admin.monitor.queue.maxnumberworkers": "最大worker数量",
+	"admin.monitor.queue.activeworkers": "活跃worker",
+	"admin.monitor.queue.numberworkers": "worker数量",
+	"admin.monitor.queue.exemplar": "数据类型",
+	"admin.monitor.queue.type": "类型",
+	"admin.monitor.queue.name": "名称",
+	"admin.monitor.queue": "队列：%s",
+	"admin.monitor.queues": "队列",
+	"admin.users.list_status_filter.not_2fa_enabled": "未启用2FA",
+	"admin.users.list_status_filter.is_2fa_enabled": "已启用2FA",
+	"admin.users.list_status_filter.not_prohibit_login": "允许登录",
+	"admin.users.list_status_filter.is_prohibit_login": "禁止登录",
+	"admin.users.list_status_filter.not_restricted": "不受限",
+	"admin.users.list_status_filter.is_restricted": "受限",
+	"admin.users.list_status_filter.not_admin": "非管理员",
+	"admin.users.list_status_filter.is_admin": "管理员",
+	"admin.users.list_status_filter.not_active": "未激活",
+	"admin.users.list_status_filter.is_active": "已激活",
+	"admin.users.list_status_filter.reset": "重置",
+	"admin.users.list_status_filter.menu_text": "过滤",
+	"admin.system_status.gc_times": "GC执行次数",
+	"admin.system_status.last_gc_pause": "上次GC暂停时间",
+	"admin.system_status.total_gc_pause": "GC暂停时间总量",
+	"admin.system_status.last_gc_time": "距离上次GC时间",
+	"admin.system_status.next_gc_recycle": "下次GC内存回收量",
+	"admin.system_status.other_system_allocation_obtained": "其它被分配的系统内存",
+	"admin.system_status.gc_metadata_obtained": "被分配的GC元数据内存",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "被分配的剖析哈希表内存",
+	"admin.system_status.mcache_structures_obtained": "被分配的MCache结构内存",
+	"admin.system_status.mcache_structures_usage": "MCache结构内存使用量",
+	"admin.system_status.mspan_structures_obtained": "被分配的MSpan结构内存",
+	"admin.system_status.mspan_structures_usage": "MSpan结构内存使用量",
+	"admin.system_status.stack_memory_obtained": "被分配的Stack内存",
+	"admin.system_status.bootstrap_stack_usage": "启动Stack使用量",
+	"admin.system_status.heap_objects": "Heap对象数量",
+	"admin.system_status.heap_memory_released": "被释放的Heap内存",
+	"admin.system_status.heap_memory_in_use": "正在使用的Heap内存",
+	"admin.system_status.heap_memory_idle": "Heap内存空闲量",
+	"admin.system_status.heap_memory_obtained": "Heap内存占用量",
+	"admin.system_status.current_heap_usage": "当前Heap内存使用量",
+	"admin.system_status.memory_free_times": "内存释放次数",
+	"admin.system_status.memory_allocate_times": "内存分配次数",
+	"admin.system_status.pointer_lookup_times": "指针查找次数",
+	"admin.system_status.memory_obtained": "内存占用量",
+	"admin.system_status.total_memory_allocated": "所有被分配的内存",
+	"admin.system_status.current_memory_usage": "当前内存使用量",
+	"admin.system_status.current_goroutine": "当前Goroutines数量",
+	"admin.system_status.server_uptime": "服务运行时间",
+	"markup.filepreview.truncated": "预览已被截断",
+	"markup.filepreview.lines": "%[3]s中的第%[1]d到%[2]d行",
+	"markup.filepreview.line": "%[2]s中的第%[1]d行",
+	"actions.variables.update.success": "该变量已被编辑。",
+	"actions.variables.update.failed": "编辑变量失败。",
+	"actions.variables.creation.success": "变量 “%s” 添加成功。",
+	"actions.variables.creation.failed": "添加变量失败。",
+	"actions.variables.deletion.success": "变量已被删除。",
+	"actions.variables.deletion.failed": "删除变量失败。",
+	"actions.variables.not_found": "找不到变量。",
+	"actions.variables.edit": "编辑变量",
+	"actions.variables.description": "变量将被传给特定的Action，其它情况将不能被读取。",
+	"actions.variables.deletion.description": "删除变量是永久性的，无法撤消。继续吗？",
+	"actions.variables.deletion": "删除变量",
+	"actions.variables.none": "目前还没有变量。",
+	"actions.variables.creation": "添加变量",
+	"actions.variables.management": "管理变量",
+	"actions.variables": "变量",
+	"webauthn.error.timeout": "未能在允许的时限内读取密钥。请重新加载此页面并重试。",
+	"webauthn.error.empty": "您必须为此密钥设置一个名称。",
+	"webauthn.error.duplicated": "此安全密钥未被许可用于这个请求。请确保该密钥尚未注册。",
+	"webauthn.error.unable_to_process": "服务器无法处理您的请求。",
+	"webauthn.error.insecure": "WebAuthn仅支持安全连接。如果要在HTTP协议上进行测试，请使用\"localhost\"或\"127.0.0.1\"作为访问来源",
+	"webauthn.error.unknown": "发生未知错误。请重试。",
+	"webauthn.unsupported_browser": "你的浏览器目前不支持WebAuthn。",
+	"webauthn.error": "无法读取安全密钥。",
+	"webauthn.use_twofa": "使用来自手机中的两步验证码",
+	"webauthn.press_button": "请按下安全密钥上的按钮……",
+	"webauthn.sign_in": "按下安全密钥上的按钮。如果安全密钥没有按钮，请重新插入它。",
+	"webauthn.insert_key": "插入安全密钥",
 	"counters.n_commits": "%s笔提交",
 	"counters.n_branches": "%s个分支",
 	"counters.n_tags": "%s个标签",
diff --git a/options/locale_next/locale_zh-HK.json b/options/locale_next/locale_zh-HK.json
index d81aa3f202..5f1dc8f7e1 100644
--- a/options/locale_next/locale_zh-HK.json
+++ b/options/locale_next/locale_zh-HK.json
@@ -1,4 +1,43 @@
 {
+	"admin.monitor.queue.settings.submit": "更新設定",
+	"admin.monitor.queue.type": "認證類型",
+	"admin.monitor.queue.name": "組織名稱",
+	"admin.users.list_status_filter.is_admin": "管理員",
+	"admin.system_status.gc_times": "垃圾收集執行次數",
+	"admin.system_status.last_gc_pause": "上次垃圾收集暫停時間",
+	"admin.system_status.total_gc_pause": "垃圾收集暫停時間總量",
+	"admin.system_status.last_gc_time": "距離上次垃圾收集時間",
+	"admin.system_status.next_gc_recycle": "下次垃圾收集內存回收量",
+	"admin.system_status.other_system_allocation_obtained": "其它被分配的系統內存",
+	"admin.system_status.gc_metadata_obtained": "被分配的垃圾收集元資料內存",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "被分配的剖析哈希表內存",
+	"admin.system_status.mcache_structures_obtained": "被分配的 MCache 結構內存",
+	"admin.system_status.mcache_structures_usage": "MCache 結構內存使用量",
+	"admin.system_status.mspan_structures_obtained": "被分配的 MSpan 結構內存",
+	"admin.system_status.mspan_structures_usage": "MSpan 結構內存使用量",
+	"admin.system_status.stack_memory_obtained": "被分配的 Stack 內存",
+	"admin.system_status.bootstrap_stack_usage": "啟動 Stack 使用量",
+	"admin.system_status.heap_objects": "Heap 對象數量",
+	"admin.system_status.heap_memory_released": "被釋放的 Heap 內存",
+	"admin.system_status.heap_memory_in_use": "正在使用的 Heap 內存",
+	"admin.system_status.heap_memory_idle": "Heap 內存空閒量",
+	"admin.system_status.heap_memory_obtained": "Heap 內存佔用量",
+	"admin.system_status.current_heap_usage": "當前 Heap 內存使用量",
+	"admin.system_status.pointer_lookup_times": "指針查找次數",
+	"admin.system_status.memory_obtained": "內存佔用量",
+	"admin.system_status.total_memory_allocated": "所有被分配的內存",
+	"admin.system_status.current_memory_usage": "當前內存使用量",
+	"admin.system_status.current_goroutine": "當前 Goroutines 數量",
+	"admin.system_status.server_uptime": "服務執行時間",
+	"webauthn.error.empty": "你要起名呢條鎖匙。",
+	"webauthn.error.unable_to_process": "伺服器唔可以執行你嘅請求。",
+	"webauthn.error.unknown": "發生未知嘅錯誤，請再試下。",
+	"webauthn.unsupported_browser": "你嘅瀏覽器唔支援 WebAuthn。",
+	"webauthn.error": "唔可以讀取安全密鑰。",
+	"webauthn.use_twofa": "用手機嘅兩步驟驗證",
+	"webauthn.press_button": "請撳下安全密鑰嘅掣…",
+	"webauthn.sign_in": "撳下安全密鑰嘅掣。如果安全密鑰冇掣，請再插入。",
+	"webauthn.insert_key": "插入安全密鑰",
 	"migrate.items.wiki": "維基",
 	"migrate.items.milestones": "里程碑",
 	"migrate.items.labels": "標籤",
diff --git a/options/locale_next/locale_zh-TW.json b/options/locale_next/locale_zh-TW.json
index ac46e41245..c2d5063457 100644
--- a/options/locale_next/locale_zh-TW.json
+++ b/options/locale_next/locale_zh-TW.json
@@ -1,4 +1,93 @@
 {
+	"admin.monitor.queue.settings.remove_all_items.success": "已移除佇列中所有項目。",
+	"admin.monitor.queue.settings.remove_all_items": "全部移除",
+	"admin.monitor.queue.settings.changed": "已更新設定",
+	"admin.monitor.queue.settings.submit": "更新設定",
+	"admin.monitor.queue.settings.maxnumberworkers.error": "最大工作者數量必須是數字",
+	"admin.monitor.queue.settings.maxnumberworkers.placeholder": "目前 %[1]d",
+	"admin.monitor.queue.settings.maxnumberworkers": "最大工作者數量",
+	"admin.monitor.queue.settings.description": "集區會根據工作者佇列的阻塞情況動態增長。",
+	"admin.monitor.queue.settings.title": "集區設定",
+	"admin.monitor.queue.review_add": "審閱／增加 Worker",
+	"admin.monitor.queue.numberinqueue": "佇列中的數量",
+	"admin.monitor.queue.maxnumberworkers": "最大工作者數量",
+	"admin.monitor.queue.activeworkers": "活躍工作者",
+	"admin.monitor.queue.numberworkers": "工作者數量",
+	"admin.monitor.queue.exemplar": "型別",
+	"admin.monitor.queue.type": "類型",
+	"admin.monitor.queue.name": "名稱",
+	"admin.monitor.queue": "佇列: %s",
+	"admin.monitor.queues": "佇列",
+	"admin.users.list_status_filter.not_2fa_enabled": "未啟用兩步驟驗證",
+	"admin.users.list_status_filter.is_2fa_enabled": "已啟用兩步驟驗證",
+	"admin.users.list_status_filter.not_prohibit_login": "允許登入",
+	"admin.users.list_status_filter.is_prohibit_login": "禁止登入",
+	"admin.users.list_status_filter.not_restricted": "未受限制",
+	"admin.users.list_status_filter.is_restricted": "受限",
+	"admin.users.list_status_filter.not_admin": "非管理員",
+	"admin.users.list_status_filter.is_admin": "管理員",
+	"admin.users.list_status_filter.not_active": "未啟用",
+	"admin.users.list_status_filter.is_active": "已啟用",
+	"admin.users.list_status_filter.reset": "重設",
+	"admin.users.list_status_filter.menu_text": "篩選",
+	"admin.system_status.gc_times": "GC 執行次數",
+	"admin.system_status.last_gc_pause": "上次 GC 暫停時間",
+	"admin.system_status.total_gc_pause": "總 GC 暫停時間",
+	"admin.system_status.last_gc_time": "距離上次 GC 時間",
+	"admin.system_status.next_gc_recycle": "下次 GC 記憶體回收量",
+	"admin.system_status.other_system_allocation_obtained": "其他獲得的系統記憶體",
+	"admin.system_status.gc_metadata_obtained": "被分配 GC Metadata",
+	"admin.system_status.profiling_bucket_hash_table_obtained": "被分配的剖析雜湊表",
+	"admin.system_status.mcache_structures_obtained": "獲得的 MCache 結構",
+	"admin.system_status.mcache_structures_usage": "MCache 結構使用量",
+	"admin.system_status.mspan_structures_obtained": "獲得的 MSpan 結構",
+	"admin.system_status.mspan_structures_usage": "MSpan 結構使用量",
+	"admin.system_status.stack_memory_obtained": "獲得的 Stack 記憶體",
+	"admin.system_status.bootstrap_stack_usage": "啟動 Stack 使用量",
+	"admin.system_status.heap_objects": "Heap 物件數量",
+	"admin.system_status.heap_memory_released": "被釋放的 Heap 記憶體",
+	"admin.system_status.heap_memory_in_use": "正在使用的 Heap 記憶體",
+	"admin.system_status.heap_memory_idle": "Heap 記憶體閒置量",
+	"admin.system_status.heap_memory_obtained": "獲得的 Heap 記憶體",
+	"admin.system_status.current_heap_usage": "目前 Heap 記憶體使用量",
+	"admin.system_status.memory_free_times": "記憶體釋放次數",
+	"admin.system_status.memory_allocate_times": "記憶體分配次數",
+	"admin.system_status.pointer_lookup_times": "指標尋找次數",
+	"admin.system_status.memory_obtained": "獲得的記憶體",
+	"admin.system_status.total_memory_allocated": "所有被分配的記憶體",
+	"admin.system_status.current_memory_usage": "目前記憶體使用量",
+	"admin.system_status.current_goroutine": "目前的 Goroutines",
+	"admin.system_status.server_uptime": "伺服器運作時間",
+	"markup.filepreview.truncated": "預覽已被截斷",
+	"markup.filepreview.lines": "%[3]s 中的第 %[1]d 至 %[2]d 行",
+	"markup.filepreview.line": "%[2]s 中的第 %[1]d 行",
+	"actions.variables.update.success": "該變數已被編輯。",
+	"actions.variables.update.failed": "編輯變數失敗。",
+	"actions.variables.creation.success": "已新增變數 「%s」。",
+	"actions.variables.creation.failed": "變數新增失敗。",
+	"actions.variables.deletion.success": "該變數已被刪除。",
+	"actions.variables.deletion.failed": "變數刪除失敗。",
+	"actions.variables.not_found": "找不到變數。",
+	"actions.variables.edit": "編輯變數",
+	"actions.variables.description": "變數會被傳給特定的 Actions，除此之外它們無法被讀取。",
+	"actions.variables.deletion.description": "刪除變數是永久且不可取消的。要繼續嗎？",
+	"actions.variables.deletion": "刪除變數",
+	"actions.variables.none": "目前沒有變數。",
+	"actions.variables.creation": "新增變數",
+	"actions.variables.management": "變數管理",
+	"actions.variables": "變數",
+	"webauthn.error.timeout": "在成功讀取金鑰之前已逾時，請重新載入此頁面並重試。",
+	"webauthn.error.empty": "您必須命名此金鑰。",
+	"webauthn.error.duplicated": "此安全金鑰無法允許這個請求。請確保該金鑰尚未被註冊。",
+	"webauthn.error.unable_to_process": "伺服器無法處理您的請求。",
+	"webauthn.error.insecure": "WebAuthn 只支援安全連線。想在 HTTP 上測試，您可以使用「localhost」或「127.0.0.1」",
+	"webauthn.error.unknown": "發生未知的錯誤，請再試一次。",
+	"webauthn.unsupported_browser": "您的瀏覽器還不支援 WebAuthn。",
+	"webauthn.error": "無法讀取您的安全金鑰。",
+	"webauthn.use_twofa": "使用來自手機的兩步驟驗證碼",
+	"webauthn.press_button": "請按下您安全金鑰上的按鈕…",
+	"webauthn.sign_in": "按下您安全金鑰上的按鈕。如果您的安全金鑰沒有按鈕，請重新插入。",
+	"webauthn.insert_key": "插入您的安全金鑰",
 	"counters.n_commits": {
 		"one": "%s 個提交",
 		"other": "%s 個提交"
diff --git a/routers/web/admin/queue.go b/routers/web/admin/queue.go
index 03bbfe5af4..377f03450f 100644
--- a/routers/web/admin/queue.go
+++ b/routers/web/admin/queue.go
@@ -84,6 +84,6 @@ func QueueRemoveAllItems(ctx *context.Context) {
 		return
 	}
 
-	ctx.Flash.Success(ctx.Tr("admin.monitor.queue.settings.remove_all_items_done"))
+	ctx.Flash.Success(ctx.Tr("admin.monitor.queue.settings.remove_all_items.success"))
 	ctx.Redirect(setting.AppSubURL + "/admin/monitor/queue/" + strconv.FormatInt(qid, 10))
 }
diff --git a/templates/admin/queue_manage.tmpl b/templates/admin/queue_manage.tmpl
index a793fe1350..7686755d6d 100644
--- a/templates/admin/queue_manage.tmpl
+++ b/templates/admin/queue_manage.tmpl
@@ -44,7 +44,7 @@
 			{{ctx.Locale.Tr "admin.monitor.queue.settings.title"}}
 		</h4>
 		<div class="ui attached segment">
-			<p>{{ctx.Locale.Tr "admin.monitor.queue.settings.desc"}}</p>
+			<p>{{ctx.Locale.Tr "admin.monitor.queue.settings.description"}}</p>
 			<form method="post" action="{{.Link}}/set">
 				<div class="ui form">
 					<div class="inline field">
diff --git a/templates/admin/system_status.tmpl b/templates/admin/system_status.tmpl
index d9856ccd0b..c1dd838290 100644
--- a/templates/admin/system_status.tmpl
+++ b/templates/admin/system_status.tmpl
@@ -1,62 +1,62 @@
 <dl class="admin-dl-horizontal">
-	<dt>{{ctx.Locale.Tr "admin.dashboard.server_uptime"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.server_uptime"}}</dt>
 	<dd><relative-time format="duration" datetime="{{.SysStatus.StartTime}}">{{.SysStatus.StartTime}}</relative-time></dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.current_goroutine"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.current_goroutine"}}</dt>
 	<dd>{{.SysStatus.NumGoroutine}}</dd>
 	<div class="divider"></div>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.current_memory_usage"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.current_memory_usage"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.MemAllocated}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.total_memory_allocated"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.total_memory_allocated"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.MemTotal}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.memory_obtained"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.memory_obtained"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.MemSys}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.pointer_lookup_times"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.pointer_lookup_times"}}</dt>
 	<dd>{{.SysStatus.Lookups}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.memory_allocate_times"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.memory_allocate_times"}}</dt>
 	<dd>{{.SysStatus.MemMallocs}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.memory_free_times"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.memory_free_times"}}</dt>
 	<dd>{{.SysStatus.MemFrees}}</dd>
 	<div class="divider"></div>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.current_heap_usage"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.current_heap_usage"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.HeapAlloc}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.heap_memory_obtained"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.heap_memory_obtained"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.HeapSys}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.heap_memory_idle"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.heap_memory_idle"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.HeapIdle}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.heap_memory_in_use"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.heap_memory_in_use"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.HeapInuse}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.heap_memory_released"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.heap_memory_released"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.HeapReleased}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.heap_objects"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.heap_objects"}}</dt>
 	<dd>{{.SysStatus.HeapObjects}}</dd>
 	<div class="divider"></div>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.bootstrap_stack_usage"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.bootstrap_stack_usage"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.StackInuse}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.stack_memory_obtained"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.stack_memory_obtained"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.StackSys}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.mspan_structures_usage"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.mspan_structures_usage"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.MSpanInuse}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.mspan_structures_obtained"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.mspan_structures_obtained"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.MSpanSys}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.mcache_structures_usage"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.mcache_structures_usage"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.MCacheInuse}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.mcache_structures_obtained"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.mcache_structures_obtained"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.MCacheSys}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.profiling_bucket_hash_table_obtained"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.profiling_bucket_hash_table_obtained"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.BuckHashSys}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.gc_metadata_obtained"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.gc_metadata_obtained"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.GCSys}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.other_system_allocation_obtained"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.other_system_allocation_obtained"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.OtherSys}}</dd>
 	<div class="divider"></div>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.next_gc_recycle"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.next_gc_recycle"}}</dt>
 	<dd>{{ctx.Locale.TrSize .SysStatus.NextGC}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.last_gc_time"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.last_gc_time"}}</dt>
 	<dd><relative-time format="duration" datetime="{{.SysStatus.LastGCTime}}">{{.SysStatus.LastGCTime}}</relative-time></dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.total_gc_pause"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.total_gc_pause"}}</dt>
 	<dd>{{.SysStatus.PauseTotalNs}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.last_gc_pause"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.last_gc_pause"}}</dt>
 	<dd>{{.SysStatus.PauseNs}}</dd>
-	<dt>{{ctx.Locale.Tr "admin.dashboard.gc_times"}}</dt>
+	<dt>{{ctx.Locale.Tr "admin.system_status.gc_times"}}</dt>
 	<dd>{{.SysStatus.NumGC}}</dd>
 </dl>
diff --git a/templates/user/auth/webauthn.tmpl b/templates/user/auth/webauthn.tmpl
index 1b84765323..00cb88621d 100644
--- a/templates/user/auth/webauthn.tmpl
+++ b/templates/user/auth/webauthn.tmpl
@@ -6,17 +6,17 @@
 			<h3 class="ui top attached header">{{ctx.Locale.Tr "twofa"}}</h3>
 			<div class="ui attached segment">
 				{{svg "octicon-key" 56}}
-				<h3>{{ctx.Locale.Tr "webauthn_insert_key"}}</h3>
+				<h3>{{ctx.Locale.Tr "webauthn.insert_key"}}</h3>
 				{{template "base/alert" .}}
-				<p>{{ctx.Locale.Tr "webauthn_sign_in"}}</p>
+				<p>{{ctx.Locale.Tr "webauthn.sign_in"}}</p>
 			</div>
 			<div class="ui attached segment tw-flex tw-items-center tw-justify-center tw-gap-1 tw-py-2">
 				<div class="is-loading tw-w-[40px] tw-h-[40px]"></div>
-				{{ctx.Locale.Tr "webauthn_press_button"}}
+				{{ctx.Locale.Tr "webauthn.press_button"}}
 			</div>
 			{{if .HasTwoFactor}}
 				<div class="ui attached segment">
-					<a href="{{AppSubUrl}}/user/two_factor">{{ctx.Locale.Tr "webauthn_use_twofa"}}</a>
+					<a href="{{AppSubUrl}}/user/two_factor">{{ctx.Locale.Tr "webauthn.use_twofa"}}</a>
 				</div>
 			{{end}}
 		</div>
diff --git a/templates/user/auth/webauthn_error.tmpl b/templates/user/auth/webauthn_error.tmpl
index 511ff7c287..db54251096 100644
--- a/templates/user/auth/webauthn_error.tmpl
+++ b/templates/user/auth/webauthn_error.tmpl
@@ -1,13 +1,13 @@
 <div id="webauthn-error" class="ui negative message tw-hidden">
-	<div class="header">{{ctx.Locale.Tr "webauthn_error"}}</div>
+	<div class="header">{{ctx.Locale.Tr "webauthn.error"}}</div>
 	<div id="webauthn-error-msg" class="tw-pt-2"></div>
 	<div class="tw-hidden">
-		<div data-webauthn-error-msg="browser">{{ctx.Locale.Tr "webauthn_unsupported_browser"}}</div>
-		<div data-webauthn-error-msg="unknown">{{ctx.Locale.Tr "webauthn_error_unknown"}}</div>
-		<div data-webauthn-error-msg="insecure">{{ctx.Locale.Tr "webauthn_error_insecure"}}</div>
-		<div data-webauthn-error-msg="unable-to-process">{{ctx.Locale.Tr "webauthn_error_unable_to_process"}}</div>
-		<div data-webauthn-error-msg="duplicated">{{ctx.Locale.Tr "webauthn_error_duplicated"}}</div>
-		<div data-webauthn-error-msg="empty">{{ctx.Locale.Tr "webauthn_error_empty"}}</div>
-		<div data-webauthn-error-msg="timeout">{{ctx.Locale.Tr "webauthn_error_timeout"}}</div>
+		<div data-webauthn-error-msg="browser">{{ctx.Locale.Tr "webauthn.unsupported_browser"}}</div>
+		<div data-webauthn-error-msg="unknown">{{ctx.Locale.Tr "webauthn.error.unknown"}}</div>
+		<div data-webauthn-error-msg="insecure">{{ctx.Locale.Tr "webauthn.error.insecure"}}</div>
+		<div data-webauthn-error-msg="unable-to-process">{{ctx.Locale.Tr "webauthn.error.unable_to_process"}}</div>
+		<div data-webauthn-error-msg="duplicated">{{ctx.Locale.Tr "webauthn.error.duplicated"}}</div>
+		<div data-webauthn-error-msg="empty">{{ctx.Locale.Tr "webauthn.error.empty"}}</div>
+		<div data-webauthn-error-msg="timeout">{{ctx.Locale.Tr "webauthn.error.timeout"}}</div>
 	</div>
 </div>

From 73b30acbd0e96cd1afdd01bf2aebcb5153a27367 Mon Sep 17 00:00:00 2001
From: Gabor Pihaj <gabor.pihaj@gmail.com>
Date: Mon, 27 Apr 2026 22:34:46 +0200
Subject: [PATCH 178/287] feat: replace repo based server-side hooks with
 centralised hooks (#10397)

This PR is replacing repository based hooks hooks with centralised files, this way the files don't need to be copied into every repository, only one line of config need to be added in the repository.

Closes: #3523

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10397
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 Makefile                                      |   6 +-
 cmd/admin.go                                  |   1 -
 cmd/admin_regenerate.go                       |  31 +--
 cmd/main_test.go                              |   8 +-
 models/unittest/testdb.go                     |  38 ++-
 modules/git/git.go                            |  10 +
 .../hooks.go => git/hook_generate.go}         | 122 +++------
 modules/repository/init.go                    |   2 -
 release-notes/10397.md                        |   1 +
 routers/init.go                               |   2 -
 routers/install/routes_test.go                |   2 +-
 services/cron/tasks_extended.go               |  11 -
 services/doctor/misc.go                       |  33 ---
 services/repository/adopt.go                  |   4 -
 services/repository/fork.go                   |   4 -
 services/repository/hooks.go                  |  38 ---
 services/repository/migrate.go                |   8 -
 services/wiki/wiki.go                         |   2 -
 tests/install.ini.tmpl                        |   0
 tests/integration/api_admin_test.go           |   4 +-
 tests/integration/api_issue_config_test.go    | 245 +++++++++---------
 tests/integration/empty_repo_test.go          | 149 +++++------
 tests/integration/git_hooks_test.go           |  99 +++++++
 tests/integration/git_test.go                 |   1 +
 .../repo_mergecommit_revert_test.go           |  34 +--
 tests/unittest.ini.tmpl                       |   2 +
 26 files changed, 418 insertions(+), 439 deletions(-)
 rename modules/{repository/hooks.go => git/hook_generate.go} (60%)
 create mode 100644 release-notes/10397.md
 create mode 100644 tests/install.ini.tmpl
 create mode 100644 tests/integration/git_hooks_test.go
 create mode 100644 tests/unittest.ini.tmpl

diff --git a/Makefile b/Makefile
index 99aaaac8d8..a499443ddd 100644
--- a/Makefile
+++ b/Makefile
@@ -562,12 +562,12 @@ test: test-frontend test-backend
 .PHONY: test-backend
 test-backend: | compute-go-test-packages
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@TZ=UTC $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
+	@TZ=UTC GITEA_ROOT="$(CURDIR)" $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
 
 .PHONY: test-remote-cacher
 test-remote-cacher:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)
+	GITEA_ROOT="$(CURDIR)" $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)
 
 .PHONY: test-frontend
 test-frontend: node_modules
@@ -592,7 +592,7 @@ test-check:
 .PHONY: test\#%
 test\#%: | compute-go-test-packages
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@TZ=UTC $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
+	@TZ=UTC GITEA_ROOT="$(CURDIR)" $(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
 
 coverage-merge:
 	rm -fr coverage/merged ; mkdir -p coverage/merged
diff --git a/cmd/admin.go b/cmd/admin.go
index 60b25eb971..fe212cc388 100644
--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -47,7 +47,6 @@ func subcmdRegenerate() *cli.Command {
 		Name:  "regenerate",
 		Usage: "Regenerate specific files",
 		Commands: []*cli.Command{
-			microcmdRegenHooks,
 			microcmdRegenKeys,
 		},
 	}
diff --git a/cmd/admin_regenerate.go b/cmd/admin_regenerate.go
index 4d14df317d..4620a7106d 100644
--- a/cmd/admin_regenerate.go
+++ b/cmd/admin_regenerate.go
@@ -7,36 +7,15 @@ import (
 	"context"
 
 	asymkey_model "forgejo.org/models/asymkey"
-	"forgejo.org/modules/graceful"
-	repo_service "forgejo.org/services/repository"
 
 	"github.com/urfave/cli/v3"
 )
 
-var (
-	microcmdRegenHooks = &cli.Command{
-		Name:   "hooks",
-		Usage:  "Regenerate git-hooks",
-		Before: noDanglingArgs,
-		Action: runRegenerateHooks,
-	}
-
-	microcmdRegenKeys = &cli.Command{
-		Name:   "keys",
-		Usage:  "Regenerate authorized_keys file",
-		Before: noDanglingArgs,
-		Action: runRegenerateKeys,
-	}
-)
-
-func runRegenerateHooks(ctx context.Context, c *cli.Command) error {
-	ctx, cancel := installSignals(ctx)
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-	return repo_service.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
+var microcmdRegenKeys = &cli.Command{
+	Name:   "keys",
+	Usage:  "Regenerate authorized_keys file",
+	Before: noDanglingArgs,
+	Action: runRegenerateKeys,
 }
 
 func runRegenerateKeys(ctx context.Context, c *cli.Command) error {
diff --git a/cmd/main_test.go b/cmd/main_test.go
index 1ec3471343..ca6a56f4af 100644
--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -62,7 +63,12 @@ func runTestApp(app *cli.Command, args ...string) (runResult, error) {
 }
 
 func TestCliCmd(t *testing.T) {
-	defaultWorkPath := filepath.Dir(setting.AppPath)
+	path, err := os.Executable()
+	if err != nil {
+		panic(err)
+	}
+
+	defaultWorkPath := filepath.Dir(path)
 	defaultCustomPath := filepath.Join(defaultWorkPath, "custom")
 	defaultCustomConf := filepath.Join(defaultCustomPath, "conf/app.ini")
 
diff --git a/models/unittest/testdb.go b/models/unittest/testdb.go
index 8e212bc0a3..c926a85df6 100644
--- a/models/unittest/testdb.go
+++ b/models/unittest/testdb.go
@@ -47,10 +47,29 @@ func fatalTestError(fmtStr string, args ...any) {
 
 // InitSettings initializes config provider and load common settings for tests
 func InitSettings() {
-	if setting.CustomConf == "" {
-		setting.CustomConf = filepath.Join(setting.CustomPath, "conf/app-unittest-tmp.ini")
-		_ = os.Remove(setting.CustomConf)
+	InitCustomSettings("unittest.ini")
+}
+
+func InitCustomSettings(confFileName string) {
+	root := base.SetupGiteaRoot()
+	if root == "" {
+		fatalTestError("Environment variable $GITEA_ROOT not set")
 	}
+	setting.AppPath = filepath.Join(root, "gitea")
+	if setting.CustomConf == "" {
+		templateFile := confFileName + ".tmpl"
+		content, err := os.ReadFile(filepath.Join(root, "tests", templateFile))
+		if err != nil {
+			log.Fatalf("couldn't read config template: %s", templateFile)
+		}
+		err = os.WriteFile(filepath.Join(root, "tests", confFileName), content, 0o644)
+		if err != nil {
+			log.Fatalf("couldn't write config: %s", confFileName)
+		}
+		setting.CustomConf = filepath.Join(root, "tests", confFileName)
+	}
+	os.Setenv("GITEA_CONF", setting.CustomConf)
+
 	setting.InitCfgProvider(setting.CustomConf)
 	setting.LoadCommonSettings()
 
@@ -72,9 +91,10 @@ func InitSettings() {
 
 // TestOptions represents test options
 type TestOptions struct {
-	FixtureFiles []string
-	SetUp        func() error // SetUp will be executed before all tests in this package
-	TearDown     func() error // TearDown will be executed after all tests in this package
+	FixtureFiles    []string
+	SetUp           func() error // SetUp will be executed before all tests in this package
+	TearDown        func() error // TearDown will be executed after all tests in this package
+	IniFileOverride string
 }
 
 // MainTest a reusable TestMain(..) function for unit tests that need to use a
@@ -97,7 +117,11 @@ func MainTest(m *testing.M, testOpts ...*TestOptions) {
 
 	giteaRoot = searchDir
 	setting.CustomPath = filepath.Join(giteaRoot, "custom")
-	InitSettings()
+	if len(testOpts) == 0 || testOpts[0].IniFileOverride == "" {
+		InitSettings()
+	} else {
+		InitCustomSettings(testOpts[0].IniFileOverride)
+	}
 
 	fixturesDir = filepath.Join(giteaRoot, "models", "fixtures")
 	var opts FixturesOptions
diff --git a/modules/git/git.go b/modules/git/git.go
index 650fd3b5af..7f8674d099 100644
--- a/modules/git/git.go
+++ b/modules/git/git.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"regexp"
 	"runtime"
@@ -200,6 +201,11 @@ func InitFull(ctx context.Context) (err error) {
 	_, err = exec.LookPath("ssh")
 	HasSSHExecutable = err == nil
 
+	err = InitDelegateHooks(HomeDir())
+	if err != nil {
+		return nil
+	}
+
 	return syncGitConfig()
 }
 
@@ -229,6 +235,10 @@ func syncGitConfig() (err error) {
 		}
 	}
 
+	if err := configSet("core.hooksPath", path.Join(HomeDir(), "hooks")); err != nil {
+		return err
+	}
+
 	// Set git some configurations - these must be set to these values for forgejo to work correctly
 	if err := configSet("core.quotePath", "false"); err != nil {
 		return err
diff --git a/modules/repository/hooks.go b/modules/git/hook_generate.go
similarity index 60%
rename from modules/repository/hooks.go
rename to modules/git/hook_generate.go
index 0f5e3afc34..2af2487ab3 100644
--- a/modules/repository/hooks.go
+++ b/modules/git/hook_generate.go
@@ -1,7 +1,7 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package repository
+package git
 
 import (
 	"fmt"
@@ -21,14 +21,25 @@ func getHookTemplates() (hookNames, hookTpls, giteaHookTpls []string) {
 data=$(cat)
 exitcodes=""
 hookname=$(basename $0)
-GIT_DIR=${GIT_DIR:-$(dirname $0)/..}
 
-for hook in ${GIT_DIR}/hooks/${hookname}.d/*; do
+for hook in $(dirname $0)/${hookname}.d/*; do
   test -x "${hook}" && test -f "${hook}" || continue
   echo "${data}" | "${hook}"
   exitcodes="${exitcodes} $?"
 done
 
+# Custom hooks
+custom_hooks_dir="./hooks/${hookname}.d"
+if [ -d "${custom_hooks_dir}" ]; then
+  for hook in ${custom_hooks_dir}/*; do
+    if [ $(basename "${hook}") != "gitea" ]; then
+      test -x "${hook}" && test -f "${hook}" || continue
+      echo "${data}" | "${hook}"
+      exitcodes="${exitcodes} $?"
+    fi
+  done
+fi
+
 for i in ${exitcodes}; do
   [ ${i} -eq 0 ] || exit ${i}
 done
@@ -39,14 +50,25 @@ done
 # AUTO GENERATED BY GITEA, DO NOT MODIFY
 exitcodes=""
 hookname=$(basename $0)
-GIT_DIR=${GIT_DIR:-$(dirname $0/..)}
 
-for hook in ${GIT_DIR}/hooks/${hookname}.d/*; do
+for hook in $(dirname $0)/${hookname}.d/*; do
   test -x "${hook}" && test -f "${hook}" || continue
   "${hook}" $1 $2 $3
   exitcodes="${exitcodes} $?"
 done
 
+# Custom hooks
+custom_hooks_dir="./hooks/${hookname}.d"
+if [ -d "${custom_hooks_dir}" ]; then
+  for hook in ${custom_hooks_dir}/*; do
+    if [ $(basename "${hook}") != "gitea" ]; then
+      test -x "${hook}" && test -f "${hook}" || continue
+      "${hook}" $1 $2 $3
+      exitcodes="${exitcodes} $?"
+    fi
+  done
+fi
+
 for i in ${exitcodes}; do
   [ ${i} -eq 0 ] || exit ${i}
 done
@@ -58,14 +80,24 @@ done
 data=$(cat)
 exitcodes=""
 hookname=$(basename $0)
-GIT_DIR=${GIT_DIR:-$(dirname $0)/..}
 
-for hook in ${GIT_DIR}/hooks/${hookname}.d/*; do
+for hook in $(dirname $0)/${hookname}.d/*; do
   test -x "${hook}" && test -f "${hook}" || continue
   echo "${data}" | "${hook}"
   exitcodes="${exitcodes} $?"
 done
 
+# Custom hooks
+custom_hooks_dir="./hooks/${hookname}.d"
+if [ -d "${custom_hooks_dir}" ]; then
+  for hook in ${custom_hooks_dir}/*; do
+    if [ $(basename "${hook}") != "gitea" ]; then
+      test -x "${hook}" && test -f "${hook}" || continue
+      echo "${data}" | "${hook}"
+      exitcodes="${exitcodes} $?"
+    fi
+  done
+fi
 for i in ${exitcodes}; do
   [ ${i} -eq 0 ] || exit ${i}
 done
@@ -104,10 +136,9 @@ done
 	return hookNames, hookTpls, giteaHookTpls
 }
 
-// CreateDelegateHooks creates all the hooks scripts for the repo
-func CreateDelegateHooks(repoPath string) (err error) {
+func InitDelegateHooks(path string) (err error) {
 	hookNames, hookTpls, giteaHookTpls := getHookTemplates()
-	hookDir := filepath.Join(repoPath, "hooks")
+	hookDir := filepath.Join(path, "hooks")
 
 	for i, hookName := range hookNames {
 		oldHookPath := filepath.Join(hookDir, hookName)
@@ -144,14 +175,6 @@ func CreateDelegateHooks(repoPath string) (err error) {
 	return nil
 }
 
-func checkExecutable(filename string) bool {
-	fileInfo, err := os.Stat(filename)
-	if err != nil {
-		return false
-	}
-	return (fileInfo.Mode() & 0o100) > 0
-}
-
 func ensureExecutable(filename string) error {
 	fileInfo, err := os.Stat(filename)
 	if err != nil {
@@ -163,66 +186,3 @@ func ensureExecutable(filename string) error {
 	mode := fileInfo.Mode() | 0o100
 	return os.Chmod(filename, mode)
 }
-
-// CheckDelegateHooks checks the hooks scripts for the repo
-func CheckDelegateHooks(repoPath string) ([]string, error) {
-	hookNames, hookTpls, giteaHookTpls := getHookTemplates()
-
-	hookDir := filepath.Join(repoPath, "hooks")
-	results := make([]string, 0, 10)
-
-	for i, hookName := range hookNames {
-		oldHookPath := filepath.Join(hookDir, hookName)
-		newHookPath := filepath.Join(hookDir, hookName+".d", "gitea")
-
-		cont := false
-		isExist, err := util.IsExist(oldHookPath)
-		if err != nil {
-			results = append(results, fmt.Sprintf("unable to check if %s exists. Error: %v", oldHookPath, err))
-		}
-		if err == nil && !isExist {
-			results = append(results, fmt.Sprintf("old hook file %s does not exist", oldHookPath))
-			cont = true
-		}
-		isExist, err = util.IsExist(oldHookPath + ".d")
-		if err != nil {
-			results = append(results, fmt.Sprintf("unable to check if %s exists. Error: %v", oldHookPath+".d", err))
-		}
-		if err == nil && !isExist {
-			results = append(results, fmt.Sprintf("hooks directory %s does not exist", oldHookPath+".d"))
-			cont = true
-		}
-		isExist, err = util.IsExist(newHookPath)
-		if err != nil {
-			results = append(results, fmt.Sprintf("unable to check if %s exists. Error: %v", newHookPath, err))
-		}
-		if err == nil && !isExist {
-			results = append(results, fmt.Sprintf("new hook file %s does not exist", newHookPath))
-			cont = true
-		}
-		if cont {
-			continue
-		}
-		contents, err := os.ReadFile(oldHookPath)
-		if err != nil {
-			return results, err
-		}
-		if string(contents) != hookTpls[i] {
-			results = append(results, fmt.Sprintf("old hook file %s is out of date", oldHookPath))
-		}
-		if !checkExecutable(oldHookPath) {
-			results = append(results, fmt.Sprintf("old hook file %s is not executable", oldHookPath))
-		}
-		contents, err = os.ReadFile(newHookPath)
-		if err != nil {
-			return results, err
-		}
-		if string(contents) != giteaHookTpls[i] {
-			results = append(results, fmt.Sprintf("new hook file %s is out of date", newHookPath))
-		}
-		if !checkExecutable(newHookPath) {
-			results = append(results, fmt.Sprintf("new hook file %s is not executable", newHookPath))
-		}
-	}
-	return results, nil
-}
diff --git a/modules/repository/init.go b/modules/repository/init.go
index 66a65599a8..16d366c6f0 100644
--- a/modules/repository/init.go
+++ b/modules/repository/init.go
@@ -138,8 +138,6 @@ func CheckInitRepository(ctx context.Context, owner, name, objectFormatName stri
 	// Init git bare new repository.
 	if err = git.InitRepository(ctx, repoPath, true, objectFormatName); err != nil {
 		return fmt.Errorf("git.InitRepository: %w", err)
-	} else if err = CreateDelegateHooks(repoPath); err != nil {
-		return fmt.Errorf("createDelegateHooks: %w", err)
 	}
 	return nil
 }
diff --git a/release-notes/10397.md b/release-notes/10397.md
new file mode 100644
index 0000000000..0560c173b9
--- /dev/null
+++ b/release-notes/10397.md
@@ -0,0 +1 @@
+feat: replace repository based server-side hooks with centralised hooks. Migration guide is available in [Admin docs](https://forgejo.org/docs/latest/admin/upgrade/#when-upgrading-from--known-problematic-versions-or-upgrade-paths).
diff --git a/routers/init.go b/routers/init.go
index 26cf0ace3e..f272d60d63 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -92,8 +92,6 @@ func syncAppConfForGit(ctx context.Context) error {
 	}
 
 	if updated {
-		log.Info("re-sync repository hooks ...")
-		mustInitCtx(ctx, repo_service.SyncRepositoryHooks)
 		return system.AppState.Set(ctx, runtimeState)
 	}
 	return nil
diff --git a/routers/install/routes_test.go b/routers/install/routes_test.go
index 9b10f05b3b..d4409b36d0 100644
--- a/routers/install/routes_test.go
+++ b/routers/install/routes_test.go
@@ -34,5 +34,5 @@ func TestRoutes(t *testing.T) {
 }
 
 func TestMain(m *testing.M) {
-	unittest.MainTest(m)
+	unittest.MainTest(m, &unittest.TestOptions{IniFileOverride: "install.ini"})
 }
diff --git a/services/cron/tasks_extended.go b/services/cron/tasks_extended.go
index 5cc5d4eb14..fc89fa020f 100644
--- a/services/cron/tasks_extended.go
+++ b/services/cron/tasks_extended.go
@@ -86,16 +86,6 @@ func registerRewriteAllPrincipalKeys() {
 	})
 }
 
-func registerRepositoryUpdateHook() {
-	RegisterTaskFatal("resync_all_hooks", &BaseConfig{
-		Enabled:    false,
-		RunAtStart: false,
-		Schedule:   "@every 72h",
-	}, func(ctx context.Context, _ *user_model.User, _ Config) error {
-		return repo_service.SyncRepositoryHooks(ctx)
-	})
-}
-
 func registerReinitMissingRepositories() {
 	RegisterTaskFatal("reinit_missing_repos", &BaseConfig{
 		Enabled:    false,
@@ -251,7 +241,6 @@ func initExtendedTasks() {
 	registerGarbageCollectRepositories()
 	registerRewriteAllPublicKeys()
 	registerRewriteAllPrincipalKeys()
-	registerRepositoryUpdateHook()
 	registerReinitMissingRepositories()
 	registerDeleteMissingRepositories()
 	registerRemoveRandomAvatars()
diff --git a/services/doctor/misc.go b/services/doctor/misc.go
index 9b9c96b52b..323606edf1 100644
--- a/services/doctor/misc.go
+++ b/services/doctor/misc.go
@@ -18,7 +18,6 @@ import (
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/gitrepo"
 	"forgejo.org/modules/log"
-	"forgejo.org/modules/repository"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/structs"
 	"forgejo.org/modules/util"
@@ -48,31 +47,6 @@ func checkScriptType(ctx context.Context, logger log.Logger, autofix bool) error
 	return nil
 }
 
-func checkHooks(ctx context.Context, logger log.Logger, autofix bool) error {
-	if err := iterateRepositories(ctx, func(repo *repo_model.Repository) error {
-		results, err := repository.CheckDelegateHooks(repo.RepoPath())
-		if err != nil {
-			logger.Critical("Unable to check delegate hooks for repo %-v. ERROR: %v", repo, err)
-			return fmt.Errorf("Unable to check delegate hooks for repo %-v. ERROR: %w", repo, err)
-		}
-		if len(results) > 0 && autofix {
-			logger.Warn("Regenerated hooks for %s", repo.FullName())
-			if err := repository.CreateDelegateHooks(repo.RepoPath()); err != nil {
-				logger.Critical("Unable to recreate delegate hooks for %-v. ERROR: %v", repo, err)
-				return fmt.Errorf("Unable to recreate delegate hooks for %-v. ERROR: %w", repo, err)
-			}
-		}
-		for _, result := range results {
-			logger.Warn(result)
-		}
-		return nil
-	}); err != nil {
-		logger.Critical("Errors noted whilst checking delegate hooks.")
-		return err
-	}
-	return nil
-}
-
 func checkUserStarNum(ctx context.Context, logger log.Logger, autofix bool) error {
 	if autofix {
 		if err := models.DoctorUserStarNum(ctx); err != nil {
@@ -261,13 +235,6 @@ func init() {
 		Run:       checkScriptType,
 		Priority:  5,
 	})
-	Register(&Check{
-		Title:     "Check if hook files are up-to-date and executable",
-		Name:      "hooks",
-		IsDefault: false,
-		Run:       checkHooks,
-		Priority:  6,
-	})
 	Register(&Check{
 		Title:     "Recalculate Stars number for all user",
 		Name:      "recalculate-stars-number",
diff --git a/services/repository/adopt.go b/services/repository/adopt.go
index 3651b018e6..1949a62acf 100644
--- a/services/repository/adopt.go
+++ b/services/repository/adopt.go
@@ -117,10 +117,6 @@ func adoptRepository(ctx context.Context, repoPath string, repo *repo_model.Repo
 		return fmt.Errorf("adoptRepository: path does not already exist: %s", repoPath)
 	}
 
-	if err := repo_module.CreateDelegateHooks(repoPath); err != nil {
-		return fmt.Errorf("createDelegateHooks: %w", err)
-	}
-
 	repo.IsEmpty = false
 
 	if len(defaultBranch) > 0 {
diff --git a/services/repository/fork.go b/services/repository/fork.go
index 9d15b6207d..a51a290c05 100644
--- a/services/repository/fork.go
+++ b/services/repository/fork.go
@@ -164,10 +164,6 @@ func ForkRepositoryIfNotExists(ctx context.Context, doer, owner *user_model.User
 			return fmt.Errorf("git update-server-info: %w", err)
 		}
 
-		if err = repo_module.CreateDelegateHooks(repoPath); err != nil {
-			return fmt.Errorf("createDelegateHooks: %w", err)
-		}
-
 		gitRepo, err := gitrepo.OpenRepository(txCtx, repo)
 		if err != nil {
 			return fmt.Errorf("OpenRepository: %w", err)
diff --git a/services/repository/hooks.go b/services/repository/hooks.go
index d3021414cf..808b49212e 100644
--- a/services/repository/hooks.go
+++ b/services/repository/hooks.go
@@ -5,51 +5,13 @@ package repository
 
 import (
 	"context"
-	"fmt"
 
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/webhook"
 	"forgejo.org/modules/gitrepo"
-	"forgejo.org/modules/log"
-	repo_module "forgejo.org/modules/repository"
-
-	"xorm.io/builder"
 )
 
-// SyncRepositoryHooks rewrites all repositories' pre-receive, update and post-receive hooks
-// to make sure the binary and custom conf path are up-to-date.
-func SyncRepositoryHooks(ctx context.Context) error {
-	log.Trace("Doing: SyncRepositoryHooks")
-
-	if err := db.Iterate(
-		ctx,
-		builder.Gt{"id": 0},
-		func(ctx context.Context, repo *repo_model.Repository) error {
-			select {
-			case <-ctx.Done():
-				return db.ErrCancelledf("before sync repository hooks for %s", repo.FullName())
-			default:
-			}
-
-			if err := repo_module.CreateDelegateHooks(repo.RepoPath()); err != nil {
-				return fmt.Errorf("SyncRepositoryHook: %w", err)
-			}
-			if repo.HasWiki() {
-				if err := repo_module.CreateDelegateHooks(repo.WikiPath()); err != nil {
-					return fmt.Errorf("SyncRepositoryHook: %w", err)
-				}
-			}
-			return nil
-		},
-	); err != nil {
-		return err
-	}
-
-	log.Trace("Finished: SyncRepositoryHooks")
-	return nil
-}
-
 // GenerateGitHooks generates git hooks from a template repository
 func GenerateGitHooks(ctx context.Context, templateRepo, generateRepo *repo_model.Repository) error {
 	generateGitRepo, err := gitrepo.OpenRepository(ctx, generateRepo)
diff --git a/services/repository/migrate.go b/services/repository/migrate.go
index 46b48d02d3..e4c73dde8c 100644
--- a/services/repository/migrate.go
+++ b/services/repository/migrate.go
@@ -258,14 +258,6 @@ func cleanUpMigrateGitConfig(ctx context.Context, repoPath string) error {
 // CleanUpMigrateInfo finishes migrating repository and/or wiki with things that don't need to be done for mirrors.
 func CleanUpMigrateInfo(ctx context.Context, repo *repo_model.Repository) (*repo_model.Repository, error) {
 	repoPath := repo.RepoPath()
-	if err := repo_module.CreateDelegateHooks(repoPath); err != nil {
-		return repo, fmt.Errorf("createDelegateHooks: %w", err)
-	}
-	if repo.HasWiki() {
-		if err := repo_module.CreateDelegateHooks(repo.WikiPath()); err != nil {
-			return repo, fmt.Errorf("createDelegateHooks.(wiki): %w", err)
-		}
-	}
 
 	_, _, err := git.NewCommand(ctx, "remote", "rm", "origin").RunStdString(&git.RunOpts{Dir: repoPath})
 	if err != nil && !git.IsRemoteNotExistError(err) {
diff --git a/services/wiki/wiki.go b/services/wiki/wiki.go
index cf1477e72c..984c394f0e 100644
--- a/services/wiki/wiki.go
+++ b/services/wiki/wiki.go
@@ -42,8 +42,6 @@ func InitWiki(ctx context.Context, repo *repo_model.Repository) error {
 
 	if err := git.InitRepository(ctx, repo.WikiPath(), true, repo.ObjectFormatName); err != nil {
 		return fmt.Errorf("InitRepository: %w", err)
-	} else if err = repo_module.CreateDelegateHooks(repo.WikiPath()); err != nil {
-		return fmt.Errorf("createDelegateHooks: %w", err)
 	} else if _, _, err = git.NewCommand(ctx, "symbolic-ref", "HEAD").AddDynamicArguments(git.BranchPrefix + branch).RunStdString(&git.RunOpts{Dir: repo.WikiPath()}); err != nil {
 		return fmt.Errorf("unable to set default wiki branch to %s: %w", branch, err)
 	}
diff --git a/tests/install.ini.tmpl b/tests/install.ini.tmpl
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tests/integration/api_admin_test.go b/tests/integration/api_admin_test.go
index 513eac1155..e3cab38d9d 100644
--- a/tests/integration/api_admin_test.go
+++ b/tests/integration/api_admin_test.go
@@ -426,11 +426,11 @@ func TestAPICron(t *testing.T) {
 			AddTokenAuth(token)
 		resp := MakeRequest(t, req, http.StatusOK)
 
-		assert.Equal(t, "31", resp.Header().Get("X-Total-Count"))
+		assert.Equal(t, "30", resp.Header().Get("X-Total-Count"))
 
 		var crons []api.Cron
 		DecodeJSON(t, resp, &crons)
-		assert.Len(t, crons, 31)
+		assert.Len(t, crons, 30)
 	})
 
 	t.Run("Execute", func(t *testing.T) {
diff --git a/tests/integration/api_issue_config_test.go b/tests/integration/api_issue_config_test.go
index 99b2829fbf..eecf00e406 100644
--- a/tests/integration/api_issue_config_test.go
+++ b/tests/integration/api_issue_config_test.go
@@ -7,6 +7,7 @@ package integration
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"testing"
 
 	repo_model "forgejo.org/models/repo"
@@ -44,169 +45,169 @@ func getIssueConfig(t *testing.T, owner, repo string) api.IssueConfig {
 }
 
 func TestAPIRepoGetIssueConfig(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
+	onApplicationRun(t, func(t *testing.T, _ *url.URL) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 49})
+		owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 
-	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 49})
-	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+		t.Run("Default", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
 
-	t.Run("Default", func(t *testing.T) {
-		defer tests.PrintCurrentTest(t)()
+			issueConfig := getIssueConfig(t, owner.Name, repo.Name)
 
-		issueConfig := getIssueConfig(t, owner.Name, repo.Name)
+			assert.True(t, issueConfig.BlankIssuesEnabled)
+			assert.Empty(t, issueConfig.ContactLinks)
+		})
 
-		assert.True(t, issueConfig.BlankIssuesEnabled)
-		assert.Empty(t, issueConfig.ContactLinks)
-	})
+		t.Run("DisableBlankIssues", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
 
-	t.Run("DisableBlankIssues", func(t *testing.T) {
-		defer tests.PrintCurrentTest(t)()
+			config := make(map[string]any)
+			config["blank_issues_enabled"] = false
 
-		config := make(map[string]any)
-		config["blank_issues_enabled"] = false
+			createIssueConfig(t, owner, repo, config)
 
-		createIssueConfig(t, owner, repo, config)
+			issueConfig := getIssueConfig(t, owner.Name, repo.Name)
 
-		issueConfig := getIssueConfig(t, owner.Name, repo.Name)
+			assert.False(t, issueConfig.BlankIssuesEnabled)
+			assert.Empty(t, issueConfig.ContactLinks)
+		})
 
-		assert.False(t, issueConfig.BlankIssuesEnabled)
-		assert.Empty(t, issueConfig.ContactLinks)
-	})
+		t.Run("ContactLinks", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
 
-	t.Run("ContactLinks", func(t *testing.T) {
-		defer tests.PrintCurrentTest(t)()
+			contactLink := make(map[string]string)
+			contactLink["name"] = "TestName"
+			contactLink["url"] = "https://example.com"
+			contactLink["about"] = "TestAbout"
 
-		contactLink := make(map[string]string)
-		contactLink["name"] = "TestName"
-		contactLink["url"] = "https://example.com"
-		contactLink["about"] = "TestAbout"
+			config := make(map[string]any)
+			config["contact_links"] = []map[string]string{contactLink}
 
-		config := make(map[string]any)
-		config["contact_links"] = []map[string]string{contactLink}
+			createIssueConfig(t, owner, repo, config)
 
-		createIssueConfig(t, owner, repo, config)
+			issueConfig := getIssueConfig(t, owner.Name, repo.Name)
 
-		issueConfig := getIssueConfig(t, owner.Name, repo.Name)
+			assert.True(t, issueConfig.BlankIssuesEnabled)
+			assert.Len(t, issueConfig.ContactLinks, 1)
 
-		assert.True(t, issueConfig.BlankIssuesEnabled)
-		assert.Len(t, issueConfig.ContactLinks, 1)
+			assert.Equal(t, "TestName", issueConfig.ContactLinks[0].Name)
+			assert.Equal(t, "https://example.com", issueConfig.ContactLinks[0].URL)
+			assert.Equal(t, "TestAbout", issueConfig.ContactLinks[0].About)
+		})
 
-		assert.Equal(t, "TestName", issueConfig.ContactLinks[0].Name)
-		assert.Equal(t, "https://example.com", issueConfig.ContactLinks[0].URL)
-		assert.Equal(t, "TestAbout", issueConfig.ContactLinks[0].About)
-	})
+		t.Run("Full", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
 
-	t.Run("Full", func(t *testing.T) {
-		defer tests.PrintCurrentTest(t)()
+			contactLink := make(map[string]string)
+			contactLink["name"] = "TestName"
+			contactLink["url"] = "https://example.com"
+			contactLink["about"] = "TestAbout"
 
-		contactLink := make(map[string]string)
-		contactLink["name"] = "TestName"
-		contactLink["url"] = "https://example.com"
-		contactLink["about"] = "TestAbout"
+			config := make(map[string]any)
+			config["blank_issues_enabled"] = false
+			config["contact_links"] = []map[string]string{contactLink}
 
-		config := make(map[string]any)
-		config["blank_issues_enabled"] = false
-		config["contact_links"] = []map[string]string{contactLink}
+			createIssueConfig(t, owner, repo, config)
 
-		createIssueConfig(t, owner, repo, config)
+			issueConfig := getIssueConfig(t, owner.Name, repo.Name)
 
-		issueConfig := getIssueConfig(t, owner.Name, repo.Name)
+			assert.False(t, issueConfig.BlankIssuesEnabled)
+			assert.Len(t, issueConfig.ContactLinks, 1)
 
-		assert.False(t, issueConfig.BlankIssuesEnabled)
-		assert.Len(t, issueConfig.ContactLinks, 1)
-
-		assert.Equal(t, "TestName", issueConfig.ContactLinks[0].Name)
-		assert.Equal(t, "https://example.com", issueConfig.ContactLinks[0].URL)
-		assert.Equal(t, "TestAbout", issueConfig.ContactLinks[0].About)
+			assert.Equal(t, "TestName", issueConfig.ContactLinks[0].Name)
+			assert.Equal(t, "https://example.com", issueConfig.ContactLinks[0].URL)
+			assert.Equal(t, "TestAbout", issueConfig.ContactLinks[0].About)
+		})
 	})
 }
 
 func TestAPIRepoIssueConfigPaths(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
+	onApplicationRun(t, func(t *testing.T, _ *url.URL) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 49})
+		owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 
-	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 49})
-	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
-
-	templateConfigCandidates := []string{
-		".forgejo/ISSUE_TEMPLATE/config",
-		".forgejo/issue_template/config",
-		".gitea/ISSUE_TEMPLATE/config",
-		".gitea/issue_template/config",
-		".github/ISSUE_TEMPLATE/config",
-		".github/issue_template/config",
-		"docs/issue_template/config",
-	}
-
-	for _, candidate := range templateConfigCandidates {
-		for _, extension := range []string{".yaml", ".yml"} {
-			fullPath := candidate + extension
-			t.Run(fullPath, func(t *testing.T) {
-				defer tests.PrintCurrentTest(t)()
-
-				configMap := make(map[string]any)
-				configMap["blank_issues_enabled"] = false
-
-				configData, err := yaml.Marshal(configMap)
-				require.NoError(t, err)
-
-				_, err = createFileInBranch(owner, repo, fullPath, repo.DefaultBranch, string(configData))
-				require.NoError(t, err)
-
-				issueConfig := getIssueConfig(t, owner.Name, repo.Name)
-
-				assert.False(t, issueConfig.BlankIssuesEnabled)
-				assert.Empty(t, issueConfig.ContactLinks)
-
-				err = deleteFileInBranch(owner, repo, fullPath, repo.DefaultBranch)
-				require.NoError(t, err)
-			})
+		templateConfigCandidates := []string{
+			".forgejo/ISSUE_TEMPLATE/config",
+			".forgejo/issue_template/config",
+			".gitea/ISSUE_TEMPLATE/config",
+			".gitea/issue_template/config",
+			".github/ISSUE_TEMPLATE/config",
+			".github/issue_template/config",
+			"docs/issue_template/config",
 		}
-	}
+
+		for _, candidate := range templateConfigCandidates {
+			for _, extension := range []string{".yaml", ".yml"} {
+				fullPath := candidate + extension
+				t.Run(fullPath, func(t *testing.T) {
+					defer tests.PrintCurrentTest(t)()
+
+					configMap := make(map[string]any)
+					configMap["blank_issues_enabled"] = false
+
+					configData, err := yaml.Marshal(configMap)
+					require.NoError(t, err)
+
+					_, err = createFileInBranch(owner, repo, fullPath, repo.DefaultBranch, string(configData))
+					require.NoError(t, err)
+
+					issueConfig := getIssueConfig(t, owner.Name, repo.Name)
+
+					assert.False(t, issueConfig.BlankIssuesEnabled)
+					assert.Empty(t, issueConfig.ContactLinks)
+
+					err = deleteFileInBranch(owner, repo, fullPath, repo.DefaultBranch)
+					require.NoError(t, err)
+				})
+			}
+		}
+	})
 }
 
 func TestAPIRepoValidateIssueConfig(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
+	onApplicationRun(t, func(t *testing.T, _ *url.URL) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 49})
+		owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 
-	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 49})
-	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issue_config/validate", owner.Name, repo.Name)
 
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issue_config/validate", owner.Name, repo.Name)
+		t.Run("Valid", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
 
-	t.Run("Valid", func(t *testing.T) {
-		defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", urlStr)
+			resp := MakeRequest(t, req, http.StatusOK)
 
-		req := NewRequest(t, "GET", urlStr)
-		resp := MakeRequest(t, req, http.StatusOK)
+			var issueConfigValidation api.IssueConfigValidation
+			DecodeJSON(t, resp, &issueConfigValidation)
 
-		var issueConfigValidation api.IssueConfigValidation
-		DecodeJSON(t, resp, &issueConfigValidation)
+			assert.True(t, issueConfigValidation.Valid)
+			assert.Empty(t, issueConfigValidation.Message)
+		})
 
-		assert.True(t, issueConfigValidation.Valid)
-		assert.Empty(t, issueConfigValidation.Message)
-	})
+		t.Run("Invalid", func(t *testing.T) {
+			dirs := []string{".gitea", ".forgejo", "docs"}
+			for _, dir := range dirs {
+				t.Run(dir, func(t *testing.T) {
+					defer tests.PrintCurrentTest(t)()
+					defer func() {
+						deleteFileInBranch(owner, repo, fmt.Sprintf("%s/ISSUE_TEMPLATE/config.yaml", dir), repo.DefaultBranch)
+					}()
 
-	t.Run("Invalid", func(t *testing.T) {
-		dirs := []string{".gitea", ".forgejo", "docs"}
-		for _, dir := range dirs {
-			t.Run(dir, func(t *testing.T) {
-				defer tests.PrintCurrentTest(t)()
-				defer func() {
-					deleteFileInBranch(owner, repo, fmt.Sprintf("%s/ISSUE_TEMPLATE/config.yaml", dir), repo.DefaultBranch)
-				}()
+					config := make(map[string]any)
+					config["blank_issues_enabled"] = "Test"
 
-				config := make(map[string]any)
-				config["blank_issues_enabled"] = "Test"
+					createIssueConfigInDirectory(t, owner, repo, dir, config)
 
-				createIssueConfigInDirectory(t, owner, repo, dir, config)
+					req := NewRequest(t, "GET", urlStr)
+					resp := MakeRequest(t, req, http.StatusOK)
 
-				req := NewRequest(t, "GET", urlStr)
-				resp := MakeRequest(t, req, http.StatusOK)
+					var issueConfigValidation api.IssueConfigValidation
+					DecodeJSON(t, resp, &issueConfigValidation)
 
-				var issueConfigValidation api.IssueConfigValidation
-				DecodeJSON(t, resp, &issueConfigValidation)
-
-				assert.False(t, issueConfigValidation.Valid)
-				assert.NotEmpty(t, issueConfigValidation.Message)
-			})
-		}
+					assert.False(t, issueConfigValidation.Valid)
+					assert.NotEmpty(t, issueConfigValidation.Message)
+				})
+			}
+		})
 	})
 }
diff --git a/tests/integration/empty_repo_test.go b/tests/integration/empty_repo_test.go
index 67be6a29a5..fe7c131331 100644
--- a/tests/integration/empty_repo_test.go
+++ b/tests/integration/empty_repo_test.go
@@ -10,6 +10,7 @@ import (
 	"io"
 	"mime/multipart"
 	"net/http"
+	"net/url"
 	"testing"
 
 	auth_model "forgejo.org/models/auth"
@@ -44,96 +45,96 @@ func TestEmptyRepo(t *testing.T) {
 }
 
 func TestEmptyRepoAddFile(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		session := loginUser(t, "user30")
+		req := NewRequest(t, "GET", "/user30/empty/_new/"+setting.Repository.DefaultBranch)
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		doc := NewHTMLParser(t, resp.Body).Find(`input[name="commit_choice"]`)
+		assert.Empty(t, doc.AttrOr("checked", "_no_"))
+		req = NewRequestWithValues(t, "POST", "/user30/empty/_new/"+setting.Repository.DefaultBranch, map[string]string{
+			"commit_choice":  "direct",
+			"tree_path":      "test-file.md",
+			"content":        "newly-added-test-file",
+			"commit_mail_id": "32",
+		})
 
-	session := loginUser(t, "user30")
-	req := NewRequest(t, "GET", "/user30/empty/_new/"+setting.Repository.DefaultBranch)
-	resp := session.MakeRequest(t, req, http.StatusOK)
-	doc := NewHTMLParser(t, resp.Body).Find(`input[name="commit_choice"]`)
-	assert.Empty(t, doc.AttrOr("checked", "_no_"))
-	req = NewRequestWithValues(t, "POST", "/user30/empty/_new/"+setting.Repository.DefaultBranch, map[string]string{
-		"commit_choice":  "direct",
-		"tree_path":      "test-file.md",
-		"content":        "newly-added-test-file",
-		"commit_mail_id": "32",
+		resp = session.MakeRequest(t, req, http.StatusSeeOther)
+		redirect := test.RedirectURL(resp)
+		assert.Equal(t, "/user30/empty/src/branch/"+setting.Repository.DefaultBranch+"/test-file.md", redirect)
+
+		req = NewRequest(t, "GET", redirect)
+		resp = session.MakeRequest(t, req, http.StatusOK)
+		assert.Contains(t, resp.Body.String(), "newly-added-test-file")
 	})
-
-	resp = session.MakeRequest(t, req, http.StatusSeeOther)
-	redirect := test.RedirectURL(resp)
-	assert.Equal(t, "/user30/empty/src/branch/"+setting.Repository.DefaultBranch+"/test-file.md", redirect)
-
-	req = NewRequest(t, "GET", redirect)
-	resp = session.MakeRequest(t, req, http.StatusOK)
-	assert.Contains(t, resp.Body.String(), "newly-added-test-file")
 }
 
 func TestEmptyRepoUploadFile(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		session := loginUser(t, "user30")
+		req := NewRequest(t, "GET", "/user30/empty/_new/"+setting.Repository.DefaultBranch)
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		doc := NewHTMLParser(t, resp.Body).Find(`input[name="commit_choice"]`)
+		assert.Empty(t, doc.AttrOr("checked", "_no_"))
 
-	session := loginUser(t, "user30")
-	req := NewRequest(t, "GET", "/user30/empty/_new/"+setting.Repository.DefaultBranch)
-	resp := session.MakeRequest(t, req, http.StatusOK)
-	doc := NewHTMLParser(t, resp.Body).Find(`input[name="commit_choice"]`)
-	assert.Empty(t, doc.AttrOr("checked", "_no_"))
+		body := &bytes.Buffer{}
+		mpForm := multipart.NewWriter(body)
+		file, _ := mpForm.CreateFormFile("file", "uploaded-file.txt")
+		_, _ = io.Copy(file, bytes.NewBufferString("newly-uploaded-test-file"))
+		_ = mpForm.Close()
 
-	body := &bytes.Buffer{}
-	mpForm := multipart.NewWriter(body)
-	file, _ := mpForm.CreateFormFile("file", "uploaded-file.txt")
-	_, _ = io.Copy(file, bytes.NewBufferString("newly-uploaded-test-file"))
-	_ = mpForm.Close()
+		req = NewRequestWithBody(t, "POST", "/user30/empty/upload-file", body)
+		req.Header.Add("Content-Type", mpForm.FormDataContentType())
+		resp = session.MakeRequest(t, req, http.StatusOK)
+		respMap := map[string]string{}
+		require.NoError(t, json.Unmarshal(resp.Body.Bytes(), &respMap))
+		filesFullpathKey := fmt.Sprintf("files_fullpath[%s]", respMap["uuid"])
+		req = NewRequestWithValues(t, "POST", "/user30/empty/_upload/"+setting.Repository.DefaultBranch, map[string]string{
+			"commit_choice":  "direct",
+			"files":          respMap["uuid"],
+			filesFullpathKey: "uploaded-file.txt",
+			"tree_path":      "",
+			"commit_mail_id": "-1",
+		})
+		resp = session.MakeRequest(t, req, http.StatusSeeOther)
+		redirect := test.RedirectURL(resp)
+		assert.Equal(t, "/user30/empty/src/branch/"+setting.Repository.DefaultBranch+"/", redirect)
 
-	req = NewRequestWithBody(t, "POST", "/user30/empty/upload-file", body)
-	req.Header.Add("Content-Type", mpForm.FormDataContentType())
-	resp = session.MakeRequest(t, req, http.StatusOK)
-	respMap := map[string]string{}
-	require.NoError(t, json.Unmarshal(resp.Body.Bytes(), &respMap))
-	filesFullpathKey := fmt.Sprintf("files_fullpath[%s]", respMap["uuid"])
-	req = NewRequestWithValues(t, "POST", "/user30/empty/_upload/"+setting.Repository.DefaultBranch, map[string]string{
-		"commit_choice":  "direct",
-		"files":          respMap["uuid"],
-		filesFullpathKey: "uploaded-file.txt",
-		"tree_path":      "",
-		"commit_mail_id": "-1",
+		req = NewRequest(t, "GET", redirect)
+		resp = session.MakeRequest(t, req, http.StatusOK)
+		assert.Contains(t, resp.Body.String(), "uploaded-file.txt")
 	})
-	resp = session.MakeRequest(t, req, http.StatusSeeOther)
-	redirect := test.RedirectURL(resp)
-	assert.Equal(t, "/user30/empty/src/branch/"+setting.Repository.DefaultBranch+"/", redirect)
-
-	req = NewRequest(t, "GET", redirect)
-	resp = session.MakeRequest(t, req, http.StatusOK)
-	assert.Contains(t, resp.Body.String(), "uploaded-file.txt")
 }
 
 func TestEmptyRepoAddFileByAPI(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
+	onApplicationRun(t, func(t *testing.T, _ *url.URL) {
+		session := loginUser(t, "user30")
+		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
-	session := loginUser(t, "user30")
-	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+		req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user30/empty/contents/new-file.txt", &api.CreateFileOptions{
+			FileOptions: api.FileOptions{
+				NewBranchName: "new_branch",
+				Message:       "init",
+			},
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte("newly-added-api-file")),
+		}).AddTokenAuth(token)
 
-	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user30/empty/contents/new-file.txt", &api.CreateFileOptions{
-		FileOptions: api.FileOptions{
-			NewBranchName: "new_branch",
-			Message:       "init",
-		},
-		ContentBase64: base64.StdEncoding.EncodeToString([]byte("newly-added-api-file")),
-	}).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusCreated)
+		var fileResponse api.FileResponse
+		DecodeJSON(t, resp, &fileResponse)
+		expectedHTMLURL := setting.AppURL + "user30/empty/src/branch/new_branch/new-file.txt"
+		assert.Equal(t, expectedHTMLURL, *fileResponse.Content.HTMLURL)
 
-	resp := MakeRequest(t, req, http.StatusCreated)
-	var fileResponse api.FileResponse
-	DecodeJSON(t, resp, &fileResponse)
-	expectedHTMLURL := setting.AppURL + "user30/empty/src/branch/new_branch/new-file.txt"
-	assert.Equal(t, expectedHTMLURL, *fileResponse.Content.HTMLURL)
+		req = NewRequest(t, "GET", "/user30/empty/src/branch/new_branch/new-file.txt")
+		resp = session.MakeRequest(t, req, http.StatusOK)
+		assert.Contains(t, resp.Body.String(), "newly-added-api-file")
 
-	req = NewRequest(t, "GET", "/user30/empty/src/branch/new_branch/new-file.txt")
-	resp = session.MakeRequest(t, req, http.StatusOK)
-	assert.Contains(t, resp.Body.String(), "newly-added-api-file")
-
-	req = NewRequest(t, "GET", "/api/v1/repos/user30/empty").
-		AddTokenAuth(token)
-	resp = session.MakeRequest(t, req, http.StatusOK)
-	var apiRepo api.Repository
-	DecodeJSON(t, resp, &apiRepo)
-	assert.Equal(t, "new_branch", apiRepo.DefaultBranch)
+		req = NewRequest(t, "GET", "/api/v1/repos/user30/empty").
+			AddTokenAuth(token)
+		resp = session.MakeRequest(t, req, http.StatusOK)
+		var apiRepo api.Repository
+		DecodeJSON(t, resp, &apiRepo)
+		assert.Equal(t, "new_branch", apiRepo.DefaultBranch)
+	})
 }
 
 func TestEmptyRepoAPIRequestsReturn404(t *testing.T) {
diff --git a/tests/integration/git_hooks_test.go b/tests/integration/git_hooks_test.go
new file mode 100644
index 0000000000..05d2223aee
--- /dev/null
+++ b/tests/integration/git_hooks_test.go
@@ -0,0 +1,99 @@
+// Copyright 2026 The Forgejo Authors c/o Codeberg e.V.. All rights reserved.
+// SPDX-License-Identifier: MIT
+package integration
+
+import (
+	"fmt"
+	"net/url"
+	"os"
+	"path"
+	"testing"
+
+	"forgejo.org/models/auth"
+	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/git"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCustomGitHooks(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+		owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+		httpContext := NewAPITestContext(t, owner.Name, repo.Name, auth.AccessTokenScopeReadRepository)
+
+		dstPath := t.TempDir()
+
+		u.Path = httpContext.GitPath()
+		u.User = url.UserPassword(owner.Name, userPassword)
+
+		doGitClone(dstPath, u)(t)
+
+		customHooksDir := path.Join(repo.RepoPath(), "hooks")
+
+		hookNames := []string{"pre-receive", "update", "post-receive"}
+
+		for _, hookName := range hookNames {
+			customPath := path.Join(customHooksDir, hookName+".d")
+			err := os.MkdirAll(customPath, 0x755)
+			require.NoError(t, err)
+
+			err = os.WriteFile(path.Join(customPath, "append-proof"), customGitHookTpl(hookName), 0x755)
+			require.NoError(t, err)
+
+			// The legacy, already existing gitea script might be there in the hooks directory in old installations,
+			// here it's ensured that these scripts filtered out when custom hooks run
+			err = os.WriteFile(path.Join(customPath, "gitea"), customGitHookGiteaTpl(), 0x755)
+			require.NoError(t, err)
+		}
+
+		fd, err := os.Create(path.Join(dstPath, "hooks-test.txt"))
+		require.NoError(t, err)
+
+		err = fd.Close()
+		require.NoError(t, err)
+
+		_, _, err = git.NewCommand(git.DefaultContext, "checkout", "master").RunStdString(&git.RunOpts{Dir: dstPath})
+		require.NoError(t, err)
+
+		err = os.WriteFile(path.Join(dstPath, "hooks-test.txt"), []byte("test"), 0x644)
+		require.NoError(t, err)
+
+		_, _, err = git.NewCommand(git.DefaultContext, "add", "hooks-test.txt").RunStdString(&git.RunOpts{Dir: dstPath})
+		require.NoError(t, err)
+
+		_, _, err = git.NewCommand(git.DefaultContext, "commit", "-m", "Add hooks-test.txt").RunStdString(&git.RunOpts{Dir: dstPath})
+		require.NoError(t, err)
+
+		_, _, err = git.NewCommand(git.DefaultContext, "push", "origin", "master").RunStdString(&git.RunOpts{Dir: dstPath})
+		require.NoError(t, err)
+
+		data, err := os.ReadFile(path.Join(customHooksDir, "hooks-proof.txt"))
+		require.NoError(t, err)
+
+		require.Equal(t, `pre-receive
+update
+post-receive
+`, string(data))
+	})
+}
+
+func customGitHookTpl(hookName string) []byte {
+	hookStr := fmt.Sprintf(`#!/usr/bin/env sh
+echo "%s" >> $(dirname $0)/../hooks-proof.txt
+`, hookName)
+
+	return []byte(hookStr)
+}
+
+func customGitHookGiteaTpl() []byte {
+	hookStr := `#!/usr/bin/env sh
+echo "legacy gitea script shouldn't be called!"
+exit 1
+`
+
+	return []byte(hookStr)
+}
diff --git a/tests/integration/git_test.go b/tests/integration/git_test.go
index a5a242b912..dc86f4a4c2 100644
--- a/tests/integration/git_test.go
+++ b/tests/integration/git_test.go
@@ -201,6 +201,7 @@ func standardCommitAndPushTest(t *testing.T, dstPath string) (little, big string
 func lfsCommitAndPushTest(t *testing.T, dstPath string) (littleLFS, bigLFS string) {
 	t.Run("LFS", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
+		defer git.NewCommand(git.DefaultContext, "lfs").AddArguments("uninstall").Run(&git.RunOpts{Dir: dstPath})
 		prefix := "lfs-data-file-"
 		err := git.NewCommand(git.DefaultContext, "lfs").AddArguments("install").Run(&git.RunOpts{Dir: dstPath})
 		require.NoError(t, err)
diff --git a/tests/integration/repo_mergecommit_revert_test.go b/tests/integration/repo_mergecommit_revert_test.go
index 9ddf39eaaa..8cbe8a8142 100644
--- a/tests/integration/repo_mergecommit_revert_test.go
+++ b/tests/integration/repo_mergecommit_revert_test.go
@@ -5,29 +5,29 @@ package integration
 
 import (
 	"net/http"
+	"net/url"
 	"testing"
 
-	"forgejo.org/tests"
-
 	"github.com/stretchr/testify/assert"
 )
 
 func TestRepoMergeCommitRevert(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
-	session := loginUser(t, "user2")
+	onApplicationRun(t, func(t *testing.T, _ *url.URL) {
+		session := loginUser(t, "user2")
 
-	req := NewRequestWithValues(t, "POST", "/user2/test_commit_revert/_cherrypick/deebcbc752e540bab4ce3ee713d3fc8fdc35b2f7/main", map[string]string{
-		"last_commit":     "deebcbc752e540bab4ce3ee713d3fc8fdc35b2f7",
-		"page_has_posted": "true",
-		"revert":          "true",
-		"commit_summary":  "reverting test commit",
-		"commit_message":  "test message",
-		"commit_choice":   "direct",
-		"new_branch_name": "test-revert-branch-1",
-		"commit_mail_id":  "-1",
+		req := NewRequestWithValues(t, "POST", "/user2/test_commit_revert/_cherrypick/deebcbc752e540bab4ce3ee713d3fc8fdc35b2f7/main", map[string]string{
+			"last_commit":     "deebcbc752e540bab4ce3ee713d3fc8fdc35b2f7",
+			"page_has_posted": "true",
+			"revert":          "true",
+			"commit_summary":  "reverting test commit",
+			"commit_message":  "test message",
+			"commit_choice":   "direct",
+			"new_branch_name": "test-revert-branch-1",
+			"commit_mail_id":  "-1",
+		})
+		resp := session.MakeRequest(t, req, http.StatusSeeOther)
+
+		// A successful revert redirects to the main branch
+		assert.Equal(t, "/user2/test_commit_revert/src/branch/main", resp.Header().Get("Location"))
 	})
-	resp := session.MakeRequest(t, req, http.StatusSeeOther)
-
-	// A successful revert redirects to the main branch
-	assert.Equal(t, "/user2/test_commit_revert/src/branch/main", resp.Header().Get("Location"))
 }
diff --git a/tests/unittest.ini.tmpl b/tests/unittest.ini.tmpl
new file mode 100644
index 0000000000..a2925b42e7
--- /dev/null
+++ b/tests/unittest.ini.tmpl
@@ -0,0 +1,2 @@
+[security]
+INSTALL_LOCK = true

From 93296305f906ad7c00cd4a2fd1d0cb3c588fe8e0 Mon Sep 17 00:00:00 2001
From: Nils Goroll <nils.goroll@uplex.de>
Date: Mon, 27 Apr 2026 23:05:18 +0200
Subject: [PATCH 179/287] fix test: revert unneeded test change with unintended
 consequences (#12281)

... from #11194 / 0034e55965262692f127d53a74fc176a37f0ef46

Revert a test code change left over from an intermediate development step which is not needed, because the LFS JWT config is tested in lfs.TestAuthenticate()

Fixes #12263

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [X] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [X] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [X] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [X] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12281
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 services/repository/lfs_test.go | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)

diff --git a/services/repository/lfs_test.go b/services/repository/lfs_test.go
index 0224b71100..969516ef5a 100644
--- a/services/repository/lfs_test.go
+++ b/services/repository/lfs_test.go
@@ -15,31 +15,18 @@ import (
 	"forgejo.org/modules/lfs"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/storage"
+	"forgejo.org/modules/test"
 	repo_service "forgejo.org/services/repository"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-var ini = `[security]
-INSTALL_LOCK = true
-INTERNAL_TOKEN = ForgejoForgejoForgejoForgejoForgejoForgejo_	# don't use in prod
-[oauth2]
-JWT_SECRET = ForgejoForgejoForgejoForgejoForgejoForgejo_	# don't use in prod
-[server]
-LFS_START_SERVER = true
-LFS_JWT_SECRET = ForgejoForgejoForgejoForgejoForgejoForgejo_	# don't use in prod
-	`
-
 func TestGarbageCollectLFSMetaObjects(t *testing.T) {
-	var err error
-	setting.CfgProvider, err = setting.NewConfigProviderFromData(ini)
-	require.NoError(t, err, "Config")
-	setting.LoadCommonSettings()
-
 	unittest.PrepareTestEnv(t)
 
-	err = storage.Init()
+	defer test.MockVariableValue(&setting.LFS.StartServer, true)()
+	err := storage.Init()
 	require.NoError(t, err)
 
 	repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "lfs")

From 9977df96d5b2967bc34716a4b3dcd34c287d80da Mon Sep 17 00:00:00 2001
From: Gabor Pihaj <gabor.pihaj@gmail.com>
Date: Mon, 27 Apr 2026 23:54:21 +0200
Subject: [PATCH 180/287] fix: "Follow symlink" to work with arbitrary links
 (#12246)

This change introduces a Path method on the TreeEntry struct, that
collects the path by moving upwards in the tree.

The existing FollowSymlink(s) methods interface has been changed, the
previously returned string has been removed, as after the fix it wasn't
used anywhere.

Fixes: #9931

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12246
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 modules/base/tool.go           |  2 +-
 modules/git/tree_entry.go      | 65 ++++++++++++++++++++++++++--------
 modules/git/tree_entry_test.go | 46 ++++++++++++++++++++++++
 routers/web/repo/view.go       | 11 +++---
 tests/integration/repo_test.go |  2 +-
 5 files changed, 105 insertions(+), 21 deletions(-)
 create mode 100644 modules/git/tree_entry_test.go

diff --git a/modules/base/tool.go b/modules/base/tool.go
index ada73df7da..1cc053ba58 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -103,7 +103,7 @@ func Int64sToStrings(ints []int64) []string {
 func EntryIcon(entry *git.TreeEntry) string {
 	switch {
 	case entry.IsLink():
-		te, _, err := entry.FollowLink()
+		te, err := entry.FollowLink()
 		if err != nil {
 			log.Debug(err.Error())
 			return "file-symlink-file"
diff --git a/modules/git/tree_entry.go b/modules/git/tree_entry.go
index 5e3bb8ac21..0b3564178b 100644
--- a/modules/git/tree_entry.go
+++ b/modules/git/tree_entry.go
@@ -5,6 +5,7 @@
 package git
 
 import (
+	"fmt"
 	"io"
 	"sort"
 	"strings"
@@ -136,11 +137,11 @@ func (te *TreeEntry) LinkTarget() (string, error) {
 }
 
 // FollowLink returns the entry pointed to by a symlink
-func (te *TreeEntry) FollowLink() (*TreeEntry, string, error) {
+func (te *TreeEntry) FollowLink() (*TreeEntry, error) {
 	// read the link
 	lnk, err := te.LinkTarget()
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
 
 	t := te.ptree
@@ -151,35 +152,33 @@ func (te *TreeEntry) FollowLink() (*TreeEntry, string, error) {
 	}
 
 	if t == nil {
-		return nil, "", ErrBadLink{te.Name(), "points outside of repo"}
+		return nil, ErrBadLink{te.Name(), "points outside of repo"}
 	}
 
 	target, err := t.GetTreeEntryByPath(lnk)
 	if err != nil {
 		if IsErrNotExist(err) {
-			return nil, "", ErrBadLink{te.Name(), "broken link"}
+			return nil, ErrBadLink{te.Name(), "broken link"}
 		}
-		return nil, "", err
+		return nil, err
 	}
-	return target, lnk, nil
+	return target, nil
 }
 
 // FollowLinks returns the entry ultimately pointed to by a symlink
-func (te *TreeEntry) FollowLinks() (*TreeEntry, string, error) {
+func (te *TreeEntry) FollowLinks() (*TreeEntry, error) {
 	if !te.IsLink() {
-		return nil, "", ErrBadLink{te.Name(), "not a symlink"}
+		return nil, ErrBadLink{te.Name(), "not a symlink"}
 	}
 	entry := te
-	entryLink := ""
 	for range 999 {
 		if entry.IsLink() {
-			next, link, err := entry.FollowLink()
-			entryLink = link
+			next, err := entry.FollowLink()
 			if err != nil {
-				return nil, "", err
+				return nil, err
 			}
 			if next.ID == entry.ID {
-				return nil, "", ErrBadLink{
+				return nil, ErrBadLink{
 					entry.Name(),
 					"recursive link",
 				}
@@ -190,12 +189,12 @@ func (te *TreeEntry) FollowLinks() (*TreeEntry, string, error) {
 		}
 	}
 	if entry.IsLink() {
-		return nil, "", ErrBadLink{
+		return nil, ErrBadLink{
 			te.Name(),
 			"too many levels of symbolic links",
 		}
 	}
-	return entry, entryLink, nil
+	return entry, nil
 }
 
 // returns the Tree pointed to by this TreeEntry, or nil if this is not a tree
@@ -208,6 +207,42 @@ func (te *TreeEntry) Tree() *Tree {
 	return t
 }
 
+// returns the calulcated path within the tree of this TreeEntry, or an error if it can be determined
+func (te *TreeEntry) Path() (string, error) {
+	targetPath := te.Name()
+	parentTree := te.ptree
+	if parentTree == nil {
+		return "", fmt.Errorf("couldn't find the parent tree of the entry")
+	}
+
+	prevID := parentTree.ID
+	parentTree = parentTree.ptree
+	for parentTree != nil {
+		entries, err := parentTree.ListEntries()
+		if err != nil {
+			return "", fmt.Errorf("couldn't list entries: %v", err)
+		}
+
+		var matchingEntry *TreeEntry
+		for _, entry := range entries {
+			if entry.ID == prevID {
+				matchingEntry = entry
+				break
+			}
+		}
+
+		if matchingEntry == nil {
+			return "", fmt.Errorf("this shouldn't happen: couldn't find entry (ID: %s) in tree (ID: %s)", prevID, parentTree.ID)
+		}
+
+		targetPath = matchingEntry.name + "/" + targetPath
+		prevID = parentTree.ID
+		parentTree = parentTree.ptree
+	}
+
+	return targetPath, nil
+}
+
 // GetSubJumpablePathName return the full path of subdirectory jumpable ( contains only one directory )
 func (te *TreeEntry) GetSubJumpablePathName() string {
 	if te.IsSubmodule() || !te.IsDir() {
diff --git a/modules/git/tree_entry_test.go b/modules/git/tree_entry_test.go
new file mode 100644
index 0000000000..325d3686f0
--- /dev/null
+++ b/modules/git/tree_entry_test.go
@@ -0,0 +1,46 @@
+// Copyright 2015 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git_test
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestTreeEntry_Path(t *testing.T) {
+	repo, err := openRepositoryWithDefaultContext(filepath.Join(testReposDir, "templates_repo"))
+	require.NoError(t, err)
+	defer repo.Close()
+
+	tests := []struct {
+		name string // description of this test case
+		path string
+	}{
+		{
+			name: "Top level dir",
+			path: ".forgejo",
+		},
+		{
+			name: "File in subdir",
+			path: ".forgejo/default_merge_message/MERGE_TEMPLATE.md",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tree, err := repo.GetTree("HEAD^{tree}")
+			require.NoError(t, err)
+
+			te, err := tree.GetTreeEntryByPath(tt.path)
+			require.NoError(t, err)
+
+			got, gotErr := te.Path()
+			require.NoError(t, gotErr, "Path() failed: %v", gotErr)
+			assert.Equal(t, tt.path, got, "Path() = %v, want %v", got, tt.path)
+		})
+	}
+}
diff --git a/routers/web/repo/view.go b/routers/web/repo/view.go
index 287cd1b6aa..df0255279a 100644
--- a/routers/web/repo/view.go
+++ b/routers/web/repo/view.go
@@ -120,7 +120,7 @@ func FindReadmeFileInEntries(ctx *context.Context, entries []*git.TreeEntry, try
 			log.Debug("Potential readme file: %s", entry.Name())
 			if readmeFiles[i] == nil || base.NaturalSortLess(readmeFiles[i].Name(), entry.Blob().Name()) {
 				if entry.IsLink() {
-					target, _, err := entry.FollowLinks()
+					target, err := entry.FollowLinks()
 					if err != nil && !git.IsErrBadLink(err) {
 						return "", nil, err
 					} else if target != nil && (target.IsExecutable() || target.IsRegular()) {
@@ -270,7 +270,7 @@ func getFileReader(ctx gocontext.Context, repoID int64, blob *git.Blob) ([]byte,
 func renderReadmeFile(ctx *context.Context, subfolder string, readmeFile *git.TreeEntry) {
 	target := readmeFile
 	if readmeFile != nil && readmeFile.IsLink() {
-		target, _, _ = readmeFile.FollowLinks()
+		target, _ = readmeFile.FollowLinks()
 	}
 	if target == nil {
 		// if findReadmeFile() failed and/or gave us a broken symlink (which it shouldn't)
@@ -398,11 +398,14 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry) {
 	ctx.Data["OpenGraphNoDescription"] = true
 
 	if entry.IsLink() {
-		_, link, err := entry.FollowLinks()
+		target, err := entry.FollowLinks()
 		// Errors should be allowed, because this shouldn't
 		// block rendering invalid symlink files.
 		if err == nil {
-			ctx.Data["SymlinkURL"] = ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL() + "/" + util.PathEscapeSegments(link)
+			targetPath, err := target.Path()
+			if err == nil {
+				ctx.Data["SymlinkURL"] = ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL() + "/" + util.PathEscapeSegments(targetPath)
+			}
 		}
 	}
 
diff --git a/tests/integration/repo_test.go b/tests/integration/repo_test.go
index 2f189bf7a8..299299ff0b 100644
--- a/tests/integration/repo_test.go
+++ b/tests/integration/repo_test.go
@@ -1079,7 +1079,7 @@ func TestRepoFollowSymlink(t *testing.T) {
 
 	t.Run("Normal", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
-		assertCase(t, "/user2/readme-test/src/branch/symlink/up/back/down/down/README.md", "/user2/readme-test/src/branch/symlink/down/side/../left/right/../reelmein", true)
+		assertCase(t, "/user2/readme-test/src/branch/symlink/up/back/down/down/README.md", "/user2/readme-test/src/branch/symlink/up/down/left/reelmein", true)
 	})
 
 	t.Run("Broken symlink", func(t *testing.T) {

From 2425ae7725f51b186d79afd1125deb30a68c4327 Mon Sep 17 00:00:00 2001
From: Christian Drexler <christian@konsolenknecht.de>
Date: Tue, 28 Apr 2026 02:11:26 +0200
Subject: [PATCH 181/287] feat: enable compression on zip dump (#12296)

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12296
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 cmd/dump.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cmd/dump.go b/cmd/dump.go
index 25459c7731..9fe326dfbb 100644
--- a/cmd/dump.go
+++ b/cmd/dump.go
@@ -112,7 +112,10 @@ func getArchiverByType(outType string) (archives.ArchiverAsync, error) {
 	var archiver archives.ArchiverAsync
 	switch outType {
 	case "zip":
-		archiver = archives.Zip{}
+		archiver = archives.Zip{
+			Compression:          8,
+			SelectiveCompression: false,
+		}
 	case "tar":
 		archiver = archives.Tar{}
 	case "tar.sz":

From 37412e6a00ae23d577469efc704b48cc961810c8 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 28 Apr 2026 02:13:06 +0200
Subject: [PATCH 182/287] feat: cache OIDC metadata & JWKS when read by
 authorized integration (#12275)

Enhances authorized integrations (#12261) with a cache of the remote OpenID Connect descriptor file and JSON Web Key Set (JWKS), improving runtime performance and reducing intermittent reliability risks.  By default a 10 minute cache is used, configurable through `[authorized_integration].CACHE_TTL`.

To mock the cache for testing, mockery code generation is added, and a previous manually generated mock for `AuthorizationReducer` was replaced with the code generation.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
    - Authorized integrations are not yet exposed to end-users.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12275
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 .deadcode-out                                 |    3 -
 .mockery.yml                                  |   16 +
 Makefile                                      |   12 +-
 custom/conf/app.example.ini                   |    4 +
 go.mod                                        |    1 -
 modules/cache/mocks.go                        |  497 +++++++
 modules/nosql/manager.go                      |    2 +
 modules/nosql/mocks.go                        | 1240 +++++++++++++++++
 modules/queue/base_redis_test.go              |   62 +-
 modules/queue/mock/redisuniversalclient.go    |  344 -----
 modules/setting/authorized_integration.go     |    2 +
 .../auth/method/authorized_integration.go     |   81 +-
 .../method/authorized_integration_test.go     |  100 ++
 services/authz/authorization_reducer.go       |    2 +
 services/authz/authorization_reducer_mock.go  |  252 +++-
 15 files changed, 2156 insertions(+), 462 deletions(-)
 create mode 100644 .mockery.yml
 create mode 100644 modules/cache/mocks.go
 create mode 100644 modules/nosql/mocks.go
 delete mode 100644 modules/queue/mock/redisuniversalclient.go

diff --git a/.deadcode-out b/.deadcode-out
index b8c236daf6..b70be3e800 100644
--- a/.deadcode-out
+++ b/.deadcode-out
@@ -222,9 +222,6 @@ forgejo.org/modules/zstd
 forgejo.org/routers/web/org
 	MustEnableProjects
 
-forgejo.org/services/auth/method
-	OverrideAuthorizedIntegrationHTTPClient
-
 forgejo.org/services/context
 	GetPrivateContext
 
diff --git a/.mockery.yml b/.mockery.yml
new file mode 100644
index 0000000000..7c98b29508
--- /dev/null
+++ b/.mockery.yml
@@ -0,0 +1,16 @@
+formatter: gofmt
+template: testify
+packages:
+  forgejo.org/modules/nosql:
+    config:
+      filename: mocks.go # make mocks public so that external packages can use
+  forgejo.org/services/authz:
+    config:
+      filename: authorization_reducer_mock.go # make mocks public so that external packages can use
+  code.forgejo.org/go-chi/cache:
+    interfaces:
+      Cache:
+        config:
+          pkgname: cache
+          dir: modules/cache
+          filename: mocks.go # make mocks public, not `_test.go`, so that external packages can mock caching
diff --git a/Makefile b/Makefile
index a499443ddd..a17f79d3a9 100644
--- a/Makefile
+++ b/Makefile
@@ -47,8 +47,8 @@ GO_LICENSES_PACKAGE ?= github.com/google/go-licenses/v2@v2.0.1 # renovate: datas
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
 DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.44.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
-GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.6.0 # renovate: datasource=go
 RENOVATE_NPM_PACKAGE ?= renovate@43.141.6 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+MOCKERY_PACKAGE ?= github.com/vektra/mockery/v3@v3.7.0 # renovate: datasource=go
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
 DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...
@@ -245,7 +245,7 @@ help:
 	@echo " - generate-license                 update license files"
 	@echo " - generate-gitignore               update gitignore files"
 	@echo " - generate-manpage                 generate manpage"
-	@echo " - generate-gomock                  generate gomock files"
+	@echo " - generate-mockery                 generate mockery files"
 	@echo " - generate-forgejo-api             generate the forgejo API from spec"
 	@echo " - forgejo-api-validate             check if the forgejo API matches the specs"
 	@echo " - generate-swagger                 generate the swagger spec from code comments"
@@ -968,8 +968,8 @@ deps-tools:
 	$(GO) install $(XGO_PACKAGE)
 	$(GO) install $(GO_LICENSES_PACKAGE)
 	$(GO) install $(GOVULNCHECK_PACKAGE)
-	$(GO) install $(GOMOCK_PACKAGE)
 	$(GO) install $(ERRORTYPE_PACKAGE)
+	$(GO) install $(MOCKERY_PACKAGE)
 
 node_modules: package-lock.json
 	npm install --no-save
@@ -1024,9 +1024,9 @@ generate-license:
 generate-gitignore:
 	$(GO) run build/generate-gitignores.go
 
-.PHONY: generate-gomock
-generate-gomock:
-	$(GO) run $(GOMOCK_PACKAGE) -package mock -destination ./modules/queue/mock/redisuniversalclient.go forgejo.org/modules/nosql RedisClient
+.PHONY: generate-mockery
+generate-mockery:
+	$(GO) run $(MOCKERY_PACKAGE)
 
 .PHONY: generate-images
 generate-images: | node_modules
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index ae22c02609..40dd7d56db 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2846,3 +2846,7 @@ LEVEL = Info
 ;; Default is false.
 ;; If a domain is allowed by ALLOWED_DOMAINS, this option will be ignored.
 ;ALLOW_LOCALNETWORKS = false
+;
+;; Remote requests are cached after being received for the cache time-to-live (TTL). Default is 10 minutes.
+;; Caching uses the configured adapter in the [cache] config section.
+;CACHE_TTL = 10m
diff --git a/go.mod b/go.mod
index 33a8152647..f228f4bc1d 100644
--- a/go.mod
+++ b/go.mod
@@ -100,7 +100,6 @@ require (
 	github.com/yuin/goldmark v1.8.2
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	gitlab.com/gitlab-org/api/client-go v0.143.2
-	go.uber.org/mock v0.6.0
 	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/crypto v0.50.0
 	golang.org/x/image v0.39.0
diff --git a/modules/cache/mocks.go b/modules/cache/mocks.go
new file mode 100644
index 0000000000..8bfec19d6b
--- /dev/null
+++ b/modules/cache/mocks.go
@@ -0,0 +1,497 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package cache
+
+import (
+	"code.forgejo.org/go-chi/cache"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockCache creates a new instance of MockCache. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockCache(t interface {
+	mock.TestingT
+	Cleanup(func())
+},
+) *MockCache {
+	mock := &MockCache{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockCache is an autogenerated mock type for the Cache type
+type MockCache struct {
+	mock.Mock
+}
+
+type MockCache_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockCache) EXPECT() *MockCache_Expecter {
+	return &MockCache_Expecter{mock: &_m.Mock}
+}
+
+// Decr provides a mock function for the type MockCache
+func (_mock *MockCache) Decr(key string) error {
+	ret := _mock.Called(key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Decr")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(string) error); ok {
+		r0 = returnFunc(key)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockCache_Decr_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Decr'
+type MockCache_Decr_Call struct {
+	*mock.Call
+}
+
+// Decr is a helper method to define mock.On call
+//   - key string
+func (_e *MockCache_Expecter) Decr(key any) *MockCache_Decr_Call {
+	return &MockCache_Decr_Call{Call: _e.mock.On("Decr", key)}
+}
+
+func (_c *MockCache_Decr_Call) Run(run func(key string)) *MockCache_Decr_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockCache_Decr_Call) Return(err error) *MockCache_Decr_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockCache_Decr_Call) RunAndReturn(run func(key string) error) *MockCache_Decr_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Delete provides a mock function for the type MockCache
+func (_mock *MockCache) Delete(key string) error {
+	ret := _mock.Called(key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Delete")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(string) error); ok {
+		r0 = returnFunc(key)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockCache_Delete_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Delete'
+type MockCache_Delete_Call struct {
+	*mock.Call
+}
+
+// Delete is a helper method to define mock.On call
+//   - key string
+func (_e *MockCache_Expecter) Delete(key any) *MockCache_Delete_Call {
+	return &MockCache_Delete_Call{Call: _e.mock.On("Delete", key)}
+}
+
+func (_c *MockCache_Delete_Call) Run(run func(key string)) *MockCache_Delete_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockCache_Delete_Call) Return(err error) *MockCache_Delete_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockCache_Delete_Call) RunAndReturn(run func(key string) error) *MockCache_Delete_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Flush provides a mock function for the type MockCache
+func (_mock *MockCache) Flush() error {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Flush")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func() error); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockCache_Flush_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Flush'
+type MockCache_Flush_Call struct {
+	*mock.Call
+}
+
+// Flush is a helper method to define mock.On call
+func (_e *MockCache_Expecter) Flush() *MockCache_Flush_Call {
+	return &MockCache_Flush_Call{Call: _e.mock.On("Flush")}
+}
+
+func (_c *MockCache_Flush_Call) Run(run func()) *MockCache_Flush_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockCache_Flush_Call) Return(err error) *MockCache_Flush_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockCache_Flush_Call) RunAndReturn(run func() error) *MockCache_Flush_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Get provides a mock function for the type MockCache
+func (_mock *MockCache) Get(key string) any {
+	ret := _mock.Called(key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Get")
+	}
+
+	var r0 any
+	if returnFunc, ok := ret.Get(0).(func(string) any); ok {
+		r0 = returnFunc(key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(any)
+		}
+	}
+	return r0
+}
+
+// MockCache_Get_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Get'
+type MockCache_Get_Call struct {
+	*mock.Call
+}
+
+// Get is a helper method to define mock.On call
+//   - key string
+func (_e *MockCache_Expecter) Get(key any) *MockCache_Get_Call {
+	return &MockCache_Get_Call{Call: _e.mock.On("Get", key)}
+}
+
+func (_c *MockCache_Get_Call) Run(run func(key string)) *MockCache_Get_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockCache_Get_Call) Return(v any) *MockCache_Get_Call {
+	_c.Call.Return(v)
+	return _c
+}
+
+func (_c *MockCache_Get_Call) RunAndReturn(run func(key string) any) *MockCache_Get_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Incr provides a mock function for the type MockCache
+func (_mock *MockCache) Incr(key string) error {
+	ret := _mock.Called(key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Incr")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(string) error); ok {
+		r0 = returnFunc(key)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockCache_Incr_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Incr'
+type MockCache_Incr_Call struct {
+	*mock.Call
+}
+
+// Incr is a helper method to define mock.On call
+//   - key string
+func (_e *MockCache_Expecter) Incr(key any) *MockCache_Incr_Call {
+	return &MockCache_Incr_Call{Call: _e.mock.On("Incr", key)}
+}
+
+func (_c *MockCache_Incr_Call) Run(run func(key string)) *MockCache_Incr_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockCache_Incr_Call) Return(err error) *MockCache_Incr_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockCache_Incr_Call) RunAndReturn(run func(key string) error) *MockCache_Incr_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// IsExist provides a mock function for the type MockCache
+func (_mock *MockCache) IsExist(key string) bool {
+	ret := _mock.Called(key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for IsExist")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func(string) bool); ok {
+		r0 = returnFunc(key)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockCache_IsExist_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsExist'
+type MockCache_IsExist_Call struct {
+	*mock.Call
+}
+
+// IsExist is a helper method to define mock.On call
+//   - key string
+func (_e *MockCache_Expecter) IsExist(key any) *MockCache_IsExist_Call {
+	return &MockCache_IsExist_Call{Call: _e.mock.On("IsExist", key)}
+}
+
+func (_c *MockCache_IsExist_Call) Run(run func(key string)) *MockCache_IsExist_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockCache_IsExist_Call) Return(b bool) *MockCache_IsExist_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockCache_IsExist_Call) RunAndReturn(run func(key string) bool) *MockCache_IsExist_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Ping provides a mock function for the type MockCache
+func (_mock *MockCache) Ping() error {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Ping")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func() error); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockCache_Ping_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Ping'
+type MockCache_Ping_Call struct {
+	*mock.Call
+}
+
+// Ping is a helper method to define mock.On call
+func (_e *MockCache_Expecter) Ping() *MockCache_Ping_Call {
+	return &MockCache_Ping_Call{Call: _e.mock.On("Ping")}
+}
+
+func (_c *MockCache_Ping_Call) Run(run func()) *MockCache_Ping_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockCache_Ping_Call) Return(err error) *MockCache_Ping_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockCache_Ping_Call) RunAndReturn(run func() error) *MockCache_Ping_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Put provides a mock function for the type MockCache
+func (_mock *MockCache) Put(key string, val any, timeout int64) error {
+	ret := _mock.Called(key, val, timeout)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Put")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(string, any, int64) error); ok {
+		r0 = returnFunc(key, val, timeout)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockCache_Put_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Put'
+type MockCache_Put_Call struct {
+	*mock.Call
+}
+
+// Put is a helper method to define mock.On call
+//   - key string
+//   - val any
+//   - timeout int64
+func (_e *MockCache_Expecter) Put(key, val, timeout any) *MockCache_Put_Call {
+	return &MockCache_Put_Call{Call: _e.mock.On("Put", key, val, timeout)}
+}
+
+func (_c *MockCache_Put_Call) Run(run func(key string, val any, timeout int64)) *MockCache_Put_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 string
+		if args[0] != nil {
+			arg0 = args[0].(string)
+		}
+		var arg1 any
+		if args[1] != nil {
+			arg1 = args[1].(any)
+		}
+		var arg2 int64
+		if args[2] != nil {
+			arg2 = args[2].(int64)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockCache_Put_Call) Return(err error) *MockCache_Put_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockCache_Put_Call) RunAndReturn(run func(key string, val any, timeout int64) error) *MockCache_Put_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// StartAndGC provides a mock function for the type MockCache
+func (_mock *MockCache) StartAndGC(opt cache.Options) error {
+	ret := _mock.Called(opt)
+
+	if len(ret) == 0 {
+		panic("no return value specified for StartAndGC")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func(cache.Options) error); ok {
+		r0 = returnFunc(opt)
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockCache_StartAndGC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'StartAndGC'
+type MockCache_StartAndGC_Call struct {
+	*mock.Call
+}
+
+// StartAndGC is a helper method to define mock.On call
+//   - opt cache.Options
+func (_e *MockCache_Expecter) StartAndGC(opt any) *MockCache_StartAndGC_Call {
+	return &MockCache_StartAndGC_Call{Call: _e.mock.On("StartAndGC", opt)}
+}
+
+func (_c *MockCache_StartAndGC_Call) Run(run func(opt cache.Options)) *MockCache_StartAndGC_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 cache.Options
+		if args[0] != nil {
+			arg0 = args[0].(cache.Options)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockCache_StartAndGC_Call) Return(err error) *MockCache_StartAndGC_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockCache_StartAndGC_Call) RunAndReturn(run func(opt cache.Options) error) *MockCache_StartAndGC_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/modules/nosql/manager.go b/modules/nosql/manager.go
index 7eea069e09..748afe7587 100644
--- a/modules/nosql/manager.go
+++ b/modules/nosql/manager.go
@@ -30,6 +30,8 @@ type Manager struct {
 // RedisClient is a subset of redis.UniversalClient, it exposes less methods
 // to avoid generating machine code for unused methods. New method definitions
 // should be copied from the definitions in the Redis library github.com/redis/go-redis.
+//
+//mockery:generate: true
 type RedisClient interface {
 	// redis.GenericCmdable
 	Del(ctx context.Context, keys ...string) *redis.IntCmd
diff --git a/modules/nosql/mocks.go b/modules/nosql/mocks.go
new file mode 100644
index 0000000000..39d0d1fea3
--- /dev/null
+++ b/modules/nosql/mocks.go
@@ -0,0 +1,1240 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package nosql
+
+import (
+	"context"
+	"time"
+
+	"github.com/redis/go-redis/v9"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockRedisClient creates a new instance of MockRedisClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockRedisClient(t interface {
+	mock.TestingT
+	Cleanup(func())
+},
+) *MockRedisClient {
+	mock := &MockRedisClient{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockRedisClient is an autogenerated mock type for the RedisClient type
+type MockRedisClient struct {
+	mock.Mock
+}
+
+type MockRedisClient_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockRedisClient) EXPECT() *MockRedisClient_Expecter {
+	return &MockRedisClient_Expecter{mock: &_m.Mock}
+}
+
+// Close provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) Close() error {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Close")
+	}
+
+	var r0 error
+	if returnFunc, ok := ret.Get(0).(func() error); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Error(0)
+	}
+	return r0
+}
+
+// MockRedisClient_Close_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Close'
+type MockRedisClient_Close_Call struct {
+	*mock.Call
+}
+
+// Close is a helper method to define mock.On call
+func (_e *MockRedisClient_Expecter) Close() *MockRedisClient_Close_Call {
+	return &MockRedisClient_Close_Call{Call: _e.mock.On("Close")}
+}
+
+func (_c *MockRedisClient_Close_Call) Run(run func()) *MockRedisClient_Close_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_Close_Call) Return(err error) *MockRedisClient_Close_Call {
+	_c.Call.Return(err)
+	return _c
+}
+
+func (_c *MockRedisClient_Close_Call) RunAndReturn(run func() error) *MockRedisClient_Close_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// DBSize provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) DBSize(ctx context.Context) *redis.IntCmd {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DBSize")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_DBSize_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DBSize'
+type MockRedisClient_DBSize_Call struct {
+	*mock.Call
+}
+
+// DBSize is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRedisClient_Expecter) DBSize(ctx any) *MockRedisClient_DBSize_Call {
+	return &MockRedisClient_DBSize_Call{Call: _e.mock.On("DBSize", ctx)}
+}
+
+func (_c *MockRedisClient_DBSize_Call) Run(run func(ctx context.Context)) *MockRedisClient_DBSize_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_DBSize_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_DBSize_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_DBSize_Call) RunAndReturn(run func(ctx context.Context) *redis.IntCmd) *MockRedisClient_DBSize_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Decr provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) Decr(ctx context.Context, key string) *redis.IntCmd {
+	ret := _mock.Called(ctx, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Decr")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_Decr_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Decr'
+type MockRedisClient_Decr_Call struct {
+	*mock.Call
+}
+
+// Decr is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+func (_e *MockRedisClient_Expecter) Decr(ctx, key any) *MockRedisClient_Decr_Call {
+	return &MockRedisClient_Decr_Call{Call: _e.mock.On("Decr", ctx, key)}
+}
+
+func (_c *MockRedisClient_Decr_Call) Run(run func(ctx context.Context, key string)) *MockRedisClient_Decr_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_Decr_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_Decr_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_Decr_Call) RunAndReturn(run func(ctx context.Context, key string) *redis.IntCmd) *MockRedisClient_Decr_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Del provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) Del(ctx context.Context, keys ...string) *redis.IntCmd {
+	var tmpRet mock.Arguments
+	if len(keys) > 0 {
+		tmpRet = _mock.Called(ctx, keys)
+	} else {
+		tmpRet = _mock.Called(ctx)
+	}
+	ret := tmpRet
+
+	if len(ret) == 0 {
+		panic("no return value specified for Del")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, ...string) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, keys...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_Del_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Del'
+type MockRedisClient_Del_Call struct {
+	*mock.Call
+}
+
+// Del is a helper method to define mock.On call
+//   - ctx context.Context
+//   - keys ...string
+func (_e *MockRedisClient_Expecter) Del(ctx any, keys ...any) *MockRedisClient_Del_Call {
+	return &MockRedisClient_Del_Call{Call: _e.mock.On("Del",
+		append([]any{ctx}, keys...)...)}
+}
+
+func (_c *MockRedisClient_Del_Call) Run(run func(ctx context.Context, keys ...string)) *MockRedisClient_Del_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 []string
+		var variadicArgs []string
+		if len(args) > 1 {
+			variadicArgs = args[1].([]string)
+		}
+		arg1 = variadicArgs
+		run(
+			arg0,
+			arg1...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_Del_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_Del_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_Del_Call) RunAndReturn(run func(ctx context.Context, keys ...string) *redis.IntCmd) *MockRedisClient_Del_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Exists provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) Exists(ctx context.Context, keys ...string) *redis.IntCmd {
+	var tmpRet mock.Arguments
+	if len(keys) > 0 {
+		tmpRet = _mock.Called(ctx, keys)
+	} else {
+		tmpRet = _mock.Called(ctx)
+	}
+	ret := tmpRet
+
+	if len(ret) == 0 {
+		panic("no return value specified for Exists")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, ...string) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, keys...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_Exists_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exists'
+type MockRedisClient_Exists_Call struct {
+	*mock.Call
+}
+
+// Exists is a helper method to define mock.On call
+//   - ctx context.Context
+//   - keys ...string
+func (_e *MockRedisClient_Expecter) Exists(ctx any, keys ...any) *MockRedisClient_Exists_Call {
+	return &MockRedisClient_Exists_Call{Call: _e.mock.On("Exists",
+		append([]any{ctx}, keys...)...)}
+}
+
+func (_c *MockRedisClient_Exists_Call) Run(run func(ctx context.Context, keys ...string)) *MockRedisClient_Exists_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 []string
+		var variadicArgs []string
+		if len(args) > 1 {
+			variadicArgs = args[1].([]string)
+		}
+		arg1 = variadicArgs
+		run(
+			arg0,
+			arg1...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_Exists_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_Exists_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_Exists_Call) RunAndReturn(run func(ctx context.Context, keys ...string) *redis.IntCmd) *MockRedisClient_Exists_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// FlushDB provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) FlushDB(ctx context.Context) *redis.StatusCmd {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for FlushDB")
+	}
+
+	var r0 *redis.StatusCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context) *redis.StatusCmd); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.StatusCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_FlushDB_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'FlushDB'
+type MockRedisClient_FlushDB_Call struct {
+	*mock.Call
+}
+
+// FlushDB is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRedisClient_Expecter) FlushDB(ctx any) *MockRedisClient_FlushDB_Call {
+	return &MockRedisClient_FlushDB_Call{Call: _e.mock.On("FlushDB", ctx)}
+}
+
+func (_c *MockRedisClient_FlushDB_Call) Run(run func(ctx context.Context)) *MockRedisClient_FlushDB_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_FlushDB_Call) Return(statusCmd *redis.StatusCmd) *MockRedisClient_FlushDB_Call {
+	_c.Call.Return(statusCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_FlushDB_Call) RunAndReturn(run func(ctx context.Context) *redis.StatusCmd) *MockRedisClient_FlushDB_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Get provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) Get(ctx context.Context, key string) *redis.StringCmd {
+	ret := _mock.Called(ctx, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Get")
+	}
+
+	var r0 *redis.StringCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) *redis.StringCmd); ok {
+		r0 = returnFunc(ctx, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.StringCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_Get_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Get'
+type MockRedisClient_Get_Call struct {
+	*mock.Call
+}
+
+// Get is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+func (_e *MockRedisClient_Expecter) Get(ctx, key any) *MockRedisClient_Get_Call {
+	return &MockRedisClient_Get_Call{Call: _e.mock.On("Get", ctx, key)}
+}
+
+func (_c *MockRedisClient_Get_Call) Run(run func(ctx context.Context, key string)) *MockRedisClient_Get_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_Get_Call) Return(stringCmd *redis.StringCmd) *MockRedisClient_Get_Call {
+	_c.Call.Return(stringCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_Get_Call) RunAndReturn(run func(ctx context.Context, key string) *redis.StringCmd) *MockRedisClient_Get_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// HDel provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) HDel(ctx context.Context, key string, fields ...string) *redis.IntCmd {
+	var tmpRet mock.Arguments
+	if len(fields) > 0 {
+		tmpRet = _mock.Called(ctx, key, fields)
+	} else {
+		tmpRet = _mock.Called(ctx, key)
+	}
+	ret := tmpRet
+
+	if len(ret) == 0 {
+		panic("no return value specified for HDel")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, ...string) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, key, fields...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_HDel_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'HDel'
+type MockRedisClient_HDel_Call struct {
+	*mock.Call
+}
+
+// HDel is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+//   - fields ...string
+func (_e *MockRedisClient_Expecter) HDel(ctx, key any, fields ...any) *MockRedisClient_HDel_Call {
+	return &MockRedisClient_HDel_Call{Call: _e.mock.On("HDel",
+		append([]any{ctx, key}, fields...)...)}
+}
+
+func (_c *MockRedisClient_HDel_Call) Run(run func(ctx context.Context, key string, fields ...string)) *MockRedisClient_HDel_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 []string
+		var variadicArgs []string
+		if len(args) > 2 {
+			variadicArgs = args[2].([]string)
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_HDel_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_HDel_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_HDel_Call) RunAndReturn(run func(ctx context.Context, key string, fields ...string) *redis.IntCmd) *MockRedisClient_HDel_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// HKeys provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) HKeys(ctx context.Context, key string) *redis.StringSliceCmd {
+	ret := _mock.Called(ctx, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for HKeys")
+	}
+
+	var r0 *redis.StringSliceCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) *redis.StringSliceCmd); ok {
+		r0 = returnFunc(ctx, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.StringSliceCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_HKeys_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'HKeys'
+type MockRedisClient_HKeys_Call struct {
+	*mock.Call
+}
+
+// HKeys is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+func (_e *MockRedisClient_Expecter) HKeys(ctx, key any) *MockRedisClient_HKeys_Call {
+	return &MockRedisClient_HKeys_Call{Call: _e.mock.On("HKeys", ctx, key)}
+}
+
+func (_c *MockRedisClient_HKeys_Call) Run(run func(ctx context.Context, key string)) *MockRedisClient_HKeys_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_HKeys_Call) Return(stringSliceCmd *redis.StringSliceCmd) *MockRedisClient_HKeys_Call {
+	_c.Call.Return(stringSliceCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_HKeys_Call) RunAndReturn(run func(ctx context.Context, key string) *redis.StringSliceCmd) *MockRedisClient_HKeys_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// HSet provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) HSet(ctx context.Context, key string, values ...any) *redis.IntCmd {
+	var tmpRet mock.Arguments
+	if len(values) > 0 {
+		tmpRet = _mock.Called(ctx, key, values)
+	} else {
+		tmpRet = _mock.Called(ctx, key)
+	}
+	ret := tmpRet
+
+	if len(ret) == 0 {
+		panic("no return value specified for HSet")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, ...any) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, key, values...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_HSet_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'HSet'
+type MockRedisClient_HSet_Call struct {
+	*mock.Call
+}
+
+// HSet is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+//   - values ...any
+func (_e *MockRedisClient_Expecter) HSet(ctx, key any, values ...any) *MockRedisClient_HSet_Call {
+	return &MockRedisClient_HSet_Call{Call: _e.mock.On("HSet",
+		append([]any{ctx, key}, values...)...)}
+}
+
+func (_c *MockRedisClient_HSet_Call) Run(run func(ctx context.Context, key string, values ...any)) *MockRedisClient_HSet_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 []any
+		var variadicArgs []any
+		if len(args) > 2 {
+			variadicArgs = args[2].([]any)
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_HSet_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_HSet_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_HSet_Call) RunAndReturn(run func(ctx context.Context, key string, values ...any) *redis.IntCmd) *MockRedisClient_HSet_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Incr provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) Incr(ctx context.Context, key string) *redis.IntCmd {
+	ret := _mock.Called(ctx, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Incr")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_Incr_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Incr'
+type MockRedisClient_Incr_Call struct {
+	*mock.Call
+}
+
+// Incr is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+func (_e *MockRedisClient_Expecter) Incr(ctx, key any) *MockRedisClient_Incr_Call {
+	return &MockRedisClient_Incr_Call{Call: _e.mock.On("Incr", ctx, key)}
+}
+
+func (_c *MockRedisClient_Incr_Call) Run(run func(ctx context.Context, key string)) *MockRedisClient_Incr_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_Incr_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_Incr_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_Incr_Call) RunAndReturn(run func(ctx context.Context, key string) *redis.IntCmd) *MockRedisClient_Incr_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// LLen provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) LLen(ctx context.Context, key string) *redis.IntCmd {
+	ret := _mock.Called(ctx, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for LLen")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_LLen_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'LLen'
+type MockRedisClient_LLen_Call struct {
+	*mock.Call
+}
+
+// LLen is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+func (_e *MockRedisClient_Expecter) LLen(ctx, key any) *MockRedisClient_LLen_Call {
+	return &MockRedisClient_LLen_Call{Call: _e.mock.On("LLen", ctx, key)}
+}
+
+func (_c *MockRedisClient_LLen_Call) Run(run func(ctx context.Context, key string)) *MockRedisClient_LLen_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_LLen_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_LLen_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_LLen_Call) RunAndReturn(run func(ctx context.Context, key string) *redis.IntCmd) *MockRedisClient_LLen_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// LPop provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) LPop(ctx context.Context, key string) *redis.StringCmd {
+	ret := _mock.Called(ctx, key)
+
+	if len(ret) == 0 {
+		panic("no return value specified for LPop")
+	}
+
+	var r0 *redis.StringCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string) *redis.StringCmd); ok {
+		r0 = returnFunc(ctx, key)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.StringCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_LPop_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'LPop'
+type MockRedisClient_LPop_Call struct {
+	*mock.Call
+}
+
+// LPop is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+func (_e *MockRedisClient_Expecter) LPop(ctx, key any) *MockRedisClient_LPop_Call {
+	return &MockRedisClient_LPop_Call{Call: _e.mock.On("LPop", ctx, key)}
+}
+
+func (_c *MockRedisClient_LPop_Call) Run(run func(ctx context.Context, key string)) *MockRedisClient_LPop_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		run(
+			arg0,
+			arg1,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_LPop_Call) Return(stringCmd *redis.StringCmd) *MockRedisClient_LPop_Call {
+	_c.Call.Return(stringCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_LPop_Call) RunAndReturn(run func(ctx context.Context, key string) *redis.StringCmd) *MockRedisClient_LPop_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Ping provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) Ping(ctx context.Context) *redis.StatusCmd {
+	ret := _mock.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Ping")
+	}
+
+	var r0 *redis.StatusCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context) *redis.StatusCmd); ok {
+		r0 = returnFunc(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.StatusCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_Ping_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Ping'
+type MockRedisClient_Ping_Call struct {
+	*mock.Call
+}
+
+// Ping is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockRedisClient_Expecter) Ping(ctx any) *MockRedisClient_Ping_Call {
+	return &MockRedisClient_Ping_Call{Call: _e.mock.On("Ping", ctx)}
+}
+
+func (_c *MockRedisClient_Ping_Call) Run(run func(ctx context.Context)) *MockRedisClient_Ping_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		run(
+			arg0,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_Ping_Call) Return(statusCmd *redis.StatusCmd) *MockRedisClient_Ping_Call {
+	_c.Call.Return(statusCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_Ping_Call) RunAndReturn(run func(ctx context.Context) *redis.StatusCmd) *MockRedisClient_Ping_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// RPush provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) RPush(ctx context.Context, key string, values ...any) *redis.IntCmd {
+	var tmpRet mock.Arguments
+	if len(values) > 0 {
+		tmpRet = _mock.Called(ctx, key, values)
+	} else {
+		tmpRet = _mock.Called(ctx, key)
+	}
+	ret := tmpRet
+
+	if len(ret) == 0 {
+		panic("no return value specified for RPush")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, ...any) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, key, values...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_RPush_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RPush'
+type MockRedisClient_RPush_Call struct {
+	*mock.Call
+}
+
+// RPush is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+//   - values ...any
+func (_e *MockRedisClient_Expecter) RPush(ctx, key any, values ...any) *MockRedisClient_RPush_Call {
+	return &MockRedisClient_RPush_Call{Call: _e.mock.On("RPush",
+		append([]any{ctx, key}, values...)...)}
+}
+
+func (_c *MockRedisClient_RPush_Call) Run(run func(ctx context.Context, key string, values ...any)) *MockRedisClient_RPush_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 []any
+		var variadicArgs []any
+		if len(args) > 2 {
+			variadicArgs = args[2].([]any)
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_RPush_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_RPush_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_RPush_Call) RunAndReturn(run func(ctx context.Context, key string, values ...any) *redis.IntCmd) *MockRedisClient_RPush_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SAdd provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) SAdd(ctx context.Context, key string, members ...any) *redis.IntCmd {
+	var tmpRet mock.Arguments
+	if len(members) > 0 {
+		tmpRet = _mock.Called(ctx, key, members)
+	} else {
+		tmpRet = _mock.Called(ctx, key)
+	}
+	ret := tmpRet
+
+	if len(ret) == 0 {
+		panic("no return value specified for SAdd")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, ...any) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, key, members...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_SAdd_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SAdd'
+type MockRedisClient_SAdd_Call struct {
+	*mock.Call
+}
+
+// SAdd is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+//   - members ...any
+func (_e *MockRedisClient_Expecter) SAdd(ctx, key any, members ...any) *MockRedisClient_SAdd_Call {
+	return &MockRedisClient_SAdd_Call{Call: _e.mock.On("SAdd",
+		append([]any{ctx, key}, members...)...)}
+}
+
+func (_c *MockRedisClient_SAdd_Call) Run(run func(ctx context.Context, key string, members ...any)) *MockRedisClient_SAdd_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 []any
+		var variadicArgs []any
+		if len(args) > 2 {
+			variadicArgs = args[2].([]any)
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_SAdd_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_SAdd_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_SAdd_Call) RunAndReturn(run func(ctx context.Context, key string, members ...any) *redis.IntCmd) *MockRedisClient_SAdd_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SIsMember provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) SIsMember(ctx context.Context, key string, member any) *redis.BoolCmd {
+	ret := _mock.Called(ctx, key, member)
+
+	if len(ret) == 0 {
+		panic("no return value specified for SIsMember")
+	}
+
+	var r0 *redis.BoolCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, any) *redis.BoolCmd); ok {
+		r0 = returnFunc(ctx, key, member)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.BoolCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_SIsMember_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SIsMember'
+type MockRedisClient_SIsMember_Call struct {
+	*mock.Call
+}
+
+// SIsMember is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+//   - member any
+func (_e *MockRedisClient_Expecter) SIsMember(ctx, key, member any) *MockRedisClient_SIsMember_Call {
+	return &MockRedisClient_SIsMember_Call{Call: _e.mock.On("SIsMember", ctx, key, member)}
+}
+
+func (_c *MockRedisClient_SIsMember_Call) Run(run func(ctx context.Context, key string, member any)) *MockRedisClient_SIsMember_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 any
+		if args[2] != nil {
+			arg2 = args[2].(any)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_SIsMember_Call) Return(boolCmd *redis.BoolCmd) *MockRedisClient_SIsMember_Call {
+	_c.Call.Return(boolCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_SIsMember_Call) RunAndReturn(run func(ctx context.Context, key string, member any) *redis.BoolCmd) *MockRedisClient_SIsMember_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SRem provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) SRem(ctx context.Context, key string, members ...any) *redis.IntCmd {
+	var tmpRet mock.Arguments
+	if len(members) > 0 {
+		tmpRet = _mock.Called(ctx, key, members)
+	} else {
+		tmpRet = _mock.Called(ctx, key)
+	}
+	ret := tmpRet
+
+	if len(ret) == 0 {
+		panic("no return value specified for SRem")
+	}
+
+	var r0 *redis.IntCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, ...any) *redis.IntCmd); ok {
+		r0 = returnFunc(ctx, key, members...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.IntCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_SRem_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SRem'
+type MockRedisClient_SRem_Call struct {
+	*mock.Call
+}
+
+// SRem is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+//   - members ...any
+func (_e *MockRedisClient_Expecter) SRem(ctx, key any, members ...any) *MockRedisClient_SRem_Call {
+	return &MockRedisClient_SRem_Call{Call: _e.mock.On("SRem",
+		append([]any{ctx, key}, members...)...)}
+}
+
+func (_c *MockRedisClient_SRem_Call) Run(run func(ctx context.Context, key string, members ...any)) *MockRedisClient_SRem_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 []any
+		var variadicArgs []any
+		if len(args) > 2 {
+			variadicArgs = args[2].([]any)
+		}
+		arg2 = variadicArgs
+		run(
+			arg0,
+			arg1,
+			arg2...,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_SRem_Call) Return(intCmd *redis.IntCmd) *MockRedisClient_SRem_Call {
+	_c.Call.Return(intCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_SRem_Call) RunAndReturn(run func(ctx context.Context, key string, members ...any) *redis.IntCmd) *MockRedisClient_SRem_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Set provides a mock function for the type MockRedisClient
+func (_mock *MockRedisClient) Set(ctx context.Context, key string, value any, expiration time.Duration) *redis.StatusCmd {
+	ret := _mock.Called(ctx, key, value, expiration)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Set")
+	}
+
+	var r0 *redis.StatusCmd
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, any, time.Duration) *redis.StatusCmd); ok {
+		r0 = returnFunc(ctx, key, value, expiration)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*redis.StatusCmd)
+		}
+	}
+	return r0
+}
+
+// MockRedisClient_Set_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Set'
+type MockRedisClient_Set_Call struct {
+	*mock.Call
+}
+
+// Set is a helper method to define mock.On call
+//   - ctx context.Context
+//   - key string
+//   - value any
+//   - expiration time.Duration
+func (_e *MockRedisClient_Expecter) Set(ctx, key, value, expiration any) *MockRedisClient_Set_Call {
+	return &MockRedisClient_Set_Call{Call: _e.mock.On("Set", ctx, key, value, expiration)}
+}
+
+func (_c *MockRedisClient_Set_Call) Run(run func(ctx context.Context, key string, value any, expiration time.Duration)) *MockRedisClient_Set_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 any
+		if args[2] != nil {
+			arg2 = args[2].(any)
+		}
+		var arg3 time.Duration
+		if args[3] != nil {
+			arg3 = args[3].(time.Duration)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+			arg3,
+		)
+	})
+	return _c
+}
+
+func (_c *MockRedisClient_Set_Call) Return(statusCmd *redis.StatusCmd) *MockRedisClient_Set_Call {
+	_c.Call.Return(statusCmd)
+	return _c
+}
+
+func (_c *MockRedisClient_Set_Call) RunAndReturn(run func(ctx context.Context, key string, value any, expiration time.Duration) *redis.StatusCmd) *MockRedisClient_Set_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/modules/queue/base_redis_test.go b/modules/queue/base_redis_test.go
index bf3ad5b97b..297a49229a 100644
--- a/modules/queue/base_redis_test.go
+++ b/modules/queue/base_redis_test.go
@@ -7,18 +7,17 @@ import (
 	"context"
 	"testing"
 
-	"forgejo.org/modules/queue/mock"
+	"forgejo.org/modules/nosql"
+	queue_mock "forgejo.org/modules/queue/mock"
 	"forgejo.org/modules/setting"
 
 	"github.com/redis/go-redis/v9"
+	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/suite"
-	"go.uber.org/mock/gomock"
 )
 
 type baseRedisUnitTestSuite struct {
 	suite.Suite
-
-	mockController *gomock.Controller
 }
 
 func TestBaseRedis(t *testing.T) {
@@ -26,7 +25,6 @@ func TestBaseRedis(t *testing.T) {
 }
 
 func (suite *baseRedisUnitTestSuite) SetupSuite() {
-	suite.mockController = gomock.NewController(suite.T())
 }
 
 func (suite *baseRedisUnitTestSuite) TestBasic() {
@@ -71,39 +69,47 @@ func (suite *baseRedisUnitTestSuite) TestBasic() {
 			}
 
 			// Configure expectations.
-			mockRedisStore := mock.NewInMemoryMockRedis()
-			redisClient := mock.NewMockRedisClient(suite.mockController)
+			mockRedisStore := queue_mock.NewInMemoryMockRedis()
+			redisClient := nosql.NewMockRedisClient(suite.T())
 
 			redisClient.EXPECT().
-				Ping(gomock.Any()).
-				Times(1).
-				Return(&redis.StatusCmd{})
+				Ping(mock.Anything).
+				Return(&redis.StatusCmd{}).
+				Times(1)
 			redisClient.EXPECT().
-				LLen(gomock.Any(), testCase.QueueName).
-				Times(1).
-				DoAndReturn(mockRedisStore.LLen)
+				LLen(mock.Anything, testCase.QueueName).
+				RunAndReturn(mockRedisStore.LLen).
+				Times(1)
 			redisClient.EXPECT().
-				LPop(gomock.Any(), testCase.QueueName).
-				Times(1).
-				DoAndReturn(mockRedisStore.LPop)
+				LPop(mock.Anything, testCase.QueueName).
+				RunAndReturn(mockRedisStore.LPop).
+				Times(1)
 			redisClient.EXPECT().
-				RPush(gomock.Any(), testCase.QueueName, gomock.Any()).
-				Times(1).
-				DoAndReturn(mockRedisStore.RPush)
+				RPush(mock.Anything, testCase.QueueName, mock.Anything).
+				RunAndReturn(func(ctx context.Context, key string, values ...any) *redis.IntCmd {
+					return mockRedisStore.RPush(ctx, key, values[0].([]byte))
+				}).
+				Times(1)
 
 			if testCase.Unique {
 				redisClient.EXPECT().
-					SAdd(gomock.Any(), testCase.QueueName+"_unique", gomock.Any()).
-					Times(1).
-					DoAndReturn(mockRedisStore.SAdd)
+					SAdd(mock.Anything, testCase.QueueName+"_unique", mock.Anything).
+					RunAndReturn(func(ctx context.Context, key string, members ...any) *redis.IntCmd {
+						return mockRedisStore.SAdd(ctx, key, members[0].([]byte))
+					}).
+					Times(1)
 				redisClient.EXPECT().
-					SRem(gomock.Any(), testCase.QueueName+"_unique", gomock.Any()).
-					Times(1).
-					DoAndReturn(mockRedisStore.SRem)
+					SRem(mock.Anything, testCase.QueueName+"_unique", mock.Anything).
+					RunAndReturn(func(ctx context.Context, key string, members ...any) *redis.IntCmd {
+						return mockRedisStore.SRem(ctx, key, members[0].([]byte))
+					}).
+					Times(1)
 				redisClient.EXPECT().
-					SIsMember(gomock.Any(), testCase.QueueName+"_unique", gomock.Any()).
-					Times(2).
-					DoAndReturn(mockRedisStore.SIsMember)
+					SIsMember(mock.Anything, testCase.QueueName+"_unique", mock.Anything).
+					RunAndReturn(func(ctx context.Context, key string, member any) *redis.BoolCmd {
+						return mockRedisStore.SIsMember(ctx, key, member.([]byte))
+					}).
+					Times(2)
 			}
 
 			client, err := newBaseRedisGeneric(
diff --git a/modules/queue/mock/redisuniversalclient.go b/modules/queue/mock/redisuniversalclient.go
deleted file mode 100644
index a19e639ac1..0000000000
--- a/modules/queue/mock/redisuniversalclient.go
+++ /dev/null
@@ -1,344 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: forgejo.org/modules/nosql (interfaces: RedisClient)
-//
-// Generated by this command:
-//
-//	mockgen -package mock -destination ./modules/queue/mock/redisuniversalclient.go forgejo.org/modules/nosql RedisClient
-//
-
-// Package mock is a generated GoMock package.
-package mock
-
-import (
-	context "context"
-	reflect "reflect"
-	time "time"
-
-	redis "github.com/redis/go-redis/v9"
-	gomock "go.uber.org/mock/gomock"
-)
-
-// MockRedisClient is a mock of RedisClient interface.
-type MockRedisClient struct {
-	ctrl     *gomock.Controller
-	recorder *MockRedisClientMockRecorder
-	isgomock struct{}
-}
-
-// MockRedisClientMockRecorder is the mock recorder for MockRedisClient.
-type MockRedisClientMockRecorder struct {
-	mock *MockRedisClient
-}
-
-// NewMockRedisClient creates a new mock instance.
-func NewMockRedisClient(ctrl *gomock.Controller) *MockRedisClient {
-	mock := &MockRedisClient{ctrl: ctrl}
-	mock.recorder = &MockRedisClientMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockRedisClient) EXPECT() *MockRedisClientMockRecorder {
-	return m.recorder
-}
-
-// Close mocks base method.
-func (m *MockRedisClient) Close() error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Close")
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// Close indicates an expected call of Close.
-func (mr *MockRedisClientMockRecorder) Close() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Close", reflect.TypeOf((*MockRedisClient)(nil).Close))
-}
-
-// DBSize mocks base method.
-func (m *MockRedisClient) DBSize(ctx context.Context) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DBSize", ctx)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// DBSize indicates an expected call of DBSize.
-func (mr *MockRedisClientMockRecorder) DBSize(ctx any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DBSize", reflect.TypeOf((*MockRedisClient)(nil).DBSize), ctx)
-}
-
-// Decr mocks base method.
-func (m *MockRedisClient) Decr(ctx context.Context, key string) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Decr", ctx, key)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// Decr indicates an expected call of Decr.
-func (mr *MockRedisClientMockRecorder) Decr(ctx, key any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Decr", reflect.TypeOf((*MockRedisClient)(nil).Decr), ctx, key)
-}
-
-// Del mocks base method.
-func (m *MockRedisClient) Del(ctx context.Context, keys ...string) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx}
-	for _, a := range keys {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "Del", varargs...)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// Del indicates an expected call of Del.
-func (mr *MockRedisClientMockRecorder) Del(ctx any, keys ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx}, keys...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Del", reflect.TypeOf((*MockRedisClient)(nil).Del), varargs...)
-}
-
-// Exists mocks base method.
-func (m *MockRedisClient) Exists(ctx context.Context, keys ...string) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx}
-	for _, a := range keys {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "Exists", varargs...)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// Exists indicates an expected call of Exists.
-func (mr *MockRedisClientMockRecorder) Exists(ctx any, keys ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx}, keys...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exists", reflect.TypeOf((*MockRedisClient)(nil).Exists), varargs...)
-}
-
-// FlushDB mocks base method.
-func (m *MockRedisClient) FlushDB(ctx context.Context) *redis.StatusCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "FlushDB", ctx)
-	ret0, _ := ret[0].(*redis.StatusCmd)
-	return ret0
-}
-
-// FlushDB indicates an expected call of FlushDB.
-func (mr *MockRedisClientMockRecorder) FlushDB(ctx any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FlushDB", reflect.TypeOf((*MockRedisClient)(nil).FlushDB), ctx)
-}
-
-// Get mocks base method.
-func (m *MockRedisClient) Get(ctx context.Context, key string) *redis.StringCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Get", ctx, key)
-	ret0, _ := ret[0].(*redis.StringCmd)
-	return ret0
-}
-
-// Get indicates an expected call of Get.
-func (mr *MockRedisClientMockRecorder) Get(ctx, key any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockRedisClient)(nil).Get), ctx, key)
-}
-
-// HDel mocks base method.
-func (m *MockRedisClient) HDel(ctx context.Context, key string, fields ...string) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx, key}
-	for _, a := range fields {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "HDel", varargs...)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// HDel indicates an expected call of HDel.
-func (mr *MockRedisClientMockRecorder) HDel(ctx, key any, fields ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx, key}, fields...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HDel", reflect.TypeOf((*MockRedisClient)(nil).HDel), varargs...)
-}
-
-// HKeys mocks base method.
-func (m *MockRedisClient) HKeys(ctx context.Context, key string) *redis.StringSliceCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "HKeys", ctx, key)
-	ret0, _ := ret[0].(*redis.StringSliceCmd)
-	return ret0
-}
-
-// HKeys indicates an expected call of HKeys.
-func (mr *MockRedisClientMockRecorder) HKeys(ctx, key any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HKeys", reflect.TypeOf((*MockRedisClient)(nil).HKeys), ctx, key)
-}
-
-// HSet mocks base method.
-func (m *MockRedisClient) HSet(ctx context.Context, key string, values ...any) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx, key}
-	for _, a := range values {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "HSet", varargs...)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// HSet indicates an expected call of HSet.
-func (mr *MockRedisClientMockRecorder) HSet(ctx, key any, values ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx, key}, values...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HSet", reflect.TypeOf((*MockRedisClient)(nil).HSet), varargs...)
-}
-
-// Incr mocks base method.
-func (m *MockRedisClient) Incr(ctx context.Context, key string) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Incr", ctx, key)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// Incr indicates an expected call of Incr.
-func (mr *MockRedisClientMockRecorder) Incr(ctx, key any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Incr", reflect.TypeOf((*MockRedisClient)(nil).Incr), ctx, key)
-}
-
-// LLen mocks base method.
-func (m *MockRedisClient) LLen(ctx context.Context, key string) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "LLen", ctx, key)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// LLen indicates an expected call of LLen.
-func (mr *MockRedisClientMockRecorder) LLen(ctx, key any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LLen", reflect.TypeOf((*MockRedisClient)(nil).LLen), ctx, key)
-}
-
-// LPop mocks base method.
-func (m *MockRedisClient) LPop(ctx context.Context, key string) *redis.StringCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "LPop", ctx, key)
-	ret0, _ := ret[0].(*redis.StringCmd)
-	return ret0
-}
-
-// LPop indicates an expected call of LPop.
-func (mr *MockRedisClientMockRecorder) LPop(ctx, key any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LPop", reflect.TypeOf((*MockRedisClient)(nil).LPop), ctx, key)
-}
-
-// Ping mocks base method.
-func (m *MockRedisClient) Ping(ctx context.Context) *redis.StatusCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Ping", ctx)
-	ret0, _ := ret[0].(*redis.StatusCmd)
-	return ret0
-}
-
-// Ping indicates an expected call of Ping.
-func (mr *MockRedisClientMockRecorder) Ping(ctx any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Ping", reflect.TypeOf((*MockRedisClient)(nil).Ping), ctx)
-}
-
-// RPush mocks base method.
-func (m *MockRedisClient) RPush(ctx context.Context, key string, values ...any) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx, key}
-	for _, a := range values {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "RPush", varargs...)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// RPush indicates an expected call of RPush.
-func (mr *MockRedisClientMockRecorder) RPush(ctx, key any, values ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx, key}, values...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RPush", reflect.TypeOf((*MockRedisClient)(nil).RPush), varargs...)
-}
-
-// SAdd mocks base method.
-func (m *MockRedisClient) SAdd(ctx context.Context, key string, members ...any) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx, key}
-	for _, a := range members {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "SAdd", varargs...)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// SAdd indicates an expected call of SAdd.
-func (mr *MockRedisClientMockRecorder) SAdd(ctx, key any, members ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx, key}, members...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SAdd", reflect.TypeOf((*MockRedisClient)(nil).SAdd), varargs...)
-}
-
-// SIsMember mocks base method.
-func (m *MockRedisClient) SIsMember(ctx context.Context, key string, member any) *redis.BoolCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SIsMember", ctx, key, member)
-	ret0, _ := ret[0].(*redis.BoolCmd)
-	return ret0
-}
-
-// SIsMember indicates an expected call of SIsMember.
-func (mr *MockRedisClientMockRecorder) SIsMember(ctx, key, member any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SIsMember", reflect.TypeOf((*MockRedisClient)(nil).SIsMember), ctx, key, member)
-}
-
-// SRem mocks base method.
-func (m *MockRedisClient) SRem(ctx context.Context, key string, members ...any) *redis.IntCmd {
-	m.ctrl.T.Helper()
-	varargs := []any{ctx, key}
-	for _, a := range members {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "SRem", varargs...)
-	ret0, _ := ret[0].(*redis.IntCmd)
-	return ret0
-}
-
-// SRem indicates an expected call of SRem.
-func (mr *MockRedisClientMockRecorder) SRem(ctx, key any, members ...any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]any{ctx, key}, members...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SRem", reflect.TypeOf((*MockRedisClient)(nil).SRem), varargs...)
-}
-
-// Set mocks base method.
-func (m *MockRedisClient) Set(ctx context.Context, key string, value any, expiration time.Duration) *redis.StatusCmd {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Set", ctx, key, value, expiration)
-	ret0, _ := ret[0].(*redis.StatusCmd)
-	return ret0
-}
-
-// Set indicates an expected call of Set.
-func (mr *MockRedisClientMockRecorder) Set(ctx, key, value, expiration any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Set", reflect.TypeOf((*MockRedisClient)(nil).Set), ctx, key, value, expiration)
-}
diff --git a/modules/setting/authorized_integration.go b/modules/setting/authorized_integration.go
index 778232e3ad..0a84f44afe 100644
--- a/modules/setting/authorized_integration.go
+++ b/modules/setting/authorized_integration.go
@@ -10,6 +10,7 @@ var AuthorizedIntegration = struct {
 	BlockedDomains     string
 	AllowLocalNetworks bool
 	RequestTimeout     time.Duration
+	CacheTTL           time.Duration
 }{}
 
 func loadAuthorizedIntegrationFrom(rootCfg ConfigProvider) {
@@ -18,4 +19,5 @@ func loadAuthorizedIntegrationFrom(rootCfg ConfigProvider) {
 	AuthorizedIntegration.BlockedDomains = sec.Key("BLOCKED_DOMAINS").MustString("")
 	AuthorizedIntegration.AllowLocalNetworks = sec.Key("ALLOW_LOCALNETWORKS").MustBool(false)
 	AuthorizedIntegration.RequestTimeout = sec.Key("REQUEST_TIMEOUT").MustDuration(10 * time.Second)
+	AuthorizedIntegration.CacheTTL = sec.Key("CACHE_TTL").MustDuration(10 * time.Minute)
 }
diff --git a/services/auth/method/authorized_integration.go b/services/auth/method/authorized_integration.go
index 000383d8c5..f908780e09 100644
--- a/services/auth/method/authorized_integration.go
+++ b/services/auth/method/authorized_integration.go
@@ -4,6 +4,8 @@
 package method
 
 import (
+	"bufio"
+	"bytes"
 	"errors"
 	"fmt"
 	"io"
@@ -15,6 +17,7 @@ import (
 
 	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/cache"
 	"forgejo.org/modules/hostmatcher"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/jwtx"
@@ -42,6 +45,7 @@ var (
 		initHTTPClient.Do(initAuthorizedIntegrationHTTPClient)
 		return aiHTTPClient
 	}
+	getCache = cache.GetCache
 )
 
 // Restrict document size to prevent resource exhaustion attack with a malicious authorized integration; largest
@@ -126,8 +130,7 @@ func (a *AuthorizedIntegration) Verify(req *http.Request, w http.ResponseWriter,
 
 			issuerOIDCURL := issuerURL.JoinPath(".well-known/openid-configuration")
 			var oidcConfig openIDConfiguration
-			// TODO: cache external OIDC configuration, with a fixed timeout (not LRU/MRU)
-			if err := a.fetchJSON(issuerOIDCURL.String(), &oidcConfig); err != nil {
+			if err := authorizedIntegrationFetchJSON(issuerOIDCURL.String(), &oidcConfig); err != nil {
 				return nil, fmt.Errorf("error when fetching .well-known/openid-configuration from %s: %w", issuerOIDCURL, err)
 			}
 
@@ -149,8 +152,7 @@ func (a *AuthorizedIntegration) Verify(req *http.Request, w http.ResponseWriter,
 				return nil, fmt.Errorf("jwks_uri host mismatch: must be the same as issuer host %q, but was %q", issuerURL.Host, jwksURI.Host)
 			}
 			var keys openIDKeys
-			// TODO: cache JWKS, with a fixed timeout (not LRU/MRU)
-			if err := a.fetchJSON(oidcConfig.JwksURI, &keys); err != nil {
+			if err := authorizedIntegrationFetchJSON(oidcConfig.JwksURI, &keys); err != nil {
 				return nil, fmt.Errorf("error when fetching JWKS from %s: %w", oidcConfig.JwksURI, err)
 			}
 
@@ -247,7 +249,56 @@ func initAuthorizedIntegrationHTTPClient() {
 	}
 }
 
-func (a *AuthorizedIntegration) fetchJSON(urlString string, v any) error {
+func authorizedIntegrationCacheKey(urlString string) string {
+	return fmt.Sprintf("auth-int-remote:%s", urlString)
+}
+
+func authorizedIntegrationCacheGetJSON[K any](urlString string, v *K) bool {
+	conn := getCache()
+	if conn == nil {
+		return false
+	}
+
+	cachedAny := conn.Get(authorizedIntegrationCacheKey(urlString))
+	if cachedAny == nil {
+		return false
+	}
+	cachedBytes, ok := cachedAny.([]byte)
+	if !ok {
+		cachedString, ok := cachedAny.(string)
+		if !ok {
+			log.Error("cached content was not []byte or string, but was %T", cachedAny)
+			return false
+		}
+		cachedBytes = []byte(cachedString)
+	}
+
+	err := json.Unmarshal(cachedBytes, &v)
+	if err != nil {
+		// This error case shouldn't occur, as we only store data in the cache once we're sure we could unmarshal it.
+		// If it does occur, log and fallback to treating as uncached.
+		log.Error("failed to Unmarshal cached content: %s", err)
+		// Caller may reuse `v` in a future unmarshal/decode call, and failure here may have polluted it.
+		var zeroValue K
+		*v = zeroValue
+		return false
+	}
+
+	return true
+}
+
+func authorizedIntegrationCacheSetJSON(urlString string, buf []byte) {
+	conn := getCache()
+	if conn == nil {
+		return
+	}
+	err := conn.Put(authorizedIntegrationCacheKey(urlString), buf, int64(setting.AuthorizedIntegration.CacheTTL.Seconds()))
+	if err != nil {
+		log.Error("failed to put cache: %s", err)
+	}
+}
+
+func authorizedIntegrationFetchJSON[K any](urlString string, v *K) error {
 	parsedURL, err := url.Parse(urlString)
 	if err != nil {
 		return fmt.Errorf("failed parsing URL %q: %w", urlString, err)
@@ -259,6 +310,11 @@ func (a *AuthorizedIntegration) fetchJSON(urlString string, v any) error {
 		return fmt.Errorf("unsupported URL scheme: %q", parsedURL.String())
 	}
 
+	// Check our cache, save a remote HTTP interaction.
+	if authorizedIntegrationCacheGetJSON(urlString, v) {
+		return nil
+	}
+
 	resp, err := GetAuthorizedIntegrationHTTPClient().Get(parsedURL.String())
 	if err != nil {
 		return err
@@ -269,15 +325,24 @@ func (a *AuthorizedIntegration) fetchJSON(urlString string, v any) error {
 		return fmt.Errorf("non-OK response code: %s", resp.Status)
 	}
 
-	body := io.LimitReader(resp.Body, authorizedIntegrationRequestBodyLimit)
-	decoder := json.NewDecoder(body)
-	err = decoder.Decode(&v)
+	bodyReader := io.LimitReader(resp.Body, authorizedIntegrationRequestBodyLimit)
+	var buf bytes.Buffer
+	_, err = io.Copy(bufio.NewWriter(&buf), bodyReader)
+	if err != nil {
+		return fmt.Errorf("read from remote error: %w", err)
+	}
+
+	err = json.Unmarshal(buf.Bytes(), &v)
 	if err != nil {
 		// If a decoding error is hit, decorate with information about the limited body size so that it doesn't look
 		// like the remote server provided an incomplete response. err should be something like `io.UnexpectedEOF` in
 		// this case, but it actually isn't, so don't bother trying to detect precisely.
 		return fmt.Errorf("failed to decode (response body restricted to %d bytes): %w", authorizedIntegrationRequestBodyLimit, err)
 	}
+
+	// Successfully decoded the response -- cache the raw bytes for later access.
+	authorizedIntegrationCacheSetJSON(urlString, buf.Bytes())
+
 	return nil
 }
 
diff --git a/services/auth/method/authorized_integration_test.go b/services/auth/method/authorized_integration_test.go
index f2afbd3896..28524b7a6c 100644
--- a/services/auth/method/authorized_integration_test.go
+++ b/services/auth/method/authorized_integration_test.go
@@ -14,14 +14,18 @@ import (
 
 	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
+	"forgejo.org/modules/cache"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/jwtx"
+	"forgejo.org/modules/setting"
 	"forgejo.org/modules/test"
 	"forgejo.org/services/auth"
 
+	mc "code.forgejo.org/go-chi/cache"
 	"github.com/golang-jwt/jwt/v5"
 	gouuid "github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 )
 
@@ -557,6 +561,102 @@ func TestAuthorizedIntegration(t *testing.T) {
 		require.NoError(t, err)
 		assert.False(t, writeAdmin, "write:admin")
 	})
+
+	t.Run("cache", func(t *testing.T) {
+		t.Run("miss and store", func(t *testing.T) {
+			c := cache.NewMockCache(t)
+			defer test.MockVariableValue(&getCache, func() mc.Cache { return c })()
+			defer test.MockVariableValue(&setting.AuthorizedIntegration.CacheTTL, 10*time.Minute)()
+
+			var cacheKey string
+			c.On("Get", mock.AnythingOfType("string")).
+				Run(func(args mock.Arguments) {
+					key := args.Get(0).(string)
+					assert.True(t, strings.HasPrefix(key, "auth-int-remote:https://"), "key %s should have key prefix", key)
+					cacheKey = key
+				}).Return(nil)
+			c.On("Put", mock.Anything, mock.Anything, mock.Anything).
+				Once().
+				Run(func(args mock.Arguments) {
+					putKey := args.Get(0).(string)
+					assert.Equal(t, cacheKey, putKey)
+					putContents := args.Get(1).([]byte)
+					assert.Contains(t, string(putContents), "\"issuer\":")
+					assert.Contains(t, string(putContents), "\"jwks_uri\":")
+					assert.EqualValues(t, 600, args.Get(2))
+				}).Return(nil)
+			c.On("Put", mock.Anything, mock.Anything, mock.Anything).
+				Once().
+				Run(func(args mock.Arguments) {
+					putKey := args.Get(0).(string)
+					assert.Equal(t, cacheKey, putKey)
+					putContents := args.Get(1).([]byte)
+					assert.Contains(t, string(putContents), "\"alg\":\"RS256\"")
+					assert.Contains(t, string(putContents), "\"kty\":\"RSA\"")
+					assert.EqualValues(t, 600, args.Get(2))
+				}).Return(nil)
+
+			ait := newAITester(t)
+			defer ait.close()
+			output := ait.bearerRequest()
+			requireOutput[*auth.AuthenticationSuccess](t, output)
+		})
+
+		t.Run("hit", func(t *testing.T) {
+			var oidcMetadata []byte
+			var jwksData []byte
+			ait := newAITester(t,
+				openIDTweak(func(oi *openIDConfiguration, ait *AuthorizedIntegrationTester) {
+					var err error
+					oidcMetadata, err = json.Marshal(oi)
+					require.NoError(t, err)
+				}),
+				jwksTweak(func(oi *openIDKeys) {
+					var err error
+					jwksData, err = json.Marshal(oi)
+					require.NoError(t, err)
+				}),
+			)
+			defer ait.close()
+			ait.bearerRequest() // populate oidcMetadata & jwksData by making a request
+
+			t.Run("cache returns []byte", func(t *testing.T) {
+				c := cache.NewMockCache(t)
+				defer test.MockVariableValue(&getCache, func() mc.Cache { return c })()
+
+				c.On("Get",
+					mock.MatchedBy(func(key string) bool {
+						return strings.Contains(key, ".well-known/openid-configuration")
+					})).
+					Return(oidcMetadata)
+				c.On("Get",
+					mock.MatchedBy(func(key string) bool {
+						return strings.Contains(key, ".keys")
+					})).
+					Return(jwksData)
+
+				ait.bearerRequest()
+			})
+
+			t.Run("cache returns string", func(t *testing.T) {
+				c := cache.NewMockCache(t)
+				defer test.MockVariableValue(&getCache, func() mc.Cache { return c })()
+
+				c.On("Get",
+					mock.MatchedBy(func(key string) bool {
+						return strings.Contains(key, ".well-known/openid-configuration")
+					})).
+					Return(string(oidcMetadata))
+				c.On("Get",
+					mock.MatchedBy(func(key string) bool {
+						return strings.Contains(key, ".keys")
+					})).
+					Return(string(jwksData))
+
+				ait.bearerRequest()
+			})
+		})
+	})
 }
 
 type AuthorizedIntegrationTester struct {
diff --git a/services/authz/authorization_reducer.go b/services/authz/authorization_reducer.go
index 7485f74f40..f2bc8d4f71 100644
--- a/services/authz/authorization_reducer.go
+++ b/services/authz/authorization_reducer.go
@@ -9,6 +9,8 @@ import (
 
 // Defines an API for reducing available permissions to specific resources.  Typically associated with a fine-grained
 // access tokens and provides methods to reduce authorization that the access token provides down to specific resources.
+//
+//mockery:generate: true
 type AuthorizationReducer interface {
 	// Incorporate all the methods of [RepositoryAuthorizationReducer], which allows reducing permissions related to
 	// repositories specifically.
diff --git a/services/authz/authorization_reducer_mock.go b/services/authz/authorization_reducer_mock.go
index 79562917c4..c31030b29a 100644
--- a/services/authz/authorization_reducer_mock.go
+++ b/services/authz/authorization_reducer_mock.go
@@ -1,86 +1,19 @@
-// Code generated by mockery v2.53.5. DO NOT EDIT.
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
 
 package authz
 
 import (
-	context "context"
+	"context"
 
 	"forgejo.org/models/perm"
-	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/repo"
 
 	mock "github.com/stretchr/testify/mock"
 	"xorm.io/builder"
 )
 
-// MockAuthorizationReducer is an autogenerated mock type for the AuthorizationReducer type
-type MockAuthorizationReducer struct {
-	mock.Mock
-}
-
-// AllowAdminOverride provides a mock function with no fields
-func (_m *MockAuthorizationReducer) AllowAdminOverride() bool {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for AllowAdminOverride")
-	}
-
-	var r0 bool
-	if rf, ok := ret.Get(0).(func() bool); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(bool)
-	}
-
-	return r0
-}
-
-// ReduceRepoAccess provides a mock function with given fields: ctx, repo, accessMode
-func (_m *MockAuthorizationReducer) ReduceRepoAccess(ctx context.Context, repo *repo_model.Repository, accessMode perm.AccessMode) (perm.AccessMode, error) {
-	ret := _m.Called(ctx, repo, accessMode)
-
-	if len(ret) == 0 {
-		panic("no return value specified for ReduceRepoAccess")
-	}
-
-	var r0 perm.AccessMode
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *repo_model.Repository, perm.AccessMode) (perm.AccessMode, error)); ok {
-		return rf(ctx, repo, accessMode)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *repo_model.Repository, perm.AccessMode) perm.AccessMode); ok {
-		r0 = rf(ctx, repo, accessMode)
-	} else {
-		r0 = ret.Get(0).(perm.AccessMode)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *repo_model.Repository, perm.AccessMode) error); ok {
-		r1 = rf(ctx, repo, accessMode)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// RepoFilter provides a mock function with given fields: accessMode
-func (_m *MockAuthorizationReducer) RepoReadAccessFilter() builder.Cond {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for AllowAdminOverride")
-	}
-
-	var r0 builder.Cond
-	if rf, ok := ret.Get(0).(func() builder.Cond); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(builder.Cond)
-	}
-
-	return r0
-}
-
 // NewMockAuthorizationReducer creates a new instance of MockAuthorizationReducer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
 // The first argument is typically a *testing.T value.
 func NewMockAuthorizationReducer(t interface {
@@ -95,3 +28,178 @@ func NewMockAuthorizationReducer(t interface {
 
 	return mock
 }
+
+// MockAuthorizationReducer is an autogenerated mock type for the AuthorizationReducer type
+type MockAuthorizationReducer struct {
+	mock.Mock
+}
+
+type MockAuthorizationReducer_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockAuthorizationReducer) EXPECT() *MockAuthorizationReducer_Expecter {
+	return &MockAuthorizationReducer_Expecter{mock: &_m.Mock}
+}
+
+// AllowAdminOverride provides a mock function for the type MockAuthorizationReducer
+func (_mock *MockAuthorizationReducer) AllowAdminOverride() bool {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for AllowAdminOverride")
+	}
+
+	var r0 bool
+	if returnFunc, ok := ret.Get(0).(func() bool); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+	return r0
+}
+
+// MockAuthorizationReducer_AllowAdminOverride_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AllowAdminOverride'
+type MockAuthorizationReducer_AllowAdminOverride_Call struct {
+	*mock.Call
+}
+
+// AllowAdminOverride is a helper method to define mock.On call
+func (_e *MockAuthorizationReducer_Expecter) AllowAdminOverride() *MockAuthorizationReducer_AllowAdminOverride_Call {
+	return &MockAuthorizationReducer_AllowAdminOverride_Call{Call: _e.mock.On("AllowAdminOverride")}
+}
+
+func (_c *MockAuthorizationReducer_AllowAdminOverride_Call) Run(run func()) *MockAuthorizationReducer_AllowAdminOverride_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockAuthorizationReducer_AllowAdminOverride_Call) Return(b bool) *MockAuthorizationReducer_AllowAdminOverride_Call {
+	_c.Call.Return(b)
+	return _c
+}
+
+func (_c *MockAuthorizationReducer_AllowAdminOverride_Call) RunAndReturn(run func() bool) *MockAuthorizationReducer_AllowAdminOverride_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ReduceRepoAccess provides a mock function for the type MockAuthorizationReducer
+func (_mock *MockAuthorizationReducer) ReduceRepoAccess(ctx context.Context, repo1 *repo.Repository, accessMode perm.AccessMode) (perm.AccessMode, error) {
+	ret := _mock.Called(ctx, repo1, accessMode)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ReduceRepoAccess")
+	}
+
+	var r0 perm.AccessMode
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *repo.Repository, perm.AccessMode) (perm.AccessMode, error)); ok {
+		return returnFunc(ctx, repo1, accessMode)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, *repo.Repository, perm.AccessMode) perm.AccessMode); ok {
+		r0 = returnFunc(ctx, repo1, accessMode)
+	} else {
+		r0 = ret.Get(0).(perm.AccessMode)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, *repo.Repository, perm.AccessMode) error); ok {
+		r1 = returnFunc(ctx, repo1, accessMode)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// MockAuthorizationReducer_ReduceRepoAccess_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReduceRepoAccess'
+type MockAuthorizationReducer_ReduceRepoAccess_Call struct {
+	*mock.Call
+}
+
+// ReduceRepoAccess is a helper method to define mock.On call
+//   - ctx context.Context
+//   - repo1 *repo.Repository
+//   - accessMode perm.AccessMode
+func (_e *MockAuthorizationReducer_Expecter) ReduceRepoAccess(ctx, repo1, accessMode any) *MockAuthorizationReducer_ReduceRepoAccess_Call {
+	return &MockAuthorizationReducer_ReduceRepoAccess_Call{Call: _e.mock.On("ReduceRepoAccess", ctx, repo1, accessMode)}
+}
+
+func (_c *MockAuthorizationReducer_ReduceRepoAccess_Call) Run(run func(ctx context.Context, repo1 *repo.Repository, accessMode perm.AccessMode)) *MockAuthorizationReducer_ReduceRepoAccess_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 *repo.Repository
+		if args[1] != nil {
+			arg1 = args[1].(*repo.Repository)
+		}
+		var arg2 perm.AccessMode
+		if args[2] != nil {
+			arg2 = args[2].(perm.AccessMode)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *MockAuthorizationReducer_ReduceRepoAccess_Call) Return(accessMode1 perm.AccessMode, err error) *MockAuthorizationReducer_ReduceRepoAccess_Call {
+	_c.Call.Return(accessMode1, err)
+	return _c
+}
+
+func (_c *MockAuthorizationReducer_ReduceRepoAccess_Call) RunAndReturn(run func(ctx context.Context, repo1 *repo.Repository, accessMode perm.AccessMode) (perm.AccessMode, error)) *MockAuthorizationReducer_ReduceRepoAccess_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// RepoReadAccessFilter provides a mock function for the type MockAuthorizationReducer
+func (_mock *MockAuthorizationReducer) RepoReadAccessFilter() builder.Cond {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for RepoReadAccessFilter")
+	}
+
+	var r0 builder.Cond
+	if returnFunc, ok := ret.Get(0).(func() builder.Cond); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(builder.Cond)
+		}
+	}
+	return r0
+}
+
+// MockAuthorizationReducer_RepoReadAccessFilter_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'RepoReadAccessFilter'
+type MockAuthorizationReducer_RepoReadAccessFilter_Call struct {
+	*mock.Call
+}
+
+// RepoReadAccessFilter is a helper method to define mock.On call
+func (_e *MockAuthorizationReducer_Expecter) RepoReadAccessFilter() *MockAuthorizationReducer_RepoReadAccessFilter_Call {
+	return &MockAuthorizationReducer_RepoReadAccessFilter_Call{Call: _e.mock.On("RepoReadAccessFilter")}
+}
+
+func (_c *MockAuthorizationReducer_RepoReadAccessFilter_Call) Run(run func()) *MockAuthorizationReducer_RepoReadAccessFilter_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockAuthorizationReducer_RepoReadAccessFilter_Call) Return(cond builder.Cond) *MockAuthorizationReducer_RepoReadAccessFilter_Call {
+	_c.Call.Return(cond)
+	return _c
+}
+
+func (_c *MockAuthorizationReducer_RepoReadAccessFilter_Call) RunAndReturn(run func() builder.Cond) *MockAuthorizationReducer_RepoReadAccessFilter_Call {
+	_c.Call.Return(run)
+	return _c
+}

From 6171e7ef7ad14527d1233b2849c7d40ecd02d033 Mon Sep 17 00:00:00 2001
From: viceice <michael.kriese@gmx.de>
Date: Tue, 28 Apr 2026 16:15:08 +0200
Subject: [PATCH 183/287] chore: support 4 releases (#12303)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12303
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
---
 .release-notes-assistant.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.release-notes-assistant.yaml b/.release-notes-assistant.yaml
index 93b0e3d0b2..e6704424e9 100644
--- a/.release-notes-assistant.yaml
+++ b/.release-notes-assistant.yaml
@@ -5,7 +5,7 @@ branch-find-version: 'v(?P<version>\d+\.\d+)/forgejo'
 branch-to-version: '${version}.0'
 branch-from-version: 'v%[1]d.%[2]d/forgejo'
 tag-from-version: 'v%[1]d.%[2]d.%[3]d'
-supported-release-count: 3
+supported-release-count: 4
 branch-known:
   - 'v11.0/forgejo'
   - 'v15.0/forgejo'

From abcfb4669199e811cb74dd7a30b21ba5bb914f5e Mon Sep 17 00:00:00 2001
From: 0ko <0ko@noreply.codeberg.org>
Date: Tue, 28 Apr 2026 18:56:52 +0200
Subject: [PATCH 184/287] chore: fix rna config (#12304)

@viceice was getting error 500 trying to post this PR an hour ago. This commit is solely authored by him.

Co-authored-by: viceice <michael.kriese@gmx.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12304
---
 .release-notes-assistant.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.release-notes-assistant.yaml b/.release-notes-assistant.yaml
index e6704424e9..f942778fe7 100644
--- a/.release-notes-assistant.yaml
+++ b/.release-notes-assistant.yaml
@@ -5,10 +5,10 @@ branch-find-version: 'v(?P<version>\d+\.\d+)/forgejo'
 branch-to-version: '${version}.0'
 branch-from-version: 'v%[1]d.%[2]d/forgejo'
 tag-from-version: 'v%[1]d.%[2]d.%[3]d'
-supported-release-count: 4
+supported-release-count: 3
 branch-known:
+# replace with v15 when v11 becomes EOL
   - 'v11.0/forgejo'
-  - 'v15.0/forgejo'
 cleanup-line: 'sed -Ee "s/^(feat|fix):\s*//g" -e "s/^\[WIP\] //" -e "s/^WIP: //" -e "s;\[(UI|BUG|FEAT|v.*?/forgejo)\]\s*;;g"'
 render-header: |
 

From 70f7260e66f60528dfa3c3c68d224b971bbc14ab Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 28 Apr 2026 21:32:45 +0200
Subject: [PATCH 185/287] feat: add CLI command 'admin user
 create-authorized-integration' (#12299)

Allows the creation of an authorized integration as a Forgejo administrator, either for development testing or to support server-automation.  Clipping out the CLI config options, looks like:

```
NAME:
   forgejo admin user create-authorized-integration - Create an authorized integration for a specific user

USAGE:
   forgejo admin user create-authorized-integration [options]

OPTIONS:
   --username string, -u string                               Username
   --issuer string                                            JWT issuer ('iss' claim), example: https://forgejo.example.org/api/actions
   --claim-eq string=string [ --claim-eq string=string ]      Zero-or-more claim equality checks, formatted as claim=value, example: "actor=someuser"
   --claim-glob string=string [ --claim-glob string=string ]  Zero-or-more claim glob checks, formatted as claim=value, example: "sub=repo:forgejo/*:pull_request"
   --scope string [ --scope string ]                          One-or-more scopes to apply to access token, examples: "all", "read:issue", "write:repository" (default: "all")
   --repo string [ --repo string ]                            Zero-or-more specific repositories that can be accessed, or "all" to allow access to all repositories, example: "owner1/repo1" (default: "all")
```

As an example, this will create an authorized integration that will permit Codeberg's Forgejo Actions to generate trusted JWTs that can access the local user `mfenniak`:
```bash
$ ./forgejo admin user create-authorized-integration \
    --username mfenniak \
    --issuer https://codeberg.org/api/actions \
    --claim-eq sub=repo:mfenniak/forgejo-runner-testrepo:pull_request \
    --scope read:user

{
  "message": "Authorized integration was successfully created.",
  "issuer": "https://codeberg.org/api/actions",
  "audience": "u:1:c97d83bc-fa4e-4db3-b898-414cd5b6ce33",
  "claim_rules": [
    {
      "description": "\"sub\" = \"repo:mfenniak/forgejo-runner-testrepo:pull_request\"",
      "claim": "sub",
      "compare": "eq",
      "value": "repo:mfenniak/forgejo-runner-testrepo:pull_request"
    }
  ]
}
```

The output is a JSON document to aid in use in automation.  The `audience` field is the audience generated by Forgejo that must be used by the remote to generate the JWT.  Continuing this example to the client-side, a matching Forgejo Action like this in the `mfenniak/forgejo-runner-testrepo` repo, for a `pull_request` event, then it will be able to access the Forgejo server that the authorized integration was created on like this:

```yaml
on:
  pull_request:

enable-openid-connect: true

jobs:
  job1:
    runs-on: docker
    steps:
      - name: Fetch JWT
        id: jwt
        run: |
          set -eux -o pipefail
          set +x
          jwt=$(curl --fail \
            -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=u:1:c97d83bc-fa4e-4db3-b898-414cd5b6ce33" \
            | jq -r ".value")
          echo "::add-mask::$jwt"
          set -x
          echo "jwt=$jwt" >> $FORGEJO_OUTPUT

      - name: API call to Forgejo
        run: |
          curl \
            -v --fail \
            -H "Authorization: bearer ${{ steps.jwt.outputs.jwt }}" \
            "https://example.org/api/v1/user" | jq
```

CLI command is tested manually.  Supporting functions have associated unit tests.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
    - CLI update should be automatic in docs -- more detailed Authorized Integration documentation is on my project plan.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12299
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 cmd/admin_user.go                             |   1 +
 ...in_user_generate_authorized_integration.go | 204 ++++++++++++++++++
 models/auth/authorized_integration.go         |  35 +++
 .../authorized_integration_resource_repo.go   |  12 ++
 ...thorized_integration_resource_repo_test.go |  51 +++++
 models/auth/authorized_integration_test.go    |  39 +++-
 services/authz/access_token.go                |  15 +-
 services/authz/authorized_integration.go      |   7 +
 services/authz/authorized_integration_test.go |  53 +++++
 9 files changed, 401 insertions(+), 16 deletions(-)
 create mode 100644 cmd/admin_user_generate_authorized_integration.go

diff --git a/cmd/admin_user.go b/cmd/admin_user.go
index f4f6fb49af..ea62bd3a45 100644
--- a/cmd/admin_user.go
+++ b/cmd/admin_user.go
@@ -17,6 +17,7 @@ func subcmdUser() *cli.Command {
 			microcmdUserChangePassword(),
 			microcmdUserDelete(),
 			microcmdUserGenerateAccessToken(),
+			microcmdUserCreateAuthorizedIntegration(),
 			microcmdUserMustChangePassword(),
 			microcmdUserResetMFA(),
 		},
diff --git a/cmd/admin_user_generate_authorized_integration.go b/cmd/admin_user_generate_authorized_integration.go
new file mode 100644
index 0000000000..5f3e13a48e
--- /dev/null
+++ b/cmd/admin_user_generate_authorized_integration.go
@@ -0,0 +1,204 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package cmd
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/db"
+	"forgejo.org/models/repo"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/json"
+	"forgejo.org/services/authz"
+
+	"github.com/urfave/cli/v3"
+)
+
+func microcmdUserCreateAuthorizedIntegration() *cli.Command {
+	return &cli.Command{
+		Name:  "create-authorized-integration",
+		Usage: "Create an authorized integration for a specific user",
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:     "username",
+				Aliases:  []string{"u"},
+				Usage:    "Username",
+				Required: true,
+			},
+
+			// JWT validation:
+			&cli.StringFlag{
+				Name:     "issuer",
+				Usage:    `JWT issuer ('iss' claim), example: https://forgejo.example.org/api/actions`,
+				Required: true,
+			},
+			&cli.StringMapFlag{
+				Name:  "claim-eq",
+				Value: map[string]string{},
+				Usage: `Zero-or-more claim equality checks, formatted as claim=value, example: "actor=someuser"`,
+			},
+			&cli.StringMapFlag{
+				Name:  "claim-glob",
+				Value: map[string]string{},
+				Usage: `Zero-or-more claim glob checks, formatted as claim=value, example: "sub=repo:forgejo/*:pull_request"`,
+			},
+			// nested claim support omitted for now -- pretty complex for a CLI
+
+			// Permissions available on successful auth:
+			&cli.StringSliceFlag{
+				Name:  "scope",
+				Value: []string{"all"},
+				Usage: `One-or-more scopes to apply to access token, examples: "all", "read:issue", "write:repository"`,
+			},
+			&cli.StringSliceFlag{
+				Name:  "repo",
+				Value: []string{"all"},
+				Usage: `Zero-or-more specific repositories that can be accessed, or "all" to allow access to all repositories, example: "owner1/repo1"`,
+			},
+		},
+		Before: noDanglingArgs,
+		Action: runCreateAuthorizedIntegration,
+	}
+}
+
+func runCreateAuthorizedIntegration(ctx context.Context, c *cli.Command) error {
+	if !c.IsSet("username") {
+		return errors.New("you must provide a username to generate a token for")
+	}
+
+	ctx, cancel := installSignals(ctx)
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	user, err := user_model.GetUserByName(ctx, c.String("username"))
+	if err != nil {
+		return err
+	}
+
+	ai := &auth_model.AuthorizedIntegration{
+		UserID: user.ID,
+	}
+
+	var rules []auth_model.ClaimRule
+	ai.Issuer = c.String("issuer")
+	for claim, value := range c.StringMap("claim-eq") {
+		rules = append(rules, auth_model.ClaimRule{
+			Claim:      claim,
+			Comparison: auth_model.ClaimEqual,
+			Value:      value,
+		})
+	}
+	for claim, value := range c.StringMap("claim-glob") {
+		rules = append(rules, auth_model.ClaimRule{
+			Claim:      claim,
+			Comparison: auth_model.ClaimGlob,
+			Value:      value,
+		})
+	}
+	ai.ClaimRules = &auth_model.ClaimRules{Rules: rules}
+
+	scopes := strings.Join(c.StringSlice("scope"), ",")
+	accessTokenScope, err := auth_model.AccessTokenScope(scopes).Normalize()
+	if err != nil {
+		return fmt.Errorf("invalid access token scope provided: %w", err)
+	}
+	ai.Scope = accessTokenScope
+
+	allRepos := false
+	repos := []*repo.Repository{}
+	for _, repoName := range c.StringSlice("repo") {
+		if repoName == "all" {
+			allRepos = true
+		} else {
+			split := strings.Split(repoName, "/")
+			if len(split) != 2 {
+				return fmt.Errorf("invalid repo name: %q", split)
+			}
+			owner := split[0]
+			name := split[1]
+			repo, err := repo.GetRepositoryByOwnerAndName(ctx, owner, name)
+			if err != nil {
+				return err
+			}
+			repos = append(repos, repo)
+		}
+	}
+	ai.ResourceAllRepos = allRepos
+
+	rr := make([]*auth_model.AuthorizedIntegResourceRepo, len(repos))
+	for i := range repos {
+		rr[i] = &auth_model.AuthorizedIntegResourceRepo{RepoID: repos[i].ID}
+	}
+	if err := authz.ValidateAuthorizedIntegration(ai, rr); err != nil {
+		return err
+	}
+
+	err = db.WithTx(ctx, func(ctx context.Context) error {
+		if err := auth_model.InsertAuthorizedIntegration(ctx, ai); err != nil {
+			return err
+		}
+		if !allRepos {
+			if err := auth_model.InsertAuthorizedIntegrationResourceRepos(ctx, ai.ID, rr); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	type ClaimRuleDescription struct {
+		Description string                     `json:"description"`
+		Claim       string                     `json:"claim"`
+		Comparison  auth_model.ClaimComparison `json:"compare"`
+		Value       string                     `json:"value"`
+	}
+	output := struct {
+		Message    string                 `json:"message"`
+		Issuer     string                 `json:"issuer"`
+		Audience   string                 `json:"audience"`
+		ClaimRules []ClaimRuleDescription `json:"claim_rules"`
+	}{
+		Message:  "Authorized integration was successfully created.",
+		Issuer:   ai.Issuer,
+		Audience: ai.Audience,
+	}
+	for _, cr := range ai.ClaimRules.Rules {
+		var description string
+		switch cr.Comparison {
+		case auth_model.ClaimEqual:
+			description = fmt.Sprintf("%q = %q", cr.Claim, cr.Value)
+		case auth_model.ClaimGlob:
+			description = fmt.Sprintf("%q matches %q", cr.Claim, cr.Value)
+		}
+		output.ClaimRules = append(output.ClaimRules, ClaimRuleDescription{
+			Description: description,
+			Claim:       cr.Claim,
+			Comparison:  cr.Comparison,
+			Value:       cr.Value,
+		})
+	}
+
+	raw, err := json.Marshal(output)
+	if err != nil {
+		return err
+	}
+	var indent bytes.Buffer
+	if err := json.Indent(&indent, raw, "", "  "); err != nil {
+		return err
+	}
+	os.Stdout.Write(indent.Bytes())
+
+	return nil
+}
diff --git a/models/auth/authorized_integration.go b/models/auth/authorized_integration.go
index a8641d44ca..e4cc8cedb0 100644
--- a/models/auth/authorized_integration.go
+++ b/models/auth/authorized_integration.go
@@ -5,12 +5,15 @@ package auth
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"time"
 
 	"forgejo.org/models/db"
 	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/util"
 
+	gouuid "github.com/google/uuid"
 	"xorm.io/builder"
 )
 
@@ -128,6 +131,16 @@ func GetAuthorizedIntegration(ctx context.Context, issuer, audience string) (*Au
 	return &ai, nil
 }
 
+func InsertAuthorizedIntegration(ctx context.Context, ai *AuthorizedIntegration) error {
+	if ai.Audience != "" {
+		return errors.New("audience cannot be provided, and must be generated by NewAuthorizedIntegration")
+	} else if err := ai.generateAudience(); err != nil {
+		return err
+	}
+	_, err := db.GetEngine(ctx).Insert(ai)
+	return err
+}
+
 // Bump the UpdatedUnix field of this authorized integration to now, tracking when it was last used for authentication.
 // To reduce database write workload, this is only tracked by one-minute intervals -- the UPDATE statement conditionally
 // avoids writes.
@@ -144,3 +157,25 @@ func (ai *AuthorizedIntegration) UpdateLastUsed(ctx context.Context) error {
 	}
 	return err
 }
+
+// Generates the `aud` claim that the remote JWT generator must use to match this authorized integration.  The `aud`
+// claim is an arbitrary value in a JWT claim, but Forgejo is faced with a few hard and soft requirements:
+//
+//   - Hard requirement: each authorized integration must have a unique `aud`, as it is used to find the DB record that
+//     authenticates a request.
+//   - If authentication is failing, being able to inspect the `aud` claim can be useful to identify the intent.
+//   - Inspection should have a stable meaning -- eg. if it included the username, and the user was renamed, the `aud`
+//     value which can't be changed would continue to reference the old username causing confusion when inspecting it.
+//   - Forgejo & GitHub Actions uses a URL $ACTIONS_ID_TOKEN_REQUEST_URL&audience=... to generate a JWT for the running
+//     action, so it should only consist of safe characters for URL encoding.
+//   - It should be relatively short, as it's encoded into the JWT and increases its size.
+//
+// Meeting these requirements decently well is a combination of the owner's ID, a guid, and a "u:" prefix that makes the
+// fact that it's an `aud` claim value a little bit identifiable.
+func (ai *AuthorizedIntegration) generateAudience() error {
+	if ai.UserID == 0 {
+		return errors.New("UserID must be initialized")
+	}
+	ai.Audience = fmt.Sprintf("u:%d:%s", ai.UserID, gouuid.New().String())
+	return nil
+}
diff --git a/models/auth/authorized_integration_resource_repo.go b/models/auth/authorized_integration_resource_repo.go
index 9c48d16f98..77445b60ae 100644
--- a/models/auth/authorized_integration_resource_repo.go
+++ b/models/auth/authorized_integration_resource_repo.go
@@ -42,3 +42,15 @@ func GetRepositoriesAccessibleWithIntegration(ctx context.Context, aiID int64) (
 	}
 	return resources, nil
 }
+
+func InsertAuthorizedIntegrationResourceRepos(ctx context.Context, aiID int64, resources []*AuthorizedIntegResourceRepo) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		for _, resourceRepo := range resources {
+			resourceRepo.IntegID = aiID
+			if err := db.Insert(ctx, resourceRepo); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
diff --git a/models/auth/authorized_integration_resource_repo_test.go b/models/auth/authorized_integration_resource_repo_test.go
index 853cddb828..15c5b4854f 100644
--- a/models/auth/authorized_integration_resource_repo_test.go
+++ b/models/auth/authorized_integration_resource_repo_test.go
@@ -38,3 +38,54 @@ func TestGetRepositoriesAccessibleWithIntegration(t *testing.T) {
 		assert.Contains(t, repoIDs, int64(3))
 	})
 }
+
+func TestInsertAuthorizedIntegration(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	ai1 := makeAuthorizedIntegration(t)
+	ai2 := makeAuthorizedIntegration(t)
+	ai3 := makeAuthorizedIntegration(t)
+
+	t.Run("blank insert", func(t *testing.T) {
+		err := auth_model.InsertAuthorizedIntegrationResourceRepos(t.Context(), ai1.ID, nil)
+		require.NoError(t, err)
+	})
+
+	t.Run("multiple insert", func(t *testing.T) {
+		resRepo1 := &auth_model.AuthorizedIntegResourceRepo{
+			IntegID: ai2.ID,
+			RepoID:  1,
+		}
+		resRepo3 := &auth_model.AuthorizedIntegResourceRepo{
+			IntegID: ai2.ID,
+			RepoID:  3,
+		}
+		err := auth_model.InsertAuthorizedIntegrationResourceRepos(t.Context(), ai2.ID,
+			[]*auth_model.AuthorizedIntegResourceRepo{resRepo1, resRepo3})
+		require.NoError(t, err)
+
+		unittest.AssertCount(t, &auth_model.AuthorizedIntegResourceRepo{IntegID: ai2.ID}, 2)
+	})
+
+	t.Run("in tx", func(t *testing.T) {
+		// Pre-condition: count is 0.
+		unittest.AssertCount(t, &auth_model.AuthorizedIntegResourceRepo{IntegID: ai3.ID}, 0)
+
+		// Verify that InsertAuthorizedIntegrationResourceRepos performs inserts in a TX by having a second one with an invalid
+		// RepoID, causing a foreign key violation
+		resRepo1 := &auth_model.AuthorizedIntegResourceRepo{
+			IntegID: ai3.ID,
+			RepoID:  1,
+		}
+		resRepo3 := &auth_model.AuthorizedIntegResourceRepo{
+			IntegID: ai3.ID,
+			RepoID:  30000, // invalid
+		}
+		err := auth_model.InsertAuthorizedIntegrationResourceRepos(t.Context(), ai3.ID,
+			[]*auth_model.AuthorizedIntegResourceRepo{resRepo1, resRepo3})
+		require.ErrorContains(t, err, "foreign key")
+
+		// Count remains 0; the first record was not inserted.
+		unittest.AssertCount(t, &auth_model.AuthorizedIntegResourceRepo{IntegID: ai3.ID}, 0)
+	})
+}
diff --git a/models/auth/authorized_integration_test.go b/models/auth/authorized_integration_test.go
index 54cf97fcb5..d705f1a144 100644
--- a/models/auth/authorized_integration_test.go
+++ b/models/auth/authorized_integration_test.go
@@ -4,7 +4,6 @@
 package auth_test
 
 import (
-	"fmt"
 	"testing"
 	"time"
 
@@ -14,25 +13,20 @@ import (
 	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/util"
 
-	gouuid "github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
 func makeAuthorizedIntegration(t *testing.T) *auth_model.AuthorizedIntegration {
 	t.Helper()
-
 	ai := &auth_model.AuthorizedIntegration{
 		UserID:           2,
 		Scope:            auth_model.AccessTokenScopeAll,
 		ResourceAllRepos: true,
 		Issuer:           "https://example.org/",
-		Audience:         fmt.Sprintf("https://forgejo.example.org/api/actions/%s", gouuid.New().String()),
 		ClaimRules:       &auth_model.ClaimRules{},
 	}
-	_, err := db.GetEngine(t.Context()).Insert(ai)
-	require.NoError(t, err)
-
+	require.NoError(t, auth_model.InsertAuthorizedIntegration(t.Context(), ai))
 	return ai
 }
 
@@ -79,3 +73,34 @@ func TestAuthorizedIntegrationUpdateLastUsed(t *testing.T) {
 	assert.EqualValues(t, 1777131139, ai.UpdatedUnix)                                                                                // object field updated
 	assert.EqualValues(t, 1777131139, unittest.AssertExistsAndLoadBean(t, &auth_model.AuthorizedIntegration{ID: ai.ID}).UpdatedUnix) // database field updated
 }
+
+func TestNewAuthorizedIntegration(t *testing.T) {
+	ai := &auth_model.AuthorizedIntegration{
+		UserID:           2,
+		Scope:            auth_model.AccessTokenScopeAll,
+		ResourceAllRepos: true,
+		Issuer:           "https://example.org/",
+		ClaimRules:       &auth_model.ClaimRules{},
+	}
+	require.NoError(t, auth_model.InsertAuthorizedIntegration(t.Context(), ai))
+	assert.Contains(t, ai.Audience, "u:2:")
+
+	ai = &auth_model.AuthorizedIntegration{
+		UserID:           2,
+		Scope:            auth_model.AccessTokenScopeAll,
+		ResourceAllRepos: true,
+		Issuer:           "https://example.org/",
+		Audience:         "I made my own audience",
+		ClaimRules:       &auth_model.ClaimRules{},
+	}
+	require.ErrorContains(t, auth_model.InsertAuthorizedIntegration(t.Context(), ai), "audience cannot be provided")
+
+	ai = &auth_model.AuthorizedIntegration{
+		// Forgot to set UserID
+		Scope:            auth_model.AccessTokenScopeAll,
+		ResourceAllRepos: true,
+		Issuer:           "https://example.org/",
+		ClaimRules:       &auth_model.ClaimRules{},
+	}
+	require.ErrorContains(t, auth_model.InsertAuthorizedIntegration(t.Context(), ai), "UserID must be initialized")
+}
diff --git a/services/authz/access_token.go b/services/authz/access_token.go
index 1660881dab..5a6d876cf6 100644
--- a/services/authz/access_token.go
+++ b/services/authz/access_token.go
@@ -33,14 +33,11 @@ func GetAuthorizationReducerForAccessToken(ctx context.Context, token *auth_mode
 	return &SpecificReposAuthorizationReducer{resourceRepos: iface}, nil
 }
 
-// A locale lookup string for the error -- eg. `access_token.error.invalid_something`
-type AccessTokenValidationFailure string
-
 // Validate that an access token's state is valid for creation.  For example, that it doesn't have a conflicting set of
 // resources (public-only and specific repositories), and other similar checks.
 func ValidateAccessToken(token *auth_model.AccessToken, repoResources []*auth_model.AccessTokenResourceRepo) error {
 	// Other validations may be added here in the future.
-	return validateRepositoryResource(token, repoResources)
+	return validateRepositoryResource(token.ResourceAllRepos, token.Scope, len(repoResources))
 }
 
 var (
@@ -49,19 +46,19 @@ var (
 	ErrSpecifiedReposInvalidScope = errors.New("specified repository access token: invalid scope")
 )
 
-func validateRepositoryResource(token *auth_model.AccessToken, repoResources []*auth_model.AccessTokenResourceRepo) error {
+func validateRepositoryResource(resourceAllRepos bool, scope auth_model.AccessTokenScope, numRepoResources int) error {
 	// Access tokens with broad access to all resources don't have any relevant validation rules to apply.
-	if token.ResourceAllRepos {
+	if resourceAllRepos {
 		return nil
 	}
 
 	// Repo-specific access token must have at least one repository.
-	if len(repoResources) == 0 {
+	if numRepoResources == 0 {
 		return ErrSpecifiedReposNone
 	}
 
 	// Can't have public-only and specified repos -- that's a combination that doesn't make sense.
-	if publicOnly, err := token.Scope.PublicOnly(); err != nil {
+	if publicOnly, err := scope.PublicOnly(); err != nil {
 		return err
 	} else if publicOnly {
 		return ErrSpecifiedReposNoPublicOnly
@@ -71,7 +68,7 @@ func validateRepositoryResource(token *auth_model.AccessToken, repoResources []*
 	// support repositories as a resource.  For example, if you had a repo-specific token but then gave it
 	// `write:organization`, it would be able to do operations like delete an organization -- permission checks on the
 	// repository resources wouldn't be applicable to the organization resources.
-	for _, scope := range token.Scope.StringSlice() {
+	for _, scope := range scope.StringSlice() {
 		switch auth_model.AccessTokenScope(scope) {
 		case auth_model.AccessTokenScopeReadIssue,
 			auth_model.AccessTokenScopeWriteIssue,
diff --git a/services/authz/authorized_integration.go b/services/authz/authorized_integration.go
index c463c0aeca..33099c7401 100644
--- a/services/authz/authorized_integration.go
+++ b/services/authz/authorized_integration.go
@@ -31,3 +31,10 @@ func GetAuthorizationReducerForAuthorizedIntegration(ctx context.Context, ai *au
 	}
 	return &SpecificReposAuthorizationReducer{resourceRepos: iface}, nil
 }
+
+// Validate that an authorized integration's state is valid for creation.  For example, that it doesn't have a
+// conflicting set of resources (public-only and specific repositories), and other similar checks.
+func ValidateAuthorizedIntegration(ai *auth_model.AuthorizedIntegration, repoResources []*auth_model.AuthorizedIntegResourceRepo) error {
+	// Other validations may be added here in the future.
+	return validateRepositoryResource(ai.ResourceAllRepos, ai.Scope, len(repoResources))
+}
diff --git a/services/authz/authorized_integration_test.go b/services/authz/authorized_integration_test.go
index fe3ec697a4..cb46a2479f 100644
--- a/services/authz/authorized_integration_test.go
+++ b/services/authz/authorized_integration_test.go
@@ -4,6 +4,7 @@
 package authz
 
 import (
+	"strings"
 	"testing"
 
 	"forgejo.org/models/auth"
@@ -44,3 +45,55 @@ func TestGetAuthorizationReducerForAuthorizedIntegration(t *testing.T) {
 		assert.EqualValues(t, 1, specific.resourceRepos[0].GetTargetRepoID())
 	})
 }
+
+func TestValidateAuthorizedIntegration(t *testing.T) {
+	t.Run("valid - all access", func(t *testing.T) {
+		ai := &auth.AuthorizedIntegration{
+			ResourceAllRepos: true,
+			Scope:            auth.AccessTokenScopeReadRepository,
+		}
+		err := ValidateAuthorizedIntegration(ai, nil)
+		require.NoError(t, err)
+	})
+
+	t.Run("valid - specified repos", func(t *testing.T) {
+		ai := &auth.AuthorizedIntegration{
+			ResourceAllRepos: false,
+			Scope:            auth.AccessTokenScopeReadRepository,
+		}
+		resources := []*auth.AuthorizedIntegResourceRepo{{RepoID: 12}}
+		err := ValidateAuthorizedIntegration(ai, resources)
+		require.NoError(t, err)
+	})
+
+	t.Run("invalid - no specified repos", func(t *testing.T) {
+		ai := &auth.AuthorizedIntegration{
+			ResourceAllRepos: false,
+			Scope:            auth.AccessTokenScopeReadRepository,
+		}
+		resources := []*auth.AuthorizedIntegResourceRepo{}
+		err := ValidateAuthorizedIntegration(ai, resources)
+		require.ErrorIs(t, err, ErrSpecifiedReposNone)
+	})
+
+	t.Run("invalid - specified repos & public-only", func(t *testing.T) {
+		ai := &auth.AuthorizedIntegration{
+			ResourceAllRepos: false,
+			Scope:            auth.AccessTokenScope(strings.Join([]string{string(auth.AccessTokenScopePublicOnly), string(auth.AccessTokenScopeReadRepository)}, ",")),
+		}
+		resources := []*auth.AuthorizedIntegResourceRepo{{RepoID: 12}}
+		err := ValidateAuthorizedIntegration(ai, resources)
+		require.ErrorIs(t, err, ErrSpecifiedReposNoPublicOnly)
+	})
+
+	t.Run("invalid - specified repos unsupported scopes", func(t *testing.T) {
+		ai := &auth.AuthorizedIntegration{
+			ResourceAllRepos: false,
+			Scope:            auth.AccessTokenScopeReadAdmin,
+		}
+		resources := []*auth.AuthorizedIntegResourceRepo{{RepoID: 12}}
+		err := ValidateAuthorizedIntegration(ai, resources)
+		require.ErrorIs(t, err, ErrSpecifiedReposInvalidScope)
+		require.ErrorContains(t, err, string(auth.AccessTokenScopeReadAdmin))
+	})
+}

From 733a390ecd1609a72f4123c9ab5101b85f3437e9 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Wed, 29 Apr 2026 05:26:22 +0200
Subject: [PATCH 186/287] fix: verify PR author has write access to head to
 support allow maintainers edit (#12292)

When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.

Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12292
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
---
 models/issues/pull_list.go            |  47 +++++++++++-
 release-notes/12293.md                |   1 +
 release-notes/12294.md                |   1 +
 release-notes/12295.md                |   1 +
 services/pull/pull.go                 |   4 +-
 tests/integration/pull_update_test.go | 102 ++++++++++++++++++++++++++
 6 files changed, 153 insertions(+), 3 deletions(-)
 create mode 100644 release-notes/12293.md
 create mode 100644 release-notes/12294.md
 create mode 100644 release-notes/12295.md

diff --git a/models/issues/pull_list.go b/models/issues/pull_list.go
index 861ccace81..10e39c6a49 100644
--- a/models/issues/pull_list.go
+++ b/models/issues/pull_list.go
@@ -73,7 +73,7 @@ func GetUnmergedPullRequestsByHeadInfoMax(ctx context.Context, repoID, olderThan
 }
 
 // GetUnmergedPullRequestsByHeadInfo returns all pull requests that are open and has not been merged
-func GetUnmergedPullRequestsByHeadInfo(ctx context.Context, repoID int64, branch string) ([]*PullRequest, error) {
+func GetUnmergedPullRequestsByHeadInfo(ctx context.Context, repoID int64, branch string) (PullRequestList, error) {
 	prs := make([]*PullRequest, 0, 2)
 	sess := db.GetEngine(ctx).
 		Join("INNER", "issue", "issue.id = pull_request.issue_id").
@@ -92,18 +92,44 @@ func CanMaintainerWriteToBranch(ctx context.Context, p access_model.Permission,
 	}
 
 	prs, err := GetUnmergedPullRequestsByHeadInfo(ctx, p.Units[0].RepoID, branch)
+	// All these error cases return `false` to defer to the safer choice of not allowing write access on an error.
 	if err != nil {
+		log.Error("GetUnmergedPullRequestsByHeadInfo failed: %s", err)
+		return false
+	} else if issues, err := prs.LoadIssues(ctx); err != nil {
+		log.Error("LoadIssues failed: %s", err)
+		return false
+	} else if err := issues.LoadPosters(ctx); err != nil {
+		log.Error("LoadPosters failed: %s", err)
+		return false
+	} else if err := prs.LoadHeadRepos(ctx); err != nil {
+		log.Error("LoadHeadRepos failed: %s", err)
 		return false
 	}
 
 	for _, pr := range prs {
 		if pr.AllowMaintainerEdit {
+			// PR Poster must have write access to the head, so that when they turned on "AllowMaintainerEdit" they
+			// delegated that write access to the maintainers of the PR base.  If they don't currently have write
+			// access, they can't delegate that access.
+			poster := pr.Issue.Poster
+			posterHeadPerm, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, poster)
+			if err != nil {
+				log.Error("GetUserRepoPermission failed: %s", err)
+				continue
+			}
+			if !posterHeadPerm.CanWrite(unit.TypeCode) {
+				continue
+			}
+
 			err = pr.LoadBaseRepo(ctx)
 			if err != nil {
+				log.Error("LoadBaseRepo failed: %s", err)
 				continue
 			}
 			prPerm, err := access_model.GetUserRepoPermission(ctx, pr.BaseRepo, user)
 			if err != nil {
+				log.Error("GetUserRepoPermission failed: %s", err)
 				continue
 			}
 			if prPerm.CanWrite(unit.TypeCode) {
@@ -250,6 +276,25 @@ func (prs PullRequestList) LoadIssues(ctx context.Context) (IssueList, error) {
 	return issueList, nil
 }
 
+func (prs PullRequestList) LoadHeadRepos(ctx context.Context) error {
+	repoIDs := []int64{}
+	for _, pr := range prs {
+		repoIDs = append(repoIDs, pr.HeadRepoID)
+	}
+	repos, err := db.GetByIDs(ctx, "id", repoIDs, &repo_model.Repository{})
+	if err != nil {
+		return err
+	}
+	for _, pr := range prs {
+		repo, ok := repos[pr.HeadRepoID]
+		if !ok {
+			return fmt.Errorf("unable to find repo %d", pr.HeadRepoID)
+		}
+		pr.HeadRepo = repo
+	}
+	return nil
+}
+
 // GetIssueIDs returns all issue ids
 func (prs PullRequestList) GetIssueIDs() []int64 {
 	return container.FilterSlice(prs, func(pr *PullRequest) (int64, bool) {
diff --git a/release-notes/12293.md b/release-notes/12293.md
new file mode 100644
index 0000000000..0052eced48
--- /dev/null
+++ b/release-notes/12293.md
@@ -0,0 +1 @@
+When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.
diff --git a/release-notes/12294.md b/release-notes/12294.md
new file mode 100644
index 0000000000..0052eced48
--- /dev/null
+++ b/release-notes/12294.md
@@ -0,0 +1 @@
+When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.
diff --git a/release-notes/12295.md b/release-notes/12295.md
new file mode 100644
index 0000000000..0052eced48
--- /dev/null
+++ b/release-notes/12295.md
@@ -0,0 +1 @@
+When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.
diff --git a/services/pull/pull.go b/services/pull/pull.go
index 617d5d0806..7c078a0058 100644
--- a/services/pull/pull.go
+++ b/services/pull/pull.go
@@ -534,7 +534,7 @@ func CloseBranchPulls(ctx context.Context, doer *user_model.User, repoID int64,
 	}
 
 	prs = append(prs, prs2...)
-	if err := issues_model.PullRequestList(prs).LoadAttributes(ctx); err != nil {
+	if err := prs.LoadAttributes(ctx); err != nil {
 		return err
 	}
 
@@ -564,7 +564,7 @@ func CloseRepoBranchesPulls(ctx context.Context, doer *user_model.User, repo *re
 			return err
 		}
 
-		if err = issues_model.PullRequestList(prs).LoadAttributes(ctx); err != nil {
+		if err = prs.LoadAttributes(ctx); err != nil {
 			return err
 		}
 
diff --git a/tests/integration/pull_update_test.go b/tests/integration/pull_update_test.go
index 42f9e841e1..d013dfeb95 100644
--- a/tests/integration/pull_update_test.go
+++ b/tests/integration/pull_update_test.go
@@ -4,6 +4,7 @@
 package integration
 
 import (
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -130,6 +131,107 @@ func TestAPIPullUpdateBranchProtection(t *testing.T) {
 	})
 }
 
+func TestAPIPullAllowMaintainerEditRestrictedHead(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, giteaURL *url.URL) {
+		baseRepoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+		realBaseRepo, _, cleanup := tests.CreateDeclarativeRepo(t, baseRepoOwner, "base-repo", nil, nil, nil)
+		defer cleanup()
+
+		forkUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		forkRepo, err := repo_service.ForkRepositoryAndUpdates(t.Context(), forkUser, forkUser, repo_service.ForkRepoOptions{
+			BaseRepo:    realBaseRepo,
+			Name:        "repo-pr-update",
+			Description: "desc",
+		})
+		require.NoError(t, err)
+		assert.NotNil(t, forkRepo)
+
+		_, err = files_service.ChangeRepoFiles(git.DefaultContext, forkRepo, forkUser, &files_service.ChangeRepoFilesOptions{
+			Files: []*files_service.ChangeRepoFile{
+				{
+					Operation:     "create",
+					TreePath:      "File_B",
+					ContentReader: strings.NewReader("File B"),
+				},
+			},
+			Message:   "Add File on PR branch",
+			OldBranch: "main",
+			NewBranch: "main",
+			Author: &files_service.IdentityOptions{
+				Name:  forkUser.Name,
+				Email: forkUser.Email,
+			},
+			Committer: &files_service.IdentityOptions{
+				Name:  forkUser.Name,
+				Email: forkUser.Email,
+			},
+			Dates: &files_service.CommitDateOptions{
+				Author:    time.Now(),
+				Committer: time.Now(),
+			},
+		})
+		require.NoError(t, err)
+
+		// Create a pull request that is unexpectedly backwards -- normally we'd request a branch from the fork to be
+		// merged into the original base repo. But there's nothing preventing us from creating a pull request for the
+		// base to be pulled into the fork:
+
+		pullIssue := &issues_model.Issue{
+			RepoID:   forkRepo.ID,
+			Title:    "Pull Base into Fork",
+			PosterID: forkUser.ID,
+			Poster:   forkUser,
+			IsPull:   true,
+		}
+		pullRequest := &issues_model.PullRequest{
+			HeadRepoID:          realBaseRepo.ID,
+			BaseRepoID:          forkRepo.ID,
+			HeadBranch:          "main",
+			BaseBranch:          "main",
+			HeadRepo:            realBaseRepo,
+			BaseRepo:            forkRepo,
+			Type:                issues_model.PullRequestGitea,
+			AllowMaintainerEdit: true,
+		}
+		err = pull_service.NewPullRequest(git.DefaultContext, forkRepo, pullIssue, nil, nil, pullRequest, nil)
+		require.NoError(t, err)
+
+		// forkUser is the owner of forkRepo, and therefore a maintainer of forkRepo.  `AllowMaintainerEdit` should
+		// allow forkUser to edit the head of the PR... except that, in this case, the owner of the PR delegated that
+		// edit access but they never had that edit access.  Try to modify the head repo & branch to see.
+		session := loginUser(t, forkUser.LoginName)
+		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+
+		// Attempt modification by editing the realBase's main branch via API:
+		req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/contents/File_A", realBaseRepo.OwnerName, realBaseRepo.Name),
+			&api.CreateFileOptions{
+				FileOptions: api.FileOptions{
+					BranchName:    "main",
+					NewBranchName: "main",
+					Message:       "illegal change",
+					Author: api.Identity{
+						Name:  forkUser.FullName,
+						Email: forkUser.Email,
+					},
+					Committer: api.Identity{
+						Name:  forkUser.FullName,
+						Email: forkUser.Email,
+					},
+				},
+				ContentBase64: base64.StdEncoding.EncodeToString([]byte("Some content.")),
+			}).
+			AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusForbidden)
+
+		// Modify by "updating" the PR, which would pull the base into the head, even though we don't have access to
+		// write the head:
+		req = NewRequestf(t, "POST", "/api/v1/repos/%s/%s/pulls/%d/update", forkRepo.OwnerName, forkRepo.Name, pullIssue.Index).
+			AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusInternalServerError) // probably should be Forbidden
+	})
+}
+
 func TestAPIViewUpdateSettings(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, giteaURL *url.URL) {
 		// Create PR to test

From 7d2a9bb0fccba7606f5c128f29d40540802b2654 Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Date: Wed, 29 Apr 2026 14:36:54 +0200
Subject: [PATCH 187/287] chore(release-notes): Forgejo v11.0.13 [skip ci]
 (#12312)

https://codeberg.org/forgejo/forgejo/milestone/75468
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12312
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
---
 release-notes-published/11.0.13.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 release-notes-published/11.0.13.md

diff --git a/release-notes-published/11.0.13.md b/release-notes-published/11.0.13.md
new file mode 100644
index 0000000000..2db924f20b
--- /dev/null
+++ b/release-notes-published/11.0.13.md
@@ -0,0 +1,15 @@
+
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12295): <!--number 12295 --><!--line 0 --><!--description V2hlbiBhIHB1bGwgcmVxdWVzdCBpcyBvcGVuZWQsIHRoZSBhdXRob3IgaXMgYWJsZSB0byBtYXJrIHRoYXQgcHVsbCByZXF1ZXN0IHRvICJBbGxvdyBlZGl0cyBmcm9tIG1haW50YWluZXJzIiwgd2hpY2ggZ3JhbnRzIHRoZSBtYWludGFpbmVycyBvZiB0aGUgcHVsbCByZXF1ZXN0J3MgcmVwbyBhY2Nlc3MgdG8gZWRpdCB0aGUgcHVsbCByZXF1ZXN0IGJyYW5jaCBjb250ZW50cy4gIEl0IGlzIHBvc3NpYmxlIHRvIGNyZWF0ZSBhIHB1bGwgcmVxdWVzdCB3aGVyZSB0aGUgcHVsbCByZXF1ZXN0IGF1dGhvciBkb2VzIG5vdCBoYXZlIHRoZSBhYmlsaXR5IHRvIGVkaXQgdGhlIHB1bGwgcmVxdWVzdCBicmFuY2guICBEdWUgdG8gYSBtaXNzaW5nIHNlY3VyaXR5IGNoZWNrIGZvciB0aGlzIGNhc2UsIG1haW50YWluZXJzIG9mIHRoZSBwdWxsIHJlcXVlc3QgcmVwbyB3b3VsZCBiZSBncmFudGVkIHRoZSBhYmlsaXR5IHRvIGVkaXQgdGhlIHB1bGwgcmVxdWVzdCBicmFuY2gsIGV2ZW4gaWYgdGhlIGF1dGhvciBvZiB0aGUgcHVsbCByZXF1ZXN0IGRpZCBub3QgaGF2ZSB0aGF0IGFiaWxpdHkuICBCeSBleHBsb2l0aW5nIHRoaXMgbWlzc2luZyBzZWN1cml0eSBjaGVjaywgYSB1c2VyIGNhbiBlZGl0IGFueSBicmFuY2ggaW4gYSByZXBvc2l0b3J5IGlmIHRoZXkncmUgYWJsZSB0byBmb3JrIHRoYXQgcmVwb3NpdG9yeS4gIFRoZSBpc3N1ZSBpcyBiZWluZyBmaXhlZCBieSByZXN0cmljdGluZyB0aGUgc2NvcGUgb2YgIkFsbG93IGVkaXRzIGZyb20gbWFpbnRhaW5lcnMiIHRvIG9ubHkgZ3JhbnQgdGhhdCBhY2Nlc3MgaWYgdGhlIHB1bGwgcmVxdWVzdCBhdXRob3IgYWxzbyBoYWQgYWNjZXNzIHRvIGVkaXQgdGhlIGJyYW5jaC4=-->When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.<!--description-->
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12156) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12315)): <!--number 12315 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8tYnVpbGQtcHVibGlzaCBhY3Rpb24gdG8gdjUuNi4wIChmb3JnZWpvKQ==-->Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.6.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12253): <!--number 12253 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgcG9zdGNzcyB0byB2OC41LjEwIFtTRUNVUklUWV0gKHYxMS4wL2Zvcmdlam8p-->Update dependency postcss to v8.5.10 [SECURITY] (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12222): <!--number 12222 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzkuMCBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKQ==-->Update module golang.org/x/image to v0.39.0 [SECURITY] (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12175): <!--number 12175 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2dvLWdpdC9nby1naXQvdjUgdG8gdjUuMTguMCBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKSAtIGF1dG9jbG9zZWQ=-->Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (v11.0/forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12144) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12148)): <!--number 12148 --><!--line 0 --><!--description Zml4OiBtYWtlIC9yZXBvcy9zZWFyY2g/dWlkPS0yIHJldHVybiB6ZXJvIHJlc3VsdHMsIG5vIHJlcG9zIHdpdGggdGhhdCBvd25lcg==-->fix: make /repos/search?uid=-2 return zero results, no repos with that owner<!--description-->
+<!--end release-notes-assistant-->

From cc5f118af85b5fa9a0d371d8a6672cc0e907a2df Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Date: Wed, 29 Apr 2026 14:37:20 +0200
Subject: [PATCH 188/287] chore(release-notes): Forgejo v14.0.5 [skip ci]
 (#12313)

https://codeberg.org/forgejo/forgejo/milestone/75498
Co-authored-by: viceice <michael.kriese@gmx.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12313
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
---
 release-notes-published/14.0.5.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 release-notes-published/14.0.5.md

diff --git a/release-notes-published/14.0.5.md b/release-notes-published/14.0.5.md
new file mode 100644
index 0000000000..4794bfb96d
--- /dev/null
+++ b/release-notes-published/14.0.5.md
@@ -0,0 +1,17 @@
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12294): <!--number 12294 --><!--line 0 --><!--description V2hlbiBhIHB1bGwgcmVxdWVzdCBpcyBvcGVuZWQsIHRoZSBhdXRob3IgaXMgYWJsZSB0byBtYXJrIHRoYXQgcHVsbCByZXF1ZXN0IHRvICJBbGxvdyBlZGl0cyBmcm9tIG1haW50YWluZXJzIiwgd2hpY2ggZ3JhbnRzIHRoZSBtYWludGFpbmVycyBvZiB0aGUgcHVsbCByZXF1ZXN0J3MgcmVwbyBhY2Nlc3MgdG8gZWRpdCB0aGUgcHVsbCByZXF1ZXN0IGJyYW5jaCBjb250ZW50cy4gIEl0IGlzIHBvc3NpYmxlIHRvIGNyZWF0ZSBhIHB1bGwgcmVxdWVzdCB3aGVyZSB0aGUgcHVsbCByZXF1ZXN0IGF1dGhvciBkb2VzIG5vdCBoYXZlIHRoZSBhYmlsaXR5IHRvIGVkaXQgdGhlIHB1bGwgcmVxdWVzdCBicmFuY2guICBEdWUgdG8gYSBtaXNzaW5nIHNlY3VyaXR5IGNoZWNrIGZvciB0aGlzIGNhc2UsIG1haW50YWluZXJzIG9mIHRoZSBwdWxsIHJlcXVlc3QgcmVwbyB3b3VsZCBiZSBncmFudGVkIHRoZSBhYmlsaXR5IHRvIGVkaXQgdGhlIHB1bGwgcmVxdWVzdCBicmFuY2gsIGV2ZW4gaWYgdGhlIGF1dGhvciBvZiB0aGUgcHVsbCByZXF1ZXN0IGRpZCBub3QgaGF2ZSB0aGF0IGFiaWxpdHkuICBCeSBleHBsb2l0aW5nIHRoaXMgbWlzc2luZyBzZWN1cml0eSBjaGVjaywgYSB1c2VyIGNhbiBlZGl0IGFueSBicmFuY2ggaW4gYSByZXBvc2l0b3J5IGlmIHRoZXkncmUgYWJsZSB0byBmb3JrIHRoYXQgcmVwb3NpdG9yeS4gIFRoZSBpc3N1ZSBpcyBiZWluZyBmaXhlZCBieSByZXN0cmljdGluZyB0aGUgc2NvcGUgb2YgIkFsbG93IGVkaXRzIGZyb20gbWFpbnRhaW5lcnMiIHRvIG9ubHkgZ3JhbnQgdGhhdCBhY2Nlc3MgaWYgdGhlIHB1bGwgcmVxdWVzdCBhdXRob3IgYWxzbyBoYWQgYWNjZXNzIHRvIGVkaXQgdGhlIGJyYW5jaC4=-->When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.<!--description-->
+- Localization
+  - Backport of translations from Codeberg Translate: [#12305](https://codeberg.org/forgejo/forgejo/pulls/12305) (backport of [#12128](https://codeberg.org/forgejo/forgejo/pulls/12128))
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12156) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12316)): <!--number 12316 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8tYnVpbGQtcHVibGlzaCBhY3Rpb24gdG8gdjUuNi4wIChmb3JnZWpvKQ==-->Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.6.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12254): <!--number 12254 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgcG9zdGNzcyB0byB2OC41LjEwIFtTRUNVUklUWV0gKHYxNC4wL2Zvcmdlam8p-->Update dependency postcss to v8.5.10 [SECURITY] (v14.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12223): <!--number 12223 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzkuMCBbU0VDVVJJVFldICh2MTQuMC9mb3JnZWpvKQ==-->Update module golang.org/x/image to v0.39.0 [SECURITY] (v14.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12176): <!--number 12176 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ28tZ2l0L2dvLWdpdC92NSAoaW5kaXJlY3QpIHRvIHY1LjE4LjAgW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2VqbykgLSBhdXRvY2xvc2Vk-->Update github.com/go-git/go-git/v5 (indirect) to v5.18.0 [SECURITY] (v14.0/forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12133): <!--number 12133 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2phY2tjL3BneC92NSB0byB2NS45LjAgW1NFQ1VSSVRZXSAodjE0LjAvZm9yZ2Vqbyk=-->Update module github.com/jackc/pgx/v5 to v5.9.0 [SECURITY] (v14.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12144) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12149)): <!--number 12149 --><!--line 0 --><!--description Zml4OiBtYWtlIC9yZXBvcy9zZWFyY2g/dWlkPS0yIHJldHVybiB6ZXJvIHJlc3VsdHMsIG5vIHJlcG9zIHdpdGggdGhhdCBvd25lcg==-->fix: make /repos/search?uid=-2 return zero results, no repos with that owner<!--description-->
+<!--end release-notes-assistant-->

From 993b419fe3e9dd4125968b64388b9cd9fd81f753 Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Date: Wed, 29 Apr 2026 14:37:45 +0200
Subject: [PATCH 189/287] chore(release-notes): Forgejo v15.0.1 (#12314)

https://codeberg.org/forgejo/forgejo/milestone/76566
Co-authored-by: viceice <michael.kriese@gmx.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12314
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
---
 release-notes-published/15.0.1.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 release-notes-published/15.0.1.md

diff --git a/release-notes-published/15.0.1.md b/release-notes-published/15.0.1.md
new file mode 100644
index 0000000000..4d05ed923c
--- /dev/null
+++ b/release-notes-published/15.0.1.md
@@ -0,0 +1,29 @@
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12293): <!--number 12293 --><!--line 0 --><!--description V2hlbiBhIHB1bGwgcmVxdWVzdCBpcyBvcGVuZWQsIHRoZSBhdXRob3IgaXMgYWJsZSB0byBtYXJrIHRoYXQgcHVsbCByZXF1ZXN0IHRvICJBbGxvdyBlZGl0cyBmcm9tIG1haW50YWluZXJzIiwgd2hpY2ggZ3JhbnRzIHRoZSBtYWludGFpbmVycyBvZiB0aGUgcHVsbCByZXF1ZXN0J3MgcmVwbyBhY2Nlc3MgdG8gZWRpdCB0aGUgcHVsbCByZXF1ZXN0IGJyYW5jaCBjb250ZW50cy4gIEl0IGlzIHBvc3NpYmxlIHRvIGNyZWF0ZSBhIHB1bGwgcmVxdWVzdCB3aGVyZSB0aGUgcHVsbCByZXF1ZXN0IGF1dGhvciBkb2VzIG5vdCBoYXZlIHRoZSBhYmlsaXR5IHRvIGVkaXQgdGhlIHB1bGwgcmVxdWVzdCBicmFuY2guICBEdWUgdG8gYSBtaXNzaW5nIHNlY3VyaXR5IGNoZWNrIGZvciB0aGlzIGNhc2UsIG1haW50YWluZXJzIG9mIHRoZSBwdWxsIHJlcXVlc3QgcmVwbyB3b3VsZCBiZSBncmFudGVkIHRoZSBhYmlsaXR5IHRvIGVkaXQgdGhlIHB1bGwgcmVxdWVzdCBicmFuY2gsIGV2ZW4gaWYgdGhlIGF1dGhvciBvZiB0aGUgcHVsbCByZXF1ZXN0IGRpZCBub3QgaGF2ZSB0aGF0IGFiaWxpdHkuICBCeSBleHBsb2l0aW5nIHRoaXMgbWlzc2luZyBzZWN1cml0eSBjaGVjaywgYSB1c2VyIGNhbiBlZGl0IGFueSBicmFuY2ggaW4gYSByZXBvc2l0b3J5IGlmIHRoZXkncmUgYWJsZSB0byBmb3JrIHRoYXQgcmVwb3NpdG9yeS4gIFRoZSBpc3N1ZSBpcyBiZWluZyBmaXhlZCBieSByZXN0cmljdGluZyB0aGUgc2NvcGUgb2YgIkFsbG93IGVkaXRzIGZyb20gbWFpbnRhaW5lcnMiIHRvIG9ubHkgZ3JhbnQgdGhhdCBhY2Nlc3MgaWYgdGhlIHB1bGwgcmVxdWVzdCBhdXRob3IgYWxzbyBoYWQgYWNjZXNzIHRvIGVkaXQgdGhlIGJyYW5jaC4=-->When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.<!--description-->
+- Localization
+  - Backport of translations from Codeberg Translate: [#12306](https://codeberg.org/forgejo/forgejo/pulls/12306) (backport of [#12128](https://codeberg.org/forgejo/forgejo/pulls/12128))
+- Bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11685) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12171)): <!--number 12171 --><!--line 0 --><!--description Zml4OiBhbHdheXMgaW5jbHVkZSBmaWxlcyBzZXQgdG8gYmUgZGV0ZWN0YWJsZSBmb3IgbGFuZ3VhZ2Ugc3RhdHM=-->fix: always include files set to be detectable for language stats<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12079) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12166)): <!--number 12166 --><!--line 0 --><!--description RXhjbHVkZSBTU0ggY2VydGlmaWNhdGUgcHJpbmNpcGFscyBmcm9tIG91dHB1dCB3aGVuIHZpZXdpbmcgdXNlcidzIFNTSCBrZXlz-->Exclude SSH certificate principals from output when viewing user's SSH keys<!--description-->
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12156) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12317)): <!--number 12317 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8tYnVpbGQtcHVibGlzaCBhY3Rpb24gdG8gdjUuNi4wIChmb3JnZWpvKQ==-->Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.6.0 (forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12271) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12272)): <!--number 12272 --><!--line 0 --><!--description Zml4OiBhbGxvdyB2aWV3aW5nIEFjdGlvbnMgcnVuIHRyaWdnZXJlZCBieSBkZWxldGVkIHVzZXI=-->fix: allow viewing Actions run triggered by deleted user<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12255): <!--number 12255 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgcG9zdGNzcyB0byB2OC41LjEwIFtTRUNVUklUWV0gKHYxNS4wL2Zvcmdlam8p-->Update dependency postcss to v8.5.10 [SECURITY] (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12235): <!--number 12235 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL2phY2tjL3BneC92NSB0byB2NS45LjIgW1NFQ1VSSVRZXSAodjE1LjAvZm9yZ2Vqbyk=-->Update module github.com/jackc/pgx/v5 to v5.9.2 [SECURITY] (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12227) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12233)): <!--number 12233 --><!--line 0 --><!--description Zml4OiBjb21wYXJlIGJyYW5jaGVzIHdpdGggbmFtZXMgYGRpZmZgIG9yIGBwYXRjaGA=-->fix: compare branches with names `diff` or `patch`<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12224) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12229)): <!--number 12229 --><!--line 0 --><!--description Zml4OiByZXNvbHZlIG91dGVyIHdvcmtmbG93IGNhbGwgdG8gc3VjY2Vzcywgbm90IGZhaWx1cmUsIG9uIGlubmVyIGpvYiBza2lw-->fix: resolve outer workflow call to success, not failure, on inner job skip<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12218): <!--number 12218 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvaW1hZ2UgdG8gdjAuMzkuMCAodjE1LjAvZm9yZ2Vqbyk=-->Update module golang.org/x/image to v0.39.0 (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12213) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12216)): <!--number 12216 --><!--line 0 --><!--description Zml4OiBzZWNyZXQgbmFtZS1wcmVmaXggcmVnZXg=-->fix: secret name-prefix regex<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12214) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12215)): <!--number 12215 --><!--line 0 --><!--description Zml4KHVpKTogYWxsb3cgY3JlYXRpbmcgZmlsZXMgd2l0aCBuYW1lIHN0YXJ0aW5nIHdpdGggZGFzaA==-->fix(ui): allow creating files with name starting with dash<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12151) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12199)): <!--number 12199 --><!--line 0 --><!--description Zml4OiBDb2RlTWlycm9yIGUyZSB0ZXN0-->fix: CodeMirror e2e test<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12183) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12185)): <!--number 12185 --><!--line 0 --><!--description Zml4KGkxOG4pOiBkb24ndCBsb2cgaGFybWxlc3MgbWlzc2luZyB0cmFuc2xhdGlvbnMgYXMgZXJyb3Jz-->fix(i18n): don't log harmless missing translations as errors<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12177): <!--number 12177 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ28tZ2l0L2dvLWdpdC92NSAoaW5kaXJlY3QpIHRvIHY1LjE4LjAgW1NFQ1VSSVRZXSAodjE1LjAvZm9yZ2VqbykgLSBhdXRvY2xvc2Vk-->Update github.com/go-git/go-git/v5 (indirect) to v5.18.0 [SECURITY] (v15.0/forgejo) - autoclosed<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12154): <!--number 12154 --><!--line 0 --><!--description Y2hvcmU6IGJ1bXAgeG9ybSB0byB2MS4zLjktZm9yZ2Vqby4xMQ==-->chore: bump xorm to v1.3.9-forgejo.11<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12144) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12150)): <!--number 12150 --><!--line 0 --><!--description Zml4OiBtYWtlIC9yZXBvcy9zZWFyY2g/dWlkPS0yIHJldHVybiB6ZXJvIHJlc3VsdHMsIG5vIHJlcG9zIHdpdGggdGhhdCBvd25lcg==-->fix: make /repos/search?uid=-2 return zero results, no repos with that owner<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12143) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12147)): <!--number 12147 --><!--line 0 --><!--description Zml4OiBjb250aW51ZWQgQVBJIHJlc3BvbnNlIHByb2Nlc3NpbmcgYWZ0ZXIgZXJyb3IgaW4gYC9yZXBvcy9zZWFyY2hgIEFQSQ==-->fix: continued API response processing after error in `/repos/search` API<!--description-->
+<!--end release-notes-assistant-->

From be3fe4ff60c85f5c8749c16325b9e804ad0d951a Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Wed, 29 Apr 2026 19:13:01 +0200
Subject: [PATCH 190/287] feat: allow Authorized Integrations to authenticate
 to Forgejo's package registries (#12310)

Enables and tests the usage of Authorized Integrations to access the package registries.  Specific testing includes:
- Container registry -- automated testing and manual testing
- Generic registry, w/ detailed authorization tests -- automated testing
- Conan registry -- automated testing (uses an "authenticate" endpoint that required updates)
- npm registry -- manual testing with a Forgejo Action publishing packages

For the container & conan registeries, where the client uses an authentication endpoint to request a temporary access token, the expiry of the temporary access token is restricted to the expiry of the authorized integration's JWT for the authorized integration in order to prevent an escalation of privileges.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12310
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 routers/api/packages/api.go                   |  6 +++
 routers/api/packages/conan/conan.go           |  3 +-
 routers/api/packages/container/container.go   |  3 +-
 services/auth/interface.go                    |  9 ++++
 .../auth_result_authorized_integration.go     | 12 ++++--
 .../auth/method/authorized_integration.go     | 16 ++++++--
 .../method/authorized_integration_test.go     | 35 ++++++++++++----
 services/packages/auth.go                     | 13 +++++-
 tests/integration/api_packages_conan_test.go  | 39 ++++++++++++++++++
 .../api_packages_container_test.go            | 22 ++++++++++
 tests/integration/api_packages_test.go        | 41 +++++++++++++++++--
 11 files changed, 178 insertions(+), 21 deletions(-)

diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index 4a35948eca..7106521e85 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -199,6 +199,7 @@ func CommonRoutes() *web.Route {
 		&nuget.Auth{},
 		&conan.Auth{},
 		&chef.Auth{},
+		&auth_method.AuthorizedIntegration{},
 	})
 
 	r.Group("/{username}", func() {
@@ -845,6 +846,11 @@ func ContainerRoutes() *web.Route {
 		&auth_method.ActionRuntimeToken{},
 		&auth_method.ActionTaskToken{},
 		&container.Auth{},
+		&auth_method.AuthorizedIntegration{
+			// `docker login` can't send a bearer token, so enable reading a token from the password field of
+			// `Authorization: Basic ...`.
+			PermitBasic: true,
+		},
 	})
 
 	r.Get("", container.ReqContainerAccess, container.DetermineSupport)
diff --git a/routers/api/packages/conan/conan.go b/routers/api/packages/conan/conan.go
index cc894aec2f..5829c432ad 100644
--- a/routers/api/packages/conan/conan.go
+++ b/routers/api/packages/conan/conan.go
@@ -119,8 +119,9 @@ func Authenticate(ctx *context.Context) {
 
 	// If there's an API scope, ensure it propagates.
 	scope := ctx.Authentication.Scope().ValueOrZeroValue()
+	exp := ctx.Authentication.ExpiresAt()
 
-	token, err := packages_service.CreateAuthorizationToken(ctx.Doer, scope)
+	token, err := packages_service.CreateAuthorizationToken(ctx.Doer, scope, exp)
 	if err != nil {
 		apiError(ctx, http.StatusInternalServerError, err)
 		return
diff --git a/routers/api/packages/container/container.go b/routers/api/packages/container/container.go
index eb81773b4c..df14ca6280 100644
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
@@ -158,8 +158,9 @@ func Authenticate(ctx *context.Context) {
 
 	// If there's an API scope, ensure it propagates.
 	scope := ctx.Authentication.Scope().ValueOrZeroValue()
+	exp := ctx.Authentication.ExpiresAt()
 
-	token, err := packages_service.CreateAuthorizationToken(u, scope)
+	token, err := packages_service.CreateAuthorizationToken(u, scope, exp)
 	if err != nil {
 		apiError(ctx, http.StatusInternalServerError, err)
 		return
diff --git a/services/auth/interface.go b/services/auth/interface.go
index a5ed33a79b..ca0bb661ba 100644
--- a/services/auth/interface.go
+++ b/services/auth/interface.go
@@ -11,6 +11,7 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/optional"
 	"forgejo.org/modules/session"
+	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/web/middleware"
 	"forgejo.org/services/authz"
 )
@@ -104,6 +105,10 @@ type AuthenticationResult interface {
 	// If authenticated as an Actions task (using ${{ forgejo.token }}), then indicates the specific task that performed
 	// the authentication.
 	ActionsTaskID() optional.Option[int64]
+
+	// If the authentication method used has a limited time validity, such as a JWT with an `exp` claim, that expiry
+	// time can be accessed through this method.  Otherwise, returns None.
+	ExpiresAt() optional.Option[timeutil.TimeStamp]
 }
 
 type BaseAuthenticationResult struct{}
@@ -132,6 +137,10 @@ func (*BaseAuthenticationResult) Scope() optional.Option[auth_model.AccessTokenS
 	return optional.None[auth_model.AccessTokenScope]()
 }
 
+func (*BaseAuthenticationResult) ExpiresAt() optional.Option[timeutil.TimeStamp] {
+	return optional.None[timeutil.TimeStamp]()
+}
+
 type UnauthenticatedResult struct {
 	*BaseAuthenticationResult
 }
diff --git a/services/auth/method/auth_result_authorized_integration.go b/services/auth/method/auth_result_authorized_integration.go
index 55efa95d18..aed06e76a3 100644
--- a/services/auth/method/auth_result_authorized_integration.go
+++ b/services/auth/method/auth_result_authorized_integration.go
@@ -7,6 +7,7 @@ import (
 	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/optional"
+	"forgejo.org/modules/timeutil"
 	"forgejo.org/services/auth"
 	"forgejo.org/services/authz"
 )
@@ -15,9 +16,10 @@ var _ auth.AuthenticationResult = &authorizedIntegrationAuthenticationResult{}
 
 type authorizedIntegrationAuthenticationResult struct {
 	*auth.BaseAuthenticationResult
-	user    *user_model.User
-	scope   auth_model.AccessTokenScope
-	reducer authz.AuthorizationReducer
+	user      *user_model.User
+	scope     auth_model.AccessTokenScope
+	reducer   authz.AuthorizationReducer
+	expiresAt optional.Option[timeutil.TimeStamp]
 }
 
 func (r *authorizedIntegrationAuthenticationResult) User() *user_model.User {
@@ -31,3 +33,7 @@ func (r *authorizedIntegrationAuthenticationResult) Scope() optional.Option[auth
 func (r *authorizedIntegrationAuthenticationResult) Reducer() authz.AuthorizationReducer {
 	return r.reducer
 }
+
+func (r *authorizedIntegrationAuthenticationResult) ExpiresAt() optional.Option[timeutil.TimeStamp] {
+	return r.expiresAt
+}
diff --git a/services/auth/method/authorized_integration.go b/services/auth/method/authorized_integration.go
index f908780e09..368e1fe036 100644
--- a/services/auth/method/authorized_integration.go
+++ b/services/auth/method/authorized_integration.go
@@ -22,8 +22,10 @@ import (
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/jwtx"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/proxy"
 	"forgejo.org/modules/setting"
+	"forgejo.org/modules/timeutil"
 	"forgejo.org/modules/util"
 	"forgejo.org/services/auth"
 	"forgejo.org/services/authz"
@@ -212,11 +214,19 @@ func (a *AuthorizedIntegration) Verify(req *http.Request, w http.ResponseWriter,
 		return &auth.AuthenticationError{Error: fmt.Errorf("authorized integration GetAuthorizationReducerForAuthorizedIntegration: %w", err)}
 	}
 
+	var optionalExp optional.Option[timeutil.TimeStamp]
+	if exp, err := parsedToken.Claims.GetExpirationTime(); err != nil {
+		return &auth.AuthenticationError{Error: fmt.Errorf("authorized integration GetExpirationTime: %w", err)}
+	} else if exp != nil {
+		optionalExp = optional.Some(timeutil.TimeStamp(exp.Unix()))
+	}
+
 	return &auth.AuthenticationSuccess{
 		Result: &authorizedIntegrationAuthenticationResult{
-			user:    u,
-			scope:   authorizedIntegration.Scope,
-			reducer: reducer,
+			user:      u,
+			scope:     authorizedIntegration.Scope,
+			reducer:   reducer,
+			expiresAt: optionalExp,
 		},
 	}
 }
diff --git a/services/auth/method/authorized_integration_test.go b/services/auth/method/authorized_integration_test.go
index 28524b7a6c..16b09ae9ad 100644
--- a/services/auth/method/authorized_integration_test.go
+++ b/services/auth/method/authorized_integration_test.go
@@ -19,6 +19,7 @@ import (
 	"forgejo.org/modules/jwtx"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/test"
+	"forgejo.org/modules/timeutil"
 	"forgejo.org/services/auth"
 
 	mc "code.forgejo.org/go-chi/cache"
@@ -255,6 +256,8 @@ func TestAuthorizedIntegration(t *testing.T) {
 		assert.True(t, hasScope)
 		assert.Equal(t, auth_model.AccessTokenScopeAll, scope)
 		assert.NotNil(t, res.Reducer())
+		hasExpiry, _ := res.ExpiresAt().Get()
+		assert.False(t, hasExpiry)
 	})
 
 	t.Run("valid Basic JWT", func(t *testing.T) {
@@ -280,14 +283,30 @@ func TestAuthorizedIntegration(t *testing.T) {
 	})
 
 	t.Run("JWT expiry", func(t *testing.T) {
-		ait := newAITester(t,
-			claimTweak(func(rc *flexibleClaims) {
-				rc.ExpiresAt = jwt.NewNumericDate(time.Date(2026, time.January, 1, 12, 0, 0, 0, time.Local))
-			}))
-		defer ait.close()
-		output := ait.bearerRequest()
-		err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
-		require.ErrorContains(t, err, "token is expired")
+		t.Run("JWT expired", func(t *testing.T) {
+			ait := newAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.ExpiresAt = jwt.NewNumericDate(time.Date(2026, time.January, 1, 12, 0, 0, 0, time.Local))
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "token is expired")
+		})
+
+		t.Run("JWT will expire", func(t *testing.T) {
+			ait := newAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.ExpiresAt = jwt.NewNumericDate(time.Date(2026, time.January, 1, 20, 0, 0, 0, time.UTC))
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			success := requireOutput[*auth.AuthenticationSuccess](t, output)
+			res := success.Result
+			hasExpiry, expiry := res.ExpiresAt().Get()
+			assert.True(t, hasExpiry)
+			assert.Equal(t, timeutil.TimeStamp(1767297600), expiry)
+		})
 	})
 
 	t.Run("JWT issued at", func(t *testing.T) {
diff --git a/services/packages/auth.go b/services/packages/auth.go
index 205125cf8b..9b5ee9f627 100644
--- a/services/packages/auth.go
+++ b/services/packages/auth.go
@@ -13,7 +13,9 @@ import (
 	auth_model "forgejo.org/models/auth"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
+	"forgejo.org/modules/timeutil"
 
 	"github.com/golang-jwt/jwt/v5"
 )
@@ -24,12 +26,19 @@ type packageClaims struct {
 	Scope  auth_model.AccessTokenScope
 }
 
-func CreateAuthorizationToken(u *user_model.User, scope auth_model.AccessTokenScope) (string, error) {
+func CreateAuthorizationToken(u *user_model.User, scope auth_model.AccessTokenScope, maxExpiry optional.Option[timeutil.TimeStamp]) (string, error) {
 	now := time.Now()
 
+	// Don't allow package registry authentication to create a credential that exceeds the lifetime of whatever
+	// credential was used to authenticate; cap it at the incoming credential's expiry.
+	expiry := now.Add(24 * time.Hour)
+	if has, maxExp := maxExpiry.Get(); has && expiry.Unix() > maxExp.AsTime().Unix() {
+		expiry = maxExp.AsTime()
+	}
+
 	claims := packageClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),
+			ExpiresAt: jwt.NewNumericDate(expiry),
 			NotBefore: jwt.NewNumericDate(now),
 		},
 		UserID: u.ID,
diff --git a/tests/integration/api_packages_conan_test.go b/tests/integration/api_packages_conan_test.go
index 0e4e4a75e3..4184762e71 100644
--- a/tests/integration/api_packages_conan_test.go
+++ b/tests/integration/api_packages_conan_test.go
@@ -563,6 +563,45 @@ func TestPackageConan(t *testing.T) {
 			})
 		})
 
+		t.Run("Authorized Integration Authentication", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			testCase := func(t *testing.T, scope auth_model.AccessTokenScope, expectedStatusCode int) {
+				t.Helper()
+
+				ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
+					ai.Scope = scope
+				})
+				defer ait.close()
+				token := ait.signedJWT()
+
+				req := NewRequest(t, "GET", fmt.Sprintf("%s/v2/users/authenticate", url)).
+					AddTokenAuth(token)
+				resp := MakeRequest(t, req, http.StatusOK)
+
+				body := resp.Body.String()
+				assert.NotEmpty(t, body)
+
+				recipeURL := fmt.Sprintf("%s/v2/conans/%s/%s/%s/%s/revisions/%s", url, "TestScope", version1, "testing", channel1, revision1)
+
+				req = NewRequestWithBody(t, "PUT", fmt.Sprintf("%s/files/%s", recipeURL, conanfileName), strings.NewReader("Doesn't need to be valid")).
+					AddTokenAuth("Bearer " + body)
+				MakeRequest(t, req, expectedStatusCode)
+			}
+
+			t.Run("Read permission", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				testCase(t, auth_model.AccessTokenScopeReadPackage, http.StatusUnauthorized)
+			})
+
+			t.Run("Write permission", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+
+				testCase(t, auth_model.AccessTokenScopeWritePackage, http.StatusCreated)
+			})
+		})
+
 		t.Run("Authenticate", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index 70e3f40d6c..550436990a 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@@ -198,6 +198,28 @@ func TestPackageContainer(t *testing.T) {
 
 			assert.Empty(t, resp.Header().Get("WWW-Authenticate"))
 		})
+
+		t.Run("Basic authentication w/ Authorized Integration", func(t *testing.T) {
+			ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
+				ai.Scope = auth_model.AccessTokenScopeReadPackage
+			})
+			defer ait.close()
+			token := ait.signedJWT()
+
+			req := NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL))
+			req.SetBasicAuth(user.Name, token)
+
+			resp := MakeRequest(t, req, http.StatusOK)
+
+			tokenResponse := &TokenResponse{}
+			DecodeJSON(t, resp, &tokenResponse)
+
+			assert.NotEmpty(t, tokenResponse.Token)
+
+			req = NewRequest(t, "GET", fmt.Sprintf("%sv2", setting.AppURL)).
+				AddTokenAuth(fmt.Sprintf("Bearer %s", tokenResponse.Token))
+			MakeRequest(t, req, http.StatusOK)
+		})
 	})
 
 	t.Run("DetermineSupport", func(t *testing.T) {
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
index e79f977c86..904ae4f065 100644
--- a/tests/integration/api_packages_test.go
+++ b/tests/integration/api_packages_test.go
@@ -417,9 +417,44 @@ func TestPackageAccess(t *testing.T) {
 			{limitedOrgNoMember, http.StatusOK},
 			{publicOrgNoMember, http.StatusOK},
 		} {
-			req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s", target.Owner.Name)).
-				AddTokenAuth(tokenReadPackage)
-			MakeRequest(t, req, target.ExpectedStatus)
+			t.Run(target.Owner.Name, func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s", target.Owner.Name)).
+					AddTokenAuth(tokenReadPackage)
+				MakeRequest(t, req, target.ExpectedStatus)
+			})
+		}
+	})
+
+	t.Run("Authorized Integration", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		ait := newAITester(t, func(ai *auth_model.AuthorizedIntegration) {
+			ai.Scope = auth_model.AccessTokenScopeReadPackage
+			ai.UserID = user.ID
+		})
+		defer ait.close()
+		token := ait.signedJWT()
+
+		for _, target := range []Target{
+			{admin, http.StatusOK},
+			{inactive, http.StatusOK},
+			{user, http.StatusOK},
+			{limitedUser, http.StatusOK},
+			{privateUser, http.StatusForbidden},
+			{privateOrgMember, http.StatusOK},
+			{limitedOrgMember, http.StatusOK},
+			{publicOrgMember, http.StatusOK},
+			{privateOrgNoMember, http.StatusForbidden},
+			{limitedOrgNoMember, http.StatusOK},
+			{publicOrgNoMember, http.StatusOK},
+		} {
+			t.Run(target.Owner.Name, func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s", target.Owner.Name)).
+					AddTokenAuth(token)
+				MakeRequest(t, req, target.ExpectedStatus)
+			})
 		}
 	})
 }

From bc7c8e3c845de4e789d6dfe0285889dbd3e6fc11 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Wed, 29 Apr 2026 19:49:55 +0200
Subject: [PATCH 191/287] fix: markdown rendering panic when code blocks do not
 have languages (#12325)

When attempting to render a markdown code block that does not have a language set in it, Forgejo will fail to render and log an error:
```
2026/04/29 08:47:47 ...markdown/markdown.go:162:func1() [W] Unable to render markdown due to panic in goldmark: runtime error: invalid memory address or nil pointer dereference
```

This is a regression introduced by #12056.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
    - pre-release regression

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12325
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 modules/markup/markdown/markdown_test.go            | 8 ++++++++
 modules/markup/markdown/transform_codeblock_lang.go | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/modules/markup/markdown/markdown_test.go b/modules/markup/markdown/markdown_test.go
index fc4a515f72..1f75799900 100644
--- a/modules/markup/markdown/markdown_test.go
+++ b/modules/markup/markdown/markdown_test.go
@@ -1511,4 +1511,12 @@ func TestCodeblockLanguageStripping(t *testing.T) {
 			"```",
 		`<pre class="code-block"><code class="chroma language-rust display"><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{}</span><span class="w">
 </span></code></pre>`)
+
+	// No language identifier
+	test(
+		"```\n"+
+			"fn main() {}\n"+
+			"```",
+		`<pre class="code-block"><code class="chroma language-text display">fn main() {}
+</code></pre>`)
 }
diff --git a/modules/markup/markdown/transform_codeblock_lang.go b/modules/markup/markdown/transform_codeblock_lang.go
index 2c90373c4e..5263ec4ffc 100644
--- a/modules/markup/markdown/transform_codeblock_lang.go
+++ b/modules/markup/markdown/transform_codeblock_lang.go
@@ -11,6 +11,9 @@ import (
 )
 
 func (g *ASTTransformer) transformCodeblockLanguage(v *ast.FencedCodeBlock, reader text.Reader) {
+	if v.Info == nil {
+		return
+	}
 	src := reader.Source()
 	info := v.Info.Segment.Value(src)
 	// Strip language after commas

From 32c9bbee082645d4cf717d0f1e01776373aee683 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 30 Apr 2026 03:05:44 +0200
Subject: [PATCH 192/287] Update data.forgejo.org/forgejo/forgejo Docker tag to
 v11.0.13 (forgejo) (#12336)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12336
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 .forgejo/workflows/build-release-integration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/build-release-integration.yml b/.forgejo/workflows/build-release-integration.yml
index 723af018c4..dca71823b8 100644
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@@ -2,7 +2,7 @@ name: Integration tests for the release process
 enable-email-notifications: true
 
 env:
-  FORGEJO_VERSION: 11.0.12 # renovate: datasource=docker depName=data.forgejo.org/forgejo/forgejo
+  FORGEJO_VERSION: 11.0.13 # renovate: datasource=docker depName=data.forgejo.org/forgejo/forgejo
 
 on:
   push:

From fd0a2086b0a0ffc7539fbaa46b5f7682ef94d482 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 30 Apr 2026 03:31:02 +0200
Subject: [PATCH 193/287] Update dependency postcss to v8.5.12 (forgejo)
 (#12337)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12337
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index aecd83767d..a6a5d2941e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -59,7 +59,7 @@
         "mini-css-extract-plugin": "2.10.0",
         "minimatch": "10.2.5",
         "pdfobject": "2.3.0",
-        "postcss": "8.5.10",
+        "postcss": "8.5.12",
         "postcss-loader": "8.2.1",
         "postcss-nesting": "14.0.0",
         "pretty-ms": "9.0.0",
@@ -12965,9 +12965,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.5.10",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.10.tgz",
-      "integrity": "sha512-pMMHxBOZKFU6HgAZ4eyGnwXF/EvPGGqUr0MnZ5+99485wwW41kW91A4LOGxSHhgugZmSChL5AlElNdwlNgcnLQ==",
+      "version": "8.5.12",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz",
+      "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==",
       "funding": [
         {
           "type": "opencollective",
diff --git a/package.json b/package.json
index 74114e03f4..1dcd4f24a5 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
     "mini-css-extract-plugin": "2.10.0",
     "minimatch": "10.2.5",
     "pdfobject": "2.3.0",
-    "postcss": "8.5.10",
+    "postcss": "8.5.12",
     "postcss-loader": "8.2.1",
     "postcss-nesting": "14.0.0",
     "pretty-ms": "9.0.0",

From 5c05973994b025575139827eb81baa2dec98be33 Mon Sep 17 00:00:00 2001
From: Beowulf <beowulf@beocode.eu>
Date: Thu, 30 Apr 2026 09:26:41 +0200
Subject: [PATCH 194/287] chore: no longer run renovate on v14 branch [skip ci]
 (#11975)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11975
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
---
 .forgejo/renovate.json | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.forgejo/renovate.json b/.forgejo/renovate.json
index ee6b7212ce..765319324b 100644
--- a/.forgejo/renovate.json
+++ b/.forgejo/renovate.json
@@ -9,7 +9,6 @@
   "baseBranchPatterns": [
     "$default",
     "/^v11\\.\\d+/forgejo$/",
-    "/^v14\\.\\d+/forgejo$/",
     "/^v15\\.\\d+/forgejo$/"
   ],
   "postUpdateOptions": ["gomodTidy", "gomodUpdateImportPaths", "npmDedupe"],

From 81c46e4a7c6fa132c7094119fc08467a28d475e9 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 30 Apr 2026 16:36:00 +0200
Subject: [PATCH 195/287] Update module github.com/mattn/go-sqlite3 to v1.14.44
 (forgejo) (#12340)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) | `v1.14.42` → `v1.14.44` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fmattn%2fgo-sqlite3/v1.14.44?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fmattn%2fgo-sqlite3/v1.14.42/v1.14.44?slim=true) |

---

### Release Notes

<details>
<summary>mattn/go-sqlite3 (github.com/mattn/go-sqlite3)</summary>

### [`v1.14.44`](https://github.com/mattn/go-sqlite3/compare/v1.14.43...v1.14.44)

[Compare Source](https://github.com/mattn/go-sqlite3/compare/v1.14.43...v1.14.44)

### [`v1.14.43`](https://github.com/mattn/go-sqlite3/compare/v1.14.42...v1.14.43)

[Compare Source](https://github.com/mattn/go-sqlite3/compare/v1.14.42...v1.14.43)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNiIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS42IiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12340
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index f228f4bc1d..e387ee28c8 100644
--- a/go.mod
+++ b/go.mod
@@ -75,7 +75,7 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.11
 	github.com/markbates/goth v1.82.0
 	github.com/mattn/go-isatty v0.0.21
-	github.com/mattn/go-sqlite3 v1.14.42
+	github.com/mattn/go-sqlite3 v1.14.44
 	github.com/meilisearch/meilisearch-go v0.36.0
 	github.com/mholt/archives v0.1.5
 	github.com/microcosm-cc/bluemonday v1.0.27
diff --git a/go.sum b/go.sum
index c88371b4f5..119648c89b 100644
--- a/go.sum
+++ b/go.sum
@@ -517,8 +517,8 @@ github.com/mattn/go-runewidth v0.0.17 h1:78v8ZlW0bP43XfmAfPsdXcoNCelfMHsDmd/pkEN
 github.com/mattn/go-runewidth v0.0.17/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
-github.com/mattn/go-sqlite3 v1.14.42 h1:MigqEP4ZmHw3aIdIT7T+9TLa90Z6smwcthx+Azv4Cgo=
-github.com/mattn/go-sqlite3 v1.14.42/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
+github.com/mattn/go-sqlite3 v1.14.44 h1:3VSe+xafpbzsLbdr2AWlAZk9yRHiBhTBakioXaCKTF8=
+github.com/mattn/go-sqlite3 v1.14.44/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
 github.com/meilisearch/meilisearch-go v0.36.0 h1:N1etykTektXt5KPcSbhBO0d5Xx5NaKj4pJWEM7WA5dI=
 github.com/meilisearch/meilisearch-go v0.36.0/go.mod h1:HBfHzKMxcSbTOvqdfuRA/yf6Vk9IivcwKocWRuW7W78=
 github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=

From 25e7a0b91b5feb8fe2491d1cfbd280ed93521bab Mon Sep 17 00:00:00 2001
From: Zachary Spector <public@zacharyspector.com>
Date: Thu, 30 Apr 2026 16:58:28 +0200
Subject: [PATCH 196/287] feat: support simple JSON API for PyPI package
 registry (#12095)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR extends Forĝejo's PyPI package index to support [the simple JSON repository API](https://packaging.python.org/en/latest/specifications/simple-repository-api/#json-serialization). Since the existing implementation was for the HTML serialization of the same simple API, no new endpoint has been added. Instead, Forĝejo chooses between serialization schemes based on the "Accept" header in the request. This, together with CORS, will make Forĝejo compatible with [micropip](https://github.com/pyodide/micropip).

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12095): <!--number 12095 --><!--line 0 --><!--description SG9zdGVkIFB5UEkgcGFja2FnZXMgbWF5IGJlIGFjY2Vzc2VkIHZpYSB0aGUgW3NpbXBsZSBKU09OIEFQSV0oaHR0cHM6Ly9wYWNrYWdpbmcucHl0aG9uLm9yZy9lbi9sYXRlc3Qvc3BlY2lmaWNhdGlvbnMvc2ltcGxlLXJlcG9zaXRvcnktYXBpLyNqc29uLXNlcmlhbGl6YXRpb24pIGluIGFkZGl0aW9uIHRvIHRoZSBzaW1wbGUgSFRNTCBBUEkgYWxyZWFkeSBhdmFpbGFibGUu-->Hosted PyPI packages may be accessed via the [simple JSON API](https://packaging.python.org/en/latest/specifications/simple-repository-api/#json-serialization) in addition to the simple HTML API already available.<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12095
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 modules/packages/pypi/metadata.go           | 23 ++++++
 release-notes/12095.md                      |  1 +
 routers/api/packages/pypi/pypi.go           | 86 ++++++++++++++++++++-
 tests/integration/api_packages_pypi_test.go | 28 ++++++-
 4 files changed, 133 insertions(+), 5 deletions(-)
 create mode 100644 release-notes/12095.md

diff --git a/modules/packages/pypi/metadata.go b/modules/packages/pypi/metadata.go
index 125728c4f1..0aa90aeca5 100644
--- a/modules/packages/pypi/metadata.go
+++ b/modules/packages/pypi/metadata.go
@@ -13,3 +13,26 @@ type Metadata struct {
 	License         string `json:"license,omitempty"`
 	RequiresPython  string `json:"requires_python,omitempty"`
 }
+
+type FileHashesJSON struct {
+	SHA256 string `json:"sha256"`
+}
+
+type FileJSON struct {
+	Filename       string         `json:"filename"`
+	URL            string         `json:"url"`
+	Hashes         FileHashesJSON `json:"hashes"`
+	RequiresPython string         `json:"requires-python"`
+	Size           int64          `json:"size"`
+}
+
+type PackageMetaJSON struct {
+	APIVersion string `json:"api-version"`
+}
+
+type PackageJSON struct {
+	Name     string          `json:"name"`
+	Meta     PackageMetaJSON `json:"meta"`
+	Versions []string        `json:"versions"`
+	Files    []FileJSON      `json:"files"`
+}
diff --git a/release-notes/12095.md b/release-notes/12095.md
new file mode 100644
index 0000000000..3930b07f46
--- /dev/null
+++ b/release-notes/12095.md
@@ -0,0 +1 @@
+Hosted PyPI packages may be accessed via the [simple JSON API](https://packaging.python.org/en/latest/specifications/simple-repository-api/#json-serialization) in addition to the simple HTML API already available.
diff --git a/routers/api/packages/pypi/pypi.go b/routers/api/packages/pypi/pypi.go
index 360632570e..5d8bf5d45f 100644
--- a/routers/api/packages/pypi/pypi.go
+++ b/routers/api/packages/pypi/pypi.go
@@ -8,11 +8,14 @@ import (
 	"io"
 	"net/http"
 	"regexp"
+	"slices"
 	"sort"
 	"strings"
 	"unicode"
 
 	packages_model "forgejo.org/models/packages"
+	"forgejo.org/modules/json"
+	"forgejo.org/modules/log"
 	packages_module "forgejo.org/modules/packages"
 	pypi_module "forgejo.org/modules/packages/pypi"
 	"forgejo.org/modules/setting"
@@ -44,8 +47,14 @@ func apiError(ctx *context.Context, status int, obj any) {
 	})
 }
 
-// PackageMetadata returns the metadata for a single package
-func PackageMetadata(ctx *context.Context) {
+func contentTypeSupported(ctyps []string, v string) bool {
+	return slices.ContainsFunc(ctyps, func(ctyp string) bool {
+		return strings.HasPrefix(ctyp, v)
+	})
+}
+
+// HTMLPackageMetadata returns the metadata for a single package in Simple HTML per PEP691
+func HTMLPackageMetadata(ctx *context.Context) {
 	packageName := normalizer.Replace(ctx.Params("id"))
 
 	pvs, err := packages_model.GetVersionsByPackageName(ctx, ctx.Package.Owner.ID, packages_model.TypePyPI, packageName)
@@ -72,9 +81,82 @@ func PackageMetadata(ctx *context.Context) {
 	ctx.Data["RegistryURL"] = setting.AppURL + "api/packages/" + ctx.Package.Owner.Name + "/pypi"
 	ctx.Data["PackageDescriptor"] = pds[0]
 	ctx.Data["PackageDescriptors"] = pds
+	// Content-Type headers need to be in this order for the page to show in the browser
+	ctx.Resp.Header().Set("Content-Type", "application/vnd.pypi.simple.v1+html")
+	ctx.Resp.Header().Add("Content-Type", "text/html")
 	ctx.HTML(http.StatusOK, "api/packages/pypi/simple")
 }
 
+// JSONPackageMetadata returns the metadata for a single package in Simple JSON per PEP691
+func JSONPackageMetadata(ctx *context.Context) {
+	packageName := normalizer.Replace(ctx.Params("id"))
+
+	pvs, err := packages_model.GetVersionsByPackageName(ctx, ctx.Package.Owner.ID, packages_model.TypePyPI, packageName)
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+	if len(pvs) == 0 {
+		apiError(ctx, http.StatusNotFound, err)
+		return
+	}
+
+	pds, err := packages_model.GetPackageDescriptors(ctx, pvs)
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+
+	// sort package descriptors by version to mimic PyPI format
+	slices.SortFunc(pds, func(a, b *packages_model.PackageDescriptor) int {
+		return strings.Compare(a.Version.Version, b.Version.Version)
+	})
+	registryURL := setting.AppURL + "api/packages/" + ctx.Package.Owner.Name + "/pypi"
+	versions := make([]string, len(pvs))
+	for i, pv := range pvs {
+		versions[i] = pv.Version
+	}
+	var fileCounter int
+	for _, pd := range pds {
+		fileCounter += len(pd.Files)
+	}
+	files := make([]pypi_module.FileJSON, fileCounter)
+	var i int
+	for _, pd := range pds {
+		for _, file := range pd.Files {
+			files[i] = pypi_module.FileJSON{
+				Filename:       file.File.Name,
+				URL:            registryURL + "/files/" + pd.Package.LowerName + "/" + pd.Version.Version + "/" + file.File.Name,
+				RequiresPython: pd.Metadata.(*pypi_module.Metadata).RequiresPython,
+				Hashes:         pypi_module.FileHashesJSON{SHA256: file.Blob.HashSHA256},
+				Size:           file.Blob.Size,
+			}
+			i++
+		}
+	}
+	content := pypi_module.PackageJSON{
+		Name:     pds[0].Package.Name,
+		Meta:     pypi_module.PackageMetaJSON{APIVersion: "1.4"},
+		Versions: versions,
+		Files:    files,
+	}
+	ctx.Resp.Header().Set("Content-Type", "application/vnd.pypi.simple.v1+json")
+	ctx.Resp.Header().Add("Content-Type", "application/json")
+	if err := json.NewEncoder(ctx.Resp).Encode(content); err != nil {
+		log.Error("Render JSON failed: %v", err)
+		apiError(ctx, http.StatusInternalServerError, err)
+	}
+}
+
+func PackageMetadata(ctx *context.Context) {
+	ctyp := ctx.Req.Header["Accept"]
+	if contentTypeSupported(ctyp, "application/vnd.pypi.simple.v1+json") {
+		JSONPackageMetadata(ctx)
+	} else {
+		HTMLPackageMetadata(ctx)
+	}
+}
+
 // DownloadPackageFile serves the content of a package
 func DownloadPackageFile(ctx *context.Context) {
 	packageName := normalizer.Replace(ctx.Params("id"))
diff --git a/tests/integration/api_packages_pypi_test.go b/tests/integration/api_packages_pypi_test.go
index f025f8e577..45aa41c573 100644
--- a/tests/integration/api_packages_pypi_test.go
+++ b/tests/integration/api_packages_pypi_test.go
@@ -17,6 +17,7 @@ import (
 	"forgejo.org/models/packages"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/json"
 	"forgejo.org/modules/packages/pypi"
 	"forgejo.org/tests"
 
@@ -211,19 +212,20 @@ func TestPackagePyPI(t *testing.T) {
 		assert.Equal(t, int64(2), pvs[0].DownloadCount)
 	})
 
-	t.Run("PackageMetadata", func(t *testing.T) {
+	hrefMatcher := regexp.MustCompile(fmt.Sprintf(`%s/files/%s/%s/test\..+#sha256=%s`, root, regexp.QuoteMeta(packageName), regexp.QuoteMeta(packageVersion), hashSHA256))
+
+	t.Run("PackageMetadataHTML", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		req := NewRequest(t, "GET", fmt.Sprintf("%s/simple/%s", root, packageName)).
 			AddBasicAuth(user.Name)
+		req.Header["Accept"] = []string{"application/vnd.pypi.simple.v1+html"}
 		resp := MakeRequest(t, req, http.StatusOK)
 
 		htmlDoc := NewHTMLParser(t, resp.Body)
 		nodes := htmlDoc.doc.Find("a").Nodes
 		assert.Len(t, nodes, 2)
 
-		hrefMatcher := regexp.MustCompile(fmt.Sprintf(`%s/files/%s/%s/test\..+#sha256=%s`, root, regexp.QuoteMeta(packageName), regexp.QuoteMeta(packageVersion), hashSHA256))
-
 		for _, a := range nodes {
 			for _, att := range a.Attr {
 				switch att.Key {
@@ -237,4 +239,24 @@ func TestPackagePyPI(t *testing.T) {
 			}
 		}
 	})
+
+	t.Run("PackageMetadataJSON", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/simple/%s", root, packageName)).
+			AddBasicAuth(user.Name)
+		req.Header["Accept"] = []string{"application/vnd.pypi.simple.v1+json"}
+		resp := MakeRequest(t, req, http.StatusOK)
+		assert.Greater(t, resp.Body.Len(), 3)
+		txt := make([]byte, resp.Body.Len())
+		resp.Body.Read(txt)
+		var obj pypi.PackageJSON
+		require.NoError(t, json.Unmarshal(txt, &obj))
+		assert.Equal(t, packageName, obj.Name)
+		assert.Equal(t, pypi.PackageMetaJSON{APIVersion: "1.4"}, obj.Meta)
+		for _, filed := range obj.Files {
+			hrefMatcher = regexp.MustCompile(fmt.Sprintf(`%s/files/%s/%s/test\.(tar\.gz)|(whl)`, root, regexp.QuoteMeta(packageName), regexp.QuoteMeta(packageVersion)))
+			assert.Regexp(t, hrefMatcher, filed.URL[21:])
+		}
+	})
 }

From 065a3a23f465c93f2f01d03eae32617768e40832 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 30 Apr 2026 17:29:39 +0200
Subject: [PATCH 197/287] chore: extend length of integration test's
 logUnexpectedResponse (#12348)

I've observed intermittent failures in [`TestAPIAuthWithAuthorizedIntegration`](https://codeberg.org/forgejo/forgejo/actions/runs/156485/jobs/8/attempt/1#jobstep-5-1950):
```
    auth_authorized_integration_test.go:70:
        	Error Trace:	/workspace/forgejo/forgejo/tests/integration/integration_test.go:657
        	            				/workspace/forgejo/forgejo/tests/integration/auth_authorized_integration_test.go:70
        	            				/workspace/forgejo/forgejo/tests/integration/auth_authorized_integration_test.go:117
        	Error:      	Not equal:
        	            	expected: 200
        	            	actual  : 401
        	Test:       	TestAPIAuthWithAuthorizedIntegration/authorization_reducer/specific_repo_access_token
        	Messages:   	Request: GET /api/v1/repos/user2/repo1/compare/master...master
    auth_authorized_integration_test.go:70: Response length:  1801
```

I *suspect* that the cause is time-related errors in the Authorized Integration JWT, but I can't validate this because I can't reproduce the issue in local testing, and the response isn't displayed, and is just "Response length:  1801".  This PR increases the size of responses that the integration tests' `logUnexpectedResponse` will output.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12348
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 tests/integration/integration_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/integration/integration_test.go b/tests/integration/integration_test.go
index c8bbaa9b2c..a75768bbaa 100644
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@@ -713,7 +713,7 @@ func logUnexpectedResponse(t testing.TB, recorder *httptest.ResponseRecorder) {
 		}
 
 		return
-	} else if len(respBytes) < 500 {
+	} else if len(respBytes) < 2048 {
 		// if body is short, just log the whole thing
 		t.Log("Response: ", string(respBytes))
 		return

From e0777227d3a2263fc2589edba531dc3b7e06e5df Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 30 Apr 2026 18:14:25 +0200
Subject: [PATCH 198/287] Update module github.com/meilisearch/meilisearch-go
 to v0.36.2 (forgejo) (#12110)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12110
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index e387ee28c8..fbd61df592 100644
--- a/go.mod
+++ b/go.mod
@@ -76,7 +76,7 @@ require (
 	github.com/markbates/goth v1.82.0
 	github.com/mattn/go-isatty v0.0.21
 	github.com/mattn/go-sqlite3 v1.14.44
-	github.com/meilisearch/meilisearch-go v0.36.0
+	github.com/meilisearch/meilisearch-go v0.36.2
 	github.com/mholt/archives v0.1.5
 	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/minio/minio-go/v7 v7.0.99
diff --git a/go.sum b/go.sum
index 119648c89b..2641bb63ff 100644
--- a/go.sum
+++ b/go.sum
@@ -519,8 +519,8 @@ github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebG
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/mattn/go-sqlite3 v1.14.44 h1:3VSe+xafpbzsLbdr2AWlAZk9yRHiBhTBakioXaCKTF8=
 github.com/mattn/go-sqlite3 v1.14.44/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
-github.com/meilisearch/meilisearch-go v0.36.0 h1:N1etykTektXt5KPcSbhBO0d5Xx5NaKj4pJWEM7WA5dI=
-github.com/meilisearch/meilisearch-go v0.36.0/go.mod h1:HBfHzKMxcSbTOvqdfuRA/yf6Vk9IivcwKocWRuW7W78=
+github.com/meilisearch/meilisearch-go v0.36.2 h1:MYaMPCpdLh2aYPt+zK+19mLoA4dfBY3S1L7T0FADCjU=
+github.com/meilisearch/meilisearch-go v0.36.2/go.mod h1:hWcR0MuWLSzHfbz9GGzIr3s9rnXLm1jqkmHkJPbUSvM=
 github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=
 github.com/mholt/acmez/v3 v3.1.2/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
 github.com/mholt/archives v0.1.5 h1:Fh2hl1j7VEhc6DZs2DLMgiBNChUux154a1G+2esNvzQ=

From 68be312467f24fe5ad7d66cb78bbb172a2288baa Mon Sep 17 00:00:00 2001
From: minhn <minh160302@noreply.codeberg.org>
Date: Thu, 30 Apr 2026 18:39:01 +0200
Subject: [PATCH 199/287] fix: `repoGetAllCommits` should allow for the use of
 `limit` with `path` (#11752)

Pass down the `limit` value to use in the `rev-list` command.

Issue: https://codeberg.org/forgejo/forgejo/issues/11405

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11752
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 modules/git/repo_commit.go      |  7 +++++-
 modules/git/repo_commit_test.go | 38 +++++++++++++++++++++++++++++++++
 routers/api/v1/repo/commits.go  |  3 ++-
 templates/swagger/v1_json.tmpl  |  2 +-
 4 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/modules/git/repo_commit.go b/modules/git/repo_commit.go
index 0ebdb0f8a0..99ffac7afb 100644
--- a/modules/git/repo_commit.go
+++ b/modules/git/repo_commit.go
@@ -217,10 +217,15 @@ type CommitsByFileAndRangeOptions struct {
 	File     string
 	Not      string
 	Page     int
+	PageSize int
 }
 
 // CommitsByFileAndRange return the commits according revision file and the page
 func (repo *Repository) CommitsByFileAndRange(opts CommitsByFileAndRangeOptions) ([]*Commit, error) {
+	if opts.PageSize <= 0 {
+		opts.PageSize = setting.Git.CommitsRangeSize
+	}
+
 	skip := (opts.Page - 1) * setting.Git.CommitsRangeSize
 
 	stdoutReader, stdoutWriter := io.Pipe()
@@ -231,7 +236,7 @@ func (repo *Repository) CommitsByFileAndRange(opts CommitsByFileAndRangeOptions)
 	go func() {
 		stderr := strings.Builder{}
 		gitCmd := NewCommand(repo.Ctx, "rev-list").
-			AddOptionFormat("--max-count=%d", setting.Git.CommitsRangeSize).
+			AddOptionFormat("--max-count=%d", opts.PageSize).
 			AddOptionFormat("--skip=%d", skip)
 		gitCmd.AddDynamicArguments(opts.Revision)
 
diff --git a/modules/git/repo_commit_test.go b/modules/git/repo_commit_test.go
index 99cde92300..401848a975 100644
--- a/modules/git/repo_commit_test.go
+++ b/modules/git/repo_commit_test.go
@@ -200,6 +200,44 @@ func TestCommitsByFileAndRange(t *testing.T) {
 	}
 }
 
+func TestCommitsByFileAndRangeWithPageSize(t *testing.T) {
+	bareRepo1Path := filepath.Join(testReposDir, "repo1_bare")
+	bareRepo1, err := openRepositoryWithDefaultContext(bareRepo1Path)
+	require.NoError(t, err)
+	defer bareRepo1.Close()
+	defer test.MockVariableValue(&setting.Git.CommitsRangeSize, 2)()
+
+	testCases := []struct {
+		File                string
+		Page                int
+		PageSize            int
+		ExpectedCommitCount int
+	}{
+		{"file1.txt", 1, 1, 1},
+		{"file2.txt", 1, 1, 1},
+		{"file*.txt", 1, 2, 2},
+		{"file*.txt", 1, 1, 1},
+		{"foo", 1, 2, 2},
+		{"foo", 1, 1, 1},
+		{"foo", 2, 1, 1},
+		{"foo", 3, 0, 0},
+		{"foo", 3, 2, 0},
+		{"f*", 1, 2, 2},
+		{"f*", 2, 2, 2},
+		{"f*", 3, 1, 1},
+	}
+	for _, testCase := range testCases {
+		commits, err := bareRepo1.CommitsByFileAndRange(CommitsByFileAndRangeOptions{
+			Revision: "master",
+			File:     testCase.File,
+			Page:     testCase.Page,
+			PageSize: testCase.PageSize,
+		})
+		require.NoError(t, err)
+		assert.Len(t, commits, testCase.ExpectedCommitCount, "file: '%s', page: %d", testCase.File, testCase.Page)
+	}
+}
+
 func TestGetCommitsFromIDs(t *testing.T) {
 	bareRepo1, err := openRepositoryWithDefaultContext(filepath.Join(testReposDir, "repo1_bare"))
 	require.NoError(t, err)
diff --git a/routers/api/v1/repo/commits.go b/routers/api/v1/repo/commits.go
index 4221e59f17..4d89eb182d 100644
--- a/routers/api/v1/repo/commits.go
+++ b/routers/api/v1/repo/commits.go
@@ -135,7 +135,7 @@ func GetAllCommits(ctx *context.APIContext) {
 	//   type: integer
 	// - name: limit
 	//   in: query
-	//   description: page size of results (ignored if used with 'path')
+	//   description: page size of results
 	//   type: integer
 	// - name: not
 	//   in: query
@@ -244,6 +244,7 @@ func GetAllCommits(ctx *context.APIContext) {
 				File:     path,
 				Not:      not,
 				Page:     listOptions.Page,
+				PageSize: listOptions.PageSize,
 			})
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "CommitsByFileAndRange", err)
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index e74f0039a6..45159b7c71 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -7734,7 +7734,7 @@
           },
           {
             "type": "integer",
-            "description": "page size of results (ignored if used with 'path')",
+            "description": "page size of results",
             "name": "limit",
             "in": "query"
           },

From cc60e3d69364768007417d84e00756a74539ec60 Mon Sep 17 00:00:00 2001
From: jvoisin <jvoisin@noreply.codeberg.org>
Date: Thu, 30 Apr 2026 19:24:13 +0200
Subject: [PATCH 200/287] fix(oauth): only accept refresh tokens as refresh
 tokens (#12291)

`handleRefreshToken` never checked `token.Type == TypeRefreshToken`. When
`InvalidateRefreshTokens` is disabled, an access token could be submitted as a
`refresh_token` and exchanged for a new token pair.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Co-authored-by: jvoisin <julien.voisin@dustri.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12291
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 routers/web/auth/oauth.go       | 10 ++++++++++
 tests/integration/oauth_test.go | 12 ++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 6335f2ecc0..914e181259 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -783,6 +783,16 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server
 		})
 		return
 	}
+
+	// Reject tokens that are not refresh tokens (e.g. access tokens submitted as refresh tokens)
+	if token.Type != oauth2.TypeRefreshToken {
+		handleAccessTokenError(ctx, AccessTokenErrorResponse{
+			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
+			ErrorDescription: "token is not a refresh token",
+		})
+		return
+	}
+
 	// get grant before increasing counter
 	grant, err := auth.GetOAuth2GrantByID(ctx, token.GrantID)
 	if err != nil || grant == nil {
diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go
index 27c66f0e5a..3f14324cf7 100644
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@@ -455,6 +455,18 @@ func TestRefreshTokenInvalidation(t *testing.T) {
 	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
 	assert.Equal(t, "unable to parse refresh token", parsedError.ErrorDescription)
 
+	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+		"grant_type":    "refresh_token",
+		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
+		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+		"redirect_uri":  "a",
+		"refresh_token": parsed.AccessToken,
+	})
+	resp = MakeRequest(t, req, http.StatusBadRequest)
+	require.NoError(t, json.Unmarshal(resp.Body.Bytes(), &parsedError))
+	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
+	assert.Equal(t, "token is not a refresh token", parsedError.ErrorDescription)
+
 	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
 		"grant_type":    "refresh_token",
 		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",

From 3e74c5224f6cec8cc8ef456509341254f41e458e Mon Sep 17 00:00:00 2001
From: UweKrause <uwekrause@noreply.codeberg.org>
Date: Fri, 1 May 2026 00:20:15 +0200
Subject: [PATCH 201/287] chore: rename devcontainer name (#12356)

I had some trouble getting the devcontainer run. I use docker buildx / BuildKit.
Error was: `docker buildx build failed: ERROR: failed to build: invalid tag "gitea_-5cc3cd41d1b58674-features": invalid reference format`.

I renamed the container to not contain spaces and then it worked.

AI agreement:
I asked Claude code (Sonnet 4.6) to analyze the problem and it told me that buildx/BuildKit seems to check more strict for names.
So it guided me to the solution to rename the container.
I then myself changed the name and verified that the devcontainer starts.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12356
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 .devcontainer/devcontainer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 0db96fc73a..46b85ad93d 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,5 +1,5 @@
 {
-  "name": "Gitea DevContainer",
+  "name": "forgejo-dev",
   "image": "mcr.microsoft.com/devcontainers/go:1.26-trixie",
   "features": {
     // installs nodejs into container

From 75cfa31af5d6893f39a3fb59f5001d6edad65c82 Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Fri, 1 May 2026 01:24:32 +0200
Subject: [PATCH 202/287] fix: set `repo_id` for migrated attachment (#12357)

Was not required until ce0a3767230bf0ed2a16f69fd3eb0afe0dff6168 added extra checks which did require `repo_id` of the attachment to be set correctly.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12357
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 models/repo/release.go      | 1 +
 models/repo/release_test.go | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/models/repo/release.go b/models/repo/release.go
index edd628fa0f..8aa447bda8 100644
--- a/models/repo/release.go
+++ b/models/repo/release.go
@@ -608,6 +608,7 @@ func InsertReleases(ctx context.Context, rels ...*Release) error {
 		if len(rel.Attachments) > 0 {
 			for i := range rel.Attachments {
 				rel.Attachments[i].ReleaseID = rel.ID
+				rel.Attachments[i].RepoID = rel.RepoID
 			}
 
 			if _, err := sess.NoAutoTime().Insert(rel.Attachments); err != nil {
diff --git a/models/repo/release_test.go b/models/repo/release_test.go
index 69f9333589..940de757c7 100644
--- a/models/repo/release_test.go
+++ b/models/repo/release_test.go
@@ -20,11 +20,14 @@ func TestMigrate_InsertReleases(t *testing.T) {
 		UUID: "a0eebc91-9c0c-4ef7-bb6e-6bb9bd380a12",
 	}
 	r := &Release{
+		RepoID:      1001,
 		Attachments: []*Attachment{a},
 	}
 
 	err := InsertReleases(db.DefaultContext, r)
 	require.NoError(t, err)
+
+	assert.EqualValues(t, 1001, unittest.AssertExistsAndLoadBean(t, &Attachment{UUID: "a0eebc91-9c0c-4ef7-bb6e-6bb9bd380a12"}).RepoID)
 }
 
 func TestReleaseLoadRepo(t *testing.T) {

From 254a44b97b40323e71c955cd9d6f561bea55ec90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mauritz=20Sj=C3=B6din?= <mauritz.sjodin@protonmail.com>
Date: Fri, 1 May 2026 01:53:10 +0200
Subject: [PATCH 203/287] feat: show breadcrumb path in path filtered commit
 history view (#12116)

Resolves forgejo/forgejo#8754

Add the breadcrumb path that already exists when browsing directories to the commit history of files/directories.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12116
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 routers/web/repo/commit.go                    | 12 ++++++++++++
 templates/repo/commits.tmpl                   |  1 +
 templates/repo/filepath.tmpl                  | 17 +++++++++++++++++
 templates/repo/home.tmpl                      | 15 +--------------
 tests/integration/repo_commits_search_test.go |  1 +
 tests/integration/repo_commits_test.go        |  1 +
 tests/integration/view_test.go                | 15 +++++++++++----
 7 files changed, 44 insertions(+), 18 deletions(-)
 create mode 100644 templates/repo/filepath.tmpl

diff --git a/routers/web/repo/commit.go b/routers/web/repo/commit.go
index 5b8f35f5b1..082716adbc 100644
--- a/routers/web/repo/commit.go
+++ b/routers/web/repo/commit.go
@@ -45,10 +45,19 @@ const (
 func RefCommits(ctx *context.Context) {
 	switch {
 	case len(ctx.Repo.TreePath) == 0:
+		ctx.Data["TreeNames"] = []string{}
 		Commits(ctx)
 	case ctx.Repo.TreePath == "search":
+		ctx.Data["TreeNames"] = []string{}
 		SearchCommits(ctx)
 	default:
+		treeNames := strings.Split(ctx.Repo.TreePath, "/")
+		paths := make([]string, len(treeNames))
+		for i := range treeNames {
+			paths[i] = strings.Join(treeNames[:i+1], "/")
+		}
+		ctx.Data["TreeNames"] = treeNames
+		ctx.Data["Paths"] = paths
 		FileHistory(ctx)
 	}
 }
@@ -272,6 +281,9 @@ func FileHistory(ctx *context.Context) {
 		}
 	}
 
+	branchLink := ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL()
+	ctx.Data["BranchLink"] = branchLink
+
 	ctx.Data["Commits"] = git_model.ParseCommitsWithStatus(ctx, commits, ctx.Repo.Repository)
 
 	ctx.Data["Username"] = ctx.Repo.Owner.Name
diff --git a/templates/repo/commits.tmpl b/templates/repo/commits.tmpl
index e6efe1ff54..b9ea9c790a 100644
--- a/templates/repo/commits.tmpl
+++ b/templates/repo/commits.tmpl
@@ -10,6 +10,7 @@
 					{{svg "octicon-git-branch"}}
 					{{ctx.Locale.Tr "repo.commit_graph"}}
 				</a>
+				{{template "repo/filepath" .}}
 			</div>
 		</div>
 		{{template "repo/commits_table" .}}
diff --git a/templates/repo/filepath.tmpl b/templates/repo/filepath.tmpl
new file mode 100644
index 0000000000..6473ffd356
--- /dev/null
+++ b/templates/repo/filepath.tmpl
@@ -0,0 +1,17 @@
+{{$n := len .TreeNames}}
+{{$l := Eval $n "-" 1}}
+{{$showFilePath := (gt $n 0)}}
+{{if $showFilePath}}
+	<span class="breadcrumb repo-path tw-ml-1">
+		<a class="section" href="{{$.BranchLink}}" title="{{.Repository.Name}}">{{StringUtils.EllipsisString .Repository.Name 30}}</a>
+		{{- range $i, $v := .TreeNames -}}
+			<span class="breadcrumb-divider">/</span>
+			{{- if eq $i $l -}}
+				<span class="active section" title="{{$v}}">{{$v}}</span>
+				<button class="btn interact-fg tw-p-2" data-clipboard-text="{{$.TreePath}}" data-tooltip-content="{{ctx.Locale.Tr "copy_path"}}">{{svg "octicon-copy" 14}}</button>
+			{{- else -}}
+				{{$p := index $.Paths $i}}<span class="section"><a href="{{$.BranchLink}}/{{PathEscapeSegments $p}}" title="{{$v}}">{{$v}}</a></span>
+			{{- end -}}
+		{{- end -}}
+	</span>
+{{end}}
diff --git a/templates/repo/home.tmpl b/templates/repo/home.tmpl
index eb27af5d54..601605ba44 100644
--- a/templates/repo/home.tmpl
+++ b/templates/repo/home.tmpl
@@ -102,20 +102,7 @@
 						{{ctx.Locale.Tr "repo.use_template"}}
 					</a>
 				{{end}}
-				{{if (not $isHomepage)}}
-					<span class="breadcrumb repo-path tw-ml-1">
-						<a class="section" href="{{.RepoLink}}/src/{{.BranchNameSubURL}}" title="{{.Repository.Name}}">{{StringUtils.EllipsisString .Repository.Name 30}}</a>
-						{{- range $i, $v := .TreeNames -}}
-							<span class="breadcrumb-divider">/</span>
-							{{- if eq $i $l -}}
-								<span class="active section" title="{{$v}}">{{$v}}</span>
-								<button class="btn interact-fg tw-p-2" data-clipboard-text="{{$.TreePath}}" data-tooltip-content="{{ctx.Locale.Tr "copy_path"}}">{{svg "octicon-copy" 14}}</button>
-							{{- else -}}
-								{{$p := index $.Paths $i}}<span class="section"><a href="{{$.BranchLink}}/{{PathEscapeSegments $p}}" title="{{$v}}">{{$v}}</a></span>
-							{{- end -}}
-						{{- end -}}
-					</span>
-				{{end}}
+				{{template "repo/filepath" .}}
 			</div>
 			<div class="tw-flex tw-items-center max-[390px]:tw-w-full">
 				<!-- Only show clone panel in repository home page -->
diff --git a/tests/integration/repo_commits_search_test.go b/tests/integration/repo_commits_search_test.go
index 5d7d215678..30ee0e55ef 100644
--- a/tests/integration/repo_commits_search_test.go
+++ b/tests/integration/repo_commits_search_test.go
@@ -24,6 +24,7 @@ func testRepoCommitsSearch(t *testing.T, query, commit string) {
 	doc := NewHTMLParser(t, resp.Body)
 	sel := doc.doc.Find("#commits-table tbody tr td.sha a")
 	assert.Equal(t, commit, strings.TrimSpace(sel.Text()))
+	doc.AssertElement(t, ".repo-path", false)
 }
 
 func TestRepoCommitsSearch(t *testing.T) {
diff --git a/tests/integration/repo_commits_test.go b/tests/integration/repo_commits_test.go
index d2bb4e8849..26522fe481 100644
--- a/tests/integration/repo_commits_test.go
+++ b/tests/integration/repo_commits_test.go
@@ -34,6 +34,7 @@ func TestRepoCommits(t *testing.T) {
 	commitURL, exists := doc.doc.Find("#commits-table tbody tr td.sha a").Attr("href")
 	assert.True(t, exists)
 	assert.NotEmpty(t, commitURL)
+	doc.AssertElement(t, ".repo-path", false)
 }
 
 func doTestRepoCommitWithStatus(t *testing.T, state string, classes ...string) {
diff --git a/tests/integration/view_test.go b/tests/integration/view_test.go
index bc858e71e8..fee9393409 100644
--- a/tests/integration/view_test.go
+++ b/tests/integration/view_test.go
@@ -139,7 +139,7 @@ func TestCommitListActions(t *testing.T) {
 			[]*files_service.ChangeRepoFile{
 				{
 					Operation:     "create",
-					TreePath:      "test.sh",
+					TreePath:      "test/test.sh",
 					ContentReader: strings.NewReader("Hello there!"),
 				},
 			},
@@ -162,7 +162,7 @@ func TestCommitListActions(t *testing.T) {
 			htmlDoc.AssertElement(t, fmt.Sprintf(".commit-list a[href^='/%s/src/commit/']", repo.FullName()), false)
 		})
 
-		fileDiffSelector := fmt.Sprintf(".commit-list a[href='/%s/commit/%s?files=test.sh']", repo.FullName(), commitID)
+		fileDiffSelector := fmt.Sprintf(".commit-list a[href='/%s/commit/%s?files=test/test.sh']", repo.FullName(), commitID)
 		t.Run("Commit list", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
@@ -177,12 +177,19 @@ func TestCommitListActions(t *testing.T) {
 		t.Run("File history", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
-			req := NewRequest(t, "GET", repo.Link()+"/commits/branch/main/test.sh")
+			req := NewRequest(t, "GET", repo.Link()+"/commits/branch/main/test/test.sh")
 			resp := session.MakeRequest(t, req, http.StatusOK)
 			htmlDoc := NewHTMLParser(t, resp.Body)
 
-			htmlDoc.AssertElement(t, fmt.Sprintf(".commit-list a[href='/%s/src/commit/%s/test.sh']", repo.FullName(), commitID), true)
+			htmlDoc.AssertElement(t, fmt.Sprintf(".commit-list a[href='/%s/src/commit/%s/test/test.sh']", repo.FullName(), commitID), true)
 			htmlDoc.AssertElement(t, fileDiffSelector, true)
+
+			htmlDoc.AssertElement(t, ".repo-path", true)
+			htmlDoc.AssertElement(t, fmt.Sprintf(".repo-path a[href='/%s/src/branch/main'][title='%s']", repo.FullName(), repo.Name), true)
+			assert.Equal(t, 2, htmlDoc.Find(".repo-path .breadcrumb-divider").Length())
+			htmlDoc.AssertElement(t, fmt.Sprintf(".repo-path .section a[href='/%s/src/branch/main/test'][title='test']", repo.FullName()), true)
+			htmlDoc.AssertElement(t, ".repo-path .active[title='test.sh']", true)
+			htmlDoc.AssertElement(t, ".repo-path button[data-clipboard-text='test/test.sh']", true)
 		})
 	})
 }

From eb58d6c9d0d2b0aab55eef86d6ff597c065e4235 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 1 May 2026 01:58:09 +0200
Subject: [PATCH 204/287] Update dependency @axe-core/playwright to v4.11.2
 (forgejo) (#12358)

---
 package-lock.json | 10 +++++-----
 package.json      |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a6a5d2941e..e04d4747e4 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -82,7 +82,7 @@
         "wrap-ansi": "10.0.0"
       },
       "devDependencies": {
-        "@axe-core/playwright": "4.11.1",
+        "@axe-core/playwright": "4.11.2",
         "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
         "@playwright/test": "1.58.2",
         "@stoplight/spectral-cli": "6.15.0",
@@ -163,13 +163,13 @@
       }
     },
     "node_modules/@axe-core/playwright": {
-      "version": "4.11.1",
-      "resolved": "https://registry.npmjs.org/@axe-core/playwright/-/playwright-4.11.1.tgz",
-      "integrity": "sha512-mKEfoUIB1MkVTht0BGZFXtSAEKXMJoDkyV5YZ9jbBmZCcWDz71tegNsdTkIN8zc/yMi5Gm2kx7Z5YQ9PfWNAWw==",
+      "version": "4.11.2",
+      "resolved": "https://registry.npmjs.org/@axe-core/playwright/-/playwright-4.11.2.tgz",
+      "integrity": "sha512-iP6hfNl9G0j/SEUSo8M7D80RbcDo9KRAAfDP4IT5OHB+Wm6zUHIrm8Y51BKI+Oyqduvipf9u1hcRy57zCBKzWQ==",
       "dev": true,
       "license": "MPL-2.0",
       "dependencies": {
-        "axe-core": "~4.11.1"
+        "axe-core": "~4.11.3"
       },
       "peerDependencies": {
         "playwright-core": ">= 1.0.0"
diff --git a/package.json b/package.json
index 1dcd4f24a5..68829a112f 100644
--- a/package.json
+++ b/package.json
@@ -81,7 +81,7 @@
     "wrap-ansi": "10.0.0"
   },
   "devDependencies": {
-    "@axe-core/playwright": "4.11.1",
+    "@axe-core/playwright": "4.11.2",
     "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
     "@playwright/test": "1.58.2",
     "@stoplight/spectral-cli": "6.15.0",

From 1acf630dbf9fa751d2ba006f9d855baac0a5fe19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=CE=88=CE=BB=CE=BB=CE=B5=CE=BD=20=CE=95=CE=BC=CE=AF=CE=BB?=
 =?UTF-8?q?=CE=B9=CE=B1=20=CE=86=CE=BD=CE=BD=CE=B1=20Zscheile?=
 <fogti+devel@ytrizja.de>
Date: Fri, 1 May 2026 02:46:01 +0200
Subject: [PATCH 205/287] feat(build): Support go "fmt" format strings as
 masked usage patterns (#12013)

This idea is perhaps a bit more far-fetched. It implements the ability in `lint-locale-usage` to basically fully handle "printf" invocations by transforming format strings to regexps when "%" wildcards are present.

Currently, it doesn't cache the transformation from format string to compiled regex because this doesn't make a performance difference (yet), given that most of these wildcards are only hit once or twice.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12013
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 .../allowed-masked-usage.txt                  |  20 --
 build/lint-locale-usage/bin/handle-go.go      | 260 ++++++++++--------
 .../bin/lint-locale-usage.go                  |  63 ++++-
 build/lint-locale-usage/handle-go.go          |  45 ++-
 build/lint-locale-usage/handle-tmpl.go        |  12 +-
 build/lint-locale-usage/handler.go            |   1 +
 models/project/project.go                     |   2 +-
 models/project/template.go                    |   2 +-
 models/system/notice.go                       |   2 +
 templates/repo/issue/view_content.tmpl        |   8 +-
 .../repo/issue/view_content/comments.tmpl     |  10 +-
 11 files changed, 263 insertions(+), 162 deletions(-)

diff --git a/build/lint-locale-usage/allowed-masked-usage.txt b/build/lint-locale-usage/allowed-masked-usage.txt
index ca899c7d38..205d3c3cca 100644
--- a/build/lint-locale-usage/allowed-masked-usage.txt
+++ b/build/lint-locale-usage/allowed-masked-usage.txt
@@ -6,32 +6,12 @@ translation_meta.test
 # this also gets instantiated as a Messenger once
 repo.migrate.migrating_failed.error
 
-# models/system/notice.go: func (n *Notice) TrStr() string
-admin.notices.type_1
-admin.notices.type_2
-
 # modules/setting/ui.go
 themes.names.
 
 # services/context/context.go
 relativetime.
 
-# templates/repo/issue/view_content.tmpl: indirection via $closeTranslationKey
-repo.issues.close
-repo.pulls.close
-
-# templates/repo/issue/view_content/comments.tmpl: indirection via $refTr
-repo.issues.ref_closing_from
-repo.issues.ref_issue_from
-repo.issues.ref_pull_from
-repo.issues.ref_reopening_from
-
-# templates/repo/issue/view_content/comments.tmpl: ctx.Locale.Tr (printf "projects.type-%d.display_name" .OldProject.Type)
-projects.
-projects.type-1.display_name
-projects.type-2.display_name
-projects.type-3.display_name
-
 # templates/repo/settings/webhook/link_menu.tmpl, templates/webhook/new.tmpl: repo.settings.web_hook_name_
 # tests/integration/repo_archive_text_test.go
 repo.settings.
diff --git a/build/lint-locale-usage/bin/handle-go.go b/build/lint-locale-usage/bin/handle-go.go
index ffa6b13165..5b68543e9d 100644
--- a/build/lint-locale-usage/bin/handle-go.go
+++ b/build/lint-locale-usage/bin/handle-go.go
@@ -37,144 +37,172 @@ func HandleGoFile(handler llu.Handler, fname string, src any) error {
 	}
 
 	ast.Inspect(node, func(n ast.Node) bool {
-		// search for function calls of the form `anything.Tr(any-string-lit, ...)`
+		return HandleGoNode(handler, fset, fname, n)
+	})
 
-		switch n2 := n.(type) {
-		case *ast.CallExpr:
-			if len(n2.Args) == 0 {
-				return true
+	return nil
+}
+
+func HandleGoNode(handler llu.Handler, fset *token.FileSet, fname string, n ast.Node) bool {
+	// search for function calls of the form `anything.Tr(any-string-lit, ...)`
+
+	switch n2 := n.(type) {
+	case *ast.CallExpr:
+		if len(n2.Args) == 0 {
+			return true
+		}
+		funSel, ok := n2.Fun.(*ast.SelectorExpr)
+		if !ok {
+			return true
+		}
+
+		ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
+		if !ok {
+			return true
+		}
+
+		var gotUnexpectedInvoke *int
+
+		for _, argNum := range ltf {
+			if len(n2.Args) <= int(argNum) {
+				argc := len(n2.Args)
+				gotUnexpectedInvoke = &argc
+			} else {
+				handler.HandleGoTrArgument(fset, n2.Args[int(argNum)], "")
 			}
-			funSel, ok := n2.Fun.(*ast.SelectorExpr)
-			if !ok {
+		}
+
+		if gotUnexpectedInvoke != nil {
+			handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
+		}
+
+	case *ast.CompositeLit:
+		if strings.HasSuffix(fname, "models/unit/unit.go") {
+			lluUnit.HandleCompositeUnit(handler, fset, n2)
+		} else if strings.Contains(fname, "models/asymkey/") {
+			lluAsymKey.HandleCompositeErrorReason(handler, fset, n2)
+		}
+
+	case *ast.FuncDecl:
+		if matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKeyWeak"); matchInsPrefix != nil {
+			results := n2.Type.Results.List
+			if len(results) != 1 {
+				handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
 				return true
 			}
 
-			ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
-			if !ok {
-				return true
-			}
-
-			var gotUnexpectedInvoke *int
-
-			for _, argNum := range ltf {
-				if len(n2.Args) <= int(argNum) {
-					argc := len(n2.Args)
-					gotUnexpectedInvoke = &argc
-				} else {
-					handler.HandleGoTrArgument(fset, n2.Args[int(argNum)], "")
+			ast.Inspect(n2.Body, func(n ast.Node) bool {
+				// search for return stmts
+				// TODO: what about nested functions?
+				if ret, ok := n.(*ast.ReturnStmt); ok {
+					for _, res := range ret.Results {
+						ast.Inspect(res, func(n ast.Node) bool {
+							if expr, ok := n.(ast.Expr); ok {
+								handler.HandleGoTrArgument(fset, expr, *matchInsPrefix)
+							}
+							return true
+						})
+					}
+					return false
 				}
+				return true
+			})
+		}
+
+		if matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKey"); matchInsPrefix != nil {
+			results := n2.Type.Results.List
+			if len(results) != 1 {
+				handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
+				return true
 			}
 
-			if gotUnexpectedInvoke != nil {
-				handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
-			}
-
-		case *ast.CompositeLit:
-			if strings.HasSuffix(fname, "models/unit/unit.go") {
-				lluUnit.HandleCompositeUnit(handler, fset, n2)
-			} else if strings.Contains(fname, "models/asymkey/") {
-				lluAsymKey.HandleCompositeErrorReason(handler, fset, n2)
-			}
-
-		case *ast.FuncDecl:
-			matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, "llu:returnsTrKey")
-			if matchInsPrefix != nil {
-				results := n2.Type.Results.List
-				if len(results) != 1 {
-					handler.OnWarning(fset, n2.Type.Func, fmt.Sprintf("function %s has unexpected return type; expected single return value", n2.Name.Name))
-					return true
+			ast.Inspect(n2.Body, func(n ast.Node) bool {
+				// search for return stmts
+				if ret, ok := n.(*ast.ReturnStmt); ok {
+					for _, res := range ret.Results {
+						handler.HandleGoTrArgument(fset, res, *matchInsPrefix)
+					}
+					return false
+				} else if _, ok := n.(*ast.FuncDecl); ok {
+					ast.Inspect(n, func(n2 ast.Node) bool {
+						return HandleGoNode(handler, fset, fname, n2)
+					})
+					// don't search inside nested functions for return stmts
+					return false
 				}
+				return true
+			})
+		}
 
-				ast.Inspect(n2.Body, func(n ast.Node) bool {
-					// search for return stmts
-					// TODO: what about nested functions?
-					if ret, ok := n.(*ast.ReturnStmt); ok {
-						for _, res := range ret.Results {
-							ast.Inspect(res, func(n ast.Node) bool {
-								if expr, ok := n.(ast.Expr); ok {
-									handler.HandleGoTrArgument(fset, expr, *matchInsPrefix)
-								}
-								return true
-							})
-						}
+		if strings.HasSuffix(fname, "services/migrations/migrate.go") {
+			lluMigrate.HandleMessengerInFunc(handler, fset, n2)
+		}
+		return true
+	case *ast.GenDecl:
+		switch n2.Tok {
+		case token.CONST, token.VAR:
+			matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, " llu:TrKeys")
+			if matchInsPrefix == nil {
+				return true
+			}
+			for _, spec := range n2.Specs {
+				// interpret all contained strings as message IDs
+				ast.Inspect(spec, func(n ast.Node) bool {
+					if argLit, ok := n.(*ast.BasicLit); ok {
+						handler.HandleGoTrBasicLit(fset, argLit, *matchInsPrefix)
 						return false
 					}
 					return true
 				})
 			}
 
-			if strings.HasSuffix(fname, "services/migrations/migrate.go") {
-				lluMigrate.HandleMessengerInFunc(handler, fset, n2)
-			}
-			return true
-		case *ast.GenDecl:
-			switch n2.Tok {
-			case token.CONST, token.VAR:
-				matchInsPrefix := handler.HandleGoCommentGroup(fset, n2.Doc, " llu:TrKeys")
-				if matchInsPrefix == nil {
-					return true
-				}
-				for _, spec := range n2.Specs {
-					// interpret all contained strings as message IDs
-					ast.Inspect(spec, func(n ast.Node) bool {
-						if argLit, ok := n.(*ast.BasicLit); ok {
-							handler.HandleGoTrBasicLit(fset, argLit, *matchInsPrefix)
-							return false
-						}
-						return true
-					})
-				}
+		case token.TYPE:
+			// modules/web/middleware/binding.go:Validate uses the convention that structs
+			// entries can have tags.
+			// In particular, `locale:$msgid` should be handled; any fields with `form:-` shouldn't.
+			// Problem: we don't know which structs are forms, actually.
 
-			case token.TYPE:
-				// modules/web/middleware/binding.go:Validate uses the convention that structs
-				// entries can have tags.
-				// In particular, `locale:$msgid` should be handled; any fields with `form:-` shouldn't.
-				// Problem: we don't know which structs are forms, actually.
-
-				for _, spec := range n2.Specs {
-					tspec := spec.(*ast.TypeSpec)
-					structNode, ok := tspec.Type.(*ast.StructType)
-					if !ok || !(strings.HasSuffix(tspec.Name.Name, "Form") ||
-						(tspec.Doc != nil &&
-							slices.ContainsFunc(tspec.Doc.List, func(c *ast.Comment) bool {
-								return c.Text == "// swagger:model"
-							}))) {
+			for _, spec := range n2.Specs {
+				tspec := spec.(*ast.TypeSpec)
+				structNode, ok := tspec.Type.(*ast.StructType)
+				if !ok || !(strings.HasSuffix(tspec.Name.Name, "Form") ||
+					(tspec.Doc != nil &&
+						slices.ContainsFunc(tspec.Doc.List, func(c *ast.Comment) bool {
+							return c.Text == "// swagger:model"
+						}))) {
+					continue
+				}
+				for _, field := range structNode.Fields.List {
+					if field.Names == nil {
 						continue
 					}
-					for _, field := range structNode.Fields.List {
-						if field.Names == nil {
-							continue
-						}
-						if len(field.Names) != 1 {
-							handler.OnWarning(fset, field.Type.Pos(), "unsupported multiple field names")
-							continue
-						}
-						msgidPos := field.Names[0].NamePos
-						msgid := "form." + field.Names[0].Name
-						if field.Tag != nil && field.Tag.Kind == token.STRING {
-							rawTag, err := strconv.Unquote(field.Tag.Value)
-							if err != nil {
-								handler.OnWarning(fset, field.Tag.ValuePos, "invalid tag value encountered")
-								continue
-							}
-							tag := reflect.StructTag(rawTag)
-							if tag.Get("form") == "-" {
-								continue
-							}
-							tmp := tag.Get("locale")
-							if len(tmp) != 0 {
-								msgidPos = field.Tag.ValuePos
-								msgid = tmp
-							}
-						}
-						handler.OnMsgid(fset, msgidPos, msgid, true)
+					if len(field.Names) != 1 {
+						handler.OnWarning(fset, field.Type.Pos(), "unsupported multiple field names")
+						continue
 					}
+					msgidPos := field.Names[0].NamePos
+					msgid := "form." + field.Names[0].Name
+					if field.Tag != nil && field.Tag.Kind == token.STRING {
+						rawTag, err := strconv.Unquote(field.Tag.Value)
+						if err != nil {
+							handler.OnWarning(fset, field.Tag.ValuePos, "invalid tag value encountered")
+							continue
+						}
+						tag := reflect.StructTag(rawTag)
+						if tag.Get("form") == "-" {
+							continue
+						}
+						tmp := tag.Get("locale")
+						if len(tmp) != 0 {
+							msgidPos = field.Tag.ValuePos
+							msgid = tmp
+						}
+					}
+					handler.OnMsgid(fset, msgidPos, msgid, true)
 				}
 			}
 		}
+	}
 
-		return true
-	})
-
-	return nil
+	return true
 }
diff --git a/build/lint-locale-usage/bin/lint-locale-usage.go b/build/lint-locale-usage/bin/lint-locale-usage.go
index 311e632461..f04b14f3b2 100644
--- a/build/lint-locale-usage/bin/lint-locale-usage.go
+++ b/build/lint-locale-usage/bin/lint-locale-usage.go
@@ -13,6 +13,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"regexp"
 	"sort"
 	"strings"
 
@@ -44,12 +45,57 @@ type StringTrie interface {
 
 type StringTrieMap map[string]StringTrie
 
+func printfPatternToRegex(key string) (string, bool) {
+	parts := strings.Split(key, "%")
+	if len(parts) < 2 {
+		return key, false
+	}
+	var pattern strings.Builder
+	pattern.WriteString("^")
+	pattern.WriteString(parts[0])
+	skip := false
+	for _, part := range parts[1:] {
+		if skip {
+			skip = false
+			continue
+		}
+		if len(part) == 0 {
+			// "%%"
+			pattern.WriteString("%")
+			continue
+		}
+		switch part[0] {
+		case 'd':
+			pattern.WriteString("[0-9]+")
+		default:
+			pattern.WriteString("[A-Za-z0-9]*")
+		}
+		pattern.WriteString(part[1:])
+	}
+	pattern.WriteString("$")
+	return pattern.String(), true
+}
+
 func (m StringTrieMap) Matches(key []string) bool {
 	if len(key) == 0 || m == nil {
 		return true
 	}
 	value, ok := m[key[0]]
 	if !ok {
+		for altKey, value := range m {
+			// TODO: cache mapping $printfFormatString -> $regexpCompileOutput
+			pattern, found := printfPatternToRegex(altKey)
+			if !found {
+				continue
+			}
+			matched, err := regexp.MatchString(pattern, key[0])
+			if err != nil {
+				panic(fmt.Sprintf("unable to compile regexp '%s': %s", pattern, err.Error()))
+			}
+			if matched && (value == nil || value.Matches(key[1:])) {
+				return true
+			}
+		}
 		return false
 	}
 	if value == nil {
@@ -101,7 +147,7 @@ func ParseAllowedMaskedUsages(fname string, usedMsgids container.Set[string], al
 		if line == "" || strings.HasPrefix(line, "#") {
 			continue
 		}
-		if linePrefix, found := strings.CutSuffix(line, "."); found {
+		if linePrefix, found := strings.CutSuffix(line, "."); found || strings.Contains(line, "%") {
 			allowedMaskedPrefixes.Insert(strings.Split(linePrefix, "."))
 		} else {
 			if !chkMsgid(line) {
@@ -145,9 +191,14 @@ func Usage() {
 
 	fmt.Fprintf(outp, "\nSpecial Go doc comments:\n")
 	for _, i := range []string{
+		"//llu:returnsTrKeyWeak",
+		"\tcan be used in front of functions to indicate",
+		"\tthat the function returns message IDs (allows nesting inside complicated function calls)",
+		"\tWARNING: this currently doesn't support nested functions properly",
+		"",
 		"//llu:returnsTrKey",
 		"\tcan be used in front of functions to indicate",
-		"\tthat the function returns message IDs",
+		"\tthat the function returns message IDs (doesn't allow nesting inside complicated function calls)",
 		"\tWARNING: this currently doesn't support nested functions properly",
 		"",
 		"//llu:returnsTrKeySuffix prefix.",
@@ -260,6 +311,10 @@ func main() {
 	}
 
 	handler := llu.Handler{
+		OnMsgidPattern: func(fset *token.FileSet, pos token.Pos, msgidPattern string) {
+			msgidPatternSplit := strings.Split(msgidPattern, ".")
+			allowedMaskedPrefixes.Insert(msgidPatternSplit)
+		},
 		OnMsgidPrefix: func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool) {
 			msgidPrefixSplit := strings.Split(msgidPrefix, ".")
 			if !truncated {
@@ -270,6 +325,10 @@ func main() {
 			}
 		},
 		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string, weak bool) {
+			if strings.Contains(msgid, "%") {
+				fmt.Printf("%s:\tunexpected msgid pattern: %s\n", fset.Position(pos).String(), msgid)
+				return
+			}
 			if !msgids.Contains(msgid) {
 				if weak && allowWeakMissingMsgids {
 					return
diff --git a/build/lint-locale-usage/handle-go.go b/build/lint-locale-usage/handle-go.go
index 44229e52f7..a8e478a6ef 100644
--- a/build/lint-locale-usage/handle-go.go
+++ b/build/lint-locale-usage/handle-go.go
@@ -34,12 +34,14 @@ func (handler Handler) HandleGoTrBasicLit(fset *token.FileSet, argLit *ast.Basic
 }
 
 func (handler Handler) HandleGoTrArgument(fset *token.FileSet, n ast.Expr, prefix string) {
-	if argLit, ok := n.(*ast.BasicLit); ok {
-		handler.HandleGoTrBasicLit(fset, argLit, prefix)
-	} else if argBinExpr, ok := n.(*ast.BinaryExpr); ok {
-		if argBinExpr.Op != token.ADD {
+	switch n := n.(type) {
+	case *ast.BasicLit:
+		handler.HandleGoTrBasicLit(fset, n, prefix)
+
+	case *ast.BinaryExpr:
+		if n.Op != token.ADD {
 			// pass
-		} else if argLit, ok := argBinExpr.X.(*ast.BasicLit); ok && argLit.Kind == token.STRING {
+		} else if argLit, ok := n.X.(*ast.BasicLit); ok && argLit.Kind == token.STRING {
 			// extract string content
 			arg, err := strconv.Unquote(argLit.Value)
 			if err != nil {
@@ -53,6 +55,39 @@ func (handler Handler) HandleGoTrArgument(fset *token.FileSet, n ast.Expr, prefi
 			}
 			handler.OnMsgidPrefix(fset, argLit.ValuePos, prep, trunc)
 		}
+
+	case *ast.CallExpr:
+		if selExpr, ok := n.Fun.(*ast.SelectorExpr); ok {
+			if xIdent, xok := selExpr.X.(*ast.Ident); !xok || xIdent.Name != "fmt" {
+				return
+			}
+			if selExpr.Sel.Name != "Sprintf" {
+				handler.OnWarning(fset, selExpr.Sel.NamePos, fmt.Sprintf("unexpected formatting function encountered: %s", selExpr.Sel.Name))
+				return
+			}
+			if len(n.Args) == 0 {
+				handler.OnWarning(fset, selExpr.Sel.NamePos, fmt.Sprintf("unexpected formatting function invocation (no arguments) of '%s'", selExpr.Sel.Name))
+				return
+			}
+
+			if argLit, ok := n.Args[0].(*ast.BasicLit); ok && argLit.Kind == token.STRING {
+				// extract string content
+				arg, err := strconv.Unquote(argLit.Value)
+				if err != nil {
+					return
+				}
+				if strings.Contains(arg, " ") {
+					handler.OnWarning(fset, argLit.ValuePos, fmt.Sprintf(
+						"formatting function invocation of '%s' with weird msgid format string: %s",
+						selExpr.Sel.Name,
+						arg,
+					))
+					return
+				}
+				// found interesting strings
+				handler.OnMsgidPattern(fset, argLit.ValuePos, prefix+arg)
+			}
+		}
 	}
 }
 
diff --git a/build/lint-locale-usage/handle-tmpl.go b/build/lint-locale-usage/handle-tmpl.go
index 7fbda8ffd5..e37c1eb486 100644
--- a/build/lint-locale-usage/handle-tmpl.go
+++ b/build/lint-locale-usage/handle-tmpl.go
@@ -150,16 +150,12 @@ func (handler Handler) handleTemplateMsgid(fset *token.FileSet, node tmplParser.
 			handler.OnMsgid(fset, stringPos, msgidPrefix, false)
 		} else {
 			if nodeIdent.Ident == "printf" {
-				parts := strings.SplitN(msgidPrefix, "%", 2)
-				if len(parts) != 2 {
-					handler.OnWarning(
-						fset,
-						stringPos,
-						fmt.Sprintf("unsupported invocation of locate function (format string doesn't match \"prefix%%smth\" pattern): %s", nodeString.String()),
-					)
+				// found interesting strings
+				if !(strings.HasSuffix(msgidPrefix, ".%s") && strings.Count(msgidPrefix, "%") == 1) {
+					handler.OnMsgidPattern(fset, stringPos, msgidPrefix)
 					return
 				}
-				msgidPrefix = parts[0]
+				msgidPrefix = strings.TrimSuffix(msgidPrefix, "%s")
 			}
 
 			msgidPrefixFin, truncated := PrepareMsgidPrefix(msgidPrefix)
diff --git a/build/lint-locale-usage/handler.go b/build/lint-locale-usage/handler.go
index 6673ac3a4d..ef517cd040 100644
--- a/build/lint-locale-usage/handler.go
+++ b/build/lint-locale-usage/handler.go
@@ -47,6 +47,7 @@ func InitLocaleTrFunctions() map[string][]uint {
 type Handler struct {
 	OnMsgid            func(fset *token.FileSet, pos token.Pos, msgid string, weak bool)
 	OnMsgidPrefix      func(fset *token.FileSet, pos token.Pos, msgidPrefix string, truncated bool)
+	OnMsgidPattern     func(fset *token.FileSet, pos token.Pos, msgidPattern string)
 	OnUnexpectedInvoke func(fset *token.FileSet, pos token.Pos, funcname string, argc int)
 	OnWarning          func(fset *token.FileSet, pos token.Pos, msg string)
 	LocaleTrFunctions  map[string][]uint
diff --git a/models/project/project.go b/models/project/project.go
index 8f3d09b956..be1b9d59c6 100644
--- a/models/project/project.go
+++ b/models/project/project.go
@@ -184,7 +184,7 @@ func init() {
 
 // GetCardConfig retrieves the types of configurations project column cards could have
 //
-//llu:returnsTrKey
+//llu:returnsTrKeyWeak
 func GetCardConfig() []CardConfig {
 	return []CardConfig{
 		{CardTypeTextOnly, "repo.projects.card_type.text_only"},
diff --git a/models/project/template.go b/models/project/template.go
index 278cf5b781..3d55cd27f2 100644
--- a/models/project/template.go
+++ b/models/project/template.go
@@ -27,7 +27,7 @@ const (
 
 // GetTemplateConfigs retrieves the template configs of configurations project columns could have
 //
-//llu:returnsTrKey
+//llu:returnsTrKeyWeak
 func GetTemplateConfigs() []TemplateConfig {
 	return []TemplateConfig{
 		{TemplateTypeNone, "repo.projects.type.none"},
diff --git a/models/system/notice.go b/models/system/notice.go
index b1fdd2e4f2..7801686889 100644
--- a/models/system/notice.go
+++ b/models/system/notice.go
@@ -38,6 +38,8 @@ func init() {
 }
 
 // TrStr returns a translation format string.
+//
+//llu:returnsTrKey
 func (n *Notice) TrStr() string {
 	return fmt.Sprintf("admin.notices.type_%d", n.Type)
 }
diff --git a/templates/repo/issue/view_content.tmpl b/templates/repo/issue/view_content.tmpl
index 08a8daade9..235112b47b 100644
--- a/templates/repo/issue/view_content.tmpl
+++ b/templates/repo/issue/view_content.tmpl
@@ -110,14 +110,14 @@
 												</span>
 											</button>
 										{{else}}
-											{{$closeTranslationKey := "repo.issues.close"}}
+											{{$closeTranslation := ctx.Locale.Tr "repo.issues.close"}}
 											{{if .Issue.IsPull}}
-												{{$closeTranslationKey = "repo.pulls.close"}}
+												{{$closeTranslation = ctx.Locale.Tr "repo.pulls.close"}}
 											{{end}}
-											<button id="status-button" class="secondary button" data-status="{{ctx.Locale.Tr $closeTranslationKey}}" data-status-and-comment="{{ctx.Locale.Tr "repo.issues.close_comment_issue"}}" name="status" value="close">
+											<button id="status-button" class="secondary button" data-status="{{$closeTranslation}}" data-status-and-comment="{{ctx.Locale.Tr "repo.issues.close_comment_issue"}}" name="status" value="close">
 												{{svg "octicon-issue-closed"}}
 												<span>
-													{{ctx.Locale.Tr $closeTranslationKey}}
+													{{$closeTranslation}}
 												</span>
 											</button>
 										{{end}}
diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl
index bde6a0b5b2..b3de7ed155 100644
--- a/templates/repo/issue/view_content/comments.tmpl
+++ b/templates/repo/issue/view_content/comments.tmpl
@@ -129,13 +129,13 @@
 			{{if ne .RefRepoID .Issue.RepoID}}
 				{{$refFrom = ctx.Locale.Tr "repo.issues.ref_from" .RefRepo.FullName}}
 			{{end}}
-			{{$refTr := "repo.issues.ref_issue_from"}}
+			{{$refTr := "issue"}}
 			{{if .Issue.IsPull}}
-				{{$refTr = "repo.issues.ref_pull_from"}}
+				{{$refTr = "pull"}}
 			{{else if eq .RefAction 1}}
-				{{$refTr = "repo.issues.ref_closing_from"}}
+				{{$refTr = "closing"}}
 			{{else if eq .RefAction 2}}
-				{{$refTr = "repo.issues.ref_reopening_from"}}
+				{{$refTr = "reopening"}}
 			{{end}}
 			<div class="timeline-item event" id="{{.HashTag}}">
 				<span class="badge">{{svg "octicon-bookmark"}}</span>
@@ -143,7 +143,7 @@
 				{{if eq .RefAction 3}}<del>{{end}}
 				<span class="text grey muted-links">
 					{{template "shared/user/authorlink" .Poster}}
-					{{ctx.Locale.Tr $refTr $createdStr (.RefCommentLink ctx) $refFrom}}
+					{{ctx.Locale.Tr (printf "repo.issues.ref_%s_from" $refTr) $createdStr (.RefCommentLink ctx) $refFrom}}
 				</span>
 				{{if eq .RefAction 3}}</del>{{end}}
 

From 948f8cc61a98f9bd4a018260d32bac69586195f1 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 1 May 2026 04:14:12 +0200
Subject: [PATCH 206/287] Update dependency @stoplight/spectral-cli to v6.15.1
 (forgejo) (#12359)

---
 package-lock.json | 51 ++++++++---------------------------------------
 package.json      |  2 +-
 2 files changed, 9 insertions(+), 44 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e04d4747e4..9fc22b22ad 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -85,7 +85,7 @@
         "@axe-core/playwright": "4.11.2",
         "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
         "@playwright/test": "1.58.2",
-        "@stoplight/spectral-cli": "6.15.0",
+        "@stoplight/spectral-cli": "6.15.1",
         "@stylistic/eslint-plugin": "5.10.0",
         "@stylistic/stylelint-plugin": "4.0.1",
         "@vitejs/plugin-vue": "6.0.5",
@@ -3444,9 +3444,9 @@
       }
     },
     "node_modules/@stoplight/spectral-cli": {
-      "version": "6.15.0",
-      "resolved": "https://registry.npmjs.org/@stoplight/spectral-cli/-/spectral-cli-6.15.0.tgz",
-      "integrity": "sha512-FVeQIuqQQnnLfa8vy+oatTKUve7uU+3SaaAfdjpX/B+uB1NcfkKRJYhKT9wMEehDRaMPL5AKIRYMCFerdEbIpw==",
+      "version": "6.15.1",
+      "resolved": "https://registry.npmjs.org/@stoplight/spectral-cli/-/spectral-cli-6.15.1.tgz",
+      "integrity": "sha512-ev72bUglbaZvFSMWCP5o1Iso5NGgbLZOAuedvRxYrUMey9dVCR83i033tSFvDv6cpj86HsbEmiilh8vwrY/asQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3464,7 +3464,7 @@
         "chalk": "4.1.2",
         "fast-glob": "~3.2.12",
         "hpagent": "~1.2.0",
-        "lodash": "~4.17.21",
+        "lodash": "^4.18.1",
         "pony-cause": "^1.1.1",
         "stacktracey": "^2.1.8",
         "tslib": "^2.8.1",
@@ -3572,13 +3572,6 @@
         "concat-map": "0.0.1"
       }
     },
-    "node_modules/@stoplight/spectral-core/node_modules/lodash": {
-      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@stoplight/spectral-core/node_modules/minimatch": {
       "version": "3.1.5",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
@@ -3633,13 +3626,6 @@
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
-    "node_modules/@stoplight/spectral-formatters/node_modules/lodash": {
-      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@stoplight/spectral-functions": {
       "version": "1.10.2",
       "resolved": "https://registry.npmjs.org/@stoplight/spectral-functions/-/spectral-functions-1.10.2.tgz",
@@ -3663,13 +3649,6 @@
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
-    "node_modules/@stoplight/spectral-functions/node_modules/lodash": {
-      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@stoplight/spectral-parsers": {
       "version": "1.0.5",
       "resolved": "https://registry.npmjs.org/@stoplight/spectral-parsers/-/spectral-parsers-1.0.5.tgz",
@@ -3821,13 +3800,6 @@
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
-    "node_modules/@stoplight/spectral-rulesets/node_modules/lodash": {
-      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@stoplight/spectral-runtime": {
       "version": "1.1.5",
       "resolved": "https://registry.npmjs.org/@stoplight/spectral-runtime/-/spectral-runtime-1.1.5.tgz",
@@ -3847,13 +3819,6 @@
         "node": "^16.20 || ^18.18 || >= 20.17"
       }
     },
-    "node_modules/@stoplight/spectral-runtime/node_modules/lodash": {
-      "version": "4.18.1",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
-      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@stoplight/types": {
       "version": "13.20.0",
       "resolved": "https://registry.npmjs.org/@stoplight/types/-/types-13.20.0.tgz",
@@ -11235,9 +11200,9 @@
       }
     },
     "node_modules/lodash": {
-      "version": "4.17.23",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
-      "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
       "dev": true,
       "license": "MIT"
     },
diff --git a/package.json b/package.json
index 68829a112f..c54633e526 100644
--- a/package.json
+++ b/package.json
@@ -84,7 +84,7 @@
     "@axe-core/playwright": "4.11.2",
     "@eslint-community/eslint-plugin-eslint-comments": "4.7.1",
     "@playwright/test": "1.58.2",
-    "@stoplight/spectral-cli": "6.15.0",
+    "@stoplight/spectral-cli": "6.15.1",
     "@stylistic/eslint-plugin": "5.10.0",
     "@stylistic/stylelint-plugin": "4.0.1",
     "@vitejs/plugin-vue": "6.0.5",

From b5e7a72e10a5e87d275caec9dcf4b456f6120c74 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 1 May 2026 05:41:56 +0200
Subject: [PATCH 207/287] Update dependency @vue/test-utils to v2.4.9 (forgejo)
 (#12361)

---
 package-lock.json | 26 ++++++++++++++++++--------
 package.json      |  2 +-
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 9fc22b22ad..d15dd099b0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -91,7 +91,7 @@
         "@vitejs/plugin-vue": "6.0.5",
         "@vitest/coverage-v8": "4.1.2",
         "@vitest/eslint-plugin": "1.6.13",
-        "@vue/test-utils": "2.4.6",
+        "@vue/test-utils": "2.4.9",
         "eslint": "9.39.4",
         "eslint-import-resolver-typescript": "4.4.4",
         "eslint-plugin-array-func": "5.1.1",
@@ -5251,14 +5251,24 @@
       "license": "MIT"
     },
     "node_modules/@vue/test-utils": {
-      "version": "2.4.6",
-      "resolved": "https://registry.npmjs.org/@vue/test-utils/-/test-utils-2.4.6.tgz",
-      "integrity": "sha512-FMxEjOpYNYiFe0GkaHsnJPXFHxQ6m4t8vI/ElPGpMWxZKpmRvQ33OIrvRXemy6yha03RxhOlQuy+gZMC3CQSow==",
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@vue/test-utils/-/test-utils-2.4.9.tgz",
+      "integrity": "sha512-YwgowiO1mPleZqpgAGfxvWu/A5A8nkLrbyH2SqiQRkyzCIaDzzo27/2uS/F1g7fRLvl8BUY0+Sr1eC+6+IHfrw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "js-beautify": "^1.14.9",
-        "vue-component-type-helpers": "^2.0.0"
+        "vue-component-type-helpers": "^3.0.0"
+      },
+      "peerDependencies": {
+        "@vue/compiler-dom": "3.x",
+        "@vue/server-renderer": "3.x",
+        "vue": "3.x"
+      },
+      "peerDependenciesMeta": {
+        "@vue/server-renderer": {
+          "optional": true
+        }
       }
     },
     "node_modules/@webassemblyjs/ast": {
@@ -16046,9 +16056,9 @@
       }
     },
     "node_modules/vue-component-type-helpers": {
-      "version": "2.2.12",
-      "resolved": "https://registry.npmjs.org/vue-component-type-helpers/-/vue-component-type-helpers-2.2.12.tgz",
-      "integrity": "sha512-YbGqHZ5/eW4SnkPNR44mKVc6ZKQoRs/Rux1sxC6rdwXb4qpbOSYfDr9DsTHolOTGmIKgM9j141mZbBeg05R1pw==",
+      "version": "3.2.7",
+      "resolved": "https://registry.npmjs.org/vue-component-type-helpers/-/vue-component-type-helpers-3.2.7.tgz",
+      "integrity": "sha512-+gPp5YGmhfsj1IN+xUo7y0fb4clfnOiiUA39y07yW1VzCRjzVgwLbtmdWlghh7mXrPsEaYc7rrIir/HT6C8vYQ==",
       "dev": true,
       "license": "MIT"
     },
diff --git a/package.json b/package.json
index c54633e526..3c5e2f062b 100644
--- a/package.json
+++ b/package.json
@@ -90,7 +90,7 @@
     "@vitejs/plugin-vue": "6.0.5",
     "@vitest/coverage-v8": "4.1.2",
     "@vitest/eslint-plugin": "1.6.13",
-    "@vue/test-utils": "2.4.6",
+    "@vue/test-utils": "2.4.9",
     "eslint": "9.39.4",
     "eslint-import-resolver-typescript": "4.4.4",
     "eslint-plugin-array-func": "5.1.1",

From cb05be1a09425acc403c291502435e4933f235d2 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 1 May 2026 06:58:54 +0200
Subject: [PATCH 208/287] Update dependency swagger-ui-dist to v5.32.5
 (forgejo) (#12363)

---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index d15dd099b0..6a67c83fe6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -64,7 +64,7 @@
         "postcss-nesting": "14.0.0",
         "pretty-ms": "9.0.0",
         "sortablejs": "1.15.7",
-        "swagger-ui-dist": "5.32.4",
+        "swagger-ui-dist": "5.32.5",
         "tailwindcss": "3.4.19",
         "throttle-debounce": "5.0.0",
         "tinycolor2": "1.6.0",
@@ -15026,9 +15026,9 @@
       }
     },
     "node_modules/swagger-ui-dist": {
-      "version": "5.32.4",
-      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.32.4.tgz",
-      "integrity": "sha512-0AADFFQNJzExEN49SrD/34Nn9cxNxVLiydYl2MBwSZFPVXNkVwC/EFAjoezGGqE8oDegiDC+p47t8lKObCinMQ==",
+      "version": "5.32.5",
+      "resolved": "https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-5.32.5.tgz",
+      "integrity": "sha512-7/FQfWe9A4qoyYFdAwy0chD0uDYidDp/ZT9VQ9LZlgD4AnnHJk8/+ytAA1HkJYOPySmK6helPDdJQMlcumt7HA==",
       "license": "Apache-2.0",
       "dependencies": {
         "@scarf/scarf": "=1.4.0"
diff --git a/package.json b/package.json
index 3c5e2f062b..9d0a453585 100644
--- a/package.json
+++ b/package.json
@@ -63,7 +63,7 @@
     "postcss-nesting": "14.0.0",
     "pretty-ms": "9.0.0",
     "sortablejs": "1.15.7",
-    "swagger-ui-dist": "5.32.4",
+    "swagger-ui-dist": "5.32.5",
     "tailwindcss": "3.4.19",
     "throttle-debounce": "5.0.0",
     "tinycolor2": "1.6.0",

From 67250869d365114528fc3505435bf801698d2387 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 1 May 2026 15:50:41 +0200
Subject: [PATCH 209/287] Update dependency @vitejs/plugin-vue to v6.0.6
 (forgejo) (#12360)

---
 package-lock.json | 16 ++++++++--------
 package.json      |  2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 6a67c83fe6..fe96fe60f6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -88,7 +88,7 @@
         "@stoplight/spectral-cli": "6.15.1",
         "@stylistic/eslint-plugin": "5.10.0",
         "@stylistic/stylelint-plugin": "4.0.1",
-        "@vitejs/plugin-vue": "6.0.5",
+        "@vitejs/plugin-vue": "6.0.6",
         "@vitest/coverage-v8": "4.1.2",
         "@vitest/eslint-plugin": "1.6.13",
         "@vue/test-utils": "2.4.9",
@@ -3248,9 +3248,9 @@
       }
     },
     "node_modules/@rolldown/pluginutils": {
-      "version": "1.0.0-rc.2",
-      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.2.tgz",
-      "integrity": "sha512-izyXV/v+cHiRfozX62W9htOAvwMo4/bXKDrQ+vom1L1qRuexPock/7VZDAhnpHCLNejd3NJ6hiab+tO0D44Rgw==",
+      "version": "1.0.0-rc.13",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.13.tgz",
+      "integrity": "sha512-3ngTAv6F/Py35BsYbeeLeecvhMKdsKm4AoOETVhAA+Qc8nrA2I0kF7oa93mE9qnIurngOSpMnQ0x2nQY2FPviA==",
       "dev": true,
       "license": "MIT"
     },
@@ -4913,13 +4913,13 @@
       }
     },
     "node_modules/@vitejs/plugin-vue": {
-      "version": "6.0.5",
-      "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-6.0.5.tgz",
-      "integrity": "sha512-bL3AxKuQySfk1iGcBsQnoRVexTPJq0Z/ixFVM8OhVJAP6ZXXXLtM7NFKWhLl30Kg7uTBqIaPXbh+nuQCuBDedg==",
+      "version": "6.0.6",
+      "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-6.0.6.tgz",
+      "integrity": "sha512-u9HHgfrq3AjXlysn0eINFnWQOJQLO9WN6VprZ8FXl7A2bYisv3Hui9Ij+7QZ41F/WYWarHjwBbXtD7dKg3uxbg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@rolldown/pluginutils": "1.0.0-rc.2"
+        "@rolldown/pluginutils": "1.0.0-rc.13"
       },
       "engines": {
         "node": "^20.19.0 || >=22.12.0"
diff --git a/package.json b/package.json
index 9d0a453585..0669dc04c1 100644
--- a/package.json
+++ b/package.json
@@ -87,7 +87,7 @@
     "@stoplight/spectral-cli": "6.15.1",
     "@stylistic/eslint-plugin": "5.10.0",
     "@stylistic/stylelint-plugin": "4.0.1",
-    "@vitejs/plugin-vue": "6.0.5",
+    "@vitejs/plugin-vue": "6.0.6",
     "@vitest/coverage-v8": "4.1.2",
     "@vitest/eslint-plugin": "1.6.13",
     "@vue/test-utils": "2.4.9",

From 7fc236c58941b530fb88ff51b84d92070981ee78 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Fri, 1 May 2026 17:42:34 +0200
Subject: [PATCH 210/287] feat: allow Forgejo Actions to be used an Authorized
 Integration in-memory with internal issuer (#12364)

Allow JWTs that are generated by Forgejo Actions to be validated within Forgejo in-memory.  Without any special support for this internal access situation, these problems would occur:

1. Forgejo would need to make an HTTP request to itself to get the valid public key for the JWT, in order to validate its signature.  This is a waste of resources, and introduces a self-DoS risk.
2. Forgejo would need to be available via TLS in order for Actions to make service calls to Forgejo with that JWT, due to the TLS requirement for public key fetching.  This would be a blocker for writing end-to-end tests for Forgejo, but also would affect users who do not host Forgejo with TLS.
3. Authorized Integrations would need to be saved with the `issuer` URL of Forgejo.  If Forgejo's own `setting.AppURL` changed, all the persisted records in the database would become incorrect.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12364
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 .mockery.yml                                  |   1 +
 ...in_user_generate_authorized_integration.go |  10 +-
 routers/api/actions/oidc.go                   |  15 ++
 .../auth/method/authorized_integration.go     |  55 +++++++-
 .../method/authorized_integration_test.go     | 113 ++++++++++++++-
 services/auth/method/mocks_test.go            | 129 ++++++++++++++++++
 .../integration/api_actions_id_token_test.go  |  36 +++++
 7 files changed, 355 insertions(+), 4 deletions(-)
 create mode 100644 services/auth/method/mocks_test.go

diff --git a/.mockery.yml b/.mockery.yml
index 7c98b29508..2e9427cd77 100644
--- a/.mockery.yml
+++ b/.mockery.yml
@@ -4,6 +4,7 @@ packages:
   forgejo.org/modules/nosql:
     config:
       filename: mocks.go # make mocks public so that external packages can use
+  forgejo.org/services/auth/method:
   forgejo.org/services/authz:
     config:
       filename: authorization_reducer_mock.go # make mocks public so that external packages can use
diff --git a/cmd/admin_user_generate_authorized_integration.go b/cmd/admin_user_generate_authorized_integration.go
index 5f3e13a48e..fc159d90ae 100644
--- a/cmd/admin_user_generate_authorized_integration.go
+++ b/cmd/admin_user_generate_authorized_integration.go
@@ -23,8 +23,14 @@ import (
 
 func microcmdUserCreateAuthorizedIntegration() *cli.Command {
 	return &cli.Command{
-		Name:  "create-authorized-integration",
-		Usage: "Create an authorized integration for a specific user",
+		Name: "create-authorized-integration",
+		Description: `Creates an authorized integration. Authorized integrations allow Forgejo to
+receive JWTs from external sources, validate their claims against
+user-defined rules, and grant access to Forgejo's API on behalf of a user.
+
+The issuer may be set to "urn:forgejo:authorized-integrations:actions"
+to support JWTs from the local instance's Forgejo Actions, utilizing the
+enable-openid-connect flag in a workflow.`,
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:     "username",
diff --git a/routers/api/actions/oidc.go b/routers/api/actions/oidc.go
index 20cc44f36a..fc82bc299f 100644
--- a/routers/api/actions/oidc.go
+++ b/routers/api/actions/oidc.go
@@ -14,6 +14,7 @@ import (
 	"forgejo.org/modules/web"
 	web_types "forgejo.org/modules/web/types"
 	actions_service "forgejo.org/services/actions"
+	auth_method "forgejo.org/services/auth/method"
 	"forgejo.org/services/context"
 )
 
@@ -66,6 +67,7 @@ func init() {
 	web.RegisterResponseStatusProvider[*OIDCContext](func(req *http.Request) web_types.ResponseStatusProvider {
 		return req.Context().Value(oidcContextKey).(*OIDCContext)
 	})
+	auth_method.RegisterInternalIssuer("api/actions", internalIssuer{})
 }
 
 func OIDCContexter() func(next http.Handler) http.Handler {
@@ -143,3 +145,16 @@ func (o *oidcRoutes) configuration(ctx *OIDCContext) {
 func (o *oidcRoutes) keys(ctx *OIDCContext) {
 	ctx.JSON(http.StatusOK, o.jwks)
 }
+
+// Register Actions OIDC as an internal issuer for authorized integrations.  This allows an authorized integration to
+// have the value `urn:forgejo:authorized-integrations:actions` as an issuer, and perform JWT signature validation
+// against the in-memory signing key defined in this module.
+type internalIssuer struct{}
+
+func (internalIssuer) IssuerPlaceholder() string {
+	return "urn:forgejo:authorized-integrations:actions"
+}
+
+func (internalIssuer) SigningKey() jwtx.SigningKey {
+	return jwtSigningKey
+}
diff --git a/services/auth/method/authorized_integration.go b/services/auth/method/authorized_integration.go
index 368e1fe036..7c24c3c8c3 100644
--- a/services/auth/method/authorized_integration.go
+++ b/services/auth/method/authorized_integration.go
@@ -12,6 +12,7 @@ import (
 	"net/http"
 	"net/url"
 	"slices"
+	"strings"
 	"sync"
 	"time"
 
@@ -48,8 +49,40 @@ var (
 		return aiHTTPClient
 	}
 	getCache = cache.GetCache
+
+	internalIssuers = make(map[string]InternalIssuer)
 )
 
+// Authorized Integrations can verify the signature of JWTs that the application itself generated without requiring
+// remote access, and in a manner that is flexible to changes in [setting.AppURL].
+//
+// For example, Forgejo Actions is often used to access Forgejo with a JWT, by setting `enable-openid-connect: true` in
+// a workflow.  Without any special support for this internal access situation, problems would occur:
+//
+// 1. Forgejo would need to make an HTTP request to itself to get the valid public key for the JWT, in order to validate
+// its signature.  This is a waste of resources, and introduces a self-DoS risk.
+//
+// 2. Forgejo would need to be available via TLS in order for Actions to make service calls to Forgejo with that JWT
+// (due to the TLS requirement for public key fetching).
+//
+// 3. Authorized Integrations would need to be saved with the `issuer` URL of Forgejo.  If Forgejo's own
+// [setting.AppURL] changed, all the persisted records in the database would become incorrect.
+//
+// Internal Issuers work by registering a URL suffix like "/api/actions".  When a JWT is received with an issuer
+// matching [setting.AppURL] and the registered URL suffix, then the [InternalIssuer] interface is used to access the
+// JWT public key, and the value to be saved in the Authorized Integrations table as the issuer.
+func RegisterInternalIssuer(urlSuffix string, internalIssuer InternalIssuer) {
+	internalIssuers[urlSuffix] = internalIssuer
+}
+
+//mockery:generate: true
+type InternalIssuer interface {
+	// Signing key used to validate a JWT from this internal issuer.
+	SigningKey() jwtx.SigningKey
+	// Value to store in [auth_model.AuthorizedIntegration]'s Issuer field to reflect the use of this internal issuer.
+	IssuerPlaceholder() string
+}
+
 // Restrict document size to prevent resource exhaustion attack with a malicious authorized integration; largest
 // real-world openid-configuration observed is about 1kB, largest JWKS is 6kB, so for both cases 16kB should be
 // sufficient. If this needs to change in the future, it could be moved to a config setting -- but until a reason comes
@@ -111,7 +144,19 @@ func (a *AuthorizedIntegration) Verify(req *http.Request, w http.ResponseWriter,
 				return nil, fmt.Errorf("invalid `aud` claim: %q", audience)
 			}
 
-			authorizedIntegration, err = auth_model.GetAuthorizedIntegration(req.Context(), issuer, audience)
+			// Check if there's an internal issuer that matches the JWT's issuer, and if so, change `queryIssuer` to the
+			// internal issuer's placeholder, and store `internalIssuer` for later:
+			queryIssuer := issuer
+			var internalIssuer InternalIssuer
+			issuerSuffix := strings.TrimPrefix(issuer, setting.AppURL)
+			if issuer != issuerSuffix { // TrimPrefix will return a different string when the prefix was present
+				if ii, ok := internalIssuers[issuerSuffix]; ok {
+					internalIssuer = ii
+					queryIssuer = internalIssuer.IssuerPlaceholder()
+				}
+			}
+
+			authorizedIntegration, err = auth_model.GetAuthorizedIntegration(req.Context(), queryIssuer, audience)
 			if errors.Is(err, util.ErrNotExist) {
 				return nil, errors.New("matching authorized_integration not found")
 			} else if err != nil {
@@ -125,6 +170,14 @@ func (a *AuthorizedIntegration) Verify(req *http.Request, w http.ResponseWriter,
 				return nil, fmt.Errorf("claim mismatch: %w", err)
 			}
 
+			// If an internal issuer was found earlier, then we can skip the JWKS fetch and just use its in-memory
+			// signing key to validate the JWT.  It is critical we do this after the `checkClaims` above so that we
+			// don't miss important validation of the JWT.
+			if internalIssuer != nil {
+				key := internalIssuer.SigningKey().VerifyKey()
+				return key, nil
+			}
+
 			issuerURL, err := url.Parse(issuer)
 			if err != nil {
 				return nil, fmt.Errorf("failed parsing issuer: %w", err)
diff --git a/services/auth/method/authorized_integration_test.go b/services/auth/method/authorized_integration_test.go
index 16b09ae9ad..6bce1259c2 100644
--- a/services/auth/method/authorized_integration_test.go
+++ b/services/auth/method/authorized_integration_test.go
@@ -676,6 +676,89 @@ func TestAuthorizedIntegration(t *testing.T) {
 			})
 		})
 	})
+
+	t.Run("internal issuer", func(t *testing.T) {
+		t.Run("success", func(t *testing.T) {
+			ait := newInternalIssuerAITester(t)
+			defer ait.close()
+			output := ait.bearerRequest()
+			requireOutput[*auth.AuthenticationSuccess](t, output)
+		})
+
+		t.Run("mismatched issuer app URL", func(t *testing.T) {
+			ait := newInternalIssuerAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.Issuer = "https://example.org/fake-jwt-issuer" // correct suffix, incorrect prefix
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "matching authorized_integration not found")
+			ait.ii.ExpectedCalls = nil // InternalIssuer should have zero calls
+		})
+
+		t.Run("mismatched issuer URL suffix", func(t *testing.T) {
+			ait := newInternalIssuerAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.Issuer = setting.AppURL + "/fake-jwt-issuer-123" // correct prefix, incorrect suffix
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "matching authorized_integration not found")
+			ait.ii.ExpectedCalls = nil // InternalIssuer should have zero calls
+		})
+
+		t.Run("mismatched DB issuer placeholder", func(t *testing.T) {
+			ait := newInternalIssuerAITester(t,
+				aiDBTweak(func(ai *auth_model.AuthorizedIntegration) {
+					ai.Issuer = "urn:forgejo:authorized-issuer:internal:bad-choice-here"
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "matching authorized_integration not found")
+			ait.ii.ExpectedCalls = nil // InternalIssuer should have zero calls
+		})
+
+		t.Run("checks claim rules", func(t *testing.T) {
+			ait := newInternalIssuerAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.other["custom-claim"] = "oops wrong claim"
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "claim \"custom-claim\" must be \"custom-claim-value\"")
+			ait.ii.ExpectedCalls = []*mock.Call{ait.ii.ExpectedCalls[0]} // drop call to SigningKey() -- won't occur due to claim mismatch
+		})
+
+		t.Run("JWT times checked", func(t *testing.T) {
+			ait := newInternalIssuerAITester(t,
+				claimTweak(func(rc *flexibleClaims) {
+					rc.ExpiresAt = jwt.NewNumericDate(time.Date(2026, time.January, 1, 12, 0, 0, 0, time.Local))
+				}))
+			defer ait.close()
+			output := ait.bearerRequest()
+			err := requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "token is expired")
+		})
+
+		t.Run("signed by incorrect JWT key", func(t *testing.T) {
+			keyPath := filepath.Join(t.TempDir(), "jwt-rsa-2048-bad-key.priv")
+			badSigningKey, err := jwtx.InitAsymmetricSigningKey(keyPath, "RS256")
+			require.NoError(t, err)
+
+			ait := newInternalIssuerAITester(t, jwtClientSignatureTweak(func() jwtx.SigningKey {
+				return badSigningKey
+			}))
+			defer ait.close()
+
+			output := ait.bearerRequest()
+			err = requireOutput[*auth.AuthenticationAttemptedIncorrectCredential](t, output).Error
+			require.ErrorContains(t, err, "crypto/rsa: verification error")
+		})
+	})
 }
 
 type AuthorizedIntegrationTester struct {
@@ -686,6 +769,7 @@ type AuthorizedIntegrationTester struct {
 	testServer      *httptest.Server
 	resetHTTPClient func()
 	tweaks          []tweak
+	ii              *MockInternalIssuer
 }
 
 func newAITester(t *testing.T, tweaks ...tweak) *AuthorizedIntegrationTester {
@@ -788,6 +872,25 @@ func newAITester(t *testing.T, tweaks ...tweak) *AuthorizedIntegrationTester {
 	return ait
 }
 
+func newInternalIssuerAITester(t *testing.T, tweaks ...tweak) *AuthorizedIntegrationTester {
+	innerTweaks := []tweak{
+		claimTweak(func(rc *flexibleClaims) {
+			rc.Issuer = setting.AppURL + "/fake-jwt-issuer"
+		}),
+		aiDBTweak(func(ai *auth_model.AuthorizedIntegration) {
+			ai.Issuer = "urn:forgejo:authorized-issuer:internal:test1"
+		}),
+	}
+	innerTweaks = append(innerTweaks, tweaks...)
+	ait := newAITester(t, innerTweaks...)
+	ii := NewMockInternalIssuer(t)
+	internalIssuers["/fake-jwt-issuer"] = ii
+	ii.On("IssuerPlaceholder").Return("urn:forgejo:authorized-issuer:internal:test1")
+	ii.On("SigningKey").Return(ait.jwtSigningKey)
+	ait.ii = ii
+	return ait
+}
+
 func (ait *AuthorizedIntegrationTester) signedJWT() string {
 	claims := flexibleClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
@@ -803,7 +906,13 @@ func (ait *AuthorizedIntegrationTester) signedJWT() string {
 			tweak(&claims)
 		}
 	}
-	signedToken, err := ait.jwtSigningKey.JWT(claims)
+	clientSigningKey := ait.jwtSigningKey
+	for _, tweak := range ait.tweaks {
+		if tweak, is := tweak.(jwtClientSignatureTweak); is {
+			clientSigningKey = tweak()
+		}
+	}
+	signedToken, err := clientSigningKey.JWT(claims)
 	require.NoError(ait.t, err)
 	return signedToken
 }
@@ -840,3 +949,5 @@ type jwksTweak func(*openIDKeys)
 type aiDBTweak func(*auth_model.AuthorizedIntegration)
 
 type jwtxKeyTweak func() jwtx.SigningKey
+
+type jwtClientSignatureTweak func() jwtx.SigningKey
diff --git a/services/auth/method/mocks_test.go b/services/auth/method/mocks_test.go
new file mode 100644
index 0000000000..46648c8cba
--- /dev/null
+++ b/services/auth/method/mocks_test.go
@@ -0,0 +1,129 @@
+// Code generated by mockery; DO NOT EDIT.
+// github.com/vektra/mockery
+// template: testify
+
+package method
+
+import (
+	"forgejo.org/modules/jwtx"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// NewMockInternalIssuer creates a new instance of MockInternalIssuer. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockInternalIssuer(t interface {
+	mock.TestingT
+	Cleanup(func())
+},
+) *MockInternalIssuer {
+	mock := &MockInternalIssuer{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
+
+// MockInternalIssuer is an autogenerated mock type for the InternalIssuer type
+type MockInternalIssuer struct {
+	mock.Mock
+}
+
+type MockInternalIssuer_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockInternalIssuer) EXPECT() *MockInternalIssuer_Expecter {
+	return &MockInternalIssuer_Expecter{mock: &_m.Mock}
+}
+
+// IssuerPlaceholder provides a mock function for the type MockInternalIssuer
+func (_mock *MockInternalIssuer) IssuerPlaceholder() string {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for IssuerPlaceholder")
+	}
+
+	var r0 string
+	if returnFunc, ok := ret.Get(0).(func() string); ok {
+		r0 = returnFunc()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+	return r0
+}
+
+// MockInternalIssuer_IssuerPlaceholder_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IssuerPlaceholder'
+type MockInternalIssuer_IssuerPlaceholder_Call struct {
+	*mock.Call
+}
+
+// IssuerPlaceholder is a helper method to define mock.On call
+func (_e *MockInternalIssuer_Expecter) IssuerPlaceholder() *MockInternalIssuer_IssuerPlaceholder_Call {
+	return &MockInternalIssuer_IssuerPlaceholder_Call{Call: _e.mock.On("IssuerPlaceholder")}
+}
+
+func (_c *MockInternalIssuer_IssuerPlaceholder_Call) Run(run func()) *MockInternalIssuer_IssuerPlaceholder_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInternalIssuer_IssuerPlaceholder_Call) Return(s string) *MockInternalIssuer_IssuerPlaceholder_Call {
+	_c.Call.Return(s)
+	return _c
+}
+
+func (_c *MockInternalIssuer_IssuerPlaceholder_Call) RunAndReturn(run func() string) *MockInternalIssuer_IssuerPlaceholder_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// SigningKey provides a mock function for the type MockInternalIssuer
+func (_mock *MockInternalIssuer) SigningKey() jwtx.SigningKey {
+	ret := _mock.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for SigningKey")
+	}
+
+	var r0 jwtx.SigningKey
+	if returnFunc, ok := ret.Get(0).(func() jwtx.SigningKey); ok {
+		r0 = returnFunc()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(jwtx.SigningKey)
+		}
+	}
+	return r0
+}
+
+// MockInternalIssuer_SigningKey_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SigningKey'
+type MockInternalIssuer_SigningKey_Call struct {
+	*mock.Call
+}
+
+// SigningKey is a helper method to define mock.On call
+func (_e *MockInternalIssuer_Expecter) SigningKey() *MockInternalIssuer_SigningKey_Call {
+	return &MockInternalIssuer_SigningKey_Call{Call: _e.mock.On("SigningKey")}
+}
+
+func (_c *MockInternalIssuer_SigningKey_Call) Run(run func()) *MockInternalIssuer_SigningKey_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockInternalIssuer_SigningKey_Call) Return(signingKey jwtx.SigningKey) *MockInternalIssuer_SigningKey_Call {
+	_c.Call.Return(signingKey)
+	return _c
+}
+
+func (_c *MockInternalIssuer_SigningKey_Call) RunAndReturn(run func() jwtx.SigningKey) *MockInternalIssuer_SigningKey_Call {
+	_c.Call.Return(run)
+	return _c
+}
diff --git a/tests/integration/api_actions_id_token_test.go b/tests/integration/api_actions_id_token_test.go
index 53a0a5b269..0fd478b9d2 100644
--- a/tests/integration/api_actions_id_token_test.go
+++ b/tests/integration/api_actions_id_token_test.go
@@ -6,13 +6,16 @@ package integration
 import (
 	"crypto/rsa"
 	"encoding/base64"
+	"fmt"
 	"math/big"
 	"net/http"
 	"testing"
 
 	actions_model "forgejo.org/models/actions"
+	"forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	"forgejo.org/modules/setting"
+	api "forgejo.org/modules/structs"
 	actions_service "forgejo.org/services/actions"
 	"forgejo.org/tests"
 
@@ -188,4 +191,37 @@ func TestActionsIDToken(t *testing.T) {
 		resp = MakeRequest(t, req, http.StatusBadRequest)
 		assert.Contains(t, resp.Body.String(), "run-id does not match")
 	})
+
+	t.Run("authorized integration internal issuer", func(t *testing.T) {
+		// Create an Authorized Integration which is set-up to be validated with the in-memory Actions' JWT signing key:
+		ai := &auth.AuthorizedIntegration{
+			UserID: 2,
+			Scope:  auth.AccessTokenScopeAll,
+			Issuer: "urn:forgejo:authorized-integrations:actions",
+			ClaimRules: &auth.ClaimRules{
+				Rules: []auth.ClaimRule{
+					{
+						Claim:      "sub",
+						Comparison: auth.ClaimEqual,
+						Value:      "repo:user5/repo4:ref:refs/heads/master",
+					},
+				},
+			},
+			ResourceAllRepos: true,
+		}
+		require.NoError(t, auth.InsertAuthorizedIntegration(t.Context(), ai))
+
+		// Create a JWT from the Actions system:
+		var getResponse getTokenResponse
+		req = NewRequest(t, "GET", fmt.Sprintf("/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true&audience=%s", ai.Audience)).AddTokenAuth(token)
+		resp = MakeRequest(t, req, http.StatusOK)
+		DecodeJSON(t, resp, &getResponse)
+
+		// Should be able to make a Forgejo API call with the JWT, authenticated by the Authorized Integration:
+		req := NewRequest(t, "GET", "/api/v1/user").AddTokenAuth(getResponse.Value)
+		resp := MakeRequest(t, req, http.StatusOK)
+		var user api.User
+		DecodeJSON(t, resp, &user)
+		assert.Equal(t, "user2", user.LoginName)
+	})
 }

From d867b25e72b940728f82327925d474ecd68a3256 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Fri, 1 May 2026 22:07:22 +0200
Subject: [PATCH 211/287] chore: replace `github.com/robfig/cron/v3` (#12365)

github.com/robfig/cron is used for parsing cron schedules of scheduled Forgejo Actions workflows. It has not seen an update in roughly six years and looks abandoned. There are multiple code paths that trigger panics instead of errors. It is replaced by github.com/gdgvda/cron, which is one of the few maintained forks. github.com/gdgvda/cron was picked because its behaviour is fully backwards-compatible and the developers are responsive.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12365
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 assets/go-licenses.json            |  5 +++++
 go.mod                             |  3 ++-
 go.sum                             |  2 ++
 models/actions/schedule_spec.go    | 15 ++++++---------
 services/actions/schedule_tasks.go |  2 +-
 5 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index 330b5cbed6..41b1135033 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -549,6 +549,11 @@
     "path": "github.com/fxamacker/cbor/v2/LICENSE",
     "licenseText": "MIT License\n\nCopyright (c) 2019-present Faye Amacker\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE."
   },
+  {
+    "name": "github.com/gdgvda/cron",
+    "path": "github.com/gdgvda/cron/LICENSE",
+    "licenseText": "Copyright (C) 2012 Rob Figueiredo\nAll Rights Reserved.\n\nMIT LICENSE\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
+  },
   {
     "name": "github.com/gliderlabs/ssh",
     "path": "github.com/gliderlabs/ssh/LICENSE",
diff --git a/go.mod b/go.mod
index fbd61df592..3813849121 100644
--- a/go.mod
+++ b/go.mod
@@ -42,6 +42,7 @@ require (
 	github.com/emersion/go-imap v1.2.1
 	github.com/felixge/fgprof v0.9.5
 	github.com/fsnotify/fsnotify v1.9.0
+	github.com/gdgvda/cron v0.7.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc
 	github.com/go-ap/jsonld v0.0.0-20251216162253-e38fa664ea77
@@ -88,7 +89,6 @@ require (
 	github.com/pquerna/otp v1.5.0
 	github.com/prometheus/client_golang v1.21.1
 	github.com/redis/go-redis/v9 v9.17.3
-	github.com/robfig/cron/v3 v3.0.1
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/sergi/go-diff v1.4.0
 	github.com/stretchr/testify v1.11.1
@@ -238,6 +238,7 @@ require (
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rhysd/actionlint v1.7.10 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/sorairolake/lzip-go v0.3.8 // indirect
diff --git a/go.sum b/go.sum
index 2641bb63ff..34aa5f4f7a 100644
--- a/go.sum
+++ b/go.sum
@@ -253,6 +253,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ=
 github.com/fxamacker/cbor/v2 v2.9.1/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gdgvda/cron v0.7.0 h1:LFPZUTbCb5ZpzYxavbQDDbjd6nwTwkiNUWyulOdlY2I=
+github.com/gdgvda/cron v0.7.0/go.mod h1:caBF+mzTZGtQqFE05T1m6u9OmCASY3EK51XAICf3wio=
 github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc h1:yLe7YJhK+XNjNV4SqDxAjpWAgft+KU+XwKZS4AKEUV0=
 github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc/go.mod h1:jUs8eczo1EAT4ByRpZ4mQmNvjarw9eNf7Nm5udpMRhY=
 github.com/go-ap/errors v0.0.0-20260208110149-e1b309365966 h1:tV+3kZgqFMKVUf+JPKBV400ISM8440+6y/SQCS0WZwQ=
diff --git a/models/actions/schedule_spec.go b/models/actions/schedule_spec.go
index bcaee8bd6f..864fb5e2db 100644
--- a/models/actions/schedule_spec.go
+++ b/models/actions/schedule_spec.go
@@ -13,7 +13,7 @@ import (
 	"forgejo.org/modules/optional"
 	"forgejo.org/modules/timeutil"
 
-	"github.com/robfig/cron/v3"
+	"github.com/gdgvda/cron"
 )
 
 // ActionScheduleSpec represents a schedule spec of a workflow file
@@ -53,16 +53,14 @@ func NewActionScheduleSpec(cron string, tz optional.Option[string], referenceTim
 // Parse parses the spec and returns a cron.Schedule
 // Unlike the default cron parser, Parse uses UTC timezone as the default if none is specified.
 func (s *ActionScheduleSpec) Parse() (cron.Schedule, error) {
-	parser := cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor)
-	schedule, err := parser.Parse(s.Spec)
+	parser, err := cron.NewDefaultParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor)
 	if err != nil {
 		return nil, err
 	}
 
-	specSchedule, ok := schedule.(*cron.SpecSchedule)
-	// If it's not a spec schedule, like "@every 5m", timezone is not relevant
-	if !ok {
-		return schedule, nil
+	schedule, err := parser.Parse(s.Spec)
+	if err != nil {
+		return nil, err
 	}
 
 	// If `timezone` is not defined in the workflow, but the spec includes a timezone, use it.
@@ -81,8 +79,7 @@ func (s *ActionScheduleSpec) Parse() (cron.Schedule, error) {
 		location = time.UTC
 	}
 
-	specSchedule.Location = location
-	return specSchedule, nil
+	return schedule.WithLocation(location), nil
 }
 
 func init() {
diff --git a/services/actions/schedule_tasks.go b/services/actions/schedule_tasks.go
index 4c9de4d7f6..fab9ae8df5 100644
--- a/services/actions/schedule_tasks.go
+++ b/services/actions/schedule_tasks.go
@@ -22,7 +22,7 @@ import (
 
 	"code.forgejo.org/forgejo/runner/v12/act/jobparser"
 	act_model "code.forgejo.org/forgejo/runner/v12/act/model"
-	"github.com/robfig/cron/v3"
+	"github.com/gdgvda/cron"
 	"xorm.io/builder"
 )
 

From 9d323c51252f6cb41a39f2ad56a8c728941936e0 Mon Sep 17 00:00:00 2001
From: Nils Goroll <nils.goroll@uplex.de>
Date: Fri, 1 May 2026 22:10:10 +0200
Subject: [PATCH 212/287] chore: remove #11024 workarounds (#12301)

remove two workarounds which are not required any more

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12301
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 modules/setting/lfs.go      | 15 ++++++---------
 services/lfs/server_test.go |  2 --
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/modules/setting/lfs.go b/modules/setting/lfs.go
index 12f90cd092..a97ed8d40f 100644
--- a/modules/setting/lfs.go
+++ b/modules/setting/lfs.go
@@ -77,15 +77,12 @@ func loadLFSFrom(rootCfg ConfigProvider) error {
 		return nil
 	}
 
-	// TODO: #11024 check nil because settings loaded twice
-	if LFS.SigningKey == nil {
-		keyCfg, err := loadKeyCfg(rootCfg, "server", "LFS_JWT_", "HS256", "lfs/private.pem")
-		if err == nil {
-			LFS.SigningKey, err = jwtx.InitSigningKey(&keyCfg.Signing)
-		}
-		if err != nil {
-			return fmt.Errorf("lfs key initialization failed: %v", err)
-		}
+	keyCfg, err := loadKeyCfg(rootCfg, "server", "LFS_JWT_", "HS256", "lfs/private.pem")
+	if err == nil {
+		LFS.SigningKey, err = jwtx.InitSigningKey(&keyCfg.Signing)
+	}
+	if err != nil {
+		return fmt.Errorf("lfs key initialization failed: %v", err)
 	}
 
 	return nil
diff --git a/services/lfs/server_test.go b/services/lfs/server_test.go
index 67c93f30bb..065387ce08 100644
--- a/services/lfs/server_test.go
+++ b/services/lfs/server_test.go
@@ -105,8 +105,6 @@ var cfgVariants = []namedCfg{
 }
 
 func TestAuthenticate(t *testing.T) {
-	// TODO: #11024
-	setting.InstallLock = true
 	for _, v := range cfgVariants {
 		cfg := iniCommon + v.cfg
 		t.Run(v.name, func(t *testing.T) { testAuthenticate(t, cfg) })

From c1dc213c9b7496d6e86ae3b1c26320239cf2b8d6 Mon Sep 17 00:00:00 2001
From: Arseniy Terekhin <senyai@gmail.com>
Date: Fri, 1 May 2026 22:13:38 +0200
Subject: [PATCH 213/287] feat: add missing tooltips in `lfs_pointers.tmpl`
 (#12139)

Having tooltip only for `lfs_pointers.accessible` is fine in English, but not in other languages. For other languages the text is truncated.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12139
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
---
 templates/repo/settings/lfs_pointers.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/repo/settings/lfs_pointers.tmpl b/templates/repo/settings/lfs_pointers.tmpl
index fd25509e95..96eece9187 100644
--- a/templates/repo/settings/lfs_pointers.tmpl
+++ b/templates/repo/settings/lfs_pointers.tmpl
@@ -21,8 +21,8 @@
 					<tr>
 						<th class="three wide">{{ctx.Locale.Tr "repo.settings.lfs_pointers.sha"}}</th>
 						<th class="four wide">{{ctx.Locale.Tr "repo.settings.lfs_pointers.oid"}}</th>
-						<th class="two wide">{{ctx.Locale.Tr "repo.settings.lfs_pointers.inRepo"}}</th>
-						<th class="two wide">{{ctx.Locale.Tr "repo.settings.lfs_pointers.exists"}}</th>
+						<th class="two wide" data-tooltip-content="{{ctx.Locale.Tr "repo.settings.lfs_pointers.inRepo"}}">{{ctx.Locale.Tr "repo.settings.lfs_pointers.inRepo"}}</th>
+						<th class="two wide" data-tooltip-content="{{ctx.Locale.Tr "repo.settings.lfs_pointers.exists"}}">{{ctx.Locale.Tr "repo.settings.lfs_pointers.exists"}}</th>
 						<th class="two wide" data-tooltip-content="{{ctx.Locale.Tr "repo.settings.lfs_pointers.accessible"}}">{{ctx.Locale.Tr "repo.settings.lfs_pointers.accessible"}}</th>
 						<th class="three wide"></th>
 					</tr>

From 07a6b6ce826630285b808366956c15a977c70fb7 Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Fri, 1 May 2026 22:51:48 +0200
Subject: [PATCH 214/287] chore: make use of go1.26 features (#12369)

Allows us to make use of Go features introduced in v1.26.

I require a feature from v1.26 for a PR I want to make later.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12369
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 go.mod                                       |  2 +-
 models/asymkey/gpg_key_test.go               |  3 +-
 models/user/moderation.go                    |  4 +-
 modules/git/blame.go                         |  2 +-
 modules/jwtx/signingkey.go                   |  4 +-
 modules/util/util.go                         |  5 --
 modules/util/util_test.go                    | 31 +++---------
 routers/api/actions/artifactsv4.go           |  2 +-
 routers/api/actions/oidc.go                  |  3 +-
 routers/web/repo/attachment.go               |  3 +-
 services/actions/download.go                 |  3 +-
 services/migrations/codebase_test.go         |  6 +--
 services/migrations/gitea_downloader_test.go | 16 +++---
 services/migrations/github_test.go           | 16 +++---
 services/migrations/gitlab_test.go           | 10 ++--
 services/migrations/main_test.go             |  4 --
 services/migrations/pagure_test.go           | 52 +++++++++-----------
 17 files changed, 66 insertions(+), 100 deletions(-)

diff --git a/go.mod b/go.mod
index 3813849121..d4b54ad8bf 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module forgejo.org
 
-go 1.25.0
+go 1.26.0
 
 toolchain go1.26.2
 
diff --git a/models/asymkey/gpg_key_test.go b/models/asymkey/gpg_key_test.go
index d265f438eb..2da3bbe6e0 100644
--- a/models/asymkey/gpg_key_test.go
+++ b/models/asymkey/gpg_key_test.go
@@ -11,7 +11,6 @@ import (
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/timeutil"
-	"forgejo.org/modules/util"
 
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 	"github.com/stretchr/testify/assert"
@@ -458,7 +457,7 @@ epiDVQ==
 func TestTryGetKeyIDFromSignature(t *testing.T) {
 	assert.Empty(t, tryGetKeyIDFromSignature(&packet.Signature{}))
 	assert.Equal(t, "038D1A3EADDBEA9C", tryGetKeyIDFromSignature(&packet.Signature{
-		IssuerKeyId: util.ToPointer(uint64(0x38D1A3EADDBEA9C)),
+		IssuerKeyId: new(uint64(0x38D1A3EADDBEA9C)),
 	}))
 	assert.Equal(t, "038D1A3EADDBEA9C", tryGetKeyIDFromSignature(&packet.Signature{
 		IssuerFingerprint: []uint8{0xb, 0x23, 0x24, 0xc7, 0xe6, 0xfe, 0x4f, 0x3a, 0x6, 0x26, 0xc1, 0x21, 0x3, 0x8d, 0x1a, 0x3e, 0xad, 0xdb, 0xea, 0x9c},
diff --git a/models/user/moderation.go b/models/user/moderation.go
index 765414acc0..fe8eef1806 100644
--- a/models/user/moderation.go
+++ b/models/user/moderation.go
@@ -89,8 +89,8 @@ var userDataColumnNames = sync.OnceValue(func() []string {
 	mapper := new(names.GonicMapper)
 	udType := reflect.TypeFor[UserData]()
 	columnNames := make([]string, 0, udType.NumField())
-	for i := 0; i < udType.NumField(); i++ {
-		columnNames = append(columnNames, mapper.Obj2Table(udType.Field(i).Name))
+	for field := range udType.Fields() {
+		columnNames = append(columnNames, mapper.Obj2Table(field.Name))
 	}
 	return columnNames
 })
diff --git a/modules/git/blame.go b/modules/git/blame.go
index 868edab2b8..881ef04302 100644
--- a/modules/git/blame.go
+++ b/modules/git/blame.go
@@ -207,5 +207,5 @@ func tryCreateBlameIgnoreRevsFile(commit *Commit) *string {
 		return nil
 	}
 
-	return util.ToPointer(f.Name())
+	return new(f.Name())
 }
diff --git a/modules/jwtx/signingkey.go b/modules/jwtx/signingkey.go
index db9cf03aa2..f82f694d19 100644
--- a/modules/jwtx/signingkey.go
+++ b/modules/jwtx/signingkey.go
@@ -253,8 +253,8 @@ func (key ecdsaSigningKey) ToJWK() (map[string]string, error) {
 		"alg": key.SigningMethod().Alg(),
 		"kid": key.id,
 		"crv": pubKey.Params().Name,
-		"x":   base64.RawURLEncoding.EncodeToString(pubKey.X.Bytes()),
-		"y":   base64.RawURLEncoding.EncodeToString(pubKey.Y.Bytes()),
+		"x":   base64.RawURLEncoding.EncodeToString(pubKey.X.Bytes()), //nolint:staticcheck // no easy replacement. JWTX specification mandates marshalling to x, even if unsafe.
+		"y":   base64.RawURLEncoding.EncodeToString(pubKey.Y.Bytes()), //nolint:staticcheck // no easy replacement. JWTX specification mandates marshalling to y, even if unsafe.
 	}, nil
 }
 
diff --git a/modules/util/util.go b/modules/util/util.go
index f21936fb5f..996a566830 100644
--- a/modules/util/util.go
+++ b/modules/util/util.go
@@ -215,11 +215,6 @@ func ToFloat64(number any) (float64, error) {
 	return value, nil
 }
 
-// ToPointer returns the pointer of a copy of any given value
-func ToPointer[T any](val T) *T {
-	return &val
-}
-
 // Iif is an "inline-if", it returns "trueVal" if "condition" is true, otherwise "falseVal"
 func Iif[T any](condition bool, trueVal, falseVal T) T {
 	if condition {
diff --git a/modules/util/util_test.go b/modules/util/util_test.go
index 24fca75e7b..fae4f6673d 100644
--- a/modules/util/util_test.go
+++ b/modules/util/util_test.go
@@ -5,10 +5,10 @@
 package util_test
 
 import (
-	"bytes"
 	"crypto/rand"
 	"strings"
 	"testing"
+	"testing/cryptotest"
 
 	"forgejo.org/modules/test"
 	"forgejo.org/modules/util"
@@ -211,42 +211,25 @@ func TestToTitleCase(t *testing.T) {
 	assert.Equal(t, `Foo Bar Baz`, util.ToTitleCase(`FOO BAR BAZ`))
 }
 
-func TestToPointer(t *testing.T) {
-	assert.Equal(t, "abc", *util.ToPointer("abc"))
-	assert.Equal(t, 123, *util.ToPointer(123))
-	abc := "abc"
-	assert.NotSame(t, &abc, util.ToPointer(abc))
-	val123 := 123
-	assert.NotSame(t, &val123, util.ToPointer(val123))
-}
-
 func TestReserveLineBreakForTextarea(t *testing.T) {
 	assert.Equal(t, "test\ndata", util.ReserveLineBreakForTextarea("test\r\ndata"))
 	assert.Equal(t, "test\ndata\n", util.ReserveLineBreakForTextarea("test\r\ndata\r\n"))
 }
 
 const (
-	testPublicKey  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOhB7/zzhC+HXDdGOdLwJln5NYwm6UNXx3chmQSVTG4\n"
+	testPublicKey  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHX8yEKexoMqBPPwG4pGAhhjo5CyiHLiJZ7p3jg0aJZM\n"
 	testPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtz
-c2gtZWQyNTUxOQAAACADoQe/884Qvh1w3RjnS8CZZ+TWMJulDV8d3IZkElUxuAAA
-AIggISIjICEiIwAAAAtzc2gtZWQyNTUxOQAAACADoQe/884Qvh1w3RjnS8CZZ+TW
-MJulDV8d3IZkElUxuAAAAEAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0e
-HwOhB7/zzhC+HXDdGOdLwJln5NYwm6UNXx3chmQSVTG4AAAAAAECAwQF
+c2gtZWQyNTUxOQAAACB1/MhCnsaDKgTz8BuKRgIYY6OQsohy4iWe6d44NGiWTAAA
+AIhNLlZvTS5WbwAAAAtzc2gtZWQyNTUxOQAAACB1/MhCnsaDKgTz8BuKRgIYY6OQ
+sohy4iWe6d44NGiWTAAAAEDZh37ObTaKrBpvQZ7GJ8drG/sfo3xBoR6kat1qSNiU
+dHX8yEKexoMqBPPwG4pGAhhjo5CyiHLiJZ7p3jg0aJZMAAAAAAECAwQF
 -----END OPENSSH PRIVATE KEY-----` + "\n"
 )
 
 func TestGeneratingEd25519Keypair(t *testing.T) {
 	defer test.MockProtect(&rand.Reader)()
-
-	// Only 32 bytes needs to be provided to generate a ed25519 keypair.
-	// And another 32 bytes are required, which is included as random value
-	// in the OpenSSH format.
-	b := make([]byte, 64)
-	for i := range 64 {
-		b[i] = byte(i)
-	}
-	rand.Reader = bytes.NewReader(b)
+	cryptotest.SetGlobalRandom(t, 0)
 
 	publicKey, privateKey, err := util.GenerateSSHKeypair()
 	require.NoError(t, err)
diff --git a/routers/api/actions/artifactsv4.go b/routers/api/actions/artifactsv4.go
index 97da6c1735..56fe5cb2cc 100644
--- a/routers/api/actions/artifactsv4.go
+++ b/routers/api/actions/artifactsv4.go
@@ -562,7 +562,7 @@ func (r *artifactV4Routes) downloadArtifact(ctx *ArtifactContext) {
 		return
 	}
 
-	common.ServeContentByReadSeeker(ctx.Base, artifactName, util.ToPointer(artifact.UpdatedUnix.AsTime()), file)
+	common.ServeContentByReadSeeker(ctx.Base, artifactName, new(artifact.UpdatedUnix.AsTime()), file)
 }
 
 func (r *artifactV4Routes) deleteArtifact(ctx *ArtifactContext) {
diff --git a/routers/api/actions/oidc.go b/routers/api/actions/oidc.go
index fc82bc299f..23b6fec16c 100644
--- a/routers/api/actions/oidc.go
+++ b/routers/api/actions/oidc.go
@@ -103,8 +103,7 @@ func OIDCRoutes(prefix string) *web.Route {
 	// and inspecting the names of the json struct tags
 	rt := reflect.TypeFor[actions_service.IDTokenCustomClaims]()
 
-	for i := 0; i < rt.NumField(); i++ {
-		f := rt.Field(i)
+	for f := range rt.Fields() {
 		v := strings.Split(f.Tag.Get("json"), ",")[0]
 		if v == "" || v == "-" {
 			continue
diff --git a/routers/web/repo/attachment.go b/routers/web/repo/attachment.go
index 5b2eaef889..5497738f0b 100644
--- a/routers/web/repo/attachment.go
+++ b/routers/web/repo/attachment.go
@@ -13,7 +13,6 @@ import (
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/storage"
-	"forgejo.org/modules/util"
 	"forgejo.org/routers/common"
 	"forgejo.org/services/attachment"
 	"forgejo.org/services/context"
@@ -154,7 +153,7 @@ func ServeAttachment(ctx *context.Context, uuid string) {
 	}
 	defer fr.Close()
 
-	common.ServeContentByReadSeeker(ctx.Base, attach.Name, util.ToPointer(attach.CreatedUnix.AsTime()), fr)
+	common.ServeContentByReadSeeker(ctx.Base, attach.Name, new(attach.CreatedUnix.AsTime()), fr)
 }
 
 // GetAttachment serve attachments
diff --git a/services/actions/download.go b/services/actions/download.go
index 04aa1ca289..34de121220 100644
--- a/services/actions/download.go
+++ b/services/actions/download.go
@@ -15,7 +15,6 @@ import (
 	"forgejo.org/modules/httplib"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/storage"
-	"forgejo.org/modules/util"
 	"forgejo.org/services/context"
 )
 
@@ -51,7 +50,7 @@ func serveV4Artifact(base *context.Base, art *actions_model.ActionArtifact) erro
 	if err != nil {
 		return err
 	}
-	httplib.ServeContentByReadSeeker(base.Req, base.Resp, art.ArtifactName+".zip", util.ToPointer(art.UpdatedUnix.AsTime()), f)
+	httplib.ServeContentByReadSeeker(base.Req, base.Resp, art.ArtifactName+".zip", new(art.UpdatedUnix.AsTime()), f)
 	return nil
 }
 
diff --git a/services/migrations/codebase_test.go b/services/migrations/codebase_test.go
index 315c7be709..5d90f7e8a2 100644
--- a/services/migrations/codebase_test.go
+++ b/services/migrations/codebase_test.go
@@ -55,12 +55,12 @@ func TestCodebaseDownloadRepo(t *testing.T) {
 	assertMilestonesEqual(t, []*base.Milestone{
 		{
 			Title:    "Milestone1",
-			Deadline: timePtr(time.Date(2021, time.September, 16, 0, 0, 0, 0, time.UTC)),
+			Deadline: new(time.Date(2021, time.September, 16, 0, 0, 0, 0, time.UTC)),
 		},
 		{
 			Title:    "Milestone2",
-			Deadline: timePtr(time.Date(2021, time.September, 17, 0, 0, 0, 0, time.UTC)),
-			Closed:   timePtr(time.Date(2021, time.September, 17, 0, 0, 0, 0, time.UTC)),
+			Deadline: new(time.Date(2021, time.September, 17, 0, 0, 0, 0, time.UTC)),
+			Closed:   new(time.Date(2021, time.September, 17, 0, 0, 0, 0, time.UTC)),
 			State:    "closed",
 		},
 	}, milestones)
diff --git a/services/migrations/gitea_downloader_test.go b/services/migrations/gitea_downloader_test.go
index a4a4f29ddb..3db81bb158 100644
--- a/services/migrations/gitea_downloader_test.go
+++ b/services/migrations/gitea_downloader_test.go
@@ -93,16 +93,16 @@ func TestGiteaDownloadRepo(t *testing.T) {
 		{
 			Title:    "V2 Finalize",
 			Created:  time.Unix(0, 0),
-			Deadline: timePtr(time.Unix(1599263999, 0)),
-			Updated:  timePtr(time.Date(2022, 11, 13, 5, 29, 15, 0, time.UTC)),
+			Deadline: new(time.Unix(1599263999, 0)),
+			Updated:  new(time.Date(2022, 11, 13, 5, 29, 15, 0, time.UTC)),
 			State:    "open",
 		},
 		{
 			Title:       "V1",
 			Description: "Generate Content",
 			Created:     time.Unix(0, 0),
-			Updated:     timePtr(time.Unix(0, 0)),
-			Closed:      timePtr(time.Unix(1598985406, 0)),
+			Updated:     new(time.Unix(0, 0)),
+			Closed:      new(time.Unix(1598985406, 0)),
 			State:       "closed",
 		},
 	}, milestones)
@@ -178,7 +178,7 @@ func TestGiteaDownloadRepo(t *testing.T) {
 					Content:  "laugh",
 				},
 			},
-			Closed: timePtr(time.Date(2020, 9, 1, 15, 49, 34, 0, time.UTC)),
+			Closed: new(time.Date(2020, 9, 1, 15, 49, 34, 0, time.UTC)),
 		},
 		{
 			Number:      2,
@@ -197,7 +197,7 @@ func TestGiteaDownloadRepo(t *testing.T) {
 				Color:       "d4c5f9",
 				Description: "",
 			}},
-			Closed: timePtr(time.Unix(1598969497, 0)),
+			Closed: new(time.Unix(1598969497, 0)),
 		},
 	}, issues)
 
@@ -244,7 +244,7 @@ func TestGiteaDownloadRepo(t *testing.T) {
 		IsLocked:    false,
 		Created:     time.Unix(1598982759, 0),
 		Updated:     time.Unix(1599023425, 0),
-		Closed:      timePtr(time.Date(2020, 9, 1, 17, 55, 33, 0, time.UTC)),
+		Closed:      new(time.Date(2020, 9, 1, 17, 55, 33, 0, time.UTC)),
 		Assignees:   []string{"techknowlogick"},
 		Base: base.PullRequestBranch{
 			CloneURL:  "",
@@ -261,7 +261,7 @@ func TestGiteaDownloadRepo(t *testing.T) {
 			OwnerName: "6543-forks",
 		},
 		Merged:         true,
-		MergedTime:     timePtr(time.Unix(1598982934, 0)),
+		MergedTime:     new(time.Unix(1598982934, 0)),
 		MergeCommitSHA: "827aa28a907853e5ddfa40c8f9bc52471a2685fd",
 		PatchURL:       server.URL + "/gitea/test_repo/pulls/12.patch",
 	}, prs[1])
diff --git a/services/migrations/github_test.go b/services/migrations/github_test.go
index 29a78f53fc..288eb4febb 100644
--- a/services/migrations/github_test.go
+++ b/services/migrations/github_test.go
@@ -163,24 +163,24 @@ func TestGitHubDownloadRepo(t *testing.T) {
 			Title:       "1.0.0",
 			Description: "Version 1",
 			Created:     time.Date(2025, 8, 7, 12, 48, 56, 0, time.UTC),
-			Updated:     timePtr(time.Date(2025, time.August, 12, 12, 34, 20, 0, time.UTC)),
+			Updated:     new(time.Date(2025, time.August, 12, 12, 34, 20, 0, time.UTC)),
 			State:       "open",
 		},
 		{
 			Title:       "0.9.0",
 			Description: "A milestone",
-			Deadline:    timePtr(time.Date(2025, 8, 1, 7, 0, 0, 0, time.UTC)),
+			Deadline:    new(time.Date(2025, 8, 1, 7, 0, 0, 0, time.UTC)),
 			Created:     time.Date(2025, 8, 7, 12, 54, 20, 0, time.UTC),
-			Updated:     timePtr(time.Date(2025, 8, 12, 11, 29, 52, 0, time.UTC)),
-			Closed:      timePtr(time.Date(2025, 8, 7, 12, 54, 38, 0, time.UTC)),
+			Updated:     new(time.Date(2025, 8, 12, 11, 29, 52, 0, time.UTC)),
+			Closed:      new(time.Date(2025, 8, 7, 12, 54, 38, 0, time.UTC)),
 			State:       "closed",
 		},
 		{
 			Title:       "1.1.0",
 			Description: "We can do that",
-			Deadline:    timePtr(time.Date(2025, 8, 31, 7, 0, 0, 0, time.UTC)),
+			Deadline:    new(time.Date(2025, 8, 31, 7, 0, 0, 0, time.UTC)),
 			Created:     time.Date(2025, 8, 7, 12, 50, 58, 0, time.UTC),
-			Updated:     timePtr(time.Date(2025, 8, 7, 12, 53, 15, 0, time.UTC)),
+			Updated:     new(time.Date(2025, 8, 7, 12, 53, 15, 0, time.UTC)),
 			State:       "open",
 		},
 	}, milestones)
@@ -372,8 +372,8 @@ func TestGitHubDownloadRepo(t *testing.T) {
 			State:      "closed",
 			Created:    time.Date(2025, time.August, 7, 13, 1, 36, 0, time.UTC),
 			Updated:    time.Date(2025, time.August, 12, 12, 47, 35, 0, time.UTC),
-			Closed:     timePtr(time.Date(2025, time.August, 7, 13, 2, 19, 0, time.UTC)),
-			MergedTime: timePtr(time.Date(2025, time.August, 7, 13, 2, 19, 0, time.UTC)),
+			Closed:     new(time.Date(2025, time.August, 7, 13, 2, 19, 0, time.UTC)),
+			MergedTime: new(time.Date(2025, time.August, 7, 13, 2, 19, 0, time.UTC)),
 			Labels: []*base.Label{
 				{
 					Name:        "bug",
diff --git a/services/migrations/gitlab_test.go b/services/migrations/gitlab_test.go
index 37fdea9475..029a4ecce1 100644
--- a/services/migrations/gitlab_test.go
+++ b/services/migrations/gitlab_test.go
@@ -57,14 +57,14 @@ func TestGitlabDownloadRepo(t *testing.T) {
 		{
 			Title:   "1.0.0",
 			Created: time.Date(2024, 9, 3, 13, 53, 8, 516000000, time.UTC),
-			Updated: timePtr(time.Date(2024, 9, 3, 20, 3, 57, 786000000, time.UTC)),
-			Closed:  timePtr(time.Date(2024, 9, 3, 20, 3, 57, 786000000, time.UTC)),
+			Updated: new(time.Date(2024, 9, 3, 20, 3, 57, 786000000, time.UTC)),
+			Closed:  new(time.Date(2024, 9, 3, 20, 3, 57, 786000000, time.UTC)),
 			State:   "closed",
 		},
 		{
 			Title:   "1.1.0",
 			Created: time.Date(2024, 9, 3, 13, 52, 48, 414000000, time.UTC),
-			Updated: timePtr(time.Date(2024, 9, 3, 14, 52, 14, 93000000, time.UTC)),
+			Updated: new(time.Date(2024, 9, 3, 14, 52, 14, 93000000, time.UTC)),
 			State:   "active",
 		},
 	}, milestones)
@@ -260,7 +260,7 @@ func TestGitlabDownloadRepo(t *testing.T) {
 					Content:  "hearts",
 				},
 			},
-			Closed: timePtr(time.Date(2024, 9, 3, 14, 43, 10, 906000000, time.UTC)),
+			Closed: new(time.Date(2024, 9, 3, 14, 43, 10, 906000000, time.UTC)),
 		},
 	}, issues)
 	issues, isEnd, err = downloader.GetIssues(2, 3)
@@ -297,7 +297,7 @@ func TestGitlabDownloadRepo(t *testing.T) {
 					Content:  "open_mouth",
 				},
 			},
-			Closed: timePtr(time.Date(2024, 9, 3, 14, 43, 10, 708000000, time.UTC)),
+			Closed: new(time.Date(2024, 9, 3, 14, 43, 10, 708000000, time.UTC)),
 		},
 	}, issues)
 
diff --git a/services/migrations/main_test.go b/services/migrations/main_test.go
index d304f345cf..44ab3f3fc8 100644
--- a/services/migrations/main_test.go
+++ b/services/migrations/main_test.go
@@ -19,10 +19,6 @@ func TestMain(m *testing.M) {
 	unittest.MainTest(m)
 }
 
-func timePtr(t time.Time) *time.Time {
-	return &t
-}
-
 func assertTimeEqual(t *testing.T, expected, actual time.Time) {
 	assert.Equal(t, expected.UTC(), actual.UTC())
 }
diff --git a/services/migrations/pagure_test.go b/services/migrations/pagure_test.go
index bac3eb24ad..3217e10300 100644
--- a/services/migrations/pagure_test.go
+++ b/services/migrations/pagure_test.go
@@ -85,7 +85,7 @@ func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
 			Milestone:  "Milestone BBBB",
 			Created:    time.Date(2023, time.October, 13, 4, 1, 16, 0, time.UTC),
 			Updated:    time.Date(2025, time.June, 25, 6, 25, 57, 0, time.UTC),
-			Closed:     timePtr(time.Date(2025, time.June, 25, 6, 22, 59, 0, time.UTC)),
+			Closed:     new(time.Date(2025, time.June, 25, 6, 22, 59, 0, time.UTC)),
 			Labels: []*base.Label{
 				{
 					Name: "cccc",
@@ -111,7 +111,7 @@ func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
 			Milestone:  "Milestone AAAA",
 			Created:    time.Date(2023, time.October, 13, 3, 57, 42, 0, time.UTC),
 			Updated:    time.Date(2025, time.June, 25, 6, 25, 45, 0, time.UTC),
-			Closed:     timePtr(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
+			Closed:     new(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
 			Labels: []*base.Label{
 				{
 					Name: "aaaa",
@@ -219,8 +219,8 @@ func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
 			State:      "closed",
 			Created:    time.Date(2025, time.May, 19, 6, 12, 45, 0, time.UTC),
 			Updated:    time.Date(2025, time.May, 19, 6, 17, 11, 0, time.UTC),
-			Closed:     timePtr(time.Date(2025, time.May, 19, 6, 17, 11, 0, time.UTC)),
-			MergedTime: timePtr(time.Date(2025, time.May, 19, 6, 17, 11, 0, time.UTC)),
+			Closed:     new(time.Date(2025, time.May, 19, 6, 17, 11, 0, time.UTC)),
+			MergedTime: new(time.Date(2025, time.May, 19, 6, 17, 11, 0, time.UTC)),
 			Merged:     true,
 			PatchURL:   server.URL + "/protop2g-test-srce/pull-request/10.patch",
 			Labels: []*base.Label{
@@ -249,8 +249,8 @@ func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
 			State:      "closed",
 			Created:    time.Date(2025, time.May, 19, 6, 12, 41, 0, time.UTC),
 			Updated:    time.Date(2025, time.May, 19, 6, 14, 3, 0, time.UTC),
-			Closed:     timePtr(time.Date(2025, time.May, 19, 6, 14, 3, 0, time.UTC)),
-			MergedTime: timePtr(time.Date(2025, time.May, 19, 6, 14, 3, 0, time.UTC)),
+			Closed:     new(time.Date(2025, time.May, 19, 6, 14, 3, 0, time.UTC)),
+			MergedTime: new(time.Date(2025, time.May, 19, 6, 14, 3, 0, time.UTC)),
 			Merged:     true,
 			PatchURL:   server.URL + "/protop2g-test-srce/pull-request/9.patch",
 			Labels: []*base.Label{
@@ -279,8 +279,8 @@ func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
 			State:      "closed",
 			Created:    time.Date(2025, time.May, 5, 6, 45, 32, 0, time.UTC),
 			Updated:    time.Date(2025, time.May, 5, 6, 54, 13, 0, time.UTC),
-			Closed:     timePtr(time.Date(2025, time.May, 5, 6, 54, 13, 0, time.UTC)),
-			MergedTime: timePtr(time.Date(2025, time.May, 5, 6, 54, 13, 0, time.UTC)), // THIS IS WRONG
+			Closed:     new(time.Date(2025, time.May, 5, 6, 54, 13, 0, time.UTC)),
+			MergedTime: new(time.Date(2025, time.May, 5, 6, 54, 13, 0, time.UTC)), // THIS IS WRONG
 			Merged:     false,
 			PatchURL:   server.URL + "/protop2g-test-srce/pull-request/8.patch",
 			Labels: []*base.Label{
@@ -308,9 +308,9 @@ func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
 			PosterID:   -1,
 			State:      "closed",
 			Created:    time.Date(2025, time.May, 5, 6, 45, 6, 0, time.UTC),
-			Updated:    time.Date(2025, time.May, 5, 6, 54, 3, 0, time.UTC),          // IT SHOULD BE NIL
-			Closed:     timePtr(time.Date(2025, time.May, 5, 6, 54, 3, 0, time.UTC)), // IT is CLOSED, Not MERGED so SHOULD NOT BE NIL
-			MergedTime: timePtr(time.Date(2025, time.May, 5, 6, 54, 3, 0, time.UTC)), // THIS IS WRONG
+			Updated:    time.Date(2025, time.May, 5, 6, 54, 3, 0, time.UTC),      // IT SHOULD BE NIL
+			Closed:     new(time.Date(2025, time.May, 5, 6, 54, 3, 0, time.UTC)), // IT is CLOSED, Not MERGED so SHOULD NOT BE NIL
+			MergedTime: new(time.Date(2025, time.May, 5, 6, 54, 3, 0, time.UTC)), // THIS IS WRONG
 			Merged:     false,
 			PatchURL:   server.URL + "/protop2g-test-srce/pull-request/7.patch",
 			Labels: []*base.Label{
@@ -339,8 +339,8 @@ func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
 			State:      "open",
 			Created:    time.Date(2025, time.May, 5, 6, 44, 30, 0, time.UTC),
 			Updated:    time.Date(2025, time.May, 19, 8, 30, 50, 0, time.UTC),
-			Closed:     timePtr(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
-			MergedTime: timePtr(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
+			Closed:     new(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
+			MergedTime: new(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
 			Merged:     false,
 			PatchURL:   server.URL + "/protop2g-test-srce/pull-request/6.patch",
 			Labels: []*base.Label{
@@ -369,8 +369,8 @@ func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
 			State:      "open",
 			Created:    time.Date(2025, time.May, 5, 6, 43, 57, 0, time.UTC),
 			Updated:    time.Date(2025, time.May, 19, 6, 29, 45, 0, time.UTC),
-			Closed:     timePtr(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
-			MergedTime: timePtr(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
+			Closed:     new(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
+			MergedTime: new(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
 			Merged:     false,
 			PatchURL:   server.URL + "/protop2g-test-srce/pull-request/5.patch",
 			Labels: []*base.Label{
@@ -428,22 +428,22 @@ func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
 	dict := map[string]*base.Milestone{
 		"Milestone AAAA": {
 			Title:    "Milestone AAAA",
-			Deadline: timePtr(time.Date(2025, time.December, 12, 0, 0, 0, 0, time.UTC)),
+			Deadline: new(time.Date(2025, time.December, 12, 0, 0, 0, 0, time.UTC)),
 			State:    "open",
 		},
 		"Milestone BBBB": {
 			Title:    "Milestone BBBB",
-			Deadline: timePtr(time.Date(2025, time.December, 12, 0, 0, 0, 0, time.UTC)),
+			Deadline: new(time.Date(2025, time.December, 12, 0, 0, 0, 0, time.UTC)),
 			State:    "closed",
 		},
 		"Milestone CCCC": {
 			Title:    "Milestone CCCC",
-			Deadline: timePtr(time.Date(2025, time.December, 12, 0, 0, 0, 0, time.UTC)),
+			Deadline: new(time.Date(2025, time.December, 12, 0, 0, 0, 0, time.UTC)),
 			State:    "open",
 		},
 		"Milestone DDDD": {
 			Title:    "Milestone DDDD",
-			Deadline: timePtr(time.Date(2025, time.December, 12, 0, 0, 0, 0, time.UTC)),
+			Deadline: new(time.Date(2025, time.December, 12, 0, 0, 0, 0, time.UTC)),
 			State:    "closed",
 		},
 	}
@@ -524,7 +524,7 @@ func TestPagureDownloadRepoWithPrivateIssues(t *testing.T) {
 			Milestone:  "Milestone DDDD",
 			Created:    time.Date(2023, time.November, 21, 8, 6, 56, 0, time.UTC),
 			Updated:    time.Date(2025, time.June, 25, 6, 26, 26, 0, time.UTC),
-			Closed:     timePtr(time.Date(2025, time.June, 25, 6, 23, 51, 0, time.UTC)),
+			Closed:     new(time.Date(2025, time.June, 25, 6, 23, 51, 0, time.UTC)),
 			Labels: []*base.Label{
 				{
 					Name: "gggg",
@@ -550,7 +550,7 @@ func TestPagureDownloadRepoWithPrivateIssues(t *testing.T) {
 			Milestone:  "Milestone CCCC",
 			Created:    time.Date(2023, time.November, 21, 8, 3, 57, 0, time.UTC),
 			Updated:    time.Date(2025, time.June, 25, 6, 26, 7, 0, time.UTC),
-			Closed:     timePtr(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
+			Closed:     new(time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC)),
 			Labels: []*base.Label{
 				{
 					Name: "eeee",
@@ -649,17 +649,17 @@ func TestProcessDate(t *testing.T) {
 		},
 		{
 			name:     "empty string",
-			input:    strPtr(""),
+			input:    new(""),
 			expected: time.Time{},
 		},
 		{
 			name:     "unix timestamp",
-			input:    strPtr("1609459200"),
+			input:    new("1609459200"),
 			expected: time.Unix(1609459200, 0),
 		},
 		{
 			name:     "YYYY-MM-DD format",
-			input:    strPtr("2025-12-12"),
+			input:    new("2025-12-12"),
 			expected: time.Date(2025, time.December, 12, 0, 0, 0, 0, time.UTC),
 		},
 	}
@@ -671,7 +671,3 @@ func TestProcessDate(t *testing.T) {
 		})
 	}
 }
-
-func strPtr(s string) *string {
-	return &s
-}

From 731334e973a7f4389b7f2994cd4bd186df2a242c Mon Sep 17 00:00:00 2001
From: Thomas Teixeira <thomas.teixeira@startmail.com>
Date: Sat, 2 May 2026 01:29:40 +0200
Subject: [PATCH 215/287] fix(web): org projects assignment in issue view
 (#7999)

Allows user to assign organization projects to their new issues, using the project sidebar selector, even when repository's projects are disabled.
Moreover, the project sidebar selector is now hidden if no projects (repository-wide + organization-wide) are available.

Fixes forgejo/forgejo#5666

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7999
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 routers/web/repo/issue.go                     |  40 ++++--
 routers/web/repo/issue_test.go                |   3 +
 routers/web/repo/projects.go                  |   2 +-
 routers/web/web.go                            |  31 ++++-
 services/context/org.go                       |  43 +++---
 templates/repo/issue/new_form.tmpl            |   2 +-
 .../repo/issue/view_content/sidebar.tmpl      |   6 +-
 .../test_assign_project_repo.git/HEAD         |   1 +
 .../test_assign_project_repo.git/config       |   6 +
 .../test_assign_project_repo.git/description  |   1 +
 .../test_assign_project_repo.git/info/exclude |   6 +
 .../20/ade30d25e0ecaeec84e7f542a8456900858240 | Bin 0 -> 84 bytes
 .../27/74debeea6dc742cc4971a92db0e08b95b60588 | Bin 0 -> 51 bytes
 .../2a/47ca4b614a9f5a43abbd5ad851a54a616ffee6 | Bin 0 -> 760 bytes
 .../2f/9b22fd3159a43b7b4e5dd806fcd544edf8716f | Bin 0 -> 37 bytes
 .../d2/2b4d4daa5be07329fcef6ed458f00cf3392da0 | Bin 0 -> 814 bytes
 .../d5/6a3073c1dbb7b15963110a049d50cdb5db99fc | Bin 0 -> 42 bytes
 .../ec/f0db3c1ec806522de4b491fb9a3c7457398c61 | Bin 0 -> 62 bytes
 .../ee/16d127df463aa491e08958120f2108b02468df | Bin 0 -> 84 bytes
 .../refs/heads/master                         |   1 +
 .../refs/heads/test_branch                    |   1 +
 .../fixtures/TestAssignProject/access.yml     |   5 +
 .../TestAssignProject/collaboration.yml       |   5 +
 .../fixtures/TestAssignProject/project.yml    |  51 ++++++++
 .../fixtures/TestAssignProject/repo_unit.yml  |  35 +++++
 .../fixtures/TestAssignProject/repository.yml |  30 +++++
 .../fixtures/TestAssignProject/team.yml       |  32 +++++
 .../fixtures/TestAssignProject/team_repo.yml  |  11 ++
 .../fixtures/TestAssignProject/team_unit.yml  |  35 +++++
 .../fixtures/TestAssignProject/team_user.yml  |  11 ++
 .../fixtures/TestAssignProject/user.yml       |  37 ++++++
 tests/integration/issue_test.go               | 112 ++++++++++++++++
 tests/integration/project_test.go             | 122 ++++++++++++++++++
 33 files changed, 593 insertions(+), 36 deletions(-)
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/HEAD
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/config
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/description
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/info/exclude
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/20/ade30d25e0ecaeec84e7f542a8456900858240
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/27/74debeea6dc742cc4971a92db0e08b95b60588
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/2a/47ca4b614a9f5a43abbd5ad851a54a616ffee6
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/2f/9b22fd3159a43b7b4e5dd806fcd544edf8716f
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/d2/2b4d4daa5be07329fcef6ed458f00cf3392da0
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/d5/6a3073c1dbb7b15963110a049d50cdb5db99fc
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/ec/f0db3c1ec806522de4b491fb9a3c7457398c61
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/ee/16d127df463aa491e08958120f2108b02468df
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/refs/heads/master
 create mode 100644 tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/refs/heads/test_branch
 create mode 100644 tests/integration/fixtures/TestAssignProject/access.yml
 create mode 100644 tests/integration/fixtures/TestAssignProject/collaboration.yml
 create mode 100644 tests/integration/fixtures/TestAssignProject/project.yml
 create mode 100644 tests/integration/fixtures/TestAssignProject/repo_unit.yml
 create mode 100644 tests/integration/fixtures/TestAssignProject/repository.yml
 create mode 100644 tests/integration/fixtures/TestAssignProject/team.yml
 create mode 100644 tests/integration/fixtures/TestAssignProject/team_repo.yml
 create mode 100644 tests/integration/fixtures/TestAssignProject/team_unit.yml
 create mode 100644 tests/integration/fixtures/TestAssignProject/team_user.yml
 create mode 100644 tests/integration/fixtures/TestAssignProject/user.yml

diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index bb4185f785..e1ee785ce4 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -604,7 +604,7 @@ func retrieveProjects(ctx *context.Context, repo *repo_model.Repository) {
 		repoOwnerType = project_model.TypeOrganization
 	}
 	var err error
-	projects, err := db.Find[project_model.Project](ctx, project_model.SearchOptions{
+	repositoryProjects, err := db.Find[project_model.Project](ctx, project_model.SearchOptions{
 		ListOptions: db.ListOptionsAll,
 		RepoID:      repo.ID,
 		IsClosed:    optional.Some(false),
@@ -614,7 +614,7 @@ func retrieveProjects(ctx *context.Context, repo *repo_model.Repository) {
 		ctx.ServerError("GetProjects", err)
 		return
 	}
-	projects2, err := db.Find[project_model.Project](ctx, project_model.SearchOptions{
+	ownerProjects, err := db.Find[project_model.Project](ctx, project_model.SearchOptions{
 		ListOptions: db.ListOptionsAll,
 		OwnerID:     repo.OwnerID,
 		IsClosed:    optional.Some(false),
@@ -625,9 +625,10 @@ func retrieveProjects(ctx *context.Context, repo *repo_model.Repository) {
 		return
 	}
 
-	ctx.Data["OpenProjects"] = append(projects, projects2...)
+	ownerHasOpenProjects := len(ownerProjects) > 0
+	ctx.Data["OpenProjects"] = append(repositoryProjects, ownerProjects...)
 
-	projects, err = db.Find[project_model.Project](ctx, project_model.SearchOptions{
+	repositoryProjects, err = db.Find[project_model.Project](ctx, project_model.SearchOptions{
 		ListOptions: db.ListOptionsAll,
 		RepoID:      repo.ID,
 		IsClosed:    optional.Some(true),
@@ -637,7 +638,7 @@ func retrieveProjects(ctx *context.Context, repo *repo_model.Repository) {
 		ctx.ServerError("GetProjects", err)
 		return
 	}
-	projects2, err = db.Find[project_model.Project](ctx, project_model.SearchOptions{
+	ownerProjects, err = db.Find[project_model.Project](ctx, project_model.SearchOptions{
 		ListOptions: db.ListOptionsAll,
 		OwnerID:     repo.OwnerID,
 		IsClosed:    optional.Some(true),
@@ -648,7 +649,8 @@ func retrieveProjects(ctx *context.Context, repo *repo_model.Repository) {
 		return
 	}
 
-	ctx.Data["ClosedProjects"] = append(projects, projects2...)
+	ctx.Data["OwnerHasProjects"] = ownerHasOpenProjects || len(ownerProjects) > 0
+	ctx.Data["ClosedProjects"] = append(repositoryProjects, ownerProjects...)
 }
 
 // repoReviewerSelection items to bee shown
@@ -968,6 +970,14 @@ func NewIssue(ctx *context.Context) {
 
 	isProjectsEnabled := ctx.Repo.CanRead(unit.TypeProjects)
 	ctx.Data["IsProjectsEnabled"] = isProjectsEnabled
+
+	// Individuals always have projects unit enabled
+	isOwnerProjectsEnabled := true
+	if ctx.Repo.Owner.IsOrganization() {
+		isOwnerProjectsEnabled = ctx.Org.CanReadUnit(ctx, unit.TypeProjects)
+	}
+	ctx.Data["IsOwnerProjectsEnabled"] = isOwnerProjectsEnabled
+
 	ctx.Data["IsAttachmentEnabled"] = setting.Attachment.Enabled
 	upload.AddUploadContext(ctx, "comment")
 
@@ -983,7 +993,7 @@ func NewIssue(ctx *context.Context) {
 	}
 
 	projectID := ctx.FormInt64("project")
-	if projectID > 0 && isProjectsEnabled {
+	if projectID > 0 && (isProjectsEnabled || isOwnerProjectsEnabled) {
 		project, err := project_model.GetProjectByID(ctx, projectID)
 		if err != nil {
 			log.Error("GetProjectByID: %d: %v", projectID, err)
@@ -1276,9 +1286,9 @@ func NewIssuePost(ctx *context.Context) {
 	}
 
 	if projectID > 0 {
-		if !ctx.Repo.CanRead(unit.TypeProjects) {
+		if !ctx.Repo.CanRead(unit.TypeProjects) || (ctx.ContextUser.IsOrganization() && !ctx.Org.CanReadUnit(ctx, unit.TypeProjects)) {
 			// User must also be able to see the project.
-			ctx.Error(http.StatusBadRequest, "user hasn't permissions to read projects")
+			ctx.Error(http.StatusForbidden, "user doesn't have permissions to read projects")
 			return
 		}
 		if err := issues_model.IssueAssignOrRemoveProject(ctx, issue, ctx.Doer, projectID, 0); err != nil {
@@ -1477,7 +1487,8 @@ func ViewIssue(ctx *context.Context) {
 	}
 
 	ctx.Data["IsModerationEnabled"] = setting.Moderation.Enabled
-	ctx.Data["IsProjectsEnabled"] = ctx.Repo.CanRead(unit.TypeProjects)
+	isProjectsEnabled := ctx.Repo.CanRead(unit.TypeProjects)
+	ctx.Data["IsProjectsEnabled"] = isProjectsEnabled
 	ctx.Data["IsAttachmentEnabled"] = setting.Attachment.Enabled
 	upload.AddUploadContext(ctx, "comment")
 
@@ -1546,6 +1557,7 @@ func ViewIssue(ctx *context.Context) {
 	}
 	ctx.Data["Labels"] = labels
 
+	isOwnerProjectsEnabled := true
 	if repo.Owner.IsOrganization() {
 		orgLabels, err := issues_model.GetLabelsByOrgID(ctx, repo.Owner.ID, ctx.FormString("sort"), db.ListOptions{})
 		if err != nil {
@@ -1553,9 +1565,11 @@ func ViewIssue(ctx *context.Context) {
 			return
 		}
 		ctx.Data["OrgLabels"] = orgLabels
-
 		labels = append(labels, orgLabels...)
+
+		isOwnerProjectsEnabled = ctx.Org.CanReadUnit(ctx, unit.TypeProjects)
 	}
+	ctx.Data["IsOwnerProjectsEnabled"] = isOwnerProjectsEnabled
 
 	hasSelected := false
 	for i := range labels {
@@ -1569,7 +1583,9 @@ func ViewIssue(ctx *context.Context) {
 	// Check milestone and assignee.
 	if ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) {
 		RetrieveRepoMilestonesAndAssignees(ctx, repo)
-		retrieveProjects(ctx, repo)
+		if isProjectsEnabled || isOwnerProjectsEnabled {
+			retrieveProjects(ctx, repo)
+		}
 
 		if ctx.Written() {
 			return
diff --git a/routers/web/repo/issue_test.go b/routers/web/repo/issue_test.go
index 3644dd131f..e2c812084d 100644
--- a/routers/web/repo/issue_test.go
+++ b/routers/web/repo/issue_test.go
@@ -74,6 +74,9 @@ func TestNewIssueValidateProject(t *testing.T) {
 			contexttest.LoadUser(t, ctx, testCase.userID)
 			contexttest.LoadRepo(t, ctx, testCase.repoID)
 			contexttest.LoadGitRepo(t, ctx)
+			if ctx.Repo.Owner.IsOrganization() {
+				contexttest.LoadOrganization(t, ctx, ctx.Repo.Owner.ID)
+			}
 
 			NewIssue(ctx)
 
diff --git a/routers/web/repo/projects.go b/routers/web/repo/projects.go
index 98e4c35fa2..f007dfa7ba 100644
--- a/routers/web/repo/projects.go
+++ b/routers/web/repo/projects.go
@@ -400,7 +400,7 @@ func UpdateIssueProject(ctx *context.Context) {
 		return
 	}
 	if _, err := issues.LoadRepositories(ctx); err != nil {
-		ctx.ServerError("LoadProjects", err)
+		ctx.ServerError("LoadRepositories", err)
 		return
 	}
 
diff --git a/routers/web/web.go b/routers/web/web.go
index 5839e7d30e..c77c8629b9 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -906,6 +906,29 @@ func registerRoutes(m *web.Route) {
 		}
 	}
 
+	reqRepoOrOwnerProjectReader := func(ctx *context.Context) {
+		unitType := unit.TypeProjects
+		if ctx.ContextUser == nil || ctx.Doer == nil {
+			ctx.NotFound(unitType.String(), nil)
+			return
+		}
+
+		switch {
+		case ctx.ContextUser.IsIndividual():
+			if ctx.Doer.ID == ctx.ContextUser.ID || ctx.Doer.IsAdmin {
+				return
+			}
+		case ctx.ContextUser.IsOrganization():
+			if ctx.Org.Organization.UnitPermission(ctx, ctx.Doer, unitType) >= perm.AccessModeRead {
+				return
+			}
+		default:
+			ctx.NotFound(unitType.String(), nil)
+			return
+		}
+		reqRepoProjectsReader(ctx)
+	}
+
 	individualPermsChecker := func(ctx *context.Context) {
 		// org permissions have been checked in context.OrgAssignment(), but individual permissions haven't been checked.
 		if ctx.ContextUser.IsIndividual() {
@@ -1255,7 +1278,7 @@ func registerRoutes(m *web.Route) {
 		}
 		m.Group("/issues", func() {
 			m.Group("/new", func() {
-				m.Combo("").Get(context.RepoRef(), repo.NewIssue).
+				m.Combo("", context.EnsureOrg()).Get(context.RepoRef(), repo.NewIssue).
 					Post(web.Bind(forms.CreateIssueForm{}), repo.NewIssuePost)
 				m.Get("/choose", context.RepoRef(), repo.NewIssueChooseTemplate)
 			})
@@ -1301,7 +1324,7 @@ func registerRoutes(m *web.Route) {
 
 			m.Post("/labels", reqRepoIssuesOrPullsWriter, repo.UpdateIssueLabel)
 			m.Post("/milestone", reqRepoIssuesOrPullsWriter, repo.UpdateIssueMilestone)
-			m.Post("/projects", reqRepoIssuesOrPullsWriter, reqRepoProjectsReader, repo.UpdateIssueProject)
+			m.Post("/projects", reqRepoIssuesOrPullsWriter, context.EnsureOrg(), reqRepoOrOwnerProjectReader, repo.UpdateIssueProject)
 			m.Post("/assignee", reqRepoIssuesOrPullsWriter, repo.UpdateIssueAssignee)
 			m.Post("/request_review", reqRepoIssuesOrPullsReader, repo.UpdatePullReviewRequest)
 			m.Post("/dismiss_review", reqRepoAdmin, web.Bind(forms.DismissReviewForm{}), repo.DismissReview)
@@ -1427,7 +1450,7 @@ func registerRoutes(m *web.Route) {
 		m.Group("", func() {
 			m.Get("/issues/posters", repo.IssuePosters) // it can't use {type:issues|pulls} because other routes like "/pulls/{index}" has higher priority
 			m.Get("/{type:^(issues|pulls)$}", repo.Issues)
-			m.Get("/{type:^(issues|pulls)$}/{index}", repo.ViewIssue)
+			m.Get("/{type:^(issues|pulls)$}/{index}", context.EnsureOrg(), repo.ViewIssue)
 			m.Group("/{type:^(issues|pulls)$}/{index}/content-history", func() {
 				m.Get("/overview", repo.GetContentHistoryOverview)
 				m.Get("/list", repo.GetContentHistoryList)
@@ -1600,7 +1623,7 @@ func registerRoutes(m *web.Route) {
 
 		m.Get("/pulls/posters", repo.PullPosters)
 		m.Group("/pulls/{index}", func() {
-			m.Get("", repo.SetWhitespaceBehavior, repo.GetPullDiffStats, repo.ViewIssue)
+			m.Get("", repo.SetWhitespaceBehavior, repo.GetPullDiffStats, context.EnsureOrg(), repo.ViewIssue)
 			m.Get(".diff", repo.DownloadPullDiff)
 			m.Get(".patch", repo.DownloadPullPatch)
 			m.Group("/commits", func() {
diff --git a/services/context/org.go b/services/context/org.go
index c7d06b9bcc..adc6e33494 100644
--- a/services/context/org.go
+++ b/services/context/org.go
@@ -64,6 +64,32 @@ func GetOrganizationByParams(ctx *Context) {
 	}
 }
 
+func ensureIsOrg(ctx *Context) bool {
+	switch {
+	// Getting Organization from params
+	case ctx.ContextUser == nil:
+		if ctx.Org.Organization == nil {
+			GetOrganizationByParams(ctx)
+		}
+		return !ctx.Written()
+	// Getting Organization from ContextUser
+	case ctx.ContextUser.IsOrganization():
+		if ctx.Org == nil {
+			ctx.Org = &Organization{}
+		}
+		ctx.Org.Organization = (*organization.Organization)(ctx.ContextUser)
+		return true
+	}
+	// ContextUser is an individual User
+	return false
+}
+
+func EnsureOrg() func(*Context) {
+	return func(ctx *Context) {
+		ensureIsOrg(ctx)
+	}
+}
+
 // HandleOrgAssignment handles organization assignment
 func HandleOrgAssignment(ctx *Context, args ...bool) {
 	var (
@@ -87,24 +113,9 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 
 	var err error
 
-	if ctx.ContextUser == nil {
-		// if Organization is not defined, get it from params
-		if ctx.Org.Organization == nil {
-			GetOrganizationByParams(ctx)
-			if ctx.Written() {
-				return
-			}
-		}
-	} else if ctx.ContextUser.IsOrganization() {
-		if ctx.Org == nil {
-			ctx.Org = &Organization{}
-		}
-		ctx.Org.Organization = (*organization.Organization)(ctx.ContextUser)
-	} else {
-		// ContextUser is an individual User
+	if !ensureIsOrg(ctx) {
 		return
 	}
-
 	org := ctx.Org.Organization
 
 	// Handle Visibility
diff --git a/templates/repo/issue/new_form.tmpl b/templates/repo/issue/new_form.tmpl
index 10a5978d52..5f5820fb07 100644
--- a/templates/repo/issue/new_form.tmpl
+++ b/templates/repo/issue/new_form.tmpl
@@ -78,7 +78,7 @@
 			</div>
 		</div>
 
-		{{if .IsProjectsEnabled}}
+		{{if or .IsProjectsEnabled (and .OwnerHasProjects .IsOwnerProjectsEnabled)}}
 		<div class="divider"></div>
 
 		<input id="project_id" name="project_id" type="hidden" value="{{.project_id}}">
diff --git a/templates/repo/issue/view_content/sidebar.tmpl b/templates/repo/issue/view_content/sidebar.tmpl
index 72e214c5aa..9d8db413fa 100644
--- a/templates/repo/issue/view_content/sidebar.tmpl
+++ b/templates/repo/issue/view_content/sidebar.tmpl
@@ -14,8 +14,10 @@
 	{{template "repo/issue/view_content/sidebar/milestones" .}}
 	<div class="divider"></div>
 
-	{{template "repo/issue/view_content/sidebar/projects" .}}
-	<div class="divider"></div>
+	{{if or .IsProjectsEnabled (and .OwnerHasProjects .IsOwnerProjectsEnabled)}}
+		{{template "repo/issue/view_content/sidebar/projects" .}}
+		<div class="divider"></div>
+	{{end}}
 
 	{{template "repo/issue/view_content/sidebar/assignees" dict "isExistingIssue" true "." .}}
 	<div class="divider"></div>
diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/HEAD b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/HEAD
new file mode 100644
index 0000000000..cb089cd89a
--- /dev/null
+++ b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/HEAD
@@ -0,0 +1 @@
+ref: refs/heads/master
diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/config b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/config
new file mode 100644
index 0000000000..e6da231579
--- /dev/null
+++ b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/config
@@ -0,0 +1,6 @@
+[core]
+	repositoryformatversion = 0
+	filemode = true
+	bare = true
+	ignorecase = true
+	precomposeunicode = true
diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/description b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/description
new file mode 100644
index 0000000000..498b267a8c
--- /dev/null
+++ b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/description
@@ -0,0 +1 @@
+Unnamed repository; edit this file 'description' to name the repository.
diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/info/exclude b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/info/exclude
new file mode 100644
index 0000000000..a5196d1be8
--- /dev/null
+++ b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/info/exclude
@@ -0,0 +1,6 @@
+# git ls-files --others --exclude-from=.git/info/exclude
+# Lines that start with '#' are comments.
+# For a project mostly in C, the following would be a good set of
+# exclude patterns (uncomment them if you want to use them):
+# *.[oa]
+# *~
diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/20/ade30d25e0ecaeec84e7f542a8456900858240 b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/20/ade30d25e0ecaeec84e7f542a8456900858240
new file mode 100644
index 0000000000000000000000000000000000000000..9f3ffe5f27eab55ddf77a4eef3620a63549a1a32
GIT binary patch
literal 84
zcmV-a0IUCa0V^p=O;s>6XD~D{Ff%bx2y%6F@paY9O<}m2Wl((Z_V$gD$%0%ga|6z9
qy*=}fi2)EOq~s?vsF&Q^_bT_e(;3ggmAV@qbWh#J+5rIM${q^x(I*%H

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/27/74debeea6dc742cc4971a92db0e08b95b60588 b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/27/74debeea6dc742cc4971a92db0e08b95b60588
new file mode 100644
index 0000000000000000000000000000000000000000..5d9226f7a1240630524be4a3f27f4f31b1972c4c
GIT binary patch
literal 51
zcmV-30L=e*0V^p=O;s>9VK6i>Ff%bxNXbvu%S~a>pRM%QFmj1?wO{NFwm(;0-u@`e
J2LKmL5A5=Z6&nBm

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/2a/47ca4b614a9f5a43abbd5ad851a54a616ffee6 b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/2a/47ca4b614a9f5a43abbd5ad851a54a616ffee6
new file mode 100644
index 0000000000000000000000000000000000000000..ca60d2314fcda692990183d659d83ee440c1b995
GIT binary patch
literal 760
zcmV<U0tfwg0hN=<4x?5OMYHBB-X0~)la!7En9(*f7}#NWV8DPeli};*bhf=oZAv=Q
zy;Yl&4_#N!K;YTm<~M|Z#IpiYctJ7{hj|8J&eM=98Jf&^nqdVT=NX=)aU@&j$M6Qr
z1m6_+^XK{-ezNZMgn#5i_ZJ{&fum`jW(k1eJdPt@`aLzn{}rlU)l^sD_kTxHG{XXp
z<^bQ&EHMZ@<tIk~0&3UDB~g@QQPd>YOx;klMR72dt4;0R+*~O8>}``PUZ2-qtxFX@
zzcQJ_^G_pOnRY=y&KS-~OX8!%s4VQG3+deL$vl6&<XkU!zi!PIU2)%ET+BS)*ALnT
zl2V+fNUd7*v>|{~De2HSfz`)_^n-GuEXHwgRaeKV9=$9fPOJ1R0w&iIoy1PPw<ecR
zA@pYDaIP5;&=12#mZ;gGdhzCFEe^M~rYIq~8@^wEo|jX?)j`0k_=t&juZbAx<wbeA
z`Qj%r{Rsisqqh8edvmpJc{Gc=U4j^zX>U+nK$I{bkEo7A`*gjm6CvD_e$1?jz#N~O
za$_(}1e~skAZ#g_cMrB?V4Go^>n-WyBM+oNMmAPyk=}4>>B#PS@I$%`bj(%?W<D}+
zoW4JlCPB4?JKKkMO#JAD=ch3yG~2VgmZ7n~8w;0D)n*I%P}o}Yyc-iu?(Qe`V=HrH
z1a#{Db|qKnmnpW~Hnxi+x+T)_s>#cq$vH`uuPA-Xd;t|(ab9y}n`qJEc`7=3+E55E
z$e1f~*2Cub*`mHJ?;X>J)^ki#5tAz#O#)(g5k031yqQOfK2UuUvU(xh?s>+q2#7WU
zPQ_aDQ+K*Pm0NN_6;C(xXkDE?Y6;G%0+#1q=Fn1)S{}>pfgYb)I$r|Fv`LJBTSVP(
zb>$Z|pyzbAWM`N|X)pQxLk(E=9`8a`Kus_6?#{1_diM>Af6P%>n&^txCj_v@gI-fg
qUZ|GWE4B7C{oDJ4oXQ&c&k4mk{mKZW?!Q*Q-a`ZP8Tki~F*%6l+<SNc

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/2f/9b22fd3159a43b7b4e5dd806fcd544edf8716f b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/2f/9b22fd3159a43b7b4e5dd806fcd544edf8716f
new file mode 100644
index 0000000000000000000000000000000000000000..e98d752dadfa1bff7f581b3d38bf5967cc6049b3
GIT binary patch
literal 37
tcmb<m^geacKghr+B_Pb>q`%%--?Q3*9;fw#G`w_Am_K7;=uqdh2LKN*4QBuV

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/d2/2b4d4daa5be07329fcef6ed458f00cf3392da0 b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/d2/2b4d4daa5be07329fcef6ed458f00cf3392da0
new file mode 100644
index 0000000000000000000000000000000000000000..e319f8ce3447ea6a2a5c36db6841d582ed4fd02c
GIT binary patch
literal 814
zcmV+}1JV3=0hN<E535!XMpN@EZjTc7P0EXc*^Lbb8?fD7;F^8M82I&ZUX(6PrWxss
zW;DfjlCEir8Biq8{W6aT0fZ<%rD!32u{;AID^Z9PB~GMh@<mgm7?U*1i|GsN;fUH9
z(2x}p$i_UyLg~dpmVt4caxfJ+3UVyuDgO0Bh{xc2&btx3Cp6OF_n+-gw8EyZ(QirD
z`~fJQq$P%9L=NDjNRrr>et(<M|60oWY$`JF>)&<I49fu*;{vXh;mEhZ*M4#gV4(1<
z{UFN+C6iOV(6s$?uwV`KCoV=osP*wWPVI$d9;K$sHEz>&B`aCw{mU`%owRF4;Pzn%
z@u^AqrtIh8?4O&RxUMO+3wpTC<MGO#-Ai82I?r~d7QHU-Hatyc@x3s_N~zjz`f;X^
z{S>10PEVuvM4oI{lE(FLu}mbB_3ly;d=}h>m*a}70U@7KwMj5g?@Ptm9v&D}q^RpA
z@wF3D?oP{r!GEMHLslWW$BeUIoJcp><1kNB*vr(AJ@%-}Fz^xFHPNcBHG?5);#}+;
z1D?{03~4{OdsRKh*D*6wWz%hwL&b4r?-{wsyORf6To4#=$DLWSqszS^Ay!mpG!KQ(
zllokZj<LkgT)8@@Rk@A5QCgOu_x=-g<Z@VVRo{C12?Js(HhGhgahSMfA+t`<j6yUK
z7D`HT&~KM>EQ~eozR#B3YHdCylD01>Z<6TBD2jpsFS7EG2?TCo%v<+7hRJ%;1%Zm4
z!4Bh>S>!JXRe`GSi!Y>n7UybKW_iz4#)R@d!a!R*Z+<Q8?cL{azQ@-YPrtc^oD!%}
zGQ77kINKqMl(mNTBrBX?E1G&aYs$&Xa{GaS=@Tb(e0uheTyD91yWc;bM0APUM<ZN^
zKHT*FSWqtSQ{m^LDOEK#n;keK(?8q1GItE@Jllp<x2AnmKgts-*EjELo98B`sj&xv
zJj=uxe;(cqXVtOd-B9lfu|6?M3*CpfU;rl~g#4g!?E6Yc)IprK^lG4{SZ=hWZlm<*
srsBn^Tgk0xC?0O{_<?~RlNEg9_|px|QUA*rY(~=z{xK5!3!Uy(*O(@ucmMzZ

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/d5/6a3073c1dbb7b15963110a049d50cdb5db99fc b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/d5/6a3073c1dbb7b15963110a049d50cdb5db99fc
new file mode 100644
index 0000000000000000000000000000000000000000..eff3c9833edabef54391c6c050778ee88eaa207b
GIT binary patch
literal 42
ycmb<m^geacKghr=B_K@0OZSBNvqwdqx_)}6bTm$$IUnqCTEB^lnc?j{o+JQiKM@iD

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/ec/f0db3c1ec806522de4b491fb9a3c7457398c61 b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/ec/f0db3c1ec806522de4b491fb9a3c7457398c61
new file mode 100644
index 0000000000000000000000000000000000000000..ed431f70d3a5a65adb22bad8207ed5490b719d8c
GIT binary patch
literal 62
zcmV-E0Kxxw0ZYosPf{>7W>8irN-fAY=HhZmElw`VEGWs$&r?XtFM<gxD=U<w7MCa_
U=jY~TmT++y8UfV;07NMf{S$5&p8x;=

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/ee/16d127df463aa491e08958120f2108b02468df b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/objects/ee/16d127df463aa491e08958120f2108b02468df
new file mode 100644
index 0000000000000000000000000000000000000000..e177f69e372b98fa032e3df92ea436869c89ed60
GIT binary patch
literal 84
zcmV-a0IUCa0V^p=O;s>6XD~D{Ff%bx2y%6F@paY9O<{QR;kJ$33AP~JCtD`|o@G-K
qZrPJ)VgLjRDf!6^>LvH~y~;iAbjGuArS66Y-BY)*b^rk6+8wjRASSs0

literal 0
HcmV?d00001

diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/refs/heads/master b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/refs/heads/master
new file mode 100644
index 0000000000..ccee722d52
--- /dev/null
+++ b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/refs/heads/master
@@ -0,0 +1 @@
+2a47ca4b614a9f5a43abbd5ad851a54a616ffee6
diff --git a/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/refs/heads/test_branch b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/refs/heads/test_branch
new file mode 100644
index 0000000000..dfe0c6a128
--- /dev/null
+++ b/tests/gitea-repositories-meta/test_assign_project_org/test_assign_project_repo.git/refs/heads/test_branch
@@ -0,0 +1 @@
+d22b4d4daa5be07329fcef6ed458f00cf3392da0
diff --git a/tests/integration/fixtures/TestAssignProject/access.yml b/tests/integration/fixtures/TestAssignProject/access.yml
new file mode 100644
index 0000000000..9dec50f0ac
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/access.yml
@@ -0,0 +1,5 @@
+-
+  id: 1001
+  user_id: 5
+  repo_id: 1001
+  mode: 2
diff --git a/tests/integration/fixtures/TestAssignProject/collaboration.yml b/tests/integration/fixtures/TestAssignProject/collaboration.yml
new file mode 100644
index 0000000000..a26149d60e
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/collaboration.yml
@@ -0,0 +1,5 @@
+-
+  id: 1001
+  repo_id: 1001
+  user_id: 5
+  mode: 2
diff --git a/tests/integration/fixtures/TestAssignProject/project.yml b/tests/integration/fixtures/TestAssignProject/project.yml
new file mode 100644
index 0000000000..20b75ddb69
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/project.yml
@@ -0,0 +1,51 @@
+# team 1001 projects
+-
+  id: 1001
+  title: project1001
+  owner_id: 3
+  repo_id: 0
+  is_closed: false
+  board_type: 0
+  type: 3
+  creator_id: 5
+  created_unix: 1688973030
+  updated_unix: 1688973030
+
+# team 1002 projects
+-
+  id: 1002
+  title: project1002
+  owner_id: 0
+  repo_id: 1001
+  is_closed: false
+  board_type: 0
+  type: 2
+  creator_id: 5
+  created_unix: 1688973030
+  updated_unix: 1688973030
+
+# user 5 project
+-
+  id: 1003
+  title: project1003
+  owner_id: 5
+  repo_id: 0
+  is_closed: false
+  board_type: 0
+  type: 1
+  creator_id: 5
+  created_unix: 1688973030
+  updated_unix: 1688973030
+
+# org 1001 disabled project
+-
+  id: 1004
+  title: project1004
+  owner_id: 1001
+  repo_id: 0
+  is_closed: false
+  board_type: 0
+  type: 3
+  creator_id: 5
+  created_unix: 1688973030
+  updated_unix: 1688973030
diff --git a/tests/integration/fixtures/TestAssignProject/repo_unit.yml b/tests/integration/fixtures/TestAssignProject/repo_unit.yml
new file mode 100644
index 0000000000..d3fad496aa
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/repo_unit.yml
@@ -0,0 +1,35 @@
+-
+  id: 1001
+  repo_id: 3
+  type: 8
+  created_unix: 946684810
+
+-
+  id: 1002
+  repo_id: 3
+  type: 2
+  created_unix: 946684810
+
+-
+  id: 1003
+  repo_id: 3
+  type: 3
+  created_unix: 946684810
+
+-
+  id: 1004
+  repo_id: 1001
+  type: 8
+  created_unix: 946684810
+
+-
+  id: 1005
+  repo_id: 1001
+  type: 2
+  created_unix: 946684810
+
+-
+  id: 1006
+  repo_id: 1001
+  type: 3
+  created_unix: 946684810
diff --git a/tests/integration/fixtures/TestAssignProject/repository.yml b/tests/integration/fixtures/TestAssignProject/repository.yml
new file mode 100644
index 0000000000..3a2d6d637a
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/repository.yml
@@ -0,0 +1,30 @@
+-
+  id: 1001
+  owner_id: 1001
+  owner_name: test_assign_project_org
+  lower_name: test_assign_project_repo
+  name: test_assign_project_repo
+  default_branch: master
+  num_watches: 4
+  num_stars: 0
+  num_forks: 0
+  num_milestones: 3
+  num_closed_milestones: 1
+  num_projects: 1
+  num_closed_projects: 0
+  is_private: false
+  is_empty: false
+  is_archived: false
+  is_mirror: false
+  status: 0
+  is_fork: false
+  fork_id: 0
+  is_template: false
+  template_id: 0
+  size: 7597
+  is_fsck_enabled: true
+  close_issues_via_commit_in_any_branch: false
+  created_unix: 1731254961
+  updated_unix: 1731254961
+  topics: '[]'
+
diff --git a/tests/integration/fixtures/TestAssignProject/team.yml b/tests/integration/fixtures/TestAssignProject/team.yml
new file mode 100644
index 0000000000..6f295a3c65
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/team.yml
@@ -0,0 +1,32 @@
+-
+  id: 1001
+  org_id: 3
+  lower_name: writers
+  name: Writers
+  authorize: 2 # writer
+  num_repos: 3
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: true
+
+-
+  id: 1002
+  org_id: 1001
+  lower_name: writers
+  name: Writers
+  authorize: 2 # writer
+  num_repos: 1
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: true
+
+-
+  id: 1003
+  org_id: 1001
+  lower_name: owners
+  name: Owners
+  authorize: 4
+  num_repos: 0
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: true
diff --git a/tests/integration/fixtures/TestAssignProject/team_repo.yml b/tests/integration/fixtures/TestAssignProject/team_repo.yml
new file mode 100644
index 0000000000..9b34a817d9
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/team_repo.yml
@@ -0,0 +1,11 @@
+-
+  id: 1001
+  org_id: 3
+  team_id: 1001
+  repo_id: 3
+
+-
+  id: 1002
+  org_id: 1001
+  team_id: 1002
+  repo_id: 1001
diff --git a/tests/integration/fixtures/TestAssignProject/team_unit.yml b/tests/integration/fixtures/TestAssignProject/team_unit.yml
new file mode 100644
index 0000000000..d156983090
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/team_unit.yml
@@ -0,0 +1,35 @@
+-
+  id: 1001
+  team_id: 1001
+  type: 8
+  access_mode: 2
+
+-
+  id: 1002
+  team_id: 1002
+  type: 8
+  access_mode: 1
+
+-
+  id: 1003
+  team_id: 1001
+  type: 2
+  access_mode: 2
+
+-
+  id: 1004
+  team_id: 1001
+  type: 3
+  access_mode: 2
+
+-
+  id: 1005
+  team_id: 1002
+  type: 2
+  access_mode: 2
+
+-
+  id: 1006
+  team_id: 1002
+  type: 3
+  access_mode: 2
diff --git a/tests/integration/fixtures/TestAssignProject/team_user.yml b/tests/integration/fixtures/TestAssignProject/team_user.yml
new file mode 100644
index 0000000000..8061f1b9d8
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/team_user.yml
@@ -0,0 +1,11 @@
+-
+  id: 1001
+  org_id: 3
+  team_id: 1001
+  uid: 5
+
+-
+  id: 1002
+  org_id: 23
+  team_id: 1002
+  uid: 5
diff --git a/tests/integration/fixtures/TestAssignProject/user.yml b/tests/integration/fixtures/TestAssignProject/user.yml
new file mode 100644
index 0000000000..8ad7bd0e67
--- /dev/null
+++ b/tests/integration/fixtures/TestAssignProject/user.yml
@@ -0,0 +1,37 @@
+-
+  id: 1001
+  lower_name: test_assign_project_org
+  name: test_assign_project_org
+  full_name: ' <<<< >> >> > >> > >>> >> '
+  email: org1001@example.com
+  keep_email_private: false
+  email_notifications_preference: onmention
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
+  must_change_password: false
+  login_source: 0
+  login_name: test_assign_project_org
+  type: 1
+  salt: ZogKvWdyEx
+  max_repo_creation: 1000
+  is_active: false
+  is_admin: false
+  is_restricted: false
+  allow_git_hook: false
+  allow_import_local: false
+  allow_create_organization: true
+  prohibit_login: false
+  avatar: ""
+  avatar_email: org1001@example.com
+  use_custom_avatar: true
+  num_followers: 0
+  num_following: 0
+  num_stars: 0
+  num_repos: 1
+  num_teams: 1
+  num_members: 1
+  visibility: 0
+  repo_admin_change_team_access: false
+  theme: ""
+  keep_activity_private: false
+  created_unix: 1672578020
diff --git a/tests/integration/issue_test.go b/tests/integration/issue_test.go
index d764870bab..c0ecf6b3bc 100644
--- a/tests/integration/issue_test.go
+++ b/tests/integration/issue_test.go
@@ -19,6 +19,7 @@ import (
 	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	issues_model "forgejo.org/models/issues"
+	org_model "forgejo.org/models/organization"
 	project_model "forgejo.org/models/project"
 	repo_model "forgejo.org/models/repo"
 	unit_model "forgejo.org/models/unit"
@@ -31,6 +32,7 @@ import (
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
 	"forgejo.org/modules/translation"
+	repo_service "forgejo.org/services/repository"
 	files_service "forgejo.org/services/repository/files"
 	user_service "forgejo.org/services/user"
 	"forgejo.org/tests"
@@ -1661,3 +1663,113 @@ func TestIssueUrlHandling(t *testing.T) {
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 }
+
+func TestIssueProjectSidebarMissing(t *testing.T) {
+	const (
+		repoID = 4
+		userID = 5
+	)
+	defer unittest.OverrideFixtures("tests/integration/fixtures/TestAssignProject/")()
+	defer tests.PrepareTestEnv(t)()
+
+	ctx := t.Context()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: userID})
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: repoID})
+	session := loginUser(t, user.Name)
+
+	issueURL := testNewIssue(t, session, user.Name, repo.Name, "Hello", "World")
+	t.Run("Sidebar showing - user project available", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		req := NewRequest(t, "GET", issueURL)
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		htmlDoc.AssertElement(t, ".select-project.dropdown", true)
+	})
+
+	// Enable repository's project unit
+	projectUnit := repo_model.RepoUnit{
+		RepoID: repo.ID,
+		Type:   unit_model.TypeProjects,
+	}
+	require.NoError(t, repo_service.UpdateRepositoryUnits(db.DefaultContext, repo, []repo_model.RepoUnit{projectUnit}, nil))
+
+	t.Run("Sidebar showing - repository project unit on", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		req := NewRequest(t, "GET", issueURL)
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		htmlDoc.AssertElement(t, ".select-project.dropdown", true)
+	})
+
+	project_model.DeleteProjectByID(ctx, 1003)
+	// Disable repository's project unit
+	require.NoError(t, repo_service.UpdateRepositoryUnits(db.DefaultContext, repo, nil, []unit_model.Type{unit_model.TypeProjects}))
+	t.Run("Sidebar missing", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		req := NewRequest(t, "GET", issueURL)
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		htmlDoc.AssertElement(t, ".select-project.dropdown", false)
+	})
+
+	// Team with project available
+	team := unittest.AssertExistsAndLoadBean(t, &org_model.Team{ID: 1001})
+	require.NoError(t, team.LoadMembers(ctx))
+	require.NoError(t, team.LoadRepositories(ctx))
+
+	user = team.Members[0]
+	repo = team.Repos[0]
+	org := team.GetOrg(ctx)
+	session = loginUser(t, user.Name)
+
+	issueURL = testNewIssue(t, session, org.Name, repo.Name, "Hello", "World")
+	t.Run("Sidebar showing - org on & repo on", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		req := NewRequest(t, "GET", issueURL)
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		htmlDoc.AssertElement(t, ".select-project.dropdown", true)
+	})
+
+	// Disable repository project unit
+	require.NoError(t, repo_service.UpdateRepositoryUnits(ctx, repo, nil, []unit_model.Type{unit_model.TypeProjects}))
+	t.Run("Sidebar showing - org on & repo off", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		req := NewRequest(t, "GET", issueURL)
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		htmlDoc.AssertElement(t, ".select-project.dropdown", true)
+	})
+
+	// Team with project disabled
+	team = unittest.AssertExistsAndLoadBean(t, &org_model.Team{ID: 1002})
+	require.NoError(t, team.LoadMembers(ctx))
+	require.NoError(t, team.LoadRepositories(ctx))
+
+	user = team.Members[0]
+	repo = team.Repos[0]
+	org = team.GetOrg(ctx)
+	session = loginUser(t, user.Name)
+
+	require.NoError(t, project_model.DeleteProjectByID(db.DefaultContext, 1004))
+
+	issueURL = testNewIssue(t, session, org.Name, repo.Name, "Hello", "World")
+	t.Run("Sidebar showing - org off & repo on", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		req := NewRequest(t, "GET", issueURL)
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		htmlDoc.AssertElement(t, ".select-project.dropdown", true)
+	})
+
+	// Disable repository project unit
+	require.NoError(t, repo_service.UpdateRepositoryUnits(ctx, repo, nil, []unit_model.Type{unit_model.TypeProjects}))
+	t.Run("Sidebar missing - org off & repo off", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		req := NewRequest(t, "GET", issueURL)
+		resp := session.MakeRequest(t, req, http.StatusOK)
+		htmlDoc := NewHTMLParser(t, resp.Body)
+		htmlDoc.AssertElement(t, ".select-project.dropdown", false)
+	})
+}
diff --git a/tests/integration/project_test.go b/tests/integration/project_test.go
index 629793602b..7583075b5f 100644
--- a/tests/integration/project_test.go
+++ b/tests/integration/project_test.go
@@ -7,12 +7,20 @@ package integration
 import (
 	"fmt"
 	"net/http"
+	"path"
+	"strconv"
+	"strings"
 	"testing"
 
 	"forgejo.org/models/db"
+	issues_model "forgejo.org/models/issues"
+	org_model "forgejo.org/models/organization"
 	project_model "forgejo.org/models/project"
 	repo_model "forgejo.org/models/repo"
+	unit_model "forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	repo_service "forgejo.org/services/repository"
 	"forgejo.org/tests"
 
 	"github.com/stretchr/testify/assert"
@@ -160,3 +168,117 @@ func TestChangeStatusProject(t *testing.T) {
 		})
 	})
 }
+
+func TestAssignProject(t *testing.T) {
+	defer unittest.OverrideFixtures("tests/integration/fixtures/TestAssignProject/")()
+	defer tests.PrepareTestEnv(t)()
+
+	ctx := t.Context()
+
+	newTestIssue := func(t *testing.T, session *TestSession, owner *user_model.User, repo *repo_model.Repository) (*issues_model.Issue, string, string) {
+		t.Helper()
+
+		issueURL := testNewIssue(t, session, owner.Name, repo.Name, "Hello", "World")
+		indexStr := issueURL[strings.LastIndexByte(issueURL, '/')+1:]
+		index, err := strconv.Atoi(indexStr)
+		require.NoError(t, err, "Invalid issue href: %s", issueURL)
+
+		issue := &issues_model.Issue{RepoID: repo.ID, Index: int64(index)}
+		unittest.AssertExistsAndLoadBean(t, issue)
+
+		issueID := strconv.FormatInt(issue.ID, 10)
+		return issue, indexStr, issueID
+	}
+
+	updateIssueProject := func(t *testing.T, session *TestSession, projectID, issueID, owner, repo string, expectedStatus int) {
+		t.Helper()
+
+		req := NewRequestWithValues(t, "POST", path.Join(owner, repo, "issues", "projects"), map[string]string{
+			"issue_ids": issueID,
+			"id":        projectID,
+		})
+		session.MakeRequest(t, req, expectedStatus)
+	}
+
+	// User
+	t.Run("UserProjectOn+RepoProjectOff", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+
+		session := loginUser(tt, user.Name)
+		issue, _, issueID := newTestIssue(tt, session, user, repo)
+
+		updateIssueProject(tt, session, "1003", issueID, user.Name, repo.Name, http.StatusOK)
+		require.NoError(tt, issue.LoadProject(db.DefaultContext))
+		require.NotNil(tt, issue.Project)
+		require.Equal(tt, int64(1003), issue.Project.ID)
+	})
+
+	// Team 1001 - enabled project unit
+	team := unittest.AssertExistsAndLoadBean(t, &org_model.Team{ID: 1001})
+	require.NoError(t, team.LoadMembers(ctx))
+	require.NoError(t, team.LoadRepositories(ctx))
+
+	user := team.Members[0]
+	repo := team.Repos[0]
+	org := team.GetOrg(ctx)
+
+	session := loginUser(t, user.Name)
+
+	t.Run("OrgProjectOn+RepoProjectOn", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		issue, _, issueID := newTestIssue(tt, session, org.AsUser(), repo)
+
+		updateIssueProject(tt, session, "1001", issueID, org.Name, repo.Name, http.StatusOK)
+
+		require.NoError(tt, issue.LoadProject(db.DefaultContext))
+		require.NotNil(tt, issue.Project)
+		require.Equal(tt, int64(1001), issue.Project.ID)
+	})
+
+	// Disable repository project unit
+	require.NoError(t, repo_service.UpdateRepositoryUnits(ctx, repo, nil, []unit_model.Type{unit_model.TypeProjects}))
+	t.Run("OrgProjectOn+RepoProjectOff", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		issue, _, issueID := newTestIssue(tt, session, org.AsUser(), repo)
+
+		updateIssueProject(tt, session, "1001", issueID, org.Name, repo.Name, http.StatusOK)
+		require.NoError(tt, issue.LoadProject(db.DefaultContext))
+		require.NotNil(tt, issue.Project)
+		require.Equal(tt, int64(1001), issue.Project.ID)
+	})
+
+	// Team 1002 - disabled project unit
+	team = unittest.AssertExistsAndLoadBean(t, &org_model.Team{ID: 1002})
+	require.NoError(t, team.LoadMembers(ctx))
+	require.NoError(t, team.LoadRepositories(ctx))
+
+	user = team.Members[0]
+	repo = team.Repos[0]
+	org = team.GetOrg(ctx)
+
+	session = loginUser(t, user.Name)
+
+	t.Run("OrgProjectOff+RepoProjectOn", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		issue, _, issueID := newTestIssue(tt, session, org.AsUser(), repo)
+
+		updateIssueProject(tt, session, "1002", issueID, org.Name, repo.Name, http.StatusOK)
+		require.NoError(tt, issue.LoadProject(db.DefaultContext))
+		require.NotNil(tt, issue.Project)
+		require.Equal(tt, int64(1002), issue.Project.ID)
+	})
+
+	// Disable repository project unit
+	require.NoError(t, repo_service.UpdateRepositoryUnits(ctx, repo, nil, []unit_model.Type{unit_model.TypeProjects}))
+	t.Run("OrgProjectOff+RepoProjectOff", func(tt *testing.T) {
+		defer tests.PrintCurrentTest(tt)()
+		issue, _, issueID := newTestIssue(tt, session, org.AsUser(), repo)
+
+		updateIssueProject(tt, session, "1002", issueID, org.Name, repo.Name, http.StatusOK)
+		require.NoError(tt, issue.LoadProject(db.DefaultContext))
+		require.NotNil(tt, issue.Project)
+		require.Equal(tt, int64(1002), issue.Project.ID)
+	})
+}

From b6658076a96977cc1bc6d0b141d881d4589b74bf Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 2 May 2026 03:07:26 +0200
Subject: [PATCH 216/287] Update dependency clippie to v4.1.15 (forgejo)
 (#12371)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12371
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index fe96fe60f6..28d3bdb364 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -43,7 +43,7 @@
         "chart.js": "4.5.1",
         "chartjs-adapter-dayjs-4": "1.0.4",
         "chartjs-plugin-zoom": "2.2.0",
-        "clippie": "4.1.14",
+        "clippie": "4.1.15",
         "css-loader": "7.1.3",
         "dayjs": "1.11.19",
         "dropzone": "6.0.0-beta.2",
@@ -6337,9 +6337,9 @@
       }
     },
     "node_modules/clippie": {
-      "version": "4.1.14",
-      "resolved": "https://registry.npmjs.org/clippie/-/clippie-4.1.14.tgz",
-      "integrity": "sha512-VMyejKiX9jtz57BP2YLZeH+662xKTlIAXBoaHVXdtuuDiSd2D1z/0GyclLGX4POXKK03/vYB6cHVWlSLDI2YBw==",
+      "version": "4.1.15",
+      "resolved": "https://registry.npmjs.org/clippie/-/clippie-4.1.15.tgz",
+      "integrity": "sha512-K4z5MF32z7Gr1fUcfuUZvmrzpdNs5q8zAm2yqsWhA8mZ9Q6GL4HNdR2k3h3ubEEEGoyb8fvMA48LDr2MKYDASA==",
       "license": "BSD-2-Clause"
     },
     "node_modules/cliui": {
diff --git a/package.json b/package.json
index 0669dc04c1..6fe61d62f1 100644
--- a/package.json
+++ b/package.json
@@ -42,7 +42,7 @@
     "chart.js": "4.5.1",
     "chartjs-adapter-dayjs-4": "1.0.4",
     "chartjs-plugin-zoom": "2.2.0",
-    "clippie": "4.1.14",
+    "clippie": "4.1.15",
     "css-loader": "7.1.3",
     "dayjs": "1.11.19",
     "dropzone": "6.0.0-beta.2",

From 8edcb8d4dbc96db19399c2017acf87d661b9c291 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 3 May 2026 04:06:51 +0200
Subject: [PATCH 217/287] Update module github.com/fsnotify/fsnotify to v1.10.0
 (forgejo) (#12374)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12374
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index d4b54ad8bf..b1282504d9 100644
--- a/go.mod
+++ b/go.mod
@@ -41,7 +41,7 @@ require (
 	github.com/editorconfig/editorconfig-core-go/v2 v2.6.4
 	github.com/emersion/go-imap v1.2.1
 	github.com/felixge/fgprof v0.9.5
-	github.com/fsnotify/fsnotify v1.9.0
+	github.com/fsnotify/fsnotify v1.10.0
 	github.com/gdgvda/cron v0.7.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc
diff --git a/go.sum b/go.sum
index 34aa5f4f7a..a286b590d0 100644
--- a/go.sum
+++ b/go.sum
@@ -249,8 +249,8 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
-github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/fsnotify/fsnotify v1.10.0 h1:Xx/5Ydg9CeBDX/wi4VJqStNtohYjitZhhlHt4h3St1M=
+github.com/fsnotify/fsnotify v1.10.0/go.mod h1:TLheqan6HD6GBK6PrDWyDPBaEV8LspOxvPSjC+bVfgo=
 github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ=
 github.com/fxamacker/cbor/v2 v2.9.1/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gdgvda/cron v0.7.0 h1:LFPZUTbCb5ZpzYxavbQDDbjd6nwTwkiNUWyulOdlY2I=

From ee8ad6581c08c20bdbf2b6a5bb290d2d0b5ad308 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 3 May 2026 04:07:02 +0200
Subject: [PATCH 218/287] Update module github.com/klauspost/compress to
 v1.18.6 (forgejo) (#12372)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12372
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index b1282504d9..9fe44c95f0 100644
--- a/go.mod
+++ b/go.mod
@@ -72,7 +72,7 @@ require (
 	github.com/jhillyerd/enmime/v2 v2.2.0
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.18.5
+	github.com/klauspost/compress v1.18.6
 	github.com/klauspost/cpuid/v2 v2.2.11
 	github.com/markbates/goth v1.82.0
 	github.com/mattn/go-isatty v0.0.21
diff --git a/go.sum b/go.sum
index a286b590d0..864dc04863 100644
--- a/go.sum
+++ b/go.sum
@@ -480,8 +480,8 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNU
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
-github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
+github.com/klauspost/compress v1.18.6 h1:2jupLlAwFm95+YDR+NwD2MEfFO9d4z4Prjl1XXDjuao=
+github.com/klauspost/compress v1.18.6/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.11 h1:0OwqZRYI2rFrjS4kvkDnqJkKHdHaRnCm68/DY4OxRzU=

From 7e205c571892c3060c2d939bdbb2f1972b22b472 Mon Sep 17 00:00:00 2001
From: "steven.guiheux" <steven.guiheux@ovhcloud.com>
Date: Sun, 3 May 2026 04:41:12 +0200
Subject: [PATCH 219/287] fix: get tag must return the tag signature instead of
 commit signature (#12351)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Fix: `GET /api/v1/repos/{owner}/{repo}/git/tags/{sha}` returns empty verification for signed tags

### Problem

When an annotated tag is signed (GPG or SSH) but the underlying commit is **not** signed, the API endpoint `GET /repos/{owner}/{repo}/git/tags/{sha}` returns an empty `verification.signature` field.

This is because `ToAnnotatedTag` was calling `ToVerification(ctx, c)` with the **commit** object, which checks the commit's signature — not the tag's own signature. Since the commit is unsigned, the API returns `signature: ""` and `verified: false`.

This causes issues for tools that rely on the tag signature from the API to validate that a tag push event is from a trusted source.

### Fix

`ToAnnotatedTag` now checks if the tag has its own signature (`t.Signature != nil`). If so, it uses `ParseTagWithSignature` to verify the tag's signature and populates the `verification` field from the tag. Otherwise, it falls back to the commit signature (existing behavior for unsigned/lightweight tags).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12351
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 routers/api/v1/repo/tag.go       |  2 +-
 services/convert/convert.go      | 24 +++++++-
 services/convert/convert_test.go | 99 ++++++++++++++++++++++++++++++++
 3 files changed, 122 insertions(+), 3 deletions(-)

diff --git a/routers/api/v1/repo/tag.go b/routers/api/v1/repo/tag.go
index 9d0609aaa0..80e34938a7 100644
--- a/routers/api/v1/repo/tag.go
+++ b/routers/api/v1/repo/tag.go
@@ -122,7 +122,7 @@ func GetAnnotatedTag(ctx *context.APIContext) {
 			ctx.Error(http.StatusBadRequest, "GetAnnotatedTag", err)
 		}
 
-		convertedAnnotatedTag, err := convert.ToAnnotatedTag(ctx, ctx.Repo.Repository, tag, commit)
+		convertedAnnotatedTag, err := convert.ToAnnotatedTag(ctx, ctx.Repo.GitRepo, ctx.Repo.Repository, tag, commit)
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "ToAnnotatedTag", err)
 			return
diff --git a/services/convert/convert.go b/services/convert/convert.go
index 65fa701ffe..1f52511188 100644
--- a/services/convert/convert.go
+++ b/services/convert/convert.go
@@ -397,12 +397,32 @@ func ToTeams(ctx context.Context, teams []*organization.Team, loadOrgs bool) ([]
 }
 
 // ToAnnotatedTag convert git.Tag to api.AnnotatedTag
-func ToAnnotatedTag(ctx context.Context, repo *repo_model.Repository, t *git.Tag, c *git.Commit) (*api.AnnotatedTag, error) {
+func ToAnnotatedTag(ctx context.Context, gitRepo *git.Repository, repo *repo_model.Repository, t *git.Tag, c *git.Commit) (*api.AnnotatedTag, error) {
 	archiveDownloadCount, err := repo_model.GetArchiveDownloadCountForTagName(ctx, repo.ID, t.Name)
 	if err != nil {
 		return nil, err
 	}
 
+	// Use the tag's own signature if the tag is signed, otherwise fall back to commit signature.
+	var verification *api.PayloadCommitVerification
+	if t.Signature != nil {
+		verif := asymkey_model.ParseTagWithSignature(ctx, gitRepo, t)
+		verification = &api.PayloadCommitVerification{
+			Verified:  verif.Verified,
+			Reason:    verif.Reason,
+			Signature: t.Signature.Signature,
+			Payload:   t.Signature.Payload,
+		}
+		if verif.SigningUser != nil {
+			verification.Signer = &api.PayloadUser{
+				Name:  verif.SigningUser.Name,
+				Email: verif.SigningEmail,
+			}
+		}
+	} else {
+		verification = ToVerification(ctx, c)
+	}
+
 	return &api.AnnotatedTag{
 		Tag:                  t.Name,
 		SHA:                  t.ID.String(),
@@ -410,7 +430,7 @@ func ToAnnotatedTag(ctx context.Context, repo *repo_model.Repository, t *git.Tag
 		Message:              t.Message,
 		URL:                  util.URLJoin(repo.APIURL(), "git/tags", t.ID.String()),
 		Tagger:               ToCommitUser(t.Tagger),
-		Verification:         ToVerification(ctx, c),
+		Verification:         verification,
 		ArchiveDownloadCount: archiveDownloadCount,
 	}, nil
 }
diff --git a/services/convert/convert_test.go b/services/convert/convert_test.go
index 6b870e0540..de964eb07a 100644
--- a/services/convert/convert_test.go
+++ b/services/convert/convert_test.go
@@ -5,14 +5,17 @@ package convert
 
 import (
 	"testing"
+	"time"
 
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
+	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/timeutil"
+	"forgejo.org/modules/util"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -106,6 +109,102 @@ uf51WIBywxztet6vi+jYJK1jFoY4iA==
 	})
 }
 
+func TestToAnnotatedTag(t *testing.T) {
+	defer unittest.OverrideFixtures("models/fixtures/TestParseCommitWithSSHSignature")()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	// Align user email for predictable test results (same as TestToVerification).
+	userModel := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	userModel.Email = "secret-email@example.com"
+	db.GetEngine(t.Context()).ID(userModel.ID).Cols("email").Update(userModel)
+
+	headRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	sha1 := git.Sha1ObjectFormat
+
+	tagSHA := sha1.EmptyObjectID()
+	commitSHA := git.MustIDFromString("e20aa0bcd2878f65a93de68a3eed9045d6efdd74")
+	tagger := &git.Signature{Name: "user2", Email: "user2@example.com", When: time.Unix(1699707877, 0)}
+
+	t.Run("Unsigned tag falls back to commit signature (GPG)", func(t *testing.T) {
+		tag := &git.Tag{
+			Name:    "v2.0.0",
+			ID:      tagSHA,
+			Object:  commitSHA,
+			Type:    "commit",
+			Tagger:  tagger,
+			Message: "Lightweight tag\n",
+			// No Signature → unsigned tag
+		}
+
+		commitPayload := `tree e20aa0bcd2878f65a93de68a3eed9045d6efdd74
+parent 5cd9b9847563eb730d63d23c1f1b84868e52ae7d
+author user2 <user2+committer@example.com> 1759956520 -0600
+committer user2 <user2+committer@example.com> 1759956520 -0600
+
+Add content
+`
+		commitGPGSig := `-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEdlqhn25IEoMmvK5vmDaXTfEZWRMFAmjmzigACgkQmDaXTfEZ
+WROC4ggAs8mD8csA6FV5e2v/4HcxuaZKCN+D8Gvku2JUigODQCA+NOX0FF2jDnCh
+tXylBPB4HJw1spKkDLtOpnCUSOniBdl9NcZjnBt6sP/OSnEfLznXFra+9fCHzsu0
+9uhDn3Wn1iHWXQ2ZglUwVS0ja6pNgEip8wNZBysv8+XbO1CEEW0m7zQA6tunzIwp
+yiPZDUJrKtpKAK0+v19EccT2VjYAa+Vo+p3/E0piaTYNbsTqtFRy63tdjDkf+mo+
+l/PaPhrMqdnbxv3/sd/63VCNdvPH3f0+OuydcC7mXyysmvap99EC+QKnpsrm7RAP
+uf51WIBywxztet6vi+jYJK1jFoY4iA==
+=Lnrt
+-----END PGP SIGNATURE-----`
+
+		commit := &git.Commit{
+			ID: commitSHA,
+			Committer: &git.Signature{
+				Email: "user2@example.com",
+			},
+			Signature: &git.ObjectSignature{
+				Payload:   commitPayload,
+				Signature: commitGPGSig,
+			},
+		}
+
+		result, err := ToAnnotatedTag(t.Context(), nil, headRepo, tag, commit)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+
+		// Should fall back to commit verification (tag has no signature)
+		assert.Equal(t, commitGPGSig, result.Verification.Signature, "should use the commit GPG signature")
+		assert.Equal(t, commitPayload, result.Verification.Payload, "should use the commit payload")
+		assert.True(t, result.Verification.Verified, "commit signature should be verified")
+		assert.Equal(t, "v2.0.0", result.Tag)
+		assert.Equal(t, tagSHA.String(), result.SHA)
+		assert.Equal(t, util.URLJoin(headRepo.APIURL(), "git/tags", tagSHA.String()), result.URL)
+	})
+
+	t.Run("Unsigned tag, unsigned commit", func(t *testing.T) {
+		tag := &git.Tag{
+			Name:    "v3.0.0",
+			ID:      tagSHA,
+			Object:  commitSHA,
+			Type:    "commit",
+			Tagger:  tagger,
+			Message: "No signature\n",
+		}
+
+		commit := &git.Commit{
+			ID:        commitSHA,
+			Committer: &git.Signature{Email: "user2@example.com"},
+			// No Signature
+		}
+
+		result, err := ToAnnotatedTag(t.Context(), nil, headRepo, tag, commit)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+
+		assert.False(t, result.Verification.Verified, "should not be verified")
+		assert.Empty(t, result.Verification.Signature, "should have no signature")
+		assert.Equal(t, "v3.0.0", result.Tag)
+	})
+}
+
 func TestToActionRunner(t *testing.T) {
 	testCases := []struct {
 		name           string

From 743b3b4cd90c2dc23381e96014d061d27ab89f51 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 3 May 2026 05:15:10 +0200
Subject: [PATCH 220/287] Update module github.com/minio/minio-go/v7 to v7.1.0
 (forgejo) (#11959)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11959
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 assets/go-licenses.json | 5 +++++
 go.mod                  | 4 ++--
 go.sum                  | 6 ++++--
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index 41b1135033..355648c18d 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -1184,6 +1184,11 @@
     "path": "github.com/zeebo/blake3/LICENSE",
     "licenseText": "This work is released into the public domain with CC0 1.0.\n\n-------------------------------------------------------------------------------\n\nCreative Commons Legal Code\n\nCC0 1.0 Universal\n\n    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE\n    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN\n    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS\n    INFORMATION ON AN \"AS-IS\" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES\n    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS\n    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM\n    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED\n    HEREUNDER.\n\nStatement of Purpose\n\nThe laws of most jurisdictions throughout the world automatically confer\nexclusive Copyright and Related Rights (defined below) upon the creator\nand subsequent owner(s) (each and all, an \"owner\") of an original work of\nauthorship and/or a database (each, a \"Work\").\n\nCertain owners wish to permanently relinquish those rights to a Work for\nthe purpose of contributing to a commons of creative, cultural and\nscientific works (\"Commons\") that the public can reliably and without fear\nof later claims of infringement build upon, modify, incorporate in other\nworks, reuse and redistribute as freely as possible in any form whatsoever\nand for any purposes, including without limitation commercial purposes.\nThese owners may contribute to the Commons to promote the ideal of a free\nculture and the further production of creative, cultural and scientific\nworks, or to gain reputation or greater distribution for their Work in\npart through the use and efforts of others.\n\nFor these and/or other purposes and motivations, and without any\nexpectation of additional consideration or compensation, the person\nassociating CC0 with a Work (the \"Affirmer\"), to the extent that he or she\nis an owner of Copyright and Related Rights in the Work, voluntarily\nelects to apply CC0 to the Work and publicly distribute the Work under its\nterms, with knowledge of his or her Copyright and Related Rights in the\nWork and the meaning and intended legal effect of CC0 on those rights.\n\n1. Copyright and Related Rights. A Work made available under CC0 may be\nprotected by copyright and related or neighboring rights (\"Copyright and\nRelated Rights\"). Copyright and Related Rights include, but are not\nlimited to, the following:\n\n  i. the right to reproduce, adapt, distribute, perform, display,\n     communicate, and translate a Work;\n ii. moral rights retained by the original author(s) and/or performer(s);\niii. publicity and privacy rights pertaining to a person's image or\n     likeness depicted in a Work;\n iv. rights protecting against unfair competition in regards to a Work,\n     subject to the limitations in paragraph 4(a), below;\n  v. rights protecting the extraction, dissemination, use and reuse of data\n     in a Work;\n vi. database rights (such as those arising under Directive 96/9/EC of the\n     European Parliament and of the Council of 11 March 1996 on the legal\n     protection of databases, and under any national implementation\n     thereof, including any amended or successor version of such\n     directive); and\nvii. other similar, equivalent or corresponding rights throughout the\n     world based on applicable law or treaty, and any national\n     implementations thereof.\n\n2. Waiver. To the greatest extent permitted by, but not in contravention\nof, applicable law, Affirmer hereby overtly, fully, permanently,\nirrevocably and unconditionally waives, abandons, and surrenders all of\nAffirmer's Copyright and Related Rights and associated claims and causes\nof action, whether now known or unknown (including existing as well as\nfuture claims and causes of action), in the Work (i) in all territories\nworldwide, (ii) for the maximum duration provided by applicable law or\ntreaty (including future time extensions), (iii) in any current or future\nmedium and for any number of copies, and (iv) for any purpose whatsoever,\nincluding without limitation commercial, advertising or promotional\npurposes (the \"Waiver\"). Affirmer makes the Waiver for the benefit of each\nmember of the public at large and to the detriment of Affirmer's heirs and\nsuccessors, fully intending that such Waiver shall not be subject to\nrevocation, rescission, cancellation, termination, or any other legal or\nequitable action to disrupt the quiet enjoyment of the Work by the public\nas contemplated by Affirmer's express Statement of Purpose.\n\n3. Public License Fallback. Should any part of the Waiver for any reason\nbe judged legally invalid or ineffective under applicable law, then the\nWaiver shall be preserved to the maximum extent permitted taking into\naccount Affirmer's express Statement of Purpose. In addition, to the\nextent the Waiver is so judged Affirmer hereby grants to each affected\nperson a royalty-free, non transferable, non sublicensable, non exclusive,\nirrevocable and unconditional license to exercise Affirmer's Copyright and\nRelated Rights in the Work (i) in all territories worldwide, (ii) for the\nmaximum duration provided by applicable law or treaty (including future\ntime extensions), (iii) in any current or future medium and for any number\nof copies, and (iv) for any purpose whatsoever, including without\nlimitation commercial, advertising or promotional purposes (the\n\"License\"). The License shall be deemed effective as of the date CC0 was\napplied by Affirmer to the Work. Should any part of the License for any\nreason be judged legally invalid or ineffective under applicable law, such\npartial invalidity or ineffectiveness shall not invalidate the remainder\nof the License, and in such case Affirmer hereby affirms that he or she\nwill not (i) exercise any of his or her remaining Copyright and Related\nRights in the Work or (ii) assert any associated claims and causes of\naction with respect to the Work, in either case contrary to Affirmer's\nexpress Statement of Purpose.\n\n4. Limitations and Disclaimers.\n\n a. No trademark or patent rights held by Affirmer are waived, abandoned,\n    surrendered, licensed or otherwise affected by this document.\n b. Affirmer offers the Work as-is and makes no representations or\n    warranties of any kind concerning the Work, express, implied,\n    statutory or otherwise, including without limitation warranties of\n    title, merchantability, fitness for a particular purpose, non\n    infringement, or the absence of latent or other defects, accuracy, or\n    the present or absence of errors, whether or not discoverable, all to\n    the greatest extent permissible under applicable law.\n c. Affirmer disclaims responsibility for clearing rights of other persons\n    that may apply to the Work or any use thereof, including without\n    limitation any person's Copyright and Related Rights in the Work.\n    Further, Affirmer disclaims responsibility for obtaining any necessary\n    consents, permissions or other rights required for any use of the\n    Work.\n d. Affirmer understands and acknowledges that Creative Commons is not a\n    party to this document and has no duty or obligation with respect to\n    this CC0 or use of the Work.\n"
   },
+  {
+    "name": "github.com/zeebo/xxh3",
+    "path": "github.com/zeebo/xxh3/LICENSE",
+    "licenseText": "BSD 2-Clause License\n\nCopyright (c) 2012-2014, Yann Collet\nCopyright (c) 2019, Jeff Wendling\nAll rights reserved.\n\nxxHash Library\n\nRedistribution and use in source and binary forms, with or without modification,\nare permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice, this\n  list of conditions and the following disclaimer in the documentation and/or\n  other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND\nANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\n(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\nLOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON\nANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
+  },
   {
     "name": "gitlab.com/gitlab-org/api/client-go",
     "path": "gitlab.com/gitlab-org/api/client-go/LICENSE",
diff --git a/go.mod b/go.mod
index 9fe44c95f0..9cd3aea8e2 100644
--- a/go.mod
+++ b/go.mod
@@ -80,7 +80,7 @@ require (
 	github.com/meilisearch/meilisearch-go v0.36.2
 	github.com/mholt/archives v0.1.5
 	github.com/microcosm-cc/bluemonday v1.0.27
-	github.com/minio/minio-go/v7 v7.0.99
+	github.com/minio/minio-go/v7 v7.1.0
 	github.com/msteinert/pam/v2 v2.1.0
 	github.com/niklasfasching/go-org v1.9.1
 	github.com/olivere/elastic/v7 v7.0.32
@@ -247,8 +247,8 @@ require (
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tinylib/msgp v1.6.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	github.com/zeebo/assert v1.3.0 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
+	github.com/zeebo/xxh3 v1.1.0 // indirect
 	go.etcd.io/bbolt v1.4.3 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
diff --git a/go.sum b/go.sum
index 864dc04863..49cc3e4a7b 100644
--- a/go.sum
+++ b/go.sum
@@ -537,8 +537,8 @@ github.com/minio/crc64nvme v1.1.1 h1:8dwx/Pz49suywbO+auHCBpCtlW1OfpcLN7wYgVR6wAI
 github.com/minio/crc64nvme v1.1.1/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.99 h1:2vH/byrwUkIpFQFOilvTfaUpvAX3fEFhEzO+DR3DlCE=
-github.com/minio/minio-go/v7 v7.0.99/go.mod h1:EtGNKtlX20iL2yaYnxEigaIvj0G0GwSDnifnG8ClIdw=
+github.com/minio/minio-go/v7 v7.1.0 h1:QEt5IStDpxgGjEdtOgpiZ5QhmSl3ax7qy61vi2SwHO8=
+github.com/minio/minio-go/v7 v7.1.0/go.mod h1:Dm7WS1AgLmBa0NcQD6SeJnJf+K/EUW3GR7Ks6olB3OA=
 github.com/minio/minlz v1.0.1 h1:OUZUzXcib8diiX+JYxyRLIdomyZYzHct6EShOKtQY2A=
 github.com/minio/minlz v1.0.1/go.mod h1:qT0aEB35q79LLornSzeDH75LBf3aH1MV+jB5w9Wasec=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -684,6 +684,8 @@ github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI=
 github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE=
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
+github.com/zeebo/xxh3 v1.1.0 h1:s7DLGDK45Dyfg7++yxI0khrfwq9661w9EN78eP/UZVs=
+github.com/zeebo/xxh3 v1.1.0/go.mod h1:IisAie1LELR4xhVinxWS5+zf1lA4p0MW4T+w+W07F5s=
 gitlab.com/gitlab-org/api/client-go v0.143.2 h1:tfmUW8u+G/DGKOB/FDR0c06f0RVUAEe0ym8WpLoiHXI=
 gitlab.com/gitlab-org/api/client-go v0.143.2/go.mod h1:gJn5yLx9vYGXr73Yv0ueHWCVl+fL8iUOgJFxC7qV+iM=
 go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=

From a2557f0f42bac6a4910347b898a8d31a1f1f2500 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 3 May 2026 05:57:54 +0200
Subject: [PATCH 221/287] Update module github.com/caddyserver/certmagic to
 v0.25.3 (forgejo) (#12257)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12257
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 assets/go-licenses.json |  2 +-
 go.mod                  | 18 ++++++++---------
 go.sum                  | 44 ++++++++++++++++++++++++-----------------
 3 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index 355648c18d..e98b67581d 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -1212,7 +1212,7 @@
   {
     "name": "go.uber.org/zap",
     "path": "go.uber.org/zap/LICENSE",
-    "licenseText": "Copyright (c) 2016-2017 Uber Technologies, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
+    "licenseText": "Copyright (c) 2016-2024 Uber Technologies, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
   },
   {
     "name": "go.uber.org/zap/exp/zapslog",
diff --git a/go.mod b/go.mod
index 9cd3aea8e2..0adf767790 100644
--- a/go.mod
+++ b/go.mod
@@ -31,7 +31,7 @@ require (
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
 	github.com/blevesearch/bleve/v2 v2.5.7
 	github.com/buildkite/terminal-to-html/v3 v3.16.8
-	github.com/caddyserver/certmagic v0.24.0
+	github.com/caddyserver/certmagic v0.25.3
 	github.com/chi-middleware/proxy v1.1.1
 	github.com/djherbis/buffer v1.2.0
 	github.com/djherbis/nio/v3 v3.0.1
@@ -73,7 +73,7 @@ require (
 	github.com/json-iterator/go v1.1.12
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/klauspost/compress v1.18.6
-	github.com/klauspost/cpuid/v2 v2.2.11
+	github.com/klauspost/cpuid/v2 v2.3.0
 	github.com/markbates/goth v1.82.0
 	github.com/mattn/go-isatty v0.0.21
 	github.com/mattn/go-sqlite3 v1.14.44
@@ -152,7 +152,7 @@ require (
 	github.com/bodgit/windows v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20250403215159-8d39553ac7cf // indirect
-	github.com/caddyserver/zerossl v0.1.3 // indirect
+	github.com/caddyserver/zerossl v0.1.5 // indirect
 	github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.6.3 // indirect
@@ -207,14 +207,14 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/crc32 v1.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/libdns/libdns v1.0.0 // indirect
+	github.com/libdns/libdns v1.1.1 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/markbates/going v1.0.3 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-runewidth v0.0.17 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
-	github.com/mholt/acmez/v3 v3.1.2 // indirect
-	github.com/miekg/dns v1.1.63 // indirect
+	github.com/mholt/acmez/v3 v3.1.6 // indirect
+	github.com/miekg/dns v1.1.72 // indirect
 	github.com/mikelolasagasti/xz v1.0.1 // indirect
 	github.com/minio/crc64nvme v1.1.1 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
@@ -252,13 +252,13 @@ require (
 	go.etcd.io/bbolt v1.4.3 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
+	go.uber.org/zap v1.27.1 // indirect
 	go.uber.org/zap/exp v0.3.0 // indirect
 	go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/mod v0.34.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
-	golang.org/x/tools v0.43.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index 49cc3e4a7b..242a4c5f4d 100644
--- a/go.sum
+++ b/go.sum
@@ -46,6 +46,8 @@ code.forgejo.org/xorm/xorm v1.3.9-forgejo.11 h1:EXJVQ4feAFMkpFwtHAHuXkK6TLNYqabR
 code.forgejo.org/xorm/xorm v1.3.9-forgejo.11/go.mod h1:C18NeM/SazG/q4eqpWnoNks7GeCyRUNQIe2onniRViU=
 code.gitea.io/sdk/gitea v0.21.0 h1:69n6oz6kEVHRo1+APQQyizkhrZrLsTLXey9142pfkD4=
 code.gitea.io/sdk/gitea v0.21.0/go.mod h1:tnBjVhuKJCn8ibdyyhvUyxrR1Ca2KHEoTWoukNhXQPA=
+code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
+code.pfad.fr/check v1.1.0/go.mod h1:NiUH13DtYsb7xp5wll0U4SXx7KhXQVCtRgdC96IPfoM=
 code.superseriousbusiness.org/exif-terminator v0.11.2 h1:nkTdaghZb6I0oGYFhTLSALhA2ShgkPnYAJryE5IE9+0=
 code.superseriousbusiness.org/exif-terminator v0.11.2/go.mod h1:/Z+3DHSrefCzzN5ePkGjVYKFErRimoeUf694Gz8Pn/Y=
 code.superseriousbusiness.org/go-jpeg-image-structure/v2 v2.3.0 h1:r9uq8StaSHYKJ8DklR9Xy+E9c40G1Z8yj5TRGi8L6+4=
@@ -161,10 +163,10 @@ github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/buildkite/terminal-to-html/v3 v3.16.8 h1:QN/daUob6cmK8GcdKnwn9+YTlPr1vNj+oeAIiJK6fPc=
 github.com/buildkite/terminal-to-html/v3 v3.16.8/go.mod h1:+k1KVKROZocrTLsEQ9PEf9A+8+X8uaVV5iO1ZIOwKYM=
-github.com/caddyserver/certmagic v0.24.0 h1:EfXTWpxHAUKgDfOj6MHImJN8Jm4AMFfMT6ITuKhrDF0=
-github.com/caddyserver/certmagic v0.24.0/go.mod h1:xPT7dC1DuHHnS2yuEQCEyks+b89sUkMENh8dJF+InLE=
-github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
-github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
+github.com/caddyserver/certmagic v0.25.3 h1:mGf5ba8F7xA4c5jfDZZbK2buY1VEkbnwpMDixaju94A=
+github.com/caddyserver/certmagic v0.25.3/go.mod h1:YVs43D5+H/Dckt4bTga1KSO/xYfFBfVZainGDywYPAA=
+github.com/caddyserver/zerossl v0.1.5 h1:dkvOjBAEEtY6LIGAHei7sw2UgqSD6TrWweXpV7lvEvE=
+github.com/caddyserver/zerossl v0.1.5/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a h1:MISbI8sU/PSK/ztvmWKFcI7UGb5/HQT7B+i3a2myKgI=
 github.com/cention-sany/utf7 v0.0.0-20170124080048-26cad61bd60a/go.mod h1:2GxOXOlEPAMFPfp014mK1SWq8G8BN8o7/dfYqJrVGn8=
@@ -291,6 +293,8 @@ github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
 github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=
@@ -484,8 +488,8 @@ github.com/klauspost/compress v1.18.6 h1:2jupLlAwFm95+YDR+NwD2MEfFO9d4z4Prjl1XXD
 github.com/klauspost/compress v1.18.6/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.11 h1:0OwqZRYI2rFrjS4kvkDnqJkKHdHaRnCm68/DY4OxRzU=
-github.com/klauspost/cpuid/v2 v2.2.11/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/klauspost/crc32 v1.3.0 h1:sSmTt3gUt81RP655XGZPElI0PelVTZ6YwCRnPSupoFM=
 github.com/klauspost/crc32 v1.3.0/go.mod h1:D7kQaZhnkX/Y0tstFGf8VUzv2UofNGqCjnC3zdHB0Hw=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
@@ -502,8 +506,12 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
-github.com/libdns/libdns v1.0.0 h1:IvYaz07JNz6jUQ4h/fv2R4sVnRnm77J/aOuC9B+TQTA=
-github.com/libdns/libdns v1.0.0/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
+github.com/letsencrypt/challtestsrv v1.4.2 h1:0ON3ldMhZyWlfVNYYpFuWRTmZNnyfiL9Hh5YzC3JVwU=
+github.com/letsencrypt/challtestsrv v1.4.2/go.mod h1:GhqMqcSoeGpYd5zX5TgwA6er/1MbWzx/o7yuuVya+Wk=
+github.com/letsencrypt/pebble/v2 v2.10.0 h1:Wq6gYXlsY6ubqI3hhxsTzdyotvfdjFBxuwYqCLCnj/U=
+github.com/letsencrypt/pebble/v2 v2.10.0/go.mod h1:Sk8cmUIPcIdv2nINo+9PB4L+ZBhzY+F9A1a/h/xmWiQ=
+github.com/libdns/libdns v1.1.1 h1:wPrHrXILoSHKWJKGd0EiAVmiJbFShguILTg9leS/P/U=
+github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
 github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
@@ -523,14 +531,14 @@ github.com/mattn/go-sqlite3 v1.14.44 h1:3VSe+xafpbzsLbdr2AWlAZk9yRHiBhTBakioXaCK
 github.com/mattn/go-sqlite3 v1.14.44/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
 github.com/meilisearch/meilisearch-go v0.36.2 h1:MYaMPCpdLh2aYPt+zK+19mLoA4dfBY3S1L7T0FADCjU=
 github.com/meilisearch/meilisearch-go v0.36.2/go.mod h1:hWcR0MuWLSzHfbz9GGzIr3s9rnXLm1jqkmHkJPbUSvM=
-github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=
-github.com/mholt/acmez/v3 v3.1.2/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
+github.com/mholt/acmez/v3 v3.1.6 h1:eGVQNObP0pBN4sxqrXeg7MYqTOWyoiYpQqITVWlrevk=
+github.com/mholt/acmez/v3 v3.1.6/go.mod h1:5nTPosTGosLxF3+LU4ygbgMRFDhbAVpqMI4+a4aHLBY=
 github.com/mholt/archives v0.1.5 h1:Fh2hl1j7VEhc6DZs2DLMgiBNChUux154a1G+2esNvzQ=
 github.com/mholt/archives v0.1.5/go.mod h1:3TPMmBLPsgszL+1As5zECTuKwKvIfj6YcwWPpeTAXF4=
 github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
 github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
-github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
-github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
+github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
+github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/mikelolasagasti/xz v1.0.1 h1:Q2F2jX0RYJUG3+WsM+FJknv+6eVjsjXNDV0KJXZzkD0=
 github.com/mikelolasagasti/xz v1.0.1/go.mod h1:muAirjiOUxPRXwm9HdDtB3uoRPrGnL85XHtokL9Hcgc=
 github.com/minio/crc64nvme v1.1.1 h1:8dwx/Pz49suywbO+auHCBpCtlW1OfpcLN7wYgVR6wAI=
@@ -703,8 +711,8 @@ go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
-go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=
+go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
 go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
@@ -761,8 +769,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -912,8 +920,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

From e9710af24f1d13e21324292cde302471bcdc360c Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 3 May 2026 06:22:22 +0200
Subject: [PATCH 222/287] Update module code.forgejo.org/forgejo/runner/v12 to
 v12.10.0 (forgejo) (#12392)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12392
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 assets/go-licenses.json | 25 -------------------------
 go.mod                  |  8 ++------
 go.sum                  | 14 ++------------
 3 files changed, 4 insertions(+), 43 deletions(-)

diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index e98b67581d..e3c20b807e 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -609,21 +609,6 @@
     "path": "github.com/go-fed/httpsig/LICENSE",
     "licenseText": "BSD 3-Clause License\n\nCopyright (c) 2018, go-fed\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\n* Neither the name of the copyright holder nor the names of its\n  contributors may be used to endorse or promote products derived from\n  this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
   },
-  {
-    "name": "github.com/go-git/gcfg",
-    "path": "github.com/go-git/gcfg/LICENSE",
-    "licenseText": "Copyright (c) 2012 Péter Surányi. Portions Copyright (c) 2009 The Go\nAuthors. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n   * Neither the name of Google Inc. nor the names of its\ncontributors may be used to endorse or promote products derived from\nthis software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
-  },
-  {
-    "name": "github.com/go-git/go-billy/v5",
-    "path": "github.com/go-git/go-billy/v5/LICENSE",
-    "licenseText": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. (Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright 2017 Sourced Technologies S.L.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
-  },
-  {
-    "name": "github.com/go-git/go-git/v5",
-    "path": "github.com/go-git/go-git/v5/LICENSE",
-    "licenseText": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"{}\"\n      replaced with your own identifying information. (Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright 2018 Sourced Technologies, S.L.\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
-  },
   {
     "name": "github.com/go-ini/ini",
     "path": "github.com/go-ini/ini/LICENSE",
@@ -809,11 +794,6 @@
     "path": "github.com/jackc/puddle/v2/LICENSE",
     "licenseText": "Copyright (c) 2018 Jack Christensen\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n"
   },
-  {
-    "name": "github.com/jbenet/go-context/io",
-    "path": "github.com/jbenet/go-context/io/LICENSE",
-    "licenseText": "The MIT License (MIT)\n\nCopyright (c) 2014 Juan Batiz-Benet\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
-  },
   {
     "name": "github.com/jhillyerd/enmime/v2",
     "path": "github.com/jhillyerd/enmime/v2/LICENSE",
@@ -1294,11 +1274,6 @@
     "path": "gopkg.in/ini.v1/LICENSE",
     "licenseText": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n\nTERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n1. Definitions.\n\n\"License\" shall mean the terms and conditions for use, reproduction, and\ndistribution as defined by Sections 1 through 9 of this document.\n\n\"Licensor\" shall mean the copyright owner or entity authorized by the copyright\nowner that is granting the License.\n\n\"Legal Entity\" shall mean the union of the acting entity and all other entities\nthat control, are controlled by, or are under common control with that entity.\nFor the purposes of this definition, \"control\" means (i) the power, direct or\nindirect, to cause the direction or management of such entity, whether by\ncontract or otherwise, or (ii) ownership of fifty percent (50%) or more of the\noutstanding shares, or (iii) beneficial ownership of such entity.\n\n\"You\" (or \"Your\") shall mean an individual or Legal Entity exercising\npermissions granted by this License.\n\n\"Source\" form shall mean the preferred form for making modifications, including\nbut not limited to software source code, documentation source, and configuration\nfiles.\n\n\"Object\" form shall mean any form resulting from mechanical transformation or\ntranslation of a Source form, including but not limited to compiled object code,\ngenerated documentation, and conversions to other media types.\n\n\"Work\" shall mean the work of authorship, whether in Source or Object form, made\navailable under the License, as indicated by a copyright notice that is included\nin or attached to the work (an example is provided in the Appendix below).\n\n\"Derivative Works\" shall mean any work, whether in Source or Object form, that\nis based on (or derived from) the Work and for which the editorial revisions,\nannotations, elaborations, or other modifications represent, as a whole, an\noriginal work of authorship. For the purposes of this License, Derivative Works\nshall not include works that remain separable from, or merely link (or bind by\nname) to the interfaces of, the Work and Derivative Works thereof.\n\n\"Contribution\" shall mean any work of authorship, including the original version\nof the Work and any modifications or additions to that Work or Derivative Works\nthereof, that is intentionally submitted to Licensor for inclusion in the Work\nby the copyright owner or by an individual or Legal Entity authorized to submit\non behalf of the copyright owner. For the purposes of this definition,\n\"submitted\" means any form of electronic, verbal, or written communication sent\nto the Licensor or its representatives, including but not limited to\ncommunication on electronic mailing lists, source code control systems, and\nissue tracking systems that are managed by, or on behalf of, the Licensor for\nthe purpose of discussing and improving the Work, but excluding communication\nthat is conspicuously marked or otherwise designated in writing by the copyright\nowner as \"Not a Contribution.\"\n\n\"Contributor\" shall mean Licensor and any individual or Legal Entity on behalf\nof whom a Contribution has been received by Licensor and subsequently\nincorporated within the Work.\n\n2. Grant of Copyright License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable copyright license to reproduce, prepare Derivative Works of,\npublicly display, publicly perform, sublicense, and distribute the Work and such\nDerivative Works in Source or Object form.\n\n3. Grant of Patent License.\n\nSubject to the terms and conditions of this License, each Contributor hereby\ngrants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,\nirrevocable (except as stated in this section) patent license to make, have\nmade, use, offer to sell, sell, import, and otherwise transfer the Work, where\nsuch license applies only to those patent claims licensable by such Contributor\nthat are necessarily infringed by their Contribution(s) alone or by combination\nof their Contribution(s) with the Work to which such Contribution(s) was\nsubmitted. If You institute patent litigation against any entity (including a\ncross-claim or counterclaim in a lawsuit) alleging that the Work or a\nContribution incorporated within the Work constitutes direct or contributory\npatent infringement, then any patent licenses granted to You under this License\nfor that Work shall terminate as of the date such litigation is filed.\n\n4. Redistribution.\n\nYou may reproduce and distribute copies of the Work or Derivative Works thereof\nin any medium, with or without modifications, and in Source or Object form,\nprovided that You meet the following conditions:\n\nYou must give any other recipients of the Work or Derivative Works a copy of\nthis License; and\nYou must cause any modified files to carry prominent notices stating that You\nchanged the files; and\nYou must retain, in the Source form of any Derivative Works that You distribute,\nall copyright, patent, trademark, and attribution notices from the Source form\nof the Work, excluding those notices that do not pertain to any part of the\nDerivative Works; and\nIf the Work includes a \"NOTICE\" text file as part of its distribution, then any\nDerivative Works that You distribute must include a readable copy of the\nattribution notices contained within such NOTICE file, excluding those notices\nthat do not pertain to any part of the Derivative Works, in at least one of the\nfollowing places: within a NOTICE text file distributed as part of the\nDerivative Works; within the Source form or documentation, if provided along\nwith the Derivative Works; or, within a display generated by the Derivative\nWorks, if and wherever such third-party notices normally appear. The contents of\nthe NOTICE file are for informational purposes only and do not modify the\nLicense. You may add Your own attribution notices within Derivative Works that\nYou distribute, alongside or as an addendum to the NOTICE text from the Work,\nprovided that such additional attribution notices cannot be construed as\nmodifying the License.\nYou may add Your own copyright statement to Your modifications and may provide\nadditional or different license terms and conditions for use, reproduction, or\ndistribution of Your modifications, or for any such Derivative Works as a whole,\nprovided Your use, reproduction, and distribution of the Work otherwise complies\nwith the conditions stated in this License.\n\n5. Submission of Contributions.\n\nUnless You explicitly state otherwise, any Contribution intentionally submitted\nfor inclusion in the Work by You to the Licensor shall be under the terms and\nconditions of this License, without any additional terms or conditions.\nNotwithstanding the above, nothing herein shall supersede or modify the terms of\nany separate license agreement you may have executed with Licensor regarding\nsuch Contributions.\n\n6. Trademarks.\n\nThis License does not grant permission to use the trade names, trademarks,\nservice marks, or product names of the Licensor, except as required for\nreasonable and customary use in describing the origin of the Work and\nreproducing the content of the NOTICE file.\n\n7. Disclaimer of Warranty.\n\nUnless required by applicable law or agreed to in writing, Licensor provides the\nWork (and each Contributor provides its Contributions) on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,\nincluding, without limitation, any warranties or conditions of TITLE,\nNON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are\nsolely responsible for determining the appropriateness of using or\nredistributing the Work and assume any risks associated with Your exercise of\npermissions under this License.\n\n8. Limitation of Liability.\n\nIn no event and under no legal theory, whether in tort (including negligence),\ncontract, or otherwise, unless required by applicable law (such as deliberate\nand grossly negligent acts) or agreed to in writing, shall any Contributor be\nliable to You for damages, including any direct, indirect, special, incidental,\nor consequential damages of any character arising as a result of this License or\nout of the use or inability to use the Work (including but not limited to\ndamages for loss of goodwill, work stoppage, computer failure or malfunction, or\nany and all other commercial damages or losses), even if such Contributor has\nbeen advised of the possibility of such damages.\n\n9. Accepting Warranty or Additional Liability.\n\nWhile redistributing the Work or Derivative Works thereof, You may choose to\noffer, and charge a fee for, acceptance of support, warranty, indemnity, or\nother liability obligations and/or rights consistent with this License. However,\nin accepting such obligations, You may act only on Your own behalf and on Your\nsole responsibility, not on behalf of any other Contributor, and only if You\nagree to indemnify, defend, and hold each Contributor harmless for any liability\nincurred by, or claims asserted against, such Contributor by reason of your\naccepting any such warranty or additional liability.\n\nEND OF TERMS AND CONDITIONS\n\nAPPENDIX: How to apply the Apache License to your work\n\nTo apply the Apache License to your work, attach the following boilerplate\nnotice, with the fields enclosed by brackets \"[]\" replaced with your own\nidentifying information. (Don't include the brackets!) The text should be\nenclosed in the appropriate comment syntax for the file format. We also\nrecommend that a file or class name and description of purpose be included on\nthe same \"printed page\" as the copyright notice for easier identification within\nthird-party archives.\n\n   Copyright 2014 Unknwon\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n     http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
   },
-  {
-    "name": "gopkg.in/warnings.v0",
-    "path": "gopkg.in/warnings.v0/LICENSE",
-    "licenseText": "Copyright (c) 2016 Péter Surányi.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are\nmet:\n\n   * Redistributions of source code must retain the above copyright\nnotice, this list of conditions and the following disclaimer.\n   * Redistributions in binary form must reproduce the above\ncopyright notice, this list of conditions and the following disclaimer\nin the documentation and/or other materials provided with the\ndistribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\n\"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\nLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR\nA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT\nOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\nSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT\nLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\nDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\nTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
-  },
   {
     "name": "gopkg.in/yaml.v2",
     "path": "gopkg.in/yaml.v2/LICENSE",
diff --git a/go.mod b/go.mod
index 0adf767790..d38060a6b1 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	code.forgejo.org/forgejo/go-rpmutils v1.0.0
 	code.forgejo.org/forgejo/levelqueue v1.0.0
 	code.forgejo.org/forgejo/reply v1.0.2
-	code.forgejo.org/forgejo/runner/v12 v12.9.0
+	code.forgejo.org/forgejo/runner/v12 v12.10.0
 	code.forgejo.org/go-chi/binding v1.0.1
 	code.forgejo.org/go-chi/cache v1.0.1
 	code.forgejo.org/go-chi/captcha v1.0.2
@@ -172,9 +172,6 @@ require (
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-fed/httpsig v1.1.0 // indirect
-	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.8.0 // indirect
-	github.com/go-git/go-git/v5 v5.18.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-openapi/jsonpointer v0.22.4 // indirect
 	github.com/go-openapi/jsonreference v0.21.4 // indirect
@@ -203,7 +200,6 @@ require (
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/crc32 v1.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
@@ -229,6 +225,7 @@ require (
 	github.com/olekukonko/ll v0.0.9 // indirect
 	github.com/olekukonko/tablewriter v1.0.7 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
+	github.com/onsi/gomega v1.34.1 // indirect
 	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@@ -260,7 +257,6 @@ require (
 	golang.org/x/time v0.15.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 242a4c5f4d..170b500020 100644
--- a/go.sum
+++ b/go.sum
@@ -30,8 +30,8 @@ code.forgejo.org/forgejo/levelqueue v1.0.0 h1:9krYpU6BM+j/1Ntj6m+VCAIu0UNnne1/Uf
 code.forgejo.org/forgejo/levelqueue v1.0.0/go.mod h1:fmG6zhVuqim2rxSFOoasgXO8V2W/k9U31VVYqLIRLhQ=
 code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
 code.forgejo.org/forgejo/reply v1.0.2/go.mod h1:RyZUfzQLc+fuLIGjTSQWDAJWPiL4WtKXB/FifT5fM7U=
-code.forgejo.org/forgejo/runner/v12 v12.9.0 h1:NjON7Io08kHxua/AorPuHQ1KXfx3lF8UjVBMvR7UMQQ=
-code.forgejo.org/forgejo/runner/v12 v12.9.0/go.mod h1:NEQXUvam9ofsTeSTAMnJXMyCZxKLoyQhVG6DAYSpOKw=
+code.forgejo.org/forgejo/runner/v12 v12.10.0 h1:FgUrG7cfaV/3HcbKYu+r8VY42XKpv44Q0ZcaZM3Eng0=
+code.forgejo.org/forgejo/runner/v12 v12.10.0/go.mod h1:NEQXUvam9ofsTeSTAMnJXMyCZxKLoyQhVG6DAYSpOKw=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616 h1:kEZL84+02jY9RxXM4zHBWZ3Fml0B09cmP1LGkDsCfIA=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 code.forgejo.org/go-chi/binding v1.0.1 h1:coKNI+X1NzRN7X85LlrpvBRqk0TXpJ+ja28vusQWEuY=
@@ -283,12 +283,6 @@ github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxI
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI=
 github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
-github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=
-github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
-github.com/go-git/go-git/v5 v5.18.0 h1:O831KI+0PR51hM2kep6T8k+w0/LIAD490gvqMCvL5hM=
-github.com/go-git/go-git/v5 v5.18.0/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
@@ -456,8 +450,6 @@ github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
 github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -982,8 +974,6 @@ gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
-gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

From 555d88070d97fe56fce222bd081c3c3b08202991 Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Sun, 3 May 2026 06:42:14 +0200
Subject: [PATCH 223/287] feat: migrate show-modal to native dialogs (#10287)

Test coverage:

|Modal|Test|
|-|-|
|admin: adopt unadopted|missing, not needed|
|admin: delete unadopted|missing, not needed|
|admin: delete user|e2e added: `Admin: delete a user`|
|delete package|missing|
|new project|?|
|edit project col|?|
|default project col|?|
|delete project col|?|
|commit cherry-pick|?|
|commit delete note|?|
|fork redirect|?|
|lock/unlock issue|?|
|dismiss PR review|?|
|migration delete|?|
|migration cancel|?|
|lfs delete|?|
|convert mirror|?|
|convert fork|?|
|transfer repo|?|
|delete repo|?|
|archive repo|integration present, selectors adjusted|
|delete wiki|?|
|rename wiki branch|?|
|push mirror edit|?|
|mde: new table|e2e present, selectors adjusted|
|mde: new link|e2e present, selectors adjusted|
|actions: add secret|?|
|actions: edit variable|?|

Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10287
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
---
 templates/admin/repo/unadopted.tmpl           |  60 ++--
 templates/admin/user/edit.tmpl                |  33 +-
 templates/package/settings.tmpl               |  18 +-
 templates/projects/view.tmpl                  | 117 ++++---
 templates/repo/commit_header.tmpl             |  55 +--
 templates/repo/header_fork.tmpl               |  32 +-
 .../issue/view_content/sidebar/actions.tmpl   |  90 ++---
 .../view_content/sidebar/pull_reviewers.tmpl  |  34 +-
 templates/repo/migrate/migrating.tmpl         |  77 ++--
 templates/repo/settings/lfs.tmpl              |  18 +-
 templates/repo/settings/options.tmpl          | 328 +++++++++---------
 .../repo/settings/push_mirror_sync_modal.tmpl |  48 +--
 templates/shared/combomarkdowneditor.tmpl     |  82 ++---
 templates/shared/secrets/add_list.tmpl        | 118 +++----
 templates/shared/variables/variable_list.tmpl |  61 ++--
 tests/e2e/admin-ui.test.e2e.ts                |  26 ++
 tests/e2e/clipboard-copy.test.e2e.ts          |  16 +-
 tests/e2e/issue-comment-dropzone.test.e2e.ts  |   6 +-
 tests/e2e/issue-sidebar.test.e2e.ts           |   7 +-
 tests/e2e/markdown-editor.test.e2e.ts         |  14 +-
 tests/e2e/modal.test.e2e.ts                   |  24 --
 tests/e2e/repo-code.test.e2e.ts               |  12 +-
 tests/e2e/runner-management.test.e2e.ts       |  47 ++-
 tests/integration/repo_archive_text_test.go   |   2 +-
 web_src/js/features/common-global.js          |  48 +--
 .../js/features/comp/ComboMarkdownEditor.js   |  38 +-
 web_src/js/features/repo-legacy.js            |   4 +-
 web_src/js/features/show-modal.ts             |  54 +++
 web_src/js/modules/modal.ts                   |  13 +-
 web_src/js/types.d.ts                         |   6 +
 30 files changed, 777 insertions(+), 711 deletions(-)
 create mode 100644 web_src/js/features/show-modal.ts

diff --git a/templates/admin/repo/unadopted.tmpl b/templates/admin/repo/unadopted.tmpl
index d7e57c7c14..bc74f24a58 100644
--- a/templates/admin/repo/unadopted.tmpl
+++ b/templates/admin/repo/unadopted.tmpl
@@ -24,37 +24,37 @@
 								<span class="tw-flex-1"> {{svg "octicon-file-directory-fill"}} {{$dir}}</span>
 								<div>
 									<button class="ui button primary show-modal tw-p-2" data-modal="#adopt-unadopted-modal-{{$dirI}}">{{svg "octicon-plus"}} {{ctx.Locale.Tr "repo.adopt_preexisting_label"}}</button>
-									<div class="ui g-modal-confirm modal" id="adopt-unadopted-modal-{{$dirI}}">
-										<div class="header">
-											<span class="label">{{ctx.Locale.Tr "repo.adopt_preexisting"}}</span>
-										</div>
-										<div class="content">
-											<p>{{ctx.Locale.Tr "repo.adopt_preexisting_content" $dir}}</p>
-										</div>
-										<form class="ui form" method="post" action="{{AppSubUrl}}/admin/repos/unadopted">
-											<input type="hidden" name="id" value="{{$dir}}">
-											<input type="hidden" name="action" value="adopt">
-											<input type="hidden" name="q" value="{{$.Keyword}}">
-											<input type="hidden" name="page" value="{{$.CurrentPage}}">
-											{{template "base/modal_actions_confirm"}}
-										</form>
-									</div>
+									<dialog id="adopt-unadopted-modal-{{$dirI}}">
+										<article>
+											<header>{{ctx.Locale.Tr "repo.adopt_preexisting"}}</header>
+											<div class="content">
+												<p>{{ctx.Locale.Tr "repo.adopt_preexisting_content" $dir}}</p>
+											</div>
+											<form class="ui form" method="post" action="{{AppSubUrl}}/admin/repos/unadopted">
+												<input type="hidden" name="id" value="{{$dir}}">
+												<input type="hidden" name="action" value="adopt">
+												<input type="hidden" name="q" value="{{$.Keyword}}">
+												<input type="hidden" name="page" value="{{$.CurrentPage}}">
+												{{template "base/modal_actions_confirm"}}
+											</form>
+										</article>
+									</dialog>
 									<button class="ui button red show-modal tw-p-2" data-modal="#delete-unadopted-modal-{{$dirI}}">{{svg "octicon-x"}} {{ctx.Locale.Tr "repo.delete_preexisting_label"}}</button>
-									<div class="ui g-modal-confirm modal" id="delete-unadopted-modal-{{$dirI}}">
-										<div class="header">
-											<span class="label">{{ctx.Locale.Tr "repo.delete_preexisting"}}</span>
-										</div>
-										<div class="content">
-											<p>{{ctx.Locale.Tr "repo.delete_preexisting_content" $dir}}</p>
-										</div>
-										<form class="ui form" method="post" action="{{AppSubUrl}}/admin/repos/unadopted">
-											<input type="hidden" name="id" value="{{$dir}}">
-											<input type="hidden" name="action" value="delete">
-											<input type="hidden" name="q" value="{{$.Keyword}}">
-											<input type="hidden" name="page" value="{{$.CurrentPage}}">
-											{{template "base/modal_actions_confirm"}}
-										</form>
-									</div>
+									<dialog id="delete-unadopted-modal-{{$dirI}}">
+										<article>
+											<header>{{ctx.Locale.Tr "repo.delete_preexisting"}}</header>
+											<div class="content">
+												<p>{{ctx.Locale.Tr "repo.delete_preexisting_content" $dir}}</p>
+											</div>
+											<form class="ui form" method="post" action="{{AppSubUrl}}/admin/repos/unadopted">
+												<input type="hidden" name="id" value="{{$dir}}">
+												<input type="hidden" name="action" value="delete">
+												<input type="hidden" name="q" value="{{$.Keyword}}">
+												<input type="hidden" name="page" value="{{$.CurrentPage}}">
+												{{template "base/modal_actions_confirm"}}
+											</form>
+										</article>
+									</dialog>
 								</div>
 							</div>
 						{{end}}
diff --git a/templates/admin/user/edit.tmpl b/templates/admin/user/edit.tmpl
index 1d29a991cd..f18317e694 100644
--- a/templates/admin/user/edit.tmpl
+++ b/templates/admin/user/edit.tmpl
@@ -224,24 +224,23 @@
 		</div>
 	</div>
 
-<div class="ui g-modal-confirm delete modal" id="delete-user-modal">
-	<div class="header">
-		{{svg "octicon-trash"}}
-		{{ctx.Locale.Tr "settings.delete_account_title"}}
-	</div>
-	<form class="ui form" method="post" action="./delete">
-		<div class="content">
-			<p>{{ctx.Locale.Tr "settings.delete_account_desc"}}</p>
-			<div class="field">
-				<div class="ui checkbox">
-					<label for="purge">{{ctx.Locale.Tr "admin.users.purge"}}</label>
-					<input name="purge" type="checkbox">
+<dialog id="delete-user-modal">
+	<article>
+		<header>{{svg "octicon-trash"}} {{ctx.Locale.Tr "settings.delete_account_title"}}</header>
+		<form class="ui form" method="post" action="./delete">
+			<div class="content">
+				<p>{{ctx.Locale.Tr "settings.delete_account_desc"}}</p>
+				<div class="field">
+					<div class="ui checkbox">
+						<label for="purge">{{ctx.Locale.Tr "admin.users.purge"}}</label>
+						<input name="purge" type="checkbox">
+					</div>
+					<p class="help">{{ctx.Locale.Tr "admin.users.purge_help"}}</p>
 				</div>
-				<p class="help">{{ctx.Locale.Tr "admin.users.purge_help"}}</p>
 			</div>
-		</div>
-		{{template "base/modal_actions_confirm" .}}
-	</form>
-</div>
+			{{template "base/modal_actions_confirm" .}}
+		</form>
+	</article>
+</dialog>
 
 {{template "admin/layout_footer" .}}
diff --git a/templates/package/settings.tmpl b/templates/package/settings.tmpl
index 515eddd85b..b60bb08d1e 100644
--- a/templates/package/settings.tmpl
+++ b/templates/package/settings.tmpl
@@ -53,20 +53,20 @@
 					<div class="flex-item-trailing">
 						<button class="ui basic red show-modal button" data-modal="#delete-package-modal">{{ctx.Locale.Tr "packages.settings.delete"}}</button>
 					</div>
-					<div class="ui tiny modal" id="delete-package-modal">
-						<div class="header">
-							{{ctx.Locale.Tr "packages.settings.delete"}}
-						</div>
-						<div class="content">
-							<div class="ui warning message tw-break-anywhere">
-								{{ctx.Locale.Tr "packages.settings.delete.notice" .PackageDescriptor.Package.Name .PackageDescriptor.Version.Version}}
+					<dialog id="delete-package-modal">
+						<article>
+							<header>{{ctx.Locale.Tr "packages.settings.delete"}}</header>
+							<div class="content">
+								<div class="ui warning message tw-break-anywhere">
+									{{ctx.Locale.Tr "packages.settings.delete.notice" .PackageDescriptor.Package.Name .PackageDescriptor.Version.Version}}
+								</div>
 							</div>
 							<form class="ui form" action="{{.Link}}" method="post">
 								<input type="hidden" name="action" value="delete">
 								{{template "base/modal_actions_confirm" .}}
 							</form>
-						</div>
-					</div>
+						</article>
+					</dialog>
 				</div>
 			</div>
 		</div>
diff --git a/templates/projects/view.tmpl b/templates/projects/view.tmpl
index 64def9cbca..3f7c91b35d 100644
--- a/templates/projects/view.tmpl
+++ b/templates/projects/view.tmpl
@@ -29,32 +29,31 @@
 					{{ctx.Locale.Tr "new_project_column"}}
 				</button>
 			</div>
-			<div class="ui small modal new-project-column-modal" id="new-project-column-item">
-				<div class="header">
-					{{ctx.Locale.Tr "repo.projects.column.new"}}
-				</div>
-				<div class="content">
+			<dialog id="new-project-column-item">
+				<article>
+					<header>{{ctx.Locale.Tr "repo.projects.column.new"}}</header>
 					<form class="ui form">
-						<div class="required field">
-							<label for="new_project_column">{{ctx.Locale.Tr "repo.projects.column.new_title"}}</label>
-							<input class="new-project-column" id="new_project_column" name="title" required>
-						</div>
+						<div class="content">
+							<div class="required field">
+								<label for="new_project_column">{{ctx.Locale.Tr "repo.projects.column.new_title"}}</label>
+								<input class="new-project-column" id="new_project_column" name="title" required>
+							</div>
 
-						<div class="field color-field">
-							<label for="new_project_column_color_picker">{{ctx.Locale.Tr "repo.projects.column.color"}}</label>
-							<div class="js-color-picker-input column">
-								<input maxlength="7" placeholder="#c320f6" id="new_project_column_color_picker" name="color">
-								{{template "repo/issue/label_precolors"}}
+							<div class="field color-field">
+								<label for="new_project_column_color_picker">{{ctx.Locale.Tr "repo.projects.column.color"}}</label>
+								<div class="js-color-picker-input column">
+									<input maxlength="7" placeholder="#c320f6" id="new_project_column_color_picker" name="color">
+									{{template "repo/issue/label_precolors"}}
+								</div>
 							</div>
 						</div>
-
-						<div class="text right actions">
-							<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+						<div class="actions">
+							<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
 							<button data-url="{{$.Link}}" class="ui primary button" id="new_project_column_submit">{{ctx.Locale.Tr "repo.projects.column.new_submit"}}</button>
 						</div>
 					</form>
-				</div>
-			</div>
+				</article>
+			</dialog>
 		{{end}}
 	</div>
 
@@ -101,54 +100,54 @@
 									</a>
 								{{end}}
 
-								<div class="ui small modal edit-project-column-modal" id="edit-project-column-modal-{{.ID}}">
-									<div class="header">
-										{{ctx.Locale.Tr "repo.projects.column.edit"}}
-									</div>
-									<div class="content">
+								<dialog class="edit-project-column-modal" id="edit-project-column-modal-{{.ID}}">
+									<article>
+										<header>{{ctx.Locale.Tr "repo.projects.column.edit"}}</header>
 										<form class="ui form">
-											<div class="required field">
-												<label for="new_project_column_title">{{ctx.Locale.Tr "repo.projects.column.edit_title"}}</label>
-												<input class="project-column-title-input" id="new_project_column_title" name="title" value="{{.Title}}" required>
-											</div>
-
-											<div class="field color-field">
-												<label for="new_project_column_color">{{ctx.Locale.Tr "repo.projects.column.color"}}</label>
-												<div class="js-color-picker-input column">
-													<input maxlength="7" placeholder="#c320f6" id="new_project_column_color" name="color" value="{{.Color}}">
-													{{template "repo/issue/label_precolors"}}
+											<div class="content">
+												<div class="required field">
+													<label for="new_project_column_title">{{ctx.Locale.Tr "repo.projects.column.edit_title"}}</label>
+													<input class="project-column-title-input" id="new_project_column_title" name="title" value="{{.Title}}" required>
 												</div>
-											</div>
 
-											<div class="text right actions">
-												<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+												<div class="field color-field">
+													<label for="new_project_column_color">{{ctx.Locale.Tr "repo.projects.column.color"}}</label>
+													<div class="js-color-picker-input column">
+														<input maxlength="7" placeholder="#c320f6" id="new_project_column_color" name="color" value="{{.Color}}">
+														{{template "repo/issue/label_precolors"}}
+													</div>
+												</div>
+
+											</div>
+											<div class="actions">
+												<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
 												<button data-url="{{$.Link}}/{{.ID}}" class="ui primary button edit-project-column-button">{{ctx.Locale.Tr "repo.projects.column.edit"}}</button>
 											</div>
 										</form>
-									</div>
-								</div>
+									</article>
+								</dialog>
 
-								<div class="ui g-modal-confirm modal default-project-column-modal" id="default-project-column-modal-{{.ID}}">
-									<div class="header">
-										<span id="default-project-column-header"></span>
-									</div>
-									<div class="content">
-										<label id="default-project-column-content"></label>
-									</div>
-									{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
-								</div>
+								<dialog class="default-project-column-modal" id="default-project-column-modal-{{.ID}}">
+									<article>
+										<header><span id="default-project-column-header"></span></header>
+										<div class="content">
+											<label id="default-project-column-content"></label>
+										</div>
+										{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
+									</article>
+								</dialog>
 
-								<div class="ui g-modal-confirm modal" id="delete-project-column-modal-{{.ID}}">
-									<div class="header">
-										{{ctx.Locale.Tr "repo.projects.column.delete"}}
-									</div>
-									<div class="content">
-										<label>
-											{{ctx.Locale.Tr "repo.projects.column.deletion_desc"}}
-										</label>
-									</div>
-									{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
-								</div>
+								<dialog id="delete-project-column-modal-{{.ID}}">
+									<article>
+										<header>{{ctx.Locale.Tr "repo.projects.column.delete"}}</header>
+										<div class="content">
+											<label>
+												{{ctx.Locale.Tr "repo.projects.column.deletion_desc"}}
+											</label>
+										</div>
+										{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
+									</article>
+								</dialog>
 							</div>
 						</div>
 					{{end}}
diff --git a/templates/repo/commit_header.tmpl b/templates/repo/commit_header.tmpl
index dacbf43b59..3ccdebc5f1 100644
--- a/templates/repo/commit_header.tmpl
+++ b/templates/repo/commit_header.tmpl
@@ -55,25 +55,28 @@
 								data-modal-cherry-pick-header="{{ctx.Locale.Tr "repo.commit.cherry-pick-header" (ShortSha .CommitID)}}"
 								data-modal-cherry-pick-content="{{ctx.Locale.Tr "repo.commit.cherry-pick-content"}}"
 								data-modal-cherry-pick-submit="{{ctx.Locale.Tr "repo.commit.cherry-pick"}}">{{ctx.Locale.Tr "repo.commit.cherry-pick"}}</div>
-							<div class="ui g-modal-confirm modal" id="cherry-pick-modal">
-								<div class="header">
-									<span id="cherry-pick-header"></span>
-								</div>
-								<div class="content">
-									<p id="cherry-pick-content" class="branch-dropdown"></p>
-									{{template "repo/branch_dropdown" dict "root" .
-										"noTag" true "disableCreateBranch" true
-										"branchForm" "branch-dropdown-form"
-										"branchURLPrefix" (printf "%s/_cherrypick/%s/" $.RepoLink .CommitID) "branchURLSuffix" ""
-										"setAction" true "submitForm" true}}
+							<dialog id="cherry-pick-modal">
+								<article>
+									<header><span id="cherry-pick-header"></span></header>
+									<div class="content">
+										<p id="cherry-pick-content" class="branch-dropdown"></p>
+										{{template "repo/branch_dropdown" dict "root" .
+											"noTag" true "disableCreateBranch" true
+											"branchForm" "branch-dropdown-form"
+											"branchURLPrefix" (printf "%s/_cherrypick/%s/" $.RepoLink .CommitID) "branchURLSuffix" ""
+											"setAction" true "submitForm" true}}
+									</div>
 									<form method="get" action="{{$.RepoLink}}/_cherrypick/{{.CommitID}}/{{PathEscapeSegments $.Repository.DefaultBranch}}" id="branch-dropdown-form">
 										<input type="hidden" name="ref" value="{{$.Repository.DefaultBranch}}">
 										<input type="hidden" name="refType" value="branch">
 										<input type="hidden" id="cherry-pick-type" name="cherry-pick-type"><br>
-										<button type="submit" id="cherry-pick-submit" class="ui primary button"></button>
+										<div class="actions">
+											<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+											<button type="submit" id="cherry-pick-submit" class="ui primary button"></button>
+										</div>
 									</form>
-								</div>
-							</div>
+								</article>
+							</dialog>
 							<dialog id="create-branch-modal">
 								<article>
 									<header>{{ctx.Locale.Tr "repo.branch.new_branch"}}</header>
@@ -284,20 +287,20 @@
 				<button id="commit-notes-edit-button" class="ui tiny primary button tw-py-[6px] tw-px-[10px]">{{ctx.Locale.Tr "edit"}}</button>
 				<button class="ui tiny button red show-modal tw-py-[6px] tw-px-[10px]" data-modal="#delete-note-modal">{{ctx.Locale.Tr "remove"}}</button>
 			</div>
-			<div class="ui small modal" id="delete-note-modal">
-				<div class="header">
-					{{ctx.Locale.Tr "repo.diff.git-notes.remove-header"}}
-				</div>
-				<div class="content">
-					<p>{{ctx.Locale.Tr "repo.diff.git-notes.remove-body"}}</p>
-					<div class="text right actions">
-						<form action="{{.Link}}/notes/remove" method="post">
+			<dialog id="delete-note-modal">
+				<article>
+					<header>{{ctx.Locale.Tr "repo.diff.git-notes.remove-header"}}</header>
+					<div class="content">
+						<p>{{ctx.Locale.Tr "repo.diff.git-notes.remove-body"}}</p>
+					</div>
+					<form action="{{.Link}}/notes/remove" method="post">
+						<div class="text right actions">
 							<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
 							<button type="submit" class="ui red button">{{ctx.Locale.Tr "remove"}}</button>
-						</form>
-					</div>
-				</div>
-			</div>
+						</div>
+					</form>
+				</article>
+			</dialog>
 		{{end}}
 	</div>
 	<div id="commit-notes-display-area" class="ui bottom attached info segment git-notes">
diff --git a/templates/repo/header_fork.tmpl b/templates/repo/header_fork.tmpl
index 0001be1025..95df5f4227 100644
--- a/templates/repo/header_fork.tmpl
+++ b/templates/repo/header_fork.tmpl
@@ -26,24 +26,24 @@
 		>
 			{{svg "octicon-repo-forked"}}<span class="text not-mobile">{{ctx.Locale.Tr "repo.fork"}}</span>
 		</a>
-		<div class="ui small modal" id="fork-repo-modal">
-			<div class="header">
-				{{ctx.Locale.Tr "repo.already_forked" .Name}}
-			</div>
-			<div class="content tw-text-left">
-				<div class="ui list">
-					{{range $.UserAndOrgForks}}
-						<div class="ui item tw-py-2">
-							<a href="{{.Link}}">{{svg "octicon-repo-forked" 16 "tw-mr-2"}}{{.FullName}}</a>
-						</div>
+		<dialog id="fork-repo-modal">
+			<article>
+				<header>{{ctx.Locale.Tr "repo.already_forked" .Name}}</header>
+				<div class="content tw-text-left">
+					<div class="ui list">
+						{{range $.UserAndOrgForks}}
+							<div class="ui item tw-py-2">
+								<a href="{{.Link}}">{{svg "octicon-repo-forked" 16 "tw-mr-2"}}{{.FullName}}</a>
+							</div>
+						{{end}}
+					</div>
+					{{if $.CanSignedUserFork}}
+					<div class="divider"></div>
+					<a href="{{$.RepoLink}}/fork">{{ctx.Locale.Tr "repo.fork_to_different_account"}}</a>
 					{{end}}
 				</div>
-				{{if $.CanSignedUserFork}}
-				<div class="divider"></div>
-				<a href="{{$.RepoLink}}/fork">{{ctx.Locale.Tr "repo.fork_to_different_account"}}</a>
-				{{end}}
-			</div>
-		</div>
+			</article>
+		</dialog>
 		<a class="ui basic label" href="{{.Link}}/forks"
 			aria-label="{{ctx.Locale.TrPluralString .NumForks "fork.n_forks" (printf "%d" .NumForks)}}"
 			>
diff --git a/templates/repo/issue/view_content/sidebar/actions.tmpl b/templates/repo/issue/view_content/sidebar/actions.tmpl
index d9fda9b296..0147e10193 100644
--- a/templates/repo/issue/view_content/sidebar/actions.tmpl
+++ b/templates/repo/issue/view_content/sidebar/actions.tmpl
@@ -21,32 +21,32 @@
 		{{ctx.Locale.Tr "repo.issues.lock"}}
 	{{end}}
 </button>
-<div class="ui tiny modal" id="lock">
-	<div class="header">
-		{{if .Issue.IsLocked}}
-			{{ctx.Locale.Tr "repo.issues.unlock.title"}}
-		{{else}}
-			{{ctx.Locale.Tr "repo.issues.lock.title"}}
-		{{end}}
-	</div>
-	<div class="content">
-		<div class="ui warning message">
+<dialog class="tw-overflow-visible" id="lock">
+	<article>
+		<header>
 			{{if .Issue.IsLocked}}
-				{{ctx.Locale.Tr "repo.issues.unlock.notice_1"}}<br>
-				{{ctx.Locale.Tr "repo.issues.unlock.notice_2"}}<br>
+				{{ctx.Locale.Tr "repo.issues.unlock.title"}}
 			{{else}}
-				{{ctx.Locale.Tr "repo.issues.lock.notice_1"}}<br>
-				{{ctx.Locale.Tr "repo.issues.lock.notice_2"}}<br>
-				{{ctx.Locale.Tr "repo.issues.lock.notice_3"}}<br>
+				{{ctx.Locale.Tr "repo.issues.lock.title"}}
 			{{end}}
+		</header>
+		<div class="content">
+			<div class="ui warning message">
+				{{if .Issue.IsLocked}}
+					{{ctx.Locale.Tr "repo.issues.unlock.notice_1"}}<br>
+					{{ctx.Locale.Tr "repo.issues.unlock.notice_2"}}<br>
+				{{else}}
+					{{ctx.Locale.Tr "repo.issues.lock.notice_1"}}<br>
+					{{ctx.Locale.Tr "repo.issues.lock.notice_2"}}<br>
+					{{ctx.Locale.Tr "repo.issues.lock.notice_3"}}<br>
+				{{end}}
+			</div>
 		</div>
-
-		<form class="ui form form-fetch-action" action="{{.Issue.Link}}{{if .Issue.IsLocked}}/unlock{{else}}/lock{{end}}"
-			method="post">
-
+		<form class="ui form form-fetch-action" action="{{.Issue.Link}}{{if .Issue.IsLocked}}/unlock{{else}}/lock{{end}}" method="post">
+			<div class="content">
 			{{if not .Issue.IsLocked}}
 				<div class="field">
-					<strong> {{ctx.Locale.Tr "repo.issues.lock.reason"}} </strong>
+					<strong>{{ctx.Locale.Tr "repo.issues.lock.reason"}}</strong>
 				</div>
 
 				<div class="field">
@@ -70,10 +70,10 @@
 					</div>
 				</div>
 			{{end}}
-
-			<div class="text right actions">
-				<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-				<button class="ui red button">
+			</div>
+			<div class="actions">
+				<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+				<button type="submit" class="ui red button">
 					{{if .Issue.IsLocked}}
 						{{ctx.Locale.Tr "repo.issues.unlock_confirm"}}
 					{{else}}
@@ -82,30 +82,32 @@
 				</button>
 			</div>
 		</form>
-	</div>
-</div>
+	</article>
+</dialog>
 <button class="tw-mt-1 fluid ui show-modal button" data-modal="#sidebar-delete-issue">
 	{{svg "octicon-trash"}}
 	{{ctx.Locale.Tr "repo.issues.delete"}}
 </button>
-<div class="ui g-modal-confirm modal" id="sidebar-delete-issue">
-	<div class="header">
-		{{if .Issue.IsPull}}
-			{{ctx.Locale.Tr "repo.pulls.delete.title"}}
-		{{else}}
-			{{ctx.Locale.Tr "repo.issues.delete.title"}}
-		{{end}}
-	</div>
-	<div class="content">
-		<p>
+<dialog id="sidebar-delete-issue">
+	<article>
+		<header>
 			{{if .Issue.IsPull}}
-				{{ctx.Locale.Tr "repo.pulls.delete.text"}}
+				{{ctx.Locale.Tr "repo.pulls.delete.title"}}
 			{{else}}
-				{{ctx.Locale.Tr "repo.issues.delete.text"}}
+				{{ctx.Locale.Tr "repo.issues.delete.title"}}
 			{{end}}
-		</p>
-	</div>
-	<form action="{{.Issue.Link}}/delete" method="post">
-		{{template "base/modal_actions_confirm" .}}
-	</form>
-</div>
+		</header>
+		<div class="content">
+			<p>
+				{{if .Issue.IsPull}}
+					{{ctx.Locale.Tr "repo.pulls.delete.text"}}
+				{{else}}
+					{{ctx.Locale.Tr "repo.issues.delete.text"}}
+				{{end}}
+			</p>
+		</div>
+		<form action="{{.Issue.Link}}/delete" method="post">
+			{{template "base/modal_actions_confirm" .}}
+		</form>
+	</article>
+</dialog>
diff --git a/templates/repo/issue/view_content/sidebar/pull_reviewers.tmpl b/templates/repo/issue/view_content/sidebar/pull_reviewers.tmpl
index c770c95ac1..9a633a32ed 100644
--- a/templates/repo/issue/view_content/sidebar/pull_reviewers.tmpl
+++ b/templates/repo/issue/view_content/sidebar/pull_reviewers.tmpl
@@ -15,27 +15,29 @@
 								<a href="#" class="ui muted icon tw-flex tw-items-center show-modal" data-tooltip-content="{{ctx.Locale.Tr "repo.issues.dismiss_review"}}" data-modal="#dismiss-review-modal-{{.Review.ID}}">
 									{{svg "octicon-x" 20}}
 								</a>
-								<div class="ui small modal" id="dismiss-review-modal-{{.Review.ID}}">
-									<div class="header">
-										{{ctx.Locale.Tr "repo.issues.dismiss_review"}}
-									</div>
-									<div class="content">
-										<div class="ui warning message">
-											{{ctx.Locale.Tr "repo.issues.dismiss_review_warning"}}
+								<dialog id="dismiss-review-modal-{{.Review.ID}}">
+									<article>
+										<header>{{ctx.Locale.Tr "repo.issues.dismiss_review"}}</header>
+										<div class="content">
+											<div class="ui warning message">
+												{{ctx.Locale.Tr "repo.issues.dismiss_review_warning"}}
+											</div>
 										</div>
 										<form class="ui form dismiss-review-form" id="dismiss-review-{{.Review.ID}}" action="{{$.RepoLink}}/issues/dismiss_review" method="post">
-											<input type="hidden" name="review_id" value="{{.Review.ID}}">
-											<div class="field">
-												<label for="message">{{ctx.Locale.Tr "action.review_dismissed_reason"}}</label>
-												<input id="message" name="message">
+											<div class="content">
+												<input type="hidden" name="review_id" value="{{.Review.ID}}">
+												<div class="field">
+													<label for="message">{{ctx.Locale.Tr "action.review_dismissed_reason"}}</label>
+													<input id="message" name="message">
+												</div>
 											</div>
-											<div class="text right actions">
-												<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-												<button class="ui red button" type="submit">{{ctx.Locale.Tr "ok"}}</button>
+											<div class="actions">
+												<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+												<button type="submit" class="ui red button">{{ctx.Locale.Tr "ok"}}</button>
 											</div>
 										</form>
-									</div>
-								</div>
+									</article>
+								</dialog>
 							{{end}}
 							{{if .Review.Stale}}
 								<span data-tooltip-content="{{ctx.Locale.Tr "repo.issues.is_stale"}}">
diff --git a/templates/repo/migrate/migrating.tmpl b/templates/repo/migrate/migrating.tmpl
index 6b2db26aaf..baac203cb8 100644
--- a/templates/repo/migrate/migrating.tmpl
+++ b/templates/repo/migrate/migrating.tmpl
@@ -51,49 +51,50 @@
 	</div>
 </div>
 
-<div class="ui small modal" id="delete-repo-modal">
-	<div class="header">
-		{{ctx.Locale.Tr "repo.settings.delete"}}
-	</div>
-	<div class="content">
-		<div class="ui warning message">
-			{{ctx.Locale.Tr "repo.settings.delete_notices_1"}}<br>
-			{{ctx.Locale.Tr "repo.settings.delete_notices_2" .Repository.FullName}}
-			{{if .Repository.NumForks}}<br>
-			{{ctx.Locale.Tr "repo.settings.delete_notices_fork_1"}}
-			{{end}}
+<dialog id="delete-repo-modal">
+	<article>
+		<header>{{ctx.Locale.Tr "repo.settings.delete"}}</header>
+		<div class="content">
+			<div class="ui warning message">
+				{{ctx.Locale.Tr "repo.settings.delete_notices_1"}}<br>
+				{{ctx.Locale.Tr "repo.settings.delete_notices_2" .Repository.FullName}}
+				{{if .Repository.NumForks}}<br>
+				{{ctx.Locale.Tr "repo.settings.delete_notices_fork_1"}}
+				{{end}}
+			</div>
 		</div>
 		<form class="ui form" action="{{.Link}}/settings" method="post">
-			<input type="hidden" name="action" value="delete">
-			<div class="field">
-				<label>
-					{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
-					<span class="text red">{{.Repository.FullName}}</span>
-				</label>
+			<div class="content">
+				<input type="hidden" name="action" value="delete">
+				<div class="field">
+					<label>
+						{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
+						<span class="text red">{{.Repository.FullName}}</span>
+					</label>
+				</div>
+				<div class="required field">
+					<label for="repo_name_to_delete">{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
+					<input id="repo_name_to_delete" name="repo_name" required>
+				</div>
 			</div>
-			<div class="required field">
-				<label for="repo_name_to_delete">{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-				<input id="repo_name_to_delete" name="repo_name" required>
-			</div>
-
-			<div class="text right actions">
-				<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-				<button class="ui red button">{{ctx.Locale.Tr "repo.settings.confirm_delete"}}</button>
+			<div class="actions">
+				<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+				<button type="submit" class="ui red button">{{ctx.Locale.Tr "repo.settings.confirm_delete"}}</button>
 			</div>
 		</form>
-	</div>
-</div>
+	</article>
+</dialog>
 
-<div class="ui g-modal-confirm modal" id="cancel-repo-modal">
-	<div class="header">
-		{{ctx.Locale.Tr "migrate.cancel.title"}}
-	</div>
-	<form action="{{.Link}}/settings/migrate/cancel" method="post">
-		<div class="content">
-			{{ctx.Locale.Tr "migrate.cancel.confirmation"}}
-		</div>
-		{{template "base/modal_actions_confirm" .}}
-	</form>
-</div>
+<dialog id="cancel-repo-modal">
+	<article>
+		<header>{{ctx.Locale.Tr "migrate.cancel.title"}}</header>
+		<form action="{{.Link}}/settings/migrate/cancel" method="post">
+			<div class="content">
+				{{ctx.Locale.Tr "migrate.cancel.confirmation"}}
+			</div>
+			{{template "base/modal_actions_confirm" .}}
+		</form>
+	</article>
+</dialog>
 
 {{template "base/footer" .}}
diff --git a/templates/repo/settings/lfs.tmpl b/templates/repo/settings/lfs.tmpl
index 2d17e29848..a004685c60 100644
--- a/templates/repo/settings/lfs.tmpl
+++ b/templates/repo/settings/lfs.tmpl
@@ -34,19 +34,17 @@
 		</table>
 		{{template "base/paginate" .}}
 		{{range .LFSFiles}}
-			<div class="ui g-modal-confirm modal" id="delete-{{.Oid}}">
-				<div class="header">
-					{{ctx.Locale.Tr "repo.settings.lfs_delete" .Oid}}
-				</div>
-				<div class="content">
-					<p>
-						{{ctx.Locale.Tr "repo.settings.lfs_delete_warning"}}
-					</p>
+			<dialog id="delete-{{.Oid}}">
+				<article>
+					<header>{{ctx.Locale.Tr "repo.settings.lfs_delete" .Oid}}</header>
+					<div class="content">
+						<p>{{ctx.Locale.Tr "repo.settings.lfs_delete_warning"}}</p>
+					</div>
 					<form class="ui form" action="{{$.Link}}/delete/{{.Oid}}" method="post">
 						{{template "base/modal_actions_confirm"}}
 					</form>
-				</div>
-			</div>
+				</article>
+			</dialog>
 		{{end}}
 	</div>
 {{template "repo/settings/layout_footer" .}}
diff --git a/templates/repo/settings/options.tmpl b/templates/repo/settings/options.tmpl
index 137be0f334..ae7c7311db 100644
--- a/templates/repo/settings/options.tmpl
+++ b/templates/repo/settings/options.tmpl
@@ -559,46 +559,80 @@
 
 {{if .Permission.IsOwner}}
 	{{if .Repository.IsMirror}}
-		<div class="ui small modal" id="convert-mirror-repo-modal">
-			<div class="header">
-				{{ctx.Locale.Tr "repo.settings.convert"}}
-			</div>
-			<div class="content">
-				<div class="ui warning message">
-					{{ctx.Locale.Tr "repo.settings.convert_notices_1"}}
+		<dialog id="convert-mirror-repo-modal">
+			<article>
+				<header>{{ctx.Locale.Tr "repo.settings.convert"}}</header>
+				<div class="content">
+					<div class="ui warning message">
+						{{ctx.Locale.Tr "repo.settings.convert_notices_1"}}
+					</div>
 				</div>
 				<form class="ui form" action="{{.Link}}" method="post">
-					<input type="hidden" name="action" value="convert">
-					<div class="field">
-						<label>
-							{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
-							<span class="text red">{{.Repository.FullName}}</span>
-						</label>
+					<div class="content">
+						<input type="hidden" name="action" value="convert">
+						<div class="field">
+							<label>
+								{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
+								<span class="text red">{{.Repository.FullName}}</span>
+							</label>
+						</div>
+						<div class="required field">
+							<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
+							<input name="repo_name" required maxlength="100">
+						</div>
 					</div>
-					<div class="required field">
-						<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-						<input name="repo_name" required maxlength="100">
-					</div>
-
-					<div class="text right actions">
-						<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-						<button class="ui red button">{{ctx.Locale.Tr "repo.settings.convert_confirm"}}</button>
+					<div class="actions">
+						<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+						<button type="submit" class="ui red button">{{ctx.Locale.Tr "repo.settings.convert_confirm"}}</button>
 					</div>
 				</form>
-			</div>
-		</div>
+			</article>
+		</dialog>
 	{{end}}
 	{{if and .Repository.IsFork .Repository.Owner.CanCreateRepo}}
-		<div class="ui small modal" id="convert-fork-repo-modal">
-			<div class="header">
-				{{ctx.Locale.Tr "repo.settings.convert_fork"}}
-			</div>
-			<div class="content">
-				<div class="ui warning message">
-					{{ctx.Locale.Tr "repo.settings.convert_fork_notices_1"}}
+		<dialog id="convert-fork-repo-modal">
+			<article>
+				<header>{{ctx.Locale.Tr "repo.settings.convert_fork"}}</header>
+				<div class="content">
+					<div class="ui warning message">
+						{{ctx.Locale.Tr "repo.settings.convert_fork_notices_1"}}
+					</div>
 				</div>
 				<form class="ui form" action="{{.Link}}" method="post">
-					<input type="hidden" name="action" value="convert_fork">
+					<div class="content">
+						<input type="hidden" name="action" value="convert_fork">
+						<div class="field">
+							<label>
+								{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
+								<span class="text red">{{.Repository.FullName}}</span>
+							</label>
+						</div>
+						<div class="required field">
+							<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
+							<input name="repo_name" required>
+						</div>
+					</div>
+					<div class="actions">
+						<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+						<button type="submit" class="ui red button">{{ctx.Locale.Tr "repo.settings.convert_fork_confirm"}}</button>
+					</div>
+				</form>
+			</article>
+		</dialog>
+	{{end}}
+	<dialog id="transfer-repo-modal">
+		<article>
+			<header>{{ctx.Locale.Tr "repo.settings.transfer.modal.title"}}</header>
+			<div class="content">
+				<div class="ui warning message">
+					{{ctx.Locale.Tr "repo.settings.transfer_notices_1"}} <br>
+					{{ctx.Locale.Tr "repo.settings.transfer_notices_2"}} <br>
+					{{ctx.Locale.Tr "repo.settings.transfer_notices_3"}}
+				</div>
+			</div>
+			<form class="ui form" action="{{.Link}}" method="post">
+				<div class="content">
+					<input type="hidden" name="action" value="transfer">
 					<div class="field">
 						<label>
 							{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
@@ -609,127 +643,66 @@
 						<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
 						<input name="repo_name" required>
 					</div>
-
-					<div class="text right actions">
-						<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-						<button class="ui red button">{{ctx.Locale.Tr "repo.settings.convert_fork_confirm"}}</button>
+					<div class="required field">
+						<label for="new_owner_name">{{ctx.Locale.Tr "repo.settings.transfer_owner"}}</label>
+						<input id="new_owner_name" name="new_owner_name" required>
 					</div>
-				</form>
-			</div>
-		</div>
-	{{end}}
-	<div class="ui small modal" id="transfer-repo-modal">
-		<div class="header">
-			{{ctx.Locale.Tr "repo.settings.transfer.modal.title"}}
-		</div>
-		<div class="content">
-			<div class="ui warning message">
-				{{ctx.Locale.Tr "repo.settings.transfer_notices_1"}} <br>
-				{{ctx.Locale.Tr "repo.settings.transfer_notices_2"}} <br>
-				{{ctx.Locale.Tr "repo.settings.transfer_notices_3"}}
-			</div>
-			<form class="ui form" action="{{.Link}}" method="post">
-				<input type="hidden" name="action" value="transfer">
-				<div class="field">
-					<label>
-						{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
-						<span class="text red">{{.Repository.FullName}}</span>
-					</label>
 				</div>
-				<div class="required field">
-					<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-					<input name="repo_name" required>
-				</div>
-				<div class="required field">
-					<label for="new_owner_name">{{ctx.Locale.Tr "repo.settings.transfer_owner"}}</label>
-					<input id="new_owner_name" name="new_owner_name" required>
-				</div>
-
-				<div class="text right actions">
-					<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-					<button class="ui red button">{{ctx.Locale.Tr "repo.settings.transfer_perform"}}</button>
+				<div class="actions">
+					<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+					<button type="submit" class="ui red button">{{ctx.Locale.Tr "repo.settings.transfer_perform"}}</button>
 				</div>
 			</form>
-		</div>
-	</div>
+		</article>
+	</dialog>
 
-	<div class="ui small modal" id="delete-repo-modal">
-		<div class="header">
-			{{ctx.Locale.Tr "repo.settings.delete"}}
-		</div>
-		<div class="content">
-			<div class="ui warning message">
-				{{ctx.Locale.Tr "repo.settings.delete_notices_1"}}<br>
-				{{ctx.Locale.Tr "repo.settings.delete_notices_2" .Repository.FullName}}
-				{{if .Repository.NumForks}}<br>
-				{{ctx.Locale.Tr "repo.settings.delete_notices_fork_1"}}
-				{{end}}
+	<dialog id="delete-repo-modal">
+		<article>
+			<header>{{ctx.Locale.Tr "repo.settings.delete"}}</header>
+			<div class="content">
+				<div class="ui warning message">
+					{{ctx.Locale.Tr "repo.settings.delete_notices_1"}}<br>
+					{{ctx.Locale.Tr "repo.settings.delete_notices_2" .Repository.FullName}}
+					{{if .Repository.NumForks}}<br>
+					{{ctx.Locale.Tr "repo.settings.delete_notices_fork_1"}}
+					{{end}}
+				</div>
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
-				<input type="hidden" name="action" value="delete">
-				<div class="field">
-					<label>
-						{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
-						<span class="text red">{{.Repository.FullName}}</span>
-					</label>
+				<div class="content">
+					<input type="hidden" name="action" value="delete">
+					<div class="field">
+						<label>
+							{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
+							<span class="text red">{{.Repository.FullName}}</span>
+						</label>
+					</div>
+					<div class="required field">
+						<label for="repo_name_to_delete">{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
+						<input id="repo_name_to_delete" name="repo_name" required>
+					</div>
 				</div>
-				<div class="required field">
-					<label for="repo_name_to_delete">{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-					<input id="repo_name_to_delete" name="repo_name" required>
-				</div>
-
-				<div class="text right actions">
-					<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-					<button class="ui red button">{{ctx.Locale.Tr "repo.settings.confirm_delete"}}</button>
+				<div class="actions">
+					<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+					<button type="submit" class="ui red button">{{ctx.Locale.Tr "repo.settings.confirm_delete"}}</button>
 				</div>
 			</form>
-		</div>
-	</div>
+		</article>
+	</dialog>
 
 	{{if .Repository.UnitEnabled $.Context $.UnitTypeWiki}}
-	<div class="ui small modal" id="delete-wiki-modal">
-		<div class="header">
-			{{ctx.Locale.Tr "repo.settings.wiki_delete"}}
-		</div>
-		<div class="content">
-			<div class="ui warning message">
-				{{ctx.Locale.Tr "repo.settings.delete_notices_1"}}<br>
-				{{ctx.Locale.Tr "repo.settings.wiki_delete_notices_1" .Repository.Name}}
-			</div>
-			<form class="ui form" action="{{.Link}}" method="post">
-				<input type="hidden" name="action" value="delete-wiki">
-				<div class="field">
-					<label>
-						{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
-						<span class="text red">{{.Repository.FullName}}</span>
-					</label>
-				</div>
-				<div class="required field">
-					<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-					<input name="repo_name" required>
-				</div>
-
-				<div class="text right actions">
-					<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-					<button class="ui red button">{{ctx.Locale.Tr "repo.settings.confirm_wiki_delete"}}</button>
-				</div>
-			</form>
-		</div>
-	</div>
-	{{if ne $.Repository.GetWikiBranchName .DefaultWikiBranchName}}
-		<div class="ui small modal" id="rename-wiki-branch-modal">
-			<div class="header">
-				{{ctx.Locale.Tr "repo.settings.wiki_rename_branch_main"}}
-			</div>
+	<dialog id="delete-wiki-modal">
+		<article>
+			<header>{{ctx.Locale.Tr "repo.settings.wiki_delete"}}</header>
 			<div class="content">
 				<div class="ui warning message">
-					<ul>
-						<li>{{ctx.Locale.Tr "repo.settings.wiki_rename_branch_main_notices_1"}}</li>
-						<li>{{ctx.Locale.Tr "repo.settings.wiki_rename_branch_main_notices_2" .Repository.Name}}</li>
-					</ul>
+					{{ctx.Locale.Tr "repo.settings.delete_notices_1"}}<br>
+					{{ctx.Locale.Tr "repo.settings.wiki_delete_notices_1" .Repository.Name}}
 				</div>
-				<form class="ui form" action="{{.Link}}" method="post">
-					<input type="hidden" name="action" value="rename-wiki-branch">
+			</div>
+			<form class="ui form" action="{{.Link}}" method="post">
+				<div class="content">
+					<input type="hidden" name="action" value="delete-wiki">
 					<div class="field">
 						<label>
 							{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
@@ -740,40 +713,75 @@
 						<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
 						<input name="repo_name" required>
 					</div>
-
-					<div class="text right actions">
-						<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-						<button class="ui red button">{{ctx.Locale.Tr "repo.settings.confirm_wiki_branch_rename"}}</button>
+				</div>
+				<div class="actions">
+					<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+					<button type="submit" class="ui red button">{{ctx.Locale.Tr "repo.settings.confirm_wiki_delete"}}</button>
+				</div>
+			</form>
+		</article>
+	</dialog>
+	{{if ne $.Repository.GetWikiBranchName .DefaultWikiBranchName}}
+		<dialog id="rename-wiki-branch-modal">
+			<article>
+				<header>{{ctx.Locale.Tr "repo.settings.wiki_rename_branch_main"}}</header>
+				<div class="content">
+					<div class="ui warning message">
+						<ul>
+							<li>{{ctx.Locale.Tr "repo.settings.wiki_rename_branch_main_notices_1"}}</li>
+							<li>{{ctx.Locale.Tr "repo.settings.wiki_rename_branch_main_notices_2" .Repository.Name}}</li>
+						</ul>
+					</div>
+				</div>
+				<form class="ui form" action="{{.Link}}" method="post">
+					<div class="content">
+						<input type="hidden" name="action" value="rename-wiki-branch">
+						<div class="field">
+							<label>
+								{{ctx.Locale.Tr "repo.settings.enter_repo_name"}}
+								<span class="text red">{{.Repository.FullName}}</span>
+							</label>
+						</div>
+						<div class="required field">
+							<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
+							<input name="repo_name" required>
+						</div>
+					</div>
+					<div class="actions">
+						<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+						<button type="submit" class="ui red button">{{ctx.Locale.Tr "repo.settings.confirm_wiki_branch_rename"}}</button>
 					</div>
 				</form>
-			</div>
-		</div>
+			</article>
+		</dialog>
 	{{end}}
 	{{end}}
 
 	{{if not .Repository.IsMirror}}
-		<div class="ui g-modal-confirm modal" id="archive-repo-modal">
-			<div class="header">
-				{{if .Repository.IsArchived}}
-					{{ctx.Locale.Tr "repo.settings.unarchive.header"}}
-				{{else}}
-					{{ctx.Locale.Tr "repo.settings.archive.header"}}
-				{{end}}
-			</div>
-			<div class="content">
-				<div class="ui warning message">
+		<dialog id="archive-repo-modal">
+			<article>
+				<header>
 					{{if .Repository.IsArchived}}
-						{{ctx.Locale.Tr "repo.settings.unarchive.text"}}
+						{{ctx.Locale.Tr "repo.settings.unarchive.header"}}
 					{{else}}
-						{{ctx.Locale.Tr "repo.settings.archive.text"}}
+						{{ctx.Locale.Tr "repo.settings.archive.header"}}
 					{{end}}
+				</header>
+				<div class="content">
+					<div class="ui warning message">
+						{{if .Repository.IsArchived}}
+							{{ctx.Locale.Tr "repo.settings.unarchive.text"}}
+						{{else}}
+							{{ctx.Locale.Tr "repo.settings.archive.text"}}
+						{{end}}
+					</div>
 				</div>
 				<form action="{{.Link}}" method="post">
 					<input type="hidden" name="action" value="{{if .Repository.IsArchived}}unarchive{{else}}archive{{end}}">
 					<input type="hidden" name="repo_id" value="{{.Repository.ID}}">
 					<div class="text right actions">
-						<button class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
-						<button class="ui red button">
+						<button type="button" class="ui cancel button">{{ctx.Locale.Tr "settings.cancel"}}</button>
+						<button type="submit" class="ui red button">
 							{{if .Repository.IsArchived}}
 								{{ctx.Locale.Tr "repo.settings.unarchive.button"}}
 							{{else}}
@@ -781,9 +789,9 @@
 							{{end}}
 						</button>
 					</div>
-			</form>
-			</div>
-		</div>
+				</form>
+			</article>
+		</dialog>
 	{{end}}
 {{end}}
 
diff --git a/templates/repo/settings/push_mirror_sync_modal.tmpl b/templates/repo/settings/push_mirror_sync_modal.tmpl
index 441bed1abc..64e8440fff 100644
--- a/templates/repo/settings/push_mirror_sync_modal.tmpl
+++ b/templates/repo/settings/push_mirror_sync_modal.tmpl
@@ -1,29 +1,29 @@
-<div class="ui small modal" id="push-mirror-edit-modal">
-	<div class="header">
-		{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.edit_sync_time"}}
-	</div>
-	<div class="content">
+<dialog id="push-mirror-edit-modal">
+	<article>
+		<header>{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.edit_sync_time"}}</header>
 		<form class="ui form ignore-dirty" method="post">
-			<input type="hidden" name="action" value="push-mirror-update">
-			<input type="hidden" name="push_mirror_id" id="push-mirror-edit-id">
-			<div class="field">
-				<label for="name">{{ctx.Locale.Tr "repo.settings.mirror_settings.mirrored_repository"}}</label>
-				<div class="ui small input">
-					<input id="push-mirror-edit-address" readonly>
+			<div class="content">
+				<input type="hidden" name="action" value="push-mirror-update">
+				<input type="hidden" name="push_mirror_id" id="push-mirror-edit-id">
+				<div class="field">
+					<label for="name">{{ctx.Locale.Tr "repo.settings.mirror_settings.mirrored_repository"}}</label>
+					<div class="ui small input">
+						<input id="push-mirror-edit-address" readonly>
+					</div>
 				</div>
-			</div>
-			<div class="inline field">
-				<label for="push-mirror-edit-interval">{{ctx.Locale.Tr "repo.mirror_interval" .MinimumMirrorInterval}}</label>
-				<div class="ui small input">
-					<input id="push-mirror-edit-interval" name="push_mirror_interval" autofocus>
+				<div class="inline field">
+					<label for="push-mirror-edit-interval">{{ctx.Locale.Tr "repo.mirror_interval" .MinimumMirrorInterval}}</label>
+					<div class="ui small input">
+						<input id="push-mirror-edit-interval" name="push_mirror_interval" autofocus>
+					</div>
 				</div>
-			</div>
-			<div class="field">
-				<label for="push-mirror-edit-branch-filter">{{ctx.Locale.Tr "repo.settings.push_mirror.branch_filter.label"}}</label>
-				<div class="ui small input">
-					<input id="push-mirror-edit-branch-filter" name="push_mirror_branch_filter" maxlength="2048">
+				<div class="field">
+					<label for="push-mirror-edit-branch-filter">{{ctx.Locale.Tr "repo.settings.push_mirror.branch_filter.label"}}</label>
+					<div class="ui small input">
+						<input id="push-mirror-edit-branch-filter" name="push_mirror_branch_filter" maxlength="2048">
+					</div>
+					<p class="help">{{ctx.Locale.Tr "repo.settings.push_mirror.branch_filter.description" "https://forgejo.org/docs/latest/user/repo-mirror/#branch-filter" "Forgejo"}}</p>
 				</div>
-				<p class="help">{{ctx.Locale.Tr "repo.settings.push_mirror.branch_filter.description" "https://forgejo.org/docs/latest/user/repo-mirror/#branch-filter" "Forgejo"}}</p>
 			</div>
 			<div class="actions">
 				<button class="ui small basic cancel button">
@@ -36,5 +36,5 @@
 				</button>
 			</div>
 		</form>
-	</div>
-</div>
+	</article>
+</dialog>
diff --git a/templates/shared/combomarkdowneditor.tmpl b/templates/shared/combomarkdowneditor.tmpl
index c1ec50ab70..42840a3825 100644
--- a/templates/shared/combomarkdowneditor.tmpl
+++ b/templates/shared/combomarkdowneditor.tmpl
@@ -64,55 +64,57 @@ Template Attributes:
 		{{ctx.Locale.Tr "loading"}}
 	</div>
 
-	<div class="ui small modal tw-w-fit" data-modal-name="new-markdown-table">
-		<div class="header">{{ctx.Locale.Tr "editor.table_modal.header"}}</div>
+	<dialog data-modal-name="new-markdown-table">
+		<article>
+			<header>{{ctx.Locale.Tr "editor.table_modal.header"}}</header>
 
-		<div class="ui form content" data-selector-name="form">
-			<input type="hidden" name="table-header" value="{{ctx.Locale.Tr "editor.table_modal.placeholder.header"}}" disabled>
-			<input type="hidden" name="table-content" value="{{ctx.Locale.Tr "editor.table_modal.placeholder.content"}}" disabled>
-			<table>
-				<tbody>
-					<tr>
-						<td><label>{{ctx.Locale.Tr "editor.table_modal.label.rows"}}</label></td>
-						<td><input type="number" name="table-rows" class="js-enable" min="1" value="2" disabled required></td>
-					</tr>
-					<tr>
-						<td><label>{{ctx.Locale.Tr "editor.table_modal.label.columns"}}</label></td>
-						<td><input type="number" name="table-columns" class="js-enable" min="1" value="2" disabled required></td>
-					</tr>
-				</tbody>
-			</table>
-		</div>
+			<div class="ui form content" data-selector-name="form">
+				<input type="hidden" name="table-header" value="{{ctx.Locale.Tr "editor.table_modal.placeholder.header"}}" disabled>
+				<input type="hidden" name="table-content" value="{{ctx.Locale.Tr "editor.table_modal.placeholder.content"}}" disabled>
+				<table>
+					<tbody>
+						<tr>
+							<td><label>{{ctx.Locale.Tr "editor.table_modal.label.rows"}}</label></td>
+							<td><input type="number" name="table-rows" class="js-enable" min="1" value="2" disabled required></td>
+						</tr>
+						<tr>
+							<td><label>{{ctx.Locale.Tr "editor.table_modal.label.columns"}}</label></td>
+							<td><input type="number" name="table-columns" class="js-enable" min="1" value="2" disabled required></td>
+						</tr>
+					</tbody>
+				</table>
+			</div>
 
-		<div class="text right actions">
-			<button class="ui cancel button" data-selector-name="cancel-button">{{ctx.Locale.Tr "cancel"}}</button>
-			<button class="ui primary button" data-selector-name="ok-button">{{ctx.Locale.Tr "ok"}}</button>
-		</div>
-	</div>
+			<div class="actions">
+				<button class="ui cancel button" data-selector-name="cancel-button">{{ctx.Locale.Tr "cancel"}}</button>
+				<button class="ui primary button" data-selector-name="ok-button">{{ctx.Locale.Tr "ok"}}</button>
+			</div>
+		</article>
+	</dialog>
 
-	<div class="ui small modal" data-modal-name="new-markdown-link">
-		<div class="header">{{ctx.Locale.Tr "editor.link_modal.header"}}</div>
-
-		<fieldset class="content">
+	<dialog data-modal-name="new-markdown-link">
+		<article>
+			<header>{{ctx.Locale.Tr "editor.link_modal.header"}}</header>
 			<div class="ui form" data-selector-name="form">
-				<label>
-					{{ctx.Locale.Tr "editor.link_modal.url"}}
-					<input name="link-url" class="js-enable" disabled required dir="auto" autocomplete="off">
-				</label>
-				<label>
-					{{ctx.Locale.Tr "editor.link_modal.description"}}
-					<input name="link-description" class="js-enable" disabled required dir="auto" autocomplete="off">
-				</label>
+				<div class="content">
+					<label>
+						{{ctx.Locale.Tr "editor.link_modal.url"}}
+						<input name="link-url" class="js-enable" disabled required dir="auto" autocomplete="off">
+					</label>
+					<label>
+						{{ctx.Locale.Tr "editor.link_modal.description"}}
+						<input name="link-description" class="js-enable" disabled required dir="auto" autocomplete="off">
+					</label>
 
-				<div class="help">
-					{{ctx.Locale.Tr "editor.link_modal.paste_reminder"}}
+					<div class="help">
+						{{ctx.Locale.Tr "editor.link_modal.paste_reminder"}}
+					</div>
 				</div>
-
 				<div class="text right actions">
 					<button class="ui cancel button" data-selector-name="cancel-button">{{ctx.Locale.Tr "cancel"}}</button>
 					<button class="ui primary button" data-selector-name="ok-button">{{ctx.Locale.Tr "ok"}}</button>
 				</div>
 			</div>
-		</fieldset>
-	</div>
+		</article>
+	</dialog>
 </div>
diff --git a/templates/shared/secrets/add_list.tmpl b/templates/shared/secrets/add_list.tmpl
index d4550bfb47..d2eb74b406 100644
--- a/templates/shared/secrets/add_list.tmpl
+++ b/templates/shared/secrets/add_list.tmpl
@@ -57,63 +57,63 @@
 </div>
 
 {{/* Add secret dialog */}}
-<div class="ui small modal" id="add-secret-modal">
-	<div class="header">
-		<span id="actions-modal-header"></span>
-	</div>
-	<form class="ui form form-fetch-action" method="post">
-		<fieldset class="content">
-			<div class="field">
-				{{ctx.Locale.Tr "secrets.description"}}
-			</div>
-			<div class="field">
-				<label class="required" for="secret-name">{{ctx.Locale.Tr "name"}}</label>
-				<input autofocus required
-					id="secret-name"
-					name="name"
-					value="{{.name}}"
-					pattern="^(?!FORGEJO_|GITEA_|GITHUB_)[a-zA-Z_][a-zA-Z0-9_]*$"
-				>
-				<p id="name-description" class="help">{{ctx.Locale.Tr "actions.secrets.creation.name_description"}}</p>
-			</div>
-			<div class="field">
-				<label class="required" for="secret-data">{{ctx.Locale.Tr "value"}}</label>
-				<textarea required
-					id="secret-data"
-					name="data"
-				></textarea>
-				<p id="secret-data-description" class="help">{{ctx.Locale.Tr "actions.secrets.creation.value_description"}}</p>
-			</div>
-		</fieldset>
-		{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
-	</form>
-</div>
+<dialog id="add-secret-modal">
+	<article>
+		<header><span id="actions-modal-header"></span></header>
+		<form class="ui form form-fetch-action" method="post">
+			<fieldset class="content">
+				<div class="field">
+					{{ctx.Locale.Tr "secrets.description"}}
+				</div>
+				<div class="field">
+					<label class="required" for="secret-name">{{ctx.Locale.Tr "name"}}</label>
+					<input autofocus required
+						id="secret-name"
+						name="name"
+						value="{{.name}}"
+						pattern="^(?!FORGEJO_|GITEA_|GITHUB_)[a-zA-Z_][a-zA-Z0-9_]*$"
+					>
+					<p id="name-description" class="help">{{ctx.Locale.Tr "actions.secrets.creation.name_description"}}</p>
+				</div>
+				<div class="field">
+					<label class="required" for="secret-data">{{ctx.Locale.Tr "value"}}</label>
+					<textarea required
+						id="secret-data"
+						name="data"
+					></textarea>
+					<p id="secret-data-description" class="help">{{ctx.Locale.Tr "actions.secrets.creation.value_description"}}</p>
+				</div>
+			</fieldset>
+			{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
+		</form>
+	</article>
+</dialog>
 {{/* Edit secret dialog */}}
-<div class="ui small modal" id="edit-secret-modal">
-	<div class="header">
-		<span id="actions-modal-header"></span>
-	</div>
-	<form class="ui form form-fetch-action" method="post">
-		<fieldset class="content">
-			<div class="field">
-				{{ctx.Locale.Tr "secrets.description"}}
-			</div>
-			<div class="field">
-				<label class="required" for="dialog-secret-name">{{ctx.Locale.Tr "name"}}</label>
-				<input autofocus required
-					id="dialog-secret-name"
-					name="name"
-					value="{{.name}}"
-					pattern="^(?!FORGEJO_|GITEA_|GITHUB_)[a-zA-Z_][a-zA-Z0-9_]*$"
-				>
-				<p id="name-description" class="help">{{ctx.Locale.Tr "actions.secrets.mutation.name_description"}}</p>
-			</div>
-			<div class="field">
-				<label for="dialog-secret-data">{{ctx.Locale.Tr "value"}}</label>
-				<textarea id="dialog-secret-data" name="data"></textarea>
-				<p id="secret-data-description" class="help">{{ctx.Locale.Tr "actions.secrets.mutation.value_description"}}</p>
-			</div>
-		</fieldset>
-		{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
-	</form>
-</div>
+<dialog id="edit-secret-modal">
+	<article>
+		<header><span id="actions-modal-header"></span></header>
+		<form class="ui form form-fetch-action" method="post">
+			<fieldset class="content">
+				<div class="field">
+					{{ctx.Locale.Tr "secrets.description"}}
+				</div>
+				<div class="field">
+					<label class="required" for="dialog-secret-name">{{ctx.Locale.Tr "name"}}</label>
+					<input autofocus required
+						id="dialog-secret-name"
+						name="name"
+						value="{{.name}}"
+						pattern="^(?!FORGEJO_|GITEA_|GITHUB_)[a-zA-Z_][a-zA-Z0-9_]*$"
+					>
+					<p id="name-description" class="help">{{ctx.Locale.Tr "actions.secrets.mutation.name_description"}}</p>
+				</div>
+				<div class="field">
+					<label for="dialog-secret-data">{{ctx.Locale.Tr "value"}}</label>
+					<textarea id="dialog-secret-data" name="data"></textarea>
+					<p id="secret-data-description" class="help">{{ctx.Locale.Tr "actions.secrets.mutation.value_description"}}</p>
+				</div>
+			</fieldset>
+			{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
+		</form>
+	</article>
+</dialog>
diff --git a/templates/shared/variables/variable_list.tmpl b/templates/shared/variables/variable_list.tmpl
index 82acb66d14..5f310d91a3 100644
--- a/templates/shared/variables/variable_list.tmpl
+++ b/templates/shared/variables/variable_list.tmpl
@@ -59,33 +59,34 @@
 </div>
 
 {{/** Edit variable dialog */}}
-<div class="ui small modal" id="edit-variable-modal">
-	<div class="header"></div>
-	<form class="ui form form-fetch-action" method="post">
-		<fieldset class="content">
-			<div class="field">
-				{{ctx.Locale.Tr "actions.variables.description"}}
-			</div>
-			<div class="field">
-				<label for="dialog-variable-name">{{ctx.Locale.Tr "name"}}</label>
-				<input autofocus required
-					name="name"
-					id="dialog-variable-name"
-					value="{{.name}}"
-					pattern="^(?!CI$)(?!FORGEJO_|GITEA_|GITHUB_)[a-zA-Z_][a-zA-Z0-9_]*$"
-				>
-				<p id="name-description" class="help">{{ctx.Locale.Tr "actions.variables.mutation.name_description"}}</p>
-			</div>
-			<div class="field">
-				<label for="dialog-variable-data">{{ctx.Locale.Tr "value"}}</label>
-				<textarea required
-					name="data"
-					id="dialog-variable-data"
-				></textarea>
-				<p id="data-description" class="help">{{ctx.Locale.Tr "actions.variables.mutation.value_description"}}</p>
-			</div>
-		</fieldset>
-		{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
-	</form>
-</div>
-
+<dialog id="edit-variable-modal">
+	<article>
+		<header></header>
+		<form class="ui form form-fetch-action" method="post">
+			<fieldset class="content">
+				<div class="field">
+					{{ctx.Locale.Tr "actions.variables.description"}}
+				</div>
+				<div class="field">
+					<label for="dialog-variable-name">{{ctx.Locale.Tr "name"}}</label>
+					<input autofocus required
+						name="name"
+						id="dialog-variable-name"
+						value="{{.name}}"
+						pattern="^(?!CI$)(?!FORGEJO_|GITEA_|GITHUB_)[a-zA-Z_][a-zA-Z0-9_]*$"
+					>
+					<p id="name-description" class="help">{{ctx.Locale.Tr "actions.variables.mutation.name_description"}}</p>
+				</div>
+				<div class="field">
+					<label for="dialog-variable-data">{{ctx.Locale.Tr "value"}}</label>
+					<textarea required
+						name="data"
+						id="dialog-variable-data"
+					></textarea>
+					<p id="data-description" class="help">{{ctx.Locale.Tr "actions.variables.mutation.value_description"}}</p>
+				</div>
+			</fieldset>
+			{{template "base/modal_actions_confirm" (dict "ModalButtonTypes" "confirm")}}
+		</form>
+		</article>
+</dialog>
diff --git a/tests/e2e/admin-ui.test.e2e.ts b/tests/e2e/admin-ui.test.e2e.ts
index 8fcd3456a3..84145dd0cf 100644
--- a/tests/e2e/admin-ui.test.e2e.ts
+++ b/tests/e2e/admin-ui.test.e2e.ts
@@ -56,3 +56,29 @@ test('Admin email list', async ({page}) => {
     await expect(page.locator('[data-uid="9"] svg')).toHaveClass(/octicon-check/);
   }
 });
+
+test('Admin: delete a user', async ({page}) => {
+  const response = await page.goto('/admin/users/1/edit');
+  expect(response?.status()).toBe(200);
+
+  const modal = page.locator('#delete-user-modal');
+  const okButton = page.locator('#delete-user-modal .primary.button');
+
+  // Check that modal appears after clicking
+  await expect(modal).toBeHidden();
+  await expect(okButton).toBeHidden();
+  await page.locator('[data-modal="#delete-user-modal"]').click();
+  await expect(modal).toBeVisible();
+  await expect(okButton).toBeVisible();
+
+  // Agree with deletion
+  await okButton.click();
+
+  // Should have been redirected to /admin/users/1
+  await expect(page).toHaveURL(/\/admin\/users\/1$/);
+
+  // This test doesn't actually delete a user as it attempts to delete the doer and
+  // receives an error. This is enough to test that the request reaches the correct
+  // endpoint without causing e2e retry headache
+  await expect(page.locator('#flash-message')).toBeVisible();
+});
diff --git a/tests/e2e/clipboard-copy.test.e2e.ts b/tests/e2e/clipboard-copy.test.e2e.ts
index fd1118da2b..6cd9836316 100644
--- a/tests/e2e/clipboard-copy.test.e2e.ts
+++ b/tests/e2e/clipboard-copy.test.e2e.ts
@@ -16,8 +16,12 @@ test('copy src file path to clipboard', async ({page}) => {
   expect(response?.status()).toBe(200);
 
   await page.click('[data-clipboard-text]');
-  const clipboardText = await page.evaluate(() => navigator.clipboard.readText());
-  expect(clipboardText).toContain('README.md');
+
+  await expect(async () => {
+    const clipboardText = await page.evaluate(() => navigator.clipboard.readText());
+    expect(clipboardText).toContain('README.md');
+  }).toPass();
+
   await expect(page.getByText('Copied')).toBeVisible();
   await screenshot(page, page.getByText('Copied'), 50);
 });
@@ -27,8 +31,12 @@ test('copy diff file path to clipboard', async ({page}) => {
   expect(response?.status()).toBe(200);
 
   await page.click('[data-clipboard-text]');
-  const clipboardText = await page.evaluate(() => navigator.clipboard.readText());
-  expect(clipboardText).toContain('README.md');
+
+  await expect(async () => {
+    const clipboardText = await page.evaluate(() => navigator.clipboard.readText());
+    expect(clipboardText).toContain('README.md');
+  }).toPass();
+
   await expect(page.getByText('Copied')).toBeVisible();
   await screenshot(page, page.getByText('Copied'), 50);
 });
diff --git a/tests/e2e/issue-comment-dropzone.test.e2e.ts b/tests/e2e/issue-comment-dropzone.test.e2e.ts
index 40bd238dc1..739490f6ad 100644
--- a/tests/e2e/issue-comment-dropzone.test.e2e.ts
+++ b/tests/e2e/issue-comment-dropzone.test.e2e.ts
@@ -48,8 +48,10 @@ async function assertCopy(page: Page, startWith: string) {
   const copyLink = preview.locator('.octicon-copy').locator('..');
   await copyLink.click();
 
-  const clipboardContent = await page.evaluate(() => navigator.clipboard.readText());
-  expect(clipboardContent).toContain(startWith);
+  await expect(async () => {
+    const clipboardContent = await page.evaluate(() => navigator.clipboard.readText());
+    expect(clipboardContent).toContain(startWith);
+  }).toPass();
 }
 
 test('Paste image in new comment', async ({page}) => {
diff --git a/tests/e2e/issue-sidebar.test.e2e.ts b/tests/e2e/issue-sidebar.test.e2e.ts
index d785a19e18..3324595438 100644
--- a/tests/e2e/issue-sidebar.test.e2e.ts
+++ b/tests/e2e/issue-sidebar.test.e2e.ts
@@ -379,6 +379,9 @@ test('Issue: Reference', async ({page}) => {
   );
 
   await page.getByRole('button', {name: 'Copy'}).click();
-  const reference = await page.evaluate(() => navigator.clipboard.readText());
-  expect(reference).toBe('user2/repo1#1');
+
+  await expect(async () => {
+    const reference = await page.evaluate(() => navigator.clipboard.readText());
+    expect(reference).toBe('user2/repo1#1');
+  }).toPass();
 });
diff --git a/tests/e2e/markdown-editor.test.e2e.ts b/tests/e2e/markdown-editor.test.e2e.ts
index 5274b25a73..acc7a00a24 100644
--- a/tests/e2e/markdown-editor.test.e2e.ts
+++ b/tests/e2e/markdown-editor.test.e2e.ts
@@ -367,7 +367,7 @@ test('Markdown insert table', async ({page}) => {
     const newTableButton = area.locator('button[data-md-action="new-table"]');
     await newTableButton.click();
 
-    const newTableModal = page.locator('[data-modal-name="new-markdown-table"].active');
+    const newTableModal = page.locator('[data-modal-name="new-markdown-table"][open]');
     await expect(newTableModal).toBeVisible();
     await screenshot(page);
 
@@ -417,9 +417,9 @@ test('Markdown insert link', async ({page}) => {
     const newLinkButton = area.locator('button[data-md-action="new-link"]');
     await newLinkButton.click();
 
-    const newLinkModal = page.locator('[data-modal-name="new-markdown-link"].active');
+    const newLinkModal = page.locator('[data-modal-name="new-markdown-link"][open]');
     await expect(newLinkModal).toBeVisible();
-    await accessibilityCheck({page}, ['[data-modal-name="new-markdown-link"].active'], [], []);
+    await accessibilityCheck({page}, ['[data-modal-name="new-markdown-link"][open]'], [], []);
     await screenshot(page);
 
     const urlInput = newLinkModal.locator('input[name="link-url"]');
@@ -455,9 +455,9 @@ test('Markdown insert link', async ({page}) => {
 
     await textarea.press('ControlOrMeta+KeyK');
 
-    const newLinkModal = page.locator('[data-modal-name="new-markdown-link"].active');
+    const newLinkModal = page.locator('[data-modal-name="new-markdown-link"][open]');
     await expect(newLinkModal).toBeVisible();
-    await accessibilityCheck({page}, ['[data-modal-name="new-markdown-link"].active'], [], []);
+    await accessibilityCheck({page}, ['[data-modal-name="new-markdown-link"][open]'], [], []);
     await screenshot(page);
 
     const urlInput = newLinkModal.locator('input[name="link-url"]');
@@ -579,7 +579,7 @@ test('Multiple combo markdown: insert table', async ({page}) => {
   const newTableButtonOne = page.locator('[for="_combo_markdown_editor_0"] button[data-md-action="new-table"]');
   await newTableButtonOne.click();
 
-  const newTableModalOne = page.locator('div[data-markdown-table-modal-id="0"]');
+  const newTableModalOne = page.locator('dialog[data-markdown-table-modal-id="0"]');
   await expect(newTableModalOne).toBeVisible();
 
   await newTableModalOne.locator('input[name="table-rows"]').fill('3');
@@ -601,7 +601,7 @@ test('Multiple combo markdown: insert table', async ({page}) => {
   const newTableButtonTwo = page.locator('[for="_combo_markdown_editor_1"] button[data-md-action="new-table"]');
   await newTableButtonTwo.click();
 
-  const newTableModalTwo = page.locator('div[data-markdown-table-modal-id="1"]');
+  const newTableModalTwo = page.locator('dialog[data-markdown-table-modal-id="1"]');
   await expect(newTableModalTwo).toBeVisible();
 
   await newTableModalTwo.locator('input[name="table-rows"]').fill('2');
diff --git a/tests/e2e/modal.test.e2e.ts b/tests/e2e/modal.test.e2e.ts
index 40fe33e9a6..28161a2012 100644
--- a/tests/e2e/modal.test.e2e.ts
+++ b/tests/e2e/modal.test.e2e.ts
@@ -103,27 +103,3 @@ test('Dialog modal: width', async ({page, isMobile}) => {
     expect(width).toBe(800);
   }
 });
-
-test('Dialog modal: short viewport', async ({page, isMobile}) => {
-  test.skip(isMobile);
-
-  // Small height for viewport.
-  await page.setViewportSize({
-    width: 1000,
-    height: 200,
-  });
-
-  await page.goto('/user2/repo1/settings');
-
-  // Open modal with long content
-  const deleteModal = page.locator('#delete-repo-modal');
-  await expect(deleteModal).toBeHidden();
-  await page.getByRole('button', {name: 'Delete this repository'}).click();
-  await expect(deleteModal).toBeVisible();
-
-  // Scroll to the bottom.
-  const scrollY = await page.evaluate(() => document.querySelector('.ui.dimmer').scrollHeight);
-  await page.mouse.wheel(0, scrollY);
-  const scrollTop = await page.evaluate(() => document.querySelector('.ui.dimmer').scrollTop);
-  expect(scrollTop).toBeGreaterThan(0);
-});
diff --git a/tests/e2e/repo-code.test.e2e.ts b/tests/e2e/repo-code.test.e2e.ts
index 7f9ca147ea..d84fb58b1a 100644
--- a/tests/e2e/repo-code.test.e2e.ts
+++ b/tests/e2e/repo-code.test.e2e.ts
@@ -148,11 +148,13 @@ test('Copy line permalink', async ({page}) => {
   const response = await page.goto('/user2/repo1/src/branch/master/README.md?display=source#L1');
   expect(response?.status()).toBe(200);
 
-  await page.locator('.code-line-button').click();
-  // eslint-disable-next-line playwright/no-force-option
-  await page.locator('.tippy-box .copy-line-permalink').click({force: true});
-  const clipboardText = await page.evaluate(() => navigator.clipboard.readText());
-  expect(clipboardText).toContain('README.md?display=source#L1');
+  await expect(async () => {
+    await page.locator('.code-line-button').click();
+    // eslint-disable-next-line playwright/no-force-option
+    await page.locator('.tippy-box .copy-line-permalink').click({force: true});
+    const clipboardText = await page.evaluate(() => navigator.clipboard.readText());
+    expect(clipboardText).toContain('README.md?display=source#L1');
+  }).toPass();
 });
 
 test('Line menu styles', async ({page}) => {
diff --git a/tests/e2e/runner-management.test.e2e.ts b/tests/e2e/runner-management.test.e2e.ts
index c7211dbe05..02edbd6e87 100644
--- a/tests/e2e/runner-management.test.e2e.ts
+++ b/tests/e2e/runner-management.test.e2e.ts
@@ -121,9 +121,12 @@ test.describe('Runners of user2', () => {
     await expect(page).toHaveTitle(/^Set up runner runner-991301 .*/);
     await expect(page.getByRole('heading', {name: 'Set up runner runner-991301'})).toBeVisible();
 
-    await page.getByRole('button', {name: 'Copy runner UUID'}).click();
-    const runnerUUID = await page.evaluate(() => navigator.clipboard.readText());
-    expect(runnerUUID).toMatch(uuidPattern);
+    let runnerUUID;
+    await expect(async () => {
+      await page.getByRole('button', {name: 'Copy runner UUID'}).click();
+      runnerUUID = await page.evaluate(() => navigator.clipboard.readText());
+      expect(runnerUUID).toMatch(uuidPattern);
+    }).toPass();
 
     let runnerToken;
     await expect(async () => {
@@ -230,14 +233,20 @@ test.describe('Runners of user2', () => {
     await expect(page).toHaveTitle(/^Set up runner runner-2 .*/);
     await expect(page.getByRole('heading', {name: 'Set up runner runner-2'})).toBeVisible();
 
-    await page.getByRole('button', {name: 'Copy runner UUID'}).click();
-    const runnerUUID = await page.evaluate(() => navigator.clipboard.readText());
-    expect(runnerUUID).toEqual('3a20ad8d-d5d6-4b7b-ba55-841ac8264c17');
+    let runnerUUID;
+    await expect(async () => {
+      await page.getByRole('button', {name: 'Copy runner UUID'}).click();
+      runnerUUID = await page.evaluate(() => navigator.clipboard.readText());
+      expect(runnerUUID).toEqual('3a20ad8d-d5d6-4b7b-ba55-841ac8264c17');
+    }).toPass();
 
-    await page.getByRole('button', {name: 'Copy runner token'}).click();
-    const runnerToken = await page.evaluate(() => navigator.clipboard.readText());
-    expect(runnerToken).not.toEqual('9730f9d2c6c731f07582788d1a1fe72a6b999a17');
-    expect(runnerToken).toMatch(tokenPattern);
+    let runnerToken;
+    await expect(async () => {
+      await page.getByRole('button', {name: 'Copy runner token'}).click();
+      runnerToken = await page.evaluate(() => navigator.clipboard.readText());
+      expect(runnerToken).not.toEqual('9730f9d2c6c731f07582788d1a1fe72a6b999a17');
+      expect(runnerToken).toMatch(tokenPattern);
+    }).toPass();
 
     await expect(page.getByRole('term')).toHaveText(['UUID', 'Token']);
     await expect(page.getByRole('definition')).toContainText([runnerUUID, runnerToken]);
@@ -427,13 +436,19 @@ test.describe('Global runners', () => {
     await expect(page).toHaveTitle(/^Set up runner runner-473465 .*/);
     await expect(page.getByRole('heading', {name: 'Set up runner runner-473465'})).toBeVisible();
 
-    await page.getByRole('button', {name: 'Copy runner UUID'}).click();
-    const runnerUUID = await page.evaluate(() => navigator.clipboard.readText());
-    expect(runnerUUID).toMatch(uuidPattern);
+    let runnerUUID;
+    await expect(async () => {
+      await page.getByRole('button', {name: 'Copy runner UUID'}).click();
+      runnerUUID = await page.evaluate(() => navigator.clipboard.readText());
+      expect(runnerUUID).toMatch(uuidPattern);
+    }).toPass();
 
-    await page.getByRole('button', {name: 'Copy runner token'}).click();
-    const runnerToken = await page.evaluate(() => navigator.clipboard.readText());
-    expect(runnerToken).toMatch(tokenPattern);
+    let runnerToken;
+    await expect(async () => {
+      await page.getByRole('button', {name: 'Copy runner token'}).click();
+      runnerToken = await page.evaluate(() => navigator.clipboard.readText());
+      expect(runnerToken).toMatch(tokenPattern);
+    }).toPass();
 
     await expect(page.getByRole('term')).toHaveText(['UUID', 'Token']);
     await expect(page.getByRole('definition')).toContainText([runnerUUID, runnerToken]);
diff --git a/tests/integration/repo_archive_text_test.go b/tests/integration/repo_archive_text_test.go
index f0e88a8343..5a76e1e47b 100644
--- a/tests/integration/repo_archive_text_test.go
+++ b/tests/integration/repo_archive_text_test.go
@@ -63,7 +63,7 @@ func testRepoArchiveElements(t *testing.T, tr translation.Locale, doc *HTMLDoc,
 
 	// Test modal
 	modal := doc.Find("#archive-repo-modal")
-	testRepoArchiveElement(t, tr, modal, ".header", opType+".header")
+	testRepoArchiveElement(t, tr, modal, "header", opType+".header")
 	testRepoArchiveElement(t, tr, modal, ".message", opType+".text")
 	testRepoArchiveElement(t, tr, modal, ".button.red", opType+".button")
 }
diff --git a/web_src/js/features/common-global.js b/web_src/js/features/common-global.js
index 93a970caa0..fe644e099e 100644
--- a/web_src/js/features/common-global.js
+++ b/web_src/js/features/common-global.js
@@ -13,6 +13,7 @@ import {showErrorToast} from '../modules/toast.js';
 import {request, POST, GET} from '../modules/fetch.js';
 import '../htmx.js';
 import {initTab} from '../modules/tab.ts';
+import {initGlobalShowModal} from './show-modal.ts';
 
 const {appUrl, appSubUrl, i18n} = window.config;
 
@@ -439,53 +440,6 @@ export function initGlobalLinkActions() {
   });
 }
 
-export function initGlobalShowModal() {
-  // A ".show-modal" button will show a modal dialog defined by its "data-modal" attribute.
-  // Each "data-modal-{target}" attribute will be filled to target element's value or text-content.
-  // * First, try to query '#target'
-  // * Then, try to query '.target'
-  // * Then, try to query 'target' as HTML tag
-  // If there is a ".{attr}" part like "data-modal-form.action", then the form's "action" attribute will be set.
-  $('.show-modal').on('click', function (e) {
-    e.preventDefault();
-    const modalSelector = this.getAttribute('data-modal');
-    const $modal = $(modalSelector);
-    if (!$modal.length) {
-      throw new Error('no modal for this action');
-    }
-    const modalAttrPrefix = 'data-modal-';
-    for (const attrib of this.attributes) {
-      if (!attrib.name.startsWith(modalAttrPrefix)) {
-        continue;
-      }
-
-      const attrTargetCombo = attrib.name.substring(modalAttrPrefix.length);
-      const [attrTargetName, attrTargetAttr] = attrTargetCombo.split('.');
-      // try to find target by: "#target" -> ".target" -> "target tag"
-      let $attrTarget = $modal.find(`#${attrTargetName}`);
-      if (!$attrTarget.length) $attrTarget = $modal.find(`.${attrTargetName}`);
-      if (!$attrTarget.length) $attrTarget = $modal.find(`${attrTargetName}`);
-      if (!$attrTarget.length) continue; // TODO: show errors in dev mode to remind developers that there is a bug
-
-      if (attrTargetAttr) {
-        $attrTarget[0][attrTargetAttr] = attrib.value;
-      } else if ($attrTarget[0].matches('input, textarea')) {
-        $attrTarget.val(attrib.value); // FIXME: add more supports like checkbox
-      } else {
-        $attrTarget.text(attrib.value); // FIXME: it should be more strict here, only handle div/span/p
-      }
-    }
-
-    $modal.modal('setting', {
-      onApprove: () => {
-        // "form-fetch-action" can handle network errors gracefully,
-        // so keep the modal dialog to make users can re-submit the form if anything wrong happens.
-        if ($modal.find('.form-fetch-action').length) return false;
-      },
-    }).modal('show');
-  });
-}
-
 export function initGlobalButtons() {
   // There are many "cancel button" elements in modal dialogs, Fomantic UI expects they are button-like elements but never submit a form.
   // However, Gitea misuses the modal dialog and put the cancel buttons inside forms, so we must prevent the form submission.
diff --git a/web_src/js/features/comp/ComboMarkdownEditor.js b/web_src/js/features/comp/ComboMarkdownEditor.js
index b4bc443c0e..b42d054ae9 100644
--- a/web_src/js/features/comp/ComboMarkdownEditor.js
+++ b/web_src/js/features/comp/ComboMarkdownEditor.js
@@ -96,8 +96,8 @@ class ComboMarkdownEditor {
     this.textareaMarkdownToolbar.querySelector('button[data-md-action="unindent"]')?.addEventListener('click', () => {
       this.indentSelection(true, false);
     });
-    this.textareaMarkdownToolbar.querySelector('button[data-md-action="new-table"]')?.setAttribute('data-modal', `div[data-markdown-table-modal-id="${this.elementIdSuffix}"]`);
-    this.textareaMarkdownToolbar.querySelector('button[data-md-action="new-link"]')?.setAttribute('data-modal', `div[data-markdown-link-modal-id="${this.elementIdSuffix}"]`);
+    this.textareaMarkdownToolbar.querySelector('button[data-md-action="new-table"]')?.setAttribute('data-modal', `dialog[data-markdown-table-modal-id="${this.elementIdSuffix}"]`);
+    this.textareaMarkdownToolbar.querySelector('button[data-md-action="new-link"]')?.setAttribute('data-modal', `dialog[data-markdown-link-modal-id="${this.elementIdSuffix}"]`);
 
     // Find all data-md-ctrl-shortcut elements in the markdown toolbar.
     const shortcutKeys = new Map();
@@ -263,7 +263,7 @@ class ComboMarkdownEditor {
 
   addNewTable(event) {
     const elementId = event.target.getAttribute('data-element-id');
-    const newTableModal = document.querySelector(`div[data-markdown-table-modal-id="${elementId}"]`);
+    const newTableModal = document.querySelector(`dialog[data-markdown-table-modal-id="${elementId}"]`);
     const form = newTableModal.querySelector('div[data-selector-name="form"]');
 
     // Validate input fields
@@ -295,8 +295,9 @@ class ComboMarkdownEditor {
   }
 
   setupTableInserter() {
-    const newTableModal = this.container.querySelector('div[data-modal-name="new-markdown-table"]');
+    const newTableModal = this.container.querySelector('dialog[data-modal-name="new-markdown-table"]');
     newTableModal.setAttribute('data-markdown-table-modal-id', this.elementIdSuffix);
+    document.body.append(newTableModal); // Contains form elements, avoid conflict with form of comment editor.
 
     const button = newTableModal.querySelector('button[data-selector-name="ok-button"]');
     button.setAttribute('data-element-id', this.elementIdSuffix);
@@ -305,7 +306,7 @@ class ComboMarkdownEditor {
 
   addNewLink(event) {
     const elementId = event.target.getAttribute('data-element-id');
-    const newLinkModal = document.querySelector(`div[data-markdown-link-modal-id="${elementId}"]`);
+    const newLinkModal = document.querySelector(`dialog[data-markdown-link-modal-id="${elementId}"]`);
     const form = newLinkModal.querySelector('div[data-selector-name="form"]');
 
     // Validate input fields
@@ -330,25 +331,22 @@ class ComboMarkdownEditor {
   }
 
   setupLinkInserter() {
-    const newLinkModal = this.container.querySelector('div[data-modal-name="new-markdown-link"]');
+    const newLinkModal = this.container.querySelector('dialog[data-modal-name="new-markdown-link"]');
     newLinkModal.setAttribute('data-markdown-link-modal-id', this.elementIdSuffix);
     const textarea = document.getElementById(`_combo_markdown_editor_${this.elementIdSuffix}`);
+    document.body.append(newLinkModal); // Contains form elements, avoid conflict with form of comment editor.
 
-    $(newLinkModal).modal({
-      // Pre-fill the description field from the selection to create behavior similar
-      // to pasting an URL over selected text.
-      onShow: () => {
-        const start = textarea.selectionStart;
-        const end = textarea.selectionEnd;
+    newLinkModal.$modal = {onShow: () => {
+      const start = textarea.selectionStart;
+      const end = textarea.selectionEnd;
 
-        if (start !== end) {
-          const selection = textarea.value.slice(start ?? undefined, end ?? undefined);
-          newLinkModal.querySelector('input[name="link-description"]').value = selection;
-        } else {
-          newLinkModal.querySelector('input[name="link-description"]').value = '';
-        }
-      },
-    });
+      if (start !== end) {
+        const selection = textarea.value.slice(start ?? undefined, end ?? undefined);
+        newLinkModal.querySelector('input[name="link-description"]').value = selection;
+      } else {
+        newLinkModal.querySelector('input[name="link-description"]').value = '';
+      }
+    }};
 
     const button = newLinkModal.querySelector('button[data-selector-name="ok-button"]');
     button.setAttribute('data-element-id', this.elementIdSuffix);
diff --git a/web_src/js/features/repo-legacy.js b/web_src/js/features/repo-legacy.js
index 523ce555c4..e0d4daebef 100644
--- a/web_src/js/features/repo-legacy.js
+++ b/web_src/js/features/repo-legacy.js
@@ -27,7 +27,7 @@ import {attachRefIssueContextPopup} from './contextpopup.js';
 import {POST} from '../modules/fetch.js';
 import {MarkdownQuote} from '@github/quote-selection';
 import {toAbsoluteUrl} from '../utils.js';
-import {initDropzone, initGlobalShowModal, initDisabledInputs} from './common-global.js';
+import {initDropzone, initDisabledInputs} from './common-global.js';
 
 export function initRepoCommentForm() {
   const $commentForm = $('.comment.form');
@@ -386,8 +386,6 @@ async function onEditContent(event) {
     tabEditor?.click();
   }
 
-  initGlobalShowModal();
-
   // Show write/preview tab and copy raw content as needed
   showElem(editContentZone);
   hideElem(renderContent);
diff --git a/web_src/js/features/show-modal.ts b/web_src/js/features/show-modal.ts
new file mode 100644
index 0000000000..9f58b83479
--- /dev/null
+++ b/web_src/js/features/show-modal.ts
@@ -0,0 +1,54 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+import {showModal} from '../modules/modal.ts';
+
+// Initialize all elements that have the `show-modal` class. The modal ID that
+// is specified in the `data-modal` attribute will be shown. The shown modal
+// can be modified by adding more attributes:
+// * `data-modal-$TARGET="$VALUE"`, If $TARGET contains a dot then its split
+// as $TARGET and $ATTR. $TARGET will first be queried as an identifier, then as
+// a classname and then as an element tag name in the modal element. If $ATTR
+// exists then the target element will have attribute $ATTR set to value $VALUE,
+// otherwise if the element is of type input or textarea then the value is set
+// to $VALUE otherwise the textContent of that element is set to $VALUE.
+export function initGlobalShowModal() {
+  document.addEventListener('click', (e) => {
+    if (!(e.target instanceof Element)) {
+      return;
+    }
+    const target = e.target.closest('.show-modal');
+    if (!target) {
+      return;
+    }
+    e.preventDefault();
+
+    const modal = document.querySelector<HTMLDialogElement>(target.getAttribute('data-modal'));
+    if (!modal) {
+      throw new Error('No modal found for this action');
+    }
+
+    const modalAttrPrefix = 'data-modal-';
+    for (const attrib of (target as HTMLElement).attributes) {
+      if (!attrib.name.startsWith(modalAttrPrefix)) {
+        continue;
+      }
+
+      const attrTargetCombo = attrib.name.substring(modalAttrPrefix.length);
+      const [attrTargetName, attrTargetAttr] = attrTargetCombo.split('.');
+
+      // try to find target by: "#target" -> ".target" -> "target tag"
+      const attrTarget = modal.querySelector(`#${attrTargetName}, .${attrTargetName}, ${attrTargetName}`);
+
+      if (attrTargetAttr) {
+        attrTarget.setAttribute(attrTargetAttr, attrib.value);
+      } else if (attrTarget instanceof HTMLInputElement || attrTarget instanceof HTMLTextAreaElement) {
+        attrTarget.value = attrib.value; // FIXME: add more supports like checkbox
+      } else {
+        attrTarget.textContent = attrib.value; // FIXME: it should be more strict here, only handle div/span/p
+      }
+    }
+
+    showModal(modal, undefined);
+  });
+}
diff --git a/web_src/js/modules/modal.ts b/web_src/js/modules/modal.ts
index b6fef12b2b..f82239ed95 100644
--- a/web_src/js/modules/modal.ts
+++ b/web_src/js/modules/modal.ts
@@ -3,8 +3,14 @@
 
 // showModal will show the given modal and run `onApprove` if the approve/ok/yes
 // button is pressed.
-export function showModal(modalID: string, onApprove: () => void) {
-  const modal = document.getElementById(modalID) as HTMLDialogElement;
+export function showModal(modalID: string | HTMLDialogElement, onApprove: () => void) {
+  let modal: HTMLDialogElement;
+  if (typeof modalID === 'string') {
+    modal = document.getElementById(modalID) as HTMLDialogElement;
+  } else {
+    modal = modalID;
+  }
+
   // Move the modal to `<body>`, to avoid inheriting any bad CSS or if the
   // parent becomes `display: hidden`.
   document.body.append(modal);
@@ -15,6 +21,9 @@ export function showModal(modalID: string, onApprove: () => void) {
   }, {once: true, passive: true});
   modal.querySelector('.ok')?.addEventListener('click', onApprove, {passive: true});
 
+  // Call a `onShow` callback if one is registered for this element.
+  modal?.$modal?.onShow();
+
   // The modal is ready to be shown.
   modal.showModal();
 }
diff --git a/web_src/js/types.d.ts b/web_src/js/types.d.ts
index d464f25fe9..3d3e83f465 100644
--- a/web_src/js/types.d.ts
+++ b/web_src/js/types.d.ts
@@ -14,3 +14,9 @@ type CodeMirrorLanguage = typeof import('@codemirror/language');
 type CodeMirrorSearch = typeof import('@codemirror/search');
 type CodeMirrorState = typeof import('@codemirror/state');
 type CodeMirrorView = typeof import('@codemirror/view');
+
+interface HTMLDialogElement {
+  $modal?: {
+    onShow?: () => void;
+  }
+}

From d63724ceab806a7b2adad07e8652ed12047fb667 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 3 May 2026 07:29:02 +0200
Subject: [PATCH 224/287] Update module github.com/blevesearch/bleve/v2 to
 v2.6.0 (forgejo) (#12373)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12373
---
 assets/go-licenses.json | 10 ++++++
 go.mod                  | 33 ++++++++++----------
 go.sum                  | 68 ++++++++++++++++++++---------------------
 3 files changed, 61 insertions(+), 50 deletions(-)

diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index e3c20b807e..c7ab5d3e95 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -389,6 +389,11 @@
     "path": "github.com/blevesearch/zapx/v16/LICENSE",
     "licenseText": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. (Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License."
   },
+  {
+    "name": "github.com/blevesearch/zapx/v17",
+    "path": "github.com/blevesearch/zapx/v17/LICENSE",
+    "licenseText": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. (Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License."
+  },
   {
     "name": "github.com/bmatcuk/doublestar/v4",
     "path": "github.com/bmatcuk/doublestar/v4/LICENSE",
@@ -954,6 +959,11 @@
     "path": "github.com/modern-go/reflect2/LICENSE",
     "licenseText": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. (Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
   },
+  {
+    "name": "github.com/mschoch/smat",
+    "path": "github.com/mschoch/smat/LICENSE",
+    "licenseText": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. (Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License."
+  },
   {
     "name": "github.com/munnerz/goautoneg",
     "path": "github.com/munnerz/goautoneg/LICENSE",
diff --git a/go.mod b/go.mod
index d38060a6b1..669aef9172 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.8.0
 	github.com/alecthomas/chroma/v2 v2.23.1
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
-	github.com/blevesearch/bleve/v2 v2.5.7
+	github.com/blevesearch/bleve/v2 v2.6.0
 	github.com/buildkite/terminal-to-html/v3 v3.16.8
 	github.com/caddyserver/certmagic v0.25.3
 	github.com/chi-middleware/proxy v1.1.1
@@ -121,31 +121,32 @@ require (
 	code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0 // indirect
 	filippo.io/edwards25519 v1.1.1 // indirect
 	git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 // indirect
-	github.com/RoaringBitmap/roaring/v2 v2.4.5 // indirect
+	github.com/RoaringBitmap/roaring/v2 v2.14.5 // indirect
 	github.com/STARRY-S/zip v0.2.3 // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bits-and-blooms/bitset v1.22.0 // indirect
-	github.com/blevesearch/bleve_index_api v1.2.11 // indirect
-	github.com/blevesearch/geo v0.2.4 // indirect
-	github.com/blevesearch/go-faiss v1.0.26 // indirect
+	github.com/bits-and-blooms/bitset v1.24.2 // indirect
+	github.com/blevesearch/bleve_index_api v1.3.11 // indirect
+	github.com/blevesearch/geo v0.2.5 // indirect
+	github.com/blevesearch/go-faiss v1.1.0 // indirect
 	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
 	github.com/blevesearch/gtreap v0.1.1 // indirect
-	github.com/blevesearch/mmap-go v1.0.4 // indirect
-	github.com/blevesearch/scorch_segment_api/v2 v2.3.13 // indirect
+	github.com/blevesearch/mmap-go v1.2.0 // indirect
+	github.com/blevesearch/scorch_segment_api/v2 v2.4.7 // indirect
 	github.com/blevesearch/segment v0.9.1 // indirect
 	github.com/blevesearch/snowballstem v0.9.0 // indirect
 	github.com/blevesearch/upsidedown_store_api v1.0.2 // indirect
-	github.com/blevesearch/vellum v1.1.0 // indirect
-	github.com/blevesearch/zapx/v11 v11.4.2 // indirect
-	github.com/blevesearch/zapx/v12 v12.4.2 // indirect
-	github.com/blevesearch/zapx/v13 v13.4.2 // indirect
-	github.com/blevesearch/zapx/v14 v14.4.2 // indirect
-	github.com/blevesearch/zapx/v15 v15.4.2 // indirect
-	github.com/blevesearch/zapx/v16 v16.2.8 // indirect
+	github.com/blevesearch/vellum v1.2.0 // indirect
+	github.com/blevesearch/zapx/v11 v11.4.3 // indirect
+	github.com/blevesearch/zapx/v12 v12.4.3 // indirect
+	github.com/blevesearch/zapx/v13 v13.4.3 // indirect
+	github.com/blevesearch/zapx/v14 v14.4.3 // indirect
+	github.com/blevesearch/zapx/v15 v15.4.3 // indirect
+	github.com/blevesearch/zapx/v16 v16.3.4 // indirect
+	github.com/blevesearch/zapx/v17 v17.1.2 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
 	github.com/bodgit/plumbing v1.3.0 // indirect
 	github.com/bodgit/sevenzip v1.6.1 // indirect
@@ -187,7 +188,7 @@ require (
 	github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
+	github.com/golang/snappy v1.0.0 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
diff --git a/go.sum b/go.sum
index 170b500020..0064361008 100644
--- a/go.sum
+++ b/go.sum
@@ -77,8 +77,8 @@ github.com/ProtonMail/go-crypto v1.4.1 h1:9RfcZHqEQUvP8RzecWEUafnZVtEvrBVL9BiF67
 github.com/ProtonMail/go-crypto v1.4.1/go.mod h1:e1OaTyu5SYVrO9gKOEhTc+5UcXtTUa+P3uLudwcgPqo=
 github.com/PuerkitoBio/goquery v1.12.0 h1:pAcL4g3WRXekcB9AU/y1mbKez2dbY2AajVhtkO8RIBo=
 github.com/PuerkitoBio/goquery v1.12.0/go.mod h1:802ej+gV2y7bbIhOIoPY5sT183ZW0YFofScC4q/hIpQ=
-github.com/RoaringBitmap/roaring/v2 v2.4.5 h1:uGrrMreGjvAtTBobc0g5IrW1D5ldxDQYe2JW2gggRdg=
-github.com/RoaringBitmap/roaring/v2 v2.4.5/go.mod h1:FiJcsfkGje/nZBZgCu0ZxCPOKD/hVXDS2dXi7/eUFE0=
+github.com/RoaringBitmap/roaring/v2 v2.14.5 h1:ckd0o545JqDPeVJDgeFoaM21eBixUnlWfYgjE5VnyWw=
+github.com/RoaringBitmap/roaring/v2 v2.14.5/go.mod h1:eq4wdNXxtJIS/oikeCzdX1rBzek7ANzbth041hrU8Q4=
 github.com/STARRY-S/zip v0.2.3 h1:luE4dMvRPDOWQdeDdUxUoZkzUIpTccdKdhHHsQJ1fm4=
 github.com/STARRY-S/zip v0.2.3/go.mod h1:lqJ9JdeRipyOQJrYSOtpNAiaesFO6zVDsE8GIGFaoSk=
 github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.8.0 h1:tgjwQrDH5m6jIYB7kac5IQZmfUzQNseac/e3H4VoCNE=
@@ -103,47 +103,48 @@ github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuP
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bits-and-blooms/bitset v1.12.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
-github.com/bits-and-blooms/bitset v1.22.0 h1:Tquv9S8+SGaS3EhyA+up3FXzmkhxPGjQQCkcs2uw7w4=
-github.com/bits-and-blooms/bitset v1.22.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/bits-and-blooms/bitset v1.24.2 h1:M7/NzVbsytmtfHbumG+K2bremQPMJuqv1JD3vOaFxp0=
+github.com/bits-and-blooms/bitset v1.24.2/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb h1:m935MPodAbYS46DG4pJSv7WO+VECIWUQ7OJYSoTrMh4=
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
-github.com/blevesearch/bleve/v2 v2.5.7 h1:2d9YrL5zrX5EBBW++GOaEKjE+NPWeZGaX77IM26m1Z8=
-github.com/blevesearch/bleve/v2 v2.5.7/go.mod h1:yj0NlS7ocGC4VOSAedqDDMktdh2935v2CSWOCDMHdSA=
-github.com/blevesearch/bleve_index_api v1.2.11 h1:bXQ54kVuwP8hdrXUSOnvTQfgK0KI1+f9A0ITJT8tX1s=
-github.com/blevesearch/bleve_index_api v1.2.11/go.mod h1:rKQDl4u51uwafZxFrPD1R7xFOwKnzZW7s/LSeK4lgo0=
-github.com/blevesearch/geo v0.2.4 h1:ECIGQhw+QALCZaDcogRTNSJYQXRtC8/m8IKiA706cqk=
-github.com/blevesearch/geo v0.2.4/go.mod h1:K56Q33AzXt2YExVHGObtmRSFYZKYGv0JEN5mdacJJR8=
-github.com/blevesearch/go-faiss v1.0.26 h1:4dRLolFgjPyjkaXwff4NfbZFdE/dfywbzDqporeQvXI=
-github.com/blevesearch/go-faiss v1.0.26/go.mod h1:OMGQwOaRRYxrmeNdMrXJPvVx8gBnvE5RYrr0BahNnkk=
+github.com/blevesearch/bleve/v2 v2.6.0 h1:Cyd3dd4q5tCbOV8MnKUVRUDYMHOir9xn12NZzXVSEd4=
+github.com/blevesearch/bleve/v2 v2.6.0/go.mod h1:gLmI8lWgHgrIYf7UpUX7JISI1CaqC6VScu46mHThuAY=
+github.com/blevesearch/bleve_index_api v1.3.11 h1:x29vbV8OjWfLcrDVd7Lr1q+BkLNS0JWNEig0MCVnKH4=
+github.com/blevesearch/bleve_index_api v1.3.11/go.mod h1:xvd48t5XMeeioWQ5/jZvgLrV98flT2rdvEJ3l/ki4Ko=
+github.com/blevesearch/geo v0.2.5 h1:yJg9FX1oRwLnjXSXF+ECHfXFTF4diF02Ca/qUGVjJhE=
+github.com/blevesearch/geo v0.2.5/go.mod h1:Jhq7WE2K6mJTx1xS44M2pUO6Io+wjCSHh1+co3YOgH4=
+github.com/blevesearch/go-faiss v1.1.0 h1:xM7Jc0ZUCv5lssG9Ohj3Jv0SdTpxcUABU1dDt9XVsc4=
+github.com/blevesearch/go-faiss v1.1.0/go.mod h1:OMGQwOaRRYxrmeNdMrXJPvVx8gBnvE5RYrr0BahNnkk=
 github.com/blevesearch/go-porterstemmer v1.0.3 h1:GtmsqID0aZdCSNiY8SkuPJ12pD4jI+DdXTAn4YRcHCo=
 github.com/blevesearch/go-porterstemmer v1.0.3/go.mod h1:angGc5Ht+k2xhJdZi511LtmxuEf0OVpvUUNrwmM1P7M=
 github.com/blevesearch/gtreap v0.1.1 h1:2JWigFrzDMR+42WGIN/V2p0cUvn4UP3C4Q5nmaZGW8Y=
 github.com/blevesearch/gtreap v0.1.1/go.mod h1:QaQyDRAT51sotthUWAH4Sj08awFSSWzgYICSZ3w0tYk=
-github.com/blevesearch/mmap-go v1.0.4 h1:OVhDhT5B/M1HNPpYPBKIEJaD0F3Si+CrEKULGCDPWmc=
-github.com/blevesearch/mmap-go v1.0.4/go.mod h1:EWmEAOmdAS9z/pi/+Toxu99DnsbhG1TIxUoRmJw/pSs=
-github.com/blevesearch/scorch_segment_api/v2 v2.3.13 h1:ZPjv/4VwWvHJZKeMSgScCapOy8+DdmsmRyLmSB88UoY=
-github.com/blevesearch/scorch_segment_api/v2 v2.3.13/go.mod h1:ENk2LClTehOuMS8XzN3UxBEErYmtwkE7MAArFTXs9Vc=
+github.com/blevesearch/mmap-go v1.2.0 h1:l33nNKPFcBjJUMwem6sAYJPUzhUCABoK9FxZDGiFNBI=
+github.com/blevesearch/mmap-go v1.2.0/go.mod h1:Vd6+20GBhEdwJnU1Xohgt88XCD/CTWcqbCNxkZpyBo0=
+github.com/blevesearch/scorch_segment_api/v2 v2.4.7 h1:GlMzW08hcsM3DnLUxhyF/1PcDal1qtvvIuytuph5djw=
+github.com/blevesearch/scorch_segment_api/v2 v2.4.7/go.mod h1://IJ7tG3QCf0cWW/aVSXqy77tc1AvLu3fcJLYEvOAFs=
 github.com/blevesearch/segment v0.9.1 h1:+dThDy+Lvgj5JMxhmOVlgFfkUtZV2kw49xax4+jTfSU=
 github.com/blevesearch/segment v0.9.1/go.mod h1:zN21iLm7+GnBHWTao9I+Au/7MBiL8pPFtJBJTsk6kQw=
 github.com/blevesearch/snowballstem v0.9.0 h1:lMQ189YspGP6sXvZQ4WZ+MLawfV8wOmPoD/iWeNXm8s=
 github.com/blevesearch/snowballstem v0.9.0/go.mod h1:PivSj3JMc8WuaFkTSRDW2SlrulNWPl4ABg1tC/hlgLs=
 github.com/blevesearch/upsidedown_store_api v1.0.2 h1:U53Q6YoWEARVLd1OYNc9kvhBMGZzVrdmaozG2MfoB+A=
 github.com/blevesearch/upsidedown_store_api v1.0.2/go.mod h1:M01mh3Gpfy56Ps/UXHjEO/knbqyQ1Oamg8If49gRwrQ=
-github.com/blevesearch/vellum v1.1.0 h1:CinkGyIsgVlYf8Y2LUQHvdelgXr6PYuvoDIajq6yR9w=
-github.com/blevesearch/vellum v1.1.0/go.mod h1:QgwWryE8ThtNPxtgWJof5ndPfx0/YMBh+W2weHKPw8Y=
-github.com/blevesearch/zapx/v11 v11.4.2 h1:l46SV+b0gFN+Rw3wUI1YdMWdSAVhskYuvxlcgpQFljs=
-github.com/blevesearch/zapx/v11 v11.4.2/go.mod h1:4gdeyy9oGa/lLa6D34R9daXNUvfMPZqUYjPwiLmekwc=
-github.com/blevesearch/zapx/v12 v12.4.2 h1:fzRbhllQmEMUuAQ7zBuMvKRlcPA5ESTgWlDEoB9uQNE=
-github.com/blevesearch/zapx/v12 v12.4.2/go.mod h1:TdFmr7afSz1hFh/SIBCCZvcLfzYvievIH6aEISCte58=
-github.com/blevesearch/zapx/v13 v13.4.2 h1:46PIZCO/ZuKZYgxI8Y7lOJqX3Irkc3N8W82QTK3MVks=
-github.com/blevesearch/zapx/v13 v13.4.2/go.mod h1:knK8z2NdQHlb5ot/uj8wuvOq5PhDGjNYQQy0QDnopZk=
-github.com/blevesearch/zapx/v14 v14.4.2 h1:2SGHakVKd+TrtEqpfeq8X+So5PShQ5nW6GNxT7fWYz0=
-github.com/blevesearch/zapx/v14 v14.4.2/go.mod h1:rz0XNb/OZSMjNorufDGSpFpjoFKhXmppH9Hi7a877D8=
-github.com/blevesearch/zapx/v15 v15.4.2 h1:sWxpDE0QQOTjyxYbAVjt3+0ieu8NCE0fDRaFxEsp31k=
-github.com/blevesearch/zapx/v15 v15.4.2/go.mod h1:1pssev/59FsuWcgSnTa0OeEpOzmhtmr/0/11H0Z8+Nw=
-github.com/blevesearch/zapx/v16 v16.2.8 h1:SlnzF0YGtSlrsOE3oE7EgEX6BIepGpeqxs1IjMbHLQI=
-github.com/blevesearch/zapx/v16 v16.2.8/go.mod h1:murSoCJPCk25MqURrcJaBQ1RekuqSCSfMjXH4rHyA14=
+github.com/blevesearch/vellum v1.2.0 h1:xkDiOEsHc2t3Cp0NsNZZ36pvc130sCzcGKOPMzXe+e0=
+github.com/blevesearch/vellum v1.2.0/go.mod h1:uEcfBJz7mAOf0Kvq6qoEKQQkLODBF46SINYNkZNae4k=
+github.com/blevesearch/zapx/v11 v11.4.3 h1:PTZOO5loKpHC/x/GzmPZNa9cw7GZIQxd5qRjwij9tHY=
+github.com/blevesearch/zapx/v11 v11.4.3/go.mod h1:4gdeyy9oGa/lLa6D34R9daXNUvfMPZqUYjPwiLmekwc=
+github.com/blevesearch/zapx/v12 v12.4.3 h1:eElXvAaAX4m04t//CGBQAtHNPA+Q6A1hHZVrN3LSFYo=
+github.com/blevesearch/zapx/v12 v12.4.3/go.mod h1:TdFmr7afSz1hFh/SIBCCZvcLfzYvievIH6aEISCte58=
+github.com/blevesearch/zapx/v13 v13.4.3 h1:qsdhRhaSpVnqDFlRiH9vG5+KJ+dE7KAW9WyZz/KXAiE=
+github.com/blevesearch/zapx/v13 v13.4.3/go.mod h1:knK8z2NdQHlb5ot/uj8wuvOq5PhDGjNYQQy0QDnopZk=
+github.com/blevesearch/zapx/v14 v14.4.3 h1:GY4Hecx0C6UTmiNC2pKdeA2rOKiLR5/rwpU9WR51dgM=
+github.com/blevesearch/zapx/v14 v14.4.3/go.mod h1:rz0XNb/OZSMjNorufDGSpFpjoFKhXmppH9Hi7a877D8=
+github.com/blevesearch/zapx/v15 v15.4.3 h1:iJiMJOHrz216jyO6lS0m9RTCEkprUnzvqAI2lc/0/CU=
+github.com/blevesearch/zapx/v15 v15.4.3/go.mod h1:1pssev/59FsuWcgSnTa0OeEpOzmhtmr/0/11H0Z8+Nw=
+github.com/blevesearch/zapx/v16 v16.3.4 h1:hDAqA8qusZTNbPEL7//w5P65UZ2de6yhSeUaTbp0Po0=
+github.com/blevesearch/zapx/v16 v16.3.4/go.mod h1:zqkPPqs9GS9FzVWzCO3Wf1X044yWAV17+4zb+FTiEHg=
+github.com/blevesearch/zapx/v17 v17.1.2 h1:avbOk2igaASNoiy0BE/jPgcxAnRI2PGeydeP4hg7Ikk=
+github.com/blevesearch/zapx/v17 v17.1.2/go.mod h1:WQObxKrqUX7cd0G1GMvDfc/bmZzQvoy7APOPimx7DiI=
 github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/avrEXE=
 github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/bodgit/plumbing v1.3.0 h1:pf9Itz1JOQgn7vEOE7v7nlEfBykYqvUYioC61TwWCFU=
@@ -368,8 +369,8 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
-github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
+github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
@@ -983,7 +984,6 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=

From 9b88e77c19fb15e9bb6e40a4d4b37ed9ad2f5313 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 3 May 2026 15:46:58 +0200
Subject: [PATCH 225/287] feat: expose immutable identifiers in Forgejo Actions
 JWTs (#12355)

Protect OIDC tokens generated by Forgejo Actions from threats arising when users or repositories are renamed or deleted, freeing their names up for reuse by another user.  In this threat environment, relying on the name of users and repositories in validating JWT claims is unsafe because they can change.

Adds three new claims to Actions' OIDC tokens:
- `actor_id` -- the immutable identifier of the actor who triggered an Action run
- `repository_id` -- the immutable identifier of the repository on which the Action is running
- `repository_owner_id` -- the immutable identifier of the owner of the repository on which the Action is running

Repositories will change their subject (`sub`) OIDC claims to include these immutable identifiers.  Existing repositories will not change, in order to maintain compatibility with existing JWT usage.  The new format will be applied to new repositories, or can be applied by disabling and enabling the Actions unit.  The new format embeds the identifiers:
- **Existing repos:** `repo:my-org/my-repo:ref:refs/heads/main`
- **New repos:** `repo:my-org-123456/my-repo-456789:ref:refs/heads/main`

Fixes #12244.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
    - New fields will be added to documentation soon.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12355
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 ...d_oidcsubjectformat_actions_unit_config.go |  68 ++++++++++
 ...csubjectformat_actions_unit_config_test.go |  61 +++++++++
 .../repo_unit.yml                             |  14 ++
 models/repo/repo_unit.go                      |  34 +++++
 services/actions/auth.go                      |  91 ++++++++-----
 services/actions/auth_test.go                 | 125 +++++++++++++-----
 services/actions/context.go                   |  28 ++--
 services/actions/context_test.go              |  10 +-
 services/actions/task.go                      |  20 ++-
 services/actions/task_test.go                 |  12 +-
 .../auth/method/action_runtime_token_test.go  |   3 +-
 .../api_actions_artifact_v4_test.go           |  15 ++-
 .../integration/api_actions_id_token_test.go  |  11 +-
 tests/integration/api_actions_oidc_test.go    |   7 +-
 14 files changed, 394 insertions(+), 105 deletions(-)
 create mode 100644 models/forgejo_migrations/v16a_add_oidcsubjectformat_actions_unit_config.go
 create mode 100644 models/forgejo_migrations/v16a_add_oidcsubjectformat_actions_unit_config_test.go
 create mode 100644 models/gitea_migrations/fixtures/Test_setOIDCSubjectFormatLegacy15/repo_unit.yml

diff --git a/models/forgejo_migrations/v16a_add_oidcsubjectformat_actions_unit_config.go b/models/forgejo_migrations/v16a_add_oidcsubjectformat_actions_unit_config.go
new file mode 100644
index 0000000000..efe737ad5a
--- /dev/null
+++ b/models/forgejo_migrations/v16a_add_oidcsubjectformat_actions_unit_config.go
@@ -0,0 +1,68 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package forgejo_migrations
+
+import (
+	"context"
+	"fmt"
+
+	"forgejo.org/models/db"
+	"forgejo.org/modules/json"
+	"forgejo.org/modules/optional"
+
+	"xorm.io/builder"
+	"xorm.io/xorm"
+)
+
+func init() {
+	registerMigration(&Migration{
+		Description: "add OIDCSubjectFormat=legacy-forgejo-v15 to all existing repositories with actions enabled",
+		Upgrade:     setOIDCSubjectFormatLegacy15,
+	})
+}
+
+func setOIDCSubjectFormatLegacy15(x *xorm.Engine) error {
+	type Type int
+	const TypeActions Type = 10 // 10 Actions
+	type ActionsConfig struct {
+		DisabledWorkflows []string `json:",omitempty"`
+		OIDCSubjectFormat string
+	}
+	type RepoUnit struct { //revive:disable-line:exported
+		ID     int64                   `xorm:"pk"`
+		Type   Type                    `xorm:"INDEX(s)"`
+		Config optional.Option[string] `xorm:"TEXT"`
+	}
+
+	return db.Iterate(
+		db.DefaultContext,
+		builder.Eq{"type": TypeActions},
+		func(ctx context.Context, unit *RepoUnit) error {
+			has, config := unit.Config.Get()
+			if !has {
+				config = "{}"
+			}
+			var actionsConfig ActionsConfig
+			if err := json.Unmarshal([]byte(config), &actionsConfig); err != nil {
+				return fmt.Errorf("failed to parse Actions config %q: %w", config, err)
+			}
+
+			actionsConfig.OIDCSubjectFormat = "legacy-forgejo-v15"
+
+			configBytes, err := json.Marshal(actionsConfig)
+			if err != nil {
+				return fmt.Errorf("failed to convert Actions config to JSON: %w", err)
+			}
+			r, err := db.GetEngine(ctx).
+				ID(unit.ID).
+				Cols("config").
+				Update(&RepoUnit{Config: optional.Some(string(configBytes))})
+			if err != nil {
+				return err
+			} else if r != 1 {
+				return fmt.Errorf("UPDATE expected to affect 1 row, but was %d", r)
+			}
+			return nil
+		})
+}
diff --git a/models/forgejo_migrations/v16a_add_oidcsubjectformat_actions_unit_config_test.go b/models/forgejo_migrations/v16a_add_oidcsubjectformat_actions_unit_config_test.go
new file mode 100644
index 0000000000..865c0e394b
--- /dev/null
+++ b/models/forgejo_migrations/v16a_add_oidcsubjectformat_actions_unit_config_test.go
@@ -0,0 +1,61 @@
+// Copyright 2026 The Forgejo Authors.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package forgejo_migrations
+
+import (
+	"testing"
+
+	"forgejo.org/models/db"
+	migration_tests "forgejo.org/models/gitea_migrations/test"
+	"forgejo.org/modules/timeutil"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"xorm.io/xorm/convert"
+)
+
+func Test_setOIDCSubjectFormatLegacy15(t *testing.T) {
+	type Type int
+	type UnitAccessMode int
+	type RepoUnit struct { //revive:disable-line:exported
+		ID                 int64
+		RepoID             int64              `xorm:"INDEX(s)"`
+		Type               Type               `xorm:"INDEX(s)"`
+		Config             convert.Conversion `xorm:"TEXT"`
+		CreatedUnix        timeutil.TimeStamp `xorm:"INDEX CREATED"`
+		DefaultPermissions UnitAccessMode     `xorm:"NOT NULL DEFAULT 0"`
+	}
+	x, deferable := migration_tests.PrepareTestEnv(t, 0, new(RepoUnit))
+	defer deferable()
+	if x == nil || t.Failed() {
+		return
+	}
+
+	require.NoError(t, setOIDCSubjectFormatLegacy15(x))
+
+	var records []map[string]string
+	require.NoError(t,
+		db.GetEngine(t.Context()).
+			Table("repo_unit").
+			Select("`id`, `repo_id`, `config`").
+			OrderBy("`id`").
+			Find(&records))
+	assert.Equal(t, []map[string]string{
+		{
+			"config":  "{\"OIDCSubjectFormat\":\"legacy-forgejo-v15\"}",
+			"id":      "1",
+			"repo_id": "4",
+		},
+		{
+			"config":  "{\"DisabledWorkflows\":[\"renovate.yml\"],\"OIDCSubjectFormat\":\"legacy-forgejo-v15\"}",
+			"id":      "2",
+			"repo_id": "5",
+		},
+		{
+			"config":  "",
+			"id":      "3",
+			"repo_id": "6",
+		},
+	}, records)
+}
diff --git a/models/gitea_migrations/fixtures/Test_setOIDCSubjectFormatLegacy15/repo_unit.yml b/models/gitea_migrations/fixtures/Test_setOIDCSubjectFormatLegacy15/repo_unit.yml
new file mode 100644
index 0000000000..bcd732bc1e
--- /dev/null
+++ b/models/gitea_migrations/fixtures/Test_setOIDCSubjectFormatLegacy15/repo_unit.yml
@@ -0,0 +1,14 @@
+- id: 1
+  repo_id: 4
+  type: 10 # actions
+  # config - null
+  created_unix: 1773518296
+- id: 2
+  repo_id: 5
+  type: 10 # actions
+  config: '{"DisabledWorkflows":["renovate.yml"]}'
+  created_unix: 1773518296
+- id: 3
+  repo_id: 6
+  type: 1 # code
+  created_unix: 1773518296
diff --git a/models/repo/repo_unit.go b/models/repo/repo_unit.go
index 3db6dc95e8..2cde375775 100644
--- a/models/repo/repo_unit.go
+++ b/models/repo/repo_unit.go
@@ -220,8 +220,42 @@ func (cfg *PullRequestsConfig) GetDefaultUpdateStyle() UpdateStyle {
 	return UpdateStyleMerge
 }
 
+// Represents the current format for `sub` claim generation when using `enable-openid-connect: true` on an Action.
+//
+// We try to follow GitHub's format for the `sub` claim because it should allow third-party integrations, which may have
+// existing knowledge and code that works with GitHub's OIDC tokens, to reuse that knowledge and code in the future to
+// implement Forgejo support.  As GitHub's format changes, we may implement those format changes to maintain that
+// familarity.  Forgejo isn't required to do so, though -- if future changes from GitHub don't make sense for Forgejo,
+// or vice-versa, this format matching effort may be discarded.
+type OIDCSubjectFormat string
+
+var (
+	// Default is the current, most preferred method of generating an `sub` JWT claim for an Actions JWT token.  It is
+	// an empty string which allows [ActionsConfig] to always default to the current preferred default value for new
+	// repositories.  At present, it is a `sub` claim that contains information about the repository owner and
+	// repository where the action occurred, their immutable identifiers (ID numbers), and the event that triggered the
+	// Action.
+	//
+	// Immutable identifiers have been added since OIDCSubjectFormatLegacyForgejo15.  The intent of adding them is to
+	// protect resource servers which may be requiring a specific subject claim from having that claim be impersonated
+	// when a user or repository are renamed or deleted.  For example, if a JWT from my-org/my-repo is trusted, but then
+	// my-org is deleted and a new user takes ownership of the name my-org, they should not be granted the same trust.
+	//
+	// Example: repo:my-org-123456/my-repo-456789:ref:refs/heads/main
+	OIDCSubjectFormatDefault OIDCSubjectFormat // defaults to ""
+
+	// The `sub` JWT claim generation that was shipped in Forgejo 15.  Contains information about the repository owner
+	// and repository where the action occurred and the event that triggered the Action.
+	//
+	// Example: repo:my-org/my-repo:ref:refs/heads/main
+	OIDCSubjectFormatLegacyForgejo15 OIDCSubjectFormat = "legacy-forgejo-v15"
+)
+
 type ActionsConfig struct {
 	DisabledWorkflows []string
+
+	// Format of the OIDC 'sub' claim that will be used when `enable-openid-connect` is true in an Action.
+	OIDCSubjectFormat OIDCSubjectFormat `json:",omitempty"`
 }
 
 func (cfg *ActionsConfig) EnableWorkflow(file string) {
diff --git a/services/actions/auth.go b/services/actions/auth.go
index c147643504..2b276cc347 100644
--- a/services/actions/auth.go
+++ b/services/actions/auth.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	actions_model "forgejo.org/models/actions"
+	repo_model "forgejo.org/models/repo"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
@@ -30,21 +31,24 @@ type AuthorizationTokenClaims struct {
 }
 
 type IDTokenCustomClaims struct {
-	Actor           string `json:"actor"`
-	BaseRef         string `json:"base_ref"`
-	EventName       string `json:"event_name"`
-	HeadRef         string `json:"head_ref"`
-	Ref             string `json:"ref"`
-	RefProtected    string `json:"ref_protected"`
-	RefType         string `json:"ref_type"`
-	Repository      string `json:"repository"`
-	RepositoryOwner string `json:"repository_owner"`
-	RunAttempt      string `json:"run_attempt"`
-	RunID           string `json:"run_id"`
-	RunNumber       string `json:"run_number"`
-	Sha             string `json:"sha"`
-	Workflow        string `json:"workflow"`
-	WorkflowRef     string `json:"workflow_ref"`
+	Actor             string `json:"actor"`
+	ActorID           string `json:"actor_id"`
+	BaseRef           string `json:"base_ref"`
+	EventName         string `json:"event_name"`
+	HeadRef           string `json:"head_ref"`
+	Ref               string `json:"ref"`
+	RefProtected      string `json:"ref_protected"`
+	RefType           string `json:"ref_type"`
+	Repository        string `json:"repository"`
+	RepositoryID      string `json:"repository_id"`
+	RepositoryOwner   string `json:"repository_owner"`
+	RepositoryOwnerID string `json:"repository_owner_id"`
+	RunAttempt        string `json:"run_attempt"`
+	RunID             string `json:"run_id"`
+	RunNumber         string `json:"run_number"`
+	Sha               string `json:"sha"`
+	Workflow          string `json:"workflow"`
+	WorkflowRef       string `json:"workflow_ref"`
 }
 
 type actionsCacheScope struct {
@@ -59,7 +63,7 @@ const (
 	actionsCachePermissionWrite
 )
 
-func CreateAuthorizationToken(task *actions_model.ActionTask, gitGtx map[string]any, enableOpenIDConnect bool) (string, error) {
+func CreateAuthorizationToken(task *actions_model.ActionTask, gitGtx map[string]any, enableOpenIDConnect bool, actionsConfig *repo_model.ActionsConfig) (string, error) {
 	now := time.Now()
 	taskID := task.ID
 	runID := task.Job.RunID
@@ -96,7 +100,16 @@ func CreateAuthorizationToken(task *actions_model.ActionTask, gitGtx map[string]
 		}
 
 		claims.OIDCExtra = oidcExtra
-		claims.OIDCSub = generateOIDCSub(gitGtx)
+
+		switch actionsConfig.OIDCSubjectFormat {
+		case repo_model.OIDCSubjectFormatDefault:
+			claims.OIDCSub = generateOIDCSub(gitGtx)
+		case repo_model.OIDCSubjectFormatLegacyForgejo15:
+			claims.OIDCSub = legacyGenerateOIDCSub(gitGtx)
+		default:
+			return "", fmt.Errorf("unexpected oidc subject format: %q", actionsConfig.OIDCSubjectFormat)
+		}
+
 		claims.Scp = fmt.Sprintf("%s generate_id_token:%s", claims.Scp, runIDJobID)
 	}
 
@@ -120,21 +133,24 @@ func generateOIDCExtra(gitCtx map[string]any) (string, error) {
 	}
 
 	claims := IDTokenCustomClaims{
-		Actor:           ctxVal("actor"),
-		BaseRef:         ctxVal("base_ref"),
-		EventName:       ctxVal("event_name"),
-		HeadRef:         ctxVal("head_ref"),
-		Ref:             ctxVal("ref"),
-		RefProtected:    ctxVal("ref_protected"),
-		RefType:         ctxVal("ref_type"),
-		Repository:      ctxVal("repository"),
-		RepositoryOwner: ctxVal("repository_owner"),
-		RunAttempt:      ctxVal("run_attempt"),
-		RunID:           ctxVal("run_id"),
-		RunNumber:       ctxVal("run_number"),
-		Sha:             ctxVal("sha"),
-		Workflow:        ctxVal("workflow"),
-		WorkflowRef:     ctxVal("workflow_ref"),
+		Actor:             ctxVal("actor"),
+		ActorID:           ctxVal("actor_id"),
+		BaseRef:           ctxVal("base_ref"),
+		EventName:         ctxVal("event_name"),
+		HeadRef:           ctxVal("head_ref"),
+		Ref:               ctxVal("ref"),
+		RefProtected:      ctxVal("ref_protected"),
+		RefType:           ctxVal("ref_type"),
+		Repository:        ctxVal("repository"),
+		RepositoryID:      ctxVal("repository_id"),
+		RepositoryOwner:   ctxVal("repository_owner"),
+		RepositoryOwnerID: ctxVal("repository_owner_id"),
+		RunAttempt:        ctxVal("run_attempt"),
+		RunID:             ctxVal("run_id"),
+		RunNumber:         ctxVal("run_number"),
+		Sha:               ctxVal("sha"),
+		Workflow:          ctxVal("workflow"),
+		WorkflowRef:       ctxVal("workflow_ref"),
 	}
 
 	ret, err := json.Marshal(claims)
@@ -146,6 +162,17 @@ func generateOIDCExtra(gitCtx map[string]any) (string, error) {
 }
 
 func generateOIDCSub(gitCtx map[string]any) string {
+	nameParts := strings.SplitN(gitCtx["repository"].(string), "/", 2)
+	repoName := nameParts[1]
+	switch gitCtx["event_name"] {
+	case "pull_request":
+		return fmt.Sprintf("repo:%s-%s/%s-%s:pull_request", gitCtx["repository_owner"], gitCtx["repository_owner_id"], repoName, gitCtx["repository_id"])
+	default:
+		return fmt.Sprintf("repo:%s-%s/%s-%s:ref:%s", gitCtx["repository_owner"], gitCtx["repository_owner_id"], repoName, gitCtx["repository_id"], gitCtx["ref"])
+	}
+}
+
+func legacyGenerateOIDCSub(gitCtx map[string]any) string {
 	switch gitCtx["event_name"] {
 	case "pull_request":
 		return fmt.Sprintf("repo:%s:pull_request", gitCtx["repository"])
diff --git a/services/actions/auth_test.go b/services/actions/auth_test.go
index 82d4d2efd3..ce75efb655 100644
--- a/services/actions/auth_test.go
+++ b/services/actions/auth_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	actions_model "forgejo.org/models/actions"
+	repo_model "forgejo.org/models/repo"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/setting"
 
@@ -39,28 +40,32 @@ func TestCreateAuthorizationToken(t *testing.T) {
 			name:                "enableOpenIDConnect true",
 			enableOpenIDConnect: true,
 			gitCtx: map[string]any{
-				"actor":            "user1",
-				"base_ref":         "master",
-				"event_name":       "push",
-				"head_ref":         "master",
-				"ref":              "refs/heads/master",
-				"ref_protected":    "false",
-				"ref_type":         "branch",
-				"repository":       "mpminardi/testing",
-				"repository_owner": "mpminardi",
-				"run_attempt":      "1",
-				"run_id":           "1",
-				"run_number":       "1",
-				"sha":              "pretend-sha",
-				"workflow":         "test.yml",
-				"workflow_ref":     "pretend-ref",
+				"actor":               "user1",
+				"actor_id":            "123",
+				"base_ref":            "master",
+				"event_name":          "push",
+				"head_ref":            "master",
+				"ref":                 "refs/heads/master",
+				"ref_protected":       "false",
+				"ref_type":            "branch",
+				"repository":          "mpminardi/testing",
+				"repository_id":       "456",
+				"repository_owner":    "mpminardi",
+				"repository_owner_id": "789",
+				"run_attempt":         "1",
+				"run_id":              "1",
+				"run_number":          "1",
+				"sha":                 "pretend-sha",
+				"workflow":            "test.yml",
+				"workflow_ref":        "pretend-ref",
 			},
 		},
 	}
 
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			token, err := CreateAuthorizationToken(task, tc.gitCtx, tc.enableOpenIDConnect)
+			token, err := CreateAuthorizationToken(task, tc.gitCtx, tc.enableOpenIDConnect,
+				&repo_model.ActionsConfig{})
 			require.NoError(t, err)
 			assert.NotEmpty(t, token)
 			claims := jwt.MapClaims{}
@@ -87,7 +92,7 @@ func TestCreateAuthorizationToken(t *testing.T) {
 				assert.Contains(t, scp, "generate_id_token:1:2")
 				oidcSubClaim, ok := claims["oidc_sub"]
 				assert.True(t, ok, "Has oidc_sub claim in jwt token")
-				assert.Equal(t, "repo:mpminardi/testing:ref:refs/heads/master", oidcSubClaim)
+				assert.Equal(t, "repo:mpminardi-789/testing-456:ref:refs/heads/master", oidcSubClaim)
 				oidcExtraClaim, ok := claims["oidc_extra"]
 				assert.True(t, ok, "Has oidc_extra claim in jwt token")
 				val, err := json.Marshal(tc.gitCtx)
@@ -100,6 +105,27 @@ func TestCreateAuthorizationToken(t *testing.T) {
 				_, ok = claims["oidc_extra"]
 				assert.False(t, ok, "Does not have oidc_extra claim in jwt token")
 			}
+
+			token, err = CreateAuthorizationToken(task, tc.gitCtx, tc.enableOpenIDConnect,
+				&repo_model.ActionsConfig{OIDCSubjectFormat: repo_model.OIDCSubjectFormatLegacyForgejo15})
+			require.NoError(t, err)
+			assert.NotEmpty(t, token)
+			claims = jwt.MapClaims{}
+			_, err = jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (any, error) {
+				return setting.GetGeneralTokenSigningSecret(), nil
+			})
+			require.NoError(t, err)
+			if tc.enableOpenIDConnect {
+				oidcSubClaim, ok := claims["oidc_sub"]
+				assert.True(t, ok, "Has oidc_sub claim in jwt token")
+				assert.Equal(t, "repo:mpminardi/testing:ref:refs/heads/master", oidcSubClaim)
+			} else {
+				assert.NotContains(t, scp, "generate_id_token")
+				_, ok := claims["oidc_sub"]
+				assert.False(t, ok, "Does not have oidc_sub claim in jwt token")
+				_, ok = claims["oidc_extra"]
+				assert.False(t, ok, "Does not have oidc_extra claim in jwt token")
+			}
 		})
 	}
 }
@@ -112,7 +138,7 @@ func TestParseAuthorizationToken(t *testing.T) {
 			RunID: 1,
 		},
 	}
-	token, err := CreateAuthorizationToken(task, map[string]any{}, false)
+	token, err := CreateAuthorizationToken(task, map[string]any{}, false, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
 	assert.NotEmpty(t, token)
 	headers := http.Header{}
@@ -133,23 +159,26 @@ func TestParseAuthorizationTokenClaims(t *testing.T) {
 		},
 	}
 	gitCtx := map[string]any{
-		"actor":            "user1",
-		"base_ref":         "master",
-		"event_name":       "push",
-		"head_ref":         "master",
-		"ref":              "refs/heads/master",
-		"ref_protected":    "false",
-		"ref_type":         "branch",
-		"repository":       "mpminardi/testing",
-		"repository_owner": "mpminardi",
-		"run_attempt":      "1",
-		"run_id":           "1",
-		"run_number":       "1",
-		"sha":              "pretend-sha",
-		"workflow":         "test.yml",
-		"workflow_ref":     "pretend-ref",
+		"actor":               "user1",
+		"actor_id":            "123",
+		"base_ref":            "master",
+		"event_name":          "push",
+		"head_ref":            "master",
+		"ref":                 "refs/heads/master",
+		"ref_protected":       "false",
+		"ref_type":            "branch",
+		"repository":          "mpminardi/testing",
+		"repository_id":       "456",
+		"repository_owner":    "mpminardi",
+		"repository_owner_id": "789",
+		"run_attempt":         "1",
+		"run_id":              "1",
+		"run_number":          "1",
+		"sha":                 "pretend-sha",
+		"workflow":            "test.yml",
+		"workflow_ref":        "pretend-ref",
 	}
-	token, err := CreateAuthorizationToken(task, gitCtx, true)
+	token, err := CreateAuthorizationToken(task, gitCtx, true, &repo_model.ActionsConfig{OIDCSubjectFormat: repo_model.OIDCSubjectFormatLegacyForgejo15})
 	require.NoError(t, err)
 	assert.NotEmpty(t, token)
 	headers := http.Header{}
@@ -180,6 +209,32 @@ func TestParseAuthorizationTokenNoAuthHeader(t *testing.T) {
 func TestGenerateOIDCSub(t *testing.T) {
 	t.Run("pull_request event", func(t *testing.T) {
 		sub := generateOIDCSub(map[string]any{
+			"event_name":          "pull_request",
+			"repository":          "mpminardi/testing",
+			"ref":                 "refs/heads/master",
+			"repository_owner":    "mpminardi",
+			"repository_owner_id": "123",
+			"repository_id":       "456",
+		})
+		assert.Equal(t, "repo:mpminardi-123/testing-456:pull_request", sub)
+	})
+
+	t.Run("other event", func(t *testing.T) {
+		sub := generateOIDCSub(map[string]any{
+			"event_name":          "random",
+			"repository":          "mpminardi/testing",
+			"ref":                 "refs/heads/master",
+			"repository_owner":    "mpminardi",
+			"repository_owner_id": "123",
+			"repository_id":       "456",
+		})
+		assert.Equal(t, "repo:mpminardi-123/testing-456:ref:refs/heads/master", sub)
+	})
+}
+
+func TestLegacyGenerateOIDCSub(t *testing.T) {
+	t.Run("pull_request event", func(t *testing.T) {
+		sub := legacyGenerateOIDCSub(map[string]any{
 			"event_name": "pull_request",
 			"repository": "mpminardi/testing",
 			"ref":        "refs/heads/master",
@@ -189,7 +244,7 @@ func TestGenerateOIDCSub(t *testing.T) {
 	})
 
 	t.Run("other event", func(t *testing.T) {
-		sub := generateOIDCSub(map[string]any{
+		sub := legacyGenerateOIDCSub(map[string]any{
 			"event_name": "random",
 			"repository": "mpminardi/testing",
 			"ref":        "refs/heads/master",
diff --git a/services/actions/context.go b/services/actions/context.go
index 0313b11031..ecd7f44da2 100644
--- a/services/actions/context.go
+++ b/services/actions/context.go
@@ -6,6 +6,7 @@ package actions
 import (
 	"context"
 	"fmt"
+	"strconv"
 
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
@@ -97,18 +98,21 @@ func GenerateGiteaContext(run *actions_model.ActionRun, job *actions_model.Actio
 	gitContext, _ := githubContextToMap(gitContextObj)
 
 	// standard contexts, see https://docs.github.com/en/actions/learn-github-actions/contexts#github-context
-	gitContext["action_status"] = ""                                    // string, For a composite action, the current result of the composite action.
-	gitContext["actor"] = run.TriggerUser.Name                          // string, The username of the user that triggered the initial workflow run. If the workflow run is a re-run, this value may differ from github.triggering_actor. Any workflow re-runs will use the privileges of github.actor, even if the actor initiating the re-run (github.triggering_actor) has different privileges.
-	gitContext["env"] = ""                                              // string, Path on the runner to the file that sets environment variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see "Workflow commands for GitHub Actions."
-	gitContext["path"] = ""                                             // string, Path on the runner to the file that sets system PATH variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see "Workflow commands for GitHub Actions."
-	gitContext["ref_protected"] = false                                 // boolean, true if branch protections are configured for the ref that triggered the workflow run.
-	gitContext["repository_owner"] = run.Repo.OwnerName                 // string, The repository owner's name. For example, Codertocat.
-	gitContext["repository"] = run.Repo.OwnerName + "/" + run.Repo.Name // string, The owner and repository name. For example, Codertocat/Hello-World.
-	gitContext["repositoryUrl"] = run.Repo.HTMLURL()                    // string, The Git URL to the repository. For example, git://github.com/codertocat/hello-world.git.
-	gitContext["secret_source"] = "Actions"                             // string, The source of a secret used in a workflow. Possible values are None, Actions, Dependabot, or Codespaces.
-	gitContext["server_url"] = setting.AppURL                           // string, The URL of the GitHub server. For example: https://github.com.
-	gitContext["triggering_actor"] = ""                                 // string, The username of the user that initiated the workflow run. If the workflow run is a re-run, this value may differ from github.actor. Any workflow re-runs will use the privileges of github.actor, even if the actor initiating the re-run (github.triggering_actor) has different privileges.
-	gitContext["workflow"] = run.WorkflowID                             // string, The name of the workflow. If the workflow file doesn't specify a name, the value of this property is the full path of the workflow file in the repository.
+	gitContext["action_status"] = ""                                            // string, For a composite action, the current result of the composite action.
+	gitContext["actor"] = run.TriggerUser.Name                                  // string, The username of the user that triggered the initial workflow run. If the workflow run is a re-run, this value may differ from github.triggering_actor. Any workflow re-runs will use the privileges of github.actor, even if the actor initiating the re-run (github.triggering_actor) has different privileges.
+	gitContext["actor_id"] = strconv.FormatInt(run.TriggerUserID, 10)           // string, Immutable unique identifier of the triggering user (unlike actor, which can be renamed)
+	gitContext["env"] = ""                                                      // string, Path on the runner to the file that sets environment variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see "Workflow commands for GitHub Actions."
+	gitContext["path"] = ""                                                     // string, Path on the runner to the file that sets system PATH variables from workflow commands. This file is unique to the current step and is a different file for each step in a job. For more information, see "Workflow commands for GitHub Actions."
+	gitContext["ref_protected"] = false                                         // boolean, true if branch protections are configured for the ref that triggered the workflow run.
+	gitContext["repository_owner"] = run.Repo.OwnerName                         // string, The repository owner's name. For example, Codertocat.
+	gitContext["repository_owner_id"] = strconv.FormatInt(run.Repo.OwnerID, 10) // string, Immutable unique identifier for the repository owner (unlike repository_owner, which can change with a user rename)
+	gitContext["repository"] = run.Repo.OwnerName + "/" + run.Repo.Name         // string, The owner and repository name. For example, Codertocat/Hello-World.
+	gitContext["repository_id"] = strconv.FormatInt(run.RepoID, 10)             // string, Immutable unique identifier for the repository (unlike repository, which can be renamed)
+	gitContext["repositoryUrl"] = run.Repo.HTMLURL()                            // string, The Git URL to the repository. For example, git://github.com/codertocat/hello-world.git.
+	gitContext["secret_source"] = "Actions"                                     // string, The source of a secret used in a workflow. Possible values are None, Actions, Dependabot, or Codespaces.
+	gitContext["server_url"] = setting.AppURL                                   // string, The URL of the GitHub server. For example: https://github.com.
+	gitContext["triggering_actor"] = ""                                         // string, The username of the user that initiated the workflow run. If the workflow run is a re-run, this value may differ from github.actor. Any workflow re-runs will use the privileges of github.actor, even if the actor initiating the re-run (github.triggering_actor) has different privileges.
+	gitContext["workflow"] = run.WorkflowID                                     // string, The name of the workflow. If the workflow file doesn't specify a name, the value of this property is the full path of the workflow file in the repository.
 
 	// additional contexts
 	gitContext["gitea_default_actions_url"] = setting.Actions.DefaultActionsURL.URL()
diff --git a/services/actions/context_test.go b/services/actions/context_test.go
index 665f207219..5abd8afb00 100644
--- a/services/actions/context_test.go
+++ b/services/actions/context_test.go
@@ -36,12 +36,13 @@ func TestFindTaskNeeds(t *testing.T) {
 
 func TestGenerateGiteaContext(t *testing.T) {
 	testUser := &user.User{
-		ID:   1,
+		ID:   123,
 		Name: "testuser",
 	}
 
 	testRepo := &repo.Repository{
-		ID:        1,
+		ID:        456,
+		OwnerID:   789,
 		OwnerName: "testowner",
 		Name:      "testrepo",
 	}
@@ -56,7 +57,9 @@ func TestGenerateGiteaContext(t *testing.T) {
 		run := &actions_model.ActionRun{
 			ID:                1,
 			Index:             42,
+			TriggerUserID:     testUser.ID,
 			TriggerUser:       testUser,
+			RepoID:            testRepo.ID,
 			Repo:              testRepo,
 			TriggerEvent:      "push",
 			Ref:               "refs/heads/main",
@@ -70,12 +73,15 @@ func TestGenerateGiteaContext(t *testing.T) {
 		require.NoError(t, err)
 
 		assert.Equal(t, "testuser", context["actor"])
+		assert.Equal(t, "123", context["actor_id"])
 		assert.Equal(t, setting.AppURL+"api/v1", context["api_url"])
 		assert.Equal(t, "push", context["event_name"])
 		assert.Equal(t, "refs/heads/main", context["ref"])
 		assert.Equal(t, "main", context["ref_name"])
 		assert.Equal(t, "branch", context["ref_type"])
+		assert.Equal(t, "789", context["repository_owner_id"])
 		assert.Equal(t, "testowner/testrepo", context["repository"])
+		assert.Equal(t, "456", context["repository_id"])
 		assert.Equal(t, "testowner", context["repository_owner"])
 		assert.Equal(t, "abc123def456", context["sha"])
 		assert.Equal(t, "42", context["run_number"])
diff --git a/services/actions/task.go b/services/actions/task.go
index ce43180b7b..f2525e1b3a 100644
--- a/services/actions/task.go
+++ b/services/actions/task.go
@@ -10,6 +10,8 @@ import (
 
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/db"
+	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/unit"
 	actions_module "forgejo.org/modules/actions"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/timeutil"
@@ -68,7 +70,12 @@ func PickTask(ctx context.Context, runner *actions_model.ActionRunner, requestKe
 			return fmt.Errorf("findTaskNeeds: %w", err)
 		}
 
-		taskContext, err := generateTaskContext(t)
+		unit, err := t.Job.Run.Repo.GetUnit(ctx, unit.TypeActions)
+		if err != nil {
+			return fmt.Errorf("GetUnit: %w", err)
+		}
+
+		taskContext, err := generateTaskContext(t, unit.ActionsConfig())
 		if err != nil {
 			return fmt.Errorf("generateTaskContext: %w", err)
 		}
@@ -128,7 +135,12 @@ func RecoverTasks(ctx context.Context, tasks []*actions_model.ActionTask) ([]*ru
 				return fmt.Errorf("findTaskNeeds: %w", err)
 			}
 
-			taskContext, err := generateTaskContext(t)
+			unit, err := t.Job.Run.Repo.GetUnit(ctx, unit.TypeActions)
+			if err != nil {
+				return fmt.Errorf("GetUnit: %w", err)
+			}
+
+			taskContext, err := generateTaskContext(t, unit.ActionsConfig())
 			if err != nil {
 				return fmt.Errorf("generateTaskContext: %w", err)
 			}
@@ -151,7 +163,7 @@ func RecoverTasks(ctx context.Context, tasks []*actions_model.ActionTask) ([]*ru
 	return retval, nil
 }
 
-func generateTaskContext(t *actions_model.ActionTask) (*structpb.Struct, error) {
+func generateTaskContext(t *actions_model.ActionTask, ac *repo_model.ActionsConfig) (*structpb.Struct, error) {
 	run := t.Job.Run
 	gitCtx, err := GenerateGiteaContext(run, t.Job)
 	if err != nil {
@@ -170,7 +182,7 @@ func generateTaskContext(t *actions_model.ActionTask) (*structpb.Struct, error)
 		enableOpenIDConnect = false
 	}
 
-	giteaRuntimeToken, err := CreateAuthorizationToken(t, gitCtx, enableOpenIDConnect)
+	giteaRuntimeToken, err := CreateAuthorizationToken(t, gitCtx, enableOpenIDConnect, ac)
 	if err != nil {
 		return nil, err
 	}
diff --git a/services/actions/task_test.go b/services/actions/task_test.go
index f725a93674..0c2630f3a6 100644
--- a/services/actions/task_test.go
+++ b/services/actions/task_test.go
@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	actions_model "forgejo.org/models/actions"
-	"forgejo.org/models/repo"
+	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/user"
 
 	"github.com/stretchr/testify/require"
@@ -27,7 +27,7 @@ jobs:
 		Name: "testuser",
 	}
 
-	testRepo := &repo.Repository{
+	testRepo := &repo_model.Repository{
 		ID:        1,
 		OwnerName: "testowner",
 		Name:      "testrepo",
@@ -60,7 +60,7 @@ jobs:
 	t.Run("openid connect enabled", func(t *testing.T) {
 		task := createTask(fmt.Sprintf(workflowFormat, "true"), false, "push")
 
-		taskContext, err := generateTaskContext(task)
+		taskContext, err := generateTaskContext(task, &repo_model.ActionsConfig{})
 		require.NoError(t, err)
 		require.NotEmpty(t, taskContext.Fields["forgejo_actions_id_token_request_token"].GetStringValue())
 		require.NotEmpty(t, taskContext.Fields["forgejo_actions_id_token_request_url"].GetStringValue())
@@ -70,7 +70,7 @@ jobs:
 	t.Run("openid connect enabled from fork with pull_request_target event", func(t *testing.T) {
 		task := createTask(fmt.Sprintf(workflowFormat, "true"), true, "pull_request_target")
 
-		taskContext, err := generateTaskContext(task)
+		taskContext, err := generateTaskContext(task, &repo_model.ActionsConfig{})
 		require.NoError(t, err)
 		require.NotEmpty(t, taskContext.Fields["forgejo_actions_id_token_request_token"].GetStringValue())
 		require.NotEmpty(t, taskContext.Fields["forgejo_actions_id_token_request_url"].GetStringValue())
@@ -80,7 +80,7 @@ jobs:
 	t.Run("openid connect enabled from fork with pull_request event", func(t *testing.T) {
 		task := createTask(fmt.Sprintf(workflowFormat, "true"), true, "pull_request")
 
-		taskContext, err := generateTaskContext(task)
+		taskContext, err := generateTaskContext(task, &repo_model.ActionsConfig{})
 		require.NoError(t, err)
 		require.Empty(t, taskContext.Fields["forgejo_actions_id_token_request_token"].GetStringValue())
 		require.Empty(t, taskContext.Fields["forgejo_actions_id_token_request_url"].GetStringValue())
@@ -90,7 +90,7 @@ jobs:
 	t.Run("openid connect disabled", func(t *testing.T) {
 		task := createTask(fmt.Sprintf(workflowFormat, "false"), false, "push")
 
-		taskContext, err := generateTaskContext(task)
+		taskContext, err := generateTaskContext(task, &repo_model.ActionsConfig{})
 		require.NoError(t, err)
 		require.Empty(t, taskContext.Fields["forgejo_actions_id_token_request_token"].GetStringValue())
 		require.Empty(t, taskContext.Fields["forgejo_actions_id_token_request_url"].GetStringValue())
diff --git a/services/auth/method/action_runtime_token_test.go b/services/auth/method/action_runtime_token_test.go
index f5bae45e96..4a4db62b3f 100644
--- a/services/auth/method/action_runtime_token_test.go
+++ b/services/auth/method/action_runtime_token_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	actions_model "forgejo.org/models/actions"
+	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/services/actions"
@@ -31,7 +32,7 @@ func TestActionRuntimeTokenVerify(t *testing.T) {
 				RunID: 1,
 			},
 		}
-		token, err := actions.CreateAuthorizationToken(task, map[string]any{}, false)
+		token, err := actions.CreateAuthorizationToken(task, map[string]any{}, false, &repo_model.ActionsConfig{})
 		require.NoError(t, err)
 
 		req := http.Request{
diff --git a/tests/integration/api_actions_artifact_v4_test.go b/tests/integration/api_actions_artifact_v4_test.go
index 62be33d552..707f980a07 100644
--- a/tests/integration/api_actions_artifact_v4_test.go
+++ b/tests/integration/api_actions_artifact_v4_test.go
@@ -15,6 +15,7 @@ import (
 	"time"
 
 	actions_model "forgejo.org/models/actions"
+	repo_model "forgejo.org/models/repo"
 	"forgejo.org/modules/storage"
 	"forgejo.org/routers/api/actions"
 	actions_service "forgejo.org/services/actions"
@@ -43,7 +44,7 @@ func uploadArtifact(t *testing.T, body string) string {
 			RunID: 792,
 		},
 	}
-	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false)
+	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
 
 	// acquire artifact upload url
@@ -103,7 +104,7 @@ func TestActionsArtifactV4UploadSingleFileWrongChecksum(t *testing.T) {
 			RunID: 792,
 		},
 	}
-	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false)
+	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
 
 	// acquire artifact upload url
@@ -154,7 +155,7 @@ func TestActionsArtifactV4UploadSingleFileWithRetentionDays(t *testing.T) {
 			RunID: 792,
 		},
 	}
-	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false)
+	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
 
 	// acquire artifact upload url
@@ -209,7 +210,7 @@ func TestActionsArtifactV4UploadSingleFileWithPotentialHarmfulBlockID(t *testing
 			RunID: 792,
 		},
 	}
-	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false)
+	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
 
 	// acquire artifact upload url
@@ -279,7 +280,7 @@ func TestActionsArtifactV4UploadSingleFileWithChunksOutOfOrder(t *testing.T) {
 			RunID: 792,
 		},
 	}
-	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false)
+	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
 
 	// acquire artifact upload url
@@ -351,7 +352,7 @@ func TestActionsArtifactV4DownloadSingle(t *testing.T) {
 			RunID: 792,
 		},
 	}
-	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false)
+	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
 
 	// acquire artifact upload url
@@ -419,7 +420,7 @@ func TestActionsArtifactV4Delete(t *testing.T) {
 			RunID: 792,
 		},
 	}
-	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false)
+	token, err := actions_service.CreateAuthorizationToken(task, map[string]any{}, false, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
 
 	// delete artifact by name
diff --git a/tests/integration/api_actions_id_token_test.go b/tests/integration/api_actions_id_token_test.go
index 0fd478b9d2..f686682159 100644
--- a/tests/integration/api_actions_id_token_test.go
+++ b/tests/integration/api_actions_id_token_test.go
@@ -14,6 +14,7 @@ import (
 	actions_model "forgejo.org/models/actions"
 	"forgejo.org/models/auth"
 	"forgejo.org/models/db"
+	repo_model "forgejo.org/models/repo"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	actions_service "forgejo.org/services/actions"
@@ -48,9 +49,9 @@ func TestActionsIDToken(t *testing.T) {
 	gitCtx, err := actions_service.GenerateGiteaContext(task.Job.Run, task.Job)
 	require.NoError(t, err)
 
-	token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true)
+	token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
-	tokenWithoutOIDCAccess, err := actions_service.CreateAuthorizationToken(task, gitCtx, false)
+	tokenWithoutOIDCAccess, err := actions_service.CreateAuthorizationToken(task, gitCtx, false, &repo_model.ActionsConfig{})
 	require.NoError(t, err)
 
 	// get JWKs information
@@ -90,7 +91,7 @@ func TestActionsIDToken(t *testing.T) {
 			assert.Equal(t, "792", claims["run_id"])
 			assert.Equal(t, "188", claims["run_number"])
 			assert.Equal(t, "c2d72f548424103f01ee1dc02889c1e2bff816b0", claims["sha"])
-			assert.Equal(t, "repo:user5/repo4:ref:refs/heads/master", claims["sub"])
+			assert.Equal(t, "repo:user5-5/repo4-4:ref:refs/heads/master", claims["sub"])
 			assert.Equal(t, "artifact.yaml", claims["workflow"])
 			assert.Equal(t, "user5/repo4/.forgejo/workflows/artifact.yaml@refs/heads/master", claims["workflow_ref"])
 		}
@@ -157,7 +158,7 @@ func TestActionsIDToken(t *testing.T) {
 		gitCtx, err := actions_service.GenerateGiteaContext(task.Job.Run, task.Job)
 		require.NoError(t, err)
 
-		token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true)
+		token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true, &repo_model.ActionsConfig{})
 		require.NoError(t, err)
 
 		req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/abcde/idtoken?placeholder=true&audience=testingAud").AddTokenAuth(token)
@@ -178,7 +179,7 @@ func TestActionsIDToken(t *testing.T) {
 		gitCtx, err := actions_service.GenerateGiteaContext(task.Job.Run, task.Job)
 		require.NoError(t, err)
 
-		token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true)
+		token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true, &repo_model.ActionsConfig{})
 		require.NoError(t, err)
 
 		req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/abcde/idtoken?placeholder=true&audience=testingAud").AddTokenAuth(token)
diff --git a/tests/integration/api_actions_oidc_test.go b/tests/integration/api_actions_oidc_test.go
index 71e96d7531..8bf3336986 100644
--- a/tests/integration/api_actions_oidc_test.go
+++ b/tests/integration/api_actions_oidc_test.go
@@ -45,7 +45,12 @@ func TestActionsOIDC(t *testing.T) {
 	assert.Equal(t, setting.AppURL+"api/actions/.well-known/keys", config.JwksURI)
 	assert.Equal(t, []string{"public"}, config.SubjectTypesSupported)
 	assert.Equal(t, []string{"id_token"}, config.ResponseTypesSupported)
-	assert.Equal(t, []string{"sub", "aud", "exp", "iat", "iss", "nbf", "actor", "base_ref", "event_name", "head_ref", "ref", "ref_protected", "ref_type", "repository", "repository_owner", "run_attempt", "run_id", "run_number", "sha", "workflow", "workflow_ref"}, config.ClaimsSupported)
+	assert.Equal(t, []string{
+		"sub", "aud", "exp", "iat", "iss", "nbf", "actor", "actor_id", "base_ref", "event_name",
+		"head_ref", "ref", "ref_protected", "ref_type", "repository", "repository_id", "repository_owner",
+		"repository_owner_id", "run_attempt", "run_id", "run_number", "sha", "workflow", "workflow_ref",
+	},
+		config.ClaimsSupported)
 	assert.Equal(t, []string{"RS256"}, config.IDTokenSigningAlgValuesSupported)
 	assert.Equal(t, []string{"openid"}, config.ScopesSupported)
 

From e89312de9bdbf82b427fca92a8915d0a74e1d0e8 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 3 May 2026 19:55:40 +0200
Subject: [PATCH 226/287] ci: fix merge conflict in test between #12355 &
 #12364 (#12401)

Both #12355 and #12364 passed CIs individually, but when combined a new test added in #12364 was broken by the change in #12355.  Fixes the authorized integration test to use the new immutable subject format.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12401
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 tests/integration/api_actions_id_token_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/integration/api_actions_id_token_test.go b/tests/integration/api_actions_id_token_test.go
index f686682159..d4a1657a8e 100644
--- a/tests/integration/api_actions_id_token_test.go
+++ b/tests/integration/api_actions_id_token_test.go
@@ -204,7 +204,7 @@ func TestActionsIDToken(t *testing.T) {
 					{
 						Claim:      "sub",
 						Comparison: auth.ClaimEqual,
-						Value:      "repo:user5/repo4:ref:refs/heads/master",
+						Value:      "repo:user5-5/repo4-4:ref:refs/heads/master",
 					},
 				},
 			},

From d27cd9f7220345526e6d99a82fec71deaacf1c43 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 4 May 2026 00:54:05 +0200
Subject: [PATCH 227/287] Update dependency postcss to v8.5.13 (forgejo)
 (#12405)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12405
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 28d3bdb364..3ab1e706d2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -59,7 +59,7 @@
         "mini-css-extract-plugin": "2.10.0",
         "minimatch": "10.2.5",
         "pdfobject": "2.3.0",
-        "postcss": "8.5.12",
+        "postcss": "8.5.13",
         "postcss-loader": "8.2.1",
         "postcss-nesting": "14.0.0",
         "pretty-ms": "9.0.0",
@@ -12940,9 +12940,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.5.12",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz",
-      "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==",
+      "version": "8.5.13",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.13.tgz",
+      "integrity": "sha512-qif0+jGGZoLWdHey3UFHHWP0H7Gbmsk8T5VEqyYFbWqPr1XqvLGBbk/sl8V5exGmcYJklJOhOQq1pV9IcsiFag==",
       "funding": [
         {
           "type": "opencollective",
diff --git a/package.json b/package.json
index 6fe61d62f1..f2d22f6d7c 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
     "mini-css-extract-plugin": "2.10.0",
     "minimatch": "10.2.5",
     "pdfobject": "2.3.0",
-    "postcss": "8.5.12",
+    "postcss": "8.5.13",
     "postcss-loader": "8.2.1",
     "postcss-nesting": "14.0.0",
     "pretty-ms": "9.0.0",

From 76b83c4467a11f84f08829c90786366d91e02507 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 4 May 2026 02:05:26 +0200
Subject: [PATCH 228/287] Update renovate Docker tag to v43.160.6 (forgejo)
 (#12404)

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index a17f79d3a9..5a353c59cf 100644
--- a/Makefile
+++ b/Makefile
@@ -47,7 +47,7 @@ GO_LICENSES_PACKAGE ?= github.com/google/go-licenses/v2@v2.0.1 # renovate: datas
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
 DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.44.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.141.6 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+RENOVATE_NPM_PACKAGE ?= renovate@43.160.6 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 MOCKERY_PACKAGE ?= github.com/vektra/mockery/v3@v3.7.0 # renovate: datasource=go
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/

From 780526b1a852ea10bf8457a95bb87bab60d4b117 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 4 May 2026 02:43:19 +0200
Subject: [PATCH 229/287] Update module github.com/go-sql-driver/mysql to
 v1.10.0 (forgejo) (#12376)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12376
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 669aef9172..1ccdc5b53e 100644
--- a/go.mod
+++ b/go.mod
@@ -52,7 +52,7 @@ require (
 	github.com/go-enry/go-enry/v2 v2.9.6
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/go-openapi/spec v0.22.3
-	github.com/go-sql-driver/mysql v1.9.3
+	github.com/go-sql-driver/mysql v1.10.0
 	github.com/go-webauthn/webauthn v0.16.5
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
@@ -119,7 +119,7 @@ require (
 require (
 	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0 // indirect
-	filippo.io/edwards25519 v1.1.1 // indirect
+	filippo.io/edwards25519 v1.2.0 // indirect
 	git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 // indirect
 	github.com/RoaringBitmap/roaring/v2 v2.14.5 // indirect
 	github.com/STARRY-S/zip v0.2.3 // indirect
diff --git a/go.sum b/go.sum
index 0064361008..bb15d173bb 100644
--- a/go.sum
+++ b/go.sum
@@ -59,8 +59,8 @@ codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570/go.mod h1:IIAjsi
 connectrpc.com/connect v1.19.2 h1:McQ83FGdzL+t60peksi0gXC7MQ/iLKgLduAnThbM0mo=
 connectrpc.com/connect v1.19.2/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
-filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
+filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
 gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a h1:lSA0F4e9A2NcQSqGqTOXqu2aRi/XEQxDCBwM8yJtE6s=
 gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a/go.mod h1:EXuID2Zs0pAQhH8yz+DNjUbjppKQzKFAn28TMYPB6IU=
 github.com/42wim/httpsig v1.2.3 h1:xb0YyWhkYj57SPtfSttIobJUPJZB9as1nsfo7KWVcEs=
@@ -318,8 +318,8 @@ github.com/go-openapi/testify/enable/yaml/v2 v2.0.2 h1:0+Y41Pz1NkbTHz8NngxTuAXxE
 github.com/go-openapi/testify/enable/yaml/v2 v2.0.2/go.mod h1:kme83333GCtJQHXQ8UKX3IBZu6z8T5Dvy5+CW3NLUUg=
 github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=
 github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
-github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
-github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
+github.com/go-sql-driver/mysql v1.10.0 h1:Q+1LV8DkHJvSYAdR83XzuhDaTykuDx0l6fkXxoWCWfw=
+github.com/go-sql-driver/mysql v1.10.0/go.mod h1:M+cqaI7+xxXGG9swrdeUIoPG3Y3KCkF0pZej+SK+nWk=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=

From ed32a0fb5aceff105d6111c4d8108070f2c8e168 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 4 May 2026 03:50:11 +0200
Subject: [PATCH 230/287] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.1.10 (forgejo) (#12406)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [https://data.forgejo.org/actions/setup-forgejo](https://code.forgejo.org/actions/setup-forgejo) | action | patch | `v3.1.9` → `v3.1.10` |

---

### Release Notes

<details>
<summary>actions/setup-forgejo (https://data.forgejo.org/actions/setup-forgejo)</summary>

### [`v3.1.10`](https://code.forgejo.org/actions/setup-forgejo/compare/v3.1.9...v3.1.10)

[Compare Source](https://code.forgejo.org/actions/setup-forgejo/compare/v3.1.9...v3.1.10)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjAuNiIsInVwZGF0ZWRJblZlciI6IjQzLjE2MC42IiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12406
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 .forgejo/workflows/build-release-integration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/build-release-integration.yml b/.forgejo/workflows/build-release-integration.yml
index dca71823b8..d649342588 100644
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@@ -32,7 +32,7 @@ jobs:
       - uses: https://data.forgejo.org/actions/checkout@v6
 
       - id: forgejo
-        uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.9
+        uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.10
         with:
           user: root
           password: admin1234

From 0b2415a05a5009098fb5bff4ecc4d3eee2aa2de9 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 4 May 2026 05:15:07 +0200
Subject: [PATCH 231/287] Update module github.com/redis/go-redis/v9 to v9.19.0
 (forgejo) (#12309)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12309
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 assets/go-licenses.json | 5 -----
 go.mod                  | 3 +--
 go.sum                  | 6 ++----
 3 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index c7ab5d3e95..7f1498042c 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -464,11 +464,6 @@
     "path": "github.com/davecgh/go-spew/spew/LICENSE",
     "licenseText": "ISC License\n\nCopyright (c) 2012-2016 Dave Collins \u003cdave@davec.name\u003e\n\nPermission to use, copy, modify, and/or distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n"
   },
-  {
-    "name": "github.com/dgryski/go-rendezvous",
-    "path": "github.com/dgryski/go-rendezvous/LICENSE",
-    "licenseText": "The MIT License (MIT)\n\nCopyright (c) 2017-2020 Damian Gryski \u003cdamian@gryski.com\u003e\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n"
-  },
   {
     "name": "github.com/djherbis/buffer",
     "path": "github.com/djherbis/buffer/LICENSE.txt",
diff --git a/go.mod b/go.mod
index 1ccdc5b53e..ef81dae8b1 100644
--- a/go.mod
+++ b/go.mod
@@ -88,7 +88,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/pquerna/otp v1.5.0
 	github.com/prometheus/client_golang v1.21.1
-	github.com/redis/go-redis/v9 v9.17.3
+	github.com/redis/go-redis/v9 v9.19.0
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/sergi/go-diff v1.4.0
 	github.com/stretchr/testify v1.11.1
@@ -159,7 +159,6 @@ require (
 	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
-	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/dsoprea/go-iptc v0.0.0-20200609062250-162ae6b44feb // indirect
 	github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd // indirect
diff --git a/go.sum b/go.sum
index bb15d173bb..8821c51435 100644
--- a/go.sum
+++ b/go.sum
@@ -194,8 +194,6 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davidmz/go-pageant v1.0.2 h1:bPblRCh5jGU+Uptpz6LgMZGD5hJoOt7otgT454WvHn0=
 github.com/davidmz/go-pageant v1.0.2/go.mod h1:P2EDDnMqIwG5Rrp05dTRITj9z2zpGcD9efWSkTNKLIE=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
-github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/djherbis/buffer v1.1.0/go.mod h1:VwN8VdFkMY0DCALdY8o00d3IZ6Amz/UNVMWcSaJT44o=
 github.com/djherbis/buffer v1.2.0 h1:PH5Dd2ss0C7CRRhQCZ2u7MssF+No9ide8Ye71nPHcrQ=
 github.com/djherbis/buffer v1.2.0/go.mod h1:fjnebbZjCUpPinBRD+TDwXSOeNQ7fPQWLfGQqiAiUyE=
@@ -608,8 +606,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.17.3 h1:fN29NdNrE17KttK5Ndf20buqfDZwGNgoUr9qjl1DQx4=
-github.com/redis/go-redis/v9 v9.17.3/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
+github.com/redis/go-redis/v9 v9.19.0 h1:XPVaaPSnG6RhYf7p+rmSa9zZfeVAnWsH5h3lxthOm/k=
+github.com/redis/go-redis/v9 v9.19.0/go.mod h1:v/M13XI1PVCDcm01VtPFOADfZtHf8YW3baQf57KlIkA=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rhysd/actionlint v1.7.10 h1:FL3XIEs72G4/++168vlv5FKOWMSWvWIQw1kBCadyOcM=

From 525a377c24efa1da71de623477db9175730f43c2 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 5 May 2026 02:58:47 +0200
Subject: [PATCH 232/287] feat: add name & description columns to authorized
 integration DB table (#12413)

User interfaces for authorized integrations will benefit from having a name field, to allow a list of authorized integrations to have an identifiable user-entered label.

I've also added a "description" column which is a `LONGTEXT` field.  My thought for this field is that if I were creating authorized integrations, I'd like to be able to write down where they're used, what they're used for, and how the remote system is configured.  For example, if it was an authorized integration to allow AWS -> Forgejo integration, the AWS side can be complicated -- IAM roles which are assumed, resources like EC2 instances or Lambdas that can access the roles -- and this would provide a natural place to make some notes to help me remember how the remote is configured.  I expect to represent this as a `<textarea>` in the Authorized Integration, optional, possibly markdown-formatted to allow links & bullet-points.

Manually tested migration with PG backend, and manually tested creation of authorized integrations with the CLI updates.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12413
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 ...in_user_generate_authorized_integration.go | 31 +++++++---
 models/auth/authorized_integration.go         |  3 +
 ...authorized_integration_name_description.go | 60 +++++++++++++++++++
 3 files changed, 86 insertions(+), 8 deletions(-)
 create mode 100644 models/forgejo_migrations/v16b_authorized_integration_name_description.go

diff --git a/cmd/admin_user_generate_authorized_integration.go b/cmd/admin_user_generate_authorized_integration.go
index fc159d90ae..ca39ac1b6f 100644
--- a/cmd/admin_user_generate_authorized_integration.go
+++ b/cmd/admin_user_generate_authorized_integration.go
@@ -38,6 +38,15 @@ enable-openid-connect flag in a workflow.`,
 				Usage:    "Username",
 				Required: true,
 			},
+			&cli.StringFlag{
+				Name:     "name",
+				Usage:    "Name of the authorized integration for later identification",
+				Required: true,
+			},
+			&cli.StringFlag{
+				Name:  "description",
+				Usage: "Optional description for the authorized integration",
+			},
 
 			// JWT validation:
 			&cli.StringFlag{
@@ -92,7 +101,9 @@ func runCreateAuthorizedIntegration(ctx context.Context, c *cli.Command) error {
 	}
 
 	ai := &auth_model.AuthorizedIntegration{
-		UserID: user.ID,
+		UserID:      user.ID,
+		Name:        c.String("name"),
+		Description: c.String("description"),
 	}
 
 	var rules []auth_model.ClaimRule
@@ -171,14 +182,18 @@ func runCreateAuthorizedIntegration(ctx context.Context, c *cli.Command) error {
 		Value       string                     `json:"value"`
 	}
 	output := struct {
-		Message    string                 `json:"message"`
-		Issuer     string                 `json:"issuer"`
-		Audience   string                 `json:"audience"`
-		ClaimRules []ClaimRuleDescription `json:"claim_rules"`
+		Message     string                 `json:"message"`
+		Name        string                 `json:"name"`
+		Description string                 `json:"description,omitempty"`
+		Issuer      string                 `json:"issuer"`
+		Audience    string                 `json:"audience"`
+		ClaimRules  []ClaimRuleDescription `json:"claim_rules"`
 	}{
-		Message:  "Authorized integration was successfully created.",
-		Issuer:   ai.Issuer,
-		Audience: ai.Audience,
+		Message:     "Authorized integration was successfully created.",
+		Name:        ai.Name,
+		Description: ai.Description,
+		Issuer:      ai.Issuer,
+		Audience:    ai.Audience,
 	}
 	for _, cr := range ai.ClaimRules.Rules {
 		var description string
diff --git a/models/auth/authorized_integration.go b/models/auth/authorized_integration.go
index e4cc8cedb0..ca5e103146 100644
--- a/models/auth/authorized_integration.go
+++ b/models/auth/authorized_integration.go
@@ -30,6 +30,9 @@ type AuthorizedIntegration struct {
 	Scope            AccessTokenScope `xorm:"NOT NULL"`
 	ResourceAllRepos bool             `xorm:"NOT NULL"` // flag for whether AuthorizedIntegrationResourceRepo instances will limit the resources this access token can access (false) or won't limit them (true).
 
+	Name        string // short name for lists of authorized integrations
+	Description string `xorm:"LONGTEXT"` // long description, optional to document relevant details of the integration
+
 	// Exact-match `iss` claim of the JWT
 	Issuer string `xorm:"NOT NULL UNIQUE(s)"`
 	// Exact-match `aud` claim of the JWT
diff --git a/models/forgejo_migrations/v16b_authorized_integration_name_description.go b/models/forgejo_migrations/v16b_authorized_integration_name_description.go
new file mode 100644
index 0000000000..3f5450310f
--- /dev/null
+++ b/models/forgejo_migrations/v16b_authorized_integration_name_description.go
@@ -0,0 +1,60 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package forgejo_migrations
+
+import (
+	"context"
+	"fmt"
+
+	"forgejo.org/models/db"
+	"forgejo.org/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+func init() {
+	registerMigration(&Migration{
+		Description: "add name & description to authorized_integration",
+		Upgrade:     addAuthorizedIntegrationNameDescription,
+	})
+}
+
+func addAuthorizedIntegrationNameDescription(x *xorm.Engine) error {
+	type AuthorizedIntegration struct {
+		// New fields:
+		Name        string
+		Description string `xorm:"LONGTEXT"`
+
+		// Existing fields, used for UPDATE in migration:
+		ID          int64              `xorm:"pk autoincr"`
+		Issuer      string             `xorm:"NOT NULL UNIQUE(s)"`
+		Audience    string             `xorm:"NOT NULL UNIQUE(s)"`
+		CreatedUnix timeutil.TimeStamp `xorm:"NOT NULL created"`
+		// don't include `UpdatedUnix`, so the updated timestamp isn't bumped when Name is set in migration
+	}
+
+	_, err := x.SyncWithOptions(
+		xorm.SyncOptions{IgnoreDropIndices: true},
+		new(AuthorizedIntegration),
+	)
+	if err != nil {
+		return err
+	}
+
+	// As v16a has creating this table, v16b will likely have no records for any users.  But for developers working on
+	// v16, populate "Name" with a quick computed value:
+	return db.Iterate(db.DefaultContext, nil, func(ctx context.Context, ai *AuthorizedIntegration) error {
+		ai.Name = fmt.Sprintf("%s created %s", ai.Issuer, ai.CreatedUnix.FormatDate())
+		r, err := db.GetEngine(ctx).
+			ID(ai.ID).
+			Cols("name").
+			Update(ai)
+		if err != nil {
+			return err
+		} else if r != 1 {
+			return fmt.Errorf("UPDATE expected to affect 1 row, but was %d", r)
+		}
+		return nil
+	})
+}

From c1ac671b555663c333528433f1c5e943ce9621a3 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 5 May 2026 02:59:34 +0200
Subject: [PATCH 233/287] feat: reusable workflow outer job is skipped if 'if:'
 block skips workflow (#12412)

Follow-up to https://code.forgejo.org/forgejo/runner/pulls/1509 -- improves the UX in Forgejo when a reusable workflow is skipped, marking the workflow as skipped rather than succeeded.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12412
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 modules/actions/task_state.go        |  2 ++
 modules/actions/task_state_test.go   | 15 +++++++++++++++
 services/actions/job_emitter.go      | 19 ++++++++++++++-----
 services/actions/job_emitter_test.go | 21 +++++++++++++++++++++
 4 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/modules/actions/task_state.go b/modules/actions/task_state.go
index 77bfc747ee..889a0b0364 100644
--- a/modules/actions/task_state.go
+++ b/modules/actions/task_state.go
@@ -111,6 +111,8 @@ func fullStepsOfEmptySteps(task *actions_model.ActionTask) []*actions_model.Acti
 		preStep.Status = task.Status
 		if preStep.Status.IsSuccess() {
 			postStep.Status = actions_model.StatusSuccess
+		} else if preStep.Status.IsSkipped() {
+			postStep.Status = actions_model.StatusSkipped
 		} else {
 			postStep.Status = actions_model.StatusCancelled
 		}
diff --git a/modules/actions/task_state_test.go b/modules/actions/task_state_test.go
index e18de4573f..084de1c709 100644
--- a/modules/actions/task_state_test.go
+++ b/modules/actions/task_state_test.go
@@ -156,6 +156,21 @@ func TestFullSteps(t *testing.T) {
 				{Name: postStepName, Status: actions_model.StatusSuccess, LogIndex: 90, LogLength: 10, Started: 10090, Stopped: 10100},
 			},
 		},
+		{
+			// situation occurs with a reusable workflow's outer job which has no steps
+			name: "skipped task w/ zero steps",
+			task: &actions_model.ActionTask{
+				Steps:     []*actions_model.ActionTaskStep{},
+				Status:    actions_model.StatusSkipped,
+				Started:   0,
+				Stopped:   0,
+				LogLength: 0,
+			},
+			want: []*actions_model.ActionTaskStep{
+				{Name: preStepName, Status: actions_model.StatusSkipped, LogIndex: 0, LogLength: 0, Started: 0, Stopped: 0},
+				{Name: postStepName, Status: actions_model.StatusSkipped, LogIndex: 0, LogLength: 0, Started: 0, Stopped: 0},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/services/actions/job_emitter.go b/services/actions/job_emitter.go
index 0a9c297033..faaf9d2cdf 100644
--- a/services/actions/job_emitter.go
+++ b/services/actions/job_emitter.go
@@ -77,7 +77,7 @@ func checkJobsOfRun(ctx context.Context, runID int64, recursionCount int) error
 				job.Status = status
 				updateColumns := []string{"status"}
 
-				if status == actions_model.StatusWaiting {
+				if status.IsWaiting() {
 					behaviour, err := tryHandleIncompleteMatrix(ctx, job, jobs)
 					switch behaviour {
 					case behaviourError:
@@ -95,7 +95,7 @@ func checkJobsOfRun(ctx context.Context, runID int64, recursionCount int) error
 						// Stop processing any other jobs in this run.
 						return nil
 					}
-				} else if status == actions_model.StatusSuccess || status == actions_model.StatusFailure {
+				} else if status.IsSuccess() || status.IsFailure() || status.IsSkipped() {
 					// Transition to these states can be triggered by workflow call outer jobs
 					additionalColumns, err := tryHandleWorkflowCallOuterJob(ctx, job)
 					if err != nil {
@@ -192,7 +192,7 @@ func (r *jobStatusResolver) resolve() map[int64]actions_model.Status {
 		if status != actions_model.StatusBlocked {
 			continue
 		}
-		allDone, allSucceed, allSucceedOrSkip := true, true, true
+		allDone, allSucceed, allSucceedOrSkip, allSkip := true, true, true, true
 		for _, need := range r.needs[id] {
 			needStatus := r.statuses[need]
 			if !needStatus.IsDone() {
@@ -204,12 +204,15 @@ func (r *jobStatusResolver) resolve() map[int64]actions_model.Status {
 			if needStatus.In(actions_model.StatusFailure, actions_model.StatusCancelled) {
 				allSucceedOrSkip = false
 			}
+			if !needStatus.IsSkipped() {
+				allSkip = false
+			}
 		}
 		if allDone {
 			if isWorkflowCallOuterJob, _ := r.jobMap[id].IsWorkflowCallOuterJob(); isWorkflowCallOuterJob {
 				// If the dependent job was a workflow call outer job, then options aren't waiting/skipped, but rather
-				// success/failure.  checkJobsOfRun will do additional work in these cases to "finish" the workflow call
-				// job as well.
+				// success/skip/failure.  checkJobsOfRun will do additional work in these cases to "finish" the workflow
+				// call job as well.
 				if allSucceedOrSkip {
 					isIncompleteMatrix, _, _ := r.jobMap[id].HasIncompleteMatrix()
 					isIncompleteWith, _, _, _ := r.jobMap[id].HasIncompleteWith()
@@ -221,6 +224,12 @@ func (r *jobStatusResolver) resolve() map[int64]actions_model.Status {
 						// `tryHandleIncompleteMatrix` to be reparsed, replaced with a full job definition, with new
 						// `needs` that contain its inner jobs:
 						ret[id] = actions_model.StatusWaiting
+					} else if allSkip {
+						// All of the inner jobs are skipped -- this most likely occurs because an outer job's `if:`
+						// condition was false, and that condition was populated to all the inner jobs.  Even if that's
+						// not the case, it's effectively true that the reusable workflow was skipped if all the inner
+						// jobs had their own `if:` conditions that were skipped.
+						ret[id] = actions_model.StatusSkipped
 					} else {
 						// This job is done by virtue of its inner jobs being done successfully.
 						ret[id] = actions_model.StatusSuccess
diff --git a/services/actions/job_emitter_test.go b/services/actions/job_emitter_test.go
index a7e3b7467b..d6696b3482 100644
--- a/services/actions/job_emitter_test.go
+++ b/services/actions/job_emitter_test.go
@@ -179,6 +179,27 @@ __metadata:
 				3: actions_model.StatusSuccess,
 			},
 		},
+		{
+			name: "unblocked workflow call outer job with only skip",
+			jobs: actions_model.ActionJobList{
+				{ID: 1, JobID: "job1.innerjob1", Status: actions_model.StatusSkipped, Needs: []string{}},
+				{ID: 2, JobID: "job1.innerjob2", Status: actions_model.StatusSkipped, Needs: []string{}},
+				{ID: 3, JobID: "job1", Status: actions_model.StatusBlocked, Needs: []string{"job1.innerjob1", "job1.innerjob2"}, WorkflowPayload: []byte(
+					`
+name: test
+on: push
+jobs:
+  job2:
+    if: false
+    uses: ./.forgejo/workflows/reusable.yml
+__metadata:
+  workflow_call_id: b5a9f46f1f2513d7777fde50b169d323a6519e349cc175484c947ac315a209ed
+`)},
+			},
+			want: map[int64]actions_model.Status{
+				3: actions_model.StatusSkipped,
+			},
+		},
 		{
 			name: "unblocked workflow call outer job, incomplete `with`",
 			jobs: actions_model.ActionJobList{

From 6f5bef54b0c0cbd64a8a9fe613d26ab3d764d8e5 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 5 May 2026 09:43:48 +0200
Subject: [PATCH 234/287] Update dependency globals to v17.6.0 (forgejo)
 (#12417)

---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 3ab1e706d2..0dd4fd4ffc 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -107,7 +107,7 @@
         "eslint-plugin-vue": "10.8.0",
         "eslint-plugin-vue-scoped-css": "2.12.0",
         "eslint-plugin-wc": "3.1.0",
-        "globals": "17.5.0",
+        "globals": "17.6.0",
         "happy-dom": "20.8.9",
         "license-checker-rseidelsohn": "4.4.2",
         "markdownlint-cli": "0.48.0",
@@ -9200,9 +9200,9 @@
       }
     },
     "node_modules/globals": {
-      "version": "17.5.0",
-      "resolved": "https://registry.npmjs.org/globals/-/globals-17.5.0.tgz",
-      "integrity": "sha512-qoV+HK2yFl/366t2/Cb3+xxPUo5BuMynomoDmiaZBIdbs+0pYbjfZU+twLhGKp4uCZ/+NbtpVepH5bGCxRyy2g==",
+      "version": "17.6.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-17.6.0.tgz",
+      "integrity": "sha512-sepffkT8stwnIYbsMBpoCHJuJM5l98FUF2AnE07hfvE0m/qp3R586hw4jF4uadbhvg1ooIdzuu7CsfD2jzCaNA==",
       "dev": true,
       "license": "MIT",
       "engines": {
diff --git a/package.json b/package.json
index f2d22f6d7c..c5ff835d69 100644
--- a/package.json
+++ b/package.json
@@ -106,7 +106,7 @@
     "eslint-plugin-vue": "10.8.0",
     "eslint-plugin-vue-scoped-css": "2.12.0",
     "eslint-plugin-wc": "3.1.0",
-    "globals": "17.5.0",
+    "globals": "17.6.0",
     "happy-dom": "20.8.9",
     "license-checker-rseidelsohn": "4.4.2",
     "markdownlint-cli": "0.48.0",

From c07ea09050513832093aefaf5db2fd5493c6df4a Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Tue, 5 May 2026 12:41:42 +0200
Subject: [PATCH 235/287] fix: cleanup data before migration retry (#12370)

In the case you hit some API error (Github ratelimit was often a problem) or the instance restarted in the middle of your migration, you would be left with data on the disk and/or database. Upon retrying the migration the migration code would (rightfully) fail because it's trying to migrate stuff that already exists.

This was hit so often on Codeberg it was better to force people to delete and start whole migration process again: https://codeberg.org/Codeberg-Infrastructure/forgejo/commit/28ee60c91f237268aa526086d0cce7a8f5380a9b

Delete the repository data before retrying to solve this.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12370
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 models/repo.go                                | 23 ++------
 routers/api/v1/repo/key.go                    |  2 +-
 routers/api/v1/repo/migrate.go                |  2 +-
 routers/web/repo/migrate.go                   |  2 -
 routers/web/repo/setting/deploy_key.go        |  2 +-
 services/asymkey/deploy_key.go                | 16 ++----
 services/cron/tasks_extended.go               |  4 +-
 services/doctor/repository.go                 |  4 +-
 services/repository/check.go                  |  5 +-
 services/repository/create.go                 |  2 +-
 services/repository/create_test.go            |  4 +-
 services/repository/delete.go                 | 43 ++++++++++-----
 services/repository/repository.go             |  2 +-
 .../fixtures/TestRetryMigrateTask/issue.yml   | 16 ++++++
 .../TestRetryMigrateTask/repo_unit.yml        | 34 ++++++++++++
 .../fixtures/TestRetryMigrateTask/task.yml    | 22 ++++++++
 services/task/task.go                         | 18 ++++---
 services/task/task_test.go                    | 52 +++++++++++++++++++
 tests/integration/api_repo_test.go            |  2 +-
 .../ephemeral_actions_runner_deletion_test.go |  3 +-
 tests/integration/git_push_test.go            |  4 +-
 21 files changed, 191 insertions(+), 71 deletions(-)
 create mode 100644 services/task/fixtures/TestRetryMigrateTask/issue.yml
 create mode 100644 services/task/fixtures/TestRetryMigrateTask/repo_unit.yml
 create mode 100644 services/task/fixtures/TestRetryMigrateTask/task.yml

diff --git a/models/repo.go b/models/repo.go
index 1b9cc8fa60..6a4da96b95 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -14,10 +14,8 @@ import (
 	asymkey_model "forgejo.org/models/asymkey"
 	"forgejo.org/models/db"
 	issues_model "forgejo.org/models/issues"
-	access_model "forgejo.org/models/perm/access"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unit"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
 	"forgejo.org/services/stats"
 
@@ -277,7 +275,7 @@ func DoctorUserStarNum(ctx context.Context) (err error) {
 }
 
 // DeleteDeployKey delete deploy keys
-func DeleteDeployKey(ctx context.Context, doer *user_model.User, id int64) error {
+func DeleteDeployKey(ctx context.Context, id, repoID int64) error {
 	key, err := asymkey_model.GetDeployKeyByID(ctx, id)
 	if err != nil {
 		if asymkey_model.IsErrDeployKeyNotExist(err) {
@@ -286,21 +284,10 @@ func DeleteDeployKey(ctx context.Context, doer *user_model.User, id int64) error
 		return fmt.Errorf("GetDeployKeyByID: %w", err)
 	}
 
-	// Check if user has access to delete this key.
-	if !doer.IsAdmin {
-		repo, err := repo_model.GetRepositoryByID(ctx, key.RepoID)
-		if err != nil {
-			return fmt.Errorf("GetRepositoryByID: %w", err)
-		}
-		has, err := access_model.IsUserRepoAdmin(ctx, repo, doer)
-		if err != nil {
-			return fmt.Errorf("GetUserRepoPermission: %w", err)
-		} else if !has {
-			return asymkey_model.ErrKeyAccessDenied{
-				UserID: doer.ID,
-				KeyID:  key.ID,
-				Note:   "deploy",
-			}
+	if key.RepoID != repoID {
+		return asymkey_model.ErrKeyAccessDenied{
+			KeyID: key.ID,
+			Note:  "deploy",
 		}
 	}
 
diff --git a/routers/api/v1/repo/key.go b/routers/api/v1/repo/key.go
index 36fe2080d4..caa482cf9b 100644
--- a/routers/api/v1/repo/key.go
+++ b/routers/api/v1/repo/key.go
@@ -279,7 +279,7 @@ func DeleteDeploykey(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	if err := asymkey_service.DeleteDeployKey(ctx, ctx.Doer, ctx.ParamsInt64(":id")); err != nil {
+	if err := asymkey_service.DeleteDeployKey(ctx, ctx.ParamsInt64(":id"), ctx.Repo.Repository.ID); err != nil {
 		if asymkey_model.IsErrKeyAccessDenied(err) {
 			ctx.Error(http.StatusForbidden, "", "You do not have access to this key")
 		} else {
diff --git a/routers/api/v1/repo/migrate.go b/routers/api/v1/repo/migrate.go
index 272806bfb0..7ec4f901a3 100644
--- a/routers/api/v1/repo/migrate.go
+++ b/routers/api/v1/repo/migrate.go
@@ -205,7 +205,7 @@ func Migrate(ctx *context.APIContext) {
 		}
 
 		if repo != nil {
-			if errDelete := repo_service.DeleteRepositoryDirectly(ctx, ctx.Doer, repo.ID); errDelete != nil {
+			if errDelete := repo_service.DeleteRepositoryDirectly(ctx, repo.ID, repo_service.DeleteRepositoryOpts{}); errDelete != nil {
 				log.Error("DeleteRepository: %v", errDelete)
 			}
 		}
diff --git a/routers/web/repo/migrate.go b/routers/web/repo/migrate.go
index cbccb10b06..4397c49e9e 100644
--- a/routers/web/repo/migrate.go
+++ b/routers/web/repo/migrate.go
@@ -269,7 +269,6 @@ func setMigrationContextData(ctx *context.Context, serviceType structs.GitServic
 func MigrateRetryPost(ctx *context.Context) {
 	ok, err := quota_model.EvaluateForUser(ctx, ctx.Repo.Repository.OwnerID, quota_model.LimitSubjectSizeReposAll)
 	if err != nil {
-		log.Error("quota_model.EvaluateForUser: %v", err)
 		ctx.ServerError("quota_model.EvaluateForUser", err)
 		return
 	}
@@ -287,7 +286,6 @@ func MigrateRetryPost(ctx *context.Context) {
 	}
 
 	if err := task.RetryMigrateTask(ctx, ctx.Repo.Repository.ID); err != nil {
-		log.Error("Retry task failed: %v", err)
 		ctx.ServerError("task.RetryMigrateTask", err)
 		return
 	}
diff --git a/routers/web/repo/setting/deploy_key.go b/routers/web/repo/setting/deploy_key.go
index c59f0e90c2..879a21aaa5 100644
--- a/routers/web/repo/setting/deploy_key.go
+++ b/routers/web/repo/setting/deploy_key.go
@@ -99,7 +99,7 @@ func DeployKeysPost(ctx *context.Context) {
 
 // DeleteDeployKey response for deleting a deploy key
 func DeleteDeployKey(ctx *context.Context) {
-	if err := asymkey_service.DeleteDeployKey(ctx, ctx.Doer, ctx.FormInt64("id")); err != nil {
+	if err := asymkey_service.DeleteDeployKey(ctx, ctx.FormInt64("id"), ctx.Repo.Repository.ID); err != nil {
 		ctx.Flash.Error("DeleteDeployKey: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("repo.settings.deploy_key_deletion_success"))
diff --git a/services/asymkey/deploy_key.go b/services/asymkey/deploy_key.go
index 4a2cb53eec..518a2a54ec 100644
--- a/services/asymkey/deploy_key.go
+++ b/services/asymkey/deploy_key.go
@@ -9,21 +9,13 @@ import (
 	"forgejo.org/models"
 	asymkey_model "forgejo.org/models/asymkey"
 	"forgejo.org/models/db"
-	user_model "forgejo.org/models/user"
 )
 
 // DeleteDeployKey deletes deploy key from its repository authorized_keys file if needed.
-func DeleteDeployKey(ctx context.Context, doer *user_model.User, id int64) error {
-	dbCtx, committer, err := db.TxContext(ctx)
-	if err != nil {
-		return err
-	}
-	defer committer.Close()
-
-	if err := models.DeleteDeployKey(dbCtx, doer, id); err != nil {
-		return err
-	}
-	if err := committer.Commit(); err != nil {
+func DeleteDeployKey(ctx context.Context, id, repoID int64) error {
+	if err := db.WithTx(ctx, func(ctx context.Context) error {
+		return models.DeleteDeployKey(ctx, id, repoID)
+	}); err != nil {
 		return err
 	}
 
diff --git a/services/cron/tasks_extended.go b/services/cron/tasks_extended.go
index fc89fa020f..0cca72afe9 100644
--- a/services/cron/tasks_extended.go
+++ b/services/cron/tasks_extended.go
@@ -101,8 +101,8 @@ func registerDeleteMissingRepositories() {
 		Enabled:    false,
 		RunAtStart: false,
 		Schedule:   "@every 72h",
-	}, func(ctx context.Context, user *user_model.User, _ Config) error {
-		return repo_service.DeleteMissingRepositories(ctx, user)
+	}, func(ctx context.Context, _ *user_model.User, _ Config) error {
+		return repo_service.DeleteMissingRepositories(ctx)
 	})
 }
 
diff --git a/services/doctor/repository.go b/services/doctor/repository.go
index cd51483d88..a3d845f980 100644
--- a/services/doctor/repository.go
+++ b/services/doctor/repository.go
@@ -7,7 +7,6 @@ import (
 	"context"
 
 	"forgejo.org/models/db"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/storage"
 	repo_service "forgejo.org/services/repository"
@@ -39,7 +38,6 @@ func deleteOrphanedRepos(ctx context.Context) (int64, error) {
 	batchSize := db.MaxBatchInsertSize("repository")
 	e := db.GetEngine(ctx)
 	var deleted int64
-	adminUser := &user_model.User{IsAdmin: true}
 
 	for {
 		select {
@@ -60,7 +58,7 @@ func deleteOrphanedRepos(ctx context.Context) (int64, error) {
 			}
 
 			for _, id := range ids {
-				if err := repo_service.DeleteRepositoryDirectly(ctx, adminUser, id, true); err != nil {
+				if err := repo_service.DeleteRepositoryDirectly(ctx, id, repo_service.DeleteRepositoryOpts{IgnoreOrgTeams: true}); err != nil {
 					return deleted, err
 				}
 				deleted++
diff --git a/services/repository/check.go b/services/repository/check.go
index 7e680f3c58..1c9e16e02c 100644
--- a/services/repository/check.go
+++ b/services/repository/check.go
@@ -12,7 +12,6 @@ import (
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
 	system_model "forgejo.org/models/system"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/log"
 	repo_module "forgejo.org/modules/repository"
@@ -146,7 +145,7 @@ func gatherMissingRepoRecords(ctx context.Context) (repo_model.RepositoryList, e
 }
 
 // DeleteMissingRepositories deletes all repository records that lost Git files.
-func DeleteMissingRepositories(ctx context.Context, doer *user_model.User) error {
+func DeleteMissingRepositories(ctx context.Context) error {
 	repos, err := gatherMissingRepoRecords(ctx)
 	if err != nil {
 		return err
@@ -163,7 +162,7 @@ func DeleteMissingRepositories(ctx context.Context, doer *user_model.User) error
 		default:
 		}
 		log.Trace("Deleting %d/%d...", repo.OwnerID, repo.ID)
-		if err := DeleteRepositoryDirectly(ctx, doer, repo.ID); err != nil {
+		if err := DeleteRepositoryDirectly(ctx, repo.ID, DeleteRepositoryOpts{}); err != nil {
 			log.Error("Failed to DeleteRepository %-v: Error: %v", repo, err)
 			if err2 := system_model.CreateRepositoryNotice("Failed to DeleteRepository %s [%d]: Error: %v", repo.FullName(), repo.ID, err); err2 != nil {
 				log.Error("CreateRepositoryNotice: %v", err)
diff --git a/services/repository/create.go b/services/repository/create.go
index b7232b27cc..43458bed5d 100644
--- a/services/repository/create.go
+++ b/services/repository/create.go
@@ -308,7 +308,7 @@ func CreateRepositoryDirectly(ctx context.Context, doer, u *user_model.User, opt
 		return nil
 	}); err != nil {
 		if rollbackRepo != nil {
-			if errDelete := DeleteRepositoryDirectly(ctx, doer, rollbackRepo.ID); errDelete != nil {
+			if errDelete := DeleteRepositoryDirectly(ctx, rollbackRepo.ID, DeleteRepositoryOpts{}); errDelete != nil {
 				log.Error("Rollback deleteRepository: %v", errDelete)
 			}
 		}
diff --git a/services/repository/create_test.go b/services/repository/create_test.go
index bd14a5e520..4669199151 100644
--- a/services/repository/create_test.go
+++ b/services/repository/create_test.go
@@ -130,7 +130,7 @@ func TestIncludesAllRepositoriesTeams(t *testing.T) {
 	}
 
 	// Remove repo and check teams repositories.
-	require.NoError(t, DeleteRepositoryDirectly(db.DefaultContext, user, repoIDs[0]), "DeleteRepository")
+	require.NoError(t, DeleteRepositoryDirectly(db.DefaultContext, repoIDs[0], DeleteRepositoryOpts{}), "DeleteRepository")
 	teamRepos[0] = repoIDs[1:]
 	teamRepos[1] = repoIDs[1:]
 	teamRepos[3] = repoIDs[1:3]
@@ -142,7 +142,7 @@ func TestIncludesAllRepositoriesTeams(t *testing.T) {
 	// Wipe created items.
 	for i, rid := range repoIDs {
 		if i > 0 { // first repo already deleted.
-			require.NoError(t, DeleteRepositoryDirectly(db.DefaultContext, user, rid), "DeleteRepository %d", i)
+			require.NoError(t, DeleteRepositoryDirectly(db.DefaultContext, rid, DeleteRepositoryOpts{}), "DeleteRepository %d", i)
 		}
 	}
 	require.NoError(t, organization.DeleteOrganization(db.DefaultContext, org), "DeleteOrganization")
diff --git a/services/repository/delete.go b/services/repository/delete.go
index 8766204f34..8544a86604 100644
--- a/services/repository/delete.go
+++ b/services/repository/delete.go
@@ -38,9 +38,17 @@ import (
 	"xorm.io/builder"
 )
 
+type DeleteRepositoryOpts struct {
+	// Don't modify teams if they are attached to this repository.
+	IgnoreOrgTeams bool
+	// Keep migration-related beans. Should only be used to cleanup data to
+	// start another migration.
+	KeepMigrationBeans bool
+}
+
 // DeleteRepository deletes a repository for a user or organization.
 // make sure if you call this func to close open sessions (sqlite will otherwise get a deadlock)
-func DeleteRepositoryDirectly(ctx context.Context, doer *user_model.User, repoID int64, ignoreOrgTeams ...bool) error {
+func DeleteRepositoryDirectly(ctx context.Context, repoID int64, opts DeleteRepositoryOpts) error {
 	ctx, committer, err := db.TxContext(ctx)
 	if err != nil {
 		return err
@@ -75,7 +83,7 @@ func DeleteRepositoryDirectly(ctx context.Context, doer *user_model.User, repoID
 	// In case owner is a organization, we have to change repo specific teams
 	// if ignoreOrgTeams is not true
 	var org *user_model.User
-	if len(ignoreOrgTeams) == 0 || !ignoreOrgTeams[0] {
+	if !opts.IgnoreOrgTeams {
 		if org, err = user_model.GetUserByID(ctx, repo.OwnerID); err != nil {
 			return err
 		}
@@ -88,7 +96,7 @@ func DeleteRepositoryDirectly(ctx context.Context, doer *user_model.User, repoID
 	}
 	needRewriteKeysFile := len(deployKeys) > 0
 	for _, dKey := range deployKeys {
-		if err := models.DeleteDeployKey(ctx, doer, dKey.ID); err != nil {
+		if err := models.DeleteDeployKey(ctx, dKey.ID, repoID); err != nil {
 			return fmt.Errorf("deleteDeployKeys: %w", err)
 		}
 	}
@@ -173,9 +181,7 @@ func DeleteRepositoryDirectly(ctx context.Context, doer *user_model.User, repoID
 		&repo_model.Release{RepoID: repoID},
 		&repo_model.RepoIndexerStatus{RepoID: repoID},
 		&repo_model.Redirect{RedirectRepoID: repoID},
-		&repo_model.RepoUnit{RepoID: repoID},
 		&repo_model.Star{RepoID: repoID},
-		&admin_model.Task{RepoID: repoID},
 		&repo_model.Watch{RepoID: repoID},
 		&webhook.Webhook{RepoID: repoID},
 		&secret_model.Secret{RepoID: repoID},
@@ -195,18 +201,29 @@ func DeleteRepositoryDirectly(ctx context.Context, doer *user_model.User, repoID
 		return fmt.Errorf("deleteBeans: %w", err)
 	}
 
+	if !opts.KeepMigrationBeans {
+		if err := db.DeleteBeans(ctx,
+			&admin_model.Task{RepoID: repoID},
+			&repo_model.RepoUnit{RepoID: repoID},
+		); err != nil {
+			return fmt.Errorf("deleteBeans: %w", err)
+		}
+	}
+
 	// Delete Pulls and related objects
 	if err := issues_model.DeletePullsByBaseRepoID(ctx, repoID); err != nil {
 		return err
 	}
 
-	if cnt, err := sess.ID(repoID).Delete(&repo_model.Repository{}); err != nil {
-		return err
-	} else if cnt != 1 {
-		return repo_model.ErrRepoNotExist{
-			ID:        repoID,
-			OwnerName: "",
-			Name:      "",
+	if !opts.KeepMigrationBeans {
+		if cnt, err := sess.ID(repoID).Delete(&repo_model.Repository{}); err != nil {
+			return err
+		} else if cnt != 1 {
+			return repo_model.ErrRepoNotExist{
+				ID:        repoID,
+				OwnerName: "",
+				Name:      "",
+			}
 		}
 	}
 
@@ -491,7 +508,7 @@ func DeleteOwnerRepositoriesDirectly(ctx context.Context, owner *user_model.User
 			break
 		}
 		for _, repo := range repos {
-			if err := DeleteRepositoryDirectly(ctx, owner, repo.ID); err != nil {
+			if err := DeleteRepositoryDirectly(ctx, repo.ID, DeleteRepositoryOpts{}); err != nil {
 				return fmt.Errorf("unable to delete repository %s for %s[%d]. Error: %w", repo.Name, owner.Name, owner.ID, err)
 			}
 		}
diff --git a/services/repository/repository.go b/services/repository/repository.go
index 0d5ce647e0..8b206f79d3 100644
--- a/services/repository/repository.go
+++ b/services/repository/repository.go
@@ -63,7 +63,7 @@ func DeleteRepository(ctx context.Context, doer *user_model.User, repo *repo_mod
 		notify_service.DeleteRepository(ctx, doer, repo)
 	}
 
-	return DeleteRepositoryDirectly(ctx, doer, repo.ID)
+	return DeleteRepositoryDirectly(ctx, repo.ID, DeleteRepositoryOpts{})
 }
 
 // PushCreateRepo creates a repository when a new repository is pushed to an appropriate namespace
diff --git a/services/task/fixtures/TestRetryMigrateTask/issue.yml b/services/task/fixtures/TestRetryMigrateTask/issue.yml
new file mode 100644
index 0000000000..3fa46ff7d1
--- /dev/null
+++ b/services/task/fixtures/TestRetryMigrateTask/issue.yml
@@ -0,0 +1,16 @@
+-
+  id: 1001
+  repo_id: 20
+  index: 1
+  poster_id: 1
+  original_author_id: 0
+  name: eepy
+  content: I am part of a migration.
+  milestone_id: 0
+  priority: 0
+  is_closed: false
+  is_pull: false
+  num_comments: 0
+  created_unix: 1777647620
+  updated_unix: 1777647620
+  is_locked: false
diff --git a/services/task/fixtures/TestRetryMigrateTask/repo_unit.yml b/services/task/fixtures/TestRetryMigrateTask/repo_unit.yml
new file mode 100644
index 0000000000..f8e2ae5c84
--- /dev/null
+++ b/services/task/fixtures/TestRetryMigrateTask/repo_unit.yml
@@ -0,0 +1,34 @@
+-
+  id: 1001
+  repo_id: 20
+  type: 1
+  config: "{}"
+  created_unix: 1777646333
+
+-
+  id: 1002
+  repo_id: 20
+  type: 2
+  config: "{\"EnableTimetracker\":false,\"AllowOnlyContributorsToTrackTime\":false}"
+  created_unix: 1777646333
+
+-
+  id: 1003
+  repo_id: 20
+  type: 3
+  config: "{\"IgnoreWhitespaceConflicts\":true,\"AllowMerge\":true,\"AllowRebase\":false,\"AllowRebaseMerge\":true,\"AllowSquash\":false}"
+  created_unix: 1777646333
+
+-
+  id: 1004
+  repo_id: 20
+  type: 4
+  config: "{}"
+  created_unix: 1777646333
+
+-
+  id: 1005
+  repo_id: 20
+  type: 5
+  config: "{}"
+  created_unix: 1777646333
diff --git a/services/task/fixtures/TestRetryMigrateTask/task.yml b/services/task/fixtures/TestRetryMigrateTask/task.yml
new file mode 100644
index 0000000000..92bb0283b4
--- /dev/null
+++ b/services/task/fixtures/TestRetryMigrateTask/task.yml
@@ -0,0 +1,22 @@
+-
+  id: 1001
+  doer_id: 2
+  owner_id: 2
+  repo_id: 1
+  type: 0
+  status: 4
+  start_time: 1777645339
+  end_time: 1777645339
+  created: 1777645339
+
+-
+  id: 1002
+  doer_id: 2
+  owner_id: 2
+  repo_id: 20
+  type: 0
+  status: 3
+  message: 'canceled'
+  start_time: 1777645339
+  end_time: 1777645339
+  created: 1777645339
diff --git a/services/task/task.go b/services/task/task.go
index 0012b12cb0..695b321228 100644
--- a/services/task/task.go
+++ b/services/task/task.go
@@ -133,25 +133,31 @@ func CreateMigrateTask(ctx context.Context, doer, u *user_model.User, opts base.
 	return task, nil
 }
 
-// RetryMigrateTask retry a migrate task
+// RetryMigrateTask will retry the migration.
+// All data, from a previous migration, is deleted before it's retried.
 func RetryMigrateTask(ctx context.Context, repoID int64) error {
 	migratingTask, err := admin_model.GetMigratingTask(ctx, repoID)
 	if err != nil {
-		log.Error("GetMigratingTask: %v", err)
-		return err
+		return fmt.Errorf("GetMigratingTask: %w", err)
 	}
 	if migratingTask.Status == structs.TaskStatusQueued || migratingTask.Status == structs.TaskStatusRunning {
 		return nil
 	}
 
-	// TODO Need to removing the storage/database garbage brought by the failed task
+	// The migration is being retried, it could've failed for a variety of cases.
+	// In most cases however, some data already got uploaded to the disk or
+	// database. The migration code makes the assumption this is not the case and
+	// if we do not clean it up, the retry attempt will fail with absolute
+	// certainty.
+	if err := repo_service.DeleteRepositoryDirectly(ctx, repoID, repo_service.DeleteRepositoryOpts{IgnoreOrgTeams: true, KeepMigrationBeans: true}); err != nil {
+		return fmt.Errorf("DeleteRepositoryDirectly: %v", err)
+	}
 
 	// Reset task status and messages
 	migratingTask.Status = structs.TaskStatusQueued
 	migratingTask.Message = ""
 	if err = migratingTask.UpdateCols(ctx, "status", "message"); err != nil {
-		log.Error("task.UpdateCols failed: %v", err)
-		return err
+		return fmt.Errorf("task.UpdateCols: %w", err)
 	}
 
 	return taskQueue.Push(migratingTask)
diff --git a/services/task/task_test.go b/services/task/task_test.go
index 50ab1394a4..7444f6df5d 100644
--- a/services/task/task_test.go
+++ b/services/task/task_test.go
@@ -1,12 +1,21 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 package task
 
 import (
 	"testing"
 
 	admin_model "forgejo.org/models/admin"
+	issues_model "forgejo.org/models/issues"
+	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/migration"
+	"forgejo.org/modules/queue"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/structs"
+	"forgejo.org/modules/test"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -50,3 +59,46 @@ func TestCreateMigrateTask(t *testing.T) {
 		assert.Equal(t, "https://admin:password@example.com", config.CloneAddr)
 	})
 }
+
+func TestRetryMigrateTask(t *testing.T) {
+	defer unittest.OverrideFixtures("services/task/fixtures/TestRetryMigrateTask/")()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("Migrate task does not exist", func(t *testing.T) {
+		err := RetryMigrateTask(t.Context(), 100)
+		require.ErrorIs(t, err, admin_model.ErrTaskDoesNotExist{RepoID: 100})
+	})
+
+	t.Run("Normal", func(t *testing.T) {
+		// Override the task queue temporarily.
+		called := false
+		testQueue, err := queue.NewWorkerPoolQueueWithContext(t.Context(), "task", setting.QueueSettings{Type: "immediate"}, func(items ...*admin_model.Task) []*admin_model.Task {
+			if assert.Len(t, items, 1) {
+				assert.Empty(t, items[0].Message)
+				assert.Equal(t, structs.TaskStatusQueued, items[0].Status)
+				assert.EqualValues(t, 1002, items[0].ID)
+			}
+			called = true
+			return nil
+		}, true)
+		require.NoError(t, err)
+		defer test.MockVariableValue(&taskQueue, testQueue)()
+
+		// Preconditions.
+		unittest.AssertExistsIf(t, true, &repo_model.Repository{ID: 20})
+		unittest.AssertExistsIf(t, true, &admin_model.Task{RepoID: 20, Status: structs.TaskStatusFailed})
+		unittest.AssertExistsIf(t, true, &issues_model.Issue{RepoID: 20})
+		unittest.AssertCount(t, &repo_model.RepoUnit{RepoID: 20}, 5)
+
+		require.NoError(t, RetryMigrateTask(t.Context(), 20))
+
+		// Verify queue was called.
+		assert.True(t, called)
+		// Verify some beans were NOT deleted.
+		unittest.AssertExistsIf(t, true, &repo_model.Repository{ID: 20})
+		unittest.AssertExistsIf(t, true, &admin_model.Task{RepoID: 20, Status: structs.TaskStatusQueued})
+		unittest.AssertCount(t, &repo_model.RepoUnit{RepoID: 20}, 5)
+		// Verify some beans were deleted.
+		unittest.AssertExistsIf(t, false, &issues_model.Issue{RepoID: 20})
+	})
+}
diff --git a/tests/integration/api_repo_test.go b/tests/integration/api_repo_test.go
index 29edff7ac0..afa99cc17f 100644
--- a/tests/integration/api_repo_test.go
+++ b/tests/integration/api_repo_test.go
@@ -957,7 +957,7 @@ func TestAPIRepoTransfer(t *testing.T) {
 
 	// cleanup
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiRepo.ID})
-	_ = repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID)
+	require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, repo.ID, repo_service.DeleteRepositoryOpts{}))
 }
 
 // This test verifies that a repo-specific access token with `write:repository` scope is not a sufficient to transfer a
diff --git a/tests/integration/ephemeral_actions_runner_deletion_test.go b/tests/integration/ephemeral_actions_runner_deletion_test.go
index 9e995c4864..54448bd47a 100644
--- a/tests/integration/ephemeral_actions_runner_deletion_test.go
+++ b/tests/integration/ephemeral_actions_runner_deletion_test.go
@@ -116,8 +116,7 @@ func TestEphemeralRunnerDeletionOnRepositoryDeletion(t *testing.T) {
 		task := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 10054})
 		assert.Equal(t, actions_model.StatusRunning, task.Status)
 
-		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
-		err = repo_service.DeleteRepositoryDirectly(t.Context(), user, task.RepoID, true)
+		err = repo_service.DeleteRepositoryDirectly(t.Context(), task.RepoID, repo_service.DeleteRepositoryOpts{IgnoreOrgTeams: true})
 		require.NoError(t, err)
 
 		_, err = actions_model.GetRunnerByID(t.Context(), 10000008)
diff --git a/tests/integration/git_push_test.go b/tests/integration/git_push_test.go
index c7c4f6750e..3a8c653efb 100644
--- a/tests/integration/git_push_test.go
+++ b/tests/integration/git_push_test.go
@@ -201,7 +201,7 @@ func runTestGitPush(t *testing.T, u *url.URL, objectFormat git.ObjectFormat, git
 		assert.Equal(t, commitID, branch.CommitID)
 	}
 
-	require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID))
+	require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, repo.ID, repo_service.DeleteRepositoryOpts{}))
 }
 
 func TestOptionsGitPush(t *testing.T) {
@@ -310,6 +310,6 @@ func testOptionsGitPush(t *testing.T, u *url.URL) {
 			assert.True(t, logFiltered[0])
 		})
 
-		require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID))
+		require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, repo.ID, repo_service.DeleteRepositoryOpts{}))
 	})
 }

From 0af17c5f8a072b93525e0af77b8a13b0a7f316bb Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 5 May 2026 17:56:41 +0200
Subject: [PATCH 236/287] chore(renovate): run end-to-end tests on runner
 updates (#12423)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12423
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
---
 .forgejo/renovate.json | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.forgejo/renovate.json b/.forgejo/renovate.json
index 765319324b..758ae282a8 100644
--- a/.forgejo/renovate.json
+++ b/.forgejo/renovate.json
@@ -138,6 +138,13 @@
       ],
       "automerge": true
     },
+    {
+      "description": "Run end-to-end tests for some dependencies",
+      "matchPackageNames": [
+        "code.forgejo.org/forgejo/runner/**"
+      ],
+      "addLabels": ["run-end-to-end-tests"]
+    },
     {
       "description": "Disable indirect updates for stable branches",
       "matchBaseBranches": ["/^v\\d+\\.\\d+\\/forgejo$/"],

From 4cebc5d1d526c8676ecd5d6fd23c8838d9905d07 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 5 May 2026 22:39:01 +0200
Subject: [PATCH 237/287] Update module code.forgejo.org/forgejo/runner/v12 to
 v12.10.1 (forgejo) (#12426)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [code.forgejo.org/forgejo/runner/v12](https://code.forgejo.org/forgejo/runner) | `v12.10.0` → `v12.10.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.10.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/code.forgejo.org%2fforgejo%2frunner%2fv12/v12.10.0/v12.10.1?slim=true) |

---

### Release Notes

<details>
<summary>forgejo/runner (code.forgejo.org/forgejo/runner/v12)</summary>

### [`v12.10.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v12.10.1)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v12.10.0...v12.10.1)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/forgejo/runner-->

- features
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1509): <!--number 1509 --><!--line 0 --><!--description ZmVhdDogbWVyZ2UgcmV1c2FibGUgZXhwYW5zaW9uIGNhbGxlcidzICdpZicgaW50byBleHBhbmRlZCBqb2Jz-->feat: merge reusable expansion caller's 'if' into expanded jobs<!--description-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1510): <!--number 1510 --><!--line 0 --><!--description Zml4OiB3b3JrZmxvdy1sZXZlbCAnZW52JyBpcyBsb3N0IGR1cmluZyBqb2IgcGFyc2luZw==-->fix: workflow-level 'env' is lost during job parsing<!--description-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1511): <!--number 1511 --><!--line 0 --><!--description Y2hvcmU6IHVzZSBzcGVjaWZpYyB2ZXJzaW9uIG9mIGdvZnVtcHQsIG5vdCBsYXRlc3Q=-->chore: use specific version of gofumpt, not latest<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1508): <!--number 1508 --><!--line 0 --><!--description Y2hvcmU6IGluY3JlYXNlIHRoZSBsZW5ndGggb2YgdGhlIGNhY2hlIHRva2VuIGtleQ==-->chore: increase the length of the cache token key<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1504): <!--number 1504 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBnby1naXQ=-->chore: remove go-git<!--description-->
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1506): <!--number 1506 --><!--line 0 --><!--description cmVmYWN0b3I6IGRyb3AgdW51c2VkIENvbm5lY3RUb05ldHdvcmsgZnJvbSBDb250YWluZXIgaW50ZXJmYWNl-->refactor: drop unused ConnectToNetwork from Container interface<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjAuNiIsInVwZGF0ZWRJblZlciI6IjQzLjE2MC42IiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJydW4tZW5kLXRvLWVuZC10ZXN0cyIsInRlc3Qvbm90LW5lZWRlZCJdfQ==-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12426
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index ef81dae8b1..2b2307f945 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	code.forgejo.org/forgejo/go-rpmutils v1.0.0
 	code.forgejo.org/forgejo/levelqueue v1.0.0
 	code.forgejo.org/forgejo/reply v1.0.2
-	code.forgejo.org/forgejo/runner/v12 v12.10.0
+	code.forgejo.org/forgejo/runner/v12 v12.10.1
 	code.forgejo.org/go-chi/binding v1.0.1
 	code.forgejo.org/go-chi/cache v1.0.1
 	code.forgejo.org/go-chi/captcha v1.0.2
diff --git a/go.sum b/go.sum
index 8821c51435..188cd0010f 100644
--- a/go.sum
+++ b/go.sum
@@ -30,8 +30,8 @@ code.forgejo.org/forgejo/levelqueue v1.0.0 h1:9krYpU6BM+j/1Ntj6m+VCAIu0UNnne1/Uf
 code.forgejo.org/forgejo/levelqueue v1.0.0/go.mod h1:fmG6zhVuqim2rxSFOoasgXO8V2W/k9U31VVYqLIRLhQ=
 code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
 code.forgejo.org/forgejo/reply v1.0.2/go.mod h1:RyZUfzQLc+fuLIGjTSQWDAJWPiL4WtKXB/FifT5fM7U=
-code.forgejo.org/forgejo/runner/v12 v12.10.0 h1:FgUrG7cfaV/3HcbKYu+r8VY42XKpv44Q0ZcaZM3Eng0=
-code.forgejo.org/forgejo/runner/v12 v12.10.0/go.mod h1:NEQXUvam9ofsTeSTAMnJXMyCZxKLoyQhVG6DAYSpOKw=
+code.forgejo.org/forgejo/runner/v12 v12.10.1 h1:qRKjWItVDc2lEMl3jGlKyFpqgX4xHeOdEyl/irO/Nk8=
+code.forgejo.org/forgejo/runner/v12 v12.10.1/go.mod h1:A51GyZJlril5cIpVMvOn3NqE8upOE6ePjwC6s31kRHk=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616 h1:kEZL84+02jY9RxXM4zHBWZ3Fml0B09cmP1LGkDsCfIA=
 code.forgejo.org/forgejo/ssh v0.0.0-20241211213324-5fc306ca0616/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 code.forgejo.org/go-chi/binding v1.0.1 h1:coKNI+X1NzRN7X85LlrpvBRqk0TXpJ+ja28vusQWEuY=

From 59787fc2a00b90aefd5d2b00c8bf719a0b7f8045 Mon Sep 17 00:00:00 2001
From: Gabor Pihaj <gabor.pihaj@gmail.com>
Date: Wed, 6 May 2026 04:47:15 +0200
Subject: [PATCH 238/287] fix: return the error when InitDelegateHooks fail
 (#12427)

This pr PR is fixing a type introduced in #10397. In case of an error during the creation of the centralised hooks `git.InitFull` would have returned early, missing some of the configuration steps

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12427
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 modules/git/git.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/git/git.go b/modules/git/git.go
index 7f8674d099..ea3e2a1320 100644
--- a/modules/git/git.go
+++ b/modules/git/git.go
@@ -203,7 +203,7 @@ func InitFull(ctx context.Context) (err error) {
 
 	err = InitDelegateHooks(HomeDir())
 	if err != nil {
-		return nil
+		return err
 	}
 
 	return syncGitConfig()

From 09aaa129a2386dd5d3ac71e0280ff4a86469e569 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 6 May 2026 05:22:06 +0200
Subject: [PATCH 239/287] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.1.11 (forgejo) (#12429)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [https://data.forgejo.org/actions/setup-forgejo](https://code.forgejo.org/actions/setup-forgejo) | action | patch | `v3.1.10` → `v3.1.11` |

---

### Release Notes

<details>
<summary>actions/setup-forgejo (https://data.forgejo.org/actions/setup-forgejo)</summary>

### [`v3.1.11`](https://code.forgejo.org/actions/setup-forgejo/compare/v3.1.10...v3.1.11)

[Compare Source](https://code.forgejo.org/actions/setup-forgejo/compare/v3.1.10...v3.1.11)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjAuNiIsInVwZGF0ZWRJblZlciI6IjQzLjE2MC42IiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12429
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 .forgejo/workflows/build-release-integration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/build-release-integration.yml b/.forgejo/workflows/build-release-integration.yml
index d649342588..0c17898d43 100644
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@@ -32,7 +32,7 @@ jobs:
       - uses: https://data.forgejo.org/actions/checkout@v6
 
       - id: forgejo
-        uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.10
+        uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.11
         with:
           user: root
           password: admin1234

From 1cdef7d39f1fcb3bae527cd97b60f7dee8e0bee0 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Wed, 6 May 2026 12:02:58 +0200
Subject: [PATCH 240/287] chore: upgrade xorm to v1.3.9-forgejo.12 (#12430)

Upgrading to bring https://code.forgejo.org/xorm/xorm/pulls/106 into Forgejo.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12430
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 go.mod |  2 +-
 go.sum | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index 2b2307f945..23053c61ea 100644
--- a/go.mod
+++ b/go.mod
@@ -269,4 +269,4 @@ replace github.com/gliderlabs/ssh => code.forgejo.org/forgejo/ssh v0.0.0-2024121
 
 replace git.sr.ht/~mariusor/go-xsd-duration => code.forgejo.org/forgejo/go-xsd-duration v0.0.0-20220703122237-02e73435a078
 
-replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.11
+replace xorm.io/xorm v1.3.9 => code.forgejo.org/xorm/xorm v1.3.9-forgejo.12
diff --git a/go.sum b/go.sum
index 188cd0010f..bb519fd975 100644
--- a/go.sum
+++ b/go.sum
@@ -42,8 +42,8 @@ code.forgejo.org/go-chi/captcha v1.0.2 h1:vyHDPXkpjDv8bLO9NqtWzZayzstD/WpJ5xwEkA
 code.forgejo.org/go-chi/captcha v1.0.2/go.mod h1:lxiPLcJ76UCZHoH31/Wbum4GUi2NgjfFZLrJkKv1lLE=
 code.forgejo.org/go-chi/session v1.0.4 h1:WQ1NaVxcCpxYwCliEGypKclZnOCjh3p1fk8XciJc62U=
 code.forgejo.org/go-chi/session v1.0.4/go.mod h1:+sSTiomM5C8AUPtxZyTENIbcTz22kcVottKO0lnmDRk=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.11 h1:EXJVQ4feAFMkpFwtHAHuXkK6TLNYqabR7QTzqL8uObY=
-code.forgejo.org/xorm/xorm v1.3.9-forgejo.11/go.mod h1:C18NeM/SazG/q4eqpWnoNks7GeCyRUNQIe2onniRViU=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.12 h1:EodlU2MGu/EeAdUpEOe+X4cU/qlnJol1ucJ0sHUCM1o=
+code.forgejo.org/xorm/xorm v1.3.9-forgejo.12/go.mod h1:ozQINrM8b7uYFMBB/w19nUTTLcda3RKTQ8HspocVKdg=
 code.gitea.io/sdk/gitea v0.21.0 h1:69n6oz6kEVHRo1+APQQyizkhrZrLsTLXey9142pfkD4=
 code.gitea.io/sdk/gitea v0.21.0/go.mod h1:tnBjVhuKJCn8ibdyyhvUyxrR1Ca2KHEoTWoukNhXQPA=
 code.pfad.fr/check v1.1.0 h1:GWvjdzhSEgHvEHe2uJujDcpmZoySKuHQNrZMfzfO0bE=
@@ -991,14 +991,14 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
-modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
+modernc.org/libc v1.72.0 h1:IEu559v9a0XWjw0DPoVKtXpO2qt5NVLAnFaBbjq+n8c=
+modernc.org/libc v1.72.0/go.mod h1:tTU8DL8A+XLVkEY3x5E/tO7s2Q/q42EtnNWda/L5QhQ=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/sqlite v1.48.2 h1:5CnW4uP8joZtA0LedVqLbZV5GD7F/0x91AXeSyjoh5c=
-modernc.org/sqlite v1.48.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
+modernc.org/sqlite v1.50.0 h1:eMowQSWLK0MeiQTdmz3lqoF5dqclujdlIKeJA11+7oM=
+modernc.org/sqlite v1.50.0/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
 mvdan.cc/xurls/v2 v2.6.0 h1:3NTZpeTxYVWNSokW3MKeyVkz/j7uYXYiMtXRUfmjbgI=
 mvdan.cc/xurls/v2 v2.6.0/go.mod h1:bCvEZ1XvdA6wDnxY7jPPjEmigDtvtvPXAD/Exa9IMSk=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

From 8bb8ae30e16935bb69db347c8c58bb30fdbbfc15 Mon Sep 17 00:00:00 2001
From: Victor Gonzalez <victor@vgr.cl>
Date: Wed, 6 May 2026 14:10:50 +0200
Subject: [PATCH 241/287] fix: append color picker popup to dialog element
 (#12344)

---
 web_src/js/features/colorpicker.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/web_src/js/features/colorpicker.js b/web_src/js/features/colorpicker.js
index 6d00d908c9..33aa86375f 100644
--- a/web_src/js/features/colorpicker.js
+++ b/web_src/js/features/colorpicker.js
@@ -49,6 +49,7 @@ function initPicker(el) {
     content: picker,
     placement: 'bottom-start',
     interactive: true,
+    appendTo: input.closest('dialog') ?? document.body,
     onShow() {
       updatePicker(picker, input.value);
     },

From 5ccb9e815a6badffb5f023bd234125988be569d6 Mon Sep 17 00:00:00 2001
From: Victor Gonzalez <victor@vgr.cl>
Date: Wed, 6 May 2026 14:24:41 +0200
Subject: [PATCH 242/287] tests: add e2e test for color picker visibility in
 new label dialog (#12344)

Signed-off-by: Victor Gonzalez <victor@vgr.cl>
---
 tests/e2e/label-colorpicker.test.e2e.ts | 35 +++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 tests/e2e/label-colorpicker.test.e2e.ts

diff --git a/tests/e2e/label-colorpicker.test.e2e.ts b/tests/e2e/label-colorpicker.test.e2e.ts
new file mode 100644
index 0000000000..da2dee7c92
--- /dev/null
+++ b/tests/e2e/label-colorpicker.test.e2e.ts
@@ -0,0 +1,35 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+// @watch start
+// web_src/js/features/colorpicker.js
+// templates/repo/issue/labels/label_new.tmpl
+// @watch end
+
+import {expect} from '@playwright/test';
+import {test} from './utils_e2e.ts';
+
+test.use({user: 'user2'});
+
+test('Color picker is visible above the new label dialog', async ({page}) => {
+  const response = await page.goto('/user2/repo1/labels');
+  expect(response?.status()).toBe(200);
+
+  // Open the "New label" dialog
+  await page.getByRole('button', {name: 'New label'}).click();
+  const dialog = page.locator('dialog#new-label-modal');
+  await expect(dialog).toBeVisible();
+
+  // Click the color preview square to open the color picker popup
+  const colorInput = dialog.locator('.js-color-picker-input input[name="color"]');
+  await colorInput.click();
+
+  // The hex-color-picker should be visible and not hidden behind the dialog
+  const picker = dialog.locator('hex-color-picker');
+  await expect(picker).toBeVisible();
+
+  // Verify the picker tippy popup is a descendant of the dialog element,
+  // not appended to document.body (which would render below the dialog top layer)
+  const pickerInDialog = dialog.locator('.tippy-box hex-color-picker');
+  await expect(pickerInDialog).toBeVisible();
+});

From 69cf1f3333cdb420dca6d07d74b5e0269c428057 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 6 May 2026 14:55:06 +0200
Subject: [PATCH 243/287] Lock file maintenance (forgejo) (#12408)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12408
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json                  | 94 +++++++++++++++---------------
 web_src/fomantic/package-lock.json | 12 ++--
 2 files changed, 53 insertions(+), 53 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 0dd4fd4ffc..778ccdde62 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -214,9 +214,9 @@
       }
     },
     "node_modules/@babel/parser": {
-      "version": "7.29.2",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
-      "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
+      "version": "7.29.3",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.3.tgz",
+      "integrity": "sha512-b3ctpQwp+PROvU/cttc4OYl4MzfJUWy6FZg+PMXfzmt/+39iHVF0sDfqay8TQM3JA2EUOyKcFZt75jWriQijsA==",
       "license": "MIT",
       "dependencies": {
         "@babel/types": "^7.29.0"
@@ -922,9 +922,9 @@
       }
     },
     "node_modules/@discoveryjs/json-ext": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@discoveryjs/json-ext/-/json-ext-1.0.0.tgz",
-      "integrity": "sha512-dDlz3W405VMFO4w5kIP9DOmELBcvFQGmLoKSdIRstBDubKFYwaNHV1NnlzMCQpXQFGWVALmeMORAuiLx18AvZQ==",
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@discoveryjs/json-ext/-/json-ext-1.1.0.tgz",
+      "integrity": "sha512-Xc3VhU02wqZ1HvHRJUwL09HkZSTvidqY5Ya0NXBSYOxAp+Ln9dcJr9fySI+CkONzP3PekQo9WdzCv0PGER/mOA==",
       "license": "MIT",
       "engines": {
         "node": ">=14.17.0"
@@ -5813,9 +5813,9 @@
       }
     },
     "node_modules/axe-core": {
-      "version": "4.11.3",
-      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.11.3.tgz",
-      "integrity": "sha512-zBQouZixDTbo3jMGqHKyePxYxr1e5W8UdTmBQ7sNtaA9M2bE32daxxPLS/jojhKOHxQ7LWwPjfiwf/fhaJWzlg==",
+      "version": "4.11.4",
+      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.11.4.tgz",
+      "integrity": "sha512-KunSNx+TVpkAw/6ULfhnx+HWRecjqZGTOyquAoWHYLRSdK1tB5Ihce1ZW+UY3fj33bYAFWPu7W/GRSmmrCGuxA==",
       "dev": true,
       "license": "MPL-2.0",
       "engines": {
@@ -5852,9 +5852,9 @@
       "license": "MIT"
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.23",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.23.tgz",
-      "integrity": "sha512-xwVXGqevyKPsiuQdLj+dZMVjidjJV508TBqexND5HrF89cGdCYCJFB3qhcxRHSeMctdCfbR1jrxBajhDy7o29g==",
+      "version": "2.10.27",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.27.tgz",
+      "integrity": "sha512-zEs/ufmZoUd7WftKpKyXaT6RFxpQ5Qm9xytKRHvJfxFV9DFJkZph9RvJ1LcOUi0Z1ZVijMte65JbILeV+8QQEA==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -6241,12 +6241,12 @@
       }
     },
     "node_modules/chevrotain-allstar": {
-      "version": "0.4.1",
-      "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.4.1.tgz",
-      "integrity": "sha512-PvVJm3oGqrveUVW2Vt/eZGeiAIsJszYweUcYwcskg9e+IubNYKKD+rHHem7A6XVO22eDAL+inxNIGAzZ/VIWlA==",
+      "version": "0.4.3",
+      "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.4.3.tgz",
+      "integrity": "sha512-2X4mkroolSMKqW+H22pyPMUVDqYZzPhephTmg/NODKb1IGYPHfxfhcW0EjS7wcPJNbze2i4vBWT7zT5FKF2lrQ==",
       "license": "MIT",
       "dependencies": {
-        "lodash-es": "^4.17.21"
+        "lodash-es": "^4.18.1"
       },
       "peerDependencies": {
         "chevrotain": "^12.0.0"
@@ -6721,9 +6721,9 @@
       "license": "MIT"
     },
     "node_modules/cytoscape": {
-      "version": "3.33.2",
-      "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.33.2.tgz",
-      "integrity": "sha512-sj4HXd3DokGhzZAdjDejGvTPLqlt84vNFN8m7bGsOzDY5DyVcxIb2ejIXat2Iy7HxWhdT/N1oKyheJ5YdpsGuw==",
+      "version": "3.33.3",
+      "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.33.3.tgz",
+      "integrity": "sha512-Gej7U+OKR+LZ8kvX7rb2HhCYJ0IhvEFsnkud4SB1PR+BUY/TsSO0dmOW59WEVLu51b1Rm+gQRKoz4bLYxGSZ2g==",
       "license": "MIT",
       "engines": {
         "node": ">=0.10"
@@ -7529,9 +7529,9 @@
       }
     },
     "node_modules/dompurify": {
-      "version": "3.4.1",
-      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.1.tgz",
-      "integrity": "sha512-JahakDAIg1gyOm7dlgWSDjV4n7Ip2PKR55NIT6jrMfIgLFgWo81vdr1/QGqWtFNRqXP9UV71oVePtjqS2ebnPw==",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.2.tgz",
+      "integrity": "sha512-lHeS9SA/IKeIFFyYciHBr2n0v1VMPlSj843HdLOwjb2OxNwdq9Xykxqhk+FE42MzAdHvInbAolSE4mhahPpjXA==",
       "license": "(MPL-2.0 OR Apache-2.0)",
       "optionalDependencies": {
         "@types/trusted-types": "^2.0.7"
@@ -7650,9 +7650,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.344",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.344.tgz",
-      "integrity": "sha512-4MxfbmNDm+KPh066EZy+eUnkcDPcZ35wNmOWzFuh/ijvHsve6kbLTLURy88uCNK5FbpN+yk2nQY6BYh1GEt+wg==",
+      "version": "1.5.349",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.349.tgz",
+      "integrity": "sha512-QsWVGyRuY07Aqb234QytTfwd5d9AJlfNIQ5wIOl1L+PZDzI9d9+Fn0FRale/QYlFxt/bUnB0/nLd1jFPGxGK1A==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {
@@ -10751,14 +10751,14 @@
       "license": "MIT"
     },
     "node_modules/langium": {
-      "version": "4.2.2",
-      "resolved": "https://registry.npmjs.org/langium/-/langium-4.2.2.tgz",
-      "integrity": "sha512-JUshTRAfHI4/MF9dH2WupvjSXyn8JBuUEWazB8ZVJUtXutT0doDlAv1XKbZ1Pb5sMexa8FF4CFBc0iiul7gbUQ==",
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/langium/-/langium-4.2.3.tgz",
+      "integrity": "sha512-sOPIi4hISFnY7twwV97ca1TsxpBtXq0URu/LL1AvxwccPG/RIBBlKS7a/f/EL6w8lTNaS0EFs/F+IdSOaqYpng==",
       "license": "MIT",
       "dependencies": {
         "@chevrotain/regexp-to-ast": "~12.0.0",
         "chevrotain": "~12.0.0",
-        "chevrotain-allstar": "~0.4.1",
+        "chevrotain-allstar": "~0.4.3",
         "vscode-languageserver": "~9.0.1",
         "vscode-languageserver-textdocument": "~1.0.11",
         "vscode-uri": "~3.1.0"
@@ -12249,9 +12249,9 @@
       }
     },
     "node_modules/nanoid": {
-      "version": "3.3.11",
-      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz",
-      "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==",
+      "version": "3.3.12",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.12.tgz",
+      "integrity": "sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==",
       "funding": [
         {
           "type": "github",
@@ -15251,9 +15251,9 @@
       "license": "MIT"
     },
     "node_modules/tinyexec": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.1.1.tgz",
-      "integrity": "sha512-VKS/ZaQhhkKFMANmAOhhXVoIfBXblQxGX1myCQ2faQrfmobMftXeJPcZGp0gS07ocvGJWDLZGyOZDadDBqYIJg==",
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.1.2.tgz",
+      "integrity": "sha512-dAqSqE/RabpBKI8+h26GfLq6Vb3JVXs30XYQjdMjaj/c2tS8IYYMbIzP599KtRj7c57/wYApb3QjgRgXmrCukA==",
       "license": "MIT",
       "engines": {
         "node": ">=18"
@@ -15570,9 +15570,9 @@
       "license": "MIT"
     },
     "node_modules/ufo": {
-      "version": "1.6.3",
-      "resolved": "https://registry.npmjs.org/ufo/-/ufo-1.6.3.tgz",
-      "integrity": "sha512-yDJTmhydvl5lJzBmy/hyOAA0d+aqCBuwl818haVdYCRrWV84o7YyeVm4QlVHStqNrrJSTb6jKuFAVqAFsr+K3Q==",
+      "version": "1.6.4",
+      "resolved": "https://registry.npmjs.org/ufo/-/ufo-1.6.4.tgz",
+      "integrity": "sha512-JFNbkD1Svwe0KvGi8GOeLcP4kAWQ609twvCdcHxq1oSL8svv39ZuSvajcD8B+5D0eL4+s1Is2D/O6KN3qcTeRA==",
       "license": "MIT"
     },
     "node_modules/uint8-to-base64": {
@@ -15715,9 +15715,9 @@
       }
     },
     "node_modules/uuid": {
-      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
-      "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.1.tgz",
+      "integrity": "sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==",
       "funding": [
         "https://github.com/sponsors/broofa",
         "https://github.com/sponsors/ctavan"
@@ -16258,9 +16258,9 @@
       }
     },
     "node_modules/webpack-sources": {
-      "version": "3.4.0",
-      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.4.0.tgz",
-      "integrity": "sha512-gHwIe1cgBvvfLeu1Yz/dcFpmHfKDVxxyqI+kzqmuxZED81z2ChxpyqPaWcNqigPywhaEke7AjSGga+kxY55gjQ==",
+      "version": "3.4.1",
+      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.4.1.tgz",
+      "integrity": "sha512-eACpxRN02yaawnt+uUNIF7Qje6A9zArxBbcAJjK1PK3S9Ycg5jIuJ8pW4q8EMnwNZCEGltcjkRx1QzOxOkKD8A==",
       "license": "MIT",
       "engines": {
         "node": ">=10.13.0"
@@ -16512,9 +16512,9 @@
       }
     },
     "node_modules/wrap-ansi/node_modules/string-width": {
-      "version": "8.2.0",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-8.2.0.tgz",
-      "integrity": "sha512-6hJPQ8N0V0P3SNmP6h2J99RLuzrWz2gvT7VnK5tKvrNqJoyS9W4/Fb8mo31UiPvy00z7DQXkP2hnKBVav76thw==",
+      "version": "8.2.1",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-8.2.1.tgz",
+      "integrity": "sha512-IIaP0g3iy9Cyy18w3M9YcaDudujEAVHKt3a3QJg1+sr/oX96TbaGUubG0hJyCjCBThFH+tFpcIyoUHUn1ogaLA==",
       "license": "MIT",
       "dependencies": {
         "get-east-asian-width": "^1.5.0",
diff --git a/web_src/fomantic/package-lock.json b/web_src/fomantic/package-lock.json
index 5aee001936..9d6dadbfb6 100644
--- a/web_src/fomantic/package-lock.json
+++ b/web_src/fomantic/package-lock.json
@@ -1032,9 +1032,9 @@
       }
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.23",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.23.tgz",
-      "integrity": "sha512-xwVXGqevyKPsiuQdLj+dZMVjidjJV508TBqexND5HrF89cGdCYCJFB3qhcxRHSeMctdCfbR1jrxBajhDy7o29g==",
+      "version": "2.10.27",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.27.tgz",
+      "integrity": "sha512-zEs/ufmZoUd7WftKpKyXaT6RFxpQ5Qm9xytKRHvJfxFV9DFJkZph9RvJ1LcOUi0Z1ZVijMte65JbILeV+8QQEA==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -2020,9 +2020,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.344",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.344.tgz",
-      "integrity": "sha512-4MxfbmNDm+KPh066EZy+eUnkcDPcZ35wNmOWzFuh/ijvHsve6kbLTLURy88uCNK5FbpN+yk2nQY6BYh1GEt+wg==",
+      "version": "1.5.349",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.349.tgz",
+      "integrity": "sha512-QsWVGyRuY07Aqb234QytTfwd5d9AJlfNIQ5wIOl1L+PZDzI9d9+Fn0FRale/QYlFxt/bUnB0/nLd1jFPGxGK1A==",
       "license": "ISC"
     },
     "node_modules/emoji-regex": {

From bf958fa3558fc8af4c9dfa4b0e126424a071cca2 Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Thu, 7 May 2026 18:10:02 +0200
Subject: [PATCH 244/287] fix: make package cleanup work again (#12446)

- Regression of forgejo/forgejo!11776 (and forgejo/forgejo!11881)
- Scope of the transaction is moved to a per-package cleanup rule basis.
This is also a enhancement for scaling (already deployed on Codeberg for a while).
- Package cleanup is now run with `RetryTx`, because rebuilding
  repository files runs `RetryTx` and it could indicate to retry the whole
  transaction.
- Previously it would error and say running `RetryTx` in a
  transaction was not possible, this is now possible. Nested `RetryTx` is
  always allowed, matching of which errors to retry is still the responsible
  of the inner `RetryTx`.

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12446
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 models/db/context.go                   |  50 ++++++++---
 models/db/context_test.go              |  44 ++++++++++
 services/packages/cleanup/cleanup.go   | 116 +++++++++++--------------
 tests/integration/api_packages_test.go |  36 ++++++++
 4 files changed, 171 insertions(+), 75 deletions(-)

diff --git a/models/db/context.go b/models/db/context.go
index 18237bb2a2..b51861d896 100644
--- a/models/db/context.go
+++ b/models/db/context.go
@@ -510,31 +510,57 @@ type RetryConfig struct {
 	AttemptCount int
 }
 
+var ErrNestedRetryTxFailure = errors.New("(nested)")
+
+type nestedRetryTxState int
+
+var nestedRetryTx nestedRetryTxState
+
 // Execute the given function in a transaction. RetryConfig will retry the function on an error, if it matches the
 // ErrorIs parameter, up to the total of AttemptCount number of tries. RetryTx cannot be invoked when already within a
 // transaction and will return an error immediately.
+//
+// ErrNestedRetryTxFailure is an error type that will occur when RetryTx is nested within each other, and indicates that
+// an inner RetryTx encountered an error that matched its error list.
 func RetryTx(ctx context.Context, config RetryConfig, f func(ctx context.Context) error) error {
-	if InTransaction(ctx) {
+	matchError := func(err error) bool {
+		for _, possibleError := range config.ErrorIs {
+			if errors.Is(err, possibleError) {
+				return true
+			}
+		}
+		return false
+	}
+
+	// Accept `ErrNestedRetryTxFailure` as error to retry on, means that a nested
+	// RetryTx indicated to retry the whole transaction.
+	config.ErrorIs = append(config.ErrorIs, ErrNestedRetryTxFailure)
+
+	withinRetryTx, present := ctx.Value(nestedRetryTx).(bool)
+	if present && withinRetryTx {
+		// If a caller already started `RetryTx`, then we assume we don't have to actually perform retries here -- we
+		// can attempt the requested function once, and if an error is returned that matches the configured error list,
+		// we'll return that error + ErrNestedRetryTxFailure wrapping.
+		err := f(ctx)
+		if err == nil {
+			return nil
+		} else if matchError(err) {
+			return fmt.Errorf("nested RetryTx; internal Tx failed with error that won't be retried: %w %w", err, ErrNestedRetryTxFailure)
+		}
+		return err
+	} else if InTransaction(ctx) {
 		return errors.New("unsupported operation: attempted to use RetryTx while already within a transaction")
 	} else if config.AttemptCount == 0 {
 		return errors.New("unsupported operation: attempted to use RetryTx with 0 attempts")
 	}
 
+	innerCtx := context.WithValue(ctx, nestedRetryTx, true)
 	var lastError error
 	for range config.AttemptCount {
-		err := WithTx(ctx, f)
+		err := WithTx(innerCtx, f)
 		if err == nil {
 			return nil
-		}
-
-		foundMatch := false
-		for _, possibleError := range config.ErrorIs {
-			if errors.Is(err, possibleError) {
-				foundMatch = true
-				break
-			}
-		}
-		if !foundMatch {
+		} else if !matchError(err) {
 			return err
 		}
 
diff --git a/models/db/context_test.go b/models/db/context_test.go
index 60ef8462cc..59ef1e7754 100644
--- a/models/db/context_test.go
+++ b/models/db/context_test.go
@@ -275,4 +275,48 @@ func TestRetryTx(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, 2, attemptCount)
 	})
+
+	t.Run("nested", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+		}, func(ctx context.Context) error {
+			attemptCount++
+			return db.RetryTx(ctx, db.RetryConfig{
+				AttemptCount: 2,
+				ErrorIs:      []error{testError},
+			}, func(ctx context.Context) error {
+				if attemptCount == 2 {
+					return nil
+				}
+				return testError
+			})
+		})
+
+		require.NoError(t, err)
+		assert.Equal(t, 2, attemptCount)
+	})
+
+	t.Run("inner RetryTx decides on error", func(t *testing.T) {
+		attemptCount := 0
+		testError := errors.New("hello")
+		err := db.RetryTx(t.Context(), db.RetryConfig{
+			AttemptCount: 2,
+			ErrorIs:      []error{},
+		}, func(ctx context.Context) error {
+			attemptCount++
+			return db.RetryTx(ctx, db.RetryConfig{
+				AttemptCount: 2,
+			}, func(ctx context.Context) error {
+				if attemptCount == 2 {
+					return nil
+				}
+				return testError
+			})
+		})
+
+		require.ErrorIs(t, err, testError)
+		assert.Equal(t, 1, attemptCount)
+	})
 }
diff --git a/services/packages/cleanup/cleanup.go b/services/packages/cleanup/cleanup.go
index 3c177abca4..d244bf921d 100644
--- a/services/packages/cleanup/cleanup.go
+++ b/services/packages/cleanup/cleanup.go
@@ -33,78 +33,68 @@ func CleanupTask(ctx context.Context, olderThan time.Duration) error {
 	return CleanupExpiredData(ctx, olderThan)
 }
 
-func ExecuteCleanupRules(outerCtx context.Context) error {
-	ctx, committer, err := db.TxContext(outerCtx)
-	if err != nil {
-		return err
-	}
-	defer committer.Close()
-
-	err = packages_model.IterateEnabledCleanupRules(ctx, func(ctx context.Context, pcr *packages_model.PackageCleanupRule) error {
-		select {
-		case <-outerCtx.Done():
-			return db.ErrCancelledf("While processing package cleanup rules")
-		default:
-		}
-
-		versionsToRemove, err := GetCleanupTargets(ctx, pcr, true)
-		if err != nil {
-			return fmt.Errorf("CleanupRule [%d]: GetCleanupTargets failed: %w", pcr.ID, err)
-		}
-
-		anyVersionDeleted := false
-		packageWithVersionDeleted := make(map[int64]bool) // set of Package.ID's where at least one package version was removed
-		for _, ct := range versionsToRemove {
-			if err := packages_service.DeletePackageVersionAndReferences(ctx, ct.PackageVersion); err != nil {
-				return fmt.Errorf("CleanupRule [%d]: DeletePackageVersionAndReferences failed: %w", pcr.ID, err)
+func ExecuteCleanupRules(ctx context.Context) error {
+	return packages_model.IterateEnabledCleanupRules(ctx, func(ctx context.Context, pcr *packages_model.PackageCleanupRule) error {
+		// We have no errors to retry on, because we have no evidence we need any in
+		// this area. What we do retry on is when a nested `db.RetryTx` indicates to
+		// retry the whole transaction.
+		return db.RetryTx(ctx, db.RetryConfig{
+			AttemptCount: 3,
+		}, func(ctx context.Context) error {
+			versionsToRemove, err := GetCleanupTargets(ctx, pcr, true)
+			if err != nil {
+				return fmt.Errorf("CleanupRule [%d]: GetCleanupTargets failed: %w", pcr.ID, err)
 			}
-			packageWithVersionDeleted[ct.Package.ID] = true
-			anyVersionDeleted = true
-		}
 
-		if pcr.Type == packages_model.TypeCargo {
-			for packageID := range packageWithVersionDeleted {
-				owner, err := user_model.GetUserByID(ctx, pcr.OwnerID)
-				if err != nil {
-					return fmt.Errorf("GetUserByID failed: %w", err)
+			anyVersionDeleted := false
+			packageWithVersionDeleted := make(map[int64]bool) // set of Package.ID's where at least one package version was removed
+			for _, ct := range versionsToRemove {
+				if err := packages_service.DeletePackageVersionAndReferences(ctx, ct.PackageVersion); err != nil {
+					return fmt.Errorf("CleanupRule [%d]: DeletePackageVersionAndReferences failed: %w", pcr.ID, err)
 				}
-				if err := cargo_service.UpdatePackageIndexIfExists(ctx, owner, owner, packageID); err != nil {
-					return fmt.Errorf("CleanupRule [%d]: cargo.UpdatePackageIndexIfExists failed: %w", pcr.ID, err)
+				packageWithVersionDeleted[ct.Package.ID] = true
+				anyVersionDeleted = true
+			}
+
+			if pcr.Type == packages_model.TypeCargo {
+				for packageID := range packageWithVersionDeleted {
+					owner, err := user_model.GetUserByID(ctx, pcr.OwnerID)
+					if err != nil {
+						return fmt.Errorf("GetUserByID failed: %w", err)
+					}
+					if err := cargo_service.UpdatePackageIndexIfExists(ctx, owner, owner, packageID); err != nil {
+						return fmt.Errorf("CleanupRule [%d]: cargo.UpdatePackageIndexIfExists failed: %w", pcr.ID, err)
+					}
 				}
 			}
-		}
 
-		if anyVersionDeleted {
-			switch pcr.Type {
-			case packages_model.TypeDebian:
-				if err := debian_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
-					return fmt.Errorf("CleanupRule [%d]: debian.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
-				}
-			case packages_model.TypeAlpine:
-				if err := alpine_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
-					return fmt.Errorf("CleanupRule [%d]: alpine.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
-				}
-			case packages_model.TypeRpm:
-				if err := rpm_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
-					return fmt.Errorf("CleanupRule [%d]: rpm.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
-				}
-			case packages_model.TypeArch:
-				if err := arch_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
-					return fmt.Errorf("CleanupRule [%d]: arch.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
-				}
-			case packages_model.TypeAlt:
-				if err := alt_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
-					return fmt.Errorf("CleanupRule [%d]: alt.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
+			if anyVersionDeleted {
+				switch pcr.Type {
+				case packages_model.TypeDebian:
+					if err := debian_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
+						return fmt.Errorf("CleanupRule [%d]: debian.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
+					}
+				case packages_model.TypeAlpine:
+					if err := alpine_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
+						return fmt.Errorf("CleanupRule [%d]: alpine.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
+					}
+				case packages_model.TypeRpm:
+					if err := rpm_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
+						return fmt.Errorf("CleanupRule [%d]: rpm.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
+					}
+				case packages_model.TypeArch:
+					if err := arch_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
+						return fmt.Errorf("CleanupRule [%d]: arch.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
+					}
+				case packages_model.TypeAlt:
+					if err := alt_service.BuildAllRepositoryFiles(ctx, pcr.OwnerID); err != nil {
+						return fmt.Errorf("CleanupRule [%d]: alt.BuildAllRepositoryFiles failed: %w", pcr.ID, err)
+					}
 				}
 			}
-		}
-		return nil
+			return nil
+		})
 	})
-	if err != nil {
-		return err
-	}
-
-	return committer.Commit()
 }
 
 type CleanupTarget struct {
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
index 904ae4f065..44c0057941 100644
--- a/tests/integration/api_packages_test.go
+++ b/tests/integration/api_packages_test.go
@@ -527,6 +527,42 @@ func TestPackageCleanup(t *testing.T) {
 
 	duration, _ := time.ParseDuration("-1h")
 
+	t.Run("Debian", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		// Debian does a repository rebuild.
+
+		distribution := "forgejo"
+		component := "main"
+		architecture := "amd64"
+		packageName := "runner"
+		packageDescription := "Forgejo Runner"
+
+		rootURL := fmt.Sprintf("/api/packages/%s/debian", user.Name)
+		uploadURL := fmt.Sprintf("%s/pool/%s/%s/upload", rootURL, distribution, component)
+
+		req := NewRequestWithBody(t, "PUT", uploadURL,
+			createDebianArchive(packageName, "1.0.0", architecture, packageDescription)).
+			AddBasicAuth(user.Name)
+		MakeRequest(t, req, http.StatusCreated)
+
+		resp := MakeRequest(t, NewRequestf(t, "GET", "%s/dists/%s/%s/binary-%s/Packages", rootURL, distribution, component, architecture), http.StatusOK)
+		assert.Contains(t, resp.Body.String(), "pool/forgejo/main/runner_1.0.0_amd64.deb")
+
+		pcr, err := packages_model.InsertCleanupRule(t.Context(), &packages_model.PackageCleanupRule{
+			Enabled:       true,
+			RemovePattern: `.+`,
+			OwnerID:       user.ID,
+			Type:          packages_model.TypeDebian,
+		})
+		require.NoError(t, err)
+
+		require.NoError(t, packages_cleanup_service.CleanupTask(t.Context(), duration))
+
+		MakeRequest(t, NewRequestf(t, "GET", "%s/dists/%s/%s/binary-%s/Packages", rootURL, distribution, component, architecture), http.StatusNotFound)
+
+		require.NoError(t, packages_model.DeleteCleanupRuleByID(t.Context(), pcr.ID))
+	})
+
 	t.Run("Common", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 

From 326ae6ad672c3cffad4f56d30364cfdfd1a448a7 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 7 May 2026 20:04:54 +0200
Subject: [PATCH 245/287] Update go toolchain directive to v1.26.3 (forgejo)
 (#12454)

---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 23053c61ea..a6e9db2b28 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module forgejo.org
 
 go 1.26.0
 
-toolchain go1.26.2
+toolchain go1.26.3
 
 require (
 	code.forgejo.org/f3/gof3/v3 v3.11.15

From f55f3481f28c9aa402448d192c7e8dfac59c2cc9 Mon Sep 17 00:00:00 2001
From: Gabor Pihaj <gabor.pihaj@gmail.com>
Date: Thu, 7 May 2026 22:01:13 +0200
Subject: [PATCH 246/287] test: fix flaky integration test (#12441)

See #12353 for more details

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12441
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 tests/integration/git_test.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/integration/git_test.go b/tests/integration/git_test.go
index dc86f4a4c2..954a0fd359 100644
--- a/tests/integration/git_test.go
+++ b/tests/integration/git_test.go
@@ -201,9 +201,12 @@ func standardCommitAndPushTest(t *testing.T, dstPath string) (little, big string
 func lfsCommitAndPushTest(t *testing.T, dstPath string) (littleLFS, bigLFS string) {
 	t.Run("LFS", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
-		defer git.NewCommand(git.DefaultContext, "lfs").AddArguments("uninstall").Run(&git.RunOpts{Dir: dstPath})
+
+		err := git.NewCommand(git.DefaultContext, "config", "core.hooksPath", "$GIT/.hooks").AddArguments("--local").Run(&git.RunOpts{Dir: dstPath})
+		require.NoError(t, err)
+
 		prefix := "lfs-data-file-"
-		err := git.NewCommand(git.DefaultContext, "lfs").AddArguments("install").Run(&git.RunOpts{Dir: dstPath})
+		err = git.NewCommand(git.DefaultContext, "lfs").AddArguments("install").Run(&git.RunOpts{Dir: dstPath})
 		require.NoError(t, err)
 		_, _, err = git.NewCommand(git.DefaultContext, "lfs").AddArguments("track").AddDynamicArguments(prefix + "*").RunStdString(&git.RunOpts{Dir: dstPath})
 		require.NoError(t, err)
@@ -232,6 +235,7 @@ func lfsCommitAndPushTest(t *testing.T, dstPath string) (littleLFS, bigLFS strin
 			lockTest(t, dstPath)
 		})
 	})
+
 	return littleLFS, bigLFS
 }
 

From 5022be3029ea975a88ca462a17e1e536e5363254 Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Fri, 8 May 2026 00:40:01 +0200
Subject: [PATCH 247/287] fix(activitypub): cover all routes with signature
 checks (#12339)

This changes the ReqHTTPSignature middleware to cover the entire activitypub
route group to not miss any new routes again in the future. Further, this adds
a tests iterating through all activitypub routes to test that the signature
verification is actually done.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12339
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: elle <0xllx0@noreply.codeberg.org>
---
 routers/api/v1/api.go                         | 45 ++++++++--------
 .../integration/api_activitypub_actor_test.go |  3 ++
 .../api_activitypub_person_test.go            |  1 +
 .../api_federation_httpsig_test.go            | 53 +++++++++++++++++++
 4 files changed, 78 insertions(+), 24 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 8910babc29..55ea6762e3 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -873,31 +873,28 @@ func Routes() *web.Route {
 		if setting.Federation.Enabled {
 			m.Get("/nodeinfo", misc.NodeInfo)
 			m.Group("/activitypub", func() {
-				m.Group("/user-id/{user-id}", func() {
-					m.Get("", activitypub.ReqHTTPSignature(), activitypub.Person)
-					m.Post("/inbox",
-						activitypub.ReqHTTPSignature(),
-						bind(ap.Activity{}),
-						activitypub.PersonInbox)
-					m.Group("/activities/{activity-id}", func() {
-						m.Get("", activitypub.PersonActivityNote)
-						m.Get("/activity", activitypub.PersonActivity)
+				// The instance actor must always be fetchable without signatures
+				m.Get("/actor", activitypub.Actor)
+				m.Group("", func() {
+					m.Group("/actor", func() {
+						m.Post("/inbox", activitypub.ActorInbox)
+						m.Get("/outbox", activitypub.ActorOutbox)
 					})
-					m.Get("/outbox", activitypub.ReqHTTPSignature(), activitypub.PersonFeed)
-				}, context.UserIDAssignmentAPI(), checkTokenPublicOnly())
-				m.Group("/actor", func() {
-					m.Get("", activitypub.Actor)
-					m.Post("/inbox", activitypub.ReqHTTPSignature(), activitypub.ActorInbox)
-					m.Get("/outbox", activitypub.ActorOutbox)
-				})
-				m.Group("/repository-id/{repository-id}", func() {
-					m.Get("", activitypub.ReqHTTPSignature(), activitypub.Repository)
-					m.Post("/inbox",
-						bind(ap.Activity{}),
-						activitypub.ReqHTTPSignature(),
-						activitypub.RepositoryInbox)
-					m.Get("/outbox", activitypub.ReqHTTPSignature(), activitypub.RepositoryOutbox)
-				}, context.RepositoryIDAssignmentAPI())
+					m.Group("/user-id/{user-id}", func() {
+						m.Get("", activitypub.Person)
+						m.Post("/inbox", bind(ap.Activity{}), activitypub.PersonInbox)
+						m.Get("/outbox", activitypub.PersonFeed)
+						m.Group("/activities/{activity-id}", func() {
+							m.Get("", activitypub.PersonActivityNote)
+							m.Get("/activity", activitypub.PersonActivity)
+						})
+					}, context.UserIDAssignmentAPI(), checkTokenPublicOnly())
+					m.Group("/repository-id/{repository-id}", func() {
+						m.Get("", activitypub.Repository)
+						m.Post("/inbox", bind(ap.Activity{}), activitypub.RepositoryInbox)
+						m.Get("/outbox", activitypub.RepositoryOutbox)
+					}, context.RepositoryIDAssignmentAPI())
+				}, activitypub.ReqHTTPSignature())
 			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))
 		}
 
diff --git a/tests/integration/api_activitypub_actor_test.go b/tests/integration/api_activitypub_actor_test.go
index 2a758f5424..25c55e75a8 100644
--- a/tests/integration/api_activitypub_actor_test.go
+++ b/tests/integration/api_activitypub_actor_test.go
@@ -49,6 +49,9 @@ func TestActivityPubActor(t *testing.T) {
 	assert.Regexp(t, "^-----BEGIN PUBLIC KEY-----", pubKeyPem)
 
 	t.Run("ActorOutboxEmpty", func(t *testing.T) {
+		// /inbox and /outbox routes also require signature checks
+		defer test.MockVariableValue(&setting.Federation.SignatureEnforced, false)()
+
 		req := NewRequest(t, "GET", actor.Outbox.GetID().String())
 		resp := MakeRequest(t, req, http.StatusOK)
 
diff --git a/tests/integration/api_activitypub_person_test.go b/tests/integration/api_activitypub_person_test.go
index c0f297a7d3..75746d1a17 100644
--- a/tests/integration/api_activitypub_person_test.go
+++ b/tests/integration/api_activitypub_person_test.go
@@ -80,6 +80,7 @@ func TestActivityPubPerson(t *testing.T) {
 func TestActivityPubMissingPerson(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+	defer test.MockVariableValue(&setting.Federation.SignatureEnforced, false)()
 	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
 
 	req := NewRequest(t, "GET", "/api/v1/activitypub/user-id/999999999")
diff --git a/tests/integration/api_federation_httpsig_test.go b/tests/integration/api_federation_httpsig_test.go
index 2f62efb2af..431676acee 100644
--- a/tests/integration/api_federation_httpsig_test.go
+++ b/tests/integration/api_federation_httpsig_test.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"testing"
 	"time"
 
@@ -20,6 +21,7 @@ import (
 	"forgejo.org/routers"
 	"forgejo.org/services/contexttest"
 
+	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -94,3 +96,54 @@ func TestFederationHttpSigValidation(t *testing.T) {
 		})
 	})
 }
+
+func TestFederationAllRoutesCovered(t *testing.T) {
+	defer test.MockVariableValue(&setting.Federation.Enabled, true)()
+	defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+	routes := routers.NormalRoutes().R.Routes()
+
+	var r *chi.Route
+	for _, route := range routes {
+		if route.Pattern == "/api/v1/*" {
+			r = &route
+			break
+		}
+	}
+
+	require.NotNil(t, r)
+
+	ranOne := false
+	for _, route := range r.SubRoutes.Routes() {
+		if !strings.HasPrefix(route.Pattern, "/activitypub/") {
+			continue
+		}
+
+		ranOne = true
+		if route.Pattern == "/activitypub/actor" {
+			// unsigned request to the actor should always succed
+			req := NewRequest(t, "GET", fmt.Sprintf("%sapi/v1/activitypub/actor", setting.AppURL))
+			MakeRequest(t, req, http.StatusOK)
+		} else {
+			// this just puts in something for the replacements to be able to make a request
+			url := fmt.Sprintf("%sapi/v1%s", setting.AppURL, route.Pattern)
+			for strings.Contains(url, "{") {
+				before, after, _ := strings.Cut(url, "/{")
+				_, after, _ = strings.Cut(after, "}/")
+				url = fmt.Sprintf("%s/1/%s", before, after)
+			}
+
+			var req *RequestWrapper
+			if strings.Contains(route.Pattern, "inbox") {
+				req = NewRequestWithJSON(t, "POST", url, "{}")
+			} else {
+				req = NewRequest(t, "GET", url)
+			}
+
+			resp := MakeRequest(t, req, http.StatusBadRequest)
+			assert.Contains(t, resp.Body.String(), "request signature verification failed")
+		}
+	}
+
+	require.True(t, ranOne)
+}

From 115f8594cf029d4d74e7b9f1cdbfc088509cf102 Mon Sep 17 00:00:00 2001
From: Antonin Delpeuch <antonin@delpeuch.eu>
Date: Fri, 8 May 2026 01:52:46 +0200
Subject: [PATCH 248/287] fix: paginate team members list (#12447)

Fixes #12103.

Paginate the list of team members on the page for that team.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12447
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 models/organization/team.go        | 10 +++++--
 routers/web/org/teams.go           | 10 ++++++-
 templates/org/team/members.tmpl    |  1 +
 tests/integration/org_team_test.go | 48 ++++++++++++++++++++++++++++++
 4 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 tests/integration/org_team_test.go

diff --git a/models/organization/team.go b/models/organization/team.go
index 209471e013..b7b93821ad 100644
--- a/models/organization/team.go
+++ b/models/organization/team.go
@@ -161,10 +161,16 @@ func (t *Team) LoadRepositories(ctx context.Context) (err error) {
 	return err
 }
 
-// LoadMembers returns paginated members in team of organization.
+// LoadMembers loads the members of the team in t.Members.
 func (t *Team) LoadMembers(ctx context.Context) (err error) {
+	return t.LoadPaginatedMembers(ctx, db.ListOptionsAll)
+}
+
+// LoadPaginatedMembers loads paginated members of the team in t.Members.
+func (t *Team) LoadPaginatedMembers(ctx context.Context, listOptions db.ListOptions) (err error) {
 	t.Members, err = GetTeamMembers(ctx, &SearchMembersOptions{
-		TeamID: t.ID,
+		ListOptions: listOptions,
+		TeamID:      t.ID,
 	})
 	return err
 }
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 1785623855..1b76a6abf9 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -377,10 +377,18 @@ func TeamMembers(ctx *context.Context) {
 		return
 	}
 
-	if err := ctx.Org.Team.LoadMembers(ctx); err != nil {
+	page := max(ctx.FormInt("page"), 1)
+	total := ctx.Org.Team.NumMembers
+	pager := context.NewPagination(total, setting.UI.MembersPagingNum, page, 5)
+	opts := db.ListOptions{}
+	opts.Page = page
+	opts.PageSize = setting.UI.MembersPagingNum
+
+	if err := ctx.Org.Team.LoadPaginatedMembers(ctx, opts); err != nil {
 		ctx.ServerError("GetMembers", err)
 		return
 	}
+	ctx.Data["Page"] = pager
 	ctx.Data["Units"] = unit_model.Units
 
 	invites, err := org_model.GetInvitesByTeamID(ctx, ctx.Org.Team.ID)
diff --git a/templates/org/team/members.tmpl b/templates/org/team/members.tmpl
index 60667e963d..e027db68da 100644
--- a/templates/org/team/members.tmpl
+++ b/templates/org/team/members.tmpl
@@ -49,6 +49,7 @@
 							</div>
 						{{end}}
 					</div>
+					{{template "base/paginate" .}}
 				</div>
 				{{if and .Invites $.IsOrganizationOwner}}
 				<h4 class="ui top attached header">{{ctx.Locale.Tr "org.teams.invite_team_member.list"}}</h4>
diff --git a/tests/integration/org_team_test.go b/tests/integration/org_team_test.go
new file mode 100644
index 0000000000..2ed3025785
--- /dev/null
+++ b/tests/integration/org_team_test.go
@@ -0,0 +1,48 @@
+// Copyright 2026 The Forgejo Authors
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+	"testing"
+
+	"forgejo.org/models/db"
+	"forgejo.org/models/organization"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/test"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPaginatedMembers(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	// To make sure that pagination kicks in even though the test team has few members
+	defer test.MockVariableValue(&setting.UI.MembersPagingNum, 2)()
+
+	org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 17})
+	team := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: 9})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29})
+
+	assert.GreaterOrEqual(t, org.NumMembers, 3)
+	isOrgMember, err := organization.IsOrganizationMember(db.DefaultContext, org.ID, user.ID)
+	require.NoError(t, err)
+	assert.True(t, isOrgMember)
+	isTeamMember, err := organization.IsTeamMember(db.DefaultContext, team.OrgID, team.ID, user.ID)
+	require.NoError(t, err)
+	assert.True(t, isTeamMember)
+	assert.Equal(t, org.ID, team.OrgID)
+
+	session := loginUser(t, user.Name)
+
+	teamURL := fmt.Sprintf("/org/%s/teams/%s", org.Name, team.LowerName)
+	newVar := session.MakeRequest(t, NewRequest(t, "GET", teamURL), http.StatusOK).Body
+	doc := NewHTMLParser(t, newVar)
+	assert.Contains(t, strings.TrimSpace(doc.Find("a.item.navigation:contains('Next')").AttrOr("href", "")), fmt.Sprintf("%s?page=2", teamURL))
+}

From ffd10d37a6771a16ffbc1222bd7c307970c75a13 Mon Sep 17 00:00:00 2001
From: Akashdeep Dhar <akashdeep.dhar@gmail.com>
Date: Fri, 8 May 2026 04:43:33 +0200
Subject: [PATCH 249/287] fix: ensure moving all commits in a pull request for
 pagure migration (#12433)

While the changes were conveyed in the pull request in its entirety, the commit
history of a pull request having more than one commit was bugged and the log
would have shown just the presence of the most recent commit event, having the
entire changes contained in a pull request.

This is a problem that was mostly noticed in the closed pull request, so it is
not as bad as it looks. Even then, if we are migrating closed pull requests, we
should do it the right way. We do not want to retain these pull requests for
archival purposes if they are not accurate.

Signed-off-by: Akashdeep Dhar <akashdeep.dhar@gmail.com>

Fixes https://forge.fedoraproject.org/forge/forge/issues/556

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12433
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 services/migrations/pagure.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/migrations/pagure.go b/services/migrations/pagure.go
index 6573871e0d..0bcbfb6d3e 100644
--- a/services/migrations/pagure.go
+++ b/services/migrations/pagure.go
@@ -153,6 +153,7 @@ type PagurePRResponse struct {
 	Requests []struct {
 		Branch         string     `json:"branch"`
 		BranchFrom     string     `json:"branch_from"`
+		CommitStart    string     `json:"commit_start"`
 		CommitStop     string     `json:"commit_stop"`
 		DateCreated    string     `json:"date_created"`
 		FullURL        string     `json:"full_url"`
@@ -560,7 +561,7 @@ func (d *PagureDownloader) GetPullRequests(page, perPage int) ([]*base.PullReque
 		}
 		mergedtime := processDate(&pr.ClosedAt)
 
-		err = d.callAPI("/api/0/"+d.repoName+"/c/"+pr.CommitStop+"/info", nil, &commit)
+		err = d.callAPI("/api/0/"+d.repoName+"/c/"+pr.CommitStart+"/info", nil, &commit)
 		if err != nil {
 			return nil, false, err
 		}

From 3a35c5353ecbb43429474a7db3dcfa23df550279 Mon Sep 17 00:00:00 2001
From: Thanos Apollo <public@thanosapollo.org>
Date: Fri, 8 May 2026 04:46:57 +0200
Subject: [PATCH 250/287] feat: expose AGit topic branch in API PR head label
 (#12352)

For Agit-flow pull requests, `head.label` was explicitly set to an empty
string.  The head branch name (which contains the Agit topic,
e.g. `user2/my-topic`) was already populated from `pr.HeadBranch` but then
discarded.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12352
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Cyborus <cyborus@disroot.org>
---
 services/convert/pull.go      | 1 -
 tests/integration/git_test.go | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/convert/pull.go b/services/convert/pull.go
index 41cbcc25aa..4856c58736 100644
--- a/services/convert/pull.go
+++ b/services/convert/pull.go
@@ -177,7 +177,6 @@ func ToAPIPullRequest(ctx context.Context, pr *issues_model.PullRequest, doer *u
 		}
 		apiPullRequest.Head.RepoID = pr.BaseRepoID
 		apiPullRequest.Head.Repository = apiPullRequest.Base.Repository
-		apiPullRequest.Head.Name = ""
 	}
 
 	if pr.HeadRepo != nil && pr.Flow == issues_model.PullRequestFlowGithub {
diff --git a/tests/integration/git_test.go b/tests/integration/git_test.go
index 954a0fd359..83853883c1 100644
--- a/tests/integration/git_test.go
+++ b/tests/integration/git_test.go
@@ -860,6 +860,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *APITestContext, headBranch string
 			assert.False(t, prMsg.HasMerged)
 			assert.Contains(t, "Testing commit 1", prMsg.Body)
 			assert.Equal(t, commit, prMsg.Head.Sha)
+			assert.Equal(t, "user2/"+headBranch, prMsg.Head.Name)
 
 			_, _, err = git.NewCommand(git.DefaultContext, "push", "origin").AddDynamicArguments("HEAD:refs/for/master/test/" + headBranch).RunStdString(&git.RunOpts{Dir: dstPath})
 			require.NoError(t, err)
@@ -878,6 +879,7 @@ func doCreateAgitFlowPull(dstPath string, ctx *APITestContext, headBranch string
 			prMsg = doAPIGetPullRequest(*ctx, ctx.Username, ctx.Reponame, pr2.Index)(t)
 
 			assert.Equal(t, "user2/test/"+headBranch, pr2.HeadBranch)
+			assert.Equal(t, "user2/test/"+headBranch, prMsg.Head.Name)
 			assert.False(t, prMsg.HasMerged)
 		})
 

From 6132d0e4069e0043c41302e300c6d3a5ab7b8ccc Mon Sep 17 00:00:00 2001
From: Thomas Kolar <thomas.kolar@uni-ak.ac.at>
Date: Fri, 8 May 2026 05:52:59 +0200
Subject: [PATCH 251/287] fix: Prevent unremovable review requests after
 submitting pending reviews (#12302)

Some notes:
- I didn't write integration tests because it's a pure bugfix that addresses implementation details of the model layer.
  - I can see interpretations of "it involves interactions with a live Forgejo server" that would cover this PR, but they don't make sense to me in context.
- I didn't add anything to the documentation because it's a pure bugfix - the system should always have worked this way
  - there's no value in confusing people trying to figure out how the system works now with how it didn't work in the past
- However, there IS value in informing people who may have gotten bitten by this in the past, so I think a release note makes sense
- These fixes are closely related, and the changes small, so I decided to make just one PR.
  - From a user perspective, this is just one issue, and I think in terms of release notes, it makes more sense to have just this one.
- Technically, fixing only one of the underlying issues would be enough. Since this is a case of invalid states being representable, it makes sense to both try to prevent it happening in the first place, and deal with it gracefully if it does happen.
  - At the very least, fixing #12245 is required unless we want to live with data generated in the past being broken

Fixes #12243
Fixes #12245

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12302
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
---
 models/issues/review.go      | 15 +++++--
 models/issues/review_test.go | 76 ++++++++++++++++++++++++++++++++++++
 release-notes/12302.md       |  1 +
 3 files changed, 89 insertions(+), 3 deletions(-)
 create mode 100644 release-notes/12302.md

diff --git a/models/issues/review.go b/models/issues/review.go
index 5370117a81..6ff36615db 100644
--- a/models/issues/review.go
+++ b/models/issues/review.go
@@ -457,6 +457,11 @@ func SubmitReview(ctx context.Context, doer *user_model.User, issue *Issue, revi
 			if official, err = IsOfficialReviewer(ctx, issue, doer); err != nil {
 				return nil, nil, err
 			}
+			// delete previous review requests from the same user
+			reviewCond := builder.Eq{"reviewer_id": doer.ID, "issue_id": issue.ID}
+			if _, err := sess.Where(reviewCond.And(builder.Eq{"type": ReviewTypeRequest})).Delete(new(Review)); err != nil {
+				return nil, nil, err
+			}
 		}
 
 		review.Official = official
@@ -511,10 +516,14 @@ func SubmitReview(ctx context.Context, doer *user_model.User, issue *Issue, revi
 
 // GetReviewByIssueIDAndUserID get the latest review of reviewer for a pull request
 func GetReviewByIssueIDAndUserID(ctx context.Context, issueID, userID int64) (*Review, error) {
+	return GetReviewByIssueIDUserIDAndTypes(ctx, issueID, userID, []ReviewType{ReviewTypeApprove, ReviewTypeReject, ReviewTypeRequest})
+}
+
+func GetReviewByIssueIDUserIDAndTypes(ctx context.Context, issueID, userID int64, types []ReviewType) (*Review, error) {
 	review := new(Review)
 
 	has, err := db.GetEngine(ctx).Where(
-		builder.In("type", ReviewTypeApprove, ReviewTypeReject, ReviewTypeRequest).
+		builder.In("type", types).
 			And(builder.Eq{"issue_id": issueID, "reviewer_id": userID, "original_author_id": 0})).
 		Desc("id").
 		Get(review)
@@ -707,12 +716,12 @@ func RemoveReviewRequest(ctx context.Context, issue *Issue, reviewer, doer *user
 	}
 	defer committer.Close()
 
-	review, err := GetReviewByIssueIDAndUserID(ctx, issue.ID, reviewer.ID)
+	review, err := GetReviewByIssueIDUserIDAndTypes(ctx, issue.ID, reviewer.ID, []ReviewType{ReviewTypeRequest})
 	if err != nil && !IsErrReviewNotExist(err) {
 		return nil, err
 	}
 
-	if review == nil || review.Type != ReviewTypeRequest {
+	if review == nil {
 		return nil, nil
 	}
 
diff --git a/models/issues/review_test.go b/models/issues/review_test.go
index bdeaae5ea3..e035be617b 100644
--- a/models/issues/review_test.go
+++ b/models/issues/review_test.go
@@ -321,6 +321,82 @@ func TestAddReviewRequest(t *testing.T) {
 	assert.True(t, issues_model.IsErrReviewRequestOnClosedPR(err))
 }
 
+func TestSubmitPendingReviewDeletesReviewRequest(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	pull := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 1})
+	require.NoError(t, pull.LoadIssue(db.DefaultContext))
+	issue := pull.Issue
+	require.NoError(t, issue.LoadRepo(db.DefaultContext))
+	reviewer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	reviewRequest, err := issues_model.CreateReview(db.DefaultContext, issues_model.CreateReviewOptions{
+		Issue:    issue,
+		Reviewer: reviewer,
+		Type:     issues_model.ReviewTypeRequest,
+	})
+	require.NoError(t, err)
+
+	// creating a pending review should NOT remove review requests
+	reviewPending, err := issues_model.CreateReview(db.DefaultContext, issues_model.CreateReviewOptions{
+		Issue:    issue,
+		Reviewer: reviewer,
+		Type:     issues_model.ReviewTypePending,
+	})
+	require.NoError(t, err)
+	unittest.AssertExistsIf(t, true, &issues_model.Review{ID: reviewRequest.ID})
+	// submitting a pending review to finish it SHOULD remove review requests
+	_, _, err = issues_model.SubmitReview(
+		db.DefaultContext,
+		reviewer,
+		issue,
+		issues_model.ReviewTypeReject,
+		"test content",
+		reviewPending.CommitID,
+		false,
+		[]string{},
+	)
+	require.NoError(t, err)
+	unittest.AssertNotExistsBean(t, &issues_model.Review{ID: reviewRequest.ID})
+}
+
+// this test is for handling a state correctly that should never exist, but is representable and was
+// achievable thanks to #12243
+func TestReviewRequestDeletesReviewRequestsBeforeRejectedReviews(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	sess := db.GetEngine(db.DefaultContext)
+
+	pull := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 1})
+	require.NoError(t, pull.LoadIssue(db.DefaultContext))
+	issue := pull.Issue
+	require.NoError(t, issue.LoadRepo(db.DefaultContext))
+	reviewer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+	// this one will end up being a ReviewTypeRequest. We are initially creating it as
+	// ReviewTypeReject to avoid it being deleted on making the actual rejected review
+	reviewRequest, err := issues_model.CreateReview(db.DefaultContext, issues_model.CreateReviewOptions{
+		Issue:    issue,
+		Reviewer: reviewer,
+		Type:     issues_model.ReviewTypeReject,
+	})
+	require.NoError(t, err)
+	// this review is an actual rejected review that somehow managed to be saved without deleting
+	// reviewRequest. This is a state that is representable and is/was achievable thanks to #12243
+	_, err = issues_model.CreateReview(db.DefaultContext, issues_model.CreateReviewOptions{
+		Issue:    issue,
+		Reviewer: reviewer,
+		Type:     issues_model.ReviewTypeReject,
+	})
+	require.NoError(t, err)
+	reviewRequest.Type = issues_model.ReviewTypeRequest
+	_, err = sess.ID(reviewRequest.ID).Cols("type").Update(reviewRequest)
+	require.NoError(t, err)
+
+	_, err = issues_model.RemoveReviewRequest(db.DefaultContext, issue, reviewer, doer)
+	require.NoError(t, err)
+	unittest.AssertNotExistsBean(t, &issues_model.Review{ID: reviewRequest.ID})
+}
+
 func TestAddTeamReviewRequest(t *testing.T) {
 	defer unittest.OverrideFixtures("models/fixtures/TestAddTeamReviewRequest")()
 	require.NoError(t, unittest.PrepareTestDatabase())
diff --git a/release-notes/12302.md b/release-notes/12302.md
new file mode 100644
index 0000000000..b51bab427d
--- /dev/null
+++ b/release-notes/12302.md
@@ -0,0 +1 @@
+fix: When a review was created as pending and then submitted, the review request wasn't deleted. These review requests couldn't be removed, as the now existing review shadowed the review request. Now, review requests get deleted when a pending review from that reviewer gets submitted, and broken review requests in already existing data can be normally removed via the UI.

From 49f9cc7c4d0ee9bebf663f17d41a3814ee126ce9 Mon Sep 17 00:00:00 2001
From: Nirmal Kumar R <tildezero@gmail.com>
Date: Fri, 8 May 2026 08:01:34 +0200
Subject: [PATCH 252/287] chore: dialog modal max-width rendering failure
 (#12469)

The dialog element shrink wrap up to the max-width boundary. The
`long-modal` is set to strictly fit the `800px` width in the test.
However with Playwright minor font rendering differences makes the
dialog modal width resulting in `797px`.

Test fails at: [expect(width).toBe(800);](https://codeberg.org/forgejo/forgejo/src/commit/6132d0e4069e0043c41302e300c6d3a5ab7b8ccc/tests/e2e/modal.test.e2e.ts#L103)

The fix is to increase the content of the `#long-model` element in
`templates/demo/model.tmpl` to 300 characters length instead of the
current `100` characters length ensures that the dialog modal will always
hit the `800px` max-width.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12469
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
---
 templates/demo/modal.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/demo/modal.tmpl b/templates/demo/modal.tmpl
index 746d82b229..af4c1295ef 100644
--- a/templates/demo/modal.tmpl
+++ b/templates/demo/modal.tmpl
@@ -30,7 +30,7 @@
 	<dialog id="long-modal">
 		<article>
 			<header>Long modal</header>
-			<div class="content">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</div>
+			<div class="content">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</div>
 			<footer class="actions">
 					<button class="secondary button cancel">{{ctx.Locale.Tr "settings.cancel"}}</button>
 			</footer>

From 029565865021232c3c281156028efe34172eb961 Mon Sep 17 00:00:00 2001
From: Gergely Nagy <forgejo@gergo.csillger.hu>
Date: Fri, 8 May 2026 08:08:10 +0200
Subject: [PATCH 253/287] Federated user activity following (#4767)

This is a implementation of #4277.

The core idea is that any activity (where activity is defined as anything that ends up in the `action` table) will be wrapped in an `ap.Note`, and sent to followers. Similarly, the inbox of local users now accepts such Notes. Additionally, there's now a "Feeds" tab on the user profile page, which displays the received notes.

# Preview

![Preview](/attachments/9ce6a138-a748-447e-8e8b-d6143564ee4e)

# How to Try?

The PR can be tried using a single Forgejo instance, but two distinct ones probably shows how it works better. For the sake of simplicity, lets try with a single instance. This is how to get started:

1. Enable federation
2. Subscribe one user to another (or to themselves):
    ```
    curl -s -H "authorization: Bearer ${TOKEN}" -XPOST \
         http://localhost:3000/api/v1/user/activitypub/follow \
         --json '{"target": "http://localhost:3000/api/v1/activitypub/user-id/1"}'
    ```

    This makes the first user follow themselves.
3. Create a repo, open an issue, or basically do anything that results in an activity recorded.
4. Visit `http://localhost:3000/{username}?tab=feed` to see the feed in action.

If you want to try with multiple instances, then it's very similar: you just change the `actor_id` to the IRI of the user you want to follow the first instance's user with, and then you can look at the feed tab of this user on the second instance, after you performed some activity on the first.

## Trying with Mastodon / GoToSocial

To try with Mastodon or GoToSocial, you will likely need to bring your Forgejo instance public, and behind https. Once your Forgejo instance is up, you can search for `@yourusername@forgejo.your.domain.example.com`, and simply follow your Forgejo account. Creating any activity will then happily federate to Mastodon & GoToSocial.

You can also copy & paste the Forge user's web profile URL (eg, `https://forgejo.your.domain.example.com/yourusername`) into your fedi client of choice, and it will discover the profile that way too.

# Testing

* test: https://codeberg.org/meissa/federation/src/branch/federated-user-activity-following/doc/user-activity-following/manual-test.md
* Proof of gts->forgejo: https://social.meissa-gmbh.de/@meissa/114499541149466596
* Proof of forgejo->gts: https://social.meissa-gmbh.de/@meissa/114505225265720094

## Architecture decisions

There are a number of ways user activity federation could be implemented. One way - which I explored first - is to wrap each activity, and send those, and let the client render it. The advantage of this would be that we'd be able to have references to other objects (comments, repos, etc). The disadvantage is that doing this requires making all of these things addressable, and that's a lot of work. Another disadvantage is that this requires every client to know how to display it.

Another way, chosen here, is to send a rendered HTML `ap.Note` instead, with an `AttributedTo` (`ap.Person`) property, which describes the activity that happened in a HTML note. This is much simpler to implement, and has the huge advantage that it is also easier to display. In fact, once we have http signatures, we should be able to federate user activity to Mastodon, too! (Though this also requires figuring out how Mastodon wants to follow a user...)

Since user activity federation is mostly cosmetic, as in, it's there for the user to see, rather than for programs to take actions based upon this activity, I believe that sending an `ap.Note` is preferable over a more machine-oriented approach.

## Limitations & TODO

### FederatedUser

We should be caching the Avatar in a similar way. For that, though, we also need to store the last activity of a federated user, so we can expire old avatars from the cache. The avatar refresh part will be covered by #4778.

### Notes

While sending out notes, the `AttributedTo` property is set to an `ap.Person`, based on the originating local user. This is currently unused. The idea is that once following is implemented properly (see above), we'll be able to link this  to a FederatedUser (and thus to ExternalUser & User), which will allow us to display avatars and such, too.

### Display

The template used for displaying the received activities is currently incredibly simplistic. That's probably ok, it doesn't need to be fantastic.

### TODO

- [x] Fix the crashes on certain ops:
  - [x] Issue/PR close & reopen
- [x] Figure out a better way to implement follows
- [x] Store the `AttributedTo` part of the note, too, the ID of it.
- [x] Make sure only those activities are sent out that need to be.
      Currently, pretty much any activity is sent out, even private ones. We should be a bit smarter about that.
- [x] Make the ids used in the AP messages deterministic
      The IDs used in the AP messages are currently UUIDs, and we do not store them, so all the IRIs are "invalid": the objects they refer to don't exist outside of the AP message itself. We should be able to reconstruct the Note objects and Create activities from their IDs.
- [x] Make it possible to follow Forgejo account from Mastodon and GtS
  - [x] Mastodon without `AUTHORIZED_FETCH` works
  - [x] GoToSocial can follow
  - [x] Mastodon with `AUTHORIZED_FETCH` can follow
- ~~Create a cron job to refresh federated user avatars~~
- [x] Implement unfollowing
- [x] Add a `<link rel="alternate" type="application/activity+json" href="...">` to profile pages
      This lets Mastodon & most other Fedi frontends discover the AP profile just by pasting a Forgejo user's web profile page into a search box, without having to know the corresponding AP actor URL
- [x] Make it easier to make a local user follow a remote AP actor
- ~~Rebase on top of #4778 by @realaravinth, once that is ready~~
- [x] Create an API endpoint to list the AP feed
- [x] Create a DB migration for the new stuff
- [x] Make swagger stuff happy
- [x] Clean up the commit history
- [x] ~~Tests~~ Opting for manual testing for now.

Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-authored-by: famfo <famfo@famfo.xyz>
Co-authored-by: jerger <jerger@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4767
Reviewed-by: jerger <jerger@noreply.codeberg.org>
Reviewed-by: elle <0xllx0@noreply.codeberg.org>
---
 routers/web/user/profile.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/web/user/profile.go b/routers/web/user/profile.go
index ec3cb4a5d3..1c5392ba83 100644
--- a/routers/web/user/profile.go
+++ b/routers/web/user/profile.go
@@ -1,6 +1,6 @@
 // Copyright 2015 The Gogs Authors. All rights reserved.
 // Copyright 2019 The Gitea Authors. All rights reserved.
-// Copyright 2023 The Forgejo Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
 package user

From 0b3192b8af2488208b2a0efefa5fa2d7405dfc9e Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 9 May 2026 02:23:00 +0200
Subject: [PATCH 254/287] Update module golang.org/x/crypto to v0.51.0
 (forgejo) (#12483)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) | [`v0.50.0` → `v0.51.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.50.0...refs/tags/v0.51.0) | ![age](https://developer.mend.io/api/mc/badges/age/go/golang.org%2fx%2fcrypto/v0.51.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/golang.org%2fx%2fcrypto/v0.50.0/v0.51.0?slim=true) |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2779) for more information.

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjAuNiIsInVwZGF0ZWRJblZlciI6IjQzLjE2MC42IiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12483
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 go.mod |  6 +++---
 go.sum | 16 ++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/go.mod b/go.mod
index a6e9db2b28..a6d10b5e2e 100644
--- a/go.mod
+++ b/go.mod
@@ -101,13 +101,13 @@ require (
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	gitlab.com/gitlab-org/api/client-go v0.143.2
 	go.yaml.in/yaml/v3 v3.0.4
-	golang.org/x/crypto v0.50.0
+	golang.org/x/crypto v0.51.0
 	golang.org/x/image v0.39.0
 	golang.org/x/net v0.53.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
-	golang.org/x/sys v0.43.0
-	golang.org/x/text v0.36.0
+	golang.org/x/sys v0.44.0
+	golang.org/x/text v0.37.0
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/ini.v1 v1.67.0
diff --git a/go.sum b/go.sum
index bb519fd975..220748373c 100644
--- a/go.sum
+++ b/go.sum
@@ -723,8 +723,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -850,8 +850,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -861,8 +861,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -876,8 +876,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=

From 92863bb1035530b97609e720a04b62dfe5bd98f0 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Sat, 9 May 2026 02:31:03 +0200
Subject: [PATCH 255/287] feat: expose run_id in ...actions/runners/jobs
 endpoint (#12480)

Include `run_id` in the responses emitted by all `...actions/runners/jobs` endpoints. Helps with correlating pending jobs with other jobs and the runs they belong to.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12480
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 modules/structs/action.go                   | 2 ++
 services/convert/action.go                  | 1 +
 templates/swagger/v1_json.tmpl              | 6 ++++++
 tests/integration/api_admin_actions_test.go | 1 +
 tests/integration/api_org_actions_test.go   | 1 +
 tests/integration/api_repo_actions_test.go  | 3 +++
 tests/integration/api_user_actions_test.go  | 1 +
 7 files changed, 15 insertions(+)

diff --git a/modules/structs/action.go b/modules/structs/action.go
index 1f015a08fb..82c530cdf9 100644
--- a/modules/structs/action.go
+++ b/modules/structs/action.go
@@ -12,6 +12,8 @@ import (
 type ActionRunJob struct {
 	// Identifier of this job.
 	ID int64 `json:"id"`
+	// Identifier of the workflow run this job belongs to.
+	RunID int64 `json:"run_id"`
 	// How many times the job has been attempted including the current attempt.
 	Attempt int64 `json:"attempt"`
 	// Opaque identifier that uniquely identifies a single attempt of a job.
diff --git a/services/convert/action.go b/services/convert/action.go
index dd21b9fb87..da40ac7916 100644
--- a/services/convert/action.go
+++ b/services/convert/action.go
@@ -71,6 +71,7 @@ func ToActionRunJob(job *actions_model.ActionRunJob) *api.ActionRunJob {
 
 	return &api.ActionRunJob{
 		ID:      job.ID,
+		RunID:   job.RunID,
 		Attempt: job.Attempt,
 		Handle:  job.Handle,
 		RepoID:  job.RepoID,
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 45159b7c71..e0afb22d54 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -22873,6 +22873,12 @@
           "format": "int64",
           "x-go-name": "RepoID"
         },
+        "run_id": {
+          "description": "Identifier of the workflow run this job belongs to.",
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "RunID"
+        },
         "runs_on": {
           "description": "the action run job labels to run on",
           "type": "array",
diff --git a/tests/integration/api_admin_actions_test.go b/tests/integration/api_admin_actions_test.go
index 173e22ca91..67fc643761 100644
--- a/tests/integration/api_admin_actions_test.go
+++ b/tests/integration/api_admin_actions_test.go
@@ -46,6 +46,7 @@ func TestAPIAdminActionsGetJobs(t *testing.T) {
 
 		expected := api.ActionRunJob{
 			ID:      393,
+			RunID:   891,
 			Attempt: 1,
 			Handle:  "18e9cf40-c2f6-409f-b832-b945ea7dc79b",
 			RepoID:  1,
diff --git a/tests/integration/api_org_actions_test.go b/tests/integration/api_org_actions_test.go
index 08de84cdf2..eb96435a45 100644
--- a/tests/integration/api_org_actions_test.go
+++ b/tests/integration/api_org_actions_test.go
@@ -37,6 +37,7 @@ func TestActionsAPISearchActionJobs_OrgRunner(t *testing.T) {
 
 	job395 := api.ActionRunJob{
 		ID:      395,
+		RunID:   891,
 		Attempt: 1,
 		Handle:  "40317a2f-2f00-4a82-8cc4-57347989a493",
 		RepoID:  1,
diff --git a/tests/integration/api_repo_actions_test.go b/tests/integration/api_repo_actions_test.go
index ccf333191e..605d55c469 100644
--- a/tests/integration/api_repo_actions_test.go
+++ b/tests/integration/api_repo_actions_test.go
@@ -52,6 +52,7 @@ func TestActionsAPISearchActionJobs_RepoRunner(t *testing.T) {
 
 	job393 := api.ActionRunJob{
 		ID:      393,
+		RunID:   891,
 		Attempt: 1,
 		Handle:  "18e9cf40-c2f6-409f-b832-b945ea7dc79b",
 		RepoID:  1,
@@ -713,6 +714,7 @@ func TestActionsAPIListActionRunJobs(t *testing.T) {
 				if expected.ID == 195 {
 					assert.Equal(t, &api.ActionRunJob{
 						ID:      195,
+						RunID:   793,
 						Attempt: 1,
 						Handle:  "",
 						RepoID:  4,
@@ -726,6 +728,7 @@ func TestActionsAPIListActionRunJobs(t *testing.T) {
 				} else if expected.ID == 197 {
 					assert.Equal(t, &api.ActionRunJob{
 						ID:      197,
+						RunID:   895,
 						Attempt: 0,
 						Handle:  "",
 						RepoID:  4,
diff --git a/tests/integration/api_user_actions_test.go b/tests/integration/api_user_actions_test.go
index b9a0b16ab4..91bd8c4be1 100644
--- a/tests/integration/api_user_actions_test.go
+++ b/tests/integration/api_user_actions_test.go
@@ -38,6 +38,7 @@ func TestActionsAPISearchActionJobs_UserRunner(t *testing.T) {
 
 	job394 := api.ActionRunJob{
 		ID:      394,
+		RunID:   891,
 		Attempt: 2,
 		Handle:  "a723d3e3-49a1-4e6b-947f-e987e60bfbd6",
 		RepoID:  1,

From 4e40724199ace81506300ab3f5d3108f8766ab1b Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 9 May 2026 04:38:55 +0200
Subject: [PATCH 256/287] Update module golang.org/x/tools/cmd/deadcode to
 v0.45.0 (forgejo) (#12488)

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 5a353c59cf..2680bb8b62 100644
--- a/Makefile
+++ b/Makefile
@@ -45,7 +45,7 @@ SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.33.2 # renova
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses/v2@v2.0.1 # renovate: datasource=go
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
-DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.44.0 # renovate: datasource=go
+DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.45.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
 RENOVATE_NPM_PACKAGE ?= renovate@43.160.6 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 MOCKERY_PACKAGE ?= github.com/vektra/mockery/v3@v3.7.0 # renovate: datasource=go

From 508bb7f2aed62479b03335b3591bd890260cfe37 Mon Sep 17 00:00:00 2001
From: limiting-factor <limiting-factor@posteo.com>
Date: Sat, 9 May 2026 04:46:56 +0200
Subject: [PATCH 257/287] fix: in actions_service cancelJobsForRun is bugous
 use killRun instead (#12366)

The cancelJobsForRun function is redundant with the killRun function and has bugs:

- It does not use a transaction and may fail in a non-recoverable way
- It does not update the commit status of the run
-  It does not set NeedRemoval to false if needed

Remove the cancelJobsForRun function and use killRun instead (fixing forgejo/forgejo#12386). Both calls are covered by existing tests:

- TestCancelPreviousJobs
- TestCancelPreviousWithConcurrencyGroup

A new integration test TestActionsPullRequestTrustPushCancel is added to verify that the NeedApproval field is set to false whenever a run is cancelled (fixing forgejo/forgejo#12350).

Closes forgejo/forgejo#12350
Closes forgejo/forgejo#12386

---

Reverting the change fails the test at

https://codeberg.org/limiting-factor/forgejo/src/commit/b6178e5634c230006a3c2b791ec8e06f09367e2d/tests/integration/actions_trust_test.go#L520-L533

with:

```
TAGS='sqlite sqlite_unlock_notify' make 'test-sqlite#TestActionsPullRequestTrustPushCancel'
...
    actions_trust_test.go:523:
        	Error Trace:	/home/limiting-factor/forgejo/tests/integration/actions_trust_test.go:523
        	            				/home/limiting-factor/forgejo/tests/integration/git_helper_for_declarative_test.go:98
        	            				/home/limiting-factor/forgejo/tests/integration/actions_trust_test.go:476
        	Error:      	Should be false
        	Test:       	TestActionsPullRequestTrustPushCancel
```

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12366): <!--number 12366 --><!--line 0 --><!--description V2hlbiB0aGUgYXV0aG9yIG9mIGEgcHVsbCByZXF1ZXN0IGlzIFtkZW5pZWQgdGhlIHJpZ2h0IHRvIHJ1biBBY3Rpb25zXShodHRwczovL2Zvcmdlam8ub3JnL2RvY3MvbmV4dC91c2VyL2FjdGlvbnMvc2VjdXJpdHktcHVsbC1yZXF1ZXN0LykgYnkgY2xpY2tpbmcgb24gdGhlICJEZW55IiBidXR0b24gb24gdGhlIHB1bGwgcmVxdWVzdCB0cnVzdCBtYW5hZ2VtZW50IHBhbmVsLCB0aGUgd29ya2Zsb3cgcnVucyBjcmVhdGVkIGZvciBhbGwgY29tbWl0cyBwdXNoZWQgdG8gdGhlIHB1bGwgcmVxdWVzdCBhcmUgY2FuY2VsbGVkLiBCZWZvcmUgdGhhdCwgcnVucyB0aGF0IHdlcmUgYXV0b21hdGljYWxseSBjYW5jZWxsZWQgYmVjYXVzZSBhIG5ld2VyIGNvbW1pdCB3YXMgcHVzaGVkIHRvIHRoZSBwdWxsIHJlcXVlc3QgW3dlcmUgc3R1Y2sgaW4gYSBzdGF0ZSB3YWl0aW5nIGZvciBhcHByb3ZhbF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2lzc3Vlcy8xMjM1MCku-->When the author of a pull request is [denied the right to run Actions](https://forgejo.org/docs/next/user/actions/security-pull-request/) by clicking on the "Deny" button on the pull request trust management panel, the workflow runs created for all commits pushed to the pull request are cancelled. Before that, runs that were automatically cancelled because a newer commit was pushed to the pull request [were stuck in a state waiting for approval](https://codeberg.org/forgejo/forgejo/issues/12350).<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12366
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 models/actions/run.go                   |  4 +-
 release-notes/12366.md                  |  1 +
 services/actions/schedule_tasks.go      | 63 +++----------------------
 tests/integration/actions_trust_test.go | 62 ++++++++++++++++++++++++
 4 files changed, 71 insertions(+), 59 deletions(-)
 create mode 100644 release-notes/12366.md

diff --git a/models/actions/run.go b/models/actions/run.go
index 862125224f..692dab841b 100644
--- a/models/actions/run.go
+++ b/models/actions/run.go
@@ -347,7 +347,7 @@ func UpdateRunApprovalByID(ctx context.Context, id int64, approval ApprovalType,
 func GetRunsNotDoneByRepoIDAndPullRequestPosterID(ctx context.Context, repoID, pullRequestPosterID int64) ([]*ActionRun, error) {
 	var runs []*ActionRun
 	// performance relies on indexes on repo_id and status
-	if err := db.GetEngine(ctx).Where("repo_id=? AND pull_request_poster_id=?", repoID, pullRequestPosterID).And(builder.In("status", []Status{StatusUnknown, StatusWaiting, StatusRunning, StatusBlocked})).Find(&runs); err != nil {
+	if err := db.GetEngine(ctx).Where("repo_id=? AND pull_request_poster_id=?", repoID, pullRequestPosterID).And(builder.In("status", PendingStatuses())).Find(&runs); err != nil {
 		return nil, err
 	}
 	return runs, nil
@@ -356,7 +356,7 @@ func GetRunsNotDoneByRepoIDAndPullRequestPosterID(ctx context.Context, repoID, p
 func GetRunsNotDoneByRepoIDAndPullRequestID(ctx context.Context, repoID, pullRequestID int64) ([]*ActionRun, error) {
 	var runs []*ActionRun
 	// performance relies on indexes on repo_id and status
-	if err := db.GetEngine(ctx).Where("repo_id=? AND pull_request_id=?", repoID, pullRequestID).And(builder.In("status", []Status{StatusUnknown, StatusWaiting, StatusRunning, StatusBlocked})).Find(&runs); err != nil {
+	if err := db.GetEngine(ctx).Where("repo_id=? AND pull_request_id=?", repoID, pullRequestID).And(builder.In("status", PendingStatuses())).Find(&runs); err != nil {
 		return nil, err
 	}
 	return runs, nil
diff --git a/release-notes/12366.md b/release-notes/12366.md
new file mode 100644
index 0000000000..12cc3c478d
--- /dev/null
+++ b/release-notes/12366.md
@@ -0,0 +1 @@
+When the author of a pull request is [denied the right to run Actions](https://forgejo.org/docs/next/user/actions/security-pull-request/) by clicking on the "Deny" button on the pull request trust management panel, the workflow runs created for all commits pushed to the pull request are cancelled. Before that, runs that were automatically cancelled because a newer commit was pushed to the pull request [were stuck in a state waiting for approval](https://codeberg.org/forgejo/forgejo/issues/12350).
diff --git a/services/actions/schedule_tasks.go b/services/actions/schedule_tasks.go
index fab9ae8df5..a1e9874984 100644
--- a/services/actions/schedule_tasks.go
+++ b/services/actions/schedule_tasks.go
@@ -23,7 +23,6 @@ import (
 	"code.forgejo.org/forgejo/runner/v12/act/jobparser"
 	act_model "code.forgejo.org/forgejo/runner/v12/act/model"
 	"github.com/gdgvda/cron"
-	"xorm.io/builder"
 )
 
 // StartScheduleTasks start the task
@@ -220,7 +219,7 @@ func CancelPreviousJobs(ctx context.Context, repoID int64, ref, workflowID strin
 	// Iterate over each found run and cancel its associated jobs.
 	errorSlice := []error{}
 	for _, run := range runs {
-		err := cancelJobsForRun(ctx, run.ID)
+		err := killRun(ctx, run, actions_model.StatusCancelled)
 		errorSlice = append(errorSlice, err)
 	}
 	err = errors.Join(errorSlice...)
@@ -236,21 +235,21 @@ func CancelPreviousWithConcurrencyGroup(ctx context.Context, repoID int64, concu
 	// Find all runs in the concurrency group which have at least one job that is still pending; we can't use the run's
 	// status for this because runs are set to failed if a single job is marked as failed, even if other jobs are still
 	// running.
-	runIDs := make([]int64, 0, 10)
+	runs := make([]*actions_model.ActionRun, 0, 10)
 	if err := db.GetEngine(ctx).Table("action_run").
 		Join("INNER", "action_run_job", "action_run_job.run_id = action_run.id").
 		Where("action_run.repo_id = ? AND action_run.concurrency_group = ?", repoID, strings.ToLower(concurrencyGroup)).
 		In("action_run_job.status", actions_model.PendingStatuses()).
 		Distinct("action_run.id").
-		Select("action_run.id").
-		Find(&runIDs); err != nil {
+		Select("action_run.id,action_run.need_approval").
+		Find(&runs); err != nil {
 		return err
 	}
 
 	// Iterate over each found run and cancel its associated jobs.
 	errorSlice := []error{}
-	for _, runID := range runIDs {
-		err := cancelJobsForRun(ctx, runID)
+	for _, run := range runs {
+		err := killRun(ctx, run, actions_model.StatusCancelled)
 		errorSlice = append(errorSlice, err)
 	}
 	err := errors.Join(errorSlice...)
@@ -261,56 +260,6 @@ func CancelPreviousWithConcurrencyGroup(ctx context.Context, repoID int64, concu
 	return nil
 }
 
-func cancelJobsForRun(ctx context.Context, runID int64) error {
-	// Find all jobs associated with the current run.
-	jobs, err := db.Find[actions_model.ActionRunJob](ctx, actions_model.FindRunJobOptions{
-		RunID: runID,
-	})
-	if err != nil {
-		return err
-	}
-
-	// Iterate over each job and attempt to cancel it.
-	errorSlice := []error{}
-	for _, job := range jobs {
-		// Skip jobs that are already in a terminal state (completed, cancelled, etc.).
-		status := job.Status
-		if status.IsDone() {
-			continue
-		}
-
-		// If the job has no associated task (probably an error), set its status to 'Cancelled' and stop it.
-		if job.TaskID == 0 {
-			job.Status = actions_model.StatusCancelled
-			job.Stopped = timeutil.TimeStampNow()
-
-			// Update the job's status and stopped time in the database.
-			n, err := UpdateRunJob(ctx, job, builder.Eq{"task_id": 0}, "status", "stopped")
-			if err != nil {
-				errorSlice = append(errorSlice, err)
-				continue
-			}
-
-			// If the update affected 0 rows, it means the job has changed in the meantime, so we need to try again.
-			if n == 0 {
-				errorSlice = append(errorSlice, errors.New("job has changed, try again"))
-				continue
-			}
-
-			// Continue with the next job.
-			continue
-		}
-
-		// If the job has an associated task, try to stop the task, effectively cancelling the job.
-		if err := StopTask(ctx, job.TaskID, actions_model.StatusCancelled); err != nil {
-			errorSlice = append(errorSlice, err)
-			continue
-		}
-	}
-
-	return errors.Join(errorSlice...)
-}
-
 func CleanRepoScheduleTasks(ctx context.Context, repo *repo_model.Repository, cancelPreviousJobs bool) error {
 	// If actions disabled when there is schedule task, this will remove the outdated schedule tasks
 	// There is no other place we can do this because the app.ini will be changed manually
diff --git a/tests/integration/actions_trust_test.go b/tests/integration/actions_trust_test.go
index c150bd6c2e..c1449aeda2 100644
--- a/tests/integration/actions_trust_test.go
+++ b/tests/integration/actions_trust_test.go
@@ -471,3 +471,65 @@ func TestActionsPullRequestTrustCancelOnClose(t *testing.T) {
 		}
 	})
 }
+
+func TestActionsPullRequestTrustPushCancel(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		ownerUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		ownerSession := loginUser(t, ownerUser.Name)
+
+		regularUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+
+		baseRepo, f := actionsTrustTestCreateBaseRepo(t, ownerUser)
+		defer f()
+
+		forkedRepo, pullRequest, addFileToForkedResp := actionsTrustTestCreatePullRequestFromForkedRepo(t, ownerUser, baseRepo, regularUser)
+		pullRequestLink := pullRequest.Issue.Link()
+
+		// there is one commit in the pull request and it is blocked from running actions pending approval
+		{
+			actionRun := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, CommitSHA: addFileToForkedResp.Commit.SHA})
+			assert.True(t, actionRun.NeedApproval)
+			assert.Equal(t, actions_model.StatusWaiting, actionRun.Status)
+			actionRunJob := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{RunID: actionRun.ID, RepoID: baseRepo.ID})
+			assert.Equal(t, actions_model.StatusBlocked, actionRunJob.Status)
+		}
+
+		// another commit is pushed to the head branch of the pull request
+		otherFileInForkResp := actionsTrustTestRepoModify(t, regularUser, baseRepo, forkedRepo, "add_file_one.txt")
+
+		// there are two commits
+		// - the oldest one switched from Blocked to Cancelled and no longer needs approval
+		// - the newest one is Blocked and pending approval
+		{
+			actionRun := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, CommitSHA: addFileToForkedResp.Commit.SHA})
+			assert.False(t, actionRun.NeedApproval)
+			assert.Equal(t, actions_model.StatusCancelled, actionRun.Status)
+			actionRunJob := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{RunID: actionRun.ID, RepoID: baseRepo.ID})
+			assert.Equal(t, actions_model.StatusCancelled, actionRunJob.Status)
+
+			otherActionRun := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, CommitSHA: otherFileInForkResp.Commit.SHA})
+			assert.True(t, otherActionRun.NeedApproval)
+			assert.Equal(t, actions_model.StatusWaiting, otherActionRun.Status)
+			otherActionRunJob := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{RunID: otherActionRun.ID, RepoID: baseRepo.ID})
+			assert.Equal(t, actions_model.StatusBlocked, otherActionRunJob.Status)
+		}
+
+		actionsTrustTestAssertTrustPanel(t, ownerSession, pullRequestLink)
+		actionsTrustTestClickTrustPanel(t, ownerSession, pullRequestLink, string(actions_service.UserTrustDenied))
+
+		// there are two commits, both are Cancelled and not pending approval
+		{
+			actionRun := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, CommitSHA: addFileToForkedResp.Commit.SHA})
+			assert.False(t, actionRun.NeedApproval)
+			assert.Equal(t, actions_model.StatusCancelled, actionRun.Status)
+			actionRunJob := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{RunID: actionRun.ID, RepoID: baseRepo.ID})
+			assert.Equal(t, actions_model.StatusCancelled, actionRunJob.Status)
+
+			otherActionRun := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{RepoID: baseRepo.ID, CommitSHA: otherFileInForkResp.Commit.SHA})
+			assert.False(t, otherActionRun.NeedApproval)
+			assert.Equal(t, actions_model.StatusCancelled, otherActionRun.Status)
+			otherActionRunJob := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{RunID: otherActionRun.ID, RepoID: baseRepo.ID})
+			assert.Equal(t, actions_model.StatusCancelled, otherActionRunJob.Status)
+		}
+	})
+}

From 169ea1d9917b2b1a7363d7cfb81d216881f37993 Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Sat, 9 May 2026 05:02:57 +0200
Subject: [PATCH 258/287] fix(activitypub): only return public activities on
 request (#12382)

The endpoint returning individual activities was missing access control checks, since IDs are sequential, this is not ideal.

Fixes #12333

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12382
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 models/activities/action.go                   | 33 +++++++++++++++++
 models/activities/action_test.go              | 25 +++++++++++++
 models/activities/error.go                    | 14 ++++++++
 .../fixtures/TestIsPrivate/action.yml         |  7 ++++
 .../fixtures/TestIsPrivate/user.yml           | 36 +++++++++++++++++++
 models/fixtures/action.yml                    |  2 +-
 routers/api/v1/activitypub/person.go          | 11 ++++++
 services/convert/activitypub_user_action.go   |  5 +++
 services/federation/user_activity.go          | 19 +++++-----
 ...ivitypub_person_inbox_useractivity_test.go | 18 +++++++---
 10 files changed, 154 insertions(+), 16 deletions(-)
 create mode 100644 models/activities/error.go
 create mode 100644 models/activities/fixtures/TestIsPrivate/action.yml
 create mode 100644 models/activities/fixtures/TestIsPrivate/user.yml

diff --git a/models/activities/action.go b/models/activities/action.go
index 6b3fabfae0..9b67bd67f6 100644
--- a/models/activities/action.go
+++ b/models/activities/action.go
@@ -812,3 +812,36 @@ func FixActionCreatedUnixString(ctx context.Context) (int64, error) {
 	}
 	return 0, nil
 }
+
+func (a *Action) IsActionPrivate(ctx context.Context) (bool, error) {
+	if a.IsPrivate {
+		return true, nil
+	}
+
+	a.loadRepo(ctx)
+	if a.Repo == nil {
+		return true, repo_model.ErrRepoNotExist{}
+	}
+
+	repo := a.Repo
+	err := repo.LoadOwner(ctx)
+	if err != nil {
+		return true, err
+	}
+
+	if repo.IsPrivate || repo.Owner.KeepActivityPrivate || repo.Owner.Visibility != structs.VisibleTypePublic {
+		return true, nil
+	}
+
+	a.LoadActUser(ctx)
+	if a.ActUser == nil {
+		return true, user_model.ErrUserNotExist{}
+	}
+
+	user := a.ActUser
+	if user.KeepActivityPrivate || user.Visibility != structs.VisibleTypePublic {
+		return true, nil
+	}
+
+	return false, nil
+}
diff --git a/models/activities/action_test.go b/models/activities/action_test.go
index bfc07f58ae..592fdf71e3 100644
--- a/models/activities/action_test.go
+++ b/models/activities/action_test.go
@@ -371,3 +371,28 @@ func TestGetIssueInfos(t *testing.T) {
 		assert.Equal(t, test.field3, issueInfos[2])
 	}
 }
+
+func TestIsPrivate(t *testing.T) {
+	defer unittest.OverrideFixtures("models/activities/fixtures/TestIsPrivate")()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	tt := []struct {
+		activityID int64
+		private    bool
+	}{
+		{1, true},  // private repo
+		{3, false}, // public activities, public repo
+		{11, true}, // private activities
+	}
+
+	for _, test := range tt {
+		ctx := t.Context()
+		action, err := activities_model.GetActivityByID(ctx, test.activityID)
+		require.NoError(t, err)
+
+		private, err := action.IsActionPrivate(ctx)
+		require.NoError(t, err)
+
+		assert.Equal(t, test.private, private, "action ID: %d", test.activityID)
+	}
+}
diff --git a/models/activities/error.go b/models/activities/error.go
new file mode 100644
index 0000000000..85896e97d9
--- /dev/null
+++ b/models/activities/error.go
@@ -0,0 +1,14 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package activities
+
+import "fmt"
+
+type ErrActivityPrivate struct {
+	id int64
+}
+
+func (err ErrActivityPrivate) Error() string {
+	return fmt.Sprintf("Activity with id %d is private", err.id)
+}
diff --git a/models/activities/fixtures/TestIsPrivate/action.yml b/models/activities/fixtures/TestIsPrivate/action.yml
new file mode 100644
index 0000000000..681cea1939
--- /dev/null
+++ b/models/activities/fixtures/TestIsPrivate/action.yml
@@ -0,0 +1,7 @@
+- id: 11
+  user_id: 44
+  op_type: 1 # create repo
+  act_user_id: 44 # private user activities
+  repo_id: 60 # public
+  is_private: false
+  created_unix: 1680454039
diff --git a/models/activities/fixtures/TestIsPrivate/user.yml b/models/activities/fixtures/TestIsPrivate/user.yml
new file mode 100644
index 0000000000..dd7bf1a657
--- /dev/null
+++ b/models/activities/fixtures/TestIsPrivate/user.yml
@@ -0,0 +1,36 @@
+- id: 44
+  lower_name: user44
+  name: user44
+  full_name: user44
+  email: user44@example.com
+  keep_email_private: false
+  email_notifications_preference: enabled
+  passwd: ZogKvWdyEx:password
+  passwd_hash_algo: dummy
+  must_change_password: false
+  login_source: 0
+  login_name: user44
+  type: 0
+  salt: ZogKvWdyEx
+  max_repo_creation: -1
+  is_active: true
+  is_admin: false
+  is_restricted: false
+  allow_git_hook: false
+  allow_import_local: false
+  allow_create_organization: true
+  prohibit_login: false
+  avatar: ""
+  avatar_email: user44@example.com
+  use_custom_avatar: true
+  num_followers: 0
+  num_following: 0
+  num_stars: 0
+  num_repos: 0
+  num_teams: 0
+  num_members: 0
+  visibility: 0
+  repo_admin_change_team_access: false
+  theme: ""
+  keep_activity_private: true
+  created_unix: 1672578380
diff --git a/models/fixtures/action.yml b/models/fixtures/action.yml
index f1592d4569..c776218be0 100644
--- a/models/fixtures/action.yml
+++ b/models/fixtures/action.yml
@@ -81,4 +81,4 @@
   act_user_id: 40
   repo_id: 60 # public
   is_private: false
-  created_unix: 1577404800 # end of heatmap
\ No newline at end of file
+  created_unix: 1577404800 # end of heatmap
diff --git a/routers/api/v1/activitypub/person.go b/routers/api/v1/activitypub/person.go
index 8fa9e5f226..82725f2757 100644
--- a/routers/api/v1/activitypub/person.go
+++ b/routers/api/v1/activitypub/person.go
@@ -148,6 +148,17 @@ func getActivity(ctx *context.APIContext, id int64) (*forgefed.ForgeUserActivity
 		return nil, err
 	}
 
+	private, err := action.IsActionPrivate(ctx)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "action.IsActionPrivate", err.Error())
+		return nil, err
+	}
+
+	if private {
+		ctx.NotFound()
+		return nil, activities.ErrActivityPrivate{}
+	}
+
 	actions := activities.ActionList{action}
 	if err := actions.LoadAttributes(ctx); err != nil {
 		ctx.Error(http.StatusInternalServerError, "action.LoadAttributes", err.Error())
diff --git a/services/convert/activitypub_user_action.go b/services/convert/activitypub_user_action.go
index 6db3834ef2..4d7d04f252 100644
--- a/services/convert/activitypub_user_action.go
+++ b/services/convert/activitypub_user_action.go
@@ -13,6 +13,7 @@ import (
 
 	activities_model "forgejo.org/models/activities"
 	issues_model "forgejo.org/models/issues"
+	"forgejo.org/models/repo"
 	fm "forgejo.org/modules/forgefed"
 	"forgejo.org/modules/json"
 	"forgejo.org/modules/markup"
@@ -20,6 +21,10 @@ import (
 )
 
 func ActionToForgeUserActivity(ctx context.Context, action *activities_model.Action) (fm.ForgeUserActivity, error) {
+	if action.Repo == nil {
+		return fm.ForgeUserActivity{}, repo.ErrRepoNotExist{}
+	}
+
 	render := func(format string, args ...any) string {
 		return fmt.Sprintf(`<a href="%s" rel="nofollow">%s</a> %s`, action.ActUser.HTMLURL(), action.GetActDisplayName(ctx), fmt.Sprintf(format, args...))
 	}
diff --git a/services/federation/user_activity.go b/services/federation/user_activity.go
index 0db2aee4ec..7d6fb4ebb4 100644
--- a/services/federation/user_activity.go
+++ b/services/federation/user_activity.go
@@ -9,8 +9,8 @@ import (
 	activities_model "forgejo.org/models/activities"
 	"forgejo.org/models/forgefed"
 	"forgejo.org/models/user"
+	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
-	"forgejo.org/modules/structs"
 	"forgejo.org/services/convert"
 
 	ap "github.com/go-ap/activitypub"
@@ -64,17 +64,16 @@ func NotifyActivityPubFollowers(ctx context.Context, actions []activities_model.
 		return nil
 	}
 	for _, act := range actions {
-		if act.Repo != nil {
-			if act.Repo.IsPrivate {
-				continue
-			}
-			if act.Repo.Owner.KeepActivityPrivate || act.Repo.Owner.Visibility != structs.VisibleTypePublic {
-				continue
-			}
-		}
-		if act.ActUser.KeepActivityPrivate || act.ActUser.Visibility != structs.VisibleTypePublic {
+		private, err := act.IsActionPrivate(ctx)
+		if err != nil {
+			log.Error("Failed to check if action is private: %s", err.Error())
 			continue
 		}
+
+		if private {
+			continue
+		}
+
 		if err := SendUserActivity(ctx, act.ActUser, &act); err != nil {
 			return err
 		}
diff --git a/tests/integration/api_activitypub_person_inbox_useractivity_test.go b/tests/integration/api_activitypub_person_inbox_useractivity_test.go
index fa51050045..025bba024a 100644
--- a/tests/integration/api_activitypub_person_inbox_useractivity_test.go
+++ b/tests/integration/api_activitypub_person_inbox_useractivity_test.go
@@ -23,6 +23,7 @@ import (
 	"forgejo.org/services/federation"
 	"forgejo.org/tests"
 
+	ap "github.com/go-ap/activitypub"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -159,15 +160,22 @@ func TestActivityPubPersonInboxNoteToDistant(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusOK, resp.StatusCode)
 
-		// distant request activity & activity note
-		localUser2ActivityNote := fmt.Sprintf("%v/activities/1", localUser2URL)
-		localUser2Activity := fmt.Sprintf("%v/activities/1/activity", localUser2URL)
+		// ID of create activity and note delivered to distant
+		activity, err := ap.UnmarshalJSON([]byte(mock.LastPost))
+		require.NoError(t, err)
 
-		resp, err = c.Get(localUser2ActivityNote)
+		createNote := activity.(*ap.Create)
+		localUser2ActivityNote, err := createNote.Object.GetID().URL()
+		require.NoError(t, err)
+
+		localUser2Activity, err := createNote.GetID().URL()
+		require.NoError(t, err)
+
+		resp, err = c.Get(localUser2ActivityNote.String())
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusOK, resp.StatusCode)
 
-		resp, err = c.Get(localUser2Activity)
+		resp, err = c.Get(localUser2Activity.String())
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusOK, resp.StatusCode)
 

From 9a5d9397a47ef231b3c5af815e40645503c29d42 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sat, 9 May 2026 23:53:35 +0200
Subject: [PATCH 259/287] chore: update flake.lock; add gnupg as dependency
 (#12497)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add `gnupg` as part of the Nix-based development environment, which is a dependency for a small number of integration tests like `TestInstanceSigning`.  Bumps `flake.lock` from its current 2025-11-12 to current 2026-05-05 pin, bringing updated tools referenced in `shell.nix`.

```
$ nix flake update
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c5ae371f1a6a7fd27823bc500d9390b38c05fa55?narHash=sha256-4PqRErxfe%2B2toFJFgcRKZ0UI9NSIOJa%2B7RXVtBhy4KE%3D' (2025-11-12)
  → 'github:nixos/nixpkgs/549bd84d6279f9852cae6225e372cc67fb91a4c1?narHash=sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9%2BhrDTkDU%3D' (2026-05-05)
```

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12497
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 flake.lock | 6 +++---
 shell.nix  | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index 4ff76cf2ca..c6670e17b9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1762977756,
-        "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
+        "lastModified": 1777954456,
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
diff --git a/shell.nix b/shell.nix
index 7d457e8e73..94b5cf708e 100644
--- a/shell.nix
+++ b/shell.nix
@@ -25,5 +25,6 @@ pkgs.mkShell {
 
     # tests
     openssh
+    gnupg
   ];
 }

From d2a7fc1458ecf6a74c8380cf069d994afa6e0db7 Mon Sep 17 00:00:00 2001
From: Stefan Gehn <stefan@srcbox.net>
Date: Sun, 10 May 2026 00:39:51 +0200
Subject: [PATCH 260/287] fix: Use notify in systemd forgejo.service example
 [skip-ci] (#10212)

Use notify as systemd service in the example configuration.
Notifying systemd on successful startup is supported since
Forgejo 1.20.0 already.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10212
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 contrib/systemd/forgejo.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/systemd/forgejo.service b/contrib/systemd/forgejo.service
index ee019e11ea..36dc2a3a5b 100644
--- a/contrib/systemd/forgejo.service
+++ b/contrib/systemd/forgejo.service
@@ -52,7 +52,7 @@ After=network.target
 # Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
 # LimitNOFILE=524288:524288
 RestartSec=2s
-Type=simple
+Type=notify
 User=git
 Group=git
 WorkingDirectory=/var/lib/forgejo/

From 3fc3942356482f9281ffb1f4a71883a9302f7a99 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 10 May 2026 01:32:13 +0200
Subject: [PATCH 261/287] Update CodeMirror (forgejo) (#12498)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12498
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json | 16 ++++++++--------
 package.json      |  4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 778ccdde62..5cc3fc5137 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,7 +9,7 @@
         "@citation-js/core": "0.7.21",
         "@citation-js/plugin-bibtex": "0.7.21",
         "@citation-js/plugin-software-formats": "0.6.2",
-        "@codemirror/autocomplete": "6.20.1",
+        "@codemirror/autocomplete": "6.20.2",
         "@codemirror/commands": "6.10.3",
         "@codemirror/lang-cpp": "6.0.3",
         "@codemirror/lang-css": "6.3.1",
@@ -30,7 +30,7 @@
         "@codemirror/language": "6.12.3",
         "@codemirror/search": "6.7.0",
         "@codemirror/state": "6.6.0",
-        "@codemirror/view": "6.41.1",
+        "@codemirror/view": "6.42.0",
         "@github/markdown-toolbar-element": "2.2.3",
         "@github/quote-selection": "2.1.0",
         "@github/text-expander-element": "2.9.4",
@@ -495,9 +495,9 @@
       }
     },
     "node_modules/@codemirror/autocomplete": {
-      "version": "6.20.1",
-      "resolved": "https://registry.npmjs.org/@codemirror/autocomplete/-/autocomplete-6.20.1.tgz",
-      "integrity": "sha512-1cvg3Vz1dSSToCNlJfRA2WSI4ht3K+WplO0UMOgmUYPivCyy2oueZY6Lx7M9wThm7SDUBViRmuT+OG/i8+ON9A==",
+      "version": "6.20.2",
+      "resolved": "https://registry.npmjs.org/@codemirror/autocomplete/-/autocomplete-6.20.2.tgz",
+      "integrity": "sha512-G5FPkgIiLjOgZMjqVjvuKQ1rGPtHogLldJr33eFJdVLtmwY+giGrlv/ewljLz6b9BSQLkjxuwBc6g6omDM+YxQ==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/language": "^6.0.0",
@@ -774,9 +774,9 @@
       }
     },
     "node_modules/@codemirror/view": {
-      "version": "6.41.1",
-      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.41.1.tgz",
-      "integrity": "sha512-ToDnWKbBnke+ZLrP6vgTTDScGi5H37YYuZGniQaBzxMVdtCxMrslsmtnOvbPZk4RX9bvkQqnWR/WS/35tJA0qg==",
+      "version": "6.42.0",
+      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.42.0.tgz",
+      "integrity": "sha512-+PJEyndSCrsS2oLH3DfWoLBcF3xfeyGXtLnpXqHY01kL3TogyCLD12hNvSu73ww2KFftrx3Rd0nGOigbSkU3Hw==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/state": "^6.6.0",
diff --git a/package.json b/package.json
index c5ff835d69..bd3a5eb376 100644
--- a/package.json
+++ b/package.json
@@ -8,7 +8,7 @@
     "@citation-js/core": "0.7.21",
     "@citation-js/plugin-bibtex": "0.7.21",
     "@citation-js/plugin-software-formats": "0.6.2",
-    "@codemirror/autocomplete": "6.20.1",
+    "@codemirror/autocomplete": "6.20.2",
     "@codemirror/commands": "6.10.3",
     "@codemirror/lang-cpp": "6.0.3",
     "@codemirror/lang-css": "6.3.1",
@@ -29,7 +29,7 @@
     "@codemirror/language": "6.12.3",
     "@codemirror/search": "6.7.0",
     "@codemirror/state": "6.6.0",
-    "@codemirror/view": "6.41.1",
+    "@codemirror/view": "6.42.0",
     "@github/markdown-toolbar-element": "2.2.3",
     "@github/quote-selection": "2.1.0",
     "@github/text-expander-element": "2.9.4",

From 0cdbef74f0d29e94040b5ad52053dd49cd70bc3b Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 10 May 2026 02:21:17 +0200
Subject: [PATCH 262/287] chore: PGP sign .well-known/security.txt [skip ci]
 (#12502)

Sign the distributed version of `.well-known/security.txt`, just like https://forgejo.org/.well-known/security.txt is signed.

```
$ gpg --verify ./security.txt
gpg: Signature made Sat 09 May 2026 05:59:29 PM MDT
gpg:                using EDDSA key 1B638BDF10969D627926B8D9F585D0F99E1FB56F
gpg: Good signature from "Forgejo Security <security@forgejo.org>" [unknown]
Primary key fingerprint: 1B63 8BDF 1096 9D62 7926  B8D9 F585 D0F9 9E1F B56F
```

In the future this signature will have to be updated before the key expires; but as the expiry is already documented in the file this isn't significantly different than the current state.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12502
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 public/.well-known/security.txt | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/public/.well-known/security.txt b/public/.well-known/security.txt
index 1e148b001f..d15de1abcc 100644
--- a/public/.well-known/security.txt
+++ b/public/.well-known/security.txt
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
 # This site is running a Forgejo instance.
 # Forgejo-related security problems should be reported to the Forgejo security team.
 # Security problems related to this instance should be reported to its administration.
@@ -6,3 +9,11 @@ Contact: mailto:security@forgejo.org
 Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/1B638BDF10969D627926B8D9F585D0F99E1FB56F
 Preferred-Languages: en
 Expires: 2027-06-09T23:59:59.000Z
+
+-----BEGIN PGP SIGNATURE-----
+
+iHUEARYKAB0WIQQbY4vfEJadYnkmuNn1hdD5nh+1bwUCaf/KYQAKCRD1hdD5nh+1
+b37sAPsF31EEYpvm21M88Kxjv/YOOJlP2xV94Q94JoYzh5iFqgD/X/1HHOBJHDvc
+YR0b3rrGDFxhSl32BOnHF0yuZO8Nugw=
+=sEiA
+-----END PGP SIGNATURE-----

From a4d623148ddeac655bebadb5327ce01ed5e79905 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 10 May 2026 03:02:17 +0200
Subject: [PATCH 263/287] Update dependency forgejo/release-notes-assistant to
 v1.7.0 (forgejo) (#12501)

---
 .forgejo/workflows/release-notes-assistant-milestones.yml | 2 +-
 .forgejo/workflows/release-notes-assistant.yml            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.forgejo/workflows/release-notes-assistant-milestones.yml b/.forgejo/workflows/release-notes-assistant-milestones.yml
index 8d7df5f18d..f075406335 100644
--- a/.forgejo/workflows/release-notes-assistant-milestones.yml
+++ b/.forgejo/workflows/release-notes-assistant-milestones.yml
@@ -6,7 +6,7 @@ on:
 
 env:
   RNA_WORKDIR: /srv/rna
-  RNA_VERSION: v1.6.1 # renovate: datasource=forgejo-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+  RNA_VERSION: v1.7.0 # renovate: datasource=forgejo-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
 
 jobs:
   release-notes:
diff --git a/.forgejo/workflows/release-notes-assistant.yml b/.forgejo/workflows/release-notes-assistant.yml
index 34d73624ec..e85f11b7f8 100644
--- a/.forgejo/workflows/release-notes-assistant.yml
+++ b/.forgejo/workflows/release-notes-assistant.yml
@@ -8,7 +8,7 @@ on:
       - labeled
 
 env:
-  RNA_VERSION: v1.6.1 # renovate: datasource=forgejo-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+  RNA_VERSION: v1.7.0 # renovate: datasource=forgejo-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
 
 jobs:
   release-notes:

From e5eb5f8e631c682309b25ec35cbe9110410c926d Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 10 May 2026 04:52:02 +0200
Subject: [PATCH 264/287] feat: allow Authorized Integrations to have multiple
 values for a claim match (#12482)

Adds new Authorized Integration claim comparison rules for "in a list" and "in a list of globs", which would be required to permit multiple Forgejo Action events to match a JWT (per [design work](https://codeberg.org/forgejo/forgejo/issues/3571#issuecomment-14510514), [comment](https://codeberg.org/forgejo/forgejo/issues/3571#issuecomment-14512185)).

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12482
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 ...in_user_generate_authorized_integration.go | 46 +++++++++++-
 models/auth/authorized_integration.go         | 11 ++-
 .../auth/method/authorized_integration.go     | 26 +++++++
 .../method/authorized_integration_test.go     | 73 +++++++++++++++++++
 4 files changed, 152 insertions(+), 4 deletions(-)

diff --git a/cmd/admin_user_generate_authorized_integration.go b/cmd/admin_user_generate_authorized_integration.go
index ca39ac1b6f..05d7bcc07a 100644
--- a/cmd/admin_user_generate_authorized_integration.go
+++ b/cmd/admin_user_generate_authorized_integration.go
@@ -31,6 +31,12 @@ user-defined rules, and grant access to Forgejo's API on behalf of a user.
 The issuer may be set to "urn:forgejo:authorized-integrations:actions"
 to support JWTs from the local instance's Forgejo Actions, utilizing the
 enable-openid-connect flag in a workflow.`,
+
+		// `--claim-in sub=v1,v2,v3` needs to be parsed as a single parameter so that we can comma-split the value into
+		// an array.  To accomplish this, we disable urfave 's slice flag separator, which would cause this to be
+		// treated as "sub=v1", "v2=?", and "v3=?", resulting in an error of missing values.
+		DisableSliceFlagSeparator: true,
+
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:     "username",
@@ -59,11 +65,21 @@ enable-openid-connect flag in a workflow.`,
 				Value: map[string]string{},
 				Usage: `Zero-or-more claim equality checks, formatted as claim=value, example: "actor=someuser"`,
 			},
+			&cli.StringMapFlag{
+				Name:  "claim-in",
+				Value: map[string]string{},
+				Usage: `Zero-or-more claim equality in list checks, formatted as claim=value1,value2,... example: "actor=user1,user2"`,
+			},
 			&cli.StringMapFlag{
 				Name:  "claim-glob",
 				Value: map[string]string{},
 				Usage: `Zero-or-more claim glob checks, formatted as claim=value, example: "sub=repo:forgejo/*:pull_request"`,
 			},
+			&cli.StringMapFlag{
+				Name:  "claim-glob-in",
+				Value: map[string]string{},
+				Usage: `Zero-or-more claim glob in list checks, formatted as claim=va*ue1,va*ue2,... example: "sub=repo:*/*:pull_request,repo:*/*:refs:*"`,
+			},
 			// nested claim support omitted for now -- pretty complex for a CLI
 
 			// Permissions available on successful auth:
@@ -115,6 +131,17 @@ func runCreateAuthorizedIntegration(ctx context.Context, c *cli.Command) error {
 			Value:      value,
 		})
 	}
+	for claim, value := range c.StringMap("claim-in") {
+		values := []string{}
+		for s := range strings.SplitSeq(value, ",") {
+			values = append(values, strings.TrimSpace(s))
+		}
+		rules = append(rules, auth_model.ClaimRule{
+			Claim:      claim,
+			Comparison: auth_model.ClaimIn,
+			Values:     values,
+		})
+	}
 	for claim, value := range c.StringMap("claim-glob") {
 		rules = append(rules, auth_model.ClaimRule{
 			Claim:      claim,
@@ -122,6 +149,17 @@ func runCreateAuthorizedIntegration(ctx context.Context, c *cli.Command) error {
 			Value:      value,
 		})
 	}
+	for claim, value := range c.StringMap("claim-glob-in") {
+		values := []string{}
+		for s := range strings.SplitSeq(value, ",") {
+			values = append(values, strings.TrimSpace(s))
+		}
+		rules = append(rules, auth_model.ClaimRule{
+			Claim:      claim,
+			Comparison: auth_model.ClaimGlobIn,
+			Values:     values,
+		})
+	}
 	ai.ClaimRules = &auth_model.ClaimRules{Rules: rules}
 
 	scopes := strings.Join(c.StringSlice("scope"), ",")
@@ -179,7 +217,8 @@ func runCreateAuthorizedIntegration(ctx context.Context, c *cli.Command) error {
 		Description string                     `json:"description"`
 		Claim       string                     `json:"claim"`
 		Comparison  auth_model.ClaimComparison `json:"compare"`
-		Value       string                     `json:"value"`
+		Value       string                     `json:"value,omitempty"`
+		Values      []string                   `json:"values,omitempty"`
 	}
 	output := struct {
 		Message     string                 `json:"message"`
@@ -200,14 +239,19 @@ func runCreateAuthorizedIntegration(ctx context.Context, c *cli.Command) error {
 		switch cr.Comparison {
 		case auth_model.ClaimEqual:
 			description = fmt.Sprintf("%q = %q", cr.Claim, cr.Value)
+		case auth_model.ClaimIn:
+			description = fmt.Sprintf("%q in %q", cr.Claim, cr.Values)
 		case auth_model.ClaimGlob:
 			description = fmt.Sprintf("%q matches %q", cr.Claim, cr.Value)
+		case auth_model.ClaimGlobIn:
+			description = fmt.Sprintf("%q matches in %q", cr.Claim, cr.Values)
 		}
 		output.ClaimRules = append(output.ClaimRules, ClaimRuleDescription{
 			Description: description,
 			Claim:       cr.Claim,
 			Comparison:  cr.Comparison,
 			Value:       cr.Value,
+			Values:      cr.Values,
 		})
 	}
 
diff --git a/models/auth/authorized_integration.go b/models/auth/authorized_integration.go
index ca5e103146..61f0725efb 100644
--- a/models/auth/authorized_integration.go
+++ b/models/auth/authorized_integration.go
@@ -111,6 +111,9 @@ type ClaimRule struct {
 	// For Comparison of ClaimEqual or ClaimGlob, the specific value or glob to match against
 	Value string `json:"value,omitempty"`
 
+	// For Comparison of ClaimIn or ClaimGlobIn, an array of values to match against
+	Values []string `json:"values,omitempty"`
+
 	// For ClaimNested, the rules to apply to the nested object
 	Nested *ClaimRules `json:"nested,omitempty"`
 }
@@ -118,9 +121,11 @@ type ClaimRule struct {
 type ClaimComparison string
 
 const (
-	ClaimEqual  ClaimComparison = "eq"   // exactly equal claim
-	ClaimGlob   ClaimComparison = "glob" // glob match complete claim string
-	ClaimNested ClaimComparison = "nest" // recurse into a claim that is an map[string]any with it's own data fields
+	ClaimEqual  ClaimComparison = "eq"      // exactly equal claim
+	ClaimIn     ClaimComparison = "in"      // exactly equal any of the options in a list
+	ClaimGlob   ClaimComparison = "glob"    // glob match complete claim string
+	ClaimGlobIn ClaimComparison = "glob-in" // glob match any of the options in a list
+	ClaimNested ClaimComparison = "nest"    // recurse into a claim that is an map[string]any with it's own data fields
 )
 
 func GetAuthorizedIntegration(ctx context.Context, issuer, audience string) (*AuthorizedIntegration, error) {
diff --git a/services/auth/method/authorized_integration.go b/services/auth/method/authorized_integration.go
index 7c24c3c8c3..d9fb0c10cc 100644
--- a/services/auth/method/authorized_integration.go
+++ b/services/auth/method/authorized_integration.go
@@ -460,6 +460,13 @@ func (a *AuthorizedIntegration) checkClaims(incomingClaims any, stored *auth_mod
 			} else if lhsStr != rule.Value {
 				return fmt.Errorf("claim %q must be %q, but was %q", rule.Claim, rule.Value, lhsStr)
 			}
+		case auth_model.ClaimIn:
+			lhsStr, ok := lhs.(string)
+			if !ok {
+				return fmt.Errorf("claim %q must be a string, but was %T", rule.Claim, lhs)
+			} else if !slices.Contains(rule.Values, lhsStr) {
+				return fmt.Errorf("claim %q must be one of %q, but was %q", rule.Claim, rule.Values, lhsStr)
+			}
 		case auth_model.ClaimGlob:
 			lhsStr, ok := lhs.(string)
 			if !ok {
@@ -472,6 +479,25 @@ func (a *AuthorizedIntegration) checkClaims(incomingClaims any, stored *auth_mod
 			if !r.Match(lhsStr) {
 				return fmt.Errorf("claim %q must match glob %q, but value %q did not match", rule.Claim, rule.Value, lhsStr)
 			}
+		case auth_model.ClaimGlobIn:
+			lhsStr, ok := lhs.(string)
+			if !ok {
+				return fmt.Errorf("claim %q must be a string, but was %T", rule.Claim, lhs)
+			}
+			matched := false
+			for _, g := range rule.Values {
+				r, err := glob.Compile(g)
+				if err != nil {
+					return fmt.Errorf("unable to parse glob for claim rule on %q; glob = %q, err = %w", rule.Claim, g, err)
+				}
+				if r.Match(lhsStr) {
+					matched = true
+					break
+				}
+			}
+			if !matched {
+				return fmt.Errorf("claim %q must glob match one of %q, but value %q did not match", rule.Claim, rule.Values, lhsStr)
+			}
 		case auth_model.ClaimNested:
 			lhsMap, ok := lhs.(map[string]any)
 			if !ok {
diff --git a/services/auth/method/authorized_integration_test.go b/services/auth/method/authorized_integration_test.go
index 6bce1259c2..7ffd686e9b 100644
--- a/services/auth/method/authorized_integration_test.go
+++ b/services/auth/method/authorized_integration_test.go
@@ -42,6 +42,13 @@ func TestCheckClaims(t *testing.T) {
 			Value:      value,
 		}
 	}
+	in := func(claim string, values []string) auth_model.ClaimRule {
+		return auth_model.ClaimRule{
+			Claim:      claim,
+			Comparison: auth_model.ClaimIn,
+			Values:     values,
+		}
+	}
 	glob := func(claim, value string) auth_model.ClaimRule {
 		return auth_model.ClaimRule{
 			Claim:      claim,
@@ -49,6 +56,13 @@ func TestCheckClaims(t *testing.T) {
 			Value:      value,
 		}
 	}
+	globIn := func(claim string, values []string) auth_model.ClaimRule {
+		return auth_model.ClaimRule{
+			Claim:      claim,
+			Comparison: auth_model.ClaimGlobIn,
+			Values:     values,
+		}
+	}
 	nest := func(claim string, inner ...auth_model.ClaimRule) auth_model.ClaimRule {
 		return auth_model.ClaimRule{
 			Claim:      claim,
@@ -161,6 +175,32 @@ func TestCheckClaims(t *testing.T) {
 		require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"arbitrary\" must be a string, but was int")
 	})
 
+	t.Run("comparison ClaimIn", func(t *testing.T) {
+		c := map[string]any{}
+		rules := rules(in("arbitrary", []string{"abc", "def"}))
+
+		c["arbitrary"] = "abc"
+		require.NoError(t, ai.checkClaims(c, rules))
+		c["arbitrary"] = "def"
+		require.NoError(t, ai.checkClaims(c, rules))
+
+		c["arbitrary"] = "123"
+		require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"arbitrary\" must be one of [\"abc\" \"def\"], but was \"123\"")
+
+		c["arbitrary"] = 123
+		require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"arbitrary\" must be a string, but was int")
+	})
+
+	t.Run("comparison ClaimIn empty", func(t *testing.T) {
+		c := map[string]any{}
+		rules := rules(in("arbitrary", []string{}))
+
+		require.ErrorContains(t, ai.checkClaims(c, rules), "claim rule on \"arbitrary\" couldn't be satisfied: claim not found")
+
+		c["arbitrary"] = "abc"
+		require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"arbitrary\" must be one of [], but was \"abc\"")
+	})
+
 	t.Run("comparison ClaimGlob", func(t *testing.T) {
 		c := map[string]any{}
 		r := rules(glob("arbitrary", "*c"))
@@ -182,6 +222,39 @@ func TestCheckClaims(t *testing.T) {
 		require.ErrorContains(t, ai.checkClaims(c, r), "unable to parse glob for claim rule on \"arbitrary\"; glob = \"[abc\", err = unexpected end of input")
 	})
 
+	t.Run("comparison ClaimGlobIn", func(t *testing.T) {
+		c := map[string]any{}
+		r := rules(globIn("arbitrary", []string{"*c", "*def*"}))
+
+		c["arbitrary"] = "abc"
+		require.NoError(t, ai.checkClaims(c, r))
+		c["arbitrary"] = "abcdef"
+		require.NoError(t, ai.checkClaims(c, r))
+
+		c["arbitrary"] = "123"
+		require.ErrorContains(t, ai.checkClaims(c, r), "claim \"arbitrary\" must glob match one of [\"*c\" \"*def*\"], but value \"123\" did not match")
+
+		c["arbitrary"] = "this string contains a c or two but doesn't end with one" // ensure glob isn't OK w/ a partial match
+		require.ErrorContains(t, ai.checkClaims(c, r), "claim \"arbitrary\" must glob match one of [\"*c\" \"*def*\"], but value \"this string contains a c or two but doesn't end with one\" did not match")
+
+		c["arbitrary"] = 123
+		require.ErrorContains(t, ai.checkClaims(c, r), "claim \"arbitrary\" must be a string, but was int")
+
+		r = rules(globIn("arbitrary", []string{"[abc"}))
+		c["arbitrary"] = "abc"
+		require.ErrorContains(t, ai.checkClaims(c, r), "unable to parse glob for claim rule on \"arbitrary\"; glob = \"[abc\", err = unexpected end of input")
+	})
+
+	t.Run("comparison ClaimGlobIn empty", func(t *testing.T) {
+		c := map[string]any{}
+		rules := rules(globIn("arbitrary", []string{}))
+
+		require.ErrorContains(t, ai.checkClaims(c, rules), "claim rule on \"arbitrary\" couldn't be satisfied: claim not found")
+
+		c["arbitrary"] = "abc"
+		require.ErrorContains(t, ai.checkClaims(c, rules), "claim \"arbitrary\" must glob match one of [], but value \"abc\" did not match")
+	})
+
 	t.Run("comparison ClaimNested", func(t *testing.T) {
 		c := map[string]any{}
 		r := rules(nest("nest", eq("arbitrary", "abc")))

From a8cae6d511d3277ca2d766fad6a6168d69017b03 Mon Sep 17 00:00:00 2001
From: moritzdietz <moritzdietz@noreply.codeberg.org>
Date: Sun, 10 May 2026 21:42:21 +0200
Subject: [PATCH 265/287] fix: Disable spellcheck on repo name field (#12506)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fairly new to Forgejo but I just ran into this when trying to create a couple repositories.
I noticed that the input field for the repository name in several areas of the UI is prone to have annoying auto-capitalization, spellchecking and other browser features which try to correct the user input.

I as a user would like to not have the browser interfere with my input especially in dialogs where I want to have something "custom".
For fields where the repo name is used to validate an action (Danger Zone) this is even more frustrating.

So, to me, this is a quality of live improvement fix.

I checked the docs for these three attributes and none of them seem to have a negative side effect for the user:

1. https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Global_attributes/autocorrect
2. https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Global_attributes/autocapitalize
3. https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Global_attributes/spellcheck

## List of URLs where this applies:
1. `/repo/migrate`
2. `/repo/create`
3. `/<user>/<repo slug>/settings`
4. In general things in the "Danger zone" section where the repo name is used to validate the action
5. …

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12506
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
---
 templates/org/team/repositories.tmpl  |  2 +-
 templates/repo/create_basic.tmpl      |  2 +-
 templates/repo/migrate/codebase.tmpl  |  2 +-
 templates/repo/migrate/git.tmpl       |  2 +-
 templates/repo/migrate/gitbucket.tmpl |  2 +-
 templates/repo/migrate/gitea.tmpl     |  2 +-
 templates/repo/migrate/github.tmpl    |  2 +-
 templates/repo/migrate/gitlab.tmpl    |  2 +-
 templates/repo/migrate/gogs.tmpl      |  2 +-
 templates/repo/migrate/migrating.tmpl |  2 +-
 templates/repo/migrate/onedev.tmpl    |  2 +-
 templates/repo/migrate/pagure.tmpl    |  2 +-
 templates/repo/pulls/fork.tmpl        |  2 +-
 templates/repo/settings/options.tmpl  | 14 +++++++-------
 14 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/templates/org/team/repositories.tmpl b/templates/org/team/repositories.tmpl
index f0f6eef0d1..782e8ca004 100644
--- a/templates/org/team/repositories.tmpl
+++ b/templates/org/team/repositories.tmpl
@@ -13,7 +13,7 @@
 						<form class="ui form ignore-dirty tw-flex-1 tw-flex" action="{{$.OrgLink}}/teams/{{$.Team.LowerName | PathEscape}}/action/repo/add" method="post">
 							<div id="search-repo-box" data-uid="{{.Org.ID}}" class="ui search">
 								<div class="ui input">
-									<input class="prompt" name="repo_name" placeholder="{{ctx.Locale.Tr "search.repo_kind"}}" autocomplete="off" required>
+									<input class="prompt" name="repo_name" placeholder="{{ctx.Locale.Tr "search.repo_kind"}}" autocomplete="off" autocorrect="off" autocapitalize="none" spellcheck="false" required>
 								</div>
 							</div>
 							<button class="ui primary button tw-ml-2">{{ctx.Locale.Tr "add"}}</button>
diff --git a/templates/repo/create_basic.tmpl b/templates/repo/create_basic.tmpl
index 90545c2769..72024f19c9 100644
--- a/templates/repo/create_basic.tmpl
+++ b/templates/repo/create_basic.tmpl
@@ -35,7 +35,7 @@
 </label>
 <label {{if .Err_RepoName}}class="field error"{{end}}>
 	{{ctx.Locale.Tr "repo.repo_name"}}
-	<input name="repo_name" value="{{.repo_name}}" required maxlength="100">
+	<input name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 	<span class="help">{{ctx.Locale.Tr "repo.repo_name_helper"}}</span>
 </label>
 <label>
diff --git a/templates/repo/migrate/codebase.tmpl b/templates/repo/migrate/codebase.tmpl
index 037185b8a0..2a8bfff448 100644
--- a/templates/repo/migrate/codebase.tmpl
+++ b/templates/repo/migrate/codebase.tmpl
@@ -88,7 +88,7 @@
 
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100">
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.visibility"}}</label>
diff --git a/templates/repo/migrate/git.tmpl b/templates/repo/migrate/git.tmpl
index fc0a569add..bf35a68d9e 100644
--- a/templates/repo/migrate/git.tmpl
+++ b/templates/repo/migrate/git.tmpl
@@ -56,7 +56,7 @@
 
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100">
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.visibility"}}</label>
diff --git a/templates/repo/migrate/gitbucket.tmpl b/templates/repo/migrate/gitbucket.tmpl
index 33a14b678f..78db4a1100 100644
--- a/templates/repo/migrate/gitbucket.tmpl
+++ b/templates/repo/migrate/gitbucket.tmpl
@@ -104,7 +104,7 @@
 
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100">
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.visibility"}}</label>
diff --git a/templates/repo/migrate/gitea.tmpl b/templates/repo/migrate/gitea.tmpl
index fd59124841..5fa2213763 100644
--- a/templates/repo/migrate/gitea.tmpl
+++ b/templates/repo/migrate/gitea.tmpl
@@ -100,7 +100,7 @@
 
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100">
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.visibility"}}</label>
diff --git a/templates/repo/migrate/github.tmpl b/templates/repo/migrate/github.tmpl
index ab1be1f575..719f8c4d33 100644
--- a/templates/repo/migrate/github.tmpl
+++ b/templates/repo/migrate/github.tmpl
@@ -102,7 +102,7 @@
 
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100">
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.visibility"}}</label>
diff --git a/templates/repo/migrate/gitlab.tmpl b/templates/repo/migrate/gitlab.tmpl
index a406091394..f945df3d52 100644
--- a/templates/repo/migrate/gitlab.tmpl
+++ b/templates/repo/migrate/gitlab.tmpl
@@ -99,7 +99,7 @@
 
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100">
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.visibility"}}</label>
diff --git a/templates/repo/migrate/gogs.tmpl b/templates/repo/migrate/gogs.tmpl
index e70976c730..40a5969308 100644
--- a/templates/repo/migrate/gogs.tmpl
+++ b/templates/repo/migrate/gogs.tmpl
@@ -99,7 +99,7 @@
 
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100">
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.visibility"}}</label>
diff --git a/templates/repo/migrate/migrating.tmpl b/templates/repo/migrate/migrating.tmpl
index baac203cb8..aec8c4dc68 100644
--- a/templates/repo/migrate/migrating.tmpl
+++ b/templates/repo/migrate/migrating.tmpl
@@ -74,7 +74,7 @@
 				</div>
 				<div class="required field">
 					<label for="repo_name_to_delete">{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-					<input id="repo_name_to_delete" name="repo_name" required>
+					<input id="repo_name_to_delete" name="repo_name" autocorrect="off" autocapitalize="none" spellcheck="false" required>
 				</div>
 			</div>
 			<div class="actions">
diff --git a/templates/repo/migrate/onedev.tmpl b/templates/repo/migrate/onedev.tmpl
index 377fbf2881..3846286429 100644
--- a/templates/repo/migrate/onedev.tmpl
+++ b/templates/repo/migrate/onedev.tmpl
@@ -88,7 +88,7 @@
 
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100">
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.visibility"}}</label>
diff --git a/templates/repo/migrate/pagure.tmpl b/templates/repo/migrate/pagure.tmpl
index 6f48cbc7fe..261e289d51 100644
--- a/templates/repo/migrate/pagure.tmpl
+++ b/templates/repo/migrate/pagure.tmpl
@@ -22,7 +22,7 @@
 					</div>
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100">
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					{{template "repo/migrate/options" .}}
 					<div id="migrate_items">
diff --git a/templates/repo/pulls/fork.tmpl b/templates/repo/pulls/fork.tmpl
index 52e0a61222..262c1759ee 100644
--- a/templates/repo/pulls/fork.tmpl
+++ b/templates/repo/pulls/fork.tmpl
@@ -40,7 +40,7 @@
 					</div>
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{ctx.Locale.Tr "repo.repo_name"}}</label>
-						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required>
+						<input id="repo_name" name="repo_name" value="{{.repo_name}}" required autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.visibility"}}</label>
diff --git a/templates/repo/settings/options.tmpl b/templates/repo/settings/options.tmpl
index ae7c7311db..6c8e59622f 100644
--- a/templates/repo/settings/options.tmpl
+++ b/templates/repo/settings/options.tmpl
@@ -9,7 +9,7 @@
 				<input type="hidden" name="action" value="update">
 				<div class="required field {{if .Err_RepoName}}error{{end}}">
 					<label>{{ctx.Locale.Tr "repo.repo_name"}}</label>
-					<input name="repo_name" value="{{.Repository.Name}}" data-repo-name="{{.Repository.Name}}" autofocus required>
+					<input name="repo_name" value="{{.Repository.Name}}" data-repo-name="{{.Repository.Name}}" autofocus required autocorrect="off" autocapitalize="none" spellcheck="false">
 				</div>
 				<div class="inline field">
 					<label>{{ctx.Locale.Tr "repo.repo_size"}}</label>
@@ -578,7 +578,7 @@
 						</div>
 						<div class="required field">
 							<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-							<input name="repo_name" required maxlength="100">
+							<input name="repo_name" required maxlength="100" autocorrect="off" autocapitalize="none" spellcheck="false">
 						</div>
 					</div>
 					<div class="actions">
@@ -609,7 +609,7 @@
 						</div>
 						<div class="required field">
 							<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-							<input name="repo_name" required>
+							<input name="repo_name" required autocorrect="off" autocapitalize="none" spellcheck="false">
 						</div>
 					</div>
 					<div class="actions">
@@ -641,7 +641,7 @@
 					</div>
 					<div class="required field">
 						<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-						<input name="repo_name" required>
+						<input name="repo_name" required autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 					<div class="required field">
 						<label for="new_owner_name">{{ctx.Locale.Tr "repo.settings.transfer_owner"}}</label>
@@ -679,7 +679,7 @@
 					</div>
 					<div class="required field">
 						<label for="repo_name_to_delete">{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-						<input id="repo_name_to_delete" name="repo_name" required>
+						<input id="repo_name_to_delete" name="repo_name" autocorrect="off" autocapitalize="none" spellcheck="false" required>
 					</div>
 				</div>
 				<div class="actions">
@@ -711,7 +711,7 @@
 					</div>
 					<div class="required field">
 						<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-						<input name="repo_name" required>
+						<input name="repo_name" required autocorrect="off" autocapitalize="none" spellcheck="false">
 					</div>
 				</div>
 				<div class="actions">
@@ -744,7 +744,7 @@
 						</div>
 						<div class="required field">
 							<label>{{ctx.Locale.Tr "repo.settings.confirmation_string"}}</label>
-							<input name="repo_name" required>
+							<input name="repo_name" required autocorrect="off" autocapitalize="none" spellcheck="false">
 						</div>
 					</div>
 					<div class="actions">

From 6b75654cc2b7161c64c5c0633fe8b00a96b6bc35 Mon Sep 17 00:00:00 2001
From: Cameron Radmore <radmorecameron@gmail.com>
Date: Mon, 11 May 2026 00:20:45 +0200
Subject: [PATCH 266/287] chore: enforce RTL-friendly logical CSS properties
 with a linter (#12491)

Related issue: https://codeberg.org/forgejo/forgejo/issues/8581

This should be a nice first step towards RTL support. Future PRs can look at updating the tailwind classes, changing some of the icons (arrow left might need to become arrow right in some cases for example, and updating the template files)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12491
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
---
 package-lock.json                             |  11 +
 package.json                                  |   1 +
 stylelint.config.js                           |  11 +
 web_src/css/actions.css                       |  13 +-
 web_src/css/admin.css                         |   4 +-
 web_src/css/base.css                          |  77 ++---
 web_src/css/chroma/base.css                   |   4 +-
 web_src/css/codemirror/base.css               |   2 +-
 web_src/css/dashboard.css                     |  13 +-
 web_src/css/editor/combomarkdowneditor.css    |   6 +-
 web_src/css/editor/fileeditor.css             |   8 +-
 web_src/css/explore.css                       |   4 +-
 web_src/css/features/codeeditor.css           |   4 +-
 web_src/css/features/colorpicker.css          |   4 +-
 web_src/css/features/gitgraph.css             |  10 +-
 web_src/css/features/heatmap.css              |   6 +-
 web_src/css/features/imagediff.css            |  10 +-
 web_src/css/features/projects.css             |  14 +-
 web_src/css/features/tribute.css              |   4 +-
 web_src/css/form.css                          |  32 +-
 web_src/css/home.css                          |   8 +-
 web_src/css/install.css                       |  14 +-
 web_src/css/issues.css                        |   8 +-
 web_src/css/markup/codecopy.css               |   4 +-
 web_src/css/markup/content.css                |  54 +--
 web_src/css/markup/filepreview.css            |   2 +-
 web_src/css/modules/animations.css            |   2 +-
 web_src/css/modules/button-legacy.css         |  14 +-
 web_src/css/modules/button.css                |   2 +-
 web_src/css/modules/card.css                  |   8 +-
 web_src/css/modules/checkbox.css              |  14 +-
 web_src/css/modules/comment.css               |  10 +-
 web_src/css/modules/container.css             |  15 +-
 web_src/css/modules/dialog.css                |  14 +-
 web_src/css/modules/divider.css               |   4 +-
 web_src/css/modules/grid.css                  |  78 ++---
 web_src/css/modules/hashbox.css               |  14 +-
 web_src/css/modules/header.css                |  11 +-
 web_src/css/modules/input.css                 |  33 +-
 web_src/css/modules/label.css                 |   8 +-
 web_src/css/modules/list.css                  |  10 +-
 web_src/css/modules/message.css               |   5 +-
 web_src/css/modules/modal.css                 |  12 +-
 web_src/css/modules/navbar.css                |   8 +-
 web_src/css/modules/segment.css               |   9 +-
 web_src/css/modules/select.css                |   2 +-
 web_src/css/modules/switch.css                |  10 +-
 web_src/css/modules/table.css                 |  27 +-
 web_src/css/modules/tippy.css                 |   8 +-
 web_src/css/modules/toast.css                 |  16 +-
 web_src/css/modules/user-cards.css            |   2 +-
 web_src/css/org.css                           |  20 +-
 web_src/css/repo.css                          | 319 +++++++++---------
 web_src/css/repo/file-view.css                |   6 +-
 web_src/css/repo/issue-label.css              |   4 +-
 web_src/css/repo/issue-list.css               |  12 +-
 web_src/css/repo/linebutton.css               |   2 +-
 web_src/css/repo/list-header.css              |   5 +-
 web_src/css/repo/release-tag.css              |  25 +-
 web_src/css/repo/wiki.css                     |  10 +-
 web_src/css/review.css                        |  17 +-
 web_src/css/shared/repoorg.css                |   4 +-
 web_src/css/standalone/swagger.css            |   4 +-
 web_src/css/themes/theme-forgejo-dark.css     |   2 +-
 web_src/css/themes/theme-forgejo-light.css    |   2 +-
 web_src/css/user.css                          |   2 +-
 web_src/js/components/ActionJobStep.vue       |  10 +-
 web_src/js/components/DashboardRepoList.vue   |  10 +-
 web_src/js/components/DiffCommitSelector.vue  |   2 +-
 web_src/js/components/DiffFileTree.vue        |   2 +-
 web_src/js/components/DiffFileTreeItem.vue    |   6 +-
 .../js/components/PullRequestMergeForm.vue    |   9 +-
 web_src/js/components/RepoActionView.vue      |  14 +-
 .../js/components/RepoBranchTagSelector.vue   |   4 +-
 74 files changed, 556 insertions(+), 599 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5cc3fc5137..35fe4a8bbc 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -116,6 +116,7 @@
         "stylelint": "16.26.1",
         "stylelint-declaration-block-no-ignored-properties": "2.8.0",
         "stylelint-declaration-strict-value": "1.11.1",
+        "stylelint-plugin-logical-css": "2.1.0",
         "stylelint-value-no-unknown-custom-properties": "6.1.1",
         "svgo": "4.0.1",
         "typescript": "5.9.3",
@@ -14758,6 +14759,16 @@
         "stylelint": ">=16 <=17"
       }
     },
+    "node_modules/stylelint-plugin-logical-css": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/stylelint-plugin-logical-css/-/stylelint-plugin-logical-css-2.1.0.tgz",
+      "integrity": "sha512-625OT+p5y2kkGBaRV7uTYscuH0m1UueMXh0WcidrXgwF2DOnKov+un9tvuyNG+SUC07W0ibcn+fZvQs/keskww==",
+      "dev": true,
+      "license": "MIT",
+      "peerDependencies": {
+        "stylelint": "^14.0.0 || ^15.0.0 || ^16.0.0 || ^17.0.0"
+      }
+    },
     "node_modules/stylelint-value-no-unknown-custom-properties": {
       "version": "6.1.1",
       "resolved": "https://registry.npmjs.org/stylelint-value-no-unknown-custom-properties/-/stylelint-value-no-unknown-custom-properties-6.1.1.tgz",
diff --git a/package.json b/package.json
index bd3a5eb376..6b83ddb0c3 100644
--- a/package.json
+++ b/package.json
@@ -115,6 +115,7 @@
     "stylelint": "16.26.1",
     "stylelint-declaration-block-no-ignored-properties": "2.8.0",
     "stylelint-declaration-strict-value": "1.11.1",
+    "stylelint-plugin-logical-css": "2.1.0",
     "stylelint-value-no-unknown-custom-properties": "6.1.1",
     "svgo": "4.0.1",
     "typescript": "5.9.3",
diff --git a/stylelint.config.js b/stylelint.config.js
index 18f9af68b7..b7cc162669 100644
--- a/stylelint.config.js
+++ b/stylelint.config.js
@@ -11,6 +11,7 @@ export default {
   plugins: [
     'stylelint-declaration-strict-value',
     'stylelint-declaration-block-no-ignored-properties',
+    'stylelint-plugin-logical-css',
     'stylelint-value-no-unknown-custom-properties',
     '@stylistic/stylelint-plugin',
   ],
@@ -173,6 +174,16 @@ export default {
     'keyframe-selector-notation': null,
     'keyframes-name-pattern': null,
     'length-zero-no-unit': [true, {ignore: ['custom-properties']}, {ignoreFunctions: ['var']}],
+    'logical-css/require-logical-keywords': true,
+    'logical-css/require-logical-properties': [true, {
+      fix: true,
+      ignore: [ // ignore properties not related to RTL support
+        'height', 'min-height', 'max-height', 'width', 'min-width', 'max-width', 'top', 'bottom',
+        'margin-bottom', 'margin-top', 'padding-bottom', 'padding-top',
+        'border-top', 'border-top-style', 'border-top-width', 'border-bottom', 'border-bottom-style', 'border-bottom-width',
+        'scroll-margin-top', 'scroll-margin-bottom', 'scroll-padding-top', 'scroll-padding-bottom'],
+      severity: 'error',
+    }],
     'max-nesting-depth': null,
     'media-feature-name-allowed-list': null,
     'media-feature-name-disallowed-list': null,
diff --git a/web_src/css/actions.css b/web_src/css/actions.css
index cb96bdeac6..82149378b9 100644
--- a/web_src/css/actions.css
+++ b/web_src/css/actions.css
@@ -3,11 +3,11 @@
 }
 
 .runner-container .ui.table.segment {
-  overflow-x: auto;
+  overflow-inline: auto;
 }
 
 .runner-container .runner-ops > a {
-  margin-left: 0.5em;
+  margin-inline-start: 0.5em;
 }
 
 .runner-container .runner-ops-delete {
@@ -124,7 +124,7 @@
   flex: none;
   font-weight: var(--font-weight-medium);
   width: 12rem;
-  padding-right: 1.5rem;
+  padding-inline-end: 1.5rem;
 }
 
 .runner-container dl dd {
@@ -178,12 +178,11 @@
 }
 #workflow_dispatch_dropdown .menu {
   max-height: 500px;
-  overflow-x: auto;
+  overflow-inline: auto;
 }
 @media (max-width: 640px) or (767.98px < width < 854px) {
   #workflow_dispatch_dropdown .menu {
-    left: auto;
-    right: 0;
+    inset-inline: auto 0;
   }
 }
 
@@ -210,7 +209,7 @@
 .ui.vertical.menu.actions-menu .item .error {
   display: flex;
   align-items: center;
-  margin-left: 1rem;
+  margin-inline-start: 1rem;
 }
 
 .ui.vertical.menu.actions-menu .item .label {
diff --git a/web_src/css/admin.css b/web_src/css/admin.css
index 873b1bf91e..1c041dd6f0 100644
--- a/web_src/css/admin.css
+++ b/web_src/css/admin.css
@@ -24,7 +24,7 @@
 }
 
 .admin dl.admin-dl-horizontal dd {
-  margin-left: auto;
+  margin-inline-start: auto;
   width: calc(100% - 300px - 1em);
   min-width: 100px;
 }
@@ -36,7 +36,7 @@
 }
 
 .admin .ui.table.segment {
-  overflow-x: auto; /* if the screen width is small, many wide tables (eg: user list) need scroll bars */
+  overflow-inline: auto; /* if the screen width is small, many wide tables (eg: user list) need scroll bars */
 }
 
 .admin .table th {
diff --git a/web_src/css/base.css b/web_src/css/base.css
index 0ac81dca26..0f1b122fa6 100644
--- a/web_src/css/base.css
+++ b/web_src/css/base.css
@@ -74,7 +74,7 @@ body {
   tab-size: var(--tab-size);
   display: flex;
   flex-direction: column;
-  overflow-x: visible;
+  overflow-inline: visible;
   overflow-wrap: break-word;
   text-autospace: normal;
   text-spacing-trim: normal;
@@ -390,7 +390,7 @@ a.label,
 }
 
 .ui.menu .item > .svg {
-  margin-right: 0.35em;
+  margin-inline-end: 0.35em;
 }
 
 .ui.menu .dropdown.item:hover,
@@ -479,7 +479,7 @@ a.label,
   margin-bottom: -0.25rem;
 }
 .ui.dropdown .menu > .item > svg {
-  margin-right: .78rem; /* use the same margin as for <img> */
+  margin-inline-end: .78rem; /* use the same margin as for <img> */
 }
 
 .ui.selection.dropdown .menu > .item {
@@ -508,9 +508,8 @@ a.label,
 
 /* extend fomantic style '.ui.dropdown > .text > img' to include svg.img */
 .ui.dropdown > .text > .img {
-  margin-left: 0;
+  margin-inline: 0 0.78571429rem;
   float: none;
-  margin-right: 0.78571429rem;
 }
 
 .ui.dropdown > .text > .description,
@@ -521,13 +520,11 @@ a.label,
 /* replace item margin on secondary menu items with gap and remove both the
    negative margins on the menu as well as margin on the items */
 .ui.secondary.menu {
-  margin-left: 0;
-  margin-right: 0;
+  margin-inline: 0;
   gap: .35714286em;
 }
 .ui.secondary.menu .item {
-  margin-left: 0;
-  margin-right: 0;
+  margin-inline: 0;
 }
 
 .ui.secondary.menu .dropdown.item:hover,
@@ -769,15 +766,15 @@ img.ui.avatar,
 }
 
 .ui .text.left {
-  text-align: left !important;
+  text-align: start !important;
 }
 
 .ui .text.right {
-  text-align: right !important;
+  text-align: end !important;
 }
 
 .ui .text.truncate {
-  overflow-x: hidden;
+  overflow-inline: hidden;
   text-overflow: ellipsis;
   white-space: nowrap;
   display: inline-block;
@@ -788,14 +785,13 @@ img.ui.avatar,
 }
 
 .ui .message > ul {
-  margin-left: auto;
-  margin-right: auto;
+  margin-inline: auto;
   display: table;
-  text-align: left;
+  text-align: start;
 }
 
 .ui .header > i + .content {
-  padding-left: 0.75rem;
+  padding-inline-start: 0.75rem;
   vertical-align: middle;
 }
 
@@ -808,7 +804,7 @@ img.ui.avatar,
 }
 
 .ui .form .sub.field {
-  margin-left: 25px;
+  margin-inline-start: 25px;
 }
 
 .ui .button.truncate {
@@ -818,11 +814,11 @@ img.ui.avatar,
   text-overflow: ellipsis;
   vertical-align: top;
   white-space: nowrap;
-  margin-right: 6px;
+  margin-inline-end: 6px;
 }
 
 .ui.status.buttons .svg {
-  margin-right: 4px;
+  margin-inline-end: 4px;
 }
 
 .ui.inline.delete-button {
@@ -902,14 +898,13 @@ img.ui.avatar,
 }
 
 .ui.pagination.menu.narrow .item {
-  padding-left: 8px;
-  padding-right: 8px;
+  padding-inline: 8px;
   min-width: 1em;
   text-align: center;
 }
 
 .ui.pagination.menu.narrow .item .icon {
-  margin-right: 0;
+  margin-inline-end: 0;
 }
 
 .ui.floating.dropdown .overflow.menu .scrolling.menu.items {
@@ -933,7 +928,7 @@ img.ui.avatar,
 
 .color-preview {
   display: inline-block;
-  margin-left: 0.4em;
+  margin-inline-start: 0.4em;
   height: 0.67em;
   width: 0.67em;
   border-radius: var(--border-radius);
@@ -949,35 +944,35 @@ img.ui.avatar,
 }
 
 blockquote.attention-note {
-  border-left-color: var(--color-blue-dark-1);
+  border-inline-start-color: var(--color-blue-dark-1);
 }
 strong.attention-note, svg.attention-note {
   color: var(--color-blue-dark-1);
 }
 
 blockquote.attention-tip {
-  border-left-color: var(--color-success-text);
+  border-inline-start-color: var(--color-success-text);
 }
 strong.attention-tip, svg.attention-tip {
   color: var(--color-success-text);
 }
 
 blockquote.attention-important {
-  border-left-color: var(--color-violet-dark-1);
+  border-inline-start-color: var(--color-violet-dark-1);
 }
 strong.attention-important, svg.attention-important {
   color: var(--color-violet-dark-1);
 }
 
 blockquote.attention-warning {
-  border-left-color: var(--color-warning-text);
+  border-inline-start-color: var(--color-warning-text);
 }
 strong.attention-warning, svg.attention-warning {
   color: var(--color-warning-text);
 }
 
 blockquote.attention-caution {
-  border-left-color: var(--color-red-dark-1);
+  border-inline-start-color: var(--color-red-dark-1);
 }
 strong.attention-caution, svg.attention-caution {
   color: var(--color-red-dark-1);
@@ -990,7 +985,7 @@ strong.attention-caution, svg.attention-caution {
 overflow-menu {
   border-bottom: 1px solid var(--color-secondary) !important;
   display: flex;
-  overflow-x: auto;
+  overflow-inline: auto;
 }
 
 overflow-menu .overflow-menu-items {
@@ -1008,7 +1003,7 @@ overflow-menu .overflow-menu-items .item > .svg {
 }
 
 overflow-menu .ui.label {
-  margin-left: 7px !important; /* save some space */
+  margin-inline-start: 7px !important; /* save some space */
 }
 
 .activity-bar-graph {
@@ -1058,7 +1053,7 @@ overflow-menu .ui.label {
 
 .lines-num {
   padding: 0 8px;
-  text-align: right !important;
+  text-align: end !important;
   color: var(--color-text-light-2);
   width: 1%;
   font-family: var(--fonts-monospace);
@@ -1105,7 +1100,7 @@ overflow-menu .ui.label {
 .lines-code ol li {
   display: block;
   width: calc(100% - 1ch);
-  padding-left: 1ch;
+  padding-inline-start: 1ch;
 }
 
 .code-inner {
@@ -1156,7 +1151,7 @@ overflow-menu .ui.label {
 .blame-avatar {
   display: flex;
   align-items: center;
-  margin-right: 4px;
+  margin-inline-end: 4px;
 }
 
 .top-line-blame {
@@ -1201,7 +1196,7 @@ table th[data-sortt-desc]:hover {
 
 table th[data-sortt-asc] .svg,
 table th[data-sortt-desc] .svg {
-  margin-left: 0.25rem;
+  margin-inline-start: 0.25rem;
 }
 
 .ui.dropdown .menu .item {
@@ -1291,7 +1286,7 @@ table th[data-sortt-desc] .svg {
 .flash-error details code,
 .flash-warning details code {
   display: block;
-  text-align: left;
+  text-align: start;
 }
 
 .truncated-item-container {
@@ -1320,7 +1315,7 @@ table th[data-sortt-desc] .svg {
   display: flex;
   flex-direction: column;
   justify-content: center;
-  margin-left: 1em;
+  margin-inline-start: 1em;
 }
 
 .precolors .color {
@@ -1341,13 +1336,13 @@ table th[data-sortt-desc] .svg {
 
 .ui.dropdown.mini.button,
 .ui.dropdown.tiny.button {
-  padding-right: 20px;
+  padding-inline-end: 20px;
 }
 .ui.dropdown.button {
-  padding-right: 22px;
+  padding-inline-end: 22px;
 }
 .ui.dropdown.large.button {
-  padding-right: 24px;
+  padding-inline-end: 24px;
 }
 
 /* Gitea uses SVG images instead of Fomantic builtin "<i>" font icons, so we need to reset the icon styles */
@@ -1370,11 +1365,11 @@ table th[data-sortt-desc] .svg {
 }
 
 .ui.ui.dropdown > .dropdown.icon {
-  right: 0.5em;
+  inset-inline-end: 0.5em;
 }
 
 .ui.ui.dropdown > .remove.icon {
-  right: 2em;
+  inset-inline-end: 2em;
 }
 
 .btn,
diff --git a/web_src/css/chroma/base.css b/web_src/css/chroma/base.css
index bce13332f8..deac36063b 100644
--- a/web_src/css/chroma/base.css
+++ b/web_src/css/chroma/base.css
@@ -25,13 +25,13 @@
 
 /* LineNumbersTable */
 .chroma .lnt {
-  margin-right: 0.4em;
+  margin-inline-end: 0.4em;
   padding: 0 0.4em;
 }
 
 /* LineNumbers */
 .chroma .ln {
-  margin-right: 0.4em;
+  margin-inline-end: 0.4em;
   padding: 0 0.4em;
 }
 
diff --git a/web_src/css/codemirror/base.css b/web_src/css/codemirror/base.css
index aedf7d8560..556639e71f 100644
--- a/web_src/css/codemirror/base.css
+++ b/web_src/css/codemirror/base.css
@@ -15,7 +15,7 @@
 }
 
 .EasyMDEContainer .CodeMirror.CodeMirror-fullscreen.CodeMirror-focused {
-  border-right: 1px solid var(--color-primary) !important;
+  border-inline-end: 1px solid var(--color-primary) !important;
 }
 
 .CodeMirror-cursor {
diff --git a/web_src/css/dashboard.css b/web_src/css/dashboard.css
index 9c81ccc38a..44f56efaf9 100644
--- a/web_src/css/dashboard.css
+++ b/web_src/css/dashboard.css
@@ -17,7 +17,7 @@
 
 .dashboard.feeds .filter.menu .item,
 .dashboard.issues .filter.menu .item {
-  text-align: left;
+  text-align: start;
   display: flex;
   align-items: center;
   justify-content: space-between;
@@ -32,15 +32,14 @@
 .dashboard.feeds .filter.menu .jump.item,
 .dashboard.issues .filter.menu .jump.item {
   margin: 1px;
-  padding-right: 0;
+  padding-inline-end: 0;
 }
 
 .dashboard.feeds .filter.menu .menu,
 .dashboard.issues .filter.menu .menu {
   max-height: 300px;
-  overflow-x: auto;
-  right: 0 !important;
-  left: auto !important;
+  overflow-inline: auto;
+  inset-inline: auto 0 !important;
 }
 
 @media (max-width: 767.98px) {
@@ -64,11 +63,11 @@
 }
 
 .dashboard .secondary-nav .right.menu div.item {
-  padding-left: 0.5rem;
+  padding-inline-start: 0.5rem;
 }
 
 .dashboard .secondary-nav .org-visibility .label {
-  margin-left: 5px;
+  margin-inline-start: 5px;
 }
 
 .dashboard .secondary-nav .ui.dropdown {
diff --git a/web_src/css/editor/combomarkdowneditor.css b/web_src/css/editor/combomarkdowneditor.css
index 77af4cb87b..2a1593b091 100644
--- a/web_src/css/editor/combomarkdowneditor.css
+++ b/web_src/css/editor/combomarkdowneditor.css
@@ -47,7 +47,7 @@
   display: block;
   width: 100%;
   max-height: calc(100vh - var(--min-height-textarea));
-  resize: vertical;
+  resize: block;
 }
 
 .combo-markdown-editor .CodeMirror-scroll {
@@ -127,7 +127,7 @@ text-expander .suggestions li:hover {
 
 text-expander .suggestions .fullname {
   font-weight: var(--font-weight-normal);
-  margin-left: 4px;
+  margin-inline-start: 4px;
   color: var(--color-text-light-1);
 }
 
@@ -140,5 +140,5 @@ text-expander .suggestions li[aria-selected="true"] span {
 text-expander .suggestions img {
   width: 24px;
   height: 24px;
-  margin-right: 8px;
+  margin-inline-end: 8px;
 }
diff --git a/web_src/css/editor/fileeditor.css b/web_src/css/editor/fileeditor.css
index 444ee8c7e7..287a4c7caa 100644
--- a/web_src/css/editor/fileeditor.css
+++ b/web_src/css/editor/fileeditor.css
@@ -7,8 +7,8 @@
 }
 
 .repository.file.editor .tab[data-tab="write"] .CodeMirror {
-  border-left: 0;
-  border-right: 0;
+  border-inline-start: 0;
+  border-inline-end: 0;
   border-bottom: 0;
 }
 
@@ -36,8 +36,8 @@
 }
 
 .editor-toolbar i.separator {
-  border-left: none;
-  border-right-color: var(--color-secondary);
+  border-inline-start: none;
+  border-inline-end-color: var(--color-secondary);
 }
 
 .editor-toolbar button:hover {
diff --git a/web_src/css/explore.css b/web_src/css/explore.css
index 5cdee823c0..0a09592eeb 100644
--- a/web_src/css/explore.css
+++ b/web_src/css/explore.css
@@ -5,7 +5,7 @@
 .explore .secondary-nav .svg {
   width: 16px;
   text-align: center;
-  margin-right: 5px;
+  margin-inline-end: 5px;
 }
 
 .ui.repository.branches .info {
@@ -27,5 +27,5 @@
 
 /* fix alignment of PR popup in branches table */
 .ui.repository.branches table .ui.popup {
-  text-align: left;
+  text-align: start;
 }
diff --git a/web_src/css/features/codeeditor.css b/web_src/css/features/codeeditor.css
index afa6637654..9b45e4e669 100644
--- a/web_src/css/features/codeeditor.css
+++ b/web_src/css/features/codeeditor.css
@@ -16,7 +16,7 @@
   #editor-bar {
     gap: var(--button-spacing);
     .switch {
-      overflow-x: scroll;
+      overflow-inline: scroll;
     }
   }
 }
@@ -24,7 +24,7 @@
 .cm-panel.fj-search {
   position: absolute;
   top: 0;
-  right: 0;
+  inset-inline-end: 0;
   background-color: var(--color-body);
   box-shadow: 0 6px 18px var(--color-shadow);
   border-radius: 0.3rem;
diff --git a/web_src/css/features/colorpicker.css b/web_src/css/features/colorpicker.css
index b7436783df..30b6bc7cc2 100644
--- a/web_src/css/features/colorpicker.css
+++ b/web_src/css/features/colorpicker.css
@@ -6,14 +6,14 @@
 .js-color-picker-input input {
   padding-top: 8px !important;
   padding-bottom: 8px !important;
-  padding-left: 32px !important;
+  padding-inline-start: 32px !important;
 }
 
 .js-color-picker-input .preview-square {
   position: absolute;
   aspect-ratio: 1;
   height: 16px;
-  left: 10px;
+  inset-inline-start: 10px;
   top: 50%;
   transform: translateY(-50%);
   border-radius: 2px;
diff --git a/web_src/css/features/gitgraph.css b/web_src/css/features/gitgraph.css
index 9f44e884b7..1ba09118d8 100644
--- a/web_src/css/features/gitgraph.css
+++ b/web_src/css/features/gitgraph.css
@@ -1,5 +1,5 @@
 #git-graph-content {
-  overflow-x: auto;
+  overflow-inline: auto;
   width: 100%;
   min-height: 250px;
 }
@@ -25,7 +25,7 @@
   }
 
   #git-graph-heading-left {
-    margin-right: 1rem;
+    margin-inline-end: 1rem;
   }
 
   #git-graph-heading h2 {
@@ -102,8 +102,8 @@
 
 #git-graph-container #rel-container {
   max-width: 30%;
-  overflow-x: auto;
-  float: left;
+  overflow-inline: auto;
+  float: inline-start;
 }
 
 #git-graph-container #rev-list {
@@ -117,7 +117,7 @@
 
 #git-graph-container #rev-list .commit-refs .button {
   padding: 2px 4px;
-  margin-right: 0.25em;
+  margin-inline-end: 0.25em;
   display: inline-block;
   max-width: 200px;
   overflow: hidden;
diff --git a/web_src/css/features/heatmap.css b/web_src/css/features/heatmap.css
index c064590c46..f2b0609186 100644
--- a/web_src/css/features/heatmap.css
+++ b/web_src/css/features/heatmap.css
@@ -40,19 +40,19 @@
   font-size: 11px;
   position: absolute;
   bottom: 0;
-  left: 25px;
+  inset-inline-start: 25px;
 }
 
 @media (max-width: 1200px) {
   #user-heatmap .total-contributions {
-    left: 21px;
+    inset-inline-start: 21px;
   }
 }
 
 @media (max-width: 1000px) {
   #user-heatmap .total-contributions {
     font-size: 10px;
-    left: 17px;
+    inset-inline-start: 17px;
     bottom: -4px;
   }
 }
diff --git a/web_src/css/features/imagediff.css b/web_src/css/features/imagediff.css
index c8ead2ba4a..95ff384f19 100644
--- a/web_src/css/features/imagediff.css
+++ b/web_src/css/features/imagediff.css
@@ -54,28 +54,28 @@
 
 .image-diff-container .diff-swipe .swipe-frame .swipe-container {
   position: absolute;
-  right: 0;
+  inset-inline-end: 0;
   display: block;
-  border-left: 2px solid var(--color-secondary-dark-8);
+  border-inline-start: 2px solid var(--color-secondary-dark-8);
   height: 100%;
   overflow: hidden;
 }
 
 .image-diff-container .diff-swipe .swipe-frame .swipe-container .after-container {
   position: absolute;
-  right: 0;
+  inset-inline-end: 0;
 }
 
 .image-diff-container .diff-swipe .swipe-frame .swipe-bar {
   position: absolute;
   height: 100%;
   top: 0;
-  left: 0;
+  inset-inline-start: 0;
 }
 
 .image-diff-container .diff-swipe .swipe-frame .swipe-bar .handle {
   background: var(--color-secondary-dark-8);
-  left: -5px;
+  inset-inline-start: -5px;
   height: 12px;
   width: 12px;
   position: absolute;
diff --git a/web_src/css/features/projects.css b/web_src/css/features/projects.css
index 3a1808dfe3..939357d429 100644
--- a/web_src/css/features/projects.css
+++ b/web_src/css/features/projects.css
@@ -2,7 +2,7 @@
   display: flex;
   flex-direction: row;
   flex-wrap: nowrap;
-  overflow-x: auto;
+  overflow-inline: auto;
   margin: 0 0.5em;
 }
 
@@ -15,7 +15,7 @@
   width: 320px;
   height: calc(100vh - 450px);
   min-height: 60vh;
-  overflow-y: scroll;
+  overflow-block: scroll;
   flex: 0 0 auto;
   overflow: visible;
   display: flex;
@@ -57,7 +57,7 @@
   padding: 0 !important;
   flex-wrap: nowrap !important;
   flex-direction: column;
-  overflow-x: auto;
+  overflow-inline: auto;
   gap: .25rem;
 }
 
@@ -68,11 +68,11 @@
 }
 
 .project-column:first-child {
-  margin-left: auto !important;
+  margin-inline-start: auto !important;
 }
 
 .project-column:last-child {
-  margin-right: auto !important;
+  margin-inline-end: auto !important;
 }
 
 .card-attachment-images {
@@ -87,8 +87,8 @@
   display: inline-block;
   max-height: 50px;
   border-radius: var(--border-radius);
-  text-align: left;
-  margin-right: 2px;
+  text-align: start;
+  margin-inline-end: 2px;
   aspect-ratio: 1;
 }
 
diff --git a/web_src/css/features/tribute.css b/web_src/css/features/tribute.css
index bd843675e1..f18d2bfea2 100644
--- a/web_src/css/features/tribute.css
+++ b/web_src/css/features/tribute.css
@@ -17,7 +17,7 @@
 .tribute-container li span.fullname {
   font-weight: var(--font-weight-normal);
   font-size: 0.8rem;
-  margin-left: 3px;
+  margin-inline-start: 3px;
 }
 
 .tribute-container li.highlight,
@@ -33,7 +33,7 @@
 
 .tribute-item .emoji,
 .tribute-item img[src*="/avatar/"] {
-  margin-right: 0.5rem;
+  margin-inline-end: 0.5rem;
 }
 
 .tribute-container img {
diff --git a/web_src/css/form.css b/web_src/css/form.css
index 5263d61d5d..b870d3ec0a 100644
--- a/web_src/css/form.css
+++ b/web_src/css/form.css
@@ -47,7 +47,7 @@ fieldset label + .ui.dropdown {
 
 fieldset label > input[type="checkbox"],
 fieldset label > input[type="radio"] {
-  margin-right: 0.75em;
+  margin-inline-end: 0.75em;
   margin-top: 0 !important;
   vertical-align: initial !important; /* overrides a semantic.css rule, remove when obsolete */
 }
@@ -298,7 +298,7 @@ input:-webkit-autofill:active,
   .h-captcha-style {
     margin: 0 auto !important;
     width: 304px;
-    padding-left: 30px;
+    padding-inline-start: 30px;
   }
   .g-recaptcha-style iframe,
   .h-captcha-style iframe {
@@ -351,10 +351,10 @@ input:-webkit-autofill:active,
   .user.link-account form .header,
   .user.signin form .header,
   .user.signup form .header {
-    padding-left: 280px !important;
+    padding-inline-start: 280px !important;
   }
   .user.activate form .inline.field > label {
-    text-align: right;
+    text-align: end;
     width: 250px !important;
     word-wrap: break-word;
   }
@@ -364,7 +364,7 @@ input:-webkit-autofill:active,
   .user.link-account form .help,
   .user.signin form .help,
   .user.signup form .help {
-    margin-left: 265px !important;
+    margin-inline-start: 265px !important;
   }
   .user.activate form .optional .title,
   .user.forgot.password form .optional .title,
@@ -372,7 +372,7 @@ input:-webkit-autofill:active,
   .user.link-account form .optional .title,
   .user.signin form .optional .title,
   .user.signup form .optional .title {
-    margin-left: 250px !important;
+    margin-inline-start: 250px !important;
   }
 }
 
@@ -383,7 +383,7 @@ input:-webkit-autofill:active,
   .user.link-account form .optional .title,
   .user.signin form .optional .title,
   .user.signup form .optional .title {
-    margin-left: 15px;
+    margin-inline-start: 15px;
   }
   .user.activate form .inline.field > label,
   .user.forgot.password form .inline.field > label,
@@ -401,7 +401,7 @@ input:-webkit-autofill:active,
 .user.link-account form .header,
 .user.signin form .header,
 .user.signup form .header {
-  padding-left: 0 !important;
+  padding-inline-start: 0 !important;
   text-align: center;
 }
 
@@ -474,22 +474,22 @@ input:-webkit-autofill:active,
   .repository.new.repo form .header,
   .repository.new.migrate form .header,
   .repository.new.fork form .header {
-    padding-left: 280px !important;
+    padding-inline-start: 280px !important;
   }
   .repository.new.migrate form .inline.field > label,
   .repository.new.fork form .inline.field > label {
-    text-align: right;
+    text-align: end;
     width: 250px !important;
     word-wrap: break-word;
   }
   .repository.new.migrate form .help,
   .repository.new.fork form .help {
-    margin-left: 265px !important;
+    margin-inline-start: 265px !important;
   }
   .repository.new.repo form .optional .title,
   .repository.new.migrate form .optional .title,
   .repository.new.fork form .optional .title {
-    margin-left: 250px !important;
+    margin-inline-start: 250px !important;
   }
   .repository.new.migrate form .inline.field > input,
   .repository.new.fork form .inline.field > input,
@@ -503,7 +503,7 @@ input:-webkit-autofill:active,
   .repository.new.repo form .optional .title,
   .repository.new.migrate form .optional .title,
   .repository.new.fork form .optional .title {
-    margin-left: 15px;
+    margin-inline-start: 15px;
   }
   .repository.new.repo form .inline.field > label,
   .repository.new.migrate form .inline.field > label,
@@ -514,14 +514,14 @@ input:-webkit-autofill:active,
 
 .repository.new.migrate form .dropdown .text,
 .repository.new.fork form .dropdown .text {
-  margin-right: 0 !important;
+  margin-inline-end: 0 !important;
 }
 
 .moderation.new-report form .header,
 .repository.new.repo form .header,
 .repository.new.migrate form .header,
 .repository.new.fork form .header {
-  padding-left: 0 !important;
+  padding-inline-start: 0 !important;
   text-align: center;
 }
 
@@ -557,7 +557,7 @@ input:-webkit-autofill:active,
 
 @media (min-width: 768px) {
   .repository.new.repo .ui.form #auto-init {
-    margin-left: 265px !important;
+    margin-inline-start: 265px !important;
   }
 }
 
diff --git a/web_src/css/home.css b/web_src/css/home.css
index 84dd793612..462a1fb6a5 100644
--- a/web_src/css/home.css
+++ b/web_src/css/home.css
@@ -68,14 +68,14 @@
 }
 
 .page-footer .right-links > a {
-  border-left: 1px solid var(--color-secondary-dark-1);
-  padding-left: 8px;
-  margin-left: 8px;
+  border-inline-start: 1px solid var(--color-secondary-dark-1);
+  padding-inline-start: 8px;
+  margin-inline-start: 8px;
 }
 
 .page-footer .ui.dropdown.language .menu {
   max-height: min(500px, calc(100vh - 60px));
-  overflow-y: auto;
+  overflow-block: auto;
   margin-bottom: 10px;
 }
 
diff --git a/web_src/css/install.css b/web_src/css/install.css
index df2a7cb53f..eea8db43a9 100644
--- a/web_src/css/install.css
+++ b/web_src/css/install.css
@@ -4,16 +4,16 @@
 }
 
 .page-content.install form.ui.form .inline.field > label {
-  text-align: right;
+  text-align: end;
   width: 30%;
-  padding-right: 10px;
-  margin-right: 0;
+  padding-inline-end: 10px;
+  margin-inline-end: 0;
 }
 
 .page-content.install .ui.form .field > .help,
 .page-content.install .ui.form .field > .ui.checkbox:first-child,
 .page-content.install .ui.form .field > .right-content {
-  margin-left: calc(30% + 5px);
+  margin-inline-start: calc(30% + 5px);
   width: auto;
 }
 
@@ -34,20 +34,20 @@
 }
 
 .page-content.install form.ui.form .field {
-  text-align: left;
+  text-align: start;
 }
 
 .page-content.install .ui .reinstall-message {
   width: 70%;
   margin: 20px auto;
   color: var(--color-red);
-  text-align: left;
+  text-align: start;
   font-weight: var(--font-weight-semibold);
 }
 
 .page-content.install .ui .reinstall-confirm {
   width: 70%;
-  text-align: left;
+  text-align: start;
   margin: 10px auto;
 }
 
diff --git a/web_src/css/issues.css b/web_src/css/issues.css
index 28539e5eb3..9d5301b58d 100644
--- a/web_src/css/issues.css
+++ b/web_src/css/issues.css
@@ -9,7 +9,7 @@
 .menu .item:has(> .label-filter-item) .label-exclude-item-btn {
   opacity: 0;
   position: absolute;
-  right: 0;
+  inset-inline-end: 0;
   height: 100%;
   width: 40px;
   background: none;
@@ -34,13 +34,13 @@
   max-width: 288px;
 
   @media (any-hover: none) {
-    padding-right: 50px !important;
+    padding-inline-end: 50px !important;
   }
 
   &:hover,
   &.selected,
   &:has(.label-exclude-item-btn.active) {
-    padding-right: 50px !important;
+    padding-inline-end: 50px !important;
 
     .label-exclude-item-btn {
       opacity: 1;
@@ -51,7 +51,7 @@
 .menu:has(> .item[data-selected])
 .item:not([data-selected])
 > .label-filter-item {
-  padding-left: 27px;
+  padding-inline-start: 27px;
 }
 
 .menu .item .label-filter-item {
diff --git a/web_src/css/markup/codecopy.css b/web_src/css/markup/codecopy.css
index e3017ae962..665413d717 100644
--- a/web_src/css/markup/codecopy.css
+++ b/web_src/css/markup/codecopy.css
@@ -6,7 +6,7 @@
 .markup .code-copy {
   position: absolute;
   top: 8px;
-  right: 6px;
+  inset-inline-end: 6px;
   padding: 9px;
   visibility: hidden;
   animation: fadeout 0.2s both;
@@ -14,7 +14,7 @@
 
 /* adjustments for comment content having only 14px font size */
 .repository.view.issue .comment-list .comment .markup .code-copy {
-  right: 5px;
+  inset-inline-end: 5px;
   padding: 8px;
 }
 
diff --git a/web_src/css/markup/content.css b/web_src/css/markup/content.css
index 931f33d064..bc1f4bca78 100644
--- a/web_src/css/markup/content.css
+++ b/web_src/css/markup/content.css
@@ -23,9 +23,9 @@
 }
 
 .markup .anchor {
-  float: left;
-  padding-right: 4px;
-  margin-left: -20px;
+  float: inline-start;
+  padding-inline-end: 4px;
+  margin-inline-start: -20px;
   color: inherit;
 }
 
@@ -144,7 +144,7 @@
 
 .markup ul,
 .markup ol {
-  padding-left: 2em;
+  padding-inline-start: 2em;
 }
 
 .markup ul.no-list,
@@ -167,11 +167,11 @@
 }
 
 .markup ol .task-list-item input[type="checkbox"] {
-  margin-left: 0;
+  margin-inline-start: 0;
 }
 
 .markup .task-list-item input[type="checkbox"] + p {
-  margin-left: -0.2em;
+  margin-inline-start: -0.2em;
   display: inline;
 }
 
@@ -267,10 +267,10 @@
 }
 
 .markup blockquote {
-  margin-left: 0;
+  margin-inline-start: 0;
   padding: 0 15px;
   color: var(--color-text-light-2);
-  border-left: 0.25em solid var(--color-secondary);
+  border-inline-start: 0.25em solid var(--color-secondary);
 }
 
 .markup blockquote > :first-child {
@@ -328,12 +328,12 @@
 
 .markup img[align="right"],
 .markup video[align="right"] {
-  padding-left: 20px;
+  padding-inline-start: 20px;
 }
 
 .markup img[align="left"],
 .markup video[align="left"] {
-  padding-right: 28px;
+  padding-inline-end: 28px;
 }
 
 .markup .emoji {
@@ -347,7 +347,7 @@
 
 .markup span.frame > span {
   display: block;
-  float: left;
+  float: inline-start;
   width: auto;
   padding: 7px;
   margin: 13px 0 0;
@@ -358,7 +358,7 @@
 .markup span.frame span img,
 .markup span.frame span video {
   display: block;
-  float: left;
+  float: inline-start;
 }
 
 .markup span.frame span span {
@@ -397,19 +397,19 @@
   display: block;
   margin: 13px 0 0;
   overflow: hidden;
-  text-align: right;
+  text-align: end;
 }
 
 .markup span.align-right span img,
 .markup span.align-right span video {
   margin: 0;
-  text-align: right;
+  text-align: end;
 }
 
 .markup span.float-left {
   display: block;
-  float: left;
-  margin-right: 13px;
+  float: inline-start;
+  margin-inline-end: 13px;
   overflow: hidden;
 }
 
@@ -419,8 +419,8 @@
 
 .markup span.float-right {
   display: block;
-  float: right;
-  margin-left: 13px;
+  float: inline-end;
+  margin-inline-start: 13px;
   overflow: hidden;
 }
 
@@ -428,7 +428,7 @@
   display: block;
   margin: 13px auto 0;
   overflow: hidden;
-  text-align: right;
+  text-align: end;
 }
 
 .markup code,
@@ -508,15 +508,15 @@
 .markup .ui.list .list,
 .markup ol.ui.list ol,
 .markup ul.ui.list ul {
-  padding-left: 2em;
+  padding-inline-start: 2em;
 }
 
 .file-revisions-btn {
   display: block;
-  float: left;
+  float: inline-start;
   margin-bottom: 2px !important;
   padding: 11px !important;
-  margin-right: 10px !important;
+  margin-inline-end: 10px !important;
 }
 
 .file-revisions-btn i {
@@ -538,20 +538,20 @@
   display: block !important; /* override fomantic .ui.form .error.message {display: none} */
   border: none !important;
   margin-bottom: 0 !important;
-  border-bottom-left-radius: 0 !important;
-  border-bottom-right-radius: 0 !important;
+  border-bottom-left-radius: 0 !important; /* stylelint-disable-line logical-css/require-logical-properties */
+  border-bottom-right-radius: 0 !important; /* stylelint-disable-line logical-css/require-logical-properties */
   box-shadow: none !important;
   font-size: 85% !important;
   white-space: pre-wrap !important;
   padding: 0.5rem 1rem !important;
-  text-align: left !important;
+  text-align: start !important;
 }
 
 .markup-block-error + pre {
   border-top: none !important;
   margin-top: 0 !important;
-  border-top-left-radius: 0 !important;
-  border-top-right-radius: 0 !important;
+  border-top-left-radius: 0 !important; /* stylelint-disable-line logical-css/require-logical-properties */
+  border-top-right-radius: 0 !important; /* stylelint-disable-line logical-css/require-logical-properties */
 }
 
 .file-view.markup {
diff --git a/web_src/css/markup/filepreview.css b/web_src/css/markup/filepreview.css
index d2ec16ea8b..1c0fad5170 100644
--- a/web_src/css/markup/filepreview.css
+++ b/web_src/css/markup/filepreview.css
@@ -18,7 +18,7 @@
 
 .markup .file-preview-box .header {
   padding: .5rem;
-  padding-left: 1rem;
+  padding-inline-start: 1rem;
   border: 1px solid var(--color-secondary);
   border-bottom: none;
   border-radius: 0.28571429rem 0.28571429rem 0 0;
diff --git a/web_src/css/modules/animations.css b/web_src/css/modules/animations.css
index a820787b16..8efea4d959 100644
--- a/web_src/css/modules/animations.css
+++ b/web_src/css/modules/animations.css
@@ -28,7 +28,7 @@ lazy-webc::after,
   content: "";
   position: absolute;
   display: block;
-  left: 50%;
+  inset-inline-start: 50%;
   top: 50%;
   height: min(4em, 66.6%);
   width: fit-content; /* compat: safari - https://bugs.webkit.org/show_bug.cgi?id=267625 */
diff --git a/web_src/css/modules/button-legacy.css b/web_src/css/modules/button-legacy.css
index 8683d9ed58..f0451dec99 100644
--- a/web_src/css/modules/button-legacy.css
+++ b/web_src/css/modules/button-legacy.css
@@ -60,7 +60,7 @@ And the default buttons always have borders now (not the same as Fomantic UI's d
 It needs some tricks to tweak the left/right borders with active state */
 
 .ui.buttons .button {
-  border-right: none;
+  border-inline-end: none;
 }
 
 .ui.buttons .button:hover {
@@ -68,27 +68,27 @@ It needs some tricks to tweak the left/right borders with active state */
 }
 
 .ui.buttons .button:hover + .button {
-  border-left: 1px solid var(--color-secondary-dark-2);
+  border-inline-start: 1px solid var(--color-secondary-dark-2);
 }
 
 /* TODO: these "tw-hidden" selectors are only used by "blame.tmpl" buttons: Raw/Normal View/History/Unescape, need to be refactored to a clear solution later */
 .ui.buttons .button:first-child,
 .ui.buttons .button.tw-hidden:first-child + .button {
-  border-left: 1px solid var(--color-light-border);
+  border-inline-start: 1px solid var(--color-light-border);
 }
 
 .ui.buttons .button:last-child,
 .ui.buttons .button:nth-last-child(2):has(+ .button.tw-hidden) {
-  border-right: 1px solid var(--color-light-border);
+  border-inline-end: 1px solid var(--color-light-border);
 }
 
 .ui.buttons .button.active {
-  border-left: 1px solid var(--color-light-border);
-  border-right: 1px solid var(--color-light-border);
+  border-inline-start: 1px solid var(--color-light-border);
+  border-inline-end: 1px solid var(--color-light-border);
 }
 
 .ui.buttons .button.active + .button {
-  border-left: none;
+  border-inline-start: none;
 }
 
 .ui.basic.buttons .button,
diff --git a/web_src/css/modules/button.css b/web_src/css/modules/button.css
index 011e89c32f..07152b4d99 100644
--- a/web_src/css/modules/button.css
+++ b/web_src/css/modules/button.css
@@ -100,7 +100,7 @@
 /* Fomantic buttons have annoying margins to set distance between elements. In
  * the button-row/sequence helpers this is set by flex+gap */
 .button-row .ui.button {
-  margin-right: 0;
+  margin-inline-end: 0;
 }
 .button-sequence .ui.button {
   margin: 0 !important;
diff --git a/web_src/css/modules/card.css b/web_src/css/modules/card.css
index 2406def681..e71a90cdf8 100644
--- a/web_src/css/modules/card.css
+++ b/web_src/css/modules/card.css
@@ -119,16 +119,14 @@ a.ui.card:hover {
 .ui.cards > .card > .extra,
 .ui.card > .extra {
   color: var(--color-text);
-  border-top-color: var(--color-secondary-light-1) !important;
+  border-block-start-color: var(--color-secondary-light-1) !important;
 }
 
 .ui.three.cards {
-  margin-left: -1em;
-  margin-right: -1em;
+  margin-inline: -1em;
 }
 
 .ui.three.cards > .card {
   width: calc(33.33333333333333% - 2em);
-  margin-left: 1em;
-  margin-right: 1em;
+  margin-inline: 1em;
 }
diff --git a/web_src/css/modules/checkbox.css b/web_src/css/modules/checkbox.css
index 8d73573bfa..ab0fdf9348 100644
--- a/web_src/css/modules/checkbox.css
+++ b/web_src/css/modules/checkbox.css
@@ -21,7 +21,7 @@ input[type="radio"] {
 .ui.checkbox input[type="radio"] {
   position: absolute;
   top: 1px;
-  left: 0;
+  inset-inline-start: 0;
   width: var(--checkbox-size);
   height: var(--checkbox-size);
 }
@@ -41,7 +41,7 @@ input[type="radio"] {
 
 .ui.checkbox label,
 .ui.radio.checkbox label {
-  margin-left: 1.85714em;
+  margin-inline-start: 1.85714em;
 }
 
 .ui.checkbox + label {
@@ -72,7 +72,7 @@ input[type="radio"] {
 }
 .ui.toggle.checkbox label {
   min-height: 1.5rem;
-  padding-left: 4.5rem;
+  padding-inline-start: 4.5rem;
   padding-top: 0.15em;
 }
 .ui.toggle.checkbox label::before {
@@ -84,7 +84,7 @@ input[type="radio"] {
   width: 49px;
   height: 21px;
   border-radius: 500rem;
-  left: 0;
+  inset-inline-start: 0;
 }
 .ui.toggle.checkbox label::after {
   background: var(--color-white);
@@ -96,15 +96,15 @@ input[type="radio"] {
   width: 18px;
   height: 18px;
   top: 1.5px;
-  left: 1.5px;
+  inset-inline-start: 1.5px;
   border-radius: 500rem;
   transition: background 0.3s ease, left 0.3s ease;
 }
 .ui.toggle.checkbox input ~ label::after {
-  left: 1.5px;
+  inset-inline-start: 1.5px;
 }
 .ui.toggle.checkbox input:checked ~ label::after {
-  left: 29px;
+  inset-inline-start: 29px;
 }
 .ui.toggle.checkbox input:focus ~ label::before,
 .ui.toggle.checkbox label::before {
diff --git a/web_src/css/modules/comment.css b/web_src/css/modules/comment.css
index 799eeb8574..0a470eda71 100644
--- a/web_src/css/modules/comment.css
+++ b/web_src/css/modules/comment.css
@@ -36,7 +36,7 @@
 .ui.comments .comment > .comments::before {
   position: absolute;
   top: 0;
-  left: 0;
+  inset-inline-start: 0;
 }
 
 .ui.comments .comment > .comments .comment {
@@ -46,7 +46,7 @@
 }
 
 .ui.comments .comment .avatar {
-  float: left;
+  float: inline-start;
   width: 2.5em;
 }
 
@@ -55,7 +55,7 @@
 }
 
 .ui.comments .comment > .avatar ~ .content {
-  margin-left: 3.5em;
+  margin-inline-start: 3.5em;
 }
 
 .ui.comments .comment .author {
@@ -69,7 +69,7 @@
 
 .ui.comments .comment .metadata {
   display: inline-block;
-  margin-left: 0.5em;
+  margin-inline-start: 0.5em;
   font-size: 0.875em;
 }
 
@@ -79,7 +79,7 @@
 }
 
 .ui.comments .comment .metadata > :last-child {
-  margin-right: 0;
+  margin-inline-end: 0;
 }
 
 .ui.comments .comment .text {
diff --git a/web_src/css/modules/container.css b/web_src/css/modules/container.css
index 95c71b207f..057c8c1be9 100644
--- a/web_src/css/modules/container.css
+++ b/web_src/css/modules/container.css
@@ -11,8 +11,7 @@
   .ui.ui.ui.container:not(.fluid) {
     --container-width: auto;
     width: var(--container-width);
-    margin-left: 1em;
-    margin-right: 1em;
+    margin-inline: 1em;
   }
 }
 
@@ -20,8 +19,7 @@
   .ui.ui.ui.container:not(.fluid) {
     --container-width: 723px;
     width: var(--container-width);
-    margin-left: auto;
-    margin-right: auto;
+    margin-inline: auto;
   }
 }
 
@@ -29,8 +27,7 @@
   .ui.ui.ui.container:not(.fluid) {
     --container-width: 933px;
     width: var(--container-width);
-    margin-left: auto;
-    margin-right: auto;
+    margin-inline: auto;
   }
 }
 
@@ -38,8 +35,7 @@
   .ui.ui.ui.container:not(.fluid) {
     --container-width: 1127px;
     width: var(--container-width);
-    margin-left: auto;
-    margin-right: auto;
+    margin-inline: auto;
   }
 }
 
@@ -57,8 +53,7 @@
   --container-width: 1280px;
   width: var(--container-width);
   max-width: calc(100% - calc(2 * var(--page-margin-x)));
-  margin-left: auto;
-  margin-right: auto;
+  margin-inline: auto;
 }
 
 .ui.container.fluid.padded {
diff --git a/web_src/css/modules/dialog.css b/web_src/css/modules/dialog.css
index 3f9a1a44bf..e80acdf2a8 100644
--- a/web_src/css/modules/dialog.css
+++ b/web_src/css/modules/dialog.css
@@ -6,7 +6,7 @@ dialog {
   align-items: center;
   justify-content: center;
   position: fixed;
-  text-align: left;
+  text-align: start;
   border: none;
   background: var(--color-body);
   box-shadow:
@@ -57,8 +57,8 @@ dialog header {
   margin: 0;
   padding: 1.25rem 1.5rem;
   box-shadow: none;
-  border-top-left-radius: var(--border-radius);
-  border-top-right-radius: var(--border-radius);
+  border-top-left-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
+  border-top-right-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
   border-bottom: 1px solid var(--color-secondary);
 }
 
@@ -89,8 +89,8 @@ dialog .actions {
 }
 
 dialog footer {
-  border-bottom-left-radius: var(--border-radius);
-  border-bottom-right-radius: var(--border-radius);
+  border-bottom-left-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
+  border-bottom-right-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
 }
 
 /* positive/negative action buttons */
@@ -98,7 +98,7 @@ dialog .actions .ui.button {
   display: inline-flex;
   align-items: center;
   padding: 10px 12px;
-  margin-right: 0;
+  margin-inline-end: 0;
 }
 
 dialog .actions .ui.button.danger {
@@ -109,5 +109,5 @@ dialog .actions .ui.button.danger {
 }
 
 dialog .actions .ui.button .svg {
-  margin-right: 5px;
+  margin-inline-end: 5px;
 }
diff --git a/web_src/css/modules/divider.css b/web_src/css/modules/divider.css
index acc8408f37..9cba544569 100644
--- a/web_src/css/modules/divider.css
+++ b/web_src/css/modules/divider.css
@@ -30,11 +30,11 @@ h4.divider {
 }
 
 .divider.divider-text::before {
-  margin-right: .75em;
+  margin-inline-end: .75em;
 }
 
 .divider.divider-text::after {
-  margin-left: .75em;
+  margin-inline-start: .75em;
 }
 
 .ui.dropdown .menu > .divider {
diff --git a/web_src/css/modules/grid.css b/web_src/css/modules/grid.css
index 1df9a116f7..9b64b414ad 100644
--- a/web_src/css/modules/grid.css
+++ b/web_src/css/modules/grid.css
@@ -22,12 +22,10 @@
 }
 
 .ui.relaxed.grid {
-  margin-left: -1.5rem;
-  margin-right: -1.5rem;
+  margin-inline: -1.5rem;
 }
 .ui[class*="very relaxed"].grid {
-  margin-left: -2.5rem;
-  margin-right: -2.5rem;
+  margin-inline: -2.5rem;
 }
 
 .ui.grid + .grid {
@@ -39,13 +37,11 @@
   position: relative;
   display: inline-block;
   width: 6.25%;
-  padding-left: 1rem;
-  padding-right: 1rem;
+  padding-inline: 1rem;
   vertical-align: top;
 }
 .ui.grid > * {
-  padding-left: 1rem;
-  padding-right: 1rem;
+  padding-inline: 1rem;
 }
 
 .ui.grid > .row {
@@ -103,46 +99,36 @@
 @media only screen and (max-width: 767.98px) {
   .ui.page.grid {
     width: auto;
-    padding-left: 0;
-    padding-right: 0;
-    margin-left: 0;
-    margin-right: 0;
+    padding-inline: 0;
+    margin-inline: 0;
   }
 }
 @media only screen and (min-width: 768px) and (max-width: 991.98px) {
   .ui.page.grid {
     width: auto;
-    margin-left: 0;
-    margin-right: 0;
-    padding-left: 2em;
-    padding-right: 2em;
+    margin-inline: 0;
+    padding-inline: 2em;
   }
 }
 @media only screen and (min-width: 992px) and (max-width: 1199.98px) {
   .ui.page.grid {
     width: auto;
-    margin-left: 0;
-    margin-right: 0;
-    padding-left: 3%;
-    padding-right: 3%;
+    margin-inline: 0;
+    padding-inline: 3%;
   }
 }
 @media only screen and (min-width: 1200px) and (max-width: 1919.98px) {
   .ui.page.grid {
     width: auto;
-    margin-left: 0;
-    margin-right: 0;
-    padding-left: 15%;
-    padding-right: 15%;
+    margin-inline: 0;
+    padding-inline: 15%;
   }
 }
 @media only screen and (min-width: 1920px) {
   .ui.page.grid {
     width: auto;
-    margin-left: 0;
-    margin-right: 0;
-    padding-left: 23%;
-    padding-right: 23%;
+    margin-inline: 0;
+    padding-inline: 23%;
   }
 }
 
@@ -371,37 +357,32 @@
 .ui.centered.grid > .column:not(.aligned):not(.justified):not(.row),
 .ui.centered.grid > .row > .column:not(.aligned):not(.justified),
 .ui.grid .centered.row > .column:not(.aligned):not(.justified) {
-  text-align: left;
+  text-align: start;
 }
 .ui.grid > .centered.column,
 .ui.grid > .row > .centered.column {
   display: block;
-  margin-left: auto;
-  margin-right: auto;
+  margin-inline: auto;
 }
 
 .ui.relaxed.grid > .column:not(.row),
 .ui.relaxed.grid > .row > .column,
 .ui.grid > .relaxed.row > .column {
-  padding-left: 1.5rem;
-  padding-right: 1.5rem;
+  padding-inline: 1.5rem;
 }
 .ui[class*="very relaxed"].grid > .column:not(.row),
 .ui[class*="very relaxed"].grid > .row > .column,
 .ui.grid > [class*="very relaxed"].row > .column {
-  padding-left: 2.5rem;
-  padding-right: 2.5rem;
+  padding-inline: 2.5rem;
 }
 
 .ui.relaxed.grid .row + .ui.divider,
 .ui.grid .relaxed.row + .ui.divider {
-  margin-left: 1.5rem;
-  margin-right: 1.5rem;
+  margin-inline: 1.5rem;
 }
 .ui[class*="very relaxed"].grid .row + .ui.divider,
 .ui.grid [class*="very relaxed"].row + .ui.divider {
-  margin-left: 2.5rem;
-  margin-right: 2.5rem;
+  margin-inline: 2.5rem;
 }
 
 .ui[class*="middle aligned"].grid > .column:not(.row),
@@ -419,7 +400,7 @@
 .ui.grid > [class*="left aligned"].row > .column,
 .ui.grid > [class*="left aligned"].column.column,
 .ui.grid > .row > [class*="left aligned"].column.column {
-  text-align: left;
+  text-align: start;
   align-self: inherit;
 }
 
@@ -440,7 +421,7 @@
 .ui.grid > [class*="right aligned"].row > .column,
 .ui.grid > [class*="right aligned"].column.column,
 .ui.grid > .row > [class*="right aligned"].column.column {
-  text-align: right;
+  text-align: end;
   align-self: inherit;
 }
 
@@ -470,8 +451,7 @@
 @media only screen and (max-width: 767.98px) {
   .ui.stackable.grid {
     width: auto;
-    margin-left: 0 !important;
-    margin-right: 0 !important;
+    margin-inline: 0 !important;
   }
   .ui.stackable.grid > .row > .wide.column,
   .ui.stackable.grid > .wide.column,
@@ -492,25 +472,21 @@
 
   .ui.container > .ui.stackable.grid > .column,
   .ui.container > .ui.stackable.grid > .row > .column {
-    padding-left: 0 !important;
-    padding-right: 0 !important;
+    padding-inline: 0 !important;
   }
 
   .ui.grid .ui.stackable.grid,
   .ui.segment:not(.vertical) .ui.stackable.page.grid {
-    margin-left: -1rem !important;
-    margin-right: -1rem !important;
+    margin-inline: -1rem !important;
   }
 }
 
 .ui.ui.ui.compact.grid > .column:not(.row),
 .ui.ui.ui.compact.grid > .row > .column {
-  padding-left: 0.5rem;
-  padding-right: 0.5rem;
+  padding-inline: 0.5rem;
 }
 .ui.ui.ui.compact.grid > * {
-  padding-left: 0.5rem;
-  padding-right: 0.5rem;
+  padding-inline: 0.5rem;
 }
 
 .ui.ui.ui.compact.grid > .row {
diff --git a/web_src/css/modules/hashbox.css b/web_src/css/modules/hashbox.css
index 316ac1f655..1095862716 100644
--- a/web_src/css/modules/hashbox.css
+++ b/web_src/css/modules/hashbox.css
@@ -31,9 +31,9 @@
   color: var(--color-text);
   background: var(--color-light);
   padding: 0.25rem 0.33rem;
-  border-left: 1px solid var(--color-light-border);
-  border-top-right-radius: inherit;
-  border-bottom-right-radius: inherit;
+  border-inline-start: 1px solid var(--color-light-border);
+  border-start-end-radius: inherit;
+  border-end-end-radius: inherit;
 }
 
 .sha.label .signature-author {
@@ -53,7 +53,7 @@
 }
 
 .sha.label.isSigned.isWarning .signature {
-  border-left: 1px solid var(--color-red-badge);
+  border-inline-start: 1px solid var(--color-red-badge);
   color: var(--color-red-badge);
 }
 
@@ -67,7 +67,7 @@
 }
 
 .sha.label.isSigned.isVerified .signature {
-  border-left: 1px solid var(--color-green-badge);
+  border-inline-start: 1px solid var(--color-green-badge);
   color: var(--color-green-badge);
 }
 
@@ -81,7 +81,7 @@
 }
 
 .sha.label.isSigned.isVerifiedUntrusted .signature {
-  border-left: 1px solid var(--color-yellow-badge);
+  border-inline-start: 1px solid var(--color-yellow-badge);
   color: var(--color-yellow-badge);
 }
 
@@ -95,7 +95,7 @@
 }
 
 .sha.label.isSigned.isVerifiedUnmatched .signature {
-  border-left: 1px solid var(--color-orange-badge);
+  border-inline-start: 1px solid var(--color-orange-badge);
   color: var(--color-orange-badge);
 }
 
diff --git a/web_src/css/modules/header.css b/web_src/css/modules/header.css
index f45e970018..308960031b 100644
--- a/web_src/css/modules/header.css
+++ b/web_src/css/modules/header.css
@@ -20,7 +20,7 @@
 }
 
 .ui.header .ui.label {
-  margin-left: 0.25rem;
+  margin-inline-start: 0.25rem;
   vertical-align: middle;
 }
 
@@ -49,7 +49,7 @@
 .ui.header > i.icon:only-child {
   display: inline-block;
   padding: 0;
-  margin-right: 0.75rem;
+  margin-inline-end: 0.75rem;
 }
 
 .ui.header + p {
@@ -120,7 +120,7 @@ h4.ui.header .sub.header {
 /* fix misaligned right buttons on box headers */
 .ui.attached.header > .ui.right {
   position: absolute;
-  right: 0.78571429rem;
+  inset-inline-end: 0.78571429rem;
   top: 0;
   bottom: 0;
   display: flex;
@@ -136,8 +136,7 @@ h4.ui.header .sub.header {
 
 /* open dropdown menus to the left in right-attached headers */
 .ui.attached.header > .ui.right .ui.dropdown .menu {
-  right: 0;
-  left: auto;
+  inset-inline: auto 0;
 }
 
 /* if a .top.attached.header is followed by a .segment, add some margin */
@@ -147,7 +146,7 @@ h4.ui.header .sub.header {
 }
 
 .ui.dividing.header {
-  border-bottom-color: var(--color-secondary);
+  border-block-end-color: var(--color-secondary);
 }
 
 .ui.dividing.header .sub.header {
diff --git a/web_src/css/modules/input.css b/web_src/css/modules/input.css
index 18b785ac82..64a8b68685 100644
--- a/web_src/css/modules/input.css
+++ b/web_src/css/modules/input.css
@@ -49,7 +49,7 @@
   position: absolute;
   text-align: center;
   top: 0;
-  right: 0;
+  inset-inline-end: 0;
   margin: 0;
   height: 100%;
   width: 2.67142857em;
@@ -71,29 +71,26 @@
 
 .ui.ui.ui.ui.icon.input > textarea,
 .ui.ui.ui.ui.icon.input > input {
-  padding-right: 2.67142857em;
+  padding-inline-end: 2.67142857em;
 }
 .ui.icon.input > i.link.icon {
   cursor: pointer;
 }
 .ui.icon.input > i.circular.icon {
   top: 0.35em;
-  right: 0.5em;
+  inset-inline-end: 0.5em;
 }
 
 .ui[class*="left icon"].input > i.icon {
-  right: auto;
-  left: 1px;
+  inset-inline: 1px auto;
   border-radius: 0.28571429rem 0 0 0.28571429rem;
 }
 .ui[class*="left icon"].input > i.circular.icon {
-  right: auto;
-  left: 0.5em;
+  inset-inline: 0.5em auto;
 }
 .ui.ui.ui.ui[class*="left icon"].input > textarea,
 .ui.ui.ui.ui[class*="left icon"].input > input {
-  padding-left: 2.67142857em;
-  padding-right: 1em;
+  padding-inline: 2.67142857em 1em;
 }
 
 .ui.icon.input > textarea:focus ~ .icon,
@@ -125,9 +122,9 @@
 }
 
 .ui.action.input:not([class*="left action"]) > input {
-  border-top-right-radius: 0;
-  border-bottom-right-radius: 0;
-  border-right-color: transparent;
+  border-start-end-radius: 0;
+  border-end-end-radius: 0;
+  border-inline-end-color: transparent;
 }
 
 .ui.action.input > .dropdown:first-child,
@@ -171,18 +168,18 @@
   min-width: 10em;
 }
 .ui.action.input:not([class*="left action"]) > .ui.dropdown.selection:not(:focus) {
-  border-right: none;
+  border-inline-end: none;
 }
 .ui.action.input:not([class*="left action"]) > .ui.dropdown.selection:not(.active):hover {
   border-color: var(--color-input-border);
 }
 .ui.action.input:not([class*="left action"]) .ui.dropdown.selection.upward.visible {
-  border-bottom-left-radius: 0 !important;
-  border-bottom-right-radius: 0 !important;
+  border-bottom-left-radius: 0 !important; /* stylelint-disable-line logical-css/require-logical-properties */
+  border-bottom-right-radius: 0 !important; /* stylelint-disable-line logical-css/require-logical-properties */
 }
 .ui.action.input:not([class*="left action"]) > input,
 .ui.action.input:not([class*="left action"]) > input:hover {
-  border-right: none;
+  border-inline-end: none;
 }
 .ui.action.input:not([class*="left action"]) > input:focus + .ui.dropdown.selection,
 .ui.action.input:not([class*="left action"]) > input:focus + .ui.dropdown.selection:hover,
@@ -190,8 +187,8 @@
 .ui.action.input:not([class*="left action"]) > input:focus + .button:hover,
 .ui.action.input:not([class*="left action"]) > input:focus + .icon + .button,
 .ui.action.input:not([class*="left action"]) > input:focus + .icon + .button:hover {
-  border-left-color: var(--color-primary);
+  border-inline-start-color: var(--color-primary);
 }
 .ui.action.input:not([class*="left action"]) > input:focus {
-  border-right-color: var(--color-primary);
+  border-inline-end-color: var(--color-primary);
 }
diff --git a/web_src/css/modules/label.css b/web_src/css/modules/label.css
index 4dc469631d..689577a8a6 100644
--- a/web_src/css/modules/label.css
+++ b/web_src/css/modules/label.css
@@ -19,10 +19,10 @@
 }
 
 .ui.label:first-child {
-  margin-left: 0;
+  margin-inline-start: 0;
 }
 .ui.label:last-child {
-  margin-right: 0;
+  margin-inline-end: 0;
 }
 
 a.ui.label {
@@ -45,7 +45,7 @@ a.ui.label {
 }
 
 .ui.label > .color-icon {
-  margin-left: 0;
+  margin-inline-start: 0;
 }
 
 .ui.label > .icon {
@@ -57,7 +57,7 @@ a.ui.label {
   display: inline-block;
   vertical-align: top;
   font-weight: var(--font-weight-medium);
-  margin-left: 1em;
+  margin-inline-start: 1em;
   opacity: 0.8;
 }
 .ui.label > .detail .icon {
diff --git a/web_src/css/modules/list.css b/web_src/css/modules/list.css
index 32c71e802b..f9e3186ce3 100644
--- a/web_src/css/modules/list.css
+++ b/web_src/css/modules/list.css
@@ -51,7 +51,7 @@
   min-width: 1.55em;
   padding-top: 0;
   transition: color 0.1s ease;
-  padding-right: 0.28571429em;
+  padding-inline-end: 0.28571429em;
   vertical-align: top;
 }
 .ui.list .list > .item > i.icon:only-child,
@@ -69,7 +69,7 @@
 }
 .ui.list .list > .item > .image:not(:only-child):not(img),
 .ui.list > .item > .image:not(:only-child):not(img) {
-  padding-right: 0.5em;
+  padding-inline-end: 0.5em;
 }
 .ui.list .list > .item > .image img,
 .ui.list > .item > .image img {
@@ -102,8 +102,8 @@
 }
 .ui.list .list > .item > .content > .list,
 .ui.list > .item > .content > .list {
-  margin-left: 0;
-  padding-left: 0;
+  margin-inline-start: 0;
+  padding-inline-start: 0;
 }
 
 .ui.list .list > .item .header,
@@ -128,7 +128,7 @@
 
 .ui.list .list > .item [class*="right floated"],
 .ui.list > .item [class*="right floated"] {
-  float: right;
+  float: inline-end;
   margin: 0 0 0 1em;
 }
 
diff --git a/web_src/css/modules/message.css b/web_src/css/modules/message.css
index c62dbddd25..91b9ed9976 100644
--- a/web_src/css/modules/message.css
+++ b/web_src/css/modules/message.css
@@ -23,8 +23,7 @@
 .ui.attached.message {
   margin-bottom: -1px;
   border-radius: var(--border-radius) var(--border-radius) 0 0;
-  margin-left: -1px;
-  margin-right: -1px;
+  margin-inline: -1px;
 }
 
 .ui.attached + .ui.attached.message:not(.top):not(.bottom) {
@@ -105,7 +104,7 @@
   cursor: pointer;
   position: absolute;
   top: 9px;
-  right: 9px;
+  inset-inline-end: 9px;
   opacity: .7;
 }
 
diff --git a/web_src/css/modules/modal.css b/web_src/css/modules/modal.css
index 54a4ef81ca..e1b5f11236 100644
--- a/web_src/css/modules/modal.css
+++ b/web_src/css/modules/modal.css
@@ -20,8 +20,8 @@
   color: var(--color-text-dark);
   background: var(--color-body);
   border-color: var(--color-secondary);
-  border-top-left-radius: var(--border-radius);
-  border-top-right-radius: var(--border-radius);
+  border-top-left-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
+  border-top-right-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
   vertical-align: middle;
 }
 
@@ -58,12 +58,12 @@ These inconsistent layouts should be refactored to simple ones.
   background: var(--color-secondary-bg);
   border-color: var(--color-secondary);
   padding: 1rem;
-  text-align: right;
+  text-align: end;
 }
 
 .ui.modal .content > .actions {
   padding-top: 1em; /* if the "actions" is in the "content", some paddings are already added by the "content" */
-  text-align: right;
+  text-align: end;
 }
 
 /* positive/negative action buttons */
@@ -71,7 +71,7 @@ These inconsistent layouts should be refactored to simple ones.
   display: inline-flex;
   align-items: center;
   padding: 10px 12px 10px 10px;
-  margin-right: 0;
+  margin-inline-end: 0;
 }
 
 .ui.modal .actions > .ui.button.danger {
@@ -82,5 +82,5 @@ These inconsistent layouts should be refactored to simple ones.
 }
 
 .ui.modal .actions > .ui.button .svg {
-  margin-right: 5px;
+  margin-inline-end: 5px;
 }
diff --git a/web_src/css/modules/navbar.css b/web_src/css/modules/navbar.css
index 0c58441dfe..bf9752fd8a 100644
--- a/web_src/css/modules/navbar.css
+++ b/web_src/css/modules/navbar.css
@@ -41,7 +41,7 @@
 
 #navbar .secondary.menu > .item > .svg,
 #navbar .right.menu > .item > .svg {
-  margin-right: 0;
+  margin-inline-end: 0;
 }
 
 /* icon with notification counter - positioned relative container */
@@ -69,7 +69,7 @@
   }
   #navbar .navbar-mobile-right {
     display: flex;
-    margin-left: auto !important;
+    margin-inline-start: auto !important;
     width: auto !important;
   }
   #navbar .navbar-mobile-right > .item {
@@ -119,7 +119,7 @@
     min-height: 48px;
   }
   #navbar #mobile-notifications-icon {
-    margin-right: 6px !important;
+    margin-inline-end: 6px !important;
   }
 }
 
@@ -151,7 +151,7 @@
   background: var(--color-primary);
   border: 2px solid var(--color-nav-bg);
   position: absolute;
-  left: 6px;
+  inset-inline-start: 6px;
   top: -9px;
   min-width: 17px;
   height: 17px;
diff --git a/web_src/css/modules/segment.css b/web_src/css/modules/segment.css
index 76638cb639..b54db40d90 100644
--- a/web_src/css/modules/segment.css
+++ b/web_src/css/modules/segment.css
@@ -103,14 +103,14 @@
   border-radius: 0;
   border: none;
   box-shadow: none;
-  border-left: 1px solid var(--color-secondary);
+  border-inline-start: 1px solid var(--color-secondary);
 }
 
 .ui.segments > .horizontal.segments:first-child {
   border-top: none;
 }
 .ui.horizontal.segments:not(.stackable) > .segment:first-child {
-  border-left: none;
+  border-inline-start: none;
 }
 .ui.horizontal.segments > .segment:first-child {
   border-radius: 0.28571429rem 0 0 0.28571429rem;
@@ -126,7 +126,7 @@
 }
 
 .ui[class*="left aligned"].segment {
-  text-align: left;
+  text-align: start;
 }
 .ui[class*="center aligned"].segment {
   text-align: center;
@@ -190,8 +190,7 @@
   padding-bottom: 0;
 }
 .ui.fitted.segment:not(.vertically) {
-  padding-left: 0;
-  padding-right: 0;
+  padding-inline: 0;
 }
 
 .ui.segments .segment,
diff --git a/web_src/css/modules/select.css b/web_src/css/modules/select.css
index 1d7d749d4a..7b4b88ada7 100644
--- a/web_src/css/modules/select.css
+++ b/web_src/css/modules/select.css
@@ -11,7 +11,7 @@
 .gitea-select::after {
   position: absolute;
   top: 12px;
-  right: 8px;
+  inset-inline-end: 8px;
   pointer-events: none;
   content: "";
   width: 14px;
diff --git a/web_src/css/modules/switch.css b/web_src/css/modules/switch.css
index dee30f4ca3..c2bea9cef2 100644
--- a/web_src/css/modules/switch.css
+++ b/web_src/css/modules/switch.css
@@ -41,7 +41,7 @@
 
   &.active {
     z-index: 2;
-    padding-left: var(--switch-padding-inline);
+    padding-inline-start: var(--switch-padding-inline);
     background: var(--color-active);
     outline: 1px solid var(--color-input-border);
   }
@@ -55,12 +55,12 @@
 /* Corner rounding aid: item that has to crawl under it's active neighbor,
 so when it is hovered, there are no ugly unpainted v/^ shapes between them */
 .switch > .item:has(+ .active.item) { /* Active neighbor is next item */
-  margin-right: calc(-1 * var(--border-radius));
-  padding-right: calc(var(--switch-padding-inline) + var(--border-radius));
+  margin-inline-end: calc(-1 * var(--border-radius));
+  padding-inline-end: calc(var(--switch-padding-inline) + var(--border-radius));
 }
 .switch > .active.item + .item { /* Active neighbor is previous item */
-  margin-left: calc(-1 * var(--border-radius));
-  padding-left: calc(var(--switch-padding-inline) + var(--border-radius));
+  margin-inline-start: calc(-1 * var(--border-radius));
+  padding-inline-start: calc(var(--switch-padding-inline) + var(--border-radius));
 }
 
 /* Make counters embedded into items more visible on brighter backgrounds */
diff --git a/web_src/css/modules/table.css b/web_src/css/modules/table.css
index 801a58d84d..39787be15a 100644
--- a/web_src/css/modules/table.css
+++ b/web_src/css/modules/table.css
@@ -35,10 +35,10 @@
   vertical-align: inherit;
   font-weight: var(--font-weight-normal);
   border-bottom: 1px solid var(--color-secondary);
-  border-left: none;
+  border-inline-start: none;
 }
 .ui.table > thead > tr > th:first-child {
-  border-left: none;
+  border-inline-start: none;
 }
 .ui.table > thead > tr:first-child > th:first-child {
   border-radius: 0.28571429rem 0 0;
@@ -62,7 +62,7 @@
 }
 .ui.table > tfoot > tr > th:first-child,
 .ui.table > tfoot > tr > td:first-child {
-  border-left: none;
+  border-inline-start: none;
 }
 .ui.table > tfoot > tr:first-child > th:first-child,
 .ui.table > tfoot > tr:first-child > td:first-child {
@@ -154,7 +154,7 @@
 
 .ui.table[class*="left aligned"],
 .ui.table [class*="left aligned"] {
-  text-align: left;
+  text-align: start;
 }
 
 .ui.table[class*="center aligned"],
@@ -164,7 +164,7 @@
 
 .ui.table[class*="right aligned"],
 .ui.table [class*="right aligned"] {
-  text-align: right;
+  text-align: end;
 }
 
 .ui.table[class*="top aligned"],
@@ -301,7 +301,7 @@
 .ui.basic.table > tfoot > tr > th,
 .ui.basic.table > tr > th {
   background: transparent;
-  border-left: none;
+  border-inline-start: none;
 }
 .ui.basic.table > tbody > tr {
   border-bottom: 1px solid var(--color-secondary);
@@ -325,7 +325,7 @@
 .ui[class*="very basic"].table:not(.striped) > tr > td:first-child,
 .ui[class*="very basic"].table:not(.striped) > tbody > tr > td:first-child,
 .ui[class*="very basic"].table:not(.striped) > tfoot > tr > td:first-child {
-  padding-left: 0;
+  padding-inline-start: 0;
 }
 .ui[class*="very basic"].table:not(.striped) > tr > th:last-child,
 .ui[class*="very basic"].table:not(.striped) > thead > tr > th:last-child,
@@ -334,7 +334,7 @@
 .ui[class*="very basic"].table:not(.striped) > tr > td:last-child,
 .ui[class*="very basic"].table:not(.striped) > tbody > tr > td:last-child,
 .ui[class*="very basic"].table:not(.striped) > tfoot > tr > td:last-child {
-  padding-right: 0;
+  padding-inline-end: 0;
 }
 .ui[class*="very basic"].table:not(.striped) > thead > tr:first-child > th {
   padding-top: 0;
@@ -347,7 +347,7 @@
 .ui.celled.table > tr > td,
 .ui.celled.table > tbody > tr > td,
 .ui.celled.table > tfoot > tr > td {
-  border-left: 1px solid var(--color-secondary-alpha-50);
+  border-inline-start: 1px solid var(--color-secondary-alpha-50);
 }
 .ui.celled.table > tr > th:first-child,
 .ui.celled.table > thead > tr > th:first-child,
@@ -356,15 +356,14 @@
 .ui.celled.table > tr > td:first-child,
 .ui.celled.table > tbody > tr > td:first-child,
 .ui.celled.table > tfoot > tr > td:first-child {
-  border-left: none;
+  border-inline-start: none;
 }
 
 .ui.compact.table > tr > th,
 .ui.compact.table > thead > tr > th,
 .ui.compact.table > tbody > tr > th,
 .ui.compact.table > tfoot > tr > th {
-  padding-left: 0.7em;
-  padding-right: 0.7em;
+  padding-inline: 0.7em;
 }
 .ui.compact.table > tr > td,
 .ui.compact.table > tbody > tr > td,
@@ -376,10 +375,10 @@
 .ui.table > thead > tr > th:first-of-type,
 .ui.table > tbody > tr > td:first-of-type,
 .ui.table > tr > td:first-of-type {
-  padding-left: 10px;
+  padding-inline-start: 10px;
 }
 .ui.table > thead > tr > th:last-of-type,
 .ui.table > tbody > tr > td:last-of-type,
 .ui.table > tr > td:last-of-type {
-  padding-right: 10px;
+  padding-inline-end: 10px;
 }
diff --git a/web_src/css/modules/tippy.css b/web_src/css/modules/tippy.css
index ab894d46c5..a44b10674a 100644
--- a/web_src/css/modules/tippy.css
+++ b/web_src/css/modules/tippy.css
@@ -140,25 +140,25 @@
 }
 
 .tippy-box[data-placement^="left"] > .tippy-svg-arrow {
-  right: 0;
+  inset-inline-end: 0;
 }
 
 .tippy-box[data-placement^="left"] > .tippy-svg-arrow::after,
 .tippy-box[data-placement^="left"] > .tippy-svg-arrow > svg {
   transform: rotate(90deg);
   top: calc(50% - 3px);
-  left: 11px;
+  inset-inline-start: 11px;
 }
 
 .tippy-box[data-placement^="right"] > .tippy-svg-arrow {
-  left: 0;
+  inset-inline-start: 0;
 }
 
 .tippy-box[data-placement^="right"] > .tippy-svg-arrow::after,
 .tippy-box[data-placement^="right"] > .tippy-svg-arrow > svg {
   transform: rotate(-90deg);
   top: calc(50% - 3px);
-  right: 11px;
+  inset-inline-end: 11px;
 }
 
 .tippy-svg-arrow {
diff --git a/web_src/css/modules/toast.css b/web_src/css/modules/toast.css
index 2a9f78e017..25b21c46b2 100644
--- a/web_src/css/modules/toast.css
+++ b/web_src/css/modules/toast.css
@@ -44,11 +44,11 @@
 }
 
 .toastify-right {
-  right: 15px;
+  inset-inline-end: 15px;
 }
 
 .toastify-left {
-  left: 15px;
+  inset-inline-start: 15px;
 }
 
 .toastify-top {
@@ -60,18 +60,14 @@
 }
 
 .toastify-center {
-  margin-left: auto;
-  margin-right: auto;
-  left: 0;
-  right: 0;
+  margin-inline: auto;
+  inset-inline: 0;
 }
 
 @media (max-width: 360px) {
   .toastify-right, .toastify-left {
-    margin-left: auto;
-    margin-right: auto;
-    left: 0;
-    right: 0;
+    margin-inline: auto;
+    inset-inline: 0;
     max-width: fit-content;
   }
 }
diff --git a/web_src/css/modules/user-cards.css b/web_src/css/modules/user-cards.css
index d89ea4588c..f545c7d2db 100644
--- a/web_src/css/modules/user-cards.css
+++ b/web_src/css/modules/user-cards.css
@@ -41,7 +41,7 @@
 .user-cards .card .avatar {
   width: 48px;
   height: 48px;
-  margin-right: 14px;
+  margin-inline-end: 14px;
 }
 
 .user-cards .card .name {
diff --git a/web_src/css/org.css b/web_src/css/org.css
index 78cf2e2c61..1ea22dcdbb 100644
--- a/web_src/css/org.css
+++ b/web_src/css/org.css
@@ -15,18 +15,18 @@
     width: 800px !important;
   }
   .organization.new.org form .header {
-    padding-left: 280px !important;
+    padding-inline-start: 280px !important;
   }
   .organization.new.org form .inline.field > label {
-    text-align: right;
+    text-align: end;
     width: 250px !important;
     word-wrap: break-word;
   }
   .organization.new.org form .help {
-    margin-left: 265px !important;
+    margin-inline-start: 265px !important;
   }
   .organization.new.org form .optional .title {
-    margin-left: 250px !important;
+    margin-inline-start: 250px !important;
   }
   .organization.new.org form .inline.field > input,
   .organization.new.org form .inline.field > textarea {
@@ -36,7 +36,7 @@
 
 @media (max-width: 767.98px) {
   .organization.new.org form .optional .title {
-    margin-left: 15px;
+    margin-inline-start: 15px;
   }
   .organization.new.org form .inline.field > label {
     display: block;
@@ -44,7 +44,7 @@
 }
 
 .organization.new.org form .header {
-  padding-left: 0 !important;
+  padding-inline-start: 0 !important;
   text-align: center;
 }
 
@@ -151,7 +151,7 @@
 .page-content.organization .members .ui.avatar {
   width: 48px;
   height: 48px;
-  margin-right: 5px;
+  margin-inline-end: 5px;
   margin-bottom: 5px;
 }
 
@@ -161,12 +161,12 @@
 }
 
 .organization.invite #invite-box #search-user-box input {
-  margin-left: 0;
+  margin-inline-start: 0;
   width: 300px;
 }
 
 .organization.invite #invite-box .ui.button {
-  margin-left: 5px;
+  margin-inline-start: 5px;
   margin-top: -3px;
 }
 
@@ -205,5 +205,5 @@
 
 #add-member-modal .team-list {
   max-height: 300px;
-  overflow-y: auto;
+  overflow-block: auto;
 }
diff --git a/web_src/css/repo.css b/web_src/css/repo.css
index 0619f154af..85158b4d6e 100644
--- a/web_src/css/repo.css
+++ b/web_src/css/repo.css
@@ -71,13 +71,13 @@
 .repository .issue-content-right #deadlineForm input {
   width: 12.8rem;
   border-radius: var(--border-radius) 0 0 var(--border-radius);
-  border-right: 0;
+  border-inline-end: 0;
   white-space: nowrap;
 }
 
 .repository .issue-content-right .filter.menu {
   max-height: 500px;
-  overflow-x: auto;
+  overflow-inline: auto;
 }
 
 .repository .filter.menu .label-filter .menu .info {
@@ -86,9 +86,8 @@
   font-size: 12px;
   width: 100%;
   white-space: nowrap;
-  margin-left: 10px;
-  margin-right: 8px;
-  text-align: left;
+  margin-inline: 10px 8px;
+  text-align: start;
 }
 
 .repository .filter.menu .label-filter .menu .info code {
@@ -102,20 +101,19 @@
 .repository .filter.menu .ui.dropdown .menu {
   max-height: 500px;
   max-width: 300px;
-  overflow-x: hidden;
-  right: 0;
-  left: auto;
+  overflow-inline: hidden;
+  inset-inline: auto 0;
 }
 
 /* the label-filter is the first dropdown, it shouldn't be shown leftward, otherwise it may go out the viewport (left side) */
 .repository .filter.menu .ui.dropdown.label-filter .menu {
   min-width: max-content;
-  right: unset;
-  left: 0;
+  inset-inline-end: unset;
+  inset-inline-start: 0;
 }
 
 .repository .select-label .desc {
-  padding-left: 23px;
+  padding-inline-start: 23px;
   white-space: normal;
   display: block;
   margin-top: 2px;
@@ -152,7 +150,7 @@
 
 .repository .ui.action.input.clone-panel > button + button,
 .repository .ui.action.input.clone-panel > button + input {
-  margin-left: -1px; /* make the borders overlap to avoid double borders */
+  margin-inline-start: -1px; /* make the borders overlap to avoid double borders */
 }
 
 .repository .clone-panel > button:first-of-type {
@@ -166,8 +164,7 @@
 /* Dropdown alignment */
 .repository .clone-panel .dropdown .menu,
 .repository .folder-actions .dropdown .menu {
-  right: 0 !important;
-  left: auto !important;
+  inset-inline: auto 0 !important;
 }
 
 .repository.file.list .repo-description {
@@ -215,7 +212,7 @@ td .commit-summary {
 }
 
 .latest-commit .commit-status {
-  margin-right: 0.25em;
+  margin-inline-end: 0.25em;
 }
 
 @media (max-width: 767.98px) {
@@ -223,7 +220,7 @@ td .commit-summary {
     display: none;
   }
   .latest-commit .commit-summary {
-    margin-left: 8px;
+    margin-inline-start: 8px;
   }
 }
 
@@ -243,7 +240,7 @@ td .commit-summary {
   text-align: inherit;
   color: var(--color-text);
   vertical-align: inherit;
-  border-left: none;
+  border-inline-start: none;
   padding: 6px 5px 6px 10px;
 }
 
@@ -252,8 +249,7 @@ td .commit-summary {
 }
 
 .repository.file.list #repo-files-table tbody .svg {
-  margin-left: 3px;
-  margin-right: 5px;
+  margin-inline: 3px 5px;
 }
 
 @media (min-width: 767.98px) {
@@ -267,7 +263,7 @@ td .commit-summary {
 }
 
 .repository.file.list #repo-files-table tbody .svg.octicon-reply {
-  margin-right: 10px;
+  margin-inline-end: 10px;
 }
 
 .repository.file.list #repo-files-table tbody .svg.octicon-file-directory-fill,
@@ -354,8 +350,7 @@ td .commit-summary {
 }
 
 .repository.file.list #repo-files-table td .at {
-  margin-left: 3px;
-  margin-right: 3px;
+  margin-inline: 3px;
 }
 
 .repository.file.list #repo-files-table td > * {
@@ -367,11 +362,11 @@ td .commit-summary {
 }
 
 .repository.file.list #repo-files-table tr:last-of-type td:first-child {
-  border-bottom-left-radius: var(--border-radius);
+  border-end-start-radius: var(--border-radius);
 }
 
 .repository.file.list #repo-files-table tr:last-of-type td:last-child {
-  border-bottom-right-radius: var(--border-radius);
+  border-end-end-radius: var(--border-radius);
 }
 
 .repository.file.list #repo-files-table tr:hover {
@@ -419,8 +414,8 @@ td .commit-summary {
 }
 
 .code-search + #repo-files-table {
-  border-top-left-radius: 0;
-  border-top-right-radius: 0;
+  border-top-left-radius: 0; /* stylelint-disable-line logical-css/require-logical-properties */
+  border-top-right-radius: 0; /* stylelint-disable-line logical-css/require-logical-properties */
 }
 
 .view-raw {
@@ -476,7 +471,7 @@ citation-information .tab:not(.active) {
 }
 
 .repository.file.list .non-diff-file-content .csv {
-  overflow-x: auto;
+  overflow-inline: auto;
   padding: 0 !important;
 }
 
@@ -493,7 +488,7 @@ citation-information .tab:not(.active) {
 }
 
 .repository.file.list .sidebar {
-  padding-left: 0;
+  padding-inline-start: 0;
 }
 
 .repository.file.list .sidebar .svg {
@@ -508,20 +503,20 @@ citation-information .tab:not(.active) {
   vertical-align: middle !important;
   width: auto !important;
   padding: 7px 8px !important;
-  margin-right: 5px !important;
+  margin-inline-end: 5px !important;
 }
 
 .repository.file.editor .tabular.menu .svg {
-  margin-right: 5px;
+  margin-inline-end: 5px;
 }
 
 .repository.file.editor .commit-form-wrapper {
-  padding-left: 64px;
+  padding-inline-start: 64px;
 }
 
 .repository.file.editor .commit-form-wrapper .commit-avatar {
-  float: left;
-  margin-left: -64px;
+  float: inline-start;
+  margin-inline-start: -64px;
   width: 3em;
   height: auto;
 }
@@ -537,7 +532,7 @@ citation-information .tab:not(.active) {
 
 .repository.file.editor .commit-form-wrapper .commit-form::before,
 .repository.file.editor .commit-form-wrapper .commit-form::after {
-  right: 100%;
+  inset-inline-end: 100%;
   top: 20px;
   border: solid transparent;
   content: " ";
@@ -548,13 +543,13 @@ citation-information .tab:not(.active) {
 }
 
 .repository.file.editor .commit-form-wrapper .commit-form::before {
-  border-right-color: var(--color-secondary);
+  border-inline-end-color: var(--color-secondary);
   border-width: 9px;
   margin-top: -9px;
 }
 
 .repository.file.editor .commit-form-wrapper .commit-form::after {
-  border-right-color: var(--color-box-body);
+  border-inline-end-color: var(--color-box-body);
   border-width: 8px;
   margin-top: -8px;
 }
@@ -571,18 +566,18 @@ citation-information .tab:not(.active) {
 
 .repository.file.editor .commit-form-wrapper .commit-form .quick-pull-choice .new-branch-name-input {
   position: relative;
-  margin-left: 25px;
+  margin-inline-start: 25px;
 }
 
 .repository.file.editor .commit-form-wrapper .commit-form .quick-pull-choice .new-branch-name-input input {
   width: 240px !important;
-  padding-left: 26px !important;
+  padding-inline-start: 26px !important;
 }
 
 .repository.file.editor .commit-form-wrapper .commit-form .quick-pull-choice .octicon-git-branch {
   position: absolute;
   top: 9px;
-  left: 10px;
+  inset-inline-start: 10px;
   color: var(--color-grey);
 }
 
@@ -596,12 +591,12 @@ citation-information .tab:not(.active) {
 }
 
 .repository.new.issue .comment.form .content {
-  margin-left: 4em;
+  margin-inline-start: 4em;
 }
 
 .repository.new.issue .comment.form .content::before,
 .repository.new.issue .comment.form .content::after {
-  right: 100%;
+  inset-inline-end: 100%;
   top: 20px;
   border: solid transparent;
   content: " ";
@@ -612,13 +607,13 @@ citation-information .tab:not(.active) {
 }
 
 .repository.new.issue .comment.form .content::before {
-  border-right-color: var(--color-secondary);
+  border-inline-end-color: var(--color-secondary);
   border-width: 9px;
   margin-top: -9px;
 }
 
 .repository.new.issue .comment.form .content::after {
-  border-right-color: var(--color-box-body);
+  border-inline-end-color: var(--color-box-body);
   border-width: 8px;
   margin-top: -8px;
 }
@@ -660,7 +655,7 @@ citation-information .tab:not(.active) {
     display: none;
   }
   .comment.form .issue-content-left .content {
-    margin-left: 0 !important;
+    margin-inline-start: 0 !important;
   }
   .comment.form .issue-content-left .content::before,
   .comment.form .issue-content-left .content::after,
@@ -670,7 +665,7 @@ citation-information .tab:not(.active) {
   }
 
   .repository.view.issue .issue-title.edit-active h1 {
-    padding-right: 0;
+    padding-inline-end: 0;
   }
 }
 
@@ -689,7 +684,7 @@ citation-information .tab:not(.active) {
   font-size: 32px;
   line-height: 40px;
   margin: 0;
-  padding-right: 0.5rem;
+  padding-inline-end: 0.5rem;
 }
 
 .repository.view.issue .issue-title .ui.input {
@@ -706,7 +701,7 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .issue-title .label {
-  margin-right: 10px;
+  margin-inline-end: 10px;
 }
 
 .issue-state-label {
@@ -719,7 +714,7 @@ citation-information .tab:not(.active) {
 }
 
 .issue-state-label .svg {
-  margin-right: 4px;
+  margin-inline-end: 4px;
 }
 
 .repository.view.issue .pull-desc code {
@@ -734,7 +729,7 @@ citation-information .tab:not(.active) {
   vertical-align: middle;
   position: relative;
   top: -2px;
-  right: 1px;
+  inset-inline-end: 1px;
 }
 
 .repository.view.issue .pull.tabs.container {
@@ -744,12 +739,12 @@ citation-information .tab:not(.active) {
 
 .repository.view.issue .pull.tabular.menu {
   margin-bottom: 0;
-  overflow-x: auto;
-  overflow-y: hidden;
+  overflow-inline: auto;
+  overflow-block: hidden;
 }
 
 .repository.view.issue .pull.tabular.menu .svg {
-  margin-right: 5px;
+  margin-inline-end: 5px;
 }
 
 .repository.view.issue .merge.box .branch-update.grid .row {
@@ -768,7 +763,7 @@ citation-information .tab:not(.active) {
   margin-bottom: 14px;
   top: 0;
   bottom: 0;
-  left: 96px;
+  inset-inline-start: 96px;
   width: 2px;
   background-color: var(--color-timeline);
   z-index: -1;
@@ -777,8 +772,8 @@ citation-information .tab:not(.active) {
 .repository.view.issue .comment-list .timeline {
   position: relative;
   display: block;
-  margin-left: 40px;
-  padding-left: 16px;
+  margin-inline-start: 40px;
+  padding-inline-start: 16px;
 }
 
 .repository.view.issue .comment-list .timeline::before { /* ciara */
@@ -789,7 +784,7 @@ citation-information .tab:not(.active) {
   margin-bottom: 14px;
   top: 0;
   bottom: 0;
-  left: 30px;
+  inset-inline-start: 30px;
   width: 2px;
   background-color: var(--color-timeline);
   z-index: -1;
@@ -810,13 +805,13 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .comment-list .timeline-item {
-  margin-left: 16px;
+  margin-inline-start: 16px;
   position: relative;
 }
 
 .repository.view.issue .comment-list .timeline-item .timeline-avatar {
   position: absolute;
-  left: -68px;
+  inset-inline-start: -68px;
 }
 
 /* Don't show the mobile oriented avatar ".inline-timeline-avatar" on desktop. Desktop uses the avatar with class ".timeline-avatar" */
@@ -843,9 +838,8 @@ citation-information .tab:not(.active) {
   background-color: var(--color-timeline);
   border-radius: var(--border-radius-full);
   display: flex;
-  float: left;
-  margin-left: -33px;
-  margin-right: 8px;
+  float: inline-start;
+  margin-inline: -33px 8px;
   color: var(--color-text);
   align-items: center;
   justify-content: center;
@@ -862,7 +856,7 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .comment-list .timeline-item.comment > .content {
-  margin-left: -16px;
+  margin-inline-start: -16px;
 }
 
 .repository.view.issue .comment-list .timeline-item.event > .text {
@@ -871,13 +865,13 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .comment-list .timeline-item.commits-list {
-  padding-left: 15px;
+  padding-inline-start: 15px;
   padding-top: 0;
 }
 
 .repository.view.issue .comment-list .timeline-item.commits-list .ui.avatar,
 .repository.view.issue .comment-list .timeline-item.event .ui.avatar {
-  margin-right: 0.25em;
+  margin-inline-end: 0.25em;
 }
 
 .repository.view.issue .comment-list .timeline-item .aggregated-actions .badge {
@@ -931,7 +925,7 @@ citation-information .tab:not(.active) {
 
 @media (max-width: 767.98px) {
   .repository.view.issue .comment-list .timeline-item .ui.segments {
-    margin-left: -2rem;
+    margin-inline-start: -2rem;
   }
 }
 
@@ -940,13 +934,13 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .comment-list .comment > .content > div:first-child {
-  border-top-left-radius: 4px;
-  border-top-right-radius: 4px;
+  border-top-left-radius: 4px; /* stylelint-disable-line logical-css/require-logical-properties */
+  border-top-right-radius: 4px; /* stylelint-disable-line logical-css/require-logical-properties */
 }
 
 .repository.view.issue .comment-list .comment > .content > div:last-child {
-  border-bottom-left-radius: 4px;
-  border-bottom-right-radius: 4px;
+  border-bottom-left-radius: 4px; /* stylelint-disable-line logical-css/require-logical-properties */
+  border-bottom-right-radius: 4px; /* stylelint-disable-line logical-css/require-logical-properties */
 }
 
 .repository.view.issue .comment-list .comment .comment-container {
@@ -968,13 +962,13 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .comment-list .comment .merge-section .divider {
-  margin-left: -1rem;
+  margin-inline-start: -1rem;
   width: calc(100% + 2rem);
 }
 
 .repository.view.issue .comment-list .comment .merge-section.no-header::before,
 .repository.view.issue .comment-list .comment .merge-section.no-header::after {
-  right: 100%;
+  inset-inline-end: 100%;
   top: 20px;
   border: solid transparent;
   content: " ";
@@ -985,13 +979,13 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .comment-list .comment .merge-section.no-header::before {
-  border-right-color: var(--color-secondary);
+  border-inline-end-color: var(--color-secondary);
   border-width: 9px;
   margin-top: -9px;
 }
 
 .repository.view.issue .comment-list .comment .merge-section.no-header::after {
-  border-right-color: var(--color-box-body);
+  border-inline-end-color: var(--color-box-body);
   border-width: 8px;
   margin-top: -8px;
 }
@@ -1060,7 +1054,7 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .comment-list .code-comment .comment-content {
-  margin-left: calc(20px + 0.5rem);
+  margin-inline-start: calc(20px + 0.5rem);
 }
 
 .repository.view.issue .comment-list .code-comment .add-reaction {
@@ -1087,14 +1081,14 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .comment-list .comment > .avatar ~ .content {
-  margin-left: 42px;
+  margin-inline-start: 42px;
 }
 
 .repository.view.issue .comment-list .comment-code-cloud .segment.reactions {
   gap: var(--button-spacing);
   flex-wrap: wrap;
   width: unset !important;
-  margin-left: calc(20px + 0.5rem) !important;
+  margin-inline-start: calc(20px + 0.5rem) !important;
   margin-top: 1rem !important;
   margin-bottom: -1rem !important;
   border-top: none !important;
@@ -1123,12 +1117,12 @@ citation-information .tab:not(.active) {
 }
 
 .repository.view.issue .comment-list .event {
-  padding-left: 15px;
+  padding-inline-start: 15px;
 }
 
 .repository.view.issue .comment-list .event .detail {
   margin-top: 4px;
-  margin-left: 15px;
+  margin-inline-start: 15px;
 }
 
 .repository.view.issue .comment-list .event .detail .text {
@@ -1157,7 +1151,7 @@ citation-information .tab:not(.active) {
 
 .repository .comment.form .content .form::before,
 .repository .comment.form .content .form::after {
-  right: 100%;
+  inset-inline-end: 100%;
   top: 20px;
   border: solid transparent;
   content: " ";
@@ -1168,13 +1162,13 @@ citation-information .tab:not(.active) {
 }
 
 .repository .comment.form .content .form::before {
-  border-right-color: var(--color-secondary);
+  border-inline-end-color: var(--color-secondary);
   border-width: 9px;
   margin-top: -9px;
 }
 
 .repository .comment.form .content .form::after {
-  border-right-color: var(--color-box-body);
+  border-inline-end-color: var(--color-box-body);
   border-width: 8px;
   margin-top: -8px;
 }
@@ -1189,7 +1183,7 @@ citation-information .tab:not(.active) {
 }
 
 .repository.compare.pull .show-form-container {
-  text-align: left;
+  text-align: start;
 }
 
 .repository .choose.branch {
@@ -1220,7 +1214,7 @@ citation-information .tab:not(.active) {
 
 .repository.compare.pull .comment.form .content::before,
 .repository.compare.pull .comment.form .content::after {
-  right: 100%;
+  inset-inline-end: 100%;
   top: 20px;
   border: solid transparent;
   content: " ";
@@ -1231,13 +1225,13 @@ citation-information .tab:not(.active) {
 }
 
 .repository.compare.pull .comment.form .content::before {
-  border-right-color: var(--color-secondary);
+  border-inline-end-color: var(--color-secondary);
   border-width: 9px;
   margin-top: -9px;
 }
 
 .repository.compare.pull .comment.form .content::after {
-  border-right-color: var(--color-box-body);
+  border-inline-end-color: var(--color-box-body);
   border-width: 8px;
   margin-top: -8px;
 }
@@ -1261,14 +1255,14 @@ citation-information .tab:not(.active) {
 
 .repository.branches .commit-divergence .bar-group {
   position: relative;
-  float: left;
+  float: inline-start;
   padding-bottom: 6px;
   width: 50%;
   max-width: 90px;
 }
 
 .repository.branches .commit-divergence .bar-group:last-child {
-  border-left: 1px solid var(--color-secondary-dark-2);
+  border-inline-start: 1px solid var(--color-secondary-dark-2);
 }
 
 .repository.branches .commit-divergence .count {
@@ -1276,11 +1270,11 @@ citation-information .tab:not(.active) {
 }
 
 .repository.branches .commit-divergence .count.count-ahead {
-  text-align: left;
+  text-align: start;
 }
 
 .repository.branches .commit-divergence .count.count-behind {
-  text-align: right;
+  text-align: end;
 }
 
 .repository.branches .commit-divergence .bar {
@@ -1290,11 +1284,11 @@ citation-information .tab:not(.active) {
 }
 
 .repository.branches .commit-divergence .bar.bar-behind {
-  right: 0;
+  inset-inline-end: 0;
 }
 
 .repository.branches .commit-divergence .bar.bar-ahead {
-  left: 0;
+  inset-inline-start: 0;
 }
 
 .repository.commits .header .search input {
@@ -1334,7 +1328,7 @@ citation-information .tab:not(.active) {
   padding: 5px !important;
   overflow: hidden;
   font-size: 12px;
-  text-align: left;
+  text-align: start;
   white-space: nowrap;
   border: 1px solid var(--color-secondary);
 }
@@ -1348,10 +1342,10 @@ citation-information .tab:not(.active) {
   border-bottom: none !important;
 }
 .repository .data-table tr :is(td,th):first-child {
-  border-left: none !important;
+  border-inline-start: none !important;
 }
 .repository .data-table tr :is(td,th):last-child {
-  border-right: none !important;
+  border-inline-end: none !important;
 }
 
 .repository .data-table td {
@@ -1395,7 +1389,7 @@ citation-information .tab:not(.active) {
   white-space: nowrap;
   vertical-align: top;
   cursor: pointer;
-  text-align: right;
+  text-align: end;
   background: var(--color-body);
   border: 0;
 }
@@ -1419,8 +1413,7 @@ citation-information .tab:not(.active) {
   }
 }
 .repository .diff-detail-box .diff-detail-stats strong {
-  margin-left: 0.25rem;
-  margin-right: 0.25rem;
+  margin-inline: 0.25rem;
 }
 
 /* Because the translations contain the <strong> we need to style with nth-of-type */
@@ -1451,15 +1444,14 @@ citation-information .tab:not(.active) {
 
 .diff-detail-actions > *,
 .diff-detail-actions .button {
-  margin-left: 0 !important;
-  margin-right: 0 !important;
+  margin-inline: 0 !important;
 }
 
 .repository .diff-detail-box span.status {
   display: inline-block;
   width: 12px;
   height: 12px;
-  margin-right: 8px;
+  margin-inline-end: 8px;
   vertical-align: middle;
 }
 
@@ -1499,7 +1491,7 @@ citation-information .tab:not(.active) {
 .repository .diff-box .header:not(.resolved-placeholder) .button {
   padding: 0 1.125em;
   flex: 0 0 auto;
-  margin-right: 0;
+  margin-inline-end: 0;
   height: 30px;
 }
 
@@ -1525,7 +1517,7 @@ citation-information .tab:not(.active) {
 }
 
 .repository .diff-file-box .file-body.file-code .lines-num {
-  text-align: right;
+  text-align: end;
   width: 1%;
   min-width: 50px;
 }
@@ -1565,7 +1557,7 @@ citation-information .tab:not(.active) {
 
 .repository .diff-file-box .code-diff tbody tr [data-line-num]::before {
   content: attr(data-line-num);
-  text-align: right;
+  text-align: end;
 }
 
 .repository .diff-file-box .code-diff tbody tr .lines-type-marker {
@@ -1575,12 +1567,12 @@ citation-information .tab:not(.active) {
 
 .repository .diff-file-box .code-diff tbody tr [data-type-marker]::before {
   content: attr(data-type-marker);
-  text-align: right;
+  text-align: end;
   display: inline-block;
 }
 
 .repository .diff-file-box .code-diff-split .tag-code .lines-code code.code-inner {
-  padding-left: 10px !important;
+  padding-inline-start: 10px !important;
 }
 
 .repository .diff-file-box .code-diff-split table,
@@ -1589,7 +1581,7 @@ citation-information .tab:not(.active) {
 }
 
 .repository .diff-file-box.file-content {
-  clear: right;
+  clear: inline-end;
 }
 
 .repository .diff-file-box.file-content .image-diff img {
@@ -1683,7 +1675,7 @@ details.repo-search-result summary::marker {
 /* if the element is for a checkbox, then it should have a padding-left to align to the checkbox's text */
 .repository.settings.branches .branch-protection .ui.checkbox .help,
 .repository.settings.branches .branch-protection .checkbox-sub-item {
-  padding-left: 26px;
+  padding-inline-start: 26px;
 }
 
 .repository.settings.branches .branch-protection .status-check-matched-mark {
@@ -1692,8 +1684,8 @@ details.repo-search-result summary::marker {
 }
 
 .repository .ui.attached.isSigned.isWarning {
-  border-left: 1px solid var(--color-error-border);
-  border-right: 1px solid var(--color-error-border);
+  border-inline-start: 1px solid var(--color-error-border);
+  border-inline-end: 1px solid var(--color-error-border);
 }
 
 .repository .ui.attached.isSigned.isWarning.top,
@@ -1717,8 +1709,8 @@ details.repo-search-result summary::marker {
 }
 
 .repository .ui.attached.isSigned.isVerified {
-  border-left: 1px solid var(--color-success-border);
-  border-right: 1px solid var(--color-success-border);
+  border-inline-start: 1px solid var(--color-success-border);
+  border-inline-end: 1px solid var(--color-success-border);
 }
 
 .repository .ui.attached.isSigned.isVerified.top,
@@ -1743,8 +1735,8 @@ details.repo-search-result summary::marker {
 
 .repository .ui.attached.isSigned.isVerifiedUntrusted,
 .repository .ui.attached.isSigned.isVerifiedUnmatched {
-  border-left: 1px solid var(--color-warning-border);
-  border-right: 1px solid var(--color-warning-border);
+  border-inline-start: 1px solid var(--color-warning-border);
+  border-inline-end: 1px solid var(--color-warning-border);
 }
 
 .repository .ui.attached.isSigned.isVerifiedUntrusted.top,
@@ -1775,8 +1767,7 @@ details.repo-search-result summary::marker {
 
 .repository .segment.reactions.dropdown .menu,
 .repository .select-reaction.dropdown .menu {
-  right: 0 !important;
-  left: auto !important;
+  inset-inline: auto 0 !important;
   min-width: 170px;
 }
 
@@ -1787,7 +1778,7 @@ details.repo-search-result summary::marker {
 
 .repository .segment.reactions.dropdown .menu > .item,
 .repository .select-reaction.dropdown .menu > .item {
-  float: left;
+  float: inline-start;
   margin: 4px;
   font-size: 20px;
   width: 34px;
@@ -1816,7 +1807,7 @@ details.repo-search-result summary::marker {
   display: flex !important;
   align-items: center;
   border: 0;
-  border-right: 1px solid;
+  border-inline-end: 1px solid;
   border-radius: 0;
   margin: 0;
   font-size: 12px;
@@ -1826,7 +1817,7 @@ details.repo-search-result summary::marker {
 }
 
 .repository .segment.reactions .ui.label:first-of-type {
-  border-bottom-left-radius: 3px;
+  border-end-start-radius: 3px;
 }
 
 .repository .segment.reactions .ui.label.disabled {
@@ -1845,7 +1836,7 @@ details.repo-search-result summary::marker {
 }
 
 .repository .segment.reactions .reaction-count {
-  margin-left: 0.5rem;
+  margin-inline-start: 0.5rem;
 }
 
 .repository .segment.reactions .select-reaction {
@@ -1912,7 +1903,7 @@ details.repo-search-result summary::marker {
 
 #search-user-box .results .result .image {
   order: 0;
-  margin-right: 12px;
+  margin-inline-end: 12px;
   width: 2em;
   height: 2em;
   min-width: 2em;
@@ -2005,7 +1996,7 @@ details.repo-search-result summary::marker {
 }
 
 .comment:target .header::before {
-  border-right-color: var(--color-primary) !important;
+  border-inline-end-color: var(--color-primary) !important;
   filter: drop-shadow(-3px 0 0 var(--color-primary-alpha-30)) !important;
 }
 
@@ -2041,7 +2032,7 @@ details.repo-search-result summary::marker {
 
 .comment-header::before,
 .comment-header::after {
-  right: 100%;
+  inset-inline-end: 100%;
   top: 20px;
   border: solid transparent;
   content: " ";
@@ -2052,13 +2043,13 @@ details.repo-search-result summary::marker {
 }
 
 .comment-header::before {
-  border-right-color: var(--color-secondary);
+  border-inline-end-color: var(--color-secondary);
   border-width: 9px;
   margin-top: -9px;
 }
 
 .comment-header::after {
-  border-right-color: var(--color-box-header);
+  border-inline-end-color: var(--color-box-header);
   border-width: 8px;
   margin-top: -8px;
 }
@@ -2070,12 +2061,12 @@ details.repo-search-result summary::marker {
 
 .comment-header.arrow-top::before {
   top: -9px;
-  left: 6px;
+  inset-inline-start: 6px;
 }
 
 .comment-header.arrow-top::after {
   top: -8px;
-  left: 7px;
+  inset-inline-start: 7px;
 }
 
 .comment-header-right.actions a:not(.label) {
@@ -2120,13 +2111,13 @@ details.repo-search-result summary::marker {
 }
 
 .stats-table .table-cell:first-child {
-  border-top-left-radius: 4px;
-  border-bottom-left-radius: 4px;
+  border-start-start-radius: 4px;
+  border-end-start-radius: 4px;
 }
 
 .stats-table .table-cell:last-child {
-  border-top-right-radius: 4px;
-  border-bottom-right-radius: 4px;
+  border-start-end-radius: 4px;
+  border-end-end-radius: 4px;
 }
 
 .labels-list {
@@ -2150,15 +2141,15 @@ details.repo-search-result summary::marker {
 }
 
 .ui.label.scope-left {
-  border-bottom-right-radius: 0;
-  border-top-right-radius: 0;
-  margin-right: 0;
+  border-end-end-radius: 0;
+  border-start-end-radius: 0;
+  margin-inline-end: 0;
 }
 
 .ui.label.scope-right {
-  border-bottom-left-radius: 0;
-  border-top-left-radius: 0;
-  margin-left: 0;
+  border-end-start-radius: 0;
+  border-start-start-radius: 0;
+  margin-inline-start: 0;
 }
 
 .archived-label {
@@ -2180,7 +2171,7 @@ details.repo-search-result summary::marker {
 }
 
 .repo-button-row .button.dropdown:not(.icon) {
-  padding-right: 22px !important; /* normal buttons have !important paddings, so we need to override it for dropdown (Add File) icons */
+  padding-inline-end: 22px !important; /* normal buttons have !important paddings, so we need to override it for dropdown (Add File) icons */
 }
 
 .repo-button-row .button strong {
@@ -2257,14 +2248,14 @@ tbody.commit-list {
 }
 
 .git-notes.top {
-  text-align: left;
+  text-align: start;
 }
 
 .comment-diff-data {
   background: var(--color-code-bg);
   min-height: 12em;
   max-height: calc(100vh - 10.5rem);
-  overflow-y: auto;
+  overflow-block: auto;
   tab-size: 4;
 }
 
@@ -2295,14 +2286,14 @@ tbody.commit-list {
 }
 
 .repo-topics .repo-topic:last-of-type {
-  margin-right: 0.5rem;
+  margin-inline-end: 0.5rem;
 }
 
 #new-dependency-drop-list.ui.selection.dropdown {
   min-width: 0;
   width: 100%;
   border-radius: var(--border-radius) 0 0 var(--border-radius);
-  border-right: 0;
+  border-inline-end: 0;
   white-space: nowrap;
 }
 
@@ -2349,7 +2340,7 @@ tbody.commit-list {
   align-items: center;
   display: flex;
   justify-content: space-between;
-  overflow-x: auto;
+  overflow-inline: auto;
   padding: 6px 12px !important;
   font-size: 13px !important;
   min-height: 46px;
@@ -2367,9 +2358,9 @@ tbody.commit-list {
 }
 
 .file-info-entry + .file-info-entry {
-  border-left: 1px solid currentcolor;
-  margin-left: 8px;
-  padding-left: 8px;
+  border-inline-start: 1px solid currentcolor;
+  margin-inline-start: 8px;
+  padding-inline-start: 8px;
 }
 
 #diff-container {
@@ -2406,7 +2397,7 @@ tbody.commit-list {
   top: 47px;
   max-height: calc(100vh - 47px);
   height: 100%;
-  overflow-y: auto;
+  overflow-block: auto;
 }
 
 .ui.message.unicode-escape-prompt {
@@ -2418,8 +2409,8 @@ tbody.commit-list {
 
 /* fomantic's last-child selector does not work with hidden last child */
 .ui.buttons .unescape-button {
-  border-top-right-radius: 0.28571429rem;
-  border-bottom-right-radius: 0.28571429rem;
+  border-start-end-radius: 0.28571429rem;
+  border-end-end-radius: 0.28571429rem;
 }
 
 .webhook-info {
@@ -2467,7 +2458,7 @@ tbody.commit-list {
 }
 
 .diff-file-name .ui.label {
-  margin-left: 0 !important;
+  margin-inline-start: 0 !important;
 }
 
 .diff-stats-bar {
@@ -2483,8 +2474,7 @@ tbody.commit-list {
 }
 
 .ui.form .right .ui.button {
-  margin-left: 0.25em;
-  margin-right: 0;
+  margin-inline: 0.25em 0;
 }
 
 .removed-code {
@@ -2532,7 +2522,7 @@ tbody.commit-list {
 
 .code-diff-split tbody tr td:nth-child(5),
 .code-diff-split tbody tr td.add-comment-right {
-  border-left: 1px solid var(--color-secondary);
+  border-inline-start: 1px solid var(--color-secondary);
 }
 
 .commits-table .commits-table-right form {
@@ -2555,7 +2545,7 @@ tbody.commit-list {
   .repository.file.list #repo-files-table .commit-list td.age,
   .repository.file.list #repo-files-table .entry th.age,
   .repository.file.list #repo-files-table .commit-list th.age {
-    margin-left: auto;
+    margin-inline-start: auto;
   }
   .repository.file.list #repo-files-table .entry td.message,
   .repository.file.list #repo-files-table .commit-list td.message,
@@ -2565,19 +2555,18 @@ tbody.commit-list {
   }
   .repository.view.issue .comment-list .timeline,
   .repository.view.issue .comment-list .timeline-item {
-    margin-left: 0;
+    margin-inline-start: 0;
   }
   .repository.view.issue .comment-list .timeline::before {
-    left: 14px;
+    inset-inline-start: 14px;
   }
   .repository.view.issue .comment-list .timeline .inline-timeline-avatar {
     display: flex;
     margin-bottom: auto;
-    margin-left: 6px;
-    margin-right: 2px;
+    margin-inline: 6px 2px;
   }
   .repository.view.issue .comment-list .timeline .comment-header {
-    padding-left: 4px;
+    padding-inline-start: 4px;
   }
   .repository.view.issue .comment-list .timeline .comment-header::before,
   .repository.view.issue .comment-list .timeline .comment-header::after {
@@ -2591,7 +2580,7 @@ tbody.commit-list {
   }
   .commit-header-row .ui.horizontal.list {
     width: 100%;
-    overflow-x: auto;
+    overflow-inline: auto;
     margin-top: 2px;
   }
   .commit-header-row .ui.horizontal.list .item {
@@ -2621,7 +2610,7 @@ tbody.commit-list {
     order: 2; /* the "search" button */
   }
   .commit-table {
-    overflow-x: auto;
+    overflow-inline: auto;
   }
   .commit-table td.sha,
   .commit-table th.sha {
@@ -2634,7 +2623,7 @@ tbody.commit-list {
     flex-wrap: wrap;
   }
   .comment-header .comment-header-right {
-    margin-left: auto;
+    margin-inline-start: auto;
   }
 }
 
@@ -2666,7 +2655,7 @@ tbody.commit-list {
 
 .commit-status-list {
   max-height: 240px; /* fit exactly 6 items, commit-status-item.height * 6 */
-  overflow-x: hidden;
+  overflow-inline: hidden;
   transition: max-height .2s;
 }
 
@@ -2699,7 +2688,7 @@ tbody.commit-list {
 }
 
 .commit-status-item .status-details > span {
-  padding-right: 0.5em; /* To avoid scrollbar occlusion */
+  padding-inline-end: 0.5em; /* To avoid scrollbar occlusion */
 }
 
 .search-fullname {
@@ -2742,8 +2731,8 @@ tbody.commit-list {
 .repository .issue-content .issue-content-right .ui.grid .column.muted .text.black {
   border-color: var(--color-secondary);
   background: var(--color-menu);
-  border-top-left-radius: var(--border-radius);
-  border-top-right-radius: var(--border-radius);
+  border-top-left-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
+  border-top-right-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
 }
 .repository .issue-content .issue-content-right .ui.dropdown  .scrolling.menu {
   border-top: none;
diff --git a/web_src/css/repo/file-view.css b/web_src/css/repo/file-view.css
index 2ce7f3ec0f..4f967744db 100644
--- a/web_src/css/repo/file-view.css
+++ b/web_src/css/repo/file-view.css
@@ -8,7 +8,7 @@
 }
 
 .lines-code {
-  padding-left: 5px;
+  padding-inline-start: 5px;
 }
 
 .file-view tr.active .lines-num,
@@ -18,7 +18,7 @@
 }
 
 .file-view tr.active:last-of-type .lines-code {
-  border-bottom-right-radius: var(--border-radius);
+  border-end-end-radius: var(--border-radius);
 }
 
 .file-view tr.active .lines-num {
@@ -32,7 +32,7 @@
 .file-view tr.active .lines-num::before {
   content: "";
   position: absolute;
-  left: 0;
+  inset-inline-start: 0;
   width: 2px;
   height: 100%;
   background: var(--color-highlight-fg);
diff --git a/web_src/css/repo/issue-label.css b/web_src/css/repo/issue-label.css
index 9b4b144a00..ed34116bbd 100644
--- a/web_src/css/repo/issue-label.css
+++ b/web_src/css/repo/issue-label.css
@@ -34,7 +34,7 @@
 
 .issue-label-list .item a {
   font-size: 12px;
-  padding-right: 10px;
+  padding-inline-end: 10px;
   color: var(--color-text-light);
 }
 
@@ -47,6 +47,6 @@
 }
 
 .archived-label-hint {
-  float: right;
+  float: inline-end;
   margin: -12px;
 }
diff --git a/web_src/css/repo/issue-list.css b/web_src/css/repo/issue-list.css
index 7f1b8c31cd..24bcb68afa 100644
--- a/web_src/css/repo/issue-list.css
+++ b/web_src/css/repo/issue-list.css
@@ -18,7 +18,7 @@
 }
 
 .issue-list-new.button {
-  margin-right: 0;
+  margin-inline-end: 0;
 }
 
 .list-header-issues {
@@ -31,7 +31,7 @@
   }
   .issue-list-new {
     order: 1;
-    margin-left: auto !important;
+    margin-inline-start: auto !important;
   }
   .issue-list-search {
     order: 2 !important;
@@ -44,8 +44,8 @@
    **/
   .issue-list-toolbar-right .filter.menu {
     flex-wrap: nowrap;
-    overflow-x: auto;
-    overflow-y: hidden;
+    overflow-inline: auto;
+    overflow-block: hidden;
   }
 
   /* The following few CSS was created with care and built with the information
@@ -89,7 +89,7 @@
 }
 
 #issue-list .issue-meta .checklist progress {
-  margin-left: 2px;
+  margin-inline-start: 2px;
   width: 80px;
   height: 6px;
   display: inline-block;
@@ -104,7 +104,7 @@
 }
 
 .archived-label-filter {
-  margin-left: 10px;
+  margin-inline-start: 10px;
   font-size: 12px;
   display: flex !important;
   margin-bottom: 8px;
diff --git a/web_src/css/repo/linebutton.css b/web_src/css/repo/linebutton.css
index d32899a06b..d46b8787dc 100644
--- a/web_src/css/repo/linebutton.css
+++ b/web_src/css/repo/linebutton.css
@@ -9,7 +9,7 @@
   padding: 1px 4px !important;
   position: absolute;
   font-family: var(--fonts-regular);
-  left: 0;
+  inset-inline-start: 0;
   transform: translateX(calc(-50% + 6px));
   cursor: pointer;
 }
diff --git a/web_src/css/repo/list-header.css b/web_src/css/repo/list-header.css
index 4f8e39db64..6acc4df668 100644
--- a/web_src/css/repo/list-header.css
+++ b/web_src/css/repo/list-header.css
@@ -8,8 +8,7 @@
 .list-header-sort {
   display: flex;
   align-items: center;
-  padding-left: 1rem;
-  padding-right: 1rem;
+  padding-inline: 1rem;
 }
 
 .list-header-search {
@@ -35,6 +34,6 @@
   }
   .list-header-sort {
     order: 2;
-    margin-left: auto;
+    margin-inline-start: auto;
   }
 }
diff --git a/web_src/css/repo/release-tag.css b/web_src/css/repo/release-tag.css
index b421b13562..713a268594 100644
--- a/web_src/css/repo/release-tag.css
+++ b/web_src/css/repo/release-tag.css
@@ -1,6 +1,6 @@
 #release-list {
   margin-top: 10px; /* Overriding browser default for <ul>, same value as divider */
-  padding-left: 0; /* Unset browser default */
+  padding-inline-start: 0; /* Unset browser default */
 }
 
 #release-list > li {
@@ -24,7 +24,7 @@
       grid-column: 1;
       grid-row: 1 / span 2;
       flex-direction: column;
-      text-align: right;
+      text-align: end;
 
       /* Align contents of meta column with release name */
       padding-top: 11px;
@@ -37,7 +37,7 @@
     }
     :is(.detail, .release-title-wrap) {
       /* Line separating columns on wide screen */
-      border-left: 1px solid var(--color-secondary);
+      border-inline-start: 1px solid var(--color-secondary);
       padding-inline-start: 1rem;
       margin-inline-start: 1rem;
     }
@@ -75,7 +75,7 @@
     order: 2 !important;
   }
   .release-list-buttons {
-    margin-left: auto;
+    margin-inline-start: auto;
   }
 }
 
@@ -104,7 +104,7 @@
 /* List of downloads */
 #release-list > li .detail .download .list {
   /* Override <ul> default */
-  padding-left: 0;
+  padding-inline-start: 0;
   /* Compensate emptiness that opener provides when <details> is closed */
   padding-block-end: 1rem;
 
@@ -124,14 +124,14 @@
 
   :is(li:first-child, .start-gap + hr + li) {
     border-top: 1px solid var(--color-secondary);
-    border-top-left-radius: var(--border-radius);
-    border-top-right-radius: var(--border-radius);
+    border-top-left-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
+    border-top-right-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
   }
 
   :is(li:last-child, .start-gap) {
     border-bottom: 1px solid var(--color-secondary);
-    border-bottom-left-radius: var(--border-radius);
-    border-bottom-right-radius: var(--border-radius);
+    border-bottom-left-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
+    border-bottom-right-radius: var(--border-radius); /* stylelint-disable-line logical-css/require-logical-properties */
   }
 }
 
@@ -156,8 +156,7 @@
 }
 
 .repository.new.release .target .at {
-  margin-left: -5px;
-  margin-right: 5px;
+  margin-inline: -5px 5px;
 }
 
 .repository.new.release .target .selection.dropdown {
@@ -174,7 +173,7 @@
 }
 
 .ui.ui.ui.tag-label {
-  margin-left: 0.25rem;
+  margin-inline-start: 0.25rem;
   padding: 0.2rem 0.4rem;
   gap: 0.3rem;
 }
@@ -194,7 +193,7 @@
 
 .repository .release-tag-name .ui.label.isSigned .avatar,
 .repository .release-title-wrap .ui.label.isSigned .avatar {
-  margin-left: .5rem;
+  margin-inline-start: .5rem;
 }
 
 .repository .release-tag-name .ui.label.isSigned.isVerified,
diff --git a/web_src/css/repo/wiki.css b/web_src/css/repo/wiki.css
index 3246e64634..11f1b09ab5 100644
--- a/web_src/css/repo/wiki.css
+++ b/web_src/css/repo/wiki.css
@@ -3,7 +3,7 @@
 }
 
 .repository.wiki .wiki-pages-list .wiki-git-entry {
-  margin-left: 10px;
+  margin-inline-start: 10px;
   display: none;
 }
 
@@ -33,13 +33,13 @@
 }
 
 .repository.wiki .wiki-content-main.with-sidebar {
-  float: left;
+  float: inline-start;
   width: 80%;
   max-width: calc(100% - 150px - 1em); /* match the min-width of .wiki-content-sidebar */
 }
 
 .repository.wiki .wiki-content-sidebar {
-  float: right;
+  float: inline-end;
   width: calc(20% - 1em);
   min-width: 150px;
 }
@@ -59,8 +59,8 @@
 }
 
 .repository.wiki .wiki-content-toc ul ul {
-  border-left:  1px var(--color-secondary);
-  border-left-style: dashed;
+  border-inline-start:  1px var(--color-secondary);
+  border-inline-start-style: dashed;
 }
 
 @media (max-width: 767.98px) {
diff --git a/web_src/css/review.css b/web_src/css/review.css
index 5e3b6734c4..b8df53daf3 100644
--- a/web_src/css/review.css
+++ b/web_src/css/review.css
@@ -15,7 +15,7 @@
 .ui.button.add-code-comment {
   padding: 2px;
   position: absolute;
-  margin-left: -22px;
+  margin-inline-start: -22px;
   z-index: 5;
   opacity: 0;
   transition: transform 0.1s ease-in-out;
@@ -36,7 +36,7 @@
 }
 
 .repository .diff-file-box .code-diff td.lines-escape {
-  padding-left: 0 !important;
+  padding-inline-start: 0 !important;
 }
 
 .diff-file-box .lines-code:hover .ui.button.add-code-comment {
@@ -52,8 +52,7 @@
 .repository .diff-file-box .code-diff .add-code-comment .add-comment-left,
 .repository .diff-file-box .code-diff .add-code-comment .add-comment-right,
 .repository .diff-file-box .code-diff .add-code-comment .lines-type-marker {
-  padding-left: 0 !important;
-  padding-right: 0 !important;
+  padding-inline: 0 !important;
 }
 
 .add-comment-left.add-comment-right .ui.attached.header {
@@ -86,7 +85,7 @@
 }
 
 .add-comment .comment-code-cloud form {
-  margin-left: 42px;
+  margin-inline-start: 42px;
 }
 
 @media (max-width: 767.98px) {
@@ -109,13 +108,13 @@
     flex-shrink: 0;
   }
   .comment-code-cloud .comments .comment .avatar ~ .content {
-    margin-left: 1em;
+    margin-inline-start: 1em;
   }
   .comment-code-cloud .comments .comment img.avatar {
     margin: 0 !important;
   }
   .comment-code-cloud .comments .comment .comment-content {
-    margin-left: 0 !important;
+    margin-inline-start: 0 !important;
   }
   .comment-code-cloud .comments .comment.code-comment {
     padding: 0 0 0.5rem !important;
@@ -180,7 +179,7 @@
 }
 
 .diff-file-body .comment-form {
-  margin-left: 3em;
+  margin-inline-start: 3em;
 }
 
 .diff-file-body.binary {
@@ -271,7 +270,7 @@
 }
 
 .viewed-file-form input {
-  margin-right: 4px;
+  margin-inline-end: 4px;
 }
 
 .viewed-file-checked-form {
diff --git a/web_src/css/shared/repoorg.css b/web_src/css/shared/repoorg.css
index 5573ae47b8..71720cb00f 100644
--- a/web_src/css/shared/repoorg.css
+++ b/web_src/css/shared/repoorg.css
@@ -2,7 +2,7 @@
 .organization .head .ui.header .text {
   vertical-align: middle;
   font-size: 1.6rem;
-  margin-left: 15px;
+  margin-inline-start: 15px;
 }
 
 .repository .ui.tabs.container,
@@ -13,6 +13,6 @@
 
 .repository .head .ui.header .org-visibility .label,
 .organization .head .ui.header .org-visibility .label {
-  margin-left: 5px;
+  margin-inline-start: 5px;
   margin-top: 5px;
 }
diff --git a/web_src/css/standalone/swagger.css b/web_src/css/standalone/swagger.css
index c32e392036..34241a2d91 100644
--- a/web_src/css/standalone/swagger.css
+++ b/web_src/css/standalone/swagger.css
@@ -14,7 +14,7 @@ body {
   text-decoration: none;
   position: absolute;
   top: 1rem;
-  right: 1.5rem;
+  inset-inline-end: 1.5rem;
   display: flex;
   align-items: center;
 }
@@ -26,7 +26,7 @@ body {
 .swagger-back-link svg {
   color: inherit;
   fill: currentcolor;
-  margin-right: 0.5rem;
+  margin-inline-end: 0.5rem;
 }
 
 @media (prefers-color-scheme: dark) {
diff --git a/web_src/css/themes/theme-forgejo-dark.css b/web_src/css/themes/theme-forgejo-dark.css
index 974f920158..33d1674587 100644
--- a/web_src/css/themes/theme-forgejo-dark.css
+++ b/web_src/css/themes/theme-forgejo-dark.css
@@ -336,7 +336,7 @@ i.grey.icon.icon.icon.icon {
 #review-box .review-comments-counter {
   background-color: var(--color-shadow) !important;
   color: var(--color-white) !important;
-  margin-left: 0.5em;
+  margin-inline-start: 0.5em;
 }
 .ui.basic.labels .primary.label,
 .ui.ui.ui.basic.primary.label {
diff --git a/web_src/css/themes/theme-forgejo-light.css b/web_src/css/themes/theme-forgejo-light.css
index da89f0db73..e41a7b1aca 100644
--- a/web_src/css/themes/theme-forgejo-light.css
+++ b/web_src/css/themes/theme-forgejo-light.css
@@ -307,7 +307,7 @@
 }
 #review-box .review-comments-counter {
   background-color: var(--color-label-bg) !important;
-  margin-left: 0.5em;
+  margin-inline-start: 0.5em;
 }
 .ui.basic.labels .primary.label,
 .ui.ui.ui.basic.primary.label {
diff --git a/web_src/css/user.css b/web_src/css/user.css
index 71ac2b364b..b71c270804 100644
--- a/web_src/css/user.css
+++ b/web_src/css/user.css
@@ -75,7 +75,7 @@
 }
 
 .user.settings .iconFloat {
-  float: left;
+  float: inline-start;
 }
 
 .user-orgs {
diff --git a/web_src/js/components/ActionJobStep.vue b/web_src/js/components/ActionJobStep.vue
index 600f1ce344..af2bf49afe 100644
--- a/web_src/js/components/ActionJobStep.vue
+++ b/web_src/js/components/ActionJobStep.vue
@@ -235,7 +235,7 @@ export default {
 }
 
 .job-step-summary .step-summary-duration {
-  margin-left: 16px;
+  margin-inline-start: 16px;
 }
 
 .job-step-summary.selected {
@@ -263,7 +263,7 @@ export default {
   flex: 1;
   word-break: break-all;
   white-space: break-spaces;
-  margin-left: 10px;
+  margin-inline-start: 10px;
   overflow-wrap: anywhere;
   color: var(--color-console-fg);
 }
@@ -281,7 +281,7 @@ export default {
 .job-log-line .line-num, .log-time-seconds {
   width: 48px;
   color: var(--color-text-light-3);
-  text-align: right;
+  text-align: end;
   user-select: none;
 }
 
@@ -291,13 +291,13 @@ export default {
 }
 
 .log-time-seconds {
-  padding-right: 2px;
+  padding-inline-end: 2px;
 }
 
 .job-log-line .log-time,
 .log-time-stamp {
   color: var(--color-text-light-3);
-  margin-left: 10px;
+  margin-inline-start: 10px;
   white-space: nowrap;
 }
 
diff --git a/web_src/js/components/DashboardRepoList.vue b/web_src/js/components/DashboardRepoList.vue
index 9bc655df32..3dcfeb2c73 100644
--- a/web_src/js/components/DashboardRepoList.vue
+++ b/web_src/js/components/DashboardRepoList.vue
@@ -466,7 +466,7 @@ export default {
 ul {
   list-style: none;
   margin: 0;
-  padding-left: 0;
+  padding-inline-start: 0;
 }
 
 ul li {
@@ -487,8 +487,7 @@ ul li:not(:last-child) {
 }
 
 .repos-filter .item {
-  padding-left: 6px !important;
-  padding-right: 6px !important;
+  padding-inline: 6px !important;
 }
 
 .repo-list-link {
@@ -505,15 +504,14 @@ ul li:not(:last-child) {
 
 .repo-list-icon {
   min-width: 16px;
-  margin-right: 2px;
+  margin-inline-end: 2px;
 }
 
 /* octicon-mirror has no padding inside the SVG */
 .repo-list-icon.octicon-mirror {
   width: 14px;
   min-width: 14px;
-  margin-left: 1px;
-  margin-right: 3px;
+  margin-inline: 1px 3px;
 }
 
 .repo-owner-name-list li.active {
diff --git a/web_src/js/components/DiffCommitSelector.vue b/web_src/js/components/DiffCommitSelector.vue
index bf388de5c4..d6715b0015 100644
--- a/web_src/js/components/DiffCommitSelector.vue
+++ b/web_src/js/components/DiffCommitSelector.vue
@@ -275,7 +275,7 @@ export default {
   }
 
   #diff-commit-selector-menu {
-    overflow-x: hidden;
+    overflow-inline: hidden;
     max-height: 450px;
   }
 
diff --git a/web_src/js/components/DiffFileTree.vue b/web_src/js/components/DiffFileTree.vue
index cddfee1e04..94c74d724d 100644
--- a/web_src/js/components/DiffFileTree.vue
+++ b/web_src/js/components/DiffFileTree.vue
@@ -139,6 +139,6 @@ export default {
   display: flex;
   flex-direction: column;
   gap: 1px;
-  margin-right: .5rem;
+  margin-inline-end: .5rem;
 }
 </style>
diff --git a/web_src/js/components/DiffFileTreeItem.vue b/web_src/js/components/DiffFileTreeItem.vue
index 0f6e54363f..2087b26fd1 100644
--- a/web_src/js/components/DiffFileTreeItem.vue
+++ b/web_src/js/components/DiffFileTreeItem.vue
@@ -61,12 +61,12 @@ a, a:hover {
   display: flex;
   flex-direction: column;
   gap: 1px;
-  margin-left: 13px;
-  border-left: 1px solid var(--color-secondary);
+  margin-inline-start: 13px;
+  border-inline-start: 1px solid var(--color-secondary);
 }
 
 .sub-items .item-file {
-  padding-left: 18px;
+  padding-inline-start: 18px;
 }
 
 .item-file.selected {
diff --git a/web_src/js/components/PullRequestMergeForm.vue b/web_src/js/components/PullRequestMergeForm.vue
index 56265b10dd..d37aeafa9a 100644
--- a/web_src/js/components/PullRequestMergeForm.vue
+++ b/web_src/js/components/PullRequestMergeForm.vue
@@ -203,8 +203,7 @@ export default {
   position: static;
 }
 .ui.merge-button > .ui.dropdown:last-child > .menu:not(.left) {
-  left: 0;
-  right: auto;
+  inset-inline: 0 auto;
 }
 .ui.merge-button .ui.dropdown .menu > .item {
   display: flex;
@@ -227,7 +226,7 @@ export default {
 }
 .auto-merge-small .auto-merge-tip {
   display: none;
-  left: 38px;
+  inset-inline-start: 38px;
   top: -0.5px;
   bottom: -1px;
   position: absolute;
@@ -235,8 +234,8 @@ export default {
   color: var(--color-info-text);
   background-color: var(--color-info-bg);
   border: 1px solid var(--color-info-border);
-  border-left: none;
-  padding-right: 1rem;
+  border-inline-start: none;
+  padding-inline-end: 1rem;
 }
 
 .menu .item:has(.auto-merge-small:hover) {
diff --git a/web_src/js/components/RepoActionView.vue b/web_src/js/components/RepoActionView.vue
index 5c00eecc6b..bd7404ddaf 100644
--- a/web_src/js/components/RepoActionView.vue
+++ b/web_src/js/components/RepoActionView.vue
@@ -638,7 +638,7 @@ export default {
   display: flex;
   align-items: center;
   gap: var(--button-spacing);
-  margin-left: auto;
+  margin-inline-start: auto;
 }
 
 .action-info-summary-actions > button {
@@ -656,12 +656,12 @@ export default {
   display: flex;
   flex-wrap: wrap;
   gap: 5px;
-  margin-left: 28px;
+  margin-inline-start: 28px;
 }
 
 @media (max-width: 767.98px) {
   .action-commit-summary {
-    margin-left: 0;
+    margin-inline-start: 0;
     margin-top: 8px;
   }
 }
@@ -675,7 +675,7 @@ export default {
   position: sticky;
   top: 12px;
   max-height: 100vh;
-  overflow-y: auto;
+  overflow-block: auto;
   background: var(--color-body);
   z-index: 2; /* above .job-info-header */
 }
@@ -701,12 +701,12 @@ export default {
 }
 
 .job-artifacts-list {
-  padding-left: 12px;
+  padding-inline-start: 12px;
   list-style: none;
 }
 
 .job-artifacts-icon {
-  padding-right: 3px;
+  padding-inline-end: 3px;
 }
 
 .job-brief-list {
@@ -827,7 +827,7 @@ export default {
 }
 
 .action-view-right .ui.dropdown.dark-dropdown .menu > .divider {
-  border-top-color: var(--color-console-menu-border);
+  border-block-start-color: var(--color-console-menu-border);
 }
 
 .action-view-right .ui.pointing.dropdown.dark-dropdown > .menu:not(.hidden)::after {
diff --git a/web_src/js/components/RepoBranchTagSelector.vue b/web_src/js/components/RepoBranchTagSelector.vue
index bee9cfb8e5..5f81f49dbc 100644
--- a/web_src/js/components/RepoBranchTagSelector.vue
+++ b/web_src/js/components/RepoBranchTagSelector.vue
@@ -287,8 +287,8 @@ export default {
 .branch-tag-item.active {
   border-color: var(--color-secondary);
   background: var(--color-menu);
-  border-top-left-radius: var(--border-radius);
-  border-top-right-radius: var(--border-radius);
+  border-start-start-radius: var(--border-radius);
+  border-start-end-radius: var(--border-radius);
 }
 
 .branch-tag-divider {

From c25cbd6fc495615e3bc9a250a96f1673877df351 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 11 May 2026 02:30:23 +0200
Subject: [PATCH 267/287] Update renovate Docker tag to v43.170.19 (forgejo)
 (#12513)

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 2680bb8b62..d8e3838abb 100644
--- a/Makefile
+++ b/Makefile
@@ -47,7 +47,7 @@ GO_LICENSES_PACKAGE ?= github.com/google/go-licenses/v2@v2.0.1 # renovate: datas
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
 DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.45.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.160.6 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+RENOVATE_NPM_PACKAGE ?= renovate@43.170.19 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 MOCKERY_PACKAGE ?= github.com/vektra/mockery/v3@v3.7.0 # renovate: datasource=go
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/

From a59879402e2e9788b3bd99f776dcae12c144fefd Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 11 May 2026 02:38:10 +0200
Subject: [PATCH 268/287] Update dependency @codemirror/view to v6.42.1
 (forgejo) (#12514)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12514
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json | 8 ++++----
 package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 35fe4a8bbc..ba47ad58cf 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -30,7 +30,7 @@
         "@codemirror/language": "6.12.3",
         "@codemirror/search": "6.7.0",
         "@codemirror/state": "6.6.0",
-        "@codemirror/view": "6.42.0",
+        "@codemirror/view": "6.42.1",
         "@github/markdown-toolbar-element": "2.2.3",
         "@github/quote-selection": "2.1.0",
         "@github/text-expander-element": "2.9.4",
@@ -775,9 +775,9 @@
       }
     },
     "node_modules/@codemirror/view": {
-      "version": "6.42.0",
-      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.42.0.tgz",
-      "integrity": "sha512-+PJEyndSCrsS2oLH3DfWoLBcF3xfeyGXtLnpXqHY01kL3TogyCLD12hNvSu73ww2KFftrx3Rd0nGOigbSkU3Hw==",
+      "version": "6.42.1",
+      "resolved": "https://registry.npmjs.org/@codemirror/view/-/view-6.42.1.tgz",
+      "integrity": "sha512-ToN3oFc0nsxNUYVF5P0ztLgbC4UPPjPtA9aKYhkOKQaZASpOUo6ISXyQLP66ctVwlDc+j6Jv0uK5IFALkiXztg==",
       "license": "MIT",
       "dependencies": {
         "@codemirror/state": "^6.6.0",
diff --git a/package.json b/package.json
index 6b83ddb0c3..4ce4ec8b66 100644
--- a/package.json
+++ b/package.json
@@ -29,7 +29,7 @@
     "@codemirror/language": "6.12.3",
     "@codemirror/search": "6.7.0",
     "@codemirror/state": "6.6.0",
-    "@codemirror/view": "6.42.0",
+    "@codemirror/view": "6.42.1",
     "@github/markdown-toolbar-element": "2.2.3",
     "@github/quote-selection": "2.1.0",
     "@github/text-expander-element": "2.9.4",

From dcf1e7ce0927c188f363f3e2f358ec6e92dac233 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 11 May 2026 03:07:16 +0200
Subject: [PATCH 269/287] Update module github.com/fsnotify/fsnotify to v1.10.1
 (forgejo) (#12416)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12416
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index a6d10b5e2e..f2437cd3a6 100644
--- a/go.mod
+++ b/go.mod
@@ -41,7 +41,7 @@ require (
 	github.com/editorconfig/editorconfig-core-go/v2 v2.6.4
 	github.com/emersion/go-imap v1.2.1
 	github.com/felixge/fgprof v0.9.5
-	github.com/fsnotify/fsnotify v1.10.0
+	github.com/fsnotify/fsnotify v1.10.1
 	github.com/gdgvda/cron v0.7.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/go-ap/activitypub v0.0.0-20260208110334-902f6cf8c2cc
diff --git a/go.sum b/go.sum
index 220748373c..794d5521fc 100644
--- a/go.sum
+++ b/go.sum
@@ -250,8 +250,8 @@ github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.10.0 h1:Xx/5Ydg9CeBDX/wi4VJqStNtohYjitZhhlHt4h3St1M=
-github.com/fsnotify/fsnotify v1.10.0/go.mod h1:TLheqan6HD6GBK6PrDWyDPBaEV8LspOxvPSjC+bVfgo=
+github.com/fsnotify/fsnotify v1.10.1 h1:b0/UzAf9yR5rhf3RPm9gf3ehBPpf0oZKIjtpKrx59Ho=
+github.com/fsnotify/fsnotify v1.10.1/go.mod h1:TLheqan6HD6GBK6PrDWyDPBaEV8LspOxvPSjC+bVfgo=
 github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ=
 github.com/fxamacker/cbor/v2 v2.9.1/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gdgvda/cron v0.7.0 h1:LFPZUTbCb5ZpzYxavbQDDbjd6nwTwkiNUWyulOdlY2I=

From 3f0a8b442443c3b732a379c6e2aa6b569a0f52b5 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 11 May 2026 03:37:09 +0200
Subject: [PATCH 270/287] Update module golang.org/x/image to v0.40.0 (forgejo)
 (#12484)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12484
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index f2437cd3a6..b08174e4e6 100644
--- a/go.mod
+++ b/go.mod
@@ -102,7 +102,7 @@ require (
 	gitlab.com/gitlab-org/api/client-go v0.143.2
 	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/crypto v0.51.0
-	golang.org/x/image v0.39.0
+	golang.org/x/image v0.40.0
 	golang.org/x/net v0.53.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
diff --git a/go.sum b/go.sum
index 794d5521fc..9acba7ed5c 100644
--- a/go.sum
+++ b/go.sum
@@ -737,8 +737,8 @@ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.39.0 h1:skVYidAEVKgn8lZ602XO75asgXBgLj9G/FE3RbuPFww=
-golang.org/x/image v0.39.0/go.mod h1:sIbmppfU+xFLPIG0FoVUTvyBMmgng1/XAMhQ2ft0hpA=
+golang.org/x/image v0.40.0 h1:Tw4GyDXMo+daZN1znreBRC3VayR1aLFUyUEOLUdW1a8=
+golang.org/x/image v0.40.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

From 6b516e27210ff307034a94159808f18e6820291e Mon Sep 17 00:00:00 2001
From: Nirmal Kumar R <tildezero@gmail.com>
Date: Mon, 11 May 2026 04:31:13 +0200
Subject: [PATCH 271/287] fix(e2e): Flaky tests on Toggle WIP + Dependency
 dropdown (#12473)

There are two test groups in `issue-sidebar.test.e2e.ts` which behaves
flaky on CI:
 - Toggle WIP
 - Dependency dropdown

1. **Toggle WIP**:
There is a race-condition happening with this test execution, when we
toggle the WIP status "Still in progress?" / "Ready for review?", there
is a page reload that happens once we select either of the option and
when we use window.WaitForLoadState('domcontentloaded')` it just check
the state of the current dom and not the reloading of the page.

To mitigate this, we need to use a promise call with
`page.WaitForEvent('load')` wherever necessary. This change has been
applied in the `setTitle` and `toggle_wip_to` helper functions.

Also there is a refactor logic where we remove the repetitive call for
click and save events on `manual edit` and `maximum_title_length` and
consistently use the setTitle.

2. **Dependency dropdown**
There is flakiness with this code:
```
await input.fill('1');
await expect(items.first()).toContainText(first);
```

We register the issues via `postIssue` in the `declare_repo_test.go`
file. And the catch is about this issue popping up for the above logic:
```
postIssue(repo, user, 500, "first issue here", "an issue created earlier")
postIssue(repo, user, 400, "second issue here (not 1)", "not the right issue, but in the right repo")
```

On each issue creation, the frontend shows the index as `#1`, `#2`,
respectively.

The issue is when we search for 1, the indexer implementation finds the
highest scoring with relevant sorting order. These are the two issues
that pops up in the first two results.
```
  #1 first issue here
  #2 second issue here (not 1)
```

In the above results, sometimes the #2 issue will be shown as the first
item in the dropdown results because it contains the exact match `1` in
(not 1). Hence the solution is to remove the `(not 1)` from the second
issue to fix this flakiness behaviour.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12473
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 tests/e2e/declare_repos_test.go     |  2 +-
 tests/e2e/issue-sidebar.test.e2e.ts | 20 +++++++-------------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/tests/e2e/declare_repos_test.go b/tests/e2e/declare_repos_test.go
index 85e3fcbda8..e72f260299 100644
--- a/tests/e2e/declare_repos_test.go
+++ b/tests/e2e/declare_repos_test.go
@@ -117,7 +117,7 @@ body:
 			}),
 		}, []FileChanges{}, func(user *user_model.User, repo *repo_model.Repository) {
 			postIssue(repo, user, 500, "first issue here", "an issue created earlier")
-			postIssue(repo, user, 400, "second issue here (not 1)", "not the right issue, but in the right repo")
+			postIssue(repo, user, 400, "second issue here", "not the right issue, but in the right repo")
 			postIssue(repo, user, 300, "third issue here", "depends on things")
 			postIssue(repo, user, 200, "unrelated issue", "shrug emoji")
 			postIssue(repo, user, 100, "newest issue", "very new")
diff --git a/tests/e2e/issue-sidebar.test.e2e.ts b/tests/e2e/issue-sidebar.test.e2e.ts
index 3324595438..1a382c44d7 100644
--- a/tests/e2e/issue-sidebar.test.e2e.ts
+++ b/tests/e2e/issue-sidebar.test.e2e.ts
@@ -16,20 +16,18 @@ test.describe('Pull: Toggle WIP', () => {
   const prTitle = 'pull5';
 
   async function toggle_wip_to({page}: {page: Page}, should: boolean) {
-    await page.waitForLoadState('domcontentloaded');
+    const loadPromise = page.waitForEvent('load');
     if (should) {
       await page.getByText('Still in progress?').click();
     } else {
       await page.getByText('Ready for review?').click();
     }
+    await loadPromise;
   }
 
   async function check_wip({page}: {page: Page}, is: boolean) {
-    await page.waitForLoadState();
-
     const elemTitle = 'h1';
     const stateLabel = '.issue-state-label';
-    await page.waitForLoadState('domcontentloaded');
     await expect(page.locator(elemTitle)).toContainText(prTitle);
     await expect(page.locator(elemTitle)).toContainText('#5');
     const wipRegex = /(wip|\[WIP\])/i;
@@ -45,16 +43,16 @@ test.describe('Pull: Toggle WIP', () => {
   async function setTitle({page}: {page: Page}, title: string) {
     await page.locator('#issue-title-edit-show').click();
     await page.locator('#issue-title-editor input').fill(title);
+    const loadPromise = page.waitForEvent('load');
     await page.getByText('Save').click();
+    await loadPromise;
   }
 
   test.beforeEach(async ({page}) => {
     const response = await page.goto('/user2/repo1/pulls/5');
     expect(response?.status()).toBe(200); // Status OK
     // ensure original title
-    await page.locator('#issue-title-edit-show').click();
-    await page.locator('#issue-title-editor input').fill(prTitle);
-    await page.getByText('Save').click();
+    await setTitle({page}, prTitle);
     await check_wip({page}, false);
   });
 
@@ -69,9 +67,7 @@ test.describe('Pull: Toggle WIP', () => {
 
   test('manual edit', async ({page}) => {
     // manually edit title to another prefix
-    await page.locator('#issue-title-edit-show').click();
-    await page.locator('#issue-title-editor input').fill(`[WIP] ${prTitle}`);
-    await page.getByText('Save').click();
+    await setTitle({page}, `[WIP] ${prTitle}`);
     await check_wip({page}, true);
     // remove again
     await toggle_wip_to({page}, false);
@@ -81,9 +77,7 @@ test.describe('Pull: Toggle WIP', () => {
   test('maximum title length', async ({page}) => {
     // check maximum title length is handled gracefully
     const maxLenStr = prTitle + 'a'.repeat(240);
-    await page.locator('#issue-title-edit-show').click();
-    await page.locator('#issue-title-editor input').fill(maxLenStr);
-    await page.getByText('Save').click();
+    await setTitle({page}, maxLenStr);
     await expect(page.locator('h1')).toContainText(maxLenStr);
     await check_wip({page}, false);
     await toggle_wip_to({page}, true);

From b21b173f6efd98518559bffd0fd8bb7dfeb579b1 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 11 May 2026 05:22:59 +0200
Subject: [PATCH 272/287] Update module golang.org/x/net to v0.54.0 (forgejo)
 (#12485)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12485
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index b08174e4e6..bffbfa66cb 100644
--- a/go.mod
+++ b/go.mod
@@ -103,7 +103,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/crypto v0.51.0
 	golang.org/x/image v0.40.0
-	golang.org/x/net v0.53.0
+	golang.org/x/net v0.54.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
 	golang.org/x/sys v0.44.0
diff --git a/go.sum b/go.sum
index 9acba7ed5c..8595a4a6b5 100644
--- a/go.sum
+++ b/go.sum
@@ -792,8 +792,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

From 2d5dd62cf34eb6f1ce5183df9e800ed508847bd1 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 11 May 2026 06:33:45 +0200
Subject: [PATCH 273/287] Update renovate Docker tag to v43.170.20 (forgejo)
 (#12516)

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index d8e3838abb..80779cfecc 100644
--- a/Makefile
+++ b/Makefile
@@ -47,7 +47,7 @@ GO_LICENSES_PACKAGE ?= github.com/google/go-licenses/v2@v2.0.1 # renovate: datas
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
 DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.45.0 # renovate: datasource=go
 ERRORTYPE_PACKAGE ?= fillmore-labs.com/errortype@v0.0.11 # renovate: datasource=go
-RENOVATE_NPM_PACKAGE ?= renovate@43.170.19 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
+RENOVATE_NPM_PACKAGE ?= renovate@43.170.20 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 MOCKERY_PACKAGE ?= github.com/vektra/mockery/v3@v3.7.0 # renovate: datasource=go
 
 # https://github.com/disposable-email-domains/disposable-email-domains/commits/main/

From 03312e4f46c1a5f75d471af4e60ea785bed0639f Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Mon, 11 May 2026 16:02:36 +0200
Subject: [PATCH 274/287] feat: make it possible to remove workflow runs
 (#12478)

Add the ability to remove workflow runs, either using the UI or the HTTP API. Workflow runs can only be removed once a workflow run has completed. For security reasons, only a repository administrator or a token with `write:repository` permissions can remove runs.

Resolves https://codeberg.org/forgejo/forgejo/issues/2184.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12478): <!--number 12478 --><!--line 0 --><!--description bWFrZSBpdCBwb3NzaWJsZSB0byByZW1vdmUgd29ya2Zsb3cgcnVucw==-->make it possible to remove workflow runs<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12478
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 models/actions/artifact.go                    |   9 ++
 models/actions/run.go                         |   7 +
 models/actions/run_job.go                     |   7 +
 models/actions/runner.go                      |   7 +
 models/actions/runner_test.go                 |  59 +++++++++
 models/actions/task.go                        |  30 +++++
 options/locale_next/locale_en-US.json         |   5 +
 routers/api/v1/api.go                         |  12 +-
 routers/api/v1/repo/action.go                 |  62 +++++++++
 routers/web/repo/actions/view.go              |  28 ++++
 routers/web/web.go                            |   1 +
 .../TestDeleteJobsOfRun/action_run.yml        |   5 +
 .../TestDeleteJobsOfRun/action_run_job.yml    |   7 +
 .../TestDeleteJobsOfRun/action_task.yml       |  11 ++
 .../action_task_output.yml                    |  14 ++
 .../TestDeleteJobsOfRun/action_task_step.yml  |   9 ++
 .../actions/TestDeleteRun/action_artifact.yml |   9 ++
 services/actions/TestDeleteRun/action_run.yml |   5 +
 .../actions/TestDeleteRun/action_run_job.yml  |   7 +
 .../actions/TestDeleteRun/action_task.yml     |  11 ++
 .../TestDeleteRun/action_task_output.yml      |  14 ++
 .../TestDeleteRun/action_task_step.yml        |   9 ++
 .../actions/TestDeleteTask/action_runner.yml  |   6 +
 .../actions/TestDeleteTask/action_task.yml    |  16 +++
 .../TestDeleteTask/action_task_output.yml     |  14 ++
 .../TestDeleteTask/action_task_step.yml       |  14 ++
 services/actions/job.go                       |  47 +++++++
 services/actions/job_test.go                  |  45 +++++++
 services/actions/run.go                       |  28 ++++
 services/actions/run_test.go                  |  39 ++++++
 services/actions/task.go                      |  37 ++++++
 services/actions/task_test.go                 |  91 +++++++++++++
 templates/repo/actions/view.tmpl              |   3 +
 templates/swagger/v1_json.tmpl                |  49 +++++++
 tests/integration/actions_run_test.go         | 123 ++++++++++++++++++
 tests/integration/actions_view_test.go        |  68 +++++++++-
 tests/integration/api_repo_actions_test.go    | 115 ++++++++++++++++
 .../TestActionRunDeletion/action_artifact.yml |   9 ++
 .../TestActionRunDeletion/action_run.yml      |  11 ++
 .../TestActionRunDeletion/action_run_job.yml  |   7 +
 .../TestActionRunDeletion/action_runner.yml   |   5 +
 .../TestActionRunDeletion/action_task.yml     |  12 ++
 .../action_task_output.yml                    |  14 ++
 .../action_task_step.yml                      |   9 ++
 .../TestActionRunDeletion/collaboration.yml   |   4 +
 .../TestActionViewRunDeletion/action_run.yml  |  11 ++
 .../action_run_job.yml                        |   7 +
 .../TestActionViewRunDeletion/action_task.yml |  11 ++
 .../action_task_step.yml                      |   9 ++
 .../collaboration.yml                         |   4 +
 .../action_artifact.yml                       |   9 ++
 .../action_run.yml                            |   9 ++
 .../action_run_job.yml                        |   7 +
 .../action_runner.yml                         |   5 +
 .../action_task.yml                           |  12 ++
 .../action_task_output.yml                    |  14 ++
 .../action_task_step.yml                      |   9 ++
 web_src/js/components/RepoActionView.test.js  |   3 +
 web_src/js/components/RepoActionView.vue      |  20 +++
 web_src/js/features/repo-action-view.ts       |   3 +
 60 files changed, 1221 insertions(+), 6 deletions(-)
 create mode 100644 services/actions/TestDeleteJobsOfRun/action_run.yml
 create mode 100644 services/actions/TestDeleteJobsOfRun/action_run_job.yml
 create mode 100644 services/actions/TestDeleteJobsOfRun/action_task.yml
 create mode 100644 services/actions/TestDeleteJobsOfRun/action_task_output.yml
 create mode 100644 services/actions/TestDeleteJobsOfRun/action_task_step.yml
 create mode 100644 services/actions/TestDeleteRun/action_artifact.yml
 create mode 100644 services/actions/TestDeleteRun/action_run.yml
 create mode 100644 services/actions/TestDeleteRun/action_run_job.yml
 create mode 100644 services/actions/TestDeleteRun/action_task.yml
 create mode 100644 services/actions/TestDeleteRun/action_task_output.yml
 create mode 100644 services/actions/TestDeleteRun/action_task_step.yml
 create mode 100644 services/actions/TestDeleteTask/action_runner.yml
 create mode 100644 services/actions/TestDeleteTask/action_task.yml
 create mode 100644 services/actions/TestDeleteTask/action_task_output.yml
 create mode 100644 services/actions/TestDeleteTask/action_task_step.yml
 create mode 100644 services/actions/job.go
 create mode 100644 services/actions/job_test.go
 create mode 100644 tests/integration/actions_run_test.go
 create mode 100644 tests/integration/fixtures/TestActionRunDeletion/action_artifact.yml
 create mode 100644 tests/integration/fixtures/TestActionRunDeletion/action_run.yml
 create mode 100644 tests/integration/fixtures/TestActionRunDeletion/action_run_job.yml
 create mode 100644 tests/integration/fixtures/TestActionRunDeletion/action_runner.yml
 create mode 100644 tests/integration/fixtures/TestActionRunDeletion/action_task.yml
 create mode 100644 tests/integration/fixtures/TestActionRunDeletion/action_task_output.yml
 create mode 100644 tests/integration/fixtures/TestActionRunDeletion/action_task_step.yml
 create mode 100644 tests/integration/fixtures/TestActionRunDeletion/collaboration.yml
 create mode 100644 tests/integration/fixtures/TestActionViewRunDeletion/action_run.yml
 create mode 100644 tests/integration/fixtures/TestActionViewRunDeletion/action_run_job.yml
 create mode 100644 tests/integration/fixtures/TestActionViewRunDeletion/action_task.yml
 create mode 100644 tests/integration/fixtures/TestActionViewRunDeletion/action_task_step.yml
 create mode 100644 tests/integration/fixtures/TestActionViewRunDeletion/collaboration.yml
 create mode 100644 tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_artifact.yml
 create mode 100644 tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_run.yml
 create mode 100644 tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_run_job.yml
 create mode 100644 tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_runner.yml
 create mode 100644 tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task.yml
 create mode 100644 tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task_output.yml
 create mode 100644 tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task_step.yml

diff --git a/models/actions/artifact.go b/models/actions/artifact.go
index 25bf58705a..20b96f829c 100644
--- a/models/actions/artifact.go
+++ b/models/actions/artifact.go
@@ -222,6 +222,15 @@ func SetArtifactDeleted(ctx context.Context, artifactID int64) error {
 	return err
 }
 
+// SetArtifactsOfRunDeleted marks all artifacts of the given run as deleted.
+func SetArtifactsOfRunDeleted(ctx context.Context, runID int64) error {
+	_, err := db.GetEngine(ctx).
+		Where("run_id=?", runID).
+		Cols("status").
+		Update(&ActionArtifact{Status: int64(ArtifactStatusPendingDeletion)})
+	return err
+}
+
 // aggregatedArtifactConds returns the common WHERE clause used by aggregated
 // artifact queries: restrict to visible statuses and apply the caller's filters.
 // The Status field on opts is ignored — visibility is fixed to UploadConfirmed/Expired.
diff --git a/models/actions/run.go b/models/actions/run.go
index 692dab841b..09eddc3269 100644
--- a/models/actions/run.go
+++ b/models/actions/run.go
@@ -612,4 +612,11 @@ func ComputeRunStatus(ctx context.Context, runID int64) (run *ActionRun, columns
 	return run, columns, nil
 }
 
+// DeleteRun removes the given run. It is the caller's responsibility to handle the run's dependencies like artifacts or
+// jobs. Nothing happens if the run does not exist.
+func DeleteRun(ctx context.Context, runID int64) error {
+	_, err := db.GetEngine(ctx).Delete(&ActionRun{ID: runID})
+	return err
+}
+
 type ActionRunIndex db.ResourceIndex
diff --git a/models/actions/run_job.go b/models/actions/run_job.go
index 0967ab87c3..e64b62805c 100644
--- a/models/actions/run_job.go
+++ b/models/actions/run_job.go
@@ -365,3 +365,10 @@ func (job *ActionRunJob) AllNeedsExist(allExistingJobIDs container.Set[string])
 
 	return unknownJobIDs, len(unknownJobIDs) == 0
 }
+
+// DeleteJob removes the given job. Removing all associated tasks is up to the caller. If the given job does not exist,
+// nothing happens.
+func DeleteJob(ctx context.Context, jobID int64) error {
+	_, err := db.GetEngine(ctx).Delete(&ActionRunJob{ID: jobID})
+	return err
+}
diff --git a/models/actions/runner.go b/models/actions/runner.go
index 1a7fbb0b45..f324adec52 100644
--- a/models/actions/runner.go
+++ b/models/actions/runner.go
@@ -396,6 +396,13 @@ func FixRunnersWithoutBelongingRepo(ctx context.Context) (int64, error) {
 	return res.RowsAffected()
 }
 
+// DeleteEphemeralRunner removes the ephemeral runner with the given ID. If the runner with the given ID is not an
+// ephemeral runner, nothing happens.
+func DeleteEphemeralRunner(ctx context.Context, id int64) error {
+	_, err := db.GetEngine(ctx).Where(builder.Eq{"id": id, "ephemeral": true}).Delete(&ActionRunner{})
+	return err
+}
+
 func DeleteOfflineRunners(ctx context.Context, olderThan timeutil.TimeStamp, globalOnly bool) error {
 	log.Info("Doing: DeleteOfflineRunners")
 
diff --git a/models/actions/runner_test.go b/models/actions/runner_test.go
index acca9b1761..31e9706851 100644
--- a/models/actions/runner_test.go
+++ b/models/actions/runner_test.go
@@ -479,3 +479,62 @@ func TestRunner_FindRunnerOptionsToConds(t *testing.T) {
 		})
 	}
 }
+
+func TestDeleteEphemeralRunner(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	persistentRunnerOne := &ActionRunner{
+		ID:        606526,
+		UUID:      "d53a1222-ae7a-4430-97f8-8fcb6efd04c9",
+		Name:      "persistent-runner-one",
+		OwnerID:   2,
+		RepoID:    0,
+		Ephemeral: false,
+		TokenHash: "J9YDsQL",
+	}
+	persistentRunnerTwo := &ActionRunner{
+		ID:        606527,
+		UUID:      "3dc23067-b2fd-4daf-b428-dddad80d7f37",
+		Name:      "persistent-runner-two",
+		OwnerID:   2,
+		RepoID:    0,
+		Ephemeral: false,
+		TokenHash: "jvIylZtHsS",
+	}
+	ephemeralRunnerOne := &ActionRunner{
+		ID:        606528,
+		UUID:      "2d9bc0a1-7019-4ed3-ba67-6415415ac2a9",
+		Name:      "ephemeral-runner-one",
+		OwnerID:   2,
+		RepoID:    0,
+		Ephemeral: true,
+		TokenHash: "t9C8L0kM3W",
+	}
+	ephemeralRunnerTwo := &ActionRunner{
+		ID:        606529,
+		UUID:      "da7a03f8-ab39-4c54-9ec9-2bd312fe3be1",
+		Name:      "ephemeral-runner-two",
+		OwnerID:   2,
+		RepoID:    0,
+		Ephemeral: true,
+		TokenHash: "g9oTOFM",
+	}
+
+	require.NoError(t, CreateRunner(t.Context(), persistentRunnerOne))
+	require.NoError(t, CreateRunner(t.Context(), persistentRunnerTwo))
+	require.NoError(t, CreateRunner(t.Context(), ephemeralRunnerOne))
+	require.NoError(t, CreateRunner(t.Context(), ephemeralRunnerTwo))
+
+	unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: persistentRunnerOne.ID})
+	unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: persistentRunnerTwo.ID})
+	unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: ephemeralRunnerOne.ID})
+	unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: ephemeralRunnerTwo.ID})
+
+	require.NoError(t, DeleteEphemeralRunner(t.Context(), persistentRunnerOne.ID))
+	require.NoError(t, DeleteEphemeralRunner(t.Context(), ephemeralRunnerOne.ID))
+
+	unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: persistentRunnerOne.ID})
+	unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: persistentRunnerTwo.ID})
+	unittest.AssertNotExistsBean(t, &ActionRunner{ID: ephemeralRunnerOne.ID})
+	unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: ephemeralRunnerTwo.ID})
+}
diff --git a/models/actions/task.go b/models/actions/task.go
index ed2cab60e8..d056c786c4 100644
--- a/models/actions/task.go
+++ b/models/actions/task.go
@@ -192,6 +192,15 @@ func HasTaskForRunner(ctx context.Context, runnerID int64) (bool, error) {
 	return db.GetEngine(ctx).Where("runner_id = ?", runnerID).Exist(&ActionTask{})
 }
 
+func GetTasksOfJob(ctx context.Context, jobID int64) ([]*ActionTask, error) {
+	var tasks []*ActionTask
+	err := db.GetEngine(ctx).Where("job_id=?", jobID).Find(&tasks)
+	if err != nil {
+		return nil, fmt.Errorf("cannot fetch tasks of job %d: %w", jobID, err)
+	}
+	return tasks, nil
+}
+
 func GetTaskByJobAttempt(ctx context.Context, jobID, attempt int64) (*ActionTask, error) {
 	var task ActionTask
 	has, err := db.GetEngine(ctx).Where("job_id=?", jobID).Where("attempt=?", attempt).Get(&task)
@@ -497,6 +506,27 @@ func UpdateTask(ctx context.Context, task *ActionTask, cols ...string) error {
 	return err
 }
 
+// DeleteTask removes the given task including all its steps and outputs. Removing logs and ephemeral runners is the
+// caller's responsibility.
+func DeleteTask(ctx context.Context, taskID int64) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		var err error
+		_, err = db.GetEngine(ctx).Delete(&ActionTaskStep{TaskID: taskID})
+		if err != nil {
+			return fmt.Errorf("unable to delete steps of task %d: %w", taskID, err)
+		}
+		_, err = db.GetEngine(ctx).Delete(&ActionTaskOutput{TaskID: taskID})
+		if err != nil {
+			return fmt.Errorf("unable to delete outputs of task %d: %w", taskID, err)
+		}
+		_, err = db.GetEngine(ctx).Delete(&ActionTask{ID: taskID})
+		if err != nil {
+			return fmt.Errorf("unable to delete task %d: %w", taskID, err)
+		}
+		return nil
+	})
+}
+
 func FindOldTasksToExpire(ctx context.Context, olderThan timeutil.TimeStamp, limit int) ([]*ActionTask, error) {
 	e := db.GetEngine(ctx)
 
diff --git a/options/locale_next/locale_en-US.json b/options/locale_next/locale_en-US.json
index 9631c43ad4..614f3c1ce9 100644
--- a/options/locale_next/locale_en-US.json
+++ b/options/locale_next/locale_en-US.json
@@ -672,6 +672,11 @@
 	"actions.runs.no_results": "No results matched.",
 	"actions.runs.no_workflows": "There are no workflows yet.",
 	"actions.runs.all_runs_link": "all runs",
+	"actions.runs.delete.error_could_not_load_run": "Could not load run to delete.",
+	"actions.runs.delete.error_could_not_delete_run": "Could not delete run.",
+	"actions.runs.delete.button": "Delete run",
+	"actions.runs.delete.error": "Could not delete the workflow run.",
+	"actions.runs.delete.confirm_action": "Do you really want to delete this workflow run?",
 	"actions.workflow.job_parsing_error": "Unable to parse jobs in workflow: %v",
 	"actions.workflow.event_detection_error": "Unable to parse supported events in workflow: %v",
 	"actions.workflow.persistent_incomplete_matrix": "Unable to evaluate `strategy.matrix` of job %[1]s due to a `needs` expression that was invalid. It may reference a job that is not in it's 'needs' list (%[2]s), or an output that doesn't exist on one of those jobs.",
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 55ea6762e3..d1488d2fc2 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -450,9 +450,16 @@ func reqSelfOrAdmin() func(ctx *context.APIContext) {
 	}
 }
 
-// reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin
-func reqAdmin() func(ctx *context.APIContext) {
+// reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin. If one or more
+// unitTypes are given, it also requires that at least one the respective unitTypes is enabled.
+func reqAdmin(unitTypes ...unit.Type) func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
+		if len(unitTypes) > 0 && !slices.ContainsFunc(unitTypes, func(unitType unit.Type) bool {
+			return ctx.Repo.Repository.UnitEnabled(ctx, unitType)
+		}) {
+			ctx.NotFound()
+			return
+		}
 		if !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {
 			ctx.Error(http.StatusForbidden, "reqAdmin", "user should be an owner or a collaborator with admin write of a repository")
 			return
@@ -1245,6 +1252,7 @@ func Routes() *web.Route {
 					m.Group("/runs", func() {
 						m.Get("", repo.ListActionRuns)
 						m.Get("/{run_id}", repo.GetActionRun)
+						m.Delete("/{run_id}", reqToken(), reqAdmin(unit.TypeActions), repo.DeleteActionRun)
 						m.Get("/{run_id}/jobs", repo.ListActionRunJobs)
 						m.Get("/{run_id}/artifacts", repo.ListActionRunArtifacts)
 					})
diff --git a/routers/api/v1/repo/action.go b/routers/api/v1/repo/action.go
index 63d9e830b7..b0c65009c6 100644
--- a/routers/api/v1/repo/action.go
+++ b/routers/api/v1/repo/action.go
@@ -1032,6 +1032,68 @@ func GetActionRun(ctx *context.APIContext) {
 	ctx.JSON(http.StatusOK, convert.ToActionRun(ctx, run, ctx.Doer))
 }
 
+// DeleteActionRun removes a completed workflow run.
+func DeleteActionRun(ctx *context.APIContext) {
+	// swagger:operation DELETE /repos/{owner}/{repo}/actions/runs/{run_id} repository DeleteActionRun
+	// ---
+	// summary: Delete a completed workflow run.
+	// description: >
+	//   Remove a particular workflow run. The workflow run must have completed (succeeded, failed, cancelled) for the
+	//   operation to succeed. Otherwise, an error is returned.
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: run_id
+	//   in: path
+	//   description: id of the action run
+	//   type: integer
+	//   format: int64
+	//   required: true
+	// responses:
+	//   "204":
+	//     description: Workflow run has been removed
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	run, err := actions_model.GetRunByID(ctx, ctx.ParamsInt64(":run_id"))
+	if err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			ctx.Error(http.StatusNotFound, "GetRunById", err)
+			return
+		}
+
+		ctx.Error(http.StatusInternalServerError, "GetRunByID", err)
+		return
+	}
+
+	if ctx.Repo.Repository.ID != run.RepoID {
+		ctx.Error(http.StatusNotFound, "GetRunById", util.ErrNotExist)
+		return
+	}
+
+	err = actions_service.DeleteRun(ctx, run.ID)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "DeleteRun", err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
 // ListActionRunJobs return a filtered list of jobs that belong to a single workflow run
 func ListActionRunJobs(ctx *context.APIContext) {
 	// swagger:operation GET /repos/{owner}/{repo}/actions/runs/{run_id}/jobs repository ListActionRunJobs
diff --git a/routers/web/repo/actions/view.go b/routers/web/repo/actions/view.go
index 9769f0f11a..4bd7f12637 100644
--- a/routers/web/repo/actions/view.go
+++ b/routers/web/repo/actions/view.go
@@ -168,6 +168,7 @@ type ViewRunInfo struct {
 	CanApprove        bool          `json:"canApprove"` // the run needs an approval and the doer has permission to approve
 	CanRerun          bool          `json:"canRerun"`
 	CanDeleteArtifact bool          `json:"canDeleteArtifact"`
+	CanDelete         bool          `json:"canDelete"`
 	Done              bool          `json:"done"`
 	Jobs              []*ViewJob    `json:"jobs"`
 	Commit            ViewCommit    `json:"commit"`
@@ -288,6 +289,7 @@ func getViewResponse(ctx *app_context.Context, req *ViewRequest, runIndex, jobIn
 	resp.State.Run.CanApprove = run.NeedApproval && ctx.Repo.CanWrite(unit.TypeActions)
 	resp.State.Run.CanRerun = run.CanBeRerun() && ctx.Repo.CanWrite(unit.TypeActions)
 	resp.State.Run.CanDeleteArtifact = run.Status.IsDone() && ctx.Repo.CanWrite(unit.TypeActions)
+	resp.State.Run.CanDelete = run.Status.IsDone() && ctx.IsUserRepoAdmin()
 	resp.State.Run.Jobs = make([]*ViewJob, 0, len(jobs)) // marshal to '[]' instead of 'null' in json
 	resp.State.Run.Status = run.Status.String()
 	resp.State.Run.PreExecutionError = actions_model.TranslatePreExecutionError(ctx.Locale, run)
@@ -600,6 +602,32 @@ func Cancel(ctx *app_context.Context) {
 	ctx.JSON(http.StatusOK, struct{}{})
 }
 
+func DeleteRun(ctx *app_context.Context) {
+	runIndex := ctx.ParamsInt64("run")
+
+	run, err := actions_model.GetRunByIndex(ctx, ctx.Repo.Repository.ID, runIndex)
+	if err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			log.Debug("Run at index %d in repository %d does not exist", runIndex, ctx.Repo.Repository.ID)
+			ctx.JSONOK()
+			return
+		}
+
+		log.Debug("Could not load run at index %d in repository %d: %s", runIndex, ctx.Repo.Repository.ID, err)
+		errorMessage := ctx.Locale.Tr("actions.runs.delete.error_could_not_load_run")
+		ctx.JSON(http.StatusInternalServerError, map[string]any{"message": errorMessage})
+		return
+	}
+	if err = actions_service.DeleteRun(ctx, run.ID); err != nil {
+		log.Debug("Could not delete run %d: %s", run.ID, err)
+		errorMessage := ctx.Locale.Tr("actions.runs.delete.error_could_not_delete_run")
+		ctx.JSON(http.StatusInternalServerError, map[string]any{"message": errorMessage})
+		return
+	}
+
+	ctx.JSONOK()
+}
+
 // getRunJobs gets the jobs of runIndex, and returns jobs[jobIndex], jobs.
 // Any error will be written to the ctx.
 // It never returns a nil job of an empty jobs, if the jobIndex is out of range, it will be treated as 0.
diff --git a/routers/web/web.go b/routers/web/web.go
index c77c8629b9..c19ecfd411 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -1535,6 +1535,7 @@ func registerRoutes(m *web.Route) {
 						})
 					})
 					m.Post("/cancel", reqRepoActionsWriter, actions.Cancel)
+					m.Post("/delete", reqRepoAdmin, actions.DeleteRun)
 					m.Get("/artifacts", actions.ArtifactsView)
 					m.Get("/artifacts/{artifact_name_or_id}", actions.ArtifactsDownloadView)
 					m.Delete("/artifacts/{artifact_name}", reqRepoActionsWriter, actions.ArtifactsDeleteView)
diff --git a/services/actions/TestDeleteJobsOfRun/action_run.yml b/services/actions/TestDeleteJobsOfRun/action_run.yml
new file mode 100644
index 0000000000..e1f2dcc9cf
--- /dev/null
+++ b/services/actions/TestDeleteJobsOfRun/action_run.yml
@@ -0,0 +1,5 @@
+- id: 34901
+  status: 2 # StatusFailure
+
+- id: 34902
+  status: 5 # StatusWaiting
\ No newline at end of file
diff --git a/services/actions/TestDeleteJobsOfRun/action_run_job.yml b/services/actions/TestDeleteJobsOfRun/action_run_job.yml
new file mode 100644
index 0000000000..3cc196d9fe
--- /dev/null
+++ b/services/actions/TestDeleteJobsOfRun/action_run_job.yml
@@ -0,0 +1,7 @@
+- id: 47301
+  run_id: 34901
+  status: 2 # StatusFailure
+
+- id: 47302
+  run_id: 34902
+  status: 5 # StatusWaiting
diff --git a/services/actions/TestDeleteJobsOfRun/action_task.yml b/services/actions/TestDeleteJobsOfRun/action_task.yml
new file mode 100644
index 0000000000..57d0f680b7
--- /dev/null
+++ b/services/actions/TestDeleteJobsOfRun/action_task.yml
@@ -0,0 +1,11 @@
+- id: 87601
+  job_id: 47301
+  log_filename: somebody/somerepo/15631/87601.log.zst
+  log_in_storage: false
+  status: 2 # StatusFailure
+
+- id: 87602
+  job_id: 47302
+  log_filename: somebody/somerepo/15632/87602.log.zst
+  log_in_storage: false
+  status: 5 # StatusWaiting
diff --git a/services/actions/TestDeleteJobsOfRun/action_task_output.yml b/services/actions/TestDeleteJobsOfRun/action_task_output.yml
new file mode 100644
index 0000000000..6244bc9405
--- /dev/null
+++ b/services/actions/TestDeleteJobsOfRun/action_task_output.yml
@@ -0,0 +1,14 @@
+- id: 90041
+  task_id: 87601
+  output_key: one
+  output_value: a
+
+- id: 90042
+  task_id: 87601
+  output_key: two
+  output_value: b
+
+- id: 90043
+  task_id: 87602
+  output_key: three
+  output_value: c
diff --git a/services/actions/TestDeleteJobsOfRun/action_task_step.yml b/services/actions/TestDeleteJobsOfRun/action_task_step.yml
new file mode 100644
index 0000000000..b438f959ba
--- /dev/null
+++ b/services/actions/TestDeleteJobsOfRun/action_task_step.yml
@@ -0,0 +1,9 @@
+- id: 98801
+  name: echo OK
+  task_id: 87601
+  status: 1 # StatusSuccess
+
+- id: 98802
+  name: echo OK
+  task_id: 87602
+  status: 6 # StatusRunning
diff --git a/services/actions/TestDeleteRun/action_artifact.yml b/services/actions/TestDeleteRun/action_artifact.yml
new file mode 100644
index 0000000000..73697d9d69
--- /dev/null
+++ b/services/actions/TestDeleteRun/action_artifact.yml
@@ -0,0 +1,9 @@
+- id: 19401
+  run_id: 34901
+  status: 2 # ArtifactStatusUploadConfirmed
+- id: 19402
+  run_id: 34901
+  status: 1 # ArtifactStatusUploadPending
+- id: 19403
+  run_id: 34902
+  status: 2 # ArtifactStatusUploadConfirmed
diff --git a/services/actions/TestDeleteRun/action_run.yml b/services/actions/TestDeleteRun/action_run.yml
new file mode 100644
index 0000000000..e1f2dcc9cf
--- /dev/null
+++ b/services/actions/TestDeleteRun/action_run.yml
@@ -0,0 +1,5 @@
+- id: 34901
+  status: 2 # StatusFailure
+
+- id: 34902
+  status: 5 # StatusWaiting
\ No newline at end of file
diff --git a/services/actions/TestDeleteRun/action_run_job.yml b/services/actions/TestDeleteRun/action_run_job.yml
new file mode 100644
index 0000000000..3cc196d9fe
--- /dev/null
+++ b/services/actions/TestDeleteRun/action_run_job.yml
@@ -0,0 +1,7 @@
+- id: 47301
+  run_id: 34901
+  status: 2 # StatusFailure
+
+- id: 47302
+  run_id: 34902
+  status: 5 # StatusWaiting
diff --git a/services/actions/TestDeleteRun/action_task.yml b/services/actions/TestDeleteRun/action_task.yml
new file mode 100644
index 0000000000..57d0f680b7
--- /dev/null
+++ b/services/actions/TestDeleteRun/action_task.yml
@@ -0,0 +1,11 @@
+- id: 87601
+  job_id: 47301
+  log_filename: somebody/somerepo/15631/87601.log.zst
+  log_in_storage: false
+  status: 2 # StatusFailure
+
+- id: 87602
+  job_id: 47302
+  log_filename: somebody/somerepo/15632/87602.log.zst
+  log_in_storage: false
+  status: 5 # StatusWaiting
diff --git a/services/actions/TestDeleteRun/action_task_output.yml b/services/actions/TestDeleteRun/action_task_output.yml
new file mode 100644
index 0000000000..6244bc9405
--- /dev/null
+++ b/services/actions/TestDeleteRun/action_task_output.yml
@@ -0,0 +1,14 @@
+- id: 90041
+  task_id: 87601
+  output_key: one
+  output_value: a
+
+- id: 90042
+  task_id: 87601
+  output_key: two
+  output_value: b
+
+- id: 90043
+  task_id: 87602
+  output_key: three
+  output_value: c
diff --git a/services/actions/TestDeleteRun/action_task_step.yml b/services/actions/TestDeleteRun/action_task_step.yml
new file mode 100644
index 0000000000..b438f959ba
--- /dev/null
+++ b/services/actions/TestDeleteRun/action_task_step.yml
@@ -0,0 +1,9 @@
+- id: 98801
+  name: echo OK
+  task_id: 87601
+  status: 1 # StatusSuccess
+
+- id: 98802
+  name: echo OK
+  task_id: 87602
+  status: 6 # StatusRunning
diff --git a/services/actions/TestDeleteTask/action_runner.yml b/services/actions/TestDeleteTask/action_runner.yml
new file mode 100644
index 0000000000..862b715ab6
--- /dev/null
+++ b/services/actions/TestDeleteTask/action_runner.yml
@@ -0,0 +1,6 @@
+- id: 41601
+  uuid: 61a71de6-8127-40c9-a30e-63647e93edad
+  ephemeral: true
+- id: 41602
+  uuid: fae04d20-98ae-4b69-8439-213dac373e19
+  ephemeral: false
\ No newline at end of file
diff --git a/services/actions/TestDeleteTask/action_task.yml b/services/actions/TestDeleteTask/action_task.yml
new file mode 100644
index 0000000000..f9b979f437
--- /dev/null
+++ b/services/actions/TestDeleteTask/action_task.yml
@@ -0,0 +1,16 @@
+- id: 87601
+  log_filename: somebody/somerepo/15631/87601.log.zst
+  log_in_storage: false
+  status: 1 # StatusSuccess
+  runner_id: 41601
+
+- id: 87602
+  log_filename: somebody/somerepo/15632/87602.log.zst
+  log_in_storage: false
+  status: 6 # StatusRunning
+
+- id: 87603
+  log_filename: somebody/somerepo/15631/87603.log.zst
+  log_in_storage: false
+  status: 2 # StatusFailure
+  runner_id: 41602
diff --git a/services/actions/TestDeleteTask/action_task_output.yml b/services/actions/TestDeleteTask/action_task_output.yml
new file mode 100644
index 0000000000..6244bc9405
--- /dev/null
+++ b/services/actions/TestDeleteTask/action_task_output.yml
@@ -0,0 +1,14 @@
+- id: 90041
+  task_id: 87601
+  output_key: one
+  output_value: a
+
+- id: 90042
+  task_id: 87601
+  output_key: two
+  output_value: b
+
+- id: 90043
+  task_id: 87602
+  output_key: three
+  output_value: c
diff --git a/services/actions/TestDeleteTask/action_task_step.yml b/services/actions/TestDeleteTask/action_task_step.yml
new file mode 100644
index 0000000000..8050e4002d
--- /dev/null
+++ b/services/actions/TestDeleteTask/action_task_step.yml
@@ -0,0 +1,14 @@
+- id: 98801
+  name: echo OK
+  task_id: 87601
+  status: 1 # StatusSuccess
+
+- id: 98802
+  name: echo OK
+  task_id: 87602
+  status: 6 # StatusRunning
+
+- id: 98803
+  name: echo OK
+  task_id: 87603
+  status: 2 # StatusFailure
diff --git a/services/actions/job.go b/services/actions/job.go
new file mode 100644
index 0000000000..6ee8260ac7
--- /dev/null
+++ b/services/actions/job.go
@@ -0,0 +1,47 @@
+// Copyright 2026 The Forgejo Authors.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package actions
+
+import (
+	"context"
+	"fmt"
+
+	"forgejo.org/models/actions"
+	"forgejo.org/models/db"
+)
+
+// deleteJobsOfRun removes all jobs that belong to the given run, including its associated tasks. Each job has to be
+// completed for the operation to succeed.
+func deleteJobsOfRun(ctx context.Context, runID int64) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		jobs, err := actions.GetRunJobsByRunID(ctx, runID)
+		if err != nil {
+			return fmt.Errorf("unable to load jobs of run %d: %w", runID, err)
+		}
+
+		for _, job := range jobs {
+			if !job.Status.IsDone() {
+				return fmt.Errorf("unable to delete job %d because it has not completed yet", job.ID)
+			}
+
+			tasks, err := actions.GetTasksOfJob(ctx, job.ID)
+			if err != nil {
+				return err
+			}
+			for _, task := range tasks {
+				err = deleteTask(ctx, task.ID)
+				if err != nil {
+					return err
+				}
+			}
+
+			err = actions.DeleteJob(ctx, job.ID)
+			if err != nil {
+				return fmt.Errorf("unable to delete job %d of run %d: %w", job.ID, job.RunID, err)
+			}
+		}
+
+		return nil
+	})
+}
diff --git a/services/actions/job_test.go b/services/actions/job_test.go
new file mode 100644
index 0000000000..b669bce301
--- /dev/null
+++ b/services/actions/job_test.go
@@ -0,0 +1,45 @@
+// Copyright 2026 The Forgejo Authors.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package actions
+
+import (
+	"testing"
+
+	actions_model "forgejo.org/models/actions"
+	"forgejo.org/models/unittest"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestDeleteJobsOfRun(t *testing.T) {
+	t.Run("Deletes completed job", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestDeleteJobsOfRun")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34901})
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 47301, RunID: run.ID})
+		unittest.AssertCount(t, &actions_model.ActionTask{JobID: job.ID}, 1)
+
+		require.NoError(t, deleteJobsOfRun(t.Context(), run.ID))
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRunJob{ID: job.ID})
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 47302})
+		unittest.AssertCount(t, &actions_model.ActionTask{JobID: job.ID}, 0)
+	})
+
+	t.Run("Error if job has not completed", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestDeleteJobsOfRun")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34902})
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 47302, RunID: run.ID})
+		unittest.AssertCount(t, &actions_model.ActionTask{JobID: job.ID}, 1)
+
+		err := deleteJobsOfRun(t.Context(), run.ID)
+		require.ErrorContains(t, err, "unable to delete job 47302 because it has not completed yet")
+
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: job.ID})
+		unittest.AssertCount(t, &actions_model.ActionTask{JobID: job.ID}, 1)
+	})
+}
diff --git a/services/actions/run.go b/services/actions/run.go
index 891d9d8f03..d0e874ff54 100644
--- a/services/actions/run.go
+++ b/services/actions/run.go
@@ -5,6 +5,7 @@ package actions
 
 import (
 	"context"
+	"fmt"
 	"slices"
 	"strings"
 
@@ -203,3 +204,30 @@ func checkJobRunsOnStaticMatrixError(ctx context.Context, job *actions_model.Act
 
 	return true, nil
 }
+
+// DeleteRun removes a particular run including all associated artifacts, jobs, tasks, and logs. The run has to be
+// completed for the operation to succeed.
+func DeleteRun(ctx context.Context, runID int64) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		run, err := actions_model.GetRunByID(ctx, runID)
+		if err != nil {
+			return fmt.Errorf("unable to load run %d: %w", runID, err)
+		}
+
+		if !run.Status.IsDone() {
+			return fmt.Errorf("cannot delete run %d because it has not completed yet", run.ID)
+		}
+
+		err = actions_model.SetArtifactsOfRunDeleted(ctx, runID)
+		if err != nil {
+			return fmt.Errorf("unable to delete artifacts of run %d: %w", run.ID, err)
+		}
+
+		err = deleteJobsOfRun(ctx, run.ID)
+		if err != nil {
+			return fmt.Errorf("unable to delete jobs of run %d: %w", run.ID, err)
+		}
+
+		return actions_model.DeleteRun(ctx, run.ID)
+	})
+}
diff --git a/services/actions/run_test.go b/services/actions/run_test.go
index 61e580aed1..19cad919db 100644
--- a/services/actions/run_test.go
+++ b/services/actions/run_test.go
@@ -160,3 +160,42 @@ func TestActions_consistencyCheckRun(t *testing.T) {
 		})
 	}
 }
+
+func TestDeleteRun(t *testing.T) {
+	t.Run("Removes run and its dependencies", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestDeleteRun")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34901})
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{RunID: run.ID})
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: run.ID}, 2)
+
+		require.NoError(t, DeleteRun(t.Context(), run.ID))
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRun{ID: run.ID})
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRunJob{ID: job.ID})
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID:  run.ID,
+			Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 2)
+	})
+
+	t.Run("Error if run not done", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestDeleteRun")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34902})
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{RunID: run.ID})
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: run.ID}, 1)
+
+		err := DeleteRun(t.Context(), run.ID)
+		require.ErrorContains(t, err, "cannot delete run 34902 because it has not completed yet")
+
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run.ID})
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: job.ID})
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID:  run.ID,
+			Status: int64(actions_model.ArtifactStatusUploadConfirmed),
+		}, 1)
+	})
+}
diff --git a/services/actions/task.go b/services/actions/task.go
index f2525e1b3a..a08403ad08 100644
--- a/services/actions/task.go
+++ b/services/actions/task.go
@@ -367,3 +367,40 @@ func convertTimestamp(timestamp *timestamppb.Timestamp) timeutil.TimeStamp {
 	}
 	return timeutil.TimeStamp(timestamp.AsTime().Unix())
 }
+
+// deleteTask removes the given task with all associated steps, outputs, logs, and ephemeral runners, if any. For
+// deleteTask to succeed, it must have completed. If it has not, an error is returned. If the given task does not exist,
+// nothing happens.
+func deleteTask(ctx context.Context, taskID int64) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		task, err := actions_model.GetTaskByID(ctx, taskID)
+		if err != nil {
+			if errors.Is(err, util.ErrNotExist) {
+				return nil
+			}
+			return fmt.Errorf("unable to load task %d: %w", taskID, err)
+		}
+
+		if !task.Status.IsDone() {
+			return fmt.Errorf("unable to remove task %d because it has not completed yet", taskID)
+		}
+
+		err = actions_module.RemoveLogs(ctx, task.LogInStorage, task.LogFilename)
+		if err != nil {
+			return fmt.Errorf("unable to remove logs of task %d: %w", taskID, err)
+		}
+
+		// Whether an ephemeral runner has been used is determined based on whether it is assigned to a task.
+		// Consequently, ephemeral runners have to be cleaned up before any task can be removed.
+		err = actions_model.DeleteEphemeralRunner(ctx, task.RunnerID)
+		if err != nil {
+			return fmt.Errorf("unable to cleanup ephemeral runners before removing task %d: %w", taskID, err)
+		}
+		err = actions_model.DeleteTask(ctx, task.ID)
+		if err != nil {
+			return fmt.Errorf("unable to remove task %d: %w", task.ID, err)
+		}
+
+		return nil
+	})
+}
diff --git a/services/actions/task_test.go b/services/actions/task_test.go
index 0c2630f3a6..375359b5e8 100644
--- a/services/actions/task_test.go
+++ b/services/actions/task_test.go
@@ -6,8 +6,12 @@ import (
 
 	actions_model "forgejo.org/models/actions"
 	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/unittest"
 	"forgejo.org/models/user"
+	"forgejo.org/modules/actions"
 
+	runnerv1 "code.forgejo.org/forgejo/actions-proto/runner/v1"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -97,3 +101,90 @@ jobs:
 		require.NotEmpty(t, taskContext.Fields["gitea_runtime_token"].GetStringValue())
 	})
 }
+
+func TestDeleteTask(t *testing.T) {
+	t.Run("Task removed with logs and ephemeral runner", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestDeleteTask")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		task := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 87601})
+		runner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 41601})
+		unittest.AssertCount(t, &actions_model.ActionTaskOutput{TaskID: task.ID}, 2)
+		unittest.AssertCount(t, &actions_model.ActionTaskStep{TaskID: task.ID}, 1)
+
+		_, err := actions.WriteLogs(t.Context(), task.LogFilename, 0, []*runnerv1.LogRow{{Content: "OK"}})
+		require.NoError(t, err)
+
+		logExists, err := actions.ExistsLogs(t.Context(), task.LogFilename)
+		require.NoError(t, err)
+		assert.True(t, logExists)
+
+		require.NoError(t, deleteTask(t.Context(), task.ID))
+
+		logExists, err = actions.ExistsLogs(t.Context(), task.LogFilename)
+		require.NoError(t, err)
+		assert.False(t, logExists)
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionTask{ID: task.ID})
+		unittest.AssertCount(t, &actions_model.ActionTaskOutput{TaskID: task.ID}, 0)
+		unittest.AssertCount(t, &actions_model.ActionTaskStep{TaskID: task.ID}, 0)
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRunner{ID: runner.ID})
+
+		// Verify that other tasks have been left alone.
+		otherTask := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 87602})
+		unittest.AssertCount(t, &actions_model.ActionTaskOutput{TaskID: otherTask.ID}, 1)
+		unittest.AssertCount(t, &actions_model.ActionTaskStep{TaskID: otherTask.ID}, 1)
+	})
+
+	t.Run("Task removed and persistent runner kept", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestDeleteTask")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		task := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 87603})
+		runner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 41602})
+		unittest.AssertCount(t, &actions_model.ActionTaskOutput{TaskID: task.ID}, 0)
+		unittest.AssertCount(t, &actions_model.ActionTaskStep{TaskID: task.ID}, 1)
+
+		_, err := actions.WriteLogs(t.Context(), task.LogFilename, 0, []*runnerv1.LogRow{{Content: "OK"}})
+		require.NoError(t, err)
+
+		logExists, err := actions.ExistsLogs(t.Context(), task.LogFilename)
+		require.NoError(t, err)
+		assert.True(t, logExists)
+
+		require.NoError(t, deleteTask(t.Context(), task.ID))
+
+		logExists, err = actions.ExistsLogs(t.Context(), task.LogFilename)
+		require.NoError(t, err)
+		assert.False(t, logExists)
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionTask{ID: task.ID})
+		unittest.AssertCount(t, &actions_model.ActionTaskOutput{TaskID: task.ID}, 0)
+		unittest.AssertCount(t, &actions_model.ActionTaskStep{TaskID: task.ID}, 0)
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: runner.ID})
+	})
+
+	t.Run("No error if task does not exist", func(t *testing.T) {
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionTask{ID: 87601})
+		require.NoError(t, deleteTask(t.Context(), 87601))
+	})
+
+	t.Run("Error if task is not done", func(t *testing.T) {
+		defer unittest.OverrideFixtures("services/actions/TestDeleteTask")()
+		require.NoError(t, unittest.PrepareTestDatabase())
+
+		task := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: 87602})
+		unittest.AssertCount(t, &actions_model.ActionTaskOutput{TaskID: task.ID}, 1)
+		unittest.AssertCount(t, &actions_model.ActionTaskStep{TaskID: task.ID}, 1)
+
+		err := deleteTask(t.Context(), task.ID)
+		require.ErrorContains(t, err, "unable to remove task 87602 because it has not completed yet")
+
+		// Verify nothing has been deleted.
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: task.ID})
+		unittest.AssertCount(t, &actions_model.ActionTaskOutput{TaskID: task.ID}, 1)
+		unittest.AssertCount(t, &actions_model.ActionTaskStep{TaskID: task.ID}, 1)
+	})
+}
diff --git a/templates/repo/actions/view.tmpl b/templates/repo/actions/view.tmpl
index 04aced83d1..e005ee412d 100644
--- a/templates/repo/actions/view.tmpl
+++ b/templates/repo/actions/view.tmpl
@@ -17,6 +17,9 @@
 		data-locale-cancel="{{ctx.Locale.Tr "cancel"}}"
 		data-locale-rerun="{{ctx.Locale.Tr "rerun"}}"
 		data-locale-rerun-all="{{ctx.Locale.Tr "rerun_all"}}"
+		data-locale-delete="{{ctx.Locale.Tr "actions.runs.delete.button"}}"
+		data-locale-delete-error="{{ctx.Locale.Tr "actions.runs.delete.error"}}"
+		data-locale-confirm-delete="{{ctx.Locale.Tr "actions.runs.delete.confirm_action"}}"
 		data-locale-status-unknown="{{ctx.Locale.Tr "actions.status.unknown"}}"
 		data-locale-status-waiting="{{ctx.Locale.Tr "actions.status.waiting"}}"
 		data-locale-status-running="{{ctx.Locale.Tr "actions.status.running"}}"
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index e0afb22d54..a0e6cc8e4a 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -6089,6 +6089,55 @@
             "$ref": "#/responses/notFound"
           }
         }
+      },
+      "delete": {
+        "description": "Remove a particular workflow run. The workflow run must have completed (succeeded, failed, cancelled) for the operation to succeed. Otherwise, an error is returned.\n",
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "repository"
+        ],
+        "summary": "Delete a completed workflow run.",
+        "operationId": "DeleteActionRun",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repo",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "integer",
+            "format": "int64",
+            "description": "id of the action run",
+            "name": "run_id",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "Workflow run has been removed"
+          },
+          "400": {
+            "$ref": "#/responses/error"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          }
+        }
       }
     },
     "/repos/{owner}/{repo}/actions/runs/{run_id}/artifacts": {
diff --git a/tests/integration/actions_run_test.go b/tests/integration/actions_run_test.go
new file mode 100644
index 0000000000..64210f1a71
--- /dev/null
+++ b/tests/integration/actions_run_test.go
@@ -0,0 +1,123 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	actions_model "forgejo.org/models/actions"
+	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestActionRunDeletion(t *testing.T) {
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user2.ID})
+	user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+	repo62 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 62, OwnerID: user2.ID})
+
+	sessUser2 := loginUser(t, user2.Name)
+	sessUser5 := loginUser(t, user5.Name)
+
+	t.Run("Run removed", func(t *testing.T) {
+		defer unittest.OverrideFixtures("tests/integration/fixtures/TestActionRunDeletion")()
+		defer tests.PrepareTestEnv(t)()
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34901})
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{RunID: run.ID})
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: run.ID}, 2)
+		runner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 41601})
+
+		requestURL := fmt.Sprintf("/%s/actions/runs/%d/delete", repo1.FullName(), run.Index)
+		request := NewRequest(t, "POST", requestURL)
+		response := sessUser2.MakeRequest(t, request, http.StatusOK)
+		assert.JSONEq(t, `{"ok":true}`, response.Body.String())
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRun{ID: run.ID})
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRunJob{ID: job.ID})
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID:  run.ID,
+			Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 2)
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRunner{ID: runner.ID})
+	})
+
+	t.Run("Error if run has not completed", func(t *testing.T) {
+		defer unittest.OverrideFixtures("tests/integration/fixtures/TestActionRunDeletion")()
+		defer tests.PrepareTestEnv(t)()
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34902})
+
+		requestURL := fmt.Sprintf("/%s/actions/runs/%d/delete", repo1.FullName(), run.Index)
+		request := NewRequest(t, "POST", requestURL)
+		response := sessUser2.MakeRequest(t, request, http.StatusInternalServerError)
+		assert.JSONEq(t, `{"message":"Could not delete run."}`, response.Body.String())
+
+		// Verify that the run still exists.
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run.ID})
+	})
+
+	t.Run("Nothing happens if run does not belong to repository", func(t *testing.T) {
+		defer unittest.OverrideFixtures("tests/integration/fixtures/TestActionRunDeletion")()
+		defer tests.PrepareTestEnv(t)()
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34901})
+
+		requestURL := fmt.Sprintf("/%s/actions/runs/%d/delete", repo62.FullName(), run.Index)
+		request := NewRequest(t, "POST", requestURL)
+		response := sessUser2.MakeRequest(t, request, http.StatusOK)
+		assert.JSONEq(t, `{"ok":true}`, response.Body.String())
+
+		// Verify that the run still exists.
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run.ID})
+	})
+
+	t.Run("Nothing happens if run does not exist", func(t *testing.T) {
+		defer tests.PrepareTestEnv(t)()
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRun{Index: 260871})
+
+		requestURL := fmt.Sprintf("/%s/actions/runs/%d/delete", repo1.FullName(), 260871)
+		request := NewRequest(t, "POST", requestURL)
+		response := sessUser2.MakeRequest(t, request, http.StatusOK)
+		assert.JSONEq(t, `{"ok":true}`, response.Body.String())
+	})
+
+	t.Run("Removal requires ownership", func(t *testing.T) {
+		defer unittest.OverrideFixtures("tests/integration/fixtures/TestActionRunDeletion")()
+		defer tests.PrepareTestEnv(t)()
+
+		isCollaborator, err := repo_model.IsCollaborator(t.Context(), repo1.ID, user5.ID)
+		require.NoError(t, err)
+		require.True(t, isCollaborator)
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34901})
+
+		requestURL := fmt.Sprintf("/%s/actions/runs/%d/delete", repo1.FullName(), run.Index)
+		request := NewRequest(t, "POST", requestURL)
+		MakeRequest(t, request, http.StatusNotFound)
+
+		// Verify that run still exists
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run.ID})
+
+		request = NewRequest(t, "POST", requestURL)
+		sessUser5.MakeRequest(t, request, http.StatusNotFound)
+
+		// Verify that run still exists
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run.ID})
+
+		request = NewRequest(t, "POST", requestURL)
+		sessUser2.MakeRequest(t, request, http.StatusOK)
+
+		// Verify that run no longer exists
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRun{ID: run.ID})
+	})
+}
diff --git a/tests/integration/actions_view_test.go b/tests/integration/actions_view_test.go
index 5275198eff..16a79581dc 100644
--- a/tests/integration/actions_view_test.go
+++ b/tests/integration/actions_view_test.go
@@ -14,6 +14,7 @@ import (
 	"testing"
 
 	actions_model "forgejo.org/models/actions"
+	repo_model "forgejo.org/models/repo"
 	unit_model "forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
@@ -147,7 +148,7 @@ func TestActionViewsView(t *testing.T) {
 			runIndex:          187,
 			jobIndex:          0,
 			attempt:           1,
-			expectedJSON:      "{\"state\":{\"run\":{\"preExecutionError\":\"\",\"link\":\"/user5/repo4/actions/runs/187\",\"title\":\"update actions\",\"titleHTML\":\"update actions\",\"status\":\"success\",\"canCancel\":false,\"canApprove\":false,\"canRerun\":false,\"canDeleteArtifact\":false,\"description\":\"Commit <a href=\\\"/user5/repo4/commit/c2d72f548424103f01ee1dc02889c1e2bff816b0\\\">c2d72f5484</a> pushed by <a href=\\\"/user1\\\">user1</a>\",\"done\":true,\"jobs\":[{\"id\":192,\"name\":\"job_2\",\"status\":\"success\",\"canRerun\":false,\"duration\":\"_duration_\"}],\"commit\":{\"localeWorkflow\":\"Workflow\",\"localeAllRuns\":\"all runs\",\"shortSHA\":\"c2d72f5484\",\"link\":\"/user5/repo4/commit/c2d72f548424103f01ee1dc02889c1e2bff816b0\",\"pusher\":{\"displayName\":\"user1\",\"link\":\"/user1\"},\"branch\":{\"name\":\"master\",\"link\":\"/user5/repo4/src/branch/master\",\"isDeleted\":false}}},\"currentJob\":{\"title\":\"job_2\",\"details\":[\"Success\"],\"steps\":[{\"summary\":\"Set up job\",\"duration\":\"_duration_\",\"status\":\"success\"},{\"summary\":\"Complete job\",\"duration\":\"_duration_\",\"status\":\"success\"}],\"allAttempts\":[{\"number\":3,\"time_since_started_html\":\"_time_\",\"status\":\"running\",\"status_diagnostics\":[\"Running\"]},{\"number\":2,\"time_since_started_html\":\"_time_\",\"status\":\"success\",\"status_diagnostics\":[\"Success\"]},{\"number\":1,\"time_since_started_html\":\"_time_\",\"status\":\"success\",\"status_diagnostics\":[\"Success\"]}]}},\"logs\":{\"stepsLog\":[]}}\n",
+			expectedJSON:      "{\"state\":{\"run\":{\"preExecutionError\":\"\",\"link\":\"/user5/repo4/actions/runs/187\",\"title\":\"update actions\",\"titleHTML\":\"update actions\",\"status\":\"success\",\"canCancel\":false,\"canDelete\":false,\"canApprove\":false,\"canRerun\":false,\"canDeleteArtifact\":false,\"description\":\"Commit <a href=\\\"/user5/repo4/commit/c2d72f548424103f01ee1dc02889c1e2bff816b0\\\">c2d72f5484</a> pushed by <a href=\\\"/user1\\\">user1</a>\",\"done\":true,\"jobs\":[{\"id\":192,\"name\":\"job_2\",\"status\":\"success\",\"canRerun\":false,\"duration\":\"_duration_\"}],\"commit\":{\"localeWorkflow\":\"Workflow\",\"localeAllRuns\":\"all runs\",\"shortSHA\":\"c2d72f5484\",\"link\":\"/user5/repo4/commit/c2d72f548424103f01ee1dc02889c1e2bff816b0\",\"pusher\":{\"displayName\":\"user1\",\"link\":\"/user1\"},\"branch\":{\"name\":\"master\",\"link\":\"/user5/repo4/src/branch/master\",\"isDeleted\":false}}},\"currentJob\":{\"title\":\"job_2\",\"details\":[\"Success\"],\"steps\":[{\"summary\":\"Set up job\",\"duration\":\"_duration_\",\"status\":\"success\"},{\"summary\":\"Complete job\",\"duration\":\"_duration_\",\"status\":\"success\"}],\"allAttempts\":[{\"number\":3,\"time_since_started_html\":\"_time_\",\"status\":\"running\",\"status_diagnostics\":[\"Running\"]},{\"number\":2,\"time_since_started_html\":\"_time_\",\"status\":\"success\",\"status_diagnostics\":[\"Success\"]},{\"number\":1,\"time_since_started_html\":\"_time_\",\"status\":\"success\",\"status_diagnostics\":[\"Success\"]}]}},\"logs\":{\"stepsLog\":[]}}\n",
 			expectedArtifacts: "{\"artifacts\":[{\"name\":\"multi-file-download\",\"size\":2048,\"status\":\"completed\"}]}\n",
 		},
 		{
@@ -156,7 +157,7 @@ func TestActionViewsView(t *testing.T) {
 			runIndex:          209,
 			jobIndex:          0,
 			attempt:           1,
-			expectedJSON:      "{\"state\":{\"run\":{\"link\":\"/user5/repo4/actions/runs/209\",\"title\":\"A scheduled workflow\",\"titleHTML\":\"A scheduled workflow\",\"status\":\"waiting\",\"description\":\"Scheduled run of commit \\u003ca href=\\\"/user5/repo4/commit/64357baca84bfff631e7dfae5a3433b26d005646\\\"\\u003e64357baca8\\u003c/a\\u003e\",\"canCancel\":false,\"canApprove\":false,\"canRerun\":false,\"canDeleteArtifact\":false,\"done\":false,\"jobs\":[{\"id\":2153,\"name\":\"job_2\",\"status\":\"waiting\",\"canRerun\":false,\"duration\":\"_duration_\"}],\"commit\":{\"localeWorkflow\":\"Workflow\",\"localeAllRuns\":\"all runs\",\"shortSHA\":\"64357baca8\",\"link\":\"/user5/repo4/commit/64357baca84bfff631e7dfae5a3433b26d005646\",\"pusher\":{\"displayName\":\"forgejo-actions\",\"link\":\"/forgejo-actions\"},\"branch\":{\"name\":\"master\",\"link\":\"/user5/repo4/src/branch/master\",\"isDeleted\":false}},\"preExecutionError\":\"\"},\"currentJob\":{\"title\":\"job_2\",\"details\":[\"Waiting for a runner with the following labels: debian, gpu\"],\"steps\":[{\"summary\":\"Set up job\",\"duration\":\"_duration_\",\"status\":\"success\"},{\"summary\":\"Complete job\",\"duration\":\"_duration_\",\"status\":\"success\"}],\"allAttempts\":[{\"number\":1,\"time_since_started_html\":\"-\",\"status\":\"success\",\"status_diagnostics\":[\"Success\"]}]}},\"logs\":{\"stepsLog\":[]}}\n",
+			expectedJSON:      "{\"state\":{\"run\":{\"link\":\"/user5/repo4/actions/runs/209\",\"title\":\"A scheduled workflow\",\"titleHTML\":\"A scheduled workflow\",\"status\":\"waiting\",\"description\":\"Scheduled run of commit \\u003ca href=\\\"/user5/repo4/commit/64357baca84bfff631e7dfae5a3433b26d005646\\\"\\u003e64357baca8\\u003c/a\\u003e\",\"canCancel\":false,\"canDelete\":false,\"canApprove\":false,\"canRerun\":false,\"canDeleteArtifact\":false,\"done\":false,\"jobs\":[{\"id\":2153,\"name\":\"job_2\",\"status\":\"waiting\",\"canRerun\":false,\"duration\":\"_duration_\"}],\"commit\":{\"localeWorkflow\":\"Workflow\",\"localeAllRuns\":\"all runs\",\"shortSHA\":\"64357baca8\",\"link\":\"/user5/repo4/commit/64357baca84bfff631e7dfae5a3433b26d005646\",\"pusher\":{\"displayName\":\"forgejo-actions\",\"link\":\"/forgejo-actions\"},\"branch\":{\"name\":\"master\",\"link\":\"/user5/repo4/src/branch/master\",\"isDeleted\":false}},\"preExecutionError\":\"\"},\"currentJob\":{\"title\":\"job_2\",\"details\":[\"Waiting for a runner with the following labels: debian, gpu\"],\"steps\":[{\"summary\":\"Set up job\",\"duration\":\"_duration_\",\"status\":\"success\"},{\"summary\":\"Complete job\",\"duration\":\"_duration_\",\"status\":\"success\"}],\"allAttempts\":[{\"number\":1,\"time_since_started_html\":\"-\",\"status\":\"success\",\"status_diagnostics\":[\"Success\"]}]}},\"logs\":{\"stepsLog\":[]}}\n",
 			expectedArtifacts: "{\"artifacts\":[]}\n",
 		},
 		{
@@ -165,7 +166,7 @@ func TestActionViewsView(t *testing.T) {
 			runIndex:          210,
 			jobIndex:          0,
 			attempt:           1,
-			expectedJSON:      "{\"state\":{\"run\":{\"link\":\"/user5/repo4/actions/runs/210\",\"title\":\"A triggered run\",\"titleHTML\":\"A triggered run\",\"status\":\"waiting\",\"description\":\"Run of commit \\u003ca href=\\\"/user5/repo4/commit/f4100ac14112a3740490afb22b07b69b0b5d4e8b\\\"\\u003ef4100ac141\\u003c/a\\u003e triggered by \\u003ca href=\\\"/user29\\\"\\u003euser29\\u003c/a\\u003e\",\"canCancel\":false,\"canApprove\":false,\"canRerun\":false,\"canDeleteArtifact\":false,\"done\":false,\"jobs\":[{\"id\":2154,\"name\":\"mirror\",\"status\":\"waiting\",\"canRerun\":false,\"duration\":\"_duration_\"}],\"commit\":{\"localeWorkflow\":\"Workflow\",\"localeAllRuns\":\"all runs\",\"shortSHA\":\"f4100ac141\",\"link\":\"/user5/repo4/commit/f4100ac14112a3740490afb22b07b69b0b5d4e8b\",\"pusher\":{\"displayName\":\"user29\",\"link\":\"/user29\"},\"branch\":{\"name\":\"master\",\"link\":\"/user5/repo4/src/branch/master\",\"isDeleted\":false}},\"preExecutionError\":\"\"},\"currentJob\":{\"title\":\"mirror\",\"details\":[\"Waiting for a runner with the following label: windows\"],\"steps\":[{\"summary\":\"Set up job\",\"duration\":\"_duration_\",\"status\":\"running\"},{\"summary\":\"Complete job\",\"duration\":\"_duration_\",\"status\":\"waiting\"}],\"allAttempts\":[{\"number\":1,\"time_since_started_html\":\"-\",\"status\":\"waiting\",\"status_diagnostics\":[\"Waiting for a runner with the following label: windows\"]}]}},\"logs\":{\"stepsLog\":[]}}\n",
+			expectedJSON:      "{\"state\":{\"run\":{\"link\":\"/user5/repo4/actions/runs/210\",\"title\":\"A triggered run\",\"titleHTML\":\"A triggered run\",\"status\":\"waiting\",\"description\":\"Run of commit \\u003ca href=\\\"/user5/repo4/commit/f4100ac14112a3740490afb22b07b69b0b5d4e8b\\\"\\u003ef4100ac141\\u003c/a\\u003e triggered by \\u003ca href=\\\"/user29\\\"\\u003euser29\\u003c/a\\u003e\",\"canCancel\":false,\"canDelete\":false,\"canApprove\":false,\"canRerun\":false,\"canDeleteArtifact\":false,\"done\":false,\"jobs\":[{\"id\":2154,\"name\":\"mirror\",\"status\":\"waiting\",\"canRerun\":false,\"duration\":\"_duration_\"}],\"commit\":{\"localeWorkflow\":\"Workflow\",\"localeAllRuns\":\"all runs\",\"shortSHA\":\"f4100ac141\",\"link\":\"/user5/repo4/commit/f4100ac14112a3740490afb22b07b69b0b5d4e8b\",\"pusher\":{\"displayName\":\"user29\",\"link\":\"/user29\"},\"branch\":{\"name\":\"master\",\"link\":\"/user5/repo4/src/branch/master\",\"isDeleted\":false}},\"preExecutionError\":\"\"},\"currentJob\":{\"title\":\"mirror\",\"details\":[\"Waiting for a runner with the following label: windows\"],\"steps\":[{\"summary\":\"Set up job\",\"duration\":\"_duration_\",\"status\":\"running\"},{\"summary\":\"Complete job\",\"duration\":\"_duration_\",\"status\":\"waiting\"}],\"allAttempts\":[{\"number\":1,\"time_since_started_html\":\"-\",\"status\":\"waiting\",\"status_diagnostics\":[\"Waiting for a runner with the following label: windows\"]}]}},\"logs\":{\"stepsLog\":[]}}\n",
 			expectedArtifacts: "{\"artifacts\":[]}\n",
 		},
 	}
@@ -229,7 +230,7 @@ func TestActionViewsViewAttemptOutOfRange(t *testing.T) {
 		re = regexp.MustCompile(pattern)
 		actualClean = re.ReplaceAllString(actualClean, `"time_since_started_html":"_time_"`)
 
-		return assert.JSONEq(t, "{\"state\":{\"run\":{\"preExecutionError\":\"\",\"link\":\"/user5/repo4/actions/runs/190\",\"title\":\"job output\",\"titleHTML\":\"job output\",\"status\":\"success\",\"canCancel\":false,\"canApprove\":false,\"canRerun\":false,\"canDeleteArtifact\":false,\"description\":\"Commit <a href=\\\"/user5/repo4/commit/c2d72f548424103f01ee1dc02889c1e2bff816b0\\\">c2d72f5484</a> pushed by <a href=\\\"/user1\\\">user1</a>\",\"done\":false,\"jobs\":[{\"id\":396,\"name\":\"job_2\",\"status\":\"waiting\",\"canRerun\":false,\"duration\":\"_duration_\"}],\"commit\":{\"localeWorkflow\":\"Workflow\",\"localeAllRuns\":\"all runs\",\"shortSHA\":\"c2d72f5484\",\"link\":\"/user5/repo4/commit/c2d72f548424103f01ee1dc02889c1e2bff816b0\",\"pusher\":{\"displayName\":\"user1\",\"link\":\"/user1\"},\"branch\":{\"name\":\"test\",\"link\":\"/user5/repo4/src/branch/test\",\"isDeleted\":true}}},\"currentJob\":{\"title\":\"job_2\",\"details\":[\"Waiting for a runner with the following label: fedora\"],\"steps\":[],\"allAttempts\":null}},\"logs\":{\"stepsLog\":[]}}\n", actualClean)
+		return assert.JSONEq(t, "{\"state\":{\"run\":{\"preExecutionError\":\"\",\"link\":\"/user5/repo4/actions/runs/190\",\"title\":\"job output\",\"titleHTML\":\"job output\",\"status\":\"success\",\"canCancel\":false,\"canDelete\":false,\"canApprove\":false,\"canRerun\":false,\"canDeleteArtifact\":false,\"description\":\"Commit <a href=\\\"/user5/repo4/commit/c2d72f548424103f01ee1dc02889c1e2bff816b0\\\">c2d72f5484</a> pushed by <a href=\\\"/user1\\\">user1</a>\",\"done\":false,\"jobs\":[{\"id\":396,\"name\":\"job_2\",\"status\":\"waiting\",\"canRerun\":false,\"duration\":\"_duration_\"}],\"commit\":{\"localeWorkflow\":\"Workflow\",\"localeAllRuns\":\"all runs\",\"shortSHA\":\"c2d72f5484\",\"link\":\"/user5/repo4/commit/c2d72f548424103f01ee1dc02889c1e2bff816b0\",\"pusher\":{\"displayName\":\"user1\",\"link\":\"/user1\"},\"branch\":{\"name\":\"test\",\"link\":\"/user5/repo4/src/branch/test\",\"isDeleted\":true}}},\"currentJob\":{\"title\":\"job_2\",\"details\":[\"Waiting for a runner with the following label: fedora\"],\"steps\":[],\"allAttempts\":null}},\"logs\":{\"stepsLog\":[]}}\n", actualClean)
 	})
 	htmlDoc.AssertAttrEqual(t, selector, "data-initial-artifacts-response", "{\"artifacts\":[]}\n")
 }
@@ -258,3 +259,62 @@ func TestActionTabAccessibleFromRepo(t *testing.T) {
 		return true
 	})
 }
+
+func TestActionViewRunDeletion(t *testing.T) {
+	defer unittest.OverrideFixtures("tests/integration/fixtures/TestActionViewRunDeletion")()
+	defer tests.PrepareTestEnv(t)()
+
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user2.ID})
+
+	sessionUser2 := loginUser(t, user2.Name)
+	sessionUser5 := loginUser(t, user5.Name)
+
+	isCollaborator, err := repo_model.IsCollaborator(t.Context(), repo1.ID, user5.ID)
+	require.NoError(t, err)
+	require.True(t, isCollaborator)
+
+	testCases := []struct {
+		name       string
+		sess       *TestSession
+		requestURL string
+		canDelete  bool
+	}{
+		{
+			name:       "Repo owner can delete completed run",
+			sess:       sessionUser2,
+			requestURL: fmt.Sprintf("/%s/actions/runs/3161/jobs/0/attempt/1", repo1.FullName()),
+			canDelete:  true,
+		},
+		{
+			name:       "Collaborator cannot delete completed run",
+			sess:       sessionUser5,
+			requestURL: fmt.Sprintf("/%s/actions/runs/3161/jobs/0/attempt/1", repo1.FullName()),
+			canDelete:  false,
+		},
+		{
+			name:       "Repo owner cannot delete running run",
+			sess:       sessionUser2,
+			requestURL: fmt.Sprintf("/%s/actions/runs/3162/jobs/0/attempt/1", repo1.FullName()),
+			canDelete:  false,
+		},
+		{
+			name:       "Collaborator cannot delete running run",
+			sess:       sessionUser5,
+			requestURL: fmt.Sprintf("/%s/actions/runs/3162/jobs/0/attempt/1", repo1.FullName()),
+			canDelete:  false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			req := NewRequest(t, "GET", testCase.requestURL)
+			resp := testCase.sess.MakeRequest(t, req, http.StatusOK)
+			htmlDoc := NewHTMLParser(t, resp.Body)
+			htmlDoc.AssertAttrPredicate(t, "#repo-action-view", "data-initial-post-response", func(actual string) bool {
+				return assert.Contains(t, actual, fmt.Sprintf(`"canDelete":%t`, testCase.canDelete))
+			})
+		})
+	}
+}
diff --git a/tests/integration/api_repo_actions_test.go b/tests/integration/api_repo_actions_test.go
index 605d55c469..1331ba0959 100644
--- a/tests/integration/api_repo_actions_test.go
+++ b/tests/integration/api_repo_actions_test.go
@@ -671,6 +671,121 @@ func TestAPIRepoActionsRunnerOperations(t *testing.T) {
 	})
 }
 
+func TestActionsAPIDeleteActionRun(t *testing.T) {
+	t.Run("Run removed", func(t *testing.T) {
+		defer unittest.OverrideFixtures("tests/integration/fixtures/TestActionsAPIDeleteActionRun")()
+		defer tests.PrepareTestEnv(t)()
+
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user2.ID})
+		session := loginUser(t, user2.Name)
+		writeToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34901})
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{RunID: run.ID})
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: run.ID}, 2)
+		runner := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunner{ID: 41601})
+
+		requestURL := fmt.Sprintf("/api/v1/repos/%s/actions/runs/%d", repo1.FullName(), run.ID)
+		request := NewRequest(t, "DELETE", requestURL)
+		request.AddTokenAuth(writeToken)
+		MakeRequest(t, request, http.StatusNoContent)
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRun{ID: run.ID})
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRunJob{ID: job.ID})
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID:  run.ID,
+			Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 2)
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRunner{ID: runner.ID})
+	})
+
+	t.Run("Error if run has not completed", func(t *testing.T) {
+		defer unittest.OverrideFixtures("tests/integration/fixtures/TestActionsAPIDeleteActionRun")()
+		defer tests.PrepareTestEnv(t)()
+
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user2.ID})
+		session := loginUser(t, user2.Name)
+		writeToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34902})
+
+		requestURL := fmt.Sprintf("/api/v1/repos/%s/actions/runs/%d", repo1.FullName(), run.ID)
+		request := NewRequest(t, "DELETE", requestURL)
+		request.AddTokenAuth(writeToken)
+		MakeRequest(t, request, http.StatusInternalServerError)
+
+		// Verify that the run still exists.
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run.ID})
+	})
+
+	t.Run("Not found if run does not belong to repository", func(t *testing.T) {
+		defer unittest.OverrideFixtures("tests/integration/fixtures/TestActionsAPIDeleteActionRun")()
+		defer tests.PrepareTestEnv(t)()
+
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		repo62 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 62, OwnerID: user2.ID})
+		session := loginUser(t, user2.Name)
+		writeToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34901})
+
+		requestURL := fmt.Sprintf("/api/v1/repos/%s/actions/runs/%d", repo62.FullName(), run.ID)
+		request := NewRequest(t, "DELETE", requestURL)
+		request.AddTokenAuth(writeToken)
+		MakeRequest(t, request, http.StatusNotFound)
+
+		// Verify that the run still exists.
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run.ID})
+	})
+
+	t.Run("No found if run does not exist", func(t *testing.T) {
+		defer tests.PrepareTestEnv(t)()
+
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user2.ID})
+		session := loginUser(t, user2.Name)
+		writeToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+
+		unittest.AssertNotExistsBean(t, &actions_model.ActionRun{ID: 260871})
+
+		requestURL := fmt.Sprintf("/api/v1/repos/%s/actions/runs/260871", repo1.FullName())
+		request := NewRequest(t, "DELETE", requestURL)
+		request.AddTokenAuth(writeToken)
+		MakeRequest(t, request, http.StatusNotFound)
+	})
+
+	t.Run("Run removal requires write token", func(t *testing.T) {
+		defer unittest.OverrideFixtures("tests/integration/fixtures/TestActionsAPIDeleteActionRun")()
+		defer tests.PrepareTestEnv(t)()
+
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user2.ID})
+		session := loginUser(t, user2.Name)
+		readToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
+
+		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 34901})
+
+		requestURL := fmt.Sprintf("/api/v1/repos/%s/actions/runs/%d", repo1.FullName(), run.ID)
+		request := NewRequest(t, "DELETE", requestURL)
+		request.AddTokenAuth(readToken)
+		response := MakeRequest(t, request, http.StatusForbidden)
+
+		type errorResponse struct {
+			Message string `json:"message"`
+		}
+
+		var errorMessage *errorResponse
+		DecodeJSON(t, response, &errorMessage)
+
+		assert.Equal(t, "token does not have at least one of required scope(s): [write:repository]", errorMessage.Message)
+
+		// Verify that the run still exists.
+		unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: run.ID})
+	})
+}
+
 func TestActionsAPIListActionRunJobs(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
diff --git a/tests/integration/fixtures/TestActionRunDeletion/action_artifact.yml b/tests/integration/fixtures/TestActionRunDeletion/action_artifact.yml
new file mode 100644
index 0000000000..73697d9d69
--- /dev/null
+++ b/tests/integration/fixtures/TestActionRunDeletion/action_artifact.yml
@@ -0,0 +1,9 @@
+- id: 19401
+  run_id: 34901
+  status: 2 # ArtifactStatusUploadConfirmed
+- id: 19402
+  run_id: 34901
+  status: 1 # ArtifactStatusUploadPending
+- id: 19403
+  run_id: 34902
+  status: 2 # ArtifactStatusUploadConfirmed
diff --git a/tests/integration/fixtures/TestActionRunDeletion/action_run.yml b/tests/integration/fixtures/TestActionRunDeletion/action_run.yml
new file mode 100644
index 0000000000..b097261695
--- /dev/null
+++ b/tests/integration/fixtures/TestActionRunDeletion/action_run.yml
@@ -0,0 +1,11 @@
+- id: 34901
+  repo_id: 1
+  owner_id: 2
+  index: 3161
+  status: 2 # StatusFailure
+
+- id: 34902
+  repo_id: 1
+  owner_id: 2
+  index: 3162
+  status: 5 # StatusWaiting
diff --git a/tests/integration/fixtures/TestActionRunDeletion/action_run_job.yml b/tests/integration/fixtures/TestActionRunDeletion/action_run_job.yml
new file mode 100644
index 0000000000..3cc196d9fe
--- /dev/null
+++ b/tests/integration/fixtures/TestActionRunDeletion/action_run_job.yml
@@ -0,0 +1,7 @@
+- id: 47301
+  run_id: 34901
+  status: 2 # StatusFailure
+
+- id: 47302
+  run_id: 34902
+  status: 5 # StatusWaiting
diff --git a/tests/integration/fixtures/TestActionRunDeletion/action_runner.yml b/tests/integration/fixtures/TestActionRunDeletion/action_runner.yml
new file mode 100644
index 0000000000..5462b8e0ec
--- /dev/null
+++ b/tests/integration/fixtures/TestActionRunDeletion/action_runner.yml
@@ -0,0 +1,5 @@
+- id: 41601
+  owner_id: 0
+  repo_id: 1
+  uuid: 61a71de6-8127-40c9-a30e-63647e93edad
+  ephemeral: true
\ No newline at end of file
diff --git a/tests/integration/fixtures/TestActionRunDeletion/action_task.yml b/tests/integration/fixtures/TestActionRunDeletion/action_task.yml
new file mode 100644
index 0000000000..746486e834
--- /dev/null
+++ b/tests/integration/fixtures/TestActionRunDeletion/action_task.yml
@@ -0,0 +1,12 @@
+- id: 87601
+  job_id: 47301
+  log_filename: somebody/somerepo/15631/87601.log.zst
+  log_in_storage: false
+  status: 2 # StatusFailure
+  runner_id: 41601
+
+- id: 87602
+  job_id: 47302
+  log_filename: somebody/somerepo/15632/87602.log.zst
+  log_in_storage: false
+  status: 5 # StatusWaiting
diff --git a/tests/integration/fixtures/TestActionRunDeletion/action_task_output.yml b/tests/integration/fixtures/TestActionRunDeletion/action_task_output.yml
new file mode 100644
index 0000000000..6244bc9405
--- /dev/null
+++ b/tests/integration/fixtures/TestActionRunDeletion/action_task_output.yml
@@ -0,0 +1,14 @@
+- id: 90041
+  task_id: 87601
+  output_key: one
+  output_value: a
+
+- id: 90042
+  task_id: 87601
+  output_key: two
+  output_value: b
+
+- id: 90043
+  task_id: 87602
+  output_key: three
+  output_value: c
diff --git a/tests/integration/fixtures/TestActionRunDeletion/action_task_step.yml b/tests/integration/fixtures/TestActionRunDeletion/action_task_step.yml
new file mode 100644
index 0000000000..e001b9f3a9
--- /dev/null
+++ b/tests/integration/fixtures/TestActionRunDeletion/action_task_step.yml
@@ -0,0 +1,9 @@
+- id: 98801
+  name: echo OK
+  task_id: 87601
+  status: 2 # StatusFailure
+
+- id: 98802
+  name: echo OK
+  task_id: 87602
+  status: 5 # StatusWaiting
diff --git a/tests/integration/fixtures/TestActionRunDeletion/collaboration.yml b/tests/integration/fixtures/TestActionRunDeletion/collaboration.yml
new file mode 100644
index 0000000000..117d26490b
--- /dev/null
+++ b/tests/integration/fixtures/TestActionRunDeletion/collaboration.yml
@@ -0,0 +1,4 @@
+- id: 393701
+  repo_id: 1
+  user_id: 5
+  mode: 2 # write
diff --git a/tests/integration/fixtures/TestActionViewRunDeletion/action_run.yml b/tests/integration/fixtures/TestActionViewRunDeletion/action_run.yml
new file mode 100644
index 0000000000..325aeb38c2
--- /dev/null
+++ b/tests/integration/fixtures/TestActionViewRunDeletion/action_run.yml
@@ -0,0 +1,11 @@
+- id: 34901
+  repo_id: 1
+  owner_id: 2
+  index: 3161
+  status: 1 # StatusSuccess
+
+- id: 34902
+  repo_id: 1
+  owner_id: 2
+  index: 3162
+  status: 6 # StatusRunning
diff --git a/tests/integration/fixtures/TestActionViewRunDeletion/action_run_job.yml b/tests/integration/fixtures/TestActionViewRunDeletion/action_run_job.yml
new file mode 100644
index 0000000000..79e5cd1502
--- /dev/null
+++ b/tests/integration/fixtures/TestActionViewRunDeletion/action_run_job.yml
@@ -0,0 +1,7 @@
+- id: 47301
+  run_id: 34901
+  status: 1 # StatusSuccess
+
+- id: 47302
+  run_id: 34902
+  status: 6 # StatusRunning
diff --git a/tests/integration/fixtures/TestActionViewRunDeletion/action_task.yml b/tests/integration/fixtures/TestActionViewRunDeletion/action_task.yml
new file mode 100644
index 0000000000..1a86ffd28e
--- /dev/null
+++ b/tests/integration/fixtures/TestActionViewRunDeletion/action_task.yml
@@ -0,0 +1,11 @@
+- id: 87601
+  job_id: 47301
+  log_filename: somebody/somerepo/15631/87601.log.zst
+  log_in_storage: false
+  status: 1 # StatusSuccess
+
+- id: 87602
+  job_id: 47302
+  log_filename: somebody/somerepo/15632/87602.log.zst
+  log_in_storage: false
+  status: 6 # StatusRunning
diff --git a/tests/integration/fixtures/TestActionViewRunDeletion/action_task_step.yml b/tests/integration/fixtures/TestActionViewRunDeletion/action_task_step.yml
new file mode 100644
index 0000000000..b438f959ba
--- /dev/null
+++ b/tests/integration/fixtures/TestActionViewRunDeletion/action_task_step.yml
@@ -0,0 +1,9 @@
+- id: 98801
+  name: echo OK
+  task_id: 87601
+  status: 1 # StatusSuccess
+
+- id: 98802
+  name: echo OK
+  task_id: 87602
+  status: 6 # StatusRunning
diff --git a/tests/integration/fixtures/TestActionViewRunDeletion/collaboration.yml b/tests/integration/fixtures/TestActionViewRunDeletion/collaboration.yml
new file mode 100644
index 0000000000..117d26490b
--- /dev/null
+++ b/tests/integration/fixtures/TestActionViewRunDeletion/collaboration.yml
@@ -0,0 +1,4 @@
+- id: 393701
+  repo_id: 1
+  user_id: 5
+  mode: 2 # write
diff --git a/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_artifact.yml b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_artifact.yml
new file mode 100644
index 0000000000..73697d9d69
--- /dev/null
+++ b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_artifact.yml
@@ -0,0 +1,9 @@
+- id: 19401
+  run_id: 34901
+  status: 2 # ArtifactStatusUploadConfirmed
+- id: 19402
+  run_id: 34901
+  status: 1 # ArtifactStatusUploadPending
+- id: 19403
+  run_id: 34902
+  status: 2 # ArtifactStatusUploadConfirmed
diff --git a/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_run.yml b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_run.yml
new file mode 100644
index 0000000000..c388610d33
--- /dev/null
+++ b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_run.yml
@@ -0,0 +1,9 @@
+- id: 34901
+  repo_id: 1
+  owner_id: 2
+  status: 2 # StatusFailure
+
+- id: 34902
+  repo_id: 1
+  owner_id: 2
+  status: 5 # StatusWaiting
diff --git a/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_run_job.yml b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_run_job.yml
new file mode 100644
index 0000000000..3cc196d9fe
--- /dev/null
+++ b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_run_job.yml
@@ -0,0 +1,7 @@
+- id: 47301
+  run_id: 34901
+  status: 2 # StatusFailure
+
+- id: 47302
+  run_id: 34902
+  status: 5 # StatusWaiting
diff --git a/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_runner.yml b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_runner.yml
new file mode 100644
index 0000000000..5462b8e0ec
--- /dev/null
+++ b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_runner.yml
@@ -0,0 +1,5 @@
+- id: 41601
+  owner_id: 0
+  repo_id: 1
+  uuid: 61a71de6-8127-40c9-a30e-63647e93edad
+  ephemeral: true
\ No newline at end of file
diff --git a/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task.yml b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task.yml
new file mode 100644
index 0000000000..746486e834
--- /dev/null
+++ b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task.yml
@@ -0,0 +1,12 @@
+- id: 87601
+  job_id: 47301
+  log_filename: somebody/somerepo/15631/87601.log.zst
+  log_in_storage: false
+  status: 2 # StatusFailure
+  runner_id: 41601
+
+- id: 87602
+  job_id: 47302
+  log_filename: somebody/somerepo/15632/87602.log.zst
+  log_in_storage: false
+  status: 5 # StatusWaiting
diff --git a/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task_output.yml b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task_output.yml
new file mode 100644
index 0000000000..6244bc9405
--- /dev/null
+++ b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task_output.yml
@@ -0,0 +1,14 @@
+- id: 90041
+  task_id: 87601
+  output_key: one
+  output_value: a
+
+- id: 90042
+  task_id: 87601
+  output_key: two
+  output_value: b
+
+- id: 90043
+  task_id: 87602
+  output_key: three
+  output_value: c
diff --git a/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task_step.yml b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task_step.yml
new file mode 100644
index 0000000000..b438f959ba
--- /dev/null
+++ b/tests/integration/fixtures/TestActionsAPIDeleteActionRun/action_task_step.yml
@@ -0,0 +1,9 @@
+- id: 98801
+  name: echo OK
+  task_id: 87601
+  status: 1 # StatusSuccess
+
+- id: 98802
+  name: echo OK
+  task_id: 87602
+  status: 6 # StatusRunning
diff --git a/web_src/js/components/RepoActionView.test.js b/web_src/js/components/RepoActionView.test.js
index fb6af25dd0..574be2992b 100644
--- a/web_src/js/components/RepoActionView.test.js
+++ b/web_src/js/components/RepoActionView.test.js
@@ -6,6 +6,8 @@ const testLocale = {
   approve: 'Locale Approve',
   cancel: 'Locale Cancel',
   rerun: 'Locale Re-run',
+  delete: 'Locale Delete',
+  confirmDelete: '',
   artifactsTitle: 'artifactTitleHere',
   areYouSure: '',
   confirmDeleteArtifact: '',
@@ -168,6 +170,7 @@ function configureForMultipleAttemptTests({viewHistorical}) {
       canApprove: true,
       canCancel: true,
       canRerun: true,
+      canDelete: false,
       status: 'success',
       commit: {
         pusher: {},
diff --git a/web_src/js/components/RepoActionView.vue b/web_src/js/components/RepoActionView.vue
index bd7404ddaf..5550d84c85 100644
--- a/web_src/js/components/RepoActionView.vue
+++ b/web_src/js/components/RepoActionView.vue
@@ -4,6 +4,7 @@ import ActionRunStatus from './ActionRunStatus.vue';
 import ActionJobStepList from './ActionJobStepList.vue';
 import {toggleElem} from '../utils/dom.js';
 import {GET, POST, DELETE} from '../modules/fetch.js';
+import {showErrorToast} from '../modules/toast.js';
 
 export default {
   name: 'RepoActionView',
@@ -86,6 +87,7 @@ export default {
         canCancel: false,
         canApprove: false,
         canRerun: false,
+        canDelete: false,
         done: false,
         preExecutionError: '',
         jobs: [
@@ -237,6 +239,21 @@ export default {
       }
     },
 
+    async deleteRun() {
+      if (!window.confirm(this.locale.confirmDelete)) {
+        return;
+      }
+
+      const response = await POST(`${this.run.link}/delete`);
+
+      if (response.ok) {
+        window.location.href = this.workflowURL;
+        return;
+      }
+
+      showErrorToast(this.locale.deleteError, {duration: 5000});
+    },
+
     // cancel a run
     cancelRun() {
       POST(`${this.run.link}/cancel`);
@@ -474,6 +491,9 @@ export default {
           {{ locale.approve }}
         </button>
         <div class="action-info-summary-actions" v-else>
+          <button id="delete-run" class="ui basic small compact button red" @click="deleteRun()" v-if="run.canDelete">
+            {{ locale.delete }}
+          </button>
           <button class="ui basic small compact button red" @click="cancelRun()" v-if="canCancel">
             {{ locale.cancel }}
           </button>
diff --git a/web_src/js/features/repo-action-view.ts b/web_src/js/features/repo-action-view.ts
index 946927bf06..34cce9edc4 100644
--- a/web_src/js/features/repo-action-view.ts
+++ b/web_src/js/features/repo-action-view.ts
@@ -29,6 +29,9 @@ export async function initRepositoryActionView() {
       approve: el.getAttribute('data-locale-approve'),
       cancel: el.getAttribute('data-locale-cancel'),
       rerun: el.getAttribute('data-locale-rerun'),
+      delete: el.getAttribute('data-locale-delete'),
+      confirmDelete: el.getAttribute('data-locale-confirm-delete'),
+      deleteError: el.getAttribute('data-locale-delete-error'),
       artifactsTitle: el.getAttribute('data-locale-artifacts-title'),
       areYouSure: el.getAttribute('data-locale-are-you-sure'),
       confirmDeleteArtifact: el.getAttribute('data-locale-confirm-delete-artifact'),

From ba1c3e0288bc35d82812275b3d1b31a10aea011d Mon Sep 17 00:00:00 2001
From: "steven.guiheux" <steven.guiheux@ovhcloud.com>
Date: Mon, 11 May 2026 16:55:22 +0200
Subject: [PATCH 275/287] feat(api): add admin routes to manage user access
 tokens (#12323)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Feature Request: Admin API route to manage access tokens for any user
## Problem
The existing API route to create access tokens (POST /api/v1/users/{username}/tokens) requires Basic authentication (username + password) via the reqBasicOrRevProxyAuth() middleware. This is by design: a token should not be created from another token.

However, this creates a blocker for environments where Basic authentication is disabled (ENABLE_BASIC_AUTHENTICATION = false), typically when authentication is delegated to an external SSO provider (e.g., OpenID Connect).

In such setups, bot/service accounts are provisioned by an external system that needs to:

Create a user via POST /api/v1/admin/users (works fine with an admin token)
Create an access token for that user (currently impossible without Basic auth or direct CLI/DB access)
The only workaround today is to SSH into the Forgejo server and run:

This is not suitable when the provisioning system has no direct access to the Forgejo host.

## Proposed solution
Add new admin-only API routes under the existing /api/v1/admin/users/{username} group to manage access tokens:

| Method |	Route |	Description |
|:-------- |:--------:| --------:|
| GET	| /api/v1/admin/users/{username}/tokens |	List access tokens for a user|
|POST	| /api/v1/admin/users/{username}/tokens |	Create an access token for a user|
|DELETE |	/api/v1/admin/users/{username}/tokens/{id} |	Delete an access token for a user|

These routes would:

Require a site admin token (reqToken() + reqSiteAdmin()) — no Basic auth needed
Use the AccessTokenScopeCategoryAdmin token scope
Reuse the existing handler logic from user.CreateAccessToken / user.ListAccessTokens / user.DeleteAccessToken
Accept the same request/response payloads as the existing user-facing routes

### Why this belongs in the admin API
It follows the existing pattern: admins can already create users, repos, orgs, SSH keys, and emails for any user via the admin API
It does not weaken security: only site administrators can call it, and it requires a valid admin-scoped token
It fills a gap: the admin CLI command forgejo admin user generate-access-token already provides this capability, but only locally

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Features
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12323): <!--number 12323 --><!--line 0 --><!--description ZmVhdChhcGkpOiBhZGQgYWRtaW4gcm91dGVzIHRvIG1hbmFnZSB1c2VyIGFjY2VzcyB0b2tlbnM=-->feat(api): add admin routes to manage user access tokens<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12323
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 routers/api/v1/admin/user_token.go            | 107 ++++++
 routers/api/v1/api.go                         |   5 +
 routers/api/v1/user/app.go                    | 208 +----------
 routers/api/v1/utils/access_token.go          | 234 +++++++++++++
 templates/swagger/v1_json.tmpl                | 129 +++++++
 .../integration/api_admin_user_token_test.go  | 330 ++++++++++++++++++
 6 files changed, 808 insertions(+), 205 deletions(-)
 create mode 100644 routers/api/v1/admin/user_token.go
 create mode 100644 routers/api/v1/utils/access_token.go
 create mode 100644 tests/integration/api_admin_user_token_test.go

diff --git a/routers/api/v1/admin/user_token.go b/routers/api/v1/admin/user_token.go
new file mode 100644
index 0000000000..852c29c69d
--- /dev/null
+++ b/routers/api/v1/admin/user_token.go
@@ -0,0 +1,107 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package admin
+
+import (
+	"forgejo.org/routers/api/v1/utils"
+	"forgejo.org/services/context"
+)
+
+// ListUserAccessTokens lists all access tokens for a given user.
+// This endpoint is admin-only and does not require Basic auth.
+func ListUserAccessTokens(ctx *context.APIContext) {
+	// swagger:operation GET /admin/users/{username}/tokens admin adminListUserAccessTokens
+	// ---
+	// summary: List the specified user's access tokens
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: username
+	//   in: path
+	//   description: username of user
+	//   type: string
+	//   required: true
+	// - name: page
+	//   in: query
+	//   description: page number of results to return (1-based)
+	//   type: integer
+	// - name: limit
+	//   in: query
+	//   description: page size of results
+	//   type: integer
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/AccessTokenList"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	utils.ListAccessTokens(ctx)
+}
+
+// CreateUserAccessToken creates a new access token for a given user.
+// This endpoint is admin-only and does not require Basic auth.
+func CreateUserAccessToken(ctx *context.APIContext) {
+	// swagger:operation POST /admin/users/{username}/tokens admin adminCreateUserAccessToken
+	// ---
+	// summary: Create an access token for the specified user
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: username
+	//   in: path
+	//   description: username of user
+	//   required: true
+	//   type: string
+	// - name: body
+	//   in: body
+	//   schema:
+	//     "$ref": "#/definitions/CreateAccessTokenOption"
+	// responses:
+	//   "201":
+	//     "$ref": "#/responses/AccessToken"
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	utils.CreateAccessToken(ctx)
+}
+
+// DeleteUserAccessToken deletes an access token for a given user.
+// This endpoint is admin-only and does not require Basic auth.
+func DeleteUserAccessToken(ctx *context.APIContext) {
+	// swagger:operation DELETE /admin/users/{username}/tokens/{token} admin adminDeleteUserAccessToken
+	// ---
+	// summary: Delete an access token for the specified user
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: username
+	//   in: path
+	//   description: username of user
+	//   type: string
+	//   required: true
+	// - name: token
+	//   in: path
+	//   description: token to be deleted, identified by ID and if not available by name
+	//   type: string
+	//   required: true
+	// responses:
+	//   "204":
+	//     "$ref": "#/responses/empty"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+	//   "422":
+	//     "$ref": "#/responses/error"
+
+	utils.DeleteAccessToken(ctx)
+}
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index d1488d2fc2..2ec7617215 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1697,6 +1697,11 @@ func Routes() *web.Route {
 					m.Combo("/emails").
 						Get(admin.ListUserEmails).
 						Delete(bind(api.DeleteEmailOption{}), admin.DeleteUserEmails)
+					m.Group("/tokens", func() {
+						m.Combo("").Get(admin.ListUserAccessTokens).
+							Post(bind(api.CreateAccessTokenOption{}), admin.CreateUserAccessToken)
+						m.Combo("/{id}").Delete(admin.DeleteUserAccessToken)
+					})
 					if setting.Quota.Enabled {
 						m.Group("/quota", func() {
 							m.Get("", admin.GetUserQuota)
diff --git a/routers/api/v1/user/app.go b/routers/api/v1/user/app.go
index 8d8ead9234..90d72c76aa 100644
--- a/routers/api/v1/user/app.go
+++ b/routers/api/v1/user/app.go
@@ -5,24 +5,13 @@
 package user
 
 import (
-	"cmp"
-	stdCtx "context"
-	"errors"
-	"fmt"
 	"net/http"
-	"slices"
-	"strconv"
-	"strings"
 
 	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
-	access_model "forgejo.org/models/perm/access"
-	repo_model "forgejo.org/models/repo"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/web"
 	"forgejo.org/routers/api/v1/utils"
-	"forgejo.org/routers/web/shared/user"
-	"forgejo.org/services/authz"
 	"forgejo.org/services/context"
 	"forgejo.org/services/convert"
 )
@@ -56,63 +45,7 @@ func ListAccessTokens(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	opts := auth_model.ListAccessTokensOptions{UserID: ctx.ContextUser.ID, ListOptions: utils.GetListOptions(ctx)}
-
-	tokens, count, err := db.FindAndCount[auth_model.AccessToken](ctx, opts)
-	if err != nil {
-		ctx.InternalServerError(err)
-		return
-	}
-
-	// Load all the AccessTokenResourceRepo for the tokens that we're returning:
-	repoModelsByTokenID, err := repo_model.BulkGetRepositoriesForAccessTokens(ctx, tokens,
-		func(repo *repo_model.Repository) (bool, error) {
-			// Repos associated with a repo-specific access token should already be visible to the token owner, but it's
-			// possible that access has changed, such as a removed collaborator on a repo -- don't provide info on that
-			// repo if so.
-			permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, repo, ctx.Doer, ctx.Reducer)
-			if err != nil {
-				return false, err
-			}
-			return permission.HasAccess(), nil
-		})
-	if err != nil {
-		ctx.InternalServerError(err)
-		return
-	}
-	// Convert map[int64]*Repository -> map[int64]*RepositoryMeta...
-	reposByTokenID := make(map[int64][]*api.RepositoryMeta)
-	for tokenID, repoModels := range repoModelsByTokenID {
-		repos := make([]*api.RepositoryMeta, len(repoModels))
-		for i, repo := range repoModels {
-			repos[i] = &api.RepositoryMeta{
-				ID:       repo.ID,
-				Name:     repo.Name,
-				Owner:    repo.OwnerName,
-				FullName: repo.FullName(),
-			}
-		}
-		reposByTokenID[tokenID] = repos
-	}
-
-	apiTokens := make([]*api.AccessToken, len(tokens))
-	for i := range tokens {
-		apiTokens[i] = &api.AccessToken{
-			ID:             tokens[i].ID,
-			Name:           tokens[i].Name,
-			TokenLastEight: tokens[i].TokenLastEight,
-			Scopes:         tokens[i].Scope.StringSlice(),
-			Repositories:   reposByTokenID[tokens[i].ID],
-		}
-		// Provide a consistent sort order on repositories, helpful for test consistency.  Hard to do any earlier
-		// because of the bulk loading maps.
-		slices.SortFunc(apiTokens[i].Repositories, func(a, b *api.RepositoryMeta) int {
-			return cmp.Compare(a.ID, b.ID)
-		})
-	}
-
-	ctx.SetTotalCountHeader(count)
-	ctx.JSON(http.StatusOK, &apiTokens)
+	utils.ListAccessTokens(ctx)
 }
 
 // CreateAccessToken creates an access token
@@ -144,104 +77,7 @@ func CreateAccessToken(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	form := web.GetForm(ctx).(*api.CreateAccessTokenOption)
-
-	t := &auth_model.AccessToken{
-		UID:  ctx.ContextUser.ID,
-		Name: form.Name,
-	}
-
-	exist, err := auth_model.AccessTokenByNameExists(ctx, t)
-	if err != nil {
-		ctx.InternalServerError(err)
-		return
-	}
-	if exist {
-		ctx.Error(http.StatusBadRequest, "AccessTokenByNameExists", errors.New("access token name has been used already"))
-		return
-	}
-
-	scope, err := auth_model.AccessTokenScope(strings.Join(form.Scopes, ",")).Normalize()
-	if err != nil {
-		ctx.Error(http.StatusBadRequest, "AccessTokenScope.Normalize", fmt.Errorf("invalid access token scope provided: %w", err))
-		return
-	}
-	if scope == "" {
-		ctx.Error(http.StatusBadRequest, "AccessTokenScope", "access token must have a scope")
-		return
-	}
-	t.Scope = scope
-
-	var resourceRepos []*auth_model.AccessTokenResourceRepo
-	var tokenRepositories []*api.RepositoryMeta
-
-	if form.Repositories != nil {
-		repos := make([]*repo_model.Repository, len(form.Repositories))
-		for i, repoTarget := range form.Repositories {
-			repo, err := repo_model.GetRepositoryByOwnerAndName(ctx, repoTarget.Owner, repoTarget.Name)
-			if err != nil && repo_model.IsErrRepoNotExist(err) {
-				ctx.Error(http.StatusBadRequest, "GetRepositoryByOwnerAndName", fmt.Errorf("repository %s/%s does not exist", repoTarget.Owner, repoTarget.Name))
-				return
-			} else if err != nil {
-				ctx.ServerError("GetRepositoryByOwnerAndName", err)
-				return
-			}
-			permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, repo, ctx.Doer, ctx.Reducer)
-			if err != nil {
-				ctx.ServerError("GetUserRepoPermissionWithReducer", err)
-				return
-			} else if !permission.HasAccess() {
-				// Prevent data existence probing -- ensure this error is the exact same as the !IsErrRepoNotExist case above
-				ctx.Error(http.StatusBadRequest, "GetRepositoryByOwnerAndName", fmt.Errorf("repository %s/%s does not exist", repoTarget.Owner, repoTarget.Name))
-				return
-			}
-			repos[i] = repo
-		}
-
-		for _, repo := range repos {
-			resourceRepos = append(resourceRepos, &auth_model.AccessTokenResourceRepo{RepoID: repo.ID})
-			tokenRepositories = append(tokenRepositories, &api.RepositoryMeta{
-				ID:       repo.ID,
-				Name:     repo.Name,
-				Owner:    repo.OwnerName,
-				FullName: repo.FullName(),
-			})
-		}
-
-		t.ResourceAllRepos = false
-	} else {
-		// token has access to all repository resources
-		t.ResourceAllRepos = true
-	}
-
-	if err := authz.ValidateAccessToken(t, resourceRepos); err != nil {
-		s := user.TranslateAccessTokenValidationError(ctx.Base, err)
-		if has, str := s.Get(); has {
-			ctx.Error(http.StatusBadRequest, "ValidateAccessToken", str)
-			return
-		}
-		ctx.ServerError("ValidateAccessToken", err)
-		return
-	}
-
-	err = db.WithTx(ctx, func(ctx stdCtx.Context) error {
-		if err := auth_model.NewAccessToken(ctx, t); err != nil {
-			return err
-		}
-		return auth_model.InsertAccessTokenResourceRepos(ctx, t.ID, resourceRepos)
-	})
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "NewAccessToken", err)
-		return
-	}
-	ctx.JSON(http.StatusCreated, &api.AccessToken{
-		Name:           t.Name,
-		Token:          t.Token,
-		ID:             t.ID,
-		TokenLastEight: t.TokenLastEight,
-		Scopes:         t.Scope.StringSlice(),
-		Repositories:   tokenRepositories,
-	})
+	utils.CreateAccessToken(ctx)
 }
 
 // DeleteAccessToken deletes an access token
@@ -272,45 +108,7 @@ func DeleteAccessToken(ctx *context.APIContext) {
 	//   "422":
 	//     "$ref": "#/responses/error"
 
-	token := ctx.Params(":id")
-	tokenID, _ := strconv.ParseInt(token, 0, 64)
-
-	if tokenID == 0 {
-		tokens, err := db.Find[auth_model.AccessToken](ctx, auth_model.ListAccessTokensOptions{
-			Name:   token,
-			UserID: ctx.ContextUser.ID,
-		})
-		if err != nil {
-			ctx.Error(http.StatusInternalServerError, "ListAccessTokens", err)
-			return
-		}
-
-		switch len(tokens) {
-		case 0:
-			ctx.NotFound()
-			return
-		case 1:
-			tokenID = tokens[0].ID
-		default:
-			ctx.Error(http.StatusUnprocessableEntity, "DeleteAccessTokenByID", fmt.Errorf("multiple matches for token name '%s'", token))
-			return
-		}
-	}
-	if tokenID == 0 {
-		ctx.Error(http.StatusInternalServerError, "Invalid TokenID", nil)
-		return
-	}
-
-	if err := auth_model.DeleteAccessTokenByID(ctx, tokenID, ctx.ContextUser.ID); err != nil {
-		if auth_model.IsErrAccessTokenNotExist(err) {
-			ctx.NotFound()
-		} else {
-			ctx.Error(http.StatusInternalServerError, "DeleteAccessTokenByID", err)
-		}
-		return
-	}
-
-	ctx.Status(http.StatusNoContent)
+	utils.DeleteAccessToken(ctx)
 }
 
 // CreateOauth2Application is the handler to create a new OAuth2 Application for the authenticated user
diff --git a/routers/api/v1/utils/access_token.go b/routers/api/v1/utils/access_token.go
new file mode 100644
index 0000000000..a0f6b7449b
--- /dev/null
+++ b/routers/api/v1/utils/access_token.go
@@ -0,0 +1,234 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package utils
+
+import (
+	"cmp"
+	stdCtx "context"
+	"errors"
+	"fmt"
+	"net/http"
+	"slices"
+	"strconv"
+	"strings"
+
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/db"
+	access_model "forgejo.org/models/perm/access"
+	repo_model "forgejo.org/models/repo"
+	api "forgejo.org/modules/structs"
+	"forgejo.org/modules/web"
+	"forgejo.org/routers/web/shared/user"
+	"forgejo.org/services/authz"
+	"forgejo.org/services/context"
+)
+
+// DeleteAccessToken deletes an access token for a user identified by ctx.ContextUser.
+// Shared logic between user and admin token deletion endpoints.
+func DeleteAccessToken(ctx *context.APIContext) {
+	token := ctx.Params(":id")
+	tokenID, _ := strconv.ParseInt(token, 0, 64)
+
+	if tokenID == 0 {
+		tokens, err := db.Find[auth_model.AccessToken](ctx, auth_model.ListAccessTokensOptions{
+			Name:   token,
+			UserID: ctx.ContextUser.ID,
+		})
+		if err != nil {
+			ctx.Error(http.StatusInternalServerError, "ListAccessTokens", err)
+			return
+		}
+
+		switch len(tokens) {
+		case 0:
+			ctx.NotFound()
+			return
+		case 1:
+			tokenID = tokens[0].ID
+		default:
+			ctx.Error(http.StatusUnprocessableEntity, "DeleteAccessTokenByID", fmt.Errorf("multiple matches for token name '%s'", token))
+			return
+		}
+	}
+	if tokenID == 0 {
+		ctx.Error(http.StatusInternalServerError, "Invalid TokenID", nil)
+		return
+	}
+
+	if err := auth_model.DeleteAccessTokenByID(ctx, tokenID, ctx.ContextUser.ID); err != nil {
+		if auth_model.IsErrAccessTokenNotExist(err) {
+			ctx.NotFound()
+		} else {
+			ctx.Error(http.StatusInternalServerError, "DeleteAccessTokenByID", err)
+		}
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
+// ListAccessTokens lists access tokens for a user identified by ctx.ContextUser.
+// Shared logic between user and admin token listing endpoints.
+func ListAccessTokens(ctx *context.APIContext) {
+	opts := auth_model.ListAccessTokensOptions{UserID: ctx.ContextUser.ID, ListOptions: GetListOptions(ctx)}
+
+	tokens, count, err := db.FindAndCount[auth_model.AccessToken](ctx, opts)
+	if err != nil {
+		ctx.InternalServerError(err)
+		return
+	}
+
+	// Load all the AccessTokenResourceRepo for the tokens that we're returning:
+	repoModelsByTokenID, err := repo_model.BulkGetRepositoriesForAccessTokens(ctx, tokens,
+		func(repo *repo_model.Repository) (bool, error) {
+			// Repos associated with a repo-specific access token should already be visible to the token owner, but it's
+			// possible that access has changed, such as a removed collaborator on a repo -- don't provide info on that
+			// repo if so.
+			permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, repo, ctx.Doer, ctx.Reducer)
+			if err != nil {
+				return false, err
+			}
+			return permission.HasAccess(), nil
+		})
+	if err != nil {
+		ctx.InternalServerError(err)
+		return
+	}
+	// Convert map[int64]*Repository -> map[int64]*RepositoryMeta...
+	reposByTokenID := make(map[int64][]*api.RepositoryMeta)
+	for tokenID, repoModels := range repoModelsByTokenID {
+		repos := make([]*api.RepositoryMeta, len(repoModels))
+		for i, repo := range repoModels {
+			repos[i] = &api.RepositoryMeta{
+				ID:       repo.ID,
+				Name:     repo.Name,
+				Owner:    repo.OwnerName,
+				FullName: repo.FullName(),
+			}
+		}
+		reposByTokenID[tokenID] = repos
+	}
+
+	apiTokens := make([]*api.AccessToken, len(tokens))
+	for i := range tokens {
+		apiTokens[i] = &api.AccessToken{
+			ID:             tokens[i].ID,
+			Name:           tokens[i].Name,
+			TokenLastEight: tokens[i].TokenLastEight,
+			Scopes:         tokens[i].Scope.StringSlice(),
+			Repositories:   reposByTokenID[tokens[i].ID],
+		}
+		// Provide a consistent sort order on repositories, helpful for test consistency.  Hard to do any earlier
+		// because of the bulk loading maps.
+		slices.SortFunc(apiTokens[i].Repositories, func(a, b *api.RepositoryMeta) int {
+			return cmp.Compare(a.ID, b.ID)
+		})
+	}
+
+	ctx.SetTotalCountHeader(count)
+	ctx.JSON(http.StatusOK, &apiTokens)
+}
+
+// CreateAccessToken creates an access token for a user identified by ctx.ContextUser.
+// Shared logic between user and admin token creation endpoints.
+func CreateAccessToken(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*api.CreateAccessTokenOption)
+
+	t := &auth_model.AccessToken{
+		UID:  ctx.ContextUser.ID,
+		Name: form.Name,
+	}
+
+	exist, err := auth_model.AccessTokenByNameExists(ctx, t)
+	if err != nil {
+		ctx.InternalServerError(err)
+		return
+	}
+	if exist {
+		ctx.Error(http.StatusBadRequest, "AccessTokenByNameExists", errors.New("access token name has been used already"))
+		return
+	}
+
+	scope, err := auth_model.AccessTokenScope(strings.Join(form.Scopes, ",")).Normalize()
+	if err != nil {
+		ctx.Error(http.StatusBadRequest, "AccessTokenScope.Normalize", fmt.Errorf("invalid access token scope provided: %w", err))
+		return
+	}
+	if scope == "" {
+		ctx.Error(http.StatusBadRequest, "AccessTokenScope", "access token must have a scope")
+		return
+	}
+	t.Scope = scope
+
+	var resourceRepos []*auth_model.AccessTokenResourceRepo
+	var tokenRepositories []*api.RepositoryMeta
+
+	if form.Repositories != nil {
+		repos := make([]*repo_model.Repository, len(form.Repositories))
+		for i, repoTarget := range form.Repositories {
+			repo, err := repo_model.GetRepositoryByOwnerAndName(ctx, repoTarget.Owner, repoTarget.Name)
+			if err != nil && repo_model.IsErrRepoNotExist(err) {
+				ctx.Error(http.StatusBadRequest, "GetRepositoryByOwnerAndName", fmt.Errorf("repository %s/%s does not exist", repoTarget.Owner, repoTarget.Name))
+				return
+			} else if err != nil {
+				ctx.ServerError("GetRepositoryByOwnerAndName", err)
+				return
+			}
+			permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, repo, ctx.Doer, ctx.Reducer)
+			if err != nil {
+				ctx.ServerError("GetUserRepoPermissionWithReducer", err)
+				return
+			} else if !permission.HasAccess() {
+				// Prevent data existence probing -- ensure this error is the exact same as the !IsErrRepoNotExist case above
+				ctx.Error(http.StatusBadRequest, "GetRepositoryByOwnerAndName", fmt.Errorf("repository %s/%s does not exist", repoTarget.Owner, repoTarget.Name))
+				return
+			}
+			repos[i] = repo
+		}
+
+		for _, repo := range repos {
+			resourceRepos = append(resourceRepos, &auth_model.AccessTokenResourceRepo{RepoID: repo.ID})
+			tokenRepositories = append(tokenRepositories, &api.RepositoryMeta{
+				ID:       repo.ID,
+				Name:     repo.Name,
+				Owner:    repo.OwnerName,
+				FullName: repo.FullName(),
+			})
+		}
+
+		t.ResourceAllRepos = false
+	} else {
+		// token has access to all repository resources
+		t.ResourceAllRepos = true
+	}
+
+	if err := authz.ValidateAccessToken(t, resourceRepos); err != nil {
+		s := user.TranslateAccessTokenValidationError(ctx.Base, err)
+		if has, str := s.Get(); has {
+			ctx.Error(http.StatusBadRequest, "ValidateAccessToken", str)
+			return
+		}
+		ctx.ServerError("ValidateAccessToken", err)
+		return
+	}
+
+	err = db.WithTx(ctx, func(ctx stdCtx.Context) error {
+		if err := auth_model.NewAccessToken(ctx, t); err != nil {
+			return err
+		}
+		return auth_model.InsertAccessTokenResourceRepos(ctx, t.ID, resourceRepos)
+	})
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "NewAccessToken", err)
+		return
+	}
+	ctx.JSON(http.StatusCreated, &api.AccessToken{
+		Name:           t.Name,
+		Token:          t.Token,
+		ID:             t.ID,
+		TokenLastEight: t.TokenLastEight,
+		Scopes:         t.Scope.StringSlice(),
+		Repositories:   tokenRepositories,
+	})
+}
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index a0e6cc8e4a..fa9750db72 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -2043,6 +2043,135 @@
         }
       }
     },
+    "/admin/users/{username}/tokens": {
+      "get": {
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "admin"
+        ],
+        "summary": "List the specified user's access tokens",
+        "operationId": "adminListUserAccessTokens",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "username of user",
+            "name": "username",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "integer",
+            "description": "page number of results to return (1-based)",
+            "name": "page",
+            "in": "query"
+          },
+          {
+            "type": "integer",
+            "description": "page size of results",
+            "name": "limit",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "$ref": "#/responses/AccessTokenList"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          }
+        }
+      },
+      "post": {
+        "consumes": [
+          "application/json"
+        ],
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "admin"
+        ],
+        "summary": "Create an access token for the specified user",
+        "operationId": "adminCreateUserAccessToken",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "username of user",
+            "name": "username",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "$ref": "#/definitions/CreateAccessTokenOption"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "$ref": "#/responses/AccessToken"
+          },
+          "400": {
+            "$ref": "#/responses/error"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          }
+        }
+      }
+    },
+    "/admin/users/{username}/tokens/{token}": {
+      "delete": {
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "admin"
+        ],
+        "summary": "Delete an access token for the specified user",
+        "operationId": "adminDeleteUserAccessToken",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "username of user",
+            "name": "username",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "token to be deleted, identified by ID and if not available by name",
+            "name": "token",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "204": {
+            "$ref": "#/responses/empty"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          },
+          "404": {
+            "$ref": "#/responses/notFound"
+          },
+          "422": {
+            "$ref": "#/responses/error"
+          }
+        }
+      }
+    },
     "/gitignore/templates": {
       "get": {
         "produces": [
diff --git a/tests/integration/api_admin_user_token_test.go b/tests/integration/api_admin_user_token_test.go
new file mode 100644
index 0000000000..5f9f26208b
--- /dev/null
+++ b/tests/integration/api_admin_user_token_test.go
@@ -0,0 +1,330 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	api "forgejo.org/modules/structs"
+	"forgejo.org/tests"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAPIAdminCreateUserAccessToken(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"})
+	targetUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
+
+	token := getUserToken(t, adminUser.Name, auth_model.AccessTokenScopeWriteAdmin)
+
+	t.Run("Create token for another user", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		urlStr := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateAccessTokenOption{
+			Name:   "admin-created-token",
+			Scopes: []string{"all"},
+		}).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusCreated)
+
+		var newToken api.AccessToken
+		DecodeJSON(t, resp, &newToken)
+
+		assert.Equal(t, "admin-created-token", newToken.Name)
+		assert.NotEmpty(t, newToken.Token)
+		assert.NotEmpty(t, newToken.TokenLastEight)
+		assert.Contains(t, newToken.Scopes, "all")
+
+		// Verify the token exists in DB
+		unittest.AssertExistsAndLoadBean(t, &auth_model.AccessToken{
+			ID:   newToken.ID,
+			Name: newToken.Name,
+			UID:  targetUser.ID,
+		})
+	})
+
+	t.Run("Create token with duplicate name", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		urlStr := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateAccessTokenOption{
+			Name:   "admin-created-token",
+			Scopes: []string{"all"},
+		}).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusBadRequest)
+	})
+
+	t.Run("Create token without scopes", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		urlStr := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateAccessTokenOption{
+			Name:   "empty-scope-token",
+			Scopes: []string{},
+		}).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusBadRequest)
+	})
+
+	t.Run("Create token with invalid scope", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		urlStr := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateAccessTokenOption{
+			Name:   "invalid-scope-token",
+			Scopes: []string{"invalid-scope"},
+		}).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusBadRequest)
+	})
+
+	t.Run("Create token for nonexistent user", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		urlStr := "/api/v1/admin/users/nonexistentuser/tokens"
+		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateAccessTokenOption{
+			Name:   "some-token",
+			Scopes: []string{"all"},
+		}).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+
+	t.Run("Non-admin cannot create token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		normalToken := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteAdmin)
+		urlStr := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateAccessTokenOption{
+			Name:   "unauthorized-token",
+			Scopes: []string{"all"},
+		}).AddTokenAuth(normalToken)
+		MakeRequest(t, req, http.StatusForbidden)
+	})
+}
+
+func TestAPIAdminListUserAccessTokens(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"})
+	targetUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
+
+	token := getUserToken(t, adminUser.Name, auth_model.AccessTokenScopeWriteAdmin)
+
+	// First, create a token for the target user
+	createURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+	req := NewRequestWithJSON(t, "POST", createURL, api.CreateAccessTokenOption{
+		Name:   "list-test-token",
+		Scopes: []string{"all"},
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusCreated)
+
+	t.Run("List tokens for user", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		listURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequest(t, "GET", listURL).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusOK)
+
+		var tokens []*api.AccessToken
+		DecodeJSON(t, resp, &tokens)
+
+		// user2 has at least the token we just created plus any fixture tokens
+		require.NotEmpty(t, tokens)
+
+		found := false
+		for _, tk := range tokens {
+			if tk.Name == "list-test-token" {
+				found = true
+				assert.NotEmpty(t, tk.TokenLastEight)
+				break
+			}
+		}
+		assert.True(t, found, "should find the admin-created token in the list")
+	})
+
+	t.Run("Non-admin cannot list tokens", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		normalToken := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteAdmin)
+		listURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequest(t, "GET", listURL).AddTokenAuth(normalToken)
+		MakeRequest(t, req, http.StatusForbidden)
+	})
+}
+
+func TestAPIAdminCreateRepoSpecificToken(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"})
+	targetUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
+
+	token := getUserToken(t, adminUser.Name, auth_model.AccessTokenScopeWriteAdmin)
+
+	t.Run("Create repo-specific token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		urlStr := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateAccessTokenOption{
+			Name:   "admin-repo-specific-token",
+			Scopes: []string{string(auth_model.AccessTokenScopeReadRepository)},
+			Repositories: []*api.RepoTargetOption{
+				{
+					Owner: "user2",
+					Name:  "repo2",
+				},
+			},
+		}).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusCreated)
+
+		var newToken api.AccessToken
+		DecodeJSON(t, resp, &newToken)
+
+		assert.Equal(t, "admin-repo-specific-token", newToken.Name)
+		assert.NotEmpty(t, newToken.Token)
+		assert.NotEmpty(t, newToken.Repositories)
+	})
+
+	t.Run("Create token targeting invalid repo", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		urlStr := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateAccessTokenOption{
+			Name:   "admin-invalid-repo-token",
+			Scopes: []string{string(auth_model.AccessTokenScopeReadRepository)},
+			Repositories: []*api.RepoTargetOption{
+				{
+					Owner: "user10000",
+					Name:  "repo70000",
+				},
+			},
+		}).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusBadRequest)
+	})
+
+	t.Run("List repo-specific token returns repositories", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		// Create a repo-specific token
+		createURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", createURL, api.CreateAccessTokenOption{
+			Name:   "admin-list-repo-token",
+			Scopes: []string{string(auth_model.AccessTokenScopeReadRepository)},
+			Repositories: []*api.RepoTargetOption{
+				{
+					Owner: "user2",
+					Name:  "repo2",
+				},
+			},
+		}).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusCreated)
+
+		// List tokens and verify repositories are returned
+		listURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req = NewRequest(t, "GET", listURL).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusOK)
+
+		var tokens []*api.AccessToken
+		DecodeJSON(t, resp, &tokens)
+
+		found := false
+		for _, tk := range tokens {
+			if tk.Name == "admin-list-repo-token" {
+				found = true
+				assert.NotEmpty(t, tk.Repositories, "admin-listed token should have repositories populated")
+				break
+			}
+		}
+		assert.True(t, found, "should find the repo-specific token in the admin list")
+	})
+}
+
+func TestAPIAdminDeleteUserAccessToken(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"})
+	targetUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
+
+	token := getUserToken(t, adminUser.Name, auth_model.AccessTokenScopeWriteAdmin)
+
+	t.Run("Delete token by ID", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		// Create a token first
+		createURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", createURL, api.CreateAccessTokenOption{
+			Name:   "delete-by-id-token",
+			Scopes: []string{"all"},
+		}).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusCreated)
+
+		var newToken api.AccessToken
+		DecodeJSON(t, resp, &newToken)
+
+		// Delete it
+		deleteURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens/%d", targetUser.Name, newToken.ID)
+		req = NewRequest(t, "DELETE", deleteURL).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNoContent)
+
+		// Verify it's gone
+		unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: newToken.ID})
+	})
+
+	t.Run("Delete token by name", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		// Create a token first
+		createURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", createURL, api.CreateAccessTokenOption{
+			Name:   "delete-by-name-token",
+			Scopes: []string{"all"},
+		}).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusCreated)
+
+		var newToken api.AccessToken
+		DecodeJSON(t, resp, &newToken)
+
+		// Delete by name
+		deleteURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens/%s", targetUser.Name, "delete-by-name-token")
+		req = NewRequest(t, "DELETE", deleteURL).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNoContent)
+
+		// Verify it's gone
+		unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: newToken.ID})
+	})
+
+	t.Run("Delete nonexistent token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		deleteURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens/%d", targetUser.Name, 999999)
+		req := NewRequest(t, "DELETE", deleteURL).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusNotFound)
+	})
+
+	t.Run("Non-admin cannot delete token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		// Create a token as admin
+		createURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens", targetUser.Name)
+		req := NewRequestWithJSON(t, "POST", createURL, api.CreateAccessTokenOption{
+			Name:   "non-admin-delete-token",
+			Scopes: []string{"all"},
+		}).AddTokenAuth(token)
+		resp := MakeRequest(t, req, http.StatusCreated)
+
+		var newToken api.AccessToken
+		DecodeJSON(t, resp, &newToken)
+
+		// Try to delete as non-admin
+		normalToken := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteAdmin)
+		deleteURL := fmt.Sprintf("/api/v1/admin/users/%s/tokens/%d", targetUser.Name, newToken.ID)
+		req = NewRequest(t, "DELETE", deleteURL).AddTokenAuth(normalToken)
+		MakeRequest(t, req, http.StatusForbidden)
+	})
+}

From cbaf97b867989e9d03dd277555f73ecca69318a8 Mon Sep 17 00:00:00 2001
From: Marten Lienen <ml@martenlienen.com>
Date: Mon, 11 May 2026 20:21:29 +0200
Subject: [PATCH 276/287] feat: render org-mode file links with line numbers
 (#12496)

This change renders file links in org-mode like `./module.el::20` as a link to the 20th
line, for example. It also strips off other search types that are not currently supported
in forgejo like regex search to avoid generating invalid URLs.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12496
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 modules/markup/orgmode/orgmode.go      | 11 ++++++++
 modules/markup/orgmode/orgmode_test.go | 37 ++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/modules/markup/orgmode/orgmode.go b/modules/markup/orgmode/orgmode.go
index b9d7b21db0..dd92ca90d0 100644
--- a/modules/markup/orgmode/orgmode.go
+++ b/modules/markup/orgmode/orgmode.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"html"
 	"io"
+	"strconv"
 	"strings"
 
 	"forgejo.org/modules/highlight"
@@ -159,6 +160,16 @@ func (r *Writer) resolveLink(node org.Node) string {
 		switch l.Kind() {
 		case "image", "video":
 			base = r.Ctx.Links.ResolveMediaLink(r.Ctx.IsWiki)
+		case "regular":
+			// Convert line search syntax to line links
+			target, search, found := strings.Cut(link, "::")
+			if found {
+				if _, err := strconv.Atoi(search); err == nil {
+					link = target + "#L" + search
+				} else {
+					link = target
+				}
+			}
 		}
 
 		link = util.URLJoin(base, link)
diff --git a/modules/markup/orgmode/orgmode_test.go b/modules/markup/orgmode/orgmode_test.go
index 723d78e745..2cd4eada22 100644
--- a/modules/markup/orgmode/orgmode_test.go
+++ b/modules/markup/orgmode/orgmode_test.go
@@ -89,6 +89,43 @@ func TestRender_BaseLinks(t *testing.T) {
 		`<p><a href="http://localhost:3000/gogits/gogs/src/branch/main/deep/nested/folder/src">./src/</a></p>`)
 }
 
+func TestRender_SearchSuffix(t *testing.T) {
+	setting.AppURL = AppURL
+	setting.AppSubURL = AppSubURL
+
+	test := func(input, expected string) {
+		buffer, err := RenderString(&markup.RenderContext{
+			Ctx: git.DefaultContext,
+			Links: markup.Links{
+				Base:       setting.AppSubURL,
+				BranchPath: "branch/main",
+			},
+		}, input)
+		require.NoError(t, err)
+		assert.Equal(t, strings.TrimSpace(expected), strings.TrimSpace(buffer))
+	}
+
+	// `::N` line search becomes an `#L<n>` anchor.
+	test("[[./file.el::35][line 35]]",
+		`<p><a href="http://localhost:3000/gogits/gogs/src/branch/main/file.el#L35">line 35</a></p>`)
+	test("[[file:./file.el::35][line 35]]",
+		`<p><a href="http://localhost:3000/gogits/gogs/src/branch/main/file.el#L35">line 35</a></p>`)
+
+	// Other search types are ignored.
+	test("[[./file.org::*Heading][heading]]",
+		`<p><a href="http://localhost:3000/gogits/gogs/src/branch/main/file.org">heading</a></p>`)
+	test("[[./file.org::#custom-id][heading]]",
+		`<p><a href="http://localhost:3000/gogits/gogs/src/branch/main/file.org">heading</a></p>`)
+	test("[[./file.el::/regex/][regex]]",
+		`<p><a href="http://localhost:3000/gogits/gogs/src/branch/main/file.el">regex</a></p>`)
+	test("[[file:./file.el::][no search]]",
+		`<p><a href="http://localhost:3000/gogits/gogs/src/branch/main/file.el">no search</a></p>`)
+
+	// Absolute URLs that happen to contain `::` are unchanged.
+	test("[[https://example.com/foo::35][ext]]",
+		`<p><a href="https://example.com/foo::35">ext</a></p>`)
+}
+
 func TestRender_Media(t *testing.T) {
 	setting.AppURL = AppURL
 	setting.AppSubURL = AppSubURL

From efe52db86f552a46dadbaa2bd91e867e545d761a Mon Sep 17 00:00:00 2001
From: Robert Wolff <mahlzahn@posteo.de>
Date: Mon, 11 May 2026 20:24:24 +0200
Subject: [PATCH 277/287] fix(ui): use tab width from `.editorconfig` when
 editing files (#11418)

Resolves #11411.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11418
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 routers/web/repo/editor.go              | 20 ++++++++++++++++----
 templates/repo/editor/diff_preview.tmpl |  2 +-
 web_src/js/features/codemirror.ts       |  2 +-
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/routers/web/repo/editor.go b/routers/web/repo/editor.go
index fb1aaf042a..5a6e99f8aa 100644
--- a/routers/web/repo/editor.go
+++ b/routers/web/repo/editor.go
@@ -30,6 +30,8 @@ import (
 	"forgejo.org/services/context/upload"
 	"forgejo.org/services/forms"
 	files_service "forgejo.org/services/repository/files"
+
+	"github.com/editorconfig/editorconfig-core-go/v2"
 )
 
 const (
@@ -223,13 +225,22 @@ func editFile(ctx *context.Context, isNewFile bool) {
 	ctx.Data["last_commit"] = ctx.Repo.CommitID
 	ctx.Data["PreviewableExtensions"] = strings.Join(markup.PreviewableExtensions(), ",")
 	ctx.Data["LineWrapExtensions"] = strings.Join(setting.Repository.Editor.LineWrapExtensions, ",")
-	ctx.Data["EditorconfigJson"] = GetEditorConfig(ctx, treePath)
+	ctx.Data["EditorconfigJson"] = GetEditorConfigJSON(ctx, treePath)
 
 	ctx.HTML(http.StatusOK, tplEditFile)
 }
 
-// GetEditorConfig returns a editorconfig JSON string for given treePath or "null"
-func GetEditorConfig(ctx *context.Context, treePath string) string {
+// GetEditorConfig returns a editorconfig object for given treePath or nil
+func GetEditorConfig(ctx *context.Context, treePath string) (ec *editorconfig.Editorconfig) {
+	ec, _, err := ctx.Repo.GetEditorconfig()
+	if err == nil {
+		return ec
+	}
+	return nil
+}
+
+// GetEditorConfigJSON returns a editorconfig JSON string for given treePath or "null"
+func GetEditorConfigJSON(ctx *context.Context, treePath string) string {
 	ec, _, err := ctx.Repo.GetEditorconfig()
 	if err == nil {
 		def, err := ec.GetDefinitionForFilename(treePath)
@@ -274,7 +285,7 @@ func editFilePost(ctx *context.Context, form forms.EditRepoFileForm, isNewFile b
 	ctx.Data["last_commit"] = ctx.Repo.CommitID
 	ctx.Data["PreviewableExtensions"] = strings.Join(markup.PreviewableExtensions(), ",")
 	ctx.Data["LineWrapExtensions"] = strings.Join(setting.Repository.Editor.LineWrapExtensions, ",")
-	ctx.Data["EditorconfigJson"] = GetEditorConfig(ctx, form.TreePath)
+	ctx.Data["EditorconfigJson"] = GetEditorConfigJSON(ctx, form.TreePath)
 
 	if ctx.HasError() {
 		ctx.HTML(http.StatusOK, tplEditFile)
@@ -458,6 +469,7 @@ func DiffPreviewPost(ctx *context.Context) {
 		return
 	}
 	ctx.Data["File"] = diff.Files[0]
+	ctx.Data["Editorconfig"] = GetEditorConfig(ctx, treePath)
 
 	ctx.HTML(http.StatusOK, tplEditDiffPreview)
 }
diff --git a/templates/repo/editor/diff_preview.tmpl b/templates/repo/editor/diff_preview.tmpl
index e2e922be34..be36e84053 100644
--- a/templates/repo/editor/diff_preview.tmpl
+++ b/templates/repo/editor/diff_preview.tmpl
@@ -1,4 +1,4 @@
-<div class="diff-file-box">
+<div class="diff-file-box {{TabSizeClass $.Editorconfig .File.Name}}">
 	<div class="ui attached table segment">
 		<div class="file-body file-code code-diff code-diff-unified unicode-escaped">
 			<table>
diff --git a/web_src/js/features/codemirror.ts b/web_src/js/features/codemirror.ts
index f61449dccf..6c5bbd9217 100644
--- a/web_src/js/features/codemirror.ts
+++ b/web_src/js/features/codemirror.ts
@@ -188,7 +188,7 @@ export async function createCodemirror(
       codemirrorAutocomplete.autocompletion(),
       codemirrorCommands.history(),
       tabSize.of(
-        codemirrorState.EditorState.tabSize.of(editorOpts.tabSize || 4),
+        codemirrorState.EditorState.tabSize.of(editorOpts.indentSize || 4),
       ),
       wordWrap.of(
         editorOpts.wordWrap ? codemirrorView.EditorView.lineWrapping : [],

From 753e289da58fd2e1044725f5f4cc42b0818b1d90 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Mon, 11 May 2026 21:45:56 +0200
Subject: [PATCH 278/287] fix: wipe run artifacts before rerun (#12523)

Forgejo Actions keeps one set of artifacts per workflow run -- those of the latest workflow run. If a particular workflow run is rerun, Forgejo is supposed to remove outdated artifacts. However, it does not do that. As a result, the user is presented a mix of outdated and new artifacts, even within the same archive.

This is remedied by wiping the artifacts before each rerun. The same happens when only one or more jobs are rerun, which also matches the behaviour of GitHub Actions. In the example below, when only rerunning `artifacts-two`, `many-artifacts-one` would disappear and a new version of `many-artifacts-two` would be made available.

Reproducer:

```yaml
on:
  push:
jobs:
  artifacts-one:
    runs-on: ubuntu-latest
    steps:
      - run: mkdir -p artifacts-one
      - run: |
          if [[ "${{ github.run_attempt}}" == 1 ]] ; then echo "${{ github.run_attempt}}" > artifacts-one/ONE; fi
          echo "${{ github.run_attempt}}" > artifacts-one/TWO
      - uses: forgejo/upload-artifact@v4
        with:
          name: many-artifacts-one
          path: artifacts-one/
  artifacts-two:
    runs-on: ubuntu-latest
    steps:
      - run: mkdir -p artifacts-two
      - run: |
          if [[ "${{ github.run_attempt}}" == 1 ]] ; then echo "${{ github.run_attempt}}" > artifacts-two/ONE; fi
          echo "${{ github.run_attempt}}" > artifacts-two/TWO
      - uses: forgejo/upload-artifact@v4
        with:
          name: many-artifacts-two
          path: artifacts-two/
```

Resolves https://codeberg.org/forgejo/forgejo/issues/12163.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

(can be removed for JavaScript changes)

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Tests for JavaScript changes

(can be removed for Go changes)

- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12523
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
---
 .../action_artifact.yml                       | 11 ++++++
 .../TestRerun_RerunJob/action_artifact.yml    | 11 ++++++
 services/actions/rerun.go                     | 14 +++++++
 services/actions/rerun_test.go                | 38 +++++++++++++++++++
 4 files changed, 74 insertions(+)
 create mode 100644 services/actions/TestRerun_RerunAllJobs/action_artifact.yml
 create mode 100644 services/actions/TestRerun_RerunJob/action_artifact.yml

diff --git a/services/actions/TestRerun_RerunAllJobs/action_artifact.yml b/services/actions/TestRerun_RerunAllJobs/action_artifact.yml
new file mode 100644
index 0000000000..58ffe67e8d
--- /dev/null
+++ b/services/actions/TestRerun_RerunAllJobs/action_artifact.yml
@@ -0,0 +1,11 @@
+- id: 59220
+  run_id: 455620
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  status: 2 # ArtifactStatusUploadConfirmed
+
+- id: 59230
+  run_id: 455630
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  status: 2 # ArtifactStatusUploadConfirmed
\ No newline at end of file
diff --git a/services/actions/TestRerun_RerunJob/action_artifact.yml b/services/actions/TestRerun_RerunJob/action_artifact.yml
new file mode 100644
index 0000000000..5f59c87183
--- /dev/null
+++ b/services/actions/TestRerun_RerunJob/action_artifact.yml
@@ -0,0 +1,11 @@
+- id: 59240
+  run_id: 455640
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  status: 2 # ArtifactStatusUploadConfirmed
+
+- id: 59250
+  run_id: 455650
+  repo_id: 62 # test_workflows
+  owner_id: 2 # user2
+  status: 2 # ArtifactStatusUploadConfirmed
\ No newline at end of file
diff --git a/services/actions/rerun.go b/services/actions/rerun.go
index 59838e5f57..4ca32276d1 100644
--- a/services/actions/rerun.go
+++ b/services/actions/rerun.go
@@ -74,6 +74,12 @@ func RerunAllJobs(ctx context.Context, run *actions_model.ActionRun) ([]*actions
 			return fmt.Errorf("cannot prepare next attempt because run %d is active: %s", run.ID, run.Status.String())
 		}
 
+		// Wipe all artifacts before a rerun to prevent stale artifacts from polluting artifacts collected during the
+		// rerun.
+		if err := actions_model.SetArtifactsOfRunDeleted(ctx, run.ID); err != nil {
+			return fmt.Errorf("cannot remove artifacts of previous run of run %d: %w", run.ID, err)
+		}
+
 		run.PreviousDuration = run.Duration()
 
 		run.Status = actions_model.StatusWaiting
@@ -138,6 +144,14 @@ func RerunJob(ctx context.Context, job *actions_model.ActionRunJob) ([]*actions_
 			return fmt.Errorf("could not load jobs of run %d: %w", job.RunID, err)
 		}
 
+		// Wipe all artifacts before a rerun to prevent stale artifacts from polluting the artifacts collected during
+		// the rerun. Because artifacts are bound to a run and not to a job, it is not possible to only remove the
+		// artifacts of the jobs that are going to be rerun. That means that artifacts created by jobs that are not
+		// rerun will be lost. That matches GitHub Actions' behaviour as of May 2026.
+		if err := actions_model.SetArtifactsOfRunDeleted(ctx, job.RunID); err != nil {
+			return fmt.Errorf("cannot remove artifacts of previous run of run %d: %w", job.RunID, err)
+		}
+
 		for _, jobToRerun := range GetAllRerunJobs(job, jobs) {
 			canBeRerun, err := jobToRerun.CanBeRerun(ctx)
 			if err != nil {
diff --git a/services/actions/rerun_test.go b/services/actions/rerun_test.go
index 93a000afd1..fcd638e448 100644
--- a/services/actions/rerun_test.go
+++ b/services/actions/rerun_test.go
@@ -59,6 +59,11 @@ func TestRerun_RerunAllJobs(t *testing.T) {
 
 		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455620})
 
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: run.ID}, 1)
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID: run.ID, Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 0)
+
 		rerunJobs, err := RerunAllJobs(t.Context(), run)
 		require.NoError(t, err)
 
@@ -81,6 +86,10 @@ func TestRerun_RerunAllJobs(t *testing.T) {
 		assert.Equal(t, actions_model.StatusWaiting, rerunJobs[1].Status)
 		assert.Equal(t, timeutil.TimeStamp(0), rerunJobs[1].Started)
 		assert.Equal(t, timeutil.TimeStamp(0), rerunJobs[1].Stopped)
+
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID: run.ID, Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 1)
 	})
 
 	t.Run("Error if workflow running", func(t *testing.T) {
@@ -89,6 +98,11 @@ func TestRerun_RerunAllJobs(t *testing.T) {
 
 		run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 455630})
 
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: run.ID}, 1)
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID: run.ID, Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 0)
+
 		rerunJobs, err := RerunAllJobs(t.Context(), run)
 		require.ErrorContains(t, err, "workflow is still running")
 
@@ -100,6 +114,11 @@ func TestRerun_RerunAllJobs(t *testing.T) {
 		assert.Equal(t, time.Duration(0), run.PreviousDuration)
 
 		assert.Empty(t, rerunJobs)
+
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: run.ID}, 1)
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID: run.ID, Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 0)
 	})
 
 	t.Run("Error if workflow invalid", func(t *testing.T) {
@@ -153,6 +172,11 @@ func TestRerun_RerunJob(t *testing.T) {
 
 		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683910})
 
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: job.RunID}, 1)
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID: job.RunID, Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 0)
+
 		rerunJobs, err := RerunJob(t.Context(), job)
 
 		require.NoError(t, err)
@@ -166,6 +190,10 @@ func TestRerun_RerunJob(t *testing.T) {
 		assert.Equal(t, actions_model.StatusWaiting, job.Status)
 		assert.Equal(t, timeutil.TimeStamp(0), job.Started)
 		assert.Equal(t, timeutil.TimeStamp(0), job.Stopped)
+
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID: job.RunID, Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 1)
 	})
 
 	t.Run("Rerun job needed by others", func(t *testing.T) {
@@ -225,6 +253,11 @@ func TestRerun_RerunJob(t *testing.T) {
 
 		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 683900})
 
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: job.RunID}, 1)
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID: job.RunID, Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 0)
+
 		rerunJobs, err := RerunJob(t.Context(), job)
 
 		require.ErrorContains(t, err, "workflow is invalid")
@@ -236,6 +269,11 @@ func TestRerun_RerunJob(t *testing.T) {
 		assert.Equal(t, actions_model.StatusFailure, job.Status)
 		assert.Equal(t, timeutil.TimeStamp(0), job.Started)
 		assert.Equal(t, timeutil.TimeStamp(0), job.Stopped)
+
+		unittest.AssertCount(t, &actions_model.ActionArtifact{RunID: job.RunID}, 1)
+		unittest.AssertCount(t, &actions_model.ActionArtifact{
+			RunID: job.RunID, Status: int64(actions_model.ArtifactStatusPendingDeletion),
+		}, 0)
 	})
 
 	t.Run("Error if workflow disabled", func(t *testing.T) {

From 88fd372d9a608d9fc545b2ae1105c01005c54aa0 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 11 May 2026 23:54:58 +0200
Subject: [PATCH 279/287] Update dependency mermaid to v11.15.0 [SECURITY]
 (forgejo) (#12526)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12526
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 package-lock.json | 164 +++++++---------------------------------------
 package.json      |   2 +-
 2 files changed, 25 insertions(+), 141 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index ba47ad58cf..93eea24572 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -55,7 +55,7 @@
         "idiomorph": "0.3.0",
         "jquery": "3.7.1",
         "katex": "0.16.45",
-        "mermaid": "11.14.0",
+        "mermaid": "11.15.0",
         "mini-css-extract-plugin": "2.10.0",
         "minimatch": "10.2.5",
         "pdfobject": "2.3.0",
@@ -328,41 +328,10 @@
         "@keyv/serialize": "^1.1.1"
       }
     },
-    "node_modules/@chevrotain/cst-dts-gen": {
-      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-12.0.0.tgz",
-      "integrity": "sha512-fSL4KXjTl7cDgf0B5Rip9Q05BOrYvkJV/RrBTE/bKDN096E4hN/ySpcBK5B24T76dlQ2i32Zc3PAE27jFnFrKg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@chevrotain/gast": "12.0.0",
-        "@chevrotain/types": "12.0.0"
-      }
-    },
-    "node_modules/@chevrotain/gast": {
-      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-12.0.0.tgz",
-      "integrity": "sha512-1ne/m3XsIT8aEdrvT33so0GUC+wkctpUPK6zU9IlOyJLUbR0rg4G7ZiApiJbggpgPir9ERy3FRjT6T7lpgetnQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@chevrotain/types": "12.0.0"
-      }
-    },
-    "node_modules/@chevrotain/regexp-to-ast": {
-      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-12.0.0.tgz",
-      "integrity": "sha512-p+EW9MaJwgaHguhoqwOtx/FwuGr+DnNn857sXWOi/mClXIkPGl3rn7hGNWvo31HA3vyeQxjqe+H36yZJwYU8cA==",
-      "license": "Apache-2.0"
-    },
     "node_modules/@chevrotain/types": {
-      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-12.0.0.tgz",
-      "integrity": "sha512-S+04vjFQKeuYw0/eW3U52LkAHQsB1ASxsPGsLPUyQgrZ2iNNibQrsidruDzjEX2JYfespXMG0eZmXlhA6z7nWA==",
-      "license": "Apache-2.0"
-    },
-    "node_modules/@chevrotain/utils": {
-      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-12.0.0.tgz",
-      "integrity": "sha512-lB59uJoaGIfOOL9knQqQRfhl9g7x8/wqFkp13zTdkRu1huG9kg6IJs1O8hqj9rs6h7orGxHJUKb+mX3rPbWGhA==",
+      "version": "11.1.2",
+      "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-11.1.2.tgz",
+      "integrity": "sha512-U+HFai5+zmJCkK86QsaJtoITlboZHBqrVketcO2ROv865xfCMSFpELQoz1GkX5GzME8pTa+3kbKrZHQtI0gdbw==",
       "license": "Apache-2.0"
     },
     "node_modules/@citation-js/core": {
@@ -2803,12 +2772,12 @@
       }
     },
     "node_modules/@mermaid-js/parser": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.0.tgz",
-      "integrity": "sha512-gxK9ZX2+Fex5zu8LhRQoMeMPEHbc73UKZ0FQ54YrQtUxE1VVhMwzeNtKRPAu5aXks4FasbMe4xB4bWrmq6Jlxw==",
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.1.tgz",
+      "integrity": "sha512-VuHdsYMK1bT6X2JbcAaWAhugTRvRBRyuZgd+c22swUeI9g/ntaxF7CY7dYarhZovofCbUNO0G7JesfmNtjYOCw==",
       "license": "MIT",
       "dependencies": {
-        "langium": "^4.0.0"
+        "@chevrotain/types": "~11.1.1"
       }
     },
     "node_modules/@monogrid/gainmap-js": {
@@ -6225,34 +6194,6 @@
         "chart.js": ">=3.2.0"
       }
     },
-    "node_modules/chevrotain": {
-      "version": "12.0.0",
-      "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-12.0.0.tgz",
-      "integrity": "sha512-csJvb+6kEiQaqo1woTdSAuOWdN0WTLIydkKrBnS+V5gZz0oqBrp4kQ35519QgK6TpBThiG3V1vNSHlIkv4AglQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@chevrotain/cst-dts-gen": "12.0.0",
-        "@chevrotain/gast": "12.0.0",
-        "@chevrotain/regexp-to-ast": "12.0.0",
-        "@chevrotain/types": "12.0.0",
-        "@chevrotain/utils": "12.0.0"
-      },
-      "engines": {
-        "node": ">=22.0.0"
-      }
-    },
-    "node_modules/chevrotain-allstar": {
-      "version": "0.4.3",
-      "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.4.3.tgz",
-      "integrity": "sha512-2X4mkroolSMKqW+H22pyPMUVDqYZzPhephTmg/NODKb1IGYPHfxfhcW0EjS7wcPJNbze2i4vBWT7zT5FKF2lrQ==",
-      "license": "MIT",
-      "dependencies": {
-        "lodash-es": "^4.18.1"
-      },
-      "peerDependencies": {
-        "chevrotain": "^12.0.0"
-      }
-    },
     "node_modules/chokidar": {
       "version": "3.6.0",
       "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
@@ -7891,6 +7832,16 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/es-toolkit": {
+      "version": "1.46.1",
+      "resolved": "https://registry.npmjs.org/es-toolkit/-/es-toolkit-1.46.1.tgz",
+      "integrity": "sha512-5eNtXOs3tbfxXOj04tjjseeWkRWaoCjdEI+96DgwzZoe6c9juL49pXlzAFTI72aWC9Y8p7168g6XIKjh7k6pyQ==",
+      "license": "MIT",
+      "workspaces": [
+        "docs",
+        "benchmarks"
+      ]
+    },
     "node_modules/esbuild": {
       "version": "0.27.7",
       "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.7.tgz",
@@ -10751,24 +10702,6 @@
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/langium": {
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/langium/-/langium-4.2.3.tgz",
-      "integrity": "sha512-sOPIi4hISFnY7twwV97ca1TsxpBtXq0URu/LL1AvxwccPG/RIBBlKS7a/f/EL6w8lTNaS0EFs/F+IdSOaqYpng==",
-      "license": "MIT",
-      "dependencies": {
-        "@chevrotain/regexp-to-ast": "~12.0.0",
-        "chevrotain": "~12.0.0",
-        "chevrotain-allstar": "~0.4.3",
-        "vscode-languageserver": "~9.0.1",
-        "vscode-languageserver-textdocument": "~1.0.11",
-        "vscode-uri": "~3.1.0"
-      },
-      "engines": {
-        "node": ">=20.10.0",
-        "npm": ">=10.2.3"
-      }
-    },
     "node_modules/layout-base": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/layout-base/-/layout-base-1.0.2.tgz",
@@ -11547,14 +11480,14 @@
       }
     },
     "node_modules/mermaid": {
-      "version": "11.14.0",
-      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.14.0.tgz",
-      "integrity": "sha512-GSGloRsBs+JINmmhl0JDwjpuezCsHB4WGI4NASHxL3fHo3o/BRXTxhDLKnln8/Q0lRFRyDdEjmk1/d5Sn1Xz8g==",
+      "version": "11.15.0",
+      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.15.0.tgz",
+      "integrity": "sha512-pTMbcf3rWdtLiYGpmoTjHEpeY8seiy6sR+9nD7LOs8KfUbHE4lOUAprTRqRAcWSQ6MQpdX+YEsxShtGsINtPtw==",
       "license": "MIT",
       "dependencies": {
         "@braintree/sanitize-url": "^7.1.1",
         "@iconify/utils": "^3.0.2",
-        "@mermaid-js/parser": "^1.1.0",
+        "@mermaid-js/parser": "^1.1.1",
         "@types/d3": "^7.4.3",
         "@upsetjs/venn.js": "^2.0.0",
         "cytoscape": "^3.33.1",
@@ -11565,14 +11498,14 @@
         "dagre-d3-es": "7.0.14",
         "dayjs": "^1.11.19",
         "dompurify": "^3.3.1",
+        "es-toolkit": "^1.45.1",
         "katex": "^0.16.25",
         "khroma": "^2.1.0",
-        "lodash-es": "^4.17.23",
         "marked": "^16.3.0",
         "roughjs": "^4.6.6",
         "stylis": "^4.3.6",
         "ts-dedent": "^2.2.0",
-        "uuid": "^11.1.0"
+        "uuid": "^11.1.0 || ^12 || ^13 || ^14.0.0"
       }
     },
     "node_modules/mermaid/node_modules/marked": {
@@ -15986,55 +15919,6 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
-    "node_modules/vscode-jsonrpc": {
-      "version": "8.2.0",
-      "resolved": "https://registry.npmjs.org/vscode-jsonrpc/-/vscode-jsonrpc-8.2.0.tgz",
-      "integrity": "sha512-C+r0eKJUIfiDIfwJhria30+TYWPtuHJXHtI7J0YlOmKAo7ogxP20T0zxB7HZQIFhIyvoBPwWskjxrvAtfjyZfA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=14.0.0"
-      }
-    },
-    "node_modules/vscode-languageserver": {
-      "version": "9.0.1",
-      "resolved": "https://registry.npmjs.org/vscode-languageserver/-/vscode-languageserver-9.0.1.tgz",
-      "integrity": "sha512-woByF3PDpkHFUreUa7Hos7+pUWdeWMXRd26+ZX2A8cFx6v/JPTtd4/uN0/jB6XQHYaOlHbio03NTHCqrgG5n7g==",
-      "license": "MIT",
-      "dependencies": {
-        "vscode-languageserver-protocol": "3.17.5"
-      },
-      "bin": {
-        "installServerIntoExtension": "bin/installServerIntoExtension"
-      }
-    },
-    "node_modules/vscode-languageserver-protocol": {
-      "version": "3.17.5",
-      "resolved": "https://registry.npmjs.org/vscode-languageserver-protocol/-/vscode-languageserver-protocol-3.17.5.tgz",
-      "integrity": "sha512-mb1bvRJN8SVznADSGWM9u/b07H7Ecg0I3OgXDuLdn307rl/J3A9YD6/eYOssqhecL27hK1IPZAsaqh00i/Jljg==",
-      "license": "MIT",
-      "dependencies": {
-        "vscode-jsonrpc": "8.2.0",
-        "vscode-languageserver-types": "3.17.5"
-      }
-    },
-    "node_modules/vscode-languageserver-textdocument": {
-      "version": "1.0.12",
-      "resolved": "https://registry.npmjs.org/vscode-languageserver-textdocument/-/vscode-languageserver-textdocument-1.0.12.tgz",
-      "integrity": "sha512-cxWNPesCnQCcMPeenjKKsOCKQZ/L6Tv19DTRIGuLWe32lyzWhihGVJ/rcckZXJxfdKCFvRLS3fpBIsV/ZGX4zA==",
-      "license": "MIT"
-    },
-    "node_modules/vscode-languageserver-types": {
-      "version": "3.17.5",
-      "resolved": "https://registry.npmjs.org/vscode-languageserver-types/-/vscode-languageserver-types-3.17.5.tgz",
-      "integrity": "sha512-Ld1VelNuX9pdF39h2Hgaeb5hEZM2Z3jUrrMgWQAu82jMtZp7p3vJT3BzToKtZI7NgQssZje5o0zryOrhQvzQAg==",
-      "license": "MIT"
-    },
-    "node_modules/vscode-uri": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/vscode-uri/-/vscode-uri-3.1.0.tgz",
-      "integrity": "sha512-/BpdSx+yCQGnCvecbyXdxHDkuk55/G3xwnC0GqY4gmQ3j+A+g8kzzgB4Nk/SINjqn6+waqw3EgbVF2QKExkRxQ==",
-      "license": "MIT"
-    },
     "node_modules/vue": {
       "version": "3.5.33",
       "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.33.tgz",
diff --git a/package.json b/package.json
index 4ce4ec8b66..323dbb1de3 100644
--- a/package.json
+++ b/package.json
@@ -54,7 +54,7 @@
     "idiomorph": "0.3.0",
     "jquery": "3.7.1",
     "katex": "0.16.45",
-    "mermaid": "11.14.0",
+    "mermaid": "11.15.0",
     "mini-css-extract-plugin": "2.10.0",
     "minimatch": "10.2.5",
     "pdfobject": "2.3.0",

From 5b6c702f419a23e9c116b20ba0c7c26c1ff84ba8 Mon Sep 17 00:00:00 2001
From: TurtleArmy <turtlearmy@noreply.codeberg.org>
Date: Tue, 12 May 2026 00:53:09 +0200
Subject: [PATCH 280/287] feat(ui): support Pandoc style code blocks (#12099)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This resolves https://codeberg.org/forgejo/forgejo/issues/11107.

Codeberg doesn't support [Pandoc style code blocks](https://pandoc.org/MANUAL.html#extension-fenced_code_attributes), so only the two of these 3 will have syntax highlighting.

\`\`\`haskell
qsort []     = []
qsort (x:xs) = qsort (filter (< x) xs) ++ [x] ++
               qsort (filter (>= x) xs)
\`\`\`

\`\`\`haskell {.numberLines}
qsort []     = []
qsort (x:xs) = qsort (filter (< x) xs) ++ [x] ++
               qsort (filter (>= x) xs)
\`\`\`

\`\`\`{.numberLines .haskell}
qsort []     = []
qsort (x:xs) = qsort (filter (< x) xs) ++ [x] ++
               qsort (filter (>= x) xs)
\`\`\`

```haskell
qsort []     = []
qsort (x:xs) = qsort (filter (< x) xs) ++ [x] ++
               qsort (filter (>= x) xs)
```

```haskell {.numberLines}
qsort []     = []
qsort (x:xs) = qsort (filter (< x) xs) ++ [x] ++
               qsort (filter (>= x) xs)
```

```{.numberLines .haskell}
qsort []     = []
qsort (x:xs) = qsort (filter (< x) xs) ++ [x] ++
               qsort (filter (>= x) xs)
```

This PR adds syntax highlighting to the examples with Pandoc style code blocks. It also adds redundant code to explicitly handle the second case with the trailing attribute syntax, which might be unnecessary since it already works, but I think should be fine to leave in.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12099
Reviewed-by: Ellen Εμίλια Άννα Zscheile <fogti@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
---
 modules/markup/markdown/markdown_test.go      | 32 +++++++++++++++++--
 .../markdown/transform_codeblock_lang.go      | 27 ++++++++++++++++
 2 files changed, 56 insertions(+), 3 deletions(-)

diff --git a/modules/markup/markdown/markdown_test.go b/modules/markup/markdown/markdown_test.go
index 1f75799900..3aee7a372d 100644
--- a/modules/markup/markdown/markdown_test.go
+++ b/modules/markup/markdown/markdown_test.go
@@ -1489,14 +1489,14 @@ func TestCallout(t *testing.T) {
 </blockquote>`)
 }
 
-func TestCodeblockLanguageStripping(t *testing.T) {
+func TestCodeblockLanguageTransformation(t *testing.T) {
 	test := func(input, expected string) {
 		buffer, err := markdown.RenderString(&markup.RenderContext{Ctx: git.DefaultContext}, input)
 		require.NoError(t, err)
 		assert.Equal(t, strings.TrimSpace(expected), strings.TrimSpace(string(buffer)))
 	}
 
-	// Unstripped
+	// No transformation
 	test(
 		"```rust\n"+
 			"fn main() {}\n"+
@@ -1504,7 +1504,7 @@ func TestCodeblockLanguageStripping(t *testing.T) {
 		`<pre class="code-block"><code class="chroma language-rust display"><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{}</span><span class="w">
 </span></code></pre>`)
 
-	// Stripped
+	// Comma stripped
 	test(
 		"```rust,ignore\n"+
 			"fn main() {}\n"+
@@ -1512,6 +1512,32 @@ func TestCodeblockLanguageStripping(t *testing.T) {
 		`<pre class="code-block"><code class="chroma language-rust display"><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{}</span><span class="w">
 </span></code></pre>`)
 
+	// Pandoc stripping
+	// https://pandoc.org/MANUAL.html#extension-fenced_code_attributes
+	test(
+		"```haskell {.numberLines}\n"+
+			"qsort []     = []\n"+
+			"qsort (x:xs) = qsort (filter (< x) xs) ++ [x] ++\n"+
+			"               qsort (filter (>= x) xs)\n"+
+			"```",
+		`<pre class="code-block"><code class="chroma language-haskell display"><span class="nf">qsort</span> <span class="kt">[]</span>     <span class="ow">=</span> <span class="kt">[]</span>
+<span class="nf">qsort</span> <span class="p">(</span><span class="n">x</span><span class="kt">:</span><span class="n">xs</span><span class="p">)</span> <span class="ow">=</span> <span class="n">qsort</span> <span class="p">(</span><span class="n">filter</span> <span class="p">(</span><span class="o">&lt;</span> <span class="n">x</span><span class="p">)</span> <span class="n">xs</span><span class="p">)</span> <span class="o">++</span> <span class="p">[</span><span class="n">x</span><span class="p">]</span> <span class="o">++</span>
+               <span class="n">qsort</span> <span class="p">(</span><span class="n">filter</span> <span class="p">(</span><span class="o">&gt;=</span> <span class="n">x</span><span class="p">)</span> <span class="n">xs</span><span class="p">)</span>
+</code></pre>`)
+
+	// Pandoc language extracting
+	// https://pandoc.org/MANUAL.html#extension-fenced_code_attributes
+	test(
+		"```   { #mycode .numberLines .haskell startFrom=\"100\" }   \n"+
+			"qsort []     = []\n"+
+			"qsort (x:xs) = qsort (filter (< x) xs) ++ [x] ++\n"+
+			"               qsort (filter (>= x) xs)\n"+
+			"```",
+		`<pre class="code-block"><code class="chroma language-haskell display"><span class="nf">qsort</span> <span class="kt">[]</span>     <span class="ow">=</span> <span class="kt">[]</span>
+<span class="nf">qsort</span> <span class="p">(</span><span class="n">x</span><span class="kt">:</span><span class="n">xs</span><span class="p">)</span> <span class="ow">=</span> <span class="n">qsort</span> <span class="p">(</span><span class="n">filter</span> <span class="p">(</span><span class="o">&lt;</span> <span class="n">x</span><span class="p">)</span> <span class="n">xs</span><span class="p">)</span> <span class="o">++</span> <span class="p">[</span><span class="n">x</span><span class="p">]</span> <span class="o">++</span>
+               <span class="n">qsort</span> <span class="p">(</span><span class="n">filter</span> <span class="p">(</span><span class="o">&gt;=</span> <span class="n">x</span><span class="p">)</span> <span class="n">xs</span><span class="p">)</span>
+</code></pre>`)
+
 	// No language identifier
 	test(
 		"```\n"+
diff --git a/modules/markup/markdown/transform_codeblock_lang.go b/modules/markup/markdown/transform_codeblock_lang.go
index 5263ec4ffc..f730265b15 100644
--- a/modules/markup/markdown/transform_codeblock_lang.go
+++ b/modules/markup/markdown/transform_codeblock_lang.go
@@ -6,6 +6,7 @@ package markdown
 import (
 	"bytes"
 
+	"github.com/alecthomas/chroma/v2/lexers"
 	"github.com/yuin/goldmark/ast"
 	"github.com/yuin/goldmark/text"
 )
@@ -16,6 +17,32 @@ func (g *ASTTransformer) transformCodeblockLanguage(v *ast.FencedCodeBlock, read
 	}
 	src := reader.Source()
 	info := v.Info.Segment.Value(src)
+
+	// Parse Pandoc style attributes
+	// https://pandoc.org/MANUAL.html#extension-fenced_code_attributes
+	//
+	// For example,
+	// ```{.haskell .numberLines}
+	// ...
+	// ```
+	// Should have a language of "haskell", not "{.haskell .numberLines}"
+	if trimmed := bytes.TrimSpace(info); bytes.HasPrefix(trimmed, []byte{'{'}) && bytes.HasSuffix(trimmed, []byte{'}'}) {
+		attributes := trimmed[1 : len(trimmed)-1]
+		for attribute := range bytes.SplitSeq(attributes, []byte{' '}) {
+			if class, found := bytes.CutPrefix(attribute, []byte{'.'}); found {
+				if lexer := lexers.Get(string(class)); lexer != nil {
+					lang := class
+					langInx := bytes.Index(info, lang)
+					start := v.Info.Segment.Start + langInx
+					end := start + len(lang)
+					v.Info = ast.NewTextSegment(text.NewSegment(start, end))
+					return
+				}
+			}
+		}
+		return
+	}
+
 	// Strip language after commas
 	//
 	// For example,

From 32b8d732b81f8fffdea787bee044b59a03d10547 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 12 May 2026 04:54:25 +0200
Subject: [PATCH 281/287] 2026-05-12 security patches (#12493)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- fix: prevent git write to wiki repo from unauthorized user via git HTTP
- fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
- fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
- fix: implementing missing OAuth validation checks, improve protections against race conditions
- fix: prevent OAuth redirect URI spoofing via non-ascii case collision
- fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12493): <!--number 12493 --><!--line 0 --><!--description MjAyNi0wNS0xMiBzZWN1cml0eSBwYXRjaGVz-->2026-05-12 security patches<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: Derzsi Dániel <daniel@tohka.us>
Co-authored-by: jvoisin <julien.voisin@dustri.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12493
---
 models/auth/oauth2.go                         |  51 ++--
 models/auth/oauth2_test.go                    |  55 ++++-
 release-notes/12494.md                        |   6 +
 release-notes/12495.md                        |   6 +
 routers/api/actions/artifactsv4.go            |  14 +-
 routers/web/auth/oauth.go                     |  20 ++
 routers/web/repo/attachment.go                |  36 ++-
 routers/web/repo/githttp.go                   |   6 +-
 services/context/permission.go                |  18 ++
 services/context/repo.go                      |  10 +-
 services/lfs/server.go                        |  14 ++
 services/lfs/server_test.go                   |  69 ++++++
 tests/integration/attachment_test.go          | 227 ++++++++++++++++++
 tests/integration/download_test.go            | 109 ++++++++-
 .../attachment.yml                            |  12 +
 .../TestGetAttachmentViaAPITokens/issue.yml   |  16 ++
 tests/integration/oauth_test.go               |  85 ++++++-
 tests/integration/wiki_test.go                | 187 +++++++++++++--
 18 files changed, 900 insertions(+), 41 deletions(-)
 create mode 100644 release-notes/12494.md
 create mode 100644 release-notes/12495.md
 create mode 100644 tests/integration/fixtures/TestGetAttachmentViaAPITokens/attachment.yml
 create mode 100644 tests/integration/fixtures/TestGetAttachmentViaAPITokens/issue.yml

diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 9acd9a46b0..9ef89cb624 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -6,6 +6,7 @@ package auth
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/base32"
 	"encoding/base64"
 	"errors"
@@ -151,9 +152,9 @@ func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
 	// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 	// https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-12#section-3.1
 	contains := func(s string) bool {
-		s = strings.TrimSuffix(strings.ToLower(s), "/")
+		s = strings.TrimSuffix(util.ToUpperASCII(s), "/")
 		for _, u := range app.RedirectURIs {
-			if strings.TrimSuffix(strings.ToLower(u), "/") == s {
+			if strings.TrimSuffix(util.ToUpperASCII(u), "/") == s {
 				return true
 			}
 		}
@@ -408,26 +409,41 @@ func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (*url.URL
 	return redirect, err
 }
 
-// Invalidate deletes the auth code from the database to invalidate this code
+// Invalidate deletes the auth code from the database to invalidate this code.
+// It returns an error if the code was already invalidated (i.e., no rows were deleted),
+// which prevents authorization code replay attacks.
 func (code *OAuth2AuthorizationCode) Invalidate(ctx context.Context) error {
-	_, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)
-	return err
+	affected, err := db.GetEngine(ctx).ID(code.ID).NoAutoCondition().Delete(code)
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return fmt.Errorf("authorization code already used or does not exist")
+	}
+	return nil
 }
 
-// ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE implementation.
+// ValidateCodeChallenge validates the given verifier against the saved code challenge. This is part of the PKCE
+// implementation. If a code challenge was set during authorization, a valid verifier MUST be provided.
 func (code *OAuth2AuthorizationCode) ValidateCodeChallenge(verifier string) bool {
+	// If no PKCE was used during authorization, no verifier is needed.
+	if code.CodeChallengeMethod == "" && code.CodeChallenge == "" {
+		return true
+	}
+	// A challenge was set but no verifier provided: reject outright, no comparison or hashing is required.
+	if verifier == "" {
+		return false
+	}
 	switch code.CodeChallengeMethod {
 	case "S256":
 		// base64url(SHA256(verifier)) see https://tools.ietf.org/html/rfc7636#section-4.6
 		h := sha256.Sum256([]byte(verifier))
 		hashedVerifier := base64.RawURLEncoding.EncodeToString(h[:])
-		return hashedVerifier == code.CodeChallenge
+		return subtle.ConstantTimeCompare([]byte(hashedVerifier), []byte(code.CodeChallenge)) == 1
 	case "plain":
-		return verifier == code.CodeChallenge
-	case "":
-		return true
+		return subtle.ConstantTimeCompare([]byte(verifier), []byte(code.CodeChallenge)) == 1
 	default:
-		// unsupported method -> return false
+		// unsupported or empty method with a non-empty challenge -> reject
 		return false
 	}
 }
@@ -490,16 +506,19 @@ func (grant *OAuth2Grant) GenerateNewAuthorizationCode(ctx context.Context, redi
 }
 
 // IncreaseCounter increases the counter and updates the grant
+// IncreaseCounter atomically increments the counter only if it still matches
+// the value loaded into this grant. Returns an error if the counter was already
+// changed by a concurrent request (refresh token replay).
 func (grant *OAuth2Grant) IncreaseCounter(ctx context.Context) error {
-	_, err := db.GetEngine(ctx).ID(grant.ID).Incr("counter").Update(new(OAuth2Grant))
+	affected, err := db.GetEngine(ctx).Where("id = ? AND counter = ?", grant.ID, grant.Counter).
+		Incr("counter").Update(new(OAuth2Grant))
 	if err != nil {
 		return err
 	}
-	updatedGrant, err := GetOAuth2GrantByID(ctx, grant.ID)
-	if err != nil {
-		return err
+	if affected == 0 {
+		return fmt.Errorf("grant counter changed unexpectedly (possible replay)")
 	}
-	grant.Counter = updatedGrant.Counter
+	grant.Counter++
 	return nil
 }
 
diff --git a/models/auth/oauth2_test.go b/models/auth/oauth2_test.go
index 9c6836ed0d..aa474393c1 100644
--- a/models/auth/oauth2_test.go
+++ b/models/auth/oauth2_test.go
@@ -75,6 +75,13 @@ func TestOAuth2Application_ContainsRedirect_Slash(t *testing.T) {
 	assert.False(t, app.ContainsRedirectURI("http://127.0.0.1/other"))
 }
 
+func TestOAuth2Application_ContainsRedirect_Normalization(t *testing.T) {
+	app := &auth_model.OAuth2Application{RedirectURIs: []string{"https://website.com"}}
+	assert.True(t, app.ContainsRedirectURI("https://website.com"))
+	assert.True(t, app.ContainsRedirectURI("https://webSITE.com"))  // ascii uppercase I
+	assert.False(t, app.ContainsRedirectURI("https://websİte.com")) // U+0130 as I, Latin Capital Letter I with Dot Above
+}
+
 func TestOAuth2Application_ValidateClientSecret(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	app := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: 1})
@@ -147,9 +154,18 @@ func TestGetOAuth2GrantByID(t *testing.T) {
 func TestOAuth2Grant_IncreaseCounter(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	grant := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1, Counter: 1})
+
+	// First increment succeeds
 	require.NoError(t, grant.IncreaseCounter(db.DefaultContext))
 	assert.Equal(t, int64(2), grant.Counter)
 	unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1, Counter: 2})
+
+	// Simulate a stale grant (counter still 1): must fail (concurrent replay)
+	grant.Counter = 1
+	require.Error(t, grant.IncreaseCounter(db.DefaultContext), "stale counter must be rejected")
+
+	// Counter in DB should be unchanged
+	unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1, Counter: 2})
 }
 
 func TestOAuth2Grant_ScopeContains(t *testing.T) {
@@ -232,12 +248,33 @@ func TestOAuth2AuthorizationCode_ValidateCodeChallenge(t *testing.T) {
 	}
 	assert.False(t, code.ValidateCodeChallenge("foiwgjioriogeiogjerger"))
 
-	// test no code challenge
+	// test no PKCE at all (no challenge set, no verifier needed)
+	code = &auth_model.OAuth2AuthorizationCode{
+		CodeChallengeMethod: "",
+		CodeChallenge:       "",
+	}
+	assert.True(t, code.ValidateCodeChallenge(""))
+
+	// test PKCE required: challenge was set but verifier is empty
+	code = &auth_model.OAuth2AuthorizationCode{
+		CodeChallengeMethod: "S256",
+		CodeChallenge:       "CjvyTLSdR47G5zYenDA-eDWW4lRrO8yvjcWwbD_deOg",
+	}
+	assert.False(t, code.ValidateCodeChallenge(""), "PKCE required: S256 challenge set but empty verifier must be rejected")
+
+	code = &auth_model.OAuth2AuthorizationCode{
+		CodeChallengeMethod: "plain",
+		CodeChallenge:       "test123",
+	}
+	assert.False(t, code.ValidateCodeChallenge(""), "PKCE required: plain challenge set but empty verifier must be rejected")
+
+	// test challenge stored but method empty (malformed: should reject)
 	code = &auth_model.OAuth2AuthorizationCode{
 		CodeChallengeMethod: "",
 		CodeChallenge:       "foierjiogerogerg",
 	}
-	assert.True(t, code.ValidateCodeChallenge(""))
+	assert.False(t, code.ValidateCodeChallenge(""), "challenge present with empty method must be rejected")
+	assert.False(t, code.ValidateCodeChallenge("foierjiogerogerg"), "challenge present with empty method must be rejected even with matching verifier")
 }
 
 func TestOAuth2AuthorizationCode_GenerateRedirectURI(t *testing.T) {
@@ -262,6 +299,20 @@ func TestOAuth2AuthorizationCode_Invalidate(t *testing.T) {
 	unittest.AssertNotExistsBean(t, &auth_model.OAuth2AuthorizationCode{Code: "authcode"})
 }
 
+func TestOAuth2AuthorizationCode_Invalidate_DoubleUse(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+	code := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2AuthorizationCode{Code: "authcode"})
+
+	// First invalidation should succeed
+	require.NoError(t, code.Invalidate(db.DefaultContext))
+	unittest.AssertNotExistsBean(t, &auth_model.OAuth2AuthorizationCode{Code: "authcode"})
+
+	// Second invalidation of the same code must fail (replay prevention)
+	err := code.Invalidate(db.DefaultContext)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "authorization code already used")
+}
+
 func TestOAuth2AuthorizationCode_TableName(t *testing.T) {
 	assert.Equal(t, "oauth2_authorization_code", new(auth_model.OAuth2AuthorizationCode).TableName())
 }
diff --git a/release-notes/12494.md b/release-notes/12494.md
new file mode 100644
index 0000000000..a26776b47c
--- /dev/null
+++ b/release-notes/12494.md
@@ -0,0 +1,6 @@
+- fix: prevent git write to wiki repo from unauthorized user via git HTTP
+- fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
+- fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
+- fix: implementing missing OAuth validation checks, improve protections against race conditions
+- fix: prevent OAuth redirect URI spoofing via non-ascii case collision
+- fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks
diff --git a/release-notes/12495.md b/release-notes/12495.md
new file mode 100644
index 0000000000..a26776b47c
--- /dev/null
+++ b/release-notes/12495.md
@@ -0,0 +1,6 @@
+- fix: prevent git write to wiki repo from unauthorized user via git HTTP
+- fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
+- fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
+- fix: implementing missing OAuth validation checks, improve protections against race conditions
+- fix: prevent OAuth redirect URI spoofing via non-ascii case collision
+- fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks
diff --git a/routers/api/actions/artifactsv4.go b/routers/api/actions/artifactsv4.go
index 56fe5cb2cc..c3d3c37e79 100644
--- a/routers/api/actions/artifactsv4.go
+++ b/routers/api/actions/artifactsv4.go
@@ -89,6 +89,7 @@ import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/binary"
 	"encoding/xml"
 	"fmt"
 	"io"
@@ -163,11 +164,20 @@ func ArtifactsV4Routes(prefix string) *web.Route {
 
 func (r artifactV4Routes) buildSignature(endp, expires, artifactName string, taskID, artifactID int64) []byte {
 	mac := hmac.New(sha256.New, setting.GetGeneralTokenSigningSecret())
+	// For each string field, write the length of the string first to prevent user-controlled strings from bleeding into
+	// each other and causing a signature match when it isn't expected.
+	_ = binary.Write(mac, binary.BigEndian, int64(len(endp)))
 	mac.Write([]byte(endp))
+	_ = binary.Write(mac, binary.BigEndian, int64(len(expires)))
 	mac.Write([]byte(expires))
+	_ = binary.Write(mac, binary.BigEndian, int64(len(artifactName)))
 	mac.Write([]byte(artifactName))
-	fmt.Fprint(mac, taskID)
-	fmt.Fprint(mac, artifactID)
+
+	// Write TaskID & ArtifactID as binary values to prevent them from bleeding together; eg. TaskID="2" &
+	// ArtifactID="18" could look the same in the signature as TaskID="21" and ArtifactID="8" if they're written as
+	// strings.
+	_ = binary.Write(mac, binary.BigEndian, taskID)
+	_ = binary.Write(mac, binary.BigEndian, artifactID)
 	return mac.Sum(nil)
 }
 
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 914e181259..828027c0a8 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -803,6 +803,16 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server
 		return
 	}
 
+	// Ensure the refresh token's grant belongs to the requesting client.
+	// This prevents cross-client token usage (RFC 6749 Section 10.4).
+	if grant.ApplicationID != app.ID {
+		handleAccessTokenError(ctx, AccessTokenErrorResponse{
+			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
+			ErrorDescription: "refresh token was not issued to this client",
+		})
+		return
+	}
+
 	// check if token got already used
 	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {
 		handleAccessTokenError(ctx, AccessTokenErrorResponse{
@@ -863,6 +873,15 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
 		})
 		return
 	}
+	// Per RFC 6749 §4.1.3, if redirect_uri was included in the authorization request,
+	// it MUST be identical to the value included in the token request.
+	if authorizationCode.RedirectURI != "" && form.RedirectURI != authorizationCode.RedirectURI {
+		handleAccessTokenError(ctx, AccessTokenErrorResponse{
+			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
+			ErrorDescription: "redirect_uri does not match the authorization request",
+		})
+		return
+	}
 	// check if granted for this application
 	if authorizationCode.Grant.ApplicationID != app.ID {
 		handleAccessTokenError(ctx, AccessTokenErrorResponse{
@@ -877,6 +896,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
 			ErrorDescription: "cannot proceed your request",
 		})
+		return
 	}
 	resp, tokenErr := newAccessTokenResponse(ctx, authorizationCode.Grant, serverKey, clientKey)
 	if tokenErr != nil {
diff --git a/routers/web/repo/attachment.go b/routers/web/repo/attachment.go
index 5497738f0b..65be51ba08 100644
--- a/routers/web/repo/attachment.go
+++ b/routers/web/repo/attachment.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 
+	"forgejo.org/models/auth"
 	access_model "forgejo.org/models/perm/access"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/modules/httpcache"
@@ -98,6 +99,30 @@ func ServeAttachment(ctx *context.Context, uuid string) {
 		return
 	}
 
+	// Some paths like `/attachment/{uuid}` can be accessed with API authentication mechanisms, which can have limited
+	// scopes (eg. user access tokens, OAuth grants).  There's no middleware on these routes that enforce API scopes
+	// because (a) they're not API endpoints, and (b) the scoped required is dependant on the attachment.
+	if hasScope, scope := ctx.Authentication.Scope().Get(); hasScope {
+		var requiredScope auth.AccessTokenScope
+		if attach.ReleaseID != 0 {
+			requiredScope = auth.AccessTokenScopeReadRepository
+		} else if attach.IssueID != 0 {
+			requiredScope = auth.AccessTokenScopeReadIssue
+		} else {
+			ctx.ServerError("UnidentifiedAttachmentResource", fmt.Errorf("unable to identify resource for attachment id=%d", attach.ID))
+			return
+		}
+		allow, err := scope.HasScope(requiredScope)
+		if err != nil {
+			ctx.ServerError("checking scope failed", err)
+			return
+		}
+		if !allow {
+			ctx.Error(http.StatusForbidden, "scopedAccessCheck", fmt.Sprintf("token does not have at least one of required scope(s): %v", requiredScope))
+			return
+		}
+	}
+
 	repository, unitType, err := repo_service.LinkedRepository(ctx, attach)
 	if err != nil {
 		ctx.ServerError("LinkedRepository", err)
@@ -110,7 +135,16 @@ func ServeAttachment(ctx *context.Context, uuid string) {
 			return
 		}
 	} else { // If we have the repository we check access
-		perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
+		// Some paths like `/attachment/{uuid}` can be accessed with API authentication mechanisms, and therefore *may*
+		// have AuthorizationReducers that need to be enforced:
+		reducer := ctx.Authentication.Reducer()
+		var perm access_model.Permission
+		var err error
+		if reducer != nil {
+			perm, err = access_model.GetUserRepoPermissionWithReducer(ctx, repository, ctx.Doer, reducer)
+		} else {
+			perm, err = access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
+		}
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err.Error())
 			return
diff --git a/routers/web/repo/githttp.go b/routers/web/repo/githttp.go
index 936b108281..6703676745 100644
--- a/routers/web/repo/githttp.go
+++ b/routers/web/repo/githttp.go
@@ -184,8 +184,10 @@ func httpBase(ctx *context.Context) *serviceHandler {
 		}
 
 		if repoExist {
-			// Because of special ref "refs/for" .. , need delay write permission check
-			accessMode = perm.AccessModeRead
+			if !isWiki {
+				// Because of special ref "refs/for" .. , need delay write permission check
+				accessMode = perm.AccessModeRead
+			}
 
 			if hasTaskID, taskID := ctx.Authentication.ActionsTaskID().Get(); hasTaskID {
 				task, err := actions_model.GetTaskByID(ctx, taskID)
diff --git a/services/context/permission.go b/services/context/permission.go
index 44adbbd6d9..ad6843b440 100644
--- a/services/context/permission.go
+++ b/services/context/permission.go
@@ -4,6 +4,7 @@
 package context
 
 import (
+	"fmt"
 	"net/http"
 	"slices"
 
@@ -57,6 +58,23 @@ func RequireRepoWriterOr(unitTypes ...unit.Type) func(ctx *Context) {
 // RequireRepoReader returns a middleware for requiring repository read to the specify unitType
 func RequireRepoReader(unitType unit.Type) func(ctx *Context) {
 	return func(ctx *Context) {
+		// Typically checks for authentication scopes won't be relevant for non-API requests where this middleware is
+		// used; but, some paths like `/user/repo/raw/...` can be accessed with API authentication mechanisms.  In those
+		// edge cases, check that `read:repository` scope is present if the authentication method indicates a limited
+		// scope.
+		hasScope, scope := ctx.Authentication.Scope().Get()
+		if hasScope {
+			allow, err := scope.HasScope(auth_model.AccessTokenScopeReadRepository)
+			if err != nil {
+				ctx.ServerError("checking scope failed", err)
+				return
+			}
+			if !allow {
+				ctx.Error(http.StatusForbidden, "scopedAccessCheck", fmt.Sprintf("token does not have at least one of required scope(s): %v", auth_model.AccessTokenScopeReadRepository))
+				return
+			}
+		}
+
 		if !ctx.Repo.CanRead(unitType) {
 			if log.IsTrace() {
 				if ctx.IsSigned {
diff --git a/services/context/repo.go b/services/context/repo.go
index 583eb35474..f39b6d342d 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -375,7 +375,15 @@ func repoAssignment(ctx *Context, repo *repo_model.Repository) {
 		return
 	}
 
-	ctx.Repo.Permission, err = access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
+	// Typically checks for authorization reducers won't be relevant for non-API requests where this middleware is used;
+	// but, some paths like `/user/repo/raw/...` can be accessed with API authentication mechanisms.  In those edge
+	// cases, initialize `ctx.Repo.Permission` based upon the reduced permission set available.
+	authorizationReducer := ctx.Authentication.Reducer()
+	if authorizationReducer == nil {
+		ctx.Repo.Permission, err = access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
+	} else {
+		ctx.Repo.Permission, err = access_model.GetUserRepoPermissionWithReducer(ctx, repo, ctx.Doer, authorizationReducer)
+	}
 	if err != nil {
 		ctx.ServerError("GetUserRepoPermission", err)
 		return
diff --git a/services/lfs/server.go b/services/lfs/server.go
index 457602243e..1dfd58a3c0 100644
--- a/services/lfs/server.go
+++ b/services/lfs/server.go
@@ -607,6 +607,20 @@ func handleLFSToken(ctx stdCtx.Context, tokenSHA string, target *repo_model.Repo
 		log.Error("Unable to GetUserById[%d]: Error: %v", claims.UserID, err)
 		return nil, err
 	}
+
+	if !u.IsAccessAllowed(ctx) {
+		return nil, errors.New("user access is blocked")
+	}
+
+	repoPerm, err := access_model.GetUserRepoPermission(ctx, target, u)
+	if err != nil {
+		log.Error("Unable to GetUserRepoPermission[%d]: Error: %v", claims.UserID, err)
+		return nil, err
+	}
+	if !repoPerm.CanAccess(mode, unit.TypeCode) {
+		return nil, errors.New("user does not have access to the repository")
+	}
+
 	return u, nil
 }
 
diff --git a/services/lfs/server_test.go b/services/lfs/server_test.go
index 065387ce08..875a99603e 100644
--- a/services/lfs/server_test.go
+++ b/services/lfs/server_test.go
@@ -78,6 +78,75 @@ func testAuthenticate(t *testing.T, cfg string) {
 		assert.EqualValues(t, 2, u.ID)
 	})
 
+	t.Run("handleLFSToken nonexistent user", func(t *testing.T) {
+		tokenMissing, _ := getLFSAuthTokenWithBearer(authTokenOptions{Op: "download", UserID: 999, RepoID: 1})
+		_, tokenMissing, _ = strings.Cut(tokenMissing, " ")
+
+		u, err := handleLFSToken(ctx, tokenMissing, repo1, perm_model.AccessModeRead)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "user does not exist")
+		assert.Nil(t, u)
+	})
+
+	t.Run("handleLFSToken nonexistent repo", func(t *testing.T) {
+		tokenBadRepo, _ := getLFSAuthTokenWithBearer(authTokenOptions{Op: "download", UserID: 2, RepoID: 999})
+		_, tokenBadRepo, _ = strings.Cut(tokenBadRepo, " ")
+		badRepo := &repo_model.Repository{ID: 999}
+
+		u, err := handleLFSToken(ctx, tokenBadRepo, badRepo, perm_model.AccessModeRead)
+		require.Error(t, err)
+		assert.Nil(t, u)
+	})
+
+	t.Run("handleLFSToken blocked user", func(t *testing.T) {
+		tokenBlocked, _ := getLFSAuthTokenWithBearer(authTokenOptions{Op: "download", UserID: 37, RepoID: 1})
+		_, tokenBlocked, _ = strings.Cut(tokenBlocked, " ")
+
+		u, err := handleLFSToken(ctx, tokenBlocked, repo1, perm_model.AccessModeRead)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "user access is blocked")
+		assert.Nil(t, u)
+	})
+
+	t.Run("handleLFSToken no repo access", func(t *testing.T) {
+		repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
+		tokenNoAccess, _ := getLFSAuthTokenWithBearer(authTokenOptions{Op: "download", UserID: 10, RepoID: 2})
+		_, tokenNoAccess, _ = strings.Cut(tokenNoAccess, " ")
+
+		u, err := handleLFSToken(ctx, tokenNoAccess, repo2, perm_model.AccessModeRead)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "does not have access to the repository")
+		assert.Nil(t, u)
+	})
+
+	t.Run("handleLFSToken upload write access allowed", func(t *testing.T) {
+		tokenUploadRW, _ := getLFSAuthTokenWithBearer(authTokenOptions{Op: "upload", UserID: 2, RepoID: 1})
+		_, tokenUploadRW, _ = strings.Cut(tokenUploadRW, " ")
+
+		u, err := handleLFSToken(ctx, tokenUploadRW, repo1, perm_model.AccessModeWrite)
+		require.NoError(t, err)
+		assert.EqualValues(t, 2, u.ID)
+	})
+
+	t.Run("handleLFSToken upload read-only access denied", func(t *testing.T) {
+		tokenUploadRO, _ := getLFSAuthTokenWithBearer(authTokenOptions{Op: "upload", UserID: 10, RepoID: 1})
+		_, tokenUploadRO, _ = strings.Cut(tokenUploadRO, " ")
+
+		u, err := handleLFSToken(ctx, tokenUploadRO, repo1, perm_model.AccessModeWrite)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "does not have access to the repository")
+		assert.Nil(t, u)
+	})
+
+	t.Run("handleLFSToken download read-only access allowed", func(t *testing.T) {
+		tokenDownloadRO, _ := getLFSAuthTokenWithBearer(authTokenOptions{Op: "download", UserID: 10, RepoID: 1})
+		_, tokenDownloadRO, _ = strings.Cut(tokenDownloadRO, " ")
+
+		u, err := handleLFSToken(ctx, tokenDownloadRO, repo1, perm_model.AccessModeRead)
+		require.NoError(t, err)
+		assert.EqualValues(t, 10, u.ID)
+	})
+
 	t.Run("authenticate", func(t *testing.T) {
 		const prefixBearer = "Bearer "
 		assert.False(t, authenticate(ctx, repo1, "", true, false))
diff --git a/tests/integration/attachment_test.go b/tests/integration/attachment_test.go
index 4e29407c2a..06c1bb82ca 100644
--- a/tests/integration/attachment_test.go
+++ b/tests/integration/attachment_test.go
@@ -13,9 +13,13 @@ import (
 	"strings"
 	"testing"
 
+	auth_model "forgejo.org/models/auth"
 	repo_model "forgejo.org/models/repo"
+	unit_model "forgejo.org/models/unit"
+	"forgejo.org/models/unittest"
 	"forgejo.org/modules/storage"
 	"forgejo.org/modules/test"
+	repo_service "forgejo.org/services/repository"
 	"forgejo.org/tests"
 
 	"github.com/stretchr/testify/assert"
@@ -131,3 +135,226 @@ func TestGetAttachment(t *testing.T) {
 		})
 	}
 }
+
+// Access under `/attachments/{uuid}` and `/{user}/{repo}/attachments/{uuid}` is permitted for API tokens.  Those API
+// tokens then need to have the read:issue or read:repository and the correct resource scopes to permit access, though.
+func TestGetAttachmentViaAPITokens(t *testing.T) {
+	defer unittest.OverrideFixtures("tests/integration/fixtures/TestGetAttachmentViaAPITokens")()
+	defer tests.PrepareTestEnv(t)()
+
+	// Create attachment data for an attachment added by this test's fixture.
+	_, err := storage.Attachments.Save(repo_model.AttachmentRelativePath("d962b49e-e32a-4b72-922d-33b551b629e2"), strings.NewReader("hello universe"), -1)
+	require.NoError(t, err)
+
+	// Enable Issues unit on repo 16, one of our test targets.
+	repo_service.UpdateRepositoryUnits(t.Context(),
+		unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 16}),
+		[]repo_model.RepoUnit{{
+			RepoID: 16,
+			Type:   unit_model.TypeIssues,
+		}}, nil)
+
+	t.Run("attachments", func(t *testing.T) {
+		t.Run("no read:issue scope", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			session := loginUser(t, "user2")
+			allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadMisc)
+
+			t.Run("denied public repo1", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(allToken)
+				MakeRequest(t, req, http.StatusForbidden)
+			})
+			t.Run("denied private repo2", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(allToken)
+				MakeRequest(t, req, http.StatusForbidden)
+			})
+			// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
+			t.Run("denied private repo16", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(allToken)
+				MakeRequest(t, req, http.StatusForbidden)
+			})
+		})
+
+		t.Run("all access token", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			session := loginUser(t, "user2")
+			allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
+
+			t.Run("allowed public repo1", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(allToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			t.Run("allowed private repo2", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(allToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
+			t.Run("allowed private repo16", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(allToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello universe", resp.Body.String())
+			})
+		})
+
+		t.Run("public-only access token", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			session := loginUser(t, "user2")
+			publicOnlyToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeReadIssue)
+
+			t.Run("allowed public repo1", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(publicOnlyToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			t.Run("denied private repo2", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(publicOnlyToken)
+				MakeRequest(t, req, http.StatusNotFound)
+			})
+			t.Run("denied private repo16", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(publicOnlyToken)
+				MakeRequest(t, req, http.StatusNotFound)
+			})
+		})
+
+		t.Run("specific repo access token", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			repo2OnlyToken := createFineGrainedRepoAccessToken(t, "user2",
+				[]auth_model.AccessTokenScope{auth_model.AccessTokenScopeReadIssue},
+				[]int64{2},
+			)
+
+			t.Run("allowed public repo1", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(repo2OnlyToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			t.Run("allowed inside fine-grain repo2", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(repo2OnlyToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			t.Run("denied private outside fine-grain repo16", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(repo2OnlyToken)
+				MakeRequest(t, req, http.StatusNotFound)
+			})
+		})
+	})
+
+	t.Run("user-repo-attachments", func(t *testing.T) {
+		t.Run("no read:issue scope", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			session := loginUser(t, "user2")
+			allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadMisc)
+
+			t.Run("denied public repo1", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo1/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(allToken)
+				MakeRequest(t, req, http.StatusForbidden)
+			})
+			t.Run("denied private repo2", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo2/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(allToken)
+				MakeRequest(t, req, http.StatusForbidden)
+			})
+			// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
+			t.Run("denied private repo16", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo16/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(allToken)
+				MakeRequest(t, req, http.StatusForbidden)
+			})
+		})
+
+		t.Run("all access token", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			session := loginUser(t, "user2")
+			allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
+
+			t.Run("allowed public repo1", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo1/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(allToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			t.Run("allowed private repo2", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo2/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(allToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
+			t.Run("allowed private repo16", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo16/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(allToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello universe", resp.Body.String())
+			})
+		})
+
+		t.Run("public-only access token", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			session := loginUser(t, "user2")
+			publicOnlyToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeReadIssue)
+
+			t.Run("allowed public repo1", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo1/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(publicOnlyToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			t.Run("denied private repo2", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo2/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(publicOnlyToken)
+				MakeRequest(t, req, http.StatusNotFound)
+			})
+			t.Run("denied private repo16", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo16/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(publicOnlyToken)
+				MakeRequest(t, req, http.StatusNotFound)
+			})
+		})
+
+		t.Run("specific repo access token", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			repo2OnlyToken := createFineGrainedRepoAccessToken(t, "user2",
+				[]auth_model.AccessTokenScope{auth_model.AccessTokenScopeReadIssue},
+				[]int64{2},
+			)
+
+			t.Run("allowed public repo1", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo1/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11").AddTokenAuth(repo2OnlyToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			t.Run("allowed inside fine-grain repo2", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo2/attachments/a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a12").AddTokenAuth(repo2OnlyToken)
+				resp := MakeRequest(t, req, http.StatusOK)
+				assert.Equal(t, "hello world", resp.Body.String())
+			})
+			t.Run("denied private outside fine-grain repo16", func(t *testing.T) {
+				defer tests.PrintCurrentTest(t)()
+				req := NewRequest(t, "GET", "/user2/repo16/attachments/d962b49e-e32a-4b72-922d-33b551b629e2").AddTokenAuth(repo2OnlyToken)
+				MakeRequest(t, req, http.StatusNotFound)
+			})
+		})
+	})
+}
diff --git a/tests/integration/download_test.go b/tests/integration/download_test.go
index d5e68402c5..70acc7f16f 100644
--- a/tests/integration/download_test.go
+++ b/tests/integration/download_test.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"testing"
 
+	auth_model "forgejo.org/models/auth"
 	"forgejo.org/modules/setting"
 	"forgejo.org/tests"
 
@@ -15,7 +16,6 @@ import (
 
 func TestDownloadByID(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
-
 	session := loginUser(t, "user2")
 
 	// Request raw blob
@@ -91,3 +91,110 @@ func TestDownloadRawTextFileWithMimeTypeMapping(t *testing.T) {
 	delete(setting.MimeTypeMap.Map, ".xml")
 	setting.MimeTypeMap.Enabled = false
 }
+
+// Access under `/raw` is permitted for API tokens.  Those API tokens then need to have the read:repository and the
+// correct resource scopes to permit access, though.  The below series of tests covers the middleware combinations on
+// the entire `/user/repo/raw/*` URL tree as they use a common middleware implementation.
+func TestDownloadAccessViaAPITokens(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	t.Run("no read:repository scope", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		session := loginUser(t, "user2")
+		allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadMisc)
+
+		t.Run("denied public repo1", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo1/raw/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f").AddTokenAuth(allToken)
+			MakeRequest(t, req, http.StatusForbidden)
+		})
+		t.Run("denied private repo2", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo2/raw/blob/1032bbf17fbc0d9c95bb5418dabe8f8c99278700").AddTokenAuth(allToken)
+			MakeRequest(t, req, http.StatusForbidden)
+		})
+		// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
+		t.Run("denied private repo16", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo16/raw/blob/69554a64c1e6030f051e5c3f94bfbd773cd6a324").AddTokenAuth(allToken)
+			MakeRequest(t, req, http.StatusForbidden)
+		})
+	})
+
+	t.Run("all access token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		session := loginUser(t, "user2")
+		allToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
+
+		t.Run("allowed public repo1", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo1/raw/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f").AddTokenAuth(allToken)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "# repo1\n\nDescription for repo1", resp.Body.String())
+		})
+		t.Run("allowed private repo2", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo2/raw/blob/1032bbf17fbc0d9c95bb5418dabe8f8c99278700").AddTokenAuth(allToken)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "tree ba1aed4e2ea2443d76cec241b96be4ec990852ec\nparent 205ac761f3326a7ebe416e8673760016450b5cec\nauthor Jimmy Praet <jimmy.praet@telenet.be> 1624996449 +0200\ncommitter Jimmy Praet <jimmy.praet@telenet.be> 1624996449 +0200\n\nAdd test.xml\n", resp.Body.String())
+		})
+		// repo16 is a second repo used in fine-grain testing below, so we include it in other tests as a baseline
+		t.Run("allowed private repo16", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo16/raw/blob/69554a64c1e6030f051e5c3f94bfbd773cd6a324").AddTokenAuth(allToken)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "tree 24f83a471f77579fea57bac7255d6e64e70fce1c\nparent 27566bd5738fc8b4e3fef3c5e72cce608537bd95\nauthor User2 <user2@example.com> 1502042309 +0200\ncommitter User2 <user2@example.com> 1502042309 +0200\n\nnot signed commit\n", resp.Body.String())
+		})
+	})
+
+	t.Run("public-only access token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		session := loginUser(t, "user2")
+		publicOnlyToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeReadRepository)
+
+		t.Run("allowed public repo1", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo1/raw/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f").AddTokenAuth(publicOnlyToken)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "# repo1\n\nDescription for repo1", resp.Body.String())
+		})
+		t.Run("denied private repo2", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo2/raw/blob/1032bbf17fbc0d9c95bb5418dabe8f8c99278700").AddTokenAuth(publicOnlyToken)
+			MakeRequest(t, req, http.StatusNotFound)
+		})
+		t.Run("denied private repo16", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo16/raw/blob/69554a64c1e6030f051e5c3f94bfbd773cd6a324").AddTokenAuth(publicOnlyToken)
+			MakeRequest(t, req, http.StatusNotFound)
+		})
+	})
+
+	t.Run("specific repo access token", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		repo2OnlyToken := createFineGrainedRepoAccessToken(t, "user2",
+			[]auth_model.AccessTokenScope{auth_model.AccessTokenScopeReadRepository},
+			[]int64{2},
+		)
+
+		t.Run("allowed public repo1", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo1/raw/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f").AddTokenAuth(repo2OnlyToken)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "# repo1\n\nDescription for repo1", resp.Body.String())
+		})
+		t.Run("allowed inside fine-grain repo2", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo2/raw/blob/1032bbf17fbc0d9c95bb5418dabe8f8c99278700").AddTokenAuth(repo2OnlyToken)
+			resp := MakeRequest(t, req, http.StatusOK)
+			assert.Equal(t, "tree ba1aed4e2ea2443d76cec241b96be4ec990852ec\nparent 205ac761f3326a7ebe416e8673760016450b5cec\nauthor Jimmy Praet <jimmy.praet@telenet.be> 1624996449 +0200\ncommitter Jimmy Praet <jimmy.praet@telenet.be> 1624996449 +0200\n\nAdd test.xml\n", resp.Body.String())
+		})
+		t.Run("denied private outside fine-grain repo16", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/user2/repo16/raw/blob/69554a64c1e6030f051e5c3f94bfbd773cd6a324").AddTokenAuth(repo2OnlyToken)
+			MakeRequest(t, req, http.StatusNotFound)
+		})
+	})
+}
diff --git a/tests/integration/fixtures/TestGetAttachmentViaAPITokens/attachment.yml b/tests/integration/fixtures/TestGetAttachmentViaAPITokens/attachment.yml
new file mode 100644
index 0000000000..334b33cefa
--- /dev/null
+++ b/tests/integration/fixtures/TestGetAttachmentViaAPITokens/attachment.yml
@@ -0,0 +1,12 @@
+-
+  id: 50
+  uuid: d962b49e-e32a-4b72-922d-33b551b629e2
+  repo_id: 16
+  issue_id: 50
+  release_id: 0
+  uploader_id: 0
+  comment_id: 0
+  name: attach1
+  download_count: 0
+  size: 0
+  created_unix: 946684800
diff --git a/tests/integration/fixtures/TestGetAttachmentViaAPITokens/issue.yml b/tests/integration/fixtures/TestGetAttachmentViaAPITokens/issue.yml
new file mode 100644
index 0000000000..7a876ef5b2
--- /dev/null
+++ b/tests/integration/fixtures/TestGetAttachmentViaAPITokens/issue.yml
@@ -0,0 +1,16 @@
+-
+  id: 50
+  repo_id: 16
+  index: 1
+  poster_id: 1
+  original_author_id: 0
+  name: issue1
+  content: content for the first issue
+  milestone_id: 0
+  priority: 0
+  is_closed: false
+  is_pull: false
+  num_comments: 3
+  created_unix: 946684800
+  updated_unix: 978307200
+  is_locked: false
diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go
index 3f14324cf7..d87d725dbd 100644
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@@ -194,12 +194,45 @@ func TestAccessTokenExchange(t *testing.T) {
 	assert.Greater(t, len(parsed.RefreshToken), 10)
 }
 
+func TestAccessTokenExchangeRedirectURIMismatch(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	// The auth code fixture has redirect_uri="a", but we send a different
+	// URI that is registered with the app ("https://example.com/xyzzy").
+	// Per RFC 6749 §4.1.3, this must be rejected.
+	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+		"grant_type":    "authorization_code",
+		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
+		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+		"redirect_uri":  "https://example.com/xyzzy",
+		"code":          "authcode",
+		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
+	})
+	resp := MakeRequest(t, req, http.StatusBadRequest)
+
+	var parsedError auth.AccessTokenErrorResponse
+	require.NoError(t, json.Unmarshal(resp.Body.Bytes(), &parsedError))
+	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
+	assert.Equal(t, "redirect_uri does not match the authorization request", parsedError.ErrorDescription)
+
+	// Using the correct redirect_uri ("a") should succeed
+	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+		"grant_type":    "authorization_code",
+		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
+		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+		"redirect_uri":  "a",
+		"code":          "authcode",
+		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
+	})
+	MakeRequest(t, req, http.StatusOK)
+}
+
 func TestAccessTokenExchangeWithPublicClient(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
 		"grant_type":    "authorization_code",
 		"client_id":     "ce5a1322-42a7-11ed-b878-0242ac120002",
-		"redirect_uri":  "http://127.0.0.1",
+		"redirect_uri":  "http://127.0.0.1/",
 		"code":          "authcodepublic",
 		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
 	})
@@ -497,6 +530,56 @@ func TestRefreshTokenInvalidation(t *testing.T) {
 	assert.Equal(t, "token was already used", parsedError.ErrorDescription)
 }
 
+func TestRefreshTokenCrossClientUsage(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	// Step 1: Obtain a refresh token via app 1 (confidential client)
+	req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+		"grant_type":    "authorization_code",
+		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
+		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+		"redirect_uri":  "a",
+		"code":          "authcode",
+		"code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
+	})
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	type tokenResponse struct {
+		AccessToken  string `json:"access_token"`
+		TokenType    string `json:"token_type"`
+		ExpiresIn    int64  `json:"expires_in"`
+		RefreshToken string `json:"refresh_token"`
+	}
+	parsed := new(tokenResponse)
+	require.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
+	assert.NotEmpty(t, parsed.RefreshToken)
+
+	// Step 2: Try to use the refresh token with app 2 (different client): must fail
+	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+		"grant_type":    "refresh_token",
+		"client_id":     "ce5a1322-42a7-11ed-b878-0242ac120002",
+		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+		"redirect_uri":  "b",
+		"refresh_token": parsed.RefreshToken,
+	})
+	resp = MakeRequest(t, req, http.StatusBadRequest)
+
+	var parsedError auth.AccessTokenErrorResponse
+	require.NoError(t, json.Unmarshal(resp.Body.Bytes(), &parsedError))
+	assert.Equal(t, "invalid_grant", string(parsedError.ErrorCode))
+	assert.Equal(t, "refresh token was not issued to this client", parsedError.ErrorDescription)
+
+	// Step 3: Using the refresh token with the correct app 1 should still work
+	req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+		"grant_type":    "refresh_token",
+		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
+		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+		"redirect_uri":  "a",
+		"refresh_token": parsed.RefreshToken,
+	})
+	MakeRequest(t, req, http.StatusOK)
+}
+
 func TestSignInOAuthCallbackSignIn(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
diff --git a/tests/integration/wiki_test.go b/tests/integration/wiki_test.go
index 47986177d7..1fd9378852 100644
--- a/tests/integration/wiki_test.go
+++ b/tests/integration/wiki_test.go
@@ -4,19 +4,29 @@
 package integration
 
 import (
+	"encoding/base64"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
+	"time"
 
+	auth_model "forgejo.org/models/auth"
+	unit_model "forgejo.org/models/unit"
+	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
+	"forgejo.org/modules/optional"
+	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/util"
 	"forgejo.org/tests"
 
 	"github.com/PuerkitoBio/goquery"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -24,7 +34,16 @@ import (
 func assertFileExist(t *testing.T, p string) {
 	exist, err := util.IsExist(p)
 	require.NoError(t, err)
-	assert.True(t, exist)
+	if !assert.True(t, exist) {
+		dir := filepath.Dir(p)
+		t.Logf("Listing files that were present in dir path %s", dir)
+		entries, err := os.ReadDir(dir)
+		require.NoError(t, err)
+		for _, e := range entries {
+			t.Logf("file in path %s -> %s", dir, e.Name())
+		}
+		t.Logf("End of %d entries in directory %s", len(entries), dir)
+	}
 }
 
 func assertFileEqual(t *testing.T, p string, content []byte) {
@@ -33,24 +52,162 @@ func assertFileEqual(t *testing.T, p string, content []byte) {
 	assert.Equal(t, content, bs)
 }
 
-func TestRepoCloneWiki(t *testing.T) {
-	onApplicationRun(t, func(t *testing.T, u *url.URL) {
-		dstPath := t.TempDir()
+type (
+	RepoWikiMethod    string
+	RepoWikiAuth      string
+	RepoWikiTarget    string
+	RepoWikiOperation string
+)
 
-		r := fmt.Sprintf("%suser2/repo1.wiki.git", u.String())
-		u, _ = url.Parse(r)
-		u.User = url.UserPassword("user2", userPassword)
-		t.Run("Clone", func(t *testing.T) {
-			require.NoError(t, git.CloneWithArgs(t.Context(), git.AllowLFSFiltersArgs(), u.String(), dstPath, git.CloneRepoOptions{}))
-			assertFileEqual(t, filepath.Join(dstPath, "Home.md"), []byte("# Home page\n\nThis is the home page!\n"))
-			assertFileExist(t, filepath.Join(dstPath, "Page-With-Image.md"))
-			assertFileExist(t, filepath.Join(dstPath, "Page-With-Spaced-Name.md"))
-			assertFileExist(t, filepath.Join(dstPath, "images"))
-			assertFileExist(t, filepath.Join(dstPath, "jpeg.jpg"))
-		})
+const (
+	RepoWikiSSH  RepoWikiMethod = "SSH"
+	RepoWikiHTTP RepoWikiMethod = "HTTP"
+
+	RepoWikiAnonymous                 RepoWikiAuth = "Anonymous"
+	RepoWikiAuthenticated             RepoWikiAuth = "Authenticated"
+	RepoWikiAuthenticatedNonOwnerUser RepoWikiAuth = "Authenticated-NonOwner"
+
+	RepoWikiPublic  RepoWikiTarget = "Public"
+	RepoWikiPrivate RepoWikiTarget = "Private"
+
+	RepoWikiRead  RepoWikiOperation = "Read"
+	RepoWikiWrite RepoWikiOperation = "Write"
+)
+
+func TestRepoWikiGitOperation(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		for _, method := range []RepoWikiMethod{RepoWikiSSH, RepoWikiHTTP} {
+			for _, auth := range []RepoWikiAuth{RepoWikiAnonymous, RepoWikiAuthenticated, RepoWikiAuthenticatedNonOwnerUser} {
+				for _, target := range []RepoWikiTarget{RepoWikiPublic, RepoWikiPrivate} {
+					for _, operation := range []RepoWikiOperation{RepoWikiRead, RepoWikiWrite} {
+						t.Run(fmt.Sprintf("%s/%s/%s/%s", method, auth, target, operation), func(t *testing.T) {
+							defer tests.PrintCurrentTest(t)()
+							doRepoWikiGitOperation(t, u, method, auth, target, operation)
+						})
+					}
+				}
+			}
+		}
 	})
 }
 
+func doRepoWikiGitOperation(t *testing.T, serverURL *url.URL, method RepoWikiMethod, auth RepoWikiAuth, target RepoWikiTarget, operation RepoWikiOperation) {
+	repo := "repo1"
+	if target == RepoWikiPrivate {
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		privateRepo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, user2, tests.DeclarativeRepoOptions{
+			IsPrivate:    optional.Some(true),
+			EnabledUnits: optional.Some([]unit_model.Type{unit_model.TypeWiki}),
+		})
+		defer reset()
+
+		session := loginUser(t, user2.LoginName)
+		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/new", user2.LoginName, privateRepo.Name)
+		req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateWikiPageOptions{
+			Title:         "Page With Image",
+			ContentBase64: base64.StdEncoding.EncodeToString([]byte("# Page With Image\n\n![Gitea Logo](./raw/jpeg.jpg)\n")),
+			Message:       "",
+		}).AddTokenAuth(token)
+		MakeRequest(t, req, http.StatusCreated)
+
+		repo = privateRepo.Name
+	}
+
+	dstPath := t.TempDir()
+	r := fmt.Sprintf("%suser2/%s.wiki.git", serverURL.String(), repo)
+	testURL, err := url.Parse(r)
+	require.NoError(t, err)
+
+	if method == RepoWikiHTTP {
+		switch auth {
+		case RepoWikiAnonymous:
+			// no-op
+		case RepoWikiAuthenticated:
+			testURL.User = url.UserPassword("user2", userPassword)
+		case RepoWikiAuthenticatedNonOwnerUser:
+			testURL.User = url.UserPassword("user20", userPassword)
+		default:
+			t.Fatalf("unexpected auth = %s", auth)
+		}
+
+		doRepoWikiGitOperationInner(t, testURL, dstPath, auth, target, operation)
+	} else if method == RepoWikiSSH {
+		var user string
+		switch auth {
+		case RepoWikiAnonymous:
+			t.Skip() // anonymous ssh is not supported
+		case RepoWikiAuthenticated:
+			user = "user2" // owner of the repo
+		case RepoWikiAuthenticatedNonOwnerUser:
+			user = "user20" // not the owner of the repo, not a collaborator
+		default:
+			t.Fatalf("unexpected auth = %s", auth)
+		}
+
+		keyname := "my-testing-key"
+		withKeyFile(t, keyname, func(keyFile string) {
+			baseAPITestContext := NewAPITestContext(t, user, repo, auth_model.AccessTokenScopeWriteUser)
+			t.Run("CreateUserKey", doAPICreateUserKey(baseAPITestContext, fmt.Sprintf("test-key-%s", uuid.New().String()), keyFile, func(t *testing.T, pk api.PublicKey) {}))
+
+			baseAPITestContext.Username = "user2" // target repo owner to compose URLs
+			baseAPITestContext.Reponame = fmt.Sprintf("%s.wiki", repo)
+			testURL = createSSHUrl(baseAPITestContext.GitPath(), testURL)
+
+			doRepoWikiGitOperationInner(t, testURL, dstPath, auth, target, operation)
+		})
+	} else {
+		t.Fatalf("unexpected method = %s", method)
+	}
+}
+
+func doRepoWikiGitOperationInner(t *testing.T, gitURL *url.URL, dstPath string, auth RepoWikiAuth, target RepoWikiTarget, operation RepoWikiOperation) {
+	err := git.CloneWithArgs(t.Context(), git.AllowLFSFiltersArgs(), gitURL.String(), dstPath, git.CloneRepoOptions{})
+	if target == RepoWikiPrivate && (auth == RepoWikiAnonymous || auth == RepoWikiAuthenticatedNonOwnerUser) {
+		require.Error(t, err, "clone must fail; auth %s shouldn't be able to access private repo")
+		return // no other test conditions to satisfy if the clone failed
+	}
+	require.NoError(t, err, "clone must succeed; auth %s should be able to access a public repo")
+
+	assertFileExist(t, filepath.Join(dstPath, "Page-With-Image.md"))
+	assertFileEqual(t, filepath.Join(dstPath, "Page-With-Image.md"), []byte("# Page With Image\n\n![Gitea Logo](./raw/jpeg.jpg)\n"))
+
+	if operation == RepoWikiWrite {
+		f, err := os.OpenFile(filepath.Join(dstPath, "Home.md"), os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0o644)
+		defer f.Close()
+		require.NoError(t, err)
+		_, err = io.WriteString(f, fmt.Sprintf("# Home Page Edited!\n%s", uuid.New().String()))
+		require.NoError(t, err)
+		err = f.Close()
+		require.NoError(t, err)
+
+		err = git.AddChanges(dstPath, true)
+		require.NoError(t, err)
+		err = git.CommitChanges(dstPath, git.CommitChangesOptions{Message: "Changes made!"})
+		require.NoError(t, err)
+
+		// don't use git.Push() because it doesn't support credential helper, and 'origin' would have had its URL saved
+		// with the creds stripped in dstPath so we need the credential helper to be configured.
+		cmd := git.NewCommand(t.Context())
+		if gitURL.Scheme == "http" {
+			_, credCleanup, err := cmd.AddAuthCredentialHelperForRemote(gitURL.String())
+			require.NoError(t, err)
+			defer credCleanup()
+		}
+		cmd.AddArguments("push", "origin")
+
+		stdout, stderr, err := cmd.RunStdString(&git.RunOpts{
+			Dir:     dstPath,
+			Timeout: 2 * time.Second,
+		})
+		if auth == RepoWikiAuthenticated {
+			require.NoError(t, err, "stdout = %q, stderr = %q", stdout, stderr)
+		} else {
+			require.Error(t, err, "push must fail as authentication mode %s doesn't allow write, but succeeded.  stdout = %q, stderr = %q", auth, stdout, stderr)
+		}
+	}
+}
+
 func Test_RepoWikiPages(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 

From 9d37ac68ee71f0d17f25adc099357834a18090a7 Mon Sep 17 00:00:00 2001
From: Nirmal Kumar R <tildezero@gmail.com>
Date: Tue, 12 May 2026 05:05:16 +0200
Subject: [PATCH 282/287] fix(e2e): Missing await on page.goto in org-members
 tests (#12525)

These tests are failing in the Last Two Days in the latest test report.

Error:
```
61 |
      62 |   // A modal dialog appears
    > 63 |   await expect(page.locator('#add-member-modal')).toBeVisible();
         |                                                   ^
      64 |
      65 |   // Fill in the name of the user to add
      66 |   await page.locator('#search-user-box input').fill('user5');
        at /workspace/forgejo/forgejo/tests/e2e/org-members.test.e2e.ts:63:51
```

The `page.goto` in the tests are unawaited, which leads to the page not
fully loaded to proceed with the next lines to check for visibility.

The fix is to add `await` on `page.goto()` in all the missing places in
this test file - `org-members.test.e2e.ts`.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12525
Reviewed-by: Otto <otto@codeberg.org>
---
 tests/e2e/org-members.test.e2e.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/e2e/org-members.test.e2e.ts b/tests/e2e/org-members.test.e2e.ts
index 69f2f31f8a..c8833991bb 100644
--- a/tests/e2e/org-members.test.e2e.ts
+++ b/tests/e2e/org-members.test.e2e.ts
@@ -12,7 +12,7 @@ import {test} from './utils_e2e.ts';
 test.use({user: 'user2'});
 
 test('Toggle visibility', async ({page}) => {
-  page.goto('/org/org3/members');
+  await page.goto('/org/org3/members');
 
   // Button "Make hidden" for user2's row
   const hideUser2 = page.locator('.link-action[data-url="/org/org3/members/action/private?uid=2"]');
@@ -34,7 +34,7 @@ test('Toggle visibility', async ({page}) => {
 });
 
 test('Leave org', async ({page}) => {
-  page.goto('/org/org3/members');
+  await page.goto('/org/org3/members');
 
   // Button "Leave" for user2's row
   const leaveButton = page.locator('.delete-button[data-url="/org/org3/members/action/leave"]');
@@ -53,7 +53,7 @@ test('Leave org', async ({page}) => {
 });
 
 test('Add and remove a new member to the org', async ({page}) => {
-  page.goto('/org/org3/members');
+  await page.goto('/org/org3/members');
 
   // Click the "Add member" button
   const newMemberButton = page.locator('#add-org-member-button');

From a6e141f805ce138074b8fa64cc92c9d0402f95e5 Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Date: Tue, 12 May 2026 09:08:47 +0200
Subject: [PATCH 283/287] chore(release-notes): Forgejo v11.0.14 [skip ci]
 (#12535)

https://codeberg.org/forgejo/forgejo/milestone/84476
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12535
Reviewed-by: Beowulf <beowulf@beocode.eu>
---
 release-notes-published/11.0.14.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 release-notes-published/11.0.14.md

diff --git a/release-notes-published/11.0.14.md b/release-notes-published/11.0.14.md
new file mode 100644
index 0000000000..1c7bf69e3f
--- /dev/null
+++ b/release-notes-published/11.0.14.md
@@ -0,0 +1,17 @@
+
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12495): <!--number 12495 --><!--line 0 --><!--description LSBmaXg6IHByZXZlbnQgZ2l0IHdyaXRlIHRvIHdpa2kgcmVwbyBmcm9tIHVuYXV0aG9yaXplZCB1c2VyIHZpYSBnaXQgSFRUUA==-->fix: prevent git write to wiki repo from unauthorized user via git HTTP<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12495): <!--number 12495 --><!--line 1 --><!--description LSBmaXg6IHByZXZlbnQgTEZTIGF1dGhvcml6YXRpb24gdG9rZW4gZnJvbSBiZWluZyB1c2VkIGZvciByZWFkL3dyaXRlIGFjY2VzcyBhZnRlciB1c2VyJ3MgYWNjZXNzIGlzIHJlc3RyaWN0ZWQgZnJvbSBGb3JnZWpv-->fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12495): <!--number 12495 --><!--line 2 --><!--description LSBmaXg6IHByZXZlbnQgc2NvcGVkIEFQSSBhY2Nlc3MgKE9BdXRoIHRva2VucywgQWNjZXNzIHRva2VucykgZnJvbSBhY2Nlc3NpbmcgcmVzb3VyY2VzIGJleW9uZCB0aGVpciBwZXJtaXR0ZWQgc2NvcGUgdmlhIG5vbi1BUEkgZW5kcG9pbnRzIChlLmcuIC91c2VyL3JlcG8vcmF3Ly4uLik=-->fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12495): <!--number 12495 --><!--line 3 --><!--description LSBmaXg6IGltcGxlbWVudGluZyBtaXNzaW5nIE9BdXRoIHZhbGlkYXRpb24gY2hlY2tzLCBpbXByb3ZlIHByb3RlY3Rpb25zIGFnYWluc3QgcmFjZSBjb25kaXRpb25z-->fix: implementing missing OAuth validation checks, improve protections against race conditions<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12495): <!--number 12495 --><!--line 4 --><!--description LSBmaXg6IHByZXZlbnQgT0F1dGggcmVkaXJlY3QgVVJJIHNwb29maW5nIHZpYSBub24tYXNjaWkgY2FzZSBjb2xsaXNpb24=-->fix: prevent OAuth redirect URI spoofing via non-ascii case collision<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12495): <!--number 12495 --><!--line 5 --><!--description LSBmaXg6IHN0cmVuZ3RoZW4gQWN0aW9ucyBBcnRpZmFjdCBWNCBzaWduYXR1cmUgYWxnb3JpdGhtIGFnYWluc3Qgc3Bvb2ZpbmcgYXR0YWNrcw==-->fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks<!--description-->
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12527): <!--number 12527 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWVybWFpZCB0byB2MTEuMTUuMCBbU0VDVVJJVFldICh2MTEuMC9mb3JnZWpvKQ==-->Update dependency mermaid to v11.15.0 [SECURITY] (v11.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12463): <!--number 12463 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvbmV0IHRvIHYwLjUzLjAgW1NFQ1VSSVRZXSAodjExLjAvZm9yZ2Vqbyk=-->Update module golang.org/x/net to v0.53.0 [SECURITY] (v11.0/forgejo)<!--description-->
+<!--end release-notes-assistant-->

From 0e577ed6c97cb5648adb43402abcc7dd52a2feed Mon Sep 17 00:00:00 2001
From: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Date: Tue, 12 May 2026 09:10:46 +0200
Subject: [PATCH 284/287] chore(release-notes): Forgejo v15.0.2 (#12536)

https://codeberg.org/forgejo/forgejo/milestone/84479
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12536
Reviewed-by: Beowulf <beowulf@beocode.eu>
---
 release-notes-published/15.0.2.md | 33 +++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 release-notes-published/15.0.2.md

diff --git a/release-notes-published/15.0.2.md b/release-notes-published/15.0.2.md
new file mode 100644
index 0000000000..c5c8c14648
--- /dev/null
+++ b/release-notes-published/15.0.2.md
@@ -0,0 +1,33 @@
+
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Security bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 0 --><!--description LSBmaXg6IHByZXZlbnQgZ2l0IHdyaXRlIHRvIHdpa2kgcmVwbyBmcm9tIHVuYXV0aG9yaXplZCB1c2VyIHZpYSBnaXQgSFRUUA==-->fix: prevent git write to wiki repo from unauthorized user via git HTTP<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 1 --><!--description LSBmaXg6IHByZXZlbnQgTEZTIGF1dGhvcml6YXRpb24gdG9rZW4gZnJvbSBiZWluZyB1c2VkIGZvciByZWFkL3dyaXRlIGFjY2VzcyBhZnRlciB1c2VyJ3MgYWNjZXNzIGlzIHJlc3RyaWN0ZWQgZnJvbSBGb3JnZWpv-->fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 2 --><!--description LSBmaXg6IHByZXZlbnQgc2NvcGVkIEFQSSBhY2Nlc3MgKE9BdXRoIHRva2VucywgQWNjZXNzIHRva2VucykgZnJvbSBhY2Nlc3NpbmcgcmVzb3VyY2VzIGJleW9uZCB0aGVpciBwZXJtaXR0ZWQgc2NvcGUgdmlhIG5vbi1BUEkgZW5kcG9pbnRzIChlLmcuIC91c2VyL3JlcG8vcmF3Ly4uLik=-->fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 3 --><!--description LSBmaXg6IGltcGxlbWVudGluZyBtaXNzaW5nIE9BdXRoIHZhbGlkYXRpb24gY2hlY2tzLCBpbXByb3ZlIHByb3RlY3Rpb25zIGFnYWluc3QgcmFjZSBjb25kaXRpb25z-->fix: implementing missing OAuth validation checks, improve protections against race conditions<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 4 --><!--description LSBmaXg6IHByZXZlbnQgT0F1dGggcmVkaXJlY3QgVVJJIHNwb29maW5nIHZpYSBub24tYXNjaWkgY2FzZSBjb2xsaXNpb24=-->fix: prevent OAuth redirect URI spoofing via non-ascii case collision<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12494): <!--number 12494 --><!--line 5 --><!--description LSBmaXg6IHN0cmVuZ3RoZW4gQWN0aW9ucyBBcnRpZmFjdCBWNCBzaWduYXR1cmUgYWxnb3JpdGhtIGFnYWluc3Qgc3Bvb2ZpbmcgYXR0YWNrcw==-->fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks<!--description-->
+- User Interface bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12366) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12492)): <!--number 12492 --><!--line 0 --><!--description V2hlbiB0aGUgYXV0aG9yIG9mIGEgcHVsbCByZXF1ZXN0IGlzIFtkZW5pZWQgdGhlIHJpZ2h0IHRvIHJ1biBBY3Rpb25zXShodHRwczovL2Zvcmdlam8ub3JnL2RvY3MvbmV4dC91c2VyL2FjdGlvbnMvc2VjdXJpdHktcHVsbC1yZXF1ZXN0LykgYnkgY2xpY2tpbmcgb24gdGhlICJEZW55IiBidXR0b24gb24gdGhlIHB1bGwgcmVxdWVzdCB0cnVzdCBtYW5hZ2VtZW50IHBhbmVsLCB0aGUgd29ya2Zsb3cgcnVucyBjcmVhdGVkIGZvciBhbGwgY29tbWl0cyBwdXNoZWQgdG8gdGhlIHB1bGwgcmVxdWVzdCBhcmUgY2FuY2VsbGVkLiBCZWZvcmUgdGhhdCwgcnVucyB0aGF0IHdlcmUgYXV0b21hdGljYWxseSBjYW5jZWxsZWQgYmVjYXVzZSBhIG5ld2VyIGNvbW1pdCB3YXMgcHVzaGVkIHRvIHRoZSBwdWxsIHJlcXVlc3QgW3dlcmUgc3R1Y2sgaW4gYSBzdGF0ZSB3YWl0aW5nIGZvciBhcHByb3ZhbF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2lzc3Vlcy8xMjM1MCku-->When the author of a pull request is [denied the right to run Actions](https://forgejo.org/docs/next/user/actions/security-pull-request/) by clicking on the "Deny" button on the pull request trust management panel, the workflow runs created for all commits pushed to the pull request are cancelled. Before that, runs that were automatically cancelled because a newer commit was pushed to the pull request [were stuck in a state waiting for approval](https://codeberg.org/forgejo/forgejo/issues/12350).<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12447) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12461)): <!--number 12461 --><!--line 0 --><!--description Zml4OiBwYWdpbmF0ZSB0ZWFtIG1lbWJlcnMgbGlzdA==-->fix: paginate team members list<!--description-->
+- Bug fixes
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12302) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12470)): <!--number 12470 --><!--line 0 --><!--description V2hlbiBhIHJldmlldyB3YXMgY3JlYXRlZCBhcyBwZW5kaW5nIGFuZCB0aGVuIHN1Ym1pdHRlZCwgdGhlIHJldmlldyByZXF1ZXN0IHdhc24ndCBkZWxldGVkLiBUaGVzZSByZXZpZXcgcmVxdWVzdHMgY291bGRuJ3QgYmUgcmVtb3ZlZCwgYXMgdGhlIG5vdyBleGlzdGluZyByZXZpZXcgc2hhZG93ZWQgdGhlIHJldmlldyByZXF1ZXN0LiBOb3csIHJldmlldyByZXF1ZXN0cyBnZXQgZGVsZXRlZCB3aGVuIGEgcGVuZGluZyByZXZpZXcgZnJvbSB0aGF0IHJldmlld2VyIGdldHMgc3VibWl0dGVkLCBhbmQgYnJva2VuIHJldmlldyByZXF1ZXN0cyBpbiBhbHJlYWR5IGV4aXN0aW5nIGRhdGEgY2FuIGJlIG5vcm1hbGx5IHJlbW92ZWQgdmlhIHRoZSBVSS4=-->When a review was created as pending and then submitted, the review request wasn't deleted. These review requests couldn't be removed, as the now existing review shadowed the review request. Now, review requests get deleted when a pending review from that reviewer gets submitted, and broken review requests in already existing data can be normally removed via the UI.<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12446) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12452)): <!--number 12452 --><!--line 0 --><!--description Zml4OiBtYWtlIHBhY2thZ2UgY2xlYW51cCB3b3JrIGFnYWlu-->fix: make package cleanup work again<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12370) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12422)): <!--number 12422 --><!--line 0 --><!--description Zml4OiBjbGVhbnVwIGRhdGEgYmVmb3JlIG1pZ3JhdGlvbiByZXRyeQ==-->fix: cleanup data before migration retry<!--description-->
+- Included for completeness but not user-facing (chores, etc.)
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12382) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12533)): <!--number 12533 --><!--line 0 --><!--description Zml4KGFjdGl2aXR5cHViKTogb25seSByZXR1cm4gcHVibGljIGFjdGl2aXRpZXMgb24gcmVxdWVzdCAoIzEyMzgyKQ==-->fix(activitypub): only return public activities on request (#12382)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12531): <!--number 12531 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgbWVybWFpZCB0byB2MTEuMTUuMCBbU0VDVVJJVFldICh2MTUuMC9mb3JnZWpvKQ==-->Update dependency mermaid to v11.15.0 [SECURITY] (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12503): <!--number 12503 --><!--line 0 --><!--description Y2hvcmU6IFBHUCBzaWduIC53ZWxsLWtub3duL3NlY3VyaXR5LnR4dCBbc2tpcCBjaV0=-->chore: PGP sign .well-known/security.txt [skip ci]<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12465): <!--number 12465 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb2xhbmcub3JnL3gvbmV0IHRvIHYwLjUzLjAgW1NFQ1VSSVRZXSAodjE1LjAvZm9yZ2Vqbyk=-->Update module golang.org/x/net to v0.53.0 [SECURITY] (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12433) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12467)): <!--number 12467 --><!--line 0 --><!--description W3BhZ3VyZV0gZW5zdXJlIG1vdmluZyBhbGwgY29tbWl0cyBpbiBhIHB1bGwgcmVxdWVzdA==-->[pagure] ensure moving all commits in a pull request<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12231) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12468)): <!--number 12468 --><!--line 0 --><!--description cmVmYWN0b3I6IGNsYXJpZnkgZm91ciBkaWZmZXJlbnQgb3V0cHV0cyB0aGF0IGF1dGhlbnRpY2F0aW9uIG1ldGhvZHMgcHJvdmlkZQ==-->refactor: clarify four different outputs that authentication methods provide<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12202) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12462)): <!--number 12462 --><!--line 0 --><!--description cmVmYWN0b3I6IGNoYW5nZSBhdXRoZW50aWNhdGlvbiB0byByZXR1cm4gc3RydWN0dXJlZCBkYXRh-->refactor: change authentication to return structured data<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12456): <!--number 12456 --><!--line 0 --><!--description VXBkYXRlIGdvIHRvb2xjaGFpbiBkaXJlY3RpdmUgdG8gdjEuMjYuMyAodjE1LjAvZm9yZ2Vqbyk=-->Update go toolchain directive to v1.26.3 (v15.0/forgejo)<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12351) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12395)): <!--number 12395 --><!--line 0 --><!--description Zml4OiBnZXQgdGFnIG11c3QgcmV0dXJuIHRoZSB0YWcgc2lnbmF0dXJlIGluc3RlYWQgb2YgY29tbWl0IHNpZ25hdHVyZQ==-->fix: get tag must return the tag signature instead of commit signature<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12357) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12362)): <!--number 12362 --><!--line 0 --><!--description Zml4OiBzZXQgYHJlcG9faWRgIGZvciBtaWdyYXRlZCBhdHRhY2htZW50-->fix: set `repo_id` for migrated attachment<!--description-->
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12291) ([backported](https://codeberg.org/forgejo/forgejo/pulls/12354)): <!--number 12354 --><!--line 0 --><!--description Zml4KG9hdXRoKTogb25seSBhY2NlcHQgcmVmcmVzaCB0b2tlbnMgYXMgcmVmcmVzaCB0b2tlbnM=-->fix(oauth): only accept refresh tokens as refresh tokens<!--description-->
+<!--end release-notes-assistant-->

From 88ba1741190dd638abd3fd75fb95373e483ab695 Mon Sep 17 00:00:00 2001
From: oliverpool <git@olivier.pfad.fr>
Date: Tue, 12 May 2026 20:57:02 +0200
Subject: [PATCH 285/287] tests: better factory with forgery package (#11356)

### Context

Following the feedback in forgejo/discussions#170 (and my ambitious attempt in forgejo/forgejo#10985), it appears that having an easy-to-use factory package would greatly help get rid of the global fixtures.

I think that the global fixtures are quite harmful (recent example: https://codeberg.org/forgejo/forgejo/pulls/9906#issuecomment-10826066):
- hard to write (contributor must know where to add them)
- hard to change (may break some unrelated tests)
- hard to review (not located near the test code)
- they require the tests to execute sequentially

### Proposed way forward

The `forgery` package (the name represents faking/crafting and sounds good with Forgejo) is meant to replace global yaml fixtures with local go factories. The forgery can currently:
- create users
- create repos
- create organisations

This allowed me to drop `CreateDeclarativeRepoWithOptions` (and deprecate `CreateDeclarativeRepo`).

I think that further changes should be delayed to other PRs (I have a local branch to create `Project`)

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

*The decision if the pull request will be shown in the release notes is up to the mergers / release team.*

The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11356
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
---
 tests/e2e/debugserver_test.go                 |   2 +-
 tests/e2e/declare_repos_test.go               | 238 +++++++++---------
 tests/e2e/e2e_test.go                         |   2 +-
 tests/forgery/fs.go                           | 112 +++++++++
 tests/forgery/repo.go                         | 138 ++++++++++
 tests/forgery/user.go                         |  66 +++++
 tests/integration/actions_trigger_test.go     |  17 +-
 ...ivitypub_person_inbox_useractivity_test.go |   5 +-
 tests/integration/api_issue_test.go           |  52 ++--
 tests/integration/api_org_variables_test.go   |  29 ++-
 tests/integration/api_private_serv_test.go    |   5 +-
 tests/integration/api_push_mirror_test.go     |   9 +-
 tests/integration/api_quota_use_test.go       |  21 +-
 tests/integration/api_repo_activities_test.go |  12 +-
 tests/integration/api_wiki_test.go            |  15 +-
 tests/integration/compare_test.go             |  22 +-
 tests/integration/issue_test.go               |  25 +-
 tests/integration/migrate_test.go             |  10 +-
 tests/integration/mirror_pull_test.go         |  30 +--
 tests/integration/mirror_push_test.go         |  40 +--
 tests/integration/patch_status_test.go        |  24 +-
 tests/integration/pull_review_test.go         |  22 +-
 tests/integration/quota_use_test.go           |  29 +--
 tests/integration/repo_generate_test.go       | 111 +++-----
 tests/integration/repo_test.go                |  20 +-
 tests/integration/wiki_test.go                |   9 +-
 tests/test_utils.go                           | 224 +++++------------
 27 files changed, 680 insertions(+), 609 deletions(-)
 create mode 100644 tests/forgery/fs.go
 create mode 100644 tests/forgery/repo.go
 create mode 100644 tests/forgery/user.go

diff --git a/tests/e2e/debugserver_test.go b/tests/e2e/debugserver_test.go
index 8742790b14..e60fd44955 100644
--- a/tests/e2e/debugserver_test.go
+++ b/tests/e2e/debugserver_test.go
@@ -25,7 +25,7 @@ func TestDebugserver(t *testing.T) {
 	signal.Notify(done, syscall.SIGINT, syscall.SIGTERM)
 
 	onForgejoRun(t, func(*testing.T, *url.URL) {
-		defer DeclareGitRepos(t)()
+		DeclareGitRepos(t)
 		fmt.Println(setting.AppURL)
 		<-done
 	})
diff --git a/tests/e2e/declare_repos_test.go b/tests/e2e/declare_repos_test.go
index e72f260299..ce1e04bb4e 100644
--- a/tests/e2e/declare_repos_test.go
+++ b/tests/e2e/declare_repos_test.go
@@ -19,12 +19,11 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/indexer/stats"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/timeutil"
 	issue_service "forgejo.org/services/issue"
 	files_service "forgejo.org/services/repository/files"
 	"forgejo.org/services/wiki"
-	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -44,7 +43,7 @@ type SetupRepo func(*user_model.User, *repo_model.Repository)
 
 // put your Git repo declarations in here
 // feel free to amend the helper function below or use the raw variant directly
-func DeclareGitRepos(t *testing.T) func() {
+func DeclareGitRepos(t *testing.T) {
 	now := timeutil.TimeStampNow()
 	postIssue := func(repo *repo_model.Repository, user *user_model.User, age int64, title, content string) {
 		issue := &issues_model.Issue{
@@ -57,45 +56,45 @@ func DeclareGitRepos(t *testing.T) func() {
 		require.NoError(t, issue_service.NewIssue(db.DefaultContext, repo, issue, nil, nil, nil))
 	}
 
-	cleanupFunctions := []func(){
-		newRepo(t, 2, "diff-test", nil, []FileChanges{{
-			Filename: "testfile",
-			Versions: []string{"hello", "hallo", "hola", "native", "ubuntu-latest", "- runs-on: ubuntu-latest", "- runs-on: debian-latest"},
-		}}, nil),
-		newRepo(t, 2, "language-stats-test", nil, []FileChanges{{
-			Filename: "main.rs",
-			Versions: []string{"fn main() {", "println!(\"Hello World!\");", "}"},
-		}}, nil),
-		newRepo(t, 2, "mentions-highlighted", nil, []FileChanges{
-			{
-				Filename:  "history1.md",
-				Versions:  []string{""},
-				CommitMsg: "A commit message which mentions @user2 in the title\nand has some additional text which mentions @user1",
-			},
-			{
-				Filename:  "history2.md",
-				Versions:  []string{""},
-				CommitMsg: "Another commit which mentions @user1 in the title\nand @user2 in the text",
-			},
-		}, nil),
-		newRepo(t, 2, "file-uploads", nil, []FileChanges{{
-			Filename: "UPLOAD_TEST.md",
-			Versions: []string{"# File upload test\nUse this repo to test various file upload features in new branches."},
-		}}, nil),
-		newRepo(t, 2, "unicode-escaping", &tests.DeclarativeRepoOptions{
-			EnabledUnits: optional.Some([]unit_model.Type{unit_model.TypeCode, unit_model.TypeWiki}),
-		}, []FileChanges{{
-			Filename: "a-file",
-			Versions: []string{"{a}{а}"},
-		}}, func(user *user_model.User, repo *repo_model.Repository) {
-			wiki.InitWiki(db.DefaultContext, repo)
-			wiki.AddWikiPage(db.DefaultContext, user, repo, "Home", "{a}{а}", "{a}{а}")
-			wiki.AddWikiPage(db.DefaultContext, user, repo, "_Sidebar", "{a}{а}", "{a}{а}")
-			wiki.AddWikiPage(db.DefaultContext, user, repo, "_Footer", "{a}{а}", "{a}{а}")
-		}),
-		newRepo(t, 2, "multiple-combo-boxes", nil, []FileChanges{{
-			Filename: ".forgejo/issue_template/multi-combo-boxes.yaml",
-			Versions: []string{`
+	newRepo(t, 2, "diff-test", nil, []FileChanges{{
+		Filename: "testfile",
+		Versions: []string{"hello", "hallo", "hola", "native", "ubuntu-latest", "- runs-on: ubuntu-latest", "- runs-on: debian-latest"},
+	}}, nil)
+	newRepo(t, 2, "language-stats-test", nil, []FileChanges{{
+		Filename: "main.rs",
+		Versions: []string{"fn main() {", "println!(\"Hello World!\");", "}"},
+	}}, nil)
+	newRepo(t, 2, "mentions-highlighted", nil, []FileChanges{
+		{
+			Filename:  "history1.md",
+			Versions:  []string{""},
+			CommitMsg: "A commit message which mentions @user2 in the title\nand has some additional text which mentions @user1",
+		},
+		{
+			Filename:  "history2.md",
+			Versions:  []string{""},
+			CommitMsg: "Another commit which mentions @user1 in the title\nand @user2 in the text",
+		},
+	}, nil)
+	newRepo(t, 2, "file-uploads", nil, []FileChanges{{
+		Filename: "UPLOAD_TEST.md",
+		Versions: []string{"# File upload test\nUse this repo to test various file upload features in new branches."},
+	}}, nil)
+	newRepo(t, 2, "unicode-escaping", map[unit_model.Type]convert.Conversion{
+		unit_model.TypeCode: nil,
+		unit_model.TypeWiki: nil,
+	}, []FileChanges{{
+		Filename: "a-file",
+		Versions: []string{"{a}{а}"},
+	}}, func(user *user_model.User, repo *repo_model.Repository) {
+		wiki.InitWiki(db.DefaultContext, repo)
+		wiki.AddWikiPage(db.DefaultContext, user, repo, "Home", "{a}{а}", "{a}{а}")
+		wiki.AddWikiPage(db.DefaultContext, user, repo, "_Sidebar", "{a}{а}", "{a}{а}")
+		wiki.AddWikiPage(db.DefaultContext, user, repo, "_Footer", "{a}{а}", "{a}{а}")
+	})
+	newRepo(t, 2, "multiple-combo-boxes", nil, []FileChanges{{
+		Filename: ".forgejo/issue_template/multi-combo-boxes.yaml",
+		Versions: []string{`
 name: "Multiple combo-boxes"
 description: "To show something"
 body:
@@ -108,79 +107,70 @@ body:
   attributes:
     label: two
 `},
-		}}, nil),
-		newRepo(t, 11, "dependency-test", &tests.DeclarativeRepoOptions{
-			UnitConfig: optional.Some(map[unit_model.Type]convert.Conversion{
-				unit_model.TypeIssues: &repo_model.IssuesConfig{
-					EnableDependencies: true,
-				},
-			}),
-		}, []FileChanges{}, func(user *user_model.User, repo *repo_model.Repository) {
-			postIssue(repo, user, 500, "first issue here", "an issue created earlier")
-			postIssue(repo, user, 400, "second issue here", "not the right issue, but in the right repo")
-			postIssue(repo, user, 300, "third issue here", "depends on things")
-			postIssue(repo, user, 200, "unrelated issue", "shrug emoji")
-			postIssue(repo, user, 100, "newest issue", "very new")
-		}),
-		newRepo(t, 11, "dependency-test-2", &tests.DeclarativeRepoOptions{
-			UnitConfig: optional.Some(map[unit_model.Type]convert.Conversion{
-				unit_model.TypeIssues: &repo_model.IssuesConfig{
-					EnableDependencies: true,
-				},
-			}),
-		}, []FileChanges{}, func(user *user_model.User, repo *repo_model.Repository) {
-			postIssue(repo, user, 450, "right issue", "an issue containing word right")
-			postIssue(repo, user, 150, "left issue", "an issue containing word left")
-		}),
-		newRepo(t, 2, "long-diff-test", nil, []FileChanges{{
-			Filename: "test-README.md",
-			Versions: []string{
-				readStringFile(t, "tests/e2e/declarative-repo/long-diff-test/0-README.md"),
-			},
-		}}, func(user *user_model.User, repo *repo_model.Repository) {
-			commit1Sha := addCommitToBranch(t, user, repo, "main", "test-branch", "test-README.md", "",
-				readStringFile(t, "tests/e2e/declarative-repo/long-diff-test/1-README.md"))
-			commit2Sha := addCommitToBranch(t, user, repo, "test-branch", "test-branch", "test-README.md", commit1Sha,
-				readStringFile(t, "tests/e2e/declarative-repo/long-diff-test/2-README.md"))
-			addCommitToBranch(t, user, repo, "test-branch", "test-branch", "test-README.md", commit2Sha,
-				readStringFile(t, "tests/e2e/declarative-repo/long-diff-test/3-README.md"))
-		}),
-		newRepo(t, 2, "huge-diff-test", nil, []FileChanges{{
-			Filename: "glossary.po",
-			Versions: []string{
-				func() string {
-					var sb strings.Builder
-					sb.Write([]byte("0"))
-					for i := 1; i < 2000; i++ {
-						sb.WriteString(strconv.Itoa(i))
-						sb.WriteByte('\n')
+	}}, nil)
+	newRepo(t, 11, "dependency-test", map[unit_model.Type]convert.Conversion{
+		unit_model.TypeIssues: &repo_model.IssuesConfig{
+			EnableDependencies: true,
+		},
+		unit_model.TypeCode: nil,
+	}, []FileChanges{}, func(user *user_model.User, repo *repo_model.Repository) {
+		postIssue(repo, user, 500, "first issue here", "an issue created earlier")
+		postIssue(repo, user, 400, "second issue here", "not the right issue, but in the right repo")
+		postIssue(repo, user, 300, "third issue here", "depends on things")
+		postIssue(repo, user, 200, "unrelated issue", "shrug emoji")
+		postIssue(repo, user, 100, "newest issue", "very new")
+	})
+	newRepo(t, 11, "dependency-test-2", map[unit_model.Type]convert.Conversion{
+		unit_model.TypeIssues: &repo_model.IssuesConfig{
+			EnableDependencies: true,
+		},
+		unit_model.TypeCode: nil,
+	}, []FileChanges{}, func(user *user_model.User, repo *repo_model.Repository) {
+		postIssue(repo, user, 450, "right issue", "an issue containing word right")
+		postIssue(repo, user, 150, "left issue", "an issue containing word left")
+	})
+	newRepo(t, 2, "long-diff-test", nil, []FileChanges{{
+		Filename: "test-README.md",
+		Versions: []string{
+			readStringFile(t, "tests/e2e/declarative-repo/long-diff-test/0-README.md"),
+		},
+	}}, func(user *user_model.User, repo *repo_model.Repository) {
+		commit1Sha := addCommitToBranch(t, user, repo, "main", "test-branch", "test-README.md", "",
+			readStringFile(t, "tests/e2e/declarative-repo/long-diff-test/1-README.md"))
+		commit2Sha := addCommitToBranch(t, user, repo, "test-branch", "test-branch", "test-README.md", commit1Sha,
+			readStringFile(t, "tests/e2e/declarative-repo/long-diff-test/2-README.md"))
+		addCommitToBranch(t, user, repo, "test-branch", "test-branch", "test-README.md", commit2Sha,
+			readStringFile(t, "tests/e2e/declarative-repo/long-diff-test/3-README.md"))
+	})
+	newRepo(t, 2, "huge-diff-test", nil, []FileChanges{{
+		Filename: "glossary.po",
+		Versions: []string{
+			func() string {
+				var sb strings.Builder
+				sb.Write([]byte("0"))
+				for i := 1; i < 2000; i++ {
+					sb.WriteString(strconv.Itoa(i))
+					sb.WriteByte('\n')
+				}
+				return sb.String()
+			}(),
+		},
+	}}, func(user *user_model.User, repo *repo_model.Repository) {
+		addCommitToBranch(t, user, repo, "main", "main-2", "glossary.po", "",
+			func() string {
+				var sb strings.Builder
+				sb.Write([]byte("0"))
+				for i := 1; i < 2000; i++ {
+					sb.WriteString(strconv.Itoa(i))
+					if i%12 == 0 {
+						sb.WriteString("Blub")
 					}
-					return sb.String()
-				}(),
-			},
-		}}, func(user *user_model.User, repo *repo_model.Repository) {
-			addCommitToBranch(t, user, repo, "main", "main-2", "glossary.po", "",
-				func() string {
-					var sb strings.Builder
-					sb.Write([]byte("0"))
-					for i := 1; i < 2000; i++ {
-						sb.WriteString(strconv.Itoa(i))
-						if i%12 == 0 {
-							sb.WriteString("Blub")
-						}
-						sb.WriteByte('\n')
-					}
-					return sb.String()
-				}())
-		}),
-		// add your repo declarations here
-	}
-
-	return func() {
-		for _, cleanup := range cleanupFunctions {
-			cleanup()
-		}
-	}
+					sb.WriteByte('\n')
+				}
+				return sb.String()
+			}())
+	})
+	// add your repo declarations here
 }
 
 func readStringFile(t *testing.T, fn string) string {
@@ -189,18 +179,20 @@ func readStringFile(t *testing.T, fn string) string {
 	return string(c)
 }
 
-func newRepo(t *testing.T, userID int64, repoName string, initOpts *tests.DeclarativeRepoOptions, fileChanges []FileChanges, setup SetupRepo) func() {
+func newRepo(t *testing.T, userID int64, repoName string, enabledUnits map[unit_model.Type]convert.Conversion, fileChanges []FileChanges, setup SetupRepo) {
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: userID})
 
-	opts := tests.DeclarativeRepoOptions{}
-	if initOpts != nil {
-		opts = *initOpts
+	somerepo := forgery.CreateRepository(t, user, &forgery.CreateRepositoryOptions{
+		Name:  repoName,
+		Files: forgery.FilesInit{},
+	})
+	if len(enabledUnits) == 0 {
+		forgery.EnableRepoUnit(t, somerepo, unit_model.TypeCode, nil)
+		forgery.EnableRepoUnit(t, somerepo, unit_model.TypeIssues, nil)
 	}
-	opts.Name = optional.Some(repoName)
-	if !opts.EnabledUnits.Has() {
-		opts.EnabledUnits = optional.Some([]unit_model.Type{unit_model.TypeCode, unit_model.TypeIssues})
+	for unit, config := range enabledUnits {
+		forgery.EnableRepoUnit(t, somerepo, unit, config)
 	}
-	somerepo, _, cleanupFunc := tests.CreateDeclarativeRepoWithOptions(t, user, opts)
 
 	var lastCommitID string
 	for _, file := range fileChanges {
@@ -252,8 +244,6 @@ func newRepo(t *testing.T, userID int64, repoName string, initOpts *tests.Declar
 
 	err := stats.UpdateRepoIndexer(somerepo)
 	require.NoError(t, err)
-
-	return cleanupFunc
 }
 
 func addCommitToBranch(t *testing.T, user *user_model.User, repo *repo_model.Repository, oldBranch, newBranch, filename, lastSha, content string) string {
diff --git a/tests/e2e/e2e_test.go b/tests/e2e/e2e_test.go
index 9168cb8b51..5ce6029f07 100644
--- a/tests/e2e/e2e_test.go
+++ b/tests/e2e/e2e_test.go
@@ -120,7 +120,7 @@ func TestE2e(t *testing.T) {
 
 			// Default 2 minute timeout
 			onForgejoRun(t, func(*testing.T, *url.URL) {
-				defer DeclareGitRepos(t)()
+				DeclareGitRepos(t)
 				thisTest := runArgs
 				// when all tests are run, use unique artifacts directories per test to preserve artifacts from other tests
 				if testVisual {
diff --git a/tests/forgery/fs.go b/tests/forgery/fs.go
new file mode 100644
index 0000000000..f41b193702
--- /dev/null
+++ b/tests/forgery/fs.go
@@ -0,0 +1,112 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package forgery
+
+import (
+	"fmt"
+	"io"
+	"io/fs"
+	"strings"
+	"testing/fstest"
+	"time"
+
+	repo_model "forgejo.org/models/repo"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/git"
+	files_service "forgejo.org/services/repository/files"
+)
+
+type MapFS = fstest.MapFS
+
+// when a file has one of this mode, it needs specific git handling
+// other non-zero modes are rejected
+const (
+	modeSubmodule = fs.ModeNamedPipe // hacky, but
+	modeSymlink   = fs.ModeSymlink
+)
+
+func MapFile(data string) *fstest.MapFile {
+	return &fstest.MapFile{
+		Data: []byte(data),
+	}
+}
+
+func MapSymlink(target string) *fstest.MapFile {
+	return &fstest.MapFile{
+		Data: []byte(target),
+		Mode: modeSymlink,
+	}
+}
+
+func MapSubmodule(sha string) *fstest.MapFile {
+	return &fstest.MapFile{
+		Data: []byte(sha),
+		Mode: modeSubmodule,
+	}
+}
+
+func initRepo(doer *user_model.User, repo *repo_model.Repository, format git.ObjectFormat, fsys fs.FS, commitMessage string) (string, error) {
+	t, err := files_service.NewTemporaryUploadRepository(git.DefaultContext, repo)
+	if err != nil {
+		return "", err
+	}
+	defer t.Close()
+	if err := t.Init(format.Name()); err != nil {
+		return "", err
+	}
+
+	if err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
+		if err != nil || d.IsDir() {
+			return err
+		}
+
+		var content io.Reader
+		mode := git.EntryModeBlob
+		switch d.Type() {
+		case modeSymlink:
+			target, err := fs.ReadLink(fsys, path)
+			if err != nil {
+				return err
+			}
+			content = strings.NewReader(target)
+			mode = git.EntryModeSymlink
+		case modeSubmodule:
+			mode = git.EntryModeCommit
+			fallthrough
+		case 0:
+			f, err := fsys.Open(path)
+			if err != nil {
+				return err
+			}
+			defer f.Close()
+
+			content = f
+		default:
+			return fmt.Errorf("unexpected file type in forgery.CreateRepository %s: %s", path, d.Type())
+		}
+
+		// add object to the database
+		objectHash, err := t.HashObject(content)
+		if err != nil {
+			return err
+		}
+		// Add the object to the index
+		return t.AddObjectToIndex(mode.String(), objectHash, path)
+	}); err != nil {
+		return "", err
+	}
+
+	treeHash, err := t.WriteTree()
+	if err != nil {
+		return "", err
+	}
+
+	now := time.Now()
+	commitHash, err := t.CommitTreeWithDate("", doer, doer, treeHash, commitMessage, false, now, now)
+	if err != nil {
+		return "", err
+	}
+
+	return commitHash, t.Push(doer, commitHash, repo.DefaultBranch)
+}
diff --git a/tests/forgery/repo.go b/tests/forgery/repo.go
new file mode 100644
index 0000000000..bfa0a51681
--- /dev/null
+++ b/tests/forgery/repo.go
@@ -0,0 +1,138 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package forgery
+
+import (
+	"cmp"
+	"io/fs"
+	"testing"
+
+	repo_model "forgejo.org/models/repo"
+	unit_model "forgejo.org/models/unit"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/git"
+	repo_service "forgejo.org/services/repository"
+	wiki_service "forgejo.org/services/wiki"
+
+	"github.com/stretchr/testify/require"
+	"xorm.io/xorm/convert"
+)
+
+type CreateRepositoryOptions struct {
+	Name string // if nil a unique name (derived from the test name) will be generated
+
+	// Content of the initial commit, if nil the git repo will be left uninitialized.
+	// Use [MapFS] or [FilesInit] to setup the initial files.
+	Files fs.FS
+
+	ObjectFormat git.ObjectFormat // If nil, SHA1
+	IsTemplate   bool
+	IsPrivate    bool
+
+	LatestSha   *string // if not nil, the commit sha after initializing the repo with the Files will be written to this ref
+	SkipCleanup bool    // if true the repo will not be deleted at the end of the test (can be useful to debug locally)
+}
+
+// FilesInit specifies the templates to use upon repository initialization.
+type FilesInit struct {
+	Readme     string
+	Gitignores string
+	License    string
+}
+
+func (FilesInit) Open(name string) (fs.File, error) {
+	panic("FilesInit is only a sentinel value")
+}
+
+// CreateRepository returns the repo, owner and opts can be nil
+func CreateRepository(t testing.TB, owner *user_model.User, opts *CreateRepositoryOptions) *repo_model.Repository {
+	t.Helper()
+
+	if owner == nil {
+		owner = CreateUser(t, nil) // if specific options are needed, create the owner manually
+	}
+	if opts == nil {
+		opts = &CreateRepositoryOptions{}
+	}
+
+	repoName := opts.Name
+	if repoName == "" {
+		repoName = "repo-" + uniqueSafeName(t.Name())
+	}
+
+	gitFormat := cmp.Or(opts.ObjectFormat, git.Sha1ObjectFormat)
+
+	// Create the repository
+	createOptions := repo_service.CreateRepoOptions{
+		Name:             repoName,
+		Description:      "Test Repo",
+		DefaultBranch:    "main",
+		IsTemplate:       opts.IsTemplate,
+		ObjectFormatName: gitFormat.Name(),
+		IsPrivate:        opts.IsPrivate,
+	}
+	if fi, ok := opts.Files.(FilesInit); ok {
+		createOptions.AutoInit = true
+		createOptions.Readme = cmp.Or(fi.Readme, "Default")
+		createOptions.Gitignores = fi.Gitignores
+		createOptions.License = fi.License
+	}
+	repo, err := repo_service.CreateRepositoryDirectly(t.Context(), owner, owner, createOptions)
+	require.NoError(t, err)
+	if !opts.SkipCleanup {
+		t.Cleanup(func() {
+			_ = repo_service.DeleteRepository(t.Context(), owner, repo, false)
+		})
+	}
+	require.NotEmpty(t, repo)
+
+	if !createOptions.AutoInit && opts.Files != nil {
+		sha, err := initRepo(owner, repo, gitFormat, opts.Files, "init")
+		require.NoError(t, err)
+		if opts.LatestSha != nil {
+			*opts.LatestSha = sha
+		}
+
+		// reload the repo since pushing a commit might update the model via the push_update queue (IsEmpty for instance)
+		repo, err = repo_model.GetRepositoryByID(t.Context(), repo.ID)
+		require.NoError(t, err)
+	}
+	repo.Owner = owner
+
+	return repo
+}
+
+func InitWiki(t testing.TB, repo *repo_model.Repository, branch string) {
+	// Set the wiki branch in the database first
+	repo.WikiBranch = branch
+	err := repo_model.UpdateRepositoryCols(t.Context(), repo, "wiki_branch")
+	require.NoError(t, err)
+
+	// Initialize the wiki
+	err = wiki_service.InitWiki(t.Context(), repo)
+	require.NoError(t, err)
+
+	// Add a new wiki page
+	err = wiki_service.AddWikiPage(t.Context(), repo.Owner, repo, "Home", "Welcome to the wiki!", "Add a Home page")
+	require.NoError(t, err)
+}
+
+// config may be nil
+func EnableRepoUnit(t testing.TB, repo *repo_model.Repository, unit unit_model.Type, config convert.Conversion) {
+	t.Helper()
+
+	err := repo_service.UpdateRepositoryUnits(t.Context(), repo, []repo_model.RepoUnit{{
+		RepoID: repo.ID,
+		Type:   unit,
+		Config: config,
+	}}, nil)
+	require.NoError(t, err)
+}
+
+func DisableRepoUnits(t testing.TB, repo *repo_model.Repository, units ...unit_model.Type) {
+	t.Helper()
+
+	err := repo_service.UpdateRepositoryUnits(t.Context(), repo, nil, units)
+	require.NoError(t, err)
+}
diff --git a/tests/forgery/user.go b/tests/forgery/user.go
new file mode 100644
index 0000000000..1175297497
--- /dev/null
+++ b/tests/forgery/user.go
@@ -0,0 +1,66 @@
+// Copyright 2026 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package forgery
+
+import (
+	"math/rand/v2"
+	"regexp"
+	"strconv"
+	"testing"
+
+	org_model "forgejo.org/models/organization"
+	user_model "forgejo.org/models/user"
+
+	"github.com/stretchr/testify/require"
+)
+
+var nameCleaner = regexp.MustCompile(`[^a-zA-Z0-9-]+`) // exclude "_", to prevent multiple consecutive dashes
+
+// uniqueSafeName replaces specials chars with _ and appends a random hex suffix
+func uniqueSafeName(testName string) string {
+	return nameCleaner.ReplaceAllLiteralString(testName, "_") + "-" + strconv.FormatUint(uint64(rand.Uint32()), 16)
+}
+
+type CreateUserOptions struct {
+	IsAdmin bool
+}
+
+const userPassword = "password"
+
+func CreateUser(t testing.TB, opts *CreateUserOptions) *user_model.User {
+	t.Helper()
+
+	if opts == nil {
+		opts = &CreateUserOptions{}
+	}
+	u := &user_model.User{}
+
+	name := "user-" + uniqueSafeName(t.Name())
+
+	u.Name = name
+	u.Email = name + "@test.forgejo.org"
+	u.Passwd = userPassword
+	u.IsAdmin = opts.IsAdmin
+
+	err := user_model.CreateUser(t.Context(), u)
+	require.NoError(t, err)
+	return u
+}
+
+func CreateOrganisation(t testing.TB, owner *user_model.User) *org_model.Organization {
+	t.Helper()
+
+	if owner == nil {
+		owner = CreateUser(t, nil) // if specific options are needed, create the owner manually
+	}
+	o := &org_model.Organization{}
+
+	name := "org-" + uniqueSafeName(t.Name())
+
+	o.Name = name
+
+	err := org_model.CreateOrganization(t.Context(), o, owner)
+	require.NoError(t, err)
+	return o
+}
diff --git a/tests/integration/actions_trigger_test.go b/tests/integration/actions_trigger_test.go
index 914acadf14..f5898682ce 100644
--- a/tests/integration/actions_trigger_test.go
+++ b/tests/integration/actions_trigger_test.go
@@ -36,6 +36,7 @@ import (
 	repo_service "forgejo.org/services/repository"
 	files_service "forgejo.org/services/repository/files"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -1212,17 +1213,13 @@ jobs:
 				user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 				// create the repo
-				repo, sha, f := tests.CreateDeclarativeRepo(t, user2, "repo-workflow-dispatch",
-					[]unit_model.Type{unit_model.TypeActions}, nil,
-					[]*files_service.ChangeRepoFile{
-						{
-							Operation:     "create",
-							TreePath:      fmt.Sprintf("%s/%s", testCase.workflowDirectory, testCase.workflowID),
-							ContentReader: strings.NewReader(testCase.workflowContent),
-						},
+				var sha string
+				repo := forgery.CreateRepository(t, user2, &forgery.CreateRepositoryOptions{
+					Files: forgery.MapFS{
+						fmt.Sprintf("%s/%s", testCase.workflowDirectory, testCase.workflowID): forgery.MapFile(testCase.workflowContent),
 					},
-				)
-				defer f()
+					LatestSha: &sha,
+				})
 
 				schedules, err := db.Find[actions_model.ActionSchedule](t.Context(), actions_model.FindScheduleOptions{RepoID: repo.ID})
 				require.NoError(t, err)
diff --git a/tests/integration/api_activitypub_person_inbox_useractivity_test.go b/tests/integration/api_activitypub_person_inbox_useractivity_test.go
index 025bba024a..458627127d 100644
--- a/tests/integration/api_activitypub_person_inbox_useractivity_test.go
+++ b/tests/integration/api_activitypub_person_inbox_useractivity_test.go
@@ -21,7 +21,7 @@ import (
 	"forgejo.org/routers"
 	"forgejo.org/services/contexttest"
 	"forgejo.org/services/federation"
-	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	ap "github.com/go-ap/activitypub"
 	"github.com/stretchr/testify/assert"
@@ -122,8 +122,7 @@ func TestActivityPubPersonInboxNoteToDistant(t *testing.T) {
 		localSession2 := loginUser(t, localUser2.LoginName)
 		localSecssion2Token := getTokenForLoggedInUser(t, localSession2, auth_model.AccessTokenScopeWriteIssue)
 
-		repo, _, f := tests.CreateDeclarativeRepoWithOptions(t, localUser2, tests.DeclarativeRepoOptions{})
-		defer f()
+		repo := forgery.CreateRepository(t, localUser2, nil)
 
 		// follow (distant follows local)
 		followActivity := fmt.Appendf(nil,
diff --git a/tests/integration/api_issue_test.go b/tests/integration/api_issue_test.go
index 7f601fa303..512ebf56e4 100644
--- a/tests/integration/api_issue_test.go
+++ b/tests/integration/api_issue_test.go
@@ -20,15 +20,14 @@ import (
 	"forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"xorm.io/xorm/convert"
 )
 
 func TestAPIListIssues(t *testing.T) {
@@ -752,35 +751,28 @@ func TestAPISearchIssuesAccessTokenResources(t *testing.T) {
 func TestAPIInternalAndExternalIssueTracker(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
-	otherUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+	repoOptions := &forgery.CreateRepositoryOptions{
+		Files: forgery.FilesInit{}, // some tests will fail with 404 if the repository is empty
+	}
+	user := forgery.CreateUser(t, &forgery.CreateUserOptions{
+		IsAdmin: true,
+	})
+	otherUser := forgery.CreateUser(t, nil)
 	token := getUserToken(t, user.Name, auth_model.AccessTokenScopeAll)
 
-	internalIssueRepo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-		Name:          optional.Some("internal-issues"),
-		EnabledUnits:  optional.Some([]unit.Type{unit.TypeIssues}),
-		DisabledUnits: optional.Some([]unit.Type{unit.TypeExternalTracker}),
-		UnitConfig: optional.Some(map[unit.Type]convert.Conversion{
-			unit.TypeIssues: &repo_model.IssuesConfig{
-				EnableTimetracker:  true,
-				EnableDependencies: true,
-			},
-		}),
+	internalIssueRepo := forgery.CreateRepository(t, user, repoOptions)
+	forgery.DisableRepoUnits(t, internalIssueRepo, unit.TypeExternalTracker)
+	forgery.EnableRepoUnit(t, internalIssueRepo, unit.TypeIssues, &repo_model.IssuesConfig{
+		EnableTimetracker:  true,
+		EnableDependencies: true,
 	})
-	defer reset()
 
-	externalIssueRepo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-		Name:          optional.Some("external-issues"),
-		EnabledUnits:  optional.Some([]unit.Type{unit.TypeExternalTracker}),
-		DisabledUnits: optional.Some([]unit.Type{unit.TypeIssues}),
-	})
-	defer reset()
+	externalIssueRepo := forgery.CreateRepository(t, user, repoOptions)
+	forgery.DisableRepoUnits(t, externalIssueRepo, unit.TypeIssues)
+	forgery.EnableRepoUnit(t, internalIssueRepo, unit.TypeExternalTracker, nil)
 
-	disabledIssueRepo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-		Name:          optional.Some("disabled-issues"),
-		DisabledUnits: optional.Some([]unit.Type{unit.TypeIssues, unit.TypeExternalTracker}),
-	})
-	defer reset()
+	disabledIssueRepo := forgery.CreateRepository(t, user, repoOptions)
+	forgery.DisableRepoUnits(t, disabledIssueRepo, unit.TypeIssues, unit.TypeExternalTracker)
 
 	runTest := func(t *testing.T, repo *repo_model.Repository, requestAllowed bool) {
 		t.Helper()
@@ -937,15 +929,13 @@ func TestAPIIssueDependencyPermissions(t *testing.T) {
 	actingUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
 	token := getUserToken(t, actingUser.Name, auth_model.AccessTokenScopeAll)
 
-	actingUserRepo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, actingUser, tests.DeclarativeRepoOptions{})
-	defer reset()
+	actingUserRepo := forgery.CreateRepository(t, actingUser, nil)
 	actingUserIssue := createIssue(t, actingUser, actingUserRepo, "source issue", "some content")
 
 	otherUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
-	otherUserRepo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, otherUser, tests.DeclarativeRepoOptions{
-		IsPrivate: optional.Some(true),
+	otherUserRepo := forgery.CreateRepository(t, otherUser, &forgery.CreateRepositoryOptions{
+		IsPrivate: true,
 	})
-	defer reset()
 	otherUserIssue := createIssue(t, otherUser, otherUserRepo, "target issue", "some content")
 
 	apiEndpoint := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/dependencies", actingUserRepo.OwnerName, actingUserRepo.Name, actingUserIssue.Index)
diff --git a/tests/integration/api_org_variables_test.go b/tests/integration/api_org_variables_test.go
index 982c2f8fa5..0f0347f1fd 100644
--- a/tests/integration/api_org_variables_test.go
+++ b/tests/integration/api_org_variables_test.go
@@ -10,10 +10,9 @@ import (
 
 	actions_model "forgejo.org/models/actions"
 	auth_model "forgejo.org/models/auth"
-	org_model "forgejo.org/models/organization"
-	"forgejo.org/models/unittest"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -22,8 +21,9 @@ import (
 func TestAPIOrgVariablesCreateOrganizationVariable(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	org := unittest.AssertExistsAndLoadBean(t, &org_model.Organization{Name: "org3"})
-	session := loginUser(t, "user2")
+	owner := forgery.CreateUser(t, nil)
+	org := forgery.CreateOrganisation(t, owner)
+	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
 
 	cases := []struct {
@@ -98,8 +98,9 @@ func TestAPIOrgVariablesCreateOrganizationVariable(t *testing.T) {
 func TestAPIOrgVariablesUpdateOrganizationVariable(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	org := unittest.AssertExistsAndLoadBean(t, &org_model.Organization{Name: "org3"})
-	session := loginUser(t, "user2")
+	owner := forgery.CreateUser(t, nil)
+	org := forgery.CreateOrganisation(t, owner)
+	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
 
 	variableName := "test_update_var"
@@ -194,10 +195,12 @@ func TestAPIOrgVariablesUpdateOrganizationVariable(t *testing.T) {
 func TestAPIOrgVariablesDeleteOrganizationVariable(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	org := unittest.AssertExistsAndLoadBean(t, &org_model.Organization{Name: "org3"})
+	owner := forgery.CreateUser(t, nil)
+	org := forgery.CreateOrganisation(t, owner)
+
 	variable, err := actions_model.InsertVariable(t.Context(), org.ID, 0, "FORGEJO_FORBIDDEN", "illegal")
 	require.NoError(t, err)
-	session := loginUser(t, "user2")
+	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
 
 	variableName := "test_delete_var"
@@ -226,8 +229,9 @@ func TestAPIOrgVariablesDeleteOrganizationVariable(t *testing.T) {
 func TestAPIOrgVariablesGetSingleOrganizationVariable(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	org := unittest.AssertExistsAndLoadBean(t, &org_model.Organization{Name: "org3"})
-	session := loginUser(t, "user2")
+	owner := forgery.CreateUser(t, nil)
+	org := forgery.CreateOrganisation(t, owner)
+	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
 
 	name := "some_variable"
@@ -258,8 +262,9 @@ func TestAPIOrgVariablesGetSingleOrganizationVariable(t *testing.T) {
 func TestAPIOrgVariablesGetAllOrganizationVariables(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	org := unittest.AssertExistsAndLoadBean(t, &org_model.Organization{Name: "org3"})
-	session := loginUser(t, "user2")
+	owner := forgery.CreateUser(t, nil)
+	org := forgery.CreateOrganisation(t, owner)
+	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
 
 	variables := map[string]string{"second": "Dolor sit amet", "first": "Lorem ipsum"}
diff --git a/tests/integration/api_private_serv_test.go b/tests/integration/api_private_serv_test.go
index dd45f54c36..738925172c 100644
--- a/tests/integration/api_private_serv_test.go
+++ b/tests/integration/api_private_serv_test.go
@@ -17,7 +17,7 @@ import (
 	"forgejo.org/modules/private"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/test"
-	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -167,8 +167,7 @@ func TestAPIPrivateServAndNoServWithRequiredTwoFactor(t *testing.T) {
 
 		runTest := func(t *testing.T, user *user_model.User, useTOTP, servAllowed bool) {
 			t.Helper()
-			repo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{})
-			defer reset()
+			repo := forgery.CreateRepository(t, user, nil)
 
 			pubKey, err := asymkey_model.AddPublicKey(ctx, user.ID, "tmp-key-"+user.Name, "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBGXEEzWmm1dxb+57RoK5KVCL0w2eNv9cqJX2AGGVlkFsVDhOXHzsadS3LTK4VlEbbrDMJdoti9yM8vclA8IeRacAAAAEc3NoOg== nocomment", 0)
 			require.NoError(t, err)
diff --git a/tests/integration/api_push_mirror_test.go b/tests/integration/api_push_mirror_test.go
index b31c5cc766..8abaa1b919 100644
--- a/tests/integration/api_push_mirror_test.go
+++ b/tests/integration/api_push_mirror_test.go
@@ -26,7 +26,6 @@ import (
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
@@ -34,6 +33,7 @@ import (
 	mirror_service "forgejo.org/services/mirror"
 	repo_service "forgejo.org/services/repository"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -313,12 +313,7 @@ func TestAPIPushMirrorSSH(t *testing.T) {
 		assert.False(t, srcRepo.HasWiki())
 		session := loginUser(t, user.Name)
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-		pushToRepo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-			Name:         optional.Some("push-mirror-test"),
-			AutoInit:     optional.Some(false),
-			EnabledUnits: optional.Some([]unit.Type{unit.TypeCode}),
-		})
-		defer f()
+		pushToRepo := forgery.CreateRepository(t, user, &forgery.CreateRepositoryOptions{})
 
 		sshURL := fmt.Sprintf("ssh://%s@%s/%s.git", setting.SSH.User, net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)), pushToRepo.FullName())
 
diff --git a/tests/integration/api_quota_use_test.go b/tests/integration/api_quota_use_test.go
index 1ca44cc17e..97d5cab6a2 100644
--- a/tests/integration/api_quota_use_test.go
+++ b/tests/integration/api_quota_use_test.go
@@ -22,7 +22,6 @@ import (
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/migration"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
@@ -31,6 +30,7 @@ import (
 	"forgejo.org/services/forms"
 	repo_service "forgejo.org/services/repository"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -281,9 +281,10 @@ func prepareQuotaEnv(t *testing.T, username string) *quotaEnv {
 	env.cleanups = append(env.cleanups, userCleanup)
 
 	// Create a repository
-	repo, _, repoCleanup := tests.CreateDeclarativeRepoWithOptions(t, env.User.User, tests.DeclarativeRepoOptions{})
+	repo := forgery.CreateRepository(t, env.User.User, &forgery.CreateRepositoryOptions{
+		Files: forgery.FilesInit{}, // some tests will fail with 404 if the repository is empty
+	})
 	env.Repo = repo
-	env.cleanups = append(env.cleanups, repoCleanup)
 
 	return &env
 }
@@ -476,10 +477,9 @@ func testAPIQuotaEnforcement(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
 		// Create a template repository
-		template, _, cleanup := tests.CreateDeclarativeRepoWithOptions(t, env.User.User, tests.DeclarativeRepoOptions{
-			IsTemplate: optional.Some(true),
+		template := forgery.CreateRepository(t, env.User.User, &forgery.CreateRepositoryOptions{
+			IsTemplate: true,
 		})
-		defer cleanup()
 
 		// Drop the quota to 0
 		defer env.SetRuleLimit(t, "all", 0)()
@@ -513,8 +513,7 @@ func testAPIQuotaEnforcement(t *testing.T) {
 
 	t.Run("#/repos/{username}/{reponame}", func(t *testing.T) {
 		// Lets create a new repo to play with.
-		repo, _, repoCleanup := tests.CreateDeclarativeRepoWithOptions(t, env.User.User, tests.DeclarativeRepoOptions{})
-		defer repoCleanup()
+		repo := forgery.CreateRepository(t, env.User.User, nil)
 
 		// Drop the quota to 0
 		defer env.SetRuleLimit(t, "all", 0)()
@@ -1198,8 +1197,7 @@ func testAPIQuotaEnforcement(t *testing.T) {
 				defer tests.PrintCurrentTest(t)()
 
 				// Create a repository to transfer
-				repo, _, cleanup := tests.CreateDeclarativeRepoWithOptions(t, env.User.User, tests.DeclarativeRepoOptions{})
-				defer cleanup()
+				repo := forgery.CreateRepository(t, env.User.User, nil)
 
 				// Initiate repo transfer
 				req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer", env.User.User.Name, repo.Name), api.TransferRepoOption{
@@ -1233,8 +1231,7 @@ func testAPIQuotaEnforcement(t *testing.T) {
 				defer env.SetRuleLimit(t, "deny-all", -1)()
 
 				// Create a repository to transfer
-				repo, _, cleanup := tests.CreateDeclarativeRepoWithOptions(t, env.User.User, tests.DeclarativeRepoOptions{})
-				defer cleanup()
+				repo := forgery.CreateRepository(t, env.User.User, nil)
 
 				// Initiate repo transfer
 				req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer", env.User.User.Name, repo.Name), api.TransferRepoOption{
diff --git a/tests/integration/api_repo_activities_test.go b/tests/integration/api_repo_activities_test.go
index 08e10ad79e..43e813ba83 100644
--- a/tests/integration/api_repo_activities_test.go
+++ b/tests/integration/api_repo_activities_test.go
@@ -9,10 +9,10 @@ import (
 	"testing"
 
 	auth_model "forgejo.org/models/auth"
-	"forgejo.org/models/unittest"
-	user_model "forgejo.org/models/user"
 	api "forgejo.org/modules/structs"
+	notify_service "forgejo.org/services/notify"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -20,9 +20,9 @@ import (
 func TestAPIRepoActivityFeeds(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
-	repo, _, f := tests.CreateDeclarativeRepoWithOptions(t, owner, tests.DeclarativeRepoOptions{})
-	defer f()
+	repo := forgery.CreateRepository(t, nil, nil)
+	owner := repo.Owner
+	notify_service.CreateRepository(t.Context(), owner, owner, repo)
 
 	feedURL := fmt.Sprintf("/api/v1/repos/%s/activities/feeds", repo.FullName())
 	assertAndReturnActivities := func(t *testing.T, length int) []api.Activity {
@@ -66,7 +66,7 @@ func TestAPIRepoActivityFeeds(t *testing.T) {
 	t.Run("a new watcher, no new activities", func(t *testing.T) {
 		defer tests.PrintCurrentTest(t)()
 
-		watcher := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		watcher := forgery.CreateUser(t, nil)
 		watcherSession := loginUser(t, watcher.Name)
 		watcherToken := getTokenForLoggedInUser(t, watcherSession, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeReadUser)
 
diff --git a/tests/integration/api_wiki_test.go b/tests/integration/api_wiki_test.go
index d1a4102060..9639621591 100644
--- a/tests/integration/api_wiki_test.go
+++ b/tests/integration/api_wiki_test.go
@@ -16,10 +16,10 @@ import (
 	unit_model "forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
-	"forgejo.org/modules/optional"
 	api "forgejo.org/modules/structs"
 	repo_service "forgejo.org/services/repository"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -342,11 +342,7 @@ func TestAPISetWikiGlobalEditability(t *testing.T) {
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
 
 	// Create a new repository for testing purposes
-	repo, _, f := tests.CreateDeclarativeRepo(t, user, "", []unit_model.Type{
-		unit_model.TypeCode,
-		unit_model.TypeWiki,
-	}, nil, nil)
-	defer f()
+	repo := forgery.CreateRepository(t, user, nil)
 	urlStr := fmt.Sprintf("/api/v1/repos/%s", repo.FullName())
 
 	assertGlobalEditability := func(t *testing.T, editability bool) {
@@ -433,11 +429,8 @@ func TestAPIListPageRevisions(t *testing.T) {
 
 func TestAPIWikiNonMasterBranch(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, _ *url.URL) {
-		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
-		repo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-			WikiBranch: optional.Some("main"),
-		})
-		defer f()
+		repo := forgery.CreateRepository(t, nil, nil)
+		forgery.InitWiki(t, repo, "main")
 
 		uris := []string{
 			"revisions/Home",
diff --git a/tests/integration/compare_test.go b/tests/integration/compare_test.go
index 070f7e1b20..57c31a0dca 100644
--- a/tests/integration/compare_test.go
+++ b/tests/integration/compare_test.go
@@ -15,13 +15,11 @@ import (
 	repo_model "forgejo.org/models/repo"
 	unit_model "forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
-	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/gitrepo"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/test"
 	repo_service "forgejo.org/services/repository"
-	files_service "forgejo.org/services/repository/files"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/PuerkitoBio/goquery"
 	"github.com/stretchr/testify/assert"
@@ -343,22 +341,16 @@ func TestCompareCrossRepo(t *testing.T) {
 
 func TestCompareCodeExpand(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
-		owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
-
 		// Create a new repository, with a file that has many lines
-		repo, _, f := tests.CreateDeclarativeRepoWithOptions(t, owner, tests.DeclarativeRepoOptions{
-			Files: optional.Some([]*files_service.ChangeRepoFile{
-				{
-					Operation:     "create",
-					TreePath:      "docs.md",
-					ContentReader: strings.NewReader("01\n02\n03\n04\n05\n06\n07\n08\n09\n0a\n0b\n0c\n0d\n0e\n0f\n10\n11\n12\n12\n13\n14\n15\n16\n17\n18\n19\n1a\n1b\n1c\n1d\n1e\n1f\n20\n"),
-				},
-			}),
+		repo := forgery.CreateRepository(t, nil, &forgery.CreateRepositoryOptions{
+			Files: forgery.MapFS{
+				"docs.md": forgery.MapFile("01\n02\n03\n04\n05\n06\n07\n08\n09\n0a\n0b\n0c\n0d\n0e\n0f\n10\n11\n12\n12\n13\n14\n15\n16\n17\n18\n19\n1a\n1b\n1c\n1d\n1e\n1f\n20\n"),
+			},
 		})
-		defer f()
+		owner := repo.Owner
 
 		// Fork the repository
-		forker := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		forker := forgery.CreateUser(t, nil)
 		session := loginUser(t, forker.Name)
 		testRepoFork(t, session, owner.Name, repo.Name, forker.Name, repo.Name+"-copy")
 		testCreateBranch(t, session, forker.Name, repo.Name+"-copy", "branch/main", "code-expand", http.StatusSeeOther)
diff --git a/tests/integration/issue_test.go b/tests/integration/issue_test.go
index c0ecf6b3bc..5285e83df6 100644
--- a/tests/integration/issue_test.go
+++ b/tests/integration/issue_test.go
@@ -26,16 +26,15 @@ import (
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/indexer/issues"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/references"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
 	"forgejo.org/modules/translation"
 	repo_service "forgejo.org/services/repository"
-	files_service "forgejo.org/services/repository/files"
 	user_service "forgejo.org/services/user"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/PuerkitoBio/goquery"
 	"github.com/stretchr/testify/assert"
@@ -489,8 +488,7 @@ func TestIssueDependencies(t *testing.T) {
 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
 
-	repo, _, f := tests.CreateDeclarativeRepoWithOptions(t, owner, tests.DeclarativeRepoOptions{})
-	defer f()
+	repo := forgery.CreateRepository(t, owner, nil)
 
 	createIssue := func(t *testing.T, title string) api.Issue {
 		t.Helper()
@@ -1359,13 +1357,9 @@ func TestIssueForm(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
 		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 		session := loginUser(t, user2.Name)
-		repo, _, f := tests.CreateDeclarativeRepo(t, user2, "",
-			[]unit_model.Type{unit_model.TypeCode, unit_model.TypeIssues}, nil,
-			[]*files_service.ChangeRepoFile{
-				{
-					Operation: "create",
-					TreePath:  ".forgejo/issue_template/test.yaml",
-					ContentReader: strings.NewReader(`name: Test
+		repo := forgery.CreateRepository(t, user2, &forgery.CreateRepositoryOptions{
+			Files: forgery.MapFS{
+				".forgejo/issue_template/test.yaml": forgery.MapFile(`name: Test
 about: Hello World
 body:
   - type: checkboxes
@@ -1375,10 +1369,8 @@ body:
       options:
         - label: This is a label
 `),
-				},
 			},
-		)
-		defer f()
+		})
 
 		t.Run("Choose list", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
@@ -1407,10 +1399,7 @@ body:
 func TestIssueUnsubscription(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
 		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
-		repo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-			AutoInit: optional.Some(false),
-		})
-		defer f()
+		repo := forgery.CreateRepository(t, user, &forgery.CreateRepositoryOptions{})
 		session := loginUser(t, user.Name)
 
 		issueURL := testNewIssue(t, session, user.Name, repo.Name, "Issue title", "Description")
diff --git a/tests/integration/migrate_test.go b/tests/integration/migrate_test.go
index 7d244ce60f..8f609a2bfe 100644
--- a/tests/integration/migrate_test.go
+++ b/tests/integration/migrate_test.go
@@ -20,13 +20,13 @@ import (
 	"forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
 	"forgejo.org/modules/translation"
 	"forgejo.org/services/migrations"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -196,11 +196,9 @@ func TestMigrateWithWiki(t *testing.T) {
 		defer test.MockVariableValue(&setting.AppVer, "1.16.0")()
 		require.NoError(t, migrations.Init())
 
-		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-		repo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-			WikiBranch: optional.Some("obscure-name"),
-		})
-		defer f()
+		repo := forgery.CreateRepository(t, nil, nil)
+		forgery.InitWiki(t, repo, "obscure-name")
+		user := repo.Owner
 
 		session := loginUser(t, user.Name)
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeReadMisc)
diff --git a/tests/integration/mirror_pull_test.go b/tests/integration/mirror_pull_test.go
index 9a520ae5a5..9b831f4beb 100644
--- a/tests/integration/mirror_pull_test.go
+++ b/tests/integration/mirror_pull_test.go
@@ -22,7 +22,6 @@ import (
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/gitrepo"
 	"forgejo.org/modules/migration"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/process"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/structs"
@@ -34,6 +33,7 @@ import (
 	repo_service "forgejo.org/services/repository"
 	files_service "forgejo.org/services/repository/files"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/PuerkitoBio/goquery"
 	"github.com/google/uuid"
@@ -183,19 +183,14 @@ func TestMirrorPull(t *testing.T) {
 					user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
 					// Create the source repository that will be mirrored.
-					sourceRepo, sourceRepoSha, cleanupSource := tests.CreateDeclarativeRepoWithOptions(t, user2,
-						tests.DeclarativeRepoOptions{
-							IsPrivate: optional.Some(mc.privateSource),
-							Files: optional.Some([]*files_service.ChangeRepoFile{
-								{
-									Operation:     "create",
-									TreePath:      "docs.md",
-									ContentReader: strings.NewReader("hello, world"),
-								},
-							}),
+					var sourceRepoSha string
+					sourceRepo := forgery.CreateRepository(t, user2, &forgery.CreateRepositoryOptions{
+						IsPrivate: mc.privateSource,
+						Files: forgery.MapFS{
+							"docs.md": forgery.MapFile("hello, world"),
 						},
-					)
-					defer cleanupSource()
+						LatestSha: &sourceRepoSha,
+					})
 					require.NotEmpty(t, sourceRepoSha)
 
 					// Create pull mirror
@@ -239,10 +234,7 @@ func TestMirrorPull(t *testing.T) {
 
 		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 
-		mirrorRepo, _, cleanupMirror := tests.CreateDeclarativeRepoWithOptions(t, user2,
-			tests.DeclarativeRepoOptions{},
-		)
-		defer cleanupMirror()
+		mirrorRepo := forgery.CreateRepository(t, user2, nil)
 
 		// Write to the repo a config file that would have plausibly existed before EncryptedRemoteAddress was
 		// introduced:
@@ -343,8 +335,8 @@ func createPullMirrorViaWeb(t *testing.T, sourceRepo *repo_model.Repository, aut
 			body := resp.Body.String()
 			lastBody = body
 			// Looking for the repo page to be fully populated indicating that the migration is complete:
-			// Check that the first commit message is present:
-			if !strings.Contains(body, "Initial commit") {
+			// Check that the committed file is present:
+			if !strings.Contains(body, "docs.md") {
 				return false
 			}
 			// Check that the fork button is present:
diff --git a/tests/integration/mirror_push_test.go b/tests/integration/mirror_push_test.go
index 3f5a8223c8..95981c9ce6 100644
--- a/tests/integration/mirror_push_test.go
+++ b/tests/integration/mirror_push_test.go
@@ -21,12 +21,10 @@ import (
 	auth_model "forgejo.org/models/auth"
 	"forgejo.org/models/db"
 	repo_model "forgejo.org/models/repo"
-	"forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/gitrepo"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
@@ -37,6 +35,7 @@ import (
 	mirror_service "forgejo.org/services/mirror"
 	repo_service "forgejo.org/services/repository"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/PuerkitoBio/goquery"
 	"github.com/stretchr/testify/assert"
@@ -228,12 +227,7 @@ func TestSSHPushMirror(t *testing.T) {
 		assert.False(t, srcRepo.HasWiki())
 		sess := loginUser(t, user.Name)
 
-		pushToRepo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-			Name:         optional.Some("push-mirror-misc-test"),
-			AutoInit:     optional.Some(false),
-			EnabledUnits: optional.Some([]unit.Type{unit.TypeCode}),
-		})
-		defer f()
+		pushToRepo := forgery.CreateRepository(t, user, &forgery.CreateRepositoryOptions{})
 		sshURL := fmt.Sprintf("ssh://%s@%s/%s.git", setting.SSH.User, net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)), pushToRepo.FullName())
 
 		t.Run("Mutual exclusive", func(t *testing.T) {
@@ -286,12 +280,7 @@ func TestSSHPushMirror(t *testing.T) {
 		testMirrorPush := func(t *testing.T, srcRepo *repo_model.Repository, expectedSHA string) {
 			t.Helper()
 
-			pushToRepo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-				Name:         optional.Some("push-mirror-test"),
-				AutoInit:     optional.Some(false),
-				EnabledUnits: optional.Some([]unit.Type{unit.TypeCode}),
-			})
-			defer f()
+			pushToRepo := forgery.CreateRepository(t, user, &forgery.CreateRepositoryOptions{})
 			sshURL := fmt.Sprintf("ssh://%s@%s/%s.git", setting.SSH.User, net.JoinHostPort(setting.SSH.ListenHost, strconv.Itoa(setting.SSH.ListenPort)), pushToRepo.FullName())
 
 			var pushMirror *repo_model.PushMirror
@@ -404,8 +393,7 @@ func TestPushMirrorBranchFilterWebUI(t *testing.T) {
 		srcRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
 		sess := loginUser(t, user.Name)
 
-		mirrorRepo, _, f := tests.CreateDeclarativeRepo(t, user, "", []unit.Type{unit.TypeCode}, nil, nil)
-		defer f()
+		mirrorRepo := forgery.CreateRepository(t, user, nil)
 
 		ctx := NewAPITestContext(t, user.LowerName, srcRepo.Name, auth_model.AccessTokenScopeReadRepository)
 		ctx.Session = sess
@@ -595,12 +583,8 @@ func TestPushMirrorSettings(t *testing.T) {
 		srcRepo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
 		assert.False(t, srcRepo.HasWiki())
 		sess := loginUser(t, user.Name)
-		pushToRepo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-			Name:         optional.Some("push-mirror-test"),
-			AutoInit:     optional.Some(false),
-			EnabledUnits: optional.Some([]unit.Type{unit.TypeCode}),
-		})
-		defer f()
+
+		pushToRepo := forgery.CreateRepository(t, user, &forgery.CreateRepositoryOptions{})
 
 		t.Run("Adding", func(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
@@ -904,8 +888,7 @@ func TestPushMirrorWebUIToAPIIntegration(t *testing.T) {
 		session := loginUser(t, user.Name)
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeAll)
 
-		mirrorRepo, _, f := tests.CreateDeclarativeRepo(t, user, "", []unit.Type{unit.TypeCode}, nil, nil)
-		defer f()
+		mirrorRepo := forgery.CreateRepository(t, user, nil)
 
 		ctx := NewAPITestContext(t, user.LowerName, srcRepo.Name, auth_model.AccessTokenScopeReadRepository)
 		ctx.Session = session
@@ -941,8 +924,7 @@ func TestPushMirrorWebUIToAPIIntegration(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
 			// Create another mirror repo for this test
-			mirrorRepo2, _, f := tests.CreateDeclarativeRepo(t, user, "", []unit.Type{unit.TypeCode}, nil, nil)
-			defer f()
+			mirrorRepo2 := forgery.CreateRepository(t, user, nil)
 			remoteAddress2 := fmt.Sprintf("%s%s/%s", u.String(), url.PathEscape(user.Name), url.PathEscape(mirrorRepo2.Name))
 
 			// Create push mirror with empty branch filter via web UI
@@ -967,8 +949,7 @@ func TestPushMirrorWebUIToAPIIntegration(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
 			// Create another mirror repo for this test
-			mirrorRepo3, _, f := tests.CreateDeclarativeRepo(t, user, "", []unit.Type{unit.TypeCode}, nil, nil)
-			defer f()
+			mirrorRepo3 := forgery.CreateRepository(t, user, nil)
 			remoteAddress3 := fmt.Sprintf("%s%s/%s", u.String(), url.PathEscape(user.Name), url.PathEscape(mirrorRepo3.Name))
 
 			// Create push mirror with complex branch filter via web UI
@@ -994,8 +975,7 @@ func TestPushMirrorWebUIToAPIIntegration(t *testing.T) {
 			defer tests.PrintCurrentTest(t)()
 
 			// Create another mirror repo for this test
-			mirrorRepo4, _, f := tests.CreateDeclarativeRepo(t, user, "", []unit.Type{unit.TypeCode}, nil, nil)
-			defer f()
+			mirrorRepo4 := forgery.CreateRepository(t, user, nil)
 			remoteAddress4 := fmt.Sprintf("%s%s/%s", u.String(), url.PathEscape(user.Name), url.PathEscape(mirrorRepo4.Name))
 
 			// First create a push mirror via API with initial branch filter
diff --git a/tests/integration/patch_status_test.go b/tests/integration/patch_status_test.go
index 9ada94bfc0..1acce03d6b 100644
--- a/tests/integration/patch_status_test.go
+++ b/tests/integration/patch_status_test.go
@@ -10,22 +10,19 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"
 	"time"
 
 	issues_model "forgejo.org/models/issues"
 	repo_model "forgejo.org/models/repo"
-	unit_model "forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/test"
 	pull_service "forgejo.org/services/pull"
-	files_service "forgejo.org/services/repository/files"
 	shared_automerge "forgejo.org/services/shared/automerge"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -36,24 +33,17 @@ func TestPatchStatus(t *testing.T) {
 		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
 		session := loginUser(t, user2.Name)
 
-		var objectFormat optional.Option[string]
+		var objectFormat git.ObjectFormat
 		if git.SupportHashSha256 {
-			objectFormat = optional.Some("sha256")
+			objectFormat = git.Sha256ObjectFormat
 		}
 
-		repo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user2, tests.DeclarativeRepoOptions{
-			AutoInit:     optional.Some(true),
-			EnabledUnits: optional.Some([]unit_model.Type{unit_model.TypeCode}),
+		repo := forgery.CreateRepository(t, user2, &forgery.CreateRepositoryOptions{
+			Files: forgery.MapFS{
+				".spokeperson": forgery.MapFile("n0toose"),
+			},
 			ObjectFormat: objectFormat,
-			Files: optional.Some([]*files_service.ChangeRepoFile{
-				{
-					Operation:     "create",
-					TreePath:      ".spokeperson",
-					ContentReader: strings.NewReader("n0toose"),
-				},
-			}),
 		})
-		defer f()
 
 		testAutomergeQueued := func(t *testing.T, pr *issues_model.PullRequest, expected issues_model.PullRequestStatus) {
 			t.Helper()
diff --git a/tests/integration/pull_review_test.go b/tests/integration/pull_review_test.go
index 8c7b302c68..3c0f4344f1 100644
--- a/tests/integration/pull_review_test.go
+++ b/tests/integration/pull_review_test.go
@@ -38,6 +38,7 @@ import (
 	repo_service "forgejo.org/services/repository"
 	files_service "forgejo.org/services/repository/files"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/PuerkitoBio/goquery"
 	"github.com/google/uuid"
@@ -1816,21 +1817,14 @@ func newPullRequestCommentPlacementTester(t *testing.T) *PullRequestCommentPlace
 		content.WriteString(fmt.Sprintf("Line %d\n", i+1)) // +1 -> make "Line N" appear on the Nth line and avoid off-by-one confusions
 	}
 
-	repo, initialSHA, reset := tests.CreateDeclarativeRepoWithOptions(t, user2, tests.DeclarativeRepoOptions{
-		Files: optional.Some([]*files_service.ChangeRepoFile{
-			{
-				Operation:     "create",
-				TreePath:      "file1.md",
-				ContentReader: strings.NewReader(content.String()),
-			},
-			{
-				Operation:     "create",
-				TreePath:      "file2.md",
-				ContentReader: strings.NewReader(content.String()),
-			},
-		}),
+	var initialSHA string
+	repo := forgery.CreateRepository(t, user2, &forgery.CreateRepositoryOptions{
+		Files: forgery.MapFS{
+			"file1.md": forgery.MapFile(content.String()),
+			"file2.md": forgery.MapFile(content.String()),
+		},
+		LatestSha: &initialSHA,
 	})
-	t.Cleanup(reset)
 
 	return &PullRequestCommentPlacementTester{
 		t:           t,
diff --git a/tests/integration/quota_use_test.go b/tests/integration/quota_use_test.go
index dd5afd1aed..fb9619adee 100644
--- a/tests/integration/quota_use_test.go
+++ b/tests/integration/quota_use_test.go
@@ -19,7 +19,6 @@ import (
 	org_model "forgejo.org/models/organization"
 	quota_model "forgejo.org/models/quota"
 	repo_model "forgejo.org/models/repo"
-	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
 	"forgejo.org/modules/setting"
@@ -29,8 +28,8 @@ import (
 	app_context "forgejo.org/services/context"
 	repo_service "forgejo.org/services/repository"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
-	gouuid "github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -1025,13 +1024,13 @@ func createQuotaWebEnv(t *testing.T) *quotaWebEnv {
 		user := quotaWebEnvUser{}
 
 		// Create the user
-		userName := gouuid.NewString()
-		apiCreateUser(t, userName)
-		user.User = unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: userName})
-		user.Session = loginUser(t, userName)
+		user.User = forgery.CreateUser(t, nil)
+		user.Session = loginUser(t, user.User.Name)
 
 		// Create a repository for the user
-		repo, _, _ := tests.CreateDeclarativeRepoWithOptions(t, user.User, tests.DeclarativeRepoOptions{})
+		repo := forgery.CreateRepository(t, user.User, &forgery.CreateRepositoryOptions{
+			Files: forgery.FilesInit{},
+		})
 		user.Repo = repo
 
 		return user
@@ -1072,25 +1071,21 @@ func createQuotaWebEnv(t *testing.T) *quotaWebEnv {
 		org := quotaWebEnvOrg{}
 
 		// Create the org
-		userName := gouuid.NewString()
-		org.Org = &org_model.Organization{
-			Name: userName,
-		}
-		err := org_model.CreateOrganization(db.DefaultContext, org.Org, owner)
-		require.NoError(t, err)
+		org.Org = forgery.CreateOrganisation(t, owner)
 
 		// Create a repository for the org
-		orgUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: org.Org.ID})
-		repo, _, _ := tests.CreateDeclarativeRepoWithOptions(t, orgUser, tests.DeclarativeRepoOptions{})
+		repo := forgery.CreateRepository(t, org.Org.AsUser(), &forgery.CreateRepositoryOptions{
+			Files: forgery.FilesInit{},
+		})
 		org.Repo = repo
 
 		// Create a quota group for them
-		group, err := quota_model.CreateGroup(db.DefaultContext, userName)
+		group, err := quota_model.CreateGroup(db.DefaultContext, org.Org.Name)
 		require.NoError(t, err)
 		org.QuotaGroup = group
 
 		// Create a rule
-		rule, err := quota_model.CreateRule(db.DefaultContext, userName, limit, quota_model.LimitSubjects{quota_model.LimitSubjectSizeAll})
+		rule, err := quota_model.CreateRule(db.DefaultContext, org.Org.Name, limit, quota_model.LimitSubjects{quota_model.LimitSubjectSizeAll})
 		require.NoError(t, err)
 		org.QuotaRule = rule
 
diff --git a/tests/integration/repo_generate_test.go b/tests/integration/repo_generate_test.go
index 637f0a478d..aec2a89719 100644
--- a/tests/integration/repo_generate_test.go
+++ b/tests/integration/repo_generate_test.go
@@ -17,12 +17,11 @@ import (
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/test"
 	"forgejo.org/modules/translation"
-	files_service "forgejo.org/services/repository/files"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -243,40 +242,27 @@ func TestRepoGenerateTemplating(t *testing.T) {
 		expected := `# %s
 	This is a Repo By %s
 	ThisIsThe%sInAnInlineWay`
-		templateName := "my_template"
-		generatedName := "my_generated"
 
-		userName := "user1"
-		session := loginUser(t, userName)
-		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: userName})
-
-		template, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-			Name:       optional.Some(templateName),
-			IsTemplate: optional.Some(true),
-			Files: optional.Some([]*files_service.ChangeRepoFile{
-				{
-					Operation:     "create",
-					TreePath:      ".forgejo/template",
-					ContentReader: strings.NewReader("**/Readme.md"),
-				},
-				{
-					Operation:     "create",
-					TreePath:      "dira-${REPO_NAME}/dirb-${REPO_NAME}/Readme.md",
-					ContentReader: strings.NewReader(input),
-				},
-			}),
+		template := forgery.CreateRepository(t, nil, &forgery.CreateRepositoryOptions{
+			IsTemplate: true,
+			Files: forgery.MapFS{
+				".forgejo/template":                             forgery.MapFile("**/Readme.md"),
+				"dira-${REPO_NAME}/dirb-${REPO_NAME}/Readme.md": forgery.MapFile(input),
+			},
 		})
-		defer f()
+		user := template.Owner
+		session := loginUser(t, user.Name)
 
 		// The repo.TemplateID field is not initialized. Luckily, the ID field holds the expected value
 		templateID := strconv.FormatInt(template.ID, 10)
+		generatedName := "my_generated"
 
 		testRepoGenerateSuccess(
 			t,
 			session,
 			templateID,
 			user.Name,
-			templateName,
+			template.Name,
 			user,
 			user,
 			generatedName,
@@ -310,9 +296,10 @@ func TestRepoGenerateTemplating(t *testing.T) {
 
 func TestRepoGenerateTemplatingSymlink(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
-		userName := "user1"
-		session := loginUser(t, userName)
-		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: userName})
+		user := forgery.CreateUser(t, &forgery.CreateUserOptions{
+			IsAdmin: true, // required to see the detailed error message on the error response
+		})
+		session := loginUser(t, user.Name)
 
 		testCases := []struct {
 			name          string
@@ -337,34 +324,18 @@ func TestRepoGenerateTemplatingSymlink(t *testing.T) {
 
 		for i, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
-				templateName := fmt.Sprintf("my_template-%d", i)
-				generatedName := fmt.Sprintf("my_generated-%d", i)
-				template, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-					Name:       optional.Some(templateName),
-					IsTemplate: optional.Some(true),
-					Files: optional.Some([]*files_service.ChangeRepoFile{
-						{
-							Operation:     "create",
-							TreePath:      ".forgejo/template",
-							ContentReader: strings.NewReader("**/Readme.md"),
-						},
-						{
-							Operation:     "create",
-							TreePath:      "actual-contents.txt",
-							ContentReader: strings.NewReader("Here are some contents. $REPO_NAME"),
-						},
-						{
-							Operation:     "create",
-							TreePath:      "problem/Readme.md",
-							ContentReader: strings.NewReader(tc.symlinkTarget),
-							Options:       files_service.RepoFileOptionMode(git.EntryModeSymlink),
-						},
-					}),
+				template := forgery.CreateRepository(t, user, &forgery.CreateRepositoryOptions{
+					IsTemplate: true,
+					Files: forgery.MapFS{
+						".forgejo/template":   forgery.MapFile("**/Readme.md"),
+						"actual-contents.txt": forgery.MapFile("Here are some contents. $REPO_NAME"),
+						"problem/Readme.md":   forgery.MapSymlink(tc.symlinkTarget),
+					},
 				})
-				defer f()
 
 				// The repo.TemplateID field is not initialized. Luckily, the ID field holds the expected value
 				templateID := strconv.FormatInt(template.ID, 10)
+				generatedName := fmt.Sprintf("my_generated-%d", i)
 
 				if tc.expectedError != "" {
 					resp := testRepoGenerateFailure(
@@ -372,7 +343,7 @@ func TestRepoGenerateTemplatingSymlink(t *testing.T) {
 						session,
 						templateID,
 						user.Name,
-						templateName,
+						template.Name,
 						user,
 						user,
 						generatedName,
@@ -384,7 +355,7 @@ func TestRepoGenerateTemplatingSymlink(t *testing.T) {
 						session,
 						templateID,
 						user.Name,
-						templateName,
+						template.Name,
 						user,
 						user,
 						generatedName,
@@ -419,36 +390,28 @@ func TestRepoGenerateTemplatingSymlink(t *testing.T) {
 
 func TestRepoGenerateTemplatingSymlinkGlobFile(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
-		templateName := "my_template"
-		generatedName := "my_generated"
-
-		userName := "user1"
-		session := loginUser(t, userName)
-		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: userName})
-
-		template, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-			Name:       optional.Some(templateName),
-			IsTemplate: optional.Some(true),
-			Files: optional.Some([]*files_service.ChangeRepoFile{
-				{
-					Operation:     "create",
-					TreePath:      ".forgejo/template",
-					ContentReader: strings.NewReader("/etc/passwd"),
-					Options:       files_service.RepoFileOptionMode(git.EntryModeSymlink),
-				},
-			}),
+		user := forgery.CreateUser(t, &forgery.CreateUserOptions{
+			IsAdmin: true, // required to see the detailed error message on the error response
+		})
+		session := loginUser(t, user.Name)
+
+		template := forgery.CreateRepository(t, user, &forgery.CreateRepositoryOptions{
+			IsTemplate: true,
+			Files: forgery.MapFS{
+				".forgejo/template": forgery.MapSymlink("/etc/passwd"),
+			},
 		})
-		defer f()
 
 		// The repo.TemplateID field is not initialized. Luckily, the ID field holds the expected value
 		templateID := strconv.FormatInt(template.ID, 10)
+		generatedName := "my_generated"
 
 		resp := testRepoGenerateFailure(
 			t,
 			session,
 			templateID,
 			user.Name,
-			templateName,
+			template.Name,
 			user,
 			user,
 			generatedName,
diff --git a/tests/integration/repo_test.go b/tests/integration/repo_test.go
index 299299ff0b..16dc7cd483 100644
--- a/tests/integration/repo_test.go
+++ b/tests/integration/repo_test.go
@@ -24,7 +24,6 @@ import (
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
-	"forgejo.org/modules/optional"
 	"forgejo.org/modules/setting"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/test"
@@ -32,6 +31,7 @@ import (
 	repo_service "forgejo.org/services/repository"
 	files_service "forgejo.org/services/repository/files"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/PuerkitoBio/goquery"
 	"github.com/stretchr/testify/assert"
@@ -1369,21 +1369,17 @@ func TestInitInstructions(t *testing.T) {
 
 	forEachObjectFormat(t, func(t *testing.T, objectFormat git.ObjectFormat) {
 		defer tests.PrintCurrentTest(t)()
-		name := objectFormat.Name()
+
 		var init string
-		if name == "sha1" {
+		if objectFormat == git.Sha1ObjectFormat {
 			init = "git init"
 		} else {
-			init = fmt.Sprintf("git init --object-format=%s", name)
+			init = fmt.Sprintf("git init --object-format=%s", objectFormat.Name())
 		}
 
-		repo, _, f := tests.CreateDeclarativeRepoWithOptions(t, user, tests.DeclarativeRepoOptions{
-			Name:         optional.Some(name + "-instruction"),
-			AutoInit:     optional.Some(false),
-			EnabledUnits: optional.Some([]unit_model.Type{unit_model.TypeCode}),
-			ObjectFormat: optional.Some(name),
+		repo := forgery.CreateRepository(t, user, &forgery.CreateRepositoryOptions{
+			ObjectFormat: objectFormat,
 		})
-		defer f()
 
 		portMatcher := regexp.MustCompile(`localhost:\d+`)
 		resp := session.MakeRequest(t, NewRequest(t, "GET", "/"+repo.FullName()), http.StatusOK)
@@ -1394,7 +1390,7 @@ func TestInitInstructions(t *testing.T) {
 git switch -c main
 git add README.md
 git commit -m "first commit"
-git remote add origin http://localhost/user2/%s-instruction.git
-git push -u origin main`, init, name), portMatcher.ReplaceAllString(htmlDoc.Find(".empty-repo-guide code").First().Text(), "localhost"))
+git remote add origin http://localhost/user2/%s.git
+git push -u origin main`, init, repo.Name), portMatcher.ReplaceAllString(htmlDoc.Find(".empty-repo-guide code").First().Text(), "localhost"))
 	})
 }
diff --git a/tests/integration/wiki_test.go b/tests/integration/wiki_test.go
index 1fd9378852..efccd20ef8 100644
--- a/tests/integration/wiki_test.go
+++ b/tests/integration/wiki_test.go
@@ -20,10 +20,10 @@ import (
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/git"
-	"forgejo.org/modules/optional"
 	api "forgejo.org/modules/structs"
 	"forgejo.org/modules/util"
 	"forgejo.org/tests"
+	"forgejo.org/tests/forgery"
 
 	"github.com/PuerkitoBio/goquery"
 	"github.com/google/uuid"
@@ -95,11 +95,10 @@ func doRepoWikiGitOperation(t *testing.T, serverURL *url.URL, method RepoWikiMet
 	repo := "repo1"
 	if target == RepoWikiPrivate {
 		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-		privateRepo, _, reset := tests.CreateDeclarativeRepoWithOptions(t, user2, tests.DeclarativeRepoOptions{
-			IsPrivate:    optional.Some(true),
-			EnabledUnits: optional.Some([]unit_model.Type{unit_model.TypeWiki}),
+		privateRepo := forgery.CreateRepository(t, user2, &forgery.CreateRepositoryOptions{
+			IsPrivate: true,
 		})
-		defer reset()
+		forgery.EnableRepoUnit(t, privateRepo, unit_model.TypeWiki, nil)
 
 		session := loginUser(t, user2.LoginName)
 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
diff --git a/tests/test_utils.go b/tests/test_utils.go
index 5e5b04c860..8314e8c58a 100644
--- a/tests/test_utils.go
+++ b/tests/test_utils.go
@@ -15,10 +15,10 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
-	"slices"
 	"strings"
 	"sync/atomic"
 	"testing"
+	"testing/fstest"
 	"time"
 
 	"forgejo.org/models/db"
@@ -29,10 +29,9 @@ import (
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/base"
 	"forgejo.org/modules/git"
-	"forgejo.org/modules/gitrepo"
 	"forgejo.org/modules/graceful"
 	"forgejo.org/modules/log"
-	"forgejo.org/modules/optional"
+	"forgejo.org/modules/options"
 	"forgejo.org/modules/process"
 	repo_module "forgejo.org/modules/repository"
 	"forgejo.org/modules/setting"
@@ -40,12 +39,10 @@ import (
 	"forgejo.org/modules/testlogger"
 	"forgejo.org/modules/util"
 	"forgejo.org/routers"
-	repo_service "forgejo.org/services/repository"
+	"forgejo.org/services/notify"
 	files_service "forgejo.org/services/repository/files"
-	wiki_service "forgejo.org/services/wiki"
+	"forgejo.org/tests/forgery"
 
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"xorm.io/xorm/convert"
 
@@ -386,169 +383,74 @@ func Printf(format string, args ...any) {
 	testlogger.Printf(format, args...)
 }
 
-type DeclarativeRepoOptions struct {
-	Name          optional.Option[string]
-	EnabledUnits  optional.Option[[]unit_model.Type]
-	DisabledUnits optional.Option[[]unit_model.Type]
-	UnitConfig    optional.Option[map[unit_model.Type]convert.Conversion]
-	Files         optional.Option[[]*files_service.ChangeRepoFile]
-	WikiBranch    optional.Option[string]
-	AutoInit      optional.Option[bool]
-	IsTemplate    optional.Option[bool]
-	ObjectFormat  optional.Option[string]
-	IsPrivate     optional.Option[bool]
-}
-
-func CreateDeclarativeRepoWithOptions(t *testing.T, owner *user_model.User, opts DeclarativeRepoOptions) (*repo_model.Repository, string, func()) {
-	t.Helper()
-
-	// Not using opts.Name.ValueOrDefault() here to avoid unnecessarily
-	// generating an UUID when a name is specified.
-	var repoName string
-	if has, value := opts.Name.Get(); has {
-		repoName = value
-	} else {
-		repoName = uuid.NewString()
-	}
-
-	var autoInit bool
-	if has, value := opts.AutoInit.Get(); has {
-		autoInit = value
-	} else {
-		autoInit = true
-	}
-
-	// Create the repository
-	repo, err := repo_service.CreateRepository(db.DefaultContext, owner, owner, repo_service.CreateRepoOptions{
-		Name:             repoName,
-		Description:      "Temporary Repo",
-		AutoInit:         autoInit,
-		Gitignores:       "",
-		License:          "WTFPL",
-		Readme:           "Default",
-		DefaultBranch:    "main",
-		IsTemplate:       opts.IsTemplate.ValueOrZeroValue(),
-		ObjectFormatName: opts.ObjectFormat.ValueOrZeroValue(),
-		IsPrivate:        opts.IsPrivate.ValueOrZeroValue(),
-	})
-	require.NoError(t, err)
-	assert.NotEmpty(t, repo)
-
-	// Populate `enabledUnits` if we have any enabled.
-	var enabledUnits []repo_model.RepoUnit
-	if has, units := opts.EnabledUnits.Get(); has {
-		enabledUnits = make([]repo_model.RepoUnit, len(units))
-
-		for i, unitType := range units {
-			var config convert.Conversion
-			if cfg, ok := opts.UnitConfig.ValueOrZeroValue()[unitType]; ok {
-				config = cfg
-			}
-			enabledUnits[i] = repo_model.RepoUnit{
-				RepoID: repo.ID,
-				Type:   unitType,
-				Config: config,
-			}
-		}
-	}
-
-	// Adjust the repo units according to our parameters.
-	if opts.EnabledUnits.Has() || opts.DisabledUnits.Has() {
-		err := repo_service.UpdateRepositoryUnits(db.DefaultContext, repo, enabledUnits, opts.DisabledUnits.ValueOrDefault(nil))
-		require.NoError(t, err)
-	}
-
-	// Add files, if any.
-	var sha string
-	if has, files := opts.Files.Get(); has {
-		assert.True(t, autoInit, "Files cannot be specified if AutoInit is disabled")
-
-		commitID, err := gitrepo.GetBranchCommitID(git.DefaultContext, repo, "main")
-		require.NoError(t, err)
-
-		resp, err := files_service.ChangeRepoFiles(git.DefaultContext, repo, owner, &files_service.ChangeRepoFilesOptions{
-			Files:     files,
-			Message:   "add files",
-			OldBranch: "main",
-			NewBranch: "main",
-			Author: &files_service.IdentityOptions{
-				Name:  owner.Name,
-				Email: owner.Email,
-			},
-			Committer: &files_service.IdentityOptions{
-				Name:  owner.Name,
-				Email: owner.Email,
-			},
-			Dates: &files_service.CommitDateOptions{
-				Author:    time.Now(),
-				Committer: time.Now(),
-			},
-			LastCommitID: commitID,
-		})
-		require.NoError(t, err)
-		assert.NotEmpty(t, resp)
-
-		sha = resp.Commit.SHA
-	}
-
-	// If there's a Wiki branch specified, create a wiki, and a default wiki page.
-	if has, value := opts.WikiBranch.Get(); has {
-		// Set the wiki branch in the database first
-		repo.WikiBranch = value
-		err := repo_model.UpdateRepositoryCols(db.DefaultContext, repo, "wiki_branch")
-		require.NoError(t, err)
-
-		// Initialize the wiki
-		err = wiki_service.InitWiki(db.DefaultContext, repo)
-		require.NoError(t, err)
-
-		// Add a new wiki page
-		err = wiki_service.AddWikiPage(db.DefaultContext, owner, repo, "Home", "Welcome to the wiki!", "Add a Home page")
-		require.NoError(t, err)
-	}
-
-	// Return the repo, the top commit, and a defer-able function to delete the
-	// repo.
-	return repo, sha, func() {
-		_ = repo_service.DeleteRepository(db.DefaultContext, owner, repo, false)
-	}
-}
-
+// Deprecated: use forgery.CreateRepository instead
 func CreateDeclarativeRepo(t *testing.T, owner *user_model.User, name string, enabledUnits, disabledUnits []unit_model.Type, files []*files_service.ChangeRepoFile) (*repo_model.Repository, string, func()) {
 	t.Helper()
 
-	var opts DeclarativeRepoOptions
-
-	if name != "" {
-		opts.Name = optional.Some(name)
+	opts := &forgery.CreateRepositoryOptions{
+		LatestSha: new(string),
+		Name:      name,
 	}
-	if enabledUnits != nil {
-		opts.EnabledUnits = optional.Some(enabledUnits)
 
-		if slices.Contains(enabledUnits, unit_model.TypePullRequests) {
-			opts.UnitConfig = optional.Some(map[unit_model.Type]convert.Conversion{
-				unit_model.TypePullRequests: &repo_model.PullRequestsConfig{
-					AllowMerge:           true,
-					AllowRebase:          true,
-					AllowRebaseMerge:     true,
-					AllowSquash:          true,
-					AllowFastForwardOnly: true,
-					AllowManualMerge:     true,
-					AllowRebaseUpdate:    true,
-					DefaultMergeStyle:    repo_model.MergeStyleMerge,
-					DefaultUpdateStyle:   repo_model.UpdateStyleMerge,
-				},
-			})
+	if len(files) > 0 {
+		licenseData, err := options.License("CC0-1.0")
+		require.NoError(t, err)
+		mfs := forgery.MapFS{
+			"README.md": forgery.MapFile("# " + t.Name() + "\n\nThis is a test repo created via test_utils"),
+			"LICENSE":   &fstest.MapFile{Data: licenseData},
 		}
+		for _, f := range files {
+			require.Empty(t, f.FromTreePath, f.TreePath)
+			if f.Operation != "create" {
+				require.Equal(t, "README.md", f.TreePath, "%q operation only expected on README.md", f.Operation)
+				if f.Operation == "delete" {
+					delete(mfs, f.TreePath)
+					continue
+				}
+				require.Equal(t, "update", f.Operation, "only update/delete operations are supported on README.md")
+			}
+			if f.SHA != "" {
+				require.Nil(t, f.ContentReader, f.TreePath)
+				mfs[f.TreePath] = forgery.MapSubmodule(f.SHA)
+			} else {
+				require.Nil(t, f.Options, f.TreePath)
+
+				data, err := io.ReadAll(f.ContentReader)
+				require.NoError(t, err)
+				mfs[f.TreePath] = &fstest.MapFile{
+					Data: data,
+				}
+			}
+		}
+		opts.Files = mfs
+	} else {
+		opts.Files = forgery.FilesInit{}
+	}
+
+	repo := forgery.CreateRepository(t, owner, opts)
+	notify.CreateRepository(t.Context(), owner, owner, repo) // CreateDeclarativeRepoWithOptions didn't call CreateRepositoryDirectly; notify manually to keep the same behavior
+
+	for _, unitType := range enabledUnits {
+		var config convert.Conversion
+		if unitType == unit_model.TypePullRequests {
+			config = &repo_model.PullRequestsConfig{
+				AllowMerge:           true,
+				AllowRebase:          true,
+				AllowRebaseMerge:     true,
+				AllowSquash:          true,
+				AllowFastForwardOnly: true,
+				AllowManualMerge:     true,
+				AllowRebaseUpdate:    true,
+				DefaultMergeStyle:    repo_model.MergeStyleMerge,
+				DefaultUpdateStyle:   repo_model.UpdateStyleMerge,
+			}
+		}
+		forgery.EnableRepoUnit(t, repo, unitType, config)
 	}
 	if disabledUnits != nil {
-		opts.DisabledUnits = optional.Some(disabledUnits)
+		forgery.DisableRepoUnits(t, repo, disabledUnits...)
 	}
-	if files != nil {
-		opts.Files = optional.Some(files)
-	}
-
-	return CreateDeclarativeRepoWithOptions(t, owner, opts)
+	return repo, *opts.LatestSha, func() {}
 }
 
 func WriteImageBody(t *testing.T, buff bytes.Buffer, filename string, body *bytes.Buffer) string {

From 6e5dbfa1692e6a5ca48470a79c1ddceca1143bc9 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 12 May 2026 22:41:07 +0200
Subject: [PATCH 286/287] fix: handle boolean workflow inputs correctly before
 jobparser evaluates with them (#12539)

Fixes https://code.forgejo.org/forgejo/forgejo-actions-feature-requests/issues/112.

Currently boolean `workflow_dispatch` values are being passed as strings during Forgejo's job parsing, causing both true & false to have the same behaviour when evaluated in a condition like this:

```
on:
  workflow_dispatch:
    inputs:
      win32:
        type: boolean

jobs:
  job1:
    strategy:
      matrix:
        runner: ${{ fromJSON(inputs.win32 == 'true' && '["win32", "win64"]' || '["win64"]') }}
    steps: # ...
```

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [ ] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12539
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
---
 services/actions/workflows.go             |  8 ++++
 tests/integration/actions_trigger_test.go | 58 +++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/services/actions/workflows.go b/services/actions/workflows.go
index a08a069cc1..d7d0f781d6 100644
--- a/services/actions/workflows.go
+++ b/services/actions/workflows.go
@@ -97,6 +97,8 @@ func (entry *Workflow) Dispatch(ctx context.Context, inputGetter InputValueGette
 		title = fullWorkflowID
 	}
 
+	// Runner expects a `map[string]string` for inputs in in the payload dispatch, but newer code in the Runner's
+	// jobparser library takes a map[string]any which is more directly actionable for parsing:
 	inputs := make(map[string]string)
 	inputsAny := make(map[string]any)
 	if workflowDispatch := wf.WorkflowDispatchConfig(); workflowDispatch != nil {
@@ -109,6 +111,12 @@ func (entry *Workflow) Dispatch(ctx context.Context, inputGetter InputValueGette
 			}
 			inputs[key] = value
 			inputsAny[key] = value
+			// To match the behaviour of the runner when parsing map[string]string into map[string]any, check for
+			// boolean type inputs and convert them to booleans for expression evaluation:
+			// https://code.forgejo.org/forgejo/runner/src/commit/d5693e379c034a3afcb920087570d9a6e179e86e/act/runner/expression.go#L435-L439
+			if input.Type == "boolean" {
+				inputsAny[key] = value == "true"
+			}
 		}
 	}
 
diff --git a/tests/integration/actions_trigger_test.go b/tests/integration/actions_trigger_test.go
index f5898682ce..19edb8b4ad 100644
--- a/tests/integration/actions_trigger_test.go
+++ b/tests/integration/actions_trigger_test.go
@@ -1009,6 +1009,64 @@ func TestActionsWorkflowDispatchDynamicMatrix(t *testing.T) {
 	})
 }
 
+// Early in the job parsing, dynamic matrices may need to access workflow inputs.  Boolean inputs need special handling
+// which is what this test case covers.
+func TestActionsWorkflowDispatchDynamicMatrixBooleanInput(t *testing.T) {
+	onApplicationRun(t, func(t *testing.T, u *url.URL) {
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+		// create the repo
+		repo, sha, f := tests.CreateDeclarativeRepo(t, user2, "repo-workflow-dispatch",
+			[]unit_model.Type{unit_model.TypeActions}, nil,
+			[]*files_service.ChangeRepoFile{
+				{
+					Operation: "create",
+					TreePath:  ".forgejo/workflows/dispatch.yml",
+					ContentReader: strings.NewReader(
+						"name: test\n" +
+							"on:\n" +
+							"  workflow_dispatch:\n" +
+							"    inputs:\n" +
+							"      win32:\n" +
+							"        description: 'Boolean'\n" +
+							"        required: false\n" +
+							"        type: boolean\n" +
+							"jobs:\n" +
+							"  test:\n" +
+							"    runs-on: ubuntu-latest\n" +
+							"    strategy:\n" +
+							"      matrix:\n" +
+							"        runner: ${{ fromJSON(inputs.win32 && '[\"win32\", \"win64\"]' || '[\"win64\"]') }}\n" +
+							"    steps:\n" +
+							"      - run: echo helloworld\n",
+					),
+				},
+			},
+		)
+		defer f()
+
+		gitRepo, err := gitrepo.OpenRepository(db.DefaultContext, repo)
+		require.NoError(t, err)
+		defer gitRepo.Close()
+
+		workflow, err := actions_service.GetWorkflowFromCommit(gitRepo, "main", "dispatch.yml")
+		require.NoError(t, err)
+		assert.Equal(t, "refs/heads/main", workflow.Ref)
+		assert.Equal(t, sha, workflow.Commit.ID.String())
+
+		inputGetter := func(key string) string {
+			return "false"
+		}
+
+		run, _, err := workflow.Dispatch(db.DefaultContext, inputGetter, repo, user2)
+		require.NoError(t, err)
+
+		jobs, err := actions_model.GetRunJobsByRunID(t.Context(), run.ID)
+		require.NoError(t, err)
+		assert.Len(t, jobs, 1)
+	})
+}
+
 func TestActionsWorkflowDispatchReusableWorkflow(t *testing.T) {
 	onApplicationRun(t, func(t *testing.T, u *url.URL) {
 		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})

From cc146bfa8aac4f7c2dd881bb85a8ca70448b82b0 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Wed, 13 May 2026 08:30:01 +0200
Subject: [PATCH 287/287] Update data.forgejo.org/forgejo/forgejo Docker tag to
 v11.0.14 (forgejo) (#12543)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12543
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
---
 .forgejo/workflows/build-release-integration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/build-release-integration.yml b/.forgejo/workflows/build-release-integration.yml
index 0c17898d43..3d024f5f9e 100644
--- a/.forgejo/workflows/build-release-integration.yml
+++ b/.forgejo/workflows/build-release-integration.yml
@@ -2,7 +2,7 @@ name: Integration tests for the release process
 enable-email-notifications: true
 
 env:
-  FORGEJO_VERSION: 11.0.13 # renovate: datasource=docker depName=data.forgejo.org/forgejo/forgejo
+  FORGEJO_VERSION: 11.0.14 # renovate: datasource=docker depName=data.forgejo.org/forgejo/forgejo
 
 on:
   push: