Mathieu Fenniak 3d6acf5e8c ci: add semgrep detection for API code ignoring repo-specific access tokens (#11476) ... This PR is part of a series (#11311). Prevents the usage of three internal APIs in the web API code: - `repo_model.SearchRepoOptions{}` without an `AuthorizationReducer` - `organization.SearchTeamRepoOptions{}` without an `AuthorizationReducer` - `access_model.GetUserRepoPermission()`, which doesn't take an `AuthorizationReducer` -- use `GetUserRepoPermissionWithReducer` instead. A couple lingering usages are marked with `// nosemgrep: ...` as they have been inspected and considered correct as-is. The `GetUserRepoPermission` is tested via the `.semgrep/tests` files; the other rules have been tested manually. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11476 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>		2026-03-03 17:55:35 +01:00
..
api	ci: add semgrep detection for API code ignoring repo-specific access tokens (#11476)	2026-03-03 17:55:35 +01:00
common	chore: fix typos throughout the codebase (#10753)	2026-01-26 22:57:33 +01:00
install	fix: don't clobber authorized_keys file during installation (#10948)	2026-01-23 18:38:09 +01:00
private	feat: detailed permission denied message on push (#10941)	2026-01-29 01:48:46 +01:00
utils	[PORT] drop utils.IsExternalURL (and expand IsRiskyRedirectURL tests) (#3167)	2024-04-15 13:03:08 +00:00
web	feat: add trace logging for oauth2 callback (#11175)	2026-03-02 02:08:21 +01:00
init.go	fix: don't clobber authorized_keys file during installation (#10948)	2026-01-23 18:38:09 +01:00