Merge of upstream 'release' into G-Node/gogs 'master'

.dockerignore

@@ -1,5 +1,5 @@
-packager
-packager/**
+.packager
+.packager/**
 scripts
 scripts/**
 .github/
@@ -8,7 +8,6 @@ config.codekit
 .dockerignore
 *.yml
 *.md
-.bra.toml
 .editorconfig
 .gitignore
 Dockerfile*

.editorconfig

@@ -16,7 +16,7 @@ indent_size = 4
 indent_style = tab
 indent_size = 2
 
-[*.{less,yml}]
+[*.{less, yml}]
 indent_style = space
 indent_size = 2
 

.gitattributes

@@ -3,7 +3,6 @@ conf/license/* linguist-vendored
 public/assets/* linguist-vendored
 public/plugins/* linguist-vendored
 public/css/themes/* linguist-vendored
-public/css/github.min.css linguist-vendored
 public/css/semantic-2.4.2.min.css linguist-vendored
 public/js/libs/* linguist-vendored
 public/js/jquery-3.4.1.min.js linguist-vendored

.github/ISSUE_TEMPLATE/bug_report.md

@@ -22,8 +22,11 @@ The issue will be closed without any explanation if it does not satisfy any of f
 **Describe the bug**
 <!-- A clear and concise description of what the bug is -->
 
-**Gogs version or commit**
-<!-- The version number or the commit SHA of the Gogs instance you use -->
+**Gogs version and commit**
+<!-- 
+  The version number or the commit SHA of the Gogs instance you use.
+  You can find these information in the admin dashboard ("/admin").
+-->
 
 **Git version**
 

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: "Code scanning - action"
+
+on:
+  push:
+    branches: [master]
+  schedule:
+    - cron: '0 19 * * 0'
+
+jobs:
+  CodeQL-Build:
+
+    # CodeQL runs on ubuntu-latest and windows-latest
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      # Override language selection by uncommenting this and choosing your languages
+      # with:
+      #   languages: go, javascript, csharp, python, cpp, java
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/go.yml

@@ -0,0 +1,54 @@
+name: Go
+on:
+  push:
+    branches:
+      - master
+      - main
+      - 'release/**'
+    paths:
+      - '**.go'
+  pull_request:
+    paths:
+      - '**.go'
+env:
+  GOPROXY: "https://proxy.golang.org"
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run golangci-lint
+        uses: actions-contrib/golangci-lint@v1
+        with:
+          args: 'run --timeout=30m'
+
+  test:
+    name: Test
+    strategy:
+      matrix:
+        go-version: [1.14.x, 1.15.x]
+        platform: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Run unit tests
+        run: go test -v -race -coverprofile=coverage -covermode=atomic ./...
+      - name: Upload coverage report to Codecov
+        uses: codecov/[email protected]
+        with:
+          file: ./coverage
+          flags: unittests
+      - name: Cache downloaded modules
+        uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-

.github/workflows/lsif.yml

@@ -1,17 +1,20 @@
 name: LSIF
 on: [push]
 jobs:
-  build:
+  lsif-go:
+    if: github.repository == 'gogs/gogs'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v1
       - name: Generate LSIF data
         uses: sourcegraph/lsif-go-action@master
+      - name: Upload LSIF data to sourcegraph.com
+        continue-on-error: true
+        uses: docker://sourcegraph/src-cli:latest
         with:
-          verbose: 'true'
-      - name: Upload LSIF data
-        uses: sourcegraph/lsif-upload-action@master
+          args: lsif upload -github-token=${{ secrets.GITHUB_TOKEN }}
+      - name: Upload LSIF data to sourcegraph.unknwon.cn
         continue-on-error: true
+        uses: docker://sourcegraph/src-cli:latest
         with:
-          endpoint: https://sourcegraph.com
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          args: -endpoint=https://sourcegraph.unknwon.cn lsif upload -github-token=${{ secrets.GITHUB_TOKEN }}

.github/workflows/shell.yml

@@ -0,0 +1,13 @@
+name: Shell
+on:
+  push:
+    branches: [master]
+  pull_request:
+jobs:
+  shellcheck:
+    name: Shellcheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@master

.gitignore

@@ -4,7 +4,6 @@
 log/
 custom/
 data/
-.vendor/
 .idea/
 *.iml
 public/img/avatar/

CHANGELOG.md

@@ -2,19 +2,69 @@
 
 All notable changes to Gogs are documented in this file.
 
-## 0.12.0+dev (`master`)
+## 0.13.0+dev (`main`)
 
 ### Added
 
+- An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. [#5733](https://github.com/gogs/gogs/issues/5733)
+- Add new configuration option `[git.timeout] DIFF` for customizing operation timeout of `git diff`. [#6315](https://github.com/gogs/gogs/issues/6315)
+
+### Changed
+
+- The default branch has been changed to `main`. [#6285](https://github.com/gogs/gogs/pull/6285)
+- MSSQL as database backend is deprecated, installation page no longer shows it as an option. Existing installations and manually craft configuration file continue to work. [#6295](https://github.com/gogs/gogs/pull/6295)
+- Use [Task](https://github.com/go-task/task) as the default build tool for development. [#6297](https://github.com/gogs/gogs/pull/6297)
+
+### Fixed
+
+- Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409) 
+- [Security] Potential SSRF attack by CRLF injection via repository migration. [#6413](https://github.com/gogs/gogs/issues/6413)
+
+
+### Removed
+
+- ⚠️ Migrations before 0.12 are removed, installations not on 0.12 should upgrade to it to run the migrations and then upgrade to 0.13.
+- Configuration section `[mailer]` is no longer used.
+- Configuration section `[service]` is no longer used.
+- Configuration option `APP_NAME` is no longer used.
+- Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is no longer used.
+- Configuration option `[database] PASSWD` is no longer used.
+- Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is no longer used.
+- Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is no longer used.
+- Configuration option `[auth] ENABLE_CAPTCHA` is no longer used.
+- Configuration option `[auth] ENABLE_NOTIFY_MAIL` is no longer used.
+- Configuration option `[auth] REGISTER_EMAIL_CONFIRM` is no longer used.
+- Configuration option `[session] GC_INTERVAL_TIME` is no longer used.
+- Configuration option `[session] SESSION_LIFE_TIME` is no longer used.
+- Configuration option `[server] ROOT_URL` is no longer used.
+- Configuration option `[server] LANDING_PAGE` is no longer used.
+- Configuration option `[database] DB_TYPE` is no longer used.
+- Configuration option `[database] PASSWD` is no longer used.
+
+## 0.12.1
+
+### Fixed
+
+- The `updated_at` field is now correctly updated when updates an issue. [#6209](https://github.com/gogs/gogs/issues/6209)
+- Fixed a regression which created `login_source.cfg` column to have `VARCHAR(255)` instead of `TEXT` in MySQL. [#6280](https://github.com/gogs/gogs/issues/6280)
+
+## 0.12.0
+
+### Added
+
+- Support for Git LFS, you can read documentation for both [user](https://github.com/gogs/gogs/blob/master/docs/user/lfs.md) and [admin](https://github.com/gogs/gogs/blob/master/docs/admin/lfs.md). [#1322](https://github.com/gogs/gogs/issues/1322)
 - Allow admin to remove observers from the repository. [#5803](https://github.com/gogs/gogs/pull/5803)
 - Use `Last-Modified` HTTP header for raw files. [#5811](https://github.com/gogs/gogs/issues/5811)
 - Support syntax highlighting for SAS code files (i.e. `.r`, `.sas`, `.tex`, `.yaml`). [#5856](https://github.com/gogs/gogs/pull/5856)
 - Able to fill in pull request title with a template. [#5901](https://github.com/gogs/gogs/pull/5901)
 - Able to override static files under `public/` directory, please refer to [documentation](https://gogs.io/docs/features/custom_template) for usage. [#5920](https://github.com/gogs/gogs/pull/5920)
+- New API endpoint `GET /admin/teams/:teamid/members` to list members of a team. [#5877](https://github.com/gogs/gogs/issues/5877)
+- Support backup with retention policy for Docker deployments. [#6140](https://github.com/gogs/gogs/pull/6140)
 
 ### Changed
 
-- The required Go version to compile source code changed to 1.13.
+- The organization profile page has changed to display at most 12 members. [#5506](https://github.com/gogs/gogs/issues/5506)
+- The required Go version to compile source code changed to 1.14.
 - All assets are now embedded into binary and served from memory by default. Set `[server] LOAD_ASSETS_FROM_DISK = true` to load them from disk. [#5920](https://github.com/gogs/gogs/pull/5920)
 - Application and Go versions are removed from page footer and only show in the admin dashboard.
 - Build tag for running as Windows Service has been changed from `miniwinsvc` to `minwinsvc`.
@@ -32,18 +82,31 @@ All notable changes to Gogs are documented in this file.
 - Configuration option `[auth] ENABLE_NOTIFY_MAIL` is deprecated and will end support in 0.13.0, please start using `[user] ENABLE_EMAIL_NOTIFICATION`.
 - Configuration option `[session] GC_INTERVAL_TIME` is deprecated and will end support in 0.13.0, please start using `[session] GC_INTERVAL`.
 - Configuration option `[session] SESSION_LIFE_TIME` is deprecated and will end support in 0.13.0, please start using `[session] MAX_LIFE_TIME`.
+- The name `-` is reserved and cannot be used for users or organizations.
 
 ### Fixed
 
 - [Security] Potential open redirection with i18n.
 - [Security] Potential ability to delete files outside a repository.
+- [Security] Potential ability to set primary email on others' behalf from their verified emails.
+- [Security] Potential XSS attack via `.ipynb`. [#5170](https://github.com/gogs/gogs/issues/5170)
+- [Security] Potential SSRF attack via webhooks. [#5366](https://github.com/gogs/gogs/issues/5366)
+- [Security] Potential CSRF attack in admin panel. [#5367](https://github.com/gogs/gogs/issues/5367)
+- [Security] Potential stored XSS attack in some browsers. [#5397](https://github.com/gogs/gogs/issues/5397)
 - [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
 - [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
+- File both modified and renamed within a commit treated as separate files. [#5056](https://github.com/gogs/gogs/issues/5056)
+- Unable to restore the database backup to MySQL 8.0 with syntax error. [#5602](https://github.com/gogs/gogs/issues/5602)
 - Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)
 - Disallow multiple tokens with same name. [#5587](https://github.com/gogs/gogs/issues/5587) [#5820](https://github.com/gogs/gogs/pull/5820)
 - Enable Federated Avatar Lookup could cause server to crash. [#5848](https://github.com/gogs/gogs/issues/5848)
 - Private repositories are hidden in the organization's view. [#5869](https://github.com/gogs/gogs/issues/5869)
+- Users have access to base repository cannot view commits in forks. [#5878](https://github.com/gogs/gogs/issues/5878)
 - Server error when changing email address in user settings page. [#5899](https://github.com/gogs/gogs/issues/5899)
+- Fall back to use RFC 3339 as time layout when misconfigured. [#6098](https://github.com/gogs/gogs/issues/6098)
+- Unable to update team with server error. [#6185](https://github.com/gogs/gogs/issues/6185)
+- Webhooks are not fired after push when `[service] REQUIRE_SIGNIN_VIEW = true`.
+- Files with identical content are randomly displayed one of them.
 
 ### Removed
 
@@ -54,6 +117,7 @@ All notable changes to Gogs are documented in this file.
 - Configuration option `[session] ENABLE_SET_COOKIE`
 - Configuration option `[release.attachment] PATH`
 - Configuration option `[webhook] QUEUE_LENGTH`
+- Build tag `sqlite`, which means CGO is now required.
 
 ---
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:alpine3.10 AS binarybuilder
+FROM golang:alpine3.11 AS binarybuilder
 RUN apk --no-cache --no-progress add --virtual \
   build-deps \
   build-base \
@@ -7,10 +7,10 @@ RUN apk --no-cache --no-progress add --virtual \
 
 WORKDIR /go/src/github.com/G-Node/gogs
 COPY . .
-RUN make build-no-gen TAGS="sqlite cert pam"
+RUN make build-no-gen TAGS="cert pam"
 
-FROM alpine:3.10
-ADD https://github.com/tianon/gosu/releases/download/1.10/gosu-amd64 /usr/sbin/gosu
+FROM alpine:3.11
+ADD https://github.com/tianon/gosu/releases/download/1.11/gosu-amd64 /usr/sbin/gosu
 RUN chmod +x /usr/sbin/gosu \
   && echo http://dl-2.alpinelinux.org/alpine/edge/community/ >> /etc/apk/repositories \
   && apk --no-cache --no-progress add \
@@ -49,7 +49,7 @@ COPY --from=binarybuilder /go/src/github.com/G-Node/gogs/gogs .
 RUN ./docker/finalize.sh
 
 # Configure Docker Container
-VOLUME ["/data"]
+VOLUME ["/data", "/backup"]
 EXPOSE 22 3000
 ENTRYPOINT ["/app/gogs/docker/start.sh"]
 CMD ["/bin/s6-svscan", "/app/gogs/docker/s6/"]