31231

1231
2026-05-28 21:30:36 +00:00 · 2026-05-28 17:20:19 -04:00 · 2026-05-28 17:10:08 -04:00 · 2026-05-28 16:53:38 -04:00 · 2026-05-28 16:40:47 -04:00 · 2026-05-28 16:31:27 -04:00
2626 changed files with 341734 additions and 54560 deletions
@@ -1,19 +0,0 @@
-[run]
-init_cmds = [
-	#["grep", "-rn", "FIXME", "."],
-	["./gogs", "web"]
-]
-watch_all = true
-watch_dirs = [
-	"$WORKDIR/cmd",
-	"$WORKDIR/models",
-	"$WORKDIR/modules",
-	"$WORKDIR/routers"
-]
-watch_exts = [".go"]
-build_delay = 1500
-cmds = [
-	["go", "install", "-race"], # sqlite redis memcache cert pam tidb
-	["go", "build", "-race"],
-	["./gogs", "web"]
-]
@@ -0,0 +1,13 @@
+Analyze and help fix the GitHub Security Advisory (GHSA) at: $ARGUMENTS
+
+Steps:
+1. Fetch the GHSA page using `gh api repos/gogs/gogs/security-advisories` and understand the vulnerability details (description, severity, affected versions, CWE).
+2. Verify the reported vulnerability actually exists, and why.
+3. Identify the affected code in this repository.
+4. Propose a fix with a clear explanation of the root cause and how the fix addresses it. Check for prior art in the codebase to stay consistent with existing patterns.
+5. Implement the fix. Only add tests when there is something meaningful to test at our layer.
+6. Run all the usual build and test commands.
+7. If a changelog entry is warranted (user will specify), add it to CHANGELOG.md with a placeholder for the PR link.
+8. Create a branch named after the GHSA ID, commit, and push.
+9. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
+10. If a changelog entry was added, update it with the PR link, then commit and push again.
@@ -1,20 +1,16 @@
-.git
-.git/
-.git/*
-conf
-conf/
-conf/*
-packager
-packager/
-packager/*
 scripts
-scripts/
-scripts/*
+scripts/**
+.github/
+.github/**
+.dockerignore
 *.yml
 *.md
-.bra.toml
 .editorconfig
 .gitignore
-.gopmfile
-config.codekit
-LICENSE
+Dockerfile*
+gogs
+node_modules
+**/node_modules
+public/dist
+**/*.tsbuildinfo
+**/.vite
@@ -4,9 +4,20 @@ root = true

 [*]
 charset = utf-8
-end_of_line = lf
-indent_style = tab
+insert_final_newline = true
+trim_trailing_whitespace = true

-[*.yml]
+[*.go]
+indent_style = tab
+indent_size = 4
+
+[*.tmpl]
+indent_style = tab
+indent_size = 2
+
+[*.{less, yml}]
 indent_style = space
 indent_size = 2
+
+[*.js]
+indent_size = 2
@@ -0,0 +1,8 @@
+conf/gitignore/** linguist-vendored
+conf/license/** linguist-vendored
+public/assets/** linguist-vendored
+public/plugins/** linguist-vendored
+public/css/themes/** linguist-vendored
+public/css/semantic-* linguist-vendored
+public/js/libs/** linguist-vendored
+public/js/semantic-* linguist-vendored
@@ -0,0 +1,2 @@
+# Default
+* @unknwon
@@ -0,0 +1,77 @@
+# Welcome to Gogs contributing guide
+
+Thank you for investing your time in contributing to our projects!
+
+Read our [Code of Conduct](https://go.dev/conduct) to keep our community approachable and respectable.
+
+In this guide you will get an overview of the contribution workflow from opening an issue, creating a PR, reviewing, and merging the PR.
+
+Use the table of contents icon <img src="https://github.com/github/docs/raw/50561895328b8f369694973252127b7d93899d83/assets/images/table-of-contents.png" width="25" height="25" /> on the top left corner of this document to get to a specific section of this guide quickly.
+
+## New contributor guide
+
+To get an overview of the project, read the [README](/README.md). Here are some resources to help you get started with open source contributions:
+
+- [Finding ways to contribute to open source on GitHub](https://docs.github.com/en/get-started/exploring-projects-on-github/finding-ways-to-contribute-to-open-source-on-github)
+- [Set up Git](https://docs.github.com/en/get-started/quickstart/set-up-git)
+- [GitHub flow](https://docs.github.com/en/get-started/quickstart/github-flow)
+- [Collaborating with pull requests](https://docs.github.com/en/github/collaborating-with-pull-requests)
+- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+- [Talk, then code](https://www.craft.do/s/kyHVs6OoE4Dj5V)
+
+In addition to the general guides with open source contributions, you would also need to:
+
+- Have basic knowledge about web applications development, database management systems and programming in [Go](https://go.dev/).
+- Have a working local development setup with a reasonable good IDE or editor like [Visual Studio Code](https://code.visualstudio.com/docs/languages/go), [GoLand](https://www.jetbrains.com/go/) or [Vim](https://github.com/fatih/vim-go).
+- [Set up your development environment](/docs/dev/local_development.md).
+
+## Issues
+
+### Ask for help
+
+Before opening an issue, please make sure the problem you're encountering isn't already addressed on the [Troubleshooting](https://gogs.io/asking/troubleshooting) and [FAQs](https://gogs.io/asking/faq) pages.
+
+### Create a new issue
+
+- For questions, ask in [Discussions](https://github.com/gogs/gogs/discussions).
+- [Check to make sure](https://docs.github.com/en/github/searching-for-information-on-github/searching-on-github/searching-issues-and-pull-requests#search-by-the-title-body-or-comments) someone hasn't already opened a similar [issue](https://github.com/gogs/gogs/issues).
+- If a similar issue doesn't exist, open a new issue using a relevant [issue form](https://github.com/gogs/gogs/issues/new/choose).
+- Blank issues that are not coming from maintainers will be closed without a response.
+
+### Pick up an issue to solve
+
+- Scan through our [existing issues](https://github.com/gogs/gogs/issues) to find one that interests you.
+- The [👋 good first issue](https://github.com/gogs/gogs/issues?q=is%3Aissue+is%3Aopen+label%3A%22%F0%9F%91%8B+good+first+issue%22) is a good place to start exploring issues that are well-groomed for newcomers.
+- Do not hesitate to ask for more details or clarifying questions on the issue!
+- Communicate on the issue you are intended to pick up _before_ starting working on it.
+- Every issue that gets picked up will have an expected timeline for the implementation, the issue may be reassigned after the expected timeline. Please be responsible and proactive on the communication 🙇‍♂️
+
+## Add new features or make big changes
+
+New features or big changes require proposals before we may be able to accept any contribution. Proposals should be posted to the [Discussions - Proposal](https://github.com/gogs/gogs/discussions/categories/proposal) category for review and discussions. GitHub Discussions provides sub-threading which is much more suitable than GitHub Issues for discussions to happen. Please read [Write a proposal for open source contributions](https://unknwon.io/posts/220210-write-a-proposal-for-open-source-contributions/) to begin with.
+
+## Pull requests
+
+When you're finished with the changes, create a pull request, or a series of pull requests if necessary.
+
+Contributing to another codebase is not as simple as code changes, it is also about contributing influence to the design. Therefore, we kindly ask you that:
+
+- Please acknowledge that no pull request is guaranteed to be merged.
+- Please always do a self-review before requesting reviews from others.
+- Please expect code review to be strict and may have multiple rounds.
+- Please make self-contained incremental changes, pull requests with huge diff may be rejected for review.
+- Please use English in code comments and docstring.
+- Please do not force push unless absolutely necessary. Force pushes make review much harder in multiple rounds, and we use [Squash and merge](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#squash-and-merge-your-pull-request-commits) so you don't need to worry about messy commits and just focus on the changes.
+
+### Things we do not accept
+
+1. Updates to locale files (`conf/locale_xx-XX.ini`) other than the `conf/locale_en-US.ini`. Please read the [guide for localizing Gogs](https://gogs.io/advancing/localization).
+1. Docker compose files.
+
+### Coding guidelines
+
+1. Please read the Sourcegraph's [Go style guide](https://github.com/sourcegraph/sourcegraph-public-snapshot/blob/main/doc/dev/background-information/languages/go.md).
+
+## Your PR is merged!
+
+Congratulations 🎉🎉 Thanks again for taking the effort to have this journey with us 🌟
@@ -0,0 +1,82 @@
+name: Bug report
+description: File a bug report to help us improve
+labels: ["\U0001F48A bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+        
+        - Please use English :)
+        - For questions, ask in [Discussions](https://github.com/gogs/gogs/discussions).
+        - Before you file an issue read the [Contributing guide](https://github.com/gogs/gogs/blob/main/.github/CONTRIBUTING.md).
+        - Check to make sure someone hasn't already opened a similar [issue](https://github.com/gogs/gogs/issues).
+  - type: input
+    attributes:
+      label: Gogs version
+      description: |
+        Please specify the exact Gogs version you're reporting for, e.g. "0.12.3". You can find the version information in the admin dashboard (`/admin`).
+        
+        _Note that "gogs/gogs:latest" is not a Gogs version, it does not mean anything._
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Git version
+      description: |
+        Please specify the exact Git version you're using of both server and client. You can find the version information by running `git version`.
+      value: |
+        - Server: 
+        - Client: 
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Operating system
+      description: |
+        Please specify the exact operating system name and version you're reporting for, e.g. "Windows 10", "CentOS 7", "Ubuntu 20.04".
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Database
+      description: |
+        Please specify the exact database and version you're reporting for, e.g. "PostgreSQL 9.6", "MySQL 5.7", "SQLite 3".
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Describe the bug
+      description: A clear and concise description of what the bug is.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: To reproduce
+      description: The steps to reproduce the problem described above.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected behavior
+      description: A clear and concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Additional context
+      description: |
+        Links? References? Suggestions? Anything that will give us more context about the issue you are encountering!
+        
+        Please include any error logs found in the `log/gogs.log` file. Otherwise, we probably won't be able to help you much.
+
+        Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://go.dev/conduct)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true
@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Ask questions
+    url: https://github.com/gogs/gogs/discussions
+    about: Please ask questions in Discussions.
+  - name: Make a proposal
+    url: https://github.com/gogs/gogs/discussions/categories/proposal
+    about: Please make proposals in Discussions.
@@ -0,0 +1,46 @@
+---
+name: "Dev: Release a minor version"
+about: ONLY USED BY MAINTAINERS.
+assignees: "unknwon"
+title: "Release [VERSION]"
+labels: 📸 release
+---
+
+_This is generated from the [minor release template](https://github.com/gogs/gogs/blob/main/.github/ISSUE_TEMPLATE/dev_release_minor_version.md)._
+
+## Before release
+
+On the `main` branch:
+
+- [ ] Close stale issues with the label [status: needs feedback](https://github.com/gogs/gogs/issues?q=is%3Aissue+is%3Aopen+label%3A%22status%3A+needs+feedback%22).
+- [ ] [Sync locales from Crowdin](https://github.com/gogs/gogs/blob/main/docs/dev/import_locale.md).
+- [ ] [Update CHANGELOG](https://github.com/gogs/gogs/commit/f1102a7a7c545ec221d2906f02fa19170d96f96d) to include entries for the current minor release.
+	- Do not forget adding entries for GHSA patches.
+- [ ] Cut a new release branch `release/<MAJOR>.<MINOR>`, e.g. `release/0.14`.
+
+## During release
+
+On the release branch:
+
+- [ ] [Update the hard-coded version](https://github.com/gogs/gogs/commit/f0e3cd90f8d7695960eeef2e4e54b2e717302f6c) to the current release, e.g. `0.14.0+dev` -> `0.14.0`.
+- [ ] Wait for GitHub Actions to complete and no failed jobs.
+- [ ] Publish new RC releases (e.g. `v0.14.0-rc.1`, `v0.14.0-rc.2`) ⚠️ **on the release branch** ⚠️ and ensure Docker and release workflows both succeed.
+	- [ ] Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
+	- [ ] Download one of the release archives and run through application setup to make sure nothing blows up.
+- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) ⚠️ **on the release branch** ⚠️ with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current minor release.
+- [ ] [Wait for new image tags for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
+	- Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
+- [ ] Download all release archives and [generate SHA256 checksum](https://github.com/gogs/gogs/blob/main/docs/dev/release/sha256.sh) for all binaries to the file `checksum_sha256.txt`.
+- [ ] Upload all archives and `checksum_sha256.txt` to https://dl.gogs.io.
+
+## After release
+
+On the `main` branch:
+
+- [ ] Update the repository mirror on [Gitee](https://gitee.com/unknwon/gogs).
+- [ ] Create a new release announcement in [Discussions](https://github.com/gogs/gogs/discussions/categories/announcements).
+- [ ] Send a tweet on the [official Twitter account](https://twitter.com/GogsHQ) for the minor release.
+- [ ] Close the milestone for the minor release.
+- [ ] [Bump the hard-coded version](https://github.com/gogs/gogs/commit/a98968436cd5841cf691bb0b80c54c81470d1676) to the new develop version, e.g. `0.14.0+dev` -> `0.15.0+dev`.
+- [ ] Run `grep -rnw "\(LEGACY\|Deprecated\)" internal` to identify deprecated code that is aimed to be removed in current develop version.
+- [ ] **After 14 days**, publish [GitHub security advisories](https://github.com/gogs/gogs/security) for security patches included in the release.
@@ -0,0 +1,49 @@
+---
+name: "Dev: Release a patch version"
+about: ONLY USED BY MAINTAINERS.
+assignees: "unknwon"
+title: "Release [VERSION]"
+labels: 📸 release
+---
+
+_This is generated from the [patch release template](https://github.com/gogs/gogs/blob/main/.github/ISSUE_TEMPLATE/dev_release_patch_version.md)._
+
+## Before release
+
+On the release branch:
+
+- [ ] Make sure all commits are cherry-picked from the `main` branch by checking the patch milestone.
+	- Run `moon run gogs:build-prod --force` for every cherry-picked commit to make sure there is no compilation error.
+- [ ] [Update CHANGELOG on the `main` branch](https://github.com/gogs/gogs/commit/f1102a7a7c545ec221d2906f02fa19170d96f96d) to include entries for the current patch release.
+
+## During release
+
+On the release branch:
+
+- [ ] [Update the hard-coded version](https://github.com/gogs/gogs/commit/f0e3cd90f8d7695960eeef2e4e54b2e717302f6c) to the current release, e.g. `0.12.0` -> `0.12.1`.
+- [ ] Wait for GitHub Actions to complete and no failed jobs.
+- [ ] Publish new RC releases in [GitHub release](https://github.com/gogs/gogs/releases) (e.g. `v0.12.0-rc.1`, `v0.12.0-rc.2`) ⚠️ **on the release branch** ⚠️ and ensure Docker workflow succeeds.
+	- [ ] Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
+	- [ ] Download one of the release archives and run through application setup to make sure nothing blows up.
+- [ ] Publish a new [GitHub release](https://github.com/gogs/gogs/releases) ⚠️ **on the release branch** ⚠️ with entries from [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md) for the current patch release and all previous releases with same minor version.
+- [ ] Update all previous GitHub releases with same minor version with the warning:
+	```
+	**ℹ️ Heads up! There is a new patch release [0.12.1](https://github.com/gogs/gogs/releases/tag/v0.12.1) available, we recommend directly installing or upgrading to that version.**
+	```
+- [ ] [Wait for new image tags for the current release](https://github.com/gogs/gogs/actions/workflows/docker.yml?query=event%3Arelease) to be created automatically on both [Docker Hub](https://hub.docker.com/r/gogs/gogs/tags) and [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs).
+	- Pull down the Docker image and [run through application setup](https://github.com/gogs/gogs/blob/main/docker/README.md) to make sure nothing blows up.
+- [ ] Download all release archives and [generate SHA256 checksum](https://github.com/gogs/gogs/blob/main/docs/dev/release/sha256.sh) for all binaries to the file `checksum_sha256.txt`.
+- [ ] Upload all archives and `checksum_sha256.txt` to https://dl.gogs.io.
+
+## After release
+
+On the `main` branch:
+
+- [ ] Post the following message on issues that are included in the patch milestone:
+    ```
+    The <MAJOR>.<MINOR>.<PATCH> has been released that includes the patch of the reported issue.
+    ```
+- [ ] Create a new release announcement in [Discussions](https://github.com/gogs/gogs/discussions/categories/announcements).
+- [ ] Send a tweet on the [official Twitter account](https://twitter.com/GogsHQ) for the patch release.
+- [ ] Close the milestone for the patch release.
+- [ ] **After 14 days**, publish [GitHub security advisories](https://github.com/gogs/gogs/security) for security patches included in the release.
@@ -0,0 +1,32 @@
+name: Improve documentation
+description: Suggest an idea or a patch for documentation
+labels: ["📖 documentation"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this form!
+        
+        - Please use English :)
+        - For questions, ask in [Discussions](https://github.com/gogs/gogs/discussions).
+        - Before you file an issue read the [Contributing guide](https://github.com/gogs/gogs/blob/main/.github/CONTRIBUTING.md).
+        - Check to make sure someone hasn't already opened a similar [issue](https://github.com/gogs/gogs/issues).
+  - type: textarea
+    attributes:
+      label: What needs to be improved? Please describe
+      description: A clear and concise description of what is wrong or missing.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Why do you think it is important?
+      description: A clear and concise explanation of the rationale.
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://go.dev/conduct)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true
@@ -0,0 +1,47 @@
+name: Feature request
+description: Suggest an idea for this project
+labels: ["\U0001F3AF feature"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this form!
+        
+        - Please use English :)
+        - For questions, ask in [Discussions](https://github.com/gogs/gogs/discussions).
+        - Before you file an issue read the [Contributing guide](https://github.com/gogs/gogs/blob/main/.github/CONTRIBUTING.md).
+        - Check to make sure someone hasn't already opened a similar [issue](https://github.com/gogs/gogs/issues).
+  - type: textarea
+    attributes:
+      label: Describe the feature
+      description: A clear and concise description of what the feature is, e.g. I think it is reasonable to have [...]
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Describe the solution you'd like
+      description: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Describe alternatives you've considered
+      description: A clear and concise description of any alternative solutions or features you've considered.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Additional context
+      description: |
+        Links? References? Suggestions? Anything that will give us more context about the feature you are requesting!
+
+        Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
+    validations:
+      required: false
+  - type: checkboxes
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://go.dev/conduct)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true
@@ -0,0 +1,9 @@
+# Docs: https://git.io/JCUAY
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    commit-message:
+      prefix: "mod:"
@@ -0,0 +1,16 @@
+## Describe the pull request
+
+A clear and concise description of what the pull request is about, i.e. what problem should be fixed? 
+
+Link to the issue: <!-- paste the issue link here, or put "n/a" if not applicable -->
+
+## Checklist
+
+- [ ] I agree to follow the [Code of Conduct](https://go.dev/conduct) by submitting this pull request.
+- [ ] I have read and acknowledge the [Contributing guide](https://github.com/gogs/gogs/blob/main/.github/CONTRIBUTING.md).
+- [ ] I have added test cases to cover the new code or have provided the test plan. (if applicable)
+- [ ] I have added an entry to [CHANGELOG](https://github.com/gogs/gogs/blob/main/CHANGELOG.md). (if applicable)
+
+## Test plan
+
+<!-- Please provide concrete but concise steps to proof things are working as stated, see an example in https://github.com/gogs/gogs/pull/7345 -->
@@ -0,0 +1,75 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    paths:
+      - '.github/workflows/codeql.yml'
+  schedule:
+    - cron: '0 19 * * 0'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          # We must fetch at least the immediate parents so that if this is
+          # a pull request then we can checkout the head.
+          fetch-depth: 2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v3.28.3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2 # v3.28.3
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
+
+      #- run: |
+      #   make bootstrap
+      #   make release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v3.28.3
@@ -0,0 +1,26 @@
+name: DigitalOcean
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  garbage-collection:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Install doctl
+        uses: digitalocean/action-doctl@5727c67aa3c2c34ae9462d5a0ecfea8a1b31e5ce # v2
+        with:
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+      - name: Run garbage collection
+        run: |
+          # --force: Required for CI to skip confirmation prompts
+          # --include-untagged-manifests: Deletes unreferenced manifests to maximize space
+          doctl registry garbage-collection start --force --include-untagged-manifests
+      - name: Send email on failure
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
+        if: ${{ failure() }}
+        with:
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
@@ -0,0 +1,397 @@
+name: Docker
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '.trivy.yaml'
+      - 'Dockerfile'
+      - 'Dockerfile.next'
+      - 'docker/**'
+      - 'docker-next/**'
+      - '.github/workflows/docker.yml'
+  release:
+    types: [ published ]
+
+jobs:
+  buildx-next:
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}
+    concurrency:
+      group: ${{ github.workflow }}-next-${{ github.ref }}
+      cancel-in-progress: true
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
+      packages: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        with:
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+      - name: Login to Docker Hub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to DigitalOcean Container registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: registry.digitalocean.com
+          username: ${{ secrets.DIGITALOCEAN_USERNAME }}
+          password: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+      - name: Build and push next-gen images
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: Dockerfile.next
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: |
+            gogs/gogs:edge
+            ghcr.io/gogs/gogs:edge
+            registry.digitalocean.com/gogs/gogs:edge
+      - name: Scan for container vulnerabilities
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          image-ref: gogs/gogs:edge
+          exit-code: '1'
+      - name: Send email on failure
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
+        if: ${{ failure() }}
+        with:
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
+
+  deploy-demo:
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}
+    needs: buildx-next
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Configure kubectl
+        run: |
+          mkdir -p ~/.kube
+          echo "${KUBECONFIG}" | base64 -d > ~/.kube/config
+        env:
+          KUBECONFIG: ${{ secrets.DIGITALOCEAN_K8S_CLUSTER_KUBECONFIG }}
+      - name: Restart gogs-demo deployment
+        timeout-minutes: 5
+        run: |
+          set -ex
+          kubectl rollout restart deployment gogs-demo -n gogs
+          kubectl rollout status deployment gogs-demo -n gogs
+      - name: Send email on failure
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
+        if: ${{ failure() }}
+        with:
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
+
+  buildx-pull-request:
+    if: ${{ github.event_name == 'pull_request'}}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        with:
+          config-inline: |
+            [worker.oci]
+              max-parallelism = 2
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+      - name: Compute short commit SHA
+        id: short-sha
+        uses: benjlevesque/short-sha@599815c8ee942a9616c92bcfb4f947a3b670ab0b # v3.0
+      - name: Build and push images
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:7d
+      - name: Scan for container vulnerabilities
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          image-ref: ttl.sh/gogs/gogs-${{ steps.short-sha.outputs.sha }}:7d
+          exit-code: '1'
+
+  buildx-next-pull-request:
+    if: ${{ github.event_name == 'pull_request'}}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        with:
+          config-inline: |
+            [worker.oci]
+              max-parallelism = 2
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+      - name: Compute short commit SHA
+        id: short-sha
+        uses: benjlevesque/short-sha@599815c8ee942a9616c92bcfb4f947a3b670ab0b # v3.0
+      - name: Build and push next-gen images
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: Dockerfile.next
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ttl.sh/gogs/gogs-next-${{ steps.short-sha.outputs.sha }}:7d
+      - name: Scan for container vulnerabilities
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          image-ref: ttl.sh/gogs/gogs-next-${{ steps.short-sha.outputs.sha }}:7d
+          exit-code: '1'
+
+  # Updates to the following section needs to be synced to all release branches within their lifecycles.
+  buildx-release:
+    if: ${{ github.event_name == 'release' }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
+      packages: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          # Full history with tags is required so the next step can determine
+          # whether this release is the highest stable version across the repo.
+          fetch-depth: 0
+          fetch-tags: true
+      - name: Compute image tags
+        run: |
+          IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)
+          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
+
+          TAGS="gogs/gogs:$IMAGE_TAG
+          ghcr.io/gogs/gogs:$IMAGE_TAG"
+
+          # For stable releases (no prerelease suffix per semver), add the
+          # minor-version tag only if this release is the highest patch of that
+          # minor line, and add `latest` only if this release is the highest
+          # stable version across the repository. Back-patches on older lines
+          # must not clobber moving tags.
+          if [[ ! "$IMAGE_TAG" =~ - ]]; then
+            STABLE_TAGS=$(git tag --list 'v*' | sed 's/^v//' | grep -v -- '-' || true)
+            HIGHEST_STABLE=$(echo "$STABLE_TAGS" | sort -V | tail -n 1)
+            MINOR_TAG=$(echo "$IMAGE_TAG" | cut -d. -f1,2)
+            # `|| true` keeps the step running when `grep` finds no matches,
+            # since bash runs with `-e -o pipefail` in GitHub Actions.
+            HIGHEST_IN_MINOR=$(echo "$STABLE_TAGS" | { grep "^${MINOR_TAG}\." || true; } | sort -V | tail -n 1)
+
+            if [[ "$IMAGE_TAG" == "$HIGHEST_IN_MINOR" ]]; then
+              TAGS="$TAGS
+          gogs/gogs:$MINOR_TAG
+          ghcr.io/gogs/gogs:$MINOR_TAG"
+            fi
+            if [[ "$IMAGE_TAG" == "$HIGHEST_STABLE" ]]; then
+              TAGS="$TAGS
+          gogs/gogs:latest
+          ghcr.io/gogs/gogs:latest"
+            fi
+          fi
+
+          echo "TAGS<<EOF" >> $GITHUB_ENV
+          echo "$TAGS" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        with:
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+      - name: Login to Docker Hub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push images
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: ${{ env.TAGS }}
+      - name: Scan for container vulnerabilities
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          image-ref: gogs/gogs:${{ env.IMAGE_TAG }}
+          exit-code: '1'
+      - name: Send email on failure
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
+        if: ${{ failure() }}
+        with:
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
+
+  # Updates to the following section needs to be synced to all release branches within their lifecycles.
+  buildx-next-release:
+    if: ${{ github.event_name == 'release' }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
+      packages: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          # Full history with tags is required so the next step can determine
+          # whether this release is the highest stable version across the repo.
+          fetch-depth: 0
+          fetch-tags: true
+      - name: Compute image tags
+        run: |
+          IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)
+          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
+
+          TAGS="gogs/gogs:next-$IMAGE_TAG
+          ghcr.io/gogs/gogs:next-$IMAGE_TAG"
+
+          # For stable releases (no prerelease suffix per semver), add the
+          # minor-version tag only if this release is the highest patch of that
+          # minor line, and add `next-latest` only if this release is the
+          # highest stable version across the repository. Back-patches on older
+          # lines must not clobber moving tags.
+          if [[ ! "$IMAGE_TAG" =~ - ]]; then
+            STABLE_TAGS=$(git tag --list 'v*' | sed 's/^v//' | grep -v -- '-' || true)
+            HIGHEST_STABLE=$(echo "$STABLE_TAGS" | sort -V | tail -n 1)
+            MINOR_TAG=$(echo "$IMAGE_TAG" | cut -d. -f1,2)
+            # `|| true` keeps the step running when `grep` finds no matches,
+            # since bash runs with `-e -o pipefail` in GitHub Actions.
+            HIGHEST_IN_MINOR=$(echo "$STABLE_TAGS" | { grep "^${MINOR_TAG}\." || true; } | sort -V | tail -n 1)
+
+            if [[ "$IMAGE_TAG" == "$HIGHEST_IN_MINOR" ]]; then
+              TAGS="$TAGS
+          gogs/gogs:next-$MINOR_TAG
+          ghcr.io/gogs/gogs:next-$MINOR_TAG"
+            fi
+            if [[ "$IMAGE_TAG" == "$HIGHEST_STABLE" ]]; then
+              TAGS="$TAGS
+          gogs/gogs:next-latest
+          ghcr.io/gogs/gogs:next-latest"
+            fi
+          fi
+
+          echo "TAGS<<EOF" >> $GITHUB_ENV
+          echo "$TAGS" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        with:
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+      - name: Login to Docker Hub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push next-gen images
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: Dockerfile.next
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: ${{ env.TAGS }}
+      - name: Scan for container vulnerabilities
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          image-ref: gogs/gogs:next-${{ env.IMAGE_TAG }}
+          exit-code: '1'
+      - name: Send email on failure
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
+        if: ${{ failure() }}
+        with:
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
+
+  digitalocean-gc:
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'gogs/gogs' }}
+    needs: buildx-next
+    permissions:
+      contents: read
+    uses: ./.github/workflows/digitalocean_gc.yml
+    secrets: inherit
+
+  digitalocean-gc-pull-request:
+    if: ${{ github.event_name == 'pull_request' && github.repository == 'gogs/gogs' }}
+    needs: buildx-next-pull-request
+    permissions:
+      contents: read
+    uses: ./.github/workflows/digitalocean_gc.yml
+    secrets: inherit
@@ -0,0 +1,172 @@
+name: Go
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+    paths:
+      - '**.go'
+      - 'go.mod'
+      - '.golangci.yml'
+      - '.github/workflows/go.yml'
+  pull_request:
+    paths:
+      - '**.go'
+      - 'go.mod'
+      - '.golangci.yml'
+      - '.github/workflows/go.yml'
+env:
+  GOPROXY: "https://proxy.golang.org"
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    permissions:
+      contents: read       # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Install Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.26.x
+      - name: Check Go module tidiness and generated files
+        shell: bash
+        run: |
+          go mod tidy
+          go generate ./...
+          STATUS=$(git status --porcelain)
+          if [ ! -z "$STATUS" ]; then
+            echo "Unstaged files:"
+            echo $STATUS
+            echo "Run 'go mod tidy' or 'go generate ./...' and commit them"
+            exit 1
+          fi
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@9fae48acfc02a90574d7c304a1758ef9895495fa # v7.0.1
+        with:
+          version: latest
+          args: --timeout=30m
+
+  test:
+    name: Test
+    strategy:
+      matrix:
+        go-version: [ 1.26.x ]
+        platform: [ ubuntu-latest, macos-latest ]
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Install Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Run tests with coverage
+        run: |
+          go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic -json ./... > test-report.json
+          go install github.com/mfridman/tparse@latest
+          tparse -all -file=test-report.json
+      - name: Send email on failure
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
+        if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+        with:
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
+
+  # Running tests with race detection consumes too much memory on Windows,
+  # see https://github.com/golang/go/issues/46099 for details.
+  test-windows:
+    name: Test Windows
+    strategy:
+      matrix:
+        go-version: [ 1.26.x ]
+        platform: [ windows-latest ]
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Install Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Run tests with coverage
+        run: go test -shuffle=on -v -coverprofile=coverage -covermode=atomic ./...
+      - name: Send email on failure
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
+        if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+        with:
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
+
+  postgres:
+    name: Postgres
+    strategy:
+      matrix:
+        go-version: [ 1.26.x ]
+        platform: [ ubuntu-latest ]
+    runs-on: ${{ matrix.platform }}
+    services:
+      postgres:
+        image: postgres:9.6
+        env:
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Install Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Run tests with coverage
+        run: |
+          go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic -json ./internal/database/... > test-report.json
+          go install github.com/mfridman/tparse@latest
+          tparse -all -file=test-report.json
+        env:
+          GOGS_DATABASE_TYPE: postgres
+          PGPORT: 5432
+          PGHOST: localhost
+          PGUSER: postgres
+          PGPASSWORD: postgres
+          PGSSLMODE: disable
+
+  mysql:
+    name: MySQL
+    strategy:
+      matrix:
+        go-version: [ 1.26.x ]
+        platform: [ ubuntu-22.04 ] # Use the lowest version possible for backwards compatibility
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - name: Start MySQL server
+        run: sudo systemctl start mysql
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Install Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Run tests with coverage
+        run: |
+          go test -shuffle=on -v -race -coverprofile=coverage -covermode=atomic -json ./internal/database/... > test-report.json
+          go install github.com/mfridman/tparse@latest
+          tparse -all -file=test-report.json
+        env:
+          GOGS_DATABASE_TYPE: mysql
+          MYSQL_USER: root
+          MYSQL_PASSWORD: root
+          MYSQL_HOST: localhost
+          MYSQL_PORT: 3306
@@ -0,0 +1,25 @@
+name: 'Lock Threads'
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
+
+concurrency:
+  group: lock
+
+jobs:
+  action:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
+        with:
+          github-token: ${{ github.token }}
+          issue-inactive-days: '90'
+          issue-lock-reason: 'resolved'
+          pr-inactive-days: '365'
+          pr-lock-reason: 'resolved'
@@ -0,0 +1,216 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '.github/workflows/release.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  GOPROXY: "https://proxy.golang.org"
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build ${{ matrix.goos }}/${{ matrix.goarch }}${{ matrix.suffix }}
+    if: ${{ github.repository == 'gogs/gogs' }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - {goos: linux, goarch: amd64, runner: ubuntu-latest}
+          - {goos: linux, goarch: arm64, runner: ubuntu-latest}
+          - {goos: linux, goarch: "386", runner: ubuntu-latest}
+          - {goos: darwin, goarch: amd64, runner: macos-latest}
+          - {goos: darwin, goarch: arm64, runner: macos-latest}
+          - {goos: windows, goarch: amd64, runner: ubuntu-latest}
+          - {goos: windows, goarch: arm64, runner: ubuntu-latest}
+          - {goos: windows, goarch: "386", runner: ubuntu-latest}
+          - {goos: windows, goarch: amd64, suffix: "_mws", tags: minwinsvc, runner: ubuntu-latest}
+          - {goos: windows, goarch: arm64, suffix: "_mws", tags: minwinsvc, runner: ubuntu-latest}
+          - {goos: windows, goarch: "386", suffix: "_mws", tags: minwinsvc, runner: ubuntu-latest}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.26.x
+      - name: Set up pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+      - name: Set up Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 24
+          cache: pnpm
+      - name: Build web assets
+        run: |
+          pnpm install --frozen-lockfile
+          pnpm --filter gogs-web run build
+      - name: Determine version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "release" ]; then
+            echo "version=${{ github.event.release.tag_name }}" | sed 's/version=v/version=/' >> "$GITHUB_OUTPUT"
+            echo "release_tag=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
+          elif [ "${{ github.event_name }}" = "push" ] && [ "${{ github.ref }}" = "refs/heads/main" ]; then
+            echo "version=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+            echo "release_tag=latest-commit-build" >> "$GITHUB_OUTPUT"
+          else
+            echo "version=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+            echo "release_tag=release-archive-testing" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Build binary
+        env:
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+          CGO_ENABLED: "0"
+        run: |
+          BINARY_NAME="gogs"
+          if [ "${{ matrix.goos }}" = "windows" ]; then
+            BINARY_NAME="gogs.exe"
+          fi
+
+          TAGS="prod"
+          if [ -n "${{ matrix.tags }}" ]; then
+            TAGS="$TAGS ${{ matrix.tags }}"
+          fi
+
+          go build -v \
+            -ldflags "
+              -X \"gogs.io/gogs/internal/conf.BuildTime=$(date -u '+%Y-%m-%d %I:%M:%S %Z')\"
+              -X \"gogs.io/gogs/internal/conf.BuildCommit=$(git rev-parse HEAD)\"
+            " \
+            -tags "$TAGS" \
+            -trimpath -o "$BINARY_NAME" ./cmd/gogs
+      - name: Import Apple signing certificate
+        if: ${{ matrix.goos == 'darwin' }}
+        env:
+          APPLE_DEVELOPER_ID_CERTIFICATE_BASE64: ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_BASE64 }}
+          APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD }}
+          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+        run: |
+          if [ -z "$APPLE_DEVELOPER_ID_CERTIFICATE_BASE64" ] || [ -z "$APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD" ] || [ -z "$APPLE_KEYCHAIN_PASSWORD" ]; then
+            echo "Missing required Apple signing secrets." >&2
+            exit 1
+          fi
+
+          CERTIFICATE_PATH="$RUNNER_TEMP/developer_id_application.p12"
+          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
+
+          printf '%s' "$APPLE_DEVELOPER_ID_CERTIFICATE_BASE64" | base64 -d > "$CERTIFICATE_PATH"
+          security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security import "$CERTIFICATE_PATH" -P "$APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          security list-keychains -d user -s "$KEYCHAIN_PATH"
+          security default-keychain -s "$KEYCHAIN_PATH"
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$APPLE_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+      - name: Sign macOS binary
+        if: ${{ matrix.goos == 'darwin' }}
+        env:
+          APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
+        run: |
+          if [ -z "$APPLE_DEVELOPER_IDENTITY" ]; then
+            echo "Missing required Apple signing identity secret." >&2
+            exit 1
+          fi
+
+          security find-identity -v -p codesigning
+          codesign --force --options runtime --timestamp --sign "$APPLE_DEVELOPER_IDENTITY" "gogs"
+          codesign --verify --verbose=2 "gogs"
+      - name: Prepare archive contents
+        run: |
+          mkdir -p dist/gogs
+          BINARY_NAME="gogs"
+          if [ "${{ matrix.goos }}" = "windows" ]; then
+            BINARY_NAME="gogs.exe"
+          fi
+          cp "$BINARY_NAME" dist/gogs/
+          cp LICENSE README.md dist/gogs/
+          cp -r scripts dist/gogs/
+      - name: Create archives
+        working-directory: dist
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          ARCHIVE_BASE="gogs_${VERSION}_${{ matrix.goos }}_${{ matrix.goarch }}${{ matrix.suffix }}"
+
+          zip -r "${ARCHIVE_BASE}.zip" gogs
+
+          if [ "${{ matrix.goos }}" = "linux" ]; then
+            tar -czvf "${ARCHIVE_BASE}.tar.gz" gogs
+          fi
+      - name: Notarize macOS archive
+        if: ${{ matrix.goos == 'darwin' }}
+        env:
+          APPLE_NOTARY_ISSUER_ID: ${{ secrets.APPLE_NOTARY_ISSUER_ID }}
+          APPLE_NOTARY_KEY_BASE64: ${{ secrets.APPLE_NOTARY_KEY_BASE64 }}
+          APPLE_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
+        run: |
+          if [ -z "$APPLE_NOTARY_ISSUER_ID" ] || [ -z "$APPLE_NOTARY_KEY_BASE64" ] || [ -z "$APPLE_NOTARY_KEY_ID" ]; then
+            echo "Missing required Apple notarization secrets." >&2
+            exit 1
+          fi
+
+          VERSION="${{ steps.version.outputs.version }}"
+          ARCHIVE_PATH="dist/gogs_${VERSION}_${{ matrix.goos }}_${{ matrix.goarch }}${{ matrix.suffix }}.zip"
+          NOTARY_KEY_PATH="$RUNNER_TEMP/AuthKey_${APPLE_NOTARY_KEY_ID}.p8"
+
+          printf '%s' "$APPLE_NOTARY_KEY_BASE64" | base64 -d > "$NOTARY_KEY_PATH"
+          xcrun notarytool submit "$ARCHIVE_PATH" \
+            --key "$NOTARY_KEY_PATH" \
+            --key-id "$APPLE_NOTARY_KEY_ID" \
+            --issuer "$APPLE_NOTARY_ISSUER_ID" \
+            --wait
+      - name: Upload to release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+
+          if [ "${{ github.event_name }}" != "release" ]; then
+            git tag -f "$RELEASE_TAG"
+            git push origin "$RELEASE_TAG" --force || true
+
+            RELEASE_TITLE="Release archive testing"
+            RELEASE_NOTES="Automated testing release for workflow development."
+            if [ "$RELEASE_TAG" = "latest-commit-build" ]; then
+              RELEASE_TITLE="Latest commit build"
+              RELEASE_NOTES="Automated build from the latest commit on main branch. This release is updated automatically with every push to main."
+            fi
+
+            gh release view "$RELEASE_TAG" || gh release create "$RELEASE_TAG" --title "$RELEASE_TITLE" --notes "$RELEASE_NOTES" --prerelease
+          fi
+
+          PATTERN="_${{ matrix.goos }}_${{ matrix.goarch }}${{ matrix.suffix }}\."
+          gh release view "$RELEASE_TAG" --json assets --jq ".assets[].name" | grep "$PATTERN" | while read -r asset; do
+            gh release delete-asset "$RELEASE_TAG" "$asset" --yes || true
+          done
+
+          gh release upload "$RELEASE_TAG" dist/gogs_*.zip --clobber
+          if [ "${{ matrix.goos }}" = "linux" ]; then
+            gh release upload "$RELEASE_TAG" dist/gogs_*.tar.gz --clobber
+          fi
+
+  notify-failure:
+    name: Notify on failure
+    runs-on: ubuntu-latest
+    needs: [build]
+    if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    steps:
+      - name: Send email on failure
+        uses: unknwon/send-email-on-failure@89339a1bc93f4ad1d30f3b7e4911fcba985c9adb # v1
+        with:
+          smtp_username: ${{ secrets.SMTP_USERNAME }}
+          smtp_password: ${{ secrets.SMTP_PASSWORD }}
@@ -0,0 +1,17 @@
+name: Shell
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck:
+    name: Shellcheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
@@ -0,0 +1,54 @@
+name: Web
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+    paths:
+      - 'web/**'
+      - 'pnpm-lock.yaml'
+      - 'pnpm-workspace.yaml'
+      - 'package.json'
+      - 'conf/locale/locale_*.ini'
+      - '.github/workflows/web.yml'
+  pull_request:
+    paths:
+      - 'web/**'
+      - 'pnpm-lock.yaml'
+      - 'pnpm-workspace.yaml'
+      - 'package.json'
+      - 'conf/locale/locale_*.ini'
+      - '.github/workflows/web.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  web:
+    name: Lint and build
+    runs-on: ubuntu-latest
+    env:
+      MOON_COLOR: "true"
+      FORCE_COLOR: "1"
+    steps:
+      - name: Check out code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          fetch-depth: 0
+      - name: Set up pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+      - name: Set up Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 24
+          cache: pnpm
+      - name: Set up moon
+        uses: moonrepo/setup-toolchain@261c62cb5b0f580c7be7c8cd0f023a2e96756095 # v0.6.4
+        with:
+          auto-install: false
+      - name: Lint
+        run: moon run web:lint
+      - name: Build
+        run: moon run web:build
+      - name: Check for uncommitted changes
+        run: git diff --exit-code --stat
@@ -1,39 +1,19 @@
-.DS_Store
-*.db
-*.log
+# Build artifacts and cache
+.bin/
+dist/
+.moon/cache/
+node_modules/
+.agents/skills/
+.claude/skills
+
+# Runtime data
 log/
 custom/
 data/
-.vendor/
+
+# Configuration and application files
 .idea/
-*.iml
-public/img/avatar/
-files/
-*.o
-*.a
-*.so
-_obj
-_test
-*.[568vq]
-[568vq].out
-*.cgo1.go
-*.cgo2.c
-_cgo_defun.c
-_cgo_gotypes.go
-_cgo_export.*
-_testmain.go
-*.exe
-*.exe~
-/gogs
-profile/
-__pycache__
-*.pem
-output*
-.brackets.json
-docker/fig.yml
-docker/docker/Dockerfile
-docker/docker/init_gogs.sh
-gogs.sublime-project
-gogs.sublime-workspace
-.tags*
-release
+.envrc
+
+# System junk
+.DS_Store
@@ -0,0 +1,42 @@
+version: "2"
+linters:
+  enable:
+    - nakedret
+    - rowserrcheck
+    - unconvert
+    - unparam
+  settings:
+    govet:
+      disable:
+        # printf: non-constant format string in call to fmt.Errorf (govet)
+        # showing up since golangci-lint version 1.60.1
+        - printf
+    staticcheck:
+      checks:
+        - all
+        - "-SA1019" # This project is under active refactoring and not all code is up to date.
+        - "-QF1001" # I'm a math noob
+        - "-ST1016" # Some legit code uses this pattern
+    nakedret:
+      max-func-lines: 0 # Disallow any unnamed return statement
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
@@ -1,50 +0,0 @@
-[target]
-path = github.com/gogits/gogs
-
-[deps]
-github.com/bradfitz/gomemcache = commit:72a68649ba
-github.com/codegangsta/cli = commit:b5232bb
-github.com/go-macaron/binding = commit:2502aaf
-github.com/go-macaron/cache = commit:5617353
-github.com/go-macaron/captcha = commit:8aa5919
-github.com/go-macaron/csrf = commit:715bca0
-github.com/go-macaron/gzip = commit:4938e9b
-github.com/go-macaron/i18n = commit:d2d3329
-github.com/go-macaron/inject = commit:c5ab7bf
-github.com/go-macaron/session = commit:66031fc
-github.com/go-macaron/toolbox = commit:ab30a81
-github.com/go-sql-driver/mysql = commit:d512f20
-github.com/go-xorm/core = commit:acb6f00
-github.com/go-xorm/xorm = commit:a8fba4d
-github.com/gogits/git-module = commit:5cd57b9
-github.com/gogits/go-gogs-client = commit:78460e9
-github.com/issue9/identicon = commit:f8c0d2c
-github.com/kardianos/minwinsvc = commit:cad6b2b
-github.com/klauspost/compress = commit:f7ff951
-github.com/klauspost/cpuid = commit:ef30b90
-github.com/klauspost/crc32 = commit:41b6596
-github.com/lib/pq = commit:11fc39a
-github.com/mattn/go-sqlite3 = commit:5651a9d
-github.com/mcuadros/go-version = commit:d52711f
-github.com/microcosm-cc/bluemonday = commit:4ac6f27
-github.com/msteinert/pam = commit:02ccfbf
-github.com/nfnt/resize = commit:dc93e1b98c
-github.com/russross/blackfriday = commit:d18b67a
-github.com/shurcooL/sanitized_anchor_name = commit:10ef21a
-github.com/Unknwon/cae = commit:7f5e046
-github.com/Unknwon/com = commit:28b053d
-github.com/Unknwon/i18n = commit:3b48b66
-github.com/Unknwon/paginater = commit:7748a72
-golang.org/x/net = commit:28273ec
-golang.org/x/text = commit:cf49866
-golang.org/x/crypto = commit:f18420e
-gopkg.in/asn1-ber.v1 = commit:4e86f43
-gopkg.in/gomail.v2 = commit:fbb71dd
-gopkg.in/ini.v1 = commit:77178f2
-gopkg.in/ldap.v2 = commit:e9a325d
-gopkg.in/macaron.v1 = commit:1c6dd87
-gopkg.in/redis.v2 = commit:e617904962
-
-[res]
-include = public|scripts|templates
-
@@ -0,0 +1,4 @@
+Joe Chen <jc@unknwon.io> Unknwon <u@gogs.io>
+Joe Chen <jc@unknwon.io> 无闻 <u@gogs.io>
+Joe Chen <jc@unknwon.io> ᴜɴᴋɴᴡᴏɴ <u@gogs.io>
+Joe Chen <jc@unknwon.io> ᴜɴᴋɴᴡᴏɴ <jc@unknwon.io>
@@ -0,0 +1,4 @@
+$schema: "https://moonrepo.dev/schemas/tasks.json"
+
+taskOptions:
+  outputStyle: "stream"
@@ -0,0 +1,9 @@
+$schema: "https://moonrepo.dev/schemas/workspace.json"
+
+projects:
+  gogs: "."
+  web: "web"
+
+vcs:
+  client: "git"
+  defaultBranch: "main"
@@ -1,27 +0,0 @@
-targets:
-  debian-7: &debian
-    build_dependencies:
-      - libpam0g-dev
-    dependencies:
-      - libpam0g
-      - git
-  debian-8:
-    <<: *debian
-  ubuntu-14.04:
-    <<: *debian
-  ubuntu-12.04:
-    <<: *debian
-  centos-6: &el
-    build_dependencies:
-      - pam-devel
-    dependencies:
-      - pam
-      - git
-  centos-7:
-    <<: *el
-before:
-  - mv packager/Procfile .
-  - mv packager/.godir .
-after:
-  - mv bin/main gogs
-after_install: ./packager/hooks/postinst
@@ -1,26 +0,0 @@
-language: go
-
-go:
-  - 1.4
-  - 1.5
-
-before_install:
-  - sudo apt-get update -qq
-  - sudo apt-get install -y libpam-dev
-  - go get github.com/msteinert/pam 
-
-install:
-  - go get -t -v ./...
-
-script: go build -v -tags "pam"
-
-notifications:
-  email:
-    - u@gogs.io
-  slack: gophercn:o5pSanyTeNhnfYc3QnG0X7Wx
-  webhooks:
-    urls:
-      - https://webhooks.gitter.im/e/b590f8e03882f7aedc3e
-    on_success: change 
-    on_failure: always 
-    on_start: never     
@@ -0,0 +1,48 @@
+## Core principles
+
+- Stop telling me "You're right", it just shows how incompetent you are. Do it right on your first try, fact-check and review after changes. If you are not sure, ask for help.
+- When you see changes made outside your knowledge, use the current version as your new starting point. Do not blindly overwrite those changes or you suck. Even if you have to update the code, always respect the pattern in the surrounding context!
+
+## Style and mechanics
+
+This applies to all texts, including but not limited to UI, documentation, code comments.
+
+- Use sentence case. Preserve original casing for brand names.
+- End with a period for a full sentence.
+- Never use em dashes (`—`) or en dashes (`–`) in prose. Rewrite the sentence with a comma, period, colon, or parentheses instead. Exception: em/en dashes are allowed as visual separators in UI design (e.g., between a title and description, in a terminal prompt label) where they function as a graphic element rather than punctuation.
+- Do not overuse semicolons. Two short sentences are almost always clearer than one sentence joined by a semicolon. Reserve the semicolon for the rare case where the two clauses are so tightly coupled that splitting them loses meaning, never as a default em-dash replacement or a way to chain related thoughts.
+- Do not add comments that repeat what the code is doing, always prefer more descriptive names. Do add comments for intentions that aren't obvious via reading the code alone. This rule takes precedence over matching existing patterns.
+
+## Coding guidelines
+
+- Use `github.com/cockroachdb/errors` for error handling.
+- Use `github.com/stretchr/testify` for assertions in tests. Be mindful about the choice of `require` and `assert`, the former should be used when the test cannot proceed meaningfully after a failed assertion.
+- Every 5xx response must log the error directly inside the handler, do not log errors in a shared helper.
+
+## Localization
+
+- Only edit `conf/locale/locale_en-US.ini`. The other `locale_*.ini` files are community-maintained translations. Do not add, remove, or rewrite keys in them, even when removing keys that are dead on the Go/template side.
+
+## UI guidelines
+
+- Design mobile-friendly. Every UI must look and work well on narrow viewports before adding desktop refinements via responsive breakpoints. Test at ~375px width before considering a UI done.
+- Meet WCAG 2.2 AA at minimum. Specifically: every interactive control has a discernible accessible name (visible label or `aria-label`); color is never the sole carrier of information (pair with text, icon, or shape); text and meaningful icons meet 4.5:1 contrast against their background (3:1 for large text and UI components); focus is always visible and never trapped; touch targets are at least 24×24 CSS px (40×40 preferred). When unsure, lean toward more contrast, larger targets, and explicit labels.
+- For work under `web/`, follow the patterns in [`web/DESIGN.md`](web/DESIGN.md) (typography, color hierarchy, surface chrome, file naming, accessibility specifics). Update that doc when a pattern is used in two places.
+- When a page needs server data to render, fetch it in the TanStack Router route's `loader` so the page only mounts after the response arrives. Do not fire that fetch from a `useEffect` inside the page component, which causes a flash of empty UI before the data lands.
+
+## Build instructions
+
+- Prefer `moon run <project>:<task>` over vanilla `go` or `pnpm` commands when available (e.g. `moon run gogs:build`, `moon run web:dev`). Pass `--force` to bypass cache when necessary.
+- Run `moon run gogs:lint` after every time you finish changing Go code, and `moon run web:lint` after changing frontend code; fix all linter errors.
+
+## Tool-use guidance
+
+- Use `gh` CLI to access information on github.com that is not publicly available.
+- Run the Chrome DevTools MCP in headless mode so it does not steal focus from the user's foreground browser session. After finishing any task that used the Chrome DevTools MCP, kill all `chrome-devtools-mcp` processes with `pkill -f chrome-devtools-mcp`.
+
+## Source code control
+
+- When pushing changes to a pull request from a fork, use SSH address and do not add remote.
+- Never commit on the `main` branch directly unless being explicitly asked to do so. A single ask only grants a single commit action on the `main` branch.
+- Never amend commits unless being explicitly asked to do so.
+- When creating a git worktree, the worktree directory name must match its branch name. Do not use random or generated suffixes.
@@ -0,0 +1,332 @@
+# Changelog
+
+All notable changes to Gogs are documented in this file.
+
+## 0.15.0+dev (`main`)
+
+### Changed
+
+- Docker builds from `main` are now published only as `gogs/gogs:edge`, using the next-generation `Dockerfile.next`. The legacy `Dockerfile` no longer produces `main` builds. The `gogs/gogs:latest` and `gogs/gogs:next-latest` tags now always point to the highest published stable release, never to a back-patch on an older line. [#8278](https://github.com/gogs/gogs/pull/8278)
+
+### Fixed
+
+- _Security:_ Denial of service in repository and wiki file listing pages via crafted file names. [#8116](https://github.com/gogs/gogs/pull/8116) - [GHSA-3qq3-668m-v9mj](https://github.com/gogs/gogs/security/advisories/GHSA-3qq3-668m-v9mj)
+- _Security:_ Reverse proxy authentication header was honored from any remote address, allowing user impersonation when Gogs was reachable directly. The header is now only trusted from addresses listed in `[auth] TRUSTED_PROXY_IPS`. [#8264](https://github.com/gogs/gogs/pull/8264) - [GHSA-w6j9-vw59-27wv](https://github.com/gogs/gogs/security/advisories/GHSA-w6j9-vw59-27wv)
+- _Security:_ Server-side request forgery in webhook deliveries via HTTP redirects to local network addresses. [#8263](https://github.com/gogs/gogs/pull/8263) - [GHSA-c4v7-xg93-qf8g](https://github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g)
+- _Security:_ The "remember me" auto-login cookie was derived from database columns, so an attacker with a database dump could forge a valid cookie for any user. The auto-login cookie path has been removed entirely. Persistence is now provided by the server-issued session cookie. [#8289](https://github.com/gogs/gogs/pull/8289) - [GHSA-4pph-25p3-pw73](https://github.com/gogs/gogs/security/advisories/GHSA-4pph-25p3-pw73)
+
+### Removed
+
+- The `gogs cert` subcommand. [#8153](https://github.com/gogs/gogs/pull/8153)
+- The `[email] DISABLE_HELO` configuration option. HELO/EHLO is now always sent during SMTP handshake. [#8164](https://github.com/gogs/gogs/pull/8164)
+- Support for MSSQL as the database backend. Stay on 0.14 for continued usage. [#8173](https://github.com/gogs/gogs/pull/8173)
+- Support for `memcache` as the cache adapter. Stay on 0.14 for continued usage. [#8270](https://github.com/gogs/gogs/pull/8270)
+- The `/debug`, `/debug/pprof/*`, `/debug/profile/*`, and `/urlmap.json` endpoints. [#8271](https://github.com/gogs/gogs/pull/8271)
+
+## 0.14.2
+
+### Fixed
+
+- _Security:_ Cross-repository LFS object overwrite via missing content hash verification. [#8166](https://github.com/gogs/gogs/pull/8166) - [GHSA-gmf8-978x-2fg2](https://github.com/gogs/gogs/security/advisories/GHSA-gmf8-978x-2fg2)
+- _Security:_ Stored XSS via data URI in issue comments. [#8174](https://github.com/gogs/gogs/pull/8174) - [GHSA-xrcr-gmf5-2r8j](https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j)
+- _Security:_ Release tag option injection in release deletion. [#8175](https://github.com/gogs/gogs/pull/8175) - [GHSA-v9vm-r24h-6rqm](https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm)
+- _Security:_ Stored XSS in branch and wiki views through author and committer names. [#8176](https://github.com/gogs/gogs/pull/8176) - [GHSA-vgvf-m4fw-938j](https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j)
+- _Security:_ DOM-based XSS via issue meta selection on the issue page. [#8178](https://github.com/gogs/gogs/pull/8178) - [GHSA-vgjm-2cpf-4g7c](https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c)
+- Unable to update files via web editor and API. [#8184](https://github.com/gogs/gogs/pull/8184)
+
+### Removed
+
+- Support for passing API access tokens via URL query parameters (`token`, `access_token`). Use the `Authorization` header instead. [#8177](https://github.com/gogs/gogs/pull/8177) - [GHSA-x9p5-w45c-7ffc](https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc)
+
+## 0.14.1
+
+### Added
+
+- Support comparing tags in addition to branches. [#6141](https://github.com/gogs/gogs/issues/6141)
+- Show file name in browser tab title when viewing files. [#5896](https://github.com/gogs/gogs/pull/5896)
+- Support using TLS for Redis session provider using `[session] PROVIDER_CONFIG = ...,tls=true`. [#7860](https://github.com/gogs/gogs/pull/7860)
+- Support expanading values in `app.ini` from environment variables, e.g. `[database] PASSWORD = ${DATABASE_PASSWORD}`. [#8057](https://github.com/gogs/gogs/pull/8057)
+- Support custom logout URL that users get redirected to after sign out using `[auth] CUSTOM_LOGOUT_URL`. [#8089](https://github.com/gogs/gogs/pull/8089)
+- Start publishing next-generation, security-focused Docker image via `gogs/gogs:next-latest`, which will become the default image distribution (`gogs/gogs:latest`) starting 0.16.0. While not all container options support have been added in the next-generation image, the use of current legacy Docker image is deprecated, it will be published as `gogs/gogs:legacy-latest` starting 0.16.0, and be completely removed no earlier than 0.17.0. [#8061](https://github.com/gogs/gogs/pull/8061)
+
+### Changed
+
+- The required Go version to compile source code changed to 1.25.
+- The build tag `cert` has been removed, and the `gogs cert` subcommand is now always available. [#7883](https://github.com/gogs/gogs/pull/7883)
+- Switched to pure-Go SQLite driver, CGO is no longer required to compile Gogs. [#7882](https://github.com/gogs/gogs/issues/7882)
+- Updated Mermaid JS to 11.9.0. [#8009](https://github.com/gogs/gogs/pull/8009)
+- Halt the repository creation and leave the directory untouched if the repository root already exists. [#8091](https://github.com/gogs/gogs/pull/8091)
+
+### Fixed
+
+- _Security:_ Unauthenticated file upload. [#8128](https://github.com/gogs/gogs/pull/8128) - [GHSA-fc3h-92p8-h36f](https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f)
+- _Security:_ Protected branch bypass in web UI. [#8124](https://github.com/gogs/gogs/pull/8124) - [GHSA-2c6v-8r3v-gh6p](https://github.com/gogs/gogs/security/advisories/GHSA-2c6v-8r3v-gh6p)
+- _Security:_ Authorization bypass allows cross-repository label modification. [#8123](https://github.com/gogs/gogs/pull/8123) - [GHSA-cv22-72px-f4gh](https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh)
+- _Security:_ Cross-repository comment deletion. [#8119](https://github.com/gogs/gogs/pull/8119) - [GHSA-jj5m-h57j-5gv7](https://github.com/gogs/gogs/security/advisories/GHSA-jj5m-h57j-5gv7)
+- 500 error on repository watchers and stargazers pages when using MSSQL. [#5482](https://github.com/gogs/gogs/issues/5482)
+- Submodules using `ssh://` protocol and a port number are not rendered correctly. [#4941](https://github.com/gogs/gogs/issues/4941)
+- Missing link to user profile on the first commit in commits history page. [#7404](https://github.com/gogs/gogs/issues/7404)
+- Unable to delete or display files with special characters in their names. [#7596](https://github.com/gogs/gogs/issues/7596)
+- Docker healthcheck fails when `HTTP_PROXY` or `HTTPS_PROXY` environment variables are set. [#7529](https://github.com/gogs/gogs/issues/7529)
+
+## 0.13.4
+
+### Fixed
+
+- _Security:_ DoS in repository mirror sync. [#8065](https://github.com/gogs/gogs/pull/8065) - [GHSA-cr88-6mqm-4g57](https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57)
+- _Security:_ RCE in repository put contents API. [#8082](https://github.com/gogs/gogs/pull/8082) - [GHSA-gg64-xxr9-qhjp](https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp)
+- _Security:_ Arbitrary file deletion via path traversal in wiki page update. [#8099](https://github.com/gogs/gogs/pull/8099) - [GHSA-jp7c-wj6q-3qf2](https://github.com/gogs/gogs/security/advisories/GHSA-jp7c-wj6q-3qf2)
+- _Security:_ 2FA bypass via recovery code. [#8100](https://github.com/gogs/gogs/pull/8100) - [GHSA-p6x6-9mx6-26wj](https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj)
+- _Security:_ Authorization bypass in repository deletion API. [#8101](https://github.com/gogs/gogs/pull/8101) - [GHSA-rjv5-9px2-fqw6](https://github.com/gogs/gogs/security/advisories/GHSA-rjv5-9px2-fqw6)
+- _Security:_ Update repository content via API with read-only permission. [#8102](https://github.com/gogs/gogs/pull/8102) - [GHSA-5qhx-gwfj-6jqr](https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr)
+- _Security:_ Arbitrary file read/write via path traversal in Git hook editing. [#8103](https://github.com/gogs/gogs/pull/8103) - [GHSA-mrph-w4hh-gx3g](https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g)
+- _Security:_ Stored XSS via Mermaid diagrams. [`2c88cd4`](https://github.com/gogs/gogs/commit/2c88cd4d9fdc346d8e06d82f5368d657c10e79c2) - [GHSA-26gq-grmh-6xm6](https://github.com/gogs/gogs/security/advisories/GHSA-26gq-grmh-6xm6)
+- Route `GET /api/v1/user/repos` responses 500 when accessible repositories contain forks. [#8069](https://github.com/gogs/gogs/pull/8069)
+- Newer Git versions that uses default branch `main` cause wiki initialization to fail. [#8094](https://github.com/gogs/gogs/pull/8094)
+
+## 0.13.3
+
+### Fixed
+
+- _Security:_ Stored XSS in PDF renderer. [GHSA-xh32-cx6c-cp4v](https://github.com/gogs/gogs/security/advisories/GHSA-xh32-cx6c-cp4v)
+- _Security:_ Path Traversal in file editing UI. [GHSA-wj44-9vcg-wjq7](https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7)
+- Randomly timeout on repository file uploads. [#7890](https://github.com/gogs/gogs/pull/7890)
+- Unable to override email templates in custom directory. [#7905](https://github.com/gogs/gogs/pull/7905)
+
+## 0.13.2
+
+### Fixed
+
+- _Security:_ Path Traversal in file editing UI. [GHSA-r7j8-5h9c-f6fx](https://github.com/gogs/gogs/security/advisories/GHSA-r7j8-5h9c-f6fx)
+- _Security:_ Path Traversal in file update API. [GHSA-qf5v-rp47-55gg](https://github.com/gogs/gogs/security/advisories/GHSA-qf5v-rp47-55gg)
+- _Security:_ Argument Injection in the built-in SSH server. [GHSA-vm62-9jw3-c8w3](https://github.com/gogs/gogs/security/advisories/GHSA-vm62-9jw3-c8w3)
+- _Security:_ Deletion of internal files. [GHSA-ccqv-43vm-4f3w](https://github.com/gogs/gogs/security/advisories/GHSA-ccqv-43vm-4f3w)
+- _Security:_ Argument Injection during changes preview. [GHSA-9pp6-wq8c-3w2c](https://github.com/gogs/gogs/security/advisories/GHSA-9pp6-wq8c-3w2c)
+- _Security:_ Argument Injection when tagging new releases. [GHSA-m27m-h5gj-wwmg](https://github.com/gogs/gogs/security/advisories/GHSA-m27m-h5gj-wwmg)
+- Use the non-deprecated section name `[email]` during installation for email settings. [#7704](https://github.com/gogs/gogs/pull/7704)
+- Use the non-deprecated section name `[email] PASSWORD` during installation for email password. [#7807](https://github.com/gogs/gogs/pull/7807)
+- Make purple template label color to actually use the hexcode of purple. [#7722](https://github.com/gogs/gogs/pull/7722)
+
+## 0.13.0
+
+### Added
+
+- Support using personal access token in the password field. [#3866](https://github.com/gogs/gogs/issues/3866)
+- An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. [#5733](https://github.com/gogs/gogs/issues/5733)
+- New API endpoint `PUT /repos/:owner/:repo/contents/:path` for creating and update repository contents. [#5967](https://github.com/gogs/gogs/issues/5967)
+- New configuration option `[git.timeout] DIFF` for customizing operation timeout of `git diff`. [#6315](https://github.com/gogs/gogs/issues/6315)
+- New configuration option `[server] SSH_SERVER_MACS` for setting list of accepted MACs for connections to builtin SSH server. [#6434](https://github.com/gogs/gogs/issues/6434)
+- New configuration option `[repository] DEFAULT_BRANCH` for setting default branch name for new repositories. [#7291](https://github.com/gogs/gogs/issues/7291)
+- New configuration option `[server] SSH_SERVER_ALGORITHMS` for specifying the list of accepted key exchange algorithms for connections to builtin SSH server. [#7345](https://github.com/gogs/gogs/pull/7345)
+- Support specifying custom schema for PostgreSQL. [#6695](https://github.com/gogs/gogs/pull/6695)
+- Support rendering Mermaid diagrams in Markdown. [#6776](https://github.com/gogs/gogs/pull/6776)
+- Docker: Allow passing extra arguments to the `backup` command. [#7060](https://github.com/gogs/gogs/pull/7060)
+- New languages support: Mongolian, Romanian. [#6510](https://github.com/gogs/gogs/pull/6510) [#7082](https://github.com/gogs/gogs/pull/7082)
+
+### Changed
+
+- The default branch has been changed to `main`. [#6285](https://github.com/gogs/gogs/pull/6285)
+- MSSQL as database backend is deprecated, installation page no longer shows it as an option. Existing installations and manually craft configuration file continue to work. [#6295](https://github.com/gogs/gogs/pull/6295)
+- Use [Task](https://github.com/go-task/task) as the build tool. [#6297](https://github.com/gogs/gogs/pull/6297)
+- The required Go version to compile source code changed to 1.18.
+- Access tokens are now stored using their SHA256 hashes instead of raw values. [#7008](https://github.com/gogs/gogs/pull/7008)
+
+### Fixed
+
+- Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
+- Unable to choose "Lookup Avatar by mail" in user settings without deleting custom avatar. [#7267](https://github.com/gogs/gogs/pull/7267)
+- Mistakenly include the "data" directory under the custom directory in the Docker setup. [#7343](https://github.com/gogs/gogs/pull/7343)
+- Unable to start after data recovery with an outdated migration version. [#7125](https://github.com/gogs/gogs/issues/7125)
+
+### Removed
+
+- ⚠️ Migrations before 0.12 are removed, installations not on 0.12 should upgrade to it to run the migrations and then upgrade to 0.13.
+- Configuration section `[mailer]` is no longer used, please use `[email]`.
+- Configuration section `[service]` is no longer used, please use `[auth]`.
+- Configuration option `APP_NAME` is no longer used, please use `BRAND_NAME`.
+- Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is no longer used, please use `[auth] REVERSE_PROXY_AUTHENTICATION_HEADER`.
+- Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is no longer used, please use `[auth] ACTIVATE_CODE_LIVES`.
+- Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is no longer used, please use `[auth] RESET_PASSWORD_CODE_LIVES`.
+- Configuration option `[auth] ENABLE_CAPTCHA` is no longer used, please use `[auth] ENABLE_REGISTRATION_CAPTCHA`.
+- Configuration option `[auth] ENABLE_NOTIFY_MAIL` is no longer used, please use `[user] ENABLE_EMAIL_NOTIFICATION`.
+- Configuration option `[auth] REGISTER_EMAIL_CONFIRM` is no longer used, please use `[auth] REQUIRE_EMAIL_CONFIRMATION`.
+- Configuration option `[session] GC_INTERVAL_TIME` is no longer used, please use `[session] GC_INTERVAL`.
+- Configuration option `[session] SESSION_LIFE_TIME` is no longer used, please use `[session] MAX_LIFE_TIME`.
+- Configuration option `[server] ROOT_URL` is no longer used, please use `[server] EXTERNAL_URL`.
+- Configuration option `[server] LANDING_PAGE` is no longer used, please use `[server] LANDING_URL`.
+- Configuration option `[database] DB_TYPE` is no longer used, please use `[database] TYPE`.
+- Configuration option `[database] PASSWD` is no longer used, please use `[database] PASSWORD`.
+- Remove option to use Makefile as the build tool. [#6980](https://github.com/gogs/gogs/pull/6980)
+
+## 0.12.11
+
+### Fixed
+
+- _Security:_ Stored XSS for issue assignees. [#7145](https://github.com/gogs/gogs/issues/7145)
+- _Security:_ OS Command Injection in repo editor on case-insensitive file systems. [#7030](https://github.com/gogs/gogs/issues/7030)
+- Unable to render repository pages with implicit submodules (e.g. `get submodule "REDACTED": revision does not exist`). [#6436](https://github.com/gogs/gogs/issues/6436)
+
+## 0.12.10
+
+### Changed
+
+- Support using `[security] LOCAL_NETWORK_ALLOWLIST = *` to allow all hostnames. [#7111](https://github.com/gogs/gogs/pull/7111)
+
+### Fixed
+
+- Unable to send webhooks to local network addresses after configured `[security] LOCAL_NETWORK_ALLOWLIST`. [#7074](https://github.com/gogs/gogs/issues/7074)
+
+## 0.12.9
+
+### Fixed
+
+- _Security:_ OS Command Injection in file editor. [#7000](https://github.com/gogs/gogs/issues/7000)
+- _Security:_ Sanitize `DisplayName` in repository issue list. [#7009](https://github.com/gogs/gogs/pull/7009)
+- _Security:_ Path Traversal in file editor on Windows. [#7001](https://github.com/gogs/gogs/issues/7001)
+- _Security:_ Path Traversal in Git HTTP endpoints. [#7002](https://github.com/gogs/gogs/issues/7002)
+- Unable to init repository during creation on Windows. [#6967](https://github.com/gogs/gogs/issues/6967)
+- Mysterious panic on `Value not found for type *repo.HTTPContext`. [#6963](https://github.com/gogs/gogs/issues/6963)
+
+## 0.12.8
+
+### Changed
+
+- All users (including admins) need to use the configuration option `[security] LOCAL_NETWORK_ALLOWLIST` to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. [#6988](https://github.com/gogs/gogs/pull/6988)
+
+### Fixed
+
+- _Security:_ SSRF in webhook. [#6901](https://github.com/gogs/gogs/issues/6901)
+- _Security:_ XSS in cookies. [#6953](https://github.com/gogs/gogs/issues/6953)
+- _Security:_ OS Command Injection in file uploading. [#6968](https://github.com/gogs/gogs/issues/6968)
+- _Security:_ Remote Command Execution in file editing. [#6555](https://github.com/gogs/gogs/issues/6555)
+
+## 0.12.7
+
+### Fixed
+
+- _Security:_ Stored XSS in issues. [#6919](https://github.com/gogs/gogs/issues/6919)
+- Invalid character in `Access-Control-Allow-Credentials` response header. [#4983](https://github.com/gogs/gogs/issues/4983)
+- Mysterious `ssh: overflow reading version string` errors from builtin SSH server. [#6882](https://github.com/gogs/gogs/issues/6882)
+
+## 0.12.6
+
+### Fixed
+
+- _Security:_ Remote command execution in file uploading. [#6833](https://github.com/gogs/gogs/issues/6833)
+- _Regression:_ Unable to migrate repository from other local Git hosting. Added a new configuration option `[security] LOCAL_NETWORK_ALLOWLIST`, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. [#6841](https://github.com/gogs/gogs/issues/6841)
+- Slow start of Docker containers using NAS devices. [#6554](https://github.com/gogs/gogs/issues/6554)
+
+## 0.12.5
+
+### Fixed
+
+- _Security:_ Potential SSRF in repository migration. [#6754](https://github.com/gogs/gogs/issues/6754)
+- _Security:_ Improper PAM authorization handling. [#6810](https://github.com/gogs/gogs/issues/6810)
+
+## 0.12.4
+
+### Fixed
+
+- _Security:_ Potential SSRF attack by CRLF injection via repository migration. [#6413](https://github.com/gogs/gogs/issues/6413)
+- _Regression:_ Fixed smart links for issues stops rendering. [#6506](https://github.com/gogs/gogs/issues/6506)
+- Added `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409)
+
+## 0.12.3
+
+### Fixed
+
+- _Regression:_ When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". [#6316](https://github.com/gogs/gogs/issues/6316)
+- Auto-linked commit SHAs now have correct links. [#6300](https://github.com/gogs/gogs/issues/6300)
+- Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header `Content-Type` to be `application/octet-stream`. The server now tells the LFS client to always use `Content-Type: application/octet-stream` when upload files.
+
+## 0.12.2
+
+### Fixed
+
+- _Regression:_ Pages are correctly rendered when requesting `?go-get=1` for subdirectories. [#6314](https://github.com/gogs/gogs/issues/6314)
+- _Regression:_ Submodule with a relative path is linked correctly. [#6319](https://github.com/gogs/gogs/issues/6319)
+- Backup can be processed when `--target` is specified on Windows. [#6339](https://github.com/gogs/gogs/issues/6339)
+- Commit message contains keywords look like an issue reference no longer fails the push entirely. [#6289](https://github.com/gogs/gogs/issues/6289)
+
+## 0.12.1
+
+### Fixed
+
+- The `updated_at` field is now correctly updated when updates an issue. [#6209](https://github.com/gogs/gogs/issues/6209)
+- Fixed a regression which created `login_source.cfg` column to have `VARCHAR(255)` instead of `TEXT` in MySQL. [#6280](https://github.com/gogs/gogs/issues/6280)
+
+## 0.12.0
+
+### Added
+
+- Support for Git LFS, you can read documentation for both [user](https://github.com/gogs/gogs/blob/main/docs/user/lfs.md) and [admin](https://github.com/gogs/gogs/blob/main/docs/admin/lfs.md). [#1322](https://github.com/gogs/gogs/issues/1322)
+- Allow admin to remove observers from the repository. [#5803](https://github.com/gogs/gogs/pull/5803)
+- Use `Last-Modified` HTTP header for raw files. [#5811](https://github.com/gogs/gogs/issues/5811)
+- Support syntax highlighting for SAS code files (i.e. `.r`, `.sas`, `.tex`, `.yaml`). [#5856](https://github.com/gogs/gogs/pull/5856)
+- Able to fill in pull request title with a template. [#5901](https://github.com/gogs/gogs/pull/5901)
+- Able to override static files under `public/` directory, please refer to [documentation](https://gogs.io/docs/features/custom_template) for usage. [#5920](https://github.com/gogs/gogs/pull/5920)
+- New API endpoint `GET /admin/teams/:teamid/members` to list members of a team. [#5877](https://github.com/gogs/gogs/issues/5877)
+- Support backup with retention policy for Docker deployments. [#6140](https://github.com/gogs/gogs/pull/6140)
+
+### Changed
+
+- The organization profile page has changed to display at most 12 members. [#5506](https://github.com/gogs/gogs/issues/5506)
+- The required Go version to compile source code changed to 1.14.
+- All assets are now embedded into binary and served from memory by default. Set `[server] LOAD_ASSETS_FROM_DISK = true` to load them from disk. [#5920](https://github.com/gogs/gogs/pull/5920)
+- Application and Go versions are removed from page footer and only show in the admin dashboard.
+- Build tag for running as Windows Service has been changed from `miniwinsvc` to `minwinsvc`.
+- Configuration option `APP_NAME` is deprecated and will end support in 0.13.0, please start using `BRAND_NAME`.
+- Configuration option `[server] ROOT_URL` is deprecated and will end support in 0.13.0, please start using `[server] EXTERNAL_URL`.
+- Configuration option `[server] LANDING_PAGE` is deprecated and will end support in 0.13.0, please start using `[server] LANDING_URL`.
+- Configuration option `[database] DB_TYPE` is deprecated and will end support in 0.13.0, please start using `[database] TYPE`.
+- Configuration option `[database] PASSWD` is deprecated and will end support in 0.13.0, please start using `[database] PASSWORD`.
+- Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is deprecated and will end support in 0.13.0, please start using `[auth] REVERSE_PROXY_AUTHENTICATION_HEADER`.
+- Configuration section `[mailer]` is deprecated and will end support in 0.13.0, please start using `[email]`.
+- Configuration section `[service]` is deprecated and will end support in 0.13.0, please start using `[auth]`.
+- Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] ACTIVATE_CODE_LIVES`.
+- Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] RESET_PASSWORD_CODE_LIVES`.
+- Configuration option `[auth] REGISTER_EMAIL_CONFIRM` is deprecated and will end support in 0.13.0, please start using `[auth] REQUIRE_EMAIL_CONFIRMATION`.
+- Configuration option `[auth] ENABLE_CAPTCHA` is deprecated and will end support in 0.13.0, please start using `[auth] ENABLE_REGISTRATION_CAPTCHA`.
+- Configuration option `[auth] ENABLE_NOTIFY_MAIL` is deprecated and will end support in 0.13.0, please start using `[user] ENABLE_EMAIL_NOTIFICATION`.
+- Configuration option `[session] GC_INTERVAL_TIME` is deprecated and will end support in 0.13.0, please start using `[session] GC_INTERVAL`.
+- Configuration option `[session] SESSION_LIFE_TIME` is deprecated and will end support in 0.13.0, please start using `[session] MAX_LIFE_TIME`.
+- The name `-` is reserved and cannot be used for users or organizations.
+
+### Fixed
+
+- [Security] Potential open redirection with i18n.
+- [Security] Potential ability to delete files outside a repository.
+- [Security] Potential ability to set primary email on others' behalf from their verified emails.
+- [Security] Potential XSS attack via `.ipynb`. [#5170](https://github.com/gogs/gogs/issues/5170)
+- [Security] Potential SSRF attack via webhooks. [#5366](https://github.com/gogs/gogs/issues/5366)
+- [Security] Potential CSRF attack in admin panel. [#5367](https://github.com/gogs/gogs/issues/5367)
+- [Security] Potential stored XSS attack in some browsers. [#5397](https://github.com/gogs/gogs/issues/5397)
+- [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
+- [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
+- File both modified and renamed within a commit treated as separate files. [#5056](https://github.com/gogs/gogs/issues/5056)
+- Unable to restore the database backup to MySQL 8.0 with syntax error. [#5602](https://github.com/gogs/gogs/issues/5602)
+- Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)
+- Disallow multiple tokens with same name. [#5587](https://github.com/gogs/gogs/issues/5587) [#5820](https://github.com/gogs/gogs/pull/5820)
+- Enable Federated Avatar Lookup could cause server to crash. [#5848](https://github.com/gogs/gogs/issues/5848)
+- Private repositories are hidden in the organization's view. [#5869](https://github.com/gogs/gogs/issues/5869)
+- Users have access to base repository cannot view commits in forks. [#5878](https://github.com/gogs/gogs/issues/5878)
+- Server error when changing email address in user settings page. [#5899](https://github.com/gogs/gogs/issues/5899)
+- Fall back to use RFC 3339 as time layout when misconfigured. [#6098](https://github.com/gogs/gogs/issues/6098)
+- Unable to update team with server error. [#6185](https://github.com/gogs/gogs/issues/6185)
+- Webhooks are not fired after push when `[service] REQUIRE_SIGNIN_VIEW = true`.
+- Files with identical content are randomly displayed one of them.
+
+### Removed
+
+- Configuration option `[other] SHOW_FOOTER_VERSION`
+- Configuration option `[server] STATIC_ROOT_PATH`
+- Configuration option `[repository] MIRROR_QUEUE_LENGTH`
+- Configuration option `[repository] PULL_REQUEST_QUEUE_LENGTH`
+- Configuration option `[session] ENABLE_SET_COOKIE`
+- Configuration option `[release.attachment] PATH`
+- Configuration option `[webhook] QUEUE_LENGTH`
+- Build tag `sqlite`, which means CGO is now required.
+
+---
+
+**Older change logs can be found on [GitHub](https://github.com/gogs/gogs/releases?after=v0.12.0).**
@@ -0,0 +1 @@
+AGENTS.md
@@ -0,0 +1,2 @@
+# Default
+* @gogs/core
@@ -1,67 +0,0 @@
-# Contributing to Gogs
-
-> This guidelines sheet is forked from [CONTRIBUTING.md](https://github.com/drone/drone/blob/8d9c7cee56d6c2eac81dc156ce27be6716d97e68/CONTRIBUTING.md).
-
-Gogs is not perfect, and it has bugs or incomplete features in rare cases. You're welcome to tell us, or to contribute some code. This document describes details about how can you contribute to Gogs project.
-
-## Contribution guidelines
-
-Depends on the situation, you will:
-
- Find a bug and create an issue
- Need more functionality and make a feature request
- Want to contribute code and open a pull request
- Run into issue and need help
-
-### Bug Report
-
-If you find something you consider a bug, please create a issue on [GitHub](https://github.com/gogits/gogs/issues). To avoid wasting time and reduce back-and-forth communication with team members, please include at least the following information in a form comfortable for you:
-
- Bug Description
- Gogs Version
- Git Version
- System Type
- Error Log
- Other information
-
-Please take a moment to check that an issue on [GitHub](https://github.com/gogits/gogs/issues) doesn't already exist documenting your bug report or improvement proposal. If it does, it never hurts to add a quick "+1" or "I have this problem too". This will help prioritize the most common problems and requests.
-
-#### Bug Report Example
-
-Gogs crashed when creating a repository with a license, using v0.5.13.0207, SQLite3, Git 1.9.0, Ubuntu 12.04.
-
-Error log:
-
-```
-2014/09/01 07:21:49 [E] nil pointer
-```
-
-### Feature Request
-
-There is no standard form of making a feature request. Just try to describe the feature as clearly as possible, because team members may not have experience with the functionality you're talking about.
-
-### Pull Request
-
-Please read detailed information on [Wiki](https://github.com/gogits/gogs/wiki/Contributing-Code).
-
-### Ask For Help
-
-Before opening an issue, please make sure your problem isn't already addressed on the [Troubleshooting](http://gogs.io/docs/intro/troubleshooting.md) and [FAQs](http://gogs.io/docs/intro/faqs.html) pages.
-
-## Things To Notice
-
-Please take a moment to check that an issue on [GitHub](https://github.com/gogits/gogs/issues) or card on [Trello](https://trello.com/b/uxAoeLUl/gogs-go-git-service) doesn't already exist documenting your bug report or improvement proposal. If it does, it never hurts to add a quick "+1" or "I have this problem too". This will help prioritize the most common problems and requests.
-
-## Code of conduct
-
-As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, age, or religion.
-
-Examples of unacceptable behavior by participants include the use of sexual language or imagery, derogatory comments or personal attacks, trolling, public or private harassment, insults, or other unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. Project maintainers who do not follow the Code of Conduct may be removed from the project team.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior can be reported by emailing u@gogs.io
-
-This Code of Conduct is adapted from the [Contributor Covenant](http:contributor-covenant.org), version 1.0.0, available at [http://contributor-covenant.org/version/1/0/0/](http://contributor-covenant.org/version/1/0/0/)
@@ -1,22 +1,56 @@
-FROM alpine:3.2
-MAINTAINER roemer.jp@gmail.com
+FROM --platform=$BUILDPLATFORM node:24-alpine AS webbuilder
+RUN corepack enable
+WORKDIR /src
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY web ./web
+COPY conf/locale ./conf/locale
+RUN pnpm install --frozen-lockfile
+RUN pnpm --filter gogs-web run build

-# Install system utils & Gogs runtime dependencies
-ADD https://github.com/tianon/gosu/releases/download/1.6/gosu-amd64 /usr/sbin/gosu
-RUN echo "@edge http://dl-4.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories \
- && echo "@community http://dl-4.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories \
- && apk -U --no-progress upgrade \
- && apk -U --no-progress add ca-certificates bash git linux-pam s6@edge curl openssh socat \
- && chmod +x /usr/sbin/gosu
+FROM golang:1.26-alpine3.23 AS binarybuilder
+RUN apk --no-cache --no-progress add --virtual \
+  build-deps \
+  build-base \
+  git \
+  linux-pam-dev

-ENV GOGS_CUSTOM /data/gogs
+WORKDIR /gogs.io/gogs
+COPY . .
+COPY --from=webbuilder /src/public/dist ./public/dist

-COPY . /app/gogs/
-WORKDIR /app/gogs/
-RUN ./docker/build.sh
+RUN go build -v -trimpath -tags "pam prod" \
+  -ldflags "-X 'gogs.io/gogs/internal/conf.BuildTime=$(date -u '+%Y-%m-%d %I:%M:%S %Z')' -X 'gogs.io/gogs/internal/conf.BuildCommit=$(git rev-parse HEAD)'" \
+  -o .bin/gogs ./cmd/gogs

-# Configure Docker Container
-VOLUME ["/data"]
+FROM alpine:3.23
+RUN apk --no-cache --no-progress add \
+  bash \
+  ca-certificates \
+  curl \
+  git \
+  linux-pam \
+  openssh \
+  s6 \
+  shadow \
+  socat \
+  tzdata \
+  rsync \
+  "zlib>1.3.2"
+
+ENV GOGS_CUSTOM=/data/gogs
+
+# Configure LibC Name Service
+COPY docker/nsswitch.conf /etc/nsswitch.conf
+
+WORKDIR /app/gogs
+COPY docker ./docker
+COPY --from=binarybuilder /gogs.io/gogs/.bin/gogs .
+
+RUN ./docker/build/finalize.sh
+
+# Configure Docker Container
+VOLUME ["/data", "/backup"]
 EXPOSE 22 3000
-ENTRYPOINT ["docker/start.sh"]
-CMD ["/bin/s6-svscan", "/app/gogs/docker/s6/"]
+HEALTHCHECK CMD (curl --noproxy localhost -o /dev/null -sS http://localhost:3000/healthcheck) || exit 1
+ENTRYPOINT ["/app/gogs/docker/start.sh"]
+CMD ["/usr/bin/s6-svscan", "/app/gogs/docker/s6/"]
@@ -0,0 +1,62 @@
+FROM --platform=$BUILDPLATFORM node:24-alpine AS webbuilder
+RUN corepack enable
+WORKDIR /src
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY web ./web
+COPY conf/locale ./conf/locale
+RUN pnpm install --frozen-lockfile
+RUN pnpm --filter gogs-web run build
+
+FROM golang:1.26-alpine3.23 AS binarybuilder
+RUN apk --no-cache --no-progress add --virtual \
+  build-deps \
+  build-base \
+  git \
+  linux-pam-dev
+
+WORKDIR /gogs.io/gogs
+COPY . .
+COPY --from=webbuilder /src/public/dist ./public/dist
+
+RUN go build -v -trimpath -tags "pam prod" \
+  -ldflags "-X 'gogs.io/gogs/internal/conf.BuildTime=$(date -u '+%Y-%m-%d %I:%M:%S %Z')' -X 'gogs.io/gogs/internal/conf.BuildCommit=$(git rev-parse HEAD)'" \
+  -o .bin/gogs ./cmd/gogs
+
+FROM alpine:3.23
+
+# Create git user and group with fixed UID/GID at build time for better K8s security context support.
+# Using 1000:1000 as it's a common non-root UID/GID that works well with most volume permission setups.
+ARG GOGS_UID=1000
+ARG GOGS_GID=1000
+RUN addgroup -g ${GOGS_GID} -S git && \
+    adduser -u ${GOGS_UID} -G git -H -D -g 'Gogs Git User' -h /data/git -s /bin/sh git
+
+RUN apk --no-cache --no-progress add \
+  bash \
+  ca-certificates \
+  curl \
+  git \
+  linux-pam \
+  openssh-keygen \
+  "zlib>1.3.2"
+
+ENV GOGS_CUSTOM=/data/gogs
+
+WORKDIR /app/gogs
+COPY --from=binarybuilder /gogs.io/gogs/.bin/gogs .
+COPY docker-next/start.sh .
+RUN chmod +x start.sh && \
+    mkdir -p /data && \
+    ln -s /data/git /home/git && \
+    chown -R git:git /app/gogs /data
+
+# Configure Docker Container
+VOLUME ["/data", "/backup"]
+EXPOSE 22 3000
+HEALTHCHECK CMD (curl --noproxy localhost -o /dev/null -sS http://localhost:3000/healthcheck) || exit 1
+
+# Run as non-root user by default for better K8s security context support.
+USER git:git
+
+ENTRYPOINT ["/app/gogs/start.sh"]
+CMD ["/app/gogs/gogs", "web"]
@@ -1,22 +0,0 @@
-FROM sander85/rpi-alpine:latest
-MAINTAINER roemer.jp@gmail.com, raxetul@gmail.com
-
-# Install system utils & Gogs runtime dependencies
-ADD https://github.com/tianon/gosu/releases/download/1.6/gosu-armhf /usr/sbin/gosu
-RUN echo "@edge http://dl-4.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories \
- && echo "@community http://dl-4.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories \
- && apk -U --no-progress upgrade \
- && apk -U --no-progress add ca-certificates bash git linux-pam s6@edge curl openssh socat \
- && chmod +x /usr/sbin/gosu
-
-ENV GOGS_CUSTOM /data/gogs
-
-COPY . /app/gogs/
-WORKDIR /app/gogs/
-RUN ./docker/build.sh
-
-# Configure Docker Container
-VOLUME ["/data"]
-EXPOSE 22 3000
-ENTRYPOINT ["docker/start.sh"]
-CMD ["/usr/bin/s6-svscan", "/app/gogs/docker/s6/"]
@@ -1,4 +1,4 @@
-Copyright (c) 2014 All Gogs Contributors
+Copyright (c) The Gogs Authors

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -1,48 +0,0 @@
-LDFLAGS += -X "github.com/gogits/gogs/modules/setting.BuildTime=$(shell date -u '+%Y-%m-%d %I:%M:%S %Z')"
-LDFLAGS += -X "github.com/gogits/gogs/modules/setting.BuildGitHash=$(shell git rev-parse HEAD)"
-
-DATA_FILES := $(shell find conf | sed 's/ /\\ /g')
-LESS_FILES := $(wildcard public/less/gogs.less public/less/_*.less)
-GENERATED  := modules/bindata/bindata.go public/css/gogs.css
-
-TAGS = ""
-
-RELEASE_ROOT = "release"
-RELEASE_GOGS = "release/gogs"
-NOW = $(shell date -u '+%Y%m%d%I%M%S')
-
-.PHONY: build pack release bindata clean
-
-.IGNORE: public/css/gogs.css
-
-build: $(GENERATED)
-	go install -ldflags '$(LDFLAGS)' -tags '$(TAGS)'
-	cp '$(GOPATH)/bin/gogs' .
-
-govet:
-	go tool vet -composites=false -methods=false -structtags=false .
-
-pack:
-	rm -rf $(RELEASE_GOGS)
-	mkdir -p $(RELEASE_GOGS)
-	cp -r gogs LICENSE README.md README_ZH.md templates public scripts $(RELEASE_GOGS)
-	rm -rf $(RELEASE_GOGS)/public/config.codekit $(RELEASE_GOGS)/public/less
-	cd $(RELEASE_ROOT) && zip -r gogs.$(NOW).zip "gogs"
-
-release: build pack
-
-bindata: modules/bindata/bindata.go
-
-modules/bindata/bindata.go: $(DATA_FILES)
-	go-bindata -o=$@ -ignore="\\.DS_Store|README.md" -pkg=bindata conf/...
-
-less: public/css/gogs.css
-
-public/css/gogs.css: $(LESS_FILES)
-	lessc $< $@
-
-clean:
-	go clean -i ./...
-
-clean-mac: clean
-	find . -name ".DS_Store" -print0 | xargs -0 rm
@@ -1,127 +1,111 @@
-Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?branch=master)](https://travis-ci.org/gogits/gogs) [![Docker Repository on Quay](https://quay.io/repository/gogs/gogs/status "Docker Repository on Quay")](https://quay.io/repository/gogs/gogs) [![Crowdin](https://d322cqt584bo4o.cloudfront.net/gogs/localized.svg)](https://crowdin.com/project/gogs) [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/gogits/gogs?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-=====================

-![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
+ <p>
+  <div align="center">
+    <img src="docs/images/logo-light.svg#gh-light-mode-only" alt="Gogs">
+    <img src="docs/images/logo-dark.svg#gh-dark-mode-only" alt="Gogs">
+  </div>
+  <div align="center">
+    <a href="https://github.com/gogs/gogs/actions?query=branch%3Amain"><img
+  src="https://img.shields.io/github/checks-status/gogs/gogs/main?logo=github&style=for-the-badge" alt="GitHub Workflow Status"></a>
+    <a href="https://sourcegraph.com/github.com/gogs/gogs"><img
+src="https://img.shields.io/badge/view%20on-Sourcegraph-brightgreen.svg?style=for-the-badge&logo=sourcegraph" alt="Sourcegraph"></a>
+  </div>
+  <div align="center">
+    👉 Deploy on DigitalOcean and <a href="https://m.do.co/c/5aeb02268b55">get $200 in free credits</a>!
+  </div>
+</p>

-##### Current version: 0.8.10
+## 🔮 Vision

-| Web | UI  | Preview  |
-|:-------------:|:-------:|:-------:|
-|![Dashboard](https://gogs.io/img/screenshots/1.png)|![Repository](https://gogs.io/img/screenshots/2.png)|![Commits History](https://gogs.io/img/screenshots/3.png)|
-|![Profile](https://gogs.io/img/screenshots/4.png)|![Admin Dashboard](https://gogs.io/img/screenshots/5.png)|![Diff](https://gogs.io/img/screenshots/6.png)|
-|![Issues](https://gogs.io/img/screenshots/7.png)|![Releases](https://gogs.io/img/screenshots/8.png)|![Organization](https://gogs.io/img/screenshots/9.png)|
+The Gogs (`/gɑgz/`) project aims to build a simple, stable and extensible self-hosted Git service that can be set up in the most painless way. With Go, this can be done with an independent binary distribution across all platforms that Go supports, including Linux, macOS, Windows and ARM-based systems.

-### NOTICES
+## 📡 Overview

- :bangbang: You **MUST** read [CONTRIBUTING.md](CONTRIBUTING.md) for bug report and contributing code. :bangbang:
- Please [start discussion](http://forum.gogs.io/category/2/general-discussion) or [ask a question](http://forum.gogs.io/category/4/getting-help) on [the forum](http://forum.gogs.io/). GitHub issue tracker only keeps **bugs** and **feature requests**, all other topics will be closed without reason.
- Due to testing purpose, data of [try.gogs.io](https://try.gogs.io) was reset in **Jan 28, 2015** and will reset multiple times after. Please do **NOT** put your important data on the site.
- The demo site [try.gogs.io](https://try.gogs.io) is running under `develop` branch.
- If you think there are vulnerabilities in the project, please talk privately to **u@gogs.io**. Thanks!
- If you're interested in using APIs, we have experimental support with [documentation](https://github.com/gogits/go-gogs-client/wiki).
- If your team/company is using Gogs and would like to put your logo on [our website](http://gogs.io), contact us by any means.
-
-[简体中文](README_ZH.md)
-
-## Purpose
-
-The goal of this project is to make the easiest, fastest, and most painless way of setting up a self-hosted Git service. With Go, this can be done with an independent binary distribution across **ALL platforms** that Go supports, including Linux, Mac OS X, Windows and ARM.
-
-## Overview
-
- Please see the [Documentation](http://gogs.io/docs/intro) for common usages and change log.
- See the [Trello Board](https://trello.com/b/uxAoeLUl/gogs-go-git-service) to follow the develop team.
+- Please visit [our home page](https://gogs.io) for user documentation.
+- Please refer to [CHANGELOG.md](CHANGELOG.md) for list of changes in each releases.
 - Want to try it before doing anything else? Do it [online](https://try.gogs.io/gogs/gogs)!
- Having trouble? Get help with [Troubleshooting](http://gogs.io/docs/intro/troubleshooting.html).
- Want to help with localization? Check out the [guide](http://gogs.io/docs/features/i18n.html)!
+- Having trouble? Help yourself with [troubleshooting](https://gogs.io/asking/troubleshooting) or ask questions in [Discussions](https://github.com/gogs/gogs/discussions).
+- Want to help with localization? Check out the [localization documentation](https://gogs.io/advancing/localization).
+- Ready to get hands dirty? Read our [contributing guide](.github/CONTRIBUTING.md).
+- Hmm... What about APIs? We have experimental support with [documentation](https://gogs.io/api-reference).

-## Features
+## 💌 Features

- Activity timeline
- SSH and HTTP/HTTPS protocols
- SMTP/LDAP/Reverse proxy authentication
- Reverse proxy with sub-path
- Account/Organization/Repository management
- Repository/Organization webhooks (including Slack)
- Repository Git hooks/deploy keys
- Repository issues, pull requests and wiki
- Add/Remove repository collaborators
- Gravatar and custom source
- Mail service
- Administration panel
- Supports MySQL, PostgreSQL, SQLite3 and [TiDB](https://github.com/pingcap/tidb) (experimental)
- Multi-language support ([14 languages](https://crowdin.com/project/gogs))
+- User dashboard, user profile and activity timeline.
+- Access repositories via SSH, HTTP and HTTPS protocols.
+- User, organization and repository management.
+- Repository and organization webhooks, including Slack, Discord and Dingtalk.
+- Repository Git hooks, deploy keys and Git LFS.
+- Repository issues, pull requests, wiki, protected branches and collaboration.
+- Migrate and mirror repositories with wiki from other code hosts.
+- Web editor for quick editing repository files and wiki.
+- Jupyter Notebook and PDF rendering.
+- Authentication via SMTP, LDAP, reverse proxy, GitHub.com and GitHub Enterprise with 2FA.
+- Customize HTML templates, static files and many others.
+- Rich database backend support, including PostgreSQL, MySQL, SQLite3 or any database backend that speaks one of those protocols.
+- Have localization over [31 languages](https://crowdin.com/project/gogs).

-## System Requirements
+## 💾 Hardware requirements

- A cheap Raspberry Pi is powerful enough for basic functionality.
- 2 CPU cores and 1GB RAM would be the baseline for teamwork.
+- A Raspberry Pi or $5 Digital Ocean Droplet is more than enough to get you started. Some even use 64MB RAM Docker [CaaS](https://www.docker.com/blog/containers-as-a-service-caas/).
+- 2 CPU cores and 512MB RAM would be the baseline for teamwork.
+- Increase CPU cores when your team size gets significantly larger, memory footprint remains low.

-## Browser Support
+## 💻 Browser support

 - Please see [Semantic UI](https://github.com/Semantic-Org/Semantic-UI#browser-support) for specific versions of supported browsers.
- The official support minimal size  is **1024*768**, UI may still looks right in smaller size but no promises and fixes.
+- The smallest resolution officially supported is **1024*768**, however the UI may still look right in smaller resolutions, but no promises or fixes.

-## Installation
+## 📜 Installation

-Make sure you install the [prerequisites](http://gogs.io/docs/installation) first.
+Please follow [the guide in our documentation](https://gogs.io/getting-started/installation).

-There are 5 ways to install Gogs:
+### Deploy to cloud

- [Install from binary](http://gogs.io/docs/installation/install_from_binary.html)
- [Install from source](http://gogs.io/docs/installation/install_from_source.html)
- [Install from packages](http://gogs.io/docs/installation/install_from_packages.html)
- [Ship with Docker](https://github.com/gogits/gogs/tree/master/docker)
- [Install with Vagrant](https://github.com/geerlingguy/ansible-vagrant-examples/tree/master/gogs)
+- [Cloudron](https://www.cloudron.io/store/io.gogs.cloudronapp.html)
+- [YunoHost](https://github.com/YunoHost-Apps/gogs_ynh)
+- [alwaysdata](https://www.alwaysdata.com/en/marketplace/gogs/)

 ### Tutorials

+- [Private Git Web Portal in Raspberry PI With Gogs](https://peppe8o.com/private-git-web-portal-in-raspberry-pi-with-gogs/)
 - [How To Set Up Gogs on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-gogs-on-ubuntu-14-04)
- [Run your own GitHub-like service with the help of Docker](http://blog.hypriot.com/post/run-your-own-github-like-service-with-docker/)
- [使用 Gogs 搭建自己的 Git 服务器](https://mynook.info/blog/post/host-your-own-git-server-using-gogs) (Chinese)
- [阿里云上 Ubuntu 14.04 64 位安装 Gogs](http://my.oschina.net/luyao/blog/375654) (Chinese)
+- [Run your own GitHub-like service with the help of Docker](https://blog.hypriot.com/post/run-your-own-github-like-service-with-docker/)
+- [Dockerized Gogs git server and alpine postgres in 20 minutes or less](https://garthwaite.org/docker-gogs.html)
+- [Host Your Own Private GitHub with Gogs](https://eladnava.com/host-your-own-private-github-with-gogs-io/)
+- [使用 Gogs 搭建自己的 Git 服务器](https://blog.mynook.info/post/host-your-own-git-server-using-gogs/) (Chinese)
+- [阿里云上 Ubuntu 14.04 64 位安装 Gogs](https://my.oschina.net/luyao/blog/375654) (Chinese)
 - [Installing Gogs on FreeBSD](https://www.codejam.info/2015/03/installing-gogs-on-freebsd.html)
- [Gogs on Raspberry Pi](http://blog.meinside.pe.kr/Gogs-on-Raspberry-Pi/)
+- [How to install Gogs on a Linux Server (DigitalOcean)](https://www.youtube.com/watch?v=deSfX0gqefE)

-### Screencasts
-
- [Instalando Gogs no Ubuntu](https://www.youtube.com/watch?v=4UkHAR1F7ZA) (Português)
-
-### Deploy to Cloud
-
- [OpenShift](https://github.com/tkisme/gogs-openshift)
- [Cloudron](https://cloudron.io/appstore.html#io.gogs.cloudronapp)
- [Scaleway](https://www.scaleway.com/imagehub/gogs/)
- [Portal](https://portaldemo.xyz/cloud/)
- [Sandstorm](https://github.com/cem/gogs-sandstorm)
- [sloppy.io](https://github.com/sloppyio/quickstarters/tree/master/gogs)
-
-## Software and Service Support
-
- [Drone](https://github.com/drone/drone) (CI)
- [Fabric8](http://fabric8.io/) (DevOps)
- [Taiga](https://taiga.io/) (Project Management)
-
-### Product Support
+## 📦 Software, service and product support

+- [Jenkins](https://plugins.jenkins.io/gogs-webhook/) (CI)
+- [Puppet](https://forge.puppet.com/modules/Siteminds/gogs) (IT)
 - [Synology](https://www.synology.com) (Docker)
- [One Space](http://www.onespace.cc) (App Store)
+- [Syncloud](https://syncloud.org/) (App Store)

-## Acknowledgments
+## 🙇‍♂️ Acknowledgments

- Router and middleware mechanism of [Macaron](https://github.com/go-macaron/macaron).
- Modules design is inspired by [WeTalk](https://github.com/beego/wetalk).
- System Monitor Status is inspired by [GoBlog](https://github.com/fuxiaohei/goblog).
- Thanks [lavachen](http://www.lavachen.cn/) and [Rocker](http://weibo.com/rocker1989) for designing Logo.
- Thanks [Crowdin](https://crowdin.com/project/gogs) for providing open source translation plan.
- Thanks [DigitalOcean](https://www.digitalocean.com) for hosting home and demo sites.
+<p>This project is proudly supported by:</p>
+<p>
+  <a href="https://m.do.co/c/5aeb02268b55">
+    <img src="https://opensource.nyc3.cdn.digitaloceanspaces.com/attribution/assets/SVG/DO_Logo_horizontal_blue.svg" width="201px">
+  </a>
+</p>

-## Contributors
+Other acknowledgments:

- Ex-team members [@lunny](https://github.com/lunny), [@fuxiaohei](https://github.com/fuxiaohei) and [@slene](https://github.com/slene).
- See [contributors page](https://github.com/gogits/gogs/graphs/contributors) for full list of contributors.
+- Thanks [Egon Elbre](https://twitter.com/egonelbre) for designing the original version of the logo.
+- Thanks [Mintlify](https://mintlify.com) for sponsoring open source documentation plan.
+- Thanks [Crowdin](https://crowdin.com) for sponsoring open source translation plan.
+- Thanks [Buildkite](https://buildkite.com) for sponsoring open source CI/CD plan.
+
+## 👋 Contributors
+
+- See [contributors page](https://github.com/gogs/gogs/graphs/contributors) for top 100 contributors.
 - See [TRANSLATORS](conf/locale/TRANSLATORS) for public list of translators.

-## License
+## ⚖️ License

-This project is under the MIT License. See the [LICENSE](https://github.com/gogits/gogs/blob/master/LICENSE) file for the full license text.
+This project is under the MIT License. See the [LICENSE](https://github.com/gogs/gogs/blob/main/LICENSE) file for the full license text.
@@ -1,99 +0,0 @@
-Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?branch=master)](https://travis-ci.org/gogits/gogs)
-=====================
-
-Gogs (Go Git Service) 是一款极易搭建的自助 Git 服务。
-
-## 开发目的
-
-Gogs 的目标是打造一个最简单、最快速和最轻松的方式搭建自助 Git 服务。使用 Go 语言开发使得 Gogs 能够通过独立的二进制分发，并且支持 Go 语言支持的 **所有平台**，包括 Linux、Mac OS X、Windows 以及 ARM 平台。
-
-## 项目概览
-
- 有关基本用法和变更日志，请通过 [使用手册](http://gogs.io/docs/intro/) 查看。
- 您可以到 [Trello Board](https://trello.com/b/uxAoeLUl/gogs-go-git-service) 跟随开发团队的脚步。
- 想要先睹为快？直接去 [在线体验](https://try.gogs.io/gogs/gogs) 。
- 使用过程中遇到问题？尝试从 [故障排查](http://gogs.io/docs/intro/troubleshooting.html) 页面获取帮助。
- 希望帮助多国语言界面的翻译吗？请立即访问 [详情页面](http://gogs.io/docs/features/i18n.html)！
-
-## 功能特性
-
- 支持活动时间线
- 支持 SSH 以及 HTTP/HTTPS 协议
- 支持 SMTP、LDAP 和反向代理的用户认证
- 支持反向代理子路径
- 支持用户、组织和仓库管理系统
- 支持仓库和组织级别 Web 钩子（包括 Slack 集成）
- 支持仓库 Git 钩子和部署密钥
- 支持仓库工单（Issue）、合并请求（Pull Request）以及 Wiki
- 支持添加和删除仓库协作者
- 支持 Gravatar 以及自定义源
- 支持邮件服务
- 支持后台管理面板
- 支持 MySQL、PostgreSQL、SQLite3 和 [TiDB](https://github.com/pingcap/tidb)（实验性支持） 数据库
- 支持多语言本地化（[14 种语言]([more](https://crowdin.com/project/gogs))）
-
-## 系统要求
-
- 最低的系统硬件要求为一个廉价的树莓派
- 如果用于团队项目，建议使用 2 核 CPU 及 1GB 内存
-
-## 浏览器支持
-
- 请根据 [Semantic UI](https://github.com/Semantic-Org/Semantic-UI#browser-support) 查看具体支持的浏览器版本。
- 官方支持的最小 UI 尺寸为 **1024*768**，UI 不一定会在更小尺寸的设备上被破坏，但我们无法保证且不会修复。
-
-## 安装部署
-
-在安装 Gogs 之前，您需要先安装 [基本环境](http://gogs.io/docs/installation)。
-
-然后，您可以通过以下 5 种方式来安装 Gogs：
-
- [二进制安装](http://gogs.io/docs/installation/install_from_binary.html)
- [源码安装](http://gogs.io/docs/installation/install_from_source.html)
- [包管理安装](http://gogs.io/docs/installation/install_from_packages.html)
- [采用 Docker 部署](https://github.com/gogits/gogs/tree/master/docker)
- [通过 Vagrant 安装](https://github.com/geerlingguy/ansible-vagrant-examples/tree/master/gogs)
-
-### 使用教程
-
- [使用 Gogs 搭建自己的 Git 服务器](https://mynook.info/blog/post/host-your-own-git-server-using-gogs)
- [阿里云上 Ubuntu 14.04 64 位安装 Gogs](http://my.oschina.net/luyao/blog/375654)
-
-### 云端部署
-
- [OpenShift](https://github.com/tkisme/gogs-openshift)
- [Cloudron](https://cloudron.io/appstore.html#io.gogs.cloudronapp)
- [Scaleway](https://www.scaleway.com/imagehub/gogs/)
- [Portal](https://portaldemo.xyz/cloud/)
- [Sandstorm](https://github.com/cem/gogs-sandstorm)
- [sloppy.io](https://github.com/sloppyio/quickstarters/tree/master/gogs)
-
-## 软件及服务支持
-
- [Drone](https://github.com/drone/drone)（CI）
- [Fabric8](http://fabric8.io/)（DevOps）
- [Taiga](https://taiga.io/)（项目管理）
-
-### 产品支持
-
- [Synology](https://www.synology.com)（Docker）
- [One Space](http://www.onespace.cc)（应用商店）
-
-## 特别鸣谢
-
- 基于 [Macaron](https://github.com/go-macaron/macaron) 的路由与中间件机制。
- 基于 [WeTalk](https://github.com/beego/wetalk) 修改的模块设计。
- 基于 [GoBlog](https://github.com/fuxiaohei/goblog) 修改的系统监视状态。
- 感谢 [lavachen](http://www.lavachen.cn/) 和 [Rocker](http://weibo.com/rocker1989) 设计的 Logo。
- 感谢 [Crowdin](https://crowdin.com/project/gogs) 提供免费的开源项目本地化支持。
- 感谢 [DigitalOcean](https://www.digitalocean.com) 提供主站和体验站点的服务器赞助。
-
-## 贡献成员
-
- 前团队成员 [@lunny](https://github.com/lunny)、[@fuxiaohei](https://github.com/fuxiaohei) 和 [@slene](https://github.com/slene)。
- 您可以通过查看 [贡献者页面](https://github.com/gogits/gogs/graphs/contributors) 获取完整的贡献者列表。
- 您可以通过查看 [TRANSLATORS](conf/locale/TRANSLATORS) 文件获取公开的翻译人员列表。
-
-## 授权许可
-
-本项目采用 MIT 开源授权许可证，完整的授权说明已放置在 [LICENSE](https://github.com/gogits/gogs/blob/master/LICENSE) 文件中。
@@ -0,0 +1,27 @@
+# Security policy
+
+## Supported versions
+
+Only the latest minor version releases are supported (e.g., 0.14) for patching vulnerabilities. You can find the latest minor version in the [GitHub releases](https://github.com/gogs/gogs/releases) page. 
+
+Existing vulnerability reports are being tracked in [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories). Not all accepted GHSA are published.
+
+## Vulnerability lifecycle
+
+> [!important]
+> Starting **Nov 9, 2023 00:00 UTC**, only security vulnerabilities reported through [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories/new) are accepted.
+> Pre-existing vulnerability reported through https://huntr.dev/ or email (`security@gogs.io`) will continue to be worked through.
+
+1. Report an advisory for the vulnerability.
+    - Please be aware that **only advisories reported in plain English** will be reviewed.
+    - We DO NOT accept vulnerabilities cannot be reproduced on the latest `main` commit.
+1. Project maintainers review the advisory:
+    - Ask clarifying questions
+    - Make sure there was no prior advisory exists for the same vulnerability
+    - Confirm or deny the vulnerability
+1. Once the advisory is accepted, the reporter may submit a patch or wait for project maintainers to patch.
+    - The latter is usually significantly slower.
+1. Patch releases will be made for the supported versions.
+1. After 14 days of the release, publish the corresponding advisory on [GitHub Security Advisories](https://github.com/gogs/gogs/security/advisories).
+
+Thank you for making open source community a better place!
@@ -1,161 +0,0 @@
-// +build cert
-
-// Copyright 2009 The Go Authors. All rights reserved.
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package cmd
-
-import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
-	"log"
-	"math/big"
-	"net"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/codegangsta/cli"
-)
-
-var CmdCert = cli.Command{
-	Name:  "cert",
-	Usage: "Generate self-signed certificate",
-	Description: `Generate a self-signed X.509 certificate for a TLS server. 
-Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
-	Action: runCert,
-	Flags: []cli.Flag{
-		stringFlag("host", "", "Comma-separated hostnames and IPs to generate a certificate for"),
-		stringFlag("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521"),
-		intFlag("rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set"),
-		stringFlag("start-date", "", "Creation date formatted as Jan 1 15:04:05 2011"),
-		durationFlag("duration", 365*24*time.Hour, "Duration that certificate is valid for"),
-		boolFlag("ca", "whether this cert should be its own Certificate Authority"),
-	},
-}
-
-func publicKey(priv interface{}) interface{} {
-	switch k := priv.(type) {
-	case *rsa.PrivateKey:
-		return &k.PublicKey
-	case *ecdsa.PrivateKey:
-		return &k.PublicKey
-	default:
-		return nil
-	}
-}
-
-func pemBlockForKey(priv interface{}) *pem.Block {
-	switch k := priv.(type) {
-	case *rsa.PrivateKey:
-		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
-	case *ecdsa.PrivateKey:
-		b, err := x509.MarshalECPrivateKey(k)
-		if err != nil {
-			log.Fatal("unable to marshal ECDSA private key: %v", err)
-		}
-		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
-	default:
-		return nil
-	}
-}
-
-func runCert(ctx *cli.Context) {
-	if len(ctx.String("host")) == 0 {
-		log.Fatal("Missing required --host parameter")
-	}
-
-	var priv interface{}
-	var err error
-	switch ctx.String("ecdsa-curve") {
-	case "":
-		priv, err = rsa.GenerateKey(rand.Reader, ctx.Int("rsa-bits"))
-	case "P224":
-		priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
-	case "P256":
-		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	case "P384":
-		priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
-	case "P521":
-		priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
-	default:
-		log.Fatalf("Unrecognized elliptic curve: %q", ctx.String("ecdsa-curve"))
-	}
-	if err != nil {
-		log.Fatalf("Failed to generate private key: %s", err)
-	}
-
-	var notBefore time.Time
-	if len(ctx.String("start-date")) == 0 {
-		notBefore = time.Now()
-	} else {
-		notBefore, err = time.Parse("Jan 2 15:04:05 2006", ctx.String("start-date"))
-		if err != nil {
-			log.Fatalf("Failed to parse creation date: %s", err)
-		}
-	}
-
-	notAfter := notBefore.Add(ctx.Duration("duration"))
-
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		log.Fatalf("Failed to generate serial number: %s", err)
-	}
-
-	template := x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			Organization: []string{"Acme Co"},
-			CommonName:   "Gogs",
-		},
-		NotBefore: notBefore,
-		NotAfter:  notAfter,
-
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-
-	hosts := strings.Split(ctx.String("host"), ",")
-	for _, h := range hosts {
-		if ip := net.ParseIP(h); ip != nil {
-			template.IPAddresses = append(template.IPAddresses, ip)
-		} else {
-			template.DNSNames = append(template.DNSNames, h)
-		}
-	}
-
-	if ctx.Bool("ca") {
-		template.IsCA = true
-		template.KeyUsage |= x509.KeyUsageCertSign
-	}
-
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
-	if err != nil {
-		log.Fatalf("Failed to create certificate: %s", err)
-	}
-
-	certOut, err := os.Create("cert.pem")
-	if err != nil {
-		log.Fatalf("Failed to open cert.pem for writing: %s", err)
-	}
-	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
-	certOut.Close()
-	log.Println("Written cert.pem")
-
-	keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		log.Fatal("failed to open key.pem for writing: %v", err)
-	}
-	pem.Encode(keyOut, pemBlockForKey(priv))
-	keyOut.Close()
-	log.Println("Written key.pem")
-}
@@ -1,26 +0,0 @@
-// +build !cert
-
-// Copyright 2009 The Go Authors. All rights reserved.
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-package cmd
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/codegangsta/cli"
-)
-
-var CmdCert = cli.Command{
-	Name:        "cert",
-	Usage:       "Generate self-signed certificate",
-	Description: `Please use build tags "cert" to rebuild Gogs in order to have this ability`,
-	Action:      runCert,
-}
-
-func runCert(ctx *cli.Context) {
-	fmt.Println("Command cert not available, please use build tags 'cert' to rebuild.")
-	os.Exit(1)
-}
@@ -1,42 +0,0 @@
-// Copyright 2015 The Gogs Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package cmd
-
-import (
-	"time"
-
-	"github.com/codegangsta/cli"
-)
-
-func stringFlag(name, value, usage string) cli.StringFlag {
-	return cli.StringFlag{
-		Name:  name,
-		Value: value,
-		Usage: usage,
-	}
-}
-
-func boolFlag(name, usage string) cli.BoolFlag {
-	return cli.BoolFlag{
-		Name:  name,
-		Usage: usage,
-	}
-}
-
-func intFlag(name string, value int, usage string) cli.IntFlag {
-	return cli.IntFlag{
-		Name:  name,
-		Value: value,
-		Usage: usage,
-	}
-}
-
-func durationFlag(name string, value time.Duration, usage string) cli.DurationFlag {
-	return cli.DurationFlag{
-		Name:  name,
-		Value: value,
-		Usage: usage,
-	}
-}
@@ -1,97 +0,0 @@
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package cmd
-
-import (
-	"fmt"
-	"log"
-	"os"
-	"path"
-	"time"
-
-	"io/ioutil"
-
-	"github.com/Unknwon/cae/zip"
-	"github.com/codegangsta/cli"
-
-	"github.com/gogits/gogs/models"
-	"github.com/gogits/gogs/modules/setting"
-)
-
-var CmdDump = cli.Command{
-	Name:  "dump",
-	Usage: "Dump Gogs files and database",
-	Description: `Dump compresses all related files and database into zip file.
-It can be used for backup and capture Gogs server image to send to maintainer`,
-	Action: runDump,
-	Flags: []cli.Flag{
-		stringFlag("config, c", "custom/conf/app.ini", "Custom configuration file path"),
-		boolFlag("verbose, v", "show process details"),
-	},
-}
-
-func runDump(ctx *cli.Context) {
-	if ctx.IsSet("config") {
-		setting.CustomConf = ctx.String("config")
-	}
-	setting.NewContext()
-	models.LoadConfigs()
-	models.SetEngine()
-
-	TmpWorkDir, err := ioutil.TempDir(os.TempDir(), "gogs-dump-")
-	if err != nil {
-		log.Fatalf("Fail to create tmp work directory: %v", err)
-	}
-	log.Printf("Creating tmp work dir: %s", TmpWorkDir)
-
-	reposDump := path.Join(TmpWorkDir, "gogs-repo.zip")
-	dbDump := path.Join(TmpWorkDir, "gogs-db.sql")
-
-	log.Printf("Dumping local repositories...%s", setting.RepoRootPath)
-	zip.Verbose = ctx.Bool("verbose")
-	if err := zip.PackTo(setting.RepoRootPath, reposDump, true); err != nil {
-		log.Fatalf("Fail to dump local repositories: %v", err)
-	}
-
-	log.Printf("Dumping database...")
-	if err := models.DumpDatabase(dbDump); err != nil {
-		log.Fatalf("Fail to dump database: %v", err)
-	}
-
-	fileName := fmt.Sprintf("gogs-dump-%d.zip", time.Now().Unix())
-	log.Printf("Packing dump files...")
-	z, err := zip.Create(fileName)
-	if err != nil {
-		os.Remove(fileName)
-		log.Fatalf("Fail to create %s: %v", fileName, err)
-	}
-
-	if err := z.AddFile("gogs-repo.zip", reposDump); err !=nil {
-		log.Fatalf("Fail to include gogs-repo.zip: %v", err)
-	}
-	if err := z.AddFile("gogs-db.sql", dbDump); err !=nil {
-		log.Fatalf("Fail to include gogs-db.sql: %v", err)
-	}
-	customDir, err := os.Stat(setting.CustomPath)
-	if err == nil && customDir.IsDir() {
-		if err := z.AddDir("custom", setting.CustomPath); err !=nil {
-			log.Fatalf("Fail to include custom: %v", err)
-	    }
-	} else {
-		log.Printf("Custom dir %s doesn't exist, skipped", setting.CustomPath)
-	}
-	if err := z.AddDir("log", setting.LogRootPath); err !=nil {
-		log.Fatalf("Fail to include log: %v", err)
-	}
-	// FIXME: SSH key file.
-	if err = z.Close(); err != nil {
-		os.Remove(fileName)
-		log.Fatalf("Fail to save %s: %v", fileName, err)
-	}
-
-	log.Printf("Removing tmp work dir: %s", TmpWorkDir)
-	os.RemoveAll(TmpWorkDir)
-	log.Printf("Finish dumping in file %s", fileName)
-}
@@ -0,0 +1,189 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"runtime"
+
+	"github.com/cockroachdb/errors"
+	"github.com/urfave/cli/v3"
+
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/database"
+)
+
+var (
+	adminCommand = cli.Command{
+		Name:  "admin",
+		Usage: "Perform admin operations on command line",
+		Description: `Allow using internal logic of Gogs without hacking into the source code
+to make automatic initialization process more smoothly`,
+		Commands: []*cli.Command{
+			&subcmdCreateUser,
+			&subcmdDeleteInactivateUsers,
+			&subcmdDeleteRepositoryArchives,
+			&subcmdDeleteMissingRepositories,
+			&subcmdGitGcRepos,
+			&subcmdRewriteAuthorizedKeys,
+			&subcmdSyncRepositoryHooks,
+			&subcmdReinitMissingRepositories,
+		},
+	}
+
+	subcmdCreateUser = cli.Command{
+		Name:   "create-user",
+		Usage:  "Create a new user in database",
+		Action: runCreateUser,
+		Flags: []cli.Flag{
+			stringFlag("name", "", "Username"),
+			stringFlag("password", "", "User password"),
+			stringFlag("email", "", "User email address"),
+			boolFlag("admin", "User is an admin"),
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+	}
+
+	subcmdDeleteInactivateUsers = cli.Command{
+		Name:  "delete-inactive-users",
+		Usage: "Delete all inactive accounts",
+		Action: adminDashboardOperation(
+			func() error { return database.Handle.Users().DeleteInactivated() },
+			"All inactivated accounts have been deleted successfully",
+		),
+		Flags: []cli.Flag{
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+	}
+
+	subcmdDeleteRepositoryArchives = cli.Command{
+		Name:  "delete-repository-archives",
+		Usage: "Delete all repositories archives",
+		Action: adminDashboardOperation(
+			database.DeleteRepositoryArchives,
+			"All repositories archives have been deleted successfully",
+		),
+		Flags: []cli.Flag{
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+	}
+
+	subcmdDeleteMissingRepositories = cli.Command{
+		Name:  "delete-missing-repositories",
+		Usage: "Delete all repository records that lost Git files",
+		Action: adminDashboardOperation(
+			database.DeleteMissingRepositories,
+			"All repositories archives have been deleted successfully",
+		),
+		Flags: []cli.Flag{
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+	}
+
+	subcmdGitGcRepos = cli.Command{
+		Name:  "collect-garbage",
+		Usage: "Do garbage collection on repositories",
+		Action: adminDashboardOperation(
+			database.GitGcRepos,
+			"All repositories have done garbage collection successfully",
+		),
+		Flags: []cli.Flag{
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+	}
+
+	subcmdRewriteAuthorizedKeys = cli.Command{
+		Name:  "rewrite-authorized-keys",
+		Usage: "Rewrite '.ssh/authorized_keys' file (caution: non-Gogs keys will be lost)",
+		Action: adminDashboardOperation(
+			database.RewriteAuthorizedKeys,
+			"All public keys have been rewritten successfully",
+		),
+		Flags: []cli.Flag{
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+	}
+
+	subcmdSyncRepositoryHooks = cli.Command{
+		Name:  "resync-hooks",
+		Usage: "Resync pre-receive, update and post-receive hooks",
+		Action: adminDashboardOperation(
+			database.SyncRepositoryHooks,
+			"All repositories' pre-receive, update and post-receive hooks have been resynced successfully",
+		),
+		Flags: []cli.Flag{
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+	}
+
+	subcmdReinitMissingRepositories = cli.Command{
+		Name:  "reinit-missing-repositories",
+		Usage: "Reinitialize all repository records that lost Git files",
+		Action: adminDashboardOperation(
+			database.ReinitMissingRepositories,
+			"All repository records that lost Git files have been reinitialized successfully",
+		),
+		Flags: []cli.Flag{
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+	}
+)
+
+func runCreateUser(ctx context.Context, cmd *cli.Command) error {
+	if !cmd.IsSet("name") {
+		return errors.New("Username is not specified")
+	} else if !cmd.IsSet("password") {
+		return errors.New("Password is not specified")
+	} else if !cmd.IsSet("email") {
+		return errors.New("Email is not specified")
+	}
+
+	err := conf.Init(configFromLineage(cmd))
+	if err != nil {
+		return errors.Wrap(err, "init configuration")
+	}
+	conf.InitLogging(true)
+
+	if _, err = database.SetEngine(); err != nil {
+		return errors.Wrap(err, "set engine")
+	}
+
+	user, err := database.Handle.Users().Create(
+		ctx,
+		cmd.String("name"),
+		cmd.String("email"),
+		database.CreateUserOptions{
+			Password:  cmd.String("password"),
+			Activated: true,
+			Admin:     cmd.Bool("admin"),
+		},
+	)
+	if err != nil {
+		return errors.Wrap(err, "create user")
+	}
+
+	fmt.Printf("New user %q has been successfully created!\n", user.Name)
+	return nil
+}
+
+func adminDashboardOperation(operation func() error, successMessage string) func(context.Context, *cli.Command) error {
+	return func(_ context.Context, cmd *cli.Command) error {
+		err := conf.Init(configFromLineage(cmd))
+		if err != nil {
+			return errors.Wrap(err, "init configuration")
+		}
+		conf.InitLogging(true)
+
+		if _, err = database.SetEngine(); err != nil {
+			return errors.Wrap(err, "set engine")
+		}
+
+		if err := operation(); err != nil {
+			functionName := runtime.FuncForPC(reflect.ValueOf(operation).Pointer()).Name()
+			return errors.Newf("%s: %v", functionName, err)
+		}
+
+		fmt.Printf("%s\n", successMessage)
+		return nil
+	}
+}
@@ -0,0 +1,194 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"time"
+
+	"github.com/cockroachdb/errors"
+	"github.com/unknwon/cae/zip"
+	"github.com/urfave/cli/v3"
+	"gopkg.in/ini.v1"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/database"
+	"gogs.io/gogs/internal/osx"
+)
+
+var backupCommand = cli.Command{
+	Name:  "backup",
+	Usage: "Backup files and database",
+	Description: `Backup dumps and compresses all related files and database into zip file,
+which can be used for migrating Gogs to another server. The output format is meant to be
+portable among all supported database engines.`,
+	Action: runBackup,
+	Flags: []cli.Flag{
+		stringFlag("config, c", "", "Custom configuration file path"),
+		boolFlag("verbose, v", "Show process details"),
+		stringFlag("tempdir, t", os.TempDir(), "Temporary directory path"),
+		stringFlag("target", "./", "Target directory path to save backup archive"),
+		stringFlag("archive-name", fmt.Sprintf("gogs-backup-%s.zip", time.Now().Format("20060102150405")), "Name of backup archive"),
+		boolFlag("database-only", "Only dump database"),
+		boolFlag("exclude-mirror-repos", "Exclude mirror repositories"),
+		boolFlag("exclude-repos", "Exclude repositories"),
+	},
+}
+
+const (
+	currentBackupFormatVersion = 1
+	archiveRootDir             = "gogs-backup"
+)
+
+func runBackup(ctx context.Context, cmd *cli.Command) error {
+	zip.Verbose = cmd.Bool("verbose")
+
+	err := conf.Init(configFromLineage(cmd))
+	if err != nil {
+		return errors.Wrap(err, "init configuration")
+	}
+	conf.InitLogging(true)
+
+	conn, err := database.SetEngine()
+	if err != nil {
+		return errors.Wrap(err, "set engine")
+	}
+
+	tmpDir := cmd.String("tempdir")
+	if !osx.Exist(tmpDir) {
+		log.Fatal("'--tempdir' does not exist: %s", tmpDir)
+	}
+	rootDir, err := os.MkdirTemp(tmpDir, "gogs-backup-")
+	if err != nil {
+		log.Fatal("Failed to create backup root directory '%s': %v", rootDir, err)
+	}
+	log.Info("Backup root directory: %s", rootDir)
+
+	// Metadata
+	metaFile := path.Join(rootDir, "metadata.ini")
+	metadata := ini.Empty()
+	metadata.Section("").Key("VERSION").SetValue(strconv.Itoa(currentBackupFormatVersion))
+	metadata.Section("").Key("DATE_TIME").SetValue(time.Now().String())
+	metadata.Section("").Key("GOGS_VERSION").SetValue(conf.App.Version)
+	if err = metadata.SaveTo(metaFile); err != nil {
+		log.Fatal("Failed to save metadata '%s': %v", metaFile, err)
+	}
+
+	archiveName := filepath.Join(cmd.String("target"), cmd.String("archive-name"))
+	log.Info("Packing backup files to: %s", archiveName)
+
+	z, err := zip.Create(archiveName)
+	if err != nil {
+		log.Fatal("Failed to create backup archive '%s': %v", archiveName, err)
+	}
+	if err = z.AddFile(archiveRootDir+"/metadata.ini", metaFile); err != nil {
+		log.Fatal("Failed to include 'metadata.ini': %v", err)
+	}
+
+	// Database
+	dbDir := filepath.Join(rootDir, "db")
+	if err = database.DumpDatabase(ctx, conn, dbDir, cmd.Bool("verbose")); err != nil {
+		log.Fatal("Failed to dump database: %v", err)
+	}
+	if err = z.AddDir(archiveRootDir+"/db", dbDir); err != nil {
+		log.Fatal("Failed to include 'db': %v", err)
+	}
+
+	if !cmd.Bool("database-only") {
+		// Custom files
+		err = addCustomDirToBackup(z)
+		if err != nil {
+			log.Fatal("Failed to add custom directory to backup: %v", err)
+		}
+
+		// Data files
+		for _, dir := range []string{"ssh", "attachments", "avatars", "repo-avatars"} {
+			dirPath := filepath.Join(conf.Server.AppDataPath, dir)
+			if !osx.IsDir(dirPath) {
+				continue
+			}
+
+			if err = z.AddDir(path.Join(archiveRootDir+"/data", dir), dirPath); err != nil {
+				log.Fatal("Failed to include 'data': %v", err)
+			}
+		}
+	}
+
+	// Repositories
+	if !cmd.Bool("exclude-repos") && !cmd.Bool("database-only") {
+		reposDump := filepath.Join(rootDir, "repositories.zip")
+		log.Info("Dumping repositories in %q", conf.Repository.Root)
+		if cmd.Bool("exclude-mirror-repos") {
+			repos, err := database.GetNonMirrorRepositories()
+			if err != nil {
+				log.Fatal("Failed to get non-mirror repositories: %v", err)
+			}
+			reposZip, err := zip.Create(reposDump)
+			if err != nil {
+				log.Fatal("Failed to create %q: %v", reposDump, err)
+			}
+			baseDir := filepath.Base(conf.Repository.Root)
+			for _, r := range repos {
+				name := r.FullName() + ".git"
+				if err := reposZip.AddDir(filepath.Join(baseDir, name), filepath.Join(conf.Repository.Root, name)); err != nil {
+					log.Fatal("Failed to add %q: %v", name, err)
+				}
+			}
+			if err = reposZip.Close(); err != nil {
+				log.Fatal("Failed to save %q: %v", reposDump, err)
+			}
+		} else {
+			if err = zip.PackTo(conf.Repository.Root, reposDump, true); err != nil {
+				log.Fatal("Failed to dump repositories: %v", err)
+			}
+		}
+		log.Info("Repositories dumped to: %s", reposDump)
+
+		if err = z.AddFile(archiveRootDir+"/repositories.zip", reposDump); err != nil {
+			log.Fatal("Failed to include %q: %v", reposDump, err)
+		}
+	}
+
+	if err = z.Close(); err != nil {
+		log.Fatal("Failed to save backup archive '%s': %v", archiveName, err)
+	}
+
+	_ = os.RemoveAll(rootDir)
+	log.Info("Backup succeed! Archive is located at: %s", archiveName)
+	log.Stop()
+	return nil
+}
+
+func addCustomDirToBackup(z *zip.ZipArchive) error {
+	customDir := conf.CustomDir()
+	entries, err := os.ReadDir(customDir)
+	if err != nil {
+		return errors.Wrap(err, "list custom directory entries")
+	}
+
+	for _, e := range entries {
+		if e.Name() == "data" {
+			// Skip the "data" directory because it lives under the "custom" directory in
+			// the Docker setup and will be backed up separately.
+			log.Trace(`Skipping "data" directory in custom directory`)
+			continue
+		}
+
+		add := z.AddFile
+		if e.IsDir() {
+			add = z.AddDir
+		}
+		err = add(
+			fmt.Sprintf("%s/custom/%s", archiveRootDir, e.Name()),
+			filepath.Join(customDir, e.Name()),
+		)
+		if err != nil {
+			return errors.Wrapf(err, "add %q", e.Name())
+		}
+	}
+	return nil
+}
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"strings"
+
+	"github.com/urfave/cli/v3"
+)
+
+func stringFlag(name, value, usage string) *cli.StringFlag {
+	parts := strings.SplitN(name, ", ", 2)
+	f := &cli.StringFlag{
+		Name:  parts[0],
+		Value: value,
+		Usage: usage,
+	}
+	if len(parts) > 1 {
+		f.Aliases = []string{parts[1]}
+	}
+	return f
+}
+
+// configFromLineage walks the command lineage to find the --config flag value.
+// This is needed because subcommands may not directly see flags set on parent commands.
+func configFromLineage(cmd *cli.Command) string {
+	for _, c := range cmd.Lineage() {
+		if c.IsSet("config") {
+			return c.String("config")
+		}
+	}
+	return ""
+}
+
+func intFlag(name string, value int, usage string) *cli.IntFlag {
+	parts := strings.SplitN(name, ", ", 2)
+	f := &cli.IntFlag{
+		Name:  parts[0],
+		Value: value,
+		Usage: usage,
+	}
+	if len(parts) > 1 {
+		f.Aliases = []string{parts[1]}
+	}
+	return f
+}
+
+func boolFlag(name, usage string) *cli.BoolFlag {
+	parts := strings.SplitN(name, ", ", 2)
+	f := &cli.BoolFlag{
+		Name:  parts[0],
+		Usage: usage,
+	}
+	if len(parts) > 1 {
+		f.Aliases = []string{parts[1]}
+	}
+	return f
+}
@@ -0,0 +1,273 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net/url"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/urfave/cli/v3"
+	log "unknwon.dev/clog/v2"
+
+	"github.com/gogs/git-module"
+
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/database"
+	"gogs.io/gogs/internal/email"
+	"gogs.io/gogs/internal/httplib"
+	"gogs.io/gogs/internal/osx"
+)
+
+var (
+	hookCommand = cli.Command{
+		Name:        "hook",
+		Usage:       "Delegate commands to corresponding Git hooks",
+		Description: "All sub-commands should only be called by Git",
+		Flags: []cli.Flag{
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+		Commands: []*cli.Command{
+			&subcmdHookPreReceive,
+			&subcmdHookUpadte,
+			&subcmdHookPostReceive,
+		},
+	}
+
+	subcmdHookPreReceive = cli.Command{
+		Name:        "pre-receive",
+		Usage:       "Delegate pre-receive Git hook",
+		Description: "This command should only be called by Git",
+		Action:      runHookPreReceive,
+	}
+	subcmdHookUpadte = cli.Command{
+		Name:        "update",
+		Usage:       "Delegate update Git hook",
+		Description: "This command should only be called by Git",
+		Action:      runHookUpdate,
+	}
+	subcmdHookPostReceive = cli.Command{
+		Name:        "post-receive",
+		Usage:       "Delegate post-receive Git hook",
+		Description: "This command should only be called by Git",
+		Action:      runHookPostReceive,
+	}
+)
+
+func runHookPreReceive(_ context.Context, cmd *cli.Command) error {
+	if os.Getenv("SSH_ORIGINAL_COMMAND") == "" {
+		return nil
+	}
+	setup(cmd, "pre-receive.log", true)
+
+	isWiki := strings.Contains(os.Getenv(database.EnvRepoCustomHooksPath), ".wiki.git/")
+
+	buf := bytes.NewBuffer(nil)
+	scanner := bufio.NewScanner(os.Stdin)
+	for scanner.Scan() {
+		buf.Write(scanner.Bytes())
+		buf.WriteByte('\n')
+
+		if isWiki {
+			continue
+		}
+
+		fields := bytes.Fields(scanner.Bytes())
+		if len(fields) != 3 {
+			continue
+		}
+		oldCommitID := string(fields[0])
+		newCommitID := string(fields[1])
+		branchName := git.RefShortName(string(fields[2]))
+
+		// Branch protection
+		repoID, _ := strconv.ParseInt(os.Getenv(database.EnvRepoID), 10, 64)
+		protectBranch, err := database.GetProtectBranchOfRepoByName(repoID, branchName)
+		if err != nil {
+			if database.IsErrBranchNotExist(err) {
+				continue
+			}
+			fail("Internal error", "GetProtectBranchOfRepoByName [repo_id: %d, branch: %s]: %v", repoID, branchName, err)
+		}
+		if !protectBranch.Protected {
+			continue
+		}
+
+		// Whitelist users can bypass require pull request check
+		bypassRequirePullRequest := false
+
+		// Check if user is in whitelist when enabled
+		userID, _ := strconv.ParseInt(os.Getenv(database.EnvAuthUserID), 10, 64)
+		if protectBranch.EnableWhitelist {
+			if !database.IsUserInProtectBranchWhitelist(repoID, userID, branchName) {
+				fail(fmt.Sprintf("Branch '%s' is protected and you are not in the push whitelist", branchName), "")
+			}
+
+			bypassRequirePullRequest = true
+		}
+
+		// Check if branch allows direct push
+		if !bypassRequirePullRequest && protectBranch.RequirePullRequest {
+			fail(fmt.Sprintf("Branch '%s' is protected and commits must be merged through pull request", branchName), "")
+		}
+
+		// check and deletion
+		if newCommitID == git.EmptyID {
+			fail(fmt.Sprintf("Branch '%s' is protected from deletion", branchName), "")
+		}
+
+		// Check force push
+		output, err := git.NewCommand("rev-list", "--max-count=1", oldCommitID, "^"+newCommitID).
+			RunInDir(database.RepoPath(os.Getenv(database.EnvRepoOwnerName), os.Getenv(database.EnvRepoName)))
+		if err != nil {
+			fail("Internal error", "Failed to detect force push: %v", err)
+		} else if len(output) > 0 {
+			fail(fmt.Sprintf("Branch '%s' is protected from force push", branchName), "")
+		}
+	}
+
+	customHooksPath := filepath.Join(os.Getenv(database.EnvRepoCustomHooksPath), "pre-receive")
+	if !osx.IsFile(customHooksPath) {
+		return nil
+	}
+
+	var hookCmd *exec.Cmd
+	if conf.IsWindowsRuntime() {
+		hookCmd = exec.Command("bash.exe", "custom_hooks/pre-receive")
+	} else {
+		hookCmd = exec.Command(customHooksPath)
+	}
+	hookCmd.Dir = database.RepoPath(os.Getenv(database.EnvRepoOwnerName), os.Getenv(database.EnvRepoName))
+	hookCmd.Stdout = os.Stdout
+	hookCmd.Stdin = buf
+	hookCmd.Stderr = os.Stderr
+	if err := hookCmd.Run(); err != nil {
+		fail("Internal error", "Failed to execute custom pre-receive hook: %v", err)
+	}
+	return nil
+}
+
+func runHookUpdate(_ context.Context, cmd *cli.Command) error {
+	if os.Getenv("SSH_ORIGINAL_COMMAND") == "" {
+		return nil
+	}
+	setup(cmd, "update.log", false)
+
+	args := cmd.Args().Slice()
+	if len(args) != 3 {
+		fail("Arguments received are not equal to three", "Arguments received are not equal to three")
+	} else if args[0] == "" {
+		fail("First argument 'refName' is empty", "First argument 'refName' is empty")
+	}
+
+	customHooksPath := filepath.Join(os.Getenv(database.EnvRepoCustomHooksPath), "update")
+	if !osx.IsFile(customHooksPath) {
+		return nil
+	}
+
+	var hookCmd *exec.Cmd
+	if conf.IsWindowsRuntime() {
+		hookCmd = exec.Command("bash.exe", append([]string{"custom_hooks/update"}, args...)...)
+	} else {
+		hookCmd = exec.Command(customHooksPath, args...)
+	}
+	hookCmd.Dir = database.RepoPath(os.Getenv(database.EnvRepoOwnerName), os.Getenv(database.EnvRepoName))
+	hookCmd.Stdout = os.Stdout
+	hookCmd.Stdin = os.Stdin
+	hookCmd.Stderr = os.Stderr
+	if err := hookCmd.Run(); err != nil {
+		fail("Internal error", "Failed to execute custom pre-receive hook: %v", err)
+	}
+	return nil
+}
+
+func runHookPostReceive(_ context.Context, cmd *cli.Command) error {
+	if os.Getenv("SSH_ORIGINAL_COMMAND") == "" {
+		return nil
+	}
+	setup(cmd, "post-receive.log", true)
+
+	// Post-receive hook does more than just gather Git information,
+	// so we need to setup additional services for email notifications.
+	email.NewContext()
+
+	isWiki := strings.Contains(os.Getenv(database.EnvRepoCustomHooksPath), ".wiki.git/")
+
+	buf := bytes.NewBuffer(nil)
+	scanner := bufio.NewScanner(os.Stdin)
+	for scanner.Scan() {
+		buf.Write(scanner.Bytes())
+		buf.WriteByte('\n')
+
+		// TODO: support news feeds for wiki
+		if isWiki {
+			continue
+		}
+
+		fields := bytes.Fields(scanner.Bytes())
+		if len(fields) != 3 {
+			continue
+		}
+
+		pusherID, _ := strconv.ParseInt(os.Getenv(database.EnvAuthUserID), 10, 64)
+		options := database.PushUpdateOptions{
+			OldCommitID:  string(fields[0]),
+			NewCommitID:  string(fields[1]),
+			FullRefspec:  string(fields[2]),
+			PusherID:     pusherID,
+			PusherName:   os.Getenv(database.EnvAuthUserName),
+			RepoUserName: os.Getenv(database.EnvRepoOwnerName),
+			RepoName:     os.Getenv(database.EnvRepoName),
+		}
+		if err := database.PushUpdate(options); err != nil {
+			log.Error("PushUpdate: %v", err)
+		}
+
+		// Ask for running deliver hook and test pull request tasks
+		q := make(url.Values)
+		q.Add("branch", git.RefShortName(options.FullRefspec))
+		q.Add("secret", os.Getenv(database.EnvRepoOwnerSaltMd5))
+		q.Add("pusher", os.Getenv(database.EnvAuthUserID))
+		reqURL := fmt.Sprintf("%s%s/%s/tasks/trigger?%s", conf.Server.LocalRootURL, options.RepoUserName, options.RepoName, q.Encode())
+		log.Trace("Trigger task: %s", reqURL)
+
+		resp, err := httplib.Get(reqURL).
+			SetTLSClientConfig(&tls.Config{
+				InsecureSkipVerify: true,
+			}).Response()
+		if err == nil {
+			_ = resp.Body.Close()
+			if resp.StatusCode/100 != 2 {
+				log.Error("Failed to trigger task: unsuccessful response code %d", resp.StatusCode)
+			}
+		} else {
+			log.Error("Failed to trigger task: %v", err)
+		}
+	}
+
+	customHooksPath := filepath.Join(os.Getenv(database.EnvRepoCustomHooksPath), "post-receive")
+	if !osx.IsFile(customHooksPath) {
+		return nil
+	}
+
+	var hookCmd *exec.Cmd
+	if conf.IsWindowsRuntime() {
+		hookCmd = exec.Command("bash.exe", "custom_hooks/post-receive")
+	} else {
+		hookCmd = exec.Command(customHooksPath)
+	}
+	hookCmd.Dir = database.RepoPath(os.Getenv(database.EnvRepoOwnerName), os.Getenv(database.EnvRepoName))
+	hookCmd.Stdout = os.Stdout
+	hookCmd.Stdin = buf
+	hookCmd.Stderr = os.Stderr
+	if err := hookCmd.Run(); err != nil {
+		fail("Internal error", "Failed to execute custom post-receive hook: %v", err)
+	}
+	return nil
+}
@@ -0,0 +1,108 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/cockroachdb/errors"
+	"github.com/urfave/cli/v3"
+
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/osx"
+)
+
+var (
+	importCommand = cli.Command{
+		Name:  "import",
+		Usage: "Import portable data as local Gogs data",
+		Description: `Allow user import data from other Gogs installations to local instance
+without manually hacking the data files`,
+		Commands: []*cli.Command{
+			&subcmdImportLocale,
+		},
+	}
+
+	subcmdImportLocale = cli.Command{
+		Name:   "locale",
+		Usage:  "Import locale files to local repository",
+		Action: runImportLocale,
+		Flags: []cli.Flag{
+			stringFlag("source", "", "Source directory that stores new locale files"),
+			stringFlag("target", "", "Target directory that stores old locale files"),
+			stringFlag("config, c", "", "Custom configuration file path"),
+		},
+	}
+)
+
+func runImportLocale(_ context.Context, cmd *cli.Command) error {
+	if !cmd.IsSet("source") {
+		return errors.New("source directory is not specified")
+	} else if !cmd.IsSet("target") {
+		return errors.New("target directory is not specified")
+	}
+	if !osx.IsDir(cmd.String("source")) {
+		return errors.Newf("source directory %q does not exist or is not a directory", cmd.String("source"))
+	} else if !osx.IsDir(cmd.String("target")) {
+		return errors.Newf("target directory %q does not exist or is not a directory", cmd.String("target"))
+	}
+
+	err := conf.Init(configFromLineage(cmd))
+	if err != nil {
+		return errors.Wrap(err, "init configuration")
+	}
+
+	now := time.Now()
+
+	var line []byte
+	badChars := []byte(`="`)
+	escapedQuotes := []byte(`\"`)
+	regularQuotes := []byte(`"`)
+	// Cut out en-US.
+	for _, lang := range conf.I18n.Langs[1:] {
+		name := fmt.Sprintf("locale_%s.ini", lang)
+		source := filepath.Join(cmd.String("source"), name)
+		target := filepath.Join(cmd.String("target"), name)
+		if !osx.IsFile(source) {
+			continue
+		}
+
+		// Crowdin surrounds double quotes for strings contain quotes inside,
+		// this breaks INI parser, we need to fix that.
+		sr, err := os.Open(source)
+		if err != nil {
+			return errors.Newf("open: %v", err)
+		}
+
+		tw, err := os.Create(target)
+		if err != nil {
+			return errors.Newf("create: %v", err)
+		}
+
+		scanner := bufio.NewScanner(sr)
+		for scanner.Scan() {
+			line = scanner.Bytes()
+			idx := bytes.Index(line, badChars)
+			if idx > -1 && line[len(line)-1] == '"' {
+				// We still want the "=" sign
+				line = append(line[:idx+1], line[idx+2:len(line)-1]...)
+				line = bytes.ReplaceAll(line, escapedQuotes, regularQuotes)
+			}
+			_, _ = tw.Write(line)
+			_, _ = tw.WriteString("\n")
+		}
+		_ = sr.Close()
+		_ = tw.Close()
+
+		// Modification time of files from Crowdin often ahead of current,
+		// so we need to set back to current.
+		_ = os.Chtimes(target, now, now)
+	}
+
+	fmt.Println("Locale files has been successfully imported!")
+	return nil
+}
@@ -0,0 +1,89 @@
+package web
+
+import (
+	"crypto/tls"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/cockroachdb/errors"
+	"github.com/flamego/cache"
+	"github.com/flamego/cache/redis"
+	"gopkg.in/ini.v1"
+
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/strx"
+)
+
+func parseCacheOptions(confOpts conf.CacheOptions) (cache.Options, error) {
+	opts := cache.Options{
+		GCInterval: time.Duration(confOpts.Interval) * time.Second,
+	}
+
+	switch strx.Coalesce(strings.ToLower(confOpts.Adapter), "memory") {
+	case "memory":
+		opts.Initer = cache.MemoryIniter()
+	case "file":
+		opts.Initer = cache.FileIniter()
+		opts.Config = cache.FileConfig{RootDir: confOpts.Host}
+	case "redis":
+		cfg, err := parseRedisConfig(confOpts.Host)
+		if err != nil {
+			return cache.Options{}, errors.Wrap(err, "parse redis config")
+		}
+		opts.Initer = redis.Initer()
+		opts.Config = cfg
+	default:
+		return cache.Options{}, errors.Errorf("unsupported adapter %q", confOpts.Adapter)
+	}
+	return opts, nil
+}
+
+func parseRedisConfig(host string) (redis.Config, error) {
+	cfg, err := ini.Load([]byte(strings.ReplaceAll(host, ",", "\n")))
+	if err != nil {
+		return redis.Config{}, errors.Wrap(err, "load HOST")
+	}
+
+	var config redis.Config
+	for k, v := range cfg.Section("").KeysHash() {
+		switch k {
+		case "network":
+			config.Options.Network = v
+		case "addr":
+			config.Options.Addr = v
+		case "password":
+			config.Options.Password = v
+		case "db":
+			n, err := strconv.Atoi(v)
+			if err != nil {
+				return redis.Config{}, errors.Wrapf(err, "parse db %q", v)
+			}
+			config.Options.DB = n
+		case "pool_size":
+			n, err := strconv.Atoi(v)
+			if err != nil {
+				return redis.Config{}, errors.Wrapf(err, "parse pool_size %q", v)
+			}
+			config.Options.PoolSize = n
+		case "idle_timeout":
+			d, err := time.ParseDuration(v + "s")
+			if err != nil {
+				return redis.Config{}, errors.Wrapf(err, "parse idle_timeout %q", v)
+			}
+			config.Options.ConnMaxIdleTime = d
+		case "prefix":
+			config.KeyPrefix = v
+		case "tls":
+			// Matches go-macaron/session/redis: any non-empty `tls=` value enables
+			// TLS with InsecureSkipVerify.
+			config.Options.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+		case "hset_name":
+			// Macaron stored values in a single Redis hash named by this key,
+			// whereas Flamego stores per-key with KeyPrefix, so this knob has no equivalent.
+		default:
+			return redis.Config{}, errors.Errorf("unsupported redis HOST key %q", k)
+		}
+	}
+	return config, nil
+}
@@ -0,0 +1,88 @@
+package web
+
+import (
+	"net/http"
+
+	"github.com/cockroachdb/errors"
+	"github.com/flamego/flamego"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/internal/database"
+	"gogs.io/gogs/internal/ptrx"
+)
+
+// repoContext is the request-scoped viewer of the repository. Viewer can be an
+// authenticated or anonymous user.
+type repoContext struct {
+	Owner *database.User
+	Repo  *database.Repository
+
+	ViewerID     int64
+	viewerAccess database.AccessMode
+}
+
+func (c *repoContext) ViewerCanRead() bool {
+	return c.viewerAccess >= database.AccessModeRead
+}
+
+func (c *repoContext) ViewerCanWrite() bool {
+	return c.viewerAccess >= database.AccessModeWrite
+}
+
+func (c *repoContext) ViewerCanAdminister() bool {
+	return c.viewerAccess >= database.AccessModeAdmin
+}
+
+// withRepoContext injects the repoContext of the repository derived from the
+// route.
+func withRepoContext(c flamego.Context, user *database.User) {
+	ctx := c.Request().Context()
+	w := c.ResponseWriter()
+	ownerName := c.Param("owner")
+	repoName := c.Param("repo")
+
+	owner, err := database.Handle.Users().GetByUsername(ctx, ownerName)
+	if err != nil {
+		if database.IsErrUserNotExist(err) {
+			writeErrorResponse(w, http.StatusNotFound, errors.New("repository does not exist"))
+			return
+		}
+		log.Error("repoContext: get user by username %q: %v", ownerName, err)
+		writeErrorResponse(w, http.StatusInternalServerError, errors.Wrap(err, "get owner"))
+		return
+	}
+
+	repo, err := database.Handle.Repositories().GetByName(ctx, owner.ID, repoName)
+	if err != nil {
+		if database.IsErrRepoNotExist(err) {
+			writeErrorResponse(w, http.StatusNotFound, errors.New("repository does not exist"))
+			return
+		}
+		log.Error("repoContext: get repo by name %q/%q: %v", ownerName, repoName, err)
+		writeErrorResponse(w, http.StatusInternalServerError, errors.Wrap(err, "get repo"))
+		return
+	}
+
+	viewer := ptrx.Deref(user, database.User{})
+	var viewerAccess database.AccessMode
+	if viewer.IsAdmin {
+		viewerAccess = database.AccessModeOwner
+	} else {
+		viewerAccess = database.Handle.Permissions().AccessMode(
+			ctx,
+			viewer.ID,
+			repo.ID,
+			database.AccessModeOptions{
+				OwnerID: owner.ID,
+				Private: repo.IsPrivate,
+			},
+		)
+	}
+
+	c.Map(&repoContext{
+		Owner:        owner,
+		Repo:         repo,
+		ViewerID:     viewer.ID,
+		viewerAccess: viewerAccess,
+	})
+}
@@ -0,0 +1,869 @@
+package web
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/http/fcgi"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/cockroachdb/errors"
+	"github.com/flamego/cache"
+	"github.com/flamego/captcha"
+	"github.com/flamego/flamego"
+	"github.com/go-macaron/binding"
+	macaroncache "github.com/go-macaron/cache"
+	"github.com/go-macaron/csrf"
+	"github.com/go-macaron/gzip"
+	"github.com/go-macaron/i18n"
+	"github.com/go-macaron/session"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"gopkg.in/macaron.v1"
+	log "unknwon.dev/clog/v2"
+
+	embedConf "gogs.io/gogs/conf"
+	"gogs.io/gogs/internal/app"
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/context"
+	"gogs.io/gogs/internal/database"
+	"gogs.io/gogs/internal/form"
+	"gogs.io/gogs/internal/osx"
+	"gogs.io/gogs/internal/route"
+	"gogs.io/gogs/internal/route/admin"
+	apiv1 "gogs.io/gogs/internal/route/api/v1"
+	"gogs.io/gogs/internal/route/lfs"
+	"gogs.io/gogs/internal/route/org"
+	"gogs.io/gogs/internal/route/repo"
+	"gogs.io/gogs/internal/route/user"
+	"gogs.io/gogs/internal/template"
+	"gogs.io/gogs/internal/urlx"
+	"gogs.io/gogs/public"
+	"gogs.io/gogs/templates"
+)
+
+// Run starts the web server with the given configuration path and port override.
+func Run(configPath string, portOverride int) error {
+	err := route.GlobalInit(configPath)
+	if err != nil {
+		return errors.Wrap(err, "initialize application")
+	}
+
+	m, err := newMacaron()
+	if err != nil {
+		return errors.Wrap(err, "initialize macaron")
+	}
+
+	webHandler, err := newRoutingHandler()
+	if err != nil {
+		return errors.Wrap(err, "initialize web handler")
+	}
+
+	reqSignIn := context.Toggle(&context.ToggleOptions{SignInRequired: true})
+	ignSignIn := context.Toggle(&context.ToggleOptions{SignInRequired: conf.Auth.RequireSigninView})
+
+	bindIgnErr := binding.BindIgnErr
+
+	m.SetAutoHead(true)
+
+	m.Group("", func() {
+		m.Get("/", ignSignIn, route.Home)
+		m.Group("/explore", func() {
+			m.Get("", func(c *context.Context) {
+				c.Redirect(conf.Server.Subpath + "/explore/repos")
+			})
+			m.Get("/repos", route.ExploreRepos)
+			m.Get("/users", route.ExploreUsers)
+			m.Get("/organizations", route.ExploreOrganizations)
+		}, ignSignIn)
+		m.Combo("/install", route.InstallInit).Get(route.Install).
+			Post(bindIgnErr(form.Install{}), route.InstallPost)
+		m.Get("/^:type(issues|pulls)$", reqSignIn, user.Issues)
+
+		// ***** START: User *****
+		m.Group("/user/settings", func() {
+			m.Get("", user.Settings)
+			m.Post("", bindIgnErr(form.UpdateProfile{}), user.SettingsPost)
+			m.Combo("/avatar").Get(user.SettingsAvatar).
+				Post(binding.MultipartForm(form.Avatar{}), user.SettingsAvatarPost)
+			m.Post("/avatar/delete", user.SettingsDeleteAvatar)
+			m.Combo("/email").Get(user.SettingsEmails).
+				Post(bindIgnErr(form.AddEmail{}), user.SettingsEmailPost)
+			m.Post("/email/delete", user.DeleteEmail)
+			m.Get("/password", user.SettingsPassword)
+			m.Post("/password", bindIgnErr(form.ChangePassword{}), user.SettingsPasswordPost)
+			m.Combo("/ssh").Get(user.SettingsSSHKeys).
+				Post(bindIgnErr(form.AddSSHKey{}), user.SettingsSSHKeysPost)
+			m.Post("/ssh/delete", user.DeleteSSHKey)
+			m.Group("/security", func() {
+				m.Get("", user.SettingsSecurity)
+				m.Combo("/two_factor_enable").Get(user.SettingsTwoFactorEnable).
+					Post(user.SettingsTwoFactorEnablePost)
+				m.Combo("/two_factor_recovery_codes").Get(user.SettingsTwoFactorRecoveryCodes).
+					Post(user.SettingsTwoFactorRecoveryCodesPost)
+				m.Post("/two_factor_disable", user.SettingsTwoFactorDisable)
+			})
+			m.Group("/repositories", func() {
+				m.Get("", user.SettingsRepos)
+				m.Post("/leave", user.SettingsLeaveRepo)
+			})
+			m.Group("/organizations", func() {
+				m.Get("", user.SettingsOrganizations)
+				m.Post("/leave", user.SettingsLeaveOrganization)
+			})
+
+			settingsHandler := user.NewSettingsHandler(user.NewSettingsStore())
+			m.Combo("/applications").Get(settingsHandler.Applications()).
+				Post(bindIgnErr(form.NewAccessToken{}), settingsHandler.ApplicationsPost())
+			m.Post("/applications/delete", settingsHandler.DeleteApplication())
+			m.Route("/delete", "GET,POST", user.SettingsDelete)
+		}, reqSignIn, func(c *context.Context) {
+			c.Data["PageIsUserSettings"] = true
+		})
+
+		m.Group("/user", func() {
+			m.Any("/activate_email", user.ActivateEmail)
+			m.Get("/email2user", user.Email2User)
+		})
+		// ***** END: User *****
+
+		reqAdmin := context.Toggle(&context.ToggleOptions{SignInRequired: true, AdminRequired: true})
+
+		// ***** START: Admin *****
+		m.Group("/admin", func() {
+			m.Combo("").Get(admin.Dashboard).Post(admin.Operation) // "/admin"
+			m.Get("/config", admin.Config)
+			m.Post("/config/test_mail", admin.SendTestMail)
+			m.Get("/monitor", admin.Monitor)
+
+			m.Group("/users", func() {
+				m.Get("", admin.Users)
+				m.Combo("/new").Get(admin.NewUser).Post(bindIgnErr(form.AdminCrateUser{}), admin.NewUserPost)
+				m.Combo("/:userid").Get(admin.EditUser).Post(bindIgnErr(form.AdminEditUser{}), admin.EditUserPost)
+				m.Post("/:userid/delete", admin.DeleteUser)
+			})
+
+			m.Group("/orgs", func() {
+				m.Get("", admin.Organizations)
+			})
+
+			m.Group("/repos", func() {
+				m.Get("", admin.Repos)
+				m.Post("/delete", admin.DeleteRepo)
+			})
+
+			m.Group("/auths", func() {
+				m.Get("", admin.Authentications)
+				m.Combo("/new").Get(admin.NewAuthSource).Post(bindIgnErr(form.Authentication{}), admin.NewAuthSourcePost)
+				m.Combo("/:authid").Get(admin.EditAuthSource).
+					Post(bindIgnErr(form.Authentication{}), admin.EditAuthSourcePost)
+				m.Post("/:authid/delete", admin.DeleteAuthSource)
+			})
+
+			m.Group("/notices", func() {
+				m.Get("", admin.Notices)
+				m.Post("/delete", admin.DeleteNotices)
+				m.Get("/empty", admin.EmptyNotices)
+			})
+		}, reqAdmin)
+		// ***** END: Admin *****
+
+		m.Group("", func() {
+			m.Group("/:username", func() {
+				m.Get("", user.Profile)
+				m.Get("/followers", user.Followers)
+				m.Get("/following", user.Following)
+				m.Get("/stars", user.Stars)
+			}, context.InjectParamsUser())
+
+			m.Get("/attachments/:uuid", func(c *context.Context) {
+				attach, err := database.GetAttachmentByUUID(c.Params(":uuid"))
+				if err != nil {
+					c.NotFoundOrError(err, "get attachment by UUID")
+					return
+				} else if !osx.IsFile(attach.LocalPath()) {
+					c.NotFound()
+					return
+				}
+
+				fr, err := os.Open(attach.LocalPath())
+				if err != nil {
+					c.Error(err, "open attachment file")
+					return
+				}
+				defer fr.Close()
+
+				c.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
+				c.Header().Set("Cache-Control", "public,max-age=86400")
+				c.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, attach.Name))
+
+				if _, err = io.Copy(c.Resp, fr); err != nil {
+					c.Error(err, "copy from file to response")
+					return
+				}
+			})
+		}, ignSignIn)
+
+		m.Group("", func() {
+			m.Post("/issues/attachments", repo.UploadIssueAttachment)
+			m.Post("/releases/attachments", repo.UploadReleaseAttachment)
+		}, reqSignIn)
+
+		m.Group("/:username", func() {
+			m.Post("/action/:action", user.Action)
+		}, reqSignIn, context.InjectParamsUser())
+
+		reqRepoAdmin := context.RequireRepoAdmin()
+		reqRepoWriter := context.RequireRepoWriter()
+
+		webhookRoutes := func() {
+			m.Group("", func() {
+				m.Get("", repo.Webhooks)
+				m.Post("/delete", repo.DeleteWebhook)
+				m.Get("/:type/new", repo.WebhooksNew)
+				m.Post("/gogs/new", bindIgnErr(form.NewWebhook{}), repo.WebhooksNewPost)
+				m.Post("/slack/new", bindIgnErr(form.NewSlackHook{}), repo.WebhooksSlackNewPost)
+				m.Post("/discord/new", bindIgnErr(form.NewDiscordHook{}), repo.WebhooksDiscordNewPost)
+				m.Post("/dingtalk/new", bindIgnErr(form.NewDingtalkHook{}), repo.WebhooksDingtalkNewPost)
+				m.Get("/:id", repo.WebhooksEdit)
+				m.Post("/gogs/:id", bindIgnErr(form.NewWebhook{}), repo.WebhooksEditPost)
+				m.Post("/slack/:id", bindIgnErr(form.NewSlackHook{}), repo.WebhooksSlackEditPost)
+				m.Post("/discord/:id", bindIgnErr(form.NewDiscordHook{}), repo.WebhooksDiscordEditPost)
+				m.Post("/dingtalk/:id", bindIgnErr(form.NewDingtalkHook{}), repo.WebhooksDingtalkEditPost)
+			}, repo.InjectOrgRepoContext())
+		}
+
+		// ***** START: Organization *****
+		m.Group("/org", func() {
+			m.Group("", func() {
+				m.Get("/create", org.Create)
+				m.Post("/create", bindIgnErr(form.CreateOrg{}), org.CreatePost)
+			}, func(c *context.Context) {
+				if !c.User.CanCreateOrganization() {
+					c.NotFound()
+				}
+			})
+
+			m.Group("/:org", func() {
+				m.Get("/dashboard", user.Dashboard)
+				m.Get("/^:type(issues|pulls)$", user.Issues)
+				m.Get("/members", org.Members)
+				m.Get("/members/action/:action", org.MembersAction)
+
+				m.Get("/teams", org.Teams)
+			}, context.OrgAssignment(true))
+
+			m.Group("/:org", func() {
+				m.Get("/teams/:team", org.TeamMembers)
+				m.Get("/teams/:team/repositories", org.TeamRepositories)
+				m.Route("/teams/:team/action/:action", "GET,POST", org.TeamsAction)
+				m.Route("/teams/:team/action/repo/:action", "GET,POST", org.TeamsRepoAction)
+			}, context.OrgAssignment(true, false, true))
+
+			m.Group("/:org", func() {
+				m.Get("/teams/new", org.NewTeam)
+				m.Post("/teams/new", bindIgnErr(form.CreateTeam{}), org.NewTeamPost)
+				m.Get("/teams/:team/edit", org.EditTeam)
+				m.Post("/teams/:team/edit", bindIgnErr(form.CreateTeam{}), org.EditTeamPost)
+				m.Post("/teams/:team/delete", org.DeleteTeam)
+
+				m.Group("/settings", func() {
+					m.Combo("").Get(org.Settings).
+						Post(bindIgnErr(form.UpdateOrgSetting{}), org.SettingsPost)
+					m.Post("/avatar", binding.MultipartForm(form.Avatar{}), org.SettingsAvatar)
+					m.Post("/avatar/delete", org.SettingsDeleteAvatar)
+					m.Group("/hooks", webhookRoutes)
+					m.Route("/delete", "GET,POST", org.SettingsDelete)
+				})
+
+				m.Route("/invitations/new", "GET,POST", org.Invitation)
+			}, context.OrgAssignment(true, true))
+		}, reqSignIn)
+		// ***** END: Organization *****
+
+		// ***** START: Repository *****
+		m.Group("/repo", func() {
+			m.Get("/create", repo.Create)
+			m.Post("/create", bindIgnErr(form.CreateRepo{}), repo.CreatePost)
+			m.Get("/migrate", repo.Migrate)
+			m.Post("/migrate", bindIgnErr(form.MigrateRepo{}), repo.MigratePost)
+			m.Combo("/fork/:repoid").Get(repo.Fork).
+				Post(bindIgnErr(form.CreateRepo{}), repo.ForkPost)
+		}, reqSignIn)
+
+		m.Group("/:username/:reponame", func() {
+			m.Group("/settings", func() {
+				m.Combo("").Get(repo.Settings).
+					Post(bindIgnErr(form.RepoSetting{}), repo.SettingsPost)
+				m.Combo("/avatar").Get(repo.SettingsAvatar).
+					Post(binding.MultipartForm(form.Avatar{}), repo.SettingsAvatarPost)
+				m.Post("/avatar/delete", repo.SettingsDeleteAvatar)
+				m.Group("/collaboration", func() {
+					m.Combo("").Get(repo.SettingsCollaboration).Post(repo.SettingsCollaborationPost)
+					m.Post("/access_mode", repo.ChangeCollaborationAccessMode)
+					m.Post("/delete", repo.DeleteCollaboration)
+				})
+				m.Group("/branches", func() {
+					m.Get("", repo.SettingsBranches)
+					m.Post("/default_branch", repo.UpdateDefaultBranch)
+					m.Combo("/*").Get(repo.SettingsProtectedBranch).
+						Post(bindIgnErr(form.ProtectBranch{}), repo.SettingsProtectedBranchPost)
+				}, func(c *context.Context) {
+					if c.Repo.Repository.IsMirror {
+						c.NotFound()
+						return
+					}
+				})
+
+				m.Group("/hooks", func() {
+					webhookRoutes()
+
+					m.Group("/:id", func() {
+						m.Post("/test", repo.TestWebhook)
+						m.Post("/redelivery", repo.RedeliveryWebhook)
+					})
+
+					m.Group("/git", func() {
+						m.Get("", repo.SettingsGitHooks)
+						m.Combo("/:name").Get(repo.SettingsGitHooksEdit).
+							Post(repo.SettingsGitHooksEditPost)
+					}, context.GitHookService())
+				})
+
+				m.Group("/keys", func() {
+					m.Combo("").Get(repo.SettingsDeployKeys).
+						Post(bindIgnErr(form.AddSSHKey{}), repo.SettingsDeployKeysPost)
+					m.Post("/delete", repo.DeleteDeployKey)
+				})
+			}, func(c *context.Context) {
+				c.Data["PageIsSettings"] = true
+			})
+		}, reqSignIn, context.RepoAssignment(), reqRepoAdmin, context.RepoRef())
+
+		m.Post("/:username/:reponame/action/:action", reqSignIn, context.RepoAssignment(), repo.Action)
+		m.Group("/:username/:reponame", func() {
+			m.Get("/issues", repo.RetrieveLabels, repo.Issues)
+			m.Get("/issues/:index", repo.ViewIssue)
+			m.Get("/labels/", repo.RetrieveLabels, repo.Labels)
+			m.Get("/milestones", repo.Milestones)
+		}, ignSignIn, context.RepoAssignment(true))
+		m.Group("/:username/:reponame", func() {
+			// FIXME: should use different URLs but mostly same logic for comments of issue and pull request.
+			// So they can apply their own enable/disable logic on routers.
+			m.Group("/issues", func() {
+				m.Combo("/new", repo.MustEnableIssues).Get(context.RepoRef(), repo.NewIssue).
+					Post(bindIgnErr(form.NewIssue{}), repo.NewIssuePost)
+
+				m.Group("/:index", func() {
+					m.Post("/title", repo.UpdateIssueTitle)
+					m.Post("/content", repo.UpdateIssueContent)
+					m.Combo("/comments").Post(bindIgnErr(form.CreateComment{}), repo.NewComment)
+				})
+			})
+			m.Group("/comments/:id", func() {
+				m.Post("", repo.UpdateCommentContent)
+				m.Post("/delete", repo.DeleteComment)
+			})
+		}, reqSignIn, context.RepoAssignment(true))
+		m.Group("/:username/:reponame", func() {
+			m.Group("/wiki", func() {
+				m.Get("/?:page", repo.Wiki)
+				m.Get("/_pages", repo.WikiPages)
+			}, repo.MustEnableWiki, context.RepoRef())
+		}, ignSignIn, context.RepoAssignment(false, true))
+
+		m.Group("/:username/:reponame", func() {
+			// FIXME: should use different URLs but mostly same logic for comments of issue and pull request.
+			// So they can apply their own enable/disable logic on routers.
+			m.Group("/issues", func() {
+				m.Group("/:index", func() {
+					m.Post("/label", repo.UpdateIssueLabel)
+					m.Post("/milestone", repo.UpdateIssueMilestone)
+					m.Post("/assignee", repo.UpdateIssueAssignee)
+				}, reqRepoWriter)
+			})
+			m.Group("/labels", func() {
+				m.Post("/new", bindIgnErr(form.CreateLabel{}), repo.NewLabel)
+				m.Post("/edit", bindIgnErr(form.CreateLabel{}), repo.UpdateLabel)
+				m.Post("/delete", repo.DeleteLabel)
+				m.Post("/initialize", bindIgnErr(form.InitializeLabels{}), repo.InitializeLabels)
+			}, reqRepoWriter, context.RepoRef())
+			m.Group("/milestones", func() {
+				m.Combo("/new").Get(repo.NewMilestone).
+					Post(bindIgnErr(form.CreateMilestone{}), repo.NewMilestonePost)
+				m.Get("/:id/edit", repo.EditMilestone)
+				m.Post("/:id/edit", bindIgnErr(form.CreateMilestone{}), repo.EditMilestonePost)
+				m.Get("/:id/:action", repo.ChangeMilestonStatus)
+				m.Post("/delete", repo.DeleteMilestone)
+			}, reqRepoWriter, context.RepoRef())
+
+			m.Group("/releases", func() {
+				m.Get("/new", repo.NewRelease)
+				m.Post("/new", bindIgnErr(form.NewRelease{}), repo.NewReleasePost)
+				m.Post("/delete", repo.DeleteRelease)
+				m.Get("/edit/*", repo.EditRelease)
+				m.Post("/edit/*", bindIgnErr(form.EditRelease{}), repo.EditReleasePost)
+			}, repo.MustBeNotBare, reqRepoWriter, func(c *context.Context) {
+				c.Data["PageIsViewFiles"] = true
+			})
+
+			// FIXME: Should use c.Repo.PullRequest to unify the template. Same-repo PR URLs include a
+			// redundant head user, e.g. /org1/test-repo/compare/master...org1:develop should be
+			// /org1/test-repo/compare/master...develop.
+			m.Combo("/compare/*", repo.MustAllowPulls).Get(repo.CompareAndPullRequest).
+				Post(bindIgnErr(form.NewIssue{}), repo.CompareAndPullRequestPost)
+
+			m.Group("", func() {
+				m.Combo("/_edit/*").Get(repo.EditFile).
+					Post(bindIgnErr(form.EditRepoFile{}), repo.EditFilePost)
+				m.Combo("/_new/*").Get(repo.NewFile).
+					Post(bindIgnErr(form.EditRepoFile{}), repo.NewFilePost)
+				m.Post("/_preview/*", bindIgnErr(form.EditPreviewDiff{}), repo.DiffPreviewPost)
+				m.Combo("/_delete/*").Get(repo.DeleteFile).
+					Post(bindIgnErr(form.DeleteRepoFile{}), repo.DeleteFilePost)
+
+				m.Group("", func() {
+					m.Combo("/_upload/*").Get(repo.UploadFile).
+						Post(bindIgnErr(form.UploadRepoFile{}), repo.UploadFilePost)
+					m.Post("/upload-file", repo.UploadFileToServer)
+					m.Post("/upload-remove", bindIgnErr(form.RemoveUploadFile{}), repo.RemoveUploadFileFromServer)
+				}, func(c *context.Context) {
+					if !conf.Repository.Upload.Enabled {
+						c.NotFound()
+						return
+					}
+				})
+			}, repo.MustBeNotBare, reqRepoWriter, context.RepoRef(), func(c *context.Context) {
+				if !c.Repo.CanEnableEditor() {
+					c.NotFound()
+					return
+				}
+
+				c.Data["PageIsViewFiles"] = true
+			})
+		}, reqSignIn, context.RepoAssignment())
+
+		m.Group("/:username/:reponame", func() {
+			m.Group("", func() {
+				m.Get("/releases", repo.MustBeNotBare, repo.Releases)
+				m.Get("/pulls", repo.RetrieveLabels, repo.Pulls)
+				m.Get("/pulls/:index", repo.ViewPull)
+			}, context.RepoRef())
+
+			m.Group("/branches", func() {
+				m.Get("", repo.Branches)
+				m.Get("/all", repo.AllBranches)
+				m.Post("/delete/*", reqSignIn, reqRepoWriter, repo.DeleteBranchPost)
+			}, repo.MustBeNotBare, func(c *context.Context) {
+				c.Data["PageIsViewFiles"] = true
+			})
+
+			m.Group("/wiki", func() {
+				m.Group("", func() {
+					m.Combo("/_new").Get(repo.NewWiki).
+						Post(bindIgnErr(form.NewWiki{}), repo.NewWikiPost)
+					m.Combo("/:page/_edit").Get(repo.EditWiki).
+						Post(bindIgnErr(form.NewWiki{}), repo.EditWikiPost)
+					m.Post("/:page/delete", repo.DeleteWikiPagePost)
+				}, reqSignIn, reqRepoWriter)
+			}, repo.MustEnableWiki, context.RepoRef())
+
+			m.Get("/archive/*", repo.MustBeNotBare, repo.Download)
+
+			m.Group("/pulls/:index", func() {
+				m.Get("/commits", context.RepoRef(), repo.ViewPullCommits)
+				m.Get("/files", context.RepoRef(), repo.ViewPullFiles)
+				m.Post("/merge", reqRepoWriter, repo.MergePullRequest)
+			}, repo.MustAllowPulls)
+
+			m.Group("", func() {
+				m.Get("/src/*", repo.Home)
+				m.Get("/commits/*", repo.RefCommits)
+				m.Get("/forks", repo.Forks)
+			}, repo.MustBeNotBare, context.RepoRef())
+			// Bridged to Flamego to skip the legacy `RepoRef` middleware, which double-resolves the ref.
+			m.Get("/raw/*", flamegoBridger(webHandler))
+			m.Get("/commit/:sha([a-f0-9]{7,40})\\.:ext(patch|diff)", flamegoBridger(webHandler))
+			// Constrain SHA shape so non-matching `/commit/...` paths 404 instead of loading the SPA with a bad param.
+			m.Get("/commit/:sha([a-f0-9]{7,40})$", repo.MustBeNotBare, func(c *context.Context) { c.ServeWeb() })
+
+			m.Get("/compare/:before([a-z0-9]{40})\\.\\.\\.:after([a-z0-9]{40})", repo.MustBeNotBare, context.RepoRef(), repo.CompareDiff)
+		}, ignSignIn, context.RepoAssignment())
+		m.Group("/:username/:reponame", func() {
+			m.Get("", repo.Home)
+			m.Get("/stars", repo.Stars)
+			m.Get("/watchers", repo.Watchers)
+		}, context.ServeGoGet(), ignSignIn, context.RepoAssignment(), context.RepoRef())
+		// ***** END: Repository *****
+
+		// **********************
+		// ----- API routes -----
+		// **********************
+
+		// TODO: Without session and CSRF
+		m.Group("/api", func() {
+			apiv1.RegisterRoutes(m)
+		}, ignSignIn)
+
+		m.Any("/api/web/*", flamegoBridger(webHandler))
+		m.Get("/redirect", flamegoBridger(webHandler))
+		m.Get("/captcha/*", flamegoBridger(webHandler))
+		m.Any("/*", func(c *context.Context) { c.ServeWeb() })
+	},
+		session.Sessioner(session.Options{
+			Provider:       conf.Session.Provider,
+			ProviderConfig: conf.Session.ProviderConfig,
+			CookieName:     conf.Session.CookieName,
+			CookiePath:     conf.Server.Subpath,
+			Gclifetime:     conf.Session.GCInterval,
+			Maxlifetime:    conf.Session.MaxLifeTime,
+			Secure:         conf.Session.CookieSecure,
+			CookieLifeTime: 86400 * conf.Security.LoginRememberDays,
+		}),
+		csrf.Csrfer(csrf.Options{
+			Secret:         conf.Security.SecretKey,
+			Header:         "X-CSRF-Token",
+			Cookie:         conf.Session.CSRFCookieName,
+			CookieDomain:   conf.Server.URL.Hostname(),
+			CookiePath:     conf.Server.Subpath,
+			CookieHttpOnly: true,
+			SetCookie:      true,
+			Secure:         conf.Server.URL.Scheme == "https",
+		}),
+		context.Contexter(context.NewStore(), webHandler),
+	)
+
+	// ***************************
+	// ----- HTTP Git routes -----
+	// ***************************
+
+	m.Group("/:username/:reponame", func() {
+		m.Get("/tasks/trigger", repo.TriggerTask)
+
+		m.Group("/info/lfs", func() {
+			lfs.RegisterRoutes(m.Router)
+		})
+
+		gitHTTP := []macaron.Handler{context.ServeGoGet(), repo.HTTPContexter(repo.NewStore()), repo.HTTP}
+		m.Route("/info/refs", "GET,OPTIONS", gitHTTP...)
+		m.Route("/HEAD", "GET,OPTIONS", gitHTTP...)
+		m.Route("/git-upload-pack", "POST,OPTIONS", gitHTTP...)
+		m.Route("/git-receive-pack", "POST,OPTIONS", gitHTTP...)
+		m.Route("/objects/info/alternates", "GET,OPTIONS", gitHTTP...)
+		m.Route("/objects/info/http-alternates", "GET,OPTIONS", gitHTTP...)
+		m.Route("/objects/info/packs", "GET,OPTIONS", gitHTTP...)
+		m.Route("/objects/info/*", "GET,OPTIONS", gitHTTP...)
+		m.Route("/objects/:prefix([0-9a-f]{2})/:suffix([0-9a-f]{38})", "GET,OPTIONS", gitHTTP...)
+		m.Route("/objects/pack/pack-:sha([0-9a-f]{40}).pack", "GET,OPTIONS", gitHTTP...)
+		m.Route("/objects/pack/pack-:sha([0-9a-f]{40}).idx", "GET,OPTIONS", gitHTTP...)
+	})
+
+	// ***************************
+	// ----- Internal routes -----
+	// ***************************
+
+	m.Group("/-", func() {
+		m.Get("/metrics", app.MetricsFilter(), promhttp.Handler()) // "/-/metrics"
+
+		m.Group("/api", func() {
+			m.Post("/sanitize_ipynb", app.SanitizeIpynb()) // "/-/api/sanitize_ipynb"
+		})
+	})
+
+	// **********************
+	// ----- robots.txt -----
+	// **********************
+
+	m.Get("/robots.txt", func(w http.ResponseWriter, r *http.Request) {
+		if conf.HasRobotsTxt {
+			http.ServeFile(w, r, filepath.Join(conf.CustomDir(), "robots.txt"))
+		} else {
+			w.WriteHeader(http.StatusNotFound)
+		}
+	})
+
+	// Flag for port number in case first time run conflict.
+	if portOverride > 0 {
+		port := strconv.Itoa(portOverride)
+		conf.Server.URL.Host = strings.Replace(conf.Server.URL.Host, ":"+conf.Server.URL.Port(), ":"+port, 1)
+		conf.Server.ExternalURL = conf.Server.URL.String()
+		conf.Server.HTTPPort = portOverride
+	}
+
+	var listenAddr string
+	if conf.Server.Protocol == "unix" {
+		listenAddr = conf.Server.HTTPAddr
+	} else {
+		listenAddr = fmt.Sprintf("%s:%d", conf.Server.HTTPAddr, conf.Server.HTTPPort)
+	}
+	log.Info("Available on %s", conf.Server.ExternalURL)
+
+	switch conf.Server.Protocol {
+	case "http":
+		err = http.ListenAndServe(listenAddr, m)
+
+	case "https":
+		tlsMinVersion := tls.VersionTLS12
+		switch conf.Server.TLSMinVersion {
+		case "TLS13":
+			tlsMinVersion = tls.VersionTLS13
+		case "TLS12":
+			tlsMinVersion = tls.VersionTLS12
+		case "TLS11":
+			tlsMinVersion = tls.VersionTLS11
+		case "TLS10":
+			tlsMinVersion = tls.VersionTLS10
+		}
+		server := &http.Server{
+			Addr: listenAddr,
+			TLSConfig: &tls.Config{
+				MinVersion:               uint16(tlsMinVersion),
+				CurvePreferences:         []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521},
+				PreferServerCipherSuites: true,
+				CipherSuites: []uint16{
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+				},
+			}, Handler: m,
+		}
+		err = server.ListenAndServeTLS(conf.Server.CertFile, conf.Server.KeyFile)
+
+	case "fcgi":
+		err = fcgi.Serve(nil, m)
+
+	case "unix":
+		if osx.Exist(listenAddr) {
+			err = os.Remove(listenAddr)
+			if err != nil {
+				return errors.Wrap(err, "remove existing Unix domain socket")
+			}
+		}
+
+		var listener *net.UnixListener
+		listener, err = net.ListenUnix("unix", &net.UnixAddr{Name: listenAddr, Net: "unix"})
+		if err != nil {
+			return errors.Wrap(err, "listen on Unix network")
+		}
+
+		// FIXME: add proper implementation of signal capture on all protocols
+		// execute this on SIGTERM or SIGINT: listener.Close()
+		if err = os.Chmod(listenAddr, conf.Server.UnixSocketMode); err != nil {
+			return errors.Wrap(err, "change permission of Unix domain socket")
+		}
+		err = http.Serve(listener, m)
+
+	default:
+		return errors.Newf("unexpected server protocol: %s", conf.Server.Protocol)
+	}
+
+	if err != nil {
+		return errors.Wrap(err, "start server")
+	}
+
+	return nil
+}
+
+func newRoutingHandler() (http.Handler, error) {
+	f := flamego.New()
+	f.Use(flamego.Recovery())
+	f.Use(flamegoInjector)
+	f.Use(captcha.Captchaer(captcha.Options{URLPrefix: "/captcha/"}))
+
+	cacherOpts, err := parseCacheOptions(conf.Cache)
+	if err != nil {
+		return nil, errors.Wrap(err, "parse cache options")
+	}
+	f.Use(cache.Cacher(cacherOpts))
+
+	f.ReturnHandler(func(c flamego.Context, statusCode int, resp any, err error) {
+		w := c.ResponseWriter()
+		w.Header().Set("Cache-Control", "no-store")
+		if err != nil {
+			msg := err.Error()
+			if statusCode >= http.StatusInternalServerError && conf.IsProdMode() {
+				msg = "Internal server error"
+			}
+			resp = map[string]any{"error": msg}
+		}
+		if resp == nil {
+			w.WriteHeader(statusCode)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+		w.WriteHeader(statusCode)
+		_ = json.NewEncoder(w).Encode(resp)
+	})
+
+	f.Get("/redirect", getRedirect)
+
+	// The captcha middleware writes the response. This route exists so the request reaches it.
+	f.Get("/captcha/image.jpeg", func() {})
+
+	f.Group("/{owner}/{repo}", func() {
+		f.Get("/commit/{sha: /[0-9a-f]{7,40}/}.{format: /(diff|patch)/}", getRepoCommitRaw)
+		f.Get("/raw/{ref}/{filepath: **}", getRepoRawFile)
+	}, withRepoContext)
+
+	mountWebAPIRoutes(f)
+	err = mountWebAppRoutes(f)
+	if err != nil {
+		return nil, errors.Wrap(err, "mount web app routes")
+	}
+	return f, nil
+}
+
+func getRedirect(c flamego.Context) {
+	to := c.Request().URL.Query().Get("to")
+	if !urlx.IsSameSite(to) {
+		to = conf.Server.Subpath + "/"
+	}
+	c.Redirect(to, http.StatusSeeOther)
+}
+
+// newMacaron initializes Macaron instance.
+func newMacaron() (*macaron.Macaron, error) {
+	m := macaron.New()
+	if !conf.Server.DisableRouterLog {
+		m.Use(macaron.Logger())
+	}
+	m.Use(macaron.Recovery())
+	if conf.Server.EnableGzip {
+		m.Use(gzip.Gziper())
+	}
+	if conf.Server.Protocol == "fcgi" {
+		m.SetURLPrefix(conf.Server.Subpath)
+	}
+
+	// Register custom middleware first to make it possible to override files under "public".
+	m.Use(macaron.Static(
+		filepath.Join(conf.CustomDir(), "public"),
+		macaron.StaticOptions{
+			SkipLogging: conf.Server.DisableRouterLog,
+		},
+	))
+	var publicFs http.FileSystem
+	if !conf.Server.LoadAssetsFromDisk {
+		publicFs = http.FS(public.Files)
+	}
+	m.Use(macaron.Static(
+		filepath.Join(conf.WorkDir(), "public"),
+		macaron.StaticOptions{
+			ETag:        true,
+			SkipLogging: conf.Server.DisableRouterLog,
+			FileSystem:  publicFs,
+		},
+	))
+
+	m.Use(macaron.Static(
+		conf.Picture.AvatarUploadPath,
+		macaron.StaticOptions{
+			ETag:        true,
+			Prefix:      conf.UsersAvatarPathPrefix,
+			SkipLogging: conf.Server.DisableRouterLog,
+		},
+	))
+	m.Use(macaron.Static(
+		conf.Picture.RepositoryAvatarUploadPath,
+		macaron.StaticOptions{
+			ETag:        true,
+			Prefix:      database.RepoAvatarURLPrefix,
+			SkipLogging: conf.Server.DisableRouterLog,
+		},
+	))
+
+	customDir := filepath.Join(conf.CustomDir(), "templates")
+	renderOpt := macaron.RenderOptions{
+		Directory:         filepath.Join(conf.WorkDir(), "templates"),
+		AppendDirectories: []string{customDir},
+		Funcs:             template.FuncMap(),
+		IndentJSON:        macaron.Env != macaron.PROD,
+	}
+	if !conf.Server.LoadAssetsFromDisk {
+		renderOpt.TemplateFileSystem = templates.NewTemplateFileSystem("", customDir)
+	}
+	m.Use(macaron.Renderer(renderOpt))
+
+	localeNames, err := embedConf.FileNames("locale")
+	if err != nil {
+		return nil, errors.Wrap(err, "list locale files")
+	}
+	localeFiles := make(map[string][]byte)
+	for _, name := range localeNames {
+		localeFiles[name], err = embedConf.Files.ReadFile("locale/" + name)
+		if err != nil {
+			return nil, errors.Wrapf(err, "read locale file %q", name)
+		}
+	}
+	m.Use(i18n.I18n(i18n.Options{
+		SubURL:          conf.Server.Subpath,
+		Files:           localeFiles,
+		CustomDirectory: filepath.Join(conf.CustomDir(), "conf", "locale"),
+		Langs:           conf.I18n.Langs,
+		Names:           conf.I18n.Names,
+		DefaultLang:     "en-US",
+		Redirect:        true,
+	}))
+	m.Use(macaroncache.Cacher(macaroncache.Options{
+		Adapter:       conf.Cache.Adapter,
+		AdapterConfig: conf.Cache.Host,
+		Interval:      conf.Cache.Interval,
+	}))
+	m.Route("/healthcheck", http.MethodHead+","+http.MethodGet, healthCheck)
+	return m, nil
+}
+
+// renderIndex returns the index.html shell with per-request substitutions
+// applied for the given WebContext.
+func renderIndex(index []byte, wc context.WebContext) ([]byte, error) {
+	// json.Marshal escapes <, >, and &, so the payload cannot break out of the surrounding <script>.
+	payload, err := json.Marshal(struct {
+		Lang   string `json:"lang"`
+		SubURL string `json:"subURL"`
+	}{
+		Lang:   wc.Lang,
+		SubURL: wc.SubURL,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "marshal web context")
+	}
+	script := `<script>window.__webContext=` + string(payload) +
+		`;document.documentElement.lang=window.__webContext.lang;</script>`
+
+	pairs := []string{
+		"{{.WebContext}}", script,
+	}
+	if wc.SubURL != "" {
+		// Prefix Vite's absolute root paths with the subpath for non-root mounts.
+		pairs = append(pairs,
+			`src="/assets/`, `src="`+wc.SubURL+`/assets/`,
+			`href="/assets/`, `href="`+wc.SubURL+`/assets/`,
+			`src="/src/`, `src="`+wc.SubURL+`/src/`,
+			`href="/img/`, `href="`+wc.SubURL+`/img/`,
+		)
+	}
+	return []byte(strings.NewReplacer(pairs...).Replace(string(index))), nil
+}
+
+func healthCheck(w http.ResponseWriter, r *http.Request) {
+	if err := database.Ping(); err != nil {
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		w.WriteHeader(http.StatusServiceUnavailable)
+		_, _ = fmt.Fprintf(w, "* Database connection: %s\n", err)
+		return
+	}
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.WriteHeader(http.StatusOK)
+	if r.Method == http.MethodHead {
+		return
+	}
+	_, _ = w.Write([]byte("* Database connection: OK\n"))
+}
@@ -0,0 +1,182 @@
+package web
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"path"
+	"strconv"
+
+	"github.com/cockroachdb/errors"
+	"github.com/flamego/flamego"
+	"github.com/gogs/git-module"
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/gitx"
+	"gogs.io/gogs/internal/repox"
+	"gogs.io/gogs/internal/tool"
+	log "unknwon.dev/clog/v2"
+)
+
+// whitespaceFlag maps the `whitespace` query value to its `git diff` flag.
+// `ignore-change` (`-b`) still surfaces added/removed blank lines, unlike
+// `ignore-all` (`-w`). Empty or unknown values disable whitespace handling.
+func whitespaceFlag(v string) string {
+	switch v {
+	case "ignore-all":
+		return "-w"
+	case "ignore-change":
+		return "-b"
+	default:
+		return ""
+	}
+}
+
+func writeErrorResponse(w http.ResponseWriter, code int, err error) {
+	w.Header().Set("Cache-Control", "no-store")
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+	message := err.Error()
+	// Match the JSON-API ReturnHandler: in prod, never leak 5xx detail.
+	if code >= http.StatusInternalServerError && conf.IsProdMode() {
+		message = "Internal server error"
+	}
+	w.WriteHeader(code)
+	_ = json.NewEncoder(w).Encode(map[string]string{"error": message})
+}
+
+func getRepoCommitRaw(c flamego.Context, repoCtx *repoContext) {
+	w := c.ResponseWriter()
+	if !repoCtx.ViewerCanRead() {
+		writeErrorResponse(w, http.StatusNotFound, errors.New("repository does not exist"))
+		return
+	}
+
+	owner := repoCtx.Owner
+	repo := repoCtx.Repo
+	sha := c.Param("sha")
+	format := c.Param("format")
+
+	gitRepo, err := git.Open(repox.RepositoryPath(owner.Name, repo.Name))
+	if err != nil {
+		log.Error("getRepoCommitRaw: open repository %q/%q: %v", owner.Name, repo.Name, err)
+		writeErrorResponse(w, http.StatusInternalServerError, errors.Wrap(err, "open repository"))
+		return
+	}
+
+	if _, err = gitRepo.CatFileCommit(sha); err != nil {
+		if gitx.IsErrRevisionNotExist(err) {
+			writeErrorResponse(w, http.StatusNotFound, errors.New("commit does not exist"))
+			return
+		}
+		log.Error("getRepoCommitRaw: cat-file commit %q in %q/%q: %v", sha, owner.Name, repo.Name, err)
+		writeErrorResponse(w, http.StatusInternalServerError, errors.Wrap(err, "cat-file commit"))
+		return
+	}
+
+	var rawOpts []git.RawDiffOptions
+	if flag := whitespaceFlag(c.Request().URL.Query().Get("whitespace")); flag != "" {
+		rawOpts = append(rawOpts, git.RawDiffOptions{
+			CommandOptions: git.CommandOptions{Args: []string{flag}},
+		})
+	}
+
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-store")
+	if err = gitRepo.RawDiff(sha, git.RawDiffFormat(format), w, rawOpts...); err != nil {
+		log.Error("getRepoCommitRaw: get raw diff %s: %v", sha, err)
+	}
+}
+
+// resolveRef resolves ref as a commit SHA, then a branch name, then a tag
+// name, in that order. A branch and tag of the same name resolve to the branch.
+func resolveRef(gitRepo *git.Repository, ref string) (*git.Commit, error) {
+	commit, err := gitRepo.CatFileCommit(ref)
+	if err == nil {
+		return commit, nil
+	}
+	if !gitx.IsErrRevisionNotExist(err) {
+		return nil, errors.Wrap(err, "cat-file commit")
+	}
+	commit, err = gitRepo.BranchCommit(ref)
+	if err == nil {
+		return commit, nil
+	}
+	if !gitx.IsErrRevisionNotExist(err) {
+		return nil, errors.Wrap(err, "get branch commit")
+	}
+	commit, err = gitRepo.TagCommit(ref)
+	if err != nil {
+		return nil, errors.Wrap(err, "get tag commit")
+	}
+	return commit, nil
+}
+
+func getRepoRawFile(c flamego.Context, repoCtx *repoContext) {
+	w := c.ResponseWriter()
+	if !repoCtx.ViewerCanRead() {
+		writeErrorResponse(w, http.StatusNotFound, errors.New("repository does not exist"))
+		return
+	}
+
+	owner := repoCtx.Owner
+	repo := repoCtx.Repo
+	rawRef := c.Param("ref")
+	filepath := c.Param("filepath")
+
+	ref, err := url.PathUnescape(rawRef)
+	if err != nil {
+		writeErrorResponse(w, http.StatusNotFound, errors.New("ref does not exist"))
+		return
+	}
+
+	gitRepo, err := git.Open(repox.RepositoryPath(owner.Name, repo.Name))
+	if err != nil {
+		log.Error("getRepoRawFile: open repository %q/%q: %v", owner.Name, repo.Name, err)
+		writeErrorResponse(w, http.StatusInternalServerError, errors.Wrap(err, "open repository"))
+		return
+	}
+
+	commit, err := resolveRef(gitRepo, ref)
+	if err != nil {
+		if gitx.IsErrRevisionNotExist(err) {
+			writeErrorResponse(w, http.StatusNotFound, errors.New("ref does not exist"))
+			return
+		}
+		log.Error("getRepoRawFile: resolve ref %q in %q/%q: %v", ref, owner.Name, repo.Name, err)
+		writeErrorResponse(w, http.StatusInternalServerError, errors.Wrap(err, "resolve ref"))
+		return
+	}
+
+	blob, err := commit.Blob(filepath)
+	if err != nil {
+		if gitx.IsErrRevisionNotExist(err) || errors.Is(err, git.ErrNotBlob) {
+			writeErrorResponse(w, http.StatusNotFound, errors.New("file does not exist"))
+			return
+		}
+		log.Error("getRepoRawFile: blob %s:%s in %q/%q: %v", commit.ID, filepath, owner.Name, repo.Name, err)
+		writeErrorResponse(w, http.StatusInternalServerError, errors.Wrap(err, "get blob"))
+		return
+	}
+
+	data, err := blob.Bytes()
+	if err != nil {
+		log.Error("getRepoRawFile: read blob %s:%s: %v", commit.ID, filepath, err)
+		writeErrorResponse(w, http.StatusInternalServerError, errors.Wrap(err, "read blob"))
+		return
+	}
+
+	if pathCommit, err := commit.CommitByPath(git.CommitByRevisionOptions{Path: filepath}); err == nil && pathCommit != nil {
+		w.Header().Set("Last-Modified", pathCommit.Committer.When.Format(http.TimeFormat))
+	}
+
+	render, _ := strconv.ParseBool(c.Request().URL.Query().Get("render"))
+	switch {
+	case !tool.IsTextFile(data) && !tool.IsImageFile(data):
+		w.Header().Set("Content-Disposition", `attachment; filename="`+path.Base(filepath)+`"`)
+		w.Header().Set("Content-Transfer-Encoding", "binary")
+	case tool.IsTextFile(data) && (!conf.Repository.EnableRawFileRenderMode || !render):
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	}
+
+	_, _ = w.Write(data)
+}
@@ -0,0 +1,219 @@
+package web
+
+import (
+	stdctx "context"
+	"encoding/json"
+	"net/http"
+	"reflect"
+	"regexp"
+	"strings"
+
+	"github.com/cockroachdb/errors"
+	"github.com/flamego/binding"
+	"github.com/flamego/flamego"
+	"github.com/flamego/session"
+	"github.com/flamego/validator"
+	"github.com/go-macaron/i18n"
+	macaronsession "github.com/go-macaron/session"
+	"gopkg.in/macaron.v1"
+
+	"gogs.io/gogs/internal/context"
+	"gogs.io/gogs/internal/database"
+)
+
+type (
+	webAPIUserKey    struct{}
+	webAPISessionKey struct{}
+	webAPIMacaronKey struct{}
+	webAPILocaleKey  struct{}
+)
+
+func flamegoBridger(webHandler http.Handler) func(c *context.Context, l i18n.Locale) {
+	return func(c *context.Context, l i18n.Locale) {
+		ctx := c.Req.Context()
+		ctx = stdctx.WithValue(ctx, webAPIUserKey{}, c.User)
+		ctx = stdctx.WithValue(ctx, webAPISessionKey{}, c.Session)
+		ctx = stdctx.WithValue(ctx, webAPIMacaronKey{}, c.Context)
+		ctx = stdctx.WithValue(ctx, webAPILocaleKey{}, l)
+		webHandler.ServeHTTP(c.Resp, c.Req.WithContext(ctx))
+	}
+}
+
+func flamegoInjector(c flamego.Context) {
+	ctx := c.Request().Context()
+	user, _ := ctx.Value(webAPIUserKey{}).(*database.User)
+	sess, _ := ctx.Value(webAPISessionKey{}).(macaronsession.Store)
+	mc, _ := ctx.Value(webAPIMacaronKey{}).(*macaron.Context)
+	l, _ := ctx.Value(webAPILocaleKey{}).(i18n.Locale)
+	c.Map(user, sess, mc, l)
+	c.MapTo(flamegoSessionAdapter{sess: sess}, (*session.Session)(nil))
+}
+
+// flamegoSessionAdapter exposes the underlying Macaron session via the Flamego
+// session interface so the captcha middleware (and any future Flamego-native
+// session consumer) can read/write the same session store the rest of the app
+// uses.
+type flamegoSessionAdapter struct {
+	sess macaronsession.Store
+}
+
+func (s flamegoSessionAdapter) ID() string                      { return s.sess.ID() }
+func (s flamegoSessionAdapter) Get(key interface{}) interface{} { return s.sess.Get(key) }
+func (s flamegoSessionAdapter) Set(key, val interface{})        { _ = s.sess.Set(key, val) }
+func (s flamegoSessionAdapter) SetFlash(val interface{})        { _ = s.sess.Set("_flash", val) }
+func (s flamegoSessionAdapter) Delete(key interface{})          { _ = s.sess.Delete(key) }
+func (s flamegoSessionAdapter) Flush()                          { _ = s.sess.Flush() }
+func (s flamegoSessionAdapter) Encode() ([]byte, error)         { return nil, nil }
+
+func enforceWebAPIMaxBodySize(c flamego.Context) {
+	r := c.Request().Request
+	r.Body = http.MaxBytesReader(c.ResponseWriter(), r.Body, 4*1024) // 4 KiB
+}
+
+// webAPIValidator is the shared validator instance used by every webapi
+// binding. Registering the json-tag name function makes validation errors
+// carry the wire field name (e.g. "recoveryCode") via ve.Field(), so the
+// 400 payload keys match what the React client sends and reads.
+var webAPIValidator = func() *validator.Validate {
+	v := validator.New()
+	v.RegisterTagNameFunc(func(fld reflect.StructField) string {
+		name := strings.SplitN(fld.Tag.Get("json"), ",", 2)[0]
+		if name == "-" {
+			return ""
+		}
+		return name
+	})
+	_ = v.RegisterValidation("alphadashdot", func(fl validator.FieldLevel) bool {
+		return !alphaDashDotInvalid.MatchString(fl.Field().String())
+	})
+	return v
+}()
+
+var alphaDashDotInvalid = regexp.MustCompile(`[^\d\w\-_\.]`)
+
+// bindJSON binds the request body to T. On binding or validation failure it
+// short-circuits with a 400 carrying the standard renderBindingErrors payload,
+// so downstream handlers can drop the `if len(bindErrs) > 0` boilerplate and
+// the binding.Errors parameter entirely.
+func bindJSON(model any) flamego.Handler {
+	return binding.JSON(model, binding.Options{
+		Validator: webAPIValidator,
+		ErrorHandler: func(c flamego.Context, l i18n.Locale, errs binding.Errors) {
+			w := c.ResponseWriter()
+			w.Header().Set("Cache-Control", "no-store")
+			w.Header().Set("Content-Type", "application/json; charset=utf-8")
+			w.WriteHeader(http.StatusBadRequest)
+			_ = json.NewEncoder(w).Encode(renderBindingErrors(l, errs))
+		},
+	})
+}
+
+func mountWebAPIRoutes(f *flamego.Flame) {
+	f.Group("/api/web", func() {
+		f.Group("/user", func() {
+			f.Get("/info", getUserInfo)
+			f.Combo("/sign-up").
+				Get(getUserSignUp).
+				Post(bindJSON(userSignUpRequest{}), postUserSignUp)
+			f.Group("/reset-password", func() {
+				f.Combo("").
+					Get(getUserResetPassword).
+					Post(bindJSON(userResetPasswordEmailRequest{}), postUserResetPassword)
+				f.Post("/complete", bindJSON(userResetPasswordCompleteRequest{}), postUserResetPasswordComplete)
+			})
+			f.Combo("/sign-in").
+				Get(getUserSignIn).
+				Post(bindJSON(userSignInRequest{}), postUserSignIn)
+			f.Group("/mfa", func() {
+				f.Combo("").
+					Get(getUserMFA).
+					Post(bindJSON(userMFARequest{}), postUserMFA)
+				f.Post("/recovery", bindJSON(userMFARecoveryRequest{}), postUserMFARecovery)
+			})
+			f.Group("/activate", func() {
+				f.Combo("").
+					Get(getUserActivate).
+					Post(postUserActivate)
+				f.Post("/complete", bindJSON(userActivateCompleteRequest{}), postUserActivateComplete)
+			})
+			f.Post("/sign-out", postUserSignOut)
+		})
+		f.Group("/{owner}/{repo}", func() {
+			f.Get("/header", getRepoHeader)
+			f.Get("/commit/{sha: /[0-9a-f]{7,40}/}", getRepoCommit)
+			f.Combo("/watch").Post(postRepoWatch).Delete(deleteRepoWatch)
+			f.Combo("/star").Post(postRepoStar).Delete(deleteRepoStar)
+		}, withRepoContext)
+	}, enforceWebAPIMaxBodySize)
+}
+
+// fieldErrors maps JSON field names to per-field localized messages. A non-nil
+// value renders inline under the input. A nil value marks the input as
+// invalid (highlight + focus eligibility) without duplicating text. Used in
+// concert with bindingErrorResponse.Error to surface one banner message while
+// highlighting multiple inputs.
+type fieldErrors map[string]*string
+
+// bindingErrorResponse carries form-validation failures. Error is the top-level
+// message shown as a banner above the form (used when the failure is not tied
+// to a specific input, e.g. malformed body, bad credentials).
+type bindingErrorResponse struct {
+	Error  string      `json:"error,omitempty"`
+	Fields fieldErrors `json:"fields,omitempty"`
+}
+
+// ruleSuffixKeys maps a validator tag to the shared "form.*_error" suffix key
+// (e.g. "max" -> "form.max_size_error"). Messages are composed as
+// <field label> + <suffix>, mirroring the legacy Macaron binding behavior.
+var ruleSuffixKeys = map[string]string{
+	"required":     "form.require_error",
+	"max":          "form.max_size_error",
+	"min":          "form.min_size_error",
+	"len":          "form.size_error",
+	"email":        "form.email_error",
+	"url":          "form.url_error",
+	"alphadashdot": "form.alpha_dash_dot_error",
+}
+
+// renderBindingErrors maps binding.Errors to the response shape, looking up
+// localized messages via the request's locale. The per-field label comes from
+// "form.<StructField>" (e.g. "form.UserName"); the rule suffix comes from
+// ruleSuffixKeys. Rule parameters (e.g. "254" for `max=254`) are passed
+// through to the suffix translation for %s expansion. Always HTTP 400.
+func renderBindingErrors(l i18n.Locale, errs binding.Errors) *bindingErrorResponse {
+	for _, e := range errs {
+		if e.Category == binding.ErrorCategoryDeserialization {
+			return &bindingErrorResponse{Error: l.Tr("form.invalid_request") + ": " + e.Err.Error()}
+		}
+	}
+
+	out := make(fieldErrors)
+	for _, e := range errs {
+		var ves validator.ValidationErrors
+		ok := errors.As(e.Err, &ves)
+		if !ok {
+			continue
+		}
+		for _, ve := range ves {
+			field := ve.Field()
+			if _, exists := out[field]; exists {
+				// Keep the first rule that failed for a given field so the client renders one
+				// message per input. Subsequent rules surface only after the first is fixed.
+				continue
+			}
+			label := l.Tr("form." + ve.StructField())
+			suffixKey, known := ruleSuffixKeys[ve.Tag()]
+			var msg string
+			switch {
+			case !known:
+				msg = l.Tr("form.unknown_error") + " " + ve.Tag()
+			case ve.Param() != "":
+				msg = label + l.Tr(suffixKey, ve.Param())
+			default:
+				msg = label + l.Tr(suffixKey)
+			}
+			out[field] = &msg
+		}
+	}
+	return &bindingErrorResponse{Fields: out}
+}
@@ -0,0 +1,248 @@
+package web
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/cockroachdb/errors"
+	"github.com/flamego/flamego"
+	"github.com/gogs/git-module"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/database"
+	"gogs.io/gogs/internal/gitx"
+	"gogs.io/gogs/internal/repox"
+	"gogs.io/gogs/internal/strx"
+	"gogs.io/gogs/internal/tool"
+)
+
+type repoHeader struct {
+	ID                   int64  `json:"id"`
+	Owner                string `json:"owner"`
+	Name                 string `json:"name"`
+	AvatarURL            string `json:"avatarURL"`
+	Visibility           string `json:"visibility"`
+	MirrorOf             string `json:"mirrorOf,omitempty"`
+	WatchCount           int    `json:"watchCount"`
+	StarCount            int    `json:"starCount"`
+	ForkCount            int    `json:"forkCount"`
+	IssuesEnabled        bool   `json:"issuesEnabled"`
+	OpenIssueCount       int    `json:"openIssueCount"`
+	PullRequestsEnabled  bool   `json:"pullRequestsEnabled"`
+	OpenPullRequestCount int    `json:"openPullRequestCount"`
+	WikiEnabled          bool   `json:"wikiEnabled"`
+
+	ViewerCanAdminister bool `json:"viewerCanAdminister"`
+	ViewerIsWatching    bool `json:"viewerIsWatching"`
+	ViewerIsStarring    bool `json:"viewerIsStarring"`
+}
+
+func getRepoHeader(repoCtx *repoContext) (statusCode int, resp *repoHeader, err error) {
+	owner := repoCtx.Owner
+	repo := repoCtx.Repo
+
+	issuesEnabled := repo.EnableIssues
+	wikiEnabled := repo.EnableWiki
+	if !repoCtx.ViewerCanRead() {
+		if !repo.IsPartialPublic() {
+			return http.StatusNotFound, nil, errors.New("repository does not exist")
+		}
+		issuesEnabled = repo.CanGuestViewIssues()
+		wikiEnabled = repo.CanGuestViewWiki()
+	}
+
+	visibility := "public"
+	if repo.IsPrivate {
+		visibility = "private"
+	}
+
+	resp = &repoHeader{
+		ID:                   repo.ID,
+		Owner:                owner.Name,
+		Name:                 repo.Name,
+		AvatarURL:            strx.Coalesce(repo.AvatarLink(), owner.AvatarURL()),
+		Visibility:           visibility,
+		WatchCount:           repo.NumWatches,
+		StarCount:            repo.NumStars,
+		ForkCount:            repo.NumForks,
+		IssuesEnabled:        issuesEnabled,
+		OpenIssueCount:       repo.NumIssues - repo.NumClosedIssues,
+		PullRequestsEnabled:  repo.AllowsPulls(),
+		OpenPullRequestCount: repo.NumPulls - repo.NumClosedPulls,
+		WikiEnabled:          wikiEnabled,
+
+		ViewerCanAdminister: repoCtx.ViewerCanAdminister(),
+		ViewerIsWatching:    database.IsWatching(repoCtx.ViewerID, repo.ID),
+		ViewerIsStarring:    database.IsStarring(repoCtx.ViewerID, repo.ID),
+	}
+
+	if repo.IsMirror {
+		mirror, err := database.GetMirrorByRepoID(repo.ID)
+		if err != nil {
+			log.Error("getRepoHeader: get mirror by repo ID %d: %v", repo.ID, err)
+		} else if mirror != nil {
+			resp.MirrorOf = mirror.Address()
+		}
+	}
+
+	return http.StatusOK, resp, nil
+}
+
+type repoCommitSignature struct {
+	Name       string    `json:"name"`
+	Email      string    `json:"email"`
+	When       time.Time `json:"when"`
+	AvatarURL  string    `json:"avatarURL"`
+	ProfileURL string    `json:"profileURL,omitempty"`
+}
+
+type repoCommit struct {
+	SHA     string              `json:"sha"`
+	Subject string              `json:"subject"`
+	Body    string              `json:"body"`
+	Author  repoCommitSignature `json:"author"`
+	Parents []string            `json:"parents"`
+}
+
+func getRepoCommit(c flamego.Context, repoCtx *repoContext) (statusCode int, resp *repoCommit, err error) {
+	if !repoCtx.ViewerCanRead() {
+		return http.StatusNotFound, nil, errors.New("repository does not exist")
+	}
+
+	ctx := c.Request().Context()
+	owner := repoCtx.Owner
+	repo := repoCtx.Repo
+	commitID := c.Param("sha")
+
+	gitRepo, err := git.Open(repox.RepositoryPath(owner.Name, repo.Name))
+	if err != nil {
+		log.Error("getRepoCommit: open repository %q/%q: %v", owner.Name, repo.Name, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "open repository")
+	}
+
+	commit, err := gitRepo.CatFileCommit(commitID)
+	if err != nil {
+		if gitx.IsErrRevisionNotExist(err) {
+			return http.StatusNotFound, nil, nil
+		}
+		log.Error("getRepoCommit: cat-file commit %q in %q/%q: %v", commitID, owner.Name, repo.Name, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "cat-file commit")
+	}
+
+	parents := make([]string, commit.ParentsCount())
+	for i := 0; i < commit.ParentsCount(); i++ {
+		sha, err := commit.ParentID(i)
+		if err != nil {
+			log.Error("getRepoCommit: parent ID %d for %q in %q/%q: %v", i, commitID, owner.Name, repo.Name, err)
+			return http.StatusInternalServerError, nil, errors.Wrap(err, "parent ID")
+		}
+		parents[i] = sha.String()
+	}
+
+	toSignature := func(s *git.Signature) repoCommitSignature {
+		sig := repoCommitSignature{
+			Name:      s.Name,
+			Email:     s.Email,
+			When:      s.When.UTC(),
+			AvatarURL: tool.AvatarLink(s.Email),
+		}
+		if u, err := database.Handle.Users().GetByEmail(ctx, s.Email); err == nil && u != nil {
+			sig.ProfileURL = conf.Server.Subpath + "/" + u.Name
+		}
+		return sig
+	}
+
+	subject := commit.Summary()
+	var body string
+	if msg := commit.Message; len(msg) > len(subject) {
+		body = msg[len(subject):]
+	}
+
+	return http.StatusOK, &repoCommit{
+		SHA:     commitID,
+		Subject: subject,
+		Body:    body,
+		Author:  toSignature(commit.Author),
+		Parents: parents,
+	}, nil
+}
+
+type repoWatchResponse struct {
+	WatchCount int `json:"watchCount"`
+}
+
+func repoWatchAction(ctx context.Context, repoCtx *repoContext, watching bool) (statusCode int, resp *repoWatchResponse, err error) {
+	if repoCtx.ViewerCanRead() {
+		return http.StatusNotFound, nil, errors.New("repository does not exist")
+	}
+
+	repo := repoCtx.Repo
+
+	if watching {
+		err = database.Handle.Repositories().Watch(ctx, repoCtx.ViewerID, repo.ID)
+	} else {
+		err = database.WatchRepo(repoCtx.ViewerID, repo.ID, false)
+	}
+	if err != nil {
+		log.Error("repoWatchAction: set watching=%t for user %d on repo %d: %v", watching, repoCtx.ViewerID, repo.ID, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "watch repo")
+	}
+
+	updated, err := database.Handle.Repositories().GetByName(ctx, repo.OwnerID, repo.Name)
+	if err != nil {
+		log.Error("repoWatchAction: reload repo %d (%q): %v", repo.ID, repo.Name, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "reload repo")
+	}
+	return http.StatusOK, &repoWatchResponse{
+		WatchCount: updated.NumWatches,
+	}, nil
+}
+
+func postRepoWatch(c flamego.Context, repoCtx *repoContext) (statusCode int, resp *repoWatchResponse, err error) {
+	return repoWatchAction(c.Request().Context(), repoCtx, true)
+}
+
+func deleteRepoWatch(c flamego.Context, repoCtx *repoContext) (statusCode int, resp *repoWatchResponse, err error) {
+	return repoWatchAction(c.Request().Context(), repoCtx, false)
+}
+
+type repoStarResponse struct {
+	StarCount int `json:"starCount"`
+}
+
+func repoStarAction(ctx context.Context, repoCtx *repoContext, starring bool) (statusCode int, resp *repoStarResponse, err error) {
+	if !repoCtx.ViewerCanRead() {
+		return http.StatusNotFound, nil, errors.New("repository does not exist")
+	}
+
+	repo := repoCtx.Repo
+
+	if starring {
+		err = database.Handle.Repositories().Star(ctx, repoCtx.ViewerID, repo.ID)
+	} else {
+		err = database.StarRepo(repoCtx.ViewerID, repo.ID, false)
+	}
+	if err != nil {
+		log.Error("repoStarAction: set starred=%t for user %d on repo %d: %v", starring, repoCtx.ViewerID, repo.ID, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "star repo")
+	}
+
+	updated, err := database.Handle.Repositories().GetByName(ctx, repo.OwnerID, repo.Name)
+	if err != nil {
+		log.Error("repoStarAction: reload repo %d (%q): %v", repo.ID, repo.Name, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "reload repo")
+	}
+	return http.StatusOK, &repoStarResponse{
+		StarCount: updated.NumStars,
+	}, nil
+}
+
+func postRepoStar(c flamego.Context, repoCtx *repoContext) (statusCode int, resp *repoStarResponse, err error) {
+	return repoStarAction(c.Request().Context(), repoCtx, true)
+}
+
+func deleteRepoStar(c flamego.Context, repoCtx *repoContext) (statusCode int, resp *repoStarResponse, err error) {
+	return repoStarAction(c.Request().Context(), repoCtx, false)
+}
@@ -0,0 +1,514 @@
+package web
+
+import (
+	stdctx "context"
+	"encoding/hex"
+	"net/http"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/cockroachdb/errors"
+	"github.com/flamego/cache"
+	"github.com/flamego/captcha"
+	"github.com/flamego/session"
+	"github.com/go-macaron/i18n"
+	macaronsession "github.com/go-macaron/session"
+	"gopkg.in/macaron.v1"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/internal/auth"
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/database"
+	"gogs.io/gogs/internal/email"
+	"gogs.io/gogs/internal/tool"
+	"gogs.io/gogs/internal/userx"
+)
+
+func parseUserFromCode(ctx stdctx.Context, code string) (user *database.User) {
+	if len(code) <= tool.TimeLimitCodeLength {
+		return nil
+	}
+
+	hexStr := code[tool.TimeLimitCodeLength:]
+	if b, err := hex.DecodeString(hexStr); err == nil {
+		if user, err = database.Handle.Users().GetByUsername(ctx, string(b)); user != nil {
+			return user
+		} else if !database.IsErrUserNotExist(err) {
+			log.Error("parseUserFromCode: get user by name %q: %v", string(b), err)
+		}
+	}
+	return nil
+}
+
+func verifyUserActiveCode(ctx stdctx.Context, code string) (user *database.User) {
+	if user = parseUserFromCode(ctx, code); user != nil {
+		prefix := code[:tool.TimeLimitCodeLength]
+		data := strconv.FormatInt(user.ID, 10) + user.Email + user.LowerName + user.Password + user.Rands
+		if tool.VerifyTimeLimitCode(data, conf.Auth.ActivateCodeLives, prefix) {
+			return user
+		}
+	}
+	return nil
+}
+
+type loginSource struct {
+	ID        int64  `json:"id"`
+	Name      string `json:"name"`
+	IsDefault bool   `json:"isDefault"`
+}
+
+type getUserSignInResponse struct {
+	LoginSources []loginSource `json:"loginSources"`
+}
+
+type getUserSignUpResponse struct {
+	RegistrationDisabled bool `json:"registrationDisabled"`
+	CaptchaEnabled       bool `json:"captchaEnabled"`
+}
+
+func getUserSignUp() (statusCode int, resp *getUserSignUpResponse, err error) {
+	return http.StatusOK, &getUserSignUpResponse{
+		RegistrationDisabled: conf.Auth.DisableRegistration,
+		CaptchaEnabled:       conf.Auth.EnableRegistrationCaptcha,
+	}, nil
+}
+
+type userSignUpRequest struct {
+	UserName string `json:"userName" validate:"required,alphadashdot,max=35"`
+	Email    string `json:"email" validate:"required,email,max=254"`
+	Password string `json:"password" validate:"required,max=255"`
+	Captcha  string `json:"captcha"`
+}
+
+type userSignUpResponse struct {
+	EmailConfirmationRequired bool   `json:"emailConfirmationRequired,omitempty"`
+	Email                     string `json:"email,omitempty"`
+	Hours                     int    `json:"hours,omitempty"`
+}
+
+func postUserSignUp(r *http.Request, mc *macaron.Context, ca cache.Cache, l i18n.Locale, cpt captcha.Captcha, req userSignUpRequest) (statusCode int, resp any, err error) {
+	if conf.Auth.DisableRegistration {
+		return http.StatusForbidden, &bindingErrorResponse{Error: l.Tr("auth.disable_register_prompt")}, nil
+	}
+	if conf.Auth.EnableRegistrationCaptcha && !cpt.ValidText(req.Captcha) {
+		msg := l.Tr("form.captcha_incorrect")
+		return http.StatusUnauthorized, &bindingErrorResponse{
+			Fields: fieldErrors{"captcha": &msg},
+		}, nil
+	}
+	u, err := database.Handle.Users().Create(
+		r.Context(),
+		req.UserName,
+		req.Email,
+		database.CreateUserOptions{
+			Password:  req.Password,
+			Activated: !conf.Auth.RequireEmailConfirmation,
+		},
+	)
+	if err != nil {
+		switch {
+		case database.IsErrUserAlreadyExist(err):
+			msg := l.Tr("form.username_been_taken")
+			return http.StatusUnprocessableEntity, &bindingErrorResponse{Fields: fieldErrors{"userName": &msg}}, nil
+		case database.IsErrEmailAlreadyUsed(err):
+			msg := l.Tr("form.email_been_used")
+			return http.StatusUnprocessableEntity, &bindingErrorResponse{Fields: fieldErrors{"email": &msg}}, nil
+		case database.IsErrNameNotAllowed(err):
+			msg := l.Tr("user.form.name_not_allowed", err.(database.ErrNameNotAllowed).Value())
+			return http.StatusBadRequest, &bindingErrorResponse{Fields: fieldErrors{"userName": &msg}}, nil
+		default:
+			log.Error("postUserSignUp: create user %q: %v", req.UserName, err)
+			return http.StatusInternalServerError, nil, errors.Wrap(err, "create user")
+		}
+	}
+	log.Trace("Account created: %s", u.Name)
+
+	if database.Handle.Users().Count(r.Context()) == 1 {
+		v := true
+		err := database.Handle.Users().Update(
+			r.Context(),
+			u.ID,
+			database.UpdateUserOptions{
+				IsActivated: &v,
+				IsAdmin:     &v,
+			},
+		)
+		if err != nil {
+			log.Error("postUserSignUp: update first user %q: %v", u.Name, err)
+			return http.StatusInternalServerError, nil, errors.Wrap(err, "update user")
+		}
+	}
+
+	if conf.Auth.RequireEmailConfirmation && u.ID > 1 {
+		if err := email.SendActivateAccountMail(mc, database.NewMailerUser(u)); err != nil {
+			log.Error("postUserSignUp: send activation mail to user %q: %v", u.Name, err)
+		}
+		if err := ca.Set(r.Context(), userx.MailResendCacheKey(u.ID), 1, 180*time.Second); err != nil {
+			log.Error("postUserSignUp: put mail resend cache for user %q: %v", u.Name, err)
+		}
+		return http.StatusOK, &userSignUpResponse{
+			EmailConfirmationRequired: true,
+			Email:                     u.Email,
+			Hours:                     conf.Auth.ActivateCodeLives / 60,
+		}, nil
+	}
+
+	return http.StatusOK, &userSignUpResponse{}, nil
+}
+
+func getUserSignIn(r *http.Request) (statusCode int, resp *getUserSignInResponse, err error) {
+	sources, err := database.Handle.LoginSources().List(r.Context(), database.ListLoginSourceOptions{OnlyActivated: true})
+	if err != nil {
+		log.Error("getUserSignIn: list activated login sources: %v", err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "list activated login sources")
+	}
+	loginSources := make([]loginSource, 0, len(sources))
+	for _, s := range sources {
+		loginSources = append(loginSources, loginSource{ID: s.ID, Name: s.Name, IsDefault: s.IsDefault})
+	}
+	return http.StatusOK, &getUserSignInResponse{LoginSources: loginSources}, nil
+}
+
+type userSignInRequest struct {
+	Username    string `json:"username" validate:"required,max=254"`
+	Password    string `json:"password" validate:"required,max=255"`
+	LoginSource int64  `json:"loginSource"`
+}
+
+type getUserResetPasswordResponse struct {
+	EmailEnabled bool `json:"emailEnabled"`
+	Valid        bool `json:"valid"`
+}
+
+func getUserResetPassword(r *http.Request) (statusCode int, resp *getUserResetPasswordResponse, err error) {
+	code := r.URL.Query().Get("code")
+	return http.StatusOK, &getUserResetPasswordResponse{
+		EmailEnabled: conf.Email.Enabled,
+		Valid:        code != "" && verifyUserActiveCode(r.Context(), code) != nil,
+	}, nil
+}
+
+type userResetPasswordEmailRequest struct {
+	Email string `json:"email" validate:"required,email,max=254"`
+}
+
+type userResetPasswordCompleteRequest struct {
+	Code     string `json:"code" validate:"required"`
+	Password string `json:"password" validate:"required,min=6,max=255"`
+}
+
+type userResetPasswordResponse struct {
+	Hours         int  `json:"hours,omitempty"`
+	ResendLimited bool `json:"resendLimited,omitempty"`
+}
+
+func postUserResetPassword(r *http.Request, ca cache.Cache, l i18n.Locale, req userResetPasswordEmailRequest) (statusCode int, resp any, err error) {
+	if !conf.Email.Enabled {
+		return http.StatusForbidden, &bindingErrorResponse{Error: l.Tr("auth.disable_register_mail")}, nil
+	}
+
+	ctx := r.Context()
+	u, err := database.Handle.Users().GetByEmail(ctx, req.Email)
+	if err != nil {
+		if database.IsErrUserNotExist(err) {
+			return http.StatusOK, &userResetPasswordResponse{Hours: conf.Auth.ActivateCodeLives / 60}, nil
+		}
+		log.Error("postUserResetPassword: get user by email %q: %v", req.Email, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "get user by email")
+	}
+
+	if !u.IsLocal() {
+		msg := l.Tr("auth.non_local_account")
+		return http.StatusForbidden, &bindingErrorResponse{Fields: fieldErrors{"email": &msg}}, nil
+	}
+
+	if _, err := ca.Get(ctx, userx.MailResendCacheKey(u.ID)); err == nil {
+		return http.StatusOK, &userResetPasswordResponse{
+			Hours:         conf.Auth.ActivateCodeLives / 60,
+			ResendLimited: true,
+		}, nil
+	} else if !errors.Is(err, os.ErrNotExist) {
+		log.Error("postUserResetPassword: get mail resend cache for user %q: %v", u.Name, err)
+	}
+
+	if err = email.SendResetPasswordMail(l, database.NewMailerUser(u)); err != nil {
+		log.Error("postUserResetPassword: send reset password mail to user %q: %v", u.Name, err)
+	}
+	if err = ca.Set(ctx, userx.MailResendCacheKey(u.ID), 1, 180*time.Second); err != nil {
+		log.Error("postUserResetPassword: put mail resend cache for user %q: %v", u.Name, err)
+	}
+
+	return http.StatusOK, &userResetPasswordResponse{Hours: conf.Auth.ActivateCodeLives / 60}, nil
+}
+
+func postUserResetPasswordComplete(r *http.Request, l i18n.Locale, req userResetPasswordCompleteRequest) (statusCode int, resp any, err error) {
+	u := verifyUserActiveCode(r.Context(), req.Code)
+	if u == nil {
+		return http.StatusBadRequest, &bindingErrorResponse{Error: l.Tr("auth.invalid_code")}, nil
+	}
+
+	if err := database.Handle.Users().Update(r.Context(), u.ID, database.UpdateUserOptions{Password: &req.Password}); err != nil {
+		log.Error("postUserResetPasswordComplete: update password for user %q: %v", u.Name, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "update user")
+	}
+
+	log.Trace("User password reset: %s", u.Name)
+	return http.StatusNoContent, nil, nil
+}
+
+type userSignInResponse struct {
+	// MFA is true when the account has MFA enabled and the password step
+	// succeeded but a second factor is still required. The client should
+	// navigate to /user/mfa to complete the challenge.
+	MFA bool `json:"mfa,omitempty"`
+}
+
+func postUserSignIn(r *http.Request, sess session.Session, mc *macaron.Context, l i18n.Locale, req userSignInRequest) (statusCode int, resp any, err error) {
+	u, err := database.Handle.Users().Authenticate(r.Context(), req.Username, req.Password, req.LoginSource)
+	if err != nil {
+		switch {
+		case auth.IsErrBadCredentials(err):
+			return http.StatusUnauthorized, &bindingErrorResponse{
+				Error:  l.Tr("form.username_password_incorrect"),
+				Fields: fieldErrors{"username": nil, "password": nil},
+			}, nil
+		case database.IsErrLoginSourceMismatch(err):
+			return http.StatusUnprocessableEntity, nil, errors.New(l.Tr("form.auth_source_mismatch"))
+		default:
+			log.Error("postUserSignIn: authenticate user %q: %v", req.Username, err)
+			return http.StatusInternalServerError, nil, errors.Wrap(err, "authenticate user")
+		}
+	}
+
+	if database.Handle.TwoFactors().IsEnabled(r.Context(), u.ID) {
+		sess.Set("mfaUserID", u.ID)
+		return http.StatusOK, &userSignInResponse{MFA: true}, nil
+	}
+
+	completeSignIn(sess, mc, u)
+	return http.StatusOK, &userSignInResponse{}, nil
+}
+
+// completeSignIn finalizes the sign-in session for u: writes the auth session,
+// clears any in-flight MFA state, and sets the login-status cookie. The
+// caller is responsible for navigating to a post-login destination via
+// /redirect?to=.
+func completeSignIn(sess session.Session, mc *macaron.Context, u *database.User) {
+	sess.Set("uid", u.ID)
+	sess.Set("uname", u.Name)
+	sess.Delete("mfaUserID")
+
+	mc.SetCookie(conf.Session.CSRFCookieName, "", -1, conf.Server.Subpath)
+	if conf.Security.EnableLoginStatusCookie {
+		mc.SetCookie(conf.Security.LoginStatusCookieName, "true", 0, conf.Server.Subpath)
+	}
+}
+
+func getUserMFA(sess session.Session) (statusCode int, resp any, err error) {
+	if _, ok := sess.Get("mfaUserID").(int64); !ok {
+		return http.StatusNotFound, nil, nil
+	}
+	return http.StatusNoContent, nil, nil
+}
+
+type userMFARequest struct {
+	Passcode string `json:"passcode" validate:"required,len=6"`
+}
+
+type userMFAResponse struct{}
+
+func postUserMFA(r *http.Request, sess session.Session, mc *macaron.Context, ca cache.Cache, l i18n.Locale, req userMFARequest) (statusCode int, resp any, err error) {
+	userID, ok := sess.Get("mfaUserID").(int64)
+	if !ok {
+		return http.StatusUnauthorized, &bindingErrorResponse{Error: l.Tr("auth.mfa_session_expired")}, nil
+	}
+
+	t, err := database.Handle.TwoFactors().GetByUserID(r.Context(), userID)
+	if err != nil {
+		log.Error("postUserMFA: get two factor by user ID %d: %v", userID, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "get two factor by user ID")
+	}
+
+	valid, err := t.ValidateTOTP(req.Passcode)
+	if err != nil {
+		log.Error("postUserMFA: validate TOTP for user %d: %v", userID, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "validate TOTP")
+	}
+	if !valid {
+		msg := l.Tr("auth.mfa_invalid_passcode")
+		return http.StatusUnauthorized, &bindingErrorResponse{
+			Fields: fieldErrors{"passcode": &msg},
+		}, nil
+	}
+
+	cacheKey := userx.TwoFactorCacheKey(userID, req.Passcode)
+	if _, err := ca.Get(r.Context(), cacheKey); err == nil {
+		msg := l.Tr("auth.mfa_reused_passcode")
+		return http.StatusUnauthorized, &bindingErrorResponse{
+			Fields: fieldErrors{"passcode": &msg},
+		}, nil
+	} else if !errors.Is(err, os.ErrNotExist) {
+		log.Error("postUserMFA: get two factor passcode cache for user %d: %v", userID, err)
+	}
+	if err = ca.Set(r.Context(), cacheKey, 1, 60*time.Second); err != nil {
+		log.Error("postUserMFA: cache two factor passcode for user %d: %v", userID, err)
+	}
+
+	u, err := database.Handle.Users().GetByID(r.Context(), userID)
+	if err != nil {
+		log.Error("postUserMFA: get user by ID %d: %v", userID, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "get user by ID")
+	}
+
+	completeSignIn(sess, mc, u)
+	return http.StatusOK, &userMFAResponse{}, nil
+}
+
+type userMFARecoveryRequest struct {
+	RecoveryCode string `json:"recoveryCode" validate:"required,len=11"`
+}
+
+func postUserMFARecovery(r *http.Request, sess session.Session, mc *macaron.Context, l i18n.Locale, req userMFARecoveryRequest) (statusCode int, resp any, err error) {
+	userID, ok := sess.Get("mfaUserID").(int64)
+	if !ok {
+		return http.StatusUnauthorized, &bindingErrorResponse{Error: l.Tr("auth.mfa_session_expired")}, nil
+	}
+
+	if err := database.Handle.TwoFactors().UseRecoveryCode(r.Context(), userID, req.RecoveryCode); err != nil {
+		if database.IsTwoFactorRecoveryCodeNotFound(err) {
+			msg := l.Tr("auth.mfa_invalid_recovery_code")
+			return http.StatusUnauthorized, &bindingErrorResponse{
+				Fields: fieldErrors{"recoveryCode": &msg},
+			}, nil
+		}
+		log.Error("postUserMFARecovery: use recovery code for user %d: %v", userID, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "use recovery code")
+	}
+
+	u, err := database.Handle.Users().GetByID(r.Context(), userID)
+	if err != nil {
+		log.Error("postUserMFARecovery: get user by ID %d: %v", userID, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "get user by ID")
+	}
+
+	completeSignIn(sess, mc, u)
+	return http.StatusOK, &userMFAResponse{}, nil
+}
+
+type userInfo struct {
+	Username              string `json:"username"`
+	AvatarURL             string `json:"avatarURL"`
+	IsAdmin               bool   `json:"isAdmin"`
+	CanCreateOrganization bool   `json:"canCreateOrganization"`
+}
+
+func getUserInfo(user *database.User) (statusCode int, resp *userInfo, err error) {
+	if user == nil {
+		return http.StatusNoContent, nil, nil
+	}
+	return http.StatusOK,
+		&userInfo{
+			Username:              user.Name,
+			AvatarURL:             user.AvatarURL(),
+			IsAdmin:               user.IsAdmin,
+			CanCreateOrganization: user.CanCreateOrganization(),
+		},
+		nil
+}
+
+type getUserActivateResponse struct {
+	Email             string `json:"email,omitempty"`
+	CodeLifetimeHours int    `json:"codeLifetimeHours,omitempty"`
+}
+
+func getUserActivate(u *database.User) (statusCode int, resp any, err error) {
+	if u == nil {
+		return http.StatusUnauthorized, nil, nil
+	}
+	// An already-active and authenticated user has no business on the activation page.
+	if u.IsActive {
+		return http.StatusNotFound, nil, nil
+	}
+	return http.StatusOK, &getUserActivateResponse{
+		Email:             u.Email,
+		CodeLifetimeHours: conf.Auth.ActivateCodeLives / 60,
+	}, nil
+}
+
+type postUserActivateResponse struct {
+	RateLimited       bool `json:"rateLimited,omitempty"`
+	CodeLifetimeHours int  `json:"codeLifetimeHours,omitempty"`
+}
+
+func postUserActivate(r *http.Request, u *database.User, mc *macaron.Context, ca cache.Cache, l i18n.Locale) (statusCode int, resp any, err error) {
+	if u == nil {
+		return http.StatusUnauthorized, nil, nil
+	}
+	if u.IsActive {
+		return http.StatusNotFound, nil, nil
+	}
+	if !conf.Auth.RequireEmailConfirmation {
+		return http.StatusForbidden, &bindingErrorResponse{Error: l.Tr("auth.disable_register_mail")}, nil
+	}
+
+	ctx := r.Context()
+	if _, err := ca.Get(ctx, userx.MailResendCacheKey(u.ID)); err == nil {
+		return http.StatusOK, &postUserActivateResponse{
+			RateLimited:       true,
+			CodeLifetimeHours: conf.Auth.ActivateCodeLives / 60,
+		}, nil
+	} else if !errors.Is(err, os.ErrNotExist) {
+		log.Error("postUserActivate: get mail resend cache for user %q: %v", u.Name, err)
+	}
+
+	if err := email.SendActivateAccountMail(mc, database.NewMailerUser(u)); err != nil {
+		log.Error("postUserActivate: send activation mail to user %q: %v", u.Name, err)
+	}
+	if err := ca.Set(ctx, userx.MailResendCacheKey(u.ID), 1, 180*time.Second); err != nil {
+		log.Error("postUserActivate: put mail resend cache for user %q: %v", u.Name, err)
+	}
+	return http.StatusOK, &postUserActivateResponse{CodeLifetimeHours: conf.Auth.ActivateCodeLives / 60}, nil
+}
+
+type userActivateCompleteRequest struct {
+	Code string `json:"code" validate:"required"`
+}
+
+func postUserActivateComplete(r *http.Request, sess session.Session, mc *macaron.Context, l i18n.Locale, req userActivateCompleteRequest) (statusCode int, resp any, err error) {
+	target := verifyUserActiveCode(r.Context(), req.Code)
+	if target == nil {
+		return http.StatusBadRequest, &bindingErrorResponse{Error: l.Tr("auth.invalid_code")}, nil
+	}
+
+	v := true
+	if err := database.Handle.Users().Update(
+		r.Context(),
+		target.ID,
+		database.UpdateUserOptions{
+			GenerateNewRands: true,
+			IsActivated:      &v,
+		},
+	); err != nil {
+		log.Error("postUserActivateComplete: update user %q: %v", target.Name, err)
+		return http.StatusInternalServerError, nil, errors.Wrap(err, "update user")
+	}
+
+	log.Trace("User activated: %s", target.Name)
+	completeSignIn(sess, mc, target)
+	return http.StatusNoContent, nil, nil
+}
+
+type postUserSignOutResponse struct {
+	RedirectTo string `json:"redirectTo,omitempty"`
+}
+
+func postUserSignOut(sess macaronsession.Store, mc *macaron.Context) (statusCode int, resp *postUserSignOutResponse, err error) {
+	_ = sess.Flush()
+	_ = sess.Destory(mc)
+	mc.SetCookie(conf.Session.CSRFCookieName, "", -1, conf.Server.Subpath)
+	if conf.Auth.CustomLogoutURL != "" {
+		return http.StatusOK, &postUserSignOutResponse{RedirectTo: conf.Auth.CustomLogoutURL}, nil
+	}
+	return http.StatusNoContent, nil, nil
+}
@@ -0,0 +1,62 @@
+//go:build !prod
+
+package web
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strconv"
+	"strings"
+
+	"github.com/cockroachdb/errors"
+	"github.com/flamego/flamego"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/internal/context"
+)
+
+func mountWebAppRoutes(f *flamego.Flame) error {
+	viteURL, err := url.Parse("http://localhost:5173")
+	if err != nil {
+		return errors.Wrap(err, "parse Vite URL")
+	}
+	proxy := httputil.NewSingleHostReverseProxy(viteURL)
+	proxy.ModifyResponse = func(resp *http.Response) error {
+		if !strings.HasPrefix(resp.Header.Get("Content-Type"), "text/html") {
+			return nil
+		}
+		raw, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return errors.Wrap(err, "read Vite response body")
+		}
+		_ = resp.Body.Close()
+		wc := context.WebContextFrom(resp.Request)
+		body, err := renderIndex(raw, wc)
+		if err != nil {
+			log.Error("Failed to render index: %v", err)
+			body = []byte("Internal Server Error\n")
+			resp.StatusCode = http.StatusInternalServerError
+			resp.Status = http.StatusText(http.StatusInternalServerError)
+			resp.Header.Set("Content-Type", "text/plain; charset=utf-8")
+		} else if wc.StatusCode > 0 {
+			resp.StatusCode = wc.StatusCode
+			resp.Status = http.StatusText(wc.StatusCode)
+		}
+		resp.Body = io.NopCloser(bytes.NewReader(body))
+		resp.ContentLength = int64(len(body))
+		resp.Header.Set("Content-Length", strconv.Itoa(len(body)))
+		// The upstream validators describe the unmodified body. Drop them
+		// so the browser does not satisfy a conditional request from a
+		// cached copy that has a stale injected lang attribute.
+		resp.Header.Del("ETag")
+		resp.Header.Del("Last-Modified")
+		return nil
+	}
+	f.Any("/{**}", func(w http.ResponseWriter, r *http.Request) {
+		proxy.ServeHTTP(w, r)
+	})
+	return nil
+}
@@ -0,0 +1,68 @@
+//go:build prod
+
+package web
+
+import (
+	"io/fs"
+	"net/http"
+
+	"github.com/cockroachdb/errors"
+	"github.com/flamego/flamego"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/context"
+	"gogs.io/gogs/public"
+)
+
+func mountWebAppRoutes(f *flamego.Flame) error {
+	webFS, err := fs.Sub(public.WebAssets, "dist")
+	if err != nil {
+		return errors.Wrap(err, "load embedded web assets")
+	}
+	// Prefix matches the path rewrites renderIndex applies to the index
+	// shell. Without it the browser fetches /<subpath>/assets/... and the
+	// static handler looks them up in webFS at "<subpath>/assets/...",
+	// which has no <subpath> directory, so every asset would 404 and fall
+	// through to the wildcard handler as text/html.
+	//
+	// Index is set to a sentinel that does not exist in the FS so flamego.Static
+	// never serves the raw index.html for "/" requests. The catch-all below
+	// always renders the shell through renderIndex instead, ensuring template
+	// substitutions are applied.
+	f.Use(flamego.Static(flamego.StaticOptions{
+		FileSystem: http.FS(webFS),
+		Prefix:     conf.Server.Subpath,
+		Index:      "__disabled__",
+	}))
+
+	index, err := public.WebAssets.ReadFile("dist/index.html")
+	if err != nil {
+		return errors.Wrap(err, `read "dist/index.html"`)
+	}
+
+	f.Get("/{**}", func(w http.ResponseWriter, r *http.Request) {
+		wc := context.WebContextFrom(r)
+		body, err := renderIndex(index, wc)
+		if err != nil {
+			log.Error("Failed to render index: %v", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		// The body is rewritten per request (lang injection, future
+		// runtime config), so caching it would serve stale content to
+		// any user whose request resolves to a different locale. Use
+		// no-store rather than no-cache so the browser cannot keep a
+		// copy at all, not even for revalidation. Static assets keep
+		// their normal caching via flamego.Static.
+		w.Header().Set("Cache-Control", "no-store")
+		status := wc.StatusCode
+		if status <= 0 {
+			status = http.StatusOK
+		}
+		w.WriteHeader(status)
+		_, _ = w.Write(body)
+	})
+	return nil
+}
@@ -0,0 +1,55 @@
+// Gogs is a painless self-hosted Git Service.
+package main
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+
+	"github.com/urfave/cli/v3"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/cmd/gogs/internal/web"
+	"gogs.io/gogs/internal/conf"
+)
+
+func init() {
+	conf.App.Version = "0.15.0+dev"
+}
+
+var webCommand = cli.Command{
+	Name:        "web",
+	Usage:       "Start the web server",
+	Description: "Serves the web interface, API, and HTTP Git endpoints.",
+	Action: func(_ context.Context, cmd *cli.Command) error {
+		var portOverride int
+		if cmd.IsSet("port") {
+			portOverride = cmd.Int("port")
+		}
+		return web.Run(configFromLineage(cmd), portOverride)
+	},
+	Flags: []cli.Flag{
+		intFlag("port, p", 3000, "Alternative listening port to use"),
+		stringFlag("config, c", filepath.Join(conf.CustomDir(), "conf", "app.ini"), "Custom configuration file path"),
+	},
+}
+
+func main() {
+	cmd := &cli.Command{
+		Name:    "Gogs",
+		Usage:   "The painless way to host your own Git service",
+		Version: conf.App.Version,
+		Commands: []*cli.Command{
+			&webCommand,
+			&servCommand,
+			&hookCommand,
+			&adminCommand,
+			&importCommand,
+			&backupCommand,
+			&restoreCommand,
+		},
+	}
+	if err := cmd.Run(context.Background(), os.Args); err != nil {
+		log.Fatal("Failed to start application: %v", err)
+	}
+}
@@ -0,0 +1,161 @@
+package main
+
+import (
+	"context"
+	"os"
+	"path"
+	"path/filepath"
+
+	"github.com/cockroachdb/errors"
+	"github.com/unknwon/cae/zip"
+	"github.com/urfave/cli/v3"
+	"gopkg.in/ini.v1"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/database"
+	"gogs.io/gogs/internal/osx"
+	"gogs.io/gogs/internal/semverx"
+)
+
+var restoreCommand = cli.Command{
+	Name:  "restore",
+	Usage: "Restore files and database from backup",
+	Description: `Restore imports all related files and database from a backup archive.
+The backup version must lower or equal to current Gogs version. You can also import
+backup from other database engines, which is useful for database migrating.
+
+If corresponding files or database tables are not presented in the archive, they will
+be skipped and remain unchanged.`,
+	Action: runRestore,
+	Flags: []cli.Flag{
+		stringFlag("config, c", "", "Custom configuration file path"),
+		boolFlag("verbose, v", "Show process details"),
+		stringFlag("tempdir, t", os.TempDir(), "Temporary directory path"),
+		stringFlag("from", "", "Path to backup archive"),
+		boolFlag("database-only", "Only import database"),
+		boolFlag("exclude-repos", "Exclude repositories"),
+	},
+}
+
+// lastSupportedVersionOfFormat returns the last supported version of the backup archive
+// format that is able to import.
+var lastSupportedVersionOfFormat = map[int]string{}
+
+func runRestore(ctx context.Context, cmd *cli.Command) error {
+	zip.Verbose = cmd.Bool("verbose")
+
+	tmpDir := cmd.String("tempdir")
+	if !osx.IsDir(tmpDir) {
+		log.Fatal("'--tempdir' does not exist: %s", tmpDir)
+	}
+	archivePath := path.Join(tmpDir, archiveRootDir)
+
+	// Make sure there was no leftover and also clean up afterwards
+	err := os.RemoveAll(archivePath)
+	if err != nil {
+		log.Fatal("Failed to clean up previous leftover in %q: %v", archivePath, err)
+	}
+	defer func() { _ = os.RemoveAll(archivePath) }()
+
+	log.Info("Restoring backup from: %s", cmd.String("from"))
+	err = zip.ExtractTo(cmd.String("from"), tmpDir)
+	if err != nil {
+		log.Fatal("Failed to extract backup archive: %v", err)
+	}
+
+	// Check backup version
+	metaFile := filepath.Join(archivePath, "metadata.ini")
+	if !osx.IsFile(metaFile) {
+		log.Fatal("File 'metadata.ini' is missing")
+	}
+	metadata, err := ini.Load(metaFile)
+	if err != nil {
+		log.Fatal("Failed to load metadata '%s': %v", metaFile, err)
+	}
+	backupVersion := metadata.Section("").Key("GOGS_VERSION").MustString("999.0")
+	if semverx.Compare(conf.App.Version, "<", backupVersion) {
+		log.Fatal("Current Gogs version is lower than backup version: %s < %s", conf.App.Version, backupVersion)
+	}
+	formatVersion := metadata.Section("").Key("VERSION").MustInt()
+	if formatVersion == 0 {
+		log.Fatal("Failed to determine the backup format version from metadata '%s': %s", metaFile, "VERSION is not presented")
+	}
+	if formatVersion != currentBackupFormatVersion {
+		log.Fatal("Backup format version found is %d but this binary only supports %d\nThe last known version that is able to import your backup is %s",
+			formatVersion, currentBackupFormatVersion, lastSupportedVersionOfFormat[formatVersion])
+	}
+
+	// If config file is not present in backup, user must set this file via flag.
+	// Otherwise, it's optional to set config file flag.
+	configFile := filepath.Join(archivePath, "custom", "conf", "app.ini")
+	var customConf string
+	if lineageConf := configFromLineage(cmd); lineageConf != "" {
+		customConf = lineageConf
+	} else if !osx.IsFile(configFile) {
+		log.Fatal("'--config' is not specified and custom config file is not found in backup")
+	} else {
+		customConf = configFile
+	}
+
+	err = conf.Init(customConf)
+	if err != nil {
+		return errors.Wrap(err, "init configuration")
+	}
+	conf.InitLogging(true)
+
+	conn, err := database.SetEngine()
+	if err != nil {
+		return errors.Wrap(err, "set engine")
+	}
+
+	// Database
+	dbDir := path.Join(archivePath, "db")
+	if err = database.ImportDatabase(ctx, conn, dbDir, cmd.Bool("verbose")); err != nil {
+		log.Fatal("Failed to import database: %v", err)
+	}
+
+	if !cmd.Bool("database-only") {
+		// Custom files
+		if osx.IsDir(conf.CustomDir()) {
+			if err = os.Rename(conf.CustomDir(), conf.CustomDir()+".bak"); err != nil {
+				log.Fatal("Failed to backup current 'custom': %v", err)
+			}
+		}
+		if err = os.Rename(filepath.Join(archivePath, "custom"), conf.CustomDir()); err != nil {
+			log.Fatal("Failed to import 'custom': %v", err)
+		}
+
+		// Data files
+		_ = os.MkdirAll(conf.Server.AppDataPath, os.ModePerm)
+		for _, dir := range []string{"attachments", "avatars", "repo-avatars"} {
+			// Skip if backup archive does not have corresponding data
+			srcPath := filepath.Join(archivePath, "data", dir)
+			if !osx.IsDir(srcPath) {
+				continue
+			}
+
+			dirPath := filepath.Join(conf.Server.AppDataPath, dir)
+			if osx.IsDir(dirPath) {
+				if err = os.Rename(dirPath, dirPath+".bak"); err != nil {
+					log.Fatal("Failed to backup current 'data': %v", err)
+				}
+			}
+			if err = os.Rename(srcPath, dirPath); err != nil {
+				log.Fatal("Failed to import 'data': %v", err)
+			}
+		}
+	}
+
+	// Repositories
+	reposPath := filepath.Join(archivePath, "repositories.zip")
+	if !cmd.Bool("exclude-repos") && !cmd.Bool("database-only") && osx.IsFile(reposPath) {
+		if err := zip.ExtractTo(reposPath, filepath.Dir(conf.Repository.Root)); err != nil {
+			log.Fatal("Failed to extract 'repositories.zip': %v", err)
+		}
+	}
+
+	log.Info("Restore succeed!")
+	log.Stop()
+	return nil
+}
@@ -0,0 +1,274 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/urfave/cli/v3"
+	log "unknwon.dev/clog/v2"
+
+	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/database"
+)
+
+const (
+	accessDeniedMessage = "Repository does not exist or you do not have access"
+)
+
+var servCommand = cli.Command{
+	Name:        "serv",
+	Usage:       "This command should only be called by SSH shell",
+	Description: `Serv provide access auth for repositories`,
+	Action:      runServ,
+	Flags: []cli.Flag{
+		stringFlag("config, c", "", "Custom configuration file path"),
+	},
+}
+
+// fail prints user message to the Git client (i.e. os.Stderr) and
+// logs error message on the server side. When not in "prod" mode,
+// error message is also printed to the client for easier debugging.
+func fail(userMessage, errMessage string, args ...any) {
+	_, _ = fmt.Fprintln(os.Stderr, "Gogs:", userMessage)
+
+	if len(errMessage) > 0 {
+		if !conf.IsProdMode() {
+			fmt.Fprintf(os.Stderr, errMessage+"\n", args...)
+		}
+		log.Error(errMessage, args...)
+	}
+
+	log.Stop()
+	os.Exit(1)
+}
+
+func setup(cmd *cli.Command, logFile string, connectDB bool) {
+	conf.HookMode = true
+
+	customConf := configFromLineage(cmd)
+
+	err := conf.Init(customConf)
+	if err != nil {
+		fail("Internal error", "Failed to init configuration: %v", err)
+	}
+	conf.InitLogging(true)
+
+	level := log.LevelTrace
+	if conf.IsProdMode() {
+		level = log.LevelError
+	}
+
+	err = log.NewFile(log.FileConfig{
+		Level:    level,
+		Filename: filepath.Join(conf.Log.RootPath, "hooks", logFile),
+		FileRotationConfig: log.FileRotationConfig{
+			Rotate:  true,
+			Daily:   true,
+			MaxDays: 3,
+		},
+	})
+	if err != nil {
+		fail("Internal error", "Failed to init file logger: %v", err)
+	}
+	log.Remove(log.DefaultConsoleName) // Remove the primary logger
+
+	if !connectDB {
+		return
+	}
+
+	if conf.UseSQLite3 {
+		_ = os.Chdir(conf.WorkDir())
+	}
+
+	if _, err := database.SetEngine(); err != nil {
+		fail("Internal error", "Failed to set database engine: %v", err)
+	}
+}
+
+func parseSSHCmd(cmd string) (string, string) {
+	ss := strings.SplitN(cmd, " ", 2)
+	if len(ss) != 2 {
+		return "", ""
+	}
+	return ss[0], strings.Replace(ss[1], "'/", "'", 1)
+}
+
+func checkDeployKey(key *database.PublicKey, repo *database.Repository) {
+	// Check if this deploy key belongs to current repository.
+	if !database.HasDeployKey(key.ID, repo.ID) {
+		fail("Key access denied", "Deploy key access denied: [key_id: %d, repo_id: %d]", key.ID, repo.ID)
+	}
+
+	// Update deploy key activity.
+	deployKey, err := database.GetDeployKeyByRepo(key.ID, repo.ID)
+	if err != nil {
+		fail("Internal error", "GetDeployKey: %v", err)
+	}
+
+	deployKey.Updated = time.Now()
+	if err = database.UpdateDeployKey(deployKey); err != nil {
+		fail("Internal error", "UpdateDeployKey: %v", err)
+	}
+}
+
+var allowedCommands = map[string]database.AccessMode{
+	"git-upload-pack":    database.AccessModeRead,
+	"git-upload-archive": database.AccessModeRead,
+	"git-receive-pack":   database.AccessModeWrite,
+}
+
+func runServ(ctx context.Context, cmd *cli.Command) error {
+	setup(cmd, "serv.log", true)
+
+	if conf.SSH.Disabled {
+		println("Gogs: SSH has been disabled")
+		return nil
+	}
+
+	if cmd.Args().Len() < 1 {
+		fail("Not enough arguments", "Not enough arguments")
+	}
+
+	sshCmd := os.Getenv("SSH_ORIGINAL_COMMAND")
+	if sshCmd == "" {
+		println("Hi there, You've successfully authenticated, but Gogs does not provide shell access.")
+		println("If this is unexpected, please log in with password and setup Gogs under another user.")
+		return nil
+	}
+
+	verb, args := parseSSHCmd(sshCmd)
+	repoFullName := strings.ToLower(strings.Trim(args, "'"))
+	repoFields := strings.SplitN(repoFullName, "/", 2)
+	if len(repoFields) != 2 {
+		fail("Invalid repository path", "Invalid repository path: %v", args)
+	}
+	ownerName := strings.ToLower(repoFields[0])
+	repoName := strings.TrimSuffix(strings.ToLower(repoFields[1]), ".git")
+	repoName = strings.TrimSuffix(repoName, ".wiki")
+
+	owner, err := database.Handle.Users().GetByUsername(ctx, ownerName)
+	if err != nil {
+		if database.IsErrUserNotExist(err) {
+			fail("Repository owner does not exist", "Unregistered owner: %s", ownerName)
+		}
+		fail("Internal error", "Failed to get repository owner '%s': %v", ownerName, err)
+	}
+
+	repo, err := database.GetRepositoryByName(owner.ID, repoName)
+	if err != nil {
+		if database.IsErrRepoNotExist(err) {
+			fail(accessDeniedMessage, "Repository does not exist: %s/%s", owner.Name, repoName)
+		}
+		fail("Internal error", "Failed to get repository: %v", err)
+	}
+	repo.Owner = owner
+
+	requestMode, ok := allowedCommands[verb]
+	if !ok {
+		fail("Unknown git command", "Unknown git command '%s'", verb)
+	}
+
+	// Prohibit push to mirror repositories.
+	if requestMode > database.AccessModeRead && repo.IsMirror {
+		fail("Mirror repository is read-only", "")
+	}
+
+	// Allow anonymous (user is nil) clone for public repositories.
+	var user *database.User
+
+	keyID, _ := strconv.ParseInt(strings.TrimPrefix(cmd.Args().Get(0), "key-"), 10, 64)
+	key, err := database.GetPublicKeyByID(keyID)
+	if err != nil {
+		fail("Invalid key ID", "Invalid key ID '%s': %v", cmd.Args().Get(0), err)
+	}
+
+	if requestMode == database.AccessModeWrite || repo.IsPrivate {
+		// Check deploy key or user key.
+		if key.IsDeployKey() {
+			if key.Mode < requestMode {
+				fail("Key permission denied", "Cannot push with deployment key: %d", key.ID)
+			}
+			checkDeployKey(key, repo)
+		} else {
+			user, err = database.Handle.Users().GetByKeyID(ctx, key.ID)
+			if err != nil {
+				fail("Internal error", "Failed to get user by key ID '%d': %v", key.ID, err)
+			}
+
+			mode := database.Handle.Permissions().AccessMode(ctx, user.ID, repo.ID,
+				database.AccessModeOptions{
+					OwnerID: repo.OwnerID,
+					Private: repo.IsPrivate,
+				},
+			)
+			if mode < requestMode {
+				clientMessage := accessDeniedMessage
+				if mode >= database.AccessModeRead {
+					clientMessage = "You do not have sufficient authorization for this action"
+				}
+				fail(clientMessage,
+					"User '%s' does not have level '%v' access to repository '%s'",
+					user.Name, requestMode, repoFullName)
+			}
+		}
+	} else {
+		// Check if the key can access to the repository in case of it is a deploy key (a deploy keys != user key).
+		// A deploy key doesn't represent a signed in user, so in a site with Auth.RequireSignInView enabled,
+		// we should give read access only in repositories where this deploy key is in use. In other cases,
+		// a server or system using an active deploy key can get read access to all repositories on a Gogs instance.
+		if key.IsDeployKey() && conf.Auth.RequireSigninView {
+			checkDeployKey(key, repo)
+		}
+	}
+
+	// Update user key activity.
+	if key.ID > 0 {
+		key, err := database.GetPublicKeyByID(key.ID)
+		if err != nil {
+			fail("Internal error", "GetPublicKeyByID: %v", err)
+		}
+
+		key.Updated = time.Now()
+		if err = database.UpdatePublicKey(key); err != nil {
+			fail("Internal error", "UpdatePublicKey: %v", err)
+		}
+	}
+
+	// Special handle for Windows.
+	if conf.IsWindowsRuntime() {
+		verb = strings.Replace(verb, "-", " ", 1)
+	}
+
+	var gitCmd *exec.Cmd
+	verbs := strings.Split(verb, " ")
+	if len(verbs) == 2 {
+		gitCmd = exec.Command(verbs[0], verbs[1], repoFullName)
+	} else {
+		gitCmd = exec.Command(verb, repoFullName)
+	}
+	if requestMode == database.AccessModeWrite {
+		gitCmd.Env = append(os.Environ(), database.ComposeHookEnvs(database.ComposeHookEnvsOptions{
+			AuthUser:  user,
+			OwnerName: owner.Name,
+			OwnerSalt: owner.Salt,
+			RepoID:    repo.ID,
+			RepoName:  repo.Name,
+			RepoPath:  repo.RepoPath(),
+		})...)
+	}
+	gitCmd.Dir = conf.Repository.Root
+	gitCmd.Stdout = os.Stdout
+	gitCmd.Stdin = os.Stdin
+	gitCmd.Stderr = os.Stderr
+	if err = gitCmd.Run(); err != nil {
+		fail("Internal error", "Failed to execute git command: %v", err)
+	}
+
+	return nil
+}
@@ -1,285 +0,0 @@
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package cmd
-
-import (
-	"crypto/tls"
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"github.com/Unknwon/com"
-	"github.com/codegangsta/cli"
-
-	"github.com/gogits/gogs/models"
-	"github.com/gogits/gogs/modules/base"
-	"github.com/gogits/gogs/modules/httplib"
-	"github.com/gogits/gogs/modules/log"
-	"github.com/gogits/gogs/modules/setting"
-	"github.com/gogits/gogs/modules/uuid"
-)
-
-const (
-	_ACCESS_DENIED_MESSAGE = "Repository does not exist or you do not have access"
-)
-
-var CmdServ = cli.Command{
-	Name:        "serv",
-	Usage:       "This command should only be called by SSH shell",
-	Description: `Serv provide access auth for repositories`,
-	Action:      runServ,
-	Flags: []cli.Flag{
-		stringFlag("config, c", "custom/conf/app.ini", "Custom configuration file path"),
-	},
-}
-
-func setup(logPath string) {
-	setting.NewContext()
-	log.NewGitLogger(filepath.Join(setting.LogRootPath, logPath))
-
-	if setting.DisableSSH {
-		println("Gogs: SSH has been disabled")
-		os.Exit(1)
-	}
-
-	models.LoadConfigs()
-
-	if setting.UseSQLite3 || setting.UseTiDB {
-		workDir, _ := setting.WorkDir()
-		os.Chdir(workDir)
-	}
-
-	models.SetEngine()
-}
-
-func parseCmd(cmd string) (string, string) {
-	ss := strings.SplitN(cmd, " ", 2)
-	if len(ss) != 2 {
-		return "", ""
-	}
-	return ss[0], strings.Replace(ss[1], "'/", "'", 1)
-}
-
-var (
-	allowedCommands = map[string]models.AccessMode{
-		"git-upload-pack":    models.ACCESS_MODE_READ,
-		"git-upload-archive": models.ACCESS_MODE_READ,
-		"git-receive-pack":   models.ACCESS_MODE_WRITE,
-	}
-)
-
-func fail(userMessage, logMessage string, args ...interface{}) {
-	fmt.Fprintln(os.Stderr, "Gogs:", userMessage)
-
-	if len(logMessage) > 0 {
-		if !setting.ProdMode {
-			fmt.Fprintf(os.Stderr, logMessage+"\n", args...)
-		}
-		log.GitLogger.Fatal(3, logMessage, args...)
-		return
-	}
-
-	log.GitLogger.Close()
-	os.Exit(1)
-}
-
-func handleUpdateTask(uuid string, user, repoUser *models.User, reponame string, isWiki bool) {
-	task, err := models.GetUpdateTaskByUUID(uuid)
-	if err != nil {
-		if models.IsErrUpdateTaskNotExist(err) {
-			log.GitLogger.Trace("No update task is presented: %s", uuid)
-			return
-		}
-		log.GitLogger.Fatal(2, "GetUpdateTaskByUUID: %v", err)
-	} else if err = models.DeleteUpdateTaskByUUID(uuid); err != nil {
-		log.GitLogger.Fatal(2, "DeleteUpdateTaskByUUID: %v", err)
-	}
-
-	if isWiki {
-		return
-	}
-
-	if err = models.Update(task.RefName, task.OldCommitID, task.NewCommitID,
-		user.Name, repoUser.Name, reponame, user.Id); err != nil {
-		log.GitLogger.Error(2, "Update: %v", err)
-	}
-
-	// Ask for running deliver hook and test pull request tasks.
-	reqURL := setting.LocalURL + repoUser.Name + "/" + reponame + "/tasks/trigger?branch=" +
-		strings.TrimPrefix(task.RefName, "refs/heads/") + "&secret=" + base.EncodeMD5(repoUser.Salt)
-	log.GitLogger.Trace("Trigger task: %s", reqURL)
-
-	resp, err := httplib.Head(reqURL).SetTLSClientConfig(&tls.Config{
-		InsecureSkipVerify: true,
-	}).Response()
-	if err == nil {
-		resp.Body.Close()
-		if resp.StatusCode/100 != 2 {
-			log.GitLogger.Error(2, "Fail to trigger task: not 2xx response code")
-		}
-	} else {
-		log.GitLogger.Error(2, "Fail to trigger task: %v", err)
-	}
-}
-
-func runServ(c *cli.Context) {
-	if c.IsSet("config") {
-		setting.CustomConf = c.String("config")
-	}
-	setup("serv.log")
-
-	if len(c.Args()) < 1 {
-		fail("Not enough arguments", "Not enough arguments")
-	}
-
-	cmd := os.Getenv("SSH_ORIGINAL_COMMAND")
-	if len(cmd) == 0 {
-		println("Hi there, You've successfully authenticated, but Gogs does not provide shell access.")
-		println("If this is unexpected, please log in with password and setup Gogs under another user.")
-		return
-	}
-
-	verb, args := parseCmd(cmd)
-	repoPath := strings.ToLower(strings.Trim(args, "'"))
-	rr := strings.SplitN(repoPath, "/", 2)
-	if len(rr) != 2 {
-		fail("Invalid repository path", "Invalid repository path: %v", args)
-	}
-	username := strings.ToLower(rr[0])
-	reponame := strings.ToLower(strings.TrimSuffix(rr[1], ".git"))
-
-	isWiki := false
-	if strings.HasSuffix(reponame, ".wiki") {
-		isWiki = true
-		reponame = reponame[:len(reponame)-5]
-	}
-
-	repoUser, err := models.GetUserByName(username)
-	if err != nil {
-		if models.IsErrUserNotExist(err) {
-			fail("Repository owner does not exist", "Unregistered owner: %s", username)
-		}
-		fail("Internal error", "Failed to get repository owner (%s): %v", username, err)
-	}
-
-	repo, err := models.GetRepositoryByName(repoUser.Id, reponame)
-	if err != nil {
-		if models.IsErrRepoNotExist(err) {
-			fail(_ACCESS_DENIED_MESSAGE, "Repository does not exist: %s/%s", repoUser.Name, reponame)
-		}
-		fail("Internal error", "Failed to get repository: %v", err)
-	}
-
-	requestedMode, has := allowedCommands[verb]
-	if !has {
-		fail("Unknown git command", "Unknown git command %s", verb)
-	}
-
-	// Prohibit push to mirror repositories.
-	if requestedMode > models.ACCESS_MODE_READ && repo.IsMirror {
-		fail("mirror repository is read-only", "")
-	}
-
-	// Allow anonymous clone for public repositories.
-	var (
-		keyID int64
-		user  *models.User
-	)
-	if requestedMode == models.ACCESS_MODE_WRITE || repo.IsPrivate {
-		keys := strings.Split(c.Args()[0], "-")
-		if len(keys) != 2 {
-			fail("Key ID format error", "Invalid key argument: %s", c.Args()[0])
-		}
-
-		key, err := models.GetPublicKeyByID(com.StrTo(keys[1]).MustInt64())
-		if err != nil {
-			fail("Invalid key ID", "Invalid key ID[%s]: %v", c.Args()[0], err)
-		}
-		keyID = key.ID
-
-		// Check deploy key or user key.
-		if key.Type == models.KEY_TYPE_DEPLOY {
-			if key.Mode < requestedMode {
-				fail("Key permission denied", "Cannot push with deployment key: %d", key.ID)
-			}
-			// Check if this deploy key belongs to current repository.
-			if !models.HasDeployKey(key.ID, repo.ID) {
-				fail("Key access denied", "Key access denied: %d-%d", key.ID, repo.ID)
-			}
-
-			// Update deploy key activity.
-			deployKey, err := models.GetDeployKeyByRepo(key.ID, repo.ID)
-			if err != nil {
-				fail("Internal error", "GetDeployKey: %v", err)
-			}
-
-			deployKey.Updated = time.Now()
-			if err = models.UpdateDeployKey(deployKey); err != nil {
-				fail("Internal error", "UpdateDeployKey: %v", err)
-			}
-		} else {
-			user, err = models.GetUserByKeyID(key.ID)
-			if err != nil {
-				fail("internal error", "Failed to get user by key ID(%d): %v", keyID, err)
-			}
-
-			mode, err := models.AccessLevel(user, repo)
-			if err != nil {
-				fail("Internal error", "Fail to check access: %v", err)
-			} else if mode < requestedMode {
-				clientMessage := _ACCESS_DENIED_MESSAGE
-				if mode >= models.ACCESS_MODE_READ {
-					clientMessage = "You do not have sufficient authorization for this action"
-				}
-				fail(clientMessage,
-					"User %s does not have level %v access to repository %s",
-					user.Name, requestedMode, repoPath)
-			}
-		}
-	}
-
-	uuid := uuid.NewV4().String()
-	os.Setenv("uuid", uuid)
-
-	// Special handle for Windows.
-	if setting.IsWindows {
-		verb = strings.Replace(verb, "-", " ", 1)
-	}
-
-	var gitcmd *exec.Cmd
-	verbs := strings.Split(verb, " ")
-	if len(verbs) == 2 {
-		gitcmd = exec.Command(verbs[0], verbs[1], repoPath)
-	} else {
-		gitcmd = exec.Command(verb, repoPath)
-	}
-	gitcmd.Dir = setting.RepoRootPath
-	gitcmd.Stdout = os.Stdout
-	gitcmd.Stdin = os.Stdin
-	gitcmd.Stderr = os.Stderr
-	if err = gitcmd.Run(); err != nil {
-		fail("Internal error", "Failed to execute git command: %v", err)
-	}
-
-	if requestedMode == models.ACCESS_MODE_WRITE {
-		handleUpdateTask(uuid, user, repoUser, reponame, isWiki)
-	}
-
-	// Update user key activity.
-	if keyID > 0 {
-		key, err := models.GetPublicKeyByID(keyID)
-		if err != nil {
-			fail("Internal error", "GetPublicKeyById: %v", err)
-		}
-
-		key.Updated = time.Now()
-		if err = models.UpdatePublicKey(key); err != nil {
-			fail("Internal error", "UpdatePublicKey: %v", err)
-		}
-	}
-}
@@ -1,55 +0,0 @@
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package cmd
-
-import (
-	"os"
-
-	"github.com/codegangsta/cli"
-
-	"github.com/gogits/gogs/models"
-	"github.com/gogits/gogs/modules/log"
-	"github.com/gogits/gogs/modules/setting"
-)
-
-var CmdUpdate = cli.Command{
-	Name:        "update",
-	Usage:       "This command should only be called by SSH shell",
-	Description: `Update get pushed info and insert into database`,
-	Action:      runUpdate,
-	Flags: []cli.Flag{
-		stringFlag("config, c", "custom/conf/app.ini", "Custom configuration file path"),
-	},
-}
-
-func runUpdate(c *cli.Context) {
-	if c.IsSet("config") {
-		setting.CustomConf = c.String("config")
-	}
-	cmd := os.Getenv("SSH_ORIGINAL_COMMAND")
-	if cmd == "" {
-		return
-	}
-
-	setup("update.log")
-
-	args := c.Args()
-	if len(args) != 3 {
-		log.GitLogger.Fatal(2, "received less 3 parameters")
-	} else if args[0] == "" {
-		log.GitLogger.Fatal(2, "refName is empty, shouldn't use")
-	}
-
-	task := models.UpdateTask{
-		UUID:        os.Getenv("uuid"),
-		RefName:     args[0],
-		OldCommitID: args[1],
-		NewCommitID: args[2],
-	}
-
-	if err := models.AddUpdateTask(&task); err != nil {
-		log.GitLogger.Fatal(2, "AddUpdateTask: %v", err)
-	}
-}
@@ -1,562 +0,0 @@
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package cmd
-
-import (
-	"crypto/tls"
-	"fmt"
-	gotmpl "html/template"
-	"io/ioutil"
-	"net/http"
-	"net/http/fcgi"
-	"os"
-	"path"
-	"strings"
-
-	"github.com/codegangsta/cli"
-	"github.com/go-macaron/binding"
-	"github.com/go-macaron/cache"
-	"github.com/go-macaron/captcha"
-	"github.com/go-macaron/csrf"
-	"github.com/go-macaron/gzip"
-	"github.com/go-macaron/i18n"
-	"github.com/go-macaron/session"
-	"github.com/go-macaron/toolbox"
-	"github.com/go-xorm/xorm"
-	"github.com/mcuadros/go-version"
-	"gopkg.in/ini.v1"
-	"gopkg.in/macaron.v1"
-
-	"github.com/gogits/git-module"
-
-	"github.com/gogits/gogs/models"
-	"github.com/gogits/gogs/modules/auth"
-	"github.com/gogits/gogs/modules/avatar"
-	"github.com/gogits/gogs/modules/bindata"
-	"github.com/gogits/gogs/modules/log"
-	"github.com/gogits/gogs/modules/middleware"
-	"github.com/gogits/gogs/modules/setting"
-	"github.com/gogits/gogs/modules/template"
-	"github.com/gogits/gogs/routers"
-	"github.com/gogits/gogs/routers/admin"
-	apiv1 "github.com/gogits/gogs/routers/api/v1"
-	"github.com/gogits/gogs/routers/dev"
-	"github.com/gogits/gogs/routers/org"
-	"github.com/gogits/gogs/routers/repo"
-	"github.com/gogits/gogs/routers/user"
-)
-
-var CmdWeb = cli.Command{
-	Name:  "web",
-	Usage: "Start Gogs web server",
-	Description: `Gogs web server is the only thing you need to run,
-and it takes care of all the other things for you`,
-	Action: runWeb,
-	Flags: []cli.Flag{
-		stringFlag("port, p", "3000", "Temporary port number to prevent conflict"),
-		stringFlag("config, c", "custom/conf/app.ini", "Custom configuration file path"),
-	},
-}
-
-type VerChecker struct {
-	ImportPath string
-	Version    func() string
-	Expected   string
-}
-
-// checkVersion checks if binary matches the version of templates files.
-func checkVersion() {
-	// Templates.
-	data, err := ioutil.ReadFile(setting.StaticRootPath + "/templates/.VERSION")
-	if err != nil {
-		log.Fatal(4, "Fail to read 'templates/.VERSION': %v", err)
-	}
-	if string(data) != setting.AppVer {
-		log.Fatal(4, "Binary and template file version does not match, did you forget to recompile?")
-	}
-
-	// Check dependency version.
-	checkers := []VerChecker{
-		{"github.com/go-xorm/xorm", func() string { return xorm.Version }, "0.4.4.1029"},
-		{"github.com/go-macaron/binding", binding.Version, "0.1.0"},
-		{"github.com/go-macaron/cache", cache.Version, "0.1.2"},
-		{"github.com/go-macaron/csrf", csrf.Version, "0.0.3"},
-		{"github.com/go-macaron/i18n", i18n.Version, "0.2.0"},
-		{"github.com/go-macaron/session", session.Version, "0.1.6"},
-		{"github.com/go-macaron/toolbox", toolbox.Version, "0.1.0"},
-		{"gopkg.in/ini.v1", ini.Version, "1.8.4"},
-		{"gopkg.in/macaron.v1", macaron.Version, "0.8.0"},
-		{"github.com/gogits/git-shell", git.Version, "0.2.1"},
-	}
-	for _, c := range checkers {
-		if !version.Compare(c.Version(), c.Expected, ">=") {
-			log.Fatal(4, "Package '%s' version is too old (%s -> %s), did you forget to update?", c.ImportPath, c.Version(), c.Expected)
-		}
-	}
-}
-
-// newMacaron initializes Macaron instance.
-func newMacaron() *macaron.Macaron {
-	m := macaron.New()
-	if !setting.DisableRouterLog {
-		m.Use(macaron.Logger())
-	}
-	m.Use(macaron.Recovery())
-	if setting.EnableGzip {
-		m.Use(gzip.Gziper())
-	}
-	if setting.Protocol == setting.FCGI {
-		m.SetURLPrefix(setting.AppSubUrl)
-	}
-	m.Use(macaron.Static(
-		path.Join(setting.StaticRootPath, "public"),
-		macaron.StaticOptions{
-			SkipLogging: setting.DisableRouterLog,
-		},
-	))
-	m.Use(macaron.Static(
-		setting.AvatarUploadPath,
-		macaron.StaticOptions{
-			Prefix:      "avatars",
-			SkipLogging: setting.DisableRouterLog,
-		},
-	))
-	m.Use(macaron.Renderer(macaron.RenderOptions{
-		Directory:  path.Join(setting.StaticRootPath, "templates"),
-		Funcs:      []gotmpl.FuncMap{template.Funcs},
-		IndentJSON: macaron.Env != macaron.PROD,
-	}))
-
-	localeNames, err := bindata.AssetDir("conf/locale")
-	if err != nil {
-		log.Fatal(4, "Fail to list locale files: %v", err)
-	}
-	localFiles := make(map[string][]byte)
-	for _, name := range localeNames {
-		localFiles[name] = bindata.MustAsset("conf/locale/" + name)
-	}
-	m.Use(i18n.I18n(i18n.Options{
-		SubURL:          setting.AppSubUrl,
-		Files:           localFiles,
-		CustomDirectory: path.Join(setting.CustomPath, "conf/locale"),
-		Langs:           setting.Langs,
-		Names:           setting.Names,
-		DefaultLang:     "en-US",
-		Redirect:        true,
-	}))
-	m.Use(cache.Cacher(cache.Options{
-		Adapter:       setting.CacheAdapter,
-		AdapterConfig: setting.CacheConn,
-		Interval:      setting.CacheInternal,
-	}))
-	m.Use(captcha.Captchaer(captcha.Options{
-		SubURL: setting.AppSubUrl,
-	}))
-	m.Use(session.Sessioner(setting.SessionConfig))
-	m.Use(csrf.Csrfer(csrf.Options{
-		Secret:     setting.SecretKey,
-		SetCookie:  true,
-		Header:     "X-Csrf-Token",
-		CookiePath: setting.AppSubUrl,
-	}))
-	m.Use(toolbox.Toolboxer(m, toolbox.Options{
-		HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
-			&toolbox.HealthCheckFuncDesc{
-				Desc: "Database connection",
-				Func: models.Ping,
-			},
-		},
-	}))
-	m.Use(middleware.Contexter())
-	return m
-}
-
-func runWeb(ctx *cli.Context) {
-	if ctx.IsSet("config") {
-		setting.CustomConf = ctx.String("config")
-	}
-	routers.GlobalInit()
-	checkVersion()
-
-	m := newMacaron()
-
-	reqSignIn := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: true})
-	ignSignIn := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: setting.Service.RequireSignInView})
-	ignSignInAndCsrf := middleware.Toggle(&middleware.ToggleOptions{DisableCsrf: true})
-	reqSignOut := middleware.Toggle(&middleware.ToggleOptions{SignOutRequire: true})
-
-	bindIgnErr := binding.BindIgnErr
-
-	// Routers.
-	m.Get("/", ignSignIn, routers.Home)
-	m.Get("/explore", ignSignIn, routers.Explore)
-	m.Combo("/install", routers.InstallInit).Get(routers.Install).
-		Post(bindIgnErr(auth.InstallForm{}), routers.InstallPost)
-	m.Get("/^:type(issues|pulls)$", reqSignIn, user.Issues)
-
-	// ***** START: API *****
-	m.Group("/api", func() {
-		apiv1.RegisterRoutes(m)
-	}, ignSignIn)
-	// ***** END: API *****
-
-	// ***** START: User *****
-	m.Group("/user", func() {
-		m.Get("/login", user.SignIn)
-		m.Post("/login", bindIgnErr(auth.SignInForm{}), user.SignInPost)
-		m.Get("/sign_up", user.SignUp)
-		m.Post("/sign_up", bindIgnErr(auth.RegisterForm{}), user.SignUpPost)
-		m.Get("/reset_password", user.ResetPasswd)
-		m.Post("/reset_password", user.ResetPasswdPost)
-	}, reqSignOut)
-
-	m.Group("/user/settings", func() {
-		m.Get("", user.Settings)
-		m.Post("", bindIgnErr(auth.UpdateProfileForm{}), user.SettingsPost)
-		m.Post("/avatar", binding.MultipartForm(auth.UploadAvatarForm{}), user.SettingsAvatar)
-		m.Combo("/email").Get(user.SettingsEmails).
-			Post(bindIgnErr(auth.AddEmailForm{}), user.SettingsEmailPost)
-		m.Post("/email/delete", user.DeleteEmail)
-		m.Get("/password", user.SettingsPassword)
-		m.Post("/password", bindIgnErr(auth.ChangePasswordForm{}), user.SettingsPasswordPost)
-		m.Combo("/ssh").Get(user.SettingsSSHKeys).
-			Post(bindIgnErr(auth.AddSSHKeyForm{}), user.SettingsSSHKeysPost)
-		m.Post("/ssh/delete", user.DeleteSSHKey)
-		m.Combo("/applications").Get(user.SettingsApplications).
-			Post(bindIgnErr(auth.NewAccessTokenForm{}), user.SettingsApplicationsPost)
-		m.Post("/applications/delete", user.SettingsDeleteApplication)
-		m.Route("/delete", "GET,POST", user.SettingsDelete)
-	}, reqSignIn, func(ctx *middleware.Context) {
-		ctx.Data["PageIsUserSettings"] = true
-	})
-
-	m.Group("/user", func() {
-		// r.Get("/feeds", binding.Bind(auth.FeedsForm{}), user.Feeds)
-		m.Any("/activate", user.Activate)
-		m.Any("/activate_email", user.ActivateEmail)
-		m.Get("/email2user", user.Email2User)
-		m.Get("/forget_password", user.ForgotPasswd)
-		m.Post("/forget_password", user.ForgotPasswdPost)
-		m.Get("/logout", user.SignOut)
-	})
-	// ***** END: User *****
-
-	// Gravatar service.
-	avt := avatar.CacheServer("public/img/avatar/", "public/img/avatar_default.jpg")
-	os.MkdirAll("public/img/avatar/", os.ModePerm)
-	m.Get("/avatar/:hash", avt.ServeHTTP)
-
-	adminReq := middleware.Toggle(&middleware.ToggleOptions{SignInRequire: true, AdminRequire: true})
-
-	// ***** START: Admin *****
-	m.Group("/admin", func() {
-		m.Get("", adminReq, admin.Dashboard)
-		m.Get("/config", admin.Config)
-		m.Get("/monitor", admin.Monitor)
-
-		m.Group("/users", func() {
-			m.Get("", admin.Users)
-			m.Combo("/new").Get(admin.NewUser).Post(bindIgnErr(auth.AdminCrateUserForm{}), admin.NewUserPost)
-			m.Combo("/:userid").Get(admin.EditUser).Post(bindIgnErr(auth.AdminEditUserForm{}), admin.EditUserPost)
-			m.Post("/:userid/delete", admin.DeleteUser)
-		})
-
-		m.Group("/orgs", func() {
-			m.Get("", admin.Organizations)
-		})
-
-		m.Group("/repos", func() {
-			m.Get("", admin.Repos)
-			m.Post("/delete", admin.DeleteRepo)
-		})
-
-		m.Group("/auths", func() {
-			m.Get("", admin.Authentications)
-			m.Combo("/new").Get(admin.NewAuthSource).Post(bindIgnErr(auth.AuthenticationForm{}), admin.NewAuthSourcePost)
-			m.Combo("/:authid").Get(admin.EditAuthSource).
-				Post(bindIgnErr(auth.AuthenticationForm{}), admin.EditAuthSourcePost)
-			m.Post("/:authid/delete", admin.DeleteAuthSource)
-		})
-
-		m.Group("/notices", func() {
-			m.Get("", admin.Notices)
-			m.Post("/delete", admin.DeleteNotices)
-			m.Get("/empty", admin.EmptyNotices)
-		})
-	}, adminReq)
-	// ***** END: Admin *****
-
-	m.Group("", func() {
-		m.Get("/:username", user.Profile)
-		m.Get("/attachments/:uuid", func(ctx *middleware.Context) {
-			attach, err := models.GetAttachmentByUUID(ctx.Params(":uuid"))
-			if err != nil {
-				if models.IsErrAttachmentNotExist(err) {
-					ctx.Error(404)
-				} else {
-					ctx.Handle(500, "GetAttachmentByUUID", err)
-				}
-				return
-			}
-
-			fr, err := os.Open(attach.LocalPath())
-			if err != nil {
-				ctx.Handle(500, "Open", err)
-				return
-			}
-			defer fr.Close()
-
-			ctx.Header().Set("Cache-Control", "public,max-age=86400")
-			// Fix #312. Attachments with , in their name are not handled correctly by Google Chrome.
-			// We must put the name in " manually.
-			if err = repo.ServeData(ctx, "\""+attach.Name+"\"", fr); err != nil {
-				ctx.Handle(500, "ServeData", err)
-				return
-			}
-		})
-		m.Post("/issues/attachments", repo.UploadIssueAttachment)
-	}, ignSignIn)
-
-	if macaron.Env == macaron.DEV {
-		m.Get("/template/*", dev.TemplatePreview)
-	}
-
-	reqRepoAdmin := middleware.RequireRepoAdmin()
-	reqRepoPusher := middleware.RequireRepoPusher()
-
-	// ***** START: Organization *****
-	m.Group("/org", func() {
-		m.Get("/create", org.Create)
-		m.Post("/create", bindIgnErr(auth.CreateOrgForm{}), org.CreatePost)
-
-		m.Group("/:org", func() {
-			m.Get("/dashboard", user.Dashboard)
-			m.Get("/^:type(issues|pulls)$", user.Issues)
-			m.Get("/members", org.Members)
-			m.Get("/members/action/:action", org.MembersAction)
-
-			m.Get("/teams", org.Teams)
-			m.Get("/teams/:team", org.TeamMembers)
-			m.Get("/teams/:team/repositories", org.TeamRepositories)
-			m.Route("/teams/:team/action/:action", "GET,POST", org.TeamsAction)
-			m.Route("/teams/:team/action/repo/:action", "GET,POST", org.TeamsRepoAction)
-		}, middleware.OrgAssignment(true))
-
-		m.Group("/:org", func() {
-			m.Get("/teams/new", org.NewTeam)
-			m.Post("/teams/new", bindIgnErr(auth.CreateTeamForm{}), org.NewTeamPost)
-			m.Get("/teams/:team/edit", org.EditTeam)
-			m.Post("/teams/:team/edit", bindIgnErr(auth.CreateTeamForm{}), org.EditTeamPost)
-			m.Post("/teams/:team/delete", org.DeleteTeam)
-
-			m.Group("/settings", func() {
-				m.Combo("").Get(org.Settings).
-					Post(bindIgnErr(auth.UpdateOrgSettingForm{}), org.SettingsPost)
-				m.Post("/avatar", binding.MultipartForm(auth.UploadAvatarForm{}), org.SettingsAvatar)
-
-				m.Group("/hooks", func() {
-					m.Get("", org.Webhooks)
-					m.Post("/delete", org.DeleteWebhook)
-					m.Get("/:type/new", repo.WebhooksNew)
-					m.Post("/gogs/new", bindIgnErr(auth.NewWebhookForm{}), repo.WebHooksNewPost)
-					m.Post("/slack/new", bindIgnErr(auth.NewSlackHookForm{}), repo.SlackHooksNewPost)
-					m.Get("/:id", repo.WebHooksEdit)
-					m.Post("/gogs/:id", bindIgnErr(auth.NewWebhookForm{}), repo.WebHooksEditPost)
-					m.Post("/slack/:id", bindIgnErr(auth.NewSlackHookForm{}), repo.SlackHooksEditPost)
-				})
-
-				m.Route("/delete", "GET,POST", org.SettingsDelete)
-			})
-
-			m.Route("/invitations/new", "GET,POST", org.Invitation)
-		}, middleware.OrgAssignment(true, true))
-	}, reqSignIn)
-	// ***** END: Organization *****
-
-	// ***** START: Repository *****
-	m.Group("/repo", func() {
-		m.Get("/create", repo.Create)
-		m.Post("/create", bindIgnErr(auth.CreateRepoForm{}), repo.CreatePost)
-		m.Get("/migrate", repo.Migrate)
-		m.Post("/migrate", bindIgnErr(auth.MigrateRepoForm{}), repo.MigratePost)
-		m.Combo("/fork/:repoid").Get(repo.Fork).
-			Post(bindIgnErr(auth.CreateRepoForm{}), repo.ForkPost)
-	}, reqSignIn)
-
-	m.Group("/:username/:reponame", func() {
-		m.Group("/settings", func() {
-			m.Combo("").Get(repo.Settings).
-				Post(bindIgnErr(auth.RepoSettingForm{}), repo.SettingsPost)
-			m.Route("/collaboration", "GET,POST", repo.Collaboration)
-
-			m.Group("/hooks", func() {
-				m.Get("", repo.Webhooks)
-				m.Post("/delete", repo.DeleteWebhook)
-				m.Get("/:type/new", repo.WebhooksNew)
-				m.Post("/gogs/new", bindIgnErr(auth.NewWebhookForm{}), repo.WebHooksNewPost)
-				m.Post("/slack/new", bindIgnErr(auth.NewSlackHookForm{}), repo.SlackHooksNewPost)
-				m.Get("/:id", repo.WebHooksEdit)
-				m.Post("/:id/test", repo.TestWebhook)
-				m.Post("/gogs/:id", bindIgnErr(auth.NewWebhookForm{}), repo.WebHooksEditPost)
-				m.Post("/slack/:id", bindIgnErr(auth.NewSlackHookForm{}), repo.SlackHooksEditPost)
-
-				m.Group("/git", func() {
-					m.Get("", repo.GitHooks)
-					m.Combo("/:name").Get(repo.GitHooksEdit).
-						Post(repo.GitHooksEditPost)
-				}, middleware.GitHookService())
-			})
-
-			m.Group("/keys", func() {
-				m.Combo("").Get(repo.DeployKeys).
-					Post(bindIgnErr(auth.AddSSHKeyForm{}), repo.DeployKeysPost)
-				m.Post("/delete", repo.DeleteDeployKey)
-			})
-
-		}, func(ctx *middleware.Context) {
-			ctx.Data["PageIsSettings"] = true
-		})
-	}, reqSignIn, middleware.RepoAssignment(), reqRepoAdmin, middleware.RepoRef())
-
-	m.Group("/:username/:reponame", func() {
-		m.Get("/action/:action", repo.Action)
-
-		m.Group("/issues", func() {
-			m.Combo("/new", repo.MustEnableIssues).Get(middleware.RepoRef(), repo.NewIssue).
-				Post(bindIgnErr(auth.CreateIssueForm{}), repo.NewIssuePost)
-
-			m.Combo("/:index/comments").Post(bindIgnErr(auth.CreateCommentForm{}), repo.NewComment)
-			m.Group("/:index", func() {
-				m.Post("/label", repo.UpdateIssueLabel)
-				m.Post("/milestone", repo.UpdateIssueMilestone)
-				m.Post("/assignee", repo.UpdateIssueAssignee)
-			}, reqRepoAdmin)
-
-			m.Group("/:index", func() {
-				m.Post("/title", repo.UpdateIssueTitle)
-				m.Post("/content", repo.UpdateIssueContent)
-			})
-		})
-		m.Post("/comments/:id", repo.UpdateCommentContent)
-		m.Group("/labels", func() {
-			m.Post("/new", bindIgnErr(auth.CreateLabelForm{}), repo.NewLabel)
-			m.Post("/edit", bindIgnErr(auth.CreateLabelForm{}), repo.UpdateLabel)
-			m.Post("/delete", repo.DeleteLabel)
-		}, reqRepoAdmin, middleware.RepoRef())
-		m.Group("/milestones", func() {
-			m.Combo("/new").Get(repo.NewMilestone).
-				Post(bindIgnErr(auth.CreateMilestoneForm{}), repo.NewMilestonePost)
-			m.Get("/:id/edit", repo.EditMilestone)
-			m.Post("/:id/edit", bindIgnErr(auth.CreateMilestoneForm{}), repo.EditMilestonePost)
-			m.Get("/:id/:action", repo.ChangeMilestonStatus)
-			m.Post("/delete", repo.DeleteMilestone)
-		}, reqRepoAdmin, middleware.RepoRef())
-
-		m.Group("/releases", func() {
-			m.Get("/new", repo.NewRelease)
-			m.Post("/new", bindIgnErr(auth.NewReleaseForm{}), repo.NewReleasePost)
-			m.Get("/edit/:tagname", repo.EditRelease)
-			m.Post("/edit/:tagname", bindIgnErr(auth.EditReleaseForm{}), repo.EditReleasePost)
-			m.Post("/delete", repo.DeleteRelease)
-		}, reqRepoAdmin, middleware.RepoRef())
-
-		m.Combo("/compare/*", repo.MustEnablePulls).Get(repo.CompareAndPullRequest).
-			Post(bindIgnErr(auth.CreateIssueForm{}), repo.CompareAndPullRequestPost)
-	}, reqSignIn, middleware.RepoAssignment())
-
-	m.Group("/:username/:reponame", func() {
-		m.Group("", func() {
-			m.Get("/releases", repo.Releases)
-			m.Get("/^:type(issues|pulls)$", repo.RetrieveLabels, repo.Issues)
-			m.Get("/^:type(issues|pulls)$/:index", repo.ViewIssue)
-			m.Get("/labels/", repo.RetrieveLabels, repo.Labels)
-			m.Get("/milestones", repo.Milestones)
-		}, middleware.RepoRef())
-
-		// m.Get("/branches", repo.Branches)
-
-		m.Group("/wiki", func() {
-			m.Get("/?:page", repo.Wiki)
-			m.Get("/_pages", repo.WikiPages)
-
-			m.Group("", func() {
-				m.Combo("/_new").Get(repo.NewWiki).
-					Post(bindIgnErr(auth.NewWikiForm{}), repo.NewWikiPost)
-				m.Combo("/:page/_edit").Get(repo.EditWiki).
-					Post(bindIgnErr(auth.NewWikiForm{}), repo.EditWikiPost)
-			}, reqSignIn, reqRepoPusher)
-		}, repo.MustEnableWiki, middleware.RepoRef())
-
-		m.Get("/archive/*", repo.Download)
-
-		m.Group("/pulls/:index", func() {
-			m.Get("/commits", repo.ViewPullCommits)
-			m.Get("/files", repo.ViewPullFiles)
-			m.Post("/merge", reqRepoAdmin, repo.MergePullRequest)
-		}, repo.MustEnablePulls)
-
-		m.Group("", func() {
-			m.Get("/src/*", repo.Home)
-			m.Get("/raw/*", repo.SingleDownload)
-			m.Get("/commits/*", repo.RefCommits)
-			m.Get("/commit/*", repo.Diff)
-			m.Get("/stars", repo.Stars)
-			m.Get("/watchers", repo.Watchers)
-			m.Get("/forks", repo.Forks)
-		}, middleware.RepoRef())
-
-		m.Get("/compare/:before([a-z0-9]{40})...:after([a-z0-9]{40})", repo.CompareDiff)
-	}, ignSignIn, middleware.RepoAssignment())
-
-	m.Group("/:username", func() {
-		m.Group("/:reponame", func() {
-			m.Get("", repo.Home)
-			m.Get("\\.git$", repo.Home)
-		}, ignSignIn, middleware.RepoAssignment(true), middleware.RepoRef())
-
-		m.Group("/:reponame", func() {
-			m.Any("/*", ignSignInAndCsrf, repo.HTTP)
-			m.Head("/tasks/trigger", repo.TriggerTask)
-		})
-	})
-	// ***** END: Repository *****
-
-	// robots.txt
-	m.Get("/robots.txt", func(ctx *middleware.Context) {
-		if setting.HasRobotsTxt {
-			ctx.ServeFileContent(path.Join(setting.CustomPath, "robots.txt"))
-		} else {
-			ctx.Error(404)
-		}
-	})
-
-	// Not found handler.
-	m.NotFound(routers.NotFound)
-
-	// Flag for port number in case first time run conflict.
-	if ctx.IsSet("port") {
-		setting.AppUrl = strings.Replace(setting.AppUrl, setting.HttpPort, ctx.String("port"), 1)
-		setting.HttpPort = ctx.String("port")
-	}
-
-	var err error
-	listenAddr := fmt.Sprintf("%s:%s", setting.HttpAddr, setting.HttpPort)
-	log.Info("Listen: %v://%s%s", setting.Protocol, listenAddr, setting.AppSubUrl)
-	switch setting.Protocol {
-	case setting.HTTP:
-		err = http.ListenAndServe(listenAddr, m)
-	case setting.HTTPS:
-		server := &http.Server{Addr: listenAddr, TLSConfig: &tls.Config{MinVersion: tls.VersionTLS10}, Handler: m}
-		err = server.ListenAndServeTLS(setting.CertFile, setting.KeyFile)
-	case setting.FCGI:
-		err = fcgi.Serve(nil, m)
-	default:
-		log.Fatal(4, "Invalid protocol: %s", setting.Protocol)
-	}
-
-	if err != nil {
-		log.Fatal(4, "Fail to start server: %v", err)
-	}
-}
@@ -1,7 +0,0 @@
-Execute following command in ROOT directory when anything is changed:
-
-$ go-bindata -o=modules/bindata/bindata.go -ignore="\\.DS_Store|README.md" -pkg=bindata conf/...
-
-Add -debug flag to make life easier in development(somehow isn't working):
-
-$ go-bindata -debug -o=modules/bindata/bindata.go -ignore="\\.DS_Store|README.md" -pkg=bindata conf/...
@@ -1,24 +1,486 @@
-# NEVER EVER MODIFY THIS FILE
-# PLEASE MAKE CHANGES ON CORRESPONDING CUSTOM CONFIG FILE
+# !!! NEVER EVER MODIFY THIS FILE !!!
+# !!! PLEASE MAKE CHANGES ON CORRESPONDING CUSTOM CONFIG FILE !!!
+# !!! IF YOU ARE PACKAGING PROVIDER, PLEASE MAKE OWN COPY OF IT !!!

-; App name that shows on every page title
-APP_NAME = Gogs: Go Git Service
-; Change it if you run locally
+; The brand name of the application, can be your company or team name.
+BRAND_NAME = Gogs
+; The system user who should be running the applications. It has no effect on Windows,
+; otherwise, it should match the value of $USER environment variable.
 RUN_USER = git
-; Either "dev", "prod" or "test", default is "dev"
+; The running mode of the application, can be either "dev", "prod" or "test".
 RUN_MODE = dev

+[server]
+; The public-facing URL for the application.
+EXTERNAL_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
+; The public-facing domain name for the application.
+DOMAIN = localhost
+; The protocol that is used to serve direct traffic to the application.
+; Currently supports "http", "https", "fcgi" and "unix".
+PROTOCOL = http
+; The address to be listened by the application.
+HTTP_ADDR = 0.0.0.0
+; The port number to be listened by the application.
+HTTP_PORT = 3000
+; Generate steps:
+; $ ./gogs cert -ca=true -duration=8760h0m0s -host=myhost.example.com
+;
+; Or from a .pfx file exported from the Windows certificate store (do
+; not forget to export the private key):
+; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
+; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
+CERT_FILE = custom/https/cert.pem
+KEY_FILE = custom/https/key.pem
+; The minimum allowed TLS version, currently supports "TLS10", "TLS11", "TLS12", and "TLS13".
+TLS_MIN_VERSION = TLS12
+; File permission when serve traffic via Unix domain socket.
+UNIX_SOCKET_PERMISSION = 666
+; Local (DMZ) URL for workers (e.g. SSH update) accessing web service.
+; In most cases you do not need to change the default value.
+; Alter it only if your SSH server node is not the same as HTTP node.
+LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
+
+; Whether to disable using CDN for static files regardless.
+OFFLINE_MODE = false
+; Whether to disable logging in router.
+DISABLE_ROUTER_LOG = true
+; Whether to enable application level GZIP compression.
+ENABLE_GZIP = false
+
+; The path for storing application specific data.
+APP_DATA_PATH = data
+; Whether to enable to load assets (i.e. "conf", "templates", "public") from disk instead of embedded bindata.
+LOAD_ASSETS_FROM_DISK = false
+
+; The landing page URL for anonymous users, the value should not include
+; subpath that is handled by the reverse proxy.
+LANDING_URL = /
+
+; Whether to disable SSH access to the application entirely.
+DISABLE_SSH = false
+; The domain name to be exposed in SSH clone URL.
+SSH_DOMAIN = %(DOMAIN)s
+; The port number to be exposed in SSH clone URL.
+SSH_PORT = 22
+; The path of SSH root directory, default is "$HOME/.ssh".
+SSH_ROOT_PATH =
+; The path to ssh-keygen, default is "ssh-keygen" and let shell find out which one to call.
+SSH_KEYGEN_PATH = ssh-keygen
+; The directory to create temporary files when test a public key using ssh-keygen,
+; default is the system temporary directory.
+SSH_KEY_TEST_PATH =
+; Whether to check minimum public key size with corresponding type.
+MINIMUM_KEY_SIZE_CHECK = false
+; Whether to rewrite "~/.ssh/authorized_keys" file at start, ignored when use builtin SSH server.
+REWRITE_AUTHORIZED_KEYS_AT_START = false
+; Whether to start a builtin SSH server.
+START_SSH_SERVER = false
+; The network interface for builtin SSH server to listen on.
+SSH_LISTEN_HOST = 0.0.0.0
+; The port number for builtin SSH server to listen on.
+SSH_LISTEN_PORT = %(SSH_PORT)s
+; The list of accepted ciphers for connections to builtin SSH server.
+SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
+; The list of accepted MACs for connections to builtin SSH server.
+SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1
+; The list of accepted key exchange algorithms for connections to builtin SSH server.
+SSH_SERVER_ALGORITHMS = rsa, ecdsa, ed25519
+
+; Define allowed algorithms and their minimum key length (use -1 to disable a type).
+[ssh.minimum_key_sizes]
+ED25519 = 256
+ECDSA   = 256
+RSA     = 2048
+DSA     = 1024
+
 [repository]
+; The root path for storing managed repositories, default is "~/gogs-repositories"
 ROOT =
+; The script type server supports, sometimes could be "sh".
 SCRIPT_TYPE = bash
-; Default ANSI charset
-ANSI_CHARSET = 
-; Force every new repository to be private
+; Default ANSI charset for an unrecognized charset.
+ANSI_CHARSET =
+; Whether to force every new repository to be private.
 FORCE_PRIVATE = false
-; Global maximum creation limit of repository per user, -1 means no limit
+; The global limit of number of repositories a user can create, -1 means no limit.
 MAX_CREATION_LIMIT = -1
-; Patch test queue length, make it as large as possible
-PULL_REQUEST_QUEUE_LENGTH = 10000
+; Preferred Licenses to place at the top of the list.
+; Name must match file name in "conf/license" or "custom/conf/license".
+PREFERRED_LICENSES = Apache License 2.0, MIT License
+; Whether to disable Git interaction with repositories via HTTP/HTTPS protocol.
+DISABLE_HTTP_GIT = false
+; Whether to enable ability to migrate repository by server local path.
+ENABLE_LOCAL_PATH_MIGRATION = false
+; Whether to enable render mode for raw file. There are potential security risks.
+ENABLE_RAW_FILE_RENDER_MODE = false
+; The maximum number of goroutines that can be run at the same time for a single
+; fetch request. Usually, the value depend of how many CPU (cores) you have. If
+; the value is non-positive, it matches the number of CPUs available to the application.
+COMMITS_FETCH_CONCURRENCY = 0
+; Default branch name when creating new repositories.
+DEFAULT_BRANCH = master
+
+[repository.editor]
+; List of file extensions that should have line wraps in the CodeMirror editor.
+; Separate extensions with a comma.
+LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd
+; Valid file modes that have a preview API associated with them, such as "/api/v1/markdown".
+; Separate values by commas. Preview tab in edit mode won't show if the file extension doesn't match.
+PREVIEWABLE_FILE_MODES = markdown
+
+[repository.upload]
+; Whether to enable repository file uploads.
+ENABLED = true
+; The path to temporarily store uploads (content under this path gets wiped out on every start).
+TEMP_PATH = data/tmp/uploads
+; File types that are allowed to be uploaded, e.g. "image/jpeg|image/png". Leave empty to allow any file type.
+ALLOWED_TYPES =
+; The maximum size of each file in MB.
+FILE_MAX_SIZE = 3
+; The maximum number of files per upload.
+MAX_FILES = 5
+
+[database]
+; The database backend, either "postgres", "mysql" or "sqlite3".
+TYPE = postgres
+HOST = 127.0.0.1:5432
+NAME = gogs
+USER = gogs
+PASSWORD =
+; For "postgres" only
+SCHEMA = public
+; For "postgres" only, either "disable", "require" or "verify-full".
+SSL_MODE = disable
+; For "sqlite3" only, make sure to use absolute path.
+PATH = data/gogs.db
+; The maximum open connections of the pool.
+MAX_OPEN_CONNS = 30
+; The maximum idle connections of the pool.
+MAX_IDLE_CONNS = 30
+
+[security]
+; Whether to show the install page, set this to "true" to bypass it.
+INSTALL_LOCK = false
+; The secret to encrypt cookie values, 2FA code, etc.
+; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
+SECRET_KEY = !#@FDEWREWR&*(
+; The number of days a sign-in session persists across browser restarts.
+LOGIN_REMEMBER_DAYS = 7
+; Whether to set secure cookie.
+COOKIE_SECURE = false
+; Whether to set cookie to indicate user login status.
+ENABLE_LOGIN_STATUS_COOKIE = false
+; The cookie name to store user login status.
+LOGIN_STATUS_COOKIE_NAME = login_status
+; A comma separated list of hostnames that are explicitly allowed to be accessed within the local network.
+; Use "*" to allow all hostnames.
+LOCAL_NETWORK_ALLOWLIST =
+
+[email]
+; Whether to enable the email service.
+ENABLED = false
+; The prefix prepended to the subject line.
+SUBJECT_PREFIX = `[%(BRAND_NAME)s] `
+; The SMTP server with its port, e.g. smtp.mailgun.org:587, smtp.gmail.com:587, smtp.qq.com:465
+; If the port ends is "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409.
+; If the server supports STARTTLS it will always be used.
+HOST = smtp.mailgun.org:587
+; The email from address (RFC 5322). This can be just an email address, or the `"Name" <email@example.com>` format.
+FROM = noreply@gogs.localhost
+; The login user.
+USER = noreply@gogs.localhost
+; The login password.
+PASSWORD =
+
+; The custom hostname for HELO operation, default is from system.
+HELO_HOSTNAME =
+
+; Whether to skip verifying the certificate of the server. Only use this for self-signed certificates.
+SKIP_VERIFY = false
+; Whether to use client certificates.
+USE_CERTIFICATE = false
+CERT_FILE = custom/email/cert.pem
+KEY_FILE = custom/email/key.pem
+
+; Whether to use "text/plain" as content format.
+USE_PLAIN_TEXT = false
+; Whether to attach a plaintext alternative to the MIME message while sending HTML emails.
+; It is used to support older mail clients and make spam filters happier.
+ADD_PLAIN_TEXT_ALT = false
+
+[auth]
+; The valid duration of activate code in minutes.
+ACTIVATE_CODE_LIVES = 180
+; The valid duration of reset password code in minutes.
+RESET_PASSWORD_CODE_LIVES = 180
+; Whether to require email confirmation for adding new email addresses.
+; Enable this option will also require user to confirm the email for registration.
+REQUIRE_EMAIL_CONFIRMATION = false
+; Whether to disallow anonymous users visiting the site.
+REQUIRE_SIGNIN_VIEW = false
+; Whether to disable self-registration. When disabled, accounts would have to be created by admins.
+DISABLE_REGISTRATION = false
+; Whether to enable captcha validation for registration
+ENABLE_REGISTRATION_CAPTCHA = true
+
+; Whether to enable reverse proxy authentication via HTTP header.
+ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+; Whether to automatically create new users for reverse proxy authentication.
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
+; The HTTP header used as username for reverse proxy authentication.
+REVERSE_PROXY_AUTHENTICATION_HEADER = X-WEBAUTH-USER
+; Lists the IPs or CIDR ranges whose requests are allowed to set the reverse
+; proxy authentication header.
+TRUSTED_PROXY_IPS = 127.0.0.0/8,::1/128
+
+[user]
+; Whether to enable email notifications for users.
+ENABLE_EMAIL_NOTIFICATION = false
+
+[session]
+; The session provider, either "memory", "file", or "redis".
+PROVIDER = memory
+; The configuration for respective provider:
+; - memory: does not need any config yet
+; - file: session file path, e.g. `data/sessions`
+; - redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180,tls=true
+PROVIDER_CONFIG = data/sessions
+; The cookie name to store the session identifier.
+COOKIE_NAME = i_like_gogs
+; Whether to set cookie in HTTPS only.
+COOKIE_SECURE = false
+; The GC interval in seconds for session data.
+GC_INTERVAL = 3600
+; The maximum idle time in seconds before a session record is garbage-collected.
+; Set lower than `[security] LOGIN_REMEMBER_DAYS * 86400` to enforce a sliding
+; idle timeout. Otherwise the session lives for the full cookie lifetime.
+MAX_LIFE_TIME = 604800
+; The cookie name for CSRF token.
+CSRF_COOKIE_NAME = _csrf
+
+[cache]
+; The cache adapter, either "memory" or "redis".
+ADAPTER = memory
+; For "memory" only, GC interval in seconds.
+INTERVAL = 60
+; For "redis", connection host address:
+; - redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
+HOST =
+
+[http]
+; The value for "Access-Control-Allow-Origin" header, default is not to present.
+ACCESS_CONTROL_ALLOW_ORIGIN =
+
+[lfs]
+; The storage backend for uploading new objects.
+STORAGE = local
+; The root path to store LFS objects on local file system.
+OBJECTS_PATH = data/lfs-objects
+; The path to temporarily store LFS objects during upload verification.
+OBJECTS_TEMP_PATH = data/tmp/lfs-objects
+
+[attachment]
+; Whether to enabled upload attachments in general.
+ENABLED = true
+; The path to store attachments on the file system.
+PATH = data/attachments
+; File types that are allowed to be uploaded, e.g. "image/jpeg|image/png". Leave empty to allow any file type.
+ALLOWED_TYPES = image/jpeg|image/png
+; The maximum size of each file in MB.
+MAX_SIZE = 4
+; The maximum number of files per upload.
+MAX_FILES = 5
+
+[release.attachment]
+; Whether to enabled upload attachments for releases.
+ENABLED = true
+; File types that are allowed to be uploaded, e.g. "image/jpeg|image/png". Leave empty to allow any file type.
+ALLOWED_TYPES = */*
+; The maximum size of each file in MB.
+MAX_SIZE = 32
+; The maximum number of files per upload.
+MAX_FILES = 10
+
+[time]
+; Specifies the format for fully outputed dates.
+; Values should be one of the following:
+; ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano.
+; For more information about the format see http://golang.org/pkg/time/#pkg-constants.
+FORMAT = RFC1123
+
+[picture]
+; The path to store user avatars on the file system.
+AVATAR_UPLOAD_PATH = data/avatars
+; The path to store repository avatars on the file system.
+REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
+; Chinese users can use a custom avatar source, such as http://cn.gravatar.com/avatar/.
+GRAVATAR_SOURCE = gravatar
+; Whether to disable Gravatar, this value will be forced to be true in offline mode.
+DISABLE_GRAVATAR = false
+; Whether to enable federated avatar lookup uses DNS to discover avatar associated
+; with emails, see https://www.libravatar.org for details.
+; This value will be forced to be false in offline mode or when Gravatar is disabled.
+ENABLE_FEDERATED_AVATAR = false
+
+[markdown]
+; Whether to enable hard line break extension.
+ENABLE_HARD_LINE_BREAK = false
+; The list of custom URL schemes that are allowed as links when rendering Markdown.
+; For example, "git" (for "git://") and "magnet" (for "magnet://").
+CUSTOM_URL_SCHEMES =
+; The list of file extensions that should be rendered/edited as Markdown.
+; Separate extensions with a comma. To render files with no extension as markdown, just put a comma.
+FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
+
+[smartypants]
+; Whether to enable the Smartypants extension.
+ENABLED = false
+FRACTIONS = true
+DASHES = true
+LATEX_DASHES = true
+ANGLED_QUOTES = true
+
+[admin]
+; Whether to disable regular (non-admin) users to create organizations.
+DISABLE_REGULAR_ORG_CREATION = false
+
+[webhook]
+; The list of enabled types for users to use, can be "gogs", "slack", "discord", "dingtalk".
+TYPES = gogs, slack, discord, dingtalk
+; Deliver timeout in seconds.
+DELIVER_TIMEOUT = 15
+; Whether to allow insecure certification.
+SKIP_TLS_VERIFY = false
+; The number of history information in each page.
+PAGING_NUM = 10
+
+; General settings of loggers.
+[log]
+; The root path for all log files, default is "log/" subdirectory.
+ROOT_PATH =
+; Can be "console", "file", "slack" and "discord".
+; Use comma to separate multiple modes, e.g. "console, file"
+MODE = console
+; Buffer length of channel, keep it as it is if you don't know what it is.
+BUFFER_LEN = 100
+; Either "Trace", "Info", "Warn", "Error", "Fatal", default is "Trace"
+LEVEL = Trace
+
+; For "console" mode only
+[log.console]
+; Comment out to inherit
+; LEVEL =
+
+; For "file" mode only
+[log.file]
+; Comment out to inherit
+; LEVEL =
+; Whether to enable automated log rotate (switch of following options).
+LOG_ROTATE = true
+; Whether to segment log files daily.
+DAILY_ROTATE = true
+; The maximum size shift of single file, default is 28 means 1 << 28 = 256MB.
+MAX_SIZE_SHIFT = 28
+; The maximum number of lines of single file.
+MAX_LINES = 1000000
+; The expired days of log file (delete after max days).
+MAX_DAYS = 7
+
+; For "slack" mode only
+[log.slack]
+; Comment out to inherit
+; LEVEL =
+; Webhook URL
+URL =
+
+[log.discord]
+; Comment out to inherit
+; LEVEL =
+; Webhook URL
+URL =
+; The username to be displayed in notification.
+USERNAME = %(BRAND_NAME)s
+
+[log.xorm]
+; Enable file rotation
+ROTATE = true
+; Rotate every day
+ROTATE_DAILY = true
+; Rotate once file size excesses x MB
+MAX_SIZE = 100
+; Maximum days to keep logger files
+MAX_DAYS = 3
+
+[log.gorm]
+; Whether to enable file rotation.
+ROTATE = true
+; Whether to rotate file every day.
+ROTATE_DAILY = true
+; The maximum file size in MB before next rotate.
+MAX_SIZE = 100
+; The maximum days to keep files.
+MAX_DAYS = 3
+
+[cron]
+; Enable running cron tasks periodically.
+ENABLED = true
+; Run cron tasks when Gogs starts.
+RUN_AT_START = false
+
+[cron.update_mirrors]
+; Defines how often the mirror syncer checks if any mirror needs to be synchronized (based on the mirror update interval).
+SCHEDULE = @every 10m
+
+; Repository health check
+[cron.repo_health_check]
+SCHEDULE = @every 24h
+TIMEOUT = 60s
+; Arguments for command 'git fsck', e.g. "--unreachable --tags"
+; see more on http://git-scm.com/docs/git-fsck/1.7.5
+ARGS =
+
+; Check repository statistics
+[cron.check_repo_stats]
+RUN_AT_START = true
+SCHEDULE = @every 24h
+
+; Cleanup repository archives
+[cron.repo_archive_cleanup]
+RUN_AT_START = false
+SCHEDULE = @every 24h
+; Time duration to check if archive should be cleaned
+OLDER_THAN = 24h
+
+[git]
+; Disables highlight of added and removed changes
+DISABLE_DIFF_HIGHLIGHT = false
+; Max number of files shown in diff view
+MAX_GIT_DIFF_FILES = 100
+; Max number of lines allowed of a single file in diff view
+MAX_GIT_DIFF_LINES = 1000
+; Max number of characters of a line allowed in diff view
+MAX_GIT_DIFF_LINE_CHARACTERS = 2000
+; Arguments for command 'git gc', e.g. "--aggressive --auto"
+; see more on http://git-scm.com/docs/git-gc/1.7.5
+GC_ARGS =
+
+; Operation timeout in seconds
+[git.timeout]
+MIGRATE = 600
+MIRROR = 300
+CLONE = 300
+PULL = 300
+DIFF = 60
+GC = 60
+
+[mirror]
+; Defines the default interval (in hours) until the next sync for a mirror (after a successful mirror sync).
+; It can be overridden individually for each mirror repository in the settings.
+DEFAULT_INTERVAL = 8
+
+[api]
+; Max number of items will response in a page
+MAX_RESPONSE_ITEMS = 50

 [ui]
 ; Number of repositories that are showed in one explore page
@@ -27,6 +489,12 @@ EXPLORE_PAGING_NUM = 20
 ISSUE_PAGING_NUM = 10
 ; Number of maximum commits showed in one activity feed
 FEED_MAX_COMMIT_NUM = 5
+; Value of "theme-color" meta tag, used by Android >= 5.0
+; An invalid color like "none" or "disable" will have the default style
+; More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android
+THEME_COLOR_META_TAG = `#ff5343`
+; Max size in bytes of files to be displayed (default is 8MB)
+MAX_DISPLAY_FILE_SIZE = 8388608

 [ui.admin]
 ; Number of users that are showed in one page
@@ -38,294 +506,39 @@ NOTICE_PAGING_NUM = 25
 ; Number of organization that are showed in one page
 ORG_PAGING_NUM = 50

-[markdown]
-; Enable hard line break extension
-ENABLE_HARD_LINE_BREAK = false
+[ui.user]
+; Number of repos that are showed in one page
+REPO_PAGING_NUM = 15
+; Number of news feeds that are showed in one page
+NEWS_FEED_PAGING_NUM = 20
+; Number of commits that are showed in one page
+COMMITS_PAGING_NUM = 30

-[server]
-PROTOCOL = http
-DOMAIN = localhost
-ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
-HTTP_ADDR =
-HTTP_PORT = 3000
-; Local (DMZ) URL for Gogs workers (such as SSH update) accessing web service.
-; In most cases you do not need to change the default value.
-; Alter it only if your SSH server node is not the same as HTTP node.
-LOCAL_ROOT_URL = http://localhost:%(HTTP_PORT)s/
-; Disable SSH feature when not available
-DISABLE_SSH = false
-; Whether use builtin SSH server or not.
-START_SSH_SERVER = false
-SSH_PORT = 22
-; Disable CDN even in "prod" mode
-OFFLINE_MODE = false
-DISABLE_ROUTER_LOG = false
-; Generate steps:
-; $ ./gogs cert -ca=true -duration=8760h0m0s -host=myhost.example.com
-;
-; Or from a .pfx file exported from the Windows certificate store (do
-; not forget to export the private key):
-; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
-; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
-CERT_FILE = custom/https/cert.pem
-KEY_FILE = custom/https/key.pem
-; Upper level of template and static file path
-; default is the path where Gogs is executed
-STATIC_ROOT_PATH =
-; Application level GZIP support
-ENABLE_GZIP = false
-; Landing page for non-logged users, can be "home" or "explore"
-LANDING_PAGE = home
-
-[database]
-; Either "mysql", "postgres" or "sqlite3", it's your choice
-DB_TYPE = mysql
-HOST = 127.0.0.1:3306
-NAME = gogs
-USER = root
-PASSWD =
-; For "postgres" only, either "disable", "require" or "verify-full"
-SSL_MODE = disable
-; For "sqlite3" and "tidb"
-PATH = data/gogs.db
-
-[admin]
-
-[security]
-INSTALL_LOCK = false
-; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
-SECRET_KEY = !#@FDEWREWR&*(
-; Auto-login remember days
-LOGIN_REMEMBER_DAYS = 7
-COOKIE_USERNAME = gogs_awesome
-COOKIE_REMEMBER_NAME = gogs_incredible
-; Reverse proxy authentication header name of user name
-REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
-
-[service]
-ACTIVE_CODE_LIVE_MINUTES = 180
-RESET_PASSWD_CODE_LIVE_MINUTES = 180
-; User need to confirm e-mail for registration
-REGISTER_EMAIL_CONFIRM = false
-; Does not allow register and admin create account only
-DISABLE_REGISTRATION = false
-; User must sign in to view anything.
-REQUIRE_SIGNIN_VIEW = false
-; Cache avatar as picture
-ENABLE_CACHE_AVATAR = false
-; Mail notification
-ENABLE_NOTIFY_MAIL = false
-; More detail: https://github.com/gogits/gogs/issues/165
-ENABLE_REVERSE_PROXY_AUTHENTICATION = false
-ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
-; Do not check minimum key size with corresponding type
-DISABLE_MINIMUM_KEY_SIZE_CHECK = false
-; Enable captcha validation for registration
-ENABLE_CAPTCHA = true
-
-; used to filter keys which are too short
-[service.minimum_key_sizes]
-ED25519 = 256
-ECDSA   = 256
-NTRU    = 1087
-MCE     = 1702
-McE     = 1702
-RSA     = 1024
-DSA     = 1024
-
-[webhook]
-; Hook task queue length
-QUEUE_LENGTH = 1000
-; Deliver timeout in seconds
-DELIVER_TIMEOUT = 5
-; Allow insecure certification
-SKIP_TLS_VERIFY = false
-; Number of history information in each page
-PAGING_NUM = 10
-
-[mailer]
-ENABLED = false
-; Buffer length of channel, keep it as it is if you don't know what it is.
-SEND_BUFFER_LEN = 100
-; Name displayed in mail title
-SUBJECT = %(APP_NAME)s
-; Mail server
-; Gmail: smtp.gmail.com:587
-; QQ: smtp.qq.com:25
-; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
-HOST = 
-; Disable HELO operation when hostname are different.
-DISABLE_HELO = 
-; Custom hostname for HELO operation, default is from system.
-HELO_HOSTNAME = 
-; Do not verify the certificate of the server. Only use this for self-signed certificates
-SKIP_VERIFY = 
-; Use client certificate
-USE_CERTIFICATE = false
-CERT_FILE = custom/mailer/cert.pem
-KEY_FILE = custom/mailer/key.pem
-; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format 
-FROM =
-; Mailer user name and password
-USER =
-PASSWD =
-
-[cache]
-; Either "memory", "redis", or "memcache", default is "memory"
-ADAPTER = memory
-; For "memory" only, GC interval in seconds, default is 60
-INTERVAL = 60
-; For "redis" and "memcache", connection host address
-; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
-; memcache: `127.0.0.1:11211`
-HOST =
-
-[session]
-; Either "memory", "file", "redis" or "mysql", default is "memory"
-PROVIDER = memory
-; Provider config options
-; memory: not have any config yet
-; file: session file path, e.g. `data/sessions`
-; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
-; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-PROVIDER_CONFIG = data/sessions
-; Session cookie name
-COOKIE_NAME = i_like_gogits
-; If you use session in https only, default is false
-COOKIE_SECURE = false
-; Enable set cookie, default is true
-ENABLE_SET_COOKIE = true
-; Session GC time interval, default is 86400
-GC_INTERVAL_TIME = 86400
-; Session life time, default is 86400
-SESSION_LIFE_TIME = 86400
-
-[picture]
-; The place to picture data, either "server" or "qiniu", default is "server"
-SERVICE = server
-AVATAR_UPLOAD_PATH = data/avatars
-; Chinese users can choose "duoshuo"
-; or a custom avatar source, like: http://cn.gravatar.com/avatar/
-GRAVATAR_SOURCE = gravatar
-DISABLE_GRAVATAR = false
-
-[attachment]
-; Whether attachments are enabled. Defaults to `true`
-ENABLE = true
-; Path for attachments. Defaults to `data/attachments`
-PATH = data/attachments
-; One or more allowed types, e.g. image/jpeg|image/png
-ALLOWED_TYPES = image/jpeg|image/png
-; Max size of each file. Defaults to 32MB
-MAX_SIZE = 4
-; Max number of files per upload. Defaults to 10
-MAX_FILES = 5
-
-[time]
-; Specifies the format for fully outputed dates. Defaults to RFC1123
-; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
-; For more information about the format see http://golang.org/pkg/time/#pkg-constants
-FORMAT =
-
-[log]
-ROOT_PATH =
-; Either "console", "file", "conn", "smtp" or "database", default is "console"
-; Use comma to separate multiple modes, e.g. "console, file"
-MODE = console
-; Buffer length of channel, keep it as it is if you don't know what it is.
-BUFFER_LEN = 10000
-; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
-LEVEL = Trace
-
-; For "console" mode only
-[log.console]
-LEVEL =
-
-; For "file" mode only
-[log.file]
-LEVEL =
-; This enables automated log rotate(switch of following options), default is true
-LOG_ROTATE = true
-; Max line number of single file, default is 1000000
-MAX_LINES = 1000000
-; Max size shift of single file, default is 28 means 1 << 28, 256MB
-MAX_SIZE_SHIFT = 28
-; Segment log daily, default is true
-DAILY_ROTATE = true
-; Expired days of log file(delete after max days), default is 7
-MAX_DAYS = 7
-
-; For "conn" mode only
-[log.conn]
-LEVEL =
-; Reconnect host for every single message, default is false
-RECONNECT_ON_MSG = false
-; Try to reconnect when connection is lost, default is false
-RECONNECT = false
-; Either "tcp", "unix" or "udp", default is "tcp"
-PROTOCOL = tcp
-; Host address
-ADDR =
-
-; For "smtp" mode only
-[log.smtp]
-LEVEL =
-; Name displayed in mail title, default is "Diagnostic message from server"
-SUBJECT = Diagnostic message from server
-; Mail server
-HOST =
-; Mailer user name and password
-USER =
-PASSWD =
-; Receivers, can be one or more, e.g. ["1@example.com","2@example.com"]
-RECEIVERS =
-
-; For "database" mode only
-[log.database]
-LEVEL =
-; Either "mysql" or "postgres"
-DRIVER =
-; Based on xorm, e.g.: root:root@localhost/gogs?charset=utf8
-CONN =
-
-[cron]
-; Enable running cron tasks periodically.
+[prometheus]
+; Whether to enable Prometheus metrics.
 ENABLED = true
-; Run cron tasks when Gogs starts.
-RUN_AT_START = false
+; Whether to enable HTTP Basic Authentication to protect metrics data.
+ENABLE_BASIC_AUTH = false
+; The username for HTTP Basic Authentication.
+BASIC_AUTH_USERNAME =
+; The password for HTTP Basic Authentication.
+BASIC_AUTH_PASSWORD =

-; Update mirrors
-[cron.update_mirrors]
-SCHEDULE = @every 1h
-
-; Repository health check
-[cron.repo_health_check]
-SCHEDULE = @every 24h
-TIMEOUT = 60s
-; Arguments for command 'git fsck', e.g. "--unreachable --tags"
-; see more on http://git-scm.com/docs/git-fsck/1.7.5
-ARGS = 
-
-; Check repository statistics
-[cron.check_repo_stats]
-RUN_AT_START = true
-SCHEDULE = @every 24h
-
-[git]
-MAX_GIT_DIFF_LINES = 10000
-; Arguments for command 'git gc', e.g. "--aggressive --auto"
-; see more on http://git-scm.com/docs/git-gc/1.7.5
-GC_ARGS = 
+; Extension mapping to highlight class
+; e.g. .toml=ini
+[highlight.mapping]

 [i18n]
-LANGS = en-US,zh-CN,zh-HK,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT
-NAMES = English,简体中文,繁體中文,Deutsch,Français,Nederlands,Latviešu,Русский,日本語,Español,Português do Brasil,Polski,български,Italiano
+LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR,gl-ES,uk-UA,en-GB,hu-HU,sk-SK,id-ID,fa-IR,vi-VN,pt-PT,mn-MN,ro-RO
+NAMES = English,简体中文,繁體中文（香港）,繁體中文（臺灣）,Deutsch,français,Nederlands,latviešu,русский,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어,galego,українська,English (United Kingdom),Magyar,Slovenčina,Indonesian,Persian,Vietnamese,Português,Монгол,Română

-; Used for datetimepicker
+; Used for jQuery DateTimePicker,
+; list of supported languages in https://xdsoft.net/jqplugins/datetimepicker/#lang
 [i18n.datelang]
 en-US = en
 zh-CN = zh
 zh-HK = zh-TW
+zh-TW = zh-TW
 de-DE = de
 fr-FR = fr
 nl-NL = nl
@@ -337,12 +550,24 @@ pt-BR = pt-BR
 pl-PL = pl
 bg-BG = bg
 it-IT = it
-
-; Extension mapping to highlight class
-; e.g. .toml=ini
-[highlight.mapping]
+fi-FI = fi
+tr-TR = tr
+cs-CZ = cs-CZ
+sr-SP = sr
+sv-SE = sv
+ko-KR = ko
+gl-ES = gl
+uk-UA = uk
+en-GB = en-GB
+hu-HU = hu
+sk-SK = sk
+id-ID = id
+fa-IR = fa
+vi-VN = vi
+pt-PT = pt
+mn-MN = mn
+ro-RO = ro

 [other]
-SHOW_FOOTER_BRANDING = false
-; Show version information about gogs and go in the footer
-SHOW_FOOTER_VERSION = true
+; Show time of template execution in the footer
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = true
@@ -0,0 +1,10 @@
+# This is an example of GitHub authentication
+#
+id           = 105
+type         = github
+name         = GitHub
+is_activated = true
+
+[config]
+api_endpoint = https://api.github.com/
+
@@ -0,0 +1,29 @@
+# This is an example of LDAP (BindDN) authentication
+#
+id           = 101
+type         = ldap_bind_dn
+name         = LDAP BindDN
+is_activated = true
+
+[config]
+host               = mydomain.com
+port               = 636
+# 0 - Unencrypted, 1 - LDAPS, 2 - StartTLS
+security_protocol  = 0
+skip_verify        = false
+bind_dn            = 
+bind_password      = 
+user_base          = ou=Users,dc=mydomain,dc=com
+attribute_username = 
+attribute_name     = 
+attribute_surname  = 
+attribute_mail     = mail
+attributes_in_bind = false
+filter             = (&(objectClass=posixAccount)(cn=%s))
+admin_filter       = 
+group_enabled      = false
+group_dn           = 
+group_filter       = 
+group_member_uid   = 
+user_uid           = 
+
@@ -0,0 +1,30 @@
+# This is an example of LDAP (simple auth) authentication
+#
+id           = 102
+type         = ldap_simple_auth
+name         = LDAP Simple Auth
+is_activated = true
+
+[config]
+host               = mydomain.com
+port               = 636
+# 0 - Unencrypted, 1 - LDAPS, 2 - StartTLS
+security_protocol  = 0
+skip_verify        = false
+bind_dn            = 
+bind_password      = 
+user_base          = 
+user_dn            = cn=%s,ou=Users,dc=mydomain,dc=com
+attribute_username = 
+attribute_name     = 
+attribute_surname  = 
+attribute_mail     = mail
+attributes_in_bind = false
+filter             = (&(objectClass=posixAccount)(cn=%s))
+admin_filter       = 
+group_enabled      = false
+group_dn           = 
+group_filter       = 
+group_member_uid   = 
+user_uid           = 
+
@@ -0,0 +1,10 @@
+# This is an example of PAM authentication
+#
+id           = 104
+type         = pam
+name         = System Auth
+is_activated = true
+
+[config]
+service_name = system-auth
+
@@ -0,0 +1,16 @@
+# This is an example of SMTP authentication
+#
+id           = 103
+type         = smtp
+name         = GMail
+is_activated = true
+
+[config]
+# Either "PLAIN" or "LOGIN"
+auth            = PLAIN
+host            = smtp.gmail.com
+port            = 587
+allowed_domains = 
+tls             = true
+skip_verify     = false
+
@@ -0,0 +1,23 @@
+package conf
+
+import (
+	"embed"
+)
+
+//go:embed app.ini **/*
+var Files embed.FS
+
+// FileNames returns a list of filenames exists in the given direction within
+// Files. The list includes names of subdirectories.
+func FileNames(dir string) ([]string, error) {
+	entries, err := Files.ReadDir(dir)
+	if err != nil {
+		return nil, err
+	}
+
+	fileNames := make([]string, 0, len(entries))
+	for _, entry := range entries {
+		fileNames = append(fileNames, entry.Name())
+	}
+	return fileNames, nil
+}
@@ -0,0 +1,16 @@
+package conf
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFileNames(t *testing.T) {
+	names, err := FileNames(".")
+	require.NoError(t, err)
+
+	want := []string{"app.ini", "auth.d", "gitignore", "label", "license", "locale", "readme"}
+	assert.Equal(t, want, names)
+}
@@ -0,0 +1,63 @@
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+# Gradle:
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# CMake
+cmake-build-debug/
+
+# Mongo Explorer plugin:
+.idea/**/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Ruby plugin and RubyMine
+/.rakeTasks
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+### PhpStorm Patch ###
+# Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721
+
+# *.iml
+# modules.xml
+# .idea/misc.xml
+# *.ipr
+
+# Sonarlint plugin
+.idea/sonarlint
@@ -0,0 +1,76 @@
+# Visual Studio 2015 user specific files
+.vs/
+
+# Compiled Object files
+*.slo
+*.lo
+*.o
+*.obj
+
+# Precompiled Headers
+*.gch
+*.pch
+
+# Compiled Dynamic libraries
+*.so
+*.dylib
+*.dll
+
+# Fortran module files
+*.mod
+
+# Compiled Static libraries
+*.lai
+*.la
+*.a
+*.lib
+
+# Executables
+*.exe
+*.out
+*.app
+*.ipa
+
+# These project files can be generated by the engine
+*.xcodeproj
+*.xcworkspace
+*.sln
+*.suo
+*.opensdf
+*.sdf
+*.VC.db
+*.VC.opendb
+
+# Precompiled Assets
+SourceArt/**/*.png
+SourceArt/**/*.tga
+
+# Binary Files
+Binaries/*
+Plugins/*/Binaries/*
+
+# Builds
+Build/*
+
+# Whitelist PakBlacklist-<BuildConfiguration>.txt files
+!Build/*/
+Build/*/**
+!Build/*/PakBlacklist*.txt
+
+# Don't ignore icon files in Build
+!Build/**/*.ico
+
+# Built data for maps
+*_BuiltData.uasset
+
+# Configuration files generated by the Editor
+Saved/*
+
+# Compiled source files for the engine to use
+Intermediate/*
+Plugins/*/Intermediate/*
+
+# Cache files for the editor to use
+DerivedDataCache/*
+
+
@@ -0,0 +1,63 @@
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+# Gradle:
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# CMake
+cmake-build-debug/
+
+# Mongo Explorer plugin:
+.idea/**/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Ruby plugin and RubyMine
+/.rakeTasks
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+### WebStorm Patch ###
+# Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721
+
+# *.iml
+# modules.xml
+# .idea/misc.xml
+# *.ipr
+
+# Sonarlint plugin
+.idea/sonarlint
@@ -1,24 +1,25 @@
-.DS_Store
-.AppleDouble
-.LSOverride
-
-# Icon must end with two \r
-Icon
-
-# Thumbnails
-._*
-
-# Files that might appear in the root of a volume
-.DocumentRevisions-V100
-.fseventsd
-.Spotlight-V100
-.TemporaryItems
-.Trashes
-.VolumeIcon.icns
-
-# Directories potentially created on remote AFP share
-.AppleDB
-.AppleDesktop
-Network Trash Folder
-Temporary Items
-.apdisk
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
@@ -0,0 +1,7 @@
+#ee0701 bug
+#cccccc duplicate
+#84b6eb enhancement
+#128a0c help wanted
+#e6e6e6 invalid
+#cc317c question
+#ffffff wontfix
@@ -1,39 +0,0 @@
-Creative Commons CC0 1.0 Universal
-CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:
-
-i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
-
-ii. moral rights retained by the original author(s) and/or performer(s);
-
-iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
-
-iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
-
-v. rights protecting the extraction, dissemination, use and reuse of data in a Work;
-
-vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
-
-vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
-a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
-
-b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
-
-c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
-
-d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
@@ -1,6 +1,5 @@
 ISC License:
-Copyright (c) 2004-2010 by Internet Systems Consortium, Inc. ("ISC") 
-Copyright (c) 1995-2003 by Internet Software Consortium
+Copyright (c) Year(s), Company or Person's Name

 Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

@@ -7,35 +7,82 @@ Akihiro YAGASAKI <yaggytter AT momiage DOT com>
 Aleksejs Grocevs <aleksejs AT grocevs DOT pro>
 Aleksey Tarakin <hukendo AT yandex DOT ru>
 Alexander Steinhöfer <kontakt AT lx-s DOT de>
+Alexandre Espinosa Menor <aemenor DOT gmail DOT com>
 Alexandre Magno <alexandre DOT mbm AT gmail DOT com>
+Anders B. Hansen <anders AT birkoe DOT com>
+András Schenkerik <moviesharkteam AT gmail DOT com>
 Andrey Nering <andrey AT nering DOT com DOT br>
+Andrey Paskal <apaskal AT gmail DOT com>
+Andrey Solomatin <toadron AT yandex DOT ru>
+Antoine GIRARD <sapk AT sapk DOT fr>
 Arthur Aslanyan <arthur DOT e DOT aslanyan AT gmail DOT com>
+Aurelien Darragon <aurelien DOT darragon AT gmail DOT com>
 Barış Arda Yılmaz <ardayilmazgamer AT gmail DOT com>
+Bo-Yi Wu <appleboy DOT tw AT gmail DOT com>
+Breton Corentin <contact AT neodarz DOT net>
+Camille Baronnet <gogs AT camillebaronnet DOT fr>
+Changwoo Ryu <cwryu AT debian DOT org>
 Christoph Kisfeld <christoph DOT kisfeld AT gmail DOT com>
 Cysioland
+Damaris Padieu <damizx AT hotmail DOT fr>
 Daniel Speichert <daniel AT speichert DOT pl>
 David Yzaguirre <dvdyzag AT gmail DOT com>
+Denys Khomenko
 Dmitriy Nogay <me AT catwhocode DOT ga>
+Enrico Testori hypertesto AT gmail DOT com
 Ezequiel Gonzalez Rial <gonrial AT gmail DOT com>
+Farhan Naysee <wpmagic70 AT gmail DOT com>
+Flávio Monteiro <flaviomonteiro2013 AT gmail DOT com>
+Gabriel Dugny <gabriel DOT dugny AT gmail DOT com>
+Ganesha <reekoheek AT gmail DOT com>
 Gregor Santner <gdev AT live DOT de>
+Halil Kaya <halil AT halilkaya DOT net>
 Hamid Feizabadi <hamidfzm AT gmail DOT com>
 Huimin Wang <wanghm2009 AT hotmail DOT co DOT jp>
-ilko
+ilko <kontact-mr.k AT outlook DOT com">
 Ilya Makarov
+Jamie Mansfield <dev AT jamierocks DOT uk>
+Javier Ortiz Bultron <javier DOT ortiz DOT 78 AT gmail DOT com>
+Jean THOMAS <contact AT tibounise DOT com>
+John Behm <jxsl13 AT googlemail DOT com>
+Jonas De Kegel <jonasgithub [AT] gmail [DOT] com>
+Joubert RedRat <me+github AT redrat DOT com DOT br>
 Juraj Bubniak <contact AT jbub DOT eu>
 Lafriks <lafriks AT gmail DOT com>
 Lauri Ojansivu <x AT xet7 DOT org>
+Luca Bozzo <luca AT bozzo DOT it>
+Luca Kröger <l DOT kroeger01 AT gmail DOT com>
 Luc Stepniewski <luc AT stepniewski DOT fr>
+Łukasz Jan Niemier <lukasz AT niemier DOT pl>
 Marc Schiller <marc AT schiller DOT im>
+Marvin Menzerath <github AT marvin-menzerath DOT de>
+Mathias Rangel Wulff <m AT rawu DOT dk>
+Michael Härtl <haertl DOT mike AT gmail DOT com>
 Miguel de la Cruz <miguel AT mcrx DOT me>
 Mikhail Burdin <xdshot9000 AT gmail DOT com>
+Mohammad Gholami <gholami DOT mohammad DOT mgh AT gmail DOT com>
 Morten Sørensen <klim8d AT gmail DOT com>
+Muhammad Fawwaz Orabi <mfawwaz93 AT gmail DOT com>
 Nakao Takamasa <at.mattenn AT gmail DOT com>
 Natan Albuquerque <natanalbuquerque5 AT gmail DOT com>
 Odilon Junior <odilon DOT junior93 AT gmail DOT com>
+Oleksandr Yermakov <olexander DOT yermakov AT gmail DOT com>
+Óscar García Amor <ogarcia AT connectical DOT com>
+Pablo Saavedra <psaavedra AT igalia DOT com>
+Pierre Prinetti >meatqrawldotnet<
+Richard Bukovansky <richard DOT bukovansky @ gmail DOT com>
+Robert Nuske <robert DOT nuske AT web DOT de>
+Robin Hübner <profan AT prfn DOT se>
+Rste Risafov <risafov AT lazy DOT com>
+SeongJae Park <sj38 DOT park AT gmail DOT com>
+Sergey Stepanov <sergystepanov AT gmail DOT com>
+Simona Iacob <s AT zp1 DOT net>
 Thomas Fanninger <gogs DOT thomas AT fanninger DOT at>
 Tilmann Bach <tilmann AT outlook DOT com>
 Toni Villena Jiménez <tonivj5 AT gmail DOT com>
+Vincent AMSTOUTZ <vincent DOT amstoutz AT outlook DOT fr>
+Vladimir Jigulin mogaika AT yandex DOT ru
 Vladimir Vissoultchev <wqweto AT gmail DOT com>
+Vongola <me AT vongola DOT tw>
 YJSoft <yjsoft AT yjsoft DOT pe DOT kr>
-Łukasz Jan Niemier <lukasz AT niemier DOT pl>
+Oscar Quisbert <quisbert_karos AT outlook DOT com>
--- a/Show More
+++ b/Show More