7f0d53eb90
Merge branch 'main' into lunny/add_reply_code_review
2026-05-25 21:58:27 -07:00
28ba9b915b
Move sdk from code.gitea.io/sdk/gitea to gitea.dev/sdk ( #1006 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/1006
Reviewed-by: Zettat123 <39446+zettat123@noreply.gitea.com >
2026-05-26 04:51:09 +00:00
a664449282
Use git command instead of go git ( #1005 )
...
Remove go git library because it doesn't support sha256 repository but have an interface so that we could have other backend for the future.
Reviewed-on: https://gitea.com/gitea/tea/pulls/1005
Reviewed-by: Zettat123 <39446+zettat123@noreply.gitea.com >
2026-05-23 20:24:47 +00:00
bbe97a5e23
fix(deps): update module golang.org/x/crypto to v0.52.0 [security] ( #1002 )
...
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/ ) | [Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto ) | [`v0.51.0` → `v0.52.0`](https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.51.0...refs/tags/v0.52.0 ) |  |  |
---
### Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
[CVE-2026-39833](https://nvd.nist.gov/vuln/detail/CVE-2026-39833 ) / [GO-2026-5005](https://pkg.go.dev/vuln/GO-2026-5005 )
<details>
<summary>More information</summary>
#### Details
The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79436 ](https://go.dev/issue/79436 )
- [https://go.dev/cl/778640 ](https://go.dev/cl/778640 )
- [https://go.dev/cl/778641 ](https://go.dev/cl/778641 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5005 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
[CVE-2026-39832](https://nvd.nist.gov/vuln/detail/CVE-2026-39832 ) / [GO-2026-5006](https://pkg.go.dev/vuln/GO-2026-5006 )
<details>
<summary>More information</summary>
#### Details
When adding a key to a remote agent constraint extensions such as restrict-destination-v00@​openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79435 ](https://go.dev/issue/79435 )
- [https://go.dev/cl/778642 ](https://go.dev/cl/778642 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5006 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
[CVE-2026-46597](https://nvd.nist.gov/vuln/detail/CVE-2026-46597 ) / [GO-2026-5013](https://pkg.go.dev/vuln/GO-2026-5013 )
<details>
<summary>More information</summary>
#### Details
An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79561 ](https://go.dev/issue/79561 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
- [https://go.dev/cl/781620 ](https://go.dev/cl/781620 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5013 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
[CVE-2026-39828](https://nvd.nist.gov/vuln/detail/CVE-2026-39828 ) / [GO-2026-5014](https://pkg.go.dev/vuln/GO-2026-5014 )
<details>
<summary>More information</summary>
#### Details
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79562 ](https://go.dev/issue/79562 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
- [https://go.dev/cl/781621 ](https://go.dev/cl/781621 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5014 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
[CVE-2026-39835](https://nvd.nist.gov/vuln/detail/CVE-2026-39835 ) / [GO-2026-5015](https://pkg.go.dev/vuln/GO-2026-5015 )
<details>
<summary>More information</summary>
#### Details
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79563 ](https://go.dev/issue/79563 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
- [https://go.dev/cl/781660 ](https://go.dev/cl/781660 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5015 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
[CVE-2026-39827](https://nvd.nist.gov/vuln/detail/CVE-2026-39827 ) / [GO-2026-5016](https://pkg.go.dev/vuln/GO-2026-5016 )
<details>
<summary>More information</summary>
#### Details
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.
#### Severity
Unknown
#### References
- [https://go.dev/issue/35127 ](https://go.dev/issue/35127 )
- [https://go.dev/cl/781320 ](https://go.dev/cl/781320 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5016 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
[CVE-2026-39830](https://nvd.nist.gov/vuln/detail/CVE-2026-39830 ) / [GO-2026-5017](https://pkg.go.dev/vuln/GO-2026-5017 )
<details>
<summary>More information</summary>
#### Details
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79564 ](https://go.dev/issue/79564 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
- [https://go.dev/cl/781640 ](https://go.dev/cl/781640 )
- [https://go.dev/cl/781664 ](https://go.dev/cl/781664 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5017 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
[CVE-2026-39829](https://nvd.nist.gov/vuln/detail/CVE-2026-39829 ) / [GO-2026-5018](https://pkg.go.dev/vuln/GO-2026-5018 )
<details>
<summary>More information</summary>
#### Details
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79565 ](https://go.dev/issue/79565 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
- [https://go.dev/cl/781641 ](https://go.dev/cl/781641 )
- [https://go.dev/cl/781661 ](https://go.dev/cl/781661 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5018 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh
[CVE-2026-39831](https://nvd.nist.gov/vuln/detail/CVE-2026-39831 ) / [GO-2026-5019](https://pkg.go.dev/vuln/GO-2026-5019 )
<details>
<summary>More information</summary>
#### Details
The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@​openssh.com, sk-ssh-ed25519@​openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79566 ](https://go.dev/issue/79566 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
- [https://go.dev/cl/781662 ](https://go.dev/cl/781662 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5019 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
[CVE-2026-39834](https://nvd.nist.gov/vuln/detail/CVE-2026-39834 ) / [GO-2026-5020](https://pkg.go.dev/vuln/GO-2026-5020 )
<details>
<summary>More information</summary>
#### Details
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79567 ](https://go.dev/issue/79567 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
- [https://go.dev/cl/781663 ](https://go.dev/cl/781663 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5020 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking auth bypass via unenforced @​revoked status in golang.org/x/crypto/ssh/knownhosts
[CVE-2026-42508](https://nvd.nist.gov/vuln/detail/CVE-2026-42508 ) / [GO-2026-5021](https://pkg.go.dev/vuln/GO-2026-5021 )
<details>
<summary>More information</summary>
#### Details
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @​revoked.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79568 ](https://go.dev/issue/79568 )
- [https://go.dev/cl/781220 ](https://go.dev/cl/781220 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5021 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh
[CVE-2026-46595](https://nvd.nist.gov/vuln/detail/CVE-2026-46595 ) / [GO-2026-5023](https://pkg.go.dev/vuln/GO-2026-5023 )
<details>
<summary>More information</summary>
#### Details
Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79570 ](https://go.dev/issue/79570 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
- [https://go.dev/cl/781642 ](https://go.dev/cl/781642 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5023 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
[CVE-2026-46598](https://nvd.nist.gov/vuln/detail/CVE-2026-46598 ) / [GO-2026-5033](https://pkg.go.dev/vuln/GO-2026-5033 )
<details>
<summary>More information</summary>
#### Details
For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79596 ](https://go.dev/issue/79596 )
- [https://go.dev/cl/781360 ](https://go.dev/cl/781360 )
- [https://groups.google.com/g/golang-announce/c/a082jnz-LvI ](https://groups.google.com/g/golang-announce/c/a082jnz-LvI )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5033 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- ""
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTEuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE5MS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
---------
Co-authored-by: silverwind <2021+silverwind@noreply.gitea.com >
Reviewed-on: https://gitea.com/gitea/tea/pulls/1002
Reviewed-by: silverwind <2021+silverwind@noreply.gitea.com >
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-05-22 21:21:18 +00:00
82323c7270
chore(deps): update module golang.org/x/net to v0.55.0 [security] ( #1001 )
...
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/ ) | [Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [golang.org/x/net](https://pkg.go.dev/golang.org/x/net ) | [`v0.54.0` → `v0.55.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.54.0...refs/tags/v0.55.0 ) |  |  |
---
### Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
[CVE-2026-42506](https://nvd.nist.gov/vuln/detail/CVE-2026-42506 ) / [GO-2026-5025](https://pkg.go.dev/vuln/GO-2026-5025 )
<details>
<summary>More information</summary>
#### Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79571 ](https://go.dev/issue/79571 )
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 ](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 )
- [https://go.dev/cl/781700 ](https://go.dev/cl/781700 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5025 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna
[CVE-2026-39821](https://nvd.nist.gov/vuln/detail/CVE-2026-39821 ) / [GO-2026-5026](https://pkg.go.dev/vuln/GO-2026-5026 )
<details>
<summary>More information</summary>
#### Details
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.
This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
#### Severity
Unknown
#### References
- [https://go.dev/cl/767220 ](https://go.dev/cl/767220 )
- [https://go.dev/issue/78760 ](https://go.dev/issue/78760 )
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 ](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5026 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
[CVE-2026-42502](https://nvd.nist.gov/vuln/detail/CVE-2026-42502 ) / [GO-2026-5027](https://pkg.go.dev/vuln/GO-2026-5027 )
<details>
<summary>More information</summary>
#### Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79572 ](https://go.dev/issue/79572 )
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 ](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 )
- [https://go.dev/cl/781701 ](https://go.dev/cl/781701 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5027 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
[CVE-2026-25680](https://nvd.nist.gov/vuln/detail/CVE-2026-25680 ) / [GO-2026-5028](https://pkg.go.dev/vuln/GO-2026-5028 )
<details>
<summary>More information</summary>
#### Details
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
#### Severity
Unknown
#### References
- [https://go.dev/cl/781702 ](https://go.dev/cl/781702 )
- [https://go.dev/issue/79573 ](https://go.dev/issue/79573 )
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 ](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5028 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
[CVE-2026-25681](https://nvd.nist.gov/vuln/detail/CVE-2026-25681 ) / [GO-2026-5029](https://pkg.go.dev/vuln/GO-2026-5029 )
<details>
<summary>More information</summary>
#### Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79574 ](https://go.dev/issue/79574 )
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 ](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 )
- [https://go.dev/cl/781703 ](https://go.dev/cl/781703 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5029 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Invoking duplicate attributes can cause XSS in golang.org/x/net/html
[CVE-2026-27136](https://nvd.nist.gov/vuln/detail/CVE-2026-27136 ) / [GO-2026-5030](https://pkg.go.dev/vuln/GO-2026-5030 )
<details>
<summary>More information</summary>
#### Details
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
#### Severity
Unknown
#### References
- [https://go.dev/issue/79575 ](https://go.dev/issue/79575 )
- [https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 ](https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 )
- [https://go.dev/cl/781685 ](https://go.dev/cl/781685 )
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2026-5030 ) and the [Go Vulnerability Database](https://github.com/golang/vulndb ) ([CC-BY 4.0](https://github.com/golang/vulndb#license )).
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- ""
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTEuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE5MS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Reviewed-on: https://gitea.com/gitea/tea/pulls/1001
Reviewed-by: silverwind <2021+silverwind@noreply.gitea.com >
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-05-22 20:51:54 +00:00
861201541d
fix(deps): update module golang.org/x/sys to v0.45.0 ( #1000 )
...
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/ ) | [Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys ) | [`v0.44.0` → `v0.45.0`](https://cs.opensource.google/go/x/sys/+/refs/tags/v0.44.0...refs/tags/v0.45.0 ) |  |  |
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTAuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5MC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Reviewed-on: https://gitea.com/gitea/tea/pulls/1000
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-05-22 07:35:59 +00:00
ef0dc62dd6
fix(deps): update module github.com/go-git/go-git/v5 to v5.19.1 ( #996 )
...
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/ ) | [Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) | `v5.19.0` → `v5.19.1` |  |  |
---
### Release Notes
<details>
<summary>go-git/go-git (github.com/go-git/go-git/v5)</summary>
### [`v5.19.1`](https://github.com/go-git/go-git/releases/tag/v5.19.1 )
[Compare Source](https://github.com/go-git/go-git/compare/v5.19.0...v5.19.1 )
#### What's Changed
- v5: plumbing: transport/ssh, Shell-quote path by [@​hiddeco](https://github.com/hiddeco ) in [#​2068](https://github.com/go-git/go-git/pull/2068 )
- v5: git: submodule, Fix relative URL resolution by [@​hiddeco](https://github.com/hiddeco ) in [#​2070](https://github.com/go-git/go-git/pull/2070 )
- v5: git: submodule, canonical remote for relative URLs by [@​hiddeco](https://github.com/hiddeco ) in [#​2074](https://github.com/go-git/go-git/pull/2074 )
- v5: git: submodule, error on remote without URLs by [@​hiddeco](https://github.com/hiddeco ) in [#​2078](https://github.com/go-git/go-git/pull/2078 )
- v5: plumbing: format/idxfile, Validate offset64 indices by [@​hiddeco](https://github.com/hiddeco ) in [#​2084](https://github.com/go-git/go-git/pull/2084 )
- v5: \*: Reject malformed variable-length integers by [@​hiddeco](https://github.com/hiddeco ) in [#​2092](https://github.com/go-git/go-git/pull/2092 )
- v5: plumbing: format/packfile, Tighten delta validation by [@​hiddeco](https://github.com/hiddeco ) in [#​2091](https://github.com/go-git/go-git/pull/2091 )
- v5: Add `worktreeFilesystem` wrapper for worktree and hardening by [@​hiddeco](https://github.com/hiddeco ) in [#​2100](https://github.com/go-git/go-git/pull/2100 )
- v5: config: validate submodule names by [@​hiddeco](https://github.com/hiddeco ) in [#​2082](https://github.com/go-git/go-git/pull/2082 )
- build: Update module github.com/go-git/go-git/v5 to v5.19.0 \[SECURITY] (releases/v5.x) by [@​go-git-renovate](https://github.com/go-git-renovate )\[bot] in [#​2111](https://github.com/go-git/go-git/pull/2111 )
- v5: git: Allow MkdirAll on worktree-root paths by [@​hiddeco](https://github.com/hiddeco ) in [#​2117](https://github.com/go-git/go-git/pull/2117 )
- v5: git: Stop validating symlink target paths by [@​pjbgf](https://github.com/pjbgf ) in [#​2116](https://github.com/go-git/go-git/pull/2116 )
- v5: plumbing: format decoder input bounds and contracts by [@​hiddeco](https://github.com/hiddeco ) in [#​2125](https://github.com/go-git/go-git/pull/2125 )
- plumbing: format/packfile, cap delta chain depth in parser by [@​pjbgf](https://github.com/pjbgf ) in [#​2137](https://github.com/go-git/go-git/pull/2137 )
**Full Changelog**: <https://github.com/go-git/go-git/compare/v5.19.0...v5.19.1 >
</details>
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4Mi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Reviewed-on: https://gitea.com/gitea/tea/pulls/996
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-05-19 04:53:00 +00:00
6134351048
bump go deps
2026-05-14 12:01:28 -04:00
2cc45f1cce
fix(deps): update github.com/urfave/cli to v3.9.0 ( #993 )
...
Fix https://gitea.com/gitea/tea/issues/975
Reviewed-on: https://gitea.com/gitea/tea/pulls/993
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Minjie Fang <wingsallen@gmail.com >
Co-committed-by: Minjie Fang <wingsallen@gmail.com >
2026-05-14 05:15:33 +00:00
19dd8b1b4b
fix(deps): update module code.gitea.io/sdk/gitea to v0.25.0 ( #984 )
...
Bumping gitea SDK to version v0.25.0
Currently there is an issue when users try to use SSH to authenticate to a gitea server. The issue is already reported here #983
The problem was that `*gitea.HTTPSign` embeds `ssh.Signer` (not `ssh.AlgorithmSigner`).
`httpsig v1.2.4` type-asserts the signer to `ssh.AlgorithmSigner` for RSA keys and panics because `*HTTPSign` doesn't expose `SignWithAlgorithm`.
Fix: SDK v0.25.0 adds `SignWithAlgorithm` to `HTTPSign`, satisfying `ssh.AlgorithmSigner`.
Reviewed-on: https://gitea.com/gitea/tea/pulls/984
Reviewed-by: techknowlogick <9+techknowlogick@noreply.gitea.com >
Co-authored-by: Carlos Grillet <carlosbeta5000@gmail.com >
Co-committed-by: Carlos Grillet <carlosbeta5000@gmail.com >
2026-05-07 17:29:39 +00:00
6af01bb13d
Add reply to code review
2026-05-05 21:21:44 -07:00
e686e8d0bd
fix(deps): update module github.com/go-authgate/sdk-go to v0.10.0 ( #976 )
...
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/ ) | [Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [github.com/go-authgate/sdk-go](https://github.com/go-authgate/sdk-go ) | `v0.9.0` → `v0.10.0` |  |  |
---
### Release Notes
<details>
<summary>go-authgate/sdk-go (github.com/go-authgate/sdk-go)</summary>
### [`v0.10.0`](https://github.com/go-authgate/sdk-go/releases/tag/v0.10.0 )
[Compare Source](https://github.com/go-authgate/sdk-go/compare/v0.9.0...v0.10.0 )
#### Changelog
##### Others
- [`5b43693`](https://github.com/go-authgate/sdk-go/commit/5b436935ca0c587301754ee8e43dc04329b34623 ): feat(jwksauth)!: align with upstream JWT\_PRIVATE\_CLAIM\_PREFIX ([#​27](https://github.com/go-authgate/sdk-go/issues/27 )) ([@​appleboy](https://github.com/appleboy ))
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjAuNiIsInVwZGF0ZWRJblZlciI6IjQzLjE2MC42IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Reviewed-on: https://gitea.com/gitea/tea/pulls/976
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-05-04 02:06:58 +00:00
1f6fd97fc1
fix(deps): update module github.com/go-authgate/sdk-go to v0.9.0 ( #974 )
...
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/ ) | [Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [github.com/go-authgate/sdk-go](https://github.com/go-authgate/sdk-go ) | `v0.8.0` → `v0.9.0` |  |  |
---
### Release Notes
<details>
<summary>go-authgate/sdk-go (github.com/go-authgate/sdk-go)</summary>
### [`v0.9.0`](https://github.com/go-authgate/sdk-go/releases/tag/v0.9.0 )
[Compare Source](https://github.com/go-authgate/sdk-go/compare/v0.8.0...v0.9.0 )
#### Changelog
##### Documentation updates
- [`86d33f3`](https://github.com/go-authgate/sdk-go/commit/86d33f315c3eddfe92f37e4d8b3ac30afbc0ef72 ): docs(jwksauth): tighten readme table column widths ([@​appleboy](https://github.com/appleboy ))
##### Others
- [`545d96f`](https://github.com/go-authgate/sdk-go/commit/545d96fd43d8a6e6bc76a3c6b28683ffa3eace06 ): refactor(jwksauth)!: rename Tenant to Domain and add Tenant sub-claim ([#​25](https://github.com/go-authgate/sdk-go/issues/25 )) ([@​appleboy](https://github.com/appleboy ))
- [`1e73580`](https://github.com/go-authgate/sdk-go/commit/1e73580c87f2be874101c4ccc02f3dd1ceb17c53 ): feat(jwksauth)!: adopt slog-style Logger interface ([#​24](https://github.com/go-authgate/sdk-go/issues/24 )) ([@​appleboy](https://github.com/appleboy ))
- [`7af1bc4`](https://github.com/go-authgate/sdk-go/commit/7af1bc463714a2c4e6aea1741c87b20fdbba21ce ): test(jwksauth): fix stale Tenant references in policy reject test ([#​26](https://github.com/go-authgate/sdk-go/issues/26 )) ([@​appleboy](https://github.com/appleboy ))
</details>
---
Reviewed-on: https://gitea.com/gitea/tea/pulls/974
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-05-02 02:04:23 +00:00
27e6083e23
fix(deps): update module github.com/go-authgate/sdk-go to v0.8.0 ( #972 )
...
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/ ) | [Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [github.com/go-authgate/sdk-go](https://github.com/go-authgate/sdk-go ) | `v0.7.0` → `v0.8.0` |  |  |
---
### Release Notes
<details>
<summary>go-authgate/sdk-go (github.com/go-authgate/sdk-go)</summary>
### [`v0.8.0`](https://github.com/go-authgate/sdk-go/releases/tag/v0.8.0 )
[Compare Source](https://github.com/go-authgate/sdk-go/compare/v0.7.0...v0.8.0 )
#### Changelog
##### Refactor
- [`62ccff0`](https://github.com/go-authgate/sdk-go/commit/62ccff06c837abe9c9cd6d8411525e3d25344cf1 ): refactor(jwksauth): share OIDC discovery and drop tenant cache ([#​23](https://github.com/go-authgate/sdk-go/issues/23 )) ([@​appleboy](https://github.com/appleboy ))
- [`088ee3b`](https://github.com/go-authgate/sdk-go/commit/088ee3bd2d5f891c03d27212a6ed5283b1434282 ): refactor(sdk): harden HTTP reads and improve code quality ([#​18](https://github.com/go-authgate/sdk-go/issues/18 )) ([@​appleboy](https://github.com/appleboy ))
- [`aa17bc2`](https://github.com/go-authgate/sdk-go/commit/aa17bc2373b675b0f0882672706c66a0f523b05f ): refactor: simplify oauth client and token source flows ([#​22](https://github.com/go-authgate/sdk-go/issues/22 )) ([@​appleboy](https://github.com/appleboy ))
</details>
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
Reviewed-on: https://gitea.com/gitea/tea/pulls/972
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-05-01 23:16:49 +00:00
b100d4c939
fix(deps): update module github.com/go-authgate/sdk-go to v0.7.0 ( #970 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/970
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-04-29 03:28:15 +00:00
d0b7ea09e8
fix(deps): update module charm.land/lipgloss/v2 to v2.0.3 ( #959 )
...
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/ ) | [Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [charm.land/lipgloss/v2](https://github.com/charmbracelet/lipgloss ) | `v2.0.2` → `v2.0.3` |  |  |
---
### Release Notes
<details>
<summary>charmbracelet/lipgloss (charm.land/lipgloss/v2)</summary>
### [`v2.0.3`](https://github.com/charmbracelet/lipgloss/releases/tag/v2.0.3 )
[Compare Source](https://github.com/charmbracelet/lipgloss/compare/v2.0.2...v2.0.3 )
#### Changelog
##### Fixed
- [`472d718`](https://github.com/charmbracelet/lipgloss/commit/472d718e2314596549bee2c0c8ccf8beea5f25ae ): fix: Avoid background color query hang ([#​636](https://github.com/charmbracelet/lipgloss/issues/636 )) ([@​jedevc](https://github.com/jedevc ))
##### Docs
- [`9e39a0a`](https://github.com/charmbracelet/lipgloss/commit/9e39a0ad4f4fc779d620f17783cee3494da6ae29 ): docs: fix README typo ([#​629](https://github.com/charmbracelet/lipgloss/issues/629 )) ([@​Rohan5commit](https://github.com/Rohan5commit ))
- [`cd93a9f`](https://github.com/charmbracelet/lipgloss/commit/cd93a9f5d2e3cb151da83150db29751d92585d23 ): docs: fix tree comment typo ([#​634](https://github.com/charmbracelet/lipgloss/issues/634 )) ([@​Rohan5commit](https://github.com/Rohan5commit ))
***
<a href="https://charm.land/ "><img alt="The Charm logo" src="https://stuff.charm.sh/charm-banner-next.jpg " width="400"></a>
Thoughts? Questions? We love hearing from you. Feel free to reach out on [X](https://x.com/charmcli ), [Discord](https://charm.land/discord ), [Slack](https://charm.land/slack ), [The Fediverse](https://mastodon.social/@​charmcli ), [Bluesky](https://bsky.app/profile/charm.land ).
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTEuMCIsInVwZGF0ZWRJblZlciI6IjQzLjExMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
Reviewed-on: https://gitea.com/gitea/tea/pulls/959
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-04-20 19:34:25 +00:00
20914a1375
fix(deps): update module github.com/go-git/go-git/v5 to v5.18.0 ( #961 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/961
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-04-20 01:11:50 +00:00
84ecd16f9c
fix(deps): update Go dependencies to latest versions ( #955 )
...
## Summary
- Upgrade all Go module dependencies to their latest versions
- Includes updates to charm.land, golang.org/x, goldmark, go-crypto, and other indirect dependencies
- Project builds cleanly with all updates
## Test plan
- [x] `go build ./...` passes
- [x] CI pipeline passes
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Reviewed-on: https://gitea.com/gitea/tea/pulls/955
Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com >
Co-committed-by: Bo-Yi Wu <appleboy.tw@gmail.com >
2026-04-10 01:40:40 +00:00
0489d8c275
fix(deps): update module golang.org/x/sys to v0.43.0 ( #951 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/951
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-04-09 14:16:37 +00:00
366069315f
fix(deps): update module github.com/go-git/go-git/v5 to v5.17.2 ( #943 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/943
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-04-01 18:14:14 +00:00
1e13681663
fix(deps): update module github.com/go-git/go-git/v5 to v5.17.1 ( #942 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/942
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-03-30 07:00:31 +00:00
bfbec3fc00
fix(deps): update module code.gitea.io/sdk/gitea to v0.24.1 ( #936 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/936
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-03-27 06:04:29 +00:00
e31a167e54
fix(deps): update module github.com/go-authgate/sdk-go to v0.6.1 ( #935 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/935
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-03-27 03:47:06 +00:00
6a7c3e4efa
fix(deps): update module github.com/urfave/cli/v3 to v3.8.0 ( #937 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/937
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-03-27 03:46:50 +00:00
9a462247bd
fix(deps): update module github.com/olekukonko/tablewriter to v1.1.4 ( #933 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/933
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-03-13 00:18:26 +00:00
ec658cfc33
chore(deps): update Go dependencies and CI workflow action versions ( #932 )
...
## Summary
- Run `go get -u ./...` and `go mod tidy` to update all Go dependencies
- Update CI workflow action versions:
- `crazy-max/ghaction-import-gpg`: v6 → v7
- `goreleaser/goreleaser-action`: v6 → v7
- `docker/setup-qemu-action`: v3 → v4
- `docker/setup-buildx-action`: v3 → v4
- `docker/login-action`: v3 → v4
- `docker/build-push-action`: v6 → v7
## Notable Go dependency updates
- `github.com/urfave/cli/v3`: v3.6.2 → v3.7.0
- `github.com/ProtonMail/go-crypto`: v1.3.0 → v1.4.0
- `charm.land/huh/v2`: v2.0.1 → v2.0.3
- `golang.org/x/crypto`: v0.48.0 → v0.49.0
- `golang.org/x/net`: v0.49.0 → v0.52.0
Reviewed-on: https://gitea.com/gitea/tea/pulls/932
Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com >
Co-committed-by: Bo-Yi Wu <appleboy.tw@gmail.com >
2026-03-12 05:28:47 +00:00
302c946cb8
feat: store OAuth tokens in OS keyring via credstore ( #926 )
...
## Summary
- Introduce `github.com/go-authgate/sdk-go/credstore` to store OAuth tokens securely in the OS keyring (macOS Keychain / Linux Secret Service / Windows Credential Manager), with automatic fallback to an encrypted JSON file
- Add `AuthMethod` field to `Login` struct; new OAuth logins are marked `auth_method: oauth` and no longer write `token`/`refresh_token`/`token_expiry` to `config.yml`
- Add `GetAccessToken()` / `GetRefreshToken()` / `GetTokenExpiry()` accessors that transparently read from credstore for OAuth logins, with fallback to YAML fields for legacy logins
- Update all token reference sites across the codebase to use the new accessors
- Non-OAuth logins (token, SSH) are completely unaffected; no migration of existing tokens
## Key files
| File | Role |
|------|------|
| `modules/config/credstore.go` | **New** — credstore wrapper (Load/Save/Delete) |
| `modules/config/login.go` | Login struct, token accessors, refresh logic |
| `modules/auth/oauth.go` | OAuth flow, token creation / re-authentication |
| `modules/api/client.go`, `cmd/login/helper.go`, `cmd/login/oauth_refresh.go` | Token reference updates |
| `modules/task/pull_*.go`, `modules/task/repo_clone.go` | Git operation token reference updates |
## Test plan
- [x] `go build ./...` compiles successfully
- [x] `go test ./...` all tests pass
- [x] `tea login add --oauth` completes OAuth flow; verify config.yml has `auth_method: oauth` but no token/refresh_token/token_expiry
- [x] `tea repos ls` API calls work (token read from credstore)
- [x] `tea login delete <name>` credstore token is also removed
- [x] Existing non-OAuth logins continue to work unchanged
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Reviewed-on: https://gitea.com/gitea/tea/pulls/926
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com >
Co-committed-by: Bo-Yi Wu <appleboy.tw@gmail.com >
2026-03-12 02:49:14 +00:00
c797624fcf
Update to charm libraries v2 ( #923 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/923
Reviewed-by: techknowlogick <9+techknowlogick@noreply.gitea.com >
Co-authored-by: Michal Suchanek <msuchanek@suse.de >
Co-committed-by: Michal Suchanek <msuchanek@suse.de >
2026-03-09 16:36:00 +00:00
3372c9ec59
fix(deps): update module golang.org/x/oauth2 to v0.36.0 ( #919 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/919
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-03-09 16:19:28 +00:00
d019f0dd72
fix(deps): update module github.com/go-git/go-git/v5 to v5.17.0 ( #910 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/910
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-02-26 17:59:28 +00:00
dfd400f15b
Fix termenv OSC RGBA handling ( #907 )
...
Fixes : #889
Reviewed-on: https://gitea.com/gitea/tea/pulls/907
Reviewed-by: techknowlogick <techknowlogick@noreply.gitea.com >
Co-authored-by: Michal Suchanek <msuchanek@suse.de >
Co-committed-by: Michal Suchanek <msuchanek@suse.de >
2026-02-12 16:16:53 +00:00
ea795775af
fix(deps): update module golang.org/x/crypto to v0.48.0 ( #905 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/905
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-02-10 00:43:00 +00:00
1093ef1524
fix(deps): update module github.com/go-git/go-git/v5 to v5.16.5 ( #904 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/904
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-02-10 00:42:45 +00:00
873a44f897
fix(deps): update module golang.org/x/sys to v0.41.0 ( #901 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/901
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-02-09 05:22:44 +00:00
47f74ea696
fix(deps): update module golang.org/x/oauth2 to v0.35.0 ( #900 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/900
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-02-09 04:56:34 +00:00
49a9032d8a
Move versions/filelocker into dedicated subpackages, and consistent headers in http requests ( #888 )
...
- move filelocker logic into dedicated subpackage
- consistent useragent in requests
Reviewed-on: https://gitea.com/gitea/tea/pulls/888
Co-authored-by: techknowlogick <techknowlogick@gitea.com >
Co-committed-by: techknowlogick <techknowlogick@gitea.com >
2026-02-05 18:05:43 +00:00
29488a1f46
build w/ go1.25 ( #886 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/886
Co-authored-by: techknowlogick <techknowlogick@gitea.com >
Co-committed-by: techknowlogick <techknowlogick@gitea.com >
2026-02-04 19:27:25 +00:00
037d1aad23
fix(deps): update module github.com/charmbracelet/lipgloss to v2 ( #885 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/885
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-02-04 00:56:04 +00:00
ae9eb4f2c0
Add locking to ensure safe concurrent access to config file ( #881 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/881
Co-authored-by: techknowlogick <techknowlogick@gitea.com >
Co-committed-by: techknowlogick <techknowlogick@gitea.com >
2026-02-03 23:48:18 +00:00
864face284
fix(deps): update module golang.org/x/oauth2 to v0.34.0 ( #878 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/878
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-02-03 01:06:03 +00:00
383c5fdc03
fix(deps): update module github.com/urfave/cli/v3 to v3.6.2 ( #876 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/876
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-02-03 01:00:21 +00:00
7801310a18
fix(deps): update module github.com/olekukonko/tablewriter to v1.1.3 ( #875 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/875
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2026-02-03 01:00:03 +00:00
ae740a66e8
update sdk version ( #868 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/868
Co-authored-by: techknowlogick <techknowlogick@gitea.com >
Co-committed-by: techknowlogick <techknowlogick@gitea.com >
2026-02-02 19:54:44 +00:00
587b31503d
Upgrade dependencies ( #849 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/849
2025-11-24 19:21:55 +00:00
45771265c4
update gitea sdk to v0.22 ( #813 )
...
needed because of: https://gitea.com/gitea/go-sdk/commit/25b5fb0ff757f95731b5f3240153a4da59cf6c68
closes: https://gitea.com/gitea/tea/issues/812
Reviewed-on: https://gitea.com/gitea/tea/pulls/813
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com >
Co-committed-by: TheFox0x7 <thefox0x7@gmail.com >
2025-09-10 23:18:05 +00:00
4c00b8b571
Use bubbletea instead of survey for interacting with TUI ( #786 )
...
Fix #772
Reviewed-on: https://gitea.com/gitea/tea/pulls/786
Reviewed-by: Bo-Yi Wu (吳柏毅) <appleboy.tw@gmail.com >
2025-08-11 18:23:52 +00:00
ffff540aa7
fix(deps): update module github.com/urfave/cli/v3 to v3.3.8 ( #766 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/urfave/cli/v3](https://github.com/urfave/cli ) | require | patch | `v3.3.3` -> `v3.3.8` |
---
### Release Notes
<details>
<summary>urfave/cli (github.com/urfave/cli/v3)</summary>
### [`v3.3.8`](https://github.com/urfave/cli/releases/tag/v3.3.8 )
[Compare Source](https://github.com/urfave/cli/compare/v3.3.7...v3.3.8 )
#### What's Changed
- Remove "alpha" wording around `v3` series by [@​meatballhat](https://github.com/meatballhat ) in https://github.com/urfave/cli/pull/2155
**Full Changelog**: https://github.com/urfave/cli/compare/v3.3.7...v3.3.8
### [`v3.3.7`](https://github.com/urfave/cli/releases/tag/v3.3.7 )
[Compare Source](https://github.com/urfave/cli/compare/v3.3.6...v3.3.7 )
#### What's Changed
- fix: add missing `IsLocal` for BoolWithInverseFlag by [@​huiyifyj](https://github.com/huiyifyj ) in https://github.com/urfave/cli/pull/2151
- Fix OnUsageError Trigger When Error Is Caused by Mutually Exclusive Flags by [@​Ali-Doustkani](https://github.com/Ali-Doustkani ) in https://github.com/urfave/cli/pull/2152
#### New Contributors
- [@​Ali-Doustkani](https://github.com/Ali-Doustkani ) made their first contribution in https://github.com/urfave/cli/pull/2152
**Full Changelog**: https://github.com/urfave/cli/compare/v3.3.6...v3.3.7
### [`v3.3.6`](https://github.com/urfave/cli/releases/tag/v3.3.6 )
[Compare Source](https://github.com/urfave/cli/compare/v3.3.5...v3.3.6 )
#### What's Changed
- Fish completions with identically named sub-commands now work by [@​bittrance](https://github.com/bittrance ) in https://github.com/urfave/cli/pull/2130
**Full Changelog**: https://github.com/urfave/cli/compare/v3.3.5...v3.3.6
### [`v3.3.5`](https://github.com/urfave/cli/releases/tag/v3.3.5 )
[Compare Source](https://github.com/urfave/cli/compare/v3.3.4...v3.3.5 )
#### What's Changed
- Fix:(issue\_2137) Ensure default value for bool with inverse flag is h… by [@​dearchap](https://github.com/dearchap ) in https://github.com/urfave/cli/pull/2138
- Fix:(issue\_2131) Show help text for BoolWithInverseFlag by [@​Juneezee](https://github.com/Juneezee ) in https://github.com/urfave/cli/pull/2142
**Full Changelog**: https://github.com/urfave/cli/compare/v3.3.4...v3.3.5
### [`v3.3.4`](https://github.com/urfave/cli/releases/tag/v3.3.4 )
[Compare Source](https://github.com/urfave/cli/compare/v3.3.3...v3.3.4 )
#### What's Changed
- Fix Docs(issue\_2125) Add PathFlag to StringFlag migration by [@​dearchap](https://github.com/dearchap ) in https://github.com/urfave/cli/pull/2136
- fix: remove extraneous space from subcommand help template by [@​G-Rath](https://github.com/G-Rath ) in https://github.com/urfave/cli/pull/2140
- Fix:(issue\_2135) Correct formatting of default subcommand USAGE text by [@​zzspoon](https://github.com/zzspoon ) in https://github.com/urfave/cli/pull/2139
#### New Contributors
- [@​zzspoon](https://github.com/zzspoon ) made their first contribution in https://github.com/urfave/cli/pull/2139
**Full Changelog**: https://github.com/urfave/cli/compare/v3.3.3...v3.3.4
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC40OS42IiwidXBkYXRlZEluVmVyIjoiNDAuNDkuNiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Reviewed-on: https://gitea.com/gitea/tea/pulls/766
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2025-06-16 17:07:00 +00:00
f09d6ca46b
fix(deps): update module github.com/go-git/go-git/v5 to v5.16.2 ( #765 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/765
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2025-06-10 14:52:26 +00:00
0e54bae0c4
migrate tea to urfave v3 ( #760 )
...
I tested this somewhat, but I haven't been using the cli before so I'm not sure if there are changes - there shouldn't be though.
Reviewed-on: https://gitea.com/gitea/tea/pulls/760
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com >
Co-committed-by: TheFox0x7 <thefox0x7@gmail.com >
2025-06-10 05:19:59 +00:00
177b7397f3
fix(deps): update module github.com/go-git/go-git/v5 to v5.16.1 ( #762 )
...
Reviewed-on: https://gitea.com/gitea/tea/pulls/762
Co-authored-by: Renovate Bot <renovate-bot@gitea.com >
Co-committed-by: Renovate Bot <renovate-bot@gitea.com >
2025-06-06 00:13:48 +00:00
Lunny Xiao
