Log the real reason when authentication fails (but don't show the user) (#25414 ) (#25660 )

Backport #25414 by @lunny Fix #24498 Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Fix UI misalignment on user setting page (#25629 ) (#25656 )
2023-07-03 19:26:36 -04:00 · 2023-07-03 21:16:58 +00:00 · 2023-07-03 16:17:30 +02:00 · 2023-07-03 16:14:25 +02:00 · 2023-07-03 14:23:35 +03:00 · 2023-07-03 17:09:38 +08:00
3819 changed files with 71582 additions and 111567 deletions
--- a/.changelog.yml
+++ b/.changelog.yml
@ -13,42 +13,46 @@ groups:
  -
    name: BREAKING
    labels:
-      - pr/breaking
+      - kind/breaking
  -
    name: SECURITY
    labels:
-      - topic/security
+      - kind/security
  -
    name: FEATURES
    labels:
-      - type/feature
+      - kind/feature
  -
    name: API
    labels:
-      - modifies/api
+      - kind/api
  -
    name: ENHANCEMENTS
    labels:
-      - type/enhancement
-      - type/refactoring
-      - topic/ui
+      - kind/enhancement
+      - kind/refactor
+      - kind/ui
  -
    name: BUGFIXES
    labels:
-      - type/bug
+      - kind/bug
  -
    name: TESTING
    labels:
-      - type/testing
+      - kind/testing
+  -
+    name: TRANSLATION
+    labels:
+      - kind/translation
  -
    name: BUILD
    labels:
-      - topic/build
-      - topic/code-linting
+      - kind/build
+      - kind/lint
  -
    name: DOCS
    labels:
-      - type/docs
+      - kind/docs
  -
    name: MISC
    default: true
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -1,40 +0,0 @@
-{
-  "name": "Gitea DevContainer",
-  "image": "mcr.microsoft.com/devcontainers/go:1.22-bullseye",
-  "features": {
-    // installs nodejs into container
-    "ghcr.io/devcontainers/features/node:1": {
-      "version":"20"
-    },
-    "ghcr.io/devcontainers/features/git-lfs:1.1.0": {},
-    "ghcr.io/devcontainers-contrib/features/poetry:2": {},
-    "ghcr.io/devcontainers/features/python:1": {
-      "version": "3.12"
-    }
-  },
-  "customizations": {
-    "vscode": {
-      "settings": {},
-      // same extensions as Gitpod, should match /.gitpod.yml
-      "extensions": [
-        "editorconfig.editorconfig",
-        "dbaeumer.vscode-eslint",
-        "golang.go",
-        "stylelint.vscode-stylelint",
-        "DavidAnson.vscode-markdownlint",
-        "Vue.volar",
-        "ms-azuretools.vscode-docker",
-        "zixuanchen.vitest-explorer",
-        "qwtel.sqlite-viewer",
-        "GitHub.vscode-pull-request-github"
-      ]
-    }
-  },
-  "portsAttributes": {
-    "3000": {
-      "label": "Gitea Web",
-      "onAutoForward": "notify"
-    }
-  },
-  "postCreateCommand": "make deps"
-}
--- a/.dockerignore
+++ b/.dockerignore
@ -75,10 +75,10 @@ cpu.out
 /yarn.lock
 /yarn-error.log
 /npm-debug.log*
-/public/assets/js
-/public/assets/css
-/public/assets/fonts
-/public/assets/img/webpack
+/public/js
+/public/css
+/public/fonts
+/public/img/webpack
 /vendor
 /web_src/fomantic/node_modules
 /web_src/fomantic/build/*
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,426 @@
+---
+kind: pipeline
+name: release-version
+
+platform:
+  os: linux
+  arch: amd64
+
+workspace:
+  base: /source
+  path: /
+
+trigger:
+  event:
+    - tag
+
+volumes:
+  - name: deps
+    temp: {}
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    pull: always
+    commands:
+      - git fetch --tags --force
+
+  - name: deps-frontend
+    image: node:20
+    pull: always
+    commands:
+      - make deps-frontend
+
+  - name: deps-backend
+    image: gitea/test_env:linux-1.20-amd64
+    pull: always
+    commands:
+      - make deps-backend
+    volumes:
+      - name: deps
+        path: /go
+
+  - name: static
+    image: techknowlogick/xgo:go-1.20.x
+    pull: always
+    commands:
+      # Upgrade to node 20 once https://github.com/techknowlogick/xgo/issues/163 is resolved
+      - curl -sL https://deb.nodesource.com/setup_16.x | bash - && apt-get -qqy install nodejs
+      - export PATH=$PATH:$GOPATH/bin
+      - make release
+    environment:
+      GOPROXY: https://goproxy.io # proxy.golang.org is blocked in China, this proxy is not
+      TAGS: bindata sqlite sqlite_unlock_notify
+      DEBIAN_FRONTEND: noninteractive
+    depends_on: [fetch-tags]
+    volumes:
+      - name: deps
+        path: /go
+
+  - name: gpg-sign
+    image: plugins/gpgsign:1
+    pull: always
+    settings:
+      detach_sign: true
+      excludes:
+        - "dist/release/*.sha256"
+      files:
+        - "dist/release/*"
+    environment:
+      GPGSIGN_KEY:
+        from_secret: gpgsign_key
+      GPGSIGN_PASSPHRASE:
+        from_secret: gpgsign_passphrase
+    depends_on: [static]
+
+  - name: release-tag
+    image: woodpeckerci/plugin-s3:latest
+    pull: always
+    settings:
+      acl:
+        from_secret: aws_s3_acl
+      region:
+        from_secret: aws_s3_region
+      bucket:
+        from_secret: aws_s3_bucket
+      endpoint:
+        from_secret: aws_s3_endpoint
+      path_style:
+        from_secret: aws_s3_path_style
+      source: "dist/release/*"
+      strip_prefix: dist/release/
+      target: "/gitea/${DRONE_TAG##v}"
+    environment:
+      AWS_ACCESS_KEY_ID:
+        from_secret: aws_access_key_id
+      AWS_SECRET_ACCESS_KEY:
+        from_secret: aws_secret_access_key
+    depends_on: [gpg-sign]
+
+  - name: github
+    image: plugins/github-release:latest
+    pull: always
+    settings:
+      files:
+        - "dist/release/*"
+      file_exists: overwrite
+    environment:
+      GITHUB_TOKEN:
+        from_secret: github_token
+    depends_on: [gpg-sign]
+
+---
+kind: pipeline
+type: docker
+name: docker-linux-amd64-release-version
+
+platform:
+  os: linux
+  arch: amd64
+
+trigger:
+  ref:
+    include:
+      - "refs/tags/**"
+    exclude:
+      - "refs/tags/**-rc*"
+  paths:
+    exclude:
+      - "docs/**"
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    pull: always
+    commands:
+      - git fetch --tags --force
+
+  - name: publish
+    image: plugins/docker:latest
+    pull: always
+    settings:
+      auto_tag: true
+      auto_tag_suffix: linux-amd64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+      DOCKER_BUILDKIT: 1
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: plugins/docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      auto_tag: true
+      auto_tag_suffix: linux-amd64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+      DOCKER_BUILDKIT: 1
+    when:
+      event:
+        exclude:
+        - pull_request
+---
+
+kind: pipeline
+type: docker
+name: docker-linux-amd64-release-candidate-version
+
+platform:
+  os: linux
+  arch: amd64
+
+trigger:
+  ref:
+    - "refs/tags/**-rc*"
+  paths:
+    exclude:
+      - "docs/**"
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    pull: always
+    commands:
+      - git fetch --tags --force
+
+  - name: publish
+    image: plugins/docker:latest
+    pull: always
+    settings:
+      tags: ${DRONE_TAG##v}-linux-amd64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+      DOCKER_BUILDKIT: 1
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: plugins/docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      tags: ${DRONE_TAG##v}-linux-amd64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+      DOCKER_BUILDKIT: 1
+    when:
+      event:
+        exclude:
+        - pull_request
+
+---
+kind: pipeline
+type: docker
+name: docker-linux-arm64-release-version
+
+platform:
+  os: linux
+  arch: arm64
+
+trigger:
+  ref:
+    include:
+      - "refs/tags/**"
+    exclude:
+      - "refs/tags/**-rc*"
+  paths:
+    exclude:
+      - "docs/**"
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    pull: always
+    commands:
+      - git fetch --tags --force
+
+  - name: publish
+    image: plugins/docker:latest
+    pull: always
+    settings:
+      auto_tag: true
+      auto_tag_suffix: linux-arm64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+      DOCKER_BUILDKIT: 1
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: plugins/docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      auto_tag: true
+      auto_tag_suffix: linux-arm64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+      DOCKER_BUILDKIT: 1
+    when:
+      event:
+        exclude:
+        - pull_request
+
+---
+kind: pipeline
+type: docker
+name: docker-linux-arm64-release-candidate-version
+
+platform:
+  os: linux
+  arch: arm64
+
+trigger:
+  ref:
+    - "refs/tags/**-rc*"
+  paths:
+    exclude:
+      - "docs/**"
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    pull: always
+    commands:
+      - git fetch --tags --force
+
+  - name: publish
+    image: plugins/docker:latest
+    pull: always
+    settings:
+      tags: ${DRONE_TAG##v}-linux-arm64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+      DOCKER_BUILDKIT: 1
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: plugins/docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      tags: ${DRONE_TAG##v}-linux-arm64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=https://goproxy.io
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+      DOCKER_BUILDKIT: 1
+    when:
+      event:
+        exclude:
+        - pull_request
+
+---
+kind: pipeline
+type: docker
+name: docker-manifest-version
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+  - name: manifest-rootless
+    image: plugins/manifest
+    pull: always
+    settings:
+      auto_tag: true
+      ignore_missing: true
+      spec: docker/manifest.rootless.tmpl
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+
+  - name: manifest
+    image: plugins/manifest
+    settings:
+      auto_tag: true
+      ignore_missing: true
+      spec: docker/manifest.tmpl
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+
+trigger:
+  ref:
+  - "refs/tags/**"
+  paths:
+    exclude:
+      - "docs/**"
+
+depends_on:
+  - docker-linux-amd64-release-version
+  - docker-linux-amd64-release-candidate-version
+  - docker-linux-arm64-release-version
+  - docker-linux-arm64-release-candidate-version
--- a/.eslintrc.yaml
+++ b/.eslintrc.yaml
@ -10,29 +10,25 @@ parserOptions:

 plugins:
  - "@eslint-community/eslint-plugin-eslint-comments"
-  - "@stylistic/eslint-plugin-js"
  - eslint-plugin-array-func
-  - eslint-plugin-github
-  - eslint-plugin-i
+  - eslint-plugin-custom-elements
+  - eslint-plugin-import
  - eslint-plugin-jquery
  - eslint-plugin-no-jquery
  - eslint-plugin-no-use-extend-native
  - eslint-plugin-regexp
  - eslint-plugin-sonarjs
  - eslint-plugin-unicorn
-  - eslint-plugin-vitest
-  - eslint-plugin-vitest-globals
  - eslint-plugin-wc

 env:
-  es2024: true
+  es2022: true
  node: true

+globals:
+  __webpack_public_path__: true
+
 overrides:
-  - files: ["web_src/**/*"]
-    globals:
-      __webpack_public_path__: true
-      process: false # https://github.com/webpack/webpack/issues/15833
  - files: ["web_src/**/*", "docs/**/*"]
    env:
      browser: true
@ -44,67 +40,11 @@ overrides:
      no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, status, statusbar, stop, toolbar, top]
  - files: ["build/generate-images.js"]
    rules:
-      i/no-unresolved: [0]
-      i/no-extraneous-dependencies: [0]
+      import/no-unresolved: [0]
+      import/no-extraneous-dependencies: [0]
  - files: ["*.config.*"]
    rules:
-      i/no-unused-modules: [0]
-  - files: ["**/*.test.*", "web_src/js/test/setup.js"]
-    env:
-      vitest-globals/env: true
-    rules:
-      vitest/consistent-test-filename: [0]
-      vitest/consistent-test-it: [0]
-      vitest/expect-expect: [0]
-      vitest/max-expects: [0]
-      vitest/max-nested-describe: [0]
-      vitest/no-alias-methods: [0]
-      vitest/no-commented-out-tests: [0]
-      vitest/no-conditional-expect: [0]
-      vitest/no-conditional-in-test: [0]
-      vitest/no-conditional-tests: [0]
-      vitest/no-disabled-tests: [0]
-      vitest/no-done-callback: [0]
-      vitest/no-duplicate-hooks: [0]
-      vitest/no-focused-tests: [0]
-      vitest/no-hooks: [0]
-      vitest/no-identical-title: [2]
-      vitest/no-interpolation-in-snapshots: [0]
-      vitest/no-large-snapshots: [0]
-      vitest/no-mocks-import: [0]
-      vitest/no-restricted-matchers: [0]
-      vitest/no-restricted-vi-methods: [0]
-      vitest/no-standalone-expect: [0]
-      vitest/no-test-prefixes: [0]
-      vitest/no-test-return-statement: [0]
-      vitest/prefer-called-with: [0]
-      vitest/prefer-comparison-matcher: [0]
-      vitest/prefer-each: [0]
-      vitest/prefer-equality-matcher: [0]
-      vitest/prefer-expect-resolves: [0]
-      vitest/prefer-hooks-in-order: [0]
-      vitest/prefer-hooks-on-top: [2]
-      vitest/prefer-lowercase-title: [0]
-      vitest/prefer-mock-promise-shorthand: [0]
-      vitest/prefer-snapshot-hint: [0]
-      vitest/prefer-spy-on: [0]
-      vitest/prefer-strict-equal: [0]
-      vitest/prefer-to-be: [0]
-      vitest/prefer-to-be-falsy: [0]
-      vitest/prefer-to-be-object: [0]
-      vitest/prefer-to-be-truthy: [0]
-      vitest/prefer-to-contain: [0]
-      vitest/prefer-to-have-length: [0]
-      vitest/prefer-todo: [0]
-      vitest/require-hook: [0]
-      vitest/require-to-throw-message: [0]
-      vitest/require-top-level-describe: [0]
-      vitest/valid-describe-callback: [2]
-      vitest/valid-expect: [2]
-      vitest/valid-title: [2]
-  - files: ["web_src/js/modules/fetch.js", "web_src/js/standalone/**/*"]
-    rules:
-      no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement, SequenceExpression]
+      import/no-unused-modules: [0]

 rules:
  "@eslint-community/eslint-comments/disable-enable-pair": [2]
@ -116,74 +56,11 @@ rules:
  "@eslint-community/eslint-comments/no-unused-enable": [2]
  "@eslint-community/eslint-comments/no-use": [0]
  "@eslint-community/eslint-comments/require-description": [0]
-  "@stylistic/js/array-bracket-newline": [0]
-  "@stylistic/js/array-bracket-spacing": [2, never]
-  "@stylistic/js/array-element-newline": [0]
-  "@stylistic/js/arrow-parens": [2, always]
-  "@stylistic/js/arrow-spacing": [2, {before: true, after: true}]
-  "@stylistic/js/block-spacing": [0]
-  "@stylistic/js/brace-style": [2, 1tbs, {allowSingleLine: true}]
-  "@stylistic/js/comma-dangle": [2, only-multiline]
-  "@stylistic/js/comma-spacing": [2, {before: false, after: true}]
-  "@stylistic/js/comma-style": [2, last]
-  "@stylistic/js/computed-property-spacing": [2, never]
-  "@stylistic/js/dot-location": [2, property]
-  "@stylistic/js/eol-last": [2]
-  "@stylistic/js/function-call-spacing": [2, never]
-  "@stylistic/js/function-call-argument-newline": [0]
-  "@stylistic/js/function-paren-newline": [0]
-  "@stylistic/js/generator-star-spacing": [0]
-  "@stylistic/js/implicit-arrow-linebreak": [0]
-  "@stylistic/js/indent": [2, 2, {ignoreComments: true, SwitchCase: 1}]
-  "@stylistic/js/key-spacing": [2]
-  "@stylistic/js/keyword-spacing": [2]
-  "@stylistic/js/linebreak-style": [2, unix]
-  "@stylistic/js/lines-around-comment": [0]
-  "@stylistic/js/lines-between-class-members": [0]
-  "@stylistic/js/max-len": [0]
-  "@stylistic/js/max-statements-per-line": [0]
-  "@stylistic/js/multiline-ternary": [0]
-  "@stylistic/js/new-parens": [2]
-  "@stylistic/js/newline-per-chained-call": [0]
-  "@stylistic/js/no-confusing-arrow": [0]
-  "@stylistic/js/no-extra-parens": [0]
-  "@stylistic/js/no-extra-semi": [2]
-  "@stylistic/js/no-floating-decimal": [0]
-  "@stylistic/js/no-mixed-operators": [0]
-  "@stylistic/js/no-mixed-spaces-and-tabs": [2]
-  "@stylistic/js/no-multi-spaces": [2, {ignoreEOLComments: true, exceptions: {Property: true}}]
-  "@stylistic/js/no-multiple-empty-lines": [2, {max: 1, maxEOF: 0, maxBOF: 0}]
-  "@stylistic/js/no-tabs": [2]
-  "@stylistic/js/no-trailing-spaces": [2]
-  "@stylistic/js/no-whitespace-before-property": [2]
-  "@stylistic/js/nonblock-statement-body-position": [2]
-  "@stylistic/js/object-curly-newline": [0]
-  "@stylistic/js/object-curly-spacing": [2, never]
-  "@stylistic/js/object-property-newline": [0]
-  "@stylistic/js/one-var-declaration-per-line": [0]
-  "@stylistic/js/operator-linebreak": [2, after]
-  "@stylistic/js/padded-blocks": [2, never]
-  "@stylistic/js/padding-line-between-statements": [0]
-  "@stylistic/js/quote-props": [0]
-  "@stylistic/js/quotes": [2, single, {avoidEscape: true, allowTemplateLiterals: true}]
-  "@stylistic/js/rest-spread-spacing": [2, never]
-  "@stylistic/js/semi": [2, always, {omitLastInOneLineBlock: true}]
-  "@stylistic/js/semi-spacing": [2, {before: false, after: true}]
-  "@stylistic/js/semi-style": [2, last]
-  "@stylistic/js/space-before-blocks": [2, always]
-  "@stylistic/js/space-before-function-paren": [0]
-  "@stylistic/js/space-in-parens": [2, never]
-  "@stylistic/js/space-infix-ops": [2]
-  "@stylistic/js/space-unary-ops": [2]
-  "@stylistic/js/spaced-comment": [2, always]
-  "@stylistic/js/switch-colon-spacing": [2]
-  "@stylistic/js/template-curly-spacing": [2, never]
-  "@stylistic/js/template-tag-spacing": [2, never]
-  "@stylistic/js/wrap-iife": [2, inside]
-  "@stylistic/js/wrap-regex": [0]
-  "@stylistic/js/yield-star-spacing": [2, after]
  accessor-pairs: [2]
+  array-bracket-newline: [0]
+  array-bracket-spacing: [2, never]
  array-callback-return: [2, {checkForEach: true}]
+  array-element-newline: [0]
  array-func/avoid-reverse: [2]
  array-func/from-map: [2]
  array-func/no-unnecessary-this-arg: [2]
@ -191,96 +68,101 @@ rules:
  array-func/prefer-flat-map: [0] # handled by unicorn/prefer-array-flat-map
  array-func/prefer-flat: [0] # handled by unicorn/prefer-array-flat
  arrow-body-style: [0]
+  arrow-parens: [2, always]
+  arrow-spacing: [2, {before: true, after: true}]
  block-scoped-var: [2]
+  brace-style: [2, 1tbs, {allowSingleLine: true}]
  camelcase: [0]
  capitalized-comments: [0]
  class-methods-use-this: [0]
+  comma-dangle: [2, only-multiline]
+  comma-spacing: [2, {before: false, after: true}]
+  comma-style: [2, last]
  complexity: [0]
+  computed-property-spacing: [2, never]
  consistent-return: [0]
  consistent-this: [0]
  constructor-super: [2]
  curly: [0]
+  custom-elements/expose-class-on-global: [0]
+  custom-elements/extends-correct-class: [2]
+  custom-elements/file-name-matches-element: [2]
+  custom-elements/no-constructor: [2]
+  custom-elements/no-customized-built-in-elements: [2]
+  custom-elements/no-dom-traversal-in-attributechangedcallback: [2]
+  custom-elements/no-dom-traversal-in-connectedcallback: [2]
+  custom-elements/no-exports-with-element: [2]
+  custom-elements/no-method-prefixed-with-on: [2]
+  custom-elements/no-unchecked-define: [0]
+  custom-elements/one-element-per-file: [0]
+  custom-elements/tag-name-matches-class: [2]
+  custom-elements/valid-tag-name: [2]
  default-case-last: [2]
  default-case: [0]
  default-param-last: [0]
+  dot-location: [2, property]
  dot-notation: [0]
+  eol-last: [2]
  eqeqeq: [2]
  for-direction: [2]
+  func-call-spacing: [2, never]
  func-name-matching: [2]
  func-names: [0]
  func-style: [0]
+  function-call-argument-newline: [0]
+  function-paren-newline: [0]
+  generator-star-spacing: [0]
  getter-return: [2]
-  github/a11y-aria-label-is-well-formatted: [0]
-  github/a11y-no-title-attribute: [0]
-  github/a11y-no-visually-hidden-interactive-element: [0]
-  github/a11y-role-supports-aria-props: [0]
-  github/a11y-svg-has-accessible-name: [0]
-  github/array-foreach: [0]
-  github/async-currenttarget: [2]
-  github/async-preventdefault: [2]
-  github/authenticity-token: [0]
-  github/get-attribute: [0]
-  github/js-class-name: [0]
-  github/no-blur: [0]
-  github/no-d-none: [0]
-  github/no-dataset: [2]
-  github/no-dynamic-script-tag: [2]
-  github/no-implicit-buggy-globals: [2]
-  github/no-inner-html: [0]
-  github/no-innerText: [2]
-  github/no-then: [2]
-  github/no-useless-passive: [2]
-  github/prefer-observers: [2]
-  github/require-passive-events: [2]
-  github/unescaped-html-literal: [0]
  grouped-accessor-pairs: [2]
  guard-for-in: [0]
  id-blacklist: [0]
  id-length: [0]
  id-match: [0]
-  i/consistent-type-specifier-style: [0]
-  i/default: [0]
-  i/dynamic-import-chunkname: [0]
-  i/export: [2]
-  i/exports-last: [0]
-  i/extensions: [2, always, {ignorePackages: true}]
-  i/first: [2]
-  i/group-exports: [0]
-  i/max-dependencies: [0]
-  i/named: [2]
-  i/namespace: [0]
-  i/newline-after-import: [0]
-  i/no-absolute-path: [0]
-  i/no-amd: [2]
-  i/no-anonymous-default-export: [0]
-  i/no-commonjs: [2]
-  i/no-cycle: [2, {ignoreExternal: true, maxDepth: 1}]
-  i/no-default-export: [0]
-  i/no-deprecated: [0]
-  i/no-dynamic-require: [0]
-  i/no-empty-named-blocks: [2]
-  i/no-extraneous-dependencies: [2]
-  i/no-import-module-exports: [0]
-  i/no-internal-modules: [0]
-  i/no-mutable-exports: [0]
-  i/no-named-as-default-member: [0]
-  i/no-named-as-default: [2]
-  i/no-named-default: [0]
-  i/no-named-export: [0]
-  i/no-namespace: [0]
-  i/no-nodejs-modules: [0]
-  i/no-relative-packages: [0]
-  i/no-relative-parent-imports: [0]
-  i/no-restricted-paths: [0]
-  i/no-self-import: [2]
-  i/no-unassigned-import: [0]
-  i/no-unresolved: [2, {commonjs: true, ignore: ["\\?.+$", ^vitest/]}]
-  i/no-unused-modules: [2, {unusedExports: true}]
-  i/no-useless-path-segments: [2, {commonjs: true}]
-  i/no-webpack-loader-syntax: [2]
-  i/order: [0]
-  i/prefer-default-export: [0]
-  i/unambiguous: [0]
+  implicit-arrow-linebreak: [0]
+  import/consistent-type-specifier-style: [0]
+  import/default: [0]
+  import/dynamic-import-chunkname: [0]
+  import/export: [2]
+  import/exports-last: [0]
+  import/extensions: [2, always, {ignorePackages: true}]
+  import/first: [2]
+  import/group-exports: [0]
+  import/max-dependencies: [0]
+  import/named: [2]
+  import/namespace: [0]
+  import/newline-after-import: [0]
+  import/no-absolute-path: [0]
+  import/no-amd: [2]
+  import/no-anonymous-default-export: [0]
+  import/no-commonjs: [2]
+  import/no-cycle: [2, {ignoreExternal: true, maxDepth: 1}]
+  import/no-default-export: [0]
+  import/no-deprecated: [0]
+  import/no-dynamic-require: [0]
+  import/no-empty-named-blocks: [2]
+  import/no-extraneous-dependencies: [2]
+  import/no-import-module-exports: [0]
+  import/no-internal-modules: [0]
+  import/no-mutable-exports: [0]
+  import/no-named-as-default-member: [0]
+  import/no-named-as-default: [2]
+  import/no-named-default: [0]
+  import/no-named-export: [0]
+  import/no-namespace: [0]
+  import/no-nodejs-modules: [0]
+  import/no-relative-packages: [0]
+  import/no-relative-parent-imports: [0]
+  import/no-restricted-paths: [0]
+  import/no-self-import: [2]
+  import/no-unassigned-import: [0]
+  import/no-unresolved: [2, {commonjs: true, ignore: ["\\?.+$"]}]
+  import/no-unused-modules: [2, {unusedExports: true}]
+  import/no-useless-path-segments: [2, {commonjs: true}]
+  import/no-webpack-loader-syntax: [2]
+  import/order: [0]
+  import/prefer-default-export: [0]
+  import/unambiguous: [0]
+  indent: [2, 2, {SwitchCase: 1}]
  init-declarations: [0]
  jquery/no-ajax-events: [2]
  jquery/no-ajax: [0]
@ -296,7 +178,7 @@ rules:
  jquery/no-delegate: [2]
  jquery/no-each: [0]
  jquery/no-extend: [2]
-  jquery/no-fade: [2]
+  jquery/no-fade: [0]
  jquery/no-filter: [0]
  jquery/no-find: [0]
  jquery/no-global-eval: [2]
@ -309,7 +191,7 @@ rules:
  jquery/no-is-function: [2]
  jquery/no-is: [0]
  jquery/no-load: [2]
-  jquery/no-map: [2]
+  jquery/no-map: [0]
  jquery/no-merge: [2]
  jquery/no-param: [2]
  jquery/no-parent: [0]
@ -331,17 +213,27 @@ rules:
  jquery/no-val: [0]
  jquery/no-when: [2]
  jquery/no-wrap: [2]
+  key-spacing: [2]
+  keyword-spacing: [2]
  line-comment-position: [0]
+  linebreak-style: [2, unix]
+  lines-around-comment: [0]
+  lines-between-class-members: [0]
  logical-assignment-operators: [0]
  max-classes-per-file: [0]
  max-depth: [0]
+  max-len: [0]
  max-lines-per-function: [0]
  max-lines: [0]
  max-nested-callbacks: [0]
  max-params: [0]
+  max-statements-per-line: [0]
  max-statements: [0]
  multiline-comment-style: [2, separate-lines]
+  multiline-ternary: [0]
  new-cap: [0]
+  new-parens: [2]
+  newline-per-chained-call: [0]
  no-alert: [0]
  no-array-constructor: [2]
  no-async-promise-executor: [0]
@ -353,6 +245,7 @@ rules:
  no-class-assign: [2]
  no-compare-neg-zero: [2]
  no-cond-assign: [2, except-parens]
+  no-confusing-arrow: [0]
  no-console: [1, {allow: [debug, info, warn, error]}]
  no-const-assign: [2]
  no-constant-binary-expression: [2]
@ -382,7 +275,10 @@ rules:
  no-extra-bind: [2]
  no-extra-boolean-cast: [2]
  no-extra-label: [0]
+  no-extra-parens: [0]
+  no-extra-semi: [2]
  no-fallthrough: [2]
+  no-floating-decimal: [0]
  no-func-assign: [2]
  no-global-assign: [2]
  no-implicit-coercion: [2]
@ -451,7 +347,7 @@ rules:
  no-jquery/no-load: [2]
  no-jquery/no-map-collection: [0]
  no-jquery/no-map-util: [2]
-  no-jquery/no-map: [2]
+  no-jquery/no-map: [0]
  no-jquery/no-merge: [2]
  no-jquery/no-node-name: [2]
  no-jquery/no-noop: [2]
@ -496,7 +392,10 @@ rules:
  no-loss-of-precision: [2]
  no-magic-numbers: [0]
  no-misleading-character-class: [2]
+  no-mixed-operators: [0]
+  no-mixed-spaces-and-tabs: [2]
  no-multi-assign: [0]
+  no-multi-spaces: [2, {ignoreEOLComments: true, exceptions: {Property: true}}]
  no-multi-str: [2]
  no-negated-condition: [0]
  no-nested-ternary: [0]
@ -520,8 +419,9 @@ rules:
  no-restricted-exports: [0]
  no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, location, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, self, status, statusbar, stop, toolbar, top, __dirname, __filename]
  no-restricted-imports: [0]
-  no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement, SequenceExpression, {selector: "CallExpression[callee.name='fetch']", message: "use modules/fetch.js instead"}]
+  no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement]
  no-return-assign: [0]
+  no-return-await: [0]
  no-script-url: [2]
  no-self-assign: [2, {props: true}]
  no-self-compare: [2]
@ -530,10 +430,12 @@ rules:
  no-shadow-restricted-names: [2]
  no-shadow: [0]
  no-sparse-arrays: [2]
+  no-tabs: [2]
  no-template-curly-in-string: [2]
  no-ternary: [0]
  no-this-before-super: [2]
  no-throw-literal: [2]
+  no-trailing-spaces: [2]
  no-undef-init: [2]
  no-undef: [2, {typeof: true}]
  no-undefined: [0]
@ -563,25 +465,33 @@ rules:
  no-var: [2]
  no-void: [2]
  no-warning-comments: [0]
+  no-whitespace-before-property: [2]
  no-with: [0] # handled by no-restricted-syntax
+  nonblock-statement-body-position: [2]
+  object-curly-newline: [0]
+  object-curly-spacing: [2, never]
  object-shorthand: [2, always]
  one-var-declaration-per-line: [0]
  one-var: [0]
  operator-assignment: [2, always]
  operator-linebreak: [2, after]
+  padded-blocks: [2, never]
+  padding-line-between-statements: [0]
  prefer-arrow-callback: [2, {allowNamedFunctions: true, allowUnboundThis: true}]
  prefer-const: [2, {destructuring: all, ignoreReadBeforeAssign: true}]
  prefer-destructuring: [0]
  prefer-exponentiation-operator: [2]
  prefer-named-capture-group: [0]
  prefer-numeric-literals: [2]
-  prefer-object-has-own: [2]
+  prefer-object-has-own: [0]
  prefer-object-spread: [2]
  prefer-promise-reject-errors: [2, {allowEmptyReject: false}]
  prefer-regex-literals: [2]
  prefer-rest-params: [2]
  prefer-spread: [2]
  prefer-template: [2]
+  quote-props: [0]
+  quotes: [2, single, {avoidEscape: true, allowTemplateLiterals: true}]
  radix: [2, as-needed]
  regexp/confusing-quantifier: [2]
  regexp/control-character-escape: [2]
@ -598,7 +508,6 @@ rules:
  regexp/no-empty-character-class: [0]
  regexp/no-empty-group: [2]
  regexp/no-empty-lookarounds-assertion: [2]
-  regexp/no-empty-string-literal: [2]
  regexp/no-escape-backspace: [2]
  regexp/no-extra-lookaround-assertions: [0]
  regexp/no-invalid-regexp: [2]
@ -629,8 +538,6 @@ rules:
  regexp/no-useless-non-capturing-group: [2]
  regexp/no-useless-quantifier: [2]
  regexp/no-useless-range: [2]
-  regexp/no-useless-set-operand: [2]
-  regexp/no-useless-string-literal: [2]
  regexp/no-useless-two-nums-quantifier: [2]
  regexp/no-zero-quantifier: [2]
  regexp/optimal-lookaround-quantifier: [2]
@ -650,12 +557,10 @@ rules:
  regexp/prefer-regexp-exec: [2]
  regexp/prefer-regexp-test: [2]
  regexp/prefer-result-array-groups: [0]
-  regexp/prefer-set-operation: [2]
  regexp/prefer-star-quantifier: [2]
  regexp/prefer-unicode-codepoint-escapes: [2]
  regexp/prefer-w: [0]
  regexp/require-unicode-regexp: [0]
-  regexp/simplify-set-operations: [2]
  regexp/sort-alternatives: [0]
  regexp/sort-character-class-elements: [0]
  regexp/sort-flags: [0]
@ -666,6 +571,10 @@ rules:
  require-await: [0]
  require-unicode-regexp: [0]
  require-yield: [2]
+  rest-spread-spacing: [2, never]
+  semi-spacing: [2, {before: false, after: true}]
+  semi-style: [2, last]
+  semi: [2, always, {omitLastInOneLineBlock: true}]
  sonarjs/cognitive-complexity: [0]
  sonarjs/elseif-without-else: [0]
  sonarjs/max-switch-cases: [0]
@ -701,8 +610,16 @@ rules:
  sort-imports: [0]
  sort-keys: [0]
  sort-vars: [0]
+  space-before-blocks: [2, always]
+  space-in-parens: [2, never]
+  space-infix-ops: [2]
+  space-unary-ops: [2]
+  spaced-comment: [2, always]
  strict: [0]
+  switch-colon-spacing: [2]
  symbol-description: [2]
+  template-curly-spacing: [2, never]
+  template-tag-spacing: [2, never]
  unicode-bom: [2, never]
  unicorn/better-regex: [0]
  unicorn/catch-error-name: [0]
@ -746,9 +663,9 @@ rules:
  unicorn/no-this-assignment: [2]
  unicorn/no-typeof-undefined: [2]
  unicorn/no-unnecessary-await: [2]
-  unicorn/no-unnecessary-polyfills: [2]
  unicorn/no-unreadable-array-destructuring: [0]
  unicorn/no-unreadable-iife: [2]
+  unicorn/no-unsafe-regex: [0]
  unicorn/no-unused-properties: [2]
  unicorn/no-useless-fallback-in-spread: [2]
  unicorn/no-useless-length-check: [2]
@ -775,7 +692,7 @@ rules:
  unicorn/prefer-dom-node-remove: [2]
  unicorn/prefer-dom-node-text-content: [2]
  unicorn/prefer-event-target: [2]
-  unicorn/prefer-export-from: [0]
+  unicorn/prefer-export-from: [2, {ignoreUsedVariables: true}]
  unicorn/prefer-includes: [2]
  unicorn/prefer-json-parse-buffer: [0]
  unicorn/prefer-keyboard-event-key: [2]
@ -821,25 +738,15 @@ rules:
  valid-typeof: [2, {requireStringLiterals: true}]
  vars-on-top: [0]
  wc/attach-shadow-constructor: [2]
-  wc/define-tag-after-class-definition: [0]
-  wc/expose-class-on-global: [0]
-  wc/file-name-matches-element: [2]
-  wc/guard-define-call: [0]
  wc/guard-super-call: [2]
-  wc/max-elements-per-file: [0]
-  wc/no-child-traversal-in-attributechangedcallback: [2]
-  wc/no-child-traversal-in-connectedcallback: [2]
  wc/no-closed-shadow-root: [2]
  wc/no-constructor-attributes: [2]
  wc/no-constructor-params: [2]
-  wc/no-constructor: [2]
-  wc/no-customized-built-in-elements: [2]
-  wc/no-exports-with-element: [0]
-  wc/no-invalid-element-name: [2]
-  wc/no-invalid-extends: [2]
-  wc/no-method-prefixed-with-on: [2]
+  wc/no-invalid-element-name: [0] # covered by custom-elements/valid-tag-name
  wc/no-self-class: [2]
  wc/no-typos: [2]
  wc/require-listener-teardown: [2]
-  wc/tag-name-matches-class: [2]
+  wrap-iife: [2, inside]
+  wrap-regex: [0]
+  yield-star-spacing: [2, after]
  yoda: [2, never]
--- a/.gitattributes
+++ b/.gitattributes
@ -1,7 +1,7 @@
 * text=auto eol=lf
 *.tmpl linguist-language=Handlebars
 /assets/*.json linguist-generated
-/public/assets/img/svg/*.svg linguist-generated
+/public/img/svg/*.svg linguist-generated
 /templates/swagger/v1_json.tmpl linguist-generated
 /vendor/** -text -eol linguist-vendored
 /web_src/fomantic/build/** linguist-generated
--- a/.gitea/issue_template.md
+++ b/.gitea/issue_template.md
@ -5,7 +5,7 @@
    2. Please ask questions or configuration/deploy problems on our Discord
       server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
    3. Please take a moment to check that your issue doesn't already exist.
-    4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
+    4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
    5. Please give all relevant information below for bug reports, because
       incomplete details will be handled as an invalid report.
 -->
@ -26,7 +26,7 @@
  - [ ] No
 - Log gist:
 <!-- It really is important to provide pertinent logs -->
-<!-- Please read https://docs.gitea.com/administration/logging-config#collecting-logs-for-help -->
+<!-- Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems -->
 <!-- In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini -->

 ## Description
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -1 +1,2 @@
 open_collective: gitea
+custom: https://www.bountysource.com/teams/gitea
--- a/.github/ISSUE_TEMPLATE/bug-report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yaml
@ -1,91 +1,94 @@
 name: Bug Report
 description: Found something you weren't expecting? Report it here!
-labels: ["type/bug"]
+labels: kind/bug
 body:
-  - type: markdown
-    attributes:
-      value: |
-        NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.
-  - type: markdown
-    attributes:
-      value: |
-        1. Please speak English, this is the language all maintainers can speak and write.
-        2. Please ask questions or configuration/deploy problems on our Discord
-           server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
-        3. Make sure you are using the latest release and
-           take a moment to check that your issue hasn't been reported before.
-        4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
-        5. It's really important to provide pertinent details and logs (https://docs.gitea.com/help/support),
-           incomplete details will be handled as an invalid report.
-  - type: textarea
-    id: description
-    attributes:
-      label: Description
-      description: |
-        Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below)
-        If you are using a proxy or a CDN (e.g. Cloudflare) in front of Gitea, please disable the proxy/CDN fully and access Gitea directly to confirm the issue still persists without those services.
-  - type: input
-    id: gitea-ver
-    attributes:
-      label: Gitea Version
-      description: Gitea version (or commit reference) of your instance
-    validations:
-      required: true
-  - type: dropdown
-    id: can-reproduce
-    attributes:
-      label: Can you reproduce the bug on the Gitea demo site?
-      description: |
-        If so, please provide a URL in the Description field
-        URL of Gitea demo: https://try.gitea.io
-      options:
-        - "Yes"
-        - "No"
-    validations:
-      required: true
-  - type: markdown
-    attributes:
-      value: |
-        It's really important to provide pertinent logs
-        Please read https://docs.gitea.com/administration/logging-config#collecting-logs-for-help
-        In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini
-  - type: input
-    id: logs
-    attributes:
-      label: Log Gist
-      description: Please provide a gist URL of your logs, with any sensitive information (e.g. API keys) removed/hidden
-  - type: textarea
-    id: screenshots
-    attributes:
-      label: Screenshots
-      description: If this issue involves the Web Interface, please provide one or more screenshots
-  - type: input
-    id: git-ver
-    attributes:
-      label: Git Version
-      description: The version of git running on the server
-  - type: input
-    id: os-ver
-    attributes:
-      label: Operating System
-      description: The operating system you are using to run Gitea
-  - type: textarea
-    id: run-info
-    attributes:
-      label: How are you running Gitea?
-      description: |
-        Please include information on whether you built Gitea yourself, used one of our downloads, are using https://try.gitea.io or are using some other package
-        Please also tell us how you are running Gitea, e.g. if it is being run from docker, a command-line, systemd etc.
-        If you are using a package or systemd tell us what distribution you are using
-    validations:
-      required: true
-  - type: dropdown
-    id: database
-    attributes:
-      label: Database
-      description: What database system are you running?
-      options:
-        - PostgreSQL
-        - MySQL/MariaDB
-        - MSSQL
-        - SQLite
+- type: markdown
+  attributes:
+    value: |
+      NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.
+- type: markdown
+  attributes:
+    value: |
+      1. Please speak English, this is the language all maintainers can speak and write.
+      2. Please ask questions or configuration/deploy problems on our Discord
+         server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
+      3. Make sure you are using the latest release and
+         take a moment to check that your issue hasn't been reported before.
+      4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
+      5. Please give all relevant information below for bug reports, because
+         incomplete details will be handled as an invalid report.
+      6. In particular it's really important to provide pertinent logs. You must give us DEBUG level logs.
+         Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems
+         In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini
+- type: textarea
+  id: description
+  attributes:
+    label: Description
+    description: |
+      Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below)
+      If you are using a proxy or a CDN (e.g. Cloudflare) in front of Gitea, please disable the proxy/CDN fully and access Gitea directly to confirm the issue still persists without those services.
+- type: input
+  id: gitea-ver
+  attributes:
+    label: Gitea Version
+    description: Gitea version (or commit reference) of your instance
+  validations:
+    required: true
+- type: dropdown
+  id: can-reproduce
+  attributes:
+    label: Can you reproduce the bug on the Gitea demo site?
+    description: |
+      If so, please provide a URL in the Description field
+      URL of Gitea demo: https://try.gitea.io
+    options:
+    - "Yes"
+    - "No"
+  validations:
+    required: true
+- type: markdown
+  attributes:
+    value: |
+      It's really important to provide pertinent logs
+      Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems
+      In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini
+- type: input
+  id: logs
+  attributes:
+    label: Log Gist
+    description: Please provide a gist URL of your logs, with any sensitive information (e.g. API keys) removed/hidden
+- type: textarea
+  id: screenshots
+  attributes:
+    label: Screenshots
+    description: If this issue involves the Web Interface, please provide one or more screenshots
+- type: input
+  id: git-ver
+  attributes:
+    label: Git Version
+    description: The version of git running on the server
+- type: input
+  id: os-ver
+  attributes:
+    label: Operating System
+    description: The operating system you are using to run Gitea
+- type: textarea
+  id: run-info
+  attributes:
+    label: How are you running Gitea?
+    description: |
+      Please include information on whether you built Gitea yourself, used one of our downloads, are using https://try.gitea.io or are using some other package
+      Please also tell us how you are running Gitea, e.g. if it is being run from docker, a command-line, systemd etc.
+      If you are using a package or systemd tell us what distribution you are using
+  validations:
+    required: true
+- type: dropdown
+  id: database
+  attributes:
+    label: Database
+    description: What database system are you running?
+    options:
+    - PostgreSQL
+    - MySQL
+    - MSSQL
+    - SQLite
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -8,9 +8,9 @@ contact_links:
    about: Please ask questions and discuss configuration or deployment problems here.
  - name: Discourse Forum
    url: https://discourse.gitea.io
-    about: Questions and configuration or deployment problems can also be discussed on our forum.
+    about: Questions and configuration or deployment problems can also be discussed on our forum.    
  - name: Frequently Asked Questions
-    url: https://docs.gitea.com/help/faq
+    url: https://docs.gitea.io/en-us/faq
    about: Please check if your question isn't mentioned here.
  - name: Crowdin Translations
    url: https://crowdin.com/project/gitea
--- a/.github/ISSUE_TEMPLATE/feature-request.yaml
+++ b/.github/ISSUE_TEMPLATE/feature-request.yaml
@ -1,24 +1,24 @@
 name: Feature Request
 description: Got an idea for a feature that Gitea doesn't have currently?  Submit your idea here!
-labels: ["type/proposal"]
+labels: ["kind/feature", "kind/proposal"]
 body:
-  - type: markdown
-    attributes:
-      value: |
-        1. Please speak English, this is the language all maintainers can speak and write.
-        2. Please ask questions or configuration/deploy problems on our Discord
-           server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
-        3. Please take a moment to check that your feature hasn't already been suggested.
-  - type: textarea
-    id: description
-    attributes:
-      label: Feature Description
-      placeholder: |
-        I think it would be great if Gitea had...
-    validations:
-      required: true
-  - type: textarea
-    id: screenshots
-    attributes:
-      label: Screenshots
-      description: If you can, provide screenshots of an implementation on another site e.g. GitHub
+- type: markdown
+  attributes:
+    value: |
+      1. Please speak English, this is the language all maintainers can speak and write.
+      2. Please ask questions or configuration/deploy problems on our Discord
+         server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
+      3. Please take a moment to check that your feature hasn't already been suggested.
+- type: textarea
+  id: description
+  attributes:
+    label: Feature Description
+    placeholder: |
+      I think it would be great if Gitea had...
+  validations:
+    required: true
+- type: textarea
+  id: screenshots
+  attributes:
+    label: Screenshots
+    description: If you can, provide screenshots of an implementation on another site e.g. GitHub
--- a/.github/ISSUE_TEMPLATE/ui.bug-report.yaml
+++ b/.github/ISSUE_TEMPLATE/ui.bug-report.yaml
@ -1,66 +1,66 @@
 name: Web Interface Bug Report
 description: Something doesn't look quite as it should?  Report it here!
-labels: ["type/bug", "topic/ui"]
+labels: ["kind/bug", "kind/ui"]
 body:
-  - type: markdown
-    attributes:
-      value: |
-        NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.
-  - type: markdown
-    attributes:
-      value: |
-        1. Please speak English, this is the language all maintainers can speak and write.
-        2. Please ask questions or configuration/deploy problems on our Discord
-           server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
-        3. Please take a moment to check that your issue doesn't already exist.
-        4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
-        5. Please give all relevant information below for bug reports, because
-           incomplete details will be handled as an invalid report.
-        6. In particular it's really important to provide pertinent logs. If you are certain that this is a javascript
-           error, show us the javascript console. If the error appears to relate to Gitea the server you must also give us
-           DEBUG level logs. (See https://docs.gitea.com/administration/logging-config#collecting-logs-for-help)
-  - type: textarea
-    id: description
-    attributes:
-      label: Description
-      description: |
-        Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below)
-        If using a proxy or a CDN (e.g. CloudFlare) in front of gitea, please disable the proxy/CDN fully and connect to gitea directly to confirm the issue still persists without those services.
-  - type: textarea
-    id: screenshots
-    attributes:
-      label: Screenshots
-      description: Please provide at least 1 screenshot showing the issue.
-    validations:
-      required: true
-  - type: input
-    id: gitea-ver
-    attributes:
-      label: Gitea Version
-      description: Gitea version (or commit reference) your instance is running
-    validations:
-      required: true
-  - type: dropdown
-    id: can-reproduce
-    attributes:
-      label: Can you reproduce the bug on the Gitea demo site?
-      description: |
-        If so, please provide a URL in the Description field
-        URL of Gitea demo: https://try.gitea.io
-      options:
-        - "Yes"
-        - "No"
-    validations:
-      required: true
-  - type: input
-    id: os-ver
-    attributes:
-      label: Operating System
-      description: The operating system you are using to access Gitea
-  - type: input
-    id: browser-ver
-    attributes:
-      label: Browser Version
-      description: The browser and version that you are using to access Gitea
-    validations:
-      required: true
+- type: markdown
+  attributes:
+    value: |
+      NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.
+- type: markdown
+  attributes:
+    value: |
+      1. Please speak English, this is the language all maintainers can speak and write.
+      2. Please ask questions or configuration/deploy problems on our Discord
+         server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
+      3. Please take a moment to check that your issue doesn't already exist.
+      4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
+      5. Please give all relevant information below for bug reports, because
+         incomplete details will be handled as an invalid report.
+      6. In particular it's really important to provide pertinent logs. If you are certain that this is a javascript
+         error, show us the javascript console. If the error appears to relate to Gitea the server you must also give us
+         DEBUG level logs. (See https://docs.gitea.io/en-us/logging-configuration/#debugging-problems)
+- type: textarea
+  id: description
+  attributes:
+    label: Description
+    description: |
+      Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below)
+      If using a proxy or a CDN (e.g. CloudFlare) in front of gitea, please disable the proxy/CDN fully and connect to gitea directly to confirm the issue still persists without those services.
+- type: textarea
+  id: screenshots
+  attributes:
+    label: Screenshots
+    description: Please provide at least 1 screenshot showing the issue.
+  validations:
+    required: true
+- type: input
+  id: gitea-ver
+  attributes:
+    label: Gitea Version
+    description: Gitea version (or commit reference) your instance is running
+  validations:
+    required: true
+- type: dropdown
+  id: can-reproduce
+  attributes:
+    label: Can you reproduce the bug on the Gitea demo site?
+    description: |
+      If so, please provide a URL in the Description field
+      URL of Gitea demo: https://try.gitea.io
+    options:
+    - "Yes"
+    - "No"
+  validations:
+    required: true
+- type: input
+  id: os-ver
+  attributes:
+    label: Operating System
+    description: The operating system you are using to access Gitea
+- type: input
+  id: browser-ver
+  attributes:
+    label: Browser Version
+    description: The browser and version that you are using to access Gitea
+  validations:
+    required: true
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@ -1,5 +0,0 @@
-self-hosted-runner:
-  labels:
-    - actuated-4cpu-8gb
-    - actuated-4cpu-16gb
-    - nscloud
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@ -1,84 +0,0 @@
-modifies/docs:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "**/*.md"
-          - "docs/**"
-
-modifies/frontend:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "web_src/**"
-          - "tailwind.config.js"
-          - "webpack.config.js"
-
-modifies/templates:
-  - changed-files:
-      - all-globs-to-any-file:
-          - "templates/**"
-          - "!templates/swagger/v1_json.tmpl"
-
-modifies/api:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "routers/api/**"
-          - "templates/swagger/v1_json.tmpl"
-
-modifies/cli:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "cmd/**"
-
-modifies/translation:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "options/locale/*.ini"
-
-modifies/migrations:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "models/migrations/**"
-
-modifies/internal:
-  - changed-files:
-      - any-glob-to-any-file:
-          - ".air.toml"
-          - "Makefile"
-          - "Dockerfile"
-          - "Dockerfile.rootless"
-          - ".dockerignore"
-          - "docker/**"
-          - ".editorconfig"
-          - ".eslintrc.yaml"
-          - ".golangci.yml"
-          - ".gitpod.yml"
-          - ".markdownlint.yaml"
-          - ".spectral.yaml"
-          - ".stylelintrc.yaml"
-          - ".yamllint.yaml"
-          - ".github/**"
-          - ".gitea/"
-          - ".devcontainer/**"
-          - "build.go"
-          - "build/**"
-          - "contrib/**"
-
-modifies/dependencies:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "package.json"
-          - "package-lock.json"
-          - "poetry.toml"
-          - "poetry.lock"
-          - "go.mod"
-          - "go.sum"
-          - "pyproject.toml"
-
-modifies/go:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "**/*.go"
-
-modifies/js:
-  - changed-files:
-      - any-glob-to-any-file:
-          - "**/*.js"
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -0,0 +1,54 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 60
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+daysUntilClose: 14
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels:
+  - status/blocked 
+  - kind/security 
+  - lgtm/done
+  - reviewed/confirmed
+  - priority/critical
+  - kind/proposal
+
+# Set to true to ignore issues in a project (defaults to false)
+exemptProjects: false
+
+# Set to true to ignore issues in a milestone (defaults to false)
+exemptMilestones: false
+
+# Label to use when marking as stale
+staleLabel: stale
+
+# Comment to post when marking as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had recent activity. 
+  I am here to help clear issues left open even if solved or waiting for more insight.
+  This issue will be closed if no further activity occurs during the next 2 weeks.
+  If the issue is still valid just add a comment to keep it alive.
+  Thank you for your contributions.
+
+# Comment to post when closing a stale Issue or Pull Request.
+closeComment: >
+  This issue has been automatically closed because of inactivity.
+  You can re-open it if needed.
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 1
+
+# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
+pulls:
+  daysUntilStale: 60
+  daysUntilClose: 60
+  markComment: >
+    This pull request has been automatically marked as stale because it has not had
+    recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you
+    for your contributions.
+  closeComment: >
+    This pull request has been automatically closed because of inactivity.
+    You can re-open it if needed.
--- a/.github/workflows/cron-licenses.yml
+++ b/.github/workflows/cron-licenses.yml
@ -10,15 +10,14 @@ jobs:
    runs-on: ubuntu-latest
    if: github.repository == 'go-gitea/gitea'
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
        with:
-          go-version-file: go.mod
-          check-latest: true
+          go-version: ">=1.20.1"
      - run: make generate-license generate-gitignore
        timeout-minutes: 40
      - name: push translations to repo
-        uses: appleboy/git-push-action@v0.0.3
+        uses: appleboy/git-push-action@v0.0.2
        with:
          author_email: "teabot@gitea.io"
          author_name: GiteaBot
--- a/.github/workflows/cron-lock.yml
+++ b/.github/workflows/cron-lock.yml
@ -17,7 +17,6 @@ jobs:
    runs-on: ubuntu-latest
    if: github.repository == 'go-gitea/gitea'
    steps:
-      - uses: dessant/lock-threads@v5
+      - uses: dessant/lock-threads@v4
        with:
-          issue-inactive-days: 10
-          pr-inactive-days: 7
+          issue-inactive-days: 45
--- a/.github/workflows/cron-translations.yml
+++ b/.github/workflows/cron-translations.yml
@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    if: github.repository == 'go-gitea/gitea'
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: download from crowdin
        uses: docker://jonasfranz/crowdin
        env:
@ -22,7 +22,7 @@ jobs:
      - name: update locales
        run: ./build/update-locales.sh
      - name: push translations to repo
-        uses: appleboy/git-push-action@v0.0.3
+        uses: appleboy/git-push-action@v0.0.2
        with:
          author_email: "teabot@gitea.io"
          author_name: GiteaBot
@ -35,7 +35,7 @@ jobs:
    runs-on: ubuntu-latest
    if: github.repository == 'go-gitea/gitea'
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      - name: push translations to crowdin
        uses: docker://jonasfranz/crowdin
        env:
--- a/.github/workflows/disk-clean.yml
+++ b/.github/workflows/disk-clean.yml
@ -1,25 +0,0 @@
-name: disk-clean
-
-on:
-  workflow_call:
-
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@main
-        with:
-          # this might remove tools that are actually needed,
-          # if set to "true" but frees about 6 GB
-          tool-cache: false
-
-          # all of these default to true, but feel free to set to
-          # "false" if necessary for your workflow
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: false
-          docker-images: false
-          swap-storage: true
--- a/.github/workflows/files-changed.yml
+++ b/.github/workflows/files-changed.yml
@ -4,95 +4,50 @@ on:
  workflow_call:
    outputs:
      backend:
+        description: "whether backend files changed"
        value: ${{ jobs.detect.outputs.backend }}
      frontend:
+        description: "whether frontend files changed"
        value: ${{ jobs.detect.outputs.frontend }}
      docs:
+        description: "whether docs files changed"
        value: ${{ jobs.detect.outputs.docs }}
      actions:
+        description: "whether actions files changed"
        value: ${{ jobs.detect.outputs.actions }}
-      templates:
-        value: ${{ jobs.detect.outputs.templates }}
-      docker:
-        value: ${{ jobs.detect.outputs.docker }}
-      swagger:
-        value: ${{ jobs.detect.outputs.swagger }}
-      yaml:
-        value: ${{ jobs.detect.outputs.yaml }}

 jobs:
  detect:
+    name: detect which files changed
    runs-on: ubuntu-latest
    timeout-minutes: 3
+    # Map a step output to a job output
    outputs:
      backend: ${{ steps.changes.outputs.backend }}
      frontend: ${{ steps.changes.outputs.frontend }}
      docs: ${{ steps.changes.outputs.docs }}
      actions: ${{ steps.changes.outputs.actions }}
-      templates: ${{ steps.changes.outputs.templates }}
-      docker: ${{ steps.changes.outputs.docker }}
-      swagger: ${{ steps.changes.outputs.swagger }}
-      yaml: ${{ steps.changes.outputs.yaml }}
    steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3
+      - uses: actions/checkout@v3
+      - uses: dorny/paths-filter@v2
        id: changes
        with:
          filters: |
            backend:
              - "**/*.go"
-              - "templates/**/*.tmpl"
-              - "assets/emoji.json"
+              - "**/*.tmpl"
              - "go.mod"
              - "go.sum"
-              - "Makefile"
-              - ".golangci.yml"
-              - ".editorconfig"
-              - "options/locale/locale_en-US.ini"

            frontend:
              - "**/*.js"
              - "web_src/**"
-              - "assets/emoji.json"
              - "package.json"
              - "package-lock.json"
-              - "Makefile"
-              - ".eslintrc.yaml"
-              - ".stylelintrc.yaml"
-              - ".npmrc"

            docs:
              - "**/*.md"
              - "docs/**"
-              - ".markdownlint.yaml"
-              - "package.json"
-              - "package-lock.json"

            actions:
              - ".github/workflows/*"
-              - "Makefile"
-
-            templates:
-              - "templates/**/*.tmpl"
-              - "pyproject.toml"
-              - "poetry.lock"
-
-            docker:
-              - "Dockerfile"
-              - "Dockerfile.rootless"
-              - "docker/**"
-              - "Makefile"
-
-            swagger:
-              - "templates/swagger/v1_json.tmpl"
-              - "Makefile"
-              - "package.json"
-              - "package-lock.json"
-              - ".spectral.yaml"
-
-            yaml:
-              - "**/*.yml"
-              - "**/*.yaml"
-              - ".yamllint.yaml"
-              - "pyproject.toml"
-              - "poetry.lock"
--- a/.github/workflows/pull-compliance.yml
+++ b/.github/workflows/pull-compliance.yml
@ -16,75 +16,25 @@ jobs:
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
+          go-version: ">=1.20"
          check-latest: true
      - run: make deps-backend deps-tools
      - run: make lint-backend
        env:
          TAGS: bindata sqlite sqlite_unlock_notify

-  lint-templates:
-    if: needs.files-changed.outputs.templates == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.12"
-      - run: pip install poetry
-      - run: make deps-py
-      - run: make lint-templates
-
-  lint-yaml:
-    if: needs.files-changed.outputs.yaml == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.12"
-      - run: pip install poetry
-      - run: make deps-py
-      - run: make lint-yaml
-
-  lint-swagger:
-    if: needs.files-changed.outputs.swagger == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - run: make deps-frontend
-      - run: make lint-swagger
-
-  lint-spell:
-    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.templates == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - run: make lint-spell
-
  lint-go-windows:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
+          go-version: ">=1.20"
          check-latest: true
      - run: make deps-backend deps-tools
      - run: make lint-go-windows lint-go-vet
@ -98,10 +48,10 @@ jobs:
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
+          go-version: ">=1.20"
          check-latest: true
      - run: make deps-backend deps-tools
      - run: make lint-go
@ -113,10 +63,10 @@ jobs:
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
+          go-version: ">=1.20"
          check-latest: true
      - run: make deps-backend deps-tools
      - run: make --always-make checks-backend # ensure the "go-licenses" make target runs
@ -126,14 +76,13 @@ jobs:
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
        with:
          node-version: 20
      - run: make deps-frontend
      - run: make lint-frontend
      - run: make checks-frontend
-      - run: make test-frontend
      - run: make frontend

  backend:
@ -141,14 +90,14 @@ jobs:
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
+          go-version: ">=1.20"
          check-latest: true
      # no frontend build here as backend should be able to build
      # even without any frontend files
-      - run: make deps-backend
+      - run: make deps-backend deps-tools
      - run: go build -o gitea_no_gcc # test if build succeeds without the sqlite tag
      - name: build-backend-arm64
        run: make backend # test cross compile
@ -173,22 +122,19 @@ jobs:
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
        with:
          node-version: 20
      - run: make deps-frontend
      - run: make lint-md
-      - run: make docs
+      - run: make docs # test if build could succeed

  actions:
    if: needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          check-latest: true
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
      - run: make lint-actions
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    services:
      pgsql:
-        image: postgres:12
+        image: postgres:15
        env:
          POSTGRES_DB: test
          POSTGRES_PASSWORD: postgres
@ -31,28 +31,24 @@ jobs:
      minio:
        # as github actions doesn't support "entrypoint", we need to use a non-official image
        # that has a custom entrypoint set to "minio server /data"
-        image: bitnami/minio:2023.8.31
+        image: bitnami/minio:2021.3.17
        env:
-          MINIO_ROOT_USER: 123456
-          MINIO_ROOT_PASSWORD: 12345678
+          MINIO_ACCESS_KEY: 123456
+          MINIO_SECRET_KEY: 12345678
        ports:
          - "9000:9000"
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
-          check-latest: true
+          go-version: ">=1.20.0"
      - name: Add hosts to /etc/hosts
        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 pgsql ldap minio" | sudo tee -a /etc/hosts'
      - run: make deps-backend
      - run: make backend
        env:
          TAGS: bindata
-      - name: run migration tests
-        run: make test-pgsql-migration
-      - name: run tests
-        run: make test-pgsql
+      - run: make test-pgsql-migration test-pgsql
        timeout-minutes: 50
        env:
          TAGS: bindata gogit
@ -66,19 +62,15 @@ jobs:
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
-          check-latest: true
+          go-version: ">=1.20.0"
      - run: make deps-backend
      - run: make backend
        env:
          TAGS: bindata gogit sqlite sqlite_unlock_notify
-      - name: run migration tests
-        run: make test-sqlite-migration
-      - name: run tests
-        run: make test-sqlite
+      - run: make test-sqlite-migration test-sqlite
        timeout-minutes: 50
        env:
          TAGS: bindata gogit sqlite sqlite_unlock_notify
@ -91,18 +83,26 @@ jobs:
    needs: files-changed
    runs-on: ubuntu-latest
    services:
+      mysql:
+        image: mysql:5.7
+        env:
+          MYSQL_ALLOW_EMPTY_PASSWORD: yes
+          MYSQL_DATABASE: test
+        ports:
+          - "3306:3306"
      elasticsearch:
        image: elasticsearch:7.5.0
        env:
          discovery.type: single-node
        ports:
          - "9200:9200"
-      meilisearch:
-        image: getmeili/meilisearch:v1.2.0
-        env:
-          MEILI_ENV: development # disable auth
+      smtpimap:
+        image: tabascoterrier/docker-imap-devel:latest
        ports:
-          - "7700:7700"
+          - "25:25"
+          - "143:143"
+          - "587:587"
+          - "993:993"
      redis:
        image: redis
        options: >- # wait until redis has started
@ -120,13 +120,12 @@ jobs:
        ports:
          - "9000:9000"
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
-          check-latest: true
+          go-version: ">=1.20.0"
      - name: Add hosts to /etc/hosts
-        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql elasticsearch meilisearch smtpimap" | sudo tee -a /etc/hosts'
+        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql elasticsearch smtpimap" | sudo tee -a /etc/hosts'
      - run: make deps-backend
      - run: make backend
        env:
@ -144,16 +143,16 @@ jobs:
          RACE_ENABLED: true
          GITHUB_READ_TOKEN: ${{ secrets.GITHUB_READ_TOKEN }}

-  test-mysql:
+  test-mysql5:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    services:
      mysql:
-        image: mysql:8.0
+        image: mysql:5.7
        env:
-          MYSQL_ALLOW_EMPTY_PASSWORD: true
-          MYSQL_DATABASE: testgitea
+          MYSQL_ALLOW_EMPTY_PASSWORD: yes
+          MYSQL_DATABASE: test
        ports:
          - "3306:3306"
      elasticsearch:
@ -170,34 +169,60 @@ jobs:
          - "587:587"
          - "993:993"
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
-          check-latest: true
+          go-version: ">=1.20.0"
      - name: Add hosts to /etc/hosts
        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql elasticsearch smtpimap" | sudo tee -a /etc/hosts'
      - run: make deps-backend
      - run: make backend
        env:
          TAGS: bindata
-      - name: run migration tests
-        run: make test-mysql-migration
      - name: run tests
-        run: make integration-test-coverage
+        run: make test-mysql-migration integration-test-coverage
        env:
          TAGS: bindata
          RACE_ENABLED: true
          USE_REPO_TEST_DIR: 1
          TEST_INDEXER_CODE_ES_URL: "http://elastic:changeme@elasticsearch:9200"

+  test-mysql8:
+    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
+    needs: files-changed
+    runs-on: ubuntu-latest
+    services:
+      mysql8:
+        image: mysql:8
+        env:
+          MYSQL_ALLOW_EMPTY_PASSWORD: yes
+          MYSQL_DATABASE: testgitea
+        ports:
+          - "3306:3306"
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ">=1.20.0"
+      - name: Add hosts to /etc/hosts
+        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mysql8" | sudo tee -a /etc/hosts'
+      - run: make deps-backend
+      - run: make backend
+        env:
+          TAGS: bindata
+      - run: make test-mysql8-migration test-mysql8
+        timeout-minutes: 50
+        env:
+          TAGS: bindata
+          USE_REPO_TEST_DIR: 1
+
  test-mssql:
    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    services:
      mssql:
-        image: mcr.microsoft.com/mssql/server:2017-latest
+        image: mcr.microsoft.com/mssql/server:latest
        env:
          ACCEPT_EULA: Y
          MSSQL_PID: Standard
@ -205,20 +230,17 @@ jobs:
        ports:
          - "1433:1433"
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
-          check-latest: true
+          go-version: ">=1.20.0"
      - name: Add hosts to /etc/hosts
        run: '[ -e "/.dockerenv" ] || [ -e "/run/.containerenv" ] || echo "127.0.0.1 mssql" | sudo tee -a /etc/hosts'
      - run: make deps-backend
      - run: make backend
        env:
          TAGS: bindata
-      - run: make test-mssql-migration
-      - name: run tests
-        run: make test-mssql
+      - run: make test-mssql-migration test-mssql
        timeout-minutes: 50
        env:
          TAGS: bindata
--- a/.github/workflows/pull-docker-dryrun.yml
+++ b/.github/workflows/pull-docker-dryrun.yml
@ -11,25 +11,13 @@ jobs:
  files-changed:
    uses: ./.github/workflows/files-changed.yml

-  regular:
-    if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true'
+  docker-dryrun:
+    if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true'
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/build-push-action@v5
+      - uses: docker/setup-buildx-action@v2
+      - uses: docker/build-push-action@v4
        with:
          push: false
          tags: gitea/gitea:linux-amd64
-
-  rootless:
-    if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true'
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/build-push-action@v5
-        with:
-          push: false
-          file: Dockerfile.rootless
-          tags: gitea/gitea:linux-amd64
--- a/.github/workflows/pull-e2e-tests.yml
+++ b/.github/workflows/pull-e2e-tests.yml
@ -16,12 +16,12 @@ jobs:
    needs: files-changed
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
+          go-version: ">=1.20"
          check-latest: true
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v3
        with:
          node-version: 20
      - run: make deps-frontend frontend deps-backend
--- a/.github/workflows/pull-labeler.yml
+++ b/.github/workflows/pull-labeler.yml
@ -1,20 +0,0 @@
-name: labeler
-
-on:
-  pull_request_target:
-    types: [opened, synchronize, reopened]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  labeler:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - uses: actions/labeler@v5
-        with:
-          sync-labels: true
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@ -1,28 +1,22 @@
-name: release-nightly
+name: release-nightly-assets

 on:
  push:
-    branches: [main, release/v*]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+    branches: [ main, release/v* ]

 jobs:
-  disk-clean:
-    uses: ./.github/workflows/disk-clean.yml
  nightly-binary:
-    runs-on: nscloud
+    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v4
        with:
-          go-version-file: go.mod
+          go-version: ">=1.20"
          check-latest: true
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v3
        with:
          node-version: 20
      - run: make deps-frontend deps-backend
@ -32,7 +26,7 @@ jobs:
          TAGS: bindata sqlite sqlite_unlock_notify
      - name: import gpg key
        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@ -48,28 +42,24 @@ jobs:
          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
          echo "Cleaned name is ${REF_NAME}"
          echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
-      - name: configure aws
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: upload binaries to s3
-        run: |
-          aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
-  nightly-docker-rootful:
+        uses: jakejarvis/s3-sync-action@master
+        env:
+          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          SOURCE_DIR: dist/release
+          DEST_DIR: gitea/${{ steps.clean_name.outputs.branch }}
+  nightly-docker:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
      - name: Get cleaned branch name
        id: clean_name
        run: |
@ -81,51 +71,19 @@ jobs:
          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
          echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
      - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: fetch go modules
-        run: make vendor
      - name: build rootful docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v4
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: gitea/gitea:${{ steps.clean_name.outputs.branch }}
-  nightly-docker-rootless:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - name: Get cleaned branch name
-        id: clean_name
-        run: |
-          # if main then say nightly otherwise cleanup name
-          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
-            echo "branch=nightly" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\///' -e 's/release\/v//')
-          echo "branch=${REF_NAME}-nightly" >> "$GITHUB_OUTPUT"
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: fetch go modules
-        run: make vendor
      - name: build rootless docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v4
        with:
          context: .
          platforms: linux/amd64,linux/arm64
--- a/.github/workflows/release-tag-rc.yml
+++ b/.github/workflows/release-tag-rc.yml
@ -1,132 +0,0 @@
-name: release-tag-rc
-
-on:
-  push:
-    tags:
-      - "v1*-rc*"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-jobs:
-  binary:
-    runs-on: nscloud
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - run: make deps-frontend deps-backend
-      # xgo build
-      - run: make release
-        env:
-          TAGS: bindata sqlite sqlite_unlock_notify
-      - name: import gpg key
-        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-      - name: sign binaries
-        run: |
-          for f in dist/release/*; do
-            echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f"
-          done
-      # clean branch name to get the folder name in S3
-      - name: Get cleaned branch name
-        id: clean_name
-        run: |
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
-          echo "Cleaned name is ${REF_NAME}"
-          echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
-      - name: configure aws
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      - name: upload binaries to s3
-        run: |
-          aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
-      - name: Install GH CLI
-        uses: dev-hanz-ops/install-gh-cli-action@v0.1.0
-        with:
-          gh-cli-version: 2.39.1
-      - name: create github release
-        run: |
-          gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/*
-        env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-  docker-rootful:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: gitea/gitea
-          flavor: |
-            latest=false
-          # 1.2.3-rc0
-          tags: |
-            type=semver,pattern={{version}}
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: build rootful docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-  docker-rootless:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: gitea/gitea
-          # each tag below will have the suffix of -rootless
-          flavor: |
-            latest=false
-            suffix=-rootless
-          # 1.2.3-rc0
-          tags: |
-            type=semver,pattern={{version}}
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: build rootless docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          file: Dockerfile.rootless
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/release-tag-version.yml
+++ b/.github/workflows/release-tag-version.yml
@ -1,143 +0,0 @@
-name: release-tag-version
-
-on:
-  push:
-    tags:
-      - "v1.*"
-      - "!v1*-rc*"
-      - "!v1*-dev"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
-
-jobs:
-  binary:
-    runs-on: nscloud
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - run: make deps-frontend deps-backend
-      # xgo build
-      - run: make release
-        env:
-          TAGS: bindata sqlite sqlite_unlock_notify
-      - name: import gpg key
-        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
-          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
-      - name: sign binaries
-        run: |
-          for f in dist/release/*; do
-            echo '${{ secrets.GPGSIGN_PASSPHRASE }}' | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u ${{ steps.import_gpg.outputs.fingerprint }} --output "$f.asc" "$f"
-          done
-      # clean branch name to get the folder name in S3
-      - name: Get cleaned branch name
-        id: clean_name
-        run: |
-          REF_NAME=$(echo "${{ github.ref }}" | sed -e 's/refs\/heads\///' -e 's/refs\/tags\/v//' -e 's/release\/v//')
-          echo "Cleaned name is ${REF_NAME}"
-          echo "branch=${REF_NAME}" >> "$GITHUB_OUTPUT"
-      - name: configure aws
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      - name: upload binaries to s3
-        run: |
-          aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
-      - name: Install GH CLI
-        uses: dev-hanz-ops/install-gh-cli-action@v0.1.0
-        with:
-          gh-cli-version: 2.39.1
-      - name: create github release
-        run: |
-          gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --notes-from-tag dist/release/*
-        env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-  docker-rootful:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: gitea/gitea
-          # this will generate tags in the following format:
-          # latest
-          # 1
-          # 1.2
-          # 1.2.3
-          tags: |
-            type=semver,pattern={{major}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{version}}
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: build rootful docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-  docker-rootless:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      # fetch all commits instead of only the last as some branches are long lived and could have many between versions
-      # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
-      - run: git fetch --unshallow --quiet --tags --force
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: gitea/gitea
-          # each tag below will have the suffix of -rootless
-          flavor: |
-            suffix=-rootless,onlatest=true
-          # this will generate tags in the following format (with -rootless suffix added):
-          # latest
-          # 1
-          # 1.2
-          # 1.2.3
-          tags: |
-            type=semver,pattern={{major}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{version}}
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: build rootless docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          file: Dockerfile.rootless
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
--- a/.gitignore
+++ b/.gitignore
@ -11,11 +11,10 @@ _test
 .idea
 # Goland's output filename can not be set manually
 /go_build_*
-/gitea_*

 # MS VSCode
 .vscode
-__debug_bin*
+__debug_bin

 *.cgo1.go
 *.cgo2.c
@ -69,15 +68,13 @@ cpu.out
 /tests/*.ini
 /tests/**/*.git/**/*.sample
 /node_modules
-/.venv
 /yarn.lock
 /yarn-error.log
 /npm-debug.log*
-/public/assets/js
-/public/assets/css
-/public/assets/fonts
-/public/assets/licenses.txt
-/public/assets/img/webpack
+/public/js
+/public/css
+/public/fonts
+/public/img/webpack
 /vendor
 /web_src/fomantic/node_modules
 /web_src/fomantic/build/*
@ -96,7 +93,6 @@ cpu.out
 /.go-licenses

 # Snapcraft
-/gitea_a*.txt
 snap/.snapcraft/
 parts/
 stage/
--- a/.gitpod.yml
+++ b/.gitpod.yml
@ -10,19 +10,10 @@ tasks:
  - name: Run backend
    command: |
      gp sync-await setup
-
-      # Get the URL and extract the domain
-      url=$(gp url 3000)
-      domain=$(echo $url | awk -F[/:] '{print $4}')
-
-      if [ -f custom/conf/app.ini ]; then
-        sed -i "s|^ROOT_URL =.*|ROOT_URL = ${url}/|" custom/conf/app.ini
-        sed -i "s|^DOMAIN =.*|DOMAIN = ${domain}|" custom/conf/app.ini
-        sed -i "s|^SSH_DOMAIN =.*|SSH_DOMAIN = ${domain}|" custom/conf/app.ini
-        sed -i "s|^NO_REPLY_ADDRESS =.*|SSH_DOMAIN = noreply.${domain}|" custom/conf/app.ini
-      else
+      if [ ! -f custom/conf/app.ini ]
+      then
        mkdir -p custom/conf/
-        echo -e "[server]\nROOT_URL = ${url}/" > custom/conf/app.ini
+        echo -e "[server]\nROOT_URL=$(gp url 3000)/" > custom/conf/app.ini
        echo -e "\n[database]\nDB_TYPE = sqlite3\nPATH = $GITPOD_REPO_ROOT/data/gitea.db" >> custom/conf/app.ini
      fi
      export TAGS="sqlite sqlite_unlock_notify"
@ -43,8 +34,7 @@ vscode:
    - Vue.volar
    - ms-azuretools.vscode-docker
    - zixuanchen.vitest-explorer
-    - qwtel.sqlite-viewer
-    - GitHub.vscode-pull-request-github
+    - alexcvzz.vscode-sqlite

 ports:
  - name: Gitea
--- a/.golangci.yml
+++ b/.golangci.yml
@ -29,6 +29,7 @@ linters:
  fast: false

 run:
+  go: "1.20"
  timeout: 10m
  skip-dirs:
    - node_modules
@ -74,22 +75,18 @@ linters-settings:
      - name: modifies-value-receiver
  gofumpt:
    extra-rules: true
+    lang-version: "1.20"
  depguard:
-    rules:
-      main:
-        deny:
-          - pkg: encoding/json
-            desc: use gitea's modules/json instead of encoding/json
-          - pkg: github.com/unknwon/com
-            desc: use gitea's util and replacements
-          - pkg: io/ioutil
-            desc: use os or io instead
-          - pkg: golang.org/x/exp
-            desc: it's experimental and unreliable
-          - pkg: code.gitea.io/gitea/modules/git/internal
-            desc: do not use the internal package, use AddXxx function instead
-          - pkg: gopkg.in/ini.v1
-            desc: do not use the ini package, use gitea's config system instead
+    list-type: denylist
+    # Check the list against standard lib.
+    include-go-root: true
+    packages-with-error-message:
+      - encoding/json: "use gitea's modules/json instead of encoding/json"
+      - github.com/unknwon/com: "use gitea's util and replacements"
+      - io/ioutil: "use os or io instead"
+      - golang.org/x/exp: "it's experimental and unreliable."
+      - code.gitea.io/gitea/modules/git/internal: "do not use the internal package, use AddXxx function instead"
+      - gopkg.in/ini.v1: "do not use the ini package, use gitea's config system instead"

 issues:
  max-issues-per-linter: 0
--- a/.ignore
+++ b/.ignore
@ -5,5 +5,4 @@
 /modules/public/bindata.go
 /modules/templates/bindata.go
 /vendor
-/public/assets
 node_modules
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@ -1,15 +1,18 @@
 commands-show-output: false
 fenced-code-language: false
 first-line-h1: false
-heading-increment: false
+header-increment: false
 line-length: {code_blocks: false, tables: false, stern: true, line_length: -1}
 no-alt-text: false
 no-bare-urls: false
-no-emphasis-as-heading: false
+no-blanks-blockquote: false
+no-duplicate-header: {allow_different_nesting: true}
+no-emphasis-as-header: false
 no-empty-links: false
 no-hard-tabs: {code_blocks: false}
 no-inline-html: false
 no-space-in-code: false
 no-space-in-emphasis: false
+no-trailing-punctuation: false
 no-trailing-spaces: {br_spaces: 0}
 single-h1: false
--- a/.stylelintrc.yaml
+++ b/.stylelintrc.yaml
@ -1,7 +1,5 @@
 plugins:
  - stylelint-declaration-strict-value
-  - stylelint-declaration-block-no-ignored-properties
-  - "@stylistic/stylelint-plugin"

 ignoreFiles:
  - "**/*.go"
@ -17,89 +15,12 @@ overrides:
    customSyntax: postcss-html

 rules:
-  "@stylistic/at-rule-name-case": null
-  "@stylistic/at-rule-name-newline-after": null
-  "@stylistic/at-rule-name-space-after": null
-  "@stylistic/at-rule-semicolon-newline-after": null
-  "@stylistic/at-rule-semicolon-space-before": null
-  "@stylistic/block-closing-brace-empty-line-before": null
-  "@stylistic/block-closing-brace-newline-after": null
-  "@stylistic/block-closing-brace-newline-before": null
-  "@stylistic/block-closing-brace-space-after": null
-  "@stylistic/block-closing-brace-space-before": null
-  "@stylistic/block-opening-brace-newline-after": null
-  "@stylistic/block-opening-brace-newline-before": null
-  "@stylistic/block-opening-brace-space-after": null
-  "@stylistic/block-opening-brace-space-before": null
-  "@stylistic/color-hex-case": lower
-  "@stylistic/declaration-bang-space-after": never
-  "@stylistic/declaration-bang-space-before": null
-  "@stylistic/declaration-block-semicolon-newline-after": null
-  "@stylistic/declaration-block-semicolon-newline-before": null
-  "@stylistic/declaration-block-semicolon-space-after": null
-  "@stylistic/declaration-block-semicolon-space-before": never
-  "@stylistic/declaration-block-trailing-semicolon": null
-  "@stylistic/declaration-colon-newline-after": null
-  "@stylistic/declaration-colon-space-after": null
-  "@stylistic/declaration-colon-space-before": never
-  "@stylistic/function-comma-newline-after": null
-  "@stylistic/function-comma-newline-before": null
-  "@stylistic/function-comma-space-after": null
-  "@stylistic/function-comma-space-before": null
-  "@stylistic/function-max-empty-lines": 0
-  "@stylistic/function-parentheses-newline-inside": never-multi-line
-  "@stylistic/function-parentheses-space-inside": null
-  "@stylistic/function-whitespace-after": null
-  "@stylistic/indentation": 2
-  "@stylistic/linebreaks": null
-  "@stylistic/max-empty-lines": 1
-  "@stylistic/max-line-length": null
-  "@stylistic/media-feature-colon-space-after": null
-  "@stylistic/media-feature-colon-space-before": never
-  "@stylistic/media-feature-name-case": null
-  "@stylistic/media-feature-parentheses-space-inside": null
-  "@stylistic/media-feature-range-operator-space-after": always
-  "@stylistic/media-feature-range-operator-space-before": always
-  "@stylistic/media-query-list-comma-newline-after": null
-  "@stylistic/media-query-list-comma-newline-before": null
-  "@stylistic/media-query-list-comma-space-after": null
-  "@stylistic/media-query-list-comma-space-before": null
-  "@stylistic/named-grid-areas-alignment": null
-  "@stylistic/no-empty-first-line": null
-  "@stylistic/no-eol-whitespace": true
-  "@stylistic/no-extra-semicolons": true
-  "@stylistic/no-missing-end-of-source-newline": null
-  "@stylistic/number-leading-zero": null
-  "@stylistic/number-no-trailing-zeros": null
-  "@stylistic/property-case": lower
-  "@stylistic/selector-attribute-brackets-space-inside": null
-  "@stylistic/selector-attribute-operator-space-after": null
-  "@stylistic/selector-attribute-operator-space-before": null
-  "@stylistic/selector-combinator-space-after": null
-  "@stylistic/selector-combinator-space-before": null
-  "@stylistic/selector-descendant-combinator-no-non-space": null
-  "@stylistic/selector-list-comma-newline-after": null
-  "@stylistic/selector-list-comma-newline-before": null
-  "@stylistic/selector-list-comma-space-after": always-single-line
-  "@stylistic/selector-list-comma-space-before": never-single-line
-  "@stylistic/selector-max-empty-lines": 0
-  "@stylistic/selector-pseudo-class-case": lower
-  "@stylistic/selector-pseudo-class-parentheses-space-inside": never
-  "@stylistic/selector-pseudo-element-case": lower
-  "@stylistic/string-quotes": double
-  "@stylistic/unicode-bom": null
-  "@stylistic/unit-case": lower
-  "@stylistic/value-list-comma-newline-after": null
-  "@stylistic/value-list-comma-newline-before": null
-  "@stylistic/value-list-comma-space-after": null
-  "@stylistic/value-list-comma-space-before": null
-  "@stylistic/value-list-max-empty-lines": 0
  alpha-value-notation: null
  annotation-no-unknown: true
  at-rule-allowed-list: null
  at-rule-disallowed-list: null
  at-rule-empty-line-before: null
-  at-rule-no-unknown: [true, {ignoreAtRules: [tailwind]}]
+  at-rule-no-unknown: true
  at-rule-no-vendor-prefix: true
  at-rule-property-required-list: null
  block-no-empty: true
@ -127,7 +48,7 @@ rules:
  declaration-no-important: null
  declaration-property-max-values: null
  declaration-property-unit-allowed-list: null
-  declaration-property-unit-disallowed-list: {line-height: [em]}
+  declaration-property-unit-disallowed-list: null
  declaration-property-value-allowed-list: null
  declaration-property-value-disallowed-list: null
  declaration-property-value-no-unknown: true
@ -151,7 +72,7 @@ rules:
  keyframe-declaration-no-important: true
  keyframe-selector-notation: null
  keyframes-name-pattern: null
-  length-zero-no-unit: [true, ignore: [custom-properties], ignoreFunctions: [var]]
+  length-zero-no-unit: true
  max-nesting-depth: null
  media-feature-name-allowed-list: null
  media-feature-name-disallowed-list: null
@ -161,7 +82,6 @@ rules:
  media-feature-name-value-allowed-list: null
  media-feature-name-value-no-unknown: true
  media-feature-range-notation: null
-  media-query-no-invalid: true
  named-grid-areas-no-invalid: true
  no-descending-specificity: null
  no-duplicate-at-import-rules: true
@ -173,14 +93,13 @@ rules:
  no-unknown-animations: null
  no-unknown-custom-properties: null
  number-max-precision: null
-  plugin/declaration-block-no-ignored-properties: true
  property-allowed-list: null
  property-disallowed-list: null
  property-no-unknown: true
  property-no-vendor-prefix: null
  rule-empty-line-before: null
  rule-selector-property-disallowed-list: null
-  scale-unlimited/declaration-strict-value: [[/color$/, font-weight], {ignoreValues: /^(inherit|transparent|unset|initial|currentcolor|none)$/, ignoreFunctions: false, disableFix: true, expandShorthand: true}]
+  scale-unlimited/declaration-strict-value: [[color, background-color, border-color, font-weight], {ignoreValues: /^(inherit|transparent|unset|initial|currentcolor|none)$/, ignoreFunctions: false, disableFix: true}]
  selector-attribute-name-disallowed-list: null
  selector-attribute-operator-allowed-list: null
  selector-attribute-operator-disallowed-list: null
--- a/.yamllint.yaml
+++ b/.yamllint.yaml
@ -1,44 +0,0 @@
-extends: default
-
-rules:
-  braces:
-    min-spaces-inside: 0
-    max-spaces-inside: 1
-    min-spaces-inside-empty: 0
-    max-spaces-inside-empty: 0
-
-  brackets:
-    min-spaces-inside: 0
-    max-spaces-inside: 1
-    min-spaces-inside-empty: 0
-    max-spaces-inside-empty: 0
-
-  comments:
-    require-starting-space: true
-    ignore-shebangs: true
-    min-spaces-from-content: 1
-
-  comments-indentation:
-    level: error
-
-  document-start:
-    level: error
-    present: false
-
-  document-end:
-    present: false
-
-  empty-lines:
-    max: 1
-
-  indentation:
-    spaces: 2
-
-  line-length: disable
-
-  truthy:
-    allowed-values: ["true", "false", "on", "off"]
-
-ignore: |
-  .venv
-  node_modules
--- a/4
+++ b/4
@ -42,13 +42,13 @@ GARGS = "--no-print-directory"

 # The GNU convention is to use the lowercased `prefix` variable/macro to
 # specify the installation directory. Humor them.
-GPREFIX =
+GPREFIX = ""
 .if defined(PREFIX) && ! defined(prefix)
    GPREFIX = 'prefix = "$(PREFIX)"'
 .endif

 .BEGIN: .SILENT
-	which $(GMAKE) || (printf "Error: GNU Make is required!\n\n" 1>&2 && false)
+	which $(GMAKE) || printf "Error: GNU Make is required!\n\n" 1>&2 && false

 .PHONY: FRC
 $(.TARGETS): FRC
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -8,7 +8,6 @@
    - [How to report issues](#how-to-report-issues)
    - [Types of issues](#types-of-issues)
    - [Discuss your design before the implementation](#discuss-your-design-before-the-implementation)
-    - [Issue locking](#issue-locking)
  - [Building Gitea](#building-gitea)
  - [Dependencies](#dependencies)
    - [Backend](#backend)
@ -35,7 +34,7 @@
      - [Backport PRs](#backport-prs)
  - [Documentation](#documentation)
  - [API v1](#api-v1)
-    - [GitHub API compatibility](#github-api-compatibility)
+    - [GitHub API compatability](#github-api-compatability)
    - [Adding/Maintaining API routes](#addingmaintaining-api-routes)
    - [When to use what HTTP method](#when-to-use-what-http-method)
    - [Requirements for API routes](#requirements-for-api-routes)
@ -48,7 +47,6 @@
  - [Release Cycle](#release-cycle)
  - [Maintainers](#maintainers)
  - [Technical Oversight Committee (TOC)](#technical-oversight-committee-toc)
-    - [TOC election process](#toc-election-process)
    - [Current TOC members](#current-toc-members)
    - [Previous TOC/owners members](#previous-tocowners-members)
  - [Governance Compensation](#governance-compensation)
@ -62,7 +60,7 @@
 ## Introduction

 This document explains how to contribute changes to the Gitea project. \
-It assumes you have followed the [installation instructions](https://docs.gitea.com/category/installation). \
+It assumes you have followed the [installation instructions](https://docs.gitea.io/en-us/). \
 Sensitive security-related issues should be reported to [security@gitea.io](mailto:security@gitea.io).

 For configuring IDEs for Gitea development, see the [contributed IDE configurations](contrib/ide/).
@ -104,13 +102,6 @@ the goals for the project and tools.

 Pull requests should not be the place for architecture discussions.

-### Issue locking
-
-Commenting on closed or merged issues/PRs is strongly discouraged.
-Such comments will likely be overlooked as some maintainers may not view notifications on closed issues, thinking that the item is resolved.
-As such, commenting on closed/merged issues/PRs may be disabled prior to the scheduled auto-locking if a discussion starts or if unrelated comments are posted.
-If further discussion is needed, we encourage you to open a new issue instead and we recommend linking to the issue/PR in question for context.
-
 ## Building Gitea

 See the [development setup instructions](https://docs.gitea.com/development/hacking-on-gitea).
@ -119,7 +110,7 @@ See the [development setup instructions](https://docs.gitea.com/development/hack

 ### Backend

-Go dependencies are managed using [Go Modules](https://go.dev/cmd/go/#hdr-Module_maintenance). \
+Go dependencies are managed using [Go Modules](https://golang.org/cmd/go/#hdr-Module_maintenance). \
 You can find more details in the [go mod documentation](https://go.dev/ref/mod) and the [Go Modules Wiki](https://github.com/golang/go/wiki/Modules).

 Pull requests should only modify `go.mod` and `go.sum` where it is related to your change, be it a bugfix or a new feature. \
@ -176,7 +167,7 @@ Here's how to run the test suite:

 |  Command                               | Action                                           |              |
 | :------------------------------------- | :----------------------------------------------- | ------------ |
-|``make test[\#SpecificTestName]``       |  run unit test(s)  | |
+|``make test[\#SpecificTestName]``       |  run unit test(s)  |
 |``make test-sqlite[\#SpecificTestName]``|  run [integration](tests/integration) test(s) for SQLite |[More details](tests/integration/README.md)  |
 |``make test-e2e-sqlite[\#SpecificTestName]``|  run [end-to-end](tests/e2e) test(s) for SQLite |[More details](tests/e2e/README.md)  |

@ -212,20 +203,10 @@ Some of the key points:

 In the PR title, describe the problem you are fixing, not how you are fixing it. \
 Use the first comment as a summary of your PR. \
-In the PR summary, you can describe exactly how you are fixing this problem.
-
+In the PR summary, you can describe exactly how you are fixing this problem. \
 Keep this summary up-to-date as the PR evolves. \
 If your PR changes the UI, you must add **after** screenshots in the PR summary. \
-If you are not implementing a new feature, you should also post **before** screenshots for comparison.
-
-If you are implementing a new feature, your PR will only be merged if your screenshots are up to date.\
-Furthermore, feature PRs will only be merged if their summary contains a clear usage description (understandable for users) and testing description (understandable for reviewers).
-You should strive to combine both into a single description.
-
-Another requirement for merging PRs is that the PR is labeled correctly.\
-However, this is not your job as a contributor, but the job of the person merging your PR.\
-If you think that your PR was labeled incorrectly, or notice that it was merged without labels, please let us know.
-
+If you are not implementing a new feature, you should also post **before** screenshots for comparison. \
 If your PR closes some issues, you must note that in a way that both GitHub and Gitea understand, i.e. by appending a paragraph like

 ```text
@ -244,20 +225,17 @@ PRs without a milestone may not be merged.

 ### Labels

-Almost all labels used inside Gitea can be classified as one of the following:
-
- `modifies/…`: Determines which parts of the codebase are affected. These labels will be set through the CI.
- `topic/…`:  Determines the conceptual component of Gitea that is affected, i.e. issues, projects, or authentication. At best, PRs should only target one component but there might be overlap. Must be set manually.
- `type/…`: Determines the type of an issue or PR (feature, refactoring, docs, bug, …). If GitHub supported scoped labels, these labels would be exclusive, so you should set **exactly** one, not more or less (every PR should fall into one of the provided categories, and only one).
- `issue/…` / `pr/…`: Labels that are specific to issues or PRs respectively and that are only necessary in a given context, i.e. `issue/not-a-bug` or `pr/need-2-approvals`
-
-Every PR should be labeled correctly with every label that applies.
-
-There are also some labels that will be managed automatically.\
-In particular, these are
+Every PR should be labeled correctly with every label that applies. \
+This includes especially the distinction between `bug` (fixing existing functionality), `feature` (new functionality), `enhancement` (upgrades for existing functionality), and `refactoring` (improving the internal code structure without changing the output (much)). \
+Furthermore,

 - the amount of pending required approvals
- has all `backport`s or needs a manual backport
+- whether this PR is `blocked`, a `backport` or `breaking`
+- if it targets the `ui` or `api`
+- if it increases the application `speed`
+- reduces `memory usage`
+
+are oftentimes notable labels.

 ### Breaking PRs

@ -274,16 +252,13 @@ Changing the default value of a setting or replacing the setting with another on

 #### How to handle breaking PRs?

-If your PR has a breaking change, you must add two things to the summary of your PR:
+If your PR has a breaking change, you must add a `BREAKING` section to your PR summary, e.g.

-1. A reasoning why this breaking change is necessary
-2. A `BREAKING` section explaining in simple terms (understandable for a typical user) how this PR affects users and how to mitigate these changes. This section can look for example like
-
-```md
+```
 ## :warning: BREAKING :warning:
 ```

-Breaking PRs will not be merged as long as not both of these requirements are met.
+To explain how this will affect users and how to mitigate these changes.

 ### Maintaining open PRs

@ -364,7 +339,7 @@ If you add a new feature or change an existing aspect of Gitea, the documentatio

 The API is documented by [swagger](http://try.gitea.io/api/swagger) and is based on [the GitHub API](https://docs.github.com/en/rest).

-### GitHub API compatibility
+### GitHub API compatability

 Gitea's API should use the same endpoints and fields as the GitHub API as far as possible, unless there are good reasons to deviate. \
 If Gitea provides functionality that GitHub does not, a new endpoint can be created. \
@ -464,7 +439,7 @@ We assume in good faith that the information you provide is legally binding.
 We adopted a release schedule to streamline the process of working on, finishing, and issuing releases. \
 The overall goal is to make a major release every three or four months, which breaks down into two or three months of general development followed by one month of testing and polishing known as the release freeze. \
 All the feature pull requests should be
-merged before feature freeze. All feature pull requests haven't been merged before this feature freeze will be moved to next milestone, please notice our feature freeze announcement on discord. And, during the frozen period, a corresponding
+merged before feature freeze. And, during the frozen period, a corresponding
 release branch is open for fixes backported from main branch. Release candidates
 are made during this period for user testing to
 obtain a final version that is maintained in this branch.
@ -495,53 +470,36 @@ if possible provide GPG signed commits.
 https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
 https://help.github.com/articles/signing-commits-with-gpg/

-Furthermore, any account with write access (like bots and TOC members) **must** use 2FA.
-https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/
-
 ## Technical Oversight Committee (TOC)

-At the start of 2023, the `Owners` team was dissolved. Instead, the governance charter proposed a technical oversight committee (TOC) which expands the ownership team of the Gitea project from three elected positions to six positions. Three positions are elected as it has been over the past years, and the other three consist of appointed members from the Gitea company.
-https://blog.gitea.com/quarterly-23q1/
+At the start of 2023, the `Owners` team was dissolved. Instead, the governance charter proposed a technical oversight committee (TOC) which expands the ownership team of the Gitea project from three elected positions to six positions. Three positions would be elected as it has been over the past years, and the other three would consist of appointed members from the Gitea company.
+https://blog.gitea.io/2023/02/gitea-quarterly-report-23q1/

-### TOC election process
-
-Any maintainer is eligible to be part of the community TOC if they are not associated with the Gitea company.
-A maintainer can either nominate themselves, or can be nominated by other maintainers to be a candidate for the TOC election.
-If you are nominated by someone else, you must first accept your nomination before the vote starts to be a candidate.
-
-The TOC is elected for one year, the TOC election happens yearly.
-After the announcement of the results of the TOC election, elected members have two weeks time to confirm or refuse the seat.
-If an elected member does not answer within this timeframe, they are automatically assumed to refuse the seat.
-Refusals result in the person with the next highest vote getting the same choice.
-As long as seats are empty in the TOC, members of the previous TOC can fill them until an elected member accepts the seat.
-
-If an elected member that accepts the seat does not have 2FA configured yet, they will be temporarily counted as `answer pending` until they manage to configure 2FA, thus leaving their seat empty for this duration.
+When the new community members have been elected, the old members will give up ownership to the newly elected members. For security reasons, TOC members or any account with write access (like a bot) must use 2FA.
+https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/

 ### Current TOC members

- 2024-01-01 ~ 2024-12-31
+- 2023-01-01 ~ 2023-12-31 - https://blog.gitea.io/2023/02/gitea-quarterly-report-23q1/
  - Company
    - [Jason Song](https://gitea.com/wolfogre) <i@wolfogre.com>
    - [Lunny Xiao](https://gitea.com/lunny) <xiaolunwen@gmail.com>
-    - [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.com>
+    - [Matti Ranta](https://gitea.com/techknowlogick) <techknowlogick@gitea.io>
  - Community
    - [6543](https://gitea.com/6543) <6543@obermui.de>
-    - [delvh](https://gitea.com/delvh) <dev.lh@web.de>
+    - [Andrew Thornton](https://gitea.com/zeripath) <art27@cantab.net>
    - [John Olheiser](https://gitea.com/jolheiser) <john.olheiser@gmail.com>

 ### Previous TOC/owners members

 Here's the history of the owners and the time they served:

- [Lunny Xiao](https://gitea.com/lunny) - 2016, 2017, [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
+- [Lunny Xiao](https://gitea.com/lunny) - 2016, 2017, [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872)
 - [Kim Carlbäcker](https://github.com/bkcsoft) - 2016, 2017
 - [Thomas Boerger](https://gitea.com/tboerger) - 2016, 2017
 - [Lauris Bukšis-Haberkorns](https://gitea.com/lafriks) - [2018](https://github.com/go-gitea/gitea/issues/3255), [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801)
- [Matti Ranta](https://gitea.com/techknowlogick) - [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
- [Andrew Thornton](https://gitea.com/zeripath) - [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872), 2023
- [6543](https://gitea.com/6543) - 2023
- [John Olheiser](https://gitea.com/jolheiser) - 2023
- [Jason Song](https://gitea.com/wolfogre) - 2023
+- [Matti Ranta](https://gitea.com/techknowlogick) - [2019](https://github.com/go-gitea/gitea/issues/5572), [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872)
+- [Andrew Thornton](https://gitea.com/zeripath) - [2020](https://github.com/go-gitea/gitea/issues/9230), [2021](https://github.com/go-gitea/gitea/issues/13801), [2022](https://github.com/go-gitea/gitea/issues/17872)

 ## Governance Compensation

--- a/40
+++ b/40
@ -1,5 +1,5 @@
-# Build stage
-FROM docker.io/library/golang:1.22-alpine3.19 AS build-env
+#Build stage
+FROM docker.io/library/golang:1.20-alpine3.18 AS build-env

 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@ -9,39 +9,21 @@ ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS "bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS

-# Build deps
-RUN apk --no-cache add \
-    build-base \
-    git \
-    nodejs \
-    npm \
-    && rm -rf /var/cache/apk/*
+#Build deps
+RUN apk --no-cache add build-base git nodejs npm

-# Setup repo
+#Setup repo
 COPY . ${GOPATH}/src/code.gitea.io/gitea
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea

-# Checkout version if set
+#Checkout version if set
 RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 && make clean-all build

 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go

-# Copy local files
-COPY docker/root /tmp/local
-
-# Set permissions
-RUN chmod 755 /tmp/local/usr/bin/entrypoint \
-              /tmp/local/usr/local/bin/gitea \
-              /tmp/local/etc/s6/gitea/* \
-              /tmp/local/etc/s6/openssh/* \
-              /tmp/local/etc/s6/.s6-svscan/* \
-              /go/src/code.gitea.io/gitea/gitea \
-              /go/src/code.gitea.io/gitea/environment-to-ini
-RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
-
-FROM docker.io/library/alpine:3.19
+FROM docker.io/library/alpine:3.18
 LABEL maintainer="maintainers@gitea.io"

 EXPOSE 22 3000
@ -57,8 +39,7 @@ RUN apk --no-cache add \
    s6 \
    sqlite \
    su-exec \
-    gnupg \
-    && rm -rf /var/cache/apk/*
+    gnupg

 RUN addgroup \
    -S -g 1000 \
@ -80,7 +61,10 @@ VOLUME ["/data"]
 ENTRYPOINT ["/usr/bin/entrypoint"]
 CMD ["/bin/s6-svscan", "/etc/s6"]

-COPY --from=build-env /tmp/local /
+COPY docker/root /
 COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
 COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
+RUN chmod 755 /usr/bin/entrypoint /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
+RUN chmod 755 /etc/s6/gitea/* /etc/s6/openssh/* /etc/s6/.s6-svscan/*
+RUN chmod 644 /etc/profile.d/gitea_bash_autocomplete.sh
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@ -1,5 +1,5 @@
-# Build stage
-FROM docker.io/library/golang:1.22-alpine3.19 AS build-env
+#Build stage
+FROM docker.io/library/golang:1.20-alpine3.18 AS build-env

 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@ -10,36 +10,20 @@ ENV TAGS "bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS

 #Build deps
-RUN apk --no-cache add \
-    build-base \
-    git \
-    nodejs \
-    npm \
-    && rm -rf /var/cache/apk/*
+RUN apk --no-cache add build-base git nodejs npm

-# Setup repo
+#Setup repo
 COPY . ${GOPATH}/src/code.gitea.io/gitea
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea

-# Checkout version if set
+#Checkout version if set
 RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 && make clean-all build

 # Begin env-to-ini build
 RUN go build contrib/environment-to-ini/environment-to-ini.go

-# Copy local files
-COPY docker/rootless /tmp/local
-
-# Set permissions
-RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \
-              /tmp/local/usr/local/bin/docker-setup.sh \
-              /tmp/local/usr/local/bin/gitea \
-              /go/src/code.gitea.io/gitea/gitea \
-              /go/src/code.gitea.io/gitea/environment-to-ini
-RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
-
-FROM docker.io/library/alpine:3.19
+FROM docker.io/library/alpine:3.18
 LABEL maintainer="maintainers@gitea.io"

 EXPOSE 2222 3000
@ -51,8 +35,7 @@ RUN apk --no-cache add \
    gettext \
    git \
    curl \
-    gnupg \
-    && rm -rf /var/cache/apk/*
+    gnupg

 RUN addgroup \
    -S -g 1000 \
@ -68,19 +51,21 @@ RUN addgroup \
 RUN mkdir -p /var/lib/gitea /etc/gitea
 RUN chown git:git /var/lib/gitea /etc/gitea

-COPY --from=build-env /tmp/local /
+COPY docker/rootless /
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
 COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
+RUN chmod 755 /usr/local/bin/docker-entrypoint.sh /usr/local/bin/docker-setup.sh /app/gitea/gitea /usr/local/bin/gitea /usr/local/bin/environment-to-ini
+RUN chmod 644 /etc/profile.d/gitea_bash_autocomplete.sh

-# git:git
+#git:git
 USER 1000:1000
 ENV GITEA_WORK_DIR /var/lib/gitea
 ENV GITEA_CUSTOM /var/lib/gitea/custom
 ENV GITEA_TEMP /tmp/gitea
 ENV TMPDIR /tmp/gitea

-# TODO add to docs the ability to define the ini to load (useful to test and revert a config)
+#TODO add to docs the ability to define the ini to load (useful to test and revert a config)
 ENV GITEA_APP_INI /etc/gitea/app.ini
 ENV HOME "/var/lib/gitea/git"
 VOLUME ["/var/lib/gitea", "/etc/gitea"]
@ -88,3 +73,4 @@ WORKDIR /var/lib/gitea

 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]
 CMD []
+
--- a/8
+++ b/8
@ -52,11 +52,3 @@ Xinyi Gong <hestergong@gmail.com> (@HesterG)
 wxiaoguang <wxiaoguang@gmail.com> (@wxiaoguang)
 Gary Moon <gary@garymoon.net> (@garymoon)
 Philip Peterson <philip.c.peterson@gmail.com> (@philip-peterson)
-Denys Konovalov <kontakt@denyskon.de> (@denyskon)
-Punit Inani <punitinani1@gmail.com> (@puni9869)
-CaiCandong  <1290147055@qq.com> (@caicandong)
-Rui Chen  <rui@chenrui.dev> (@chenrui333)
-Nanguan Lin <nanguanlin6@gmail.com> (@lng2020)
-kerwin612 <kerwin612@qq.com> (@kerwin612)
-Gary Wang <git@blumia.net> (@BLumia)
-Tim-Niclas Oelschläger <zokki.softwareschmiede@gmail.com> (@zokkis)
--- a/245
+++ b/245
@ -23,19 +23,19 @@ SHASUM ?= shasum -a 256
 HAS_GO := $(shell hash $(GO) > /dev/null 2>&1 && echo yes)
 COMMA := ,

-XGO_VERSION := go-1.22.x
+XGO_VERSION := go-1.20.x

-AIR_PACKAGE ?= github.com/cosmtrek/air@v1.49.0
+AIR_PACKAGE ?= github.com/cosmtrek/air@v1.43.0
 EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/cmd/editorconfig-checker@2.7.0
-GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.6.0
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.1
-GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11
-MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.4.1
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@db51e79a0e37c572d8b59ae0c58bf2bbbbe53285
+GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.5.0
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.52.2
+GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11
+MISSPELL_PACKAGE ?= github.com/client9/misspell/cmd/misspell@v0.3.4
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.4
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0
-GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1.0.3
-ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.6.26
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@latest
+ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@latest

 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
@ -49,14 +49,10 @@ ifeq ($(HAS_GO), yes)
 	CGO_CFLAGS ?= $(shell $(GO) env CGO_CFLAGS) $(CGO_EXTRA_CFLAGS)
 endif

-ifeq ($(GOOS),windows)
-	IS_WINDOWS := yes
-else ifeq ($(patsubst Windows%,Windows,$(OS)),Windows)
-	ifeq ($(GOOS),)
-		IS_WINDOWS := yes
-	endif
-endif
-ifeq ($(IS_WINDOWS),yes)
+ifeq ($(OS), Windows_NT)
+	GOFLAGS := -v -buildmode=exe
+	EXECUTABLE ?= gitea.exe
+else ifeq ($(OS), Windows)
 	GOFLAGS := -v -buildmode=exe
 	EXECUTABLE ?= gitea.exe
 else
@ -72,7 +68,7 @@ endif

 EXTRA_GOFLAGS ?=

-MAKE_VERSION := $(shell "$(MAKE)" -v | cat | head -n 1)
+MAKE_VERSION := $(shell "$(MAKE)" -v | head -n 1)
 MAKE_EVIDENCE_DIR := .make_evidence

 ifeq ($(RACE_ENABLED),true)
@ -86,6 +82,12 @@ HUGO_VERSION ?= 0.111.3
 GITHUB_REF_TYPE ?= branch
 GITHUB_REF_NAME ?= $(shell git rev-parse --abbrev-ref HEAD)

+# backwards compatible to build with Drone
+ifneq ($(DRONE_TAG),)
+	GITHUB_REF_TYPE := tag
+	GITHUB_REF_NAME := $(DRONE_TAG)
+endif
+
 ifneq ($(GITHUB_REF_TYPE),branch)
 	VERSION ?= $(subst v,,$(GITHUB_REF_NAME))
 	GITEA_VERSION ?= $(VERSION)
@ -115,21 +117,20 @@ LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64

 GO_PACKAGES ?= $(filter-out code.gitea.io/gitea/tests/integration/migration-test code.gitea.io/gitea/tests code.gitea.io/gitea/tests/integration code.gitea.io/gitea/tests/e2e,$(shell $(GO) list ./... | grep -v /vendor/))
 GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list code.gitea.io/gitea/models/migrations/...) code.gitea.io/gitea/tests/integration/migration-test code.gitea.io/gitea/tests code.gitea.io/gitea/tests/integration code.gitea.io/gitea/tests/e2e,$(shell $(GO) list ./... | grep -v /vendor/))
-MIGRATE_TEST_PACKAGES ?= $(shell $(GO) list code.gitea.io/gitea/models/migrations/...)

 FOMANTIC_WORK_DIR := web_src/fomantic

 WEBPACK_SOURCES := $(shell find web_src/js web_src/css -type f)
-WEBPACK_CONFIGS := webpack.config.js tailwind.config.js
-WEBPACK_DEST := public/assets/js/index.js public/assets/css/index.css
-WEBPACK_DEST_ENTRIES := public/assets/js public/assets/css public/assets/fonts public/assets/img/webpack
+WEBPACK_CONFIGS := webpack.config.js
+WEBPACK_DEST := public/js/index.js public/css/index.css
+WEBPACK_DEST_ENTRIES := public/js public/css public/fonts public/img/webpack

 BINDATA_DEST := modules/public/bindata.go modules/options/bindata.go modules/templates/bindata.go
 BINDATA_HASH := $(addsuffix .hash,$(BINDATA_DEST))

 GENERATED_GO_DEST := modules/charset/invisible_gen.go modules/charset/ambiguous_gen.go

-SVG_DEST_DIR := public/assets/img/svg
+SVG_DEST_DIR := public/img/svg

 AIR_TMP_DIR := .air

@ -147,9 +148,6 @@ TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(FOMAN
 GO_DIRS := build cmd models modules routers services tests
 WEB_DIRS := web_src/js web_src/css

-SPELLCHECK_FILES := $(GO_DIRS) $(WEB_DIRS) docs/content templates options/locale/locale_en-US.ini .github
-EDITORCONFIG_FILES := templates .github/workflows options/locale/locale_en-US.ini
-
 GO_SOURCES := $(wildcard *.go)
 GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" ! -path modules/options/bindata.go ! -path modules/public/bindata.go ! -path modules/templates/bindata.go)
 GO_SOURCES += $(GENERATED_GO_DEST)
@ -166,8 +164,8 @@ ifdef DEPS_PLAYWRIGHT
 endif

 SWAGGER_SPEC := templates/swagger/v1_json.tmpl
-SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl \| JSEscape}}/api/v1"|g
-SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl \| JSEscape}}/api/v1"|"basePath": "/api/v1"|g
+SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|g
+SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|"basePath": "/api/v1"|g
 SWAGGER_EXCLUDE := code.gitea.io/sdk
 SWAGGER_NEWLINE_COMMAND := -e '$$a\'

@ -175,6 +173,10 @@ TEST_MYSQL_HOST ?= mysql:3306
 TEST_MYSQL_DBNAME ?= testgitea
 TEST_MYSQL_USERNAME ?= root
 TEST_MYSQL_PASSWORD ?=
+TEST_MYSQL8_HOST ?= mysql8:3306
+TEST_MYSQL8_DBNAME ?= testgitea
+TEST_MYSQL8_USERNAME ?= root
+TEST_MYSQL8_PASSWORD ?=
 TEST_PGSQL_HOST ?= pgsql:5432
 TEST_PGSQL_DBNAME ?= testgitea
 TEST_PGSQL_USERNAME ?= postgres
@ -201,10 +203,10 @@ help:
 	@echo " - clean                            delete backend and integration files"
 	@echo " - clean-all                        delete backend, frontend and integration files"
 	@echo " - deps                             install dependencies"
+	@echo " - deps-docs                        install docs dependencies"
 	@echo " - deps-frontend                    install frontend dependencies"
 	@echo " - deps-backend                     install backend dependencies"
 	@echo " - deps-tools                       install tool dependencies"
-	@echo " - deps-py                          install python dependencies"
 	@echo " - lint                             lint everything"
 	@echo " - lint-fix                         lint everything and fix issues"
 	@echo " - lint-actions                     lint action workflow files"
@ -221,10 +223,6 @@ help:
 	@echo " - lint-css-fix                     lint css files and fix issues"
 	@echo " - lint-md                          lint markdown files"
 	@echo " - lint-swagger                     lint swagger files"
-	@echo " - lint-templates                   lint template files"
-	@echo " - lint-yaml                        lint yaml files"
-	@echo " - lint-spell                       lint spelling"
-	@echo " - lint-spell-fix                   lint spelling and fix issues"
 	@echo " - checks                           run various consistency checks"
 	@echo " - checks-frontend                  check frontend files"
 	@echo " - checks-backend                   check backend files"
@ -232,9 +230,6 @@ help:
 	@echo " - test-frontend                    test frontend files"
 	@echo " - test-backend                     test backend files"
 	@echo " - test-e2e[\#TestSpecificName]     test end to end using playwright"
-	@echo " - update                           update js and py dependencies"
-	@echo " - update-js                        update js dependencies"
-	@echo " - update-py                        update py dependencies"
 	@echo " - webpack                          build webpack files"
 	@echo " - svg                              build svg files"
 	@echo " - fomantic                         build fomantic files"
@ -284,15 +279,16 @@ clean-all: clean

 .PHONY: clean
 clean:
+	$(GO) clean -i ./...
 	rm -rf $(EXECUTABLE) $(DIST) $(BINDATA_DEST) $(BINDATA_HASH) \
 		integrations*.test \
 		e2e*.test \
-		tests/integration/gitea-integration-* \
-		tests/integration/indexers-* \
-		tests/mysql.ini tests/pgsql.ini tests/mssql.ini man/ \
-		tests/e2e/gitea-e2e-*/ \
-		tests/e2e/indexers-*/ \
-		tests/e2e/reports/ tests/e2e/test-artifacts/ tests/e2e/test-snapshots/
+		tests/integration/gitea-integration-pgsql/ tests/integration/gitea-integration-mysql/ tests/integration/gitea-integration-mysql8/ tests/integration/gitea-integration-sqlite/ \
+		tests/integration/gitea-integration-mssql/ tests/integration/indexers-mysql/ tests/integration/indexers-mysql8/ tests/integration/indexers-pgsql tests/integration/indexers-sqlite \
+		tests/integration/indexers-mssql tests/mysql.ini tests/mysql8.ini tests/pgsql.ini tests/mssql.ini man/ \
+		tests/e2e/gitea-e2e-pgsql/ tests/e2e/gitea-e2e-mysql/ tests/e2e/gitea-e2e-mysql8/ tests/e2e/gitea-e2e-sqlite/ \
+		tests/e2e/gitea-e2e-mssql/ tests/e2e/indexers-mysql/ tests/e2e/indexers-mysql8/ tests/e2e/indexers-pgsql/ tests/e2e/indexers-sqlite/ \
+		tests/e2e/indexers-mssql/ tests/e2e/reports/ tests/e2e/test-artifacts/ tests/e2e/test-snapshots/

 .PHONY: fmt
 fmt:
@ -314,6 +310,10 @@ fmt-check: fmt
 	  exit 1; \
 	fi

+.PHONY: misspell-check
+misspell-check:
+	go run $(MISSPELL_PACKAGE) -error $(GO_DIRS) $(WEB_DIRS)
+
 .PHONY: $(TAGS_EVIDENCE)
 $(TAGS_EVIDENCE):
 	@mkdir -p $(MAKE_EVIDENCE_DIR)
@ -353,19 +353,19 @@ checks: checks-frontend checks-backend
 checks-frontend: lockfile-check svg-check

 .PHONY: checks-backend
-checks-backend: tidy-check swagger-check fmt-check swagger-validate security-check
+checks-backend: tidy-check swagger-check fmt-check misspell-check swagger-validate security-check

 .PHONY: lint
-lint: lint-frontend lint-backend lint-spell
+lint: lint-frontend lint-backend

 .PHONY: lint-fix
-lint-fix: lint-frontend-fix lint-backend-fix lint-spell-fix
+lint-fix: lint-frontend-fix lint-backend-fix

 .PHONY: lint-frontend
-lint-frontend: lint-js lint-css
+lint-frontend: lint-js lint-css lint-md lint-swagger

 .PHONY: lint-frontend-fix
-lint-frontend-fix: lint-js-fix lint-css-fix
+lint-frontend-fix: lint-js-fix lint-css-fix lint-md lint-swagger

 .PHONY: lint-backend
 lint-backend: lint-go lint-go-vet lint-editorconfig
@ -375,11 +375,11 @@ lint-backend-fix: lint-go-fix lint-go-vet lint-editorconfig

 .PHONY: lint-js
 lint-js: node_modules
-	npx eslint --color --max-warnings=0 --ext js,vue web_src/js build *.config.js tests/e2e
+	npx eslint --color --max-warnings=0 --ext js,vue web_src/js build *.config.js docs/assets/js tests/e2e

 .PHONY: lint-js-fix
 lint-js-fix: node_modules
-	npx eslint --color --max-warnings=0 --ext js,vue web_src/js build *.config.js tests/e2e --fix
+	npx eslint --color --max-warnings=0 --ext js,vue web_src/js build *.config.js docs/assets/js tests/e2e --fix

 .PHONY: lint-css
 lint-css: node_modules
@ -397,14 +397,6 @@ lint-swagger: node_modules
 lint-md: node_modules
 	npx markdownlint docs *.md

-.PHONY: lint-spell
-lint-spell:
-	@go run $(MISSPELL_PACKAGE) -error $(SPELLCHECK_FILES)
-
-.PHONY: lint-spell-fix
-lint-spell-fix:
-	@go run $(MISSPELL_PACKAGE) -w $(SPELLCHECK_FILES)
-
 .PHONY: lint-go
 lint-go:
 	$(GO) run $(GOLANGCI_LINT_PACKAGE) run
@ -428,20 +420,12 @@ lint-go-vet:

 .PHONY: lint-editorconfig
 lint-editorconfig:
-	@$(GO) run $(EDITORCONFIG_CHECKER_PACKAGE) $(EDITORCONFIG_FILES)
+	$(GO) run $(EDITORCONFIG_CHECKER_PACKAGE) templates .github/workflows

 .PHONY: lint-actions
 lint-actions:
 	$(GO) run $(ACTIONLINT_PACKAGE)

-.PHONY: lint-templates
-lint-templates: .venv
-	@poetry run djlint $(shell find templates -type f -iname '*.tmpl')
-
-.PHONY: lint-yaml
-lint-yaml: .venv
-	@poetry run yamllint .
-
 .PHONY: watch
 watch:
 	@bash build/watch.sh
@ -560,6 +544,27 @@ test-mysql\#%: integrations.mysql.test generate-ini-mysql
 .PHONY: test-mysql-migration
 test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test

+generate-ini-mysql8:
+	sed -e 's|{{TEST_MYSQL8_HOST}}|${TEST_MYSQL8_HOST}|g' \
+		-e 's|{{TEST_MYSQL8_DBNAME}}|${TEST_MYSQL8_DBNAME}|g' \
+		-e 's|{{TEST_MYSQL8_USERNAME}}|${TEST_MYSQL8_USERNAME}|g' \
+		-e 's|{{TEST_MYSQL8_PASSWORD}}|${TEST_MYSQL8_PASSWORD}|g' \
+		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
+		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
+		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
+			tests/mysql8.ini.tmpl > tests/mysql8.ini
+
+.PHONY: test-mysql8
+test-mysql8: integrations.mysql8.test generate-ini-mysql8
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./integrations.mysql8.test
+
+.PHONY: test-mysql8\#%
+test-mysql8\#%: integrations.mysql8.test generate-ini-mysql8
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./integrations.mysql8.test -test.run $(subst .,/,$*)
+
+.PHONY: test-mysql8-migration
+test-mysql8-migration: migrations.mysql8.test migrations.individual.mysql8.test
+
 generate-ini-pgsql:
 	sed -e 's|{{TEST_PGSQL_HOST}}|${TEST_PGSQL_HOST}|g' \
 		-e 's|{{TEST_PGSQL_DBNAME}}|${TEST_PGSQL_DBNAME}|g' \
@ -604,7 +609,8 @@ test-mssql\#%: integrations.mssql.test generate-ini-mssql
 test-mssql-migration: migrations.mssql.test migrations.individual.mssql.test

 .PHONY: playwright
-playwright: deps-frontend
+playwright: $(PLAYWRIGHT_DIR)
+	npm install --no-save @playwright/test
 	npx playwright install $(PLAYWRIGHT_FLAGS)

 .PHONY: test-e2e%
@ -631,6 +637,14 @@ test-e2e-mysql: playwright e2e.mysql.test generate-ini-mysql
 test-e2e-mysql\#%: playwright e2e.mysql.test generate-ini-mysql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test -test.run TestE2e/$*

+.PHONY: test-e2e-mysql8
+test-e2e-mysql8: playwright e2e.mysql8.test generate-ini-mysql8
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./e2e.mysql8.test
+
+.PHONY: test-e2e-mysql8\#%
+test-e2e-mysql8\#%: playwright e2e.mysql8.test generate-ini-mysql8
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./e2e.mysql8.test -test.run TestE2e/$*
+
 .PHONY: test-e2e-pgsql
 test-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test
@ -674,6 +688,9 @@ integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sq
 integrations.mysql.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql.test

+integrations.mysql8.test: git-check $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql8.test
+
 integrations.pgsql.test: git-check $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.pgsql.test

@ -694,6 +711,11 @@ migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql.test
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./migrations.mysql.test

+.PHONY: migrations.mysql8.test
+migrations.mysql8.test: $(GO_SOURCES) generate-ini-mysql8
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql8.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini ./migrations.mysql8.test
+
 .PHONY: migrations.pgsql.test
 migrations.pgsql.test: $(GO_SOURCES) generate-ini-pgsql
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.pgsql.test
@ -711,23 +733,36 @@ migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite

 .PHONY: migrations.individual.mysql.test
 migrations.individual.mysql.test: $(GO_SOURCES)
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg; \
+	done

-.PHONY: migrations.individual.sqlite.test\#%
+.PHONY: migrations.individual.mysql8.test
+migrations.individual.mysql8.test: $(GO_SOURCES)
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql8.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg; \
+	done
+
+.PHONY: migrations.individual.mysql8.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*

 .PHONY: migrations.individual.pgsql.test
 migrations.individual.pgsql.test: $(GO_SOURCES)
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg; \
+	done

 .PHONY: migrations.individual.pgsql.test\#%
 migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*

+
 .PHONY: migrations.individual.mssql.test
 migrations.individual.mssql.test: $(GO_SOURCES) generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg -test.failfast; \
+	done

 .PHONY: migrations.individual.mssql.test\#%
 migrations.individual.mssql.test\#%: $(GO_SOURCES) generate-ini-mssql
@ -735,7 +770,9 @@ migrations.individual.mssql.test\#%: $(GO_SOURCES) generate-ini-mssql

 .PHONY: migrations.individual.sqlite.test
 migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -p 1 $(MIGRATE_TEST_PACKAGES)
+	for pkg in $(shell $(GO) list code.gitea.io/gitea/models/migrations/...); do \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg; \
+	done

 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
@ -744,6 +781,9 @@ migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
 e2e.mysql.test: $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql.test

+e2e.mysql8.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql8.test
+
 e2e.pgsql.test: $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.pgsql.test

@ -800,18 +840,30 @@ release-windows: | $(DIST_DIRS)
 ifeq (,$(findstring gogit,$(TAGS)))
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'osusergo gogit $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION)-gogit .
 endif
+ifneq ($(DRONE_TAG),)
+	cp /build/* $(DIST)/binaries
+endif

 .PHONY: release-linux
 release-linux: | $(DIST_DIRS)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out gitea-$(VERSION) .
+ifneq ($(DRONE_TAG),)
+	cp /build/* $(DIST)/binaries
+endif

 .PHONY: release-darwin
 release-darwin: | $(DIST_DIRS)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'darwin-10.12/amd64,darwin-10.12/arm64' -out gitea-$(VERSION) .
+ifneq ($(DRONE_TAG),)
+	cp /build/* $(DIST)/binaries
+endif

 .PHONY: release-freebsd
 release-freebsd: | $(DIST_DIRS)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'freebsd/amd64' -out gitea-$(VERSION) .
+ifneq ($(DRONE_TAG),)
+	cp /build/* $(DIST)/binaries
+endif

 .PHONY: release-copy
 release-copy: | $(DIST_DIRS)
@ -823,7 +875,7 @@ release-check: | $(DIST_DIRS)

 .PHONY: release-compress
 release-compress: | $(DIST_DIRS)
-	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PACKAGE) -k -9 $${file}; done;
+	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PAGAGE) -k -9 $${file}; done;

 .PHONY: release-sources
 release-sources: | $(DIST_DIRS)
@ -837,13 +889,20 @@ release-sources: | $(DIST_DIRS)

 .PHONY: release-docs
 release-docs: | $(DIST_DIRS) docs
-	tar -czf $(DIST)/release/gitea-docs-$(VERSION).tar.gz -C ./docs .
+	tar -czf $(DIST)/release/gitea-docs-$(VERSION).tar.gz -C ./docs/public .
+
+.PHONY: docs
+docs: deps-docs
+	cd docs; make trans-copy clean build-offline;
+
+.PHONY: deps-docs
+deps-docs:
+	@hash hugo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		curl -sL https://github.com/gohugoio/hugo/releases/download/v$(HUGO_VERSION)/hugo_$(HUGO_VERSION)_Linux-64bit.tar.gz | tar zxf - -C /tmp && mkdir -p ~/go/bin && mv /tmp/hugo ~/go/bin/hugo && chmod +x ~/go/bin/hugo; \
+	fi

 .PHONY: deps
-deps: deps-frontend deps-backend deps-tools deps-py
-
-.PHONY: deps-py
-deps-py: .venv
+deps: deps-frontend deps-backend deps-tools deps-docs

 .PHONY: deps-frontend
 deps-frontend: node_modules
@ -858,7 +917,7 @@ deps-tools:
 	$(GO) install $(EDITORCONFIG_CHECKER_PACKAGE)
 	$(GO) install $(GOFUMPT_PACKAGE)
 	$(GO) install $(GOLANGCI_LINT_PACKAGE)
-	$(GO) install $(GXZ_PACKAGE)
+	$(GO) install $(GXZ_PAGAGE)
 	$(GO) install $(MISSPELL_PACKAGE)
 	$(GO) install $(SWAGGER_PACKAGE)
 	$(GO) install $(XGO_PACKAGE)
@ -870,34 +929,19 @@ node_modules: package-lock.json
 	npm install --no-save
 	@touch node_modules

-.venv: poetry.lock
-	poetry install --no-root
-	@touch .venv
-
-.PHONY: update
-update: update-js update-py
-
-.PHONY: update-js
-update-js: node-check | node_modules
-	npx updates -u -f package.json
+.PHONY: npm-update
+npm-update: node-check | node_modules
+	npx updates -cu
 	rm -rf node_modules package-lock.json
 	npm install --package-lock
 	@touch node_modules

-.PHONY: update-py
-update-py: node-check | node_modules
-	npx updates -u -f pyproject.toml
-	rm -rf .venv poetry.lock
-	poetry install --no-root
-	@touch .venv
-
 .PHONY: fomantic
 fomantic:
 	rm -rf $(FOMANTIC_WORK_DIR)/build
 	cd $(FOMANTIC_WORK_DIR) && npm install --no-save
 	cp -f $(FOMANTIC_WORK_DIR)/theme.config.less $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/theme.config
 	cp -rf $(FOMANTIC_WORK_DIR)/_site $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/
-	$(SED_INPLACE) -e 's/  overrideBrowserslist\r/  overrideBrowserslist: ["defaults"]\r/g' $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/tasks/config/tasks.js
 	cd $(FOMANTIC_WORK_DIR) && npx gulp -f node_modules/fomantic-ui/gulpfile.js build
 	# fomantic uses "touchstart" as click event for some browsers, it's not ideal, so we force fomantic to always use "click" as click event
 	$(SED_INPLACE) -e 's/clickEvent[ \t]*=/clickEvent = "click", unstableClickEvent =/g' $(FOMANTIC_WORK_DIR)/build/semantic.js
@ -959,7 +1003,7 @@ generate-gitignore:

 .PHONY: generate-images
 generate-images: | node_modules
-	npm install --no-save fabric@6.0.0-beta19 imagemin-zopfli@7
+	npm install --no-save --no-package-lock fabric@5 imagemin-zopfli@7
 	node build/generate-images.js $(TAGS)

 .PHONY: generate-manpage
@ -977,8 +1021,3 @@ docker:

 # This endif closes the if at the top of the file
 endif
-
-# Disable parallel execution because it would break some targets that don't
-# specify exact dependencies like 'backend' which does currently not depend
-# on 'frontend' to enable Node.js-less builds from source tarballs.
-.NOTPARALLEL:
--- a/README.md
+++ b/README.md
@ -1,16 +1,16 @@
 <p align="center">
  <a href="https://gitea.io/">
-    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/assets/img/gitea.svg" width="220"/>
+    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/gitea.svg" width="220"/>
  </a>
 </p>
 <h1 align="center">Gitea - Git with a cup of tea</h1>

 <p align="center">
-  <a href="https://github.com/go-gitea/gitea/actions/workflows/release-nightly.yml?query=branch%3Amain" title="Release Nightly">
-    <img src="https://github.com/go-gitea/gitea/actions/workflows/release-nightly.yml/badge.svg?branch=main">
+  <a href="https://drone.gitea.io/go-gitea/gitea" title="Build Status">
+    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/main">
  </a>
  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
-    <img src="https://img.shields.io/discord/322538954119184384.svg?logo=discord&logoColor=white&label=Discord&color=5865F2">
+    <img src="https://img.shields.io/discord/322538954119184384.svg">
  </a>
  <a href="https://app.codecov.io/gh/go-gitea/gitea" title="Codecov">
    <img src="https://codecov.io/gh/go-gitea/gitea/branch/main/graph/badge.svg">
@ -45,6 +45,9 @@
  <a href="https://www.tickgit.com/browse?repo=github.com/go-gitea/gitea&branch=main" title="TODOs">
    <img src="https://badgen.net/https/api.tickgit.com/badgen/github.com/go-gitea/gitea/main">
  </a>
+  <a href="https://app.bountysource.com/teams/gitea" title="Bountysource">
+    <img src="https://img.shields.io/bountysource/team/gitea/activity">
+  </a>
 </p>

 <p align="center">
@ -59,16 +62,11 @@ painless way of setting up a self-hosted Git service.
 As Gitea is written in Go, it works across **all** the platforms and
 architectures that are supported by Go, including Linux, macOS, and
 Windows on x86, amd64, ARM and PowerPC architectures.
+You can try it out using [the online demo](https://try.gitea.io/).
 This project has been
-[forked](https://blog.gitea.com/welcome-to-gitea/) from
+[forked](https://blog.gitea.io/2016/12/welcome-to-gitea/) from
 [Gogs](https://gogs.io) since November of 2016, but a lot has changed.

-For online demonstrations, you can visit [try.gitea.io](https://try.gitea.io).
-
-For accessing free Gitea service (with a limited number of repositories), you can visit [gitea.com](https://gitea.com/user/login).
-
-To quickly deploy your own dedicated Gitea instance on Gitea Cloud, you can start a free trial at [cloud.gitea.com](https://cloud.gitea.com).
-
 ## Building

 From the root of the source tree, run:
@ -81,28 +79,30 @@ or if SQLite support is required:

 The `build` target is split into two sub-targets:

- `make backend` which requires [Go Stable](https://go.dev/dl/), the required version is defined in [go.mod](/go.mod).
- `make frontend` which requires [Node.js LTS](https://nodejs.org/en/download/) or greater.
+- `make backend` which requires [Go Stable](https://go.dev/dl/), required version is defined in [go.mod](/go.mod).
+- `make frontend` which requires [Node.js LTS](https://nodejs.org/en/download/) or greater and Internet connectivity to download npm dependencies.

-Internet connectivity is required to download the go and npm modules. When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js.
+When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js and Internet connectivity.

-More info: https://docs.gitea.com/installation/install-from-source
+Parallelism (`make -j <num>`) is not supported.
+
+More info: https://docs.gitea.io/en-us/install-from-source/

 ## Using

    ./gitea web

-> [!NOTE]
-> If you're interested in using our APIs, we have experimental support with [documentation](https://try.gitea.io/api/swagger).
+NOTE: If you're interested in using our APIs, we have experimental
+support with [documentation](https://try.gitea.io/api/swagger).

 ## Contributing

 Expected workflow is: Fork -> Patch -> Push -> Pull Request

-> [!NOTE]
->
-> 1. **YOU MUST READ THE [CONTRIBUTORS GUIDE](CONTRIBUTING.md) BEFORE STARTING TO WORK ON A PULL REQUEST.**
-> 2. If you have found a vulnerability in the project, please write privately to **security@gitea.io**. Thanks!
+NOTES:
+
+1. **YOU MUST READ THE [CONTRIBUTORS GUIDE](CONTRIBUTING.md) BEFORE STARTING TO WORK ON A PULL REQUEST.**
+2. If you have found a vulnerability in the project, please write privately to **security@gitea.io**. Thanks!

 ## Translating

@ -110,17 +110,19 @@ Translations are done through Crowdin. If you want to translate to a new languag

 You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope to fill it as questions pop up.

-https://docs.gitea.com/contributing/localization
+https://docs.gitea.io/en-us/contributing/translation-guidelines/

 [![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)

 ## Further information

-For more information and instructions about how to install Gitea, please look at our [documentation](https://docs.gitea.com/).
+For more information and instructions about how to install Gitea, please look at our [documentation](https://docs.gitea.io/en-us/).
 If you have questions that are not covered by the documentation, you can get in contact with us on our [Discord server](https://discord.gg/Gitea) or create  a post in the [discourse forum](https://discourse.gitea.io/).

 We maintain a list of Gitea-related projects at [gitea/awesome-gitea](https://gitea.com/gitea/awesome-gitea).

+The Hugo-based documentation theme is hosted at [gitea/theme](https://gitea.com/gitea/theme).
+
 The official Gitea CLI is developed at [gitea/tea](https://gitea.com/gitea/tea).

 ## Authors
@ -149,6 +151,7 @@ Support this project by becoming a sponsor. Your logo will show up here with a l
 <a href="https://opencollective.com/gitea/sponsor/7/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/7/avatar.svg"></a>
 <a href="https://opencollective.com/gitea/sponsor/8/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/8/avatar.svg"></a>
 <a href="https://opencollective.com/gitea/sponsor/9/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/9/avatar.svg"></a>
+<a href="https://cynkra.com/" target="_blank"><img src="https://images.opencollective.com/cynkra/logo/square/64/192.png"></a>

 ## FAQ

@ -173,5 +176,5 @@ Looking for an overview of the interface? Check it out!
 |![Dashboard](https://dl.gitea.com/screenshots/home_timeline.png)|![User Profile](https://dl.gitea.com/screenshots/user_profile.png)|![Global Issues](https://dl.gitea.com/screenshots/global_issues.png)|
 |:---:|:---:|:---:|
 |![Branches](https://dl.gitea.com/screenshots/branches.png)|![Web Editor](https://dl.gitea.com/screenshots/web_editor.png)|![Activity](https://dl.gitea.com/screenshots/activity.png)|
-|![New Migration](https://dl.gitea.com/screenshots/migration.png)|![Migrating](https://dl.gitea.com/screenshots/migration.gif)|![Pull Request View](https://image.ibb.co/e02dSb/6.png)|
-|![Pull Request Dark](https://dl.gitea.com/screenshots/pull_requests_dark.png)|![Diff Review Dark](https://dl.gitea.com/screenshots/review_dark.png)|![Diff Dark](https://dl.gitea.com/screenshots/diff_dark.png)|
+|![New Migration](https://dl.gitea.com/screenshots/migration.png)|![Migrating](https://dl.gitea.com/screenshots/migration.gif)|![Pull Request View](https://image.ibb.co/e02dSb/6.png)
+![Pull Request Dark](https://dl.gitea.com/screenshots/pull_requests_dark.png)|![Diff Review Dark](https://dl.gitea.com/screenshots/review_dark.png)|![Diff Dark](https://dl.gitea.com/screenshots/diff_dark.png)|
--- a/README_ZH.md
+++ b/README_ZH.md
@ -1,13 +1,13 @@
 <p align="center">
  <a href="https://gitea.io/">
-    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/assets/img/gitea.svg" width="220"/>
+    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/gitea.svg" width="220"/>
  </a>
 </p>
 <h1 align="center">Gitea - Git with a cup of tea</h1>

 <p align="center">
-  <a href="https://github.com/go-gitea/gitea/actions/workflows/release-nightly.yml?query=branch%3Amain" title="Release Nightly">
-    <img src="https://github.com/go-gitea/gitea/actions/workflows/release-nightly.yml/badge.svg?branch=main">
+  <a href="https://drone.gitea.io/go-gitea/gitea" title="Build Status">
+    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/main">
  </a>
  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
    <img src="https://img.shields.io/discord/322538954119184384.svg">
@ -45,6 +45,9 @@
  <a href="https://www.tickgit.com/browse?repo=github.com/go-gitea/gitea&branch=main" title="TODOs">
    <img src="https://badgen.net/https/api.tickgit.com/badgen/github.com/go-gitea/gitea/main">
  </a>
+  <a href="https://app.bountysource.com/teams/gitea" title="Bountysource">
+    <img src="https://img.shields.io/bountysource/team/gitea/activity">
+  </a>
 </p>

 <p align="center">
@ -55,11 +58,7 @@

 Gitea 的首要目标是创建一个极易安装，运行非常快速，安装和使用体验良好的自建 Git 服务。我们采用 Go 作为后端语言，这使我们只要生成一个可执行程序即可。并且他还支持跨平台，支持 Linux, macOS 和 Windows 以及各种架构，除了 x86，amd64，还包括 ARM 和 PowerPC。

-如果你想试用在线演示，请访问 [try.gitea.io](https://try.gitea.io/)。
-
-如果你想使用免费的 Gitea 服务（有仓库数量限制），请访问 [gitea.com](https://gitea.com/user/login)。
-
-如果你想在 Gitea Cloud 上快速部署你自己独享的 Gitea 实例，请访问 [cloud.gitea.com](https://cloud.gitea.com) 开始免费试用。
+如果您想试用一下，请访问 [在线Demo](https://try.gitea.io/)！

 ## 提示

@ -69,7 +68,7 @@ Gitea 的首要目标是创建一个极易安装，运行非常快速，安装

 ## 文档

-关于如何安装请访问我们的 [文档站](https://docs.gitea.com/zh-cn/category/installation)，如果没有找到对应的文档，你也可以通过 [Discord - 英文](https://discord.gg/gitea) 和 QQ群 328432459 来和我们交流。
+关于如何安装请访问我们的 [文档站](https://docs.gitea.io/zh-cn/)，如果没有找到对应的文档，你也可以通过 [Discord - 英文](https://discord.gg/gitea) 和 QQ群 328432459 来和我们交流。

 ## 贡献流程

@ -95,5 +94,5 @@ Fork -> Patch -> Push -> Pull Request
 |![Dashboard](https://dl.gitea.com/screenshots/home_timeline.png)|![User Profile](https://dl.gitea.com/screenshots/user_profile.png)|![Global Issues](https://dl.gitea.com/screenshots/global_issues.png)|
 |:---:|:---:|:---:|
 |![Branches](https://dl.gitea.com/screenshots/branches.png)|![Web Editor](https://dl.gitea.com/screenshots/web_editor.png)|![Activity](https://dl.gitea.com/screenshots/activity.png)|
-|![New Migration](https://dl.gitea.com/screenshots/migration.png)|![Migrating](https://dl.gitea.com/screenshots/migration.gif)|![Pull Request View](https://image.ibb.co/e02dSb/6.png)|
-|![Pull Request Dark](https://dl.gitea.com/screenshots/pull_requests_dark.png)|![Diff Review Dark](https://dl.gitea.com/screenshots/review_dark.png)|![Diff Dark](https://dl.gitea.com/screenshots/diff_dark.png)|
+|![New Migration](https://dl.gitea.com/screenshots/migration.png)|![Migrating](https://dl.gitea.com/screenshots/migration.gif)|![Pull Request View](https://image.ibb.co/e02dSb/6.png)
+![Pull Request Dark](https://dl.gitea.com/screenshots/pull_requests_dark.png)|![Diff Review Dark](https://dl.gitea.com/screenshots/review_dark.png)|![Diff Dark](https://dl.gitea.com/screenshots/diff_dark.png)|
--- a/SECURITY.md
+++ b/SECURITY.md
@ -4,15 +4,13 @@ The Gitea maintainers take security seriously.

 If you discover a security issue, please bring it to their attention right away!

-Previous vulnerabilities are listed at https://about.gitea.com/security.
-
 ## Reporting a Vulnerability

 Please **DO NOT** file a public issue, instead send your report privately to `security@gitea.io`.

 ## Protecting Security Information

-Due to the sensitive nature of security information, you can use the below GPG public key to encrypt your mail body.
+Due to the sensitive nature of security information, you can use below GPG public key encrypt your mail body.

 The PGP key is valid until June 24, 2024.

--- a/assets/emoji.json
+++ b/assets/emoji.json
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
--- a/build/backport-locales.go
+++ b/build/backport-locales.go
@ -12,7 +12,6 @@ import (
 	"path/filepath"
 	"strings"

-	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/setting"
 )

@ -59,7 +58,7 @@ func main() {

 	// use old en-US as the base, and copy the new translations to the old locales
 	enUsOld := inisOld["options/locale/locale_en-US.ini"]
-	brokenWarned := make(container.Set[string])
+	brokenWarned := map[string]bool{}
 	for path, iniOld := range inisOld {
 		if iniOld == enUsOld {
 			continue
@ -78,7 +77,7 @@ func main() {
 					broken := oldStr != "" && strings.Count(oldStr, "%") != strings.Count(newStr, "%")
 					broken = broken || strings.Contains(oldStr, "\n") || strings.Contains(oldStr, "\n")
 					if broken {
-						brokenWarned.Add(secOld.Name() + "." + keyEnUs.Name())
+						brokenWarned[secOld.Name()+"."+keyEnUs.Name()] = true
 						fmt.Println("----")
 						fmt.Printf("WARNING: skip broken locale: %s , [%s] %s\n", path, secEnUS.Name(), keyEnUs.Name())
 						fmt.Printf("\told: %s\n", strings.ReplaceAll(oldStr, "\n", "\\n"))
@ -104,7 +103,7 @@ func main() {
 				broken = broken || strings.HasPrefix(str, "`\"")
 				broken = broken || strings.Count(str, `"`)%2 == 1
 				broken = broken || strings.Count(str, "`")%2 == 1
-				if broken && !brokenWarned.Contains(sec.Name()+"."+key.Name()) {
+				if broken && !brokenWarned[sec.Name()+"."+key.Name()] {
 					fmt.Printf("WARNING: found broken locale: %s , [%s] %s\n", path, sec.Name(), key.Name())
 					fmt.Printf("\tstr: %s\n", strings.ReplaceAll(str, "\n", "\\n"))
 					fmt.Println("----")
--- a/build/code-batch-process.go
+++ b/build/code-batch-process.go
@ -25,7 +25,7 @@ import (

 var optionLogVerbose bool

-func logVerbose(msg string, args ...any) {
+func logVerbose(msg string, args ...interface{}) {
 	if optionLogVerbose {
 		log.Printf(msg, args...)
 	}
--- a/build/generate-emoji.go
+++ b/build/generate-emoji.go
@ -25,7 +25,7 @@ import (

 const (
 	gemojiURL         = "https://raw.githubusercontent.com/github/gemoji/master/db/emoji.json"
-	maxUnicodeVersion = 15
+	maxUnicodeVersion = 14
 )

 var flagOut = flag.String("o", "modules/emoji/emoji_data.go", "out")
--- a/build/generate-go-licenses.go
+++ b/build/generate-go-licenses.go
@ -15,8 +15,6 @@ import (
 	"regexp"
 	"sort"
 	"strings"
-
-	"code.gitea.io/gitea/modules/container"
 )

 // regexp is based on go-license, excluding README and NOTICE
@ -57,14 +55,20 @@ func main() {
 	//    yml
 	//
 	// It could be removed once we have a better regex.
-	excludedExt := container.SetOf(".gitignore", ".go", ".mod", ".sum", ".toml", ".yml")
-
+	excludedExt := map[string]bool{
+		".gitignore": true,
+		".go":        true,
+		".mod":       true,
+		".sum":       true,
+		".toml":      true,
+		".yml":       true,
+	}
 	var paths []string
 	err := filepath.WalkDir(base, func(path string, entry fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
-		if entry.IsDir() || !licenseRe.MatchString(entry.Name()) || excludedExt.Contains(filepath.Ext(entry.Name())) {
+		if entry.IsDir() || !licenseRe.MatchString(entry.Name()) || excludedExt[filepath.Ext(entry.Name())] {
 			return nil
 		}
 		paths = append(paths, path)
--- a/build/generate-images.js
+++ b/build/generate-images.js
@ -1,13 +1,20 @@
 #!/usr/bin/env node
 import imageminZopfli from 'imagemin-zopfli';
 import {optimize} from 'svgo';
-import {loadSVGFromString, Canvas, Rect, util} from 'fabric/node';
+import {fabric} from 'fabric';
 import {readFile, writeFile} from 'node:fs/promises';
-import {argv, exit} from 'node:process';

-function doExit(err) {
+function exit(err) {
  if (err) console.error(err);
-  exit(err ? 1 : 0);
+  process.exit(err ? 1 : 0);
+}
+
+function loadSvg(svg) {
+  return new Promise((resolve) => {
+    fabric.loadSVGFromString(svg, (objects, options) => {
+      resolve({objects, options});
+    });
+  });
 }

 async function generate(svg, path, {size, bg}) {
@ -28,14 +35,14 @@ async function generate(svg, path, {size, bg}) {
    return;
  }

-  const {objects, options} = await loadSVGFromString(svg);
-  const canvas = new Canvas();
+  const {objects, options} = await loadSvg(svg);
+  const canvas = new fabric.Canvas();
  canvas.setDimensions({width: size, height: size});
  const ctx = canvas.getContext('2d');
  ctx.scale(options.width ? (size / options.width) : 1, options.height ? (size / options.height) : 1);

  if (bg) {
-    canvas.add(new Rect({
+    canvas.add(new fabric.Rect({
      left: 0,
      top: 0,
      height: size * (1 / (size / options.height)),
@ -44,7 +51,7 @@ async function generate(svg, path, {size, bg}) {
    }));
  }

-  canvas.add(util.groupSVGElements(objects, options));
+  canvas.add(fabric.util.groupSVGElements(objects, options));
  canvas.renderAll();

  let png = Buffer.from([]);
@ -57,23 +64,19 @@ async function generate(svg, path, {size, bg}) {
 }

 async function main() {
-  const gitea = argv.slice(2).includes('gitea');
+  const gitea = process.argv.slice(2).includes('gitea');
  const logoSvg = await readFile(new URL('../assets/logo.svg', import.meta.url), 'utf8');
  const faviconSvg = await readFile(new URL('../assets/favicon.svg', import.meta.url), 'utf8');

  await Promise.all([
-    generate(logoSvg, '../public/assets/img/logo.svg', {size: 32}),
-    generate(logoSvg, '../public/assets/img/logo.png', {size: 512}),
-    generate(faviconSvg, '../public/assets/img/favicon.svg', {size: 32}),
-    generate(faviconSvg, '../public/assets/img/favicon.png', {size: 180}),
-    generate(logoSvg, '../public/assets/img/avatar_default.png', {size: 200}),
-    generate(logoSvg, '../public/assets/img/apple-touch-icon.png', {size: 180, bg: true}),
-    gitea && generate(logoSvg, '../public/assets/img/gitea.svg', {size: 32}),
+    generate(logoSvg, '../public/img/logo.svg', {size: 32}),
+    generate(logoSvg, '../public/img/logo.png', {size: 512}),
+    generate(faviconSvg, '../public/img/favicon.svg', {size: 32}),
+    generate(faviconSvg, '../public/img/favicon.png', {size: 180}),
+    generate(logoSvg, '../public/img/avatar_default.png', {size: 200}),
+    generate(logoSvg, '../public/img/apple-touch-icon.png', {size: 180, bg: true}),
+    gitea && generate(logoSvg, '../public/img/gitea.svg', {size: 32}),
  ]);
 }

-try {
-  doExit(await main());
-} catch (err) {
-  doExit(err);
-}
+main().then(exit).catch(exit);
--- a/build/generate-svg.js
+++ b/build/generate-svg.js
@ -4,16 +4,15 @@ import {optimize} from 'svgo';
 import {parse} from 'node:path';
 import {readFile, writeFile, mkdir} from 'node:fs/promises';
 import {fileURLToPath} from 'node:url';
-import {exit} from 'node:process';

 const glob = (pattern) => fastGlob.sync(pattern, {
  cwd: fileURLToPath(new URL('..', import.meta.url)),
  absolute: true,
 });

-function doExit(err) {
+function exit(err) {
  if (err) console.error(err);
-  exit(err ? 1 : 0);
+  process.exit(err ? 1 : 0);
 }

 async function processFile(file, {prefix, fullName} = {}) {
@ -45,7 +44,7 @@ async function processFile(file, {prefix, fullName} = {}) {
    ],
  });

-  await writeFile(fileURLToPath(new URL(`../public/assets/img/svg/${name}.svg`, import.meta.url)), data);
+  await writeFile(fileURLToPath(new URL(`../public/img/svg/${name}.svg`, import.meta.url)), data);
 }

 function processFiles(pattern, opts) {
@ -54,18 +53,14 @@ function processFiles(pattern, opts) {

 async function main() {
  try {
-    await mkdir(fileURLToPath(new URL('../public/assets/img/svg', import.meta.url)), {recursive: true});
+    await mkdir(fileURLToPath(new URL('../public/img/svg', import.meta.url)), {recursive: true});
  } catch {}

  await Promise.all([
    ...processFiles('node_modules/@primer/octicons/build/svg/*-16.svg', {prefix: 'octicon'}),
    ...processFiles('web_src/svg/*.svg'),
-    ...processFiles('public/assets/img/gitea.svg', {fullName: 'gitea-gitea'}),
+    ...processFiles('public/img/gitea.svg', {fullName: 'gitea-gitea'}),
  ]);
 }

-try {
-  doExit(await main());
-} catch (err) {
-  doExit(err);
-}
+main().then(exit).catch(exit);
--- a/cmd/actions.go
+++ b/cmd/actions.go
@ -9,30 +9,30 @@ import (
 	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 var (
 	// CmdActions represents the available actions sub-commands.
-	CmdActions = &cli.Command{
-		Name:  "actions",
-		Usage: "Manage Gitea Actions",
-		Subcommands: []*cli.Command{
+	CmdActions = cli.Command{
+		Name:        "actions",
+		Usage:       "",
+		Description: "Commands for managing Gitea Actions",
+		Subcommands: []cli.Command{
 			subcmdActionsGenRunnerToken,
 		},
 	}

-	subcmdActionsGenRunnerToken = &cli.Command{
+	subcmdActionsGenRunnerToken = cli.Command{
 		Name:    "generate-runner-token",
 		Usage:   "Generate a new token for a runner to use to register with the server",
 		Action:  runGenerateActionsRunnerToken,
 		Aliases: []string{"grt"},
 		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:    "scope",
-				Aliases: []string{"s"},
-				Value:   "",
-				Usage:   "{owner}[/{repo}] - leave empty for a global runner",
+			cli.StringFlag{
+				Name:  "scope, s",
+				Value: "",
+				Usage: "{owner}[/{repo}] - leave empty for a global runner",
 			},
 		},
 	}
@ -50,6 +50,6 @@ func runGenerateActionsRunnerToken(c *cli.Context) error {
 	if extra.HasError() {
 		return handleCliResponseExtra(extra)
 	}
-	_, _ = fmt.Printf("%s\n", respText.Text)
+	_, _ = fmt.Printf("%s\n", respText)
 	return nil
 }
--- a/cmd/admin.go
+++ b/cmd/admin.go
@ -5,25 +5,36 @@
 package cmd

 import (
-	"context"
+	"errors"
 	"fmt"
+	"net/url"
+	"os"
+	"strings"
+	"text/tabwriter"

+	asymkey_model "code.gitea.io/gitea/models/asymkey"
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/modules/git"
-	"code.gitea.io/gitea/modules/gitrepo"
+	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/log"
 	repo_module "code.gitea.io/gitea/modules/repository"
+	"code.gitea.io/gitea/modules/util"
+	auth_service "code.gitea.io/gitea/services/auth"
+	"code.gitea.io/gitea/services/auth/source/oauth2"
+	"code.gitea.io/gitea/services/auth/source/smtp"
+	repo_service "code.gitea.io/gitea/services/repository"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 var (
 	// CmdAdmin represents the available admin sub-command.
-	CmdAdmin = &cli.Command{
+	CmdAdmin = cli.Command{
 		Name:  "admin",
-		Usage: "Perform common administrative operations",
-		Subcommands: []*cli.Command{
+		Usage: "Command line interface to perform common administrative operations",
+		Subcommands: []cli.Command{
 			subcmdUser,
 			subcmdRepoSyncReleases,
 			subcmdRegenerate,
@ -32,31 +43,43 @@ var (
 		},
 	}

-	subcmdRepoSyncReleases = &cli.Command{
+	subcmdRepoSyncReleases = cli.Command{
 		Name:   "repo-sync-releases",
 		Usage:  "Synchronize repository releases with tags",
 		Action: runRepoSyncReleases,
 	}

-	subcmdRegenerate = &cli.Command{
+	subcmdRegenerate = cli.Command{
 		Name:  "regenerate",
 		Usage: "Regenerate specific files",
-		Subcommands: []*cli.Command{
+		Subcommands: []cli.Command{
 			microcmdRegenHooks,
 			microcmdRegenKeys,
 		},
 	}

-	subcmdAuth = &cli.Command{
+	microcmdRegenHooks = cli.Command{
+		Name:   "hooks",
+		Usage:  "Regenerate git-hooks",
+		Action: runRegenerateHooks,
+	}
+
+	microcmdRegenKeys = cli.Command{
+		Name:   "keys",
+		Usage:  "Regenerate authorized_keys file",
+		Action: runRegenerateKeys,
+	}
+
+	subcmdAuth = cli.Command{
 		Name:  "auth",
 		Usage: "Modify external auth providers",
-		Subcommands: []*cli.Command{
+		Subcommands: []cli.Command{
 			microcmdAuthAddOauth,
 			microcmdAuthUpdateOauth,
-			microcmdAuthAddLdapBindDn,
-			microcmdAuthUpdateLdapBindDn,
-			microcmdAuthAddLdapSimpleAuth,
-			microcmdAuthUpdateLdapSimpleAuth,
+			cmdAuthAddLdapBindDn,
+			cmdAuthUpdateLdapBindDn,
+			cmdAuthAddLdapSimpleAuth,
+			cmdAuthUpdateLdapSimpleAuth,
 			microcmdAuthAddSMTP,
 			microcmdAuthUpdateSMTP,
 			microcmdAuthList,
@ -64,33 +87,257 @@ var (
 		},
 	}

-	subcmdSendMail = &cli.Command{
-		Name:   "sendmail",
-		Usage:  "Send a message to all users",
-		Action: runSendMail,
+	microcmdAuthList = cli.Command{
+		Name:   "list",
+		Usage:  "List auth sources",
+		Action: runListAuth,
 		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:  "title",
-				Usage: `a title of a message`,
-				Value: "",
+			cli.IntFlag{
+				Name:  "min-width",
+				Usage: "Minimal cell width including any padding for the formatted table",
+				Value: 0,
 			},
-			&cli.StringFlag{
-				Name:  "content",
-				Usage: "a content of a message",
-				Value: "",
+			cli.IntFlag{
+				Name:  "tab-width",
+				Usage: "width of tab characters in formatted table (equivalent number of spaces)",
+				Value: 8,
 			},
-			&cli.BoolFlag{
-				Name:    "force",
-				Aliases: []string{"f"},
-				Usage:   "A flag to bypass a confirmation step",
+			cli.IntFlag{
+				Name:  "padding",
+				Usage: "padding added to a cell before computing its width",
+				Value: 1,
+			},
+			cli.StringFlag{
+				Name:  "pad-char",
+				Usage: `ASCII char used for padding if padchar == '\\t', the Writer will assume that the width of a '\\t' in the formatted output is tabwidth, and cells are left-aligned independent of align_left (for correct-looking results, tabwidth must correspond to the tab width in the viewer displaying the result)`,
+				Value: "\t",
+			},
+			cli.BoolFlag{
+				Name:  "vertical-bars",
+				Usage: "Set to true to print vertical bars between columns",
 			},
 		},
 	}

-	idFlag = &cli.Int64Flag{
+	idFlag = cli.Int64Flag{
 		Name:  "id",
 		Usage: "ID of authentication source",
 	}
+
+	microcmdAuthDelete = cli.Command{
+		Name:   "delete",
+		Usage:  "Delete specific auth source",
+		Flags:  []cli.Flag{idFlag},
+		Action: runDeleteAuth,
+	}
+
+	oauthCLIFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "name",
+			Value: "",
+			Usage: "Application Name",
+		},
+		cli.StringFlag{
+			Name:  "provider",
+			Value: "",
+			Usage: "OAuth2 Provider",
+		},
+		cli.StringFlag{
+			Name:  "key",
+			Value: "",
+			Usage: "Client ID (Key)",
+		},
+		cli.StringFlag{
+			Name:  "secret",
+			Value: "",
+			Usage: "Client Secret",
+		},
+		cli.StringFlag{
+			Name:  "auto-discover-url",
+			Value: "",
+			Usage: "OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider)",
+		},
+		cli.StringFlag{
+			Name:  "use-custom-urls",
+			Value: "false",
+			Usage: "Use custom URLs for GitLab/GitHub OAuth endpoints",
+		},
+		cli.StringFlag{
+			Name:  "custom-tenant-id",
+			Value: "",
+			Usage: "Use custom Tenant ID for OAuth endpoints",
+		},
+		cli.StringFlag{
+			Name:  "custom-auth-url",
+			Value: "",
+			Usage: "Use a custom Authorization URL (option for GitLab/GitHub)",
+		},
+		cli.StringFlag{
+			Name:  "custom-token-url",
+			Value: "",
+			Usage: "Use a custom Token URL (option for GitLab/GitHub)",
+		},
+		cli.StringFlag{
+			Name:  "custom-profile-url",
+			Value: "",
+			Usage: "Use a custom Profile URL (option for GitLab/GitHub)",
+		},
+		cli.StringFlag{
+			Name:  "custom-email-url",
+			Value: "",
+			Usage: "Use a custom Email URL (option for GitHub)",
+		},
+		cli.StringFlag{
+			Name:  "icon-url",
+			Value: "",
+			Usage: "Custom icon URL for OAuth2 login source",
+		},
+		cli.BoolFlag{
+			Name:  "skip-local-2fa",
+			Usage: "Set to true to skip local 2fa for users authenticated by this source",
+		},
+		cli.StringSliceFlag{
+			Name:  "scopes",
+			Value: nil,
+			Usage: "Scopes to request when to authenticate against this OAuth2 source",
+		},
+		cli.StringFlag{
+			Name:  "required-claim-name",
+			Value: "",
+			Usage: "Claim name that has to be set to allow users to login with this source",
+		},
+		cli.StringFlag{
+			Name:  "required-claim-value",
+			Value: "",
+			Usage: "Claim value that has to be set to allow users to login with this source",
+		},
+		cli.StringFlag{
+			Name:  "group-claim-name",
+			Value: "",
+			Usage: "Claim name providing group names for this source",
+		},
+		cli.StringFlag{
+			Name:  "admin-group",
+			Value: "",
+			Usage: "Group Claim value for administrator users",
+		},
+		cli.StringFlag{
+			Name:  "restricted-group",
+			Value: "",
+			Usage: "Group Claim value for restricted users",
+		},
+		cli.StringFlag{
+			Name:  "group-team-map",
+			Value: "",
+			Usage: "JSON mapping between groups and org teams",
+		},
+		cli.BoolFlag{
+			Name:  "group-team-map-removal",
+			Usage: "Activate automatic team membership removal depending on groups",
+		},
+	}
+
+	microcmdAuthUpdateOauth = cli.Command{
+		Name:   "update-oauth",
+		Usage:  "Update existing Oauth authentication source",
+		Action: runUpdateOauth,
+		Flags:  append(oauthCLIFlags[:1], append([]cli.Flag{idFlag}, oauthCLIFlags[1:]...)...),
+	}
+
+	microcmdAuthAddOauth = cli.Command{
+		Name:   "add-oauth",
+		Usage:  "Add new Oauth authentication source",
+		Action: runAddOauth,
+		Flags:  oauthCLIFlags,
+	}
+
+	subcmdSendMail = cli.Command{
+		Name:   "sendmail",
+		Usage:  "Send a message to all users",
+		Action: runSendMail,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "title",
+				Usage: `a title of a message`,
+				Value: "",
+			},
+			cli.StringFlag{
+				Name:  "content",
+				Usage: "a content of a message",
+				Value: "",
+			},
+			cli.BoolFlag{
+				Name:  "force,f",
+				Usage: "A flag to bypass a confirmation step",
+			},
+		},
+	}
+
+	smtpCLIFlags = []cli.Flag{
+		cli.StringFlag{
+			Name:  "name",
+			Value: "",
+			Usage: "Application Name",
+		},
+		cli.StringFlag{
+			Name:  "auth-type",
+			Value: "PLAIN",
+			Usage: "SMTP Authentication Type (PLAIN/LOGIN/CRAM-MD5) default PLAIN",
+		},
+		cli.StringFlag{
+			Name:  "host",
+			Value: "",
+			Usage: "SMTP Host",
+		},
+		cli.IntFlag{
+			Name:  "port",
+			Usage: "SMTP Port",
+		},
+		cli.BoolTFlag{
+			Name:  "force-smtps",
+			Usage: "SMTPS is always used on port 465. Set this to force SMTPS on other ports.",
+		},
+		cli.BoolTFlag{
+			Name:  "skip-verify",
+			Usage: "Skip TLS verify.",
+		},
+		cli.StringFlag{
+			Name:  "helo-hostname",
+			Value: "",
+			Usage: "Hostname sent with HELO. Leave blank to send current hostname",
+		},
+		cli.BoolTFlag{
+			Name:  "disable-helo",
+			Usage: "Disable SMTP helo.",
+		},
+		cli.StringFlag{
+			Name:  "allowed-domains",
+			Value: "",
+			Usage: "Leave empty to allow all domains. Separate multiple domains with a comma (',')",
+		},
+		cli.BoolTFlag{
+			Name:  "skip-local-2fa",
+			Usage: "Skip 2FA to log on.",
+		},
+		cli.BoolTFlag{
+			Name:  "active",
+			Usage: "This Authentication Source is Activated.",
+		},
+	}
+
+	microcmdAuthAddSMTP = cli.Command{
+		Name:   "add-smtp",
+		Usage:  "Add new SMTP authentication source",
+		Action: runAddSMTP,
+		Flags:  smtpCLIFlags,
+	}
+
+	microcmdAuthUpdateSMTP = cli.Command{
+		Name:   "update-smtp",
+		Usage:  "Update existing SMTP authentication source",
+		Action: runUpdateSMTP,
+		Flags:  append(smtpCLIFlags[:1], append([]cli.Flag{idFlag}, smtpCLIFlags[1:]...)...),
+	}
 )

 func runRepoSyncReleases(_ *cli.Context) error {
@ -101,10 +348,6 @@ func runRepoSyncReleases(_ *cli.Context) error {
 		return err
 	}

-	if err := git.InitSimple(ctx); err != nil {
-		return err
-	}
-
 	log.Trace("Synchronizing repository releases (this may take a while)")
 	for page := 1; ; page++ {
 		repos, count, err := repo_model.SearchRepositoryByName(ctx, &repo_model.SearchRepoOptions{
@ -123,25 +366,25 @@ func runRepoSyncReleases(_ *cli.Context) error {
 		log.Trace("Processing next %d repos of %d", len(repos), count)
 		for _, repo := range repos {
 			log.Trace("Synchronizing repo %s with path %s", repo.FullName(), repo.RepoPath())
-			gitRepo, err := gitrepo.OpenRepository(ctx, repo)
+			gitRepo, err := git.OpenRepository(ctx, repo.RepoPath())
 			if err != nil {
 				log.Warn("OpenRepository: %v", err)
 				continue
 			}

-			oldnum, err := getReleaseCount(ctx, repo.ID)
+			oldnum, err := getReleaseCount(repo.ID)
 			if err != nil {
 				log.Warn(" GetReleaseCountByRepoID: %v", err)
 			}
 			log.Trace(" currentNumReleases is %d, running SyncReleasesWithTags", oldnum)

-			if err = repo_module.SyncReleasesWithTags(ctx, repo, gitRepo); err != nil {
+			if err = repo_module.SyncReleasesWithTags(repo, gitRepo); err != nil {
 				log.Warn(" SyncReleasesWithTags: %v", err)
 				gitRepo.Close()
 				continue
 			}

-			count, err = getReleaseCount(ctx, repo.ID)
+			count, err = getReleaseCount(repo.ID)
 			if err != nil {
 				log.Warn(" GetReleaseCountByRepoID: %v", err)
 				gitRepo.Close()
@ -157,12 +400,360 @@ func runRepoSyncReleases(_ *cli.Context) error {
 	return nil
 }

-func getReleaseCount(ctx context.Context, id int64) (int64, error) {
-	return db.Count[repo_model.Release](
-		ctx,
+func getReleaseCount(id int64) (int64, error) {
+	return repo_model.GetReleaseCountByRepoID(
+		db.DefaultContext,
+		id,
 		repo_model.FindReleasesOptions{
-			RepoID:      id,
 			IncludeTags: true,
 		},
 	)
 }
+
+func runRegenerateHooks(_ *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+	return repo_service.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
+}
+
+func runRegenerateKeys(_ *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+	return asymkey_model.RewriteAllPublicKeys()
+}
+
+func parseOAuth2Config(c *cli.Context) *oauth2.Source {
+	var customURLMapping *oauth2.CustomURLMapping
+	if c.IsSet("use-custom-urls") {
+		customURLMapping = &oauth2.CustomURLMapping{
+			TokenURL:   c.String("custom-token-url"),
+			AuthURL:    c.String("custom-auth-url"),
+			ProfileURL: c.String("custom-profile-url"),
+			EmailURL:   c.String("custom-email-url"),
+			Tenant:     c.String("custom-tenant-id"),
+		}
+	} else {
+		customURLMapping = nil
+	}
+	return &oauth2.Source{
+		Provider:                      c.String("provider"),
+		ClientID:                      c.String("key"),
+		ClientSecret:                  c.String("secret"),
+		OpenIDConnectAutoDiscoveryURL: c.String("auto-discover-url"),
+		CustomURLMapping:              customURLMapping,
+		IconURL:                       c.String("icon-url"),
+		SkipLocalTwoFA:                c.Bool("skip-local-2fa"),
+		Scopes:                        c.StringSlice("scopes"),
+		RequiredClaimName:             c.String("required-claim-name"),
+		RequiredClaimValue:            c.String("required-claim-value"),
+		GroupClaimName:                c.String("group-claim-name"),
+		AdminGroup:                    c.String("admin-group"),
+		RestrictedGroup:               c.String("restricted-group"),
+		GroupTeamMap:                  c.String("group-team-map"),
+		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
+	}
+}
+
+func runAddOauth(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	config := parseOAuth2Config(c)
+	if config.Provider == "openidConnect" {
+		discoveryURL, err := url.Parse(config.OpenIDConnectAutoDiscoveryURL)
+		if err != nil || (discoveryURL.Scheme != "http" && discoveryURL.Scheme != "https") {
+			return fmt.Errorf("invalid Auto Discovery URL: %s (this must be a valid URL starting with http:// or https://)", config.OpenIDConnectAutoDiscoveryURL)
+		}
+	}
+
+	return auth_model.CreateSource(&auth_model.Source{
+		Type:     auth_model.OAuth2,
+		Name:     c.String("name"),
+		IsActive: true,
+		Cfg:      config,
+	})
+}
+
+func runUpdateOauth(c *cli.Context) error {
+	if !c.IsSet("id") {
+		return fmt.Errorf("--id flag is missing")
+	}
+
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	source, err := auth_model.GetSourceByID(c.Int64("id"))
+	if err != nil {
+		return err
+	}
+
+	oAuth2Config := source.Cfg.(*oauth2.Source)
+
+	if c.IsSet("name") {
+		source.Name = c.String("name")
+	}
+
+	if c.IsSet("provider") {
+		oAuth2Config.Provider = c.String("provider")
+	}
+
+	if c.IsSet("key") {
+		oAuth2Config.ClientID = c.String("key")
+	}
+
+	if c.IsSet("secret") {
+		oAuth2Config.ClientSecret = c.String("secret")
+	}
+
+	if c.IsSet("auto-discover-url") {
+		oAuth2Config.OpenIDConnectAutoDiscoveryURL = c.String("auto-discover-url")
+	}
+
+	if c.IsSet("icon-url") {
+		oAuth2Config.IconURL = c.String("icon-url")
+	}
+
+	if c.IsSet("scopes") {
+		oAuth2Config.Scopes = c.StringSlice("scopes")
+	}
+
+	if c.IsSet("required-claim-name") {
+		oAuth2Config.RequiredClaimName = c.String("required-claim-name")
+	}
+	if c.IsSet("required-claim-value") {
+		oAuth2Config.RequiredClaimValue = c.String("required-claim-value")
+	}
+
+	if c.IsSet("group-claim-name") {
+		oAuth2Config.GroupClaimName = c.String("group-claim-name")
+	}
+	if c.IsSet("admin-group") {
+		oAuth2Config.AdminGroup = c.String("admin-group")
+	}
+	if c.IsSet("restricted-group") {
+		oAuth2Config.RestrictedGroup = c.String("restricted-group")
+	}
+	if c.IsSet("group-team-map") {
+		oAuth2Config.GroupTeamMap = c.String("group-team-map")
+	}
+	if c.IsSet("group-team-map-removal") {
+		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
+	}
+
+	// update custom URL mapping
+	customURLMapping := &oauth2.CustomURLMapping{}
+
+	if oAuth2Config.CustomURLMapping != nil {
+		customURLMapping.TokenURL = oAuth2Config.CustomURLMapping.TokenURL
+		customURLMapping.AuthURL = oAuth2Config.CustomURLMapping.AuthURL
+		customURLMapping.ProfileURL = oAuth2Config.CustomURLMapping.ProfileURL
+		customURLMapping.EmailURL = oAuth2Config.CustomURLMapping.EmailURL
+		customURLMapping.Tenant = oAuth2Config.CustomURLMapping.Tenant
+	}
+	if c.IsSet("use-custom-urls") && c.IsSet("custom-token-url") {
+		customURLMapping.TokenURL = c.String("custom-token-url")
+	}
+
+	if c.IsSet("use-custom-urls") && c.IsSet("custom-auth-url") {
+		customURLMapping.AuthURL = c.String("custom-auth-url")
+	}
+
+	if c.IsSet("use-custom-urls") && c.IsSet("custom-profile-url") {
+		customURLMapping.ProfileURL = c.String("custom-profile-url")
+	}
+
+	if c.IsSet("use-custom-urls") && c.IsSet("custom-email-url") {
+		customURLMapping.EmailURL = c.String("custom-email-url")
+	}
+
+	if c.IsSet("use-custom-urls") && c.IsSet("custom-tenant-id") {
+		customURLMapping.Tenant = c.String("custom-tenant-id")
+	}
+
+	oAuth2Config.CustomURLMapping = customURLMapping
+	source.Cfg = oAuth2Config
+
+	return auth_model.UpdateSource(source)
+}
+
+func parseSMTPConfig(c *cli.Context, conf *smtp.Source) error {
+	if c.IsSet("auth-type") {
+		conf.Auth = c.String("auth-type")
+		validAuthTypes := []string{"PLAIN", "LOGIN", "CRAM-MD5"}
+		if !util.SliceContainsString(validAuthTypes, strings.ToUpper(c.String("auth-type"))) {
+			return errors.New("Auth must be one of PLAIN/LOGIN/CRAM-MD5")
+		}
+		conf.Auth = c.String("auth-type")
+	}
+	if c.IsSet("host") {
+		conf.Host = c.String("host")
+	}
+	if c.IsSet("port") {
+		conf.Port = c.Int("port")
+	}
+	if c.IsSet("allowed-domains") {
+		conf.AllowedDomains = c.String("allowed-domains")
+	}
+	if c.IsSet("force-smtps") {
+		conf.ForceSMTPS = c.BoolT("force-smtps")
+	}
+	if c.IsSet("skip-verify") {
+		conf.SkipVerify = c.BoolT("skip-verify")
+	}
+	if c.IsSet("helo-hostname") {
+		conf.HeloHostname = c.String("helo-hostname")
+	}
+	if c.IsSet("disable-helo") {
+		conf.DisableHelo = c.BoolT("disable-helo")
+	}
+	if c.IsSet("skip-local-2fa") {
+		conf.SkipLocalTwoFA = c.BoolT("skip-local-2fa")
+	}
+	return nil
+}
+
+func runAddSMTP(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	if !c.IsSet("name") || len(c.String("name")) == 0 {
+		return errors.New("name must be set")
+	}
+	if !c.IsSet("host") || len(c.String("host")) == 0 {
+		return errors.New("host must be set")
+	}
+	if !c.IsSet("port") {
+		return errors.New("port must be set")
+	}
+	active := true
+	if c.IsSet("active") {
+		active = c.BoolT("active")
+	}
+
+	var smtpConfig smtp.Source
+	if err := parseSMTPConfig(c, &smtpConfig); err != nil {
+		return err
+	}
+
+	// If not set default to PLAIN
+	if len(smtpConfig.Auth) == 0 {
+		smtpConfig.Auth = "PLAIN"
+	}
+
+	return auth_model.CreateSource(&auth_model.Source{
+		Type:     auth_model.SMTP,
+		Name:     c.String("name"),
+		IsActive: active,
+		Cfg:      &smtpConfig,
+	})
+}
+
+func runUpdateSMTP(c *cli.Context) error {
+	if !c.IsSet("id") {
+		return fmt.Errorf("--id flag is missing")
+	}
+
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	source, err := auth_model.GetSourceByID(c.Int64("id"))
+	if err != nil {
+		return err
+	}
+
+	smtpConfig := source.Cfg.(*smtp.Source)
+
+	if err := parseSMTPConfig(c, smtpConfig); err != nil {
+		return err
+	}
+
+	if c.IsSet("name") {
+		source.Name = c.String("name")
+	}
+
+	if c.IsSet("active") {
+		source.IsActive = c.BoolT("active")
+	}
+
+	source.Cfg = smtpConfig
+
+	return auth_model.UpdateSource(source)
+}
+
+func runListAuth(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	authSources, err := auth_model.Sources()
+	if err != nil {
+		return err
+	}
+
+	flags := tabwriter.AlignRight
+	if c.Bool("vertical-bars") {
+		flags |= tabwriter.Debug
+	}
+
+	padChar := byte('\t')
+	if len(c.String("pad-char")) > 0 {
+		padChar = c.String("pad-char")[0]
+	}
+
+	// loop through each source and print
+	w := tabwriter.NewWriter(os.Stdout, c.Int("min-width"), c.Int("tab-width"), c.Int("padding"), padChar, flags)
+	fmt.Fprintf(w, "ID\tName\tType\tEnabled\n")
+	for _, source := range authSources {
+		fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", source.ID, source.Name, source.Type.String(), source.IsActive)
+	}
+	w.Flush()
+
+	return nil
+}
+
+func runDeleteAuth(c *cli.Context) error {
+	if !c.IsSet("id") {
+		return fmt.Errorf("--id flag is missing")
+	}
+
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	if err := initDB(ctx); err != nil {
+		return err
+	}
+
+	source, err := auth_model.GetSourceByID(c.Int64("id"))
+	if err != nil {
+		return err
+	}
+
+	return auth_service.DeleteSource(source)
+}
--- a/cmd/admin_auth.go
+++ b/cmd/admin_auth.go
@ -1,110 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"fmt"
-	"os"
-	"text/tabwriter"
-
-	auth_model "code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/models/db"
-	auth_service "code.gitea.io/gitea/services/auth"
-
-	"github.com/urfave/cli/v2"
-)
-
-var (
-	microcmdAuthDelete = &cli.Command{
-		Name:   "delete",
-		Usage:  "Delete specific auth source",
-		Flags:  []cli.Flag{idFlag},
-		Action: runDeleteAuth,
-	}
-	microcmdAuthList = &cli.Command{
-		Name:   "list",
-		Usage:  "List auth sources",
-		Action: runListAuth,
-		Flags: []cli.Flag{
-			&cli.IntFlag{
-				Name:  "min-width",
-				Usage: "Minimal cell width including any padding for the formatted table",
-				Value: 0,
-			},
-			&cli.IntFlag{
-				Name:  "tab-width",
-				Usage: "width of tab characters in formatted table (equivalent number of spaces)",
-				Value: 8,
-			},
-			&cli.IntFlag{
-				Name:  "padding",
-				Usage: "padding added to a cell before computing its width",
-				Value: 1,
-			},
-			&cli.StringFlag{
-				Name:  "pad-char",
-				Usage: `ASCII char used for padding if padchar == '\\t', the Writer will assume that the width of a '\\t' in the formatted output is tabwidth, and cells are left-aligned independent of align_left (for correct-looking results, tabwidth must correspond to the tab width in the viewer displaying the result)`,
-				Value: "\t",
-			},
-			&cli.BoolFlag{
-				Name:  "vertical-bars",
-				Usage: "Set to true to print vertical bars between columns",
-			},
-		},
-	}
-)
-
-func runListAuth(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	authSources, err := db.Find[auth_model.Source](ctx, auth_model.FindSourcesOptions{})
-	if err != nil {
-		return err
-	}
-
-	flags := tabwriter.AlignRight
-	if c.Bool("vertical-bars") {
-		flags |= tabwriter.Debug
-	}
-
-	padChar := byte('\t')
-	if len(c.String("pad-char")) > 0 {
-		padChar = c.String("pad-char")[0]
-	}
-
-	// loop through each source and print
-	w := tabwriter.NewWriter(os.Stdout, c.Int("min-width"), c.Int("tab-width"), c.Int("padding"), padChar, flags)
-	fmt.Fprintf(w, "ID\tName\tType\tEnabled\n")
-	for _, source := range authSources {
-		fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", source.ID, source.Name, source.Type.String(), source.IsActive)
-	}
-	w.Flush()
-
-	return nil
-}
-
-func runDeleteAuth(c *cli.Context) error {
-	if !c.IsSet("id") {
-		return fmt.Errorf("--id flag is missing")
-	}
-
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
-	if err != nil {
-		return err
-	}
-
-	return auth_service.DeleteSource(ctx, source)
-}
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@ -11,131 +11,131 @@ import (
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/services/auth/source/ldap"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 type (
 	authService struct {
 		initDB            func(ctx context.Context) error
-		createAuthSource  func(context.Context, *auth.Source) error
-		updateAuthSource  func(context.Context, *auth.Source) error
-		getAuthSourceByID func(ctx context.Context, id int64) (*auth.Source, error)
+		createAuthSource  func(*auth.Source) error
+		updateAuthSource  func(*auth.Source) error
+		getAuthSourceByID func(id int64) (*auth.Source, error)
 	}
 )

 var (
 	commonLdapCLIFlags = []cli.Flag{
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "name",
 			Usage: "Authentication name.",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "not-active",
 			Usage: "Deactivate the authentication source.",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "active",
 			Usage: "Activate the authentication source.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "security-protocol",
 			Usage: "Security protocol name.",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "skip-tls-verify",
 			Usage: "Disable TLS verification.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "host",
 			Usage: "The address where the LDAP server can be reached.",
 		},
-		&cli.IntFlag{
+		cli.IntFlag{
 			Name:  "port",
 			Usage: "The port to use when connecting to the LDAP server.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "user-search-base",
 			Usage: "The LDAP base at which user accounts will be searched for.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "user-filter",
 			Usage: "An LDAP filter declaring how to find the user record that is attempting to authenticate.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "admin-filter",
 			Usage: "An LDAP filter specifying if a user should be given administrator privileges.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "restricted-filter",
 			Usage: "An LDAP filter specifying if a user should be given restricted status.",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "allow-deactivate-all",
 			Usage: "Allow empty search results to deactivate all users.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "username-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user name.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "firstname-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s first name.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "surname-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s surname.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "email-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s email address.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "public-ssh-key-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "skip-local-2fa",
 			Usage: "Set to true to skip local 2fa for users authenticated by this source",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "avatar-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s avatar.",
 		},
 	}

 	ldapBindDnCLIFlags = append(commonLdapCLIFlags,
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "bind-dn",
 			Usage: "The DN to bind to the LDAP server with when searching for the user.",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "bind-password",
 			Usage: "The password for the Bind DN, if any.",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "attributes-in-bind",
 			Usage: "Fetch attributes in bind DN context.",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "synchronize-users",
 			Usage: "Enable user synchronization.",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "disable-synchronize-users",
 			Usage: "Disable user synchronization.",
 		},
-		&cli.UintFlag{
+		cli.UintFlag{
 			Name:  "page-size",
 			Usage: "Search page size.",
 		})

 	ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "user-dn",
-			Usage: "The user's DN.",
+			Usage: "The user’s DN.",
 		})

-	microcmdAuthAddLdapBindDn = &cli.Command{
+	cmdAuthAddLdapBindDn = cli.Command{
 		Name:  "add-ldap",
 		Usage: "Add new LDAP (via Bind DN) authentication source",
 		Action: func(c *cli.Context) error {
@ -144,7 +144,7 @@ var (
 		Flags: ldapBindDnCLIFlags,
 	}

-	microcmdAuthUpdateLdapBindDn = &cli.Command{
+	cmdAuthUpdateLdapBindDn = cli.Command{
 		Name:  "update-ldap",
 		Usage: "Update existing LDAP (via Bind DN) authentication source",
 		Action: func(c *cli.Context) error {
@ -153,7 +153,7 @@ var (
 		Flags: append([]cli.Flag{idFlag}, ldapBindDnCLIFlags...),
 	}

-	microcmdAuthAddLdapSimpleAuth = &cli.Command{
+	cmdAuthAddLdapSimpleAuth = cli.Command{
 		Name:  "add-ldap-simple",
 		Usage: "Add new LDAP (simple auth) authentication source",
 		Action: func(c *cli.Context) error {
@ -162,7 +162,7 @@ var (
 		Flags: ldapSimpleAuthCLIFlags,
 	}

-	microcmdAuthUpdateLdapSimpleAuth = &cli.Command{
+	cmdAuthUpdateLdapSimpleAuth = cli.Command{
 		Name:  "update-ldap-simple",
 		Usage: "Update existing LDAP (simple auth) authentication source",
 		Action: func(c *cli.Context) error {
@ -289,12 +289,12 @@ func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) {

 // getAuthSource gets the login source by its id defined in the command line flags.
 // It returns an error if the id is not set, does not match any source or if the source is not of expected type.
-func (a *authService) getAuthSource(ctx context.Context, c *cli.Context, authType auth.Type) (*auth.Source, error) {
+func (a *authService) getAuthSource(c *cli.Context, authType auth.Type) (*auth.Source, error) {
 	if err := argsSet(c, "id"); err != nil {
 		return nil, err
 	}

-	authSource, err := a.getAuthSourceByID(ctx, c.Int64("id"))
+	authSource, err := a.getAuthSourceByID(c.Int64("id"))
 	if err != nil {
 		return nil, err
 	}
@ -332,7 +332,7 @@ func (a *authService) addLdapBindDn(c *cli.Context) error {
 		return err
 	}

-	return a.createAuthSource(ctx, authSource)
+	return a.createAuthSource(authSource)
 }

 // updateLdapBindDn updates a new LDAP via Bind DN authentication source.
@ -344,7 +344,7 @@ func (a *authService) updateLdapBindDn(c *cli.Context) error {
 		return err
 	}

-	authSource, err := a.getAuthSource(ctx, c, auth.LDAP)
+	authSource, err := a.getAuthSource(c, auth.LDAP)
 	if err != nil {
 		return err
 	}
@ -354,7 +354,7 @@ func (a *authService) updateLdapBindDn(c *cli.Context) error {
 		return err
 	}

-	return a.updateAuthSource(ctx, authSource)
+	return a.updateAuthSource(authSource)
 }

 // addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.
@ -383,7 +383,7 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
 		return err
 	}

-	return a.createAuthSource(ctx, authSource)
+	return a.createAuthSource(authSource)
 }

 // updateLdapBindDn updates a new LDAP (simple auth) authentication source.
@ -395,7 +395,7 @@ func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {
 		return err
 	}

-	authSource, err := a.getAuthSource(ctx, c, auth.DLDAP)
+	authSource, err := a.getAuthSource(c, auth.DLDAP)
 	if err != nil {
 		return err
 	}
@ -405,5 +405,5 @@ func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {
 		return err
 	}

-	return a.updateAuthSource(ctx, authSource)
+	return a.updateAuthSource(authSource)
 }
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@ -11,7 +11,7 @@ import (
 	"code.gitea.io/gitea/services/auth/source/ldap"

 	"github.com/stretchr/testify/assert"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 func TestAddLdapBindDn(t *testing.T) {
@ -210,15 +210,15 @@ func TestAddLdapBindDn(t *testing.T) {
 			initDB: func(context.Context) error {
 				return nil
 			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+			createAuthSource: func(authSource *auth.Source) error {
 				createdAuthSource = authSource
 				return nil
 			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+			updateAuthSource: func(authSource *auth.Source) error {
 				assert.FailNow(t, "case %d: should not call updateAuthSource", n)
 				return nil
 			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
+			getAuthSourceByID: func(id int64) (*auth.Source, error) {
 				assert.FailNow(t, "case %d: should not call getAuthSourceByID", n)
 				return nil, nil
 			},
@ -226,7 +226,7 @@ func TestAddLdapBindDn(t *testing.T) {

 		// Create a copy of command to test
 		app := cli.NewApp()
-		app.Flags = microcmdAuthAddLdapBindDn.Flags
+		app.Flags = cmdAuthAddLdapBindDn.Flags
 		app.Action = service.addLdapBindDn

 		// Run it
@ -441,15 +441,15 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 			initDB: func(context.Context) error {
 				return nil
 			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+			createAuthSource: func(authSource *auth.Source) error {
 				createdAuthSource = authSource
 				return nil
 			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+			updateAuthSource: func(authSource *auth.Source) error {
 				assert.FailNow(t, "case %d: should not call updateAuthSource", n)
 				return nil
 			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
+			getAuthSourceByID: func(id int64) (*auth.Source, error) {
 				assert.FailNow(t, "case %d: should not call getAuthSourceByID", n)
 				return nil, nil
 			},
@ -457,7 +457,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {

 		// Create a copy of command to test
 		app := cli.NewApp()
-		app.Flags = microcmdAuthAddLdapSimpleAuth.Flags
+		app.Flags = cmdAuthAddLdapSimpleAuth.Flags
 		app.Action = service.addLdapSimpleAuth

 		// Run it
@ -896,15 +896,15 @@ func TestUpdateLdapBindDn(t *testing.T) {
 			initDB: func(context.Context) error {
 				return nil
 			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+			createAuthSource: func(authSource *auth.Source) error {
 				assert.FailNow(t, "case %d: should not call createAuthSource", n)
 				return nil
 			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+			updateAuthSource: func(authSource *auth.Source) error {
 				updatedAuthSource = authSource
 				return nil
 			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
+			getAuthSourceByID: func(id int64) (*auth.Source, error) {
 				if c.id != 0 {
 					assert.Equal(t, c.id, id, "case %d: wrong id", n)
 				}
@ -920,7 +920,7 @@ func TestUpdateLdapBindDn(t *testing.T) {

 		// Create a copy of command to test
 		app := cli.NewApp()
-		app.Flags = microcmdAuthUpdateLdapBindDn.Flags
+		app.Flags = cmdAuthUpdateLdapBindDn.Flags
 		app.Action = service.updateLdapBindDn

 		// Run it
@ -1286,15 +1286,15 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 			initDB: func(context.Context) error {
 				return nil
 			},
-			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+			createAuthSource: func(authSource *auth.Source) error {
 				assert.FailNow(t, "case %d: should not call createAuthSource", n)
 				return nil
 			},
-			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
+			updateAuthSource: func(authSource *auth.Source) error {
 				updatedAuthSource = authSource
 				return nil
 			},
-			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
+			getAuthSourceByID: func(id int64) (*auth.Source, error) {
 				if c.id != 0 {
 					assert.Equal(t, c.id, id, "case %d: wrong id", n)
 				}
@ -1310,7 +1310,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {

 		// Create a copy of command to test
 		app := cli.NewApp()
-		app.Flags = microcmdAuthUpdateLdapSimpleAuth.Flags
+		app.Flags = cmdAuthUpdateLdapSimpleAuth.Flags
 		app.Action = service.updateLdapSimpleAuth

 		// Run it
--- a/cmd/admin_auth_oauth.go
+++ b/cmd/admin_auth_oauth.go
@ -1,298 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"fmt"
-	"net/url"
-
-	auth_model "code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/services/auth/source/oauth2"
-
-	"github.com/urfave/cli/v2"
-)
-
-var (
-	oauthCLIFlags = []cli.Flag{
-		&cli.StringFlag{
-			Name:  "name",
-			Value: "",
-			Usage: "Application Name",
-		},
-		&cli.StringFlag{
-			Name:  "provider",
-			Value: "",
-			Usage: "OAuth2 Provider",
-		},
-		&cli.StringFlag{
-			Name:  "key",
-			Value: "",
-			Usage: "Client ID (Key)",
-		},
-		&cli.StringFlag{
-			Name:  "secret",
-			Value: "",
-			Usage: "Client Secret",
-		},
-		&cli.StringFlag{
-			Name:  "auto-discover-url",
-			Value: "",
-			Usage: "OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider)",
-		},
-		&cli.StringFlag{
-			Name:  "use-custom-urls",
-			Value: "false",
-			Usage: "Use custom URLs for GitLab/GitHub OAuth endpoints",
-		},
-		&cli.StringFlag{
-			Name:  "custom-tenant-id",
-			Value: "",
-			Usage: "Use custom Tenant ID for OAuth endpoints",
-		},
-		&cli.StringFlag{
-			Name:  "custom-auth-url",
-			Value: "",
-			Usage: "Use a custom Authorization URL (option for GitLab/GitHub)",
-		},
-		&cli.StringFlag{
-			Name:  "custom-token-url",
-			Value: "",
-			Usage: "Use a custom Token URL (option for GitLab/GitHub)",
-		},
-		&cli.StringFlag{
-			Name:  "custom-profile-url",
-			Value: "",
-			Usage: "Use a custom Profile URL (option for GitLab/GitHub)",
-		},
-		&cli.StringFlag{
-			Name:  "custom-email-url",
-			Value: "",
-			Usage: "Use a custom Email URL (option for GitHub)",
-		},
-		&cli.StringFlag{
-			Name:  "icon-url",
-			Value: "",
-			Usage: "Custom icon URL for OAuth2 login source",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-local-2fa",
-			Usage: "Set to true to skip local 2fa for users authenticated by this source",
-		},
-		&cli.StringSliceFlag{
-			Name:  "scopes",
-			Value: nil,
-			Usage: "Scopes to request when to authenticate against this OAuth2 source",
-		},
-		&cli.StringFlag{
-			Name:  "required-claim-name",
-			Value: "",
-			Usage: "Claim name that has to be set to allow users to login with this source",
-		},
-		&cli.StringFlag{
-			Name:  "required-claim-value",
-			Value: "",
-			Usage: "Claim value that has to be set to allow users to login with this source",
-		},
-		&cli.StringFlag{
-			Name:  "group-claim-name",
-			Value: "",
-			Usage: "Claim name providing group names for this source",
-		},
-		&cli.StringFlag{
-			Name:  "admin-group",
-			Value: "",
-			Usage: "Group Claim value for administrator users",
-		},
-		&cli.StringFlag{
-			Name:  "restricted-group",
-			Value: "",
-			Usage: "Group Claim value for restricted users",
-		},
-		&cli.StringFlag{
-			Name:  "group-team-map",
-			Value: "",
-			Usage: "JSON mapping between groups and org teams",
-		},
-		&cli.BoolFlag{
-			Name:  "group-team-map-removal",
-			Usage: "Activate automatic team membership removal depending on groups",
-		},
-	}
-
-	microcmdAuthAddOauth = &cli.Command{
-		Name:   "add-oauth",
-		Usage:  "Add new Oauth authentication source",
-		Action: runAddOauth,
-		Flags:  oauthCLIFlags,
-	}
-
-	microcmdAuthUpdateOauth = &cli.Command{
-		Name:   "update-oauth",
-		Usage:  "Update existing Oauth authentication source",
-		Action: runUpdateOauth,
-		Flags:  append(oauthCLIFlags[:1], append([]cli.Flag{idFlag}, oauthCLIFlags[1:]...)...),
-	}
-)
-
-func parseOAuth2Config(c *cli.Context) *oauth2.Source {
-	var customURLMapping *oauth2.CustomURLMapping
-	if c.IsSet("use-custom-urls") {
-		customURLMapping = &oauth2.CustomURLMapping{
-			TokenURL:   c.String("custom-token-url"),
-			AuthURL:    c.String("custom-auth-url"),
-			ProfileURL: c.String("custom-profile-url"),
-			EmailURL:   c.String("custom-email-url"),
-			Tenant:     c.String("custom-tenant-id"),
-		}
-	} else {
-		customURLMapping = nil
-	}
-	return &oauth2.Source{
-		Provider:                      c.String("provider"),
-		ClientID:                      c.String("key"),
-		ClientSecret:                  c.String("secret"),
-		OpenIDConnectAutoDiscoveryURL: c.String("auto-discover-url"),
-		CustomURLMapping:              customURLMapping,
-		IconURL:                       c.String("icon-url"),
-		SkipLocalTwoFA:                c.Bool("skip-local-2fa"),
-		Scopes:                        c.StringSlice("scopes"),
-		RequiredClaimName:             c.String("required-claim-name"),
-		RequiredClaimValue:            c.String("required-claim-value"),
-		GroupClaimName:                c.String("group-claim-name"),
-		AdminGroup:                    c.String("admin-group"),
-		RestrictedGroup:               c.String("restricted-group"),
-		GroupTeamMap:                  c.String("group-team-map"),
-		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
-	}
-}
-
-func runAddOauth(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	config := parseOAuth2Config(c)
-	if config.Provider == "openidConnect" {
-		discoveryURL, err := url.Parse(config.OpenIDConnectAutoDiscoveryURL)
-		if err != nil || (discoveryURL.Scheme != "http" && discoveryURL.Scheme != "https") {
-			return fmt.Errorf("invalid Auto Discovery URL: %s (this must be a valid URL starting with http:// or https://)", config.OpenIDConnectAutoDiscoveryURL)
-		}
-	}
-
-	return auth_model.CreateSource(ctx, &auth_model.Source{
-		Type:     auth_model.OAuth2,
-		Name:     c.String("name"),
-		IsActive: true,
-		Cfg:      config,
-	})
-}
-
-func runUpdateOauth(c *cli.Context) error {
-	if !c.IsSet("id") {
-		return fmt.Errorf("--id flag is missing")
-	}
-
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
-	if err != nil {
-		return err
-	}
-
-	oAuth2Config := source.Cfg.(*oauth2.Source)
-
-	if c.IsSet("name") {
-		source.Name = c.String("name")
-	}
-
-	if c.IsSet("provider") {
-		oAuth2Config.Provider = c.String("provider")
-	}
-
-	if c.IsSet("key") {
-		oAuth2Config.ClientID = c.String("key")
-	}
-
-	if c.IsSet("secret") {
-		oAuth2Config.ClientSecret = c.String("secret")
-	}
-
-	if c.IsSet("auto-discover-url") {
-		oAuth2Config.OpenIDConnectAutoDiscoveryURL = c.String("auto-discover-url")
-	}
-
-	if c.IsSet("icon-url") {
-		oAuth2Config.IconURL = c.String("icon-url")
-	}
-
-	if c.IsSet("scopes") {
-		oAuth2Config.Scopes = c.StringSlice("scopes")
-	}
-
-	if c.IsSet("required-claim-name") {
-		oAuth2Config.RequiredClaimName = c.String("required-claim-name")
-	}
-	if c.IsSet("required-claim-value") {
-		oAuth2Config.RequiredClaimValue = c.String("required-claim-value")
-	}
-
-	if c.IsSet("group-claim-name") {
-		oAuth2Config.GroupClaimName = c.String("group-claim-name")
-	}
-	if c.IsSet("admin-group") {
-		oAuth2Config.AdminGroup = c.String("admin-group")
-	}
-	if c.IsSet("restricted-group") {
-		oAuth2Config.RestrictedGroup = c.String("restricted-group")
-	}
-	if c.IsSet("group-team-map") {
-		oAuth2Config.GroupTeamMap = c.String("group-team-map")
-	}
-	if c.IsSet("group-team-map-removal") {
-		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
-	}
-
-	// update custom URL mapping
-	customURLMapping := &oauth2.CustomURLMapping{}
-
-	if oAuth2Config.CustomURLMapping != nil {
-		customURLMapping.TokenURL = oAuth2Config.CustomURLMapping.TokenURL
-		customURLMapping.AuthURL = oAuth2Config.CustomURLMapping.AuthURL
-		customURLMapping.ProfileURL = oAuth2Config.CustomURLMapping.ProfileURL
-		customURLMapping.EmailURL = oAuth2Config.CustomURLMapping.EmailURL
-		customURLMapping.Tenant = oAuth2Config.CustomURLMapping.Tenant
-	}
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-token-url") {
-		customURLMapping.TokenURL = c.String("custom-token-url")
-	}
-
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-auth-url") {
-		customURLMapping.AuthURL = c.String("custom-auth-url")
-	}
-
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-profile-url") {
-		customURLMapping.ProfileURL = c.String("custom-profile-url")
-	}
-
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-email-url") {
-		customURLMapping.EmailURL = c.String("custom-email-url")
-	}
-
-	if c.IsSet("use-custom-urls") && c.IsSet("custom-tenant-id") {
-		customURLMapping.Tenant = c.String("custom-tenant-id")
-	}
-
-	oAuth2Config.CustomURLMapping = customURLMapping
-	source.Cfg = oAuth2Config
-
-	return auth_model.UpdateSource(ctx, source)
-}
--- a/cmd/admin_auth_stmp.go
+++ b/cmd/admin_auth_stmp.go
@ -1,201 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-
-	auth_model "code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/modules/util"
-	"code.gitea.io/gitea/services/auth/source/smtp"
-
-	"github.com/urfave/cli/v2"
-)
-
-var (
-	smtpCLIFlags = []cli.Flag{
-		&cli.StringFlag{
-			Name:  "name",
-			Value: "",
-			Usage: "Application Name",
-		},
-		&cli.StringFlag{
-			Name:  "auth-type",
-			Value: "PLAIN",
-			Usage: "SMTP Authentication Type (PLAIN/LOGIN/CRAM-MD5) default PLAIN",
-		},
-		&cli.StringFlag{
-			Name:  "host",
-			Value: "",
-			Usage: "SMTP Host",
-		},
-		&cli.IntFlag{
-			Name:  "port",
-			Usage: "SMTP Port",
-		},
-		&cli.BoolFlag{
-			Name:  "force-smtps",
-			Usage: "SMTPS is always used on port 465. Set this to force SMTPS on other ports.",
-			Value: true,
-		},
-		&cli.BoolFlag{
-			Name:  "skip-verify",
-			Usage: "Skip TLS verify.",
-			Value: true,
-		},
-		&cli.StringFlag{
-			Name:  "helo-hostname",
-			Value: "",
-			Usage: "Hostname sent with HELO. Leave blank to send current hostname",
-		},
-		&cli.BoolFlag{
-			Name:  "disable-helo",
-			Usage: "Disable SMTP helo.",
-			Value: true,
-		},
-		&cli.StringFlag{
-			Name:  "allowed-domains",
-			Value: "",
-			Usage: "Leave empty to allow all domains. Separate multiple domains with a comma (',')",
-		},
-		&cli.BoolFlag{
-			Name:  "skip-local-2fa",
-			Usage: "Skip 2FA to log on.",
-			Value: true,
-		},
-		&cli.BoolFlag{
-			Name:  "active",
-			Usage: "This Authentication Source is Activated.",
-			Value: true,
-		},
-	}
-
-	microcmdAuthAddSMTP = &cli.Command{
-		Name:   "add-smtp",
-		Usage:  "Add new SMTP authentication source",
-		Action: runAddSMTP,
-		Flags:  smtpCLIFlags,
-	}
-
-	microcmdAuthUpdateSMTP = &cli.Command{
-		Name:   "update-smtp",
-		Usage:  "Update existing SMTP authentication source",
-		Action: runUpdateSMTP,
-		Flags:  append(smtpCLIFlags[:1], append([]cli.Flag{idFlag}, smtpCLIFlags[1:]...)...),
-	}
-)
-
-func parseSMTPConfig(c *cli.Context, conf *smtp.Source) error {
-	if c.IsSet("auth-type") {
-		conf.Auth = c.String("auth-type")
-		validAuthTypes := []string{"PLAIN", "LOGIN", "CRAM-MD5"}
-		if !util.SliceContainsString(validAuthTypes, strings.ToUpper(c.String("auth-type"))) {
-			return errors.New("Auth must be one of PLAIN/LOGIN/CRAM-MD5")
-		}
-		conf.Auth = c.String("auth-type")
-	}
-	if c.IsSet("host") {
-		conf.Host = c.String("host")
-	}
-	if c.IsSet("port") {
-		conf.Port = c.Int("port")
-	}
-	if c.IsSet("allowed-domains") {
-		conf.AllowedDomains = c.String("allowed-domains")
-	}
-	if c.IsSet("force-smtps") {
-		conf.ForceSMTPS = c.Bool("force-smtps")
-	}
-	if c.IsSet("skip-verify") {
-		conf.SkipVerify = c.Bool("skip-verify")
-	}
-	if c.IsSet("helo-hostname") {
-		conf.HeloHostname = c.String("helo-hostname")
-	}
-	if c.IsSet("disable-helo") {
-		conf.DisableHelo = c.Bool("disable-helo")
-	}
-	if c.IsSet("skip-local-2fa") {
-		conf.SkipLocalTwoFA = c.Bool("skip-local-2fa")
-	}
-	return nil
-}
-
-func runAddSMTP(c *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	if !c.IsSet("name") || len(c.String("name")) == 0 {
-		return errors.New("name must be set")
-	}
-	if !c.IsSet("host") || len(c.String("host")) == 0 {
-		return errors.New("host must be set")
-	}
-	if !c.IsSet("port") {
-		return errors.New("port must be set")
-	}
-	active := true
-	if c.IsSet("active") {
-		active = c.Bool("active")
-	}
-
-	var smtpConfig smtp.Source
-	if err := parseSMTPConfig(c, &smtpConfig); err != nil {
-		return err
-	}
-
-	// If not set default to PLAIN
-	if len(smtpConfig.Auth) == 0 {
-		smtpConfig.Auth = "PLAIN"
-	}
-
-	return auth_model.CreateSource(ctx, &auth_model.Source{
-		Type:     auth_model.SMTP,
-		Name:     c.String("name"),
-		IsActive: active,
-		Cfg:      &smtpConfig,
-	})
-}
-
-func runUpdateSMTP(c *cli.Context) error {
-	if !c.IsSet("id") {
-		return fmt.Errorf("--id flag is missing")
-	}
-
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-
-	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
-	if err != nil {
-		return err
-	}
-
-	smtpConfig := source.Cfg.(*smtp.Source)
-
-	if err := parseSMTPConfig(c, smtpConfig); err != nil {
-		return err
-	}
-
-	if c.IsSet("name") {
-		source.Name = c.String("name")
-	}
-
-	if c.IsSet("active") {
-		source.IsActive = c.Bool("active")
-	}
-
-	source.Cfg = smtpConfig
-
-	return auth_model.UpdateSource(ctx, source)
-}
--- a/cmd/admin_regenerate.go
+++ b/cmd/admin_regenerate.go
@ -1,46 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"code.gitea.io/gitea/modules/graceful"
-	asymkey_service "code.gitea.io/gitea/services/asymkey"
-	repo_service "code.gitea.io/gitea/services/repository"
-
-	"github.com/urfave/cli/v2"
-)
-
-var (
-	microcmdRegenHooks = &cli.Command{
-		Name:   "hooks",
-		Usage:  "Regenerate git-hooks",
-		Action: runRegenerateHooks,
-	}
-
-	microcmdRegenKeys = &cli.Command{
-		Name:   "keys",
-		Usage:  "Regenerate authorized_keys file",
-		Action: runRegenerateKeys,
-	}
-)
-
-func runRegenerateHooks(_ *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-	return repo_service.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
-}
-
-func runRegenerateKeys(_ *cli.Context) error {
-	ctx, cancel := installSignals()
-	defer cancel()
-
-	if err := initDB(ctx); err != nil {
-		return err
-	}
-	return asymkey_service.RewriteAllPublicKeys(ctx)
-}
--- a/cmd/admin_user.go
+++ b/cmd/admin_user.go
@ -4,13 +4,13 @@
 package cmd

 import (
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

-var subcmdUser = &cli.Command{
+var subcmdUser = cli.Command{
 	Name:  "user",
 	Usage: "Modify users",
-	Subcommands: []*cli.Command{
+	Subcommands: []cli.Command{
 		microcmdUserCreate,
 		microcmdUserList,
 		microcmdUserChangePassword,
--- a/cmd/admin_user_change_password.go
+++ b/cmd/admin_user_change_password.go
@ -4,38 +4,31 @@
 package cmd

 import (
+	"context"
 	"errors"
 	"fmt"

 	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/auth/password"
-	"code.gitea.io/gitea/modules/optional"
+	pwd "code.gitea.io/gitea/modules/auth/password"
 	"code.gitea.io/gitea/modules/setting"
-	user_service "code.gitea.io/gitea/services/user"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

-var microcmdUserChangePassword = &cli.Command{
+var microcmdUserChangePassword = cli.Command{
 	Name:   "change-password",
 	Usage:  "Change a user's password",
 	Action: runChangePassword,
 	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "username",
-			Aliases: []string{"u"},
-			Value:   "",
-			Usage:   "The user to change password for",
+		cli.StringFlag{
+			Name:  "username,u",
+			Value: "",
+			Usage: "The user to change password for",
 		},
-		&cli.StringFlag{
-			Name:    "password",
-			Aliases: []string{"p"},
-			Value:   "",
-			Usage:   "New password to set for user",
-		},
-		&cli.BoolFlag{
-			Name:  "must-change-password",
-			Usage: "User must change password",
+		cli.StringFlag{
+			Name:  "password,p",
+			Value: "",
+			Usage: "New password to set for user",
 		},
 	},
 }
@ -51,32 +44,31 @@ func runChangePassword(c *cli.Context) error {
 	if err := initDB(ctx); err != nil {
 		return err
 	}
+	if len(c.String("password")) < setting.MinPasswordLength {
+		return fmt.Errorf("Password is not long enough. Needs to be at least %d", setting.MinPasswordLength)
+	}

-	user, err := user_model.GetUserByName(ctx, c.String("username"))
+	if !pwd.IsComplexEnough(c.String("password")) {
+		return errors.New("Password does not meet complexity requirements")
+	}
+	pwned, err := pwd.IsPwned(context.Background(), c.String("password"))
 	if err != nil {
 		return err
 	}
-
-	var mustChangePassword optional.Option[bool]
-	if c.IsSet("must-change-password") {
-		mustChangePassword = optional.Some(c.Bool("must-change-password"))
+	if pwned {
+		return errors.New("The password you chose is on a list of stolen passwords previously exposed in public data breaches. Please try again with a different password.\nFor more details, see https://haveibeenpwned.com/Passwords")
+	}
+	uname := c.String("username")
+	user, err := user_model.GetUserByName(ctx, uname)
+	if err != nil {
+		return err
+	}
+	if err = user.SetPassword(c.String("password")); err != nil {
+		return err
 	}

-	opts := &user_service.UpdateAuthOptions{
-		Password:           optional.Some(c.String("password")),
-		MustChangePassword: mustChangePassword,
-	}
-	if err := user_service.UpdateAuth(ctx, user, opts); err != nil {
-		switch {
-		case errors.Is(err, password.ErrMinLength):
-			return fmt.Errorf("Password is not long enough. Needs to be at least %d", setting.MinPasswordLength)
-		case errors.Is(err, password.ErrComplexity):
-			return errors.New("Password does not meet complexity requirements")
-		case errors.Is(err, password.ErrIsPwned):
-			return errors.New("The password you chose is on a list of stolen passwords previously exposed in public data breaches. Please try again with a different password.\nFor more details, see https://haveibeenpwned.com/Passwords")
-		default:
-			return err
-		}
+	if err = user_model.UpdateUserCols(ctx, user, "passwd", "passwd_hash_algo", "salt"); err != nil {
+		return err
 	}

 	fmt.Printf("%s's password has been successfully updated!\n", user.Name)
--- a/cmd/admin_user_create.go
+++ b/cmd/admin_user_create.go
@ -6,59 +6,60 @@ package cmd
 import (
 	"errors"
 	"fmt"
+	"os"

 	auth_model "code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
 	pwd "code.gitea.io/gitea/modules/auth/password"
-	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

-var microcmdUserCreate = &cli.Command{
+var microcmdUserCreate = cli.Command{
 	Name:   "create",
 	Usage:  "Create a new user in database",
 	Action: runCreateUser,
 	Flags: []cli.Flag{
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "name",
 			Usage: "Username. DEPRECATED: use username instead",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "username",
 			Usage: "Username",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "password",
 			Usage: "User password",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "email",
 			Usage: "User email address",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "admin",
 			Usage: "User is an admin",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "random-password",
 			Usage: "Generate a random password for the user",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "must-change-password",
 			Usage: "Set this option to false to prevent forcing the user to change their password after initial login, (Default: true)",
 		},
-		&cli.IntFlag{
+		cli.IntFlag{
 			Name:  "random-password-length",
 			Usage: "Length of the random password to be generated",
 			Value: 12,
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "access-token",
 			Usage: "Generate access token for the user",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "restricted",
 			Usage: "Make a restricted user account",
 		},
@ -86,7 +87,7 @@ func runCreateUser(c *cli.Context) error {
 		username = c.String("username")
 	} else {
 		username = c.String("name")
-		_, _ = fmt.Fprintf(c.App.ErrWriter, "--name flag is deprecated. Use --username instead.\n")
+		fmt.Fprintf(os.Stderr, "--name flag is deprecated. Use --username instead.\n")
 	}

 	ctx, cancel := installSignals()
@ -115,7 +116,7 @@ func runCreateUser(c *cli.Context) error {

 	// If this is the first user being created.
 	// Take it as the admin and don't force a password update.
-	if n := user_model.CountUsers(ctx, nil); n == 0 {
+	if n := user_model.CountUsers(nil); n == 0 {
 		changePassword = false
 	}

@ -123,10 +124,10 @@ func runCreateUser(c *cli.Context) error {
 		changePassword = c.Bool("must-change-password")
 	}

-	restricted := optional.None[bool]()
+	restricted := util.OptionalBoolNone

 	if c.IsSet("restricted") {
-		restricted = optional.Some(c.Bool("restricted"))
+		restricted = util.OptionalBoolOf(c.Bool("restricted"))
 	}

 	// default user visibility in app.ini
@ -142,11 +143,11 @@ func runCreateUser(c *cli.Context) error {
 	}

 	overwriteDefault := &user_model.CreateUserOverwriteOptions{
-		IsActive:     optional.Some(true),
+		IsActive:     util.OptionalBoolTrue,
 		IsRestricted: restricted,
 	}

-	if err := user_model.CreateUser(ctx, u, overwriteDefault); err != nil {
+	if err := user_model.CreateUser(u, overwriteDefault); err != nil {
 		return fmt.Errorf("CreateUser: %w", err)
 	}

@ -156,7 +157,7 @@ func runCreateUser(c *cli.Context) error {
 			UID:  u.ID,
 		}

-		if err := auth_model.NewAccessToken(ctx, t); err != nil {
+		if err := auth_model.NewAccessToken(t); err != nil {
 			return err
 		}

--- a/cmd/admin_user_delete.go
+++ b/cmd/admin_user_delete.go
@ -11,28 +11,26 @@ import (
 	"code.gitea.io/gitea/modules/storage"
 	user_service "code.gitea.io/gitea/services/user"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

-var microcmdUserDelete = &cli.Command{
+var microcmdUserDelete = cli.Command{
 	Name:  "delete",
 	Usage: "Delete specific user by id, name or email",
 	Flags: []cli.Flag{
-		&cli.Int64Flag{
+		cli.Int64Flag{
 			Name:  "id",
 			Usage: "ID of user of the user to delete",
 		},
-		&cli.StringFlag{
-			Name:    "username",
-			Aliases: []string{"u"},
-			Usage:   "Username of the user to delete",
+		cli.StringFlag{
+			Name:  "username,u",
+			Usage: "Username of the user to delete",
 		},
-		&cli.StringFlag{
-			Name:    "email",
-			Aliases: []string{"e"},
-			Usage:   "Email of the user to delete",
+		cli.StringFlag{
+			Name:  "email,e",
+			Usage: "Email of the user to delete",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "purge",
 			Usage: "Purge user, all their repositories, organizations and comments",
 		},
--- a/cmd/admin_user_generate_access_token.go
+++ b/cmd/admin_user_generate_access_token.go
@ -9,29 +9,27 @@ import (
 	auth_model "code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

-var microcmdUserGenerateAccessToken = &cli.Command{
+var microcmdUserGenerateAccessToken = cli.Command{
 	Name:  "generate-access-token",
 	Usage: "Generate an access token for a specific user",
 	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "username",
-			Aliases: []string{"u"},
-			Usage:   "Username",
+		cli.StringFlag{
+			Name:  "username,u",
+			Usage: "Username",
 		},
-		&cli.StringFlag{
-			Name:    "token-name",
-			Aliases: []string{"t"},
-			Usage:   "Token name",
-			Value:   "gitea-admin",
+		cli.StringFlag{
+			Name:  "token-name,t",
+			Usage: "Token name",
+			Value: "gitea-admin",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "raw",
 			Usage: "Display only the token value",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "scopes",
 			Value: "",
 			Usage: "Comma separated list of scopes to apply to access token",
@ -57,29 +55,18 @@ func runGenerateAccessToken(c *cli.Context) error {
 		return err
 	}

-	// construct token with name and user so we can make sure it is unique
-	t := &auth_model.AccessToken{
-		Name: c.String("token-name"),
-		UID:  user.ID,
-	}
-
-	exist, err := auth_model.AccessTokenByNameExists(ctx, t)
+	accessTokenScope, err := auth_model.AccessTokenScope(c.String("scopes")).Normalize()
 	if err != nil {
 		return err
 	}
-	if exist {
-		return fmt.Errorf("access token name has been used already")
+
+	t := &auth_model.AccessToken{
+		Name:  c.String("token-name"),
+		UID:   user.ID,
+		Scope: accessTokenScope,
 	}

-	// make sure the scopes are valid
-	accessTokenScope, err := auth_model.AccessTokenScope(c.String("scopes")).Normalize()
-	if err != nil {
-		return fmt.Errorf("invalid access token scope provided: %w", err)
-	}
-	t.Scope = accessTokenScope
-
-	// create the token
-	if err := auth_model.NewAccessToken(ctx, t); err != nil {
+	if err := auth_model.NewAccessToken(t); err != nil {
 		return err
 	}

--- a/cmd/admin_user_list.go
+++ b/cmd/admin_user_list.go
@ -10,15 +10,15 @@ import (

 	user_model "code.gitea.io/gitea/models/user"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

-var microcmdUserList = &cli.Command{
+var microcmdUserList = cli.Command{
 	Name:   "list",
 	Usage:  "List users",
 	Action: runListUsers,
 	Flags: []cli.Flag{
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "admin",
 			Usage: "List only admin users",
 		},
@ -33,7 +33,7 @@ func runListUsers(c *cli.Context) error {
 		return err
 	}

-	users, err := user_model.GetAllUsers(ctx)
+	users, err := user_model.GetAllUsers()
 	if err != nil {
 		return err
 	}
@ -48,7 +48,7 @@ func runListUsers(c *cli.Context) error {
 			}
 		}
 	} else {
-		twofa := user_model.UserList(users).GetTwoFaStatus(ctx)
+		twofa := user_model.UserList(users).GetTwoFaStatus()
 		fmt.Fprintf(w, "ID\tUsername\tEmail\tIsActive\tIsAdmin\t2FA\n")
 		for _, u := range users {
 			fmt.Fprintf(w, "%d\t%s\t%s\t%t\t%t\t%t\n", u.ID, u.Name, u.Email, u.IsActive, u.IsAdmin, twofa[u.ID])
--- a/cmd/admin_user_must_change_password.go
+++ b/cmd/admin_user_must_change_password.go
@ -9,25 +9,23 @@ import (

 	user_model "code.gitea.io/gitea/models/user"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

-var microcmdUserMustChangePassword = &cli.Command{
+var microcmdUserMustChangePassword = cli.Command{
 	Name:   "must-change-password",
 	Usage:  "Set the must change password flag for the provided users or all users",
 	Action: runMustChangePassword,
 	Flags: []cli.Flag{
-		&cli.BoolFlag{
-			Name:    "all",
-			Aliases: []string{"A"},
-			Usage:   "All users must change password, except those explicitly excluded with --exclude",
+		cli.BoolFlag{
+			Name:  "all,A",
+			Usage: "All users must change password, except those explicitly excluded with --exclude",
 		},
-		&cli.StringSliceFlag{
-			Name:    "exclude",
-			Aliases: []string{"e"},
-			Usage:   "Do not change the must-change-password flag for these users",
+		cli.StringSliceFlag{
+			Name:  "exclude,e",
+			Usage: "Do not change the must-change-password flag for these users",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "unset",
 			Usage: "Instead of setting the must-change-password flag, unset it",
 		},
@ -50,7 +48,7 @@ func runMustChangePassword(c *cli.Context) error {
 		return err
 	}

-	n, err := user_model.SetMustChangePassword(ctx, all, mustChangePassword, c.Args().Slice(), exclude)
+	n, err := user_model.SetMustChangePassword(ctx, all, mustChangePassword, c.Args(), exclude)
 	if err != nil {
 		return err
 	}
--- a/cmd/cert.go
+++ b/cmd/cert.go
@ -20,50 +20,50 @@ import (
 	"strings"
 	"time"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // CmdCert represents the available cert sub-command.
-var CmdCert = &cli.Command{
+var CmdCert = cli.Command{
 	Name:  "cert",
 	Usage: "Generate self-signed certificate",
 	Description: `Generate a self-signed X.509 certificate for a TLS server.
 Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
 	Action: runCert,
 	Flags: []cli.Flag{
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "host",
 			Value: "",
 			Usage: "Comma-separated hostnames and IPs to generate a certificate for",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "ecdsa-curve",
 			Value: "",
 			Usage: "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521",
 		},
-		&cli.IntFlag{
+		cli.IntFlag{
 			Name:  "rsa-bits",
-			Value: 3072,
+			Value: 2048,
 			Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "start-date",
 			Value: "",
 			Usage: "Creation date formatted as Jan 1 15:04:05 2011",
 		},
-		&cli.DurationFlag{
+		cli.DurationFlag{
 			Name:  "duration",
 			Value: 365 * 24 * time.Hour,
 			Usage: "Duration that certificate is valid for",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "ca",
 			Usage: "whether this cert should be its own Certificate Authority",
 		},
 	},
 }

-func publicKey(priv any) any {
+func publicKey(priv interface{}) interface{} {
 	switch k := priv.(type) {
 	case *rsa.PrivateKey:
 		return &k.PublicKey
@ -74,7 +74,7 @@ func publicKey(priv any) any {
 	}
 }

-func pemBlockForKey(priv any) *pem.Block {
+func pemBlockForKey(priv interface{}) *pem.Block {
 	switch k := priv.(type) {
 	case *rsa.PrivateKey:
 		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
@ -94,7 +94,7 @@ func runCert(c *cli.Context) error {
 		return err
 	}

-	var priv any
+	var priv interface{}
 	var err error
 	switch c.String("ecdsa-curve") {
 	case "":
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@ -20,7 +20,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // argsSet checks that all the required arguments are set. args is a list of
@ -109,24 +109,15 @@ func setupConsoleLogger(level log.Level, colorize bool, out io.Writer) {
 	log.GetManager().GetLogger(log.DEFAULT).ReplaceAllWriters(writer)
 }

-func globalBool(c *cli.Context, name string) bool {
-	for _, ctx := range c.Lineage() {
-		if ctx.Bool(name) {
-			return true
-		}
-	}
-	return false
-}
-
 // PrepareConsoleLoggerLevel by default, use INFO level for console logger, but some sub-commands (for git/ssh protocol) shouldn't output any log to stdout.
 // Any log appears in git stdout pipe will break the git protocol, eg: client can't push and hangs forever.
 func PrepareConsoleLoggerLevel(defaultLevel log.Level) func(*cli.Context) error {
 	return func(c *cli.Context) error {
 		level := defaultLevel
-		if globalBool(c, "quiet") {
+		if c.Bool("quiet") || c.GlobalBoolT("quiet") {
 			level = log.FATAL
 		}
-		if globalBool(c, "debug") || globalBool(c, "verbose") {
+		if c.Bool("debug") || c.GlobalBool("debug") || c.Bool("verbose") || c.GlobalBool("verbose") {
 			level = log.TRACE
 		}
 		log.SetConsoleLogger(log.DEFAULT, "console-default", level)
--- a/cmd/doctor_convert.go
+++ b/cmd/doctor_convert.go
@ -10,18 +10,18 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

-// cmdDoctorConvert represents the available convert sub-command.
-var cmdDoctorConvert = &cli.Command{
+// CmdConvert represents the available convert sub-command.
+var CmdConvert = cli.Command{
 	Name:        "convert",
 	Usage:       "Convert the database",
 	Description: "A command to convert an existing MySQL database from utf8 to utf8mb4 or MSSQL database from varchar to nvarchar",
-	Action:      runDoctorConvert,
+	Action:      runConvert,
 }

-func runDoctorConvert(ctx *cli.Context) error {
+func runConvert(ctx *cli.Context) error {
 	stdCtx, cancel := installSignals()
 	defer cancel()

@ -37,8 +37,8 @@ func runDoctorConvert(ctx *cli.Context) error {

 	switch {
 	case setting.Database.Type.IsMySQL():
-		if err := db.ConvertDatabaseTable(); err != nil {
-			log.Fatal("Failed to convert database & table: %v", err)
+		if err := db.ConvertUtf8ToUtf8mb4(); err != nil {
+			log.Fatal("Failed to convert database from utf8 to utf8mb4: %v", err)
 			return err
 		}
 		fmt.Println("Converted successfully, please confirm your database's character set is now utf8mb4")
--- a/cmd/docs.go
+++ b/cmd/docs.go
@ -8,11 +8,11 @@ import (
 	"os"
 	"strings"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // CmdDocs represents the available docs sub-command.
-var CmdDocs = &cli.Command{
+var CmdDocs = cli.Command{
 	Name:        "docs",
 	Usage:       "Output CLI documentation",
 	Description: "A command to output Gitea's CLI documentation, optionally to a file.",
@ -23,9 +23,8 @@ var CmdDocs = &cli.Command{
 			Usage: "Output man pages instead",
 		},
 		&cli.StringFlag{
-			Name:    "output",
-			Aliases: []string{"o"},
-			Usage:   "Path to output to instead of stdout (will overwrite if exists)",
+			Name:  "output, o",
+			Usage: "Path to output to instead of stdout (will overwrite if exists)",
 		},
 	},
 }
--- a/cmd/doctor.go
+++ b/cmd/doctor.go
@ -14,72 +14,61 @@ import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/migrations"
 	migrate_base "code.gitea.io/gitea/models/migrations/base"
-	"code.gitea.io/gitea/modules/container"
+	"code.gitea.io/gitea/modules/doctor"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/services/doctor"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 	"xorm.io/xorm"
 )

 // CmdDoctor represents the available doctor sub-command.
-var CmdDoctor = &cli.Command{
+var CmdDoctor = cli.Command{
 	Name:        "doctor",
-	Usage:       "Diagnose and optionally fix problems, convert or re-create database tables",
-	Description: "A command to diagnose problems with the current Gitea instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
-
-	Subcommands: []*cli.Command{
-		cmdDoctorCheck,
-		cmdRecreateTable,
-		cmdDoctorConvert,
-	},
-}
-
-var cmdDoctorCheck = &cli.Command{
-	Name:        "check",
 	Usage:       "Diagnose and optionally fix problems",
 	Description: "A command to diagnose problems with the current Gitea instance according to the given configuration. Some problems can optionally be fixed by modifying the database or data storage.",
-	Action:      runDoctorCheck,
+	Action:      runDoctor,
 	Flags: []cli.Flag{
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "list",
 			Usage: "List the available checks",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "default",
 			Usage: "Run the default checks (if neither --run or --all is set, this is the default behaviour)",
 		},
-		&cli.StringSliceFlag{
+		cli.StringSliceFlag{
 			Name:  "run",
 			Usage: "Run the provided checks - (if --default is set, the default checks will also run)",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "all",
 			Usage: "Run all the available checks",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "fix",
 			Usage: "Automatically fix what we can",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "log-file",
-			Usage: `Name of the log file (no verbose log output by default). Set to "-" to output to stdout`,
+			Usage: `Name of the log file (default: "doctor.log"). Set to "-" to output to stdout, set to "" to disable`,
 		},
-		&cli.BoolFlag{
-			Name:    "color",
-			Aliases: []string{"H"},
-			Usage:   "Use color for outputted information",
+		cli.BoolFlag{
+			Name:  "color, H",
+			Usage: "Use color for outputted information",
 		},
 	},
+	Subcommands: []cli.Command{
+		cmdRecreateTable,
+	},
 }

-var cmdRecreateTable = &cli.Command{
+var cmdRecreateTable = cli.Command{
 	Name:      "recreate-table",
 	Usage:     "Recreate tables from XORM definitions and copy the data.",
 	ArgsUsage: "[TABLE]... : (TABLEs to recreate - leave blank for all)",
 	Flags: []cli.Flag{
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "debug",
 			Usage: "Print SQL commands sent",
 		},
@ -143,9 +132,16 @@ func setupDoctorDefaultLogger(ctx *cli.Context, colorize bool) {
 	setupConsoleLogger(log.FATAL, log.CanColorStderr, os.Stderr)

 	logFile := ctx.String("log-file")
-	if logFile == "" {
-		return // if no doctor log-file is set, do not show any log from default logger
-	} else if logFile == "-" {
+	if !ctx.IsSet("log-file") {
+		logFile = "doctor.log"
+	}
+
+	if len(logFile) == 0 {
+		// if no doctor log-file is set, do not show any log from default logger
+		return
+	}
+
+	if logFile == "-" {
 		setupConsoleLogger(log.TRACE, colorize, os.Stdout)
 	} else {
 		logFile, _ = filepath.Abs(logFile)
@ -159,7 +155,7 @@ func setupDoctorDefaultLogger(ctx *cli.Context, colorize bool) {
 	}
 }

-func runDoctorCheck(ctx *cli.Context) error {
+func runDoctor(ctx *cli.Context) error {
 	stdCtx, cancel := installSignals()
 	defer cancel()

@ -178,7 +174,6 @@ func runDoctorCheck(ctx *cli.Context) error {
 	if ctx.IsSet("list") {
 		w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
 		_, _ = w.Write([]byte("Default\tName\tTitle\n"))
-		doctor.SortChecks(doctor.Checks)
 		for _, check := range doctor.Checks {
 			if check.IsDefault {
 				_, _ = w.Write([]byte{'*'})
@ -194,19 +189,25 @@ func runDoctorCheck(ctx *cli.Context) error {

 	var checks []*doctor.Check
 	if ctx.Bool("all") {
-		checks = make([]*doctor.Check, len(doctor.Checks))
-		copy(checks, doctor.Checks)
+		checks = doctor.Checks
 	} else if ctx.IsSet("run") {
 		addDefault := ctx.Bool("default")
-		runNamesSet := container.SetOf(ctx.StringSlice("run")...)
-		for _, check := range doctor.Checks {
-			if (addDefault && check.IsDefault) || runNamesSet.Contains(check.Name) {
-				checks = append(checks, check)
-				runNamesSet.Remove(check.Name)
-			}
+		names := ctx.StringSlice("run")
+		for i, name := range names {
+			names[i] = strings.ToLower(strings.TrimSpace(name))
 		}
-		if len(runNamesSet) > 0 {
-			return fmt.Errorf("unknown checks: %q", strings.Join(runNamesSet.Values(), ","))
+
+		for _, check := range doctor.Checks {
+			if addDefault && check.IsDefault {
+				checks = append(checks, check)
+				continue
+			}
+			for _, name := range names {
+				if name == check.Name {
+					checks = append(checks, check)
+					break
+				}
+			}
 		}
 	} else {
 		for _, check := range doctor.Checks {
@ -215,5 +216,6 @@ func runDoctorCheck(ctx *cli.Context) error {
 			}
 		}
 	}
+
 	return doctor.RunChecks(stdCtx, colorize, ctx.Bool("fix"), checks)
 }
--- a/cmd/doctor_test.go
+++ b/cmd/doctor_test.go
@ -1,33 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/services/doctor"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/urfave/cli/v2"
-)
-
-func TestDoctorRun(t *testing.T) {
-	doctor.Register(&doctor.Check{
-		Title: "Test Check",
-		Name:  "test-check",
-		Run:   func(ctx context.Context, logger log.Logger, autofix bool) error { return nil },
-
-		SkipDatabaseInitialization: true,
-	})
-	app := cli.NewApp()
-	app.Commands = []*cli.Command{cmdDoctorCheck}
-	err := app.Run([]string{"./gitea", "check", "--run", "test-check"})
-	assert.NoError(t, err)
-	err = app.Run([]string{"./gitea", "check", "--run", "no-such"})
-	assert.ErrorContains(t, err, `unknown checks: "no-such"`)
-	err = app.Run([]string{"./gitea", "check", "--run", "test-check,no-such"})
-	assert.ErrorContains(t, err, `unknown checks: "no-such"`)
-}
--- a/cmd/dump.go
+++ b/cmd/dump.go
@ -22,7 +22,7 @@ import (

 	"gitea.com/go-chi/session"
 	"github.com/mholt/archiver/v3"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 func addReader(w archiver.Writer, r io.ReadCloser, info os.FileInfo, customName string, verbose bool) error {
@ -96,71 +96,64 @@ var outputTypeEnum = &outputType{
 }

 // CmdDump represents the available dump sub-command.
-var CmdDump = &cli.Command{
+var CmdDump = cli.Command{
 	Name:  "dump",
 	Usage: "Dump Gitea files and database",
 	Description: `Dump compresses all related files and database into zip file.
 It can be used for backup and capture Gitea server image to send to maintainer`,
 	Action: runDump,
 	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "file",
-			Aliases: []string{"f"},
-			Value:   fmt.Sprintf("gitea-dump-%d.zip", time.Now().Unix()),
-			Usage:   "Name of the dump file which will be created. Supply '-' for stdout. See type for available types.",
+		cli.StringFlag{
+			Name:  "file, f",
+			Value: fmt.Sprintf("gitea-dump-%d.zip", time.Now().Unix()),
+			Usage: "Name of the dump file which will be created. Supply '-' for stdout. See type for available types.",
 		},
-		&cli.BoolFlag{
-			Name:    "verbose",
-			Aliases: []string{"V"},
-			Usage:   "Show process details",
+		cli.BoolFlag{
+			Name:  "verbose, V",
+			Usage: "Show process details",
 		},
-		&cli.BoolFlag{
-			Name:    "quiet",
-			Aliases: []string{"q"},
-			Usage:   "Only display warnings and errors",
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "Only display warnings and errors",
 		},
-		&cli.StringFlag{
-			Name:    "tempdir",
-			Aliases: []string{"t"},
-			Value:   os.TempDir(),
-			Usage:   "Temporary dir path",
+		cli.StringFlag{
+			Name:  "tempdir, t",
+			Value: os.TempDir(),
+			Usage: "Temporary dir path",
 		},
-		&cli.StringFlag{
-			Name:    "database",
-			Aliases: []string{"d"},
-			Usage:   "Specify the database SQL syntax: sqlite3, mysql, mssql, postgres",
+		cli.StringFlag{
+			Name:  "database, d",
+			Usage: "Specify the database SQL syntax",
 		},
-		&cli.BoolFlag{
-			Name:    "skip-repository",
-			Aliases: []string{"R"},
-			Usage:   "Skip the repository dumping",
+		cli.BoolFlag{
+			Name:  "skip-repository, R",
+			Usage: "Skip the repository dumping",
 		},
-		&cli.BoolFlag{
-			Name:    "skip-log",
-			Aliases: []string{"L"},
-			Usage:   "Skip the log dumping",
+		cli.BoolFlag{
+			Name:  "skip-log, L",
+			Usage: "Skip the log dumping",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "skip-custom-dir",
 			Usage: "Skip custom directory",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "skip-lfs-data",
 			Usage: "Skip LFS data",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "skip-attachment-data",
 			Usage: "Skip attachment data",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "skip-package-data",
 			Usage: "Skip package data",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "skip-index",
 			Usage: "Skip bleve index data",
 		},
-		&cli.GenericFlag{
+		cli.GenericFlag{
 			Name:  "type",
 			Value: outputTypeEnum,
 			Usage: fmt.Sprintf("Dump output format: %s", outputTypeEnum.Join()),
@ -168,7 +161,7 @@ It can be used for backup and capture Gitea server image to send to maintainer`,
 	},
 }

-func fatal(format string, args ...any) {
+func fatal(format string, args ...interface{}) {
 	fmt.Fprintf(os.Stderr, format+"\n", args...)
 	log.Fatal(format, args...)
 }
@ -243,7 +236,7 @@ func runDump(ctx *cli.Context) error {
 		return err
 	}

-	var iface any
+	var iface interface{}
 	if fileName == "-" {
 		iface, err = archiver.ByExtension(fmt.Sprintf(".%s", outType))
 	} else {
@ -452,7 +445,7 @@ func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeA
 		return err
 	}
 	for _, file := range files {
-		currentAbsPath := filepath.Join(absPath, file.Name())
+		currentAbsPath := path.Join(absPath, file.Name())
 		currentInsidePath := path.Join(insidePath, file.Name())
 		if file.IsDir() {
 			if !util.SliceContainsString(excludeAbsPath, currentAbsPath) {
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@ -19,58 +19,57 @@ import (
 	"code.gitea.io/gitea/services/convert"
 	"code.gitea.io/gitea/services/migrations"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // CmdDumpRepository represents the available dump repository sub-command.
-var CmdDumpRepository = &cli.Command{
+var CmdDumpRepository = cli.Command{
 	Name:        "dump-repo",
 	Usage:       "Dump the repository from git/github/gitea/gitlab",
 	Description: "This is a command for dumping the repository data.",
 	Action:      runDumpRepository,
 	Flags: []cli.Flag{
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "git_service",
 			Value: "",
 			Usage: "Git service, git, github, gitea, gitlab. If clone_addr could be recognized, this could be ignored.",
 		},
-		&cli.StringFlag{
-			Name:    "repo_dir",
-			Aliases: []string{"r"},
-			Value:   "./data",
-			Usage:   "Repository dir path to store the data",
+		cli.StringFlag{
+			Name:  "repo_dir, r",
+			Value: "./data",
+			Usage: "Repository dir path to store the data",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "clone_addr",
 			Value: "",
 			Usage: "The URL will be clone, currently could be a git/github/gitea/gitlab http/https URL",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "auth_username",
 			Value: "",
 			Usage: "The username to visit the clone_addr",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "auth_password",
 			Value: "",
 			Usage: "The password to visit the clone_addr",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "auth_token",
 			Value: "",
 			Usage: "The personal token to visit the clone_addr",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "owner_name",
 			Value: "",
 			Usage: "The data will be stored on a directory with owner name if not empty",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "repo_name",
 			Value: "",
 			Usage: "The data will be stored on a directory with repository name if not empty",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "units",
 			Value: "",
 			Usage: `Which items will be migrated, one or more units should be separated as comma.
--- a/cmd/embedded.go
+++ b/cmd/embedded.go
@ -19,74 +19,70 @@ import (
 	"code.gitea.io/gitea/modules/util"

 	"github.com/gobwas/glob"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // CmdEmbedded represents the available extract sub-command.
 var (
-	CmdEmbedded = &cli.Command{
+	CmdEmbedded = cli.Command{
 		Name:        "embedded",
 		Usage:       "Extract embedded resources",
 		Description: "A command for extracting embedded resources, like templates and images",
-		Subcommands: []*cli.Command{
+		Subcommands: []cli.Command{
 			subcmdList,
 			subcmdView,
 			subcmdExtract,
 		},
 	}

-	subcmdList = &cli.Command{
+	subcmdList = cli.Command{
 		Name:   "list",
 		Usage:  "List files matching the given pattern",
 		Action: runList,
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:    "include-vendored",
-				Aliases: []string{"vendor"},
-				Usage:   "Include files under public/vendor as well",
+			cli.BoolFlag{
+				Name:  "include-vendored,vendor",
+				Usage: "Include files under public/vendor as well",
 			},
 		},
 	}

-	subcmdView = &cli.Command{
+	subcmdView = cli.Command{
 		Name:   "view",
 		Usage:  "View a file matching the given pattern",
 		Action: runView,
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:    "include-vendored",
-				Aliases: []string{"vendor"},
-				Usage:   "Include files under public/vendor as well",
+			cli.BoolFlag{
+				Name:  "include-vendored,vendor",
+				Usage: "Include files under public/vendor as well",
 			},
 		},
 	}

-	subcmdExtract = &cli.Command{
+	subcmdExtract = cli.Command{
 		Name:   "extract",
 		Usage:  "Extract resources",
 		Action: runExtract,
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
-				Name:    "include-vendored",
-				Aliases: []string{"vendor"},
-				Usage:   "Include files under public/vendor as well",
+			cli.BoolFlag{
+				Name:  "include-vendored,vendor",
+				Usage: "Include files under public/vendor as well",
 			},
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name:  "overwrite",
 				Usage: "Overwrite files if they already exist",
 			},
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name:  "rename",
 				Usage: "Rename files as {name}.bak if they already exist (overwrites previous .bak)",
 			},
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name:  "custom",
 				Usage: "Extract to the 'custom' directory as per app.ini",
 			},
-			&cli.StringFlag{
-				Name:    "destination",
-				Aliases: []string{"dest-dir"},
-				Usage:   "Extract to the specified directory",
+			cli.StringFlag{
+				Name:  "destination,dest-dir",
+				Usage: "Extract to the specified directory",
 			},
 		},
 	}
@ -103,7 +99,7 @@ type assetFile struct {
 func initEmbeddedExtractor(c *cli.Context) error {
 	setupConsoleLogger(log.ERROR, log.CanColorStderr, os.Stderr)

-	patterns, err := compileCollectPatterns(c.Args().Slice())
+	patterns, err := compileCollectPatterns(c.Args())
 	if err != nil {
 		return err
 	}
@ -179,7 +175,7 @@ func runExtractDo(c *cli.Context) error {
 		return err
 	}

-	if c.NArg() == 0 {
+	if len(c.Args()) == 0 {
 		return fmt.Errorf("a list of pattern of files to extract is mandatory (e.g. '**' for all)")
 	}

--- a/cmd/generate.go
+++ b/cmd/generate.go
@ -11,43 +11,43 @@ import (
 	"code.gitea.io/gitea/modules/generate"

 	"github.com/mattn/go-isatty"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 var (
 	// CmdGenerate represents the available generate sub-command.
-	CmdGenerate = &cli.Command{
+	CmdGenerate = cli.Command{
 		Name:  "generate",
-		Usage: "Generate Gitea's secrets/keys/tokens",
-		Subcommands: []*cli.Command{
+		Usage: "Command line interface for running generators",
+		Subcommands: []cli.Command{
 			subcmdSecret,
 		},
 	}

-	subcmdSecret = &cli.Command{
+	subcmdSecret = cli.Command{
 		Name:  "secret",
 		Usage: "Generate a secret token",
-		Subcommands: []*cli.Command{
+		Subcommands: []cli.Command{
 			microcmdGenerateInternalToken,
 			microcmdGenerateLfsJwtSecret,
 			microcmdGenerateSecretKey,
 		},
 	}

-	microcmdGenerateInternalToken = &cli.Command{
+	microcmdGenerateInternalToken = cli.Command{
 		Name:   "INTERNAL_TOKEN",
 		Usage:  "Generate a new INTERNAL_TOKEN",
 		Action: runGenerateInternalToken,
 	}

-	microcmdGenerateLfsJwtSecret = &cli.Command{
+	microcmdGenerateLfsJwtSecret = cli.Command{
 		Name:    "JWT_SECRET",
 		Aliases: []string{"LFS_JWT_SECRET"},
 		Usage:   "Generate a new JWT_SECRET",
 		Action:  runGenerateLfsJwtSecret,
 	}

-	microcmdGenerateSecretKey = &cli.Command{
+	microcmdGenerateSecretKey = cli.Command{
 		Name:   "SECRET_KEY",
 		Usage:  "Generate a new SECRET_KEY",
 		Action: runGenerateSecretKey,
@ -70,12 +70,12 @@ func runGenerateInternalToken(c *cli.Context) error {
 }

 func runGenerateLfsJwtSecret(c *cli.Context) error {
-	_, jwtSecretBase64, err := generate.NewJwtSecretWithBase64()
+	JWTSecretBase64, err := generate.NewJwtSecretBase64()
 	if err != nil {
 		return err
 	}

-	fmt.Printf("%s", jwtSecretBase64)
+	fmt.Printf("%s", JWTSecretBase64)

 	if isatty.IsTerminal(os.Stdout.Fd()) {
 		fmt.Printf("\n")
--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -20,7 +20,7 @@ import (
 	repo_module "code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 const (
@ -29,12 +29,12 @@ const (

 var (
 	// CmdHook represents the available hooks sub-command.
-	CmdHook = &cli.Command{
+	CmdHook = cli.Command{
 		Name:        "hook",
-		Usage:       "(internal) Should only be called by Git",
-		Description: "Delegate commands to corresponding Git hooks",
+		Usage:       "Delegate commands to corresponding Git hooks",
+		Description: "This should only be called by Git",
 		Before:      PrepareConsoleLoggerLevel(log.FATAL),
-		Subcommands: []*cli.Command{
+		Subcommands: []cli.Command{
 			subcmdHookPreReceive,
 			subcmdHookUpdate,
 			subcmdHookPostReceive,
@ -42,47 +42,47 @@ var (
 		},
 	}

-	subcmdHookPreReceive = &cli.Command{
+	subcmdHookPreReceive = cli.Command{
 		Name:        "pre-receive",
 		Usage:       "Delegate pre-receive Git hook",
 		Description: "This command should only be called by Git",
 		Action:      runHookPreReceive,
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name: "debug",
 			},
 		},
 	}
-	subcmdHookUpdate = &cli.Command{
+	subcmdHookUpdate = cli.Command{
 		Name:        "update",
 		Usage:       "Delegate update Git hook",
 		Description: "This command should only be called by Git",
 		Action:      runHookUpdate,
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name: "debug",
 			},
 		},
 	}
-	subcmdHookPostReceive = &cli.Command{
+	subcmdHookPostReceive = cli.Command{
 		Name:        "post-receive",
 		Usage:       "Delegate post-receive Git hook",
 		Description: "This command should only be called by Git",
 		Action:      runHookPostReceive,
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name: "debug",
 			},
 		},
 	}
 	// Note: new hook since git 2.29
-	subcmdHookProcReceive = &cli.Command{
+	subcmdHookProcReceive = cli.Command{
 		Name:        "proc-receive",
 		Usage:       "Delegate proc-receive Git hook",
 		Description: "This command should only be called by Git",
 		Action:      runHookProcReceive,
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name: "debug",
 			},
 		},
@ -376,9 +376,7 @@ Gitea or set your environment appropriately.`, "")
 		oldCommitIDs[count] = string(fields[0])
 		newCommitIDs[count] = string(fields[1])
 		refFullNames[count] = git.RefName(fields[2])
-
-		commitID, _ := git.NewIDFromString(newCommitIDs[count])
-		if refFullNames[count] == git.BranchPrefix+"master" && !commitID.IsZero() && count == total {
+		if refFullNames[count] == git.BranchPrefix+"master" && newCommitIDs[count] != git.EmptySHA && count == total {
 			masterPushed = true
 		}
 		count++
@ -671,8 +669,7 @@ Gitea or set your environment appropriately.`, "")
 		if err != nil {
 			return err
 		}
-		commitID, _ := git.NewIDFromString(rs.OldOID)
-		if !commitID.IsZero() {
+		if rs.OldOID != git.EmptySHA {
 			err = writeDataPktLine(ctx, os.Stdout, []byte("option old-oid "+rs.OldOID))
 			if err != nil {
 				return err
--- a/cmd/keys.go
+++ b/cmd/keys.go
@ -11,40 +11,35 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/private"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // CmdKeys represents the available keys sub-command
-var CmdKeys = &cli.Command{
-	Name:        "keys",
-	Usage:       "(internal) Should only be called by SSH server",
-	Description: "Queries the Gitea database to get the authorized command for a given ssh key fingerprint",
-	Before:      PrepareConsoleLoggerLevel(log.FATAL),
-	Action:      runKeys,
+var CmdKeys = cli.Command{
+	Name:   "keys",
+	Usage:  "This command queries the Gitea database to get the authorized command for a given ssh key fingerprint",
+	Before: PrepareConsoleLoggerLevel(log.FATAL),
+	Action: runKeys,
 	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "expected",
-			Aliases: []string{"e"},
-			Value:   "git",
-			Usage:   "Expected user for whom provide key commands",
+		cli.StringFlag{
+			Name:  "expected, e",
+			Value: "git",
+			Usage: "Expected user for whom provide key commands",
 		},
-		&cli.StringFlag{
-			Name:    "username",
-			Aliases: []string{"u"},
-			Value:   "",
-			Usage:   "Username trying to log in by SSH",
+		cli.StringFlag{
+			Name:  "username, u",
+			Value: "",
+			Usage: "Username trying to log in by SSH",
 		},
-		&cli.StringFlag{
-			Name:    "type",
-			Aliases: []string{"t"},
-			Value:   "",
-			Usage:   "Type of the SSH key provided to the SSH Server (requires content to be provided too)",
+		cli.StringFlag{
+			Name:  "type, t",
+			Value: "",
+			Usage: "Type of the SSH key provided to the SSH Server (requires content to be provided too)",
 		},
-		&cli.StringFlag{
-			Name:    "content",
-			Aliases: []string{"k"},
-			Value:   "",
-			Usage:   "Base64 encoded content of the SSH key provided to the SSH Server (requires type to be provided too)",
+		cli.StringFlag{
+			Name:  "content, k",
+			Value: "",
+			Usage: "Base64 encoded content of the SSH key provided to the SSH Server (requires type to be provided too)",
 		},
 	},
 }
@ -71,13 +66,13 @@ func runKeys(c *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()

-	setup(ctx, c.Bool("debug"))
+	setup(ctx, false)

 	authorizedString, extra := private.AuthorizedPublicKeyByContent(ctx, content)
 	// do not use handleCliResponseExtra or cli.NewExitError, if it exists immediately, it breaks some tests like Test_CmdKeys
 	if extra.Error != nil {
 		return extra.Error
 	}
-	_, _ = fmt.Fprintln(c.App.Writer, strings.TrimSpace(authorizedString.Text))
+	fmt.Println(strings.TrimSpace(authorizedString))
 	return nil
 }
--- a/cmd/mailer.go
+++ b/cmd/mailer.go
@ -9,7 +9,7 @@ import (
 	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 func runSendMail(c *cli.Context) error {
@ -45,6 +45,6 @@ func runSendMail(c *cli.Context) error {
 	if extra.HasError() {
 		return handleCliResponseExtra(extra)
 	}
-	_, _ = fmt.Printf("Sent %s email(s) to all users\n", respText.Text)
+	_, _ = fmt.Printf("Sent %s email(s) to all users\n", respText)
 	return nil
 }
--- a/cmd/main.go
+++ b/cmd/main.go
@ -1,179 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package cmd
-
-import (
-	"fmt"
-	"os"
-	"strings"
-
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-
-	"github.com/urfave/cli/v2"
-)
-
-// cmdHelp is our own help subcommand with more information
-// Keep in mind that the "./gitea help"(subcommand) is different from "./gitea --help"(flag), the flag doesn't parse the config or output "DEFAULT CONFIGURATION:" information
-func cmdHelp() *cli.Command {
-	c := &cli.Command{
-		Name:      "help",
-		Aliases:   []string{"h"},
-		Usage:     "Shows a list of commands or help for one command",
-		ArgsUsage: "[command]",
-		Action: func(c *cli.Context) (err error) {
-			lineage := c.Lineage() // The order is from child to parent: help, doctor, Gitea, {Command:nil}
-			targetCmdIdx := 0
-			if c.Command.Name == "help" {
-				targetCmdIdx = 1
-			}
-			if lineage[targetCmdIdx+1].Command != nil {
-				err = cli.ShowCommandHelp(lineage[targetCmdIdx+1], lineage[targetCmdIdx].Command.Name)
-			} else {
-				err = cli.ShowAppHelp(c)
-			}
-			_, _ = fmt.Fprintf(c.App.Writer, `
-DEFAULT CONFIGURATION:
-   AppPath:    %s
-   WorkPath:   %s
-   CustomPath: %s
-   ConfigFile: %s
-
-`, setting.AppPath, setting.AppWorkPath, setting.CustomPath, setting.CustomConf)
-			return err
-		},
-	}
-	return c
-}
-
-func appGlobalFlags() []cli.Flag {
-	return []cli.Flag{
-		// make the builtin flags at the top
-		cli.HelpFlag,
-
-		// shared configuration flags, they are for global and for each sub-command at the same time
-		// eg: such command is valid: "./gitea --config /tmp/app.ini web --config /tmp/app.ini", while it's discouraged indeed
-		// keep in mind that the short flags like "-C", "-c" and "-w" are globally polluted, they can't be used for sub-commands anymore.
-		&cli.StringFlag{
-			Name:    "custom-path",
-			Aliases: []string{"C"},
-			Usage:   "Set custom path (defaults to '{WorkPath}/custom')",
-		},
-		&cli.StringFlag{
-			Name:    "config",
-			Aliases: []string{"c"},
-			Value:   setting.CustomConf,
-			Usage:   "Set custom config file (defaults to '{WorkPath}/custom/conf/app.ini')",
-		},
-		&cli.StringFlag{
-			Name:    "work-path",
-			Aliases: []string{"w"},
-			Usage:   "Set Gitea's working path (defaults to the Gitea's binary directory)",
-		},
-	}
-}
-
-func prepareSubcommandWithConfig(command *cli.Command, globalFlags []cli.Flag) {
-	command.Flags = append(append([]cli.Flag{}, globalFlags...), command.Flags...)
-	command.Action = prepareWorkPathAndCustomConf(command.Action)
-	command.HideHelp = true
-	if command.Name != "help" {
-		command.Subcommands = append(command.Subcommands, cmdHelp())
-	}
-	for i := range command.Subcommands {
-		prepareSubcommandWithConfig(command.Subcommands[i], globalFlags)
-	}
-}
-
-// prepareWorkPathAndCustomConf wraps the Action to prepare the work path and custom config
-// It can't use "Before", because each level's sub-command's Before will be called one by one, so the "init" would be done multiple times
-func prepareWorkPathAndCustomConf(action cli.ActionFunc) func(ctx *cli.Context) error {
-	return func(ctx *cli.Context) error {
-		var args setting.ArgWorkPathAndCustomConf
-		// from children to parent, check the global flags
-		for _, curCtx := range ctx.Lineage() {
-			if curCtx.IsSet("work-path") && args.WorkPath == "" {
-				args.WorkPath = curCtx.String("work-path")
-			}
-			if curCtx.IsSet("custom-path") && args.CustomPath == "" {
-				args.CustomPath = curCtx.String("custom-path")
-			}
-			if curCtx.IsSet("config") && args.CustomConf == "" {
-				args.CustomConf = curCtx.String("config")
-			}
-		}
-		setting.InitWorkPathAndCommonConfig(os.Getenv, args)
-		if ctx.Bool("help") || action == nil {
-			// the default behavior of "urfave/cli": "nil action" means "show help"
-			return cmdHelp().Action(ctx)
-		}
-		return action(ctx)
-	}
-}
-
-func NewMainApp(version, versionExtra string) *cli.App {
-	app := cli.NewApp()
-	app.Name = "Gitea"
-	app.HelpName = "gitea"
-	app.Usage = "A painless self-hosted Git service"
-	app.Description = `Gitea program contains "web" and other subcommands. If no subcommand is given, it starts the web server by default. Use "web" subcommand for more web server arguments, use other subcommands for other purposes.`
-	app.Version = version + versionExtra
-	app.EnableBashCompletion = true
-
-	// these sub-commands need to use config file
-	subCmdWithConfig := []*cli.Command{
-		cmdHelp(), // the "help" sub-command was used to show the more information for "work path" and "custom config"
-		CmdWeb,
-		CmdServ,
-		CmdHook,
-		CmdKeys,
-		CmdDump,
-		CmdAdmin,
-		CmdMigrate,
-		CmdDoctor,
-		CmdManager,
-		CmdEmbedded,
-		CmdMigrateStorage,
-		CmdDumpRepository,
-		CmdRestoreRepository,
-		CmdActions,
-	}
-
-	// these sub-commands do not need the config file, and they do not depend on any path or environment variable.
-	subCmdStandalone := []*cli.Command{
-		CmdCert,
-		CmdGenerate,
-		CmdDocs,
-	}
-
-	app.DefaultCommand = CmdWeb.Name
-
-	globalFlags := appGlobalFlags()
-	app.Flags = append(app.Flags, cli.VersionFlag)
-	app.Flags = append(app.Flags, globalFlags...)
-	app.HideHelp = true // use our own help action to show helps (with more information like default config)
-	app.Before = PrepareConsoleLoggerLevel(log.INFO)
-	for i := range subCmdWithConfig {
-		prepareSubcommandWithConfig(subCmdWithConfig[i], globalFlags)
-	}
-	app.Commands = append(app.Commands, subCmdWithConfig...)
-	app.Commands = append(app.Commands, subCmdStandalone...)
-
-	return app
-}
-
-func RunMainApp(app *cli.App, args ...string) error {
-	err := app.Run(args)
-	if err == nil {
-		return nil
-	}
-	if strings.HasPrefix(err.Error(), "flag provided but not defined:") {
-		// the cli package should already have output the error message, so just exit
-		cli.OsExiter(1)
-		return err
-	}
-	_, _ = fmt.Fprintf(app.ErrWriter, "Command error: %v\n", err)
-	cli.OsExiter(1)
-	return err
-}
--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@ -4,175 +4,13 @@
 package cmd

 import (
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
 	"testing"

 	"code.gitea.io/gitea/models/unittest"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/test"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/urfave/cli/v2"
 )

 func TestMain(m *testing.M) {
-	unittest.MainTest(m)
-}
-
-func makePathOutput(workPath, customPath, customConf string) string {
-	return fmt.Sprintf("WorkPath=%s\nCustomPath=%s\nCustomConf=%s", workPath, customPath, customConf)
-}
-
-func newTestApp(testCmdAction func(ctx *cli.Context) error) *cli.App {
-	app := NewMainApp("version", "version-extra")
-	testCmd := &cli.Command{Name: "test-cmd", Action: testCmdAction}
-	prepareSubcommandWithConfig(testCmd, appGlobalFlags())
-	app.Commands = append(app.Commands, testCmd)
-	app.DefaultCommand = testCmd.Name
-	return app
-}
-
-type runResult struct {
-	Stdout   string
-	Stderr   string
-	ExitCode int
-}
-
-func runTestApp(app *cli.App, args ...string) (runResult, error) {
-	outBuf := new(strings.Builder)
-	errBuf := new(strings.Builder)
-	app.Writer = outBuf
-	app.ErrWriter = errBuf
-	exitCode := -1
-	defer test.MockVariableValue(&cli.ErrWriter, app.ErrWriter)()
-	defer test.MockVariableValue(&cli.OsExiter, func(code int) {
-		if exitCode == -1 {
-			exitCode = code // save the exit code once and then reset the writer (to simulate the exit)
-			app.Writer, app.ErrWriter, cli.ErrWriter = io.Discard, io.Discard, io.Discard
-		}
-	})()
-	err := RunMainApp(app, args...)
-	return runResult{outBuf.String(), errBuf.String(), exitCode}, err
-}
-
-func TestCliCmd(t *testing.T) {
-	defaultWorkPath := filepath.Dir(setting.AppPath)
-	defaultCustomPath := filepath.Join(defaultWorkPath, "custom")
-	defaultCustomConf := filepath.Join(defaultCustomPath, "conf/app.ini")
-
-	cli.CommandHelpTemplate = "(command help template)"
-	cli.AppHelpTemplate = "(app help template)"
-	cli.SubcommandHelpTemplate = "(subcommand help template)"
-
-	cases := []struct {
-		env map[string]string
-		cmd string
-		exp string
-	}{
-		// main command help
-		{
-			cmd: "./gitea help",
-			exp: "DEFAULT CONFIGURATION:",
-		},
-
-		// parse paths
-		{
-			cmd: "./gitea test-cmd",
-			exp: makePathOutput(defaultWorkPath, defaultCustomPath, defaultCustomConf),
-		},
-		{
-			cmd: "./gitea -c /tmp/app.ini test-cmd",
-			exp: makePathOutput(defaultWorkPath, defaultCustomPath, "/tmp/app.ini"),
-		},
-		{
-			cmd: "./gitea test-cmd -c /tmp/app.ini",
-			exp: makePathOutput(defaultWorkPath, defaultCustomPath, "/tmp/app.ini"),
-		},
-		{
-			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
-			cmd: "./gitea test-cmd",
-			exp: makePathOutput("/tmp", "/tmp/custom", "/tmp/custom/conf/app.ini"),
-		},
-		{
-			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
-			cmd: "./gitea test-cmd --work-path /tmp/other",
-			exp: makePathOutput("/tmp/other", "/tmp/other/custom", "/tmp/other/custom/conf/app.ini"),
-		},
-		{
-			env: map[string]string{"GITEA_WORK_DIR": "/tmp"},
-			cmd: "./gitea test-cmd --config /tmp/app-other.ini",
-			exp: makePathOutput("/tmp", "/tmp/custom", "/tmp/app-other.ini"),
-		},
-	}
-
-	app := newTestApp(func(ctx *cli.Context) error {
-		_, _ = fmt.Fprint(ctx.App.Writer, makePathOutput(setting.AppWorkPath, setting.CustomPath, setting.CustomConf))
-		return nil
+	unittest.MainTest(m, &unittest.TestOptions{
+		GiteaRootPath: "..",
 	})
-	var envBackup []string
-	for _, s := range os.Environ() {
-		if strings.HasPrefix(s, "GITEA_") && strings.Contains(s, "=") {
-			envBackup = append(envBackup, s)
-		}
-	}
-	clearGiteaEnv := func() {
-		for _, s := range os.Environ() {
-			if strings.HasPrefix(s, "GITEA_") {
-				_ = os.Unsetenv(s)
-			}
-		}
-	}
-	defer func() {
-		clearGiteaEnv()
-		for _, s := range envBackup {
-			k, v, _ := strings.Cut(s, "=")
-			_ = os.Setenv(k, v)
-		}
-	}()
-
-	for _, c := range cases {
-		clearGiteaEnv()
-		for k, v := range c.env {
-			_ = os.Setenv(k, v)
-		}
-		args := strings.Split(c.cmd, " ") // for test only, "split" is good enough
-		r, err := runTestApp(app, args...)
-		assert.NoError(t, err, c.cmd)
-		assert.NotEmpty(t, c.exp, c.cmd)
-		assert.Contains(t, r.Stdout, c.exp, c.cmd)
-	}
-}
-
-func TestCliCmdError(t *testing.T) {
-	app := newTestApp(func(ctx *cli.Context) error { return fmt.Errorf("normal error") })
-	r, err := runTestApp(app, "./gitea", "test-cmd")
-	assert.Error(t, err)
-	assert.Equal(t, 1, r.ExitCode)
-	assert.Equal(t, "", r.Stdout)
-	assert.Equal(t, "Command error: normal error\n", r.Stderr)
-
-	app = newTestApp(func(ctx *cli.Context) error { return cli.Exit("exit error", 2) })
-	r, err = runTestApp(app, "./gitea", "test-cmd")
-	assert.Error(t, err)
-	assert.Equal(t, 2, r.ExitCode)
-	assert.Equal(t, "", r.Stdout)
-	assert.Equal(t, "exit error\n", r.Stderr)
-
-	app = newTestApp(func(ctx *cli.Context) error { return nil })
-	r, err = runTestApp(app, "./gitea", "test-cmd", "--no-such")
-	assert.Error(t, err)
-	assert.Equal(t, 1, r.ExitCode)
-	assert.Equal(t, "Incorrect Usage: flag provided but not defined: -no-such\n\n", r.Stdout)
-	assert.Equal(t, "", r.Stderr) // the cli package's strange behavior, the error message is not in stderr ....
-
-	app = newTestApp(func(ctx *cli.Context) error { return nil })
-	r, err = runTestApp(app, "./gitea", "test-cmd")
-	assert.NoError(t, err)
-	assert.Equal(t, -1, r.ExitCode) // the cli.OsExiter is not called
-	assert.Equal(t, "", r.Stdout)
-	assert.Equal(t, "", r.Stderr)
 }
--- a/cmd/manager.go
+++ b/cmd/manager.go
@ -9,16 +9,16 @@ import (

 	"code.gitea.io/gitea/modules/private"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 var (
 	// CmdManager represents the manager command
-	CmdManager = &cli.Command{
+	CmdManager = cli.Command{
 		Name:        "manager",
 		Usage:       "Manage the running gitea process",
 		Description: "This is a command for managing the running gitea process",
-		Subcommands: []*cli.Command{
+		Subcommands: []cli.Command{
 			subcmdShutdown,
 			subcmdRestart,
 			subcmdReloadTemplates,
@ -27,80 +27,80 @@ var (
 			subCmdProcesses,
 		},
 	}
-	subcmdShutdown = &cli.Command{
+	subcmdShutdown = cli.Command{
 		Name:  "shutdown",
 		Usage: "Gracefully shutdown the running process",
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name: "debug",
 			},
 		},
 		Action: runShutdown,
 	}
-	subcmdRestart = &cli.Command{
+	subcmdRestart = cli.Command{
 		Name:  "restart",
 		Usage: "Gracefully restart the running process - (not implemented for windows servers)",
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name: "debug",
 			},
 		},
 		Action: runRestart,
 	}
-	subcmdReloadTemplates = &cli.Command{
+	subcmdReloadTemplates = cli.Command{
 		Name:  "reload-templates",
 		Usage: "Reload template files in the running process",
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name: "debug",
 			},
 		},
 		Action: runReloadTemplates,
 	}
-	subcmdFlushQueues = &cli.Command{
+	subcmdFlushQueues = cli.Command{
 		Name:   "flush-queues",
 		Usage:  "Flush queues in the running process",
 		Action: runFlushQueues,
 		Flags: []cli.Flag{
-			&cli.DurationFlag{
+			cli.DurationFlag{
 				Name:  "timeout",
 				Value: 60 * time.Second,
 				Usage: "Timeout for the flushing process",
 			},
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name:  "non-blocking",
 				Usage: "Set to true to not wait for flush to complete before returning",
 			},
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name: "debug",
 			},
 		},
 	}
-	subCmdProcesses = &cli.Command{
+	subCmdProcesses = cli.Command{
 		Name:   "processes",
 		Usage:  "Display running processes within the current process",
 		Action: runProcesses,
 		Flags: []cli.Flag{
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name: "debug",
 			},
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name:  "flat",
 				Usage: "Show processes as flat table rather than as tree",
 			},
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name:  "no-system",
 				Usage: "Do not show system processes",
 			},
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name:  "stacktraces",
 				Usage: "Show stacktraces",
 			},
-			&cli.BoolFlag{
+			cli.BoolFlag{
 				Name:  "json",
 				Usage: "Output as json",
 			},
-			&cli.StringFlag{
+			cli.StringFlag{
 				Name:  "cancel",
 				Usage: "Process PID to cancel. (Only available for non-system processes.)",
 			},
--- a/cmd/manager_logging.go
+++ b/cmd/manager_logging.go
@ -10,61 +10,49 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/private"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 var (
 	defaultLoggingFlags = []cli.Flag{
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "logger",
 			Usage: `Logger name - will default to "default"`,
-		},
-		&cli.StringFlag{
+		}, cli.StringFlag{
 			Name:  "writer",
 			Usage: "Name of the log writer - will default to mode",
-		},
-		&cli.StringFlag{
+		}, cli.StringFlag{
 			Name:  "level",
 			Usage: "Logging level for the new logger",
-		},
-		&cli.StringFlag{
-			Name:    "stacktrace-level",
-			Aliases: []string{"L"},
-			Usage:   "Stacktrace logging level",
-		},
-		&cli.StringFlag{
-			Name:    "flags",
-			Aliases: []string{"F"},
-			Usage:   "Flags for the logger",
-		},
-		&cli.StringFlag{
-			Name:    "expression",
-			Aliases: []string{"e"},
-			Usage:   "Matching expression for the logger",
-		},
-		&cli.StringFlag{
-			Name:    "prefix",
-			Aliases: []string{"p"},
-			Usage:   "Prefix for the logger",
-		},
-		&cli.BoolFlag{
+		}, cli.StringFlag{
+			Name:  "stacktrace-level, L",
+			Usage: "Stacktrace logging level",
+		}, cli.StringFlag{
+			Name:  "flags, F",
+			Usage: "Flags for the logger",
+		}, cli.StringFlag{
+			Name:  "expression, e",
+			Usage: "Matching expression for the logger",
+		}, cli.StringFlag{
+			Name:  "prefix, p",
+			Usage: "Prefix for the logger",
+		}, cli.BoolFlag{
 			Name:  "color",
 			Usage: "Use color in the logs",
-		},
-		&cli.BoolFlag{
+		}, cli.BoolFlag{
 			Name: "debug",
 		},
 	}

-	subcmdLogging = &cli.Command{
+	subcmdLogging = cli.Command{
 		Name:  "logging",
 		Usage: "Adjust logging commands",
-		Subcommands: []*cli.Command{
+		Subcommands: []cli.Command{
 			{
 				Name:  "pause",
 				Usage: "Pause logging (Gitea will buffer logs up to a certain point and will drop them after that point)",
 				Flags: []cli.Flag{
-					&cli.BoolFlag{
+					cli.BoolFlag{
 						Name: "debug",
 					},
 				},
@ -73,7 +61,7 @@ var (
 				Name:  "resume",
 				Usage: "Resume logging",
 				Flags: []cli.Flag{
-					&cli.BoolFlag{
+					cli.BoolFlag{
 						Name: "debug",
 					},
 				},
@ -82,7 +70,7 @@ var (
 				Name:  "release-and-reopen",
 				Usage: "Cause Gitea to release and re-open files used for logging",
 				Flags: []cli.Flag{
-					&cli.BoolFlag{
+					cli.BoolFlag{
 						Name: "debug",
 					},
 				},
@ -92,9 +80,9 @@ var (
 				Usage:     "Remove a logger",
 				ArgsUsage: "[name] Name of logger to remove",
 				Flags: []cli.Flag{
-					&cli.BoolFlag{
+					cli.BoolFlag{
 						Name: "debug",
-					}, &cli.StringFlag{
+					}, cli.StringFlag{
 						Name:  "logger",
 						Usage: `Logger name - will default to "default"`,
 					},
@ -103,48 +91,32 @@ var (
 			}, {
 				Name:  "add",
 				Usage: "Add a logger",
-				Subcommands: []*cli.Command{
+				Subcommands: []cli.Command{
 					{
 						Name:  "file",
 						Usage: "Add a file logger",
 						Flags: append(defaultLoggingFlags, []cli.Flag{
-							&cli.StringFlag{
-								Name:    "filename",
-								Aliases: []string{"f"},
-								Usage:   "Filename for the logger - this must be set.",
-							},
-							&cli.BoolFlag{
-								Name:    "rotate",
-								Aliases: []string{"r"},
-								Usage:   "Rotate logs",
-								Value:   true,
-							},
-							&cli.Int64Flag{
-								Name:    "max-size",
-								Aliases: []string{"s"},
-								Usage:   "Maximum size in bytes before rotation",
-							},
-							&cli.BoolFlag{
-								Name:    "daily",
-								Aliases: []string{"d"},
-								Usage:   "Rotate logs daily",
-								Value:   true,
-							},
-							&cli.IntFlag{
-								Name:    "max-days",
-								Aliases: []string{"D"},
-								Usage:   "Maximum number of daily logs to keep",
-							},
-							&cli.BoolFlag{
-								Name:    "compress",
-								Aliases: []string{"z"},
-								Usage:   "Compress rotated logs",
-								Value:   true,
-							},
-							&cli.IntFlag{
-								Name:    "compression-level",
-								Aliases: []string{"Z"},
-								Usage:   "Compression level to use",
+							cli.StringFlag{
+								Name:  "filename, f",
+								Usage: "Filename for the logger - this must be set.",
+							}, cli.BoolTFlag{
+								Name:  "rotate, r",
+								Usage: "Rotate logs",
+							}, cli.Int64Flag{
+								Name:  "max-size, s",
+								Usage: "Maximum size in bytes before rotation",
+							}, cli.BoolTFlag{
+								Name:  "daily, d",
+								Usage: "Rotate logs daily",
+							}, cli.IntFlag{
+								Name:  "max-days, D",
+								Usage: "Maximum number of daily logs to keep",
+							}, cli.BoolTFlag{
+								Name:  "compress, z",
+								Usage: "Compress rotated logs",
+							}, cli.IntFlag{
+								Name:  "compression-level, Z",
+								Usage: "Compression level to use",
 							},
 						}...),
 						Action: runAddFileLogger,
@ -152,25 +124,18 @@ var (
 						Name:  "conn",
 						Usage: "Add a net conn logger",
 						Flags: append(defaultLoggingFlags, []cli.Flag{
-							&cli.BoolFlag{
-								Name:    "reconnect-on-message",
-								Aliases: []string{"R"},
-								Usage:   "Reconnect to host for every message",
-							},
-							&cli.BoolFlag{
-								Name:    "reconnect",
-								Aliases: []string{"r"},
-								Usage:   "Reconnect to host when connection is dropped",
-							},
-							&cli.StringFlag{
-								Name:    "protocol",
-								Aliases: []string{"P"},
-								Usage:   "Set protocol to use: tcp, unix, or udp (defaults to tcp)",
-							},
-							&cli.StringFlag{
-								Name:    "address",
-								Aliases: []string{"a"},
-								Usage:   "Host address and port to connect to (defaults to :7020)",
+							cli.BoolFlag{
+								Name:  "reconnect-on-message, R",
+								Usage: "Reconnect to host for every message",
+							}, cli.BoolFlag{
+								Name:  "reconnect, r",
+								Usage: "Reconnect to host when connection is dropped",
+							}, cli.StringFlag{
+								Name:  "protocol, P",
+								Usage: "Set protocol to use: tcp, unix, or udp (defaults to tcp)",
+							}, cli.StringFlag{
+								Name:  "address, a",
+								Usage: "Host address and port to connect to (defaults to :7020)",
 							},
 						}...),
 						Action: runAddConnLogger,
@ -180,10 +145,9 @@ var (
 				Name:  "log-sql",
 				Usage: "Set LogSQL",
 				Flags: []cli.Flag{
-					&cli.BoolFlag{
+					cli.BoolFlag{
 						Name: "debug",
-					},
-					&cli.BoolFlag{
+					}, cli.BoolFlag{
 						Name:  "off",
 						Usage: "Switch off SQL logging",
 					},
@ -214,7 +178,7 @@ func runAddConnLogger(c *cli.Context) error {
 	defer cancel()

 	setup(ctx, c.Bool("debug"))
-	vals := map[string]any{}
+	vals := map[string]interface{}{}
 	mode := "conn"
 	vals["net"] = "tcp"
 	if c.IsSet("protocol") {
@ -244,7 +208,7 @@ func runAddFileLogger(c *cli.Context) error {
 	defer cancel()

 	setup(ctx, c.Bool("debug"))
-	vals := map[string]any{}
+	vals := map[string]interface{}{}
 	mode := "file"
 	if c.IsSet("filename") {
 		vals["filename"] = c.String("filename")
@ -272,7 +236,7 @@ func runAddFileLogger(c *cli.Context) error {
 	return commonAddLogger(c, mode, vals)
 }

-func commonAddLogger(c *cli.Context, mode string, vals map[string]any) error {
+func commonAddLogger(c *cli.Context, mode string, vals map[string]interface{}) error {
 	if len(c.String("level")) > 0 {
 		vals["level"] = log.LevelFromString(c.String("level")).String()
 	}
--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@ -11,11 +11,11 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // CmdMigrate represents the available migrate sub-command.
-var CmdMigrate = &cli.Command{
+var CmdMigrate = cli.Command{
 	Name:        "migrate",
 	Usage:       "Migrate the database",
 	Description: "This is a command for migrating the database, so that you can run gitea admin create-user before starting the server.",
--- a/cmd/migrate_storage.go
+++ b/cmd/migrate_storage.go
@ -20,73 +20,70 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/storage"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // CmdMigrateStorage represents the available migrate storage sub-command.
-var CmdMigrateStorage = &cli.Command{
+var CmdMigrateStorage = cli.Command{
 	Name:        "migrate-storage",
 	Usage:       "Migrate the storage",
 	Description: "Copies stored files from storage configured in app.ini to parameter-configured storage",
 	Action:      runMigrateStorage,
 	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "type",
-			Aliases: []string{"t"},
-			Value:   "",
-			Usage:   "Type of stored files to copy.  Allowed types: 'attachments', 'lfs', 'avatars', 'repo-avatars', 'repo-archivers', 'packages', 'actions-log'",
+		cli.StringFlag{
+			Name:  "type, t",
+			Value: "",
+			Usage: "Type of stored files to copy.  Allowed types: 'attachments', 'lfs', 'avatars', 'repo-avatars', 'repo-archivers', 'packages', 'actions-log'",
 		},
-		&cli.StringFlag{
-			Name:    "storage",
-			Aliases: []string{"s"},
-			Value:   "",
-			Usage:   "New storage type: local (default) or minio",
+		cli.StringFlag{
+			Name:  "storage, s",
+			Value: "",
+			Usage: "New storage type: local (default) or minio",
 		},
-		&cli.StringFlag{
-			Name:    "path",
-			Aliases: []string{"p"},
-			Value:   "",
-			Usage:   "New storage placement if store is local (leave blank for default)",
+		cli.StringFlag{
+			Name:  "path, p",
+			Value: "",
+			Usage: "New storage placement if store is local (leave blank for default)",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "minio-endpoint",
 			Value: "",
 			Usage: "Minio storage endpoint",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "minio-access-key-id",
 			Value: "",
 			Usage: "Minio storage accessKeyID",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "minio-secret-access-key",
 			Value: "",
 			Usage: "Minio storage secretAccessKey",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "minio-bucket",
 			Value: "",
 			Usage: "Minio storage bucket",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "minio-location",
 			Value: "",
 			Usage: "Minio storage location to create bucket",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "minio-base-path",
 			Value: "",
 			Usage: "Minio storage base path on the bucket",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "minio-use-ssl",
 			Usage: "Enable SSL for minio",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "minio-insecure-skip-verify",
 			Usage: "Skip SSL verification",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "minio-checksum-algorithm",
 			Value: "",
 			Usage: "Minio checksum algorithm (default/md5)",
@ -110,9 +107,6 @@ func migrateLFS(ctx context.Context, dstStorage storage.ObjectStorage) error {

 func migrateAvatars(ctx context.Context, dstStorage storage.ObjectStorage) error {
 	return db.Iterate(ctx, nil, func(ctx context.Context, user *user_model.User) error {
-		if user.CustomAvatarRelativePath() == "" {
-			return nil
-		}
 		_, err := storage.Copy(dstStorage, user.CustomAvatarRelativePath(), storage.Avatars, user.CustomAvatarRelativePath())
 		return err
 	})
@ -120,9 +114,6 @@ func migrateAvatars(ctx context.Context, dstStorage storage.ObjectStorage) error

 func migrateRepoAvatars(ctx context.Context, dstStorage storage.ObjectStorage) error {
 	return db.Iterate(ctx, nil, func(ctx context.Context, repo *repo_model.Repository) error {
-		if repo.CustomAvatarRelativePath() == "" {
-			return nil
-		}
 		_, err := storage.Copy(dstStorage, repo.CustomAvatarRelativePath(), storage.RepoAvatars, repo.CustomAvatarRelativePath())
 		return err
 	})
@ -191,7 +182,7 @@ func runMigrateStorage(ctx *cli.Context) error {
 	case string(setting.LocalStorageType):
 		p := ctx.String("path")
 		if p == "" {
-			log.Fatal("Path must be given when storage is local")
+			log.Fatal("Path must be given when storage is loal")
 			return nil
 		}
 		dstStorage, err = storage.NewLocalStorage(
--- a/cmd/migrate_storage_test.go
+++ b/cmd/migrate_storage_test.go
@ -9,7 +9,6 @@ import (
 	"strings"
 	"testing"

-	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/packages"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
@ -31,7 +30,7 @@ func TestMigratePackages(t *testing.T) {
 	assert.NoError(t, err)
 	defer buf.Close()

-	v, f, err := packages_service.CreatePackageAndAddFile(db.DefaultContext, &packages_service.PackageCreationInfo{
+	v, f, err := packages_service.CreatePackageAndAddFile(&packages_service.PackageCreationInfo{
 		PackageInfo: packages_service.PackageInfo{
 			Owner:       creator,
 			PackageType: packages.TypeGeneric,
--- a/cmd/restore_repo.go
+++ b/cmd/restore_repo.go
@ -9,39 +9,38 @@ import (
 	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // CmdRestoreRepository represents the available restore a repository sub-command.
-var CmdRestoreRepository = &cli.Command{
+var CmdRestoreRepository = cli.Command{
 	Name:        "restore-repo",
 	Usage:       "Restore the repository from disk",
 	Description: "This is a command for restoring the repository data.",
 	Action:      runRestoreRepository,
 	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "repo_dir",
-			Aliases: []string{"r"},
-			Value:   "./data",
-			Usage:   "Repository dir path to restore from",
+		cli.StringFlag{
+			Name:  "repo_dir, r",
+			Value: "./data",
+			Usage: "Repository dir path to restore from",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "owner_name",
 			Value: "",
 			Usage: "Restore destination owner name",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "repo_name",
 			Value: "",
 			Usage: "Restore destination repository name",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "units",
 			Value: "",
 			Usage: `Which items will be restored, one or more units should be separated as comma.
 wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "validation",
 			Usage: "Sanity check the content of the files before trying to load them",
 		},
--- a/cmd/serv.go
+++ b/cmd/serv.go
@ -30,9 +30,9 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/services/lfs"

-	"github.com/golang-jwt/jwt/v5"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/kballard/go-shellquote"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 const (
@ -40,17 +40,17 @@ const (
 )

 // CmdServ represents the available serv sub-command.
-var CmdServ = &cli.Command{
+var CmdServ = cli.Command{
 	Name:        "serv",
-	Usage:       "(internal) Should only be called by SSH shell",
+	Usage:       "This command should only be called by SSH shell",
 	Description: "Serv provides access auth for repositories",
 	Before:      PrepareConsoleLoggerLevel(log.FATAL),
 	Action:      runServ,
 	Flags: []cli.Flag{
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name: "enable-pprof",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name: "debug",
 		},
 	},
@ -63,10 +63,21 @@ func setup(ctx context.Context, debug bool) {
 		setupConsoleLogger(log.FATAL, false, os.Stderr)
 	}
 	setting.MustInstalled()
+	if debug {
+		setting.RunMode = "dev"
+	}
+
+	// Check if setting.RepoRootPath exists. It could be the case that it doesn't exist, this can happen when
+	// `[repository]` `ROOT` is a relative path and $GITEA_WORK_DIR isn't passed to the SSH connection.
 	if _, err := os.Stat(setting.RepoRootPath); err != nil {
-		_ = fail(ctx, "Unable to access repository path", "Unable to access repository path %q, err: %v", setting.RepoRootPath, err)
+		if os.IsNotExist(err) {
+			_ = fail(ctx, "Incorrect configuration, no repository directory.", "Directory `[repository].ROOT` %q was not found, please check if $GITEA_WORK_DIR is passed to the SSH connection or make `[repository].ROOT` an absolute value.", setting.RepoRootPath)
+		} else {
+			_ = fail(ctx, "Incorrect configuration, repository directory is inaccessible", "Directory `[repository].ROOT` %q is inaccessible. err: %v", setting.RepoRootPath, err)
+		}
 		return
 	}
+
 	if err := git.InitSimple(context.Background()); err != nil {
 		_ = fail(ctx, "Failed to init git", "Failed to init git, err: %v", err)
 	}
@ -84,7 +95,7 @@ var (

 // fail prints message to stdout, it's mainly used for git serv and git hook commands.
 // The output will be passed to git client and shown to user.
-func fail(ctx context.Context, userMessage, logMsgFmt string, args ...any) error {
+func fail(ctx context.Context, userMessage, logMsgFmt string, args ...interface{}) error {
 	if userMessage == "" {
 		userMessage = "Internal Server Error (no specific error)"
 	}
@ -108,7 +119,7 @@ func fail(ctx context.Context, userMessage, logMsgFmt string, args ...any) error
 		}
 		_ = private.SSHLog(ctx, true, logMsg)
 	}
-	return cli.Exit("", 1)
+	return cli.NewExitError("", 1)
 }

 // handleCliResponseExtra handles the extra response from the cli sub-commands
@ -119,7 +130,7 @@ func handleCliResponseExtra(extra private.ResponseExtra) error {
 		_, _ = fmt.Fprintln(os.Stdout, extra.UserMsg)
 	}
 	if extra.HasError() {
-		return cli.Exit(extra.Error, 1)
+		return cli.NewExitError(extra.Error, 1)
 	}
 	return nil
 }
@ -136,20 +147,20 @@ func runServ(c *cli.Context) error {
 		return nil
 	}

-	if c.NArg() < 1 {
+	if len(c.Args()) < 1 {
 		if err := cli.ShowSubcommandHelp(c); err != nil {
 			fmt.Printf("error showing subcommand help: %v\n", err)
 		}
 		return nil
 	}

-	keys := strings.Split(c.Args().First(), "-")
+	keys := strings.Split(c.Args()[0], "-")
 	if len(keys) != 2 || keys[0] != "key" {
-		return fail(ctx, "Key ID format error", "Invalid key argument: %s", c.Args().First())
+		return fail(ctx, "Key ID format error", "Invalid key argument: %s", c.Args()[0])
 	}
 	keyID, err := strconv.ParseInt(keys[1], 10, 64)
 	if err != nil {
-		return fail(ctx, "Key ID parsing error", "Invalid key argument: %s", c.Args().Get(1))
+		return fail(ctx, "Key ID parsing error", "Invalid key argument: %s", c.Args()[1])
 	}

 	cmd := os.Getenv("SSH_ORIGINAL_COMMAND")
@ -205,18 +216,16 @@ func runServ(c *cli.Context) error {
 		}
 	}

+	// LowerCase and trim the repoPath as that's how they are stored.
+	repoPath = strings.ToLower(strings.TrimSpace(repoPath))
+
 	rr := strings.SplitN(repoPath, "/", 2)
 	if len(rr) != 2 {
 		return fail(ctx, "Invalid repository path", "Invalid repository path: %v", repoPath)
 	}

-	username := rr[0]
-	reponame := strings.TrimSuffix(rr[1], ".git")
-
-	// LowerCase and trim the repoPath as that's how they are stored.
-	// This should be done after splitting the repoPath into username and reponame
-	// so that username and reponame are not affected.
-	repoPath = strings.ToLower(strings.TrimSpace(repoPath))
+	username := strings.ToLower(rr[0])
+	reponame := strings.ToLower(strings.TrimSuffix(rr[1], ".git"))

 	if alphaDashDotPattern.MatchString(reponame) {
 		return fail(ctx, "Invalid repo name", "Invalid repo name: %s", reponame)
--- a/cmd/web.go
+++ b/cmd/web.go
@ -15,24 +15,22 @@ import (

 	_ "net/http/pprof" // Used for debugging if enabled and a web server is running

-	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/process"
-	"code.gitea.io/gitea/modules/public"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/routers"
 	"code.gitea.io/gitea/routers/install"

 	"github.com/felixge/fgprof"
-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

 // PIDFile could be set from build tag
 var PIDFile = "/run/gitea.pid"

 // CmdWeb represents the available web sub-command.
-var CmdWeb = &cli.Command{
+var CmdWeb = cli.Command{
 	Name:  "web",
 	Usage: "Start Gitea web server",
 	Description: `Gitea web server is the only thing you need to run,
@ -40,29 +38,26 @@ and it takes care of all the other things for you`,
 	Before: PrepareConsoleLoggerLevel(log.INFO),
 	Action: runWeb,
 	Flags: []cli.Flag{
-		&cli.StringFlag{
-			Name:    "port",
-			Aliases: []string{"p"},
-			Value:   "3000",
-			Usage:   "Temporary port number to prevent conflict",
+		cli.StringFlag{
+			Name:  "port, p",
+			Value: "3000",
+			Usage: "Temporary port number to prevent conflict",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "install-port",
 			Value: "3000",
 			Usage: "Temporary port number to run the install page on to prevent conflict",
 		},
-		&cli.StringFlag{
-			Name:    "pid",
-			Aliases: []string{"P"},
-			Value:   PIDFile,
-			Usage:   "Custom pid file path",
+		cli.StringFlag{
+			Name:  "pid, P",
+			Value: PIDFile,
+			Usage: "Custom pid file path",
 		},
-		&cli.BoolFlag{
-			Name:    "quiet",
-			Aliases: []string{"q"},
-			Usage:   "Only display Fatal logging errors until logging is set-up",
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "Only display Fatal logging errors until logging is set-up",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "verbose",
 			Usage: "Set initial logging to TRACE level until logging is properly set-up",
 		},
@ -107,18 +102,13 @@ func createPIDFile(pidPath string) {
 	}
 }

-func showWebStartupMessage(msg string) {
-	log.Info("Gitea version: %s%s", setting.AppVer, setting.AppBuiltWith)
-	log.Info("* RunMode: %s", setting.RunMode)
-	log.Info("* AppPath: %s", setting.AppPath)
-	log.Info("* WorkPath: %s", setting.AppWorkPath)
-	log.Info("* CustomPath: %s", setting.CustomPath)
-	log.Info("* ConfigFile: %s", setting.CustomConf)
-	log.Info("%s", msg)
-}
-
 func serveInstall(ctx *cli.Context) error {
-	showWebStartupMessage("Prepare to run install page")
+	log.Info("Gitea version: %s%s", setting.AppVer, setting.AppBuiltWith)
+	log.Info("App path: %s", setting.AppPath)
+	log.Info("Work path: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Config file: %s", setting.CustomConf)
+	log.Info("Prepare to run install page")

 	routers.InitWebInstallPage(graceful.GetManager().HammerContext())

@ -155,42 +145,33 @@ func serveInstalled(ctx *cli.Context) error {
 	setting.LoadCommonSettings()
 	setting.MustInstalled()

-	showWebStartupMessage("Prepare to run web server")
+	log.Info("Gitea version: %s%s", setting.AppVer, setting.AppBuiltWith)
+	log.Info("App path: %s", setting.AppPath)
+	log.Info("Work path: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Config file: %s", setting.CustomConf)
+	log.Info("Run mode: %s", setting.RunMode)
+	log.Info("Prepare to run web server")

 	if setting.AppWorkPathMismatch {
 		log.Error("WORK_PATH from config %q doesn't match other paths from environment variables or command arguments. "+
-			"Only WORK_PATH in config should be set and used. Please make sure the path in config file is correct, "+
-			"remove the other outdated work paths from environment variables and command arguments", setting.CustomConf)
+			"Only WORK_PATH in config should be set and used. Please remove the other outdated work paths from environment variables and command arguments", setting.CustomConf)
 	}

 	rootCfg := setting.CfgProvider
 	if rootCfg.Section("").Key("WORK_PATH").String() == "" {
 		saveCfg, err := rootCfg.PrepareSaving()
 		if err != nil {
-			log.Error("Unable to prepare saving WORK_PATH=%s to config %q: %v\nYou should set it manually, otherwise there might be bugs when accessing the git repositories.", setting.AppWorkPath, setting.CustomConf, err)
+			log.Error("Unable to prepare saving WORK_PATH=%s to config %q: %v\nYou must set it manually, otherwise there might be bugs when accessing the git repositories.", setting.AppWorkPath, setting.CustomConf, err)
 		} else {
 			rootCfg.Section("").Key("WORK_PATH").SetValue(setting.AppWorkPath)
 			saveCfg.Section("").Key("WORK_PATH").SetValue(setting.AppWorkPath)
 			if err = saveCfg.Save(); err != nil {
-				log.Error("Unable to update WORK_PATH=%s to config %q: %v\nYou should set it manually, otherwise there might be bugs when accessing the git repositories.", setting.AppWorkPath, setting.CustomConf, err)
+				log.Error("Unable to update WORK_PATH=%s to config %q: %v\nYou must set it manually, otherwise there might be bugs when accessing the git repositories.", setting.AppWorkPath, setting.CustomConf, err)
 			}
 		}
 	}

-	// in old versions, user's custom web files are placed in "custom/public", and they were served as "http://domain.com/assets/xxx"
-	// now, Gitea only serves pre-defined files in the "custom/public" folder basing on the web root, the user should move their custom files to "custom/public/assets"
-	publicFiles, _ := public.AssetFS().ListFiles(".")
-	publicFilesSet := container.SetOf(publicFiles...)
-	publicFilesSet.Remove(".well-known")
-	publicFilesSet.Remove("assets")
-	publicFilesSet.Remove("robots.txt")
-	for _, fn := range publicFilesSet.Values() {
-		log.Error("Found legacy public asset %q in CustomPath. Please move it to %s/public/assets/%s", fn, setting.CustomPath, fn)
-	}
-	if _, err := os.Stat(filepath.Join(setting.CustomPath, "robots.txt")); err == nil {
-		log.Error(`Found legacy public asset "robots.txt" in CustomPath. Please move it to %s/public/robots.txt`, setting.CustomPath)
-	}
-
 	routers.InitWebInstalled(graceful.GetManager().HammerContext())

 	// We check that AppDataPath exists here (it should have been created during installation)
@ -208,8 +189,8 @@ func serveInstalled(ctx *cli.Context) error {
 	}

 	// Set up Chi routes
-	webRoutes := routers.NormalRoutes()
-	err := listen(webRoutes, true)
+	c := routers.NormalRoutes(graceful.GetManager().HammerContext())
+	err := listen(c, true)
 	<-graceful.GetManager().Done()
 	log.Info("PID: %d Gitea Web Finished", os.Getpid())
 	log.GetManager().Close()
--- a/contrib/backport/backport.go
+++ b/contrib/backport/backport.go
@ -17,8 +17,8 @@ import (
 	"strings"
 	"syscall"

-	"github.com/google/go-github/v57/github"
-	"github.com/urfave/cli/v2"
+	"github.com/google/go-github/v52/github"
+	"github.com/urfave/cli"
 	"gopkg.in/yaml.v3"
 )

@ -32,55 +32,55 @@ func main() {
 	app.ArgsUsage = "<PR-to-backport>"

 	app.Flags = []cli.Flag{
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "version",
 			Usage: "Version branch to backport on to",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "upstream",
 			Value: "origin",
 			Usage: "Upstream remote for the Gitea upstream",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "release-branch",
 			Value: "",
 			Usage: "Release branch to backport on. Will default to release/<version>",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "cherry-pick",
 			Usage: "SHA to cherry-pick as backport",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "backport-branch",
 			Usage: "Backport branch to backport on to (default: backport-<pr>-<version>",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "remote",
 			Value: "",
 			Usage: "Remote for your fork of the Gitea upstream",
 		},
-		&cli.StringFlag{
+		cli.StringFlag{
 			Name:  "fork-user",
 			Value: "",
 			Usage: "Forked user name on Github",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "no-fetch",
 			Usage: "Set this flag to prevent fetch of remote branches",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "no-amend-message",
 			Usage: "Set this flag to prevent automatic amendment of the commit message",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "no-push",
 			Usage: "Set this flag to prevent pushing the backport up to your fork",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "no-xdg-open",
 			Usage: "Set this flag to not use xdg-open to open the PR URL",
 		},
-		&cli.BoolFlag{
+		cli.BoolFlag{
 			Name:  "continue",
 			Usage: "Set this flag to continue from a git cherry-pick that has broken",
 		},
@ -151,7 +151,7 @@ func runBackport(c *cli.Context) error {

 	localReleaseBranch := path.Join(upstream, upstreamReleaseBranch)

-	args := c.Args().Slice()
+	args := c.Args()
 	if len(args) == 0 && pr == "" {
 		return fmt.Errorf("no PR number provided\nProvide a PR number to backport")
 	} else if len(args) != 1 && pr == "" {
--- a/contrib/environment-to-ini/environment-to-ini.go
+++ b/contrib/environment-to-ini/environment-to-ini.go
@ -5,13 +5,17 @@ package main

 import (
 	"os"
+	"strings"

 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"

-	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli"
 )

+// EnvironmentPrefix environment variables prefixed with this represent ini values to write
+const EnvironmentPrefix = "GITEA"
+
 func main() {
 	app := cli.NewApp()
 	app.Name = "environment-to-ini"
@ -46,29 +50,34 @@ func main() {
 	and "GITEA__LOG_0x2E_CONSOLE__STDERR=false". Other examples can be found
 	on the configuration cheat sheet.`
 	app.Flags = []cli.Flag{
-		&cli.StringFlag{
-			Name:    "custom-path",
-			Aliases: []string{"C"},
-			Value:   setting.CustomPath,
-			Usage:   "Custom path file path",
+		cli.StringFlag{
+			Name:  "custom-path, C",
+			Value: setting.CustomPath,
+			Usage: "Custom path file path",
 		},
-		&cli.StringFlag{
-			Name:    "config",
-			Aliases: []string{"c"},
-			Value:   setting.CustomConf,
-			Usage:   "Custom configuration file path",
+		cli.StringFlag{
+			Name:  "config, c",
+			Value: setting.CustomConf,
+			Usage: "Custom configuration file path",
 		},
-		&cli.StringFlag{
-			Name:    "work-path",
-			Aliases: []string{"w"},
-			Value:   setting.AppWorkPath,
-			Usage:   "Set the gitea working path",
+		cli.StringFlag{
+			Name:  "work-path, w",
+			Value: setting.AppWorkPath,
+			Usage: "Set the gitea working path",
 		},
-		&cli.StringFlag{
-			Name:    "out",
-			Aliases: []string{"o"},
-			Value:   "",
-			Usage:   "Destination file to write to",
+		cli.StringFlag{
+			Name:  "out, o",
+			Value: "",
+			Usage: "Destination file to write to",
+		},
+		cli.BoolFlag{
+			Name:  "clear",
+			Usage: "Clears the matched variables from the environment",
+		},
+		cli.StringFlag{
+			Name:  "prefix, p",
+			Value: EnvironmentPrefix,
+			Usage: "Environment prefix to look for - will be suffixed by __ (2 underscores)",
 		},
 	}
 	app.Action = runEnvironmentToIni
@ -79,8 +88,6 @@ func main() {
 }

 func runEnvironmentToIni(c *cli.Context) error {
-	// the config system may change the environment variables, so get a copy first, to be used later
-	env := append([]string{}, os.Environ()...)
 	setting.InitWorkPathAndCfgProvider(os.Getenv, setting.ArgWorkPathAndCustomConf{
 		WorkPath:   c.String("work-path"),
 		CustomPath: c.String("custom-path"),
@ -92,7 +99,9 @@ func runEnvironmentToIni(c *cli.Context) error {
 		log.Fatal("Failed to load custom conf '%s': %v", setting.CustomConf, err)
 	}

-	changed := setting.EnvironmentToConfig(cfg, env)
+	prefixGitea := c.String("prefix") + "__"
+	suffixFile := "__FILE"
+	changed := setting.EnvironmentToConfig(cfg, prefixGitea, suffixFile, os.Environ())

 	// try to save the config file
 	destination := c.String("out")
@ -107,5 +116,19 @@ func runEnvironmentToIni(c *cli.Context) error {
 		}
 	}

+	// clear Gitea's specific environment variables if requested
+	if c.Bool("clear") {
+		for _, kv := range os.Environ() {
+			idx := strings.IndexByte(kv, '=')
+			if idx < 0 {
+				continue
+			}
+			eKey := kv[:idx]
+			if strings.HasPrefix(eKey, prefixGitea) {
+				_ = os.Unsetenv(eKey)
+			}
+		}
+	}
+
 	return nil
 }
--- a/contrib/fixtures/fixture_generation.go
+++ b/contrib/fixtures/fixture_generation.go
@ -5,7 +5,6 @@
 package main

 import (
-	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@ -19,7 +18,7 @@ import (

 var (
 	generators = []struct {
-		gen  func(ctx context.Context) (string, error)
+		gen  func() (string, error)
 		name string
 	}{
 		{
@ -42,17 +41,16 @@ func main() {
 		fmt.Printf("PrepareTestDatabase: %+v\n", err)
 		os.Exit(1)
 	}
-	ctx := context.Background()
 	if len(os.Args) == 0 {
 		for _, r := range os.Args {
-			if err := generate(ctx, r); err != nil {
+			if err := generate(r); err != nil {
 				fmt.Printf("generate '%s': %+v\n", r, err)
 				os.Exit(1)
 			}
 		}
 	} else {
 		for _, g := range generators {
-			if err := generate(ctx, g.name); err != nil {
+			if err := generate(g.name); err != nil {
 				fmt.Printf("generate '%s': %+v\n", g.name, err)
 				os.Exit(1)
 			}
@ -60,10 +58,10 @@ func main() {
 	}
 }

-func generate(ctx context.Context, name string) error {
+func generate(name string) error {
 	for _, g := range generators {
 		if g.name == name {
-			data, err := g.gen(ctx)
+			data, err := g.gen()
 			if err != nil {
 				return err
 			}
--- a/contrib/gitea-monitoring-mixin/config.libsonnet
+++ b/contrib/gitea-monitoring-mixin/config.libsonnet
@ -7,7 +7,7 @@
    dashboardTimezone: 'default',
    dashboardRefresh: '1m',

-    // please see https://docs.gitea.com/administration/config-cheat-sheet#metrics-metrics
+    // please see https://docs.gitea.io/en-us/config-cheat-sheet/#metrics-metrics
    // Show issue by repository metrics with format gitea_issues_by_repository{repository="org/repo"} 5.
    // Requires Gitea 1.16.0 with ENABLED_ISSUE_BY_REPOSITORY set to true.
    showIssuesByRepository: true,
--- a/contrib/legal/privacy.html.sample
+++ b/contrib/legal/privacy.html.sample
@ -37,7 +37,7 @@

   <h3>With your Consent</h3>

-   <p>We share your User Personal Information, if you consent, after letting you know what information will be shared, with whom, and why. For example, if you allow third party applications to access your Account using <a href="https://docs.gitea.com/development/oauth2-provider">OAuth2 providers</a>, we share all information associated with your Account, including private repos and organizations. You may also direct us through your action on Your Gitea Instance to share your User Personal Information, such as when joining an Organization.</p>
+   <p>We share your User Personal Information, if you consent, after letting you know what information will be shared, with whom, and why. For example, if you allow third party applications to access your Account using <a href="https://docs.gitea.io/en-us/oauth2-provider/">OAuth2 providers</a>, we share all information associated with your Account, including private repos and organizations. You may also direct us through your action on Your Gitea Instance to share your User Personal Information, such as when joining an Organization.</p>

   <h3>With Service Providers</h3>

@ -144,7 +144,7 @@

   <h3>Data Portability</h3>

-   <p>As a Your Gitea Instance User, you can always take your data with you. You can clone your repositories to your computer, or you can <a href="https://docs.gitea.com/development/migrations-interfaces">perform migrations using the provided interfaces</a>, for example.</p>
+   <p>As a Your Gitea Instance User, you can always take your data with you. You can clone your repositories to your computer, or you can <a href="https://docs.gitea.io/en-us/migrations-interfaces/">perform migrations using the provided interfaces</a>, for example.</p>

   <h3>Data Retention and Deletion of Data</h3>

@ -183,7 +183,7 @@

  <h2>Changes to this Privacy Policy</h2>

-  <p>Although most changes are likely to be minor, Your Gitea Instance may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your account.</p>
+  <p>Although most changes are likely to be minor, Your Gitea Instance may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your account.</p> 

  <h2>Contact</h2>

--- a/contrib/systemd/gitea.service
+++ b/contrib/systemd/gitea.service
@ -1,5 +1,6 @@
 [Unit]
 Description=Gitea (Git with a cup of tea)
+After=syslog.target
 After=network.target
 ###
 # Don't forget to add the database service dependencies
@ -51,7 +52,7 @@ After=network.target
 # Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
 # LimitNOFILE=524288:524288
 RestartSec=2s
-Type=simple
+Type=notify
 User=git
 Group=git
 WorkingDirectory=/var/lib/gitea/
@ -61,6 +62,7 @@ WorkingDirectory=/var/lib/gitea/
 ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
 Restart=always
 Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+WatchdogSec=30s
 # If you install Git to directory prefix other than default PATH (which happens
 # for example if you install other versions of Git side-to-side with
 # distribution version), uncomment below line and add that prefix to PATH
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -4,7 +4,7 @@
 ;; Do not copy the whole file as-is, as it contains some invalid sections for illustrative purposes.
 ;; If you don't know what a setting is you should not set it.
 ;;
-;; see https://docs.gitea.com/administration/config-cheat-sheet for additional documentation.
+;; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.


 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -12,27 +12,30 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; These values are environment-dependent but form the basis of a lot of values. They will be
-;; reported as part of the default configuration when running `gitea help` or on start-up. The order they are emitted there is slightly different but we will list them here in the order they are set-up.
+;; reported as part of the default configuration when running `gitea --help` or on start-up. The order they are emitted there is slightly different but we will list them here in the order they are set-up.
 ;;
 ;; - _`AppPath`_: This is the absolute path of the running gitea binary.
 ;; - _`AppWorkPath`_: This refers to "working path" of the `gitea` binary. It is determined by using the first set thing in the following hierarchy:
-;;   - The "WORK_PATH" option in "app.ini" file
 ;;   - The `--work-path` flag passed to the binary
 ;;   - The environment variable `$GITEA_WORK_DIR`
 ;;   - A built-in value set at build time (see building from source)
 ;;   - Otherwise it defaults to the directory of the _`AppPath`_
-;;   - If any of the above are relative paths then they are made absolute against the directory of the _`AppPath`_
-;; - _`CustomPath`_: This is the base directory for custom templates and other options. It is determined by using the first set thing in the following hierarchy:
+;;   - If any of the above are relative paths then they are made absolute against
+;; the directory of the _`AppPath`_
+;; - _`CustomPath`_: This is the base directory for custom templates and other options.
+;; It is determined by using the first set thing in the following hierarchy:
 ;;   - The `--custom-path` flag passed to the binary
 ;;   - The environment variable `$GITEA_CUSTOM`
 ;;   - A built-in value set at build time (see building from source)
 ;;   - Otherwise it defaults to _`AppWorkPath`_`/custom`
-;;   - If any of the above are relative paths then they are made absolute against the directory of the _`AppWorkPath`_
+;;   - If any of the above are relative paths then they are made absolute against the
+;; the directory of the _`AppWorkPath`_
 ;; - _`CustomConf`_: This is the path to the `app.ini` file.
 ;;   - The `--config` flag passed to the binary
 ;;   - A built-in value set at build time (see building from source)
 ;;   - Otherwise it defaults to _`CustomPath`_`/conf/app.ini`
-;;   - If any of the above are relative paths then they are made absolute against the directory of the _`CustomPath`_
+;;   - If any of the above are relative paths then they are made absolute against the
+;; the directory of the _`CustomPath`_
 ;;
 ;; In addition there is _`StaticRootPath`_ which can be set as a built-in at build time, but will otherwise default to _`AppWorkPath`_

@ -49,9 +52,6 @@ RUN_USER = ; git
 ;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
 ;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
 ;RUN_MODE = prod
-;;
-;; The working directory, see the comment of AppWorkPath above
-;WORK_PATH =

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -60,7 +60,6 @@ RUN_USER = ; git
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; The protocol the server listens on. One of 'http', 'https', 'http+unix', 'fcgi' or 'fcgi+unix'. Defaults to 'http'
-;; Note: Value must be lowercase.
 ;PROTOCOL = http
 ;;
 ;; Expect PROXY protocol headers on connections
@ -120,13 +119,10 @@ RUN_USER = ; git
 ;; Permission for unix socket
 ;UNIX_SOCKET_PERMISSION = 666
 ;;
-;; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service. In
-;; most cases you do not need to change the default value. Alter it only if
-;; your SSH server node is not the same as HTTP node. For different protocol, the default
-;; values are different. If `PROTOCOL` is `http+unix`, the default value is `http://unix/`.
-;; If `PROTOCOL` is `fcgi` or `fcgi+unix`, the default value is `%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/`.
-;; If listen on `0.0.0.0`, the default value is `%(PROTOCOL)s://localhost:%(HTTP_PORT)s/`, Otherwise the default
-;; value is `%(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/`.
+;; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
+;; In most cases you do not need to change the default value.
+;; Alter it only if your SSH server node is not the same as HTTP node.
+;; Do not set this variable if PROTOCOL is set to 'unix'.
 ;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
 ;;
 ;; When making local connections pass the PROXY protocol header.
@ -194,8 +190,8 @@ RUN_USER = ; git
 ;; Use `ssh-keygen` to parse public SSH keys. The value is passed to the shell. By default, Gitea does the parsing itself.
 ;SSH_KEYGEN_PATH =
 ;;
-;; Enable SSH Authorized Key Backup when rewriting all keys, default is false
-;SSH_AUTHORIZED_KEYS_BACKUP = false
+;; Enable SSH Authorized Key Backup when rewriting all keys, default is true
+;SSH_AUTHORIZED_KEYS_BACKUP = true
 ;;
 ;; Determines which principals to allow
 ;; - empty: if SSH_TRUSTED_USER_CA_KEYS is empty this will default to off, otherwise will default to email, username.
@ -234,7 +230,7 @@ RUN_USER = ; git
 ;MINIMUM_KEY_SIZE_CHECK = false
 ;;
 ;; Disable CDN even in "prod" mode
-;OFFLINE_MODE = true
+;OFFLINE_MODE = false
 ;;
 ;; TLS Settings: Either ACME or manual
 ;; (Other common TLS configuration are found before)
@ -304,10 +300,7 @@ RUN_USER = ; git
 ;;
 ;;
 ;; LFS authentication secret, change this yourself
-;LFS_JWT_SECRET =
-;;
-;; Alternative location to specify LFS authentication secret. You cannot specify both this and LFS_JWT_SECRET, and must pick one
-;LFS_JWT_SECRET_URI = file:/etc/gitea/lfs_jwt_secret
+LFS_JWT_SECRET =
 ;;
 ;; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
 ;LFS_HTTP_AUTH_EXPIRY = 24h
@ -351,7 +344,9 @@ NAME = gitea
 USER = root
 ;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
-;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
+;CHARSET = utf8mb4 ;either "utf8" or "utf8mb4", default is "utf8mb4".
+;;
+;; NOTICE: for "utf8mb4" you must use MySQL InnoDB > 5.6. Gitea is unable to check this.
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@ -383,7 +378,6 @@ USER = root
 ;NAME = gitea
 ;USER = SA
 ;PASSWD = MwantsaSecurePassword1
-;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@ -412,10 +406,6 @@ USER = root
 ;;
 ;; Whether execute database models migrations automatically
 ;AUTO_MIGRATION = true
-;;
-;; Threshold value (in seconds) beyond which query execution time is logged as a warning in the xorm logger
-;;
-;SLOW_QUERY_THRESHOLD = 5s

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -435,7 +425,7 @@ SECRET_KEY =
 ;SECRET_KEY_URI = file:/etc/gitea/secret_key
 ;;
 ;; Secret used to validate communication within Gitea binary.
-INTERNAL_TOKEN =
+INTERNAL_TOKEN=
 ;;
 ;; Alternative location to specify internal token, instead of this file; you cannot specify both this and INTERNAL_TOKEN, and must pick one
 ;INTERNAL_TOKEN_URI = file:/etc/gitea/internal_token
@ -461,7 +451,7 @@ INTERNAL_TOKEN =
 ;REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
 ;;
 ;; The minimum password length for new Users
-;MIN_PASSWORD_LENGTH = 8
+;MIN_PASSWORD_LENGTH = 6
 ;;
 ;; Set to true to allow users to import local server paths
 ;IMPORT_LOCAL_PATHS = false
@ -498,11 +488,6 @@ INTERNAL_TOKEN =
 ;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
 ;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
 ;SUCCESSFUL_TOKENS_CACHE_SIZE = 20
-;;
-;; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities
-;; stemming from cached/logged plain-text API tokens.
-;; In future releases, this will become the default behavior
-;DISABLE_QUERY_AUTH_TOKEN = false

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -528,7 +513,7 @@ INTERNAL_TOKEN =
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
 ;; Enables OAuth2 provider
-ENABLED = true
+ENABLE = true
 ;;
 ;; Algorithm used to sign OAuth2 tokens. Valid values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, EdDSA
 ;JWT_SIGNING_ALGORITHM = RS256
@ -542,9 +527,6 @@ ENABLED = true
 ;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512.
 ;JWT_SECRET =
 ;;
-;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
-;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret
-;;
 ;; Lifetime of an OAuth2 access token in seconds
 ;ACCESS_TOKEN_EXPIRATION_TIME = 3600
 ;;
@ -556,12 +538,6 @@ ENABLED = true
 ;;
 ;; Maximum length of oauth2 token/cookie stored on server
 ;MAX_TOKEN_LENGTH = 32767
-;;
-;; Pre-register OAuth2 applications for some universally useful services
-;; * https://github.com/hickford/git-credential-oauth
-;; * https://github.com/git-ecosystem/git-credential-manager
-;; * https://gitea.com/gitea/tea
-;DEFAULT_APPLICATIONS = git-credential-oauth, git-credential-manager, tea

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -772,8 +748,6 @@ LEVEL = Info
 ;;
 ;; More detail: https://github.com/gogits/gogs/issues/165
 ;ENABLE_REVERSE_PROXY_AUTHENTICATION = false
-; Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible.
-;ENABLE_REVERSE_PROXY_AUTHENTICATION_API = false
 ;ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
 ;ENABLE_REVERSE_PROXY_EMAIL = false
 ;ENABLE_REVERSE_PROXY_FULL_NAME = false
@ -847,15 +821,6 @@ LEVEL = Info
 ;; Dependencies can be added from any repository where the user is granted access or only from the current repository depending on this setting.
 ;ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true
 ;;
-;; Default map service. No external API support has been included. A service has to allow
-;; searching using URL parameters, the location will be appended to the URL as escaped query parameter.
-;; Disabled by default, some example values are:
-;; - OpenStreetMap: https://www.openstreetmap.org/search?query=
-;; - Google Maps: https://www.google.com/maps/place/
-;; - MapQuest: https://www.mapquest.com/search/
-;; - Bing Maps: https://www.bing.com/maps?where1=
-; USER_LOCATION_MAP_URL =
-;;
 ;; Enable heatmap on users profiles.
 ;ENABLE_USER_HEATMAP = true
 ;;
@ -956,12 +921,6 @@ LEVEL = Info
 ;GO_GET_CLONE_URL_PROTOCOL = https
 ;;
 ;; Close issues as long as a commit on any branch marks it as fixed
-;DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false
-;;
-;; Allow users to push local repositories to Gitea and have them automatically created for a user or an org
-;ENABLE_PUSH_CREATE_USER = false
-;ENABLE_PUSH_CREATE_ORG = false
-;;
 ;; Comma separated list of globally disabled repo units. Allowed values: repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects, repo.packages, repo.actions.
 ;DISABLED_REPO_UNITS =
 ;;
@ -969,7 +928,7 @@ LEVEL = Info
 ;; Note: Code and Releases can currently not be deactivated. If you specify default repo units you should still list them for future compatibility.
 ;; External wiki and issue tracker can't be enabled by default as it requires additional settings.
 ;; Disabled repo units will not be added to new repositories regardless if it is in the default list.
-;DEFAULT_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages,repo.actions
+;DEFAULT_REPO_UNITS = repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages
 ;;
 ;; Comma separated list of default forked repo units.
 ;; The set of allowed values and rules are the same as DEFAULT_REPO_UNITS.
@ -1033,8 +992,8 @@ LEVEL = Info
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 ;ALLOWED_TYPES =
 ;;
-;; Max size of each file in megabytes. Defaults to 50MB
-;FILE_MAX_SIZE = 50
+;; Max size of each file in megabytes. Defaults to 3MB
+;FILE_MAX_SIZE = 3
 ;;
 ;; Max number of files per upload. Defaults to 5
 ;MAX_FILES = 5
@ -1054,7 +1013,7 @@ LEVEL = Info
 ;; List of keywords used in Pull Request comments to automatically reopen a related issue
 ;REOPEN_KEYWORDS = reopen,reopens,reopened
 ;;
-;; Set default merge style for repository creating, valid options: merge, rebase, rebase-merge, squash, fast-forward-only
+;; Set default merge style for repository creating, valid options: merge, rebase, rebase-merge, squash
 ;DEFAULT_MERGE_STYLE = merge
 ;;
 ;; In the default merge message for squash commits include at most this many commits
@ -1077,9 +1036,6 @@ LEVEL = Info
 ;;
 ;; In addition to testing patches using the three-way merge method, re-test conflicting patches with git apply
 ;TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY = false
-;;
-;; Retarget child pull requests to the parent pull request branch target on merge of parent pull request. It only works on merged PRs where the head and base branch target the same repo.
-;RETARGET_CHILDREN_ON_MERGE = true

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1173,9 +1129,15 @@ LEVEL = Info
 ;; enable cors headers (disabled by default)
 ;ENABLED = false
 ;;
-;; list of requesting origins that are allowed, eg: "https://*.example.com"
+;; scheme of allowed requests
+;SCHEME = http
+;;
+;; list of requesting domains that are allowed
 ;ALLOW_DOMAIN = *
 ;;
+;; allow subdomains of headers listed above to request
+;ALLOW_SUBDOMAIN = false
+;;
 ;; list of methods allowed to request
 ;METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
 ;;
@ -1221,28 +1183,22 @@ LEVEL = Info
 ;; Max size of files to be displayed (default is 8MiB)
 ;MAX_DISPLAY_FILE_SIZE = 8388608
 ;;
-;; Detect ambiguous unicode characters in file contents and show warnings on the UI
-;AMBIGUOUS_UNICODE_DETECTION = true
-;;
 ;; Whether the email of the user should be shown in the Explore Users page
 ;SHOW_USER_EMAIL = true
 ;;
 ;; Set the default theme for the Gitea install
-;DEFAULT_THEME = gitea-auto
+;DEFAULT_THEME = auto
 ;;
 ;; All available themes. Allow users select personalized themes regardless of the value of `DEFAULT_THEME`.
-;THEMES = gitea-auto,gitea-light,gitea-dark
+;THEMES = auto,gitea,arc-green
 ;;
 ;; All available reactions users can choose on issues/prs and comments.
 ;; Values can be emoji alias (:smile:) or a unicode emoji.
-;; For custom reactions, add a tightly cropped square image to public/assets/img/emoji/reaction_name.png
+;; For custom reactions, add a tightly cropped square image to public/img/emoji/reaction_name.png
 ;REACTIONS = +1, -1, laugh, hooray, confused, heart, rocket, eyes
 ;;
-;; Change the number of users that are displayed in reactions tooltip (triggered by mouse hover).
-;REACTION_MAX_USER_NUM = 10
-;;
 ;; Additional Emojis not defined in the utf8 standard
-;; By default we support gitea (:gitea:), to add more copy them to public/assets/img/emoji/emoji_name.png and add it to this config.
+;; By default we support gitea (:gitea:), to add more copy them to public/img/emoji/emoji_name.png and add it to this config.
 ;; Dont mistake it for Reactions.
 ;CUSTOM_EMOJIS = gitea, codeberg, gitlab, git, github, gogs
 ;;
@ -1255,14 +1211,6 @@ LEVEL = Info
 ;; Whether to only show relevant repos on the explore page when no keyword is specified and default sorting is used.
 ;; A repo is considered irrelevant if it's a fork or if it has no metadata (no description, no icon, no topic).
 ;ONLY_SHOW_RELEVANT_REPOS = false
-;;
-;; Change the sort type of the explore pages.
-;; Default is "recentupdate", but you also have "alphabetically", "reverselastlogin", "newest", "oldest".
-;EXPLORE_PAGING_DEFAULT_SORT = recentupdate
-;;
-;; The tense all timestamps should be rendered in. Possible values are `absolute` time (i.e. 1970-01-01, 11:59) and `mixed`.
-;; `mixed` means most timestamps are rendered in relative time (i.e. 2 days ago).
-;PREFERRED_TIMESTAMP_TENSE = mixed

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1371,7 +1319,7 @@ LEVEL = Info
 ;; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 ;ED25519 = 256
 ;ECDSA = 256
-;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length
+;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length
 ;DSA = -1 ; set to 1024 to switch on

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1389,10 +1337,10 @@ LEVEL = Info
 ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
 ;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
-;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
-;ISSUE_INDEXER_CONN_STR =
+;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch or meilisearch
+;ISSUE_INDEXER_CONN_STR = http://elastic:changeme@localhost:9200
 ;;
-;; Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch or meilisearch.
+;; Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch
 ;ISSUE_INDEXER_NAME = gitea_issues
 ;;
 ;; Timeout the indexer if it takes longer than this to start.
@ -1450,7 +1398,7 @@ LEVEL = Info
 ;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
 ;;
 ;; Default queue length before a channel queue will block
-;LENGTH = 100000
+;LENGTH = 100
 ;;
 ;; Batch size to send for batched queues
 ;BATCH_LENGTH = 20
@ -1466,8 +1414,8 @@ LEVEL = Info
 ;; Provides the suffix of the default redis/disk unique queue set name - specific queues can be overridden within in their [queue.name] sections.
 ;SET_NAME = "_unique"
 ;;
-;; Maximum number of worker go-routines for the queue. Default value is "CpuNum/2" clipped to between 1 and 10.
-;MAX_WORKERS = ; (dynamic)
+;; Dynamically scale the worker pool to at this many workers
+;MAX_WORKERS = 10

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1480,11 +1428,6 @@ LEVEL = Info
 ;;
 ;; Default configuration for email notifications for users (user configurable). Options: enabled, onmention, disabled
 ;DEFAULT_EMAIL_NOTIFICATIONS = enabled
-;; Disabled features for users, could be "deletion", "manage_ssh_keys","manage_gpg_keys" more features can be disabled in future
-;; - deletion: a user cannot delete their own account
-;; - manage_ssh_keys: a user cannot configure ssh keys
-;; - manage_gpg_keys: a user cannot configure gpg keys
-;USER_DISABLED_FEATURES =

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -1549,10 +1492,6 @@ LEVEL = Info
 ;; userid = use the userid / sub attribute
 ;; nickname = use the nickname attribute
 ;; email = use the username part of the email attribute
-;; Note: `nickname` and `email` options will normalize input strings using the following criteria:
-;; - diacritics are removed
-;; - the characters in the set `['´\x60]` are removed
-;; - the characters in the set `[\s~+]` are replaced with `-`
 ;USERNAME = nickname
 ;;
 ;; Update avatar if available from oauth2 provider.
@ -1727,6 +1666,9 @@ LEVEL = Info
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
+;; if the cache enabled
+;ENABLED = true
+;;
 ;; Either "memory", "redis", "memcache", or "twoqueue". default is "memory"
 ;ADAPTER = memory
 ;;
@ -1751,6 +1693,8 @@ LEVEL = Info
 ;[cache.last_commit]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; if the cache enabled
+;ENABLED = true
 ;;
 ;; Time to keep items in cache if not used, default is 8760 hours.
 ;; Setting it to -1 disables caching
@ -1780,8 +1724,8 @@ LEVEL = Info
 ;; Session cookie name
 ;COOKIE_NAME = i_like_gitea
 ;;
-;; If you use session in https only: true or false. If not set, it defaults to `true` if the ROOT_URL is an HTTPS URL.
-;COOKIE_SECURE =
+;; If you use session in https only, default is false
+;COOKIE_SECURE = false
 ;;
 ;; Session GC time interval in seconds, default is 86400 (1 day)
 ;GC_INTERVAL_TIME = 86400
@ -1846,8 +1790,8 @@ LEVEL = Info
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 ;ALLOWED_TYPES = .csv,.docx,.fodg,.fodp,.fods,.fodt,.gif,.gz,.jpeg,.jpg,.log,.md,.mov,.mp4,.odf,.odg,.odp,.ods,.odt,.patch,.pdf,.png,.pptx,.svg,.tgz,.txt,.webm,.xls,.xlsx,.zip
 ;;
-;; Max size of each file. Defaults to 2048MB
-;MAX_SIZE = 2048
+;; Max size of each file. Defaults to 4MB
+;MAX_SIZE = 4
 ;;
 ;; Max number of files per upload. Defaults to 5
 ;MAX_FILES = 5
@ -1860,9 +1804,8 @@ LEVEL = Info
 ;; Currently, only `minio` is supported.
 ;SERVE_DIRECT = false
 ;;
-;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
-;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
-;PATH = attachments
+;; Path for attachments. Defaults to `data/attachments` only available when STORAGE_TYPE is `local`
+;PATH = data/attachments
 ;;
 ;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_ENDPOINT = localhost:9000
@ -2596,20 +2539,10 @@ LEVEL = Info

 ; [actions]
 ;; Enable/Disable actions capabilities
-;ENABLED = true
+;ENABLED = false
 ;;
 ;; Default platform to get action plugins, `github` for `https://github.com`, `self` for the current Gitea instance.
 ;DEFAULT_ACTIONS_URL = github
-;; Default artifact retention time in days. Artifacts could have their own retention periods by setting the `retention-days` option in `actions/upload-artifact` step.
-;ARTIFACT_RETENTION_DAYS = 90
-;; Timeout to stop the task which have running status, but haven't been updated for a long time
-;ZOMBIE_TASK_TIMEOUT = 10m
-;; Timeout to stop the tasks which have running status and continuous updates, but don't end for a long time
-;ENDLESS_TASK_TIMEOUT = 3h
-;; Timeout to cancel the jobs which have waiting status, but haven't been picked by a runner for a long time
-;ABANDONED_JOB_TIMEOUT = 24h
-;; Strings committers can place inside a commit message or PR title to skip executing the corresponding actions workflow
-;SKIP_WORKFLOW_STRINGS = [skip ci],[ci skip],[no ci],[skip actions],[actions skip]

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--- a/docker/README.md
+++ b/docker/README.md
@ -4,4 +4,4 @@ Dockerfile is found in root of repository.

 Docker image can be found on [docker hub](https://hub.docker.com/r/gitea/gitea)

-Documentation on using docker image can be found on [Gitea Docs site](https://docs.gitea.com/installation/install-with-docker-rootless)
+Documentation on using docker image can be found on [Gitea Docs site](https://docs.gitea.io/en-us/install-with-docker/)
--- a/docker/manifest.rootless.tmpl
+++ b/docker/manifest.rootless.tmpl
@ -1,14 +1,12 @@
 image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}{{#if (hasPrefix "refs/heads/release/v" build.ref)}}{{trimPrefix "refs/heads/release/v" build.ref}}-{{/if}}nightly{{/if}}-rootless
 {{#if build.tags}}
 {{#unless (contains "-rc" build.tag)}}
-{{#unless (contains "-dev" build.tag)}}
 tags:
 {{#each build.tags}}
  - {{this}}-rootless
 {{/each}}
  - "latest-rootless"
 {{/unless}}
-{{/unless}}
 {{/if}}
 manifests:
  -
--- a/Show More
+++ b/Show More