aboutsummaryrefslogtreecommitdiffstats
path: root/services/packages
Commit message (Collapse)AuthorAgeFilesLines
* Fix package upload temp path (#34196)wxiaoguang7 days1-6/+15
| | | | | Fix #34195 The temp dir should be created when it is used.
* Fix bug when migrating repository (#34182)Lunny Xiao7 days1-1/+1
| | | This PR fixed a bug which is a regression from #31035
* Fix invalid version in RPM package path (#34112)KN4CK3R2025-04-031-2/+1
|
* Enable addtional linters (#34085)TheFox0x72025-04-013-6/+8
| | | | | | | | enable mirror, usestdlibbars and perfsprint part of: https://github.com/go-gitea/gitea/issues/34083 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Add a config option to block "expensive" pages for anonymous users (#34024)wxiaoguang2025-03-301-1/+1
| | | | | | | | | | | Fix #33966 ``` ;; User must sign in to view anything. ;; It could be set to "expensive" to block anonymous users accessing some pages which consume a lot of resources, ;; for example: block anonymous AI crawlers from accessing repo code pages. ;; The "expensive" mode is experimental and subject to change. ;REQUIRE_SIGNIN_VIEW = false ```
* Decouple context from repository related structs (#33823)TheFox0x72025-03-081-14/+14
| | | Calls that required context implicitly are made to pass it as argument
* Add composor source field (#33502)Lunny Xiao2025-02-281-8/+9
| | | Fix #33066
* Add API to support link package to repository and unlink it (#33481)Lunny Xiao2025-02-161-0/+78
| | | | | | | Fix #21062 --------- Co-authored-by: Zettat123 <zettat123@gmail.com>
* Only show the latest version in the Arch index (#33262)Exploding Dragon2025-02-133-12/+166
| | | | | | | | | | Only show the latest version of the package in the arch repo. closes #33534 --------- Co-authored-by: Giteabot <teabot@gitea.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Support choose email when creating a commit via web UI (#33432)wxiaoguang2025-01-301-3/+7
| | | Initial PR for #24469
* Use ProtonMail/go-crypto to replace keybase/go-crypto (#33402)wxiaoguang2025-01-272-7/+7
| | | | | | Fix #33400 The keybase/go-crypto is no longer maintained and it generates malformed signatures, ProtonMail/go-crypto is the actively maintained fork.
* Refactor package (routes and error handling, npm peer dependency) (#33111)wxiaoguang2025-01-061-8/+6
|
* Fix Arch package metadata introduced incorrect field (#32881)Exploding Dragon2024-12-181-1/+2
| | | | | | Incorrect content was introduced while generating the index, which has now been removed, and the missing fields have been added. ![](https://github.com/user-attachments/assets/4fbb8884-337e-43b1-939f-a5ba687f7ffd)
* Add Arch package registry (#32692)KN4CK3R2024-12-044-4/+419
| | | | | | | | | | | | | | | | | | | | | | | Close #25037 Close #31037 This PR adds a Arch package registry usable with pacman. ![grafik](https://github.com/user-attachments/assets/81cdb0c2-02f9-4733-bee2-e48af6b45224) Rewrite of #25396 and #31037. You can follow [this tutorial](https://wiki.archlinux.org/title/Creating_packages) to build a package for testing. Docs PR: https://gitea.com/gitea/docs/pulls/111 Co-authored-by: [d1nch8g@ion.lc](mailto:d1nch8g@ion.lc) Co-authored-by: @ExplodingDragon --------- Co-authored-by: dancheg97 <dancheg97@fmnx.su> Co-authored-by: dragon <ExplodingFKL@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Fix `missing signature key` error when pulling Docker images with ↵Zettat1232024-10-311-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `SERVE_DIRECT` enabled (#32365) Fix #28121 I did some tests and found that the `missing signature key` error is caused by an incorrect `Content-Type` header. Gitea correctly sets the `Content-Type` header when serving files. https://github.com/go-gitea/gitea/blob/348d1d0f322ca57c459acd902f54821d687ca804/routers/api/packages/container/container.go#L712-L717 However, when `SERVE_DIRECT` is enabled, the `Content-Type` header may be set to an incorrect value by the storage service. To fix this issue, we can use query parameters to override response header values. https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html <img width="600px" src="https://github.com/user-attachments/assets/f2ff90f0-f1df-46f9-9680-b8120222c555" /> In this PR, I introduced a new parameter to the `URL` method to support additional parameters. ``` URL(path, name string, reqParams url.Values) (*url.URL, error) ``` --- Most S3-like services support specifying the content type when storing objects. However, Gitea always use `application/octet-stream`. Therefore, I believe we also need to improve the `Save` method to support storing objects with the correct content type. https://github.com/go-gitea/gitea/blob/b7fb20e73e63b8edc9b90c52073e248bef428fcc/modules/storage/minio.go#L214-L221
* Fix db engine (#32351)wxiaoguang2024-10-272-5/+6
| | | Fix #32349
* Do not escape relative path in RPM primary index (#32038)KN4CK3R2024-09-161-2/+1
| | | | | Fixes #32021 Do not escape the relative path.
* Fix nuget/conan/container packages upload bugs (#31967)Lunny Xiao2024-09-051-9/+21
|
* Fix RPM resource leak (#31794)KN4CK3R2024-08-082-32/+39
| | | | | | | Fixes a resource leak introduced by #27069. - add defer - move sign code out of `repository.go`
* Add signature support for the RPM module (#27069)Exploding Dragon2024-08-061-3/+35
| | | | | | | | close #27031 If the rpm package does not contain a matching gpg signature, the installation will fail. See (#27031) , now auto-signing rpm uploads. This option is turned off by default for compatibility.
* remove util.OptionalBool and related functions (#29513)65432024-03-023-8/+8
| | | | | | and migrate affected code _last refactoring bits to replace **util.OptionalBool** with **optional.Option[bool]**_
* Integrate alpine `noarch` packages into other architectures index (#29137)KN4CK3R2024-02-251-8/+48
| | | | | | | | | | | | Fixes #26691 Revert #24972 The alpine package manager expects `noarch` packages in the index of other architectures too. --------- Co-authored-by: Lauris BH <lauris@nix.lv> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Use general token signing secret (#29205)wxiaoguang2024-02-181-2/+2
| | | Use a clearly defined "signing secret" for token signing.
* Fix debian InRelease Acquire-By-Hash newline (#29204)Robin Schoonover2024-02-171-1/+1
| | | | | | | | | | | | | | | | There is a missing newline when generating the debian apt repo InRelease file, which results in output like: ``` [...] Date: Wed, 14 Feb 2024 05:03:01 UTC Acquire-By-Hash: yesMD5Sum: 51a518dbddcd569ac3e0cebf330c800a 3018 main-dev/binary-amd64/Packages [...] ``` It appears this would probably result in apt ignoring the Acquire-By-Hash setting and not using the by-hash functionality, although I'm not sure how to confirm it.
* Propagate install_if and provider_priority to APKINDEX (#28899)Sergey Bugaev2024-02-051-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolves https://github.com/go-gitea/gitea/issues/28704 Example of an entry in the generated `APKINDEX` file: ``` C:Q1xCO3H9LTTEbhKt9G1alSC87I56c= P:hello V:2.12-r1 A:x86_64 T:The GNU Hello program produces a familiar, friendly greeting U:https://www.gnu.org/software/hello/ L:GPL-3.0-or-later S:15403 I:36864 o:hello m: t:1705934118 D:so:libc.musl-x86_64.so.1 p:cmd:hello=2.12-r1 i:foobar=1.0 !baz k:42 ``` the `i:` and `k:` entries are new. --------- Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
* Fix some RPM registry flaws (#28782)KN4CK3R2024-01-192-17/+57
| | | | | | | | | | | | | | | | | | | Related #26984 (https://github.com/go-gitea/gitea/pull/26984#issuecomment-1889588912) Fix admin cleanup message. Fix models `Get` not respecting default values. Rebuild RPM repository files after cleanup. Do not add RPM group to package version name. Force stable sorting of Alpine/Debian/RPM repository data. Fix missing deferred `Close`. Add tests for multiple RPM groups. Removed non-cached `ReplaceAllStringRegex`. If there are multiple groups available, it's stated in the package installation screen: ![grafik](https://github.com/go-gitea/gitea/assets/1666336/8f132760-882c-4ab8-9678-77e47dfc4415)
* Fix reverting a merge commit failing (#28794)Mihir Joshi2024-01-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes #22236 --- Error occurring currently while trying to revert commit using read-tree -m approach: > 2022/12/26 16:04:43 ...rvices/pull/patch.go:240:AttemptThreeWayMerge() [E] [63a9c61a] Unable to run read-tree -m! Error: exit status 128 - fatal: this operation must be run in a work tree > - fatal: this operation must be run in a work tree We need to clone a non-bare repository for `git read-tree -m` to work. https://github.com/go-gitea/gitea/commit/bb371aee6ecf5e570cdf7b5f7f0d6f47a607a325 adds support to create a non-bare cloned temporary upload repository. After cloning a non-bare temporary upload repository, we [set default index](https://github.com/go-gitea/gitea/blob/main/services/repository/files/cherry_pick.go#L37) (`git read-tree HEAD`). This operation ends up resetting the git index file (see investigation details below), due to which, we need to call `git update-index --refresh` afterward. Here's the diff of the index file before and after we execute SetDefaultIndex: https://www.diffchecker.com/hyOP3eJy/ Notice the **ctime**, **mtime** are set to 0 after SetDefaultIndex. You can reproduce the same behavior using these steps: ```bash $ git clone https://try.gitea.io/me-heer/test.git -s -b main $ cd test $ git read-tree HEAD $ git read-tree -m 1f085d7ed8 1f085d7ed8 9933caed00 error: Entry '1' not uptodate. Cannot merge. ``` After which, we can fix like this: ``` $ git update-index --refresh $ git read-tree -m 1f085d7ed8 1f085d7ed8 9933caed00 ```
* Support for grouping RPMs using paths (#26984)Exploding Dragon2024-01-121-22/+25
| | | | | | | | | | | | The current rpm repository places all packages in the same repository, and different systems (el7,f34) may hit packages that do not belong to this distribution ( #25304 ) , which now supports grouping of rpm. ![图片](https://github.com/go-gitea/gitea/assets/33776693/d1e1d99f-7799-4b2b-a19b-cb2a5c692914) Fixes #25304 . Fixes #27056 . Refactor: [#25866](https://github.com/go-gitea/gitea/pull/25866)
* Fix alpine package files are not rebuilt (#28638)Nanguan Lin2023-12-311-0/+5
| | | | | I noticed the `BuildAllRepositoryFiles` function under the Alpine folder is unused and I thought it was a bug. But I'm not sure about this. Was it on purpose?
* Adjust object format interface (#28469)Lunny Xiao2023-12-171-1/+1
| | | | | | | - Remove `ObjectFormatID` - Remove function `ObjectFormatFromID`. - Use `Sha1ObjectFormat` directly but not a pointer because it's an empty struct. - Store `ObjectFormatName` in `repository` struct
* Abstract hash function usage (#28138)Adam Majer2023-12-131-1/+1
| | | | | | Refactor Hash interfaces and centralize hash function. This will allow easier introduction of different hash function later on. This forms the "no-op" part of the SHA256 enablement patch.
* Fix possible nil pointer access (#28428)KN4CK3R2023-12-124-28/+14
| | | | There could be a nil pointer exception if the file is not found because that specific error is suppressed but not handled.
* Fix RPM/Debian signature key creation (#28352)KN4CK3R2023-12-052-4/+3
| | | | | | | Fixes #28324 The name parameter can't contain some characters (https://github.com/keybase/go-crypto/blob/master/openpgp/keys.go#L680) but is optional. Therefore just use an empty string.
* Revert "packages: Calculate package size quota using package creator ID ↵Lunny Xiao2023-11-141-1/+3
| | | | | instead of owner ID (#28007)" (#28049) This reverts commit #28007 60522fc96f1fa4675e95010e4b1535e0eac21910.
* packages: Calculate package size quota using package creator ID instead of ↵Danila Fominykh2023-11-141-3/+1
| | | | | | | | | | | | | | | | | | | | owner ID (#28007) Changed behavior to calculate package quota limit using package `creator ID` instead of `owner ID`. Currently, users are allowed to create an unlimited number of organizations, each of which has its own package limit quota, resulting in the ability for users to have unlimited package space in different organization scopes. This fix will calculate package quota based on `package version creator ID` instead of `package version owner ID` (which might be organization), so that users are not allowed to take more space than configured package settings. Also, there is a side case in which users can publish packages to a specific package version, initially published by different user, taking that user package size quota. Version in fix should be better because the total amount of space is limited to the quota for users sharing the same organization scope.
* List all Debian package versions in `Packages` (#27786)KN4CK3R2023-10-291-7/+8
| | | | | | Closes #27783 This PR lists all and not only the latest package versions in the `Packages` index.
* Close all hashed buffers (#27787)KN4CK3R2023-10-253-0/+18
| | | | Add missing `.Close()` calls. The current code does not delete the temporary files if the data grows over 32mb.
* Do not force creation of _cargo-index repo on publish (#27266)merlleu2023-10-242-5/+11
| | | | | | | | | | | | | | | | | | | | | | Hello there, Cargo Index over HTTP is now prefered over git for package updates: we should not force users who do not need the GIT repo to have the repo created/updated on each publish (it can still be created in the packages settings). The current behavior when publishing is to check if the repo exist and create it on the fly if not, then update it's content. Cargo HTTP Index does not rely on the repo itself so this will be useless for everyone not using the git protocol for cargo registry. This PR only disable the creation on the fly of the repo when publishing a crate. This is linked to #26844 (error 500 when trying to publish a crate if user is missing write access to the repo) because it's now optional. --------- Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
* Another round of `db.DefaultContext` refactor (#27103)JakobDev2023-09-254-50/+55
| | | | | | | Part of #27065 --------- Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
* More refactoring of `db.DefaultContext` (#27083)JakobDev2023-09-153-19/+20
| | | Next step of #27065
* move repository deletion to service layer (#26948)Lunny Xiao2023-09-081-1/+1
| | | Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Move createrepository from module to service layer (#26927)Lunny Xiao2023-09-061-2/+2
| | | | Repository creation depends on many models, so moving it to service layer is better.
* Move notification interface to services layer (#26915)Lunny Xiao2023-09-051-4/+4
| | | Extract from #22266
* Reduce some allocations in type conversion (#26772)Chongyi Zheng2023-08-291-1/+1
|
* Add auth-required to config.json for Cargo http registry (#26729)merlleu2023-08-281-6/+9
| | | | | | | | | | | | | | | | | | | | | | | Cargo registry-auth feature requires config.json to have a property auth-required set to true in order to send token to all registry requests. This is ok for git index because you can manually edit the config.json file to add the auth-required, but when using sparse (setting index url to "sparse+https://git.example.com/api/packages/{owner}/cargo/"), the config.json is dynamically rendered, and does not reflect changes to the config.json file in the repo. I see two approaches: - Serve the real config.json file when fetching the config.json on the cargo service. - Automatically detect if the registry requires authorization. (This is what I implemented in this PR). What the PR does: - When a cargo index repository is created, on the config.json, set auth-required to wether or not the repository is private. - When the cargo/config.json endpoint is called, set auth-required to wether or not the request was authorized using an API token.
* Allow package cleanup from admin page (#25307)KN4CK3R2023-08-081-4/+22
| | | | | | | | | | | | | | | Until now expired package data gets deleted daily by a cronjob. The admin page shows the size of all packages and the size of unreferenced data. The users (#25035, #20631) expect the deletion of this data if they run the cronjob from the admin page but the job only deletes data older than 24h. This PR adds a new button which deletes all expired data. ![grafik](https://github.com/go-gitea/gitea/assets/1666336/b3e35d73-9496-4fa7-a20c-e5d30b1f6850) --------- Co-authored-by: silverwind <me@silverwind.io>
* Prevent newline errors with Debian packages (#26332)KN4CK3R2023-08-051-1/+1
| | | Fixes #26313
* Fix version in rpm repodata/primary.xml.gz (#26009)Peter Verraedt2023-07-211-3/+3
| | | | | | | | The version listed in rpm repodata should only contain the rpm version (1.0.0) and not the combination of version and release (1.0.0-2). We correct this behaviour in primary.xml.gz, filelists.xml.gz and others.xml.gz. Signed-off-by: Peter Verraedt <peter@verraedt.be>
* Bump github.com/golang-jwt/jwt to v5 (#25975)harryzcy2023-07-191-1/+1
| | | | | | | | | | | | | | | | Bumping `github.com/golang-jwt/jwt` from v4 to v5. `github.com/golang-jwt/jwt` v5 is bringing some breaking changes: - standard `Valid()` method on claims is removed. It's replaced by `ClaimsValidator` interface implementing `Validator()` method instead, which is called after standard validation. Gitea doesn't seem to be using this logic. - `jwt.Token` has a field `Valid`, so it's checked in `ParseToken` function in `services/auth/source/oauth2/token.go` --------- Co-authored-by: Giteabot <teabot@gitea.io>
* Replace `interface{}` with `any` (#25686)silverwind2023-07-042-2/+2
| | | | | Result of running `perl -p -i -e 's#interface\{\}#any#g' **/*` and `make fmt`. Basically the same [as golang did](https://github.com/golang/go/commit/2580d0e08d5e9f979b943758d3c49877fb2324cb).