Merge branch 'main' into fix-incorrect-recently-pushed-new-branches-check

2023-08-28 10:22:05 +09:00 · 2023-08-28 10:22:05 +09:00 · 60fd886265
parent 44c80aed15 c533991519
commit 60fd886265
268 changed files with 2865 additions and 2025 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -1,6 +1,6 @@
 {
  "name": "Gitea DevContainer",
-  "image": "mcr.microsoft.com/devcontainers/go:1.20-bullseye",
+  "image": "mcr.microsoft.com/devcontainers/go:1.21-bullseye",
  "features": {
    // installs nodejs into container
    "ghcr.io/devcontainers/features/node:1": {
--- a/.gitea/issue_template.md
+++ b/.gitea/issue_template.md
@ -5,7 +5,7 @@
    2. Please ask questions or configuration/deploy problems on our Discord
       server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
    3. Please take a moment to check that your issue doesn't already exist.
-    4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
+    4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
    5. Please give all relevant information below for bug reports, because
       incomplete details will be handled as an invalid report.
 -->
@ -26,7 +26,7 @@
  - [ ] No
 - Log gist:
 <!-- It really is important to provide pertinent logs -->
-<!-- Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems -->
+<!-- Please read https://docs.gitea.com/administration/logging-config#collecting-logs-for-help -->
 <!-- In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini -->

 ## Description
--- a/.github/ISSUE_TEMPLATE/bug-report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yaml
@ -14,11 +14,11 @@ body:
         server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
      3. Make sure you are using the latest release and
         take a moment to check that your issue hasn't been reported before.
-      4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
+      4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
      5. Please give all relevant information below for bug reports, because
         incomplete details will be handled as an invalid report.
      6. In particular it's really important to provide pertinent logs. You must give us DEBUG level logs.
-         Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems
+         Please read https://docs.gitea.com/administration/logging-config#collecting-logs-for-help
         In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini
 - type: textarea
  id: description
@ -50,7 +50,7 @@ body:
  attributes:
    value: |
      It's really important to provide pertinent logs
-      Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems
+      Please read https://docs.gitea.com/administration/logging-config#collecting-logs-for-help
      In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini
 - type: input
  id: logs
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -8,9 +8,9 @@ contact_links:
    about: Please ask questions and discuss configuration or deployment problems here.
  - name: Discourse Forum
    url: https://discourse.gitea.io
-    about: Questions and configuration or deployment problems can also be discussed on our forum.    
+    about: Questions and configuration or deployment problems can also be discussed on our forum.
  - name: Frequently Asked Questions
-    url: https://docs.gitea.io/en-us/faq
+    url: https://docs.gitea.com/help/faq
    about: Please check if your question isn't mentioned here.
  - name: Crowdin Translations
    url: https://crowdin.com/project/gitea
--- a/.github/ISSUE_TEMPLATE/ui.bug-report.yaml
+++ b/.github/ISSUE_TEMPLATE/ui.bug-report.yaml
@ -13,12 +13,12 @@ body:
      2. Please ask questions or configuration/deploy problems on our Discord
         server (https://discord.gg/gitea) or forum (https://discourse.gitea.io).
      3. Please take a moment to check that your issue doesn't already exist.
-      4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq)
+      4. Make sure it's not mentioned in the FAQ (https://docs.gitea.com/help/faq)
      5. Please give all relevant information below for bug reports, because
         incomplete details will be handled as an invalid report.
      6. In particular it's really important to provide pertinent logs. If you are certain that this is a javascript
         error, show us the javascript console. If the error appears to relate to Gitea the server you must also give us
-         DEBUG level logs. (See https://docs.gitea.io/en-us/logging-configuration/#debugging-problems)
+         DEBUG level logs. (See https://docs.gitea.com/administration/logging-config#collecting-logs-for-help)
 - type: textarea
  id: description
  attributes:
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -60,7 +60,7 @@
 ## Introduction

 This document explains how to contribute changes to the Gitea project. \
-It assumes you have followed the [installation instructions](https://docs.gitea.io/en-us/). \
+It assumes you have followed the [installation instructions](https://docs.gitea.com/category/installation). \
 Sensitive security-related issues should be reported to [security@gitea.io](mailto:security@gitea.io).

 For configuring IDEs for Gitea development, see the [contributed IDE configurations](contrib/ide/).
--- a/README.md
+++ b/README.md
@ -86,7 +86,7 @@ When building from the official source tarballs which include pre-built frontend

 Parallelism (`make -j <num>`) is not supported.

-More info: https://docs.gitea.io/en-us/install-from-source/
+More info: https://docs.gitea.com/installation/install-from-source

 ## Using

@ -110,13 +110,13 @@ Translations are done through Crowdin. If you want to translate to a new languag

 You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope to fill it as questions pop up.

-https://docs.gitea.io/en-us/contributing/translation-guidelines/
+https://docs.gitea.com/contributing/localization

 [![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)

 ## Further information

-For more information and instructions about how to install Gitea, please look at our [documentation](https://docs.gitea.io/en-us/).
+For more information and instructions about how to install Gitea, please look at our [documentation](https://docs.gitea.com/).
 If you have questions that are not covered by the documentation, you can get in contact with us on our [Discord server](https://discord.gg/Gitea) or create  a post in the [discourse forum](https://discourse.gitea.io/).

 We maintain a list of Gitea-related projects at [gitea/awesome-gitea](https://gitea.com/gitea/awesome-gitea).
@ -151,7 +151,6 @@ Support this project by becoming a sponsor. Your logo will show up here with a l
 <a href="https://opencollective.com/gitea/sponsor/7/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/7/avatar.svg"></a>
 <a href="https://opencollective.com/gitea/sponsor/8/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/8/avatar.svg"></a>
 <a href="https://opencollective.com/gitea/sponsor/9/website" target="_blank"><img src="https://opencollective.com/gitea/sponsor/9/avatar.svg"></a>
-<a href="https://cynkra.com/" target="_blank"><img src="https://images.opencollective.com/cynkra/logo/square/64/192.png"></a>

 ## FAQ

--- a/README_ZH.md
+++ b/README_ZH.md
@ -68,7 +68,7 @@ Gitea 的首要目标是创建一个极易安装，运行非常快速，安装

 ## 文档

-关于如何安装请访问我们的 [文档站](https://docs.gitea.io/zh-cn/)，如果没有找到对应的文档，你也可以通过 [Discord - 英文](https://discord.gg/gitea) 和 QQ群 328432459 来和我们交流。
+关于如何安装请访问我们的 [文档站](https://docs.gitea.com/zh-cn/category/installation)，如果没有找到对应的文档，你也可以通过 [Discord - 英文](https://discord.gg/gitea) 和 QQ群 328432459 来和我们交流。

 ## 贡献流程

--- a/cmd/cert.go
+++ b/cmd/cert.go
@ -43,7 +43,7 @@ Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
 		},
 		&cli.IntFlag{
 			Name:  "rsa-bits",
-			Value: 2048,
+			Value: 3072,
 			Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
 		},
 		&cli.StringFlag{
--- a/contrib/gitea-monitoring-mixin/config.libsonnet
+++ b/contrib/gitea-monitoring-mixin/config.libsonnet
@ -7,7 +7,7 @@
    dashboardTimezone: 'default',
    dashboardRefresh: '1m',

-    // please see https://docs.gitea.io/en-us/config-cheat-sheet/#metrics-metrics
+    // please see https://docs.gitea.com/administration/config-cheat-sheet#metrics-metrics
    // Show issue by repository metrics with format gitea_issues_by_repository{repository="org/repo"} 5.
    // Requires Gitea 1.16.0 with ENABLED_ISSUE_BY_REPOSITORY set to true.
    showIssuesByRepository: true,
--- a/contrib/legal/privacy.html.sample
+++ b/contrib/legal/privacy.html.sample
@ -37,7 +37,7 @@

   <h3>With your Consent</h3>

-   <p>We share your User Personal Information, if you consent, after letting you know what information will be shared, with whom, and why. For example, if you allow third party applications to access your Account using <a href="https://docs.gitea.io/en-us/oauth2-provider/">OAuth2 providers</a>, we share all information associated with your Account, including private repos and organizations. You may also direct us through your action on Your Gitea Instance to share your User Personal Information, such as when joining an Organization.</p>
+   <p>We share your User Personal Information, if you consent, after letting you know what information will be shared, with whom, and why. For example, if you allow third party applications to access your Account using <a href="https://docs.gitea.com/development/oauth2-provider">OAuth2 providers</a>, we share all information associated with your Account, including private repos and organizations. You may also direct us through your action on Your Gitea Instance to share your User Personal Information, such as when joining an Organization.</p>

   <h3>With Service Providers</h3>

@ -144,7 +144,7 @@

   <h3>Data Portability</h3>

-   <p>As a Your Gitea Instance User, you can always take your data with you. You can clone your repositories to your computer, or you can <a href="https://docs.gitea.io/en-us/migrations-interfaces/">perform migrations using the provided interfaces</a>, for example.</p>
+   <p>As a Your Gitea Instance User, you can always take your data with you. You can clone your repositories to your computer, or you can <a href="https://docs.gitea.com/development/migrations-interfaces">perform migrations using the provided interfaces</a>, for example.</p>

   <h3>Data Retention and Deletion of Data</h3>

@ -183,7 +183,7 @@

  <h2>Changes to this Privacy Policy</h2>

-  <p>Although most changes are likely to be minor, Your Gitea Instance may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your account.</p> 
+  <p>Although most changes are likely to be minor, Your Gitea Instance may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your account.</p>

  <h2>Contact</h2>

--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -4,7 +4,7 @@
 ;; Do not copy the whole file as-is, as it contains some invalid sections for illustrative purposes.
 ;; If you don't know what a setting is you should not set it.
 ;;
-;; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.
+;; see https://docs.gitea.com/administration/config-cheat-sheet for additional documentation.


 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@ -454,7 +454,7 @@ INTERNAL_TOKEN=
 ;REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
 ;;
 ;; The minimum password length for new Users
-;MIN_PASSWORD_LENGTH = 6
+;MIN_PASSWORD_LENGTH = 8
 ;;
 ;; Set to true to allow users to import local server paths
 ;IMPORT_LOCAL_PATHS = false
@ -1339,7 +1339,7 @@ LEVEL = Info
 ;; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 ;ED25519 = 256
 ;ECDSA = 256
-;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length
+;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length
 ;DSA = -1 ; set to 1024 to switch on

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--- a/docker/README.md
+++ b/docker/README.md
@ -4,4 +4,4 @@ Dockerfile is found in root of repository.

 Docker image can be found on [docker hub](https://hub.docker.com/r/gitea/gitea)

-Documentation on using docker image can be found on [Gitea Docs site](https://docs.gitea.io/en-us/install-with-docker/)
+Documentation on using docker image can be found on [Gitea Docs site](https://docs.gitea.com/installation/install-with-docker-rootless)
--- a/docker/root/etc/s6/openssh/setup
+++ b/docker/root/etc/s6/openssh/setup
@ -11,7 +11,7 @@ fi

 if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
    echo "Generating /data/ssh/ssh_host_rsa_key..."
-    ssh-keygen -t rsa -b 2048 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
+    ssh-keygen -t rsa -b 3072 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
 fi

 if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
--- a/docs/content/administration/command-line.en-us.md
+++ b/docs/content/administration/command-line.en-us.md
@ -313,7 +313,7 @@ directory and will overwrite any existing files.
  - `--ecdsa-curve value`: ECDSA curve to use to generate a key. Optional. Valid options
    are P224, P256, P384, P521.
  - `--rsa-bits value`: Size of RSA key to generate. Optional. Ignored if --ecdsa-curve is
-    set. (default: 2048).
+    set. (default: 3072).
  - `--start-date value`: Creation date. Optional. (format: `Jan 1 15:04:05 2011`).
  - `--duration value`: Duration which the certificate is valid for. Optional. (default: 8760h0m0s)
  - `--ca`: If provided, this cert generates it's own certificate authority. Optional.
--- a/docs/content/administration/command-line.zh-cn.md
+++ b/docs/content/administration/command-line.zh-cn.md
@ -295,7 +295,7 @@ menu:
 - 选项：
  - `--host value`：逗号分隔的主机名和IP地址列表，此证书适用于这些主机。支持使用通配符。必填。
  - `--ecdsa-curve value`：用于生成密钥的ECDSA曲线。可选。有效选项为P224、P256、P384、P521。
-  - `--rsa-bits value`：要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve，则忽略此选项。（默认值：2048）。
+  - `--rsa-bits value`：要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve，则忽略此选项。（默认值：3072）。
  - `--start-date value`：证书的创建日期。可选。（格式：`Jan 1 15:04:05 2011`）。
  - `--duration value`：证书有效期。可选。（默认值：8760h0m0s）
  - `--ca`：如果提供此选项，则证书将生成自己的证书颁发机构。可选。
--- a/docs/content/administration/config-cheat-sheet.en-us.md
+++ b/docs/content/administration/config-cheat-sheet.en-us.md
@ -559,7 +559,7 @@ And the following unique queues:
    - `scrypt`:    `scrypt$65536$16$2$50`
  - Adjusting the algorithm parameters using this functionality is done at your own risk.
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
- `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
+- `MIN_PASSWORD_LENGTH`: **8**: Minimum password length for new users.
 - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
  - lower - use one or more lower latin characters
  - upper - use one or more upper latin characters
@ -681,7 +681,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type

 - `ED25519`: **256**
 - `ECDSA`: **256**
- `RSA`: **2047**: We set 2047 here because an otherwise valid 2048 RSA key can be reported as 2047 length.
+- `RSA`: **3071**: We set 3071 here because an otherwise valid 3072 RSA key can be reported as 3071 length.
 - `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider

 ## Webhook (`webhook`)
--- a/docs/content/administration/config-cheat-sheet.zh-cn.md
+++ b/docs/content/administration/config-cheat-sheet.zh-cn.md
@ -648,7 +648,7 @@ Gitea 创建以下非唯一队列：

 - `ED25519`：**256**
 - `ECDSA`：**256**
- `RSA`：**2047**：我们在这里设置为2047，因为一个其他方面有效的2048 RSA密钥可能被报告为2047长度。
+- `RSA`：**3071**：我们在这里设置为2047，因为一个其他方面有效的3072 RSA密钥可能被报告为3071长度。
 - `DSA`：**-1**：默认情况下禁用DSA。设置为**1024**以重新启用，但请注意可能需要重新配置您的SSHD提供者

 ## Webhook (`webhook`)
--- a/docs/content/administration/customizing-gitea.en-us.md
+++ b/docs/content/administration/customizing-gitea.en-us.md
@ -36,7 +36,7 @@ Application settings can be found in file `CustomConf` which is by default,
 Again `gitea help` will allow you review this variable and you can override it using the
 `--config` option on the `gitea` binary.

- [Quick Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
+- [Quick Cheat Sheet](administration/config-cheat-sheet.md)
 - [Complete List](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)

 If the `CustomPath` folder can't be found despite checking `gitea help`, check the `GITEA_CUSTOM`
@ -44,7 +44,7 @@ environment variable; this can be used to override the default path to something
 `GITEA_CUSTOM` might, for example, be set by an init script. You can check whether the value
 is set under the "Configuration" tab on the site administration page.

- [List of Environment Variables](https://docs.gitea.io/en-us/environment-variables/)
+- [List of Environment Variables](administration/environment-variables.md)

 **Note:** Gitea must perform a full restart to see configuration changes.

@ -84,7 +84,7 @@ for C++ repositories, we want to replace `options/gitignore/C++`. To do this, a
 must be placed in `$GITEA_CUSTOM/options/gitignore/C++` (see about the location of the `CustomPath`
 directory at the top of this document).

-Every single page of Gitea can be changed. Dynamic content is generated using [go templates](https://golang.org/pkg/html/template/),
+Every single page of Gitea can be changed. Dynamic content is generated using [go templates](https://pkg.go.dev/html/template),
 which can be modified by placing replacements below the `$GITEA_CUSTOM/templates` directory.

 To obtain any embedded file (including templates), the [`gitea embedded` tool](administration/cmd-embedded.md) can be used. Alternatively, they can be found in the [`templates`](https://github.com/go-gitea/gitea/tree/main/templates) directory of Gitea source (Note: the example link is from the `main` branch. Make sure to use templates compatible with the release you are using).
@ -108,7 +108,7 @@ just place it under your "$GITEA_CUSTOM/public/assets/" directory (for instance
 To match the current style, the link should have the class name "item", and you can use `{{AppSubUrl}}` to get the base URL:
 `<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`

-For more information, see [Adding Legal Pages](https://docs.gitea.io/en-us/adding-legal-pages).
+For more information, see [Adding Legal Pages](administration/adding-legal-pages.md).

 You can add new tabs in the same way, putting them in `extra_tabs.tmpl`.
 The exact HTML needed to match the style of other tabs is in the file
@ -371,10 +371,10 @@ A full list of supported emoji's is at [emoji list](https://gitea.com/gitea/gite
 ## Customizing the look of Gitea

 The default built-in themes are `gitea` (light), `arc-green` (dark), and `auto` (chooses light or dark depending on operating system settings).
-The default theme can be changed via `DEFAULT_THEME` in the [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) section of `app.ini`.
+The default theme can be changed via `DEFAULT_THEME` in the [ui](administration/config-cheat-sheet.md#ui-ui) section of `app.ini`.

 Gitea also has support for user themes, which means every user can select which theme should be used.
-The list of themes a user can choose from can be configured with the `THEMES` value in the [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) section of `app.ini`.
+The list of themes a user can choose from can be configured with the `THEMES` value in the [ui](administration/config-cheat-sheet.md#ui-ui) section of `app.ini`.

 To make a custom theme available to all users:

--- a/docs/content/administration/customizing-gitea.zh-cn.md
+++ b/docs/content/administration/customizing-gitea.zh-cn.md
@ -23,13 +23,13 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板
 将会自动创建包括 `custom/` 在内的必要应用目录，应用本身的配置存放在
 `custom/conf/app.ini` 当中。在发行版中可能会以 `/etc/gitea/` 的形式为 `custom` 设置一个符号链接，查看配置详情请移步：

- [快速备忘单](https://docs.gitea.io/en-us/config-cheat-sheet/)
+- [快速备忘单](administration/config-cheat-sheet.md)
 - [完整配置清单](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)

 如果您在 binary 同目录下无法找到 `custom` 文件夹，请检查您的 `GITEA_CUSTOM`
 环境变量配置， 因为它可能被配置到了其他地方（可能被一些启动脚本设置指定了目录）。

- [环境变量清单](https://docs.gitea.io/en-us/specific-variables/)
+- [环境变量清单](administration/environment-variables.md)

 **注：** 必须完全重启 Gitea 以使配置生效。

@ -87,4 +87,4 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板
 ## 更改 Gitea 外观

 Gitea 目前由两种内置主题，分别为默认 `gitea` 主题和深色主题 `arc-green`，您可以通过修改
-`app.ini` [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) 部分的 `DEFAULT_THEME` 的值来变更至一个可用的 Gitea 外观。
+`app.ini` [ui](administration/config-cheat-sheet.md#ui-ui) 部分的 `DEFAULT_THEME` 的值来变更至一个可用的 Gitea 外观。
--- a/docs/content/administration/fail2ban-setup.en-us.md
+++ b/docs/content/administration/fail2ban-setup.en-us.md
@ -119,7 +119,7 @@ proxy_set_header X-Real-IP $remote_addr;

 The security options in `app.ini` need to be adjusted to allow the interpretation of the headers
 as well as the list of IP addresses and networks that describe trusted proxy servers
-(See the [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security) for more information).
+(See the [configuration cheat sheet](administration/config-cheat-sheet.md#security-security) for more information).

 ```
 REVERSE_PROXY_LIMIT = 1
--- a/docs/content/administration/fail2ban-setup.zh-cn.md
+++ b/docs/content/administration/fail2ban-setup.zh-cn.md
@ -91,4 +91,4 @@ REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
 `REVERSE_PROXY_LIMIT` 限制反向代理服务器的层数，设置为 `0` 表示不使用这些标头。
 `REVERSE_PROXY_TRUSTED_PROXIES` 表示受信任的反向代理服务器网络地址，
 经过该网络地址转发来的流量会经过解析 `X-Real-IP` 头部得到真实客户端地址。
-（参考 [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security)）
+（参考 [configuration cheat sheet](administration/config-cheat-sheet.md#security-security)）
--- a/docs/content/administration/mail-templates.en-us.md
+++ b/docs/content/administration/mail-templates.en-us.md
@ -18,7 +18,7 @@ menu:
 # Mail templates

 To craft the e-mail subject and contents for certain operations, Gitea can be customized by using templates. The templates
-for these functions are located under the [`custom` directory](https://docs.gitea.io/en-us/customizing-gitea/).
+for these functions are located under the [`custom` directory](administration/customizing-gitea.md).
 Gitea has an internal template that serves as default in case there's no custom alternative.

 Custom templates are loaded when Gitea starts. Changes made to them are not recognized until Gitea is restarted again.
@ -165,7 +165,7 @@ If the template fails to render, it will be noticed only at the moment the mail
 A default subject is used if the subject template fails, and whatever was rendered successfully
 from the the _mail body_ is used, disregarding the rest.

-Please check [Gitea's logs](https://docs.gitea.io/en-us/logging-configuration/) for error messages in case of trouble.
+Please check [Gitea's logs](administration/logging-config.md) for error messages in case of trouble.

 ## Example

--- a/docs/content/administration/mail-templates.zh-cn.md
+++ b/docs/content/administration/mail-templates.zh-cn.md
@ -17,7 +17,7 @@ menu:

 # 邮件模板

-为了定制特定操作的电子邮件主题和内容，可以使用模板来自定义 Gitea。这些功能的模板位于 [`custom` 目录](https://docs.gitea.io/en-us/customizing-gitea/) 下。
+为了定制特定操作的电子邮件主题和内容，可以使用模板来自定义 Gitea。这些功能的模板位于 [`custom` 目录](administration/customizing-gitea.md) 下。
 如果没有自定义的替代方案，Gitea 将使用内部模板作为默认模板。

 自定义模板在 Gitea 启动时加载。对它们的更改在 Gitea 重新启动之前不会被识别。
@ -148,7 +148,7 @@ _主题_ 和 _邮件正文_ 由 [Golang的模板引擎](https://golang.org/pkg/t
 如果模板无法呈现，则只有在发送邮件时才会注意到。
 如果主题模板失败，将使用默认主题，如果从 _邮件正文_ 中成功呈现了任何内容，则将使用该内容，忽略其他内容。

-如果遇到问题，请检查 [Gitea的日志](https://docs.gitea.io/en-us/logging-configuration/) 以获取错误消息。
+如果遇到问题，请检查 [Gitea的日志](administration/logging-config.md) 以获取错误消息。

 ## 示例

--- a/docs/content/administration/repo-indexer.en-us.md
+++ b/docs/content/administration/repo-indexer.en-us.md
@ -19,7 +19,7 @@ menu:

 ## Setting up the repository indexer

-Gitea can search through the files of the repositories by enabling this function in your [`app.ini`](https://docs.gitea.io/en-us/config-cheat-sheet/):
+Gitea can search through the files of the repositories by enabling this function in your [`app.ini`](administration/config-cheat-sheet.md):

 ```ini
 [indexer]
--- a/docs/content/administration/repo-indexer.zh-cn.md
+++ b/docs/content/administration/repo-indexer.zh-cn.md
@ -19,7 +19,7 @@ menu:

 ## 设置仓库索引器

-通过在您的 [`app.ini`](https://docs.gitea.io/en-us/config-cheat-sheet/) 中启用此功能，Gitea 可以通过仓库的文件进行搜索：
+通过在您的 [`app.ini`](administration/config-cheat-sheet.md) 中启用此功能，Gitea 可以通过仓库的文件进行搜索：

 ```ini
 [indexer]
--- a/docs/content/development/api-usage.en-us.md
+++ b/docs/content/development/api-usage.en-us.md
@ -21,7 +21,7 @@ menu:

 By default, `ENABLE_SWAGGER` is true, and
 `MAX_RESPONSE_ITEMS` is set to 50. See [Config Cheat
-Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) for more
+Sheet](administration/config-cheat-sheet.md) for more
 information.

 ## Authentication
@ -76,7 +76,7 @@ interface: `Settings | Applications | Generate New Token`.

 ## OAuth2 Provider

-Access tokens obtained from Gitea's [OAuth2 provider](https://docs.gitea.io/en-us/oauth2-provider) are accepted by these methods:
+Access tokens obtained from Gitea's [OAuth2 provider](development/oauth2-provider.md) are accepted by these methods:

 - `Authorization bearer ...` header in HTTP headers
 - `token=...` parameter in URL query string
--- a/docs/content/development/api-usage.zh-cn.md
+++ b/docs/content/development/api-usage.zh-cn.md
@ -20,7 +20,7 @@ menu:
 ## 开启/配置 API 访问

 通常情况下， `ENABLE_SWAGGER` 默认开启并且参数 `MAX_RESPONSE_ITEMS` 默认为 50。您可以从 [Config Cheat
-Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) 中获取更多配置相关信息。
+Sheet](administration/config-cheat-sheet.md) 中获取更多配置相关信息。

 ## 通过 API 认证

--- a/docs/content/development/oauth2-provider.en-us.md
+++ b/docs/content/development/oauth2-provider.en-us.md
@ -148,7 +148,7 @@ For public clients, a redirect URI of a loopback IP address such as `http://127.

   The `REDIRECT_URI` in the `access_token` request must match the `REDIRECT_URI` in the `authorize` request.

-3. Use the `access_token` to make [API requests](https://docs.gitea.io/en-us/api-usage#oauth2) to access the user's resources.
+3. Use the `access_token` to make [API requests](development/api-usage.md#oauth2-provider) to access the user's resources.

 ### Public client (PKCE)

@ -210,4 +210,4 @@ After you have generated this values, you can continue with your request.

   The `REDIRECT_URI` in the `access_token` request must match the `REDIRECT_URI` in the `authorize` request.

-3. Use the `access_token` to make [API requests](https://docs.gitea.io/en-us/api-usage#oauth2) to access the user's resources.
+3. Use the `access_token` to make [API requests](development/api-usage.md#oauth2-provider) to access the user's resources.
--- a/docs/content/development/oauth2-provider.zh-cn.md
+++ b/docs/content/development/oauth2-provider.zh-cn.md
@ -134,4 +134,4 @@ Gitea 支持私密和公共客户端类型，[参见 RFC 6749](https://datatrack

   `access_token` 请求中的 `REDIRECT_URI` 必须与 `authorize` 请求中的 `REDIRECT_URI` 相符。

-3. 使用 `access_token` 来构造 [API 请求](https://docs.gitea.io/en-us/api-usage#oauth2) 以读写用户的资源。
+3. 使用 `access_token` 来构造 [API 请求](development/api-usage.md#oauth2-provider) 以读写用户的资源。
--- a/docs/content/development/oauth2-provider.zh-tw.md
+++ b/docs/content/development/oauth2-provider.zh-tw.md
@ -93,4 +93,4 @@ Gitea 支援作為 OAuth2 提供者，能讓第三方程式能在使用者同意

   `access_token` 請求中的 `REDIRECT_URI` 必須符合 `authorize` 請求中的 `REDIRECT_URI`。

-1. 發送 [API requests](https://docs.gitea.io/en-us/api-usage#oauth2) 時使用 `access_token` 以存取使用者的資源。
+1. 發送 [API requests](development/api-usage.md#oauth2-provider) 時使用 `access_token` 以存取使用者的資源。
--- a/docs/content/help/support.zh-tw.md
+++ b/docs/content/help/support.zh-tw.md
@ -28,7 +28,7 @@ menu:
 3. 您看到的任何錯誤訊息
 4. 儘可能地在 [try.gitea.io](https://try.gitea.io) 觸發您的問題並記下步驟，以便其他人能重現那個問題。
    - 這將讓我們更有機會快速地找出問題的根源並解決它。
-5. 堆棧跟踪，[請參考英文文檔](https://docs.gitea.io/en-us/seek-help/)
+5. 堆棧跟踪，[請參考英文文檔](https://docs.gitea.com/help/support)

 ## 錯誤回報

--- a/docs/content/installation/with-docker-rootless.en-us.md
+++ b/docs/content/installation/with-docker-rootless.en-us.md
@ -254,7 +254,7 @@ documented above, please note that `db` must be used as the database hostname.

 # Customization

-Customization files described [here](https://docs.gitea.io/en-us/customizing-gitea/) should
+Customization files described [here](administration/customizing-gitea.md) should
 be placed in `/var/lib/gitea/custom` directory. If using host volumes, it's quite easy to access these
 files; for named volumes, this is done through another container or by direct access at
 `/var/lib/docker/volumes/gitea_gitea/_/var_lib_gitea`. The configuration file will be saved at
@ -313,7 +313,7 @@ services:
      - GITEA__mailer__PASSWD="""${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}"""
 ```

-To set required TOKEN and SECRET values, consider using Gitea's built-in [generate utility functions](https://docs.gitea.io/en-us/command-line/#generate).
+To set required TOKEN and SECRET values, consider using Gitea's built-in [generate utility functions](administration/command-line.md#generate).

 # SSH Container Passthrough

@ -342,7 +342,7 @@ Once the wrapper is in place, you can make it the shell for the `git` user:
 sudo usermod -s /usr/local/bin/gitea-shell git
 ```

-Now that all the SSH commands are forwarded to the container, you need to set up the SSH authentication on the host. This is done by leveraging the [SSH AuthorizedKeysCommand](https://docs.gitea.io/en-us/command-line/#keys) to match the keys against those accepted by Gitea. Add the following block to `/etc/ssh/sshd_config`, on the host:
+Now that all the SSH commands are forwarded to the container, you need to set up the SSH authentication on the host. This is done by leveraging the [SSH AuthorizedKeysCommand](administration/command-line.md#keys) to match the keys against those accepted by Gitea. Add the following block to `/etc/ssh/sshd_config`, on the host:

 ```bash
 Match User git
--- a/docs/content/installation/with-docker-rootless.zh-cn.md
+++ b/docs/content/installation/with-docker-rootless.zh-cn.md
@ -281,7 +281,7 @@ services:
      - GITEA__mailer__PASSWD="""${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}"""
 ```

-要设置所需的 TOKEN 和 SECRET 值，可以使用 Gitea 的内置[生成使用函数](https://docs.gitea.io/en-us/command-line/#generate).
+要设置所需的 TOKEN 和 SECRET 值，可以使用 Gitea 的内置[生成使用函数](administration/command-line.md#generate).

 # SSH 容器透传

@ -310,7 +310,7 @@ sudo chmod +x /usr/local/bin/gitea-shell
 sudo usermod -s /usr/local/bin/gitea-shell git
 ```

-现在，所有的 SSH 命令都会被转发到容器，您需要在主机上设置 SSH 认证。这可以通过利用 [SSH AuthorizedKeysCommand](https://docs.gitea.io/en-us/command-line/#keys) 来匹配 Gitea 接受的密钥。在主机的 `/etc/ssh/sshd_config` 文件中添加以下代码块：
+现在，所有的 SSH 命令都会被转发到容器，您需要在主机上设置 SSH 认证。这可以通过利用 [SSH AuthorizedKeysCommand](administration/command-line.md#keys) 来匹配 Gitea 接受的密钥。在主机的 `/etc/ssh/sshd_config` 文件中添加以下代码块：

 ```bash
 Match User git
--- a/docs/content/installation/with-docker.en-us.md
+++ b/docs/content/installation/with-docker.en-us.md
@ -261,7 +261,7 @@ documented above, please note that `db` must be used as the database hostname.

 ## Customization

-Customization files described [here](https://docs.gitea.io/en-us/customizing-gitea/) should
+Customization files described [here](administration/customizing-gitea.md) should
 be placed in `/data/gitea` directory. If using host volumes, it's quite easy to access these
 files; for named volumes, this is done through another container or by direct access at
 `/var/lib/docker/volumes/gitea_gitea/_data`. The configuration file will be saved at
@ -309,7 +309,7 @@ services:
      - GITEA__mailer__PASSWD="""${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}"""
 ```

-Gitea will generate new secrets/tokens for every new installation automatically and write them into the app.ini. If you want to set the secrets/tokens manually, you can use the following docker commands to use of Gitea's built-in [generate utility functions](https://docs.gitea.io/en-us/command-line/#generate). Do not lose/change your SECRET_KEY after the installation, otherwise the encrypted data can not be decrypted anymore.
+Gitea will generate new secrets/tokens for every new installation automatically and write them into the app.ini. If you want to set the secrets/tokens manually, you can use the following docker commands to use of Gitea's built-in [generate utility functions](administration/command-line.md#generate). Do not lose/change your SECRET_KEY after the installation, otherwise the encrypted data can not be decrypted anymore.

 The following commands will output a new `SECRET_KEY` and `INTERNAL_TOKEN` to `stdout`, which you can then place in your environment variables.

@ -553,7 +553,7 @@ In this option, the idea is that the host SSH uses an `AuthorizedKeysCommand` in

 Now all attempts to login as the `git` user on the host will be forwarded to the docker - including the `SSH_ORIGINAL_COMMAND`. We now need to set-up SSH authentication on the host.

-We will do this by leveraging the [SSH AuthorizedKeysCommand](https://docs.gitea.io/en-us/command-line/#keys) to match the keys against those accepted by Gitea.
+We will do this by leveraging the [SSH AuthorizedKeysCommand](administration/command-line.md#keys) to match the keys against those accepted by Gitea.

 Add the following block to `/etc/ssh/sshd_config`, on the host:

--- a/docs/content/installation/with-docker.fr-fr.md
+++ b/docs/content/installation/with-docker.fr-fr.md
@ -103,7 +103,7 @@ Vous devriez maintenant avoir deux conteneurs Docker pour Gitea et PostgreSQL pl

 # Personnalisation

-Les fichier personnalisés ([voir les instructions](https://docs.gitea.io/en-us/customizing-gitea/)) peuvent être placés dans le répertoire `/data/gitea`.
+Les fichier personnalisés ([voir les instructions](administration/customizing-gitea.md)) peuvent être placés dans le répertoire `/data/gitea`.

 Le fichier de configuration sera sauvegardé à l'emplacement suivant : `/data/gitea/conf/app.ini`

--- a/docs/content/installation/with-docker.zh-cn.md
+++ b/docs/content/installation/with-docker.zh-cn.md
@ -260,7 +260,7 @@ MySQL 或 PostgreSQL 容器将需要分别创建。

 ## 自定义

-[此处](https://docs.gitea.io/zh-cn/customizing-gitea/)描述的定制文件应放在 `/data/gitea` 目录中。如果使用主机卷，则访问这些文件非常容易；对于命名卷，可以通过另一个容器或通过直接访问 `/var/lib/docker/volumes/gitea_gitea/_data` 来完成。安装后，配置文件将保存在 `/data/gitea/conf/app.ini` 中。
+[此处](administration/customizing-gitea.md)描述的定制文件应放在 `/data/gitea` 目录中。如果使用主机卷，则访问这些文件非常容易；对于命名卷，可以通过另一个容器或通过直接访问 `/var/lib/docker/volumes/gitea_gitea/_data` 来完成。安装后，配置文件将保存在 `/data/gitea/conf/app.ini` 中。

 ## 升级

@ -293,7 +293,7 @@ services:
      - GITEA__mailer__PASSWD="""${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}"""
 ```

-Gitea 将为每次新安装自动生成新的 `SECRET_KEY` 并将它们写入 `app.ini`。 如果您想手动设置 `SECRET_KEY`，您可以使用以下 docker 命令来使用 Gitea 内置的[方法](https://docs.gitea.io/en-us/command-line/#generate)生成 `SECRET_KEY`。 安装后请妥善保管您的 `SECRET_KEY`，如若丢失则无法解密已加密的数据。
+Gitea 将为每次新安装自动生成新的 `SECRET_KEY` 并将它们写入 `app.ini`。 如果您想手动设置 `SECRET_KEY`，您可以使用以下 docker 命令来使用 Gitea 内置的[方法](administration/command-line.md#generate)生成 `SECRET_KEY`。 安装后请妥善保管您的 `SECRET_KEY`，如若丢失则无法解密已加密的数据。

 以下命令将向 `stdout` 输出一个新的 `SECRET_KEY` 和 `INTERNAL_TOKEN`，然后您可以将其放入环境变量中。

--- a/docs/content/usage/actions/act-runner.en-us.md
+++ b/docs/content/usage/actions/act-runner.en-us.md
@ -81,7 +81,7 @@ docker run --entrypoint="" --rm -it gitea/act_runner:latest act_runner generate-
 When you are using the docker image, you can specify the configuration file by using the `CONFIG_FILE` environment variable. Make sure that the file is mounted into the container as a volume:

 ```bash
-docker run -v $(pwd)/config.yaml:/config.yaml -e CONFIG_FILE=/config.yaml ...
+docker run -v $PWD/config.yaml:/config.yaml -e CONFIG_FILE=/config.yaml ...
 ```

 You may notice the commands above are both incomplete, because it is not the time to run the act runner yet.
@ -157,8 +157,8 @@ If you are using the docker image, behaviour will be slightly different. Registr

 ```bash
 docker run \
-    -v $(pwd)/config.yaml:/config.yaml \
-    -v $(pwd)/data:/data \
+    -v $PWD/config.yaml:/config.yaml \
+    -v $PWD/data:/data \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -e CONFIG_FILE=/config.yaml \
    -e GITEA_INSTANCE_URL=<instance_url> \
--- a/docs/content/usage/actions/design.en-us.md
+++ b/docs/content/usage/actions/design.en-us.md
@ -112,7 +112,7 @@ You can configure your Gitea instance to fetch actions or images from your intra

 In fact, your Gitea instance can serve as both the actions marketplace and the image registry.
 You can mirror actions repositories from GitHub to your Gitea instance, and use them as normal.
-And [Gitea Container Registry](https://docs.gitea.io/en-us/usage/packages/container/) can be used as a Docker image registry.
+And [Gitea Container Registry](usage/packages/container.md) can be used as a Docker image registry.

 ### Connection 4, job containers to internet

--- a/docs/content/usage/actions/design.zh-cn.md
+++ b/docs/content/usage/actions/design.zh-cn.md
@ -113,7 +113,7 @@ act runner 必须能够连接到Gitea以接收任务并发送执行结果回来

 实际上，您的Gitea实例可以同时充当 Actions 市场和镜像注册表。
 您可以将GitHub上的Actions仓库镜像到您的Gitea实例，并将其用作普通Actions。
-而 [Gitea 容器注册表](https://docs.gitea.io/en-us/usage/packages/container/) 可用作Docker镜像注册表。
+而 [Gitea 容器注册表](usage/packages/container.md) 可用作Docker镜像注册表。

 ### 连接 4，Job容器到互联网

--- a/docs/content/usage/actions/faq.en-us.md
+++ b/docs/content/usage/actions/faq.en-us.md
@ -61,7 +61,7 @@ For example:
 Be careful, the `https://` or `http://` prefix is necessary!

 Alternatively, if you want your runners to download actions from GitHub or your own Gitea instance by default, you can configure it by setting `[actions].DEFAULT_ACTIONS_URL`.
-See [Configuration Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#actions-actions).
+See [Configuration Cheat Sheet](administration/config-cheat-sheet.md#actions-actions).

 This is one of the differences from GitHub Actions, but it should allow users much more flexibility in how they run Actions.

@ -69,7 +69,7 @@ This is one of the differences from GitHub Actions, but it should allow users mu

 Runners have no more permissions than simply connecting to your Gitea instance.
 When any runner receives a job to run, it will temporarily gain limited permission to the repository associated with the job.
-If you want to give more permissions to the runner, allowing it to access more private repositories or external systems, you can pass [secrets](https://docs.gitea.io/en-us/usage/secrets/) to it.
+If you want to give more permissions to the runner, allowing it to access more private repositories or external systems, you can pass [secrets](usage/secrets.md) to it.

 Refined permission control to Actions is a complicated job.
 In the future, we will add more options to Gitea to make it more configurable, such as allowing more write access to repositories or read access to all repositories in the same organization.
--- a/docs/content/usage/actions/faq.zh-cn.md
+++ b/docs/content/usage/actions/faq.zh-cn.md
@ -61,7 +61,7 @@ DEFAULT_REPO_UNITS = ...,repo.actions
 注意，`https://`或`http://`前缀是必需的！

 另外，如果您希望您的Runner默认从GitHub或您自己的Gitea实例下载Actions，可以通过设置 `[actions].DEFAULT_ACTIONS_URL`进行配置。
-参见[配置速查表](https://docs.gitea.io/en-us/config-cheat-sheet/#actions-actions)。
+参见[配置速查表](administration/config-cheat-sheet.md#actions-actions)。

 这是与GitHub Actions的一个区别，但它应该允许用户以更灵活的方式运行Actions。

@ -69,7 +69,7 @@ DEFAULT_REPO_UNITS = ...,repo.actions

 Runner仅具有连接到您的Gitea实例的权限。
 当任何Runner接收到要运行的Job时，它将临时获得与Job关联的仓库的有限权限。
-如果您想为Runner提供更多权限，允许它访问更多私有仓库或外部系统，您可以向其传递[密钥](https://docs.gitea.io/en-us/usage/secrets/)。
+如果您想为Runner提供更多权限，允许它访问更多私有仓库或外部系统，您可以向其传递[密钥](usage/secrets.md)。

 对于 Actions 的细粒度权限控制是一项复杂的工作。
 在未来，我们将添加更多选项以使Gitea更可配置，例如允许对仓库进行更多写访问或对同一组织中的所有仓库进行读访问。
--- a/docs/content/usage/authentication.en-us.md
+++ b/docs/content/usage/authentication.en-us.md
@ -197,7 +197,7 @@ administrative user.
    field is set to `mail.com`, then Gitea will expect the `user email` field
    for an authenticated GIT instance to be `gituser@mail.com`.[^2]

-**Note**: PAM support is added via [build-time flags](https://docs.gitea.io/en-us/install-from-source/#build),
+**Note**: PAM support is added via [build-time flags](installation/install-from-source.md#build),
 and the official binaries provided do not have this enabled.  PAM requires that
 the necessary libpam dynamic library be available and the necessary PAM
 development headers be accessible to the compiler.
--- a/docs/content/usage/authentication.zh-cn.md
+++ b/docs/content/usage/authentication.zh-cn.md
@ -162,7 +162,7 @@ PAM提供了一种机制，通过对用户进行PAM认证来自动将其添加
    - PAM电子邮件域:用户认证时要附加的电子邮件后缀。例如，如果登录系统期望一个名为gituse的用户，
  并且将此字段设置为mail.com，那么Gitea在验证一个GIT实例的用户时将期望user emai字段为gituser@mail.com[^2]。

-**Note**: PAM 支持通过[build-time flags](https://docs.gitea.io/en-us/install-from-source/#build)添加,
+**Note**: PAM 支持通过[build-time flags](installation/install-from-source.md#build)添加,
 而官方提供的二进制文件通常不会默认启用此功能。PAM需要确保系统上有必要的libpam动态库，并且编译器可以访问必要的PAM开发头文件。

 [^1]: 例如，在Debian "Bullseye"上使用标准Linux登录，可以使用`common-session-noninteractive`。这个值对于其他版本的Debian，
--- a/docs/content/usage/multi-factor-authentication.en-us.md
+++ b/docs/content/usage/multi-factor-authentication.en-us.md
@ -0,0 +1,35 @@
+---
+date: "2023-08-22T14:21:00+08:00"
+title: "Usage: Multi-factor Authentication (MFA)"
+slug: "multi-factor-authentication"
+weight: 15
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "usage"
+    name: "Multi-factor Authentication (MFA)"
+    weight: 15
+    identifier: "multi-factor-authentication"
+---
+
+# Multi-factor Authentication (MFA)
+
+Multi-factor Authentication (also referred to as MFA or 2FA) enhances security by requiring a time-sensitive set of credentials in addition to a password.
+If a password were later to be compromised, logging into Gitea will not be possible without the additional credentials and the account would remain secure.
+Gitea supports both TOTP (Time-based One-Time Password) tokens and FIDO-based hardware keys using the Webauthn API.
+
+MFA can be configured within the "Security" tab of the user settings page.
+
+## MFA Considerations
+
+Enabling MFA on a user does affect how the Git HTTP protocol can be used with the Git CLI.
+This interface does not support MFA, and trying to use a password normally will no longer be possible whilst MFA is enabled.
+If SSH is not an option for Git operations, an access token can be generated within the "Applications" tab of the user settings page.
+This access token can be used as if it were a password in order to allow the Git CLI to function over HTTP.
+
+> **Warning** - By its very nature, an access token sidesteps the security benefits of MFA.
+> It must be kept secure and should only be used as a last resort.
+
+The Gitea API supports providing the relevant TOTP password in the `X-Gitea-OTP` header, as described in [API Usage](development/api-usage.md).
+This should be used instead of an access token where possible.
--- a/go.mod
+++ b/go.mod
@ -90,6 +90,7 @@ require (
 	github.com/prometheus/client_golang v1.16.0
 	github.com/quasoft/websspi v1.1.2
 	github.com/redis/go-redis/v9 v9.0.5
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/sassoftware/go-rpmutils v0.2.0
 	github.com/sergi/go-diff v1.3.1
@ -254,7 +255,6 @@ require (
 	github.com/rhysd/actionlint v1.6.25 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/robfig/cron v1.2.0 // indirect
-	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/rs/xid v1.5.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
--- a/models/actions/run.go
+++ b/models/actions/run.go
@ -43,6 +43,7 @@ type ActionRun struct {
 	EventPayload      string                       `xorm:"LONGTEXT"`
 	TriggerEvent      string                       // the trigger event defined in the `on` configuration of the triggered workflow
 	Status            Status                       `xorm:"index"`
+	Version           int                          `xorm:"version default 0"` // Status could be updated concomitantly, so an optimistic lock is needed
 	Started           timeutil.TimeStamp
 	Stopped           timeutil.TimeStamp
 	Created           timeutil.TimeStamp `xorm:"created"`
@ -332,12 +333,22 @@ func GetRunByIndex(ctx context.Context, repoID, index int64) (*ActionRun, error)
 	return run, nil
 }

+// UpdateRun updates a run.
+// It requires the inputted run has Version set.
+// It will return error if the version is not matched (it means the run has been changed after loaded).
 func UpdateRun(ctx context.Context, run *ActionRun, cols ...string) error {
 	sess := db.GetEngine(ctx).ID(run.ID)
 	if len(cols) > 0 {
 		sess.Cols(cols...)
 	}
-	_, err := sess.Update(run)
+	affected, err := sess.Update(run)
+	if err != nil {
+		return err
+	}
+	if affected == 0 {
+		return fmt.Errorf("run has changed")
+		// It's impossible that the run is not found, since Gitea never deletes runs.
+	}

 	if run.Status != 0 || util.SliceContains(cols, "status") {
 		if run.RepoID == 0 {
@ -358,7 +369,7 @@ func UpdateRun(ctx context.Context, run *ActionRun, cols ...string) error {
 		}
 	}

-	return err
+	return nil
 }

 type ActionRunIndex db.ResourceIndex
--- a/models/actions/run_job.go
+++ b/models/actions/run_job.go
@ -114,32 +114,41 @@ func UpdateRunJob(ctx context.Context, job *ActionRunJob, cond builder.Cond, col
 	if affected != 0 && util.SliceContains(cols, "status") && job.Status.IsWaiting() {
 		// if the status of job changes to waiting again, increase tasks version.
 		if err := IncreaseTaskVersion(ctx, job.OwnerID, job.RepoID); err != nil {
-			return affected, err
+			return 0, err
 		}
 	}

 	if job.RunID == 0 {
 		var err error
 		if job, err = GetRunJobByID(ctx, job.ID); err != nil {
-			return affected, err
+			return 0, err
 		}
 	}

-	jobs, err := GetRunJobsByRunID(ctx, job.RunID)
-	if err != nil {
-		return affected, err
+	{
+		// Other goroutines may aggregate the status of the run and update it too.
+		// So we need load the run and its jobs before updating the run.
+		run, err := GetRunByID(ctx, job.RunID)
+		if err != nil {
+			return 0, err
+		}
+		jobs, err := GetRunJobsByRunID(ctx, job.RunID)
+		if err != nil {
+			return 0, err
+		}
+		run.Status = aggregateJobStatus(jobs)
+		if run.Started.IsZero() && run.Status.IsRunning() {
+			run.Started = timeutil.TimeStampNow()
+		}
+		if run.Stopped.IsZero() && run.Status.IsDone() {
+			run.Stopped = timeutil.TimeStampNow()
+		}
+		if err := UpdateRun(ctx, run, "status", "started", "stopped"); err != nil {
+			return 0, fmt.Errorf("update run %d: %w", run.ID, err)
+		}
 	}

-	runStatus := aggregateJobStatus(jobs)
-
-	run := &ActionRun{
-		ID:     job.RunID,
-		Status: runStatus,
-	}
-	if runStatus.IsDone() {
-		run.Stopped = timeutil.TimeStampNow()
-	}
-	return affected, UpdateRun(ctx, run)
+	return affected, nil
 }

 func aggregateJobStatus(jobs []*ActionRunJob) Status {
--- a/models/actions/schedule.go
+++ b/models/actions/schedule.go
@ -0,0 +1,120 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+	"time"
+
+	"code.gitea.io/gitea/models/db"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/timeutil"
+	webhook_module "code.gitea.io/gitea/modules/webhook"
+
+	"github.com/robfig/cron/v3"
+)
+
+// ActionSchedule represents a schedule of a workflow file
+type ActionSchedule struct {
+	ID            int64
+	Title         string
+	Specs         []string
+	RepoID        int64                  `xorm:"index"`
+	Repo          *repo_model.Repository `xorm:"-"`
+	OwnerID       int64                  `xorm:"index"`
+	WorkflowID    string
+	TriggerUserID int64
+	TriggerUser   *user_model.User `xorm:"-"`
+	Ref           string
+	CommitSHA     string
+	Event         webhook_module.HookEventType
+	EventPayload  string `xorm:"LONGTEXT"`
+	Content       []byte
+	Created       timeutil.TimeStamp `xorm:"created"`
+	Updated       timeutil.TimeStamp `xorm:"updated"`
+}
+
+func init() {
+	db.RegisterModel(new(ActionSchedule))
+}
+
+// GetSchedulesMapByIDs returns the schedules by given id slice.
+func GetSchedulesMapByIDs(ids []int64) (map[int64]*ActionSchedule, error) {
+	schedules := make(map[int64]*ActionSchedule, len(ids))
+	return schedules, db.GetEngine(db.DefaultContext).In("id", ids).Find(&schedules)
+}
+
+// GetReposMapByIDs returns the repos by given id slice.
+func GetReposMapByIDs(ids []int64) (map[int64]*repo_model.Repository, error) {
+	repos := make(map[int64]*repo_model.Repository, len(ids))
+	return repos, db.GetEngine(db.DefaultContext).In("id", ids).Find(&repos)
+}
+
+var cronParser = cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor)
+
+// CreateScheduleTask creates new schedule task.
+func CreateScheduleTask(ctx context.Context, rows []*ActionSchedule) error {
+	// Return early if there are no rows to insert
+	if len(rows) == 0 {
+		return nil
+	}
+
+	// Begin transaction
+	ctx, committer, err := db.TxContext(ctx)
+	if err != nil {
+		return err
+	}
+	defer committer.Close()
+
+	// Loop through each schedule row
+	for _, row := range rows {
+		// Create new schedule row
+		if err = db.Insert(ctx, row); err != nil {
+			return err
+		}
+
+		// Loop through each schedule spec and create a new spec row
+		now := time.Now()
+
+		for _, spec := range row.Specs {
+			// Parse the spec and check for errors
+			schedule, err := cronParser.Parse(spec)
+			if err != nil {
+				continue // skip to the next spec if there's an error
+			}
+
+			// Insert the new schedule spec row
+			if err = db.Insert(ctx, &ActionScheduleSpec{
+				RepoID:     row.RepoID,
+				ScheduleID: row.ID,
+				Spec:       spec,
+				Next:       timeutil.TimeStamp(schedule.Next(now).Unix()),
+			}); err != nil {
+				return err
+			}
+		}
+	}
+
+	// Commit transaction
+	return committer.Commit()
+}
+
+func DeleteScheduleTaskByRepo(ctx context.Context, id int64) error {
+	ctx, committer, err := db.TxContext(ctx)
+	if err != nil {
+		return err
+	}
+	defer committer.Close()
+
+	if _, err := db.GetEngine(ctx).Delete(&ActionSchedule{RepoID: id}); err != nil {
+		return err
+	}
+
+	if _, err := db.GetEngine(ctx).Delete(&ActionScheduleSpec{RepoID: id}); err != nil {
+		return err
+	}
+
+	return committer.Commit()
+}
--- a/models/actions/schedule_list.go
+++ b/models/actions/schedule_list.go
@ -0,0 +1,94 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/db"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/container"
+
+	"xorm.io/builder"
+)
+
+type ScheduleList []*ActionSchedule
+
+// GetUserIDs returns a slice of user's id
+func (schedules ScheduleList) GetUserIDs() []int64 {
+	ids := make(container.Set[int64], len(schedules))
+	for _, schedule := range schedules {
+		ids.Add(schedule.TriggerUserID)
+	}
+	return ids.Values()
+}
+
+func (schedules ScheduleList) GetRepoIDs() []int64 {
+	ids := make(container.Set[int64], len(schedules))
+	for _, schedule := range schedules {
+		ids.Add(schedule.RepoID)
+	}
+	return ids.Values()
+}
+
+func (schedules ScheduleList) LoadTriggerUser(ctx context.Context) error {
+	userIDs := schedules.GetUserIDs()
+	users := make(map[int64]*user_model.User, len(userIDs))
+	if err := db.GetEngine(ctx).In("id", userIDs).Find(&users); err != nil {
+		return err
+	}
+	for _, schedule := range schedules {
+		if schedule.TriggerUserID == user_model.ActionsUserID {
+			schedule.TriggerUser = user_model.NewActionsUser()
+		} else {
+			schedule.TriggerUser = users[schedule.TriggerUserID]
+		}
+	}
+	return nil
+}
+
+func (schedules ScheduleList) LoadRepos() error {
+	repoIDs := schedules.GetRepoIDs()
+	repos, err := repo_model.GetRepositoriesMapByIDs(repoIDs)
+	if err != nil {
+		return err
+	}
+	for _, schedule := range schedules {
+		schedule.Repo = repos[schedule.RepoID]
+	}
+	return nil
+}
+
+type FindScheduleOptions struct {
+	db.ListOptions
+	RepoID  int64
+	OwnerID int64
+}
+
+func (opts FindScheduleOptions) toConds() builder.Cond {
+	cond := builder.NewCond()
+	if opts.RepoID > 0 {
+		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
+	}
+	if opts.OwnerID > 0 {
+		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
+	}
+
+	return cond
+}
+
+func FindSchedules(ctx context.Context, opts FindScheduleOptions) (ScheduleList, int64, error) {
+	e := db.GetEngine(ctx).Where(opts.toConds())
+	if !opts.ListAll && opts.PageSize > 0 && opts.Page >= 1 {
+		e.Limit(opts.PageSize, (opts.Page-1)*opts.PageSize)
+	}
+	var schedules ScheduleList
+	total, err := e.Desc("id").FindAndCount(&schedules)
+	return schedules, total, err
+}
+
+func CountSchedules(ctx context.Context, opts FindScheduleOptions) (int64, error) {
+	return db.GetEngine(ctx).Where(opts.toConds()).Count(new(ActionSchedule))
+}
--- a/models/actions/schedule_spec.go
+++ b/models/actions/schedule_spec.go
@ -0,0 +1,50 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/db"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"github.com/robfig/cron/v3"
+)
+
+// ActionScheduleSpec represents a schedule spec of a workflow file
+type ActionScheduleSpec struct {
+	ID         int64
+	RepoID     int64                  `xorm:"index"`
+	Repo       *repo_model.Repository `xorm:"-"`
+	ScheduleID int64                  `xorm:"index"`
+	Schedule   *ActionSchedule        `xorm:"-"`
+
+	// Next time the job will run, or the zero time if Cron has not been
+	// started or this entry's schedule is unsatisfiable
+	Next timeutil.TimeStamp `xorm:"index"`
+	// Prev is the last time this job was run, or the zero time if never.
+	Prev timeutil.TimeStamp
+	Spec string
+
+	Created timeutil.TimeStamp `xorm:"created"`
+	Updated timeutil.TimeStamp `xorm:"updated"`
+}
+
+func (s *ActionScheduleSpec) Parse() (cron.Schedule, error) {
+	return cronParser.Parse(s.Spec)
+}
+
+func init() {
+	db.RegisterModel(new(ActionScheduleSpec))
+}
+
+func UpdateScheduleSpec(ctx context.Context, spec *ActionScheduleSpec, cols ...string) error {
+	sess := db.GetEngine(ctx).ID(spec.ID)
+	if len(cols) > 0 {
+		sess.Cols(cols...)
+	}
+	_, err := sess.Update(spec)
+	return err
+}
--- a/models/actions/schedule_spec_list.go
+++ b/models/actions/schedule_spec_list.go
@ -0,0 +1,106 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/db"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/modules/container"
+
+	"xorm.io/builder"
+)
+
+type SpecList []*ActionScheduleSpec
+
+func (specs SpecList) GetScheduleIDs() []int64 {
+	ids := make(container.Set[int64], len(specs))
+	for _, spec := range specs {
+		ids.Add(spec.ScheduleID)
+	}
+	return ids.Values()
+}
+
+func (specs SpecList) LoadSchedules() error {
+	scheduleIDs := specs.GetScheduleIDs()
+	schedules, err := GetSchedulesMapByIDs(scheduleIDs)
+	if err != nil {
+		return err
+	}
+	for _, spec := range specs {
+		spec.Schedule = schedules[spec.ScheduleID]
+	}
+
+	repoIDs := specs.GetRepoIDs()
+	repos, err := GetReposMapByIDs(repoIDs)
+	if err != nil {
+		return err
+	}
+	for _, spec := range specs {
+		spec.Repo = repos[spec.RepoID]
+	}
+
+	return nil
+}
+
+func (specs SpecList) GetRepoIDs() []int64 {
+	ids := make(container.Set[int64], len(specs))
+	for _, spec := range specs {
+		ids.Add(spec.RepoID)
+	}
+	return ids.Values()
+}
+
+func (specs SpecList) LoadRepos() error {
+	repoIDs := specs.GetRepoIDs()
+	repos, err := repo_model.GetRepositoriesMapByIDs(repoIDs)
+	if err != nil {
+		return err
+	}
+	for _, spec := range specs {
+		spec.Repo = repos[spec.RepoID]
+	}
+	return nil
+}
+
+type FindSpecOptions struct {
+	db.ListOptions
+	RepoID int64
+	Next   int64
+}
+
+func (opts FindSpecOptions) toConds() builder.Cond {
+	cond := builder.NewCond()
+	if opts.RepoID > 0 {
+		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
+	}
+
+	if opts.Next > 0 {
+		cond = cond.And(builder.Lte{"next": opts.Next})
+	}
+
+	return cond
+}
+
+func FindSpecs(ctx context.Context, opts FindSpecOptions) (SpecList, int64, error) {
+	e := db.GetEngine(ctx).Where(opts.toConds())
+	if opts.PageSize > 0 && opts.Page >= 1 {
+		e.Limit(opts.PageSize, (opts.Page-1)*opts.PageSize)
+	}
+	var specs SpecList
+	total, err := e.Desc("id").FindAndCount(&specs)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	if err := specs.LoadSchedules(); err != nil {
+		return nil, 0, err
+	}
+	return specs, total, nil
+}
+
+func CountSpecs(ctx context.Context, opts FindSpecOptions) (int64, error) {
+	return db.GetEngine(ctx).Where(opts.toConds()).Count(new(ActionScheduleSpec))
+}
--- a/models/actions/task.go
+++ b/models/actions/task.go
@ -317,14 +317,6 @@ func CreateTaskForRunner(ctx context.Context, runner *ActionRunner) (*ActionTask
 		return nil, false, nil
 	}

-	if job.Run.Status.IsWaiting() {
-		job.Run.Status = StatusRunning
-		job.Run.Started = now
-		if err := UpdateRun(ctx, job.Run, "status", "started"); err != nil {
-			return nil, false, err
-		}
-	}
-
 	task.Job = job

 	if err := commiter.Commit(); err != nil {
--- a/models/git/commit_status.go
+++ b/models/git/commit_status.go
@ -22,6 +22,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/translation"

 	"xorm.io/builder"
 	"xorm.io/xorm"
@ -191,6 +192,11 @@ func (status *CommitStatus) APIURL(ctx context.Context) string {
 	return status.Repo.APIURL() + "/statuses/" + url.PathEscape(status.SHA)
 }

+// LocaleString returns the locale string name of the Status
+func (status *CommitStatus) LocaleString(lang translation.Locale) string {
+	return lang.Tr("repo.commitstatus." + status.State.String())
+}
+
 // CalcCommitStatus returns commit status state via some status, the commit statues should order by id desc
 func CalcCommitStatus(statuses []*CommitStatus) *CommitStatus {
 	var lastStatus *CommitStatus
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@ -23,6 +23,7 @@ import (
 	"code.gitea.io/gitea/modules/references"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/translation"
 	"code.gitea.io/gitea/modules/util"

 	"xorm.io/builder"
@ -181,40 +182,32 @@ func (t CommentType) HasAttachmentSupport() bool {
 	return false
 }

-// RoleDescriptor defines comment tag type
-type RoleDescriptor int
+// RoleInRepo presents the user's participation in the repo
+type RoleInRepo string
+
+// RoleDescriptor defines comment "role" tags
+type RoleDescriptor struct {
+	IsPoster   bool
+	RoleInRepo RoleInRepo
+}

 // Enumerate all the role tags.
 const (
-	RoleDescriptorNone RoleDescriptor = iota
-	RoleDescriptorPoster
-	RoleDescriptorWriter
-	RoleDescriptorOwner
+	RoleRepoOwner                RoleInRepo = "owner"
+	RoleRepoMember               RoleInRepo = "member"
+	RoleRepoCollaborator         RoleInRepo = "collaborator"
+	RoleRepoFirstTimeContributor RoleInRepo = "first_time_contributor"
+	RoleRepoContributor          RoleInRepo = "contributor"
 )

-// WithRole enable a specific tag on the RoleDescriptor.
-func (rd RoleDescriptor) WithRole(role RoleDescriptor) RoleDescriptor {
-	return rd | (1 << role)
+// LocaleString returns the locale string name of the role
+func (r RoleInRepo) LocaleString(lang translation.Locale) string {
+	return lang.Tr("repo.issues.role." + string(r))
 }

-func stringToRoleDescriptor(role string) RoleDescriptor {
-	switch role {
-	case "Poster":
-		return RoleDescriptorPoster
-	case "Writer":
-		return RoleDescriptorWriter
-	case "Owner":
-		return RoleDescriptorOwner
-	default:
-		return RoleDescriptorNone
-	}
-}
-
-// HasRole returns if a certain role is enabled on the RoleDescriptor.
-func (rd RoleDescriptor) HasRole(role string) bool {
-	roleDescriptor := stringToRoleDescriptor(role)
-	bitValue := rd & (1 << roleDescriptor)
-	return (bitValue > 0)
+// LocaleHelper returns the locale tooltip of the role
+func (r RoleInRepo) LocaleHelper(lang translation.Locale) string {
+	return lang.Tr("repo.issues.role." + string(r) + "_helper")
 }

 // Comment represents a comment in commit and issue page.
--- a/models/issues/issue_stats.go
+++ b/models/issues/issue_stats.go
@ -116,70 +116,71 @@ func GetIssueStats(opts *IssuesOptions) (*IssueStats, error) {
 func getIssueStatsChunk(opts *IssuesOptions, issueIDs []int64) (*IssueStats, error) {
 	stats := &IssueStats{}

-	countSession := func(opts *IssuesOptions, issueIDs []int64) *xorm.Session {
-		sess := db.GetEngine(db.DefaultContext).
-			Join("INNER", "repository", "`issue`.repo_id = `repository`.id")
-		if len(opts.RepoIDs) > 1 {
-			sess.In("issue.repo_id", opts.RepoIDs)
-		} else if len(opts.RepoIDs) == 1 {
-			sess.And("issue.repo_id = ?", opts.RepoIDs[0])
-		}
-
-		if len(issueIDs) > 0 {
-			sess.In("issue.id", issueIDs)
-		}
-
-		applyLabelsCondition(sess, opts)
-
-		applyMilestoneCondition(sess, opts)
-
-		applyProjectCondition(sess, opts)
-
-		if opts.AssigneeID > 0 {
-			applyAssigneeCondition(sess, opts.AssigneeID)
-		} else if opts.AssigneeID == db.NoConditionID {
-			sess.Where("issue.id NOT IN (SELECT issue_id FROM issue_assignees)")
-		}
-
-		if opts.PosterID > 0 {
-			applyPosterCondition(sess, opts.PosterID)
-		}
-
-		if opts.MentionedID > 0 {
-			applyMentionedCondition(sess, opts.MentionedID)
-		}
-
-		if opts.ReviewRequestedID > 0 {
-			applyReviewRequestedCondition(sess, opts.ReviewRequestedID)
-		}
-
-		if opts.ReviewedID > 0 {
-			applyReviewedCondition(sess, opts.ReviewedID)
-		}
-
-		switch opts.IsPull {
-		case util.OptionalBoolTrue:
-			sess.And("issue.is_pull=?", true)
-		case util.OptionalBoolFalse:
-			sess.And("issue.is_pull=?", false)
-		}
-
-		return sess
-	}
+	sess := db.GetEngine(db.DefaultContext).
+		Join("INNER", "repository", "`issue`.repo_id = `repository`.id")

 	var err error
-	stats.OpenCount, err = countSession(opts, issueIDs).
+	stats.OpenCount, err = applyIssuesOptions(sess, opts, issueIDs).
 		And("issue.is_closed = ?", false).
 		Count(new(Issue))
 	if err != nil {
 		return stats, err
 	}
-	stats.ClosedCount, err = countSession(opts, issueIDs).
+	stats.ClosedCount, err = applyIssuesOptions(sess, opts, issueIDs).
 		And("issue.is_closed = ?", true).
 		Count(new(Issue))
 	return stats, err
 }

+func applyIssuesOptions(sess *xorm.Session, opts *IssuesOptions, issueIDs []int64) *xorm.Session {
+	if len(opts.RepoIDs) > 1 {
+		sess.In("issue.repo_id", opts.RepoIDs)
+	} else if len(opts.RepoIDs) == 1 {
+		sess.And("issue.repo_id = ?", opts.RepoIDs[0])
+	}
+
+	if len(issueIDs) > 0 {
+		sess.In("issue.id", issueIDs)
+	}
+
+	applyLabelsCondition(sess, opts)
+
+	applyMilestoneCondition(sess, opts)
+
+	applyProjectCondition(sess, opts)
+
+	if opts.AssigneeID > 0 {
+		applyAssigneeCondition(sess, opts.AssigneeID)
+	} else if opts.AssigneeID == db.NoConditionID {
+		sess.Where("issue.id NOT IN (SELECT issue_id FROM issue_assignees)")
+	}
+
+	if opts.PosterID > 0 {
+		applyPosterCondition(sess, opts.PosterID)
+	}
+
+	if opts.MentionedID > 0 {
+		applyMentionedCondition(sess, opts.MentionedID)
+	}
+
+	if opts.ReviewRequestedID > 0 {
+		applyReviewRequestedCondition(sess, opts.ReviewRequestedID)
+	}
+
+	if opts.ReviewedID > 0 {
+		applyReviewedCondition(sess, opts.ReviewedID)
+	}
+
+	switch opts.IsPull {
+	case util.OptionalBoolTrue:
+		sess.And("issue.is_pull=?", true)
+	case util.OptionalBoolFalse:
+		sess.And("issue.is_pull=?", false)
+	}
+
+	return sess
+}
+
 // GetUserIssueStats returns issue statistic information for dashboard by given conditions.
 func GetUserIssueStats(filterMode int, opts IssuesOptions) (*IssueStats, error) {
 	if opts.User == nil {
--- a/models/issues/label.go
+++ b/models/issues/label.go
@ -113,10 +113,11 @@ func (l *Label) CalOpenIssues() {

 // SetArchived set the label as archived
 func (l *Label) SetArchived(isArchived bool) {
-	if isArchived && l.ArchivedUnix.IsZero() {
-		l.ArchivedUnix = timeutil.TimeStampNow()
-	} else {
+	if !isArchived {
 		l.ArchivedUnix = timeutil.TimeStamp(0)
+	} else if isArchived && l.ArchivedUnix.IsZero() {
+		// Only change the date when it is newly archived.
+		l.ArchivedUnix = timeutil.TimeStampNow()
 	}
 }

--- a/models/issues/pull_list.go
+++ b/models/issues/pull_list.go
@ -199,3 +199,16 @@ func (prs PullRequestList) GetIssueIDs() []int64 {
 	}
 	return issueIDs
 }
+
+// HasMergedPullRequestInRepo returns whether the user(poster) has merged pull-request in the repo
+func HasMergedPullRequestInRepo(ctx context.Context, repoID, posterID int64) (bool, error) {
+	return db.GetEngine(ctx).
+		Join("INNER", "pull_request", "pull_request.issue_id = issue.id").
+		Where("repo_id=?", repoID).
+		And("poster_id=?", posterID).
+		And("is_pull=?", true).
+		And("pull_request.has_merged=?", true).
+		Select("issue.id").
+		Limit(1).
+		Get(new(Issue))
+}
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@ -524,6 +524,10 @@ var migrations = []Migration{
 	NewMigration("Fix PackageProperty typo", v1_21.FixPackagePropertyTypo),
 	// v271 -> v272
 	NewMigration("Allow archiving labels", v1_21.AddArchivedUnixColumInLabelTable),
+	// v272 -> v273
+	NewMigration("Add Version to ActionRun table", v1_21.AddVersionToActionRunTable),
+	// v273 -> v274
+	NewMigration("Add Action Schedule Table", v1_21.AddActionScheduleTable),
 }

 // GetCurrentDBVersion returns the current db version
--- a/models/migrations/v1_21/v272.go
+++ b/models/migrations/v1_21/v272.go
@ -0,0 +1,14 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_21 //nolint
+import (
+	"xorm.io/xorm"
+)
+
+func AddVersionToActionRunTable(x *xorm.Engine) error {
+	type ActionRun struct {
+		Version int `xorm:"version default 0"`
+	}
+	return x.Sync(new(ActionRun))
+}
--- a/models/migrations/v1_21/v273.go
+++ b/models/migrations/v1_21/v273.go
@ -0,0 +1,45 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_21 //nolint
+import (
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+func AddActionScheduleTable(x *xorm.Engine) error {
+	type ActionSchedule struct {
+		ID            int64
+		Title         string
+		Specs         []string
+		RepoID        int64 `xorm:"index"`
+		OwnerID       int64 `xorm:"index"`
+		WorkflowID    string
+		TriggerUserID int64
+		Ref           string
+		CommitSHA     string
+		Event         string
+		EventPayload  string `xorm:"LONGTEXT"`
+		Content       []byte
+		Created       timeutil.TimeStamp `xorm:"created"`
+		Updated       timeutil.TimeStamp `xorm:"updated"`
+	}
+
+	type ActionScheduleSpec struct {
+		ID         int64
+		RepoID     int64 `xorm:"index"`
+		ScheduleID int64 `xorm:"index"`
+		Spec       string
+		Next       timeutil.TimeStamp `xorm:"index"`
+		Prev       timeutil.TimeStamp
+
+		Created timeutil.TimeStamp `xorm:"created"`
+		Updated timeutil.TimeStamp `xorm:"updated"`
+	}
+
+	return x.Sync(
+		new(ActionSchedule),
+		new(ActionScheduleSpec),
+	)
+}
--- a/models/repo.go
+++ b/models/repo.go
@ -170,6 +170,8 @@ func DeleteRepository(doer *user_model.User, uid, repoID int64) error {
 		&actions_model.ActionRunJob{RepoID: repoID},
 		&actions_model.ActionRun{RepoID: repoID},
 		&actions_model.ActionRunner{RepoID: repoID},
+		&actions_model.ActionScheduleSpec{RepoID: repoID},
+		&actions_model.ActionSchedule{RepoID: repoID},
 		&actions_model.ActionArtifact{RepoID: repoID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %w", err)
--- a/models/repo/pushmirror.go
+++ b/models/repo/pushmirror.go
@ -128,7 +128,7 @@ func GetPushMirrorsByRepoID(ctx context.Context, repoID int64, listOptions db.Li
 func GetPushMirrorsSyncedOnCommit(ctx context.Context, repoID int64) ([]*PushMirror, error) {
 	mirrors := make([]*PushMirror, 0, 10)
 	return mirrors, db.GetEngine(ctx).
-		Where("repo_id=? AND sync_on_commit=?", repoID, true).
+		Where("repo_id = ? AND sync_on_commit = ?", repoID, true).
 		Find(&mirrors)
 }

--- a/models/repo/release.go
+++ b/models/repo/release.go
@ -133,6 +133,11 @@ func (r *Release) HTMLURL() string {
 	return r.Repo.HTMLURL() + "/releases/tag/" + util.PathEscapeSegments(r.TagName)
 }

+// APIUploadURL the api url to upload assets to a release. release must have attributes loaded
+func (r *Release) APIUploadURL() string {
+	return r.APIURL() + "/assets"
+}
+
 // Link the relative url for a release on the web UI. release must have attributes loaded
 func (r *Release) Link() string {
 	return r.Repo.Link() + "/releases/tag/" + util.PathEscapeSegments(r.TagName)
--- a/models/repo/repo_list.go
+++ b/models/repo/repo_list.go
@ -130,6 +130,10 @@ type SearchRepoOptions struct {
 	// True -> include just collaborative
 	// False -> include just non-collaborative
 	Collaborate util.OptionalBool
+	// What type of unit the user can be collaborative in,
+	// it is ignored if Collaborate is False.
+	// TypeInvalid means any unit type.
+	UnitType unit.Type
 	// None -> include forks AND non-forks
 	// True -> include just forks
 	// False -> include just non-forks
@ -384,19 +388,25 @@ func SearchRepositoryCondition(opts *SearchRepoOptions) builder.Cond {

 		if opts.Collaborate != util.OptionalBoolFalse {
 			// A Collaboration is:
-			collaborateCond := builder.And(
-				// 1. Repository we don't own
-				builder.Neq{"owner_id": opts.OwnerID},
-				// 2. But we can see because of:
-				builder.Or(
-					// A. We have unit independent access
-					UserAccessRepoCond("`repository`.id", opts.OwnerID),
-					// B. We are in a team for
-					UserOrgTeamRepoCond("`repository`.id", opts.OwnerID),
-					// C. Public repositories in organizations that we are member of
-					userOrgPublicRepoCondPrivate(opts.OwnerID),
-				),
-			)
+
+			collaborateCond := builder.NewCond()
+			// 1. Repository we don't own
+			collaborateCond = collaborateCond.And(builder.Neq{"owner_id": opts.OwnerID})
+			// 2. But we can see because of:
+			{
+				userAccessCond := builder.NewCond()
+				// A. We have unit independent access
+				userAccessCond = userAccessCond.Or(UserAccessRepoCond("`repository`.id", opts.OwnerID))
+				// B. We are in a team for
+				if opts.UnitType == unit.TypeInvalid {
+					userAccessCond = userAccessCond.Or(UserOrgTeamRepoCond("`repository`.id", opts.OwnerID))
+				} else {
+					userAccessCond = userAccessCond.Or(userOrgTeamUnitRepoCond("`repository`.id", opts.OwnerID, opts.UnitType))
+				}
+				// C. Public repositories in organizations that we are member of
+				userAccessCond = userAccessCond.Or(userOrgPublicRepoCondPrivate(opts.OwnerID))
+				collaborateCond = collaborateCond.And(userAccessCond)
+			}
 			if !opts.Private {
 				collaborateCond = collaborateCond.And(builder.Expr("owner_id NOT IN (SELECT org_id FROM org_user WHERE org_user.uid = ? AND org_user.is_public = ?)", opts.OwnerID, false))
 			}
--- a/models/secret/secret.go
+++ b/models/secret/secret.go
@ -6,12 +6,14 @@ package secret
 import (
 	"context"
 	"errors"
+	"fmt"
 	"strings"

 	"code.gitea.io/gitea/models/db"
 	secret_module "code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/util"

 	"xorm.io/builder"
 )
@ -26,6 +28,25 @@ type Secret struct {
 	CreatedUnix timeutil.TimeStamp `xorm:"created NOT NULL"`
 }

+// ErrSecretNotFound represents a "secret not found" error.
+type ErrSecretNotFound struct {
+	Name string
+}
+
+// IsErrSecretNotFound checks if an error is a ErrSecretNotFound.
+func IsErrSecretNotFound(err error) bool {
+	_, ok := err.(ErrSecretNotFound)
+	return ok
+}
+
+func (err ErrSecretNotFound) Error() string {
+	return fmt.Sprintf("secret was not found [name: %s]", err.Name)
+}
+
+func (err ErrSecretNotFound) Unwrap() error {
+	return util.ErrNotExist
+}
+
 // newSecret Creates a new already encrypted secret
 func newSecret(ownerID, repoID int64, name, data string) *Secret {
 	return &Secret{
@ -93,3 +114,49 @@ func FindSecrets(ctx context.Context, opts FindSecretsOptions) ([]*Secret, error
 func CountSecrets(ctx context.Context, opts *FindSecretsOptions) (int64, error) {
 	return db.GetEngine(ctx).Where(opts.toConds()).Count(new(Secret))
 }
+
+// UpdateSecret changes org or user reop secret.
+func UpdateSecret(ctx context.Context, orgID, repoID int64, name, data string) error {
+	sc := new(Secret)
+	name = strings.ToUpper(name)
+	has, err := db.GetEngine(ctx).
+		Where("owner_id=?", orgID).
+		And("repo_id=?", repoID).
+		And("name=?", name).
+		Get(sc)
+	if err != nil {
+		return err
+	} else if !has {
+		return ErrSecretNotFound{Name: name}
+	}
+
+	encrypted, err := secret_module.EncryptSecret(setting.SecretKey, data)
+	if err != nil {
+		return err
+	}
+
+	sc.Data = encrypted
+	_, err = db.GetEngine(ctx).ID(sc.ID).Cols("data").Update(sc)
+	return err
+}
+
+// DeleteSecret deletes secret from an organization.
+func DeleteSecret(ctx context.Context, orgID, repoID int64, name string) error {
+	sc := new(Secret)
+	has, err := db.GetEngine(ctx).
+		Where("owner_id=?", orgID).
+		And("repo_id=?", repoID).
+		And("name=?", strings.ToUpper(name)).
+		Get(sc)
+	if err != nil {
+		return err
+	} else if !has {
+		return ErrSecretNotFound{Name: name}
+	}
+
+	if _, err := db.GetEngine(ctx).ID(sc.ID).Delete(new(Secret)); err != nil {
+		return fmt.Errorf("Delete: %w", err)
+	}
+
+	return nil
+}
--- a/modules/actions/workflows.go
+++ b/modules/actions/workflows.go
@ -95,18 +95,25 @@ func GetEventsFromContent(content []byte) ([]*jobparser.Event, error) {
 	return events, nil
 }

-func DetectWorkflows(gitRepo *git.Repository, commit *git.Commit, triggedEvent webhook_module.HookEventType, payload api.Payloader) ([]*DetectedWorkflow, error) {
+func DetectWorkflows(
+	gitRepo *git.Repository,
+	commit *git.Commit,
+	triggedEvent webhook_module.HookEventType,
+	payload api.Payloader,
+) ([]*DetectedWorkflow, []*DetectedWorkflow, error) {
 	entries, err := ListWorkflows(commit)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	workflows := make([]*DetectedWorkflow, 0, len(entries))
+	schedules := make([]*DetectedWorkflow, 0, len(entries))
 	for _, entry := range entries {
 		content, err := GetContentFromEntry(entry)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
+
 		events, err := GetEventsFromContent(content)
 		if err != nil {
 			log.Warn("ignore invalid workflow %q: %v", entry.Name(), err)
@ -114,6 +121,14 @@ func DetectWorkflows(gitRepo *git.Repository, commit *git.Commit, triggedEvent w
 		}
 		for _, evt := range events {
 			log.Trace("detect workflow %q for event %#v matching %q", entry.Name(), evt, triggedEvent)
+			if evt.IsSchedule() {
+				dwf := &DetectedWorkflow{
+					EntryName:    entry.Name(),
+					TriggerEvent: evt.Name,
+					Content:      content,
+				}
+				schedules = append(schedules, dwf)
+			}
 			if detectMatched(gitRepo, commit, triggedEvent, payload, evt) {
 				dwf := &DetectedWorkflow{
 					EntryName:    entry.Name(),
@ -125,7 +140,7 @@ func DetectWorkflows(gitRepo *git.Repository, commit *git.Commit, triggedEvent w
 		}
 	}

-	return workflows, nil
+	return workflows, schedules, nil
 }

 func detectMatched(gitRepo *git.Repository, commit *git.Commit, triggedEvent webhook_module.HookEventType, payload api.Payloader, evt *jobparser.Event) bool {
--- a/modules/activitypub/user_settings.go
+++ b/modules/activitypub/user_settings.go
@ -8,7 +8,7 @@ import (
 	"code.gitea.io/gitea/modules/util"
 )

-const rsaBits = 2048
+const rsaBits = 3072

 // GetKeyPair function returns a user's private and public keys
 func GetKeyPair(user *user_model.User) (pub, priv string, err error) {
--- a/modules/context/context.go
+++ b/modules/context/context.go
@ -107,6 +107,29 @@ func GetValidateContext(req *http.Request) (ctx *ValidateContext) {
 	return ctx
 }

+func NewTemplateContextForWeb(ctx *Context) TemplateContext {
+	tmplCtx := NewTemplateContext(ctx)
+	tmplCtx["Locale"] = ctx.Base.Locale
+	tmplCtx["AvatarUtils"] = templates.NewAvatarUtils(ctx)
+	return tmplCtx
+}
+
+func NewWebContext(base *Base, render Render, session session.Store) *Context {
+	ctx := &Context{
+		Base:    base,
+		Render:  render,
+		Session: session,
+
+		Cache: mc.GetCache(),
+		Link:  setting.AppSubURL + strings.TrimSuffix(base.Req.URL.EscapedPath(), "/"),
+		Repo:  &Repository{PullRequest: &PullRequest{}},
+		Org:   &Organization{},
+	}
+	ctx.TemplateContext = NewTemplateContextForWeb(ctx)
+	ctx.Flash = &middleware.Flash{DataStore: ctx, Values: url.Values{}}
+	return ctx
+}
+
 // Contexter initializes a classic context for a request.
 func Contexter() func(next http.Handler) http.Handler {
 	rnd := templates.HTMLRenderer()
@ -127,21 +150,8 @@ func Contexter() func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 			base, baseCleanUp := NewBaseContext(resp, req)
-			ctx := &Context{
-				Base:    base,
-				Cache:   mc.GetCache(),
-				Link:    setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/"),
-				Render:  rnd,
-				Session: session.GetSession(req),
-				Repo:    &Repository{PullRequest: &PullRequest{}},
-				Org:     &Organization{},
-			}
 			defer baseCleanUp()
-
-			// TODO: "install.go" also shares the same logic, which should be refactored to a general function
-			ctx.TemplateContext = NewTemplateContext(ctx)
-			ctx.TemplateContext["Locale"] = ctx.Locale
-			ctx.TemplateContext["AvatarUtils"] = templates.NewAvatarUtils(ctx)
+			ctx := NewWebContext(base, rnd, session.GetSession(req))

 			ctx.Data.MergeFrom(middleware.CommonTemplateContextData())
 			ctx.Data["Context"] = ctx // TODO: use "ctx" in template and remove this
@ -172,8 +182,7 @@ func Contexter() func(next http.Handler) http.Handler {
 				}
 			}

-			// prepare an empty Flash message for current request
-			ctx.Flash = &middleware.Flash{DataStore: ctx, Values: url.Values{}}
+			// if there are new messages in the ctx.Flash, write them into cookie
 			ctx.Resp.Before(func(resp ResponseWriter) {
 				if val := ctx.Flash.Encode(); val != "" {
 					middleware.SetSiteCookie(ctx.Resp, CookieNameFlash, val, 0)
--- a/modules/context/package.go
+++ b/modules/context/package.go
@ -154,12 +154,10 @@ func PackageContexter() func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 			base, baseCleanUp := NewBaseContext(resp, req)
-			ctx := &Context{
-				Base:   base,
-				Render: renderer, // it is still needed when rendering 500 page in a package handler
-			}
 			defer baseCleanUp()

+			// it is still needed when rendering 500 page in a package handler
+			ctx := NewWebContext(base, renderer, nil)
 			ctx.Base.AppendContextValue(WebContextKey, ctx)
 			next.ServeHTTP(ctx.Resp, ctx.Req)
 		})
--- a/modules/git/commit.go
+++ b/modules/git/commit.go
@ -495,7 +495,7 @@ func GetCommitFileStatus(ctx context.Context, repoPath, commitID string) (*Commi
 	}()

 	stderr := new(bytes.Buffer)
-	err := NewCommand(ctx, "log", "--name-status", "-c", "--pretty=format:", "--parents", "--no-renames", "-z", "-1").AddDynamicArguments(commitID).Run(&RunOpts{
+	err := NewCommand(ctx, "log", "--name-status", "-m", "--pretty=format:", "--first-parent", "--no-renames", "-z", "-1").AddDynamicArguments(commitID).Run(&RunOpts{
 		Dir:    repoPath,
 		Stdout: w,
 		Stderr: stderr,
--- a/modules/git/commit_test.go
+++ b/modules/git/commit_test.go
@ -255,3 +255,26 @@ func TestParseCommitFileStatus(t *testing.T) {
 		assert.Equal(t, kase.modified, fileStatus.Modified)
 	}
 }
+
+func TestGetCommitFileStatusMerges(t *testing.T) {
+	bareRepo1Path := filepath.Join(testReposDir, "repo6_merge")
+
+	commitFileStatus, err := GetCommitFileStatus(DefaultContext, bareRepo1Path, "022f4ce6214973e018f02bf363bf8a2e3691f699")
+	assert.NoError(t, err)
+
+	expected := CommitFileStatus{
+		[]string{
+			"add_file.txt",
+		},
+		[]string{
+			"to_remove.txt",
+		},
+		[]string{
+			"to_modify.txt",
+		},
+	}
+
+	assert.Equal(t, commitFileStatus.Added, expected.Added)
+	assert.Equal(t, commitFileStatus.Removed, expected.Removed)
+	assert.Equal(t, commitFileStatus.Modified, expected.Modified)
+}
--- a/modules/git/tests/repos/repo6_merge/HEAD
+++ b/modules/git/tests/repos/repo6_merge/HEAD
@ -0,0 +1 @@
+ref: refs/heads/main
--- a/modules/git/tests/repos/repo6_merge/objects/02/2f4ce6214973e018f02bf363bf8a2e3691f699
+++ b/modules/git/tests/repos/repo6_merge/objects/02/2f4ce6214973e018f02bf363bf8a2e3691f699
--- a/modules/git/tests/repos/repo6_merge/objects/05/45879290cc368a8becebc4aa34002c52d5fecc
+++ b/modules/git/tests/repos/repo6_merge/objects/05/45879290cc368a8becebc4aa34002c52d5fecc
--- a/modules/git/tests/repos/repo6_merge/objects/1e/5d0a65fe099ef12d24b28f783896e4b8172576
+++ b/modules/git/tests/repos/repo6_merge/objects/1e/5d0a65fe099ef12d24b28f783896e4b8172576
--- a/modules/git/tests/repos/repo6_merge/objects/37/d35c7ed39e4e16d0b579a5b995b7e30b0e9411
+++ b/modules/git/tests/repos/repo6_merge/objects/37/d35c7ed39e4e16d0b579a5b995b7e30b0e9411
@ -0,0 +1,2 @@
+x<01>ÍM
+1†a×=Eö‚$µÍLAÄ«ô'Á‡‘iæþR½€›g÷~_ÝÖu1 ˜N¶‹@mZ)g<>2…D‘j™Š*_“fŒÌs¥4ïòaÏm“np>—Áˆç€Ì>!œÑ#ºú½1ù;p]ìxÿæuyIwÑN4Ã
--- a/modules/git/tests/repos/repo6_merge/objects/38/ec3e0cdc88bde01014bda4a5dd9fc835f41439
+++ b/modules/git/tests/repos/repo6_merge/objects/38/ec3e0cdc88bde01014bda4a5dd9fc835f41439
@ -0,0 +1,2 @@
+x█нM
+б0├aв9еЛ≥ЭM2 БU Ф╛∙=©т╦yv/╪С╤╝к гН0:@╠Р$╠│Uя╛╚.≈[й>╚ ■l⌠▀IлsЙxР╘З8'T╞╟R╧д╓S,╙╠$x.
ж И=n[╖│в═СНuГ╢s!+9╟┬ВBGvлfЧm
Э≤▌uШ─зr┤ЫЪа>╝
--- a/modules/git/tests/repos/repo6_merge/objects/66/7e0fbc6bc02c2285d17f542e89b23c0fa5482b
+++ b/modules/git/tests/repos/repo6_merge/objects/66/7e0fbc6bc02c2285d17f542e89b23c0fa5482b
--- a/modules/git/tests/repos/repo6_merge/objects/9f/d90b1d524c0fea776ed5e6476da02ea1740597
+++ b/modules/git/tests/repos/repo6_merge/objects/9f/d90b1d524c0fea776ed5e6476da02ea1740597
--- a/modules/git/tests/repos/repo6_merge/objects/ae/4b035e7c4afbc000576cee3f713ea0c2f1e1e2
+++ b/modules/git/tests/repos/repo6_merge/objects/ae/4b035e7c4afbc000576cee3f713ea0c2f1e1e2
@ -0,0 +1,5 @@
+xŤÎM
+1@a×=Eö‚¤?iń*mšÁÇ‘™xOŕćŰ=x˛.Ëlŕ™O¶©R˘Z80ŠÄ\[í*Ú%µb
+<EFBFBD>&qď¶éË –IŠŽČšÔç<C394>ť
+7ęĚÔ‹Fě¨śĽwícŹuÓÝŕzx?¸ÜŔçš0ç
+ś1 :ům™ţ¸6LóSÝŔí>&
--- a/modules/git/tests/repos/repo6_merge/objects/ba/2906d0666cf726c7eaadd2cd3db615dedfdf3a
+++ b/modules/git/tests/repos/repo6_merge/objects/ba/2906d0666cf726c7eaadd2cd3db615dedfdf3a
--- a/modules/git/tests/repos/repo6_merge/objects/c1/a95c2eff8151c6d1437a0d5d3322a73ff38fb8
+++ b/modules/git/tests/repos/repo6_merge/objects/c1/a95c2eff8151c6d1437a0d5d3322a73ff38fb8
--- a/modules/git/tests/repos/repo6_merge/objects/cc/d1d4d594029e68c388ecef5aa3063fa1055831
+++ b/modules/git/tests/repos/repo6_merge/objects/cc/d1d4d594029e68c388ecef5aa3063fa1055831
--- a/modules/git/tests/repos/repo6_merge/objects/cd/fc1aaf7a149151cb7bff639fafe05668d4bbd2
+++ b/modules/git/tests/repos/repo6_merge/objects/cd/fc1aaf7a149151cb7bff639fafe05668d4bbd2
--- a/modules/git/tests/repos/repo6_merge/objects/d1/792641396ff7630d35fbb0b74b86b0c71bca77
+++ b/modules/git/tests/repos/repo6_merge/objects/d1/792641396ff7630d35fbb0b74b86b0c71bca77
--- a/modules/git/tests/repos/repo6_merge/objects/ec/d11d8da0f25eaa99f64a37a82da98685f381e2
+++ b/modules/git/tests/repos/repo6_merge/objects/ec/d11d8da0f25eaa99f64a37a82da98685f381e2
--- a/modules/git/tests/repos/repo6_merge/objects/fa/49b077972391ad58037050f2a75f74e3671e92
+++ b/modules/git/tests/repos/repo6_merge/objects/fa/49b077972391ad58037050f2a75f74e3671e92
--- a/modules/git/tests/repos/repo6_merge/refs/heads/main
+++ b/modules/git/tests/repos/repo6_merge/refs/heads/main
@ -0,0 +1 @@
+022f4ce6214973e018f02bf363bf8a2e3691f699
--- a/modules/git/tests/repos/repo6_merge/refs/heads/merge/add_file
+++ b/modules/git/tests/repos/repo6_merge/refs/heads/merge/add_file
@ -0,0 +1 @@
+ae4b035e7c4afbc000576cee3f713ea0c2f1e1e2
--- a/modules/git/tests/repos/repo6_merge/refs/heads/merge/modify_file
+++ b/modules/git/tests/repos/repo6_merge/refs/heads/merge/modify_file
@ -0,0 +1 @@
+d1792641396ff7630d35fbb0b74b86b0c71bca77
--- a/modules/git/tests/repos/repo6_merge/refs/heads/merge/remove_file
+++ b/modules/git/tests/repos/repo6_merge/refs/heads/merge/remove_file
@ -0,0 +1 @@
+38ec3e0cdc88bde01014bda4a5dd9fc835f41439
--- a/modules/indexer/issues/indexer.go
+++ b/modules/indexer/issues/indexer.go
@ -13,6 +13,7 @@ import (

 	db_model "code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/modules/container"
 	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/indexer/issues/bleve"
 	"code.gitea.io/gitea/modules/indexer/issues/db"
@ -277,7 +278,7 @@ func IsAvailable(ctx context.Context) bool {
 }

 // SearchOptions indicates the options for searching issues
-type SearchOptions internal.SearchOptions
+type SearchOptions = internal.SearchOptions

 const (
 	SortByCreatedDesc  = internal.SortByCreatedDesc
@ -291,7 +292,6 @@ const (
 )

 // SearchIssues search issues by options.
-// It returns issue ids and a bool value indicates if the result is imprecise.
 func SearchIssues(ctx context.Context, opts *SearchOptions) ([]int64, int64, error) {
 	indexer := *globalIndexer.Load()

@ -305,7 +305,7 @@ func SearchIssues(ctx context.Context, opts *SearchOptions) ([]int64, int64, err
 		indexer = db.NewIndexer()
 	}

-	result, err := indexer.Search(ctx, (*internal.SearchOptions)(opts))
+	result, err := indexer.Search(ctx, opts)
 	if err != nil {
 		return nil, 0, err
 	}
@ -317,3 +317,38 @@ func SearchIssues(ctx context.Context, opts *SearchOptions) ([]int64, int64, err

 	return ret, result.Total, nil
 }
+
+// CountIssues counts issues by options. It is a shortcut of SearchIssues(ctx, opts) but only returns the total count.
+func CountIssues(ctx context.Context, opts *SearchOptions) (int64, error) {
+	opts = opts.Copy(func(options *SearchOptions) { opts.Paginator = &db_model.ListOptions{PageSize: 0} })
+
+	_, total, err := SearchIssues(ctx, opts)
+	return total, err
+}
+
+// CountIssuesByRepo counts issues by options and group by repo id.
+// It's not a complete implementation, since it requires the caller should provide the repo ids.
+// That means opts.RepoIDs must be specified, and opts.AllPublic must be false.
+// It's good enough for the current usage, and it can be improved if needed.
+// TODO: use "group by" of the indexer engines to implement it.
+func CountIssuesByRepo(ctx context.Context, opts *SearchOptions) (map[int64]int64, error) {
+	if len(opts.RepoIDs) == 0 {
+		return nil, fmt.Errorf("opts.RepoIDs must be specified")
+	}
+	if opts.AllPublic {
+		return nil, fmt.Errorf("opts.AllPublic must be false")
+	}
+
+	repoIDs := container.SetOf(opts.RepoIDs...).Values()
+	ret := make(map[int64]int64, len(repoIDs))
+	// TODO: it could be faster if do it in parallel for some indexer engines. Improve it if users report it's slow.
+	for _, repoID := range repoIDs {
+		count, err := CountIssues(ctx, opts.Copy(func(o *internal.SearchOptions) { o.RepoIDs = []int64{repoID} }))
+		if err != nil {
+			return nil, err
+		}
+		ret[repoID] = count
+	}
+
+	return ret, nil
+}
--- a/modules/indexer/issues/internal/model.go
+++ b/modules/indexer/issues/internal/model.go
@ -109,6 +109,19 @@ type SearchOptions struct {
 	SortBy SortBy // sort by field
 }

+// Copy returns a copy of the options.
+// Be careful, it's not a deep copy, so `SearchOptions.RepoIDs = {...}` is OK while `SearchOptions.RepoIDs[0] = ...` is not.
+func (o *SearchOptions) Copy(edit ...func(options *SearchOptions)) *SearchOptions {
+	if o == nil {
+		return nil
+	}
+	v := *o
+	for _, e := range edit {
+		e(&v)
+	}
+	return &v
+}
+
 type SortBy string

 const (
--- a/modules/notification/notification.go
+++ b/modules/notification/notification.go
@ -16,7 +16,6 @@ import (
 	"code.gitea.io/gitea/modules/notification/base"
 	"code.gitea.io/gitea/modules/notification/indexer"
 	"code.gitea.io/gitea/modules/notification/mail"
-	"code.gitea.io/gitea/modules/notification/mirror"
 	"code.gitea.io/gitea/modules/notification/ui"
 	"code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
@ -38,7 +37,6 @@ func NewContext() {
 	}
 	RegisterNotifier(indexer.NewNotifier())
 	RegisterNotifier(action.NewNotifier())
-	RegisterNotifier(mirror.NewNotifier())
 }

 // NotifyNewWikiPage notifies creating new wiki pages to notifiers
--- a/modules/packages/conda/metadata_test.go
+++ b/modules/packages/conda/metadata_test.go
@ -19,9 +19,9 @@ const (
 	packageName      = "gitea"
 	packageVersion   = "1.0.1"
 	description      = "Package Description"
-	projectURL       = "https://gitea.io"
-	repositoryURL    = "https://gitea.io/gitea/gitea"
-	documentationURL = "https://docs.gitea.io"
+	projectURL       = "https://gitea.com"
+	repositoryURL    = "https://gitea.com/gitea/gitea"
+	documentationURL = "https://docs.gitea.com"
 )

 func TestParsePackage(t *testing.T) {
--- a/modules/packages/container/metadata_test.go
+++ b/modules/packages/container/metadata_test.go
@ -17,9 +17,9 @@ func TestParseImageConfig(t *testing.T) {
 	description := "Image Description"
 	author := "Gitea"
 	license := "MIT"
-	projectURL := "https://gitea.io"
+	projectURL := "https://gitea.com"
 	repositoryURL := "https://gitea.com/gitea"
-	documentationURL := "https://docs.gitea.io"
+	documentationURL := "https://docs.gitea.com"

 	configOCI := `{"config": {"labels": {"` + labelAuthors + `": "` + author + `", "` + labelLicenses + `": "` + license + `", "` + labelURL + `": "` + projectURL + `", "` + labelSource + `": "` + repositoryURL + `", "` + labelDocumentation + `": "` + documentationURL + `", "` + labelDescription + `": "` + description + `"}}, "history": [{"created_by": "do it 1"}, {"created_by": "dummy #(nop) do it 2"}]}`

--- a/modules/packages/pub/metadata_test.go
+++ b/modules/packages/pub/metadata_test.go
@ -18,9 +18,9 @@ const (
 	packageName      = "gitea"
 	packageVersion   = "1.0.1"
 	description      = "Package Description"
-	projectURL       = "https://gitea.io"
-	repositoryURL    = "https://gitea.io/gitea/gitea"
-	documentationURL = "https://docs.gitea.io"
+	projectURL       = "https://gitea.com"
+	repositoryURL    = "https://gitea.com/gitea/gitea"
+	documentationURL = "https://docs.gitea.com"
 )

 const pubspecContent = `name: ` + packageName + `
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@ -124,7 +124,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 		ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
 	}

-	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
+	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(8)
 	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
 	DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
--- a/modules/setting/ssh.go
+++ b/modules/setting/ssh.go
@ -60,7 +60,7 @@ var SSH = struct {
 	ServerMACs:                    []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"},
 	KeygenPath:                    "",
 	MinimumKeySizeCheck:           true,
-	MinimumKeySizes:               map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2047},
+	MinimumKeySizes:               map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 3071},
 	ServerHostKeys:                []string{"ssh/gitea.rsa", "ssh/gogs.rsa"},
 	AuthorizedKeysCommandTemplate: "{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}",
 	PerWriteTimeout:               PerWriteTimeout,
--- a/Show More
+++ b/Show More