Fix verifyCommits error when push a new branch (#26664)

> ### Description
> If a new branch is pushed, and the repository has a rule that would
require signed commits for the new branch, the commit is rejected with a
500 error regardless of whether it's signed.
> 
> When pushing a new branch, the "old" commit is the empty ID
(0000000000000000000000000000000000000000). verifyCommits has no
provision for this and passes an invalid commit range to git rev-list.
Prior to 1.19 this wasn't an issue because only pre-existing individual
branches could be protected.
> 
> I was able to reproduce with
[try.gitea.io/CraigTest/test](https://try.gitea.io/CraigTest/test),
which is set up with a blanket rule to require commits on all branches.


Fix #25565
Very thanks to @Craig-Holmquist-NTI for reporting the bug and suggesting
an valid solution!

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

.github/workflows/files-changed.yml

@@ -43,6 +43,8 @@ jobs:
               - "go.mod"
               - "go.sum"
               - "Makefile"
+              - ".golangci.yml"
+              - ".editorconfig"
 
             frontend:
               - "**/*.js"
@@ -51,16 +53,21 @@ jobs:
               - "package.json"
               - "package-lock.json"
               - "Makefile"
+              - ".eslintrc.yaml"
+              - ".stylelintrc.yaml"
+              - ".npmrc"
 
             docs:
               - "**/*.md"
               - "docs/**"
+              - ".markdownlint.yaml"
 
             actions:
               - ".github/workflows/*"
 
             templates:
               - "templates/**/*.tmpl"
+              - "pyproject.toml"
               - "poetry.lock"
 
             docker:
@@ -72,3 +79,6 @@ jobs:
             swagger:
               - "templates/swagger/v1_json.tmpl"
               - "Makefile"
+              - "package.json"
+              - "package-lock.json"
+              - ".spectral.yml"

.golangci.yml

@@ -29,7 +29,7 @@ linters:
   fast: false
 
 run:
-  go: "1.20"
+  go: "1.21"
   timeout: 10m
   skip-dirs:
     - node_modules
@@ -75,7 +75,7 @@ linters-settings:
       - name: modifies-value-receiver
   gofumpt:
     extra-rules: true
-    lang-version: "1.20"
+    lang-version: "1.21"
   depguard:
     rules:
       main:

README.md

@@ -79,10 +79,10 @@ or if SQLite support is required:
 
 The `build` target is split into two sub-targets:
 
-- `make backend` which requires [Go Stable](https://go.dev/dl/), required version is defined in [go.mod](/go.mod).
-- `make frontend` which requires [Node.js LTS](https://nodejs.org/en/download/) or greater and Internet connectivity to download npm dependencies.
+- `make backend` which requires [Go Stable](https://go.dev/dl/), the required version is defined in [go.mod](/go.mod).
+- `make frontend` which requires [Node.js LTS](https://nodejs.org/en/download/) or greater.
 
-When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js and Internet connectivity.
+Internet connectivity is required to download the go and npm modules. When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js.
 
 Parallelism (`make -j <num>`) is not supported.
 

models/fixtures/email_address.yml

@@ -277,3 +277,11 @@
   lower_email: user2-2@example.com
   is_activated: false
   is_primary: false
+
+-
+  id: 36
+  uid: 36
+  email: abcde@gitea.com
+  lower_email: abcde@gitea.com
+  is_activated: true
+  is_primary: false

models/fixtures/gpg_key.yml

@@ -1 +1,23 @@
-[] # empty
+-
+  id: 5
+  owner_id: 36
+  key_id: B15431642629B826
+  primary_key_id:
+  content: xsDNBGTrY3UBDAC2HLBqmMplAV15qSnC7g1c4dV406f5EHNhFr95Nup2My6b2eafTlvedv77s8PT/I7F3fy4apOZs5A7w2SsPlLMcQ3ev4uGOsxRtkq5RLy1Yb6SNueX0Da2UVKR5KTC5Q6BWaqxwS0IjKOLZ/xz0Pbe/ClV3bZSKBEY2omkVo3Z0HZ771vB2clPRvGJ/IdeKOsZ3ZytSFXfyiJBdARmeSPmydXLil8+Ibq5iLAeow5PK8hK1TCOnKHzLWNqcNq70tyjoHvcGi70iGjoVEEUgPCLLuU8WmzTJwlvA3BuDzjtaO7TLo/jdE6iqkHtMSS8x+43sAH6hcFRCWAVh/0Uq7n36uGDfNxGnX3YrmX3LR9x5IsBES1rGGWbpxio4o5GIf/Xd+JgDd9rzJCqRuZ3/sW/TxK38htWaVNZV0kMkHUCTc1ctzWpCm635hbFCHBhPYIp+/z206khkAKDbz/CNuU91Wazsh7KO07wrwDtxfDDbInJ8TfHE2TGjzjQzgChfmcAEQEAAQ==
+  verified: true
+  can_sign: true
+  can_encrypt_comms: true
+  can_encrypt_storage: true
+  can_certify: true
+
+-
+  id: 6
+  owner_id: 36
+  key_id: EE3AF48454AFD619
+  primary_key_id: B15431642629B826
+  content: zsDNBGTrY3UBDADsHrzuOicQaPdUQm0+0UNrs92cESm/j/4yBBUk+sfLZAo6J99c4eh4nAQzzZ7al080rYKB0G+7xoRz1eHcQH6zrVcqB8KYtf/sdY47WaMiMyxM+kTSvzp7tsv7QuSQZ0neUEXRyYMz5ttBfIjWUd+3NDItuHyB+MtNWlS3zXgaUbe5VifqKaNmzN0Ye4yXTKcpypE3AOqPVz+iIFv3c6TmsqLHJaR4VoicCleAqLyF/28WsJO7M9dDW+EM3MZVnsVpycTURyHAJGfSk10waQZAaRwmarCN/q0KEJ+aEAK/SRliUneBZoMO5hY5iBeG432tofwaQqAahPv9uXIb1n2JEMKwnMlMA9UGD1AcDbywfj1m/ZGBBw95i4Ekkfn43RvV3THr7uJU/dRqqP+iic4MwpUrOxqELW/kmeHXlBcNbZZhEEvwRoW7U2/9eeuog4nRleRJ0pi/xOP9wmxkKjaIPIK3phdBtEpVk4w/UTAWNdyIIrFggukeAnZFyGJwlm8AEQEAAQ==
+  verified: true
+  can_sign: true
+  can_encrypt_comms: true
+  can_encrypt_storage: true
+  can_certify: true

models/fixtures/user.yml

@@ -1301,7 +1301,7 @@
   lower_name: limited_org36
   name: limited_org36
   full_name: Limited Org 36
-  email: limited_org36@example.com
+  email: abcde@gitea.com
   keep_email_private: false
   email_notifications_preference: enabled
   passwd: ZogKvWdyEx:password
@@ -1320,7 +1320,7 @@
   allow_create_organization: true
   prohibit_login: false
   avatar: avatar22
-  avatar_email: limited_org36@example.com
+  avatar_email: abcde@gitea.com
   use_custom_avatar: false
   num_followers: 0
   num_following: 0

models/migrations/v1_16/v210.go

@@ -4,7 +4,6 @@
 package v1_16 //nolint
 
 import (
-	"crypto/elliptic"
 	"encoding/base32"
 	"fmt"
 	"strings"
@@ -123,13 +122,17 @@ func RemigrateU2FCredentials(x *xorm.Engine) error {
 				if err != nil {
 					continue
 				}
+				pubKey, err := parsed.PubKey.ECDH()
+				if err != nil {
+					continue
+				}
 				remigrated := &webauthnCredential{
 					ID:              reg.ID,
 					Name:            reg.Name,
 					LowerName:       strings.ToLower(reg.Name),
 					UserID:          reg.UserID,
 					CredentialID:    base32.HexEncoding.EncodeToString(parsed.KeyHandle),
-					PublicKey:       elliptic.Marshal(elliptic.P256(), parsed.PubKey.X, parsed.PubKey.Y),
+					PublicKey:       pubKey.Bytes(),
 					AttestationType: "fido-u2f",
 					AAGUID:          []byte{},
 					SignCount:       reg.Counter,

models/secret/secret.go

@@ -160,3 +160,31 @@ func DeleteSecret(ctx context.Context, orgID, repoID int64, name string) error {
 
 	return nil
 }
+
+// CreateOrUpdateSecret creates or updates a secret and returns true if it was created
+func CreateOrUpdateSecret(ctx context.Context, orgID, repoID int64, name, data string) (bool, error) {
+	sc := new(Secret)
+	name = strings.ToUpper(name)
+	has, err := db.GetEngine(ctx).
+		Where("owner_id=?", orgID).
+		And("repo_id=?", repoID).
+		And("name=?", name).
+		Get(sc)
+	if err != nil {
+		return false, err
+	}
+
+	if !has {
+		_, err = InsertEncryptedSecret(ctx, orgID, repoID, name, data)
+		if err != nil {
+			return false, err
+		}
+		return true, nil
+	}
+
+	if err := UpdateSecret(ctx, orgID, repoID, name, data); err != nil {
+		return false, err
+	}
+
+	return false, nil
+}

modules/git/log_name_status.go

@@ -374,7 +374,6 @@ heaploop:
 			break heaploop
 		}
 		parentRemaining.Remove(current.CommitID)
-		if current.Paths != nil {
 		for i, found := range current.Paths {
 			if !found {
 				continue
@@ -397,7 +396,6 @@ heaploop:
 				}
 			}
 		}
-		}
 
 		if remaining <= 0 {
 			break heaploop

modules/setting/service.go

@@ -223,7 +223,7 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 	Service.UserDeleteWithCommentsMaxTime = sec.Key("USER_DELETE_WITH_COMMENTS_MAX_TIME").MustDuration(0)
 	sec.Key("VALID_SITE_URL_SCHEMES").MustString("http,https")
 	Service.ValidSiteURLSchemes = sec.Key("VALID_SITE_URL_SCHEMES").Strings(",")
-	schemes := make([]string, len(Service.ValidSiteURLSchemes))
+	schemes := make([]string, 0, len(Service.ValidSiteURLSchemes))
 	for _, scheme := range Service.ValidSiteURLSchemes {
 		scheme = strings.ToLower(strings.TrimSpace(scheme))
 		if scheme != "" {

options/locale/locale_en-US.ini

@@ -970,6 +970,7 @@ trust_model_helper_collaborator_committer = Collaborator+Committer: Trust signat
 trust_model_helper_default = Default: Use the default trust model for this installation
 create_repo = Create Repository
 default_branch = Default Branch
+default_branch_label = default
 default_branch_helper = The default branch is the base branch for pull requests and code commits.
 mirror_prune = Prune
 mirror_prune_desc = Remove obsolete remote-tracking references

package-lock.json

@@ -17,21 +17,21 @@
         "@primer/octicons": "19.6.0",
         "@webcomponents/custom-elements": "1.6.0",
         "add-asset-webpack-plugin": "2.0.1",
-        "ansi_up": "6.0.0",
+        "ansi_up": "6.0.2",
         "asciinema-player": "3.5.0",
         "clippie": "4.0.6",
         "css-loader": "6.8.1",
         "dropzone": "6.0.0-beta.2",
         "easymde": "2.18.0",
-        "esbuild-loader": "4.0.0",
+        "esbuild-loader": "4.0.2",
         "escape-goat": "4.0.0",
         "fast-glob": "3.3.1",
-        "jquery": "3.7.0",
+        "jquery": "3.7.1",
         "jquery.are-you-sure": "1.9.0",
         "katex": "0.16.8",
         "license-checker-webpack-plugin": "0.2.1",
         "lightningcss-loader": "2.1.0",
-        "mermaid": "10.3.1",
+        "mermaid": "10.4.0",
         "mini-css-extract-plugin": "2.7.6",
         "minimatch": "9.0.3",
         "monaco-editor": "0.41.0",
@@ -58,16 +58,16 @@
         "@eslint-community/eslint-plugin-eslint-comments": "4.1.0",
         "@playwright/test": "1.37.1",
         "@stoplight/spectral-cli": "6.10.1",
-        "@vitejs/plugin-vue": "4.3.1",
-        "eslint": "8.47.0",
+        "@vitejs/plugin-vue": "4.3.4",
+        "eslint": "8.48.0",
         "eslint-plugin-array-func": "3.1.8",
         "eslint-plugin-custom-elements": "0.0.8",
-        "eslint-plugin-import": "2.28.0",
+        "eslint-plugin-import": "2.28.1",
         "eslint-plugin-jquery": "1.5.1",
         "eslint-plugin-no-jquery": "2.7.0",
         "eslint-plugin-no-use-extend-native": "0.5.0",
         "eslint-plugin-regexp": "1.15.0",
-        "eslint-plugin-sonarjs": "0.20.0",
+        "eslint-plugin-sonarjs": "0.21.0",
         "eslint-plugin-unicorn": "48.0.1",
         "eslint-plugin-vue": "9.17.0",
         "eslint-plugin-vue-scoped-css": "2.5.0",
@@ -80,9 +80,9 @@
         "stylelint-declaration-strict-value": "1.9.2",
         "stylelint-stylistic": "0.4.3",
         "svgo": "3.0.2",
-        "updates": "14.3.5",
+        "updates": "14.4.0",
         "vite-string-plugin": "1.1.2",
-        "vitest": "0.34.2"
+        "vitest": "0.34.3"
       },
       "engines": {
         "node": ">= 16.0.0"
@@ -992,9 +992,9 @@
       }
     },
     "node_modules/@eslint/js": {
-      "version": "8.47.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.47.0.tgz",
-      "integrity": "sha512-P6omY1zv5MItm93kLM8s2vr1HICJH8v0dvddDhysbIuZ+vcjOHg5Zbkf1mTkcmi2JA9oBG2anOkRnW8WJTS8Og==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.48.0.tgz",
+      "integrity": "sha512-ZSjtmelB7IJfWD2Fvb7+Z+ChTIKWq6kjda95fLcQKNS5aheVHn4IkfgRQE3sIIzTcSLwLcLZUD9UBt+V7+h+Pw==",
       "dev": true,
       "engines": {
         "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -1146,9 +1146,9 @@
       }
     },
     "node_modules/@jest/schemas": {
-      "version": "29.6.0",
-      "resolved": "https://registry.npmjs.org/@jest/schemas/-/schemas-29.6.0.tgz",
-      "integrity": "sha512-rxLjXyJBTL4LQeJW3aKo0M/+GkCOXsO+8i9Iu7eDb6KwtP65ayoDsitrdPBtujxQ88k4wI2FNYfa6TOGwSn6cQ==",
+      "version": "29.6.3",
+      "resolved": "https://registry.npmjs.org/@jest/schemas/-/schemas-29.6.3.tgz",
+      "integrity": "sha512-mo5j5X+jIZmJQveBKeS/clAueipV7KgiX1vMgCxam1RNYiqE1w62n0/tJJnHtjW8ZHcQco5gY85jA3mi0L+nSA==",
       "dev": true,
       "dependencies": {
         "@sinclair/typebox": "^0.27.8"
@@ -2030,9 +2030,9 @@
       "dev": true
     },
     "node_modules/@vitejs/plugin-vue": {
-      "version": "4.3.1",
-      "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-4.3.1.tgz",
-      "integrity": "sha512-tUBEtWcF7wFtII7ayNiLNDTCE1X1afySEo+XNVMNkFXaThENyCowIEX095QqbJZGTgoOcSVDJGlnde2NG4jtbQ==",
+      "version": "4.3.4",
+      "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-4.3.4.tgz",
+      "integrity": "sha512-ciXNIHKPriERBisHFBvnTbfKa6r9SAesOYXeGDzgegcvy9Q4xdScSHAmKbNT0M3O0S9LKhIf5/G+UYG4NnnzYw==",
       "dev": true,
       "engines": {
         "node": "^14.18.0 || >=16.0.0"
@@ -2043,13 +2043,13 @@
       }
     },
     "node_modules/@vitest/expect": {
-      "version": "0.34.2",
-      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-0.34.2.tgz",
-      "integrity": "sha512-EZm2dMNlLyIfDMha17QHSQcg2KjeAZaXd65fpPzXY5bvnfx10Lcaz3N55uEe8PhF+w4pw+hmrlHLLlRn9vkBJg==",
+      "version": "0.34.3",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-0.34.3.tgz",
+      "integrity": "sha512-F8MTXZUYRBVsYL1uoIft1HHWhwDbSzwAU9Zgh8S6WFC3YgVb4AnFV2GXO3P5Em8FjEYaZtTnQYoNwwBrlOMXgg==",
       "dev": true,
       "dependencies": {
-        "@vitest/spy": "0.34.2",
-        "@vitest/utils": "0.34.2",
+        "@vitest/spy": "0.34.3",
+        "@vitest/utils": "0.34.3",
         "chai": "^4.3.7"
       },
       "funding": {
@@ -2057,12 +2057,12 @@
       }
     },
     "node_modules/@vitest/runner": {
-      "version": "0.34.2",
-      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-0.34.2.tgz",
-      "integrity": "sha512-8ydGPACVX5tK3Dl0SUwxfdg02h+togDNeQX3iXVFYgzF5odxvaou7HnquALFZkyVuYskoaHUOqOyOLpOEj5XTA==",
+      "version": "0.34.3",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-0.34.3.tgz",
+      "integrity": "sha512-lYNq7N3vR57VMKMPLVvmJoiN4bqwzZ1euTW+XXYH5kzr3W/+xQG3b41xJn9ChJ3AhYOSoweu974S1V3qDcFESA==",
       "dev": true,
       "dependencies": {
-        "@vitest/utils": "0.34.2",
+        "@vitest/utils": "0.34.3",
         "p-limit": "^4.0.0",
         "pathe": "^1.1.1"
       },
@@ -2098,9 +2098,9 @@
       }
     },
     "node_modules/@vitest/snapshot": {
-      "version": "0.34.2",
-      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-0.34.2.tgz",
-      "integrity": "sha512-qhQ+xy3u4mwwLxltS4Pd4SR+XHv4EajiTPNY3jkIBLUApE6/ce72neJPSUQZ7bL3EBuKI+NhvzhGj3n5baRQUQ==",
+      "version": "0.34.3",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-0.34.3.tgz",
+      "integrity": "sha512-QyPaE15DQwbnIBp/yNJ8lbvXTZxS00kRly0kfFgAD5EYmCbYcA+1EEyRalc93M0gosL/xHeg3lKAClIXYpmUiQ==",
       "dev": true,
       "dependencies": {
         "magic-string": "^0.30.1",
@@ -2112,9 +2112,9 @@
       }
     },
     "node_modules/@vitest/snapshot/node_modules/magic-string": {
-      "version": "0.30.2",
-      "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.2.tgz",
-      "integrity": "sha512-lNZdu7pewtq/ZvWUp9Wpf/x7WzMTsR26TWV03BRZrXFsv+BI6dy8RAiKgm1uM/kyR0rCfUcqvOlXKG66KhIGug==",
+      "version": "0.30.3",
+      "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.3.tgz",
+      "integrity": "sha512-B7xGbll2fG/VjP+SWg4sX3JynwIU0mjoTc6MPpKNuIvftk6u6vqhDnk1R80b8C2GBR6ywqy+1DcKBrevBg+bmw==",
       "dev": true,
       "dependencies": {
         "@jridgewell/sourcemap-codec": "^1.4.15"
@@ -2124,9 +2124,9 @@
       }
     },
     "node_modules/@vitest/spy": {
-      "version": "0.34.2",
-      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-0.34.2.tgz",
-      "integrity": "sha512-yd4L9OhfH6l0Av7iK3sPb3MykhtcRN5c5K5vm1nTbuN7gYn+yvUVVsyvzpHrjqS7EWqn9WsPJb7+0c3iuY60tA==",
+      "version": "0.34.3",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-0.34.3.tgz",
+      "integrity": "sha512-N1V0RFQ6AI7CPgzBq9kzjRdPIgThC340DGjdKdPSE8r86aUSmeliTUgkTqLSgtEwWWsGfBQ+UetZWhK0BgJmkQ==",
       "dev": true,
       "dependencies": {
         "tinyspy": "^2.1.1"
@@ -2136,9 +2136,9 @@
       }
     },
     "node_modules/@vitest/utils": {
-      "version": "0.34.2",
-      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-0.34.2.tgz",
-      "integrity": "sha512-Lzw+kAsTPubhoQDp1uVAOP6DhNia1GMDsI9jgB0yMn+/nDaPieYQ88lKqz/gGjSHL4zwOItvpehec9OY+rS73w==",
+      "version": "0.34.3",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-0.34.3.tgz",
+      "integrity": "sha512-kiSnzLG6m/tiT0XEl4U2H8JDBjFtwVlaE8I3QfGiMFR0QvnRDfYfdP3YvTBWM/6iJDAyaPY6yVQiCTUc7ZzTHA==",
       "dev": true,
       "dependencies": {
         "diff-sequences": "^29.4.3",
@@ -2607,9 +2607,9 @@
       }
     },
     "node_modules/ansi_up": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/ansi_up/-/ansi_up-6.0.0.tgz",
-      "integrity": "sha512-3lnYPwXYbCSXQw52OWemps5mgfYuNsX3R5fgkHXoUDpRe8Ex/ivir1AdQLUWkdpQLyQZS/v3ofY8JGQDORwuLQ==",
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/ansi_up/-/ansi_up-6.0.2.tgz",
+      "integrity": "sha512-3G3vKvl1ilEp7J1u6BmULpMA0xVoW/f4Ekqhl8RTrJrhEBkonKn5k3bUc5Xt+qDayA6iDX0jyUh3AbZjB/l0tw==",
       "engines": {
         "node": "*"
       }
@@ -3088,9 +3088,9 @@
       ]
     },
     "node_modules/chai": {
-      "version": "4.3.7",
-      "resolved": "https://registry.npmjs.org/chai/-/chai-4.3.7.tgz",
-      "integrity": "sha512-HLnAzZ2iupm25PlN0xFreAlBA5zaBSv3og0DdeGA4Ar6h6rJ3A0rolRUKJhSF2V10GZKDgWF/VmAEsNWjCRB+A==",
+      "version": "4.3.8",
+      "resolved": "https://registry.npmjs.org/chai/-/chai-4.3.8.tgz",
+      "integrity": "sha512-vX4YvVVtxlfSZ2VecZgFUTU5qPCYsobVI2O9FmwEXBhDigYGQA6jRXCycIs1yJnnWbZ6/+a2zNIF5DfVCcJBFQ==",
       "dev": true,
       "dependencies": {
         "assertion-error": "^1.1.0",
@@ -4222,9 +4222,9 @@
       }
     },
     "node_modules/diff-sequences": {
-      "version": "29.4.3",
-      "resolved": "https://registry.npmjs.org/diff-sequences/-/diff-sequences-29.4.3.tgz",
-      "integrity": "sha512-ofrBgwpPhCD85kMKtE9RYFFq6OC1A89oW2vvgWZNCwxrUpRUILopY7lsYyMDSjc8g6U6aiO0Qubg6r4Wgt5ZnA==",
+      "version": "29.6.3",
+      "resolved": "https://registry.npmjs.org/diff-sequences/-/diff-sequences-29.6.3.tgz",
+      "integrity": "sha512-EjePK1srD3P08o2j4f0ExnylqRs5B9tJjcp9t1krH2qRi8CCdsYfwe9JgSLurFBWwq4uOlipzfk5fHNvwFKr8Q==",
       "dev": true,
       "engines": {
         "node": "^14.15.0 || ^16.10.0 || >=18.0.0"
@@ -4596,12 +4596,12 @@
       }
     },
     "node_modules/esbuild-loader": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/esbuild-loader/-/esbuild-loader-4.0.0.tgz",
-      "integrity": "sha512-J7TJWyHV2YHmflZaXLZ0Vf4wYmixDyGTw26bt4Ok+XOqSyYA4VWAVt2zJGqIfCA7TwZRDKN8hvus4akN2yAbmA==",
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/esbuild-loader/-/esbuild-loader-4.0.2.tgz",
+      "integrity": "sha512-kj88m0yrtTEJDeUEF+3TZsq7t9VPzQQj7UmXAzUbIaipoYSrd0UxKAcg4l9CBgP8uVoploiw+nKr8DIv6Y9gXw==",
       "dependencies": {
         "esbuild": "^0.19.0",
-        "get-tsconfig": "^4.6.2",
+        "get-tsconfig": "^4.7.0",
         "loader-utils": "^2.0.4",
         "webpack-sources": "^1.4.3"
       },
@@ -4644,15 +4644,15 @@
       }
     },
     "node_modules/eslint": {
-      "version": "8.47.0",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.47.0.tgz",
-      "integrity": "sha512-spUQWrdPt+pRVP1TTJLmfRNJJHHZryFmptzcafwSvHsceV81djHOdnEeDmkdotZyLNjDhrOasNK8nikkoG1O8Q==",
+      "version": "8.48.0",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.48.0.tgz",
+      "integrity": "sha512-sb6DLeIuRXxeM1YljSe1KEx9/YYeZFQWcV8Rq9HfigmdDEugjLEVEa1ozDjL6YDjBpQHPJxJzze+alxi4T3OLg==",
       "dev": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.2.0",
         "@eslint-community/regexpp": "^4.6.1",
         "@eslint/eslintrc": "^2.1.2",
-        "@eslint/js": "^8.47.0",
+        "@eslint/js": "8.48.0",
         "@humanwhocodes/config-array": "^0.11.10",
         "@humanwhocodes/module-importer": "^1.0.1",
         "@nodelib/fs.walk": "^1.2.8",
@@ -4765,9 +4765,9 @@
       }
     },
     "node_modules/eslint-plugin-import": {
-      "version": "2.28.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.28.0.tgz",
-      "integrity": "sha512-B8s/n+ZluN7sxj9eUf7/pRFERX0r5bnFA2dCaLHy2ZeaQEAz0k+ZZkFWRFHJAqxfxQDx6KLv9LeIki7cFdwW+Q==",
+      "version": "2.28.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-import/-/eslint-plugin-import-2.28.1.tgz",
+      "integrity": "sha512-9I9hFlITvOV55alzoKBI+K9q74kv0iKMeY6av5+umsNwayt59fz692daGyjR+oStBQgx6nwR9rXldDev3Clw+A==",
       "dev": true,
       "dependencies": {
         "array-includes": "^3.1.6",
@@ -4779,13 +4779,12 @@
         "eslint-import-resolver-node": "^0.3.7",
         "eslint-module-utils": "^2.8.0",
         "has": "^1.0.3",
-        "is-core-module": "^2.12.1",
+        "is-core-module": "^2.13.0",
         "is-glob": "^4.0.3",
         "minimatch": "^3.1.2",
         "object.fromentries": "^2.0.6",
         "object.groupby": "^1.0.0",
         "object.values": "^1.1.6",
-        "resolve": "^1.22.3",
         "semver": "^6.3.1",
         "tsconfig-paths": "^3.14.2"
       },
@@ -4904,9 +4903,9 @@
       }
     },
     "node_modules/eslint-plugin-sonarjs": {
-      "version": "0.20.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-0.20.0.tgz",
-      "integrity": "sha512-BRhZ7BY/oTr6DDaxvx58ReTg7R+J8T+Y2ZVGgShgpml25IHBTIG7EudUtHuJD1zhtMgUEt59x3VNvUQRo2LV6w==",
+      "version": "0.21.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-0.21.0.tgz",
+      "integrity": "sha512-oezUDfFT5S6j3rQheZ4DLPrbetPmMS7zHIKWGHr0CM3g5JgyZroz1FpIKa4jV83NsGpmgIeagpokWDKIJzRQmw==",
       "dev": true,
       "engines": {
         "node": ">=14"
@@ -6463,9 +6462,9 @@
       }
     },
     "node_modules/jquery": {
-      "version": "3.7.0",
-      "resolved": "https://registry.npmjs.org/jquery/-/jquery-3.7.0.tgz",
-      "integrity": "sha512-umpJ0/k8X0MvD1ds0P9SfowREz2LenHsQaxSohMZ5OMNEU2r0tf8pdeEFTHMFxWVxKNyU9rTtK3CWzUCTKJUeQ=="
+      "version": "3.7.1",
+      "resolved": "https://registry.npmjs.org/jquery/-/jquery-3.7.1.tgz",
+      "integrity": "sha512-m4avr8yL8kmFN8psrbFFFmB/If14iN5o9nw/NgnnM+kybDJpRsAynV2BsfpTYrTRysYUdADVD7CkUUizgkpLfg=="
     },
     "node_modules/jquery.are-you-sure": {
       "version": "1.9.0",
@@ -7417,9 +7416,9 @@
       }
     },
     "node_modules/mermaid": {
-      "version": "10.3.1",
-      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-10.3.1.tgz",
-      "integrity": "sha512-hkenh7WkuRWPcob3oJtrN3W+yzrrIYuWF1OIfk/d0xGE8UWlvDhfexaHmDwwe8DKQgqMLI8DWEPwGprxkumjuw==",
+      "version": "10.4.0",
+      "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-10.4.0.tgz",
+      "integrity": "sha512-4QCQLp79lvz7UZxow5HUX7uWTPJOaQBVExduo91tliXC7v78i6kssZOPHxLL+Xs30KU72cpPn3g3imw/xm/gaw==",
       "dependencies": {
         "@braintree/sanitize-url": "^6.0.1",
         "@types/d3-scale": "^4.0.3",
@@ -7969,15 +7968,15 @@
       }
     },
     "node_modules/mlly": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.4.0.tgz",
-      "integrity": "sha512-ua8PAThnTwpprIaU47EPeZ/bPUVp2QYBbWMphUQpVdBI3Lgqzm5KZQ45Agm3YJedHXaIHl6pBGabaLSUPPSptg==",
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.4.1.tgz",
+      "integrity": "sha512-SCDs78Q2o09jiZiE2WziwVBEqXQ02XkGdUy45cbJf+BpYRIjArXRJ1Wbowxkb+NaM9DWvS3UC9GiO/6eqvQ/pg==",
       "dev": true,
       "dependencies": {
-        "acorn": "^8.9.0",
+        "acorn": "^8.10.0",
         "pathe": "^1.1.1",
         "pkg-types": "^1.0.3",
-        "ufo": "^1.1.2"
+        "ufo": "^1.3.0"
       }
     },
     "node_modules/monaco-editor": {
@@ -8797,12 +8796,12 @@
       }
     },
     "node_modules/pretty-format": {
-      "version": "29.6.2",
-      "resolved": "https://registry.npmjs.org/pretty-format/-/pretty-format-29.6.2.tgz",
-      "integrity": "sha512-1q0oC8eRveTg5nnBEWMXAU2qpv65Gnuf2eCQzSjxpWFkPaPARwqZZDGuNE0zPAZfTCHzIk3A8dIjwlQKKLphyg==",
+      "version": "29.6.3",
+      "resolved": "https://registry.npmjs.org/pretty-format/-/pretty-format-29.6.3.tgz",
+      "integrity": "sha512-ZsBgjVhFAj5KeK+nHfF1305/By3lechHQSMWCTl8iHSbfOm2TN5nHEtFc/+W7fAyUeCs2n5iow72gld4gW0xDw==",
       "dev": true,
       "dependencies": {
-        "@jest/schemas": "^29.6.0",
+        "@jest/schemas": "^29.6.3",
         "ansi-styles": "^5.0.0",
         "react-is": "^18.0.0"
       },
@@ -10511,9 +10510,9 @@
       "dev": true
     },
     "node_modules/ufo": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/ufo/-/ufo-1.2.0.tgz",
-      "integrity": "sha512-RsPyTbqORDNDxqAdQPQBpgqhWle1VcTSou/FraClYlHf6TZnQcGslpLcAphNR+sQW4q5lLWLbOsRlh9j24baQg==",
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/ufo/-/ufo-1.3.0.tgz",
+      "integrity": "sha512-bRn3CsoojyNStCZe0BG0Mt4Nr/4KF+rhFlnNXybgqt5pXHNFRlqinSoQaTrGyzE4X8aHplSb+TorH+COin9Yxw==",
       "dev": true
     },
     "node_modules/uint8-to-base64": {
@@ -10587,9 +10586,9 @@
       }
     },
     "node_modules/updates": {
-      "version": "14.3.5",
-      "resolved": "https://registry.npmjs.org/updates/-/updates-14.3.5.tgz",
-      "integrity": "sha512-kx1sm2RXd9guF3lAmAaC8mpfAlG5iSPHiPkSJtEC5d/Gaa+NoxwxcuySb0c5pBFlzuGGU8ZxxQ0qRl9HLfwRRg==",
+      "version": "14.4.0",
+      "resolved": "https://registry.npmjs.org/updates/-/updates-14.4.0.tgz",
+      "integrity": "sha512-fAB49LEq46XlJfQmLDWHt3Yt7XpSAxj1GwO6MxgEMHlGbhyGLSNu2hPYuSzipNRhO7phJNp8UDi0kikn/RAwwQ==",
       "dev": true,
       "bin": {
         "updates": "bin/updates.js"
@@ -10736,9 +10735,9 @@
       }
     },
     "node_modules/vite-node": {
-      "version": "0.34.2",
-      "resolved": "https://registry.npmjs.org/vite-node/-/vite-node-0.34.2.tgz",
-      "integrity": "sha512-JtW249Zm3FB+F7pQfH56uWSdlltCo1IOkZW5oHBzeQo0iX4jtC7o1t9aILMGd9kVekXBP2lfJBEQt9rBh07ebA==",
+      "version": "0.34.3",
+      "resolved": "https://registry.npmjs.org/vite-node/-/vite-node-0.34.3.tgz",
+      "integrity": "sha512-+0TzJf1g0tYXj6tR2vEyiA42OPq68QkRZCu/ERSo2PtsDJfBpDyEfuKbRvLmZqi/CgC7SCBtyC+WjTGNMRIaig==",
       "dev": true,
       "dependencies": {
         "cac": "^6.7.14",
@@ -11173,19 +11172,19 @@
       }
     },
     "node_modules/vitest": {
-      "version": "0.34.2",
-      "resolved": "https://registry.npmjs.org/vitest/-/vitest-0.34.2.tgz",
-      "integrity": "sha512-WgaIvBbjsSYMq/oiMlXUI7KflELmzM43BEvkdC/8b5CAod4ryAiY2z8uR6Crbi5Pjnu5oOmhKa9sy7uk6paBxQ==",
+      "version": "0.34.3",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-0.34.3.tgz",
+      "integrity": "sha512-7+VA5Iw4S3USYk+qwPxHl8plCMhA5rtfwMjgoQXMT7rO5ldWcdsdo3U1QD289JgglGK4WeOzgoLTsGFu6VISyQ==",
       "dev": true,
       "dependencies": {
         "@types/chai": "^4.3.5",
         "@types/chai-subset": "^1.3.3",
         "@types/node": "*",
-        "@vitest/expect": "0.34.2",
-        "@vitest/runner": "0.34.2",
-        "@vitest/snapshot": "0.34.2",
-        "@vitest/spy": "0.34.2",
-        "@vitest/utils": "0.34.2",
+        "@vitest/expect": "0.34.3",
+        "@vitest/runner": "0.34.3",
+        "@vitest/snapshot": "0.34.3",
+        "@vitest/spy": "0.34.3",
+        "@vitest/utils": "0.34.3",
         "acorn": "^8.9.0",
         "acorn-walk": "^8.2.0",
         "cac": "^6.7.14",
@@ -11200,7 +11199,7 @@
         "tinybench": "^2.5.0",
         "tinypool": "^0.7.0",
         "vite": "^3.0.0 || ^4.0.0",
-        "vite-node": "0.34.2",
+        "vite-node": "0.34.3",
         "why-is-node-running": "^2.2.2"
       },
       "bin": {

package.json

@@ -16,21 +16,21 @@
     "@primer/octicons": "19.6.0",
     "@webcomponents/custom-elements": "1.6.0",
     "add-asset-webpack-plugin": "2.0.1",
-    "ansi_up": "6.0.0",
+    "ansi_up": "6.0.2",
     "asciinema-player": "3.5.0",
     "clippie": "4.0.6",
     "css-loader": "6.8.1",
     "dropzone": "6.0.0-beta.2",
     "easymde": "2.18.0",
-    "esbuild-loader": "4.0.0",
+    "esbuild-loader": "4.0.2",
     "escape-goat": "4.0.0",
     "fast-glob": "3.3.1",
-    "jquery": "3.7.0",
+    "jquery": "3.7.1",
     "jquery.are-you-sure": "1.9.0",
     "katex": "0.16.8",
     "license-checker-webpack-plugin": "0.2.1",
     "lightningcss-loader": "2.1.0",
-    "mermaid": "10.3.1",
+    "mermaid": "10.4.0",
     "mini-css-extract-plugin": "2.7.6",
     "minimatch": "9.0.3",
     "monaco-editor": "0.41.0",
@@ -57,16 +57,16 @@
     "@eslint-community/eslint-plugin-eslint-comments": "4.1.0",
     "@playwright/test": "1.37.1",
     "@stoplight/spectral-cli": "6.10.1",
-    "@vitejs/plugin-vue": "4.3.1",
-    "eslint": "8.47.0",
+    "@vitejs/plugin-vue": "4.3.4",
+    "eslint": "8.48.0",
     "eslint-plugin-array-func": "3.1.8",
     "eslint-plugin-custom-elements": "0.0.8",
-    "eslint-plugin-import": "2.28.0",
+    "eslint-plugin-import": "2.28.1",
     "eslint-plugin-jquery": "1.5.1",
     "eslint-plugin-no-jquery": "2.7.0",
     "eslint-plugin-no-use-extend-native": "0.5.0",
     "eslint-plugin-regexp": "1.15.0",
-    "eslint-plugin-sonarjs": "0.20.0",
+    "eslint-plugin-sonarjs": "0.21.0",
     "eslint-plugin-unicorn": "48.0.1",
     "eslint-plugin-vue": "9.17.0",
     "eslint-plugin-vue-scoped-css": "2.5.0",
@@ -79,9 +79,9 @@
     "stylelint-declaration-strict-value": "1.9.2",
     "stylelint-stylistic": "0.4.3",
     "svgo": "3.0.2",
-    "updates": "14.3.5",
+    "updates": "14.4.0",
     "vite-string-plugin": "1.1.2",
-    "vitest": "0.34.2"
+    "vitest": "0.34.3"
   },
   "browserslist": [
     "defaults",

routers/api/actions/runner/utils.go

@@ -55,8 +55,12 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 
 func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
 	secrets := map[string]string{}
+
+	secrets["GITHUB_TOKEN"] = task.Token
+	secrets["GITEA_TOKEN"] = task.Token
+
 	if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
-		// ignore secrets for fork pull request
+		// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
 		// for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch
 		// see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
 		return secrets
@@ -82,13 +86,6 @@ func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[s
 		}
 	}
 
-	if _, ok := secrets["GITHUB_TOKEN"]; !ok {
-		secrets["GITHUB_TOKEN"] = task.Token
-	}
-	if _, ok := secrets["GITEA_TOKEN"]; !ok {
-		secrets["GITEA_TOKEN"] = task.Token
-	}
-
 	return secrets
 }
 

routers/api/v1/api.go

@@ -933,6 +933,10 @@ func Routes() *web.Route {
 					m.Post("/accept", repo.AcceptTransfer)
 					m.Post("/reject", repo.RejectTransfer)
 				}, reqToken())
+				m.Group("/actions/secrets", func() {
+					m.Combo("/{secretname}").
+						Put(reqToken(), reqOwner(), bind(api.CreateOrUpdateSecretOption{}), repo.CreateOrUpdateSecret)
+				})
 				m.Group("/hooks/git", func() {
 					m.Combo("").Get(repo.ListGitHooks)
 					m.Group("/{id}", func() {
@@ -1301,7 +1305,7 @@ func Routes() *web.Route {
 			m.Group("/actions/secrets", func() {
 				m.Get("", reqToken(), reqOrgOwnership(), org.ListActionsSecrets)
 				m.Combo("/{secretname}").
-					Put(reqToken(), reqOrgOwnership(), bind(api.CreateOrUpdateSecretOption{}), org.CreateOrUpdateOrgSecret).
+					Put(reqToken(), reqOrgOwnership(), bind(api.CreateOrUpdateSecretOption{}), org.CreateOrUpdateSecret).
 					Delete(reqToken(), reqOrgOwnership(), org.DeleteOrgSecret)
 			})
 			m.Group("/public_members", func() {

routers/api/v1/org/action.go

@@ -74,7 +74,7 @@ func listActionsSecrets(ctx *context.APIContext) {
 }
 
 // create or update one secret of the organization
-func CreateOrUpdateOrgSecret(ctx *context.APIContext) {
+func CreateOrUpdateSecret(ctx *context.APIContext) {
 	// swagger:operation PUT /orgs/{org}/actions/secrets/{secretname} organization updateOrgSecret
 	// ---
 	// summary: Create or Update a secret value in an organization
@@ -108,28 +108,19 @@ func CreateOrUpdateOrgSecret(ctx *context.APIContext) {
 	//     "$ref": "#/responses/forbidden"
 	secretName := ctx.Params(":secretname")
 	if err := actions.NameRegexMatch(secretName); err != nil {
-		ctx.Error(http.StatusBadRequest, "CreateOrUpdateOrgSecret", err)
+		ctx.Error(http.StatusBadRequest, "CreateOrUpdateSecret", err)
 		return
 	}
 	opt := web.GetForm(ctx).(*api.CreateOrUpdateSecretOption)
-	err := secret_model.UpdateSecret(
-		ctx, ctx.Org.Organization.ID, 0, secretName, opt.Data,
-	)
-	if secret_model.IsErrSecretNotFound(err) {
-		_, err := secret_model.InsertEncryptedSecret(
-			ctx, ctx.Org.Organization.ID, 0, secretName, actions.ReserveLineBreakForTextarea(opt.Data),
-		)
+	isCreated, err := secret_model.CreateOrUpdateSecret(ctx, ctx.Org.Organization.ID, 0, secretName, opt.Data)
 	if err != nil {
-			ctx.Error(http.StatusInternalServerError, "InsertEncryptedSecret", err)
+		ctx.Error(http.StatusInternalServerError, "CreateOrUpdateSecret", err)
 		return
 	}
+	if isCreated {
 		ctx.Status(http.StatusCreated)
 		return
 	}
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "UpdateSecret", err)
-		return
-	}
 
 	ctx.Status(http.StatusNoContent)
 }

routers/api/v1/repo/action.go

@@ -0,0 +1,75 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package repo
+
+import (
+	"net/http"
+
+	secret_model "code.gitea.io/gitea/models/secret"
+	"code.gitea.io/gitea/modules/context"
+	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/routers/web/shared/actions"
+)
+
+// create or update one secret of the repository
+func CreateOrUpdateSecret(ctx *context.APIContext) {
+	// swagger:operation PUT /repos/{owner}/{repo}/actions/secrets/{secretname} repository updateRepoSecret
+	// ---
+	// summary: Create or Update a secret value in a repository
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repository
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repository
+	//   type: string
+	//   required: true
+	// - name: secretname
+	//   in: path
+	//   description: name of the secret
+	//   type: string
+	//   required: true
+	// - name: body
+	//   in: body
+	//   schema:
+	//     "$ref": "#/definitions/CreateOrUpdateSecretOption"
+	// responses:
+	//   "201":
+	//     description: response when creating a secret
+	//   "204":
+	//     description: response when updating a secret
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+
+	owner := ctx.Repo.Owner
+	repo := ctx.Repo.Repository
+
+	secretName := ctx.Params(":secretname")
+	if err := actions.NameRegexMatch(secretName); err != nil {
+		ctx.Error(http.StatusBadRequest, "CreateOrUpdateSecret", err)
+		return
+	}
+	opt := web.GetForm(ctx).(*api.CreateOrUpdateSecretOption)
+	isCreated, err := secret_model.CreateOrUpdateSecret(ctx, owner.ID, repo.ID, secretName, opt.Data)
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "CreateOrUpdateSecret", err)
+		return
+	}
+	if isCreated {
+		ctx.Status(http.StatusCreated)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}

routers/api/v1/repo/pull.go

@@ -326,11 +326,9 @@ func CreatePullRequest(ctx *context.APIContext) {
 			return
 		}
 
-		labelIDs = make([]int64, len(form.Labels))
-		orgLabelIDs := make([]int64, len(form.Labels))
-
-		for i := range labels {
-			labelIDs[i] = labels[i].ID
+		labelIDs = make([]int64, 0, len(labels))
+		for _, label := range labels {
+			labelIDs = append(labelIDs, label.ID)
 		}
 
 		if ctx.Repo.Owner.IsOrganization() {
@@ -340,13 +338,13 @@ func CreatePullRequest(ctx *context.APIContext) {
 				return
 			}
 
-			for i := range orgLabels {
-				orgLabelIDs[i] = orgLabels[i].ID
+			orgLabelIDs := make([]int64, 0, len(orgLabels))
+			for _, orgLabel := range orgLabels {
+				orgLabelIDs = append(orgLabelIDs, orgLabel.ID)
 			}
-		}
-
 			labelIDs = append(labelIDs, orgLabelIDs...)
 		}
+	}
 
 	if form.Milestone > 0 {
 		milestone, err := issues_model.GetMilestoneByRepoID(ctx, ctx.Repo.Repository.ID, form.Milestone)

routers/private/hook_verification.go

@@ -28,9 +28,17 @@ func verifyCommits(oldCommitID, newCommitID string, repo *git.Repository, env []
 		_ = stdoutWriter.Close()
 	}()
 
+	var command *git.Command
+	if oldCommitID == git.EmptySHA {
+		// When creating a new branch, the oldCommitID is empty, by using "newCommitID --not --all":
+		// List commits that are reachable by following the newCommitID, exclude "all" existing heads/tags commits
+		// So, it only lists the new commits received, doesn't list the commits already present in the receiving repository
+		command = git.NewCommand(repo.Ctx, "rev-list").AddDynamicArguments(newCommitID).AddArguments("--not", "--all")
+	} else {
+		command = git.NewCommand(repo.Ctx, "rev-list").AddDynamicArguments(oldCommitID + "..." + newCommitID)
+	}
 	// This is safe as force pushes are already forbidden
-	err = git.NewCommand(repo.Ctx, "rev-list").AddDynamicArguments(oldCommitID + "..." + newCommitID).
-		Run(&git.RunOpts{
+	err = command.Run(&git.RunOpts{
 		Env:    env,
 		Dir:    repo.Path,
 		Stdout: stdoutWriter,

routers/private/hook_verification_test.go

@@ -0,0 +1,43 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package private
+
+import (
+	"context"
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/git"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var testReposDir = "tests/repos/"
+
+func TestVerifyCommits(t *testing.T) {
+	unittest.PrepareTestEnv(t)
+
+	gitRepo, err := git.OpenRepository(context.Background(), testReposDir+"repo1_hook_verification")
+	defer gitRepo.Close()
+	assert.NoError(t, err)
+
+	testCases := []struct {
+		base, head string
+		verified   bool
+	}{
+		{"72920278f2f999e3005801e5d5b8ab8139d3641c", "d766f2917716d45be24bfa968b8409544941be32", true},
+		{git.EmptySHA, "93eac826f6188f34646cea81bf426aa5ba7d3bfe", true}, // New branch with verified commit
+		{"9779d17a04f1e2640583d35703c62460b2d86e0a", "72920278f2f999e3005801e5d5b8ab8139d3641c", false},
+		{git.EmptySHA, "9ce3f779ae33f31fce17fac3c512047b75d7498b", false}, // New branch with unverified commit
+	}
+
+	for _, tc := range testCases {
+		err = verifyCommits(tc.base, tc.head, gitRepo, nil)
+		if tc.verified {
+			assert.NoError(t, err)
+		} else {
+			assert.Error(t, err)
+		}
+	}
+}

routers/private/main_test.go

@@ -0,0 +1,17 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package private
+
+import (
+	"path/filepath"
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+)
+
+func TestMain(m *testing.M) {
+	unittest.MainTest(m, &unittest.TestOptions{
+		GiteaRootPath: filepath.Join("..", ".."),
+	})
+}

routers/private/tests/repos/repo1_hook_verification/HEAD

@@ -0,0 +1 @@
+ref: refs/heads/main

routers/private/tests/repos/repo1_hook_verification/config

@@ -0,0 +1,6 @@
+[core]
+	repositoryformatversion = 0
+	filemode = false
+	bare = true
+	symlinks = false
+	ignorecase = true

routers/private/tests/repos/repo1_hook_verification/info/refs

@@ -0,0 +1 @@
+d766f2917716d45be24bfa968b8409544941be32	refs/heads/main

routers/private/tests/repos/repo1_hook_verification/logs/HEAD

@@ -0,0 +1 @@
+0000000000000000000000000000000000000000 d766f2917716d45be24bfa968b8409544941be32 Gitea <gitea@fake.local> 1693148474 +0800	push

routers/private/tests/repos/repo1_hook_verification/logs/refs/heads/main

@@ -0,0 +1 @@
+0000000000000000000000000000000000000000 d766f2917716d45be24bfa968b8409544941be32 Gitea <gitea@fake.local> 1693148474 +0800	push

routers/private/tests/repos/repo1_hook_verification/objects/72/920278f2f999e3005801e5d5b8ab8139d3641c

@@ -0,0 +1,2 @@
+x
•ŽK
+1]çÙÒéüAÄS¸ï$Í"32ooð®ŠWð òÞ{›!žæ`–˜JC%¡.˜$Ár]sѱe$ïmòâMƒ·)£÷±(O`ªbtlÐE[:;4–àHÐ1_û<5F>”rayýáþl“é’÷~“ÊE­L@cå€Xv…Mþã":µMÛƒG«_}À?Ý

routers/private/tests/repos/repo1_hook_verification/objects/97/79d17a04f1e2640583d35703c62460b2d86e0a

@@ -0,0 +1,2 @@
+x
•<>1
+!ES{ŠéAwGGa	9EúQgW·Èí#¹AªÞû©ÕZ§/£‹€³Œ–p±ì(¤(<28>ó®óBhÈÛ¼&ᙟãÝ:pLY`ûÍãU†ð-µzŸÁ°ô†\µ×ZM:<3A>†ü¡¨Êå€óxJ/ûG}
:µ3

routers/private/tests/repos/repo1_hook_verification/objects/cb/a4c30c196a0e03e7bdf6eeb8393d14b9d073aa

@@ -0,0 +1,3 @@
+x
•ŽA
+Â0E]ç³$™L“ˆx•L2µ]´•<C2B4>
+ÞÞê
\}ø¼ÿøe[–¹:{êM’°õZ5bŠ8$¡–Ävž°fÉRÍ37];Ôˆìbt¡Ò úå3‡$‰,tXœ¨G“÷>m
²”ªpýÅý1wÍ—²-7p<37>½£Ä„p¶ÉZs´Ç±®L̾¾´Íã¤åµLæëe@ó

routers/private/tests/repos/repo1_hook_verification/objects/d7/66f2917716d45be24bfa968b8409544941be32

@@ -0,0 +1,3 @@
+x
•’Ë®«FE3æ+zn%44æ!%Qxƒ<78>Û€
s˜AÓ`8Øæëã{£Ì2IM¶j•ª´¥Údèûf²Ìý2<C3BD>”‚"‡$§e‰¶
+-(â ­Ä!´ÝJ"åaŲ@•BaîùHo3 ŸVØòå<$<24>/)å$JøJD’B¡•H¤§˜ü{¾#ÈRRðûOù«nfšÿF†þOÀ‰
+âq[°<>2„̇~ŒÍô¬Ô÷zjjðë<C3B0>ÒLÛÅÀ·}prm¬Fqhþä`@Ø«¦ªš®ª¥Õ˜fî?3Ç[7Š³…ê¨Ð)	^™þuÿÖ¿,µ<>Æl7©zÝÿr|&«Ou4<75>Ø9Ó:µÎQjôû·êÕ1x±õå6ÍQ‡÷ƒÀ%Áåtû‰sò¸íV‰|( V¿<56>,aL,ù«G~²Ç<16>¹‹<C2B9>‹r¥ùûî@·`·Àþ$[!	XËŠep©Œæ[8	oýä(›« k£Z´Î³yóeйÙÆÄ«Y²¿kÖd€¯6•3¾;3ÜÔ	RÔiÞ‹dYÓDk91V]/Cê#º¾&ÿêpo´Fáb¯‹¶}§¹ô¦òuW&]+m xaqdÜIõX¯þ3
Žƒ3¶×ÆK’ÚÓI#Æi_ärgðñÁ<C3B1>ôôõÄ©7<C2A9>=ú`@[õŠ&AóṲ̂ÞLÖo–‹3~MÆóõü8MGtö²ï>ÄôŒx›¼vQ²(…<>aÅÄWŸo"¡Ës±r‰z”°eÓÅ­}å†QDñ
óÖ¨fK)ó˜mÆr>>•ª†¿‚†ÝÌš$ÇF8³x™
Ä×^J<>k{mczþI*²^ÆMb‡þ	m¸6Š”M~h¹pÕÍ
{¡¡±0€ö•]€?nUwgþÉ ‰<C2A0>ÿJ ³Ð±©Þ<ó7Û2

routers/private/tests/repos/repo1_hook_verification/objects/info/packs

@@ -0,0 +1 @@
+

routers/private/tests/repos/repo1_hook_verification/objects/tmp_objdir-incoming-a21648/cb/a4c30c196a0e03e7bdf6eeb8393d14b9d073aa

@@ -0,0 +1,3 @@
+x
•ŽA
+Â0E]ç³$™L“ˆx•L2µ]´•<C2B4>
+ÞÞê
\}ø¼ÿøe[–¹:{êM’°õZ5bŠ8$¡–Ävž°fÉRÍ37];Ôˆìbt¡Ò úå3‡$‰,tXœ¨G“÷>m
²”ªpýÅý1wÍ—²-7p<37>½£Ä„p¶ÉZs´Ç±®L̾¾´Íã¤åµLæëe@ó

routers/private/tests/repos/repo1_hook_verification/refs/heads/main

@@ -0,0 +1 @@
+d766f2917716d45be24bfa968b8409544941be32

routers/private/tests/repos/repo1_hook_verification_dummy_gpg_key.txt

@@ -0,0 +1,127 @@
+# GPG key for abcde@gitea.com
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGTrY3UBDAC2HLBqmMplAV15qSnC7g1c4dV406f5EHNhFr95Nup2My6b2eaf
+Tlvedv77s8PT/I7F3fy4apOZs5A7w2SsPlLMcQ3ev4uGOsxRtkq5RLy1Yb6SNueX
+0Da2UVKR5KTC5Q6BWaqxwS0IjKOLZ/xz0Pbe/ClV3bZSKBEY2omkVo3Z0HZ771vB
+2clPRvGJ/IdeKOsZ3ZytSFXfyiJBdARmeSPmydXLil8+Ibq5iLAeow5PK8hK1TCO
+nKHzLWNqcNq70tyjoHvcGi70iGjoVEEUgPCLLuU8WmzTJwlvA3BuDzjtaO7TLo/j
+dE6iqkHtMSS8x+43sAH6hcFRCWAVh/0Uq7n36uGDfNxGnX3YrmX3LR9x5IsBES1r
+GGWbpxio4o5GIf/Xd+JgDd9rzJCqRuZ3/sW/TxK38htWaVNZV0kMkHUCTc1ctzWp
+Cm635hbFCHBhPYIp+/z206khkAKDbz/CNuU91Wazsh7KO07wrwDtxfDDbInJ8TfH
+E2TGjzjQzgChfmcAEQEAAbQXYWJjZGUgPGFiY2RlQGdpdGVhLmNvbT6JAc4EEwEI
+ADgWIQRo/BkcvP70fnQCv16xVDFkJim4JgUCZOtjdQIbAwULCQgHAgYVCgkICwIE
+FgIDAQIeAQIXgAAKCRCxVDFkJim4Js6+C/9yIjHqcyM88hQAYQUoiPYfgJ0f2NsD
+Ai/XypyDaFbRy9Wqm3oKvMr9L9G5xgOXshjRaRWOpODAwLmtVrJfOV5BhxLEcBcO
+2hDdM3ycp8Gt7+Fx/o0cUjPiiC18hh3K5LRfeE7oYynSJDgjoDNuzIMuyoWuJPNc
++IcE4roND55qyyyC9ObrTLz1GgGm1bXtkHhZ1NdOfQ4q8M48K39Jn7pmnmSX3R74
+CSU6flh/o9AtzGLjU70JUOLFcWnR5D0iEI8mOsdfEHr+p+CvDVG9l4unPhMunT+Q
+OUwV2DEmqo9P+yIert1ucVTDoSf+FrRaKUHg8r1Tt6T4/4GyIeSxG72NImK0h8jz
++bADPZhxuG4UR1Mj8bilqhWgODFPi/5DrDsNMWq1pEvjn6f4pCUx0IDTnPTniOXt
+afXtAD4Rz0rwJWYqgeJFHgjXzaxBiOE1bhS26NPEvyAa0T9Tj3E73ICMESAmVad2
+JqO/mVxkLDGWdpXM7qB8bO2YGMOplrTvWaa5AY0EZOtjdQEMAOwevO46JxBo91RC
+bT7RQ2uz3ZwRKb+P/jIEFST6x8tkCjon31zh6HicBDPNntqXTzStgoHQb7vGhHPV
+4dxAfrOtVyoHwpi1/+x1jjtZoyIzLEz6RNK/Onu2y/tC5JBnSd5QRdHJgzPm20F8
+iNZR37c0Mi24fIH4y01aVLfNeBpRt7lWJ+opo2bM3Rh7jJdMpynKkTcA6o9XP6Ig
+W/dzpOayosclpHhWiJwKV4CovIX/bxawk7sz10Nb4QzcxlWexWnJxNRHIcAkZ9KT
+XTBpBkBpHCZqsI3+rQoQn5oQAr9JGWJSd4Fmgw7mFjmIF4bjfa2h/BpCoBqE+/25
+chvWfYkQwrCcyUwD1QYPUBwNvLB+PWb9kYEHD3mLgSSR+fjdG9XdMevu4lT91Gqo
+/6KJzgzClSs7GoQtb+SZ4deUFw1tlmEQS/BGhbtTb/1566iDidGV5EnSmL/E4/3C
+bGQqNog8gremF0G0SlWTjD9RMBY13IgisWCC6R4CdkXIYnCWbwARAQABiQG2BBgB
+CAAgFiEEaPwZHLz+9H50Ar9esVQxZCYpuCYFAmTrY3UCGwwACgkQsVQxZCYpuCb1
+AAv/dI5YtGxBXaHAMj+lOLmZi5w4t0M7Zafa8tNnWrBwj4KixiXEt52i5YKxuaVD
+3+/cMqidSDp0M5Cxx0wcmnmg+mdFFcowtXIXuk1TGTcHcOCPoXgF6gfoGimNNE1A
+w1+EnC4/TbjMCKEM7b2QZ7/CgkBxZJWbScN4Jtawory9LEQqo0/epYJwf+79GHIJ
+rpODAPiPJEMKmlej23KyoFuusOi17C0vHCf3GZNj4F2So3LOrcs51qTlOum2MdL5
+oTdqffatzs6p4u5bHBxyRugQlQggTRSK+TXLdxnFXr9ukXjIC2mFir7CCnZHw4e+
+2JwZfaAom0ZX+pLwrReSop4BPPU2YDzt3XCUk0S9kpiOsN7iFWUMCFreIE50DOxt
+9406kSGopYKVaifbDl4MdLXM4v+oucLe7/yOViT/dm4FcIytIR+jzC8MaLQTB23e
+uzm2wOjI1YOwv7Il6PWZyDdU+tyzXcaJ7wSFBeQFZZtqph2TItCeV04HoaKHHc25
+4akc
+=OYIo
+-----END PGP PUBLIC KEY BLOCK-----
+
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lQWGBGTrY3UBDAC2HLBqmMplAV15qSnC7g1c4dV406f5EHNhFr95Nup2My6b2eaf
+Tlvedv77s8PT/I7F3fy4apOZs5A7w2SsPlLMcQ3ev4uGOsxRtkq5RLy1Yb6SNueX
+0Da2UVKR5KTC5Q6BWaqxwS0IjKOLZ/xz0Pbe/ClV3bZSKBEY2omkVo3Z0HZ771vB
+2clPRvGJ/IdeKOsZ3ZytSFXfyiJBdARmeSPmydXLil8+Ibq5iLAeow5PK8hK1TCO
+nKHzLWNqcNq70tyjoHvcGi70iGjoVEEUgPCLLuU8WmzTJwlvA3BuDzjtaO7TLo/j
+dE6iqkHtMSS8x+43sAH6hcFRCWAVh/0Uq7n36uGDfNxGnX3YrmX3LR9x5IsBES1r
+GGWbpxio4o5GIf/Xd+JgDd9rzJCqRuZ3/sW/TxK38htWaVNZV0kMkHUCTc1ctzWp
+Cm635hbFCHBhPYIp+/z206khkAKDbz/CNuU91Wazsh7KO07wrwDtxfDDbInJ8TfH
+E2TGjzjQzgChfmcAEQEAAf4HAwKN54iG/XBl5/UViAmmiESRj3u+uJC9EztalVbj
+156bjamUHBYIoCH4SBB0l0bR/o9ZN3vE4ZvyF3OyJ0AKF9epjWIuz7S+QIm1NLzk
+IqwRyfGPsktwtZOF1CsathN4RyJL5/3nB9g4BLYfRARe9lwU0C0HQjBwAVj8m6RN
++wMTHZqW7tUN75npgPRLUI30H3GPVm3yLfS88Ol8nd31r7V0JsXZ2/mM9CWF4sUy
+o1DW3P/rBn49s/x2qL/acEL+5PK7suFBP8Pjp5cwGjnSehoWeOclXgstkg3OEryY
+2JP74muDVmaEVOAk7wiRjUD7HYuEOm/MbphFyen7QtO8WtN3IRKgNm19v5Skd4AF
+NW9ZAdQOk2yHw7zyRk7HOPmEbEstbyE1RYWIfgZGjJlEJ2DI5ABwVJJ3W6DRPiZ3
+owd/JxBUVu/wigIjbg6z6ZQd/bn1XwKyhyTtgyTyILzE1gqtO7xs1XmK3wcww794
+cVLjqSnAdaeXMt4P+sDA17Wqky0f/jQ9kq7/tv7ipq9jvp9RaQ1ccRsz+mGgBVl+
+oLg4klKN47ZQGt0SQpLzHLL8SHzY0dz5US+Z2J+hdZia6jEmfilY9r4WPe7djMYz
+Na908DmcbjfAg4XHPqVRXjgraUiT2YTo2LOV2dHn7550hJ/JshpOVqrJUrjhCgDN
+usEMK3KXJkFvf6zflMv3t8HMD2SGBfpCJSwDaW+mrmtpR6a5laoZxg/009qZqgpj
+FuenLuZmgYrHXozMXllwi6MLvSE/ioXrK4fqvpAwzOk6ArqZdWfxoJDYNQKXVL7z
+Arniq9Ctaag8hr5T+JoZ9wNPNVF/LuEwPTWDur4qpU07KqWt9OFKPsEDNzxVZfNM
+vtSCYvQ1uUH3CbPLQvPpd5TnyhjwKYtTzyW4OcuZHrWIZp9fZi5QdhWxobqGQiBk
++nRNFe0FPVEN0VcNdYJIDKcDLsOYCkGy08tucZnbKtr8JaK7XBSOo9Frg1i/j4Aa
+GnXWlkMTVAkuxLZPATTOgdBoYmHMYKQvw31aFBrf3QU9c3EEg9UPYFMErVIeBHBB
+BS+E7QZToHScCG1zezlr4rdqarkz0Yvzc3aduoSAOJHDf/Il+tOkepMne1y5fi72
+5UT1yWGbXXkTCV/pM6s0pLaEvNHmGvPQ6VGbJ//5w+42PFD1d7yEai53OgSZNs7B
++Ie/6Vq5GYzTM0bT3/o7/O1Zi56y791YKaas9wgxOhmMIZ0hsTecQJLJZGotUlOv
+V7fZUhPRc4ksUeCyM3G0E89ilFtY6NuPcWQ8yMeS4sRRLmie+iaT+kNvAqL5mXvg
+WNLhFIXPC1gpGLB8lpT5YEY647aPjQEig7QXYWJjZGUgPGFiY2RlQGdpdGVhLmNv
+bT6JAc4EEwEIADgWIQRo/BkcvP70fnQCv16xVDFkJim4JgUCZOtjdQIbAwULCQgH
+AgYVCgkICwIEFgIDAQIeAQIXgAAKCRCxVDFkJim4Js6+C/9yIjHqcyM88hQAYQUo
+iPYfgJ0f2NsDAi/XypyDaFbRy9Wqm3oKvMr9L9G5xgOXshjRaRWOpODAwLmtVrJf
+OV5BhxLEcBcO2hDdM3ycp8Gt7+Fx/o0cUjPiiC18hh3K5LRfeE7oYynSJDgjoDNu
+zIMuyoWuJPNc+IcE4roND55qyyyC9ObrTLz1GgGm1bXtkHhZ1NdOfQ4q8M48K39J
+n7pmnmSX3R74CSU6flh/o9AtzGLjU70JUOLFcWnR5D0iEI8mOsdfEHr+p+CvDVG9
+l4unPhMunT+QOUwV2DEmqo9P+yIert1ucVTDoSf+FrRaKUHg8r1Tt6T4/4GyIeSx
+G72NImK0h8jz+bADPZhxuG4UR1Mj8bilqhWgODFPi/5DrDsNMWq1pEvjn6f4pCUx
+0IDTnPTniOXtafXtAD4Rz0rwJWYqgeJFHgjXzaxBiOE1bhS26NPEvyAa0T9Tj3E7
+3ICMESAmVad2JqO/mVxkLDGWdpXM7qB8bO2YGMOplrTvWaadBYYEZOtjdQEMAOwe
+vO46JxBo91RCbT7RQ2uz3ZwRKb+P/jIEFST6x8tkCjon31zh6HicBDPNntqXTzSt
+goHQb7vGhHPV4dxAfrOtVyoHwpi1/+x1jjtZoyIzLEz6RNK/Onu2y/tC5JBnSd5Q
+RdHJgzPm20F8iNZR37c0Mi24fIH4y01aVLfNeBpRt7lWJ+opo2bM3Rh7jJdMpynK
+kTcA6o9XP6IgW/dzpOayosclpHhWiJwKV4CovIX/bxawk7sz10Nb4QzcxlWexWnJ
+xNRHIcAkZ9KTXTBpBkBpHCZqsI3+rQoQn5oQAr9JGWJSd4Fmgw7mFjmIF4bjfa2h
+/BpCoBqE+/25chvWfYkQwrCcyUwD1QYPUBwNvLB+PWb9kYEHD3mLgSSR+fjdG9Xd
+Mevu4lT91Gqo/6KJzgzClSs7GoQtb+SZ4deUFw1tlmEQS/BGhbtTb/1566iDidGV
+5EnSmL/E4/3CbGQqNog8gremF0G0SlWTjD9RMBY13IgisWCC6R4CdkXIYnCWbwAR
+AQAB/gcDAgtreHsdznsa9bAha2g+J5zygs7rp95KvqRm4SGrgWPnngMewrHXrJAx
+REUQFbOYJKvb6+SB47N8BTIh/nEY/B6dpvC36QSHB0XAgkktiOhdS2rTlrq+bKse
+rZzoM/jbcxS3/cwi4VWH4lQhz7TLZtQxFZDuwyiik8/m5KscMxQrbYJg++4KpFQQ
+En7RRUO0hEaYdnqQ9t3M8SWLwZn2yK3hzBE0gkQ8CJA3Zokv3DO7FSsAX823O25B
+X7NgIpmbHCeYK6YV0gjQUKP1o3Sf7DhJzO1iltg0+obNTDl9RoeFgxTVORCdUlGA
+kPdgoBbAGtadpZlCMThn7FlIn+ogqwQpAcoSTZjX31SOQBBpgMW9yf3GTNk2Nvrn
+08zIA0hnUWFfc4VY6fbjbX5bF0jpoJ3XG6Hwa1VVRwQGFLxFV23TbZ+baLLuxEBx
+A86XDC5zWFMwF/7aYL8oeXgoI+499u9G4Gw9G87va7rQXlTQJcHQRqu9YaGcxwOi
+UslhNtVWz52iIURappUfFaGBRGUvtx2DOTgn4m099nnPaKDUiLmc4bFIHwzyA7Pl
+RdAmLosrxSyIxHdlUOS/KshucXXKGVoYkJqGLXNQCY6x2zbyBPX9/a/0P59UP/WU
+qwAHuGbXlToGhSKZzC8KmVs12tyQsAZ/47D+G29kEcRlaey1+N3Uor1jN7D66uyj
+M1jYFhBudNIuuTR8sfrYjmbYIj8y0bgvF4RN6sU1padoTETadWNyIcFiRMZQ0oQd
+KJBa3CxdqQZ2EU4a5jkA4UTQE13IySh7eNbYP5VwBgr3Z59gcbouKfFxKBhmPHF2
+BAmC0VXI2BgqKNqM6QgVj5UKrp41AX4D+iIhyKa0D3rapuIywXg1AtsrAlrOU/Ig
+tQCj/a0NjIVJpLqVKBUdd4Eea69fDCJGIoaDNyp7qwo+nA1O2oDbc32EryJYUkHm
+XMoLmx5y+/rxRsRevBv0ojwu3zsx2K93M1wHYd0z+SJsU8QGFinoFgYcmNp/tgMW
+WtHBN4AijDuDSZAyG+MrWIj3NS4mbajx+utEIn3DC/ofFPlTmgX3OvpOPG1hnhBH
+xSZUME+znOnqJMpUqnna4jbHEPwvRIXUY6InFKgl1Bu4grww/oo3qi7NwWL0Mcdy
+qabWhdlEz5N/QBBPWVQllelgI+xTmZoCRUhh1mn+PM900vXXeM/DIALnxEXs9I/m
+l4wPdLZlCdaKZS8vv33adyS6i9gWfI3NPWxZ2TyqC7nf5D5OK1zKSu3iWx17nXn2
+ak5hZnaXfzTxuZL3E8KZD/qsDm80c2PXFitogJTih37N6A8UQOJPtWbkfvPiwUvI
+gw0oouggn0iJQVNoiQG2BBgBCAAgFiEEaPwZHLz+9H50Ar9esVQxZCYpuCYFAmTr
+Y3UCGwwACgkQsVQxZCYpuCb1AAv/dI5YtGxBXaHAMj+lOLmZi5w4t0M7Zafa8tNn
+WrBwj4KixiXEt52i5YKxuaVD3+/cMqidSDp0M5Cxx0wcmnmg+mdFFcowtXIXuk1T
+GTcHcOCPoXgF6gfoGimNNE1Aw1+EnC4/TbjMCKEM7b2QZ7/CgkBxZJWbScN4Jtaw
+ory9LEQqo0/epYJwf+79GHIJrpODAPiPJEMKmlej23KyoFuusOi17C0vHCf3GZNj
+4F2So3LOrcs51qTlOum2MdL5oTdqffatzs6p4u5bHBxyRugQlQggTRSK+TXLdxnF
+Xr9ukXjIC2mFir7CCnZHw4e+2JwZfaAom0ZX+pLwrReSop4BPPU2YDzt3XCUk0S9
+kpiOsN7iFWUMCFreIE50DOxt9406kSGopYKVaifbDl4MdLXM4v+oucLe7/yOViT/
+dm4FcIytIR+jzC8MaLQTB23euzm2wOjI1YOwv7Il6PWZyDdU+tyzXcaJ7wSFBeQF
+ZZtqph2TItCeV04HoaKHHc254akc
+=PPG4
+-----END PGP PRIVATE KEY BLOCK-----

routers/web/repo/compare.go

@@ -460,7 +460,7 @@ func ParseCompareInfo(ctx *context.Context) *CompareInfo {
 		rootRepo.ID != ci.HeadRepo.ID &&
 		rootRepo.ID != baseRepo.ID {
 		canRead := access_model.CheckRepoUnitUser(ctx, rootRepo, ctx.Doer, unit.TypeCode)
-		if canRead && rootRepo.AllowsPulls() {
+		if canRead {
 			ctx.Data["RootRepo"] = rootRepo
 			if !fileOnly {
 				branches, tags, err := getBranchesAndTagsForRepo(ctx, rootRepo)

routers/web/user/home.go

@@ -157,7 +157,7 @@ func Milestones(ctx *context.Context) {
 	}
 
 	repoOpts := repo_model.SearchRepoOptions{
-		Actor:         ctxUser,
+		Actor:         ctx.Doer,
 		OwnerID:       ctxUser.ID,
 		Private:       true,
 		AllPublic:     false, // Include also all public repositories of users and public organisations
@@ -449,7 +449,7 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 	// - Team has read permission to repository.
 	repoOpts := &repo_model.SearchRepoOptions{
 		Actor:       ctx.Doer,
-		OwnerID:     ctx.Doer.ID,
+		OwnerID:     ctxUser.ID,
 		Private:     true,
 		AllPublic:   false,
 		AllLimited:  false,

services/repository/files/temp_repo.go

@@ -114,12 +114,12 @@ func (t *TemporaryUploadRepository) LsFiles(filenames ...string) ([]string, erro
 		return nil, err
 	}
 
-	filelist := make([]string, len(filenames))
+	fileList := make([]string, 0, len(filenames))
 	for _, line := range bytes.Split(stdOut.Bytes(), []byte{'\000'}) {
-		filelist = append(filelist, string(line))
+		fileList = append(fileList, string(line))
 	}
 
-	return filelist, nil
+	return fileList, nil
 }
 
 // RemoveFilesFromIndex removes the given files from the index

templates/devtest/flex-list.tmpl

@@ -1,8 +1,8 @@
 {{template "base/head" .}}
 <link rel="stylesheet" href="{{AssetUrlPrefix}}/css/devtest.css?v={{AssetVersion}}">
-<div class="page-content devtest ui container">
-	<div>
-		<h1>Flex List</h1>
+<div class="page-content devtest">
+	<div class="ui container">
+		<h1 class="gt-border-secondary-bottom">Flex List (standalone)</h1>
 		<div class="flex-list">
 			<div class="flex-item">
 				<div class="flex-item-leading">
@@ -84,6 +84,23 @@
 				</div>
 			</div>
 		</div>
+
+		<div class="divider gt-my-0"></div>
+
+		<h1>Flex List (with "ui segment")</h1>
+		<div class="ui attached segment">
+			<div class="flex-list">
+				<div class="flex-item">item 1</div>
+				<div class="flex-item">item 2</div>
+			</div>
+		</div>
+		<div class="ui attached segment">
+			<h1>Flex List (with "ui segment")</h1>
+			<div class="flex-list">
+				<div class="flex-item">item 1</div>
+				<div class="flex-item">item 2</div>
+			</div>
+		</div>
 	</div>
 </div>
 {{template "base/footer" .}}

templates/repo/branch_dropdown.tmpl

@@ -30,6 +30,7 @@
 		'textCreateBranchFrom': {{.root.locale.Tr "repo.branch.create_from"}},
 		'textBranches': {{.root.locale.Tr "repo.branches"}},
 		'textTags': {{.root.locale.Tr "repo.tags"}},
+		'textDefaultBranchLabel': {{.root.locale.Tr "repo.default_branch_label"}},
 
 		'mode': '{{if or .root.IsViewTag .isTag}}tags{{else}}branches{{end}}',
 		'showBranchesInDropdown': {{$showBranchesInDropdown}},

templates/repo/diff/compare.tmpl

@@ -77,7 +77,7 @@
 							<div class="item" data-url="{{$.OwnForkRepo.Link}}/compare/{{PathEscapeSegments .}}{{$.CompareSeparator}}{{PathEscape $.HeadUser.Name}}/{{PathEscape $.HeadRepo.Name}}:{{PathEscapeSegments $.HeadBranch}}">{{$OwnForkCompareName}}:{{.}}</div>
 						{{end}}
 					{{end}}
-					{{if .RootRepo}}
+					{{if and .RootRepo .RootRepo.AllowsPulls}}
 						{{range .RootRepoBranches}}
 							<div class="item" data-url="{{$.RootRepo.Link}}/compare/{{PathEscapeSegments .}}{{$.CompareSeparator}}{{PathEscape $.HeadUser.Name}}/{{PathEscape $.HeadRepo.Name}}:{{PathEscapeSegments $.HeadBranch}}">{{$RootRepoCompareName}}:{{.}}</div>
 						{{end}}

templates/swagger/v1_json.tmpl

@@ -3230,6 +3230,65 @@
         }
       }
     },
+    "/repos/{owner}/{repo}/actions/secrets/{secretname}": {
+      "put": {
+        "consumes": [
+          "application/json"
+        ],
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "repository"
+        ],
+        "summary": "Create or Update a secret value in a repository",
+        "operationId": "updateRepoSecret",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repository",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repository",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the secret",
+            "name": "secretname",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "schema": {
+              "$ref": "#/definitions/CreateOrUpdateSecretOption"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": "response when creating a secret"
+          },
+          "204": {
+            "description": "response when updating a secret"
+          },
+          "400": {
+            "$ref": "#/responses/error"
+          },
+          "403": {
+            "$ref": "#/responses/forbidden"
+          }
+        }
+      }
+    },
     "/repos/{owner}/{repo}/activities/feeds": {
       "get": {
         "produces": [

web_src/css/base.css

@@ -18,7 +18,7 @@
   /* non-color variables */
   --border-radius: 4px;
   --border-radius-medium: 6px;
-  --border-radius-circle: 100%;
+  --border-radius-circle: 50%;
   --opacity-disabled: 0.55;
   --height-loading: 16rem;
   --tab-size: 4;

web_src/css/modules/navbar.css

@@ -133,8 +133,8 @@
   left: 6px;
   top: -9px;
   min-width: 17px;
-  min-height: 17px;
-  border-radius: var(--border-radius-circle);
+  height: 17px;
+  border-radius: 11px; /* (height + 2 * borderThickness) / 2 */
   display: flex;
   align-items: center;
   justify-content: center;

web_src/css/shared/flex-list.css

@@ -6,10 +6,7 @@
   display: flex;
   gap: 8px;
   align-items: flex-start;
-}
-
-.flex-item:not(:last-child) {
-  padding-bottom: 8px;
+  padding: 1em 0;
 }
 
 .flex-item-baseline {
@@ -92,5 +89,13 @@
 
 .flex-list > .flex-item + .flex-item {
   border-top: 1px solid var(--color-secondary);
-  padding-top: 8px;
+}
+
+/* Fomantic UI segment has default "padding: 1em", so here it removes the padding-top and padding-bottom accordingly */
+.ui.segment > .flex-list:first-child > .flex-item:first-child {
+  padding-top: 0;
+}
+
+.ui.segment > .flex-list:last-child > .flex-item:last-child {
+  padding-bottom: 0;
 }

web_src/fomantic/build/semantic.css

@@ -10928,531 +10928,6 @@ a.ui.black.header:hover {
 /*******************************
          Site Overrides
 *******************************/
-/*!
- * # Fomantic-UI - Item
- * http://github.com/fomantic/Fomantic-UI/
- *
- *
- * Released under the MIT license
- * http://opensource.org/licenses/MIT
- *
- */
-
-/*******************************
-            Standard
-*******************************/
-
-/*--------------
-      Item
----------------*/
-
-.ui.items > .item {
-  display: flex;
-  margin: 1em 0;
-  width: 100%;
-  min-height: 0;
-  background: transparent;
-  padding: 0;
-  border: none;
-  border-radius: 0;
-  box-shadow: none;
-  transition: box-shadow 0.1s ease;
-  z-index: '';
-}
-
-.ui.items > .item a {
-  cursor: pointer;
-}
-
-/*--------------
-      Items
----------------*/
-
-.ui.items {
-  margin: 1.5em 0;
-}
-
-.ui.items:first-child {
-  margin-top: 0 !important;
-}
-
-.ui.items:last-child {
-  margin-bottom: 0 !important;
-}
-
-/*--------------
-      Item
----------------*/
-
-.ui.items > .item:after {
-  display: block;
-  content: ' ';
-  height: 0;
-  clear: both;
-  overflow: hidden;
-  visibility: hidden;
-}
-
-.ui.items > .item:first-child {
-  margin-top: 0;
-}
-
-.ui.items > .item:last-child {
-  margin-bottom: 0;
-}
-
-/*--------------
-     Images
----------------*/
-
-.ui.items > .item > .image {
-  position: relative;
-  flex: 0 0 auto;
-  display: block;
-  float: none;
-  margin: 0;
-  padding: 0;
-  max-height: '';
-  align-self: start;
-}
-
-.ui.items > .item > .image > img {
-  display: block;
-  width: 100%;
-  height: auto;
-  border-radius: 0.125rem;
-  border: none;
-}
-
-.ui.items > .item > .image:only-child > img {
-  border-radius: 0;
-}
-
-/*--------------
-     Content
----------------*/
-
-.ui.items > .item > .content {
-  display: block;
-  flex: 1 1 auto;
-  background: none;
-  color: rgba(0, 0, 0, 0.87);
-  margin: 0;
-  padding: 0;
-  box-shadow: none;
-  font-size: 1em;
-  border: none;
-  border-radius: 0;
-}
-
-.ui.items > .item > .content:after {
-  display: block;
-  content: ' ';
-  height: 0;
-  clear: both;
-  overflow: hidden;
-  visibility: hidden;
-}
-
-.ui.items > .item > .image + .content {
-  min-width: 0;
-  width: auto;
-  display: block;
-  margin-left: 0;
-  align-self: start;
-  padding-left: 1.5em;
-}
-
-.ui.items > .item > .content > .header {
-  display: inline-block;
-  margin: -0.21425em 0 0;
-  font-family: var(--fonts-regular);
-  font-weight: 500;
-  color: rgba(0, 0, 0, 0.85);
-}
-
-/* Default Header Size */
-
-.ui.items > .item > .content > .header:not(.ui) {
-  font-size: 1.28571429em;
-}
-
-/*--------------
-     Floated
----------------*/
-
-.ui.items > .item [class*="left floated"] {
-  float: left;
-}
-
-.ui.items > .item [class*="right floated"] {
-  float: right;
-}
-
-/*--------------
-  Content Image
----------------*/
-
-.ui.items > .item .content img {
-  align-self: center;
-  width: '';
-}
-
-.ui.items > .item img.avatar,
-.ui.items > .item .avatar img {
-  width: '';
-  height: '';
-  border-radius: 500rem;
-}
-
-/*--------------
-   Description
----------------*/
-
-.ui.items > .item > .content > .description {
-  margin-top: 0.6em;
-  max-width: auto;
-  font-size: 1em;
-  line-height: 1.4285em;
-  color: rgba(0, 0, 0, 0.87);
-}
-
-/*--------------
-    Paragraph
----------------*/
-
-.ui.items > .item > .content p {
-  margin: 0 0 0.5em;
-}
-
-.ui.items > .item > .content p:last-child {
-  margin-bottom: 0;
-}
-
-/*--------------
-      Meta
----------------*/
-
-.ui.items > .item .meta {
-  margin: 0.5em 0 0.5em;
-  font-size: 1em;
-  line-height: 1em;
-  color: rgba(0, 0, 0, 0.6);
-}
-
-.ui.items > .item .meta * {
-  margin-right: 0.3em;
-}
-
-.ui.items > .item .meta :last-child {
-  margin-right: 0;
-}
-
-.ui.items > .item .meta [class*="right floated"] {
-  margin-right: 0;
-  margin-left: 0.3em;
-}
-
-/*--------------
-      Links
----------------*/
-
-/* Generic */
-
-.ui.items > .item > .content a:not(.ui) {
-  color: '';
-  transition: color 0.1s ease;
-}
-
-.ui.items > .item > .content a:not(.ui):hover {
-  color: '';
-}
-
-/* Header */
-
-.ui.items > .item > .content > a.header {
-  color: rgba(0, 0, 0, 0.85);
-}
-
-.ui.items > .item > .content > a.header:hover {
-  color: #1e70bf;
-}
-
-/* Meta */
-
-.ui.items > .item .meta > a:not(.ui) {
-  color: rgba(0, 0, 0, 0.4);
-}
-
-.ui.items > .item .meta > a:not(.ui):hover {
-  color: rgba(0, 0, 0, 0.87);
-}
-
-/*--------------
-     Labels
----------------*/
-
-/*-----Star----- */
-
-/* Icon */
-
-.ui.items > .item > .content .favorite.icon {
-  cursor: pointer;
-  opacity: 0.75;
-  transition: color 0.1s ease;
-}
-
-.ui.items > .item > .content .favorite.icon:hover {
-  opacity: 1;
-  color: #FFB70A;
-}
-
-.ui.items > .item > .content .active.favorite.icon {
-  color: #FFE623;
-}
-
-/*-----Like----- */
-
-/* Icon */
-
-.ui.items > .item > .content .like.icon {
-  cursor: pointer;
-  opacity: 0.75;
-  transition: color 0.1s ease;
-}
-
-.ui.items > .item > .content .like.icon:hover {
-  opacity: 1;
-  color: #FF2733;
-}
-
-.ui.items > .item > .content .active.like.icon {
-  color: #FF2733;
-}
-
-/*----------------
-  Extra Content
------------------*/
-
-.ui.items > .item .extra {
-  display: block;
-  position: relative;
-  background: none;
-  margin: 0.5rem 0 0;
-  width: 100%;
-  padding: 0 0 0;
-  top: 0;
-  left: 0;
-  color: rgba(0, 0, 0, 0.4);
-  box-shadow: none;
-  transition: color 0.1s ease;
-  border-top: none;
-}
-
-.ui.items > .item .extra > * {
-  margin: 0.25rem 0.5rem 0.25rem 0;
-}
-
-.ui.items > .item .extra > [class*="right floated"] {
-  margin: 0.25rem 0 0.25rem 0.5rem;
-}
-
-.ui.items > .item .extra:after {
-  display: block;
-  content: ' ';
-  height: 0;
-  clear: both;
-  overflow: hidden;
-  visibility: hidden;
-}
-
-/*******************************
-          Responsive
-*******************************/
-
-/* Default Image Width */
-
-.ui.items > .item > .image:not(.ui) {
-  width: 175px;
-}
-
-/* Tablet Only */
-
-@media only screen and (min-width: 768px) and (max-width: 991.98px) {
-  .ui.items > .item {
-    margin: 1em 0;
-  }
-
-  .ui.items > .item > .image:not(.ui) {
-    width: 150px;
-  }
-
-  .ui.items > .item > .image + .content {
-    display: block;
-    padding: 0 0 0 1em;
-  }
-}
-
-/* Mobile Only */
-
-@media only screen and (max-width: 767.98px) {
-  .ui.items:not(.unstackable) > .item {
-    flex-direction: column;
-    margin: 2em 0;
-  }
-
-  .ui.items:not(.unstackable) > .item > .image {
-    display: block;
-    margin-left: auto;
-    margin-right: auto;
-  }
-
-  .ui.items:not(.unstackable) > .item > .image,
-  .ui.items:not(.unstackable) > .item > .image > img {
-    max-width: 100% !important;
-    width: auto !important;
-    max-height: 250px !important;
-  }
-
-  .ui.items:not(.unstackable) > .item > .image + .content {
-    display: block;
-    padding: 1.5em 0 0;
-  }
-}
-
-/*******************************
-           Variations
-*******************************/
-
-/*-------------------
-         Aligned
-  --------------------*/
-
-.ui.items > .item > .image + [class*="top aligned"].content {
-  align-self: flex-start;
-}
-
-.ui.items > .item > .image + [class*="middle aligned"].content {
-  align-self: center;
-}
-
-.ui.items > .item > .image + [class*="bottom aligned"].content {
-  align-self: flex-end;
-}
-
-/*--------------
-       Relaxed
-  ---------------*/
-
-.ui.relaxed.items > .item {
-  margin: 1.5em 0;
-}
-
-.ui[class*="very relaxed"].items > .item {
-  margin: 2em 0;
-}
-
-/*-------------------
-        Divided
-  --------------------*/
-
-.ui.divided.items > .item {
-  border-top: 1px solid rgba(34, 36, 38, 0.15);
-  margin: 0;
-  padding: 1em 0;
-}
-
-.ui.divided.items > .item:first-child {
-  border-top: none;
-  margin-top: 0 !important;
-  padding-top: 0 !important;
-}
-
-.ui.divided.items > .item:last-child {
-  margin-bottom: 0 !important;
-  padding-bottom: 0 !important;
-}
-
-/* Relaxed Divided */
-
-.ui.relaxed.divided.items > .item {
-  margin: 0;
-  padding: 1.5em 0;
-}
-
-.ui[class*="very relaxed"].divided.items > .item {
-  margin: 0;
-  padding: 2em 0;
-}
-
-/*-------------------
-          Link
-  --------------------*/
-
-.ui.items a.item:hover,
-.ui.link.items > .item:hover {
-  cursor: pointer;
-}
-
-.ui.items a.item:hover .content .header,
-.ui.link.items > .item:hover .content .header {
-  color: #1e70bf;
-}
-
-/*--------------
-      Size
----------------*/
-
-.ui.items > .item {
-  font-size: 1em;
-}
-
-.ui.mini.items > .item {
-  font-size: 0.78571429em;
-}
-
-.ui.tiny.items > .item {
-  font-size: 0.85714286em;
-}
-
-.ui.small.items > .item {
-  font-size: 0.92857143em;
-}
-
-.ui.large.items > .item {
-  font-size: 1.14285714em;
-}
-
-.ui.big.items > .item {
-  font-size: 1.28571429em;
-}
-
-.ui.huge.items > .item {
-  font-size: 1.42857143em;
-}
-
-.ui.massive.items > .item {
-  font-size: 1.71428571em;
-}
-
-/*---------------
-     Unstackable
-  ----------------*/
-
-@media only screen and (max-width: 767.98px) {
-  .ui.unstackable.items > .item > .image,
-  .ui.unstackable.items > .item > .image > img {
-    width: 125px !important;
-  }
-}
-
-/*******************************
-         Theme Overrides
-*******************************/
-
-/*******************************
-    User Variable Overrides
-*******************************/
 /*!
  * # Fomantic-UI - Label
  * http://github.com/fomantic/Fomantic-UI/

web_src/fomantic/semantic.json

@@ -31,7 +31,6 @@
     "grid",
     "header",
     "input",
-    "item",
     "label",
     "list",
     "menu",

web_src/js/components/RepoBranchTagSelector.vue

@@ -30,6 +30,9 @@
         <div class="loading-indicator is-loading" v-if="isLoading"/>
         <div v-for="(item, index) in filteredItems" :key="item.name" class="item" :class="{selected: item.selected, active: active === index}" @click="selectItem(item)" :ref="'listItem' + index">
           {{ item.name }}
+          <div class="ui label" v-if="item.name===defaultBranch && mode === 'branches'">
+            {{ textDefaultBranchLabel }}
+          </div>
           <a v-show="enableFeed && mode === 'branches'" role="button" class="rss-icon ui compact right" :href="rssURLPrefix + item.url" target="_blank" @click.stop>
             <!-- creating a lot of Vue component is pretty slow, so we use a static SVG here -->
             <svg width="14" height="14" class="svg octicon-rss"><use href="#svg-symbol-octicon-rss"/></svg>

web_src/js/utils.test.js

@@ -133,17 +133,22 @@ test('toAbsoluteUrl', () => {
   expect(() => toAbsoluteUrl('path')).toThrowError('unsupported');
 });
 
-const uint8array = (s) => new TextEncoder().encode(s);
 test('encodeURLEncodedBase64, decodeURLEncodedBase64', () => {
+  // TextEncoder is Node.js API while Uint8Array is jsdom API and their outputs are not
+  // structurally comparable, so we convert to array to compare. The conversion can be
+  // removed once https://github.com/jsdom/jsdom/issues/2524 is resolved.
+  const encoder = new TextEncoder();
+  const uint8array = encoder.encode.bind(encoder);
+
   expect(encodeURLEncodedBase64(uint8array('AA?'))).toEqual('QUE_'); // standard base64: "QUE/"
   expect(encodeURLEncodedBase64(uint8array('AA~'))).toEqual('QUF-'); // standard base64: "QUF+"
 
-  expect(decodeURLEncodedBase64('QUE/')).toEqual(uint8array('AA?'));
-  expect(decodeURLEncodedBase64('QUF+')).toEqual(uint8array('AA~'));
-  expect(decodeURLEncodedBase64('QUE_')).toEqual(uint8array('AA?'));
-  expect(decodeURLEncodedBase64('QUF-')).toEqual(uint8array('AA~'));
+  expect(Array.from(decodeURLEncodedBase64('QUE/'))).toEqual(Array.from(uint8array('AA?')));
+  expect(Array.from(decodeURLEncodedBase64('QUF+'))).toEqual(Array.from(uint8array('AA~')));
+  expect(Array.from(decodeURLEncodedBase64('QUE_'))).toEqual(Array.from(uint8array('AA?')));
+  expect(Array.from(decodeURLEncodedBase64('QUF-'))).toEqual(Array.from(uint8array('AA~')));
 
   expect(encodeURLEncodedBase64(uint8array('a'))).toEqual('YQ'); // standard base64: "YQ=="
-  expect(decodeURLEncodedBase64('YQ')).toEqual(uint8array('a'));
-  expect(decodeURLEncodedBase64('YQ==')).toEqual(uint8array('a'));
+  expect(Array.from(decodeURLEncodedBase64('YQ'))).toEqual(Array.from(uint8array('a')));
+  expect(Array.from(decodeURLEncodedBase64('YQ=='))).toEqual(Array.from(uint8array('a')));
 });