Commit graph

591 commits

Author SHA1 Message Date
Gusted
2102163f2f Merge pull request 'chore: avoid using gock' (#6311) from gusted/forgejo-gock into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6311
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-12-20 21:15:11 +00:00
Renovate Bot
3d55c2976a Update module golang.org/x/net to v0.33.0 2024-12-18 23:14:16 +00:00
Gusted
c26c60ccd1
chore: avoid using gock
- Avoid using gock to do HTTP mocking, this is fairly simply to do
ourselves and avoids a dependency, this commit does right that.
2024-12-18 06:40:02 +01:00
Gusted
5ec1cae50e Merge pull request 'Update module github.com/blevesearch/bleve/v2 to v2.4.4 (forgejo)' (#6306) from renovate/forgejo-github.com-blevesearch-bleve-v2-2.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6306
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-12-18 04:48:46 +00:00
Gusted
60e19ce502 Merge pull request 'Update module github.com/go-chi/chi/v5 to v5.2.0 (forgejo)' (#6282) from renovate/forgejo-github.com-go-chi-chi-v5-5.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6282
Reviewed-by: Otto <otto@codeberg.org>
2024-12-18 00:06:44 +00:00
Renovate Bot
22d19ab575 Update module github.com/blevesearch/bleve/v2 to v2.4.4 2024-12-18 00:05:20 +00:00
Renovate Bot
46e0a0306c Update module google.golang.org/protobuf to v1.36.0 2024-12-17 00:03:31 +00:00
Renovate Bot
c718379722 Update module github.com/go-chi/chi/v5 to v5.2.0 2024-12-16 02:04:22 +00:00
Renovate Bot
ad9c5acba9 Update module github.com/gliderlabs/ssh to v0.3.8 (forgejo) (#6258)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6258
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-12-13 05:55:36 +00:00
Earl Warren
da76eb3962 Merge pull request 'Update module golang.org/x/crypto to v0.31.0 (forgejo)' (#6243) from renovate/forgejo-golang.org-x-crypto-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6243
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-12 05:58:41 +00:00
Gusted
3e1b03838e
fix: ensure correct ssh public key is used for authentication
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that was chosen by `x/crypto/ssh` after succesfully
authenticating, this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack, although partially mitigated by the fix in `x/crypto/ssh` it
would not be good practice and defense deep to rely on it.
- Existing tests covers that the functionality is preserved.
- No tests are added to ensure it fixes the described security, the
exploit relies on non-standard SSH behavior it would be too hard to
craft SSH packets to exploit this.
2024-12-12 05:54:07 +01:00
Renovate Bot
eda4d1b753 Update module golang.org/x/crypto to v0.31.0 2024-12-12 00:03:06 +00:00
Renovate Bot
3bca714bb2 Update github.com/grafana/go-json digest to a119ee5 2024-12-11 00:03:09 +00:00
Renovate Bot
2d259670c6 Update x/tools to v0.28.0 (forgejo) (#6190)
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-12-07 00:36:49 +00:00
Earl Warren
e801d53e61 Merge pull request 'Update module golang.org/x/net to v0.32.0 (forgejo)' (#6175) from renovate/forgejo-golang.org-x-net-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6175
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-06 05:47:25 +00:00
Renovate Bot
2300141b84 Update module golang.org/x/net to v0.32.0 2024-12-06 02:03:26 +00:00
Royce Remer
f6273e2250 Make LFS http_client parallel within a batch. (#32369)
Signed-off-by: Royce Remer <royceremer@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-12-06 00:17:57 +01:00
Gusted
bf59f6b1ee Merge pull request 'Update module golang.org/x/image to v0.23.0 (forgejo)' (#6160) from renovate/forgejo-golang.org-x-image-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6160
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-12-05 14:57:14 +00:00
Michael Kriese
70892c4813 Merge pull request 'build: only require go minor' (#6151) from viceice/forgejo:build/pin-go-to-minor-only into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6151
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-12-05 08:36:03 +00:00
Renovate Bot
0c449f7b24 Update module golang.org/x/image to v0.23.0 2024-12-05 04:03:53 +00:00
Renovate Bot
67b25cb9e6 Update module golang.org/x/crypto to v0.30.0 2024-12-05 02:02:57 +00:00
Michael Kriese
1167716b7b
build: only require go minor 2024-12-04 21:21:14 +01:00
Renovate Bot
4df855f37c Update module code.forgejo.org/go-chi/session to v1.0.1 (forgejo) (#6150)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6150
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-12-04 20:19:11 +00:00
Renovate Bot
91e4cf3744 Update module code.forgejo.org/go-chi/captcha to v1.0.1 (forgejo) (#6148)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6148
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-12-04 17:46:56 +00:00
Renovate Bot
6354fd8ae9 Update dependency go to v1.23.4 (forgejo) (#6145)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6145
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-12-04 14:53:31 +00:00
Michael Kriese
5efd29e54e
build: relax required go version for local development 2024-12-04 09:37:13 +01:00
Mathieu Fenniak
77fafbe578 Add a "summary card" to issues & PRs for consumption by OpenGraph clients (#6053)
## Overview

Hi all, I'm a first-time contributor to Forgejo.  I was looking for something interesting to contribute and the first thing that caught my attention was https://codeberg.org/forgejo/forgejo/issues/6043, a request for an enhancement to include "issue previews" when publishing links to social media platforms.  As a bit of background, the way these platforms work is that they search for meta tags in the posted link's content, and if they find a meta `og:image` (along with other meta tags) they'll pull the image to include in the social media post.  Forgejo currently provides an `og:image` tag but it just renders the repository or repository-owner's avatar.

This PR will render `og:image` for an issue or PR into a link to `{...}/summary-card`, which is a dynamically generated image that contains a summary of the issue.

## Design Notes

### Rendering / Rasterization

The tricky part of solving this problem is rendering an image that combines some text, some images, and some layout elements.  To address this, I've created a `card` module which allows for a handful of operations:
- Create a new rendered image (a "Card")
- Add a margin to a card
- Split the card, horizontally or vertically, into two pieces with a proportional layout (eg. 70%/30%, as desired), each of which are "Cards" that render into the same root image
- Render text into a card, with line-wrapping and text-alignment capabilities
- Render an image onto a card
- Fetches an external image as safely as possible (for server-side fetch of Gravatar, etc.)

The card module can be reused to create `og:image` summary cards for any object in the future, although obviously it's capabilities are limited.  The current implementation is on issues/PRs.

I considered a few alternative approaches before taking this approach, and here's why I rejected those options:
- Provide the summary card as an SVG object which could be rendered much more easily with a template file -- however, support for SVG isn't defined as positive for OpenGraph, and a quick look through some existing implementations suggest that it is not widely supported, if at all
- Rendering as HTML/CSS, or SVG, and then using an external tool to convert into a PNG (or other static) image -- this would be much nicer and easier to implement, but would require tying in some very heavy-weight dependencies
- Rendering using a more sophisticated graphics library, eg. cairo -- also would be nicer and easier to implement, but again a heavy dependency for a small functionality

As a result of the limited capabilities of the new card module, summary cards don't have icons on them (which would require SVG rasterization) or pretty status badges with colors and rounded rects.  In the future if better drawing capabilities were added, the graphics could be improved, but it doesn't seem too important.

### External Avatars

In order to rasterize a user's avatar onto the summary card, it might have to be retrieved by the server from the external source (eg. Gravatar).  A `fetchExternalImage` routine attempts to do this in the safest way possible to protect the server from any possible security exposure from this; (a) verifying that the content-types are acceptable, (b) ensuring that the file-size and image-size are within the safe bounds that are used for custom avatars, (c) using a very-short timeout to avoid stalling the server if an external dependency is offline.

### Caching

Summary cards are cached after rendered.  This has the downside of causing updates to statuses, avatars, titles, etc. being stale on the summary card for the cache TTL.  However, during testing I found that some social media engines like Mastodon will cause the summary card to be accessed a significant number of times after being referenced by a post, causing a mini-tornado of requests.  The cache compensates for this to avoid server load in this situation.

### Scope

I'm considering out-of-scope:
- Summary cards on other objects (eg. repos, users) can be left for future implementation

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- ~~I added test coverage for JavaScript changes...~~ n/a, no JS changes
  - [x] ~~in `web_src/js/*.test.js` if it can be unit tested.~~
  - [x] ~~in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).~~
- Manual testing
  - [x] Access & attach screenshots of both an issue and a pull-request's summary card; see below
  - [x] Ensure reasonable (non-crash) behavior of rendering text with glyphs outside the font -- correctly rendered as replacement unicode chars
  - [x] Using a public test instance, verify that og:image behavior looks good on platforms like Mastodon and BlueSky
    - [x] Bluesky: 
    - [x] Mastodon:    (Note that the summary card will be requested many times as the post is federated; either each server, or each client, will fetch it itself)
    - [x] OpenGraph test site (https://www.opengraph.xyz/): 
    - [x] Discord: Looks OK ; needs "twitter:card" to be set to "summary_large_image" to display the large-scale image, but (a) that's probably annoying to use, (b) probably wrong because it doesn't match Twitter Card's spec for a "photographic image", and (c) don't want to encourage/continue use of vendor-specific tag
  - [x] Verify cases with user avatar missing (or autogen), and repo avatar missing (falls back to repo owner avatar)

Pull request summary card:
![image](/attachments/b64283e3-9a3c-4f19-9d00-961662ffe86b)

Issue summary card:
![image](/attachments/318ce589-02e0-493e-b10c-5b2cb2627db2)

(images to the right are the custom repo avatar, w/ fallback to the repo owner avatar)

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
  - OpenGraph capabilities are expected to work in the background without user awareness, and so there is no need for documentation to explain the capabilities for users.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6053
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2024-11-29 15:02:03 +00:00
Otto
48b91fa31a Merge pull request 'Improve Swagger documentation for user endpoints' (#6050) from JakobDev/forgejo:userswagger into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6050
Reviewed-by: Otto <otto@codeberg.org>
2024-11-28 20:42:19 +00:00
JakobDev
76fb2afc40
Run make tidy 2024-11-28 19:36:55 +01:00
Renovate Bot
8f0de303f3 Update module github.com/stretchr/testify to v1.10.0 2024-11-24 00:03:18 +00:00
Gusted
6d0f2c1b82 Merge pull request 'Update module google.golang.org/grpc to v1.68.0 (forgejo)' (#5969) from renovate/forgejo-google.golang.org-grpc-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5969
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-16 12:25:41 +00:00
Renovate Bot
66dfb2813c Update github.com/grafana/go-json digest to f14426c 2024-11-16 00:03:23 +00:00
Renovate Bot
cdc38ace39 Update module google.golang.org/grpc to v1.68.0 2024-11-15 02:03:08 +00:00
Renovate Bot
8206d509fc Update module code.forgejo.org/forgejo/act to v1.22.0 2024-11-14 02:03:09 +00:00
Renovate Bot
c0309ee367 Update module github.com/blevesearch/bleve/v2 to v2.4.3 2024-11-14 00:03:01 +00:00
Renovate Bot
58ee2386d7 Update module github.com/buildkite/terminal-to-html/v3 to v3.16.4 2024-11-12 02:04:00 +00:00
Gusted
d51847103d Merge pull request 'Update module golang.org/x/net to v0.31.0 (forgejo)' (#5890) from renovate/forgejo-golang.org-x-net-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5890
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-10 03:49:16 +00:00
Renovate Bot
b462351933 Update module golang.org/x/net to v0.31.0 2024-11-10 02:13:04 +00:00
Gusted
11667f07c5
chore: lazy-loaded version of goccy/go-json
- This uses a forked version of https://github.com/goccy/go-json, that
has [this pull request](https://github.com/goccy/go-json/pull/490)
applied. It reduces the heap memory usage by 8MiB (idle heap usage from
startup: 40126.59kB -> 32073.56kB). This should be generally safe to
replace as goccy/go-json doesn't see frequent updates and the other user
of this fork is grafana which is another big Go project.
- The only user of this library is minio, but having a configuration
with minio is not a common setup, AFAIK, so this is essentialy wasted
memory for most Forgejo instances. Having it lazy-loaded solves that
problem.
2024-11-10 02:32:35 +01:00
Renovate Bot
71d3e4c317 Update module golang.org/x/crypto to v0.29.0 2024-11-10 00:03:52 +00:00
Renovate Bot
dffee135f8 Update module code.forgejo.org/go-chi/captcha to v1 (forgejo) (#5864)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5864
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-09 07:28:23 +00:00
Renovate Bot
5ab832ba87 Update module code.forgejo.org/go-chi/session to v1 (forgejo) (#5865)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5865
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-08 23:37:13 +00:00
Renovate Bot
bf69683df6 Update module code.forgejo.org/go-chi/cache to v1 (forgejo) (#5863)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5863
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-08 21:12:20 +00:00
Renovate Bot
d2a3eefcd0 Update module code.forgejo.org/go-chi/binding to v1 (forgejo) (#5862)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5862
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-08 17:43:48 +00:00
Renovate Bot
94650c27a8 Update dependency go to v1.23.3 2024-11-07 00:03:28 +00:00
Gusted
310376525b
[CHORE] Use forked binding library
- Use the forked [binding](https://code.forgejo.org/go-chi/binding)
library. This library has two benefits, it removes the usage of
`github.com/goccy/go-json` (has no benefit as the minimo library is also
using it). It adds the `TrimSpace` feature, which will during the
binding part trim the spaces around the value it got from the form, this
is done before validation.
2024-11-05 22:47:34 +01:00
Renovate Bot
2f8d502541 Update module github.com/gorilla/sessions to v1.4.0 2024-11-03 00:04:40 +00:00
Renovate Bot
370dbbc579 Update module github.com/yuin/goldmark to v1.7.8 2024-11-02 14:04:01 +00:00
Gusted
3f1f19865d Merge pull request 'Update module github.com/fsnotify/fsnotify to v1.8.0 (forgejo)' (#5775) from renovate/forgejo-github.com-fsnotify-fsnotify-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5775
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-11-02 11:41:37 +00:00
Renovate Bot
bd58136c5d Update module github.com/meilisearch/meilisearch-go to v0.29.0 (forgejo) (#5738)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5738
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-02 07:32:05 +00:00