Merge fc4b73eac9 into 4c06c98dda

Explicitely specify all workflow
[`permissions`](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions).
This will fix [26 CodeQL
alerts](https://github.com/go-gitea/gitea/security/code-scanning?query=permissions+is%3Aopen+branch%3Amain+).

.github/workflows/cron-licenses.yml

@@ -9,8 +9,10 @@ jobs:
   cron-licenses:
     runs-on: ubuntu-latest
     if: github.repository == 'go-gitea/gitea'
+    permissions:
+      contents: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod

.github/workflows/cron-translations.yml

@@ -9,8 +9,10 @@ jobs:
   crowdin-pull:
     runs-on: ubuntu-latest
     if: github.repository == 'go-gitea/gitea'
+    permissions:
+      contents: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: crowdin/github-action@v1
         with:
           upload_sources: true

.github/workflows/files-changed.yml

@@ -24,6 +24,8 @@ jobs:
   detect:
     runs-on: ubuntu-latest
     timeout-minutes: 3
+    permissions:
+      contents: read
     outputs:
       backend: ${{ steps.changes.outputs.backend }}
       frontend: ${{ steps.changes.outputs.frontend }}
@@ -34,7 +36,7 @@ jobs:
       swagger: ${{ steps.changes.outputs.swagger }}
       yaml: ${{ steps.changes.outputs.yaml }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: dorny/paths-filter@v3
         id: changes
         with:

.github/workflows/pull-compliance.yml

@@ -15,8 +15,10 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -30,8 +32,10 @@ jobs:
     if: needs.files-changed.outputs.templates == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: astral-sh/setup-uv@v6
       - run: uv python install 3.12
       - uses: pnpm/action-setup@v4
@@ -46,8 +50,10 @@ jobs:
     if: needs.files-changed.outputs.yaml == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: astral-sh/setup-uv@v6
       - run: uv python install 3.12
       - run: make deps-py
@@ -57,8 +63,10 @@ jobs:
     if: needs.files-changed.outputs.swagger == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v5
         with:
@@ -70,8 +78,10 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.templates == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -82,8 +92,10 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -99,8 +111,10 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -114,8 +128,10 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -127,8 +143,10 @@ jobs:
     if: needs.files-changed.outputs.frontend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v5
         with:
@@ -143,8 +161,10 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -175,8 +195,10 @@ jobs:
     if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v5
         with:
@@ -188,8 +210,10 @@ jobs:
     if: needs.files-changed.outputs.actions == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod

.github/workflows/pull-db-tests.yml

@@ -15,6 +15,8 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     services:
       pgsql:
         image: postgres:14
@@ -38,7 +40,7 @@ jobs:
         ports:
           - "9000:9000"
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -65,8 +67,10 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -90,6 +94,8 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     services:
       elasticsearch:
         image: elasticsearch:7.5.0
@@ -124,7 +130,7 @@ jobs:
         ports:
           - 10000:10000
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -152,6 +158,8 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     services:
       mysql:
         # the bitnami mysql image has more options than the official one, it's easier to customize
@@ -177,7 +185,7 @@ jobs:
           - "587:587"
           - "993:993"
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -203,6 +211,8 @@ jobs:
     if: needs.files-changed.outputs.backend == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     services:
       mssql:
         image: mcr.microsoft.com/mssql/server:2019-latest
@@ -217,7 +227,7 @@ jobs:
         ports:
           - 10000:10000
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod

.github/workflows/pull-docker-dryrun.yml

@@ -15,8 +15,10 @@ jobs:
     if: needs.files-changed.outputs.docker == 'true' || needs.files-changed.outputs.actions == 'true'
     needs: files-changed
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: docker/setup-buildx-action@v3
       - name: Build regular container image
         uses: docker/build-push-action@v5

.github/workflows/release-nightly.yml

@@ -11,8 +11,10 @@ concurrency:
 jobs:
   nightly-binary:
     runs-on: namespace-profile-gitea-release-binary
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
@@ -56,12 +58,14 @@ jobs:
       - name: upload binaries to s3
         run: |
           aws s3 sync dist/release s3://${{ secrets.AWS_S3_BUCKET }}/gitea/${{ steps.clean_name.outputs.branch }} --no-progress
+
   nightly-container:
     runs-on: namespace-profile-gitea-release-docker
     permissions:
+      contents: read
       packages: write # to publish to ghcr.io
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force

.github/workflows/release-tag-rc.yml

@@ -12,8 +12,10 @@ concurrency:
 jobs:
   binary:
     runs-on: namespace-profile-gitea-release-binary
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
@@ -66,12 +68,14 @@ jobs:
           gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --draft --notes-from-tag dist/release/*
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+
   container:
     runs-on: namespace-profile-gitea-release-docker
     permissions:
+      contents: read
       packages: write # to publish to ghcr.io
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force

.github/workflows/release-tag-version.yml

@@ -15,9 +15,10 @@ jobs:
   binary:
     runs-on: namespace-profile-gitea-release-binary
     permissions:
+      contents: read
       packages: write # to publish to ghcr.io
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force
@@ -70,12 +71,14 @@ jobs:
           gh release create ${{ github.ref_name }} --title ${{ github.ref_name }} --notes-from-tag dist/release/*
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+
   container:
     runs-on: namespace-profile-gitea-release-docker
     permissions:
+      contents: read
       packages: write # to publish to ghcr.io
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       # fetch all commits instead of only the last as some branches are long lived and could have many between versions
       # fetch all tags to ensure that "git describe" reports expected Gitea version, eg. v1.21.0-dev-1-g1234567
       - run: git fetch --unshallow --quiet --tags --force

models/issues/issue_list.go

@@ -559,6 +559,74 @@ func (issues IssueList) LoadDiscussComments(ctx context.Context) error {
 	return issues.loadComments(ctx, builder.Eq{"comment.type": CommentTypeComment})
 }
 
+// GetBlockedByCounts returns a map of issue ID to number of open issues that are blocking it
+func (issues IssueList) GetBlockedByCount(ctx context.Context) (map[int64]int64, error) {
+	type BlockedByCount struct {
+		IssueID int64
+		Count   int64
+	}
+
+	bCounts := make([]*BlockedByCount, len(issues))
+	ids := make([]int64, len(issues))
+	for i, issue := range issues {
+		ids[i] = issue.ID
+	}
+
+	sess := db.GetEngine(ctx).In("issue_id", ids)
+	err := sess.Select("issue_id, count(issue_dependency.id) as `count`").
+		Join("INNER", "issue", "issue.id = issue_dependency.dependency_id").
+		Where("is_closed = ?", false).
+		GroupBy("issue_id").
+		OrderBy("issue_id").
+		Table("issue_dependency").
+		Find(&bCounts)
+	if err != nil {
+		return nil, err
+	}
+
+	blockedByCountMap := make(map[int64]int64, len(issues))
+	for _, c := range bCounts {
+		if c != nil {
+			blockedByCountMap[c.IssueID] = c.Count
+		}
+	}
+
+	return blockedByCountMap, nil
+}
+
+// GetBlockingCounts returns a map of issue ID to number of issues that are blocked by it
+func (issues IssueList) GetBlockingCount(ctx context.Context) (map[int64]int64, error) {
+	type BlockingCount struct {
+		IssueID int64
+		Count   int64
+	}
+
+	bCounts := make([]*BlockingCount, 0, len(issues))
+	ids := make([]int64, len(issues))
+	for i, issue := range issues {
+		ids[i] = issue.ID
+	}
+
+	sess := db.GetEngine(ctx).In("dependency_id", ids)
+	err := sess.Select("dependency_id as `issue_id`, count(id) as `count`").
+		GroupBy("dependency_id").
+		OrderBy("dependency_id").
+		Table("issue_dependency").
+		Find(&bCounts)
+	if err != nil {
+		return nil, err
+	}
+
+	blockingCountMap := make(map[int64]int64, len(issues))
+	for _, c := range bCounts {
+		if c != nil {
+			blockingCountMap[c.IssueID] = c.Count
+		}
+	}
+
+	return blockingCountMap, nil
+}
+
 // GetApprovalCounts returns a map of issue ID to slice of approval counts
 // FIXME: only returns official counts due to double counting of non-official approvals
 func (issues IssueList) GetApprovalCounts(ctx context.Context) (map[int64][]*ReviewCount, error) {

options/locale/locale_en-US.ini

@@ -1811,6 +1811,10 @@ issues.dependency.add_error_dep_not_exist = Dependency does not exist.
 issues.dependency.add_error_dep_exists = Dependency already exists.
 issues.dependency.add_error_cannot_create_circular = You cannot create a dependency with two issues that block each other.
 issues.dependency.add_error_dep_not_same_repo = Both issues must be in the same repository.
+issues.dependency.blocking_count_1 = "This issue is blocking %d other issue."
+issues.dependency.blocking_count_n = "This issue is blocking %d other issues."
+issues.dependency.blocked_by_count_1 = "This issue is blocked by %d issue."
+issues.dependency.blocked_by_count_n = "This issue is blocked by %d issues."
 issues.review.self.approval = You cannot approve your own pull request.
 issues.review.self.rejection = You cannot request changes on your own pull request.
 issues.review.approve = "approved these changes %s"

routers/web/repo/issue_list.go

@@ -654,6 +654,18 @@ func prepareIssueFilterAndList(ctx *context.Context, milestoneID, projectID int6
 		return
 	}
 
+	blockingCounts, err := issues.GetBlockingCount(ctx)
+	if err != nil {
+		ctx.ServerError("BlockingCounts", err)
+		return
+	}
+
+	blockedByCounts, err := issues.GetBlockedByCount(ctx)
+	if err != nil {
+		ctx.ServerError("BlockedByCounts", err)
+		return
+	}
+
 	if ctx.IsSigned {
 		if err := issues.LoadIsRead(ctx, ctx.Doer.ID); err != nil {
 			ctx.ServerError("LoadIsRead", err)
@@ -718,6 +730,21 @@ func prepareIssueFilterAndList(ctx *context.Context, milestoneID, projectID int6
 		return 0
 	}
 
+	ctx.Data["BlockingCounts"] = func(issueID int64) int64 {
+		counts, ok := blockingCounts[issueID]
+		if !ok {
+			return 0
+		}
+		return counts
+	}
+	ctx.Data["BlockedByCounts"] = func(issueID int64) int64 {
+		counts, ok := blockedByCounts[issueID]
+		if !ok {
+			return 0
+		}
+		return counts
+	}
+
 	retrieveProjectsForIssueList(ctx, repo)
 	if ctx.Written() {
 		return

routers/web/user/home.go

@@ -627,6 +627,33 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 		}
 		return 0
 	}
+
+	blockingCounts, err := issues.GetBlockingCount(ctx)
+	if err != nil {
+		ctx.ServerError("BlockingCounts", err)
+		return
+	}
+
+	blockedByCounts, err := issues.GetBlockedByCount(ctx)
+	if err != nil {
+		ctx.ServerError("BlockedByCounts", err)
+		return
+	}
+	ctx.Data["BlockingCounts"] = func(issueID int64) int64 {
+		counts, ok := blockingCounts[issueID]
+		if !ok {
+			return 0
+		}
+		return counts
+	}
+	ctx.Data["BlockedByCounts"] = func(issueID int64) int64 {
+		counts, ok := blockedByCounts[issueID]
+		if !ok {
+			return 0
+		}
+		return counts
+	}
+
 	ctx.Data["CommitLastStatus"] = lastStatus
 	ctx.Data["CommitStatuses"] = commitStatuses
 	ctx.Data["IssueStats"] = issueStats

routers/web/user/notification.go

@@ -279,6 +279,32 @@ func NotificationSubscriptions(ctx *context.Context) {
 		return 0
 	}
 
+	blockingCounts, err := issues.GetBlockingCount(ctx)
+	if err != nil {
+		ctx.ServerError("BlockingCounts", err)
+		return
+	}
+
+	blockedByCounts, err := issues.GetBlockedByCount(ctx)
+	if err != nil {
+		ctx.ServerError("BlockedByCounts", err)
+		return
+	}
+	ctx.Data["BlockingCounts"] = func(issueID int64) int64 {
+		counts, ok := blockingCounts[issueID]
+		if !ok {
+			return 0
+		}
+		return counts
+	}
+	ctx.Data["BlockedByCounts"] = func(issueID int64) int64 {
+		counts, ok := blockedByCounts[issueID]
+		if !ok {
+			return 0
+		}
+		return counts
+	}
+
 	ctx.Data["Status"] = 1
 	ctx.Data["Title"] = ctx.Tr("notification.subscriptions")
 

templates/shared/issuelist.tmpl

@@ -1,6 +1,10 @@
 <div id="issue-list" class="flex-list">
 	{{$approvalCounts := .ApprovalCounts}}
+	{{$blockedByCounts := .BlockedByCounts}}
+	{{$blockingCounts := .BlockingCounts}}
 	{{range .Issues}}
+		{{$blockedByCount := call $blockedByCounts .ID}}
+		{{$blockingCount := call $blockingCounts .ID}}
 		<div class="flex-item">
 
 			<div class="flex-item-leading">
@@ -22,6 +26,22 @@
 								{{template "repo/commit_statuses" dict "Status" (index $.CommitLastStatus .PullRequest.ID) "Statuses" (index $.CommitStatuses .PullRequest.ID)}}
 							{{end}}
 						{{end}}
+						{{if gt $blockedByCount 0}}
+							<div class="ui label label-blocking">
+								<span data-tooltip-content="{{ctx.Locale.TrN $blockedByCount "repo.issues.dependency.blocked_by_count_1" "repo.issues.dependency.blocked_by_count_n" $blockedByCount}}" class="text red flex-text-block">
+									{{svg "octicon-blocked" 16}}
+									{{$blockedByCount}}
+								</span>
+							</div>
+						{{end}}
+						{{if and (gt $blockingCount 0) (not .IsClosed)}}
+							<div class="ui label label-blocking">
+								<span data-tooltip-content="{{ctx.Locale.TrN $blockingCount "repo.issues.dependency.blocking_count_1" "repo.issues.dependency.blocking_count_n" $blockingCount}}" class="text red flex-text-block">
+									{{svg "octicon-report" 16}}
+									{{$blockingCount}}
+								</span>
+							</div>
+						{{end}}
 						<span class="labels-list">
 							{{range .Labels}}
 								<a href="?q={{$.Keyword}}&type={{$.ViewType}}&state={{$.State}}&labels={{.ID}}{{if ne $.listType "milestone"}}&milestone={{$.MilestoneID}}{{end}}&assignee={{$.AssigneeID}}&poster={{$.PosterID}}{{if $.ShowArchivedLabels}}&archived=true{{end}}">{{ctx.RenderUtils.RenderLabel .}}</a>

web_src/css/repo/issue-label.css

@@ -56,3 +56,10 @@
   top: 10px;
   right: 5px;
 }
+
+.label-blocking {
+  border: 1px solid var(--color-secondary) !important;
+  background: none transparent !important;
+  margin-left: 1px;
+  margin-right: 1px;
+}