Changelog 1.15.6 (#17457 )

* Changelog 1.15.6 Unforunately #17435 is a somewhat critical bug and therefore we should really release 1.15.6 as soon as possible. ## [1.15.6](https://github.com/go-gitea/gitea/releases/tag/v1.15.6) - 2021-10-27 * BUGFIXES * Prevent panic in serv.go with Deploy Keys (#17434) (#17435) * Fix CSV render error (#17406) (#17431) * Read expected buffer size (#17409) (#17430) Signed-off-by: Andrew Thornton <art27@cantab.net> * Add 17456 and its backport Signed-off-by: Andrew Thornton <art27@cantab.net> * Add 17464 Signed-off-by: Andrew Thornton <art27@cantab.net> * Add final pr * Update date Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Make commit-statuses popup show correctly (#17447 ) (#17466 )
2025-08-13 05:51:54 +02:00 · 2021-10-28 16:11:23 +08:00 · 2021-10-28 08:42:31 +01:00 · 2021-10-28 14:07:29 +08:00 · 2021-10-28 11:33:18 +08:00 · 2021-10-26 01:24:29 +02:00
3259 changed files with 214001 additions and 119847 deletions
--- a/.changelog.yml
+++ b/.changelog.yml
@@ -14,28 +14,28 @@ groups:
    name: BREAKING
    labels:
      - kind/breaking
-  -
-    name: FEATURES
-    labels:
-      - kind/feature
  -
    name: SECURITY
    labels:
      - kind/security
+  -
+    name: FEATURES
+    labels:
+      - kind/feature
  -
    name: API
    labels:
      - kind/api
-  -
-    name: BUGFIXES
-    labels:
-      - kind/bug
  -
    name: ENHANCEMENTS
    labels:
      - kind/enhancement
      - kind/refactor
      - kind/ui
+  -
+    name: BUGFIXES
+    labels:
+      - kind/bug
  -
    name: TESTING
    labels:
--- a/.drone.yml
+++ b/.drone.yml
@@ -4,7 +4,7 @@ name: compliance

 platform:
  os: linux
-  arch: arm64
+  arch: amd64

 trigger:
  event:
@@ -27,7 +27,7 @@ steps:

  - name: lint-backend
    pull: always
-    image: gitea/test_env:linux-arm64  # https://gitea.com/gitea/test-env
+    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
    commands:
      - make lint-backend
    environment:
@@ -37,7 +37,7 @@ steps:

  - name: lint-backend-windows
    pull: always
-    image: gitea/test_env:linux-arm64  # https://gitea.com/gitea/test-env
+    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
    commands:
      - make golangci-lint vet
    environment:
@@ -49,7 +49,7 @@ steps:

  - name: lint-backend-gogit
    pull: always
-    image: gitea/test_env:linux-arm64  # https://gitea.com/gitea/test-env
+    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
    commands:
      - make lint-backend
    environment:
@@ -70,15 +70,21 @@ steps:
      - make checks-backend
    depends_on: [lint-backend]

+  - name: test-frontend
+    image: node:14
+    commands:
+      - make test-frontend
+    depends_on: [lint-frontend]
+
  - name: build-frontend
    image: node:14
    commands:
      - make frontend
-    depends_on: [lint-frontend]
+    depends_on: [test-frontend]

  - name: build-backend-no-gcc
    pull: always
-    image: golang:1.14 # this step is kept as the lowest version of golang that we support
+    image: golang:1.16 # this step is kept as the lowest version of golang that we support
    environment:
      GO111MODULE: on
      GOPROXY: off
@@ -147,7 +153,7 @@ services:
      MYSQL_DATABASE: test

  - name: mysql8
-    image: mysql:8.0
+    image: mysql:8
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: yes
      MYSQL_DATABASE: testgitea
@@ -271,7 +277,7 @@ steps:
      - test-mysql
    when:
      branch:
-        - master
+        - main
      event:
        - push
        - pull_request
@@ -288,7 +294,7 @@ steps:
      - generate-coverage
    when:
      branch:
-        - master
+        - main
      event:
        - push
        - pull_request
@@ -313,7 +319,7 @@ trigger:
 services:
  - name: pgsql
    pull: default
-    image: postgres:9.5
+    image: postgres:10
    environment:
      POSTGRES_DB: test
      POSTGRES_PASSWORD: postgres
@@ -377,7 +383,7 @@ platform:

 trigger:
  branch:
-    - master
+    - main
  event:
    - cron
  cron:
@@ -408,6 +414,7 @@ steps:
    settings:
      author_email: "teabot@gitea.io"
      author_name: GiteaBot
+      branch: main
      commit: true
      commit_message: "[skip ci] Updated translations via Crowdin"
      remote: "git@github.com:go-gitea/gitea.git"
@@ -437,7 +444,7 @@ platform:

 trigger:
  branch:
-    - master
+    - main
  event:
    - cron
  cron:
@@ -455,6 +462,7 @@ steps:
    settings:
      author_email: "teabot@gitea.io"
      author_name: GiteaBot
+      branch: main
      commit: true
      commit_message: "[skip ci] Updated licenses and gitignores "
      remote: "git@github.com:go-gitea/gitea.git"
@@ -476,7 +484,7 @@ workspace:

 trigger:
  branch:
-    - master
+    - main
    - "release/*"
  event:
    - push
@@ -495,7 +503,7 @@ steps:
    pull: always
    image: techknowlogick/xgo:go-1.16.x
    commands:
-      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt -y install nodejs
+      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt-get install -y nodejs
      - export PATH=$PATH:$GOPATH/bin
      - make release
    environment:
@@ -519,10 +527,10 @@ steps:

  - name: release-branch
    pull: always
-    image: plugins/s3:1
+    image: woodpeckerci/plugin-s3:latest
    settings:
      acl: public-read
-      bucket: releases
+      bucket: gitea-artifacts
      endpoint: https://storage.gitea.io
      path_style: true
      source: "dist/release/*"
@@ -539,16 +547,16 @@ steps:
      event:
        - push

-  - name: release-master
-    image: plugins/s3:1
+  - name: release-main
+    image: woodpeckerci/plugin-s3:latest
    settings:
      acl: public-read
-      bucket: releases
+      bucket: gitea-artifacts
      endpoint: https://storage.gitea.io
      path_style: true
      source: "dist/release/*"
      strip_prefix: dist/release/
-      target: /gitea/master
+      target: /gitea/main
    environment:
      AWS_ACCESS_KEY_ID:
        from_secret: aws_access_key_id
@@ -556,7 +564,7 @@ steps:
        from_secret: aws_secret_access_key
    when:
      branch:
-        - master
+        - main
      event:
        - push

@@ -591,7 +599,7 @@ steps:
    pull: always
    image: techknowlogick/xgo:go-1.16.x
    commands:
-      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt -y install nodejs
+      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt-get install -y nodejs
      - export PATH=$PATH:$GOPATH/bin
      - make release
    environment:
@@ -615,10 +623,10 @@ steps:

  - name: release-tag
    pull: always
-    image: plugins/s3:1
+    image: woodpeckerci/plugin-s3:latest
    settings:
      acl: public-read
-      bucket: releases
+      bucket: gitea-artifacts
      endpoint: https://storage.gitea.io
      path_style: true
      source: "dist/release/*"
@@ -677,13 +685,13 @@ steps:
        from_secret: netlify_token
    when:
      branch:
-        - master
+        - main
      event:
        - push

 ---
 kind: pipeline
-name: docker-linux-amd64-release
+name: docker-linux-amd64-release-version

 platform:
  os: linux
@@ -695,7 +703,6 @@ depends_on:

 trigger:
  ref:
-  - refs/heads/master
  - "refs/tags/**"
  event:
    exclude:
@@ -709,7 +716,7 @@ steps:

  - name: publish
    pull: always
-    image: plugins/docker:linux-amd64
+    image: techknowlogick/drone-docker:latest
    settings:
      auto_tag: true
      auto_tag_suffix: linux-amd64
@@ -726,7 +733,7 @@ steps:
        - pull_request

  - name: publish-rootless
-    image: plugins/docker:linux-amd64
+    image: techknowlogick/drone-docker:latest
    settings:
      dockerfile: Dockerfile.rootless
      auto_tag: true
@@ -746,6 +753,70 @@ steps:
        exclude:
        - pull_request

+---
+kind: pipeline
+name: docker-linux-amd64-release
+
+platform:
+  os: linux
+  arch: amd64
+
+depends_on:
+  - testing-amd64
+  - testing-arm64
+
+trigger:
+  ref:
+  - refs/heads/main
+  event:
+    exclude:
+    - cron
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    commands:
+      - git fetch --tags --force
+
+  - name: publish
+    pull: always
+    image: techknowlogick/drone-docker:latest
+    settings:
+      auto_tag: false
+      tags: dev-linux-amd64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=off
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: techknowlogick/drone-docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      auto_tag: false
+      tags: dev-linux-amd64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=off
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+    when:
+      event:
+        exclude:
+        - pull_request
+
 ---
 kind: pipeline
 name: docker-linux-arm64-dry-run
@@ -764,7 +835,7 @@ trigger:
 steps:
  - name: dryrun
    pull: always
-    image: plugins/docker:linux-arm64
+    image: techknowlogick/drone-docker:latest
    settings:
      dry_run: true
      repo: gitea/gitea
@@ -780,7 +851,7 @@ steps:

 ---
 kind: pipeline
-name: docker-linux-arm64-release
+name: docker-linux-arm64-release-version

 platform:
  os: linux
@@ -792,7 +863,6 @@ depends_on:

 trigger:
  ref:
-  - refs/heads/master
  - "refs/tags/**"
  event:
    exclude:
@@ -806,7 +876,7 @@ steps:

  - name: publish
    pull: always
-    image: plugins/docker:linux-arm64
+    image: techknowlogick/drone-docker:latest
    settings:
      auto_tag: true
      auto_tag_suffix: linux-arm64
@@ -826,7 +896,7 @@ steps:
        - pull_request

  - name: publish-rootless
-    image: plugins/docker:linux-arm64
+    image: techknowlogick/drone-docker:latest
    settings:
      dockerfile: Dockerfile.rootless
      auto_tag: true
@@ -848,7 +918,73 @@ steps:

 ---
 kind: pipeline
-name: docker-manifest
+name: docker-linux-arm64-release
+
+platform:
+  os: linux
+  arch: arm64
+
+depends_on:
+  - testing-amd64
+  - testing-arm64
+
+trigger:
+  ref:
+  - refs/heads/main
+  event:
+    exclude:
+    - cron
+
+steps:
+  - name: fetch-tags
+    image: docker:git
+    commands:
+      - git fetch --tags --force
+
+  - name: publish
+    pull: always
+    image: techknowlogick/drone-docker:latest
+    settings:
+      auto_tag: false
+      tags: dev-linux-arm64
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=off
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+    when:
+      event:
+        exclude:
+        - pull_request
+
+  - name: publish-rootless
+    image: techknowlogick/drone-docker:latest
+    settings:
+      dockerfile: Dockerfile.rootless
+      auto_tag: false
+      tags: dev-linux-arm64-rootless
+      repo: gitea/gitea
+      build_args:
+        - GOPROXY=off
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+    environment:
+      PLUGIN_MIRROR:
+        from_secret: plugin_mirror
+    when:
+      event:
+        exclude:
+        - pull_request
+---
+kind: pipeline
+name: docker-manifest-version

 platform:
  os: linux
@@ -880,12 +1016,54 @@ steps:

 trigger:
  ref:
-  - refs/heads/master
  - "refs/tags/**"
  event:
    exclude:
    - cron

+depends_on:
+  - docker-linux-amd64-release-version
+  - docker-linux-arm64-release-version
+
+---
+kind: pipeline
+name: docker-manifest
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+  - name: manifest-rootless
+    pull: always
+    image: plugins/manifest
+    settings:
+      auto_tag: false
+      ignore_missing: true
+      spec: docker/manifest.rootless.tmpl
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+
+  - name: manifest
+    image: plugins/manifest
+    settings:
+      auto_tag: false
+      ignore_missing: true
+      spec: docker/manifest.tmpl
+      password:
+        from_secret: docker_password
+      username:
+        from_secret: docker_username
+
+trigger:
+  ref:
+  - refs/heads/main
+  event:
+    exclude:
+    - cron
+
 depends_on:
  - docker-linux-amd64-release
  - docker-linux-arm64-release
@@ -903,7 +1081,7 @@ clone:

 trigger:
  branch:
-    - master
+    - main
    - "release/*"
  event:
    - push
@@ -919,7 +1097,10 @@ depends_on:
  - release-latest
  - docker-linux-amd64-release
  - docker-linux-arm64-release
+  - docker-linux-amd64-release-version
+  - docker-linux-arm64-release-version
  - docker-manifest
+  - docker-manifest-version
  - docs

 steps:
--- a/.editorconfig
+++ b/.editorconfig
@@ -12,6 +12,15 @@ insert_final_newline = true
 [*.{go,tmpl,html}]
 indent_style = tab

+[templates/custom/*.tmpl]
+insert_final_newline = false
+
+[templates/swagger/v1_json.tmpl]
+indent_style = space
+
+[templates/user/auth/oidc_wellknown.tmpl]
+indent_style = space
+
 [Makefile]
 indent_style = tab

--- a/.eslintrc
+++ b/.eslintrc
@@ -53,6 +53,12 @@ overrides:
    rules:
      import/no-unresolved: [0]
      import/no-extraneous-dependencies: [0]
+  - files: ["*.test.js"]
+    env:
+      jest: true
+  - files: ["*.config.js"]
+    rules:
+      import/no-unused-modules: [0]

 rules:
  accessor-pairs: [2]
@@ -344,6 +350,7 @@ rules:
  unicode-bom: [2, never]
  unicorn/better-regex: [0]
  unicorn/catch-error-name: [0]
+  unicorn/consistent-destructuring: [2]
  unicorn/consistent-function-scoping: [2]
  unicorn/custom-error-definition: [0]
  unicorn/empty-brace-spaces: [2]
@@ -356,19 +363,25 @@ rules:
  unicorn/import-style: [0]
  unicorn/new-for-builtins: [2]
  unicorn/no-abusive-eslint-disable: [0]
+  unicorn/no-array-for-each: [0]
  unicorn/no-array-instanceof: [0]
+  unicorn/no-array-push-push: [2]
  unicorn/no-console-spaces: [0]
+  unicorn/no-document-cookie: [2]
  unicorn/no-fn-reference-in-iterator: [0]
  unicorn/no-for-loop: [0]
  unicorn/no-hex-escape: [0]
  unicorn/no-keyword-prefix: [0]
  unicorn/no-lonely-if: [2]
  unicorn/no-nested-ternary: [0]
+  unicorn/no-new-array: [0]
  unicorn/no-new-buffer: [0]
  unicorn/no-null: [0]
  unicorn/no-object-as-default-parameter: [2]
  unicorn/no-process-exit: [0]
  unicorn/no-reduce: [2]
+  unicorn/no-static-only-class: [2]
+  unicorn/no-this-assignment: [2]
  unicorn/no-unreadable-array-destructuring: [0]
  unicorn/no-unsafe-regex: [0]
  unicorn/no-unused-properties: [2]
@@ -378,24 +391,33 @@ rules:
  unicorn/numeric-separators-style: [0]
  unicorn/prefer-add-event-listener: [2]
  unicorn/prefer-array-find: [2]
+  unicorn/prefer-array-flat-map: [2]
+  unicorn/prefer-array-flat: [2]
+  unicorn/prefer-array-index-of: [2]
+  unicorn/prefer-array-some: [2]
  unicorn/prefer-dataset: [2]
  unicorn/prefer-date-now: [2]
+  unicorn/prefer-default-parameters: [0]
  unicorn/prefer-event-key: [2]
  unicorn/prefer-includes: [2]
  unicorn/prefer-math-trunc: [2]
  unicorn/prefer-modern-dom-apis: [0]
+  unicorn/prefer-module: [2]
  unicorn/prefer-negative-index: [2]
  unicorn/prefer-node-append: [0]
+  unicorn/prefer-node-protocol: [0]
  unicorn/prefer-node-remove: [0]
  unicorn/prefer-number-properties: [0]
  unicorn/prefer-optional-catch-binding: [2]
  unicorn/prefer-query-selector: [0]
  unicorn/prefer-reflect-apply: [0]
+  unicorn/prefer-regexp-test: [2]
  unicorn/prefer-replace-all: [0]
  unicorn/prefer-set-has: [0]
  unicorn/prefer-spread: [0]
  unicorn/prefer-starts-ends-with: [2]
  unicorn/prefer-string-slice: [0]
+  unicorn/prefer-switch: [0]
  unicorn/prefer-ternary: [0]
  unicorn/prefer-text-content: [2]
  unicorn/prefer-trim-start-end: [2]
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,6 +1,6 @@
 Please check the following:

-1. Make sure you are targeting the `master` branch, pull requests on release branches are only allowed for bug fixes.
+1. Make sure you are targeting the `main` branch, pull requests on release branches are only allowed for bug fixes.
 2. Read contributing guidelines: https://github.com/go-gitea/gitea/blob/master/CONTRIBUTING.md
 3. Describe what your pull request does and which issue you're targeting (if any)

--- a/.gitignore
+++ b/.gitignore
@@ -32,6 +32,7 @@ _testmain.go

 *coverage.out
 coverage.all
+cpu.out

 /modules/options/bindata.go
 /modules/options/bindata.go.hash
@@ -75,11 +76,14 @@ coverage.all
 /integrations/mssql.ini
 /node_modules
 /yarn.lock
+/yarn-error.log
+/npm-debug.log*
 /public/js
 /public/serviceworker.js
 /public/css
 /public/fonts
 /public/img/webpack
+/web_src/fomantic/node_modules
 /web_src/fomantic/build/*
 !/web_src/fomantic/build/semantic.js
 !/web_src/fomantic/build/semantic.css
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -70,9 +70,6 @@ issues:
    - path: modules/log/
      linters:
        - errcheck
-    - path: routers/routes/web.go
-      linters:
-        - dupl
    - path: routers/api/v1/repo/issue_subscription.go
      linters:
        - dupl
@@ -114,3 +111,4 @@ issues:
      linters:
        - staticcheck
      text: "svc.IsAnInteractiveSession is deprecated: Use IsWindowsService instead."
+
--- a/.npmrc
+++ b/.npmrc
@@ -1,4 +1,5 @@
 audit=false
 fund=false
+update-notifier=false
 package-lock=true
 save-exact=true
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,454 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).

-## [1.14.2](https://github.com/go-gitea/gitea/releases/tag/v1.14.2) - 2021-05-08
+## [1.15.6](https://github.com/go-gitea/gitea/releases/tag/v1.15.6) - 2021-10-28
+
+* BUGFIXES
+  * Prevent panic in serv.go with Deploy Keys (#17434) (#17435)
+  * Fix CSV render error (#17406) (#17431)
+  * Read expected buffer size (#17409) (#17430)
+  * Ensure that restricted users can access repos for which they are members (#17460) (#17464)
+  * Make commit-statuses popup show correctly (#17447) (#17466)
+* TESTING
+  * Add integration tests for private.NoServCommand and private.ServCommand (#17456) (#17463)
+
+## [1.15.5](https://github.com/go-gitea/gitea/releases/tag/v1.15.5) - 2021-10-21
+
+* SECURITY
+  * Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
+  * Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
+* BUGFIXES
+  * Prevent NPE in CSV diff rendering when column removed (#17018) (#17377)
+  * Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (#17281) (#17376)
+  * Don't panic if we fail to parse U2FRegistration data (#17304) (#17371)
+  * Ensure popup text is aligned left (backport for 1.15) (#17343)
+  * Ensure that git daemon export ok is created for mirrors (#17243) (#17306)
+  * Disable core.protectNTFS (#17300) (#17302)
+  * Use pointer for wrappedConn methods (#17295) (#17296)
+  * AutoRegistration is supposed to be working with disabled registration (backport) (#17292)
+  * Handle duplicate keys on GPG key ring (#17242) (#17284)
+  * Fix SVG side by side comparison link (#17375) (#17391)
+
+## [1.15.4](https://github.com/go-gitea/gitea/releases/tag/v1.15.4) - 2021-10-08
+* BUGFIXES
+  * Raw file API: don't try to interpret 40char filenames as commit SHA (#17185) (#17272)
+  * Don't allow merged PRs to be reopened (#17192) (#17271)
+  * Fix incorrect repository count on organization tab of dashboard (#17256) (#17266)
+  * Fix unwanted team review request deletion (#17257) (#17264)
+  * Fix broken Activities link in team dashboard (#17255) (#17258)
+  * API pull's head/base have correct permission(#17214) (#17245)
+  * Fix stange behavior of DownloadPullDiffOrPatch in incorect index (#17223) (#17227)
+  * Upgrade xorm to v1.2.5 (#17177) (#17188)
+  * Fix missing repo link in issue/pull assigned emails (#17183) (#17184)
+  * Fix bug of get context user (#17169) (#17172)
+  * Nicely handle missing user in collaborations (#17049) (#17166)
+  * Add Horizontal scrollbar to inner menu on Chrome (#17086) (#17164)
+  * Fix wrong i18n keys (#17150) (#17153)
+  * Fix Archive Creation: correct transaction ending (#17151)
+  * Prevent panic in Org mode HighlightCodeBlock (#17140) (#17141)
+  * Create doctor command to fix repo_units broken by dumps from 1.14.3-1.14.6 (#17136) (#17137)
+* ENHANCEMENT
+  * Check user instead of organization when creating a repo from a template via API (#16346) (#17195)
+* TRANSLATION
+  * v1.15 fix Sprintf format 'verbs' in locale files (#17187)
+
+
+## [1.15.3](https://github.com/go-gitea/gitea/releases/tag/v1.15.3) - 2021-09-19
+
+* ENHANCEMENTS
+  * Add fluid to ui container class to remove margin (#16396) (#16976)
+  * Add caller to cat-file batch calls (#17082) (#17089)
+* BUGFIXES
+  * Render full plain readme. (#17083) (#17090)
+  * Upgrade xorm to v1.2.4 (#17059)
+  * Fix bug of migrate comments which only fetch one page (#17055) (#17058)
+  * Do not show issue context popup on external issues (#17050) (#17054)
+  * Decrement Fork Num when converting from Fork (#17035) (#17046)
+  * Correctly rollback in ForkRepository (#17034) (#17045)
+  * Fix missing close in WalkGitLog (#17008) (#17009)
+  * Add prefix to SVG id/class attributes (#16997) (#17000)
+  * Fix bug of migrated repository not index (#16991) (#16996)
+  * Skip AllowedUserVisibilityModes validation on update user if it is an organisation (#16988) (#16990)
+  * Fix storage Iterate bug and Add storage doctor to delete garbage attachments (#16971) (#16977)
+  * Fix issue with issue default mail template (#16956) (#16975)
+  * Ensure that rebase conflicts are handled in updates (#16952) (#16960)
+  * Prevent panic on diff generation (#16950) (#16951)
+
+## [1.15.2](https://github.com/go-gitea/gitea/releases/tag/v1.15.2) - 2021-09-03
+
+* BUGFIXES
+  * Add unique constraint back into issue_index (#16938)
+  * Close storage objects before cleaning (#16934) (#16942)
+
+## [1.15.1](https://github.com/go-gitea/gitea/releases/tag/v1.15.1) - 2021-09-02
+
+* BUGFIXES
+  * Allow BASIC authentication access to /:owner/:repo/releases/download/* (#16916) (#16923)
+  * Prevent leave changes dialogs due to autofill fields (#16912) (#16920)
+  * Ignore review comment when ref commit is missed (#16905) (#16919)
+  * Fix wrong attachment removal (#16915) (#16917)
+  * Gitlab Migrator: dont ignore reactions of last request (#16903) (#16913)
+  * Correctly return the number of Repositories for Organizations (#16807) (#16911)
+  * Test if LFS object is accessible (#16865) (#16904)
+  * Fix git.Blob.DataAsync(): close pipe since we return a NopCloser (#16899) (#16900)
+  * Fix dump and restore respository (#16698) (#16898)
+  * Repare and Improve GetDiffRangeWithWhitespaceBehavior (#16894) (#16895)
+  * Fix wiki raw commit diff/patch view (#16891) (#16892)
+  * Ensure wiki repos are all closed (#16886) (#16888)
+  * List limited and private orgs if authenticated on API (#16866) (#16879)
+  * Simplify split diff view generation and remove JS dependency (#16775) (#16863)
+  * Ensure that the default visibility is set on the user create page (#16845) (#16862)
+  * In Render tolerate not being passed a context (#16842) (#16858)
+  * Upgrade xorm to v1.2.2 (#16663) & Add test to ensure that dumping of login sources remains correct (#16847) (#16848)
+  * Report the correct number of pushes on the feeds (#16811) (#16822)
+  * Add primary_key to issue_index (#16813) (#16820)
+  * Prevent NPE on empty commit (#16812) (#16819)
+  * Fix branch pagination error (#16805) (#16816)
+  * Add missing return to handleSettingRemoteAddrError (#16794) (#16795)
+  * Remove spurious / from issues.opened_by (#16793)
+  * Ensure that template compilation panics are sent to the logs (#16788) (#16792)
+  * Update caddyserver/certmagic (#16789) (#16790)
+
+## [1.15.0](https://github.com/go-gitea/gitea/releases/tag/v1.15.0) - 2021-08-21
+
+* BREAKING
+  * Make app.ini permissions more restrictive (#16266)
+  * Refactor Webhook + Add X-Hub-Signature (#16176)
+  * Add asymmetric JWT signing (#16010)
+  * Clean-up the settings hierarchy for issue_indexer queue (#16001)
+  * Change default queue settings to be low go-routines (#15964)
+  * Improve assets handler middleware (#15961)
+  * Rename StaticUrlPrefix to AssetUrlPrefix (#15779)
+  * Use a generic markup class to display externally rendered files and diffs (#15735)
+  * Add frontend testing, require node 12 (#15315)
+  * Move (custom) assets into subpath `/assets` (#15219)
+  * Use level config in log section when sub log section not set level (#15176)
+  * Links in markdown should be absolute to the repository not the server (#15088)
+  * Upgrade to the latest version of golang-jwt (#16590) (#16606)
+  * Set minimum supported version of go to 1.16 (#16710)
+* SECURITY
+  * Encrypt LDAP bind password in db with SECRET_KEY (#15547)
+  * Remove random password in Dockerfiles (#15362)
+  * Upgrade to the latest version of golang-jwt and increase minimum go to 1.15 (#16590) (#16606)
+  * Correctly create of git-daemon-export-ok files (#16508) (#16514)
+  * Don't show private user's repo in explore view (#16550) (#16554)
+  * Update node tar dependency to 6.1.6 (#16622) (#16623)
+* FEATURES
+  * Update Go-Git to take advantage of LargeObjectThreshold (#16316)
+  * Support custom mime type mapping for text files (#16304)
+  * Link to previous blames in file blame page (#16259)
+  * Add LRU mem cache implementation (#16226)
+  * Localize Email Templates (#16200)
+  * Make command in authorized keys a template (#16003)
+  * Add possibility to make branch in branch page (#15960)
+  * Add email headers (#15939)
+  * Make tasklist checkboxes clickable (#15791)
+  * Add selecting tags on the compare page (#15723)
+  * Add cron job to delete old actions from database (#15688)
+  * On open repository open common cat file batch and batch-check (#15667)
+  * Add tag protection (#15629)
+  * Add push to remote mirror repository (#15157)
+  * Add Image Diff for SVG files (#14867)
+  * Add dashboard milestone search and repo milestone search by name. (#14866)
+  * Add LFS Migration and Mirror (#14726)
+  * Improve notifications for WIP draft PR's (#14663)
+  * Disable Stars config option (#14653)
+  * GPG Key Ownership verification with Signed Token (#14054)
+  * OAuth2 auto-register (#5123)
+* API
+  * Return updated repository when changing repository using API (#16420)
+  * Let branch/tag name be a valid ref to get CI status (#16400)
+  * Add endpoint to get commits of PR (#16300)
+  * Allow COMMENT reviews to not specify a body (#16229)
+  * Add subject-type filter to list notification API endpoints (#16177)
+  * ListReleases add filter for draft and pre-releases (#16175)
+  * ListIssues add more filters (#16174)
+  * Issue Search Add filter for MilestoneNames (#16173)
+  * GET / SET User Settings (#16169)
+  * Expose repo.GetReviewers() & repo.GetAssignees() (#16168)
+  * User expose counters (#16167)
+  * Add repoGetTag (#16166)
+  * Add repoCreateTag (#16165)
+  * Creating a repo from a template repo via API (#15958)
+  * Add Active and ProhibitLogin to API (#15689)
+  * Add Location, Website and Description to API (#15675)
+  * Expose resolver via API (#15167)
+  * Swagger AccessToken fixes (#16574) (#16597)
+  * Set AllowedHeaders on API CORS handler (#16524) (#16618)
+* ENHANCEMENTS
+  * Support HTTP/2 in Let's Encrypt (#16371)
+  * Introduce NotifySubjectType (#16320)
+  * Add forge emojies (#16296)
+  * Implemented head_commit for webhooks (#16282)
+  * Upgrade Gliderlabs SSH to 0.3.3 and add FailedConnectionCallback (#16278)
+  * Add previous/next buttons to review comments (#16273)
+  * Review comments: break-word for long file names (#16272)
+  * Add configuration to restrict allowed user visibility modes (#16271)
+  * Add scroll-margin-top to account for sticky header (#16269)
+  * Add --quiet and --verbose to gitea web to control initial logging (#16260)
+  * Use gitea logging module for git module (#16243)
+  * Add tests for all webhooks (#16214)
+  * Add button to delete undeleted repositories from failed migrations (#16197)
+  * Speed up git diff highlight generation (#16180)
+  * Add OpenID claims "profile" and "email". (#16141)
+  * Reintroduce squash merge default comment as a config setting (#16134)
+  * Add sanitizer rules per renderer (#16110)
+  * Improve performance of dashboard list orgs (#16099)
+  * Refactor assert statements in tests (#16089)
+  * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086)
+  * Remove unnecessary goroutine (#16080)
+  * Add attachments for PR reviews (#16075)
+  * Make the github migration less rate limit waiting to get comment per page from repository but not per issue (#16070)
+  * Add Visible modes function from Organisation to Users too (#16069)
+  * Add checkbox to delete pull branch after successful merge (#16049)
+  * Make commit info cancelable (#16032)
+  * Make modules/context.Context a context.Context (#16031)
+  * Unified custom config creation (#16012)
+  * Make sshd_config more flexible regarding connections (#16009)
+  * Append to existing trailers in generated squash commit message (#15980)
+  * Always store primary email address into email_address table and also the state (#15956)
+  * Load issue/PR context popup data only when needed (#15955)
+  * Remove remaining fontawesome usage in templates (#15952)
+  * Remove fomantic accordion module (#15951)
+  * Small refactoring of modules/private (#15947)
+  * Double the avatar size factor (#15941)
+  * Add curl to rootless docker image (#15908)
+  * Replace clipboard.js with async clipboard api (#15899)
+  * Allow custom highlight mapping beyond file extensions (#15808)
+  * Add trace logging to SSO methods (#15803)
+  * Refactor routers directory (#15800)
+  * Allow only internal registration (#15795)
+  * Add a new internal hook to save ssh log (#15787)
+  * Respect default merge message syntax when parsing item references (#15772)
+  * OAuth2 login: Set account link to "login" as default behavior (#15768)
+  * Use single shared random string generation function (#15741)
+  * Hold the event source when there are no listeners (#15725)
+  * Code comments improvements (#15722)
+  * Provide OIDC compliant user info endpoint (#15721)
+  * Fix webkit calendar icon color on arc-green (#15713)
+  * Improve Light Chroma style (#15699)
+  * Only use boost workers for leveldb shadow queues (#15696)
+  * Add compare tag dropdown to releases page (#15695)
+  * Add caret styling CSS (#15651)
+  * Remove x-ua-compatible meta tag (#15640)
+  * Refactor of link creation (#15619)
+  * Add a new table issue_index to store the max issue index so that issue could be deleted with no duplicated index (#15599)
+  * Rewrite of the LFS server (#15523)
+  * Display more repository type on admin repository management (#15440)
+  * Remove usage of some JS globals (#15378)
+  * SHA in merged commit comment should be rendered ui sha (#15376)
+  * Add well-known config for OIDC (#15355)
+  * Use route rather than use thus reducing the number of stack frames (#15301)
+  * Code Formats, Nits & Unused Func/Var deletions (#15286)
+  * Let package git depend on setting but not opposite (#15241)
+  * Fixed sanitize errors (#15240)
+  * response simple text message for not html request when 404 (#15229)
+  * Remove file-loader dependency (#15196)
+  * Refactor renders (#15175)
+  * Add mimetype mapping settings (#15133)
+  * Add Status Updates whilst Gitea migrations are occurring (#15076)
+  * Reload locales in initialisation if needed by utilizing i18n.Reset (#15073)
+  * Counterwork seemingly unclickable repo button labels (#15064)
+  * Add DefaultMergeStyle option to repository (#14789)
+  * Added support for gopher URLs. (#14749)
+  * Rework repository archive (#14723)
+  * Add links to toggle WIP status (#14677)
+  * Add Tabular Diff for CSV files (#14661)
+  * Use milestone deadline when sorting issues (#14551)
+* BUGFIXES
+  * Fix invalid params and typo of email templates (#16394)
+  * Fix activation of primary email addresses (#16385)
+  * Fix calculation for finalPage in repo-search component (#16382)
+  * Specify user in rootless container numerically (#16361)
+  * Detect encoding changes while parsing diff (#16330)
+  * Fix U2F error reasons always hidden (#16327)
+  * Prevent zombie processes (#16314)
+  * Escape reference to `user` table in models.SearchEmails (#16313)
+  * Fix default push instructions on empty repos (#16302)
+  * Fix modified files list in webhooks when there is a space (#16288)
+  * Fix webhook commits wrong hash on HEAD reset (#16283)
+  * Fuzzer finds an NPE due to incorrect URLPrefix (#16249)
+  * Don't WARN log UserNotExist errors on ExternalUserLogin failure (#16238)
+  * Do not show No match found for tribute (#16231)
+  * Fix "Copy Link" for pull requests (#16230)
+  * Fix diff expansion is missing final line in a file (#16222)
+  * Fix private repo permission problem (#16142)
+  * Fix not able to update local created non-urlencoded wiki pages (#16139)
+  * More efficiently parse shas for shaPostProcessor (#16101)
+  * Fix `doctor --run check-db-consistency --fix` with label fix (#16094)
+  * Prevent webhook action buttons from shifting (#16087)
+  * Change default TMPDIR path in rootless containers (#16077)
+  * Fix typo and add TODO notice (#16064)
+  * Use git log name-status in get last commit (#16059)
+  * Fix 500 Error with branch and tag sharing the same name (#16040)
+  * Fix get tag when migration (#16014)
+  * Add custom emoji support (#16004)
+  * Use filepath.ToSlash and Join in indexer defaults and queues (#15971)
+  * Add permission check for ``GenerateRepository`` (#15946)
+  * Ensure settings for Service and Mailer are read on the install page (#15943)
+  * Fix layout of milestone view (#15927)
+  * Unregister non-matching serviceworkers (#15834)
+  * Multiple Queue improvements: LevelDB Wait on empty, shutdown empty shadow level queue, reduce goroutines etc (#15693)
+  * Attachment support repository route (#15580)
+  * Fix missing icons and colorpicker when mounted on suburl (#15501)
+  * Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username (#15304)
+  * Prevent double-login for Git HTTP and LFS and simplify login (#15303)
+  * Resolve Object { type: "error", data: undefined } in stopwatch.js (#15278)
+  * Fix heatmap activity (#15252)
+  * Remove vendored copy of fomantic-dropdown (#15193)
+  * Update repository size on cron gc task (#15177)
+  * Add NeedPostProcess for Parser interface to improve performance of csv parser and some external parser (#15153)
+  * Add code block highlight to orgmode back (#14222)
+  * Remove User.GetOrganizations() (#14032)
+  * Restore Accessibility for Dropdown (#16576) (#16617)
+  * Pass down SignedUserName down to AccessLogger context (#16605) (#16616)
+  * Fix table alignment in markdown (#16596) (#16602)
+  * Fix 500 on first wiki page (#16586) (#16598)
+  * Lock goth/gothic and Re-attempt OAuth2 registration on login if registration failed at startup (#16564) (#16570)
+  * Upgrade levelqueue to v0.4.0 (#16560) (#16561)
+  * Handle too long PR titles correctly (#16517) (#16549)
+  * Fix data race in bleve indexer (#16474) (#16509)
+  * Restore CORS on git smart http protocol (#16496) (#16506)
+  * Fix race in log (#16490) (#16505)
+  * Fix prepareWikiFileName to respect existing unescaped files (#16487) (#16498)
+  * Make cancel from CatFileBatch and CatFileBatchCheck wait for the command to end (#16479) (#16480)
+  * Update notification table with only latest data (#16445) (#16469)
+  * Fix crash following ldap authentication update (#16447) (#16448)
+  * Fix direct creation of external users on admin page (partial #16612) (#16613)
+  * Prevent 500 on draft releases without tag (#16634) (#16636)
+  * Restore creation of git-daemon-export-ok files (#16508) (#16514)
+  * Fix data race in bleve indexer (#16474) (#16509)
+  * Restore CORS on git smart http protocol (#16496) (#16506)
+  * Fix race in log (#16490) (#16505)
+  * Fix prepareWikiFileName to respect existing unescaped files (#16487) (#16498)
+  * Make cancel from CatFileBatch and CatFileBatchCheck wait for the command to end (#16479) (#16480)
+  * Update notification table with only latest data (#16445) (#16469)
+  * Fix crash following ldap authentication update (#16447) (#16448)
+  * Restore compatibility with SQLServer 2008 R2 in migrations (#16638)
+  * Fix direct creation of external users on admin page (#16613)
+  * Fix go-git implementation of GetNote when passed a non-existent commit (#16658) (#16659)
+  * Fix NPE in fuzzer (#16680) (#16682)
+  * Set issue_index when finishing migration (#16685) (#16687)
+  * Skip patch download when no patch file exists (#16356) (#16681)
+  * Ensure empty lines are copiable and final new line too (#16678) (#16692)
+  * Fix wrong user in OpenID response (#16736) (#16741)
+  * Do not use thin scrollbars on Firefox (#16738) (#16745)
+  * Recreate Tables should Recreate indexes on MySQL (#16718) (#16739)
+  * Keep attachments on tasklist update (#16750) (#16757)
+* TESTING
+  * Bump `postgres` and `mysql` versions (#15710)
+  * Add tests for clone from wiki (#15513)
+  * Fix Benchmark tests, remove a broken one & add two new  (#15250)
+  * Create Proper Migration tests (#15116)
+* TRANSLATION
+  * Use a special name for update default branch on repository setting (#15893)
+  * Fix mirror_lfs source string in en-US locale (#15369)
+* BUILD
+  * Upgrade xorm to v1.1.1 (#16339)
+  * Disable legal comments in esbuild (#15929)
+  * Switch to Node 16 to build fronted  (#15804)
+  * Use esbuild to minify CSS (#15756)
+  * Use binary version of revive linter (#15739)
+  * Fix: npx webpack make: *** [Makefile:699: public/js/index.js] Error -… (#15465)
+  * Stop packaging node_modules in release tarballs (#15273)
+  * Introduce esbuild on webpack (#14578)
+* DOCS
+  * Update queue workers documentation (#15999)
+  * Comment out app.example.ini (#15807)
+  * Improve logo customization docs (#15754)
+  * Add some response status on api docs (#15399)
+  * Rework Token API comments (#15162)
+  * Add better errors for disabled account recovery (#15117)
+* MISC
+  * Remove utf8 option from installation page (#16126)
+  * Use Wants= over Requires= in systemd file (#15897)
+
+## [1.14.6](https://github.com/go-gitea/gitea/releases/tag/v1.14.6) - 2021-08-04
+
+* SECURITY
+  * Bump github.com/markbates/goth from v1.67.1 to v1.68.0 (#16538) (#16540)
+  * Switch to maintained JWT lib (#16532) (#16535)
+  * Upgrade to latest version of golang-jwt (as forked for 1.14) (#16590) (#16607)
+* BUGFIXES
+  * Add basic edit ldap auth test & actually fix #16252 (#16465) (#16495)
+  * Make cancel from CatFileBatch and CatFileBatchCheck wait for the command to end (#16479) (#16481)
+
+## [1.14.5](https://github.com/go-gitea/gitea/releases/tag/v1.14.5) - 2021-07-16
+
+* SECURITY
+  * Hide mirror passwords on repo settings page (#16022) (#16355)
+  * Update bluemonday to v1.0.15 (#16379) (#16380)
+* BUGFIXES
+  * Retry rename on lock induced failures (#16435) (#16439)
+  * Validate issue index before querying DB (#16406) (#16410)
+  * Fix crash following ldap authentication update (#16447) (#16449)
+* ENHANCEMENTS
+  * Redirect on bad CSRF instead of presenting bad page (#14937) (#16378)
+
+## [1.14.4](https://github.com/go-gitea/gitea/releases/tag/v1.14.4) - 2021-07-06
+
+* BUGFIXES
+  * Fix relative links in postprocessed images (#16334) (#16340)
+  * Fix list_options GetStartEnd (#16303) (#16305)
+  * Fix API to use author for commits instead of committer (#16276) (#16277)
+  * Handle misencoding of login_source cfg in mssql (#16268) (#16275)
+  * Fixed issues not updated by commits (#16254) (#16261)
+  * Improve efficiency in FindRenderizableReferenceNumeric and getReference (#16251) (#16255)
+  * Use html.Parse rather than html.ParseFragment (#16223) (#16225)
+  * Fix milestone counters on new issue (#16183) (#16224)
+  * reqOrgMembership calls need to be preceded by reqToken (#16198) (#16219)
+
+## [1.14.3](https://github.com/go-gitea/gitea/releases/tag/v1.14.3) - 2021-06-18
+
+* SECURITY
+  * Encrypt migration credentials at rest (#15895) (#16187)
+  * Only check access tokens if they are likely to be tokens (#16164) (#16171)
+  * Add missing SameSite settings for the i_like_gitea cookie (#16037) (#16039)
+  * Fix setting of SameSite on cookies (#15989) (#15991)
+* API
+  * Repository object only count releases as releases (#16184) (#16190)
+  * EditOrg respect RepoAdminChangeTeamAccess option (#16184) (#16190)
+  * Fix overly strict edit pr permissions (#15900) (#16081)
+* BUGFIXES
+  * Run processors on whole of text (#16155) (#16185)
+  * Class `issue-keyword` is being incorrectly stripped off spans (#16163) (#16172)
+  * Fix language switch for install page (#16043) (#16128)
+  * Fix bug on getIssueIDsByRepoID (#16119) (#16124)
+  * Set self-adjusting deadline for connection writing (#16068) (#16123)
+  * Fix http path bug (#16117) (#16120)
+  * Fix data URI scramble (#16098) (#16118)
+  * Merge all deleteBranch as one function and also fix bug when delete branch don't close related PRs (#16067) (#16097)
+  * git migration: don't prompt interactively for clone credentials (#15902) (#16082)
+  * Fix case change in ownernames (#16045) (#16050)
+  * Don't manipulate input params in email notification (#16011) (#16033)
+  * Remove branch URL before IssueRefURL (#15968) (#15970)
+  * Fix layout of milestone view (#15927) (#15940)
+  * GitHub Migration, migrate draft releases too (#15884) (#15888)
+  * Close the gitrepo when deleting the repository (#15876) (#15887)
+  * Upgrade xorm to v1.1.0 (#15869) (#15885)
+  * Fix blame row height alignment (#15863) (#15883)
+  * Fix error message when saving generated LOCAL_ROOT_URL config (#15880) (#15882)
+  * Backport Fix LFS commit finder not working (#15856) (#15874)
+  * Stop calling WriteHeader in Write (#15862) (#15873)
+  * Add timeout to writing to responses (#15831) (#15872)
+  * Return go-get info on subdirs (#15642) (#15871)
+  * Restore PAM user autocreation functionality (#15825) (#15867)
+  * Fix truncate utf8 string (#15828) (#15854)
+  * Fix bound address/port for caddy's certmagic library (#15758) (#15848)
+  * Upgrade unrolled/render to v1.1.1 (#15845) (#15846)
+  * Queue manager FlushAll can loop rapidly - add delay (#15733) (#15840)
+  * Tagger can be empty, as can Commit and Author - tolerate this (#15835) (#15839)
+  * Set autocomplete off on branches selector (#15809) (#15833)
+  * Add missing error to Doctor log (#15813) (#15824)
+  * Move restore repo to internal router and invoke from command to avoid open the same db file or queues files (#15790) (#15816)
+* ENHANCEMENTS
+  * Removable media support to snap package (#16136) (#16138)
+  * Move sans-serif fallback font higher than emoji fonts (#15855) (#15892)
+* DOCKER
+  * Only write config in environment-to-ini if there are changes (#15861) (#15868)
+  * Only offer hostcertificates if they exist (#15849) (#15853)
+
+## [1.14.2](https://github.com/go-gitea/gitea/releases/tag/v1.14.2) - 2021-05-09

 * API
  * Make change repo settings work on empty repos (#15778) (#15789)
@@ -90,6 +537,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Respect approved email domain list for externally validated user registration (#15014)
  * Add reverse proxy configuration support for remote IP address detection (#14959)
  * Ensure validation occurs on clone addresses too (#14994)
+  * Fix several render issues highlighted during fuzzing (#14986)
 * BREAKING
  * Fix double 'push tag' action feed (#15078) (#15083)
  * Remove possible resource leak (#15067) (#15082)
@@ -388,7 +836,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Fix bug on avatar middleware (#15124) (#15125)
  * Fix another clusterfuzz identified issue (#15096) (#15114)
 * API
-  * Fix nil pointer exception in get pull reviews API (#15106)
+  * Fix nil exeption for get pull reviews API #15104 (#15106)
 * BUGFIXES
  * Fix markdown rendering in milestone content (#15056) (#15092)

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -3,12 +3,14 @@
 ## Table of Contents

 - [Contribution Guidelines](#contribution-guidelines)
+  - [Table of Contents](#table-of-contents)
  - [Introduction](#introduction)
  - [Bug reports](#bug-reports)
  - [Discuss your design](#discuss-your-design)
  - [Testing redux](#testing-redux)
  - [Vendoring](#vendoring)
  - [Translation](#translation)
+  - [Building Gitea](#building-gitea)
  - [Code review](#code-review)
  - [Styleguide](#styleguide)
  - [Design guideline](#design-guideline)
@@ -226,18 +228,18 @@ We assume in good faith that the information you provide is legally binding.

 We adopted a release schedule to streamline the process of working
 on, finishing, and issuing releases. The overall goal is to make a
-minor release every two months, which breaks down into one month of
+minor release every three or four months, which breaks down into two or three months of
 general development followed by one month of testing and polishing
 known as the release freeze. All the feature pull requests should be
-merged in the first month of one release period. And, during the frozen
-period, a corresponding release branch is open for fixes backported from
-master. Release candidates are made during this period for user testing to
+merged before feature freeze. And, during the frozen period, a corresponding 
+release branch is open for fixes backported from main branch. Release candidates 
+are made during this period for user testing to
 obtain a final version that is maintained in this branch. A release is
 maintained by issuing patch releases to only correct critical problems
 such as crashes or security issues.

-Major release cycles are bimonthly. They always begin on the 25th and end on
-the 24th (i.e., the 25th of December to February 24th).
+Major release cycles are seasonal. They always begin on the 25th and end on
+the 24th (i.e., the 25th of December to March 24th).

 During a development cycle, we may also publish any necessary minor releases
 for the previous version. For example, if the latest, published release is
--- a/2
+++ b/2
@@ -53,7 +53,7 @@ RUN addgroup \
    -u 1000 \
    -G git \
    git && \
-  echo "git:$(dd if=/dev/urandom bs=24 count=1 status=none | base64)" | chpasswd
+  echo "git:*" | chpasswd -e

 ENV USER git
 ENV GITEA_CUSTOM /data/gitea
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@@ -35,6 +35,7 @@ RUN apk --no-cache add \
    ca-certificates \
    gettext \
    git \
+    curl \
    gnupg

 RUN addgroup \
@@ -46,8 +47,7 @@ RUN addgroup \
    -s /bin/bash \
    -u 1000 \
    -G git \
-    git && \
-  echo "git:$(dd if=/dev/urandom bs=24 count=1 status=none | base64)" | chpasswd
+    git

 RUN mkdir -p /var/lib/gitea /etc/gitea
 RUN chown git:git /var/lib/gitea /etc/gitea
@@ -56,10 +56,13 @@ COPY docker/rootless /
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /usr/local/bin/gitea
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini

-USER git:git
+#git:git
+USER 1000:1000
 ENV GITEA_WORK_DIR /var/lib/gitea
 ENV GITEA_CUSTOM /var/lib/gitea/custom
 ENV GITEA_TEMP /tmp/gitea
+ENV TMPDIR /tmp/gitea
+
 #TODO add to docs the ability to define the ini to load (usefull to test and revert a config)
 ENV GITEA_APP_INI /etc/gitea/app.ini
 ENV HOME "/var/lib/gitea/git"
--- a/3
+++ b/3
@@ -41,3 +41,6 @@ Karl Heinz Marbaise <kama@soebes.de> (@khmarbaise)
 Norwin Roosen <git@nroo.de> (@noerw)
 Kyle Dumont <kdumontnu@gmail.com> (@kdumontnu)
 Patrick Schratz <patrick.schratz@gmail.com> (@pat-s)
+Janis Estelmann <admin@oldschoolhack.me> (@KN4CK3R)
+Steven Kriegler <sk.bunsenbrenner@gmail.com> (@justusbunsi)
+Jimmy Praet <jimmy.praet@telenet.be> (@jpraet)
--- a/119
+++ b/119
@@ -25,8 +25,8 @@ HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 COMMA := ,

 XGO_VERSION := go-1.16.x
-MIN_GO_VERSION := 001014000
-MIN_NODE_VERSION := 010013000
+MIN_GO_VERSION := 001016000
+MIN_NODE_VERSION := 012017000

 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
@@ -43,6 +43,9 @@ endif
 ifeq ($(OS), Windows_NT)
 	GOFLAGS := -v -buildmode=exe
 	EXECUTABLE ?= gitea.exe
+else ifeq ($(OS), Windows)
+	GOFLAGS := -v -buildmode=exe
+	EXECUTABLE ?= gitea.exe
 else
 	GOFLAGS := -v
 	EXECUTABLE ?= gitea
@@ -61,8 +64,9 @@ EXTRA_GOFLAGS ?=
 MAKE_VERSION := $(shell $(MAKE) -v | head -n 1)
 MAKE_EVIDENCE_DIR := .make_evidence

-ifneq ($(RACE_ENABLED),)
-	GOTESTFLAGS ?= -race
+ifeq ($(RACE_ENABLED),true)
+	GOFLAGS += -race
+	GOTESTFLAGS += -race
 endif

 STORED_VERSION_FILE := VERSION
@@ -74,7 +78,7 @@ else
 	ifneq ($(DRONE_BRANCH),)
 		VERSION ?= $(subst release/v,,$(DRONE_BRANCH))
 	else
-		VERSION ?= master
+		VERSION ?= main
 	endif

 	STORED_VERSION=$(shell cat $(STORED_VERSION_FILE) 2>/dev/null)
@@ -89,11 +93,9 @@ LDFLAGS := $(LDFLAGS) -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(G

 LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64

-GO_PACKAGES ?= $(filter-out code.gitea.io/gitea/integrations/migration-test,$(filter-out code.gitea.io/gitea/integrations,$(shell $(GO) list -mod=vendor ./... | grep -v /vendor/)))
+GO_PACKAGES ?= $(filter-out code.gitea.io/gitea/models/migrations code.gitea.io/gitea/integrations/migration-test code.gitea.io/gitea/integrations,$(shell $(GO) list -mod=vendor ./... | grep -v /vendor/))

-FOMANTIC_CONFIGS := semantic.json web_src/fomantic/theme.config.less web_src/fomantic/_site/globals/site.variables
-FOMANTIC_DEST := web_src/fomantic/build/semantic.js web_src/fomantic/build/semantic.css
-FOMANTIC_DEST_DIR := web_src/fomantic/build
+FOMANTIC_WORK_DIR := web_src/fomantic

 WEBPACK_SOURCES := $(shell find web_src/js web_src/less -type f)
 WEBPACK_CONFIGS := webpack.config.js
@@ -113,6 +115,8 @@ TAGS_EVIDENCE := $(MAKE_EVIDENCE_DIR)/tags

 TEST_TAGS ?= sqlite sqlite_unlock_notify

+TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(FOMANTIC_WORK_DIR)/node_modules $(DIST) $(MAKE_EVIDENCE_DIR) $(AIR_TMP_DIR)
+
 GO_DIRS := cmd integrations models modules routers build services vendor tools

 GO_SOURCES := $(wildcard *.go)
@@ -171,6 +175,9 @@ help:
 	@echo " - checks                           run various consistency checks"
 	@echo " - checks-frontend                  check frontend files"
 	@echo " - checks-backend                   check backend files"
+	@echo " - test                             test everything"
+	@echo " - test-frontend                    test frontend files"
+	@echo " - test-backend                     test backend files"
 	@echo " - webpack                          build webpack files"
 	@echo " - svg                              build svg files"
 	@echo " - fomantic                         build fomantic files"
@@ -193,7 +200,7 @@ help:
 go-check:
 	$(eval GO_VERSION := $(shell printf "%03d%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9.]+' | tr '.' ' ');))
 	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
-		echo "Gitea requires Go 1.14 or greater to build. You can get it at https://golang.org/dl/"; \
+		echo "Gitea requires Go 1.16 or greater to build. You can get it at https://golang.org/dl/"; \
 		exit 1; \
 	fi

@@ -207,15 +214,16 @@ git-check:
 .PHONY: node-check
 node-check:
 	$(eval NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v | cut -c2- | tr '.' ' ');))
+	$(eval MIN_NODE_VER_FMT := $(shell printf "%g.%g.%g" $(shell echo $(MIN_NODE_VERSION) | grep -o ...)))
 	$(eval NPM_MISSING := $(shell hash npm > /dev/null 2>&1 || echo 1))
 	@if [ "$(NODE_VERSION)" -lt "$(MIN_NODE_VERSION)" -o "$(NPM_MISSING)" = "1" ]; then \
-		echo "Gitea requires Node.js 10 or greater and npm to build. You can get it at https://nodejs.org/en/download/"; \
+		echo "Gitea requires Node.js $(MIN_NODE_VER_FMT) or greater and npm to build. You can get it at https://nodejs.org/en/download/"; \
 		exit 1; \
 	fi

 .PHONY: clean-all
 clean-all: clean
-	rm -rf $(WEBPACK_DEST_ENTRIES)
+	rm -rf $(WEBPACK_DEST_ENTRIES) node_modules

 .PHONY: clean
 clean:
@@ -278,7 +286,10 @@ errcheck:

 .PHONY: revive
 revive:
-	GO111MODULE=on $(GO) run -mod=vendor build/lint.go -config .revive.toml -exclude=./vendor/... ./... || exit 1
+	@hash revive > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		GO111MODULE=off $(GO) get -u github.com/mgechev/revive; \
+	fi
+	@revive -config .revive.toml -exclude=./vendor/... ./...

 .PHONY: misspell-check
 misspell-check:
@@ -286,7 +297,7 @@ misspell-check:
 		GO111MODULE=off $(GO) get -u github.com/client9/misspell/cmd/misspell; \
 	fi
 	@echo "Running misspell-check..."
-	@misspell -error -i unknwon,destory $(GO_SOURCES_OWN)
+	@misspell -error -i unknwon $(GO_SOURCES_OWN)

 .PHONY: misspell
 misspell:
@@ -320,8 +331,9 @@ lint: lint-frontend lint-backend

 .PHONY: lint-frontend
 lint-frontend: node_modules
-	npx eslint --color --max-warnings=0 web_src/js build templates webpack.config.js
+	npx eslint --color --max-warnings=0 web_src/js build templates *.config.js
 	npx stylelint --color --max-warnings=0 web_src/less
+	npx editorconfig-checker templates

 .PHONY: lint-backend
 lint-backend: golangci-lint revive vet
@@ -343,16 +355,23 @@ watch-backend: go-check
 	air -c .air.conf

 .PHONY: test
-test:
+test: test-frontend test-backend
+
+.PHONY: test-backend
+test-backend:
 	@echo "Running go test with -tags '$(TEST_TAGS)'..."
 	@$(GO) test $(GOTESTFLAGS) -mod=vendor -tags='$(TEST_TAGS)' $(GO_PACKAGES)

+.PHONY: test-frontend
+test-frontend: node_modules
+	@NODE_OPTIONS="--experimental-vm-modules --no-warnings" npx jest --color
+
 .PHONY: test-check
 test-check:
 	@echo "Running test-check...";
 	@diff=$$(git status -s); \
 	if [ -n "$$diff" ]; then \
-		echo "make test has changed files in the source tree:"; \
+		echo "make test-backend has changed files in the source tree:"; \
 		echo "$${diff}"; \
 		echo "You should change the tests to create these files in a temporary directory."; \
 		echo "Do not simply add these files to .gitignore"; \
@@ -362,7 +381,7 @@ test-check:
 .PHONY: test\#%
 test\#%:
 	@echo "Running go test with -tags '$(TEST_TAGS)'..."
-	@$(GO) test -mod=vendor -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_PACKAGES)
+	@$(GO) test -mod=vendor $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_PACKAGES)

 .PHONY: coverage
 coverage:
@@ -399,8 +418,9 @@ test-sqlite\#%: integrations.sqlite.test generate-ini-sqlite
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)

 .PHONY: test-sqlite-migration
-test-sqlite-migration:  migrations.sqlite.test generate-ini-sqlite
+test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test generate-ini-sqlite
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.sqlite.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.individual.sqlite.test

 generate-ini-mysql:
 	sed -e 's|{{TEST_MYSQL_HOST}}|${TEST_MYSQL_HOST}|g' \
@@ -419,8 +439,9 @@ test-mysql\#%: integrations.mysql.test generate-ini-mysql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)

 .PHONY: test-mysql-migration
-test-mysql-migration: migrations.mysql.test generate-ini-mysql
+test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test generate-ini-mysql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./migrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql.ini ./migrations.individual.mysql.test

 generate-ini-mysql8:
 	sed -e 's|{{TEST_MYSQL8_HOST}}|${TEST_MYSQL8_HOST}|g' \
@@ -439,8 +460,9 @@ test-mysql8\#%: integrations.mysql8.test generate-ini-mysql8
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./integrations.mysql8.test -test.run $(subst .,/,$*)

 .PHONY: test-mysql8-migration
-test-mysql8-migration: migrations.mysql8.test generate-ini-mysql8
+test-mysql8-migration: migrations.mysql8.test migrations.individual.mysql8.test generate-ini-mysql8
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./migrations.mysql8.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mysql8.ini ./migrations.individual.mysql8.test

 generate-ini-pgsql:
 	sed -e 's|{{TEST_PGSQL_HOST}}|${TEST_PGSQL_HOST}|g' \
@@ -460,8 +482,9 @@ test-pgsql\#%: integrations.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)

 .PHONY: test-pgsql-migration
-test-pgsql-migration: migrations.pgsql.test generate-ini-pgsql
+test-pgsql-migration: migrations.pgsql.test migrations.individual.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./migrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/pgsql.ini ./migrations.individual.pgsql.test

 generate-ini-mssql:
 	sed -e 's|{{TEST_MSSQL_HOST}}|${TEST_MSSQL_HOST}|g' \
@@ -480,8 +503,9 @@ test-mssql\#%: integrations.mssql.test generate-ini-mssql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./integrations.mssql.test -test.run $(subst .,/,$*)

 .PHONY: test-mssql-migration
-test-mssql-migration: migrations.mssql.test generate-ini-mssql
+test-mssql-migration: migrations.mssql.test migrations.individual.mssql.test generate-ini-mssql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./migrations.mssql.test -test.failfast
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/mssql.ini ./migrations.individual.mssql.test -test.failfast

 .PHONY: bench-sqlite
 bench-sqlite: integrations.sqlite.test generate-ini-sqlite
@@ -541,6 +565,26 @@ migrations.mssql.test: $(GO_SOURCES)
 migrations.sqlite.test: $(GO_SOURCES)
 	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/integrations/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'

+.PHONY: migrations.individual.mysql.test
+migrations.individual.mysql.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.mysql.test
+
+.PHONY: migrations.individual.mysql8.test
+migrations.individual.mysql8.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.mysql8.test
+
+.PHONY: migrations.individual.pgsql.test
+migrations.individual.pgsql.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.pgsql.test
+
+.PHONY: migrations.individual.mssql.test
+migrations.individual.mssql.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.mssql.test
+
+.PHONY: migrations.individual.sqlite.test
+migrations.individual.sqlite.test: $(GO_SOURCES)
+	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/models/migrations -o migrations.individual.sqlite.test -tags '$(TEST_TAGS)'
+
 .PHONY: check
 check: test

@@ -552,7 +596,7 @@ install: $(wildcard *.go)
 build: frontend backend

 .PHONY: frontend
-frontend: node-check $(WEBPACK_DEST)
+frontend: $(WEBPACK_DEST)

 .PHONY: backend
 backend: go-check generate $(EXECUTABLE)
@@ -620,9 +664,11 @@ release-compress: | $(DIST_DIRS)
 	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && gxz -k -9 $${file}; done;

 .PHONY: release-sources
-release-sources: | $(DIST_DIRS) node_modules
+release-sources: | $(DIST_DIRS)
 	echo $(VERSION) > $(STORED_VERSION_FILE)
-	tar --exclude=./$(DIST) --exclude=./.git --exclude=./$(MAKE_EVIDENCE_DIR) --exclude=./node_modules/.cache --exclude=./$(AIR_TMP_DIR) -czf $(DIST)/release/gitea-src-$(VERSION).tar.gz .
+# bsdtar needs a ^ to prevent matching subdirectories
+	$(eval EXCL := --exclude=$(shell tar --help | grep -q bsdtar && echo "^")./)
+	tar $(addprefix $(EXCL),$(TAR_EXCLUDES)) -czf $(DIST)/release/gitea-src-$(VERSION).tar.gz .
 	rm -f $(STORED_VERSION_FILE)

 .PHONY: release-docs
@@ -648,22 +694,19 @@ npm-update: node-check | node_modules
 	@touch node_modules

 .PHONY: fomantic
-fomantic: $(FOMANTIC_DEST)
-
-$(FOMANTIC_DEST): $(FOMANTIC_CONFIGS) | node_modules
-	@if [ ! -d node_modules/fomantic-ui ]; then \
-		npm install --no-save --no-package-lock fomantic-ui@2.8.7; \
-	fi
-	rm -rf $(FOMANTIC_DEST_DIR)
-	cp -f web_src/fomantic/theme.config.less node_modules/fomantic-ui/src/theme.config
-	cp -rf web_src/fomantic/_site/* node_modules/fomantic-ui/src/_site/
-	npx gulp -f node_modules/fomantic-ui/gulpfile.js build
-	@touch $(FOMANTIC_DEST)
+fomantic:
+	rm -rf $(FOMANTIC_WORK_DIR)/build
+	cd $(FOMANTIC_WORK_DIR) && npm install --no-save
+	cp -f $(FOMANTIC_WORK_DIR)/theme.config.less $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/theme.config
+	cp -rf $(FOMANTIC_WORK_DIR)/_site $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/
+	cp -f web_src/js/vendor/dropdown.js $(FOMANTIC_WORK_DIR)/node_modules/fomantic-ui/src/definitions/modules
+	cd $(FOMANTIC_WORK_DIR) && npx gulp -f node_modules/fomantic-ui/gulpfile.js build

 .PHONY: webpack
 webpack: $(WEBPACK_DEST)

-$(WEBPACK_DEST): $(WEBPACK_SOURCES) $(WEBPACK_CONFIGS) package-lock.json | node_modules
+$(WEBPACK_DEST): $(WEBPACK_SOURCES) $(WEBPACK_CONFIGS) package-lock.json
+	@$(MAKE) -s node-check node_modules
 	rm -rf $(WEBPACK_DEST_ENTRIES)
 	npx webpack
 	@touch $(WEBPACK_DEST)
--- a/README.md
+++ b/README.md
@@ -1,22 +1,19 @@
 <p align="center">
  <a href="https://gitea.io/">
-    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/master/public/img/gitea.svg" width="220"/>
+    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/gitea.svg" width="220"/>
  </a>
 </p>
 <h1 align="center">Gitea - Git with a cup of tea</h1>

 <p align="center">
  <a href="https://drone.gitea.io/go-gitea/gitea" title="Build Status">
-    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/master">
+    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/main">
  </a>
  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
    <img src="https://img.shields.io/discord/322538954119184384.svg">
  </a>
-  <a href="https://microbadger.com/images/gitea/gitea" title="Get your own image badge on microbadger.com">
-    <img src="https://images.microbadger.com/badges/image/gitea/gitea.svg">
-  </a>
  <a href="https://codecov.io/gh/go-gitea/gitea" title="Codecov">
-    <img src="https://codecov.io/gh/go-gitea/gitea/branch/master/graph/badge.svg">
+    <img src="https://codecov.io/gh/go-gitea/gitea/branch/main/graph/badge.svg">
  </a>
  <a href="https://godoc.org/code.gitea.io/gitea" title="Go Report Card">
    <img src="https://goreportcard.com/badge/code.gitea.io/gitea">
@@ -77,13 +74,11 @@ or if sqlite support is required:
 The `build` target is split into two sub-targets:

 - `make backend` which requires [Go 1.13](https://golang.org/dl/) or greater.
- `make frontend` which requires [Node.js 10.13](https://nodejs.org/en/download/) or greater.
+- `make frontend` which requires [Node.js 12.17](https://nodejs.org/en/download/) or greater and Internet connectivity to download npm dependencies.

-If pre-built frontend files are present it is possible to only build the backend:
+When building from the official source tarballs which include pre-built frontend files, the `frontend` target will not be triggered, making it possible to build without Node.js and Internet connectivity.

-    TAGS="bindata" make backend
-
-Parallelism is not supported for these targets, so please don't include `-j <num>`.
+Parallelism (`make -j <num>`) is not supported.

 More info: https://docs.gitea.io/en-us/install-from-source/

@@ -103,6 +98,16 @@ NOTES:
 1. **YOU MUST READ THE [CONTRIBUTORS GUIDE](CONTRIBUTING.md) BEFORE STARTING TO WORK ON A PULL REQUEST.**
 2. If you have found a vulnerability in the project, please write privately to **security@gitea.io**. Thanks!

+## Translating
+
+Translations are done through Crowdin. If you want to translate to a new language ask one of the managers in the Crowdin project to add a new language there. 
+
+You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope fo fill it as questions pop up.
+
+https://docs.gitea.io/en-us/translation-guidelines/
+
+[![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)
+
 ## Further information

 For more information and instructions about how to install Gitea, please look at our [documentation](https://docs.gitea.io/en-us/).
@@ -152,7 +157,7 @@ We're [working on it](https://github.com/go-gitea/gitea/issues/1029).
 ## License

 This project is licensed under the MIT License.
-See the [LICENSE](https://github.com/go-gitea/gitea/blob/master/LICENSE) file
+See the [LICENSE](https://github.com/go-gitea/gitea/blob/main/LICENSE) file
 for the full license text.

 ## Screenshots
--- a/README_ZH.md
+++ b/README_ZH.md
@@ -1,13 +1,13 @@
 <p align="center">
  <a href="https://gitea.io/">
-    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/master/public/img/gitea.svg" width="220"/>
+    <img alt="Gitea" src="https://raw.githubusercontent.com/go-gitea/gitea/main/public/img/gitea.svg" width="220"/>
  </a>
 </p>
 <h1 align="center">Gitea - Git with a cup of tea</h1>

 <p align="center">
  <a href="https://drone.gitea.io/go-gitea/gitea" title="Build Status">
-    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/master">
+    <img src="https://drone.gitea.io/api/badges/go-gitea/gitea/status.svg?ref=refs/heads/main">
  </a>
  <a href="https://discord.gg/Gitea" title="Join the Discord chat at https://discord.gg/Gitea">
    <img src="https://img.shields.io/discord/322538954119184384.svg">
@@ -16,7 +16,7 @@
    <img src="https://images.microbadger.com/badges/image/gitea/gitea.svg">
  </a>
  <a href="https://codecov.io/gh/go-gitea/gitea" title="Codecov">
-    <img src="https://codecov.io/gh/go-gitea/gitea/branch/master/graph/badge.svg">
+    <img src="https://codecov.io/gh/go-gitea/gitea/branch/main/graph/badge.svg">
  </a>
  <a href="https://godoc.org/code.gitea.io/gitea" title="Go Report Card">
    <img src="https://goreportcard.com/badge/code.gitea.io/gitea">
@@ -71,6 +71,11 @@ Gitea 的首要目标是创建一个极易安装，运行非常快速，安装

 Fork -> Patch -> Push -> Pull Request

+## 翻译
+
+多语言翻译是基于Crowdin进行的.
+[![Crowdin](https://badges.crowdin.net/gitea/localized.svg)](https://crowdin.com/project/gitea)
+
 ## 作者

 * [Maintainers](https://github.com/orgs/go-gitea/people)
@@ -79,7 +84,7 @@ Fork -> Patch -> Push -> Pull Request

 ## 授权许可

-本项目采用 MIT 开源授权许可证，完整的授权说明已放置在 [LICENSE](https://github.com/go-gitea/gitea/blob/master/LICENSE) 文件中。
+本项目采用 MIT 开源授权许可证，完整的授权说明已放置在 [LICENSE](https://github.com/go-gitea/gitea/blob/main/LICENSE) 文件中。

 ## 截图

--- a/build.go
+++ b/build.go
@@ -10,14 +10,6 @@ package main
 // These libraries will not be included in a normal compilation.

 import (
-	// for lint
-	_ "github.com/mgechev/dots"
-	_ "github.com/mgechev/revive/formatter"
-	_ "github.com/mgechev/revive/lint"
-	_ "github.com/mgechev/revive/rule"
-	_ "github.com/mitchellh/go-homedir"
-	_ "github.com/pelletier/go-toml"
-
 	// for embed
 	_ "github.com/shurcooL/vfsgen"

--- a/build/generate-images.js
+++ b/build/generate-images.js
@@ -1,12 +1,12 @@
-#!/usr/bin/env node
-'use strict';
-
-const imageminZopfli = require('imagemin-zopfli');
-const Svgo = require('svgo');
-const {fabric} = require('fabric');
-const {readFile, writeFile} = require('fs').promises;
-const {resolve} = require('path');
+import imageminZopfli from 'imagemin-zopfli';
+import {optimize, extendDefaultPlugins} from 'svgo';
+import {fabric} from 'fabric';
+import fs from 'fs';
+import {resolve, dirname} from 'path';
+import {fileURLToPath} from 'url';

+const {readFile, writeFile} = fs.promises;
+const __dirname = dirname(fileURLToPath(import.meta.url));
 const logoFile = resolve(__dirname, '../assets/logo.svg');

 function exit(err) {
@@ -24,14 +24,15 @@ function loadSvg(svg) {

 async function generate(svg, outputFile, {size, bg}) {
  if (outputFile.endsWith('.svg')) {
-    const svgo = new Svgo({
-      plugins: [
-        {removeDimensions: true},
-        {addAttributesToSVGElement: {attributes: [{width: size}, {height: size}]}},
-      ],
+    const {data} = optimize(svg, {
+      plugins: extendDefaultPlugins([
+        'removeDimensions',
+        {
+          name: 'addAttributesToSVGElement',
+          params: {attributes: [{width: size}, {height: size}]}
+        },
+      ]),
    });
-
-    const {data} = await svgo.optimize(svg);
    await writeFile(outputFile, data);
    return;
  }
--- a/build/generate-svg.js
+++ b/build/generate-svg.js
@@ -1,11 +1,11 @@
-#!/usr/bin/env node
-'use strict';
-
-const fastGlob = require('fast-glob');
-const Svgo = require('svgo');
-const {resolve, parse} = require('path');
-const {readFile, writeFile, mkdir} = require('fs').promises;
+import fastGlob from 'fast-glob';
+import {optimize, extendDefaultPlugins} from 'svgo';
+import {resolve, parse, dirname} from 'path';
+import fs from 'fs';
+import {fileURLToPath} from 'url';

+const {readFile, writeFile, mkdir} = fs.promises;
+const __dirname = dirname(fileURLToPath(import.meta.url));
 const glob = (pattern) => fastGlob.sync(pattern, {cwd: resolve(__dirname), absolute: true});
 const outputDir = resolve(__dirname, '../public/img/svg');

@@ -25,31 +25,21 @@ async function processFile(file, {prefix, fullName} = {}) {
    if (prefix === 'octicon') name = name.replace(/-[0-9]+$/, ''); // chop of '-16' on octicons
  }

-  const svgo = new Svgo({
-    plugins: [
-      {removeXMLNS: true},
-      {removeDimensions: true},
+  const {data} = optimize(await readFile(file, 'utf8'), {
+    plugins: extendDefaultPlugins([
+      'removeXMLNS',
+      'removeDimensions',
+      {name: 'prefixIds', params: {prefix: () => name}},
      {
-        addClassesToSVGElement: {
-          classNames: [
-            'svg',
-            name,
-          ],
-        },
+        name: 'addClassesToSVGElement',
+        params: {classNames: ['svg', name]},
      },
      {
-        addAttributesToSVGElement: {
-          attributes: [
-            {'width': '16'},
-            {'height': '16'},
-            {'aria-hidden': 'true'},
-          ],
-        },
+        name: 'addAttributesToSVGElement',
+        params: {attributes: [{'width': '16'}, {'height': '16'}, {'aria-hidden': 'true'}]},
      },
-    ],
+    ]),
  });
-
-  const {data} = await svgo.optimize(await readFile(file, 'utf8'));
  await writeFile(resolve(outputDir, `${name}.svg`), data);
 }

--- a/build/lint.go
+++ b/build/lint.go
@@ -1,325 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// Copyright (c) 2018 Minko Gechev. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-// +build ignore
-
-package main
-
-import (
-	"flag"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/mgechev/dots"
-	"github.com/mgechev/revive/formatter"
-	"github.com/mgechev/revive/lint"
-	"github.com/mgechev/revive/rule"
-	"github.com/mitchellh/go-homedir"
-	"github.com/pelletier/go-toml"
-)
-
-func fail(err string) {
-	fmt.Fprintln(os.Stderr, err)
-	os.Exit(1)
-}
-
-var defaultRules = []lint.Rule{
-	&rule.VarDeclarationsRule{},
-	&rule.PackageCommentsRule{},
-	&rule.DotImportsRule{},
-	&rule.BlankImportsRule{},
-	&rule.ExportedRule{},
-	&rule.VarNamingRule{},
-	&rule.IndentErrorFlowRule{},
-	&rule.IfReturnRule{},
-	&rule.RangeRule{},
-	&rule.ErrorfRule{},
-	&rule.ErrorNamingRule{},
-	&rule.ErrorStringsRule{},
-	&rule.ReceiverNamingRule{},
-	&rule.IncrementDecrementRule{},
-	&rule.ErrorReturnRule{},
-	&rule.UnexportedReturnRule{},
-	&rule.TimeNamingRule{},
-	&rule.ContextKeysType{},
-	&rule.ContextAsArgumentRule{},
-}
-
-var allRules = append([]lint.Rule{
-	&rule.ArgumentsLimitRule{},
-	&rule.CyclomaticRule{},
-	&rule.FileHeaderRule{},
-	&rule.EmptyBlockRule{},
-	&rule.SuperfluousElseRule{},
-	&rule.ConfusingNamingRule{},
-	&rule.GetReturnRule{},
-	&rule.ModifiesParamRule{},
-	&rule.ConfusingResultsRule{},
-	&rule.DeepExitRule{},
-	&rule.UnusedParamRule{},
-	&rule.UnreachableCodeRule{},
-	&rule.AddConstantRule{},
-	&rule.FlagParamRule{},
-	&rule.UnnecessaryStmtRule{},
-	&rule.StructTagRule{},
-	&rule.ModifiesValRecRule{},
-	&rule.ConstantLogicalExprRule{},
-	&rule.BoolLiteralRule{},
-	&rule.RedefinesBuiltinIDRule{},
-	&rule.ImportsBlacklistRule{},
-	&rule.FunctionResultsLimitRule{},
-	&rule.MaxPublicStructsRule{},
-	&rule.RangeValInClosureRule{},
-	&rule.RangeValAddress{},
-	&rule.WaitGroupByValueRule{},
-	&rule.AtomicRule{},
-	&rule.EmptyLinesRule{},
-	&rule.LineLengthLimitRule{},
-	&rule.CallToGCRule{},
-	&rule.DuplicatedImportsRule{},
-	&rule.ImportShadowingRule{},
-	&rule.BareReturnRule{},
-	&rule.UnusedReceiverRule{},
-	&rule.UnhandledErrorRule{},
-	&rule.CognitiveComplexityRule{},
-	&rule.StringOfIntRule{},
-}, defaultRules...)
-
-var allFormatters = []lint.Formatter{
-	&formatter.Stylish{},
-	&formatter.Friendly{},
-	&formatter.JSON{},
-	&formatter.NDJSON{},
-	&formatter.Default{},
-	&formatter.Unix{},
-	&formatter.Checkstyle{},
-	&formatter.Plain{},
-}
-
-func getFormatters() map[string]lint.Formatter {
-	result := map[string]lint.Formatter{}
-	for _, f := range allFormatters {
-		result[f.Name()] = f
-	}
-	return result
-}
-
-func getLintingRules(config *lint.Config) []lint.Rule {
-	rulesMap := map[string]lint.Rule{}
-	for _, r := range allRules {
-		rulesMap[r.Name()] = r
-	}
-
-	lintingRules := []lint.Rule{}
-	for name := range config.Rules {
-		rule, ok := rulesMap[name]
-		if !ok {
-			fail("cannot find rule: " + name)
-		}
-		lintingRules = append(lintingRules, rule)
-	}
-
-	return lintingRules
-}
-
-func parseConfig(path string) *lint.Config {
-	config := &lint.Config{}
-	file, err := ioutil.ReadFile(path)
-	if err != nil {
-		fail("cannot read the config file")
-	}
-	err = toml.Unmarshal(file, config)
-	if err != nil {
-		fail("cannot parse the config file: " + err.Error())
-	}
-	return config
-}
-
-func normalizeConfig(config *lint.Config) {
-	if config.Confidence == 0 {
-		config.Confidence = 0.8
-	}
-	severity := config.Severity
-	if severity != "" {
-		for k, v := range config.Rules {
-			if v.Severity == "" {
-				v.Severity = severity
-			}
-			config.Rules[k] = v
-		}
-		for k, v := range config.Directives {
-			if v.Severity == "" {
-				v.Severity = severity
-			}
-			config.Directives[k] = v
-		}
-	}
-}
-
-func getConfig() *lint.Config {
-	config := defaultConfig()
-	if configPath != "" {
-		config = parseConfig(configPath)
-	}
-	normalizeConfig(config)
-	return config
-}
-
-func getFormatter() lint.Formatter {
-	formatters := getFormatters()
-	formatter := formatters["default"]
-	if formatterName != "" {
-		f, ok := formatters[formatterName]
-		if !ok {
-			fail("unknown formatter " + formatterName)
-		}
-		formatter = f
-	}
-	return formatter
-}
-
-func buildDefaultConfigPath() string {
-	var result string
-	if homeDir, err := homedir.Dir(); err == nil {
-		result = filepath.Join(homeDir, "revive.toml")
-		if _, err := os.Stat(result); err != nil {
-			result = ""
-		}
-	}
-
-	return result
-}
-
-func defaultConfig() *lint.Config {
-	defaultConfig := lint.Config{
-		Confidence: 0.0,
-		Severity:   lint.SeverityWarning,
-		Rules:      map[string]lint.RuleConfig{},
-	}
-	for _, r := range defaultRules {
-		defaultConfig.Rules[r.Name()] = lint.RuleConfig{}
-	}
-	return &defaultConfig
-}
-
-func normalizeSplit(strs []string) []string {
-	res := []string{}
-	for _, s := range strs {
-		t := strings.Trim(s, " \t")
-		if len(t) > 0 {
-			res = append(res, t)
-		}
-	}
-	return res
-}
-
-func getPackages() [][]string {
-	globs := normalizeSplit(flag.Args())
-	if len(globs) == 0 {
-		globs = append(globs, ".")
-	}
-
-	packages, err := dots.ResolvePackages(globs, normalizeSplit(excludePaths))
-	if err != nil {
-		fail(err.Error())
-	}
-
-	return packages
-}
-
-type arrayFlags []string
-
-func (i *arrayFlags) String() string {
-	return strings.Join([]string(*i), " ")
-}
-
-func (i *arrayFlags) Set(value string) error {
-	*i = append(*i, value)
-	return nil
-}
-
-var configPath string
-var excludePaths arrayFlags
-var formatterName string
-var help bool
-
-var originalUsage = flag.Usage
-
-func init() {
-	flag.Usage = func() {
-		originalUsage()
-	}
-	// command line help strings
-	const (
-		configUsage    = "path to the configuration TOML file, defaults to $HOME/revive.toml, if present (i.e. -config myconf.toml)"
-		excludeUsage   = "list of globs which specify files to be excluded (i.e. -exclude foo/...)"
-		formatterUsage = "formatter to be used for the output (i.e. -formatter stylish)"
-	)
-
-	defaultConfigPath := buildDefaultConfigPath()
-
-	flag.StringVar(&configPath, "config", defaultConfigPath, configUsage)
-	flag.Var(&excludePaths, "exclude", excludeUsage)
-	flag.StringVar(&formatterName, "formatter", "", formatterUsage)
-	flag.Parse()
-}
-
-func main() {
-	config := getConfig()
-	formatter := getFormatter()
-	packages := getPackages()
-
-	revive := lint.New(func(file string) ([]byte, error) {
-		return ioutil.ReadFile(file)
-	})
-
-	lintingRules := getLintingRules(config)
-
-	failures, err := revive.Lint(packages, lintingRules, *config)
-	if err != nil {
-		fail(err.Error())
-	}
-
-	formatChan := make(chan lint.Failure)
-	exitChan := make(chan bool)
-
-	var output string
-	go (func() {
-		output, err = formatter.Format(formatChan, *config)
-		if err != nil {
-			fail(err.Error())
-		}
-		exitChan <- true
-	})()
-
-	exitCode := 0
-	for f := range failures {
-		if f.Confidence < config.Confidence {
-			continue
-		}
-		if exitCode == 0 {
-			exitCode = config.WarningCode
-		}
-		if c, ok := config.Rules[f.RuleName]; ok && c.Severity == lint.SeverityError {
-			exitCode = config.ErrorCode
-		}
-		if c, ok := config.Directives[f.RuleName]; ok && c.Severity == lint.SeverityError {
-			exitCode = config.ErrorCode
-		}
-
-		formatChan <- f
-	}
-
-	close(formatChan)
-	<-exitChan
-	if output != "" {
-		fmt.Println(output)
-	}
-
-	os.Exit(exitCode)
-}
--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -517,7 +517,7 @@ func runDeleteUser(c *cli.Context) error {
 	return models.DeleteUser(user)
 }

-func runRepoSyncReleases(c *cli.Context) error {
+func runRepoSyncReleases(_ *cli.Context) error {
 	if err := initDB(); err != nil {
 		return err
 	}
@@ -583,14 +583,14 @@ func getReleaseCount(id int64) (int64, error) {
 	)
 }

-func runRegenerateHooks(c *cli.Context) error {
+func runRegenerateHooks(_ *cli.Context) error {
 	if err := initDB(); err != nil {
 		return err
 	}
 	return repo_module.SyncRepositoryHooks(graceful.GetManager().ShutdownContext())
 }

-func runRegenerateKeys(c *cli.Context) error {
+func runRegenerateKeys(_ *cli.Context) error {
 	if err := initDB(); err != nil {
 		return err
 	}
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -7,9 +7,13 @@
 package cmd

 import (
+	"context"
 	"errors"
 	"fmt"
+	"os"
+	"os/signal"
 	"strings"
+	"syscall"

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/setting"
@@ -66,3 +70,25 @@ func initDBDisableConsole(disableConsole bool) error {
 	}
 	return nil
 }
+
+func installSignals() (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithCancel(context.Background())
+	go func() {
+		// install notify
+		signalChannel := make(chan os.Signal, 1)
+
+		signal.Notify(
+			signalChannel,
+			syscall.SIGINT,
+			syscall.SIGTERM,
+		)
+		select {
+		case <-signalChannel:
+		case <-ctx.Done():
+		}
+		cancel()
+		signal.Reset()
+	}()
+
+	return ctx, cancel
+}
--- a/cmd/convert.go
+++ b/cmd/convert.go
@@ -27,10 +27,10 @@ func runConvert(ctx *cli.Context) error {
 		return err
 	}

-	log.Trace("AppPath: %s", setting.AppPath)
-	log.Trace("AppWorkPath: %s", setting.AppWorkPath)
-	log.Trace("Custom path: %s", setting.CustomPath)
-	log.Trace("Log path: %s", setting.LogRootPath)
+	log.Info("AppPath: %s", setting.AppPath)
+	log.Info("AppWorkPath: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Log path: %s", setting.LogRootPath)
 	setting.InitDBConfig()

 	if !setting.Database.UseMySQL {
--- a/cmd/doctor.go
+++ b/cmd/doctor.go
@@ -124,7 +124,6 @@ func runRecreateTable(ctx *cli.Context) error {
 }

 func runDoctor(ctx *cli.Context) error {
-
 	// Silence the default loggers
 	log.DelNamedLogger("console")
 	log.DelNamedLogger(log.DEFAULT)
--- a/cmd/dump.go
+++ b/cmd/dump.go
@@ -280,7 +280,7 @@ func runDump(ctx *cli.Context) error {
 	}

 	if ctx.IsSet("skip-custom-dir") && ctx.Bool("skip-custom-dir") {
-		log.Info("Skiping custom directory")
+		log.Info("Skipping custom directory")
 	} else {
 		customDir, err := os.Stat(setting.CustomPath)
 		if err == nil && customDir.IsDir() {
--- a/cmd/dump_repo.go
+++ b/cmd/dump_repo.go
@@ -69,7 +69,7 @@ var CmdDumpRepository = cli.Command{
 		cli.StringFlag{
 			Name:  "units",
 			Value: "",
-			Usage: `Which items will be migrated, one or more units should be separated as comma. 
+			Usage: `Which items will be migrated, one or more units should be separated as comma.
 wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
 		},
 	},
@@ -80,10 +80,10 @@ func runDumpRepository(ctx *cli.Context) error {
 		return err
 	}

-	log.Trace("AppPath: %s", setting.AppPath)
-	log.Trace("AppWorkPath: %s", setting.AppWorkPath)
-	log.Trace("Custom path: %s", setting.CustomPath)
-	log.Trace("Log path: %s", setting.LogRootPath)
+	log.Info("AppPath: %s", setting.AppPath)
+	log.Info("AppWorkPath: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Log path: %s", setting.LogRootPath)
 	setting.InitDBConfig()

 	var (
--- a/cmd/embedded.go
+++ b/cmd/embedded.go
@@ -19,6 +19,7 @@ import (
 	"code.gitea.io/gitea/modules/public"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/templates"
+	"code.gitea.io/gitea/modules/util"

 	"github.com/gobwas/glob"
 	"github.com/urfave/cli"
@@ -271,7 +272,7 @@ func extractAsset(d string, a asset, overwrite, rename bool) error {
 	} else if !fi.Mode().IsRegular() {
 		return fmt.Errorf("%s already exists, but it's not a regular file", dest)
 	} else if rename {
-		if err := os.Rename(dest, dest+".bak"); err != nil {
+		if err := util.Rename(dest, dest+".bak"); err != nil {
 			return fmt.Errorf("Error creating backup for %s: %v", dest, err)
 		}
 		// Attempt to respect file permissions mask (even if user:group will be set anew)
--- a/cmd/generate.go
+++ b/cmd/generate.go
@@ -71,7 +71,7 @@ func runGenerateInternalToken(c *cli.Context) error {
 }

 func runGenerateLfsJwtSecret(c *cli.Context) error {
-	JWTSecretBase64, err := generate.NewJwtSecret()
+	JWTSecretBase64, err := generate.NewJwtSecretBase64()
 	if err != nil {
 		return err
 	}
--- a/cmd/hook.go
+++ b/cmd/hook.go
@@ -152,21 +152,22 @@ func runHookPreReceive(c *cli.Context) error {
 	if os.Getenv(models.EnvIsInternal) == "true" {
 		return nil
 	}
+	ctx, cancel := installSignals()
+	defer cancel()

 	setup("hooks/pre-receive.log", c.Bool("debug"))

 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
 		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
-			fail(`Rejecting changes as Gitea environment not set.
+			return fail(`Rejecting changes as Gitea environment not set.
 If you are pushing over SSH you must push with a key managed by
 Gitea or set your environment appropriately.`, "")
-		} else {
-			return nil
 		}
+		return nil
 	}

-	// the environment setted on serv command
-	isWiki := (os.Getenv(models.EnvRepoIsWiki) == "true")
+	// the environment is set by serv command
+	isWiki := os.Getenv(models.EnvRepoIsWiki) == "true"
 	username := os.Getenv(models.EnvRepoUsername)
 	reponame := os.Getenv(models.EnvRepoName)
 	userID, _ := strconv.ParseInt(os.Getenv(models.EnvPusherID), 10, 64)
@@ -179,7 +180,7 @@ Gitea or set your environment appropriately.`, "")
 		GitObjectDirectory:              os.Getenv(private.GitObjectDirectory),
 		GitQuarantinePath:               os.Getenv(private.GitQuarantinePath),
 		GitPushOptions:                  pushOptions(),
-		ProtectedBranchID:               prID,
+		PullRequestID:                   prID,
 		IsDeployKey:                     isDeployKey,
 	}

@@ -221,8 +222,8 @@ Gitea or set your environment appropriately.`, "")
 		total++
 		lastline++

-		// If the ref is a branch, check if it's protected
-		if strings.HasPrefix(refFullName, git.BranchPrefix) {
+		// If the ref is a branch or tag, check if it's protected
+		if strings.HasPrefix(refFullName, git.BranchPrefix) || strings.HasPrefix(refFullName, git.TagPrefix) {
 			oldCommitIDs[count] = oldCommitID
 			newCommitIDs[count] = newCommitID
 			refFullNames[count] = refFullName
@@ -230,19 +231,19 @@ Gitea or set your environment appropriately.`, "")
 			fmt.Fprintf(out, "*")

 			if count >= hookBatchSize {
-				fmt.Fprintf(out, " Checking %d branches\n", count)
+				fmt.Fprintf(out, " Checking %d references\n", count)

 				hookOptions.OldCommitIDs = oldCommitIDs
 				hookOptions.NewCommitIDs = newCommitIDs
 				hookOptions.RefFullNames = refFullNames
-				statusCode, msg := private.HookPreReceive(username, reponame, hookOptions)
+				statusCode, msg := private.HookPreReceive(ctx, username, reponame, hookOptions)
 				switch statusCode {
 				case http.StatusOK:
 					// no-op
 				case http.StatusInternalServerError:
-					fail("Internal Server Error", msg)
+					return fail("Internal Server Error", msg)
 				default:
-					fail(msg, "")
+					return fail(msg, "")
 				}
 				count = 0
 				lastline = 0
@@ -261,14 +262,14 @@ Gitea or set your environment appropriately.`, "")
 		hookOptions.NewCommitIDs = newCommitIDs[:count]
 		hookOptions.RefFullNames = refFullNames[:count]

-		fmt.Fprintf(out, " Checking %d branches\n", count)
+		fmt.Fprintf(out, " Checking %d references\n", count)

-		statusCode, msg := private.HookPreReceive(username, reponame, hookOptions)
+		statusCode, msg := private.HookPreReceive(ctx, username, reponame, hookOptions)
 		switch statusCode {
 		case http.StatusInternalServerError:
-			fail("Internal Server Error", msg)
+			return fail("Internal Server Error", msg)
 		case http.StatusForbidden:
-			fail(msg, "")
+			return fail(msg, "")
 		}
 	} else if lastline > 0 {
 		fmt.Fprintf(out, "\n")
@@ -285,8 +286,11 @@ func runHookUpdate(c *cli.Context) error {
 }

 func runHookPostReceive(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	// First of all run update-server-info no matter what
-	if _, err := git.NewCommand("update-server-info").Run(); err != nil {
+	if _, err := git.NewCommand("update-server-info").SetParentContext(ctx).Run(); err != nil {
 		return fmt.Errorf("Failed to call 'git update-server-info': %v", err)
 	}

@@ -299,12 +303,11 @@ func runHookPostReceive(c *cli.Context) error {

 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
 		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
-			fail(`Rejecting changes as Gitea environment not set.
+			return fail(`Rejecting changes as Gitea environment not set.
 If you are pushing over SSH you must push with a key managed by
 Gitea or set your environment appropriately.`, "")
-		} else {
-			return nil
 		}
+		return nil
 	}

 	var out io.Writer
@@ -320,9 +323,9 @@ Gitea or set your environment appropriately.`, "")
 		}
 	}

-	// the environment setted on serv command
+	// the environment is set by serv command
 	repoUser := os.Getenv(models.EnvRepoUsername)
-	isWiki := (os.Getenv(models.EnvRepoIsWiki) == "true")
+	isWiki := os.Getenv(models.EnvRepoIsWiki) == "true"
 	repoName := os.Getenv(models.EnvRepoName)
 	pusherID, _ := strconv.ParseInt(os.Getenv(models.EnvPusherID), 10, 64)
 	pusherName := os.Getenv(models.EnvPusherName)
@@ -371,11 +374,11 @@ Gitea or set your environment appropriately.`, "")
 			hookOptions.OldCommitIDs = oldCommitIDs
 			hookOptions.NewCommitIDs = newCommitIDs
 			hookOptions.RefFullNames = refFullNames
-			resp, err := private.HookPostReceive(repoUser, repoName, hookOptions)
+			resp, err := private.HookPostReceive(ctx, repoUser, repoName, hookOptions)
 			if resp == nil {
 				_ = dWriter.Close()
 				hookPrintResults(results)
-				fail("Internal Server Error", err)
+				return fail("Internal Server Error", err)
 			}
 			wasEmpty = wasEmpty || resp.RepoWasEmpty
 			results = append(results, resp.Results...)
@@ -386,9 +389,9 @@ Gitea or set your environment appropriately.`, "")
 	if count == 0 {
 		if wasEmpty && masterPushed {
 			// We need to tell the repo to reset the default branch to master
-			err := private.SetDefaultBranch(repoUser, repoName, "master")
+			err := private.SetDefaultBranch(ctx, repoUser, repoName, "master")
 			if err != nil {
-				fail("Internal Server Error", "SetDefaultBranch failed with Error: %v", err)
+				return fail("Internal Server Error", "SetDefaultBranch failed with Error: %v", err)
 			}
 		}
 		fmt.Fprintf(out, "Processed %d references in total\n", total)
@@ -404,11 +407,11 @@ Gitea or set your environment appropriately.`, "")

 	fmt.Fprintf(out, " Processing %d references\n", count)

-	resp, err := private.HookPostReceive(repoUser, repoName, hookOptions)
+	resp, err := private.HookPostReceive(ctx, repoUser, repoName, hookOptions)
 	if resp == nil {
 		_ = dWriter.Close()
 		hookPrintResults(results)
-		fail("Internal Server Error", err)
+		return fail("Internal Server Error", err)
 	}
 	wasEmpty = wasEmpty || resp.RepoWasEmpty
 	results = append(results, resp.Results...)
@@ -417,9 +420,9 @@ Gitea or set your environment appropriately.`, "")

 	if wasEmpty && masterPushed {
 		// We need to tell the repo to reset the default branch to master
-		err := private.SetDefaultBranch(repoUser, repoName, "master")
+		err := private.SetDefaultBranch(ctx, repoUser, repoName, "master")
 		if err != nil {
-			fail("Internal Server Error", "SetDefaultBranch failed with Error: %v", err)
+			return fail("Internal Server Error", "SetDefaultBranch failed with Error: %v", err)
 		}
 	}
 	_ = dWriter.Close()
--- a/cmd/keys.go
+++ b/cmd/keys.go
@@ -62,9 +62,12 @@ func runKeys(c *cli.Context) error {
 		return errors.New("No key type and content provided")
 	}

+	ctx, cancel := installSignals()
+	defer cancel()
+
 	setup("keys.log", false)

-	authorizedString, err := private.AuthorizedPublicKeyByContent(content)
+	authorizedString, err := private.AuthorizedPublicKeyByContent(ctx, content)
 	if err != nil {
 		return err
 	}
--- a/cmd/mailer.go
+++ b/cmd/mailer.go
@@ -14,6 +14,9 @@ import (
 )

 func runSendMail(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	setting.NewContext()

 	if err := argsSet(c, "title"); err != nil {
@@ -39,7 +42,7 @@ func runSendMail(c *cli.Context) error {
 		}
 	}

-	status, message := private.SendEmail(subject, body, nil)
+	status, message := private.SendEmail(ctx, subject, body, nil)
 	if status != http.StatusOK {
 		fmt.Printf("error: %s\n", message)
 		return nil
--- a/cmd/manager.go
+++ b/cmd/manager.go
@@ -236,10 +236,13 @@ func runRemoveLogger(c *cli.Context) error {
 		group = log.DEFAULT
 	}
 	name := c.Args().First()
-	statusCode, msg := private.RemoveLogger(group, name)
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	statusCode, msg := private.RemoveLogger(ctx, group, name)
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
@@ -371,10 +374,13 @@ func commonAddLogger(c *cli.Context, mode string, vals map[string]interface{}) e
 	if c.IsSet("name") {
 		name = c.String("name")
 	}
-	statusCode, msg := private.AddLogger(group, name, mode, vals)
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	statusCode, msg := private.AddLogger(ctx, group, name, mode, vals)
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
@@ -382,11 +388,14 @@ func commonAddLogger(c *cli.Context, mode string, vals map[string]interface{}) e
 }

 func runShutdown(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	setup("manager", c.Bool("debug"))
-	statusCode, msg := private.Shutdown()
+	statusCode, msg := private.Shutdown(ctx)
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
@@ -394,11 +403,14 @@ func runShutdown(c *cli.Context) error {
 }

 func runRestart(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	setup("manager", c.Bool("debug"))
-	statusCode, msg := private.Restart()
+	statusCode, msg := private.Restart(ctx)
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
@@ -406,11 +418,14 @@ func runRestart(c *cli.Context) error {
 }

 func runFlushQueues(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	setup("manager", c.Bool("debug"))
-	statusCode, msg := private.FlushQueues(c.Duration("timeout"), c.Bool("non-blocking"))
+	statusCode, msg := private.FlushQueues(ctx, c.Duration("timeout"), c.Bool("non-blocking"))
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
@@ -418,11 +433,14 @@ func runFlushQueues(c *cli.Context) error {
 }

 func runPauseLogging(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	setup("manager", c.Bool("debug"))
-	statusCode, msg := private.PauseLogging()
+	statusCode, msg := private.PauseLogging(ctx)
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
@@ -430,11 +448,14 @@ func runPauseLogging(c *cli.Context) error {
 }

 func runResumeLogging(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	setup("manager", c.Bool("debug"))
-	statusCode, msg := private.ResumeLogging()
+	statusCode, msg := private.ResumeLogging(ctx)
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
@@ -442,11 +463,14 @@ func runResumeLogging(c *cli.Context) error {
 }

 func runReleaseReopenLogging(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	setup("manager", c.Bool("debug"))
-	statusCode, msg := private.ReleaseReopenLogging()
+	statusCode, msg := private.ReleaseReopenLogging(ctx)
 	switch statusCode {
 	case http.StatusInternalServerError:
-		fail("InternalServerError", msg)
+		return fail("InternalServerError", msg)
 	}

 	fmt.Fprintln(os.Stdout, msg)
--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@@ -28,10 +28,10 @@ func runMigrate(ctx *cli.Context) error {
 		return err
 	}

-	log.Trace("AppPath: %s", setting.AppPath)
-	log.Trace("AppWorkPath: %s", setting.AppWorkPath)
-	log.Trace("Custom path: %s", setting.CustomPath)
-	log.Trace("Log path: %s", setting.LogRootPath)
+	log.Info("AppPath: %s", setting.AppPath)
+	log.Info("AppWorkPath: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Log path: %s", setting.LogRootPath)
 	setting.InitDBConfig()

 	if err := models.NewEngine(context.Background(), migrations.Migrate); err != nil {
--- a/cmd/migrate_storage.go
+++ b/cmd/migrate_storage.go
@@ -110,10 +110,10 @@ func runMigrateStorage(ctx *cli.Context) error {
 		return err
 	}

-	log.Trace("AppPath: %s", setting.AppPath)
-	log.Trace("AppWorkPath: %s", setting.AppWorkPath)
-	log.Trace("Custom path: %s", setting.CustomPath)
-	log.Trace("Log path: %s", setting.LogRootPath)
+	log.Info("AppPath: %s", setting.AppPath)
+	log.Info("AppWorkPath: %s", setting.AppWorkPath)
+	log.Info("Custom path: %s", setting.CustomPath)
+	log.Info("Log path: %s", setting.LogRootPath)
 	setting.InitDBConfig()

 	if err := models.NewEngine(context.Background(), migrations.Migrate); err != nil {
@@ -184,7 +184,7 @@ func runMigrateStorage(ctx *cli.Context) error {
 		return fmt.Errorf("Unsupported storage: %s", ctx.String("type"))
 	}

-	log.Warn("All files have been copied to the new placement but old files are still on the orignial placement.")
+	log.Warn("All files have been copied to the new placement but old files are still on the original placement.")

 	return nil
 }
--- a/cmd/restore_repo.go
+++ b/cmd/restore_repo.go
@@ -5,15 +5,12 @@
 package cmd

 import (
-	"context"
-	"strings"
+	"errors"
+	"net/http"

 	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/migrations"
-	"code.gitea.io/gitea/modules/migrations/base"
+	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/storage"
-	pull_service "code.gitea.io/gitea/services/pull"

 	"github.com/urfave/cli"
 )
@@ -43,77 +40,29 @@ var CmdRestoreRepository = cli.Command{
 		cli.StringFlag{
 			Name:  "units",
 			Value: "",
-			Usage: `Which items will be restored, one or more units should be separated as comma. 
+			Usage: `Which items will be restored, one or more units should be separated as comma.
 wiki, issues, labels, releases, release_assets, milestones, pull_requests, comments are allowed. Empty means all units.`,
 		},
 	},
 }

-func runRestoreRepository(ctx *cli.Context) error {
-	if err := initDB(); err != nil {
-		return err
+func runRestoreRepository(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
+	setting.NewContext()
+
+	statusCode, errStr := private.RestoreRepo(
+		ctx,
+		c.String("repo_dir"),
+		c.String("owner_name"),
+		c.String("repo_name"),
+		c.StringSlice("units"),
+	)
+	if statusCode == http.StatusOK {
+		return nil
 	}

-	log.Trace("AppPath: %s", setting.AppPath)
-	log.Trace("AppWorkPath: %s", setting.AppWorkPath)
-	log.Trace("Custom path: %s", setting.CustomPath)
-	log.Trace("Log path: %s", setting.LogRootPath)
-	setting.InitDBConfig()
-
-	if err := storage.Init(); err != nil {
-		return err
-	}
-
-	if err := pull_service.Init(); err != nil {
-		return err
-	}
-
-	var opts = base.MigrateOptions{
-		RepoName: ctx.String("repo_name"),
-	}
-
-	if len(ctx.String("units")) == 0 {
-		opts.Wiki = true
-		opts.Issues = true
-		opts.Milestones = true
-		opts.Labels = true
-		opts.Releases = true
-		opts.Comments = true
-		opts.PullRequests = true
-		opts.ReleaseAssets = true
-	} else {
-		units := strings.Split(ctx.String("units"), ",")
-		for _, unit := range units {
-			switch strings.ToLower(unit) {
-			case "wiki":
-				opts.Wiki = true
-			case "issues":
-				opts.Issues = true
-			case "milestones":
-				opts.Milestones = true
-			case "labels":
-				opts.Labels = true
-			case "releases":
-				opts.Releases = true
-			case "release_assets":
-				opts.ReleaseAssets = true
-			case "comments":
-				opts.Comments = true
-			case "pull_requests":
-				opts.PullRequests = true
-			}
-		}
-	}
-
-	if err := migrations.RestoreRepository(
-		context.Background(),
-		ctx.String("repo_dir"),
-		ctx.String("owner_name"),
-		ctx.String("repo_name"),
-	); err != nil {
-		log.Fatal("Failed to restore repository: %v", err)
-		return err
-	}
-
-	return nil
+	log.Fatal("Failed to restore repository: %v", errStr)
+	return errors.New(errStr)
 }
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -17,13 +17,13 @@ import (
 	"time"

 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/lfs"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/pprof"
 	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/services/lfs"

-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt"
 	jsoniter "github.com/json-iterator/go"
 	"github.com/kballard/go-shellquote"
 	"github.com/urfave/cli"
@@ -72,7 +72,10 @@ var (
 	alphaDashDotPattern = regexp.MustCompile(`[^\w-\.]`)
 )

-func fail(userMessage, logMessage string, args ...interface{}) {
+func fail(userMessage, logMessage string, args ...interface{}) error {
+	// There appears to be a chance to cause a zombie process and failure to read the Exit status
+	// if nothing is outputted on stdout.
+	fmt.Fprintln(os.Stdout, "")
 	fmt.Fprintln(os.Stderr, "Gitea:", userMessage)

 	if len(logMessage) > 0 {
@@ -80,11 +83,19 @@ func fail(userMessage, logMessage string, args ...interface{}) {
 			fmt.Fprintf(os.Stderr, logMessage+"\n", args...)
 		}
 	}
+	ctx, cancel := installSignals()
+	defer cancel()

-	os.Exit(1)
+	if len(logMessage) > 0 {
+		_ = private.SSHLog(ctx, true, fmt.Sprintf(logMessage+": ", args...))
+	}
+	return cli.NewExitError(fmt.Sprintf("Gitea: %s", userMessage), 1)
 }

 func runServ(c *cli.Context) error {
+	ctx, cancel := installSignals()
+	defer cancel()
+
 	// FIXME: This needs to internationalised
 	setup("serv.log", c.Bool("debug"))

@@ -102,18 +113,18 @@ func runServ(c *cli.Context) error {

 	keys := strings.Split(c.Args()[0], "-")
 	if len(keys) != 2 || keys[0] != "key" {
-		fail("Key ID format error", "Invalid key argument: %s", c.Args()[0])
+		return fail("Key ID format error", "Invalid key argument: %s", c.Args()[0])
 	}
 	keyID, err := strconv.ParseInt(keys[1], 10, 64)
 	if err != nil {
-		fail("Key ID format error", "Invalid key argument: %s", c.Args()[1])
+		return fail("Key ID format error", "Invalid key argument: %s", c.Args()[1])
 	}

 	cmd := os.Getenv("SSH_ORIGINAL_COMMAND")
 	if len(cmd) == 0 {
-		key, user, err := private.ServNoCommand(keyID)
+		key, user, err := private.ServNoCommand(ctx, keyID)
 		if err != nil {
-			fail("Internal error", "Failed to check provided key: %v", err)
+			return fail("Internal error", "Failed to check provided key: %v", err)
 		}
 		switch key.Type {
 		case models.KeyTypeDeploy:
@@ -131,11 +142,11 @@ func runServ(c *cli.Context) error {

 	words, err := shellquote.Split(cmd)
 	if err != nil {
-		fail("Error parsing arguments", "Failed to parse arguments: %v", err)
+		return fail("Error parsing arguments", "Failed to parse arguments: %v", err)
 	}

 	if len(words) < 2 {
-		fail("Too few arguments", "Too few arguments in cmd: %s", cmd)
+		return fail("Too few arguments", "Too few arguments in cmd: %s", cmd)
 	}

 	verb := words[0]
@@ -147,7 +158,7 @@ func runServ(c *cli.Context) error {
 	var lfsVerb string
 	if verb == lfsAuthenticateVerb {
 		if !setting.LFS.StartServer {
-			fail("Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
+			return fail("Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
 		}

 		if len(words) > 2 {
@@ -160,37 +171,37 @@ func runServ(c *cli.Context) error {

 	rr := strings.SplitN(repoPath, "/", 2)
 	if len(rr) != 2 {
-		fail("Invalid repository path", "Invalid repository path: %v", repoPath)
+		return fail("Invalid repository path", "Invalid repository path: %v", repoPath)
 	}

 	username := strings.ToLower(rr[0])
 	reponame := strings.ToLower(strings.TrimSuffix(rr[1], ".git"))

 	if alphaDashDotPattern.MatchString(reponame) {
-		fail("Invalid repo name", "Invalid repo name: %s", reponame)
+		return fail("Invalid repo name", "Invalid repo name: %s", reponame)
 	}

 	if setting.EnablePprof || c.Bool("enable-pprof") {
 		if err := os.MkdirAll(setting.PprofDataPath, os.ModePerm); err != nil {
-			fail("Error while trying to create PPROF_DATA_PATH", "Error while trying to create PPROF_DATA_PATH: %v", err)
+			return fail("Error while trying to create PPROF_DATA_PATH", "Error while trying to create PPROF_DATA_PATH: %v", err)
 		}

 		stopCPUProfiler, err := pprof.DumpCPUProfileForUsername(setting.PprofDataPath, username)
 		if err != nil {
-			fail("Internal Server Error", "Unable to start CPU profile: %v", err)
+			return fail("Internal Server Error", "Unable to start CPU profile: %v", err)
 		}
 		defer func() {
 			stopCPUProfiler()
 			err := pprof.DumpMemProfileForUsername(setting.PprofDataPath, username)
 			if err != nil {
-				fail("Internal Server Error", "Unable to dump Mem Profile: %v", err)
+				_ = fail("Internal Server Error", "Unable to dump Mem Profile: %v", err)
 			}
 		}()
 	}

 	requestedMode, has := allowedCommands[verb]
 	if !has {
-		fail("Unknown git command", "Unknown git command %s", verb)
+		return fail("Unknown git command", "Unknown git command %s", verb)
 	}

 	if verb == lfsAuthenticateVerb {
@@ -199,21 +210,20 @@ func runServ(c *cli.Context) error {
 		} else if lfsVerb == "download" {
 			requestedMode = models.AccessModeRead
 		} else {
-			fail("Unknown LFS verb", "Unknown lfs verb %s", lfsVerb)
+			return fail("Unknown LFS verb", "Unknown lfs verb %s", lfsVerb)
 		}
 	}

-	results, err := private.ServCommand(keyID, username, reponame, requestedMode, verb, lfsVerb)
+	results, err := private.ServCommand(ctx, keyID, username, reponame, requestedMode, verb, lfsVerb)
 	if err != nil {
 		if private.IsErrServCommand(err) {
 			errServCommand := err.(private.ErrServCommand)
 			if errServCommand.StatusCode != http.StatusInternalServerError {
-				fail("Unauthorized", "%s", errServCommand.Error())
-			} else {
-				fail("Internal Server Error", "%s", errServCommand.Error())
+				return fail("Unauthorized", "%s", errServCommand.Error())
 			}
+			return fail("Internal Server Error", "%s", errServCommand.Error())
 		}
-		fail("Internal Server Error", "%s", err.Error())
+		return fail("Internal Server Error", "%s", err.Error())
 	}
 	os.Setenv(models.EnvRepoIsWiki, strconv.FormatBool(results.IsWiki))
 	os.Setenv(models.EnvRepoName, results.RepoName)
@@ -246,7 +256,7 @@ func runServ(c *cli.Context) error {
 		// Sign and get the complete encoded token as a string using the secret
 		tokenString, err := token.SignedString(setting.LFS.JWTSecretBytes)
 		if err != nil {
-			fail("Internal error", "Failed to sign JWT token: %v", err)
+			return fail("Internal error", "Failed to sign JWT token: %v", err)
 		}

 		tokenAuthentication := &models.LFSTokenResponse{
@@ -259,7 +269,7 @@ func runServ(c *cli.Context) error {
 		enc := json.NewEncoder(os.Stdout)
 		err = enc.Encode(tokenAuthentication)
 		if err != nil {
-			fail("Internal error", "Failed to encode LFS json response: %v", err)
+			return fail("Internal error", "Failed to encode LFS json response: %v", err)
 		}
 		return nil
 	}
@@ -272,9 +282,9 @@ func runServ(c *cli.Context) error {
 	var gitcmd *exec.Cmd
 	verbs := strings.Split(verb, " ")
 	if len(verbs) == 2 {
-		gitcmd = exec.Command(verbs[0], verbs[1], repoPath)
+		gitcmd = exec.CommandContext(ctx, verbs[0], verbs[1], repoPath)
 	} else {
-		gitcmd = exec.Command(verb, repoPath)
+		gitcmd = exec.CommandContext(ctx, verb, repoPath)
 	}

 	gitcmd.Dir = setting.RepoRootPath
@@ -282,13 +292,13 @@ func runServ(c *cli.Context) error {
 	gitcmd.Stdin = os.Stdin
 	gitcmd.Stderr = os.Stderr
 	if err = gitcmd.Run(); err != nil {
-		fail("Internal error", "Failed to execute git command: %v", err)
+		return fail("Internal error", "Failed to execute git command: %v", err)
 	}

 	// Update user key activity.
 	if results.KeyID > 0 {
-		if err = private.UpdatePublicKeyInRepo(results.KeyID, results.RepoID); err != nil {
-			fail("Internal error", "UpdatePublicKeyInRepo: %v", err)
+		if err = private.UpdatePublicKeyInRepo(ctx, results.KeyID, results.RepoID); err != nil {
+			return fail("Internal error", "UpdatePublicKeyInRepo: %v", err)
 		}
 	}

--- a/cmd/web.go
+++ b/cmd/web.go
@@ -16,9 +16,8 @@ import (
 	"code.gitea.io/gitea/modules/graceful"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/routers"
-	"code.gitea.io/gitea/routers/routes"
+	"code.gitea.io/gitea/routers/install"

 	context2 "github.com/gorilla/context"
 	"github.com/urfave/cli"
@@ -48,6 +47,14 @@ and it takes care of all the other things for you`,
 			Value: setting.PIDFile,
 			Usage: "Custom pid file path",
 		},
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "Only display Fatal logging errors until logging is set-up",
+		},
+		cli.BoolFlag{
+			Name:  "verbose",
+			Usage: "Set initial logging to TRACE level until logging is properly set-up",
+		},
 	},
 }

@@ -72,6 +79,19 @@ func runHTTPRedirector() {
 }

 func runWeb(ctx *cli.Context) error {
+	if ctx.Bool("verbose") {
+		_ = log.DelLogger("console")
+		log.NewLogger(0, "console", "console", fmt.Sprintf(`{"level": "trace", "colorize": %t, "stacktraceLevel": "none"}`, log.CanColorStdout))
+	} else if ctx.Bool("quiet") {
+		_ = log.DelLogger("console")
+		log.NewLogger(0, "console", "console", fmt.Sprintf(`{"level": "fatal", "colorize": %t, "stacktraceLevel": "none"}`, log.CanColorStdout))
+	}
+	defer func() {
+		if panicked := recover(); panicked != nil {
+			log.Fatal("PANIC: %v\n%s", panicked, string(log.Stack(2)))
+		}
+	}()
+
 	managerCtx, cancel := context.WithCancel(context.Background())
 	graceful.InitManager(managerCtx)
 	defer cancel()
@@ -89,7 +109,7 @@ func runWeb(ctx *cli.Context) error {
 	}

 	// Perform pre-initialization
-	needsInstall := routers.PreInstallInit(graceful.GetManager().HammerContext())
+	needsInstall := install.PreloadSettings(graceful.GetManager().HammerContext())
 	if needsInstall {
 		// Flag for port number in case first time run conflict
 		if ctx.IsSet("port") {
@@ -102,7 +122,7 @@ func runWeb(ctx *cli.Context) error {
 				return err
 			}
 		}
-		c := routes.InstallRoutes()
+		c := install.Routes()
 		err := listen(c, false)
 		select {
 		case <-graceful.GetManager().IsShutdown():
@@ -135,7 +155,7 @@ func runWeb(ctx *cli.Context) error {
 	}

 	// Set up Chi routes
-	c := routes.NormalRoutes()
+	c := routers.NormalRoutes()
 	err := listen(c, true)
 	<-graceful.GetManager().Done()
 	log.Info("PID: %d Gitea Web Finished", os.Getpid())
@@ -152,19 +172,6 @@ func setPort(port string) error {
 	case setting.FCGI:
 	case setting.FCGIUnix:
 	default:
-		// Save LOCAL_ROOT_URL if port changed
-		cfg := ini.Empty()
-		isFile, err := util.IsFile(setting.CustomConf)
-		if err != nil {
-			log.Fatal("Unable to check if %s is a file", err)
-		}
-		if isFile {
-			// Keeps custom settings if there is already something.
-			if err := cfg.Append(setting.CustomConf); err != nil {
-				return fmt.Errorf("Failed to load custom conf '%s': %v", setting.CustomConf, err)
-			}
-		}
-
 		defaultLocalURL := string(setting.Protocol) + "://"
 		if setting.HTTPAddr == "0.0.0.0" {
 			defaultLocalURL += "localhost"
@@ -173,10 +180,10 @@ func setPort(port string) error {
 		}
 		defaultLocalURL += ":" + setting.HTTPPort + "/"

-		cfg.Section("server").Key("LOCAL_ROOT_URL").SetValue(defaultLocalURL)
-		if err := cfg.SaveTo(setting.CustomConf); err != nil {
-			return fmt.Errorf("Error saving generated JWT Secret to custom config: %v", err)
-		}
+		// Save LOCAL_ROOT_URL if port changed
+		setting.CreateOrAppendToCustomConf(func(cfg *ini.File) {
+			cfg.Section("server").Key("LOCAL_ROOT_URL").SetValue(defaultLocalURL)
+		})
 	}
 	return nil
 }
--- a/cmd/web_letsencrypt.go
+++ b/cmd/web_letsencrypt.go
@@ -6,6 +6,7 @@ package cmd

 import (
 	"net/http"
+	"strconv"
 	"strings"

 	"code.gitea.io/gitea/modules/log"
@@ -18,10 +19,19 @@ import (
 func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler) error {

 	// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
-	// Due to docker port mapping this can't be checked programatically
+	// Due to docker port mapping this can't be checked programmatically
 	// TODO: these are placeholders until we add options for each in settings with appropriate warning
 	enableHTTPChallenge := true
 	enableTLSALPNChallenge := true
+	altHTTPPort := 0
+	altTLSALPNPort := 0
+
+	if p, err := strconv.Atoi(setting.PortToRedirect); err == nil {
+		altHTTPPort = p
+	}
+	if p, err := strconv.Atoi(setting.HTTPPort); err == nil {
+		altTLSALPNPort = p
+	}

 	magic := certmagic.NewDefault()
 	magic.Storage = &certmagic.FileStorage{Path: directory}
@@ -30,9 +40,12 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
 		Agreed:                  setting.LetsEncryptTOS,
 		DisableHTTPChallenge:    !enableHTTPChallenge,
 		DisableTLSALPNChallenge: !enableTLSALPNChallenge,
+		ListenHost:              setting.HTTPAddr,
+		AltTLSALPNPort:          altTLSALPNPort,
+		AltHTTPPort:             altHTTPPort,
 	})

-	magic.Issuer = myACME
+	magic.Issuers = []certmagic.Issuer{myACME}

 	// this obtains certificates or renews them if necessary
 	err := magic.ManageSync([]string{domain})
@@ -41,6 +54,7 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
 	}

 	tlsConfig := magic.TLSConfig()
+	tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2")

 	if enableHTTPChallenge {
 		go func() {
--- a/contrib/environment-to-ini/environment-to-ini.go
+++ b/contrib/environment-to-ini/environment-to-ini.go
@@ -110,6 +110,8 @@ func runEnvironmentToIni(c *cli.Context) error {
 	}
 	cfg.NameMapper = ini.SnackCase

+	changed := false
+
 	prefix := c.String("prefix") + "__"

 	for _, kv := range os.Environ() {
@@ -143,15 +145,21 @@ func runEnvironmentToIni(c *cli.Context) error {
 				continue
 			}
 		}
+		oldValue := key.Value()
+		if !changed && oldValue != value {
+			changed = true
+		}
 		key.SetValue(value)
 	}
 	destination := c.String("out")
 	if len(destination) == 0 {
 		destination = setting.CustomConf
 	}
-	err = cfg.SaveTo(destination)
-	if err != nil {
-		return err
+	if destination != setting.CustomConf || changed {
+		err = cfg.SaveTo(destination)
+		if err != nil {
+			return err
+		}
 	}
 	if c.Bool("clear") {
 		for _, kv := range os.Environ() {
--- a/contrib/pr/checkout.go
+++ b/contrib/pr/checkout.go
@@ -26,12 +26,12 @@ import (
 	"time"

 	"code.gitea.io/gitea/models"
+	gitea_git "code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/markup/external"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/routers"
-	"code.gitea.io/gitea/routers/routes"

 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
@@ -80,7 +80,7 @@ func runPR() {
 	setting.RunUser = curUser.Username

 	log.Printf("[PR] Loading fixtures data ...\n")
-	setting.CheckLFSVersion()
+	gitea_git.CheckLFSVersion()
 	//models.LoadConfigs()
 	/*
 		setting.Database.Type = "sqlite3"
@@ -114,9 +114,9 @@ func runPR() {

 	log.Printf("[PR] Setting up router\n")
 	//routers.GlobalInit()
-	external.RegisterParsers()
+	external.RegisterRenderers()
 	markup.Init()
-	c := routes.NormalRoutes()
+	c := routers.NormalRoutes()

 	log.Printf("[PR] Ready for testing !\n")
 	log.Printf("[PR] Login with user1, user2, user3, ... with pass: password\n")
--- a/contrib/systemd/gitea.service
+++ b/contrib/systemd/gitea.service
@@ -3,14 +3,23 @@ Description=Gitea (Git with a cup of tea)
 After=syslog.target
 After=network.target
 ###
-# Don't forget to add the database service requirements
+# Don't forget to add the database service dependencies
 ###
 #
-#Requires=mysql.service
-#Requires=mariadb.service
-#Requires=postgresql.service
-#Requires=memcached.service
-#Requires=redis.service
+#Wants=mysql.service
+#After=mysql.service
+#
+#Wants=mariadb.service
+#After=mariadb.service
+#
+#Wants=postgresql.service
+#After=postgresql.service
+#
+#Wants=memcached.service
+#After=memcached.service
+#
+#Wants=redis.service
+#After=redis.service
 #
 ###
 # If using socket activation for main http/s
--- a/contrib/update_dependencies.sh
+++ b/contrib/update_dependencies.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+grep 'git' go.mod | grep '\.com' | grep -v indirect | grep -v replace | cut -f 2 | cut -d ' ' -f 1 | while read line; do
+  go get -u "$line"
+  make vendor
+  git add .
+  git commit -S -m "update $line"
+done
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
--- a/docker/manifest.rootless.tmpl
+++ b/docker/manifest.rootless.tmpl
@@ -1,18 +1,19 @@
-image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-rootless
+image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}-rootless
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
  - {{this}}-rootless
 {{/each}}
+  - "latest-rootless"
 {{/if}}
 manifests:
  -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64-rootless
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}-linux-amd64-rootless
    platform:
      architecture: amd64
      os: linux
  -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64-rootless
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}-linux-arm64-rootless
    platform:
      architecture: arm64
      os: linux
--- a/docker/manifest.tmpl
+++ b/docker/manifest.tmpl
@@ -1,19 +1,20 @@
-image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}dev{{/if}}
 {{#if build.tags}}
 tags:
 {{#each build.tags}}
  - {{this}}
 {{/each}}
+  - "latest"
 {{/if}}
 manifests:
  -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{else}}dev-{{/if}}linux-amd64
    platform:
      architecture: amd64
      os: linux
  -
-    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    image: gitea/gitea:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{else}}dev-{{/if}}linux-arm64
    platform:
      architecture: arm64
      os: linux
-      variant: v8
+      variant: v8
--- a/docker/root/etc/s6/gitea/setup
+++ b/docker/root/etc/s6/gitea/setup
@@ -23,7 +23,7 @@ if [ ! -f ${GITEA_CUSTOM}/conf/app.ini ]; then
        INSTALL_LOCK=true
    fi

-    # Substitude the environment variables in the template
+    # Substitute the environment variables in the template
    APP_NAME=${APP_NAME:-"Gitea: Git with a cup of tea"} \
    RUN_MODE=${RUN_MODE:-"prod"} \
    DOMAIN=${DOMAIN:-"localhost"} \
--- a/docker/root/etc/s6/openssh/setup
+++ b/docker/root/etc/s6/openssh/setup
@@ -24,9 +24,31 @@ if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
    ssh-keygen -t ecdsa -b 256 -f /data/ssh/ssh_host_ecdsa_key -N "" > /dev/null
 fi

+if [ -e /data/ssh/ssh_host_ed25519_cert ]; then
+  SSH_ED25519_CERT=${SSH_ED25519_CERT:-"/data/ssh/ssh_host_ed25519_cert"}
+fi
+
+if [ -e /data/ssh/ssh_host_rsa_cert ]; then
+  SSH_RSA_CERT=${SSH_RSA_CERT:-"/data/ssh/ssh_host_rsa_cert"}
+fi
+
+if [ -e /data/ssh/ssh_host_ecdsa_cert ]; then
+  SSH_ECDSA_CERT=${SSH_ECDSA_CERT:-"/data/ssh/ssh_host_ecdsa_cert"}
+fi
+
+if [ -e /data/ssh/ssh_host_dsa_cert ]; then
+  SSH_DSA_CERT=${SSH_DSA_CERT:-"/data/ssh/ssh_host_dsa_cert"}
+fi
+
 if [ -d /etc/ssh ]; then
    SSH_PORT=${SSH_PORT:-"22"} \
    SSH_LISTEN_PORT=${SSH_LISTEN_PORT:-"${SSH_PORT}"} \
+    SSH_ED25519_CERT="${SSH_ED25519_CERT:+"HostCertificate "}${SSH_ED25519_CERT}" \
+    SSH_RSA_CERT="${SSH_RSA_CERT:+"HostCertificate "}${SSH_RSA_CERT}" \
+    SSH_ECDSA_CERT="${SSH_ECDSA_CERT:+"HostCertificate "}${SSH_ECDSA_CERT}" \
+    SSH_DSA_CERT="${SSH_DSA_CERT:+"HostCertificate "}${SSH_DSA_CERT}" \
+    SSH_MAX_STARTUPS="${SSH_MAX_STARTUPS:+"MaxStartups "}${SSH_MAX_STARTUPS}" \
+    SSH_MAX_SESSIONS="${SSH_MAX_SESSIONS:+"MaxSessions "}${SSH_MAX_SESSIONS}" \
    envsubst < /etc/templates/sshd_config > /etc/ssh/sshd_config

    chmod 0644 /etc/ssh/sshd_config
--- a/docker/root/etc/templates/sshd_config
+++ b/docker/root/etc/templates/sshd_config
@@ -5,16 +5,19 @@ AddressFamily any
 ListenAddress 0.0.0.0
 ListenAddress ::

+${SSH_MAX_STARTUPS}
+${SSH_MAX_SESSIONS}
+
 LogLevel INFO

 HostKey /data/ssh/ssh_host_ed25519_key
-HostCertificate /data/ssh/ssh_host_ed25519_cert
+${SSH_ED25519_CERT}
 HostKey /data/ssh/ssh_host_rsa_key
-HostCertificate /data/ssh/ssh_host_rsa_cert
+${SSH_RSA_CERT}
 HostKey /data/ssh/ssh_host_ecdsa_key
-HostCertificate /data/ssh/ssh_host_ecdsa_cert
+${SSH_ECDSA_CERT}
 HostKey /data/ssh/ssh_host_dsa_key
-HostCertificate /data/ssh/ssh_host_dsa_cert
+${SSH_DSA_CERT}

 AuthorizedKeysFile .ssh/authorized_keys
 AuthorizedPrincipalsFile .ssh/authorized_principals
--- a/docker/rootless/usr/local/bin/docker-setup.sh
+++ b/docker/rootless/usr/local/bin/docker-setup.sh
@@ -25,7 +25,7 @@ if [ ! -f ${GITEA_APP_INI} ]; then
        INSTALL_LOCK=true
    fi

-    # Substitude the environment variables in the template
+    # Substitute the environment variables in the template
    APP_NAME=${APP_NAME:-"Gitea: Git with a cup of tea"} \
    RUN_MODE=${RUN_MODE:-"prod"} \
    RUN_USER=${USER:-"git"} \
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -31,4 +31,4 @@ update: $(THEME)
 $(THEME): $(THEME)/theme.toml
 $(THEME)/theme.toml:
 	mkdir -p $$(dirname $@)
-	curl -s $(ARCHIVE) | tar xz -C $$(dirname $@)
+	curl -L -s $(ARCHIVE) | tar xz -C $$(dirname $@)
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -18,10 +18,10 @@ params:
  description: Git with a cup of tea
  author: The Gitea Authors
  website: https://docs.gitea.io
-  version: 1.13.3
-  minGoVersion: 1.14
+  version: 1.14.6
+  minGoVersion: 1.16
  goVersion: 1.16
-  minNodeVersion: 10.13
+  minNodeVersion: 12.17

 outputs:
  home:
--- a/docs/content/doc/advanced/adding-legal-pages.en-us.md
+++ b/docs/content/doc/advanced/adding-legal-pages.en-us.md
@@ -32,7 +32,7 @@ You absolutely must not place a general ToS or privacy statement that implies th
 Create or append to `/path/to/custom/templates/custom/extra_links_footer.tmpl`:

 ```go
-<a class="item" href="{{AppSubUrl}}/privacy.html">Privacy Policy</a>
+<a class="item" href="{{AppSubUrl}}/assets/privacy.html">Privacy Policy</a>
 ```

 Restart Gitea to see the changes.
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -59,7 +59,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `MIRROR_QUEUE_LENGTH`: **1000**: Patch test queue length, increase if pull request patch
   testing starts hanging.
 - `PREFERRED_LICENSES`: **Apache License 2.0,MIT License**: Preferred Licenses to place at
-   the top of the list. Name must match file name in conf/license or custom/conf/license.
+   the top of the list. Name must match file name in options/license or custom/options/license.
 - `DISABLE_HTTP_GIT`: **false**: Disable the ability to interact with repositories over the
   HTTP protocol.
 - `USE_COMPAT_SSH_URI`: **false**: Force ssh:// clone url instead of scp-style uri when
@@ -75,6 +75,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `PREFIX_ARCHIVE_FILES`: **true**: Prefix archive files by placing them in a directory named after the repository.
 - `DISABLE_MIRRORS`: **false**: Disable the creation of **new** mirrors. Pre-existing mirrors remain valid.
 - `DISABLE_MIGRATIONS`: **false**: Disable migrating feature.
+- `DISABLE_STARS`: **false**: Disable stars feature.
 - `DEFAULT_BRANCH`: **master**: Default branch name of all repositories.
 - `ALLOW_ADOPTION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to adopt unadopted repositories
 - `ALLOW_DELETION_OF_UNADOPTED_REPOSITORIES`: **false**: Allow non-admin users to delete unadopted repositories
@@ -93,10 +94,11 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `REOPEN_KEYWORDS`: **reopen**, **reopens**, **reopened**: List of keywords used in Pull Request comments to automatically reopen
 a related issue
 - `DEFAULT_MERGE_MESSAGE_COMMITS_LIMIT`: **50**: In the default merge message for squash commits include at most this many commits. Set to `-1` to include all commits
- `DEFAULT_MERGE_MESSAGE_SIZE`: **5120**: In the default merge message for squash commits limit the size of the commit messages. Set to `-1` to have no limit.
+- `DEFAULT_MERGE_MESSAGE_SIZE`: **5120**: In the default merge message for squash commits limit the size of the commit messages. Set to `-1` to have no limit. Only used if `POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES` is `true`.
 - `DEFAULT_MERGE_MESSAGE_ALL_AUTHORS`: **false**: In the default merge message for squash commits walk all commits to include all authors in the Co-authored-by otherwise just use those in the limited list
 - `DEFAULT_MERGE_MESSAGE_MAX_APPROVERS`: **10**: In default merge messages limit the number of approvers listed as `Reviewed-by:`. Set to `-1` to include all.
 - `DEFAULT_MERGE_MESSAGE_OFFICIAL_APPROVERS_ONLY`: **true**: In default merge messages only include approvers who are officially allowed to review.
+- `POPULATE_SQUASH_COMMENT_WITH_COMMIT_MESSAGES`: **false**: In default squash-merge messages include the commit message of all commits comprising the pull request.

 ### Repository - Issue (`repository.issue`)

@@ -126,8 +128,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
  - Options other than `never` and `always` can be combined as a comma separated list.
 - `DEFAULT_TRUST_MODEL`: **collaborator**: \[collaborator, committer, collaboratorcommitter\]: The default trust model used for verifying commits.
   - `collaborator`: Trust signatures signed by keys of collaborators.
-   - `committer`: Trust signatures that match committers (This matches GitHub and will force Gitea signed commits to have Gitea as the commmitter).
-   - `collaboratorcommitter`: Trust signatures signed by keys of collaborators which match the commiter.
+   - `committer`: Trust signatures that match committers (This matches GitHub and will force Gitea signed commits to have Gitea as the committer).
+   - `collaboratorcommitter`: Trust signatures signed by keys of collaborators which match the committer.
 - `WIKI`: **never**: \[never, pubkey, twofa, always, parentsigned\]: Sign commits to wiki.
 - `CRUD_ACTIONS`: **pubkey, twofa, parentsigned**: \[never, pubkey, twofa, parentsigned, always\]: Sign CRUD actions.
  - Options as above, with the addition of:
@@ -142,6 +144,15 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.

 - `LOCAL_COPY_PATH`: **tmp/local-repo**: Path for temporary local repository copies. Defaults to `tmp/local-repo`

+## Repository -  MIME type mapping (`repository.mimetype_mapping`)
+
+Configuration for set the expected MIME type based on file extensions of downloadable files. Configuration presents in key-value pairs and file extensions starts with leading `.`.
+
+The following configuration set `Content-Type: application/vnd.android.package-archive` header when downloading files with `.apk` file extension.
+```ini
+.apk=application/vnd.android.package-archive
+```
+
 ## CORS (`cors`)

 - `ENABLED`: **false**: enable cors headers (disabled by default)
@@ -169,7 +180,10 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `MAX_DISPLAY_FILE_SIZE`: **8388608**: Max size of files to be displayed (default is 8MiB)
 - `REACTIONS`: All available reactions users can choose on issues/prs and comments
    Values can be emoji alias (:smile:) or a unicode emoji.
-    For custom reactions, add a tightly cropped square image to public/emoji/img/reaction_name.png
+    For custom reactions, add a tightly cropped square image to public/img/emoji/reaction_name.png
+- `CUSTOM_EMOJIS`: **gitea, codeberg, gitlab, git, github, gogs**: Additional Emojis not defined in the utf8 standard.
+    By default we support gitea (:gitea:), to add more copy them to public/img/emoji/emoji_name.png and
+    add it to this config.
 - `DEFAULT_SHOW_FULL_NAME`: **false**: Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used.
 - `SEARCH_REPO_DESCRIPTION`: **true**: Whether to search within description at repository search on explore page.
 - `USE_SERVICE_WORKER`: **true**: Whether to enable a Service Worker to cache frontend assets.
@@ -198,6 +212,10 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.

 - `ENABLE_RENDER`: **true**: Whether to render SVG files as images.  If SVG rendering is disabled, SVG files are displayed as text and cannot be embedded in markdown files as images.

+### UI - CSV Files (`ui.csv`)
+
+- `MAX_FILE_SIZE`: **524288** (512kb): Maximum allowed file size in bytes to render CSV files as table. (Set to 0 for no limit).
+
 ## Markdown (`markdown`)

 - `ENABLE_HARD_LINE_BREAK_IN_COMMENTS`: **true**: Render soft line breaks as hard line breaks in comments, which
@@ -237,6 +255,9 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
   most cases you do not need to change the default value. Alter it only if
   your SSH server node is not the same as HTTP node. Do not set this variable
   if `PROTOCOL` is set to `unix`.
+- `PER_WRITE_TIMEOUT`: **30s**: Timeout for any write to the connection. (Set to 0 to
+   disable all timeouts.)
+- `PER_WRITE_PER_KB_TIMEOUT`: **10s**: Timeout per Kb written to connections.

 - `DISABLE_SSH`: **false**: Disable SSH feature when it's not available.
 - `START_SSH_SERVER`: **false**: When enabled, use the built-in SSH server.
@@ -253,6 +274,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `SSH_AUTHORIZED_PRINCIPALS_ALLOW`: **off** or **username, email**: \[off, username, email, anything\]: Specify the principals values that users are allowed to use as principal. When set to `anything` no checks are done on the principal string. When set to `off` authorized principal are not allowed to be set.
 - `SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE`: **false/true**: Gitea will create a authorized_principals file by default when it is not using the internal ssh server and `SSH_AUTHORIZED_PRINCIPALS_ALLOW` is not `off`.
 - `SSH_AUTHORIZED_PRINCIPALS_BACKUP`: **false/true**: Enable SSH Authorized Principals Backup when rewriting all keys, default is true if `SSH_AUTHORIZED_PRINCIPALS_ALLOW` is not `off`.
+- `SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE`: **{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}**: Set the template for the command to passed on authorized keys. Possible keys are: AppPath, AppWorkPath, CustomConf, CustomPath, Key - where Key is a `models.PublicKey` and the others are strings which are shellquoted.
 - `SSH_SERVER_CIPHERS`: **aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128**: For the built-in SSH server, choose the ciphers to support for SSH connections, for system SSH this setting has no effect.
 - `SSH_SERVER_KEY_EXCHANGES`: **diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org**: For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, for system SSH this setting has no effect.
 - `SSH_SERVER_MACS`: **hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96**: For the built-in SSH server, choose the MACs to support for SSH connections, for system SSH this setting has no effect
@@ -260,6 +282,9 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `SSH_KEY_TEST_PATH`: **/tmp**: Directory to create temporary files in when testing public keys using ssh-keygen, default is the system temporary directory.
 - `SSH_KEYGEN_PATH`: **ssh-keygen**: Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
 - `SSH_EXPOSE_ANONYMOUS`: **false**: Enable exposure of SSH clone URL to anonymous visitors, default is false.
+- `SSH_PER_WRITE_TIMEOUT`: **30s**: Timeout for any write to the SSH connections. (Set to
+  0 to disable all timeouts.)
+- `SSH_PER_WRITE_PER_KB_TIMEOUT`: **10s**: Timeout per Kb written to SSH connections.
 - `MINIMUM_KEY_SIZE_CHECK`: **true**: Indicate whether to check minimum key size with corresponding type.

 - `OFFLINE_MODE`: **false**: Disables use of CDN for static files and Gravatar for profile pictures.
@@ -320,9 +345,9 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `PATH`: **data/gitea.db**: For SQLite3 only, the database file path.
 - `LOG_SQL`: **true**: Log the executed SQL.
 - `DB_RETRIES`: **10**: How many ORM init / DB connect attempts allowed.
- `DB_RETRY_BACKOFF`: **3s**: time.Duration to wait before trying another ORM init / DB connect attempt, if failure occured.
+- `DB_RETRY_BACKOFF`: **3s**: time.Duration to wait before trying another ORM init / DB connect attempt, if failure occurred.
 - `MAX_OPEN_CONNS` **0**: Database maximum open connections - default is 0, meaning there is no limit.
- `MAX_IDLE_CONNS` **2**: Max idle database connections on connnection pool, default is 2 - this will be capped to `MAX_OPEN_CONNS`.
+- `MAX_IDLE_CONNS` **2**: Max idle database connections on connection pool, default is 2 - this will be capped to `MAX_OPEN_CONNS`.
 - `CONN_MAX_LIFETIME` **0 or 3s**: Sets the maximum amount of time a DB connection may be reused - default is 0, meaning there is no limit (except on MySQL where it is 3s - see #6804 & #7071).

 Please see #8540 & #8273 for further discussion of the appropriate values for `MAX_OPEN_CONNS`, `MAX_IDLE_CONNS` & `CONN_MAX_LIFETIME` and their
@@ -335,10 +360,10 @@ relation to port exhaustion.
 - `ISSUE_INDEXER_NAME`: **gitea_issues**: Issue indexer name, available when ISSUE_INDEXER_TYPE is elasticsearch
 - `ISSUE_INDEXER_PATH`: **indexers/issues.bleve**: Index file used for issue search; available when ISSUE_INDEXER_TYPE is bleve and elasticsearch.
 - The next 4 configuration values are deprecated and should be set in `queue.issue_indexer` however are kept for backwards compatibility:
- `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: Issue indexer queue, currently supports:`channel`, `levelqueue`, `redis`.
- `ISSUE_INDEXER_QUEUE_DIR`: **indexers/issues.queue**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved.
- `ISSUE_INDEXER_QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string. When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this is a directory or additional options of the form `leveldb://path/to/db?option=value&....`, and overrides `ISSUE_INDEXER_QUEUE_DIR`.
- `ISSUE_INDEXER_QUEUE_BATCH_NUMBER`: **20**: Batch queue number.
+- `ISSUE_INDEXER_QUEUE_TYPE`: **levelqueue**: Issue indexer queue, currently supports:`channel`, `levelqueue`, `redis`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_DIR`: **queues/common**: When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this will be the path where the queue will be saved. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_CONN_STR`: **addrs=127.0.0.1:6379 db=0**: When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string. When `ISSUE_INDEXER_QUEUE_TYPE` is `levelqueue`, this is a directory or additional options of the form `leveldb://path/to/db?option=value&....`, and overrides `ISSUE_INDEXER_QUEUE_DIR`. **DEPRECATED** use settings in `[queue.issue_indexer]`.
+- `ISSUE_INDEXER_QUEUE_BATCH_NUMBER`: **20**: Batch queue number. **DEPRECATED** use settings in `[queue.issue_indexer]`.

 - `REPO_INDEXER_ENABLED`: **false**: Enables code search (uses a lot of disk space, about 6 times more than the repository size).
 - `REPO_INDEXER_TYPE`: **bleve**: Code search engine type, could be `bleve` or `elasticsearch`.
@@ -349,29 +374,29 @@ relation to port exhaustion.
 - `REPO_INDEXER_INCLUDE`: **empty**: A comma separated list of glob patterns (see https://github.com/gobwas/glob) to **include** in the index. Use `**.txt` to match any files with .txt extension. An empty list means include all files.
 - `REPO_INDEXER_EXCLUDE`: **empty**: A comma separated list of glob patterns (see https://github.com/gobwas/glob) to **exclude** from the index. Files that match this list will not be indexed, even if they match in `REPO_INDEXER_INCLUDE`.
 - `REPO_INDEXER_EXCLUDE_VENDORED`: **true**: Exclude vendored files from index.
- `UPDATE_BUFFER_LEN`: **20**: Buffer length of index request.
+- `UPDATE_BUFFER_LEN`: **20**: Buffer length of index request. **DEPRECATED** use settings in `[queue.issue_indexer]`.
 - `MAX_FILE_SIZE`: **1048576**: Maximum size in bytes of files to be indexed.
 - `STARTUP_TIMEOUT`: **30s**: If the indexer takes longer than this timeout to start - fail. (This timeout will be added to the hammer time above for child processes - as bleve will not start until the previous parent is shutdown.) Set to zero to never timeout.

 ## Queue (`queue` and `queue.*`)

 - `TYPE`: **persistable-channel**: General queue type, currently support: `persistable-channel` (uses a LevelDB internally), `channel`, `level`, `redis`, `dummy`
- `DATADIR`: **queues/**: Base DataDir for storing persistent and level queues. `DATADIR` for individual queues can be set in `queue.name` sections but will default to `DATADIR/`**`name`**.
+- `DATADIR`: **queues/**: Base DataDir for storing persistent and level queues. `DATADIR` for individual queues can be set in `queue.name` sections but will default to `DATADIR/`**`common`**. (Previously each queue would default to `DATADIR/`**`name`**.)
 - `LENGTH`: **20**: Maximal queue size before channel queues block
 - `BATCH_LENGTH`: **20**: Batch data before passing to the handler
 - `CONN_STR`: **redis://127.0.0.1:6379/0**: Connection string for the redis queue type. Options can be set using query params. Similarly LevelDB options can also be set using: **leveldb://relative/path?option=value** or **leveldb:///absolute/path?option=value**, and will override `DATADIR`
- `QUEUE_NAME`: **_queue**: The suffix for default redis and disk queue name. Individual queues will default to **`name`**`QUEUE_NAME` but can be overriden in the specific `queue.name` section.
+- `QUEUE_NAME`: **_queue**: The suffix for default redis and disk queue name. Individual queues will default to **`name`**`QUEUE_NAME` but can be overridden in the specific `queue.name` section.
 - `SET_NAME`: **_unique**: The suffix that will be added to the default redis and disk queue `set` name for unique queues. Individual queues will default to
 **`name`**`QUEUE_NAME`_`SET_NAME`_ but can be overridden in the specific `queue.name` section.
 - `WRAP_IF_NECESSARY`: **true**: Will wrap queues with a timeoutable queue if the selected queue is not ready to be created - (Only relevant for the level queue.)
 - `MAX_ATTEMPTS`: **10**: Maximum number of attempts to create the wrapped queue
 - `TIMEOUT`: **GRACEFUL_HAMMER_TIME + 30s**: Timeout the creation of the wrapped queue if it takes longer than this to create.
 - Queues by default come with a dynamically scaling worker pool. The following settings configure this:
- `WORKERS`: **1**: Number of initial workers for the queue.
+- `WORKERS`: **0** (v1.14 and before: **1**): Number of initial workers for the queue.
 - `MAX_WORKERS`: **10**: Maximum number of worker go-routines for the queue.
 - `BLOCK_TIMEOUT`: **1s**: If the queue blocks for this time, boost the number of workers - the `BLOCK_TIMEOUT` will then be doubled before boosting again whilst the boost is ongoing.
 - `BOOST_TIMEOUT`: **5m**: Boost workers will timeout after this long.
- `BOOST_WORKERS`: **5**: This many workers will be added to the worker pool if there is a boost.
+- `BOOST_WORKERS`: **1** (v1.14 and before: **5**): This many workers will be added to the worker pool if there is a boost.

 ## Admin (`admin`)

@@ -425,6 +450,21 @@ relation to port exhaustion.
 - `BLACKLISTED_URIS`: **\<empty\>**: If non-empty, list of POSIX regex patterns matching
   OpenID URI's to block.

+## OAuth2 Client (`oauth2_client`)
+
+- `REGISTER_EMAIL_CONFIRM`: *[service]* **REGISTER\_EMAIL\_CONFIRM**: Set this to enable or disable email confirmation of OAuth2 auto-registration. (Overwrites the REGISTER\_EMAIL\_CONFIRM setting of the `[service]` section)
+- `OPENID_CONNECT_SCOPES`: **\<empty\>**: List of additional openid connect scopes. (`openid` is implicitly added)
+- `ENABLE_AUTO_REGISTRATION`: **false**: Automatically create user accounts for new oauth2 users.
+- `USERNAME`: **nickname**: The source of the username for new oauth2 accounts:
+    - userid - use the userid / sub attribute
+    - nickname - use the nickname attribute
+    - email - use the username part of the email attribute
+- `UPDATE_AVATAR`: **false**: Update avatar if available from oauth2 provider. Update will be performed on each login.
+- `ACCOUNT_LINKING`: **login**: How to handle if an account / email already exists:
+    - disabled - show an error
+    - login - show an account linking login
+    - auto - automatically link with the account (Please be aware that this will grant access to an existing account just because the same username or email is provided. You must make sure that this does not cause issues with your authentication providers.)
+
 ## Service (`service`)

 - `ACTIVE_CODE_LIVE_MINUTES`: **180**: Time limit (min) to confirm account/email registration.
@@ -475,12 +515,16 @@ relation to port exhaustion.
 - `SHOW_MILESTONES_DASHBOARD_PAGE`: **true** Enable this to show the milestones dashboard page - a view of all the user's milestones
 - `AUTO_WATCH_NEW_REPOS`: **true**: Enable this to let all organisation users watch new repos when they are created
 - `AUTO_WATCH_ON_CHANGES`: **false**: Enable this to make users watch a repository after their first commit to it
+- `DEFAULT_USER_VISIBILITY`: **public**: Set default visibility mode for users, either "public", "limited" or "private".
+- `ALLOWED_USER_VISIBILITY_MODES`: **public,limited,private**: Set which visibility modes a user can have
 - `DEFAULT_ORG_VISIBILITY`: **public**: Set default visibility mode for organisations, either "public", "limited" or "private".
 - `DEFAULT_ORG_MEMBER_VISIBLE`: **false** True will make the membership of the users visible when added to the organisation.
+- `ALLOW_ONLY_INTERNAL_REGISTRATION`: **false** Set to true to force registration only via gitea.
 - `ALLOW_ONLY_EXTERNAL_REGISTRATION`: **false** Set to true to force registration only using third-party services.
- `NO_REPLY_ADDRESS`: **DOMAIN** Default value for the domain part of the user's email address in the git log if he has set KeepEmailPrivate to true.
+- `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
  The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
 - `USER_DELETE_WITH_COMMENTS_MAX_TIME`: **0** Minimum amount of time a user must exist before comments are kept when the user is deleted.
+- `VALID_SITE_URL_SCHEMES`: **http, https**: Valid site url schemes for user profiles

 ### Service - Expore (`service.explore`)

@@ -512,9 +556,9 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 - `DISABLE_HELO`: **\<empty\>**: Disable HELO operation.
 - `HELO_HOSTNAME`: **\<empty\>**: Custom hostname for HELO operation.
 - `HOST`: **\<empty\>**: SMTP mail host address and port (example: smtp.gitea.io:587).
-  - Using opportunistic TLS via STARTTLS on port 587 is recommended per RFC 6409.
+  - As per RFC 8314, if supported, Implicit TLS/SMTPS on port 465 is recommended, otherwise opportunistic TLS via STARTTLS on port 587 should be used.
 - `IS_TLS_ENABLED` :  **false** : Forcibly use TLS to connect even if not on a default SMTPS port.
-  - Note, if the port ends with `465` SMTPS/SMTP over TLS will be used despite this setting.
+  - Note, if the port ends with `465` Implicit TLS/SMTPS/SMTP over TLS will be used despite this setting.
  - Otherwise if `IS_TLS_ENABLED=false` and the server supports `STARTTLS` this will be used. Thus if `STARTTLS` is preferred you should set `IS_TLS_ENABLED=false`.
 - `FROM`: **\<empty\>**: Mail from address, RFC 5322. This can be just an email address, or
   the "Name" \<email@example.com\> format.
@@ -546,11 +590,12 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 ## Cache (`cache`)

 - `ENABLED`: **true**: Enable the cache.
- `ADAPTER`: **memory**: Cache engine adapter, either `memory`, `redis`, or `memcache`.
- `INTERVAL`: **60**: Garbage Collection interval (sec), for memory cache only.
- `HOST`: **\<empty\>**: Connection string for `redis` and `memcache`.
+- `ADAPTER`: **memory**: Cache engine adapter, either `memory`, `redis`, `twoqueue` or `memcache`. (`twoqueue` represents a size limited LRU cache.)
+- `INTERVAL`: **60**: Garbage Collection interval (sec), for memory and twoqueue cache only.
+- `HOST`: **\<empty\>**: Connection string for `redis` and `memcache`. For `twoqueue` sets configuration for the queue.
   - Redis: `redis://:macaron@127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
   - Memcache: `127.0.0.1:9090;127.0.0.1:9091`
+   - TwoQueue LRU cache: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000` representing the maximum number of objects stored in the cache.
 - `ITEM_TTL`: **16h**: Time to keep items in cache if not used, Setting it to 0 disables caching.

 ## Cache - LastCommitCache settings (`cache.last_commit`)
@@ -562,7 +607,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 ## Session (`session`)

 - `PROVIDER`: **memory**: Session engine provider \[memory, file, redis, db, mysql, couchbase, memcache, postgres\].
- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for others, the connection string.
+- `PROVIDER_CONFIG`: **data/sessions**: For file, the root path; for db, empty (database config will be used); for others, the connection string.
 - `COOKIE_SECURE`: **false**: Enable this to force using HTTPS for all session access.
 - `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID.
 - `GC_INTERVAL_TIME`: **86400**: GC interval in seconds.
@@ -627,6 +672,7 @@ Default templates for project boards:
 - `ROUTER`: **console**: The mode or name of the log the router should log to. (If you set this to `,` it will log to default gitea logger.)
 NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take effect. Configure each mode in per mode log subsections `\[log.modename.router\]`.
 - `ENABLE_ACCESS_LOG`: **false**: Creates an access.log in NCSA common log format, or as per the following template
+- `ENABLE_SSH_LOG`: **false**: save ssh log to log file
 - `ACCESS`: **file**: Logging mode for the access logger, use a comma to separate values. Configure each mode in per mode log subsections `\[log.modename.access\]`. By default the file mode will log to `$ROOT_PATH/access.log`. (If you set this to `,` it will log to the default gitea logger.)
 - `ACCESS_LOG_TEMPLATE`: **`{{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"`**: Sets the template used to create the access log.
  - The following variables are available:
@@ -683,6 +729,11 @@ NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take ef
 - `RUN_AT_START`: **false**: Run cron tasks at application start-up.
 - `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.

+- `SCHEDULE` accept formats
+   - Full crontab specs, e.g. `* * * * * ?`
+   - Descriptors, e.g. `@midnight`, `@every 1h30m` ...
+   - See more: [cron decument](https://pkg.go.dev/github.com/gogs/cron@v0.0.0-20171120032916-9f6c956d3e14)
+
 ### Basic cron tasks - enabled by default

 #### Cron - Cleanup old repository archives (`cron.archive_cleanup`)
@@ -766,6 +817,13 @@ NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take ef
 - `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
 - `SCHEDULE`: **@every 72h**: Cron syntax for scheduling repository archive cleanup, e.g. `@every 1h`.

+#### Cron -  Delete all old actions from database ('cron.delete_old_actions')
+- `ENABLED`: **false**: Enable service.
+- `RUN_AT_START`: **false**: Run tasks at start up time (if ENABLED).
+- `NO_SUCCESS_NOTICE`: **false**: Set to true to switch off success notices.
+- `SCHEDULE`: **@every 128h**: Cron syntax for scheduling a work, e.g. `@every 128h`.
+- `OLDER_THAN`: **@every 8760h**: any action older than this expression will be deleted from database, suggest using `8760h` (1 year) because that's the max length of heatmap.
+
 ## Git (`git`)

 - `PATH`: **""**: The path of git executable. If empty, Gitea searches through the PATH environment.
@@ -780,7 +838,8 @@ NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take ef
 - `PULL_REQUEST_PUSH_MESSAGE`: **true**: Respond to pushes to a non-default branch with a URL for creating a Pull Request (if the repository has them enabled)
 - `VERBOSE_PUSH`: **true**: Print status information about pushes as they are being processed.
 - `VERBOSE_PUSH_DELAY`: **5s**: Only print verbose information if push takes longer than this delay.
-
+- `LARGE_OBJECT_THRESHOLD`: **1048576**: (Go-Git only), don't cache objects greater than this in memory. (Set to 0 to disable.)
+- `DISABLE_CORE_PROTECT_NTFS`: **false** Set to true to forcibly set `core.protectNTFS` to false.
 ## Git - Timeout settings (`git.timeout`)
 - `DEFAUlT`: **360**: Git operations default timeout seconds.
 - `MIGRATE`: **600**: Migrate external repositories timeout seconds.
@@ -808,7 +867,9 @@ NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take ef
 - `ACCESS_TOKEN_EXPIRATION_TIME`: **3600**: Lifetime of an OAuth2 access token in seconds
 - `REFRESH_TOKEN_EXPIRATION_TIME`: **730**: Lifetime of an OAuth2 refresh token in hours
 - `INVALIDATE_REFRESH_TOKENS`: **false**: Check if refresh token has already been used
- `JWT_SECRET`: **\<empty\>**: OAuth2 authentication secret for access and refresh tokens, change this a unique string.
+- `JWT_SIGNING_ALGORITHM`: **RS256**: Algorithm used to sign OAuth2 tokens. Valid values: \[`HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`\]
+- `JWT_SECRET`: **\<empty\>**: OAuth2 authentication secret for access and refresh tokens, change this to a unique string. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `HS256`, `HS384` or `HS512`.
+- `JWT_SIGNING_PRIVATE_KEY_FILE`: **jwt/private.pem**: Private key file path used to sign OAuth2 tokens. The path is relative to `APP_DATA_PATH`. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `RS256`, `RS384`, `RS512`, `ES256`, `ES384` or `ES512`. The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you.
 - `MAX_TOKEN_LENGTH`: **32767**: Maximum length of token/cookie to accept from OAuth2 provider

 ## i18n (`i18n`)
@@ -827,14 +888,16 @@ Gitea can support Markup using external tools. The example below will add a mark
 ```ini
 [markup.asciidoc]
 ENABLED = true
+NEED_POSTPROCESS = true
 FILE_EXTENSIONS = .adoc,.asciidoc
 RENDER_COMMAND = "asciidoc --out-file=- -"
 IS_INPUT_FILE = false
 ```

 - ENABLED: **false** Enable markup support; set to **true** to enable this renderer.
+- NEED\_POSTPROCESS: **true** set to **true** to replace links / sha1 and etc.
 - FILE\_EXTENSIONS: **\<empty\>** List of file extensions that should be rendered by an external
-   command. Multiple extentions needs a comma as splitter.
+   command. Multiple extensions needs a comma as splitter.
 - RENDER\_COMMAND: External command to render all matching extensions.
 - IS\_INPUT\_FILE: **false** Input is not a standard input but a file param followed `RENDER_COMMAND`.

@@ -852,17 +915,21 @@ Gitea supports customizing the sanitization policy for rendered HTML. The exampl
 ELEMENT = span
 ALLOW_ATTR = class
 REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+
+ALLOW_DATA_URI_IMAGES = true
 ```

 - `ELEMENT`: The element this policy applies to. Must be non-empty.
 - `ALLOW_ATTR`: The attribute this policy allows. Must be non-empty.
 - `REGEXP`: A regex to match the contents of the attribute against. Must be present but may be empty for unconditional whitelisting of this attribute.
+ - `ALLOW_DATA_URI_IMAGES`: **false** Allow data uri images (`<img src="data:image/png;base64,..."/>`).

 Multiple sanitisation rules can be defined by adding unique subsections, e.g. `[markup.sanitizer.TeX-2]`.
+To apply a sanitisation rules only for a specify external renderer they must use the renderer name, e.g. `[markup.sanitizer.asciidoc.rule-1]`.
+If the rule is defined above the renderer ini section or the name does not match a renderer it is applied to every renderer.

 ## Time (`time`)

- `FORMAT`: Time format to diplay on UI. i.e. RFC1123 or 2006-01-02 15:04:05
+- `FORMAT`: Time format to display on UI. i.e. RFC1123 or 2006-01-02 15:04:05
 - `DEFAULT_UI_LOCATION`: Default location of time on the UI, so that we can display correct user's time on UI. i.e. Shanghai/Asia

 ## Task (`task`)
@@ -936,6 +1003,23 @@ MINIO_USE_SSL = false

 And used by `[attachment]`, `[lfs]` and etc. as `STORAGE_TYPE`.

+## Repository Archive Storage (`storage.repo-archive`)
+
+Configuration for repository archive storage. It will inherit from default `[storage]` or
+`[storage.xxx]` when set `STORAGE_TYPE` to `xxx`. The default of `PATH`
+is `data/repo-archive` and the default of `MINIO_BASE_PATH` is `repo-archive/`.
+
+- `STORAGE_TYPE`: **local**: Storage type for repo archive, `local` for local disk or `minio` for s3 compatible object storage service or other name defined with `[storage.xxx]`
+- `SERVE_DIRECT`: **false**: Allows the storage driver to redirect to authenticated URLs to serve files directly. Currently, only Minio/S3 is supported via signed URLs, local does nothing.
+- `PATH`: **./data/repo-archive**: Where to store archive files, only available when `STORAGE_TYPE` is `local`.
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio endpoint to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID to connect only available when `STORAGE_TYPE` is `minio`
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey to connect only available when `STORAGE_TYPE is` `minio`
+- `MINIO_BUCKET`: **gitea**: Minio bucket to store the lfs only available when `STORAGE_TYPE` is `minio`
+- `MINIO_LOCATION`: **us-east-1**: Minio location to create bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_BASE_PATH`: **repo-archive/**: Minio base path on the bucket only available when `STORAGE_TYPE` is `minio`
+- `MINIO_USE_SSL`: **false**: Minio enabled ssl only available when `STORAGE_TYPE` is `minio`
+
 ## Other (`other`)

 - `SHOW_FOOTER_BRANDING`: **false**: Show Gitea branding in the footer.
--- a/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.zh-cn.md
@@ -245,6 +245,11 @@ test01.xls: application/vnd.ms-excel; charset=binary

 - `ENABLED`: 是否在后台运行定期任务。
 - `RUN_AT_START`: 是否启动时自动运行。
+- `SCHEDULE` 所接受的格式
+   - 完整 crontab 控制, 例如 `* * * * * ?`
+   - 描述符, 例如 `@midnight`, `@every 1h30m` ...
+   - 更多细节参见 [cron api文档](https://pkg.go.dev/github.com/gogs/cron@v0.0.0-20171120032916-9f6c956d3e14)
+

 ### Cron - Update Mirrors (`cron.update_mirrors`)

@@ -297,12 +302,14 @@ test01.xls: application/vnd.ms-excel; charset=binary
 ```ini
 [markup.asciidoc]
 ENABLED = false
+NEED_POSTPROCESS = true
 FILE_EXTENSIONS = .adoc,.asciidoc
 RENDER_COMMAND = "asciidoc --out-file=- -"
 IS_INPUT_FILE = false
 ```

 - ENABLED: 是否启用，默认为false。
+- NEED\_POSTPROCESS: **true** 设置为 true 则会替换渲染文件中的内部链接和Commit ID 等。
 - FILE_EXTENSIONS: 关联的文档的扩展名，多个扩展名用都好分隔。
 - RENDER_COMMAND: 工具的命令行命令及参数。
 - IS_INPUT_FILE: 输入方式是最后一个参数为文件路径还是从标准输入读取。
@@ -375,6 +382,21 @@ MINIO_USE_SSL = false

 然后你在 `[attachment]`, `[lfs]` 等中可以把这个名字用作 `STORAGE_TYPE` 的值。

+## Repository Archive Storage (`storage.repo-archive`)
+
+Repository archive 的存储配置。 如果 `STORAGE_TYPE` 为空，则此配置将从 `[storage]` 继承。如果不为 `local` 或者 `minio` 而为 `xxx`， 则从 `[storage.xxx]` 继承。当继承时， `PATH` 默认为 `data/repo-archive`，`MINIO_BASE_PATH` 默认为 `repo-archive/`。
+
+- `STORAGE_TYPE`: **local**: Repository archive 的存储类型，`local` 将存储到磁盘，`minio` 将存储到 s3 兼容的对象服务。
+- `SERVE_DIRECT`: **false**: 允许直接重定向到存储系统。当前，仅 Minio/S3 是支持的。
+- `PATH`: 存放 Repository archive 上传的文件的地方，默认是 `data/repo-archive`。
+- `MINIO_ENDPOINT`: **localhost:9000**: Minio 地址，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_ACCESS_KEY_ID`: Minio accessKeyID，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_SECRET_ACCESS_KEY`: Minio secretAccessKey，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BUCKET`: **gitea**: Minio bucket，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_LOCATION`: **us-east-1**: Minio location ，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_BASE_PATH`: **repo-archive/**: Minio base path ，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+- `MINIO_USE_SSL`: **false**: Minio 是否启用 ssl ，仅当 `STORAGE_TYPE` 为 `minio` 时有效。
+
 ## Other (`other`)

 - `SHOW_FOOTER_BRANDING`: 为真则在页面底部显示Gitea的字样。
--- a/docs/content/doc/advanced/customizing-gitea.en-us.md
+++ b/docs/content/doc/advanced/customizing-gitea.en-us.md
@@ -35,14 +35,14 @@ Again `gitea help` will allow you review this variable and you can override it u
 `--config` option on the `gitea` binary.

 - [Quick Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
- [Complete List](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.example.ini)
+- [Complete List](https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini)

 If the `CustomPath` folder can't be found despite checking `gitea help`, check the `GITEA_CUSTOM`
 environment variable; this can be used to override the default path to something else.
 `GITEA_CUSTOM` might, for example, be set by an init script. You can check whether the value
 is set under the "Configuration" tab on the site administration page.

- [List of Environment Variables](https://docs.gitea.io/en-us/specific-variables/)
+- [List of Environment Variables](https://docs.gitea.io/en-us/environment-variables/)

 **Note:** Gitea must perform a full restart to see configuration changes.

@@ -56,24 +56,20 @@ To make Gitea serve custom public files (like pages and images), use the folder
 `$GITEA_CUSTOM/public/` as the webroot. Symbolic links will be followed.

 For example, a file `image.png` stored in `$GITEA_CUSTOM/public/`, can be accessed with
-the url `http://gitea.domain.tld/image.png`.
+the url `http://gitea.domain.tld/assets/image.png`.

-## Changing the default logo
+## Changing the logo

-To build a custom logo replace `assets/logo.svg` and run `make generate-images`. This will update
-these customizable logo files which you can then place in `$GITEA_CUSTOM/public/img` on your server:
+To build a custom logo clone the Gitea source repository, replace `assets/logo.svg` and run
+`make generate-images`. This will update below output files which you can then place in `$GITEA_CUSTOM/public/img` on your server:

- `public/img/logo.svg`
- `public/img/logo.png`
- `public/img/favicon.png`
- `public/img/avatar_default.png`
- `public/img/apple-touch-icon.png`
+- `public/img/logo.svg` - Used for favicon, site icon, app icon
+- `public/img/logo.png` - Used for Open Graph
+- `public/img/favicon.png` - Used as fallback for browsers that don't support SVG favicons
+- `public/img/avatar_default.png` - Used as the default avatar image
+- `public/img/apple-touch-icon.png` - Used on iOS devices for bookmarks

-## Changing the default avatar
-
-Either generate it via above method or place the png image at the following path:
-
- `$GITEA_CUSTOM/public/img/avatar_default.png`
+In case the source image is not in vector format, you can attempt to convert a raster image using tools like [this](https://www.aconvert.com/image/png-to-svg/).

 ## Customizing Gitea pages and resources

@@ -87,14 +83,14 @@ directory at the top of this document).
 Every single page of Gitea can be changed. Dynamic content is generated using [go templates](https://golang.org/pkg/html/template/),
 which can be modified by placing replacements below the `$GITEA_CUSTOM/templates` directory.

-To obtain any embedded file (including templates), the [`gitea embedded` tool]({{< relref "doc/advanced/cmd-embedded.en-us.md" >}}) can be used. Alternatively, they can be found in the [`templates`](https://github.com/go-gitea/gitea/tree/master/templates) directory of Gitea source (Note: the example link is from the `master` branch. Make sure to use templates compatible with the release you are using).
+To obtain any embedded file (including templates), the [`gitea embedded` tool]({{< relref "doc/advanced/cmd-embedded.en-us.md" >}}) can be used. Alternatively, they can be found in the [`templates`](https://github.com/go-gitea/gitea/tree/main/templates) directory of Gitea source (Note: the example link is from the `main` branch. Make sure to use templates compatible with the release you are using).

 Be aware that any statement contained inside `{{` and `}}` are Gitea's template syntax and
 shouldn't be touched without fully understanding these components.

 ### Customizing startpage / homepage

-Copy [`home.tmpl`](https://github.com/go-gitea/gitea/blob/master/templates/home.tmpl) for your version of Gitea from `templates` to `$GITEA_CUSTOM/templates`.
+Copy [`home.tmpl`](https://github.com/go-gitea/gitea/blob/main/templates/home.tmpl) for your version of Gitea from `templates` to `$GITEA_CUSTOM/templates`.
 Edit as you wish.
 Dont forget to restart your gitea to apply the changes.

@@ -106,14 +102,14 @@ For instance, let's say you are in Germany and must add the famously legally-req
 just place it under your "$GITEA_CUSTOM/public/" directory (for instance `$GITEA_CUSTOM/public/impressum.html`) and put a link to it in either `$GITEA_CUSTOM/templates/custom/extra_links.tmpl` or `$GITEA_CUSTOM/templates/custom/extra_links_footer.tmpl`.

 To match the current style, the link should have the class name "item", and you can use `{{AppSubUrl}}` to get the base URL:
-`<a class="item" href="{{AppSubUrl}}/impressum.html">Impressum</a>`
+`<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`

 For more information, see [Adding Legal Pages](https://docs.gitea.io/en-us/adding-legal-pages).

 You can add new tabs in the same way, putting them in `extra_tabs.tmpl`.
 The exact HTML needed to match the style of other tabs is in the file
 `templates/repo/header.tmpl`
-([source in GitHub](https://github.com/go-gitea/gitea/blob/master/templates/repo/header.tmpl))
+([source in GitHub](https://github.com/go-gitea/gitea/blob/main/templates/repo/header.tmpl))

 ### Other additions to the page

@@ -142,7 +138,7 @@ copy javascript files from https://gitea.com/davidsvantesson/plantuml-code-highl
 <script src="https://your-server.com/plantuml_codeblock_parse.js"></script>
 <script>
  <!-- Replace call with address to your plantuml server-->
-  parsePlantumlCodeBlocks("http://www.plantuml..com/plantuml");
+  parsePlantumlCodeBlocks("http://www.plantuml.com/plantuml");
 </script>
 {{end}}
 ```
@@ -178,13 +174,13 @@ You can display STL file directly in Gitea by adding:

  if ($('.view-raw>a[href$=".stl" i]').length) {
    $("body").append(
-      '<link href="/Madeleine.js/src/css/Madeleine.css" rel="stylesheet">'
+      '<link href="/assets/Madeleine.js/src/css/Madeleine.css" rel="stylesheet">'
    );
    Promise.all([
-      lS("/Madeleine.js/src/lib/stats.js"),
-      lS("/Madeleine.js/src/lib/detector.js"),
-      lS("/Madeleine.js/src/lib/three.min.js"),
-      lS("/Madeleine.js/src/Madeleine.js"),
+      lS("/assets/Madeleine.js/src/lib/stats.js"),
+      lS("/assets/Madeleine.js/src/lib/detector.js"),
+      lS("/assets/Madeleine.js/src/lib/three.min.js"),
+      lS("/assets/Madeleine.js/src/Madeleine.js"),
    ]).then(function () {
      $(".view-raw")
        .attr("id", "view-raw")
@@ -192,7 +188,7 @@ You can display STL file directly in Gitea by adding:
      new Madeleine({
        target: "view-raw",
        data: $('.view-raw>a[href$=".stl" i]').attr("href"),
-        path: "/Madeleine.js/src",
+        path: "/assets/Madeleine.js/src",
      });
      $('.view-raw>a[href$=".stl"]').remove();
    });
@@ -258,7 +254,7 @@ Then restart gitea and open a STL file on your gitea instance.

 The `$GITEA_CUSTOM/templates/mail` folder allows changing the body of every mail of Gitea.
 Templates to override can be found in the
-[`templates/mail`](https://github.com/go-gitea/gitea/tree/master/templates/mail)
+[`templates/mail`](https://github.com/go-gitea/gitea/tree/main/templates/mail)
 directory of Gitea source.
 Override by making a copy of the file under `$GITEA_CUSTOM/templates/mail` using a
 full path structure matching source.
@@ -282,7 +278,7 @@ To add custom .gitignore, add a file with existing [.gitignore rules](https://gi

 ### Labels

-To add a custom label set, add a file that follows the [label format](https://github.com/go-gitea/gitea/blob/master/options/label/Default) to `$GITEA_CUSTOM/options/label`
+To add a custom label set, add a file that follows the [label format](https://github.com/go-gitea/gitea/blob/main/options/label/Default) to `$GITEA_CUSTOM/options/label`
 `#hex-color label name ; label description`

 ### Licenses
@@ -293,7 +289,7 @@ To add a custom license, add a file with the license text to `$GITEA_CUSTOM/opti

 Locales are managed via our [crowdin](https://crowdin.com/project/gitea).
 You can override a locale by placing an altered locale file in `$GITEA_CUSTOM/options/locale`.
-Gitea's default locale files can be found in the [`options/locale`](https://github.com/go-gitea/gitea/tree/master/options/locale) source folder and these should be used as examples for your changes.
+Gitea's default locale files can be found in the [`options/locale`](https://github.com/go-gitea/gitea/tree/main/options/locale) source folder and these should be used as examples for your changes.

 To add a completely new locale, as well as placing the file in the above location, you will need to add the new lang and name to the `[i18n]` section in your `app.ini`. Keep in mind that Gitea will use those settings as **overrides**, so if you want to keep the other languages as well you will need to copy/paste the default values and add your own to them.

--- a/docs/content/doc/advanced/customizing-gitea.zh-cn.md
+++ b/docs/content/doc/advanced/customizing-gitea.zh-cn.md
@@ -40,7 +40,7 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板

 将自定义的公共文件（比如页面和图片）作为 webroot 放在 `custom/public/` 中来让 Gitea 提供这些自定义内容（符号链接将被追踪）。

-举例说明：`image.png` 存放在 `custom/public/`中，那么它可以通过链接 http://gitea.domain.tld/image.png 访问。
+举例说明：`image.png` 存放在 `custom/public/`中，那么它可以通过链接 http://gitea.domain.tld/assets/image.png 访问。

 ## 修改默认头像

@@ -61,7 +61,7 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板
 "custom/public/"目录下（比如 `custom/public/impressum.html`）并且将它与 `custom/templates/custom/extra_links.tmpl` 链接起来即可。

 这个链接应当使用一个名为“item”的 class 来匹配当前样式，您可以使用 `{{AppSubUrl}}` 来获取 base URL:
-`<a class="item" href="{{AppSubUrl}}/impressum.html">Impressum</a>`
+`<a class="item" href="{{AppSubUrl}}/assets/impressum.html">Impressum</a>`

 同理，您可以将页签添加到 `extra_tabs.tmpl` 中，使用同样的方式来添加页签。它的具体样式需要与
 `templates/repo/header.tmpl` 中已有的其他选项卡的样式匹配
--- a/docs/content/doc/advanced/external-renderers.en-us.md
+++ b/docs/content/doc/advanced/external-renderers.en-us.md
@@ -64,13 +64,13 @@ IS_INPUT_FILE = false
 [markup.jupyter]
 ENABLED = true
 FILE_EXTENSIONS = .ipynb
-RENDER_COMMAND = "jupyter nbconvert --stdout --to html --template basic "
-IS_INPUT_FILE = true
+RENDER_COMMAND = "jupyter nbconvert --stdin --stdout --to html --template basic"
+IS_INPUT_FILE = false

 [markup.restructuredtext]
 ENABLED = true
 FILE_EXTENSIONS = .rst
-RENDER_COMMAND = rst2html.py
+RENDER_COMMAND = "timeout 30s pandoc +RTS -M512M -RTS -f rst"
 IS_INPUT_FILE = false
 ```

@@ -90,11 +90,79 @@ FILE_EXTENSIONS = .md,.markdown
 RENDER_COMMAND  = pandoc -f markdown -t html --katex
 ```

-You must define `ELEMENT`, `ALLOW_ATTR`, and `REGEXP` in each section.
+You must define `ELEMENT` and `ALLOW_ATTR` in each section.

 To define multiple entries, add a unique alphanumeric suffix (e.g., `[markup.sanitizer.1]` and `[markup.sanitizer.something]`).

+To apply a sanitisation rules only for a specify external renderer they must use the renderer name, e.g. `[markup.sanitizer.asciidoc.rule-1]`, `[markup.sanitizer.<renderer>.rule-1]`.
+
+**Note**: If the rule is defined above the renderer ini section or the name does not match a renderer it is applied to every renderer.
+
 Once your configuration changes have been made, restart Gitea to have changes take effect.

 **Note**: Prior to Gitea 1.12 there was a single `markup.sanitiser` section with keys that were redefined for multiple rules, however,
 there were significant problems with this method of configuration necessitating configuration through multiple sections.
+
+### Example: Office DOCX
+
+Display Office DOCX files with [`pandoc`](https://pandoc.org/):
+```ini
+[markup.docx]
+ENABLED = true
+FILE_EXTENSIONS = .docx
+RENDER_COMMAND = "pandoc --from docx --to html --self-contained --template /path/to/basic.html"
+
+[markup.sanitizer.docx.img]
+ALLOW_DATA_URI_IMAGES = true
+```
+
+The template file has the following content:
+```
+$body$
+```
+
+### Example: Jupyter Notebook
+
+Display Jupyter Notebook files with [`nbconvert`](https://github.com/jupyter/nbconvert):
+```ini
+[markup.jupyter]
+ENABLED = true
+FILE_EXTENSIONS = .ipynb
+RENDER_COMMAND = "jupyter-nbconvert --stdin --stdout --to html --template basic"
+
+[markup.sanitizer.jupyter.img]
+ALLOW_DATA_URI_IMAGES = true
+```
+
+## Customizing CSS
+The external renderer is specified in the .ini in the format `[markup.XXXXX]` and the HTML supplied by your external renderer will be wrapped in a `<div>` with classes `markup` and `XXXXX`. The `markup` class provides out of the box styling (as does `markdown` if `XXXXX` is `markdown`). Otherwise you can use these classes to specifically target the contents of your rendered HTML. 
+
+And so you could write some CSS:
+```css
+.markup.XXXXX html {
+  font-size: 100%;
+  overflow-y: scroll;
+  -webkit-text-size-adjust: 100%;
+  -ms-text-size-adjust: 100%;
+}
+
+.markup.XXXXX body {
+  color: #444;
+  font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', serif;
+  font-size: 12px;
+  line-height: 1.7;
+  padding: 1em;
+  margin: auto;
+  max-width: 42em;
+  background: #fefefe;
+}
+
+.markup.XXXXX p {
+  color: orangered;
+}
+```
+
+Add your stylesheet to your custom directory e.g `custom/public/css/my-style-XXXXX.css` and import it using a custom header file `custom/templates/custom/header.tmpl`:
+```html
+<link type="text/css" href="{{AppSubUrl}}/assets/css/my-style-XXXXX.css" />
+```
--- a/docs/content/doc/advanced/logging-documentation.en-us.md
+++ b/docs/content/doc/advanced/logging-documentation.en-us.md
@@ -282,7 +282,7 @@ ROUTER = console
 COLORIZE = false ; this can be true if you can strip out the ansi coloring
 ```

-Sometimes it will be helpful get some specific `TRACE` level logging retricted
+Sometimes it will be helpful get some specific `TRACE` level logging restricted
 to messages that match a specific `EXPRESSION`. Adjusting the `MODE` in the
 `[log]` section to `MODE = console,traceconsole` to add a new logger output
 `traceconsole` and then adding its corresponding section would be helpful:
@@ -437,7 +437,8 @@ Gitea includes built-in log rotation, which should be enough for most deployment

 - Disable built-in log rotation by setting `LOG_ROTATE` to `false` in your `app.ini`.
 - Install `logrotate`.
- Configure `logrotate` to match your deployment requirements, see `man 8 logrotate` for configuration syntax details. In the `postrotate/endscript` block send Gitea a `USR1` signal via `kill -USR1` or `kill -10`, or run `gitea manager logging release-and-reopen` (with the appropriate environment). Ensure that your configurations apply to all files emitted by Gitea loggers as described in the above sections.
- Always do `logrotate /etc/logrotate.conf --debug` to test your configurations.
+- Configure `logrotate` to match your deployment requirements, see `man 8 logrotate` for configuration syntax details. In the `postrotate/endscript` block send Gitea a `USR1` signal via `kill -USR1` or `kill -10` to the `gitea` process itself, or run `gitea manager logging release-and-reopen` (with the appropriate environment). Ensure that your configurations apply to all files emitted by Gitea loggers as described in the above sections.
+- Always do `logrotate /etc/logrotate.conf --debug` to test your configurations. 
+- If you are using docker and are running from outside of the container you can use `docker exec -u $OS_USER $CONTAINER_NAME sh -c 'gitea manager logging release-and-reopen'` or `docker exec $CONTAINER_NAME sh -c '/bin/s6-svc -1 /etc/s6/gitea/'` or send `USR1` directly to the gitea process itself.

 The next `logrotate` jobs will include your configurations, so no restart is needed. You can also immediately reload `logrotate` with `logrotate /etc/logrotate.conf --force`.
--- a/docs/content/doc/advanced/mail-templates-us.md
+++ b/docs/content/doc/advanced/mail-templates-us.md
@@ -130,7 +130,7 @@ did not include a subject part), Gitea's **internal default** will be used.
 The internal default (fallback) subject is the equivalent of:

 ```sh
-{{.SubjectPrefix}}[{{.Repo}}] {{.Issue.Title}} (#.Issue.Index)
+{{.SubjectPrefix}}[{{.Repo}}] {{.Issue.Title}} (#{{.Issue.Index}})
 ```

 For example: `Re: [mike/stuff] New color palette (#38)`
--- a/docs/content/doc/advanced/protected-tags.en-us.md
+++ b/docs/content/doc/advanced/protected-tags.en-us.md
@@ -0,0 +1,57 @@
+---
+date: "2021-05-14T00:00:00-00:00"
+title: "Protected tags"
+slug: "protected-tags"
+weight: 45
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "advanced"
+    name: "Protected tags"
+    weight: 45
+    identifier: "protected-tags"
+---
+
+# Protected tags
+
+Protected tags allow control over who has permission to create or update git tags. Each rule allows you to match either an individual tag name, or use an appropriate pattern to control multiple tags at once. 
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Setting up protected tags
+
+To protect a tag, you need to follow these steps:
+
+1. Go to the repository’s **Settings** > **Tags** page.
+1. Type a pattern to match a name. You can use a single name, a [glob pattern](https://pkg.go.dev/github.com/gobwas/glob#Compile) or a regular expression.
+1. Choose the allowed users and/or teams. If you leave these fields empty no one is allowed to create or modify this tag.
+1. Select **Save** to save the configuration.
+
+## Pattern protected tags
+
+The pattern uses [glob](https://pkg.go.dev/github.com/gobwas/glob#Compile) or regular expressions to match a tag name. For regular expressions you need to enclose the pattern in slashes.
+
+Examples:
+
+| Type  | Pattern Protected Tag    | Possible Matching Tags                  |
+| ----- | ------------------------ | --------------------------------------- |
+| Glob  | `v*`                     | `v`, `v-1`, `version2`                  |
+| Glob  | `v[0-9]`                 | `v0`, `v1` up to `v9`                   |
+| Glob  | `*-release`              | `2.1-release`, `final-release`          |
+| Glob  | `gitea`                  | only `gitea`                            |
+| Glob  | `*gitea*`                | `gitea`, `2.1-gitea`, `1_gitea-release` |
+| Glob  | `{v,rel}-*`              | `v-`, `v-1`, `v-final`, `rel-`, `rel-x` |
+| Glob  | `*`                      | matches all possible tag names          |
+| Regex | `/\Av/`                  | `v`, `v-1`, `version2`                  |
+| Regex | `/\Av[0-9]\z/`           | `v0`, `v1` up to `v9`                   |
+| Regex | `/\Av\d+\.\d+\.\d+\z/`   | `v1.0.17`, `v2.1.0`                     |
+| Regex | `/\Av\d+(\.\d+){0,2}\z/` | `v1`, `v2.1`, `v1.2.34`                 |
+| Regex | `/-release\z/`           | `2.1-release`, `final-release`          |
+| Regex | `/gitea/`                | `gitea`, `2.1-gitea`, `1_gitea-release` |
+| Regex | `/\Agitea\z/`            | only `gitea`                            |
+| Regex | `/^gitea$/`              | only `gitea`                            |
+| Regex | `/\A(v\|rel)-/`          | `v-`, `v-1`, `v-final`, `rel-`, `rel-x` |
+| Regex | `/.+/`                   | matches all possible tag names          |
--- a/docs/content/doc/advanced/repo-mirror.en-us.md
+++ b/docs/content/doc/advanced/repo-mirror.en-us.md
@@ -0,0 +1,88 @@
+---
+date: "2021-05-13T00:00:00-00:00"
+title: "Repository Mirror"
+slug: "repo-mirror"
+weight: 45
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "advanced"
+    name: "Repository Mirror"
+    weight: 45
+    identifier: "repo-mirror"
+---
+
+# Repository Mirror
+
+Repository mirroring allows for the mirroring of repositories to and from external sources. You can use it to mirror branches, tags, and commits between repositories.
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Use cases
+
+The following are some possible use cases for repository mirroring:
+
+- You migrated to Gitea but still need to keep your project in another source. In that case, you can simply set it up to mirror to Gitea (pull) and all the essential history of commits, tags, and branches are available in your Gitea instance.
+- You have old projects in another source that you don’t use actively anymore, but don’t want to remove for archiving purposes. In that case, you can create a push mirror so that your active Gitea repository can push its changes to the old location.
+
+## Pulling from a remote repository
+
+For an existing remote repository, you can set up pull mirroring as follows:
+
+1. Select **New Migration** in the **Create...** menu on the top right.
+2. Select the remote repository service.
+3. Enter a repository URL.
+4. If the repository needs authentication fill in your authentication information.
+5. Check the box **This repository will be a mirror**.
+5. Select **Migrate repository** to save the configuration.
+
+The repository now gets mirrored periodically from the remote repository. You can force a sync by selecting **Synchronize Now** in the repository settings.
+
+## Pushing to a remote repository
+
+For an existing repository, you can set up push mirroring as follows:
+
+1. In your repository, go to **Settings** > **Repository**, and then the **Mirror Settings** section.
+2. Enter a repository URL.
+3. If the repository needs authentication expand the **Authorization** section and fill in your authentication information.
+4. Select **Add Push Mirror** to save the configuration.
+
+The repository now gets mirrored periodically to the remote repository. You can force a sync by selecting **Synchronize Now**. In case of an error a message displayed to help you resolve it.
+
+:exclamation::exclamation: **NOTE:** This will force push to the remote repository. This will overwrite any changes in the remote repository! :exclamation::exclamation:
+
+### Setting up a push mirror from Gitea to GitHub
+
+To set up a mirror from Gitea to GitHub, you need to follow these steps:
+
+1. Create a [GitHub personal access token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with the *public_repo* box checked.
+2. Fill in the **Git Remote Repository URL**: `https://github.com/<your_github_group>/<your_github_project>.git`.
+3. Fill in the **Authorization** fields with your GitHub username and the personal access token.
+4. Select **Add Push Mirror** to save the configuration.
+
+The repository pushes shortly thereafter. To force a push, select the **Synchronize Now** button.
+
+### Setting up a push mirror from Gitea to GitLab
+
+To set up a mirror from Gitea to GitLab, you need to follow these steps:
+
+1. Create a [GitLab personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with *write_repository* scope.
+2. Fill in the **Git Remote Repository URL**: `https://<destination host>/<your_gitlab_group_or_name>/<your_gitlab_project>.git`.
+3. Fill in the **Authorization** fields with `oauth2` as **Username** and your GitLab personal access token as **Password**.
+4. Select **Add Push Mirror** to save the configuration.
+
+The repository pushes shortly thereafter. To force a push, select the **Synchronize Now** button.
+
+### Setting up a push mirror from Gitea to Bitbucket
+
+To set up a mirror from Gitea to Bitbucket, you need to follow these steps:
+
+1. Create a [Bitbucket app password](https://support.atlassian.com/bitbucket-cloud/docs/app-passwords/) with the *Repository Write* box checked.
+2. Fill in the **Git Remote Repository URL**: `https://bitbucket.org/<your_bitbucket_group_or_name>/<your_bitbucket_project>.git`.
+3. Fill in the **Authorization** fields with your Bitbucket username and the app password as **Password**.
+4. Select **Add Push Mirror** to save the configuration.
+
+The repository pushes shortly thereafter. To force a push, select the **Synchronize Now** button.
--- a/docs/content/doc/advanced/signing.en-us.md
+++ b/docs/content/doc/advanced/signing.en-us.md
@@ -109,7 +109,7 @@ when creating a repository. The possible values are:
 - `always`: Always sign

 Options other than `never` and `always` can be combined as a comma
-separated list.
+separated list. The commit will be signed if all selected options are true.

 ### `WIKI`

@@ -123,7 +123,7 @@ The possible values are:
 - `always`: Always sign

 Options other than `never` and `always` can be combined as a comma
-separated list.
+separated list. The commit will be signed if all selected options are true.

 ### `CRUD_ACTIONS`

@@ -137,7 +137,7 @@ editor or API CRUD actions. The possible values are:
 - `always`: Always sign

 Options other than `never` and `always` can be combined as a comma
-separated list.
+separated list. The change will be signed if all selected options are true.

 ### `MERGES`

@@ -154,7 +154,7 @@ The possible options are:
 - `always`: Always sign

 Options other than `never` and `always` can be combined as a comma
-separated list.
+separated list. The merge will be signed if all selected options are true.

 ## Obtaining the Public Key of the Signing Key

--- a/docs/content/doc/developers/api-usage.en-us.md
+++ b/docs/content/doc/developers/api-usage.en-us.md
@@ -40,8 +40,42 @@ better understand this by looking at the code -- as of this writing,
 Gitea parses queries and headers to find the token in
 [modules/auth/auth.go](https://github.com/go-gitea/gitea/blob/6efdcaed86565c91a3dc77631372a9cc45a58e89/modules/auth/auth.go#L47).

-You can create an API key token via your Gitea installation's web interface:
-`Settings | Applications | Generate New Token`.
+## Generating and listing API tokens
+
+A new token can be generated with a `POST` request to
+`/users/:name/tokens`.
+
+Note that `/users/:name/tokens` is a special endpoint and requires you
+to authenticate using `BasicAuth` and a password, as follows:
+
+
+```sh
+$ curl -XPOST -H "Content-Type: application/json"  -k -d '{"name":"test"}' -u username:password https://gitea.your.host/api/v1/users/<username>/tokens
+{"id":1,"name":"test","sha1":"9fcb1158165773dd010fca5f0cf7174316c3e37d","token_last_eight":"16c3e37d"}
+```
+
+The ``sha1`` (the token) is only returned once and is not stored in
+plain-text.  It will not be displayed when listing tokens with a `GET`
+request; e.g.
+
+```sh
+$ curl --request GET --url https://yourusername:password@gitea.your.host/api/v1/users/<username>/tokens
+[{"name":"test","sha1":"","token_last_eight:"........":},{"name":"dev","sha1":"","token_last_eight":"........"}]
+```
+
+To use the API with basic authentication with two factor authentication
+enabled, you'll need to send an additional header that contains the one
+time password (6 digitrotating token).
+An example of the header is `X-Gitea-OTP: 123456` where `123456`
+is where you'd place the code from your authenticator.
+Here is how the request would look like in curl:
+
+```sh
+$ curl -H "X-Gitea-OTP: 123456" --request GET --url https://yourusername:yourpassword@gitea.your.host/api/v1/users/yourusername/tokens
+```
+
+You can also create an API key token via your Gitea installation's web
+interface: `Settings | Applications | Generate New Token`.

 ## OAuth2 Provider

@@ -79,25 +113,8 @@ API Reference guide is auto-generated by swagger and available on:
 or on
 [gitea demo instance](https://try.gitea.io/api/swagger)

-## Listing your issued tokens via the API
-
-As mentioned in
-[#3842](https://github.com/go-gitea/gitea/issues/3842#issuecomment-397743346),
-`/users/:name/tokens` is special and requires you to authenticate
-using BasicAuth, as follows:
-
-### Using basic authentication:
-
-```sh
-$ curl --request GET --url https://yourusername:yourpassword@gitea.your.host/api/v1/users/yourusername/tokens
-[{"name":"test","sha1":"..."},{"name":"dev","sha1":"..."}]
-```
-
-As of v1.8.0 of Gitea, if using basic authentication with the API and your user has two factor authentication enabled, you'll need to send an additional header that contains the one time password (6 digit rotating token). An example of the header is `X-Gitea-OTP: 123456` where `123456` is where you'd place the code from your authenticator. Here is how the request would look like in curl:
-
-```sh
-$ curl -H "X-Gitea-OTP: 123456" --request GET --url https://yourusername:yourpassword@gitea.your.host/api/v1/users/yourusername/tokens
-```
+The OpenAPI document is at:
+`https://gitea.your.host/swagger.v1.json`

 ## Sudo

--- a/docs/content/doc/developers/hacking-on-gitea.en-us.md
+++ b/docs/content/doc/developers/hacking-on-gitea.en-us.md
@@ -73,6 +73,8 @@ One of these three distributions of Make will run on Windows:
  - The binary is called `mingw32-make.exe` instead of `make.exe`. Add the `bin` folder to `PATH`.
 - [Chocolatey package](https://chocolatey.org/packages/make). Run `choco install make`

+**Note**: If you are attempting to build using make with Windows Command Prompt, you may run into issues. The above prompts (git bash, or mingw) are recommended, however if you only have command prompt (or potentially powershell) you can set environment variables using the [set](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/set_1) command, e.g. `set TAGS=bindata`.
+
 ## Downloading and cloning the Gitea source code

 The recommended method of obtaining the source code is by using `git clone`.
@@ -86,7 +88,7 @@ from within the `$GOPATH`, hence the `go get` approach is no longer recommended.

 ## Forking Gitea

-Download the master Gitea source code as above. Then, fork the
+Download the main Gitea source code as above. Then, fork the
 [Gitea repository](https://github.com/go-gitea/gitea) on GitHub,
 and either switch the git remote origin for your fork or add your fork as another remote:

@@ -123,11 +125,11 @@ TAGS="bindata sqlite sqlite_unlock_notify" make build

 The `build` target will execute both `frontend` and `backend` sub-targets. If the `bindata` tag is present, the frontend files will be compiled into the binary. It is recommended to leave out the tag when doing frontend development so that changes will be reflected.

-See `make help` for all available `make` targets. Also see [`.drone.yml`](https://github.com/go-gitea/gitea/blob/master/.drone.yml) to see how our continuous integration works.
+See `make help` for all available `make` targets. Also see [`.drone.yml`](https://github.com/go-gitea/gitea/blob/main/.drone.yml) to see how our continuous integration works.

 ## Building continuously

-To run and continously rebuild when source files change:
+To run and continuously rebuild when source files change:

 ```bash
 make watch
@@ -216,7 +218,7 @@ You should validate your generated Swagger file and spell-check it with:
 make swagger-validate misspell-check
 ```

-You should commit the changed swagger JSON file. The continous integration
+You should commit the changed swagger JSON file. The continuous integration
 server will check that this has been done using:

 ```bash
@@ -276,7 +278,7 @@ require `git lfs` to be installed. Other database tests are available but
 may need adjustment to the local environment.

 Look at
-[`integrations/README.md`](https://github.com/go-gitea/gitea/blob/master/integrations/README.md)
+[`integrations/README.md`](https://github.com/go-gitea/gitea/blob/main/integrations/README.md)
 for more information and how to run a single test.

 Our continuous integration will test the code passes its unit tests and that
@@ -304,19 +306,19 @@ be cleaned up.

 A `launch.json` and `tasks.json` are provided within `contrib/ide/vscode` for
 Visual Studio Code. Look at
-[`contrib/ide/README.md`](https://github.com/go-gitea/gitea/blob/master/contrib/ide/README.md)
+[`contrib/ide/README.md`](https://github.com/go-gitea/gitea/blob/main/contrib/ide/README.md)
 for more information.

 ## Submitting PRs

 Once you're happy with your changes, push them up and open a pull request. It
 is recommended that you allow Gitea Managers and Owners to modify your PR
-branches as we will need to update it to master before merging and/or may be
+branches as we will need to update it to main before merging and/or may be
 able to help fix issues directly.

 Any PR requires two approvals from the Gitea maintainers and needs to pass the
-continous integration. Take a look at our
-[`CONTRIBUTING.md`](https://github.com/go-gitea/gitea/blob/master/CONTRIBUTING.md)
+continuous integration. Take a look at our
+[`CONTRIBUTING.md`](https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md)
 document.

 If you need more help pop on to [Discord](https://discord.gg/gitea) #Develop
--- a/docs/content/doc/developers/integrations.en-us.md
+++ b/docs/content/doc/developers/integrations.en-us.md
@@ -20,7 +20,7 @@ projects.

 We are curating a list over at [awesome-gitea](https://gitea.com/gitea/awesome-gitea) to track these!

-If you are looking for [CI/CD](https://gitea.com/gitea/awesome-gitea#devops),
-an [SDK](https://gitea.com/gitea/awesome-gitea#sdk),
-or even some extra [themes](https://gitea.com/gitea/awesome-gitea#themes),
+If you are looking for [CI/CD](https://gitea.com/gitea/awesome-gitea#user-content-devops),
+an [SDK](https://gitea.com/gitea/awesome-gitea#user-content-sdk),
+or even some extra [themes](https://gitea.com/gitea/awesome-gitea#user-content-themes),
 you can find them listed in the [awesome-gitea](https://gitea.com/gitea/awesome-gitea) repository!
--- a/docs/content/doc/developers/integrations.zh-tw.md
+++ b/docs/content/doc/developers/integrations.zh-tw.md
@@ -19,4 +19,4 @@ Gitea 有著很棒的第三方整合社群， 以及其它有著一流支援的

 我們持續的整理一份清單以追蹤他們！請到 [awesome-gitea](https://gitea.com/gitea/awesome-gitea) 查看。

-如果您正在找尋有關 [CI/CD](https://gitea.com/gitea/awesome-gitea#devops)、[SDK](https://gitea.com/gitea/awesome-gitea#sdk) 或是其它佈景主題，您可以在存儲庫 [awesome-gitea](https://gitea.com/gitea/awesome-gitea) 找到他們。
+如果您正在找尋有關 [CI/CD](https://gitea.com/gitea/awesome-gitea#user-content-devops)、[SDK](https://gitea.com/gitea/awesome-gitea#user-content-sdk) 或是其它佈景主題，您可以在存儲庫 [awesome-gitea](https://gitea.com/gitea/awesome-gitea) 找到他們。
--- a/docs/content/doc/developers/migrations.en-us.md
+++ b/docs/content/doc/developers/migrations.en-us.md
@@ -20,7 +20,7 @@ repository data from other git host platforms to Gitea or, in the future, migrat
 git host platforms.  
 Currently, migrations from Github, Gitlab, and other Gitea instances are implemented.

-First of all, Gitea defines some standard objects in packages [modules/migrations/base](https://github.com/go-gitea/gitea/tree/master/modules/migrations/base).  
+First of all, Gitea defines some standard objects in packages [modules/migrations/base](https://github.com/go-gitea/gitea/tree/main/modules/migrations/base).  
 They are `Repository`, `Milestone`, `Release`, `ReleaseAsset`, `Label`, `Issue`, `Comment`, `PullRequest`, `Reaction`, `Review`, `ReviewComment`.

 ## Downloader Interfaces
@@ -31,11 +31,11 @@ To migrate from a new git host platform, there are two steps to be updated.
 - You should implement a `DownloaderFactory` which will be used to detect if the URL matches and create the above `Downloader`.
   - You'll need to register the `DownloaderFactory` via `RegisterDownloaderFactory` on `init()`.

-You can find these interfaces in [downloader.go](https://github.com/go-gitea/gitea/blob/master/modules/migrations/base/downloader.go).
+You can find these interfaces in [downloader.go](https://github.com/go-gitea/gitea/blob/main/modules/migrations/base/downloader.go).

 ## Uploader Interface

 Currently, only a `GiteaLocalUploader` is implemented, so we only save downloaded
 data via this `Uploader` to the local Gitea instance. Other uploaders are not supported at this time.

-You can find these interfaces in [uploader.go](https://github.com/go-gitea/gitea/blob/master/modules/migrations/base/uploader.go).
+You can find these interfaces in [uploader.go](https://github.com/go-gitea/gitea/blob/main/modules/migrations/base/uploader.go).
--- a/docs/content/doc/developers/oauth2-provider.md
+++ b/docs/content/doc/developers/oauth2-provider.md
@@ -23,10 +23,13 @@ Gitea supports acting as an OAuth2 provider to allow third party applications to

 ## Endpoints

-| Endpoint               | URL                         |
-| ---------------------- | --------------------------- |
-| Authorization Endpoint | `/login/oauth/authorize`    |
-| Access Token Endpoint  | `/login/oauth/access_token` |
+| Endpoint                 | URL                                 |
+| ------------------------ | ----------------------------------- |
+| OpenID Connect Discovery | `/.well-known/openid-configuration` |
+| Authorization Endpoint   | `/login/oauth/authorize`            |
+| Access Token Endpoint    | `/login/oauth/access_token`         |
+| OpenID Connect UserInfo  | `/login/oauth/userinfo`             |
+| JSON Web Key Set         | `/login/oauth/keys`                 |

 ## Supported OAuth2 Grants

--- a/docs/content/doc/features/authentication.en-us.md
+++ b/docs/content/doc/features/authentication.en-us.md
@@ -88,8 +88,8 @@ Adds the following fields:
 - Bind Password (optional)

  - The password for the Bind DN specified above, if any. _Note: The password
-    is stored in plaintext at the server. As such, ensure that the Bind DN
-    has as few privileges as possible._
+    is stored encrypted with the SECRET_KEY on the server. It is still recommended
+    to ensure that the Bind DN has as few privileges as possible._

 - User Search Base **(required)**

@@ -259,7 +259,7 @@ Before activating SSPI single sign-on authentication (SSO) you have to prepare y

 - Create a service principal name for the host where `gitea.exe` is running with class `HTTP`:

-  - Start `Command Prompt` or `PowerShell` as a priviledged domain user (eg. Domain Administrator)
+  - Start `Command Prompt` or `PowerShell` as a privileged domain user (eg. Domain Administrator)
  - Run the command below, replacing `host.domain.local` with the fully qualified domain name (FQDN) of the server where the web application will be running, and `domain\user` with the name of the account created in the previous step:

  ```sh
@@ -283,7 +283,7 @@ Before activating SSPI single sign-on authentication (SSO) you have to prepare y
 - Click the `Sign In` button on the dashboard and choose SSPI to be automatically logged in with the same user that is currently logged on to the computer

 - If it does not work, make sure that:
-  - You are not running the web browser on the same server where gitea is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If both the client and server are runnning on the same computer NTLM will be prefered over Kerberos.
+  - You are not running the web browser on the same server where gitea is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If both the client and server are running on the same computer NTLM will be preferred over Kerberos.
  - There is only one `HTTP/...` SPN for the host
  - The SPN contains only the hostname, without the port
  - You have added the URL of the web app to the `Local intranet zone`
--- a/docs/content/doc/help/faq.en-us.md
+++ b/docs/content/doc/help/faq.en-us.md
@@ -85,6 +85,12 @@ If certain clone options aren't showing up (HTTP/S or SSH), the following option
 `DISABLE_SSH`: if set to true, there will be no SSH link  
 `SSH_EXPOSE_ANONYMOUS`: if set to false, SSH links will be hidden for anonymous users

+## File upload fails with: 413 Request Entity Too Large
+
+This error occurs when the reverse proxy limits the file upload size.
+
+See the [reverse proxy guide]({{< relref "doc/usage/reverse-proxies.en-us.md" >}}) for a solution with nginx.
+
 ## Custom Templates not loading or working incorrectly

 Gitea's custom templates must be added to the correct location or Gitea will not find and use them.  
@@ -142,7 +148,7 @@ The current way to achieve this is to create/modify a user with a max repo creat

 Restricted users are limited to a subset of the content based on their organization/team memberships and collaborations, ignoring the public flag on organizations/repos etc.\_\_

-Example use case: A company runs a Gitea instance that requires login. Most repos are public (accessible/browseable by all co-workers).
+Example use case: A company runs a Gitea instance that requires login. Most repos are public (accessible/browsable by all co-workers).

 At some point, a customer or third party needs access to a specific repo and only that repo. Making such a customer account restricted and granting any needed access using team membership(s) and/or collaboration(s) is a simple way to achieve that without the need to make everything private.

@@ -324,7 +330,13 @@ is too small. Gitea requires that the `ROWFORMAT` for its tables is `DYNAMIC`.

 If you are receiving an error line containing `Error 1071: Specified key was too long; max key length is 1000 bytes...`
 then you are attempting to run Gitea on tables which use the ISAM engine. While this may have worked by chance in previous versions of Gitea, it has never been officially supported and
-you must use InnoDB. You should run `ALTER TABLE table_name ENGINE=InnoDB;` for each table in the database.
+you must use InnoDB. You should run `ALTER TABLE table_name ENGINE=InnoDB;` for each table in the database.  
+If you are using MySQL 5, another possible fix is
+```mysql
+SET GLOBAL innodb_file_format=Barracuda;
+SET GLOBAL innodb_file_per_table=1;
+SET GLOBAL innodb_large_prefix=1;
+```

 ## Why Are Emoji Broken On MySQL

--- a/docs/content/doc/help/seek-help.en-us.md
+++ b/docs/content/doc/help/seek-help.en-us.md
@@ -33,4 +33,4 @@ If you found a bug, please create an [issue on GitHub](https://github.com/go-git

 ## Chinese Support

-Support for the Chinese language is provided at [gocn.vip](https://gocn.vip/topic/gitea).
+Support for the Chinese language is provided at [Our discourse](https://discourse.gitea.io/c/5-category/5).
--- a/docs/content/doc/help/seek-help.zh-cn.md
+++ b/docs/content/doc/help/seek-help.zh-cn.md
@@ -18,6 +18,6 @@ menu:
 如果您在使用或者开发过程中遇到问题，请到以下渠道咨询：

 - 到[Github issue](https://github.com/go-gitea/gitea/issues)提问(因为项目维护人员来自世界各地，为保证沟通顺畅，请使用英文提问)
- 中文问题到[gocn.vip](https://gocn.vip/topic/gitea)提问
+- 中文问题到 [Gitea 论坛](https://discourse.gitea.io/c/5-category/5)提问
 - 访问 [Discord server - 英文](https://discord.gg/Gitea)
 - 加入 QQ群 328432459 获得进一步的支持
--- a/docs/content/doc/installation/from-binary.en-us.md
+++ b/docs/content/doc/installation/from-binary.en-us.md
@@ -32,13 +32,17 @@ chmod +x gitea
 ```

 ## Verify GPG signature
-Gitea signs all binaries with a [GPG key](https://keys.openpgp.org/search?q=teabot%40gitea.io) to prevent against unwanted modification of binaries. To validate the binary, download the signature file which ends in `.asc` for the binary you downloaded and use the gpg command line tool.
+Gitea signs all binaries with a [GPG key](https://keys.openpgp.org/search?q=teabot%40gitea.io) to prevent against unwanted modification of binaries.
+To validate the binary, download the signature file which ends in `.asc` for the binary you downloaded and use the gpg command line tool.

 ```sh
 gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
 gpg --verify gitea-{{< version >}}-linux-amd64.asc gitea-{{< version >}}-linux-amd64
 ```

+Look for the text `Good signature from "Teabot <teabot@gitea.io>"` to assert a good binary,
+despite warnings like `This key is not certified with a trusted signature!`.
+
 ## Recommended server configuration

 **NOTE:** Many of the following directories can be configured using [Environment Variables]({{< relref "doc/advanced/environment-variables.en-us.md" >}}) as well!
@@ -79,7 +83,7 @@ chmod 770 /etc/gitea
 chmod 750 /etc/gitea
 chmod 640 /etc/gitea/app.ini
 ```
-If you don't want the web installer to be able to write the config file at all, it is also possible to make the config file read-only for the gitea user (owner/group `root:root`, mode `0660`), and set `INSTALL_LOCK = true`. In that case all database configuration details must be set beforehand in the config file, as well as the `SECRET_KEY` and `INTERNAL_TOKEN` values. See the [command line documentation]({{< relref "doc/usage/command-line.en-us.md" >}}) for information on using `gitea generate secret INTERNAL_TOKEN`.
+If you don't want the web installer to be able to write the config file at all, it is also possible to make the config file read-only for the gitea user (owner/group `root:git`, mode `0640`), and set `INSTALL_LOCK = true`. In that case all database configuration details must be set beforehand in the config file, as well as the `SECRET_KEY` and `INTERNAL_TOKEN` values. See the [command line documentation]({{< relref "doc/usage/command-line.en-us.md" >}}) for information on using `gitea generate secret INTERNAL_TOKEN`.

 ### Configure Gitea's working directory

--- a/docs/content/doc/installation/from-package.en-us.md
+++ b/docs/content/doc/installation/from-package.en-us.md
@@ -2,7 +2,7 @@
 date: "2016-12-01T16:00:00+02:00"
 title: "Installation from package"
 slug: "install-from-package"
-weight: 10
+weight: 20
 toc: false
 draft: false
 menu:
@@ -92,18 +92,6 @@ is in `/usr/local/etc/rc.d/gitea`.

 To enable Gitea to run as a service, run `sysrc gitea_enable=YES` and start it with `service gitea start`.

-## Cloudron
-
-Gitea is available as a 1-click install on [Cloudron](https://cloudron.io).
-Cloudron makes it easy to run apps like Gitea on your server and keep them up-to-date and secure.
-
-[![Install](/cloudron.svg)](https://cloudron.io/button.html?app=io.gitea.cloudronapp)
-
-The Gitea package is maintained [here](https://git.cloudron.io/cloudron/gitea-app).
-
-There is a [demo instance](https://my.demo.cloudron.io) (username: cloudron password: cloudron) where
-you can experiment with running Gitea.
-
 ## Third-party

 Various other third-party packages of Gitea exist.
--- a/docs/content/doc/installation/from-source.en-us.md
+++ b/docs/content/doc/installation/from-source.en-us.md
@@ -54,8 +54,8 @@ git clone https://github.com/go-gitea/gitea
 no longer necessary.)

 Decide which version of Gitea to build and install. Currently, there are
-multiple options to choose from. The `master` branch represents the current
-development version. To build with master, skip to the [build section](#build).
+multiple options to choose from. The `main` branch represents the current
+development version. To build with main, skip to the [build section](#build).

 To work with tagged releases, the following commands can be used:

@@ -89,7 +89,7 @@ To build from source, the following programs must be present on the system:
 - `node` {{< min-node-version >}} or higher with `npm`, see [here](https://nodejs.org/en/download/)
 - `make`, see <a href='{{< relref "doc/developers/hacking-on-gitea.en-us.md" >}}#installing-make'>here</a>

-Various [make tasks](https://github.com/go-gitea/gitea/blob/master/Makefile)
+Various [make tasks](https://github.com/go-gitea/gitea/blob/main/Makefile)
 are provided to keep the build process as simple as possible.

 Depending on requirements, the following build tags can be included.
--- a/docs/content/doc/installation/on-cloud-provider.md
+++ b/docs/content/doc/installation/on-cloud-provider.md
@@ -0,0 +1,44 @@
+---
+date: "2016-12-01T16:00:00+02:00"
+title: "Install on Cloud Provider"
+slug: "install-on-cloud-provider"
+weight: 20
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "installation"
+    name: "On cloud provider"
+    weight: 20
+    identifier: "install-on-cloud-provider"
+---
+
+# Installation on Cloud Provider
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Cloudron
+
+Gitea is available as a 1-click install on [Cloudron](https://cloudron.io).
+Cloudron makes it easy to run apps like Gitea on your server and keep them up-to-date and secure.
+
+[![Install](/cloudron.svg)](https://cloudron.io/button.html?app=io.gitea.cloudronapp)
+
+The Gitea package is maintained [here](https://git.cloudron.io/cloudron/gitea-app).
+
+There is a [demo instance](https://my.demo.cloudron.io) (username: cloudron password: cloudron) where
+you can experiment with running Gitea.
+
+## Vultr
+
+Gitea can found in [Vultr](https://www.vultr.com)'s marketplace.
+
+To deploy it have a look at https://www.vultr.com/marketplace/apps/gitea.
+
+## DigitalOcean
+
+[DigitalOcean](https://www.digitalocean.com) has gitea as droplet in his marketplace.
+
+Just create a new [Gitea Droplet](https://marketplace.digitalocean.com/apps/gitea).
--- a/docs/content/doc/installation/with-docker-rootless.en-us.md
+++ b/docs/content/doc/installation/with-docker-rootless.en-us.md
@@ -32,15 +32,14 @@ image as a service. Since there is no database available, one can be initialized
 Create a directory for `data` and `config` then paste the following content into a file named `docker-compose.yml`.
 Note that the volume should be owned by the user/group with the UID/GID specified in the config file. By default Gitea in docker will use uid:1000 gid:1000. If needed you can set ownership on those folders with the command: `sudo chown 1000:1000 config/ data/`
 If you don't give the volume correct permissions, the container may not start.
-Also be aware that the tag `:latest-rootless` will install the current development version.
-For a stable release you can use `:1-rootless` or specify a certain release like `:{{< version >}}-rootless`.
+For a stable release you could use `:latest-rootless`, `:1-rootless` or specify a certain release like `:{{< version >}}-rootless`, but if you'd like to use the latest development version then `:dev-rootless` would be an appropriate tag.

 ```yaml
 version: "2"

 services:
  server:
-    image: gitea/gitea:latest-rootless
+    image: gitea/gitea:{{< version >}}-rootless
    restart: always
    volumes:
      - ./data:/var/lib/gitea
@@ -63,7 +62,7 @@ version: "2"

 services:
  server:
-    image: gitea/gitea:latest-rootless
+    image: gitea/gitea:{{< version >}}-rootless
    restart: always
    volumes:
      - ./data:/var/lib/gitea
@@ -87,13 +86,13 @@ version: "2"

 services:
  server:
-    image: gitea/gitea:latest-rootless
+    image: gitea/gitea:{{< version >}}-rootless
 +    environment:
-+      - DB_TYPE=mysql
-+      - DB_HOST=db:3306
-+      - DB_NAME=gitea
-+      - DB_USER=gitea
-+      - DB_PASSWD=gitea
+      - GITEA__database__DB_TYPE=mysql
+      - GITEA__database__HOST=db:3306
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=gitea
    restart: always
    volumes:
      - ./data:/var/lib/gitea
@@ -107,7 +106,7 @@ services:
 +      - db
 +
 +  db:
-+    image: mysql:5.7
+    image: mysql:8
 +    restart: always
 +    environment:
 +      - MYSQL_ROOT_PASSWORD=gitea
@@ -128,13 +127,13 @@ version: "2"

 services:
  server:
-    image: gitea/gitea:latest-rootless
+    image: gitea/gitea:{{< version >}}-rootless
    environment:
-+      - DB_TYPE=postgres
-+      - DB_HOST=db:5432
-+      - DB_NAME=gitea
-+      - DB_USER=gitea
-+      - DB_PASSWD=gitea
+      - GITEA__database__DB_TYPE=postgres
+      - GITEA__database__HOST=db:5432
+      - GITEA__database__NAME=gitea
+      - GITEA__database__USER=gitea
+      - GITEA__database__PASSWD=gitea
    restart: always
    volumes:
      - ./data:/var/lib/gitea
@@ -148,7 +147,7 @@ services:
 +      - db
 +
 +  db:
-+    image: postgres:9.6
+    image: postgres:13
 +    restart: always
 +    environment:
 +      - POSTGRES_USER=gitea
@@ -174,7 +173,7 @@ version: "2"
 +
 services:
  server:
-    image: gitea/gitea:latest-rootless
+    image: gitea/gitea:{{< version >}}-rootless
    restart: always
    volumes:
 -      - ./data:/var/lib/gitea
@@ -201,7 +200,7 @@ version: "2"

 services:
  server:
-    image: gitea/gitea:latest-rootless
+    image: gitea/gitea:{{< version >}}-rootless
    restart: always
 +    user: 1001
    volumes:
@@ -233,31 +232,6 @@ favorite browser to finalize the installation. Visit http://server-ip:3000 and f
 installation wizard. If the database was started with the `docker-compose` setup as
 documented above, please note that `db` must be used as the database hostname.

-## Environments variables
-
-You can configure some of Gitea's settings via environment variables:
-
-(Default values are provided in **bold**)
-
-* `APP_NAME`: **"Gitea: Git with a cup of tea"**: Application name, used in the page title.
-* `RUN_MODE`: **prod**: Application run mode, affects performance and debugging. Either "dev", "prod" or "test".
-* `SSH_DOMAIN`: **localhost**: Domain name of this server, used for the displayed clone URL in Gitea's UI.
-* `SSH_PORT`: **2222**: SSH port displayed in clone URL.
-* `SSH_LISTEN_PORT`: **%(SSH\_PORT)s**: Port for the built-in SSH server.
-* `DISABLE_SSH`: **false**: Disable SSH feature when it's not available.
-* `HTTP_PORT`: **3000**: HTTP listen port.
-* `ROOT_URL`: **""**: Overwrite the automatically generated public URL. This is useful if the internal and the external URL don't match (e.g. in Docker).
-* `LFS_START_SERVER`: **false**: Enables git-lfs support.
-* `DB_TYPE`: **sqlite3**: The database type in use \[mysql, postgres, mssql, sqlite3\].
-* `DB_HOST`: **localhost:3306**: Database host address and port.
-* `DB_NAME`: **gitea**: Database name.
-* `DB_USER`: **root**: Database username.
-* `DB_PASSWD`: **"\<empty>"**: Database user password. Use \`your password\` for quoting if you use special characters in the password.
-* `INSTALL_LOCK`: **false**: Disallow access to the install page.
-* `SECRET_KEY`: **""**: Global secret key. This should be changed. If this has a value and `INSTALL_LOCK` is empty, `INSTALL_LOCK` will automatically set to `true`.
-* `DISABLE_REGISTRATION`: **false**: Disable registration, after which only admin can create accounts for users.
-* `REQUIRE_SIGNIN_VIEW`: **false**: Enable this to force users to log in to view any page.
-
 # Customization

 Customization files described [here](https://docs.gitea.io/en-us/customizing-gitea/) should
@@ -287,11 +261,11 @@ docker-compose up -d
 - Rename folder (inside volume) gitea to custom
 - Edit app.ini if needed
  - Set START_SSH_SERVER = true
- Use image gitea/gitea:latest-rootless
+- Use image gitea/gitea:{{< version >}}-rootless

 ## Managing Deployments With Environment Variables

-In addition to the environment variables above, any settings in `app.ini` can be set or overridden with an environment variable of the form: `GITEA__SECTION_NAME__KEY_NAME`. These settings are applied each time the docker container starts. Full information [here](https://github.com/go-gitea/gitea/tree/master/contrib/environment-to-ini).
+In addition to the environment variables above, any settings in `app.ini` can be set or overridden with an environment variable of the form: `GITEA__SECTION_NAME__KEY_NAME`. These settings are applied each time the docker container starts. Full information [here](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini).

 These environment variables can be passed to the docker container in `docker-compose.yml`. The following example will enable an smtp mail server if the required env variables `GITEA__mailer__FROM`, `GITEA__mailer__HOST`, `GITEA__mailer__PASSWD` are set on the host or in a `.env` file in the same directory as `docker-compose.yml`:

--- a/docs/content/doc/installation/with-docker.en-us.md
+++ b/docs/content/doc/installation/with-docker.en-us.md
@@ -34,8 +34,7 @@ image as a service. Since there is no database available, one can be initialized
 Create a directory like `gitea` and paste the following content into a file named `docker-compose.yml`.
 Note that the volume should be owned by the user/group with the UID/GID specified in the config file.
 If you don't give the volume correct permissions, the container may not start.
-Also be aware that the tag `:latest` will install the current development version.
-For a stable release you can use `:1` or specify a certain release like `:{{< version >}}`.
+For a stable release you can use `:latest`, `:1` or specify a certain release like `:{{< version >}}`, but if you'd like to use the latest development version of Gitea then you could use the `:dev` tag.

 ```yaml
 version: "3"
@@ -118,11 +117,11 @@ services:
    environment:
      - USER_UID=1000
      - USER_GID=1000
-+     - DB_TYPE=mysql
-+     - DB_HOST=db:3306
-+     - DB_NAME=gitea
-+     - DB_USER=gitea
-+     - DB_PASSWD=gitea
+     - GITEA__database__DB_TYPE=mysql
+     - GITEA__database__HOST=db:3306
+     - GITEA__database__NAME=gitea
+     - GITEA__database__USER=gitea
+     - GITEA__database__PASSWD=gitea
    restart: always
    networks:
      - gitea
@@ -137,7 +136,7 @@ services:
 +      - db
 +
 +  db:
-+    image: mysql:5.7
+    image: mysql:8
 +    restart: always
 +    environment:
 +      - MYSQL_ROOT_PASSWORD=gitea
@@ -169,11 +168,11 @@ services:
    environment:
      - USER_UID=1000
      - USER_GID=1000
-+     - DB_TYPE=postgres
-+     - DB_HOST=db:5432
-+     - DB_NAME=gitea
-+     - DB_USER=gitea
-+     - DB_PASSWD=gitea
+     - GITEA__database__DB_TYPE=postgres
+     - GITEA__database__HOST=db:5432
+     - GITEA__database__NAME=gitea
+     - GITEA__database__USER=gitea
+     - GITEA__database__PASSWD=gitea
    restart: always
    networks:
      - gitea
@@ -188,7 +187,7 @@ services:
 +      - db
 +
 +  db:
-+    image: postgres:9.6
+    image: postgres:13
 +    restart: always
 +    environment:
 +      - POSTGRES_USER=gitea
@@ -256,31 +255,9 @@ favorite browser to finalize the installation. Visit http://server-ip:3000 and f
 installation wizard. If the database was started with the `docker-compose` setup as
 documented above, please note that `db` must be used as the database hostname.

-## Environment variables
+## Configure the user inside Gitea using environment variables 

-You can configure some of Gitea's settings via environment variables:
-
-(Default values are provided in **bold**)
-
- `APP_NAME`: **"Gitea: Git with a cup of tea"**: Application name, used in the page title.
- `RUN_MODE`: **prod**: Application run mode, affects performance and debugging. Either "dev", "prod" or "test".
- `DOMAIN`: **localhost**: Domain name of this server, used for the displayed http clone URL in Gitea's UI.
- `SSH_DOMAIN`: **localhost**: Domain name of this server, used for the displayed ssh clone URL in Gitea's UI. If the install page is enabled, SSH Domain Server takes DOMAIN value in the form (which overwrite this setting on save).
- `SSH_PORT`: **22**: SSH port displayed in clone URL.
- `SSH_LISTEN_PORT`: **%(SSH_PORT)s**: Port for the built-in SSH server.
- `DISABLE_SSH`: **false**: Disable SSH feature when it's not available. If you want to disable SSH feature, you should set SSH port to `0` when installing Gitea.
- `HTTP_PORT`: **3000**: HTTP listen port.
- `ROOT_URL`: **""**: Overwrite the automatically generated public URL. This is useful if the internal and the external URL don't match (e.g. in Docker).
- `LFS_START_SERVER`: **false**: Enables git-lfs support.
- `DB_TYPE`: **sqlite3**: The database type in use \[mysql, postgres, mssql, sqlite3\].
- `DB_HOST`: **localhost:3306**: Database host address and port.
- `DB_NAME`: **gitea**: Database name.
- `DB_USER`: **root**: Database username.
- `DB_PASSWD`: **"\<empty>"**: Database user password. Use \`your password\` for quoting if you use special characters in the password.
- `INSTALL_LOCK`: **false**: Disallow access to the install page.
- `SECRET_KEY`: **""**: Global secret key. This should be changed. If this has a value and `INSTALL_LOCK` is empty, `INSTALL_LOCK` will automatically set to `true`.
- `DISABLE_REGISTRATION`: **false**: Disable registration, after which only admin can create accounts for users.
- `REQUIRE_SIGNIN_VIEW`: **false**: Enable this to force users to log in to view any page.
+- `USER`: **git**: The username of the user that runs Gitea within the container.
 - `USER_UID`: **1000**: The UID (Unix user ID) of the user that runs Gitea within the container. Match this to the UID of the owner of the `/data` volume if using host volumes (this is not necessary with named volumes).
 - `USER_GID`: **1000**: The GID (Unix group ID) of the user that runs Gitea within the container. Match this to the GID of the owner of the `/data` volume if using host volumes (this is not necessary with named volumes).

--- a/docs/content/doc/installation/with-docker.zh-cn.md
+++ b/docs/content/doc/installation/with-docker.zh-cn.md
@@ -122,7 +122,7 @@ services:
 +      - db
 +
 +  db:
-+    image: mysql:5.7
+    image: mysql:8
 +    restart: always
 +    environment:
 +      - MYSQL_ROOT_PASSWORD=gitea
@@ -172,7 +172,7 @@ services:
 +      - db
 +
 +  db:
-+    image: postgres:9.6
+    image: postgres:13
 +    restart: always
 +    environment:
 +      - POSTGRES_USER=gitea
--- a/docs/content/doc/upgrade/from-gogs.en-us.md
+++ b/docs/content/doc/upgrade/from-gogs.en-us.md
@@ -96,7 +96,7 @@ See [#4286](https://github.com/go-gitea/gitea/issues/4286).

 ## Add Gitea to startup on Unix

-Update the appropriate file from [gitea/contrib](https://github.com/go-gitea/gitea/tree/master/contrib)
+Update the appropriate file from [gitea/contrib](https://github.com/go-gitea/gitea/tree/main/contrib)
 with the right environment variables.

 For distros with systemd:
--- a/docs/content/doc/usage/command-line.en-us.md
+++ b/docs/content/doc/usage/command-line.en-us.md
@@ -46,6 +46,8 @@ Starts the server:
  - `--port number`, `-p number`: Port number. Optional. (default: 3000). Overrides configuration file.
  - `--install-port number`: Port number to run the install page on. Optional. (default: 3000). Overrides configuration file.
  - `--pid path`, `-P path`: Pidfile path. Optional.
+  - `--quiet`, `-q`: Only emit Fatal logs on the console for logs emitted before logging set up.
+  - `--verbose`: Emit tracing logs on the console for logs emitted before logging is set-up.
 - Examples:
  - `gitea web`
  - `gitea web --port 80`
--- a/docs/content/doc/usage/email-setup.en-us.md
+++ b/docs/content/doc/usage/email-setup.en-us.md
@@ -19,12 +19,15 @@ menu:

 {{< toc >}}

-To use Gitea's built-in Email support, update the `app.ini` config file [mailer] section:
+Gitea has mailer functionality for sending transactional emails (such as registration confirmation). It can be configured to either use Sendmail (or compatible MTAs like Postfix and msmtp) or directly use SMTP server.

-## Sendmail version
+## Using Sendmail

-Use the operating system’s sendmail command instead of SMTP. This is common on Linux servers.  
-Note: For use in the official Gitea Docker image, please configure with the SMTP version.
+Use `sendmail` command as mailer.
+
+Note: For use in the official Gitea Docker image, please configure with the SMTP version (see the following section).
+
+Note: For Internet-facing sites consult documentation of your MTA for instructions to send emails over TLS. Also set up SPF, DMARC, and DKIM DNS records to make emails sent be accepted as legitimate by various email providers.

 ```ini
 [mailer]
@@ -34,7 +37,9 @@ MAILER_TYPE   = sendmail
 SENDMAIL_PATH = /usr/sbin/sendmail
 ```

-## SMTP version
+## Using SMTP
+
+Directly use SMTP server as relay. This option is useful if you don't want to set up MTA on your instance but you have an account at email provider.

 ```ini
 [mailer]
@@ -47,17 +52,19 @@ USER           = gitea@mydomain.com
 PASSWD         = `password`
 ```

- Restart Gitea for the configuration changes to take effect.
+Restart Gitea for the configuration changes to take effect.

- To send a test email to validate the settings, go to Gitea > Site Administration > Configuration > SMTP Mailer Configuration.
+To send a test email to validate the settings, go to Gitea > Site Administration > Configuration > SMTP Mailer Configuration.

 For the full list of options check the [Config Cheat Sheet]({{< relref "doc/advanced/config-cheat-sheet.en-us.md" >}})

- Please note: authentication is only supported when the SMTP server communication is encrypted with TLS or `HOST=localhost`. TLS encryption can be through:
-  - Via the server supporting TLS through STARTTLS - usually provided on port 587. (Also known as Opportunistic TLS.)
-  - SMTPS connection (SMTP over transport layer security) via the default port 465.
+Please note: authentication is only supported when the SMTP server communication is encrypted with TLS or `HOST=localhost`. TLS encryption can be through:
+  - STARTTLS (also known as Opportunistic TLS) via port 587. Initial connection is done over cleartext, but then be upgraded over TLS if the server supports it.
+  - SMTPS connection (SMTP over TLS) via the default port 465. Connection to the server use TLS from the beginning.
  - Forced SMTPS connection with `IS_TLS_ENABLED=true`. (These are both known as Implicit TLS.)
- This is due to protections imposed by the Go internal libraries against STRIPTLS attacks.
+This is due to protections imposed by the Go internal libraries against STRIPTLS attacks.
+
+Note that Implicit TLS is recommended by [RFC8314](https://tools.ietf.org/html/rfc8314#section-3) since 2018.

 ### Gmail

@@ -74,3 +81,4 @@ MAILER_TYPE    = smtp
 IS_TLS_ENABLED = true
 HELO_HOSTNAME  = example.com
 ```
+
--- a/docs/content/doc/usage/fail2ban-setup.en-us.md
+++ b/docs/content/doc/usage/fail2ban-setup.en-us.md
@@ -29,22 +29,32 @@ on a bad authentication from the web or CLI using SSH or HTTP respectively:
 ```log
 2020/10/15 16:05:09 modules/ssh/ssh.go:143:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
 ```
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

 ```log
 2020/10/15 16:05:09 modules/ssh/ssh.go:155:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
 ```
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

 ```log
 2020/10/15 16:05:09 modules/ssh/ssh.go:198:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
 ```
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

 ```log
 2020/10/15 16:05:09 modules/ssh/ssh.go:213:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
 ```
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)

 ```log
 2020/10/15 16:05:09 modules/ssh/ssh.go:227:publicKeyHandler() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
 ```
+(DEPRECATED: This may be a false positive as the user may still go on to correctly authenticate.)
+
+```log
+2020/10/15 16:05:09 modules/ssh/ssh.go:249:sshConnectionFailed() [W] Failed authentication attempt from xxx.xxx.xxx.xxx
+```
+(From 1.15 this new message will available and doesn't have any of the false positive results that above messages from publicKeyHandler do. This will only be logged if the user has completely failed authentication.)

 ```log
 2020/10/15 16:08:44 ...s/context/context.go:204:HandleText() [E] invalid credentials from xxx.xxx.xxx.xxx
--- a/docs/content/doc/usage/git-lfs-support.md
+++ b/docs/content/doc/usage/git-lfs-support.md
@@ -24,3 +24,5 @@ LFS_START_SERVER = true
 ; Where your lfs files reside, default is data/lfs.
 LFS_CONTENT_PATH = /home/gitea/data/lfs
 ```
+
+**Note**: LFS server support needs at least Git v2.1.2 installed on the server
--- a/docs/content/doc/usage/reverse-proxies.en-us.md
+++ b/docs/content/doc/usage/reverse-proxies.en-us.md
@@ -120,6 +120,14 @@ server {
 }
 ```

+## Resolving Error: 413 Request Entity Too Large
+
+This error indicates nginx is configured to restrict the file upload size.
+
+In your nginx config file containing your Gitea proxy directive, find the `location { ... }` block for Gitea and add the line
+`client_max_body_size 16M;` to set this limit to 16 megabytes or any other number of choice.
+
+
 ## Apache HTTPD

 If you want Apache HTTPD to serve your Gitea instance, you can add the following to your Apache HTTPD configuration (usually located at `/etc/apache2/httpd.conf` in Ubuntu):
@@ -221,12 +229,28 @@ If you wish to run Gitea with IIS. You will need to setup IIS with URL Rewrite a
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
+    <system.web>
+        <httpRuntime requestPathInvalidCharacters="" />
+    </system.web>
    <system.webServer>
+        <security>
+          <requestFiltering>
+            <hiddenSegments>
+              <clear />
+            </hiddenSegments>
+            <denyUrlSequences>
+              <clear />
+            </denyUrlSequences>
+            <fileExtensions allowUnlisted="true">
+              <clear />
+            </fileExtensions>
+          </requestFiltering>
+        </security>
        <rewrite>
-            <rules>
+            <rules useOriginalURLEncoding="false">
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
-                    <action type="Rewrite" url="http://127.0.0.1:3000/{R:1}" />
+                    <action type="Rewrite" url="http://127.0.0.1:3000{UNENCODED_URL}" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="HTTP_ACCEPT_ENCODING" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
@@ -255,6 +279,16 @@ If you wish to run Gitea with IIS. You will need to setup IIS with URL Rewrite a
            </outboundRules>
        </rewrite>
        <urlCompression doDynamicCompression="true" />
+        <handlers>
+          <clear />
+          <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
+        </handlers>
+        <!-- Map all extensions to the same MIME type, so all files can be
+               downloaded. -->
+        <staticContent>
+          <clear />
+          <mimeMap fileExtension="*" mimeType="application/octet-stream" />
+        </staticContent>
    </system.webServer>
 </configuration>
 ```
--- a/docs/content/page/index.de-de.md
+++ b/docs/content/page/index.de-de.md
@@ -32,5 +32,5 @@ Gitea ist ein [Gogs](http://gogs.io)-Fork.

 ## Browser Unterstützung

- Letzten 2 Versions von Chrome, Firefox, Safari, Edge (EdgeHTML) and Edge (Chromium)
+- Letzten 2 Versions von Chrome, Firefox, Safari und Edge
 - Firefox ESR
--- a/docs/content/page/index.en-us.md
+++ b/docs/content/page/index.en-us.md
@@ -117,7 +117,7 @@ Windows, on architectures like amd64, i386, ARM, PowerPC, and others.
        - Configuration viewer
            - Everything in config file
        - System notices
-            - When somthing unexpected happens
+            - When something unexpected happens
        - Monitoring
            - Current processes
            - Cron jobs
@@ -155,7 +155,7 @@ Windows, on architectures like amd64, i386, ARM, PowerPC, and others.
            - Libravatar
            - Custom
        - Password
-        - Mutiple email addresses
+        - Multiple email addresses
        - SSH Keys
        - Connected applications
        - Two factor authentication
@@ -262,7 +262,7 @@ Windows, on architectures like amd64, i386, ARM, PowerPC, and others.

 ## Browser Support

- Last 2 versions of Chrome, Firefox, Safari, Edge (EdgeHTML) and Edge (Chromium)
+- Last 2 versions of Chrome, Firefox, Safari and Edge
 - Firefox ESR

 ## Components
--- a/docs/content/page/index.zh-tw.md
+++ b/docs/content/page/index.zh-tw.md
@@ -261,7 +261,7 @@ Gitea 是從 [Gogs](http://gogs.io) Fork 出來的，請閱讀部落格文章 [G

 ## 瀏覽器支援

- 最近 2 個版本的 Chrome, Firefox, Safari, Edge (EdgeHTML), Edge (Chromium)
+- 最近 2 個版本的 Chrome, Firefox, Safari, Edge
 - Firefox ESR

 ## 元件
--- a/go.mod
+++ b/go.mod
@@ -10,138 +10,128 @@ require (
 	gitea.com/go-chi/cache v0.0.0-20210110083709-82c4c9ce2d5e
 	gitea.com/go-chi/captcha v0.0.0-20210110083842-e7696c336a1e
 	gitea.com/go-chi/session v0.0.0-20210108030337-0cb48c5ba8ee
-	gitea.com/lunny/levelqueue v0.3.0
-	github.com/Microsoft/go-winio v0.4.16 // indirect
+	gitea.com/lunny/levelqueue v0.4.1
+	github.com/Microsoft/go-winio v0.5.0 // indirect
 	github.com/NYTimes/gziphandler v1.1.1
-	github.com/PuerkitoBio/goquery v1.5.1
-	github.com/RoaringBitmap/roaring v0.5.5 // indirect
-	github.com/alecthomas/chroma v0.8.2
-	github.com/andybalholm/brotli v1.0.1 // indirect
-	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
-	github.com/blevesearch/bleve/v2 v2.0.2
+	github.com/ProtonMail/go-crypto v0.0.0-20210705153151-cc34b1f6908b // indirect
+	github.com/PuerkitoBio/goquery v1.7.0
+	github.com/RoaringBitmap/roaring v0.9.1 // indirect
+	github.com/alecthomas/chroma v0.9.2
+	github.com/andybalholm/brotli v1.0.3 // indirect
+	github.com/andybalholm/cascadia v1.2.0 // indirect
+	github.com/blevesearch/bleve/v2 v2.0.6
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b // indirect
-	github.com/caddyserver/certmagic v0.12.0
+	github.com/caddyserver/certmagic v0.14.1
 	github.com/chi-middleware/proxy v1.1.1
 	github.com/couchbase/go-couchbase v0.0.0-20210224140812-5740cd35f448 // indirect
 	github.com/couchbase/gomemcached v0.1.2 // indirect
 	github.com/couchbase/goutils v0.0.0-20210118111533-e33d3ffb5401 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
-	github.com/denisenkom/go-mssqldb v0.9.0
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/dlclark/regexp2 v1.4.0 // indirect
+	github.com/denisenkom/go-mssqldb v0.10.0
+	github.com/djherbis/buffer v1.2.0
+	github.com/djherbis/nio/v3 v3.0.1
 	github.com/dustin/go-humanize v1.0.0
-	github.com/editorconfig/editorconfig-core-go/v2 v2.4.1
+	github.com/editorconfig/editorconfig-core-go/v2 v2.4.2
 	github.com/emirpasic/gods v1.12.0
 	github.com/ethantkoenig/rupture v1.0.0
-	github.com/gliderlabs/ssh v0.3.2
-	github.com/glycerine/go-unsnap-stream v0.0.0-20210130063903-47dfef350d96 // indirect
+	github.com/gliderlabs/ssh v0.3.3
 	github.com/go-asn1-ber/asn1-ber v1.5.3 // indirect
 	github.com/go-chi/chi v1.5.4
-	github.com/go-chi/cors v1.1.1
-	github.com/go-enry/go-enry/v2 v2.6.1
-	github.com/go-git/go-billy/v5 v5.0.0
-	github.com/go-git/go-git/v5 v5.2.0
-	github.com/go-ldap/ldap/v3 v3.2.4
-	github.com/go-openapi/errors v0.20.0 // indirect
-	github.com/go-openapi/validate v0.20.2 // indirect
-	github.com/go-redis/redis/v8 v8.6.0
-	github.com/go-sql-driver/mysql v1.5.0
-	github.com/go-swagger/go-swagger v0.26.1
-	github.com/go-testfixtures/testfixtures/v3 v3.5.0
+	github.com/go-chi/cors v1.2.0
+	github.com/go-enry/go-enry/v2 v2.7.1
+	github.com/go-git/go-billy/v5 v5.3.1
+	github.com/go-git/go-git/v5 v5.4.3-0.20210630082519-b4368b2a2ca4
+	github.com/go-ldap/ldap/v3 v3.3.0
+	github.com/go-redis/redis/v8 v8.11.0
+	github.com/go-sql-driver/mysql v1.6.0
+	github.com/go-swagger/go-swagger v0.27.0
+	github.com/go-testfixtures/testfixtures/v3 v3.6.1
 	github.com/gobwas/glob v0.2.3
 	github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28
 	github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
-	github.com/golang/snappy v0.0.3 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/go-github/v32 v32.1.0
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.2.0
 	github.com/gorilla/context v1.1.1
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gorilla/sessions v1.2.1 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.6.8 // indirect
-	github.com/hashicorp/go-version v1.2.1
+	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
+	github.com/hashicorp/go-version v1.3.1
+	github.com/hashicorp/golang-lru v0.5.4
 	github.com/huandu/xstrings v1.3.2
-	github.com/imdario/mergo v0.3.11 // indirect
-	github.com/issue9/assert v1.3.2 // indirect
-	github.com/issue9/identicon v1.0.1
+	github.com/issue9/identicon v1.2.0
 	github.com/jaytaylor/html2text v0.0.0-20200412013138-3577fbdbcff7
-	github.com/json-iterator/go v1.1.10
+	github.com/json-iterator/go v1.1.11
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/kevinburke/ssh_config v1.1.0 // indirect
 	github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4
-	github.com/klauspost/compress v1.11.8
+	github.com/klauspost/compress v1.13.1
+	github.com/klauspost/cpuid/v2 v2.0.8 // indirect
 	github.com/klauspost/pgzip v1.2.5 // indirect
 	github.com/lafriks/xormstore v1.4.0
-	github.com/lib/pq v1.9.0
-	github.com/libdns/libdns v0.2.0 // indirect
+	github.com/lib/pq v1.10.2
 	github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/markbates/goth v1.67.1
-	github.com/mattn/go-isatty v0.0.12
-	github.com/mattn/go-runewidth v0.0.10 // indirect
-	github.com/mattn/go-sqlite3 v1.14.6
-	github.com/mgechev/dots v0.0.0-20190921121421-c36f7dcfbb81
-	github.com/mgechev/revive v1.0.3
-	github.com/mholt/acmez v0.1.3 // indirect
+	github.com/markbates/goth v1.68.0
+	github.com/mattn/go-isatty v0.0.13
+	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/mattn/go-sqlite3 v1.14.8
 	github.com/mholt/archiver/v3 v3.5.0
-	github.com/microcosm-cc/bluemonday v1.0.7
-	github.com/miekg/dns v1.1.40 // indirect
+	github.com/microcosm-cc/bluemonday v1.0.16
+	github.com/miekg/dns v1.1.43 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/minio-go/v7 v7.0.10
+	github.com/minio/minio-go/v7 v7.0.12
 	github.com/minio/sha256-simd v1.0.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mrjones/oauth v0.0.0-20190623134757-126b35219450 // indirect
 	github.com/msteinert/pam v0.0.0-20201130170657-e61372126161
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646
-	github.com/niklasfasching/go-org v1.4.0
+	github.com/niklasfasching/go-org v1.5.0
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/oliamb/cutter v0.2.2
-	github.com/olivere/elastic/v7 v7.0.22
-	github.com/pelletier/go-toml v1.8.1
-	github.com/pierrec/lz4/v4 v4.1.3 // indirect
+	github.com/olivere/elastic/v7 v7.0.25
+	github.com/pelletier/go-toml v1.9.0 // indirect
+	github.com/pierrec/lz4/v4 v4.1.8 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/otp v1.3.0
-	github.com/prometheus/client_golang v1.9.0
-	github.com/prometheus/common v0.18.0 // indirect
-	github.com/prometheus/procfs v0.6.0 // indirect
+	github.com/prometheus/client_golang v1.11.0
 	github.com/quasoft/websspi v1.0.0
-	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rs/xid v1.3.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sergi/go-diff v1.1.0
+	github.com/sergi/go-diff v1.2.0
 	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 // indirect
 	github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546
-	github.com/spf13/afero v1.5.1 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/stretchr/testify v1.7.0
 	github.com/syndtr/goleveldb v1.0.0
-	github.com/tinylib/msgp v1.1.5 // indirect
 	github.com/tstranex/u2f v1.0.0
 	github.com/ulikunitz/xz v0.5.10 // indirect
 	github.com/unknwon/com v1.0.1
-	github.com/unknwon/i18n v0.0.0-20200823051745-09abd91c7f2c
+	github.com/unknwon/i18n v0.0.0-20210321134014-0ebbf2df1c44
 	github.com/unknwon/paginater v0.0.0-20200328080006-042474bd0eae
-	github.com/unrolled/render v1.1.0
+	github.com/unrolled/render v1.4.0
 	github.com/urfave/cli v1.22.5
-	github.com/willf/bitset v1.1.11 // indirect
-	github.com/xanzy/go-gitlab v0.44.0
-	github.com/xanzy/ssh-agent v0.3.0 // indirect
+	github.com/xanzy/go-gitlab v0.50.1
 	github.com/yohcop/openid-go v1.0.0
-	github.com/yuin/goldmark v1.3.3
-	github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691
+	github.com/yuin/goldmark v1.4.0
+	github.com/yuin/goldmark-highlighting v0.0.0-20210516132338-9216f9c5aa01
 	github.com/yuin/goldmark-meta v1.0.0
+	go.etcd.io/bbolt v1.3.6 // indirect
 	go.jolheiser.com/hcaptcha v0.0.4
 	go.jolheiser.com/pwn v0.0.3
-	go.uber.org/multierr v1.6.0 // indirect
-	go.uber.org/zap v1.16.0 // indirect
-	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
-	golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4
-	golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93
-	golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44
-	golang.org/x/text v0.3.5
-	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
+	go.uber.org/atomic v1.8.0 // indirect
+	go.uber.org/multierr v1.7.0 // indirect
+	go.uber.org/zap v1.18.1 // indirect
+	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
+	golang.org/x/net v0.0.0-20211020060615-d418f374d309
+	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c
+	golang.org/x/text v0.3.6
+	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6 // indirect
 	golang.org/x/tools v0.1.0
+	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gopkg.in/ini.v1 v1.62.0
@@ -149,7 +139,9 @@ require (
 	mvdan.cc/xurls/v2 v2.2.0
 	strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251
 	xorm.io/builder v0.3.9
-	xorm.io/xorm v1.0.7
+	xorm.io/xorm v1.2.5
 )

-replace github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4
+replace github.com/hashicorp/go-version => github.com/6543/go-version v1.3.1
+
+replace github.com/golang-jwt/jwt v3.2.1+incompatible => github.com/golang-jwt/jwt v3.2.2+incompatible
--- a/go.sum
+++ b/go.sum
--- a/integrations/README.md
+++ b/integrations/README.md
@@ -28,7 +28,7 @@ make test-sqlite
 Setup a mysql database inside docker
 ```
 docker run -e "MYSQL_DATABASE=test" -e "MYSQL_ALLOW_EMPTY_PASSWORD=yes" -p 3306:3306 --rm --name mysql mysql:latest #(just ctrl-c to stop db and clean the container)
-docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" --rm --name elasticsearch elasticsearch:7.6.0 #(in a secound terminal, just ctrl-c to stop db and clean the container)
+docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" --rm --name elasticsearch elasticsearch:7.6.0 #(in a second terminal, just ctrl-c to stop db and clean the container)
 ```
 Start tests based on the database container
 ```
--- a/integrations/README_ZH.md
+++ b/integrations/README_ZH.md
@@ -26,7 +26,7 @@ make test-sqlite
 ## 如何使用 mysql 数据库进行集成测试
 首先在docker容器里部署一个 mysql 数据库
 ```
-docker run -e "MYSQL_DATABASE=test" -e "MYSQL_ALLOW_EMPTY_PASSWORD=yes" -p 3306:3306 --rm --name mysql mysql:5.7 #(just ctrl-c to stop db and clean the container) 
+docker run -e "MYSQL_DATABASE=test" -e "MYSQL_ALLOW_EMPTY_PASSWORD=yes" -p 3306:3306 --rm --name mysql mysql:8 #(just ctrl-c to stop db and clean the container) 
 ```
 之后便可以基于这个数据库进行集成测试
 ```
@@ -36,7 +36,7 @@ TEST_MYSQL_HOST=localhost:3306 TEST_MYSQL_DBNAME=test TEST_MYSQL_USERNAME=root T
 ## 如何使用 pgsql 数据库进行集成测试
 同上，首先在 docker 容器里部署一个 pgsql 数据库
 ```
-docker run -e "POSTGRES_DB=test" -p 5432:5432 --rm --name pgsql postgres:9.5 #(just ctrl-c to stop db and clean the container) 
+docker run -e "POSTGRES_DB=test" -p 5432:5432 --rm --name pgsql postgres:13 #(just ctrl-c to stop db and clean the container) 
 ```
 之后便可以基于这个数据库进行集成测试
 ```
--- a/integrations/api_admin_test.go
+++ b/integrations/api_admin_test.go
@@ -195,7 +195,7 @@ func TestAPIEditUser(t *testing.T) {
 	assert.EqualValues(t, "email is not allowed to be empty string", errMap["message"].(string))

 	user2 := models.AssertExistsAndLoadBean(t, &models.User{LoginName: "user2"}).(*models.User)
-	assert.Equal(t, false, user2.IsRestricted)
+	assert.False(t, user2.IsRestricted)
 	bTrue := true
 	req = NewRequestWithJSON(t, "PATCH", urlStr, api.EditUserOption{
 		// required
@@ -206,5 +206,5 @@ func TestAPIEditUser(t *testing.T) {
 	})
 	session.MakeRequest(t, req, http.StatusOK)
 	user2 = models.AssertExistsAndLoadBean(t, &models.User{LoginName: "user2"}).(*models.User)
-	assert.Equal(t, true, user2.IsRestricted)
+	assert.True(t, user2.IsRestricted)
 }
--- a/integrations/api_branch_test.go
+++ b/integrations/api_branch_test.go
@@ -151,22 +151,28 @@ func testAPICreateBranches(t *testing.T, giteaURL *url.URL) {
 	for _, test := range tests {
 		defer resetFixtures(t)
 		session := ctx.Session
-		token := getTokenForLoggedInUser(t, session)
-		req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/my-noo-repo/branches?token="+token, &api.CreateBranchRepoOption{
-			BranchName:    test.NewBranch,
-			OldBranchName: test.OldBranch,
-		})
-		resp := session.MakeRequest(t, req, test.ExpectedHTTPStatus)
-
-		var branch api.Branch
-		DecodeJSON(t, resp, &branch)
-
-		if test.ExpectedHTTPStatus == http.StatusCreated {
-			assert.EqualValues(t, test.NewBranch, branch.Name)
-		}
+		testAPICreateBranch(t, session, "user2", "my-noo-repo", test.OldBranch, test.NewBranch, test.ExpectedHTTPStatus)
 	}
 }

+func testAPICreateBranch(t testing.TB, session *TestSession, user, repo, oldBranch, newBranch string, status int) bool {
+	token := getTokenForLoggedInUser(t, session)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/"+user+"/"+repo+"/branches?token="+token, &api.CreateBranchRepoOption{
+		BranchName:    newBranch,
+		OldBranchName: oldBranch,
+	})
+	resp := session.MakeRequest(t, req, status)
+
+	var branch api.Branch
+	DecodeJSON(t, resp, &branch)
+
+	if status == http.StatusCreated {
+		assert.EqualValues(t, newBranch, branch.Name)
+	}
+
+	return resp.Result().StatusCode == status
+}
+
 func TestAPIBranchProtection(t *testing.T) {
 	defer prepareTestEnv(t)()

--- a/integrations/api_gpg_keys_test.go
+++ b/integrations/api_gpg_keys_test.go
@@ -29,14 +29,13 @@ func TestGPGKeys(t *testing.T) {
 		results     []int
 	}{
 		{name: "NoLogin", makeRequest: MakeRequest, token: "",
-			results: []int{http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized},
+			results: []int{http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized, http.StatusUnauthorized},
 		},
 		{name: "LoggedAsUser2", makeRequest: session.MakeRequest, token: token,
-			results: []int{http.StatusOK, http.StatusOK, http.StatusNotFound, http.StatusNoContent, http.StatusUnprocessableEntity, http.StatusNotFound, http.StatusCreated, http.StatusCreated}},
+			results: []int{http.StatusOK, http.StatusOK, http.StatusNotFound, http.StatusNoContent, http.StatusUnprocessableEntity, http.StatusNotFound, http.StatusCreated, http.StatusNotFound, http.StatusCreated}},
 	}

 	for _, tc := range tt {
-
 		//Basic test on result code
 		t.Run(tc.name, func(t *testing.T) {
 			t.Run("ViewOwnGPGKeys", func(t *testing.T) {
@@ -61,7 +60,7 @@ func TestGPGKeys(t *testing.T) {
 			t.Run("CreateValidGPGKey", func(t *testing.T) {
 				testCreateValidGPGKey(t, tc.makeRequest, tc.token, tc.results[6])
 			})
-			t.Run("CreateValidSecondaryEmailGPGKey", func(t *testing.T) {
+			t.Run("CreateValidSecondaryEmailGPGKeyNotActivated", func(t *testing.T) {
 				testCreateValidSecondaryEmailGPGKey(t, tc.makeRequest, tc.token, tc.results[7])
 			})
 		})
@@ -75,46 +74,32 @@ func TestGPGKeys(t *testing.T) {
 		req := NewRequest(t, "GET", "/api/v1/user/gpg_keys?token="+token) //GET all keys
 		resp := session.MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &keys)
+		assert.Len(t, keys, 1)

 		primaryKey1 := keys[0] //Primary key 1
 		assert.EqualValues(t, "38EA3BCED732982C", primaryKey1.KeyID)
-		assert.EqualValues(t, 1, len(primaryKey1.Emails))
+		assert.Len(t, primaryKey1.Emails, 1)
 		assert.EqualValues(t, "user2@example.com", primaryKey1.Emails[0].Email)
-		assert.EqualValues(t, true, primaryKey1.Emails[0].Verified)
+		assert.True(t, primaryKey1.Emails[0].Verified)

 		subKey := primaryKey1.SubsKey[0] //Subkey of 38EA3BCED732982C
 		assert.EqualValues(t, "70D7C694D17D03AD", subKey.KeyID)
-		assert.EqualValues(t, 0, len(subKey.Emails))
-
-		primaryKey2 := keys[1] //Primary key 2
-		assert.EqualValues(t, "FABF39739FE1E927", primaryKey2.KeyID)
-		assert.EqualValues(t, 1, len(primaryKey2.Emails))
-		assert.EqualValues(t, "user21@example.com", primaryKey2.Emails[0].Email)
-		assert.EqualValues(t, false, primaryKey2.Emails[0].Verified)
+		assert.Empty(t, subKey.Emails)

 		var key api.GPGKey
 		req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey1.ID, 10)+"?token="+token) //Primary key 1
 		resp = session.MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &key)
 		assert.EqualValues(t, "38EA3BCED732982C", key.KeyID)
-		assert.EqualValues(t, 1, len(key.Emails))
+		assert.Len(t, key.Emails, 1)
 		assert.EqualValues(t, "user2@example.com", key.Emails[0].Email)
-		assert.EqualValues(t, true, key.Emails[0].Verified)
+		assert.True(t, key.Emails[0].Verified)

 		req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(subKey.ID, 10)+"?token="+token) //Subkey of 38EA3BCED732982C
 		resp = session.MakeRequest(t, req, http.StatusOK)
 		DecodeJSON(t, resp, &key)
 		assert.EqualValues(t, "70D7C694D17D03AD", key.KeyID)
-		assert.EqualValues(t, 0, len(key.Emails))
-
-		req = NewRequest(t, "GET", "/api/v1/user/gpg_keys/"+strconv.FormatInt(primaryKey2.ID, 10)+"?token="+token) //Primary key 2
-		resp = session.MakeRequest(t, req, http.StatusOK)
-		DecodeJSON(t, resp, &key)
-		assert.EqualValues(t, "FABF39739FE1E927", key.KeyID)
-		assert.EqualValues(t, 1, len(key.Emails))
-		assert.EqualValues(t, "user21@example.com", key.Emails[0].Email)
-		assert.EqualValues(t, false, key.Emails[0].Verified)
-
+		assert.Empty(t, key.Emails)
 	})

 	//Check state after basic add
@@ -124,7 +109,7 @@ func TestGPGKeys(t *testing.T) {
 			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/not-signed?token="+token)
 			resp := session.MakeRequest(t, req, http.StatusOK)
 			DecodeJSON(t, resp, &branch)
-			assert.EqualValues(t, false, branch.Commit.Verification.Verified)
+			assert.False(t, branch.Commit.Verification.Verified)
 		})

 		t.Run("SignedWithNotValidatedEmail", func(t *testing.T) {
@@ -132,7 +117,7 @@ func TestGPGKeys(t *testing.T) {
 			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign-not-yet-validated?token="+token)
 			resp := session.MakeRequest(t, req, http.StatusOK)
 			DecodeJSON(t, resp, &branch)
-			assert.EqualValues(t, false, branch.Commit.Verification.Verified)
+			assert.False(t, branch.Commit.Verification.Verified)
 		})

 		t.Run("SignedWithValidEmail", func(t *testing.T) {
@@ -140,7 +125,7 @@ func TestGPGKeys(t *testing.T) {
 			req := NewRequest(t, "GET", "/api/v1/repos/user2/repo16/branches/good-sign?token="+token)
 			resp := session.MakeRequest(t, req, http.StatusOK)
 			DecodeJSON(t, resp, &branch)
-			assert.EqualValues(t, true, branch.Commit.Verification.Verified)
+			assert.True(t, branch.Commit.Verification.Verified)
 		})
 	})
 }
@@ -231,35 +216,46 @@ uy6MA3VSB99SK9ducGmE1Jv8mcziREroz2TEGr0zPs6h
 }

 func testCreateValidSecondaryEmailGPGKey(t *testing.T, makeRequest makeRequestFunc, token string, expected int) {
-	//User2 <user21@example.com> //secondary and not activated
+	//User2 <user2-2@example.com> //secondary and not activated
 	testCreateGPGKey(t, makeRequest, token, expected, `-----BEGIN PGP PUBLIC KEY BLOCK-----

-mQENBFmGWN4BCAC18V4tVGO65VLCV7p14FuXJlUtZ5CuYMvgEkcOqrvRaBSW9ao4
-PGESOhJpfWpnW3QgJniYndLzPpsmdHEclEER6aZjiNgReWPOjHD5tykWocZAJqXD
-eY1ym59gvVMLcfbV2yQsyR2hbJlc+dJsl16tigSEe3nwxZSw2IsW92pgEzT9JNUr
-Q+mC8dw4dqY0tYmFazYUGNxufUc/twgQT/Or1aNs0az5Q6Jft4rrTRsh/S7We0VB
-COKGkdcQyYgAls7HJBuPjQRi6DM9VhgBSHLAgSLyaUcZvhZBJr8Qe/q4PP3/kYDJ
-wm4RMnjOLz2pFZPgtRqgcAwpmFtLrACbEB3JABEBAAG0GlVzZXIyIDx1c2VyMjFA
-ZXhhbXBsZS5jb20+iQFUBBMBCAA+FiEEPOLHOjPSO42DWM57+r85c5/h6ScFAlmG
-WN4CGwMFCQPCZwAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQ+r85c5/h6Sfx
-Lgf/dq64NBV8+X9an3seaLxePRviva48e4K67/wV/JxtXNO5Z/DhMGz5kHXCsG9D
-CXuWYO8ehlTjEnMZ6qqdDnY+H6bQsb2OS5oPn4RwpPXslAjEKtojPAr0dDsMS2DB
-dUuIm1AoOnewOVO0OFRf1EqX1bivxnN0FVMcO0m8AczfnKDaGb0y/qg/Y9JAsKqp
-j5pZNMWUkntRtGySeJ4CVJMmkVKJAHsa1Qj6MKdFeid4h4y94cBJ4ZdyBxNdpQOx
-ydf0doicovfeqGNO4oWzsGP4RBK2CqGPCUT+EFl20jPvMkKwOjxgqc8p0z3b2UT9
-+9bnmCGHgF/fW1HJ3iKmfFPqnLkBDQRZhljeAQgA5AirU/NJGgm19ZJYFOiHftjS
-azbrPxGeD3cSqmvDPIMc1DNZGfQV5D4EVumnVbQBtL6xHFoGKz9KisUMbe4a/X2J
-S8JmIphQWG0vMJX1DaZIzr2gT71MnPD7JMGsSUCh5dIKpTNTZX4w+oGPGOu0/UlL
-x0448AryKwp30J2p6D4GeI0nb03n35S2lTOpnHDn1wj7Jl/8LS2fdFOdNaNHXSZe
-twdSwJKhyBEiScgeHBDyKqo8zWkYoSb9eA2HiYlbVaiNtp24KP1mIEpiUdrRjWno
-zauYSZGHZlOFMgF4dKWuetPiuH9m7UYZGKyMLfQ9vYFb+xcPh2bLCQHJ1OEmMQAR
-AQABiQE8BBgBCAAmFiEEPOLHOjPSO42DWM57+r85c5/h6ScFAlmGWN4CGwwFCQPC
-ZwAACgkQ+r85c5/h6Sfjfwf+O4WEjRdvPJLxNy7mfAGoAqDMHIwyH/tVzYgyVhnG
-h/+cfRxJbGc3rpjYdr8dmvghzjEAout8uibPWaIqs63RCAPGPqgWLfxNO5c8+y8V
-LZMVOTV26l2olkkdBWAuhLqKTNh6TiQva03yhOgHWj4XDvFfxICWPFXVd6t5ELpD
-iApGu1OAj8JfhmzbG03Yzx+Ku7bWDxMonx3V/IDEu5LS5zrboHYDKCA53bXXghoi
-Aceqql+PKrDwEjoY4bptwMHLmcjGjdCQ//Qx1neho7nZcS7xjTucY8gQuulwCyXF
-y6wM+wMz8dunIG9gw4+Re6c4Rz9tX1kzxLrU7Pl21tMqfg==
-=0N/9
+mQGNBGC2K2cBDAC1+Xgk+8UfhASVgRngQi4rnQ8k0t+bWsBz4Czd26+cxVDRwlTT
+8PALdrbrY/e9iXjcVcZ8Npo4UYe7/LfnL57dc7tgbenRGYYrWyVoNNv58BVw4xCY
+RmgvdHWIIPGuz3aME0smHxbJ2KewYTqjTPuVKF/wrHTwCpVWdjYKC5KDo3yx0mro
+xf9vOJOnkWNMiEw7TiZfkrbUqxyA53BVsSNKRX5C3b4FJcVT7eiAq7sDAaFxjEHy
+ahZslmvg7XZxWzSVzxDNesR7f4xuop8HBjzaluJoVuwiyWculTvz1b6hyHVQr+ad
+h8JGjj1tySI65OTFsTuptsfHXjtjl/NR4P6BXkf+FVwweaTQaEzpHkv0m9b9pY43
+CY/8XtS4uNPermiLG/Z0BB1eOCdoOQVHpjOa55IXQWhxXB6NZVyowiUbrR7jLDQy
+5JP7D1HmErTR8JRm3VDqGbSaCgugRgFX+lb/fpgFp9k02OeK+JQudolZOt1mVk+T
+C4xmEWxfiH15/JMAEQEAAbQbdXNlcjIgPHVzZXIyLTJAZXhhbXBsZS5jb20+iQHU
+BBMBCAA+FiEEB/Y4DM3Ba2H9iXmlPO9G70C+/D4FAmC2K2cCGwMFCQPCZwAFCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQPO9G70C+/D59/Av/XZIhCH4X2FpxCO3d
+oCa+sbYkBL5xeUoPfAx5ThXzqL/tllO88TKTMEGZF3k5pocXWH0xmhqlvDTcdb0i
+W3O0CN8FLmuotU51c0JC1mt9zwJP9PeJNyqxrMm01Yzj55z/Dz3QHSTlDjrWTWjn
+YBqDf2HfdM177oydfSYmevZni1aDmBalWpFPRvqISCO7uFnvg1hJQ5mD/0qie663
+QJ8LAAANg32H9DyPnYi9wU62WX0DMUVTjKctT3cnYCbirjjJ7ZlCCm+cf61CRX1B
+E1Ng/Ef3ZcUfXWitZSjfET/pKEMSNjsQawFpZ/LPCBl+UPHzaTPAASeGJvcbZ3py
+wZQLQc1MCu2hmMBQ8zHQTdS2Pp0RISxCQLYvVQL6DrcJDNiSqn9p9RQt5c5r5Pjx
+80BIPcjj3glOVP7PYE2azQAkt6reEjhimwCfjeDpiPnkBTY7Av2jCcUFhhemDY/j
+TRXK1paLphhJ36zC22SeHGxNNakjjuUakqB85DEUeoWuVm6ouQGNBGC2K2cBDADx
+G2rIAgMjdPtofhkEZXwv6zdNwmYOlIIM+59bam9Ep/vFq8F5f+xldevm5dvM8SeR
+pNwDGSOUf5OKBWBdsJFhlYBl7+EcKd/Tent/XS6JoA9ffF33b+r04L543+ykiKON
+WYeYi0F4WwYTIQgqZHJze1sPVkYGR5F0bL8PAcLuwd5dzZVi/q2HakrGdg29N8oY
+b/XnoR7FflPrNYdzO6hawi5Inx7KS7aWa0ZkARb0F4HSct+/m6nAZVsoJINLudyQ
+ut2NWeU8rWIm1hqyIxQFvuQJy46umq++10J/sWA98bkg41Rx+72+eP7DM5v8IgUp
+clJsfljRXIBWbmRAVZvtNI7PX9fwMMhf4M7wHO7G2WV39o1exKps5xFFcn8PUQiX
+jCSR81M145CgCdmLUR1y0pdkN/WIqjXBhkPIvO2dxEcodMNHb1aUUuUOnww6+xIP
+8rGVw+a2DUiALc8Qr5RP21AYKRctfiwhSQh2KODveMtyLI3U9C/eLRPp+QM3XB8A
+EQEAAYkBvAQYAQgAJhYhBAf2OAzNwWth/Yl5pTzvRu9Avvw+BQJgtitnAhsMBQkD
+wmcAAAoJEDzvRu9Avvw+3FcMAJBwupyJ4zwQFxTJ5BkDlusG3U2FXEf3bDrXhvNd
+qi8eS8Vo/vRiH/w/my5JFpz1o2tJToryF71D+uF5DTItalKquhsQ9reAEmXggqOh
+9Jd9mWJIEEWcRORiLNDKENKvE8bouw4U4hRaSF0IaGzAe5mO+oOvwal8L97wFxrZ
+4leM1GzkopiuNfbkkBBw2KJcMjYBHzzXSCALnVwhjbgkBEWPIg38APT3cr9KfnMM
+q8+tvsGLj4piAl3Lww7+GhSsDOUXH8btR41BSAQDrbO5q6oi/h4nuxoNmQIDW/Ug
+s+dd5hnY2FtHRjb4FCR9kAjdTE6stc8wzohWfbg1N+12TTA2ylByAumICVXixavH
+RJ7l0OiWJk388qw9mqh3k8HcBxL7OfDlFC9oPmCS0iYiIwW/Yc80kBhoxcvl/Xa7
+mIMMn8taHIaQO7v9ln2EVQYTzbNCmwTw9ovTM0j/Pbkg2EftfP1TCoxQHvBnsCED
+6qgtsUdi5eviONRkBgeZtN3oxA==
+=MgDv
 -----END PGP PUBLIC KEY BLOCK-----`)
 }
--- a/integrations/api_helper_for_declarative_test.go
+++ b/integrations/api_helper_for_declarative_test.go
@@ -14,9 +14,9 @@ import (
 	"time"

 	"code.gitea.io/gitea/models"
-	auth "code.gitea.io/gitea/modules/forms"
 	"code.gitea.io/gitea/modules/queue"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/services/forms"

 	jsoniter "github.com/json-iterator/go"
 	"github.com/stretchr/testify/assert"
@@ -263,7 +263,7 @@ func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64)
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
 			owner, repo, index, ctx.Token)
-		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &auth.MergePullRequestForm{
+		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
 			MergeMessageField: "doAPIMergePullRequest Merge",
 			Do:                string(models.MergeStyleMerge),
 		})
@@ -275,7 +275,7 @@ func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64)
 			DecodeJSON(t, resp, &err)
 			assert.EqualValues(t, "Please try again later", err.Message)
 			queue.GetManager().FlushAll(context.Background(), 5*time.Second)
-			req = NewRequestWithJSON(t, http.MethodPost, urlStr, &auth.MergePullRequestForm{
+			req = NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
 				MergeMessageField: "doAPIMergePullRequest Merge",
 				Do:                string(models.MergeStyleMerge),
 			})
@@ -298,7 +298,7 @@ func doAPIManuallyMergePullRequest(ctx APITestContext, owner, repo, commitID str
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s",
 			owner, repo, index, ctx.Token)
-		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &auth.MergePullRequestForm{
+		req := NewRequestWithJSON(t, http.MethodPost, urlStr, &forms.MergePullRequestForm{
 			Do:            string(models.MergeStyleManuallyMerged),
 			MergeCommitID: commitID,
 		})
--- a/integrations/api_issue_reaction_test.go
+++ b/integrations/api_issue_reaction_test.go
@@ -61,7 +61,7 @@ func TestAPIIssuesReactions(t *testing.T) {
 	DecodeJSON(t, resp, &apiReactions)
 	expectResponse := make(map[int]api.Reaction)
 	expectResponse[0] = api.Reaction{
-		User:     convert.ToUser(user2, true, true),
+		User:     convert.ToUser(user2, user2),
 		Reaction: "eyes",
 		Created:  time.Unix(1573248003, 0),
 	}
@@ -121,12 +121,12 @@ func TestAPICommentReactions(t *testing.T) {
 	DecodeJSON(t, resp, &apiReactions)
 	expectResponse := make(map[int]api.Reaction)
 	expectResponse[0] = api.Reaction{
-		User:     convert.ToUser(user2, true, true),
+		User:     convert.ToUser(user2, user2),
 		Reaction: "laugh",
 		Created:  time.Unix(1573248004, 0),
 	}
 	expectResponse[1] = api.Reaction{
-		User:     convert.ToUser(user1, true, true),
+		User:     convert.ToUser(user1, user1),
 		Reaction: "laugh",
 		Created:  time.Unix(1573248005, 0),
 	}
--- a/integrations/api_issue_test.go
+++ b/integrations/api_issue_test.go
@@ -25,9 +25,10 @@ func TestAPIListIssues(t *testing.T) {

 	session := loginUser(t, owner.Name)
 	token := getTokenForLoggedInUser(t, session)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues?state=all&token=%s",
-		owner.Name, repo.Name, token)
-	resp := session.MakeRequest(t, req, http.StatusOK)
+	link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues", owner.Name, repo.Name))
+
+	link.RawQuery = url.Values{"token": {token}, "state": {"all"}}.Encode()
+	resp := session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
 	var apiIssues []*api.Issue
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, models.GetCount(t, &models.Issue{RepoID: repo.ID}))
@@ -36,15 +37,34 @@ func TestAPIListIssues(t *testing.T) {
 	}

 	// test milestone filter
-	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues?state=all&type=all&milestones=ignore,milestone1,3,4&token=%s",
-		owner.Name, repo.Name, token)
-	resp = session.MakeRequest(t, req, http.StatusOK)
+	link.RawQuery = url.Values{"token": {token}, "state": {"all"}, "type": {"all"}, "milestones": {"ignore,milestone1,3,4"}}.Encode()
+	resp = session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	if assert.Len(t, apiIssues, 2) {
 		assert.EqualValues(t, 3, apiIssues[0].Milestone.ID)
 		assert.EqualValues(t, 1, apiIssues[1].Milestone.ID)
 	}

+	link.RawQuery = url.Values{"token": {token}, "state": {"all"}, "created_by": {"user2"}}.Encode()
+	resp = session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	if assert.Len(t, apiIssues, 1) {
+		assert.EqualValues(t, 5, apiIssues[0].ID)
+	}
+
+	link.RawQuery = url.Values{"token": {token}, "state": {"all"}, "assigned_by": {"user1"}}.Encode()
+	resp = session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	if assert.Len(t, apiIssues, 1) {
+		assert.EqualValues(t, 1, apiIssues[0].ID)
+	}
+
+	link.RawQuery = url.Values{"token": {token}, "state": {"all"}, "mentioned_by": {"user4"}}.Encode()
+	resp = session.MakeRequest(t, NewRequest(t, "GET", link.String()), http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	if assert.Len(t, apiIssues, 1) {
+		assert.EqualValues(t, 1, apiIssues[0].ID)
+	}
 }

 func TestAPICreateIssue(t *testing.T) {
@@ -65,8 +85,8 @@ func TestAPICreateIssue(t *testing.T) {
 	resp := session.MakeRequest(t, req, http.StatusCreated)
 	var apiIssue api.Issue
 	DecodeJSON(t, resp, &apiIssue)
-	assert.Equal(t, apiIssue.Body, body)
-	assert.Equal(t, apiIssue.Title, title)
+	assert.Equal(t, body, apiIssue.Body)
+	assert.Equal(t, title, apiIssue.Title)

 	models.AssertExistsAndLoadBean(t, &models.Issue{
 		RepoID:     repoBefore.ID,
@@ -202,6 +222,20 @@ func TestAPISearchIssues(t *testing.T) {
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiIssues)
 	assert.Len(t, apiIssues, 1)
+
+	query = url.Values{"milestones": {"milestone1"}, "state": {"all"}}
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 1)
+
+	query = url.Values{"milestones": {"milestone1,milestone3"}, "state": {"all"}}
+	link.RawQuery = query.Encode()
+	req = NewRequest(t, "GET", link.String())
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiIssues)
+	assert.Len(t, apiIssues, 2)
 }

 func TestAPISearchIssuesWithLabels(t *testing.T) {
--- a/integrations/api_notification_test.go
+++ b/integrations/api_notification_test.go
@@ -45,14 +45,14 @@ func TestAPINotification(t *testing.T) {

 	assert.Len(t, apiNL, 3)
 	assert.EqualValues(t, 4, apiNL[0].ID)
-	assert.EqualValues(t, true, apiNL[0].Unread)
-	assert.EqualValues(t, false, apiNL[0].Pinned)
+	assert.True(t, apiNL[0].Unread)
+	assert.False(t, apiNL[0].Pinned)
 	assert.EqualValues(t, 3, apiNL[1].ID)
-	assert.EqualValues(t, false, apiNL[1].Unread)
-	assert.EqualValues(t, true, apiNL[1].Pinned)
+	assert.False(t, apiNL[1].Unread)
+	assert.True(t, apiNL[1].Pinned)
 	assert.EqualValues(t, 2, apiNL[2].ID)
-	assert.EqualValues(t, false, apiNL[2].Unread)
-	assert.EqualValues(t, false, apiNL[2].Pinned)
+	assert.False(t, apiNL[2].Unread)
+	assert.False(t, apiNL[2].Pinned)

 	// -- GET /repos/{owner}/{repo}/notifications --
 	req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/notifications?status-types=unread&token=%s", user2.Name, repo1.Name, token))
@@ -74,8 +74,8 @@ func TestAPINotification(t *testing.T) {
 	DecodeJSON(t, resp, &apiN)

 	assert.EqualValues(t, 5, apiN.ID)
-	assert.EqualValues(t, false, apiN.Pinned)
-	assert.EqualValues(t, true, apiN.Unread)
+	assert.False(t, apiN.Pinned)
+	assert.True(t, apiN.Unread)
 	assert.EqualValues(t, "issue4", apiN.Subject.Title)
 	assert.EqualValues(t, "Issue", apiN.Subject.Type)
 	assert.EqualValues(t, thread5.Issue.APIURL(), apiN.Subject.URL)
--- a/integrations/api_oauth2_apps_test.go
+++ b/integrations/api_oauth2_apps_test.go
@@ -123,7 +123,7 @@ func testAPIGetOAuth2Application(t *testing.T) {
 	assert.EqualValues(t, existApp.ClientID, expectedApp.ClientID)
 	assert.Len(t, expectedApp.ClientID, 36)
 	assert.Empty(t, expectedApp.ClientSecret)
-	assert.EqualValues(t, len(expectedApp.RedirectURIs), 1)
+	assert.Len(t, expectedApp.RedirectURIs, 1)
 	assert.EqualValues(t, existApp.RedirectURIs[0], expectedApp.RedirectURIs[0])
 	models.AssertExistsAndLoadBean(t, &models.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
 }
@@ -156,7 +156,7 @@ func testAPIUpdateOAuth2Application(t *testing.T) {
 	DecodeJSON(t, resp, &app)
 	expectedApp := app

-	assert.EqualValues(t, len(expectedApp.RedirectURIs), 2)
+	assert.Len(t, expectedApp.RedirectURIs, 2)
 	assert.EqualValues(t, expectedApp.RedirectURIs[0], appBody.RedirectURIs[0])
 	assert.EqualValues(t, expectedApp.RedirectURIs[1], appBody.RedirectURIs[1])
 	models.AssertExistsAndLoadBean(t, &models.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name})
--- a/Show More
+++ b/Show More