Merge remote-tracking branch 'origin/main' into xormigrate

2024-09-01 14:56:30 +00:00 · 2024-07-20 12:17:41 +02:00 · 2024-07-20 12:17:41 +02:00 · be176edf79
commit be176edf79
parent 507abd1892 ba9589a92d
20 changed files with 455 additions and 372 deletions
--- a/go.mod
+++ b/go.mod
@ -91,7 +91,7 @@ require (
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.19.1
 	github.com/quasoft/websspi v1.1.2
-	github.com/redis/go-redis/v9 v9.5.3
+	github.com/redis/go-redis/v9 v9.6.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/sassoftware/go-rpmutils v0.4.0
--- a/go.sum
+++ b/go.sum
@ -749,8 +749,8 @@ github.com/prometheus/procfs v0.13.0/go.mod h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43Z
 github.com/quasoft/websspi v1.1.2 h1:/mA4w0LxWlE3novvsoEL6BBA1WnjJATbjkh1kFrTidw=
 github.com/quasoft/websspi v1.1.2/go.mod h1:HmVdl939dQ0WIXZhyik+ARdI03M6bQzaSEKcgpFmewk=
 github.com/rcrowley/go-metrics v0.0.0-20190826022208-cac0b30c2563/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
-github.com/redis/go-redis/v9 v9.5.3 h1:fOAp1/uJG+ZtcITgZOfYFmTKPE7n4Vclj1wZFgRciUU=
+github.com/redis/go-redis/v9 v9.6.0 h1:NLck+Rab3AOTHw21CGRpvQpgTrAU4sgdCswqGtlhGRA=
-github.com/redis/go-redis/v9 v9.5.3/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
+github.com/redis/go-redis/v9 v9.6.0/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 h1:OdAsTTz6OkFY5QxjkYwrChwuRruF69c169dPK26NUlk=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rhysd/actionlint v1.7.1 h1:WJaDzyT1StBWVKGSsZPYnbV0HF9Y9/vD6KFdZQL42qE=
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@ -37,10 +37,11 @@ type OAuth2Application struct {
 	// https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
 	// "Authorization servers MUST record the client type in the client registration details"
 	// https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
-	ConfidentialClient bool               `xorm:"NOT NULL DEFAULT TRUE"`
+	ConfidentialClient         bool               `xorm:"NOT NULL DEFAULT TRUE"`
-	RedirectURIs       []string           `xorm:"redirect_uris JSON TEXT"`
+	SkipSecondaryAuthorization bool               `xorm:"NOT NULL DEFAULT FALSE"`
-	CreatedUnix        timeutil.TimeStamp `xorm:"INDEX created"`
+	RedirectURIs               []string           `xorm:"redirect_uris JSON TEXT"`
-	UpdatedUnix        timeutil.TimeStamp `xorm:"INDEX updated"`
+	CreatedUnix                timeutil.TimeStamp `xorm:"INDEX created"`
 	UpdatedUnix                timeutil.TimeStamp `xorm:"INDEX updated"`
 }
 func init() {
@ -251,21 +252,23 @@ func GetOAuth2ApplicationByID(ctx context.Context, id int64) (app *OAuth2Applica
 // CreateOAuth2ApplicationOptions holds options to create an oauth2 application
 type CreateOAuth2ApplicationOptions struct {
-	Name               string
+	Name                       string
-	UserID             int64
+	UserID                     int64
-	ConfidentialClient bool
+	ConfidentialClient         bool
-	RedirectURIs       []string
+	SkipSecondaryAuthorization bool
 	RedirectURIs               []string
 }
 // CreateOAuth2Application inserts a new oauth2 application
 func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOptions) (*OAuth2Application, error) {
 	clientID := uuid.New().String()
 	app := &OAuth2Application{
-		UID:                opts.UserID,
+		UID:                        opts.UserID,
-		Name:               opts.Name,
+		Name:                       opts.Name,
-		ClientID:           clientID,
+		ClientID:                   clientID,
-		RedirectURIs:       opts.RedirectURIs,
+		RedirectURIs:               opts.RedirectURIs,
-		ConfidentialClient: opts.ConfidentialClient,
+		ConfidentialClient:         opts.ConfidentialClient,
 		SkipSecondaryAuthorization: opts.SkipSecondaryAuthorization,
 	}
 	if err := db.Insert(ctx, app); err != nil {
 		return nil, err
@ -275,11 +278,12 @@ func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOp
 // UpdateOAuth2ApplicationOptions holds options to update an oauth2 application
 type UpdateOAuth2ApplicationOptions struct {
-	ID                 int64
+	ID                         int64
-	Name               string
+	Name                       string
-	UserID             int64
+	UserID                     int64
-	ConfidentialClient bool
+	ConfidentialClient         bool
-	RedirectURIs       []string
+	SkipSecondaryAuthorization bool
 	RedirectURIs               []string
 }
 // UpdateOAuth2Application updates an oauth2 application
@ -305,6 +309,7 @@ func UpdateOAuth2Application(ctx context.Context, opts UpdateOAuth2ApplicationOp
 	app.Name = opts.Name
 	app.RedirectURIs = opts.RedirectURIs
 	app.ConfidentialClient = opts.ConfidentialClient
 	app.SkipSecondaryAuthorization = opts.SkipSecondaryAuthorization
 	if err = updateOAuth2Application(ctx, app); err != nil {
 		return nil, err
@ -315,7 +320,7 @@ func UpdateOAuth2Application(ctx context.Context, opts UpdateOAuth2ApplicationOp
 }
 func updateOAuth2Application(ctx context.Context, app *OAuth2Application) error {
-	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("confidential_client").Update(app); err != nil {
+	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("confidential_client", "skip_secondary_authorization").Update(app); err != nil {
 		return err
 	}
 	return nil
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@ -566,6 +566,8 @@ var migrations = []*xormigrate.Migration{
 	NewMigration("Add content version to issue and comment table", v1_23.AddContentVersionToIssueAndComment),
 	// v300 -> v301
 	NewMigration("Add force-push branch protection support", v1_23.AddForcePushBranchProtection),
 	// v301 -> v302
 	NewMigration("Add skip_secondary_authorization option to oauth2 application table", v1_23.AddSkipSecondaryAuthColumnToOAuth2ApplicationTable),
 }
 // EnsureUpToDate will check if the db is at the correct version
--- a/models/migrations/v1_23/v301.go
+++ b/models/migrations/v1_23/v301.go
@ -3,310 +3,12 @@
 package v1_23 //nolint
-import (
+import "xorm.io/xorm"
 	"fmt"
-	"code.gitea.io/gitea/modules/log"
+// AddSkipSeconderyAuthToOAuth2ApplicationTable: add SkipSecondaryAuthorization column, setting existing rows to false
-	"code.gitea.io/gitea/modules/setting"
+func AddSkipSecondaryAuthColumnToOAuth2ApplicationTable(x *xorm.Engine) error {
-
+	type oauth2Application struct {
-	"src.techknowlogick.com/xormigrate"
+		SkipSecondaryAuthorization bool `xorm:"NOT NULL DEFAULT FALSE"`
-	"xorm.io/xorm"
+	}
-)
+	return x.Sync(new(oauth2Application))
 const (
 	minDBVersion       = 70 // Gitea 1.5.3
 	oldMigrationsCount = 230
 	expectedVersion    = minDBVersion + oldMigrationsCount
 )
 var oldMigrationNames = []string{
 	"add issue_dependencies",
 	"protect each scratch token",
 	"add review",
 	"add must_change_password column for users table",
 	"add approval whitelists to protected branches",
 	"clear nonused data which not deleted when user was deleted",
 	"add pull request rebase with merge commit",
 	"add theme to users",
 	"rename repo is_bare to repo is_empty",
 	"add can close issues via commit in any branch",
 	"add is locked to issues",
 	"update U2F counter type",
 	"hot fix for wrong release sha1 on release table",
 	"add uploader id for table attachment",
 	"add table to store original imported gpg keys",
 	"hash application token",
 	"add http method to webhook",
 	"add avatar field to repository",
 	"add commit status context field to commit_status",
 	"add original author/url migration info to issues, comments, and repo ",
 	"change length of some repository columns",
 	"add index on owner_id of repository and type, review_id of comment",
 	"remove orphaned repository index statuses",
 	"add email notification enabled preference to user",
 	"add enable_status_check, status_check_contexts to protected_branch",
 	"add table columns for cross referencing issues",
 	"delete orphaned attachments",
 	"add repo_admin_change_team_access to user",
 	"add original author name and id on migrated release",
 	"add task table and status column for repository table",
 	"update migration repositories' service type",
 	"change length of some external login users columns",
 	"update migration repositories' service type v2",
 	"Add WhitelistDeployKeys to protected branch",
 	"remove unnecessary columns from label",
 	"add includes_all_repositories to teams",
 	"add column `mode` to table watch",
 	"Add template options to repository",
 	"Add comment_id on table notification",
 	"add can_create_org_repo to team",
 	"change review content type to text",
 	"update branch protection for can push and whitelist enable",
 	"remove release attachments which repository deleted",
 	"new feature: change target branch of pull requests",
 	"Remove authentication credentials from stored URL",
 	"add user_id prefix to existing user avatar name",
 	"Extend TrackedTimes",
 	"Add block on rejected reviews branch protection",
 	"Add commit id and stale to reviews",
 	"Fix migrated repositories' git service type",
 	"Add owner_name on table repository",
 	"add is_restricted column for users table",
 	"Add Require Signed Commits to ProtectedBranch",
 	"Add original information for reactions",
 	"Add columns to user and repository",
 	"Add some columns on review for migration",
 	"Fix topic repository count",
 	"add repository code language statistics",
 	"fix merge base for pull requests",
 	"remove dependencies from deleted repositories",
 	"Expand webhooks for more granularity",
 	"Add IsSystemWebhook column to webhooks table",
 	"Add Branch Protection Protected Files Column",
 	"Add EmailHash Table",
 	"Refix merge base for merged pull requests",
 	"Add OrgID column to Labels table",
 	"Add CommitsAhead and CommitsBehind Column to PullRequest Table",
 	"Add Branch Protection Block Outdated Branch",
 	"Add ResolveDoerID to Comment table",
 	"prepend refs/heads/ to issue refs",
 	"Save detected language file size to database instead of percent",
 	"Add KeepActivityPrivate to User table",
 	"Ensure Repository.IsArchived is not null",
 	"recalculate Stars number for all user",
 	"update Matrix Webhook http method to 'PUT'",
 	"Increase Language field to 50 in LanguageStats",
 	"Add projects info to repository table",
 	"create review for 0 review id code comments",
 	"remove issue dependency comments who refer to non existing issues",
 	"Add Created and Updated to Milestone table",
 	"add primary key to repo_topic",
 	"set default password algorithm to Argon2",
 	"add TrustModel field to Repository",
 	"add Team review request support",
 	"add timestamps to Star, Label, Follow, Watch and Collaboration",
 	"add changed_protected_files column for pull_request table",
 	"fix publisher ID for tag releases",
 	"ensure repo topics are up-to-date",
 	"code comment replies should have the commitID of the review they are replying to",
 	"update reactions constraint",
 	"Add block on official review requests branch protection",
 	"Convert task type from int to string",
 	"Convert webhook task type from int to string",
 	"Convert topic name from 25 to 50",
 	"Add scope and nonce columns to oauth2_grant table",
 	"Convert hook task type from char(16) to varchar(16) and trim the column",
 	"Where Password is Valid with Empty String delete it",
 	"Add user redirect",
 	"Recreate user table to fix default values",
 	"Update DeleteBranch comments to set the old_ref to the commit_sha",
 	"Add Dismissed to Review table",
 	"Add Sorting to ProjectBoard table",
 	"Add sessions table for go-chi/session",
 	"Add time_id column to Comment",
 	"Create repo transfer table",
 	"Fix Postgres ID Sequences broken by recreate-table",
 	"Remove invalid labels from comments",
 	"Delete orphaned IssueLabels",
 	"Add LFS columns to Mirror",
 	"Convert avatar url to text",
 	"Delete credentials from past migrations",
 	"Always save primary email on email address table",
 	"Add issue resource index table",
 	"Create PushMirror table",
 	"Rename Task errors to message",
 	"Add new table repo_archiver",
 	"Create protected tag table",
 	"Drop unneeded webhook related columns",
 	"Add key is verified to gpg key",
 	"Unwrap ldap.Sources",
 	"Add agit flow pull request support",
 	"Alter issue/comment table TEXT fields to LONGTEXT",
 	"RecreateIssueResourceIndexTable to have a primary key instead of an unique index",
 	"Add repo id column for attachment table",
 	"Add Branch Protection Unprotected Files Column",
 	"Add table commit_status_index",
 	"Add Color to ProjectBoard table",
 	"Add renamed_branch table",
 	"Add issue content history table",
 	"No-op (remote version is using AppState now)",
 	"Add table app_state",
 	"Drop table remote_version (if exists)",
 	"Create key/value table for user settings",
 	"Add Sorting to ProjectIssue table",
 	"Add key is verified to ssh key",
 	"Migrate to higher varchar on user struct",
 	"Add authorize column to team_unit table",
 	"Add webauthn table and migrate u2f data to webauthn - NO-OPED",
 	"Use base32.HexEncoding instead of base64 encoding for cred ID as it is case insensitive - NO-OPED",
 	"Increase WebAuthentication CredentialID size to 410 - NO-OPED",
 	"v208 was completely broken - remigrate",
 	"Create ForeignReference table",
 	"Add package tables",
 	"Add allow edits from maintainers to PullRequest table",
 	"Add auto merge table",
 	"allow to view files in PRs",
 	"No-op (Improve Action table indices v1)",
 	"Alter hook_task table TEXT fields to LONGTEXT",
 	"Improve Action table indices v2",
 	"Add sync_on_commit column to push_mirror table",
 	"Add container repository property",
 	"Store WebAuthentication CredentialID as bytes and increase size to at least 1024",
 	"Drop old CredentialID column",
 	"Rename CredentialIDBytes column to CredentialID",
 	"Add badges to users",
 	"Alter gpg_key/public_key content TEXT fields to MEDIUMTEXT",
 	"Conan and generic packages do not need to be semantically versioned",
 	"Create key/value table for system settings",
 	"Add TeamInvite table",
 	"Update counts of all open milestones",
 	"Add ConfidentialClient column (default true) to OAuth2Application table",
 	"Add index for hook_task",
 	"Alter package_version.metadata_json to LONGTEXT",
 	"Add header_authorization_encrypted column to webhook table",
 	"Add package cleanup rule table",
 	"Add index for access_token",
 	"Create secrets table",
 	"Drop ForeignReference table",
 	"Add updated unix to LFSMetaObject",
 	"Add scope for access_token",
 	"Add actions tables",
 	"Add card_type column to project table",
 	"Alter gpg_key_import content TEXT field to MEDIUMTEXT",
 	"Add exclusive label",
 	"Add NeedApproval to actions tables",
 	"Rename Webhook org_id to owner_id",
 	"Add missed column owner_id for project table",
 	"Fix incorrect project type",
 	"Add version column to action_runner table",
 	"Improve Action table indices v3",
 	"Change Container Metadata",
 	"Fix incorrect owner team unit access mode",
 	"Fix incorrect admin team unit access mode",
 	"Fix ExternalTracker and ExternalWiki accessMode in owner and admin team",
 	"Add ActionTaskOutput table",
 	"Add ArchivedUnix Column",
 	"Add is_internal column to package",
 	"Add Actions Artifact table",
 	"Add PinOrder Column",
 	"Convert scoped access tokens",
 	"Drop custom_labels column of action_runner table",
 	"Add variable table",
 	"Add TriggerEvent to action_run table",
 	"Add git_size and lfs_size columns to repository table",
 	"Add branch table",
 	"Alter Actions Artifact table",
 	"Reduce commit status",
 	"Add action_tasks_version table",
 	"Update Action Ref",
 	"Drop deleted branch table",
 	"Fix PackageProperty typo",
 	"Allow archiving labels",
 	"Add Version to ActionRun table",
 	"Add Action Schedule Table",
 	"Add Actions artifacts expiration date",
 	"Add ScheduleID for ActionRun",
 	"Add RemoteAddress to mirrors",
 	"Add Index to issue_user.issue_id",
 	"Add Index to comment.dependent_issue_id",
 	"Add Index to action.user_id",
 	"Rename user themes",
 	"Add auth_token table",
 	"Add Index to pull_auto_merge.doer_id",
 	"Add combined Index to issue_user.uid and issue_id",
 	"Add ignore stale approval column on branch table",
 	"Add PreviousDuration to ActionRun",
 	"Add support for SHA256 git repositories",
 	"Use Slug instead of ID for Badges",
 	"Add user_blocking table",
 	"Add default_wiki_branch to repository table",
 	"Add PayloadVersion to HookTask",
 	"Add Index to attachment.comment_id",
 	"Ensure every project has exactly one default column - No Op",
 	"Ensure every project has exactly one default column",
 	"Add unique index for project issue table",
 	"Add commit status summary table",
 	"Add missing field of commit status summary table",
 	"Add everyone_access_mode for repo_unit",
 	"Drop wrongly created table o_auth2_application",
 	"Add content version to issue and comment table",
 }
 // Version describes the version table. Should have only one row with id==1
 type Version struct {
 	ID      int64 `xorm:"pk autoincr"`
 	Version int64
 }
 func MigrateToXormigrate(x *xorm.Engine) error {
 	if err := x.Sync(new(Version)); err != nil {
 		return fmt.Errorf("sync: %w", err)
 	}
 	currentVersion := &Version{ID: 1}
 	has, err := x.Get(currentVersion)
 	if err != nil {
 		return fmt.Errorf("get: %w", err)
 	} else if !has {
 		// If the version record does not exist we think
 		// it is a fresh installation and we can skip all migrations.
 		currentVersion.ID = 0
 		currentVersion.Version = expectedVersion
 		if _, err = x.InsertOne(currentVersion); err != nil {
 			return fmt.Errorf("insert: %w", err)
 		}
 	}
 	v := currentVersion.Version
 	if minDBVersion > v {
 		log.Fatal(`Gitea no longer supports auto-migration from your previously installed version.
 Please try upgrading to a lower version first (suggested v1.6.4), then upgrade to this version.`)
 		return nil
 	}
 	// Downgrading Gitea's database version not supported
 	if int(v-minDBVersion) > oldMigrationsCount {
 		msg := fmt.Sprintf("Your database (migration version: %d) is for a newer Gitea, you can not use the newer database for this old Gitea release (%d).", v, expectedVersion)
 		msg += "\nGitea will exit to keep your database safe and unchanged. Please use the correct Gitea release, do not change the migration version manually (incorrect manual operation may lose data)."
 		if !setting.IsProd {
 			msg += fmt.Sprintf("\nIf you are in development and really know what you're doing, you can force changing the migration version by executing: UPDATE version SET version=%d WHERE id=1;", expectedVersion)
 		}
 		log.Fatal("Migration Error: %s", msg)
 		return nil
 	}
 	// Remove old version table
 	if err := x.DropTables(new(Version)); err != nil {
 		return err
 	}
 	// add migrations that already have been run
 	for _, i := range oldMigrationNames {
 		if _, err := x.Insert(&xormigrate.Migration{ID: i}); err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/models/migrations/v1_23/v302.go
+++ b/models/migrations/v1_23/v302.go
@ -0,0 +1,314 @@
 // Copyright 2024 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package v1_23 //nolint
 import (
 	"fmt"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"src.techknowlogick.com/xormigrate"
 	"xorm.io/xorm"
 )
 const (
 	minDBVersion       = 70 // Gitea 1.5.3
 	oldMigrationsCount = 230
 	expectedVersion    = minDBVersion + oldMigrationsCount
 )
 var oldMigrationNames = []string{
 	"add issue_dependencies",
 	"protect each scratch token",
 	"add review",
 	"add must_change_password column for users table",
 	"add approval whitelists to protected branches",
 	"clear nonused data which not deleted when user was deleted",
 	"add pull request rebase with merge commit",
 	"add theme to users",
 	"rename repo is_bare to repo is_empty",
 	"add can close issues via commit in any branch",
 	"add is locked to issues",
 	"update U2F counter type",
 	"hot fix for wrong release sha1 on release table",
 	"add uploader id for table attachment",
 	"add table to store original imported gpg keys",
 	"hash application token",
 	"add http method to webhook",
 	"add avatar field to repository",
 	"add commit status context field to commit_status",
 	"add original author/url migration info to issues, comments, and repo ",
 	"change length of some repository columns",
 	"add index on owner_id of repository and type, review_id of comment",
 	"remove orphaned repository index statuses",
 	"add email notification enabled preference to user",
 	"add enable_status_check, status_check_contexts to protected_branch",
 	"add table columns for cross referencing issues",
 	"delete orphaned attachments",
 	"add repo_admin_change_team_access to user",
 	"add original author name and id on migrated release",
 	"add task table and status column for repository table",
 	"update migration repositories' service type",
 	"change length of some external login users columns",
 	"update migration repositories' service type v2",
 	"Add WhitelistDeployKeys to protected branch",
 	"remove unnecessary columns from label",
 	"add includes_all_repositories to teams",
 	"add column `mode` to table watch",
 	"Add template options to repository",
 	"Add comment_id on table notification",
 	"add can_create_org_repo to team",
 	"change review content type to text",
 	"update branch protection for can push and whitelist enable",
 	"remove release attachments which repository deleted",
 	"new feature: change target branch of pull requests",
 	"Remove authentication credentials from stored URL",
 	"add user_id prefix to existing user avatar name",
 	"Extend TrackedTimes",
 	"Add block on rejected reviews branch protection",
 	"Add commit id and stale to reviews",
 	"Fix migrated repositories' git service type",
 	"Add owner_name on table repository",
 	"add is_restricted column for users table",
 	"Add Require Signed Commits to ProtectedBranch",
 	"Add original information for reactions",
 	"Add columns to user and repository",
 	"Add some columns on review for migration",
 	"Fix topic repository count",
 	"add repository code language statistics",
 	"fix merge base for pull requests",
 	"remove dependencies from deleted repositories",
 	"Expand webhooks for more granularity",
 	"Add IsSystemWebhook column to webhooks table",
 	"Add Branch Protection Protected Files Column",
 	"Add EmailHash Table",
 	"Refix merge base for merged pull requests",
 	"Add OrgID column to Labels table",
 	"Add CommitsAhead and CommitsBehind Column to PullRequest Table",
 	"Add Branch Protection Block Outdated Branch",
 	"Add ResolveDoerID to Comment table",
 	"prepend refs/heads/ to issue refs",
 	"Save detected language file size to database instead of percent",
 	"Add KeepActivityPrivate to User table",
 	"Ensure Repository.IsArchived is not null",
 	"recalculate Stars number for all user",
 	"update Matrix Webhook http method to 'PUT'",
 	"Increase Language field to 50 in LanguageStats",
 	"Add projects info to repository table",
 	"create review for 0 review id code comments",
 	"remove issue dependency comments who refer to non existing issues",
 	"Add Created and Updated to Milestone table",
 	"add primary key to repo_topic",
 	"set default password algorithm to Argon2",
 	"add TrustModel field to Repository",
 	"add Team review request support",
 	"add timestamps to Star, Label, Follow, Watch and Collaboration",
 	"add changed_protected_files column for pull_request table",
 	"fix publisher ID for tag releases",
 	"ensure repo topics are up-to-date",
 	"code comment replies should have the commitID of the review they are replying to",
 	"update reactions constraint",
 	"Add block on official review requests branch protection",
 	"Convert task type from int to string",
 	"Convert webhook task type from int to string",
 	"Convert topic name from 25 to 50",
 	"Add scope and nonce columns to oauth2_grant table",
 	"Convert hook task type from char(16) to varchar(16) and trim the column",
 	"Where Password is Valid with Empty String delete it",
 	"Add user redirect",
 	"Recreate user table to fix default values",
 	"Update DeleteBranch comments to set the old_ref to the commit_sha",
 	"Add Dismissed to Review table",
 	"Add Sorting to ProjectBoard table",
 	"Add sessions table for go-chi/session",
 	"Add time_id column to Comment",
 	"Create repo transfer table",
 	"Fix Postgres ID Sequences broken by recreate-table",
 	"Remove invalid labels from comments",
 	"Delete orphaned IssueLabels",
 	"Add LFS columns to Mirror",
 	"Convert avatar url to text",
 	"Delete credentials from past migrations",
 	"Always save primary email on email address table",
 	"Add issue resource index table",
 	"Create PushMirror table",
 	"Rename Task errors to message",
 	"Add new table repo_archiver",
 	"Create protected tag table",
 	"Drop unneeded webhook related columns",
 	"Add key is verified to gpg key",
 	"Unwrap ldap.Sources",
 	"Add agit flow pull request support",
 	"Alter issue/comment table TEXT fields to LONGTEXT",
 	"RecreateIssueResourceIndexTable to have a primary key instead of an unique index",
 	"Add repo id column for attachment table",
 	"Add Branch Protection Unprotected Files Column",
 	"Add table commit_status_index",
 	"Add Color to ProjectBoard table",
 	"Add renamed_branch table",
 	"Add issue content history table",
 	"No-op (remote version is using AppState now)",
 	"Add table app_state",
 	"Drop table remote_version (if exists)",
 	"Create key/value table for user settings",
 	"Add Sorting to ProjectIssue table",
 	"Add key is verified to ssh key",
 	"Migrate to higher varchar on user struct",
 	"Add authorize column to team_unit table",
 	"Add webauthn table and migrate u2f data to webauthn - NO-OPED",
 	"Use base32.HexEncoding instead of base64 encoding for cred ID as it is case insensitive - NO-OPED",
 	"Increase WebAuthentication CredentialID size to 410 - NO-OPED",
 	"v208 was completely broken - remigrate",
 	"Create ForeignReference table",
 	"Add package tables",
 	"Add allow edits from maintainers to PullRequest table",
 	"Add auto merge table",
 	"allow to view files in PRs",
 	"No-op (Improve Action table indices v1)",
 	"Alter hook_task table TEXT fields to LONGTEXT",
 	"Improve Action table indices v2",
 	"Add sync_on_commit column to push_mirror table",
 	"Add container repository property",
 	"Store WebAuthentication CredentialID as bytes and increase size to at least 1024",
 	"Drop old CredentialID column",
 	"Rename CredentialIDBytes column to CredentialID",
 	"Add badges to users",
 	"Alter gpg_key/public_key content TEXT fields to MEDIUMTEXT",
 	"Conan and generic packages do not need to be semantically versioned",
 	"Create key/value table for system settings",
 	"Add TeamInvite table",
 	"Update counts of all open milestones",
 	"Add ConfidentialClient column (default true) to OAuth2Application table",
 	"Add index for hook_task",
 	"Alter package_version.metadata_json to LONGTEXT",
 	"Add header_authorization_encrypted column to webhook table",
 	"Add package cleanup rule table",
 	"Add index for access_token",
 	"Create secrets table",
 	"Drop ForeignReference table",
 	"Add updated unix to LFSMetaObject",
 	"Add scope for access_token",
 	"Add actions tables",
 	"Add card_type column to project table",
 	"Alter gpg_key_import content TEXT field to MEDIUMTEXT",
 	"Add exclusive label",
 	"Add NeedApproval to actions tables",
 	"Rename Webhook org_id to owner_id",
 	"Add missed column owner_id for project table",
 	"Fix incorrect project type",
 	"Add version column to action_runner table",
 	"Improve Action table indices v3",
 	"Change Container Metadata",
 	"Fix incorrect owner team unit access mode",
 	"Fix incorrect admin team unit access mode",
 	"Fix ExternalTracker and ExternalWiki accessMode in owner and admin team",
 	"Add ActionTaskOutput table",
 	"Add ArchivedUnix Column",
 	"Add is_internal column to package",
 	"Add Actions Artifact table",
 	"Add PinOrder Column",
 	"Convert scoped access tokens",
 	"Drop custom_labels column of action_runner table",
 	"Add variable table",
 	"Add TriggerEvent to action_run table",
 	"Add git_size and lfs_size columns to repository table",
 	"Add branch table",
 	"Alter Actions Artifact table",
 	"Reduce commit status",
 	"Add action_tasks_version table",
 	"Update Action Ref",
 	"Drop deleted branch table",
 	"Fix PackageProperty typo",
 	"Allow archiving labels",
 	"Add Version to ActionRun table",
 	"Add Action Schedule Table",
 	"Add Actions artifacts expiration date",
 	"Add ScheduleID for ActionRun",
 	"Add RemoteAddress to mirrors",
 	"Add Index to issue_user.issue_id",
 	"Add Index to comment.dependent_issue_id",
 	"Add Index to action.user_id",
 	"Rename user themes",
 	"Add auth_token table",
 	"Add Index to pull_auto_merge.doer_id",
 	"Add combined Index to issue_user.uid and issue_id",
 	"Add ignore stale approval column on branch table",
 	"Add PreviousDuration to ActionRun",
 	"Add support for SHA256 git repositories",
 	"Use Slug instead of ID for Badges",
 	"Add user_blocking table",
 	"Add default_wiki_branch to repository table",
 	"Add PayloadVersion to HookTask",
 	"Add Index to attachment.comment_id",
 	"Ensure every project has exactly one default column - No Op",
 	"Ensure every project has exactly one default column",
 	"Add unique index for project issue table",
 	"Add commit status summary table",
 	"Add missing field of commit status summary table",
 	"Add everyone_access_mode for repo_unit",
 	"Drop wrongly created table o_auth2_application",
 	"Add content version to issue and comment table",
 	"Add force-push branch protection support",
 	"Add skip_secondary_authorization option to oauth2 application table",
 }
 // Version describes the version table. Should have only one row with id==1
 type Version struct {
 	ID      int64 `xorm:"pk autoincr"`
 	Version int64
 }
 func MigrateToXormigrate(x *xorm.Engine) error {
 	if err := x.Sync(new(Version)); err != nil {
 		return fmt.Errorf("sync: %w", err)
 	}
 	currentVersion := &Version{ID: 1}
 	has, err := x.Get(currentVersion)
 	if err != nil {
 		return fmt.Errorf("get: %w", err)
 	} else if !has {
 		// If the version record does not exist we think
 		// it is a fresh installation and we can skip all migrations.
 		currentVersion.ID = 0
 		currentVersion.Version = expectedVersion
 		if _, err = x.InsertOne(currentVersion); err != nil {
 			return fmt.Errorf("insert: %w", err)
 		}
 	}
 	v := currentVersion.Version
 	if minDBVersion > v {
 		log.Fatal(`Gitea no longer supports auto-migration from your previously installed version.
 Please try upgrading to a lower version first (suggested v1.6.4), then upgrade to this version.`)
 		return nil
 	}
 	// Downgrading Gitea's database version not supported
 	if int(v-minDBVersion) > oldMigrationsCount {
 		msg := fmt.Sprintf("Your database (migration version: %d) is for a newer Gitea, you can not use the newer database for this old Gitea release (%d).", v, expectedVersion)
 		msg += "\nGitea will exit to keep your database safe and unchanged. Please use the correct Gitea release, do not change the migration version manually (incorrect manual operation may lose data)."
 		if !setting.IsProd {
 			msg += fmt.Sprintf("\nIf you are in development and really know what you're doing, you can force changing the migration version by executing: UPDATE version SET version=%d WHERE id=1;", expectedVersion)
 		}
 		log.Fatal("Migration Error: %s", msg)
 		return nil
 	}
 	// Remove old version table
 	if err := x.DropTables(new(Version)); err != nil {
 		return err
 	}
 	// add migrations that already have been run
 	for _, i := range oldMigrationNames {
 		if _, err := x.Insert(&xormigrate.Migration{ID: i}); err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/modules/structs/user_app.go
+++ b/modules/structs/user_app.go
@ -31,21 +31,23 @@ type CreateAccessTokenOption struct {
 // CreateOAuth2ApplicationOptions holds options to create an oauth2 application
 type CreateOAuth2ApplicationOptions struct {
-	Name               string   `json:"name" binding:"Required"`
+	Name                       string   `json:"name" binding:"Required"`
-	ConfidentialClient bool     `json:"confidential_client"`
+	ConfidentialClient         bool     `json:"confidential_client"`
-	RedirectURIs       []string `json:"redirect_uris" binding:"Required"`
+	SkipSecondaryAuthorization bool     `json:"skip_secondary_authorization"`
 	RedirectURIs               []string `json:"redirect_uris" binding:"Required"`
 }
 // OAuth2Application represents an OAuth2 application.
 // swagger:response OAuth2Application
 type OAuth2Application struct {
-	ID                 int64     `json:"id"`
+	ID                         int64     `json:"id"`
-	Name               string    `json:"name"`
+	Name                       string    `json:"name"`
-	ClientID           string    `json:"client_id"`
+	ClientID                   string    `json:"client_id"`
-	ClientSecret       string    `json:"client_secret"`
+	ClientSecret               string    `json:"client_secret"`
-	ConfidentialClient bool      `json:"confidential_client"`
+	ConfidentialClient         bool      `json:"confidential_client"`
-	RedirectURIs       []string  `json:"redirect_uris"`
+	SkipSecondaryAuthorization bool      `json:"skip_secondary_authorization"`
-	Created            time.Time `json:"created"`
+	RedirectURIs               []string  `json:"redirect_uris"`
 	Created                    time.Time `json:"created"`
 }
 // OAuth2ApplicationList represents a list of OAuth2 applications.
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@ -914,6 +914,7 @@ create_oauth2_application_success = You have successfully created a new OAuth2 a
 update_oauth2_application_success = You have successfully updated the OAuth2 application.
 oauth2_application_name = Application Name
 oauth2_confidential_client = Confidential Client. Select for apps that keep the secret confidential, such as web apps. Do not select for native apps including desktop and mobile apps.
 oauth2_skip_secondary_authorization = Skip authorization for public clients after granting access once. <strong>May pose a security risk.</strong>
 oauth2_redirect_uris = Redirect URIs. Please use a new line for every URI.
 save_application = Save
 oauth2_client_id = Client ID
--- a/routers/api/v1/user/app.go
+++ b/routers/api/v1/user/app.go
@ -223,10 +223,11 @@ func CreateOauth2Application(ctx *context.APIContext) {
 	data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions)
 	app, err := auth_model.CreateOAuth2Application(ctx, auth_model.CreateOAuth2ApplicationOptions{
-		Name:               data.Name,
+		Name:                       data.Name,
-		UserID:             ctx.Doer.ID,
+		UserID:                     ctx.Doer.ID,
-		RedirectURIs:       data.RedirectURIs,
+		RedirectURIs:               data.RedirectURIs,
-		ConfidentialClient: data.ConfidentialClient,
+		ConfidentialClient:         data.ConfidentialClient,
 		SkipSecondaryAuthorization: data.SkipSecondaryAuthorization,
 	})
 	if err != nil {
 		ctx.Error(http.StatusBadRequest, "", "error creating oauth2 application")
@ -381,11 +382,12 @@ func UpdateOauth2Application(ctx *context.APIContext) {
 	data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions)
 	app, err := auth_model.UpdateOAuth2Application(ctx, auth_model.UpdateOAuth2ApplicationOptions{
-		Name:               data.Name,
+		Name:                       data.Name,
-		UserID:             ctx.Doer.ID,
+		UserID:                     ctx.Doer.ID,
-		ID:                 appID,
+		ID:                         appID,
-		RedirectURIs:       data.RedirectURIs,
+		RedirectURIs:               data.RedirectURIs,
-		ConfidentialClient: data.ConfidentialClient,
+		ConfidentialClient:         data.ConfidentialClient,
 		SkipSecondaryAuthorization: data.SkipSecondaryAuthorization,
 	})
 	if err != nil {
 		if auth_model.IsErrOauthClientIDInvalid(err) || auth_model.IsErrOAuthApplicationNotFound(err) {
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@ -469,9 +469,9 @@ func AuthorizeOAuth(ctx *context.Context) {
 		return
 	}
-	// Redirect if user already granted access and the application is confidential.
+	// Redirect if user already granted access and the application is confidential or trusted otherwise
-	// I.e. always require authorization for public clients as recommended by RFC 6749 Section 10.2
+	// I.e. always require authorization for untrusted public clients as recommended by RFC 6749 Section 10.2
-	if app.ConfidentialClient && grant != nil {
+	if (app.ConfidentialClient || app.SkipSecondaryAuthorization) && grant != nil {
 		code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
 		if err != nil {
 			handleServerError(ctx, form.State, form.RedirectURI)
--- a/routers/web/user/setting/oauth2_common.go
+++ b/routers/web/user/setting/oauth2_common.go
@ -49,10 +49,11 @@ func (oa *OAuth2CommonHandlers) AddApp(ctx *context.Context) {
 	// TODO validate redirect URI
 	app, err := auth.CreateOAuth2Application(ctx, auth.CreateOAuth2ApplicationOptions{
-		Name:               form.Name,
+		Name:                       form.Name,
-		RedirectURIs:       util.SplitTrimSpace(form.RedirectURIs, "\n"),
+		RedirectURIs:               util.SplitTrimSpace(form.RedirectURIs, "\n"),
-		UserID:             oa.OwnerID,
+		UserID:                     oa.OwnerID,
-		ConfidentialClient: form.ConfidentialClient,
+		ConfidentialClient:         form.ConfidentialClient,
 		SkipSecondaryAuthorization: form.SkipSecondaryAuthorization,
 	})
 	if err != nil {
 		ctx.ServerError("CreateOAuth2Application", err)
@ -102,11 +103,12 @@ func (oa *OAuth2CommonHandlers) EditSave(ctx *context.Context) {
 	// TODO validate redirect URI
 	var err error
 	if ctx.Data["App"], err = auth.UpdateOAuth2Application(ctx, auth.UpdateOAuth2ApplicationOptions{
-		ID:                 ctx.PathParamInt64("id"),
+		ID:                         ctx.PathParamInt64("id"),
-		Name:               form.Name,
+		Name:                       form.Name,
-		RedirectURIs:       util.SplitTrimSpace(form.RedirectURIs, "\n"),
+		RedirectURIs:               util.SplitTrimSpace(form.RedirectURIs, "\n"),
-		UserID:             oa.OwnerID,
+		UserID:                     oa.OwnerID,
-		ConfidentialClient: form.ConfidentialClient,
+		ConfidentialClient:         form.ConfidentialClient,
 		SkipSecondaryAuthorization: form.SkipSecondaryAuthorization,
 	}); err != nil {
 		ctx.ServerError("UpdateOAuth2Application", err)
 		return
--- a/services/convert/convert.go
+++ b/services/convert/convert.go
@ -455,13 +455,14 @@ func ToTopicResponse(topic *repo_model.Topic) *api.TopicResponse {
 // ToOAuth2Application convert from auth.OAuth2Application to api.OAuth2Application
 func ToOAuth2Application(app *auth.OAuth2Application) *api.OAuth2Application {
 	return &api.OAuth2Application{
-		ID:                 app.ID,
+		ID:                         app.ID,
-		Name:               app.Name,
+		Name:                       app.Name,
-		ClientID:           app.ClientID,
+		ClientID:                   app.ClientID,
-		ClientSecret:       app.ClientSecret,
+		ClientSecret:               app.ClientSecret,
-		ConfidentialClient: app.ConfidentialClient,
+		ConfidentialClient:         app.ConfidentialClient,
-		RedirectURIs:       app.RedirectURIs,
+		SkipSecondaryAuthorization: app.SkipSecondaryAuthorization,
-		Created:            app.CreatedUnix.AsTime(),
+		RedirectURIs:               app.RedirectURIs,
 		Created:                    app.CreatedUnix.AsTime(),
 	}
 }
--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
@ -365,9 +365,10 @@ func (f *NewAccessTokenForm) GetScope() (auth_model.AccessTokenScope, error) {
 // EditOAuth2ApplicationForm form for editing oauth2 applications
 type EditOAuth2ApplicationForm struct {
-	Name               string `binding:"Required;MaxSize(255)" form:"application_name"`
+	Name                       string `binding:"Required;MaxSize(255)" form:"application_name"`
-	RedirectURIs       string `binding:"Required" form:"redirect_uris"`
+	RedirectURIs               string `binding:"Required" form:"redirect_uris"`
-	ConfidentialClient bool   `form:"confidential_client"`
+	ConfidentialClient         bool   `form:"confidential_client"`
 	SkipSecondaryAuthorization bool   `form:"skip_secondary_authorization"`
 }
 // Validate validates the fields
--- a/services/repository/branch.go
+++ b/services/repository/branch.go
@ -147,6 +147,23 @@ func DelDivergenceFromCache(repoID int64, branchName string) error {
 	return cache.GetCache().Delete(getDivergenceCacheKey(repoID, branchName))
 }
 // DelRepoDivergenceFromCache deletes all divergence caches of a repository
 func DelRepoDivergenceFromCache(ctx context.Context, repoID int64) error {
 	dbBranches, err := db.Find[git_model.Branch](ctx, git_model.FindBranchOptions{
 		RepoID:      repoID,
 		ListOptions: db.ListOptionsAll,
 	})
 	if err != nil {
 		return err
 	}
 	for i := range dbBranches {
 		if err := DelDivergenceFromCache(repoID, dbBranches[i].Name); err != nil {
 			log.Error("DelDivergenceFromCache: %v", err)
 		}
 	}
 	return nil
 }
 func loadOneBranch(ctx context.Context, repo *repo_model.Repository, dbBranch *git_model.Branch, protectedBranches *git_model.ProtectedBranchRules,
 	repoIDToRepo map[int64]*repo_model.Repository,
 	repoIDToGitRepo map[int64]*git.Repository,
--- a/services/repository/push.go
+++ b/services/repository/push.go
@ -221,8 +221,14 @@ func pushUpdates(optsList []*repo_module.PushUpdateOptions) error {
 				}
 				// delete cache for divergence
-				if err := DelDivergenceFromCache(repo.ID, branch); err != nil {
+				if branch == repo.DefaultBranch {
-					log.Error("DelDivergenceFromCache: %v", err)
+					if err := DelRepoDivergenceFromCache(ctx, repo.ID); err != nil {
 						log.Error("DelRepoDivergenceFromCache: %v", err)
 					}
 				} else {
 					if err := DelDivergenceFromCache(repo.ID, branch); err != nil {
 						log.Error("DelDivergenceFromCache: %v", err)
 					}
 				}
 				commits := repo_module.GitToPushCommits(l)
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -19875,6 +19875,10 @@
            "type": "string"
          },
          "x-go-name": "RedirectURIs"
        },
        "skip_secondary_authorization": {
          "type": "boolean",
          "x-go-name": "SkipSecondaryAuthorization"
        }
      },
      "x-go-package": "code.gitea.io/gitea/modules/structs"
@ -23002,6 +23006,10 @@
            "type": "string"
          },
          "x-go-name": "RedirectURIs"
        },
        "skip_secondary_authorization": {
          "type": "boolean",
          "x-go-name": "SkipSecondaryAuthorization"
        }
      },
      "x-go-package": "code.gitea.io/gitea/modules/structs"
--- a/templates/user/settings/applications_oauth2_edit_form.tmpl
+++ b/templates/user/settings/applications_oauth2_edit_form.tmpl
@ -44,7 +44,13 @@
 		<div class="field {{if .Err_ConfidentialClient}}error{{end}}">
 			<div class="ui checkbox">
 				<label>{{ctx.Locale.Tr "settings.oauth2_confidential_client"}}</label>
-				<input type="checkbox" name="confidential_client" {{if .App.ConfidentialClient}}checked{{end}}>
+				<input class="disable-setting" type="checkbox" name="confidential_client" data-target="#skip-secondary-authorization" {{if .App.ConfidentialClient}}checked{{end}}>
 			</div>
 		</div>
 		<div class="field {{if .Err_SkipSecondaryAuthorization}}error{{end}} {{if .App.ConfidentialClient}}disabled{{end}}" id="skip-secondary-authorization">
 			<div class="ui checkbox">
 				<label>{{ctx.Locale.Tr "settings.oauth2_skip_secondary_authorization"}}</label>
 				<input type="checkbox" name="skip_secondary_authorization" {{if .App.SkipSecondaryAuthorization}}checked{{end}}>
 			</div>
 		</div>
 		<button class="ui primary button">
--- a/templates/user/settings/applications_oauth2_list.tmpl
+++ b/templates/user/settings/applications_oauth2_list.tmpl
@ -64,7 +64,13 @@
 		<div class="field {{if .Err_ConfidentialClient}}error{{end}}">
 			<div class="ui checkbox">
 				<label>{{ctx.Locale.Tr "settings.oauth2_confidential_client"}}</label>
-				<input type="checkbox" name="confidential_client" checked>
+				<input class="disable-setting" type="checkbox" name="confidential_client" data-target="#skip-secondary-authorization" checked>
 			</div>
 		</div>
 		<div class="field {{if .Err_SkipSecondaryAuthorization}}error{{end}} disabled" id="skip-secondary-authorization">
 			<div class="ui checkbox">
 				<label>{{ctx.Locale.Tr "settings.oauth2_skip_secondary_authorization"}}</label>
 				<input type="checkbox" name="skip_secondary_authorization">
 			</div>
 		</div>
 		<button class="ui primary button">
--- a/web_src/js/features/oauth2-settings.ts
+++ b/web_src/js/features/oauth2-settings.ts
@ -0,0 +1,5 @@
 export function initOAuth2SettingsDisableCheckbox() {
  for (const e of document.querySelectorAll('.disable-setting')) e.addEventListener('change', ({target}) => {
    document.querySelector(e.getAttribute('data-target')).classList.toggle('disabled', target.checked);
  });
 }
--- a/web_src/js/index.ts
+++ b/web_src/js/index.ts
@ -78,6 +78,7 @@ import {initDirAuto} from './modules/dirauto.ts';
 import {initRepositorySearch} from './features/repo-search.ts';
 import {initColorPickers} from './features/colorpicker.ts';
 import {initAdminSelfCheck} from './features/admin/selfcheck.ts';
 import {initOAuth2SettingsDisableCheckbox} from './features/oauth2-settings.ts';
 import {initGlobalFetchAction} from './features/common-fetch-action.ts';
 import {
  initFootLanguageMenu,
@ -225,5 +226,7 @@ onDomReady(() => {
    initPdfViewer,
    initScopedAccessTokenCategories,
    initColorPickers,
    initOAuth2SettingsDisableCheckbox,
  ]);
 });