Merge pull request '[gitea] week 2024-32 cherry pick (gitea/main -> forgejo)' (#4801) from earl-warren/wcp/2024-32 into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4801 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-06 05:47:20 +00:00 · 2024-08-06 05:47:20 +00:00 · 517637137c
commit 517637137c
parent fb311fcf10 359f712b46
46 changed files with 661 additions and 179 deletions
--- a/.deadcode-out
+++ b/.deadcode-out
@ -74,10 +74,6 @@ code.gitea.io/gitea/models/project
 code.gitea.io/gitea/models/repo
 	DeleteAttachmentsByIssue
 	releaseSorter.Len
 	releaseSorter.Less
 	releaseSorter.Swap
 	SortReleases
 	FindReposMapByIDs
 	IsErrTopicNotExist
 	ErrTopicNotExist.Error
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -2774,7 +2774,9 @@ LEVEL = Info
 ;ENABLED = true
 ;; Default address to get action plugins, e.g. the default value means downloading from "https://code.forgejo.org/actions/checkout" for "uses: actions/checkout@v3"
 ;DEFAULT_ACTIONS_URL = https://code.forgejo.org
-;; Default artifact retention time in days, default is 90 days
+;; Logs retention time in days. Old logs will be deleted after this period.
 ;LOG_RETENTION_DAYS = 365
 ;; Default artifact retention time in days. Artifacts could have their own retention periods by setting the `retention-days` option in `actions/upload-artifact` step.
 ;ARTIFACT_RETENTION_DAYS = 90
 ;; Timeout to stop the task which have running status, but haven't been updated for a long time
 ;ZOMBIE_TASK_TIMEOUT = 10m
--- a/models/actions/runner.go
+++ b/models/actions/runner.go
@ -26,14 +26,25 @@ import (
 )
 // ActionRunner represents runner machines
 //
 // It can be:
 //  1. global runner, OwnerID is 0 and RepoID is 0
 //  2. org/user level runner, OwnerID is org/user ID and RepoID is 0
 //  3. repo level runner, OwnerID is 0 and RepoID is repo ID
 //
 // Please note that it's not acceptable to have both OwnerID and RepoID to be non-zero,
 // or it will be complicated to find runners belonging to a specific owner.
 // For example, conditions like `OwnerID = 1` will also return runner {OwnerID: 1, RepoID: 1},
 // but it's a repo level runner, not an org/user level runner.
 // To avoid this, make it clear with {OwnerID: 0, RepoID: 1} for repo level runners.
 type ActionRunner struct {
 	ID          int64
 	UUID        string                 `xorm:"CHAR(36) UNIQUE"`
 	Name        string                 `xorm:"VARCHAR(255)"`
 	Version     string                 `xorm:"VARCHAR(64)"`
-	OwnerID     int64                  `xorm:"index"` // org level runner, 0 means system
+	OwnerID     int64                  `xorm:"index"`
 	Owner       *user_model.User       `xorm:"-"`
-	RepoID      int64                  `xorm:"index"` // repo level runner, if OwnerID also is zero, then it's a global
+	RepoID      int64                  `xorm:"index"`
 	Repo        *repo_model.Repository `xorm:"-"`
 	Description string                 `xorm:"TEXT"`
 	Base        int                    // 0 native 1 docker 2 virtual machine
@ -176,7 +187,7 @@ func init() {
 type FindRunnerOptions struct {
 	db.ListOptions
 	RepoID        int64
-	OwnerID       int64
+	OwnerID       int64 // it will be ignored if RepoID is set
 	Sort          string
 	Filter        string
 	IsOnline      optional.Option[bool]
@ -193,8 +204,7 @@ func (opts FindRunnerOptions) ToConds() builder.Cond {
 			c = c.Or(builder.Eq{"repo_id": 0, "owner_id": 0})
 		}
 		cond = cond.And(c)
-	}
+	} else if opts.OwnerID > 0 { // OwnerID is ignored if RepoID is set
 	if opts.OwnerID > 0 {
 		c := builder.NewCond().And(builder.Eq{"owner_id": opts.OwnerID})
 		if opts.WithAvailable {
 			c = c.Or(builder.Eq{"repo_id": 0, "owner_id": 0})
@ -297,6 +307,11 @@ func DeleteRunner(ctx context.Context, id int64) error {
 // CreateRunner creates new runner.
 func CreateRunner(ctx context.Context, t *ActionRunner) error {
 	if t.OwnerID != 0 && t.RepoID != 0 {
 		// It's trying to create a runner that belongs to a repository, but OwnerID has been set accidentally.
 		// Remove OwnerID to avoid confusion; it's not worth returning an error here.
 		t.OwnerID = 0
 	}
 	return db.Insert(ctx, t)
 }
--- a/models/actions/runner_token.go
+++ b/models/actions/runner_token.go
@ -15,12 +15,23 @@ import (
 )
 // ActionRunnerToken represents runner tokens
 //
 // It can be:
 //  1. global token, OwnerID is 0 and RepoID is 0
 //  2. org/user level token, OwnerID is org/user ID and RepoID is 0
 //  3. repo level token, OwnerID is 0 and RepoID is repo ID
 //
 // Please note that it's not acceptable to have both OwnerID and RepoID to be non-zero,
 // or it will be complicated to find tokens belonging to a specific owner.
 // For example, conditions like `OwnerID = 1` will also return token {OwnerID: 1, RepoID: 1},
 // but it's a repo level token, not an org/user level token.
 // To avoid this, make it clear with {OwnerID: 0, RepoID: 1} for repo level tokens.
 type ActionRunnerToken struct {
 	ID       int64
 	Token    string                 `xorm:"UNIQUE"`
-	OwnerID  int64                  `xorm:"index"` // org level runner, 0 means system
+	OwnerID  int64                  `xorm:"index"`
 	Owner    *user_model.User       `xorm:"-"`
-	RepoID   int64                  `xorm:"index"` // repo level runner, if orgid also is zero, then it's a global
+	RepoID   int64                  `xorm:"index"`
 	Repo     *repo_model.Repository `xorm:"-"`
 	IsActive bool                   // true means it can be used
@ -58,7 +69,14 @@ func UpdateRunnerToken(ctx context.Context, r *ActionRunnerToken, cols ...string
 }
 // NewRunnerToken creates a new active runner token and invalidate all old tokens
 // ownerID will be ignored and treated as 0 if repoID is non-zero.
 func NewRunnerToken(ctx context.Context, ownerID, repoID int64) (*ActionRunnerToken, error) {
 	if ownerID != 0 && repoID != 0 {
 		// It's trying to create a runner token that belongs to a repository, but OwnerID has been set accidentally.
 		// Remove OwnerID to avoid confusion; it's not worth returning an error here.
 		ownerID = 0
 	}
 	token, err := util.CryptoRandomString(40)
 	if err != nil {
 		return nil, err
@ -84,6 +102,12 @@ func NewRunnerToken(ctx context.Context, ownerID, repoID int64) (*ActionRunnerTo
 // GetLatestRunnerToken returns the latest runner token
 func GetLatestRunnerToken(ctx context.Context, ownerID, repoID int64) (*ActionRunnerToken, error) {
 	if ownerID != 0 && repoID != 0 {
 		// It's trying to get a runner token that belongs to a repository, but OwnerID has been set accidentally.
 		// Remove OwnerID to avoid confusion; it's not worth returning an error here.
 		ownerID = 0
 	}
 	var runnerToken ActionRunnerToken
 	has, err := db.GetEngine(ctx).Where("owner_id=? AND repo_id=?", ownerID, repoID).
 		OrderBy("id DESC").Get(&runnerToken)
--- a/models/actions/schedule.go
+++ b/models/actions/schedule.go
@ -13,8 +13,6 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/timeutil"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 	"github.com/robfig/cron/v3"
 )
 // ActionSchedule represents a schedule of a workflow file
@ -53,8 +51,6 @@ func GetReposMapByIDs(ctx context.Context, ids []int64) (map[int64]*repo_model.R
 	return repos, db.GetEngine(ctx).In("id", ids).Find(&repos)
 }
 var cronParser = cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor)
 // CreateScheduleTask creates new schedule task.
 func CreateScheduleTask(ctx context.Context, rows []*ActionSchedule) error {
 	// Return early if there are no rows to insert
@ -80,19 +76,21 @@ func CreateScheduleTask(ctx context.Context, rows []*ActionSchedule) error {
 		now := time.Now()
 		for _, spec := range row.Specs {
 			specRow := &ActionScheduleSpec{
 				RepoID:     row.RepoID,
 				ScheduleID: row.ID,
 				Spec:       spec,
 			}
 			// Parse the spec and check for errors
-			schedule, err := cronParser.Parse(spec)
+			schedule, err := specRow.Parse()
 			if err != nil {
 				continue // skip to the next spec if there's an error
 			}
 			specRow.Next = timeutil.TimeStamp(schedule.Next(now).Unix())
 			// Insert the new schedule spec row
-			if err = db.Insert(ctx, &ActionScheduleSpec{
+			if err = db.Insert(ctx, specRow); err != nil {
 				RepoID:     row.RepoID,
 				ScheduleID: row.ID,
 				Spec:       spec,
 				Next:       timeutil.TimeStamp(schedule.Next(now).Unix()),
 			}); err != nil {
 				return err
 			}
 		}
--- a/models/actions/schedule_spec.go
+++ b/models/actions/schedule_spec.go
@ -5,6 +5,8 @@ package actions
 import (
 	"context"
 	"strings"
 	"time"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
@ -32,8 +34,29 @@ type ActionScheduleSpec struct {
 	Updated timeutil.TimeStamp `xorm:"updated"`
 }
 // Parse parses the spec and returns a cron.Schedule
 // Unlike the default cron parser, Parse uses UTC timezone as the default if none is specified.
 func (s *ActionScheduleSpec) Parse() (cron.Schedule, error) {
-	return cronParser.Parse(s.Spec)
+	parser := cron.NewParser(cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor)
 	schedule, err := parser.Parse(s.Spec)
 	if err != nil {
 		return nil, err
 	}
 	// If the spec has specified a timezone, use it
 	if strings.HasPrefix(s.Spec, "TZ=") || strings.HasPrefix(s.Spec, "CRON_TZ=") {
 		return schedule, nil
 	}
 	specSchedule, ok := schedule.(*cron.SpecSchedule)
 	// If it's not a spec schedule, like "@every 5m", timezone is not relevant
 	if !ok {
 		return schedule, nil
 	}
 	// Set the timezone to UTC
 	specSchedule.Location = time.UTC
 	return specSchedule, nil
 }
 func init() {
--- a/models/actions/schedule_spec_test.go
+++ b/models/actions/schedule_spec_test.go
@ -0,0 +1,71 @@
 // Copyright 2024 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package actions
 import (
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestActionScheduleSpec_Parse(t *testing.T) {
 	// Mock the local timezone is not UTC
 	local := time.Local
 	tz, err := time.LoadLocation("Asia/Shanghai")
 	require.NoError(t, err)
 	defer func() {
 		time.Local = local
 	}()
 	time.Local = tz
 	now, err := time.Parse(time.RFC3339, "2024-07-31T15:47:55+08:00")
 	require.NoError(t, err)
 	tests := []struct {
 		name    string
 		spec    string
 		want    string
 		wantErr assert.ErrorAssertionFunc
 	}{
 		{
 			name:    "regular",
 			spec:    "0 10 * * *",
 			want:    "2024-07-31T10:00:00Z",
 			wantErr: assert.NoError,
 		},
 		{
 			name:    "invalid",
 			spec:    "0 10 * *",
 			want:    "",
 			wantErr: assert.Error,
 		},
 		{
 			name:    "with timezone",
 			spec:    "TZ=America/New_York 0 10 * * *",
 			want:    "2024-07-31T14:00:00Z",
 			wantErr: assert.NoError,
 		},
 		{
 			name:    "timezone irrelevant",
 			spec:    "@every 5m",
 			want:    "2024-07-31T07:52:55Z",
 			wantErr: assert.NoError,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			s := &ActionScheduleSpec{
 				Spec: tt.spec,
 			}
 			got, err := s.Parse()
 			tt.wantErr(t, err)
 			if err == nil {
 				assert.Equal(t, tt.want, got.Next(now).UTC().Format(time.RFC3339))
 			}
 		})
 	}
 }
--- a/models/actions/task.go
+++ b/models/actions/task.go
@ -35,7 +35,7 @@ type ActionTask struct {
 	RunnerID int64              `xorm:"index"`
 	Status   Status             `xorm:"index"`
 	Started  timeutil.TimeStamp `xorm:"index"`
-	Stopped  timeutil.TimeStamp
+	Stopped  timeutil.TimeStamp `xorm:"index(stopped_log_expired)"`
 	RepoID            int64  `xorm:"index"`
 	OwnerID           int64  `xorm:"index"`
@ -51,8 +51,8 @@ type ActionTask struct {
 	LogInStorage bool       // read log from database or from storage
 	LogLength    int64      // lines count
 	LogSize      int64      // blob size
-	LogIndexes   LogIndexes `xorm:"LONGBLOB"` // line number to offset
+	LogIndexes   LogIndexes `xorm:"LONGBLOB"`                   // line number to offset
-	LogExpired   bool       // files that are too old will be deleted
+	LogExpired   bool       `xorm:"index(stopped_log_expired)"` // files that are too old will be deleted
 	Created timeutil.TimeStamp `xorm:"created"`
 	Updated timeutil.TimeStamp `xorm:"updated index"`
@ -470,6 +470,16 @@ func StopTask(ctx context.Context, taskID int64, status Status) error {
 	return nil
 }
 func FindOldTasksToExpire(ctx context.Context, olderThan timeutil.TimeStamp, limit int) ([]*ActionTask, error) {
 	e := db.GetEngine(ctx)
 	tasks := make([]*ActionTask, 0, limit)
 	// Check "stopped > 0" to avoid deleting tasks that are still running
 	return tasks, e.Where("stopped > 0 AND stopped < ? AND log_expired = ?", olderThan, false).
 		Limit(limit).
 		Find(&tasks)
 }
 func isSubset(set, subset []string) bool {
 	m := make(container.Set[string], len(set))
 	for _, v := range set {
--- a/models/actions/variable.go
+++ b/models/actions/variable.go
@ -5,7 +5,6 @@ package actions
 import (
 	"context"
 	"errors"
 	"strings"
 	"code.gitea.io/gitea/models/db"
@ -15,6 +14,18 @@ import (
 	"xorm.io/builder"
 )
 // ActionVariable represents a variable that can be used in actions
 //
 // It can be:
 //  1. global variable, OwnerID is 0 and RepoID is 0
 //  2. org/user level variable, OwnerID is org/user ID and RepoID is 0
 //  3. repo level variable, OwnerID is 0 and RepoID is repo ID
 //
 // Please note that it's not acceptable to have both OwnerID and RepoID to be non-zero,
 // or it will be complicated to find variables belonging to a specific owner.
 // For example, conditions like `OwnerID = 1` will also return variable {OwnerID: 1, RepoID: 1},
 // but it's a repo level variable, not an org/user level variable.
 // To avoid this, make it clear with {OwnerID: 0, RepoID: 1} for repo level variables.
 type ActionVariable struct {
 	ID          int64              `xorm:"pk autoincr"`
 	OwnerID     int64              `xorm:"UNIQUE(owner_repo_name)"`
@ -29,30 +40,26 @@ func init() {
 	db.RegisterModel(new(ActionVariable))
 }
 func (v *ActionVariable) Validate() error {
 	if v.OwnerID != 0 && v.RepoID != 0 {
 		return errors.New("a variable should not be bound to an owner and a repository at the same time")
 	}
 	return nil
 }
 func InsertVariable(ctx context.Context, ownerID, repoID int64, name, data string) (*ActionVariable, error) {
 	if ownerID != 0 && repoID != 0 {
 		// It's trying to create a variable that belongs to a repository, but OwnerID has been set accidentally.
 		// Remove OwnerID to avoid confusion; it's not worth returning an error here.
 		ownerID = 0
 	}
 	variable := &ActionVariable{
 		OwnerID: ownerID,
 		RepoID:  repoID,
 		Name:    strings.ToUpper(name),
 		Data:    data,
 	}
 	if err := variable.Validate(); err != nil {
 		return variable, err
 	}
 	return variable, db.Insert(ctx, variable)
 }
 type FindVariablesOpts struct {
 	db.ListOptions
 	OwnerID int64
 	RepoID  int64
 	OwnerID int64 // it will be ignored if RepoID is set
 	Name    string
 }
@ -60,8 +67,13 @@ func (opts FindVariablesOpts) ToConds() builder.Cond {
 	cond := builder.NewCond()
 	// Since we now support instance-level variables,
 	// there is no need to check for null values for `owner_id` and `repo_id`
 	cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	if opts.RepoID != 0 { // if RepoID is set
 		// ignore OwnerID and treat it as 0
 		cond = cond.And(builder.Eq{"owner_id": 0})
 	} else {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
 	if opts.Name != "" {
 		cond = cond.And(builder.Eq{"name": strings.ToUpper(opts.Name)})
--- a/models/git/branch.go
+++ b/models/git/branch.go
@ -385,6 +385,13 @@ func RenameBranch(ctx context.Context, repo *repo_model.Repository, from, to str
 		return err
 	}
 	// 4.1 Update all not merged pull request head branch name
 	if _, err = sess.Table("pull_request").Where("head_repo_id=? AND head_branch=? AND has_merged=?",
 		repo.ID, from, false).
 		Update(map[string]any{"head_branch": to}); err != nil {
 		return err
 	}
 	// 5. insert renamed branch record
 	renamedBranch := &RenamedBranch{
 		RepoID: repo.ID,
--- a/models/git/commit_status.go
+++ b/models/git/commit_status.go
@ -141,13 +141,17 @@ func GetNextCommitStatusIndex(ctx context.Context, repoID int64, sha string) (in
 	return newIdx, nil
 }
-func (status *CommitStatus) loadAttributes(ctx context.Context) (err error) {
+func (status *CommitStatus) loadRepository(ctx context.Context) (err error) {
 	if status.Repo == nil {
 		status.Repo, err = repo_model.GetRepositoryByID(ctx, status.RepoID)
 		if err != nil {
 			return fmt.Errorf("getRepositoryByID [%d]: %w", status.RepoID, err)
 		}
 	}
 	return nil
 }
 func (status *CommitStatus) loadCreator(ctx context.Context) (err error) {
 	if status.Creator == nil && status.CreatorID > 0 {
 		status.Creator, err = user_model.GetUserByID(ctx, status.CreatorID)
 		if err != nil {
@ -157,6 +161,13 @@ func (status *CommitStatus) loadAttributes(ctx context.Context) (err error) {
 	return nil
 }
 func (status *CommitStatus) loadAttributes(ctx context.Context) (err error) {
 	if err := status.loadRepository(ctx); err != nil {
 		return err
 	}
 	return status.loadCreator(ctx)
 }
 // APIURL returns the absolute APIURL to this commit-status.
 func (status *CommitStatus) APIURL(ctx context.Context) string {
 	_ = status.loadAttributes(ctx)
@ -168,6 +179,25 @@ func (status *CommitStatus) LocaleString(lang translation.Locale) string {
 	return lang.TrString("repo.commitstatus." + status.State.String())
 }
 // HideActionsURL set `TargetURL` to an empty string if the status comes from Gitea Actions
 func (status *CommitStatus) HideActionsURL(ctx context.Context) {
 	if status.RepoID == 0 {
 		return
 	}
 	if status.Repo == nil {
 		if err := status.loadRepository(ctx); err != nil {
 			log.Error("loadRepository: %v", err)
 			return
 		}
 	}
 	prefix := fmt.Sprintf("%s/actions", status.Repo.Link())
 	if strings.HasPrefix(status.TargetURL, prefix) {
 		status.TargetURL = ""
 	}
 }
 // CalcCommitStatus returns commit status state via some status, the commit statues should order by id desc
 func CalcCommitStatus(statuses []*CommitStatus) *CommitStatus {
 	if len(statuses) == 0 {
@ -471,3 +501,19 @@ func ConvertFromGitCommit(ctx context.Context, commits []*git.Commit, repo *repo
 		repo,
 	)
 }
 // CommitStatusesHideActionsURL hide Gitea Actions urls
 func CommitStatusesHideActionsURL(ctx context.Context, statuses []*CommitStatus) {
 	idToRepos := make(map[int64]*repo_model.Repository)
 	for _, status := range statuses {
 		if status == nil {
 			continue
 		}
 		if status.Repo == nil {
 			status.Repo = idToRepos[status.RepoID]
 		}
 		status.HideActionsURL(ctx)
 		idToRepos[status.RepoID] = status.Repo
 	}
 }
--- a/models/git/commit_status_test.go
+++ b/models/git/commit_status_test.go
@ -4,9 +4,11 @@
 package git_test
 import (
 	"fmt"
 	"testing"
 	"time"
 	actions_model "code.gitea.io/gitea/models/actions"
 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
 	repo_model "code.gitea.io/gitea/models/repo"
@ -240,3 +242,26 @@ func TestFindRepoRecentCommitStatusContexts(t *testing.T) {
 		assert.Equal(t, "compliance/lint-backend", contexts[0])
 	}
 }
 func TestCommitStatusesHideActionsURL(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
 	run := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRun{ID: 791, RepoID: repo.ID})
 	require.NoError(t, run.LoadAttributes(db.DefaultContext))
 	statuses := []*git_model.CommitStatus{
 		{
 			RepoID:    repo.ID,
 			TargetURL: fmt.Sprintf("%s/jobs/%d", run.Link(), run.Index),
 		},
 		{
 			RepoID:    repo.ID,
 			TargetURL: "https://mycicd.org/1",
 		},
 	}
 	git_model.CommitStatusesHideActionsURL(db.DefaultContext, statuses)
 	assert.Empty(t, statuses[0].TargetURL)
 	assert.Equal(t, "https://mycicd.org/1", statuses[1].TargetURL)
 }
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@ -593,6 +593,12 @@ var migrations = []Migration{
 	// v299 -> v300
 	NewMigration("Add content version to issue and comment table", v1_23.AddContentVersionToIssueAndComment),
 	// v300 -> v301
 	NewMigration("Add force-push branch protection support", v1_23.AddForcePushBranchProtection),
 	// v301 -> v302
 	NewMigration("Add skip_secondary_authorization option to oauth2 application table", v1_23.AddSkipSecondaryAuthColumnToOAuth2ApplicationTable),
 	// v302 -> v303
 	NewMigration("Add index to action_task stopped log_expired", v1_23.AddIndexToActionTaskStoppedLogExpired),
 }
 // GetCurrentDBVersion returns the current db version
--- a/models/migrations/v1_23/v300.go
+++ b/models/migrations/v1_23/v300.go
@ -0,0 +1,17 @@
 // Copyright 2024 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package v1_23 //nolint
 import "xorm.io/xorm"
 func AddForcePushBranchProtection(x *xorm.Engine) error {
 	type ProtectedBranch struct {
 		CanForcePush                 bool    `xorm:"NOT NULL DEFAULT false"`
 		EnableForcePushAllowlist     bool    `xorm:"NOT NULL DEFAULT false"`
 		ForcePushAllowlistUserIDs    []int64 `xorm:"JSON TEXT"`
 		ForcePushAllowlistTeamIDs    []int64 `xorm:"JSON TEXT"`
 		ForcePushAllowlistDeployKeys bool    `xorm:"NOT NULL DEFAULT false"`
 	}
 	return x.Sync(new(ProtectedBranch))
 }
--- a/models/migrations/v1_23/v301.go
+++ b/models/migrations/v1_23/v301.go
@ -0,0 +1,14 @@
 // Copyright 2024 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package v1_23 //nolint
 import "xorm.io/xorm"
 // AddSkipSeconderyAuthToOAuth2ApplicationTable: add SkipSecondaryAuthorization column, setting existing rows to false
 func AddSkipSecondaryAuthColumnToOAuth2ApplicationTable(x *xorm.Engine) error {
 	type oauth2Application struct {
 		SkipSecondaryAuthorization bool `xorm:"NOT NULL DEFAULT FALSE"`
 	}
 	return x.Sync(new(oauth2Application))
 }
--- a/models/migrations/v1_23/v302.go
+++ b/models/migrations/v1_23/v302.go
@ -0,0 +1,18 @@
 // Copyright 2024 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package v1_23 //nolint
 import (
 	"code.gitea.io/gitea/modules/timeutil"
 	"xorm.io/xorm"
 )
 func AddIndexToActionTaskStoppedLogExpired(x *xorm.Engine) error {
 	type ActionTask struct {
 		Stopped    timeutil.TimeStamp `xorm:"index(stopped_log_expired)"`
 		LogExpired bool               `xorm:"index(stopped_log_expired)"`
 	}
 	return x.Sync(new(ActionTask))
 }
--- a/models/project/project.go
+++ b/models/project/project.go
@ -103,6 +103,13 @@ type Project struct {
 	ClosedDateUnix timeutil.TimeStamp
 }
 // Ghost Project is a project which has been deleted
 const GhostProjectID = -1
 func (p *Project) IsGhost() bool {
 	return p.ID == GhostProjectID
 }
 func (p *Project) LoadOwner(ctx context.Context) (err error) {
 	if p.Owner != nil {
 		return nil
--- a/models/repo/release.go
+++ b/models/repo/release.go
@ -413,32 +413,6 @@ func GetReleaseAttachments(ctx context.Context, rels ...*Release) (err error) {
 	return err
 }
 type releaseSorter struct {
 	rels []*Release
 }
 func (rs *releaseSorter) Len() int {
 	return len(rs.rels)
 }
 func (rs *releaseSorter) Less(i, j int) bool {
 	diffNum := rs.rels[i].NumCommits - rs.rels[j].NumCommits
 	if diffNum != 0 {
 		return diffNum > 0
 	}
 	return rs.rels[i].CreatedUnix > rs.rels[j].CreatedUnix
 }
 func (rs *releaseSorter) Swap(i, j int) {
 	rs.rels[i], rs.rels[j] = rs.rels[j], rs.rels[i]
 }
 // SortReleases sorts releases by number of commits and created time.
 func SortReleases(rels []*Release) {
 	sorter := &releaseSorter{rels: rels}
 	sort.Sort(sorter)
 }
 // UpdateReleasesMigrationsByType updates all migrated repositories' releases from gitServiceType to replace originalAuthorID to posterID
 func UpdateReleasesMigrationsByType(ctx context.Context, gitServiceType structs.GitServiceType, originalAuthorID string, posterID int64) error {
 	_, err := db.GetEngine(ctx).Table("release").
--- a/models/repo/repo.go
+++ b/models/repo/repo.go
@ -766,17 +766,18 @@ func GetRepositoryByOwnerAndName(ctx context.Context, ownerName, repoName string
 // GetRepositoryByName returns the repository by given name under user if exists.
 func GetRepositoryByName(ctx context.Context, ownerID int64, name string) (*Repository, error) {
-	repo := &Repository{
+	var repo Repository
-		OwnerID:   ownerID,
+	has, err := db.GetEngine(ctx).
-		LowerName: strings.ToLower(name),
+		Where("`owner_id`=?", ownerID).
-	}
+		And("`lower_name`=?", strings.ToLower(name)).
-	has, err := db.GetEngine(ctx).Get(repo)
+		NoAutoCondition().
 		Get(&repo)
 	if err != nil {
 		return nil, err
 	} else if !has {
 		return nil, ErrRepoNotExist{0, ownerID, "", name}
 	}
-	return repo, err
+	return &repo, err
 }
 // getRepositoryURLPathSegments returns segments (owner, reponame) extracted from a url
--- a/models/secret/secret.go
+++ b/models/secret/secret.go
@ -5,7 +5,6 @@ package secret
 import (
 	"context"
 	"errors"
 	"fmt"
 	"strings"
@ -22,6 +21,19 @@ import (
 )
 // Secret represents a secret
 //
 // It can be:
 //  1. org/user level secret, OwnerID is org/user ID and RepoID is 0
 //  2. repo level secret, OwnerID is 0 and RepoID is repo ID
 //
 // Please note that it's not acceptable to have both OwnerID and RepoID to be non-zero,
 // or it will be complicated to find secrets belonging to a specific owner.
 // For example, conditions like `OwnerID = 1` will also return secret {OwnerID: 1, RepoID: 1},
 // but it's a repo level secret, not an org/user level secret.
 // To avoid this, make it clear with {OwnerID: 0, RepoID: 1} for repo level secrets.
 //
 // Please note that it's not acceptable to have both OwnerID and RepoID to zero, global secrets are not supported.
 // It's for security reasons, admin may be not aware of that the secrets could be stolen by any user when setting them as global.
 type Secret struct {
 	ID          int64
 	OwnerID     int64              `xorm:"INDEX UNIQUE(owner_repo_name) NOT NULL"`
@ -46,6 +58,15 @@ func (err ErrSecretNotFound) Unwrap() error {
 // InsertEncryptedSecret Creates, encrypts, and validates a new secret with yet unencrypted data and insert into database
 func InsertEncryptedSecret(ctx context.Context, ownerID, repoID int64, name, data string) (*Secret, error) {
 	if ownerID != 0 && repoID != 0 {
 		// It's trying to create a secret that belongs to a repository, but OwnerID has been set accidentally.
 		// Remove OwnerID to avoid confusion; it's not worth returning an error here.
 		ownerID = 0
 	}
 	if ownerID == 0 && repoID == 0 {
 		return nil, fmt.Errorf("%w: ownerID and repoID cannot be both zero, global secrets are not supported", util.ErrInvalidArgument)
 	}
 	encrypted, err := secret_module.EncryptSecret(setting.SecretKey, data)
 	if err != nil {
 		return nil, err
@ -56,9 +77,6 @@ func InsertEncryptedSecret(ctx context.Context, ownerID, repoID int64, name, dat
 		Name:    strings.ToUpper(name),
 		Data:    encrypted,
 	}
 	if err := secret.Validate(); err != nil {
 		return secret, err
 	}
 	return secret, db.Insert(ctx, secret)
 }
@ -66,29 +84,25 @@ func init() {
 	db.RegisterModel(new(Secret))
 }
 func (s *Secret) Validate() error {
 	if s.OwnerID == 0 && s.RepoID == 0 {
 		return errors.New("the secret is not bound to any scope")
 	}
 	return nil
 }
 type FindSecretsOptions struct {
 	db.ListOptions
 	OwnerID  int64
 	RepoID   int64
 	OwnerID  int64 // it will be ignored if RepoID is set
 	SecretID int64
 	Name     string
 }
 func (opts FindSecretsOptions) ToConds() builder.Cond {
 	cond := builder.NewCond()
-	if opts.OwnerID > 0 {
+
 	cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	if opts.RepoID != 0 { // if RepoID is set
 		// ignore OwnerID and treat it as 0
 		cond = cond.And(builder.Eq{"owner_id": 0})
 	} else {
 		cond = cond.And(builder.Eq{"owner_id": opts.OwnerID})
 	}
-	if opts.RepoID > 0 {
+
 		cond = cond.And(builder.Eq{"repo_id": opts.RepoID})
 	}
 	if opts.SecretID != 0 {
 		cond = cond.And(builder.Eq{"id": opts.SecretID})
 	}
--- a/modules/lfs/http_client.go
+++ b/modules/lfs/http_client.go
@ -136,14 +136,13 @@ func (c *HTTPClient) performOperation(ctx context.Context, objects []Pointer, dc
 	for _, object := range result.Objects {
 		if object.Error != nil {
-			objectError := errors.New(object.Error.Message)
+			log.Trace("Error on object %v: %v", object.Pointer, object.Error)
 			log.Trace("Error on object %v: %v", object.Pointer, objectError)
 			if uc != nil {
-				if _, err := uc(object.Pointer, objectError); err != nil {
+				if _, err := uc(object.Pointer, object.Error); err != nil {
 					return err
 				}
 			} else {
-				if err := dc(object.Pointer, nil, objectError); err != nil {
+				if err := dc(object.Pointer, nil, object.Error); err != nil {
 					return err
 				}
 			}
--- a/modules/lfs/shared.go
+++ b/modules/lfs/shared.go
@ -4,7 +4,11 @@
 package lfs
 import (
 	"errors"
 	"fmt"
 	"time"
 	"code.gitea.io/gitea/modules/util"
 )
 const (
@ -64,6 +68,39 @@ type ObjectError struct {
 	Message string `json:"message"`
 }
 var (
 	// See https://github.com/git-lfs/git-lfs/blob/main/docs/api/batch.md#successful-responses
 	// LFS object error codes should match HTTP status codes where possible:
 	//   404 - The object does not exist on the server.
 	//   409 - The specified hash algorithm disagrees with the server's acceptable options.
 	//   410 - The object was removed by the owner.
 	//   422 - Validation error.
 	ErrObjectNotExist     = util.ErrNotExist // the object does not exist on the server
 	ErrObjectHashMismatch = errors.New("the specified hash algorithm disagrees with the server's acceptable options")
 	ErrObjectRemoved      = errors.New("the object was removed by the owner")
 	ErrObjectValidation   = errors.New("validation error")
 )
 func (e *ObjectError) Error() string {
 	return fmt.Sprintf("[%d] %s", e.Code, e.Message)
 }
 func (e *ObjectError) Unwrap() error {
 	switch e.Code {
 	case 404:
 		return ErrObjectNotExist
 	case 409:
 		return ErrObjectHashMismatch
 	case 410:
 		return ErrObjectRemoved
 	case 422:
 		return ErrObjectValidation
 	default:
 		return errors.New(e.Message)
 	}
 }
 // PointerBlob associates a Git blob with a Pointer.
 type PointerBlob struct {
 	Hash string
--- a/modules/repository/repo.go
+++ b/modules/repository/repo.go
@ -6,6 +6,7 @@ package repository
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"strings"
@ -182,6 +183,10 @@ func StoreMissingLfsObjectsInRepository(ctx context.Context, repo *repo_model.Re
 	downloadObjects := func(pointers []lfs.Pointer) error {
 		err := lfsClient.Download(ctx, pointers, func(p lfs.Pointer, content io.ReadCloser, objectError error) error {
 			if objectError != nil {
 				if errors.Is(objectError, lfs.ErrObjectNotExist) {
 					log.Warn("Repo[%-v]: Ignore missing LFS object %-v: %v", repo, p, objectError)
 					return nil
 				}
 				return objectError
 			}
--- a/modules/setting/actions.go
+++ b/modules/setting/actions.go
@ -12,10 +12,11 @@ import (
 // Actions settings
 var (
 	Actions = struct {
 		LogStorage            *Storage // how the created logs should be stored
 		ArtifactStorage       *Storage // how the created artifacts should be stored
 		ArtifactRetentionDays int64    `ini:"ARTIFACT_RETENTION_DAYS"`
 		Enabled               bool
 		LogStorage            *Storage          // how the created logs should be stored
 		LogRetentionDays      int64             `ini:"LOG_RETENTION_DAYS"`
 		ArtifactStorage       *Storage          // how the created artifacts should be stored
 		ArtifactRetentionDays int64             `ini:"ARTIFACT_RETENTION_DAYS"`
 		DefaultActionsURL     defaultActionsURL `ini:"DEFAULT_ACTIONS_URL"`
 		ZombieTaskTimeout     time.Duration     `ini:"ZOMBIE_TASK_TIMEOUT"`
 		EndlessTaskTimeout    time.Duration     `ini:"ENDLESS_TASK_TIMEOUT"`
@ -61,10 +62,17 @@ func loadActionsFrom(rootCfg ConfigProvider) error {
 	if err != nil {
 		return err
 	}
 	// default to 1 year
 	if Actions.LogRetentionDays <= 0 {
 		Actions.LogRetentionDays = 365
 	}
 	actionsSec, _ := rootCfg.GetSection("actions.artifacts")
 	Actions.ArtifactStorage, err = getStorage(rootCfg, "actions_artifacts", "", actionsSec)
 	if err != nil {
 		return err
 	}
 	// default to 90 days in Github Actions
 	if Actions.ArtifactRetentionDays <= 0 {
@ -75,5 +83,5 @@ func loadActionsFrom(rootCfg ConfigProvider) error {
 	Actions.EndlessTaskTimeout = sec.Key("ENDLESS_TASK_TIMEOUT").MustDuration(3 * time.Hour)
 	Actions.AbandonedJobTimeout = sec.Key("ABANDONED_JOB_TIMEOUT").MustDuration(24 * time.Hour)
-	return err
+	return nil
 }
--- a/modules/structs/repo_collaborator.go
+++ b/modules/structs/repo_collaborator.go
@ -5,6 +5,7 @@ package structs
 // AddCollaboratorOption options when adding a user as a collaborator of a repository
 type AddCollaboratorOption struct {
 	// enum: read,write,admin
 	Permission *string `json:"permission"`
 }
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@ -2997,10 +2997,10 @@ dashboard.delete_old_actions.started = Delete all old activities from database s
 dashboard.update_checker = Update checker
 dashboard.delete_old_system_notices = Delete all old system notices from database
 dashboard.gc_lfs = Garbage collect LFS meta objects
-dashboard.stop_zombie_tasks = Stop zombie tasks
+dashboard.stop_zombie_tasks = Stop zombie actions tasks
-dashboard.stop_endless_tasks = Stop endless tasks
+dashboard.stop_endless_tasks = Stop endless actions tasks
-dashboard.cancel_abandoned_jobs = Cancel abandoned jobs
+dashboard.cancel_abandoned_jobs = Cancel abandoned actions jobs
-dashboard.start_schedule_tasks = Start schedule tasks
+dashboard.start_schedule_tasks = Start schedule actions tasks
 dashboard.sync_branch.started = Branch sync started
 dashboard.sync_tag.started = Tag sync started
 dashboard.rebuild_issue_indexer = Rebuild issue indexer
@ -3803,6 +3803,7 @@ runs.no_workflows.quick_start = Don't know how to start with Forgejo Actions? Se
 runs.no_workflows.documentation = For more information on Forgejo Actions, see <a target="_blank" rel="noopener noreferrer" href="%s">the documentation</a>.
 runs.no_runs = The workflow has no runs yet.
 runs.empty_commit_message = (empty commit message)
 runs.expire_log_message = Logs have been purged because they were too old.
 workflow.disable = Disable workflow
 workflow.disable_success = Workflow "%s" disabled successfully.
@ -3836,6 +3837,7 @@ variables.update.failed = Failed to edit variable.
 variables.update.success = The variable has been edited.
 [projects]
 deleted.display_name = Deleted Project
 type-1.display_name = Individual project
 type-2.display_name = Repository project
 type-3.display_name = Organization project
--- a/release-notes/4801.md
+++ b/release-notes/4801.md
@ -0,0 +1,9 @@
 fix: [commit](https://codeberg.org/forgejo/forgejo/commit/0dbc6230286e113accbc6d5e829ce8dae1d1f5d4) Hide the "Details" link of commit status when the user cannot access actions.
 fix: [commit](https://codeberg.org/forgejo/forgejo/commit/6e63afe31f43eaf5ff7c8595ddeaf8515c2dc0c0) The API endpoint to get the actions registration token is GET /repos/{owner}/{repo}/actions/runners/registration-token and not GET /repos/{owner}/{repo}/runners/registration-token.
 fix: [commit](https://codeberg.org/forgejo/forgejo/commit/6e63afe31f43eaf5ff7c8595ddeaf8515c2dc0c0) Runner registration token via API is broken for repo level runners.
 fix: [commit](https://codeberg.org/forgejo/forgejo/commit/c784a5874066ca1a1fd518408d5767b4eb57bd69) Deleted projects causes bad popover text on issues.
 fix: [commit](https://codeberg.org/forgejo/forgejo/commit/42bb51af9b8283071e15ac6470ada9824d87cd40) Distinguish LFS object errors to ignore missing objects during migration.
 feat: [commit](https://codeberg.org/forgejo/forgejo/commit/11b6253e7532ba11dee8bc31d4c262b102674a4d) Use UTC as a timezone when running scheduled actions tasks.
 feat: [commit](https://codeberg.org/forgejo/forgejo/commit/feb43b2584b7f64ec7f9952af2b50b2210e6e6cf) The actions logs older than `[actions].LOG_RETENTION_DAYS` days are removed (the default is 365).
 fix: [commit](https://codeberg.org/forgejo/forgejo/commit/6328f648decc2754ef10ee5ca6ca9785a156614c) When viewing the revision history of wiki pages, the pagination links are broken: instead of org/repo/wiki/Page?action=_revision&page=2, the link is only org/repo/wiki/Page?page=2, thus bringing the user back to the wiki page.
 fix: [commit](https://codeberg.org/forgejo/forgejo/commit/2310556158d70bf1dbfca96dc928e1be3d3f41be) Also rename the head branch of open pull requests when renaming a branch.
--- a/routers/api/v1/repo/action.go
+++ b/routers/api/v1/repo/action.go
@ -117,12 +117,11 @@ func (Action) CreateOrUpdateSecret(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 	owner := ctx.Repo.Owner
 	repo := ctx.Repo.Repository
 	opt := web.GetForm(ctx).(*api.CreateOrUpdateSecretOption)
-	_, created, err := secret_service.CreateOrUpdateSecret(ctx, owner.ID, repo.ID, ctx.Params("secretname"), opt.Data)
+	_, created, err := secret_service.CreateOrUpdateSecret(ctx, 0, repo.ID, ctx.Params("secretname"), opt.Data)
 	if err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
 			ctx.Error(http.StatusBadRequest, "CreateOrUpdateSecret", err)
@ -174,10 +173,9 @@ func (Action) DeleteSecret(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 	owner := ctx.Repo.Owner
 	repo := ctx.Repo.Repository
-	err := secret_service.DeleteSecretByName(ctx, owner.ID, repo.ID, ctx.Params("secretname"))
+	err := secret_service.DeleteSecretByName(ctx, 0, repo.ID, ctx.Params("secretname"))
 	if err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
 			ctx.Error(http.StatusBadRequest, "DeleteSecret", err)
@ -486,7 +484,7 @@ func (Action) ListVariables(ctx *context.APIContext) {
 // GetRegistrationToken returns the token to register repo runners
 func (Action) GetRegistrationToken(ctx *context.APIContext) {
-	// swagger:operation GET /repos/{owner}/{repo}/runners/registration-token repository repoGetRunnerRegistrationToken
+	// swagger:operation GET /repos/{owner}/{repo}/actions/runners/registration-token repository repoGetRunnerRegistrationToken
 	// ---
 	// summary: Get a repository's actions runner registration token
 	// produces:
@ -506,7 +504,7 @@ func (Action) GetRegistrationToken(ctx *context.APIContext) {
 	//   "200":
 	//     "$ref": "#/responses/RegistrationToken"
-	shared.GetRegistrationToken(ctx, ctx.Repo.Repository.OwnerID, ctx.Repo.Repository.ID)
+	shared.GetRegistrationToken(ctx, 0, ctx.Repo.Repository.ID)
 }
 var _ actions_service.API = new(Action)
--- a/routers/web/repo/actions/view.go
+++ b/routers/web/repo/actions/view.go
@ -271,6 +271,27 @@ func ViewPost(ctx *context_module.Context) {
 			step := steps[cursor.Step]
 			// if task log is expired, return a consistent log line
 			if task.LogExpired {
 				if cursor.Cursor == 0 {
 					resp.Logs.StepsLog = append(resp.Logs.StepsLog, &ViewStepLog{
 						Step:   cursor.Step,
 						Cursor: 1,
 						Lines: []*ViewStepLogLine{
 							{
 								Index:   1,
 								Message: ctx.Locale.TrString("actions.runs.expire_log_message"),
 								// Timestamp doesn't mean anything when the log is expired.
 								// Set it to the task's updated time since it's probably the time when the log has expired.
 								Timestamp: float64(task.Updated.AsTime().UnixNano()) / float64(time.Second),
 							},
 						},
 						Started: int64(step.Started),
 					})
 				}
 				continue
 			}
 			logLines := make([]*ViewStepLogLine, 0) // marshal to '[]' instead of 'null' in json
 			index := step.LogIndex + cursor.Cursor
--- a/routers/web/repo/branch.go
+++ b/routers/web/repo/branch.go
@ -70,6 +70,11 @@ func Branches(ctx *context.Context) {
 		ctx.ServerError("LoadBranches", err)
 		return
 	}
 	if !ctx.Repo.CanRead(unit.TypeActions) {
 		for key := range commitStatuses {
 			git_model.CommitStatusesHideActionsURL(ctx, commitStatuses[key])
 		}
 	}
 	commitStatus := make(map[string]*git_model.CommitStatus)
 	for commitID, cs := range commitStatuses {
--- a/routers/web/repo/commit.go
+++ b/routers/web/repo/commit.go
@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
 	repo_model "code.gitea.io/gitea/models/repo"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/charset"
@ -81,7 +82,7 @@ func Commits(ctx *context.Context) {
 		ctx.ServerError("CommitsByRange", err)
 		return
 	}
-	ctx.Data["Commits"] = git_model.ConvertFromGitCommit(ctx, commits, ctx.Repo.Repository)
+	ctx.Data["Commits"] = processGitCommits(ctx, commits)
 	ctx.Data["Username"] = ctx.Repo.Owner.Name
 	ctx.Data["Reponame"] = ctx.Repo.Repository.Name
@ -199,7 +200,7 @@ func SearchCommits(ctx *context.Context) {
 		return
 	}
 	ctx.Data["CommitCount"] = len(commits)
-	ctx.Data["Commits"] = git_model.ConvertFromGitCommit(ctx, commits, ctx.Repo.Repository)
+	ctx.Data["Commits"] = processGitCommits(ctx, commits)
 	ctx.Data["Keyword"] = query
 	if all {
@ -264,7 +265,7 @@ func FileHistory(ctx *context.Context) {
 		}
 	}
-	ctx.Data["Commits"] = git_model.ConvertFromGitCommit(ctx, commits, ctx.Repo.Repository)
+	ctx.Data["Commits"] = processGitCommits(ctx, commits)
 	ctx.Data["Username"] = ctx.Repo.Owner.Name
 	ctx.Data["Reponame"] = ctx.Repo.Repository.Name
@ -375,6 +376,9 @@ func Diff(ctx *context.Context) {
 	if err != nil {
 		log.Error("GetLatestCommitStatus: %v", err)
 	}
 	if !ctx.Repo.CanRead(unit_model.TypeActions) {
 		git_model.CommitStatusesHideActionsURL(ctx, statuses)
 	}
 	ctx.Data["CommitStatus"] = git_model.CalcCommitStatus(statuses)
 	ctx.Data["CommitStatuses"] = statuses
@ -454,3 +458,17 @@ func RawDiff(ctx *context.Context) {
 		return
 	}
 }
 func processGitCommits(ctx *context.Context, gitCommits []*git.Commit) []*git_model.SignCommitWithStatuses {
 	commits := git_model.ConvertFromGitCommit(ctx, gitCommits, ctx.Repo.Repository)
 	if !ctx.Repo.CanRead(unit_model.TypeActions) {
 		for _, commit := range commits {
 			if commit.Status == nil {
 				continue
 			}
 			commit.Status.HideActionsURL(ctx)
 			git_model.CommitStatusesHideActionsURL(ctx, commit.Statuses)
 		}
 	}
 	return commits
 }
--- a/routers/web/repo/compare.go
+++ b/routers/web/repo/compare.go
@ -643,7 +643,7 @@ func PrepareCompareDiff(
 		return false
 	}
-	commits := git_model.ConvertFromGitCommit(ctx, ci.CompareInfo.Commits, ci.HeadRepo)
+	commits := processGitCommits(ctx, ci.CompareInfo.Commits)
 	ctx.Data["Commits"] = commits
 	ctx.Data["CommitCount"] = len(commits)
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@ -346,6 +346,11 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption opt
 		ctx.ServerError("GetIssuesAllCommitStatus", err)
 		return
 	}
 	if !ctx.Repo.CanRead(unit.TypeActions) {
 		for key := range commitStatuses {
 			git_model.CommitStatusesHideActionsURL(ctx, commitStatuses[key])
 		}
 	}
 	if err := issues.LoadAttributes(ctx); err != nil {
 		ctx.ServerError("issues.LoadAttributes", err)
@ -1692,7 +1697,7 @@ func ViewIssue(ctx *context.Context) {
 			}
 			ghostProject := &project_model.Project{
-				ID:    -1,
+				ID:    project_model.GhostProjectID,
 				Title: ctx.Locale.TrString("repo.issues.deleted_project"),
 			}
@ -1777,6 +1782,15 @@ func ViewIssue(ctx *context.Context) {
 				ctx.ServerError("LoadPushCommits", err)
 				return
 			}
 			if !ctx.Repo.CanRead(unit.TypeActions) {
 				for _, commit := range comment.Commits {
 					if commit.Status == nil {
 						continue
 					}
 					commit.Status.HideActionsURL(ctx)
 					git_model.CommitStatusesHideActionsURL(ctx, commit.Statuses)
 				}
 			}
 		} else if comment.Type == issues_model.CommentTypeAddTimeManual ||
 			comment.Type == issues_model.CommentTypeStopTracking ||
 			comment.Type == issues_model.CommentTypeDeleteTimeManual {
--- a/routers/web/repo/pull.go
+++ b/routers/web/repo/pull.go
@ -515,6 +515,10 @@ func PrepareMergedViewPullInfo(ctx *context.Context, issue *issues_model.Issue)
 			ctx.ServerError("GetLatestCommitStatus", err)
 			return nil
 		}
 		if !ctx.Repo.CanRead(unit.TypeActions) {
 			git_model.CommitStatusesHideActionsURL(ctx, commitStatuses)
 		}
 		if len(commitStatuses) != 0 {
 			ctx.Data["LatestCommitStatuses"] = commitStatuses
 			ctx.Data["LatestCommitStatus"] = git_model.CalcCommitStatus(commitStatuses)
@ -577,6 +581,10 @@ func PrepareViewPullInfo(ctx *context.Context, issue *issues_model.Issue) *git.C
 			ctx.ServerError("GetLatestCommitStatus", err)
 			return nil
 		}
 		if !ctx.Repo.CanRead(unit.TypeActions) {
 			git_model.CommitStatusesHideActionsURL(ctx, commitStatuses)
 		}
 		if len(commitStatuses) > 0 {
 			ctx.Data["LatestCommitStatuses"] = commitStatuses
 			ctx.Data["LatestCommitStatus"] = git_model.CalcCommitStatus(commitStatuses)
@ -669,6 +677,10 @@ func PrepareViewPullInfo(ctx *context.Context, issue *issues_model.Issue) *git.C
 		ctx.ServerError("GetLatestCommitStatus", err)
 		return nil
 	}
 	if !ctx.Repo.CanRead(unit.TypeActions) {
 		git_model.CommitStatusesHideActionsURL(ctx, commitStatuses)
 	}
 	if len(commitStatuses) > 0 {
 		ctx.Data["LatestCommitStatuses"] = commitStatuses
 		ctx.Data["LatestCommitStatus"] = git_model.CalcCommitStatus(commitStatuses)
@ -835,7 +847,7 @@ func ViewPullCommits(ctx *context.Context) {
 	ctx.Data["Username"] = ctx.Repo.Owner.Name
 	ctx.Data["Reponame"] = ctx.Repo.Repository.Name
-	commits := git_model.ConvertFromGitCommit(ctx, prInfo.Commits, ctx.Repo.Repository)
+	commits := processGitCommits(ctx, prInfo.Commits)
 	ctx.Data["Commits"] = commits
 	ctx.Data["CommitCount"] = len(commits)
--- a/routers/web/repo/repo.go
+++ b/routers/web/repo/repo.go
@ -683,6 +683,9 @@ func SearchRepo(ctx *context.Context) {
 		ctx.JSON(http.StatusInternalServerError, nil)
 		return
 	}
 	if !ctx.Repo.CanRead(unit.TypeActions) {
 		git_model.CommitStatusesHideActionsURL(ctx, latestCommitStatuses)
 	}
 	results := make([]*repo_service.WebSearchRepository, len(repos))
 	for i, repo := range repos {
--- a/routers/web/repo/view.go
+++ b/routers/web/repo/view.go
@ -368,6 +368,9 @@ func loadLatestCommitData(ctx *context.Context, latestCommit *git.Commit) bool {
 		if err != nil {
 			log.Error("GetLatestCommitStatus: %v", err)
 		}
 		if !ctx.Repo.CanRead(unit_model.TypeActions) {
 			git_model.CommitStatusesHideActionsURL(ctx, statuses)
 		}
 		ctx.Data["LatestCommitStatus"] = git_model.CalcCommitStatus(statuses)
 		ctx.Data["LatestCommitStatuses"] = statuses
--- a/routers/web/repo/wiki.go
+++ b/routers/web/repo/wiki.go
@ -396,6 +396,7 @@ func renderRevisionPage(ctx *context.Context) (*git.Repository, *git.TreeEntry)
 	pager := context.NewPagination(int(commitsCount), setting.Git.CommitsRangeSize, page, 5)
 	pager.SetDefaultParams(ctx)
 	pager.AddParamString("action", "_revision")
 	ctx.Data["Page"] = pager
 	return wikiRepo, entry
--- a/routers/web/user/home.go
+++ b/routers/web/user/home.go
@ -17,6 +17,7 @@ import (
 	activities_model "code.gitea.io/gitea/models/activities"
 	asymkey_model "code.gitea.io/gitea/models/asymkey"
 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
 	issues_model "code.gitea.io/gitea/models/issues"
 	"code.gitea.io/gitea/models/organization"
 	repo_model "code.gitea.io/gitea/models/repo"
@ -597,6 +598,11 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 		ctx.ServerError("GetIssuesLastCommitStatus", err)
 		return
 	}
 	if !ctx.Repo.CanRead(unit.TypeActions) {
 		for key := range commitStatuses {
 			git_model.CommitStatusesHideActionsURL(ctx, commitStatuses[key])
 		}
 	}
 	// -------------------------------
 	// Fill stats to post to ctx.Data.
--- a/routers/web/user/notification.go
+++ b/routers/web/user/notification.go
@ -13,8 +13,10 @@ import (
 	activities_model "code.gitea.io/gitea/models/activities"
 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
 	issues_model "code.gitea.io/gitea/models/issues"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/optional"
@ -303,6 +305,11 @@ func NotificationSubscriptions(ctx *context.Context) {
 		ctx.ServerError("GetIssuesAllCommitStatus", err)
 		return
 	}
 	if !ctx.Repo.CanRead(unit.TypeActions) {
 		for key := range commitStatuses {
 			git_model.CommitStatusesHideActionsURL(ctx, commitStatuses[key])
 		}
 	}
 	ctx.Data["CommitLastStatus"] = lastStatus
 	ctx.Data["CommitStatuses"] = commitStatuses
 	ctx.Data["Issues"] = issues
--- a/services/actions/cleanup.go
+++ b/services/actions/cleanup.go
@ -5,19 +5,30 @@ package actions
 import (
 	"context"
 	"fmt"
 	"time"
-	"code.gitea.io/gitea/models/actions"
+	actions_model "code.gitea.io/gitea/models/actions"
 	actions_module "code.gitea.io/gitea/modules/actions"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/storage"
 	"code.gitea.io/gitea/modules/timeutil"
 )
 // Cleanup removes expired actions logs, data and artifacts
-func Cleanup(taskCtx context.Context, olderThan time.Duration) error {
+func Cleanup(ctx context.Context) error {
 	// TODO: clean up expired actions logs
 	// clean up expired artifacts
-	return CleanupArtifacts(taskCtx)
+	if err := CleanupArtifacts(ctx); err != nil {
 		return fmt.Errorf("cleanup artifacts: %w", err)
 	}
 	// clean up old logs
 	if err := CleanupLogs(ctx); err != nil {
 		return fmt.Errorf("cleanup logs: %w", err)
 	}
 	return nil
 }
 // CleanupArtifacts removes expired add need-deleted artifacts and set records expired status
@ -29,13 +40,13 @@ func CleanupArtifacts(taskCtx context.Context) error {
 }
 func cleanExpiredArtifacts(taskCtx context.Context) error {
-	artifacts, err := actions.ListNeedExpiredArtifacts(taskCtx)
+	artifacts, err := actions_model.ListNeedExpiredArtifacts(taskCtx)
 	if err != nil {
 		return err
 	}
 	log.Info("Found %d expired artifacts", len(artifacts))
 	for _, artifact := range artifacts {
-		if err := actions.SetArtifactExpired(taskCtx, artifact.ID); err != nil {
+		if err := actions_model.SetArtifactExpired(taskCtx, artifact.ID); err != nil {
 			log.Error("Cannot set artifact %d expired: %v", artifact.ID, err)
 			continue
 		}
@ -53,13 +64,13 @@ const deleteArtifactBatchSize = 100
 func cleanNeedDeleteArtifacts(taskCtx context.Context) error {
 	for {
-		artifacts, err := actions.ListPendingDeleteArtifacts(taskCtx, deleteArtifactBatchSize)
+		artifacts, err := actions_model.ListPendingDeleteArtifacts(taskCtx, deleteArtifactBatchSize)
 		if err != nil {
 			return err
 		}
 		log.Info("Found %d artifacts pending deletion", len(artifacts))
 		for _, artifact := range artifacts {
-			if err := actions.SetArtifactDeleted(taskCtx, artifact.ID); err != nil {
+			if err := actions_model.SetArtifactDeleted(taskCtx, artifact.ID); err != nil {
 				log.Error("Cannot set artifact %d deleted: %v", artifact.ID, err)
 				continue
 			}
@ -76,3 +87,40 @@ func cleanNeedDeleteArtifacts(taskCtx context.Context) error {
 	}
 	return nil
 }
 const deleteLogBatchSize = 100
 // CleanupLogs removes logs which are older than the configured retention time
 func CleanupLogs(ctx context.Context) error {
 	olderThan := timeutil.TimeStampNow().AddDuration(-time.Duration(setting.Actions.LogRetentionDays) * 24 * time.Hour)
 	count := 0
 	for {
 		tasks, err := actions_model.FindOldTasksToExpire(ctx, olderThan, deleteLogBatchSize)
 		if err != nil {
 			return fmt.Errorf("find old tasks: %w", err)
 		}
 		for _, task := range tasks {
 			if err := actions_module.RemoveLogs(ctx, task.LogInStorage, task.LogFilename); err != nil {
 				log.Error("Failed to remove log %s (in storage %v) of task %v: %v", task.LogFilename, task.LogInStorage, task.ID, err)
 				// do not return error here, continue to next task
 				continue
 			}
 			task.LogIndexes = nil // clear log indexes since it's a heavy field
 			task.LogExpired = true
 			if err := actions_model.UpdateTask(ctx, task, "log_indexes", "log_expired"); err != nil {
 				log.Error("Failed to update task %v: %v", task.ID, err)
 				// do not return error here, continue to next task
 				continue
 			}
 			count++
 			log.Trace("Removed log %s of task %v", task.LogFilename, task.ID)
 		}
 		if len(tasks) < deleteLogBatchSize {
 			break
 		}
 	}
 	log.Info("Removed %d logs", count)
 	return nil
 }
--- a/services/cron/tasks_actions.go
+++ b/services/cron/tasks_actions.go
@ -19,6 +19,7 @@ func initActionsTasks() {
 	registerStopEndlessTasks()
 	registerCancelAbandonedJobs()
 	registerScheduleTasks()
 	registerActionsCleanup()
 }
 func registerStopZombieTasks() {
@ -63,3 +64,13 @@ func registerScheduleTasks() {
 		return actions_service.StartScheduleTasks(ctx)
 	})
 }
 func registerActionsCleanup() {
 	RegisterTaskFatal("cleanup_actions", &BaseConfig{
 		Enabled:    true,
 		RunAtStart: false,
 		Schedule:   "@midnight",
 	}, func(ctx context.Context, _ *user_model.User, _ Config) error {
 		return actions_service.Cleanup(ctx)
 	})
 }
--- a/services/cron/tasks_basic.go
+++ b/services/cron/tasks_basic.go
@ -13,7 +13,6 @@ import (
 	"code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/services/actions"
 	"code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/migrations"
 	mirror_service "code.gitea.io/gitea/services/mirror"
@ -157,20 +156,6 @@ func registerCleanupPackages() {
 	})
 }
 func registerActionsCleanup() {
 	RegisterTaskFatal("cleanup_actions", &OlderThanConfig{
 		BaseConfig: BaseConfig{
 			Enabled:    true,
 			RunAtStart: true,
 			Schedule:   "@midnight",
 		},
 		OlderThan: 24 * time.Hour,
 	}, func(ctx context.Context, _ *user_model.User, config Config) error {
 		realConfig := config.(*OlderThanConfig)
 		return actions.Cleanup(ctx, realConfig.OlderThan)
 	})
 }
 func initBasicTasks() {
 	if setting.Mirror.Enabled {
 		registerUpdateMirrorTask()
@ -187,7 +172,4 @@ func initBasicTasks() {
 	if setting.Packages.Enabled {
 		registerCleanupPackages()
 	}
 	if setting.Actions.Enabled {
 		registerActionsCleanup()
 	}
 }
--- a/services/repository/migrate.go
+++ b/services/repository/migrate.go
@ -172,6 +172,7 @@ func MigrateRepositoryGitData(ctx context.Context, u *user_model.User,
 			lfsClient := lfs.NewClient(endpoint, httpTransport)
 			if err = repo_module.StoreMissingLfsObjectsInRepository(ctx, repo, gitRepo, lfsClient); err != nil {
 				log.Error("Failed to store missing LFS objects for repository: %v", err)
 				return repo, fmt.Errorf("StoreMissingLfsObjectsInRepository: %w", err)
 			}
 		}
 	}
--- a/templates/repo/issue/view_content/comments.tmpl
+++ b/templates/repo/issue/view_content/comments.tmpl
@ -582,13 +582,19 @@
 					{{template "shared/user/authorlink" .Poster}}
 					{{$oldProjectDisplayHtml := "Unknown Project"}}
 					{{if .OldProject}}
-						{{$trKey := printf "projects.type-%d.display_name" .OldProject.Type}}
+						{{$tooltip := ctx.Locale.Tr "projects.deleted.display_name"}}
-						{{$oldProjectDisplayHtml = HTMLFormat `<span data-tooltip-content="%s">%s</span>` (ctx.Locale.Tr $trKey) .OldProject.Title}}
+						{{if not .OldProject.IsGhost}}
 							{{$tooltip = ctx.Locale.Tr (printf "projects.type-%d.display_name" .OldProject.Type)}}
 						{{end}}
 						{{$oldProjectDisplayHtml = HTMLFormat `<span data-tooltip-content="%s">%s</span>` $tooltip .OldProject.Title}}
 					{{end}}
 					{{$newProjectDisplayHtml := "Unknown Project"}}
 					{{if .Project}}
-						{{$trKey := printf "projects.type-%d.display_name" .Project.Type}}
+						{{$tooltip := ctx.Locale.Tr "projects.deleted.display_name"}}
-						{{$newProjectDisplayHtml = HTMLFormat `<span data-tooltip-content="%s">%s</span>` (ctx.Locale.Tr $trKey) .Project.Title}}
+						{{if not .Project.IsGhost}}
 							{{$tooltip = ctx.Locale.Tr (printf "projects.type-%d.display_name" .Project.Type)}}
 						{{end}}
 						{{$newProjectDisplayHtml = HTMLFormat `<span data-tooltip-content="%s">%s</span>` $tooltip .Project.Title}}
 					{{end}}
 					{{if and (gt .OldProjectID 0) (gt .ProjectID 0)}}
 						{{ctx.Locale.Tr "repo.issues.change_project_at" $oldProjectDisplayHtml $newProjectDisplayHtml $createdStr}}
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -4598,6 +4598,39 @@
        }
      }
    },
    "/repos/{owner}/{repo}/actions/runners/registration-token": {
      "get": {
        "produces": [
          "application/json"
        ],
        "tags": [
          "repository"
        ],
        "summary": "Get a repository's actions runner registration token",
        "operationId": "repoGetRunnerRegistrationToken",
        "parameters": [
          {
            "type": "string",
            "description": "owner of the repo",
            "name": "owner",
            "in": "path",
            "required": true
          },
          {
            "type": "string",
            "description": "name of the repo",
            "name": "repo",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "$ref": "#/responses/RegistrationToken"
          }
        }
      }
    },
    "/repos/{owner}/{repo}/actions/secrets": {
      "get": {
        "produces": [
@ -14739,39 +14772,6 @@
        }
      }
    },
    "/repos/{owner}/{repo}/runners/registration-token": {
      "get": {
        "produces": [
          "application/json"
        ],
        "tags": [
          "repository"
        ],
        "summary": "Get a repository's actions runner registration token",
        "operationId": "repoGetRunnerRegistrationToken",
        "parameters": [
          {
            "type": "string",
            "description": "owner of the repo",
            "name": "owner",
            "in": "path",
            "required": true
          },
          {
            "type": "string",
            "description": "name of the repo",
            "name": "repo",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "$ref": "#/responses/RegistrationToken"
          }
        }
      }
    },
    "/repos/{owner}/{repo}/signing-key.gpg": {
      "get": {
        "produces": [
@ -19959,6 +19959,11 @@
      "properties": {
        "permission": {
          "type": "string",
          "enum": [
            "read",
            "write",
            "admin"
          ],
          "x-go-name": "Permission"
        }
      },
--- a/tests/integration/api_user_variables_test.go
+++ b/tests/integration/api_user_variables_test.go
@ -19,7 +19,7 @@ func TestAPIUserVariables(t *testing.T) {
 	session := loginUser(t, "user1")
 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
-	t.Run("CreateRepoVariable", func(t *testing.T) {
+	t.Run("CreateUserVariable", func(t *testing.T) {
 		cases := []struct {
 			Name           string
 			ExpectedStatus int
@ -70,7 +70,7 @@ func TestAPIUserVariables(t *testing.T) {
 		}
 	})
-	t.Run("UpdateRepoVariable", func(t *testing.T) {
+	t.Run("UpdateUserVariable", func(t *testing.T) {
 		variableName := "test_update_var"
 		url := fmt.Sprintf("/api/v1/user/actions/variables/%s", variableName)
 		req := NewRequestWithJSON(t, "POST", url, api.CreateVariableOption{