Update to Gitea 1.20

The 1.20 release is here. Upgrade to this version. Things we change: * Nodejs is updated to v20 to match the alpine 3.18 package version that gitea switched to. * Templates are updated to match upstream 1.20 templates. * We drop the deprecated LFS_CONTENT_PATH from our server config and add an equivalent [lfs] config section. * Normalize app.ini content so that gitea won't write it back out to disk which fails due to permissions (and we don't want it overriding our configs anyway). For this we need to add WORK_PATH, oauth2.JWT_SECRET, and normliazing spacing and quoting for entries. * Set JWT_SIGNING_PRIVATE_KEY_FILE explicitly to be located at /data/gitea/jwt/private.pem otherwise gitea attempts to create the jwt/ directory somewhere it doesn't have permissions to (I think /) and won't be persisted across containers. * Replace log.ENABLE_ACCESS_LOG with log.logger.access.MODE = file as log.ENABLE_ACCESS_LOG is deprecated and doesn't appear to work anymore. This appears to be a documentation issue or they deprecated and removed things more quickly than originaly anticipated. * Add log.ACCESS_LOG_TEMPLATE to readd source port info to the access logs. * Add a templates/custom/header.tmpl file to set theme-color as the config item for this has been removed. The 1.20.0 changelog [0] lists a number of breaking changes. I have tried to capture there here as well as potential impacts to us: * Fix WORK_DIR for docker (root) image (#25738) (#25811) * We set APP_DATA_PATH to /data/gitea in our app.ini config which means we aren't relying on the inferred value from WORK_DIR. I think this isolates us from this chnage. But we can check for any content in /app/gitea on our running containers to be sure. Note we hardcode WORK_PATH to /data/gitea because gitea attempts to write this back to our config file otherwise as a result of this change. * Restrict [actions].DEFAULT_ACTIONS_URL to only github or self (#25581) (#25604) * We disable actions. This shouldn't affect us. * Refactor path & config system (#25330) (#25416) * This is related to the first breaking changes. Basically we need to check our use of WORK_PATH and determine if we need to hardcode it to something. Probably a good idea given how they keep changing this on us... * Fix all possible setting error related storages and added some tests (#23911) (#25244) * We don't use storage configs. This shouldn't affect us. * Use a separate admin page to show global stats, remove actions stat (#25062) * The breaking change only affects the use of Prometheus which we don't have yet. * Remove the service worker (#25010) * Is listed as a breaking change for UI cleanup that we don't need to cleanup. (ui.USE_SERVICE_WORKER can be removed). * Remove meta tags theme-color and default-theme (#24960) * https://github.com/go-gitea/gitea/pull/24960 * Addressed by adding a custome templates/custom/header.tmpl file that sets this meta tag to the existing value. Note this only affects mobile clients so needs to be double checked via a mobile device. * Use [git.config] for reflog cleaning up (#24958) * Affects git.reflog config entries and we don' thave any. * Allow all URL schemes in Markdown links by default (#24805) * TODO determine if we need to limit link types and add that change if so. A point release was made to exclude bad types already. Not sure if there are others we need to add. * Redesign Scoped Access Tokens (#24767) * This breaks scoped tokens with scopes that don't exist anymore. I don't think we use scoped tokens. * Fix team members API endpoint pagination (#24754) * They 1 index the pagination of this endpoint now instead of 0 indexing it. * Rewrite logger system (#24726) * They made changes to the loggers and encourage people to check their logs work as expected when upgrading. Using our test instance logs I don't see anything that is a problem. * Increase default LFS auth timeout from 20m to 24h (#24628) * We don't LFS but can change the timeout if necssary. * Rewrite queue (#24505) * Check for 'Removed queue option:' log entries and clean up corresponding entries in app.ini. We don't have any of these entries in our logs. * Remove unused setting time.FORMAT (#24430) * We didn't have this entry in app.ini. * Refactor setting.Other and remove unused SHOW_FOOTER_BRANDING (#24270) * This setting can be removed from app.ini, but we don't set it. * Correct the access log format (#24085) * We uncorrect it because they removed source port info in the correction step. They did this because some log parsers don't understand having the port info present, but if you are behind a reverse proxy this information is very important. We run gitea behind a reverse proxy. * Reserve ".png" suffix for user/org names (#23992) * .png is no longer a valid user/org name (it didn't work before anyway). * Prefer native parser for SSH public key parsing (#23798) * If you relied on the openssh ssh-keygen executable for public key parsing then you must explicitly set config to use it. I don't think we do as the golang native parser should handle the keytypes we use. * Editor preview support for external renderers (#23333) * This removed an app.ini settings we don't seem to set. * Add Gitea Profile Readmes (#23260) * Readmes in .profile repositories will always be shown now. We don't have .profiles repos so this doesn't affect us. * Refactor ctx in templates (#23105) * This affects custom templates as we may need to replace ctx with ctxData in our templates. * I've searched our templates for 'root', 'ctx', and 'ctxData' and have found no instances. Looking at the files modifying by the commits related to this change: bd7f218dce 7c01260e1d we don't seem to override the affected files. I think we are fine as is. The 1.20.1 changelog indicates there are no breaking changes, and git diff shows no changes to the templates between 1.20.0 and 1.20.1. The 1.20.2 changelog indicates there are no breaking changes, and git diff shows no changes to the templates between 1.20.1 and 1.20.2. The 1.20.3 changelog indicates there is a single breaking change: * Fix the wrong derive path (#26271) (#26318) * If I'm reading the code correctly, I think the problem was storage configuration inheriting the base storage config and particularly the related path. Then when archival storage looked for its config the path was the root gitea storage path and it would inadverdently delete all repos when deleting a single repo or something like that. We don't use these features and these are mirrors anyway so I don't think this really affects us. [0] https://github.com/go-gitea/gitea/blob/v1.20.3/CHANGELOG.md Change-Id: I265f0ad16c0e757a11c1d889996ffe2198625a1a
2023-06-26 10:03:22 -07:00 · 2023-06-26 10:03:22 -07:00 · ef450d1bce
commit ef450d1bce
parent d0f0026f1d
7 changed files with 175 additions and 160 deletions
--- a/docker/gitea/Dockerfile
+++ b/docker/gitea/Dockerfile
@ -29,13 +29,13 @@ FROM docker.io/library/golang:1.20-bullseye AS build-env

 LABEL maintainer="infra-root@openstack.org"

-ARG GITEA_VERSION="v1.19.4"
+ARG GITEA_VERSION="v1.20.3"
 ENV TAGS "bindata $TAGS"

 #Build deps
 RUN apt-get update && apt-get -y install build-essential git apt-transport-https curl gnupg2 \
  && curl -sS https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
-  && echo "deb https://deb.nodesource.com/node_18.x bullseye main" | tee /etc/apt/sources.list.d/nodesource.list \
+  && echo "deb https://deb.nodesource.com/node_20.x bullseye main" | tee /etc/apt/sources.list.d/nodesource.list \
  && apt-get update \
  && apt-get -q --option "Dpkg::Options::=--force-confold" --assume-yes install nodejs \
  && mkdir -p ${GOPATH}/src/code.gitea.io/gitea
--- a/docker/gitea/custom/templates/base/head_navbar.tmpl
+++ b/docker/gitea/custom/templates/base/head_navbar.tmpl
@ -1,70 +1,67 @@
-<nav class="ui container" id="navbar" aria-label="{{.locale.Tr "aria.navbar"}}">
-	{{$notificationUnreadCount := 0}}
-	{{if .IsSigned}}
-		{{if .NotificationUnreadCount}}{{$notificationUnreadCount = call .NotificationUnreadCount}}{{end}}
-	{{end}}
-	<div class="item brand gt-sb">
+{{$notificationUnreadCount := 0}}
+{{if and .IsSigned .NotificationUnreadCount}}
+	{{$notificationUnreadCount = call .NotificationUnreadCount}}
+{{end}}
+
+<nav id="navbar" class="ui secondary stackable menu" aria-label="{{.locale.Tr "aria.navbar"}}">
+	<div class="item">
+		<!-- the logo -->
 		<a href="{{AppSubUrl}}/" aria-label="{{if .IsSigned}}{{.locale.Tr "dashboard"}}{{else}}{{.locale.Tr "home"}}{{end}}">
 			<img width="30" height="30" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{.locale.Tr "logo"}}" aria-hidden="true">
 		</a>
-		<div class="gt-df gt-ac">
+
+		<!-- mobile right menu, it must be here because in mobile view, each item is a flex column, the first item is a full row column -->
+		<div class="ui secondary menu navbar-mobile-right gt-gap-2">
 			{{if .IsSigned}}
-			<a href="{{AppSubUrl}}/notifications" class="tooltip mobile-only gt-mr-4 gt-mt-3" data-content="{{.locale.Tr "notifications"}}" aria-label="{{.locale.Tr "notifications"}}">
-				<span class="fitted item">
+			<a class="item gt-mx-0 gt-p-3" href="{{AppSubUrl}}/notifications" data-tooltip-content="{{.locale.Tr "notifications"}}" aria-label="{{.locale.Tr "notifications"}}">
+				<div class="gt-relative">
 					{{svg "octicon-bell"}}
-					<span class="notification_count{{if not $notificationUnreadCount}} gt-hidden{{end}}">
-						{{$notificationUnreadCount}}
-					</span>
-				</span>
+					<span class="notification_count{{if not $notificationUnreadCount}} gt-hidden{{end}}">{{$notificationUnreadCount}}</span>
+				</div>
 			</a>
 			{{end}}
-			<button class="ui icon button mobile-only" id="navbar-expand-toggle">
-				{{svg "octicon-three-bars"}}
-			</button>
+			<button class="item ui icon mini button gt-p-3 gt-m-0" id="navbar-expand-toggle">{{svg "octicon-three-bars"}}</button>
 		</div>
 	</div>

+	<!-- navbar links -->
 	{{if and .IsSigned .MustChangePassword}}
 		{{/* No links */}}
 	{{else if .IsSigned}}
 		{{if not .UnitIssuesGlobalDisabled}}
-		<a class="item {{if .PageIsIssues}}active{{end}}" href="{{AppSubUrl}}/issues">{{.locale.Tr "issues"}}</a>
+			<a class="item{{if .PageIsIssues}} active{{end}}" href="{{AppSubUrl}}/issues">{{.locale.Tr "issues"}}</a>
 		{{end}}
 		{{if not .UnitPullsGlobalDisabled}}
-		<a class="item {{if .PageIsPulls}}active{{end}}" href="{{AppSubUrl}}/pulls">{{.locale.Tr "pull_requests"}}</a>
+			<a class="item{{if .PageIsPulls}} active{{end}}" href="{{AppSubUrl}}/pulls">{{.locale.Tr "pull_requests"}}</a>
 		{{end}}
 		{{if not (and .UnitIssuesGlobalDisabled .UnitPullsGlobalDisabled)}}
-		{{if .ShowMilestonesDashboardPage}}<a class="item {{if .PageIsMilestonesDashboard}}active{{end}}" href="{{AppSubUrl}}/milestones">{{.locale.Tr "milestones"}}</a>{{end}}
+			{{if .ShowMilestonesDashboardPage}}
+				<a class="item{{if .PageIsMilestonesDashboard}} active{{end}}" href="{{AppSubUrl}}/milestones">{{.locale.Tr "milestones"}}</a>
+			{{end}}
 		{{end}}
-		<a class="item {{if .PageIsExplore}}active{{end}}" href="{{AppSubUrl}}/explore/repos">{{.locale.Tr "explore"}}</a>
+		<a class="item{{if .PageIsExplore}} active{{end}}" href="{{AppSubUrl}}/explore/repos">{{.locale.Tr "explore"}}</a>
 	{{else if .IsLandingPageOrganizations}}
-		<a class="item {{if .PageIsExplore}}active{{end}}" href="{{AppSubUrl}}/explore/organizations">{{.locale.Tr "explore"}}</a>
+		<a class="item{{if .PageIsExplore}} active{{end}}" href="{{AppSubUrl}}/explore/organizations">{{.locale.Tr "explore"}}</a>
 	{{else}}
-		<a class="item {{if .PageIsExplore}}active{{end}}" href="{{AppSubUrl}}/explore/repos">{{.locale.Tr "explore"}}</a>
+		<a class="item{{if .PageIsExplore}} active{{end}}" href="{{AppSubUrl}}/explore/repos">{{.locale.Tr "explore"}}</a>
 	{{end}}

 	{{template "custom/extra_links" .}}

-	{{/* TODO
-		<div class="item">
-		<div class="ui icon input">
-		<input class="searchbox" type="text" placeholder="{{.locale.Tr "search_project"}}">
-		<i class="icon gt-df gt-ac gt-jc">{{svg "octicon-search" 16}}</i>
-		</div>
-		</div>
-	*/}}
+	{{if not .IsSigned}}
+		<a class="item" target="_blank" rel="noopener noreferrer" href="https://docs.opendev.org/opendev/infra-manual/latest/gettingstarted.html">Get Started</a>
+	{{end}}

-
-	{{if and .IsSigned .MustChangePassword}}
-		<div class="right stackable menu">
-			<div class="ui dropdown jump item tooltip" tabindex="-1" data-content="{{.locale.Tr "user_profile_and_more"}}">
-				<span class="text">
-					{{avatar $.Context .SignedUser 24 "tiny"}}
-					<span class="sr-only">{{.locale.Tr "user_profile_and_more"}}</span>
-					<span class="mobile-only">{{.SignedUser.Name}}</span>
-					<span class="fitted not-mobile" tabindex="-1">{{svg "octicon-triangle-down"}}</span>
+	<!-- the full dropdown menus -->
+	<div class="right menu">
+		{{if and .IsSigned .MustChangePassword}}
+			<div class="ui dropdown jump item" data-tooltip-content="{{.locale.Tr "user_profile_and_more"}}">
+				<span class="text gt-df gt-ac">
+					{{avatar $.Context .SignedUser 24 "gt-mr-2"}}
+					<span class="mobile-only gt-ml-2">{{.SignedUser.Name}}</span>
+					<span class="not-mobile">{{svg "octicon-triangle-down"}}</span>
 				</span>
-				<div class="menu user-menu" tabindex="-1">
+				<div class="menu user-menu">
 					<div class="ui header">
 						{{.locale.Tr "signed_in_as"}} <strong>{{.SignedUser.Name}}</strong>
 					</div>
@ -72,22 +69,20 @@
 					<div class="divider"></div>
 					<a class="item link-action" href data-url="{{AppSubUrl}}/user/logout" data-redirect="{{AppSubUrl}}/">
 						{{svg "octicon-sign-out"}}
-						{{.locale.Tr "sign_out"}}<!-- Sign Out -->
+						{{.locale.Tr "sign_out"}}
 					</a>
 				</div><!-- end content avatar menu -->
 			</div><!-- end dropdown avatar menu -->
-		</div>
-	{{else if .IsSigned}}
-		<div class="right stackable menu">
+		{{else if .IsSigned}}
 			{{if EnableTimetracking}}
-			<a class="active-stopwatch-trigger item ui gt-mx-0{{if not .ActiveStopwatch}} gt-hidden{{end}}" href="{{.ActiveStopwatch.IssueLink}}">
-				<span class="fitted gt-relative">
+			<a class="active-stopwatch-trigger item ui gt-mx-0{{if not .ActiveStopwatch}} gt-hidden{{end}}" href="{{.ActiveStopwatch.IssueLink}}" title="{{.locale.Tr "active_stopwatch"}}">
+				<div class="gt-relative">
 					{{svg "octicon-stopwatch"}}
 					<span class="header-stopwatch-dot"></span>
-					<span class="sr-mobile-only">{{.locale.Tr "active_stopwatch"}}</span>
-				</span>
+				</div>
+				<span class="mobile-only gt-ml-2">{{.locale.Tr "active_stopwatch"}}</span>
 			</a>
-			<div class="active-stopwatch-popup tippy-target">
+			<div class="active-stopwatch-popup tippy-target gt-p-3">
 				<div class="gt-df gt-ac">
 					<a class="stopwatch-link gt-df gt-ac" href="{{.ActiveStopwatch.IssueLink}}">
 						{{svg "octicon-issue-opened" 16 "gt-mr-3"}}
@ -100,64 +95,59 @@
 						{{.CsrfTokenHtml}}
 						<button
 							type="submit"
-							class="ui button mini compact basic icon fitted tooltip"
-							data-content="{{.locale.Tr "repo.issues.stop_tracking"}}"
-							data-position="top right"
+							class="ui button mini compact basic icon"
+							data-tooltip-content="{{.locale.Tr "repo.issues.stop_tracking"}}"
 						>{{svg "octicon-square-fill"}}</button>
 					</form>
 					<form class="stopwatch-cancel" method="POST" action="{{.ActiveStopwatch.IssueLink}}/times/stopwatch/cancel">
 						{{.CsrfTokenHtml}}
 						<button
 							type="submit"
-							class="ui button mini compact basic icon fitted tooltip"
-							data-content="{{.locale.Tr "repo.issues.cancel_tracking"}}"
-							data-position="top right"
+							class="ui button mini compact basic icon"
+							data-tooltip-content="{{.locale.Tr "repo.issues.cancel_tracking"}}"
 						>{{svg "octicon-trash"}}</button>
 					</form>
 				</div>
 			</div>
 			{{end}}

-			<a href="{{AppSubUrl}}/notifications" class="item tooltip not-mobile gt-mx-0" data-content="{{.locale.Tr "notifications"}}" aria-label="{{.locale.Tr "notifications"}}">
-				<span class="fitted item">
+			<a href="{{AppSubUrl}}/notifications" class="item not-mobile gt-mx-0" data-tooltip-content="{{.locale.Tr "notifications"}}" aria-label="{{.locale.Tr "notifications"}}">
+				<div class="gt-relative">
 					{{svg "octicon-bell"}}
-					<span class="notification_count{{if not $notificationUnreadCount}} gt-hidden{{end}}">
-						{{$notificationUnreadCount}}
-					</span>
-				</span>
+					<span class="notification_count{{if not $notificationUnreadCount}} gt-hidden{{end}}">{{$notificationUnreadCount}}</span>
+				</div>
 			</a>

-			<div class="ui dropdown jump item tooltip gt-mx-0" data-content="{{.locale.Tr "create_new"}}">
+			<div class="ui dropdown jump item gt-mx-0 gt-pr-3" data-tooltip-content="{{.locale.Tr "create_new"}}">
 				<span class="text">
-					<span class="fitted">{{svg "octicon-plus"}}</span>
-					<span class="sr-mobile-only">{{.locale.Tr "create_new"}}</span>
-					<span class="fitted not-mobile">{{svg "octicon-triangle-down"}}</span>
+					{{svg "octicon-plus"}}
+					<span class="not-mobile">{{svg "octicon-triangle-down"}}</span>
+					<span class="mobile-only">{{.locale.Tr "create_new"}}</span>
 				</span>
 				<div class="menu">
 					<a class="item" href="{{AppSubUrl}}/repo/create">
-						<span class="fitted">{{svg "octicon-plus"}}</span> {{.locale.Tr "new_repo"}}
+						{{svg "octicon-plus"}} {{.locale.Tr "new_repo"}}
 					</a>
 					{{if not .DisableMigrations}}
 						<a class="item" href="{{AppSubUrl}}/repo/migrate">
-							<span class="fitted">{{svg "octicon-repo-push"}}</span> {{.locale.Tr "new_migrate"}}
+							{{svg "octicon-repo-push"}} {{.locale.Tr "new_migrate"}}
 						</a>
 					{{end}}
 					{{if .SignedUser.CanCreateOrganization}}
 					<a class="item" href="{{AppSubUrl}}/org/create">
-						<span class="fitted">{{svg "octicon-organization"}}</span> {{.locale.Tr "new_org"}}
+						{{svg "octicon-organization"}} {{.locale.Tr "new_org"}}
 					</a>
 					{{end}}
 				</div><!-- end content create new menu -->
 			</div><!-- end dropdown menu create new -->

-			<div class="ui dropdown jump item tooltip gt-mx-0" data-content="{{.locale.Tr "user_profile_and_more"}}">
-				<span class="text">
-					{{avatar $.Context .SignedUser 24 "tiny"}}
-					<span class="sr-only">{{.locale.Tr "user_profile_and_more"}}</span>
-					<span class="mobile-only">{{.SignedUser.Name}}</span>
-					<span class="fitted not-mobile" tabindex="-1">{{svg "octicon-triangle-down"}}</span>
+			<div class="ui dropdown jump item gt-mx-0 gt-pr-3" data-tooltip-content="{{.locale.Tr "user_profile_and_more"}}">
+				<span class="text gt-df gt-ac">
+					{{avatar $.Context .SignedUser 24 "gt-mr-2"}}
+					<span class="mobile-only gt-ml-2">{{.SignedUser.Name}}</span>
+					<span class="not-mobile">{{svg "octicon-triangle-down"}}</span>
 				</span>
-				<div class="menu user-menu" tabindex="-1">
+				<div class="menu user-menu">
 					<div class="ui header">
 						{{.locale.Tr "signed_in_as"}} <strong>{{.SignedUser.Name}}</strong>
 					</div>
@ -165,7 +155,7 @@
 					<div class="divider"></div>
 					<a class="item" href="{{.SignedUser.HomeLink}}">
 						{{svg "octicon-person"}}
-						{{.locale.Tr "your_profile"}}<!-- Your profile -->
+						{{.locale.Tr "your_profile"}}
 					</a>
 					{{if not .DisableStars}}
 						<a class="item" href="{{.SignedUser.HomeLink}}?tab=stars">
@ -175,15 +165,15 @@
 					{{end}}
 					<a class="item" href="{{AppSubUrl}}/notifications/subscriptions">
 						{{svg "octicon-bell"}}
-						{{.locale.Tr "notification.subscriptions"}}<!-- Subscriptions -->
+						{{.locale.Tr "notification.subscriptions"}}
 					</a>
 					<a class="{{if .PageIsUserSettings}}active {{end}}item" href="{{AppSubUrl}}/user/settings">
 						{{svg "octicon-tools"}}
-						{{.locale.Tr "your_settings"}}<!-- Your settings -->
+						{{.locale.Tr "your_settings"}}
 					</a>
 					<a class="item" target="_blank" rel="noopener noreferrer" href="https://docs.opendev.org/opendev/infra-manual/latest/gettingstarted.html">
 						{{svg "octicon-repo-push"}}
-						Get Started<!-- Get Started -->
+						Get Started
 					</a>
 					{{if .IsAdmin}}
 						<div class="divider"></div>
@ -201,10 +191,7 @@
 					</a>
 				</div><!-- end content avatar menu -->
 			</div><!-- end dropdown avatar menu -->
-		</div><!-- end signed user right menu -->
-	{{else}}
-		<a class="item" target="_blank" rel="noopener noreferrer" href="https://docs.opendev.org/opendev/infra-manual/latest/gettingstarted.html">Get Started</a>
-		<div class="right stackable menu">
+		{{else}}
 			<!-- Intentionally removed as this is a read only gitea
 			{{if .ShowRegistrationButton}}
 				<a class="item{{if .PageIsSignUp}} active{{end}}" href="{{AppSubUrl}}/user/sign_up">
@ -215,6 +202,6 @@
 				{{svg "octicon-sign-in"}} {{.locale.Tr "sign_in"}}
 			</a>
 			-->
-		</div><!-- end anonymous right menu -->
-	{{end}}
+		{{end}}
+	</div><!-- end full right menu -->
 </nav>
--- a/docker/gitea/custom/templates/custom/header.tmpl
+++ b/docker/gitea/custom/templates/custom/header.tmpl
@ -0,0 +1 @@
+<meta name="theme-color" content="#ee265e"/>
--- a/docker/gitea/custom/templates/repo/header.tmpl
+++ b/docker/gitea/custom/templates/repo/header.tmpl
@ -13,9 +13,6 @@
 					<a href="{{.Owner.HomeLink}}">{{.Owner.Name}}</a>
 					<div class="gt-mx-2">/</div>
 					<a href="{{$.RepoLink}}">{{.Name}}</a>
-					{{if $.EnableFeed}}
-						<a href="{{$.RepoLink}}.rss"><i class="ui grey icon tooltip gt-ml-3" data-content="{{$.locale.Tr "rss_feed"}}" data-position="top center">{{svg "octicon-rss" 18}}</i></a>
-					{{end}}
 					<div class="labels gt-df gt-ac gt-fw">
 						{{if .IsTemplate}}
 							{{if .IsPrivate}}
@ -38,9 +35,12 @@
 							<span class="ui basic label">{{$.locale.Tr "repo.desc.archived"}}</span>
 						{{end}}
 					</div>
+					{{if $.EnableFeed}}
+						<a class="rss-icon gt-ml-3" href="{{$.RepoLink}}.rss" data-tooltip-content="{{$.locale.Tr "rss_feed"}}">{{svg "octicon-rss" 18}}</a>
+					{{end}}
 				</div>
-				{{if and $.IsPullMirror $.Mirror}}
-					{{$address := MirrorRemoteAddress $.Context . $.Mirror.GetRemoteName false}}
+				{{if $.PullMirror}}
+					{{$address := MirrorRemoteAddress $.Context . $.PullMirror.GetRemoteName false}}
 					<div class="fork-flag">{{$.locale.Tr "repo.mirror_from"}} <a target="_blank" rel="noopener noreferrer" href="{{$address.Address}}">{{$address.Address}}</a></div>
 				{{end}}
 				{{if .IsFork}}<div class="fork-flag">{{$.locale.Tr "repo.forked_from"}} <a href="{{.BaseRepo.Link}}">{{.BaseRepo.FullName}}</a></div>{{end}}
@ -52,16 +52,16 @@
 					{{if $.RepoTransfer}}
 						<form method="post" action="{{$.RepoLink}}/action/accept_transfer?redirect_to={{$.RepoLink}}">
 							{{$.CsrfTokenHtml}}
-							<div class="ui tooltip" data-content="{{if $.CanUserAcceptTransfer}}{{$.locale.Tr "repo.transfer.accept_desc" $.RepoTransfer.Recipient.DisplayName}}{{else}}{{$.locale.Tr "repo.transfer.no_permission_to_accept"}}{{end}}" data-position="bottom center">
-								<button type="submit" class="ui button {{if $.CanUserAcceptTransfer}}green {{end}} ok inverted small"{{if not $.CanUserAcceptTransfer}} disabled{{end}}>
+							<div data-tooltip-content="{{if $.CanUserAcceptTransfer}}{{$.locale.Tr "repo.transfer.accept_desc" $.RepoTransfer.Recipient.DisplayName}}{{else}}{{$.locale.Tr "repo.transfer.no_permission_to_accept"}}{{end}}">
+								<button type="submit" class="ui basic button {{if $.CanUserAcceptTransfer}}green {{end}} ok small"{{if not $.CanUserAcceptTransfer}} disabled{{end}}>
 									{{$.locale.Tr "repo.transfer.accept"}}
 								</button>
 							</div>
 						</form>
 						<form method="post" action="{{$.RepoLink}}/action/reject_transfer?redirect_to={{$.RepoLink}}">
 							{{$.CsrfTokenHtml}}
-							<div class="ui tooltip" data-content="{{if $.CanUserAcceptTransfer}}{{$.locale.Tr "repo.transfer.reject_desc" $.RepoTransfer.Recipient.DisplayName}}{{else}}{{$.locale.Tr "repo.transfer.no_permission_to_reject"}}{{end}}" data-position="bottom center">
-								<button type="submit" class="ui button {{if $.CanUserAcceptTransfer}}red {{end}}ok inverted small"{{if not $.CanUserAcceptTransfer}} disabled{{end}}>
+							<div data-tooltip-content="{{if $.CanUserAcceptTransfer}}{{$.locale.Tr "repo.transfer.reject_desc" $.RepoTransfer.Recipient.DisplayName}}{{else}}{{$.locale.Tr "repo.transfer.no_permission_to_reject"}}{{end}}">
+								<button type="submit" class="ui basic button {{if $.CanUserAcceptTransfer}}red {{end}}ok small"{{if not $.CanUserAcceptTransfer}} disabled{{end}}>
 									{{$.locale.Tr "repo.transfer.reject"}}
 								</button>
 							</div>
@ -69,7 +69,7 @@
 					{{end}}
 					<form method="post" action="{{$.RepoLink}}/action/{{if $.IsWatchingRepo}}un{{end}}watch?redirect_to={{$.Link}}">
 						{{$.CsrfTokenHtml}}
-						<div class="ui labeled button{{if not $.IsSigned}} tooltip{{end}}"{{if not $.IsSigned}} data-content="{{$.locale.Tr "repo.watch_guest_user"}}" data-position="top center"{{end}}>
+						<div class="ui labeled button" {{if not $.IsSigned}}data-tooltip-content="{{$.locale.Tr "repo.watch_guest_user"}}"{{end}}>
 							<button type="submit" class="ui compact small basic button"{{if not $.IsSigned}} disabled{{end}}>
 								{{if $.IsWatchingRepo}}{{svg "octicon-eye-closed" 16}}{{$.locale.Tr "repo.unwatch"}}{{else}}{{svg "octicon-eye"}}{{$.locale.Tr "repo.watch"}}{{end}}
 							</button>
@ -81,7 +81,7 @@
 					{{if not $.DisableStars}}
 						<form method="post" action="{{$.RepoLink}}/action/{{if $.IsStaringRepo}}un{{end}}star?redirect_to={{$.Link}}">
 							{{$.CsrfTokenHtml}}
-							<div class="ui labeled button{{if not $.IsSigned}} tooltip{{end}}"{{if not $.IsSigned}} data-content="{{$.locale.Tr "repo.star_guest_user"}}" data-position="top center"{{end}}>
+							<div class="ui labeled button" {{if not $.IsSigned}}data-tooltip-content="{{$.locale.Tr "repo.star_guest_user"}}"{{end}}>
 								<button type="submit" class="ui compact small basic button"{{if not $.IsSigned}} disabled{{end}}>
 									{{if $.IsStaringRepo}}{{svg "octicon-star-fill"}}{{$.locale.Tr "repo.unstar"}}{{else}}{{svg "octicon-star"}}{{$.locale.Tr "repo.star"}}{{end}}
 								</button>
@ -94,14 +94,14 @@
 					{{if and (not .IsEmpty) ($.Permission.CanRead $.UnitTypeCode)}}
 						<div class="ui labeled button
 							{{if or (not $.IsSigned) (and (not $.CanSignedUserFork) (eq (len $.UserAndOrgForks) 0))}}
-								tooltip disabled
+								disabled
 							{{end}}"
 							{{if not $.IsSigned}}
-								data-content="{{$.locale.Tr "repo.fork_guest_user"}}"
+								data-tooltip-content="{{$.locale.Tr "repo.fork_guest_user"}}"
 							{{else if and (not $.CanSignedUserFork) (eq (len $.UserAndOrgForks) 0)}}
-								data-content="{{$.locale.Tr "repo.fork_from_self"}}"
+								data-tooltip-content="{{$.locale.Tr "repo.fork_from_self"}}"
 							{{end}}
-						data-position="top center">
+						>
 							<a class="ui compact{{if $.ShowForkModal}} show-modal{{end}} small basic button"
 								{{if not $.CanSignedUserFork}}
 									{{if gt (len $.UserAndOrgForks) 1}}
@ -119,11 +119,10 @@
 								{{svg "octicon-repo-forked"}}{{$.locale.Tr "repo.fork"}}
 							</a>
 							<div class="ui small modal" id="fork-repo-modal">
-								{{svg "octicon-x" 16 "close inside"}}
 								<div class="header">
 									{{$.locale.Tr "repo.already_forked" .Name}}
 								</div>
-								<div class="content gt-tl">
+								<div class="content gt-text-left">
 									<div class="ui list">
 										{{range $.UserAndOrgForks}}
 											<div class="ui item gt-py-3">
@ -154,7 +153,7 @@
 {{end}}
 	<div class="ui tabs container">
 		{{if not (or .Repository.IsBeingCreated .Repository.IsBroken)}}
-			<div class="ui tabular stackable menu navbar">
+			<div class="ui tabular menu navbar gt-overflow-x-auto gt-overflow-y-hidden">
 				{{if .Permission.CanRead $.UnitTypeCode}}
 				<a class="{{if .PageIsViewCode}}active {{end}}item" href="{{.RepoLink}}{{if (ne .BranchName .Repository.DefaultBranch)}}/src/{{.BranchNameSubURL}}{{end}}">
 					{{svg "octicon-code"}} {{.locale.Tr "repo.code"}}
@ -185,9 +184,18 @@
 					</a>
 				{{end}}

+				{{if and .EnableActions (not .UnitActionsGlobalDisabled) (.Permission.CanRead $.UnitTypeActions)}}
+					<a class="{{if .PageIsActions}}active {{end}}item" href="{{.RepoLink}}/actions">
+						{{svg "octicon-play"}} {{.locale.Tr "actions.actions"}}
+						{{if .Repository.NumOpenActionRuns}}
+							<span class="ui small label">{{CountFmt .Repository.NumOpenActionRuns}}</span>
+						{{end}}
+					</a>
+				{{end}}
+
 				<!-- Added to redirect PR links to Gerrit -->
 				<a class="item" href="https://review.opendev.org/#/q/status:open+project:{{.Owner.Name}}/{{.Repository.Name}}">
-					{{svg "octicon-git-pull-request"}} Proposed changes </span>
+					{{svg "octicon-git-pull-request"}} Proposed changes
 				</a>

 				{{if .Permission.CanRead $.UnitTypePackages}}
@ -207,7 +215,7 @@

 				<!-- Removed intentionally as tarballs of repos that would normally need an intelligent process to create source artifacts is not a useful feature
 				{{if and (.Permission.CanRead $.UnitTypeReleases) (not .IsEmptyRepo)}}
-				<a class="{{if .PageIsReleaseList}}active {{end}}item" href="{{.RepoLink}}/releases">
+				<a class="{{if or .PageIsReleaseList .PageIsTagList}}active {{end}}item" href="{{.RepoLink}}/releases">
 					{{svg "octicon-tag"}} {{.locale.Tr "repo.releases"}}
 					{{if .NumReleases}}
 						<span class="ui small label">{{CountFmt .NumReleases}}</span>
@ -216,12 +224,18 @@
 				{{end}}
 				-->

-				{{if or (.Permission.CanRead $.UnitTypeWiki) (.Permission.CanRead $.UnitTypeExternalWiki)}}
-					<a class="{{if .PageIsWiki}}active {{end}}item" href="{{.RepoLink}}/wiki" {{if and (.Permission.CanRead $.UnitTypeExternalWiki) (not (HasPrefix ((.Repository.MustGetUnit $.Context $.UnitTypeExternalWiki).ExternalWikiConfig.ExternalWikiURL) (.Repository.Link)))}} target="_blank" rel="noopener noreferrer" {{end}}>
+				{{if .Permission.CanRead $.UnitTypeWiki}}
+					<a class="{{if .PageIsWiki}}active {{end}}item" href="{{.RepoLink}}/wiki">
 						{{svg "octicon-book"}} {{.locale.Tr "repo.wiki"}}
 					</a>
 				{{end}}

+				{{if .Permission.CanRead $.UnitTypeExternalWiki}}
+					<a class="item" href="{{(.Repository.MustGetUnit $.Context $.UnitTypeExternalWiki).ExternalWikiConfig.ExternalWikiURL}}" target="_blank" rel="noopener noreferrer">
+						{{svg "octicon-link-external"}} {{.locale.Tr "repo.wiki"}}
+					</a>
+				{{end}}
+
 				<!-- Removed intentionally as the activity graphs don't show a complete picture of activity due to our use of Gerrit
 				{{if and (.Permission.CanReadAny $.UnitTypePullRequests $.UnitTypeIssues $.UnitTypeReleases) (not .IsEmptyRepo)}}
 					<a class="{{if .PageIsActivity}}active {{end}}item" href="{{.RepoLink}}/activity">
@ -233,20 +247,16 @@
 				{{template "custom/extra_tabs" .}}

 				{{if .Permission.IsAdmin}}
-					<div class="right menu">
-						<a class="{{if .PageIsSettings}}active {{end}}item" href="{{.RepoLink}}/settings">
-							{{svg "octicon-tools"}} {{.locale.Tr "repo.settings"}}
-						</a>
-					</div>
+					<a class="{{if .PageIsRepoSettings}}active {{end}}right item" href="{{.RepoLink}}/settings">
+						{{svg "octicon-tools"}} {{.locale.Tr "repo.settings"}}
+					</a>
 				{{end}}
 			</div>
 		{{else if .Permission.IsAdmin}}
-			<div class="ui tabular stackable menu navbar">
-				<div class="right menu">
-					<a class="{{if .PageIsSettings}}active {{end}}item" href="{{.RepoLink}}/settings">
-						{{svg "octicon-tools"}} {{.locale.Tr "repo.settings"}}
-					</a>
-				</div>
+			<div class="ui tabular menu navbar gt-overflow-x-auto gt-overflow-y-hidden">
+				<a class="{{if .PageIsRepoSettings}}active {{end}}right item" href="{{.RepoLink}}/settings">
+					{{svg "octicon-tools"}} {{.locale.Tr "repo.settings"}}
+				</a>
 			</div>
 		{{end}}
 	</div>
--- a/playbooks/roles/gitea/templates/app.ini.j2
+++ b/playbooks/roles/gitea/templates/app.ini.j2
@ -1,33 +1,34 @@
 APP_NAME = OpenDev: Free Software Needs Free Tools
 RUN_MODE = prod
 RUN_USER = git
+; TODO determine if this is appropriate for our existing installation
+WORK_PATH= /data/gitea

 [server]
-APP_DATA_PATH    = /data/gitea
-SSH_DOMAIN       = localhost
-PROTOCOL         = https
-HTTP_PORT        = 3000
-ROOT_URL         = https://opendev.org/
-DISABLE_SSH      = false
-SSH_PORT         = 22
-LFS_CONTENT_PATH = /data/git/lfs
-DOMAIN           = localhost
+APP_DATA_PATH = /data/gitea
+SSH_DOMAIN = localhost
+PROTOCOL = https
+HTTP_PORT = 3000
+ROOT_URL = https://opendev.org/
+DISABLE_SSH = false
+SSH_PORT = 22
+DOMAIN = localhost
 LFS_START_SERVER = true
-LFS_JWT_SECRET   = {{ gitea_lfs_jwt_secret }}
-OFFLINE_MODE     = false
-CERT_FILE        = /certs/cert.pem
-KEY_FILE         = /certs/key.pem
+LFS_JWT_SECRET = {{ gitea_lfs_jwt_secret }}
+OFFLINE_MODE = false
+CERT_FILE = /certs/cert.pem
+KEY_FILE = /certs/key.pem
 REDIRECT_OTHER_PORT = true
 PORT_TO_REDIRECT = 3080

 [database]
-DB_TYPE  = mysql
-HOST     = localhost:3306
-NAME     = gitea
-USER     = {{ gitea_db_username }}
-PASSWD   = {{ gitea_db_password }}
+DB_TYPE = mysql
+HOST = localhost:3306
+NAME = gitea
+USER = {{ gitea_db_username }}
+PASSWD = {{ gitea_db_password }}
 SSL_MODE = disable
-LOG_SQL  = false
+LOG_SQL = false

 [repository]
 ROOT = /data/git/repositories
@ -54,46 +55,53 @@ STARTUP_TIMEOUT = 300s

 [session]
 PROVIDER_CONFIG = /data/gitea/sessions
-PROVIDER        = file
+PROVIDER = file

 [picture]
 AVATAR_UPLOAD_PATH = /data/gitea/avatars
-DISABLE_GRAVATAR   = true
+DISABLE_GRAVATAR = true

 [attachment]
 PATH = /data/gitea/attachments

 [log]
 ROOT_PATH = /logs
-LEVEL     = Info
+LEVEL = Info
 STACKTRACE_LEVEL = Error
-ENABLE_ACCESS_LOG = true
+logger.access.MODE = file
+{% raw -%}
+ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}" "{{.Ctx.Req.UserAgent}}"
+{% endraw %}

 [security]
-INSTALL_LOCK   = true
-SECRET_KEY     = {{ gitea_secret_key }}
+INSTALL_LOCK = true
+SECRET_KEY = {{ gitea_secret_key }}
 INTERNAL_TOKEN = {{ gitea_internal_token }}
 PASSWORD_COMPLEXITY = lower,upper,digit

 [service]
-DISABLE_REGISTRATION              = true
-SHOW_REGISTRATION_BUTTON          = false
-REQUIRE_SIGNIN_VIEW               = false
-REGISTER_EMAIL_CONFIRM            = false
-ENABLE_NOTIFY_MAIL                = false
-ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
-ENABLE_CAPTCHA                    = false
-DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DISABLE_REGISTRATION = true
+SHOW_REGISTRATION_BUTTON = false
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
-ENABLE_TIMETRACKING               = false
-DEFAULT_ENABLE_TIMETRACKING       = false
-NO_REPLY_ADDRESS                  = noreply.example.org
+ENABLE_TIMETRACKING = false
+DEFAULT_ENABLE_TIMETRACKING = false
+NO_REPLY_ADDRESS = noreply.example.org

 [mailer]
 ENABLED = false

 [oauth2]
 ENABLE = false
+; TODO we don't do oauth2 do we need to set this value?
+JWT_SECRET = {{ gitea_oauth2_jwt_secret }}
+; TODO we don't do oauth2 do we need to set this value?
+JWT_SIGNING_PRIVATE_KEY_FILE = /data/gitea/jwt/private.pem

 [openid]
 ENABLE_OPENID_SIGNIN = false
@ -104,12 +112,13 @@ ENABLED = true
 ; List of file extensions that should be rendered by an external command
 FILE_EXTENSIONS = .rst
 ; External command to render all matching extensions
-RENDER_COMMAND = "/usr/bin/pandoc -f rst"
+RENDER_COMMAND = /usr/bin/pandoc -f rst
 ; Input is not a standard input but a file
 IS_INPUT_FILE = false

-[ui]
-THEME_COLOR_META_TAG = `#ee265e`
-
 [actions]
 ENABLED = false
+
+[lfs]
+STORAGE_TYPE = local
+PATH = /data/git/lfs
--- a/playbooks/test-gitea.yaml
+++ b/playbooks/test-gitea.yaml
@ -63,6 +63,13 @@
  vars:
    repolist: /home/zuul/src/opendev.org/opendev/system-config/playbooks/zuul/test_gitea_renames.yaml

+- hosts: "gitea"
+  tasks:
+    - name: Make gitea access logs readable by zuul for log collection
+      file:
+        path: /var/gitea/logs/access.log
+        mode: o+r
+
 # This is conveniently left here so that it can be uncommented in order to
 # autohold the system-config-run-gitea job in zuul.
 #- hosts: bridge.openstack.org
--- a/playbooks/zuul/templates/group_vars/gitea.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/gitea.yaml.j2
@ -1,6 +1,7 @@
 gitea_secret_key: zcHsCZsYrOUrQd24nlJS9xRCwek3uzp8X5OFQGJox4jkEbuIyeJoxtv7n00uV6Tp
 gitea_internal_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1NTAyNjk3ODV9.QaommLldgEJr9E26VrPp7l7gKo3zpywTM9botpVoyqc
 gitea_lfs_jwt_secret: qzeNfUus9JJ15eJZwpSlU3P5Ca62Oei3NrjVbb97mdI
+gitea_oauth2_jwt_secret: iagierahva3far4pahguah2Eaphai1siGh7Quohcupi
 gitea_root_db_password: TlG1lNXKLfruXN0j
 gitea_db_username: gitea
 gitea_db_password: 5bfuOBKtltff0XZX
				`@ -0,0 +1 @@`
				`<meta name="theme-color" content="#ee265e"/>`