We are proud to present the release of Gitea version 1.16.1 (and 1.16.0).
We have merged [19](https://github.com/go-gitea/gitea/pulls?q=is%3Apr+milestone%3A1.16.1+is%3Amerged) pull requests to release version 1.16.1 and [617](https://github.com/go-gitea/gitea/pulls?q=is%3Apr+milestone%3A1.16.0+is%3Amerged) to release version 1.16.0.
You can download one of our pre-built binaries from our [downloads page](https://dl.gitea.com/gitea/1.16.1/) - make sure to select the correct platform! For further details on how to install, follow our [installation guide](https://docs.gitea.com/installation/install-from-binary).
We would also like to thank all of our supporters on [Open Collective](https://opencollective.com/gitea) who are helping to sustain us financially.
**Have you heard? We now have a [swag shop](https://shop.gitea.io)! :shirt: :tea:**
<!--more-->
Now on to the changes!
## Breaking Changes (or potentially breaking)
### :exclamation: Only allow webhook to send requests to allowed hosts ([#17482](https://github.com/go-gitea/gitea/pull/17482))
For security reasons, the webhook should only send requests to allowed hosts.
This PR introduced `ALLOWED_HOST_LIST` with a default value of **external**, meaning that webhooks can by default only call external hosts.
Although `ALLOWED_HOST_LIST` was backported to 1.15, the default value in 1.16 is different and stricter. If you need to allow webhooks to call local network hosts, you must explicitly allow those IPs/hosts.
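A simplified model of how an `ALLOWED_HOST_LIST` value decides whether a webhook target may be called, added here as an illustration and not taken from Gitea's code. It assumes the built-in classes `loopback`, `private`, `external` and `*` plus CIDR and wildcard-host entries; `hostAllowed` and the sample targets are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"path"
	"strings"
)

// hostAllowed models an ALLOWED_HOST_LIST decision (illustrative, not Gitea's code).
// list mixes built-in classes (loopback, private, external, *), CIDRs and wildcard
// host patterns; host is the webhook URL's host name, ip the address it resolved to.
func hostAllowed(list, host string, ip net.IP) bool {
	for _, entry := range strings.Split(list, ",") {
		entry = strings.ToLower(strings.TrimSpace(entry))
		switch entry {
		case "":
			continue
		case "*":
			return true
		case "loopback":
			if ip.IsLoopback() {
				return true
			}
		case "private":
			if ip.IsPrivate() {
				return true
			}
		case "external":
			// Global unicast already excludes loopback, link-local and multicast.
			if ip.IsGlobalUnicast() && !ip.IsPrivate() {
				return true
			}
		default:
			if _, cidr, err := net.ParseCIDR(entry); err == nil {
				if cidr.Contains(ip) {
					return true
				}
				continue
			}
			if ok, _ := path.Match(entry, strings.ToLower(host)); ok {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample targets: host name and the address it resolves to.
	targets := [][2]string{
		{"hooks.example.com", "203.0.113.10"},
		{"ci.corp.example", "10.0.0.5"},
		{"nas.lan", "192.168.1.20"},
		{"localhost", "127.0.0.1"},
		{"metadata", "169.254.169.254"},
	}
	for _, list := range []string{"external", "external, 192.168.1.0/24, *.corp.example"} {
		fmt.Printf("ALLOWED_HOST_LIST = %s\n", list)
		for _, t := range targets {
			fmt.Printf("  %-18s %-16s allowed=%v\n", t[0], t[1], hostAllowed(list, t[0], net.ParseIP(t[1])))
		}
	}
}
```

With the 1.16 default of `external`, only the first target is allowed; the second list shows internal hosts being opted in one range or name pattern at a time rather than by switching to `*`.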
We no longer store the vendored directory within git. Users building directly from git checkouts should run `make vendor` on pulls or when changing branches.
### :exclamation: Paginate releases page & set default page size to 10 ([#16857](https://github.com/go-gitea/gitea/pull/16857))
We have reduced the number of releases shown on the releases page from 30 to 10 and added paging.
Users may change the default value by setting:
```ini
[repository.release]
DEFAULT_PAGING_NUM=10
```
### :exclamation: Use shadowing script for docker ([#17846](https://github.com/go-gitea/gitea/pull/17846))
Too many docker users are caught out by the default location for the
app.ini file being environment dependent so that when they docker exec
into the container the gitea commands do not work properly and require
additional `-c` arguments to correctly pick up the configuration.
This PR simply shadows the gitea binary using variants of the FHS
compatible script to make the command gitea have the default locations
by default.
Although this PR should be non-breaking for most configurations and
should make things simpler for docker users in general, there was a
slightly unforeseen issue in that SSH passthrough configurations that
rely on the path of the gitea binary being `/app/gitea/gitea` will
need to update this to `/usr/local/bin/gitea` (likely including moving
their host shim from `/app/gitea/gitea` to `/usr/local/bin/gitea`).
Users should use `/usr/local/bin/gitea` in preference to
`/app/gitea/gitea` when executing in the Docker container, as this will
automatically set the correct paths and environment for them.
### :exclamation: Support webauthn ([#17957](https://github.com/go-gitea/gitea/pull/17957))
U2F support has been deprecated by major browsers and therefore we've had to migrate to WebAuthn. We've attempted to create a backwards-compatible migration; however, the website relying party ID used for WebAuthn is not the same as that used by U2F.
To support previously registered U2F keys, Gitea will use the app_id extension and will send the contents of `[U2F] APP_ID` as this app_id. This will need to match your original U2F configuration.
## Major Features
### Add agit workflow support ([#14295](https://github.com/go-gitea/gitea/pull/14295))
The agit workflow is a new feature of recent Git versions. Reference: https://git-repo.info/en/2020/03/agit-flow-and-git-repo/
![agit](/demos/14295/1.gif)
_Thanks to [**@a1012112796**](https://github.com/a1012112796)_
### Add bundle download for repository ([#14538](https://github.com/go-gitea/gitea/pull/14538))
Adds another download type for repositories: [bundle](https://git-scm.com/book/en/v2/Git-Tools-Bundling).
_Thanks to [**@jolheiser**](https://github.com/jolheiser)_
### Add support for corporate WeChat webhooks ([#15910](https://github.com/go-gitea/gitea/pull/15910))
Support corporate WeChat webhooks.
_Thanks to [**@lengyuqu**](https://github.com/lengyuqu)_
### Add RSS/Atom feed support for user actions ([#16002](https://github.com/go-gitea/gitea/pull/16002))
Add RSS/Atom feed support for user actions.
_Thanks to [**@6543**](https://github.com/6543)_
### Migrate from OneDev ([#16356](https://github.com/go-gitea/gitea/pull/16356)), GitBucket ([#16767](https://github.com/go-gitea/gitea/pull/16767)), CodeBase ([#16768](https://github.com/go-gitea/gitea/pull/16768))
Support migrating issues, comments, pull requests, etc. from OneDev, GitBucket and CodeBase.
_Thanks to [**@KN4CK3R**](https://github.com/KN4CK3R)_
### Support unprotected file patterns ([#16395](https://github.com/go-gitea/gitea/pull/16395))
Support unprotected file patterns in a protected branch.
_Thanks to [**@jpraet**](https://github.com/jpraet)_
### Add microsoft oauth2 providers ([#16544](https://github.com/go-gitea/gitea/pull/16544))
Users commonly want to be able to use their AzureAD or MicrosoftOnline accounts with Gitea.
_Thanks to [**@zeripath**](https://github.com/zeripath)_
### Add proxy settings and support for migration and webhook ([#16704](https://github.com/go-gitea/gitea/pull/16704))
Add proxy support, which should be applied to every request to an external http/https URL.
_Thanks to [**@lunny**](https://github.com/lunny)_
### Save and view issue/comment content history ([#16909](https://github.com/go-gitea/gitea/pull/16909))
The change history of an issue or comment can now be reviewed.
![issue/comment history](/demos/16909/1.png)
_Thanks to [**@wxiaoguang**](https://github.com/wxiaoguang)_
### Basic Support for federation ([#16953](https://github.com/go-gitea/gitea/pull/16953)), ([#17071](https://github.com/go-gitea/gitea/pull/17071))
_Thanks to [**@techknowlogick**](https://github.com/techknowlogick)_
### Add copy button to markdown code blocks ([#17638](https://github.com/go-gitea/gitea/pull/17638))
![copy button](/demos/17638/1.png)
_Thanks to [**@silverwind**](https://github.com/silverwind)_
### Use git attributes to determine language, generated & vendored status for language stats and diffs, blame, and render ([#17590](https://github.com/go-gitea/gitea/pull/17590)) & ([#16773](https://github.com/go-gitea/gitea/pull/16773))
Detection of vendored and generated files, and language detection, using `.gitattributes` is now supported on the blame, diff and render pages.
_Thanks to [**@zeripath**](https://github.com/zeripath)_
### Load suppressed large diffs and incomplete diffs ([#17739](https://github.com/go-gitea/gitea/pull/17739)) & ([#16829](https://github.com/go-gitea/gitea/pull/16829))
Large diffs (more than `MAX_GIT_DIFF_LINES` long) are suppressed by default in Gitea. This PR now adds a load button to allow
these to be loaded and rendered. Similarly for incomplete diffs.
_Thanks to [**@zeripath**](https://github.com/zeripath)_
### Defer Last Commit Info ([#16467](https://github.com/go-gitea/gitea/pull/16467))
One of the biggest reasons for slow repository browsing is that we used to
wait until the last commit information was generated for all files in the
repository.
This PR means that Gitea now defers this generation to a new POST endpoint that
does the look up outside of the main page request.
_Thanks to [**@zeripath**](https://github.com/zeripath)_
### Add support for ssh commit signing ([#17743](https://github.com/go-gitea/gitea/pull/17743))
This feature needs git 2.34+ and openssh 8.1+. You can sign/verify your commits with your SSH keys.
![ssh commit signing](/demos/17743/1.png)
_Thanks to [**@42wim**](https://github.com/42wim)_
### Team permission allow different unit has different permission ([#17811](https://github.com/go-gitea/gitea/pull/17811))
Team permission settings now allow different units to have different permissions.
![team permission](/demos/17811/1.png)
_Thanks to [**@lunny**](https://github.com/lunny)_
### Support webauthn ([#17957](https://github.com/go-gitea/gitea/pull/17957))
Since major web browsers will drop support for U2F, we now support WebAuthn instead of U2F.
_Thanks to [**@e3b0c442**](https://github.com/e3b0c442), [**@lunny**](https://github.com/lunny), [**@zeripath**](https://github.com/zeripath)_
### More API Supports ([#17963](https://github.com/go-gitea/gitea/pull/17963)), ([#17652](https://github.com/go-gitea/gitea/pull/17652)), ([#17403](https://github.com/go-gitea/gitea/pull/17403)), ([#17278](https://github.com/go-gitea/gitea/pull/17278)), ([#17095](https://github.com/go-gitea/gitea/pull/17095)), ([#17232](https://github.com/go-gitea/gitea/pull/17232)), ([#16649](https://github.com/go-gitea/gitea/pull/16649))
_Thanks to [**@nitul1991**](https://github.com/nitul1991), [**@qwerty287**](https://github.com/qwerty287), [**@romdum**](https://github.com/romdum)_
* Comments on migrated issues/prs must link to the comment ID ([#18630](https://github.com/go-gitea/gitea/pull/18630)) ([#18637](https://github.com/go-gitea/gitea/pull/18637))
* Stop logging an error when notes are not found ([#18626](https://github.com/go-gitea/gitea/pull/18626)) ([#18635](https://github.com/go-gitea/gitea/pull/18635))
* Ensure that blob-excerpt links work for wiki ([#18587](https://github.com/go-gitea/gitea/pull/18587)) ([#18624](https://github.com/go-gitea/gitea/pull/18624))
* Only attempt to flush queue if the underlying worker pool is not finished ([#18593](https://github.com/go-gitea/gitea/pull/18593)) ([#18620](https://github.com/go-gitea/gitea/pull/18620))
* Ensure commit-statuses box is sized correctly in headers ([#18538](https://github.com/go-gitea/gitea/pull/18538)) ([#18606](https://github.com/go-gitea/gitea/pull/18606))
* Prevent merge messages from being sorted to the top of email chains ([#18566](https://github.com/go-gitea/gitea/pull/18566)) ([#18588](https://github.com/go-gitea/gitea/pull/18588))
* Prevent panic on prohibited user login with oauth2 ([#18562](https://github.com/go-gitea/gitea/pull/18562)) ([#18563](https://github.com/go-gitea/gitea/pull/18563))
* Collaborator trust model should trust collaborators ([#18539](https://github.com/go-gitea/gitea/pull/18539)) ([#18557](https://github.com/go-gitea/gitea/pull/18557))
* Detect conflicts with 3way merge ([#18536](https://github.com/go-gitea/gitea/pull/18536)) ([#18537](https://github.com/go-gitea/gitea/pull/18537))
* In docker rootless use $GITEA_APP_INI if provided ([#18524](https://github.com/go-gitea/gitea/pull/18524)) ([#18535](https://github.com/go-gitea/gitea/pull/18535))
* Fix for AvatarURL database type ([#18487](https://github.com/go-gitea/gitea/pull/18487)) ([#18529](https://github.com/go-gitea/gitea/pull/18529))
* Use `ImagedProvider` for gplus oauth2 provider ([#18504](https://github.com/go-gitea/gitea/pull/18504)) ([#18505](https://github.com/go-gitea/gitea/pull/18505))
* Use "read" value for General Access ([#18496](https://github.com/go-gitea/gitea/pull/18496)) ([#18500](https://github.com/go-gitea/gitea/pull/18500))
* Prevent NPE on partial match of compare URL and allow short SHA1 compare URLs ([#18472](https://github.com/go-gitea/gitea/pull/18472)) ([#18473](https://github.com/go-gitea/gitea/pull/18473))
* BUILD
* Make docker gitea/gitea:v1.16-dev etc refer to the latest build on that branch ([#18551](https://github.com/go-gitea/gitea/pull/18551)) ([#18569](https://github.com/go-gitea/gitea/pull/18569))
* DOCS
* Update 1.16.0 changelog to set #17846 as breaking ([#18533](https://github.com/go-gitea/gitea/pull/18533)) ([#18534](https://github.com/go-gitea/gitea/pull/18534))
* Paginate releases page & set default page size to 10 ([#16857](https://github.com/go-gitea/gitea/pull/16857))
* Use shadowing script for docker ([#17846](https://github.com/go-gitea/gitea/pull/17846))
* Only allow webhook to send requests to allowed hosts ([#17482](https://github.com/go-gitea/gitea/pull/17482))
* SECURITY
* Disable content sniffing on `PlainTextBytes` ([#18359](https://github.com/go-gitea/gitea/pull/18359)) ([#18365](https://github.com/go-gitea/gitea/pull/18365))
* Only view milestones from current repo ([#18414](https://github.com/go-gitea/gitea/pull/18414)) ([#18417](https://github.com/go-gitea/gitea/pull/18417))
* Sanitize user-input on file name ([#17666](https://github.com/go-gitea/gitea/pull/17666))
* Use `hostmatcher` to replace `matchlist` to improve blocking of bad hosts in Webhooks ([#17605](https://github.com/go-gitea/gitea/pull/17605))
* FEATURES
* Add/update SMTP auth providers via cli ([#18197](https://github.com/go-gitea/gitea/pull/18197))
* Support webauthn ([#17957](https://github.com/go-gitea/gitea/pull/17957))
* Team permission allow different unit has different permission ([#17811](https://github.com/go-gitea/gitea/pull/17811))
* Implement Well-Known URL for password change ([#17777](https://github.com/go-gitea/gitea/pull/17777))
* Add support for ssh commit signing ([#17743](https://github.com/go-gitea/gitea/pull/17743))
* Allow Loading of Diffs that are too large ([#17739](https://github.com/go-gitea/gitea/pull/17739))
* Add copy button to markdown code blocks ([#17638](https://github.com/go-gitea/gitea/pull/17638))
* Add .gitattribute assisted language detection to blame, diff and render ([#17590](https://github.com/go-gitea/gitea/pull/17590))
* Add `PULL_LIMIT` and `PUSH_LIMIT` to cron.update_mirror task ([#17568](https://github.com/go-gitea/gitea/pull/17568))
* Add Reindex buttons to repository settings page ([#17494](https://github.com/go-gitea/gitea/pull/17494))
* Make SSL cipher suite configurable ([#17440](https://github.com/go-gitea/gitea/pull/17440))
* Add groups scope/claim to OIDC/OAuth2 Provider ([#17367](https://github.com/go-gitea/gitea/pull/17367))
* Add simple update checker to Gitea ([#17212](https://github.com/go-gitea/gitea/pull/17212))
* Migrated Repository will show modifications when possible ([#17191](https://github.com/go-gitea/gitea/pull/17191))
* Create pub/priv keypair for federation ([#17071](https://github.com/go-gitea/gitea/pull/17071))
* Make LDAP be able to skip local 2FA ([#16954](https://github.com/go-gitea/gitea/pull/16954))
* Add nodeinfo endpoint for federation purposes ([#16953](https://github.com/go-gitea/gitea/pull/16953))
* Save and view issue/comment content history ([#16909](https://github.com/go-gitea/gitea/pull/16909))
* Use git attributes to determine generated and vendored status for language stats and diffs ([#16773](https://github.com/go-gitea/gitea/pull/16773))
* Add migrate from Codebase ([#16768](https://github.com/go-gitea/gitea/pull/16768))
* Add migration from GitBucket ([#16767](https://github.com/go-gitea/gitea/pull/16767))
* Fix repository summary on mobile ([#17322](https://github.com/go-gitea/gitea/pull/17322))
* Split `index.js` to separate files ([#17315](https://github.com/go-gitea/gitea/pull/17315))
* Show direct match on top for user search ([#17303](https://github.com/go-gitea/gitea/pull/17303))
* Frontend refactor: move Vue related code from `index.js` to `components` dir, and remove unused codes. ([#17301](https://github.com/go-gitea/gitea/pull/17301))
* Upgrade chi to v5 ([#17298](https://github.com/go-gitea/gitea/pull/17298))
* Disable form autofill ([#17291](https://github.com/go-gitea/gitea/pull/17291))
* Improve behavior of "Fork" button ([#17288](https://github.com/go-gitea/gitea/pull/17288))
* Open markdown image links in new window ([#17287](https://github.com/go-gitea/gitea/pull/17287))
* Add hints for special Wiki pages ([#17283](https://github.com/go-gitea/gitea/pull/17283))
* Move add deploy key form before the list and add a cancel button ([#17228](https://github.com/go-gitea/gitea/pull/17228))
* Allow adding multiple issues to a project ([#17226](https://github.com/go-gitea/gitea/pull/17226))
* Add metrics to get issues by repository ([#17225](https://github.com/go-gitea/gitea/pull/17225))
* Add specific event type to header ([#17222](https://github.com/go-gitea/gitea/pull/17222))
* Redirect on project after issue created ([#17211](https://github.com/go-gitea/gitea/pull/17211))
* Reference in new issue modal: don't pre-populate issue title ([#17208](https://github.com/go-gitea/gitea/pull/17208))
* Always set a unique Message-ID header ([#17206](https://github.com/go-gitea/gitea/pull/17206))
* Add projects and project boards in exposed metrics ([#17202](https://github.com/go-gitea/gitea/pull/17202))
* Add metrics to get issues by label ([#17201](https://github.com/go-gitea/gitea/pull/17201))
* Add protection to disable Gitea when run as root ([#17168](https://github.com/go-gitea/gitea/pull/17168))
* Don't return binary file changes in raw PR diffs by default ([#17158](https://github.com/go-gitea/gitea/pull/17158))
* Support sorting for project board issues ([#17152](https://github.com/go-gitea/gitea/pull/17152))
* Force color-adjust for markdown checkboxes ([#17146](https://github.com/go-gitea/gitea/pull/17146))
* Add option to copy line permalink ([#17145](https://github.com/go-gitea/gitea/pull/17145))
* Move twofactor to models/login ([#17143](https://github.com/go-gitea/gitea/pull/17143))
* Multiple tokens support for migrating from github ([#17134](https://github.com/go-gitea/gitea/pull/17134))
* Unify issue and PR subtitles ([#17133](https://github.com/go-gitea/gitea/pull/17133))
* Make Requests Processes and create process hierarchy. Associate OpenRepository with context. ([#17125](https://github.com/go-gitea/gitea/pull/17125))
* Fix problem when database id is not increment as expected ([#17124](https://github.com/go-gitea/gitea/pull/17124))
* Avatar refactor, move avatar code from `models` to `models.avatars`, remove duplicated code ([#17123](https://github.com/go-gitea/gitea/pull/17123))
* Re-allow clipboard copy on non-https sites ([#17118](https://github.com/go-gitea/gitea/pull/17118))
* DBContext is just a Context ([#17100](https://github.com/go-gitea/gitea/pull/17100))
* Move login related structs and functions to models/login ([#17093](https://github.com/go-gitea/gitea/pull/17093))
* Add SkipLocal2FA option to pam and smtp sources ([#17078](https://github.com/go-gitea/gitea/pull/17078))
* Move db related basic functions to models/db ([#17075](https://github.com/go-gitea/gitea/pull/17075))
* Fixes username tagging in "Reference in new issue" ([#17074](https://github.com/go-gitea/gitea/pull/17074))
* Use light/dark theme based on system preference ([#17051](https://github.com/go-gitea/gitea/pull/17051))
* Always emit the configuration path ([#17036](https://github.com/go-gitea/gitea/pull/17036))
* Add user status filter to admin user management page ([#16770](https://github.com/go-gitea/gitea/pull/16770))
* Add Option to synchronize Admin & Restricted states from OIDC/OAuth2 along with Setting Scopes ([#16766](https://github.com/go-gitea/gitea/pull/16766))
* Do not use thin scrollbars on Firefox ([#16738](https://github.com/go-gitea/gitea/pull/16738))
* Download LFS in git and web workflow from minio/s3 directly (SERVE_DIRECT) ([#16731](https://github.com/go-gitea/gitea/pull/16731))
* Compute proper foreground color for labels ([#16729](https://github.com/go-gitea/gitea/pull/16729))
* Add edit button to wiki sidebar and footer ([#16719](https://github.com/go-gitea/gitea/pull/16719))
* Fix migration svg color ([#16715](https://github.com/go-gitea/gitea/pull/16715))
* Add link to vscode to repo header ([#16664](https://github.com/go-gitea/gitea/pull/16664))
* Add filter by owner and team to issue/pulls search endpoint ([#16662](https://github.com/go-gitea/gitea/pull/16662))
* Replace `list.List` with slices ([#16311](https://github.com/go-gitea/gitea/pull/16311))
* Add configuration option to restrict users by default ([#16256](https://github.com/go-gitea/gitea/pull/16256))
* Move login out of models ([#16199](https://github.com/go-gitea/gitea/pull/16199))
* Support pagination of organizations on user settings pages ([#16083](https://github.com/go-gitea/gitea/pull/16083))
* Switch migration icon to svg ([#15954](https://github.com/go-gitea/gitea/pull/15954))
* Add left padding for chunk header of split diff view ([#13397](https://github.com/go-gitea/gitea/pull/13397))
* Allow U2F 2FA without TOTP ([#11573](https://github.com/go-gitea/gitea/pull/11573))
* BUGFIXES
* GitLab reviews may not have the updated_at field set ([#18450](https://github.com/go-gitea/gitea/pull/18450)) ([#18461](https://github.com/go-gitea/gitea/pull/18461))
* Fix detection of no commits when the default branch is not master ([#18422](https://github.com/go-gitea/gitea/pull/18422)) ([#18423](https://github.com/go-gitea/gitea/pull/18423))
* Place inline diff comment dialogs on split diff in 4th and 8th columns ([#18403](https://github.com/go-gitea/gitea/pull/18403)) ([#18404](https://github.com/go-gitea/gitea/pull/18404))
* Fix restore without topic failure ([#18387](https://github.com/go-gitea/gitea/pull/18387)) ([#18400](https://github.com/go-gitea/gitea/pull/18400))
* Fix commit's time ([#18375](https://github.com/go-gitea/gitea/pull/18375)) ([#18392](https://github.com/go-gitea/gitea/pull/18392))
* Fix partial cloning a repo ([#18373](https://github.com/go-gitea/gitea/pull/18373)) ([#18377](https://github.com/go-gitea/gitea/pull/18377))
* Stop trimming preceding and suffixing spaces from editor filenames ([#18334](https://github.com/go-gitea/gitea/pull/18334))
* Prevent showing webauthn error for every time visiting `/user/settings/security` ([#18386](https://github.com/go-gitea/gitea/pull/18386))
* Fix mime-type detection for HTTP server ([#18370](https://github.com/go-gitea/gitea/pull/18370)) ([#18371](https://github.com/go-gitea/gitea/pull/18371))
* Restore propagation of ErrDependenciesLeft ([#18325](https://github.com/go-gitea/gitea/pull/18325))