
fix: ensure correct open/closed status when mirroring issues (#161) #162

Open
arunavo4 wants to merge 1 commit into main from fix/issue-161-status-sync

Conversation

@arunavo4
Collaborator

Add verification and explicit close fallback after issue creation to
handle Gitea API's two-step close process that can fail silently.

What was fixed:

  1. Issue Status Verification (mirrorGitRepoIssuesToGitea):
    - After creating an issue, verifies if the closed state was actually applied
    - If not closed, explicitly PATCHes the issue to close it
    - Logs warnings for debugging when the fallback is triggered
  2. PR Status Verification (mirrorGitRepoPullRequestsToGitea):
    - Same fix applied to both the enriched and basic issue creation paths
    - Verifies closed/merged PRs are actually closed in Gitea
    - Explicit PATCH fallback if the initial creation didn't apply the state
  3. Content Validation:
    - Added warning log when body content appears to be missing after sync
    - Helps identify repos with content sync issues

Root Cause:

Gitea's API first creates issues as open, then closes them separately. This two-step process can fail silently due to rate limiting, timeouts, or other errors - leaving issues in an incorrect open state.

  Add verification and explicit close fallback after issue creation to
  handle Gitea API's two-step close process that can fail silently.
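The verify-then-PATCH pattern the PR describes, as an added example that is not part of the gitea-mirror code base or of this PR: an issue is created with the closed flag, the issue is re-read rather than trusting the create response, an explicit PATCH closes it if the state did not stick, and a missing body is reported. The GiteaIssueApi interface is an assumed abstraction over the Gitea endpoints involved (create issue, get issue, edit issue); FakeGitea is a constructed in-memory stand-in whose close step can be made to fail silently, so the example runs offline.

```typescript
// Added example, not gitea-mirror's own code: mirror one issue into Gitea, re-read
// its state after creation, and fall back to an explicit PATCH when the "closed"
// flag did not stick. GiteaIssueApi is an assumed abstraction over three Gitea
// endpoints: POST /repos/{owner}/{repo}/issues (CreateIssueOption.closed),
// GET /repos/{owner}/{repo}/issues/{index} and PATCH on the same path (EditIssueOption.state).

type IssueState = "open" | "closed";

interface GiteaIssue { index: number; title: string; body: string; state: IssueState; }
interface SourceIssue { title: string; body: string; state: IssueState; }
interface MirrorResult { index: number; state: IssueState; fallbackUsed: boolean; warnings: string[]; }

interface GiteaIssueApi {
  createIssue(opts: { title: string; body: string; closed: boolean }): Promise<GiteaIssue>;
  getIssue(index: number): Promise<GiteaIssue>;
  editIssue(index: number, patch: { state?: IssueState }): Promise<GiteaIssue>;
}

async function mirrorIssue(api: GiteaIssueApi, src: SourceIssue): Promise<MirrorResult> {
  const warnings: string[] = [];
  let fallbackUsed = false;
  const wantClosed = src.state === "closed";

  const created = await api.createIssue({ title: src.title, body: src.body, closed: wantClosed });

  // Do not trust the create response: Gitea opens the issue first and closes it in a
  // second step, so re-read the issue to learn what was actually persisted.
  let current = await api.getIssue(created.index);

  if (wantClosed && current.state !== "closed") {
    warnings.push(`issue #${current.index} still open after creation; applying explicit close`);
    current = await api.editIssue(current.index, { state: "closed" });
    fallbackUsed = true;
    if (current.state !== "closed") {
      // Still wrong after the PATCH: surface it so the sync job can retry or alert.
      warnings.push(`issue #${current.index} remains open after explicit PATCH`);
    }
  }

  // Content validation: the source carried a body but the mirrored issue has none.
  if (src.body.trim() !== "" && current.body.trim() === "") {
    warnings.push(`issue #${current.index} body appears to be missing after sync`);
  }

  return { index: current.index, state: current.state, fallbackUsed, warnings };
}

// Constructed in-memory stand-in for Gitea (not a real client). dropCloseOnCreate
// simulates the second (close) step of creation failing silently; dropBody simulates lost content.
class FakeGitea implements GiteaIssueApi {
  private issues = new Map<number, GiteaIssue>();
  private nextIndex = 1;
  private dropCloseOnCreate: boolean;
  private dropBody: boolean;

  constructor(dropCloseOnCreate: boolean, dropBody = false) {
    this.dropCloseOnCreate = dropCloseOnCreate;
    this.dropBody = dropBody;
  }

  async createIssue(opts: { title: string; body: string; closed: boolean }): Promise<GiteaIssue> {
    const issue: GiteaIssue = {
      index: this.nextIndex++,
      title: opts.title,
      body: this.dropBody ? "" : opts.body,
      state: opts.closed && !this.dropCloseOnCreate ? "closed" : "open",
    };
    this.issues.set(issue.index, issue);
    return { ...issue };
  }

  async getIssue(index: number): Promise<GiteaIssue> {
    const issue = this.issues.get(index);
    if (!issue) throw new Error(`issue #${index} not found`);
    return { ...issue };
  }

  async editIssue(index: number, patch: { state?: IssueState }): Promise<GiteaIssue> {
    const issue = await this.getIssue(index);
    if (patch.state) issue.state = patch.state;
    this.issues.set(index, issue);
    return { ...issue };
  }
}

// Constructed sample source issue and three scenarios: healthy create, silent close
// failure (fallback PATCH expected), and a mirrored issue that lost its body.
const sample: SourceIssue = { title: "Fixed bug", body: "steps to reproduce", state: "closed" };
const runHealthyScenario = (): Promise<MirrorResult> => mirrorIssue(new FakeGitea(false), sample);
const runSilentCloseFailure = (): Promise<MirrorResult> => mirrorIssue(new FakeGitea(true), sample);
const runMissingBody = (): Promise<MirrorResult> =>
  mirrorIssue(new FakeGitea(false, true), { ...sample, state: "open" });

runSilentCloseFailure().then((r) => console.log(JSON.stringify(r)));
```

The warnings array is the part worth wiring into real logging: a fallback that fires on every issue points at rate limiting or timeouts on the Gitea side, and a warning that persists after the PATCH is the case a sync job should retry or alert on rather than report as success. The same pattern applies unchanged to pull requests mirrored as issues.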
@arunavo4 arunavo4 self-assigned this Dec 25, 2025
@cloudflare-workers-and-pages

Deploying gitea-mirror-website with Cloudflare Pages

Latest commit: bebbda9
Status: ✅  Deploy successful!
Preview URL: https://e3621c70.gitea-mirror-website.pages.dev
Branch Preview URL: https://fix-issue-161-status-sync.gitea-mirror-website.pages.dev


@github-actions

🐳 Docker Image Built Successfully

Your PR image is available for testing:

Image Tag: pr-162
Full Image Path: ghcr.io/raylabshq/gitea-mirror:pr-162

Pull and Test

docker pull ghcr.io/raylabshq/gitea-mirror:pr-162
docker run -d \
  -p 4321:4321 \
  -e BETTER_AUTH_SECRET=your-secret-here \
  -e BETTER_AUTH_URL=http://localhost:4321 \
  --name gitea-mirror-test ghcr.io/raylabshq/gitea-mirror:pr-162

Docker Compose Testing

services:
  gitea-mirror:
    image: ghcr.io/raylabshq/gitea-mirror:pr-162
    ports:
      - "4321:4321"
    environment:
      - BETTER_AUTH_SECRET=your-secret-here
      - BETTER_AUTH_URL=http://localhost:4321
      - BETTER_AUTH_TRUSTED_ORIGINS=http://localhost:4321

💡 Note: PR images are tagged as pr-<number> and built for both linux/amd64 and linux/arm64.
Production images (latest, version tags) use the same multi-platform set.



@github-actions

🔍 Vulnerabilities of gitea-mirror:scan

📦 Image Reference: gitea-mirror:scan
digest: sha256:a1838de9d5f1b8b8af7ac3966ba84fe694d7ee21c0e89e82615bf997d0abf46c
vulnerabilities: critical: 0 high: 7 medium: 0 low: 0
platform: linux/amd64
size: 381 MB
packages: 981
📦 Base Image: debian:bookworm
also known as:
  • bookworm-20251117
digest: sha256:9d8be01b7374ef07c68468882782c1226c532f39145f46ad969b6fbd414ab730
vulnerabilities: critical: 0 high: 0 medium: 1 low: 24

stdlib 1.23.12 (golang): critical: 0 high: 5 medium: 0 low: 0

pkg:golang/stdlib@1.23.12

high: CVE-2025-61729

Affected range: <1.24.11
Fixed version: 1.24.11
EPSS Score: 0.014%
EPSS Percentile: 2nd percentile
Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

high: CVE-2025-61725

Affected range: <1.24.8
Fixed version: 1.24.8
EPSS Score: 0.026%
EPSS Percentile: 7th percentile
Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high: CVE-2025-61723

Affected range: <1.24.8
Fixed version: 1.24.8
EPSS Score: 0.026%
EPSS Percentile: 7th percentile
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

high: CVE-2025-58188

Affected range: <1.24.8
Fixed version: 1.24.8
EPSS Score: 0.015%
EPSS Percentile: 3rd percentile
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

high: CVE-2025-58187

Affected range: <1.24.9
Fixed version: 1.24.9
EPSS Score: 0.015%
EPSS Percentile: 3rd percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

node-forge 1.3.1 (npm): critical: 0 high: 2 medium: 0 low: 0

pkg:npm/node-forge@1.3.1

high 8.7: CVE-2025-66031 Uncontrolled Recursion

Affected range: <1.3.2
Fixed version: 1.3.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.101%
EPSS Percentile: 29th percentile
Description

Summary

An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.

Details

An ASN.1 Denial of Service (DoS) vulnerability exists in the node-forge asn1.fromDer function within forge/lib/asn1.js. The ASN.1 DER parser implementation (_fromDer) recurses for every constructed ASN.1 value (SEQUENCE, SET, etc.) and lacks a guard limiting recursion depth. An attacker can craft a small DER blob containing a very large nesting depth of constructed TLVs, which causes the Node.js V8 engine to exhaust its call stack and throw RangeError: Maximum call stack size exceeded, crashing or incapacitating the process handling the parse. This is a remote, low-cost Denial-of-Service against applications that parse untrusted ASN.1 objects.

Impact

This vulnerability enables an unauthenticated attacker to reliably crash a server or client using node-forge for TLS connections or certificate parsing.

This vulnerability impacts the asn1.fromDer function in node-forge before patched version 1.3.2.

Any downstream application using this component is impacted. These components may be leveraged by downstream applications in ways that enable full compromise of availability.

high 8.7: CVE-2025-12816 Interpretation Conflict

Affected range: <1.3.2
Fixed version: 1.3.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score: 0.017%
EPSS Percentile: 3rd percentile
Description

Summary

CVE-2025-12816 has been reserved by CERT/CC

Description
An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Details

A critical ASN.1 validation bypass vulnerability exists in the node-forge asn1.validate function within forge/lib/asn1.js. ASN.1 is a schema language that defines data structures, like the typed record schemas used in X.509, PKCS#7, PKCS#12, etc. DER (Distinguished Encoding Rules), a strict binary encoding of ASN.1, is what cryptographic code expects when verifying signatures, and the exact bytes and structure must match the schema used to compute and verify the signature. After deserializing DER, Forge uses static ASN.1 validation schemas to locate the signed data or public key, compute digests over the exact bytes required, and feed digest and signature fields into cryptographic primitives.

This vulnerability allows a specially crafted ASN.1 object to desynchronize the validator on optional boundaries, causing a malformed optional field to be semantically reinterpreted as the subsequent mandatory structure. This manifests as logic bypasses in cryptographic algorithms and protocols with optional security features (such as PKCS#12, where MACs are treated as absent) and semantic interpretation conflicts in strict protocols (such as X.509, where fields are read as the wrong type).

Impact

This flaw allows an attacker to desynchronize the validator, allowing critical components like digital signatures or integrity checks to be skipped or validated against attacker-controlled data.

This vulnerability impacts the asn1.validate function in node-forge before patched version 1.3.2:
https://github.com/digitalbazaar/forge/blob/main/lib/asn1.js

The following components in node-forge are impacted.
lib/asn1.js
lib/x509.js
lib/pkcs12.js
lib/pkcs7.js
lib/rsa.js
lib/pbe.js
lib/ed25519.js

Any downstream application using these components is impacted.

These components may be leveraged by downstream applications in ways that enable full compromise of integrity, leading to potential availability and confidentiality compromises.

@github-actions

Recommended fixes for local gitea-mirror:scan

Base image is debian:bookworm

Name: bookworm-20251117
Digest: sha256:9d8be01b7374ef07c68468882782c1226c532f39145f46ad969b6fbd414ab730
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 24
Pushed: 1 month ago
Size: 48 MB
Packages: 126
Flavor: debian
OS: 12

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.
Tag / Details / Pushed / Vulnerabilities
bookworm
Newer image for same tag
Also known as:
  • 12.12
  • bookworm-20251208
Benefits:
  • Same OS detected
  • Newer image for same tag
  • Image is smaller by 25 B
  • Tag was pushed more recently
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • bookworm was pulled 14K times last month
Image details:
  • Size: 48 MB
  • Flavor: debian
  • OS: 12
2 weeks ago



Change base image

Tag / Details / Pushed / Vulnerabilities
stable-slim
Tag is preferred tag
Also known as:
  • stable-20251208-slim
Benefits:
  • Same OS detected
  • Image is smaller by 18 MB
  • Image contains 15 fewer packages
  • Tag is preferred tag
  • Tag was pushed more recently
  • Image introduces no new vulnerability but removes 4
  • Tag is using slim variant
  • stable-slim is the fourth most popular tag with 46K pulls per month
Image details:
  • Size: 30 MB
  • Flavor: debian
  • OS: 12
  • Slim: ✅
2 weeks ago



bookworm-slim
Image has same number of vulnerabilities
Also known as:
  • 12.12-slim
  • 12-slim
  • bookworm-20251208-slim
Benefits:
  • Same OS detected
  • Image is smaller by 19 MB
  • Tag was pushed more recently
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • Tag is using slim variant
  • bookworm-slim was pulled 13K times last month
Image details:
  • Size: 28 MB
  • Flavor: debian
  • OS: 12
  • Slim: ✅
2 weeks ago



stable
Image introduces no new vulnerability but removes 4
Also known as:
  • stable-20251208
Benefits:
  • Same OS detected
  • Image contains 15 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 4
  • stable is the 7th most popular tag with 32K pulls per month
Image details:
  • Size: 49 MB
  • Flavor: debian
  • OS: 12
2 weeks ago



testing-slim
Major OS version update
Also known as:
  • testing-20251208-slim
Benefits:
  • Same OS detected
  • Image is smaller by 19 MB
  • Image contains 18 fewer packages
  • Tag was pushed more recently
  • Major OS version update
  • Tag is using slim variant
  • testing-slim is the sixth most popular tag with 33K pulls per month
Image details:
  • Size: 29 MB
  • Flavor: debian
  • OS: 13
  • Slim: ✅
2 weeks ago



sid-slim
Major OS version update
Also known as:
  • sid-20251208-slim
Benefits:
  • Same OS detected
  • Image is smaller by 18 MB
  • Image contains 17 fewer packages
  • Tag was pushed more recently
  • Major OS version update
  • Tag is using slim variant
  • sid-slim is the 9th most popular tag with 15K pulls per month
Image details:
  • Size: 29 MB
  • Flavor: debian
  • OS: 13
  • Slim: ✅
2 weeks ago



testing
Major OS version update
Also known as:
  • testing-20251208
Benefits:
  • Same OS detected
  • Image contains 18 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Major OS version update
  • testing is the 8th most popular tag with 18K pulls per month
Image details:
  • Size: 48 MB
  • Flavor: debian
  • OS: 13
2 weeks ago



sid
Major OS version update
Also known as:
  • sid-20251208
Benefits:
  • Same OS detected
  • Image contains 17 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Major OS version update
  • sid was pulled 5.3K times last month
Image details:
  • Size: 49 MB
  • Flavor: debian
  • OS: 13
2 weeks ago



@github-actions

Overview

                      ghcr.io/raylabshq/gitea-mirror:latest        gitea-mirror:scan
Image reference
- digest              e79ca38b4779                                 a1838de9d5f1
- tag                 latest                                       scan
- provenance          bebbda9                                      oven-sh/bun@abb1b0c
- vulnerabilities     critical: 0 high: 7 medium: 10 low: 74       critical: 0 high: 7 medium: 10 low: 74
- platform            linux/amd64                                  linux/amd64
- size                330 MB                                       381 MB (+51 MB)
- packages            981                                          981
Base Image            debian:bookworm                              debian:bookworm
- vulnerabilities     critical: 0 high: 0 medium: 1 low: 24        critical: 0 high: 0 medium: 1 low: 24
Labels (8 changes)
  • ± 8 changed
-org.opencontainers.image.created=2025-12-25T08:37:16.489Z
+org.opencontainers.image.created=2025-11-21T19:33:53.930Z
-org.opencontainers.image.description=Gitea Mirror auto-syncs GitHub repos to your self-hosted Gitea/Forgejo, with a sleek Web UI and easy Docker deployment.
+org.opencontainers.image.description=Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
-org.opencontainers.image.licenses=AGPL-3.0
+org.opencontainers.image.licenses=NOASSERTION
-org.opencontainers.image.revision=bebbda946583ace663f05584dd7decc3686c1390
+org.opencontainers.image.revision=abb1b0c4d75acabf1742b951a1f739068c94a7bd
-org.opencontainers.image.source=https://github.com/RayLabsHQ/gitea-mirror
+org.opencontainers.image.source=https://github.com/oven-sh/bun
-org.opencontainers.image.title=gitea-mirror
+org.opencontainers.image.title=bun
-org.opencontainers.image.url=https://github.com/RayLabsHQ/gitea-mirror
+org.opencontainers.image.url=https://github.com/oven-sh/bun
-org.opencontainers.image.version=pr-162
+org.opencontainers.image.version=1.3.3-debian
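Review bot: the `+` column (gitea-mirror:scan) carries OCI labels that describe the oven-sh/bun image rather than this build: title=bun, source=https://github.com/oven-sh/bun, licenses=NOASSERTION, version=1.3.3-debian and a created timestamp of 2025-11-21, a month before this PR. That means the locally built scan image never set its own org.opencontainers.image.* labels and inherited the base image's, which is also why the provenance row above resolves to oven-sh/bun@abb1b0c instead of commit bebbda9. Pass the same labels the latest image carries (source, revision, version, licenses) into the scan build so that scanner findings can be attributed to the PR commit that produced them.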


Development

Successfully merging this pull request may close these issues.

After importing some issues, the following problems occurred: incorrect open/closed status and missing content synchronization.
