Merge branch 'main' into fix/inherit-merge-api-delete-branch-repo-settings

GiteaBot · web-flow · commit 9bb30fa0ee4b · 2025-10-22T12:36:08.000+08:00
diff --git a/models/admin/task.go b/models/admin/task.go
@@ -11,6 +11,7 @@ import (
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/migration"
 	"code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
@@ -123,17 +124,17 @@ func (task *Task) MigrateConfig() (*migration.MigrateOptions, error) {
 		// decrypt credentials
 		if opts.CloneAddrEncrypted != "" {
 			if opts.CloneAddr, err = secret.DecryptSecret(setting.SecretKey, opts.CloneAddrEncrypted); err != nil {
-				return nil, err
+				log.Error("Unable to decrypt CloneAddr, maybe SECRET_KEY is wrong: %v", err)
 			}
 		}
 		if opts.AuthPasswordEncrypted != "" {
 			if opts.AuthPassword, err = secret.DecryptSecret(setting.SecretKey, opts.AuthPasswordEncrypted); err != nil {
-				return nil, err
+				log.Error("Unable to decrypt AuthPassword, maybe SECRET_KEY is wrong: %v", err)
 			}
 		}
 		if opts.AuthTokenEncrypted != "" {
 			if opts.AuthToken, err = secret.DecryptSecret(setting.SecretKey, opts.AuthTokenEncrypted); err != nil {
-				return nil, err
+				log.Error("Unable to decrypt AuthToken, maybe SECRET_KEY is wrong: %v", err)
 			}
 		}
 
diff --git a/models/auth/twofactor.go b/models/auth/twofactor.go
@@ -111,11 +111,11 @@ func (t *TwoFactor) SetSecret(secretString string) error {
 func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
 	decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)
 	if err != nil {
-		return false, err
+		return false, fmt.Errorf("ValidateTOTP invalid base64: %w", err)
 	}
 	secretBytes, err := secret.AesDecrypt(t.getEncryptionKey(), decodedStoredSecret)
 	if err != nil {
-		return false, err
+		return false, fmt.Errorf("ValidateTOTP unable to decrypt (maybe SECRET_KEY is wrong): %w", err)
 	}
 	secretStr := string(secretBytes)
 	return totp.Validate(passcode, secretStr), nil
diff --git a/models/secret/secret.go b/models/secret/secret.go
@@ -178,8 +178,8 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[
 	for _, secret := range append(ownerSecrets, repoSecrets...) {
 		v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data)
 		if err != nil {
-			log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)
-			return nil, err
+			log.Error("Unable to decrypt Actions secret %v %q, maybe SECRET_KEY is wrong: %v", secret.ID, secret.Name, err)
+			continue
 		}
 		secrets[secret.Name] = v
 	}
diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go
@@ -8,6 +8,7 @@ import (
 
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
 )
@@ -66,9 +67,12 @@ func (source *Source) FromDB(bs []byte) error {
 	}
 	if source.BindPasswordEncrypt != "" {
 		source.BindPassword, err = secret.DecryptSecret(setting.SecretKey, source.BindPasswordEncrypt)
+		if err != nil {
+			log.Error("Unable to decrypt bind password for LDAP source, maybe SECRET_KEY is wrong: %v", err)
+		}
 		source.BindPasswordEncrypt = ""
 	}
-	return err
+	return nil
 }
 
 // ToDB exports a LDAPConfig to a serialized format.

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ import (`
`11`	`11`	`repo_model "code.gitea.io/gitea/models/repo"`
`12`	`12`	`user_model "code.gitea.io/gitea/models/user"`
`13`	`13`	`"code.gitea.io/gitea/modules/json"`
	`14`	`+ "code.gitea.io/gitea/modules/log"`
`14`	`15`	`"code.gitea.io/gitea/modules/migration"`
`15`	`16`	`"code.gitea.io/gitea/modules/secret"`
`16`	`17`	`"code.gitea.io/gitea/modules/setting"`
`@@ -123,17 +124,17 @@ func (task Task) MigrateConfig() (migration.MigrateOptions, error) {`
`123`	`124`	`// decrypt credentials`
`124`	`125`	`if opts.CloneAddrEncrypted != "" {`
`125`	`126`	`if opts.CloneAddr, err = secret.DecryptSecret(setting.SecretKey, opts.CloneAddrEncrypted); err != nil {`
`126`		`- return nil, err`
	`127`	`+ log.Error("Unable to decrypt CloneAddr, maybe SECRET_KEY is wrong: %v", err)`
`127`	`128`	`}`
`128`	`129`	`}`
`129`	`130`	`if opts.AuthPasswordEncrypted != "" {`
`130`	`131`	`if opts.AuthPassword, err = secret.DecryptSecret(setting.SecretKey, opts.AuthPasswordEncrypted); err != nil {`
`131`		`- return nil, err`
	`132`	`+ log.Error("Unable to decrypt AuthPassword, maybe SECRET_KEY is wrong: %v", err)`
`132`	`133`	`}`
`133`	`134`	`}`
`134`	`135`	`if opts.AuthTokenEncrypted != "" {`
`135`	`136`	`if opts.AuthToken, err = secret.DecryptSecret(setting.SecretKey, opts.AuthTokenEncrypted); err != nil {`
`136`		`- return nil, err`
	`137`	`+ log.Error("Unable to decrypt AuthToken, maybe SECRET_KEY is wrong: %v", err)`
`137`	`138`	`}`
`138`	`139`	`}`
`139`	`140`
Original file line number	Diff line number	Diff line change
`@@ -111,11 +111,11 @@ func (t *TwoFactor) SetSecret(secretString string) error {`
`111`	`111`	`func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {`
`112`	`112`	`decodedStoredSecret, err := base64.StdEncoding.DecodeString(t.Secret)`
`113`	`113`	`if err != nil {`
`114`		`- return false, err`
	`114`	`+ return false, fmt.Errorf("ValidateTOTP invalid base64: %w", err)`
`115`	`115`	`}`
`116`	`116`	`secretBytes, err := secret.AesDecrypt(t.getEncryptionKey(), decodedStoredSecret)`
`117`	`117`	`if err != nil {`
`118`		`- return false, err`
	`118`	`+ return false, fmt.Errorf("ValidateTOTP unable to decrypt (maybe SECRET_KEY is wrong): %w", err)`
`119`	`119`	`}`
`120`	`120`	`secretStr := string(secretBytes)`
`121`	`121`	`return totp.Validate(passcode, secretStr), nil`
Original file line number	Diff line number	Diff line change
`@@ -178,8 +178,8 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[`
`178`	`178`	`for _, secret := range append(ownerSecrets, repoSecrets...) {`
`179`	`179`	`v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data)`
`180`	`180`	`if err != nil {`
`181`		`- log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)`
`182`		`- return nil, err`
	`181`	`+ log.Error("Unable to decrypt Actions secret %v %q, maybe SECRET_KEY is wrong: %v", secret.ID, secret.Name, err)`
	`182`	`+ continue`
`183`	`183`	`}`
`184`	`184`	`secrets[secret.Name] = v`
`185`	`185`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`
`9`	`9`	`"code.gitea.io/gitea/models/auth"`
`10`	`10`	`"code.gitea.io/gitea/modules/json"`
	`11`	`+ "code.gitea.io/gitea/modules/log"`
`11`	`12`	`"code.gitea.io/gitea/modules/secret"`
`12`	`13`	`"code.gitea.io/gitea/modules/setting"`
`13`	`14`	`)`
`@@ -66,9 +67,12 @@ func (source *Source) FromDB(bs []byte) error {`
`66`	`67`	`}`
`67`	`68`	`if source.BindPasswordEncrypt != "" {`
`68`	`69`	`source.BindPassword, err = secret.DecryptSecret(setting.SecretKey, source.BindPasswordEncrypt)`
	`70`	`+ if err != nil {`
	`71`	`+ log.Error("Unable to decrypt bind password for LDAP source, maybe SECRET_KEY is wrong: %v", err)`
	`72`	`+ }`
`69`	`73`	`source.BindPasswordEncrypt = ""`
`70`	`74`	`}`
`71`		`- return err`
	`75`	`+ return nil`
`72`	`76`	`}`
`73`	`77`
`74`	`78`	`// ToDB exports a LDAPConfig to a serialized format.`