Merge branch 'main' into feature/sort_ascending

Author: 6543

Dockerfile

@@ -1,5 +1,5 @@
 # Build stage
-FROM docker.io/library/golang:1.24-alpine3.22 AS build-env
+FROM docker.io/library/golang:1.25-alpine3.22 AS build-env
 
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-direct}

Dockerfile.rootless

@@ -1,5 +1,5 @@
 # Build stage
-FROM docker.io/library/golang:1.24-alpine3.22 AS build-env
+FROM docker.io/library/golang:1.25-alpine3.22 AS build-env
 
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-direct}

Makefile

@@ -23,7 +23,7 @@ SHASUM ?= shasum -a 256
 HAS_GO := $(shell hash $(GO) > /dev/null 2>&1 && echo yes)
 COMMA := ,
 
-XGO_VERSION := go-1.24.x
+XGO_VERSION := go-1.25.x
 
 AIR_PACKAGE ?= github.com/air-verse/air@v1
 EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3

flake.lock

@@ -15,41 +15,53 @@
           with pkgs;
           let
             # only bump toolchain versions here
-            go = go_1_24;
+            go = go_1_25;
             nodejs = nodejs_24;
             python3 = python312;
+
+            # Platform-specific dependencies
+            linuxOnlyInputs = lib.optionals pkgs.stdenv.isLinux [
+              glibc.static
+            ];
+
+            linuxOnlyEnv = lib.optionalAttrs pkgs.stdenv.isLinux {
+              CFLAGS = "-I${glibc.static.dev}/include";
+              LDFLAGS = "-L ${glibc.static}/lib";
+            };
           in
-          pkgs.mkShell {
-            buildInputs = [
-              # generic
-              git
-              git-lfs
-              gnumake
-              gnused
-              gnutar
-              gzip
+          pkgs.mkShell (
+            {
+              buildInputs = [
+                # generic
+                git
+                git-lfs
+                gnumake
+                gnused
+                gnutar
+                gzip
 
-              # frontend
-              nodejs
+                # frontend
+                nodejs
 
-              # linting
-              python3
-              uv
+                # linting
+                python3
+                uv
 
-              # backend
-              go
-              glibc.static
-              gofumpt
-              sqlite
-            ];
-            CFLAGS = "-I${glibc.static.dev}/include";
-            LDFLAGS = "-L ${glibc.static}/lib";
-            GO = "${go}/bin/go";
-            GOROOT = "${go}/share/go";
+                # backend
+                go
+                gofumpt
+                sqlite
+              ]
+              ++ linuxOnlyInputs;
+
+              GO = "${go}/bin/go";
+              GOROOT = "${go}/share/go";
 
-            TAGS = "sqlite sqlite_unlock_notify";
-            STATIC = "true";
-          };
+              TAGS = "sqlite sqlite_unlock_notify";
+              STATIC = "true";
+            }
+            // linuxOnlyEnv
+          );
       }
     );
 }

flake.nix

@@ -53,7 +53,7 @@ func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) {
 
 	claims := actionsClaims{
 		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)),
+			ExpiresAt: jwt.NewNumericDate(now.Add(1*time.Hour + setting.Actions.EndlessTaskTimeout)),
 			NotBefore: jwt.NewNumericDate(now),
 		},
 		Scp:    fmt.Sprintf("Actions.Results:%d:%d", runID, jobID),

options/locale/locale_zh-CN.ini

@@ -290,16 +290,22 @@ Loop:
 				return false, nil, nil, err
 			}
 			defer gitRepo.Close()
-			commit, err := gitRepo.GetCommit(parentCommit)
+			isEmpty, err := gitRepo.IsEmpty()
 			if err != nil {
 				return false, nil, nil, err
 			}
-			if commit.Signature == nil {
-				return false, nil, nil, &ErrWontSign{parentSigned}
-			}
-			verification := ParseCommitWithSignature(ctx, commit)
-			if !verification.Verified {
-				return false, nil, nil, &ErrWontSign{parentSigned}
+			if !isEmpty {
+				commit, err := gitRepo.GetCommit(parentCommit)
+				if err != nil {
+					return false, nil, nil, err
+				}
+				if commit.Signature == nil {
+					return false, nil, nil, &ErrWontSign{parentSigned}
+				}
+				verification := ParseCommitWithSignature(ctx, commit)
+				if !verification.Verified {
+					return false, nil, nil, &ErrWontSign{parentSigned}
+				}
 			}
 		}
 	}

services/actions/auth.go

@@ -114,7 +114,7 @@ func DownloadHandler(ctx *context.Context) {
 				}
 			}
 
-			ctx.Resp.Header().Set("Content-Range", fmt.Sprintf("bytes %d-%d/%d", fromByte, toByte, meta.Size-fromByte))
+			ctx.Resp.Header().Set("Content-Range", fmt.Sprintf("bytes %d-%d/%d", fromByte, toByte, meta.Size))
 			ctx.Resp.Header().Set("Access-Control-Expose-Headers", "Content-Range")
 		}
 	}

services/asymkey/sign.go

@@ -354,7 +354,8 @@ func (g *GithubDownloaderV3) convertGithubRelease(ctx context.Context, rel *gith
 
 				// Prevent open redirect
 				if !hasBaseURL(redirectURL, g.baseURL) &&
-					!hasBaseURL(redirectURL, "https://objects.githubusercontent.com/") {
+					!hasBaseURL(redirectURL, "https://objects.githubusercontent.com/") &&
+					!hasBaseURL(redirectURL, "https://release-assets.githubusercontent.com/") {
 					WarnAndNotice("Unexpected AssetURL for assetID[%d] in %s: %s", asset.GetID(), g, redirectURL)
 
 					return io.NopCloser(strings.NewReader(redirectURL)), nil