From 7fd5d38860a9aef1a2ba3b30e882492fde84c9be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felipe=20Leopoldo=20Sologuren=20Guti=C3=A9rrez?=
 <fsologureng@users.noreply.github.com>
Date: Tue, 31 Jan 2023 22:43:06 -0300
Subject: [PATCH 01/21] Improve checkbox accessibility a bit by adding the
 title attribute (#22593)

EDIT: The main change of this PR was resolved by #22599. This
complements that PR for some cases without label and complicated layout
to be added.

NOTE: Contributed by @Forgejo.
---
 options/locale/locale_en-US.ini        | 3 +++
 templates/admin/config.tmpl            | 4 ++--
 templates/org/team/new.tmpl            | 8 ++++----
 templates/repo/editor/commit_form.tmpl | 2 +-
 templates/repo/issue/list.tmpl         | 3 +--
 templates/shared/issuelist.tmpl        | 3 +--
 6 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 3495afe859d0..de80a710e97e 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -1131,6 +1131,7 @@ editor.commit_directly_to_this_branch = Commit directly to the <strong class="br
 editor.create_new_branch = Create a <strong>new branch</strong> for this commit and start a pull request.
 editor.create_new_branch_np = Create a <strong>new branch</strong> for this commit.
 editor.propose_file_change = Propose file change
+editor.new_branch_name = Name the new branch for this commit
 editor.new_branch_name_desc = New branch name…
 editor.cancel = Cancel
 editor.filename_cannot_be_empty = The filename cannot be empty.
@@ -1336,6 +1337,8 @@ issues.action_milestone = Milestone
 issues.action_milestone_no_select = No milestone
 issues.action_assignee = Assignee
 issues.action_assignee_no_select = No assignee
+issues.action_check = Check/Uncheck
+issues.action_check_all = Check/Uncheck all items
 issues.opened_by = opened %[1]s by <a href="%[2]s">%[3]s</a>
 pulls.merged_by = by <a href="%[2]s">%[3]s</a> was merged %[1]s
 pulls.merged_by_fake = by %[2]s was merged %[1]s
diff --git a/templates/admin/config.tmpl b/templates/admin/config.tmpl
index 982cfb280081..c2ab31862d97 100644
--- a/templates/admin/config.tmpl
+++ b/templates/admin/config.tmpl
@@ -303,14 +303,14 @@
 				<dt>{{.locale.Tr "admin.config.disable_gravatar"}}</dt>
 				<dd>
 					<div class="ui toggle checkbox">
-						<input type="checkbox" name="picture.disable_gravatar" version="{{.SystemSettings.GetVersion "picture.disable_gravatar"}}"{{if .SystemSettings.GetBool "picture.disable_gravatar"}} checked{{end}}>
+						<input type="checkbox" name="picture.disable_gravatar" version="{{.SystemSettings.GetVersion "picture.disable_gravatar"}}"{{if .SystemSettings.GetBool "picture.disable_gravatar"}} checked{{end}} title="{{.locale.Tr "admin.config.disable_gravatar"}}">
 					</div>
 				</dd>
 				<div class="ui divider"></div>
 				<dt>{{.locale.Tr "admin.config.enable_federated_avatar"}}</dt>
 				<dd>
 					<div class="ui toggle checkbox">
-						<input type="checkbox" name="picture.enable_federated_avatar" version="{{.SystemSettings.GetVersion "picture.enable_federated_avatar"}}"{{if .SystemSettings.GetBool "picture.enable_federated_avatar"}} checked{{end}}>
+						<input type="checkbox" name="picture.enable_federated_avatar" version="{{.SystemSettings.GetVersion "picture.enable_federated_avatar"}}"{{if .SystemSettings.GetBool "picture.enable_federated_avatar"}} checked{{end}} title="{{.locale.Tr "admin.config.enable_federated_avatar"}}">
 					</div>
 				</dd>
 			</dl>
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 10b5abda3145..005d7ce4e510 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -78,7 +78,7 @@
 										<tr>
 											<th>{{.locale.Tr "units.unit"}}</th>
 											<th class="center aligned">{{.locale.Tr "org.teams.none_access"}}
-											<span class="tooltip vm" data-content="{{.locale.Tr "org.teams.none_access_helper"}}">{{svg "octicon-question" 16 "ml-2"}}</th>
+											<span class="tooltip vm" data-content="{{.locale.Tr "org.teams.none_access_helper"}}">{{svg "octicon-question" 16 "ml-2"}}</span></th>
 											<th class="center aligned">{{.locale.Tr "org.teams.read_access"}}
 											<span class="tooltip vm" data-content="{{.locale.Tr "org.teams.read_access_helper"}}">{{svg "octicon-question" 16 "ml-2"}}</span></th>
 											<th class="center aligned">{{.locale.Tr "org.teams.write_access"}}
@@ -99,17 +99,17 @@
 													</td>
 													<td class="center aligned">
 														<div class="ui radio checkbox">
-															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or ($unit.Type.UnitGlobalDisabled) (eq ($.Team.UnitAccessMode $.Context $unit.Type) 0)}} checked{{end}}>
+															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or ($unit.Type.UnitGlobalDisabled) (eq ($.Team.UnitAccessMode $.Context $unit.Type) 0)}} checked{{end}} title="{{$.locale.Tr "org.teams.none_access"}}">
 														</div>
 													</td>
 													<td class="center aligned">
 														<div class="ui radio checkbox">
-															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $.Context $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $.Context $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}} title="{{$.locale.Tr "org.teams.read_access"}}">
 														</div>
 													</td>
 													<td class="center aligned">
 														<div class="ui radio checkbox">
-															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $.Context $unit.Type) 2)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $.Context $unit.Type) 2)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}} title="{{$.locale.Tr "org.teams.write_access"}}">
 														</div>
 													</td>
 												</tr>
diff --git a/templates/repo/editor/commit_form.tmpl b/templates/repo/editor/commit_form.tmpl
index 8700f7740151..f4778e22d122 100644
--- a/templates/repo/editor/commit_form.tmpl
+++ b/templates/repo/editor/commit_form.tmpl
@@ -61,7 +61,7 @@
 			<div class="quick-pull-branch-name {{if not (eq .commit_choice "commit-to-new-branch")}}hide{{end}}">
 				<div class="new-branch-name-input field {{if .Err_NewBranchName}}error{{end}}">
 					{{svg "octicon-git-branch"}}
-					<input type="text" name="new_branch_name" value="{{.new_branch_name}}" class="input-contrast mr-2 js-quick-pull-new-branch-name" placeholder="{{.locale.Tr "repo.editor.new_branch_name_desc"}}" {{if eq .commit_choice "commit-to-new-branch"}}required{{end}}>
+					<input type="text" name="new_branch_name" value="{{.new_branch_name}}" class="input-contrast mr-2 js-quick-pull-new-branch-name" placeholder="{{.locale.Tr "repo.editor.new_branch_name_desc"}}" {{if eq .commit_choice "commit-to-new-branch"}}required{{end}} title="{{.locale.Tr "repo.editor.new_branch_name"}}">
 					<span class="text-muted js-quick-pull-normalization-info"></span>
 				</div>
 			</div>
diff --git a/templates/repo/issue/list.tmpl b/templates/repo/issue/list.tmpl
index 22a6104baa88..b9ae36201678 100644
--- a/templates/repo/issue/list.tmpl
+++ b/templates/repo/issue/list.tmpl
@@ -30,8 +30,7 @@
 			<div class="six wide column">
 				{{if $.CanWriteIssuesOrPulls}}
 					<div class="ui checkbox issue-checkbox-all vm">
-						<input type="checkbox"></input>
-						<label></label>
+						<input type="checkbox" title="{{.locale.Tr "repo.issues.action_check_all"}}">
 					</div>
 				{{end}}
 				{{template "repo/issue/openclose" .}}
diff --git a/templates/shared/issuelist.tmpl b/templates/shared/issuelist.tmpl
index f3aa2610bb1a..93d54930ffdd 100644
--- a/templates/shared/issuelist.tmpl
+++ b/templates/shared/issuelist.tmpl
@@ -5,8 +5,7 @@
 			<div class="issue-item-left df">
 				{{if $.CanWriteIssuesOrPulls}}
 					<div class="ui checkbox issue-checkbox">
-						<input type="checkbox" data-issue-id={{.ID}}></input>
-						<label></label>
+						<input type="checkbox" data-issue-id={{.ID}} title="{{$.locale.Tr "repo.issues.action_check"}} «{{.Title}}»">
 					</div>
 				{{end}}
 				<div class="issue-item-icon">

From 2871ea08096cba15546f357d0ec473734ee9d8be Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 1 Feb 2023 13:32:46 +0800
Subject: [PATCH 02/21] Add more events details supports for actions (#22680)

#21937 implemented only basic events based on name because of `act`'s
limitation. So I sent a PR to parse all possible events details in
https://gitea.com/gitea/act/pulls/11 and it merged. The ref
documentation is
https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows

This PR depends on that and make more detail responses for `push` events
and `pull_request` events. And it lefts more events there for future
PRs.

---------

Co-authored-by: Jason Song <i@wolfogre.com>
---
 go.mod                              |   2 +-
 go.sum                              |   4 +-
 modules/actions/workflows.go        | 154 +++++++++++++++++++++++++++-
 services/actions/notifier_helper.go |   2 +-
 4 files changed, 154 insertions(+), 8 deletions(-)

diff --git a/go.mod b/go.mod
index 5ab0f4b27d3d..b3d40403235b 100644
--- a/go.mod
+++ b/go.mod
@@ -284,7 +284,7 @@ replace github.com/shurcooL/vfsgen => github.com/lunny/vfsgen v0.0.0-20220105142
 
 replace github.com/blevesearch/zapx/v15 v15.3.6 => github.com/zeripath/zapx/v15 v15.3.6-alignment-fix
 
-replace github.com/nektos/act => gitea.com/gitea/act v0.234.0
+replace github.com/nektos/act => gitea.com/gitea/act v0.234.2-0.20230131074955-e46ede1b1744
 
 exclude github.com/gofrs/uuid v3.2.0+incompatible
 
diff --git a/go.sum b/go.sum
index 12042dd6fdb3..864ddff1cdad 100644
--- a/go.sum
+++ b/go.sum
@@ -70,8 +70,8 @@ codeberg.org/gusted/mcaptcha v0.0.0-20220723083913-4f3072e1d570/go.mod h1:IIAjsi
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 h1:cliQ4HHsCo6xi2oWZYKWW4bly/Ory9FuTpFPRxj/mAg=
 git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078/go.mod h1:g/V2Hjas6Z1UHUp4yIx6bATpNzJ7DYtD0FG3+xARWxs=
-gitea.com/gitea/act v0.234.0 h1:gWgMPMKdNcMrp/o2CF/SyVKiiJLBFl+xmzfvoHCpykU=
-gitea.com/gitea/act v0.234.0/go.mod h1:2C/WbTalu1VPNgbVaZJaZDzlOtAKqkXJhdOClxkMy14=
+gitea.com/gitea/act v0.234.2-0.20230131074955-e46ede1b1744 h1:cqzKmGlX0wynSXO04NILpL25eBGwogDrKpkkbwmIpj4=
+gitea.com/gitea/act v0.234.2-0.20230131074955-e46ede1b1744/go.mod h1:2C/WbTalu1VPNgbVaZJaZDzlOtAKqkXJhdOClxkMy14=
 gitea.com/go-chi/binding v0.0.0-20221013104517-b29891619681 h1:MMSPgnVULVwV9kEBgvyEUhC9v/uviZ55hPJEMjpbNR4=
 gitea.com/go-chi/binding v0.0.0-20221013104517-b29891619681/go.mod h1:77TZu701zMXWJFvB8gvTbQ92zQ3DQq/H7l5wAEjQRKc=
 gitea.com/go-chi/cache v0.0.0-20210110083709-82c4c9ce2d5e/go.mod h1:k2V/gPDEtXGjjMGuBJiapffAXTv76H4snSmlJRLUhH0=
diff --git a/modules/actions/workflows.go b/modules/actions/workflows.go
index d340a1aa658a..c1c8e71f53b5 100644
--- a/modules/actions/workflows.go
+++ b/modules/actions/workflows.go
@@ -10,8 +10,11 @@ import (
 
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
+	api "code.gitea.io/gitea/modules/structs"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 
+	"github.com/gobwas/glob"
+	"github.com/nektos/act/pkg/jobparser"
 	"github.com/nektos/act/pkg/model"
 )
 
@@ -41,7 +44,7 @@ func ListWorkflows(commit *git.Commit) (git.Entries, error) {
 	return ret, nil
 }
 
-func DetectWorkflows(commit *git.Commit, event webhook_module.HookEventType) (map[string][]byte, error) {
+func DetectWorkflows(commit *git.Commit, triggedEvent webhook_module.HookEventType, payload api.Payloader) (map[string][]byte, error) {
 	entries, err := ListWorkflows(commit)
 	if err != nil {
 		return nil, err
@@ -63,13 +66,156 @@ func DetectWorkflows(commit *git.Commit, event webhook_module.HookEventType) (ma
 			log.Warn("ignore invalid workflow %q: %v", entry.Name(), err)
 			continue
 		}
-		for _, e := range workflow.On() {
-			if e == event.Event() {
+		events, err := jobparser.ParseRawOn(&workflow.RawOn)
+		if err != nil {
+			log.Warn("ignore invalid workflow %q: %v", entry.Name(), err)
+			continue
+		}
+		for _, evt := range events {
+			if evt.Name != triggedEvent.Event() {
+				continue
+			}
+
+			if detectMatched(commit, triggedEvent, payload, evt) {
 				workflows[entry.Name()] = content
-				break
 			}
 		}
 	}
 
 	return workflows, nil
 }
+
+func detectMatched(commit *git.Commit, triggedEvent webhook_module.HookEventType, payload api.Payloader, evt *jobparser.Event) bool {
+	if len(evt.Acts) == 0 {
+		return true
+	}
+
+	switch triggedEvent {
+	case webhook_module.HookEventCreate:
+		fallthrough
+	case webhook_module.HookEventDelete:
+		fallthrough
+	case webhook_module.HookEventFork:
+		log.Warn("unsupported event %q", triggedEvent.Event())
+		return false
+	case webhook_module.HookEventPush:
+		pushPayload := payload.(*api.PushPayload)
+		matchTimes := 0
+		// all acts conditions should be satisfied
+		for cond, vals := range evt.Acts {
+			switch cond {
+			case "branches", "tags":
+				for _, val := range vals {
+					if glob.MustCompile(val, '/').Match(pushPayload.Ref) {
+						matchTimes++
+						break
+					}
+				}
+			case "paths":
+				filesChanged, err := commit.GetFilesChangedSinceCommit(pushPayload.Before)
+				if err != nil {
+					log.Error("GetFilesChangedSinceCommit [commit_sha1: %s]: %v", commit.ID.String(), err)
+				} else {
+					for _, val := range vals {
+						matched := false
+						for _, file := range filesChanged {
+							if glob.MustCompile(val, '/').Match(file) {
+								matched = true
+								break
+							}
+						}
+						if matched {
+							matchTimes++
+							break
+						}
+					}
+				}
+			default:
+				log.Warn("unsupported condition %q", cond)
+			}
+		}
+		return matchTimes == len(evt.Acts)
+
+	case webhook_module.HookEventIssues:
+		fallthrough
+	case webhook_module.HookEventIssueAssign:
+		fallthrough
+	case webhook_module.HookEventIssueLabel:
+		fallthrough
+	case webhook_module.HookEventIssueMilestone:
+		fallthrough
+	case webhook_module.HookEventIssueComment:
+		fallthrough
+	case webhook_module.HookEventPullRequest:
+		prPayload := payload.(*api.PullRequestPayload)
+		matchTimes := 0
+		// all acts conditions should be satisfied
+		for cond, vals := range evt.Acts {
+			switch cond {
+			case "types":
+				for _, val := range vals {
+					if glob.MustCompile(val, '/').Match(string(prPayload.Action)) {
+						matchTimes++
+						break
+					}
+				}
+			case "branches":
+				for _, val := range vals {
+					if glob.MustCompile(val, '/').Match(prPayload.PullRequest.Base.Ref) {
+						matchTimes++
+						break
+					}
+				}
+			case "paths":
+				filesChanged, err := commit.GetFilesChangedSinceCommit(prPayload.PullRequest.Base.Ref)
+				if err != nil {
+					log.Error("GetFilesChangedSinceCommit [commit_sha1: %s]: %v", commit.ID.String(), err)
+				} else {
+					for _, val := range vals {
+						matched := false
+						for _, file := range filesChanged {
+							if glob.MustCompile(val, '/').Match(file) {
+								matched = true
+								break
+							}
+						}
+						if matched {
+							matchTimes++
+							break
+						}
+					}
+				}
+			default:
+				log.Warn("unsupported condition %q", cond)
+			}
+		}
+		return matchTimes == len(evt.Acts)
+	case webhook_module.HookEventPullRequestAssign:
+		fallthrough
+	case webhook_module.HookEventPullRequestLabel:
+		fallthrough
+	case webhook_module.HookEventPullRequestMilestone:
+		fallthrough
+	case webhook_module.HookEventPullRequestComment:
+		fallthrough
+	case webhook_module.HookEventPullRequestReviewApproved:
+		fallthrough
+	case webhook_module.HookEventPullRequestReviewRejected:
+		fallthrough
+	case webhook_module.HookEventPullRequestReviewComment:
+		fallthrough
+	case webhook_module.HookEventPullRequestSync:
+		fallthrough
+	case webhook_module.HookEventWiki:
+		fallthrough
+	case webhook_module.HookEventRepository:
+		fallthrough
+	case webhook_module.HookEventRelease:
+		fallthrough
+	case webhook_module.HookEventPackage:
+		fallthrough
+	default:
+		log.Warn("unsupported event %q", triggedEvent.Event())
+	}
+	return false
+}
diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go
index 9c9fc644cb49..5b8f6bfdf6ef 100644
--- a/services/actions/notifier_helper.go
+++ b/services/actions/notifier_helper.go
@@ -137,7 +137,7 @@ func notify(ctx context.Context, input *notifyInput) error {
 		return fmt.Errorf("gitRepo.GetCommit: %w", err)
 	}
 
-	workflows, err := actions_module.DetectWorkflows(commit, input.Event)
+	workflows, err := actions_module.DetectWorkflows(commit, input.Event, input.Payload)
 	if err != nil {
 		return fmt.Errorf("DetectWorkflows: %w", err)
 	}

From 19d5b2f922c2defde579a935fbedb680eb8fff18 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Wed, 1 Feb 2023 07:24:10 +0000
Subject: [PATCH 03/21] Fix bugs with WebAuthn preventing sign in and
 registration. (#22651)

This PR fixes two bugs with Webauthn support:

* There was a longstanding bug within webauthn due to the backend using
URLEncodedBase64 but the javascript using decoding using plain base64.
This causes intermittent issues with users reporting decoding errors.
* Following the recent upgrade to webauthn there was a change in the way
the library expects RPOrigins to be configured. This leads to the
Relying Party Origin not being configured and prevents registration.

Fix #22507

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
---
 modules/auth/webauthn/webauthn.go         |  2 +-
 modules/auth/webauthn/webauthn_test.go    |  4 +--
 web_src/js/features/user-auth-webauthn.js | 37 ++++++++++++++---------
 3 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/modules/auth/webauthn/webauthn.go b/modules/auth/webauthn/webauthn.go
index d08f7bf7cc71..937da872ca1a 100644
--- a/modules/auth/webauthn/webauthn.go
+++ b/modules/auth/webauthn/webauthn.go
@@ -28,7 +28,7 @@ func Init() {
 		Config: &webauthn.Config{
 			RPDisplayName: setting.AppName,
 			RPID:          setting.Domain,
-			RPOrigin:      appURL,
+			RPOrigins:     []string{appURL},
 			AuthenticatorSelection: protocol.AuthenticatorSelection{
 				UserVerification: "discouraged",
 			},
diff --git a/modules/auth/webauthn/webauthn_test.go b/modules/auth/webauthn/webauthn_test.go
index 1beeb64cd6ca..15a8d7182833 100644
--- a/modules/auth/webauthn/webauthn_test.go
+++ b/modules/auth/webauthn/webauthn_test.go
@@ -15,11 +15,11 @@ func TestInit(t *testing.T) {
 	setting.Domain = "domain"
 	setting.AppName = "AppName"
 	setting.AppURL = "https://domain/"
-	rpOrigin := "https://domain"
+	rpOrigin := []string{"https://domain"}
 
 	Init()
 
 	assert.Equal(t, setting.Domain, WebAuthn.Config.RPID)
 	assert.Equal(t, setting.AppName, WebAuthn.Config.RPDisplayName)
-	assert.Equal(t, rpOrigin, WebAuthn.Config.RPOrigin)
+	assert.Equal(t, rpOrigin, WebAuthn.Config.RPOrigins)
 }
diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index f11a49864ded..9c9fffd99527 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -14,9 +14,9 @@ export function initUserAuthWebAuthn() {
 
   $.getJSON(`${appSubUrl}/user/webauthn/assertion`, {})
     .done((makeAssertionOptions) => {
-      makeAssertionOptions.publicKey.challenge = decode(makeAssertionOptions.publicKey.challenge);
+      makeAssertionOptions.publicKey.challenge = decodeURLEncodedBase64(makeAssertionOptions.publicKey.challenge);
       for (let i = 0; i < makeAssertionOptions.publicKey.allowCredentials.length; i++) {
-        makeAssertionOptions.publicKey.allowCredentials[i].id = decode(makeAssertionOptions.publicKey.allowCredentials[i].id);
+        makeAssertionOptions.publicKey.allowCredentials[i].id = decodeURLEncodedBase64(makeAssertionOptions.publicKey.allowCredentials[i].id);
       }
       navigator.credentials.get({
         publicKey: makeAssertionOptions.publicKey
@@ -56,14 +56,14 @@ function verifyAssertion(assertedCredential) {
     type: 'POST',
     data: JSON.stringify({
       id: assertedCredential.id,
-      rawId: bufferEncode(rawId),
+      rawId: encodeURLEncodedBase64(rawId),
       type: assertedCredential.type,
       clientExtensionResults: assertedCredential.getClientExtensionResults(),
       response: {
-        authenticatorData: bufferEncode(authData),
-        clientDataJSON: bufferEncode(clientDataJSON),
-        signature: bufferEncode(sig),
-        userHandle: bufferEncode(userHandle),
+        authenticatorData: encodeURLEncodedBase64(authData),
+        clientDataJSON: encodeURLEncodedBase64(clientDataJSON),
+        signature: encodeURLEncodedBase64(sig),
+        userHandle: encodeURLEncodedBase64(userHandle),
       },
     }),
     contentType: 'application/json; charset=utf-8',
@@ -85,14 +85,21 @@ function verifyAssertion(assertedCredential) {
   });
 }
 
-// Encode an ArrayBuffer into a base64 string.
-function bufferEncode(value) {
+// Encode an ArrayBuffer into a URLEncoded base64 string.
+function encodeURLEncodedBase64(value) {
   return encode(value)
     .replace(/\+/g, '-')
     .replace(/\//g, '_')
     .replace(/=/g, '');
 }
 
+// Dccode a URLEncoded base64 to an ArrayBuffer string.
+function decodeURLEncodedBase64(value) {
+  return decode(value
+    .replace(/_/g, '/')
+    .replace(/-/g, '+'));
+}
+
 function webauthnRegistered(newCredential) {
   const attestationObject = new Uint8Array(newCredential.response.attestationObject);
   const clientDataJSON = new Uint8Array(newCredential.response.clientDataJSON);
@@ -104,11 +111,11 @@ function webauthnRegistered(newCredential) {
     headers: {'X-Csrf-Token': csrfToken},
     data: JSON.stringify({
       id: newCredential.id,
-      rawId: bufferEncode(rawId),
+      rawId: encodeURLEncodedBase64(rawId),
       type: newCredential.type,
       response: {
-        attestationObject: bufferEncode(attestationObject),
-        clientDataJSON: bufferEncode(clientDataJSON),
+        attestationObject: encodeURLEncodedBase64(attestationObject),
+        clientDataJSON: encodeURLEncodedBase64(clientDataJSON),
       },
     }),
     dataType: 'json',
@@ -184,11 +191,11 @@ function webAuthnRegisterRequest() {
   }).done((makeCredentialOptions) => {
     $('#nickname').closest('div.field').removeClass('error');
 
-    makeCredentialOptions.publicKey.challenge = decode(makeCredentialOptions.publicKey.challenge);
-    makeCredentialOptions.publicKey.user.id = decode(makeCredentialOptions.publicKey.user.id);
+    makeCredentialOptions.publicKey.challenge = decodeURLEncodedBase64(makeCredentialOptions.publicKey.challenge);
+    makeCredentialOptions.publicKey.user.id = decodeURLEncodedBase64(makeCredentialOptions.publicKey.user.id);
     if (makeCredentialOptions.publicKey.excludeCredentials) {
       for (let i = 0; i < makeCredentialOptions.publicKey.excludeCredentials.length; i++) {
-        makeCredentialOptions.publicKey.excludeCredentials[i].id = decode(makeCredentialOptions.publicKey.excludeCredentials[i].id);
+        makeCredentialOptions.publicKey.excludeCredentials[i].id = decodeURLEncodedBase64(makeCredentialOptions.publicKey.excludeCredentials[i].id);
       }
     }
 

From 72a83dcc82add7537d2f661aa929dd073ced65f3 Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Wed, 1 Feb 2023 17:14:40 +0900
Subject: [PATCH 04/21] Explain that the no-access team unit does not affect
 public repositories (#22661)

Fixes https://github.com/go-gitea/gitea/issues/22600

Add explanations to team unit access control.

---------

Co-authored-by: Jason Song <i@wolfogre.com>
---
 options/locale/locale_en-US.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index de80a710e97e..24809c55495e 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2432,7 +2432,7 @@ teams.leave.detail = Leave %s?
 teams.can_create_org_repo = Create repositories
 teams.can_create_org_repo_helper = Members can create new repositories in organization. Creator will get administrator access to the new repository.
 teams.none_access = No Access
-teams.none_access_helper = Members cannot view or do any other action on this unit.
+teams.none_access_helper = Members cannot view or do any other action on this unit. It has no effect for public repositories.
 teams.general_access = General Access
 teams.general_access_helper = Members permissions will be decided by below permission table.
 teams.read_access = Read

From 9f9a1ce92292739c3d0b5ee4bb654d883eb3b869 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Wed, 1 Feb 2023 11:48:35 +0000
Subject: [PATCH 05/21] Add missing close bracket in imagediff (#22710)

There was a missing `]` in imagediff.js:

```
const $range = $container.find("input[type='range'");
```

This PR simply adds this.

Fix #22702
---
 web_src/js/features/imagediff.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web_src/js/features/imagediff.js b/web_src/js/features/imagediff.js
index 03ae3b047bf8..250ea957981f 100644
--- a/web_src/js/features/imagediff.js
+++ b/web_src/js/features/imagediff.js
@@ -263,7 +263,7 @@ export function initImageDiff() {
         height: sizes.max.height * factor + 4
       });
 
-      const $range = $container.find("input[type='range'");
+      const $range = $container.find("input[type='range']");
       const onInput = () => sizes.image1.parent().css({
         opacity: $range.val() / 100
       });

From 5882e179a93a00a0635c6c578ec6d43ce68d687b Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Wed, 1 Feb 2023 13:53:04 +0100
Subject: [PATCH 06/21] Add user secrets (#22191)

Fixes #22183
Replaces #22187

This PR adds secrets for users. I refactored the files for organizations
and repos to use the same logic and templates. I splitted the secrets
from deploy keys again and reverted the fix from #22187.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 docs/content/doc/secrets/overview.en-us.md | 16 ++--
 options/locale/locale_en-US.ini            |  2 +-
 routers/web/org/setting.go                 | 51 -------------
 routers/web/org/setting_secrets.go         | 48 ++++++++++++
 routers/web/repo/setting.go                | 39 ----------
 routers/web/repo/setting_secrets.go        | 46 ++++++++++++
 routers/web/shared/secrets/secrets.go      | 54 ++++++++++++++
 routers/web/user/setting/secrets.go        | 45 +++++++++++
 routers/web/web.go                         | 15 +++-
 templates/org/settings/secrets.tmpl        | 70 +-----------------
 templates/repo/settings/deploy_keys.tmpl   |  6 +-
 templates/repo/settings/nav.tmpl           |  3 +-
 templates/repo/settings/navbar.tmpl        |  3 +
 templates/repo/settings/secrets.tmpl       | 86 ++--------------------
 templates/shared/secrets/add_list.tmpl     | 68 +++++++++++++++++
 templates/user/settings/navbar.tmpl        |  3 +
 templates/user/settings/secrets.tmpl       | 10 +++
 17 files changed, 310 insertions(+), 255 deletions(-)
 create mode 100644 routers/web/org/setting_secrets.go
 create mode 100644 routers/web/repo/setting_secrets.go
 create mode 100644 routers/web/shared/secrets/secrets.go
 create mode 100644 routers/web/user/setting/secrets.go
 create mode 100644 templates/shared/secrets/add_list.tmpl
 create mode 100644 templates/user/settings/secrets.tmpl

diff --git a/docs/content/doc/secrets/overview.en-us.md b/docs/content/doc/secrets/overview.en-us.md
index 1a88d6cfbcc6..21fb65f98d3d 100644
--- a/docs/content/doc/secrets/overview.en-us.md
+++ b/docs/content/doc/secrets/overview.en-us.md
@@ -1,6 +1,6 @@
 ---
 date: "2022-12-19T21:26:00+08:00"
-title: "Encrypted secrets"
+title: "Secrets"
 slug: "secrets/overview"
 draft: false
 toc: false
@@ -12,24 +12,24 @@ menu:
     identifier: "overview"
 ---
 
-# Encrypted secrets
+# Secrets
 
-Encrypted secrets allow you to store sensitive information in your organization or repository.
+Secrets allow you to store sensitive information in your user, organization or repository.
 Secrets are available on Gitea 1.19+.
 
 # Naming your secrets
 
 The following rules apply to secret names:
 
-Secret names can only contain alphanumeric characters (`[a-z]`, `[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed.
+- Secret names can only contain alphanumeric characters (`[a-z]`, `[A-Z]`, `[0-9]`) or underscores (`_`). Spaces are not allowed.
 
-Secret names must not start with the `GITHUB_` and `GITEA_` prefix.
+- Secret names must not start with the `GITHUB_` and `GITEA_` prefix.
 
-Secret names must not start with a number.
+- Secret names must not start with a number.
 
-Secret names are not case-sensitive.
+- Secret names are not case-sensitive.
 
-Secret names must be unique at the level they are created at.
+- Secret names must be unique at the level they are created at.
 
 For example, a secret created at the repository level must have a unique name in that repository, and a secret created at the organization level must have a unique name at that level.
 
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 24809c55495e..8a48a68b171c 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -3254,7 +3254,7 @@ creation.value_placeholder = Input any content. Whitespace at the start and end
 creation.success = The secret '%s' has been added.
 creation.failed = Failed to add secret.
 deletion = Remove secret
-deletion.description = Removing a secret will revoke its access to repositories. Continue?
+deletion.description = Removing a secret is permanent and cannot be undone. Continue?
 deletion.success = The secret has been removed.
 deletion.failed = Failed to remove secret.
 
diff --git a/routers/web/org/setting.go b/routers/web/org/setting.go
index 80f57072455b..5c9b7967c3dc 100644
--- a/routers/web/org/setting.go
+++ b/routers/web/org/setting.go
@@ -12,7 +12,6 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
-	secret_model "code.gitea.io/gitea/models/secret"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/base"
@@ -38,8 +37,6 @@ const (
 	tplSettingsHooks base.TplName = "org/settings/hooks"
 	// tplSettingsLabels template path for render labels settings
 	tplSettingsLabels base.TplName = "org/settings/labels"
-	// tplSettingsSecrets template path for render secrets settings
-	tplSettingsSecrets base.TplName = "org/settings/secrets"
 	// tplSettingsRunners template path for render runners settings
 	tplSettingsRunners base.TplName = "org/settings/runners"
 	// tplSettingsRunnersEdit template path for render runners edit settings
@@ -253,51 +250,3 @@ func Labels(ctx *context.Context) {
 	ctx.Data["LabelTemplates"] = repo_module.LabelTemplates
 	ctx.HTML(http.StatusOK, tplSettingsLabels)
 }
-
-// Secrets render organization secrets page
-func Secrets(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("repo.secrets")
-	ctx.Data["PageIsOrgSettings"] = true
-	ctx.Data["PageIsOrgSettingsSecrets"] = true
-
-	secrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{OwnerID: ctx.Org.Organization.ID})
-	if err != nil {
-		ctx.ServerError("FindSecrets", err)
-		return
-	}
-	ctx.Data["Secrets"] = secrets
-
-	ctx.HTML(http.StatusOK, tplSettingsSecrets)
-}
-
-// SecretsPost add secrets
-func SecretsPost(ctx *context.Context) {
-	form := web.GetForm(ctx).(*forms.AddSecretForm)
-
-	_, err := secret_model.InsertEncryptedSecret(ctx, ctx.Org.Organization.ID, 0, form.Title, form.Content)
-	if err != nil {
-		ctx.Flash.Error(ctx.Tr("secrets.creation.failed"))
-		log.Error("validate secret: %v", err)
-		ctx.Redirect(ctx.Org.OrgLink + "/settings/secrets")
-		return
-	}
-
-	log.Trace("Org %d: secret added", ctx.Org.Organization.ID)
-	ctx.Flash.Success(ctx.Tr("secrets.creation.success", form.Title))
-	ctx.Redirect(ctx.Org.OrgLink + "/settings/secrets")
-}
-
-// SecretsDelete delete secrets
-func SecretsDelete(ctx *context.Context) {
-	id := ctx.FormInt64("id")
-	if _, err := db.DeleteByBean(ctx, &secret_model.Secret{ID: id}); err != nil {
-		ctx.Flash.Error(ctx.Tr("secrets.deletion.failed"))
-		log.Error("delete secret %d: %v", id, err)
-	} else {
-		ctx.Flash.Success(ctx.Tr("secrets.deletion.success"))
-	}
-
-	ctx.JSON(http.StatusOK, map[string]interface{}{
-		"redirect": ctx.Org.OrgLink + "/settings/secrets",
-	})
-}
diff --git a/routers/web/org/setting_secrets.go b/routers/web/org/setting_secrets.go
new file mode 100644
index 000000000000..1cdbe35f32ad
--- /dev/null
+++ b/routers/web/org/setting_secrets.go
@@ -0,0 +1,48 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package org
+
+import (
+	"net/http"
+
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	shared "code.gitea.io/gitea/routers/web/shared/secrets"
+)
+
+const (
+	tplSettingsSecrets base.TplName = "org/settings/secrets"
+)
+
+// Secrets render organization secrets page
+func Secrets(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("secrets.secrets")
+	ctx.Data["PageIsOrgSettings"] = true
+	ctx.Data["PageIsOrgSettingsSecrets"] = true
+
+	shared.SetSecretsContext(ctx, ctx.ContextUser.ID, 0)
+	if ctx.Written() {
+		return
+	}
+
+	ctx.HTML(http.StatusOK, tplSettingsSecrets)
+}
+
+// SecretsPost add secrets
+func SecretsPost(ctx *context.Context) {
+	shared.PerformSecretsPost(
+		ctx,
+		ctx.ContextUser.ID,
+		0,
+		ctx.Org.OrgLink+"/settings/secrets",
+	)
+}
+
+// SecretsDelete delete secrets
+func SecretsDelete(ctx *context.Context) {
+	shared.PerformSecretsDelete(
+		ctx,
+		ctx.Org.OrgLink+"/settings/secrets",
+	)
+}
diff --git a/routers/web/repo/setting.go b/routers/web/repo/setting.go
index 73887195e697..e970dab3ebee 100644
--- a/routers/web/repo/setting.go
+++ b/routers/web/repo/setting.go
@@ -19,7 +19,6 @@ import (
 	"code.gitea.io/gitea/models/organization"
 	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
-	secret_model "code.gitea.io/gitea/models/secret"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
@@ -1131,33 +1130,9 @@ func DeployKeys(ctx *context.Context) {
 	}
 	ctx.Data["Deploykeys"] = keys
 
-	secrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{RepoID: ctx.Repo.Repository.ID})
-	if err != nil {
-		ctx.ServerError("FindSecrets", err)
-		return
-	}
-	ctx.Data["Secrets"] = secrets
-
 	ctx.HTML(http.StatusOK, tplDeployKeys)
 }
 
-// SecretsPost response for creating a new secret
-func SecretsPost(ctx *context.Context) {
-	form := web.GetForm(ctx).(*forms.AddSecretForm)
-
-	_, err := secret_model.InsertEncryptedSecret(ctx, 0, ctx.Repo.Repository.ID, form.Title, form.Content)
-	if err != nil {
-		ctx.Flash.Error(ctx.Tr("secrets.creation.failed"))
-		log.Error("validate secret: %v", err)
-		ctx.Redirect(ctx.Repo.RepoLink + "/settings/keys")
-		return
-	}
-
-	log.Trace("Secret added: %d", ctx.Repo.Repository.ID)
-	ctx.Flash.Success(ctx.Tr("secrets.creation.success", form.Title))
-	ctx.Redirect(ctx.Repo.RepoLink + "/settings/keys")
-}
-
 // DeployKeysPost response for adding a deploy key of a repository
 func DeployKeysPost(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.AddKeyForm)
@@ -1219,20 +1194,6 @@ func DeployKeysPost(ctx *context.Context) {
 	ctx.Redirect(ctx.Repo.RepoLink + "/settings/keys")
 }
 
-func DeleteSecret(ctx *context.Context) {
-	id := ctx.FormInt64("id")
-	if _, err := db.DeleteByBean(ctx, &secret_model.Secret{ID: id}); err != nil {
-		ctx.Flash.Error(ctx.Tr("secrets.deletion.failed"))
-		log.Error("delete secret %d: %v", id, err)
-	} else {
-		ctx.Flash.Success(ctx.Tr("secrets.deletion.success"))
-	}
-
-	ctx.JSON(http.StatusOK, map[string]interface{}{
-		"redirect": ctx.Repo.RepoLink + "/settings/keys",
-	})
-}
-
 // DeleteDeployKey response for deleting a deploy key
 func DeleteDeployKey(ctx *context.Context) {
 	if err := asymkey_service.DeleteDeployKey(ctx.Doer, ctx.FormInt64("id")); err != nil {
diff --git a/routers/web/repo/setting_secrets.go b/routers/web/repo/setting_secrets.go
new file mode 100644
index 000000000000..c42dee583b92
--- /dev/null
+++ b/routers/web/repo/setting_secrets.go
@@ -0,0 +1,46 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package repo
+
+import (
+	"net/http"
+
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/setting"
+	shared "code.gitea.io/gitea/routers/web/shared/secrets"
+)
+
+const (
+	tplSecrets base.TplName = "repo/settings/secrets"
+)
+
+func Secrets(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("secrets.secrets")
+	ctx.Data["PageIsSettingsSecrets"] = true
+	ctx.Data["DisableSSH"] = setting.SSH.Disabled
+
+	shared.SetSecretsContext(ctx, 0, ctx.Repo.Repository.ID)
+	if ctx.Written() {
+		return
+	}
+
+	ctx.HTML(http.StatusOK, tplSecrets)
+}
+
+func SecretsPost(ctx *context.Context) {
+	shared.PerformSecretsPost(
+		ctx,
+		0,
+		ctx.Repo.Repository.ID,
+		ctx.Repo.RepoLink+"/settings/secrets",
+	)
+}
+
+func DeleteSecret(ctx *context.Context) {
+	shared.PerformSecretsDelete(
+		ctx,
+		ctx.Repo.RepoLink+"/settings/secrets",
+	)
+}
diff --git a/routers/web/shared/secrets/secrets.go b/routers/web/shared/secrets/secrets.go
new file mode 100644
index 000000000000..e242c5e81611
--- /dev/null
+++ b/routers/web/shared/secrets/secrets.go
@@ -0,0 +1,54 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package secrets
+
+import (
+	"net/http"
+
+	"code.gitea.io/gitea/models/db"
+	secret_model "code.gitea.io/gitea/models/secret"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/services/forms"
+)
+
+func SetSecretsContext(ctx *context.Context, ownerID, repoID int64) {
+	secrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{OwnerID: ownerID, RepoID: repoID})
+	if err != nil {
+		ctx.ServerError("FindSecrets", err)
+		return
+	}
+
+	ctx.Data["Secrets"] = secrets
+}
+
+func PerformSecretsPost(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
+	form := web.GetForm(ctx).(*forms.AddSecretForm)
+
+	s, err := secret_model.InsertEncryptedSecret(ctx, ownerID, repoID, form.Title, form.Content)
+	if err != nil {
+		log.Error("InsertEncryptedSecret: %v", err)
+		ctx.Flash.Error(ctx.Tr("secrets.creation.failed"))
+	} else {
+		ctx.Flash.Success(ctx.Tr("secrets.creation.success", s.Name))
+	}
+
+	ctx.Redirect(redirectURL)
+}
+
+func PerformSecretsDelete(ctx *context.Context, redirectURL string) {
+	id := ctx.FormInt64("id")
+
+	if _, err := db.DeleteByBean(ctx, &secret_model.Secret{ID: id}); err != nil {
+		log.Error("Delete secret %d failed: %v", id, err)
+		ctx.Flash.Error(ctx.Tr("secrets.deletion.failed"))
+	} else {
+		ctx.Flash.Success(ctx.Tr("secrets.deletion.success"))
+	}
+
+	ctx.JSON(http.StatusOK, map[string]interface{}{
+		"redirect": redirectURL,
+	})
+}
diff --git a/routers/web/user/setting/secrets.go b/routers/web/user/setting/secrets.go
new file mode 100644
index 000000000000..3a57897d8f60
--- /dev/null
+++ b/routers/web/user/setting/secrets.go
@@ -0,0 +1,45 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+import (
+	"net/http"
+
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/setting"
+	shared "code.gitea.io/gitea/routers/web/shared/secrets"
+)
+
+const (
+	tplSettingsSecrets base.TplName = "user/settings/secrets"
+)
+
+func Secrets(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("secrets.secrets")
+	ctx.Data["PageIsSettingsSecrets"] = true
+
+	shared.SetSecretsContext(ctx, ctx.Doer.ID, 0)
+	if ctx.Written() {
+		return
+	}
+
+	ctx.HTML(http.StatusOK, tplSettingsSecrets)
+}
+
+func SecretsPost(ctx *context.Context) {
+	shared.PerformSecretsPost(
+		ctx,
+		ctx.Doer.ID,
+		0,
+		setting.AppSubURL+"/user/settings/secrets",
+	)
+}
+
+func SecretsDelete(ctx *context.Context) {
+	shared.PerformSecretsDelete(
+		ctx,
+		setting.AppSubURL+"/user/settings/secrets",
+	)
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index 88a12df19da2..b7128fc3a9fc 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -469,6 +469,11 @@ func RegisterRoutes(m *web.Route) {
 				})
 			})
 		}, packagesEnabled)
+		m.Group("/secrets", func() {
+			m.Get("", user_setting.Secrets)
+			m.Post("", web.Bind(forms.AddSecretForm{}), user_setting.SecretsPost)
+			m.Post("/delete", user_setting.SecretsDelete)
+		})
 		m.Get("/organization", user_setting.Organization)
 		m.Get("/repos", user_setting.Repos)
 		m.Post("/repos/unadopted", user_setting.AdoptOrDeleteRepository)
@@ -982,10 +987,12 @@ func RegisterRoutes(m *web.Route) {
 				m.Combo("").Get(repo.DeployKeys).
 					Post(web.Bind(forms.AddKeyForm{}), repo.DeployKeysPost)
 				m.Post("/delete", repo.DeleteDeployKey)
-				m.Group("/secrets", func() {
-					m.Post("", web.Bind(forms.AddSecretForm{}), repo.SecretsPost)
-					m.Post("/delete", repo.DeleteSecret)
-				})
+			})
+
+			m.Group("/secrets", func() {
+				m.Get("", repo.Secrets)
+				m.Post("", web.Bind(forms.AddSecretForm{}), repo.SecretsPost)
+				m.Post("/delete", repo.DeleteSecret)
 			})
 
 			m.Group("/lfs", func() {
diff --git a/templates/org/settings/secrets.tmpl b/templates/org/settings/secrets.tmpl
index dd2a437b7525..70add15f50fb 100644
--- a/templates/org/settings/secrets.tmpl
+++ b/templates/org/settings/secrets.tmpl
@@ -6,78 +6,10 @@
 			{{template "org/settings/navbar" .}}
 			<div class="ui twelve wide column content">
 				{{template "base/alert" .}}
-				<h4 class="ui top attached header">
-					{{.locale.Tr "secrets.secrets"}}
-					<div class="ui right">
-						<div class="ui primary tiny show-panel button" data-panel="#add-secret-panel">{{.locale.Tr "secrets.creation"}}</div>
-					</div>
-				</h4>
-				<div class="ui attached segment">
-					<div class="{{if not .HasError}}hide {{end}}mb-4" id="add-secret-panel">
-						<form class="ui form" action="{{.Link}}" method="post">
-							{{.CsrfTokenHtml}}
-							<div class="field">
-								{{.locale.Tr "secrets.description"}}
-							</div>
-							<div class="field{{if .Err_Title}} error{{end}}">
-								<label for="secret-title">{{.locale.Tr "secrets.name"}}</label>
-								<input id="secret-title" name="title" value="{{.title}}" autofocus required pattern="^[a-zA-Z_][a-zA-Z0-9_]*$" placeholder="{{.locale.Tr "secrets.creation.name_placeholder"}}">
-							</div>
-							<div class="field{{if .Err_Content}} error{{end}}">
-								<label for="secret-content">{{.locale.Tr "secrets.value"}}</label>
-								<textarea id="secret-content" name="content" required placeholder="{{.locale.Tr "secrets.creation.value_placeholder"}}">{{.content}}</textarea>
-							</div>
-							<button class="ui green button">
-								{{.locale.Tr "secrets.creation"}}
-							</button>
-							<button class="ui hide-panel button" data-panel="#add-secret-panel">
-								{{.locale.Tr "cancel"}}
-							</button>
-						</form>
-					</div>
-					{{if .Secrets}}
-					<div class="ui key list">
-						{{range .Secrets}}
-						<div class="item">
-							<div class="right floated content">
-								<button class="ui red tiny button delete-button" data-url="{{$.Link}}/delete" data-id="{{.ID}}">
-									{{$.locale.Tr "settings.delete_key"}}
-								</button>
-							</div>
-							<div class="left floated content">
-								<i>{{svg "octicon-key" 32}}</i>
-							</div>
-							<div class="content">
-								<strong>{{.Name}}</strong>
-								<div class="print meta">******</div>
-								<div class="activity meta">
-									<i>
-										{{$.locale.Tr "settings.add_on"}}
-										<span>{{.CreatedUnix.FormatShort}}</span>
-									</i>
-								</div>
-							</div>
-						</div>
-						{{end}}
-					</div>
-					{{else}}
-						{{.locale.Tr "secrets.none"}}
-					{{end}}
-				</div>
+				{{template "shared/secrets/add_list" .}}
 			</div>
 		</div>
 	</div>
 </div>
 
-<div class="ui small basic delete modal">
-	<div class="ui header">
-		{{svg "octicon-trash" 16 "mr-2"}}
-		{{.locale.Tr "secrets.deletion"}}
-	</div>
-	<div class="content">
-		<p>{{.locale.Tr "secrets.deletion.description"}}</p>
-	</div>
-	{{template "base/delete_modal_actions" .}}
-</div>
-
 {{template "base/footer" .}}
diff --git a/templates/repo/settings/deploy_keys.tmpl b/templates/repo/settings/deploy_keys.tmpl
index 32a1258b3a9a..44c916eefbdb 100644
--- a/templates/repo/settings/deploy_keys.tmpl
+++ b/templates/repo/settings/deploy_keys.tmpl
@@ -51,7 +51,7 @@
 					{{range .Deploykeys}}
 						<div class="item">
 							<div class="right floated content">
-								<button class="ui red tiny button delete-button" data-modal-id="delete-deploy_keys-modal" data-url="{{$.Link}}/delete" data-id="{{.ID}}">
+								<button class="ui red tiny button delete-button" data-url="{{$.Link}}/delete" data-id="{{.ID}}">
 									{{$.locale.Tr "settings.delete_key"}}
 								</button>
 							</div>
@@ -75,11 +75,9 @@
 			{{end}}
 		</div>
 	</div>
-	<br/>
-	{{template "repo/settings/secrets" .}}
 </div>
 
-<div class="ui small basic delete modal" id="delete-deploy_keys-modal">
+<div class="ui small basic delete modal">
 	<div class="ui icon header">
 		{{svg "octicon-trash"}}
 		{{.locale.Tr "repo.settings.deploy_key_deletion"}}
diff --git a/templates/repo/settings/nav.tmpl b/templates/repo/settings/nav.tmpl
index 3c00c5e18858..3156d9b159fc 100644
--- a/templates/repo/settings/nav.tmpl
+++ b/templates/repo/settings/nav.tmpl
@@ -12,7 +12,8 @@
 			{{if or .SignedUser.AllowGitHook .SignedUser.IsAdmin}}
 				<li {{if .PageIsSettingsGitHooks}}class="current"{{end}}><a href="{{.RepoLink}}/settings/hooks/git">{{.locale.Tr "repo.settings.githooks"}}</a></li>
 			{{end}}
-			<li {{if .PageIsSettingsKeys}}class="current"{{end}}><a href="{{.RepoLink}}/settings/keys">{{.locale.Tr "secrets.secrets"}}</a></li>
+			<li {{if .PageIsSettingsKeys}}class="current"{{end}}><a href="{{.RepoLink}}/settings/keys">{{.locale.Tr "repo.settings.deploy_keys"}}</a></li>
+			<li {{if .PageIsSettingsSecrets}}class="current"{{end}}><a href="{{.RepoLink}}/settings/secrets">{{.locale.Tr "secrets.secrets"}}</a></li>
 		</ul>
 	</div>
 </div>
diff --git a/templates/repo/settings/navbar.tmpl b/templates/repo/settings/navbar.tmpl
index 2119f6b5a404..bdfbb6bf109c 100644
--- a/templates/repo/settings/navbar.tmpl
+++ b/templates/repo/settings/navbar.tmpl
@@ -25,6 +25,9 @@
 			</a>
 		{{end}}
 		<a class="{{if .PageIsSettingsKeys}}active {{end}}item" href="{{.RepoLink}}/settings/keys">
+			{{.locale.Tr "repo.settings.deploy_keys"}}
+		</a>
+		<a class="{{if .PageIsSettingsSecrets}}active {{end}}item" href="{{.RepoLink}}/settings/secrets">
 			{{.locale.Tr "secrets.secrets"}}
 		</a>
 		{{if .LFSStartServer}}
diff --git a/templates/repo/settings/secrets.tmpl b/templates/repo/settings/secrets.tmpl
index 5eb917a83b2a..71c5c5115795 100644
--- a/templates/repo/settings/secrets.tmpl
+++ b/templates/repo/settings/secrets.tmpl
@@ -1,80 +1,10 @@
-<div class="ui container">
-	<h4 class="ui top attached header">
-		{{.locale.Tr "secrets.secrets"}}
-		<div class="ui right">
-			<div class="ui primary tiny show-panel button" data-panel="#add-secret-panel">{{.locale.Tr "secrets.creation"}}</div>
-		</div>
-	</h4>
-	<div class="ui attached segment">
-		<div class="{{if not .HasError}}hide {{end}}mb-4" id="add-secret-panel">
-			<form class="ui form" action="{{.Link}}/secrets" method="post">
-				{{.CsrfTokenHtml}}
-				<div class="field">
-					{{.locale.Tr "secrets.description"}}
-				</div>
-				<div class="field{{if .Err_Title}} error{{end}}">
-					<label for="secret-title">{{.locale.Tr "secrets.name"}}</label>
-					<input id="secret-title" name="title" value="{{.title}}" autofocus required pattern="^[a-zA-Z_][a-zA-Z0-9_]*$" placeholder="{{.locale.Tr "secrets.creation.name_placeholder"}}">
-				</div>
-				<div class="field{{if .Err_Content}} error{{end}}">
-					<label for="secret-content">{{.locale.Tr "secrets.value"}}</label>
-					<textarea id="secret-content" name="content" required placeholder="{{.locale.Tr "secrets.creation.value_placeholder"}}">{{.content}}</textarea>
-				</div>
-				<button class="ui green button">
-					{{.locale.Tr "secrets.creation"}}
-				</button>
-				<button class="ui hide-panel button" data-panel="#add-secret-panel">
-					{{.locale.Tr "cancel"}}
-				</button>
-			</form>
-		</div>
-		{{if .Secrets}}
-			<div class="ui key list">
-				{{range .Secrets}}
-					<div class="item">
-						<div class="right floated content">
-							<button class="ui red tiny button delete-button" data-modal-id="delete-secret-modal" data-url="{{$.Link}}/secrets/delete" data-id="{{.ID}}">
-								{{$.locale.Tr "settings.delete_key"}}
-							</button>
-						</div>
-						<div class="left floated content">
-							<i>{{svg "octicon-key" 32}}</i>
-						</div>
-						<div class="content">
-							<strong>{{.Name}}</strong>
-							<div class="print meta">******</div>
-							<div class="activity meta">
-								<i>
-									{{$.locale.Tr "settings.add_on"}}
-									<span>{{.CreatedUnix.FormatShort}}</span>
-								</i>
-							</div>
-						</div>
-					</div>
-				{{end}}
-			</div>
-		{{else}}
-			{{.locale.Tr "secrets.none"}}
-		{{end}}
-	</div>
-</div>
-
-<div class="ui small basic delete modal" id="delete-secret-modal">
-	<div class="ui icon header">
-		{{svg "octicon-trash"}}
-		{{.locale.Tr "secrets.deletion"}}
-	</div>
-	<div class="content">
-		<p>{{.locale.Tr "secrets.deletion.description"}}</p>
-	</div>
-	<div class="actions">
-		<div class="ui red basic inverted cancel button">
-			<i class="remove icon"></i>
-			{{.locale.Tr "modal.no"}}
-		</div>
-		<div class="ui green basic inverted ok button">
-			<i class="checkmark icon"></i>
-			{{.locale.Tr "modal.yes"}}
-		</div>
+{{template "base/head" .}}
+<div class="page-content repository settings">
+	{{template "repo/header" .}}
+	{{template "repo/settings/navbar" .}}
+	<div class="ui container">
+		{{template "base/alert" .}}
+		{{template "shared/secrets/add_list" .}}
 	</div>
 </div>
+{{template "base/footer" .}}
diff --git a/templates/shared/secrets/add_list.tmpl b/templates/shared/secrets/add_list.tmpl
new file mode 100644
index 000000000000..94bc8a1695bf
--- /dev/null
+++ b/templates/shared/secrets/add_list.tmpl
@@ -0,0 +1,68 @@
+<h4 class="ui top attached header">
+	{{.locale.Tr "secrets.secrets"}}
+	<div class="ui right">
+		<div class="ui primary tiny show-panel button" data-panel="#add-secret-panel">{{.locale.Tr "secrets.creation"}}</div>
+	</div>
+</h4>
+<div class="ui attached segment">
+	<div class="{{if not .HasError}}hide {{end}}mb-4" id="add-secret-panel">
+		<form class="ui form" action="{{.Link}}" method="post">
+			{{.CsrfTokenHtml}}
+			<div class="field">
+				{{.locale.Tr "secrets.description"}}
+			</div>
+			<div class="field{{if .Err_Title}} error{{end}}">
+				<label for="secret-title">{{.locale.Tr "secrets.name"}}</label>
+				<input id="secret-title" name="title" value="{{.title}}" autofocus required pattern="^[a-zA-Z_][a-zA-Z0-9_]*$" placeholder="{{.locale.Tr "secrets.creation.name_placeholder"}}">
+			</div>
+			<div class="field{{if .Err_Content}} error{{end}}">
+				<label for="secret-content">{{.locale.Tr "secrets.value"}}</label>
+				<textarea id="secret-content" name="content" required placeholder="{{.locale.Tr "secrets.creation.value_placeholder"}}">{{.content}}</textarea>
+			</div>
+			<button class="ui green button">
+				{{.locale.Tr "secrets.creation"}}
+			</button>
+			<button class="ui hide-panel button" data-panel="#add-secret-panel">
+				{{.locale.Tr "cancel"}}
+			</button>
+		</form>
+	</div>
+	{{if .Secrets}}
+	<div class="ui key list">
+		{{range .Secrets}}
+		<div class="item">
+			<div class="right floated content">
+				<button class="ui red tiny button delete-button" data-url="{{$.Link}}/delete" data-id="{{.ID}}">
+					{{$.locale.Tr "settings.delete_key"}}
+				</button>
+			</div>
+			<div class="left floated content">
+				<i>{{svg "octicon-key" 32}}</i>
+			</div>
+			<div class="content">
+				<strong>{{.Name}}</strong>
+				<div class="print meta">******</div>
+				<div class="activity meta">
+					<i>
+						{{$.locale.Tr "settings.add_on"}}
+						<span>{{.CreatedUnix.FormatShort}}</span>
+					</i>
+				</div>
+			</div>
+		</div>
+		{{end}}
+	</div>
+	{{else}}
+		{{.locale.Tr "secrets.none"}}
+	{{end}}
+</div>
+<div class="ui small basic delete modal">
+	<div class="ui header">
+		{{svg "octicon-trash" 16 "mr-2"}}
+		{{.locale.Tr "secrets.deletion"}}
+	</div>
+	<div class="content">
+		<p>{{.locale.Tr "secrets.deletion.description"}}</p>
+	</div>
+	{{template "base/delete_modal_actions" .}}
+</div>
diff --git a/templates/user/settings/navbar.tmpl b/templates/user/settings/navbar.tmpl
index 8fd869dc40c3..8deffde0b224 100644
--- a/templates/user/settings/navbar.tmpl
+++ b/templates/user/settings/navbar.tmpl
@@ -18,6 +18,9 @@
 		<a class="{{if .PageIsSettingsKeys}}active {{end}}item" href="{{AppSubUrl}}/user/settings/keys">
 			{{.locale.Tr "settings.ssh_gpg_keys"}}
 		</a>
+		<a class="{{if .PageIsSettingsSecrets}}active {{end}}item" href="{{AppSubUrl}}/user/settings/secrets">
+			{{.locale.Tr "secrets.secrets"}}
+		</a>
 		{{if .EnablePackages}}
 		<a class="{{if .PageIsSettingsPackages}}active {{end}}item" href="{{AppSubUrl}}/user/settings/packages">
 			{{.locale.Tr "packages.title"}}
diff --git a/templates/user/settings/secrets.tmpl b/templates/user/settings/secrets.tmpl
new file mode 100644
index 000000000000..1a6875acefc1
--- /dev/null
+++ b/templates/user/settings/secrets.tmpl
@@ -0,0 +1,10 @@
+{{template "base/head" .}}
+<div class="page-content user settings secrets">
+	{{template "user/settings/navbar" .}}
+	<div class="ui container">
+		{{template "base/alert" .}}
+		{{template "shared/secrets/add_list" .}}
+	</div>
+</div>
+
+{{template "base/footer" .}}

From 6ba9ff7b4899f1057ac6e41947951da3e43b6918 Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Wed, 1 Feb 2023 19:30:39 +0100
Subject: [PATCH 07/21] Add Conda package registry (#22262)

This PR adds a [Conda](https://conda.io/) package registry.
---
 custom/conf/app.example.ini                   |   2 +
 .../doc/advanced/config-cheat-sheet.en-us.md  |   1 +
 docs/content/doc/packages/conda.en-us.md      |  85 +++++
 docs/content/doc/packages/overview.en-us.md   |   1 +
 go.mod                                        |   2 +-
 models/packages/conda/search.go               |  63 ++++
 models/packages/descriptor.go                 |   3 +
 models/packages/package.go                    |   6 +
 modules/packages/conda/metadata.go            | 243 ++++++++++++++
 modules/packages/conda/metadata_test.go       | 150 +++++++++
 modules/setting/packages.go                   |   2 +
 options/locale/locale_en-US.ini               |   5 +
 public/img/svg/gitea-conda.svg                |   1 +
 routers/api/packages/api.go                   |  38 +++
 routers/api/packages/conda/conda.go           | 306 ++++++++++++++++++
 routers/api/v1/packages/package.go            |   2 +-
 services/forms/package_form.go                |   2 +-
 services/packages/packages.go                 |   2 +
 templates/package/content/conda.tmpl          |  30 ++
 templates/package/metadata/conda.tmpl         |   6 +
 templates/package/view.tmpl                   |   2 +
 templates/swagger/v1_json.tmpl                |   1 +
 tests/integration/api_packages_conda_test.go  | 274 ++++++++++++++++
 web_src/svg/gitea-conda.svg                   |  20 ++
 24 files changed, 1244 insertions(+), 3 deletions(-)
 create mode 100644 docs/content/doc/packages/conda.en-us.md
 create mode 100644 models/packages/conda/search.go
 create mode 100644 modules/packages/conda/metadata.go
 create mode 100644 modules/packages/conda/metadata_test.go
 create mode 100644 public/img/svg/gitea-conda.svg
 create mode 100644 routers/api/packages/conda/conda.go
 create mode 100644 templates/package/content/conda.tmpl
 create mode 100644 templates/package/metadata/conda.tmpl
 create mode 100644 tests/integration/api_packages_conda_test.go
 create mode 100644 web_src/svg/gitea-conda.svg

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index daf67ef4c6bf..77efe1417ba9 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2458,6 +2458,8 @@ ROUTER = console
 ;LIMIT_SIZE_COMPOSER = -1
 ;; Maximum size of a Conan upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
 ;LIMIT_SIZE_CONAN = -1
+;; Maximum size of a Conda upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+;LIMIT_SIZE_CONDA = -1
 ;; Maximum size of a Container upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
 ;LIMIT_SIZE_CONTAINER = -1
 ;; Maximum size of a Generic upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 4ef630b6be01..441bb824ad20 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -1214,6 +1214,7 @@ Task queue configuration has been moved to `queue.task`. However, the below conf
 - `LIMIT_TOTAL_OWNER_SIZE`: **-1**: Maximum size of packages a single owner can use (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
 - `LIMIT_SIZE_COMPOSER`: **-1**: Maximum size of a Composer upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
 - `LIMIT_SIZE_CONAN`: **-1**: Maximum size of a Conan upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
+- `LIMIT_SIZE_CONDA`: **-1**: Maximum size of a Conda upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
 - `LIMIT_SIZE_CONTAINER`: **-1**: Maximum size of a Container upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
 - `LIMIT_SIZE_GENERIC`: **-1**: Maximum size of a Generic upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
 - `LIMIT_SIZE_HELM`: **-1**: Maximum size of a Helm upload (`-1` means no limits, format `1000`, `1 MB`, `1 GiB`)
diff --git a/docs/content/doc/packages/conda.en-us.md b/docs/content/doc/packages/conda.en-us.md
new file mode 100644
index 000000000000..8b828475904e
--- /dev/null
+++ b/docs/content/doc/packages/conda.en-us.md
@@ -0,0 +1,85 @@
+---
+date: "2022-12-28T00:00:00+00:00"
+title: "Conda Packages Repository"
+slug: "packages/conda"
+draft: false
+toc: false
+menu:
+  sidebar:
+    parent: "packages"
+    name: "Conda"
+    weight: 25
+    identifier: "conda"
+---
+
+# Conda Packages Repository
+
+Publish [Conda](https://docs.conda.io/en/latest/) packages for your user or organization.
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Requirements
+
+To work with the Conda package registry, you need to use [conda](https://docs.conda.io/projects/conda/en/stable/user-guide/install/index.html).
+
+## Configuring the package registry
+
+To register the package registry and provide credentials, edit your `.condarc` file:
+
+```yaml
+channel_alias: https://gitea.example.com/api/packages/{owner}/conda
+channels:
+  - https://gitea.example.com/api/packages/{owner}/conda
+default_channels:
+  - https://gitea.example.com/api/packages/{owner}/conda
+```
+
+| Placeholder  | Description |
+| ------------ | ----------- |
+| `owner`      | The owner of the package. |
+
+See the [official documentation](https://conda.io/projects/conda/en/latest/user-guide/configuration/use-condarc.html) for explanations of the individual settings.
+
+If you need to provide credentials, you may embed them as part of the channel url (`https://user:password@gitea.example.com/...`).
+
+## Publish a package
+
+To publish a package, perform a HTTP PUT operation with the package content in the request body.
+
+```
+PUT https://gitea.example.com/api/packages/{owner}/conda/{channel}/{filename}
+```
+
+| Placeholder  | Description |
+| ------------ | ----------- |
+| `owner`      | The owner of the package. |
+| `channel`    | The [channel](https://conda.io/projects/conda/en/latest/user-guide/concepts/channels.html) of the package. (optional) |
+| `filename`   | The name of the file. |
+
+Example request using HTTP Basic authentication:
+
+```shell
+curl --user your_username:your_password_or_token \
+     --upload-file path/to/package-1.0.conda \
+     https://gitea.example.com/api/packages/testuser/conda/package-1.0.conda
+```
+
+You cannot publish a package if a package of the same name and version already exists. You must delete the existing package first.
+
+## Install a package
+
+To install a package from the package registry, execute one of the following commands:
+
+```shell
+conda install {package_name}
+conda install {package_name}={package_version}
+conda install -c {channel} {package_name}
+```
+
+| Parameter         | Description |
+| ----------------- | ----------- |
+| `package_name`    | The package name. |
+| `package_version` | The package version. |
+| `channel`         | The channel of the package. (optional) |
diff --git a/docs/content/doc/packages/overview.en-us.md b/docs/content/doc/packages/overview.en-us.md
index b12155e14da7..9a736c1e5641 100644
--- a/docs/content/doc/packages/overview.en-us.md
+++ b/docs/content/doc/packages/overview.en-us.md
@@ -28,6 +28,7 @@ The following package managers are currently supported:
 | ---- | -------- | -------------- |
 | [Composer]({{< relref "doc/packages/composer.en-us.md" >}}) | PHP | `composer` |
 | [Conan]({{< relref "doc/packages/conan.en-us.md" >}}) | C++ | `conan` |
+| [Conda]({{< relref "doc/packages/conda.en-us.md" >}}) | - | `conda` |
 | [Container]({{< relref "doc/packages/container.en-us.md" >}}) | - | any OCI compliant client |
 | [Generic]({{< relref "doc/packages/generic.en-us.md" >}}) | - | any HTTP client |
 | [Helm]({{< relref "doc/packages/helm.en-us.md" >}}) | - | any HTTP client, `cm-push` |
diff --git a/go.mod b/go.mod
index b3d40403235b..a929508e0de0 100644
--- a/go.mod
+++ b/go.mod
@@ -26,6 +26,7 @@ require (
 	github.com/dimiro1/reply v0.0.0-20200315094148-d0136a4c9e21
 	github.com/djherbis/buffer v1.2.0
 	github.com/djherbis/nio/v3 v3.0.1
+	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5
 	github.com/dustin/go-humanize v1.0.0
 	github.com/editorconfig/editorconfig-core-go/v2 v2.5.1
 	github.com/emersion/go-imap v1.2.1
@@ -161,7 +162,6 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.7.0 // indirect
-	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
diff --git a/models/packages/conda/search.go b/models/packages/conda/search.go
new file mode 100644
index 000000000000..887441e3b2bd
--- /dev/null
+++ b/models/packages/conda/search.go
@@ -0,0 +1,63 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package conda
+
+import (
+	"context"
+	"strings"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/packages"
+	conda_module "code.gitea.io/gitea/modules/packages/conda"
+
+	"xorm.io/builder"
+)
+
+type FileSearchOptions struct {
+	OwnerID  int64
+	Channel  string
+	Subdir   string
+	Filename string
+}
+
+// SearchFiles gets all files matching the search options
+func SearchFiles(ctx context.Context, opts *FileSearchOptions) ([]*packages.PackageFile, error) {
+	var cond builder.Cond = builder.Eq{
+		"package.type":                packages.TypeConda,
+		"package.owner_id":            opts.OwnerID,
+		"package_version.is_internal": false,
+	}
+
+	if opts.Filename != "" {
+		cond = cond.And(builder.Eq{
+			"package_file.lower_name": strings.ToLower(opts.Filename),
+		})
+	}
+
+	var versionPropsCond builder.Cond = builder.Eq{
+		"package_property.ref_type": packages.PropertyTypePackage,
+		"package_property.name":     conda_module.PropertyChannel,
+		"package_property.value":    opts.Channel,
+	}
+
+	cond = cond.And(builder.In("package.id", builder.Select("package_property.ref_id").Where(versionPropsCond).From("package_property")))
+
+	var filePropsCond builder.Cond = builder.Eq{
+		"package_property.ref_type": packages.PropertyTypeFile,
+		"package_property.name":     conda_module.PropertySubdir,
+		"package_property.value":    opts.Subdir,
+	}
+
+	cond = cond.And(builder.In("package_file.id", builder.Select("package_property.ref_id").Where(filePropsCond).From("package_property")))
+
+	sess := db.GetEngine(ctx).
+		Select("package_file.*").
+		Table("package_file").
+		Join("INNER", "package_version", "package_version.id = package_file.version_id").
+		Join("INNER", "package", "package.id = package_version.package_id").
+		Where(cond)
+
+	pfs := make([]*packages.PackageFile, 0, 10)
+	return pfs, sess.Find(&pfs)
+}
diff --git a/models/packages/descriptor.go b/models/packages/descriptor.go
index 34f1cad87dc4..3b36ee22661c 100644
--- a/models/packages/descriptor.go
+++ b/models/packages/descriptor.go
@@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/packages/composer"
 	"code.gitea.io/gitea/modules/packages/conan"
+	"code.gitea.io/gitea/modules/packages/conda"
 	"code.gitea.io/gitea/modules/packages/container"
 	"code.gitea.io/gitea/modules/packages/helm"
 	"code.gitea.io/gitea/modules/packages/maven"
@@ -132,6 +133,8 @@ func GetPackageDescriptor(ctx context.Context, pv *PackageVersion) (*PackageDesc
 		metadata = &composer.Metadata{}
 	case TypeConan:
 		metadata = &conan.Metadata{}
+	case TypeConda:
+		metadata = &conda.VersionMetadata{}
 	case TypeContainer:
 		metadata = &container.Metadata{}
 	case TypeGeneric:
diff --git a/models/packages/package.go b/models/packages/package.go
index a804f35de352..0015953d81d8 100644
--- a/models/packages/package.go
+++ b/models/packages/package.go
@@ -32,6 +32,7 @@ type Type string
 const (
 	TypeComposer  Type = "composer"
 	TypeConan     Type = "conan"
+	TypeConda     Type = "conda"
 	TypeContainer Type = "container"
 	TypeGeneric   Type = "generic"
 	TypeHelm      Type = "helm"
@@ -47,6 +48,7 @@ const (
 var TypeList = []Type{
 	TypeComposer,
 	TypeConan,
+	TypeConda,
 	TypeContainer,
 	TypeGeneric,
 	TypeHelm,
@@ -66,6 +68,8 @@ func (pt Type) Name() string {
 		return "Composer"
 	case TypeConan:
 		return "Conan"
+	case TypeConda:
+		return "Conda"
 	case TypeContainer:
 		return "Container"
 	case TypeGeneric:
@@ -97,6 +101,8 @@ func (pt Type) SVGName() string {
 		return "gitea-composer"
 	case TypeConan:
 		return "gitea-conan"
+	case TypeConda:
+		return "gitea-conda"
 	case TypeContainer:
 		return "octicon-container"
 	case TypeGeneric:
diff --git a/modules/packages/conda/metadata.go b/modules/packages/conda/metadata.go
new file mode 100644
index 000000000000..02dbf313ba2d
--- /dev/null
+++ b/modules/packages/conda/metadata.go
@@ -0,0 +1,243 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package conda
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"compress/bzip2"
+	"io"
+	"strings"
+
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/validation"
+
+	"github.com/klauspost/compress/zstd"
+)
+
+var (
+	ErrInvalidStructure = util.SilentWrap{Message: "package structure is invalid", Err: util.ErrInvalidArgument}
+	ErrInvalidName      = util.SilentWrap{Message: "package name is invalid", Err: util.ErrInvalidArgument}
+	ErrInvalidVersion   = util.SilentWrap{Message: "package version is invalid", Err: util.ErrInvalidArgument}
+)
+
+const (
+	PropertyName     = "conda.name"
+	PropertyChannel  = "conda.channel"
+	PropertySubdir   = "conda.subdir"
+	PropertyMetadata = "conda.metdata"
+)
+
+// Package represents a Conda package
+type Package struct {
+	Name            string
+	Version         string
+	Subdir          string
+	VersionMetadata *VersionMetadata
+	FileMetadata    *FileMetadata
+}
+
+// VersionMetadata represents the metadata of a Conda package
+type VersionMetadata struct {
+	Description      string `json:"description,omitempty"`
+	Summary          string `json:"summary,omitempty"`
+	ProjectURL       string `json:"project_url,omitempty"`
+	RepositoryURL    string `json:"repository_url,omitempty"`
+	DocumentationURL string `json:"documentation_url,omitempty"`
+	License          string `json:"license,omitempty"`
+	LicenseFamily    string `json:"license_family,omitempty"`
+}
+
+// FileMetadata represents the metadata of a Conda package file
+type FileMetadata struct {
+	IsCondaPackage bool     `json:"is_conda"`
+	Architecture   string   `json:"architecture,omitempty"`
+	NoArch         string   `json:"noarch,omitempty"`
+	Build          string   `json:"build,omitempty"`
+	BuildNumber    int64    `json:"build_number,omitempty"`
+	Dependencies   []string `json:"dependencies,omitempty"`
+	Platform       string   `json:"platform,omitempty"`
+	Timestamp      int64    `json:"timestamp,omitempty"`
+}
+
+type index struct {
+	Name          string   `json:"name"`
+	Version       string   `json:"version"`
+	Architecture  string   `json:"arch"`
+	NoArch        string   `json:"noarch"`
+	Build         string   `json:"build"`
+	BuildNumber   int64    `json:"build_number"`
+	Dependencies  []string `json:"depends"`
+	License       string   `json:"license"`
+	LicenseFamily string   `json:"license_family"`
+	Platform      string   `json:"platform"`
+	Subdir        string   `json:"subdir"`
+	Timestamp     int64    `json:"timestamp"`
+}
+
+type about struct {
+	Description      string `json:"description"`
+	Summary          string `json:"summary"`
+	ProjectURL       string `json:"home"`
+	RepositoryURL    string `json:"dev_url"`
+	DocumentationURL string `json:"doc_url"`
+}
+
+type ReaderAndReaderAt interface {
+	io.Reader
+	io.ReaderAt
+}
+
+// ParsePackageBZ2 parses the Conda package file compressed with bzip2
+func ParsePackageBZ2(r io.Reader) (*Package, error) {
+	gzr := bzip2.NewReader(r)
+
+	return parsePackageTar(gzr)
+}
+
+// ParsePackageConda parses the Conda package file compressed with zip and zstd
+func ParsePackageConda(r io.ReaderAt, size int64) (*Package, error) {
+	zr, err := zip.NewReader(r, size)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, file := range zr.File {
+		if strings.HasPrefix(file.Name, "info-") && strings.HasSuffix(file.Name, ".tar.zst") {
+			f, err := zr.Open(file.Name)
+			if err != nil {
+				return nil, err
+			}
+			defer f.Close()
+
+			dec, err := zstd.NewReader(f)
+			if err != nil {
+				return nil, err
+			}
+			defer dec.Close()
+
+			p, err := parsePackageTar(dec)
+			if p != nil {
+				p.FileMetadata.IsCondaPackage = true
+			}
+			return p, err
+		}
+	}
+
+	return nil, ErrInvalidStructure
+}
+
+func parsePackageTar(r io.Reader) (*Package, error) {
+	var i *index
+	var a *about
+
+	tr := tar.NewReader(r)
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		if hdr.Typeflag != tar.TypeReg {
+			continue
+		}
+
+		if hdr.Name == "info/index.json" {
+			if err := json.NewDecoder(tr).Decode(&i); err != nil {
+				return nil, err
+			}
+
+			if !checkName(i.Name) {
+				return nil, ErrInvalidName
+			}
+
+			if !checkVersion(i.Version) {
+				return nil, ErrInvalidVersion
+			}
+
+			if a != nil {
+				break // stop loop if both files were found
+			}
+		} else if hdr.Name == "info/about.json" {
+			if err := json.NewDecoder(tr).Decode(&a); err != nil {
+				return nil, err
+			}
+
+			if !validation.IsValidURL(a.ProjectURL) {
+				a.ProjectURL = ""
+			}
+			if !validation.IsValidURL(a.RepositoryURL) {
+				a.RepositoryURL = ""
+			}
+			if !validation.IsValidURL(a.DocumentationURL) {
+				a.DocumentationURL = ""
+			}
+
+			if i != nil {
+				break // stop loop if both files were found
+			}
+		}
+	}
+
+	if i == nil {
+		return nil, ErrInvalidStructure
+	}
+	if a == nil {
+		a = &about{}
+	}
+
+	return &Package{
+		Name:    i.Name,
+		Version: i.Version,
+		Subdir:  i.Subdir,
+		VersionMetadata: &VersionMetadata{
+			License:          i.License,
+			LicenseFamily:    i.LicenseFamily,
+			Description:      a.Description,
+			Summary:          a.Summary,
+			ProjectURL:       a.ProjectURL,
+			RepositoryURL:    a.RepositoryURL,
+			DocumentationURL: a.DocumentationURL,
+		},
+		FileMetadata: &FileMetadata{
+			Architecture: i.Architecture,
+			NoArch:       i.NoArch,
+			Build:        i.Build,
+			BuildNumber:  i.BuildNumber,
+			Dependencies: i.Dependencies,
+			Platform:     i.Platform,
+			Timestamp:    i.Timestamp,
+		},
+	}, nil
+}
+
+// https://github.com/conda/conda-build/blob/db9a728a9e4e6cfc895637ca3221117970fc2663/conda_build/metadata.py#L1393
+func checkName(name string) bool {
+	if name == "" {
+		return false
+	}
+	if name != strings.ToLower(name) {
+		return false
+	}
+	return !checkBadCharacters(name, "!")
+}
+
+// https://github.com/conda/conda-build/blob/db9a728a9e4e6cfc895637ca3221117970fc2663/conda_build/metadata.py#L1403
+func checkVersion(version string) bool {
+	if version == "" {
+		return false
+	}
+	return !checkBadCharacters(version, "-")
+}
+
+func checkBadCharacters(s, additional string) bool {
+	if strings.ContainsAny(s, "=@#$%^&*:;\"'\\|<>?/ ") {
+		return true
+	}
+	return strings.ContainsAny(s, additional)
+}
diff --git a/modules/packages/conda/metadata_test.go b/modules/packages/conda/metadata_test.go
new file mode 100644
index 000000000000..2038ca370ce9
--- /dev/null
+++ b/modules/packages/conda/metadata_test.go
@@ -0,0 +1,150 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package conda
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"bytes"
+	"io"
+	"testing"
+
+	"github.com/dsnet/compress/bzip2"
+	"github.com/klauspost/compress/zstd"
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	packageName      = "gitea"
+	packageVersion   = "1.0.1"
+	description      = "Package Description"
+	projectURL       = "https://gitea.io"
+	repositoryURL    = "https://gitea.io/gitea/gitea"
+	documentationURL = "https://docs.gitea.io"
+)
+
+func TestParsePackage(t *testing.T) {
+	createArchive := func(files map[string][]byte) *bytes.Buffer {
+		var buf bytes.Buffer
+		tw := tar.NewWriter(&buf)
+		for filename, content := range files {
+			hdr := &tar.Header{
+				Name: filename,
+				Mode: 0o600,
+				Size: int64(len(content)),
+			}
+			tw.WriteHeader(hdr)
+			tw.Write(content)
+		}
+		tw.Close()
+		return &buf
+	}
+
+	t.Run("MissingIndexFile", func(t *testing.T) {
+		buf := createArchive(map[string][]byte{"dummy.txt": {}})
+
+		p, err := parsePackageTar(buf)
+		assert.Nil(t, p)
+		assert.ErrorIs(t, err, ErrInvalidStructure)
+	})
+
+	t.Run("MissingAboutFile", func(t *testing.T) {
+		buf := createArchive(map[string][]byte{"info/index.json": []byte(`{"name":"name","version":"1.0"}`)})
+
+		p, err := parsePackageTar(buf)
+		assert.NotNil(t, p)
+		assert.NoError(t, err)
+
+		assert.Equal(t, "name", p.Name)
+		assert.Equal(t, "1.0", p.Version)
+		assert.Empty(t, p.VersionMetadata.ProjectURL)
+	})
+
+	t.Run("InvalidName", func(t *testing.T) {
+		for _, name := range []string{"", "name!", "nAMe"} {
+			buf := createArchive(map[string][]byte{"info/index.json": []byte(`{"name":"` + name + `","version":"1.0"}`)})
+
+			p, err := parsePackageTar(buf)
+			assert.Nil(t, p)
+			assert.ErrorIs(t, err, ErrInvalidName)
+		}
+	})
+
+	t.Run("InvalidVersion", func(t *testing.T) {
+		for _, version := range []string{"", "1.0-2"} {
+			buf := createArchive(map[string][]byte{"info/index.json": []byte(`{"name":"name","version":"` + version + `"}`)})
+
+			p, err := parsePackageTar(buf)
+			assert.Nil(t, p)
+			assert.ErrorIs(t, err, ErrInvalidVersion)
+		}
+	})
+
+	t.Run("Valid", func(t *testing.T) {
+		buf := createArchive(map[string][]byte{
+			"info/index.json": []byte(`{"name":"` + packageName + `","version":"` + packageVersion + `","subdir":"linux-64"}`),
+			"info/about.json": []byte(`{"description":"` + description + `","dev_url":"` + repositoryURL + `","doc_url":"` + documentationURL + `","home":"` + projectURL + `"}`),
+		})
+
+		p, err := parsePackageTar(buf)
+		assert.NotNil(t, p)
+		assert.NoError(t, err)
+
+		assert.Equal(t, packageName, p.Name)
+		assert.Equal(t, packageVersion, p.Version)
+		assert.Equal(t, "linux-64", p.Subdir)
+		assert.Equal(t, description, p.VersionMetadata.Description)
+		assert.Equal(t, projectURL, p.VersionMetadata.ProjectURL)
+		assert.Equal(t, repositoryURL, p.VersionMetadata.RepositoryURL)
+		assert.Equal(t, documentationURL, p.VersionMetadata.DocumentationURL)
+	})
+
+	t.Run(".tar.bz2", func(t *testing.T) {
+		tarArchive := createArchive(map[string][]byte{
+			"info/index.json": []byte(`{"name":"` + packageName + `","version":"` + packageVersion + `"}`),
+		})
+
+		var buf bytes.Buffer
+		bw, _ := bzip2.NewWriter(&buf, nil)
+		io.Copy(bw, tarArchive)
+		bw.Close()
+
+		br := bytes.NewReader(buf.Bytes())
+
+		p, err := ParsePackageBZ2(br)
+		assert.NotNil(t, p)
+		assert.NoError(t, err)
+
+		assert.Equal(t, packageName, p.Name)
+		assert.Equal(t, packageVersion, p.Version)
+		assert.False(t, p.FileMetadata.IsCondaPackage)
+	})
+
+	t.Run(".conda", func(t *testing.T) {
+		tarArchive := createArchive(map[string][]byte{
+			"info/index.json": []byte(`{"name":"` + packageName + `","version":"` + packageVersion + `"}`),
+		})
+
+		var infoBuf bytes.Buffer
+		zsw, _ := zstd.NewWriter(&infoBuf)
+		io.Copy(zsw, tarArchive)
+		zsw.Close()
+
+		var buf bytes.Buffer
+		zpw := zip.NewWriter(&buf)
+		w, _ := zpw.Create("info-x.tar.zst")
+		w.Write(infoBuf.Bytes())
+		zpw.Close()
+
+		br := bytes.NewReader(buf.Bytes())
+
+		p, err := ParsePackageConda(br, int64(br.Len()))
+		assert.NotNil(t, p)
+		assert.NoError(t, err)
+
+		assert.Equal(t, packageName, p.Name)
+		assert.Equal(t, packageVersion, p.Version)
+		assert.True(t, p.FileMetadata.IsCondaPackage)
+	})
+}
diff --git a/modules/setting/packages.go b/modules/setting/packages.go
index 120fbb5bda8e..d0cd80aa0358 100644
--- a/modules/setting/packages.go
+++ b/modules/setting/packages.go
@@ -27,6 +27,7 @@ var (
 		LimitTotalOwnerSize  int64
 		LimitSizeComposer    int64
 		LimitSizeConan       int64
+		LimitSizeConda       int64
 		LimitSizeContainer   int64
 		LimitSizeGeneric     int64
 		LimitSizeHelm        int64
@@ -66,6 +67,7 @@ func newPackages() {
 	Packages.LimitTotalOwnerSize = mustBytes(sec, "LIMIT_TOTAL_OWNER_SIZE")
 	Packages.LimitSizeComposer = mustBytes(sec, "LIMIT_SIZE_COMPOSER")
 	Packages.LimitSizeConan = mustBytes(sec, "LIMIT_SIZE_CONAN")
+	Packages.LimitSizeConda = mustBytes(sec, "LIMIT_SIZE_CONDA")
 	Packages.LimitSizeContainer = mustBytes(sec, "LIMIT_SIZE_CONTAINER")
 	Packages.LimitSizeGeneric = mustBytes(sec, "LIMIT_SIZE_GENERIC")
 	Packages.LimitSizeHelm = mustBytes(sec, "LIMIT_SIZE_HELM")
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 8a48a68b171c..8465660cc075 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -3159,6 +3159,11 @@ conan.details.repository = Repository
 conan.registry = Setup this registry from the command line:
 conan.install = To install the package using Conan, run the following command:
 conan.documentation = For more information on the Conan registry, see <a target="_blank" rel="noopener noreferrer" href="https://docs.gitea.io/en-us/packages/conan/">the documentation</a>.
+conda.registry = Setup this registry as a Conda repository in your <code>.condarc</code> file:
+conda.install = To install the package using Conda, run the following command:
+conda.documentation = For more information on the Conda registry, see <a target="_blank" rel="noopener noreferrer" href="https://docs.gitea.io/en-us/packages/conda/">the documentation</a>.
+conda.details.repository_site = Repository Site
+conda.details.documentation_site = Documentation Site
 container.details.type = Image Type
 container.details.platform = Platform
 container.details.repository_site = Repository Site
diff --git a/public/img/svg/gitea-conda.svg b/public/img/svg/gitea-conda.svg
new file mode 100644
index 000000000000..cd4817adf2e3
--- /dev/null
+++ b/public/img/svg/gitea-conda.svg
@@ -0,0 +1 @@
+<svg viewBox="0 0 32 32" class="svg gitea-conda" width="16" height="16" aria-hidden="true"><path fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068" d="M16.559 8.137a7.2 7.2 0 0 0-1.234-1.708 7.586 7.586 0 0 0-.19 2.183 5.161 5.161 0 0 1 1.424-.475ZM13.617 9.466a7.992 7.992 0 0 0-1.993-1.2 8.123 8.123 0 0 0 .885 2.183c0 .063.443-.475 1.108-.981ZM17.445 7.188a9.143 9.143 0 0 1 1.3-2.246A7.585 7.585 0 0 0 17 2.854a8.35 8.35 0 0 0-1.3 2.278 8.451 8.451 0 0 1 1.74 2.056ZM11.592 11.744a10.276 10.276 0 0 0-2.692-.158 7.478 7.478 0 0 0 1.93 1.9 6.858 6.858 0 0 1 .759-1.74zM6.878 15.161a7.44 7.44 0 0 1 2.942-1.139 10.019 10.019 0 0 1-2.056-2.278 7.639 7.639 0 0 0-2.847 1.2 7.11 7.11 0 0 0 1.961 2.215zM10.516 14.876a6.16 6.16 0 0 0-2.815.886 9.936 9.936 0 0 0 2.815 1.2 7.683 7.683 0 0 1 0-2.088zM14.281 5.543A7.839 7.839 0 0 0 11.592 4.4 8.361 8.361 0 0 0 11.4 7a8.875 8.875 0 0 1 2.47 1.264 10.292 10.292 0 0 1 .411-2.721ZM24.025 3.234a20.488 20.488 0 0 1 .917 4.112 6.823 6.823 0 0 0-3.068 1.519 7.443 7.443 0 0 1 1.55 1.044 1.351 1.351 0 0 0 1.645.316 36.938 36.938 0 0 0 2.721-2.72 1.273 1.273 0 0 0-.159-1.835 20.521 20.521 0 0 0-3.606-2.436ZM4.379 12.06a8.67 8.67 0 0 1 2.847-1.26 7.763 7.763 0 0 1-.759-2.974 14.687 14.687 0 0 0-2.088 4.234ZM11.339 10.668a9.991 9.991 0 0 1-.949-2.784 7.928 7.928 0 0 0-2.911-.126 7.312 7.312 0 0 0 .791 2.879 9.664 9.664 0 0 1 3.069.031ZM6.119 15.73a8.894 8.894 0 0 1-2.025-2.373 14.208 14.208 0 0 0-.063 4.9 8.522 8.522 0 0 1 2.088-2.527Z"/><path fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068" d="M22.538 3.487A7.581 7.581 0 0 0 20.323 5.1a11.789 11.789 0 0 1 .823 2.5 9.775 9.775 0 0 1 2.309-1.329 6.593 6.593 0 0 0-.917-2.784ZM19.374 6.3a8.608 8.608 0 0 0-.822 1.676 9.645 9.645 0 0 1 1.329.19 7.568 7.568 0 0 0-.507-1.866ZM19.659 3.9a9.577 9.577 0 0 1 2.056-1.487A15.38 15.38 0 0 0 18.046 2a9.709 9.709 0 0 1 1.613 1.9Z"/><path fill="#43b02a" d="M27.378 23.892c-1.993-1.9-2.4-3.132-4.081-1.835a7.837 7.837 0 0 1-12.591-4.144A10.179 10.179 0 0 1 6.878 16.3a9.427 9.427 0 0 0-2.562 3.321h-.032C7.163 30.5 21.178 33.035 27.663 26.233c1.076-1.139.095-1.933-.285-2.341ZM6.309 20.855a7.559 7.559 0 0 1 .917-2.025 6.872 6.872 0 0 0 2.151.538c1.013 2.689 4.556 6.264 8.922 6.264a9.632 9.632 0 0 0 6.3-2.309 12.841 12.841 0 0 1 1.772 1.771c.095.127.095.159.095.159-5.766 5.03-15.538 4.302-20.157-4.398Z"/><path fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".067" d="M10.67 4.11a19.934 19.934 0 0 0-.214 2.509 10.512 10.512 0 0 0-2.689-.093A18 18 0 0 1 10.67 4.11ZM12.26 3.274a9.107 9.107 0 0 1 2.445 1.053 14.083 14.083 0 0 1 1.253-2.137 12.106 12.106 0 0 0-3.698 1.084z"/></svg>
\ No newline at end of file
diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index 78eb5e860be2..7a07fea815e8 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/packages/composer"
 	"code.gitea.io/gitea/routers/api/packages/conan"
+	"code.gitea.io/gitea/routers/api/packages/conda"
 	"code.gitea.io/gitea/routers/api/packages/container"
 	"code.gitea.io/gitea/routers/api/packages/generic"
 	"code.gitea.io/gitea/routers/api/packages/helm"
@@ -167,6 +168,43 @@ func CommonRoutes(ctx gocontext.Context) *web.Route {
 				})
 			})
 		}, reqPackageAccess(perm.AccessModeRead))
+		r.Group("/conda", func() {
+			var (
+				downloadPattern = regexp.MustCompile(`\A(.+/)?(.+)/((?:[^/]+(?:\.tar\.bz2|\.conda))|(?:current_)?repodata\.json(?:\.bz2)?)\z`)
+				uploadPattern   = regexp.MustCompile(`\A(.+/)?([^/]+(?:\.tar\.bz2|\.conda))\z`)
+			)
+
+			r.Get("/*", func(ctx *context.Context) {
+				m := downloadPattern.FindStringSubmatch(ctx.Params("*"))
+				if len(m) == 0 {
+					ctx.Status(http.StatusNotFound)
+					return
+				}
+
+				ctx.SetParams("channel", strings.TrimSuffix(m[1], "/"))
+				ctx.SetParams("architecture", m[2])
+				ctx.SetParams("filename", m[3])
+
+				switch m[3] {
+				case "repodata.json", "repodata.json.bz2", "current_repodata.json", "current_repodata.json.bz2":
+					conda.EnumeratePackages(ctx)
+				default:
+					conda.DownloadPackageFile(ctx)
+				}
+			})
+			r.Put("/*", reqPackageAccess(perm.AccessModeWrite), func(ctx *context.Context) {
+				m := uploadPattern.FindStringSubmatch(ctx.Params("*"))
+				if len(m) == 0 {
+					ctx.Status(http.StatusNotFound)
+					return
+				}
+
+				ctx.SetParams("channel", strings.TrimSuffix(m[1], "/"))
+				ctx.SetParams("filename", m[2])
+
+				conda.UploadPackageFile(ctx)
+			})
+		}, reqPackageAccess(perm.AccessModeRead))
 		r.Group("/generic", func() {
 			r.Group("/{packagename}/{packageversion}", func() {
 				r.Delete("", reqPackageAccess(perm.AccessModeWrite), generic.DeletePackage)
diff --git a/routers/api/packages/conda/conda.go b/routers/api/packages/conda/conda.go
new file mode 100644
index 000000000000..2ff619fed4e0
--- /dev/null
+++ b/routers/api/packages/conda/conda.go
@@ -0,0 +1,306 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package conda
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	packages_model "code.gitea.io/gitea/models/packages"
+	conda_model "code.gitea.io/gitea/models/packages/conda"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/log"
+	packages_module "code.gitea.io/gitea/modules/packages"
+	conda_module "code.gitea.io/gitea/modules/packages/conda"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/routers/api/packages/helper"
+	packages_service "code.gitea.io/gitea/services/packages"
+
+	"github.com/dsnet/compress/bzip2"
+)
+
+func apiError(ctx *context.Context, status int, obj interface{}) {
+	helper.LogAndProcessError(ctx, status, obj, func(message string) {
+		ctx.JSON(status, struct {
+			Reason  string `json:"reason"`
+			Message string `json:"message"`
+		}{
+			Reason:  http.StatusText(status),
+			Message: message,
+		})
+	})
+}
+
+func EnumeratePackages(ctx *context.Context) {
+	type Info struct {
+		Subdir string `json:"subdir"`
+	}
+
+	type PackageInfo struct {
+		Name          string   `json:"name"`
+		Version       string   `json:"version"`
+		NoArch        string   `json:"noarch"`
+		Subdir        string   `json:"subdir"`
+		Timestamp     int64    `json:"timestamp"`
+		Build         string   `json:"build"`
+		BuildNumber   int64    `json:"build_number"`
+		Dependencies  []string `json:"depends"`
+		License       string   `json:"license"`
+		LicenseFamily string   `json:"license_family"`
+		HashMD5       string   `json:"md5"`
+		HashSHA256    string   `json:"sha256"`
+		Size          int64    `json:"size"`
+	}
+
+	type RepoData struct {
+		Info          Info                    `json:"info"`
+		Packages      map[string]*PackageInfo `json:"packages"`
+		PackagesConda map[string]*PackageInfo `json:"packages.conda"`
+		Removed       map[string]*PackageInfo `json:"removed"`
+	}
+
+	repoData := &RepoData{
+		Info: Info{
+			Subdir: ctx.Params("architecture"),
+		},
+		Packages:      make(map[string]*PackageInfo),
+		PackagesConda: make(map[string]*PackageInfo),
+		Removed:       make(map[string]*PackageInfo),
+	}
+
+	pfs, err := conda_model.SearchFiles(ctx, &conda_model.FileSearchOptions{
+		OwnerID: ctx.Package.Owner.ID,
+		Channel: ctx.Params("channel"),
+		Subdir:  repoData.Info.Subdir,
+	})
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+
+	if len(pfs) == 0 {
+		apiError(ctx, http.StatusNotFound, nil)
+		return
+	}
+
+	pds := make(map[int64]*packages_model.PackageDescriptor)
+
+	for _, pf := range pfs {
+		pd, exists := pds[pf.VersionID]
+		if !exists {
+			pv, err := packages_model.GetVersionByID(ctx, pf.VersionID)
+			if err != nil {
+				apiError(ctx, http.StatusInternalServerError, err)
+				return
+			}
+
+			pd, err = packages_model.GetPackageDescriptor(ctx, pv)
+			if err != nil {
+				apiError(ctx, http.StatusInternalServerError, err)
+				return
+			}
+
+			pds[pf.VersionID] = pd
+		}
+
+		var pfd *packages_model.PackageFileDescriptor
+		for _, d := range pd.Files {
+			if d.File.ID == pf.ID {
+				pfd = d
+				break
+			}
+		}
+
+		var fileMetadata *conda_module.FileMetadata
+		if err := json.Unmarshal([]byte(pfd.Properties.GetByName(conda_module.PropertyMetadata)), &fileMetadata); err != nil {
+			apiError(ctx, http.StatusInternalServerError, err)
+			return
+		}
+
+		versionMetadata := pd.Metadata.(*conda_module.VersionMetadata)
+
+		pi := &PackageInfo{
+			Name:          pd.PackageProperties.GetByName(conda_module.PropertyName),
+			Version:       pd.Version.Version,
+			NoArch:        fileMetadata.NoArch,
+			Subdir:        repoData.Info.Subdir,
+			Timestamp:     fileMetadata.Timestamp,
+			Build:         fileMetadata.Build,
+			BuildNumber:   fileMetadata.BuildNumber,
+			Dependencies:  fileMetadata.Dependencies,
+			License:       versionMetadata.License,
+			LicenseFamily: versionMetadata.LicenseFamily,
+			HashMD5:       pfd.Blob.HashMD5,
+			HashSHA256:    pfd.Blob.HashSHA256,
+			Size:          pfd.Blob.Size,
+		}
+
+		if fileMetadata.IsCondaPackage {
+			repoData.PackagesConda[pfd.File.Name] = pi
+		} else {
+			repoData.Packages[pfd.File.Name] = pi
+		}
+	}
+
+	resp := ctx.Resp
+
+	var w io.Writer = resp
+
+	if strings.HasSuffix(ctx.Params("filename"), ".json") {
+		resp.Header().Set("Content-Type", "application/json")
+	} else {
+		resp.Header().Set("Content-Type", "application/x-bzip2")
+
+		zw, err := bzip2.NewWriter(w, nil)
+		if err != nil {
+			apiError(ctx, http.StatusInternalServerError, err)
+			return
+		}
+		defer zw.Close()
+
+		w = zw
+	}
+
+	resp.WriteHeader(http.StatusOK)
+
+	if err := json.NewEncoder(w).Encode(repoData); err != nil {
+		log.Error("JSON encode: %v", err)
+	}
+}
+
+func UploadPackageFile(ctx *context.Context) {
+	upload, close, err := ctx.UploadStream()
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+	if close {
+		defer upload.Close()
+	}
+
+	buf, err := packages_module.CreateHashedBufferFromReader(upload, 32*1024*1024)
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+	defer buf.Close()
+
+	var pck *conda_module.Package
+	if strings.HasSuffix(strings.ToLower(ctx.Params("filename")), ".tar.bz2") {
+		pck, err = conda_module.ParsePackageBZ2(buf)
+	} else {
+		pck, err = conda_module.ParsePackageConda(buf, buf.Size())
+	}
+	if err != nil {
+		if errors.Is(err, util.ErrInvalidArgument) {
+			apiError(ctx, http.StatusBadRequest, err)
+		} else {
+			apiError(ctx, http.StatusInternalServerError, err)
+		}
+		return
+	}
+
+	if _, err := buf.Seek(0, io.SeekStart); err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+
+	fullName := pck.Name
+
+	channel := ctx.Params("channel")
+	if channel != "" {
+		fullName = channel + "/" + pck.Name
+	}
+
+	extension := ".tar.bz2"
+	if pck.FileMetadata.IsCondaPackage {
+		extension = ".conda"
+	}
+
+	fileMetadataRaw, err := json.Marshal(pck.FileMetadata)
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+
+	_, _, err = packages_service.CreatePackageOrAddFileToExisting(
+		&packages_service.PackageCreationInfo{
+			PackageInfo: packages_service.PackageInfo{
+				Owner:       ctx.Package.Owner,
+				PackageType: packages_model.TypeConda,
+				Name:        fullName,
+				Version:     pck.Version,
+			},
+			SemverCompatible: false,
+			Creator:          ctx.Doer,
+			Metadata:         pck.VersionMetadata,
+			PackageProperties: map[string]string{
+				conda_module.PropertyName:    pck.Name,
+				conda_module.PropertyChannel: channel,
+			},
+		},
+		&packages_service.PackageFileCreationInfo{
+			PackageFileInfo: packages_service.PackageFileInfo{
+				Filename:     fmt.Sprintf("%s-%s-%s%s", pck.Name, pck.Version, pck.FileMetadata.Build, extension),
+				CompositeKey: pck.Subdir,
+			},
+			Creator: ctx.Doer,
+			Data:    buf,
+			IsLead:  true,
+			Properties: map[string]string{
+				conda_module.PropertySubdir:   pck.Subdir,
+				conda_module.PropertyMetadata: string(fileMetadataRaw),
+			},
+		},
+	)
+	if err != nil {
+		switch err {
+		case packages_model.ErrDuplicatePackageFile:
+			apiError(ctx, http.StatusConflict, err)
+		case packages_service.ErrQuotaTotalCount, packages_service.ErrQuotaTypeSize, packages_service.ErrQuotaTotalSize:
+			apiError(ctx, http.StatusForbidden, err)
+		default:
+			apiError(ctx, http.StatusInternalServerError, err)
+		}
+		return
+	}
+
+	ctx.Status(http.StatusCreated)
+}
+
+func DownloadPackageFile(ctx *context.Context) {
+	pfs, err := conda_model.SearchFiles(ctx, &conda_model.FileSearchOptions{
+		OwnerID:  ctx.Package.Owner.ID,
+		Channel:  ctx.Params("channel"),
+		Subdir:   ctx.Params("architecture"),
+		Filename: ctx.Params("filename"),
+	})
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+
+	if len(pfs) != 1 {
+		apiError(ctx, http.StatusNotFound, nil)
+		return
+	}
+
+	pf := pfs[0]
+
+	s, _, err := packages_service.GetPackageFileStream(ctx, pf)
+	if err != nil {
+		apiError(ctx, http.StatusInternalServerError, err)
+		return
+	}
+	defer s.Close()
+
+	ctx.ServeContent(s, &context.ServeHeaderOptions{
+		Filename:     pf.Name,
+		LastModified: pf.CreatedUnix.AsLocalTime(),
+	})
+}
diff --git a/routers/api/v1/packages/package.go b/routers/api/v1/packages/package.go
index 6f9083ba327b..5ffefc4862c1 100644
--- a/routers/api/v1/packages/package.go
+++ b/routers/api/v1/packages/package.go
@@ -40,7 +40,7 @@ func ListPackages(ctx *context.APIContext) {
 	//   in: query
 	//   description: package type filter
 	//   type: string
-	//   enum: [composer, conan, container, generic, helm, maven, npm, nuget, pub, pypi, rubygems, vagrant]
+	//   enum: [composer, conan, conda, container, generic, helm, maven, npm, nuget, pub, pypi, rubygems, vagrant]
 	// - name: q
 	//   in: query
 	//   description: name filter
diff --git a/services/forms/package_form.go b/services/forms/package_form.go
index 734bb05dc69f..e78e64ef7ed1 100644
--- a/services/forms/package_form.go
+++ b/services/forms/package_form.go
@@ -15,7 +15,7 @@ import (
 type PackageCleanupRuleForm struct {
 	ID            int64
 	Enabled       bool
-	Type          string `binding:"Required;In(composer,conan,container,generic,helm,maven,npm,nuget,pub,pypi,rubygems,vagrant)"`
+	Type          string `binding:"Required;In(composer,conan,conda,container,generic,helm,maven,npm,nuget,pub,pypi,rubygems,vagrant)"`
 	KeepCount     int    `binding:"In(0,1,5,10,25,50,100)"`
 	KeepPattern   string `binding:"RegexPattern"`
 	RemoveDays    int    `binding:"In(0,7,14,30,60,90,180)"`
diff --git a/services/packages/packages.go b/services/packages/packages.go
index 754dfa711023..9e52cb145096 100644
--- a/services/packages/packages.go
+++ b/services/packages/packages.go
@@ -339,6 +339,8 @@ func CheckSizeQuotaExceeded(ctx context.Context, doer, owner *user_model.User, p
 		typeSpecificSize = setting.Packages.LimitSizeComposer
 	case packages_model.TypeConan:
 		typeSpecificSize = setting.Packages.LimitSizeConan
+	case packages_model.TypeConda:
+		typeSpecificSize = setting.Packages.LimitSizeConda
 	case packages_model.TypeContainer:
 		typeSpecificSize = setting.Packages.LimitSizeContainer
 	case packages_model.TypeGeneric:
diff --git a/templates/package/content/conda.tmpl b/templates/package/content/conda.tmpl
new file mode 100644
index 000000000000..ecc26bce98e6
--- /dev/null
+++ b/templates/package/content/conda.tmpl
@@ -0,0 +1,30 @@
+{{if eq .PackageDescriptor.Package.Type "conda"}}
+	<h4 class="ui top attached header">{{.locale.Tr "packages.installation"}}</h4>
+	<div class="ui attached segment">
+		<div class="ui form">
+			<div class="field">
+				<label>{{svg "octicon-code"}} {{.locale.Tr "packages.conda.registry" | Safe}}</label>
+				<div class="markup"><pre class="code-block"><code>channel_alias: {{AppUrl}}api/packages/{{.PackageDescriptor.Owner.Name}}/conda
+channels:
+&#32;&#32;- {{AppUrl}}api/packages/{{.PackageDescriptor.Owner.Name}}/conda
+default_channels:
+&#32;&#32;- {{AppUrl}}api/packages/{{.PackageDescriptor.Owner.Name}}/conda</code></pre></div>
+			</div>
+			<div class="field">
+				<label>{{svg "octicon-terminal"}} {{.locale.Tr "packages.conda.install"}}</label>
+				{{$channel := .PackageDescriptor.PackageProperties.GetByName "conda.channel"}}
+				<div class="markup"><pre class="code-block"><code>conda install{{if $channel}} -c {{$channel}}{{end}} {{.PackageDescriptor.PackageProperties.GetByName "conda.name"}}={{.PackageDescriptor.Version.Version}}</code></pre></div>
+			</div>
+			<div class="field">
+				<label>{{.locale.Tr "packages.conda.documentation" | Safe}}</label>
+			</div>
+		</div>
+	</div>
+
+	{{if or .PackageDescriptor.Metadata.Description .PackageDescriptor.Metadata.Summary}}
+		<h4 class="ui top attached header">{{.locale.Tr "packages.about"}}</h4>
+		<div class="ui attached segment">
+			{{if .PackageDescriptor.Metadata.Description}}{{.PackageDescriptor.Metadata.Description}}{{else}}{{.PackageDescriptor.Metadata.Summary}}{{end}}
+		</div>
+	{{end}}
+{{end}}
diff --git a/templates/package/metadata/conda.tmpl b/templates/package/metadata/conda.tmpl
new file mode 100644
index 000000000000..2201c803562b
--- /dev/null
+++ b/templates/package/metadata/conda.tmpl
@@ -0,0 +1,6 @@
+{{if eq .PackageDescriptor.Package.Type "conda"}}
+	{{if .PackageDescriptor.Metadata.License}}<div class="item">{{svg "octicon-law" 16 "mr-3"}} {{.PackageDescriptor.Metadata.License}}</div>{{end}}
+	{{if .PackageDescriptor.Metadata.ProjectURL}}<div class="item">{{svg "octicon-link-external" 16 "mr-3"}} <a href="{{.PackageDescriptor.Metadata.ProjectURL}}" target="_blank" rel="noopener noreferrer me">{{.locale.Tr "packages.details.project_site"}}</a></div>{{end}}
+	{{if .PackageDescriptor.Metadata.RepositoryURL}}<div class="item">{{svg "octicon-link-external" 16 "mr-3"}} <a href="{{.PackageDescriptor.Metadata.RepositoryURL}}" target="_blank" rel="noopener noreferrer me">{{.locale.Tr "packages.conda.details.repository_site"}}</a></div>{{end}}
+	{{if .PackageDescriptor.Metadata.DocumentationURL}}<div class="item">{{svg "octicon-link-external" 16 "mr-3"}} <a href="{{.PackageDescriptor.Metadata.DocumentationURL}}" target="_blank" rel="noopener noreferrer me">{{.locale.Tr "packages.conda.details.documentation_site"}}</a></div>{{end}}
+{{end}}
diff --git a/templates/package/view.tmpl b/templates/package/view.tmpl
index a5b2a2ef68a3..2222480e7cd3 100644
--- a/templates/package/view.tmpl
+++ b/templates/package/view.tmpl
@@ -21,6 +21,7 @@
 				<div class="twelve wide column">
 					{{template "package/content/composer" .}}
 					{{template "package/content/conan" .}}
+					{{template "package/content/conda" .}}
 					{{template "package/content/container" .}}
 					{{template "package/content/generic" .}}
 					{{template "package/content/helm" .}}
@@ -44,6 +45,7 @@
 							<div class="item">{{svg "octicon-download" 16 "mr-3"}} {{.PackageDescriptor.Version.DownloadCount}}</div>
 							{{template "package/metadata/composer" .}}
 							{{template "package/metadata/conan" .}}
+							{{template "package/metadata/conda" .}}
 							{{template "package/metadata/container" .}}
 							{{template "package/metadata/generic" .}}
 							{{template "package/metadata/helm" .}}
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 726b771cfc73..5a3f2c2bb9e9 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -2102,6 +2102,7 @@
             "enum": [
               "composer",
               "conan",
+              "conda",
               "container",
               "generic",
               "helm",
diff --git a/tests/integration/api_packages_conda_test.go b/tests/integration/api_packages_conda_test.go
new file mode 100644
index 000000000000..daa7dca55fa2
--- /dev/null
+++ b/tests/integration/api_packages_conda_test.go
@@ -0,0 +1,274 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/packages"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	conda_module "code.gitea.io/gitea/modules/packages/conda"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/dsnet/compress/bzip2"
+	"github.com/klauspost/compress/zstd"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPackageConda(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+	packageName := "test_package"
+	packageVersion := "1.0.1"
+
+	channel := "test-channel"
+	root := fmt.Sprintf("/api/packages/%s/conda", user.Name)
+
+	t.Run("Upload", func(t *testing.T) {
+		tarContent := func() []byte {
+			var buf bytes.Buffer
+			tw := tar.NewWriter(&buf)
+
+			content := []byte(`{"name":"` + packageName + `","version":"` + packageVersion + `","subdir":"noarch","build":"xxx"}`)
+
+			hdr := &tar.Header{
+				Name: "info/index.json",
+				Mode: 0o600,
+				Size: int64(len(content)),
+			}
+			tw.WriteHeader(hdr)
+			tw.Write(content)
+			tw.Close()
+			return buf.Bytes()
+		}()
+
+		t.Run(".tar.bz2", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			var buf bytes.Buffer
+			bw, _ := bzip2.NewWriter(&buf, nil)
+			io.Copy(bw, bytes.NewReader(tarContent))
+			bw.Close()
+
+			filename := fmt.Sprintf("%s-%s.tar.bz2", packageName, packageVersion)
+
+			req := NewRequestWithBody(t, "PUT", root+"/"+filename, bytes.NewReader(buf.Bytes()))
+			MakeRequest(t, req, http.StatusUnauthorized)
+
+			req = NewRequestWithBody(t, "PUT", root+"/"+filename, bytes.NewReader(buf.Bytes()))
+			AddBasicAuthHeader(req, user.Name)
+			MakeRequest(t, req, http.StatusCreated)
+
+			req = NewRequestWithBody(t, "PUT", root+"/"+filename, bytes.NewReader(buf.Bytes()))
+			AddBasicAuthHeader(req, user.Name)
+			MakeRequest(t, req, http.StatusConflict)
+
+			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeConda)
+			assert.NoError(t, err)
+			assert.Len(t, pvs, 1)
+
+			pd, err := packages.GetPackageDescriptor(db.DefaultContext, pvs[0])
+			assert.NoError(t, err)
+			assert.Nil(t, pd.SemVer)
+			assert.IsType(t, &conda_module.VersionMetadata{}, pd.Metadata)
+			assert.Equal(t, packageName, pd.Package.Name)
+			assert.Equal(t, packageVersion, pd.Version.Version)
+			assert.Empty(t, pd.PackageProperties.GetByName(conda_module.PropertyChannel))
+		})
+
+		t.Run(".conda", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			var infoBuf bytes.Buffer
+			zsw, _ := zstd.NewWriter(&infoBuf)
+			io.Copy(zsw, bytes.NewReader(tarContent))
+			zsw.Close()
+
+			var buf bytes.Buffer
+			zpw := zip.NewWriter(&buf)
+			w, _ := zpw.Create("info-x.tar.zst")
+			w.Write(infoBuf.Bytes())
+			zpw.Close()
+
+			fullName := channel + "/" + packageName
+			filename := fmt.Sprintf("%s-%s.conda", packageName, packageVersion)
+
+			req := NewRequestWithBody(t, "PUT", root+"/"+channel+"/"+filename, bytes.NewReader(buf.Bytes()))
+			MakeRequest(t, req, http.StatusUnauthorized)
+
+			req = NewRequestWithBody(t, "PUT", root+"/"+channel+"/"+filename, bytes.NewReader(buf.Bytes()))
+			AddBasicAuthHeader(req, user.Name)
+			MakeRequest(t, req, http.StatusCreated)
+
+			req = NewRequestWithBody(t, "PUT", root+"/"+channel+"/"+filename, bytes.NewReader(buf.Bytes()))
+			AddBasicAuthHeader(req, user.Name)
+			MakeRequest(t, req, http.StatusConflict)
+
+			pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeConda)
+			assert.NoError(t, err)
+			assert.Len(t, pvs, 2)
+
+			pds, err := packages.GetPackageDescriptors(db.DefaultContext, pvs)
+			assert.NoError(t, err)
+
+			assert.Condition(t, func() bool {
+				for _, pd := range pds {
+					if pd.Package.Name == fullName {
+						return true
+					}
+				}
+				return false
+			})
+
+			for _, pd := range pds {
+				if pd.Package.Name == fullName {
+					assert.Nil(t, pd.SemVer)
+					assert.IsType(t, &conda_module.VersionMetadata{}, pd.Metadata)
+					assert.Equal(t, fullName, pd.Package.Name)
+					assert.Equal(t, packageVersion, pd.Version.Version)
+					assert.Equal(t, channel, pd.PackageProperties.GetByName(conda_module.PropertyChannel))
+				}
+			}
+		})
+	})
+
+	t.Run("Download", func(t *testing.T) {
+		t.Run(".tar.bz2", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/noarch/%s-%s-xxx.tar.bz2", root, packageName, packageVersion))
+			MakeRequest(t, req, http.StatusOK)
+
+			req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/noarch/%s-%s-xxx.tar.bz2", root, channel, packageName, packageVersion))
+			MakeRequest(t, req, http.StatusNotFound)
+		})
+
+		t.Run(".conda", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/noarch/%s-%s-xxx.conda", root, packageName, packageVersion))
+			MakeRequest(t, req, http.StatusNotFound)
+
+			req = NewRequest(t, "GET", fmt.Sprintf("%s/%s/noarch/%s-%s-xxx.conda", root, channel, packageName, packageVersion))
+			MakeRequest(t, req, http.StatusOK)
+		})
+	})
+
+	t.Run("EnumeratePackages", func(t *testing.T) {
+		type Info struct {
+			Subdir string `json:"subdir"`
+		}
+
+		type PackageInfo struct {
+			Name          string   `json:"name"`
+			Version       string   `json:"version"`
+			NoArch        string   `json:"noarch"`
+			Subdir        string   `json:"subdir"`
+			Timestamp     int64    `json:"timestamp"`
+			Build         string   `json:"build"`
+			BuildNumber   int64    `json:"build_number"`
+			Dependencies  []string `json:"depends"`
+			License       string   `json:"license"`
+			LicenseFamily string   `json:"license_family"`
+			HashMD5       string   `json:"md5"`
+			HashSHA256    string   `json:"sha256"`
+			Size          int64    `json:"size"`
+		}
+
+		type RepoData struct {
+			Info          Info                    `json:"info"`
+			Packages      map[string]*PackageInfo `json:"packages"`
+			PackagesConda map[string]*PackageInfo `json:"packages.conda"`
+			Removed       map[string]*PackageInfo `json:"removed"`
+		}
+
+		req := NewRequest(t, "GET", fmt.Sprintf("%s/noarch/repodata.json", root))
+		resp := MakeRequest(t, req, http.StatusOK)
+		assert.Equal(t, "application/json", resp.Header().Get("Content-Type"))
+
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/noarch/repodata.json.bz2", root))
+		resp = MakeRequest(t, req, http.StatusOK)
+		assert.Equal(t, "application/x-bzip2", resp.Header().Get("Content-Type"))
+
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/noarch/current_repodata.json", root))
+		resp = MakeRequest(t, req, http.StatusOK)
+		assert.Equal(t, "application/json", resp.Header().Get("Content-Type"))
+
+		req = NewRequest(t, "GET", fmt.Sprintf("%s/noarch/current_repodata.json.bz2", root))
+		resp = MakeRequest(t, req, http.StatusOK)
+		assert.Equal(t, "application/x-bzip2", resp.Header().Get("Content-Type"))
+
+		t.Run(".tar.bz2", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			pv, err := packages.GetVersionByNameAndVersion(db.DefaultContext, user.ID, packages.TypeConda, packageName, packageVersion)
+			assert.NoError(t, err)
+
+			pd, err := packages.GetPackageDescriptor(db.DefaultContext, pv)
+			assert.NoError(t, err)
+
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/noarch/repodata.json", root))
+			resp := MakeRequest(t, req, http.StatusOK)
+
+			var result RepoData
+			DecodeJSON(t, resp, &result)
+
+			assert.Equal(t, "noarch", result.Info.Subdir)
+			assert.Empty(t, result.PackagesConda)
+			assert.Empty(t, result.Removed)
+
+			filename := fmt.Sprintf("%s-%s-xxx.tar.bz2", packageName, packageVersion)
+			assert.Contains(t, result.Packages, filename)
+			packageInfo := result.Packages[filename]
+			assert.Equal(t, packageName, packageInfo.Name)
+			assert.Equal(t, packageVersion, packageInfo.Version)
+			assert.Equal(t, "noarch", packageInfo.Subdir)
+			assert.Equal(t, "xxx", packageInfo.Build)
+			assert.Equal(t, pd.Files[0].Blob.HashMD5, packageInfo.HashMD5)
+			assert.Equal(t, pd.Files[0].Blob.HashSHA256, packageInfo.HashSHA256)
+			assert.Equal(t, pd.Files[0].Blob.Size, packageInfo.Size)
+		})
+
+		t.Run(".conda", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+
+			pv, err := packages.GetVersionByNameAndVersion(db.DefaultContext, user.ID, packages.TypeConda, channel+"/"+packageName, packageVersion)
+			assert.NoError(t, err)
+
+			pd, err := packages.GetPackageDescriptor(db.DefaultContext, pv)
+			assert.NoError(t, err)
+
+			req := NewRequest(t, "GET", fmt.Sprintf("%s/%s/noarch/repodata.json", root, channel))
+			resp := MakeRequest(t, req, http.StatusOK)
+
+			var result RepoData
+			DecodeJSON(t, resp, &result)
+
+			assert.Equal(t, "noarch", result.Info.Subdir)
+			assert.Empty(t, result.Packages)
+			assert.Empty(t, result.Removed)
+
+			filename := fmt.Sprintf("%s-%s-xxx.conda", packageName, packageVersion)
+			assert.Contains(t, result.PackagesConda, filename)
+			packageInfo := result.PackagesConda[filename]
+			assert.Equal(t, packageName, packageInfo.Name)
+			assert.Equal(t, packageVersion, packageInfo.Version)
+			assert.Equal(t, "noarch", packageInfo.Subdir)
+			assert.Equal(t, "xxx", packageInfo.Build)
+			assert.Equal(t, pd.Files[0].Blob.HashMD5, packageInfo.HashMD5)
+			assert.Equal(t, pd.Files[0].Blob.HashSHA256, packageInfo.HashSHA256)
+			assert.Equal(t, pd.Files[0].Blob.Size, packageInfo.Size)
+		})
+	})
+}
diff --git a/web_src/svg/gitea-conda.svg b/web_src/svg/gitea-conda.svg
new file mode 100644
index 000000000000..c5797c8c1047
--- /dev/null
+++ b/web_src/svg/gitea-conda.svg
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg viewBox="0 0 32 32" xmlns="http://www.w3.org/2000/svg">
+<path d="M16.559,8.137a7.2,7.2,0,0,0-1.234-1.708,7.586,7.586,0,0,0-.19,2.183,5.161,5.161,0,0,1,1.424-.475Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M13.617,9.466a7.992,7.992,0,0,0-1.993-1.2,8.123,8.123,0,0,0,.885,2.183c0,.063.443-.475,1.108-.981Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M17.445,7.188a9.143,9.143,0,0,1,1.3-2.246A7.585,7.585,0,0,0,17,2.854a8.35,8.35,0,0,0-1.3,2.278,8.451,8.451,0,0,1,1.74,2.056Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="m11.592 11.744a10.276 10.276 0 0 0-2.692-0.158 7.478 7.478 0 0 0 1.93 1.9 6.858 6.858 0 0 1 0.759-1.74z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="m6.878 15.161a7.44 7.44 0 0 1 2.942-1.139 10.019 10.019 0 0 1-2.056-2.278 7.639 7.639 0 0 0-2.847 1.2 7.11 7.11 0 0 0 1.961 2.215z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="m10.516 14.876a6.16 6.16 0 0 0-2.815 0.886 9.936 9.936 0 0 0 2.815 1.2 7.683 7.683 0 0 1 0-2.088z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M14.281,5.543A7.839,7.839,0,0,0,11.592,4.4,8.361,8.361,0,0,0,11.4,7,8.875,8.875,0,0,1,13.87,8.264a10.292,10.292,0,0,1,.411-2.721Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M24.025,3.234a20.488,20.488,0,0,1,.917,4.112,6.823,6.823,0,0,0-3.068,1.519,7.443,7.443,0,0,1,1.55,1.044,1.351,1.351,0,0,0,1.645.316,36.938,36.938,0,0,0,2.721-2.72,1.273,1.273,0,0,0-.159-1.835,20.521,20.521,0,0,0-3.606-2.436Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M4.379,12.06A8.67,8.67,0,0,1,7.226,10.8a7.763,7.763,0,0,1-.759-2.974A14.687,14.687,0,0,0,4.379,12.06Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M11.339,10.668a9.991,9.991,0,0,1-.949-2.784,7.928,7.928,0,0,0-2.911-.126,7.312,7.312,0,0,0,.791,2.879,9.664,9.664,0,0,1,3.069.031Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M6.119,15.73a8.894,8.894,0,0,1-2.025-2.373,14.208,14.208,0,0,0-.063,4.9A8.522,8.522,0,0,1,6.119,15.73Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M22.538,3.487A7.581,7.581,0,0,0,20.323,5.1a11.789,11.789,0,0,1,.823,2.5,9.775,9.775,0,0,1,2.309-1.329,6.593,6.593,0,0,0-.917-2.784Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M19.374,6.3a8.608,8.608,0,0,0-.822,1.676h0a9.645,9.645,0,0,1,1.329.19A7.568,7.568,0,0,0,19.374,6.3Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M19.659,3.9a9.577,9.577,0,0,1,2.056-1.487A15.38,15.38,0,0,0,18.046,2a9.709,9.709,0,0,1,1.613,1.9Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".068489px"/>
+<path d="M27.378,23.892c-1.993-1.9-2.4-3.132-4.081-1.835a7.837,7.837,0,0,1-12.591-4.144A10.179,10.179,0,0,1,6.878,16.3a9.427,9.427,0,0,0-2.562,3.321H4.284C7.163,30.5,21.178,33.035,27.663,26.233,28.739,25.094,27.758,24.3,27.378,23.892ZM6.309,20.855a7.559,7.559,0,0,1,.917-2.025,6.872,6.872,0,0,0,2.151.538c1.013,2.689,4.556,6.264,8.922,6.264a9.632,9.632,0,0,0,6.3-2.309,12.841,12.841,0,0,1,1.772,1.771c.095.127.095.159.095.159C20.7,30.283,10.928,29.555,6.309,20.855Z" fill="#43b02a"/>
+<path d="M10.67,4.11a19.934,19.934,0,0,0-.214,2.509,10.512,10.512,0,0,0-2.689-.093A18,18,0,0,1,10.67,4.11Z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".066605px"/>
+<path d="m12.26 3.274a9.107 9.107 0 0 1 2.445 1.053 14.083 14.083 0 0 1 1.253-2.137 12.106 12.106 0 0 0-3.698 1.084z" fill="#43b02a" fill-rule="evenodd" stroke="#43b02a" stroke-width=".066605px"/>
+</svg>

From b6b8feb3dec19e7bc96bc583acf10c01afca3362 Mon Sep 17 00:00:00 2001
From: delvh <leon@kske.dev>
Date: Wed, 1 Feb 2023 20:14:40 +0100
Subject: [PATCH 08/21] Enable `@<user>`- completion popup on the release
 description textarea (#22359)

For some unknown reason, this was previously disabled.
Additionally removed an unused return value.
---
 routers/web/repo/release.go         | 15 +++++++++++++++
 web_src/js/features/repo-release.js |  4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/routers/web/repo/release.go b/routers/web/repo/release.go
index 54f503642bc9..5204b5fd0075 100644
--- a/routers/web/repo/release.go
+++ b/routers/web/repo/release.go
@@ -328,6 +328,14 @@ func NewRelease(ctx *context.Context) {
 		}
 	}
 	ctx.Data["IsAttachmentEnabled"] = setting.Attachment.Enabled
+	var err error
+	// Get assignees.
+	ctx.Data["Assignees"], err = repo_model.GetRepoAssignees(ctx, ctx.Repo.Repository)
+	if err != nil {
+		ctx.ServerError("GetAssignees", err)
+		return
+	}
+
 	upload.AddUploadContext(ctx, "release")
 	ctx.HTML(http.StatusOK, tplReleaseNew)
 }
@@ -484,6 +492,13 @@ func EditRelease(ctx *context.Context) {
 	}
 	ctx.Data["attachments"] = rel.Attachments
 
+	// Get assignees.
+	ctx.Data["Assignees"], err = repo_model.GetRepoAssignees(ctx, rel.Repo)
+	if err != nil {
+		ctx.ServerError("GetAssignees", err)
+		return
+	}
+
 	ctx.HTML(http.StatusOK, tplReleaseNew)
 }
 
diff --git a/web_src/js/features/repo-release.js b/web_src/js/features/repo-release.js
index e84cc53d1731..7589d108f977 100644
--- a/web_src/js/features/repo-release.js
+++ b/web_src/js/features/repo-release.js
@@ -17,12 +17,12 @@ export function initRepoRelease() {
 export function initRepoReleaseEditor() {
   const $editor = $('.repository.new.release .content-editor');
   if ($editor.length === 0) {
-    return false;
+    return;
   }
 
   (async () => {
     const $textarea = $editor.find('textarea');
-    await attachTribute($textarea.get(), {mentions: false, emoji: true});
+    await attachTribute($textarea.get(), {mentions: true, emoji: true});
     const easyMDE = await createCommentEasyMDE($textarea);
     initCompMarkupContentPreviewTab($editor);
     const $dropzone = $editor.parent().find('.dropzone');

From 1e0e79dcbfb21971ac4cd591585672517117d4f0 Mon Sep 17 00:00:00 2001
From: Brecht Van Lommel <brecht@blender.org>
Date: Wed, 1 Feb 2023 22:28:06 +0100
Subject: [PATCH 09/21] Fix cache-control header clearing comment text when
 editing issue (#22604)

The `no-store` cache control added in #20432 is causing form input to be
cleared unnecessarily on page reload. Instead use
`max-age=0,private,must-revalidate` which avoids this.

This was particularly a problem when typing a long comment for an issue
and then for example changing the label. The page would be reloaded and
lose the unsubmitted comment.

Fixes #22603
---
 modules/httpcache/httpcache.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/httpcache/httpcache.go b/modules/httpcache/httpcache.go
index 1247a81fea3c..d7d9ce0b7ebf 100644
--- a/modules/httpcache/httpcache.go
+++ b/modules/httpcache/httpcache.go
@@ -21,12 +21,12 @@ func AddCacheControlToHeader(h http.Header, maxAge time.Duration, additionalDire
 
 	if setting.IsProd {
 		if maxAge == 0 {
-			directives = append(directives, "no-store")
+			directives = append(directives, "max-age=0", "private", "must-revalidate")
 		} else {
 			directives = append(directives, "private", "max-age="+strconv.Itoa(int(maxAge.Seconds())))
 		}
 	} else {
-		directives = append(directives, "no-store")
+		directives = append(directives, "max-age=0", "private", "must-revalidate")
 
 		// to remind users they are using non-prod setting.
 		h.Add("X-Gitea-Debug", "RUN_MODE="+setting.RunMode)

From 15c035775a9684cf409ec8bf8a082ae5293a03ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felipe=20Leopoldo=20Sologuren=20Guti=C3=A9rrez?=
 <fsologureng@users.noreply.github.com>
Date: Wed, 1 Feb 2023 19:56:10 -0300
Subject: [PATCH 10/21] Add main landmark to templates and adjust titles
 (#22670)

* Add main aria landmark to templates
 * Adjust some titles to improve understanding of location in navigation

Contributed by @Forgejo
---
 routers/web/admin/hooks.go                                | 1 +
 routers/web/repo/setting.go                               | 6 +++---
 routers/web/repo/setting_protected_branch.go              | 4 ++--
 routers/web/repo/tag.go                                   | 2 +-
 routers/web/user/setting/account.go                       | 2 +-
 routers/web/user/setting/adopt.go                         | 2 +-
 routers/web/user/setting/applications.go                  | 2 +-
 routers/web/user/setting/keys.go                          | 2 +-
 routers/web/user/setting/profile.go                       | 8 ++++----
 routers/web/user/setting/security/security.go             | 2 +-
 templates/admin/applications/list.tmpl                    | 2 +-
 templates/admin/applications/oauth2_edit.tmpl             | 2 +-
 templates/admin/auth/edit.tmpl                            | 2 +-
 templates/admin/auth/list.tmpl                            | 2 +-
 templates/admin/auth/new.tmpl                             | 2 +-
 templates/admin/config.tmpl                               | 2 +-
 templates/admin/dashboard.tmpl                            | 2 +-
 templates/admin/emails/list.tmpl                          | 2 +-
 templates/admin/hook_new.tmpl                             | 2 +-
 templates/admin/hooks.tmpl                                | 2 +-
 templates/admin/monitor.tmpl                              | 2 +-
 templates/admin/notice.tmpl                               | 2 +-
 templates/admin/org/list.tmpl                             | 2 +-
 templates/admin/packages/list.tmpl                        | 2 +-
 templates/admin/queue.tmpl                                | 2 +-
 templates/admin/repo/list.tmpl                            | 2 +-
 templates/admin/repo/unadopted.tmpl                       | 2 +-
 templates/admin/stacktrace.tmpl                           | 2 +-
 templates/admin/user/edit.tmpl                            | 2 +-
 templates/admin/user/list.tmpl                            | 2 +-
 templates/admin/user/new.tmpl                             | 2 +-
 templates/explore/code.tmpl                               | 2 +-
 templates/explore/organizations.tmpl                      | 2 +-
 templates/explore/repos.tmpl                              | 2 +-
 templates/explore/users.tmpl                              | 2 +-
 templates/home.tmpl                                       | 2 +-
 templates/install.tmpl                                    | 2 +-
 templates/org/create.tmpl                                 | 2 +-
 templates/org/home.tmpl                                   | 2 +-
 templates/org/member/members.tmpl                         | 2 +-
 templates/org/projects/list.tmpl                          | 2 +-
 templates/org/projects/new.tmpl                           | 2 +-
 templates/org/projects/view.tmpl                          | 2 +-
 templates/org/settings/applications.tmpl                  | 2 +-
 templates/org/settings/applications_oauth2_edit.tmpl      | 2 +-
 templates/org/settings/delete.tmpl                        | 2 +-
 templates/org/settings/hook_new.tmpl                      | 2 +-
 templates/org/settings/hooks.tmpl                         | 2 +-
 templates/org/settings/labels.tmpl                        | 2 +-
 templates/org/settings/options.tmpl                       | 2 +-
 templates/org/settings/packages.tmpl                      | 2 +-
 templates/org/settings/packages_cleanup_rules_edit.tmpl   | 2 +-
 .../org/settings/packages_cleanup_rules_preview.tmpl      | 2 +-
 templates/org/settings/secrets.tmpl                       | 2 +-
 templates/org/team/invite.tmpl                            | 2 +-
 templates/org/team/members.tmpl                           | 2 +-
 templates/org/team/new.tmpl                               | 2 +-
 templates/org/team/repositories.tmpl                      | 2 +-
 templates/org/team/teams.tmpl                             | 2 +-
 templates/package/settings.tmpl                           | 2 +-
 templates/package/view.tmpl                               | 2 +-
 templates/post-install.tmpl                               | 2 +-
 templates/projects/list.tmpl                              | 2 +-
 templates/projects/new.tmpl                               | 2 +-
 templates/projects/view.tmpl                              | 2 +-
 templates/repo/activity.tmpl                              | 2 +-
 templates/repo/branch/list.tmpl                           | 2 +-
 templates/repo/commit_page.tmpl                           | 2 +-
 templates/repo/commits.tmpl                               | 2 +-
 templates/repo/create.tmpl                                | 2 +-
 templates/repo/diff/compare.tmpl                          | 2 +-
 templates/repo/editor/cherry_pick.tmpl                    | 2 +-
 templates/repo/editor/delete.tmpl                         | 2 +-
 templates/repo/editor/edit.tmpl                           | 2 +-
 templates/repo/editor/patch.tmpl                          | 2 +-
 templates/repo/editor/upload.tmpl                         | 2 +-
 templates/repo/empty.tmpl                                 | 2 +-
 templates/repo/find/files.tmpl                            | 2 +-
 templates/repo/forks.tmpl                                 | 2 +-
 templates/repo/graph.tmpl                                 | 2 +-
 templates/repo/home.tmpl                                  | 2 +-
 templates/repo/issue/choose.tmpl                          | 2 +-
 templates/repo/issue/labels.tmpl                          | 2 +-
 templates/repo/issue/list.tmpl                            | 2 +-
 templates/repo/issue/milestone_issues.tmpl                | 2 +-
 templates/repo/issue/milestone_new.tmpl                   | 2 +-
 templates/repo/issue/milestones.tmpl                      | 2 +-
 templates/repo/issue/new.tmpl                             | 2 +-
 templates/repo/issue/view.tmpl                            | 2 +-
 templates/repo/migrate/codebase.tmpl                      | 2 +-
 templates/repo/migrate/git.tmpl                           | 2 +-
 templates/repo/migrate/gitbucket.tmpl                     | 2 +-
 templates/repo/migrate/gitea.tmpl                         | 2 +-
 templates/repo/migrate/github.tmpl                        | 2 +-
 templates/repo/migrate/gitlab.tmpl                        | 2 +-
 templates/repo/migrate/gogs.tmpl                          | 2 +-
 templates/repo/migrate/migrate.tmpl                       | 2 +-
 templates/repo/migrate/migrating.tmpl                     | 2 +-
 templates/repo/migrate/onedev.tmpl                        | 2 +-
 templates/repo/packages.tmpl                              | 2 +-
 templates/repo/projects/list.tmpl                         | 2 +-
 templates/repo/projects/new.tmpl                          | 2 +-
 templates/repo/projects/view.tmpl                         | 2 +-
 templates/repo/pulls/commits.tmpl                         | 2 +-
 templates/repo/pulls/files.tmpl                           | 2 +-
 templates/repo/pulls/fork.tmpl                            | 2 +-
 templates/repo/release/list.tmpl                          | 2 +-
 templates/repo/release/new.tmpl                           | 2 +-
 templates/repo/search.tmpl                                | 2 +-
 templates/repo/settings/branches.tmpl                     | 2 +-
 templates/repo/settings/collaboration.tmpl                | 2 +-
 templates/repo/settings/deploy_keys.tmpl                  | 2 +-
 templates/repo/settings/githook_edit.tmpl                 | 2 +-
 templates/repo/settings/githooks.tmpl                     | 2 +-
 templates/repo/settings/lfs.tmpl                          | 2 +-
 templates/repo/settings/lfs_file.tmpl                     | 2 +-
 templates/repo/settings/lfs_file_find.tmpl                | 2 +-
 templates/repo/settings/lfs_locks.tmpl                    | 2 +-
 templates/repo/settings/lfs_pointers.tmpl                 | 2 +-
 templates/repo/settings/options.tmpl                      | 2 +-
 templates/repo/settings/protected_branch.tmpl             | 2 +-
 templates/repo/settings/tags.tmpl                         | 2 +-
 templates/repo/settings/webhook/base.tmpl                 | 2 +-
 templates/repo/settings/webhook/new.tmpl                  | 2 +-
 templates/repo/watchers.tmpl                              | 2 +-
 templates/repo/wiki/new.tmpl                              | 2 +-
 templates/repo/wiki/pages.tmpl                            | 2 +-
 templates/repo/wiki/revision.tmpl                         | 2 +-
 templates/repo/wiki/start.tmpl                            | 2 +-
 templates/repo/wiki/view.tmpl                             | 2 +-
 templates/status/404.tmpl                                 | 2 +-
 templates/status/500.tmpl                                 | 2 +-
 templates/user/auth/activate.tmpl                         | 2 +-
 templates/user/auth/change_passwd.tmpl                    | 2 +-
 templates/user/auth/finalize_openid.tmpl                  | 2 +-
 templates/user/auth/forgot_passwd.tmpl                    | 2 +-
 templates/user/auth/grant.tmpl                            | 2 +-
 templates/user/auth/grant_error.tmpl                      | 2 +-
 templates/user/auth/link_account.tmpl                     | 2 +-
 templates/user/auth/prohibit_login.tmpl                   | 2 +-
 templates/user/auth/reset_passwd.tmpl                     | 2 +-
 templates/user/auth/signin.tmpl                           | 2 +-
 templates/user/auth/signin_openid.tmpl                    | 2 +-
 templates/user/auth/signup.tmpl                           | 2 +-
 templates/user/auth/signup_openid_connect.tmpl            | 2 +-
 templates/user/auth/signup_openid_register.tmpl           | 2 +-
 templates/user/auth/twofa.tmpl                            | 2 +-
 templates/user/auth/twofa_scratch.tmpl                    | 2 +-
 templates/user/code.tmpl                                  | 2 +-
 templates/user/dashboard/dashboard.tmpl                   | 2 +-
 templates/user/dashboard/issues.tmpl                      | 2 +-
 templates/user/dashboard/milestones.tmpl                  | 2 +-
 templates/user/notification/notification_div.tmpl         | 2 +-
 .../user/notification/notification_subscriptions.tmpl     | 2 +-
 templates/user/overview/package_versions.tmpl             | 2 +-
 templates/user/overview/packages.tmpl                     | 2 +-
 templates/user/profile.tmpl                               | 2 +-
 templates/user/project.tmpl                               | 2 +-
 templates/user/settings/account.tmpl                      | 2 +-
 templates/user/settings/appearance.tmpl                   | 2 +-
 templates/user/settings/applications.tmpl                 | 2 +-
 templates/user/settings/applications_oauth2_edit.tmpl     | 2 +-
 templates/user/settings/keys.tmpl                         | 2 +-
 templates/user/settings/organization.tmpl                 | 2 +-
 templates/user/settings/packages.tmpl                     | 2 +-
 templates/user/settings/packages_cleanup_rules_edit.tmpl  | 2 +-
 .../user/settings/packages_cleanup_rules_preview.tmpl     | 2 +-
 templates/user/settings/profile.tmpl                      | 2 +-
 templates/user/settings/repos.tmpl                        | 2 +-
 templates/user/settings/security/security.tmpl            | 2 +-
 templates/user/settings/security/twofa_enroll.tmpl        | 2 +-
 171 files changed, 177 insertions(+), 176 deletions(-)

diff --git a/routers/web/admin/hooks.go b/routers/web/admin/hooks.go
index 57cf5f49e5b6..46dc734d252f 100644
--- a/routers/web/admin/hooks.go
+++ b/routers/web/admin/hooks.go
@@ -22,6 +22,7 @@ const (
 func DefaultOrSystemWebhooks(ctx *context.Context) {
 	var err error
 
+	ctx.Data["Title"] = ctx.Tr("admin.hooks")
 	ctx.Data["PageIsAdminSystemHooks"] = true
 	ctx.Data["PageIsAdminDefaultHooks"] = true
 
diff --git a/routers/web/repo/setting.go b/routers/web/repo/setting.go
index e970dab3ebee..da52957548be 100644
--- a/routers/web/repo/setting.go
+++ b/routers/web/repo/setting.go
@@ -60,7 +60,7 @@ const (
 // SettingsCtxData is a middleware that sets all the general context data for the
 // settings template.
 func SettingsCtxData(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("repo.settings")
+	ctx.Data["Title"] = ctx.Tr("repo.settings.options")
 	ctx.Data["PageIsSettingsOptions"] = true
 	ctx.Data["ForcePrivate"] = setting.Repository.ForcePrivate
 	ctx.Data["MirrorsEnabled"] = setting.Mirror.Enabled
@@ -879,7 +879,7 @@ func handleSettingRemoteAddrError(ctx *context.Context, err error, form *forms.R
 
 // Collaboration render a repository's collaboration page
 func Collaboration(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("repo.settings")
+	ctx.Data["Title"] = ctx.Tr("repo.settings.collaboration")
 	ctx.Data["PageIsSettingsCollaboration"] = true
 
 	users, err := repo_model.GetCollaborators(ctx, ctx.Repo.Repository.ID, db.ListOptions{})
@@ -1119,7 +1119,7 @@ func GitHooksEditPost(ctx *context.Context) {
 
 // DeployKeys render the deploy keys list of a repository page
 func DeployKeys(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("repo.settings.deploy_keys")
+	ctx.Data["Title"] = ctx.Tr("repo.settings.deploy_keys") + " / " + ctx.Tr("secrets.secrets")
 	ctx.Data["PageIsSettingsKeys"] = true
 	ctx.Data["DisableSSH"] = setting.SSH.Disabled
 
diff --git a/routers/web/repo/setting_protected_branch.go b/routers/web/repo/setting_protected_branch.go
index 31abde1ef680..a54565c1f151 100644
--- a/routers/web/repo/setting_protected_branch.go
+++ b/routers/web/repo/setting_protected_branch.go
@@ -31,7 +31,7 @@ const (
 
 // ProtectedBranchRules render the page to protect the repository
 func ProtectedBranchRules(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("repo.settings")
+	ctx.Data["Title"] = ctx.Tr("repo.settings.branches")
 	ctx.Data["PageIsSettingsBranches"] = true
 
 	rules, err := git_model.FindRepoProtectedBranchRules(ctx, ctx.Repo.Repository.ID)
@@ -46,7 +46,7 @@ func ProtectedBranchRules(ctx *context.Context) {
 
 // SetDefaultBranchPost set default branch
 func SetDefaultBranchPost(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("repo.settings")
+	ctx.Data["Title"] = ctx.Tr("repo.settings.branches.update_default_branch")
 	ctx.Data["PageIsSettingsBranches"] = true
 
 	repo := ctx.Repo.Repository
diff --git a/routers/web/repo/tag.go b/routers/web/repo/tag.go
index aa9edc73755d..95bc6dfce7f8 100644
--- a/routers/web/repo/tag.go
+++ b/routers/web/repo/tag.go
@@ -133,7 +133,7 @@ func DeleteProtectedTagPost(ctx *context.Context) {
 }
 
 func setTagsContext(ctx *context.Context) error {
-	ctx.Data["Title"] = ctx.Tr("repo.settings")
+	ctx.Data["Title"] = ctx.Tr("repo.settings.tags")
 	ctx.Data["PageIsSettingsTags"] = true
 
 	protectedTags, err := git_model.GetProtectedTags(ctx, ctx.Repo.Repository.ID)
diff --git a/routers/web/user/setting/account.go b/routers/web/user/setting/account.go
index 95b3b4040d96..dbaa8fd351b2 100644
--- a/routers/web/user/setting/account.go
+++ b/routers/web/user/setting/account.go
@@ -30,7 +30,7 @@ const (
 
 // Account renders change user's password, user's email and user suicide page
 func Account(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["Title"] = ctx.Tr("settings.account")
 	ctx.Data["PageIsSettingsAccount"] = true
 	ctx.Data["Email"] = ctx.Doer.Email
 	ctx.Data["EnableNotifyMail"] = setting.Service.EnableNotifyMail
diff --git a/routers/web/user/setting/adopt.go b/routers/web/user/setting/adopt.go
index 0aaf5920bc6d..844d6fa166a1 100644
--- a/routers/web/user/setting/adopt.go
+++ b/routers/web/user/setting/adopt.go
@@ -17,7 +17,7 @@ import (
 
 // AdoptOrDeleteRepository adopts or deletes a repository
 func AdoptOrDeleteRepository(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["Title"] = ctx.Tr("settings.adopt")
 	ctx.Data["PageIsSettingsRepos"] = true
 	allowAdopt := ctx.IsUserSiteAdmin() || setting.Repository.AllowAdoptionOfUnadoptedRepositories
 	ctx.Data["allowAdopt"] = allowAdopt
diff --git a/routers/web/user/setting/applications.go b/routers/web/user/setting/applications.go
index b66806ff2de0..ac935e51bbb3 100644
--- a/routers/web/user/setting/applications.go
+++ b/routers/web/user/setting/applications.go
@@ -21,7 +21,7 @@ const (
 
 // Applications render manage access token page
 func Applications(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["Title"] = ctx.Tr("settings.applications")
 	ctx.Data["PageIsSettingsApplications"] = true
 
 	loadApplicationsData(ctx)
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index ec50eef9c18d..0ecc39ecd17e 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -23,7 +23,7 @@ const (
 
 // Keys render user's SSH/GPG public keys page
 func Keys(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["Title"] = ctx.Tr("settings.ssh_gpg_keys")
 	ctx.Data["PageIsSettingsKeys"] = true
 	ctx.Data["DisableSSH"] = setting.SSH.Disabled
 	ctx.Data["BuiltinSSH"] = setting.SSH.StartBuiltinServer
diff --git a/routers/web/user/setting/profile.go b/routers/web/user/setting/profile.go
index af161952501b..e01f3cdeea94 100644
--- a/routers/web/user/setting/profile.go
+++ b/routers/web/user/setting/profile.go
@@ -42,7 +42,7 @@ const (
 
 // Profile render user's profile page
 func Profile(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["Title"] = ctx.Tr("settings.profile")
 	ctx.Data["PageIsSettingsProfile"] = true
 	ctx.Data["AllowedUserVisibilityModes"] = setting.Service.AllowedUserVisibilityModesSlice.ToVisibleTypeSlice()
 
@@ -219,7 +219,7 @@ func DeleteAvatar(ctx *context.Context) {
 
 // Organization render all the organization of the user
 func Organization(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["Title"] = ctx.Tr("settings.organization")
 	ctx.Data["PageIsSettingsOrganization"] = true
 
 	opts := organization.FindOrgOptions{
@@ -254,7 +254,7 @@ func Organization(ctx *context.Context) {
 
 // Repos display a list of all repositories of the user
 func Repos(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["Title"] = ctx.Tr("settings.repos")
 	ctx.Data["PageIsSettingsRepos"] = true
 	ctx.Data["allowAdopt"] = ctx.IsUserSiteAdmin() || setting.Repository.AllowAdoptionOfUnadoptedRepositories
 	ctx.Data["allowDelete"] = ctx.IsUserSiteAdmin() || setting.Repository.AllowDeleteOfUnadoptedRepositories
@@ -360,7 +360,7 @@ func Repos(ctx *context.Context) {
 
 // Appearance render user's appearance settings
 func Appearance(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["Title"] = ctx.Tr("settings.appearance")
 	ctx.Data["PageIsSettingsAppearance"] = true
 
 	var hiddenCommentTypes *big.Int
diff --git a/routers/web/user/setting/security/security.go b/routers/web/user/setting/security/security.go
index db6faaed6e19..6e6e7efb0b2c 100644
--- a/routers/web/user/setting/security/security.go
+++ b/routers/web/user/setting/security/security.go
@@ -22,7 +22,7 @@ const (
 
 // Security render change user's password page and 2FA
 func Security(ctx *context.Context) {
-	ctx.Data["Title"] = ctx.Tr("settings")
+	ctx.Data["Title"] = ctx.Tr("settings.security")
 	ctx.Data["PageIsSettingsSecurity"] = true
 
 	if ctx.FormString("openid.return_to") != "" {
diff --git a/templates/admin/applications/list.tmpl b/templates/admin/applications/list.tmpl
index 6d627129df0e..4da6cb044659 100644
--- a/templates/admin/applications/list.tmpl
+++ b/templates/admin/applications/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin config">
+<div role="main" aria-label="{{.Title}}" class="page-content admin config">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		<div class="twelve wide column content">
diff --git a/templates/admin/applications/oauth2_edit.tmpl b/templates/admin/applications/oauth2_edit.tmpl
index 84d821eccace..20231c4b1ca9 100644
--- a/templates/admin/applications/oauth2_edit.tmpl
+++ b/templates/admin/applications/oauth2_edit.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin config">
+<div role="main" aria-label="{{.Title}}" class="page-content admin config">
 	{{template "admin/navbar" .}}
 
 	{{template "user/settings/applications_oauth2_edit_form" .}}
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index bf9d53152c2e..91e4b1df5251 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin edit authentication">
+<div role="main" aria-label="{{.Title}}" class="page-content admin edit authentication">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/auth/list.tmpl b/templates/admin/auth/list.tmpl
index c43287ee1ae0..afe814cc6cb2 100644
--- a/templates/admin/auth/list.tmpl
+++ b/templates/admin/auth/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin authentication">
+<div role="main" aria-label="{{.Title}}" class="page-content admin authentication">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index 213c621b42f2..ab84dfccaf98 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin new authentication">
+<div role="main" aria-label="{{.Title}}" class="page-content admin new authentication">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/config.tmpl b/templates/admin/config.tmpl
index c2ab31862d97..8f572c839612 100644
--- a/templates/admin/config.tmpl
+++ b/templates/admin/config.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin config">
+<div role="main" aria-label="{{.Title}}" class="page-content admin config">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/dashboard.tmpl b/templates/admin/dashboard.tmpl
index 80eea91210cc..40f28068d7d6 100644
--- a/templates/admin/dashboard.tmpl
+++ b/templates/admin/dashboard.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin dashboard">
+<div role="main" aria-label="{{.Title}}" class="page-content admin dashboard">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/emails/list.tmpl b/templates/admin/emails/list.tmpl
index f5f6a86dc8ae..091f5011f953 100644
--- a/templates/admin/emails/list.tmpl
+++ b/templates/admin/emails/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin user">
+<div role="main" aria-label="{{.Title}}" class="page-content admin user">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/hook_new.tmpl b/templates/admin/hook_new.tmpl
index 407eae9646cb..0c018ff2939e 100644
--- a/templates/admin/hook_new.tmpl
+++ b/templates/admin/hook_new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin settings new webhook">
+<div role="main" aria-label="{{.Title}}" class="page-content admin settings new webhook">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/hooks.tmpl b/templates/admin/hooks.tmpl
index a23cff434269..26f92c706410 100644
--- a/templates/admin/hooks.tmpl
+++ b/templates/admin/hooks.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin hooks">
+<div role="main" aria-label="{{.Title}}" class="page-content admin hooks">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/monitor.tmpl b/templates/admin/monitor.tmpl
index f11d071ea433..d53e9e18dcc8 100644
--- a/templates/admin/monitor.tmpl
+++ b/templates/admin/monitor.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin monitor">
+<div role="main" aria-label="{{.Title}}" class="page-content admin monitor">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/notice.tmpl b/templates/admin/notice.tmpl
index 36752d47b26e..a2c7ca2f6ae8 100644
--- a/templates/admin/notice.tmpl
+++ b/templates/admin/notice.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin notice">
+<div role="main" aria-label="{{.Title}}" class="page-content admin notice">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/org/list.tmpl b/templates/admin/org/list.tmpl
index 11dc23c60eb9..9bf7a6268e5b 100644
--- a/templates/admin/org/list.tmpl
+++ b/templates/admin/org/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin user">
+<div role="main" aria-label="{{.Title}}" class="page-content admin user">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/packages/list.tmpl b/templates/admin/packages/list.tmpl
index 4c96d2bf1053..bb36ca1ae358 100644
--- a/templates/admin/packages/list.tmpl
+++ b/templates/admin/packages/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin user">
+<div role="main" aria-label="{{.Title}}" class="page-content admin user">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/queue.tmpl b/templates/admin/queue.tmpl
index 675ec417e40e..19dd70da1214 100644
--- a/templates/admin/queue.tmpl
+++ b/templates/admin/queue.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin monitor">
+<div role="main" aria-label="{{.Title}}" class="page-content admin monitor">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/repo/list.tmpl b/templates/admin/repo/list.tmpl
index 837802f0d0ce..11216b8c8639 100644
--- a/templates/admin/repo/list.tmpl
+++ b/templates/admin/repo/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin user">
+<div role="main" aria-label="{{.Title}}" class="page-content admin user">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/repo/unadopted.tmpl b/templates/admin/repo/unadopted.tmpl
index 0c27c80e930b..ca0b4c3bb9a0 100644
--- a/templates/admin/repo/unadopted.tmpl
+++ b/templates/admin/repo/unadopted.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin user">
+<div role="main" aria-label="{{.Title}}" class="page-content admin user">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/stacktrace.tmpl b/templates/admin/stacktrace.tmpl
index 91929deaa888..4e16036ae3a3 100644
--- a/templates/admin/stacktrace.tmpl
+++ b/templates/admin/stacktrace.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin monitor">
+<div role="main" aria-label="{{.Title}}" class="page-content admin monitor">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/user/edit.tmpl b/templates/admin/user/edit.tmpl
index 9e0f1d89fd15..ef436c718a6d 100644
--- a/templates/admin/user/edit.tmpl
+++ b/templates/admin/user/edit.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin edit user">
+<div role="main" aria-label="{{.Title}}" class="page-content admin edit user">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/user/list.tmpl b/templates/admin/user/list.tmpl
index 67a726eb3f6d..88af2172b761 100644
--- a/templates/admin/user/list.tmpl
+++ b/templates/admin/user/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin user">
+<div role="main" aria-label="{{.Title}}" class="page-content admin user">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/admin/user/new.tmpl b/templates/admin/user/new.tmpl
index 9fdf0dce93dd..e5ca864cb77d 100644
--- a/templates/admin/user/new.tmpl
+++ b/templates/admin/user/new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content admin new user">
+<div role="main" aria-label="{{.Title}}" class="page-content admin new user">
 	{{template "admin/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/explore/code.tmpl b/templates/explore/code.tmpl
index f4e46d119876..924a3e627482 100644
--- a/templates/explore/code.tmpl
+++ b/templates/explore/code.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content explore users">
+<div role="main" aria-label="{{.Title}}" class="page-content explore users">
 	{{template "explore/navbar" .}}
 	<div class="ui container">
 		{{template "code/searchform" .}}
diff --git a/templates/explore/organizations.tmpl b/templates/explore/organizations.tmpl
index 36267baf3395..56c6ee56a076 100644
--- a/templates/explore/organizations.tmpl
+++ b/templates/explore/organizations.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content explore users">
+<div role="main" aria-label="{{.Title}}" class="page-content explore users">
 	{{template "explore/navbar" .}}
 	<div class="ui container">
 		{{template "explore/search" .}}
diff --git a/templates/explore/repos.tmpl b/templates/explore/repos.tmpl
index 457ad74115e4..dfede2ffcc06 100644
--- a/templates/explore/repos.tmpl
+++ b/templates/explore/repos.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content explore repositories">
+<div role="main" aria-label="{{.Title}}" class="page-content explore repositories">
 	{{template "explore/navbar" .}}
 	<div class="ui container">
 		{{template "explore/repo_search" .}}
diff --git a/templates/explore/users.tmpl b/templates/explore/users.tmpl
index 5fb79c0dd027..336daea7c8a2 100644
--- a/templates/explore/users.tmpl
+++ b/templates/explore/users.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content explore users">
+<div role="main" aria-label="{{.Title}}" class="page-content explore users">
 	{{template "explore/navbar" .}}
 	<div class="ui container">
 		{{template "explore/search" .}}
diff --git a/templates/home.tmpl b/templates/home.tmpl
index 87192fa55b6e..52ad1b12dfc1 100644
--- a/templates/home.tmpl
+++ b/templates/home.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content home">
+<div role="main" aria-label="{{if .IsSigned}}{{.locale.Tr "dashboard"}}{{else}}{{.locale.Tr "home"}}{{end}}" class="page-content home">
 	<div class="ui stackable middle very relaxed page grid">
 		<div class="sixteen wide center aligned centered column">
 			<div>
diff --git a/templates/install.tmpl b/templates/install.tmpl
index 0625f43cc4e6..3d33dcbcb766 100644
--- a/templates/install.tmpl
+++ b/templates/install.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content install">
+<div role="main" aria-label="{{.Title}}" class="page-content install">
 	<div class="ui middle very relaxed page grid">
 		<div class="sixteen wide center aligned centered column">
 			<h3 class="ui top attached header">
diff --git a/templates/org/create.tmpl b/templates/org/create.tmpl
index 26c432303ce0..8da46fb325b2 100644
--- a/templates/org/create.tmpl
+++ b/templates/org/create.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization new org">
+<div role="main" aria-label="{{.Title}}" class="page-content organization new org">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/org/home.tmpl b/templates/org/home.tmpl
index eea5a076db66..b3724e7a63f1 100644
--- a/templates/org/home.tmpl
+++ b/templates/org/home.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization profile">
+<div role="main" aria-label="{{.Title}}" class="page-content organization profile">
 	<div class="ui container df">
 		{{avatar .Org 140 "org-avatar"}}
 		<div id="org-info">
diff --git a/templates/org/member/members.tmpl b/templates/org/member/members.tmpl
index fceb0801341b..b4f788e52308 100644
--- a/templates/org/member/members.tmpl
+++ b/templates/org/member/members.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization members">
+<div role="main" aria-label="{{.Title}}" class="page-content organization members">
 	{{template "org/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/org/projects/list.tmpl b/templates/org/projects/list.tmpl
index 544ed387423c..1f113b28c84c 100644
--- a/templates/org/projects/list.tmpl
+++ b/templates/org/projects/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository packages">
+<div role="main" aria-label="{{.Title}}" class="page-content repository packages">
 	{{template "user/overview/header" .}}
 	{{template "projects/list" .}}
 </div>
diff --git a/templates/org/projects/new.tmpl b/templates/org/projects/new.tmpl
index b3d6c6001e37..f550cdc828d2 100644
--- a/templates/org/projects/new.tmpl
+++ b/templates/org/projects/new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository packages">
+<div role="main" aria-label="{{.Title}}" class="page-content repository packages">
 	{{template "user/overview/header" .}}
 	{{template "projects/new" .}}
 </div>
diff --git a/templates/org/projects/view.tmpl b/templates/org/projects/view.tmpl
index 03327e253001..c2d8f015f105 100644
--- a/templates/org/projects/view.tmpl
+++ b/templates/org/projects/view.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository packages">
+<div role="main" aria-label="{{.Title}}" class="page-content repository packages">
 	{{template "user/overview/header" .}}
 	{{template "projects/view" .}}
 </div>
diff --git a/templates/org/settings/applications.tmpl b/templates/org/settings/applications.tmpl
index 8bdd99deb862..35736df591eb 100644
--- a/templates/org/settings/applications.tmpl
+++ b/templates/org/settings/applications.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings options">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings options">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/settings/applications_oauth2_edit.tmpl b/templates/org/settings/applications_oauth2_edit.tmpl
index 2c7fa842b3b3..861651a15e7d 100644
--- a/templates/org/settings/applications_oauth2_edit.tmpl
+++ b/templates/org/settings/applications_oauth2_edit.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings options">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings options">
 	{{template "org/header" .}}
 
 	{{template "user/settings/applications_oauth2_edit_form" .}}
diff --git a/templates/org/settings/delete.tmpl b/templates/org/settings/delete.tmpl
index 8a38dcafe356..669e393e1dec 100644
--- a/templates/org/settings/delete.tmpl
+++ b/templates/org/settings/delete.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings delete">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings delete">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/settings/hook_new.tmpl b/templates/org/settings/hook_new.tmpl
index 081f5a283948..4685225f4c86 100644
--- a/templates/org/settings/hook_new.tmpl
+++ b/templates/org/settings/hook_new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings new webhook">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings new webhook">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/settings/hooks.tmpl b/templates/org/settings/hooks.tmpl
index cb0243bb1eb4..3abbc62ecf87 100644
--- a/templates/org/settings/hooks.tmpl
+++ b/templates/org/settings/hooks.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings webhooks">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings webhooks">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/settings/labels.tmpl b/templates/org/settings/labels.tmpl
index a6b5405a4284..5436bcba05ca 100644
--- a/templates/org/settings/labels.tmpl
+++ b/templates/org/settings/labels.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings labels">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings labels">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/settings/options.tmpl b/templates/org/settings/options.tmpl
index 1b12c1221b97..b52639fb19b9 100644
--- a/templates/org/settings/options.tmpl
+++ b/templates/org/settings/options.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings options">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings options">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/settings/packages.tmpl b/templates/org/settings/packages.tmpl
index bb5d95e1072a..412a9813c21b 100644
--- a/templates/org/settings/packages.tmpl
+++ b/templates/org/settings/packages.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings packages">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings packages">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/settings/packages_cleanup_rules_edit.tmpl b/templates/org/settings/packages_cleanup_rules_edit.tmpl
index 8c3725f4d7e9..195c21da0c54 100644
--- a/templates/org/settings/packages_cleanup_rules_edit.tmpl
+++ b/templates/org/settings/packages_cleanup_rules_edit.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings packages">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings packages">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/settings/packages_cleanup_rules_preview.tmpl b/templates/org/settings/packages_cleanup_rules_preview.tmpl
index e0e4652c367e..771e6cb8f3dc 100644
--- a/templates/org/settings/packages_cleanup_rules_preview.tmpl
+++ b/templates/org/settings/packages_cleanup_rules_preview.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings packages admin">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings packages admin">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/settings/secrets.tmpl b/templates/org/settings/secrets.tmpl
index 70add15f50fb..909c16f4484e 100644
--- a/templates/org/settings/secrets.tmpl
+++ b/templates/org/settings/secrets.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization settings webhooks">
+<div role="main" aria-label="{{.Title}}" class="page-content organization settings webhooks">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/team/invite.tmpl b/templates/org/team/invite.tmpl
index a696d9949800..ef365dee3a0d 100644
--- a/templates/org/team/invite.tmpl
+++ b/templates/org/team/invite.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization invite">
+<div role="main" aria-label="{{.Title}}" class="page-content organization invite">
 	<div class="ui container">
 		{{template "base/alert" .}}
 		<div class="ui centered card">
diff --git a/templates/org/team/members.tmpl b/templates/org/team/members.tmpl
index 1a58dc5339ec..13bd6c5b5db2 100644
--- a/templates/org/team/members.tmpl
+++ b/templates/org/team/members.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization teams">
+<div role="main" aria-label="{{.Title}}" class="page-content organization teams">
 	{{template "org/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 005d7ce4e510..d9d3902fe1a3 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization new team">
+<div role="main" aria-label="{{.Title}}" class="page-content organization new team">
 	{{template "org/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/org/team/repositories.tmpl b/templates/org/team/repositories.tmpl
index 80bdf7b3dbfc..0391a762faf2 100644
--- a/templates/org/team/repositories.tmpl
+++ b/templates/org/team/repositories.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization teams">
+<div role="main" aria-label="{{.Title}}" class="page-content organization teams">
 	{{template "org/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/org/team/teams.tmpl b/templates/org/team/teams.tmpl
index 5399f3a59408..66ac4a421196 100644
--- a/templates/org/team/teams.tmpl
+++ b/templates/org/team/teams.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content organization teams">
+<div role="main" aria-label="{{.Title}}" class="page-content organization teams">
 	{{template "org/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/package/settings.tmpl b/templates/package/settings.tmpl
index d1475be593c6..a2c4bd4c2829 100644
--- a/templates/package/settings.tmpl
+++ b/templates/package/settings.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings options">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings options">
 	{{template "user/overview/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/package/view.tmpl b/templates/package/view.tmpl
index 2222480e7cd3..4611cdb8d840 100644
--- a/templates/package/view.tmpl
+++ b/templates/package/view.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository view issue packages">
+<div role="main" aria-label="{{.Title}}" class="page-content repository view issue packages">
 	{{template "user/overview/header" .}}
 	<div class="ui container">
 		<div>
diff --git a/templates/post-install.tmpl b/templates/post-install.tmpl
index 4abfe171dddd..e098f43fda82 100644
--- a/templates/post-install.tmpl
+++ b/templates/post-install.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content install">
+<div role="main" aria-label="{{.Title}}" class="page-content install">
 	<div class="ui container">
 		<div class="ui grid">
 			<div class="sixteen wide column content">
diff --git a/templates/projects/list.tmpl b/templates/projects/list.tmpl
index ae2eaec6eaa7..21a3350a75db 100644
--- a/templates/projects/list.tmpl
+++ b/templates/projects/list.tmpl
@@ -1,4 +1,4 @@
-<div class="page-content repository projects">
+<div role="main" aria-label="{{.Title}}" class="page-content repository projects">
 	<div class="ui container">
 		{{if .CanWriteProjects}}
 			<div class="navbar">
diff --git a/templates/projects/new.tmpl b/templates/projects/new.tmpl
index 1069102792b1..04192c64c261 100644
--- a/templates/projects/new.tmpl
+++ b/templates/projects/new.tmpl
@@ -1,4 +1,4 @@
-<div class="page-content repository projects edit-project new milestone">
+<div role="main" aria-label="{{.Title}}" class="page-content repository projects edit-project new milestone">
 	<div class="ui container">
 		<div class="navbar">
 			{{if and .CanWriteProjects .PageIsEditProject}}
diff --git a/templates/projects/view.tmpl b/templates/projects/view.tmpl
index ac72acb82b6a..42eb578074d8 100644
--- a/templates/projects/view.tmpl
+++ b/templates/projects/view.tmpl
@@ -1,4 +1,4 @@
-<div class="page-content repository projects view-project">
+<div role="main" aria-label="{{.Title}}" class="page-content repository projects view-project">
 	<div class="ui container">
 		<div class="ui two column stackable grid">
 			<div class="column">
diff --git a/templates/repo/activity.tmpl b/templates/repo/activity.tmpl
index cc6ca95edbdb..255951824d27 100644
--- a/templates/repo/activity.tmpl
+++ b/templates/repo/activity.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository commits">
+<div role="main" aria-label="{{.Title}}" class="page-content repository commits">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<h2 class="ui header"><time data-format="date" datetime="{{.DateFrom}}">{{.DateFrom}}</time> - <time data-format="date" datetime="{{.DateUntil}}">{{.DateUntil}}</time>
diff --git a/templates/repo/branch/list.tmpl b/templates/repo/branch/list.tmpl
index abce6591bd43..ee844299ab69 100644
--- a/templates/repo/branch/list.tmpl
+++ b/templates/repo/branch/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content ui repository branches">
+<div role="main" aria-label="{{.Title}}" class="page-content ui repository branches">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/repo/commit_page.tmpl b/templates/repo/commit_page.tmpl
index 6a40d5fbee56..b847a282bdd6 100644
--- a/templates/repo/commit_page.tmpl
+++ b/templates/repo/commit_page.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository diff">
+<div role="main" aria-label="{{.Title}}" class="page-content repository diff">
 	{{template "repo/header" .}}
 	<div class="ui container {{if .IsSplitStyle}}fluid padded{{end}}">
 		{{$class := ""}}
diff --git a/templates/repo/commits.tmpl b/templates/repo/commits.tmpl
index 9282e1d387ef..0188a39281db 100644
--- a/templates/repo/commits.tmpl
+++ b/templates/repo/commits.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository commits">
+<div role="main" aria-label="{{.Title}}" class="page-content repository commits">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "repo/sub_menu" .}}
diff --git a/templates/repo/create.tmpl b/templates/repo/create.tmpl
index 455bbf757e69..115d829e4f95 100644
--- a/templates/repo/create.tmpl
+++ b/templates/repo/create.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new repo">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new repo">
 	<div class="ui middle very relaxed page one column grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/diff/compare.tmpl b/templates/repo/diff/compare.tmpl
index 029e7717a44e..1010863b799d 100644
--- a/templates/repo/diff/compare.tmpl
+++ b/templates/repo/diff/compare.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository diff {{if .PageIsComparePull}}compare pull{{end}}">
+<div role="main" aria-label="{{.Title}}" class="page-content repository diff {{if .PageIsComparePull}}compare pull{{end}}">
 	{{template "repo/header" .}}
 	<div class="ui container {{if .IsSplitStyle}}fluid padded{{end}}">
 
diff --git a/templates/repo/editor/cherry_pick.tmpl b/templates/repo/editor/cherry_pick.tmpl
index 7f016f4649b1..55c6252991aa 100644
--- a/templates/repo/editor/cherry_pick.tmpl
+++ b/templates/repo/editor/cherry_pick.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository file editor edit">
+<div role="main" aria-label="{{.Title}}" class="page-content repository file editor edit">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/repo/editor/delete.tmpl b/templates/repo/editor/delete.tmpl
index 08493944bf26..2c0c2fc792e0 100644
--- a/templates/repo/editor/delete.tmpl
+++ b/templates/repo/editor/delete.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository file editor delete">
+<div role="main" aria-label="{{.Title}}" class="page-content repository file editor delete">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/repo/editor/edit.tmpl b/templates/repo/editor/edit.tmpl
index ebe56ec477fe..3bc9da99b044 100644
--- a/templates/repo/editor/edit.tmpl
+++ b/templates/repo/editor/edit.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository file editor edit">
+<div role="main" aria-label="{{.Title}}" class="page-content repository file editor edit">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/repo/editor/patch.tmpl b/templates/repo/editor/patch.tmpl
index ad72a256e7af..892adf957b60 100644
--- a/templates/repo/editor/patch.tmpl
+++ b/templates/repo/editor/patch.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository file editor edit">
+<div role="main" aria-label="{{.Title}}" class="page-content repository file editor edit">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/repo/editor/upload.tmpl b/templates/repo/editor/upload.tmpl
index f8496d5911aa..211859113f78 100644
--- a/templates/repo/editor/upload.tmpl
+++ b/templates/repo/editor/upload.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository file editor upload">
+<div role="main" aria-label="{{.Title}}" class="page-content repository file editor upload">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/repo/empty.tmpl b/templates/repo/empty.tmpl
index 24547758a7f4..cb883e8df5ae 100644
--- a/templates/repo/empty.tmpl
+++ b/templates/repo/empty.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository quickstart">
+<div role="main" aria-label="{{.Title}}" class="page-content repository quickstart">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/repo/find/files.tmpl b/templates/repo/find/files.tmpl
index 00fa6dc8ff60..ab6f03f4ada5 100644
--- a/templates/repo/find/files.tmpl
+++ b/templates/repo/find/files.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository">
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="df ac">
diff --git a/templates/repo/forks.tmpl b/templates/repo/forks.tmpl
index 56e60d4229e8..b328dc0c1961 100644
--- a/templates/repo/forks.tmpl
+++ b/templates/repo/forks.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository forks">
+<div role="main" aria-label="{{.Title}}" class="page-content repository forks">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<h2 class="ui dividing header">
diff --git a/templates/repo/graph.tmpl b/templates/repo/graph.tmpl
index 7efd6ec023d4..52c013a5d1da 100644
--- a/templates/repo/graph.tmpl
+++ b/templates/repo/graph.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository commits">
+<div role="main" aria-label="{{.Title}}" class="page-content repository commits">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div id="git-graph-container" class="ui segment{{if eq .Mode "monochrome"}} monochrome{{end}}">
diff --git a/templates/repo/home.tmpl b/templates/repo/home.tmpl
index 82e6626e333a..bdca346f8b2b 100644
--- a/templates/repo/home.tmpl
+++ b/templates/repo/home.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository file list {{if .IsBlame}}blame{{end}}">
+<div role="main" aria-label="{{.Title}}" class="page-content repository file list {{if .IsBlame}}blame{{end}}">
 	{{template "repo/header" .}}
 	<div class="ui container {{if .IsBlame}}fluid padded{{end}}">
 		{{template "base/alert" .}}
diff --git a/templates/repo/issue/choose.tmpl b/templates/repo/issue/choose.tmpl
index 609cd4843683..192754f5f776 100644
--- a/templates/repo/issue/choose.tmpl
+++ b/templates/repo/issue/choose.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new issue">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new issue">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/repo/issue/labels.tmpl b/templates/repo/issue/labels.tmpl
index 88cfd124a722..82cfcd071204 100644
--- a/templates/repo/issue/labels.tmpl
+++ b/templates/repo/issue/labels.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository labels">
+<div role="main" aria-label="{{.Title}}" class="page-content repository labels">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="navbar">
diff --git a/templates/repo/issue/list.tmpl b/templates/repo/issue/list.tmpl
index b9ae36201678..23bcc60f94f7 100644
--- a/templates/repo/issue/list.tmpl
+++ b/templates/repo/issue/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository">
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="ui three column grid issue-list-headers">
diff --git a/templates/repo/issue/milestone_issues.tmpl b/templates/repo/issue/milestone_issues.tmpl
index f3e28208adb9..f0d6ae6bfe98 100644
--- a/templates/repo/issue/milestone_issues.tmpl
+++ b/templates/repo/issue/milestone_issues.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository">
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="ui two column stackable grid">
diff --git a/templates/repo/issue/milestone_new.tmpl b/templates/repo/issue/milestone_new.tmpl
index 06469c4b54c6..ac34fb0f0d18 100644
--- a/templates/repo/issue/milestone_new.tmpl
+++ b/templates/repo/issue/milestone_new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new milestone">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new milestone">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="navbar">
diff --git a/templates/repo/issue/milestones.tmpl b/templates/repo/issue/milestones.tmpl
index 3282e895ebc4..0d0a18b631fc 100644
--- a/templates/repo/issue/milestones.tmpl
+++ b/templates/repo/issue/milestones.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository milestones">
+<div role="main" aria-label="{{.Title}}" class="page-content repository milestones">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="navbar">
diff --git a/templates/repo/issue/new.tmpl b/templates/repo/issue/new.tmpl
index 496b4b5a7018..6abff2adde79 100644
--- a/templates/repo/issue/new.tmpl
+++ b/templates/repo/issue/new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new issue">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new issue">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="navbar">
diff --git a/templates/repo/issue/view.tmpl b/templates/repo/issue/view.tmpl
index e2d1d7ed95cb..c92b50444c5a 100644
--- a/templates/repo/issue/view.tmpl
+++ b/templates/repo/issue/view.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository view issue pull">
+<div role="main" aria-label="{{.Title}}" class="page-content repository view issue pull">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="ui two column grid">
diff --git a/templates/repo/migrate/codebase.tmpl b/templates/repo/migrate/codebase.tmpl
index 0f9b377f212e..e20bd70e718f 100644
--- a/templates/repo/migrate/codebase.tmpl
+++ b/templates/repo/migrate/codebase.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new migrate">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/migrate/git.tmpl b/templates/repo/migrate/git.tmpl
index 1ef031ee1f81..0757948a6c45 100644
--- a/templates/repo/migrate/git.tmpl
+++ b/templates/repo/migrate/git.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new migrate">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/migrate/gitbucket.tmpl b/templates/repo/migrate/gitbucket.tmpl
index 5e6b3b452839..020115be6ccf 100644
--- a/templates/repo/migrate/gitbucket.tmpl
+++ b/templates/repo/migrate/gitbucket.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new migrate">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/migrate/gitea.tmpl b/templates/repo/migrate/gitea.tmpl
index f56f9df5ec7a..ef28e15ee5fd 100644
--- a/templates/repo/migrate/gitea.tmpl
+++ b/templates/repo/migrate/gitea.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new migrate">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/migrate/github.tmpl b/templates/repo/migrate/github.tmpl
index c4249f8904b8..b6c39134f0b7 100644
--- a/templates/repo/migrate/github.tmpl
+++ b/templates/repo/migrate/github.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new migrate">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/migrate/gitlab.tmpl b/templates/repo/migrate/gitlab.tmpl
index a959833e9668..454194542e4f 100644
--- a/templates/repo/migrate/gitlab.tmpl
+++ b/templates/repo/migrate/gitlab.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new migrate">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/migrate/gogs.tmpl b/templates/repo/migrate/gogs.tmpl
index 6d331b9e8fe6..acd7ec950eb0 100644
--- a/templates/repo/migrate/gogs.tmpl
+++ b/templates/repo/migrate/gogs.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new migrate">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/migrate/migrate.tmpl b/templates/repo/migrate/migrate.tmpl
index ff96e6793bad..e69cb5724b1f 100644
--- a/templates/repo/migrate/migrate.tmpl
+++ b/templates/repo/migrate/migrate.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new migrate">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			{{template "repo/migrate/helper" .}}
diff --git a/templates/repo/migrate/migrating.tmpl b/templates/repo/migrate/migrating.tmpl
index c06f4b57292a..e6d329a1ab79 100644
--- a/templates/repo/migrate/migrating.tmpl
+++ b/templates/repo/migrate/migrating.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository">
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="ui grid">
diff --git a/templates/repo/migrate/onedev.tmpl b/templates/repo/migrate/onedev.tmpl
index 18256aca5dc1..ec8c06cc70d2 100644
--- a/templates/repo/migrate/onedev.tmpl
+++ b/templates/repo/migrate/onedev.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new migrate">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new migrate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/packages.tmpl b/templates/repo/packages.tmpl
index 69bea014d7ec..47fa338a4403 100644
--- a/templates/repo/packages.tmpl
+++ b/templates/repo/packages.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository packages">
+<div role="main" aria-label="{{.Title}}" class="page-content repository packages">
 	{{template "repo/header" .}}
 	{{template "package/shared/list" .}}
 </div>
diff --git a/templates/repo/projects/list.tmpl b/templates/repo/projects/list.tmpl
index 274734f515a0..f717934b3373 100644
--- a/templates/repo/projects/list.tmpl
+++ b/templates/repo/projects/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository projects milestones">
+<div role="main" aria-label="{{.Title}}" class="page-content repository projects milestones">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="navbar">
diff --git a/templates/repo/projects/new.tmpl b/templates/repo/projects/new.tmpl
index 5edca90886bc..79f9380dce6f 100644
--- a/templates/repo/projects/new.tmpl
+++ b/templates/repo/projects/new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository projects edit-project new milestone">
+<div role="main" aria-label="{{.Title}}" class="page-content repository projects edit-project new milestone">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="navbar">
diff --git a/templates/repo/projects/view.tmpl b/templates/repo/projects/view.tmpl
index 262efd2e0e80..1c09aade3520 100644
--- a/templates/repo/projects/view.tmpl
+++ b/templates/repo/projects/view.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository projects view-project">
+<div role="main" aria-label="{{.Title}}" class="page-content repository projects view-project">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="ui two column stackable grid">
diff --git a/templates/repo/pulls/commits.tmpl b/templates/repo/pulls/commits.tmpl
index 64f377d7a4b7..bb113da268ff 100644
--- a/templates/repo/pulls/commits.tmpl
+++ b/templates/repo/pulls/commits.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository view issue pull commits">
+<div role="main" aria-label="{{.Title}}" class="page-content repository view issue pull commits">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="navbar">
diff --git a/templates/repo/pulls/files.tmpl b/templates/repo/pulls/files.tmpl
index 9b2400000286..e5e91bf5c33f 100644
--- a/templates/repo/pulls/files.tmpl
+++ b/templates/repo/pulls/files.tmpl
@@ -3,7 +3,7 @@
 <input type="hidden" id="repolink" value="{{$.RepoRelPath}}">
 <input type="hidden" id="issueIndex" value="{{.Issue.Index}}"/>
 
-<div class="page-content repository view issue pull files diff">
+<div role="main" aria-label="{{.Title}}" class="page-content repository view issue pull files diff">
 	{{template "repo/header" .}}
 	<div class="ui container {{if .IsSplitStyle}}fluid padded{{end}}">
 		<div class="navbar">
diff --git a/templates/repo/pulls/fork.tmpl b/templates/repo/pulls/fork.tmpl
index 4e20642cf612..d3e017aa03ba 100644
--- a/templates/repo/pulls/fork.tmpl
+++ b/templates/repo/pulls/fork.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new fork">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new fork">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/repo/release/list.tmpl b/templates/repo/release/list.tmpl
index 9f4104bec5c1..f38106cfdfd4 100644
--- a/templates/repo/release/list.tmpl
+++ b/templates/repo/release/list.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository release">
+<div role="main" aria-label="{{.Title}}" class="page-content repository release">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/repo/release/new.tmpl b/templates/repo/release/new.tmpl
index 1781a36cfcad..b4b7186a9a79 100644
--- a/templates/repo/release/new.tmpl
+++ b/templates/repo/release/new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new release">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new release">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<h2 class="ui dividing header">
diff --git a/templates/repo/search.tmpl b/templates/repo/search.tmpl
index c68d20cdd2db..e4f1d01a08b3 100644
--- a/templates/repo/search.tmpl
+++ b/templates/repo/search.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository file list">
+<div role="main" aria-label="{{.Title}}" class="page-content repository file list">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="ui repo-search">
diff --git a/templates/repo/settings/branches.tmpl b/templates/repo/settings/branches.tmpl
index ad3b3275e888..f7127fd7934e 100644
--- a/templates/repo/settings/branches.tmpl
+++ b/templates/repo/settings/branches.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings edit">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings edit">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/collaboration.tmpl b/templates/repo/settings/collaboration.tmpl
index 2f932b4c3958..1d0c66036725 100644
--- a/templates/repo/settings/collaboration.tmpl
+++ b/templates/repo/settings/collaboration.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings collaboration">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings collaboration">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/deploy_keys.tmpl b/templates/repo/settings/deploy_keys.tmpl
index 44c916eefbdb..ff9628d3502b 100644
--- a/templates/repo/settings/deploy_keys.tmpl
+++ b/templates/repo/settings/deploy_keys.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/githook_edit.tmpl b/templates/repo/settings/githook_edit.tmpl
index 69421d2cb039..a4f877822521 100644
--- a/templates/repo/settings/githook_edit.tmpl
+++ b/templates/repo/settings/githook_edit.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings edit githook">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings edit githook">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/githooks.tmpl b/templates/repo/settings/githooks.tmpl
index 9fa396c8d573..81d61fcd169e 100644
--- a/templates/repo/settings/githooks.tmpl
+++ b/templates/repo/settings/githooks.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings githooks">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings githooks">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/lfs.tmpl b/templates/repo/settings/lfs.tmpl
index 405fc624bea7..566a701efb2a 100644
--- a/templates/repo/settings/lfs.tmpl
+++ b/templates/repo/settings/lfs.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings lfs">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings lfs">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/lfs_file.tmpl b/templates/repo/settings/lfs_file.tmpl
index 6d20aaddef12..eb67de20a018 100644
--- a/templates/repo/settings/lfs_file.tmpl
+++ b/templates/repo/settings/lfs_file.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings lfs">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings lfs">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container repository file list">
diff --git a/templates/repo/settings/lfs_file_find.tmpl b/templates/repo/settings/lfs_file_find.tmpl
index fb0ad98667a0..d5983ca1cc8d 100644
--- a/templates/repo/settings/lfs_file_find.tmpl
+++ b/templates/repo/settings/lfs_file_find.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings lfs">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings lfs">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container repository file list">
diff --git a/templates/repo/settings/lfs_locks.tmpl b/templates/repo/settings/lfs_locks.tmpl
index 26d5688106df..73bfe08adae7 100644
--- a/templates/repo/settings/lfs_locks.tmpl
+++ b/templates/repo/settings/lfs_locks.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings lfs">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings lfs">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container repository file list">
diff --git a/templates/repo/settings/lfs_pointers.tmpl b/templates/repo/settings/lfs_pointers.tmpl
index 07633e33428f..8eebc6e870a1 100644
--- a/templates/repo/settings/lfs_pointers.tmpl
+++ b/templates/repo/settings/lfs_pointers.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings lfs">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings lfs">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/options.tmpl b/templates/repo/settings/options.tmpl
index 0383364279da..cc298ddd849f 100644
--- a/templates/repo/settings/options.tmpl
+++ b/templates/repo/settings/options.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings options">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings options">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/protected_branch.tmpl b/templates/repo/settings/protected_branch.tmpl
index 7a4405efb7bc..030b9d02569c 100644
--- a/templates/repo/settings/protected_branch.tmpl
+++ b/templates/repo/settings/protected_branch.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings branches">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings branches">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/tags.tmpl b/templates/repo/settings/tags.tmpl
index 56ce278e5868..1b2d6f7c88b7 100644
--- a/templates/repo/settings/tags.tmpl
+++ b/templates/repo/settings/tags.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings edit">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings edit">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/webhook/base.tmpl b/templates/repo/settings/webhook/base.tmpl
index a9404790dc4a..442434007ddb 100644
--- a/templates/repo/settings/webhook/base.tmpl
+++ b/templates/repo/settings/webhook/base.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings webhooks">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings webhooks">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/settings/webhook/new.tmpl b/templates/repo/settings/webhook/new.tmpl
index 2722e099beea..5102390db9b7 100644
--- a/templates/repo/settings/webhook/new.tmpl
+++ b/templates/repo/settings/webhook/new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository settings new webhook">
+<div role="main" aria-label="{{.Title}}" class="page-content repository settings new webhook">
 	{{template "repo/header" .}}
 	{{template "repo/settings/navbar" .}}
 	<div class="ui container">
diff --git a/templates/repo/watchers.tmpl b/templates/repo/watchers.tmpl
index 6afb89b268df..ebd8f0faadf1 100644
--- a/templates/repo/watchers.tmpl
+++ b/templates/repo/watchers.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository watchers">
+<div role="main" aria-label="{{.Title}}" class="page-content repository watchers">
 	{{template "repo/header" .}}
 	{{template "repo/user_cards" .}}
 </div>
diff --git a/templates/repo/wiki/new.tmpl b/templates/repo/wiki/new.tmpl
index 26c19c0a43f0..194e40122b99 100644
--- a/templates/repo/wiki/new.tmpl
+++ b/templates/repo/wiki/new.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository wiki new">
+<div role="main" aria-label="{{.Title}}" class="page-content repository wiki new">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/repo/wiki/pages.tmpl b/templates/repo/wiki/pages.tmpl
index 3c53fe1e8ade..ea5b9709c47a 100644
--- a/templates/repo/wiki/pages.tmpl
+++ b/templates/repo/wiki/pages.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository wiki pages">
+<div role="main" aria-label="{{.Title}}" class="page-content repository wiki pages">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<h2 class="ui header df ac sb">
diff --git a/templates/repo/wiki/revision.tmpl b/templates/repo/wiki/revision.tmpl
index b49441f4eb84..c5256ab5347f 100644
--- a/templates/repo/wiki/revision.tmpl
+++ b/templates/repo/wiki/revision.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository wiki revisions">
+<div role="main" aria-label="{{.Title}}" class="page-content repository wiki revisions">
 	{{template "repo/header" .}}
 	{{$title := .title}}
 	<div class="ui container">
diff --git a/templates/repo/wiki/start.tmpl b/templates/repo/wiki/start.tmpl
index e353fcab41ba..c98ee6f3c906 100644
--- a/templates/repo/wiki/start.tmpl
+++ b/templates/repo/wiki/start.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository wiki start">
+<div role="main" aria-label="{{.Title}}" class="page-content repository wiki start">
 	{{template "repo/header" .}}
 	<div class="ui container">
 		<div class="ui center segment">
diff --git a/templates/repo/wiki/view.tmpl b/templates/repo/wiki/view.tmpl
index 3cd6617dd9ad..b5e65dffcf27 100644
--- a/templates/repo/wiki/view.tmpl
+++ b/templates/repo/wiki/view.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository wiki view">
+<div role="main" aria-label="{{.Title}}" class="page-content repository wiki view">
 	{{template "repo/header" .}}
 	{{$title := .title}}
 	<div class="ui container">
diff --git a/templates/status/404.tmpl b/templates/status/404.tmpl
index 8dd4cfb8ae38..fcef783f6821 100644
--- a/templates/status/404.tmpl
+++ b/templates/status/404.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content ui container center full-screen-width {{if .IsRepo}}repository{{end}}">
+<div role="main" aria-label="{{.Title}}" class="page-content ui container center full-screen-width {{if .IsRepo}}repository{{end}}">
 	{{if .IsRepo}}{{template "repo/header" .}}{{end}}
 	<div class="ui container center">
 		<p style="margin-top: 100px"><img src="{{AssetUrlPrefix}}/img/404.png" alt="404"/></p>
diff --git a/templates/status/500.tmpl b/templates/status/500.tmpl
index cdedd947a086..89dfeac3f2c6 100644
--- a/templates/status/500.tmpl
+++ b/templates/status/500.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content ui container full-screen-width center">
+<div role="main" aria-label="{{.Title}}" class="page-content ui container full-screen-width center">
 	<p style="margin-top: 100px"><img src="{{AssetUrlPrefix}}/img/500.png" alt="500"/></p>
 	<div class="ui divider"></div>
 	<br>
diff --git a/templates/user/auth/activate.tmpl b/templates/user/auth/activate.tmpl
index ef72ef1e5450..5a44529d18d6 100644
--- a/templates/user/auth/activate.tmpl
+++ b/templates/user/auth/activate.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user activate">
+<div role="main" aria-label="{{.Title}}" class="page-content user activate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form ignore-dirty" action="{{AppSubUrl}}/user/activate" method="post">
diff --git a/templates/user/auth/change_passwd.tmpl b/templates/user/auth/change_passwd.tmpl
index b1d8c9db2cb8..e05f46fa6b2c 100644
--- a/templates/user/auth/change_passwd.tmpl
+++ b/templates/user/auth/change_passwd.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
+<div role="main" aria-label="{{.Title}}" class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
 	<div class="ui container">
 		{{template "user/auth/change_passwd_inner" .}}
 	</div>
diff --git a/templates/user/auth/finalize_openid.tmpl b/templates/user/auth/finalize_openid.tmpl
index 39163b30beeb..2b833d9b3269 100644
--- a/templates/user/auth/finalize_openid.tmpl
+++ b/templates/user/auth/finalize_openid.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user signin">
+<div role="main" aria-label="{{.Title}}" class="page-content user signin">
 	<div class="ui container">
 		<div class="ui grid">
 			{{template "user/auth/finalize_openid_navbar" .}}
diff --git a/templates/user/auth/forgot_passwd.tmpl b/templates/user/auth/forgot_passwd.tmpl
index cd42085e2833..f80e28937e13 100644
--- a/templates/user/auth/forgot_passwd.tmpl
+++ b/templates/user/auth/forgot_passwd.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user forgot password">
+<div role="main" aria-label="{{.Title}}" class="page-content user forgot password">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form ignore-dirty" action="{{.Link}}" method="post">
diff --git a/templates/user/auth/grant.tmpl b/templates/user/auth/grant.tmpl
index 682614dee58b..c906db3e0a17 100644
--- a/templates/user/auth/grant.tmpl
+++ b/templates/user/auth/grant.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content ui one column stackable center aligned page grid oauth2-authorize-application-box">
+<div role="main" aria-label="{{.Title}}" class="page-content ui one column stackable center aligned page grid oauth2-authorize-application-box">
 	<div class="column seven wide">
 		<div class="ui middle centered raised segments">
 			<h3 class="ui top attached header">
diff --git a/templates/user/auth/grant_error.tmpl b/templates/user/auth/grant_error.tmpl
index b775ac9b9224..cfb7e8663b00 100644
--- a/templates/user/auth/grant_error.tmpl
+++ b/templates/user/auth/grant_error.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content ui one column stackable center aligned page grid oauth2-authorize-application-box {{if .IsRepo}}repository{{end}}">
+<div role="main" aria-label="{{.Title}}" class="page-content ui one column stackable center aligned page grid oauth2-authorize-application-box {{if .IsRepo}}repository{{end}}">
 	{{if .IsRepo}}{{template "repo/header" .}}{{end}}
 	<div class="column seven wide">
 		<div class="ui middle centered raised segments">
diff --git a/templates/user/auth/link_account.tmpl b/templates/user/auth/link_account.tmpl
index 4525bf551af5..1e059f68144a 100644
--- a/templates/user/auth/link_account.tmpl
+++ b/templates/user/auth/link_account.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user link-account">
+<div role="main" aria-label="{{.Title}}" class="page-content user link-account">
 	<div class="ui secondary pointing tabular top attached borderless menu new-menu navbar">
 		<div class="new-menu-inner">
 			<!-- TODO handle .ShowRegistrationButton once other login bugs are fixed -->
diff --git a/templates/user/auth/prohibit_login.tmpl b/templates/user/auth/prohibit_login.tmpl
index d002ad7ae0af..ddb16a7f2651 100644
--- a/templates/user/auth/prohibit_login.tmpl
+++ b/templates/user/auth/prohibit_login.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user activate">
+<div role="main" aria-label="{{.Title}}" class="page-content user activate">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form">
diff --git a/templates/user/auth/reset_passwd.tmpl b/templates/user/auth/reset_passwd.tmpl
index e55eb8d330ea..449377869894 100644
--- a/templates/user/auth/reset_passwd.tmpl
+++ b/templates/user/auth/reset_passwd.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user reset password">
+<div role="main" aria-label="{{.Title}}" class="page-content user reset password">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form ignore-dirty" action="{{.Link}}" method="post">
diff --git a/templates/user/auth/signin.tmpl b/templates/user/auth/signin.tmpl
index d6cb7cc949f6..b0e9ce8c74fa 100644
--- a/templates/user/auth/signin.tmpl
+++ b/templates/user/auth/signin.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
+<div role="main" aria-label="{{.Title}}" class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
 	{{template "user/auth/signin_navbar" .}}
 	<div class="ui middle very relaxed page grid">
 		<div class="ui container column fluid">
diff --git a/templates/user/auth/signin_openid.tmpl b/templates/user/auth/signin_openid.tmpl
index 87004eda92cc..7a54589fd9e0 100644
--- a/templates/user/auth/signin_openid.tmpl
+++ b/templates/user/auth/signin_openid.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user signin openid">
+<div role="main" aria-label="{{.Title}}" class="page-content user signin openid">
 	{{template "user/auth/signin_navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/auth/signup.tmpl b/templates/user/auth/signup.tmpl
index 7b11731c8062..1d03f610dcee 100644
--- a/templates/user/auth/signup.tmpl
+++ b/templates/user/auth/signup.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
+<div role="main" aria-label="{{.Title}}" class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
 	<div class="ui middle very relaxed page grid">
 		{{template "user/auth/signup_inner" .}}
 	</div>
diff --git a/templates/user/auth/signup_openid_connect.tmpl b/templates/user/auth/signup_openid_connect.tmpl
index 36f0277b4028..89a2e410e89a 100644
--- a/templates/user/auth/signup_openid_connect.tmpl
+++ b/templates/user/auth/signup_openid_connect.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user signup">
+<div role="main" aria-label="{{.Title}}" class="page-content user signup">
 	{{template "user/auth/signup_openid_navbar" .}}
 	<div class="ui container">
 				{{template "base/alert" .}}
diff --git a/templates/user/auth/signup_openid_register.tmpl b/templates/user/auth/signup_openid_register.tmpl
index e54600ec8220..a490ea5a74d8 100644
--- a/templates/user/auth/signup_openid_register.tmpl
+++ b/templates/user/auth/signup_openid_register.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user signup">
+<div role="main" aria-label="{{.Title}}" class="page-content user signup">
 	{{template "user/auth/signup_openid_navbar" .}}
 	<div class="ui container">
 				{{template "base/alert" .}}
diff --git a/templates/user/auth/twofa.tmpl b/templates/user/auth/twofa.tmpl
index 5c735b27b6c8..4002266054e2 100644
--- a/templates/user/auth/twofa.tmpl
+++ b/templates/user/auth/twofa.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user signin">
+<div role="main" aria-label="{{.Title}}" class="page-content user signin">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/user/auth/twofa_scratch.tmpl b/templates/user/auth/twofa_scratch.tmpl
index bb3bbaa07f06..4ed7fce55e9d 100644
--- a/templates/user/auth/twofa_scratch.tmpl
+++ b/templates/user/auth/twofa_scratch.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user signin">
+<div role="main" aria-label="{{.Title}}" class="page-content user signin">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/user/code.tmpl b/templates/user/code.tmpl
index ecd6aa566cad..338aae2be169 100644
--- a/templates/user/code.tmpl
+++ b/templates/user/code.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository code-search">
+<div role="main" aria-label="{{.Title}}" class="page-content repository code-search">
 	{{template "user/overview/header" .}}
 	<div class="ui container">
 		{{template "code/searchform" .}}
diff --git a/templates/user/dashboard/dashboard.tmpl b/templates/user/dashboard/dashboard.tmpl
index 3eb8294e7725..d4553ea61ba2 100644
--- a/templates/user/dashboard/dashboard.tmpl
+++ b/templates/user/dashboard/dashboard.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content dashboard feeds">
+<div role="main" aria-label="{{.Title}}" class="page-content dashboard feeds">
 	{{template "user/dashboard/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/dashboard/issues.tmpl b/templates/user/dashboard/issues.tmpl
index 4ff6772a7293..ab7a403fa3a3 100644
--- a/templates/user/dashboard/issues.tmpl
+++ b/templates/user/dashboard/issues.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content dashboard issues">
+<div role="main" aria-label="{{.Title}}" class="page-content dashboard issues">
 	{{template "user/dashboard/navbar" .}}
 	<div class="ui container">
 		<div class="ui stackable grid">
diff --git a/templates/user/dashboard/milestones.tmpl b/templates/user/dashboard/milestones.tmpl
index fc9c92278fc2..736d703ee8ec 100644
--- a/templates/user/dashboard/milestones.tmpl
+++ b/templates/user/dashboard/milestones.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content dashboard issues repository milestones">
+<div role="main" aria-label="{{.Title}}" class="page-content dashboard issues repository milestones">
 	{{template "user/dashboard/navbar" .}}
 	<div class="ui container">
 		<div class="ui stackable grid">
diff --git a/templates/user/notification/notification_div.tmpl b/templates/user/notification/notification_div.tmpl
index 7c9f4d4a9be4..702dd419a391 100644
--- a/templates/user/notification/notification_div.tmpl
+++ b/templates/user/notification/notification_div.tmpl
@@ -1,4 +1,4 @@
-<div class="page-content user notification" id="notification_div" data-params="{{.Page.GetParams}}" data-sequence-number="{{.SequenceNumber}}">
+<div role="main" aria-label="{{.Title}}" class="page-content user notification" id="notification_div" data-params="{{.Page.GetParams}}" data-sequence-number="{{.SequenceNumber}}">
 	<div class="ui container">
 		<h1 class="ui dividing header">{{.locale.Tr "notification.notifications"}}</h1>
 		<div class="ui top attached tabular menu">
diff --git a/templates/user/notification/notification_subscriptions.tmpl b/templates/user/notification/notification_subscriptions.tmpl
index aa89c12ddedd..2083902c5af7 100644
--- a/templates/user/notification/notification_subscriptions.tmpl
+++ b/templates/user/notification/notification_subscriptions.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user notification" id="notification_subscriptions" data-params="{{.Page.GetParams}}" data-sequence-number="{{.SequenceNumber}}">
+<div role="main" aria-label="{{.Title}}" class="page-content user notification" id="notification_subscriptions" data-params="{{.Page.GetParams}}" data-sequence-number="{{.SequenceNumber}}">
 	<div class="ui container">
 		<div class="ui top attached tabular menu">
 			<a href="{{AppSubUrl}}/notifications/subscriptions" class="{{if eq .Status 1}}active {{end}}item">
diff --git a/templates/user/overview/package_versions.tmpl b/templates/user/overview/package_versions.tmpl
index c647d5a71cd2..0bab740f5c26 100644
--- a/templates/user/overview/package_versions.tmpl
+++ b/templates/user/overview/package_versions.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository packages">
+<div role="main" aria-label="{{.Title}}" class="page-content repository packages">
 	{{template "user/overview/header" .}}
 	{{template "package/shared/versionlist" .}}
 </div>
diff --git a/templates/user/overview/packages.tmpl b/templates/user/overview/packages.tmpl
index 8c3ca36c319a..8f8597c42d17 100644
--- a/templates/user/overview/packages.tmpl
+++ b/templates/user/overview/packages.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository packages">
+<div role="main" aria-label="{{.Title}}" class="page-content repository packages">
 	{{template "user/overview/header" .}}
 	{{template "package/shared/list" .}}
 </div>
diff --git a/templates/user/profile.tmpl b/templates/user/profile.tmpl
index 74211eb67b85..512e1187cd0b 100644
--- a/templates/user/profile.tmpl
+++ b/templates/user/profile.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user profile">
+<div role="main" aria-label="{{.Title}}" class="page-content user profile">
 	<div class="ui container">
 		<div class="ui stackable grid">
 			<div class="ui five wide column">
diff --git a/templates/user/project.tmpl b/templates/user/project.tmpl
index d38d84d95cfb..59eff13aa712 100644
--- a/templates/user/project.tmpl
+++ b/templates/user/project.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content repository new repo">
+<div role="main" aria-label="{{.Title}}" class="page-content repository new repo">
 	<div class="ui middle very relaxed page grid">
 		<div class="column">
 			<form class="ui form" action="{{.Link}}" method="post">
diff --git a/templates/user/settings/account.tmpl b/templates/user/settings/account.tmpl
index 3070e8889c08..9a57bd572267 100644
--- a/templates/user/settings/account.tmpl
+++ b/templates/user/settings/account.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings account">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings account">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/appearance.tmpl b/templates/user/settings/appearance.tmpl
index 233e682621bb..528fe52f2b43 100644
--- a/templates/user/settings/appearance.tmpl
+++ b/templates/user/settings/appearance.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings sshkeys">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings sshkeys">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/applications.tmpl b/templates/user/settings/applications.tmpl
index 5cea142238f5..29d76862f54d 100644
--- a/templates/user/settings/applications.tmpl
+++ b/templates/user/settings/applications.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings applications">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings applications">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/applications_oauth2_edit.tmpl b/templates/user/settings/applications_oauth2_edit.tmpl
index eb40976fb197..d2ca83b90d12 100644
--- a/templates/user/settings/applications_oauth2_edit.tmpl
+++ b/templates/user/settings/applications_oauth2_edit.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings applications">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings applications">
 	{{template "user/settings/navbar" .}}
 
 	{{template "user/settings/applications_oauth2_edit_form" .}}
diff --git a/templates/user/settings/keys.tmpl b/templates/user/settings/keys.tmpl
index c88868d000f4..9a4be2b2c2c0 100644
--- a/templates/user/settings/keys.tmpl
+++ b/templates/user/settings/keys.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings sshkeys">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings sshkeys">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/organization.tmpl b/templates/user/settings/organization.tmpl
index 703ac8ad8edb..8f1f682abf49 100644
--- a/templates/user/settings/organization.tmpl
+++ b/templates/user/settings/organization.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings organization">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings organization">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/packages.tmpl b/templates/user/settings/packages.tmpl
index 2612313454e8..9aae14f93432 100644
--- a/templates/user/settings/packages.tmpl
+++ b/templates/user/settings/packages.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings packages">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings packages">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/packages_cleanup_rules_edit.tmpl b/templates/user/settings/packages_cleanup_rules_edit.tmpl
index 4cf642b7e166..114c825a4839 100644
--- a/templates/user/settings/packages_cleanup_rules_edit.tmpl
+++ b/templates/user/settings/packages_cleanup_rules_edit.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings packages">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings packages">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/packages_cleanup_rules_preview.tmpl b/templates/user/settings/packages_cleanup_rules_preview.tmpl
index 20041f9a42fd..d37e5148b380 100644
--- a/templates/user/settings/packages_cleanup_rules_preview.tmpl
+++ b/templates/user/settings/packages_cleanup_rules_preview.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings packages admin">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings packages admin">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "package/shared/cleanup_rules/preview" .}}
diff --git a/templates/user/settings/profile.tmpl b/templates/user/settings/profile.tmpl
index 87b6e37ed52a..a362bf2c2d9f 100644
--- a/templates/user/settings/profile.tmpl
+++ b/templates/user/settings/profile.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings profile">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings profile">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/repos.tmpl b/templates/user/settings/repos.tmpl
index 54ea7ad2e169..c655aa86d716 100644
--- a/templates/user/settings/repos.tmpl
+++ b/templates/user/settings/repos.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings repos">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings repos">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/security/security.tmpl b/templates/user/settings/security/security.tmpl
index d93be9f64016..d412a4f4e844 100644
--- a/templates/user/settings/security/security.tmpl
+++ b/templates/user/settings/security/security.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings security">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings security">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
diff --git a/templates/user/settings/security/twofa_enroll.tmpl b/templates/user/settings/security/twofa_enroll.tmpl
index 0eb543f7471c..b7e1f4b7cc28 100644
--- a/templates/user/settings/security/twofa_enroll.tmpl
+++ b/templates/user/settings/security/twofa_enroll.tmpl
@@ -1,5 +1,5 @@
 {{template "base/head" .}}
-<div class="page-content user settings twofa">
+<div role="main" aria-label="{{.Title}}" class="page-content user settings twofa">
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}

From 3f2e7213720c299b3cace485e97584f0b512bcb7 Mon Sep 17 00:00:00 2001
From: Lukas <lukas@slucky.de>
Date: Thu, 2 Feb 2023 04:10:37 +0100
Subject: [PATCH 11/21] Allow setting access token scope by CLI (#22648)

Followup for #20908 to allow setting the scopes when creating new access
token via CLI.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
---
 cmd/admin.go | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/cmd/admin.go b/cmd/admin.go
index a662011f9c07..8f8c68f9810c 100644
--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -180,6 +180,11 @@ var (
 				Name:  "raw",
 				Usage: "Display only the token value",
 			},
+			cli.StringFlag{
+				Name:  "scopes",
+				Value: "",
+				Usage: "Comma separated list of scopes to apply to access token",
+			},
 		},
 		Action: runGenerateAccessToken,
 	}
@@ -698,9 +703,15 @@ func runGenerateAccessToken(c *cli.Context) error {
 		return err
 	}
 
+	accessTokenScope, err := auth_model.AccessTokenScope(c.String("scopes")).Normalize()
+	if err != nil {
+		return err
+	}
+
 	t := &auth_model.AccessToken{
-		Name: c.String("token-name"),
-		UID:  user.ID,
+		Name:  c.String("token-name"),
+		UID:   user.ID,
+		Scope: accessTokenScope,
 	}
 
 	if err := auth_model.NewAccessToken(t); err != nil {

From 4e946e5a7d79c3a933eefc8584444bc02f52b874 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 2 Feb 2023 11:49:28 +0800
Subject: [PATCH 12/21] Small refactor for loading PRs (#22652)

---
 models/issues/pull_list.go | 5 +++--
 services/pull/pull.go      | 1 -
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/models/issues/pull_list.go b/models/issues/pull_list.go
index 12dbff107d15..007c2fd90333 100644
--- a/models/issues/pull_list.go
+++ b/models/issues/pull_list.go
@@ -173,8 +173,9 @@ func (prs PullRequestList) loadAttributes(ctx context.Context) error {
 	for i := range issues {
 		set[issues[i].ID] = issues[i]
 	}
-	for i := range prs {
-		prs[i].Issue = set[prs[i].IssueID]
+	for _, pr := range prs {
+		pr.Issue = set[pr.IssueID]
+		pr.Issue.PullRequest = pr // panic here means issueIDs and prs are not in sync
 	}
 	return nil
 }
diff --git a/services/pull/pull.go b/services/pull/pull.go
index c983c4f3e78e..317875d2112d 100644
--- a/services/pull/pull.go
+++ b/services/pull/pull.go
@@ -298,7 +298,6 @@ func AddTestPullRequestTask(doer *user_model.User, repoID int64, branch string,
 						}
 					}
 
-					pr.Issue.PullRequest = pr
 					notification.NotifyPullRequestSynchronized(ctx, doer, pr)
 				}
 			}

From 5d9c64b3feeab32678a983d4256272c010a0e057 Mon Sep 17 00:00:00 2001
From: crystal <71373843+CrystalCommunication@users.noreply.github.com>
Date: Wed, 1 Feb 2023 21:51:02 -0700
Subject: [PATCH 13/21] Fix line spacing for plaintext previews (#22699)

Adding `<br>` between each line is not necessary since the entire file
is rendered inside a `<pre>`

fixes https://codeberg.org/Codeberg/Community/issues/915
---
 modules/charset/escape.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/modules/charset/escape.go b/modules/charset/escape.go
index 3b1c20697793..5608836a4510 100644
--- a/modules/charset/escape.go
+++ b/modules/charset/escape.go
@@ -44,7 +44,7 @@ func EscapeControlReader(reader io.Reader, writer io.Writer, locale translation.
 	return streamer.escaped, err
 }
 
-// EscapeControlStringReader escapes the unicode control sequences in a provided reader of string content and writer in a locale and returns the findings as an EscapeStatus and the escaped []byte
+// EscapeControlStringReader escapes the unicode control sequences in a provided reader of string content and writer in a locale and returns the findings as an EscapeStatus and the escaped []byte. HTML line breaks are not inserted after every newline by this method.
 func EscapeControlStringReader(reader io.Reader, writer io.Writer, locale translation.Locale, allowed ...rune) (escaped *EscapeStatus, err error) {
 	bufRd := bufio.NewReader(reader)
 	outputStream := &HTMLStreamerWriter{Writer: writer}
@@ -65,10 +65,6 @@ func EscapeControlStringReader(reader io.Reader, writer io.Writer, locale transl
 			}
 			break
 		}
-		if err := streamer.SelfClosingTag("br"); err != nil {
-			streamer.escaped.HasError = true
-			return streamer.escaped, err
-		}
 	}
 	return streamer.escaped, err
 }

From c46f53a627393766b6a7a4efc10218cbb792e7e3 Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Thu, 2 Feb 2023 13:39:55 +0800
Subject: [PATCH 14/21] Fix diff UI for unexpandable items (#22700)

Follows #21094

Before:

There are 2 problems:

1. Sometimes, the header starts with a number, sometimes, it starts with
an icon button. It makes the UI look like misaligned.
2. The second item's bottom border is too thick (actually, that's an
empty element with border, which should be hidden as well)
3. (An old problem) the number is not mono-font


![image](https://user-images.githubusercontent.com/2114189/215935944-003fe2d3-69bf-413c-bbae-0a4668a508c3.png)


After:

Fix above problems.


![image](https://user-images.githubusercontent.com/2114189/215944811-b867a20c-110c-47a2-aa52-572a8162a44d.png)

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
---
 templates/repo/diff/box.tmpl | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/templates/repo/diff/box.tmpl b/templates/repo/diff/box.tmpl
index f74714499ae5..798a7eae14d1 100644
--- a/templates/repo/diff/box.tmpl
+++ b/templates/repo/diff/box.tmpl
@@ -76,19 +76,18 @@
 						{{$isImage := or (call $.IsBlobAnImage $blobBase) (call $.IsBlobAnImage $blobHead)}}
 						{{$isCsv := (call $.IsCsvFile $file)}}
 						{{$showFileViewToggle := or $isImage (and (not $file.IsIncomplete) $isCsv)}}
-						<div class="diff-file-box diff-box file-content {{TabSizeClass $.Editorconfig $file.Name}} mt-3" id="diff-{{$file.NameHash}}" data-old-filename="{{$file.OldName}}" data-new-filename="{{$file.Name}}" {{if $file.ShouldBeHidden}}data-folded="true"{{end}}>
+						{{$isExpandable := or (gt $file.Addition 0) (gt $file.Deletion 0) $file.IsBin}}
+						<div class="diff-file-box diff-box file-content {{TabSizeClass $.Editorconfig $file.Name}} mt-3" id="diff-{{$file.NameHash}}" data-old-filename="{{$file.OldName}}" data-new-filename="{{$file.Name}}" {{if or ($file.ShouldBeHidden) (not $isExpandable)}}data-folded="true"{{end}}>
 							<h4 class="diff-file-header sticky-2nd-row ui top attached normal header df ac sb">
 								<div class="df ac">
-									{{if or (gt $file.Addition 0) (gt $file.Deletion 0) $file.IsBin}}
-										<a role="button" class="fold-file muted mr-2">
-											{{if $file.ShouldBeHidden}}
-												{{svg "octicon-chevron-right" 18}}
-											{{else}}
-												{{svg "octicon-chevron-down" 18}}
-											{{end}}
-										</a>
-									{{end}}
-									<div class="bold df ac">
+									<a role="button" class="fold-file muted mr-2" {{if not $isExpandable}}style="visibility: hidden"{{end}}>
+										{{if $file.ShouldBeHidden}}
+											{{svg "octicon-chevron-right" 18}}
+										{{else}}
+											{{svg "octicon-chevron-down" 18}}
+										{{end}}
+									</a>
+									<div class="bold df ac mono">
 										{{if $file.IsBin}}
 											<span class="ml-1 mr-3">
 												{{$.locale.Tr "repo.diff.bin"}}

From 9ef8bfb69bea6de663b1fbc595375a1dd78e7e35 Mon Sep 17 00:00:00 2001
From: yp05327 <576951401@qq.com>
Date: Thu, 2 Feb 2023 15:53:14 +0900
Subject: [PATCH 15/21] set user dashboard org visibility to basic (#22706)

Same to https://github.com/go-gitea/gitea/pull/22674 and
https://github.com/go-gitea/gitea/pull/22605

Sorry to create 3 PR to fix this.
I checked all span with class `org-visibility`, i think this is the last
one :)

And I found that private/limited user has no private/limited tag in
dashboard. but org does.
If it is ok i will add this feature in another pr.

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 templates/user/dashboard/navbar.tmpl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/user/dashboard/navbar.tmpl b/templates/user/dashboard/navbar.tmpl
index 4b20bf52680f..ab3d5029d145 100644
--- a/templates/user/dashboard/navbar.tmpl
+++ b/templates/user/dashboard/navbar.tmpl
@@ -7,8 +7,8 @@
 					<span class="truncated-item-name">{{.ContextUser.ShortName 40}}</span>
 					{{if .ContextUser.IsOrganization}}
 						<span class="org-visibility">
-							{{if .ContextUser.Visibility.IsLimited}}<div class="ui orange tiny horizontal label">{{.locale.Tr "org.settings.visibility.limited_shortname"}}</div>{{end}}
-							{{if .ContextUser.Visibility.IsPrivate}}<div class="ui red tiny horizontal label">{{.locale.Tr "org.settings.visibility.private_shortname"}}</div>{{end}}
+							{{if .ContextUser.Visibility.IsLimited}}<div class="ui basic tiny horizontal label">{{.locale.Tr "org.settings.visibility.limited_shortname"}}</div>{{end}}
+							{{if .ContextUser.Visibility.IsPrivate}}<div class="ui basic tiny horizontal label">{{.locale.Tr "org.settings.visibility.private_shortname"}}</div>{{end}}
 						</span>
 					{{end}}
 					{{svg "octicon-triangle-down" 14 "dropdown icon"}}
@@ -27,8 +27,8 @@
 								{{avatar .}}
 								<span class="truncated-item-name">{{.ShortName 40}}</span>
 								<span class="org-visibility">
-									{{if .Visibility.IsLimited}}<div class="ui orange tiny horizontal label">{{$.locale.Tr "org.settings.visibility.limited_shortname"}}</div>{{end}}
-									{{if .Visibility.IsPrivate}}<div class="ui red tiny horizontal label">{{$.locale.Tr "org.settings.visibility.private_shortname"}}</div>{{end}}
+									{{if .Visibility.IsLimited}}<div class="ui basic tiny horizontal label">{{$.locale.Tr "org.settings.visibility.limited_shortname"}}</div>{{end}}
+									{{if .Visibility.IsPrivate}}<div class="ui basic tiny horizontal label">{{$.locale.Tr "org.settings.visibility.private_shortname"}}</div>{{end}}
 								</span>
 							</a>
 						{{end}}

From 98770d3db8198714789c3182c14950d365ae4fb1 Mon Sep 17 00:00:00 2001
From: Pavel Ezhov <crazytushkan@gmail.com>
Date: Thu, 2 Feb 2023 10:45:00 +0300
Subject: [PATCH 16/21] Fix group filter for ldap source sync (#22506)

There are 2 separate flows of creating a user: authentication and source
sync.
When a group filter is defined, source sync ignores group filter, while
authentication respects it.
With this PR I've fixed this behavior, so both flows now apply this
filter when searching users in LDAP in a unified way.

- Unified LDAP group membership lookup for authentication and source
sync flows
- Replaced custom group membership lookup (used for authentication flow)
with an existing listLdapGroupMemberships method (used for source sync
flow)
- Modified listLdapGroupMemberships and getUserAttributeListedInGroup in
a way group lookup could be called separately
- Added user filtering based on a group membership for a source sync
- Added tests to cover this logic

Co-authored-by: Pavel Ezhov <paejov@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 services/auth/source/ldap/source_search.go | 137 +++++++++++----------
 tests/integration/auth_ldap_test.go        |  99 +++++++++++++--
 2 files changed, 159 insertions(+), 77 deletions(-)

diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
index 68ebba391769..16f13029f925 100644
--- a/services/auth/source/ldap/source_search.go
+++ b/services/auth/source/ldap/source_search.go
@@ -196,22 +196,39 @@ func checkRestricted(l *ldap.Conn, ls *Source, userDN string) bool {
 }
 
 // List all group memberships of a user
-func (source *Source) listLdapGroupMemberships(l *ldap.Conn, uid string) []string {
+func (source *Source) listLdapGroupMemberships(l *ldap.Conn, uid string, applyGroupFilter bool) []string {
 	var ldapGroups []string
-	groupFilter := fmt.Sprintf("(%s=%s)", source.GroupMemberUID, ldap.EscapeFilter(uid))
+	var searchFilter string
+
+	groupFilter, ok := source.sanitizedGroupFilter(source.GroupFilter)
+	if !ok {
+		return ldapGroups
+	}
+
+	groupDN, ok := source.sanitizedGroupDN(source.GroupDN)
+	if !ok {
+		return ldapGroups
+	}
+
+	if applyGroupFilter {
+		searchFilter = fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, source.GroupMemberUID, ldap.EscapeFilter(uid))
+	} else {
+		searchFilter = fmt.Sprintf("(%s=%s)", source.GroupMemberUID, ldap.EscapeFilter(uid))
+	}
+
 	result, err := l.Search(ldap.NewSearchRequest(
-		source.GroupDN,
+		groupDN,
 		ldap.ScopeWholeSubtree,
 		ldap.NeverDerefAliases,
 		0,
 		0,
 		false,
-		groupFilter,
+		searchFilter,
 		[]string{},
 		nil,
 	))
 	if err != nil {
-		log.Error("Failed group search using filter[%s]: %v", groupFilter, err)
+		log.Error("Failed group search in LDAP with filter [%s]: %v", searchFilter, err)
 		return ldapGroups
 	}
 
@@ -238,9 +255,7 @@ func (source *Source) mapLdapGroupsToTeams() map[string]map[string][]string {
 }
 
 // getMappedMemberships : returns the organizations and teams to modify the users membership
-func (source *Source) getMappedMemberships(l *ldap.Conn, uid string) (map[string][]string, map[string][]string) {
-	// get all LDAP group memberships for user
-	usersLdapGroups := source.listLdapGroupMemberships(l, uid)
+func (source *Source) getMappedMemberships(usersLdapGroups []string, uid string) (map[string][]string, map[string][]string) {
 	// unmarshall LDAP group team map from configs
 	ldapGroupsToTeams := source.mapLdapGroupsToTeams()
 	membershipsToAdd := map[string][]string{}
@@ -260,6 +275,14 @@ func (source *Source) getMappedMemberships(l *ldap.Conn, uid string) (map[string
 	return membershipsToAdd, membershipsToRemove
 }
 
+func (source *Source) getUserAttributeListedInGroup(entry *ldap.Entry) string {
+	if strings.ToLower(source.UserUID) == "dn" {
+		return entry.DN
+	}
+
+	return entry.GetAttributeValue(source.UserUID)
+}
+
 // SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
 func (source *Source) SearchEntry(name, passwd string, directBind bool) *SearchResult {
 	// See https://tools.ietf.org/search/rfc4513#section-5.1.2
@@ -375,58 +398,30 @@ func (source *Source) SearchEntry(name, passwd string, directBind bool) *SearchR
 	firstname := sr.Entries[0].GetAttributeValue(source.AttributeName)
 	surname := sr.Entries[0].GetAttributeValue(source.AttributeSurname)
 	mail := sr.Entries[0].GetAttributeValue(source.AttributeMail)
-	uid := sr.Entries[0].GetAttributeValue(source.UserUID)
-	if source.UserUID == "dn" || source.UserUID == "DN" {
-		uid = sr.Entries[0].DN
-	}
 
-	// Check group membership
-	if source.GroupsEnabled && source.GroupFilter != "" {
-		groupFilter, ok := source.sanitizedGroupFilter(source.GroupFilter)
-		if !ok {
-			return nil
-		}
-		groupDN, ok := source.sanitizedGroupDN(source.GroupDN)
-		if !ok {
-			return nil
-		}
+	teamsToAdd := make(map[string][]string)
+	teamsToRemove := make(map[string][]string)
 
-		log.Trace("Fetching groups '%v' with filter '%s' and base '%s'", source.GroupMemberUID, groupFilter, groupDN)
-		groupSearch := ldap.NewSearchRequest(
-			groupDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, groupFilter,
-			[]string{source.GroupMemberUID},
-			nil)
+	// Check group membership
+	if source.GroupsEnabled {
+		userAttributeListedInGroup := source.getUserAttributeListedInGroup(sr.Entries[0])
+		usersLdapGroups := source.listLdapGroupMemberships(l, userAttributeListedInGroup, true)
 
-		srg, err := l.Search(groupSearch)
-		if err != nil {
-			log.Error("LDAP group search failed: %v", err)
-			return nil
-		} else if len(srg.Entries) < 1 {
-			log.Error("LDAP group search failed: 0 entries")
+		if source.GroupFilter != "" && len(usersLdapGroups) == 0 {
 			return nil
 		}
 
-		isMember := false
-	Entries:
-		for _, group := range srg.Entries {
-			for _, member := range group.GetAttributeValues(source.GroupMemberUID) {
-				if (source.UserUID == "dn" && member == sr.Entries[0].DN) || member == uid {
-					isMember = true
-					break Entries
-				}
-			}
-		}
-
-		if !isMember {
-			log.Error("LDAP group membership test failed")
-			return nil
+		if source.GroupTeamMap != "" || source.GroupTeamMapRemoval {
+			teamsToAdd, teamsToRemove = source.getMappedMemberships(usersLdapGroups, userAttributeListedInGroup)
 		}
 	}
 
 	if isAttributeSSHPublicKeySet {
 		sshPublicKey = sr.Entries[0].GetAttributeValues(source.AttributeSSHPublicKey)
 	}
+
 	isAdmin := checkAdmin(l, source, userDN)
+
 	var isRestricted bool
 	if !isAdmin {
 		isRestricted = checkRestricted(l, source, userDN)
@@ -436,12 +431,6 @@ func (source *Source) SearchEntry(name, passwd string, directBind bool) *SearchR
 		Avatar = sr.Entries[0].GetRawAttributeValue(source.AttributeAvatar)
 	}
 
-	teamsToAdd := make(map[string][]string)
-	teamsToRemove := make(map[string][]string)
-	if source.GroupsEnabled && (source.GroupTeamMap != "" || source.GroupTeamMapRemoval) {
-		teamsToAdd, teamsToRemove = source.getMappedMemberships(l, uid)
-	}
-
 	if !directBind && source.AttributesInBind {
 		// binds user (checking password) after looking-up attributes in BindDN context
 		err = bindUser(l, userDN, passwd)
@@ -520,19 +509,29 @@ func (source *Source) SearchEntries() ([]*SearchResult, error) {
 		return nil, err
 	}
 
-	result := make([]*SearchResult, len(sr.Entries))
+	result := make([]*SearchResult, 0, len(sr.Entries))
 
-	for i, v := range sr.Entries {
+	for _, v := range sr.Entries {
 		teamsToAdd := make(map[string][]string)
 		teamsToRemove := make(map[string][]string)
-		if source.GroupsEnabled && (source.GroupTeamMap != "" || source.GroupTeamMapRemoval) {
-			userAttributeListedInGroup := v.GetAttributeValue(source.UserUID)
-			if source.UserUID == "dn" || source.UserUID == "DN" {
-				userAttributeListedInGroup = v.DN
+
+		if source.GroupsEnabled {
+			userAttributeListedInGroup := source.getUserAttributeListedInGroup(v)
+
+			if source.GroupFilter != "" {
+				usersLdapGroups := source.listLdapGroupMemberships(l, userAttributeListedInGroup, true)
+				if len(usersLdapGroups) == 0 {
+					continue
+				}
+			}
+
+			if source.GroupTeamMap != "" || source.GroupTeamMapRemoval {
+				usersLdapGroups := source.listLdapGroupMemberships(l, userAttributeListedInGroup, false)
+				teamsToAdd, teamsToRemove = source.getMappedMemberships(usersLdapGroups, userAttributeListedInGroup)
 			}
-			teamsToAdd, teamsToRemove = source.getMappedMemberships(l, userAttributeListedInGroup)
 		}
-		result[i] = &SearchResult{
+
+		user := &SearchResult{
 			Username:       v.GetAttributeValue(source.AttributeUsername),
 			Name:           v.GetAttributeValue(source.AttributeName),
 			Surname:        v.GetAttributeValue(source.AttributeSurname),
@@ -541,16 +540,22 @@ func (source *Source) SearchEntries() ([]*SearchResult, error) {
 			LdapTeamAdd:    teamsToAdd,
 			LdapTeamRemove: teamsToRemove,
 		}
-		if !result[i].IsAdmin {
-			result[i].IsRestricted = checkRestricted(l, source, v.DN)
+
+		if !user.IsAdmin {
+			user.IsRestricted = checkRestricted(l, source, v.DN)
 		}
+
 		if isAttributeSSHPublicKeySet {
-			result[i].SSHPublicKey = v.GetAttributeValues(source.AttributeSSHPublicKey)
+			user.SSHPublicKey = v.GetAttributeValues(source.AttributeSSHPublicKey)
 		}
+
 		if isAtributeAvatarSet {
-			result[i].Avatar = v.GetRawAttributeValue(source.AttributeAvatar)
+			user.Avatar = v.GetRawAttributeValue(source.AttributeAvatar)
 		}
-		result[i].LowerName = strings.ToLower(result[i].Username)
+
+		user.LowerName = strings.ToLower(user.Username)
+
+		result = append(result, user)
 	}
 
 	return result, nil
diff --git a/tests/integration/auth_ldap_test.go b/tests/integration/auth_ldap_test.go
index 88571ecd614e..9dfa4c73d83e 100644
--- a/tests/integration/auth_ldap_test.go
+++ b/tests/integration/auth_ldap_test.go
@@ -11,12 +11,14 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/organization"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/translation"
 	"code.gitea.io/gitea/services/auth"
+	"code.gitea.io/gitea/services/auth/source/ldap"
 	"code.gitea.io/gitea/tests"
 
 	"github.com/stretchr/testify/assert"
@@ -102,13 +104,28 @@ func getLDAPServerHost() string {
 	return host
 }
 
-func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string, groupMapParams ...string) {
+func getLDAPServerPort() string {
+	port := os.Getenv("TEST_LDAP_PORT")
+	if len(port) == 0 {
+		port = "389"
+	}
+	return port
+}
+
+func addAuthSourceLDAP(t *testing.T, sshKeyAttribute, groupFilter string, groupMapParams ...string) {
 	groupTeamMapRemoval := "off"
 	groupTeamMap := ""
 	if len(groupMapParams) == 2 {
 		groupTeamMapRemoval = groupMapParams[0]
 		groupTeamMap = groupMapParams[1]
 	}
+
+	// Modify user filter to test group filter explicitly
+	userFilter := "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))"
+	if groupFilter != "" {
+		userFilter = "(&(objectClass=inetOrgPerson)(uid=%s))"
+	}
+
 	session := loginUser(t, "user1")
 	csrf := GetCSRF(t, session, "/admin/auths/new")
 	req := NewRequestWithValues(t, "POST", "/admin/auths/new", map[string]string{
@@ -116,11 +133,11 @@ func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string, groupMapParams ...s
 		"type":                     "2",
 		"name":                     "ldap",
 		"host":                     getLDAPServerHost(),
-		"port":                     "389",
+		"port":                     getLDAPServerPort(),
 		"bind_dn":                  "uid=gitea,ou=service,dc=planetexpress,dc=com",
 		"bind_password":            "password",
 		"user_base":                "ou=people,dc=planetexpress,dc=com",
-		"filter":                   "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))",
+		"filter":                   userFilter,
 		"admin_filter":             "(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)",
 		"restricted_filter":        "(uid=leela)",
 		"attribute_username":       "uid",
@@ -133,6 +150,7 @@ func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string, groupMapParams ...s
 		"groups_enabled":           "on",
 		"group_dn":                 "ou=people,dc=planetexpress,dc=com",
 		"group_member_uid":         "member",
+		"group_filter":             groupFilter,
 		"group_team_map":           groupTeamMap,
 		"group_team_map_removal":   groupTeamMapRemoval,
 		"user_uid":                 "DN",
@@ -146,7 +164,7 @@ func TestLDAPUserSignin(t *testing.T) {
 		return
 	}
 	defer tests.PrepareTestEnv(t)()
-	addAuthSourceLDAP(t, "")
+	addAuthSourceLDAP(t, "", "")
 
 	u := gitLDAPUsers[0]
 
@@ -163,7 +181,7 @@ func TestLDAPUserSignin(t *testing.T) {
 
 func TestLDAPAuthChange(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
-	addAuthSourceLDAP(t, "")
+	addAuthSourceLDAP(t, "", "")
 
 	session := loginUser(t, "user1")
 	req := NewRequest(t, "GET", "/admin/auths")
@@ -221,7 +239,7 @@ func TestLDAPUserSync(t *testing.T) {
 		return
 	}
 	defer tests.PrepareTestEnv(t)()
-	addAuthSourceLDAP(t, "")
+	addAuthSourceLDAP(t, "", "")
 	auth.SyncExternalUsers(context.Background(), true)
 
 	session := loginUser(t, "user1")
@@ -266,13 +284,72 @@ func TestLDAPUserSync(t *testing.T) {
 	}
 }
 
+func TestLDAPUserSyncWithGroupFilter(t *testing.T) {
+	if skipLDAPTests() {
+		t.Skip()
+		return
+	}
+	defer tests.PrepareTestEnv(t)()
+	addAuthSourceLDAP(t, "", "(cn=git)")
+
+	// Assert a user not a member of the LDAP group "cn=git" cannot login
+	// This test may look like TestLDAPUserSigninFailed but it is not.
+	// The later test uses user filter containing group membership filter (memberOf)
+	// This test is for the case when LDAP user records may not be linked with
+	// all groups the user is a member of, the user filter is modified accordingly inside
+	// the addAuthSourceLDAP based on the value of the groupFilter
+	u := otherLDAPUsers[0]
+	testLoginFailed(t, u.UserName, u.Password, translation.NewLocale("en-US").Tr("form.username_password_incorrect"))
+
+	auth.SyncExternalUsers(context.Background(), true)
+
+	// Assert members of LDAP group "cn=git" are added
+	for _, gitLDAPUser := range gitLDAPUsers {
+		unittest.BeanExists(t, &user_model.User{
+			Name: gitLDAPUser.UserName,
+		})
+	}
+
+	// Assert everyone else is not added
+	for _, gitLDAPUser := range otherLDAPUsers {
+		unittest.AssertNotExistsBean(t, &user_model.User{
+			Name: gitLDAPUser.UserName,
+		})
+	}
+
+	ldapSource := unittest.AssertExistsAndLoadBean(t, &auth_model.Source{
+		Name: "ldap",
+	})
+	ldapConfig := ldapSource.Cfg.(*ldap.Source)
+	ldapConfig.GroupFilter = "(cn=ship_crew)"
+	auth_model.UpdateSource(ldapSource)
+
+	auth.SyncExternalUsers(context.Background(), true)
+
+	for _, gitLDAPUser := range gitLDAPUsers {
+		if gitLDAPUser.UserName == "fry" || gitLDAPUser.UserName == "leela" || gitLDAPUser.UserName == "bender" {
+			// Assert members of the LDAP group "cn-ship_crew" are still active
+			user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
+				Name: gitLDAPUser.UserName,
+			})
+			assert.True(t, user.IsActive, "User %s should be active", gitLDAPUser.UserName)
+		} else {
+			// Assert everyone else is inactive
+			user := unittest.AssertExistsAndLoadBean(t, &user_model.User{
+				Name: gitLDAPUser.UserName,
+			})
+			assert.False(t, user.IsActive, "User %s should be inactive", gitLDAPUser.UserName)
+		}
+	}
+}
+
 func TestLDAPUserSigninFailed(t *testing.T) {
 	if skipLDAPTests() {
 		t.Skip()
 		return
 	}
 	defer tests.PrepareTestEnv(t)()
-	addAuthSourceLDAP(t, "")
+	addAuthSourceLDAP(t, "", "")
 
 	u := otherLDAPUsers[0]
 	testLoginFailed(t, u.UserName, u.Password, translation.NewLocale("en-US").Tr("form.username_password_incorrect"))
@@ -284,7 +361,7 @@ func TestLDAPUserSSHKeySync(t *testing.T) {
 		return
 	}
 	defer tests.PrepareTestEnv(t)()
-	addAuthSourceLDAP(t, "sshPublicKey")
+	addAuthSourceLDAP(t, "sshPublicKey", "")
 
 	auth.SyncExternalUsers(context.Background(), true)
 
@@ -317,7 +394,7 @@ func TestLDAPGroupTeamSyncAddMember(t *testing.T) {
 		return
 	}
 	defer tests.PrepareTestEnv(t)()
-	addAuthSourceLDAP(t, "", "on", `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`)
+	addAuthSourceLDAP(t, "", "", "on", `{"cn=ship_crew,ou=people,dc=planetexpress,dc=com":{"org26": ["team11"]},"cn=admin_staff,ou=people,dc=planetexpress,dc=com": {"non-existent": ["non-existent"]}}`)
 	org, err := organization.GetOrgByName("org26")
 	assert.NoError(t, err)
 	team, err := organization.GetTeam(db.DefaultContext, org.ID, "team11")
@@ -362,7 +439,7 @@ func TestLDAPGroupTeamSyncRemoveMember(t *testing.T) {
 		return
 	}
 	defer tests.PrepareTestEnv(t)()
-	addAuthSourceLDAP(t, "", "on", `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`)
+	addAuthSourceLDAP(t, "", "", "on", `{"cn=dispatch,ou=people,dc=planetexpress,dc=com": {"org26": ["team11"]}}`)
 	org, err := organization.GetOrgByName("org26")
 	assert.NoError(t, err)
 	team, err := organization.GetTeam(db.DefaultContext, org.ID, "team11")
@@ -398,7 +475,7 @@ func TestBrokenLDAPMapUserSignin(t *testing.T) {
 		return
 	}
 	defer tests.PrepareTestEnv(t)()
-	addAuthSourceLDAP(t, "", "on", `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`)
+	addAuthSourceLDAP(t, "", "", "on", `{"NOT_A_VALID_JSON"["MISSING_DOUBLE_POINT"]}`)
 
 	u := gitLDAPUsers[0]
 

From 368d43643f8f8ed1bfb1462d5cae586c90e93383 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 2 Feb 2023 20:40:08 +0800
Subject: [PATCH 17/21] Fix actions workflow branches match bug (#22724)

caused by #22680

`pushPayload.Ref` and `prPayload.PullRequest.Base.Ref` have the format
like `refs/heads/<branch_name>`, so we need to trim the prefix before
comparing.
---
 modules/actions/workflows.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/actions/workflows.go b/modules/actions/workflows.go
index c1c8e71f53b5..7f0e6e456436 100644
--- a/modules/actions/workflows.go
+++ b/modules/actions/workflows.go
@@ -75,7 +75,6 @@ func DetectWorkflows(commit *git.Commit, triggedEvent webhook_module.HookEventTy
 			if evt.Name != triggedEvent.Event() {
 				continue
 			}
-
 			if detectMatched(commit, triggedEvent, payload, evt) {
 				workflows[entry.Name()] = content
 			}
@@ -105,8 +104,9 @@ func detectMatched(commit *git.Commit, triggedEvent webhook_module.HookEventType
 		for cond, vals := range evt.Acts {
 			switch cond {
 			case "branches", "tags":
+				refShortName := git.RefName(pushPayload.Ref).ShortName()
 				for _, val := range vals {
-					if glob.MustCompile(val, '/').Match(pushPayload.Ref) {
+					if glob.MustCompile(val, '/').Match(refShortName) {
 						matchTimes++
 						break
 					}
@@ -160,8 +160,9 @@ func detectMatched(commit *git.Commit, triggedEvent webhook_module.HookEventType
 					}
 				}
 			case "branches":
+				refShortName := git.RefName(prPayload.PullRequest.Base.Ref).ShortName()
 				for _, val := range vals {
-					if glob.MustCompile(val, '/').Match(prPayload.PullRequest.Base.Ref) {
+					if glob.MustCompile(val, '/').Match(refShortName) {
 						matchTimes++
 						break
 					}

From ccb38512818dd3ee86f7960ed6cdf34754e4d09f Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Fri, 3 Feb 2023 01:39:38 +0800
Subject: [PATCH 18/21] Add some comments for recent code (#22725)

When using the main branch, I found that some changed code didn't have
comments.

This PR adds some comments.
---
 models/dbfs/dbfs.go            | 29 +++++++++++++++++++++++++++++
 modules/httpcache/httpcache.go |  2 ++
 tests/mysql.ini.tmpl           |  1 +
 3 files changed, 32 insertions(+)

diff --git a/models/dbfs/dbfs.go b/models/dbfs/dbfs.go
index 89d3dc7cbc91..6b5b3beeb274 100644
--- a/models/dbfs/dbfs.go
+++ b/models/dbfs/dbfs.go
@@ -10,6 +10,35 @@ import (
 	"code.gitea.io/gitea/models/db"
 )
 
+/*
+The reasons behind the DBFS (database-filesystem) package:
+When a Gitea action is running, the Gitea action server should collect and store all the logs.
+
+The requirements are:
+* The running logs must be stored across the cluster if the Gitea servers are deployed as a cluster.
+* The logs will be archived to Object Storage (S3/MinIO, etc.) after a period of time.
+* The Gitea action UI should be able to render the running logs and the archived logs.
+
+Some possible solutions for the running logs:
+* [Not ideal] Using local temp file: it can not be shared across the cluster.
+* [Not ideal] Using shared file in the filesystem of git repository: although at the moment, the Gitea cluster's
+	git repositories must be stored in a shared filesystem, in the future, Gitea may need a dedicated Git Service Server
+	to decouple the shared filesystem. Then the action logs will become a blocker.
+* [Not ideal] Record the logs in a database table line by line: it has a couple of problems:
+	- It's difficult to make multiple increasing sequence (log line number) for different databases.
+	- The database table will have a lot of rows and be affected by the big-table performance problem.
+	- It's difficult to load logs by using the same interface as other storages.
+  - It's difficult to calculate the size of the logs.
+
+The DBFS solution:
+* It can be used in a cluster.
+* It can share the same interface (Read/Write/Seek) as other storages.
+* It's very friendly to database because it only needs to store much fewer rows than the log-line solution.
+* In the future, when Gitea action needs to limit the log size (other CI/CD services also do so), it's easier to calculate the log file size.
+* Even sometimes the UI needs to render the tailing lines, the tailing lines can be found be counting the "\n" from the end of the file by seek.
+  The seeking and finding is not the fastest way, but it's still acceptable and won't affect the performance too much.
+*/
+
 type dbfsMeta struct {
 	ID              int64  `xorm:"pk autoincr"`
 	FullPath        string `xorm:"VARCHAR(500) UNIQUE NOT NULL"`
diff --git a/modules/httpcache/httpcache.go b/modules/httpcache/httpcache.go
index d7d9ce0b7ebf..f0caa30eb82b 100644
--- a/modules/httpcache/httpcache.go
+++ b/modules/httpcache/httpcache.go
@@ -19,6 +19,8 @@ import (
 func AddCacheControlToHeader(h http.Header, maxAge time.Duration, additionalDirectives ...string) {
 	directives := make([]string, 0, 2+len(additionalDirectives))
 
+	// "max-age=0 + must-revalidate" (aka "no-cache") is preferred instead of "no-store"
+	// because browsers may restore some input fields after navigate-back / reload a page.
 	if setting.IsProd {
 		if maxAge == 0 {
 			directives = append(directives, "max-age=0", "private", "must-revalidate")
diff --git a/tests/mysql.ini.tmpl b/tests/mysql.ini.tmpl
index b7ed98c34e91..1dd7bfab2a49 100644
--- a/tests/mysql.ini.tmpl
+++ b/tests/mysql.ini.tmpl
@@ -126,6 +126,7 @@ INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0OTU1NTE2MTh9.h
 ENABLED = true
 
 [email.incoming]
+; temporarily disabled because the incoming mail tests are flaky due to the IMAP server (during integration tests) couldn't be not ready in time sometimes.
 ENABLED = false
 HOST = smtpimap
 PORT = 993

From 2914c5299b37c3f98997fc923b0b715c9b3f750a Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Thu, 2 Feb 2023 18:25:54 +0000
Subject: [PATCH 19/21] Improve error report when user passes a private key
 (#22726)

The error reported when a user passes a private ssh key as their ssh
public key is not very nice.

This PR improves this slightly.

Ref #22693

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: delvh <dev.lh@web.de>
---
 models/asymkey/error.go          | 3 +++
 models/asymkey/ssh_key_parse.go  | 3 +++
 options/locale/locale_en-US.ini  | 1 +
 routers/web/repo/setting.go      | 4 ++++
 routers/web/user/setting/keys.go | 2 ++
 5 files changed, 13 insertions(+)

diff --git a/models/asymkey/error.go b/models/asymkey/error.go
index 1d486082f461..03bc82302f10 100644
--- a/models/asymkey/error.go
+++ b/models/asymkey/error.go
@@ -24,6 +24,9 @@ func (err ErrKeyUnableVerify) Error() string {
 	return fmt.Sprintf("Unable to verify key content [result: %s]", err.Result)
 }
 
+// ErrKeyIsPrivate is returned when the provided key is a private key not a public key
+var ErrKeyIsPrivate = util.NewSilentWrapErrorf(util.ErrInvalidArgument, "the provided key is a private key")
+
 // ErrKeyNotExist represents a "KeyNotExist" kind of error.
 type ErrKeyNotExist struct {
 	ID int64
diff --git a/models/asymkey/ssh_key_parse.go b/models/asymkey/ssh_key_parse.go
index 1df6db6fa721..8693c87e76b2 100644
--- a/models/asymkey/ssh_key_parse.go
+++ b/models/asymkey/ssh_key_parse.go
@@ -96,6 +96,9 @@ func parseKeyString(content string) (string, error) {
 			if block == nil {
 				return "", fmt.Errorf("failed to parse PEM block containing the public key")
 			}
+			if strings.Contains(block.Type, "PRIVATE") {
+				return "", ErrKeyIsPrivate
+			}
 
 			pub, err := x509.ParsePKIXPublicKey(block.Bytes)
 			if err != nil {
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 8465660cc075..26217293a5ef 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -518,6 +518,7 @@ organization_leave_success = You have successfully left the organization %s.
 invalid_ssh_key = Cannot verify your SSH key: %s
 invalid_gpg_key = Cannot verify your GPG key: %s
 invalid_ssh_principal = Invalid principal: %s
+must_use_public_key = The key you provided is a private key. Please do not upload your private key anywhere. Use your public key instead.
 unable_verify_ssh_key = "Cannot verify the SSH key; double-check it for mistakes."
 auth_failed = Authentication failed: %v
 
diff --git a/routers/web/repo/setting.go b/routers/web/repo/setting.go
index da52957548be..2cc263e5bbfd 100644
--- a/routers/web/repo/setting.go
+++ b/routers/web/repo/setting.go
@@ -1158,6 +1158,10 @@ func DeployKeysPost(ctx *context.Context) {
 			ctx.Flash.Info(ctx.Tr("settings.ssh_disabled"))
 		} else if asymkey_model.IsErrKeyUnableVerify(err) {
 			ctx.Flash.Info(ctx.Tr("form.unable_verify_ssh_key"))
+		} else if err == asymkey_model.ErrKeyIsPrivate {
+			ctx.Data["HasError"] = true
+			ctx.Data["Err_Content"] = true
+			ctx.Flash.Error(ctx.Tr("form.must_use_public_key"))
 		} else {
 			ctx.Data["HasError"] = true
 			ctx.Data["Err_Content"] = true
diff --git a/routers/web/user/setting/keys.go b/routers/web/user/setting/keys.go
index 0ecc39ecd17e..6debf95bbce0 100644
--- a/routers/web/user/setting/keys.go
+++ b/routers/web/user/setting/keys.go
@@ -159,6 +159,8 @@ func KeysPost(ctx *context.Context) {
 				ctx.Flash.Info(ctx.Tr("settings.ssh_disabled"))
 			} else if asymkey_model.IsErrKeyUnableVerify(err) {
 				ctx.Flash.Info(ctx.Tr("form.unable_verify_ssh_key"))
+			} else if err == asymkey_model.ErrKeyIsPrivate {
+				ctx.Flash.Error(ctx.Tr("form.must_use_public_key"))
 			} else {
 				ctx.Flash.Error(ctx.Tr("form.invalid_ssh_key", err.Error()))
 			}

From 82728a7cecfe4d254890545fea49d6afde4f40db Mon Sep 17 00:00:00 2001
From: Jason Song <i@wolfogre.com>
Date: Fri, 3 Feb 2023 04:48:48 +0800
Subject: [PATCH 20/21] Do not overwrite empty DefaultBranch (#22708)

Fix #21994.
And fix #19470.

While generating new repo from a template, it does something like
"commit to git repo, re-fetch repo model from DB, and update default
branch if it's empty".


https://github.com/go-gitea/gitea/blob/19d5b2f922c2defde579a935fbedb680eb8fff18/modules/repository/generate.go#L241-L253

Unfortunately, when load repo from DB, the default branch will be set to
`setting.Repository.DefaultBranch` if it's empty:


https://github.com/go-gitea/gitea/blob/19d5b2f922c2defde579a935fbedb680eb8fff18/models/repo/repo.go#L228-L233

I believe it's a very old temporary patch but has been kept for many
years, see:
[2d2d85bb](https://github.com/go-gitea/gitea/commit/2d2d85bb#diff-1851799b06733db4df3ec74385c1e8850ee5aedee70b8b55366910d22725eea8)

I know it's a risk to delete it, may lead to potential behavioral
changes, but we cannot keep the outdated `FIXME` forever. On the other
hand, an empty `DefaultBranch` does make sense: an empty repo doesn't
have one conceptually (actually, Gitea will still set it to
`setting.Repository.DefaultBranch` to make it safer).
---
 models/fixtures/repository.yml | 26 ++++++++++++++++++++++++++
 models/repo/repo.go            |  5 -----
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/models/fixtures/repository.yml b/models/fixtures/repository.yml
index 5d4781ad44f7..ef3cfbbbec7c 100644
--- a/models/fixtures/repository.yml
+++ b/models/fixtures/repository.yml
@@ -4,6 +4,7 @@
   owner_name: user2
   lower_name: repo1
   name: repo1
+  default_branch: master
   num_watches: 4
   num_stars: 0
   num_forks: 0
@@ -34,6 +35,7 @@
   owner_name: user2
   lower_name: repo2
   name: repo2
+  default_branch: master
   num_watches: 0
   num_stars: 1
   num_forks: 0
@@ -64,6 +66,7 @@
   owner_name: user3
   lower_name: repo3
   name: repo3
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -94,6 +97,7 @@
   owner_name: user5
   lower_name: repo4
   name: repo4
+  default_branch: master
   num_watches: 0
   num_stars: 1
   num_forks: 0
@@ -274,6 +278,7 @@
   owner_name: user12
   lower_name: repo10
   name: repo10
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 1
@@ -304,6 +309,7 @@
   owner_name: user13
   lower_name: repo11
   name: repo11
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -425,6 +431,7 @@
   owner_name: user2
   lower_name: repo15
   name: repo15
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -455,6 +462,7 @@
   owner_name: user2
   lower_name: repo16
   name: repo16
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -905,6 +913,7 @@
   owner_name: user2
   lower_name: repo20
   name: repo20
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -965,6 +974,7 @@
   owner_name: user2
   lower_name: utf8
   name: utf8
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1055,6 +1065,7 @@
   owner_name: user2
   lower_name: commits_search_test
   name: commits_search_test
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1085,6 +1096,7 @@
   owner_name: user2
   lower_name: git_hooks_test
   name: git_hooks_test
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1115,6 +1127,7 @@
   owner_name: limited_org
   lower_name: public_repo_on_limited_org
   name: public_repo_on_limited_org
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1145,6 +1158,7 @@
   owner_name: limited_org
   lower_name: private_repo_on_limited_org
   name: private_repo_on_limited_org
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1175,6 +1189,7 @@
   owner_name: privated_org
   lower_name: public_repo_on_private_org
   name: public_repo_on_private_org
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1205,6 +1220,7 @@
   owner_name: privated_org
   lower_name: private_repo_on_private_org
   name: private_repo_on_private_org
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1235,6 +1251,7 @@
   owner_name: user2
   lower_name: glob
   name: glob
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1295,6 +1312,7 @@
   owner_name: user27
   lower_name: template1
   name: template1
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1355,6 +1373,7 @@
   owner_name: org26
   lower_name: repo_external_tracker
   name: repo_external_tracker
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1385,6 +1404,7 @@
   owner_name: org26
   lower_name: repo_external_tracker_numeric
   name: repo_external_tracker_numeric
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1415,6 +1435,7 @@
   owner_name: org26
   lower_name: repo_external_tracker_alpha
   name: repo_external_tracker_alpha
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1445,6 +1466,7 @@
   owner_name: user27
   lower_name: repo49
   name: repo49
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1475,6 +1497,7 @@
   owner_name: user30
   lower_name: repo50
   name: repo50
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1505,6 +1528,7 @@
   owner_name: user30
   lower_name: repo51
   name: repo51
+  default_branch: master
   num_watches: 0
   num_stars: 0
   num_forks: 0
@@ -1565,6 +1589,7 @@
   owner_name: user30
   lower_name: renderer
   name: renderer
+  default_branch: master
   is_archived: false
   is_empty: false
   is_private: false
@@ -1592,6 +1617,7 @@
   owner_name: user2
   lower_name: lfs
   name: lfs
+  default_branch: master
   is_empty: false
   is_archived: false
   is_private: true
diff --git a/models/repo/repo.go b/models/repo/repo.go
index 831eb22dc5a5..06ec34ed631a 100644
--- a/models/repo/repo.go
+++ b/models/repo/repo.go
@@ -227,11 +227,6 @@ func (repo *Repository) IsBroken() bool {
 
 // AfterLoad is invoked from XORM after setting the values of all fields of this object.
 func (repo *Repository) AfterLoad() {
-	// FIXME: use models migration to solve all at once.
-	if len(repo.DefaultBranch) == 0 {
-		repo.DefaultBranch = setting.Repository.DefaultBranch
-	}
-
 	repo.NumOpenIssues = repo.NumIssues - repo.NumClosedIssues
 	repo.NumOpenPulls = repo.NumPulls - repo.NumClosedPulls
 	repo.NumOpenMilestones = repo.NumMilestones - repo.NumClosedMilestones

From 891391689a26e0bc3dcb1558512d3c2b6857232d Mon Sep 17 00:00:00 2001
From: jladbrook <jhladbrook@gmail.com>
Date: Fri, 3 Feb 2023 06:24:45 +0000
Subject: [PATCH 21/21] Update button is shown when a Pull Request is marked
 WIP - Issue #21740 (#22683)

Fix #21740.

Updated the Pull Request template so that the 'Update branch by merge'
button is visible for WIP PR's. Making the behaviour match a non WIP-PR.

Previous WIP page with changes pending on the branch:


![image](https://user-images.githubusercontent.com/1656302/215738307-e68a2f92-5ff8-4f48-a541-35ca81d1f1a4.png)

Updated UI adding the update button:


![image](https://user-images.githubusercontent.com/1656302/215737872-e0e9d712-b7aa-4b90-b7ed-6a92a14fc182.png)

## Notes

* have not removed the **$canAutoMerge** variable from the pull.tmpl on
this
[line](https://github.com/go-gitea/gitea/blob/36dc11869d0401b796a7a3f74627fec842a4a89a/templates/repo/issue/view_content/pull.tmpl#L131)
- doesn't appear to be used elsewhere but wasn't sure
* In order to avoid duplicating code corresponding UI code was added to
a new tmpl file, ```update_branch_by_merge.tmpl``` and is called in two
places from ```pull.tmpl```.

---------

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
---
 templates/repo/issue/view_content/pull.tmpl   | 40 +------------------
 .../view_content/update_branch_by_merge.tmpl  | 39 ++++++++++++++++++
 2 files changed, 41 insertions(+), 38 deletions(-)
 create mode 100644 templates/repo/issue/view_content/update_branch_by_merge.tmpl

diff --git a/templates/repo/issue/view_content/pull.tmpl b/templates/repo/issue/view_content/pull.tmpl
index 1f94001db06e..dc671eb6d670 100644
--- a/templates/repo/issue/view_content/pull.tmpl
+++ b/templates/repo/issue/view_content/pull.tmpl
@@ -190,6 +190,7 @@
 						{{end}}
 					</div>
 				</div>
+				{{template "repo/issue/view_content/update_branch_by_merge" (dict "locale" .locale "Issue" .Issue  "UpdateAllowed" .UpdateAllowed "UpdateByRebaseAllowed" .UpdateByRebaseAllowed "Link" .Link)}}
 			{{else if .Issue.PullRequest.IsChecking}}
 				<div class="item">
 					<i class="icon icon-octicon">{{svg "octicon-sync"}}</i>
@@ -282,44 +283,7 @@
 						</div>
 					{{end}}
 				{{end}}
-				{{if and (gt .Issue.PullRequest.CommitsBehind 0) (not  .Issue.IsClosed) (not .Issue.PullRequest.IsChecking) (not .IsPullFilesConflicted) (not .IsPullRequestBroken) (not $canAutoMerge)}}
-					<div class="ui divider"></div>
-					<div class="item item-section">
-						<div class="item-section-left">
-							<i class="icon icon-octicon">{{svg "octicon-alert"}}</i>
-							{{$.locale.Tr "repo.pulls.outdated_with_base_branch"}}
-						</div>
-						<div class="item-section-right">
-							{{if and .UpdateAllowed .UpdateByRebaseAllowed}}
-								<div class="dib">
-									<div class="ui buttons update-button">
-										<button class="ui button" data-do="{{.Link}}/update" data-redirect="{{.Link}}">
-											<span class="button-text">
-												{{$.locale.Tr "repo.pulls.update_branch"}}
-											</span>
-										</button>
-
-										<div class="ui dropdown icon button no-text">
-											{{svg "octicon-triangle-down" 14 "dropdown icon"}}
-											<div class="menu">
-												<div class="item active selected" data-do="{{.Link}}/update">{{$.locale.Tr "repo.pulls.update_branch"}}</div>
-												<div class="item" data-do="{{.Link}}/update?style=rebase">{{$.locale.Tr "repo.pulls.update_branch_rebase"}}</div>
-											</div>
-										</div>
-									</div>
-								</div>
-							{{end}}
-							{{if and .UpdateAllowed (not .UpdateByRebaseAllowed)}}
-								<form action="{{.Link}}/update" method="post" class="ui update-branch-form">
-									{{.CsrfTokenHtml}}
-									<button class="ui compact button" data-do="update">
-										<span class="ui text">{{$.locale.Tr "repo.pulls.update_branch"}}</span>
-									</button>
-								</form>
-							{{end}}
-						</div>
-					</div>
-				{{end}}
+				{{template "repo/issue/view_content/update_branch_by_merge" (dict "locale" .locale "Issue" .Issue  "UpdateAllowed" .UpdateAllowed "UpdateByRebaseAllowed" .UpdateByRebaseAllowed "Link" .Link)}}
 				{{if .Issue.PullRequest.IsEmpty}}
 					<div class="ui divider"></div>
 
diff --git a/templates/repo/issue/view_content/update_branch_by_merge.tmpl b/templates/repo/issue/view_content/update_branch_by_merge.tmpl
new file mode 100644
index 000000000000..3bc8dcca9752
--- /dev/null
+++ b/templates/repo/issue/view_content/update_branch_by_merge.tmpl
@@ -0,0 +1,39 @@
+{{$canAutoMerge := false}}
+{{if and (gt .Issue.PullRequest.CommitsBehind 0) (not  .Issue.IsClosed) (not .Issue.PullRequest.IsChecking) (not .IsPullFilesConflicted) (not .IsPullRequestBroken) (not $canAutoMerge)}}
+	<div class="ui divider"></div>
+	<div class="item item-section">
+		<div class="item-section-left">
+			<i class="icon icon-octicon">{{svg "octicon-alert"}}</i>
+			{{$.locale.Tr "repo.pulls.outdated_with_base_branch"}}
+		</div>
+		<div class="item-section-right">
+			{{if and .UpdateAllowed .UpdateByRebaseAllowed}}
+				<div class="dib">
+					<div class="ui buttons update-button">
+						<button class="ui button" data-do="{{.Link}}/update" data-redirect="{{.Link}}">
+							<span class="button-text">
+								{{$.locale.Tr "repo.pulls.update_branch"}}
+							</span>
+						</button>
+
+						<div class="ui dropdown icon button no-text">
+							{{svg "octicon-triangle-down" 14 "dropdown icon"}}
+							<div class="menu">
+								<div class="item active selected" data-do="{{.Link}}/update">{{$.locale.Tr "repo.pulls.update_branch"}}</div>
+								<div class="item" data-do="{{.Link}}/update?style=rebase">{{$.locale.Tr "repo.pulls.update_branch_rebase"}}</div>
+							</div>
+						</div>
+					</div>
+				</div>
+			{{end}}
+			{{if and .UpdateAllowed (not .UpdateByRebaseAllowed)}}
+				<form action="{{.Link}}/update" method="post" class="ui update-branch-form">
+					{{.CsrfTokenHtml}}
+					<button class="ui compact button" data-do="update">
+						<span class="ui text">{{$.locale.Tr "repo.pulls.update_branch"}}</span>
+					</button>
+				</form>
+			{{end}}
+		</div>
+	</div>
+{{end}}