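# RPM spec for RepoGoon, a self-hosted Git hosting platform (Node.js/Express).
#
# Build: installs npm dependencies from the lockfile with install scripts
#        disabled, removes prebuilt native binaries, rebuilds native modules
#        from source, then prunes dev dependencies.
# Scriptlets (all run as root):
#   pre    - creates the service account; on upgrade, snapshots app/config/data
#   post   - seeds or merges config.yml, may enable server.trustProxy, and
#            repairs execute bits on bundled helper binaries
#   postun - removes the service account on full uninstall
%global debug_package %{nil}

Name:           repogoon
Version:        0.11.7
Release:        20260212
Summary:        Self-hosted Git repository hosting platform
BuildArch:      %{_target_cpu}

License:        MPL-2.0
Source0:        %{name}-%{version}.tar.gz

BuildRequires:  nodejs
BuildRequires:  nodejs-npm
BuildRequires:  systemd-rpm-macros
BuildRequires:  gcc-c++
BuildRequires:  make
BuildRequires:  python3

Requires:       nodejs
Requires:       nodejs-npm
Requires:       git-core
Requires(pre):  shadow-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd

# Provide the user/group that %pre creates (satisfies auto-generated deps from file attrs)
Provides:       user(repogoon)
Provides:       group(repogoon)

# Optional dependencies
Recommends:     nginx
Recommends:     certbot
Recommends:     yq
Recommends:     sqlite
Suggests:       postgresql-server
Suggests:       mariadb-server

%description
RepoGoon is a self-hosted Git repository hosting platform built with Node.js
and Express. Features include:
- Multiple database backends (SQLite, PostgreSQL, MySQL, Oracle, Convex)
- YAML-based configuration
- LDAP and OIDC authentication support
- Dynamic rate limiting
- Built-in web interface
- CLI management tool (rgoon-ctl)

%prep
%setup -q

%build
# Prevent prebuild-install from downloading prebuilt binaries
# This forces compilation from source during npm ci
export npm_config_build_from_source=true
export PREBUILD_ARCH="%{_target_cpu}"

# Install dependencies with ignore-scripts to prevent prebuild downloads.
# npm ci installs exactly what the lockfile pins, so the lockfile in Source0
# is what defines the shipped dependency set.
npm ci --ignore-scripts

# Delete ANY prebuilt binaries that might exist in the package
# This ensures we don't accidentally ship generic prebuilds with old glibc deps
find node_modules -type d -name "prebuilds" -exec rm -rf {} + 2>/dev/null || true
# Only delete node-gyp build outputs (Release/Debug), not package directories like workbox-build/build
find node_modules -type d -name "Release" -path "*/build/*" -exec rm -rf {} + 2>/dev/null || true
find node_modules -type d -name "Debug" -path "*/build/*" -exec rm -rf {} + 2>/dev/null || true

# Rebuild all native modules from source.
# NOTE(review): unlike the npm ci step above, this step runs without
# --ignore-scripts, so dependency build scripts presumably execute here
# inside the build environment.
npm rebuild --build-from-source

# Build the frontend and server
npm run build:all

# Remove dev dependencies for production
npm prune --omit=dev

%install
# Create directories
install -d %{buildroot}%{_datadir}/%{name}
install -d %{buildroot}%{_sysconfdir}/%{name}
install -d %{buildroot}%{_localstatedir}/lib/%{name}
install -d %{buildroot}%{_localstatedir}/lib/%{name}/repos
install -d %{buildroot}%{_localstatedir}/lib/%{name}/avatars
install -d %{buildroot}%{_localstatedir}/lib/%{name}/backup
install -d %{buildroot}%{_localstatedir}/log/%{name}
install -d %{buildroot}%{_bindir}
install -d %{buildroot}%{_unitdir}
install -d %{buildroot}%{_sysconfdir}/nginx/conf.d

# Copy application files
cp -r server %{buildroot}%{_datadir}/%{name}/
cp -r dist %{buildroot}%{_datadir}/%{name}/
cp -r node_modules %{buildroot}%{_datadir}/%{name}/
cp package.json %{buildroot}%{_datadir}/%{name}/
cp -r convex %{buildroot}%{_datadir}/%{name}/

# Copy public directory but exclude avatars (handled by symlink)
# We copy to a temporary location first or just copy and clean up
cp -r public %{buildroot}%{_datadir}/%{name}/
rm -rf %{buildroot}%{_datadir}/%{name}/public/avatars

# Install nginx template
install -d %{buildroot}%{_datadir}/%{name}/nginx
install -m 0644 nginx/repogoon.conf.template %{buildroot}%{_datadir}/%{name}/nginx/

# Install configuration file (as default template)
install -m 0640 config.yml %{buildroot}%{_sysconfdir}/%{name}/config.yml.default
# Only create config.yml if it doesn't exist (handled in %post)

# Install CLI tool
install -m 0755 rgoon-ctl %{buildroot}%{_bindir}/rgoon-ctl

# Install man page
install -d %{buildroot}%{_mandir}/man1
install -m 0644 man/rgoon-ctl.1 %{buildroot}%{_mandir}/man1/rgoon-ctl.1

# Create symlink for config
ln -sf %{_sysconfdir}/%{name}/config.yml %{buildroot}%{_datadir}/%{name}/config.yml

# Create symlinks for data directories
ln -sf %{_localstatedir}/lib/%{name}/repos %{buildroot}%{_datadir}/%{name}/repos
install -d %{buildroot}%{_datadir}/%{name}/public
ln -sf %{_localstatedir}/lib/%{name}/avatars %{buildroot}%{_datadir}/%{name}/public/avatars

# Install systemd service file (same unit directory macro as the files list)
install -m 0644 repogoon.service %{buildroot}%{_unitdir}/repogoon.service

# Create environment file template
cat > %{buildroot}%{_sysconfdir}/%{name}/environment << 'EOF'
# RepoGoon environment variables
# Uncomment and modify as needed
# NODE_ENV=production
# REPOGOON_CONFIG=/etc/repogoon/config.yml
EOF

%pre
# Create repogoon user and group
getent group repogoon >/dev/null || groupadd -r repogoon
getent passwd repogoon >/dev/null || \
    useradd -r -g repogoon -d %{_localstatedir}/lib/%{name} \
    -s /sbin/nologin -c "RepoGoon service account" repogoon

# Create backup before upgrade
if [ "$1" -ge 2 ]; then
    BACKUP_DIR=%{_localstatedir}/lib/%{name}/backup
    BACKUP_NAME="$(date +%%Y%%m%%d-%%H%%M%%S)-repogoon_backup"
    BACKUP_PATH="$BACKUP_DIR/$BACKUP_NAME"

    # Ensure backup directory exists
    mkdir -p "$BACKUP_DIR"

    # This scriptlet runs as root, but the backup directory is owned by the
    # service account (see the files list). Create the per-run directory with
    # plain mkdir so the step fails if that path already exists in any form,
    # instead of copying into something this scriptlet did not just create.
    # NOTE(review): the parent directories stay service-account-writable;
    # a root-owned backup location would remove that dependency entirely.
    if mkdir -m 0750 "$BACKUP_PATH" 2>/dev/null; then
        echo "Creating pre-upgrade backup at $BACKUP_PATH..."

        # Backup application files
        if [ -d %{_datadir}/%{name} ]; then
            cp -a %{_datadir}/%{name} "$BACKUP_PATH/app" 2>/dev/null || true
        fi

        # Backup configuration
        if [ -d %{_sysconfdir}/%{name} ]; then
            cp -a %{_sysconfdir}/%{name} "$BACKUP_PATH/config" 2>/dev/null || true
        fi

        # Backup data (repos, avatars) - exclude the backup dir itself
        if [ -d %{_localstatedir}/lib/%{name} ]; then
            mkdir -p "$BACKUP_PATH/data"
            for item in repos avatars branding; do
                if [ -d "%{_localstatedir}/lib/%{name}/$item" ]; then
                    cp -a "%{_localstatedir}/lib/%{name}/$item" "$BACKUP_PATH/data/" 2>/dev/null || true
                fi
            done
        fi

        # Set ownership
        # NOTE(review): this also hands the copied configuration (packaged as
        # root-owned, group-readable) to the service account as owner.
        chown -R repogoon:repogoon "$BACKUP_PATH" 2>/dev/null || true

        echo "Backup completed: $BACKUP_PATH"
    else
        echo "WARNING: could not create $BACKUP_PATH; skipping pre-upgrade backup" >&2
    fi
fi

# Never block the transaction on a backup problem
exit 0

%post
%systemd_post %{name}.service

# Config file handling
CONFIG_FILE=%{_sysconfdir}/%{name}/config.yml
DEFAULT_CONFIG=%{_sysconfdir}/%{name}/config.yml.default

# Succeeds when at least one non-comment line under directory $1 matches the
# extended regex $2. Lines that are entirely a "#" comment are ignored so that
# commented-out examples do not count as an active directive.
conf_tree_has_directive() {
    [ -d "$1" ] || return 1
    grep -RhsE -- "$2" "$1" 2>/dev/null | grep -qvE '^[[:space:]]*#'
}

detect_reverse_proxy() {
    # Detect common reverse proxy setups that forward traffic to local upstreams.
    # Returns 0 when likely behind a proxy, 1 otherwise.
    # This is a host-wide heuristic: it shows that some proxy directive exists
    # on the machine, not that RepoGoon itself is served through it.
    local nginx_re='(proxy_set_header[[:space:]]+X-Forwarded-(For|Proto)|proxy_pass[[:space:]]+http://(127\.0\.0\.1|localhost|0\.0\.0\.0))'
    local apache_re='(ProxyPass|RequestHeader[[:space:]]+set[[:space:]]+X-Forwarded-(For|Proto))'

    conf_tree_has_directive /etc/nginx "$nginx_re" && return 0
    conf_tree_has_directive /etc/httpd "$apache_re" && return 0
    conf_tree_has_directive /etc/apache2 "$apache_re" && return 0
    return 1
}

# Print the current trustProxy value from config file $1.
# With yq the key is read at .server.trustProxy; the fallback takes the first
# line that starts with "trustProxy:" at any nesting level.
get_trust_proxy_value() {
    local file="$1"

    if command -v yq >/dev/null 2>&1; then
        yq '.server.trustProxy' "$file" 2>/dev/null | sed 's/^"//' | sed 's/"$//'
    else
        grep -E '^[[:space:]]*trustProxy:' "$file" 2>/dev/null | head -1 | awk -F: '{print $2}' | xargs
    fi
}

# Set trustProxy to true in config file $1, editing in place.
set_trust_proxy_true() {
    local file="$1"

    if command -v yq >/dev/null 2>&1; then
        yq -i '.server.trustProxy = true' "$file"
    else
        if grep -qE '^[[:space:]]*trustProxy:' "$file"; then
            sed -i 's/^\([[:space:]]*trustProxy:[[:space:]]*\).*/\1true/' "$file"
        else
            # NOTE(review): the appended key assumes two-space nesting under
            # "server:" - confirm against the shipped config.yml.
            sed -i '/^[[:space:]]*server:[[:space:]]*$/a\  trustProxy: true' "$file"
        fi
    fi
}

# Give every bundled esbuild binary root:repogoon ownership and mode 0750.
# find runs chown/chmod directly, so paths are never word-split by the shell.
ensure_esbuild_executable() {
    local app_dir="%{_datadir}/%{name}"

    [ -d "$app_dir/node_modules/@esbuild" ] || return 0

    find "$app_dir/node_modules/@esbuild" -type f -path "*/bin/esbuild" \
        -exec chown root:repogoon {} + \
        -exec chmod 0750 {} + 2>/dev/null || true
}

# Make node_modules/.bin entries and their in-package targets executable
# (root:repogoon, 0750).
ensure_node_bin_targets_executable() {
    local app_dir="%{_datadir}/%{name}"
    local bin_dir="$app_dir/node_modules/.bin"
    local bin_entry
    local target

    [ -d "$bin_dir" ] || return 0

    find "$bin_dir" -maxdepth 1 -mindepth 1 \( -type f -o -type l \) 2>/dev/null |
    while IFS= read -r bin_entry; do
        # Touch the entry directly only when it is a real file. chown and
        # chmod follow symlinks, so links are handled solely by the branch
        # below, which first confirms the resolved target is inside the
        # package tree.
        if [ -f "$bin_entry" ] && [ ! -L "$bin_entry" ]; then
            chown root:repogoon "$bin_entry" 2>/dev/null || true
            chmod 0750 "$bin_entry" 2>/dev/null || true
        fi

        target=$(readlink -f "$bin_entry" 2>/dev/null || true)
        case "$target" in
            "$app_dir"/node_modules/*)
                if [ -f "$target" ]; then
                    chown root:repogoon "$target" 2>/dev/null || true
                    chmod 0750 "$target" 2>/dev/null || true
                fi
                ;;
        esac
    done
}

if [ "$1" -eq 1 ]; then
    # First install - copy default config
    if [ ! -f "$CONFIG_FILE" ]; then
        cp "$DEFAULT_CONFIG" "$CONFIG_FILE"
        # NOTE(review): the files list declares config.yml as root:repogoon,
        # while this makes the service account the owner (and so able to
        # rewrite its own configuration) - confirm which is intended.
        chown repogoon:repogoon "$CONFIG_FILE"
        chmod 0640 "$CONFIG_FILE"
    fi

    # Set ownership on first install
    chown -R repogoon:repogoon %{_localstatedir}/lib/%{name}
    chown -R repogoon:repogoon %{_localstatedir}/log/%{name}

    echo ""
    echo "=========================================="
    echo " RepoGoon installed successfully!"
    echo "=========================================="
    echo ""
    echo "Next steps:"
    echo " 1. Configure: sudo rgoon-ctl --setup"
    echo " 2. Start: sudo systemctl start repogoon"
    echo " 3. Enable on boot: sudo systemctl enable repogoon"
    echo ""
    echo "Configuration: /etc/repogoon/config.yml"
    echo "Data directory: /var/lib/repogoon"
    echo "Logs: journalctl -u repogoon"
    echo ""
elif [ "$1" -ge 2 ]; then
    # Upgrade - merge new options into existing config
    if [ -f "$CONFIG_FILE" ] && [ -f "$DEFAULT_CONFIG" ]; then
        # Check if yq is available for smart merging
        if command -v yq >/dev/null 2>&1; then
            # Create backup
            # cp "$CONFIG_FILE" "$CONFIG_FILE.bak.$(date +%%Y%%m%%d%%H%%M%%S)"
            # Config is already backed up in %pre to /var/lib/repogoon/backup/

            # Merge: default config provides new keys, existing config provides values
            # This adds any new keys from default while preserving user's existing values
            # Note: We strip comments from the existing config before merge to prevent
            # yq from duplicating header comments with each upgrade
            TEMP_CONFIG=$(mktemp)
            TEMP_EXISTING=$(mktemp)

            # Both yq steps must succeed before the live config is replaced;
            # a failed comment-strip must never feed an empty "existing" file
            # into the merge.
            if yq '... comments=""' "$CONFIG_FILE" > "$TEMP_EXISTING" 2>/dev/null &&
               yq eval-all 'select(fileIndex == 0) * select(fileIndex == 1)' "$DEFAULT_CONFIG" "$TEMP_EXISTING" > "$TEMP_CONFIG" 2>/dev/null &&
               [ -s "$TEMP_CONFIG" ]; then
                # Write through the existing file so its owner and mode are kept
                cat "$TEMP_CONFIG" > "$CONFIG_FILE"
                echo "Config updated: new options merged, existing values preserved"
            else
                echo "Config merge skipped: check $DEFAULT_CONFIG for new options"
            fi
            rm -f "$TEMP_CONFIG" "$TEMP_EXISTING"
        else
            # yq not available - notify user to check for new options
            echo ""
            echo "NOTE: New configuration options may be available."
            echo "Compare your config with: $DEFAULT_CONFIG"
            echo "Or install 'yq' for automatic config merging on future updates."
            echo ""
        fi
    fi

    # Upgrade safety check: detect reverse proxy deployments and ensure trustProxy is enabled.
    # NOTE(review): any value other than true/True/TRUE/1 is treated as "not
    # enabled", so an explicit false is re-enabled on every upgrade whenever
    # the host-wide proxy heuristic matches. With trustProxy on, the server
    # presumably derives client addresses from X-Forwarded-* headers, which is
    # only sound when the app cannot be reached except through the proxy.
    if [ -f "$CONFIG_FILE" ]; then
        TRUST_PROXY_VALUE="$(get_trust_proxy_value "$CONFIG_FILE")"
        case "$TRUST_PROXY_VALUE" in
            true|True|TRUE|1)
                TRUST_PROXY_ENABLED=1
                ;;
            *)
                TRUST_PROXY_ENABLED=0
                ;;
        esac

        if detect_reverse_proxy; then
            if [ "$TRUST_PROXY_ENABLED" -eq 0 ]; then
                if set_trust_proxy_true "$CONFIG_FILE"; then
                    chown repogoon:repogoon "$CONFIG_FILE" 2>/dev/null || true
                    chmod 0640 "$CONFIG_FILE" 2>/dev/null || true
                    echo "Detected reverse proxy configuration; set server.trustProxy=true in $CONFIG_FILE"
                    echo "NOTE: confirm that RepoGoon is reachable only through the reverse proxy."
                else
                    echo "WARNING: Reverse proxy detected but failed to set server.trustProxy=true automatically."
                    echo "Please set server.trustProxy=true in $CONFIG_FILE"
                fi
            fi
        fi
    fi
fi

# Ensure tsx/esbuild runtime binaries are executable on install and upgrade.
ensure_esbuild_executable
ensure_node_bin_targets_executable

%preun
%systemd_preun %{name}.service

%postun
%systemd_postun_with_restart %{name}.service

# Remove user/group on complete uninstall
# NOTE(review): non-empty data directories (for example repos) survive the
# uninstall and keep the numeric owner id, which a later-created account could
# be assigned. Leaving the account in place avoids that.
if [ "$1" -eq 0 ]; then
    userdel repogoon 2>/dev/null || :
    groupdel repogoon 2>/dev/null || :
fi

%files
%license LICENSE
%doc README.md

# Application
%defattr(0640,root,repogoon,0750)
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/server
%{_datadir}/%{name}/dist
%{_datadir}/%{name}/node_modules
# Ensure binaries in node_modules are executable
%attr(0750,root,repogoon) %{_datadir}/%{name}/node_modules/.bin/*
%attr(0750,root,repogoon) %{_datadir}/%{name}/node_modules/@esbuild/*/bin/esbuild
%attr(0750,root,repogoon) %{_datadir}/%{name}/node_modules/convex/bin/*
%{_datadir}/%{name}/package.json
%{_datadir}/%{name}/nginx
%{_datadir}/%{name}/config.yml
%{_datadir}/%{name}/repos
%{_datadir}/%{name}/public
%{_datadir}/%{name}/convex

# CLI tool
%attr(0755,root,root) %{_bindir}/rgoon-ctl
# Explicit mode: the restrictive default above would otherwise make the man
# page unreadable for ordinary users.
%attr(0644,root,root) %{_mandir}/man1/rgoon-ctl.1*

# Configuration
%dir %attr(0750,root,repogoon) %{_sysconfdir}/%{name}
%config(noreplace) %attr(0640,root,repogoon) %{_sysconfdir}/%{name}/config.yml.default
%ghost %config(noreplace) %attr(0640,root,repogoon) %{_sysconfdir}/%{name}/config.yml
%config(noreplace) %attr(0640,root,repogoon) %{_sysconfdir}/%{name}/environment

# Systemd
# Explicit mode and owner: the unit file should not inherit the application
# tree's 0640 root:repogoon default.
%attr(0644,root,root) %{_unitdir}/%{name}.service

# Data directories
%dir %attr(0750,repogoon,repogoon) %{_localstatedir}/lib/%{name}
%dir %attr(0750,repogoon,repogoon) %{_localstatedir}/lib/%{name}/repos
%dir %attr(0750,repogoon,repogoon) %{_localstatedir}/lib/%{name}/avatars
%dir %attr(0750,repogoon,repogoon) %{_localstatedir}/lib/%{name}/backup
%dir %attr(0750,repogoon,repogoon) %{_localstatedir}/log/%{name}

%changelog
* Thu Feb 12 2026 BurningPho3nix - 0.11.7-20260212
- Fixed file browser path duplication issue in web interface.
- Updated git ls-tree output parsing to correctly handle full relative paths.

* Thu Feb 12 2026 BurningPho3nix - 0.11.6-20260212
- Fixed "dubious ownership" errors in git operations by enforcing safe.directory=* for all git commands.
- Ensures compatibility when service user (repogoon) accesses repositories with strict ownership checks.

* Thu Feb 12 2026 BurningPho3nix - 0.11.5-20260212
- Fixed ENOENT errors for public directory access in production.
- Updated path resolution to correctly identify public directory location in RPM installs.

* Thu Feb 12 2026 BurningPho3nix - 0.11.4-20260212
- Fixed MODULE_NOT_FOUND errors in production by using absolute path resolution.
- Added paths.ts utility for robust dev/prod directory detection.
- Fixed hook installation path resolution in production environments.

* Thu Feb 12 2026 BurningPho3nix - 0.11.3-20260212
- Fixed RPM build to compile both frontend and server artifacts via `npm run build:all`.
- Ensures `dist/server/index.js` is included for `systemd` startup with `node dist/server/index.js`.

* Thu Feb 12 2026 BurningPho3nix - 0.11.2-20260212
- Added middleware test coverage for disabled-account checks across session and token authentication paths.
- Improved middleware integration test reliability for async auth/scope flow execution.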
- Updated project dependencies to newer patch releases, including AWS SDK S3 client, TypeScript toolchain, and runtime libraries. * Tue Feb 10 2026 BurningPho3nix - 0.11.1-20260210 - Fixed production startup failure where tsx could not execute @esbuild/*/bin/esbuild (EACCES). - Added explicit executable file permissions for node_modules/@esbuild/*/bin/esbuild in RPM payload. - Added install/upgrade %post remediation to enforce root:repogoon ownership and 0750 mode on esbuild binaries. - Fixed Convex CLI execution failures where node_modules/.bin/convex symlink target lacked execute permissions. - Added explicit executable file permissions for node_modules/convex/bin/* in RPM payload. - Added install/upgrade %post remediation for node_modules/.bin entries and resolved in-package targets. - Added config-first internal hook secret resolution with environment fallback for compatibility. - Added setup-time generation of server.internalSecret and a dedicated rgoon-ctl command to generate it when missing. * Tue Feb 10 2026 BurningPho3nix - 0.11.0-20260210 - Completed TypeScript rewrite/migration across server, frontend, routes, middleware, and database drivers. - Security hardening summary since TypeScript rewrite phase started: - Fixed multiple path traversal and arbitrary file access/write vectors in repository content, snippets, and release asset handling. - Replaced weak token/identifier randomness with cryptographic RNG in core token generation paths. - Strengthened SSRF defenses: - enforced URL validation for migration/webhook targets (protocol/host/private-IP/embedded-credential checks), - disabled redirect following on outbound webhook and migration API fetches. 
- Hardened authentication/session boundaries: - added session ID regeneration on login-equivalent flows (local, OIDC, 2FA completion, email verification), - enforced disabled-account checks in auth middleware, admin middleware, and token-authenticated API access paths, - enforced disabled-account checks in forced-2FA enrollment and 2FA login-completion flows, - aligned OIDC flow with force-2FA/disabled-account policy checks. - Closed route-level auth consistency gaps: - replaced custom avatar-route auth with shared `requireAuth` middleware so central account-status checks always apply, - fixed admin self-delete guard ID comparison to avoid type-mismatch bypass edge cases. - Mitigated OIDC access risks: - sanitized returnTo redirects to prevent open redirect abuse, - added pending OIDC state cap and cleanup safeguards. - Expanded auth abuse protection: - added rate limits for 2FA setup/verify-required, resend-verification, and OIDC login endpoints, - restricted API access until mandatory 2FA setup is completed. - Hardened deployment/network trust assumptions: - made trust proxy configurable (`server.trustProxy`) and enforced stricter production validation, - added strict CORS allowlist behavior with explicit credential safety checks, - added startup logging of effective API access policy. - RPM upgrade hardening: - detect common reverse-proxy deployments during package update and auto-enable `server.trustProxy` when appropriate. 
* Mon Feb 09 2026 BurningPho3nix - 0.10.6-20260209 - Fixed permission issues with node_modules/.bin/* - Fixed permission issues with rgoon-ctl * Mon Feb 09 2026 BurningPho3nix - 0.10.5-20260209 - Moved documentation (Roadmap, Contributing, Security Policy) to Wiki - Updated rgoon-ctl to set default API host to 127.0.0.1 for security - Added log file path verification to rgoon-ctl setup - Updated logging configuration defaults * Mon Feb 09 2026 BurningPho3nix - 0.10.4-20260209 - Fixed broken/incorrect wiki links in README.md - Fixed snippet clone URL generation to respect domain and SSL settings - Fixed release upload directory creation to be more robust (added error handling and existence check) - Ensured release upload directory exists on server start * Mon Feb 09 2026 BurningPho3nix - 0.10.3-20260209 - Fixed snippet creation failure in Convex driver by adding missing functions - Fixed regex validation error in repository settings (escaped hyphen) - Audited all database drivers for snippet function consistency * Mon Feb 09 2026 BurningPho3nix - 0.10.2-20260209 - Fixed 2FA session timeout issues (clock skew and missing method crash) - Added common password check to validation logic * Fri Feb 06 2026 BurningPho3nix - 0.10.1-20260206 - Fixed 410 Authentication errors during 2FA - Fixed 500 Registration error * Fri Feb 06 2026 BurningPho3nix - 0.10.0-20260206 - Added Releases feature for publishing versioned releases with assets - Added Snippets feature for sharing public code snippets - Updated in-repo documentation and wiki pages - Added a man page for rgoon-ctl * Tue Feb 03 2026 BurningPho3nix - 0.9.2-20260203 - Added TypeScript definition files for better type support (tsconfig.json) - Added express-session type definitions for enhanced session management - Refactored database driver selection for improved readability and maintainability - Updated validation middleware documentation for clarity - Removed unused password validation function from auth.js - 
Simplified error handling in Login component for better user experience * Tue Feb 03 2026 BurningPho3nix - 0.9.1-20260203 - Updated to version 0.9.1 - Fixed TypeError in request logger serializers (guard against undefined req/res objects) - Added null checks before accessing headers in logger serializers - Fixed logger serializer to use originalUrl if available * Mon Feb 02 2026 BurningPho3nix - 0.9.0-20260202 - Updated to version 0.9.0 * Fri Jan 30 2026 BurningPho3nix - 0.8.7-20260130 - Fixed wiki "require is not defined" error (added execFileSync to ES module imports) - Fixed CSRF middleware blocking internal API calls (pre-receive hook validation) * Thu Jan 29 2026 BurningPho3nix - 0.8.6-20260129 - SECURITY: Fixed command injection in Git operations (now uses execFile with parameterized args) - SECURITY: Fixed LDAP injection vulnerability (added RFC 4515 filter escaping) - SECURITY: Fixed missing authorization on comment deletion (added permission checks) - SECURITY: Fixed SSRF in repository migration (added URL validation and private IP blocking) - SECURITY: Strengthened password policy (10+ chars with complexity requirements) - SECURITY: Fixed LFS routes lacking authorization (added auth middleware and access checks) - SECURITY: Fixed missing authorization on issue close/reopen endpoints - SECURITY: Fixed path traversal via encoded characters (multi-decode and canonical path validation) - SECURITY: Fixed user ID disclosure in 2FA flow (now uses temporary pending tokens) - SECURITY: Added CSRF protection using Double Submit Cookie pattern - SECURITY: Added webhook secret encryption at rest (AES-256-GCM) - SECURITY: Added user-based rate limiting for authenticated requests - SECURITY: Added session secret validation (fails startup in production if weak) - SECURITY: Removed token scopes from error responses (prevents scope enumeration) - SECURITY: Added security headers (CSP, X-Frame-Options, HSTS, X-Content-Type-Options, etc.) 
- SECURITY: Sanitized verbose error messages in production environment - SECURITY: Fixed email enumeration (consistent response messages) - Added cookie-parser dependency for CSRF token handling - Added encryption utility module for sensitive data at rest - Removed unused shellEscape and execGitSync functions from git utilities * Thu Jan 22 2026 BurningPho3nix - 0.8.5-20260122 - Updated footer source link URL to repogoon.org for consistency - Improved Convex getAllUsers performance with concurrent user normalization (Promise.all) * Thu Jan 22 2026 BurningPho3nix - 0.8.4-20260122 - Added admin account disable/enable feature with dedicated `disabled` column - Added initial Let's Encrypt certificate creation to rgoon-ctl setup wizard - Fixed TypeError on /users page (added optional chaining for undefined fields) - Fixed similar potential crashes in Discovery and StarredRepos pages - Added `disabled` column migration for all database backends (SQLite, MySQL, PostgreSQL, Oracle, Convex) * Wed Jan 21 2026 BurningPho3nix - 0.8.3-20260121 - Added wiki routes to server index for public access without authentication - Streamlined documentation by consolidating DEPLOY.md into README.md - Added links to Wiki for detailed guides - Fixed wiki internal links navigating to wrong page (now uses React Router navigation) * Wed Jan 21 2026 BurningPho3nix - 0.8.2-20260121 - Added wiki clone URL display with copy-to-clipboard feature - Added auto-creation of wiki repository on first push - Fixed git initialization to use configured default branch (--initial-branch option) - Improved wiki routing and authorization checks * Wed Jan 21 2026 BurningPho3nix - 0.8.1-20260121 - Fixed Convex driver normalization for pull request functions (_id to id conversion) - Fixed missing await in triggerWebhooks causing "webhooks is not iterable" error - Fixed parseInt calls on Convex string IDs causing "Pull request not found" errors - Fixed avatar URL expansion for PR authors and comment authors in 
Convex driver - Fixed null/undefined handling for optional Convex parameters * Wed Jan 21 2026 BurningPho3nix - 0.8.0-20260121 - Added Issue and PR Templates: auto-loads from .repogoon/ or .github/ directories - Added Merge Strategies: support for squash and rebase merge options with UI dropdown - Added PR Diff Viewer: syntax-highlighted diff display with unified/split view toggle - Added Git-backed Wiki: per-repository wiki with markdown editor and search - Added Code Search: full-text and regex search using git grep with match highlighting - Added GitHub Migration: import repositories, issues, PRs, and labels from GitHub - Added default_merge_strategy column to all database drivers - Added Wiki navigation tab to repository pages - Added Search button to repository header * Tue Jan 20 2026 BurningPho3nix - 0.7.7-20260120 - Added global error handlers for uncaught exceptions and unhandled promise rejections - Refactored repository ID retrieval to consistently use _id or id across all routes - Made writeFile function asynchronous for improved performance and error handling - Enhanced repository access checks with consistent group ID usage - Fixed group owners not having write access to their repositories - Added canEdit flag to file content API response for permission-based UI controls - Refactored token authentication middleware to use promise chaining - Added logging for authentication errors and improved session management - Fixed group route members data serialization for JSON responses * Mon Jan 19 2026 BurningPho3nix - 0.7.6-20260119 - Refactored repository retrieval to support group and user ownership - Enhanced repository creation logic to prevent naming conflicts with group repositories - Added automatic backup functionality during RPM upgrades (pre-upgrade safety) - Fixed config file header duplication on RPM upgrades (yq merge was preserving comments from both files) * Sun Jan 18 2026 BurningPho3nix - 0.7.5-20260118 - Added force_2fa enforcement: users 
without 2FA are now required to set it up during login - Added PAT requirement for Git access when users have 2FA enabled (password auth blocked) - Fixed token creation in Convex driver (expiresAt type conversion from string/null to number/undefined) * Sun Jan 18 2026 BurningPho3nix - 0.7.4-20260118 - Fixed install-hooks command exiting early due to bash arithmetic with set -e * Sat Jan 17 2026 BurningPho3nix - 0.7.3-20260117 - Fixed protected branch enforcement not working with Convex backend - Fixed excluded_users field type mismatch (now stores usernames instead of user IDs) - Fixed isBranchProtected returning unnormalized Convex documents - Fixed pre-receive hook not resolving relative GIT_DIR paths - Fixed branch protection matching to prioritize specific patterns over wildcards - Added automatic hook installation on service start/restart - Added debug logging to internal push validation API * Sat Jan 17 2026 BurningPho3nix - 0.7.1-20260117 - Added install-hooks command in rgoon-ctl for Git hook management across all repositories - Added internal API routes for hook validation and installation - Enhanced branch protection enforcement with automatic hook installation - Updated dependencies: AWS SDK to 3.971.0, better-sqlite3 to 12.6.2, mysql2 to 3.16.1 - Enhanced error handling in repository and group management - Fixed Convex driver bugfixes - Added ESLint for improved code quality * Fri Jan 16 2026 BurningPho3nix - 0.7.0-20260116 - Added excluded users feature for branch protection rules - Users in exclusion list can bypass branch protection (push directly without PR) - Added user autocomplete with search API integration - Added scrollable modal with styled scrollbar - Updated all database drivers (SQLite, MySQL, PostgreSQL, Oracle, Convex) * Thu Jan 15 2026 BurningPho3nix - 0.6.7-20260115 - Fixed COPR installation failure: added Provides for user(repogoon) and group(repogoon) - Fixed branch protection API: corrected frontend endpoint URLs and backend 
namespace handling * Thu Jan 15 2026 BurningPho3nix - 0.6.6-20260115 - fixed minor annoyances and bugs - Auto-deploy Convex functions on server start/restart when database type is convex - Added _run_convex_deploy helper to rgoon-ctl for automatic schema synchronization * Wed Jan 14 2026 BurningPho3nix - 0.6.5-20260114 - Fixed ENOENT startup crash for branding directory on RPM installs - Branding assets (logo uploads) now stored in /var/lib/repogoon/branding * Wed Jan 14 2026 BurningPho3nix - 0.6.4-20260114 - Fixed starred repos showing wrong owner name for group repositories - Fixed starred repos not displaying group avatar correctly - Added storage URL conversion for Convex avatar fields * Tue Jan 13 2026 BurningPho3nix - 0.6.3-20260113 - Fixed group avatar consistency - Fixed user avatar in group members list - Resolved 500 error on git clone * Tue Jan 13 2026 BurningPho3nix - 0.6.2-20260113 - Fixed migrate-db to properly convert SQLite datetime strings to Convex timestamps - Added Convex import mutations for proper ID mapping during migration - Foreign key references now correctly resolve to Convex document IDs * Tue Jan 13 2026 BurningPho3nix - 0.6.1.20260113-1 - Added migrate-db command to rgoon-ctl for database migration between backends - Supports migration between sqlite, postgresql, mysql, oracle, and convex - Example: rgoon-ctl migrate-db --from sqlite --to convex * Mon Jan 12 2026 BurningPho3nix - 0.6.20260112-9 - Fixed 2fa_enforce issue * Mon Jan 12 2026 BurningPho3nix - 0.6.20260112-8 - Added Starred Repositories page (/starred) - Fixed star status not displaying correctly on repo pages * Mon Jan 12 2026 BurningPho3nix - 0.6.20260112-7 - Fixed white flash on page refresh (inline theme initialization) - Fixed MIME type error for static assets in production - Added footer links (source code, MPL-2.0 license) * Mon Jan 12 2026 BurningPho3nix - 0.6.20260112-6 - Added links to the footer * Mon Jan 12 2026 BurningPho3nix - 0.6.20260112-5 - Added proper 
markdown rendering for legal pages, READMEs, issues, and pull requests - Fixed Git Smart HTTP 403 Forbidden error during push (added authentication & authorization) - Fixed incorrect repository storage path during migration to groups * Mon Jan 12 2026 BurningPho3nix - 0.6.20260112-4 - Added Group Avatar upload and management support - Refined Group and User avatar display across the platform (Discovery, Groups, Repo Details) - Unified owner identity retrieval across all database drivers - Added star counts to public repository discovery results - Added Git Smart HTTP support (clone/push over HTTP) - Fixed private repository browsing (authenticated tree and blob routes) - Fixed web UI file creation and editing JSON parse errors - Added repository visibility toggle in settings * Mon Jan 12 2026 BurningPho3nix - 0.6.20260112-3 - Fixed Pull Requests not loading for Group repositories - Fixed Repository Settings visibility for public Group repositories - Fixed Repository Transfer not working for all database types * Mon Jan 12 2026 BurningPho3nix - 0.6.20260112-2 - Added Group Migration support (backend & frontend) - Fixed Clone URL generation to respect configured domain - Improved Migration UI with standardized dropdowns * Mon Jan 12 2026 BurningPho3nix - 0.6.20260112-1 - Added GitLab repository migration feature (issues, MRs, wiki, history) - Updated Clone UI (Protocol renaming, removed Local Path) - Added migration support for all database drivers (SQLite, MySQL, PG, Oracle, Convex) * Mon Jan 12 2026 BurningPho3nix - 0.5.20260112-1 - Added email verification for new user registration - Added SMTP configuration support - Fixed Admin User Management status display - Standardized database drivers for user status * Mon Jan 12 2026 BurningPho3nix - 0.4.20260112-1 - Corrected license to MPL-2.0 - Updated documentation for admin credentials - UI rework * Sun Jan 11 2026 BurningPho3nix - 0.3.20260111-6 - Fixed GLIBC_2.17 dependency issue by forcing rebuild of all native 
modules - Aggressively cleaned prebuilt binaries from node_modules * Sun Jan 11 2026 BurningPho3nix - 0.3.20260111-1 - Added Convex serverless backend support - Completed Oracle database driver implementation - Added smart config merging on updates (preserves user settings) - Fixed nginx template for modern nginx (http2 on directive) - Fixed yaml_set to handle types correctly - Fixed nginx config path detection for CentOS/RHEL - Added current password verification for password changes * Sat Jan 10 2026 BurningPho3nix - 0.3.20260109-1 - Added YAML configuration system - Added multi-database support (SQLite, PostgreSQL, MySQL, Oracle, Convex) - Added rgoon-ctl CLI management tool - Added LDAP and OIDC authentication support - Added Let's Encrypt auto-renewal support - Added dynamic rate limiting from database - Added RPM packaging with systemd service