From 887a683af97b570a0fb117068c980f3086133ae4 Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Sun, 9 Jul 2023 13:58:06 +0200
Subject: [PATCH] Update tool dependencies, lock govulncheck and actionlint
 (#25655)

- Update all tool dependencies
- Lock `govulncheck` and `actionlint` to their latest tags

---------

Co-authored-by: 6543 <m.huber@kithara.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
---
 .golangci.yml                              | 25 +++++++++-------
 Makefile                                   | 10 +++----
 models/activities/notification.go          | 10 +++----
 models/asymkey/gpg_key_common.go           |  2 +-
 models/issues/comment.go                   | 10 +++----
 models/issues/comment_list.go              | 22 ++++++--------
 models/issues/issue.go                     | 15 +++++-----
 models/issues/issue_label.go               |  4 +--
 models/issues/issue_update.go              | 34 +++++++++++-----------
 models/issues/review.go                    | 18 ++++++------
 models/issues/tracked_time.go              |  2 +-
 models/migrations/v1_14/v166.go            |  6 ++--
 models/repo.go                             |  4 +--
 modules/activitypub/client.go              | 14 ++++-----
 modules/activitypub/user_settings.go       | 12 ++++----
 modules/context/api.go                     |  4 +--
 modules/git/batch_reader.go                | 20 +++++--------
 modules/git/commit.go                      |  2 +-
 modules/git/git.go                         |  2 +-
 modules/git/repo_base_nogogit.go           |  2 +-
 modules/git/repo_index.go                  |  2 +-
 modules/git/signature_nogogit.go           | 13 +++++----
 modules/nosql/manager.go                   |  2 +-
 modules/queue/workerqueue.go               |  2 +-
 routers/api/v1/activitypub/reqsignature.go | 22 ++++++--------
 services/task/migrate.go                   | 15 +++++-----
 26 files changed, 133 insertions(+), 141 deletions(-)

diff --git a/.golangci.yml b/.golangci.yml
index 22de387fac..7c35bdd2a8 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -77,16 +77,21 @@ linters-settings:
     extra-rules: true
     lang-version: "1.20"
   depguard:
-    list-type: denylist
-    # Check the list against standard lib.
-    include-go-root: true
-    packages-with-error-message:
-      - encoding/json: "use gitea's modules/json instead of encoding/json"
-      - github.com/unknwon/com: "use gitea's util and replacements"
-      - io/ioutil: "use os or io instead"
-      - golang.org/x/exp: "it's experimental and unreliable."
-      - code.gitea.io/gitea/modules/git/internal: "do not use the internal package, use AddXxx function instead"
-      - gopkg.in/ini.v1: "do not use the ini package, use gitea's config system instead"
+    rules:
+      main:
+        deny:
+          - pkg: encoding/json
+            desc: use gitea's modules/json instead of encoding/json
+          - pkg: github.com/unknwon/com
+            desc: use gitea's util and replacements
+          - pkg: io/ioutil
+            desc: use os or io instead
+          - pkg: golang.org/x/exp
+            desc: it's experimental and unreliable
+          - pkg: code.gitea.io/gitea/modules/git/internal
+            desc: do not use the internal package, use AddXxx function instead
+          - pkg: gopkg.in/ini.v1
+            desc: do not use the ini package, use gitea's config system instead
 
 issues:
   max-issues-per-linter: 0
diff --git a/Makefile b/Makefile
index 0c4b42a8c5..7de96f09fd 100644
--- a/Makefile
+++ b/Makefile
@@ -25,17 +25,17 @@ COMMA := ,
 
 XGO_VERSION := go-1.20.x
 
-AIR_PACKAGE ?= github.com/cosmtrek/air@v1.43.0
+AIR_PACKAGE ?= github.com/cosmtrek/air@v1.44.0
 EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/cmd/editorconfig-checker@2.7.0
 GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.5.0
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.52.2
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.53.3
 GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11
 MISSPELL_PACKAGE ?= github.com/client9/misspell/cmd/misspell@v0.3.4
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.4
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.5
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0
-GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@latest
-ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@latest
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v0.2.0
+ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.6.25
 
 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
diff --git a/models/activities/notification.go b/models/activities/notification.go
index 75276a0443..e0af2ee8bb 100644
--- a/models/activities/notification.go
+++ b/models/activities/notification.go
@@ -343,7 +343,7 @@ func getIssueNotification(ctx context.Context, userID, issueID int64) (*Notifica
 // NotificationsForUser returns notifications for a given user and status
 func NotificationsForUser(ctx context.Context, user *user_model.User, statuses []NotificationStatus, page, perPage int) (notifications NotificationList, err error) {
 	if len(statuses) == 0 {
-		return
+		return nil, nil
 	}
 
 	sess := db.GetEngine(ctx).
@@ -372,16 +372,16 @@ func CountUnread(ctx context.Context, userID int64) int64 {
 // LoadAttributes load Repo Issue User and Comment if not loaded
 func (n *Notification) LoadAttributes(ctx context.Context) (err error) {
 	if err = n.loadRepo(ctx); err != nil {
-		return
+		return err
 	}
 	if err = n.loadIssue(ctx); err != nil {
-		return
+		return err
 	}
 	if err = n.loadUser(ctx); err != nil {
-		return
+		return err
 	}
 	if err = n.loadComment(ctx); err != nil {
-		return
+		return err
 	}
 	return err
 }
diff --git a/models/asymkey/gpg_key_common.go b/models/asymkey/gpg_key_common.go
index 5ceeee9aac..b02be2851a 100644
--- a/models/asymkey/gpg_key_common.go
+++ b/models/asymkey/gpg_key_common.go
@@ -111,7 +111,7 @@ func populateHash(hashFunc crypto.Hash, msg []byte) (hash.Hash, error) {
 func readArmoredSign(r io.Reader) (body io.Reader, err error) {
 	block, err := armor.Decode(r)
 	if err != nil {
-		return
+		return nil, err
 	}
 	if block.Type != openpgp.SignatureType {
 		return nil, fmt.Errorf("expected '" + openpgp.SignatureType + "', got: " + block.Type)
diff --git a/models/issues/comment.go b/models/issues/comment.go
index 303c23916b..be020b2e1f 100644
--- a/models/issues/comment.go
+++ b/models/issues/comment.go
@@ -749,7 +749,7 @@ func (c *Comment) LoadPushCommits(ctx context.Context) (err error) {
 
 	err = json.Unmarshal([]byte(c.Content), &data)
 	if err != nil {
-		return
+		return err
 	}
 
 	c.IsForcePush = data.IsForcePush
@@ -925,7 +925,7 @@ func createIssueDependencyComment(ctx context.Context, doer *user_model.User, is
 		cType = CommentTypeRemoveDependency
 	}
 	if err = issue.LoadRepo(ctx); err != nil {
-		return
+		return err
 	}
 
 	// Make two comments, one in each issue
@@ -937,7 +937,7 @@ func createIssueDependencyComment(ctx context.Context, doer *user_model.User, is
 		DependentIssueID: dependentIssue.ID,
 	}
 	if _, err = CreateComment(ctx, opts); err != nil {
-		return
+		return err
 	}
 
 	opts = &CreateCommentOptions{
@@ -1170,11 +1170,11 @@ func CreateAutoMergeComment(ctx context.Context, typ CommentType, pr *PullReques
 		return nil, fmt.Errorf("comment type %d cannot be used to create an auto merge comment", typ)
 	}
 	if err = pr.LoadIssue(ctx); err != nil {
-		return
+		return nil, err
 	}
 
 	if err = pr.LoadBaseRepo(ctx); err != nil {
-		return
+		return nil, err
 	}
 
 	comment, err = CreateComment(ctx, &CreateCommentOptions{
diff --git a/models/issues/comment_list.go b/models/issues/comment_list.go
index 477337443d..e9c8406c3a 100644
--- a/models/issues/comment_list.go
+++ b/models/issues/comment_list.go
@@ -468,42 +468,38 @@ func (comments CommentList) loadReviews(ctx context.Context) error {
 // loadAttributes loads all attributes
 func (comments CommentList) loadAttributes(ctx context.Context) (err error) {
 	if err = comments.LoadPosters(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = comments.loadLabels(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = comments.loadMilestones(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = comments.loadOldMilestones(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = comments.loadAssignees(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = comments.LoadAttachments(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = comments.loadReviews(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = comments.LoadIssues(ctx); err != nil {
-		return
+		return err
 	}
 
-	if err = comments.loadDependentIssues(ctx); err != nil {
-		return
-	}
-
-	return nil
+	return comments.loadDependentIssues(ctx)
 }
 
 // LoadAttributes loads attributes of the comments, except for attachments and
diff --git a/models/issues/issue.go b/models/issues/issue.go
index 364d53ba31..d0c5ad2bf8 100644
--- a/models/issues/issue.go
+++ b/models/issues/issue.go
@@ -222,8 +222,7 @@ func (issue *Issue) LoadPoster(ctx context.Context) (err error) {
 			if !user_model.IsErrUserNotExist(err) {
 				return fmt.Errorf("getUserByID.(poster) [%d]: %w", issue.PosterID, err)
 			}
-			err = nil
-			return
+			return nil
 		}
 	}
 	return err
@@ -316,27 +315,27 @@ func (issue *Issue) LoadMilestone(ctx context.Context) (err error) {
 // LoadAttributes loads the attribute of this issue.
 func (issue *Issue) LoadAttributes(ctx context.Context) (err error) {
 	if err = issue.LoadRepo(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = issue.LoadPoster(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = issue.LoadLabels(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = issue.LoadMilestone(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = issue.LoadProject(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = issue.LoadAssignees(ctx); err != nil {
-		return
+		return err
 	}
 
 	if err = issue.LoadPullRequest(ctx); err != nil && !IsErrPullRequestNotExist(err) {
diff --git a/models/issues/issue_label.go b/models/issues/issue_label.go
index f4060b1402..119a13adf2 100644
--- a/models/issues/issue_label.go
+++ b/models/issues/issue_label.go
@@ -39,7 +39,7 @@ func newIssueLabel(ctx context.Context, issue *Issue, label *Label, doer *user_m
 	}
 
 	if err = issue.LoadRepo(ctx); err != nil {
-		return
+		return err
 	}
 
 	opts := &CreateCommentOptions{
@@ -168,7 +168,7 @@ func deleteIssueLabel(ctx context.Context, issue *Issue, label *Label, doer *use
 	}
 
 	if err = issue.LoadRepo(ctx); err != nil {
-		return
+		return err
 	}
 
 	opts := &CreateCommentOptions{
diff --git a/models/issues/issue_update.go b/models/issues/issue_update.go
index 9453ddc085..9607b21a67 100644
--- a/models/issues/issue_update.go
+++ b/models/issues/issue_update.go
@@ -538,10 +538,10 @@ func FindAndUpdateIssueMentions(ctx context.Context, issue *Issue, doer *user_mo
 // don't have access to reading it. Teams are expanded into their users, but organizations are ignored.
 func ResolveIssueMentionsByVisibility(ctx context.Context, issue *Issue, doer *user_model.User, mentions []string) (users []*user_model.User, err error) {
 	if len(mentions) == 0 {
-		return
+		return nil, nil
 	}
 	if err = issue.LoadRepo(ctx); err != nil {
-		return
+		return nil, err
 	}
 
 	resolved := make(map[string]bool, 10)
@@ -635,7 +635,7 @@ func ResolveIssueMentionsByVisibility(ctx context.Context, issue *Issue, doer *u
 		}
 	}
 	if len(mentionUsers) == 0 {
-		return
+		return users, err
 	}
 
 	if users == nil {
@@ -702,66 +702,66 @@ func DeleteIssuesByRepoID(ctx context.Context, repoID int64) (attachmentPaths []
 	// Delete content histories
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&ContentHistory{}); err != nil {
-		return
+		return nil, err
 	}
 
 	// Delete comments and attachments
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&Comment{}); err != nil {
-		return
+		return nil, err
 	}
 
 	// Dependencies for issues in this repository
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&IssueDependency{}); err != nil {
-		return
+		return nil, err
 	}
 
 	// Delete dependencies for issues in other repositories
 	if _, err = sess.In("dependency_id", deleteCond).
 		Delete(&IssueDependency{}); err != nil {
-		return
+		return nil, err
 	}
 
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&IssueUser{}); err != nil {
-		return
+		return nil, err
 	}
 
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&Reaction{}); err != nil {
-		return
+		return nil, err
 	}
 
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&IssueWatch{}); err != nil {
-		return
+		return nil, err
 	}
 
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&Stopwatch{}); err != nil {
-		return
+		return nil, err
 	}
 
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&TrackedTime{}); err != nil {
-		return
+		return nil, err
 	}
 
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&project_model.ProjectIssue{}); err != nil {
-		return
+		return nil, err
 	}
 
 	if _, err = sess.In("dependent_issue_id", deleteCond).
 		Delete(&Comment{}); err != nil {
-		return
+		return nil, err
 	}
 
 	var attachments []*repo_model.Attachment
 	if err = sess.In("issue_id", deleteCond).
 		Find(&attachments); err != nil {
-		return
+		return nil, err
 	}
 
 	for j := range attachments {
@@ -770,11 +770,11 @@ func DeleteIssuesByRepoID(ctx context.Context, repoID int64) (attachmentPaths []
 
 	if _, err = sess.In("issue_id", deleteCond).
 		Delete(&repo_model.Attachment{}); err != nil {
-		return
+		return nil, err
 	}
 
 	if _, err = db.DeleteByBean(ctx, &Issue{RepoID: repoID}); err != nil {
-		return
+		return nil, err
 	}
 
 	return attachmentPaths, err
diff --git a/models/issues/review.go b/models/issues/review.go
index dbacfa3a87..3ec2c00fe9 100644
--- a/models/issues/review.go
+++ b/models/issues/review.go
@@ -136,10 +136,10 @@ func init() {
 // LoadCodeComments loads CodeComments
 func (r *Review) LoadCodeComments(ctx context.Context) (err error) {
 	if r.CodeComments != nil {
-		return
+		return err
 	}
 	if err = r.loadIssue(ctx); err != nil {
-		return
+		return err
 	}
 	r.CodeComments, err = fetchCodeCommentsByReview(ctx, r.Issue, nil, r, false)
 	return err
@@ -147,7 +147,7 @@ func (r *Review) LoadCodeComments(ctx context.Context) (err error) {
 
 func (r *Review) loadIssue(ctx context.Context) (err error) {
 	if r.Issue != nil {
-		return
+		return err
 	}
 	r.Issue, err = GetIssueByID(ctx, r.IssueID)
 	return err
@@ -156,7 +156,7 @@ func (r *Review) loadIssue(ctx context.Context) (err error) {
 // LoadReviewer loads reviewer
 func (r *Review) LoadReviewer(ctx context.Context) (err error) {
 	if r.ReviewerID == 0 || r.Reviewer != nil {
-		return
+		return err
 	}
 	r.Reviewer, err = user_model.GetPossibleUserByID(ctx, r.ReviewerID)
 	return err
@@ -186,7 +186,7 @@ func LoadReviewers(ctx context.Context, reviews []*Review) (err error) {
 // LoadReviewerTeam loads reviewer team
 func (r *Review) LoadReviewerTeam(ctx context.Context) (err error) {
 	if r.ReviewerTeamID == 0 || r.ReviewerTeam != nil {
-		return
+		return nil
 	}
 
 	r.ReviewerTeam, err = organization.GetTeamByID(ctx, r.ReviewerTeamID)
@@ -196,16 +196,16 @@ func (r *Review) LoadReviewerTeam(ctx context.Context) (err error) {
 // LoadAttributes loads all attributes except CodeComments
 func (r *Review) LoadAttributes(ctx context.Context) (err error) {
 	if err = r.loadIssue(ctx); err != nil {
-		return
+		return err
 	}
 	if err = r.LoadCodeComments(ctx); err != nil {
-		return
+		return err
 	}
 	if err = r.LoadReviewer(ctx); err != nil {
-		return
+		return err
 	}
 	if err = r.LoadReviewerTeam(ctx); err != nil {
-		return
+		return err
 	}
 	return err
 }
diff --git a/models/issues/tracked_time.go b/models/issues/tracked_time.go
index 1d7592926b..d117b74bc0 100644
--- a/models/issues/tracked_time.go
+++ b/models/issues/tracked_time.go
@@ -302,7 +302,7 @@ func DeleteTime(t *TrackedTime) error {
 func deleteTimes(ctx context.Context, opts FindTrackedTimesOptions) (removedTime int64, err error) {
 	removedTime, err = GetTrackedSeconds(ctx, opts)
 	if err != nil || removedTime == 0 {
-		return
+		return removedTime, err
 	}
 
 	_, err = opts.toSession(db.GetEngine(ctx)).Table("tracked_time").Cols("deleted").Update(&TrackedTime{Deleted: true})
diff --git a/models/migrations/v1_14/v166.go b/models/migrations/v1_14/v166.go
index de7626076a..78f33e8f9b 100644
--- a/models/migrations/v1_14/v166.go
+++ b/models/migrations/v1_14/v166.go
@@ -78,14 +78,14 @@ func RecalculateUserEmptyPWD(x *xorm.Engine) (err error) {
 	for start := 0; ; start += batchSize {
 		users := make([]*User, 0, batchSize)
 		if err = sess.Limit(batchSize, start).Where(builder.Neq{"passwd": ""}, 0).Find(&users); err != nil {
-			return
+			return err
 		}
 		if len(users) == 0 {
 			break
 		}
 
 		if err = sess.Begin(); err != nil {
-			return
+			return err
 		}
 
 		for _, user := range users {
@@ -100,7 +100,7 @@ func RecalculateUserEmptyPWD(x *xorm.Engine) (err error) {
 		}
 
 		if err = sess.Commit(); err != nil {
-			return
+			return err
 		}
 	}
 
diff --git a/models/repo.go b/models/repo.go
index 9044fc8aed..7579d2ad73 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -628,14 +628,14 @@ func DoctorUserStarNum() (err error) {
 	for start := 0; ; start += batchSize {
 		users := make([]user_model.User, 0, batchSize)
 		if err = db.GetEngine(db.DefaultContext).Limit(batchSize, start).Where("type = ?", 0).Cols("id").Find(&users); err != nil {
-			return
+			return err
 		}
 		if len(users) == 0 {
 			break
 		}
 
 		if err = updateUserStarNumbers(users); err != nil {
-			return
+			return err
 		}
 	}
 
diff --git a/modules/activitypub/client.go b/modules/activitypub/client.go
index ed5c9990d6..fa1b57638f 100644
--- a/modules/activitypub/client.go
+++ b/modules/activitypub/client.go
@@ -63,19 +63,19 @@ type Client struct {
 // NewClient function
 func NewClient(user *user_model.User, pubID string) (c *Client, err error) {
 	if err = containsRequiredHTTPHeaders(http.MethodGet, setting.Federation.GetHeaders); err != nil {
-		return
+		return nil, err
 	} else if err = containsRequiredHTTPHeaders(http.MethodPost, setting.Federation.PostHeaders); err != nil {
-		return
+		return nil, err
 	}
 
 	priv, err := GetPrivateKey(user)
 	if err != nil {
-		return
+		return nil, err
 	}
 	privPem, _ := pem.Decode([]byte(priv))
 	privParsed, err := x509.ParsePKCS1PrivateKey(privPem.Bytes)
 	if err != nil {
-		return
+		return nil, err
 	}
 
 	c = &Client{
@@ -99,14 +99,14 @@ func (c *Client) NewRequest(b []byte, to string) (req *http.Request, err error)
 	buf := bytes.NewBuffer(b)
 	req, err = http.NewRequest(http.MethodPost, to, buf)
 	if err != nil {
-		return
+		return nil, err
 	}
 	req.Header.Add("Content-Type", ActivityStreamsContentType)
 	req.Header.Add("Date", CurrentTime())
 	req.Header.Add("User-Agent", "Gitea/"+setting.AppVer)
 	signer, _, err := httpsig.NewSigner(c.algs, c.digestAlg, c.postHeaders, httpsig.Signature, httpsigExpirationTime)
 	if err != nil {
-		return
+		return nil, err
 	}
 	err = signer.SignRequest(c.priv, c.pubID, req, b)
 	return req, err
@@ -116,7 +116,7 @@ func (c *Client) NewRequest(b []byte, to string) (req *http.Request, err error)
 func (c *Client) Post(b []byte, to string) (resp *http.Response, err error) {
 	var req *http.Request
 	if req, err = c.NewRequest(b, to); err != nil {
-		return
+		return nil, err
 	}
 	resp, err = c.client.Do(req)
 	return resp, err
diff --git a/modules/activitypub/user_settings.go b/modules/activitypub/user_settings.go
index 2d156c17e6..20b3d759c2 100644
--- a/modules/activitypub/user_settings.go
+++ b/modules/activitypub/user_settings.go
@@ -15,22 +15,22 @@ func GetKeyPair(user *user_model.User) (pub, priv string, err error) {
 	var settings map[string]*user_model.Setting
 	settings, err = user_model.GetSettings(user.ID, []string{user_model.UserActivityPubPrivPem, user_model.UserActivityPubPubPem})
 	if err != nil {
-		return
+		return pub, priv, err
 	} else if len(settings) == 0 {
 		if priv, pub, err = util.GenerateKeyPair(rsaBits); err != nil {
-			return
+			return pub, priv, err
 		}
 		if err = user_model.SetUserSetting(user.ID, user_model.UserActivityPubPrivPem, priv); err != nil {
-			return
+			return pub, priv, err
 		}
 		if err = user_model.SetUserSetting(user.ID, user_model.UserActivityPubPubPem, pub); err != nil {
-			return
+			return pub, priv, err
 		}
-		return
+		return pub, priv, err
 	} else {
 		priv = settings[user_model.UserActivityPubPrivPem].SettingValue
 		pub = settings[user_model.UserActivityPubPubPem].SettingValue
-		return
+		return pub, priv, err
 	}
 }
 
diff --git a/modules/context/api.go b/modules/context/api.go
index 93a587d436..a367597e8a 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -294,7 +294,7 @@ func ReferencesGitRepo(allowEmpty ...bool) func(ctx *APIContext) (cancel context
 	return func(ctx *APIContext) (cancel context.CancelFunc) {
 		// Empty repository does not have reference information.
 		if ctx.Repo.Repository.IsEmpty && !(len(allowEmpty) != 0 && allowEmpty[0]) {
-			return
+			return nil
 		}
 
 		// For API calls.
@@ -303,7 +303,7 @@ func ReferencesGitRepo(allowEmpty ...bool) func(ctx *APIContext) (cancel context
 			gitRepo, err := git.OpenRepository(ctx, repoPath)
 			if err != nil {
 				ctx.Error(http.StatusInternalServerError, "RepoRef Invalid repo "+repoPath, err)
-				return
+				return cancel
 			}
 			ctx.Repo.GitRepo = gitRepo
 			// We opened it, we should close it
diff --git a/modules/git/batch_reader.go b/modules/git/batch_reader.go
index 75539c0d0a..891e8a2384 100644
--- a/modules/git/batch_reader.go
+++ b/modules/git/batch_reader.go
@@ -148,27 +148,25 @@ func CatFileBatch(ctx context.Context, repoPath string) (WriteCloserError, *bufi
 func ReadBatchLine(rd *bufio.Reader) (sha []byte, typ string, size int64, err error) {
 	typ, err = rd.ReadString('\n')
 	if err != nil {
-		return
+		return sha, typ, size, err
 	}
 	if len(typ) == 1 {
 		typ, err = rd.ReadString('\n')
 		if err != nil {
-			return
+			return sha, typ, size, err
 		}
 	}
 	idx := strings.IndexByte(typ, ' ')
 	if idx < 0 {
 		log.Debug("missing space typ: %s", typ)
-		err = ErrNotExist{ID: string(sha)}
-		return
+		return sha, typ, size, ErrNotExist{ID: string(sha)}
 	}
 	sha = []byte(typ[:idx])
 	typ = typ[idx+1:]
 
 	idx = strings.IndexByte(typ, ' ')
 	if idx < 0 {
-		err = ErrNotExist{ID: string(sha)}
-		return
+		return sha, typ, size, ErrNotExist{ID: string(sha)}
 	}
 
 	sizeStr := typ[idx+1 : len(typ)-1]
@@ -285,14 +283,12 @@ func ParseTreeLine(rd *bufio.Reader, modeBuf, fnameBuf, shaBuf []byte) (mode, fn
 	// Read the Mode & fname
 	readBytes, err = rd.ReadSlice('\x00')
 	if err != nil {
-		return
+		return mode, fname, sha, n, err
 	}
 	idx := bytes.IndexByte(readBytes, ' ')
 	if idx < 0 {
 		log.Debug("missing space in readBytes ParseTreeLine: %s", readBytes)
-
-		err = &ErrNotExist{}
-		return
+		return mode, fname, sha, n, &ErrNotExist{}
 	}
 
 	n += idx + 1
@@ -319,7 +315,7 @@ func ParseTreeLine(rd *bufio.Reader, modeBuf, fnameBuf, shaBuf []byte) (mode, fn
 	}
 	n += len(fnameBuf)
 	if err != nil {
-		return
+		return mode, fname, sha, n, err
 	}
 	fnameBuf = fnameBuf[:len(fnameBuf)-1]
 	fname = fnameBuf
@@ -331,7 +327,7 @@ func ParseTreeLine(rd *bufio.Reader, modeBuf, fnameBuf, shaBuf []byte) (mode, fn
 		read, err = rd.Read(shaBuf[idx:20])
 		n += read
 		if err != nil {
-			return
+			return mode, fname, sha, n, err
 		}
 		idx += read
 	}
diff --git a/modules/git/commit.go b/modules/git/commit.go
index ff654f394d..729e3b4672 100644
--- a/modules/git/commit.go
+++ b/modules/git/commit.go
@@ -435,7 +435,7 @@ func (c *Commit) GetBranchName() (string, error) {
 // LoadBranchName load branch name for commit
 func (c *Commit) LoadBranchName() (err error) {
 	if len(c.Branch) != 0 {
-		return
+		return nil
 	}
 
 	c.Branch, err = c.GetBranchName()
diff --git a/modules/git/git.go b/modules/git/git.go
index c9d174e118..12d2f94e51 100644
--- a/modules/git/git.go
+++ b/modules/git/git.go
@@ -171,7 +171,7 @@ func InitFull(ctx context.Context) (err error) {
 	}
 
 	if err = InitSimple(ctx); err != nil {
-		return
+		return err
 	}
 
 	// when git works with gnupg (commit signing), there should be a stable home for gnupg commands
diff --git a/modules/git/repo_base_nogogit.go b/modules/git/repo_base_nogogit.go
index e0f2d563b3..414e4eb1a8 100644
--- a/modules/git/repo_base_nogogit.go
+++ b/modules/git/repo_base_nogogit.go
@@ -87,7 +87,7 @@ func (repo *Repository) CatFileBatchCheck(ctx context.Context) (WriteCloserError
 // Close this repository, in particular close the underlying gogitStorage if this is not nil
 func (repo *Repository) Close() (err error) {
 	if repo == nil {
-		return
+		return nil
 	}
 	if repo.batchCancel != nil {
 		repo.batchCancel()
diff --git a/modules/git/repo_index.go b/modules/git/repo_index.go
index 5ff2a2e4fc..34dd1e0129 100644
--- a/modules/git/repo_index.go
+++ b/modules/git/repo_index.go
@@ -48,7 +48,7 @@ func (repo *Repository) readTreeToIndex(id SHA1, indexFilename ...string) error
 func (repo *Repository) ReadTreeToTemporaryIndex(treeish string) (filename, tmpDir string, cancel context.CancelFunc, err error) {
 	tmpDir, err = os.MkdirTemp("", "index")
 	if err != nil {
-		return
+		return filename, tmpDir, cancel, err
 	}
 
 	filename = filepath.Join(tmpDir, ".tmp-index")
diff --git a/modules/git/signature_nogogit.go b/modules/git/signature_nogogit.go
index a203d5ce6d..25277f99d5 100644
--- a/modules/git/signature_nogogit.go
+++ b/modules/git/signature_nogogit.go
@@ -43,12 +43,13 @@ func (s *Signature) Decode(b []byte) {
 //
 // but without the "author " at the beginning (this method should)
 // be used for author and committer.
+// FIXME: there are a lot of "return sig, err" (but the err is also nil), that's the old behavior, to avoid breaking
 func newSignatureFromCommitline(line []byte) (sig *Signature, err error) {
 	sig = new(Signature)
 	emailStart := bytes.LastIndexByte(line, '<')
 	emailEnd := bytes.LastIndexByte(line, '>')
 	if emailStart == -1 || emailEnd == -1 || emailEnd < emailStart {
-		return
+		return sig, err
 	}
 
 	if emailStart > 0 { // Empty name has already occurred, even if it shouldn't
@@ -58,7 +59,7 @@ func newSignatureFromCommitline(line []byte) (sig *Signature, err error) {
 
 	hasTime := emailEnd+2 < len(line)
 	if !hasTime {
-		return
+		return sig, err
 	}
 
 	// Check date format.
@@ -66,7 +67,7 @@ func newSignatureFromCommitline(line []byte) (sig *Signature, err error) {
 	if firstChar >= 48 && firstChar <= 57 {
 		idx := bytes.IndexByte(line[emailEnd+2:], ' ')
 		if idx < 0 {
-			return
+			return sig, err
 		}
 
 		timestring := string(line[emailEnd+2 : emailEnd+2+idx])
@@ -75,14 +76,14 @@ func newSignatureFromCommitline(line []byte) (sig *Signature, err error) {
 
 		idx += emailEnd + 3
 		if idx >= len(line) || idx+5 > len(line) {
-			return
+			return sig, err
 		}
 
 		timezone := string(line[idx : idx+5])
 		tzhours, err1 := strconv.ParseInt(timezone[0:3], 10, 64)
 		tzmins, err2 := strconv.ParseInt(timezone[3:], 10, 64)
 		if err1 != nil || err2 != nil {
-			return
+			return sig, err
 		}
 		if tzhours < 0 {
 			tzmins *= -1
@@ -92,7 +93,7 @@ func newSignatureFromCommitline(line []byte) (sig *Signature, err error) {
 	} else {
 		sig.When, err = time.Parse(GitTimeLayout, string(line[emailEnd+2:]))
 		if err != nil {
-			return
+			return sig, err
 		}
 	}
 	return sig, err
diff --git a/modules/nosql/manager.go b/modules/nosql/manager.go
index 31e43297dc..375c2b5d00 100644
--- a/modules/nosql/manager.go
+++ b/modules/nosql/manager.go
@@ -71,7 +71,7 @@ func valToTimeDuration(vs []string) (result time.Duration) {
 			result = time.Duration(val)
 		}
 		if err == nil {
-			return
+			return result
 		}
 	}
 	return result
diff --git a/modules/queue/workerqueue.go b/modules/queue/workerqueue.go
index e0d5183bd9..b28fd88027 100644
--- a/modules/queue/workerqueue.go
+++ b/modules/queue/workerqueue.go
@@ -93,7 +93,7 @@ func (q *WorkerPoolQueue[T]) GetQueueItemNumber() int {
 
 func (q *WorkerPoolQueue[T]) FlushWithContext(ctx context.Context, timeout time.Duration) (err error) {
 	if q.isBaseQueueDummy() {
-		return
+		return nil
 	}
 
 	log.Debug("Try to flush queue %q with timeout %v", q.GetName(), timeout)
diff --git a/routers/api/v1/activitypub/reqsignature.go b/routers/api/v1/activitypub/reqsignature.go
index 2d945c27a5..3f60ed7776 100644
--- a/routers/api/v1/activitypub/reqsignature.go
+++ b/routers/api/v1/activitypub/reqsignature.go
@@ -25,19 +25,16 @@ func getPublicKeyFromResponse(b []byte, keyID *url.URL) (p crypto.PublicKey, err
 	person := ap.PersonNew(ap.IRI(keyID.String()))
 	err = person.UnmarshalJSON(b)
 	if err != nil {
-		err = fmt.Errorf("ActivityStreams type cannot be converted to one known to have publicKey property: %w", err)
-		return
+		return nil, fmt.Errorf("ActivityStreams type cannot be converted to one known to have publicKey property: %w", err)
 	}
 	pubKey := person.PublicKey
 	if pubKey.ID.String() != keyID.String() {
-		err = fmt.Errorf("cannot find publicKey with id: %s in %s", keyID, string(b))
-		return
+		return nil, fmt.Errorf("cannot find publicKey with id: %s in %s", keyID, string(b))
 	}
 	pubKeyPem := pubKey.PublicKeyPem
 	block, _ := pem.Decode([]byte(pubKeyPem))
 	if block == nil || block.Type != "PUBLIC KEY" {
-		err = fmt.Errorf("could not decode publicKeyPem to PUBLIC KEY pem block type")
-		return
+		return nil, fmt.Errorf("could not decode publicKeyPem to PUBLIC KEY pem block type")
 	}
 	p, err = x509.ParsePKIXPublicKey(block.Bytes)
 	return p, err
@@ -49,13 +46,12 @@ func fetch(iri *url.URL) (b []byte, err error) {
 	req.Header("User-Agent", "Gitea/"+setting.AppVer)
 	resp, err := req.Response()
 	if err != nil {
-		return
+		return nil, err
 	}
 	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
-		err = fmt.Errorf("url IRI fetch [%s] failed with status (%d): %s", iri, resp.StatusCode, resp.Status)
-		return
+		return nil, fmt.Errorf("url IRI fetch [%s] failed with status (%d): %s", iri, resp.StatusCode, resp.Status)
 	}
 	b, err = io.ReadAll(io.LimitReader(resp.Body, setting.Federation.MaxSize))
 	return b, err
@@ -67,21 +63,21 @@ func verifyHTTPSignatures(ctx *gitea_context.APIContext) (authenticated bool, er
 	// 1. Figure out what key we need to verify
 	v, err := httpsig.NewVerifier(r)
 	if err != nil {
-		return
+		return false, err
 	}
 	ID := v.KeyId()
 	idIRI, err := url.Parse(ID)
 	if err != nil {
-		return
+		return false, err
 	}
 	// 2. Fetch the public key of the other actor
 	b, err := fetch(idIRI)
 	if err != nil {
-		return
+		return false, err
 	}
 	pubKey, err := getPublicKeyFromResponse(b, idIRI)
 	if err != nil {
-		return
+		return false, err
 	}
 	// 3. Verify the other actor's key
 	algo := httpsig.Algorithm(setting.Federation.Algorithms[0])
diff --git a/services/task/migrate.go b/services/task/migrate.go
index bebdb5078b..52b6220a04 100644
--- a/services/task/migrate.go
+++ b/services/task/migrate.go
@@ -71,7 +71,7 @@ func runMigrateTask(t *admin_model.Task) (err error) {
 	}()
 
 	if err = t.LoadRepo(); err != nil {
-		return
+		return err
 	}
 
 	// if repository is ready, then just finish the task
@@ -80,16 +80,16 @@ func runMigrateTask(t *admin_model.Task) (err error) {
 	}
 
 	if err = t.LoadDoer(); err != nil {
-		return
+		return err
 	}
 	if err = t.LoadOwner(); err != nil {
-		return
+		return err
 	}
 
 	var opts *migration.MigrateOptions
 	opts, err = t.MigrateConfig()
 	if err != nil {
-		return
+		return err
 	}
 
 	opts.MigrateToRepoID = t.RepoID
@@ -101,7 +101,7 @@ func runMigrateTask(t *admin_model.Task) (err error) {
 	t.StartTime = timeutil.TimeStampNow()
 	t.Status = structs.TaskStatusRunning
 	if err = t.UpdateCols("start_time", "status"); err != nil {
-		return
+		return err
 	}
 
 	// check whether the task should be canceled, this goroutine is also managed by process manager
@@ -133,12 +133,11 @@ func runMigrateTask(t *admin_model.Task) (err error) {
 
 	if err == nil {
 		log.Trace("Repository migrated [%d]: %s/%s", t.Repo.ID, t.Owner.Name, t.Repo.Name)
-		return
+		return nil
 	}
 
 	if repo_model.IsErrRepoAlreadyExist(err) {
-		err = errors.New("the repository name is already used")
-		return
+		return errors.New("the repository name is already used")
 	}
 
 	// remoteAddr may contain credentials, so we sanitize it