Migrate from webpack to vite (#37002)

Replace webpack with Vite 8 as the frontend bundler. Frontend build is
around 3-4 times faster than before. Will work on all platforms
including riscv64 (via wasm).

`iife.js` is a classic render-blocking script in `<head>` (handles web
components/early DOM setup). `index.js` is loaded as a `type="module"`
script in the footer. All other JS chunks are also module scripts
(supported in all browsers since 2018).

Entry filenames are content-hashed (e.g. `index.C6Z2MRVQ.js`) and
resolved at runtime via the Vite manifest, eliminating the `?v=` cache
busting (which was unreliable in some scenarios like vscode dev build).

Replaces: https://github.com/go-gitea/gitea/pull/36896
Fixes: https://github.com/go-gitea/gitea/issues/17793
Signed-off-by: silverwind <me@silverwind.io>
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

modules/graceful/server_http.go

@@ -12,7 +12,12 @@ import (
 
 func newHTTPServer(network, address, name string, handler http.Handler) (*Server, ServeFunction) {
 	server := NewServer(network, address, name)
+	protocols := http.Protocols{}
+	protocols.SetHTTP1(true)
+	protocols.SetHTTP2(true)            // HTTP/2 can only be used when Gitea is configured to use TLS
+	protocols.SetUnencryptedHTTP2(true) // Allow HTTP/2 without TLS, in case Gitea is behind a reverse proxy
 	httpServer := http.Server{
+		Protocols:   &protocols,
 		Handler:     handler,
 		BaseContext: func(net.Listener) context.Context { return GetManager().HammerContext() },
 	}

modules/markup/external/openapi.go

@@ -9,6 +9,7 @@ import (
 	"io"
 
 	"code.gitea.io/gitea/modules/markup"
+	"code.gitea.io/gitea/modules/public"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 )
@@ -61,19 +62,17 @@ func (p *openAPIRenderer) Render(ctx *markup.RenderContext, input io.Reader, out
 <html>
 <head>
 	<meta name="viewport" content="width=device-width, initial-scale=1">
-	<link rel="stylesheet" href="%s/assets/css/swagger.css?v=%s">
+	<link rel="stylesheet" href="%s">
 </head>
 <body>
 	<div id="swagger-ui"><textarea class="swagger-spec-content" data-spec-filename="%s">%s</textarea></div>
-	<script src="%s/assets/js/swagger.js?v=%s"></script>
+	<script type="module" src="%s"></script>
 </body>
 </html>`,
-		setting.StaticURLPrefix,
-		setting.AssetVersion,
+		public.AssetURI("css/swagger.css"),
 		html.EscapeString(ctx.RenderOptions.RelativePath),
 		html.EscapeString(util.UnsafeBytesToString(content)),
-		setting.StaticURLPrefix,
-		setting.AssetVersion,
+		public.AssetURI("js/swagger.js"),
 	))
 	return err
 }

modules/markup/render.go

@@ -16,6 +16,7 @@ import (
 
 	"code.gitea.io/gitea/modules/htmlutil"
 	"code.gitea.io/gitea/modules/markup/internal"
+	"code.gitea.io/gitea/modules/public"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/typesniffer"
 	"code.gitea.io/gitea/modules/util"
@@ -237,10 +238,10 @@ func RenderWithRenderer(ctx *RenderContext, renderer Renderer, input io.Reader,
 			return renderIFrame(ctx, extOpts.ContentSandbox, output)
 		}
 		// else: this is a standalone page, fallthrough to the real rendering, and add extra JS/CSS
-		extraStyleHref := setting.AppSubURL + "/assets/css/external-render-iframe.css"
-		extraScriptSrc := setting.AppSubURL + "/assets/js/external-render-iframe.js"
+		extraStyleHref := public.AssetURI("css/external-render-iframe.css")
+		extraScriptSrc := public.AssetURI("js/external-render-iframe.js")
 		// "<script>" must go before "<link>", to make Golang's http.DetectContentType() can still recognize the content as "text/html"
-		extraHeadHTML = htmlutil.HTMLFormat(`<script src="%s"></script><link rel="stylesheet" href="%s">`, extraScriptSrc, extraStyleHref)
+		extraHeadHTML = htmlutil.HTMLFormat(`<script type="module" src="%s"></script><link rel="stylesheet" href="%s">`, extraScriptSrc, extraStyleHref)
 	}
 
 	ctx.usedByRender = true

modules/public/manifest.go

@@ -0,0 +1,156 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package public
+
+import (
+	"io"
+	"path"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+)
+
+type manifestEntry struct {
+	File    string   `json:"file"`
+	Name    string   `json:"name"`
+	IsEntry bool     `json:"isEntry"`
+	CSS     []string `json:"css"`
+}
+
+type manifestDataStruct struct {
+	paths     map[string]string // unhashed path -> hashed path
+	names     map[string]string // hashed path -> entry name
+	modTime   int64
+	checkTime time.Time
+}
+
+var (
+	manifestData atomic.Pointer[manifestDataStruct]
+	manifestFS   = sync.OnceValue(AssetFS)
+)
+
+const manifestPath = "assets/.vite/manifest.json"
+
+func parseManifest(data []byte) (map[string]string, map[string]string) {
+	var manifest map[string]manifestEntry
+	if err := json.Unmarshal(data, &manifest); err != nil {
+		log.Error("Failed to parse frontend manifest: %v", err)
+		return nil, nil
+	}
+
+	paths := make(map[string]string)
+	names := make(map[string]string)
+	for _, entry := range manifest {
+		if !entry.IsEntry || entry.Name == "" {
+			continue
+		}
+		// Build unhashed key from file path: "js/index.js", "css/theme-gitea-dark.css"
+		dir := path.Dir(entry.File)
+		ext := path.Ext(entry.File)
+		key := dir + "/" + entry.Name + ext
+		paths[key] = entry.File
+		names[entry.File] = entry.Name
+		// Map associated CSS files, e.g. "css/index.css" -> "css/index.B3zrQPqD.css"
+		for _, css := range entry.CSS {
+			cssKey := path.Dir(css) + "/" + entry.Name + path.Ext(css)
+			paths[cssKey] = css
+			names[css] = entry.Name
+		}
+	}
+	return paths, names
+}
+
+func reloadManifest(existingData *manifestDataStruct) *manifestDataStruct {
+	now := time.Now()
+	data := existingData
+	if data != nil && now.Sub(data.checkTime) < time.Second {
+		// a single request triggers multiple calls to getHashedPath
+		// do not check the manifest file too frequently
+		return data
+	}
+
+	f, err := manifestFS().Open(manifestPath)
+	if err != nil {
+		log.Error("Failed to open frontend manifest: %v", err)
+		return data
+	}
+	defer f.Close()
+
+	fi, err := f.Stat()
+	if err != nil {
+		log.Error("Failed to stat frontend manifest: %v", err)
+		return data
+	}
+
+	needReload := data == nil || fi.ModTime().UnixNano() != data.modTime
+	if !needReload {
+		return data
+	}
+	manifestContent, err := io.ReadAll(f)
+	if err != nil {
+		log.Error("Failed to read frontend manifest: %v", err)
+		return data
+	}
+	return storeManifestFromBytes(manifestContent, fi.ModTime().UnixNano(), now)
+}
+
+func storeManifestFromBytes(manifestContent []byte, modTime int64, checkTime time.Time) *manifestDataStruct {
+	paths, names := parseManifest(manifestContent)
+	data := &manifestDataStruct{
+		paths:     paths,
+		names:     names,
+		modTime:   modTime,
+		checkTime: checkTime,
+	}
+	manifestData.Store(data)
+	return data
+}
+
+func getManifestData() *manifestDataStruct {
+	data := manifestData.Load()
+
+	// In production the manifest is immutable (embedded in the binary).
+	// In dev mode, check if it changed on disk (for watch-frontend).
+	if data == nil || !setting.IsProd {
+		data = reloadManifest(data)
+	}
+	if data == nil {
+		data = &manifestDataStruct{}
+	}
+	return data
+}
+
+// getHashedPath resolves an unhashed asset path (origin path) to its content-hashed path from the frontend manifest.
+// Example: getHashedPath("js/index.js") returns "js/index.C6Z2MRVQ.js"
+// Falls back to returning the input path unchanged if the manifest is unavailable.
+func getHashedPath(originPath string) string {
+	data := getManifestData()
+	if p, ok := data.paths[originPath]; ok {
+		return p
+	}
+	return originPath
+}
+
+// AssetURI returns the URI for a frontend asset.
+// It may return a relative path or a full URL depending on the StaticURLPrefix setting.
+// In Vite dev mode, known entry points are mapped to their source paths
+// so the reverse proxy serves them from the Vite dev server.
+// In production, it resolves the content-hashed path from the manifest.
+func AssetURI(originPath string) string {
+	if src := viteDevSourceURL(originPath); src != "" {
+		return src
+	}
+	return setting.StaticURLPrefix + "/assets/" + getHashedPath(originPath)
+}
+
+// AssetNameFromHashedPath returns the asset entry name for a given hashed asset path.
+// Example: returns "theme-gitea-dark" for "css/theme-gitea-dark.CyAaQnn5.css".
+// Returns empty string if the path is not found in the manifest.
+func AssetNameFromHashedPath(hashedPath string) string {
+	return getManifestData().names[hashedPath]
+}

modules/public/manifest_test.go

@@ -0,0 +1,91 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package public
+
+import (
+	"testing"
+	"time"
+
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestViteManifest(t *testing.T) {
+	defer test.MockVariableValue(&setting.IsProd, true)()
+
+	const testManifest = `{
+	"web_src/js/index.ts": {
+		"file": "js/index.C6Z2MRVQ.js",
+		"name": "index",
+		"src": "web_src/js/index.ts",
+		"isEntry": true,
+		"css": ["css/index.B3zrQPqD.css"]
+	},
+	"web_src/js/standalone/swagger.ts": {
+		"file": "js/swagger.SujiEmYM.js",
+		"name": "swagger",
+		"src": "web_src/js/standalone/swagger.ts",
+		"isEntry": true,
+		"css": ["css/swagger._-APWT_3.css"]
+	},
+	"web_src/css/themes/theme-gitea-dark.css": {
+		"file": "css/theme-gitea-dark.CyAaQnn5.css",
+		"name": "theme-gitea-dark",
+		"src": "web_src/css/themes/theme-gitea-dark.css",
+		"isEntry": true
+	},
+	"web_src/js/features/eventsource.sharedworker.ts": {
+		"file": "js/eventsource.sharedworker.Dug1twio.js",
+		"name": "eventsource.sharedworker",
+		"src": "web_src/js/features/eventsource.sharedworker.ts",
+		"isEntry": true
+	},
+	"_chunk.js": {
+		"file": "js/chunk.abc123.js",
+		"name": "chunk"
+	}
+}`
+
+	t.Run("EmptyManifest", func(t *testing.T) {
+		storeManifestFromBytes([]byte(``), 0, time.Now())
+		assert.Equal(t, "/assets/js/index.js", AssetURI("js/index.js"))
+		assert.Equal(t, "/assets/css/theme-gitea-dark.css", AssetURI("css/theme-gitea-dark.css"))
+		assert.Equal(t, "", AssetNameFromHashedPath("css/no-such-file.css"))
+	})
+
+	t.Run("ParseManifest", func(t *testing.T) {
+		storeManifestFromBytes([]byte(testManifest), 0, time.Now())
+		paths, names := manifestData.Load().paths, manifestData.Load().names
+
+		// JS entries
+		assert.Equal(t, "js/index.C6Z2MRVQ.js", paths["js/index.js"])
+		assert.Equal(t, "js/swagger.SujiEmYM.js", paths["js/swagger.js"])
+		assert.Equal(t, "js/eventsource.sharedworker.Dug1twio.js", paths["js/eventsource.sharedworker.js"])
+
+		// Associated CSS from JS entries
+		assert.Equal(t, "css/index.B3zrQPqD.css", paths["css/index.css"])
+		assert.Equal(t, "css/swagger._-APWT_3.css", paths["css/swagger.css"])
+
+		// CSS-only entries
+		assert.Equal(t, "css/theme-gitea-dark.CyAaQnn5.css", paths["css/theme-gitea-dark.css"])
+
+		// Non-entry chunks should not be included
+		assert.Empty(t, paths["js/chunk.js"])
+
+		// Names: hashed path -> entry name
+		assert.Equal(t, "index", names["js/index.C6Z2MRVQ.js"])
+		assert.Equal(t, "index", names["css/index.B3zrQPqD.css"])
+		assert.Equal(t, "swagger", names["js/swagger.SujiEmYM.js"])
+		assert.Equal(t, "swagger", names["css/swagger._-APWT_3.css"])
+		assert.Equal(t, "theme-gitea-dark", names["css/theme-gitea-dark.CyAaQnn5.css"])
+		assert.Equal(t, "eventsource.sharedworker", names["js/eventsource.sharedworker.Dug1twio.js"])
+
+		// Test Asset related functions
+		assert.Equal(t, "/assets/js/index.C6Z2MRVQ.js", AssetURI("js/index.js"))
+		assert.Equal(t, "/assets/css/theme-gitea-dark.CyAaQnn5.css", AssetURI("css/theme-gitea-dark.css"))
+		assert.Equal(t, "theme-gitea-dark", AssetNameFromHashedPath("css/theme-gitea-dark.CyAaQnn5.css"))
+	})
+}

modules/public/vitedev.go

@@ -0,0 +1,168 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package public
+
+import (
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web/routing"
+)
+
+const viteDevPortFile = "public/assets/.vite/dev-port"
+
+var viteDevProxy atomic.Pointer[httputil.ReverseProxy]
+
+func getViteDevProxy() *httputil.ReverseProxy {
+	if proxy := viteDevProxy.Load(); proxy != nil {
+		return proxy
+	}
+
+	portFile := filepath.Join(setting.StaticRootPath, viteDevPortFile)
+	data, err := os.ReadFile(portFile)
+	if err != nil {
+		return nil
+	}
+	port := strings.TrimSpace(string(data))
+	if port == "" {
+		return nil
+	}
+
+	target, err := url.Parse("http://localhost:" + port)
+	if err != nil {
+		log.Error("Failed to parse Vite dev server URL: %v", err)
+		return nil
+	}
+
+	// there is a strange error log (from Golang's HTTP package)
+	// 2026/03/28 19:50:13 modules/log/misc.go:72:(*loggerToWriter).Write() [I] Unsolicited response received on idle HTTP channel starting with "HTTP/1.1 400 Bad Request\r\n\r\n"; err=<nil>
+	// maybe it is caused by that the Vite dev server doesn't support keep-alive connections? or different keep-alive timeouts?
+	transport := &http.Transport{
+		IdleConnTimeout:       5 * time.Second,
+		ResponseHeaderTimeout: 5 * time.Second,
+	}
+	log.Info("Proxying Vite dev server requests to %s", target)
+	proxy := &httputil.ReverseProxy{
+		Transport: transport,
+		Rewrite: func(r *httputil.ProxyRequest) {
+			r.SetURL(target)
+			r.Out.Host = target.Host
+		},
+		ModifyResponse: func(resp *http.Response) error {
+			// add a header to indicate the Vite dev server port,
+			// make developers know that this request is proxied to Vite dev server and which port it is
+			resp.Header.Add("X-Gitea-Vite-Port", port)
+			return nil
+		},
+		ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
+			log.Error("Error proxying to Vite dev server: %v", err)
+			http.Error(w, "Error proxying to Vite dev server: "+err.Error(), http.StatusBadGateway)
+		},
+	}
+	viteDevProxy.Store(proxy)
+	return proxy
+}
+
+// ViteDevMiddleware proxies matching requests to the Vite dev server.
+// It is registered as middleware in non-production mode and lazily discovers
+// the Vite dev server port from the port file written by the viteDevServerPortPlugin.
+// It is needed because there are container-based development, only Gitea web server's port is exposed.
+func ViteDevMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
+		if !isViteDevRequest(req) {
+			next.ServeHTTP(resp, req)
+			return
+		}
+		proxy := getViteDevProxy()
+		if proxy == nil {
+			next.ServeHTTP(resp, req)
+			return
+		}
+		routing.MarkLongPolling(resp, req)
+		proxy.ServeHTTP(resp, req)
+	})
+}
+
+// isViteDevMode returns true if the Vite dev server port file exists.
+// In production mode, the result is cached after the first check.
+func isViteDevMode() bool {
+	if setting.IsProd {
+		return false
+	}
+	portFile := filepath.Join(setting.StaticRootPath, viteDevPortFile)
+	_, err := os.Stat(portFile)
+	return err == nil
+}
+
+func viteDevSourceURL(name string) string {
+	if !isViteDevMode() {
+		return ""
+	}
+	if strings.HasPrefix(name, "css/theme-") {
+		// Only redirect built-in themes to Vite source; custom themes are served from custom/public/assets/css/
+		themeFile := strings.TrimPrefix(name, "css/")
+		srcPath := filepath.Join(setting.StaticRootPath, "web_src/css/themes", themeFile)
+		if _, err := os.Stat(srcPath); err == nil {
+			return setting.AppSubURL + "/web_src/css/themes/" + themeFile
+		}
+		return ""
+	}
+	if strings.HasPrefix(name, "css/") {
+		return setting.AppSubURL + "/web_src/" + name
+	}
+	if name == "js/eventsource.sharedworker.js" {
+		return setting.AppSubURL + "/web_src/js/features/eventsource.sharedworker.ts"
+	}
+	if name == "js/iife.js" {
+		return setting.AppSubURL + "/web_src/js/__vite_iife.js"
+	}
+	if name == "js/index.js" {
+		return setting.AppSubURL + "/web_src/js/index.ts"
+	}
+	return ""
+}
+
+// isViteDevRequest returns true if the request should be proxied to the Vite dev server.
+// Ref: Vite source packages/vite/src/node/constants.ts and packages/vite/src/shared/constants.ts
+func isViteDevRequest(req *http.Request) bool {
+	if req.Header.Get("Upgrade") == "websocket" {
+		wsProtocol := req.Header.Get("Sec-WebSocket-Protocol")
+		return wsProtocol == "vite-hmr" || wsProtocol == "vite-ping"
+	}
+	path := req.URL.Path
+
+	// vite internal requests
+	if strings.HasPrefix(path, "/@vite/") /* HMR client */ ||
+		strings.HasPrefix(path, "/@fs/") /* out-of-root file access, see vite.config.ts: fs.allow */ ||
+		strings.HasPrefix(path, "/@id/") /* virtual modules */ {
+		return true
+	}
+
+	// local source requests (VITE-DEV-SERVER-SECURITY: don't serve sensitive files outside the allowed paths)
+	if strings.HasPrefix(path, "/node_modules/") ||
+		strings.HasPrefix(path, "/public/assets/") ||
+		strings.HasPrefix(path, "/web_src/") {
+		return true
+	}
+
+	// Vite uses a path relative to project root and adds "?import" to non-JS/CSS asset imports:
+	// - {WebSite}/public/assets/... (e.g. SVG icons from "{RepoRoot}/public/assets/img/svg/")
+	// - {WebSite}/assets/emoji.json: it is an exception for the frontend assets, it is imported by JS code, but:
+	//   - KEEP IN MIND: all static frontend assets are served from "{AssetFS}/assets" to "{WebSite}/assets" by Gitea Web Server
+	//   - "{AssetFS}" is a layered filesystem from "{RepoRoot}/public" or embedded assets, and user's custom files in "{CustomPath}/public"
+	//   - "{RepoRoot}/assets/emoji.json" just happens to have the dir name "assets", it is not related to frontend assets
+	//   - BAD DESIGN: indeed it is a "conflicted and polluted name" sample
+	if path == "/assets/emoji.json" {
+		return true
+	}
+	return false
+}

modules/setting/server.go

@@ -72,9 +72,6 @@ var (
 	// It maps to ini:"LOCAL_ROOT_URL" in [server]
 	LocalURL string
 
-	// AssetVersion holds an opaque value that is used for cache-busting assets
-	AssetVersion string
-
 	// appTempPathInternal is the temporary path for the app, it is only an internal variable
 	// DO NOT use it directly, always use AppDataTempDir
 	appTempPathInternal string
@@ -317,8 +314,6 @@ func loadServerFrom(rootCfg ConfigProvider) {
 	}
 
 	AbsoluteAssetURL = MakeAbsoluteAssetURL(appURL, StaticURLPrefix)
-	AssetVersion = strings.ReplaceAll(AppVer, "+", "~") // make sure the version string is clear (no real escaping is needed)
-
 	manifestBytes := MakeManifestData(AppName, AppURL, AbsoluteAssetURL)
 	ManifestData = `application/json;base64,` + base64.StdEncoding.EncodeToString(manifestBytes)
 

modules/templates/helper.go

@@ -6,15 +6,18 @@ package templates
 
 import (
 	"fmt"
+	"html"
 	"html/template"
 	"net/url"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/htmlutil"
 	"code.gitea.io/gitea/modules/markup"
+	"code.gitea.io/gitea/modules/public"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/svg"
 	"code.gitea.io/gitea/modules/templates/eval"
@@ -68,6 +71,8 @@ func NewFuncMap() template.FuncMap {
 			return strconv.FormatInt(time.Since(startTime).Nanoseconds()/1e6, 10) + "ms"
 		},
 
+		"AssetURI":     public.AssetURI,
+		"ScriptImport": scriptImport,
 		// -----------------------------------------------------------------
 		// setting
 		"AppName": func() string {
@@ -92,9 +97,6 @@ func NewFuncMap() template.FuncMap {
 		"AppDomain": func() string { // documented in mail-templates.md
 			return setting.Domain
 		},
-		"AssetVersion": func() string {
-			return setting.AssetVersion
-		},
 		"ShowFooterTemplateLoadTime": func() bool {
 			return setting.Other.ShowFooterTemplateLoadTime
 		},
@@ -303,3 +305,30 @@ func QueryBuild(a ...any) template.URL {
 	}
 	return template.URL(s)
 }
+
+var globalVars = sync.OnceValue(func() (ret struct {
+	scriptImportRemainingPart string
+},
+) {
+	// add onerror handler to alert users when the script fails to load:
+	// * for end users: there were many users reporting that "UI doesn't work", actually they made mistakes in their config
+	// * for developers: help them to remember to run "make watch-frontend" to build frontend assets
+	// the message will be directly put in the onerror JS code's string
+	onScriptErrorPrompt := `Please make sure the asset files can be accessed.`
+	if !setting.IsProd {
+		onScriptErrorPrompt += `\n\nFor development, run: make watch-frontend.`
+	}
+	onScriptErrorJS := fmt.Sprintf(`alert('Failed to load asset file from ' + this.src + '. %s')`, onScriptErrorPrompt)
+	ret.scriptImportRemainingPart = `onerror="` + html.EscapeString(onScriptErrorJS) + `"></script>`
+	return ret
+})
+
+func scriptImport(path string, typ ...string) template.HTML {
+	if len(typ) > 0 {
+		if typ[0] == "module" {
+			return template.HTML(`<script type="module" src="` + html.EscapeString(public.AssetURI(path)) + `" ` + globalVars().scriptImportRemainingPart)
+		}
+		panic("unsupported script type: " + typ[0])
+	}
+	return template.HTML(`<script src="` + html.EscapeString(public.AssetURI(path)) + `" ` + globalVars().scriptImportRemainingPart)
+}

modules/web/handler.go

@@ -4,7 +4,9 @@
 package web
 
 import (
+	"bufio"
 	"fmt"
+	"net"
 	"net/http"
 	"reflect"
 
@@ -47,6 +49,13 @@ func (r *responseWriter) WriteHeader(statusCode int) {
 	r.respWriter.WriteHeader(statusCode)
 }
 
+func (r *responseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	if hj, ok := r.respWriter.(http.Hijacker); ok {
+		return hj.Hijack()
+	}
+	return nil, nil, http.ErrNotSupported
+}
+
 var (
 	httpReqType    = reflect.TypeFor[*http.Request]()
 	respWriterType = reflect.TypeFor[http.ResponseWriter]()

modules/web/routing/context.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 
 	"code.gitea.io/gitea/modules/gtprof"
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/reqctx"
 )
 
@@ -40,6 +41,18 @@ func MarkLongPolling(resp http.ResponseWriter, req *http.Request) {
 
 	record.lock.Lock()
 	record.isLongPolling = true
+	record.logLevel = log.TRACE
+	record.lock.Unlock()
+}
+
+func MarkLogLevelTrace(resp http.ResponseWriter, req *http.Request) {
+	record, ok := req.Context().Value(contextKey).(*requestRecord)
+	if !ok {
+		return
+	}
+
+	record.lock.Lock()
+	record.logLevel = log.TRACE
 	record.lock.Unlock()
 }
 

modules/web/routing/logger.go

@@ -5,7 +5,6 @@ package routing
 
 import (
 	"net/http"
-	"strings"
 	"time"
 
 	"code.gitea.io/gitea/modules/log"
@@ -36,17 +35,8 @@ var (
 
 func logPrinter(logger log.Logger) func(trigger Event, record *requestRecord) {
 	const callerName = "HTTPRequest"
-	logTrace := func(fmt string, args ...any) {
-		logger.Log(2, &log.Event{Level: log.TRACE, Caller: callerName}, fmt, args...)
-	}
-	logInfo := func(fmt string, args ...any) {
-		logger.Log(2, &log.Event{Level: log.INFO, Caller: callerName}, fmt, args...)
-	}
-	logWarn := func(fmt string, args ...any) {
-		logger.Log(2, &log.Event{Level: log.WARN, Caller: callerName}, fmt, args...)
-	}
-	logError := func(fmt string, args ...any) {
-		logger.Log(2, &log.Event{Level: log.ERROR, Caller: callerName}, fmt, args...)
+	logRequest := func(level log.Level, fmt string, args ...any) {
+		logger.Log(2, &log.Event{Level: level, Caller: callerName}, fmt, args...)
 	}
 	return func(trigger Event, record *requestRecord) {
 		if trigger == StartEvent {
@@ -57,7 +47,7 @@ func logPrinter(logger log.Logger) func(trigger Event, record *requestRecord) {
 			}
 			// when a request starts, we have no information about the handler function information, we only have the request path
 			req := record.request
-			logTrace("router: %s %v %s for %s", startMessage, log.ColoredMethod(req.Method), req.RequestURI, req.RemoteAddr)
+			logRequest(log.TRACE, "router: %s %v %s for %s", startMessage, log.ColoredMethod(req.Method), req.RequestURI, req.RemoteAddr)
 			return
 		}
 
@@ -73,12 +63,12 @@ func logPrinter(logger log.Logger) func(trigger Event, record *requestRecord) {
 
 		if trigger == StillExecutingEvent {
 			message := slowMessage
-			logf := logWarn
+			logLevel := log.WARN
 			if isLongPolling {
-				logf = logInfo
+				logLevel = log.INFO
 				message = pollingMessage
 			}
-			logf("router: %s %v %s for %s, elapsed %v @ %s",
+			logRequest(logLevel, "router: %s %v %s for %s, elapsed %v @ %s",
 				message,
 				log.ColoredMethod(req.Method), req.RequestURI, req.RemoteAddr,
 				log.ColoredTime(time.Since(record.startTime)),
@@ -88,7 +78,7 @@ func logPrinter(logger log.Logger) func(trigger Event, record *requestRecord) {
 		}
 
 		if panicErr != nil {
-			logWarn("router: %s %v %s for %s, panic in %v @ %s, err=%v",
+			logRequest(log.WARN, "router: %s %v %s for %s, panic in %v @ %s, err=%v",
 				failedMessage,
 				log.ColoredMethod(req.Method), req.RequestURI, req.RemoteAddr,
 				log.ColoredTime(time.Since(record.startTime)),
@@ -102,21 +92,22 @@ func logPrinter(logger log.Logger) func(trigger Event, record *requestRecord) {
 		if v, ok := record.responseWriter.(types.ResponseStatusProvider); ok {
 			status = v.WrittenStatus()
 		}
-		logf := logInfo
+		logLevel := record.logLevel
+		if logLevel == log.UNDEFINED {
+			logLevel = log.INFO
+		}
 		// lower the log level for some specific requests, in most cases these logs are not useful
 		if status > 0 && status < 400 &&
-			strings.HasPrefix(req.RequestURI, "/assets/") /* static assets */ ||
-			req.RequestURI == "/user/events" /* Server-Sent Events (SSE) handler */ ||
 			req.RequestURI == "/api/actions/runner.v1.RunnerService/FetchTask" /* Actions Runner polling */ {
-			logf = logTrace
+			logLevel = log.TRACE
 		}
 		message := completedMessage
 		if isUnknownHandler {
-			logf = logError
+			logLevel = log.ERROR
 			message = unknownHandlerMessage
 		}
 
-		logf("router: %s %v %s for %s, %v %v in %v @ %s",
+		logRequest(logLevel, "router: %s %v %s for %s, %v %v in %v @ %s",
 			message,
 			log.ColoredMethod(req.Method), req.RequestURI, req.RemoteAddr,
 			log.ColoredStatus(status), log.ColoredStatus(status, http.StatusText(status)), log.ColoredTime(time.Since(record.startTime)),

modules/web/routing/requestrecord.go

@@ -7,6 +7,8 @@ import (
 	"net/http"
 	"sync"
 	"time"
+
+	"code.gitea.io/gitea/modules/log"
 )
 
 type requestRecord struct {
@@ -23,6 +25,7 @@ type requestRecord struct {
 
 	// mutable fields
 	isLongPolling bool
+	logLevel      log.Level
 	funcInfo      *FuncInfo
 	panicError    error
 }