Accepting request 1190962 from home:ojkastl_buildservice:Branch_devel_tools_scm

update to 7.0.6 OBS-URL: https://build.opensuse.org/request/show/1190962 OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=27
2024-08-01 16:34:02 +00:00 · 2024-08-01 16:34:02 +00:00 · 3b35cb0d92
commit 3b35cb0d92
23 changed files with 16066 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/9
+++ b/9
@ -0,0 +1,9 @@
+<?xml version="1.0" ?>
+<services>
+  <service name="download_files" mode="manual" />
+  <service name="node_modules" mode="manual">
+    <param name="cpio">node_modules.obscpio</param>
+    <param name="output">node_modules.spec.inc</param>
+    <param name="source-offset">10000</param>
+  </service>
+</services>
--- a/apparmor-usr.bin.forgejo
+++ b/apparmor-usr.bin.forgejo
@ -0,0 +1,88 @@
+abi <abi/3.0>,
+
+#include <tunables/global>
+
+profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
+
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+  #include <abstractions/user-tmp>
+  #include <abstractions/mysql>
+
+  network inet  stream,
+  network inet6 stream,
+
+  /usr/bin/forgejo mr,
+  /usr/bin/gzip mr,
+
+  # Grant read access to config files
+  /etc/mime.types r,
+  /usr/share/mime/globs2 r,
+  /etc/machine-id r,
+  /etc/forgejo/ r,
+  /etc/forgejo/{conf,https,mailer}/ r,
+  /etc/forgejo/https/*.{crt,key,pem} r,
+
+  # Access to config file app.ini
+  /etc/forgejo/conf/app.ini r,
+  # Config must be writeable for initial setup
+  # to restrict to read-only access admin can do after setup:
+  # chown root:gitea /etc/gitea/conf/app.ini
+  # chmod 0640 /etc/gitea/conf/app.ini
+  owner /etc/forgejo/conf/app.ini w,
+
+  # Grant read access to public custom static content
+  /etc/forgejo/public/ r,
+  /etc/forgejo/public/** r,
+
+  # allow invoking executables
+  /usr/bin/{basename,bash,cat,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
+  /usr/{lib,libexec}/git/git ix,
+  /usr/{lib,libexec}/git/git-remote-http ix,
+  /usr/share/git-core/templates/ r,
+  /usr/share/git-core/templates/** r,
+  /etc/gitconfig r,
+
+  # Grant read access to static content
+  /usr/share/forgejo/** r,
+
+  # Grant read access to some process parameters
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  @{PROC}/sys/net/core/somaxconn r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
+
+  # Grant read access to working directory
+  /var/lib/forgejo/ r,
+
+  # Allow TTY access
+  /dev/tty rw,
+
+  # Grant access to various data/repo directories
+  owner /tmp/patch* rw,
+  owner /tmp/index* rw,
+  owner /tmp/forgejo** rwl,
+  owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
+  owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
+  owner /var/lib/forgejo/data/forgejo-repositories/** rwkl,
+  owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
+  owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
+  owner /var/lib/forgejo/https/** rwkl,
+
+  # Ugly!
+  /usr/share/forgejo/.gitconfig rw,
+  /usr/share/forgejo/.gitconfig.lock rw,
+  /var/lib/forgejo/.ssh/ rw,
+  /var/lib/forgejo/.ssh/* rw,
+  /var/lib/forgejo/.local/** rw,
+
+  # for writing access log file
+  /var/log/forgejo/ rw,
+  /var/log/forgejo/access.log rw,
+  /var/log/forgejo/access.log.* w,
+  /var/log/forgejo/doctors-* rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.forgejo>
+}
--- a/custom-app.ini.patch
+++ b/custom-app.ini.patch
@ -0,0 +1,177 @@
+Index: gitea-1.21.3/custom/conf/app.example.ini
+===================================================================
+--- gitea-1.21.3.orig/custom/conf/app.example.ini
+++ gitea-1.21.3/custom/conf/app.example.ini
+@@ -44,7 +44,7 @@
+ APP_NAME = ; Gitea: Git with a cup of tea
+ ;;
+ ;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
+-RUN_USER = ; git
+RUN_USER = ; forgejo
+ ;;
+ ;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
+ ;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
+@@ -273,15 +273,17 @@ RUN_USER = ; git
+ ;; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
+ ;; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
+ ;; Paths are relative to CUSTOM_PATH
+-;CERT_FILE = https/cert.pem
+-;KEY_FILE = https/key.pem
+CERT_FILE = /etc/forgejo/https/cert.pem
+KEY_FILE = /etc/forgejo/https/key.pem
+ ;;
+ ;; Root directory containing templates and static files.
+ ;; default is the path where Gitea is executed
+ ;STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_
+STATIC_ROOT_PATH = /usr/share/forgejo
+ ;;
+ ;; Default path for App data
+ ;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
+APP_DATA_PATH = /var/lib/forgejo/data
+ ;;
+ ;; Enable gzip compression for runtime-generated content, static resources excluded
+ ;ENABLE_GZIP = false
+@@ -293,6 +295,7 @@ RUN_USER = ; git
+ ;;
+ ;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
+ ;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
+PPROF_DATA_PATH = /var/lib/forgejo/data/tmp/pprof
+ ;;
+ ;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
+ ;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
+@@ -368,7 +371,7 @@ USER = root
+ ;; SQLite Configuration
+ ;;
+ ;DB_TYPE = sqlite3
+-;PATH= ; defaults to data/forgejo.db
+;PATH= /var/lib/forgejo/data/gitea.db ; defaults to data/forgejo.db
+ ;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
+ ;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
+ ;;
+@@ -561,14 +564,14 @@ ENABLE = true
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
+-;ROOT_PATH =
+ROOT_PATH = /var/log/forgejo
+ ;;
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;; Main Logger
+ ;;
+ ;; Either "console", "file" or "conn", default is "console"
+ ;; Use comma to separate multiple modes, e.g. "console, file"
+-MODE = console
+MODE = console, file
+ ;;
+ ;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
+ LEVEL = Info
+@@ -904,7 +907,7 @@ LEVEL = Info
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
+ ;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
+-;ROOT =
+ROOT = /var/lib/forgejo/repositories
+ ;;
+ ;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
+ ;SCRIPT_TYPE = bash
+@@ -1014,7 +1017,7 @@ LEVEL = Info
+ ;ENABLED = true
+ ;;
+ ;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
+-;TEMP_PATH = data/tmp/uploads
+TEMP_PATH = /var/lib/forgejo/data/tmp/uploads
+ ;;
+ ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+ ;ALLOWED_TYPES =
+@@ -1368,7 +1371,7 @@ LEVEL = Info
+ ;ISSUE_INDEXER_TYPE = bleve
+ ;;
+ ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
+-;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
+;ISSUE_INDEXER_PATH = /var/lib/forgejo/indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
+ ;;
+ ;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
+ ;ISSUE_INDEXER_CONN_STR =
+@@ -1395,7 +1398,7 @@ LEVEL = Info
+ ;REPO_INDEXER_TYPE = bleve
+ ;;
+ ;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
+-;REPO_INDEXER_PATH = indexers/repos.bleve
+;REPO_INDEXER_PATH = /var/lib/forgejo/indexers/repos.bleve
+ ;;
+ ;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
+ ;REPO_INDEXER_CONN_STR =
+@@ -1429,6 +1432,7 @@ LEVEL = Info
+ ;;
+ ;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
+ ;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
+DATADIR = /var/lib/forgejo/queues/
+ ;;
+ ;; Default queue length before a channel queue will block
+ ;LENGTH = 100000
+@@ -1752,7 +1756,7 @@ LEVEL = Info
+ ;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
+ ;; redis-cluster: `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
+ ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
+-;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
+;PROVIDER_CONFIG = /var/lib/forgejo/data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
+ ;;
+ ;; Session cookie name
+ ;COOKIE_NAME = i_like_gitea
+@@ -1839,7 +1843,7 @@ LEVEL = Info
+ ;;
+ ;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
+ ;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
+-;PATH = attachments
+PATH = /var/lib/forgejo/data/attachments
+ ;;
+ ;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
+ ;MINIO_ENDPOINT = localhost:9000
+@@ -1857,7 +1861,7 @@ LEVEL = Info
+ ;MINIO_LOCATION = us-east-1
+ ;;
+ ;; Minio base path on the bucket only available when STORAGE_TYPE is `minio`
+-;MINIO_BASE_PATH = attachments/
+;MINIO_BASE_PATH = /var/lib/forgejo/attachments/
+ ;;
+ ;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
+ ;MINIO_USE_SSL = false
+@@ -2428,10 +2432,10 @@ LEVEL = Info
+ ;;
+ ;STORAGE_TYPE = local
+ ;; override the minio base path if storage type is minio
+-;MINIO_BASE_PATH = packages/
+;MINIO_BASE_PATH = /var/lib/forgejo/packages/
+ ;;
+ ;; Path for chunked uploads. Defaults to APP_DATA_PATH + `tmp/package-upload`
+-;CHUNKED_UPLOAD_PATH = tmp/package-upload
+;CHUNKED_UPLOAD_PATH = /var/lib/forgejo/tmp/package-upload
+ ;;
+ ;; Maximum count of package versions a single owner can have (`-1` means no limits)
+ ;LIMIT_TOTAL_OWNER_COUNT = -1
+@@ -2498,10 +2502,10 @@ LEVEL = Info
+ ;STORAGE_TYPE = local
+ ;;
+ ;; Where your lfs files reside, default is data/lfs.
+-;PATH = data/repo-archive
+;PATH = /var/lib/forgejo/data/repo-archive
+ ;;
+ ;; override the minio base path if storage type is minio
+-;MINIO_BASE_PATH = repo-archive/
+;MINIO_BASE_PATH = /var/lib/forgejo/repo-archive/
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+@@ -2521,10 +2525,10 @@ LEVEL = Info
+ ;STORAGE_TYPE = local
+ ;;
+ ;; Where your lfs files reside, default is data/lfs.
+-;PATH = data/lfs
+;PATH = /var/lib/forgejo/data/lfs
+ ;;
+ ;; override the minio base path if storage type is minio
+-;MINIO_BASE_PATH = lfs/
+;MINIO_BASE_PATH = /var/lib/forgejo/lfs/
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--- a/forgejo-src-7.0.5.tar.gz
+++ b/forgejo-src-7.0.5.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:647efd8b70e312e1d8aa349a535bae1c9cce5c095a7a2ebe0d0b0ec84ff1e198
+size 55031691
--- a/forgejo-src-7.0.5.tar.gz.asc
+++ b/forgejo-src-7.0.5.tar.gz.asc
@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZoWjbAAKCRCkthotxZI3
+EOPsAQDia3FAbVWnztj3h+SqLvI+7faAzVy2IMGsQpOrPuHleAEAsf+PqLn3rzz2
+CWqTPCo4MWRuYUi6ELY3SS4Xug/DgAM=
+=DqT0
+-----END PGP SIGNATURE-----
--- a/forgejo-src-7.0.6.tar.gz
+++ b/forgejo-src-7.0.6.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b33ca271d4d8ecf00ce80d2ee14888d40265ab648b880fd9bb9916bf9e88b15b
+size 53489756
--- a/forgejo-src-7.0.6.tar.gz.asc
+++ b/forgejo-src-7.0.6.tar.gz.asc
@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZqjZygAKCRCkthotxZI3
+EJmNAP9IiHThCEotiYrOt3YzdOeaEAM3vfLzyf4PN1jWibbiogEAzGyWuho+MH8z
+9TqdaLJIF/T3L62r/TgZ+mlZ0HHkLQM=
+=ExB8
+-----END PGP SIGNATURE-----
--- a/forgejo.changes
+++ b/forgejo.changes
@ -0,0 +1,251 @@
+-------------------------------------------------------------------
+Thu Aug  1 10:50:53 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 7.0.6:
+  * Two frontend features were removed because a license
+    incompatibility was discovered. Read more in the companion blog
+    post.
+    - PR (backported from): Mermaid rendering: %%{init:
+      {"flowchart": {"defaultRenderer": "elk"}} }%% will now fail
+      because ELK is no longer included.
+    - PR (backported from): Repository citation: Removed the
+      ability to export citations in APA format.
+  * User Interface bug fixes
+    - PR (backported from): Replace vue-bar-graph with chart.js
+    - PR (backported from): Show AGit label on merged PR
+    - PR (backported from): Fix mobile UI for organisation creation
+  * Bug fixes
+    - PR (backported from): fix(api): issue state change is not
+      idempotent
+    - PR (backported from): Reserve the devtest username
+    - PR (backported from): fix(actions): no edited event triggered
+      when a title is changed
+    - PR (backported from): Load attachments for
+      /issues/comments/{id}
+    - PR (backported from): When searching for users, page the
+      results by default, and respect the default paging limits
+    - PR (backported from): the "View command line instructions"
+      link in pull requests and the "Copy content" button in file
+      editor are not accessible
+    - PR (backported from): Use correct SHA in GetCommitPullRequest
+  * Localization
+    - PR (backported from): Update of translations from Weblate
+    - PR: Update of translations from Weblate
+    - PR (backported from): 3 translation updates from Weblate - PR
+      1, PR 2, PR 3
+
+-------------------------------------------------------------------
+Mon Jul 15 06:28:18 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- fix typo Environemnt in forgejo.service
+
+-------------------------------------------------------------------
+Fri Jul  5 07:13:38 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 7.0.5:
+  * Fixed: CVE-2024-24791 - GO-2024-2963 Denial of service due to improper 
+    100-continue handling in net/http
+  * Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead 
+    of Default URLs" checkbox (missing checkbox, irrelevant fields).
+  * Fixed: git push to an adopted repository fails.
+  * Fixed: markdown doesn't render math within brackets
+  * Fixed: selecting the "No Project" filter in the issue/pull request list has no effect
+  * Fixed: error 500 when processing crafted TIFF files.
+  * Fixed: wrong placeholder text in the form for adding repository collaborator.
+
+-------------------------------------------------------------------
+Sun Jun 16 12:52:27 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.4:
+  * Fixed: CVE-2024-24789: the archive/zip package's handling of certain types
+    of invalid zip files differs from the behavior of most zip implementations.
+    This misalignment could be exploited to create an zip file with contents that
+    vary depending on the implementation reading the file.
+  * the OAuth2 implementation does not always require authentication for public
+    clients, a requirement of RFC 6749 Section 10.2
+  * forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path.
+  * avatar files can be found in storage while they do not exist in the database.
+  * repository admins are always denied the right to force merge and instance admins
+    are subject to restrictions to merge that must only apply to repository admins.
+  * non conformance with the Nix tarball fetcher immutable link protocol.
+  * migrated activities (such as reviews) are mapped to the user who initiated the
+    migration rather than the Ghost user, if the external user cannot be mapped to a
+    local one. This mapping mismatch leads to internal server errors in some cases.
+  *  a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored.
+  * using a subquery for user deletion is a performance bottleneck when using mariadb 10
+    because only mariadb 11 takes advantage of the available index.
+  * a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error.
+  * SourceHut Builds webhook fail when the triggers field is used.
+  * the label list rendering in the issue and pull request timeline is displayed on
+    multiple lines instead of a single one.
+  * Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.
+  * automerge does not happen when the approval count reaches the required threshold.
+  * the FORCE_PRIVATE=true setting is not consistently enforced.
+  * CSRF validation errors when OAuth is not enabled.
+  * headlines in rendered org-mode do not have a margin on the top
+
+-------------------------------------------------------------------
+Wed May 22 20:41:58 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.3:
+  * CVE-2024-24788: a malformed DNS message in response to a query can
+    cause the lookup functions to get stuck in an infinite loop
+  * backticks in mermaid block diagram labels are not sanitized properly
+  * migration of a repository from gogs fails when it is hosted at a subpath.
+  * when creating an OAuth2 application the redirect URLs are not enforced to
+    be mandatory
+  * the API incorrectly excludes repositories where code is not enabled
+  * "Allow edits from maintainers" cannot be modified via the pull request web UI
+  * repository activity feeds (including RSS and Atom feeds) contain
+    repeated activities
+  * uploading maven packages with metadata being uploaded separately will fail
+  * the mail notification sent about commits pushed to pull requests are empty
+  * inline emails attachments are not properly handled when commenting on an
+    issue via email
+  * the links to .zip and tar.gz on the tag list web UI fail
+  * expanding code diff while previewing a pull request before it is created fails
+  * the CLI is not able to migrate Forgejo Actions artifacts
+  * when adopting a repository, the default branch is not taken into account
+  * when using reverse proxy authentication, logout will not be taken into
+    account when immediately trying to login afterwards
+  * pushing to the master branch of a sha256 repository fails
+  * a very long project column name will make the action menu inaccessible
+  * a useless error is displayed when the title of a merged pull request is
+    modified
+  * workflow badges are not working for workflows that are not running on push
+    (such as scheduled workflows, and ones that run on tags and pull requests)
+
+-------------------------------------------------------------------
+Fri May  3 00:35:37 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.2:
+  * regression where subscribing to or unsubscribing from an issue in a
+    repository with no code produced an internal server error.
+  * regression makes all the refs sent in Gitea webhooks to be full refs and
+    might break Woodpecker CI pipelines triggered on tag (CI_COMMIT_TAG
+    contained the full ref). This issue has been fixed in the main branch of
+    Woodpecker CI as well.
+  *  the webhook branch filter wrongly applied the match on the full ref for
+     branch creation and deletion (wrongly skipping events).
+  * toggling the WIP state of a pull request is possible from the sidebar,
+    but not from the footer.
+  * when mentioning a user, the markup post-processor does not handle the case
+    where the mentioned user does not exist: it tries to skip to the next node,
+    which in turn, ended up skipping the rest of the line.
+  * excessive and unnecessary database queries when a user with no repositories
+    is viewing their dashboard.
+  * duplicate status check contexts show in the branch protection settings.
+  * profile info fails to render german singular translation.
+  * inline attachments of incoming emails (as they occur for example with Apple
+    Mail) are not attached to comments.
+
+-------------------------------------------------------------------
+Sat Apr 27 14:53:09 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.1:
+  * LFS data corruption when running the forgejo doctor check --fix CLI command
+    or setting [cron.gc_lfs].ENABLED=true (the default is false)
+  * non backward compatible change in the forgejo admin user create CLI command
+  * error 500 because of an incorrect evaluation of the template when visiting
+    the LFS settings of a repository
+  * GET /repos/{owner}/{name} API endpoint always returns an empty string for
+    the object_format_name field
+  * fuzzy search may fail with bleve
+
+-------------------------------------------------------------------
+Thu Apr 25 02:27:22 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.0:
+  This is only an excerpt from the full changelog, which you can find
+  in your RELEASE-NOTES.md or at
+  https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0
+  * MySQL 8.0 or PostgreSQL 12 are the minimum supported versions.
+    The database must be migrated before upgrading.
+    The requirements regarding SQLite did not change.
+  * The per_page parameter is no longer a synonym for limit in the
+    /repos/{owner}/{repo}/releases API endpoint.
+  * The date format of the created and last_update fields of the 
+    /repos/{owner}/{repo}/push_mirrors and /repos/{owner}/{repo}/push_mirrors
+    API endpoint changed to be timestamps instead of numbers.
+  * Labels used by pprof endpoint have been changed
+  * The fogejo admin user create CLI command requires a password change
+    by default when creating the first user
+
+-------------------------------------------------------------------
+Sat Apr 20 12:39:56 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 1.21.11-1:
+  * error 500 on tag creation when a workflow exists
+
+- update to 1.21.11-0:
+  * Fixed a privilege escalation through git push options that
+    allows any user to change the visibility of any repository they can see,
+    regardless of their level of access.
+  * Fixed a bug that allows user-supplied, non-sandboxed JavaScript to be run
+    from the same domain as the forge, via
+    /{owner}/{repo}/render/branch/{branch}/{filename} URLs.
+  * Close file in upload function
+  * Prevent registering runners for deleted repositories.
+    Prevents 500 Internal Server Error in admin interface.
+  * More reliable pagination support when migrating from gitbucket
+  * Fix automerge when used with actions
+
+- fix apparmor profile
+
+-------------------------------------------------------------------
+Fri Apr  5 18:39:07 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- update to 1.21.10-0:
+  * CVE-2023-45288 which permits an attacker to cause an HTTP/2 endpoint to
+    read arbitrary amounts of header data
+  * Fix to not remove repository avatars when the doctor runs with --fix
+    on the repository archives.
+  * Detect protected branch on branch rename.
+  * Don't delete inactive emails explicitly.
+  * Fix user interface when a review is deleted without refreshing.
+  * Fix paths when finding files via the web interface that were not escaped.
+  * Respect DEFAULT_ORG_MEMBER_VISIBLE setting when adding creator to org.
+  * Fix duplicate migrated milestones.
+  * Fix inline math blocks can't be preceeded/followed by alphanumerical
+    characters.
+
+-------------------------------------------------------------------
+Thu Mar 28 06:58:20 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- increase golang dep to 1.22, to imitate the CI/CD of forgejo
+- revise how the apparmor package gets build + add selinux
+
+-------------------------------------------------------------------
+Sat Mar 23 21:21:28 UTC 2024 - Richard Rahl <user@localhost>
+
+- update to 1.21.8-0:
+  * Fix /api/v1/{owner}/{repo}/issue_templates which was always failing with a
+    500 error.
+  * Prevent error 500 on /user/settings/security when SignedUser has a linked
+    account from a deactivated authentication source.
+  * Fix error 500 when pushing release to an empty repo.
+  * Fix incorrect rendering csv file when file size is larger than UI.CSV.MaxFileSize.
+  * Fix error 500 when deleting account with incorrect password or unsupported login type.
+  * handle user-defined name anchors like [Link](#link) linking to <a name="link"></a>Link.
+  * Use correct head commit for CODEOWNER.
+  * Fix manual merge button.
+  * Make meilisearch do exact search for issues.
+  * Fix PR creation via api between branches of same repo with head field namespaced.
+
+-------------------------------------------------------------------
+Fri Mar  8 07:35:29 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- add apparmor profile leeched off of the gitea packaging
+
+- update to 1.21.7-0:
+  * Fix tarball/zipball download bug.
+  * Ensure HasIssueContentHistory takes into account comment_id.
+  * The google.golang.org/protobuf module was bumped to version v1.33.0 to fix
+    a bug in the google.golang.org/protobuf/encoding/protojson package which
+    could cause the Unmarshal function to enter an infinite loop when handling
+    some invalid inputs
+
+-------------------------------------------------------------------
+Fri Feb  9 10:07:58 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- initial packaging
--- a/forgejo.fc
+++ b/forgejo.fc
@ -0,0 +1,5 @@
+/usr/bin/forgejo		--	gen_context(system_u:object_r:forgejo_exec_t,s0)
+
+/var/lib/forgejo(/.*)?		gen_context(system_u:object_r:forgejo_var_lib_t,s0)
+
+/var/log/forgejo(/.*)?		gen_context(system_u:object_r:forgejo_log_t,s0)
--- a/forgejo.if
+++ b/forgejo.if
@ -0,0 +1,218 @@
+
+## <summary>policy for forgejo</summary>
+
+########################################
+## <summary>
+##	Execute forgejo_exec_t in the forgejo domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`forgejo_domtrans',`
+	gen_require(`
+		type forgejo_t, forgejo_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, forgejo_exec_t, forgejo_t)
+')
+
+######################################
+## <summary>
+##	Execute forgejo in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_exec',`
+	gen_require(`
+		type forgejo_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, forgejo_exec_t)
+')
+########################################
+## <summary>
+##	Read forgejo's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`forgejo_read_log',`
+	gen_require(`
+		type forgejo_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, forgejo_log_t, forgejo_log_t)
+')
+
+########################################
+## <summary>
+##	Append to forgejo log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_append_log',`
+	gen_require(`
+		type forgejo_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, forgejo_log_t, forgejo_log_t)
+')
+
+########################################
+## <summary>
+##	Manage forgejo log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_manage_log',`
+	gen_require(`
+		type forgejo_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, forgejo_log_t, forgejo_log_t)
+	manage_files_pattern($1, forgejo_log_t, forgejo_log_t)
+	manage_lnk_files_pattern($1, forgejo_log_t, forgejo_log_t)
+')
+
+########################################
+## <summary>
+##	Search forgejo lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_search_lib',`
+	gen_require(`
+		type forgejo_var_lib_t;
+	')
+
+	allow $1 forgejo_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read forgejo lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_read_lib_files',`
+	gen_require(`
+		type forgejo_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage forgejo lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_manage_lib_files',`
+	gen_require(`
+		type forgejo_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage forgejo lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_manage_lib_dirs',`
+	gen_require(`
+		type forgejo_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an forgejo environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`forgejo_admin',`
+	gen_require(`
+		type forgejo_t;
+		type forgejo_log_t;
+		type forgejo_var_lib_t;
+	')
+
+	allow $1 forgejo_t:process { signal_perms };
+	ps_process_pattern($1, forgejo_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 forgejo_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, forgejo_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, forgejo_var_lib_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
--- a/forgejo.keyring
+++ b/forgejo.keyring
@ -0,0 +1,39 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: Hostname: 
+Version: Hockeypuck 2.2
+
+xjMEY3T/yhYJKwYBBAHaRw8BAQdAVxqCQrSbpDNrx8CiTM8PUAVqdCyv2UmBDhpP
+HZIpoIDNHUZvcmdlam8gPGNvbnRhY3RAZm9yZ2Vqby5vcmc+wsB+BBMWCgDmAhsD
+BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAhkBFiEE6xFPXmwNwrzdGDVQpLYaLcWS
+NxAFAmN7KZI2FIAAAAAAEAAdcHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vZmxvc3Mu
+c29jaWFsL0Bmb3JnZWpvMRSAAAAAABAAGHByb29mQGFyaWFkbmUuaWRkbnM6Zm9y
+Z2Vqby5vcmc/dHlwZT1UWFRBFIAAAAAAEAAocHJvb2ZAYXJpYWRuZS5pZGh0dHBz
+Oi8vY29kZWJlcmcub3JnL2Zvcmdlam8vZ2l0ZWFfcHJvb2YACgkQpLYaLcWSNxAv
+oQEAsbFLqcqjAoRTKpP++D6s0pZgnekV7W3sz1uumKLLUm4A/RvjfnPaK9XAZHEn
+o0RDksu0xaw673pPmYXWVYQqdVACwsBHBBMWCgCvAhsDBQsJCAcDBRUKCQgLBRYC
+AwEAAh4BAheAAhkBFiEE6xFPXmwNwrzdGDVQpLYaLcWSNxAFAmN4pwNBFIAAAAAA
+EAAocHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vY29kZWJlcmcub3JnL2Zvcmdlam8v
+Z2l0ZWFfcHJvb2YxFIAAAAAAEAAYcHJvb2ZAYXJpYWRuZS5pZGRuczpmb3JnZWpv
+Lm9yZz90eXBlPVRYVAAKCRCkthotxZI3EDVfAQCX3Bwc7JFu/JSVSXkMAiO9KqKz
+oQv0FKfNI4zc7OZTuwEAro2IK2nt72W/+O+rHMDN97n0qQYLjcEy2wiOguYPPgfC
+dQQQFggAHRYhBD3JQbKWDZMPhcHxD2Hhmc0+gu5GBQJjkUDQAAoJEGHhmc0+gu5G
+/noA/2Nhnj9ec6GFil+yzfcaf2JYZnTkOYuhxhHhLVVDc2u2AQDNClLXyLeOp8YQ
+r3sDEVLIf8IUpmRyhdf5lnR7dOXADc0mRm9yZ2VqbyBSZWxlYXNlcyA8cmVsZWFz
+ZUBmb3JnZWpvLm9yZz7CkAQTFgoAOAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIX
+gBYhBOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJjeKH0AAoJEKS2Gi3FkjcQC5YBAKwC
+GFDDSpX0JwBrzIP8W8ElwHvdBz2XDg8LwyQgr722AP9r01rbFwY4axDxpNj+BUFx
+wD5Fhza1cE3932eTsSOPDsJ1BBAWCAAdFiEEPclBspYNkw+FwfEPYeGZzT6C7kYF
+AmORQNAACgkQYeGZzT6C7kZgCQD9E3NRV6SUBw7IdbIG9w0oUcn/RMsSmTXMAmas
+LO3ilCUBAPVs56RxvNdA5cLJeZwRlqZ10nnJekb2wnQPyohB2GcOzjMEY3UANBYJ
+KwYBBAHaRw8BAQdAKvAs2Ij2RamYUzz4sBgsc2J+4fEwvSMcTp6rPZizRhfCwDUE
+GBYIACYWIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCY3UANAIbAgUJAeEzgACBCRCk
+thotxZI3EHYgBBkWCAAdFiEE98vwIJTnZl4X7WxE44G/PlDVNwcFAmN1ADQACgkQ
+44G/PlDVNwdIlgD+K15nuEec+VTFdP7YY3SxM8Rjg2EtXk007+LM7XQfN9sBAOLj
+BTzIdaaKOpoAkGQ9Th/IphSUOnPYZVO5a6cN+wAM458A/itf3urQehI5SbKtbRqI
+DhqQZQVAcEeG2eQFunuofjDWAQDt/gE5XgTiQgnkTcqAX7GQeE74O/Q5vDtX10Nj
+bzV7D844BGN0/8oSCisGAQQBl1UBBQEBB0CZnRfIHxTVhOF8kdhbe4YJsePyVFi8
+USfuDXy4HgIHRgMBCAfCeAQYFggAIBYhBOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJj
+dP/KAhsMAAoJEKS2Gi3FkjcQdroA/jHFqt7y/r/5zdK4TYYp+5jlOgM5ZI7pNhWh
+tIFbqmx9AQCKSJf2YgPBLNJSL/86vpE9b6IvTE/8ENR/7xYaIA7oAg==
+=urT2
+-----END PGP PUBLIC KEY BLOCK-----
--- a/forgejo.service
+++ b/forgejo.service
@ -0,0 +1,33 @@
+[Unit]
+Description=Forgejo (Beyond coding. We forge.)
+After=network.target
+
+[Service]
+# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
+# LimitNOFILE=524288:524288
+RestartSec=2s
+Type=simple
+User=forgejo
+Group=forgejo
+WorkingDirectory=/var/lib/forgejo/
+ExecStart=/usr/bin/forgejo web --config /etc/forgejo/conf/app.ini
+Restart=always
+Environment=USER=forgejo
+Environment=HOME=/usr/share/forgejo
+Environment=GITEA_WORK_DIR=/var/lib/forgejo
+Environment=GITEA_CUSTOM=/etc/forgejo
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+
+[Install]
+WantedBy=multi-user.target
--- a/forgejo.sh
+++ b/forgejo.sh
@ -0,0 +1,56 @@
+#!/bin/sh -e
+
+DIRNAME=`dirname $0`
+cd $DIRNAME
+USAGE="$0 [ --update ]"
+if [ `id -u` != 0 ]; then
+echo 'You must be root to run this script'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+	if [ "$1" = "--update" ] ; then
+		time=`ls -l --time-style="+%x %X" forgejo.te | awk '{ printf "%s %s", $6, $7 }'`
+		rules=`ausearch --start $time -m avc --raw -se forgejo`
+		if [ x"$rules" != "x" ] ; then
+			echo "Found avc's to update policy with"
+			echo -e "$rules" | audit2allow -R
+			echo "Do you want these changes added to policy [y/n]?"
+			read ANS
+			if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+				echo "Updating policy"
+				echo -e "$rules" | audit2allow -R >> forgejo.te
+				# Fall though and rebuild policy
+			else
+				exit 0
+			fi
+		else
+			echo "No new avcs found"
+			exit 0
+		fi
+	else
+		echo -e $USAGE
+		exit 1
+	fi
+elif [ $# -ge 2 ] ; then
+	echo -e $USAGE
+	exit 1
+fi
+
+echo "Building and Loading Policy"
+set -x
+make -f /usr/share/selinux/devel/Makefile forgejo.pp || exit
+/usr/sbin/semodule -i forgejo.pp
+
+# Generate a man page of the installed module
+sepolicy manpage -p . -d forgejo_t
+# Fixing the file context on /usr/bin/forgejo
+/sbin/restorecon -F -R -v /usr/bin/forgejo
+# Fixing the file context on /var/log/forgejo
+/sbin/restorecon -F -R -v /var/log/forgejo
+# Fixing the file context on /var/lib/forgejo
+/sbin/restorecon -F -R -v /var/lib/forgejo
+# Generate a rpm package for the newly generated policy
+
+pwd=$(pwd)
+rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build"  -ba forgejo_selinux.spec
--- a/forgejo.spec
+++ b/forgejo.spec
@ -0,0 +1,201 @@
+#
+# spec file for package forgejo
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if 0%{?suse_version} > 1600
+%bcond_without selinux
+%bcond_without apparmor
+%else
+%if 0%{?suse_version} == 1600
+%bcond_without selinux
+%bcond_with apparmor
+%else
+# Leap & SLE
+%bcond_with selinux
+%bcond_without apparmor
+%endif
+%endif
+Name:           forgejo
+Version:        7.0.6
+Release:        0
+Summary:        Self-hostable forge
+License:        MIT
+Group:          Development/Tools/Version Control
+URL:            https://forgejo.org
+Source0:        https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz
+Source1:        https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz.asc
+Source2:        http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xeb114f5e6c0dc2bcdd183550a4b61a2dc5923710#/%{name}.keyring
+Source3:        package-lock.json
+Source4:        node_modules.spec.inc
+%include        %{_sourcedir}/node_modules.spec.inc
+Source5:        node_modules.sums
+Source6:        %{name}.service
+Source7:        %{name}.sysusers
+Source8:        %{name}.fc
+Source9:        %{name}.if
+Source10:       %{name}.sh
+Source11:       %{name}.te
+Source12:       apparmor-usr.bin.%{name}
+Source99:       get-sources.sh
+Patch0:         custom-app.ini.patch
+BuildRequires:  golang-packaging
+BuildRequires:  golang(API) = 1.22
+## node >= 20
+%if 0%{?suse_version} == 1500
+BuildRequires:  nodejs-devel-default
+BuildRequires:  npm-default
+%else
+BuildRequires:  nodejs-packaging
+%endif
+BuildRequires:  local-npm-registry
+BuildRequires:  make
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-tools
+Requires:       git-core
+Requires:       git-lfs
+Requires:       (%{name}-apparmor if apparmor-abstractions)
+Requires:       (%{name}-selinux if selinux-policy-targeted)
+%if %{with apparmor}
+BuildRequires:  apparmor-abstractions
+BuildRequires:  apparmor-rpm-macros
+BuildRequires:  libapparmor-devel
+%endif
+%if %{with selinux}
+BuildRequires:  checkpolicy
+BuildRequires:  selinux-policy-devel
+%endif
+%{systemd_requires}
+%{sysusers_requires}
+
+%if %{with apparmor}
+%package apparmor
+Summary:        Apparmor profile for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{version}-%{release}
+
+%description apparmor
+This package adds the Apparmor profile to %{name}
+%endif
+
+%if %{with selinux}
+%package selinux
+Summary:        Selinux support for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{version}-%{release}
+Requires:       selinux-policy-targeted
+
+%description selinux
+This package adds SELinux enforcement to %{name}.
+%endif
+
+%description
+Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo
+– the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of builtin functionality.
+
+%prep
+%autosetup -p1 -n %{name}-src-%{version}
+local-npm-registry %{_sourcedir} install --also=dev
+
+%build
+%sysusers_generate_pre %{SOURCE7} %{name} %{name}.conf
+export EXTRA_GOFLAGS="-buildmode=pie -mod=vendor"
+export TAGS="bindata timetzdata sqlite sqlite_unlock_notify"
+%make_build build
+
+%install
+install -d %{buildroot}%{_bindir}
+install -d %{buildroot}%{_datadir}/%{name}
+install -d %{buildroot}%{_datadir}/%{name}/{conf,https,mailer}
+ln -s %{name} %{buildroot}%{_bindir}/gitea
+install -d %{buildroot}%{_sharedstatedir}/%{name}/{data,https,indexers,queues,repositories}
+install -d %{buildroot}%{_sysconfdir}/%{name}
+install -d %{buildroot}%{_localstatedir}/log/%{name}
+install -D -m 0644 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
+install -D -m 0755 %{_builddir}/%{name}-src-%{version}/gitea %{buildroot}%{_bindir}/%{name}
+install -D -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/%{name}.service
+install -D -m 0644 %{SOURCE7} %{buildroot}%{_sysusersdir}/%{name}.conf
+
+%if %{with apparmor}
+install -d %{buildroot}%{_sysconfdir}/apparmor.d
+install -Dm0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
+%endif
+
+%if %{with selinux}
+cd %{_sourcedir}
+make -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+install -Dm0644 %{name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{name}.pp
+install -Dm0644 %{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
+%pre -f %{name}.pre
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+
+%if %{with apparmor}
+%post apparmor
+%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{name}
+%endif
+
+%if %{with selinux}
+%post selinux
+semodule -i %{_datadir}/selinux/packages/%{name}/%{name}.pp 2>/dev/null || :
+
+%preun selinux
+semodule -r %{name} 2>/dev/null || :
+%endif
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%check
+#as of now, broken
+#%%make_build test
+
+%files
+%license LICENSE
+%doc README.md RELEASE-NOTES.md CONTRIBUTING.md
+%{_unitdir}/%{name}.service
+%{_bindir}/%{name}
+%{_bindir}/gitea
+%defattr(0660,root,forgejo,770)
+%{_localstatedir}/log/%{name}
+%defattr(0660,forgejo,forgejo,750)
+%config(noreplace) %{_sysconfdir}/%{name}/conf/app.ini
+%{_sysconfdir}/%{name}
+%{_datadir}/%{name}
+%{_sharedstatedir}/%{name}
+%{_sysusersdir}/%{name}.conf
+
+%if %{with apparmor}
+%files apparmor
+%dir %{_sysconfdir}/apparmor.d
+%config %{_sysconfdir}/apparmor.d/usr.bin.%{name}
+%endif
+
+%if %{with selinux}
+%files selinux
+%dir %{_datadir}/selinux/devel/include/distributed
+%{_datadir}/selinux/packages/%{name}
+%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
+%changelog
--- a/forgejo.sysusers
+++ b/forgejo.sysusers
@ -0,0 +1,3 @@
+# Type 	Name ID GECOS [HOME] Shell
+g forgejo - - -
+u forgejo - "Forgejo" /var/lib/forgejo /usr/bin/bash
--- a/forgejo.te
+++ b/forgejo.te
@ -0,0 +1,41 @@
+policy_module(forgejo, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type forgejo_t;
+type forgejo_exec_t;
+init_daemon_domain(forgejo_t, forgejo_exec_t)
+
+permissive forgejo_t;
+
+type forgejo_log_t;
+logging_log_file(forgejo_log_t)
+
+type forgejo_var_lib_t;
+files_type(forgejo_var_lib_t)
+
+########################################
+#
+# forgejo local policy
+#
+allow forgejo_t self:fifo_file rw_fifo_file_perms;
+allow forgejo_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
+manage_files_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
+manage_lnk_files_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
+logging_log_filetrans(forgejo_t, forgejo_log_t, { dir file lnk_file })
+
+manage_dirs_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
+manage_files_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
+manage_lnk_files_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
+files_var_lib_filetrans(forgejo_t, forgejo_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(forgejo_t)
+
+files_read_etc_files(forgejo_t)
+
+miscfiles_read_localization(forgejo_t)
--- a/get-sources.sh
+++ b/get-sources.sh
@ -0,0 +1,41 @@
+#!/usr/bin/sh
+
+set -e
+
+if [[ -z "$1" ]]; then
+echo "Please enter the version you want to update to";
+exit 1;
+fi
+
+VERSION="$1"
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "patching spec file and downloading the tarball"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+
+sed -i -e 's|Version: .*|Version:        '${VERSION}'|g' forgejo.spec
+osc service ra download_files
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "extracting package-lock.json"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+
+tar xf forgejo-src-${VERSION}.tar.gz forgejo-src-${VERSION}/package-lock.json
+cp forgejo-src-${VERSION}/package-lock.json .
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "Downloading node_modules"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+
+osc service ra node_modules
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "Cleanup Step"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+
+rm -r forgejo-src-${VERSION}
+rm node_modules.sums
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "Done! Have fun building and testing"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
--- a/node_modules.obscpio
+++ b/node_modules.obscpio
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f5ea0007b140d739de145225fce8a34d2e257d06891cdf39ca350e6bd3136236
+size 185686620
--- a/node_modules.spec.inc
+++ b/node_modules.spec.inc
--- a/node_modules.sums
+++ b/node_modules.sums
--- a/package-lock.json
+++ b/package-lock.json