pool/forgejo
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- update to 9.0.1:

Browse Source 
* Forgejo generates a token which is used to authenticate web endpoints that
    are only meant to be used internally, for instance when the SSH daemon is
    used to push a commit with Git. The verification of this token was not done
    in constant time and was susceptible to timing attacks.
  * Because of a missing permission check, the branch used to propose a pull
    request to a repository can always be deleted by the user performing the merge.
  * Fix boolean inputs in workflow_dispatch
  * package arch database not updating when uploading "any" architecture
  * correct SQL query for active issues
  * specify default value for EXPLORE_DEFAULT_SORT.
  * fix: Add recentupdated as recognized sort option
  * Update dependency mermaid to v11.3.0 (v9.0/forgejo)
  * Always update expiration time when creating an artifact
  * Update scheduled tasks even if changes are pushed by "ActionsUser"
  * Fix disable 2fa bug
  * i18n: update of translations from Codeberg Translate
  * fix: make branch protection work for new branches
  * link to security policy in security.txt
  * fix: don't show truncated comments in RSS/Atom feeds
  * fix: typo on releases for source code downloads
  * Revert "add gap between branch dropdown and PR button"
  * fix: Don't double escape delete branch text
  * fix: Add server logging for OAuth server errors
  * forgejo-cli is now a symlink and cannot be used for sanity checks
  * fix: correct documentation for non 200 responses in swagger
- forgejo is since 9.0.0 GPL-3.0-or-later

OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=43
This commit is contained in:
Richard Rahl 2024-10-29 05:44:32 +00:00 committed by Git OBS Bridge
commit ce6404f852
31 changed files with 19665 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

9
_service Normal file
View File

@ -0,0 +1,9 @@
<?xml version="1.0" ?>
<services>
<service name="download_files" mode="manual" />
<service name="node_modules" mode="manual">
<param name="cpio">node_modules.obscpio</param>
<param name="output">node_modules.spec.inc</param>
<param name="source-offset">10000</param>
</service>
</services>

217
custom-app.ini.patch Normal file
View File

@ -0,0 +1,217 @@
diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patched/custom/conf/app.example.ini
--- forgejo-src-8.0.0/custom/conf/app.example.ini 2024-07-30 06:40:03.000000000 +0200
+++ forgejo-src-8.0.0-patched/custom/conf/app.example.ini 2024-08-01 20:24:55.972480197 +0200
@@ -51,7 +51,7 @@
;APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}
;;
;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
-RUN_USER = ; git
+RUN_USER = ; forgejo
;;
;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
@@ -284,15 +284,17 @@
;; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
;; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
;; Paths are relative to CUSTOM_PATH
-;CERT_FILE = https/cert.pem
-;KEY_FILE = https/key.pem
+CERT_FILE = /etc/forgejo/https/cert.pem
+KEY_FILE = /etc/forgejo/https/key.pem
;;
;; Root directory containing templates and static files.
;; default is the path where Gitea is executed
;STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_
+STATIC_ROOT_PATH = /usr/share/forgejo
;;
;; Default path for App data
;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
+APP_DATA_PATH = /var/lib/forgejo/data
;;
;; Enable gzip compression for runtime-generated content, static resources excluded
;ENABLE_GZIP = false
@@ -304,6 +306,7 @@
;;
;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
+PPROF_DATA_PATH = /var/lib/forgejo/data/tmp/pprof
;;
;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
@@ -355,10 +358,10 @@
;;
;; MySQL Configuration
;;
-DB_TYPE = mysql
-HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
-NAME = gitea
-USER = root
+;DB_TYPE = mysql
+;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+;NAME = forgejo
+;USER = root
;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
@@ -369,7 +372,7 @@
;;
;DB_TYPE = postgres
;HOST = 127.0.0.1:5432 ; can use socket e.g. /var/run/postgresql/
-;NAME = gitea
+;NAME = forgejo
;USER = root
;PASSWD =
;SCHEMA =
@@ -379,21 +382,10 @@
;;
;; SQLite Configuration
;;
-;DB_TYPE = sqlite3
-;PATH= ; defaults to data/forgejo.db
-;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
-;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
-;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;
-;; MSSQL Configuration
-;;
-;DB_TYPE = mssql
-;HOST = 172.17.0.2:1433
-;NAME = gitea
-;USER = SA
-;PASSWD = MwantsaSecurePassword1
-;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
+DB_TYPE = sqlite3
+PATH= /var/lib/forgejo/data/forgejo.db ; defaults to data/forgejo.db
+SQLITE_TIMEOUT = ; Query timeout defaults to: 500
+SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
@@ -579,14 +571,14 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
-;ROOT_PATH =
+ROOT_PATH = /var/log/forgejo
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Main Logger
;;
;; Either "console", "file" or "conn", default is "console"
;; Use comma to separate multiple modes, e.g. "console, file"
-MODE = console
+MODE = console, file
;;
;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
LEVEL = Info
@@ -946,7 +938,7 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
-;ROOT =
+ROOT = /var/lib/forgejo/repositories
;;
;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
;SCRIPT_TYPE = bash
@@ -1065,7 +1057,7 @@
;ENABLED = true
;;
;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
-;TEMP_PATH = data/tmp/uploads
+TEMP_PATH = /var/lib/forgejo/data/tmp/uploads
;;
;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
;ALLOWED_TYPES =
@@ -1444,7 +1436,7 @@
;ISSUE_INDEXER_TYPE = bleve
;;
;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
-;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
+;ISSUE_INDEXER_PATH = /var/lib/forgejo/indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
;;
;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
;ISSUE_INDEXER_CONN_STR =
@@ -1471,7 +1463,7 @@
;REPO_INDEXER_TYPE = bleve
;;
;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
-;REPO_INDEXER_PATH = indexers/repos.bleve
+;REPO_INDEXER_PATH = /var/lib/forgejo/indexers/repos.bleve
;;
;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
;REPO_INDEXER_CONN_STR =
@@ -1510,6 +1502,7 @@
;;
;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
+DATADIR = /var/lib/forgejo/queues/
;;
;; Default queue length before a channel queue will block
;LENGTH = 100000
@@ -1852,7 +1845,7 @@
;; file: session file path, e.g. `data/sessions`
;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
-;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
+;PROVIDER_CONFIG = /var/lib/forgejo/data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
;;
;; Session cookie name
;COOKIE_NAME = i_like_gitea
@@ -1939,7 +1932,7 @@
;;
;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
-;PATH = attachments
+PATH = /var/lib/forgejo/data/attachments
;;
;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
;MINIO_ENDPOINT = localhost:9000
@@ -1965,7 +1958,7 @@
;MINIO_LOCATION = us-east-1
;;
;; Minio base path on the bucket only available when STORAGE_TYPE is `minio`
-;MINIO_BASE_PATH = attachments/
+;MINIO_BASE_PATH = /var/lib/forgejo/attachments/
;;
;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
;MINIO_USE_SSL = false
@@ -2548,10 +2541,10 @@
;;
;STORAGE_TYPE = local
;; override the minio base path if storage type is minio
-;MINIO_BASE_PATH = packages/
+;MINIO_BASE_PATH = /var/lib/forgejo/packages/
;;
;; Path for chunked uploads. Defaults to APP_DATA_PATH + `tmp/package-upload`
-;CHUNKED_UPLOAD_PATH = tmp/package-upload
+;CHUNKED_UPLOAD_PATH = /var/lib/forgejo/tmp/package-upload
;;
;; Maximum count of package versions a single owner can have (`-1` means no limits)
;LIMIT_TOTAL_OWNER_COUNT = -1
@@ -2618,10 +2611,10 @@
;STORAGE_TYPE = local
;;
;; Where your lfs files reside, default is data/lfs.
-;PATH = data/repo-archive
+;PATH = /var/lib/forgejo/data/repo-archive
;;
;; override the minio base path if storage type is minio
-;MINIO_BASE_PATH = repo-archive/
+;MINIO_BASE_PATH = /var/lib/forgejo/repo-archive/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -2641,10 +2634,10 @@
;STORAGE_TYPE = local
;;
;; Where your lfs files reside, default is data/lfs.
-;PATH = data/lfs
+;PATH = /var/lib/forgejo/data/lfs
;;
;; override the minio base path if storage type is minio
-;MINIO_BASE_PATH = lfs/
+;MINIO_BASE_PATH = /var/lib/forgejo/lfs/
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

28
dont-strip.patch Normal file
View File

@ -0,0 +1,28 @@
diff -rub forgejo-src-9.0.0/Makefile forgejo-src-9.0.0-patched/Makefile
--- forgejo-src-9.0.0/Makefile 2024-10-16 05:56:39.000000000 +0200
+++ forgejo-src-9.0.0-patched/Makefile 2024-10-17 16:41:54.550837598 +0200
@@ -803,7 +803,7 @@
.PHONY: install $(TAGS_PREREQ)
install: $(wildcard *.go)
- CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)'
+ CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '$(LDFLAGS)'
.PHONY: build
build: frontend backend
@@ -831,13 +831,13 @@
@echo "NOT NEEDED: THIS IS A NOOP AS OF Forgejo 7.0 BUT KEPT FOR BACKWARD COMPATIBILITY"
$(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
- CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
+ CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o $@
forgejo: $(EXECUTABLE)
ln -f $(EXECUTABLE) forgejo
static-executable: $(GO_SOURCES) $(TAGS_PREREQ)
- CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
+ CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
.PHONY: release
release: frontend generate release-linux release-copy release-compress vendor release-sources release-check

3
forgejo-src-7.0.5.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:647efd8b70e312e1d8aa349a535bae1c9cce5c095a7a2ebe0d0b0ec84ff1e198
size 55031691

7
forgejo-src-7.0.5.tar.gz.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZoWjbAAKCRCkthotxZI3
EOPsAQDia3FAbVWnztj3h+SqLvI+7faAzVy2IMGsQpOrPuHleAEAsf+PqLn3rzz2
CWqTPCo4MWRuYUi6ELY3SS4Xug/DgAM=
=DqT0
-----END PGP SIGNATURE-----

3
forgejo-src-7.0.6.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b33ca271d4d8ecf00ce80d2ee14888d40265ab648b880fd9bb9916bf9e88b15b
size 53489756

7
forgejo-src-7.0.6.tar.gz.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZqjZygAKCRCkthotxZI3
EJmNAP9IiHThCEotiYrOt3YzdOeaEAM3vfLzyf4PN1jWibbiogEAzGyWuho+MH8z
9TqdaLJIF/T3L62r/TgZ+mlZ0HHkLQM=
=ExB8
-----END PGP SIGNATURE-----

3
forgejo-src-8.0.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:284b2cc2a609d1766bb61f20cea7c6a9e2a34a9972f243d4962df2a24d15204a
size 53413049

7
forgejo-src-8.0.1.tar.gz.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYYFgAKCRCkthotxZI3
EHz8AP90KeP3zRxXpllCJkXngANdUYN4wajU50u8p73dUY2jWAD/Wn87xN7RbrVd
0U3wPsUy4Memvg4WYavNWBOEwDtTtww=
=JG8G
-----END PGP SIGNATURE-----

3
forgejo-src-8.0.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:36929dbc206753f80766ea59b35adaf3cb28ed53fc89ac8640271f8766673546
size 53459258

7
forgejo-src-8.0.2.tar.gz.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZtB4+QAKCRCkthotxZI3
EI/zAQCAYMjC1aNDQi173NnEsZ+6157ZngCPoT9YB3gzzmOaFAD+LQEyZ3PrsrJe
/d8N+5Wyvj7ymLsUWzyTNpVZOtaNjQM=
=jAB5
-----END PGP SIGNATURE-----

3
forgejo-src-9.0.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:21364d6c1635711189f25da5dc343b3b28e8ade20a5f00202301ccc364adc1d2
size 53905348

7
forgejo-src-9.0.0.tar.gz.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZw/5ogAKCRCkthotxZI3
EKC/AP9zdT9HGtdr1R84h8wJfMQryhV2VHQ0DZIvHL3OJU1OgAEAmT7X00H/MgRB
oNnConnjMe+xLtIntIFitFFXd971oQ0=
=JQRz
-----END PGP SIGNATURE-----

3
forgejo-src-9.0.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6748c49677374947eb619b13f9ede983682ae117b8c0405442cc9afc847c4040
size 53961959

7
forgejo-src-9.0.1.tar.gz.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZx+nywAKCRCkthotxZI3
ENlLAQCGXdYLfhCxIU8bKx+n2hvTvkbJPmPxs7FVhDtggAuq5gEAxubIGrthDqw9
Qr9g7bvuMR7solGMkjzsB73IHqMsXwU=
=g0qb
-----END PGP SIGNATURE-----

64
forgejo.apparmor Normal file
View File

@ -0,0 +1,64 @@
abi <abi/3.0>,
include <tunables/global>
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/mysql>
include <abstractions/nameservice>
include <abstractions/opencl-pocl>
include <abstractions/openssl>
include <abstractions/user-tmp>
include if exists <local/usr.bin.forgejo>
network inet stream,
network inet6 stream,
/etc/forgejo/ r,
/etc/forgejo/conf/app.ini r,
/etc/forgejo/public/ r,
/etc/forgejo/public/** r,
/etc/forgejo/{conf,https,mailer}/ r,
/etc/gitconfig r,
/etc/mime.types r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
/usr/bin/forgejo mr,
/usr/bin/git mr,
/usr/bin/gzip mr,
/usr/bin/{basename,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
/usr/libexec/git/git-write-tree mrix,
/usr/share/forgejo/** r,
/usr/share/forgejo/.gitconfig rw,
/usr/share/forgejo/.gitconfig.lock rw,
/usr/share/git-core/templates/ r,
/usr/share/git-core/templates/** r,
/usr/share/mime/globs2 r,
/usr/{lib,libexec}/git/git ix,
/usr/{lib,libexec}/git/git-remote-http ix,
/var/ r,
/var/lib/ r,
/var/lib/forgejo/ r,
/var/lib/forgejo/.local/** rw,
/var/lib/forgejo/.ssh/ rw,
/var/lib/forgejo/.ssh/* rw,
/var/log/forgejo/ rw,
/var/log/forgejo/access.log rw,
/var/log/forgejo/access.log.* w,
/var/log/forgejo/doctors-* rw,
@{PROC}/sys/net/core/somaxconn r,
owner /etc/forgejo/conf/app.ini w,
owner /tmp/forgejo** rwl,
owner /tmp/index* rw,
owner /tmp/patch* rw,
owner /usr/share/forgejo/** rw,
owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
owner /var/lib/forgejo/data/forgejo-repositories/** rwlk,
owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
owner /var/lib/forgejo/https/** rwlk,
owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
owner /var/log/forgejo/gitea.log w,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
}

499
forgejo.changes Normal file
View File

@ -0,0 +1,499 @@
-------------------------------------------------------------------
Mon Oct 28 17:09:05 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- update to 9.0.1:
* Forgejo generates a token which is used to authenticate web endpoints that
are only meant to be used internally, for instance when the SSH daemon is
used to push a commit with Git. The verification of this token was not done
in constant time and was susceptible to timing attacks.
* Because of a missing permission check, the branch used to propose a pull
request to a repository can always be deleted by the user performing the merge.
* Fix boolean inputs in workflow_dispatch
* package arch database not updating when uploading "any" architecture
* correct SQL query for active issues
* specify default value for EXPLORE_DEFAULT_SORT.
* fix: Add recentupdated as recognized sort option
* Update dependency mermaid to v11.3.0 (v9.0/forgejo)
* Always update expiration time when creating an artifact
* Update scheduled tasks even if changes are pushed by "ActionsUser"
* Fix disable 2fa bug
* i18n: update of translations from Codeberg Translate
* fix: make branch protection work for new branches
* link to security policy in security.txt
* fix: don't show truncated comments in RSS/Atom feeds
* fix: typo on releases for source code downloads
* Revert "add gap between branch dropdown and PR button"
* fix: Don't double escape delete branch text
* fix: Add server logging for OAuth server errors
* forgejo-cli is now a symlink and cannot be used for sanity checks
* fix: correct documentation for non 200 responses in swagger
- forgejo is since 9.0.0 GPL-3.0-or-later
-------------------------------------------------------------------
Thu Oct 17 14:52:33 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- update to 9.0.0:
* OIDC integrations that POST to /login/oauth/introspect without sending HTTP
basic authentication will now fail
* The public scope of an application token does not filter out private repositories,
organizations or packages in some cases
* Drop support to build Forgejo with the optional go-git Git backend
* Set created_by as the default filter for /issues and /pulls
* Set fuzzy as default for issue search.
* Improve commit graph layout.
* Add support for iconify icons.
* Allow multi-line relationship labels.
* Adds architecture diagrams which allows users to show relations between services.
* Improve diffs generated by Forgejo.
* Add rel="nofollow" to in-list labels.
* Distinguish between new tags, releases and pre-releases on activity page.
* Highlighted code search results.
* Refactor repo migration items.
* Add package counter to repo/user/org overview pages.
* Replace vue-bar-graph with chart.js.
* Add more emoji and code block rendering in issues.
* Bad spacing on new release page.
* Milestone assignment in new issue.
* git-grep: ensure bounded default for MatchesPerFile.
* Incorrect go to citation button.
* Incorrect HTMX support for profile card.
* Accessibility keyboard support for test actions.
* Update pull request icons.
* "Assign to me" button on PR and Issues.
* Add architecture-specific removal support for arch package.
* Add bin to Composer Metadata.
* Internationalization user experience improvements on team permissions and issue closing.
* Support allowed hosts for migrations to work with proxy.
* Trivial default quota configuration.
* Language detection in the repository learned about the following languages:
Luau, BQN, Cron table, NMODL, Pkl, templ, FIRRTL, Julia REPL, Caddyfile.
* The following extensions or filenames in a repository are associated with the matching language:
.sublime-color-scheme, MODULE.bazel.lock, Cargo.toml.orig, tsx, justfile, .zig.zon, .envrc.
* Remove support for Couchbase as a session provider; it instead will now fallback to the file provider.
* git-grep: allow searching for words with initial dashes.
* git-grep: skip binary files.
* Forgejo Actions logs are compressed by default.
* Support grouping by any path for arch package.
* Remove expensive nearest branch calculatations ($.BranchName) from commit diff view
* Allow push mirrors to use a SSH key as the authentication method for the mirroring action
instead of using user:password authentication.
* Use UTC as a timezone when running scheduled actions tasks.
* The actions logs older than [actions].LOG_RETENTION_DAYS days are removed (the default is 365).
* Add signature support for the RPM module.
* Allow color and background-color style properties for table cells.
* support pull_request_target event for commit status.
* support delete user email in admin panel.
* Notify owner about TOTP enrollment.
* Email notifications are now sent when account security changes are made: password changed
* Enable INVALIDATE_REFRESH_TOKENS.
* Sort milestones by name by default instead of the due date.
* allow synchronizing user status from OAuth2 login providers.
* add option to change mail from user display name.
* issue Templates: add option to have dropdown printed list.
* the default setting attachment.ALLOWED_TYPES was adjusted to allow .webp attachments in issues
* Convert milestone to HTMX.
* Use the full user name in emails to address the recipient, when available.
* Enhancing OAuth2 Provider with Granular Scopes for Resource Access.
* Display URLs in .sh-session files.
* The caching of contributor stats was improved
* Add support for LFS server implementations which have batch API responses in an older/deprecated schema.
* Forgejo Actions artifacts support range requests to resume a download.
* Added the foundations of a flexible, configurable quota system.
* Logs journald integration.
* A release asset can be a URL instead of a file.
* Don't allow owner team with incorrect unit access (includes doctor fix).
* Schedule workflows are canceled when pushing to the default branch.
* Incorrect Discord webhook JSON for issue events.
* wrong last modify time.
* Repo Activity: count new issues that were closed.
* incorrect /tokens API.
* Do not escape relative path in RPM primary index.
* Handle invalid target when creating releases using API.
* /repos/{owner}/{repo}/pulls/{index}/files endpoint not populating previous_filename.
* Improve textarea paste.
* Handle "close" actionable references for manual merges.
* Team admins are allowed to search team members via the API.
* Don't return 500 if mirror url contains special chars.
* Agit automerge is not working properly.
* Improve the display of PR & issue short links.
* Migrate scoped GitLab labels as scoped Forgejo labels.
* /repos/{owner}/{repo}/pulls/{index} requested_reviewers contains null for teams.
* Validate title length when updating an issue.
* Hide the "Details" link of commit status when the user cannot access actions.
* Runner registration token via API is broken for repo level runners.
* Deleted projects causes bad popover text on issues.
* Distinguish LFS object errors to ignore missing objects during migration.
* When viewing the revision history of wiki pages, the pagination links are broken
* Also rename the head branch of open pull requests when renaming a branch.
* add return type to GetRawFileOrLFS and GetRawFile.
* properly filter issue list given no assignees filter.
* Cron task to cleanup dangling container images with version sha256:*.
* Allow updates to runners' secrets.
* Do not fire webhook notifications for updates and deletions of comments that are part of an ongoing review
* Fixed social media previews for links to wiki pages.
* Updated translations
* Improve the clarity of confirmation in email messages.
* Fine tune language for units.
* Improve translation strings for webhook events.
* Allow different translations of creation links and titles.
* English strings improvements for internationalization.
-------------------------------------------------------------------
Wed Oct 9 13:22:28 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- add dont-strip.patch for not stripping the main binary (so we can
create debuginfo package)
-------------------------------------------------------------------
Wed Oct 9 05:46:17 UTC 2024 - Tuukka Pasanen <tuukka.pasanen@ilmi.fi>
- Add package environment-to-ini for OCI containers
-------------------------------------------------------------------
Tue Sep 10 07:49:29 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- update to 8.0.3:
* replace v-html with v-text in branch search inputbox for XSS protection
* mitigate CVE-2024-43788 (upgrade webpack)
* Translation updates
-------------------------------------------------------------------
Thu Aug 29 16:06:05 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- update to 8.0.2:
* Overflow for images on project cards.
* Allow unreacting from comment popover.
* The scope of application tokens is not verified when writing
containers or Conan packages.
* When a Forgejo Actions workflow includes a workflow_dispatch with
inputs and other events (for instance push), it is silently ignored
because of a parsing error.
* Automerge on AGit pull requests is ignored.
* Show lock owner instead of repo owner on LFS setting page.
* Render plain text file if the LFS object doesn't exist.
* Panic of ssh public key page after deletion of an auth source.
* Add missing repository type filter parameters to pager.
* Reverted a change from Gitea which prevented allow/reject reviews on
merged or closed PRs. This change was not considered by the Forgejo
UI team and there is a consensus that it feels like a regression,
since it interferes with workflows known to be used by Forgejo users
without providing a tangible benefit.
* Run full PR checks on AGit push.
* Updated translations
-------------------------------------------------------------------
Fri Aug 9 21:25:45 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- update to 8.0.1:
* A change introduced in Forgejo v1.21 allows a Forgejo user with write
permission on a repository description to inject a client-side script into
the web page viewed by the visitor. This XSS allows for href in anchor
elements to be set to a javascript: URI in the repository description,
which will execute the specified script upon clicking (and not upon
loading). AllowStandardURLs is now called for the repository description
policy, which ensures that URIs in anchor elements are mailto:, http://
or https:// and thereby disallowing the javascript: URI.
* Do not include trailing EOL character when counting lines
* Add background to reactions on hover
* Prevent uppercase in header of dashboard context selector
* Fix page layout in admin settings
* Ensure all filters are persistent in issue filters
* Allow 4 charachter SHA in /src/commit
- update to 8.0.0:
full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
Highlights:
* remove Microsoft SQL Server support
* introduce a branch/tag dropdown in the code search page
* added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
* API endpoints for managing tag protection.
* add Reviewed-on and Reviewed-by variables to the merge template
* display an error when an issue comment is edited simultaneously by
two users instead of silently overriding one of them
* when installing Forgejo through the built-in installer, open
(self-) registration is now disabled by default
* add support for the reddit and Hubspot OAuth providers.
* CERT management was improved when ENABLE_ACME=true
* language detection in the repository got additional languages
* add an immutable tarball link to archive download headers for Nix
* Show the AGit label on merged pull requests
- fix apparmor profile
- set sqlite3 as the default installation database
- add a rule for firewalld
-------------------------------------------------------------------
Fri Aug 9 18:13:59 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 7.0.7:
This is a security release. See the documentation for more
information on the upgrade procedure.
* Security
- A change introduced in Forgejo v1.21 allows a Forgejo user
with write permission on a repository description to inject a
client-side script into the web page viewed by the visitor.
This XSS allows for href in anchor elements to be set to a
javascript: URI in the repository description, which will
execute the specified script upon clicking (and not upon
loading). AllowStandardURLs is now called for the repository
description policy, which ensures that URIs in anchor
elements are mailto:, http:// or https:// and thereby
disallowing the javascript: URI.
* Bug fixes
- PR (backported): disallow javascript: URI in the repository
description
* Localization
- PR (backported): i18n: backport of #4568 #4668 and #4783 to
v7
-------------------------------------------------------------------
Thu Aug 1 10:50:53 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 7.0.6:
* Two frontend features were removed because a license
incompatibility was discovered. Read more in the companion blog
post.
- PR (backported from): Mermaid rendering: %%{init:
{"flowchart": {"defaultRenderer": "elk"}} }%% will now fail
because ELK is no longer included.
- PR (backported from): Repository citation: Removed the
ability to export citations in APA format.
* User Interface bug fixes
- PR (backported from): Replace vue-bar-graph with chart.js
- PR (backported from): Show AGit label on merged PR
- PR (backported from): Fix mobile UI for organisation creation
* Bug fixes
- PR (backported from): fix(api): issue state change is not
idempotent
- PR (backported from): Reserve the devtest username
- PR (backported from): fix(actions): no edited event triggered
when a title is changed
- PR (backported from): Load attachments for
/issues/comments/{id}
- PR (backported from): When searching for users, page the
results by default, and respect the default paging limits
- PR (backported from): the "View command line instructions"
link in pull requests and the "Copy content" button in file
editor are not accessible
- PR (backported from): Use correct SHA in GetCommitPullRequest
* Localization
- PR (backported from): Update of translations from Weblate
- PR: Update of translations from Weblate
- PR (backported from): 3 translation updates from Weblate - PR
1, PR 2, PR 3
-------------------------------------------------------------------
Mon Jul 15 06:28:18 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- fix typo Environemnt in forgejo.service
-------------------------------------------------------------------
Fri Jul 5 07:13:38 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- update to 7.0.5:
* Fixed: CVE-2024-24791 - GO-2024-2963 Denial of service due to improper
100-continue handling in net/http
* Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead
of Default URLs" checkbox (missing checkbox, irrelevant fields).
* Fixed: git push to an adopted repository fails.
* Fixed: markdown doesn't render math within brackets
* Fixed: selecting the "No Project" filter in the issue/pull request list has no effect
* Fixed: error 500 when processing crafted TIFF files.
* Fixed: wrong placeholder text in the form for adding repository collaborator.
-------------------------------------------------------------------
Sun Jun 16 12:52:27 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
- update to 7.0.4:
* Fixed: CVE-2024-24789: the archive/zip package's handling of certain types
of invalid zip files differs from the behavior of most zip implementations.
This misalignment could be exploited to create an zip file with contents that
vary depending on the implementation reading the file.
* the OAuth2 implementation does not always require authentication for public
clients, a requirement of RFC 6749 Section 10.2
* forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path.
* avatar files can be found in storage while they do not exist in the database.
* repository admins are always denied the right to force merge and instance admins
are subject to restrictions to merge that must only apply to repository admins.
* non conformance with the Nix tarball fetcher immutable link protocol.
* migrated activities (such as reviews) are mapped to the user who initiated the
migration rather than the Ghost user, if the external user cannot be mapped to a
local one. This mapping mismatch leads to internal server errors in some cases.
* a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored.
* using a subquery for user deletion is a performance bottleneck when using mariadb 10
because only mariadb 11 takes advantage of the available index.
* a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error.
* SourceHut Builds webhook fail when the triggers field is used.
* the label list rendering in the issue and pull request timeline is displayed on
multiple lines instead of a single one.
* Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.
* automerge does not happen when the approval count reaches the required threshold.
* the FORCE_PRIVATE=true setting is not consistently enforced.
* CSRF validation errors when OAuth is not enabled.
* headlines in rendered org-mode do not have a margin on the top
-------------------------------------------------------------------
Wed May 22 20:41:58 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
- update to 7.0.3:
* CVE-2024-24788: a malformed DNS message in response to a query can
cause the lookup functions to get stuck in an infinite loop
* backticks in mermaid block diagram labels are not sanitized properly
* migration of a repository from gogs fails when it is hosted at a subpath.
* when creating an OAuth2 application the redirect URLs are not enforced to
be mandatory
* the API incorrectly excludes repositories where code is not enabled
* "Allow edits from maintainers" cannot be modified via the pull request web UI
* repository activity feeds (including RSS and Atom feeds) contain
repeated activities
* uploading maven packages with metadata being uploaded separately will fail
* the mail notification sent about commits pushed to pull requests are empty
* inline emails attachments are not properly handled when commenting on an
issue via email
* the links to .zip and tar.gz on the tag list web UI fail
* expanding code diff while previewing a pull request before it is created fails
* the CLI is not able to migrate Forgejo Actions artifacts
* when adopting a repository, the default branch is not taken into account
* when using reverse proxy authentication, logout will not be taken into
account when immediately trying to login afterwards
* pushing to the master branch of a sha256 repository fails
* a very long project column name will make the action menu inaccessible
* a useless error is displayed when the title of a merged pull request is
modified
* workflow badges are not working for workflows that are not running on push
(such as scheduled workflows, and ones that run on tags and pull requests)
-------------------------------------------------------------------
Fri May 3 00:35:37 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
- update to 7.0.2:
* regression where subscribing to or unsubscribing from an issue in a
repository with no code produced an internal server error.
* regression makes all the refs sent in Gitea webhooks to be full refs and
might break Woodpecker CI pipelines triggered on tag (CI_COMMIT_TAG
contained the full ref). This issue has been fixed in the main branch of
Woodpecker CI as well.
* the webhook branch filter wrongly applied the match on the full ref for
branch creation and deletion (wrongly skipping events).
* toggling the WIP state of a pull request is possible from the sidebar,
but not from the footer.
* when mentioning a user, the markup post-processor does not handle the case
where the mentioned user does not exist: it tries to skip to the next node,
which in turn, ended up skipping the rest of the line.
* excessive and unnecessary database queries when a user with no repositories
is viewing their dashboard.
* duplicate status check contexts show in the branch protection settings.
* profile info fails to render german singular translation.
* inline attachments of incoming emails (as they occur for example with Apple
Mail) are not attached to comments.
-------------------------------------------------------------------
Sat Apr 27 14:53:09 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
- update to 7.0.1:
* LFS data corruption when running the forgejo doctor check --fix CLI command
or setting [cron.gc_lfs].ENABLED=true (the default is false)
* non backward compatible change in the forgejo admin user create CLI command
* error 500 because of an incorrect evaluation of the template when visiting
the LFS settings of a repository
* GET /repos/{owner}/{name} API endpoint always returns an empty string for
the object_format_name field
* fuzzy search may fail with bleve
-------------------------------------------------------------------
Thu Apr 25 02:27:22 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
- update to 7.0.0:
This is only an excerpt from the full changelog, which you can find
in your RELEASE-NOTES.md or at
https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0
* MySQL 8.0 or PostgreSQL 12 are the minimum supported versions.
The database must be migrated before upgrading.
The requirements regarding SQLite did not change.
* The per_page parameter is no longer a synonym for limit in the
/repos/{owner}/{repo}/releases API endpoint.
* The date format of the created and last_update fields of the
/repos/{owner}/{repo}/push_mirrors and /repos/{owner}/{repo}/push_mirrors
API endpoint changed to be timestamps instead of numbers.
* Labels used by pprof endpoint have been changed
* The fogejo admin user create CLI command requires a password change
by default when creating the first user
-------------------------------------------------------------------
Sat Apr 20 12:39:56 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
- update to 1.21.11-1:
* error 500 on tag creation when a workflow exists
- update to 1.21.11-0:
* Fixed a privilege escalation through git push options that
allows any user to change the visibility of any repository they can see,
regardless of their level of access.
* Fixed a bug that allows user-supplied, non-sandboxed JavaScript to be run
from the same domain as the forge, via
/{owner}/{repo}/render/branch/{branch}/{filename} URLs.
* Close file in upload function
* Prevent registering runners for deleted repositories.
Prevents 500 Internal Server Error in admin interface.
* More reliable pagination support when migrating from gitbucket
* Fix automerge when used with actions
- fix apparmor profile
-------------------------------------------------------------------
Fri Apr 5 18:39:07 UTC 2024 - Richard Rahl <rrahl0@proton.me>
- update to 1.21.10-0:
* CVE-2023-45288 which permits an attacker to cause an HTTP/2 endpoint to
read arbitrary amounts of header data
* Fix to not remove repository avatars when the doctor runs with --fix
on the repository archives.
* Detect protected branch on branch rename.
* Don't delete inactive emails explicitly.
* Fix user interface when a review is deleted without refreshing.
* Fix paths when finding files via the web interface that were not escaped.
* Respect DEFAULT_ORG_MEMBER_VISIBLE setting when adding creator to org.
* Fix duplicate migrated milestones.
* Fix inline math blocks can't be preceeded/followed by alphanumerical
characters.
-------------------------------------------------------------------
Thu Mar 28 06:58:20 UTC 2024 - Richard Rahl <rrahl0@proton.me>
- increase golang dep to 1.22, to imitate the CI/CD of forgejo
- revise how the apparmor package gets build + add selinux
-------------------------------------------------------------------
Sat Mar 23 21:21:28 UTC 2024 - Richard Rahl <user@localhost>
- update to 1.21.8-0:
* Fix /api/v1/{owner}/{repo}/issue_templates which was always failing with a
500 error.
* Prevent error 500 on /user/settings/security when SignedUser has a linked
account from a deactivated authentication source.
* Fix error 500 when pushing release to an empty repo.
* Fix incorrect rendering csv file when file size is larger than UI.CSV.MaxFileSize.
* Fix error 500 when deleting account with incorrect password or unsupported login type.
* handle user-defined name anchors like [Link](#link) linking to <a name="link"></a>Link.
* Use correct head commit for CODEOWNER.
* Fix manual merge button.
* Make meilisearch do exact search for issues.
* Fix PR creation via api between branches of same repo with head field namespaced.
-------------------------------------------------------------------
Fri Mar 8 07:35:29 UTC 2024 - Richard Rahl <rrahl0@proton.me>
- add apparmor profile leeched off of the gitea packaging
- update to 1.21.7-0:
* Fix tarball/zipball download bug.
* Ensure HasIssueContentHistory takes into account comment_id.
* The google.golang.org/protobuf module was bumped to version v1.33.0 to fix
a bug in the google.golang.org/protobuf/encoding/protojson package which
could cause the Unmarshal function to enter an infinite loop when handling
some invalid inputs
-------------------------------------------------------------------
Fri Feb 9 10:07:58 UTC 2024 - Richard Rahl <rrahl0@proton.me>
- initial packaging

5
forgejo.fc Normal file
View File

@ -0,0 +1,5 @@
/usr/bin/forgejo -- gen_context(system_u:object_r:forgejo_exec_t,s0)
/var/lib/forgejo(/.*)? gen_context(system_u:object_r:forgejo_var_lib_t,s0)
/var/log/forgejo(/.*)? gen_context(system_u:object_r:forgejo_log_t,s0)

6
forgejo.firewalld Normal file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Forgejo</short>
<description>Forgejo is a self-hostable forge. It was forked from gitea, and has the old UI style from GitHub.</description>
<port protocol="tcp" port="3000"/>
</service>

218
forgejo.if Normal file
View File

@ -0,0 +1,218 @@
## <summary>policy for forgejo</summary>
########################################
## <summary>
## Execute forgejo_exec_t in the forgejo domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`forgejo_domtrans',`
gen_require(`
type forgejo_t, forgejo_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, forgejo_exec_t, forgejo_t)
')
######################################
## <summary>
## Execute forgejo in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`forgejo_exec',`
gen_require(`
type forgejo_exec_t;
')
corecmd_search_bin($1)
can_exec($1, forgejo_exec_t)
')
########################################
## <summary>
## Read forgejo's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`forgejo_read_log',`
gen_require(`
type forgejo_log_t;
')
logging_search_logs($1)
read_files_pattern($1, forgejo_log_t, forgejo_log_t)
')
########################################
## <summary>
## Append to forgejo log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`forgejo_append_log',`
gen_require(`
type forgejo_log_t;
')
logging_search_logs($1)
append_files_pattern($1, forgejo_log_t, forgejo_log_t)
')
########################################
## <summary>
## Manage forgejo log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`forgejo_manage_log',`
gen_require(`
type forgejo_log_t;
')
logging_search_logs($1)
manage_dirs_pattern($1, forgejo_log_t, forgejo_log_t)
manage_files_pattern($1, forgejo_log_t, forgejo_log_t)
manage_lnk_files_pattern($1, forgejo_log_t, forgejo_log_t)
')
########################################
## <summary>
## Search forgejo lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`forgejo_search_lib',`
gen_require(`
type forgejo_var_lib_t;
')
allow $1 forgejo_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read forgejo lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`forgejo_read_lib_files',`
gen_require(`
type forgejo_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
')
########################################
## <summary>
## Manage forgejo lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`forgejo_manage_lib_files',`
gen_require(`
type forgejo_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
')
########################################
## <summary>
## Manage forgejo lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`forgejo_manage_lib_dirs',`
gen_require(`
type forgejo_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an forgejo environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`forgejo_admin',`
gen_require(`
type forgejo_t;
type forgejo_log_t;
type forgejo_var_lib_t;
')
allow $1 forgejo_t:process { signal_perms };
ps_process_pattern($1, forgejo_t)
tunable_policy(`deny_ptrace',`',`
allow $1 forgejo_t:process ptrace;
')
logging_search_logs($1)
admin_pattern($1, forgejo_log_t)
files_search_var_lib($1)
admin_pattern($1, forgejo_var_lib_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')

39
forgejo.keyring Normal file
View File

@ -0,0 +1,39 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Hostname:
Version: Hockeypuck 2.2
xjMEY3T/yhYJKwYBBAHaRw8BAQdAVxqCQrSbpDNrx8CiTM8PUAVqdCyv2UmBDhpP
HZIpoIDNHUZvcmdlam8gPGNvbnRhY3RAZm9yZ2Vqby5vcmc+wsB+BBMWCgDmAhsD
BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAhkBFiEE6xFPXmwNwrzdGDVQpLYaLcWS
NxAFAmN7KZI2FIAAAAAAEAAdcHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vZmxvc3Mu
c29jaWFsL0Bmb3JnZWpvMRSAAAAAABAAGHByb29mQGFyaWFkbmUuaWRkbnM6Zm9y
Z2Vqby5vcmc/dHlwZT1UWFRBFIAAAAAAEAAocHJvb2ZAYXJpYWRuZS5pZGh0dHBz
Oi8vY29kZWJlcmcub3JnL2Zvcmdlam8vZ2l0ZWFfcHJvb2YACgkQpLYaLcWSNxAv
oQEAsbFLqcqjAoRTKpP++D6s0pZgnekV7W3sz1uumKLLUm4A/RvjfnPaK9XAZHEn
o0RDksu0xaw673pPmYXWVYQqdVACwsBHBBMWCgCvAhsDBQsJCAcDBRUKCQgLBRYC
AwEAAh4BAheAAhkBFiEE6xFPXmwNwrzdGDVQpLYaLcWSNxAFAmN4pwNBFIAAAAAA
EAAocHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vY29kZWJlcmcub3JnL2Zvcmdlam8v
Z2l0ZWFfcHJvb2YxFIAAAAAAEAAYcHJvb2ZAYXJpYWRuZS5pZGRuczpmb3JnZWpv
Lm9yZz90eXBlPVRYVAAKCRCkthotxZI3EDVfAQCX3Bwc7JFu/JSVSXkMAiO9KqKz
oQv0FKfNI4zc7OZTuwEAro2IK2nt72W/+O+rHMDN97n0qQYLjcEy2wiOguYPPgfC
dQQQFggAHRYhBD3JQbKWDZMPhcHxD2Hhmc0+gu5GBQJjkUDQAAoJEGHhmc0+gu5G
/noA/2Nhnj9ec6GFil+yzfcaf2JYZnTkOYuhxhHhLVVDc2u2AQDNClLXyLeOp8YQ
r3sDEVLIf8IUpmRyhdf5lnR7dOXADc0mRm9yZ2VqbyBSZWxlYXNlcyA8cmVsZWFz
ZUBmb3JnZWpvLm9yZz7CkAQTFgoAOAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIX
gBYhBOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJjeKH0AAoJEKS2Gi3FkjcQC5YBAKwC
GFDDSpX0JwBrzIP8W8ElwHvdBz2XDg8LwyQgr722AP9r01rbFwY4axDxpNj+BUFx
wD5Fhza1cE3932eTsSOPDsJ1BBAWCAAdFiEEPclBspYNkw+FwfEPYeGZzT6C7kYF
AmORQNAACgkQYeGZzT6C7kZgCQD9E3NRV6SUBw7IdbIG9w0oUcn/RMsSmTXMAmas
LO3ilCUBAPVs56RxvNdA5cLJeZwRlqZ10nnJekb2wnQPyohB2GcOzjMEY3UANBYJ
KwYBBAHaRw8BAQdAKvAs2Ij2RamYUzz4sBgsc2J+4fEwvSMcTp6rPZizRhfCwDUE
GBYIACYWIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCY3UANAIbAgUJAeEzgACBCRCk
thotxZI3EHYgBBkWCAAdFiEE98vwIJTnZl4X7WxE44G/PlDVNwcFAmN1ADQACgkQ
44G/PlDVNwdIlgD+K15nuEec+VTFdP7YY3SxM8Rjg2EtXk007+LM7XQfN9sBAOLj
BTzIdaaKOpoAkGQ9Th/IphSUOnPYZVO5a6cN+wAM458A/itf3urQehI5SbKtbRqI
DhqQZQVAcEeG2eQFunuofjDWAQDt/gE5XgTiQgnkTcqAX7GQeE74O/Q5vDtX10Nj
bzV7D844BGN0/8oSCisGAQQBl1UBBQEBB0CZnRfIHxTVhOF8kdhbe4YJsePyVFi8
USfuDXy4HgIHRgMBCAfCeAQYFggAIBYhBOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJj
dP/KAhsMAAoJEKS2Gi3FkjcQdroA/jHFqt7y/r/5zdK4TYYp+5jlOgM5ZI7pNhWh
tIFbqmx9AQCKSJf2YgPBLNJSL/86vpE9b6IvTE/8ENR/7xYaIA7oAg==
=urT2
-----END PGP PUBLIC KEY BLOCK-----

33
forgejo.service Normal file
View File

@ -0,0 +1,33 @@
[Unit]
Description=Forgejo (Beyond coding. We forge.)
After=network.target
[Service]
# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
# LimitNOFILE=524288:524288
RestartSec=2s
Type=simple
User=forgejo
Group=forgejo
WorkingDirectory=/var/lib/forgejo/
ExecStart=/usr/bin/forgejo web --config /etc/forgejo/conf/app.ini
Restart=always
Environment=USER=forgejo
Environment=HOME=/usr/share/forgejo
Environment=GITEA_WORK_DIR=/var/lib/forgejo
Environment=GITEA_CUSTOM=/etc/forgejo
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
[Install]
WantedBy=multi-user.target

238
forgejo.spec Normal file
View File

@ -0,0 +1,238 @@
#
# spec file for package forgejo
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?suse_version} > 1600
%bcond_without selinux
%bcond_without apparmor
%else
%if 0%{?suse_version} == 1600
%bcond_without selinux
%bcond_with apparmor
%else
# Leap & SLE
%bcond_with selinux
%bcond_without apparmor
%endif
%endif
Name: forgejo
Version: 9.0.1
Release: 0
Summary: Self-hostable forge
License: GPL-3.0-or-later
Group: Development/Tools/Version Control
URL: https://forgejo.org
Source0: https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz
Source1: https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz.asc
Source2: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xeb114f5e6c0dc2bcdd183550a4b61a2dc5923710#/%{name}.keyring
Source3: package-lock.json
Source4: node_modules.spec.inc
%include %{_sourcedir}/node_modules.spec.inc
Source5: %{name}.service
Source6: %{name}.sysusers
Source7: %{name}.fc
Source8: %{name}.if
Source9: %{name}.te
Source10: %{name}.apparmor
Source11: %{name}.firewalld
Source99: get-sources.sh
Patch0: custom-app.ini.patch
Patch1: dont-strip.patch
BuildRequires: golang-packaging
BuildRequires: golang(API) = 1.23
## node >= 20
%if 0%{?suse_version} == 1500
BuildRequires: nodejs-devel-default
BuildRequires: npm-default
%else
BuildRequires: nodejs-packaging
%endif
BuildRequires: firewall-macros
BuildRequires: firewalld
BuildRequires: local-npm-registry
BuildRequires: make
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
Requires: git-core
Requires: git-lfs
Requires: (%{name}-apparmor if apparmor-abstractions)
Requires: (%{name}-firewalld if firewalld)
Requires: (%{name}-selinux if selinux-policy-targeted)
%if %{with apparmor}
BuildRequires: apparmor-abstractions
BuildRequires: apparmor-rpm-macros
BuildRequires: libapparmor-devel
%endif
%if %{with selinux}
BuildRequires: checkpolicy
BuildRequires: selinux-policy-devel
%endif
%{systemd_requires}
%{sysusers_requires}
%package firewalld
Summary: Firewalld profile for %{name}
BuildArch: noarch
%description firewalld
This package adds a firewalld service profile to %{name}
%if %{with apparmor}
%package apparmor
Summary: Apparmor profile for %{name}
BuildArch: noarch
Requires: %{name} = %{version}-%{release}
%description apparmor
This package adds the Apparmor profile to %{name}
%endif
%if %{with selinux}
%package selinux
Summary: Selinux support for %{name}
BuildArch: noarch
Requires: %{name} = %{version}-%{release}
Requires: selinux-policy-targeted
%description selinux
This package adds SELinux enforcement to %{name}.
%endif
%package environment-to-ini
Summary: Configuration params via environment variables for %{name}
Requires: %{name} = %{version}-%{release}
%description environment-to-ini
OCI Container users can change arbitrary configuration
via environment variables with this tool
Forgejo needs to use an ini file for configuration because the running
environment that starts the OCI container may not be the same as that used
by the hooks. An ini file also gives a good default and means that
users do not have to completely provide a full environment.
%description
Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo
the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of builtin functionality.
%prep
%autosetup -p1 -n %{name}-src-%{version}
local-npm-registry %{_sourcedir} install --also=dev
%build
%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
export TAGS="bindata timetzdata sqlite sqlite_unlock_notify"
export EXTRA_GOFLAGS="-buildmode=pie -mod=vendor"
%make_build build
go build ${EXTRA_GOFLAGS} -o contrib/environment-to-ini/environment-to-ini contrib/environment-to-ini/environment-to-ini.go
%install
install -d %{buildroot}%{_bindir}
install -d %{buildroot}%{_datadir}/%{name}
install -d %{buildroot}%{_datadir}/%{name}/{conf,https,mailer}
install -Dm0755 contrib/environment-to-ini/environment-to-ini %{buildroot}%{_bindir}
ln -s %{name} %{buildroot}%{_bindir}/gitea
install -d %{buildroot}%{_sharedstatedir}/%{name}/{data,https,indexers,queues,repositories}
install -d %{buildroot}%{_sysconfdir}/%{name}
install -d %{buildroot}%{_localstatedir}/log/%{name}
install -D -m 0644 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
install -D -m 0755 %{_builddir}/%{name}-src-%{version}/gitea %{buildroot}%{_bindir}/%{name}
install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/%{name}.service
install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
%if %{with apparmor}
install -d %{buildroot}%{_sysconfdir}/apparmor.d
install -Dm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
%endif
%if %{with selinux}
cd %{_sourcedir}
make -f %{_datadir}/selinux/devel/Makefile %{name}.pp
install -Dm0644 %{name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{name}.pp
install -Dm0644 %{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif
#firewalld service file
install -D -m 0644 %{SOURCE11} %{buildroot}%{_prefix}/lib/firewalld/services/%{name}.xml
%pre -f %{name}.pre
%service_add_pre %{name}.service
%post
%service_add_post %{name}.service
%post firewalld
%firewalld_reload
%if %{with apparmor}
%post apparmor
%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{name}
%endif
%if %{with selinux}
%post selinux
semodule -i %{_datadir}/selinux/packages/%{name}/%{name}.pp 2>/dev/null || :
%preun selinux
semodule -r %{name} 2>/dev/null || :
%endif
%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service
%check
#as of now, broken
#%%make_build test
%files
%license LICENSE
%doc README.md RELEASE-NOTES.md CONTRIBUTING.md
%{_unitdir}/%{name}.service
%{_bindir}/%{name}
%{_bindir}/gitea
%defattr(0660,root,forgejo,770)
%{_localstatedir}/log/%{name}
%defattr(0660,forgejo,forgejo,750)
%config(noreplace) %{_sysconfdir}/%{name}/conf/app.ini
%{_sysconfdir}/%{name}
%{_datadir}/%{name}
%{_sharedstatedir}/%{name}
%{_sysusersdir}/%{name}.conf
%if %{with apparmor}
%files apparmor
%dir %{_sysconfdir}/apparmor.d
%config %{_sysconfdir}/apparmor.d/usr.bin.%{name}
%endif
%if %{with selinux}
%files selinux
%dir %{_datadir}/selinux/devel/include/distributed
%{_datadir}/selinux/packages/%{name}
%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif
%files firewalld
%{_prefix}/lib/firewalld/services/%{name}.xml
%files environment-to-ini
%{_bindir}/environment-to-ini
%changelog

3
forgejo.sysusers Normal file
View File

@ -0,0 +1,3 @@
# Type Name ID GECOS [HOME] Shell
g forgejo - - -
u forgejo - "Forgejo" /var/lib/forgejo /usr/bin/bash

41
forgejo.te Normal file
View File

@ -0,0 +1,41 @@
policy_module(forgejo, 1.0.0)
########################################
#
# Declarations
#
type forgejo_t;
type forgejo_exec_t;
init_daemon_domain(forgejo_t, forgejo_exec_t)
permissive forgejo_t;
type forgejo_log_t;
logging_log_file(forgejo_log_t)
type forgejo_var_lib_t;
files_type(forgejo_var_lib_t)
########################################
#
# forgejo local policy
#
allow forgejo_t self:fifo_file rw_fifo_file_perms;
allow forgejo_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
manage_files_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
manage_lnk_files_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
logging_log_filetrans(forgejo_t, forgejo_log_t, { dir file lnk_file })
manage_dirs_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
manage_files_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
manage_lnk_files_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
files_var_lib_filetrans(forgejo_t, forgejo_var_lib_t, { dir file lnk_file })
domain_use_interactive_fds(forgejo_t)
files_read_etc_files(forgejo_t)
miscfiles_read_localization(forgejo_t)

41
get-sources.sh Normal file
View File

@ -0,0 +1,41 @@
#!/usr/bin/sh
set -e
if [[ -z "$1" ]]; then
echo "Please enter the version you want to update to";
exit 1;
fi
VERSION="$1"
echo "++++++++++++++++++++++++++++++++++++++++++++++"
echo "patching spec file and downloading the tarball"
echo "++++++++++++++++++++++++++++++++++++++++++++++"
sed -i -e 's|Version: .*|Version: '${VERSION}'|g' forgejo.spec
osc service ra download_files
echo "++++++++++++++++++++++++++++++++++++++++++++++"
echo "extracting package-lock.json"
echo "++++++++++++++++++++++++++++++++++++++++++++++"
tar xf forgejo-src-${VERSION}.tar.gz forgejo-src-${VERSION}/package-lock.json
cp forgejo-src-${VERSION}/package-lock.json .
echo "++++++++++++++++++++++++++++++++++++++++++++++"
echo "Downloading node_modules"
echo "++++++++++++++++++++++++++++++++++++++++++++++"
osc service ra node_modules
echo "++++++++++++++++++++++++++++++++++++++++++++++"
echo "Cleanup Step"
echo "++++++++++++++++++++++++++++++++++++++++++++++"
rm -r forgejo-src-${VERSION}
rm node_modules.sums
echo "++++++++++++++++++++++++++++++++++++++++++++++"
echo "Done! Have fun building and testing"
echo "++++++++++++++++++++++++++++++++++++++++++++++"

3
node_modules.obscpio Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b424002185eb0cfdfd4595ae155c0b8ab1574bc92c67bcaedeca2bdecd78fe89
size 210358804

1165
node_modules.spec.inc Normal file
View File

File diff suppressed because it is too large Load Diff

16972
package-lock.json generated Normal file
View File

File diff suppressed because it is too large Load Diff