Accepting request 1193293 from devel:tools:scm
- update to 8.0.1: * A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https://, thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 character SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages (forwarded request 1193292 from rrahl0) OBS-URL: https://build.opensuse.org/request/show/1193293 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=13
commit
fe1055e9bc
@ -1,9 +1,8 @@
|
|||||||
Index: gitea-1.21.3/custom/conf/app.example.ini
|
diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patched/custom/conf/app.example.ini
|
||||||
===================================================================
|
--- forgejo-src-8.0.0/custom/conf/app.example.ini 2024-07-30 06:40:03.000000000 +0200
|
||||||
--- gitea-1.21.3.orig/custom/conf/app.example.ini
|
+++ forgejo-src-8.0.0-patched/custom/conf/app.example.ini 2024-08-01 20:24:55.972480197 +0200
|
||||||
+++ gitea-1.21.3/custom/conf/app.example.ini
|
@@ -51,7 +51,7 @@
|
||||||
@@ -44,7 +44,7 @@
|
;APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}
|
||||||
APP_NAME = ; Gitea: Git with a cup of tea
|
|
||||||
;;
|
;;
|
||||||
;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
|
;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
|
||||||
-RUN_USER = ; git
|
-RUN_USER = ; git
|
||||||
@ -11,7 +10,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
|
;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
|
||||||
;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
|
;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
|
||||||
@@ -273,15 +273,17 @@ RUN_USER = ; git
|
@@ -284,15 +284,17 @@
|
||||||
;; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
|
;; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
|
||||||
;; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
|
;; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
|
||||||
;; Paths are relative to CUSTOM_PATH
|
;; Paths are relative to CUSTOM_PATH
|
||||||
@ -31,7 +30,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Enable gzip compression for runtime-generated content, static resources excluded
|
;; Enable gzip compression for runtime-generated content, static resources excluded
|
||||||
;ENABLE_GZIP = false
|
;ENABLE_GZIP = false
|
||||||
@@ -293,6 +295,7 @@ RUN_USER = ; git
|
@@ -304,6 +306,7 @@
|
||||||
;;
|
;;
|
||||||
;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
|
;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
|
||||||
;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
|
;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
|
||||||
@ -39,16 +38,57 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
|
;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
|
||||||
;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
|
;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
|
||||||
@@ -368,7 +371,7 @@ USER = root
|
@@ -355,10 +358,10 @@
|
||||||
|
;;
|
||||||
|
;; MySQL Configuration
|
||||||
|
;;
|
||||||
|
-DB_TYPE = mysql
|
||||||
|
-HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
|
||||||
|
-NAME = gitea
|
||||||
|
-USER = root
|
||||||
|
+;DB_TYPE = mysql
|
||||||
|
+;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
|
||||||
|
+;NAME = forgejo
|
||||||
|
+;USER = root
|
||||||
|
;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
|
||||||
|
;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
|
||||||
|
;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
|
||||||
|
@@ -369,7 +372,7 @@
|
||||||
|
;;
|
||||||
|
;DB_TYPE = postgres
|
||||||
|
;HOST = 127.0.0.1:5432 ; can use socket e.g. /var/run/postgresql/
|
||||||
|
-;NAME = gitea
|
||||||
|
+;NAME = forgejo
|
||||||
|
;USER = root
|
||||||
|
;PASSWD =
|
||||||
|
;SCHEMA =
|
||||||
|
@@ -379,21 +382,10 @@
|
||||||
|
;;
|
||||||
;; SQLite Configuration
|
;; SQLite Configuration
|
||||||
;;
|
;;
|
||||||
;DB_TYPE = sqlite3
|
-;DB_TYPE = sqlite3
|
||||||
-;PATH= ; defaults to data/forgejo.db
|
-;PATH= ; defaults to data/forgejo.db
|
||||||
+;PATH= /var/lib/forgejo/data/gitea.db ; defaults to data/forgejo.db
|
-;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
|
||||||
;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
|
-;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
|
||||||
;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
|
-;;
|
||||||
|
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
-;;
|
||||||
|
-;; MSSQL Configuration
|
||||||
|
-;;
|
||||||
|
-;DB_TYPE = mssql
|
||||||
|
-;HOST = 172.17.0.2:1433
|
||||||
|
-;NAME = gitea
|
||||||
|
-;USER = SA
|
||||||
|
-;PASSWD = MwantsaSecurePassword1
|
||||||
|
-;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
|
||||||
|
+DB_TYPE = sqlite3
|
||||||
|
+PATH= /var/lib/forgejo/data/forgejo.db ; defaults to data/forgejo.db
|
||||||
|
+SQLITE_TIMEOUT = ; Query timeout defaults to: 500
|
||||||
|
+SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
|
||||||
;;
|
;;
|
||||||
@@ -561,14 +564,14 @@ ENABLE = true
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
;;
|
||||||
|
@@ -579,14 +571,14 @@
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
|
;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
|
||||||
@ -65,7 +105,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
|
;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
|
||||||
LEVEL = Info
|
LEVEL = Info
|
||||||
@@ -904,7 +907,7 @@ LEVEL = Info
|
@@ -946,7 +938,7 @@
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
|
;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
|
||||||
;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
|
;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
|
||||||
@ -74,7 +114,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
|
;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
|
||||||
;SCRIPT_TYPE = bash
|
;SCRIPT_TYPE = bash
|
||||||
@@ -1014,7 +1017,7 @@ LEVEL = Info
|
@@ -1065,7 +1057,7 @@
|
||||||
;ENABLED = true
|
;ENABLED = true
|
||||||
;;
|
;;
|
||||||
;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
|
;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
|
||||||
@ -83,7 +123,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
|
;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
|
||||||
;ALLOWED_TYPES =
|
;ALLOWED_TYPES =
|
||||||
@@ -1368,7 +1371,7 @@ LEVEL = Info
|
@@ -1444,7 +1436,7 @@
|
||||||
;ISSUE_INDEXER_TYPE = bleve
|
;ISSUE_INDEXER_TYPE = bleve
|
||||||
;;
|
;;
|
||||||
;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
|
;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
|
||||||
@ -92,7 +132,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
|
;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
|
||||||
;ISSUE_INDEXER_CONN_STR =
|
;ISSUE_INDEXER_CONN_STR =
|
||||||
@@ -1395,7 +1398,7 @@ LEVEL = Info
|
@@ -1471,7 +1463,7 @@
|
||||||
;REPO_INDEXER_TYPE = bleve
|
;REPO_INDEXER_TYPE = bleve
|
||||||
;;
|
;;
|
||||||
;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
|
;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
|
||||||
@ -101,7 +141,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
|
;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
|
||||||
;REPO_INDEXER_CONN_STR =
|
;REPO_INDEXER_CONN_STR =
|
||||||
@@ -1429,6 +1432,7 @@ LEVEL = Info
|
@@ -1510,6 +1502,7 @@
|
||||||
;;
|
;;
|
||||||
;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
|
;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
|
||||||
;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
|
;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
|
||||||
@ -109,16 +149,16 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Default queue length before a channel queue will block
|
;; Default queue length before a channel queue will block
|
||||||
;LENGTH = 100000
|
;LENGTH = 100000
|
||||||
@@ -1752,7 +1756,7 @@ LEVEL = Info
|
@@ -1852,7 +1845,7 @@
|
||||||
;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
|
;; file: session file path, e.g. `data/sessions`
|
||||||
;; redis-cluster: `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
|
;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
|
||||||
;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
|
;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
|
||||||
-;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
|
-;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
|
||||||
+;PROVIDER_CONFIG = /var/lib/forgejo/data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
|
+;PROVIDER_CONFIG = /var/lib/forgejo/data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
|
||||||
;;
|
;;
|
||||||
;; Session cookie name
|
;; Session cookie name
|
||||||
;COOKIE_NAME = i_like_gitea
|
;COOKIE_NAME = i_like_gitea
|
||||||
@@ -1839,7 +1843,7 @@ LEVEL = Info
|
@@ -1939,7 +1932,7 @@
|
||||||
;;
|
;;
|
||||||
;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
|
;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
|
||||||
;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
|
;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
|
||||||
@ -127,7 +167,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
|
;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
|
||||||
;MINIO_ENDPOINT = localhost:9000
|
;MINIO_ENDPOINT = localhost:9000
|
||||||
@@ -1857,7 +1861,7 @@ LEVEL = Info
|
@@ -1965,7 +1958,7 @@
|
||||||
;MINIO_LOCATION = us-east-1
|
;MINIO_LOCATION = us-east-1
|
||||||
;;
|
;;
|
||||||
;; Minio base path on the bucket only available when STORAGE_TYPE is `minio`
|
;; Minio base path on the bucket only available when STORAGE_TYPE is `minio`
|
||||||
@ -136,7 +176,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
|
;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
|
||||||
;MINIO_USE_SSL = false
|
;MINIO_USE_SSL = false
|
||||||
@@ -2428,10 +2432,10 @@ LEVEL = Info
|
@@ -2548,10 +2541,10 @@
|
||||||
;;
|
;;
|
||||||
;STORAGE_TYPE = local
|
;STORAGE_TYPE = local
|
||||||
;; override the minio base path if storage type is minio
|
;; override the minio base path if storage type is minio
|
||||||
@ -149,7 +189,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
;;
|
;;
|
||||||
;; Maximum count of package versions a single owner can have (`-1` means no limits)
|
;; Maximum count of package versions a single owner can have (`-1` means no limits)
|
||||||
;LIMIT_TOTAL_OWNER_COUNT = -1
|
;LIMIT_TOTAL_OWNER_COUNT = -1
|
||||||
@@ -2498,10 +2502,10 @@ LEVEL = Info
|
@@ -2618,10 +2611,10 @@
|
||||||
;STORAGE_TYPE = local
|
;STORAGE_TYPE = local
|
||||||
;;
|
;;
|
||||||
;; Where your lfs files reside, default is data/lfs.
|
;; Where your lfs files reside, default is data/lfs.
|
||||||
@ -162,7 +202,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
|
|||||||
|
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
@@ -2521,10 +2525,10 @@ LEVEL = Info
|
@@ -2641,10 +2634,10 @@
|
||||||
;STORAGE_TYPE = local
|
;STORAGE_TYPE = local
|
||||||
;;
|
;;
|
||||||
;; Where your lfs files reside, default is data/lfs.
|
;; Where your lfs files reside, default is data/lfs.
|
||||||
|
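Review bot: The new SQLite hunk of the patch (`@@ -379,21 +382,10 @@`) uncomments four keys, but `SQLITE_TIMEOUT =` and `SQLITE_JOURNAL_MODE =` are left with empty values, and `PATH= /var/lib/forgejo/data/forgejo.db ; defaults to data/forgejo.db` keeps its explanation on the value line. The effective database path then depends on the ini loader stripping inline comments, which this page does not show. I would activate only what the package needs, `DB_TYPE = sqlite3` and `PATH = /var/lib/forgejo/data/forgejo.db`, move the remark to its own `;;` line, and leave the two empty keys commented as upstream ships them. It is also worth confirming on a fresh install that the database file is created at that path and is private to the service user.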
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:ba66fa2bf335149d6bda0a943bcbb2021af3692f10c10ede646cdcabfe762029
|
|
||||||
size 53549049
|
|
@ -1,7 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYTZAAKCRCkthotxZI3
|
|
||||||
EPgYAP9o2VTTDnul4cDr6xEfw9k90sk323uk4WhcSktc+qgxqwEAmUKcJ4pk7scZ
|
|
||||||
O2O5Ru3o7nomtBPrflFoGJXKO8ACrQ8=
|
|
||||||
=7IAF
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
forgejo-src-8.0.1.tar.gz
Normal file
3
forgejo-src-8.0.1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:284b2cc2a609d1766bb61f20cea7c6a9e2a34a9972f243d4962df2a24d15204a
|
||||||
|
size 53413049
|
7
forgejo-src-8.0.1.tar.gz.asc
Normal file
7
forgejo-src-8.0.1.tar.gz.asc
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYYFgAKCRCkthotxZI3
|
||||||
|
EHz8AP90KeP3zRxXpllCJkXngANdUYN4wajU50u8p73dUY2jWAD/Wn87xN7RbrVd
|
||||||
|
0U3wPsUy4Memvg4WYavNWBOEwDtTtww=
|
||||||
|
=JG8G
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,88 +1,64 @@
|
|||||||
abi <abi/3.0>,
|
abi <abi/3.0>,
|
||||||
|
|
||||||
#include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
|
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
|
||||||
|
include <abstractions/base>
|
||||||
#include <abstractions/base>
|
include <abstractions/mysql>
|
||||||
#include <abstractions/nameservice>
|
include <abstractions/nameservice>
|
||||||
#include <abstractions/openssl>
|
include <abstractions/opencl-pocl>
|
||||||
#include <abstractions/user-tmp>
|
include <abstractions/openssl>
|
||||||
#include <abstractions/mysql>
|
include <abstractions/user-tmp>
|
||||||
|
include if exists <local/usr.bin.forgejo>
|
||||||
|
|
||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
||||||
/usr/bin/forgejo mr,
|
|
||||||
/usr/bin/gzip mr,
|
|
||||||
|
|
||||||
# Grant read access to config files
|
|
||||||
/etc/mime.types r,
|
|
||||||
/usr/share/mime/globs2 r,
|
|
||||||
/etc/machine-id r,
|
|
||||||
/etc/forgejo/ r,
|
/etc/forgejo/ r,
|
||||||
/etc/forgejo/{conf,https,mailer}/ r,
|
|
||||||
/etc/forgejo/https/*.{crt,key,pem} r,
|
|
||||||
|
|
||||||
# Access to config file app.ini
|
|
||||||
/etc/forgejo/conf/app.ini r,
|
/etc/forgejo/conf/app.ini r,
|
||||||
# Config must be writeable for initial setup
|
|
||||||
# to restrict to read-only access admin can do after setup:
|
|
||||||
# chown root:gitea /etc/gitea/conf/app.ini
|
|
||||||
# chmod 0640 /etc/gitea/conf/app.ini
|
|
||||||
owner /etc/forgejo/conf/app.ini w,
|
|
||||||
|
|
||||||
# Grant read access to public custom static content
|
|
||||||
/etc/forgejo/public/ r,
|
/etc/forgejo/public/ r,
|
||||||
/etc/forgejo/public/** r,
|
/etc/forgejo/public/** r,
|
||||||
|
/etc/forgejo/{conf,https,mailer}/ r,
|
||||||
# allow invoking executables
|
|
||||||
/usr/bin/{basename,bash,cat,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
|
|
||||||
/usr/{lib,libexec}/git/git ix,
|
|
||||||
/usr/{lib,libexec}/git/git-remote-http ix,
|
|
||||||
/usr/share/git-core/templates/ r,
|
|
||||||
/usr/share/git-core/templates/** r,
|
|
||||||
/etc/gitconfig r,
|
/etc/gitconfig r,
|
||||||
|
/etc/mime.types r,
|
||||||
# Grant read access to static content
|
|
||||||
/usr/share/forgejo/** r,
|
|
||||||
|
|
||||||
# Grant read access to some process parameters
|
|
||||||
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||||
@{PROC}/sys/net/core/somaxconn r,
|
/usr/bin/forgejo mr,
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
/usr/bin/git mr,
|
||||||
owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
|
/usr/bin/gzip mr,
|
||||||
|
/usr/bin/{basename,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
|
||||||
# Grant read access to working directory
|
/usr/libexec/git/git-write-tree mrix,
|
||||||
/var/lib/forgejo/ r,
|
/usr/share/forgejo/** r,
|
||||||
|
|
||||||
# Allow TTY access
|
|
||||||
/dev/tty rw,
|
|
||||||
|
|
||||||
# Grant access to various data/repo directories
|
|
||||||
owner /tmp/patch* rw,
|
|
||||||
owner /tmp/index* rw,
|
|
||||||
owner /tmp/forgejo** rwl,
|
|
||||||
owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
|
|
||||||
owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
|
|
||||||
owner /var/lib/forgejo/data/forgejo-repositories/** rwkl,
|
|
||||||
owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
|
|
||||||
owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
|
|
||||||
owner /var/lib/forgejo/https/** rwkl,
|
|
||||||
|
|
||||||
# Ugly!
|
|
||||||
/usr/share/forgejo/.gitconfig rw,
|
/usr/share/forgejo/.gitconfig rw,
|
||||||
/usr/share/forgejo/.gitconfig.lock rw,
|
/usr/share/forgejo/.gitconfig.lock rw,
|
||||||
|
/usr/share/git-core/templates/ r,
|
||||||
|
/usr/share/git-core/templates/** r,
|
||||||
|
/usr/share/mime/globs2 r,
|
||||||
|
/usr/{lib,libexec}/git/git ix,
|
||||||
|
/usr/{lib,libexec}/git/git-remote-http ix,
|
||||||
|
/var/ r,
|
||||||
|
/var/lib/ r,
|
||||||
|
/var/lib/forgejo/ r,
|
||||||
|
/var/lib/forgejo/.local/** rw,
|
||||||
/var/lib/forgejo/.ssh/ rw,
|
/var/lib/forgejo/.ssh/ rw,
|
||||||
/var/lib/forgejo/.ssh/* rw,
|
/var/lib/forgejo/.ssh/* rw,
|
||||||
/var/lib/forgejo/.local/** rw,
|
|
||||||
|
|
||||||
# for writing access log file
|
|
||||||
/var/log/forgejo/ rw,
|
/var/log/forgejo/ rw,
|
||||||
/var/log/forgejo/access.log rw,
|
/var/log/forgejo/access.log rw,
|
||||||
/var/log/forgejo/access.log.* w,
|
/var/log/forgejo/access.log.* w,
|
||||||
/var/log/forgejo/doctors-* rw,
|
/var/log/forgejo/doctors-* rw,
|
||||||
|
@{PROC}/sys/net/core/somaxconn r,
|
||||||
|
owner /etc/forgejo/conf/app.ini w,
|
||||||
|
owner /tmp/forgejo** rwl,
|
||||||
|
owner /tmp/index* rw,
|
||||||
|
owner /tmp/patch* rw,
|
||||||
|
owner /usr/share/forgejo/** rw,
|
||||||
|
owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
|
||||||
|
owner /var/lib/forgejo/data/forgejo-repositories/** rwlk,
|
||||||
|
owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
|
||||||
|
owner /var/lib/forgejo/https/** rwlk,
|
||||||
|
owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
|
||||||
|
owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
|
||||||
|
owner /var/log/forgejo/gitea.log w,
|
||||||
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
|
owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
|
||||||
include if exists <local/usr.bin.forgejo>
|
|
||||||
}
|
}
|
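Review bot: The rewritten profile (the side using `include` without `#`, which appears to be the new one) is broader than the profile it replaces in ways that weaken confinement. `include <abstractions/opencl-pocl>` pulls in an abstraction a Git forge has no evident need for, and `owner /usr/share/forgejo/** rw,` makes the whole static-content tree writable where the old profile granted `rw` only on `.gitconfig` and `.gitconfig.lock`, both of which are still listed separately. I would drop the OpenCL include and keep `/usr/share/forgejo/** r,` as the only rule for that tree. The new `/var/ r,`, `/var/lib/ r,` and `owner /var/log/forgejo/gitea.log w,` rules look like learned-from-logs additions and deserve a one-line comment each saying why they are needed. The section comments that were removed should come back too, in particular the note that `owner /etc/forgejo/conf/app.ini w,` is only needed for initial setup and can be tightened afterwards.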
@ -1,3 +1,44 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Aug 9 21:25:45 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
|
||||||
|
|
||||||
|
- update to 8.0.1:
|
||||||
|
* A change introduced in Forgejo v1.21 allows a Forgejo user with write
|
||||||
|
permission on a repository description to inject a client-side script into
|
||||||
|
the web page viewed by the visitor. This XSS allows for href in anchor
|
||||||
|
elements to be set to a javascript: URI in the repository description,
|
||||||
|
which will execute the specified script upon clicking (and not upon
|
||||||
|
loading). AllowStandardURLs is now called for the repository description
|
||||||
|
policy, which ensures that URIs in anchor elements are mailto:, http://
|
||||||
|
or https:// and thereby disallowing the javascript: URI.
|
||||||
|
* Do not include trailing EOL character when counting lines
|
||||||
|
* Add background to reactions on hover
|
||||||
|
* Prevent uppercase in header of dashboard context selector
|
||||||
|
* Fix page layout in admin settings
|
||||||
|
* Ensure all filters are persistent in issue filters
|
||||||
|
* Allow 4 charachter SHA in /src/commit
|
||||||
|
- update to 8.0.0:
|
||||||
|
full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
|
||||||
|
|
||||||
|
Highlights:
|
||||||
|
* remove Microsoft SQL Server support
|
||||||
|
* introduce a branch/tag dropdown in the code search page
|
||||||
|
* added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
|
||||||
|
* API endpoints for managing tag protection.
|
||||||
|
* add Reviewed-on and Reviewed-by variables to the merge template
|
||||||
|
* display an error when an issue comment is edited simultaneously by
|
||||||
|
two users instead of silently overriding one of them
|
||||||
|
* when installing Forgejo through the built-in installer, open
|
||||||
|
(self-) registration is now disabled by default
|
||||||
|
* add support for the reddit and Hubspot OAuth providers.
|
||||||
|
* CERT management was improved when ENABLE_ACME=true
|
||||||
|
* language detection in the repository got additional languages
|
||||||
|
* add an immutable tarball link to archive download headers for Nix
|
||||||
|
* Show the AGit label on merged pull requests
|
||||||
|
- fix apparmor profile
|
||||||
|
- set sqlite3 as the default installation database
|
||||||
|
- add a rule for firewalld
|
||||||
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Aug 9 18:13:59 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
|
Fri Aug 9 18:13:59 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
|
||||||
|
|
||||||
|
6
forgejo.firewalld
Normal file
6
forgejo.firewalld
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<service>
|
||||||
|
<short>Forgejo</short>
|
||||||
|
<description>Forgejo is a self-hostable forge. It was forked from gitea, and has the old UI style from GitHub.</description>
|
||||||
|
<port protocol="tcp" port="3000"/>
|
||||||
|
</service>
|
56
forgejo.sh
56
forgejo.sh
@ -1,56 +0,0 @@
|
|||||||
#!/bin/sh -e
|
|
||||||
|
|
||||||
DIRNAME=`dirname $0`
|
|
||||||
cd $DIRNAME
|
|
||||||
USAGE="$0 [ --update ]"
|
|
||||||
if [ `id -u` != 0 ]; then
|
|
||||||
echo 'You must be root to run this script'
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $# -eq 1 ]; then
|
|
||||||
if [ "$1" = "--update" ] ; then
|
|
||||||
time=`ls -l --time-style="+%x %X" forgejo.te | awk '{ printf "%s %s", $6, $7 }'`
|
|
||||||
rules=`ausearch --start $time -m avc --raw -se forgejo`
|
|
||||||
if [ x"$rules" != "x" ] ; then
|
|
||||||
echo "Found avc's to update policy with"
|
|
||||||
echo -e "$rules" | audit2allow -R
|
|
||||||
echo "Do you want these changes added to policy [y/n]?"
|
|
||||||
read ANS
|
|
||||||
if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
|
|
||||||
echo "Updating policy"
|
|
||||||
echo -e "$rules" | audit2allow -R >> forgejo.te
|
|
||||||
# Fall though and rebuild policy
|
|
||||||
else
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "No new avcs found"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo -e $USAGE
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
elif [ $# -ge 2 ] ; then
|
|
||||||
echo -e $USAGE
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Building and Loading Policy"
|
|
||||||
set -x
|
|
||||||
make -f /usr/share/selinux/devel/Makefile forgejo.pp || exit
|
|
||||||
/usr/sbin/semodule -i forgejo.pp
|
|
||||||
|
|
||||||
# Generate a man page of the installed module
|
|
||||||
sepolicy manpage -p . -d forgejo_t
|
|
||||||
# Fixing the file context on /usr/bin/forgejo
|
|
||||||
/sbin/restorecon -F -R -v /usr/bin/forgejo
|
|
||||||
# Fixing the file context on /var/log/forgejo
|
|
||||||
/sbin/restorecon -F -R -v /var/log/forgejo
|
|
||||||
# Fixing the file context on /var/lib/forgejo
|
|
||||||
/sbin/restorecon -F -R -v /var/lib/forgejo
|
|
||||||
# Generate a rpm package for the newly generated policy
|
|
||||||
|
|
||||||
pwd=$(pwd)
|
|
||||||
rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba forgejo_selinux.spec
|
|
44
forgejo.spec
44
forgejo.spec
@ -30,7 +30,7 @@
|
|||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
Name: forgejo
|
Name: forgejo
|
||||||
Version: 7.0.7
|
Version: 8.0.1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Self-hostable forge
|
Summary: Self-hostable forge
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -42,14 +42,13 @@ Source2: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xeb114f5e6
|
|||||||
Source3: package-lock.json
|
Source3: package-lock.json
|
||||||
Source4: node_modules.spec.inc
|
Source4: node_modules.spec.inc
|
||||||
%include %{_sourcedir}/node_modules.spec.inc
|
%include %{_sourcedir}/node_modules.spec.inc
|
||||||
Source5: node_modules.sums
|
Source5: %{name}.service
|
||||||
Source6: %{name}.service
|
Source6: %{name}.sysusers
|
||||||
Source7: %{name}.sysusers
|
Source7: %{name}.fc
|
||||||
Source8: %{name}.fc
|
Source8: %{name}.if
|
||||||
Source9: %{name}.if
|
Source9: %{name}.te
|
||||||
Source10: %{name}.sh
|
Source10: %{name}.apparmor
|
||||||
Source11: %{name}.te
|
Source11: %{name}.firewalld
|
||||||
Source12: apparmor-usr.bin.%{name}
|
|
||||||
Source99: get-sources.sh
|
Source99: get-sources.sh
|
||||||
Patch0: custom-app.ini.patch
|
Patch0: custom-app.ini.patch
|
||||||
BuildRequires: golang-packaging
|
BuildRequires: golang-packaging
|
||||||
@ -61,6 +60,8 @@ BuildRequires: npm-default
|
|||||||
%else
|
%else
|
||||||
BuildRequires: nodejs-packaging
|
BuildRequires: nodejs-packaging
|
||||||
%endif
|
%endif
|
||||||
|
BuildRequires: firewall-macros
|
||||||
|
BuildRequires: firewalld
|
||||||
BuildRequires: local-npm-registry
|
BuildRequires: local-npm-registry
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: systemd-rpm-macros
|
BuildRequires: systemd-rpm-macros
|
||||||
@ -68,6 +69,7 @@ BuildRequires: sysuser-tools
|
|||||||
Requires: git-core
|
Requires: git-core
|
||||||
Requires: git-lfs
|
Requires: git-lfs
|
||||||
Requires: (%{name}-apparmor if apparmor-abstractions)
|
Requires: (%{name}-apparmor if apparmor-abstractions)
|
||||||
|
Requires: (%{name}-firewalld if firewalld)
|
||||||
Requires: (%{name}-selinux if selinux-policy-targeted)
|
Requires: (%{name}-selinux if selinux-policy-targeted)
|
||||||
%if %{with apparmor}
|
%if %{with apparmor}
|
||||||
BuildRequires: apparmor-abstractions
|
BuildRequires: apparmor-abstractions
|
||||||
@ -81,6 +83,13 @@ BuildRequires: selinux-policy-devel
|
|||||||
%{systemd_requires}
|
%{systemd_requires}
|
||||||
%{sysusers_requires}
|
%{sysusers_requires}
|
||||||
|
|
||||||
|
%package firewalld
|
||||||
|
Summary: Firewalld profile for %{name}
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
|
%description firewalld
|
||||||
|
This package adds a firewalld service profile to %{name}
|
||||||
|
|
||||||
%if %{with apparmor}
|
%if %{with apparmor}
|
||||||
%package apparmor
|
%package apparmor
|
||||||
Summary: Apparmor profile for %{name}
|
Summary: Apparmor profile for %{name}
|
||||||
@ -111,7 +120,7 @@ Providing Git hosting for your project, friends, company or community? Forgejo (
|
|||||||
local-npm-registry %{_sourcedir} install --also=dev
|
local-npm-registry %{_sourcedir} install --also=dev
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%sysusers_generate_pre %{SOURCE7} %{name} %{name}.conf
|
%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
|
||||||
export EXTRA_GOFLAGS="-buildmode=pie -mod=vendor"
|
export EXTRA_GOFLAGS="-buildmode=pie -mod=vendor"
|
||||||
export TAGS="bindata timetzdata sqlite sqlite_unlock_notify"
|
export TAGS="bindata timetzdata sqlite sqlite_unlock_notify"
|
||||||
%make_build build
|
%make_build build
|
||||||
@ -126,12 +135,12 @@ install -d %{buildroot}%{_sysconfdir}/%{name}
|
|||||||
install -d %{buildroot}%{_localstatedir}/log/%{name}
|
install -d %{buildroot}%{_localstatedir}/log/%{name}
|
||||||
install -D -m 0644 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
|
install -D -m 0644 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
|
||||||
install -D -m 0755 %{_builddir}/%{name}-src-%{version}/gitea %{buildroot}%{_bindir}/%{name}
|
install -D -m 0755 %{_builddir}/%{name}-src-%{version}/gitea %{buildroot}%{_bindir}/%{name}
|
||||||
install -D -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/%{name}.service
|
install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/%{name}.service
|
||||||
install -D -m 0644 %{SOURCE7} %{buildroot}%{_sysusersdir}/%{name}.conf
|
install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
|
||||||
|
|
||||||
%if %{with apparmor}
|
%if %{with apparmor}
|
||||||
install -d %{buildroot}%{_sysconfdir}/apparmor.d
|
install -d %{buildroot}%{_sysconfdir}/apparmor.d
|
||||||
install -Dm0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
|
install -Dm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{with selinux}
|
%if %{with selinux}
|
||||||
@ -141,12 +150,18 @@ install -Dm0644 %{name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{na
|
|||||||
install -Dm0644 %{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
|
install -Dm0644 %{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
#firewalld service file
|
||||||
|
install -D -m 0644 %{SOURCE11} %{buildroot}%{_prefix}/lib/firewalld/services/%{name}.xml
|
||||||
|
|
||||||
%pre -f %{name}.pre
|
%pre -f %{name}.pre
|
||||||
%service_add_pre %{name}.service
|
%service_add_pre %{name}.service
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%service_add_post %{name}.service
|
%service_add_post %{name}.service
|
||||||
|
|
||||||
|
%post firewalld
|
||||||
|
%firewalld_reload
|
||||||
|
|
||||||
%if %{with apparmor}
|
%if %{with apparmor}
|
||||||
%post apparmor
|
%post apparmor
|
||||||
%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{name}
|
%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{name}
|
||||||
@ -198,4 +213,7 @@ semodule -r %{name} 2>/dev/null || :
|
|||||||
%{_datadir}/selinux/devel/include/distributed/%{name}.if
|
%{_datadir}/selinux/devel/include/distributed/%{name}.if
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%files firewalld
|
||||||
|
%config(noreplace) %{_prefix}/lib/firewalld/services/%{name}.xml
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
version https://git-lfs.github.com/spec/v1
|
||||||
oid sha256:f5ea0007b140d739de145225fce8a34d2e257d06891cdf39ca350e6bd3136236
|
oid sha256:b460b33350264ff646c4480d291e710828bff706703ef3e7da7991a692e22e54
|
||||||
size 185686620
|
size 276597904
|
||||||
|
File diff suppressed because it is too large
1001
node_modules.sums
1001
node_modules.sums
File diff suppressed because it is too large
4360
package-lock.json
generated
4360
package-lock.json
generated
File diff suppressed because it is too large