- Update to version 14.0.2:
* fix(ui): tippy menu styles too broad, affecting switch in PR review
* fix(ui): add missing translation for code search when keyword is empty string
* fix(ui): improve force-push layout alignment
* feat: enable SQLite WAL by default
* fix: allow test delivery for webhooks not enabled for push events
* fix: empty dynamic matrix can leave action run hanging incomplete
* Fix not decreasing watch count when blocking user
* fix: don't clobber authorized_keys file during installation
* fix(api): default new release 'title' field to label name, if not provided
* fix: remove infinite loop in UpdateRunJobWithoutNotification when run in transaction
* feat: strip newlines on og image rendering
* fix: don't return AdditionalTasks from FetchTask if there is no Task
* fix: use ALTER TABLE in SQLite DropTableColumns(), allowing unexpected
database sources to work better in migrations
* fix: migrations/github: avoid getting the first issues page twice
* fix NewMockWebServer(): Headers never reached the http client
* fix: migrations/github: Wait & retry when primary rate limit is hit
* fix: detect renames when using diff-tree
- Update to version 14.0.1:
* fix: use strict-origin as referrer policy
* fix: make concurrency group job cancellation effect runs that are failed
* fix: recreate-tables doesn't work on PostgreSQL with multiple Forgejo schemas
- Update to version 14.0.0:
* new feature: ssh managed by forgejo now breaks startup, if an unexpected key
is being found, can be overridden with
[server].SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS = true in their app.ini file
* CSRF attacks are now prevented via a stateless method
* fix!: paginate GET /api/v1/admin/hooks response
* fix!: Prevent forked .profile repositories from displaying profile content
OBS-URL: https://build.opensuse.org/request/show/1330153
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=90
- Update to version 13.0.3:
* fix dependency repo perms in Create/RemoveIssueDependency
* draft releases could be read before being published
* misconfigured security checks on tag delete web form
* incorrect logic in "Update PR" did not enforce head branch protection rules
correctly
* issue owner can delete another user's comment's edit history on same issue
* tag protection rules can be bypassed during tag delete operation
* fix: support git clone when /tmp has noexec
* fix: get new session from enginegroup instead of masterengine
* fix: endless redirection loop between /user/settings/change_password and
/user/settings/security
* fix(alt): handle package names with dots in ALT repository
* fix: pull request review comment position
* fix: less restrictive matrix room_id pattern
* fix: add required headers to Pagure migration
* fix: prevent orgs from being added as members of orgs
* fix(api): set all hook event types
* fix: don't show ConEmu OSC escape sequences
* fix: set tag message on tag addition
* fix: construct project links in timeline better
- remove patches fix-CVE-2025-47911.patch and fix-CVE-2025-58190.patch,
fixed upstream (forwarded request 1321396 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1321397
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=39
- Update to version 13.0.3:
* fix dependency repo perms in Create/RemoveIssueDependency
* draft releases could be read before being published
* misconfigured security checks on tag delete web form
* incorrect logic in "Update PR" did not enforce head branch protection rules
correctly
* issue owner can delete another user's comment's edit history on same issue
* tag protection rules can be bypassed during tag delete operation
* fix: support git clone when /tmp has noexec
* fix: get new session from enginegroup instead of masterengine
* fix: endless redirection loop between /user/settings/change_password and
/user/settings/security
* fix(alt): handle package names with dots in ALT repository
* fix: pull request review comment position
* fix: less restrictive matrix room_id pattern
* fix: add required headers to Pagure migration
* fix: prevent orgs from being added as members of orgs
* fix(api): set all hook event types
* fix: don't show ConEmu OSC escape sequences
* fix: set tag message on tag addition
* fix: construct project links in timeline better
- remove patches fix-CVE-2025-47911.patch and fix-CVE-2025-58190.patch,
fixed upstream
OBS-URL: https://build.opensuse.org/request/show/1321396
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=88
- Update to version 13.0.2:
* Vulnerability (Critical): prevent writing to out-of-repo symlink
destinations while evaluating template repos
* Vulnerability (Medium): prevent .forgejo/template from being out-of-repo
content
* Vulnerability (Medium): return on error if an LFS token cannot be parsed
* Vulnerability (Low): prevent commit API from leaking user's hidden email
address on valid GPG signed commits (forwarded request 1313898 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1313899
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=38
- Update to version 13.0.2:
* Vulnerability (Critical): prevent writing to out-of-repo symlink
destinations while evaluating template repos
* Vulnerability (Medium): prevent .forgejo/template from being out-of-repo
content
* Vulnerability (Medium): return on error if an LFS token cannot be parsed
* Vulnerability (Low): prevent commit API from leaking user's hidden email
address on valid GPG signed commits
OBS-URL: https://build.opensuse.org/request/show/1313898
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=86
- Update to version 13.0.1:
User Interface bug fixes:
* fix: Use scrollHeight for rendered iframe if offsetHeight is
unavailable
Bug fixes:
* fix: db.Iterate can miss records, can return records twice
which caused a data corruption of the secret table in v13.0.0
* fix: release email links
- Changes in 13.0.0:
Security features:
* Add configurable global 2FA enforcement
* migrate action secrets to keying to store them more securely
Breaking features:
* bump the minimum required Git version from 2.0.0 to 2.34.1
* Forgejo Actions workflows are verified with a YAML schema and
common errors such as using an incorrect context
(e.g. ${{ badcontext.FORGEJO_REPOSITORY }}) or a typo in a
required keyword (e.g. ruins-on: instead of runs-on:) will be
reported in the action page and the web page that displays the
file in the repository. It is recommended to verify existing
workflows are successfully verified prior to upgrading,
as explained in the Forgejo runner release notes.
Breaking bug fixes:
* The artifact-url ouput returned by the upload-artifact@v4
action can be used to download the artifact. It was previously
404. To implement this compatibility fix, the web UI URL to
download artifacts
(i.e. /{owner}/{repo}/actions/runs/{run_id}/artifacts/{artifact_name})
now relies on an identifier that is unique accross the
instance. URLs to download artifacts that were bookmarked or
copied prior to this change use an id relative to the
repository and will no longer work. It previously was
/{owner}/{repo}/actions/runs/{run_index}/artifacts/{artifact_name},
note the difference between {run_id} and {run_index}.
The new URL can be obtained again by visiting the parent page,
which still uses the relative id
(/{owner}/{repo}/actions/runs/{run_index}).
User Interface features:
* ability to view previous logs for Actions runs that have been
retried
* show CI status on force-pushes
* improve org header with new noJS dropdown and more
options
* improve multiline file preview and anchor detection
* render ordered checkbox lists with numbers
* Admin interface for abuse reports
* show timestamp on release attachments
* add tag label to commit list view
* support Markdown editor bold & italic keyboard shortcuts
* improve rendering commit links for PR commits,
external repos and diffs
* add links to assigners in issue comments
* use simplified visibility label in dashboard orgs
list
* improve custom emojis
* improve the global noJS notice
* improve display of repo topics
* add links to review request targets in issue comments
* improve subscriptions screen filters
* implement hover for switch
* Pretty-print commit counts and other numbers
User Interface bug fixes:
* add markup class to project descriptions
* make releases filtering responsive
* reworked file preview placement towards better HTML validity
* fix alignment of items in tag signature
* unescape file names in commit hash links
* visually distinguish the branch name in action description
* preserved 'Custom access' even after no permissions
* show participants in mention suggestions in pr review
* apply background color to wiki content
* improve signature box responsiveness
* ignore existence of commits for force pushes
* make unicode escape work in wiki
* prevent initial 'blank' display of action logs view,
remove unnecessary API calls
* don't allow comment boxes to stretch outside diff boundries
on small device UI
* hide edit button on tag releases, improve ghost user display,
fix tag signature banner
* resolved 500 error upon clicking 'Clear milestone' button when
there's no milestones available in Issue page
* compare branches even with pull requests disabled
Features:
* Uploaded avatar images can sometimes contain unexpected
metadata such as the location where the image was created,
or the device the image was created with, stored in a format
called EXIF. Forgejo now removes EXIF data when custom user and
repository images are uploaded in order to reduce the risk of
personally identifiable information being leaked unexpectedly.
A new CLI subcommand forgejo doctor avatar-strip-exif can be
used to strip EXIF information from all existing avatars; we
recommend that administrators run this command once after
upgrade in order to minimize this risk for existing stored
files.
* assorted ActivityPub code only refactors
* feat(logger): rename settings for consistency and remove
obsolete settings
* Bring "remove a label from issue" API in line with GitHub
equivalent
* reject password reset attempts for OAuth2 users without a
current password
* feat(log): better parseable and configurable ssh-logs
* add configurable timeout for automatically removing resolved
reports
* Add support for migrating from Pagure
* add _URI entries for mail config
* Improved signature handling & instance actor
* Sent user activities to distant federated server
* Add ActivityPub Person follow from distant
* chore: remove goroutine PID logging
* git/blob: GetContentBase64 with fewer allocations and no
goroutine
* make API pull and compare endpoint references to head more
robust
* git/commit: re-implement submodules file reader
* add EXCLUSION to logging mode
* add sort parameter for users/search api endpoint
* Allow converting mirror repos to normal through the API
* update broken git hook error
* avoid expensive SQL for org home
* make upload URL compatible with GitHub API
* allow more README formats for .profile
* AGit push options starting with {base64} are decoded
* search in the docs directory for issue and pull request
templates
* improve checking if diffs differ
* enable H2C for the HTTP server
* detect Interlisp sources as text
* add option to allow non-local users to change usernames
* chroma: 5d56970 Add uv.lock to TOML lexer
* chroma: a53c924 create Lexer for Nu
* chroma: abe0195 create lexer for lox
* chroma: f3be4c6 create lexer for Gemtext
* chroma: acd21c6 add aspect-ratio property to css.xml
* chroma: d0ad679 improve Go lexer
* Introduce global Merge Message Templates
* chroma: 970eacc add MoonScript lexer
* chroma: bc60826 add Core lexer
* push mirror to have option to only push selected branches
* if OAuth2 is disabled return 'Not found' for openid
configuration
* add --attribute-ssh-pubic-key to forgejo admin auth add-oauth
and update-oauth CLI
* feat(ui): add repository description to og:image:alt
Bug fixes:
* quota evaluation rules not working properly
* artifacts can be downloaded using their id instead of their
name
* fix: failure to parse on block results in unconditional
workflow execution
* Fix invisible iframes with RENDER_CONTENT_MODE=iframe
* fix: package cleaned rule fails if the keep count is too high
* prevent user-entered text with | characters from being
truncated in activity feed
* PR review dismissals were not appearing in activity feed
* comment starting with a mermaid block displays error in
activity feed
* Markdown: generate unique per comment HTML IDs for footnotes
and headers
* very long commit messages cause pushed commits to fail to
display on the action feed on MySQL
* parse extra weird tree mode value
* respect UI DEFAULT_SHOW_FULL_NAME setting in email
From: headers
* check target repo limit instead of user repo limit
* enable multi-line math equations in wiki
* Actions log view stops refreshing after the displayed job is
finished, even if other jobs are still running
* standardize truncation of user-entered comment text in
activity feed
* allow Actions tokens to access repos readable by signed in
users
* allow Forgejo Actions environment variables starting with CI
* chroma: 1ca24c9 correct lexing AS keyword for docker
* chroma: 1f48e65 markdown: don't delegate to HTML lexer
* chroma: dfb2819 Fixed ObjectPascal comment issue
* chroma: 2c20473 RPGLE: various lexer & style fixes
* chroma: c803d79 zig: detect zig object notation files as zig
* chroma: ffedbf4 kotlin: detect kotlin script files as kotlin (forwarded request 1312199 from mia)
OBS-URL: https://build.opensuse.org/request/show/1312210
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=37
- Update to version 13.0.1:
User Interface bug fixes:
* fix: Use scrollHeight for rendered iframe if offsetHeight is
unavailable
Bug fixes:
* fix: db.Iterate can miss records, can return records twice
which caused a data corruption of the secret table in v13.0.0
* fix: release email links
- Changes in 13.0.0:
Security features:
* Add configurable global 2FA enforcement
* migrate action secrets to keying to store them more securely
Breaking features:
* bump the minimum required Git version from 2.0.0 to 2.34.1
* Forgejo Actions workflows are verified with a YAML schema and
common errors such as using an incorrect context
(e.g. ${{ badcontext.FORGEJO_REPOSITORY }}) or a typo in a
required keyword (e.g. ruins-on: instead of runs-on:) will be
reported in the action page and the web page that displays the
file in the repository. It is recommended to verify existing
workflows are successfully verified prior to upgrading,
as explained in the Forgejo runner release notes.
Breaking bug fixes:
* The artifact-url ouput returned by the upload-artifact@v4
action can be used to download the artifact. It was previously
404. To implement this compatibility fix, the web UI URL to
download artifacts
(i.e. /{owner}/{repo}/actions/runs/{run_id}/artifacts/{artifact_name})
now relies on an identifier that is unique accross the
instance. URLs to download artifacts that were bookmarked or
copied prior to this change use an id relative to the
repository and will no longer work. It previously was
/{owner}/{repo}/actions/runs/{run_index}/artifacts/{artifact_name},
note the difference between {run_id} and {run_index}.
The new URL can be obtained again by visiting the parent page,
which still uses the relative id
(/{owner}/{repo}/actions/runs/{run_index}).
User Interface features:
* ability to view previous logs for Actions runs that have been
retried
* show CI status on force-pushes
* improve org header with new noJS dropdown and more
options
* improve multiline file preview and anchor detection
* render ordered checkbox lists with numbers
* Admin interface for abuse reports
* show timestamp on release attachments
* add tag label to commit list view
* support Markdown editor bold & italic keyboard shortcuts
* improve rendering commit links for PR commits,
external repos and diffs
* add links to assigners in issue comments
* use simplified visibility label in dashboard orgs
list
* improve custom emojis
* improve the global noJS notice
* improve display of repo topics
* add links to review request targets in issue comments
* improve subscriptions screen filters
* implement hover for switch
* Pretty-print commit counts and other numbers
User Interface bug fixes:
* add markup class to project descriptions
* make releases filtering responsive
* reworked file preview placement towards better HTML validity
* fix alignment of items in tag signature
* unescape file names in commit hash links
* visually distinguish the branch name in action description
* preserved 'Custom access' even after no permissions
* show participants in mention suggestions in pr review
* apply background color to wiki content
* improve signature box responsiveness
* ignore existence of commits for force pushes
* make unicode escape work in wiki
* prevent initial 'blank' display of action logs view,
remove unnecessary API calls
* don't allow comment boxes to stretch outside diff boundries
on small device UI
* hide edit button on tag releases, improve ghost user display,
fix tag signature banner
* resolved 500 error upon clicking 'Clear milestone' button when
there's no milestones available in Issue page
* compare branches even with pull requests disabled
Features:
* Uploaded avatar images can sometimes contain unexpected
metadata such as the location where the image was created,
or the device the image was created with, stored in a format
called EXIF. Forgejo now removes EXIF data when custom user and
repository images are uploaded in order to reduce the risk of
personally identifiable information being leaked unexpectedly.
A new CLI subcommand forgejo doctor avatar-strip-exif can be
used to strip EXIF information from all existing avatars; we
recommend that administrators run this command once after
upgrade in order to minimize this risk for existing stored
files.
* assorted ActivityPub code only refactors
* feat(logger): rename settings for consistency and remove
obsolete settings
* Bring "remove a label from issue" API in line with GitHub
equivalent
* reject password reset attempts for OAuth2 users without a
current password
* feat(log): better parseable and configurable ssh-logs
* add configurable timeout for automatically removing resolved
reports
* Add support for migrating from Pagure
* add _URI entries for mail config
* Improved signature handling & instance actor
* Sent user activities to distant federated server
* Add ActivityPub Person follow from distant
* chore: remove goroutine PID logging
* git/blob: GetContentBase64 with fewer allocations and no
goroutine
* make API pull and compare endpoint references to head more
robust
* git/commit: re-implement submodules file reader
* add EXCLUSION to logging mode
* add sort parameter for users/search api endpoint
* Allow converting mirror repos to normal through the API
* update broken git hook error
* avoid expensive SQL for org home
* make upload URL compatible with GitHub API
* allow more README formats for .profile
* AGit push options starting with {base64} are decoded
* search in the docs directory for issue and pull request
templates
* improve checking if diffs differ
* enable H2C for the HTTP server
* detect Interlisp sources as text
* add option to allow non-local users to change usernames
* chroma: 5d56970 Add uv.lock to TOML lexer
* chroma: a53c924 create Lexer for Nu
* chroma: abe0195 create lexer for lox
* chroma: f3be4c6 create lexer for Gemtext
* chroma: acd21c6 add aspect-ratio property to css.xml
* chroma: d0ad679 improve Go lexer
* Introduce global Merge Message Templates
* chroma: 970eacc add MoonScript lexer
* chroma: bc60826 add Core lexer
* push mirror to have option to only push selected branches
* if OAuth2 is disabled return 'Not found' for openid
configuration
* add --attribute-ssh-pubic-key to forgejo admin auth add-oauth
and update-oauth CLI
* feat(ui): add repository description to og:image:alt
Bug fixes:
* quota evaluation rules not working properly
* artifacts can be downloaded using their id instead of their
name
* fix: failure to parse on block results in unconditional
workflow execution
* Fix invisible iframes with RENDER_CONTENT_MODE=iframe
* fix: package cleaned rule fails if the keep count is too high
* prevent user-entered text with | characters from being
truncated in activity feed
* PR review dismissals were not appearing in activity feed
* comment starting with a mermaid block displays error in
activity feed
* Markdown: generate unique per comment HTML IDs for footnotes
and headers
* very long commit messages cause pushed commits to fail to
display on the action feed on MySQL
* parse extra weird tree mode value
* respect UI DEFAULT_SHOW_FULL_NAME setting in email
From: headers
* check target repo limit instead of user repo limit
* enable multi-line math equations in wiki
* Actions log view stops refreshing after the displayed job is
finished, even if other jobs are still running
* standardize truncation of user-entered comment text in
activity feed
* allow Actions tokens to access repos readable by signed in
users
* allow Forgejo Actions environment variables starting with CI
* chroma: 1ca24c9 correct lexing AS keyword for docker
* chroma: 1f48e65 markdown: don't delegate to HTML lexer
* chroma: dfb2819 Fixed ObjectPascal comment issue
* chroma: 2c20473 RPGLE: various lexer & style fixes
* chroma: c803d79 zig: detect zig object notation files as zig
* chroma: ffedbf4 kotlin: detect kotlin script files as kotlin
OBS-URL: https://build.opensuse.org/request/show/1312199
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=84
- update to version 12.0.4:
* Do not display the title of unsubscribed issues or pull requests in the
notification web page
* fix: package cleanup rules are not applied when there are more than 200
packages
* fix: [quota.default].TOTAL config setting supports unit suffixes
* fix: quotas double counting repo size when calculating size:all
* fix: LFS GC is never running because of a bug in the parsing of the INI file
* fix(api): set default pagination and Link header for repoListTags
* chore: build-release must close the cascading pull request
- update to version 12.0.3:
* Update dependency mermaid to v11.10.0 [SECURITY]
* fix(ui): clear fields when canceling adding ssh key
* fix(api): deactivate issue api for disabled or external issue-tracker
* fix: migration failing when importing either issues or PRs but not the other
* fix: do better parsing of file modes
* Update module github.com/ulikunitz/xz to v0.5.15
- update to version 12.0.2:
* fix: email comments are removed from email addresses
* fix: validate CSRF on non-safe methods All PUT/DELETE
* fix: use credential helpers for git clones When performing a git clone that
requires credentials
* fix: consistently enforce 2FA on OpenID 2.0
* fix: delete old auth token upon replacing primary email When the primary
email is changed before it is validated
* fix: require password login for creation of new token
* fix: ensure GetUserByEmail only considers validated emails
* fix: don't allow credentials in migrate/push mirror URL
* fix: only redirect to a new owner (organization or user) if the user has (forwarded request 1306119 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1306120
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=35
- update to version 12.0.4:
* Do not display the title of unsubscribed issues or pull requests in the
notification web page
* fix: package cleanup rules are not applied when there are more than 200
packages
* fix: [quota.default].TOTAL config setting supports unit suffixes
* fix: quotas double counting repo size when calculating size:all
* fix: LFS GC is never running because of a bug in the parsing of the INI file
* fix(api): set default pagination and Link header for repoListTags
* chore: build-release must close the cascading pull request
- update to version 12.0.3:
* Update dependency mermaid to v11.10.0 [SECURITY]
* fix(ui): clear fields when canceling adding ssh key
* fix(api): deactivate issue api for disabled or external issue-tracker
* fix: migration failing when importing either issues or PRs but not the other
* fix: do better parsing of file modes
* Update module github.com/ulikunitz/xz to v0.5.15
- update to version 12.0.2:
* fix: email comments are removed from email addresses
* fix: validate CSRF on non-safe methods All PUT/DELETE
* fix: use credential helpers for git clones When performing a git clone that
requires credentials
* fix: consistently enforce 2FA on OpenID 2.0
* fix: delete old auth token upon replacing primary email When the primary
email is changed before it is validated
* fix: require password login for creation of new token
* fix: ensure GetUserByEmail only considers validated emails
* fix: don't allow credentials in migrate/push mirror URL
* fix: only redirect to a new owner (organization or user) if the user has
OBS-URL: https://build.opensuse.org/request/show/1306119
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=80
- update to version 12.0.1:
* allow for tracked time to be removed again
* correct image source for quoted reply
* prevent render failure on faulty org settings post
* Revert "remove API authentication methods that uses the URL query"
* upgrade fails or hang at migration[31]: Migrate maven package
name concatenation
* make the action feed resilient to database inconsistencies
* make sure to use unaltered fields when saving a shadow copy
for updated profiles or comments
* follow symlinks for local assets
* use correct ACME default
- remove get-sources.sh, use obs tooling
- include apparmor in Leap 16
- update to version 12.0.0:
* remove API authentication methods that uses the URL query
* relax email requirements
* consider WebAuthn & SSH for instance signing
* add SSH signing support for instances
* forgejo docs command is deprecated
* remove the legacy TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY setting
* fail if sha is not provided to the POST
/repos/{owner}/{repo}/contents API endpoint
* transform fediverse handles
* add user visibility description in the settings page
* add model viewer for .glb (GLTF) model in file view
* show size constraints of custom avatar
* add links to milestones and projects in issue comments
* global styling for the kbd tag (forwarded request 1295900 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1295901
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=34
- update to version 12.0.1:
* allow for tracked time to be removed again
* correct image source for quoted reply
* prevent render failure on faulty org settings post
* Revert "remove API authentication methods that uses the URL query"
* upgrade fails or hang at migration[31]: Migrate maven package
name concatenation
* make the action feed resilient to database inconsistencies
* make sure to use unaltered fields when saving a shadow copy
for updated profiles or comments
* follow symlinks for local assets
* use correct ACME default
- remove get-sources.sh, use obs tooling
- include apparmor in Leap 16
- update to version 12.0.0:
* remove API authentication methods that uses the URL query
* relax email requirements
* consider WebAuthn & SSH for instance signing
* add SSH signing support for instances
* forgejo docs command is deprecated
* remove the legacy TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY setting
* fail if sha is not provided to the POST
/repos/{owner}/{repo}/contents API endpoint
* transform fediverse handles
* add user visibility description in the settings page
* add model viewer for .glb (GLTF) model in file view
* show size constraints of custom avatar
* add links to milestones and projects in issue comments
* global styling for the kbd tag
OBS-URL: https://build.opensuse.org/request/show/1295900
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=78
- update to 11.0.3:
* fixing git security vulnerability
* add missing lazy load attribute to images
* backport of translation updates
* do not ignore automerge while a PR is checking for conflicts
* user activation with uppercase email address
* collaborator can edit wiki with write access
* fix: corrupted wiki unit default permission
* fix: skip empty tokens in SearchOptions.Tokens()
* fix: make API /repos/{owner}/{repo}/compare/{basehead} work with forks
* fix(ui): release: name is overridden with tag name on edit
* Revert "fix(api): document is_system_webhook field (forwarded request 1291759 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1291760
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=33
- update to 11.0.3:
* fixing git security vulnerability
* add missing lazy load attribute to images
* backport of translation updates
* do not ignore automerge while a PR is checking for conflicts
* user activation with uppercase email address
* collaborator can edit wiki with write access
* fix: corrupted wiki unit default permission
* fix: skip empty tokens in SearchOptions.Tokens()
* fix: make API /repos/{owner}/{repo}/compare/{basehead} work with forks
* fix(ui): release: name is overridden with tag name on edit
* Revert "fix(api): document is_system_webhook field
OBS-URL: https://build.opensuse.org/request/show/1291759
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=76
- Update to 11.0.2:
* Features
- make Forgejo Actions server logs less noisy
* Bug fixes
- do not fail when release or wiki is set in /repos/migrate API
- ignore expired artifacts for quota calculation
- pull request cross references
- quote reply in Chromium
- fix: make hash pattern more strict
* Included for completeness but not worth a release note
- remove download attribute from external assets
- bleve to v2.5.2 with changes made in backport of 2.5.0
- show membership of limited orgs
- date dependency go to v1.24.3 (v11.0/forgejo)
- drop unused @typescript-eslint/parser package
- suppress non actionable XORM warnings
- aggregate deleted team as ghost team
- center footer links
- fix force-push compare line layout
- parse change-id in the git commit header
- Update module github.com/blevesearch/bleve/v2 to v2.5.1 (v11.0/forgejo) - abandoned
- improve force-push compare line layout
- Remove "create branch" button on mirrored repos
- Update module github.com/msteinert/pam/v2 to v2.1.0 (v11.0/forgejo)
- replace ß with ss in normalizeUserName
- document is_system_webhook field
- remove artificial delay for PR update
OBS-URL: https://build.opensuse.org/request/show/1286928
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=74
- update to 11.0.1:
* If LFS is enabled on a Forgejo instance with [server].LFS_START_SERVER =
true, it was possible for a registered user to upload LFS files to a
repository to which they only had read access.
* A user account with 2fa (two factor authentication) enrolled with a
security key was not enforced when using an external account
* fix: display the list of tasks in the runner edit page
* fix(ui): use gap in switch items
* fix(ui/pr): use eye icon for reviews
* fix(ui): rescope menu height patch to overflow menu
* fix(ui): show commit icon in branch dropdown button when viewing a commit
* i18n: backport of translation updates
* fix(i18n): prevent incorrect logging on strings missing in JSON locales
* chore: replace github.com/go-testfixtures/testfixtures
* fix: use linguist-generated for language stats
* chore: tune down remote user promotion debug message shown as error
* fix: set default restricted for OAuth2 user
* chore: merge tests.AddFixtures and unittest.OverrideFixtures
* fix(ui): make pagination labels always visible to screenreader
* fix: delay-write trace.dat for forgejo diagnosis
* Update module github.com/mattn/go-sqlite3 to v1.14.28 (v11.0/forgejo) (forwarded request 1274876 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1274877
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=29
- update to 11.0.1:
* If LFS is enabled on a Forgejo instance with [server].LFS_START_SERVER =
true, it was possible for a registered user to upload LFS files to a
repository to which they only had read access.
* A user account with 2fa (two factor authentication) enrolled with a
security key was not enforced when using an external account
* fix: display the list of tasks in the runner edit page
* fix(ui): use gap in switch items
* fix(ui/pr): use eye icon for reviews
* fix(ui): rescope menu height patch to overflow menu
* fix(ui): show commit icon in branch dropdown button when viewing a commit
* i18n: backport of translation updates
* fix(i18n): prevent incorrect logging on strings missing in JSON locales
* chore: replace github.com/go-testfixtures/testfixtures
* fix: use linguist-generated for language stats
* chore: tune down remote user promotion debug message shown as error
* fix: set default restricted for OAuth2 user
* chore: merge tests.AddFixtures and unittest.OverrideFixtures
* fix(ui): make pagination labels always visible to screenreader
* fix: delay-write trace.dat for forgejo diagnosis
* Update module github.com/mattn/go-sqlite3 to v1.14.28 (v11.0/forgejo)
OBS-URL: https://build.opensuse.org/request/show/1274876
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=67
- update to 11.0.0:
* add ability to regenerate access tokens
* drop SSPI auth support and more Windows files
* localize theme names
* improve incorrect ROOT_URL warning
* admin user view
* welcome screen for user dashboard
* improve "URL" handling in markdown editor
* display to maintainers in pull request when it is editable
* simplify pronouns in user settings
* split Forgejo landing page template to allow patching or removing Forgejo
introduction section
* set default release title to tag name
* add quota overview
* allow opening a single-file diff from file history view
* reduce noise in the timeline of issues and pull requests. If certain
timeline events are performed within a certain timeframe of each other with
no other events in between, they will be combined into a single timeline
event, and any contradictory actions will be canceled and not displayed.
The older the events, the wider the timeframe will become.
* i18n: make Danish available in UI
* Updates from Codeberg Translate
* Features
* return run_number in workflow dispatch
* add more sorting to own repository list
* add sort parameter to list issues API
* make it possible to track the progress of manually triggered workflows
* interpret Precedence: auto_reply as an auto reply
* parse multipart/related parts as attachments & guess filename
* added missing nuget V2 properties to API (forwarded request 1270596 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1270597
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=28
- update to 11.0.0:
* add ability to regenerate access tokens
* drop SSPI auth support and more Windows files
* localize theme names
* improve incorrect ROOT_URL warning
* admin user view
* welcome screen for user dashboard
* improve "URL" handling in markdown editor
* display to maintainers in pull request when it is editable
* simplify pronouns in user settings
* split Forgejo landing page template to allow patching or removing Forgejo
introduction section
* set default release title to tag name
* add quota overview
* allow opening a single-file diff from file history view
* reduce noise in the timeline of issues and pull requests. If certain
timeline events are performed within a certain timeframe of each other with
no other events in between, they will be combined into a single timeline
event, and any contradictory actions will be canceled and not displayed.
The older the events, the wider the timeframe will become.
* i18n: make Danish available in UI
* Updates from Codeberg Translate
* Features
* return run_number in workflow dispatch
* add more sorting to own repository list
* add sort parameter to list issues API
* make it possible to track the progress of manually triggered workflows
* interpret Precedence: auto_reply as an auto reply
* parse multipart/related parts as attachments & guess filename
* added missing nuget V2 properties to API
OBS-URL: https://build.opensuse.org/request/show/1270596
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=65
- update to 10.0.2:
* update of translations
* When migrating from a Forgejo version lower than v10, the TOTP secrets
found to be corrupted are now transparently removed
* replies to pending review comments no longer generate a notification
* consider public issues for project boards
* the rootless Forgejo image version label is not set
* do not allow SSH url for migration
* setting.Service.EnableInternalSignIn = false is disabling forgotten password
* show internal login prompt for account linking
* enable ssh mirrors in rootless Forgejo images
* render link in heading correctly in wiki TOC
* Update module github.com/redis/go-redis/v9
* fix: consider issues in repository accessible via access table
* fix(api): miss-spelled description, corrected to public
* fix: revert issue rendering for <a> element
* chore(ci): ensure the manually cached Go can be run
* chore(ci): Get Go binary from GOROOT instead of hardcoded path
* fix: return 404 for empty repositories
* fix: delay deleting authorization token
* fix: native parsing of ssh certificate key
* fix(ui): hide extra PR property labels on title edit
* fix: always set stripped slashes on http request
* fix(ui): hide 'New migration' button on org pages with migrations disabled
* ui: update language stats layout and click behavior
* Update dependency go to v1.23.6
- add patch fix-CVE-2025-22869.patch, fixing bsc#1239488, bsc#1239276, bsc#1234574
OBS-URL: https://build.opensuse.org/request/show/1255088
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=60
- move permissions of the log dir and the data dir
from forgejo:forgejo u=rwX,g=rwX,o=
to forgejo:forgejo u=rwX,g=rX,o=
- update apparmor profile to a profile that is less broad.
- create all directories before actually installing files
- make the HOME dir in the service file the same as the user
- migrate existing authorized keys files
from %{_datadir}/%{name}/.ssh/authorized_keys
to %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys
- fix file list to lock down permissions more
- don't require the apparmor subpackage when apparmor is installed
the current profile is rather bad and it should be possible to
keep it out.
- user should actually use /var/lib/forgejo/data/home
OBS-URL: https://build.opensuse.org/request/show/1251907
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=53
- update to 10.0.1:
* Verify the ID of Forgejo Actions web endpoints belongs to the repository to
prevent the deletion of runners or variables or the modification of
variables
* Enforce permissions on publicly available user or organizations projects to
not leak information from issues and pull requests that belong to private
repositories
* fix(ui): display verified icon for default gpg key
* fix: load settings for valid user and email check
* Teach the doctor to remove orphaned two_factor with forgejo doctor check --run check-db-consistency --fix
* fix: listing tokens must not require basic auth
OBS-URL: https://build.opensuse.org/request/show/1244415
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=51
- update to 10.0.0:
full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/10.0.0.md
* Fix and refactor markdown rendering
* migrate TOTP secrets to keying
* Ensure source_id parameter is not skipped when set to 0 and correctly
filter users in /api/v1/admin/users endpoint
* Rework user profile settings
* Rework new repository dialog
* Show repository size on mobile
* Add links to commit lists in contributors graph page
* Add copy path button to file view
* Put issue actions in a single row on mobile
* Don't display email in profile settings when hidden
* Highlight user mention in comments and commit messages
* When bleve is used for issue search, a fuzzy search now applies to each
word instead of all of them, as if they were a phrase
* Add search to releases page
* Combine review requests comments
* If you select a portion of a comment and use the 'Quote reply' feature in
the context menu, only that portion will be quoted
* Set "your repositories" as the default filter for org dashboards
* Add button to create a Markdown table in a comment
* Add a bullet symbol between author and committer
* Added link to show all Issues/PullRequests
* Fix Action log UI race condition that occasionally prevents logs from loading
* Fix wiki search overflowing on wide screens
* Move "forgot_password"-link to fix login tab order
* Update help links on page with no workflows
* Add Low German to list of default languages
* i18n: Add dummy language for checking translation keys (forwarded request 1238298 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1238299
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=21
- update to 10.0.0:
full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/10.0.0.md
* Fix and refactor markdown rendering
* migrate TOTP secrets to keying
* Ensure source_id parameter is not skipped when set to 0 and correctly
filter users in /api/v1/admin/users endpoint
* Rework user profile settings
* Rework new repository dialog
* Show repository size on mobile
* Add links to commit lists in contributors graph page
* Add copy path button to file view
* Put issue actions in a single row on mobile
* Don't display email in profile settings when hidden
* Highlight user mention in comments and commit messages
* When bleve is used for issue search, a fuzzy search now applies to each
word instead of all of them, as if they were a phrase
* Add search to releases page
* Combine review requests comments
* If you select a portion of a comment and use the 'Quote reply' feature in
the context menu, only that portion will be quoted
* Set "your repositories" as the default filter for org dashboards
* Add button to create a Markdown table in a comment
* Add a bullet symbol between author and committer
* Added link to show all Issues/PullRequests
* Fix Action log UI race condition that occasionally prevents logs from loading
* Fix wiki search overflowing on wide screens
* Move "forgot_password"-link to fix login tab order
* Update help links on page with no workflows
* Add Low German to list of default languages
* i18n: Add dummy language for checking translation keys
OBS-URL: https://build.opensuse.org/request/show/1238298
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=49
- update to 9.0.3:
* When Forgejo is configured to run the internal ssh server with
[server].START_SSH_SERVER=true, it was possible for a registered user to
impersonate another user
* Revert "allow synchronizing user status from OAuth2 login providers" Fix
* wiki search overflowing on wide screens Do not rewrite ssh keys files when
* deleting a user without one fix: doctor fails with pq: syntax error at or
* near "." whilst counting
Authorization token without existing User
* fix: Do not delete global Oauth2 applications Strict matching of allowed
* content for sanitizer for asciicast
and csv rendering
* fix: remove softbreak from github legacy callout fix: correct permission
* loading for limited organisation fix: clean up log files that no longer
* exist fix: return correct type in GetSubModule Improve Swagger documentation
* for user endpoints fix: normalize guessed languages from enry Show page
* titles in wiki search results fix(test): TestGitAttributeCheckerError must
* allow broken pipe fix: check read permissions for code owner review requests
* fix: use better code to group UID and stopwatches fix: api repo compare with
* commit hashes bug: correctly generate oauth2 jwt signing key
- disable gpg verification for this release (forwarded request 1230940 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1230941
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=20
- update to 9.0.3:
* When Forgejo is configured to run the internal ssh server with
[server].START_SSH_SERVER=true, it was possible for a registered user to
impersonate another user
* Revert "allow synchronizing user status from OAuth2 login providers" Fix
* wiki search overflowing on wide screens Do not rewrite ssh keys files when
* deleting a user without one fix: doctor fails with pq: syntax error at or
* near "." whilst counting
Authorization token without existing User
* fix: Do not delete global Oauth2 applications Strict matching of allowed
* content for sanitizer for asciicast
and csv rendering
* fix: remove softbreak from github legacy callout fix: correct permission
* loading for limited organisation fix: clean up log files that no longer
* exist fix: return correct type in GetSubModule Improve Swagger documentation
* for user endpoints fix: normalize guessed languages from enry Show page
* titles in wiki search results fix(test): TestGitAttributeCheckerError must
* allow broken pipe fix: check read permissions for code owner review requests
* fix: use better code to group UID and stopwatches fix: api repo compare with
* commit hashes bug: correctly generate oauth2 jwt signing key
- disable gpg verification for this release
OBS-URL: https://build.opensuse.org/request/show/1230940
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=47
- update to 9.0.2:
* it was possible to use a token sent via email for secondary email validation
to reset the password instead. In other words, a token sent for a given
action (registration, password reset or secondary email validation) could
be used to perform a different action.
* a fork of a public repository would show in the list of forks, even if its
owner was not a public user or organization.
* the members of an organization team with read access to a repository (e.g.
to read issues) but no read access to the code could read the RSS or atom
feeds which include the commit activity. Reading the RSS or atom feeds is
now denied unless the team has read permissions on the code.
* the tokens used when replying by email to issues or pull requests were
weaker than the rfc2104 recommendations.
* a registered user could modify the update frequency of any push mirror.
* it was possible to use basic authorization (i.e. user:password) for requests
to the API even when security keys were enrolled for a user.
* some markup sanitation rules were not as strong as they could be.
* when Forgejo is configured to enable instance wide search (e.g. with bleve),
results found in the repositories of private or limited users were displayed
to anonymous visitors.
* fix: handle renamed dependency for cargo registry.
* support www.github.com for migrations.
* move forgot_password-link to fix login tab order.
* code owners will not be mentioned when a pull request comes from a forked
repository.
* labels are missing in the pull request payload removing a label.
* in a Forgejo Actions workflow, the unlabeled event type for pull requests
was incorrectly mapped to the labeled event type.
* when a Forgejo Actions issue or pull request workflow is triggered by an
labeled or unlabeled event type, it misses information about the label added (forwarded request 1224536 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1224537
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=19
- update to 9.0.2:
* it was possible to use a token sent via email for secondary email validation
to reset the password instead. In other words, a token sent for a given
action (registration, password reset or secondary email validation) could
be used to perform a different action.
* a fork of a public repository would show in the list of forks, even if its
owner was not a public user or organization.
* the members of an organization team with read access to a repository (e.g.
to read issues) but no read access to the code could read the RSS or atom
feeds which include the commit activity. Reading the RSS or atom feeds is
now denied unless the team has read permissions on the code.
* the tokens used when replying by email to issues or pull requests were
weaker than the rfc2104 recommendations.
* a registered user could modify the update frequency of any push mirror.
* it was possible to use basic authorization (i.e. user:password) for requests
to the API even when security keys were enrolled for a user.
* some markup sanitation rules were not as strong as they could be.
* when Forgejo is configured to enable instance wide search (e.g. with bleve),
results found in the repositories of private or limited users were displayed
to anonymous visitors.
* fix: handle renamed dependency for cargo registry.
* support www.github.com for migrations.
* move forgot_password-link to fix login tab order.
* code owners will not be mentioned when a pull request comes from a forked
repository.
* labels are missing in the pull request payload removing a label.
* in a Forgejo Actions workflow, the unlabeled event type for pull requests
was incorrectly mapped to the labeled event type.
* when a Forgejo Actions issue or pull request workflow is triggered by an
labeled or unlabeled event type, it misses information about the label added
OBS-URL: https://build.opensuse.org/request/show/1224536
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=45
- update to 9.0.1:
* Forgejo generates a token which is used to authenticate web endpoints that
are only meant to be used internally, for instance when the SSH daemon is
used to push a commit with Git. The verification of this token was not done
in constant time and was susceptible to timing attacks.
* Because of a missing permission check, the branch used to propose a pull
request to a repository can always be deleted by the user performing the merge.
* Fix boolean inputs in workflow_dispatch
* package arch database not updating when uploading "any" architecture
* correct SQL query for active issues
* specify default value for EXPLORE_DEFAULT_SORT.
* fix: Add recentupdated as recognized sort option
* Update dependency mermaid to v11.3.0 (v9.0/forgejo)
* Always update expiration time when creating an artifact
* Update scheduled tasks even if changes are pushed by "ActionsUser"
* Fix disable 2fa bug
* i18n: update of translations from Codeberg Translate
* fix: make branch protection work for new branches
* link to security policy in security.txt
* fix: don't show truncated comments in RSS/Atom feeds
* fix: typo on releases for source code downloads
* Revert "add gap between branch dropdown and PR button"
* fix: Don't double escape delete branch text
* fix: Add server logging for OAuth server errors
* forgejo-cli is now a symlink and cannot be used for sanity checks
* fix: correct documentation for non 200 responses in swagger
- forgejo is since 9.0.0 GPL-3.0-or-later (forwarded request 1218912 from rrahl0)
OBS-URL: https://build.opensuse.org/request/show/1218913
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=18
- update to 9.0.1:
* Forgejo generates a token which is used to authenticate web endpoints that
are only meant to be used internally, for instance when the SSH daemon is
used to push a commit with Git. The verification of this token was not done
in constant time and was susceptible to timing attacks.
* Because of a missing permission check, the branch used to propose a pull
request to a repository can always be deleted by the user performing the merge.
* Fix boolean inputs in workflow_dispatch
* package arch database not updating when uploading "any" architecture
* correct SQL query for active issues
* specify default value for EXPLORE_DEFAULT_SORT.
* fix: Add recentupdated as recognized sort option
* Update dependency mermaid to v11.3.0 (v9.0/forgejo)
* Always update expiration time when creating an artifact
* Update scheduled tasks even if changes are pushed by "ActionsUser"
* Fix disable 2fa bug
* i18n: update of translations from Codeberg Translate
* fix: make branch protection work for new branches
* link to security policy in security.txt
* fix: don't show truncated comments in RSS/Atom feeds
* fix: typo on releases for source code downloads
* Revert "add gap between branch dropdown and PR button"
* fix: Don't double escape delete branch text
* fix: Add server logging for OAuth server errors
* forgejo-cli is now a symlink and cannot be used for sanity checks
* fix: correct documentation for non 200 responses in swagger
- forgejo is since 9.0.0 GPL-3.0-or-later
OBS-URL: https://build.opensuse.org/request/show/1218912
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=43
