7 Commits

Author SHA256 Message Date
Richard Rahl
2b7227954c Accepting request 1330153 from home:rrahl0
- Update to version 14.0.2:
  * fix(ui): tippy menu styles too broad, affecting switch in PR review
  * fix(ui): add missing translation for code search when keyword is empty string
  * fix(ui): improve force-push layout alignment
  * feat: enable SQLite WAL by default
  * fix: allow test delivery for webhooks not enabled for push events
  * fix: empty dynamic matrix can leave action run hanging incomplete
  * Fix not decreasing watch count when blocking user
  * fix: don't clobber authorized_keys file during installation
  * fix(api): default new release 'title' field to label name, if not provided
  * fix: remove infinite loop in UpdateRunJobWithoutNotification when run in transaction
  * feat: strip newlines on og image rendering
  * fix: don't return AdditionalTasks from FetchTask if there is no Task
  * fix: use ALTER TABLE in SQLite DropTableColumns(), allowing unexpected
    database sources to work better in migrations
  * fix: migrations/github: avoid getting the first issues page twice
  * fix NewMockWebServer(): Headers never reached the http client
  * fix: migrations/github: Wait & retry when primary rate limit is hit
  * fix: detect renames when using diff-tree
- Update to version 14.0.1:
  * fix: use strict-origin as referrer policy
  * fix: make concurrency group job cancellation affect runs that are failed
  * fix: recreate-tables doesn't work on PostgreSQL with multiple Forgejo schemas
- Update to version 14.0.0:
  * new feature: ssh managed by forgejo now breaks startup, if an unexpected key
    is being found, can be overridden with
    [server].SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS = true in their app.ini file
  * CSRF attacks are now prevented via a stateless method
  * fix!: paginate GET /api/v1/admin/hooks response
  * fix!: Prevent forked .profile repositories from displaying profile content

OBS-URL: https://build.opensuse.org/request/show/1330153
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=90
2026-01-31 13:16:51 +00:00
Richard Rahl
37881542a7 Accepting request 1313898 from home:rrahl0
- Update to version 13.0.2:
  * Vulnerability (Critical): prevent writing to out-of-repo symlink
    destinations while evaluating template repos
  * Vulnerability (Medium): prevent .forgejo/template from being out-of-repo
    content
  * Vulnerability (Medium): return on error if an LFS token cannot be parsed
  * Vulnerability (Low): prevent commit API from leaking user's hidden email
    address on valid GPG signed commits

OBS-URL: https://build.opensuse.org/request/show/1313898
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=86
2025-10-27 16:33:53 +00:00
Richard Rahl
b33a648d5f Accepting request 1312199 from home:mia:branches:devel:tools:scm
- Update to version 13.0.1:
User Interface bug fixes:
  * fix: Use scrollHeight for rendered iframe if offsetHeight is
    unavailable
Bug fixes:
  * fix: db.Iterate can miss records, can return records twice
    which caused a data corruption of the secret table in v13.0.0
  * fix: release email links
- Changes in 13.0.0:
Security features:
  * Add configurable global 2FA enforcement
  * migrate action secrets to keying to store them more securely
Breaking features:
  * bump the minimum required Git version from 2.0.0 to 2.34.1
  * Forgejo Actions workflows are verified with a YAML schema and
    common errors such as using an incorrect context
    (e.g. ${{ badcontext.FORGEJO_REPOSITORY }}) or a typo in a
    required keyword (e.g. ruins-on: instead of runs-on:) will be
    reported in the action page and the web page that displays the
    file in the repository. It is recommended to verify existing
    workflows are successfully verified prior to upgrading,
    as explained in the Forgejo runner release notes.
Breaking bug fixes:
  * The artifact-url output returned by the upload-artifact@v4
    action can be used to download the artifact. It was previously
    404. To implement this compatibility fix, the web UI URL to
    download artifacts
    (i.e. /{owner}/{repo}/actions/runs/{run_id}/artifacts/{artifact_name})
    now relies on an identifier that is unique across the
    instance. URLs to download artifacts that were bookmarked or
    copied prior to this change use an id relative to the
    repository and will no longer work. It previously was
    /{owner}/{repo}/actions/runs/{run_index}/artifacts/{artifact_name},
    note the difference between {run_id} and {run_index}.
    The new URL can be obtained again by visiting the parent page,
    which still uses the relative id
    (/{owner}/{repo}/actions/runs/{run_index}).
User Interface features:
  * ability to view previous logs for Actions runs that have been
    retried
  * show CI status on force-pushes
  * improve org header with new noJS dropdown and more
    options
  * improve multiline file preview and anchor detection
  * render ordered checkbox lists with numbers
  * Admin interface for abuse reports
  * show timestamp on release attachments
  * add tag label to commit list view
  * support Markdown editor bold & italic keyboard shortcuts
  * improve rendering commit links for PR commits,
    external repos and diffs
  * add links to assigners in issue comments
  * use simplified visibility label in dashboard orgs
    list
  * improve custom emojis
  * improve the global noJS notice
  * improve display of repo topics
  * add links to review request targets in issue comments
  * improve subscriptions screen filters
  * implement hover for switch
  * Pretty-print commit counts and other numbers
User Interface bug fixes:
  * add markup class to project descriptions
  * make releases filtering responsive
  * reworked file preview placement towards better HTML validity
  * fix alignment of items in tag signature
  * unescape file names in commit hash links
  * visually distinguish the branch name in action description
  * preserved 'Custom access' even after no permissions
  * show participants in mention suggestions in pr review
  * apply background color to wiki content
  * improve signature box responsiveness
  * ignore existence of commits for force pushes
  * make unicode escape work in wiki
  * prevent initial 'blank' display of action logs view,
    remove unnecessary API calls
  * don't allow comment boxes to stretch outside diff boundaries
    on small device UI
  * hide edit button on tag releases, improve ghost user display,
    fix tag signature banner
  * resolved 500 error upon clicking 'Clear milestone' button when
    there's no milestones available in Issue page
  * compare branches even with pull requests disabled
Features:
  * Uploaded avatar images can sometimes contain unexpected
    metadata such as the location where the image was created,
    or the device the image was created with, stored in a format
    called EXIF. Forgejo now removes EXIF data when custom user and
    repository images are uploaded in order to reduce the risk of
    personally identifiable information being leaked unexpectedly.
    A new CLI subcommand forgejo doctor avatar-strip-exif can be
    used to strip EXIF information from all existing avatars; we
    recommend that administrators run this command once after
    upgrade in order to minimize this risk for existing stored
    files.
  * assorted ActivityPub code only refactors
  * feat(logger): rename settings for consistency and remove
    obsolete settings
  * Bring "remove a label from issue" API in line with GitHub
    equivalent
  * reject password reset attempts for OAuth2 users without a
    current password
  * feat(log): better parseable and configurable ssh-logs
  * add configurable timeout for automatically removing resolved
    reports
  * Add support for migrating from Pagure
  * add _URI entries for mail config
  * Improved signature handling & instance actor
  * Sent user activities to distant federated server
  * Add ActivityPub Person follow from distant
  * chore: remove goroutine PID logging
  * git/blob: GetContentBase64 with fewer allocations and no
    goroutine
  * make API pull and compare endpoint references to head more
    robust
  * git/commit: re-implement submodules file reader
  * add EXCLUSION to logging mode
  * add sort parameter for users/search api endpoint
  * Allow converting mirror repos to normal through the API
  * update broken git hook error
  * avoid expensive SQL for org home
  * make upload URL compatible with GitHub API
  * allow more README formats for .profile
  * AGit push options starting with {base64} are decoded
  * search in the docs directory for issue and pull request
    templates
  * improve checking if diffs differ
  * enable H2C for the HTTP server
  * detect Interlisp sources as text
  * add option to allow non-local users to change usernames
  * chroma: 5d56970 Add uv.lock to TOML lexer
  * chroma: a53c924 create Lexer for Nu
  * chroma: abe0195 create lexer for lox
  * chroma: f3be4c6 create lexer for Gemtext
  * chroma: acd21c6 add aspect-ratio property to css.xml
  * chroma: d0ad679 improve Go lexer
  * Introduce global Merge Message Templates
  * chroma: 970eacc add MoonScript lexer
  * chroma: bc60826 add Core lexer
  * push mirror to have option to only push selected branches
  * if OAuth2 is disabled return 'Not found' for openid
    configuration
  * add --attribute-ssh-public-key to forgejo admin auth add-oauth
    and update-oauth CLI
  * feat(ui): add repository description to og:image:alt
Bug fixes:
  * quota evaluation rules not working properly
  * artifacts can be downloaded using their id instead of their
    name
  * fix: failure to parse on block results in unconditional
    workflow execution
  * Fix invisible iframes with RENDER_CONTENT_MODE=iframe
  * fix: package cleaned rule fails if the keep count is too high
  * prevent user-entered text with | characters from being
    truncated in activity feed
  * PR review dismissals were not appearing in activity feed
  * comment starting with a mermaid block displays error in
    activity feed
  * Markdown: generate unique per comment HTML IDs for footnotes
    and headers
  * very long commit messages cause pushed commits to fail to
    display on the action feed on MySQL
  * parse extra weird tree mode value
  * respect UI DEFAULT_SHOW_FULL_NAME setting in email
    From: headers
  * check target repo limit instead of user repo limit
  * enable multi-line math equations in wiki
  * Actions log view stops refreshing after the displayed job is
    finished, even if other jobs are still running
  * standardize truncation of user-entered comment text in
    activity feed
  * allow Actions tokens to access repos readable by signed in
    users
  * allow Forgejo Actions environment variables starting with CI
  * chroma: 1ca24c9 correct lexing AS keyword for docker
  * chroma: 1f48e65 markdown: don't delegate to HTML lexer
  * chroma: dfb2819 Fixed ObjectPascal comment issue
  * chroma: 2c20473 RPGLE: various lexer & style fixes
  * chroma: c803d79 zig: detect zig object notation files as zig
  * chroma: ffedbf4 kotlin: detect kotlin script files as kotlin

OBS-URL: https://build.opensuse.org/request/show/1312199
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=84
2025-10-19 10:49:18 +00:00
Richard Rahl
1eb2e13cb9 Accepting request 1306119 from home:rrahl0
- update to version 12.0.4:
  * Do not display the title of unsubscribed issues or pull requests in the
    notification web page
  * fix: package cleanup rules are not applied when there are more than 200
    packages
  * fix: [quota.default].TOTAL config setting supports unit suffixes
  * fix: quotas double counting repo size when calculating size:all
  * fix: LFS GC is never running because of a bug in the parsing of the INI file
  * fix(api): set default pagination and Link header for repoListTags
  * chore: build-release must close the cascading pull request

- update to version 12.0.3:
  * Update dependency mermaid to v11.10.0 [SECURITY]
  * fix(ui): clear fields when canceling adding ssh key
  * fix(api): deactivate issue api for disabled or external issue-tracker
  * fix: migration failing when importing either issues or PRs but not the other
  * fix: do better parsing of file modes
  * Update module github.com/ulikunitz/xz to v0.5.15
- update to version 12.0.2:
  * fix: email comments are removed from email addresses
  * fix: validate CSRF on non-safe methods All PUT/DELETE
  * fix: use credential helpers for git clones When performing a git clone that
    requires credentials
  * fix: consistently enforce 2FA on OpenID 2.0
  * fix: delete old auth token upon replacing primary email When the primary
    email is changed before it is validated
  * fix: require password login for creation of new token
  * fix: ensure GetUserByEmail only considers validated emails
  * fix: don't allow credentials in migrate/push mirror URL
  * fix: only redirect to a new owner (organization or user) if the user has

OBS-URL: https://build.opensuse.org/request/show/1306119
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=80
2025-09-20 11:35:09 +00:00
Richard Rahl
1a92e5411a Accepting request 1295900 from home:rrahl0
- update to version 12.0.1:
  * allow for tracked time to be removed again
  * correct image source for quoted reply
  * prevent render failure on faulty org settings post
  * Revert "remove API authentication methods that uses the URL query"
  * upgrade fails or hang at migration[31]: Migrate maven package
    name concatenation
  * make the action feed resilient to database inconsistencies
  * make sure to use unaltered fields when saving a shadow copy
    for updated profiles or comments
  * follow symlinks for local assets
  * use correct ACME default
- remove get-sources.sh, use obs tooling
- include apparmor in Leap 16

- update to version 12.0.0:
  * remove API authentication methods that uses the URL query
  * relax email requirements
  * consider WebAuthn & SSH for instance signing
  * add SSH signing support for instances
  * forgejo docs command is deprecated
  * remove the legacy TEST_CONFLICTING_PATCHES_WITH_GIT_APPLY setting
  * fail if sha is not provided to the POST
    /repos/{owner}/{repo}/contents API endpoint
  * transform fediverse handles
  * add user visibility description in the settings page
  * add model viewer for .glb (GLTF) model in file view
  * show size constraints of custom avatar
  * add links to milestones and projects in issue comments
  * global styling for the kbd tag

OBS-URL: https://build.opensuse.org/request/show/1295900
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=78
2025-07-26 15:45:26 +00:00
Richard Rahl
8037b2dc94 Accepting request 1193292 from home:rrahl0
- update to 8.0.1:
  * A change introduced in Forgejo v1.21 allows a Forgejo user with write
    permission on a repository description to inject a client-side script into
    the web page viewed by the visitor. This XSS allows for href in anchor
    elements to be set to a javascript: URI in the repository description,
    which will execute the specified script upon clicking (and not upon
    loading). AllowStandardURLs is now called for the repository description
    policy, which ensures that URIs in anchor elements are mailto:, http:// 
    or https:// and thereby disallowing the javascript: URI.
  * Do not include trailing EOL character when counting lines
  * Add background to reactions on hover
  * Prevent uppercase in header of dashboard context selector
  * Fix page layout in admin settings
  * Ensure all filters are persistent in issue filters
  * Allow 4 character SHA in /src/commit
- update to 8.0.0:
  full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
  Highlights:
    * remove Microsoft SQL Server support
    * introduce a branch/tag dropdown in the code search page
    * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
    * API endpoints for managing tag protection.
    * add Reviewed-on and Reviewed-by variables to the merge template
    * display an error when an issue comment is edited simultaneously by
      two users instead of silently overriding one of them
    * when installing Forgejo through the built-in installer, open
      (self-) registration is now disabled by default
    * add support for the reddit and Hubspot OAuth providers.
    * CERT management was improved when ENABLE_ACME=true
    * language detection in the repository got additional languages

OBS-URL: https://build.opensuse.org/request/show/1193292
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-11 22:22:28 +00:00
Richard Rahl
18ab27778e Accepting request 1190962 from home:ojkastl_buildservice:Branch_devel_tools_scm
update to 7.0.6

OBS-URL: https://build.opensuse.org/request/show/1190962
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=27
2024-08-01 16:34:02 +00:00