- update to 10.0.1:

* Verify the ID of Forgejo Actions web endpoints belongs to the repository to
    prevent the deletion of runners or variables or the modification of
    variables
  * Enforce permissions on publicly available user or organizations projects to
    not leak information from issues and pull requests that belong to private
    repositories
  * fix(ui): display verified icon for default gpg key
  * fix: load settings for valid user and email check
  * Teach the doctor to remove orphaned two_factor with forgejo doctor check --run check-db-consistency --fix
  * fix: listing tokens must not require basic auth

OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=51

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

_service

@@ -0,0 +1,9 @@
+<?xml version="1.0" ?>
+<services>
+  <service name="download_files" mode="manual" />
+  <service name="node_modules" mode="manual">
+    <param name="cpio">node_modules.obscpio</param>
+    <param name="output">node_modules.spec.inc</param>
+    <param name="source-offset">10000</param>
+  </service>
+</services>

custom-app.ini.patch

@@ -0,0 +1,187 @@
+diff -rub forgejo-src-10.0.0/custom/conf/app.example.ini forgejo-src-10.0.0-patched/custom/conf/app.example.ini
+--- forgejo-src-10.0.0/custom/conf/app.example.ini	2025-01-16 07:37:10.000000000 +0100
++++ forgejo-src-10.0.0-patched/custom/conf/app.example.ini	2025-01-16 14:05:03.035772154 +0100
+@@ -51,7 +51,7 @@
+ ;APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}
+ ;;
+ ;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
+-RUN_USER = ; git
++RUN_USER = ; forgejo
+ ;;
+ ;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
+ ;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
+@@ -284,15 +284,15 @@
+ ;; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
+ ;; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
+ ;; Paths are relative to CUSTOM_PATH
+-;CERT_FILE = https/cert.pem
+-;KEY_FILE = https/key.pem
++CERT_FILE = /etc/forgejo/https/cert.pem
++KEY_FILE = /etc/forgejo/https/key.pem
+ ;;
+ ;; Root directory containing templates and static files.
+ ;; default is the path where Gitea is executed
+-;STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_
++STATIC_ROOT_PATH = /usr/share/forgejo
+ ;;
+ ;; Default path for App data
+-;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
++;APP_DATA_PATH = /var/lib/forgejo/data
+ ;;
+ ;; Enable gzip compression for runtime-generated content, static resources excluded
+ ;ENABLE_GZIP = false
+@@ -303,7 +303,7 @@
+ ;ENABLE_PPROF = false
+ ;;
+ ;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
+-;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
++PPROF_DATA_PATH = /var/lib/forgejo/data/tmp/pprof
+ ;;
+ ;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
+ ;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
+@@ -370,7 +370,7 @@
+ ;;
+ ;DB_TYPE = mysql
+ ;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+-;NAME = gitea
++;NAME = forgejo
+ ;USER = root
+ ;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
+ ;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
+@@ -382,7 +382,7 @@
+ ;;
+ ;DB_TYPE = postgres
+ ;HOST = 127.0.0.1:5432 ; can use socket e.g. /var/run/postgresql/
+-;NAME = gitea
++;NAME = forgejo
+ ;USER = root
+ ;PASSWD =
+ ;SCHEMA =
+@@ -573,14 +573,14 @@
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
+-;ROOT_PATH =
++ROOT_PATH = /var/log/forgejo
+ ;;
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;; Main Logger
+ ;;
+ ;; Either "console", "file" or "conn", default is "console"
+ ;; Use comma to separate multiple modes, e.g. "console, file"
+-MODE = console
++MODE = console, file
+ ;;
+ ;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
+ LEVEL = Info
+@@ -962,7 +962,7 @@
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
+ ;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
+-;ROOT =
++ROOT = /var/lib/forgejo/repositories
+ ;;
+ ;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
+ ;SCRIPT_TYPE = bash
+@@ -1081,7 +1081,7 @@
+ ;ENABLED = true
+ ;;
+ ;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
+-;TEMP_PATH = data/tmp/uploads
++TEMP_PATH = /var/lib/forgejo/data/tmp/uploads
+ ;;
+ ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
+ ;ALLOWED_TYPES =
+@@ -1460,7 +1460,7 @@
+ ;ISSUE_INDEXER_TYPE = bleve
+ ;;
+ ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
+-;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
++ISSUE_INDEXER_PATH = /var/lib/forgejo/indexers/issues.bleve
+ ;;
+ ;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
+ ;ISSUE_INDEXER_CONN_STR =
+@@ -1487,7 +1487,7 @@
+ ;REPO_INDEXER_TYPE = bleve
+ ;;
+ ;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
+-;REPO_INDEXER_PATH = indexers/repos.bleve
++REPO_INDEXER_PATH = /var/lib/forgejo/indexers.bleve
+ ;;
+ ;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
+ ;REPO_INDEXER_CONN_STR =
+@@ -1525,7 +1525,7 @@
+ ;TYPE = persistable-channel
+ ;;
+ ;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
+-;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
++DATADIR = /var/lib/forgejo/queues
+ ;;
+ ;; Default queue length before a channel queue will block
+ ;LENGTH = 100000
+@@ -1872,7 +1872,7 @@
+ ;; file: session file path, e.g. `data/sessions`
+ ;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
+ ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
+-;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
++PROVIDER_CONFIG = /var/lib/forgejo/data/sessions
+ ;;
+ ;; Session cookie name
+ ;COOKIE_NAME = i_like_gitea
+@@ -1959,7 +1959,7 @@
+ ;;
+ ;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
+ ;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
+-;PATH = attachments
++PATH = /var/lib/forgejo/data/attachments
+ ;;
+ ;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
+ ;MINIO_ENDPOINT = localhost:9000
+@@ -1985,7 +1985,7 @@
+ ;MINIO_LOCATION = us-east-1
+ ;;
+ ;; Minio base path on the bucket only available when STORAGE_TYPE is `minio`
+-;MINIO_BASE_PATH = attachments/
++;MINIO_BASE_PATH = /var/lib/forgejo/attachments/
+ ;;
+ ;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
+ ;MINIO_USE_SSL = false
+@@ -2568,10 +2568,10 @@
+ ;;
+ ;STORAGE_TYPE = local
+ ;; override the minio base path if storage type is minio
+-;MINIO_BASE_PATH = packages/
++;MINIO_BASE_PATH = /var/lib/forgejo/packages/
+ ;;
+ ;; Path for chunked uploads. Defaults to APP_DATA_PATH + `tmp/package-upload`
+-;CHUNKED_UPLOAD_PATH = tmp/package-upload
++;CHUNKED_UPLOAD_PATH = /var/lib/forgejo/tmp/package-upload
+ ;;
+ ;; Maximum count of package versions a single owner can have (`-1` means no limits)
+ ;LIMIT_TOTAL_OWNER_COUNT = -1
+@@ -2640,10 +2640,10 @@
+ ;STORAGE_TYPE = local
+ ;;
+ ;; Where your lfs files reside, default is data/lfs.
+-;PATH = data/repo-archive
++;PATH = /var/lib/forgejo/data/repo-archive
+ ;;
+ ;; override the minio base path if storage type is minio
+-;MINIO_BASE_PATH = repo-archive/
++;MINIO_BASE_PATH = /var/lib/forgejo/repo-archive/
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+@@ -2663,10 +2663,10 @@
+ ;STORAGE_TYPE = local
+ ;;
+ ;; Where your lfs files reside, default is data/lfs.
+-;PATH = data/lfs
++;PATH = /var/lib/forgejo/data/lfs
+ ;;
+ ;; override the minio base path if storage type is minio
+-;MINIO_BASE_PATH = lfs/
++;MINIO_BASE_PATH = /var/lib/forgejo/lfs/
+ 
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

dont-strip.patch

@@ -0,0 +1,28 @@
+diff -rub forgejo-src-9.0.0/Makefile forgejo-src-9.0.0-patched/Makefile
+--- forgejo-src-9.0.0/Makefile	2024-10-16 05:56:39.000000000 +0200
++++ forgejo-src-9.0.0-patched/Makefile	2024-10-17 16:41:54.550837598 +0200
+@@ -803,7 +803,7 @@
+ 
+ .PHONY: install $(TAGS_PREREQ)
+ install: $(wildcard *.go)
+-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)'
++	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '$(LDFLAGS)'
+ 
+ .PHONY: build
+ build: frontend backend
+@@ -831,13 +831,13 @@
+ 	@echo "NOT NEEDED: THIS IS A NOOP AS OF Forgejo 7.0 BUT KEPT FOR BACKWARD COMPATIBILITY"
+ 
+ $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
+-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
++	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o $@
+ 
+ forgejo: $(EXECUTABLE)
+ 	ln -f $(EXECUTABLE) forgejo
+ 
+ static-executable: $(GO_SOURCES) $(TAGS_PREREQ)
+-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
++	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
+ 
+ .PHONY: release
+ release: frontend generate release-linux release-copy release-compress vendor release-sources release-check

forgejo-src-10.0.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1d48d2aafa88f7a4ca8d38d93dc084bb762902d401da2a0b547fb7628b29853
+size 56895191

forgejo-src-10.0.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c6be3d48481da4ec38d754bd19ea3696408dbdb575a5648b125f4df4911bcca
+size 56997906

forgejo-src-7.0.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:647efd8b70e312e1d8aa349a535bae1c9cce5c095a7a2ebe0d0b0ec84ff1e198
+size 55031691

forgejo-src-7.0.5.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZoWjbAAKCRCkthotxZI3
+EOPsAQDia3FAbVWnztj3h+SqLvI+7faAzVy2IMGsQpOrPuHleAEAsf+PqLn3rzz2
+CWqTPCo4MWRuYUi6ELY3SS4Xug/DgAM=
+=DqT0
+-----END PGP SIGNATURE-----

forgejo-src-7.0.6.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b33ca271d4d8ecf00ce80d2ee14888d40265ab648b880fd9bb9916bf9e88b15b
+size 53489756

forgejo-src-7.0.6.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZqjZygAKCRCkthotxZI3
+EJmNAP9IiHThCEotiYrOt3YzdOeaEAM3vfLzyf4PN1jWibbiogEAzGyWuho+MH8z
+9TqdaLJIF/T3L62r/TgZ+mlZ0HHkLQM=
+=ExB8
+-----END PGP SIGNATURE-----

forgejo-src-8.0.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:284b2cc2a609d1766bb61f20cea7c6a9e2a34a9972f243d4962df2a24d15204a
+size 53413049

forgejo-src-8.0.1.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYYFgAKCRCkthotxZI3
+EHz8AP90KeP3zRxXpllCJkXngANdUYN4wajU50u8p73dUY2jWAD/Wn87xN7RbrVd
+0U3wPsUy4Memvg4WYavNWBOEwDtTtww=
+=JG8G
+-----END PGP SIGNATURE-----

forgejo-src-8.0.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:36929dbc206753f80766ea59b35adaf3cb28ed53fc89ac8640271f8766673546
+size 53459258

forgejo-src-8.0.2.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZtB4+QAKCRCkthotxZI3
+EI/zAQCAYMjC1aNDQi173NnEsZ+6157ZngCPoT9YB3gzzmOaFAD+LQEyZ3PrsrJe
+/d8N+5Wyvj7ymLsUWzyTNpVZOtaNjQM=
+=jAB5
+-----END PGP SIGNATURE-----

forgejo-src-9.0.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:21364d6c1635711189f25da5dc343b3b28e8ade20a5f00202301ccc364adc1d2
+size 53905348

forgejo-src-9.0.0.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZw/5ogAKCRCkthotxZI3
+EKC/AP9zdT9HGtdr1R84h8wJfMQryhV2VHQ0DZIvHL3OJU1OgAEAmT7X00H/MgRB
+oNnConnjMe+xLtIntIFitFFXd971oQ0=
+=JQRz
+-----END PGP SIGNATURE-----

forgejo-src-9.0.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6748c49677374947eb619b13f9ede983682ae117b8c0405442cc9afc847c4040
+size 53961959

forgejo-src-9.0.1.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZx+nywAKCRCkthotxZI3
+ENlLAQCGXdYLfhCxIU8bKx+n2hvTvkbJPmPxs7FVhDtggAuq5gEAxubIGrthDqw9
+Qr9g7bvuMR7solGMkjzsB73IHqMsXwU=
+=g0qb
+-----END PGP SIGNATURE-----

forgejo-src-9.0.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4de691751256e75258573815f14406905999e991c1d9790c6069dfef47319e1d
+size 53992927

forgejo-src-9.0.2.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZzeoLwAKCRCkthotxZI3
+EH4iAP9XuioervFeW/MxfUHj1/zL2knDYYZAKnuWcPi19BytYwEA3KxcVlrvTgWL
+oZBSoqn0BWtIkmlOtRxDxu8mBGXrRgw=
+=/4OE
+-----END PGP SIGNATURE-----

forgejo.apparmor

@@ -0,0 +1,64 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/mysql>
+  include <abstractions/nameservice>
+  include <abstractions/opencl-pocl>
+  include <abstractions/openssl>
+  include <abstractions/user-tmp>
+  include if exists <local/usr.bin.forgejo>
+
+  network inet stream,
+  network inet6 stream,
+
+  /etc/forgejo/ r,
+  /etc/forgejo/conf/app.ini r,
+  /etc/forgejo/public/ r,
+  /etc/forgejo/public/** r,
+  /etc/forgejo/{conf,https,mailer}/ r,
+  /etc/gitconfig r,
+  /etc/mime.types r,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  /usr/bin/forgejo mr,
+  /usr/bin/git mr,
+  /usr/bin/gzip mr,
+  /usr/bin/{basename,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
+  /usr/libexec/git/git-write-tree mrix,
+  /usr/share/forgejo/** r,
+  /usr/share/forgejo/.gitconfig rw,
+  /usr/share/forgejo/.gitconfig.lock rw,
+  /usr/share/git-core/templates/ r,
+  /usr/share/git-core/templates/** r,
+  /usr/share/mime/globs2 r,
+  /usr/{lib,libexec}/git/git ix,
+  /usr/{lib,libexec}/git/git-remote-http ix,
+  /var/ r,
+  /var/lib/ r,
+  /var/lib/forgejo/ r,
+  /var/lib/forgejo/.local/** rw,
+  /var/lib/forgejo/.ssh/ rw,
+  /var/lib/forgejo/.ssh/* rw,
+  /var/log/forgejo/ rw,
+  /var/log/forgejo/access.log rw,
+  /var/log/forgejo/access.log.* w,
+  /var/log/forgejo/doctors-* rw,
+  @{PROC}/sys/net/core/somaxconn r,
+  owner /etc/forgejo/conf/app.ini w,
+  owner /tmp/forgejo** rwl,
+  owner /tmp/index* rw,
+  owner /tmp/patch* rw,
+  owner /usr/share/forgejo/** rw,
+  owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
+  owner /var/lib/forgejo/data/forgejo-repositories/** rwlk,
+  owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
+  owner /var/lib/forgejo/https/** rwlk,
+  owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
+  owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
+  owner /var/log/forgejo/gitea.log w,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
+
+}

forgejo.changes

@@ -0,0 +1,647 @@
+-------------------------------------------------------------------
+Sat Feb  8 19:51:39 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 10.0.1:
+  * Verify the ID of Forgejo Actions web endpoints belongs to the repository to
+    prevent the deletion of runners or variables or the modification of
+    variables
+  * Enforce permissions on publicly available user or organizations projects to
+    not leak information from issues and pull requests that belong to private
+    repositories
+  * fix(ui): display verified icon for default gpg key
+  * fix: load settings for valid user and email check
+  * Teach the doctor to remove orphaned two_factor with forgejo doctor check --run check-db-consistency --fix
+  * fix: listing tokens must not require basic auth
+
+-------------------------------------------------------------------
+Thu Jan 16 15:16:58 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 10.0.0:
+  full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/10.0.0.md
+  * Fix and refactor markdown rendering
+  * migrate TOTP secrets to keying
+  * Ensure source_id parameter is not skipped when set to 0 and correctly
+    filter users in /api/v1/admin/users endpoint
+  * Rework user profile settings
+  * Rework new repository dialog
+  * Show repository size on mobile
+  * Add links to commit lists in contributors graph page
+  * Add copy path button to file view
+  * Put issue actions in a single row on mobile
+  * Don't display email in profile settings when hidden
+  * Highlight user mention in comments and commit messages
+  * When bleve is used for issue search, a fuzzy search now applies to each
+    word instead of all of them, as if they were a phrase
+  * Add search to releases page
+  * Combine review requests comments
+  * If you select a portion of a comment and use the 'Quote reply' feature in
+    the context menu, only that portion will be quoted
+  * Set "your repositories" as the default filter for org dashboards
+  * Add button to create a Markdown table in a comment
+  * Add a bullet symbol between author and committer
+  * Added link to show all Issues/PullRequests
+  * Fix Action log UI race condition that occasionally prevents logs from loading
+  * Fix wiki search overflowing on wide screens
+  * Move "forgot_password"-link to fix login tab order
+  * Update help links on page with no workflows
+  * Add Low German to list of default languages
+  * i18n: Add dummy language for checking translation keys
+  * Updates for translations
+  * Add summary card for repos and releases
+  * Implement update branch API
+  * Allow changing default branch update style
+  * Add sorting functionality to /api/v1/admin/users endpoint
+  * Add Swift login endpoint
+  * Make LFS http_client parallel within a batch
+  * Improve performance of notifications page for MySQL
+  * Filepath filter for code search
+  * Add option to disable builtin authentication
+  * Add github compatible tarball download API endpoints
+  * Improve performance of allowed org repo creation query
+  * Allow the actions user to login via the jwt token
+  * Add a "summary card" to issues & PRs for consumption by OpenGraph clients
+  * Add a doctor check to disable the "Actions" unit for mirrors
+  * Make AVIF Images work with Forgejo
+  * Trim spaces from repo names on form submission
+  * Add new [lfs_client].BATCH_SIZE and [server].LFS_MAX_BATCH_SIZE config settings.
+  * Add setting to block disposable emails
+  * mermaid: Add the Kanban board diagram type.
+  * mermaid: Class diagram includes a new "classBox" shape, classDef statement,
+    support for styling the default class and lollipop interfaces.
+  * Add DISABLE_ORGANIZATIONS_PAGE and DISABLE_CODE_PAGE settings for explore pages
+  * Add branch deletion for scheduled PRs
+  * The requested_reviewers data is included in more webhook events.
+  * Support migrating GitHub/GitLab PR draft status.
+  * Language detection in the repository learned about the following languages:
+    - Java Template Engine, Noir, Cylc, iCalendar, vCard (aka. VCF: Virtual
+      Contact File) and Variant Call Format (VCF), B4X, Carbon, LiveCode
+      Script, Dune (OCaml build system)
+  * Allow filtering pull requests by poster in the API.
+  * Add support for searching users by email.
+  * New mermaid flowchart shapes.
+  * Code search results when using the bleve indexer are sorted by relevance.
+  * Add bin to Composer Metadata.
+  * Support regexp in git-grep search
+  * Git notes can be modified via the API or the UI
+
+-------------------------------------------------------------------
+Fri Dec 13 05:19:57 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 9.0.3:
+  * When Forgejo is configured to run the internal ssh server with
+    [server].START_SSH_SERVER=true, it was possible for a registered user to
+    impersonate another user
+  * Revert "allow synchronizing user status from OAuth2 login providers" Fix
+  * wiki search overflowing on wide screens Do not rewrite ssh keys files when
+  * deleting a user without one fix: doctor fails with pq: syntax error at or
+  * near "." whilst counting
+    Authorization token without existing User
+  * fix: Do not delete global Oauth2 applications Strict matching of allowed
+  * content for sanitizer for asciicast
+    and csv rendering
+  * fix: remove softbreak from github legacy callout fix: correct permission
+  * loading for limited organisation fix: clean up log files that no longer
+  * exist fix: return correct type in GetSubModule Improve Swagger documentation
+  * for user endpoints fix: normalize guessed languages from enry Show page
+  * titles in wiki search results fix(test): TestGitAttributeCheckerError must
+  * allow broken pipe fix: check read permissions for code owner review requests
+  * fix: use better code to group UID and stopwatches fix: api repo compare with
+  * commit hashes bug: correctly generate oauth2 jwt signing key
+- disable gpg verification for this release
+
+-------------------------------------------------------------------
+Sat Nov 16 03:16:51 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 9.0.2:
+  * it was possible to use a token sent via email for secondary email validation
+    to reset the password instead. In other words, a token sent for a given
+    action (registration, password reset or secondary email validation) could
+    be used to perform a different action.
+  * a fork of a public repository would show in the list of forks, even if its
+    owner was not a public user or organization.
+  * the members of an organization team with read access to a repository (e.g.
+    to read issues) but no read access to the code could read the RSS or atom
+    feeds which include the commit activity. Reading the RSS or atom feeds is
+    now denied unless the team has read permissions on the code.
+  * the tokens used when replying by email to issues or pull requests were
+    weaker than the rfc2104 recommendations.
+  * a registered user could modify the update frequency of any push mirror.
+  * it was possible to use basic authorization (i.e. user:password) for requests
+    to the API even when security keys were enrolled for a user.
+  * some markup sanitation rules were not as strong as they could be.
+  * when Forgejo is configured to enable instance wide search (e.g. with bleve),
+    results found in the repositories of private or limited users were displayed
+    to anonymous visitors.
+  * fix: handle renamed dependency for cargo registry.
+  * support www.github.com for migrations.
+  * move forgot_password-link to fix login tab order.
+  * code owners will not be mentioned when a pull request comes from a forked
+    repository.
+  * labels are missing in the pull request payload removing a label.
+  * in a Forgejo Actions workflow, the unlabeled event type for pull requests
+    was incorrectly mapped to the labeled event type.
+  * when a Forgejo Actions issue or pull request workflow is triggered by an
+    labeled or unlabeled event type, it misses information about the label added
+    or removed. It is now available in the label data member of the event payload.
+  * pull request workflow must always update the head SHA commit status.
+  * fix git-grep for code search when git version is below 2.38.
+
+-------------------------------------------------------------------
+Mon Oct 28 17:09:05 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 9.0.1:
+  * Forgejo generates a token which is used to authenticate web endpoints that
+    are only meant to be used internally, for instance when the SSH daemon is
+    used to push a commit with Git. The verification of this token was not done
+    in constant time and was susceptible to timing attacks.
+  * Because of a missing permission check, the branch used to propose a pull
+    request to a repository can always be deleted by the user performing the merge.
+  * Fix boolean inputs in workflow_dispatch
+  * package arch database not updating when uploading "any" architecture
+  * correct SQL query for active issues
+  * specify default value for EXPLORE_DEFAULT_SORT.
+  * fix: Add recentupdated as recognized sort option
+  * Update dependency mermaid to v11.3.0 (v9.0/forgejo)
+  * Always update expiration time when creating an artifact
+  * Update scheduled tasks even if changes are pushed by "ActionsUser"
+  * Fix disable 2fa bug
+  * i18n: update of translations from Codeberg Translate
+  * fix: make branch protection work for new branches
+  * link to security policy in security.txt
+  * fix: don't show truncated comments in RSS/Atom feeds
+  * fix: typo on releases for source code downloads
+  * Revert "add gap between branch dropdown and PR button"
+  * fix: Don't double escape delete branch text
+  * fix: Add server logging for OAuth server errors
+  * forgejo-cli is now a symlink and cannot be used for sanity checks
+  * fix: correct documentation for non 200 responses in swagger
+- forgejo is since 9.0.0 GPL-3.0-or-later
+
+-------------------------------------------------------------------
+Thu Oct 17 14:52:33 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 9.0.0:
+  * OIDC integrations that POST to /login/oauth/introspect without sending HTTP
+    basic authentication will now fail
+  * The public scope of an application token does not filter out private repositories,
+    organizations or packages in some cases
+  * Drop support to build Forgejo with the optional go-git Git backend
+  * Set created_by as the default filter for /issues and /pulls
+  * Set fuzzy as default for issue search.
+  * Improve commit graph layout.
+  * Add support for iconify icons.
+  * Allow multi-line relationship labels.
+  * Adds architecture diagrams which allows users to show relations between services.
+  * Improve diffs generated by Forgejo.
+  * Add rel="nofollow" to in-list labels.
+  * Distinguish between new tags, releases and pre-releases on activity page.
+  * Highlighted code search results.
+  * Refactor repo migration items.
+  * Add package counter to repo/user/org overview pages.
+  * Replace vue-bar-graph with chart.js.
+  * Add more emoji and code block rendering in issues.
+  * Bad spacing on new release page.
+  * Milestone assignment in new issue.
+  * git-grep: ensure bounded default for MatchesPerFile.
+  * Incorrect go to citation button.
+  * Incorrect HTMX support for profile card.
+  * Accessibility keyboard support for test actions.
+  * Update pull request icons.
+  * "Assign to me" button on PR and Issues.
+  * Add architecture-specific removal support for arch package.
+  * Add bin to Composer Metadata.
+  * Internationalization user experience improvements on team permissions and issue closing.
+  * Support allowed hosts for migrations to work with proxy.
+  * Trivial default quota configuration.
+  * Language detection in the repository learned about the following languages:
+    Luau, BQN, Cron table, NMODL, Pkl, templ, FIRRTL, Julia REPL, Caddyfile.
+  * The following extensions or filenames in a repository are associated with the matching language:
+    .sublime-color-scheme, MODULE.bazel.lock, Cargo.toml.orig, tsx, justfile, .zig.zon, .envrc.
+  * Remove support for Couchbase as a session provider; it instead will now fallback to the file provider.
+  * git-grep: allow searching for words with initial dashes.
+  * git-grep: skip binary files.
+  * Forgejo Actions logs are compressed by default.
+  * Support grouping by any path for arch package.
+  * Remove expensive nearest branch calculatations ($.BranchName) from commit diff view
+  * Allow push mirrors to use a SSH key as the authentication method for the mirroring action
+    instead of using user:password authentication.
+  * Use UTC as a timezone when running scheduled actions tasks.
+  * The actions logs older than [actions].LOG_RETENTION_DAYS days are removed (the default is 365).
+  * Add signature support for the RPM module.
+  * Allow color and background-color style properties for table cells.
+  * support pull_request_target event for commit status.
+  * support delete user email in admin panel.
+  * Notify owner about TOTP enrollment.
+  * Email notifications are now sent when account security changes are made: password changed
+  * Enable INVALIDATE_REFRESH_TOKENS.
+  * Sort milestones by name by default instead of the due date.
+  * allow synchronizing user status from OAuth2 login providers.
+  * add option to change mail from user display name.
+  * issue Templates: add option to have dropdown printed list.
+  * the default setting attachment.ALLOWED_TYPES was adjusted to allow .webp attachments in issues
+  * Convert milestone to HTMX.
+  * Use the full user name in emails to address the recipient, when available.
+  * Enhancing OAuth2 Provider with Granular Scopes for Resource Access.
+  * Display URLs in .sh-session files.
+  * The caching of contributor stats was improved
+  * Add support for LFS server implementations which have batch API responses in an older/deprecated schema.
+  * Forgejo Actions artifacts support range requests to resume a download.
+  * Added the foundations of a flexible, configurable quota system.
+  * Logs journald integration.
+  * A release asset can be a URL instead of a file.
+  * Don't allow owner team with incorrect unit access (includes doctor fix).
+  * Schedule workflows are canceled when pushing to the default branch.
+  * Incorrect Discord webhook JSON for issue events.
+  * wrong last modify time.
+  * Repo Activity: count new issues that were closed.
+  * incorrect /tokens API.
+  * Do not escape relative path in RPM primary index.
+  * Handle invalid target when creating releases using API.
+  * /repos/{owner}/{repo}/pulls/{index}/files endpoint not populating previous_filename.
+  * Improve textarea paste.
+  * Handle "close" actionable references for manual merges.
+  * Team admins are allowed to search team members via the API.
+  * Don't return 500 if mirror url contains special chars.
+  * Agit automerge is not working properly.
+  * Improve the display of PR & issue short links.
+  * Migrate scoped GitLab labels as scoped Forgejo labels.
+  * /repos/{owner}/{repo}/pulls/{index} requested_reviewers contains null for teams.
+  * Validate title length when updating an issue.
+  * Hide the "Details" link of commit status when the user cannot access actions.
+  * Runner registration token via API is broken for repo level runners.
+  * Deleted projects causes bad popover text on issues.
+  * Distinguish LFS object errors to ignore missing objects during migration.
+  * When viewing the revision history of wiki pages, the pagination links are broken
+  * Also rename the head branch of open pull requests when renaming a branch.
+  * add return type to GetRawFileOrLFS and GetRawFile.
+  * properly filter issue list given no assignees filter.
+  * Cron task to cleanup dangling container images with version sha256:*.
+  * Allow updates to runners' secrets.
+  * Do not fire webhook notifications for updates and deletions of comments that are part of an ongoing review
+  * Fixed social media previews for links to wiki pages.
+  * Updated translations
+  * Improve the clarity of confirmation in email messages.
+  * Fine tune language for units.
+  * Improve translation strings for webhook events.
+  * Allow different translations of creation links and titles.
+  * English strings improvements for internationalization.
+
+-------------------------------------------------------------------
+Wed Oct  9 13:22:28 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- add dont-strip.patch for not stripping the main binary (so we can
+  create debuginfo package)
+
+-------------------------------------------------------------------
+Wed Oct  9 05:46:17 UTC 2024 - Tuukka Pasanen <tuukka.pasanen@ilmi.fi>
+
+- Add package environment-to-ini for OCI containers
+
+-------------------------------------------------------------------
+Tue Sep 10 07:49:29 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 8.0.3:
+  * replace v-html with v-text in branch search inputbox for XSS protection
+  * mitigate CVE-2024-43788 (upgrade webpack)
+  * Translation updates
+
+-------------------------------------------------------------------
+Thu Aug 29 16:06:05 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 8.0.2:
+  * Overflow for images on project cards.
+  * Allow unreacting from comment popover.
+  * The scope of application tokens is not verified when writing
+    containers or Conan packages.
+  * When a Forgejo Actions workflow includes a workflow_dispatch with
+    inputs and other events (for instance push), it is silently ignored
+    because of a parsing error.
+  * Automerge on AGit pull requests is ignored.
+  * Show lock owner instead of repo owner on LFS setting page.
+  * Render plain text file if the LFS object doesn't exist.
+  * Panic of ssh public key page after deletion of an auth source.
+  * Add missing repository type filter parameters to pager.
+  * Reverted a change from Gitea which prevented allow/reject reviews on
+    merged or closed PRs. This change was not considered by the Forgejo
+    UI team and there is a consensus that it feels like a regression,
+    since it interferes with workflows known to be used by Forgejo users
+    without providing a tangible benefit.
+  * Run full PR checks on AGit push.
+  * Updated translations
+
+-------------------------------------------------------------------
+Fri Aug  9 21:25:45 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 8.0.1:
+  * A change introduced in Forgejo v1.21 allows a Forgejo user with write
+    permission on a repository description to inject a client-side script into
+    the web page viewed by the visitor. This XSS allows for href in anchor
+    elements to be set to a javascript: URI in the repository description,
+    which will execute the specified script upon clicking (and not upon
+    loading). AllowStandardURLs is now called for the repository description
+    policy, which ensures that URIs in anchor elements are mailto:, http:// 
+    or https:// and thereby disallowing the javascript: URI.
+  * Do not include trailing EOL character when counting lines
+  * Add background to reactions on hover
+  * Prevent uppercase in header of dashboard context selector
+  * Fix page layout in admin settings
+  * Ensure all filters are persistent in issue filters
+  * Allow 4 charachter SHA in /src/commit
+- update to 8.0.0:
+  full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
+
+  Highlights:
+    * remove Microsoft SQL Server support
+    * introduce a branch/tag dropdown in the code search page
+    * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
+    * API endpoints for managing tag protection.
+    * add Reviewed-on and Reviewed-by variables to the merge template
+    * display an error when an issue comment is edited simultaneously by
+      two users instead of silently overriding one of them
+    * when installing Forgejo through the built-in installer, open
+      (self-) registration is now disabled by default
+    * add support for the reddit and Hubspot OAuth providers.
+    * CERT management was improved when ENABLE_ACME=true
+    * language detection in the repository got additional languages
+    * add an immutable tarball link to archive download headers for Nix
+    * Show the AGit label on merged pull requests
+- fix apparmor profile
+- set sqlite3 as the default installation database
+- add a rule for firewalld
+
+
+-------------------------------------------------------------------
+Fri Aug  9 18:13:59 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 7.0.7:
+  This is a security release. See the documentation for more
+  information on the upgrade procedure.
+  * Security
+    - A change introduced in Forgejo v1.21 allows a Forgejo user
+      with write permission on a repository description to inject a
+      client-side script into the web page viewed by the visitor.
+      This XSS allows for href in anchor elements to be set to a
+      javascript: URI in the repository description, which will
+      execute the specified script upon clicking (and not upon
+      loading). AllowStandardURLs is now called for the repository
+      description policy, which ensures that URIs in anchor
+      elements are mailto:, http:// or https:// and thereby
+      disallowing the javascript: URI.
+  * Bug fixes
+    - PR (backported): disallow javascript: URI in the repository
+      description
+  * Localization
+    - PR (backported): i18n: backport of #4568 #4668 and #4783 to
+      v7
+
+-------------------------------------------------------------------
+Thu Aug  1 10:50:53 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 7.0.6:
+  * Two frontend features were removed because a license
+    incompatibility was discovered. Read more in the companion blog
+    post.
+    - PR (backported from): Mermaid rendering: %%{init:
+      {"flowchart": {"defaultRenderer": "elk"}} }%% will now fail
+      because ELK is no longer included.
+    - PR (backported from): Repository citation: Removed the
+      ability to export citations in APA format.
+  * User Interface bug fixes
+    - PR (backported from): Replace vue-bar-graph with chart.js
+    - PR (backported from): Show AGit label on merged PR
+    - PR (backported from): Fix mobile UI for organisation creation
+  * Bug fixes
+    - PR (backported from): fix(api): issue state change is not
+      idempotent
+    - PR (backported from): Reserve the devtest username
+    - PR (backported from): fix(actions): no edited event triggered
+      when a title is changed
+    - PR (backported from): Load attachments for
+      /issues/comments/{id}
+    - PR (backported from): When searching for users, page the
+      results by default, and respect the default paging limits
+    - PR (backported from): the "View command line instructions"
+      link in pull requests and the "Copy content" button in file
+      editor are not accessible
+    - PR (backported from): Use correct SHA in GetCommitPullRequest
+  * Localization
+    - PR (backported from): Update of translations from Weblate
+    - PR: Update of translations from Weblate
+    - PR (backported from): 3 translation updates from Weblate - PR
+      1, PR 2, PR 3
+
+-------------------------------------------------------------------
+Mon Jul 15 06:28:18 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- fix typo Environemnt in forgejo.service
+
+-------------------------------------------------------------------
+Fri Jul  5 07:13:38 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 7.0.5:
+  * Fixed: CVE-2024-24791 - GO-2024-2963 Denial of service due to improper 
+    100-continue handling in net/http
+  * Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead 
+    of Default URLs" checkbox (missing checkbox, irrelevant fields).
+  * Fixed: git push to an adopted repository fails.
+  * Fixed: markdown doesn't render math within brackets
+  * Fixed: selecting the "No Project" filter in the issue/pull request list has no effect
+  * Fixed: error 500 when processing crafted TIFF files.
+  * Fixed: wrong placeholder text in the form for adding repository collaborator.
+
+-------------------------------------------------------------------
+Sun Jun 16 12:52:27 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.4:
+  * Fixed: CVE-2024-24789: the archive/zip package's handling of certain types
+    of invalid zip files differs from the behavior of most zip implementations.
+    This misalignment could be exploited to create an zip file with contents that
+    vary depending on the implementation reading the file.
+  * the OAuth2 implementation does not always require authentication for public
+    clients, a requirement of RFC 6749 Section 10.2
+  * forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path.
+  * avatar files can be found in storage while they do not exist in the database.
+  * repository admins are always denied the right to force merge and instance admins
+    are subject to restrictions to merge that must only apply to repository admins.
+  * non conformance with the Nix tarball fetcher immutable link protocol.
+  * migrated activities (such as reviews) are mapped to the user who initiated the
+    migration rather than the Ghost user, if the external user cannot be mapped to a
+    local one. This mapping mismatch leads to internal server errors in some cases.
+  *  a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored.
+  * using a subquery for user deletion is a performance bottleneck when using mariadb 10
+    because only mariadb 11 takes advantage of the available index.
+  * a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error.
+  * SourceHut Builds webhook fail when the triggers field is used.
+  * the label list rendering in the issue and pull request timeline is displayed on
+    multiple lines instead of a single one.
+  * Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.
+  * automerge does not happen when the approval count reaches the required threshold.
+  * the FORCE_PRIVATE=true setting is not consistently enforced.
+  * CSRF validation errors when OAuth is not enabled.
+  * headlines in rendered org-mode do not have a margin on the top
+
+-------------------------------------------------------------------
+Wed May 22 20:41:58 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.3:
+  * CVE-2024-24788: a malformed DNS message in response to a query can
+    cause the lookup functions to get stuck in an infinite loop
+  * backticks in mermaid block diagram labels are not sanitized properly
+  * migration of a repository from gogs fails when it is hosted at a subpath.
+  * when creating an OAuth2 application the redirect URLs are not enforced to
+    be mandatory
+  * the API incorrectly excludes repositories where code is not enabled
+  * "Allow edits from maintainers" cannot be modified via the pull request web UI
+  * repository activity feeds (including RSS and Atom feeds) contain
+    repeated activities
+  * uploading maven packages with metadata being uploaded separately will fail
+  * the mail notification sent about commits pushed to pull requests are empty
+  * inline emails attachments are not properly handled when commenting on an
+    issue via email
+  * the links to .zip and tar.gz on the tag list web UI fail
+  * expanding code diff while previewing a pull request before it is created fails
+  * the CLI is not able to migrate Forgejo Actions artifacts
+  * when adopting a repository, the default branch is not taken into account
+  * when using reverse proxy authentication, logout will not be taken into
+    account when immediately trying to login afterwards
+  * pushing to the master branch of a sha256 repository fails
+  * a very long project column name will make the action menu inaccessible
+  * a useless error is displayed when the title of a merged pull request is
+    modified
+  * workflow badges are not working for workflows that are not running on push
+    (such as scheduled workflows, and ones that run on tags and pull requests)
+
+-------------------------------------------------------------------
+Fri May  3 00:35:37 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.2:
+  * regression where subscribing to or unsubscribing from an issue in a
+    repository with no code produced an internal server error.
+  * regression makes all the refs sent in Gitea webhooks to be full refs and
+    might break Woodpecker CI pipelines triggered on tag (CI_COMMIT_TAG
+    contained the full ref). This issue has been fixed in the main branch of
+    Woodpecker CI as well.
+  *  the webhook branch filter wrongly applied the match on the full ref for
+     branch creation and deletion (wrongly skipping events).
+  * toggling the WIP state of a pull request is possible from the sidebar,
+    but not from the footer.
+  * when mentioning a user, the markup post-processor does not handle the case
+    where the mentioned user does not exist: it tries to skip to the next node,
+    which in turn, ended up skipping the rest of the line.
+  * excessive and unnecessary database queries when a user with no repositories
+    is viewing their dashboard.
+  * duplicate status check contexts show in the branch protection settings.
+  * profile info fails to render german singular translation.
+  * inline attachments of incoming emails (as they occur for example with Apple
+    Mail) are not attached to comments.
+
+-------------------------------------------------------------------
+Sat Apr 27 14:53:09 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.1:
+  * LFS data corruption when running the forgejo doctor check --fix CLI command
+    or setting [cron.gc_lfs].ENABLED=true (the default is false)
+  * non backward compatible change in the forgejo admin user create CLI command
+  * error 500 because of an incorrect evaluation of the template when visiting
+    the LFS settings of a repository
+  * GET /repos/{owner}/{name} API endpoint always returns an empty string for
+    the object_format_name field
+  * fuzzy search may fail with bleve
+
+-------------------------------------------------------------------
+Thu Apr 25 02:27:22 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 7.0.0:
+  This is only an excerpt from the full changelog, which you can find
+  in your RELEASE-NOTES.md or at
+  https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0
+  * MySQL 8.0 or PostgreSQL 12 are the minimum supported versions.
+    The database must be migrated before upgrading.
+    The requirements regarding SQLite did not change.
+  * The per_page parameter is no longer a synonym for limit in the
+    /repos/{owner}/{repo}/releases API endpoint.
+  * The date format of the created and last_update fields of the 
+    /repos/{owner}/{repo}/push_mirrors and /repos/{owner}/{repo}/push_mirrors
+    API endpoint changed to be timestamps instead of numbers.
+  * Labels used by pprof endpoint have been changed
+  * The fogejo admin user create CLI command requires a password change
+    by default when creating the first user
+
+-------------------------------------------------------------------
+Sat Apr 20 12:39:56 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to 1.21.11-1:
+  * error 500 on tag creation when a workflow exists
+
+- update to 1.21.11-0:
+  * Fixed a privilege escalation through git push options that
+    allows any user to change the visibility of any repository they can see,
+    regardless of their level of access.
+  * Fixed a bug that allows user-supplied, non-sandboxed JavaScript to be run
+    from the same domain as the forge, via
+    /{owner}/{repo}/render/branch/{branch}/{filename} URLs.
+  * Close file in upload function
+  * Prevent registering runners for deleted repositories.
+    Prevents 500 Internal Server Error in admin interface.
+  * More reliable pagination support when migrating from gitbucket
+  * Fix automerge when used with actions
+
+- fix apparmor profile
+
+-------------------------------------------------------------------
+Fri Apr  5 18:39:07 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- update to 1.21.10-0:
+  * CVE-2023-45288 which permits an attacker to cause an HTTP/2 endpoint to
+    read arbitrary amounts of header data
+  * Fix to not remove repository avatars when the doctor runs with --fix
+    on the repository archives.
+  * Detect protected branch on branch rename.
+  * Don't delete inactive emails explicitly.
+  * Fix user interface when a review is deleted without refreshing.
+  * Fix paths when finding files via the web interface that were not escaped.
+  * Respect DEFAULT_ORG_MEMBER_VISIBLE setting when adding creator to org.
+  * Fix duplicate migrated milestones.
+  * Fix inline math blocks can't be preceeded/followed by alphanumerical
+    characters.
+
+-------------------------------------------------------------------
+Thu Mar 28 06:58:20 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- increase golang dep to 1.22, to imitate the CI/CD of forgejo
+- revise how the apparmor package gets build + add selinux
+
+-------------------------------------------------------------------
+Sat Mar 23 21:21:28 UTC 2024 - Richard Rahl <user@localhost>
+
+- update to 1.21.8-0:
+  * Fix /api/v1/{owner}/{repo}/issue_templates which was always failing with a
+    500 error.
+  * Prevent error 500 on /user/settings/security when SignedUser has a linked
+    account from a deactivated authentication source.
+  * Fix error 500 when pushing release to an empty repo.
+  * Fix incorrect rendering csv file when file size is larger than UI.CSV.MaxFileSize.
+  * Fix error 500 when deleting account with incorrect password or unsupported login type.
+  * handle user-defined name anchors like [Link](#link) linking to <a name="link"></a>Link.
+  * Use correct head commit for CODEOWNER.
+  * Fix manual merge button.
+  * Make meilisearch do exact search for issues.
+  * Fix PR creation via api between branches of same repo with head field namespaced.
+
+-------------------------------------------------------------------
+Fri Mar  8 07:35:29 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- add apparmor profile leeched off of the gitea packaging
+
+- update to 1.21.7-0:
+  * Fix tarball/zipball download bug.
+  * Ensure HasIssueContentHistory takes into account comment_id.
+  * The google.golang.org/protobuf module was bumped to version v1.33.0 to fix
+    a bug in the google.golang.org/protobuf/encoding/protojson package which
+    could cause the Unmarshal function to enter an infinite loop when handling
+    some invalid inputs
+
+-------------------------------------------------------------------
+Fri Feb  9 10:07:58 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- initial packaging

forgejo.fc

@@ -0,0 +1,5 @@
+/usr/bin/forgejo		--	gen_context(system_u:object_r:forgejo_exec_t,s0)
+
+/var/lib/forgejo(/.*)?		gen_context(system_u:object_r:forgejo_var_lib_t,s0)
+
+/var/log/forgejo(/.*)?		gen_context(system_u:object_r:forgejo_log_t,s0)

forgejo.firewalld

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>Forgejo</short>
+  <description>Forgejo is a self-hostable forge. It was forked from gitea, and has the old UI style from GitHub.</description>
+  <port protocol="tcp" port="3000"/>
+</service>

forgejo.if

@@ -0,0 +1,218 @@
+
+## <summary>policy for forgejo</summary>
+
+########################################
+## <summary>
+##	Execute forgejo_exec_t in the forgejo domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`forgejo_domtrans',`
+	gen_require(`
+		type forgejo_t, forgejo_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, forgejo_exec_t, forgejo_t)
+')
+
+######################################
+## <summary>
+##	Execute forgejo in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_exec',`
+	gen_require(`
+		type forgejo_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, forgejo_exec_t)
+')
+########################################
+## <summary>
+##	Read forgejo's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`forgejo_read_log',`
+	gen_require(`
+		type forgejo_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, forgejo_log_t, forgejo_log_t)
+')
+
+########################################
+## <summary>
+##	Append to forgejo log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_append_log',`
+	gen_require(`
+		type forgejo_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, forgejo_log_t, forgejo_log_t)
+')
+
+########################################
+## <summary>
+##	Manage forgejo log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_manage_log',`
+	gen_require(`
+		type forgejo_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, forgejo_log_t, forgejo_log_t)
+	manage_files_pattern($1, forgejo_log_t, forgejo_log_t)
+	manage_lnk_files_pattern($1, forgejo_log_t, forgejo_log_t)
+')
+
+########################################
+## <summary>
+##	Search forgejo lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_search_lib',`
+	gen_require(`
+		type forgejo_var_lib_t;
+	')
+
+	allow $1 forgejo_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read forgejo lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_read_lib_files',`
+	gen_require(`
+		type forgejo_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage forgejo lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_manage_lib_files',`
+	gen_require(`
+		type forgejo_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage forgejo lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`forgejo_manage_lib_dirs',`
+	gen_require(`
+		type forgejo_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an forgejo environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`forgejo_admin',`
+	gen_require(`
+		type forgejo_t;
+		type forgejo_log_t;
+		type forgejo_var_lib_t;
+	')
+
+	allow $1 forgejo_t:process { signal_perms };
+	ps_process_pattern($1, forgejo_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 forgejo_t:process ptrace;
+    ')
+
+	logging_search_logs($1)
+	admin_pattern($1, forgejo_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, forgejo_var_lib_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')

forgejo.keyring

@@ -0,0 +1,39 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: Hostname: 
+Version: Hockeypuck 2.2
+
+xjMEY3T/yhYJKwYBBAHaRw8BAQdAVxqCQrSbpDNrx8CiTM8PUAVqdCyv2UmBDhpP
+HZIpoIDNHUZvcmdlam8gPGNvbnRhY3RAZm9yZ2Vqby5vcmc+wsB+BBMWCgDmAhsD
+BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAhkBFiEE6xFPXmwNwrzdGDVQpLYaLcWS
+NxAFAmN7KZI2FIAAAAAAEAAdcHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vZmxvc3Mu
+c29jaWFsL0Bmb3JnZWpvMRSAAAAAABAAGHByb29mQGFyaWFkbmUuaWRkbnM6Zm9y
+Z2Vqby5vcmc/dHlwZT1UWFRBFIAAAAAAEAAocHJvb2ZAYXJpYWRuZS5pZGh0dHBz
+Oi8vY29kZWJlcmcub3JnL2Zvcmdlam8vZ2l0ZWFfcHJvb2YACgkQpLYaLcWSNxAv
+oQEAsbFLqcqjAoRTKpP++D6s0pZgnekV7W3sz1uumKLLUm4A/RvjfnPaK9XAZHEn
+o0RDksu0xaw673pPmYXWVYQqdVACwsBHBBMWCgCvAhsDBQsJCAcDBRUKCQgLBRYC
+AwEAAh4BAheAAhkBFiEE6xFPXmwNwrzdGDVQpLYaLcWSNxAFAmN4pwNBFIAAAAAA
+EAAocHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vY29kZWJlcmcub3JnL2Zvcmdlam8v
+Z2l0ZWFfcHJvb2YxFIAAAAAAEAAYcHJvb2ZAYXJpYWRuZS5pZGRuczpmb3JnZWpv
+Lm9yZz90eXBlPVRYVAAKCRCkthotxZI3EDVfAQCX3Bwc7JFu/JSVSXkMAiO9KqKz
+oQv0FKfNI4zc7OZTuwEAro2IK2nt72W/+O+rHMDN97n0qQYLjcEy2wiOguYPPgfC
+dQQQFggAHRYhBD3JQbKWDZMPhcHxD2Hhmc0+gu5GBQJjkUDQAAoJEGHhmc0+gu5G
+/noA/2Nhnj9ec6GFil+yzfcaf2JYZnTkOYuhxhHhLVVDc2u2AQDNClLXyLeOp8YQ
+r3sDEVLIf8IUpmRyhdf5lnR7dOXADc0mRm9yZ2VqbyBSZWxlYXNlcyA8cmVsZWFz
+ZUBmb3JnZWpvLm9yZz7CkAQTFgoAOAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIX
+gBYhBOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJjeKH0AAoJEKS2Gi3FkjcQC5YBAKwC
+GFDDSpX0JwBrzIP8W8ElwHvdBz2XDg8LwyQgr722AP9r01rbFwY4axDxpNj+BUFx
+wD5Fhza1cE3932eTsSOPDsJ1BBAWCAAdFiEEPclBspYNkw+FwfEPYeGZzT6C7kYF
+AmORQNAACgkQYeGZzT6C7kZgCQD9E3NRV6SUBw7IdbIG9w0oUcn/RMsSmTXMAmas
+LO3ilCUBAPVs56RxvNdA5cLJeZwRlqZ10nnJekb2wnQPyohB2GcOzjMEY3UANBYJ
+KwYBBAHaRw8BAQdAKvAs2Ij2RamYUzz4sBgsc2J+4fEwvSMcTp6rPZizRhfCwDUE
+GBYIACYWIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCY3UANAIbAgUJAeEzgACBCRCk
+thotxZI3EHYgBBkWCAAdFiEE98vwIJTnZl4X7WxE44G/PlDVNwcFAmN1ADQACgkQ
+44G/PlDVNwdIlgD+K15nuEec+VTFdP7YY3SxM8Rjg2EtXk007+LM7XQfN9sBAOLj
+BTzIdaaKOpoAkGQ9Th/IphSUOnPYZVO5a6cN+wAM458A/itf3urQehI5SbKtbRqI
+DhqQZQVAcEeG2eQFunuofjDWAQDt/gE5XgTiQgnkTcqAX7GQeE74O/Q5vDtX10Nj
+bzV7D844BGN0/8oSCisGAQQBl1UBBQEBB0CZnRfIHxTVhOF8kdhbe4YJsePyVFi8
+USfuDXy4HgIHRgMBCAfCeAQYFggAIBYhBOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJj
+dP/KAhsMAAoJEKS2Gi3FkjcQdroA/jHFqt7y/r/5zdK4TYYp+5jlOgM5ZI7pNhWh
+tIFbqmx9AQCKSJf2YgPBLNJSL/86vpE9b6IvTE/8ENR/7xYaIA7oAg==
+=urT2
+-----END PGP PUBLIC KEY BLOCK-----

forgejo.service

@@ -0,0 +1,33 @@
+[Unit]
+Description=Forgejo (Beyond coding. We forge.)
+After=network.target
+
+[Service]
+# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
+# LimitNOFILE=524288:524288
+RestartSec=2s
+Type=simple
+User=forgejo
+Group=forgejo
+WorkingDirectory=/var/lib/forgejo/
+ExecStart=/usr/bin/forgejo web --config /etc/forgejo/conf/app.ini
+Restart=always
+Environment=USER=forgejo
+Environment=HOME=/usr/share/forgejo
+Environment=GITEA_WORK_DIR=/var/lib/forgejo
+Environment=GITEA_CUSTOM=/etc/forgejo
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+
+[Install]
+WantedBy=multi-user.target

forgejo.spec

@@ -0,0 +1,237 @@
+#
+# spec file for package forgejo
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if 0%{?suse_version} > 1600
+%bcond_without selinux
+%bcond_without apparmor
+%else
+%if 0%{?suse_version} == 1600
+%bcond_without selinux
+%bcond_with apparmor
+%else
+# Leap & SLE
+%bcond_with selinux
+%bcond_without apparmor
+%endif
+%endif
+Name:           forgejo
+Version:        10.0.1
+Release:        0
+Summary:        Self-hostable forge
+License:        GPL-3.0-or-later
+Group:          Development/Tools/Version Control
+URL:            https://forgejo.org
+Source0:        https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz
+# something is broken with the verification, works fine manually
+#Source1:        https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz.asc
+#Source2:        https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xeb114f5e6c0dc2bcdd183550a4b61a2dc5923710#/%{name}.keyring
+Source3:        package-lock.json
+Source4:        node_modules.spec.inc
+%include        %{_sourcedir}/node_modules.spec.inc
+Source5:        %{name}.service
+Source6:        %{name}.sysusers
+Source7:        %{name}.fc
+Source8:        %{name}.if
+Source9:        %{name}.te
+Source10:       %{name}.apparmor
+Source11:       %{name}.firewalld
+Source99:       get-sources.sh
+Patch0:         custom-app.ini.patch
+Patch1:         dont-strip.patch
+BuildRequires:  golang-packaging
+BuildRequires:  golang(API) = 1.23
+## node >= 20
+%if 0%{?suse_version} == 1500
+BuildRequires:  nodejs-devel-default
+BuildRequires:  npm-default
+%else
+BuildRequires:  nodejs-packaging
+%endif
+BuildRequires:  firewall-macros
+BuildRequires:  firewalld
+BuildRequires:  local-npm-registry
+BuildRequires:  make
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-tools
+Requires:       git-core
+Requires:       git-lfs
+Requires:       (%{name}-apparmor if apparmor-abstractions)
+Requires:       (%{name}-firewalld if firewalld)
+Requires:       (%{name}-selinux if selinux-policy-targeted)
+%if %{with apparmor}
+BuildRequires:  apparmor-abstractions
+BuildRequires:  apparmor-rpm-macros
+BuildRequires:  libapparmor-devel
+%endif
+%if %{with selinux}
+BuildRequires:  checkpolicy
+BuildRequires:  selinux-policy-devel
+%endif
+%{systemd_requires}
+%{sysusers_requires}
+
+%package firewalld
+Summary:        Firewalld profile for %{name}
+BuildArch:      noarch
+
+%description firewalld
+This package adds a firewalld service profile to %{name}
+
+%if %{with apparmor}
+%package apparmor
+Summary:        Apparmor profile for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{version}-%{release}
+
+%description apparmor
+This package adds the Apparmor profile to %{name}
+%endif
+
+%if %{with selinux}
+%package selinux
+Summary:        Selinux support for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{version}-%{release}
+Requires:       selinux-policy-targeted
+
+%description selinux
+This package adds SELinux enforcement to %{name}.
+%endif
+
+%package environment-to-ini
+Summary:        Configuration params via environment variables for %{name}
+Requires:       %{name} = %{version}-%{release}
+
+%description environment-to-ini
+OCI Container users can change arbitrary configuration
+via environment variables with this tool
+
+Forgejo needs to use an ini file for configuration because the running
+environment that starts the OCI container may not be the same as that used
+by the hooks. An ini file also gives a good default and means that
+users do not have to completely provide a full environment.
+
+%description
+Providing Git hosting for your project, friends, company or community? Forgejo
+(/for'd͡ʒe.jo/ inspired by forĝejo – the Esperanto word for forge) has you
+covered with its intuitive interface, light and easy hosting and a lot of
+builtin functionality.
+
+%prep
+%autosetup -p1 -n %{name}-src-%{version}
+local-npm-registry %{_sourcedir} install --also=dev
+
+%build
+%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
+export TAGS="bindata timetzdata sqlite sqlite_unlock_notify"
+export EXTRA_GOFLAGS="-buildmode=pie -mod=vendor"
+%make_build build
+go build ${EXTRA_GOFLAGS} -o contrib/environment-to-ini/environment-to-ini contrib/environment-to-ini/environment-to-ini.go
+
+%install
+install -d %{buildroot}%{_bindir}
+install -d %{buildroot}%{_datadir}/%{name}
+install -d %{buildroot}%{_datadir}/%{name}/{conf,https,mailer}
+install -Dm0755 contrib/environment-to-ini/environment-to-ini %{buildroot}%{_bindir}
+ln -s %{name} %{buildroot}%{_bindir}/gitea
+install -d %{buildroot}%{_sharedstatedir}/%{name}/{data,https,indexers,queues,repositories}
+install -d %{buildroot}%{_sysconfdir}/%{name}
+install -d %{buildroot}%{_localstatedir}/log/%{name}
+install -D -m 0644 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
+install -D -m 0755 %{_builddir}/%{name}-src-%{version}/gitea %{buildroot}%{_bindir}/%{name}
+install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/%{name}.service
+install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
+
+%if %{with apparmor}
+install -d %{buildroot}%{_sysconfdir}/apparmor.d
+install -Dm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
+%endif
+
+%if %{with selinux}
+cd %{_sourcedir}
+make -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+install -Dm0644 %{name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{name}.pp
+install -Dm0644 %{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
+#firewalld service file
+install -D -m 0644 %{SOURCE11} %{buildroot}%{_prefix}/lib/firewalld/services/%{name}.xml
+
+%pre -f %{name}.pre
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+
+%post firewalld
+%firewalld_reload
+
+%if %{with apparmor}
+%post apparmor
+%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{name}
+%endif
+
+%if %{with selinux}
+%post selinux
+semodule -i %{_datadir}/selinux/packages/%{name}/%{name}.pp 2>/dev/null || :
+
+%preun selinux
+semodule -r %{name} 2>/dev/null || :
+%endif
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%files
+%license LICENSE
+%doc README.md RELEASE-NOTES.md CONTRIBUTING.md
+%{_unitdir}/%{name}.service
+%{_bindir}/%{name}
+%{_bindir}/gitea
+%defattr(0660,root,forgejo,770)
+%{_localstatedir}/log/%{name}
+%defattr(0660,forgejo,forgejo,750)
+%config(noreplace) %{_sysconfdir}/%{name}/conf/app.ini
+%{_sysconfdir}/%{name}
+%{_datadir}/%{name}
+%{_sharedstatedir}/%{name}
+%{_sysusersdir}/%{name}.conf
+
+%if %{with apparmor}
+%files apparmor
+%dir %{_sysconfdir}/apparmor.d
+%config %{_sysconfdir}/apparmor.d/usr.bin.%{name}
+%endif
+
+%if %{with selinux}
+%files selinux
+%dir %{_datadir}/selinux/devel/include/distributed
+%{_datadir}/selinux/packages/%{name}
+%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
+%files firewalld
+%{_prefix}/lib/firewalld/services/%{name}.xml
+
+%files environment-to-ini
+%{_bindir}/environment-to-ini
+
+%changelog

forgejo.sysusers

@@ -0,0 +1,3 @@
+# Type 	Name ID GECOS [HOME] Shell
+g forgejo - - -
+u forgejo - "Forgejo" /var/lib/forgejo /usr/bin/bash

forgejo.te

@@ -0,0 +1,41 @@
+policy_module(forgejo, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type forgejo_t;
+type forgejo_exec_t;
+init_daemon_domain(forgejo_t, forgejo_exec_t)
+
+permissive forgejo_t;
+
+type forgejo_log_t;
+logging_log_file(forgejo_log_t)
+
+type forgejo_var_lib_t;
+files_type(forgejo_var_lib_t)
+
+########################################
+#
+# forgejo local policy
+#
+allow forgejo_t self:fifo_file rw_fifo_file_perms;
+allow forgejo_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
+manage_files_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
+manage_lnk_files_pattern(forgejo_t, forgejo_log_t, forgejo_log_t)
+logging_log_filetrans(forgejo_t, forgejo_log_t, { dir file lnk_file })
+
+manage_dirs_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
+manage_files_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
+manage_lnk_files_pattern(forgejo_t, forgejo_var_lib_t, forgejo_var_lib_t)
+files_var_lib_filetrans(forgejo_t, forgejo_var_lib_t, { dir file lnk_file })
+
+domain_use_interactive_fds(forgejo_t)
+
+files_read_etc_files(forgejo_t)
+
+miscfiles_read_localization(forgejo_t)

get-sources.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/sh
+
+set -e
+
+if [[ -z "$1" ]]; then
+echo "Please enter the version you want to update to";
+exit 1;
+fi
+
+VERSION="$1"
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "patching spec file and downloading the tarball"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+
+sed -i -e 's|Version: .*|Version:        '${VERSION}'|g' forgejo.spec
+osc service ra download_files
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "extracting package-lock.json"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+
+tar xf forgejo-src-${VERSION}.tar.gz forgejo-src-${VERSION}/package-lock.json
+cp forgejo-src-${VERSION}/package-lock.json .
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "Downloading node_modules"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+
+osc service ra node_modules
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "Cleanup Step"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+
+rm -r forgejo-src-${VERSION}
+rm node_modules.sums
+
+echo "++++++++++++++++++++++++++++++++++++++++++++++"
+echo "Done! Have fun building and testing"
+echo "++++++++++++++++++++++++++++++++++++++++++++++"

node_modules.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dc57741d1c3deeec7d2dca960342eb9cfcc1bf8fd3b7385564bc317e9c44a31d
+size 206754640