Accepting request 1321397 from devel:tools:scm

- Update to version 13.0.3:
  * fix dependency repo perms in Create/RemoveIssueDependency
  * draft releases could be read before being published
  * misconfigured security checks on tag delete web form
  * incorrect logic in "Update PR" did not enforce head branch protection rules
    correctly
  * issue owner can delete another user's comment's edit history on same issue
  * tag protection rules can be bypassed during tag delete operation
  * fix: support git clone when /tmp has noexec
  * fix: get new session from enginegroup instead of masterengine
  * fix: endless redirection loop between /user/settings/change_password and
    /user/settings/security
  * fix(alt): handle package names with dots in ALT repository
  * fix: pull request review comment position
  * fix: less restrictive matrix room_id pattern
  * fix: add required headers to Pagure migration
  * fix: prevent orgs from being added as members of orgs
  * fix(api): set all hook event types
  * fix: don't show ConEmu OSC escape sequences
  * fix: set tag message on tag addition
  * fix: construct project links in timeline better
- remove patches fix-CVE-2025-47911.patch and fix-CVE-2025-58190.patch,
  fixed upstream (forwarded request 1321396 from rrahl0)

OBS-URL: https://build.opensuse.org/request/show/1321397
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/forgejo?expand=0&rev=39

README.SUSE

@@ -0,0 +1,40 @@
+ SUSE Specific Notes
+---------------------
+
+By default the package does not allow writing to `/etc/forgejo/conf/app.ini`.
+This is not a problem during normal runtime. But during the initial setup forgejo
+wants to write to this file. We can temporarily allow it with:
+
+```
+chown -R forgejo: /etc/forgejo/conf/
+```
+
+If apparmor is enabled as well, we need to temporarily allow writing there as well.
+You can check this with:
+
+```
+ps aufxZ | grep '^forgejo'
+forgejo (enforce) ...
+```
+
+If it is running in apparmor use this to allow the temporary permissions:
+
+```
+echo "/etc/forgejo/conf/app.ini rwlk," >> /etc/apparmor.d/local/forgejo
+apparmor_parser -r /etc/apparmor.d/forgejo
+```
+
+Once the initial installation is done you can use this to restore the permissions:
+
+```
+rpm --setugids --setperms forgejo
+```
+
+And remove the line from the `/etc/apparmor.d/local/forgejo`  file again and reload
+the profile with
+
+```
+apparmor_parser -r /etc/apparmor.d/forgejo
+```
+
+

_service

@@ -1,6 +1,10 @@
 <?xml version="1.0" ?>
 <services>
   <service name="download_files" mode="manual" />
+  <service name="extract_file" mode="manual">
+    <param name="archive">forgejo-src-*.tar.gz</param>
+    <param name="files">forgejo-src-*/package-lock.json</param>
+  </service>
   <service name="node_modules" mode="manual">
     <param name="cpio">node_modules.obscpio</param>
     <param name="output">node_modules.spec.inc</param>

custom-app.ini.patch

@@ -1,6 +1,6 @@
-diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patched/custom/conf/app.example.ini
---- forgejo-src-8.0.0/custom/conf/app.example.ini	2024-07-30 06:40:03.000000000 +0200
-+++ forgejo-src-8.0.0-patched/custom/conf/app.example.ini	2024-08-01 20:24:55.972480197 +0200
+diff -rub forgejo-src-10.0.0/custom/conf/app.example.ini forgejo-src-10.0.0-patched/custom/conf/app.example.ini
+--- forgejo-src-10.0.0/custom/conf/app.example.ini	2025-01-16 07:37:10.000000000 +0100
++++ forgejo-src-10.0.0-patched/custom/conf/app.example.ini	2025-01-16 14:05:03.035772154 +0100
 @@ -51,7 +51,7 @@
  ;APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}
  ;;
@@ -10,7 +10,7 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  ;;
  ;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
  ;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
-@@ -284,15 +284,17 @@
+@@ -284,15 +284,15 @@
  ;; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
  ;; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
  ;; Paths are relative to CUSTOM_PATH
@@ -21,39 +21,34 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  ;;
  ;; Root directory containing templates and static files.
  ;; default is the path where Gitea is executed
- ;STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_
+-;STATIC_ROOT_PATH = ; Will default to the built-in value _`StaticRootPath`_
 +STATIC_ROOT_PATH = /usr/share/forgejo
  ;;
  ;; Default path for App data
- ;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
-+APP_DATA_PATH = /var/lib/forgejo/data
+-;APP_DATA_PATH = data ; relative paths will be made absolute with _`AppWorkPath`_
++;APP_DATA_PATH = /var/lib/forgejo/data
  ;;
  ;; Enable gzip compression for runtime-generated content, static resources excluded
  ;ENABLE_GZIP = false
-@@ -304,6 +306,7 @@
+@@ -303,7 +303,7 @@
+ ;ENABLE_PPROF = false
  ;;
  ;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
- ;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
+-;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
 +PPROF_DATA_PATH = /var/lib/forgejo/data/tmp/pprof
  ;;
  ;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
  ;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
-@@ -355,10 +358,10 @@
+@@ -370,7 +370,7 @@
  ;;
- ;; MySQL Configuration
- ;;
--DB_TYPE = mysql
--HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
--NAME = gitea
--USER = root
-+;DB_TYPE = mysql
-+;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+ ;DB_TYPE = mysql
+ ;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+-;NAME = gitea
 +;NAME = forgejo
-+;USER = root
+ ;USER = root
  ;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
  ;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
- ;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
-@@ -369,7 +372,7 @@
+@@ -382,7 +382,7 @@
  ;;
  ;DB_TYPE = postgres
  ;HOST = 127.0.0.1:5432 ; can use socket e.g. /var/run/postgresql/
@@ -62,33 +57,7 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  ;USER = root
  ;PASSWD =
  ;SCHEMA =
-@@ -379,21 +382,10 @@
- ;;
- ;; SQLite Configuration
- ;;
--;DB_TYPE = sqlite3
--;PATH= ; defaults to data/forgejo.db
--;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
--;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
--;;
--;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--;;
--;; MSSQL Configuration
--;;
--;DB_TYPE = mssql
--;HOST = 172.17.0.2:1433
--;NAME = gitea
--;USER = SA
--;PASSWD = MwantsaSecurePassword1
--;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
-+DB_TYPE = sqlite3
-+PATH= /var/lib/forgejo/data/forgejo.db ; defaults to data/forgejo.db
-+SQLITE_TIMEOUT = ; Query timeout defaults to: 500
-+SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
- ;;
- ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
- ;;
-@@ -579,14 +571,14 @@
+@@ -573,14 +573,14 @@
  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  ;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
@@ -105,7 +74,7 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  ;;
  ;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
  LEVEL = Info
-@@ -946,7 +938,7 @@
+@@ -962,7 +962,7 @@
  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  ;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
  ;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
@@ -114,7 +83,7 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  ;;
  ;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
  ;SCRIPT_TYPE = bash
-@@ -1065,7 +1057,7 @@
+@@ -1081,7 +1081,7 @@
  ;ENABLED = true
  ;;
  ;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
@@ -123,42 +92,43 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  ;;
  ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
  ;ALLOWED_TYPES =
-@@ -1444,7 +1436,7 @@
+@@ -1460,7 +1460,7 @@
  ;ISSUE_INDEXER_TYPE = bleve
  ;;
  ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
 -;ISSUE_INDEXER_PATH = indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
-+;ISSUE_INDEXER_PATH = /var/lib/forgejo/indexers/issues.bleve ; Relative paths will be made absolute against _`AppWorkPath`_.
++ISSUE_INDEXER_PATH = /var/lib/forgejo/indexers/issues.bleve
  ;;
  ;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
  ;ISSUE_INDEXER_CONN_STR =
-@@ -1471,7 +1463,7 @@
+@@ -1487,7 +1487,7 @@
  ;REPO_INDEXER_TYPE = bleve
  ;;
  ;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
 -;REPO_INDEXER_PATH = indexers/repos.bleve
-+;REPO_INDEXER_PATH = /var/lib/forgejo/indexers/repos.bleve
++REPO_INDEXER_PATH = /var/lib/forgejo/indexers.bleve
  ;;
  ;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
  ;REPO_INDEXER_CONN_STR =
-@@ -1510,6 +1502,7 @@
+@@ -1525,7 +1525,7 @@
+ ;TYPE = persistable-channel
  ;;
  ;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
- ;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
-+DATADIR = /var/lib/forgejo/queues/
+-;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
++DATADIR = /var/lib/forgejo/queues
  ;;
  ;; Default queue length before a channel queue will block
  ;LENGTH = 100000
-@@ -1852,7 +1845,7 @@
+@@ -1872,7 +1872,7 @@
  ;; file: session file path, e.g. `data/sessions`
  ;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
  ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
 -;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
-+;PROVIDER_CONFIG = /var/lib/forgejo/data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
++PROVIDER_CONFIG = /var/lib/forgejo/data/sessions
  ;;
  ;; Session cookie name
  ;COOKIE_NAME = i_like_gitea
-@@ -1939,7 +1932,7 @@
+@@ -1959,7 +1959,7 @@
  ;;
  ;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
  ;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
@@ -167,7 +137,7 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  ;;
  ;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
  ;MINIO_ENDPOINT = localhost:9000
-@@ -1965,7 +1958,7 @@
+@@ -1985,7 +1985,7 @@
  ;MINIO_LOCATION = us-east-1
  ;;
  ;; Minio base path on the bucket only available when STORAGE_TYPE is `minio`
@@ -176,7 +146,7 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  ;;
  ;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
  ;MINIO_USE_SSL = false
-@@ -2548,10 +2541,10 @@
+@@ -2568,10 +2568,10 @@
  ;;
  ;STORAGE_TYPE = local
  ;; override the minio base path if storage type is minio
@@ -189,7 +159,7 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  ;;
  ;; Maximum count of package versions a single owner can have (`-1` means no limits)
  ;LIMIT_TOTAL_OWNER_COUNT = -1
-@@ -2618,10 +2611,10 @@
+@@ -2640,10 +2640,10 @@
  ;STORAGE_TYPE = local
  ;;
  ;; Where your lfs files reside, default is data/lfs.
@@ -202,7 +172,7 @@ diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patche
  
  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-@@ -2641,10 +2634,10 @@
+@@ -2663,10 +2663,10 @@
  ;STORAGE_TYPE = local
  ;;
  ;; Where your lfs files reside, default is data/lfs.

forgejo-abstraction.apparmor

@@ -0,0 +1,29 @@
+  include <abstractions/base>
+  include <abstractions/mysql>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/user-tmp>
+
+  /usr/bin/forgejo rm,
+
+  /etc/machine-id r,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  @{PROC}/sys/net/core/somaxconn r,
+
+  /etc/forgejo/ r,
+  /etc/forgejo/conf/app.ini r,
+  /etc/forgejo/public/ r,
+  /etc/forgejo/public/** r,
+  /etc/forgejo/{conf,https,mailer}/ r,
+
+  /usr/share/forgejo/** r,
+
+  /usr/lib{,exec}/git/git Px -> forgejo//git,
+  /usr/lib{,exec}/git/git-write-tree Px -> forgejo//git,
+
+  /usr/share/mime/globs2 r,
+  /etc/mime.types r,
+
+  include if exists <forgejo.d/forgejo.d>
+  include if exists <locatl/usr.bin.forgejo>
+  include if exists <local/forgejo>

forgejo-hooks-abstraction.apparmor

@@ -0,0 +1,9 @@
+    include <abstractions/base>
+    include <abstractions/bash>
+    include <abstractions/consoles>
+
+    /usr/bin/bash ix,
+
+    /usr/bin/env      rPx -> forgejo//simple_tool,
+    /usr/bin/cat      rPx -> forgejo//simple_tool,
+    /usr/bin/basename rPx -> forgejo//simple_tool,

forgejo-src-13.0.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2054f0dce0eb8be6e1a8e765d931ee515241e09fe6928ecbb698447c73c11e6f
+size 55923384

forgejo-src-13.0.3.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQQPUnz5Oj0NCSXTxV7QqCAFDhYJ5QUCaSBeUAAKCRDQqCAFDhYJ
+5dmdAQD1i98A1+lm6c4GYczfSsVcanNimulPK9en1IX74Tn4HwD/fJVK5vs9uZTl
+ZGyG+QDvgtNTUOcV+1DpEplRrVFCZwU=
+=OVCU
+-----END PGP SIGNATURE-----

forgejo-src-7.0.5.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:647efd8b70e312e1d8aa349a535bae1c9cce5c095a7a2ebe0d0b0ec84ff1e198
-size 55031691

forgejo-src-7.0.5.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZoWjbAAKCRCkthotxZI3
-EOPsAQDia3FAbVWnztj3h+SqLvI+7faAzVy2IMGsQpOrPuHleAEAsf+PqLn3rzz2
-CWqTPCo4MWRuYUi6ELY3SS4Xug/DgAM=
-=DqT0
------END PGP SIGNATURE-----

forgejo-src-7.0.6.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b33ca271d4d8ecf00ce80d2ee14888d40265ab648b880fd9bb9916bf9e88b15b
-size 53489756

forgejo-src-7.0.6.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZqjZygAKCRCkthotxZI3
-EJmNAP9IiHThCEotiYrOt3YzdOeaEAM3vfLzyf4PN1jWibbiogEAzGyWuho+MH8z
-9TqdaLJIF/T3L62r/TgZ+mlZ0HHkLQM=
-=ExB8
------END PGP SIGNATURE-----

forgejo-src-8.0.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:284b2cc2a609d1766bb61f20cea7c6a9e2a34a9972f243d4962df2a24d15204a
-size 53413049

forgejo-src-8.0.1.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYYFgAKCRCkthotxZI3
-EHz8AP90KeP3zRxXpllCJkXngANdUYN4wajU50u8p73dUY2jWAD/Wn87xN7RbrVd
-0U3wPsUy4Memvg4WYavNWBOEwDtTtww=
-=JG8G
------END PGP SIGNATURE-----

forgejo-src-8.0.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:36929dbc206753f80766ea59b35adaf3cb28ed53fc89ac8640271f8766673546
-size 53459258

forgejo-src-8.0.2.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZtB4+QAKCRCkthotxZI3
-EI/zAQCAYMjC1aNDQi173NnEsZ+6157ZngCPoT9YB3gzzmOaFAD+LQEyZ3PrsrJe
-/d8N+5Wyvj7ymLsUWzyTNpVZOtaNjQM=
-=jAB5
------END PGP SIGNATURE-----

forgejo-src-8.0.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b543532cf01453967c331063639b172600cccd62d815e6815a4f05a25a0b0795
-size 53477625

forgejo-src-8.0.3.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZtsxWAAKCRCkthotxZI3
-EAh8AP90yVVcubO3mXqS/+WHEMdpUTd6jjLt7zMKSX3yHHU2qQEA0p0lql1rQB+Z
-MlThqgELrTiJexK2AbxVadvxRFKBqQc=
-=tHBI
------END PGP SIGNATURE-----

forgejo.apparmor

@@ -2,63 +2,156 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
-  include <abstractions/base>
-  include <abstractions/mysql>
-  include <abstractions/nameservice>
-  include <abstractions/opencl-pocl>
-  include <abstractions/openssl>
-  include <abstractions/user-tmp>
-  include if exists <local/usr.bin.forgejo>
+@{APP_DATADIR} = /var/lib/forgejo
+@{APP_REPOSITORY_DIRS} = @{APP_DATADIR}/data/forgejo-repositories @{APP_DATADIR}/repositories
 
-  network inet stream,
+profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
+  include <abstractions/forgejo>
+
+  network inet  stream,
   network inet6 stream,
 
-  /etc/forgejo/ r,
-  /etc/forgejo/conf/app.ini r,
-  /etc/forgejo/public/ r,
-  /etc/forgejo/public/** r,
-  /etc/forgejo/{conf,https,mailer}/ r,
-  /etc/gitconfig r,
-  /etc/mime.types r,
-  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  /usr/bin/forgejo mr,
-  /usr/bin/git mr,
-  /usr/bin/gzip mr,
-  /usr/bin/{basename,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
-  /usr/libexec/git/git-write-tree mrix,
-  /usr/share/forgejo/** r,
-  /usr/share/forgejo/.gitconfig rw,
-  /usr/share/forgejo/.gitconfig.lock rw,
-  /usr/share/git-core/templates/ r,
-  /usr/share/git-core/templates/** r,
-  /usr/share/mime/globs2 r,
-  /usr/{lib,libexec}/git/git ix,
-  /usr/{lib,libexec}/git/git-remote-http ix,
-  /var/ r,
-  /var/lib/ r,
-  /var/lib/forgejo/ r,
-  /var/lib/forgejo/.local/** rw,
-  /var/lib/forgejo/.ssh/ rw,
-  /var/lib/forgejo/.ssh/* rw,
-  /var/log/forgejo/ rw,
-  /var/log/forgejo/access.log rw,
-  /var/log/forgejo/access.log.* w,
-  /var/log/forgejo/doctors-* rw,
-  @{PROC}/sys/net/core/somaxconn r,
-  owner /etc/forgejo/conf/app.ini w,
-  owner /tmp/forgejo** rwl,
-  owner /tmp/index* rw,
-  owner /tmp/patch* rw,
-  owner /usr/share/forgejo/** rw,
-  owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
-  owner /var/lib/forgejo/data/forgejo-repositories/** rwlk,
-  owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
-  owner /var/lib/forgejo/https/** rwlk,
-  owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
-  owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
-  owner /var/log/forgejo/gitea.log w,
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
+  /usr/bin/forgejo Cx -> forgejo-session-exec,
 
+  signal (send) peer=forgejo//*,
+
+  profile forgejo-session-exec {
+    include <abstractions/forgejo>
+
+    include if exists <forgejo.d/forgejo-session-exec.d>
+    include if exists <local/forgejo-session-exec>
+  }
+
+  profile forgejo-hooks {
+    include <abstractions/forgejo>
+
+    include if exists <forgejo.d/forgejo-hooks.d>
+    include if exists <local/forgejo-hooks>
+  }
+
+  profile git {
+    include <abstractions/base>
+    include <abstractions/nameservice>
+    include <abstractions/openssl>
+    include <abstractions/ssl_certs>
+
+    signal (receive) peer=forgejo,
+
+    /etc/gitconfig r,
+    /usr/lib{,exec}/git/* rmix,
+    /usr/share/git-core/** r,
+
+    /usr/bin/bash Px -> forgejo//git-bash,
+
+    owner @{APP_DATADIR}/data/home/.gitconfig rwlk,
+    owner @{APP_DATADIR}/data/home/.gitconfig.lock rwlk,
+
+    owner @{APP_REPOSITORY_DIRS}/ r,
+    owner @{APP_REPOSITORY_DIRS}/** rwlk,
+
+    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/pre-receive  Px -> forgejo//hooks-pre-receive,
+    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/post-receive Px -> forgejo//hooks-post-receive,
+    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/proc-receive Px -> forgejo//hooks-proc-receive,
+
+    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/update Px -> forgejo//hooks-update,
+
+    owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/ r,
+    owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/** rwlk,
+
+    owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki*/ r,
+    owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki*/** rwlk,
+
+    include if exists <forgejo.d/git.d>
+    include if exists <local/forgejo-git>
+  }
+
+  profile git-bash {
+    include <abstractions/base>
+    include <abstractions/bash>
+    include <abstractions/consoles>
+
+    /usr/bin/bash rm,
+
+    /usr/lib{,exec}/git/git Px -> forgejo//git,
+    /usr/lib{,exec}/git/git-write-tree Px -> forgejo//git,
+  }
+
+  profile hooks-pre-receive {
+    include <abstractions/forgejo-hooks>
+
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive r,
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/ r,
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/gitea Px -> forgejo//hooks-gitea,
+
+    include if exists <forgejo.d/hooks-pre-receive.d>
+    include if exists <local/forgejo-hooks-pre-receive>
+  }
+
+  profile hooks-post-receive {
+    include <abstractions/forgejo-hooks>
+
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive r,
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/ r,
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/gitea Px -> forgejo//hooks-gitea,
+
+    include if exists <forgejo.d/hooks-post-receive.d>
+    include if exists <local/forgejo-hooks-post-receive>
+  }
+
+  profile hooks-proc-receive {
+    include <abstractions/forgejo-hooks>
+
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive r,
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/ r,
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/gitea Px -> forgejo//hooks-gitea,
+
+    include if exists <forgejo.d/hooks-proc-receive.d>
+    include if exists <local/forgejo-hooks-proc-receive>
+  }
+
+  profile hooks-update {
+    include <abstractions/forgejo-hooks>
+
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update r,
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/ r,
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/gitea Px -> forgejo//hooks-gitea,
+
+    include if exists <forgejo.d/hooks-update.d>
+    include if exists <local/forgejo-hooks-update>
+  }
+
+  profile hooks-gitea {
+    include <abstractions/forgejo-hooks>
+
+    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/*.d/gitea r,
+    /usr/bin/forgejo Px -> forgejo//forgejo-hooks,
+  }
+
+  profile simple_tool {
+    include <abstractions/base>
+
+    /usr/bin/env      rm,
+    /usr/bin/cat      rm,
+    /usr/bin/basename rm,
+  }
+
+  owner @{APP_DATADIR}/ r,
+
+  owner @{APP_DATADIR}/data/ r,
+  owner @{APP_DATADIR}/data/** rwlk,
+
+  owner @{APP_DATADIR}/https/ r,
+  owner @{APP_DATADIR}/https/** rwlk,
+
+  owner @{APP_DATADIR}/indexers/ r,
+  owner @{APP_DATADIR}/indexers/** rwlk,
+
+  owner @{APP_DATADIR}/queues/ r,
+  owner @{APP_DATADIR}/queues/** rwlk,
+
+  owner @{APP_REPOSITORY_DIRS}/ r,
+  owner @{APP_REPOSITORY_DIRS}/** rwlk,
+
+  owner /var/log/forgejo/ r,
+  owner /var/log/forgejo/gitea.log* rwlk,
 }

forgejo.keyring

@@ -1,39 +1,64 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Comment: Hostname: 
-Version: Hockeypuck 2.2
+Comment: EB11 4F5E 6C0D C2BC DD18  3550 A4B6 1A2D C592 3710
+Comment: Forgejo <contact@forgejo.org>
+Comment: Forgejo Releases <release@forgejo.org>
 
 xjMEY3T/yhYJKwYBBAHaRw8BAQdAVxqCQrSbpDNrx8CiTM8PUAVqdCyv2UmBDhpP
 HZIpoIDNHUZvcmdlam8gPGNvbnRhY3RAZm9yZ2Vqby5vcmc+wsB+BBMWCgDmAhsD
 BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAhkBFiEE6xFPXmwNwrzdGDVQpLYaLcWS
-NxAFAmN7KZI2FIAAAAAAEAAdcHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vZmxvc3Mu
-c29jaWFsL0Bmb3JnZWpvMRSAAAAAABAAGHByb29mQGFyaWFkbmUuaWRkbnM6Zm9y
-Z2Vqby5vcmc/dHlwZT1UWFRBFIAAAAAAEAAocHJvb2ZAYXJpYWRuZS5pZGh0dHBz
-Oi8vY29kZWJlcmcub3JnL2Zvcmdlam8vZ2l0ZWFfcHJvb2YACgkQpLYaLcWSNxAv
-oQEAsbFLqcqjAoRTKpP++D6s0pZgnekV7W3sz1uumKLLUm4A/RvjfnPaK9XAZHEn
-o0RDksu0xaw673pPmYXWVYQqdVACwsBHBBMWCgCvAhsDBQsJCAcDBRUKCQgLBRYC
-AwEAAh4BAheAAhkBFiEE6xFPXmwNwrzdGDVQpLYaLcWSNxAFAmN4pwNBFIAAAAAA
-EAAocHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vY29kZWJlcmcub3JnL2Zvcmdlam8v
-Z2l0ZWFfcHJvb2YxFIAAAAAAEAAYcHJvb2ZAYXJpYWRuZS5pZGRuczpmb3JnZWpv
-Lm9yZz90eXBlPVRYVAAKCRCkthotxZI3EDVfAQCX3Bwc7JFu/JSVSXkMAiO9KqKz
-oQv0FKfNI4zc7OZTuwEAro2IK2nt72W/+O+rHMDN97n0qQYLjcEy2wiOguYPPgfC
-dQQQFggAHRYhBD3JQbKWDZMPhcHxD2Hhmc0+gu5GBQJjkUDQAAoJEGHhmc0+gu5G
-/noA/2Nhnj9ec6GFil+yzfcaf2JYZnTkOYuhxhHhLVVDc2u2AQDNClLXyLeOp8YQ
-r3sDEVLIf8IUpmRyhdf5lnR7dOXADc0mRm9yZ2VqbyBSZWxlYXNlcyA8cmVsZWFz
-ZUBmb3JnZWpvLm9yZz7CkAQTFgoAOAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIX
-gBYhBOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJjeKH0AAoJEKS2Gi3FkjcQC5YBAKwC
-GFDDSpX0JwBrzIP8W8ElwHvdBz2XDg8LwyQgr722AP9r01rbFwY4axDxpNj+BUFx
-wD5Fhza1cE3932eTsSOPDsJ1BBAWCAAdFiEEPclBspYNkw+FwfEPYeGZzT6C7kYF
-AmORQNAACgkQYeGZzT6C7kZgCQD9E3NRV6SUBw7IdbIG9w0oUcn/RMsSmTXMAmas
-LO3ilCUBAPVs56RxvNdA5cLJeZwRlqZ10nnJekb2wnQPyohB2GcOzjMEY3UANBYJ
-KwYBBAHaRw8BAQdAKvAs2Ij2RamYUzz4sBgsc2J+4fEwvSMcTp6rPZizRhfCwDUE
-GBYIACYWIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCY3UANAIbAgUJAeEzgACBCRCk
-thotxZI3EHYgBBkWCAAdFiEE98vwIJTnZl4X7WxE44G/PlDVNwcFAmN1ADQACgkQ
-44G/PlDVNwdIlgD+K15nuEec+VTFdP7YY3SxM8Rjg2EtXk007+LM7XQfN9sBAOLj
-BTzIdaaKOpoAkGQ9Th/IphSUOnPYZVO5a6cN+wAM458A/itf3urQehI5SbKtbRqI
-DhqQZQVAcEeG2eQFunuofjDWAQDt/gE5XgTiQgnkTcqAX7GQeE74O/Q5vDtX10Nj
-bzV7D844BGN0/8oSCisGAQQBl1UBBQEBB0CZnRfIHxTVhOF8kdhbe4YJsePyVFi8
-USfuDXy4HgIHRgMBCAfCeAQYFggAIBYhBOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJj
-dP/KAhsMAAoJEKS2Gi3FkjcQdroA/jHFqt7y/r/5zdK4TYYp+5jlOgM5ZI7pNhWh
-tIFbqmx9AQCKSJf2YgPBLNJSL/86vpE9b6IvTE/8ENR/7xYaIA7oAg==
-=urT2
+NxAFAmSc08VBFIAAAAAAEAAocHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vY29kZWJl
+cmcub3JnL2Zvcmdlam8vZ2l0ZWFfcHJvb2Y2FIAAAAAAEAAdcHJvb2ZAYXJpYWRu
+ZS5pZGh0dHBzOi8vZmxvc3Muc29jaWFsL0Bmb3JnZWpvMRSAAAAAABAAGHByb29m
+QGFyaWFkbmUuaWRkbnM6Zm9yZ2Vqby5vcmc/dHlwZT1UWFQACgkQpLYaLcWSNxDM
+2wEA6bOel3R25z3YUXL4hI2S8jRkJbOQawq0vgUnYNgS9hcBAK2zq4Zt4ctvSB+x
+TqhR6Zi6aqSD3QrRnUVvV1xZhdkEwsCABBMWCgDoAhsDBQsJCAcDBRUKCQgLBRYC
+AwEAAh4BAheAAhkBFiEE6xFPXmwNwrzdGDVQpLYaLcWSNxAFAmScz7JDFIAAAAAA
+EAAqcHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vY29kZWJlcmcub3JnL2Zvcmdlam8v
+Zm9yZ2Vqb19wcm9vZjYUgAAAAAAQAB1wcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly9m
+bG9zcy5zb2NpYWwvQGZvcmdlam8xFIAAAAAAEAAYcHJvb2ZAYXJpYWRuZS5pZGRu
+czpmb3JnZWpvLm9yZz90eXBlPVRYVAAKCRCkthotxZI3EBJ1AP9UeN1HFGz90r34
+PGrOj1225HfJzdWgamEUkEKEwShcIQD+K/o7sLJM+C/mJXaCixAZgvRd9/rYq27T
+9Y2rTQybSwnCwH4EExYKAOYCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4ACGQEW
+IQTrEU9ebA3CvN0YNVCkthotxZI3EAUCY3spkjYUgAAAAAAQAB1wcm9vZkBhcmlh
+ZG5lLmlkaHR0cHM6Ly9mbG9zcy5zb2NpYWwvQGZvcmdlam8xFIAAAAAAEAAYcHJv
+b2ZAYXJpYWRuZS5pZGRuczpmb3JnZWpvLm9yZz90eXBlPVRYVEEUgAAAAAAQAChw
+cm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9naXRl
+YV9wcm9vZgAKCRCkthotxZI3EC+hAQCxsUupyqMChFMqk/74PqzSlmCd6RXtbezP
+W66YostSbgD9G+N+c9or1cBkcSejREOSy7TFrDrvek+ZhdZVhCp1UALCwEcEExYK
+AK8CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4ACGQEWIQTrEU9ebA3CvN0YNVCk
+thotxZI3EAUCY3inA0EUgAAAAAAQAChwcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly9j
+b2RlYmVyZy5vcmcvZm9yZ2Vqby9naXRlYV9wcm9vZjEUgAAAAAAQABhwcm9vZkBh
+cmlhZG5lLmlkZG5zOmZvcmdlam8ub3JnP3R5cGU9VFhUAAoJEKS2Gi3FkjcQNV8B
+AJfcHBzskW78lJVJeQwCI70qorOhC/QUp80jjNzs5lO7AQCujYgrae3vZb/476sc
+wM33ufSpBguNwTLbCI6C5g8+B80mRm9yZ2VqbyBSZWxlYXNlcyA8cmVsZWFzZUBm
+b3JnZWpvLm9yZz7CkAQTFgoAOAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYh
+BOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJjeKH0AAoJEKS2Gi3FkjcQC5YBAKwCGFDD
+SpX0JwBrzIP8W8ElwHvdBz2XDg8LwyQgr722AP9r01rbFwY4axDxpNj+BUFxwD5F
+hza1cE3932eTsSOPDsKQBBMWCAA4FiEE6xFPXmwNwrzdGDVQpLYaLcWSNxAFAmN4
+k+kCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQpLYaLcWSNxBHrQD+PFo/
+ii8p72HP0KsJbHPGnS/Sk9pFGd16fs1Hd88JHj0A/10XNyGQgwbe+X+K/a97vWW8
+vAzA1EtFIMfCGhIO8EoIzjMEY3UANBYJKwYBBAHaRw8BAQdAKvAs2Ij2RamYUzz4
+sBgsc2J+4fEwvSMcTp6rPZizRhfCwDUEGBYIACYWIQTrEU9ebA3CvN0YNVCkthot
+xZI3EAUCY3UANAIbAgUJAeEzgACBCRCkthotxZI3EHYgBBkWCAAdFiEE98vwIJTn
+Zl4X7WxE44G/PlDVNwcFAmN1ADQACgkQ44G/PlDVNwdIlgD+K15nuEec+VTFdP7Y
+Y3SxM8Rjg2EtXk007+LM7XQfN9sBAOLjBTzIdaaKOpoAkGQ9Th/IphSUOnPYZVO5
+a6cN+wAM458A/itf3urQehI5SbKtbRqIDhqQZQVAcEeG2eQFunuofjDWAQDt/gE5
+XgTiQgnkTcqAX7GQeE74O/Q5vDtX10NjbzV7D84zBGeOav0WCSsGAQQB2kcPAQEH
+QI2JXHjIx25g9WZHNyjkdUiRBPl5Y1JjjJCPvXM0/9RjwsA1BBgWCAAmFiEE6xFP
+XmwNwrzdGDVQpLYaLcWSNxAFAmeOav0CGwIFCQO1OAAAgQkQpLYaLcWSNxB2IAQZ
+FggAHRYhBA9SfPk6PQ0JJdPFXtCoIAUOFgnlBQJnjmr9AAoJENCoIAUOFgnljUwA
++wSjU/mk4xGIlwzJdPnnNzIsiMeqtuYokbSrOIxXIhP1AP93qtVr+kOu3pDs9JC+
+8CYG0DK1QD1LmlGP59WRGevSCXChAQDy6SCfnfcr5P4fYaz04+Tl0CDUkFOGP+sV
+S/isPTssbAD9H2hKJKEmwuAd2MeFA3Bo3z5rUVWkfAcnv7Oy7u+OWQfOMwRlfHnh
+FgkrBgEEAdpHDwEBB0DGoKPPOOx7rnqT318eykUkMJbk83MhcBqrecOADO3i2sLA
+NQQYFggAJhYhBOsRT15sDcK83Rg1UKS2Gi3FkjcQBQJlfHnhAhsCBQkCx+oAAIEJ
+EKS2Gi3FkjcQdiAEGRYIAB0WIQTfMxnqNtWZwdSmg9SzsfYKxXfyogUCZXx54QAK
+CRCzsfYKxXfyoocRAP48OQpiBTkwC7kLLyuqVlP1t0hBQddr4i4rIV8Ug5tHzwEA
+pl8Q+S4k/ROQS5FOhy7GBC337SncJFJYDD0pTcSecw+J3AEAn4qax72Oyfb0vaPY
+m+WdqsfVBd2Hd2vJIwCjglp55B0BALIJE6nvACcKzTRUj7AQSLGvELGfJfM320xX
+E0ZVBZkKzjgEY3T/yhIKKwYBBAGXVQEFAQEHQJmdF8gfFNWE4XyR2Ft7hgmx4/JU
+WLxRJ+4NfLgeAgdGAwEIB8J4BBgWCAAgFiEE6xFPXmwNwrzdGDVQpLYaLcWSNxAF
+AmN0/8oCGwwACgkQpLYaLcWSNxB2ugD+McWq3vL+v/nN0rhNhin7mOU6Azlkjuk2
+FaG0gVuqbH0BAIpIl/ZiA8Es0lIv/zq+kT1voi9MT/wQ1H/vFhogDugC
+=zbGk
 -----END PGP PUBLIC KEY BLOCK-----

forgejo.service

@@ -13,7 +13,7 @@ WorkingDirectory=/var/lib/forgejo/
 ExecStart=/usr/bin/forgejo web --config /etc/forgejo/conf/app.ini
 Restart=always
 Environment=USER=forgejo
-Environment=HOME=/usr/share/forgejo
+Environment=HOME=/var/lib/forgejo/data/home
 Environment=GITEA_WORK_DIR=/var/lib/forgejo
 Environment=GITEA_CUSTOM=/etc/forgejo
 # added automatically, for details please see

forgejo.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package forgejo
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,43 +16,39 @@
 #
 
 
-%if 0%{?suse_version} > 1600
+%if 0%{?suse_version} >= 1600
 %bcond_without selinux
 %bcond_without apparmor
 %else
-%if 0%{?suse_version} == 1600
-%bcond_without selinux
-%bcond_with apparmor
-%else
-# Leap & SLE
+# Leap & SLE 15.X
 %bcond_with selinux
 %bcond_without apparmor
 %endif
-%endif
 Name:           forgejo
-Version:        8.0.3
+Version:        13.0.3
 Release:        0
 Summary:        Self-hostable forge
-License:        MIT
+License:        GPL-3.0-or-later
 Group:          Development/Tools/Version Control
 URL:            https://forgejo.org
-Source0:        https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz
-Source1:        https://codeberg.org/%{name}/%{name}/releases/download/v%{version}/%{name}-src-%{version}.tar.gz.asc
-Source2:        http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xeb114f5e6c0dc2bcdd183550a4b61a2dc5923710#/%{name}.keyring
+Source0:        https://codeberg.org/forgejo/forgejo/releases/download/v%{version}/forgejo-src-%{version}.tar.gz
+Source1:        https://codeberg.org/forgejo/forgejo/releases/download/v%{version}/forgejo-src-%{version}.tar.gz.asc
+Source2:        https://keys.openpgp.org/vks/v1/by-fingerprint/EB114F5E6C0DC2BCDD183550A4B61A2DC5923710#/forgejo.keyring
 Source3:        package-lock.json
 Source4:        node_modules.spec.inc
 %include        %{_sourcedir}/node_modules.spec.inc
-Source5:        %{name}.service
-Source6:        %{name}.sysusers
-Source7:        %{name}.fc
-Source8:        %{name}.if
-Source9:        %{name}.te
-Source10:       %{name}.apparmor
-Source11:       %{name}.firewalld
-Source99:       get-sources.sh
+Source5:        forgejo.service
+Source6:        forgejo.sysusers
+Source7:        forgejo.fc
+Source8:        forgejo.if
+Source9:        forgejo.te
+Source10:       forgejo.apparmor
+Source11:       forgejo.firewalld
+Source12:       forgejo-abstraction.apparmor
+Source13:       forgejo-hooks-abstraction.apparmor
+Source99:       README.SUSE
 Patch0:         custom-app.ini.patch
-BuildRequires:  golang-packaging
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) >= 1.25
 ## node >= 20
 %if 0%{?suse_version} == 1500
 BuildRequires:  nodejs-devel-default
@@ -60,6 +56,7 @@ BuildRequires:  npm-default
 %else
 BuildRequires:  nodejs-packaging
 %endif
+BuildRequires:  fdupes
 BuildRequires:  firewall-macros
 BuildRequires:  firewalld
 BuildRequires:  local-npm-registry
@@ -68,9 +65,10 @@ BuildRequires:  systemd-rpm-macros
 BuildRequires:  sysuser-tools
 Requires:       git-core
 Requires:       git-lfs
-Requires:       (%{name}-apparmor if apparmor-abstractions)
-Requires:       (%{name}-firewalld if firewalld)
-Requires:       (%{name}-selinux if selinux-policy-targeted)
+Requires:       (forgejo-apparmor if apparmor-abstractions)
+Requires:       (forgejo-firewalld if firewalld)
+Requires:       (forgejo-selinux if selinux-policy-targeted)
+Conflicts:      forgejo-longterm
 %if %{with apparmor}
 BuildRequires:  apparmor-abstractions
 BuildRequires:  apparmor-rpm-macros
@@ -86,6 +84,7 @@ BuildRequires:  selinux-policy-devel
 %package firewalld
 Summary:        Firewalld profile for %{name}
 BuildArch:      noarch
+Conflicts:      forgejo-longterm-firewalld
 
 %description firewalld
 This package adds a firewalld service profile to %{name}
@@ -94,6 +93,7 @@ This package adds a firewalld service profile to %{name}
 %package apparmor
 Summary:        Apparmor profile for %{name}
 BuildArch:      noarch
+Conflicts:      forgejo-longterm-apparmor
 Requires:       %{name} = %{version}-%{release}
 
 %description apparmor
@@ -104,6 +104,7 @@ This package adds the Apparmor profile to %{name}
 %package selinux
 Summary:        Selinux support for %{name}
 BuildArch:      noarch
+Conflicts:      forgejo-longterm-selinux
 Requires:       %{name} = %{version}-%{release}
 Requires:       selinux-policy-targeted
 
@@ -111,109 +112,165 @@ Requires:       selinux-policy-targeted
 This package adds SELinux enforcement to %{name}.
 %endif
 
+%package environment-to-ini
+Summary:        Configuration params via environment variables for %{name}
+Conflicts:      forgejo-longterm-environment-to-ini
+Requires:       %{name} = %{version}-%{release}
+
+%description environment-to-ini
+OCI Container users can change arbitrary configuration
+via environment variables with this tool
+
+Forgejo needs to use an ini file for configuration because the running
+environment that starts the OCI container may not be the same as that used
+by the hooks. An ini file also gives a good default and means that
+users do not have to completely provide a full environment.
+
 %description
-Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo
-– the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of builtin functionality.
+Providing Git hosting for your project, friends, company or community? Forgejo
+(/for'd͡ʒe.jo/ inspired by forĝejo – the Esperanto word for forge) has you
+covered with its intuitive interface, light and easy hosting and a lot of
+builtin functionality.
 
 %prep
-%autosetup -p1 -n %{name}-src-%{version}
-local-npm-registry %{_sourcedir} install --also=dev
+%autosetup -p1 -n forgejo-src-%{version}
+local-npm-registry %{_sourcedir} install --include=dev --legacy-peer-deps
+cp %{SOURCE99} .
 
 %build
-%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
+%sysusers_generate_pre %{SOURCE6} forgejo forgejo.conf
+export TAGS="timetzdata sqlite sqlite_unlock_notify"
 export EXTRA_GOFLAGS="-buildmode=pie -mod=vendor"
-export TAGS="bindata timetzdata sqlite sqlite_unlock_notify"
-%make_build build
+STRIP=0 %make_build build
+go build ${EXTRA_GOFLAGS} -o contrib/environment-to-ini/environment-to-ini contrib/environment-to-ini/environment-to-ini.go
 
 %install
-install -d %{buildroot}%{_bindir}
-install -d %{buildroot}%{_datadir}/%{name}
-install -d %{buildroot}%{_datadir}/%{name}/{conf,https,mailer}
-ln -s %{name} %{buildroot}%{_bindir}/gitea
-install -d %{buildroot}%{_sharedstatedir}/%{name}/{data,https,indexers,queues,repositories}
-install -d %{buildroot}%{_sysconfdir}/%{name}
-install -d %{buildroot}%{_localstatedir}/log/%{name}
-install -D -m 0644 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
-install -D -m 0755 %{_builddir}/%{name}-src-%{version}/gitea %{buildroot}%{_bindir}/%{name}
-install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/%{name}.service
-install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -d -D \
+  %{buildroot}%{_bindir} %{buildroot}%{_datadir}/forgejo/{conf,https,mailer}
+
+cp -r options %{buildroot}%{_datadir}/forgejo/
+cp -r public %{buildroot}%{_datadir}/forgejo/
+cp -r templates %{buildroot}%{_datadir}/forgejo/
+
+install -d -m 0750 \
+  %{buildroot}%{_sharedstatedir}/forgejo/{data,https,indexers,queues,repositories} \
+  %{buildroot}%{_sharedstatedir}/forgejo/data/home/.ssh \
+  %{buildroot}%{_sysconfdir}/forgejo \
+  %{buildroot}%{_localstatedir}/log/forgejo
+
+install -D -m 0755 contrib/environment-to-ini/environment-to-ini %{buildroot}%{_bindir}
+install -D -m 0755 %{_builddir}/forgejo-src-%{version}/gitea     %{buildroot}%{_bindir}/forgejo
+ln -s forgejo %{buildroot}%{_bindir}/gitea
+
+install -D -m 0640 %{_builddir}/forgejo-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/forgejo/conf/app.ini
+
+install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/forgejo.service
+install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/forgejo.conf
 
 %if %{with apparmor}
-install -d %{buildroot}%{_sysconfdir}/apparmor.d
-install -Dm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
+install -D -d \
+  %{buildroot}%{_sysconfdir}/apparmor.d/abstractions \
+  %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d \
+  %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/forgejo-session-exec.d \
+  %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/forgejo-hooks.d \
+  %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/git.d \
+  %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/hooks-pre-receive.d \
+  %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/hooks-post-receive.d \
+  %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/hooks-proc-receive.d \
+  %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/hooks-update.d \
+  %{buildroot}%{_sysconfdir}/apparmor.d/forgejo.d/forgejo.d
+
+install -Dm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/forgejo
+install -Dm0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/forgejo
+install -Dm0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/forgejo-hooks
 %endif
 
 %if %{with selinux}
 cd %{_sourcedir}
-make -f %{_datadir}/selinux/devel/Makefile %{name}.pp
-install -Dm0644 %{name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{name}.pp
-install -Dm0644 %{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+make -f %{_datadir}/selinux/devel/Makefile forgejo.pp
+install -Dm0644 forgejo.pp %{buildroot}%{_datadir}/selinux/packages/forgejo/forgejo.pp
+install -Dm0644 forgejo.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/forgejo.if
 %endif
 
 #firewalld service file
-install -D -m 0644 %{SOURCE11} %{buildroot}%{_prefix}/lib/firewalld/services/%{name}.xml
+install -D -m 0644 %{SOURCE11} %{buildroot}%{_prefix}/lib/firewalld/services/forgejo.xml
 
-%pre -f %{name}.pre
-%service_add_pre %{name}.service
+%fdupes %{buildroot}
+
+%pre -f forgejo.pre
+%service_add_pre forgejo.service
 
 %post
-%service_add_post %{name}.service
+if [ -e %{_datadir}/forgejo/.ssh/authorized_keys ] ; then
+  mv %{_datadir}/forgejo/.ssh/authorized_keys %{_sharedstatedir}/forgejo/data/home/.ssh/authorized_keys
+fi
+%service_add_post forgejo.service
 
 %post firewalld
 %firewalld_reload
 
 %if %{with apparmor}
 %post apparmor
-%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{name}
+%apparmor_reload %{_sysconfdir}/apparmor.d/forgejo
 %endif
 
 %if %{with selinux}
 %post selinux
-semodule -i %{_datadir}/selinux/packages/%{name}/%{name}.pp 2>/dev/null || :
+semodule -i %{_datadir}/selinux/packages/forgejo/forgejo.pp 2>/dev/null || :
 
 %preun selinux
-semodule -r %{name} 2>/dev/null || :
+semodule -r forgejo 2>/dev/null || :
 %endif
 
 %preun
-%service_del_preun %{name}.service
+%service_del_preun forgejo.service
 
 %postun
-%service_del_postun %{name}.service
-
-%check
-#as of now, broken
-#%%make_build test
+%service_del_postun forgejo.service
 
 %files
 %license LICENSE
-%doc README.md RELEASE-NOTES.md CONTRIBUTING.md
-%{_unitdir}/%{name}.service
-%{_bindir}/%{name}
+%doc README.md RELEASE-NOTES.md CONTRIBUTING.md README.SUSE
+%{_bindir}/forgejo
 %{_bindir}/gitea
-%defattr(0660,root,forgejo,770)
-%{_localstatedir}/log/%{name}
-%defattr(0660,forgejo,forgejo,750)
-%config(noreplace) %{_sysconfdir}/%{name}/conf/app.ini
-%{_sysconfdir}/%{name}
-%{_datadir}/%{name}
-%{_sharedstatedir}/%{name}
-%{_sysusersdir}/%{name}.conf
+%{_datadir}/forgejo
+%{_sysusersdir}/forgejo.conf
+%{_unitdir}/forgejo.service
+%defattr(0640,root,forgejo,750)
+%config(noreplace) %{_sysconfdir}/forgejo/conf/app.ini
+%dir %{_sysconfdir}/forgejo
+%dir %{_sysconfdir}/forgejo/conf
+%defattr(0640,forgejo,forgejo,750)
+%{_localstatedir}/log/forgejo
+%{_sharedstatedir}/forgejo
 
 %if %{with apparmor}
 %files apparmor
+%config %{_sysconfdir}/apparmor.d/abstractions/forgejo*
+%config %{_sysconfdir}/apparmor.d/forgejo
 %dir %{_sysconfdir}/apparmor.d
-%config %{_sysconfdir}/apparmor.d/usr.bin.%{name}
+%dir %{_sysconfdir}/apparmor.d/forgejo.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/forgejo-hooks.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/forgejo-session-exec.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/forgejo.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/git.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/hooks-post-receive.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/hooks-pre-receive.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/hooks-proc-receive.d
+%dir %{_sysconfdir}/apparmor.d/forgejo.d/hooks-update.d
 %endif
 
 %if %{with selinux}
 %files selinux
 %dir %{_datadir}/selinux/devel/include/distributed
-%{_datadir}/selinux/packages/%{name}
-%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%{_datadir}/selinux/devel/include/distributed/forgejo.if
+%{_datadir}/selinux/packages/forgejo
 %endif
 
 %files firewalld
-%{_prefix}/lib/firewalld/services/%{name}.xml
+%{_prefix}/lib/firewalld/services/forgejo.xml
+
+%files environment-to-ini
+%{_bindir}/environment-to-ini
 
 %changelog

forgejo.sysusers

@@ -1,3 +1,3 @@
 # Type 	Name ID GECOS [HOME] Shell
 g forgejo - - -
-u forgejo - "Forgejo" /var/lib/forgejo /usr/bin/bash
+u forgejo - "Forgejo" /var/lib/forgejo/data/home /usr/bin/bash

get-sources.sh

@@ -1,41 +0,0 @@
-#!/usr/bin/sh
-
-set -e
-
-if [[ -z "$1" ]]; then
-echo "Please enter the version you want to update to";
-exit 1;
-fi
-
-VERSION="$1"
-
-echo "++++++++++++++++++++++++++++++++++++++++++++++"
-echo "patching spec file and downloading the tarball"
-echo "++++++++++++++++++++++++++++++++++++++++++++++"
-
-sed -i -e 's|Version: .*|Version:        '${VERSION}'|g' forgejo.spec
-osc service ra download_files
-
-echo "++++++++++++++++++++++++++++++++++++++++++++++"
-echo "extracting package-lock.json"
-echo "++++++++++++++++++++++++++++++++++++++++++++++"
-
-tar xf forgejo-src-${VERSION}.tar.gz forgejo-src-${VERSION}/package-lock.json
-cp forgejo-src-${VERSION}/package-lock.json .
-
-echo "++++++++++++++++++++++++++++++++++++++++++++++"
-echo "Downloading node_modules"
-echo "++++++++++++++++++++++++++++++++++++++++++++++"
-
-osc service ra node_modules
-
-echo "++++++++++++++++++++++++++++++++++++++++++++++"
-echo "Cleanup Step"
-echo "++++++++++++++++++++++++++++++++++++++++++++++"
-
-rm -r forgejo-src-${VERSION}
-rm node_modules.sums
-
-echo "++++++++++++++++++++++++++++++++++++++++++++++"
-echo "Done! Have fun building and testing"
-echo "++++++++++++++++++++++++++++++++++++++++++++++"

node_modules.obscpio

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:dd1ad2428c1b1e75e403b81f397718994274d5f918e686ab3cf7b58386f4afb7
-size 276615400
+oid sha256:9cd6d5ed1646acdff4ba148607dc8a7d631d9db8d27e79bafe2928a87a881b67
+size 355043868