- Nov 21, 2025
- Parsed from source:Nov 21, 2025
- Detected by Releasebot:Jan 8, 2026
v11.0.8 released on 21 November 2025
LTS release supported until 16 July 2026
Announcements for 11.x
- Forgejo v11.0 is available
- Nov 21, 2025
- Parsed from source:Nov 21, 2025
- Detected by Releasebot:Jan 8, 2026
v13.0.3 released on 21 November 2025
Stable release supported until 15 January 2026
Announcements for 13.x:
- Forgejo v13.0 is available
- Oct 16, 2025
- Parsed from source:Oct 16, 2025
- Detected by Releasebot:Jan 8, 2026
Forgejo v13.0 is available
Forgejo v13.0 launches with stronger security, enhanced moderation tooling, and smarter Actions. Highlights include instance-wide 2FA enforcement, abuse reporting, static workflow checks, and improved CI visibility plus EXIF privacy for avatars and Pagure migration path.
Forgejo v13.0 release notes
Forgejo v13.0 was released on 16 October 2025. You will find a short selection of the changes it introduces below and a complete list in the release notes.
A dedicated test instance is available to try it out. Before upgrading it is strongly recommended to make a full backup as explained in the upgrade guide and carefully read all breaking changes from the release notes. If in doubt, do not hesitate to ask for help in the chat room.
Summary
Content moderation is one of the main roadblocks for federation. A first step is now available to users and admins. It was completed while ActivityPub related pull requests were worked on in parallel and merged.
Security was improved under the hood: Forgejo Actions secrets now use a more secure module that was introduced in 2024 and has already been in use for TOTP secrets since Forgejo v10. In addition it is now possible to require 2FA instance wide.
Forgejo Actions usability was improved with access to all run attempts of each workflow: they were stored but not available via the web UI. The workflow files are now statically checked, for early detection of errors such as the usage of a wrong context in an expression like ${{ forgejo.server_url }}.
Reporting abusive content
Moderation on a public Forgejo instance is a hard and time-consuming task as there are no builtin tools to help with this. Although self-moderation allows users with no elevated privileges to block abusive behavior, it is sometimes necessary to get an instance administrator involved.
It is now possible to report users, organizations, repositories, issues, pull requests or comments that should be looked at by instance administrators. A category and an explanation of why the content is problematic must be attached.
Those reports are then made available in the admin interface.
When multiple reports are submitted for the same content, they are grouped and the counter from the right side shows how many open reports are linked to that content. Clicking on this counter will open a details page where the full details of all grouped reports can be viewed.
Migration from Pagure
Repositories from Pagure can be migrated to Forgejo. It can be used, for instance, in the context of the transition of Fedora from Pagure to Forgejo that was decided in December 2024.
Configurable global 2FA enforcement
The [security].GLOBAL_TWO_FACTOR_REQUIREMENT setting was added to require two factor authentication (TOTP, etc.) for either all users or instance administrators.
Avatar image privacy
Uploaded avatar images can sometimes contain unexpected metadata such as the location where the image was created, or the device the image was created with, stored in a format called EXIF. Forgejo now removes EXIF data when custom user and repository images are uploaded in order to reduce the risk of personally identifiable information being leaked unexpectedly.
A new CLI subcommand forgejo doctor avatar-strip-exif can be used to strip EXIF information from all existing avatars; we recommend that administrators run this command once after upgrade in order to minimize this risk for existing stored files.
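To make the EXIF removal concrete, the following added example (not Forgejo's own code, and limited to JPEG files as an assumption) walks the JPEG segment list and drops every APP1 segment whose payload starts with the EXIF header. The sample image is a constructed segment sequence, and all function names are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrNotJPEG   = errors.New("not a JPEG: missing SOI marker")
	ErrMalformed = errors.New("malformed JPEG segment structure")
	exifHeader   = []byte("Exif\x00\x00") // identifies an EXIF payload inside APP1
)

// StripExifJPEG copies a JPEG and drops every APP1 segment that carries EXIF.
// It returns the cleaned bytes and the number of segments removed.
// Anything it cannot parse is rejected instead of being passed through.
func StripExifJPEG(in []byte) ([]byte, int, error) {
	if len(in) < 2 || in[0] != 0xFF || in[1] != 0xD8 {
		return nil, 0, ErrNotJPEG
	}
	out := append([]byte{}, in[:2]...)
	removed := 0
	pos := 2
	for pos+4 <= len(in) {
		if in[pos] != 0xFF {
			return nil, 0, ErrMalformed
		}
		marker := in[pos+1]
		if marker == 0xDA {
			// Start of scan: everything after it is compressed image data.
			return append(out, in[pos:]...), removed, nil
		}
		// The length field counts its own two bytes but not the marker.
		segLen := int(binary.BigEndian.Uint16(in[pos+2 : pos+4]))
		end := pos + 2 + segLen
		if segLen < 2 || end > len(in) {
			return nil, 0, ErrMalformed
		}
		if marker == 0xE1 && bytes.HasPrefix(in[pos+4:end], exifHeader) {
			removed++ // skip the EXIF segment
		} else {
			out = append(out, in[pos:end]...)
		}
		pos = end
	}
	return nil, 0, ErrMalformed // ran out of data before the scan started
}

// segment builds one marker segment; used only to construct the sample below.
func segment(marker byte, payload []byte) []byte {
	b := []byte{0xFF, marker, 0, 0}
	binary.BigEndian.PutUint16(b[2:], uint16(len(payload)+2))
	return append(b, payload...)
}

// SampleJPEG is a constructed segment sequence (not a viewable picture):
// SOI, APP0/JFIF, APP1/EXIF with a made-up payload, SOS, scan bytes, EOI.
func SampleJPEG() []byte {
	exif := append([]byte("Exif\x00\x00"), []byte("constructed GPS and camera tags")...)
	var b []byte
	b = append(b, 0xFF, 0xD8)
	b = append(b, segment(0xE0, []byte("JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00"))...)
	b = append(b, segment(0xE1, exif)...)
	b = append(b, segment(0xDA, []byte{0x01, 0x01, 0x00, 0x00, 0x3F, 0x00})...)
	b = append(b, 0x12, 0x34, 0x56, 0xFF, 0xD9)
	return b
}

func main() {
	in := SampleJPEG()
	clean, n, err := StripExifJPEG(in)
	fmt.Println("bytes in:", len(in), "bytes out:", len(clean), "EXIF segments removed:", n, "err:", err)
}
```

Running the same function over stored avatars after the upgrade and checking that it removes zero segments is one way to confirm that no EXIF data remains in JPEG files.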
View previous Forgejo Actions attempts
It is now possible to view previous logs for Actions runs that have been retried.
Static check of Actions workflow files
Forgejo Actions workflows are statically verified in the web UI for common errors such as using an incorrect context (e.g. ${{ badcontext.FORGEJO_REPOSITORY }}) or a typo in a required keyword (e.g. ruins-on: instead of runs-on:). Errors are reported in the action page and the web page that displays the file in the repository.
This is in addition to similar tooling provided by the Forgejo runner itself and helps detect errors as soon as possible.
Show CI status on force push
When force-pushing to a pull request, a line is added to the conversation view to compare the two. However, the CI status of commits in such a line was hidden behind an additional click. It is now displayed next to the SHA of each commit, similar to commits from normal pushes.
Markdown editor bold & italic keyboard shortcuts
Keyboard shortcuts were implemented in the markdown editor for formatting features Bold and Italic so that they can be used more quickly. Behavior of using shortcuts is the same as clicking the buttons.
Timestamps on release attachments
The time when a release attachment was uploaded is now shown among other information about it.
Tags are shown in commit lists
When viewing a repository’s commits, tags are now shown next to the commits they are associated with.
Logger mode settings LOGGER__MODE
The logger settings were renamed from logger..MODE to LOGGER__MODE to help setting them with environment variables when using a container image. For instance:
docker run --rm -e FORGEJO__log__LOGGER_ACCESS_MODE=file ... codeberg.org/forgejo/forgejo:13
Configuration files using logger..MODE are still supported but they are no longer documented. This change is especially useful when the name of the setting goes through various transformations that convert lowercase to uppercase, such as the Forgejo helm chart.
Release schedule and Long Term Support
The time based release schedule was established to publish a release every three months. Patch releases will be published more frequently, depending on the severity of the bug or security fixes they contain.
Version | Release date | End Of Life
11.0 (LTS) | 16 April 2025 | 16 July 2026
13.0 | 16 October 2025 | 15 January 2026
14.0 | 15 January 2026 | 16 April 2026
13.0-test daily releases
Releases are built daily from the latest changes found in the v13.0/forgejo development branch. They are deployed to the https://v13.next.forgejo.org instance for manual verification in case a bug fix is of particular interest ahead of the next patch release. It can also be installed locally with:
- OCI images: root and rootless
- Binaries
Their names are staying the same but they are replaced by new builds every day.
Get Forgejo v13.0
See the download page for instructions on how to install Forgejo, and read the release notes for more information.
Upgrading
Carefully read the breaking bug fixes section of the release notes.
The actual upgrade process is as simple as replacing the binary or container image with the corresponding Forgejo binary or container image. If you’re using the container images, you can use the 13.0 tag to stay up to date with the latest 13.0.Y patch release automatically.
Make sure to check the Forgejo upgrade documentation for recommendations on how to properly backup your instance before the upgrade.
Contribute to Forgejo
If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in the issue tracker for feature requests or bug reports, reach out on the Fediverse, or drop into the Matrix space (main chat room) and say hi!
Donate
Forgejo is proud to be funded transparently. Additionally, it accepts donations through Liberapay. It is also possible to donate to Codeberg e.V. in case the Liberapay option does not work out for you, and part of the funding is used to compensate for work on Forgejo.
However, the Liberapay team allows for money to go directly to developers without a round-trip to Codeberg. Additionally, Liberapay allows for a steady and reliable funding stream next to other options, a crucial aspect for the project. The distribution of funds through Liberapay is transparently controlled using the decision-making process, and Forgejo contributors are encouraged to consider applying to benefit from this funding opportunity.
Thank you for using Forgejo and considering a donation, in case your financial situation allows you to.
- Jul 17, 2025
- Parsed from source:Jul 17, 2025
- Detected by Releasebot:Jan 8, 2026
Forgejo v12.0 is available
Forgejo v12.0 lands with a major UX refresh, faster PR reviews and conflict checks, SSH signing option, new API endpoints, smarter Actions notifications, and security/infra upgrades like robots.txt defaults and Alpine 3.22 images. A bold release signaling ongoing OSS momentum.
Forgejo v12.0 release notes
Forgejo v12.0 was released on 17 July 2025. You will find a short selection of the changes it introduces below and a complete list in the release notes.
A dedicated test instance is available to try it out. Before upgrading it is strongly recommended to make a full backup as explained in the upgrade guide and carefully read all breaking changes from the release notes. If in doubt, do not hesitate to ask for help on the Fediverse, or in the chat room.
This release marks the Forgejo v7.0 LTS series as End of Life. Forgejo v11.0 was published three months ago and will be supported until 15 July 2026, when Forgejo v16.0 is published. Admins of Forgejo instances with version v7.0 are recommended to upgrade to v11.0 as soon as possible as only it and v12.0 will receive security patches from now on.
Summary
User research and design is where Forgejo User eXperience (UX) and User Interface (UI) are discussed and improved. It is not about mimicking other forges but observing what users do and improving accordingly. For instance:
- Most Forgejo users have visited their profile page at least once and some may use it as their landing page. It is in constant need of improvement while minimizing the impact on habits that users developed over time. The redesign of the user profile was done in that spirit. It adds more actions while also making better use of the available space.
- There are a number of hidden features in Forgejo that only few people actually use because their UX is not good enough. The ability to review pull requests one commit at a time was among them and it was made easier to discover and more convenient to use.
- Forgejo Actions may be used to schedule jobs that run daily, just like cron. But failures could go unnoticed for a long time, waiting for a user to visit the actions page. By adding an option to the workflow, an email notification can now be sent when a job fails.
In large part because Forgejo is used at scale by Codeberg, performance issues are discovered that are not easily detected on smaller instances. For instance, each open pull request is checked for conflict every time a new commit is pushed to the target branch, blocking the ability to merge them. This I/O intensive and time consuming step is optimized, saving resources and allowing faster merges.
Forgejo security features rely on a mixture of OpenPGP and SSH. Since SSH is more widely known, Forgejo is gradually implementing alternatives using SSH for tasks that previously required OpenPGP. In this release it is now possible to use SSH instead of OpenPGP for instance signing.
Excessive crawling is a recurring chore for all Forgejo instances, large and small. A robots.txt file is included by default to reduce the impact of crawlers by letting them know which URLs should be avoided.
Improved UX for per-commit reviews
When a pull request has a well organized series of commits, it may be convenient for the reviewer to focus on each of them individually instead of using the larger diff that shows all of them at once. It is already possible in Forgejo but it is also one of the lesser known features, in part because it was inconvenient to use and discover. This was improved as follows:
- The new next (“Next”) and previous (“Prev”) buttons can be used to navigate the list of commits which is more convenient than using the pull down menu.
- The review button (“Finish Review”) can be accessed from the per-commit review page instead of being inactive.
- The links in the pull request pages (conversation and list of commits) lead to the per-commit review page instead of the commit display page, unless they were made redundant by a force push.
- The commit message is now displayed in the per-commit review page so the reviewer does not need to navigate away to find it.
Keeping forks in sync
If you have a fork and want to keep it synchronized with upstream, the new sync fork feature provides a way to do that. It also indicates whether your fork is behind and/or ahead and by how many commits.
glTF viewer
If you open a glTF model in Forgejo, you will now be able to preview this model in the Forgejo UI without having to download the model and open it in an external tool. Support for previewing other 3D formats is an open issue.
Forgejo Actions email notifications on failure
If a workflow fails, a mail will be sent provided the workflow contains enable-email-notifications: true. The recipient depends on the context:
- Pull requests: the user who opened the pull request.
- Push: the user who pushed the commit.
- Scheduled: the user who owns the repository or the contact email of the organization.
- Dispatch: the user who triggered the dispatch.
UI and UX improvements
- If you try to create a repository and you have hit the limit on the amount of repositories you are allowed to create, it is now clearer which limit you hit.
- The size and dimension constraints of the custom avatar are now shown in the UI. You no longer have to find out about this requirement after failing to upload an avatar.
- Pasting images into the comment editor will now show that image in the ‘dropzone’.
- The user profile has been redesigned. The most notable change is that actions have been moved to a dropdown and several new actions were added.
- The ‘Write’/‘Preview’ switch has been reworked to use the new switch element.
- The migration screen was redesigned to make it more usable and make better use of the available screen space.
Automatically refreshing workflows
Endlessly staring at many workflows in the ‘Actions’ tab to see if they pass is a favorite activity of many developers. Forgejo now refreshes the status of these workflows every 30 seconds so you no longer have to open each workflow in a new tab or wear out your F5 key.
Localized relative time
In many places of the Forgejo UI you will find relative time. The logic of this component was provided by github/relative-time-element. Forgejo encountered two issues with this library: it was not possible to localize the relative time, and in some cases it does not show the correct relative time. This library is now replaced by Forgejo’s own implementation (1, 2) that allows for localized relative time and uses a simpler approach to calculating relative time that does not run into the same bugs the previous library did.
Faster conflict checking
By its nature, Forgejo relies heavily on Git commands to do its job efficiently. Forgejo stores repositories as bare repositories, which means that it is not always possible to use commands that require a working tree. For certain operations a temporary clone is created for the sole purpose of using such Git operations. For large repositories this can end up causing a lot of I/O. One such example was pull request conflict checking, which was reported by a user to cause I/O loads proportional to the number of open pull requests. Upon re-examining the available Git commands, git merge-tree --write-tree was found to allow conflict checking without requiring a working tree. If Forgejo is run with a Git version greater than or equal to 2.38, you will enjoy this improved performance.
API changes
- Two new API endpoints were added to retrieve actions runs of a repository and retrieve specific runs by their ID.
- A new API endpoint was added that is able to retrieve multiple blobs at once. This endpoint was added to help get support for Forgejo in Sveltia CMS.
- Endpoints that return the metadata of a file now also return when the last commit was committed. This change helps GitNex with showing this information in directory listings of a repository, similar to how Forgejo shows that information.
- It is now possible to list packages and retrieve info about a package without a token if the profile is public. This is public information and was not required to be guarded behind a token check.
Redirecting fediverse handles
Forgejo will now transform fediverse handles (ex. @[email protected] and ![email protected]) into links to https://fedirect.toolforge.org, a website hosted by Wikimedia, to redirect fediverse handles to their respective URLs via Webfinger. Forgejo is working on implementing proper federated mentions that will also notify users on other federated services, which the redirection does not do.
Tabs indentations in the comment editor
If you have typed comments and tried to use Tab, you have noticed that it does nothing. This is frustrating, especially if you try to type lists. Tab handling is now implemented in Forgejo to do indentations. A lot of time has been spent to make sure it is accessible and behaves in a consistent and expected way, to address concerns raised last year in a previous implementation.
Relaxing the requirements on email addresses
In response to a security report Gitea restricted the allowed syntax of email addresses in early 2022 and some email addresses could not be used despite being conformant to the RFC. This change has now been reverted and the security issue that would allow for command injection was fixed, thus removing the need for strict requirements on the syntax of email addresses.
Instance signing with SSH
Commits that are created by Forgejo (e.g. file edits and merge commits) can be signed by the Forgejo instance via a GPG key. It is now also possible to use SSH signing instead, which has the unique capability of being done by a TPM via an ssh-agent. In addition, the instance signing documentation was reworded to use clearer language and be easier to read for instance admins.
Removing deprecated API authentication methods
The API has several authentication methods; two of them are now removed after being deprecated in 2023. The two methods would look in the URL query for the access_token and token parameters. Passing authentication via the URL is not secure because the tokens can end up being logged and thus exposed. The methods are now fully removed and there’s no option to enable them again.
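Before upgrading, an administrator may want to know which clients still send tokens in the URL and which tokens already sit in log files. The following added example (not part of Forgejo) scans access log lines for the access_token and token query parameters and masks their values. The log format, the sample lines and all function names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Finding describes one logged request that carried a credential in its URL.
type Finding struct {
	Line   int      // 1-based line number in the log
	Params []string // which of the removed parameters were present
	Target string   // request target with the secret values masked
}

// The two query parameters read by the removed authentication methods.
var tokenParams = []string{"access_token", "token"}

// Assumption: a combined-log-style access log where the request is quoted as
// "METHOD target HTTP/x.y". Adjust the pattern to the reverse proxy's format.
var requestRe = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/[0-9.]+"`)

// FindURLTokens returns one finding per log line whose request target has an
// access_token or token query parameter. Values are masked so that the report
// itself does not become another place where the secret is stored.
func FindURLTokens(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a request line in the assumed format
		}
		u, err := url.ParseRequestURI(m[1])
		if err != nil {
			continue
		}
		q := u.Query()
		var hits []string
		for _, p := range tokenParams {
			if _, ok := q[p]; ok {
				q.Set(p, "REDACTED")
				hits = append(hits, p)
			}
		}
		if len(hits) == 0 {
			continue
		}
		u.RawQuery = q.Encode() // Encode sorts parameters by name
		out = append(out, Finding{Line: i + 1, Params: hits, Target: u.String()})
	}
	return out
}

// SampleLog returns constructed log lines; addresses and token values are made up.
func SampleLog() []string {
	return []string{
		`192.0.2.10 - - [17/Jul/2025:10:00:01 +0000] "GET /api/v1/user?token=0123456789abcdef&page=2 HTTP/1.1" 200 512`,
		// "token" appears only as a search term here, so this is not a finding.
		`192.0.2.11 - - [17/Jul/2025:10:00:02 +0000] "GET /api/v1/repos/search?q=token HTTP/1.1" 200 2048`,
		`192.0.2.12 - - [17/Jul/2025:10:00:03 +0000] "POST /api/v1/user/repos?access_token=fedcba9876543210 HTTP/1.1" 201 128`,
		`192.0.2.13 - - [17/Jul/2025:10:00:04 +0000] "GET /api/v1/version HTTP/1.1" 200 32`,
	}
}

func main() {
	for _, f := range FindURLTokens(SampleLog()) {
		fmt.Printf("line %d: %v in %s\n", f.Line, f.Params, f.Target)
	}
}
```

Any token reported this way has been written to disk in clear text and is a candidate for rotation, and the client that sent it needs to move to another authentication method before the upgrade.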
Default robots.txt
Forgejo instances have in the last several months been hit hard by all sorts of new crawlers. One of the easiest ways that crawlers disrupt Forgejo instances is by navigating to expensive-to-serve endpoints, creating many repo archives and filling disk space, or getting lost in trying many different issue filters. Forgejo now serves a strongly restrictive robots.txt if no robots.txt is set. This should help with reducing the impact of crawlers that respect robots.txt by not navigating to endpoints that can disrupt Forgejo instances.
Forgejo build time optimization
The build process compresses the frontend assets via gzip into the Forgejo binary with vfsgen so that Forgejo can serve these assets. The build process now compresses the frontend assets with Zstd, which is 4x faster than gzip. As an added benefit, assets are now served via Zstd with a fallback to on-the-fly gzip for browsers that do not support Zstd. It also resulted in reducing the Forgejo binary by 2 MiB.
One of Forgejo’s dependencies, specifically go-rpmutils, contained a dependency that is a CGO wrapper around Zstd’s reference library. Although Forgejo did not use this CGO dependency, Go unconditionally compiled it and it took almost as long as compiling the CGO SQLite3 driver. Forgejo now has a fork of go-rpmutils without this CGO dependency, resulting in a shorter build time of Forgejo.
xorm EngineGroup connections for optimized database query routing and load balancing
With this addition, read-only queries are automatically routed to database read-replicas in a load-balanced way, keeping the primary free for writes. Multiple load balancing policies can be selected.
Note: This requires a HA database setup with multiple nodes (at least 3) and only works with Postgres or MySQL.
Reducing the usage of Fomantic
Forgejo uses Fomantic-UI for historical reasons. In many cases it is not needed, does not provide good accessibility and locks components behind a JavaScript requirement that could also have been implemented via CSS and semantic HTML. In this release, there are two changes that reduce the use of Fomantic.
- The module that dims the entire page and displays a modal has been replaced with Forgejo’s own dimming module. This allows browser testing to happen and avoid regressions.
- Fomantic-UI comes with a lot of CSS and Forgejo does not use all of it. Unused font size classes were removed. This reduces the size of the compiled CSS file and ensures that we do not accidentally depend on it in the future.
Container images based on Alpine 3.22
The v12 container images are built from the latest Alpine 3.22 patch release. It includes:
- Git 2.49.1
- GnuPG 2.4.7
- SQLite 3.49.2
- OpenSSH 10.0
Release schedule and Long Term Support
The time based release schedule was established to publish a release every three months. Patch releases will be published more frequently, depending on the severity of the bug or security fixes they contain.
Version | Release date | End Of Life
11.0 (LTS) | 16 April 2025 | 16 July 2026
12.0 | 17 July 2025 | 16 October 2025
13.0 | 16 October 2025 | 15 January 2026
12.0-test daily releases
Releases are built daily from the latest changes found in the v12.0/forgejo development branch. They are deployed to the https://v12.next.forgejo.org instance for manual verification in case a bug fix is of particular interest ahead of the next patch release. It can also be installed locally with:
- OCI images: root and rootless
- Binaries
Their names are staying the same but they are replaced by new builds every day.
Get Forgejo v12.0
See the download page for instructions on how to install Forgejo, and read the release notes for more information.
Upgrading
Carefully read the breaking bug fixes section of the release notes.
The actual upgrade process is as simple as replacing the binary or container image with the corresponding Forgejo binary or container image. If you’re using the container images, you can use the 12.0 tag to stay up to date with the latest 12.0.Y patch release automatically.
Make sure to check the Forgejo upgrade documentation for recommendations on how to properly backup your instance before the upgrade.
- Apr 16, 2025
- Parsed from source:Apr 16, 2025
- Detected by Releasebot:Jan 8, 2026
Forgejo v11.0 is available
Forgejo v11.0 lands as a new LTS update with expanded autoscaling ideas, UI tweaks, new search operators, API search for Actions, and an Alpine 3.21 based image plus Danish localization. It marks the end of v10 and nudges admins to upgrade with backup guidance.
Forgejo v11.0 Release Notes
Forgejo v11.0 was released on 16 April 2025. You will find a short selection of the changes it introduces below and a complete list in the release notes.
This release marks the end of life for the previous stable version v10. The LTS series Forgejo v7 is still supported until 16 July 2025. Forgejo v11.0 will be supported until 15 July 2026, when Forgejo v16.0 is published. Admins of Forgejo instances with version v10 are recommended to prepare for an upgrade in time so that applying potential future security patches does not involve a major upgrade.
A dedicated test instance is available to try it out. Before upgrading it is strongly recommended to make a full backup as explained in the upgrade guide and carefully read all breaking changes from the release notes. If in doubt, do not hesitate to ask for help on the Fediverse, or in the chat room.
Summary
Forgejo v11.0 is the second LTS (Long Term Support) release, following v7.0 published in April 2024. It is the preferred choice for instances that value stability more than newer features published quarterly. Forgejo v7.0 will be supported for three more months, until 16 July 2025, an overlap that allows Forgejo admins to upgrade on their own time.
In addition to this blog post, the blog posts of the releases published since v7.0 contain the highlights of the changes that an instance upgrading directly from v7.0 to v11.0 will benefit from.
- v8.0
- v9.0
- v10.0
New features
Below is a short selection of the most notable changes. The complete list is available in the release notes.
- PR: user interface to see an overview of the quotas.
- PR: add the ability to regenerate access tokens.
- PR: welcome screen for user dashboard. It is shown when there’s no activity in the feed and can also be customized by instance admins.
- PR: display to maintainers in PR when it is editable.
- PR: adds the following boolean operators for searching issues when using an indexer:
- +term: term MUST be present for any result
- -term: negation; exclude results that contain term
- "this is a term": matches the exact phrase this is a term
In all cases the special characters can be escaped by prefixing them with .
- PR: add API endpoints with the ability to search for Forgejo Actions jobs (repo, org and global level).
Container images based on Alpine 3.21
The v11 container images are built from the latest Alpine 3.21 patch release. It includes:
- Git 2.47
- GnuPG 2.4
- SQLite 3.48
- OpenSSH 9.9
Autoscaling capabilities and k8s
At the end of 2024, a discussion on autoscaling was initiated by a team that was growing and whose workloads on Forgejo Actions were increasing. To meet these demands, they needed to increase parallelization when running jobs without unnecessarily blocking or over-provisioning resources. Moving to an autoscaling model would help them achieve this, ensuring that resources are only allocated when there are tasks to process.
Here are the key points:
- Pending tasks
- To enable autoscaling for Forgejo runners, Forgejo itself needs to provide a way to obtain the number of tasks waiting to be executed.
- Conversations started with KEDA contributors to create a PR where you can define a Forgejo autoscaler based on these pending tasks.
- These tasks should be accessible at the organization, user, and repository levels and will match how you configure the autoscaler.
- Forgejo Runner lifecycle change
- Forgejo runners operate as persistent daemons. To better integrate with KEDA job autoscaling it was proposed to change the runner lifecycle to function as jobs instead of long-running processes.
- An experimental fork of the actual runners existed and added a new command on the code to execute all tasks and exit.
- This allowed runners to scale to 0 when no jobs are running, optimizing resource usage in dynamic environments.
This project was concluded in early 2025 and is available both in Forgejo v11.0 and the Forgejo runner v6.3.1:
- Documentation
- Forgejo
- Forgejo runner
Release schedule and Long Term Support
The time based release schedule was established to publish a release every three months. Patch releases will be published more frequently, depending on the severity of the bug or security fixes they contain.
Version | Release date | End Of Life
7.0 (LTS) | 23 April 2024 | 16 July 2025
10.0 | 16 January 2025 | 16 April 2025
11.0 (LTS) | 16 April 2025 | 15 July 2026
11.0-test daily releases
Releases are built daily from the latest changes found in the v11.0/forgejo development branch. They are deployed to the https://v11.next.forgejo.org instance for manual verification in case a bug fix is of particular interest ahead of the next patch release. It can also be installed locally with:
- OCI images: root and rootless
- Binaries
Their names are staying the same but they are replaced by new builds every day.
Localization
Forgejo is now available in Danish! The work was started and completed by Tacaly with help of other contributors and coordinated by the localization team.
This release is the first to be shipped with a new format for storing translations better suited for this purpose, enabling better translatability, easier integration with external tooling and better defined syntax. This version supports both new and legacy formats and mostly relies on the latter. A more significant impact of this change is expected to be seen in upcoming versions of Forgejo.
Get Forgejo v11.0
See the download page for instructions on how to install Forgejo, and read the release notes for more information.
Upgrading
Carefully read the breaking bug fixes section of the release notes.
The actual upgrade process is as simple as replacing the binary or container image with the corresponding Forgejo binary or container image. If you’re using the container images, you can use the 11.0 tag to stay up to date with the latest 11.0.Y patch release automatically.
Make sure to check the Forgejo upgrade documentation for recommendations on how to properly backup your instance before the upgrade.
- Feb 8, 2025
- Parsed from source:Feb 8, 2025
- Detected by Releasebot:Jan 8, 2026
Forgejo Security Releases v10.0.1 and v7.0.13
Forgejo releases security focused updates for v10.0.1 and v7.0.13, fixing permissions enforcement and safeguarding actions, runners, variables, and private repo data. The patch bundle includes bug fixes and advance warnings to help admins upgrade quickly.
Forgejo v10.0.1 and Forgejo v7.0.13 released
Forgejo v10.0.1 and Forgejo v7.0.13 were released 8 February 2025.
This release fixes permissions enforcement of Forgejo Actions and projects.
This release also contains other bug fixes, as detailed in the corresponding milestone.
Recommended Action
We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.
Impact
These security issues can be exploited:
- by users who are registered on the instance, to delete Forgejo Actions runners and variables or modify variables.
- to get the titles, authors, labels and creation dates of issues or pull requests in private repositories, when they are referenced by a project from the containing user or organization.
Forgejo Actions web endpoints vulnerable to manually crafted identifiers
Some Forgejo Actions related web endpoints, such as deleting a Forgejo Actions variable, rely on an identifier unique to an object (a variable in this example).
The permissions required for the user performing the action on the repository are properly enforced. But a check was missing to ensure that the object (a variable in the example) also belongs to the repository the permissions are checked against. Without this check it was possible both to perform destructive actions (on runners and variables) and to modify variables in repositories unrelated to the request, including private ones.
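The missing check described above, shown as an added example that is not Forgejo's code: a lookup by identifier alone next to a lookup scoped to the repository the permission check ran against. The `Variable`, `Store`, `DeleteByID` and `DeleteInRepo` names and the in-memory table are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Variable is a hypothetical stand-in for an Actions variable row.
type Variable struct {
	ID, RepoID int64
	Name       string
}

var ErrNotFound = errors.New("variable not found")

// Store is a constructed in-memory table keyed by variable ID.
type Store map[int64]Variable

// DeleteByID reproduces the flaw: the caller's permission on a repository
// was checked upstream, but nothing ties the variable to that repository.
func (s Store) DeleteByID(id int64) error {
	if _, ok := s[id]; !ok {
		return ErrNotFound
	}
	delete(s, id)
	return nil
}

// DeleteInRepo is the hardened form: the lookup is scoped to the repository
// the permission check ran against, and a mismatch looks like a missing row.
func (s Store) DeleteInRepo(repoID, id int64) error {
	v, ok := s[id]
	if !ok || v.RepoID != repoID {
		return ErrNotFound
	}
	delete(s, id)
	return nil
}

func main() {
	// Constructed sample rows: variable 1 in repository 10, variable 2 in repository 20.
	s := Store{1: {ID: 1, RepoID: 10, Name: "A"}, 2: {ID: 2, RepoID: 20, Name: "B"}}
	// The request is authorized for repository 10 but carries variable ID 2.
	fmt.Println("scoped delete:", s.DeleteInRepo(10, 2))
	fmt.Println("unscoped delete:", s.DeleteByID(2))
}
```

A regression test for this class of bug asserts that the scoped call returns the not-found error and leaves the other repository's row in place.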
The vulnerable endpoints were fixed and tests were added to verify the fixes are effective.
User or organization wide projects leaking information about private issues or pull requests
If a project is created in a user or an organization, it can be used to display some information about issues or pull requests extracted from the repositories they contain:
- title
- author
- creation date
- labels
- URL to the issue or pull request
When a publicly readable user or organization contains a private repository, a user with access to this private repository can add an issue or pull request to the publicly available project. A user who was not allowed to read the private repository was able to see the information about the issue or pull request displayed in the project. When this same user visits the URL of the issue or pull request, they are denied access because they do not have the required permissions.
The vulnerable web endpoints were fixed and tests written to verify the fix is effective.
Forgejo gives advance warning of security releases
Similar to what is done when a Go release contains a security fix, Forgejo publishes advance warning of security releases. They do not reveal the details of the vulnerability but will allow Forgejo admins to plan ahead and better secure their instance. Anyone can watch the dedicated tracker or subscribe to the RSS feed.
Third parties may also get more information ahead of time when they agree to comply with the Forgejo Security Policy.
Contribute to Forgejo
If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!
- Jan 16, 2025
- Parsed from source:Jan 16, 2025
- Detected by Releasebot:Jan 8, 2026
Forgejo v10.0 is available
Forgejo 10.0 launches with major features and a clear upgrade path, ending support for v9. It adds improved search and navigation, hardened TOTP, rich OpenGraph summaries, and migration guidance to ease upgrades from Gitea.
Forgejo v10.0 release
Forgejo v10.0 was released 16 January 2025. You will find a short selection of the changes it introduces below and a complete list in the release notes.
This release marks the end of life for the previous stable version v9. The LTS series Forgejo v7 is still supported until 16 July 2025. Forgejo v10.0 will be supported until 16 April 2025, when Forgejo v11.0 is published. Admins of Forgejo instances with version v9 are recommended to prepare for an upgrade in time so that applying potential future security patches does not involve a major upgrade.
A dedicated test instance is available to try it out. Before upgrading it is strongly recommended to make a full backup as explained in the upgrade guide and carefully read all breaking changes from the release notes. If in doubt, do not hesitate to ask for help on the Fediverse, or in the chat room.
Summary
Forgejo v10.0 is the last version to allow a transparent upgrade from Gitea v1.22 or lower. In 2023 Forgejo was a soft fork, a set of patches maintained by the Forgejo community on top of Gitea. Early 2024 it became a hard fork and the codebases started to diverge. Forgejo and Gitea are now effectively different codebases although they share the same history back from the early days of Gogs.
If you are running Gitea v1.22 or lower and consider migrating to Forgejo long after v10.0 was published, it will still be possible, provided you upgrade to Forgejo v10.0 first and then upgrade to a newer Forgejo version. This will be a two-step upgrade instead of a single step.
New features
Below is a short selection of the most notable changes. The complete list is available in the release notes.
- PR: Rework the new repository dialog.
- PR: Git notes can be modified via the API or the UI.
- PR: Add button to create Markdown table.
- PR: If you select a portion of a comment and use the ‘Quote reply’ feature in the context menu, only that portion will be quoted. The markdown syntax is preserved.
- PR: Add link to show all issues and pull requests.
- PR: Highlight user mention in comments and commit messages.
- PR & PR: Add a “summary card” to issues, PRs, repositories and releases for consumption by OpenGraph clients.
- PR: Filepath filter for code search.
- PR: Add links to commit lists in contributors graph page.
- PR: Add search to releases page.
- PR: Migrate TOTP secrets to keying.
- PR: When bleve is used for issue search, a fuzzy search now applies to each word instead of all of them, as if they were a phrase. For instance, searching for activitypub spam moderation previously returned no result in Forgejo discussions and now returns the relevant issues. If the search results are too broad, or for searching exact phrases, prefer using an exact search. Sorting by newest is still available as a non-default option under Sort. The query was also reworked to improve performance. It makes a significant difference for large instances such as Codeberg.
- PR: Improve performance of notifications page for MySQL.
Hardened TOTP secrets
The TOTP secrets were stored using the secret module. They now use the keying module, which is easier to use and relies on better practices to store secrets in a database.
The keying module tries to solve two problems, the lack of key separation and the lack of AEAD being used for encryption. The secret module doesn’t provide this and is hard to adjust to provide this functionality.
For encryption, the additional data is now a parameter that can be used, as the underlying primitive is an AEAD construction. This allows for context binding to happen and can be seen as defense-in-depth; it ensures that if a value X is encrypted for context Y (e.g. ID=3, Column="private_key") it will only decrypt if that context Y is also given in the Decrypt function. This makes a confused deputy attack harder to exploit.
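Key separation and context binding as described above, in an added example that is not the keying module's code: AES-GCM and HMAC-SHA256 from the Go standard library are stand-ins chosen here, and the function names, the "totp" purpose label and the master key are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// aeadFor derives a per-purpose key (key separation) and wraps it in AES-GCM.
// HMAC-SHA256 as the derivation step is an assumption of this sketch.
func aeadFor(master []byte, purpose string) cipher.AEAD {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(purpose))
	block, _ := aes.NewCipher(m.Sum(nil)) // 32-byte key, cannot fail
	aead, _ := cipher.NewGCM(block)       // AES block size, cannot fail
	return aead
}

// Encrypt binds the ciphertext to context (row ID, column name) by passing
// it as AEAD additional data. Output layout: nonce || ciphertext+tag.
func Encrypt(master []byte, purpose string, plaintext, context []byte) ([]byte, error) {
	aead := aeadFor(master, purpose)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, context), nil
}

// Decrypt fails unless both purpose and context match those given to Encrypt.
func Decrypt(master []byte, purpose string, sealed, context []byte) ([]byte, error) {
	aead := aeadFor(master, purpose)
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], context)
}

func main() {
	master := []byte("constructed master key for demo!") // constructed, not a real key
	ct, _ := Encrypt(master, "totp", []byte("SECRET"), []byte("ID=3,Column=private_key"))
	_, err := Decrypt(master, "totp", ct, []byte("ID=4,Column=private_key"))
	fmt.Println("wrong context rejected:", err != nil)
}
```

A ciphertext copied into another row or column fails authentication on read, because the stored value no longer matches the context supplied at decryption time.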
Gitea compatibility
Forgejo v10.0 has automated upgrade tests from Gitea v1.22 to Forgejo v10.0.
- An instance running Gitea versions up to v1.21 can be upgraded to Forgejo v7.0 or v8.0
- An instance running Gitea v1.22 can be upgraded to Forgejo v8.0, v9.0 or v10.0
Future Forgejo versions will not support upgrades from Gitea instances running version v1.23 or above. Read more about Gitea compatibility and upgrades in the dedicated blog post.
Note on some harmless warnings
You may see migration warnings (and in some cases errors) when Forgejo starts. Most of them can be ignored as long as they do not prevent the instance from starting. However, they are confusing and you may want to get rid of them. More information can be found about that in the corresponding issue, as well as instructions to resolve them. If in doubt, do not hesitate to ask for advice.
Release schedule and Long Term Support
The time based release schedule was established to publish a release every three months. Patch releases will be published more frequently, depending on the severity of the bug or security fixes they contain.
| Version | Release date | End Of Life |
| --- | --- | --- |
| 7.0 (LTS) | 23 April 2024 | 16 July 2025 |
| 9.0 | 16 October 2024 | 16 January 2025 |
| 10.0 | 16 January 2025 | 16 April 2025 |
| 11.0 (LTS) | 16 April 2025 | 15 July 2026 |

10.0-test daily releases
Releases are built daily from the latest changes found in the v10.0/forgejo development branch. They are deployed to the https://v10.next.forgejo.org instance for manual verification in case a bug fix is of particular interest ahead of the next patch release. It can also be installed locally with:
- OCI images: root and rootless
- Binaries
Their names are staying the same but they are replaced by new builds every day.
Localization
This release contains the latest translation updates from the project on Codeberg Translate. They include a significant number of new translations and improvements to many languages, with particularly large refactors in Latvian and Simplified Chinese.
A new language has been made available: Low German (Plattdüütsch). It is already fully completed, only proofreading remains.
A convenient new feature makes it easy to identify translation keys in the interface by appending lang=dummy to the URL parameters. It is also useful to quickly look up the UI template within the source code.
Get Forgejo v10.0
See the download page for instructions on how to install Forgejo, and read the release notes for more information.
Upgrading
Carefully read the Breaking bug fixes section of the release notes.
The actual upgrade process is as simple as replacing the binary or container image with the corresponding Forgejo binary or container image. If you’re using the container images, you can use the 10.0 tag to stay up to date with the latest 10.0.Y patch release automatically.
Make sure to check the Forgejo upgrade documentation for recommendations on how to properly back up your instance before the upgrade.
Contribute to Forgejo
If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in the issue tracker for feature requests or bug reports, reach out on the Fediverse, or drop into the Matrix space (main chat room) and say hi!
Donate
Forgejo is proud to be funded transparently. Additionally, it accepts donations through Liberapay. It is also possible to donate to Codeberg e.V. in case the Liberapay option does not work out for you, and part of the funding is used to compensate for work on Forgejo.
However, the Liberapay team allows for money to go directly to developers without a round-trip to Codeberg. Additionally, Liberapay allows for a steady and reliable funding stream next to other options, a crucial aspect for the project. The distribution of funds through Liberapay is transparently controlled using the decision-making process, and Forgejo contributors are encouraged to consider applying to benefit from this funding opportunity.
Thank you for using Forgejo and considering a donation, in case your financial situation allows you to.