forgejo/RELEASE-NOTES.md
2024-07-24 15:14:38 +02:00

273 KiB
Raw Blame History

Release Notes

A minor or major Forgejo release is published every three months, with more patch releases in between depending on the severity of the bug and security fixes it contains.

A patch or minor release (e.g. upgrading from v7.0.0 to v7.0.1 or v7.1.0) does not require manual intervention. But major releases where the first version number changes (e.g. upgrading from v1.21 to v7.0) contain breaking changes and the release notes explain how to deal with them.

Upcoming releases (not available yet)

8.0.0

A companion blog post provides additional context on this release. In addition to the pull requests listed below, you will find a complete list in the v8.0 milestone.

  • Breaking
  • User interface features & enhancements
    • PR (backported from): Replace vue-bar-graph with chart.js
    • PR: make the tooltip of the author label in comments clearer.
    • PR: only show the RSS feed button and Public activity tab in user profiles when the activity can be accessed and add messages about visibility.
    • PR: reorder repo tabs for better UX: (i) Actions is now the last tab (ii) Packages are located after Releases (iii) this puts Projects after Pull requests. (tab positions may depend on which units are enabled in the repo).
    • PR: code search results are now displayed in a foldable box.
    • PR: disable the Subscribe button for guest users.
    • PR:
      • Added Enter key handling to the new Markdown editor: Pressing Enter while in a list, quote or code block will copy the prefix to the new line - Ordered list index will be increased for the new line, and task list "checkbox" will be unchecked.
      • Added indent/unindent function for a line or selection. Currently available as toolbar buttons (#4263).
    • PR: added support for displaying images based on the users current color code by using an anchor of #dark-mode-only or #light-mode-only respectively. Also supporting the github variants (e.g. #gh-dark-mode-only).
    • PR: use CSS-native pattern for image diff background, add dark theme support.
    • PR: allow navigating to the organization dashboard from the organization view.
    • PR: when PDFs are displayed in the repository, the full height of the screen is now used instead of a predefined fixed height.
    • PR: added support for grouping of log-lines inside steps between the special ::group::{title} and ::endgroup:: workflow commands. A runner of v3.4.2 or later is needed.
    • PR: the default for [repository].USE_COMPAT_SSH_URI has been changed to true. With this change, Forgejo defaults to using the same URL style for SSH clone URLs as for HTTPS ones, instead of the former scp-style.
  • Features & Enhancements
    • PR (backported from): add support for LFS server implementations which have batch API responses in an older/deprecated schema.
    • PR: introduce a branch/tag dropdown in the code search page if using git-grep.
    • PR: added support for fuzzy searching in /user/repo/issues and /user/repo/pulls.
    • PR:
      • feat(perf): commit reduce memory usage for chunked artifact uploads to S3.
      • feat: commit allow downloading draft releases assets.
      • feat: commit API endpoints for managing tag protection.
      • feat: commit extract and display readme and comments for Composer packages.
      • fix: commit when a repository is adopted, its object format is not set in the database.
      • fix: commit during a migration from bitbucket, LFS downloads fail.
    • PR: a help overlay, triggered by "?" key can be displayed when viewing asciinema files (.cast extension) and SGR color sequence are supported.
    • PR: strikethrough in markdown can be achieved with a single ~ in addition to ~~.
    • PR:
    • PR: the Gitea/Forgejo webhook payload includes additional fields (html_url, additions, deletions, review_comments...) for better compatbility with OpenProject.
    • PR: when an OAuth grant request submitted to a Forgejo user is denied, the server from which the request originates is notified that it has been denied.
    • PR:
    • PR: when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default.
    • PR: support setting the default attribute of the issue template dropdown field
    • PR: For federated-star we introduce a new repository setting to define following repositories. That is a workaround till we find a better way to express repository federation.
    • PR: Basic wiki content search using git-grep. The search results include the first ten matched files. Only the first three matches per file are displayed.
    • PR: support using label names when changing issue labels.
    • PR: parse prefix parameter from redis URI for queues and use that as prefix to keys.
    • PR: neutralize delete runners' UUID to prevent collisions with new records.
    • PR: implement a non-caching version of the RubyGems compact API for bundler dependency resolution.
    • PR: add support for the reddit and Hubspot OAuth providers.
    • PR: when parsing incoming emails, remove tspecials from type/subtype. According to the RFC, content type and subtype cannot contain special characters and any such character will fail parsing. Removing the characters from the type/subtype can help successfully parsing the content type that contains some extra garbage.
    • PR: there are a couple of new configs to define the name of the instance. The more important is APP_SLOGAN. It permits to configure a slogan for the site and it is optional. The other is APP_DISPLAY_NAME_FORMAT and permits to customize the aspect of the full display name for the instance used in some parts of the UI as: (i) Title page, (ii) Homepage head title (ii) Open Graph site and title meta tags. Its default value is APP_NAME: APP_SLOGAN. The config APP_DISPLAY_NAME_FORMAT is used only if APP_SLOGAN is set otherwise the full display name shows only APP_NAME value.
    • PR:
    • PR:
      • CERT management was improved when ENABLE_ACME=true
        • Draft support for draft-03 of ACME Renewal Information (ARI) which assists with deciding when to renew certificates. This augments CertMagic's already-advanced logic using cert lifetime and OCSP/revocation status.
        • New ZeroSSLIssuer uses the ZeroSSL API to get certificates. ZeroSSL also has an ACME endpoint, which can still be accesed using the existing ACMEIssuer, as always. Their proprietary API is paid, but has extra features like IP certificates, better reliability, and support.
        • DNS challenges should be smoother in some cases as we've improved propagation checking.
        • In the odd case your ACME account disappears from the ACME server, CertMagic will automatically retry with a new account. (This happens in some test/dev environments.)
        • ACME accounts are identified only by their public keys, but CertMagic maps accounts by CA+email for practical/storage reasons. So now you can "pin" an account key to use by specifying your email and the account public key in your config, which is useful if you need to absolutely be sure to use a specific account (like if you get rate limit exemptions from a CA).
    • PR:
    • PR: support Code Search for non-default branches and tags when the repository indexer is disabled.
    • PR: add an immutable tarball link to archive download headers for Nix.
    • PR: allow to customize the domain name used as a fallback when synchronizing sources from ldap default domain name.
    • PR: the default config for database.MAX_OPEN_CONNS changed from 0 (unlimited) to 100 to avoid problems if it exceeds the limit by the database server. If you require high concurrency, try to increase this value for both Forgejo and your database server.
    • PR: infer the [email.incoming].PORT setting from .USE_TLS.
    • PR: reverted the rootless container image path in GITEA_APP_INI from /etc/gitea/app.ini to its default value of /var/lib/gitea/custom/conf/app.ini. This allows container users to not have to mount two separate volumes (one for the configuration data and one for the configuration .ini file). A warning is issued for users with the legacy configuration on how to update to the new path.
    • PR: added support for the workflow_dispatch trigger in Forgejo Actions.
    • PR: support Proof Key for Code Exchange (PKCE - RFC7636) for external login using the OpenID Connect authentication source.
    • PR: allow hiding auto generated release archives.
  • Bug fixes
    • PR (backported from): The milestone section in the sidebar on the issue and pull request page now uses HTMX. If you update the milestone of a issue or pull request it will no longer reload the whole page and instead update the current page with the new information about the milestone update. This should provide a smoother user experience.
    • PR (backported from): Fix mobile UI for organisation creation.
    • PR (backported from): Fixes: Forgejo Actions does not trigger an edited event when the title of an issue or pull request is changed.
    • PR (backported from): Load attachments for /issues/comments/{id}.
    • PR (backported from): Fixed: the "View command line instructions" link in pull requests and the "Copy content" button in file editor are not accessible.
    • PR (backported from): Use correct SHA in GetCommitPullRequest
    • PR (backported from): Fixed: unknown git push options are rejected instead of being ignored.
    • PR: Fixed: markdown [*[a]*](b) is incorrectly rendered as <p><a href="b"><em>[a]</em></a></p>.
    • PR: Fixed: markdown files displayed in the UI that have an unescaped backtick in the image alt could (accidentally) trigger an inline code.
    • PR: Fixed: when the git repository is empty, it is not possible to unsubscribe from an issue.
    • PR: Fixed: it is not possible to remove attachments from an empty comment.
    • PR: Fixed: the /api/v1/repos/{owner}/{repo}/wiki API endpoints is using a hardcoded "master" branch for the wiki, rather than the branch they really use.
    • PR: Fixed: using the API to search for users, the results are not paged by default an the default paging limits are not respected.
  • Localization

7.0.5

This is a security release. See the documentation for more information on the upgrade procedure.

In addition to the following notable bug fixes, you can browse the full list of pull requests included in this release.

  • regreSSHion

    Recommended action when running Forgejo from a:

    • binary - upgrade the OpenSSH server that was installed independently.
    • root OCI image - upgrade to Forgejo 7.0.5.
    • rootless OCI image - no upgrade is necessary.

    CVE-2024-6387 also known as regreSSHion is an Unauthenticated Remote Code Execution (RCE) vulnerability in OpenSSHs server (sshd) on glibc-based Linux systems. It is strongly recommended that an OpenSSH server installed independently of Forgejo is upgraded as soon as possible.

    All Forgejo OCI root images, including 7.0.5 contain an OpenSSH server. They are based on https://alpinelinux.org/ which relies on https://musl.libc.org/ and not https://en.wikipedia.org/wiki/Glibc. As a precaution the Forgejo v7.0.5 root OCI image contains an updated OpenSSH server patched for CVE-2024-6387.

    The Forgejo OCI rootless images, including 7.0.5, do not contain an OpenSSH server, they rely on the internal Forgejo implementation of the SSH protocol.

  • Security:

    • Compiled with Go v1.22.5. Fixed: CVE-2024-24791 - GO-2024-2963: Denial of service due to improper 100-continue handling in net/http. The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
  • Bug fixes:

    • backport - PR: Fixed: authentication Source Administration page wrongfully handles the "Custom URLs Instead of Default URLs" checkbox (missing checkbox, irrelevant fields).
    • backport - PR: Fixed: git push to an adopted repository fails.
    • backport - PR - commit: Fixed: markdown doesn't render math within brackets
    • backport - PR - commit: Fixed: selecting the "No Project" filter in the issue/pull request list has no effect
    • backport - PR: Fixed: error 500 when processing crafted TIFF files.
    • backport - PR: Fixed: wrong placeholder text in the form for adding repository collaborator.

7.0.4

This is a security release. See the documentation for more information on the upgrade procedure.

In addition to the following notable bug fixes, you can browse the full list of commits included in this release.

  • Security:

    • PR. Fixed: CVE-2024-24789: the archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file.
    • PR - (fix & test). Fixed: the OAuth2 implementation does not always require authentication for public clients, a requirement of RFC 6749 Section 10.2. A malicious client can impersonate another client and obtain access to protected resources if the impersonated client fails to, or is unable to, keep its client credentials confidential.
  • Bug fixes:

    • backport - PR. Fixed: forgejo migrate-storage --type actions-artifacts always fails because it picks the wrong path.
    • backport - PR. Fixed: avatar files can be found in storage while they do not exist in the database.
    • backport - PR. Fixed: repository admins are always denied the right to force merge and instance admins are subject to restrictions to merge that must only apply to repository admins.
    • backport - PR. Fixed: non conformance with the Nix tarball fetcher immutable link protocol.
    • backport - PR. Fixed: migrated activities (such as reviews) are mapped to the user who initiated the migration rather than the Ghost user, if the external user cannot be mapped to a local one. This mapping mismatch leads to internal server errors in some cases.
    • backport - PR. Fixed: a v7.0.0 regression causes [admin].SEND_NOTIFICATION_EMAIL_ON_NEW_USER=true to always be ignored.
    • backport - PR. Fixed: using a subquery for user deletion is a performance bottleneck when using mariadb 10 because only mariadb 11 takes advantage of the available index.
    • backport - PR. Fixed: a v7.0.3 regression causes the expanding diffs in pull requests to fail with a 404 error.
    • backport - PR. Fixed: SourceHut Builds webhook fail when the triggers field is used.
    • backport - PR. Fixed: the label list rendering in the issue and pull request timeline is displayed on multiple lines instead of a single one.
    • backport - PR - commit. Fixed: NuGet Package fails choco info pkgname when pkgname is also a substring of another package Id.
    • backport - PR - commit. Fixed: "Git hooks of this repository seem to be broken." warning when pushing more than one branch at a time.
    • backport - PR - commit. Fixed: automerge does not happen when the approval count reaches the required threshold.
    • backport - PR - commit. Fixed: the FORCE_PRIVATE=true setting is not consistently enforced.
    • backport - PR - commit. Fixed: CSRF validation errors when OAuth is not enabled.
    • backport - PR. Fixed: headlines in rendered org-mode do not have a margin on the top
  • Localization:

    • Improvements to English locale: [1], [2].
    • Translation updates: [1], [2], [3].

7.0.3

This is a security release. See the documentation for more information on the upgrade procedure.

In addition to the following notable bug fixes, you can browse the full list of commits included in this release.

  • Container image upgrades

    In the Forgejo v7.0.3 container images, the Git version was upgraded to 2.43.4 which includes fixes for multiple vulnerabilities. However, the vulnerabilities with a high impact can be exploited when Git is used in an environment (or Operating Systems) which is different from the Forgejo OCI image.

  • Security:

  • Bug fixes:

    • PR. Fixed: migration of a repository from gogs fails when it is hosted at a subpath.
    • PR. Fixed: when creating an OAuth2 application the redirect URLs are not enforced to be mandatory.
    • PR. Fixed: the API incorrectly excludes repositories where code is not enabled.
    • PR. Fixed: "Allow edits from maintainers" cannot be modified via the pull request web UI.
    • PR. Fixed: repository activity feeds (including RSS and Atom feeds) contain repeated activities.
    • PR. Fixed: uploading maven packages with metadata being uploaded separately will fail.
    • PR. Fixed: the mail notification sent about commits pushed to pull requests are empty.
    • PR. Fixed: inline emails attachments are not properly handled when commenting on an issue via email.
    • PR. Fixed: the links to .zip and tar.gz on the tag list web UI fail.
    • PR. Fixed: expanding code diff while previewing a pull request before it is created fails.
    • PR. Fixed: the CLI is not able to migrate Forgejo Actions artifacts.
    • PR. Fixed: when adopting a repository, the default branch is not taken into account.
    • PR. Fixed: when using reverse proxy authentication, logout will not be taken into account when immediately trying to login afterwards.
    • PR. Fixed: pushing to the master branch of a sha256 repository fails.
    • PR. Fixed: a very long project column name will make the action menu inaccessible.
    • PR. Fixed: a useless error is displayed when the title of a merged pull request is modified.
    • PR. Fixed: workflow badges are not working for workflows that are not running on push (such as scheduled workflows, and ones that run on tags and pull requests).
  • Localization:

  • Gitea v1.21 compatibility

    This section is for information only and does not require any action.

    The semantic version of the Forgejo 7.0 releases are:

    • v7.0.0+gitea-1.22.0
    • v7.0.1+gitea-1.22.0
    • v7.0.2+gitea-1.22.0
    • v7.0.3+gitea-1.21.11

    Gitea v1.22 is not published yet as of 21 May 2024 and in reality all Forgejo v7.0 releases are compatible with Gitea v1.21.11. Advertising they will be compatible with an unpublished Gitea version was incorrect. The Gitea v1.22 release was anticipated to happen shortly after Forgejo v7.0 was published on 23 April 2024 because it was already in the late stages of its release candidate lifecycle. However, around 27 April, the Gitea release candidates were dropped and the release candidates restarted from the Gitea development branch.

7.0.2

This is a bug fix release. See the documentation for more information on the upgrade procedure.

In addition to the following notable bug fixes, you can browse the full list of commits included in this release.

  • Bug fixes:
    • PR: a v7.0.0 regression where subscribing to or unsubscribing from an issue in a repository with no code produced an internal server error.
    • PR: a v7.0.0 regression makes all the refs sent in Gitea webhooks to be full refs and might break Woodpecker CI pipelines triggered on tag (CI_COMMIT_TAG contained the full ref). This issue has been fixed in the main branch of Woodpecker CI as well.
    • PR: the webhook branch filter wrongly applied the match on the full ref for branch creation and deletion (wrongly skipping events).
    • PR: toggling the WIP state of a pull request is possible from the sidebar, but not from the footer.
    • PR: when mentioning a user, the markup post-processor does not handle the case where the mentioned user does not exist: it tries to skip to the next node, which in turn, ended up skipping the rest of the line.
    • PR: excessive and unnecessary database queries when a user with no repositories is viewing their dashboard.
    • PR: duplicate status check contexts show in the branch protection settings.
    • PR: profile info fails to render german singular translation.
    • PR: inline attachments of incoming emails (as they occur for example with Apple Mail) are not attached to comments.

7.0.1

This is a bug fix release. See the documentation for more information on the upgrade procedure.

In addition to the following notable bug fixes, you can browse the full list of commits included in this release.

7.0.0

The complete list of commits included in the Forgejo v7.0.0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.21/forgejo..origin/v7.0/forgejo

1.21.11-2

The complete list of new commits included in the Forgejo v1.21.11-2 release can be reviewed here, or from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo
$ git -C forgejo log --oneline --no-merges v1.21.11-1..v1.21.11-2

This stable release contains a security fix.

  • Recommended Action

    We recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

  • Forgejo Semantic Version

    The semantic version was updated to 6.0.13+0-gitea-1.21.10

  • Security fix

    • PR. Fixed: the OAuth2 implementation does not always require authentication for public clients, a requirement of RFC 6749 Section 10.2. A malicious client can impersonate another client and obtain access to protected resources if the impersonated client fails to, or is unable to, keep its client credentials confidential.

1.21.11-1

This stable release contains a single bug fix for a regression introduced in v1.21.11-0 by which creating a tag via the API would fail with error 500 on a repository a where Forgejo Actions workflow triggered by tags exists.

1.21.11-0

The complete list of new commits included in the Forgejo v1.21.11-0 release can be reviewed here, or from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo
$ git -C forgejo log --oneline --no-merges v1.21.10-0..v1.21.11-0

This stable release contains bug fixes and security fixes.

1.21.10-0

The complete list of commits included in the Forgejo v1.21.10-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.8-0..v1.21.10-0

This stable release contains bug fixes and a security fix.

Note that there is no Forgejo v1.21.9-0 release. The release numbering of the Forgejo v1.21 patch series follows the Gitea release numbering. However, the publication of Gitea v1.21.9 and Gitea v1.21.10 were a few days apart because of a regression that is not present on Forgejo and there was no need to publish Forgejo v1.21.9-0.

1.21.8-0

The complete list of commits included in the Forgejo v1.21.8-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.7-0..v1.21.8-0

This stable release contains bug fixes.

1.21.7-0

The complete list of commits included in the Forgejo v1.21.7-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.6-0..v1.21.7-0

This stable release contains bug fixes and a security fix.

1.21.6-0

The complete list of commits included in the Forgejo v1.21.6-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.5-0..v1.21.6-0

This stable release contains bug fixes and a security fix, as explained in the v1.21.6-0 companion blog post.

1.21.5-0

The complete list of commits included in the Forgejo v1.21.5-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.4-0..v1.21.5-0

This stable release includes bug fixes as well as documentation improvements.

1.21.4-0

The complete list of commits included in the Forgejo v1.21.4-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.3-0..v1.21.4-0

This stable release includes security and bug fixes as well as documentation improvements.

1.21.3-0

The complete list of commits included in the Forgejo v1.21.3-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.2-1..v1.21.3-0

This stable release includes bug fixes. It was built with an updated version of the Go Cryptography package that fixes CVE-2023-48795. As explained in the corresponding Go issue: "The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel."

1.21.2-1

The complete list of commits included in the Forgejo v1.21.2-1 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.2-0..v1.21.2-1

This stable release contains a security fix, as explained in the v1.21.2-1 companion blog post.

1.21.2-0

The complete list of commits included in the Forgejo v1.21.2-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.21.1-0..v1.21.2-0

This stable release includes bug fixes. It was built with Go v1.21.5 that fixes CVE-2023-39326 which a malicious HTTP client can exploit to cause a server to automatically read a large amount of data. It allows for memory exhaustion in the situation that HTTP chunked encoding requests can reach Forgejo.

1.21.1-0

The complete list of commits included in the Forgejo v1.21.1-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.20/forgejo..origin/v1.21/forgejo

1.20.6-1

The complete list of commits included in the Forgejo v1.20.6-1 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.6-0..v1.20.6-1

This stable release contains a security fix.

1.20.6-0

The complete list of commits included in the Forgejo v1.20.6-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.5-1..v1.20.6-0

This stable release contains a security fix, as explained in the v1.20.6-0 companion blog post.

  • Recommended Action

    We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

  • Forgejo Semantic Version

    The semantic version was updated to 5.0.7+0-gitea-1.20.6

  • Breaking change

    Prior to this release, a token scoped to read or write permissions on issues was allowed to access both issues and pull requests, regardless of the restrictions imposed to the team in which they belong. In a team it is possible to grant finer grained permissions, for instance to allow a user to access issues but not pull requests. These restrictions are now enforced and API calls that previously succeeded on /api/v1/repos/{org}/{repo}/issues or other endpoints common to both issues and pull requests could return 404. Granting the user the necessary permissions in the team in which they belong will allow them to use that endpoint again.

  • Security fix

    Additional API and web endpoints now fail when given manually crafted identifiers.

1.20.5-1

The complete list of commits included in the Forgejo v1.20.5-1 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.5-0..v1.20.5-1

This stable release contains critical security fixes, as explained in the v1.20.5-1 companion blog post.

1.20.5-0

The complete list of commits included in the Forgejo v1.20.5-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.4-1..v1.20.5-0

This stable release contains an important security fix, as explained in the v1.20.5-0 companion blog post.

1.20.4-1

The complete list of commits included in the Forgejo v1.20.4-1 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.4-0..v1.20.4-1

This stable release includes bug fixes.

1.20.4-0

The complete list of commits included in the Forgejo v1.20.4-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.3-0..v1.20.4-0

This stable release includes bug fixes and two features.

1.20.3-0

The complete list of commits included in the Forgejo v1.20.3-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.2-0..v1.20.3-0

This stable release includes bug fixes and a safeguard against a regression that may lead to data loss. The [storage*] sections in the app.ini file may cause the files for some subsystems - Attachments, LFS, Avatars, Repository avatars, Repository archives, Packages - to be merged together or misplaced. The safeguard detects this situation and Forgejo will not start to prevent data loss. If your instance is in this situation, follow the instructions in the companion blog post.

1.20.2-0

The complete list of commits included in the Forgejo v1.20.2-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.20.1-0..v1.20.2-0

This stable release includes bug fixes and displays warnings in the administration panel when deprecated entries are found in app.ini.

1.20.1-0

The complete list of commits included in the Forgejo v1.20.1-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/forgejo
  • Container images upgraded to Alpine 3.18

    The Forgejo container images are now based on Alpine 3.18 instead of Alpine 3.17.

1.19.4-0

The complete list of commits included in the Forgejo v1.19.4-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.3-0..v1.19.4-0

This stable release contains security fixes.

1.19.3-0

The complete list of commits included in the Forgejo v1.19.3-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.2-0..v1.19.3-0

This stable release contains security fixes.

1.19.2-0

The complete list of commits included in the Forgejo v1.19.2-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.1-0..v1.19.2-0

This stable release contains important security fixes.

  • Recommended Action

    We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

  • Forgejo Semantic Version

    The semantic version was updated from 4.1.0+0-gitea-1.19.1 to 4.2.0+0-gitea-1.19.2 because of the changes introduced in the internal CI.

  • Security fixes

    • Token scopes were not enforced in some cases (patch 1 and patch 2). The scoped token were introduced in Forgejo v1.19 allow for the creation of application tokens that only have limited permissions, such as creating packages or accessing repositories. Prior to Forgejo v1.19 tokens could be used to perform any operation the user issuing the token could.
    • Permissions to delete secrets was not enforced. The experimental internal CI relies on secrets managed via the web interface, for instance to communicate credentials to a job. Secrets are only used in the context of the experimental internal CI.
  • Bug fixes

    The most prominent ones are described here, others can be found in the list of commits included in the release as described above.

  • Container image upgrades

    In the Forgejo container images the Git version was upgraded to 2.38.5 as a precaution. The Forgejo security team analyzed the security fixes it contains and concluded that Forgejo is not affected.

1.19.1-0

The complete list of commits included in the Forgejo v1.19.1-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.0-3..v1.19.1-0

This stable release includes bug fixes. Functional changes related to the experimental CI have also been backported.

1.19.0-3

The complete list of commits included in the Forgejo v1.19.0-3 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.0-2..v1.19.0-3

This stable release includes security updates and bug fixes.

1.19.0-2

The complete list of commits included in the Forgejo v1.19.0-2 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.18/forgejo..origin/v1.19/forgejo
  • Breaking changes

    • Scoped access tokens

      Forgejo access token, used with the API can now have a "scope" that limits what it can access. Existing tokens stored in the database and created before Forgejo v1.19 had unlimited access. For backward compatibility, their access will remain the same and they will continue to work as before. However, newly created token that do not specify a scope will now only have read-only access to public user profile and public repositories.

      For instance, the /users/{username}/tokens API endpoint will require the scopes: ['all', 'sudo'] parameter and the forgejo admin user generate-access-token will require the --scopes all,sudo argument obtain tokens with unlimited access as before for admin users.

      Read more about the scoped tokens.

    • Disable all units except code and pulls on forks

      When forking a repository, the fork will now have issues, projects, releases, packages and wiki disabled. These can be enabled in the repository settings afterwards. To change back to the previous default behavior, configure DEFAULT_FORK_REPO_UNITS to be the same value as DEFAULT_REPO_UNITS.

    • Filter repositories by default on the explore page

      The explore page now always filters out repositories that are considered not relevant because they are either forks or have no topic and not description and no icon. A link is shown to display all repositories, unfiltered.

      Explore repositories
    • Remove deprecated DSA host key from Docker Container Since OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm, and recommend against its use. http://www.openssh.com/legacy.html

    • Additional restrictions on valid user names

      The algorithm for validating user names was modified and some users may have invalid names. The command forgejo doctor --run check-user-names will list all of them so they can be renamed.

      If a Forgejo instance has users or organizations named forgejo-actions and gitea-actions, they will also need to be renamed before the upgrade. They are now reserved names for the experimental internal CI/CD named Actions.

    • Semantic version

      Since v1.18.5, in addition to the Forgejo release number, a semantic version number (e.g. v3.0.0) can be obtained from the number key of a new /api/forgejo/v1/version endpoint.

      Now, it reflects the Gitea version that Forgejo depends on, is no longer prefixed with v (e.g. 3.0.0+0-gitea-1.19.0), and can be obtained from the version key of the same endpoint.

  • Features

  • User Interface improvements

  • Container images upgraded to Alpine 3.17

    The Forgejo container images are now based on Alpine 3.17 instead of Alpine 3.16. It includes an upgrade from git 2.36.5 to git 2.38.4 and from openssh 9.0p1 to openssh 9.1p1.

1.18.5-0

This stable release contains an important security fix for Forgejo to raise the protection against brute force attack on hashed passwords stored in the database to match industry standards, as described in detail in a companion blog post.

We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

If PASSWORD_HASH_ALGO is explicitly set in app.ini, comment it out so that the stronger algorithm is used instead.

All password hashes stored with another algorithm will be updated to the new algorithm on the next usage of this password (e.g. a user provides the password to the Forgejo server when they login). It does not require manual intervention.

Forgejo

Gitea

Note that there is no Forgejo v1.18.4-N because Gitea v1.18.4 was replaced by Gitea v1.18.5 a few days after its release because of a regression. Forgejo was not affected.

1.18.3-2

This stable release includes a security fix for git and bug fixes.

Git

Git recently announced new versions to address two CVEs (CVE-2023-22490, CVE-2023-23946). On 14 Februrary 2023, Git published the maintenance release v2.39.2, together with releases for older maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. All major GNU/Linux distributions also provide updated packages via their security update channels.

We recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 or v2.30.8
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.3-2

Forgejo

Gitea

1.18.3-1

This stable release includes bug fixes.

Forgejo

Gitea

1.18.3-0

This stable release includes bug fixes.

Forgejo

Gitea

1.18.2-1

This stable release includes a security fix. It was possible to reveal a user's email address, which is problematic because users can choose to hide their email address from everyone. This was possible because the notification email for a repository transfer request to an organization included every user's email address in the owner team. This has been fixed by sending individual emails instead and the code was refactored to prevent it from happening again.

We strongly recommend that all installations are upgraded to the latest version as soon as possible.

Gitea

1.18.2-0

This stable release includes bug fixes.

Gitea

1.18.1-0

This is the first Forgejo stable point release.

Forgejo

Critical security update for Git

Git recently announced new versions to address two CVEs (CVE-2022-23521, CVE-2022-41903). On 17 January 2023, Git published the maintenance release v2.39.1, together with releases for older maintenance tracks v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7. All major GNU/Linux distributions also provide updated packages via their security update channels.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, or v2.30.7
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.1-0

Read more in the Forgejo blog.

Release process stability

The release process based on Woodpecker CI was entirely reworked to be more resilient to transient errors. A new release is first uploaded into the new Forgejo experimental organization for testing purposes.

Automated end to end testing of releases was implemented with a full development cycle including the creation of a new repository and a run of CI. It relieves the user and developer from the burden of tedious manual testing.

Container environment variables

When running a container, all environment variables starting with FORGEJO__ can be used instead of GITEA__. For backward compatibility with existing scripts, it is still possible to use GITEA__ instead of FORGEJO__. For instance:

docker run --name forgejo -e FORGEJO__security__INSTALL_LOCK=true codeberg.org/forgejo/forgejo:1.18.1-0

Forgejo hook types

A new forgejo hook type is available and behaves exactly the same as the existing gitea hook type. It will be used to implement additional features specific to Forgejo in a way that will be backward compatible with Gitea.

X-Forgejo headers

Wherever a X-Gitea header is received or sent, an identical X-Forgejo is added. For instance when a notification mail is sent, the X-Forgejo-Reason header is set to explain why. Or when a webhook is sent, the X-Forgejo-Event header is set with push, tag, etc. for Woodpecker CI to decide on an action.

Look and feel fixes

The Forgejo theme was modified to take into account user feedback.

Gitea

1.18.0-1

This is the first Forgejo release.

Forgejo improvements

Woodpecker CI

A new CI configuration based on Woodpecker CI was created. It is used to:

Look and feel

The default themes were replaced by Forgejo themes and the landing page was modified to display the Forgejo logo and names but the look and feel remains otherwise identical to Gitea.

Landing page

Privacy

Gitea instances fetch https://dl.gitea.io/gitea/version.json weekly by default, which raises privacy concerns. In Forgejo this feature needs to be explicitly activated at installation time or by modifying the configuration file. Forgejo also provides an alternative RSS feed to be informed when a new release is published.

Gitea

1.18.0-0

This release was replaced by 1.18.0-1 a few hours after being published because the release process was interrupted.

1.18.0-rc1-2

This is the first Forgejo release candidate.