crystal
/
forgejo
forked from forgejo/forgejo
1
0
Fork 0
Code Issues Pull Requests Activity
forgejo/RELEASE-NOTES.md

99 KiB
Raw Permalink Blame History

Release Notes

A Forgejo release is published shortly after a Gitea release is published and they have matching release numbers. Additional Forgejo releases may be published to address urgent security issues or bug fixes. Forgejo release notes include all Gitea release notes.

The Forgejo admin should carefully read the required manual actions before upgrading. A point release (e.g. v1.19.1 or v1.19.2) does not require manual actions but others might (e.g. v1.18.0, v1.19.0).

DRAFT 1.20.0-0

The complete list of commits included in the Forgejo v1.20.0-? release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/forgejo
  • Forgejo Semantic Version The semantic version was updated to 5.0.0+0-gitea-1.20.0 because it contains breaking changes.
  • [CI]
    • Workflows are now available to run tests on Forgejo itself. It is not enabled yet on Codeberg but will work if the repository is mirrored on an instance where Forgejo Actions is enabled.
  • [MODERATION]
    • Blocking another user is desirable if they are acting maliciously or are spamming your repository. When you block a user, Forgejo does not explicitly notify them, but they may learn through an interaction with you that is blocked. Read more about blocking users.
  • [PACKAGES]
  • [A11Y]
    • [A11Y] commit 6c35454654 Improve accessibility for issue comments 22612
    • [A11Y] commit a78e0b7dad Add accessibility to the menu on the navbar 23059
    • [A11Y] commit e8935606f5 Scoped labels: set aria-disabled on muted Exclusive option for a11y 23306
    • [A11Y] commit d4f35bd681 Use a general approch to improve a11y for all checkboxes and dropdowns. 23542
    • [A11Y RTL] commit 32d9c47ec7 Add RTL rendering support to Markdown 24816
    • [A11Y] commit e95b42e187 Improve accessibility when (re-)viewing files 24817
    • [A11Y] commit 87f0f7e670 Add aria attributes to interactive time tooltips. 23661
  • [TIME]
    • [TIME] commit b7b5834831 Use auto-updating, natively hoverable, localized time elements 23988
    • [TIME] commit 25faee3c5f Fix date display bug 24047
    • [TIME] commit 97176754be Localize milestone related time strings 24051
    • [TIME] commit 70bb4984cd Allow using localized absolute date times within phrases with place holders and localize issue due date events 24275
    • [TIME] commit 5bc9f7fcf9 Improve commit date in commit graph 24399
    • [TIME] commit 62ca5825f7 Fix incorrect last online time in runner_edit.tmpl 24376
    • [TIME] commit dbb3736785 Fix incorrect webhook time and use relative-time to display it 24477
    • [TIME] commit 3d266dd0f3 In TestViewRepo2, convert computed timezones to local time 24579
  • [WIKI]
  • [UI / UX]
    • [BREAKING UX preview render] commit 84daddc2fa Editor preview support for external renderers 23333
    • [BREAKING branding] commit d44e1565da Refactor setting.Other and remove unused SHOW_FOOTER_BRANDING (#24270)
    • [BREAKING theme tags] commit c7612d178c Remove meta tags theme-color and default-theme 24960
    • [BREAKING UI] commit 520eb57d76 Use a separate admin page to show global stats, remove actions stat 25062
    • [UI] commit 6e90a1459b Add word-break to sidebar-item-link 23146
    • [UI] commit 303b72c2d1 Fix Fomantic UI's touchstart fastclick, always use click for click events 23065
    • [UI] commit 10cdcb9ea8 Add "Reviewed by you" filter for pull requests 22927
    • [UI] commit 843f81113e Projects: rename Board to Column in interface and improve consistency 22767
    • [UI] commit f4920c9c7f Add pagination for dashboard and user activity feeds 22937
    • [UI] commit d20b29d7ce Fix height for sticky head on large screen on PR page 23111
    • [ACTIONS] commit edf98a2dc3 Require approval to run actions for fork pull request 22803
    • [UI] commit 0bc8bb3cc4 Make issue meta dropdown support Enter, confirm before reloading 23014
    • [UI] commit 403f3e9208 Use the correct selector to hide the checkmark of selected labels on clear 23224
    • [UI] commit 7a5af25592 Fix incorrect checkbox behaviors in the dashboard repolist's filter 23147
    • [UI] commit 188c8c12c2 Make Ctrl+Enter submit a pending comment (starting review) instead of submitting a single comment 23245
    • [UI BIG] commit 7f9d58fab8 Support paste treepath when creating a new file or updating the file name 23209
    • [UI] commit ea1d09718c Fix commit retrieval by tag 21804
    • [UI] commit 0945bf63d3 Fix missed .hide class 23208
    • [UI BIG] commit de6c718b46 Allow <video> in MarkDown 22892
    • [UI BIG] commit 545495dcb0 Pull Requests: add button to compare force pushed commits 22857
    • [UI] commit ea7f0d6fcf Change interactiveBorder to fix popup preview 23169
    • [UI] commit d949d8e074 add user visibility in dashboard navbar 22747
    • [UX] commit dad057b639 Handle OpenID discovery URL errors a little nicer when creating/editing sources 23397
    • [UX] commit d647e74502 Improve squash merge commit author and co-author with private emails 22977
    • [UI] commit 17c8a0523a Fix and move "Use this template" button 23398
    • [UI] commit a04eeb2a54 Show edit/close/delete button on organization wide repositories 23388
    • [UI] commit e72290fd9a Sync the class change of Edit Column Button to JS code 23400
    • [UI] commit 75022f8b1a Refactor branch/tag selector dropdown (first step) 23394
    • [UX] commit 3de9e63fd0 Hide target selector if tag exists when creating new release 23171
    • [UI] commit cf29ee6dd2 Add missing tabs to org projects page 22705
    • [UI] commit bf730528ca Fix 'View File' button in code search 23478
    • [UI] commit aac07d010f Add workflow error notification in ui 23404
    • [UI] commit 6ff5400af9 Make branches list page operations remember current page 23420
    • [UI] commit e82f1b15c7 Refactor dashboard repo list to Vue SFC 23405
    • [UI] commit 81fe5d6185 Convert <div class="button"> to <button class="button"> 23337
    • [UX] commit 5eea61dbc8 Fix missing commit status in PR which from forked repo 23351
    • [UX UI search] commit 661e78bed5 Allow both fullname and username search when DEFAULT_SHOW_FULL_NAME is true 23463
    • [UI] commit 39d3711f30 Change Close to either Close issue or Close pull request 23506
    • [UX review] commit a8c30a45fa Publish Review buttons should indicate why they are disabled 23598
    • [UI] commit 529bac1950 Polyfill the window.customElements 23592
    • [UI GPG] commit 12ddc48c5c Use octicon-verified for gpg signatures 23529
    • [UI stars] commit 06c067bb0f Remove stars in dashboard repo list 23530
    • [UI] commit 272cf6a2a9 Make time tooltips interactive 23526
    • [UI] commit 389e83f7eb Improve <SvgIcon> to make it output svg node and optimize performance 23570
    • [UX issue config] commit f384b13f1c Implement Issue Config 20956
    • [UI] commit 2c585d62a4 User/Org Feed render description as per web 23887
    • [UI TAGS] commit b78c955958 Fix tags view 23243
    • [UI] commit 9cefb7be73 Fix new issue/pull request btn margin when it is next to sort 23647
    • [UX preview] commit ac64c82974 Allow new file and edit file preview if it has editable extension 23624
    • [UI] commit ca905b82df Append (comment) when a link points at a comment rather than the whole issue 23734
    • [UX diff] commit aa4d1d94f7 Diff improvements 23553
    • [UX ONLY_SHOW_RELEVANT_REPOS] commit e57e1144c5 Add ONLY_SHOW_RELEVANT_REPOS back, fix explore page bug, make code more strict 23766
    • commit ed5e7d03c6 Don't apply the group filter when listing LDAP group membership if it is empty 23745
    • [UX allow . in name] commit 88033438aa Support "." char as user name for User/Orgs in RSS/ATOM/GPG/KEYS path ... 23874
    • [UI] commit ca5722a0fa Ensure RSS icon is present on all repo tabs 23904
    • [UI] commit 6eb678374b Refactor authors dropdown (send get request from frontend to avoid long wait time) 23890
    • [UX RELEASE permalink] commit 42919ccb7c Make Release Download URLs predictable 23891
    • [UX project] commit 6a4be2cb6a Add cardtype to org/user level project on creation, edit and view 24043
    • [UX] commit 52b17bfa07 Add repository counter badge to repository tab 24205
    • [UX dump] commit cb1536471b Add --quiet option to gitea dump 22969
    • [UI] commit 774d1a0fbd Tweak pull request branch delete ui 23951
    • [UI] commit 9c33cbd344 Fix no edit/close/delete button in org repo project view page 24301
    • [UX] commit c41bc4f127 Display when a repo was archived 22664
    • [UI] commit 83022013c8 Fix layouts of admin table / adapt repo / email test 24370
    • [UX] commit e9b39250b2 Improve pull request merge box when pull request merged and branch deleted. [24397](https:// - [UI] commit 94d6b5b09d Add "Updated" column for admin repositories list 24429 github.com/go-gitea/gitea/pull/24397)
    • [UI] commit 72e956b79a Improve protected branch setting page 24379
    • [UX goto issue] commit 1144b1d129 Add goto issue id function 24479
    • [UI] commit 97b70a0cd4 Add org visibility label to non-organization's dashboard 24558
    • [UX] commit 4daf40505a Sort users and orgs on explore by recency by default 24279
    • [UX graceful restart] commit 7565e5c3de Implement systemd-notify protocol 21151
    • [UX] commit 4810fe55e3 Add status indicator on main home screen for each repo 24638
    • [UX] commit b5c26fa825 Add markdown preview to Submit Review Textarea 24672
    • [UX issue template] commit c4303efc23 Support markdown editor for issue template 24400
    • [UI] commit 4aec1f87a4 Remove highlight in repo list 24675
    • [UI] commit 8251b317f7 Improve empty notifications display 24668
    • [UX] commit f6e029e6c7 Make repo migration cancelable and fix various bugs 24605
    • [UI] commit b3af7484bc Fix missing badges in org settings page 24654
    • [UI RSS] commit 67db6b6976 RSS icon fixes 24476
    • [UX notification list] commit f7ede92f82 Notification list enhancements, fix striped tables on dark theme 24639
    • [UI] commit ea7954f069 Modify luminance calculation and extract related functions into single files 24586
    • [UX review] commit ae0fa64ef6 Review fixes and enhancements 24526
    • [UI] commit df00ccacc9 Fix invite display 24447
    • [UX] commit e8173c2c33 Move Rename branch from repo settings page to the page of branches list 24380
    • [UX] commit 3f0651d4d6 Improve milestone filter on issues page 22423
    • [UI] commit 8f4dafcd4e Rework header bar on issue, pull requests and milestone 24420
    • [UI] commit 8bbbf7e6b8 Remove fluid on compare diff page 24627
    • [UI avatar] commit 82224c54e0 Improve avatar uploading / resizing / compressing, remove Fomantic card module 24653
    • [UI] commit b9fad73e9f Unification of registration fields order 24737
    • [UI] commit 6a3a54cf48 Remove background on user dashboard filter bar 24779
    • [UX] commit b807d2f620 Support no label/assignee filter and batch clearing labels/assignees 24707
    • [UI] commit 5c0745c034 Add validations.required check to dropdown field 24849
    • [UX notifications list] commit 27c221aa5d Rework notifications list 24812
    • [UI] commit 35ce7ca25b Hide 'Mirror Settings' when unneeded, improve hints 24433
    • [UX] commit a70d853d06 Consolidate the two review boxes into one 24738
    • [UI] commit e3897148f9 Minor UI improvements: logo alignment, auth map editor, auth name display 25043
    • [UX tree view] commit 72eedfb915 Show file tree by default 25052
    • [UX diff copy] commit c5ede35124 Add button on diff header to copy file name, misc diff header tweaks 24986
    • [UI] commit 58536093b3 Add details summary for vertical menus in settings to allow toggling 25098
    • [UI] commit 7d192cb674 Add Progressbar to Milestone Page 25050
    • [UI] commit 7abe958f5b Fix color for transfer related buttons when having no permission to act 24510
    • [UI] commit 4a722c9a45 Make Issue/PR/projects more compact, misc CSS tweaks 24459
  • [PERF]
    • [PERF] commit 1319ba6742 Use minio/sha256-simd for accelerated SHA256 23052
    • [PERF] commit ef4fc30246 Speed up HasUserStopwatch & GetActiveStopwatch 23051
    • [PERF] commit 0268ee5c37 Do not create commit graph for temporary repos 23219
    • [PERF] commit 75ea0d5dba Faster git.GetDivergingCommits 24482
    • [PERF] commit df48af2229 Order pull request conflict checking by recently updated, for each push 23220
  • [AUTH]
    • [MAIL smtp auth] commit 8be6da3e2f Add ntlm authentication support for mail 23811
    • [AUTH LDAP] commit b8c19e7a11 Update LDAP filters to include both username and email address 24547
    • [AUTH PKCE] commit 7d855efb1f Allow for PKCE flow without client secret + add docs 25033
    • [AUTH OAuth redirect] commit ca35dec18b Add ability to set multiple redirect URIs in OAuth application UI 25072
  • [REFACTOR]
    • [BREAKING REFACTOR logger] commit 4647660776 Rewrite logger system 24726
    • [BREAKING REFACTOR queue] commit 6f9c278559 Rewrite queue 24505
    • [REFACTOR pull mirror] commit 99283415bc Refactor Pull Mirror and fix out-of-sync bugs 24732
    • [REFACTOR git] commit f4538791f5 Refactor internal API for git commands, use meaningful messages instead of "Internal Server Error" 23687
    • [REFACTOR route] commit 92fd3fc4fd Refactor "route" related code, fix Safari cookie bug 24330
    • [REFACTOR] commit 8598356df1 Refactor and tidy-up the merge/update branch code 22568
    • [REFACTOR] commit 542cec98f8 Refactor merge/update git command calls 23366
    • [REFACTOR] commit ec261b63e1 Refactor repo commit list 23690
    • [REFACTOR cookie] commit 5b9557aef5 Refactor cookie 24107
    • [REFACTOR web route] commit b9a97ccd0e Refactor web route 24080
    • [REFACTOR issue stats] commit 38cf43d060 Some refactors for issues stats 24793
    • [REFACTOR] commit c59a057297 Refactor rename user and rename organization 24052
    • [REWORK logger] commit 0d54395fb5 Improve logger Pause handling 24946
    • [REWORK queue / logger] commit 18f26cfbf7 Improve queue and logger context 24924
    • [REFACTOR scoped token] commit 18de83b2a3 Redesign Scoped Access Tokens 24767
    • [REFACTOR ini] commit de4a21fcb4 Refactor INI package (first step) 25024
    • [REFACTOR diffFileInfo] commit ee99cf6313 Refactor diffFileInfo / DiffTreeStore 24998
  • [TEMPLATES]
    • [TEMPLATES expressions] commit 5b89670a31 Use a general Eval function for expressions in templates. 23927
    • [CMD reload templates] commit 3588edbb08 Add gitea manager reload-templates command 24843
  • [RSS]
  • [API]
    • [API EMAIL] commit d56bb74201 add admin API email endpoints 22792
    • [API USER RENAME] commit 03591f0f95 add user rename endpoint to admin api 22789
    • [API admin search] commit 6f9cc617fc Add login name and source id for admin user searching API 23376
    • [API] commit 574d8fe6d6 Add absent repounits to create/edit repo API 23500
    • [API issue dependencies] commit 3cab9c6b0c Add API to manage issue dependencies 17935
    • [API activity feeds] commit 6b0df6d8da Add activity feeds API 23494
    • [API license] commit fb37eefa28 Add API for License templates 23009
    • [API gitignore] commit 36a5d4c2f3 Add API for gitignore templates 22783
    • [API upload empty repo] commit cf465b4721 Support uploading file to empty repo by API 24357
    • [API COMMIT --not] commit f766b00293 Add ability to specify '--not' from GetAllCommits 24409
    • [API GetAllCommits] commit 1dd83dbb91 Filters for GetAllCommits 24568
    • [API get single commit] commit 5930ab5fdf Filter get single commit 24613
    • [API create branch] commit cd9a13ebb4 Create a branch directly from commit on the create branch API 22956
    • [BREAKING API team] commit 0a3c4d4a59 Fix team members API endpoint pagination 24754
    • [API label templates] commit 25dc1556cd Add API for Label templates 24602
    • [API changing/creating/deleting multiple files] commit 275d4b7e3f API endpoint for changing/creating/deleting multiple files 24887
  • [FEATURES]
    • [BREAKING] (maybe) commit f5987c24e2 Make gitea serv respect git binary home 23138
    • [README] commit 52e24167e5 Test renderReadmeFile 23185
    • [REFLOGS] commit 757b4c17e9 Support reflogs 22451
    • [DOCTOR] commit df411819eb Check LFS/Packages settings in dump and doctor command 23631
    • [MINIO] commit 0e7bec1849 Add InsecureSkipVerify to Minio Client for Storage 23166
    • [MINIO MD5 checksum] commit 5727056ea1 Make minio package support legacy MD5 checksum 23768
    • [PRIVACY email display] commit 6706ac2a0f Fix profile page email display, respect settings 23747
    • [INDEX meilisearch] commit 92c160d8e7 Add meilisearch support 23136
    • [PRIVACY email] commit 5e1bd8af5f Show visibility status of email in own profile 23900
    • [BREAKING SSH key parsing] commit 7a8a4f5432 Prefer native parser for SSH public key parsing 23798
    • [REDIS] commit 985f76dc4b Update redis library to support redis v7 24114
    • [RESERVED users] commit 1819c4b59b Add new user types reserved, bot, and remote 24026
    • [NEW files to empty repo] commit e422342eeb Allow adding new files to an empty repo 24164
    • [WEBP avatars] commit 65fe0fb22c Allow webp images as avatars 24248
    • [MARKDOWN livemd] commit 58caf422e6 Add .livemd as a markdown extension 22730
    • [FOLLOW org] commit cc64a92560 Add follow organization and fix the logic of following page 24345
    • [PROFILE README] commit c090f87a8d Add Gitea Profile Readmes 23260
    • [HTTP RANGE] commit 023a048f52 Make repository response support HTTP range request 24592
    • [status check pattern] commit e7c2231dee Support for status check pattern 24633
    • [EMAIL allow/block] commit 2cb66fff60 Support wildcard in email domain allow/block list 24831
    • [INSTALL page] commit abcf5a7b5e Fix install page context, make the install page tests really test 24858
    • [environment-to-ini FILE] commit c21605951b Make environment-to-ini support loading key value from file 24832
    • [APP ini git config] commit 8080ace6fc Support changing git config through app.ini, use diff.algorithm=histogram by default 24860
    • [PIN issues] commit aaa1094663 Add the ability to pin Issues 24406
    • [BREAKING reflog / config] commit 2f149c5c9d Use [git.config] for reflog cleaning up 24958
    • [SEARCH skip forks mirrors] commit 033d92997f Allow skipping forks and mirrors from being indexed 23187
  • [WEBHOOK]
    • [WEBHOOKS] commit 2173f14708 Add user webhooks 21563
    • [WEBHOOK] commit 9e04627aca Fix incorrect HookEventType of pull request review comments 23650
    • [WEBHOOK review request] commit 309354c70e New webhook trigger for receiving Pull Request review requests 24481
  • [DISCARDED]
    • [GITEA only BREAKING service worker] commit 50bd7d0b24 Remove the service worker 25010

  • Container images upgraded to Alpine 3.18

    The Forgejo container images are now based on Alpine 3.18 instead of Alpine 3.1.17 It includes an upgrade from git ...

1.19.3-0

The complete list of commits included in the Forgejo v1.19.3-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.2-0..v1.19.3-0

This stable release contains security fixes.

1.19.2-0

The complete list of commits included in the Forgejo v1.19.2-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.1-0..v1.19.2-0

This stable release contains important security fixes.

  • Recommended Action

    We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

  • Forgejo Semantic Version

    The semantic version was updated from 4.1.0+0-gitea-1.19.1 to 4.2.0+0-gitea-1.19.2 because of the changes introduced in the internal CI.

  • Security fixes

    • Token scopes were not enforced in some cases (patch 1 and patch 2). The scoped token were introduced in Forgejo v1.19 allow for the creation of application tokens that only have limited permissions, such as creating packages or accessing repositories. Prior to Forgejo v1.19 tokens could be used to perform any operation the user issuing the token could.
    • Permissions to delete secrets was not enforced. The experimental internal CI relies on secrets managed via the web interface, for instance to communicate credentials to a job. Secrets are only used in the context of the experimental internal CI.

  • Bug fixes

    The most prominent ones are described here, others can be found in the list of commits included in the release as described above.

  • Container image upgrades

    In the Forgejo container images the Git version was upgraded to 2.38.5 as a precaution. The Forgejo security team analyzed the security fixes it contains and concluded that Forgejo is not affected.

1.19.1-0

The complete list of commits included in the Forgejo v1.19.1-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.0-3..v1.19.1-0

This stable release includes bug fixes. Functional changes related to the experimental CI have also been backported.

1.19.0-3

The complete list of commits included in the Forgejo v1.19.0-3 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.0-2..v1.19.0-3

This stable release includes security updates and bug fixes.

1.19.0-2

The complete list of commits included in the Forgejo v1.19.0-2 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.18/forgejo..origin/v1.19/forgejo

  • Breaking changes

    • Scoped access tokens

      Forgejo access token, used with the API can now have a "scope" that limits what it can access. Existing tokens stored in the database and created before Forgejo v1.19 had unlimited access. For backward compatibility, their access will remain the same and they will continue to work as before. However, newly created token that do not specify a scope will now only have read-only access to public user profile and public repositories.

      For instance, the /users/{username}/tokens API endpoint will require the scopes: ['all', 'sudo'] parameter and the forgejo admin user generate-access-token will require the --scopes all,sudo argument obtain tokens with ulimited access as before for admin users.

      Read more about the scoped tokens.

    • Disable all units except code and pulls on forks

      When forking a repository, the fork will now have issues, projects, releases, packages and wiki disabled. These can be enabled in the repository settings afterwards. To change back to the previous default behavior, configure DEFAULT_FORK_REPO_UNITS to be the same value as DEFAULT_REPO_UNITS.

    • Filter repositories by default on the explore page

      The explore page now always filters out repositories that are considered not relevant because they are either forks or have no topic and not description and no icon. A link is shown to display all repositories, unfiltered.

      Explore repositories

    • Remove deprecated DSA host key from Docker Container Since OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm, and recommend against its use. http://www.openssh.com/legacy.html

    • Additional restrictions on valid user names

      The algorithm for validating user names was modified and some users may have invalid names. The command forgejo doctor --run check-user-names will list all of them so they can be renamed.

      If a Forgejo instance has users or organizations named forgejo-actions and gitea-actions, they will also need to be renamed before the upgrade. They are now reserved names for the experimental internal CI/CD named Actions.

    • Semantic version

      Since v1.18.5, in addition to the Forgejo release number, a semantic version number (e.g. v3.0.0) can be obtained from the number key of a new /api/forgejo/v1/version endpoint.

      Now, it reflects the Gitea version that Forgejo depends on, is no longer prefixed with v (e.g. 3.0.0+0-gitea-1.19.0), and can be obtained from the version key of the same endpoint.

  • Features

  • User Interface improvements

  • Container images upgraded to Alpine 3.17

    The Forgejo container images are now based on Alpine 3.17 instead of Alpine 3.16. It includes an upgrade from git 2.36.5 to git 2.38.4 and from openssh 9.0p1 to openssh 9.1p1.

1.18.5-0

This stable release contains an important security fix for Forgejo to raise the protection against brute force attack on hashed passwords stored in the database to match industry standards, as described in detail in a companion blog post.

Recommended Action

We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

If PASSWORD_HASH_ALGO is explicitly set in app.ini, comment it out so that the stronger algorithm is used instead.

All password hashes stored with another algorithm will be updated to the new algorithm on the next usage of this password (e.g. a user provides the password to the Forgejo server when they login). It does not require manual intervention.

Forgejo

Gitea

Note that there is no Forgejo v1.18.4-N because Gitea v1.18.4 was replaced by Gitea v1.18.5 a few days after its release because of a regression. Forgejo was not affected.

1.18.3-2

This stable release includes a security fix for git and bug fixes.

Git

Git recently announced new versions to address two CVEs (CVE-2023-22490, CVE-2023-23946). On 14 Februrary 2023, Git published the maintenance release v2.39.2, together with releases for older maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. All major GNU/Linux distributions also provide updated packages via their security update channels.

We recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 or v2.30.8
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.3-2

Forgejo

Gitea

1.18.3-1

This stable release includes bug fixes.

Forgejo

Gitea

1.18.3-0

This stable release includes bug fixes.

Forgejo

Gitea

1.18.2-1

This stable release includes a security fix. It was possible to reveal a user's email address, which is problematic because users can choose to hide their email address from everyone. This was possible because the notification email for a repository transfer request to an organization included every user's email address in the owner team. This has been fixed by sending individual emails instead and the code was refactored to prevent it from happening again.

We strongly recommend that all installations are upgraded to the latest version as soon as possible.

Gitea

1.18.2-0

This stable release includes bug fixes.

Gitea

1.18.1-0

This is the first Forgejo stable point release.

Forgejo

Critical security update for Git

Git recently announced new versions to address two CVEs (CVE-2022-23521, CVE-2022-41903). On 17 January 2023, Git published the maintenance release v2.39.1, together with releases for older maintenance tracks v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7. All major GNU/Linux distributions also provide updated packages via their security update channels.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, or v2.30.7
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.1-0

Read more in the Forgejo blog.

Release process stability

The release process based on Woodpecker CI was entirely reworked to be more resilient to transient errors. A new release is first uploaded into the new Forgejo experimental organization for testing purposes.

Automated end to end testing of releases was implemented with a full development cycle including the creation of a new repository and a run of CI. It relieves the user and developer from the burden of tedious manual testing.

Container environment variables

When running a container, all environment variables starting with FORGEJO__ can be used instead of GITEA__. For backward compatibility with existing scripts, it is still possible to use GITEA__ instead of FORGEJO__. For instance:

docker run --name forgejo -e FORGEJO__security__INSTALL_LOCK=true codeberg.org/forgejo/forgejo:1.18.1-0

Forgejo hook types

A new forgejo hook type is available and behaves exactly the same as the existing gitea hook type. It will be used to implement additional features specific to Forgejo in a way that will be backward compatible with Gitea.

X-Forgejo headers

Wherever a X-Gitea header is received or sent, an identical X-Forgejo is added. For instance when a notification mail is sent, the X-Forgejo-Reason header is set to explain why. Or when a webhook is sent, the X-Forgejo-Event header is set with push, tag, etc. for Woodpecker CI to decide on an action.

Look and feel fixes

The Forgejo theme was modified to take into account user feedback.

Gitea

1.18.0-1

This is the first Forgejo release.

Forgejo improvements

Woodpecker CI

A new CI configuration based on Woodpecker CI was created. It is used to:

Look and feel

The default themes were replaced by Forgejo themes and the landing page was modified to display the Forgejo logo and names but the look and feel remains otherwise identical to Gitea.

Landing page

Privacy

Gitea instances fetch https://dl.gitea.io/gitea/version.json weekly by default, which raises privacy concerns. In Forgejo this feature needs to be explicitly activated at installation time or by modifying the configuration file. Forgejo also provides an alternative RSS feed to be informed when a new release is published.

Gitea

1.18.0-0

This release was replaced by 1.18.0-1 a few hours after being published because the release process was interrupted.

1.18.0-rc1-2

This is the first Forgejo release candidate.