Forgejo v1.21.1-0 is here and you will find the most interesting changes it introduces below. Before upgrading it is strongly recommended to make a full backup as explained in the upgrade guide and carefully read all breaking changes from the release notes. If in doubt, do not hesitate to ask for help on the Fediverse, or in the chat room.
Actions: server side, secrets can be managed via the API and the
pull_request_targetmakes it possible to securely run workflows on pull requests, even when they need to access secrets. A major version of the Forgejo runner was also published and it is now capable of running actions on Docker, LXC or in a shell.
Blocking a user: repository transfers originating from the blocked user are canceled and the blocked user is removed from the list of collaborators on repositories owned by the user doing the blocking. This self-moderation feature introduced in v1.20 is most useful on large Forgejo instances and was since deployed on Codeberg. It has been used a few times by the Forgejo moderation team in cases that did not require admin privileges.
Documentation: new sections were added to the developer guide such as the user interface customization, which is considered an internal detail and requires intimate knowledge of the codebase to be maintained. Every new feature listed in the release notes was matched with an update in the documentation because it is intended to become an exhaustive reference. The documentation repository was split out of the website repository and restructured to facilitate the maintenance and contribution workflow.
Shortcut to create a PR: a button is automatically shown if you recently pushed to branch and will open a PR with the default branch as a base.
New user mail notification: When a Forgejo instance has open registration, it is occasionally subject to spam accounts. With the
SEND_NOTIFICATION_EMAIL_ON_NEW_USER = truesetting, the Forgejo admin will receive a mail when a new account is created and can immediately act on it, instead of discovering a dozen of spam bots a much later.
Additional language detection: Bluespec BH, D2, Go Workspace, Gradle Kotlin DSL, Hosts File, LOLCODE, MDX, Nasal, Nushell, Pact, RBS, Rez, Sweave, TL-Verilog, Typst, WDL, WGSL, WebAssembly Interface Type
Read more in the Forgejo v1.21.1-0 release notes.
Forgejo is only as stable and robust as the test infrastructure that verifies it works. Forgejo Actions is not just a feature, it is an integral part of what makes Forgejo whole. With v1.21 this self-sustainable ecosystem grew with more components such as end to end testing and upgrade tests running older versions of Forgejo. Each repository is independent but it is not isolated from the others. Developers do not need to manually keep them in sync, they are bound together with tests. As more components are added, these tests will be the cement keeping them together, allowing developers to focus on what matters.
Server side the most notable improvements are:
pull_request_targetevent is implemented and can securely access secrets because it runs using the workflows from the base branch instead of the pull request.
- The API can now be used to manage secrets for users, organizations and repositories.
- Registration tokens can register multiple runners instead of a single one.
- Variables can be used in addition to secrets to configure workflows when there is no need for secrecy.
- Recurring actions similar to cron jobs can be defined in the main branch.
- Uploaded artifacts can be automatically cleaned up.
- When a new commit is pushed to a branch, the workflows triggered by previous commits are automatically canceled.
- It is now possible to upload multiple artifacts instead of a single one.
- The labels can be communicated to Forgejo from the runner when they connect instead of just during registration.
Client side, the newer version of the Forgejo runner that is responsible for running the workflows now comes in two flavors:
It is tested with itself to verify a new version does not introduce a trivial regression that would break Forgejo, using an action to cascade pull requests between repositories.
Until recently all Forgejo commits could have been merged into Gitea overnight. But as of October 2023 Gitea requires a copyright assignment in addition to the MIT license. It means that the most significant contributions such as blocking a user will not be merged into Gitea and are unique to Forgejo v1.21 and later.
Forgejo continues to include all of Gitea and guarantees a 100% drop-in replacement for Gitea admins. No action is required, it is enough to replace the Gitea binary or the container image with the equivalent Forgejo release and restart.
Such an upgrade may be motivated to benefit from security fixes that only exist in Forgejo, such as the Long-term authentication vulnerability which is fixed since Forgejo v1.20.5-0 and will also be in Gitea v1.22 early 2024.
Forgejo support federation? Not yet. Was there progress? Yes.
Forges have existed for over twenty years and none of them has achieved data portability let alone federation. Forgejo is yet to celebrate the publication of its first release and it will take it a little time to get there.
Carefully read the breaking changes section of the release notes.
The actual upgrade process is as simple as replacing the binary or container image
with the corresponding Forgejo binary
or container image.
If you’re using the container images, you can use the
to stay up to date with the latest
1.21.x point release automatically.
Make sure to check the Forgejo upgrade documentation for recommendations on how to properly backup your instance before the upgrade. It also covers upgrading from Gitea, as far back as version 1.2.0. Forgejo includes all of Gitea v1.21.
If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in the issue tracker for feature requests or bug reports, reach out on the Fediverse, or drop into the Matrix space (main chat room) and say hi!