Forgejo monthly update - April 2024

The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in the chatroom or participate in the ongoing discussions.

Contributors got together to celebrate the release of Forgejo v7.0 and Codeberg was upgraded the next day. A lot of effort went into the automation of the development process, for dependency management and releases, so that contributors can focus on what matters most. As Forgejo matures, more and more of the work is about day to day management of bug reports, localization, security, etc. All aspects that make Forgejo a product that can be relied on for the years ahead. 17 interviews were conducted to better understand how Forgejo is used and shape its roadmap in a user centered way.

Forgejo 7.0

Forgejo v7.0 was published 23 April with translations in Bulgarian, Esperanto, Filipino and Slovenian; SourceHut builds integration; support for the SHA-256 hash function in Git; source code search by default and more. It is also the first Long Term Support version and will receive updates until July 2025. The adoption of semantic versioning is the reason for the version bump from v1.21 to v7.0, and the new numbering is compatible with existing tools.

Regressions and 7.0.1

Previous Forgejo releases were synchronized with the Gitea release cycle and usually published after the first patch release, when the most disruptive bugs or regressions had already been discovered and fixed. Forgejo became a hard fork two months ago and this was its first major release since. Two significant regressions were discovered less than 48h after the release. Their impact and workarounds were documented by amending the 7.0.0 release notes while the 7.0.1 patch release was prepared. It was released four days later.

Celebration and motivations

On 27 April Forgejo contributors got together in a videoconference to celebrate the publication of the 7.0 release and remember the evolution of the project since its inception in 2022. They also shared their motivations and goals for 2024 in a discussion for everyone to know what they find important, but also what motivates them to contribute to a given topic.

Codeberg upgrade

The Codeberg staging instance was used with Forgejo 7.0 release candidates and a copy of the production data in an attempt to identify scaling issues and regressions.

The Codeberg specific patches were ported (new templates and CSS need to be adapted) and Codeberg was migrated to 7.0 on 28 April.

Release notes quality

In order to improve the quality of the release notes, a new requirement to merging a pull request was discussed and led to an agreement proposal. The author of a pull request would be required to provide a snippet if their change needs to show in the release notes.

Backport automation

The git-backporting action was improved to support:

  • multiple targets
  • notifications on error
  • merged and squash pull requests

As expected it is now used to backport most pull requests from the development branch to the v7.0/forgejo branch.

The release notes themselves that were previously only found in the development branch are now also backported to the stable branch where they belong.

Code

https://codeberg.org/forgejo/forgejo

Notable improvements and bug fixes:

Read more in the pull requests.

Security

There is no direct impact of the xz backdoor (CVE-2024-3094) on Forgejo. This CVE got a lot of attention and a blog post was published to explain why Forgejo is not affected.

The Forgejo v1.21.11-0 release was published 18 April and contains two security fixes: a privilege escalation that allows any registered user to change the visibility of any public repository; and a cross-site scripting (XSS) vulnerability that enabled attackers to run unsandboxed client-side scripts on pages served from the forge’s domain.

User Research

The work started early March on Forgejo Usability and Designing a modern contribution workflow led to 17 interviews for which transcripts were archived. They provide material that can be re-used in various contexts, even for the benefit of forges other than Forgejo.

Some of the information already influenced decisions and implementation details in discussions, and issues were created in response to the user interviews, for example to improve the new repo units button and feedback for features that are still in development, such as improving assignment to issues.

A discussion on how to move on with user research was started.

A survey started on Exploring the Contributor Experience where Forgejo contributors are asked to answer a series of questions.

Dependency Management

The dependency update dashboard is used daily to observe and update Forgejo dependencies. When a new release is available, a daily scheduled workflow will create a pull request which:

  • will be merged automatically, for instance if it is a patch upgrade from a dependency known to have a trusted release process
  • or will be reviewed by a Forgejo contributor to decide if it is worth an upgrade
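
The auto-merge rule above is a supply-chain decision: only a patch-level bump from a dependency whose release process is trusted skips human review, everything else waits for a contributor. The following Python is an added illustration of that decision logic written for this report; it is not Forgejo's code and not the configuration of the tool behind the dependency dashboard. The trusted-dependency set and the module names are constructed for the example.

```python
import re

# Matches "1.2.3", "v1.2.3" and "v1.2.3-rc1"; Go modules use the "v" prefix.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

# Constructed for this example: dependencies whose release process is trusted
# enough that a patch upgrade may be merged without review. Not Forgejo's list.
TRUSTED_PATCH_AUTOMERGE = {
    "golang.org/x/crypto",
    "github.com/example/trusted-lib",
}


def parse_semver(version):
    """Return (major, minor, patch, prerelease) or raise on unparsable input."""
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre or ""


def classify_update(current, new):
    """Classify the bump as 'none', 'major', 'minor' or 'patch'."""
    cur, nxt = parse_semver(current), parse_semver(new)
    if nxt[:3] <= cur[:3]:
        return "none"          # same version or a downgrade: nothing to merge
    if nxt[0] != cur[0]:
        return "major"
    if nxt[1] != cur[1]:
        return "minor"
    return "patch"


def decide(dependency, current, new):
    """Return 'automerge', 'review' or 'skip' for a proposed dependency bump."""
    kind = classify_update(current, new)
    if kind == "none":
        return "skip"
    # A pre-release is never merged unattended, even as a patch bump from a
    # trusted dependency: its release process has not finished yet.
    if parse_semver(new)[3]:
        return "review"
    if kind == "patch" and dependency in TRUSTED_PATCH_AUTOMERGE:
        return "automerge"
    return "review"


if __name__ == "__main__":
    # Constructed sample of what the daily workflow might see.
    proposals = [
        ("golang.org/x/crypto", "v0.21.0", "v0.21.1"),
        ("golang.org/x/crypto", "v0.21.0", "v0.22.0"),
        ("github.com/example/untrusted", "1.0.0", "1.0.1"),
        ("golang.org/x/crypto", "v0.21.0", "v0.21.1-rc1"),
    ]
    for dep, cur, new in proposals:
        print(f"{dep} {cur} -> {new}: {decide(dep, cur, new)}")
```

Minor and major bumps always go to review regardless of trust, which is the conservative choice: a trusted release process says nothing about whether the new API or behaviour is wanted in Forgejo.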

With hundreds of dependencies, there is a significant backlog to absorb and it is done incrementally by improving the configuration file with:

When Forgejo became a hard fork two months ago, maintainers switched from rebasing weekly on top of Gitea to cherry picking commits instead. A tool has been developed to make this process easier and automate as much of it as possible. As the tool keeps evolving, the weekly cherry pick pull request becomes easier to create and review, and it even includes interesting statistics at the bottom of the summary.

Forgejo v1.20 end of life

With the release of Forgejo 7.0, the Forgejo v1.20 release is EOL (End Of Life) and will no longer receive security patches. The last of them was backported and made available in the v1.20/forgejo branch for the benefit of source builds in April.

The end-to-end tests were also updated to remove v1.20 support and the policy to manage legacy tests was documented.

Debian packages

The Debian package has undergone extensive changes. In addition to gaining support for Forgejo v7.0 LTS, its CI was migrated to Forgejo Actions and includes a pull request test suite. The repository now has an LTS release channel. Enhancements are in the works to remove Forgejo’s common data from the compiled binaries and instead store it in a forgejo-common package. This lays the groundwork for things like multi-architecture builds.

A call for maintainers was posted so that there are at least three maintainers to ensure:

  • Debian packages are available within 12 hours of Forgejo releases
  • Pull requests can be reviewed by at least one maintainer

References:

Helm chart

The Forgejo helm chart had one major update.

References:

Localization

The localization keeps going forward. 1 member was onboarded and 2 more applications were created. Some optimizations to the merge process were made to make it go faster. 6 batches of updates were merged, containing a total of 2273 new translations and 1913 improvements. The translation effort finally saw the light of day with the Forgejo 7.0.0 release, which is the first release containing major Forgejo localization improvements. There are still countless improvements to be made for many languages and you can help to improve the localization too. Learn how.

Federation

The pull request to implement federated stars passes tests and is ready for merging. It is a very large pull request and reviewers requested that it be split into smaller, more manageable pull requests, in the same way the large webhook refactor was done. The first of these pull requests was opened and is in its final stage: validating ActivityPub messages.

A new pull request to implement federated search was proposed with a demonstration searching for an actor on https://next.forgejo.org from a locally running Forgejo instance.

Governance

Sustainability

The discussion started on Forgejo durability in the next 10 years led to drafting a grant proposal for the new Free and Open Source Software Sustainability Fund. It proposes the creation of a non-profit organization managed transparently so that it can be audited at any time. Its purpose would be to define a collective roadmap and use the grant to fund the work. To preserve the Forgejo dynamic that is key to its momentum, it will be set up to ensure volunteers keep being its driving force.

We Forge

Forgejo is a community of people who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please ask for an update.

A minority of Forgejo contributors earn a living by implementing the roadmap co-created by the Forgejo community, see the sustainability repository for the details.