Forgejo monthly update - March 2025

The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in the chatroom or participate in the ongoing discussions.

Forgejo v11.0 on its way

The Forgejo v11.0 branch was cut on 26 March 2025 as planned for the target release date of 16 April 2025. It is the second major release prepared with the Forgejo release manager. It was not quite right yet, and the sequence of automated and manually steps has been rearranged for clarity. There is still a lot of room for automation, but the bits that are in place (cutting branches in git, setting new branch protection, archiving backport labels and creating new ones, etc.) already save valuable human time.

Forgejo v11.0 will be an LTS release and will therefore receive security updates for at least a year. However, this also means that the old LTS release v7.0 is approaching the end of support. The end of life for Forgejo v7.0 is scheduled for 16 July 2025. You should therefore be prepared to upgrade your instance if you are running version 7.0.

Forgejo v7.0.14, v10.0.2 and v10.0.3

Forgejo v7.0.14 has been released on 19 March 2025. This release is part of the LTS release cycle and contains two bug fixes.

On 21 March 2025, Forgejo v10.0.2 has been released. This release contains several bug fixes, but also introduced a regression that caused unnecessary escaping of URLs. Symptoms were e.g. not being able to access theme files if they contained a space or double escaping of links. Work to fix this regression started immediately after receiving the report and was fixed in v10.0.3, which was released on 23 March 2025.

The Helm chart for the use of Forgejo in k8s has been updated according to the Forgejo releases.

Forgejo runner

Two new versions (v6.3.0 and v6.3.1) of the Forgejo runner have been released. The latest version v6.3.1 was released on 24 March 2025. Version v6.3 contains a security fix related to caches.

In addition, a blog post is being drafted that summarizes the findings of the security audit that began last year and explains how they relate to the latest security fixes.

Accessibility and usability

Contributions to Forgejo are growing steadily, but the human effort to maintain it doesn’t seem to be growing proportionally. Achieving high quality in Forgejo is a goal, but this also requires reviewing pull requests for accessibility and regressions in usability.

Currently, the accessibility and user research teams are understaffed. So if you have some spare time and are interested in these topics, we would appreciate your help to make Forgejo even better and more inclusive. Please have a look at the call for help if you are interested.

code.forgejo.org downtime

An incident occurred on 3 March that caused code.forgejo.org to be unavailable for 7 hours. This was the longest downtime since September 2024, all others lasted less than 10 minutes. The cause is still unknown and it shouldn’t happen again: k8s has been modified to restart Forgejo if it goes down for a long time. The pattern of this bug is unknown and has not reappeared since.

Improved Forgejo actions availability

The last step of a major effort to improve the availability of the Forgejo actions repositories has been completed. It started with moving the infrastructure to a k8s cluster and was completed this month with making the actions available as read-only repositories. The setup is based on a git-http-backend behind an apache2 server that is publicly exposed through a traefik reverse proxy.

This improves the availability of data.forgejo.org because:

  • It is not affected by the DDoS or excessive crawling that recently hit code.forgejo.org, as it does not provide a web interface, only Git Smart HTTP
  • It is independent of code.forgejo.org and simpler (no authentication, read-only)
  • There are two servers at all times.

As DDoS and excessive crawling intensify in 2025, and the likelihood of code.forgejo.org becoming slow or even unavailable increases, these changes will prevent the Forgejo runner workflows that need to git clone actions such as actions/checkout or docker/build-push-action from being affected.

OCI registries rate limiting

The Forgejo runner relies heavily on OCI images. They are cached locally when possible, but they eventually hit the registry and can run into rate limiting. Last year the Forgejo CI was interrupted because the host was rate limited by Docker Hub and mirrors were set up to work around the problem. It took a while to change all the references, but it has been months since a rate-limiting problem has surfaced.

A critical moment will come on 1 April 2025, when an even tighter rate limit will be imposed by Docker Hub. If some references were overlooked, disruptions may occur.

DDoS on code.forgejo.org and crawlers

The DDoS that hit code.forgejo.org last month has not returned, and the IP ranges that were blocked are no longer blocked. They mostly covered residential areas, not data centers. The ranges could have been used by a virus activated on a network-connected device connecting from a residential home. There’s really no way to tell, and it didn’t feel right to continue blocking a large number of IPs, as one of them could belong to a real Forgejo user.

In recent weeks, a growing number of Free Software-related projects (LWN, FreeBSD, Pagure, etc.) have reported similar problems, and there is an ongoing discussion collecting comments and links to what seems to be a global trend in 2025.

This month there was excessive and anonymous crawling by a previously known offender using a different set of IP ranges. This was dealt with quickly as usual by blocking a few IP ranges.

In an effort to improve monitoring of the cluster, Headlamp has been added to the cluster, displaying prometheus graphs of the resource usage of the services running on the k8s cluster. It is promising, but has yet to prove effective for forensic analysis and monitoring of ongoing and emerging problems.

Localization

Improvements have been made to the merge workflow. Previously, when merging pull requests, translation updates were squashed into a single commit. This meant that Weblate components had to be temporarily locked, and it’s internal Git branch had to be reset each time. This month, the squash add-on was installed so that Weblate always produces a single squashed commit. This change has made merging pull requests safer, with fewer additional actions. The documentation has been updated to reflect this.

A new linter has been introduced to verify that all translation keys used are present in at least the base language. By default, this linter issues warnings and has already identified several missing translations. This is a valuable addition to the existing testing requirements for new features or fixes and improves the overall quality.

The Danish translation is now complete. The work was started by Tacaly in December 2024 and took about 3 months to complete with the help of other contributors. It will be available in the UI with the v11.0 LTS release.

We Forge

Forgejo is a community of people who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is intended to reflect this diversity and to acknowledge all the contributions made over the past month. If you are missing, please ask for an update.