Forgejo monthly report - September 2025

The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in the chatroom or participate in the ongoing discussions.

Releases

Forgejo v13.0.0 release candidates

The Forgejo v13.0.0 branch has been cut and the release is scheduled for October 16. code.forgejo.org is running it ahead of time, to discover and fix problems ahead of time. Additionally, a call for help with tests was posted to the chat room for the first time. Preparations for the associated blog post have also started.

You can help us improve it by trying it out and checking that the features you normally use, as well as the new ones, work as expected.

It can be tried on:

Before deployment, please read the release notes, address any breaking changes that could affect your deployment and ensure that everything is backed up.

Pre-release versions are available:

Report any regressions you find in the issue tracker. If the issues you’re facing are related to security, please report them to the security team according to the security policy.

Forgejo runner v11

Forgejo runner v11 has been released. This is the first release since the discussion about changing the license of the runner to GPLv3+ was concluded. This means that, since version v11, Forgejo runner is licensed under GPLv3+, just like Forgejo.

The Forgejo runner release process is lighter than the Forgejo release process. For example, there are no release candidates that are tested in production before the release becomes available to everyone. Consequently, regressions are discovered after the release is published, impacting users who upgrade first. This has happened twice (with versions v10.0.0 and v11.1.0). Fortunately, the regression was discovered on the same day that a new release was published, so the damage was minimal.

Both of these regressions were caused by human error combined with insufficient code coverage. The pull requests that introduced the regressions were properly tested and reviewed properly. However, the author and reviewer overlooked the problem, which occurred in a code path that lacked coverage. The odds of that combination happening again will be lower in the future as code coverage constantly improves.

Call for help

Forgejo runner

The exceptional effort to fix, reproduce and triage all Forgejo Action bugs in the runner and Forgejo itself has been successfully concluded. Currently, there are around twenty open bugs in total, all of which have received attention in the past few weeks.

To keep these numbers low and ensure that bugs do not linger longer than necessary, more contributors are needed. If you would like to help, watch the Forgejo runner repository and grab a bug as soon as it appears. The person who filed the bug may need help providing enough information to reproduce the problem. Once it is confirmed and reproducible, you can start working on a fix right away.

Discussions

Designing a security feature

Although Forgejo is organized and encourages features to be designed and supported by user research, the process is time consuming. The most frequent method of moving from an idea to implementation is filing a feature request in the issue tracker, which is then supported by a pull request.

Allowing Forgejo Actions workflows to run from pull requests that originate from a fork is a long-standing problem, so a design discussion was created to consider all aspects of the problem, including threat modeling, collecting evidence of how users currently cope with the problem, and user interface and user experience.

The scope is limited, but as can be seen by browsing the discussions, it has undergone a few iterations. While time-consuming, this process is ultimately faster than implementing a solution that would require refactoring shortly after release. The reality is that, once a solution is implemented, however clunky it may be, it tends to stay because refactoring is a lot of work, and explaining it to users is difficult. Fixing a problem is easy. Improving an imperfect solution is trickier.

Documentation

Forgejo runner

Many users have trouble using docker commands, such as docker build, with self-hosted Forgejo runners. The default setup blocks access to Docker. A new guide is available to help administrators set this up safely: Utilizing Docker within Actions.

In the monthly report for August, the security warning about the Forgejo runner was removed. However, Forgejo runner still poses a risk because it lets people run code remotely, even when the software is secure. For this reason, another guide was written: Securing Forgejo Actions Deployments. This guide helps administrators to build a secure deployment that is appropriate for their needs.

Feedback on these guides is welcome on the forgejo/docs repo.

Notable Pull Requests

For a number of historical reasons, the Forgejo database currently operates without any foreign key constraints. The project uses alternative compensation mechanisms, such as an extensive and growing test automation suite and a doctor tool that checks and aligns database records for consistency, to ensure data quality. However, the absence of foreign key support is a technical debt to be overcome.

In September, an effort began to enhance the xorm object-relational mapper library in a soft-fork project to support foreign key management across all Forgejo-supported database engines. After adding seven new features for foreign key management to xorm, Forgejo switched to the new version of xorm, which unblocked development of the first foreign key addition.

Forgejo has an estimated 239 relational links between database tables. The first foreign key addition will add four foreign keys, covering about 1.7% overall.

Federation

For a high-level overview, check out the federation roadmap.

Progress on the federation in Forgejo has been ongoing but under the radar this month. The active team around the federation has met twice to prepare and submit a funding application for federated issues, among other things.

Localization

There was an influx of new contributors, higher than usual.

However, even with the simplified renewal process for maintainers, this increase in contributors isn’t reflected in the number of applications for maintainers. Currently, this does not cause an issue, but it may in the future. If you are an active translator, please consider applying to be a maintainer.

Infrastructure

Mail server

Codeberg recently setup an SMTP server for its own use and offered it to the Forgejo infrastructure. It is still in the experimental stage and is currently configured for the v11.next.forgejo.org and v12.next.forgejo.org instances only. A webmail has been setup to assist with associated maintenance tasks.

k8s changes testing

Having infrastructure as code brings challenges relating to testing the actual impact of a change. As there are many layers involved, it is not always immediately clear how a single line will affect the YAML files that will be generated and interpreted by the cluster. This can have damaging effects when a bug is introduced.

Snapshots have been added to the repository and can be conveniently updated and compared. Previously, doing so required running non-trivial command lines.

CI hardware crashed

On 15 and 23 September, the hardware dedicated to the runners crashed because the OOM Killer reacted to excessive memory consumption. In both cases the LDAP server that was spawned to test the LDAP Forgejo features was identified as being responsible. However, as it has not changed in years, the reason for this is unclear. This may be related to recent changes in the Forgejo runner, some of which relate to gracefully shutting down services gracefully.

The six-year-old image running an outdated Debian Stretch and an outdated LDAP server has been upgraded. The image is now built from a dedicated repository, derived from a maintained base image, which minimises the maintenance overhead. The old image will be deprecated. The tests had to be slightly adapted to match.

Other

Matrix security disclosure

On 16 July 2025, Matrix announced in a predisclosure that a security vulnerability had been found in the current room versions and that it had been fixed. For us, this means that all rooms on Matrix must be updated.

Five rooms have been updated so far, and this work is ongoing. We are monitoring the adoption of the security fix and plan to complete the remaining updates soon. An announcement will be made in every room before it is updated.

We Forge

Forgejo is a community of people who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature.

The following list of contributors is intended to reflect this diversity and to acknowledge all the contributions made over the past month. If you are missing, please ask for an update.