Dependency management

Forgejo relies on hundreds of Free Software components and they all need to be updated on a regular basis, with appropriate tooling and methods.

Releases

Software referenced by a release (even if such a release is the hash of a commit). They are listed in the dependency dashboard which is updated by renovate from the renovate.json configuration file.

Pull requests are opened when an upgrade is available and the decision to merge (positive review) or not (request for change review) depends on what the upgrade offers.

  • The PR contains information about the release. If it does not, it has detailed references that can be used to browse the commits in the dependency source repository and figure out what the changes are.
  • The comment of the review:
    • explains the decision (needed, not needed)
    • explains why the change has an impact on Forgejo
  • If the upgrade is needed, user visible changes must be included in the draft release notes for the upcoming release.
  • Security fix and important bug fixes are backported to the stable releases.
  • Set the dependency label

Soft forks

Permanent

Temporary

Cherry-picking

lxc-helpers

Injects itself via a workflow in its dependencies.

Gitea

Cherry-picked in the Forgejo codebase on a regular basis using a dedicated CLI tool.