Forgejo v1.20 is available

Forgejo v1.20.1-0 is here and you will find the most interesting changes it introduces below. Before upgrading it is strongly recommended to make a full backup as explained in the upgrade guide and carefully read all breaking changes from the release notes. If in doubt, do not hesitate to ask for help on the Fediverse, or in the chat room.

Actions: the internal CI graduated from experimental to alpha and is now used by Forgejo to verify pull requests and to create releases, including this one. It comes with a user documentation that includes examples and an extensive administrator guide to set it up.
User profile: the Forgejo home page for a user can now be a Markdown file instead of the list of repositories they own.
New markdown editor: the editor used when creating issues, adding comments, etc. is now GitHub markdown.
Blocking users: is a new self-moderation tool a user or an organization can use to prevent users from interacting with the repositories they own.
Pinned issues: it is now possible to select issues and pull requests to show on top of the list.
Registries: additional registries are now available for SWIFT, debian, RPM, alpine, Go and CRAN.
API endpoints: new API endpoints are now available for email, renaming a user, issue dependencies management, activity feeds, license templates, gitignore templates, uploading files to an empty repository, creating a branch directly from commit, label templates, changing/creating/deleting multiple files.

Forgejo Actions

Although Forgejo Actions is not yet production ready, it became good enough for Forgejo itself to use in production. It verifies pull requests (see also the testing workflow), builds and publishes releases (this one and the release candidates before it).

List of actions

It is still considered alpha stage because:

the Forgejo runner is not secure enough
a single Forgejo runner will poll Forgejo every two seconds by default which is not scalable
some errors only show in the Forgejo runner logs and not in the Forgejo user interface which is not a good user experience

Details of a task

The potential security bugs are a concern and Forgejo took the following precautions to reduce the risks in its own infrastructure.

Do not trust any web application with secrets. The Forgejo release process needs a GPG private key to sign the binaries before they are uploaded. A web application with a large attack surface such as Forgejo or GitLab must not be trusted to keep such a secret safe. Instead a Forgejo instance dedicated to signing the releases was installed behind a VPN.
LXC containers confinement. All Forgejo runners are deployed in dedicated LXC containers and re-installed from scratch from time to time.

In addition, the required pull request approval prevents unknown users from triggering a task that would include a malicious workflow.

User profile

By default the profile page of a user is the list of repositories they own. It is possible to customize it with a short description that shows to the left, under their avatar. It can now be fully personalized with a markdown file that is displayed instead of the list of repositories.

New markdown editor

The web editor used when creating issues, adding comments, etc. changed from EasyMDE to GitHub markdown. To help with the transition it is still possible to switch back to using EasyMDE with the double arrow button in the menubar.

GitHub markdown editor

This new markdown editor does not provide any WYSIWIG features. As shown in the demo it is merely a helper for users who are not familiar with markdown.

GitHub markdown example

Want to add a list? Click on the list menu item and see that a star is inserted for you. Select a word and click the bold button so it is surrounded by two stars. Nothing fancier. By comparison the EasyMDE editor has more features such as showing in bold the word that is surrounded by two stars.

EasyMDE editor

Unfortunately it is no longer actively maintained and enough has long standing bugs to justify a replacement.

Blocking users

On large Forgejo instances with ten of thousands of users it may be challenging for the moderation team to properly address all requests. The most common one being a malicious user spamming issues with advertisements or unwanted noise. It will be immediately noticed by the repository owner and it may take a while for the moderation team to act.

The owner of a repository or an organization can now block a user as soon as they notice an undesirable interaction. When they go to the profile page of the user, a new Block button shows on the left.

Block button on user profile

After confirmation the user will be added to the list of blocked users.

Blocking a user confirmation

From the Blocked Users tab in their profile, the user can unblock them when the relationship gets better.

List of blocked users

The user being blocked is not notified and does not see any difference until they try to participate in a repository from which they are blocked. Their action will fail with a message informing them they have been blocked.

Forbidden interaction from the point of view of the blocked user

Pin issues

Issues and pull requests can be pinned and will show on top of the list of issues (or pull requests). They can be re-arranged by dragging them.

Profile page

Theming and custom templates

The themes and templates changed a lot in this release and there is no documentation explaining how and why. The hope is that the users will discover the changes and not be overly confused.

This is also a reminder that Forgejo considers themes and templates to be a part of the internals and require an understanding of the source codebase to be modified and adapted after each release. In other words, if a Forgejo admin extracted templates and modified them on a v1.19 instance they will need to read the source code to figure out how they need to be modified to keep working with v1.20.

Federation

Does Forgejo support federation? Not yet. Was there progress? Yes.

The monthly report has details on these progress and the State of the Forge Federation: 2023 edition published last month explains how Forgejo fits in the big picture.

Forges have existed for twenty years and none of them has achieved data portability let alone federation. Forgejo is yet to celebrate its first birthday and it will take it a little time to get there. One thing is for sure: at this point no other forge is doing concrete work in this direction.

Get Forgejo v1.20

See the download page for instructions on how to install Forgejo, and read the release notes for more information.

Upgrading

Carefully read the breaking changes section of the release notes.

The actual upgrade process is as simple as replacing the binary or container image with the corresponding Forgejo binary or container image. If you’re using the container images, you can use the 1.20 tag to stay up to date with the latest 1.20.x point release automatically.

Make sure to check the Forgejo upgrade documentation for recommendations on how to properly backup your instance before the upgrade. It also covers upgrading from Gitea, as far back as version 1.2.0. Forgejo includes all of Gitea v1.20.

Contribute to Forgejo

If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in the issue tracker for feature requests or bug reports, reach out on the Fediverse, or drop into the Matrix space (main chat room) and say hi!