Forgejo monthly update - November 2023

Forgejo was created in October 2022 after a for-profit company took over the Gitea project. In the beginning they were almost identical, except for the name and the color. But in the past year, this difference in governance led to choices that made Forgejo significantly and durably different from Gitea.

  • Better security. Forgejo focuses on identifying and fixing security vulnerabilities as soon as they are discovered. Gitea is always notified in advance via encrypted channels (e.g. Forgejo v1.20.5-1 or Forgejo v1.20.5-0).
  • More features. Forgejo includes all of Gitea's features and integrates new ones as soon as they are available. It is a 100% compatible drop-in replacement with additional features, self-moderation being the first one.
  • Better stability. Forgejo relies on end-to-end and upgrade tests. The upgrade tests were introduced to address an instability caused by a regression in the storage settings.

Since its inception, Forgejo has been strongly committed to providing forge federation. This long-term work keeps contributors busy daily and it will still be a while before it is complete. Your help will make a difference and you are kindly invited to join the team. Your work will not help build a startup chasing unicorns; it will benefit the general public and yourself. You will only use Free Software, as Forgejo is developed with Forgejo on Codeberg with a CI and releases powered by Forgejo Actions.

Development

v1.21 release

After eight release candidates over eight weeks, the Forgejo v1.21 release was published and the companion blog post provides a summary of the work it includes.

In flight pull requests

Most pull requests are opened and closed within a week. But some of them take a longer time, either because they are more complex or because they are taken care of by volunteers who can only occasionally work on them in their free time. This is a list of those that were updated since the last monthly report. If they are of interest to you, reviewing the changes or providing solutions would be appreciated.

End to end tests

Forgejo contributors developed end-to-end tests which require running actual instances and realistic use cases. They proved particularly useful for fixing and debugging the regressions related to storage settings and for verifying that the workflows sent to the Forgejo runner succeed.

They were all moved into a dedicated repository where they can conveniently be run and developed rather than being scattered in the Forgejo repository itself or the setup-forgejo action.

Experimental releases

Starting 25 November 2023, test releases including the latest developments will be published on a regular basis, usually every week. They will be used to run https://next.forgejo.org. It is not recommended to use them in production.

Testing requirements

As a rule, changes introduced in Forgejo are associated with tests that verify they work. Without such tests they are prone to regressions over time and more difficult to review. However, it is sometimes challenging to create a new test when the underlying codebase lacks the basic infrastructure to do so. This is the case, for instance, for the JavaScript parts of the frontend or more generally user interface changes in Forgejo. As an exception, some pull requests will be merged without tests and tagged as such when they can be contributed back to the main author of the codebase and not burden Forgejo with the associated technical debt.

Federation

A new pull request was opened to implement federated stars and an activity summary was published.

The F3 refactor is making daily progress.

The task list created a year ago to track federation work is now updated monthly.

Forgejo Actions

With the 3.2.0 release of the Forgejo runner, the LXC backend was improved and can now be configured with capabilities to run k8s. It unblocked the work started a few months ago to verify a helm chart using Forgejo can run in a workflow.

Groundwork for IPv6 support is done and needs testing before it can be released.

Security releases

In late October, the Forgejo security team discovered critical vulnerabilities and worked on fixes that were published as part of Forgejo v1.21 and backported to Forgejo v1.20.5-1 after a 30-day embargo. To better prepare for such upgrades, Forgejo admins can now watch a repository dedicated to security announcements or subscribe to the associated RSS feed.

The severity of the vulnerabilities motivated security team members to write a post-mortem and ask for input and ideas in an open discussion.

User research

Although it is largely agreed that user research is one of the areas where Forgejo needs more work, it has not seen significant progress in the past year. The effort has resumed, starting with sorting issues into categories. The goal is to better understand Forgejo users.

Hardware infrastructure

As https://code.forgejo.org keeps growing, new hardware is being provisioned so that it can move away from the cloud, mostly to gain more disk space.

Governance and communication

The moderation team is now composed of two members. A Forgejo contributor also applied to the security team.

A few new members were added to the contributors team, which does not require a formal application process.

We Forge

Forgejo is a community of people who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please ask for an update.

A minority of Forgejo contributors earn a living by implementing the roadmap co-created by the Forgejo community, see the sustainability repository for the details.