Forgejo monthly report - November 2025

The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in the chatroom or participate in the ongoing discussions.

Releases

Forgejo v13.0.3

The security team has been busy fixing multiple security issues and has published v13.0.3 and v11.0.8.

These releases fix security issues and some bugs. We strongly recommend that all Forgejo installations be upgraded to the latest version.

Forgejo runner v12

Forgejo runner v12 has been released. This is a major version update due to a change in system requirements, requiring a Git installation. This requirement is included in Forgejo runner’s OCI containers. However, binary users may need to install a Git package, and packaging redistributors may need to update for the new system requirement.

Since the last major release noted in the September update, Forgejo runner has received 31 minor bug fixes and seven feature enhancements.

Users may note improved job startup times, reduced resource usage, and more accurate remote tag resolution after remote Git operations were overhauled: 1, 2 and 3.
A Git pre-commit hook was added to allow users to validate their Forgejo Actions files before committing them to their repositories.
Forgejo runner now builds on OpenBSD, DragonFly BSD, and Illumos (with host-executor support only).

Forgejo Helm chart v15.0.3

As usual, the Forgejo Helm chart received a new patch release to update the default Forgejo version to the latest released one.

Accessibility

To provide Forgejo users with disabilities with an easy way to report issues if they cannot navigate to the issue tracker, a second contact point was established through the Matrix channel #forgejo-accessibility:matrix.org. All Forgejo users with disabilities and those interested in addressing them are encouraged to join the chat.

Going forward, the channel can be used to

report accessibility issues with Forgejo instances, shifting the responsibility of issue tracking from impaired users to Forgejo contributors.
discuss accessible design and requirements between contributors and users.
invite potentially affected users to participate in the design process early on via user testing and feedback.

The chat does not replace the issue tracker. Advanced users are still encouraged to use the tracker to report accessibility problems.

User research

The user research team looks for input not only from Forgejo users but also from people who could show us their workflow from other software solutions, such as dealing with moderation reports on social media instances and forums or developing software using other forges. Please help the team by scheduling a 45 minutes research session.

The insights will help improving the contribution workflow, improving instance’s moderation tools and provide valuable insights into other topics that are currently in the process of being (re-)designed.

Additionally, there is an ongoing discussion about improving the user research and design workflow. An effective user research and design workflow is essential for developing and implementing features that are relevant to users, easy to understand and intuitive to use.

Federation

For a high-level overview, check out the federation roadmap.

During the analysis of federated user activities, it was determined that Mastodon requires an outbox and that it signs incoming activities differently compared to GoToSocial. Although these issues have been resolved, further analysis is required.

In the meantime, work started on “Enhance Signature Handling for Actors”. This will enable signature handling to support more types of actors. Currently, only user and instance actors are supported. Implementation of signature handling for actors began with the addition of support for users and instances.

Handle federated key material as first-class citizens instead of attaching them to their actors: PR.
Simplify signature validation to the least common denominator: PR.
Add support for RFC9421 signatures, which Mastodon may implement soon: PR.

Furthermore, work is underway on the implementation of “Federated Search”. The first pull request in progress is:

Enhance Webfinger for upcoming actor types, such as repository or organization: PR.

Infrastructure

Six months ago, distributed crawling hit code.forgejo.org, and the mitigation measures put in place then held until a few weeks ago. The mitigation measures relied on JavaScript-based proof-of-work, but the crawling software learned to resolve the measures, allowing the attack to return.

Since November 24, a new blocking strategy has been implemented and successfully blocked around one million unique IPs daily. Only 5,000 unique IP addresses reach code.forgejo.org daily, and no reports of legitimate traffic being blocked have been received.

Furthermore, transparent Nginx servers were added to act as caching proxies for the /avatars and /assets routes, in order to reduce the load on all Forgejo instances running in the Kubernetes cluster.

Other

Dutch government shows interest in Forgejo

The Dutch government has expressed interest in using Forgejo for its national code platform. Currently, they rely on GitHub, but they are looking for alternatives for storing, collaborating and building government code. This is part of the Open Source Program Office (OSPo)‘s efforts to regain digital sovereignty. Throughout the month, a call also took place between a representative from the office and some Forgejo contributors.

Moreover, it is pleasing to hear that the office expressed interest in exploring ways to contribute back to the project.

Matrix security disclosure

On 16 July 2025, Matrix announced in a predisclosure that a security vulnerability had been found in the current room versions, which had been fixed. This means for us that all rooms on Matrix must be updated.

The development room was updated on November 23 due to unexpected state behavior. The last rooms to be updated are the Federation and Chat room.

We are monitoring the adoption of the security fix and plan to complete the remaining updates soon. An announcement will be made in each room before it is updated.

We Forge

Forgejo is a community of people who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature.

The following list of contributors is intended to reflect this diversity and to acknowledge all the contributions made over the past month. If you are missing, please ask for an update.