forgejo/RELEASE-NOTES.md
2023-03-04 14:02:08 +01:00

50 KiB

Release Notes

A Forgejo release is published shortly after a Gitea release is published and they have matching release numbers. Additional Forgejo releases may be published to address urgent security issues or bug fixes. Forgejo release notes include all Gitea release notes.

The Forgejo admin should carefully read the required manual actions before upgrading. A point release (e.g. v1.19.1 or v1.19.2) does not require manual actions but others might (e.g. v1.18.0, v1.19.0).

DRAFT 1.19.0-0

These are draft release notes for the upcoming Forgejo v1.19.0-0 release. They are improved while release candidates are made available for testing in the https://codeberg.org/forgejo-experimental organization. Contributions are welcome! Read more...

The complete list of commits included in the Forgejo v1.19.0-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.18/forgejo..origin/v1.19/forgejo

Breaking changes

Support scoped access tokens

Forgejo access token, used with the API can now have a "scope" that limits what it can access. Existing tokens stored in the database and created before Forgejo v1.19 had unlimited access. For backward compatibility, their access will remain the same and they will continue to work as before.

However, newly created token that do not specify a scope will now only have read-only access to public user profile and public repositories.

For instance, the /users/{username}/tokens API endpoint will require the scopes: ['all', 'sudo'] parameter and the forgejo admin user generate-access-token will require the --scopes all,sudo argument obtain tokens with ulimited access as before for admin users.

Read more about the scoped tokens.

Repositories: by default disable all units except code and pulls on forks

When forking a repository, the fork will now have issues, projects, releases, packages and wiki disabled. These can be enabled in the repository settings afterwards. To change back to the previous default behavior, configure DEFAULT_FORK_REPO_UNITS to be the same value as DEFAULT_REPO_UNITS.

Remove ONLY_SHOW_RELEVANT_REPOS setting

  • (description)

Remove deprecated DSA host key from Docker Container

Since OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm, and recommend against its use. http://www.openssh.com/legacy.html

Webhook authorization header

Any webhook can now specify an Authorization header to be sent along every request.

  • (why is it breaking?)

Additional restrictions on valid user names

The algorithm for validating user names was modified and some users may have invalid names. The command forgejo doctor --run check-user-names will list all of them so they can be renamed.

If a Forgejo instance has users or organizations named forgejo-actions and gitea-actions, they will also need to be renamed before the upgrade. They are now reserved names for the experimental internal CI/CD named Actions.

Features

Documentation

The first version of the Forgejo documentation is available and covers the administration of Forgejo, from installation to troubleshooting.

Incoming emails

You can now set up Forgejo to receive incoming email. When enabled, it is now possible to reply to an email notification from Forgejo and:

  • Add a comment to an issue or a pull request
  • Unsubscribe to the notifications

Read more...

Packages registries

Option to prohibit fork if user reached maximum limit of repositories

It is possible for a user to create as many fork as they want, even when a quota on the number of repositories is imposed. The new ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT setting can now be set to false so forks are prohibited if that means exceeding the quota.

Read more about repository configurations

Scoped labels

Labels that contain a forward slash (/) separator are displayed with a slightly different color before and after the separator, as a visual aid. The first part of the label defines its "scope".

Label list

When creating a label with a scope, it is possible to make it exclusive.

New label

Such an exclusive label cannot be used at the same time as other labels in the same scope. In this example only one of the the exclusive labels forgejo/ui and forgejo/i18n can be selected and is shown with a leading dot. Multiple non exclusive labels can be selected and are shown with a leading checkmark.

New label

Support org/user level projects

It is now possible to create projects (kanban boards) for an organization or a user, in the same way it was possible for an individual repository.

Map OIDC groups to Orgs/Teams

When a user logs in Forgejo using an provider such as Keycloak, they can now automatically be part of a Forgejo team, depending on the OIDC group they belong to. For instance:

{"Developer": {"MyForgejoOrganization": ["MyForgejoTeam1", "MyForgejoTeam2"]}}

Means that the user who is in the OIDC group Developer will automatically be a member of the MyForgejoTeam1 and MyForgejoTeam2 teams in the MyForgejoOrganization organization.

This mapping is set when adding a new Authentication Source in the Site Administration panel.

OIDC Group mapping part1

...

OIDC Group mapping part2

Read more...

RSS feed for releases and tags

A RSS feed is now available for releases at /{owner}/{repo}/releases.rss and tags at /{owner}/{repo}/tags.rss.

Supports wildcard protected branch

Instead of selected a branch to be protected, the name of the branch must be specified and can be a pattern such as precious*.

Read more about branch protection.

Garbage collect LFS

Add a doctor command for full garbage collection of LFS: forgejo doctor --run gc-lfs.

Additions to the API

Support disabling database auto migration

  • (description)

Option to disable releases on a repository

It is now possible to disable releases on a repository, in the same way it is possible to disable issues or packages.

Actions: an experimental CI/CD

It appears for the first time in this Forgejo release but is not yet fit for production. It is not fully implemented and may be insecure. However, as long as it is not enabled, it presents no risk to existing Forgejo instances.

If a repository has a file such as .forgejo/workflows/test.yml, it will be interpreted, for instance to run tests and verify the code in the repository works as expected (Continuous Integration). It can also be used to create HTML pages for a website and publish them (Continous Deployment). The syntax is similar to GitHub Actions and the jobs can be controled from the Forgejo web interface. Read more...

Actions

User Interface improvements

Review box on small screens

The rendering of the review box is improved on small screens.

Copy citation file content in APA and BibTex format

If a BibTeX file named CITATION.bib is at the root of the repository, it can be conveniently copied and converted in APA by following the Cite this repository link.

Citation link

It will open a dialog box with the available formats and a preview of the content.

Citation dialog

The CFF format is also supported when a CITATION.cff file used instead.

Display asciicast

Files with the .cast extension are displayed in the Forgejo web interface as asciicast v2 files using asciinema-player.

Attention blocks Note and Warning

For each quote block, the first **Note** or **Warning** gets an icon prepended to it and its text is colored accordingly.

Attention block

Support for commit cross references

A commit hash can now be prefixed by the repository to be referenced from a comment in another repository: owner/repo@commit.

Enable @- completion popup on the release description textarea

  • (description)

Preview images for Issue cards in Project Board view

  • (description)

Add "Copy" button to file view of raw text

  • (description)

Setting to allow edits on PRs by maintainers

  • (description)

Container images upgraded to Alpine 3.17

The Forgejo container images are now based on Alpine 3.17 instead of Alpine 3.16. It includes an upgrade from git 2.36.5 to git 2.38.4 and from openssh 9.0p1 to openssh 9.1p1.

1.18.5-0

This stable release contains an important security fix for Forgejo to raise the protection against brute force attack on hashed passwords stored in the database to match industry standards, as described in detail in a companion blog post.

We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

If PASSWORD_HASH_ALGO is explicitly set in app.ini, comment it out so that the stronger algorithm is used instead.

All password hashes stored with another algorithm will be updated to the new algorithm on the next usage of this password (e.g. a user provides the password to the Forgejo server when they login). It does not require manual intervention.

Forgejo

Gitea

Note that there is no Forgejo v1.18.4-N because Gitea v1.18.4 was replaced by Gitea v1.18.5 a few days after its release because of a regression. Forgejo was not affected.

1.18.3-2

This stable release includes a security fix for git and bug fixes.

Git

Git recently announced new versions to address two CVEs (CVE-2023-22490, CVE-2023-23946). On 14 Februrary 2023, Git published the maintenance release v2.39.2, together with releases for older maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. All major GNU/Linux distributions also provide updated packages via their security update channels.

We recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 or v2.30.8
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.3-2

Forgejo

Gitea

1.18.3-1

This stable release includes bug fixes.

Forgejo

Gitea

1.18.3-0

This stable release includes bug fixes.

Forgejo

Gitea

1.18.2-1

This stable release includes a security fix. It was possible to reveal a user's email address, which is problematic because users can choose to hide their email address from everyone. This was possible because the notification email for a repository transfer request to an organization included every user's email address in the owner team. This has been fixed by sending individual emails instead and the code was refactored to prevent it from happening again.

We strongly recommend that all installations are upgraded to the latest version as soon as possible.

Gitea

1.18.2-0

This stable release includes bug fixes.

Gitea

1.18.1-0

This is the first Forgejo stable point release.

Forgejo

Critical security update for Git

Git recently announced new versions to address two CVEs (CVE-2022-23521, CVE-2022-41903). On 17 January 2023, Git published the maintenance release v2.39.1, together with releases for older maintenance tracks v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7. All major GNU/Linux distributions also provide updated packages via their security update channels.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, or v2.30.7
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.1-0

Read more in the Forgejo blog.

Release process stability

The release process based on Woodpecker CI was entirely reworked to be more resilient to transient errors. A new release is first uploaded into the new Forgejo experimental organization for testing purposes.

Automated end to end testing of releases was implemented with a full development cycle including the creation of a new repository and a run of CI. It relieves the user and developer from the burden of tedious manual testing.

Container environment variables

When running a container, all environment variables starting with FORGEJO__ can be used instead of GITEA__. For backward compatibility with existing scripts, it is still possible to use GITEA__ instead of FORGEJO__. For instance:

docker run --name forgejo -e FORGEJO__security__INSTALL_LOCK=true codeberg.org/forgejo/forgejo:1.18.1-0

Forgejo hook types

A new forgejo hook type is available and behaves exactly the same as the existing gitea hook type. It will be used to implement additional features specific to Forgejo in a way that will be backward compatible with Gitea.

X-Forgejo headers

Wherever a X-Gitea header is received or sent, an identical X-Forgejo is added. For instance when a notification mail is sent, the X-Forgejo-Reason header is set to explain why. Or when a webhook is sent, the X-Forgejo-Event header is set with push, tag, etc. for Woodpecker CI to decide on an action.

Look and feel fixes

The Forgejo theme was modified to take into account user feedback.

Gitea

1.18.0-1

This is the first Forgejo release.

Forgejo improvements

Woodpecker CI

A new CI configuration based on Woodpecker CI was created. It is used to:

Look and feel

The default themes were replaced by Forgejo themes and the landing page was modified to display the Forgejo logo and names but the look and feel remains otherwise identical to Gitea.

Landing page

Privacy

Gitea instances fetch https://dl.gitea.io/gitea/version.json weekly by default, which raises privacy concerns. In Forgejo this feature needs to be explicitly activated at installation time or by modifying the configuration file. Forgejo also provides an alternative RSS feed to be informed when a new release is published.

Gitea

1.18.0-0

This release was replaced by 1.18.0-1 a few hours after being published because the release process was interrupted.

1.18.0-rc1-2

This is the first Forgejo release candidate.