forgejo/RELEASE-NOTES.md
Loïc Dachary 0557568f61
[DOCS] RELEASE-NOTES.md
(cherry picked from commit b07123ee7b)
(cherry picked from commit ca85c880b4)
(cherry picked from commit 723ead94cb)
(cherry picked from commit ff148318da)

[DOCS] RELEASE-NOTES: 1.19.0

(cherry picked from commit e84e43887b)

[DOCS] RELEASE-NOTES: add scoped access tokens

(cherry picked from commit 688f831853)

[DOCS] RELEASE-NOTES: Scoped labels

(cherry picked from commit 747479a07b)

[DOCS] RELEASE-NOTES: OIDC groups

(cherry picked from commit 10c505fe89)

[DOCS] RELEASE-NOTES: Copy Link is broken

On firefox it fails with Uncaught TypeError: navigator.clipboard is
   undefined
On chromium it fails with Uncaught TypeError: Cannot read properties of undefined (reading 'writeText')

(cherry picked from commit 148b2ff093)

[DOCS] RELEASE-NOTES: Copy citation

(cherry picked from commit d0f217735f)

[DOCS] RELEASE-NOTES: Support org/user level projects

(cherry picked from commit de845c7bcf)

[DOCS] RELEASE-NOTES: v1.19 has a documentation

(cherry picked from commit 9a5b46da32)

[DOCS] RELEASE-NOTES: do not split webhook section

(cherry picked from commit 00ed020321)

[DOCS] RELEASE-NOTES: Incoming emails

(cherry picked from commit 06c455b33b)

[DOCS] RELEASE-NOTES: secrets are an implementation detail

(cherry picked from commit 8236dc3a57)

[DOCS] RELEASE-NOTES: Prohibit fork if user reached maximum

(cherry picked from commit 0f80b8c696)

[DOCS] RELEASE-NOTES: scoped tokens: do not duplicate the docs

(cherry picked from commit 9bc4793c07)

[DOCS] RELEASE-NOTES: rss feed for tags and releases

(cherry picked from commit 599b36fada)

[DOCS] RELEASE-NOTES: protected branches wildcard

(cherry picked from commit 2b316c4950)

[DOCS] RELEASE-NOTES: disable releases

(cherry picked from commit 9a60773f1d)

[DOCS] RELEASE-NOTES: review box

(cherry picked from commit 09867dd122)

[DOCS] RELEASE-NOTES: asciicast support

(cherry picked from commit ea9658379b)

[DOCS] RELEASE-NOTES: attention blocks

(cherry picked from commit 70b387750b)

[DOCS] RELEASE-NOTES: commit cross reference

(cherry picked from commit fe706dad13)

[DOCS] RELEASE-NOTES: strip user completion border case

(cherry picked from commit 33ca51b4b6)

[DOCS] RELEASE-NOTES: card preview

(cherry picked from commit 626cd78ca6)

[DOCS] RELEASE-NOTES: raw copy button

(cherry picked from commit edfb467d64)

[DOCS] RELEASE-NOTES: allow edits by maintainers by default

(cherry picked from commit 7006405bc6)

[DOCS] RELEASE-NOTES: database auto migration is a little arcane

(cherry picked from commit 78030fa9af)

[DOCS] RELEASE-NOTES: fix typos & minor rewording

(cherry picked from commit ae1d47f656)
(cherry picked from commit ad08ca9955)

[DOCS] RELEASE-NOTES: webhook authorization header

(cherry picked from commit c35e2c4f6f)

[DOCS] RELEASE-NOTES: video element in markdown

(cherry picked from commit bcb0bd51d2)

[DOCS] RELEASE-NOTES: move scoped labels to the documentation

(cherry picked from commit c5eedaf4f3)

[DOCS] RELEASE-NOTES: cosmetic improvements

(cherry picked from commit b93df350d9)

[DOCS] RELEASE-NOTES: 1.19.0-0 is really : 1.19.0-2

(cherry picked from commit 60d770c2c9)

[DOCS] RELEASE-NOTES: relevant repositories

(cherry picked from commit de6ed5b87f)
(cherry picked from commit 71d91fdf22)

[DOCS] RELEASE-NOTES: semantic version

(cherry picked from commit af062d77f0)

[DOCS] RELEASE-NOTES: reflogs

(cherry picked from commit 084713d8aa)
(cherry picked from commit 90ad322a56)

[DOCS] RELEASE-NOTES: fix broken link to OIDC mapping

(cherry picked from commit 802a252eb5)

[DOCS] RELEASE-NOTES: Fix spaces

(cherry picked from commit a605d36ab6)

[DOCS] RELEASE-NOTES: SemVer

(cherry picked from commit 7b29c90035)
(cherry picked from commit 82799195c9)
(cherry picked from commit 5d9c2e9ec6)

[DOCS] RELEASE-NOTES: 1.19.0-3

(cherry picked from commit c599b2947d)
(cherry picked from commit 8a37027ae7)

[DOCS] RELEASE-NOTES: v1.19.1-0

(cherry picked from commit 89b9e96cc7)
(cherry picked from commit 2b4e881a4e)

[DOCS] RELEASE-NOTES: 1.19.2-0

(cherry picked from commit 0c0d2ec46c)
(cherry picked from commit 437b8caae4)

[DOCS] RELEASE-NOTES: 1.19.3-0

(cherry picked from commit 040740917e)

[DOCS] RELEASE-NOTES: 1.19.3-0 (fix typo)

(cherry picked from commit 24516cb22a)
(cherry picked from commit 429c8e6525)
(cherry picked from commit 8247bddb45)
(cherry picked from commit d77d7b7be7)
(cherry picked from commit a64c899b1d)
(cherry picked from commit 0803eaa2e3)
(cherry picked from commit 8538f2897e)
(cherry picked from commit 45b9037d3c)
(cherry picked from commit 928705f870)
(cherry picked from commit 19e683468c)
(cherry picked from commit 5ae55e8e34)
(cherry picked from commit 7c224d84cf)

[DOCS] RELEASE-NOTES: 1.20.0

(cherry picked from commit 3fbcdd235b)
(cherry picked from commit e7a621acae)
(cherry picked from commit 70adac6d66)

[DOCS] RELEASE-NOTES: 1.20.0-0-rc0 (squash) rewording

(cherry picked from commit 1b79fab57d)

[DOCS] RELEASE-NOTES: 1.20.0-0-rc0 (squash) time

(cherry picked from commit cfd599a132)

[DOCS] RELEASE-NOTES: 1.20.0-0-rc0 (squash) wiki

(cherry picked from commit 6aa2ab41c6)

pick changes from #829

(cherry picked from commit f599598101)

[DOCS] RELEASE-NOTES: 1.20.0-0-rc0 (squash) ui

(cherry picked from commit 5f0aa769b1)

features

(cherry picked from commit d1e788ff4e)

typos

(cherry picked from commit 088d4b2d61)

Mirror Settings

(cherry picked from commit 161412affd)

features

(cherry picked from commit 10cb0379e2)

fix typo

(cherry picked from commit aee096b040)

TODO

(cherry picked from commit 0d4e0bb4a9)

typo

(cherry picked from commit b76a3c1a84)
(cherry picked from commit 4c354196c2)
(cherry picked from commit 6323c6d1a2)

[DOCS] RELEASE-NOTES: 1.20.0 (squash) Woodpecker CI archive repository

(cherry picked from commit 154ee5bc9c)

[DOCS] RELEASE-NOTES: 1.20.0 (squash)

(cherry picked from commit 656f955448)

[DOCS] RELEASE-NOTES: 1.19.4-0

(cherry picked from commit 85bd997176)

[DOCS] RELEASE-NOTES: 1.19.4-0 (squash) fix typo

(cherry picked from commit e5c364c586)
(cherry picked from commit c123048e51)
(cherry picked from commit ad2fedb693)

[DOCS] RELEASE-NOTES: 1.20.0 (squash) blog

Pick changes from https://blog.gitea.com/release-of-1.20.0/

(cherry picked from commit c8068a9d7b)

[DOCS] RELEASE-NOTES: 1.20.0 (squash) Gitea release notes

Review https://github.com/go-gitea/gitea/releases/tag/v1.20.0

(cherry picked from commit dd58b50403)

[DOCS] RELEASE-NOTES: 1.20.0 (squash) commits

git log --no-merges --oneline 64ed262e1..gitea/release/v1.20 . ':(exclude,glob)docs/**' ':(exclude)CONTRIBUTING.md' ':(exclude)MAINTAINERS' ':(exclude,glob).github/**' ':(exclude)CHANGELOG.md' ':(exclude,glob)options/locale/**' ':(exclude,glob)options/license/**' ':(exclude,glob)snap/**' ':(exclude).drone.yml' ':(exclude)custom/conf/app.example.ini'

9159964ad Avoid opening/closing PRs which are already merged (#25883) (#25903)
9369b3831 Skip unuseful error message in dev mode when watching local filesystem (#25919) (#25927)
6e82d0bb7 Add shutting down notice (#25920) (#25922)
36b9a86bd Fix incorrect milestone count when provide a keyword (#25880) (#25904)
de8127e78 fix incorrect repo url when changed the case of ownername (#25733) (#25881)
de8127e78 fix incorrect repo url when changed the case of ownername (#25733) (#25881)
186f07bbf Make `add line comment` buttons focusable (#25894) (#25896)
45b1f4dd3 Add support for different Maven POM encoding (#25873) (#25890)
026e745b9 Fix incorrect release count (#25879) (#25887)
c334be828 Fix empty project displayed in issue sidebar (#25802) (#25854)
353dcc5ad Fix the error message when the token is incorrect (#25701) (#25836)
abe9c641c Show correct SSL Mode on "install page" (#25818) (#25838)
052e65e63 Fix incorrect oldest sort in project list (#25806) (#25835)
c1a10be07 Fix activity type match in `matchPullRequestEvent` (#25746) (#25796)
2b79d3fd5 For API attachments, use API URL (#25639) (#25814)
b4460cf54 Make "install page" respect environment config (#25648) (#25799)
a1bc2aa05 Avoid amending the Rebase and Fast-forward merge if there is no message template (#25779) (#25809)
d713cf615 Fix WORK_DIR for docker (root) image (#25738) (#25811)
012b804a9 Clarify "text-align" CSS helpers, fix clone button padding (#25763) (#25764)
372b622c2 Revert package access change from #23879 (#25707) (#25785)
06bcdfe77 Remove unused code (#25734) (#25788)
a5a3c8141 Fix notification list bugs (#25781) (#25787)
ea2c9de3c Test if container blob is accessible before mounting (#22759) (#25784)
348a6bf70 Always pass 6-digit hex color to monaco (#25780) (#25782)
91dadeddd Translate untranslated string in issues list (#25759) (#25761)
32eaba1b4 Hide `add file` button for pull mirrors (#25748) (#25751)
917ca5ded Several fixes for mobile UI (#25634) (#25689)
e595dfeec Allow/fix review (approve/reject) of empty PRs (#25690) (#25732)
03cacf971 Check `ctx.Written()` for `GetActionIssue` (#25698) (#25711)
68e0c802f Show correct naming for 1 comment (#25704) (#25712)
09668b2e2 Correct permissions for `.ssh` and `authorized_keys` (#25721) (#25730)
04eea29ec Fix tags header and pretty format numbers (#25624) (#25694)
511be9fe6 Fix position of org follow button (#25688) (#25692)
24e64fe37 Replace `interface{}` with `any` (#25686) (#25687)
4e310133f Prevent duplicate image loading (#25675) (#25684)
491f36d32 Actions list enhancements (#25601) (#25678)
5510ed34f Fix the nil pointer when assigning issues to projects (#25665) (#25677)
39fce5750 Prevent SVG shrinking (#25652) (#25669)
1f9037604 Fix show more for image on diff page (#25672) (#25673)
0af6542a3 Add unit test for repository collaboration (#25640) (#25658)
69bdcf41f Log the real reason when authentication fails (but don't show the user) (#25414) (#25660)
e610b0389 Fix UI misalignment on user setting page (#25629) (#25656)
13ffa287b  Fix bug of branches API with tests(#25578) (#25579)

(cherry picked from commit 3e9e862e5e)

[DOCS] RELEASE-NOTES: 1.20.0 (squash) reorder breaking

(cherry picked from commit 4e4cdddc55)

address rome-user review

(cherry picked from commit 8791fe88b1)

[DOCS] RELEASE-NOTES: 1.20.0 (squash) reword breaking

- removed the section about the changed themes: it is an internal
detail and redundant with the above warning regarding themes &
templates

(cherry picked from commit b34e9a7b19)

[DOCS] RELEASE-NOTES: 1.20.0 (squash) minor rewording

The CI & Actions sections were grouped together.

(cherry picked from commit ed236e1ee8)

[DOCS] RELEASE-NOTES: 1.20.1-0 (squash)

(cherry picked from commit 3c11eb1de5)

[DOCS] RELEASE-NOTES: 1.20.1-0 (squash) Forgejo features/optimizations

(cherry picked from commit c516fd0c7a)

[DOCS] RELEASE-NOTES: 1.20.1-0 (squash) fix typo in Alpine version

(cherry picked from commit 1c2a5b5162)

[DOCS] RELEASE-NOTES: 1.20.1-0 (squash) comment out obsoleted queue keys

(cherry picked from commit 8c0d9459c5)

[DOCS] RELEASE-NOTES: 1.20.1-0 (squash) WORK_PATH breaking change

(cherry picked from commit f4ea3b27f5)
2023-07-26 14:40:00 +02:00


Release Notes

A Forgejo release is published shortly after a Gitea release is published and they have matching release numbers. Additional Forgejo releases may be published to address urgent security issues or bug fixes. Forgejo release notes include all Gitea release notes.

The Forgejo admin should carefully read the required manual actions before upgrading. A point release (e.g. v1.19.1 or v1.19.2) does not require manual actions but others might (e.g. v1.18.0, v1.19.0).

1.20.1-0

The complete list of commits included in the Forgejo v1.20.1-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.19/forgejo..origin/v1.20/forgejo

  • Container images upgraded to Alpine 3.18

    The Forgejo container images are now based on Alpine 3.18 instead of Alpine 3.17.

1.19.4-0

The complete list of commits included in the Forgejo v1.19.4-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.3-0..v1.19.4-0

This stable release contains security fixes.

1.19.3-0

The complete list of commits included in the Forgejo v1.19.3-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.2-0..v1.19.3-0

This stable release contains security fixes.

1.19.2-0

The complete list of commits included in the Forgejo v1.19.2-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.1-0..v1.19.2-0

This stable release contains important security fixes.

  • Recommended Action

    We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

  • Forgejo Semantic Version

    The semantic version was updated from 4.1.0+0-gitea-1.19.1 to 4.2.0+0-gitea-1.19.2 because of the changes introduced in the internal CI.

  • Security fixes

    • Token scopes were not enforced in some cases (patch 1 and patch 2). Scoped tokens, introduced in Forgejo v1.19, allow for the creation of application tokens that only have limited permissions, such as creating packages or accessing repositories. Prior to Forgejo v1.19, tokens could be used to perform any operation the user issuing the token could.
    • Permission to delete secrets was not enforced. The experimental internal CI relies on secrets managed via the web interface, for instance to communicate credentials to a job. Secrets are only used in the context of the experimental internal CI.
  • Bug fixes

    The most prominent ones are described here, others can be found in the list of commits included in the release as described above.

  • Container image upgrades

    In the Forgejo container images the Git version was upgraded to 2.38.5 as a precaution. The Forgejo security team analyzed the security fixes it contains and concluded that Forgejo is not affected.

1.19.1-0

The complete list of commits included in the Forgejo v1.19.1-0 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.0-3..v1.19.1-0

This stable release includes bug fixes. Functional changes related to the experimental CI have also been backported.

1.19.0-3

The complete list of commits included in the Forgejo v1.19.0-3 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges v1.19.0-2..v1.19.0-3

This stable release includes security updates and bug fixes.

1.19.0-2

The complete list of commits included in the Forgejo v1.19.0-2 release can be reviewed from the command line with:

$ git clone https://codeberg.org/forgejo/forgejo/
$ git -C forgejo log --oneline --no-merges origin/v1.18/forgejo..origin/v1.19/forgejo

  • Breaking changes

    • Scoped access tokens

      Forgejo access tokens, used with the API, can now have a "scope" that limits what they can access. Existing tokens stored in the database and created before Forgejo v1.19 had unlimited access. For backward compatibility, their access will remain the same and they will continue to work as before. However, newly created tokens that do not specify a scope will now only have read-only access to public user profiles and public repositories.

      For instance, the /users/{username}/tokens API endpoint will require the scopes: ['all', 'sudo'] parameter and the forgejo admin user generate-access-token command will require the --scopes all,sudo argument to obtain tokens with unlimited access, as before, for admin users.

      Read more about the scoped tokens.

    • Disable all units except code and pulls on forks

      When forking a repository, the fork will now have issues, projects, releases, packages and wiki disabled. These can be enabled in the repository settings afterwards. To change back to the previous default behavior, configure DEFAULT_FORK_REPO_UNITS to be the same value as DEFAULT_REPO_UNITS.

    • Filter repositories by default on the explore page

      The explore page now always filters out repositories that are considered not relevant because they are either forks or have no topic, no description and no icon. A link is shown to display all repositories, unfiltered.

      Explore repositories

    • Remove deprecated DSA host key from Docker Container

      The DSA host key was removed because OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm and recommend against its use. See http://www.openssh.com/legacy.html

    • Additional restrictions on valid user names

      The algorithm for validating user names was modified and some users may have invalid names. The command forgejo doctor --run check-user-names will list all of them so they can be renamed.

      If a Forgejo instance has users or organizations named forgejo-actions and gitea-actions, they will also need to be renamed before the upgrade. They are now reserved names for the experimental internal CI/CD named Actions.

    • Semantic version

      Since v1.18.5, in addition to the Forgejo release number, a semantic version number (e.g. v3.0.0) can be obtained from the number key of a new /api/forgejo/v1/version endpoint.

      Now, it reflects the Gitea version that Forgejo depends on, is no longer prefixed with v (e.g. 3.0.0+0-gitea-1.19.0), and can be obtained from the version key of the same endpoint.

  • Features

  • User Interface improvements

  • Container images upgraded to Alpine 3.17

    The Forgejo container images are now based on Alpine 3.17 instead of Alpine 3.16. It includes an upgrade from git 2.36.5 to git 2.38.4 and from openssh 9.0p1 to openssh 9.1p1.
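
The "Semantic version" change above matters when inventorying instances: the following added example (not part of the Forgejo code base or its release notes) parses the body returned by /api/forgejo/v1/version in both the older number form and the newer version form, and compares it against a minimum release. The function names and the sample bodies are constructed for illustration; the default minimum is the 4.2.0+0-gitea-1.19.2 value quoted in the 1.19.2-0 notes.

```python
import json
import re

# Semantic version core with optional "v" prefix (the older `number` form)
# and optional build metadata such as "+0-gitea-1.19.0".
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+(?P<build>[0-9A-Za-z.-]+))?$")
_GITEA = re.compile(r"gitea-(\d+)\.(\d+)\.(\d+)")


def parse_version_response(body):
    """Return (forgejo_core, gitea_version) from a version endpoint body.

    forgejo_core is a (major, minor, patch) tuple. gitea_version is the
    Gitea release named in the build metadata, or None when absent.
    Strings that do not match (for example pre-release suffixes) are
    rejected rather than guessed at.
    """
    doc = json.loads(body)
    raw = doc.get("version") or doc.get("number")
    if raw is None:
        raise ValueError("response has neither a 'version' nor a 'number' key")
    m = _SEMVER.match(raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    g = _GITEA.search(m.group("build") or "")
    gitea = tuple(int(x) for x in g.groups()) if g else None
    return core, gitea


def needs_upgrade(body, minimum="4.2.0+0-gitea-1.19.2"):
    """True when the instance reports a version below `minimum`.

    Build metadata (everything after "+") carries no precedence in
    semantic versioning, so only the core triple is compared.
    """
    core, _ = parse_version_response(body)
    min_core, _ = parse_version_response(json.dumps({"version": minimum}))
    return core < min_core


if __name__ == "__main__":
    # Constructed sample bodies, one per form described in the notes.
    for sample in ('{"number": "v3.0.0"}',
                   '{"version": "4.1.0+0-gitea-1.19.1"}',
                   '{"version": "4.2.0+0-gitea-1.19.2"}'):
        print(sample, parse_version_response(sample), needs_upgrade(sample))
```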

1.18.5-0

This stable release contains an important security fix for Forgejo that raises the protection against brute-force attacks on hashed passwords stored in the database to match industry standards, as described in detail in a companion blog post.

We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

If PASSWORD_HASH_ALGO is explicitly set in app.ini, comment it out so that the stronger algorithm is used instead.

All password hashes stored with another algorithm will be updated to the new algorithm on the next usage of this password (e.g. a user provides the password to the Forgejo server when they login). It does not require manual intervention.
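
One way to apply the PASSWORD_HASH_ALGO step above, as an added example that is not part of Forgejo: it finds an explicit, uncommented PASSWORD_HASH_ALGO in the [security] section of app.ini and comments it out, leaving every other line untouched. The function name and the sample configuration are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Matches only active settings: lines starting with ";" or "#" are comments
# and do not match.
SETTING = re.compile(r"^\s*PASSWORD_HASH_ALGO\s*=\s*(?P<value>.*?)\s*$")


def comment_out_hash_algo(ini_text):
    """Return (new_text, findings) for the contents of an app.ini file.

    findings lists (line_number, value) for every explicit
    PASSWORD_HASH_ALGO found in [security]; those lines are commented out
    in new_text so that the default algorithm applies.
    """
    section = ""
    out, findings = [], []
    for number, line in enumerate(ini_text.splitlines(), 1):
        header = SECTION.match(line)
        if header:
            section = header.group("name").strip()
        setting = SETTING.match(line)
        if setting and section == "security":
            findings.append((number, setting.group("value")))
            line = "; " + line.lstrip()
        out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed sample configuration (not taken from a real instance).
SAMPLE_APP_INI = """\
APP_NAME = Forgejo

[security]
INSTALL_LOCK = true
PASSWORD_HASH_ALGO = pbkdf2
;PASSWORD_HASH_ALGO = argon2

[service]
DISABLE_REGISTRATION = true
"""

if __name__ == "__main__":
    fixed, found = comment_out_hash_algo(SAMPLE_APP_INI)
    for number, value in found:
        print(f"line {number}: explicit PASSWORD_HASH_ALGO = {value} commented out")
    print(fixed, end="")
```

Running it a second time on its own output reports nothing, which makes it safe to use in a repeated configuration check.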

Forgejo

Gitea

Note that there is no Forgejo v1.18.4-N because Gitea v1.18.4 was replaced by Gitea v1.18.5 a few days after its release because of a regression. Forgejo was not affected.

1.18.3-2

This stable release includes a security fix for git and bug fixes.

Git

Git recently announced new versions to address two CVEs (CVE-2023-22490, CVE-2023-23946). On 14 February 2023, Git published the maintenance release v2.39.2, together with releases for older maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. All major GNU/Linux distributions also provide updated packages via their security update channels.

We recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater than or equal to v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 or v2.30.8
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.3-2

Forgejo

Gitea

1.18.3-1

This stable release includes bug fixes.

Forgejo

Gitea

1.18.3-0

This stable release includes bug fixes.

Forgejo

Gitea

1.18.2-1

This stable release includes a security fix. It was possible to reveal a user's email address, which is problematic because users can choose to hide their email address from everyone. This was possible because the notification email for a repository transfer request to an organization included every user's email address in the owner team. This has been fixed by sending individual emails instead and the code was refactored to prevent it from happening again.

We strongly recommend that all installations are upgraded to the latest version as soon as possible.

Gitea

1.18.2-0

This stable release includes bug fixes.

Gitea

1.18.1-0

This is the first Forgejo stable point release.

Forgejo

Critical security update for Git

Git recently announced new versions to address two CVEs (CVE-2022-23521, CVE-2022-41903). On 17 January 2023, Git published the maintenance release v2.39.1, together with releases for older maintenance tracks v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7. All major GNU/Linux distributions also provide updated packages via their security update channels.

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

  • When using a Forgejo binary: upgrade the git package to a version greater than or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, or v2.30.7
  • When using a Forgejo container image: docker pull codeberg.org/forgejo/forgejo:1.18.1-0
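
The "greater than or equal to" rule for Forgejo binaries, here and in the 1.18.3-2 notes above, applies per maintenance track. The following added example (not part of Forgejo) checks a git --version string against both lists of fixed releases. The function names and status labels are chosen for illustration, and treating tracks newer than 2.39 as fixed is an assumption that later Git releases carry the same fixes.

```python
import re
import subprocess

# Fixed patch level per maintenance track, copied from the two lists above:
# 1.18.1-0 notes (CVE-2022-23521, CVE-2022-41903) and
# 1.18.3-2 notes (CVE-2023-22490, CVE-2023-23946).
FIXED_2023_01 = {(2, 39): 1, (2, 38): 3, (2, 37): 5, (2, 36): 4, (2, 35): 6,
                 (2, 34): 6, (2, 33): 6, (2, 32): 5, (2, 31): 6, (2, 30): 7}
FIXED_2023_02 = {(2, 39): 2, (2, 38): 4, (2, 37): 6, (2, 36): 5, (2, 35): 7,
                 (2, 34): 7, (2, 33): 7, (2, 32): 6, (2, 31): 7, (2, 30): 8}


def parse_git_version(text):
    """Extract (major, minor, patch) from `git --version` output.

    Vendor suffixes such as ".windows.1" or "(Apple Git-143)" are ignored.
    """
    m = re.search(r"\bgit version (\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised git version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def check(text, fixed):
    """Return "ok", "upgrade" or "unlisted" for one list of fixed releases."""
    major, minor, patch = parse_git_version(text)
    track = (major, minor)
    if track in fixed:
        return "ok" if patch >= fixed[track] else "upgrade"
    if track > max(fixed):
        # Assumption: tracks released after 2.39 already contain the fixes.
        return "ok"
    # Older than 2.30: no fixed upstream release is listed. A distribution
    # may have backported the fix without changing the version number, so
    # this needs the distribution's advisory rather than a number check.
    return "unlisted"


def audit(text):
    """Check one version string against both sets of fixes."""
    return {"2023-01": check(text, FIXED_2023_01),
            "2023-02": check(text, FIXED_2023_02)}


if __name__ == "__main__":
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not run git: {exc}")
    print(out.strip(), audit(out))
```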

Read more in the Forgejo blog.

Release process stability

The release process based on Woodpecker CI was entirely reworked to be more resilient to transient errors. A new release is first uploaded into the new Forgejo experimental organization for testing purposes.

Automated end to end testing of releases was implemented with a full development cycle including the creation of a new repository and a run of CI. It relieves the user and developer from the burden of tedious manual testing.

Container environment variables

When running a container, all environment variables starting with FORGEJO__ can be used instead of GITEA__. For backward compatibility with existing scripts, it is still possible to use GITEA__ instead of FORGEJO__. For instance:

docker run --name forgejo -e FORGEJO__security__INSTALL_LOCK=true codeberg.org/forgejo/forgejo:1.18.1-0

Forgejo hook types

A new forgejo hook type is available and behaves exactly the same as the existing gitea hook type. It will be used to implement additional features specific to Forgejo in a way that will be backward compatible with Gitea.

X-Forgejo headers

Wherever an X-Gitea header is received or sent, an identical X-Forgejo header is added. For instance when a notification mail is sent, the X-Forgejo-Reason header is set to explain why. Or when a webhook is sent, the X-Forgejo-Event header is set with push, tag, etc. for Woodpecker CI to decide on an action.

Look and feel fixes

The Forgejo theme was modified to take into account user feedback.

Gitea

1.18.0-1

This is the first Forgejo release.

Forgejo improvements

Woodpecker CI

A new CI configuration based on Woodpecker CI was created. It is used to:

Look and feel

The default themes were replaced by Forgejo themes and the landing page was modified to display the Forgejo logo and names but the look and feel remains otherwise identical to Gitea.

Landing page

Privacy

Gitea instances fetch https://dl.gitea.io/gitea/version.json weekly by default, which raises privacy concerns. In Forgejo this feature needs to be explicitly activated at installation time or by modifying the configuration file. Forgejo also provides an alternative RSS feed to be informed when a new release is published.

Gitea

1.18.0-0

This release was replaced by 1.18.0-1 a few hours after being published because the release process was interrupted.

1.18.0-rc1-2

This is the first Forgejo release candidate.