feat: implement repo-specific access tokens broadly for universal API permission checks #11437

Merged

mfenniak merged 2 commits from finegrained-pr3-broad-perm-checks into forgejo 2026-02-28 19:47:07 +01:00

Conversation 3 Commits 2 Files changed 6 +85 -8

mfenniak commented 2026-02-26 03:10:54 +01:00

Member

Copy link

Repository-specific personal access tokens will allow a user's access tokens to be restricted to accessing zero-or-more specific repositories. Currently they can be configured as "All", or "Public only", and this project will add a third configuration option allowing specific repositories.

This PR is part of a series (#11311), and builds on the infrastructure work in #11434. In this PR, repository-specific access tokens are implemented on the universal permission checks performed by the API middleware, affecting ~182 API endpoints that perform permission checks based upon repositories referenced in their API path (eg. /v1/api/repos/{owner}/{repo}/...).

Breaking change: API access with a public-only access token would previously return a 403 Forbidden error when attempting to access a private repository where the repository is on the API path. As part of incorporating the public-only logic into the centralized permission check, these APIs will now return 404 Not Found instead, consistent with how repository-specific access tokens, and other permissions checks, are implemented in order to reduce the risk of data probing through error messages.

For larger context on the usage and future incoming work, the description of #11311 can be referenced.

Checklist

The contributor guide contains information that will be helpful to first time contributors. There also are a few conditions for merging Pull Requests in Forgejo repositories. You are also welcome to join the Forgejo development chatroom.

Tests for Go changes

(can be removed for JavaScript changes)

• I added test coverage for Go changes...
  • in their respective *_test.go for unit tests.
  • in the tests/integration directory if it involves interactions with a live Forgejo server.
• I ran...
  • make pr-go before pushing

Documentation

• I created a pull request to the documentation to explain to Forgejo users how to use this change.
• I did not document these changes and I do not expect someone else to do it.

Release notes

• This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
  • As there is no end-user accessibility to create repo-specific access tokens, this functionality will not be accessible to end-users yet. But the breaking change in error APIs for public-only access tokens will be visible to end-users.
• This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Release notes

• Breaking features
  • PR: implement repo-specific access tokens broadly for universal API permission checks. Breaking: API access with a public-only access token would previously return a 403 Forbidden error when attempting to access a private repository where the repository is on the API path. As part of incorporating the public-only logic into the centralized permission check, these APIs will now return 404 Not Found instead, consistent with how most permission checks are implemented in order to reduce the risk of data probing through error messages.

Repository-specific personal access tokens will allow a user's access tokens to be restricted to accessing zero-or-more specific repositories. Currently they can be configured as "All", or "Public only", and this project will add a third configuration option allowing specific repositories. This PR is part of a series (#11311), and builds on the infrastructure work in #11434. In this PR, repository-specific access tokens are implemented on the universal permission checks performed by the API middleware, affecting ~182 API endpoints that perform permission checks based upon repositories referenced in their API path (eg. `/v1/api/repos/{owner}/{repo}/...`). **Breaking change:** API access with a public-only access token would previously return a `403 Forbidden` error when attempting to access a private repository where the repository is on the API path. As part of incorporating the public-only logic into the centralized permission check, these APIs will now return `404 Not Found` instead, consistent with how repository-specific access tokens, and other permissions checks, are implemented in order to reduce the risk of data probing through error messages. For larger context on the usage and future incoming work, the description of #11311 can be referenced. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - As there is no end-user accessibility to create repo-specific access tokens, this functionality will not be accessible to end-users yet. But the breaking change in error APIs for public-only access tokens will be visible to end-users. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Breaking features - [PR](https://codeberg.org/forgejo/forgejo/pulls/11437): <!--number 11437 --><!--line 0 --><!--description aW1wbGVtZW50IHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2VucyBicm9hZGx5IGZvciB1bml2ZXJzYWwgQVBJIHBlcm1pc3Npb24gY2hlY2tzLiAgKipCcmVha2luZzoqKiBBUEkgYWNjZXNzIHdpdGggYSBwdWJsaWMtb25seSBhY2Nlc3MgdG9rZW4gd291bGQgcHJldmlvdXNseSByZXR1cm4gYSBgNDAzIEZvcmJpZGRlbmAgZXJyb3Igd2hlbiBhdHRlbXB0aW5nIHRvIGFjY2VzcyBhIHByaXZhdGUgcmVwb3NpdG9yeSB3aGVyZSB0aGUgcmVwb3NpdG9yeSBpcyBvbiB0aGUgQVBJIHBhdGguICBBcyBwYXJ0IG9mIGluY29ycG9yYXRpbmcgdGhlIHB1YmxpYy1vbmx5IGxvZ2ljIGludG8gdGhlIGNlbnRyYWxpemVkIHBlcm1pc3Npb24gY2hlY2ssIHRoZXNlIEFQSXMgd2lsbCBub3cgcmV0dXJuIGA0MDQgTm90IEZvdW5kYCBpbnN0ZWFkLCBjb25zaXN0ZW50IHdpdGggaG93IG1vc3QgcGVybWlzc2lvbiBjaGVja3MgYXJlIGltcGxlbWVudGVkIGluIG9yZGVyIHRvIHJlZHVjZSB0aGUgcmlzayBvZiBkYXRhIHByb2JpbmcgdGhyb3VnaCBlcnJvciBtZXNzYWdlcy4=-->implement repo-specific access tokens broadly for universal API permission checks. **Breaking:** API access with a public-only access token would previously return a `403 Forbidden` error when attempting to access a private repository where the repository is on the API path. As part of incorporating the public-only logic into the centralized permission check, these APIs will now return `404 Not Found` instead, consistent with how most permission checks are implemented in order to reduce the risk of data probing through error messages.<!--description--> <!--end release-notes-assistant-->

mfenniak added the

enhancement/feature

test

present

breaking

labels 2026-02-26 03:10:54 +01:00

mfenniak added 3 commits 2026-02-26 03:10:54 +01:00

chore: remove 'nolint:unused' on createFineGrainedRepoAccessToken 3a1e3d8c12

feat: update ctx.Repo perm checks to respect fine-grained access token ... 16b527ea4d

**Breaking**: ctx.Repo is used for hundreds of permissions checks which
may not have previously respected "public-only" access tokens.  In many
cases these permission checks were enforced by API middlewares or
explicit checks, but it's likely that some permission checks on private
repositories when using "public-only" access tokens would previously
have worked, and will now be blocked.

test: update tests for changes to public-only token 403->404 77f9fbd969

mfenniak requested reviews from Gusted, Cyborus, aahlenst 2026-02-26 03:10:54 +01:00

mfenniak referenced this pull request 2026-02-26 03:22:36 +01:00

WIP: feat: backend support for fine-grained repo-level access tokens [skip ci] #11311

aahlenst approved these changes 2026-02-26 13:33:05 +01:00

Dismissed

mfenniak referenced this pull request 2026-02-26 21:16:42 +01:00

feat: core infrastructure for repository-specific access tokens #11434

mfenniak referenced this pull request 2026-02-27 03:04:55 +01:00

WIP: feat: backend support for fine-grained repo-level access tokens [skip ci] #11311

mfenniak force-pushed finegrained-pr3-broad-perm-checks from 77f9fbd969 to 8222b36209 2026-02-27 04:05:57 +01:00 Compare

mfenniak changed target branch from finegrained-pr1-infrastructure to forgejo 2026-02-27 17:17:33 +01:00

mfenniak force-pushed finegrained-pr3-broad-perm-checks from 8222b36209 to 8b5ac665d2 2026-02-27 17:21:38 +01:00 Compare

mfenniak force-pushed finegrained-pr3-broad-perm-checks from 8b5ac665d2 to 1686597af3 2026-02-27 17:30:00 +01:00 Compare

mfenniak commented 2026-02-27 17:31:10 +01:00

Author

Member

Copy link

Added breaking change description to release-notes/11437.md so that the breaking part of the change is described in the release notes (not just the PR title).

Added breaking change description to `release-notes/11437.md` so that the breaking part of the change is described in the release notes (not just the PR title).

mfenniak added the

worth a release-note

label 2026-02-27 20:35:51 +01:00

forgejo-release-notes-assistant commented 2026-02-27 20:36:44 +01:00

Member

Copy link

Where does that come from?

The following is a preview of the release notes for this pull request, as they will appear in the upcoming release. They are derived from the content of the `release-notes/11437.md` file, if it exists, or the title of the pull request. They were also added at the bottom of the description of this pull request for easier reference.

This message and the release notes originate from a call to the release-notes-assistant.

@@ -31,2 +31,10 @@
     - As there is no end-user accessibility to create repo-specific access tokens, this functionality will not be accessible to end-users yet.  But the breaking change in error APIs for public-only access tokens will be visible to end-users.
 - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
+
+<!--start release-notes-assistant-->
+
+## Release notes
+<!--URL:https://codeberg.org/forgejo/forgejo-->
+- Breaking features
+  - [PR](https://codeberg.org/forgejo/forgejo/pulls/11437): <!--number 11437 --><!--line 0 --><!--description aW1wbGVtZW50IHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2VucyBicm9hZGx5IGZvciB1bml2ZXJzYWwgQVBJIHBlcm1pc3Npb24gY2hlY2tzLiAgKipCcmVha2luZzoqKiBBUEkgYWNjZXNzIHdpdGggYSBwdWJsaWMtb25seSBhY2Nlc3MgdG9rZW4gd291bGQgcHJldmlvdXNseSByZXR1cm4gYSBgNDAzIEZvcmJpZGRlbmAgZXJyb3Igd2hlbiBhdHRlbXB0aW5nIHRvIGFjY2VzcyBhIHByaXZhdGUgcmVwb3NpdG9yeSB3aGVyZSB0aGUgcmVwb3NpdG9yeSBpcyBvbiB0aGUgQVBJIHBhdGguICBBcyBwYXJ0IG9mIGluY29ycG9yYXRpbmcgdGhlIHB1YmxpYy1vbmx5IGxvZ2ljIGludG8gdGhlIGNlbnRyYWxpemVkIHBlcm1pc3Npb24gY2hlY2ssIHRoZXNlIEFQSXMgd2lsbCBub3cgcmV0dXJuIGA0MDQgTm90IEZvdW5kYCBpbnN0ZWFkLCBjb25zaXN0ZW50IHdpdGggaG93IG1vc3QgcGVybWlzc2lvbiBjaGVja3MgYXJlIGltcGxlbWVudGVkIGluIG9yZGVyIHRvIHJlZHVjZSB0aGUgcmlzayBvZiBkYXRhIHByb2JpbmcgdGhyb3VnaCBlcnJvciBtZXNzYWdlcy4=-->implement repo-specific access tokens broadly for universal API permission checks.  **Breaking:** API access with a public-only access token would previously return a `403 Forbidden` error when attempting to access a private repository where the repository is on the API path.  As part of incorporating the public-only logic into the centralized permission check, these APIs will now return `404 Not Found` instead, consistent with how most permission checks are implemented in order to reduce the risk of data probing through error messages.<!--description-->
+<!--end release-notes-assistant-->

Release notes

• Breaking features
  • PR: implement repo-specific access tokens broadly for universal API permission checks. Breaking: API access with a public-only access token would previously return a 403 Forbidden error when attempting to access a private repository where the repository is on the API path. As part of incorporating the public-only logic into the centralized permission check, these APIs will now return 404 Not Found instead, consistent with how most permission checks are implemented in order to reduce the risk of data probing through error messages.

<details> <summary>Where does that come from?</summary> The following is a preview of the release notes for this pull request, as they will appear in the upcoming release. They are derived from the content of the `release-notes/11437.md` file, if it exists, or the title of the pull request. They were also added at the bottom of the description of this pull request for easier reference. This message and the release notes originate from a call to the [release-notes-assistant](https://code.forgejo.org/forgejo/release-notes-assistant). ```diff @@ -31,2 +31,10 @@ - As there is no end-user accessibility to create repo-specific access tokens, this functionality will not be accessible to end-users yet. But the breaking change in error APIs for public-only access tokens will be visible to end-users. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. + +<!--start release-notes-assistant--> + +## Release notes +<!--URL:https://codeberg.org/forgejo/forgejo--> +- Breaking features + - [PR](https://codeberg.org/forgejo/forgejo/pulls/11437): <!--number 11437 --><!--line 0 --><!--description aW1wbGVtZW50IHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2VucyBicm9hZGx5IGZvciB1bml2ZXJzYWwgQVBJIHBlcm1pc3Npb24gY2hlY2tzLiAgKipCcmVha2luZzoqKiBBUEkgYWNjZXNzIHdpdGggYSBwdWJsaWMtb25seSBhY2Nlc3MgdG9rZW4gd291bGQgcHJldmlvdXNseSByZXR1cm4gYSBgNDAzIEZvcmJpZGRlbmAgZXJyb3Igd2hlbiBhdHRlbXB0aW5nIHRvIGFjY2VzcyBhIHByaXZhdGUgcmVwb3NpdG9yeSB3aGVyZSB0aGUgcmVwb3NpdG9yeSBpcyBvbiB0aGUgQVBJIHBhdGguICBBcyBwYXJ0IG9mIGluY29ycG9yYXRpbmcgdGhlIHB1YmxpYy1vbmx5IGxvZ2ljIGludG8gdGhlIGNlbnRyYWxpemVkIHBlcm1pc3Npb24gY2hlY2ssIHRoZXNlIEFQSXMgd2lsbCBub3cgcmV0dXJuIGA0MDQgTm90IEZvdW5kYCBpbnN0ZWFkLCBjb25zaXN0ZW50IHdpdGggaG93IG1vc3QgcGVybWlzc2lvbiBjaGVja3MgYXJlIGltcGxlbWVudGVkIGluIG9yZGVyIHRvIHJlZHVjZSB0aGUgcmlzayBvZiBkYXRhIHByb2JpbmcgdGhyb3VnaCBlcnJvciBtZXNzYWdlcy4=-->implement repo-specific access tokens broadly for universal API permission checks. **Breaking:** API access with a public-only access token would previously return a `403 Forbidden` error when attempting to access a private repository where the repository is on the API path. As part of incorporating the public-only logic into the centralized permission check, these APIs will now return `404 Not Found` instead, consistent with how most permission checks are implemented in order to reduce the risk of data probing through error messages.<!--description--> +<!--end release-notes-assistant--> ``` </details> <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Breaking features - [PR](https://codeberg.org/forgejo/forgejo/pulls/11437): <!--number 11437 --><!--line 0 --><!--description aW1wbGVtZW50IHJlcG8tc3BlY2lmaWMgYWNjZXNzIHRva2VucyBicm9hZGx5IGZvciB1bml2ZXJzYWwgQVBJIHBlcm1pc3Npb24gY2hlY2tzLiAgKipCcmVha2luZzoqKiBBUEkgYWNjZXNzIHdpdGggYSBwdWJsaWMtb25seSBhY2Nlc3MgdG9rZW4gd291bGQgcHJldmlvdXNseSByZXR1cm4gYSBgNDAzIEZvcmJpZGRlbmAgZXJyb3Igd2hlbiBhdHRlbXB0aW5nIHRvIGFjY2VzcyBhIHByaXZhdGUgcmVwb3NpdG9yeSB3aGVyZSB0aGUgcmVwb3NpdG9yeSBpcyBvbiB0aGUgQVBJIHBhdGguICBBcyBwYXJ0IG9mIGluY29ycG9yYXRpbmcgdGhlIHB1YmxpYy1vbmx5IGxvZ2ljIGludG8gdGhlIGNlbnRyYWxpemVkIHBlcm1pc3Npb24gY2hlY2ssIHRoZXNlIEFQSXMgd2lsbCBub3cgcmV0dXJuIGA0MDQgTm90IEZvdW5kYCBpbnN0ZWFkLCBjb25zaXN0ZW50IHdpdGggaG93IG1vc3QgcGVybWlzc2lvbiBjaGVja3MgYXJlIGltcGxlbWVudGVkIGluIG9yZGVyIHRvIHJlZHVjZSB0aGUgcmlzayBvZiBkYXRhIHByb2JpbmcgdGhyb3VnaCBlcnJvciBtZXNzYWdlcy4=-->implement repo-specific access tokens broadly for universal API permission checks. **Breaking:** API access with a public-only access token would previously return a `403 Forbidden` error when attempting to access a private repository where the repository is on the API path. As part of incorporating the public-only logic into the centralized permission check, these APIs will now return `404 Not Found` instead, consistent with how most permission checks are implemented in order to reduce the risk of data probing through error messages.<!--description--> <!--end release-notes-assistant-->

mfenniak force-pushed finegrained-pr3-broad-perm-checks from 1686597af3 to 80f631590c 2026-02-28 18:02:41 +01:00 Compare

aahlenst approved these changes 2026-02-28 19:43:34 +01:00

mfenniak merged commit 48da8f9888 into forgejo 2026-02-28 19:47:07 +01:00

mfenniak deleted branch finegrained-pr3-broad-perm-checks 2026-02-28 19:47:09 +01:00

mfenniak referenced this pull request from a commit 2026-02-28 19:47:09 +01:00

feat: implement repo-specific access tokens broadly for universal API permission checks (#11437)

forgejo-release-notes-assistant added this to the Forgejo v15.0.0 milestone 2026-02-28 19:47:24 +01:00

mfenniak referenced this pull request 2026-02-28 23:10:42 +01:00

feat: implement repo-specific access tokens for imperative API permission checks #11457

Sign in to join this conversation.

Reviewers

No reviewers

Gusted

Cyborus

aahlenst

Labels

Clear labels   

arch

riscv64

Archived

  

backport/v1.19

Scheduled for backport to Forgejo v1.19

Archived

  

backport/v1.20

Scheduled for backport to Forgejo v1.20

Archived

  

backport/v1.21/forgejo

Scheduled for backport to Forgejo v1.21

Archived

  

backport/v10.0/forgejo

Automated backport to v10.0

Archived

  

backport/v11.0/forgejo

Automated backport to v11.0

  

backport/v12.0/forgejo

Automated backport to v12.0

Archived

  

backport/v13.0/forgejo

Automated backport to v13.0

Archived

  

backport/v14.0/forgejo

Automated backport to v14.0

  

backport/v7.0/forgejo

Scheduled for backport to Forgejo v7.0

Archived

  

backport/v8.0/forgejo

Scheduled for backport to Forgejo v8.0

Archived

  

backport/v9.0/forgejo

Scheduled for backport to Forgejo v9.0

Archived

  

breaking

The release containing this change is not backward compatible

  

bug

Something is not working

Archived

  

bug

confirmed

it can be reproduced

  

bug

duplicate

bug has already been reported in the Forgejo tracker

  

bug

needs-more-info

the information provided does not contain enough details

  

bug

new-report

bug has just been reported and need triage (default label on issue creation)

  

bug

reported-upstream

bug cannot be fixed within Forgejo easily, it has been reported upstream

  

code/actions

Forgejo Actions feature

  

code/api

API

  

code/auth

Forgejo Authentication

  

code/auth/faidp

Forgejo as Identity Provider (in OAuth/OIDC flow)

  

code/auth/farp

Forgejo as Relying Party / Client (in OAuth/OIDC flow)

  

code/email

Everything related to email in Forgejo

  

code/federation

Federation

  

code/git

Related to the Git backend in Forgejo

  

code/migrations

Migration between Git forges (i.e. for GitHub, GitLab, Gitea, Forgejo, etc.). NOT for database migrations.

  

code/packages

Forgejo package and container registry

  

code/wiki

  

database

MySQL

https://www.mysql.com/

  

database

PostgreSQL

https://www.postgresql.org/

  

database

SQLite

https://sqlite.org/

  

dependency-upgrade

https://codeberg.org/forgejo/forgejo/issues/2779

  

dependency

certmagic

github.com/caddyserver/certmagic

Archived

  

dependency

chart.js

https://github.com/chartjs/Chart.js

Archived

  

dependency

Chi

https://github.com/go-chi/chi/

Archived

  

dependency

Chroma

https://github.com/alecthomas/chroma/

Archived

  

dependency

citation.js

https://github.com/larsgw/citation.js/

Archived

  

dependency

codespell

https://github.com/codespell-project/codespell

Archived

  

dependency

css-loader

https://github.com/webpack-contrib/css-loader

Archived

  

dependency

devcontainers

https://github.com/devcontainers/cli

Archived

  

dependency

dropzone

https://github.com/dropzone/dropzone

Archived

  

dependency

editorconfig-checker

https://github.com/editorconfig-checker/editorconfig-checker

Archived

  

dependency

elasticsearch

https://www.elastic.co/elasticsearch

Archived

  

dependency

enmime

https://github.com/jhillyerd/enmime

Archived

  

dependency

F3

https://f3.forgefriends.org/

  

dependency

ForgeFed

https://forgefed.org

  

dependency

garage

https://git.deuxfleurs.fr/Deuxfleurs/garage

  

dependency

Git

https://git-scm.com/

Archived

  

dependency

git-backporting

https://github.com/kiegroup/git-backporting

Archived

  

dependency

Gitea

https://github.com/go-gitea/gitea

  

dependency

gitignore

https://github.com/github/gitignore

Archived

  

dependency

go-ap

https://github.com/go-ap/activitypub

Archived

  

dependency

go-enry

https://github.com/go-enry/go-enry

Archived

  

dependency

go-gitlab

https://github.com/xanzy/go-gitlab

Archived

  

dependency

Go-org

https://github.com/niklasfasching/go-org

Archived

  

dependency

go-rpmutils

https://github.com/sassoftware/go-rpmutils

Archived

  

dependency

go-sql-driver mysql

https://github.com/go-sql-driver/mysql/

Archived

  

dependency

go-swagger

github.com/go-swagger/go-swagger

Archived

  

dependency

go-version

https://github.com/hashicorp/go-version

Archived

  

dependency

go-webauthn

https://github.com/go-webauthn/webauthn

Archived

  

dependency

gocron

https://github.com/go-co-op/gocron

Archived

  

dependency

Golang

https://go.dev/

  

dependency

goldmark

https://github.com/yuin/goldmark

Archived

  

dependency

goquery

github.com/PuerkitoBio/goquery

Archived

  

dependency

Goth

https://github.com/markbates/goth/

Archived

  

dependency

grpc-go

https://github.com/grpc/grpc-go

Archived

  

dependency

happy-dom

https://github.com/capricorn86/happy-dom

Archived

  

dependency

Helm

https://helm.sh/

Archived

  

dependency

image-spec

https://github.com/opencontainers/image-spec

Archived

  

dependency

jsonschema

https://github.com/santhosh-tekuri/jsonschema

Archived

  

dependency

KaTeX

https://github.com/KaTeX/KaTeX

Archived

  

dependency

lint

All linting tools and libraries

Archived

  

dependency

MariaDB

https://mariadb.com/

Archived

  

dependency

Mermaid

https://github.com/mermaid-js/mermaid/

Archived

  

dependency

minio-go

https://github.com/minio/minio-go/

Archived

  

dependency

misspell

github.com/golangci/misspell/cmd/misspell

Archived

  

dependency

Monaco

https://github.com/microsoft/monaco-editor

Archived

  

dependency

PDFobject

https://pdfobject.com/

Archived

  

dependency

playwright

https://playwright.dev/

Archived

  

dependency

postcss

https://github.com/postcss/postcss

Archived

  

dependency

postcss-plugins

https://github.com/csstools/postcss-plugins

Archived

  

dependency

pprof

https://github.com/google/pprof

Archived

  

dependency

prometheus client_golang

https://github.com/prometheus/client_golang

Archived

  

dependency

protobuf

https://google.golang.org/protobuf

Archived

  

dependency

relative-time-element

https://github.com/github/relative-time-element

Archived

  

dependency

renovate

https://github.com/renovatebot/renovate

Archived

  

dependency

reply

https://code.forgejo.org/forgejo/reply

Archived

  

dependency

ssh

https://github.com/gliderlabs/ssh

Archived

  

dependency

swagger-ui

https://github.com/swagger-api/swagger-ui

Archived

  

dependency

tailwind

https://tailwindcss.com/

Archived

  

dependency

temporal-polyfill

https://github.com/fullcalendar/temporal-polyfill

Archived

  

dependency

terminal-to-html

github.com/buildkite/terminal-to-html

Archived

  

dependency

tests-only

Undifferentiated dependencies used for testing only

Archived

  

dependency

text-expander-element

https://github.com/github/text-expander-element

Archived

  

dependency

urfave

https://github.com/urfave/cli

Archived

  

dependency

vfsgen

https://github.com/lunny/vfsgen

Archived

  

dependency

vite

https://vitejs.dev/

Archived

  

dependency

Woodpecker CI

https://woodpecker-ci.org/

Archived

  

dependency

x tools

https://golang.org/x/tools

Archived

  

dependency

XORM

https://gitea.com/xorm/xorm

Archived

  

Discussion

  

duplicate

This issue or pull request already exists

  

enhancement/feature

New feature

  

forgejo/accessibility

Accessibility (a11y)

  

forgejo/branding

Branding (logo, name, tagline etc.)

  

forgejo/ci

Forgejo Actions CI configuration

  

forgejo/commit-graph

The commit graph feature and page.

  

forgejo/documentation

  

forgejo/furnace cleanup

Keeping Forgejo in sync with its dependencies and contributing back to them

Archived

  

forgejo/i18n

t9n/translation, l10n/localization, and i18n/internationalization of Forgejo

  

forgejo/interop

Interoperability with other services: Webhooks, bridges, integrations

  

forgejo/moderation

Moderation

  

forgejo/privacy

Privacy first

  

forgejo/release

Release management

  

forgejo/scaling

Performance and scaling

  

forgejo/security

Security (please disclose responsibly)

  

forgejo/ui

User interface

  

Gain

High

User research provides indicators that this would be good to have, interested contributors are encouraged to pick this.

  

Gain

Nice to have

This is likely worth having, but the assumption is not backed by user research data (it might benefit a small amount of users only.) Unlikely to receive much attention, but feel free to pick.

  

Gain

Undefined

Not enough information to assess the request's benefits. This issue may be closed if no gain is established: You can help by giving us more input.

  

Gain

Very High

User research indicates that this is an important improvement for Forgejo users. Contributions very welcome!

  

good first issue

Optimal for first-timers! Make sure to look for further explanations and ask for help if needed. If you want, you can consider the person who added this label as a point of contact.

  

i18n/backport-stable

This PR needs to be backported to stable branch of Forgejo safely and manually, using a migration script.

  

impact

large

Large impact: Potential data loss, many users affected, major degradation in UX.

  

impact

medium

Medium impact: Several users affected, degradation in UX, workarounds might be available but inconvenient.

  

impact

small

Small impact: No data loss, workarounds might be available, affects few users.

  

impact

unknown

Report was not yet triaged to assess impact.

  

Incompatible license

This pull request contains changes that are not (yet) compatible with the current Forgejo license

  

issue

closed

The issue was resolved in the repository of the dependency

  

issue

do-not-exist-yet

An issue should be created in the respository of the dependency

  

issue

open

An open issue exists in the upstream repository of the dependency

  

manual test

Pull requests that have been merged with a manual test

Archived

  

Manually tested during feature freeze

The manual test instructions were followed

  

OS

FreeBSD

Specific to the FreeBSD Operating System

  

OS

Linux

Specific to (GNU/)Linux Operating Systems

  

OS

macOS

Specific to the MacOS Operating System

  

OS

Windows

Specific to the Windows Operating System

  

problem

A user report about a problem. Needs to be triaged to find potential solutions.

  

QA

  

regression

found in the version of the milestone and not before

  

release blocker

Issues that must be fixed before the release can be published

  

Release Cycle

Feature Freeze

Only bug fixes with automated tests (except for CSS/JavaScript)

  

release-blocker

v7.0

Issues that must be fixed before Forgejo v7.0 can be released 17 April 2024

Archived

  

release-blocker

v7.0.1

Issues that must be fixed before Forgejo v7.0.1 can be released

Archived

  

release-blocker

v7.0.2

Issues that must be fixed before Forgejo v7.0.2 can be released

Archived

  

release-blocker

v7.0.3

Issues that must be fixed before Forgejo v7.0.3 can be released

Archived

  

release-blocker

v7.0.4

Issues that must be fixed before Forgejo v7.0.4 can be released

Archived

  

release-blocker

v8.0.0

Issues that must be fixed before Forgejo v8.0.0 can be released

Archived

  

release-blocker/v9.0.0

Issues that must be fixed before Forgejo v9.0.0 can be released

Archived

  

run-all-playwright-tests

Add this label to a PR to run all playwright tests manually.

  

run-end-to-end-tests

Trigger additional tests on the PR when it is ready to be merged

  

test

manual

manual testing has been documented

  

test

needed

test should be added

  

test

needs-help

help needed to add a test

  

test

not-needed

no additional test is needed

  

test

present

test has been added

  

untested

Pull requests that have been merged with no test and submitted as is to the dependency where they belong

Archived

  

User research - time-tracker

Time tracking feature for issues and the JS stopwatch.

  

valuable code

This PR was closed because the implementation is incomplete

  

worth a release-note

Add this PR to the release notes

  

User research - Accessibility

Requires input about accessibility features, likely involves user testing.

  

User research - Blocked

Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.

  

User research - Community

Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.

  

User research - Config (instance)

Instance-wide configuration, authentication and other admin-only needs.

  

User research - Errors

How to deal with errors in the application and write helpful error messages.

  

User research - Filters

How filter and search is being worked with.

  

User research - Future backlog

The issue might be inspiring for future design work.

  

User research - Git workflow

AGit, fork-based and new Git workflow, PR creation etc

  

User research - Labels

Active research about Labels

  

User research - Moderation

Moderation Featuers for Admins are undergoing active User Research

  

User research - Needs input

Use this label to let the User Research team know their input is requested.

  

User research - Notifications/Dashboard

Research on how users should know what to do next.

  

User research - Rendering

Text rendering, markup languages etc

  

User research - Repo creation

Active research about the New Repo dialog.

  

User research - Repo units

The repo sections, disabling them and the "Add more" button.

  

User research - Security

  

User research - Settings (in-app)

How to structure in-app settings in the future?

No labels

arch

riscv64

backport/v1.19

backport/v1.20

backport/v1.21/forgejo

backport/v10.0/forgejo

backport/v11.0/forgejo

backport/v12.0/forgejo

backport/v13.0/forgejo

backport/v14.0/forgejo

backport/v7.0/forgejo

backport/v8.0/forgejo

backport/v9.0/forgejo

breaking

bug

bug

confirmed

bug

duplicate

bug

needs-more-info

bug

new-report

bug

reported-upstream

code/actions

code/api

code/auth

code/auth/faidp

code/auth/farp

code/email

code/federation

code/git

code/migrations

code/packages

code/wiki

database

MySQL

database

PostgreSQL

database

SQLite

dependency-upgrade

dependency

certmagic

dependency

chart.js

dependency

Chi

dependency

Chroma

dependency

citation.js

dependency

codespell

dependency

css-loader

dependency

devcontainers

dependency

dropzone

dependency

editorconfig-checker

dependency

elasticsearch

dependency

enmime

dependency

F3

dependency

ForgeFed

dependency

garage

dependency

Git

dependency

git-backporting

dependency

Gitea

dependency

gitignore

dependency

go-ap

dependency

go-enry

dependency

go-gitlab

dependency

Go-org

dependency

go-rpmutils

dependency

go-sql-driver mysql

dependency

go-swagger

dependency

go-version

dependency

go-webauthn

dependency

gocron

dependency

Golang

dependency

goldmark

dependency

goquery

dependency

Goth

dependency

grpc-go

dependency

happy-dom

dependency

Helm

dependency

image-spec

dependency

jsonschema

dependency

KaTeX

dependency

lint

dependency

MariaDB

dependency

Mermaid

dependency

minio-go

dependency

misspell

dependency

Monaco

dependency

PDFobject

dependency

playwright

dependency

postcss

dependency

postcss-plugins

dependency

pprof

dependency

prometheus client_golang

dependency

protobuf

dependency

relative-time-element

dependency

renovate

dependency

reply

dependency

ssh

dependency

swagger-ui

dependency

tailwind

dependency

temporal-polyfill

dependency

terminal-to-html

dependency

tests-only

dependency

text-expander-element

dependency

urfave

dependency

vfsgen

dependency

vite

dependency

Woodpecker CI

dependency

x tools

dependency

XORM

Discussion

duplicate

enhancement/feature

forgejo/accessibility

forgejo/branding

forgejo/ci

forgejo/commit-graph

forgejo/documentation

forgejo/furnace cleanup

forgejo/i18n

forgejo/interop

forgejo/moderation

forgejo/privacy

forgejo/release

forgejo/scaling

forgejo/security

forgejo/ui

Gain

High

Gain

Nice to have

Gain

Undefined

Gain

Very High

good first issue

i18n/backport-stable

impact

large

impact

medium

impact

small

impact

unknown

Incompatible license

issue

closed

issue

do-not-exist-yet

issue

open

manual test

Manually tested during feature freeze

OS

FreeBSD

OS

Linux

OS

macOS

OS

Windows

problem

QA

regression

release blocker

Release Cycle

Feature Freeze

release-blocker

v7.0

release-blocker

v7.0.1

release-blocker

v7.0.2

release-blocker

v7.0.3

release-blocker

v7.0.4

release-blocker

v8.0.0

release-blocker/v9.0.0

run-all-playwright-tests

run-end-to-end-tests

test

manual

test

needed

test

needs-help

test

not-needed

test

present

untested

User research - time-tracker

valuable code

worth a release-note

User research - Accessibility

User research - Blocked

User research - Community

User research - Config (instance)

User research - Errors

User research - Filters

User research - Future backlog

User research - Git workflow

User research - Labels

User research - Moderation

User research - Needs input

User research - Notifications/Dashboard

User research - Rendering

User research - Repo creation

User research - Repo units

User research - Security

User research - Settings (in-app)

Milestone

Clear milestone

No items

No milestone

Forgejo v15.0.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

3 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo/forgejo!11437

No description provided.