forgejo/forgejo
forgejo/forgejo
109
3.8k
Fork 659
Code Issues 1.2k Pull requests 160 Releases 95 Packages 1 Activity Actions 24

ci: add semgrep detection for API code ignoring repo-specific access tokens #11476

Merged
mfenniak merged 5 commits from finegrained-pr7-semgrep into forgejo 2026-03-03 17:55:37 +01:00
Conversation 1 Commits 5 Files changed 6 +218
mfenniak commented 2026-03-02 23:39:07 +01:00
Member
Copy link

This PR is part of a series (#11311).

Prevents the usage of three internal APIs in the web API code:

  • repo_model.SearchRepoOptions{} without an AuthorizationReducer
  • organization.SearchTeamRepoOptions{} without an AuthorizationReducer
  • access_model.GetUserRepoPermission(), which doesn't take an AuthorizationReducer -- use GetUserRepoPermissionWithReducer instead.

A couple lingering usages are marked with // nosemgrep: ... as they have been inspected and considered correct as-is.

The GetUserRepoPermission is tested via the .semgrep/tests files; the other rules have been tested manually.

Checklist

The contributor guide contains information that will be helpful to first time contributors. There also are a few conditions for merging Pull Requests in Forgejo repositories. You are also welcome to join the Forgejo development chatroom.

Documentation

  • I created a pull request to the documentation to explain to Forgejo users how to use this change.
  • I did not document these changes and I do not expect someone else to do it.

Release notes

  • This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
  • This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
This PR is part of a series (#11311). Prevents the usage of three internal APIs in the web API code: - `repo_model.SearchRepoOptions{}` without an `AuthorizationReducer` - `organization.SearchTeamRepoOptions{}` without an `AuthorizationReducer` - `access_model.GetUserRepoPermission()`, which doesn't take an `AuthorizationReducer` -- use `GetUserRepoPermissionWithReducer` instead. A couple lingering usages are marked with `// nosemgrep: ...` as they have been inspected and considered correct as-is. The `GetUserRepoPermission` is tested via the `.semgrep/tests` files; the other rules have been tested manually. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
ci: add semgrep detection for incorrect GetUserRepoPermission
All checks were successful
issue-labels / backporting (pull_request_target) Has been skipped
Details
testing / semgrep/ci (pull_request) Successful in 18s
Details
issue-labels / cascade (pull_request_target) Has been skipped
Details
Integration tests for the release process / release-simulation (push) Successful in 5m34s
Details
issue-labels / release-notes (pull_request_target) Has been skipped
Details
requirements / merge-conditions (pull_request) Successful in 3s
Details
testing / frontend-checks (pull_request) Successful in 1m21s
Details
testing / backend-checks (pull_request) Successful in 3m37s
Details
testing / test-unit (pull_request) Successful in 7m50s
Details
testing / test-remote-cacher (redis) (pull_request) Successful in 2m24s
Details
testing / test-remote-cacher (valkey) (pull_request) Successful in 3m12s
Details
testing / test-remote-cacher (redict) (pull_request) Successful in 2m25s
Details
testing / test-remote-cacher (garnet) (pull_request) Successful in 2m28s
Details
testing / test-mysql (pull_request) Successful in 28m18s
Details
testing / test-e2e (pull_request) Successful in 28m20s
Details
testing / test-sqlite (pull_request) Successful in 34m23s
Details
testing / test-pgsql (pull_request) Successful in 40m39s
Details
testing / security-check (pull_request) Successful in 1m44s
Details
a274a3d662
 
Whenever GetUserRepoPermission is invoked with a `*context.APIContext`,
or whenever it is invoked from code in `routers/api`, a semgrep-powered
error will identify that fine-grained access token limitations aren't
implemented and that GetUserRepoPermissionWithReducer may be preferred.
aahlenst reviewed 2026-03-03 15:39:07 +01:00
routers/api/packages/npm/npm.go Outdated
@ -171,0 +173,4 @@
// permission checks. Repo-specific access tokens aren't expected to be used with `package:write` scope, so
// there's currently no need to change this to GetUserRepoPermissionWithReducer -- and because package APIs
// doesn't take use an `APIContext`, we don't have access to a reducer to provide to it.
//
aahlenst commented 2026-03-03 15:37:03 +01:00
Member
Copy link

Repo-specific access tokens aren't expected to be used with package:write scope.

I don't follow. Packages, at least OCI images, can be attached to repositories.

In any case, I find the description a bit unclear. I tried to reword it:

AuthorizationReducer is not applicable to this usage of GetUserRepoPermission() because it is used to figure out whether the user has the permission package:write. Repository-specific access tokens are not supposed to curtail package:write.
> Repo-specific access tokens aren't expected to be used with `package:write` scope. I don't follow. Packages, at least OCI images, can be attached to repositories. In any case, I find the description a bit unclear. I tried to reword it: ``` AuthorizationReducer is not applicable to this usage of GetUserRepoPermission() because it is used to figure out whether the user has the permission package:write. Repository-specific access tokens are not supposed to curtail package:write. ```
mfenniak commented 2026-03-03 17:01:28 +01:00
Author
Member
Copy link

@aahlenst wrote in #11476 (comment):

Repo-specific access tokens aren't expected to be used with package:write scope.

I don't follow. Packages, at least OCI images, can be attached to repositories.

Repo-specific access tokens will be restricted to only providing the read:repository, write:repository, read:issue, and write:issue scopes. Any other configuration will fail to create an access token (I'm still authoring the PRs to create repo-specific access tokens, so I don't have code to link here). This is the meaning of the statement "Repo-specific access tokens aren't expected to be used with package:write scope."

I'll take a pass at rewriting this comment to clarify it.

@aahlenst wrote in https://codeberg.org/forgejo/forgejo/pulls/11476#issuecomment-11163926: > > Repo-specific access tokens aren't expected to be used with `package:write` scope. > > I don't follow. Packages, at least OCI images, can be attached to repositories. Repo-specific access tokens will be restricted to only providing the `read:repository`, `write:repository`, `read:issue`, and `write:issue` scopes. Any other configuration will fail to create an access token (I'm still authoring the PRs to create repo-specific access tokens, so I don't have code to link here). This is the meaning of the statement "Repo-specific access tokens aren't expected to be used with `package:write` scope." I'll take a pass at rewriting this comment to clarify it.
mfenniak commented 2026-03-03 17:09:37 +01:00
Author
Member
Copy link

Revision a274a3d662..a8fef29b10:

// GetUserRepoPermission is used, which doesn't take into account any `AuthorizationReducer` from access
// tokens.  At present, `AuthorizationReducer` only provides capabilities to implement repo-specific access
// tokens.  It is not possible to create a repo-specific access token with the `package:write` scope, and
// that scope is required to call this API, so implementing `AuthorizationReducer` is not necessary here.
//
// This access check would need revision if either: package-specific access tokens were created, or,
// `package:write` scope was permitted on a repo-specific access token.
//
// (Because package APIs doesn't take use an `APIContext`, we don't have access to a reducer to provide to
// GetUserRepoPermissionWithReducer, otherwise we'd just do it and not spend so much time describing why we
// don't have to.)
//
// nosemgrep: forgejo-api-suspicious-GetUserRepoPermission

(The fact that this is a weird access check is removed from the comment because it's irrelevant to the ignore. While packages in general can be linked to repositories, as you've noted, this appears to be the only access check in the package API that looks for permission to write to the linked repository. 🤷 It stands out as a possible mistake, but, not really relevant to why we can ignore repo-specific access tokens here.)

Revision https://codeberg.org/forgejo/forgejo/compare/a274a3d66253075ce278bc187bf14f71904609a7..a8fef29b1024d70ea5b0619b345ce9177c76057b: ```go // GetUserRepoPermission is used, which doesn't take into account any `AuthorizationReducer` from access // tokens. At present, `AuthorizationReducer` only provides capabilities to implement repo-specific access // tokens. It is not possible to create a repo-specific access token with the `package:write` scope, and // that scope is required to call this API, so implementing `AuthorizationReducer` is not necessary here. // // This access check would need revision if either: package-specific access tokens were created, or, // `package:write` scope was permitted on a repo-specific access token. // // (Because package APIs doesn't take use an `APIContext`, we don't have access to a reducer to provide to // GetUserRepoPermissionWithReducer, otherwise we'd just do it and not spend so much time describing why we // don't have to.) // // nosemgrep: forgejo-api-suspicious-GetUserRepoPermission ``` (The fact that this is a weird access check is removed from the comment because it's irrelevant to the ignore. While packages in general can be linked to repositories, as you've noted, this appears to be the only access check in the package API that looks for permission to write to the linked repository. 🤷 It stands out as a possible mistake, but, not really relevant to why we can ignore repo-specific access tokens here.)
aahlenst marked this conversation as resolved
mfenniak force-pushed finegrained-pr7-semgrep from a274a3d662
All checks were successful
issue-labels / backporting (pull_request_target) Has been skipped
Details
testing / semgrep/ci (pull_request) Successful in 18s
Details
issue-labels / cascade (pull_request_target) Has been skipped
Details
Integration tests for the release process / release-simulation (push) Successful in 5m34s
Details
issue-labels / release-notes (pull_request_target) Has been skipped
Details
requirements / merge-conditions (pull_request) Successful in 3s
Details
testing / frontend-checks (pull_request) Successful in 1m21s
Details
testing / backend-checks (pull_request) Successful in 3m37s
Details
testing / test-unit (pull_request) Successful in 7m50s
Details
testing / test-remote-cacher (redis) (pull_request) Successful in 2m24s
Details
testing / test-remote-cacher (valkey) (pull_request) Successful in 3m12s
Details
testing / test-remote-cacher (redict) (pull_request) Successful in 2m25s
Details
testing / test-remote-cacher (garnet) (pull_request) Successful in 2m28s
Details
testing / test-mysql (pull_request) Successful in 28m18s
Details
testing / test-e2e (pull_request) Successful in 28m20s
Details
testing / test-sqlite (pull_request) Successful in 34m23s
Details
testing / test-pgsql (pull_request) Successful in 40m39s
Details
testing / security-check (pull_request) Successful in 1m44s
Details
to a8fef29b10
All checks were successful
issue-labels / release-notes (pull_request_target) Has been skipped
Details
requirements / merge-conditions (pull_request) Successful in 2s
Details
testing / backend-checks (pull_request) Successful in 4m0s
Details
testing / frontend-checks (pull_request) Successful in 1m12s
Details
testing / semgrep/ci (pull_request) Successful in 16s
Details
testing / test-unit (pull_request) Successful in 7m12s
Details
testing / test-remote-cacher (redis) (pull_request) Successful in 2m6s
Details
testing / test-remote-cacher (valkey) (pull_request) Successful in 2m12s
Details
testing / test-remote-cacher (redict) (pull_request) Successful in 2m14s
Details
testing / test-remote-cacher (garnet) (pull_request) Successful in 2m18s
Details
testing / test-e2e (pull_request) Successful in 22m20s
Details
testing / test-mysql (pull_request) Successful in 24m3s
Details
testing / test-sqlite (pull_request) Successful in 27m10s
Details
testing / test-pgsql (pull_request) Successful in 32m15s
Details
testing / security-check (pull_request) Successful in 57s
Details
issue-labels / backporting (pull_request_target) Has been skipped
Details
milestone / set (pull_request_target) Successful in 15s
Details
2026-03-03 17:07:29 +01:00 Compare
aahlenst approved these changes 2026-03-03 17:17:19 +01:00
mfenniak merged commit 3d6acf5e8c into forgejo 2026-03-03 17:55:37 +01:00
mfenniak deleted branch finegrained-pr7-semgrep 2026-03-03 17:55:39 +01:00
Sign in to join this conversation.
Reviewers
No reviewers
Cyborus
Gusted
aahlenst
Labels
Clear labels   
arch
riscv64

Archived

  
backport/v1.19

Scheduled for backport to Forgejo v1.19

Archived

  
backport/v1.20

Scheduled for backport to Forgejo v1.20

Archived

  
backport/v1.21/forgejo

Scheduled for backport to Forgejo v1.21

Archived

  
backport/v10.0/forgejo

Automated backport to v10.0

Archived

  
backport/v11.0/forgejo

Automated backport to v11.0

  
backport/v12.0/forgejo

Automated backport to v12.0

Archived

  
backport/v13.0/forgejo

Automated backport to v13.0

Archived

  
backport/v14.0/forgejo

Automated backport to v14.0

  
backport/v7.0/forgejo

Scheduled for backport to Forgejo v7.0

Archived

  
backport/v8.0/forgejo

Scheduled for backport to Forgejo v8.0

Archived

  
backport/v9.0/forgejo

Scheduled for backport to Forgejo v9.0

Archived

  
breaking

The release containing this change is not backward compatible

  
bug

Something is not working

Archived

  
bug
confirmed
it can be reproduced

  
bug
duplicate
bug has already been reported in the Forgejo tracker

  
bug
needs-more-info
the information provided does not contain enough details

  
bug
new-report
bug has just been reported and need triage (default label on issue creation)

  
bug
reported-upstream
bug cannot be fixed within Forgejo easily, it has been reported upstream

  
code/actions

Forgejo Actions feature

  
code/api

API

  
code/auth

Forgejo Authentication

  
code/auth/faidp

Forgejo as Identity Provider (in OAuth/OIDC flow)

  
code/auth/farp

Forgejo as Relying Party / Client (in OAuth/OIDC flow)

  
code/email

Everything related to email in Forgejo

  
code/federation

Federation

  
code/git

Related to the Git backend in Forgejo

  
code/migrations

Migration between Git forges (i.e. for GitHub, GitLab, Gitea, Forgejo, etc.). NOT for database migrations.

  
code/packages

Forgejo package and container registry

  
code/wiki
  
database
MySQL
https://www.mysql.com/

  
database
PostgreSQL
https://www.postgresql.org/

  
database
SQLite
https://sqlite.org/

  
dependency-upgrade

https://codeberg.org/forgejo/forgejo/issues/2779

  
dependency
certmagic
github.com/caddyserver/certmagic

Archived

  
dependency
chart.js
https://github.com/chartjs/Chart.js

Archived

  
dependency
Chi
https://github.com/go-chi/chi/

Archived

  
dependency
Chroma
https://github.com/alecthomas/chroma/

Archived

  
dependency
citation.js
https://github.com/larsgw/citation.js/

Archived

  
dependency
codespell
https://github.com/codespell-project/codespell

Archived

  
dependency
css-loader
https://github.com/webpack-contrib/css-loader

Archived

  
dependency
devcontainers
https://github.com/devcontainers/cli

Archived

  
dependency
dropzone
https://github.com/dropzone/dropzone

Archived

  
dependency
editorconfig-checker
https://github.com/editorconfig-checker/editorconfig-checker

Archived

  
dependency
elasticsearch
https://www.elastic.co/elasticsearch

Archived

  
dependency
enmime
https://github.com/jhillyerd/enmime

Archived

  
dependency
F3
https://f3.forgefriends.org/

  
dependency
ForgeFed
https://forgefed.org

  
dependency
garage
https://git.deuxfleurs.fr/Deuxfleurs/garage

  
dependency
Git
https://git-scm.com/

Archived

  
dependency
git-backporting
https://github.com/kiegroup/git-backporting

Archived

  
dependency
Gitea
https://github.com/go-gitea/gitea

  
dependency
gitignore
https://github.com/github/gitignore

Archived

  
dependency
go-ap
https://github.com/go-ap/activitypub

Archived

  
dependency
go-enry
https://github.com/go-enry/go-enry

Archived

  
dependency
go-gitlab
https://github.com/xanzy/go-gitlab

Archived

  
dependency
Go-org
https://github.com/niklasfasching/go-org

Archived

  
dependency
go-rpmutils
https://github.com/sassoftware/go-rpmutils

Archived

  
dependency
go-sql-driver mysql
https://github.com/go-sql-driver/mysql/

Archived

  
dependency
go-swagger
github.com/go-swagger/go-swagger

Archived

  
dependency
go-version
https://github.com/hashicorp/go-version

Archived

  
dependency
go-webauthn
https://github.com/go-webauthn/webauthn

Archived

  
dependency
gocron
https://github.com/go-co-op/gocron

Archived

  
dependency
Golang
https://go.dev/

  
dependency
goldmark
https://github.com/yuin/goldmark

Archived

  
dependency
goquery
github.com/PuerkitoBio/goquery

Archived

  
dependency
Goth
https://github.com/markbates/goth/

Archived

  
dependency
grpc-go
https://github.com/grpc/grpc-go

Archived

  
dependency
happy-dom
https://github.com/capricorn86/happy-dom

Archived

  
dependency
Helm
https://helm.sh/

Archived

  
dependency
image-spec
https://github.com/opencontainers/image-spec

Archived

  
dependency
jsonschema
https://github.com/santhosh-tekuri/jsonschema

Archived

  
dependency
KaTeX
https://github.com/KaTeX/KaTeX

Archived

  
dependency
lint
All linting tools and libraries

Archived

  
dependency
MariaDB
https://mariadb.com/

Archived

  
dependency
Mermaid
https://github.com/mermaid-js/mermaid/

Archived

  
dependency
minio-go
https://github.com/minio/minio-go/

Archived

  
dependency
misspell
github.com/golangci/misspell/cmd/misspell

Archived

  
dependency
Monaco
https://github.com/microsoft/monaco-editor

Archived

  
dependency
PDFobject
https://pdfobject.com/

Archived

  
dependency
playwright
https://playwright.dev/

Archived

  
dependency
postcss
https://github.com/postcss/postcss

Archived

  
dependency
postcss-plugins
https://github.com/csstools/postcss-plugins

Archived

  
dependency
pprof
https://github.com/google/pprof

Archived

  
dependency
prometheus client_golang
https://github.com/prometheus/client_golang

Archived

  
dependency
protobuf
https://google.golang.org/protobuf

Archived

  
dependency
relative-time-element
https://github.com/github/relative-time-element

Archived

  
dependency
renovate
https://github.com/renovatebot/renovate

Archived

  
dependency
reply
https://code.forgejo.org/forgejo/reply

Archived

  
dependency
ssh
https://github.com/gliderlabs/ssh

Archived

  
dependency
swagger-ui
https://github.com/swagger-api/swagger-ui

Archived

  
dependency
tailwind
https://tailwindcss.com/

Archived

  
dependency
temporal-polyfill
https://github.com/fullcalendar/temporal-polyfill

Archived

  
dependency
terminal-to-html
github.com/buildkite/terminal-to-html

Archived

  
dependency
tests-only
Undifferentiated dependencies used for testing only

Archived

  
dependency
text-expander-element
https://github.com/github/text-expander-element

Archived

  
dependency
urfave
https://github.com/urfave/cli

Archived

  
dependency
vfsgen
https://github.com/lunny/vfsgen

Archived

  
dependency
vite
https://vitejs.dev/

Archived

  
dependency
Woodpecker CI
https://woodpecker-ci.org/

Archived

  
dependency
x tools
https://golang.org/x/tools

Archived

  
dependency
XORM
https://gitea.com/xorm/xorm

Archived

  
Discussion

   
duplicate

This issue or pull request already exists

  
enhancement/feature

New feature

  
forgejo/accessibility

Accessibility (a11y)

  
forgejo/branding

Branding (logo, name, tagline etc.)

  
forgejo/ci

Forgejo Actions CI configuration

  
forgejo/commit-graph

The commit graph feature and page.

  
forgejo/documentation

   
forgejo/furnace cleanup

Keeping Forgejo in sync with its dependencies and contributing back to them

Archived

  
forgejo/i18n

t9n/translation, l10n/localization, and i18n/internationalization of Forgejo

  
forgejo/interop

Interoperability with other services: Webhooks, bridges, integrations

  
forgejo/moderation

Moderation

  
forgejo/privacy

Privacy first

  
forgejo/release

Release management

  
forgejo/scaling

Performance and scaling

  
forgejo/security

Security (please disclose responsibly)

  
forgejo/ui

User interface

  
Gain
High
User research provides indicators that this would be good to have, interested contributors are encouraged to pick this.

  
Gain
Nice to have
This is likely worth having, but the assumption is not backed by user research data (it might benefit a small amount of users only.) Unlikely to receive much attention, but feel free to pick.

  
Gain
Undefined
Not enough information to assess the request's benefits. This issue may be closed if no gain is established: You can help by giving us more input.

  
Gain
Very High
User research indicates that this is an important improvement for Forgejo users. Contributions very welcome!

  
good first issue

Optimal for first-timers! Make sure to look for further explanations and ask for help if needed. If you want, you can consider the person who added this label as a point of contact.

  
i18n/backport-stable

This PR needs to be backported to stable branch of Forgejo safely and manually, using a migration script.

  
impact
large
Large impact: Potential data loss, many users affected, major degradation in UX.

  
impact
medium
Medium impact: Several users affected, degradation in UX, workarounds might be available but inconvenient.

  
impact
small
Small impact: No data loss, workarounds might be available, affects few users.

  
impact
unknown
Report was not yet triaged to assess impact.

  
Incompatible license

This pull request contains changes that are not (yet) compatible with the current Forgejo license

  
issue
closed
The issue was resolved in the repository of the dependency

  
issue
do-not-exist-yet
An issue should be created in the respository of the dependency

  
issue
open
An open issue exists in the upstream repository of the dependency

  
manual test

Pull requests that have been merged with a manual test

Archived

  
Manually tested during feature freeze

The manual test instructions were followed

  
OS
FreeBSD
Specific to the FreeBSD Operating System

  
OS
Linux
Specific to (GNU/)Linux Operating Systems

  
OS
macOS
Specific to the MacOS Operating System

  
OS
Windows
Specific to the Windows Operating System

  
problem

A user report about a problem. Needs to be triaged to find potential solutions.

  
QA

   
regression

found in the version of the milestone and not before

  
release blocker

Issues that must be fixed before the release can be published

  
Release Cycle
Feature Freeze
Only bug fixes with automated tests (except for CSS/JavaScript)

  
release-blocker
v7.0
Issues that must be fixed before Forgejo v7.0 can be released 17 April 2024

Archived

  
release-blocker
v7.0.1
Issues that must be fixed before Forgejo v7.0.1 can be released

Archived

  
release-blocker
v7.0.2
Issues that must be fixed before Forgejo v7.0.2 can be released

Archived

  
release-blocker
v7.0.3
Issues that must be fixed before Forgejo v7.0.3 can be released

Archived

  
release-blocker
v7.0.4
Issues that must be fixed before Forgejo v7.0.4 can be released

Archived

  
release-blocker
v8.0.0
Issues that must be fixed before Forgejo v8.0.0 can be released

Archived

  
release-blocker/v9.0.0

Issues that must be fixed before Forgejo v9.0.0 can be released

Archived

  
run-all-playwright-tests

Add this label to a PR to run all playwright tests manually.

  
run-end-to-end-tests

Trigger additional tests on the PR when it is ready to be merged

  
test
manual
manual testing has been documented

  
test
needed
test should be added

  
test
needs-help
help needed to add a test

  
test
not-needed
no additional test is needed

  
test
present
test has been added

  
untested

Pull requests that have been merged with no test and submitted as is to the dependency where they belong

Archived

  
User research - time-tracker

Time tracking feature for issues and the JS stopwatch.

  
valuable code

This PR was closed because the implementation is incomplete

  
worth a release-note

Add this PR to the release notes

  
User research - Accessibility

Requires input about accessibility features, likely involves user testing.

  
User research - Blocked

Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.

  
User research - Community

Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.

  
User research - Config (instance)

Instance-wide configuration, authentication and other admin-only needs.

  
User research - Errors

How to deal with errors in the application and write helpful error messages.

  
User research - Filters

How filter and search is being worked with.

  
User research - Future backlog

The issue might be inspiring for future design work.

  
User research - Git workflow

AGit, fork-based and new Git workflow, PR creation etc

  
User research - Labels

Active research about Labels

  
User research - Moderation

Moderation Featuers for Admins are undergoing active User Research

  
User research - Needs input

Use this label to let the User Research team know their input is requested.

  
User research - Notifications/Dashboard

Research on how users should know what to do next.

  
User research - Rendering

Text rendering, markup languages etc

  
User research - Repo creation

Active research about the New Repo dialog.

  
User research - Repo units

The repo sections, disabling them and the "Add more" button.

  
User research - Security

   
User research - Settings (in-app)

How to structure in-app settings in the future?

No labels
arch
riscv64
backport/v1.19
backport/v1.20
backport/v1.21/forgejo
backport/v10.0/forgejo
backport/v11.0/forgejo
backport/v12.0/forgejo
backport/v13.0/forgejo
backport/v14.0/forgejo
backport/v7.0/forgejo
backport/v8.0/forgejo
backport/v9.0/forgejo
breaking
bug
bug
confirmed
bug
duplicate
bug
needs-more-info
bug
new-report
bug
reported-upstream
code/actions
code/api
code/auth
code/auth/faidp
code/auth/farp
code/email
code/federation
code/git
code/migrations
code/packages
code/wiki
database
MySQL
database
PostgreSQL
database
SQLite
dependency-upgrade
dependency
certmagic
dependency
chart.js
dependency
Chi
dependency
Chroma
dependency
citation.js
dependency
codespell
dependency
css-loader
dependency
devcontainers
dependency
dropzone
dependency
editorconfig-checker
dependency
elasticsearch
dependency
enmime
dependency
F3
dependency
ForgeFed
dependency
garage
dependency
Git
dependency
git-backporting
dependency
Gitea
dependency
gitignore
dependency
go-ap
dependency
go-enry
dependency
go-gitlab
dependency
Go-org
dependency
go-rpmutils
dependency
go-sql-driver mysql
dependency
go-swagger
dependency
go-version
dependency
go-webauthn
dependency
gocron
dependency
Golang
dependency
goldmark
dependency
goquery
dependency
Goth
dependency
grpc-go
dependency
happy-dom
dependency
Helm
dependency
image-spec
dependency
jsonschema
dependency
KaTeX
dependency
lint
dependency
MariaDB
dependency
Mermaid
dependency
minio-go
dependency
misspell
dependency
Monaco
dependency
PDFobject
dependency
playwright
dependency
postcss
dependency
postcss-plugins
dependency
pprof
dependency
prometheus client_golang
dependency
protobuf
dependency
relative-time-element
dependency
renovate
dependency
reply
dependency
ssh
dependency
swagger-ui
dependency
tailwind
dependency
temporal-polyfill
dependency
terminal-to-html
dependency
tests-only
dependency
text-expander-element
dependency
urfave
dependency
vfsgen
dependency
vite
dependency
Woodpecker CI
dependency
x tools
dependency
XORM
Discussion
duplicate
enhancement/feature
forgejo/accessibility
forgejo/branding
forgejo/ci
forgejo/commit-graph
forgejo/documentation
forgejo/furnace cleanup
forgejo/i18n
forgejo/interop
forgejo/moderation
forgejo/privacy
forgejo/release
forgejo/scaling
forgejo/security
forgejo/ui
Gain
High
Gain
Nice to have
Gain
Undefined
Gain
Very High
good first issue
i18n/backport-stable
impact
large
impact
medium
impact
small
impact
unknown
Incompatible license
issue
closed
issue
do-not-exist-yet
issue
open
manual test
Manually tested during feature freeze
OS
FreeBSD
OS
Linux
OS
macOS
OS
Windows
problem
QA
regression
release blocker
Release Cycle
Feature Freeze
release-blocker
v7.0
release-blocker
v7.0.1
release-blocker
v7.0.2
release-blocker
v7.0.3
release-blocker
v7.0.4
release-blocker
v8.0.0
release-blocker/v9.0.0
run-all-playwright-tests
run-end-to-end-tests
test
manual
test
needed
test
needs-help
test
not-needed
test
present
untested
User research - time-tracker
valuable code
worth a release-note
User research - Accessibility
User research - Blocked
User research - Community
User research - Config (instance)
User research - Errors
User research - Filters
User research - Future backlog
User research - Git workflow
User research - Labels
User research - Moderation
User research - Needs input
User research - Notifications/Dashboard
User research - Rendering
User research - Repo creation
User research - Repo units
User research - Security
User research - Settings (in-app)
Milestone
Clear milestone
No items
No milestone
Forgejo v15.0.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/forgejo!11476
No description provided.