From 45b9037d3c0c243ffaab84b22d89e00371a2851e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Mon, 2 Jan 2023 22:49:15 +0100 Subject: [PATCH] [DOCS] RELEASE-NOTES.md (cherry picked from commit b07123ee7b441946bdeacf38dfbabde705427f63) (cherry picked from commit ca85c880b476428b407c30b4b1776b2e008c9330) (cherry picked from commit 723ead94cb63e8d703f0159a02e2fcaff2f1bb30) (cherry picked from commit ff148318da221be77813675437026985a19107a7) [DOCS] RELEASE-NOTES: 1.19.0 (cherry picked from commit e84e43887beae3a2f18afb8ef71fdc17078413bc) [DOCS] RELEASE-NOTES: add scoped access tokens (cherry picked from commit 688f831853ef179d511cc7594dd23cc46ccef654) [DOCS] RELEASE-NOTES: Scoped labels (cherry picked from commit 747479a07b3b7b329016337025eddbc82c4073a4) [DOCS] RELEASE-NOTES: OIDC groups (cherry picked from commit 10c505fe8941b81824f08e4c6a39d12517c182bc) [DOCS] RELEASE-NOTES: Copy Link is broken On firefox it fails with Uncaught TypeError: navigator.clipboard is undefined On chromium it fails with Uncaught TypeError: Cannot read properties of undefined (reading 'writeText') (cherry picked from commit 148b2ff093fa87672aa09d09484b7803bbdecc39) [DOCS] RELEASE-NOTES: Copy citation (cherry picked from commit d0f217735f506d0f4fb414f38860d821cd1925b5) [DOCS] RELEASE-NOTES: Support org/user level projects (cherry picked from commit de845c7bcf4637f442a612fafb6a663c7dc69473) [DOCS] RELEASE-NOTES: v1.19 has a documentation (cherry picked from commit 9a5b46da32fa12c32215a0c0a8b233c14a10c9b0) [DOCS] RELEASE-NOTES: do not split webhook section (cherry picked from commit 00ed02032124ca75644ec2365f054c56d7e68d20) [DOCS] RELEASE-NOTES: Incoming emails (cherry picked from commit 06c455b33bf39a7595a31a983dbaab7e28795f55) [DOCS] RELEASE-NOTES: secrets are an implementation detail (cherry picked from commit 8236dc3a573f9cdb892894416268d3a115c77fd1) [DOCS] RELEASE-NOTES: Prohibit fork if user reached maximum (cherry picked from commit 0f80b8c696ef8c407466605588f341b710a023ab) [DOCS] RELEASE-NOTES: scoped tokens: do not duplicate the docs (cherry picked from commit 9bc4793c078e115ab5d59fda89fb43765dcb0526) [DOCS] RELEASE-NOTES: rss feed for tags and releases (cherry picked from commit 599b36fada5f12a3fb4e0eed4f787606af701e46) [DOCS] RELEASE-NOTES: protected branches wildcard (cherry picked from commit 2b316c495056b9ae9191f51f550eb0a5c76ae6c1) [DOCS] RELEASE-NOTES: disable releases (cherry picked from commit 9a60773f1dcaf241b43707c2009e0223d0b3eed9) [DOCS] RELEASE-NOTES: review box (cherry picked from commit 09867dd1220c66c6ad468f9f0a0a22740510f373) [DOCS] RELEASE-NOTES: asciicast support (cherry picked from commit ea9658379b25f9c1dec487fd5d9139d37735e113) [DOCS] RELEASE-NOTES: attention blocks (cherry picked from commit 70b387750b2fea65e68aa2b1486ffcfef0dbd2fd) [DOCS] RELEASE-NOTES: commit cross reference (cherry picked from commit fe706dad13db9f3ad4fd6699b20337712e7a674b) [DOCS] RELEASE-NOTES: strip user completion border case (cherry picked from commit 33ca51b4b699ba347d395796d80eebab09b1a2f6) [DOCS] RELEASE-NOTES: card preview (cherry picked from commit 626cd78ca6d2c95dcd90c33d0f9e3e99f48912e7) [DOCS] RELEASE-NOTES: raw copy button (cherry picked from commit edfb467d64190df7b8056e5ced164678ea5a1ea7) [DOCS] RELEASE-NOTES: allow edits by maintainers by default (cherry picked from commit 7006405bc6113f4b7acd26d91d1f928022d00bdf) [DOCS] RELEASE-NOTES: database auto migration is a little arcane (cherry picked from commit 78030fa9af4a05e2092d54e18e7b2dee2037c299) [DOCS] RELEASE-NOTES: fix typos & minor rewording (cherry picked from commit ae1d47f656df2c11c140095d8710361ebe545af5) (cherry picked from commit ad08ca9955304663367fa66e8d2097b78bc5b438) [DOCS] RELEASE-NOTES: webhook authorization header (cherry picked from commit c35e2c4f6f985be5763363ae2b03e5d23378f0d2) [DOCS] RELEASE-NOTES: video element in markdown (cherry picked from commit bcb0bd51d2114a7f086358b568928c3feeefea57) [DOCS] RELEASE-NOTES: move scoped labels to the documentation (cherry picked from commit c5eedaf4f398ca232ca65f132d504425dd8ac3ba) [DOCS] RELEASE-NOTES: cosmetic improvements (cherry picked from commit b93df350d96c0cb8b6b6b924a1dd8af1551f2263) [DOCS] RELEASE-NOTES: 1.19.0-0 is really : 1.19.0-2 (cherry picked from commit 60d770c2c95d841c597f619e73582bbdfcdb0143) [DOCS] RELEASE-NOTES: relevant repositories (cherry picked from commit de6ed5b87f845bb86f4d3aa4085f373958797ebe) (cherry picked from commit 71d91fdf22d04cb8d0c88eac87a9a59e1c558bd7) [DOCS] RELEASE-NOTES: semantic version (cherry picked from commit af062d77f0641426aa048e5975585b01652aea01) [DOCS] RELEASE-NOTES: reflogs (cherry picked from commit 084713d8aae787e2db76219f29840f006967ff92) (cherry picked from commit 90ad322a56bd67f717e32e8a1a419033add3655a) [DOCS] RELEASE-NOTES: fix broken link to OIDC mapping (cherry picked from commit 802a252eb5ddb411574cd7a8c9645fffd88de469) [DOCS] RELEASE-NOTES: Fix spaces (cherry picked from commit a605d36ab63cba34770b14e0073ee6b9dbb3b511) [DOCS] RELEASE-NOTES: SemVer (cherry picked from commit 7b29c90035f243944340952c234e2caec84527e7) (cherry picked from commit 82799195c9208d43a6c6d8da1fd6f7560f224b09) (cherry picked from commit 5d9c2e9ec67ea7d39532d61bbf5aed3e1161d669) [DOCS] RELEASE-NOTES: 1.19.0-3 (cherry picked from commit c599b2947d9da682da156fad459be76f09bda999) (cherry picked from commit 8a37027ae78f42f211e179bc4080488485982a87) [DOCS] RELEASE-NOTES: v1.19.1-0 (cherry picked from commit 89b9e96cc778a6cc2a063201252e9e2c1042a355) (cherry picked from commit 2b4e881a4e43ea0ab522e4d8c127a2b4ccdb10d7) [DOCS] RELEASE-NOTES: 1.19.2-0 (cherry picked from commit 0c0d2ec46cbc34d42b36af7e4096ee8e149a77ae) (cherry picked from commit 437b8caae4d3045c00f671758dd287f005805cf6) [DOCS] RELEASE-NOTES: 1.19.3-0 (cherry picked from commit 040740917e24c7d97ace3f46723e88163bafb533) [DOCS] RELEASE-NOTES: 1.19.3-0 (fix typo) (cherry picked from commit 24516cb22ab3768d076d5da87afa5f135e4409da) (cherry picked from commit 429c8e652549072d0c695b7c3e7c9f447aea8b5b) (cherry picked from commit 8247bddb45de2e5a275551d50a84ccfe5cc28e7d) (cherry picked from commit d77d7b7be72d0de250d97cdedb9381a1cdc1562e) (cherry picked from commit a64c899b1dde2ebeb620569b16cf982eb519e475) (cherry picked from commit 0803eaa2e3b470f866e48fde7c6253666bfc5982) (cherry picked from commit 8538f2897e49027e6f30e477401a97ddf22beb5b) --- RELEASE-NOTES.md | 808 ++++++++++++++++++ .../images/forgejo-v1.18.0-rc1-2-landing.jpg | Bin 0 -> 108791 bytes .../images/forgejo-v1.19-citation-dialog.png | Bin 0 -> 14459 bytes .../images/forgejo-v1.19-citation-link.png | Bin 0 -> 20716 bytes .../images/forgejo-v1.19-note-warning.png | Bin 0 -> 26889 bytes releases/images/forgejo-v1.19-oidc-part1.png | Bin 0 -> 31091 bytes releases/images/forgejo-v1.19-oidc-part2.png | Bin 0 -> 33754 bytes .../images/forgejo-v1.19-raw-copy-after.png | Bin 0 -> 20867 bytes .../images/forgejo-v1.19-raw-copy-before.png | Bin 0 -> 18495 bytes releases/images/forgejo-v1.19-relevant.png | Bin 0 -> 41638 bytes releases/images/forgejo-v1.19.0-0-rc0.png | Bin 0 -> 131219 bytes 11 files changed, 808 insertions(+) create mode 100644 RELEASE-NOTES.md create mode 100644 releases/images/forgejo-v1.18.0-rc1-2-landing.jpg create mode 100644 releases/images/forgejo-v1.19-citation-dialog.png create mode 100644 releases/images/forgejo-v1.19-citation-link.png create mode 100644 releases/images/forgejo-v1.19-note-warning.png create mode 100644 releases/images/forgejo-v1.19-oidc-part1.png create mode 100644 releases/images/forgejo-v1.19-oidc-part2.png create mode 100644 releases/images/forgejo-v1.19-raw-copy-after.png create mode 100644 releases/images/forgejo-v1.19-raw-copy-before.png create mode 100644 releases/images/forgejo-v1.19-relevant.png create mode 100644 releases/images/forgejo-v1.19.0-0-rc0.png diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md new file mode 100644 index 0000000000..8321aef56e --- /dev/null +++ b/RELEASE-NOTES.md @@ -0,0 +1,808 @@ +# Release Notes + +A Forgejo release is published shortly after a Gitea release is published and they have [matching release numbers](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING/RELEASE.md#release-numbering). Additional Forgejo releases may be published to address urgent security issues or bug fixes. Forgejo release notes include all Gitea release notes. + +The Forgejo admin should carefully read the required manual actions before upgrading. A point release (e.g. v1.19.1 or v1.19.2) does not require manual actions but others might (e.g. v1.18.0, v1.19.0). + +## 1.19.3-0 + +The [complete list of commits](https://codeberg.org/forgejo/forgejo/commits/branch/v1.19/forgejo) included in the `Forgejo v1.19.3-0` release can be reviewed from the command line with: + +```shell +$ git clone https://codeberg.org/forgejo/forgejo/ +$ git -C forgejo log --oneline --no-merges v1.19.2-0..v1.19.3-0 +``` + +This stable release contains security fixes. + +* Recommended Action + + We recommend that all Forgejo installations are upgraded to the latest version. + +* [Forgejo Semantic Version](https://forgejo.org/docs/v1.19/user/semver/) + + The semantic version was updated from `4.2.0+0-gitea-1.19.2` to `4.2.1+0-gitea-1.19.3` because of the rebuild with [Go version 1.20.4](https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved). + +* Security fixes + + * Forgejo was recompiled with Go version v1.20.4 published 2 May 2023. It fixes [three vulnerabilities](https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved) ([CVE-2023-29400](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29400), [CVE-2023-24540](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24540), [CVE-2023-24539](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24539)) related to the [html/template](https://pkg.go.dev/html/template) package. The [Forgejo security team](https://forgejo.org/.well-known/security.txt) analyzed the security fixes it contains and concluded that Forgejo is not affected but recommended a rebuild as a precaution. + +* Bug fixes + + The most prominent one is described here, others can be found in the list of commits included in the release as described above. + + * [Allow users that are not signed in to browse the tag list](https://codeberg.org/forgejo/forgejo/commit/e76b3f72b23bf778a562682d829744451b27d615). Requiring users to be signed in to view the tag list was a regression introduced in Forgejo v1.19.2-0. + +## 1.19.2-0 + +The [complete list of commits](https://codeberg.org/forgejo/forgejo/commits/branch/v1.19/forgejo) included in the `Forgejo v1.19.2-0` release can be reviewed from the command line with: + +```shell +$ git clone https://codeberg.org/forgejo/forgejo/ +$ git -C forgejo log --oneline --no-merges v1.19.1-0..v1.19.2-0 +``` + +This stable release contains **important security fixes**. + +* Recommended Action + + We **strongly recommend** that all Forgejo installations are upgraded to the latest version as soon as possible. + +* [Forgejo Semantic Version](https://forgejo.org/docs/v1.19/user/semver/) + + The semantic version was updated from `4.1.0+0-gitea-1.19.1` to `4.2.0+0-gitea-1.19.2` because of the changes introduced in the internal CI. + +* Security fixes + + * Token scopes were not enforced in some cases ([patch 1](https://codeberg.org/forgejo/forgejo/commit/7c3ac69c0) and [patch 2](https://codeberg.org/forgejo/forgejo/commit/10d3ed53f1cc6d383b52637bedd7bc3679476eb4)). The [scoped token](https://forgejo.org/docs/v1.19/user/oauth2-provider/#scoped-tokens) were introduced in Forgejo v1.19 allow for the creation of application tokens that only have limited permissions, such as creating packages or accessing repositories. Prior to Forgejo v1.19 tokens could be used to perform any operation the user issuing the token could. + * [Permissions to delete secrets was not enforced](https://codeberg.org/forgejo/forgejo/commit/68d80eb56). The experimental internal CI relies on secrets managed via the web interface, for instance to communicate credentials to a job. Secrets are only used in the context of the experimental internal CI. + +* Bug fixes + + The most prominent ones are described here, others can be found in the list of commits included in the release as described above. + + * [Restore public access to some API endpoints](https://codeberg.org/forgejo/forgejo/commit/b00f7c3c545c6a00a747a5aea7596f45c50157ac). When [scoped token](https://forgejo.org/docs/v1.19/user/oauth2-provider/#scoped-tokens) introduced in Forgejo v1.19, some API endpoints that were previously accessible anonymously became restricted: `/orgs`, `/orgs/{org}`, `/orgs/{org}/repos`, `/orgs/{org}/public_members`, `/orgs/{org}/public_members/{username}`, `/orgs/{org}/labels`. + * [Fix 2-dot direct compare to use the right base commit](https://codeberg.org/forgejo/forgejo/commit/494e373292962de34b7ea7efd3f4a8d2f27daa26). For 2-dot direct compare, the base commit should be used in the title and templates, as is used elsewhere, not the common ancestor which is used for 3-dot compare. + * [Make CORS work](https://codeberg.org/forgejo/forgejo/commit/2e6e5bc9c96ebb760f28c08423bb0c244ca7e01c). No [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) headers were set, even if CORS was enabled in the configuration. + * [Fix issue attachment removal](https://codeberg.org/forgejo/forgejo/commit/d5f2c9d74d63443cc2abbcabc268cf1121f58e8b). When an attachment was removed from an issue or review comment, all of the image/attachment links were broken. + * [Fix wiki write permissions for users who do not have repository write permissions](https://codeberg.org/forgejo/forgejo/commit/8c465206e2fea27076fdb986ea0478729653f0b5). When a team member had write access to the wiki but not to the code repository, some operations (deleting a page for instance) were denied. + * [Respect the REGISTER_MANUAL_CONFIRM setting when registering via OAuth](https://codeberg.org/forgejo/forgejo/commit/116b6d5b27c40b248281f5fd543f7aa8df0d59d3). Contrary to the local registration, the OAuth registration flow activated a newly registered user regardless of the value of `REGISTER_MANUAL_CONFIRM`. + * [Fix tags list for repos whose release setting is disabled](https://codeberg.org/forgejo/forgejo/commit/eeee32cdc3aab4d2086b24aae670a39501c9ea99). When releases was disabled the "tags" button led to a `Not Found` page, even when tags existed. + +* Container image upgrades + + In the Forgejo container images the Git version was upgraded to [2.38.5](https://github.com/git/git/blob/master/Documentation/RelNotes/2.38.5.txt) as a precaution. The [Forgejo security team](https://forgejo.org/.well-known/security.txt) analyzed the security fixes it contains and concluded that Forgejo is not affected. + +## 1.19.1-0 + +The [complete list of commits](https://codeberg.org/forgejo/forgejo/commits/branch/v1.19/forgejo) included in the `Forgejo v1.19.1-0` release can be reviewed from the command line with: + +```shell +$ git clone https://codeberg.org/forgejo/forgejo/ +$ git -C forgejo log --oneline --no-merges v1.19.0-3..v1.19.1-0 +``` + +This stable release includes bug fixes. Functional changes related to the experimental CI have also been backported. + +* Recommended Action + + We recommend that all installations are upgraded to the latest version. + +* [Forgejo Semantic Version](https://forgejo.org/docs/v1.19/user/semver/) + + The semantic version was updated from `4.0.0+0-gitea-1.19.0` to `4.1.0+0-gitea-1.19.1` because of the changes introduced in the internal CI. + +* Bug fixes + + The most prominent ones are described here, others can be found in the list of commits included in the release as described above. + + * [Fix RSS/ATOM/GPG/KEYS path for users (or orgs) with a dot in their name](https://codeberg.org/forgejo/forgejo/commit/085b56302cfd9a949319a3a1e32e008b4a0d0772). It is allowed for a user (or an organization) to have a dot in their name, for instance `user.name`. Because of a [bug in Chi](https://codeberg.org/forgejo/forgejo/issues/652) it was not possible to access `/user.name.png`, `/user.name.gpg`, etc. A workaround was implemented while a [proper fix is being discussed](https://github.com/go-chi/chi/pull/811). + * [Creating a tag via the web interface no longer requires a title](https://codeberg.org/forgejo/forgejo/commit/1b8ecd179bdb58427b99c2c2eb9ad5a45abf7055). + * [Use fully qualified URLs in Dockerfile](https://codeberg.org/forgejo/forgejo/commit/833a4b177596debc138e5723219fd063d067bd5b). The Dockerfile to create the Forgejo container image now uses the fully qualified image `docker.io/library/golang:1.20-alpine3.17` instead of `golang:1.20-alpine3.17`. This allows for building on platforms that don't have docker hub as the default container registry. + * [Redis use Get/Set instead of Rename when Regenerate session id](https://codeberg.org/forgejo/forgejo/commit/3a7cb1a83b4ecd89421b5656b8caeb30c2b13c7c). The old sid and new sid may be in different redis cluster slot. + * [Do not escape space between PyPI repository url and package name](https://codeberg.org/forgejo/forgejo/commit/cfde557e231417b7fb3cde3e9bab70d05b7d182f). It also adds a trailing slash to the PyPI repository URL in accordance to [Python PEP-503](https://peps.python.org/pep-0503/). + * [Fix failure when using the API and an empty rule_name to protect a branch](https://codeberg.org/forgejo/forgejo/commit/abf0386e2ef6b56c048c04cd3d6913f453c87cb1). The `rule_name` parameter for the [/repos/{owner}/{repo}/branch_protections](https://code.forgejo.org/api/swagger#/repository/repoCreateBranchProtection) API now defaults to the branch name instead of being empty. + * [Fix branch protection priority](https://codeberg.org/forgejo/forgejo/commit/580da8f35320dbd15b168bf8ccfaff6187ff87e0). Contrary to [the documentation](https://forgejo.org/docs/v1.19/user/protection/#protected-branches) it was possible for a glob rule to take precedence over a non-glob rule. + * [Fix deleting an issue when the git repo does not exist](https://codeberg.org/forgejo/forgejo/commit/1d8ae34e57e46b84a885b4f072d949344c5977c4). If a project had an issue tracker (such as the [Forgejo discussion](https://codeberg.org/forgejo/discussions/issues)) but [no git repository](https://codeberg.org/forgejo/discussions/), trying to delete an issue would fail. + * [Fix accidental overwriting of LDAP team memberships](https://codeberg.org/forgejo/forgejo/commit/66aa85429684aca45753ac9578492ed3f7507ea3). If an LDAP user is a member of two groups, the LDAP group sync only matched the last group. + +## 1.19.0-3 + +The [complete list of commits](https://codeberg.org/forgejo/forgejo/commits/branch/v1.19/forgejo) included in the `Forgejo v1.19.0-3` release can be reviewed from the command line with: + +```shell +$ git clone https://codeberg.org/forgejo/forgejo/ +$ git -C forgejo log --oneline --no-merges v1.19.0-2..v1.19.0-3 +``` + +This stable release includes security updates and bug fixes. + +* Recommended Action + + We recommend that all installations are upgraded to the latest version. + +* Security + + The [Forgejo security team](https://forgejo.org/.well-known/security.txt) analyzed the vulnerabilities fixed in the latest [Go 1.20.3 packages](https://go.dev/doc/devel/release#go1.20.minor) and [Alpine 3.17.3](https://alpinelinux.org/posts/Alpine-3.17.3-released.html) and concluded that Forgejo is not affected. + + As a precaution the Forgejo v1.19.0-3 binaries were compiled with [Go 1.20.3 packages](https://go.dev/doc/devel/release#go1.20.minor) as published on 4 April 2023 and the container images were built with [Alpine 3.17.3](https://alpinelinux.org/posts/Alpine-3.17.3-released.html) as published on 29 March 2023. + +* [Forgejo Semantic Version](https://forgejo.org/docs/v1.19/user/semver/) + + The semantic version was updated from `3.0.0+0-gitea-1.19.0` to `4.0.0+0-gitea-1.19.0` because of the breaking changes described below. + +* Breaking changes + + They should not have a significant impact because they are related to experimental features (federation and CI). + + * [Use User.ID instead of User.Name in ActivityPub API for Person IRI](https://codeberg.org/forgejo/forgejo/commit/2fcd57d5ae5b5926e5b0b87e46f78ad4ac83cbbd) + + The ActivityPub id is an HTTPS URI that should remain constant, even if +the user changes their name. + + * [Actions unit is repo.actions instead of actions.actions](https://codeberg.org/forgejo/forgejo/commit/9596bd3712caec440859fce93d05e19cf95e5330) + + All instances of `actions.actions` in the `DISABLED_REPO_UNITS` or `DEFAULT_REPO_UNITS` configuration variables must be replaced with `repo.actions`. + +* Bug fixes + + They are for the most part about user interface and actions. The most prominent ones are: + + * [Do not filter repositories by default on the explore page](https://codeberg.org/forgejo/forgejo/commit/d15f20b2d2ce613cc8b36536995f29f81797c002). The behavior of the explore page is back to what it was in Forgejo v1.18. Changing it was confusing. + * [Skip LFS when disabled in dump and doctor](https://codeberg.org/forgejo/forgejo/commit/b6a2323981a7a89205a382ddf0542e205e292d3d). + * [Do not display own email on the profile](https://codeberg.org/forgejo/forgejo/commit/1fed0e1adc8dd2d27d2d7e34dda29c8e79e5e6e8). + * [Make minio package support legacy MD5 checksum](https://codeberg.org/forgejo/forgejo/commit/b73d1ac1eb7d5c985749dc721bbea7ebd14f9c83). + * [Do not triggers Webhooks and actions on closed PR](https://codeberg.org/forgejo/forgejo/commit/a04535e212b04c0f6643a4f36904a3d1bf30c63f). + +## 1.19.0-2 + +The [complete list of commits](https://codeberg.org/forgejo/forgejo/commits/branch/v1.19/forgejo) included in the `Forgejo v1.19.0-2` release can be reviewed from the command line with: + +```shell +$ git clone https://codeberg.org/forgejo/forgejo/ +$ git -C forgejo log --oneline --no-merges origin/v1.18/forgejo..origin/v1.19/forgejo +``` + +* Breaking changes + * [Scoped access tokens](https://codeberg.org/forgejo/forgejo/commit/de484e86bc) + + Forgejo access token, used with the [API](https://forgejo.org/docs/v1.19/admin/api-usage/) can now have a "scope" that limits what it can access. Existing tokens stored in the database and created before Forgejo v1.19 had unlimited access. For backward compatibility, their access will remain the same and they will continue to work as before. However, **newly created token that do not specify a scope will now only have read-only access to public user profile and public repositories**. + + For instance, the `/users/{username}/tokens` API endpoint will require the `scopes: ['all', 'sudo']` parameter and the `forgejo admin user generate-access-token` will require the `--scopes all,sudo` argument obtain tokens with ulimited access as before for admin users. + + [Read more about the scoped tokens](https://forgejo.org/docs/v1.19/user/oauth2-provider/#scoped-tokens). + + * [Disable all units except code and pulls on forks](https://codeberg.org/forgejo/forgejo/commit/2741546be) + + When forking a repository, the fork will now have issues, projects, releases, packages and wiki disabled. These can be enabled in the repository settings afterwards. To change back to the previous default behavior, configure `DEFAULT_FORK_REPO_UNITS` to be the same value as `DEFAULT_REPO_UNITS`. + + * [Filter repositories by default on the explore page](https://codeberg.org/forgejo/forgejo/commit/4d20a4a1b) + + The explore page now always filters out repositories that are considered not relevant because they are either forks or have no topic and not description and no icon. A link is shown to display all repositories, unfiltered. + + Explore repositories + + * [Remove deprecated DSA host key from Docker Container](https://codeberg.org/forgejo/forgejo/commit/f17edfaf5a31ea3f4e9152424b75c2c4986acbe3) + Since OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm, and recommend against its use. http://www.openssh.com/legacy.html + + * Additional restrictions on valid user names + + The algorithm for validating user names was modified and some users may have invalid names. The command `forgejo doctor --run check-user-names` will list all of them so they can be renamed. + + If a Forgejo instance has users or organizations named `forgejo-actions` and `gitea-actions`, they will also need to be renamed before the upgrade. They are now reserved names for the experimental internal CI/CD named `Actions`. + + * [Semantic version](https://forgejo.org/docs/latest/user/semver) + + Since v1.18.5, in addition to the Forgejo release number, a [semantic version](https://semver.org/#semantic-versioning-200) number (e.g. `v3.0.0`) can be obtained from the `number` key of a new `/api/forgejo/v1/version` endpoint. + + Now, it reflects the Gitea version that Forgejo depends on, is no longer prefixed with `v` (e.g. `3.0.0+0-gitea-1.19.0`), and can be obtained from the `version` key of the same endpoint. +* Features + + * [Documentation](https://forgejo.org/docs/latest/) + The first version of the [Forgejo documentation](https://forgejo.org/docs/latest/) is available and covers the administration of Forgejo, from installation to troubleshooting. + + [Read more about semantic versions](https://forgejo.codeberg.page/docs/v1.19/user/semver) + + * [Webhook authorization header](https://codeberg.org/forgejo/forgejo/commit/b6e81357bd6fb80f8ba94c513f89a210beb05313) + Forgejo webhooks can be configured to send an [authorization header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization) to the target. + + [Read more about the webhook authorization header](https://forgejo.codeberg.page/docs/v1.19/user/webhooks/#authorization-header) + + * [Incoming emails](https://codeberg.org/forgejo/forgejo/commit/fc037b4b825f0501a1489e10d7c822435d825cb7) + You can now set up Forgejo to receive incoming email. When enabled, it is now possible to reply to an email notification from Forgejo and: + * Add a comment to an issue or a pull request + * Unsubscribe to the notifications + + [Read more about incoming emails](https://forgejo.org/docs/v1.19/admin/incoming-email/) + + * Packages registries + * Support for [Cargo](https://forgejo.org/docs/v1.19/admin/packages/cargo/), [Conda](https://forgejo.org/docs/v1.19/admin/packages/conda/) and [Chef](https://forgejo.org/docs/v1.19/admin/packages/chef/) + * [Cleanup rules](https://codeberg.org/forgejo/forgejo/commit/32db62515) + * [Quota limits](https://codeberg.org/forgejo/forgejo/commit/20674dd05) + + * [Option to prohibit fork if user reached maximum limit of repositories](https://codeberg.org/forgejo/forgejo/commit/7cc7db73b) + It is possible for a user to create as many fork as they want, even when a quota on the number of repositories is imposed. The new `ALLOW_FORK_WITHOUT_MAXIMUM_LIMIT` setting can now be set to `false` so forks are prohibited if that means exceeding the quota. + + [Read more about repository configurations](https://forgejo.org/docs/v1.19/admin/config-cheat-sheet/#repository-repository) + + * [Scoped labels](https://codeberg.org/forgejo/forgejo/commit/6221a6fd5) + Labels that contain a forward slash (**/**) separator are displayed with a slightly different color before and after the separator, as a visual aid. The first part of the label defines its "scope". + + [Read more about scoped labels](https://forgejo.org/docs/v1.19/user/labels/). + + * [Support org/user level projects](https://codeberg.org/forgejo/forgejo/commit/6fe3c8b39) + It is now possible to create projects (kanban boards) for an organization or a user, in the same way it was possible for an individual repository. + + * [Map OIDC groups to Orgs/Teams](https://codeberg.org/forgejo/forgejo/commit/e8186f1c0) + When a user logs in Forgejo using an provider such as [Keycloak](https://www.keycloak.org/), they can now automatically be part of a Forgejo team, depending on the OIDC group they belong to. For instance: + + ```json + {"Developer": {"MyForgejoOrganization": ["MyForgejoTeam1", "MyForgejoTeam2"]}} + ``` + + Means that the user who is in the OIDC group `Developer` will automatically be a member of the `MyForgejoTeam1` and `MyForgejoTeam2` teams in the `MyForgejoOrganization` organization. + This mapping is set when adding a new `Authentication Source` in the `Site Administration` panel. + + OIDC Group mapping part1 + + ... + + OIDC Group mapping part2 + + [Read more about OIDC groups mapping](https://forgejo.org/docs/v1.19/user/oauth2-provider/#endpoints) + + * [RSS feed for releases and tags](https://codeberg.org/forgejo/forgejo/commit/48d71b7d6) + + A RSS feed is now available for releases at `/{owner}/{repo}/releases.rss` and tags at `/{owner}/{repo}/tags.rss`. + + * [Supports wildcard protected branch](https://codeberg.org/forgejo/forgejo/commit/2782c1439) + + Instead of selecting a branch to be protected, the name of the branch must be specified and can be a pattern such as `precious*`. + + [Read more about branch protection](https://forgejo.org/docs/v1.19/user/protection/#protected-branches). + + * [Garbage collect LFS](https://codeberg.org/forgejo/forgejo/commit/651fe4bb7) + Add a doctor command for full garbage collection of LFS: `forgejo doctor --run gc-lfs`. + + * Additions to the API + + * [Management for issue/pull and comment attachments](https://codeberg.org/forgejo/forgejo/commit/3c59d31bc) + * [Get latest release](https://codeberg.org/forgejo/forgejo/commit/4d072a4c4) + * [System hook](https://codeberg.org/forgejo/forgejo/commit/c0015979a) + + * [Option to disable releases on a repository](https://codeberg.org/forgejo/forgejo/commit/faa96553d) + + It is now possible to disable releases on a repository, in the same way it is possible to disable issues or packages. + + * [Git reflog support](https://codeberg.org/forgejo/forgejo/commit/757b4c17e) + The [git reflog](https://git-scm.com/docs/git-reflog) are now active by default on all repositories and + kept around for 90 days. It allows the Forgejo admin to recover the previous tip of a branch after an + accidental force push. + + [Read more about reflog](https://forgejo.org/docs/v1.19/admin/config-cheat-sheet/#git---reflog-settings-gitreflog) + + * [Actions](https://codeberg.org/forgejo/forgejo/commit/4011821c946e8db032be86266dd9364ccb204118): an experimental CI/CD + + It appears for the first time in this Forgejo release but is not yet fit for production. It is not fully implemented and may be insecure. However, as long as it is not enabled, it presents no risk to existing Forgejo instances. + + If a repository has a file such as `.forgejo/workflows/test.yml`, it will be interpreted, for instance to run tests and verify the code in the repository works as expected (Continuous Integration). It can also be used to create HTML pages for a website and publish them (Continous Deployment). The syntax is similar to GitHub Actions and the jobs can be controled from the Forgejo web interface. + + [Read more about Forgejo Actions](https://forgejo.codeberg.page/2023-02-27-forgejo-actions/) + + Actions + +* User Interface improvements + + * [Review box on small screens](https://codeberg.org/forgejo/forgejo/commit/1fcf96ad0) + The rendering of the review box is improved on small screens. + + * [Video element enabled in markdown](https://codeberg.org/forgejo/forgejo/commit/f8a40dafb) + The `