mirrors/forgejo-docs
1
0
Fork 0
mirror of https://codeberg.org/forgejo/docs.git synced 2025-04-26 05:30:40 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'upstream/next' into next

Browse source
This commit is contained in:
Aivaras 2025-04-24 12:35:06 +03:00
commit 8f23ad3a0c
13 changed files with 229 additions and 156 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
docs/_images/user/pull-request/pull-request-reviewers.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 16 KiB

4
docs/admin/command-line.md
View file

@ -295,6 +295,8 @@ OPTIONS:
--must-change-password Set this option to false to prevent forcing the user to change their password after initial login
--random-password-length value Length of the random password to be generated (default: 12)
--access-token Generate access token for the user (default: false)
--access-token-name value Name of the generated access token (default: "gitea-admin")
--access-token-scopes value Scopes of the generated access token, comma separated. Examples: "all", "public-only,read:issue", "write:repository,write:user" (default: "all")
--restricted Make a restricted user account (default: false)
```
@ -383,7 +385,7 @@ OPTIONS:
--username value, -u value Username
--token-name value, -t value Token name (default: "gitea-admin")
--raw Display only the token value (default: false)
--scopes value Comma separated list of scopes to apply to access token
--scopes value Comma separated list of scopes to apply to access token, examples: "all", "public-only,read:issue", "write:repository,write:user" (default: "all")
```
### admin user must-change-password

9
docs/admin/config-cheat-sheet.md
View file

@ -149,8 +149,9 @@ In addition, there is _`StaticRootPath`_, which can be set as a built-in at buil
### Repository - Signing (`repository.signing`)
- `SIGNING_KEY`: **default**: \[none, KEYID, default \]: Key to sign with.
- `SIGNING_NAME` & `SIGNING_EMAIL`: If a KEYID is provided as the `SIGNING_KEY`, use these as the Name and Email address of the signer. These should match the published name and email address for the key.
- `FORMAT`: **openpgp**: \[openpgp, ssh\]: Signing format that Forgejo should use, openpgp uses GPG and ssh uses OpenSSH.
- `SIGNING_KEY`: **default**: \[none, KEYID, default, path/to/ssh/key\]: Key to sign with. If `FORMAT` is set to **ssh** this should be set to an absolute path to an public OpenSSH key.
- `SIGNING_NAME` & `SIGNING_EMAIL`: if a KEYID is provided as the `SIGNING_KEY`, use these as the Name and Email address of the signer. These should match publicized name and email address for the key.
- `INITIAL_COMMIT`: **always**: \[never, pubkey, twofa, always\]: Sign initial commit.
- `never`: Never sign.
- `pubkey`: Only sign if the user has a public key.
@ -1139,8 +1140,8 @@ This section only performs "set" config; a removed config key from this section
## i18n (`i18n`)
- `LANGS`: **en-US,zh-CN,zh-HK,zh-TW,da,de-DE,nds,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pt-PT,pl-PL,bg,it-IT,fi-FI,fil,eo,tr-TR,cs-CZ,sl,sv-SE,ko-KR,el-GR,fa-IR,hu-HU,id-ID**:
List of locales shown in the language selector. The first locale will be used as the default if the user's browser language doesn't match any locale in the list.
- `NAMES`: **English,简体中文,繁體中文(香港),繁體中文(台灣),Danish,Deutsch,Plattdüütsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Filipino,Esperanto,Türkçe,Čeština,Slovenščina,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia**: Visible names corresponding to the locales.
List of locales shown in language selector. The first locale will be used as the default if user browser's language doesn't match any locale in the list.
- `NAMES`: **English,简体中文,繁體中文(香港),繁體中文(台灣),Dansk,Deutsch,Plattdüütsch,Français,Nederlands,Latviešu,Русский,Українська,日本語,Español,Português do Brasil,Português de Portugal,Polski,Български,Italiano,Suomi,Filipino,Esperanto,Türkçe,Čeština,Slovenščina,Svenska,한국어,Ελληνικά,فارسی,Magyar nyelv,Bahasa Indonesia**: Visible names corresponding to the locales
## Markup (`markup`)

2
docs/admin/email-setup.md
View file

@ -25,6 +25,8 @@ Restart Forgejo for the configuration changes to take effect.
To send a test email to validate the settings, go to Forgejo > Site Administration > Configuration > SMTP Mailer Configuration.
To enable users to receive email notifications for pull requests or issues, you can set `ENABLE_NOTIFY_MAIL=true` in the configuration.
For the full list of options check the [Config Cheat Sheet](../config-cheat-sheet/#mailer-mailer).
> **NOTE:** authentication is only supported when the SMTP server communication is encrypted with TLS or `HOST=localhost`. This is due to protections imposed by the Go internal libraries against STRIPTLS attacks. TLS encryption can be through:

2
docs/admin/index.md
View file

@ -23,7 +23,7 @@ These documents are targeted to people who run Forgejo on their machines.
- [Forgejo CLI](./command-line/)
- [Search Engines and robots.txt](./search-engines-indexation/)
- [Recommended Settings and Tips](./recommendations/)
- [GPG Commit Signatures](./signing/)
- [Instance Commit Signing](./signing/)
- [Moderation tools](./moderation/)
- [Adopt existing git directories](./adopt/)
- [Interface customization](./customization/)

16
docs/admin/installation-docker.md
View file

@ -6,12 +6,12 @@ license: 'CC-BY-SA-4.0'
Forgejo provides [container images](https://codeberg.org/forgejo/-/packages/container/forgejo/versions) for use with Docker or other containerization tools.
```shell
docker pull codeberg.org/forgejo/forgejo:10
docker pull codeberg.org/forgejo/forgejo:11
```
If `codeberg.org` cannot be accessed, you can replace every mention of `codeberg.org` with `data.forgejo.org` to use our mirror.
The **10** tag is set to be the latest minor release, starting with **10.0.x**. The **10** tag will then be equal to **10.0.4** when it is released and so on. The **10.0** tag is also set to be the latest patch version release.
The **11** tag is set to be the latest minor release, starting with **11.0.x**. The **11** tag will then be equal to **11.0.4** when it is released and so on. The **11.0** tag is also set to be the latest patch version release.
Upgrading from **X** to **X+1** (for instance from **9** to **10**) requires a [manual operation and human verification](../upgrade/). However it is possible to use the **X** tag (for instance **10**) to get the latest minor release automatically.
@ -26,7 +26,7 @@ networks:
services:
server:
image: codeberg.org/forgejo/forgejo:10
image: codeberg.org/forgejo/forgejo:11
container_name: forgejo
environment:
- USER_UID=1000
@ -61,7 +61,7 @@ Save the following files in `/etc/containers/systemd`, as port 222 requires elev
ContainerName=forgejo
Environment=USER_UID=1000
Environment=USER_GID=1000
Image=codeberg.org/forgejo/forgejo:10
Image=codeberg.org/forgejo/forgejo:11
Network=forgejo.network
PublishPort=3000:3000
PublishPort=222:22
@ -139,7 +139,7 @@ networks:
services:
server:
image: codeberg.org/forgejo/forgejo:10
image: codeberg.org/forgejo/forgejo:11
container_name: forgejo
environment:
- USER_UID=1000
@ -185,7 +185,7 @@ networks:
services:
server:
image: codeberg.org/forgejo/forgejo:10
image: codeberg.org/forgejo/forgejo:11
container_name: forgejo
environment:
- USER_UID=1000
@ -283,8 +283,8 @@ networks:
services:
server:
- image: codeberg.org/forgejo/forgejo:10
+ image: codeberg.org/forgejo/forgejo:10-rootless
- image: codeberg.org/forgejo/forgejo:11
+ image: codeberg.org/forgejo/forgejo:11-rootless
container_name: forgejo
+ user: "1024:100"
- environment:

10
docs/admin/release-schedule.md
View file

@ -14,8 +14,8 @@ Forgejo stable releases are published on a fixed schedule, every quarter. The mo
| 9.0 | 25 September 2024 | 16 October 2024 | 16 January 2025 |
| 10.0 | 25 December 2024 | 16 January 2025 | 16 April 2025 |
| 11.0 (LTS) | 26 March 2025 | 16 April 2025 | **15 July 2026** |
| 12.0 | 25 June 2025 | 16 July 2025 | 15 October 2025 |
| 13.0 | 24 September 2025 | 15 October 2025 | 14 January 2026 |
| 14.0 | 24 December 2025 | 14 January 2026 | 15 April 2026 |
| 15.0 (LTS) | 25 March 2026 | 15 April 2026 | **14 July 2027** |
| 16.0 | 24 June 2026 | 15 July 2026 | 14 October 2026 |
| 12.0 | 25 June 2025 | 17 July 2025 | 15 October 2025 |
| 13.0 | 24 September 2025 | 16 October 2025 | 14 January 2026 |
| 14.0 | 24 December 2025 | 15 January 2026 | 15 April 2026 |
| 15.0 (LTS) | 25 March 2026 | 16 April 2026 | **14 July 2027** |
| 16.0 | 24 June 2026 | 16 July 2026 | 14 October 2026 |

17
docs/admin/runner-installation.md
View file

@ -9,21 +9,21 @@ It needs to be installed separately from the main Forgejo instance. For security
Each `Forgejo Runner` release is published for all supported architectures as:
- [binaries](https://data.forgejo.org/forgejo/runner/releases)
- [OCI images](https://data.forgejo.org/forgejo/-/packages/container/runner/versions)
- [binaries](https://code.forgejo.org/forgejo/runner/releases)
- [OCI images](https://code.forgejo.org/forgejo/-/packages/container/runner/)
## Binary installation
### Downloading and installing the binary
Download the latest [binary release](https://data.forgejo.org/forgejo/runner/releases) and verify its signature:
Download the latest [binary release](https://code.forgejo.org/forgejo/runner/releases) and verify its signature:
```shell
$ export RUNNER_VERSION=$(curl -X 'GET' https://data.forgejo.org/api/v1/repos/forgejo/runner/releases/latest | jq .name -r | cut -c 2-)
$ wget -O forgejo-runner https://data.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-amd64
$ wget -O forgejo-runner https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-amd64
$ chmod +x forgejo-runner
$ wget -O forgejo-runner.asc https://data.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-amd64.asc
$ wget -O forgejo-runner.asc https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-amd64.asc
$ gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
$ gpg --verify forgejo-runner.asc forgejo-runner
Good signature from "Forgejo <contact@forgejo.org>"
@ -34,14 +34,13 @@ Next, copy the downloaded binary to `/usr/local/bin` and make it executable:
```shell
$ cp forgejo-runner /usr/local/bin/forgejo-runner
$ chmod +x /usr/local/bin/forgejo-runner
```
You should now be able to test the runner by running `forgejo-runner -v`:
```
$ forgejo-runner -v
forgejo-runner version v4.0.0
forgejo-runner version v6.3.1
```
### Setting up the runner user
@ -94,7 +93,7 @@ The `Forgejo runner` relies on application containers (Docker, Podman, etc.) or
```shell
$ lxc-helpers.sh lxc_container_run forgejo-runners -- sudo --user debian bash
$ sudo apt-get install docker.io wget gnupg2
$ wget -O forgejo-runner https://data.forgejo.org/forgejo/runner/releases/download/v4.0.0/forgejo-runner-amd64
$ wget -O forgejo-runner https://code.forgejo.org/forgejo/runner/releases/download/v6.3.1/forgejo-runner-6.3.1-linux-amd64
...
```
@ -280,7 +279,7 @@ Use `journalctl -u forgejo-runner.service` to read the runner logs.
## OCI image installation
The [OCI images](https://data.forgejo.org/forgejo/-/packages/container/runner/versions)
The [OCI images](https://code.forgejo.org/forgejo/-/packages/container/runner/)
are built from the Dockerfile which is [found in the source directory](https://code.forgejo.org/forgejo/runner/src/branch/main/Dockerfile). It contains the `forgejo-runner` binary.
```shell

281
docs/admin/signing.md
View file

@ -1,144 +1,183 @@
---
title: 'GPG Commit Signatures'
license: 'Apache-2.0'
origin_url: 'https://github.com/go-gitea/gitea/blob/e865de1e9d65dc09797d165a51c8e705d2a86030/docs/content/administration/signing.en-us.md'
title: Instance Commit Signing
license: 'CC-BY-SA-4.0'
---
Forgejo will verify GPG commit signatures in the provided tree by
checking if the commits are signed by a key within the Forgejo database,
or if the commit matches the default key for Git.
Forgejo has the ability to sign commits when Forgejo themselves generates those commits, such as:
Keys are not checked to determine if they have expired or revoked.
Keys are also not checked with keyservers.
- Repository initialisation
- Wiki changes
- CRUD actions using the web editor or the API
- Merges from pull requests
A commit will be marked with an unlocked icon if no key can be
found to verify it.
## Configuration
## Automatic Signing
In order for Forgejo to sign commits, it has to know how it should be signing commits and when to sign commits.
Unless otherwise indicated, all configuration settings discussed on this page are for the `[repository.signing]` section.
There are a number of places where Forgejo will generate commits itself:
### Signing key
- Repository Initialisation
- Wiki Changes
- CRUD actions using the editor or the API
- Merges from Pull Requests
Forgejo offers two formats to sign commits with: GPG and SSH.
If you meet the requirements of SSH, then it is strongly preferred to use that instead of GPG.
## Installing and generating a GPG key for Forgejo
#### SSH
Forgejo generates all its commits using the server `git`
command - and the `gpg` command will be used for
signing.
For Forgejo to do SSH commit signing, it needs a Git version equal to or newer than 2.34.0 and `ssh-keygen` binary equal to or newer than version 8.2p1.[^1]
## General Configuration
[^1]: The git version check is already done by Forgejo, but for `ssh-keygen` only the presence of the binary is checked.
Forgejo's configuration for signing can be found with the
`[repository.signing]` section of `app.ini`:
You need a dedicated OpenSSH key pair for instance signing.
If you don't have such key pair yet you can generate one via `ssh-keygen`[^2] or you also could store the SSH key in TPM, there is [a dedicated section](#using-ssh-tpm-agent) with instructions on how to do that.
[^2]: https://docs.codeberg.org/security/ssh-key/ contains instructions for generating an SSH key pair, you should not generate a FIDO2 (`-sk` type) key pair as that will not work with Forgejo.
Forgejo needs to be told that it should use SSH signing and which SSH key to use, this should be configured as followed:
```ini
FORMAT = ssh
SIGNING_KEY = /absolute/path/to/public/ssh/key.pub
```
The value for the `SIGNING_KEY` setting needs to be an absolute path to the public key, where the private key needs to be available in the path without the `.pub` suffix.
Forgejo also needs to be told who the committer of the commit is, which requires a name and email and should be configured as followed:
```ini
SIGNING_NAME = "forgejo.org Instance"
SIGNING_EMAIL = "noreply@forgejo.org"
```
#### GPG
There are two ways to tell Forgejo which GPG key should be used for commit signing.
```ini
...
[repository.signing]
SIGNING_KEY = default
SIGNING_NAME =
SIGNING_EMAIL =
INITIAL_COMMIT = always
CRUD_ACTIONS = pubkey, twofa, parentsigned
WIKI = never
MERGES = pubkey, twofa, basesigned, commitssigned
...
```
### `SIGNING_KEY`
Will use the git config to determine the signing key: if the value of `commit.gpgsign` is set to true, then it will use the values of `user.signingkey`, `user.name` and `user.email` for the signing key, committer name and committer email respectively.
There are three main options:
---
- `none` - this prevents Forgejo from signing any commits.
- `default` - Forgejo will default to the key configured within `git config`.
- `KEYID` - Forgejo will sign commits with the GPG key with the ID
`KEYID`. In this case you should provide a `SIGNING_NAME` and
`SIGNING_EMAIL` to be displayed for this key.
The `default` option will interrogate `git config` for
`commit.gpgsign` option - if this is set, then it will use the results
of the `user.signingkey`, `user.name` and `user.email`.
By default, Forgejo will look for the signing key in `[git].HOME_PATH/.gnupg`.
However, this path differs from where GnuPG stores keys by default (`$HOME/.gnupg`).
There are 2 possible solutions here:
1. Move the `.gnupg` folder after importing/generating keys;
2. Set the `GNUPGHOME` environment variable to help Forgejo find the correct keychain.
### `INITIAL_COMMIT`
This option determines whether Forgejo should sign the initial commit
when creating a repository. The possible values are:
- `never`: Never sign
- `pubkey`: Only sign if the user has a public key
- `twofa`: Only sign if the user logs in with two factor authentication
- `always`: Always sign
Options other than `never` and `always` can be combined as a comma
separated list. The commit will be signed if all selected options are true.
### `WIKI`
This options determines if Forgejo should sign commits to the Wiki.
The possible values are:
- `never`: Never sign
- `pubkey`: Only sign if the user has a public key
- `twofa`: Only sign if the user logs in with two-factor authentication
- `parentsigned`: Only sign if the parent commit is signed.
- `always`: Always sign
Options other than `never` and `always` can be combined as a comma
separated list. The commit will be signed if all selected options are true.
### `CRUD_ACTIONS`
This option determines if Forgejo should sign commits from the web
editor or API CRUD actions. The possible values are:
- `never`: Never sign
- `pubkey`: Only sign if the user has a public key
- `twofa`: Only sign if the user logs in with two-factor authentication
- `parentsigned`: Only sign if the parent commit is signed.
- `always`: Always sign
Options other than `never` and `always` can be combined as a comma
separated list. The change will be signed if all selected options are true.
### `MERGES`
This option determines if Forgejo should sign merge commits from PRs.
The possible options are:
- `never`: Never sign
- `pubkey`: Only sign if the user has a public key
- `twofa`: Only sign if the user logs in with two-factor authentication
- `basesigned`: Only sign if the parent commit in the base repository is signed.
- `headsigned`: Only sign if the head commit in the head branch is signed.
- `commitssigned`: Only sign if all the commits in the head branch to the merge point are signed.
- `approved`: Only sign approved merges to a protected branch.
- `always`: Always sign
Options other than `never` and `always` can be combined as a comma
separated list. The merge will be signed if all selected options are true.
## Obtaining the Public Key of the Signing Key
The public key used to sign Forgejo's commits can be obtained from the API at:
```sh
/api/v1/signing-key.gpg
```ini
SIGNING_KEY = GPG-KEY-ID
SIGNING_NAME = "forgejo.org Instance"
SIGNING_EMAIL = "noreply@forgejo.org"
```
In cases where there is a repository specific key this can be obtained from:
Will use the GPG keyid to search for the key in the GPG keyring. Forgejo searches for this key in a directory, which can be computed as follows: If a `GNUPGHOME` environment variable is set, this is used.
Otherwise the `.gnupg` directory in the directory corresponding to the value of the `HOME_PATH` setting in the `[git]` section is used (`[git].HOME_PATH/.gnupg` so to say).
It should be noted that by default, GPG does not use that keyring and you should take extra care when importing or generating the key, for example by setting the value of the `GNUPGHOME` environment to the directory Forgejo uses.
```sh
/api/v1/repos/:username/:reponame/signing-key.gpg
### Signing operations
There are several operations for which Forgejo will generate a commit and thus be able to sign the commit.
For each operation you can specify under which conditions Forgejo should sign the commit.
For each operation, you can combine the values as a comma-separated list.
There are two special values that are valid values for each operation and cannot be combined with any other value for that operation: `always` and `never`.
The first value, if set, will always sign the commit and the second value, if set, will never sign the commit.
#### Initial commit
When should Forgejo sign the initial commit when creating a repository.
The possible values for the `INITIAL_COMMIT` setting are:
- `pubkey`: Only if the user has added a GPG key to its account.
- `twofa`: Only if the user is enrolled into two-factor authentication.
#### Wiki
When should Forgejo sign commits to the wiki.
The possible values for the `WIKI` setting are:
- `pubkey`: Only if the user has added a GPG key to its account.
- `twofa`: Only if the user is enrolled into two-factor authentication.
- `parentsigned`: Only if the parent commit is signed.
#### CRUD actions
When should Forgejo sign commits that are created for file changes via the web editor or API.
The possible values for the `CRUD_ACTIONS` setting are:
- `pubkey`: Only if the user has added a GPG key to its account.
- `twofa`: Only if the user is enrolled into two-factor authentication.
- `parentsigned`: Only if the parent commit is signed.
#### Pull request merges
When should Forgejo sign merge commits from pull requests.
The possible values for the `MERGES` setting are:
- `pubkey`: Only if the user has added a GPG key to its account.
- `twofa`: Only if the user is enrolled into two-factor authentication.
- `basesigned`: Only if the parent commit in the base repository is signed.
- `headsigned`: Only if the head commit in the head branch is signed.
- `commitssigned`: Only if all the commits in the head branch to the merge point are signed.
- `approved`: Only if the pull request targets a protected branch and has at least one approval.
## Obtaining the instance signing key
If a GPG instance signing key is set, the GPG public key can be obtained at the API route, `/api/v1/signing-key.gpg`.
If a repository specific GPG key is set, it can be obtained at the API route, `/api/v1/repos/{username}/{reponame}/signing-key.gpg`
If a SSH instance signing key is set, the SSH public key can be obtained at the API route, `/api/v1/signing-key.ssh`.
## Using ssh-tpm-agent
It is possible to use [ssh-tpm-agent](https://github.com/Foxboron/ssh-tpm-agent) so that the SSH private key resides in a [Trusted Platform Module (TPM)](https://en.wikipedia.org/wiki/Trusted_Platform_Module) and therefore makes it harder to leak the SSH private key as it does not reside on the filesystem. To use this, the server that Forgejo runs on must have access to TPM 2.0.
This section only explains how to make the SSH private key available to Forgejo, not how to configure Forgejo to use it.
Follow [the instruction from ssh-tpm-agent](https://github.com/Foxboron/ssh-tpm-agent#usage) to create a key or import an existing key.
An instance key is expected to be a long-lived key[^3] and therefore it is advisable to follow the 'Import existing key' guide as it allows you to backup the private key in a safe place and in case of a recovery, restore the instance SSH key.
[^3]: Rotating instance keys is currently not possible.
ssh-tpm-agent acts as an [`ssh-agent(1)`](https://man.archlinux.org/man/ssh-agent.1) and in order for Forgejo to use ssh-tpm-agent to sign commits with, it needs to have a `SSH_AUTH_SOCK` environment set when launching the Forgejo binary.
How to pass this to Forgejo depends on how you run Forgejo, we consider two situation: a Systemd service on bare-metal or containerized (for example, via Docker).
In either case, the host will need to install the systemd unit service by running `ssh-tpm-agent --install-user-units`.
### Systemd service
In the `[Service]` section, add the following (it is fine to have multiple `Environment` keys):
```toml
Environment=SSH_AUTH_SOCK="/socket/path"
```
Where `/socket/path` is replaced with the value of `ssh-tpm-agent --print-socket`.
### Containerized
We take [the default docker-compose file](../installation-docker/#docker) as an example.
We add an environment variable and a volume mount to the compose file:
```yaml
networks:
forgejo:
external: false
services:
server:
image: codeberg.org/forgejo/forgejo:10
container_name: forgejo
environment:
- USER_UID=1000
- USER_GID=1000
+ - SSH_AUTH_SOCK=$SOCKET_PATH
restart: always
networks:
- forgejo
volumes:
- ./forgejo:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
+ - $SOCKET_PATH:$SOCKET_PATH
ports:
- "3000:3000"
- "222:22"
```
Where `$SOCKET_PATH` is to be replaced with the value of `ssh-tpm-agent --print-socket`.
Another volume would need to be added that exposes the public OpenSSH key, the container path should match with the path that is specified for the `SIGNING_KEY` setting.

2
docs/user/actions.md
View file

@ -10,7 +10,7 @@ The following guide explains key **concepts** to help understand how `workflows`
## Quick start
- Verify that `Enable Repository Actions` is checked in the `Repository` tab of the `/{owner}/{repository}/settings` page. If the checkbox does not show it means the administrator of the Forgejo instance did not activate the feature.
- Verify that `Enable Repository Actions` is checked in the `Repository` tab of the `/{owner}/{repository}/settings/units#overview` page. If the checkbox does not show it means the administrator of the Forgejo instance did not activate the feature.
![enable actions](../_images/user/actions/enable-repository.png)
- Add the following to the `.forgejo/workflows/demo.yaml` file in the repository.
```yaml

2
docs/user/packages/chef.md
View file

@ -14,7 +14,7 @@ To work with the Chef package registry, you have to use [`knife`](https://docs.c
The Chef package registry does not use an username:password authentication but signed requests with a private:public key pair.
Visit the package owner settings page to create the necessary key pair.
Only the public key is stored inside Forgejo. if you loose access to the private key you must re-generate the key pair.
Only the public key is stored inside Forgejo. If you lose access to the private key you must re-generate the key pair.
[Configure `knife`](https://docs.chef.io/workstation/knife_setup/) to use the downloaded private key with your Forgejo username as `client_name`.
## Configure the package registry

30
docs/user/pull-requests-and-git-flow.md
View file

@ -69,6 +69,36 @@ When a pull request contains multiple commits, the button to the left of the `Re
![Review a single commit](../_images/user/pull-request/pull-request-review-commit.png)
## Review requests and code owners
On the right-hand sidebar of the pull request page there is a `Reviewers` section. Clicking its title will open a dropdown menu using which you may request a review from one or more repository collaborators.
![Reviewers panel](../_images/user/pull-request/pull-request-reviewers.png)
Review requests may additionally be automated by adding a `CODEOWNERS` file either to the root of the repository, or the `docs` or `.forgejo` directories.
Lines in this file represent rules. Each rule consists of a [Go-formatted regular expression](https://pkg.go.dev/regexp/syntax) matching paths to changed files, followed by the names of one or more users and/or organization teams, all separated by whitespaces. The regular expression may also be prepended with an exclamation mark (`!`) to create a negative rule.
Users are referenced by their usernames. Teams are referenced by the name of the organization, followed by a slash (`/`) and the name of the team. Both may optionally be prepended with an `@` sign.
When a pull request is submitted, the changes are checked against the rules in the `CODEOWNERS` file. When the path to any of the changed files matches the regular expression of a non-negative rule, a review of the pull request is automatically requested from all users and/or teams referenced by the rule. Negative rules do the opposite reviews are requested when any of the changed files _do not match_ the regular expression.
A `CODEOWNERS` file may contain empty lines and comments, which begin with a hash (`#`) character.
An example `CODEOWNERS` file may look like this:
```
# Request review from User001 whenever anything in `src` changes
src/.* @User001
# Request review from the editors team in MyOrg whenever anything
# in `docs` changes
docs/.* @MyOrg/editors
# Request review from User002 whenever anything but `README.md` changes
!README\.md User002
```
## Keep it up-to-date: rebase pull requests to upstream
Sometimes the upstream project repository is evolving while we are working on a feature branch, and we need to rebase and resolve merge conflicts for upstream changes into our feature branch. This is not hard:

10
release-schedule.json
View file

@ -4,9 +4,9 @@
{ "major": "9", "minor": "0", "cut": "2024-09-25", "release": "2024-10-16", "eol": "2025-01-16", "lts": false },
{ "major": "10", "minor": "0", "cut": "2024-12-25", "release": "2025-01-16", "eol": "2025-04-16", "lts": false },
{ "major": "11", "minor": "0", "cut": "2025-03-26", "release": "2025-04-16", "eol": "2026-07-15", "lts": true },
{ "major": "12", "minor": "0", "cut": "2025-06-25", "release": "2025-07-16", "eol": "2025-10-15", "lts": false },
{ "major": "13", "minor": "0", "cut": "2025-09-24", "release": "2025-10-15", "eol": "2026-01-14", "lts": false },
{ "major": "14", "minor": "0", "cut": "2025-12-24", "release": "2026-01-14", "eol": "2026-04-15", "lts": false },
{ "major": "15", "minor": "0", "cut": "2026-03-25", "release": "2026-04-15", "eol": "2027-07-14", "lts": true },
{ "major": "16", "minor": "0", "cut": "2026-06-24", "release": "2026-07-15", "eol": "2026-10-14", "lts": false }
{ "major": "12", "minor": "0", "cut": "2025-06-25", "release": "2025-07-17", "eol": "2025-10-15", "lts": false },
{ "major": "13", "minor": "0", "cut": "2025-09-24", "release": "2025-10-16", "eol": "2026-01-14", "lts": false },
{ "major": "14", "minor": "0", "cut": "2025-12-24", "release": "2026-01-15", "eol": "2026-04-15", "lts": false },
{ "major": "15", "minor": "0", "cut": "2026-03-25", "release": "2026-04-16", "eol": "2027-07-14", "lts": true },
{ "major": "16", "minor": "0", "cut": "2026-06-24", "release": "2026-07-16", "eol": "2026-10-14", "lts": false }
]