forgejo/forgejo
forgejo/forgejo
108
3.5k
Fork 602
Code Issues 1.1k Pull requests 117 Releases 91 Packages 1 Activity Actions 17
Beyond coding. We forge. https://forgejo.org
24,330 commits 28 branches 271 tags 245 MiB
  • Go 77.6%
  • go-html-template 10.8%
  • Roff 4.2%
  • JavaScript 2.7%
  • CSS 1.9%
  • Other 2.6%
Find a file
Gusted 2a8881c4ca
All checks were successful
/ release (push) Has been skipped
Details
testing-integration / test-unit (push) Has been skipped
Details
testing-integration / test-sqlite (push) Has been skipped
Details
testing-integration / test-mariadb (v10.6) (push) Has been skipped
Details
testing-integration / test-mariadb (v11.8) (push) Has been skipped
Details
testing / backend-checks (push) Successful in 4m55s
Details
testing / frontend-checks (push) Successful in 1m7s
Details
testing / test-unit (push) Successful in 8m43s
Details
testing / test-e2e (push) Successful in 27m59s
Details
testing / test-remote-cacher (redis) (push) Successful in 3m11s
Details
testing / test-remote-cacher (valkey) (push) Successful in 3m31s
Details
testing / test-remote-cacher (garnet) (push) Successful in 3m43s
Details
testing / test-mysql (push) Successful in 32m6s
Details
testing / test-remote-cacher (redict) (push) Successful in 3m53s
Details
testing / test-sqlite (push) Successful in 38m18s
Details
testing / test-pgsql (push) Successful in 42m48s
Details
testing / security-check (push) Successful in 1m56s
Details
fix: use strict-origin as referrer policy (#10851) 
- Resolves forgejo/forgejo#10849
- Yes, the referrer policy is causing cross-origin protection to fail.
Why? Because someone really cared about privacy, the referrer policy was
set to no-referrer. So no `Referrer` HTTP header and `Origin` is either
omited or set to `null`, because hey the browser isn't allowed to leak
it via that header either. The new cross-origin protection relies on
Sec-Fetch metadata to determine if the request is same-origin or not.
This metadata is only sent to trustworthy origins, and thus not when
you visit Forgejo on your intranet. But the new protection has a
fallback to compare the Origin to the Host header... but the Origin
header was conviently set to `null` to protect the user's privacy.
- We now set the referrer policy to strict-origin, which means only for
same-origin requests a Origin header is set. For cross-origin the
behavior is unchanged and the user's privacy is preserved.

Reviewed-on: #10851
Reviewed-by: Beowulf <beowulf@beocode.eu>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2026-01-16 00:03:07 +01:00
.devcontainer Update Node.js to v24 (forgejo) (#10091) 2025-11-12 19:41:48 +01:00
.forgejo Update renovate to v42.78.1 (forgejo) (#10784) 2026-01-12 13:34:09 +01:00
assets Update module github.com/minio/minio-go/v7 to v7.0.98 (forgejo) (#10842) 2026-01-15 13:04:48 +01:00
build feat: teach lint-locale-usage about ObjectVerification.Reason (#10755) 2026-01-11 09:40:49 +01:00
cmd fix: pin github.com/urfave/cli to v3.5.0 (#10828) 2026-01-15 11:05:02 +01:00
contrib chore: rename 'forgejo_migrations' to 'forgejo_migrations_legacy' 2025-10-14 14:40:49 -06:00
custom/conf feat: add OIDC workload identity federation support (#10481) 2026-01-15 03:39:00 +01:00
docker bugfix check for alternate ssh host certificate location (#34146) 2025-04-14 15:53:35 +02:00
models feat: add OIDC workload identity federation support (#10481) 2026-01-15 03:39:00 +01:00
modules feat: add OIDC workload identity federation support (#10481) 2026-01-15 03:39:00 +01:00
options fix: internal server error on a large .gitmodules (#10744) 2026-01-10 10:44:59 +01:00
public chore(security): update security.txt with new expiration date (#10447) 2025-12-17 12:32:42 +01:00
release-notes chore(release): delete 10037 and 9840 release notes (#10837) 2026-01-14 17:30:03 +01:00
release-notes-published chore(release-notes): Forgejo v14.0.0 (#10832) 2026-01-15 14:52:18 +01:00
releases/images [DOCS] RELEASE-NOTES.md 2024-02-05 14:44:32 +01:00
routers feat: add OIDC workload identity federation support (#10481) 2026-01-15 03:39:00 +01:00
services feat: add OIDC workload identity federation support (#10481) 2026-01-15 03:39:00 +01:00
templates fix: use strict-origin as referrer policy (#10851) 2026-01-16 00:03:07 +01:00
tests feat: add OIDC workload identity federation support (#10481) 2026-01-15 03:39:00 +01:00
tools chore: remove gopls in Makefile (#8205) 2025-06-17 08:28:26 +02:00
web_src fix: proper styling for global time tracker popup (#10827) 2026-01-14 11:14:32 +01:00
.air.toml chore: rename 'migrations' to 'gitea_migrations' 2025-10-14 14:40:49 -06:00
.deadcode-out fix: internal server error on a large .gitmodules (#10744) 2026-01-10 10:44:59 +01:00
.dockerignore fix: Dockerfile should re-use bindata files when possible 2025-06-13 14:00:57 +02:00
.editorconfig i18n(next): convert indention style to tabs: en, editorconfig (#10661) 2026-01-02 05:56:48 +01:00
.envrc.example Make direnv optional to let developers use their own direnv configuration 2024-11-06 20:34:49 +01:00
.gitattributes Add interface{} to any replacement to make fmt, exclude *.pb.go (#30461) 2024-04-15 20:01:36 +02:00
.gitignore feat(build): improve lint-locale-usage further (#8736) 2025-08-27 23:47:34 +02:00
.gitmodules cleanup(tests): remove manual testing submodule 2024-04-21 10:13:51 +02:00
.gitpod.yml Remove sqlite-viewer and using database client (#31223) 2024-06-09 11:13:39 +02:00
.golangci.yml chore(lint): Add exceptions for dbfs_model and unittest (#10275) 2025-12-09 14:34:06 +01:00
.ignore Add /options/license and /options/gitignore to .ignore (#30219) 2024-04-07 15:40:31 +02:00
.mailmap Add .mailmap with aliases for Unknwon (github.com/Unknwon) 2024-08-14 08:26:16 -04:00
.markdownlint.yaml Update JS dependencies (#28537) 2023-12-30 05:29:03 +00:00
.node-version Update Node.js to v24.13.0 (forgejo) (#10822) 2026-01-14 06:58:56 +01:00
.npmrc Upgrade to npm lockfile v3 and explicitely set it (#23561) 2023-03-18 19:38:10 +01:00
.release-notes-assistant.yaml chore(release-notes): teach release-notes-assistant that v11.0 is LTS (#10638) 2025-12-30 10:00:22 +01:00
.spectral.yaml Add spectral linter for Swagger (#20321) 2022-07-11 18:07:16 -05:00
.yamllint.yaml fully replace drone with actions (#27556) 2023-10-11 06:39:32 +00:00
BSDmakefile feat: Makefile & BSDmakefile changes (#7455) 2025-04-27 10:04:32 +00:00
CODEOWNERS chore: add @0xllx0 to federation codeowners (#10716) 2026-01-09 23:53:06 +01:00
CONTRIBUTING.md docs: replace Developer Guide link with the new Contributor Guide one. 2024-08-26 13:22:39 +03:00
DCO Remove address from DCO (#22595) 2023-01-24 18:52:38 +00:00
Dockerfile Update data.forgejo.org/oci/alpine Docker tag to v3.23 (forgejo) (#10326) 2025-12-18 15:21:39 +01:00
Dockerfile.rootless Update data.forgejo.org/oci/alpine Docker tag to v3.23 (forgejo) (#10326) 2025-12-18 15:21:39 +01:00
eslint.config.mjs feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
flake.lock chore: bump nixpkgs in flake.lock (#10128) 2025-11-16 01:18:26 +01:00
flake.nix refactor: Simplify flake.nix (#9805) 2025-10-22 19:09:11 +02:00
go.mod Update dependency go to v1.25.6 (forgejo) (#10850) 2026-01-15 22:42:10 +01:00
go.sum Update module github.com/minio/minio-go/v7 to v7.0.98 (forgejo) (#10842) 2026-01-15 13:04:48 +01:00
LICENSE Forgejo v9.0 is GPLv3+ 2024-08-22 09:09:29 +02:00
main.go fix: do not mix urfave v2 with urfave v3 (#8168) 2025-06-12 15:38:03 +02:00
Makefile chore: Teach Makefile to handle node pre-release versions (#10790) 2026-01-13 16:34:27 +01:00
manifest.scm Add a GNU Guix manifest (#8038) 2025-06-03 08:08:17 +02:00
package-lock.json Update dependency asciinema-player to v3.14.0 (forgejo) (#10759) 2026-01-14 10:21:20 +01:00
package.json Update dependency asciinema-player to v3.14.0 (forgejo) (#10759) 2026-01-14 10:21:20 +01:00
playwright.config.ts chore: remove webkit and mobile safari from playwright (#10103) 2025-11-13 17:23:08 +01:00
README.md chore: fix a few typos in the documentation (#9134) 2025-09-04 01:53:40 +02:00
release-notes-assistant.sh chore: improve the wording of the "not worth a release note" category (#8542) 2025-07-18 07:19:15 +02:00
RELEASE-NOTES.md chore(release-notes): fix release notes of chroma update in v8.0.0 2025-10-05 17:10:38 +05:00
renovate.json chore: run renovate on v14 branch, remove v13 (#10752) 2026-01-09 19:33:38 +01:00
shell.nix chore: use interactive sqlite via nix (#10439) 2025-12-17 13:20:33 +01:00
stylelint.config.js Merge pull request 'Port "Enable declaration-block-no-redundant-longhand-properties (#30950)' (#3769) from beowulf/gitea-port-pull-30950 into forgejo 2024-05-14 22:23:54 +00:00
tailwind.config.js fix: Do not scan all Go files for tailwind classes 2024-08-24 15:45:50 +02:00
tsconfig.json feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
vitest.config.ts feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
webpack.config.js feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00

README.md

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo – the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of built-in functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

License

Forgejo is distributed under the terms of the GPL version 3.0 or any later version.

The agreement for this license was documented in June 2023 and implemented during the development of Forgejo v9.0. All Forgejo versions before v9.0 are distributed under the MIT license.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.