Release v0.3.0 — Update Forgejo 14.0.2 → 14.0.3 (OP#2042) #4

Merged
Mike Bros merged 3 commits from release/0.3.0 into main 2026-03-14 01:51:11 +00:00
Collaborator

Summary

Update Neptune Forgejo from upstream 14.0.2 to 14.0.3 (security + bugfix patch release).

  • OP#2043: Updated forgejo-upstream submodule to v14.0.3
  • OP#2044: Audited all 10 custom template overrides — zero upstream conflicts
  • OP#2045: Pulled and deployed updated container image
  • OP#2046: Smoke tested all 11 custom features — all passed
  • OP#2047: Cut release v0.3.0
  • Added publish.yml CI workflow for automated tag creation and release promotion
  • Added VERSION file for version detection

Upstream Changes (Forgejo 14.0.3)

Security Fixes (7)

  • PKCE OAuth validation for S256 algorithm
  • OAuth Bearer token scope enforcement via HTTP basic auth
  • Attachment permission checks on web endpoints
  • Release notification access control for removed/inactive users
  • Project state modification permission checks (open/closed via IDOR)
  • PR automerge cancellation permission checks
  • Post-login redirect path traversal prevention

Bug Fixes

  • Search sort options, modal display, input fields in modals
  • Label overflow in PR CI checks on mobile
  • /v2 endpoint basic auth, GitLab import crashes
  • Dynamic matrix 'needs' access, SQLite locking defaults
  • Atom feed compare links, repo avatar upload, Action job approval

Maintenance

  • Go updated to v1.25.8
  • Dependency security updates (svgo, circl, minimatch, webpack, chi)

Custom Template Audit

All 10 overridden templates unchanged between v14.0.2 and v14.0.3 upstream. Only 2 unrelated templates changed (rpm.tmpl, search/issue/syntax.tmpl). No merge work required.

New: Publish CI Workflow

Added .forgejo/workflows/publish.yml that triggers on push to main:

  1. Detects version change via VERSION file
  2. Creates and pushes git tag v{version}
  3. Promotes draft Forgejo release to published

Requires PACKAGE_TOKEN secret with repo scope.

Test Plan

  • Catppuccin themes (4 flavors, 14 accents, auto variants)
  • Theme preview system (user + admin)
  • Copy Logs + Expand/Collapse All on action runs
  • Fetch & Switch buttons (clone panel, branch list, PR header)
  • Custom branding (logo, favicon)
  • Footer version badge shows 14.0.3
  • Action runner connected

Checklist

  • All version tasks closed in Gravity PM
  • PACKAGE_TOKEN secret configured (required for publish workflow)

Refs OP#2042

Closes OP#2043

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All 10 custom template overrides are unchanged between v14.0.2 and
v14.0.3 upstream. Only 2 unrelated templates changed (rpm.tmpl,
search/issue/syntax.tmpl). No merge work required.

Closes OP#2044

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
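
One way to run the kind of override audit described in the commit above, as an added example that is not part of this pull request. It assumes two checkouts of the upstream templates directory (old and new version) and an override directory using the same relative paths; the function names, layout and sample contents are constructed, and only `rpm.tmpl` is a name taken from the page.

```shell
#!/bin/sh
# Added example. Assumed layout (hypothetical): $1 and $2 are the upstream
# templates directory at the old and new version, $3 holds the overrides.

# Prints "<status> <path>" per override; returns 0 only if none needs review.
#   unchanged  upstream file identical in both versions
#   changed    upstream file differs: re-merge the override
#   removed    upstream dropped the file the override replaces
#   added      upstream now ships a file that used to exist only as override
#   local      no upstream counterpart in either version
audit_overrides() {
    old=$1 new=$2 custom=$3 rc=0
    list=$(cd "$custom" && find . -type f -name '*.tmpl' | sed 's|^\./||' | sort)
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -f "$old/$rel" ] && [ -f "$new/$rel" ]; then
            if cmp -s "$old/$rel" "$new/$rel"; then status=unchanged
            else status=changed; rc=1; fi
        elif [ -f "$old/$rel" ]; then status=removed; rc=1
        elif [ -f "$new/$rel" ]; then status=added; rc=1
        else status=local
        fi
        printf '%s %s\n' "$status" "$rel"
    done <<EOF
$list
EOF
    return "$rc"
}

# Constructed sample trees: one override whose upstream file changed, one that
# did not, and an upstream-only change (rpm.tmpl) that must not be reported.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/old/base" "$root/new/base" "$root/custom/base"
    echo 'footer v1' > "$root/old/base/footer.tmpl"
    echo 'footer v2' > "$root/new/base/footer.tmpl"
    echo 'head'      > "$root/old/base/head.tmpl"
    echo 'head'      > "$root/new/base/head.tmpl"
    echo 'rpm v1'    > "$root/old/rpm.tmpl"
    echo 'rpm v2'    > "$root/new/rpm.tmpl"
    echo 'custom'    > "$root/custom/base/footer.tmpl"
    echo 'custom'    > "$root/custom/base/head.tmpl"
    echo "$root"
}

root=$(make_sample)
audit_overrides "$root/old" "$root/new" "$root/custom" || echo "overrides need review"
rm -rf "$root"
```
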
Adds:
- VERSION file for version detection (0.3.0)
- .forgejo/workflows/publish.yml that on push to main:
  1. Detects version changes via VERSION file
  2. Creates and pushes git tag v{version}
  3. Promotes draft Forgejo release to published

Requires PACKAGE_TOKEN secret with repo scope.

Refs OP#2047

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
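
The version-detection and tagging steps listed above, as an added example rather than the repository's `publish.yml`: `VERSION` is file content that becomes a tag name inside a job holding `PACKAGE_TOKEN`, so the value is strictly validated and an existing tag is never recreated. `read_version`, `plan_tag`, the three-file interface and the sample values are assumptions; in a workflow the inputs could come from `git show HEAD~1:VERSION` and `git tag --list`.

```shell
#!/bin/sh
# Added example, not the project's publish.yml. VERSION is repository
# content, so it is validated before it can become a ref name or an argument.

# Print the version in FILE if it is exactly one MAJOR.MINOR.PATCH value.
read_version() {
    [ -f "$1" ] || return 1
    v=$(cat "$1") || return 1
    # Digits and dots only: rejects spaces, newlines, '-', ';', '$' and so on.
    case $v in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$v" |
        grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$' || return 1
    printf '%s\n' "$v"
}

# plan_tag OLD_FILE NEW_FILE TAGS_FILE
#   OLD_FILE   VERSION from the previous commit (may not exist)
#   NEW_FILE   VERSION from the pushed commit
#   TAGS_FILE  existing tag names, one per line
# Prints the tag to create; prints nothing if the version did not change.
# Returns 2 for a malformed VERSION, 3 if the tag already exists.
plan_tag() {
    new=$(read_version "$2") || return 2
    old=$(read_version "$1") || old=
    [ "$new" != "$old" ] || return 0
    if grep -Fxq "v$new" "$3"; then return 3; fi
    printf 'v%s\n' "$new"
}

# Constructed sample: previous VERSION 0.2.0, pushed VERSION 0.3.0.
d=$(mktemp -d)
printf '0.2.0\n' > "$d/old"; printf '0.3.0\n' > "$d/new"
printf 'v0.1.0\nv0.2.0\n' > "$d/tags"
plan_tag "$d/old" "$d/new" "$d/tags"
# Constructed malformed VERSION carrying an extra argument.
printf '0.3.0 --force\n' > "$d/new"
plan_tag "$d/old" "$d/new" "$d/tags" || echo "refused, status $?"
rm -rf "$d"
```
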
Reference
mike/neptune-forgejo!4