gitforge/release-notes-published/15.0.3.md
2026-06-10 07:53:28 +02:00

16 KiB

Release notes

  • Security bug fixes
    • PR: - fix: prevent stored XSS in user display name on Actions page
    • PR: - fix: LFS locks must belong to the intended repo, port from Gitea
    • PR: - fix: prevent unauthorized access to draft releases via API
    • PR: - fix: prevent writes to OpenID visibility which may affect other users
    • PR: - fix: prevent viewing private PRs that are linked to public issues on public projects
    • PR (backported): fix: do not migrate confidential issues and internal notes from Gitlab
  • User Interface features
    • PR (backported): fix: improve visibility of mismatched repository & package visibility
  • User Interface bug fixes
    • PR (backported): fix: display the actions trust management panel on merged and closed pull requests
    • PR (backported): fix(ui): improve contrast of checkboxes in markup
    • PR (backported): fix(ui): hide some disallowed actions that lead to 404 errors in archived repos
    • PR (backported): fix(ui): do not clip overflow in workflow dispatch menu
    • PR (backported): fix: show the actions trust management panel when runs from trusted users are pending approval
    • PR (backported): fix: always display the pull request merge box if there are actions pending approval
    • PR (backported): fix(ui): fix typo in issue sort dropdown; relevance was misnamed as relevency
    • PR (backported): fix: do not hide previous attempts without task for latest attempt
    • PR (backported): fix(ui): use URL query escaping for SSH key verification reload token link
  • Features
    • PR: Update module ini to v1.67.3 to improve config parse performance
  • Bug fixes
    • PR (backported): fix(doctor): ensure the doctor runs with the same settings.AppPath as Forgejo
    • PR (backported): fix: make email token extraction case-insensitive (#12436)
    • PR (backported): fix: cancel dependent jobs when rerunning jobs
    • PR (backported): fix: check quota in LFS uploads against the repository owner, not operating user
    • PR (backported): fix: load repo language for converting to api struct
    • PR (backported): fix: debian package cleanup failure due to xorm connection corruption
    • PR (backported): fix: workflow with pull_request trigger and path filter not run when merging
    • PR (backported): fix: update statuses in phases to prevent out of order updates from stalling workflows
    • PR (backported): fix: return 404 instead of 500 for non-existing SHA in commit status endpoint
    • PR (backported): fix(issue-search): single exclude query was erroneosly considered as must
    • PR (backported): fix: remove link to artefacts that have expired
    • PR (backported): fix: wipe run artifacts before rerun (#12523)
  • Included for completeness but not user-facing (chores, etc.)
    • PR: Update playwright monorepo to v1.60.0 (v15.0/forgejo)
    • PR: Update go toolchain directive to v1.26.4 [SECURITY] (v15.0/forgejo)
    • PR (backported): refactor(tests): use forgery.CreateRepository in more places
    • PR (backported): refactor(forgery): CreateProject helper to reduce dependency on global fixture when testing
    • PR (backported): fix: keep run in sync when rerunning individual jobs
    • PR: Update module golang.org/x/image to v0.41.0 [SECURITY] (v15.0/forgejo)
    • PR: fix: make tidy-check failure after recent merges
    • PR: Update module code.forgejo.org/forgejo/runner/v12 to v12.10.2 (v15.0/forgejo)
    • PR (backported): chore: replace github.com/robfig/cron/v3 (#12365)
    • PR (backported): fix: adds missing AppSubUrl to the webmanifest's location
    • PR: Update module golang.org/x/net to v0.55.0 [SECURITY] (v15.0/forgejo)
    • PR: Update module golang.org/x/crypto to v0.52.0 [SECURITY] (v15.0/forgejo)
    • PR: Update module code.forgejo.org/forgejo/levelqueue to v1.1.0 (v15.0/forgejo)
    • PR (backported): chore: tidy up uploading migration code
    • PR: Update module code.forgejo.org/forgejo/runner/v12 to v12.10.1 (v15.0/forgejo)
    • PR (backported): fix: make the fork API respect CanCreateOrgRepo policy
    • PR (backported): fix(e2e): Race condition in dialog modal test
    • PR (backported): tests: better factory with forgery package
    • PR (backported): refactor: delegate to service for run cancellation (#12142)
    • PR (backported): fix(e2e): Dialog modal max-width rendering failure
    • PR (backported): refactor: move rerun logic to services