Forgejo v15.0 is available

April 20, 2026
aisecurityprivacybusiness
A rustic anvil sits atop a wooden stump in a dimly lit workshop, suggesting traditional blacksmithing.
Photo by M. Talha ÇORBACI on Pexels

A milestone release

Forgejo v15.0 landed on 16 April 2026, and yes — this one’s the 100th release, a neat milestone for the lightweight, community-driven, self‑hosted code collaboration platform. Short story: it polishes day‑to‑day usability, tightens security, and adds horsepower for advanced Actions workflows. Want to kick the tires first? A dedicated test instance is available. But don’t be cavalier — a full backup and a careful read of the release notes (and intermediate breaking changes if you’re coming from v11.0) are strongly recommended.

What’s new

UI tweaks make issue filtering and the releases list easier to navigate. Admins get an automatic shortcut: containers uploaded to the package registry are auto‑linked to repositories when the image’s org.opencontainers.image.source label points to a repo URL or the container name starts with {owner}/{repo}. You can edit Git notes from the single‑commit view in pull requests. Forgejo Actions now supports expanding reusable workflows, OpenID Connect for secure third‑party access, smoother runner registration, and ephemeral runners for autoscaling — useful for teams pushing CI into the cloud without leaving credentials lying around.

Breaking changes and gotchas

Heads up: default cookie names have been stripped of branding. Unless you’ve already renamed cookies in your config, everyone will be forced to log in after upgrade — you can preserve sessions by setting COOKIE_REMEMBER_NAME back to gitea_incredible. Container users running rootless images: the old backward‑compatibility in entrypoints for /etc/gitea/app.ini has been removed; move your config to /var/lib/gitea/custom/conf/app.ini or override GITEA_APP_INI. Also expect changed authorization behavior around repository‑scoped access tokens and “public only” tokens — these alignments were intentional but are documented as breaking changes, so review Access Token Scope notes before you flip the switch.

Upgrade advice — proceed with eyes open

This release is practical and pragmatic: small UX wins and meaningful security advances, not a flashy rebrand. But upgrades bite when you least expect them. Back up, test on the provided instance, read the rollup of v12–v14 breaking changes if you’re jumping from v11, and ask for help in the chat room if anything smells off. Time for a celebratory commit? Sure. Just clear your cookies first — literally.

Sources: forgejo.org, Lobsters