From 1ff059023a8d2d81c03e2ec0d4d50593cf70c8bc Mon Sep 17 00:00:00 2001
From: 0ko <0ko@noreply.codeberg.org>
Date: Sun, 21 Dec 2025 16:53:06 +0000
Subject: [PATCH 01/34] chore(release): v15.0 exists (#1310)

Like https://code.forgejo.org/forgejo/end-to-end/pulls/710 and https://code.forgejo.org/forgejo/end-to-end/pulls/1057 (+ https://code.forgejo.org/forgejo/end-to-end/pulls/1058/files)

End-to-end for latest nonLTS is usually retired earlier than EoL to save power per https://code.forgejo.org/forgejo/end-to-end/pulls/1058#issuecomment-61424.

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1310
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Co-committed-by: 0ko <0ko@noreply.codeberg.org>
---
 forgejo/sources/15.0 | 1 +
 lib/lib.sh           | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 forgejo/sources/15.0

diff --git a/forgejo/sources/15.0 b/forgejo/sources/15.0
new file mode 100644
index 00000000..595283d3
--- /dev/null
+++ b/forgejo/sources/15.0
@@ -0,0 +1 @@
+https://codeberg.org/forgejo/forgejo forgejo 15.0.0
diff --git a/lib/lib.sh b/lib/lib.sh
index 691acc6f..843c9b53 100644
--- a/lib/lib.sh
+++ b/lib/lib.sh
@@ -26,7 +26,7 @@ IP=$(hostname -I | cut -f1 -d' ')
 #
 # Forgejo releases for which a branch exists (7.0/forgejo etc.)
 #
-RELEASE_NUMBERS="11.0 13.0 14.0"
+RELEASE_NUMBERS="11.0 14.0 15.0"
 
 PREFIX===============
 export DIR=/tmp/forgejo-end-to-end

From 37fdd131e21e13d60fd27cb9fb6ce1b9ec402497 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 28 Dec 2025 14:42:32 +0000
Subject: [PATCH 02/34] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.0.7 (#1343)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1343
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/prepare-end-to-end/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/prepare-end-to-end/action.yml b/.forgejo/prepare-end-to-end/action.yml
index d85eb6f6..3c1153c0 100644
--- a/.forgejo/prepare-end-to-end/action.yml
+++ b/.forgejo/prepare-end-to-end/action.yml
@@ -15,7 +15,7 @@ runs:
             /usr/local/bin/garage
           key: S3
 
-      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.0.6
+      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.0.7
         with:
           install-only: true
       - run: forgejo-binary.sh ensure_user forgejo

From a8a26c92961a1a84577f0d274a2d84e52aa744e8 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Sun, 28 Dec 2025 16:29:05 +0000
Subject: [PATCH 03/34] test: add reusable workflow expansion test (#1316)

end-to-end test covering https://codeberg.org/forgejo/forgejo/pulls/10525.

![image](/attachments/2bca39ea-67d9-4ae6-a940-e2b5f77b11d4)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1316
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 actions/actions.sh                            |  4 +++
 .../.forgejo/workflows/reusable.yml           | 28 +++++++++++++++++++
 .../.forgejo/workflows/test.yml               | 20 +++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 actions/example-workflow-call-expansion/.forgejo/workflows/reusable.yml
 create mode 100644 actions/example-workflow-call-expansion/.forgejo/workflows/test.yml

diff --git a/actions/actions.sh b/actions/actions.sh
index 5ddffd1f..1dc6b14e 100755
--- a/actions/actions.sh
+++ b/actions/actions.sh
@@ -180,5 +180,9 @@ function test_actions() {
         if dpkg --compare-versions $version ge 14.0; then
             run actions_verify_example matrix-dynamic
         fi
+
+        if dpkg --compare-versions $version ge 15.0; then
+            run actions_verify_example workflow-call-expansion
+        fi
     done
 }
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable.yml
new file mode 100644
index 00000000..b5bcdde4
--- /dev/null
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable.yml
@@ -0,0 +1,28 @@
+on:
+  workflow_call:
+
+jobs:
+  callee-1:
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: indicate callee-1 hit
+        run: touch /srv/example/callee-1
+
+  callee-2:
+    needs: callee-1
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: verify callee-1 completed
+        run: |
+          set -x
+          test -f /srv/example/callee-1
+      - name: indicate callee-2 hit
+        run: touch /srv/example/callee-2
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
new file mode 100644
index 00000000..484cdc29
--- /dev/null
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
@@ -0,0 +1,20 @@
+on:
+  push:
+
+jobs:
+  caller:
+    uses: ./.forgejo/workflows/reusable.yml
+
+  verify:
+    needs: [caller]
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: verify callee-1 & callee-2 completed
+        run: |
+          set -x
+          test -f /srv/example/callee-1
+          test -f /srv/example/callee-2

From cc2a2e85f7a65f2ec6771a75ce83492cfb51e839 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Mon, 29 Dec 2025 02:58:01 +0000
Subject: [PATCH 04/34] test: add reusable workflow expansion test for outputs
 (#1322)

In the "reusable workflow expansion" case (that is, when `runs-on` is not provided), this PR adds tests for `on.workflow_call.outputs`, and expands the test case to have two layers of reusable workflows to cover quirky behaviours that were discovered during manual testing.

Manual invocation successful:
![image](/attachments/0406a783-4ef6-4854-a376-421ccc86b854)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1322
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 .../.forgejo/workflows/reusable-layer-1.yml   | 49 +++++++++++++++++++
 .../.forgejo/workflows/reusable-layer-2.yml   | 37 ++++++++++++++
 .../.forgejo/workflows/reusable.yml           | 28 -----------
 .../.forgejo/workflows/test.yml               | 17 +++++--
 4 files changed, 99 insertions(+), 32 deletions(-)
 create mode 100644 actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
 create mode 100644 actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
 delete mode 100644 actions/example-workflow-call-expansion/.forgejo/workflows/reusable.yml

diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
new file mode 100644
index 00000000..bc0b7dc9
--- /dev/null
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
@@ -0,0 +1,49 @@
+on:
+  workflow_call:
+    outputs:
+      output1:
+        value: ${{ jobs.callee-1.outputs.job-output }}
+      output2:
+        value: ${{ jobs.callee-2.outputs.job-output }}
+      output3:
+        value: ${{ jobs.layer-2.outputs.output3 }}
+      output4:
+        value: ${{ jobs.layer-2.outputs.output4 }}
+
+jobs:
+  callee-1:
+    runs-on: docker
+    outputs:
+      job-output: callee-1-output
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: indicate callee-1 hit
+        run: touch /srv/example/callee-1
+
+  layer-2:
+    uses: ./.forgejo/workflows/reusable-layer-2.yml
+
+  callee-2:
+    needs: [callee-1, layer-2]
+    runs-on: docker
+    outputs:
+      job-output: callee-2-output
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: verify callee-1 completed
+        run: |
+          set -x
+          test -f /srv/example/callee-1
+      - name: verify layer-2 completed
+        run: |
+          set -x
+          test -f /srv/example/callee-3
+          test -f /srv/example/callee-4
+      - name: indicate callee-2 hit
+        run: touch /srv/example/callee-2
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
new file mode 100644
index 00000000..1633ff7c
--- /dev/null
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
@@ -0,0 +1,37 @@
+on:
+  workflow_call:
+    outputs:
+      output3:
+        value: ${{ jobs.callee-3.outputs.job-output }}
+      output4:
+        value: ${{ jobs.callee-4.outputs.job-output }}
+
+jobs:
+  callee-3:
+    runs-on: docker
+    outputs:
+      job-output: callee-3-output
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: indicate callee-3 hit
+        run: touch /srv/example/callee-3
+
+  callee-4:
+    needs: callee-3
+    runs-on: docker
+    outputs:
+      job-output: callee-4-output
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: verify callee-3 completed
+        run: |
+          set -x
+          test -f /srv/example/callee-3
+      - name: indicate callee-4 hit
+        run: touch /srv/example/callee-4
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable.yml
deleted file mode 100644
index b5bcdde4..00000000
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-on:
-  workflow_call:
-
-jobs:
-  callee-1:
-    runs-on: docker
-    container:
-      image: data.forgejo.org/oci/node:22-bookworm
-      volumes:
-        - /srv/example:/srv/example
-    steps:
-      - name: indicate callee-1 hit
-        run: touch /srv/example/callee-1
-
-  callee-2:
-    needs: callee-1
-    runs-on: docker
-    container:
-      image: data.forgejo.org/oci/node:22-bookworm
-      volumes:
-        - /srv/example:/srv/example
-    steps:
-      - name: verify callee-1 completed
-        run: |
-          set -x
-          test -f /srv/example/callee-1
-      - name: indicate callee-2 hit
-        run: touch /srv/example/callee-2
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
index 484cdc29..564475ec 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
@@ -2,19 +2,28 @@ on:
   push:
 
 jobs:
-  caller:
-    uses: ./.forgejo/workflows/reusable.yml
+  layer-1:
+    uses: ./.forgejo/workflows/reusable-layer-1.yml
 
   verify:
-    needs: [caller]
+    needs: [layer-1]
     runs-on: docker
     container:
       image: data.forgejo.org/oci/node:22-bookworm
       volumes:
         - /srv/example:/srv/example
     steps:
-      - name: verify callee-1 & callee-2 completed
+      - name: verify callee-[0-4] completed
         run: |
           set -x
           test -f /srv/example/callee-1
           test -f /srv/example/callee-2
+          test -f /srv/example/callee-3
+          test -f /srv/example/callee-4
+      - name: verify workflow outputs
+        run: |
+          set -x
+          test "callee-1-output" = "${{ needs.layer-1.outputs.output1 }}"
+          test "callee-2-output" = "${{ needs.layer-1.outputs.output2 }}"
+          test "callee-3-output" = "${{ needs.layer-1.outputs.output3 }}"
+          test "callee-4-output" = "${{ needs.layer-1.outputs.output4 }}"

From 1fbbc4277c7275ebfcc1f15e6f96bc10c8c3b1e2 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 30 Dec 2025 14:49:39 +0000
Subject: [PATCH 05/34] test: add reusable workflow expansion test for inputs
 (#1323)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1323
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 .../.forgejo/workflows/reusable-layer-1.yml          | 11 +++++++++++
 .../.forgejo/workflows/reusable-layer-2.yml          | 12 ++++++++++++
 .../.forgejo/workflows/test.yml                      |  2 ++
 3 files changed, 25 insertions(+)

diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
index bc0b7dc9..c6b165b5 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
@@ -1,5 +1,9 @@
 on:
   workflow_call:
+    inputs:
+      input1:
+        required: true
+        type: string
     outputs:
       output1:
         value: ${{ jobs.callee-1.outputs.job-output }}
@@ -20,11 +24,18 @@ jobs:
       volumes:
         - /srv/example:/srv/example
     steps:
+      - name: verify workflow inputs
+        run: |
+          set -x
+          test "top-level-input1" = "${{ inputs.input1 }}"
       - name: indicate callee-1 hit
         run: touch /srv/example/callee-1
 
   layer-2:
     uses: ./.forgejo/workflows/reusable-layer-2.yml
+    with:
+      input1: ${{ inputs.input1 }}
+      input2: mid-level-input2
 
   callee-2:
     needs: [callee-1, layer-2]
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
index 1633ff7c..099c0331 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
@@ -1,5 +1,12 @@
 on:
   workflow_call:
+    inputs:
+      input1:
+        required: true
+        type: string
+      input2:
+        required: true
+        type: string
     outputs:
       output3:
         value: ${{ jobs.callee-3.outputs.job-output }}
@@ -16,6 +23,11 @@ jobs:
       volumes:
         - /srv/example:/srv/example
     steps:
+      - name: verify workflow inputs
+        run: |
+          set -x
+          test "top-level-input1" = "${{ inputs.input1 }}"
+          test "mid-level-input2" = "${{ inputs.input2 }}"
       - name: indicate callee-3 hit
         run: touch /srv/example/callee-3
 
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
index 564475ec..29e04d80 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
@@ -4,6 +4,8 @@ on:
 jobs:
   layer-1:
     uses: ./.forgejo/workflows/reusable-layer-1.yml
+    with:
+      input1: top-level-input1
 
   verify:
     needs: [layer-1]

From 0e0b1429e675b4e842fa80788d99d3112370a728 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Tue, 30 Dec 2025 20:16:02 +0000
Subject: [PATCH 06/34] test: add reusable workflow expansion test for secrets
 (#1351)

Local test:
![image](/attachments/2357b06f-2506-4a31-ae51-a372e4eb4704)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1351
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 .../.forgejo/workflows/reusable-layer-1.yml          |  7 +++++++
 .../.forgejo/workflows/reusable-layer-2.yml          |  6 ++++++
 .../.forgejo/workflows/test.yml                      | 10 ++++++++++
 actions/example-workflow-call-expansion/run.sh       | 12 ++++++++++++
 4 files changed, 35 insertions(+)
 create mode 100644 actions/example-workflow-call-expansion/run.sh

diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
index c6b165b5..1e806711 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
@@ -28,6 +28,12 @@ jobs:
         run: |
           set -x
           test "top-level-input1" = "${{ inputs.input1 }}"
+      - name: verify workflow secrets
+        run: |
+          set -x
+          test "AAAA" = "${{ secrets.secret1 }}"
+          test "BBBB1234" = "${{ secrets.secret2 }}"
+          test "" = "${{ secrets.secret3 }}" # wasn't specified to the workflow, should be absent
       - name: indicate callee-1 hit
         run: touch /srv/example/callee-1
 
@@ -36,6 +42,7 @@ jobs:
     with:
       input1: ${{ inputs.input1 }}
       input2: mid-level-input2
+    secrets: inherit
 
   callee-2:
     needs: [callee-1, layer-2]
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
index 099c0331..eaf37ba1 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
@@ -28,6 +28,12 @@ jobs:
           set -x
           test "top-level-input1" = "${{ inputs.input1 }}"
           test "mid-level-input2" = "${{ inputs.input2 }}"
+      - name: verify workflow secrets inherited
+        run: |
+          set -x
+          test "AAAA" = "${{ secrets.secret1 }}"
+          test "BBBB1234" = "${{ secrets.secret2 }}"
+          test "" = "${{ secrets.secret3 }}" # wasn't specified to the workflow, should be absent
       - name: indicate callee-3 hit
         run: touch /srv/example/callee-3
 
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
index 29e04d80..dfa29afc 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
@@ -6,6 +6,9 @@ jobs:
     uses: ./.forgejo/workflows/reusable-layer-1.yml
     with:
       input1: top-level-input1
+    secrets:
+      secret1: AAAA
+      secret2: BBBB1234
 
   verify:
     needs: [layer-1]
@@ -15,6 +18,13 @@ jobs:
       volumes:
         - /srv/example:/srv/example
     steps:
+      - name: verify test config secret
+        run: |
+          set -x
+          # SECRET3 is set on the repo, but not passed into `reusable-layer-1.yml` so that we can test secrets don't
+          # leak into the workflow if they're not explicitly defined. This check verifies that the test environment has
+          # that secret, otherwise the test assertions that it isn't present within the workflow would be meaningless.
+          test "CCCC" = "${{ secrets.secret3 }}"
       - name: verify callee-[0-4] completed
         run: |
           set -x
diff --git a/actions/example-workflow-call-expansion/run.sh b/actions/example-workflow-call-expansion/run.sh
new file mode 100644
index 00000000..07ca4cb7
--- /dev/null
+++ b/actions/example-workflow-call-expansion/run.sh
@@ -0,0 +1,12 @@
+repo=root/example-$example
+api=$url/api/v1
+
+# Prepare test repo
+forgejo-test-helper.sh push_workflow actions/example-$example $url root example-$example setup-forgejo $token
+sha=$(forgejo-test-helper.sh branch_tip $url $repo main)
+
+# Install a repo secret
+forgejo-curl.sh api_json -X PUT --data-raw '{"data":"CCCC"}' $api/repos/$repo/actions/secrets/SECRET3
+
+# Wait for action to complete
+forgejo-test-helper.sh wait_success $url root/example-$example $sha

From 6e89c972c3911dd1efeac512cfbda0f87355620a Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 1 Jan 2026 18:17:58 +0000
Subject: [PATCH 07/34] test: add reusable workflow expansion test for ${{
 needs... }} (#1362)

end-to-end tests for https://codeberg.org/forgejo/forgejo/pulls/10647

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1362
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 .../.forgejo/workflows/reusable-layer-1.yml          |  7 +++++++
 .../.forgejo/workflows/reusable-layer-2.yml          |  8 ++++++++
 .../.forgejo/workflows/test.yml                      | 12 ++++++++++++
 3 files changed, 27 insertions(+)

diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
index 1e806711..649392c1 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml
@@ -4,6 +4,9 @@ on:
       input1:
         required: true
         type: string
+      input3:
+        required: true
+        type: string
     outputs:
       output1:
         value: ${{ jobs.callee-1.outputs.job-output }}
@@ -28,6 +31,7 @@ jobs:
         run: |
           set -x
           test "top-level-input1" = "${{ inputs.input1 }}"
+          test "dynamic output" = "${{ inputs.input3 }}"
       - name: verify workflow secrets
         run: |
           set -x
@@ -38,10 +42,13 @@ jobs:
         run: touch /srv/example/callee-1
 
   layer-2:
+    needs: [callee-1]
     uses: ./.forgejo/workflows/reusable-layer-2.yml
     with:
       input1: ${{ inputs.input1 }}
       input2: mid-level-input2
+      input3: ${{ inputs.input3 }}
+      input4: ${{ needs.callee-1.outputs.job-output }}
     secrets: inherit
 
   callee-2:
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
index eaf37ba1..3b633ebd 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml
@@ -7,6 +7,12 @@ on:
       input2:
         required: true
         type: string
+      input3:
+        required: true
+        type: string
+      input4:
+        required: true
+        type: string
     outputs:
       output3:
         value: ${{ jobs.callee-3.outputs.job-output }}
@@ -28,6 +34,8 @@ jobs:
           set -x
           test "top-level-input1" = "${{ inputs.input1 }}"
           test "mid-level-input2" = "${{ inputs.input2 }}"
+          test "dynamic output" = "${{ inputs.input3 }}"
+          test "callee-1-output" = "${{ inputs.input4 }}"
       - name: verify workflow secrets inherited
         run: |
           set -x
diff --git a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
index dfa29afc..cd9290a2 100644
--- a/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
+++ b/actions/example-workflow-call-expansion/.forgejo/workflows/test.yml
@@ -2,10 +2,22 @@ on:
   push:
 
 jobs:
+  pre-job:
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+    outputs:
+      dynamic: "${{ steps.dynamic-step.outputs.dynamic }}"
+    steps:
+      - id: dynamic-step
+        run: echo "dynamic=dynamic output" >> $FORGEJO_OUTPUT
+
   layer-1:
+    needs: [pre-job]
     uses: ./.forgejo/workflows/reusable-layer-1.yml
     with:
       input1: top-level-input1
+      input3: ${{ needs.pre-job.outputs.dynamic }}
     secrets:
       secret1: AAAA
       secret2: BBBB1234

From 1064337c896760f28a02dc01377a632683958df2 Mon Sep 17 00:00:00 2001
From: Mathieu Fenniak <mathieu@fenniak.net>
Date: Thu, 1 Jan 2026 22:16:33 +0000
Subject: [PATCH 08/34] ci: run Forgejo Actions & Packages test w/ dynamic
 matrix (#1367)

Incorporates these changes:
- When `forgejo/build-from-sources` is present, Actions & Packages tests are run only against the built versions.  Otherwise, they are run against the versions defined in `$RELEASE_NUMBERS`
- Updates Packages tests which are testing Alpine publishing to use currently supported Alpine releases
- Actions & Packages tests are run in a matrix, allowing parallel execution

Only the Actions & Packages tests take a significant amount of time (>10 minutes), so changes have been limited to those test suites -- every test suite that is moved into a matrix adds additional overhead in the 1 minute `prepare-end-to-end` step.

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1367
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
---
 .forgejo/workflows/end-to-end.yml                  | 14 ++++++++++++--
 .../.forgejo/workflows/test.yml                    |  2 ++
 actions/example-cache-pull-request/run.sh          |  2 ++
 packages/alpine-10.0                               |  1 -
 packages/alpine.sh                                 |  8 +++++---
 .../package-source/forgejo-2173/APKBUILD           |  0
 .../package-source/forgejo-2173/forgejo_2173       |  0
 .../package-source/forgejo-2173/forgejo_2173.init  |  0
 .../package-source/forgejo-2174/APKBUILD           |  0
 .../package-source/forgejo-2174/forgejo_2174       |  0
 .../package-source/forgejo-2174/forgejo_2174.init  |  0
 packages/{alpine-7.0 => alpine}/test.sh            |  0
 packages/packages.sh                               |  4 +++-
 13 files changed, 24 insertions(+), 7 deletions(-)
 delete mode 120000 packages/alpine-10.0
 rename packages/{alpine-7.0 => alpine}/package-source/forgejo-2173/APKBUILD (100%)
 rename packages/{alpine-7.0 => alpine}/package-source/forgejo-2173/forgejo_2173 (100%)
 rename packages/{alpine-7.0 => alpine}/package-source/forgejo-2173/forgejo_2173.init (100%)
 rename packages/{alpine-7.0 => alpine}/package-source/forgejo-2174/APKBUILD (100%)
 rename packages/{alpine-7.0 => alpine}/package-source/forgejo-2174/forgejo_2174 (100%)
 rename packages/{alpine-7.0 => alpine}/package-source/forgejo-2174/forgejo_2174.init (100%)
 rename packages/{alpine-7.0 => alpine}/test.sh (100%)

diff --git a/.forgejo/workflows/end-to-end.yml b/.forgejo/workflows/end-to-end.yml
index 27c917a6..3921e400 100644
--- a/.forgejo/workflows/end-to-end.yml
+++ b/.forgejo/workflows/end-to-end.yml
@@ -18,6 +18,7 @@ jobs:
       image: 'data.forgejo.org/oci/node:20-bookworm'
     outputs:
       built: "${{ steps.build.outputs.built }}"
+      forgejo_versions_json: "${{ steps.build.outputs.forgejo_versions_json }}"
     steps:
       - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: https://data.forgejo.org/actions/setup-go@v5
@@ -31,6 +32,8 @@ jobs:
 
           if ! test -f forgejo/build-from-sources; then
              echo forgejo/build-from-sources is not present, do not build any version from source
+             source lib/lib.sh
+             echo "forgejo_versions_json=$(node -p "JSON.stringify(process.argv[1].split(' '))" "$RELEASE_NUMBERS")" >> $FORGEJO_OUTPUT
              echo "built=no" >> $FORGEJO_OUTPUT
              exit 0
           fi
@@ -52,6 +55,7 @@ jobs:
             mv $forgejo /tmp/forgejo-upload/forgejo-$version
           done
 
+          echo "forgejo_versions_json=$(node -p "JSON.stringify(process.argv[1].split(' '))" "$(cat forgejo/build-from-sources)")" >> $FORGEJO_OUTPUT
           echo "built=yes" >> $FORGEJO_OUTPUT
 
       - name: steps context dump for debug
@@ -70,12 +74,15 @@ jobs:
   packages:
     needs: [build]
     runs-on: lxc-trixie
+    strategy:
+      matrix:
+        forgejo_version: ${{ fromJSON(needs.build.outputs.forgejo_versions_json) }}
     steps:
       - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/prepare-end-to-end
         with:
             built: ${{ needs.build.outputs.built }}
-      - run: su forgejo -c "./end-to-end.sh test_packages"
+      - run: su forgejo -c "./end-to-end.sh test_packages ${{ matrix.forgejo_version }}"
       - if: ${{ needs.build.outputs.built == 'yes' }}
         uses: ./.forgejo/upload-coverage
         with:
@@ -87,13 +94,16 @@ jobs:
   actions:
     needs: [build]
     runs-on: lxc-trixie
+    strategy:
+      matrix:
+        forgejo_version: ${{ fromJSON(needs.build.outputs.forgejo_versions_json) }}
     steps:
       - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/prepare-end-to-end
         with:
             built: ${{ needs.build.outputs.built }}
       - run: ./end-to-end.sh prepare_dockerd
-      - run: su forgejo -c "./end-to-end.sh test_actions"
+      - run: su forgejo -c "./end-to-end.sh test_actions ${{ matrix.forgejo_version }}"
       - if: ${{ needs.build.outputs.built == 'yes' }}
         uses: ./.forgejo/upload-coverage
         with:
diff --git a/actions/example-cache-pull-request/.forgejo/workflows/test.yml b/actions/example-cache-pull-request/.forgejo/workflows/test.yml
index aad6b08b..43a96d41 100644
--- a/actions/example-cache-pull-request/.forgejo/workflows/test.yml
+++ b/actions/example-cache-pull-request/.forgejo/workflows/test.yml
@@ -79,6 +79,7 @@ jobs:
       - name: determine if the PR is from a fork
         id: forked
         run: |
+          set -x
           if test ${{ forge.event.pull_request.base.repo.full_name }} = ${{ forge.event.pull_request.head.repo.full_name }} ; then
             echo value=false >> $FORGEJO_OUTPUT
           else
@@ -87,6 +88,7 @@ jobs:
 
       - name: save event
         run: |
+          set -x
           d=/srv/example/cache-pull-request/contexts/${{ forgejo.event.pull_request.head.repo.owner.username }}/$FORGEJO_EVENT_NAME
           mkdir -p $d
           cat > $d/forgejo-${{ forgejo.event.action }} <<'EOF'
diff --git a/actions/example-cache-pull-request/run.sh b/actions/example-cache-pull-request/run.sh
index 544b652a..85020281 100755
--- a/actions/example-cache-pull-request/run.sh
+++ b/actions/example-cache-pull-request/run.sh
@@ -53,6 +53,7 @@ function main() {
     # wait for the opened event to succeed using the cache on all pull requests
     #
     if ! forgejo.sh retry $EXAMPLE_DIR/assert-contexts-opened.sh; then
+        echo "assert-contexts-opened.sh failed; printing related logs and information:"
         find $d
         sed -e 's/^/[RUNNER LOGS]/' <$FORGEJO_RUNNER_LOGS
         return 1
@@ -69,6 +70,7 @@ function main() {
     # wait for the closed event to succeed using the cache on all pull requests
     #
     if ! forgejo.sh retry $EXAMPLE_DIR/assert-contexts-closed.sh; then
+        echo "assert-contexts-closed.sh failed; printing related logs and information:"
         find $d
         sed -e 's/^/[RUNNER LOGS]/' <$FORGEJO_RUNNER_LOGS
         return 1
diff --git a/packages/alpine-10.0 b/packages/alpine-10.0
deleted file mode 120000
index b34295a0..00000000
--- a/packages/alpine-10.0
+++ /dev/null
@@ -1 +0,0 @@
-alpine-7.0
\ No newline at end of file
diff --git a/packages/alpine.sh b/packages/alpine.sh
index c8679a51..ce5c4ac8 100644
--- a/packages/alpine.sh
+++ b/packages/alpine.sh
@@ -7,7 +7,7 @@ function test_packages_alpine_version() {
     reset_forgejo $PACKAGES_DIR/alpine-app.ini
     start_forgejo $forgejo_version
 
-    local d=$PACKAGES_DIR/alpine-$forgejo_version
+    local d=$PACKAGES_DIR/alpine
     local token=$(cat $DIR/forgejo-curl/token)
     local url=http://${HOST_PORT}
 
@@ -16,8 +16,10 @@ function test_packages_alpine_version() {
 }
 
 function test_packages_alpine() {
-    for alpine_version in 3.20 3.21; do
-        for forgejo_version in 7.0 10.0; do
+    local forgejo_versions="${1:-$RELEASE_NUMBERS}"
+
+    for alpine_version in 3.22 3.23; do
+        for forgejo_version in $forgejo_versions; do
             test_packages_alpine_version $alpine_version $forgejo_version
         done
     done
diff --git a/packages/alpine-7.0/package-source/forgejo-2173/APKBUILD b/packages/alpine/package-source/forgejo-2173/APKBUILD
similarity index 100%
rename from packages/alpine-7.0/package-source/forgejo-2173/APKBUILD
rename to packages/alpine/package-source/forgejo-2173/APKBUILD
diff --git a/packages/alpine-7.0/package-source/forgejo-2173/forgejo_2173 b/packages/alpine/package-source/forgejo-2173/forgejo_2173
similarity index 100%
rename from packages/alpine-7.0/package-source/forgejo-2173/forgejo_2173
rename to packages/alpine/package-source/forgejo-2173/forgejo_2173
diff --git a/packages/alpine-7.0/package-source/forgejo-2173/forgejo_2173.init b/packages/alpine/package-source/forgejo-2173/forgejo_2173.init
similarity index 100%
rename from packages/alpine-7.0/package-source/forgejo-2173/forgejo_2173.init
rename to packages/alpine/package-source/forgejo-2173/forgejo_2173.init
diff --git a/packages/alpine-7.0/package-source/forgejo-2174/APKBUILD b/packages/alpine/package-source/forgejo-2174/APKBUILD
similarity index 100%
rename from packages/alpine-7.0/package-source/forgejo-2174/APKBUILD
rename to packages/alpine/package-source/forgejo-2174/APKBUILD
diff --git a/packages/alpine-7.0/package-source/forgejo-2174/forgejo_2174 b/packages/alpine/package-source/forgejo-2174/forgejo_2174
similarity index 100%
rename from packages/alpine-7.0/package-source/forgejo-2174/forgejo_2174
rename to packages/alpine/package-source/forgejo-2174/forgejo_2174
diff --git a/packages/alpine-7.0/package-source/forgejo-2174/forgejo_2174.init b/packages/alpine/package-source/forgejo-2174/forgejo_2174.init
similarity index 100%
rename from packages/alpine-7.0/package-source/forgejo-2174/forgejo_2174.init
rename to packages/alpine/package-source/forgejo-2174/forgejo_2174.init
diff --git a/packages/alpine-7.0/test.sh b/packages/alpine/test.sh
similarity index 100%
rename from packages/alpine-7.0/test.sh
rename to packages/alpine/test.sh
diff --git a/packages/packages.sh b/packages/packages.sh
index 002ed796..4fc9c6a4 100644
--- a/packages/packages.sh
+++ b/packages/packages.sh
@@ -7,5 +7,7 @@ PACKAGES_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 source $PACKAGES_DIR/alpine.sh
 
 function test_packages() {
-    run test_packages_alpine
+    local forgejo_versions="${1:-$RELEASE_NUMBERS}"
+
+    run test_packages_alpine $forgejo_versions
 }

From a57c631faedbb9a17ad86383e06bacd27ae77dea Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Mon, 5 Jan 2026 14:34:58 +0000
Subject: [PATCH 09/34] feat(federation): add scenario-mastodon setup and
 teardown (#1274)

2/5 taken out of #1269

This patch adds the setup and teardown of Mastodon for use in the end-to-end tests

Co-Authored-By: zam <mirco.zachmann@meissa.de>
Co-Authored-By: erik <erik.seiert@meissa-gmbh.de>
Co-Authored-By: Michael Jerger <michael.jerger@meissa-gmbh.de>

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1274
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Reviewed-by: Beowulf <beowulf@noreply.code.forgejo.org>
Co-authored-by: famfo <famfo@famfo.xyz>
Co-committed-by: famfo <famfo@famfo.xyz>
---
 federation/federation.sh                      |  1 +
 federation/scenario-mastodon/.gitignore       |  3 +
 .../scenario-mastodon/TEST_INSTRUCTION.md     | 38 ++++++++
 federation/scenario-mastodon/compose.yaml     | 95 +++++++++++++++++++
 .../forgejo-app/config/app.ini                | 32 +++++++
 .../forgejo-app/init/create_test_account.sh   |  7 ++
 .../forgejo-app/init/init.sh                  | 10 ++
 .../scenario-mastodon/forgejo/certs/.gitkeep  |  0
 .../forgejo/etc/lighttpd.conf                 | 22 +++++
 .../scenario-mastodon/forgejo/init/init.sh    |  6 ++
 federation/scenario-mastodon/functions.sh     | 32 +++++++
 .../mastodon-app/init/create_test_account.sh  | 14 +++
 .../mastodon-app/init/init.sh                 |  8 ++
 .../mastodon-sidekiq/init/init.sh             |  7 ++
 .../certs/custom-snakeoil-rootCA.crt          | 19 ++++
 .../certs/custom-snakeoil-rootCA.key          | 28 ++++++
 federation/scenario-mastodon/run.sh           | 17 ++++
 federation/scenario-mastodon/setup.sh         | 48 ++++++++++
 federation/scenario-mastodon/teardown.sh      |  8 ++
 19 files changed, 395 insertions(+)
 create mode 100644 federation/scenario-mastodon/.gitignore
 create mode 100644 federation/scenario-mastodon/TEST_INSTRUCTION.md
 create mode 100644 federation/scenario-mastodon/compose.yaml
 create mode 100644 federation/scenario-mastodon/forgejo-app/config/app.ini
 create mode 100755 federation/scenario-mastodon/forgejo-app/init/create_test_account.sh
 create mode 100755 federation/scenario-mastodon/forgejo-app/init/init.sh
 create mode 100644 federation/scenario-mastodon/forgejo/certs/.gitkeep
 create mode 100644 federation/scenario-mastodon/forgejo/etc/lighttpd.conf
 create mode 100755 federation/scenario-mastodon/forgejo/init/init.sh
 create mode 100644 federation/scenario-mastodon/functions.sh
 create mode 100755 federation/scenario-mastodon/mastodon-app/init/create_test_account.sh
 create mode 100755 federation/scenario-mastodon/mastodon-app/init/init.sh
 create mode 100755 federation/scenario-mastodon/mastodon-sidekiq/init/init.sh
 create mode 100644 federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.crt
 create mode 100644 federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.key
 create mode 100644 federation/scenario-mastodon/run.sh
 create mode 100755 federation/scenario-mastodon/setup.sh
 create mode 100644 federation/scenario-mastodon/teardown.sh

diff --git a/federation/federation.sh b/federation/federation.sh
index 5dbc596d..95682c8c 100755
--- a/federation/federation.sh
+++ b/federation/federation.sh
@@ -78,6 +78,7 @@ function test_federation() {
         # NOTE: newline seperated, not comma :>
         scenarios=(
             "star 7.1"
+            "mastodon 14.0"
         )
 
         for scenario_version_str in "${scenarios[@]}"; do
diff --git a/federation/scenario-mastodon/.gitignore b/federation/scenario-mastodon/.gitignore
new file mode 100644
index 00000000..041e9d6f
--- /dev/null
+++ b/federation/scenario-mastodon/.gitignore
@@ -0,0 +1,3 @@
+/resources/certs/forgejo*
+/forgejo/certs/*
+!/forgejo/certs/.gitkeep
diff --git a/federation/scenario-mastodon/TEST_INSTRUCTION.md b/federation/scenario-mastodon/TEST_INSTRUCTION.md
new file mode 100644
index 00000000..82d957b0
--- /dev/null
+++ b/federation/scenario-mastodon/TEST_INSTRUCTION.md
@@ -0,0 +1,38 @@
+# Manual testing
+
+1. compile forgejo binary to test on a debian/ubuntu system
+2. start applications
+    * local forgejo:
+        ```sh
+        cd federation/scenario-mastodon
+        # create cert & startup & create test accounts
+        SCENARIO_DIR="." ./setup.sh
+        # Mastodon password in "/tmp/forgejo-end-to-end/federation_scenario-mastodon-env"
+        # Bind forgejo to localhost:3003 and set the domain to `forgejo`
+        ```
+    * containerized forgejo:
+        ```sh
+        cd federation/scenario-mastodon
+        # Generate self-signed certs on first run
+        source ./functions.sh
+        generate_certs forgejo "./resources/certs"
+        mv "./resources/certs/forgejo"* "forgejo/certs"
+
+        # Setup container
+        export FORGEJO_PATH="/path/to/forgejo/binary"
+        export COMPOSE_PROFILES="forgejo_container"
+        export MASTODON_HOST="mastodon-app"
+
+        podman-compose up -d
+        podman-compose exec forgejo-app bash -c "/init/create_test_account.sh"
+        # Mastodon password is the last line of the output
+        podman-compose exec mastodon-app bash -c "/init/create_test_account.sh"
+        ```
+3. login to mastodon: http://localhost:4000
+   1. test@localhost - password from start app.
+4. search for forgejo user: `https://forgejo/api/v1/activitypub/user-id/1`
+5. Press follow
+6. FYI:
+   1. login to forgejo: http://localhost:3003/
+   2. me - me
+   3. swagger-uri: http://localhost:3003/api/swagger#/activitypub
diff --git a/federation/scenario-mastodon/compose.yaml b/federation/scenario-mastodon/compose.yaml
new file mode 100644
index 00000000..0a39c17e
--- /dev/null
+++ b/federation/scenario-mastodon/compose.yaml
@@ -0,0 +1,95 @@
+networks:
+    external_network:
+    internal_network:
+        internal: true
+
+services:
+    forgejo:
+        image: code.forgejo.org/oci/alpine:latest
+        volumes:
+            - ./forgejo/certs/:/usr/local/share/ca-certificates/
+            - ./forgejo/init/:/init/
+            - ./forgejo/etc/lighttpd.conf:/etc/lighttpd.conf
+        restart: unless-stopped
+        entrypoint: "sh /init/init.sh"
+        networks:
+            - external_network
+            - internal_network
+
+    forgejo-app:
+        profiles:
+            - forgejo_container
+        # built from https://code.forgejo.org/federation/build-mastodon/src/branch/main/debian-containerfile
+        image: code.forgejo.org/federation/debian:trixie-cacerts
+        tmpfs:
+            - /data
+        volumes:
+            - ./forgejo-app/init/:/init/
+            - ./forgejo-app/config/:/config/
+            - ./resources/certs/:/usr/local/share/ca-certificates/
+            - "${FORGEJO_PATH}:/usr/local/bin/forgejo"
+        ports:
+            - 3003:3003
+        entrypoint: "sh /init/init.sh"
+        networks:
+            - external_network
+            - internal_network
+
+    postgres:
+        image: code.forgejo.org/oci/postgres:14
+        tmpfs:
+            - /var/lib/postgresql/data
+        environment:
+            POSTGRES_USER: postgres
+            POSTGRES_DB: postgres
+            POSTGRES_PASSWORD: postgres
+            POSTGRES_HOST_AUTH_METHOD: trust
+        networks:
+            - internal_network
+
+    redis:
+        image: code.forgejo.org/oci/redis:7.2
+        tmpfs:
+            - /var/lib/redis/
+        networks:
+            - internal_network
+
+    mastodon-app:
+        # built from https://code.forgejo.org/federation/build-mastodon/src/branch/main/mastodon-containerfile
+        image: code.forgejo.org/federation/mastodon:v4.5-test
+        volumes:
+            - ./resources/certs:/usr/local/share/ca-certificates/
+            - ./mastodon-app/init/:/init/
+        environment: &mastodon_env
+            DB_HOST: postgres
+            DB_USER: postgres
+            DB_PASS: postgres
+            REDIS_HOST: redis
+            PORT: 4000
+            LOCAL_DOMAIN: ${MASTODON_HOST}:4000
+            ALTERNATE_DOMAINS: ${MASTODON_HOST},localhost
+            EMAIL_DOMAIN_ALLOWLIST: localhost
+            AUTHORIZED_FETCH: "true"
+            ALLOWED_PRIVATE_ADDRESSES: 0.0.0.0/0,::/0
+            SECRET_KEY_BASE: bc1bdb4d3d57a2c292a8f145d5d3c921
+            ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: fkSxKD2bF396kdQbrP1EJ7WbU7ZgNokR
+            ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: r0hvVmzBVsjxC7AMlwhOzmtc36ZCOS1E
+            ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: PhdFyyfy5xJ7WVd2lWBpcPScRQHzRTNr
+        ports:
+            - "4000:4000"
+        entrypoint: "sh /init/init.sh"
+        networks:
+            - external_network
+            - internal_network
+
+    mastodon-sidekiq:
+        # built from https://code.forgejo.org/federation/build-mastodon/src/branch/main/mastodon-containerfile
+        image: code.forgejo.org/federation/mastodon:v4.5-test
+        volumes:
+            - ./resources/certs:/usr/local/share/ca-certificates/
+            - ./mastodon-sidekiq/init/:/init/
+        restart: unless-stopped
+        environment: *mastodon_env
+        entrypoint: "sh /init/init.sh"
+        networks:
+            - internal_network
diff --git a/federation/scenario-mastodon/forgejo-app/config/app.ini b/federation/scenario-mastodon/forgejo-app/config/app.ini
new file mode 100644
index 00000000..55ef4f61
--- /dev/null
+++ b/federation/scenario-mastodon/forgejo-app/config/app.ini
@@ -0,0 +1,32 @@
+RUN_MODE = prod
+
+[server]
+APP_DATA_PATH = /data
+DOMAIN = forgejo
+ROOT_URL = https://forgejo/
+HTTP_PORT = 3003
+PROTOCOL = http
+
+[queue]
+TYPE = immediate
+
+[database]
+DB_TYPE = sqlite3
+PATH = /data/forgejo.db
+
+[log]
+MODE = console
+LEVEL = debug
+
+[security]
+INSTALL_LOCK = true
+
+[repository]
+ENABLE_PUSH_CREATE_USER = true
+DEFAULT_PUSH_CREATE_PRIVATE = false
+
+[federation]
+ENABLED = true
+
+[session]
+COOKIE_SECURE = false
diff --git a/federation/scenario-mastodon/forgejo-app/init/create_test_account.sh b/federation/scenario-mastodon/forgejo-app/init/create_test_account.sh
new file mode 100755
index 00000000..33fc4807
--- /dev/null
+++ b/federation/scenario-mastodon/forgejo-app/init/create_test_account.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+sleep 10
+
+/usr/local/bin/forgejo -c /etc/forgejo/app.ini admin user create --username me --password me --email "me@example.com" --admin --must-change-password=false
+/usr/local/bin/forgejo -c /etc/forgejo/app.ini admin user create --username to-be-followd --password to-be-followd --email "to-be-followd@example.com" --admin --must-change-password=false
+/usr/local/bin/forgejo -c /etc/forgejo/app.ini admin user generate-access-token -u me -t token --scopes write:activitypub,write:repository,write:user
diff --git a/federation/scenario-mastodon/forgejo-app/init/init.sh b/federation/scenario-mastodon/forgejo-app/init/init.sh
new file mode 100755
index 00000000..3848fa53
--- /dev/null
+++ b/federation/scenario-mastodon/forgejo-app/init/init.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+sudo update-ca-certificates
+
+sudo mkdir -p /data/forgejo
+sudo chown forgejo:forgejo /data/forgejo
+sudo install -D -o forgejo -g forgejo /config/app.ini /etc/forgejo/app.ini
+
+/usr/local/bin/forgejo -c /etc/forgejo/app.ini
+
diff --git a/federation/scenario-mastodon/forgejo/certs/.gitkeep b/federation/scenario-mastodon/forgejo/certs/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/federation/scenario-mastodon/forgejo/etc/lighttpd.conf b/federation/scenario-mastodon/forgejo/etc/lighttpd.conf
new file mode 100644
index 00000000..325779ad
--- /dev/null
+++ b/federation/scenario-mastodon/forgejo/etc/lighttpd.conf
@@ -0,0 +1,22 @@
+server.document-root = "/var/www"
+
+server.modules = (
+    "mod_openssl",
+    "mod_proxy"
+)
+
+$SERVER["socket"] == ":443" {
+    ssl.engine = "enable"
+    ssl.pemfile = "/usr/local/share/ca-certificates/forgejo-snakeoil.crt"
+    ssl.privkey = "/usr/local/share/ca-certificates/forgejo-snakeoil.key"
+}
+
+proxy.server = (
+    "" => (
+        "forgejo" => (
+            "host" => "host.containers.internal",
+            "port" => 3003,
+        )
+    )
+)
+
diff --git a/federation/scenario-mastodon/forgejo/init/init.sh b/federation/scenario-mastodon/forgejo/init/init.sh
new file mode 100755
index 00000000..6660768d
--- /dev/null
+++ b/federation/scenario-mastodon/forgejo/init/init.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+
+apk add lighttpd
+
+lighttpd -D -f /etc/lighttpd.conf
+
diff --git a/federation/scenario-mastodon/functions.sh b/federation/scenario-mastodon/functions.sh
new file mode 100644
index 00000000..507131cc
--- /dev/null
+++ b/federation/scenario-mastodon/functions.sh
@@ -0,0 +1,32 @@
+function generate_certs() {
+
+    host=${1}
+    cert_location=${2}
+
+    rootCertificate="${cert_location}/custom-snakeoil-rootCA.crt"
+    rootCertKey="${cert_location}/custom-snakeoil-rootCA.key"
+    extensionFile="${cert_location}/${host}-snakeoil.ext"
+    keyFile="${cert_location}/${host}-snakeoil.key"
+    csrFile="${cert_location}/${host}-snakeoil.csr"
+    crtAltSubFile="${cert_location}/${host}-snakeoil.crt"
+
+    cat << EOF > ${extensionFile}
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${host}
+DNS.2 = localhost
+EOF
+
+    # Create CSR
+    openssl req -newkey rsa:2048 -nodes -keyout ${keyFile} \
+        -out ${csrFile} -subj "/CN=${host}" -addext "subjectAltName=DNS:localhost"
+
+    # Sign Our CSR with the root CA cert
+    openssl x509 -req -CA ${rootCertificate} \
+        -CAkey ${rootCertKey} \
+        -in ${csrFile} \
+        -out ${crtAltSubFile} \
+        -days 3650 -CAcreateserial -extfile ${extensionFile}
+}
\ No newline at end of file
diff --git a/federation/scenario-mastodon/mastodon-app/init/create_test_account.sh b/federation/scenario-mastodon/mastodon-app/init/create_test_account.sh
new file mode 100755
index 00000000..283000fb
--- /dev/null
+++ b/federation/scenario-mastodon/mastodon-app/init/create_test_account.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+account_create="$(tootctl accounts create test --email test@localhost --role Owner --confirmed)"
+tootctl account modify test --approve
+
+echo "${account_create}"
+
+password=$(echo "${account_create}" |
+        tail -n 1 |
+        sed 's/New password: //' |
+        sed 's/\r//'
+)
+
+echo "$password"
diff --git a/federation/scenario-mastodon/mastodon-app/init/init.sh b/federation/scenario-mastodon/mastodon-app/init/init.sh
new file mode 100755
index 00000000..731aa55d
--- /dev/null
+++ b/federation/scenario-mastodon/mastodon-app/init/init.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+sudo update-ca-certificates
+sudo touch /opt/mastodon/log/prod.log
+sudo chown mastodon: /opt/mastodon/log/prod.log
+rails db:setup
+bundle exec puma -C config/puma.rb
+#sleep 2h
diff --git a/federation/scenario-mastodon/mastodon-sidekiq/init/init.sh b/federation/scenario-mastodon/mastodon-sidekiq/init/init.sh
new file mode 100755
index 00000000..af9c5190
--- /dev/null
+++ b/federation/scenario-mastodon/mastodon-sidekiq/init/init.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+sudo update-ca-certificates
+sudo touch /opt/mastodon/log/prod.log
+sudo chown mastodon: /opt/mastodon/log/prod.log
+bundle exec sidekiq
+#sleep 2h
diff --git a/federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.crt b/federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.crt
new file mode 100644
index 00000000..91a0d144
--- /dev/null
+++ b/federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAgGgAwIBAgIUU+o53CfULAHTgPuCq/Ua8JRTWLIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQY29kZS5mb3JnZWpvLm9yZzAgFw0yNTEwMjMwODI2NTVa
+GA8yMTI1MDkyOTA4MjY1NVowGzEZMBcGA1UEAwwQY29kZS5mb3JnZWpvLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKJl1YjGLoYK5J7wCbgL7WCZ
+DGznwmp2SxpxJx/9Y6Pldt1QXTp0/VrR/H8iu3bNh13jmupXTKyGHU94MTNHER1T
+/jbGw8LRPWCIYNjpYFZU17glTGs/DOieh7acuuvu+imoamk1oRLVaaHDewz09Tc2
+wkklCH+2ME2TC6mHIqpHOLO//ESEU0Glo+/mVMEcTJf9zdDhSGhZPKhXEaWgrLMo
+EV3r0hpxHCE21OeaRrOKjMtOfp6/v0yKAsJ0QbLHXw1JDauiMWHUxp1H3jIHGgtc
+0ALdiS1fhYi8zX3bkbMfctjREVtbhO0Aqps5pvDjhjTNyTmSQ3dkkU37W7Mz+WkC
+AwEAAaNTMFEwHQYDVR0OBBYEFKXOSikliKVL6VYbbcaOR3k3khKyMB8GA1UdIwQY
+MBaAFKXOSikliKVL6VYbbcaOR3k3khKyMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBADE4RGzIXT3LsLGxqRiuOPrXnOTy6izD0sXraJGPWOTEm0MB
+H+MnV1YmqRiafwCTbKyiTfzF50JX0zwa6NnkK7k7tyht7O2B0/1VfsrIaXGBP05B
+pZMC1bMSaDEu+zvRUDFvNiE5Oxkw0LGy44o36e3SNCEXMCYU3fiTX/5IxfB/a1Bk
++5tNfpK4CKwyk2/pb8ClgBldYGxfp/hyzTVh7y4c5bSRzoawGxq2ipfmJbSBYEme
+vyySFXJI1W9ih8utE2sQKbRS7YrwxSNS9Uj6qwixTlHB5a/MzlFmD630VkmkI1qq
+5VkQxq7dJSTlVHX8qiQqvGoPPIp5ucbBDmyj2A8=
+-----END CERTIFICATE-----
diff --git a/federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.key b/federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.key
new file mode 100644
index 00000000..b4b13057
--- /dev/null
+++ b/federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCiZdWIxi6GCuSe
+8Am4C+1gmQxs58JqdksacScf/WOj5XbdUF06dP1a0fx/Irt2zYdd45rqV0yshh1P
+eDEzRxEdU/42xsPC0T1giGDY6WBWVNe4JUxrPwzonoe2nLrr7vopqGppNaES1Wmh
+w3sM9PU3NsJJJQh/tjBNkwuphyKqRzizv/xEhFNBpaPv5lTBHEyX/c3Q4UhoWTyo
+VxGloKyzKBFd69IacRwhNtTnmkaziozLTn6ev79MigLCdEGyx18NSQ2rojFh1Mad
+R94yBxoLXNAC3YktX4WIvM1925GzH3LY0RFbW4TtAKqbOabw44Y0zck5kkN3ZJFN
++1uzM/lpAgMBAAECggEAAdGmR0j0k/ISyfhYnFJfFAfBN+x0a1wl7rOjDP/Tg7r9
+Ln21yzYTJJcfnu5TaOfLH84KrRwrT6JhhfaYn64PC8PmH/rXDftPsFSOt/DZo2+B
+vaSgGyWcMVqdnNOOep6IXq36rr3krwQra14Rmbbm36AYihh+iuzbB4w0vPvpwDwv
+G9DITTLrIwDRbXReZ13FjqphP5dqT6jG7BnRLe7vyQ7CJwYdUDLkg2YLykwbHvco
+DISS3IoYgF5R7KaGpwH2iFmeHYwXaVH9Y0RyjEvxp87iK8Awvm4yn7hWBx9NsMm2
+of7107TlFBU81JbG09KQZ+mS3S4C9XfQScqBoP66tQKBgQDYS4QhwkYFNusN8z+U
+63IGMxJXMF0bvF1zqjhrfkdX16jDD7v8cMbZAjk80obmRdhFpNiuaCT7dbnXpt7L
+Ppfu6IkcJsAJc32lbWGc56XzfzDnNecvQbCbMnRYI5GDzcTTY+ObgyhJv4SwuD3E
+kdHhxOFPuxlLFey9eg9vC6ADnQKBgQDANX5oEqvVty8gn+cOU3fEiqQ+ZqvcgMcL
+CUQYIAUDvXjZuXTbU0cSzgZnZi3JwtEVwj0u+0eXXlju6AVgKC/yd4aIpQ2f6hXO
+UlODWIqiNq3lVgjatO6zQ2CXuBeV7crX6odNrhkvSwSPNlC2Ra7QZ8Uk0PpX0sTm
+JyuMA/WBPQKBgQCkqulPYj44nhTZrAUN9Sn7+knOQy2/feqPsln9zEe4YqFCz+nI
+SHu6nuzAl27IRQhgDR5BuVvebUQtIAeiKGc3JaWs3vt4topDtUCJWfqHpJ+whuMY
+oSQ5I3Jb38ha1f8xCG0x6ep0KvB0MfAkhPeKsH7wWnrpJSn1HsY9PlZ2KQKBgQCS
+/xZKb6UdEDipocDqkukw1bsgwhLD03TmOtLqBGrxXlFzacM2DW14sznwkBOKj0Sq
+eF+kc6Zf3Fb1d1rNHE73B3RLQre1yiedIBcgh3GW92xszSx+XwuC64+O2Mqo7jBI
+iuOpg/Fc2umEwUxe6dH1Lrd2HaCn09ikD+bc8RYsHQKBgQDXfAiAf3MdzG8+4zgD
+kzfZsUXRUm3ACqrkhlUOzPsh2y5yGO0gxkrUR4ps2+wn0aapwYi+JdbEHpDqI4Ze
+vE3d8ZgLF4ER+uuiayuItMIFa8T0AiH1oJMptUY4kgj1AaG0b3+ZxU/uGXjpciyA
+a7/psxJ+in3AQ005JGir8rx+gA==
+-----END PRIVATE KEY-----
diff --git a/federation/scenario-mastodon/run.sh b/federation/scenario-mastodon/run.sh
new file mode 100644
index 00000000..7e07a1b8
--- /dev/null
+++ b/federation/scenario-mastodon/run.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+source "$DIR/federation_scenario-$scenario-env"
+
+if [[ -z "$password" ]]; then
+    exit 1
+fi
+
+if [[ -z "$port" ]]; then
+    exit 1
+fi
+
+status_code="$(curl -o /dev/null -w '%{http_code}' "http://localhost:$port/")"
+if [[ "$status_code" != "200" ]]; then
+    exit 1
+fi
+
diff --git a/federation/scenario-mastodon/setup.sh b/federation/scenario-mastodon/setup.sh
new file mode 100755
index 00000000..cb9efb98
--- /dev/null
+++ b/federation/scenario-mastodon/setup.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+source "$SCENARIO_DIR/../../lib/lib.sh"
+source "$SCENARIO_DIR/functions.sh"
+
+echo "Setting up Forgejo x Mastodon"
+
+if [[ ! -d "$DIR" ]]; then
+    mkdir -p "$DIR"
+fi
+
+echo "Generating forgejo & mastodon self-signed certificate"
+
+generate_certs forgejo "$SCENARIO_DIR/resources/certs"
+
+mv "$SCENARIO_DIR/resources/certs/forgejo"* "$SCENARIO_DIR/forgejo/certs/"
+
+export MASTODON_HOST="localhost"
+
+podman-compose \
+    -f "$SCENARIO_DIR/compose.yaml" \
+    up -d
+
+function wait_up() {
+    command="$(podman-compose \
+        -f "$SCENARIO_DIR/compose.yaml" \
+        exec mastodon-app \
+        bin/tootctl accounts
+    )"
+
+    first="$(head -n 1 <<< "$command")"
+    [[ "$first" == *"Commands:"* ]] && echo "ready"
+}
+
+retry wait_up
+
+password="$(podman-compose \
+    -f "$SCENARIO_DIR/compose.yaml" \
+    exec mastodon-app \
+    bash -c "/init/create_test_account.sh" | \
+    tail -n 1 | \
+    sed 's/\r//'
+)"
+
+cat << EOF > "$DIR/federation_scenario-mastodon-env"
+password="$password"
+port="4000"
+EOF
diff --git a/federation/scenario-mastodon/teardown.sh b/federation/scenario-mastodon/teardown.sh
new file mode 100644
index 00000000..5e5d35f4
--- /dev/null
+++ b/federation/scenario-mastodon/teardown.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+podman-compose \
+    -f "$SCENARIO_DIR/compose.yaml" \
+    down
+
+rm "$DIR/federation_scenario-mastodon-env"
+

From 45417622c0bf1446b572cde22e70bdf4df290a29 Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Mon, 5 Jan 2026 17:36:57 +0000
Subject: [PATCH 10/34] feat(federation): add scenario-gotosocial setup and
 teardown (#1275)

3/5 taken out of #1269

This patch adds the setup and teardown of GoToSocial for use in the end-to-end tests

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1275
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: famfo <famfo@famfo.xyz>
Co-committed-by: famfo <famfo@famfo.xyz>
---
 federation/federation.sh                   |  1 +
 federation/scenario-gotosocial/.gitignore  |  0
 federation/scenario-gotosocial/run.sh      | 16 ++++++
 federation/scenario-gotosocial/setup.sh    | 58 ++++++++++++++++++++++
 federation/scenario-gotosocial/teardown.sh | 12 +++++
 run.sh                                     | 11 ++++
 6 files changed, 98 insertions(+)
 create mode 100644 federation/scenario-gotosocial/.gitignore
 create mode 100644 federation/scenario-gotosocial/run.sh
 create mode 100644 federation/scenario-gotosocial/setup.sh
 create mode 100644 federation/scenario-gotosocial/teardown.sh
 create mode 100755 run.sh

diff --git a/federation/federation.sh b/federation/federation.sh
index 95682c8c..4d7c09a5 100755
--- a/federation/federation.sh
+++ b/federation/federation.sh
@@ -79,6 +79,7 @@ function test_federation() {
         scenarios=(
             "star 7.1"
             "mastodon 14.0"
+            "gotosocial 14.0"
         )
 
         for scenario_version_str in "${scenarios[@]}"; do
diff --git a/federation/scenario-gotosocial/.gitignore b/federation/scenario-gotosocial/.gitignore
new file mode 100644
index 00000000..e69de29b
diff --git a/federation/scenario-gotosocial/run.sh b/federation/scenario-gotosocial/run.sh
new file mode 100644
index 00000000..9fd57a7b
--- /dev/null
+++ b/federation/scenario-gotosocial/run.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+source "$DIR/federation_scenario-$scenario-env"
+
+if [[ -z "$password" ]]; then
+    exit 1
+fi
+
+if [[ -z "$port" ]]; then
+    exit 1
+fi
+
+status_code="$(curl -o /dev/null -w '%{http_code}' "http://localhost:$port/")"
+if [[ "$status_code" != "200" ]]; then
+    exit 1
+fi
diff --git a/federation/scenario-gotosocial/setup.sh b/federation/scenario-gotosocial/setup.sh
new file mode 100644
index 00000000..13d97057
--- /dev/null
+++ b/federation/scenario-gotosocial/setup.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+source $SCENARIO_DIR/../../lib/lib.sh
+
+GTS_VERSION="0.20.2" # renovate: datasource=docker depName=data.forgejo.org/oci/gotosocial
+
+echo "setting up gotosocial"
+
+tmpdir="$(mktemp --tmpdir -d gts.XXXXXXXXXX)"
+cat << EOF > "$tmpdir/config.yaml"
+host: "localhost:8080"
+protocol: http
+db-type: sqlite
+db-address: /mount/gts.db3
+
+http-client:
+  allow-ips: ["0.0.0.0/0", "::/0"]
+  insecure-outgoing: true
+EOF
+
+podman unshare \
+    chown 1000:1000 -R $tmpdir
+
+container_id="$(
+    podman run \
+        -d \
+        --env "GTS_CONFIG_PATH=/mount/config.yaml" \
+        -v "$tmpdir:/mount" \
+        -p "8080:8080" \
+        --network=host \
+        "data.forgejo.org/oci/gotosocial:$GTS_VERSION" \
+        server start
+)"
+
+function wait_gts_ready() {
+    http_status=$(curl -s -w \
+        "%{http_code}" -o /dev/null \
+        "http://localhost:8080/"
+    )
+
+    [[ "$http_status" == 200 ]] && echo "ready"
+}
+
+retry wait_gts_ready
+
+password="verysecurepassword"
+podman exec -it "$container_id" /gotosocial/gotosocial admin \
+    account create \
+    --username "test" \
+    --email "test@localhost" \
+    --password "$password"
+
+cat << EOF > "$DIR/federation_scenario-gotosocial-env"
+password="$password"
+port="8080"
+container_id="$container_id"
+EOF
+
diff --git a/federation/scenario-gotosocial/teardown.sh b/federation/scenario-gotosocial/teardown.sh
new file mode 100644
index 00000000..6e6d556a
--- /dev/null
+++ b/federation/scenario-gotosocial/teardown.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+source "$DIR/federation_scenario-gotosocial-env"
+
+if [[ -z "$container_id" ]]; then
+    echo "gotosocial container ID not found, container may not be stopped"
+    exit 1
+fi
+
+podman stop "$container_id"
+rm "$DIR/federation_scenario-gotosocial-env"
+
diff --git a/run.sh b/run.sh
new file mode 100755
index 00000000..92a91611
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+podman build -t forgejo-e2e .
+patchelf ../forgejo/forgejo --set-interpreter /lib64/ld-linux-x86-64.so.2
+podman run \
+    -it --privileged \
+    -v ../forgejo/gitea:/srv/forgejo-binaries/forgejo-14.0 \
+    -p 3001-3003:3001-3003 \
+    -p 4000:4000 \
+    -p 8080:8080 \
+    forgejo-e2e

From 0ddc6beceb3b20722256d14fd7103224520b7311 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 10 Jan 2026 15:21:40 +0000
Subject: [PATCH 11/34] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.1.0 (#1402)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [https://data.forgejo.org/actions/setup-forgejo](https://code.forgejo.org/actions/setup-forgejo) | action | minor | `v3.0.7` → `v3.1.0` |

---

### Release Notes

<details>
<summary>actions/setup-forgejo (https://data.forgejo.org/actions/setup-forgejo)</summary>

### [`v3.1.0`](https://code.forgejo.org/actions/setup-forgejo/compare/v3.0.7...v3.1.0)

[Compare Source](https://code.forgejo.org/actions/setup-forgejo/compare/v3.0.7...v3.1.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi43MS4wIiwidXBkYXRlZEluVmVyIjoiNDIuNzEuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1402
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/prepare-end-to-end/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/prepare-end-to-end/action.yml b/.forgejo/prepare-end-to-end/action.yml
index 3c1153c0..cd4b0f37 100644
--- a/.forgejo/prepare-end-to-end/action.yml
+++ b/.forgejo/prepare-end-to-end/action.yml
@@ -15,7 +15,7 @@ runs:
             /usr/local/bin/garage
           key: S3
 
-      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.0.7
+      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.0
         with:
           install-only: true
       - run: forgejo-binary.sh ensure_user forgejo

From 03ee700046df0332c6d6d7d94205836d74b911c0 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sun, 18 Jan 2026 15:20:42 +0000
Subject: [PATCH 12/34] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.1.1 (#1465)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1465
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/prepare-end-to-end/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/prepare-end-to-end/action.yml b/.forgejo/prepare-end-to-end/action.yml
index cd4b0f37..1d41fa79 100644
--- a/.forgejo/prepare-end-to-end/action.yml
+++ b/.forgejo/prepare-end-to-end/action.yml
@@ -15,7 +15,7 @@ runs:
             /usr/local/bin/garage
           key: S3
 
-      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.0
+      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.1
         with:
           install-only: true
       - run: forgejo-binary.sh ensure_user forgejo

From 25c472b90bc1886a5d3c45770eb6196d1b833ccb Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Sun, 18 Jan 2026 20:15:11 +0000
Subject: [PATCH 13/34] test: test cloning of private reusable workflows
 (#1436)

Verify that Forgejo Runner can access a reusable workflow that is stored in a private repository.

That should help prevent https://code.forgejo.org/forgejo/runner/issues/1274 from happening again.

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1436
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 actions/actions.sh                            |  2 +-
 .../.forgejo/workflows/reusable.yaml          | 10 +++++
 .../.forgejo/workflows/test.yaml              | 11 +++++
 actions/example-private-workflow-call/run.sh  | 42 +++++++++++++++++++
 .../example-private-workflow-call/setup.sh    |  1 +
 5 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml
 create mode 100644 actions/example-private-workflow-call/.forgejo/workflows/test.yaml
 create mode 100644 actions/example-private-workflow-call/run.sh
 create mode 100644 actions/example-private-workflow-call/setup.sh

diff --git a/actions/actions.sh b/actions/actions.sh
index 1dc6b14e..f97fd8a5 100755
--- a/actions/actions.sh
+++ b/actions/actions.sh
@@ -143,7 +143,7 @@ function test_actions() {
             done
         fi
 
-        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context; do
+        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context private-workflow-call; do
             run actions_verify_example $example
         done
 
diff --git a/actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml b/actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml
new file mode 100644
index 00000000..48832449
--- /dev/null
+++ b/actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml
@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: "docker"
+    container:
+      image: data.forgejo.org/oci/node:24-trixie
+    steps:
+      - run: echo 'OK'
diff --git a/actions/example-private-workflow-call/.forgejo/workflows/test.yaml b/actions/example-private-workflow-call/.forgejo/workflows/test.yaml
new file mode 100644
index 00000000..9bb279b3
--- /dev/null
+++ b/actions/example-private-workflow-call/.forgejo/workflows/test.yaml
@@ -0,0 +1,11 @@
+on:
+  push:
+
+jobs:
+  test:
+    # `runs-on` disables workflow expansion. We want that in this case, because then Forgejo Runner has to authenticate
+    # itself to access the reusable workflow.
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:24-trixie
+    uses: ./.forgejo/workflows/reusable.yaml
diff --git a/actions/example-private-workflow-call/run.sh b/actions/example-private-workflow-call/run.sh
new file mode 100644
index 00000000..e71dc991
--- /dev/null
+++ b/actions/example-private-workflow-call/run.sh
@@ -0,0 +1,42 @@
+api="$url/api/v1"
+export d=/srv/example/private-workflow-call
+
+function main() {
+    mkdir -p "$d"
+
+    local repo
+    repo="root/example-$example"
+
+    forgejo-test-helper.sh push_workflow "actions/example-$example" "$url" root "example-$example" setup-forgejo "$token"
+
+    # push_workflow creates the repository and triggers a first workflow run. Wait for it to succeed. Ensures that the
+    # workflow is valid.
+    local sha
+    sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$sha"
+
+    # Make the repository private. That is necessary to verify that Forgejo Runner includes the correct credentials when
+    # cloning the workflow.
+    forgejo-curl.sh api_json -X PATCH --data-raw '{"private":true}' "$api/repos/root/example-$example"
+
+    # Create a new commit that triggers a new workflow run that can be identified uniquely.
+    (
+        cd "$d" || exit 1
+        git clone "$url/root/example-$example"
+        cd "example-$example" || exit 1
+         git config user.email root@example.com
+        git config user.name username
+        echo "A new file" > test.txt
+        git add .
+        git commit -m 'Commit a new file'
+        git push
+    )
+
+    # Wait for the workflow pulled from the private repository to succeed.
+    local new_sha
+    new_sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    [[ "$new_sha" != "$sha" ]] || exit 1
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$new_sha"
+}
+
+main
diff --git a/actions/example-private-workflow-call/setup.sh b/actions/example-private-workflow-call/setup.sh
new file mode 100644
index 00000000..fd443948
--- /dev/null
+++ b/actions/example-private-workflow-call/setup.sh
@@ -0,0 +1 @@
+mkdir -p /srv/example/private-workflow-call

From 372409f76b946f9fabed82d6154aa1dc841b8c93 Mon Sep 17 00:00:00 2001
From: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Date: Mon, 19 Jan 2026 01:47:27 +0000
Subject: [PATCH 14/34] test: test offline runner registration (#1449)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1449
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
---
 actions/actions.sh                            |  2 +-
 .../.forgejo/workflows/test.yaml              |  9 +++++
 actions/example-create-runner-file/run.sh     | 40 +++++++++++++++++++
 .../runner-config.yaml                        | 31 ++++++++++++++
 lib/lib.sh                                    | 11 +++++
 5 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 actions/example-create-runner-file/.forgejo/workflows/test.yaml
 create mode 100644 actions/example-create-runner-file/run.sh
 create mode 100644 actions/example-create-runner-file/runner-config.yaml

diff --git a/actions/actions.sh b/actions/actions.sh
index f97fd8a5..9ee52ef0 100755
--- a/actions/actions.sh
+++ b/actions/actions.sh
@@ -143,7 +143,7 @@ function test_actions() {
             done
         fi
 
-        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context private-workflow-call; do
+        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context private-workflow-call create-runner-file; do
             run actions_verify_example $example
         done
 
diff --git a/actions/example-create-runner-file/.forgejo/workflows/test.yaml b/actions/example-create-runner-file/.forgejo/workflows/test.yaml
new file mode 100644
index 00000000..e44397dd
--- /dev/null
+++ b/actions/example-create-runner-file/.forgejo/workflows/test.yaml
@@ -0,0 +1,9 @@
+on:
+  push:
+
+jobs:
+  test:
+    runs-on: create-runner-file
+    steps:
+      - run: |
+          echo "OK"
diff --git a/actions/example-create-runner-file/run.sh b/actions/example-create-runner-file/run.sh
new file mode 100644
index 00000000..637132e5
--- /dev/null
+++ b/actions/example-create-runner-file/run.sh
@@ -0,0 +1,40 @@
+source "lib/lib.sh"
+
+api="$url/api/v1"
+
+function main() {
+    local repo
+    repo="root/example-$example"
+
+    secret="$(openssl rand -hex 20)"
+    runner_name="runner-$(openssl rand -hex 5)"
+
+    create_offline_registration_token "$runner_name" root "$secret"
+
+    # Changing to $DIR is necessary so that `.runner` gets created there. Otherwise, `forgejo-runner` would not pick it up.
+    pushd "$DIR" || exit 1
+    ./forgejo-runner -c "$EXAMPLE_DIR/runner-config.yaml" create-runner-file --instance "http://$IP:3000" --name "$runner_name" --secret "$secret" --connect
+    popd || exit 1
+
+    FORGEJO_RUNNER_CONFIG="$EXAMPLE_DIR/runner-config.yaml" forgejo-runner.sh reload
+
+    label_count=$(jq '.labels | length ' "$DIR/.runner")
+    if [[ "$label_count" != "1" ]] ; then
+      echo "Unexpected number of labels in .runner file: $label_count instead of 1" >&2
+      exit 1
+    fi
+
+    runner_label=$(jq -r '.labels[0]' "$DIR/.runner")
+    if [[ "$runner_label" != "create-runner-file:docker://code.forgejo.org/oci/node:24-trixie" ]] ; then
+      echo "Unexpected runner label: '$runner_label' instead of create-runner-file:docker://code.forgejo.org/oci/node:24-trixie" >&2
+      exit 1
+    fi
+
+    forgejo-test-helper.sh push_workflow "actions/example-$example" "$url" root "example-$example" setup-forgejo "$token"
+
+    local sha
+    sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$sha"
+}
+
+main
diff --git a/actions/example-create-runner-file/runner-config.yaml b/actions/example-create-runner-file/runner-config.yaml
new file mode 100644
index 00000000..7096728f
--- /dev/null
+++ b/actions/example-create-runner-file/runner-config.yaml
@@ -0,0 +1,31 @@
+
+log:
+  level: debug
+
+runner:
+  file: .runner
+  capacity: 1
+  env_file: .env
+  timeout: 3h
+  insecure: false
+  fetch_timeout: 5s
+  fetch_interval: 2s
+  labels:
+    - "create-runner-file:docker://code.forgejo.org/oci/node:24-trixie"
+
+cache:
+  enabled: true
+  dir: "/srv/example/cache"
+  host: ""
+  port: 0
+
+container:
+  network: "bridge"
+  privileged: false
+  options:
+  workdir_parent:
+  valid_volumes: ["/srv/example"]
+  docker_host: ""
+
+host:
+  workdir_parent:
diff --git a/lib/lib.sh b/lib/lib.sh
index 843c9b53..b1e9409f 100644
--- a/lib/lib.sh
+++ b/lib/lib.sh
@@ -415,6 +415,17 @@ EOF
     cp -a $DOT_FORGEJO_CURL $work_path/forgejo-curl
 }
 
+function create_offline_registration_token() {
+  local name="$1"
+  local scope="$2"
+  local secret="$3"
+
+  local work_path
+  work_path="$DIR/$(work_path_base "$config")"
+
+  "$work_path/forgejocli" forgejo-cli actions register --name "$name" --scope "$scope" --secret "$secret"
+}
+
 function stop_daemon() {
     local daemon=$1
 

From e05f0b5bf84d471cf4b8ee1c3c67831815b73252 Mon Sep 17 00:00:00 2001
From: famfo <famfo@famfo.xyz>
Date: Mon, 19 Jan 2026 08:45:35 +0000
Subject: [PATCH 15/34] fix(federation): downgrade GoToSocial (#1448)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1448
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: famfo <famfo@famfo.xyz>
Co-committed-by: famfo <famfo@famfo.xyz>
---
 federation/scenario-gotosocial/setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/federation/scenario-gotosocial/setup.sh b/federation/scenario-gotosocial/setup.sh
index 13d97057..fcf9a432 100644
--- a/federation/scenario-gotosocial/setup.sh
+++ b/federation/scenario-gotosocial/setup.sh
@@ -2,7 +2,7 @@
 
 source $SCENARIO_DIR/../../lib/lib.sh
 
-GTS_VERSION="0.20.2" # renovate: datasource=docker depName=data.forgejo.org/oci/gotosocial
+GTS_VERSION="0.20.0" # renovate: datasource=docker depName=data.forgejo.org/oci/gotosocial
 
 echo "setting up gotosocial"
 

From b3299acd69207c9c0802d14988ff83e4337cba17 Mon Sep 17 00:00:00 2001
From: Mario Minardi <mminardi@shaw.ca>
Date: Thu, 22 Jan 2026 15:22:22 +0000
Subject: [PATCH 16/34] feat: add OIDC workload identity federation tests
 (#1364)

Add end-to-end tests for workload identity federation.

Depends on https://code.forgejo.org/forgejo/runner/pulls/1232
Depends on https://codeberg.org/forgejo/forgejo/pulls/10481

Signed-off-by: Mario Minardi <mminardi@shaw.ca>

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1364
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Mario Minardi <mminardi@shaw.ca>
Co-committed-by: Mario Minardi <mminardi@shaw.ca>
---
 actions/actions.sh                            |  1 +
 .../.forgejo/workflows/test.yml               | 78 +++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 actions/example-id-tokens/.forgejo/workflows/test.yml

diff --git a/actions/actions.sh b/actions/actions.sh
index 9ee52ef0..0b200824 100755
--- a/actions/actions.sh
+++ b/actions/actions.sh
@@ -183,6 +183,7 @@ function test_actions() {
 
         if dpkg --compare-versions $version ge 15.0; then
             run actions_verify_example workflow-call-expansion
+            run actions_verify_example id-tokens
         fi
     done
 }
diff --git a/actions/example-id-tokens/.forgejo/workflows/test.yml b/actions/example-id-tokens/.forgejo/workflows/test.yml
new file mode 100644
index 00000000..31c49156
--- /dev/null
+++ b/actions/example-id-tokens/.forgejo/workflows/test.yml
@@ -0,0 +1,78 @@
+on: [push]
+
+env:
+    JWT_CLI_VERSION: 6.2.0 # renovate: datasource=github-releases depName=jwt-cli packageName=mike-engel/jwt-cli
+
+jobs:
+    generation-allowed:
+        enable-openid-connect: true
+        runs-on: docker
+        container:
+            image: data.forgejo.org/oci/ci:1
+        steps:
+            - run: curl -L -o jwt-linux.tar.gz https://github.com/mike-engel/jwt-cli/releases/download/${{ env.JWT_CLI_VERSION }}/jwt-linux-musl.tar.gz && tar -xvzf ./jwt-linux.tar.gz && chmod a+x ./jwt
+            - name: validate token generation works
+              run: |
+                  RAW_JWT=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | jq -r ".value")
+                  if [[ -z "RAW_JWT" ]]; then
+                    echo "Error: RAW_JWT should be set"
+                    exit 1
+                  fi
+
+                  DECODED_JWT_BODY=$(echo $RAW_JWT | jq -R 'split(".") | .[1] | @base64d | fromjson')
+                  if [[ -z "$DECODED_JWT_BODY" ]]; then
+                    echo "Error: DECODED_JWT_BODY should be set"
+                    exit 1
+                  fi
+
+                  ISS=$(echo $DECODED_JWT_BODY | jq -r '.iss')
+                  if [[ -z "$ISS" ]]; then
+                    echo "Error: ISS should be set"
+                    exit 1
+                  fi
+
+                  curl "$ISS/.well-known/keys" > jwks.json
+                  JWKS=$(cat ./jwks.json)
+                  if [[ -z "$JWKS" ]]; then
+                    echo "Error: JWKS should be set"
+                    exit 1
+                  fi
+
+                  # Verify that the JWT decodes with the JWKS data
+                  ./jwt decode -S @./jwks.json -A RS256 $RAW_JWT || (echo "Error: failed signature validation" && exit 1)
+
+                  WORKFLOW=$(echo $DECODED_JWT_BODY | jq -r '.workflow')
+                  AUD=$(echo $DECODED_JWT_BODY | jq -r '.aud')
+                  EVENT_NAME=$(echo $DECODED_JWT_BODY | jq -r '.event_name')
+                  SUB=$(echo $DECODED_JWT_BODY | jq -r '.sub')
+                  if [[ "$WORKFLOW" != "test.yml" ]]; then
+                    echo "Error: WORKFLOW should be test.yml but is $WORKFLOW"
+                    exit 1
+                  fi
+                  if [[ "$AUD" != "exampleAudience" ]]; then
+                    echo "Error: AUD should be exampleAudience but is $AUD"
+                    exit 1
+                  fi
+                  if [[ "$EVENT_NAME" != "push" ]]; then
+                    echo "Error: EVENT_NAME should be push but is $EVENT_NAME"
+                    exit 1
+                  fi
+                  if [[ "$SUB" != "repo:root/example-id-tokens:ref:refs/heads/main" ]]; then
+                    echo "Error: SUB should be repo:root/example-id-tokens:ref:refs/heads/main but is $SUB"
+                    exit 1
+                  fi
+
+    generation-not-allowed:
+        enable-openid-connect: false
+        runs-on: docker
+        steps:
+            - name: check variables are unset
+              run: |
+                  if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]]; then
+                    echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
+                    exit 1
+                  fi
+                  if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]]; then
+                    echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
+                    exit 1
+                  fi

From 47a8f5147b333c91edcd6ab491c0a646669b2502 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 23 Jan 2026 09:08:34 +0000
Subject: [PATCH 17/34] Replace code.forgejo.org/federation/mastodon Docker tag
 with data.forgejo.org/federation/mastodon v4.5-test (#1489)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1489
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 federation/scenario-mastodon/compose.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/federation/scenario-mastodon/compose.yaml b/federation/scenario-mastodon/compose.yaml
index 0a39c17e..47f242e3 100644
--- a/federation/scenario-mastodon/compose.yaml
+++ b/federation/scenario-mastodon/compose.yaml
@@ -56,7 +56,7 @@ services:
 
     mastodon-app:
         # built from https://code.forgejo.org/federation/build-mastodon/src/branch/main/mastodon-containerfile
-        image: code.forgejo.org/federation/mastodon:v4.5-test
+        image: data.forgejo.org/federation/mastodon:v4.5-test
         volumes:
             - ./resources/certs:/usr/local/share/ca-certificates/
             - ./mastodon-app/init/:/init/
@@ -84,7 +84,7 @@ services:
 
     mastodon-sidekiq:
         # built from https://code.forgejo.org/federation/build-mastodon/src/branch/main/mastodon-containerfile
-        image: code.forgejo.org/federation/mastodon:v4.5-test
+        image: data.forgejo.org/federation/mastodon:v4.5-test
         volumes:
             - ./resources/certs:/usr/local/share/ca-certificates/
             - ./mastodon-sidekiq/init/:/init/

From 6821a5adb5d5b31cea9b6b2424b7fb7922f87ae2 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 24 Jan 2026 02:43:17 +0000
Subject: [PATCH 18/34] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.1.2 (#1505)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [https://data.forgejo.org/actions/setup-forgejo](https://code.forgejo.org/actions/setup-forgejo) | action | patch | `v3.1.1` → `v3.1.2` |

---

### Release Notes

<details>
<summary>actions/setup-forgejo (https://data.forgejo.org/actions/setup-forgejo)</summary>

### [`v3.1.2`](https://code.forgejo.org/actions/setup-forgejo/releases/tag/v3.1.2)

[Compare Source](https://code.forgejo.org/actions/setup-forgejo/compare/v3.1.1...v3.1.2)

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/actions/setup-forgejo-->

- other
  - [PR](https://code.forgejo.org/actions/setup-forgejo/pulls/852): <!--number 852 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9ydW5uZXIgdG8gdjEyLjYuMQ==-->Update dependency forgejo/runner to v12.6.1<!--description-->
  - [PR](https://code.forgejo.org/actions/setup-forgejo/pulls/846): <!--number 846 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9ydW5uZXIgdG8gdjEyLjYuMA==-->Update dependency forgejo/runner to v12.6.0<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi44NS4zIiwidXBkYXRlZEluVmVyIjoiNDIuODUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1505
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/prepare-end-to-end/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/prepare-end-to-end/action.yml b/.forgejo/prepare-end-to-end/action.yml
index 1d41fa79..fab4de3c 100644
--- a/.forgejo/prepare-end-to-end/action.yml
+++ b/.forgejo/prepare-end-to-end/action.yml
@@ -15,7 +15,7 @@ runs:
             /usr/local/bin/garage
           key: S3
 
-      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.1
+      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.2
         with:
           install-only: true
       - run: forgejo-binary.sh ensure_user forgejo

From 736c1dd909ed99ddbe056656589f1830bfde3abc Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 26 Jan 2026 04:02:25 +0000
Subject: [PATCH 19/34] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.1.3 (#1515)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [https://data.forgejo.org/actions/setup-forgejo](https://code.forgejo.org/actions/setup-forgejo) | action | patch | `v3.1.2` → `v3.1.3` |

---

### Release Notes

<details>
<summary>actions/setup-forgejo (https://data.forgejo.org/actions/setup-forgejo)</summary>

### [`v3.1.3`](https://code.forgejo.org/actions/setup-forgejo/releases/tag/v3.1.3)

[Compare Source](https://code.forgejo.org/actions/setup-forgejo/compare/v3.1.2...v3.1.3)

<!--start release-notes-assistant-->

<!--URL:https://code.forgejo.org/actions/setup-forgejo-->

- other
  - [PR](https://code.forgejo.org/actions/setup-forgejo/pulls/860): <!--number 860 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9ydW5uZXIgdG8gdjEyLjYuMg==-->Update dependency forgejo/runner to v12.6.2<!--description-->

<!--end release-notes-assistant-->

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi40IiwidXBkYXRlZEluVmVyIjoiNDIuOTIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1515
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/prepare-end-to-end/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/prepare-end-to-end/action.yml b/.forgejo/prepare-end-to-end/action.yml
index fab4de3c..a26695dd 100644
--- a/.forgejo/prepare-end-to-end/action.yml
+++ b/.forgejo/prepare-end-to-end/action.yml
@@ -15,7 +15,7 @@ runs:
             /usr/local/bin/garage
           key: S3
 
-      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.2
+      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.3
         with:
           install-only: true
       - run: forgejo-binary.sh ensure_user forgejo

From 390c68f447e2d494de18332f106afb836b391856 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 26 Jan 2026 21:17:01 +0000
Subject: [PATCH 20/34] Replace code.forgejo.org/oci/python Docker tag with
 data.forgejo.org/oci/python slim (#1497)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| code.forgejo.org/oci/python → data.forgejo.org/oci/python | container | replacement | `slim` → `slim` |

This is a special PR that replaces `code.forgejo.org/oci/python` with the community suggested minimal stable replacement version.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi44NS4zIiwidXBkYXRlZEluVmVyIjoiNDIuODUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1497
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 actions/example-shell/.forgejo/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actions/example-shell/.forgejo/workflows/test.yml b/actions/example-shell/.forgejo/workflows/test.yml
index cede5140..71f098ab 100644
--- a/actions/example-shell/.forgejo/workflows/test.yml
+++ b/actions/example-shell/.forgejo/workflows/test.yml
@@ -47,7 +47,7 @@ jobs:
     needs: [alpine]
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/python:slim
+      image: data.forgejo.org/oci/python:slim
     steps:
       - name: python => python {0}
         shell: python

From d4dfeef16a87a5a46c0f68ec38585663b1d8831a Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 26 Jan 2026 21:43:39 +0000
Subject: [PATCH 21/34] Replace code.forgejo.org/oci/postgres Docker tag with
 data.forgejo.org/oci/postgres (#1496)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [code.forgejo.org/oci/postgres](https://hub.docker.com/_/postgres) ([source](https://github.com/docker-library/postgres)) → [data.forgejo.org/oci/postgres](https://hub.docker.com/_/postgres) | service | replacement | `15` → `15` |
| [code.forgejo.org/oci/postgres](https://hub.docker.com/_/postgres) ([source](https://github.com/docker-library/postgres)) → [data.forgejo.org/oci/postgres](https://hub.docker.com/_/postgres) |  | replacement | `14` → `14` |

This is a special PR that replaces `code.forgejo.org/oci/postgres` with the community suggested minimal stable replacement version.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi44NS4zIiwidXBkYXRlZEluVmVyIjoiNDIuODUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1496
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 actions/example-service/.forgejo/workflows/test.yml | 4 ++--
 federation/scenario-mastodon/compose.yaml           | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/actions/example-service/.forgejo/workflows/test.yml b/actions/example-service/.forgejo/workflows/test.yml
index 1eeb3ec5..aa39890c 100644
--- a/actions/example-service/.forgejo/workflows/test.yml
+++ b/actions/example-service/.forgejo/workflows/test.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: docker
     services:
       pgsql:
-        image: code.forgejo.org/oci/postgres:15
+        image: data.forgejo.org/oci/postgres:15
         env:
           POSTGRES_DB: test
           POSTGRES_PASSWORD: postgres
@@ -27,7 +27,7 @@ jobs:
 
     services:
       pgsql:
-        image: code.forgejo.org/oci/postgres:15
+        image: data.forgejo.org/oci/postgres:15
         env:
           POSTGRES_DB: test
           POSTGRES_PASSWORD: postgres
diff --git a/federation/scenario-mastodon/compose.yaml b/federation/scenario-mastodon/compose.yaml
index 47f242e3..54d937ce 100644
--- a/federation/scenario-mastodon/compose.yaml
+++ b/federation/scenario-mastodon/compose.yaml
@@ -36,7 +36,7 @@ services:
             - internal_network
 
     postgres:
-        image: code.forgejo.org/oci/postgres:14
+        image: data.forgejo.org/oci/postgres:14
         tmpfs:
             - /var/lib/postgresql/data
         environment:

From cd91235a8652dd70302a0b6c7d64dabc3755e02c Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 26 Jan 2026 21:44:02 +0000
Subject: [PATCH 22/34] Replace code.forgejo.org/oci/docker Docker tag with
 data.forgejo.org/oci/docker (#1494)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [code.forgejo.org/oci/docker](https://hub.docker.com/_/docker) ([source](https://github.com/docker-library/docker)) → [data.forgejo.org/oci/docker](https://hub.docker.com/_/docker) | container | replacement | `28-cli` → `28-cli` |

This is a special PR that replaces `code.forgejo.org/oci/docker` with the community suggested minimal stable replacement version.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi44NS4zIiwidXBkYXRlZEluVmVyIjoiNDIuODUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1494
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 actions/example-with-docker-host/.forgejo/workflows/test.yml   | 2 +-
 actions/example-with-docker-socket/.forgejo/workflows/test.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/actions/example-with-docker-host/.forgejo/workflows/test.yml b/actions/example-with-docker-host/.forgejo/workflows/test.yml
index 277114e6..454a10da 100644
--- a/actions/example-with-docker-host/.forgejo/workflows/test.yml
+++ b/actions/example-with-docker-host/.forgejo/workflows/test.yml
@@ -4,7 +4,7 @@ jobs:
   build:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/docker:28-cli
+      image: data.forgejo.org/oci/docker:28-cli
     steps:
       - run: ls -l /var/run/docker.sock
       - run: docker ps
diff --git a/actions/example-with-docker-socket/.forgejo/workflows/test.yml b/actions/example-with-docker-socket/.forgejo/workflows/test.yml
index 277114e6..454a10da 100644
--- a/actions/example-with-docker-socket/.forgejo/workflows/test.yml
+++ b/actions/example-with-docker-socket/.forgejo/workflows/test.yml
@@ -4,7 +4,7 @@ jobs:
   build:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/docker:28-cli
+      image: data.forgejo.org/oci/docker:28-cli
     steps:
       - run: ls -l /var/run/docker.sock
       - run: docker ps

From ed965a3179b863499fcd7cdf635370c0ba9d4e16 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 26 Jan 2026 21:44:43 +0000
Subject: [PATCH 23/34] Replace code.forgejo.org/oci/debian Docker tag with
 data.forgejo.org/oci/debian trixie (#1493)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| code.forgejo.org/oci/debian → data.forgejo.org/oci/debian | container | replacement | `trixie` → `trixie` |
| code.forgejo.org/oci/debian → data.forgejo.org/oci/debian | service | replacement | `trixie` → `trixie` |

This is a special PR that replaces `code.forgejo.org/oci/debian` with the community suggested minimal stable replacement version.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi44NS4zIiwidXBkYXRlZEluVmVyIjoiNDIuODUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1493
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 actions/example-cron/.forgejo/workflows/test.yml          | 2 +-
 .../example-post-7-0-schedule/.forgejo/workflows/test.yml | 2 +-
 .../.forgejo/workflows/schedule_continue.yml              | 2 +-
 actions/example-service/.forgejo/workflows/test.yml       | 8 ++++----
 .../example-workflow-dispatch/.forgejo/workflows/test.yml | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/actions/example-cron/.forgejo/workflows/test.yml b/actions/example-cron/.forgejo/workflows/test.yml
index 8b23779a..58ae70a6 100644
--- a/actions/example-cron/.forgejo/workflows/test.yml
+++ b/actions/example-cron/.forgejo/workflows/test.yml
@@ -6,7 +6,7 @@ jobs:
   test:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example:/srv/example"
 
     steps:
diff --git a/actions/example-post-7-0-schedule/.forgejo/workflows/test.yml b/actions/example-post-7-0-schedule/.forgejo/workflows/test.yml
index 202382dc..94eb4961 100644
--- a/actions/example-post-7-0-schedule/.forgejo/workflows/test.yml
+++ b/actions/example-post-7-0-schedule/.forgejo/workflows/test.yml
@@ -6,7 +6,7 @@ jobs:
   test:
     runs-on: ${{ vars.TEST_SCHEDULE_RUNSON }}
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example:/srv/example"
 
     steps:
diff --git a/actions/example-schedule-noncancel/.forgejo/workflows/schedule_continue.yml b/actions/example-schedule-noncancel/.forgejo/workflows/schedule_continue.yml
index 76ee59b8..7cc5bdb3 100644
--- a/actions/example-schedule-noncancel/.forgejo/workflows/schedule_continue.yml
+++ b/actions/example-schedule-noncancel/.forgejo/workflows/schedule_continue.yml
@@ -5,7 +5,7 @@ jobs:
   test:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       volumes:
         - /srv/example:/srv/example
     steps:
diff --git a/actions/example-service/.forgejo/workflows/test.yml b/actions/example-service/.forgejo/workflows/test.yml
index aa39890c..11132c96 100644
--- a/actions/example-service/.forgejo/workflows/test.yml
+++ b/actions/example-service/.forgejo/workflows/test.yml
@@ -23,7 +23,7 @@ jobs:
   simple:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
 
     services:
       pgsql:
@@ -43,7 +43,7 @@ jobs:
     needs: [simple]
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid --volume /srv/example-service-volume-invalid:/srv/example-service-volume-invalid"
 
     steps:
@@ -58,12 +58,12 @@ jobs:
     needs: [volume-on-step]
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid"
 
     services:
       myservice:
-        image: code.forgejo.org/oci/debian:trixie
+        image: data.forgejo.org/oci/debian:trixie
         options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid"
         cmd: ["bash", "-c", "echo -n SUCCESS > /srv/example-service-volume-valid ; sleep infinity"]
 
diff --git a/actions/example-workflow-dispatch/.forgejo/workflows/test.yml b/actions/example-workflow-dispatch/.forgejo/workflows/test.yml
index 766b21d8..3839f7b5 100644
--- a/actions/example-workflow-dispatch/.forgejo/workflows/test.yml
+++ b/actions/example-workflow-dispatch/.forgejo/workflows/test.yml
@@ -44,7 +44,7 @@ jobs:
   test:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example:/srv/example"
 
     steps:

From 5cbe4d73dd9155f9d7226dacb5336b5748320357 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Mon, 26 Jan 2026 21:46:01 +0000
Subject: [PATCH 24/34] Replace alpine packages with
 data.forgejo.org/oci/alpine latest (#1490)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| code.forgejo.org/oci/alpine → data.forgejo.org/oci/alpine | container | replacement | `latest` → `latest` |
| [code.forgejo.org/oci/alpine](https://hub.docker.com/_/alpine) ([source](https://github.com/alpinelinux/docker-alpine)) → [data.forgejo.org/oci/alpine](https://hub.docker.com/_/alpine) | container | replacement | `3.21` → `3.21` |
| code.forgejo.org/oci/alpine → data.forgejo.org/oci/alpine |  | replacement | `latest` → `latest` |

This is a special PR that replaces `code.forgejo.org/oci/alpine` with the community suggested minimal stable replacement version.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi44NS4zIiwidXBkYXRlZEluVmVyIjoiNDIuODUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1490
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 actions/example-container/.forgejo/workflows/test.yml | 2 +-
 actions/example-shell/.forgejo/workflows/test.yml     | 2 +-
 federation/scenario-mastodon/compose.yaml             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/actions/example-container/.forgejo/workflows/test.yml b/actions/example-container/.forgejo/workflows/test.yml
index ded75cd8..aad6cb73 100644
--- a/actions/example-container/.forgejo/workflows/test.yml
+++ b/actions/example-container/.forgejo/workflows/test.yml
@@ -3,6 +3,6 @@ jobs:
   test:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/alpine:3.21
+      image: data.forgejo.org/oci/alpine:3.21
     steps:
       - run: grep Alpine /etc/os-release
diff --git a/actions/example-shell/.forgejo/workflows/test.yml b/actions/example-shell/.forgejo/workflows/test.yml
index 71f098ab..5dad0b6e 100644
--- a/actions/example-shell/.forgejo/workflows/test.yml
+++ b/actions/example-shell/.forgejo/workflows/test.yml
@@ -25,7 +25,7 @@ jobs:
     needs: [sh-fallback]
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/alpine:latest
+      image: data.forgejo.org/oci/alpine:latest
     steps:
       - name: default is bash but with a fallback to sh in case it does not exist
         run: |
diff --git a/federation/scenario-mastodon/compose.yaml b/federation/scenario-mastodon/compose.yaml
index 54d937ce..fbd7c20d 100644
--- a/federation/scenario-mastodon/compose.yaml
+++ b/federation/scenario-mastodon/compose.yaml
@@ -5,7 +5,7 @@ networks:
 
 services:
     forgejo:
-        image: code.forgejo.org/oci/alpine:latest
+        image: data.forgejo.org/oci/alpine:latest
         volumes:
             - ./forgejo/certs/:/usr/local/share/ca-certificates/
             - ./forgejo/init/:/init/

From d50ffce2a0010b271d20b9654693d709fd895df2 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Tue, 27 Jan 2026 03:04:58 +0000
Subject: [PATCH 25/34] Update data.forgejo.org/oci/alpine Docker tag to v3.23
 (#1518)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [data.forgejo.org/oci/alpine](https://hub.docker.com/_/alpine) ([source](https://github.com/alpinelinux/docker-alpine)) | container | minor | `3.21` → `3.23` |

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi40IiwidXBkYXRlZEluVmVyIjoiNDIuOTIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1518
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 actions/example-container/.forgejo/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actions/example-container/.forgejo/workflows/test.yml b/actions/example-container/.forgejo/workflows/test.yml
index aad6cb73..ecf04290 100644
--- a/actions/example-container/.forgejo/workflows/test.yml
+++ b/actions/example-container/.forgejo/workflows/test.yml
@@ -3,6 +3,6 @@ jobs:
   test:
     runs-on: docker
     container:
-      image: data.forgejo.org/oci/alpine:3.21
+      image: data.forgejo.org/oci/alpine:3.23
     steps:
       - run: grep Alpine /etc/os-release

From de9eafb57450f198004619fbce1df815b5f04be0 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 30 Jan 2026 05:55:18 +0000
Subject: [PATCH 26/34] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.1.4 (#1536)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1536
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/prepare-end-to-end/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/prepare-end-to-end/action.yml b/.forgejo/prepare-end-to-end/action.yml
index a26695dd..bdb69f96 100644
--- a/.forgejo/prepare-end-to-end/action.yml
+++ b/.forgejo/prepare-end-to-end/action.yml
@@ -15,7 +15,7 @@ runs:
             /usr/local/bin/garage
           key: S3
 
-      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.3
+      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.4
         with:
           install-only: true
       - run: forgejo-binary.sh ensure_user forgejo

From 35a7a26227acecca7e686720a4b31c9eaa298cf7 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 30 Jan 2026 05:55:37 +0000
Subject: [PATCH 27/34] Replace code.forgejo.org/oci/redis Docker tag with
 data.forgejo.org/oci/redis 7.2 (#1498)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1498
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 federation/scenario-mastodon/compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/federation/scenario-mastodon/compose.yaml b/federation/scenario-mastodon/compose.yaml
index fbd7c20d..655585be 100644
--- a/federation/scenario-mastodon/compose.yaml
+++ b/federation/scenario-mastodon/compose.yaml
@@ -48,7 +48,7 @@ services:
             - internal_network
 
     redis:
-        image: code.forgejo.org/oci/redis:7.2
+        image: data.forgejo.org/oci/redis:7.2
         tmpfs:
             - /var/lib/redis/
         networks:

From be5b4438faf65a7bb650af083b5cf5c11eec4a0b Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 30 Jan 2026 05:55:51 +0000
Subject: [PATCH 28/34] Replace code.forgejo.org/federation/debian Docker tag
 with data.forgejo.org/federation/debian trixie-cacerts (#1495)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1495
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 federation/scenario-mastodon/compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/federation/scenario-mastodon/compose.yaml b/federation/scenario-mastodon/compose.yaml
index 655585be..ea7c28a6 100644
--- a/federation/scenario-mastodon/compose.yaml
+++ b/federation/scenario-mastodon/compose.yaml
@@ -20,7 +20,7 @@ services:
         profiles:
             - forgejo_container
         # built from https://code.forgejo.org/federation/build-mastodon/src/branch/main/debian-containerfile
-        image: code.forgejo.org/federation/debian:trixie-cacerts
+        image: data.forgejo.org/federation/debian:trixie-cacerts
         tmpfs:
             - /data
         volumes:

From 83c2cbcfad793688c0f4df496f8494a987c58b4b Mon Sep 17 00:00:00 2001
From: viceice <michael.kriese@gmx.de>
Date: Thu, 19 Feb 2026 10:57:55 +0000
Subject: [PATCH 29/34] chore(renovate): separate test actions (#1595)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1595
Co-authored-by: viceice <michael.kriese@gmx.de>
Co-committed-by: viceice <michael.kriese@gmx.de>
---
 renovate.json | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/renovate.json b/renovate.json
index cd7ea572..17dfc86a 100644
--- a/renovate.json
+++ b/renovate.json
@@ -2,5 +2,13 @@
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
     "extends": [
         "local>forgejo/renovate-config"
+    ],
+    "packagesRules": [
+        {
+            "description": "Separate test actions",
+            "matchFileNames": ["actions/**"],
+            "additionalBranchPrefix": "actions",
+            "commitMessageTopic": "{{depName}} (test actions)"
+        }
     ]
 }

From ea59d6dbabb5e0cc0bffd05fdccfb2c417a9debc Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 19 Feb 2026 10:58:31 +0000
Subject: [PATCH 30/34] Update https://data.forgejo.org/actions/setup-forgejo
 action to v3.1.6 (#1591)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1591
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/prepare-end-to-end/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/prepare-end-to-end/action.yml b/.forgejo/prepare-end-to-end/action.yml
index bdb69f96..8ae5cdd8 100644
--- a/.forgejo/prepare-end-to-end/action.yml
+++ b/.forgejo/prepare-end-to-end/action.yml
@@ -15,7 +15,7 @@ runs:
             /usr/local/bin/garage
           key: S3
 
-      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.4
+      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.6
         with:
           install-only: true
       - run: forgejo-binary.sh ensure_user forgejo

From 68e5105bfefa98f688f1bc7424fa4cd812d8b3f3 Mon Sep 17 00:00:00 2001
From: viceice <michael.kriese@gmx.de>
Date: Thu, 19 Feb 2026 11:00:40 +0000
Subject: [PATCH 31/34] chore(renovate): typo

---
 renovate.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/renovate.json b/renovate.json
index 17dfc86a..6b4cadc2 100644
--- a/renovate.json
+++ b/renovate.json
@@ -3,7 +3,7 @@
     "extends": [
         "local>forgejo/renovate-config"
     ],
-    "packagesRules": [
+    "packageRules": [
         {
             "description": "Separate test actions",
             "matchFileNames": ["actions/**"],

From 1b43342fa00eb0a56267b0d086622655cce4fa80 Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Thu, 19 Feb 2026 14:26:22 +0000
Subject: [PATCH 32/34] Update dependency go to v1.25 (#1597)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1597
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/workflows/end-to-end.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/end-to-end.yml b/.forgejo/workflows/end-to-end.yml
index 3921e400..3d7c59a6 100644
--- a/.forgejo/workflows/end-to-end.yml
+++ b/.forgejo/workflows/end-to-end.yml
@@ -23,7 +23,7 @@ jobs:
       - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: https://data.forgejo.org/actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version: "1.25"
       - name: lib/build.sh
         id: build
         run: |

From d0470cb8eab4f2d941fa38bbd53a3f0c793ee88e Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Fri, 20 Feb 2026 11:53:05 +0000
Subject: [PATCH 33/34] Update Node.js to v24 (#1594)

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1594
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/workflows/end-to-end.yml | 2 +-
 Dockerfile                        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.forgejo/workflows/end-to-end.yml b/.forgejo/workflows/end-to-end.yml
index 3d7c59a6..d5d877f6 100644
--- a/.forgejo/workflows/end-to-end.yml
+++ b/.forgejo/workflows/end-to-end.yml
@@ -15,7 +15,7 @@ jobs:
   build:
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:24-bookworm'
     outputs:
       built: "${{ steps.build.outputs.built }}"
       forgejo_versions_json: "${{ steps.build.outputs.forgejo_versions_json }}"
diff --git a/Dockerfile b/Dockerfile
index 781aa497..e31cb6d8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM data.forgejo.org/oci/node:22-trixie
+FROM data.forgejo.org/oci/node:24-trixie
 
 ENV PATH=$PATH:/setup-forgejo
 ENV _CONTAINERS_USERNS_CONFIGURED=""

From 10e19db36615ca7eba19923f7998b35bec6cffdb Mon Sep 17 00:00:00 2001
From: Renovate Bot <bot@kriese.eu>
Date: Sat, 21 Feb 2026 02:15:00 +0000
Subject: [PATCH 34/34] Replace Node.js with data.forgejo.org/oci/node
 24-trixie (#1604)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [data.forgejo.org/oci/node](https://hub.docker.com/_/node) ([source](https://github.com/nodejs/docker-node)) | container | replacement | `24-bookworm` → `24-trixie` |

This is a special PR that replaces `data.forgejo.org/oci/node` with the community suggested minimal stable replacement version.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0My41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1604
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
---
 .forgejo/workflows/end-to-end.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.forgejo/workflows/end-to-end.yml b/.forgejo/workflows/end-to-end.yml
index d5d877f6..eab71f76 100644
--- a/.forgejo/workflows/end-to-end.yml
+++ b/.forgejo/workflows/end-to-end.yml
@@ -15,7 +15,7 @@ jobs:
   build:
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:24-bookworm'
+      image: 'data.forgejo.org/oci/node:24-trixie'
     outputs:
       built: "${{ steps.build.outputs.built }}"
       forgejo_versions_json: "${{ steps.build.outputs.forgejo_versions_json }}"