Replace Node.js with data.forgejo.org/oci/node 24-trixie (#1604)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [data.forgejo.org/oci/node](https://hub.docker.com/_/node) ([source](https://github.com/nodejs/docker-node)) | container | replacement | `24-bookworm` → `24-trixie` |

This is a special PR that replaces `data.forgejo.org/oci/node` with the community suggested minimal stable replacement version.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0My41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Reviewed-on: https://code.forgejo.org/forgejo/end-to-end/pulls/1604
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>

.forgejo/prepare-end-to-end/action.yml

@@ -15,7 +15,7 @@ runs:
             /usr/local/bin/garage
           key: S3
 
-      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.0.6
+      - uses: https://data.forgejo.org/actions/setup-forgejo@v3.1.6
         with:
           install-only: true
       - run: forgejo-binary.sh ensure_user forgejo

.forgejo/workflows/end-to-end.yml

@@ -15,14 +15,15 @@ jobs:
   build:
     runs-on: docker
     container:
-      image: 'data.forgejo.org/oci/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:24-trixie'
     outputs:
       built: "${{ steps.build.outputs.built }}"
+      forgejo_versions_json: "${{ steps.build.outputs.forgejo_versions_json }}"
     steps:
       - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: https://data.forgejo.org/actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version: "1.25"
       - name: lib/build.sh
         id: build
         run: |
@@ -31,6 +32,8 @@ jobs:
 
           if ! test -f forgejo/build-from-sources; then
              echo forgejo/build-from-sources is not present, do not build any version from source
+             source lib/lib.sh
+             echo "forgejo_versions_json=$(node -p "JSON.stringify(process.argv[1].split(' '))" "$RELEASE_NUMBERS")" >> $FORGEJO_OUTPUT
              echo "built=no" >> $FORGEJO_OUTPUT
              exit 0
           fi
@@ -52,6 +55,7 @@ jobs:
             mv $forgejo /tmp/forgejo-upload/forgejo-$version
           done
 
+          echo "forgejo_versions_json=$(node -p "JSON.stringify(process.argv[1].split(' '))" "$(cat forgejo/build-from-sources)")" >> $FORGEJO_OUTPUT
           echo "built=yes" >> $FORGEJO_OUTPUT
 
       - name: steps context dump for debug
@@ -70,12 +74,15 @@ jobs:
   packages:
     needs: [build]
     runs-on: lxc-trixie
+    strategy:
+      matrix:
+        forgejo_version: ${{ fromJSON(needs.build.outputs.forgejo_versions_json) }}
     steps:
       - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/prepare-end-to-end
         with:
             built: ${{ needs.build.outputs.built }}
-      - run: su forgejo -c "./end-to-end.sh test_packages"
+      - run: su forgejo -c "./end-to-end.sh test_packages ${{ matrix.forgejo_version }}"
       - if: ${{ needs.build.outputs.built == 'yes' }}
         uses: ./.forgejo/upload-coverage
         with:
@@ -87,13 +94,16 @@ jobs:
   actions:
     needs: [build]
     runs-on: lxc-trixie
+    strategy:
+      matrix:
+        forgejo_version: ${{ fromJSON(needs.build.outputs.forgejo_versions_json) }}
     steps:
       - uses: https://data.forgejo.org/actions/checkout@v4
       - uses: ./.forgejo/prepare-end-to-end
         with:
             built: ${{ needs.build.outputs.built }}
       - run: ./end-to-end.sh prepare_dockerd
-      - run: su forgejo -c "./end-to-end.sh test_actions"
+      - run: su forgejo -c "./end-to-end.sh test_actions ${{ matrix.forgejo_version }}"
       - if: ${{ needs.build.outputs.built == 'yes' }}
         uses: ./.forgejo/upload-coverage
         with:

Dockerfile

@@ -1,4 +1,4 @@
-FROM data.forgejo.org/oci/node:22-trixie
+FROM data.forgejo.org/oci/node:24-trixie
 
 ENV PATH=$PATH:/setup-forgejo
 ENV _CONTAINERS_USERNS_CONFIGURED=""

actions/actions.sh

@@ -143,7 +143,7 @@ function test_actions() {
             done
         fi
 
-        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context; do
+        for example in echo matrix needs workflow-call lxc config-options cache cache-pull-request checkout service container expression local-action docker-action if if-fail push tag push-cancel artifacts pull-request context private-workflow-call create-runner-file; do
             run actions_verify_example $example
         done
 
@@ -180,5 +180,10 @@ function test_actions() {
         if dpkg --compare-versions $version ge 14.0; then
             run actions_verify_example matrix-dynamic
         fi
+
+        if dpkg --compare-versions $version ge 15.0; then
+            run actions_verify_example workflow-call-expansion
+            run actions_verify_example id-tokens
+        fi
     done
 }

actions/example-cache-pull-request/.forgejo/workflows/test.yml

@@ -79,6 +79,7 @@ jobs:
       - name: determine if the PR is from a fork
         id: forked
         run: |
+          set -x
           if test ${{ forge.event.pull_request.base.repo.full_name }} = ${{ forge.event.pull_request.head.repo.full_name }} ; then
             echo value=false >> $FORGEJO_OUTPUT
           else
@@ -87,6 +88,7 @@ jobs:
 
       - name: save event
         run: |
+          set -x
           d=/srv/example/cache-pull-request/contexts/${{ forgejo.event.pull_request.head.repo.owner.username }}/$FORGEJO_EVENT_NAME
           mkdir -p $d
           cat > $d/forgejo-${{ forgejo.event.action }} <<'EOF'

actions/example-cache-pull-request/run.sh

@@ -53,6 +53,7 @@ function main() {
     # wait for the opened event to succeed using the cache on all pull requests
     #
     if ! forgejo.sh retry $EXAMPLE_DIR/assert-contexts-opened.sh; then
+        echo "assert-contexts-opened.sh failed; printing related logs and information:"
         find $d
         sed -e 's/^/[RUNNER LOGS]/' <$FORGEJO_RUNNER_LOGS
         return 1
@@ -69,6 +70,7 @@ function main() {
     # wait for the closed event to succeed using the cache on all pull requests
     #
     if ! forgejo.sh retry $EXAMPLE_DIR/assert-contexts-closed.sh; then
+        echo "assert-contexts-closed.sh failed; printing related logs and information:"
         find $d
         sed -e 's/^/[RUNNER LOGS]/' <$FORGEJO_RUNNER_LOGS
         return 1

actions/example-container/.forgejo/workflows/test.yml

@@ -3,6 +3,6 @@ jobs:
   test:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/alpine:3.21
+      image: data.forgejo.org/oci/alpine:3.23
     steps:
       - run: grep Alpine /etc/os-release

actions/example-create-runner-file/.forgejo/workflows/test.yaml

@@ -0,0 +1,9 @@
+on:
+  push:
+
+jobs:
+  test:
+    runs-on: create-runner-file
+    steps:
+      - run: |
+          echo "OK"

actions/example-create-runner-file/run.sh

@@ -0,0 +1,40 @@
+source "lib/lib.sh"
+
+api="$url/api/v1"
+
+function main() {
+    local repo
+    repo="root/example-$example"
+
+    secret="$(openssl rand -hex 20)"
+    runner_name="runner-$(openssl rand -hex 5)"
+
+    create_offline_registration_token "$runner_name" root "$secret"
+
+    # Changing to $DIR is necessary so that `.runner` gets created there. Otherwise, `forgejo-runner` would not pick it up.
+    pushd "$DIR" || exit 1
+    ./forgejo-runner -c "$EXAMPLE_DIR/runner-config.yaml" create-runner-file --instance "http://$IP:3000" --name "$runner_name" --secret "$secret" --connect
+    popd || exit 1
+
+    FORGEJO_RUNNER_CONFIG="$EXAMPLE_DIR/runner-config.yaml" forgejo-runner.sh reload
+
+    label_count=$(jq '.labels | length ' "$DIR/.runner")
+    if [[ "$label_count" != "1" ]] ; then
+      echo "Unexpected number of labels in .runner file: $label_count instead of 1" >&2
+      exit 1
+    fi
+
+    runner_label=$(jq -r '.labels[0]' "$DIR/.runner")
+    if [[ "$runner_label" != "create-runner-file:docker://code.forgejo.org/oci/node:24-trixie" ]] ; then
+      echo "Unexpected runner label: '$runner_label' instead of create-runner-file:docker://code.forgejo.org/oci/node:24-trixie" >&2
+      exit 1
+    fi
+
+    forgejo-test-helper.sh push_workflow "actions/example-$example" "$url" root "example-$example" setup-forgejo "$token"
+
+    local sha
+    sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$sha"
+}
+
+main

actions/example-create-runner-file/runner-config.yaml

@@ -0,0 +1,31 @@
+
+log:
+  level: debug
+
+runner:
+  file: .runner
+  capacity: 1
+  env_file: .env
+  timeout: 3h
+  insecure: false
+  fetch_timeout: 5s
+  fetch_interval: 2s
+  labels:
+    - "create-runner-file:docker://code.forgejo.org/oci/node:24-trixie"
+
+cache:
+  enabled: true
+  dir: "/srv/example/cache"
+  host: ""
+  port: 0
+
+container:
+  network: "bridge"
+  privileged: false
+  options:
+  workdir_parent:
+  valid_volumes: ["/srv/example"]
+  docker_host: ""
+
+host:
+  workdir_parent:

actions/example-cron/.forgejo/workflows/test.yml

@@ -6,7 +6,7 @@ jobs:
   test:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example:/srv/example"
 
     steps:

actions/example-id-tokens/.forgejo/workflows/test.yml

@@ -0,0 +1,78 @@
+on: [push]
+
+env:
+    JWT_CLI_VERSION: 6.2.0 # renovate: datasource=github-releases depName=jwt-cli packageName=mike-engel/jwt-cli
+
+jobs:
+    generation-allowed:
+        enable-openid-connect: true
+        runs-on: docker
+        container:
+            image: data.forgejo.org/oci/ci:1
+        steps:
+            - run: curl -L -o jwt-linux.tar.gz https://github.com/mike-engel/jwt-cli/releases/download/${{ env.JWT_CLI_VERSION }}/jwt-linux-musl.tar.gz && tar -xvzf ./jwt-linux.tar.gz && chmod a+x ./jwt
+            - name: validate token generation works
+              run: |
+                  RAW_JWT=$(curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | jq -r ".value")
+                  if [[ -z "RAW_JWT" ]]; then
+                    echo "Error: RAW_JWT should be set"
+                    exit 1
+                  fi
+
+                  DECODED_JWT_BODY=$(echo $RAW_JWT | jq -R 'split(".") | .[1] | @base64d | fromjson')
+                  if [[ -z "$DECODED_JWT_BODY" ]]; then
+                    echo "Error: DECODED_JWT_BODY should be set"
+                    exit 1
+                  fi
+
+                  ISS=$(echo $DECODED_JWT_BODY | jq -r '.iss')
+                  if [[ -z "$ISS" ]]; then
+                    echo "Error: ISS should be set"
+                    exit 1
+                  fi
+
+                  curl "$ISS/.well-known/keys" > jwks.json
+                  JWKS=$(cat ./jwks.json)
+                  if [[ -z "$JWKS" ]]; then
+                    echo "Error: JWKS should be set"
+                    exit 1
+                  fi
+
+                  # Verify that the JWT decodes with the JWKS data
+                  ./jwt decode -S @./jwks.json -A RS256 $RAW_JWT || (echo "Error: failed signature validation" && exit 1)
+
+                  WORKFLOW=$(echo $DECODED_JWT_BODY | jq -r '.workflow')
+                  AUD=$(echo $DECODED_JWT_BODY | jq -r '.aud')
+                  EVENT_NAME=$(echo $DECODED_JWT_BODY | jq -r '.event_name')
+                  SUB=$(echo $DECODED_JWT_BODY | jq -r '.sub')
+                  if [[ "$WORKFLOW" != "test.yml" ]]; then
+                    echo "Error: WORKFLOW should be test.yml but is $WORKFLOW"
+                    exit 1
+                  fi
+                  if [[ "$AUD" != "exampleAudience" ]]; then
+                    echo "Error: AUD should be exampleAudience but is $AUD"
+                    exit 1
+                  fi
+                  if [[ "$EVENT_NAME" != "push" ]]; then
+                    echo "Error: EVENT_NAME should be push but is $EVENT_NAME"
+                    exit 1
+                  fi
+                  if [[ "$SUB" != "repo:root/example-id-tokens:ref:refs/heads/main" ]]; then
+                    echo "Error: SUB should be repo:root/example-id-tokens:ref:refs/heads/main but is $SUB"
+                    exit 1
+                  fi
+
+    generation-not-allowed:
+        enable-openid-connect: false
+        runs-on: docker
+        steps:
+            - name: check variables are unset
+              run: |
+                  if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]]; then
+                    echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
+                    exit 1
+                  fi
+                  if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]]; then
+                    echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
+                    exit 1
+                  fi

actions/example-post-7-0-schedule/.forgejo/workflows/test.yml

@@ -6,7 +6,7 @@ jobs:
   test:
     runs-on: ${{ vars.TEST_SCHEDULE_RUNSON }}
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example:/srv/example"
 
     steps:

actions/example-private-workflow-call/.forgejo/workflows/reusable.yaml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: "docker"
+    container:
+      image: data.forgejo.org/oci/node:24-trixie
+    steps:
+      - run: echo 'OK'

actions/example-private-workflow-call/.forgejo/workflows/test.yaml

@@ -0,0 +1,11 @@
+on:
+  push:
+
+jobs:
+  test:
+    # `runs-on` disables workflow expansion. We want that in this case, because then Forgejo Runner has to authenticate
+    # itself to access the reusable workflow.
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:24-trixie
+    uses: ./.forgejo/workflows/reusable.yaml

actions/example-private-workflow-call/run.sh

@@ -0,0 +1,42 @@
+api="$url/api/v1"
+export d=/srv/example/private-workflow-call
+
+function main() {
+    mkdir -p "$d"
+
+    local repo
+    repo="root/example-$example"
+
+    forgejo-test-helper.sh push_workflow "actions/example-$example" "$url" root "example-$example" setup-forgejo "$token"
+
+    # push_workflow creates the repository and triggers a first workflow run. Wait for it to succeed. Ensures that the
+    # workflow is valid.
+    local sha
+    sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$sha"
+
+    # Make the repository private. That is necessary to verify that Forgejo Runner includes the correct credentials when
+    # cloning the workflow.
+    forgejo-curl.sh api_json -X PATCH --data-raw '{"private":true}' "$api/repos/root/example-$example"
+
+    # Create a new commit that triggers a new workflow run that can be identified uniquely.
+    (
+        cd "$d" || exit 1
+        git clone "$url/root/example-$example"
+        cd "example-$example" || exit 1
+         git config user.email root@example.com
+        git config user.name username
+        echo "A new file" > test.txt
+        git add .
+        git commit -m 'Commit a new file'
+        git push
+    )
+
+    # Wait for the workflow pulled from the private repository to succeed.
+    local new_sha
+    new_sha="$(forgejo-test-helper.sh branch_tip "$url" "$repo" main)"
+    [[ "$new_sha" != "$sha" ]] || exit 1
+    forgejo-test-helper.sh wait_success "$url" "$repo" "$new_sha"
+}
+
+main

actions/example-private-workflow-call/setup.sh

@@ -0,0 +1 @@
+mkdir -p /srv/example/private-workflow-call

actions/example-schedule-noncancel/.forgejo/workflows/schedule_continue.yml

@@ -5,7 +5,7 @@ jobs:
   test:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       volumes:
         - /srv/example:/srv/example
     steps:

actions/example-service/.forgejo/workflows/test.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: docker
     services:
       pgsql:
-        image: code.forgejo.org/oci/postgres:15
+        image: data.forgejo.org/oci/postgres:15
         env:
           POSTGRES_DB: test
           POSTGRES_PASSWORD: postgres
@@ -23,11 +23,11 @@ jobs:
   simple:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
 
     services:
       pgsql:
-        image: code.forgejo.org/oci/postgres:15
+        image: data.forgejo.org/oci/postgres:15
         env:
           POSTGRES_DB: test
           POSTGRES_PASSWORD: postgres
@@ -43,7 +43,7 @@ jobs:
     needs: [simple]
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid --volume /srv/example-service-volume-invalid:/srv/example-service-volume-invalid"
 
     steps:
@@ -58,12 +58,12 @@ jobs:
     needs: [volume-on-step]
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid"
 
     services:
       myservice:
-        image: code.forgejo.org/oci/debian:trixie
+        image: data.forgejo.org/oci/debian:trixie
         options: "--volume /srv/example-service-volume-valid:/srv/example-service-volume-valid"
         cmd: ["bash", "-c", "echo -n SUCCESS > /srv/example-service-volume-valid ; sleep infinity"]
 

actions/example-shell/.forgejo/workflows/test.yml

@@ -25,7 +25,7 @@ jobs:
     needs: [sh-fallback]
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/alpine:latest
+      image: data.forgejo.org/oci/alpine:latest
     steps:
       - name: default is bash but with a fallback to sh in case it does not exist
         run: |
@@ -47,7 +47,7 @@ jobs:
     needs: [alpine]
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/python:slim
+      image: data.forgejo.org/oci/python:slim
     steps:
       - name: python => python {0}
         shell: python

actions/example-with-docker-host/.forgejo/workflows/test.yml

@@ -4,7 +4,7 @@ jobs:
   build:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/docker:28-cli
+      image: data.forgejo.org/oci/docker:28-cli
     steps:
       - run: ls -l /var/run/docker.sock
       - run: docker ps

actions/example-with-docker-socket/.forgejo/workflows/test.yml

@@ -4,7 +4,7 @@ jobs:
   build:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/docker:28-cli
+      image: data.forgejo.org/oci/docker:28-cli
     steps:
       - run: ls -l /var/run/docker.sock
       - run: docker ps

actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-1.yml

@@ -0,0 +1,74 @@
+on:
+  workflow_call:
+    inputs:
+      input1:
+        required: true
+        type: string
+      input3:
+        required: true
+        type: string
+    outputs:
+      output1:
+        value: ${{ jobs.callee-1.outputs.job-output }}
+      output2:
+        value: ${{ jobs.callee-2.outputs.job-output }}
+      output3:
+        value: ${{ jobs.layer-2.outputs.output3 }}
+      output4:
+        value: ${{ jobs.layer-2.outputs.output4 }}
+
+jobs:
+  callee-1:
+    runs-on: docker
+    outputs:
+      job-output: callee-1-output
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: verify workflow inputs
+        run: |
+          set -x
+          test "top-level-input1" = "${{ inputs.input1 }}"
+          test "dynamic output" = "${{ inputs.input3 }}"
+      - name: verify workflow secrets
+        run: |
+          set -x
+          test "AAAA" = "${{ secrets.secret1 }}"
+          test "BBBB1234" = "${{ secrets.secret2 }}"
+          test "" = "${{ secrets.secret3 }}" # wasn't specified to the workflow, should be absent
+      - name: indicate callee-1 hit
+        run: touch /srv/example/callee-1
+
+  layer-2:
+    needs: [callee-1]
+    uses: ./.forgejo/workflows/reusable-layer-2.yml
+    with:
+      input1: ${{ inputs.input1 }}
+      input2: mid-level-input2
+      input3: ${{ inputs.input3 }}
+      input4: ${{ needs.callee-1.outputs.job-output }}
+    secrets: inherit
+
+  callee-2:
+    needs: [callee-1, layer-2]
+    runs-on: docker
+    outputs:
+      job-output: callee-2-output
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: verify callee-1 completed
+        run: |
+          set -x
+          test -f /srv/example/callee-1
+      - name: verify layer-2 completed
+        run: |
+          set -x
+          test -f /srv/example/callee-3
+          test -f /srv/example/callee-4
+      - name: indicate callee-2 hit
+        run: touch /srv/example/callee-2

actions/example-workflow-call-expansion/.forgejo/workflows/reusable-layer-2.yml

@@ -0,0 +1,63 @@
+on:
+  workflow_call:
+    inputs:
+      input1:
+        required: true
+        type: string
+      input2:
+        required: true
+        type: string
+      input3:
+        required: true
+        type: string
+      input4:
+        required: true
+        type: string
+    outputs:
+      output3:
+        value: ${{ jobs.callee-3.outputs.job-output }}
+      output4:
+        value: ${{ jobs.callee-4.outputs.job-output }}
+
+jobs:
+  callee-3:
+    runs-on: docker
+    outputs:
+      job-output: callee-3-output
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: verify workflow inputs
+        run: |
+          set -x
+          test "top-level-input1" = "${{ inputs.input1 }}"
+          test "mid-level-input2" = "${{ inputs.input2 }}"
+          test "dynamic output" = "${{ inputs.input3 }}"
+          test "callee-1-output" = "${{ inputs.input4 }}"
+      - name: verify workflow secrets inherited
+        run: |
+          set -x
+          test "AAAA" = "${{ secrets.secret1 }}"
+          test "BBBB1234" = "${{ secrets.secret2 }}"
+          test "" = "${{ secrets.secret3 }}" # wasn't specified to the workflow, should be absent
+      - name: indicate callee-3 hit
+        run: touch /srv/example/callee-3
+
+  callee-4:
+    needs: callee-3
+    runs-on: docker
+    outputs:
+      job-output: callee-4-output
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: verify callee-3 completed
+        run: |
+          set -x
+          test -f /srv/example/callee-3
+      - name: indicate callee-4 hit
+        run: touch /srv/example/callee-4

actions/example-workflow-call-expansion/.forgejo/workflows/test.yml

@@ -0,0 +1,53 @@
+on:
+  push:
+
+jobs:
+  pre-job:
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+    outputs:
+      dynamic: "${{ steps.dynamic-step.outputs.dynamic }}"
+    steps:
+      - id: dynamic-step
+        run: echo "dynamic=dynamic output" >> $FORGEJO_OUTPUT
+
+  layer-1:
+    needs: [pre-job]
+    uses: ./.forgejo/workflows/reusable-layer-1.yml
+    with:
+      input1: top-level-input1
+      input3: ${{ needs.pre-job.outputs.dynamic }}
+    secrets:
+      secret1: AAAA
+      secret2: BBBB1234
+
+  verify:
+    needs: [layer-1]
+    runs-on: docker
+    container:
+      image: data.forgejo.org/oci/node:22-bookworm
+      volumes:
+        - /srv/example:/srv/example
+    steps:
+      - name: verify test config secret
+        run: |
+          set -x
+          # SECRET3 is set on the repo, but not passed into `reusable-layer-1.yml` so that we can test secrets don't
+          # leak into the workflow if they're not explicitly defined. This check verifies that the test environment has
+          # that secret, otherwise the test assertions that it isn't present within the workflow would be meaningless.
+          test "CCCC" = "${{ secrets.secret3 }}"
+      - name: verify callee-[0-4] completed
+        run: |
+          set -x
+          test -f /srv/example/callee-1
+          test -f /srv/example/callee-2
+          test -f /srv/example/callee-3
+          test -f /srv/example/callee-4
+      - name: verify workflow outputs
+        run: |
+          set -x
+          test "callee-1-output" = "${{ needs.layer-1.outputs.output1 }}"
+          test "callee-2-output" = "${{ needs.layer-1.outputs.output2 }}"
+          test "callee-3-output" = "${{ needs.layer-1.outputs.output3 }}"
+          test "callee-4-output" = "${{ needs.layer-1.outputs.output4 }}"

actions/example-workflow-call-expansion/run.sh

@@ -0,0 +1,12 @@
+repo=root/example-$example
+api=$url/api/v1
+
+# Prepare test repo
+forgejo-test-helper.sh push_workflow actions/example-$example $url root example-$example setup-forgejo $token
+sha=$(forgejo-test-helper.sh branch_tip $url $repo main)
+
+# Install a repo secret
+forgejo-curl.sh api_json -X PUT --data-raw '{"data":"CCCC"}' $api/repos/$repo/actions/secrets/SECRET3
+
+# Wait for action to complete
+forgejo-test-helper.sh wait_success $url root/example-$example $sha

actions/example-workflow-dispatch/.forgejo/workflows/test.yml

@@ -44,7 +44,7 @@ jobs:
   test:
     runs-on: docker
     container:
-      image: code.forgejo.org/oci/debian:trixie
+      image: data.forgejo.org/oci/debian:trixie
       options: "--volume /srv/example:/srv/example"
 
     steps:

federation/federation.sh

@@ -78,6 +78,8 @@ function test_federation() {
         # NOTE: newline seperated, not comma :>
         scenarios=(
             "star 7.1"
+            "mastodon 14.0"
+            "gotosocial 14.0"
         )
 
         for scenario_version_str in "${scenarios[@]}"; do

federation/scenario-gotosocial/run.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+source "$DIR/federation_scenario-$scenario-env"
+
+if [[ -z "$password" ]]; then
+    exit 1
+fi
+
+if [[ -z "$port" ]]; then
+    exit 1
+fi
+
+status_code="$(curl -o /dev/null -w '%{http_code}' "http://localhost:$port/")"
+if [[ "$status_code" != "200" ]]; then
+    exit 1
+fi

federation/scenario-gotosocial/setup.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+source $SCENARIO_DIR/../../lib/lib.sh
+
+GTS_VERSION="0.20.0" # renovate: datasource=docker depName=data.forgejo.org/oci/gotosocial
+
+echo "setting up gotosocial"
+
+tmpdir="$(mktemp --tmpdir -d gts.XXXXXXXXXX)"
+cat << EOF > "$tmpdir/config.yaml"
+host: "localhost:8080"
+protocol: http
+db-type: sqlite
+db-address: /mount/gts.db3
+
+http-client:
+  allow-ips: ["0.0.0.0/0", "::/0"]
+  insecure-outgoing: true
+EOF
+
+podman unshare \
+    chown 1000:1000 -R $tmpdir
+
+container_id="$(
+    podman run \
+        -d \
+        --env "GTS_CONFIG_PATH=/mount/config.yaml" \
+        -v "$tmpdir:/mount" \
+        -p "8080:8080" \
+        --network=host \
+        "data.forgejo.org/oci/gotosocial:$GTS_VERSION" \
+        server start
+)"
+
+function wait_gts_ready() {
+    http_status=$(curl -s -w \
+        "%{http_code}" -o /dev/null \
+        "http://localhost:8080/"
+    )
+
+    [[ "$http_status" == 200 ]] && echo "ready"
+}
+
+retry wait_gts_ready
+
+password="verysecurepassword"
+podman exec -it "$container_id" /gotosocial/gotosocial admin \
+    account create \
+    --username "test" \
+    --email "test@localhost" \
+    --password "$password"
+
+cat << EOF > "$DIR/federation_scenario-gotosocial-env"
+password="$password"
+port="8080"
+container_id="$container_id"
+EOF
+

federation/scenario-gotosocial/teardown.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+source "$DIR/federation_scenario-gotosocial-env"
+
+if [[ -z "$container_id" ]]; then
+    echo "gotosocial container ID not found, container may not be stopped"
+    exit 1
+fi
+
+podman stop "$container_id"
+rm "$DIR/federation_scenario-gotosocial-env"
+

federation/scenario-mastodon/.gitignore

@@ -0,0 +1,3 @@
+/resources/certs/forgejo*
+/forgejo/certs/*
+!/forgejo/certs/.gitkeep

federation/scenario-mastodon/TEST_INSTRUCTION.md

@@ -0,0 +1,38 @@
+# Manual testing
+
+1. compile forgejo binary to test on a debian/ubuntu system
+2. start applications
+    * local forgejo:
+        ```sh
+        cd federation/scenario-mastodon
+        # create cert & startup & create test accounts
+        SCENARIO_DIR="." ./setup.sh
+        # Mastodon password in "/tmp/forgejo-end-to-end/federation_scenario-mastodon-env"
+        # Bind forgejo to localhost:3003 and set the domain to `forgejo`
+        ```
+    * containerized forgejo:
+        ```sh
+        cd federation/scenario-mastodon
+        # Generate self-signed certs on first run
+        source ./functions.sh
+        generate_certs forgejo "./resources/certs"
+        mv "./resources/certs/forgejo"* "forgejo/certs"
+
+        # Setup container
+        export FORGEJO_PATH="/path/to/forgejo/binary"
+        export COMPOSE_PROFILES="forgejo_container"
+        export MASTODON_HOST="mastodon-app"
+
+        podman-compose up -d
+        podman-compose exec forgejo-app bash -c "/init/create_test_account.sh"
+        # Mastodon password is the last line of the output
+        podman-compose exec mastodon-app bash -c "/init/create_test_account.sh"
+        ```
+3. login to mastodon: http://localhost:4000
+   1. test@localhost - password from start app.
+4. search for forgejo user: `https://forgejo/api/v1/activitypub/user-id/1`
+5. Press follow
+6. FYI:
+   1. login to forgejo: http://localhost:3003/
+   2. me - me
+   3. swagger-uri: http://localhost:3003/api/swagger#/activitypub

federation/scenario-mastodon/compose.yaml

@@ -0,0 +1,95 @@
+networks:
+    external_network:
+    internal_network:
+        internal: true
+
+services:
+    forgejo:
+        image: data.forgejo.org/oci/alpine:latest
+        volumes:
+            - ./forgejo/certs/:/usr/local/share/ca-certificates/
+            - ./forgejo/init/:/init/
+            - ./forgejo/etc/lighttpd.conf:/etc/lighttpd.conf
+        restart: unless-stopped
+        entrypoint: "sh /init/init.sh"
+        networks:
+            - external_network
+            - internal_network
+
+    forgejo-app:
+        profiles:
+            - forgejo_container
+        # built from https://code.forgejo.org/federation/build-mastodon/src/branch/main/debian-containerfile
+        image: data.forgejo.org/federation/debian:trixie-cacerts
+        tmpfs:
+            - /data
+        volumes:
+            - ./forgejo-app/init/:/init/
+            - ./forgejo-app/config/:/config/
+            - ./resources/certs/:/usr/local/share/ca-certificates/
+            - "${FORGEJO_PATH}:/usr/local/bin/forgejo"
+        ports:
+            - 3003:3003
+        entrypoint: "sh /init/init.sh"
+        networks:
+            - external_network
+            - internal_network
+
+    postgres:
+        image: data.forgejo.org/oci/postgres:14
+        tmpfs:
+            - /var/lib/postgresql/data
+        environment:
+            POSTGRES_USER: postgres
+            POSTGRES_DB: postgres
+            POSTGRES_PASSWORD: postgres
+            POSTGRES_HOST_AUTH_METHOD: trust
+        networks:
+            - internal_network
+
+    redis:
+        image: data.forgejo.org/oci/redis:7.2
+        tmpfs:
+            - /var/lib/redis/
+        networks:
+            - internal_network
+
+    mastodon-app:
+        # built from https://code.forgejo.org/federation/build-mastodon/src/branch/main/mastodon-containerfile
+        image: data.forgejo.org/federation/mastodon:v4.5-test
+        volumes:
+            - ./resources/certs:/usr/local/share/ca-certificates/
+            - ./mastodon-app/init/:/init/
+        environment: &mastodon_env
+            DB_HOST: postgres
+            DB_USER: postgres
+            DB_PASS: postgres
+            REDIS_HOST: redis
+            PORT: 4000
+            LOCAL_DOMAIN: ${MASTODON_HOST}:4000
+            ALTERNATE_DOMAINS: ${MASTODON_HOST},localhost
+            EMAIL_DOMAIN_ALLOWLIST: localhost
+            AUTHORIZED_FETCH: "true"
+            ALLOWED_PRIVATE_ADDRESSES: 0.0.0.0/0,::/0
+            SECRET_KEY_BASE: bc1bdb4d3d57a2c292a8f145d5d3c921
+            ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: fkSxKD2bF396kdQbrP1EJ7WbU7ZgNokR
+            ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: r0hvVmzBVsjxC7AMlwhOzmtc36ZCOS1E
+            ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: PhdFyyfy5xJ7WVd2lWBpcPScRQHzRTNr
+        ports:
+            - "4000:4000"
+        entrypoint: "sh /init/init.sh"
+        networks:
+            - external_network
+            - internal_network
+
+    mastodon-sidekiq:
+        # built from https://code.forgejo.org/federation/build-mastodon/src/branch/main/mastodon-containerfile
+        image: data.forgejo.org/federation/mastodon:v4.5-test
+        volumes:
+            - ./resources/certs:/usr/local/share/ca-certificates/
+            - ./mastodon-sidekiq/init/:/init/
+        restart: unless-stopped
+        environment: *mastodon_env
+        entrypoint: "sh /init/init.sh"
+        networks:
+            - internal_network

federation/scenario-mastodon/forgejo-app/config/app.ini

@@ -0,0 +1,32 @@
+RUN_MODE = prod
+
+[server]
+APP_DATA_PATH = /data
+DOMAIN = forgejo
+ROOT_URL = https://forgejo/
+HTTP_PORT = 3003
+PROTOCOL = http
+
+[queue]
+TYPE = immediate
+
+[database]
+DB_TYPE = sqlite3
+PATH = /data/forgejo.db
+
+[log]
+MODE = console
+LEVEL = debug
+
+[security]
+INSTALL_LOCK = true
+
+[repository]
+ENABLE_PUSH_CREATE_USER = true
+DEFAULT_PUSH_CREATE_PRIVATE = false
+
+[federation]
+ENABLED = true
+
+[session]
+COOKIE_SECURE = false

federation/scenario-mastodon/forgejo-app/init/create_test_account.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+sleep 10
+
+/usr/local/bin/forgejo -c /etc/forgejo/app.ini admin user create --username me --password me --email "me@example.com" --admin --must-change-password=false
+/usr/local/bin/forgejo -c /etc/forgejo/app.ini admin user create --username to-be-followd --password to-be-followd --email "to-be-followd@example.com" --admin --must-change-password=false
+/usr/local/bin/forgejo -c /etc/forgejo/app.ini admin user generate-access-token -u me -t token --scopes write:activitypub,write:repository,write:user

federation/scenario-mastodon/forgejo-app/init/init.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+sudo update-ca-certificates
+
+sudo mkdir -p /data/forgejo
+sudo chown forgejo:forgejo /data/forgejo
+sudo install -D -o forgejo -g forgejo /config/app.ini /etc/forgejo/app.ini
+
+/usr/local/bin/forgejo -c /etc/forgejo/app.ini
+

federation/scenario-mastodon/forgejo/etc/lighttpd.conf

@@ -0,0 +1,22 @@
+server.document-root = "/var/www"
+
+server.modules = (
+    "mod_openssl",
+    "mod_proxy"
+)
+
+$SERVER["socket"] == ":443" {
+    ssl.engine = "enable"
+    ssl.pemfile = "/usr/local/share/ca-certificates/forgejo-snakeoil.crt"
+    ssl.privkey = "/usr/local/share/ca-certificates/forgejo-snakeoil.key"
+}
+
+proxy.server = (
+    "" => (
+        "forgejo" => (
+            "host" => "host.containers.internal",
+            "port" => 3003,
+        )
+    )
+)
+

federation/scenario-mastodon/forgejo/init/init.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+
+apk add lighttpd
+
+lighttpd -D -f /etc/lighttpd.conf
+

federation/scenario-mastodon/functions.sh

@@ -0,0 +1,32 @@
+function generate_certs() {
+
+    host=${1}
+    cert_location=${2}
+
+    rootCertificate="${cert_location}/custom-snakeoil-rootCA.crt"
+    rootCertKey="${cert_location}/custom-snakeoil-rootCA.key"
+    extensionFile="${cert_location}/${host}-snakeoil.ext"
+    keyFile="${cert_location}/${host}-snakeoil.key"
+    csrFile="${cert_location}/${host}-snakeoil.csr"
+    crtAltSubFile="${cert_location}/${host}-snakeoil.crt"
+
+    cat << EOF > ${extensionFile}
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${host}
+DNS.2 = localhost
+EOF
+
+    # Create CSR
+    openssl req -newkey rsa:2048 -nodes -keyout ${keyFile} \
+        -out ${csrFile} -subj "/CN=${host}" -addext "subjectAltName=DNS:localhost"
+
+    # Sign Our CSR with the root CA cert
+    openssl x509 -req -CA ${rootCertificate} \
+        -CAkey ${rootCertKey} \
+        -in ${csrFile} \
+        -out ${crtAltSubFile} \
+        -days 3650 -CAcreateserial -extfile ${extensionFile}
+}

federation/scenario-mastodon/mastodon-app/init/create_test_account.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+account_create="$(tootctl accounts create test --email test@localhost --role Owner --confirmed)"
+tootctl account modify test --approve
+
+echo "${account_create}"
+
+password=$(echo "${account_create}" |
+        tail -n 1 |
+        sed 's/New password: //' |
+        sed 's/\r//'
+)
+
+echo "$password"

federation/scenario-mastodon/mastodon-app/init/init.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+sudo update-ca-certificates
+sudo touch /opt/mastodon/log/prod.log
+sudo chown mastodon: /opt/mastodon/log/prod.log
+rails db:setup
+bundle exec puma -C config/puma.rb
+#sleep 2h

federation/scenario-mastodon/mastodon-sidekiq/init/init.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+sudo update-ca-certificates
+sudo touch /opt/mastodon/log/prod.log
+sudo chown mastodon: /opt/mastodon/log/prod.log
+bundle exec sidekiq
+#sleep 2h

federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGTCCAgGgAwIBAgIUU+o53CfULAHTgPuCq/Ua8JRTWLIwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAwwQY29kZS5mb3JnZWpvLm9yZzAgFw0yNTEwMjMwODI2NTVa
+GA8yMTI1MDkyOTA4MjY1NVowGzEZMBcGA1UEAwwQY29kZS5mb3JnZWpvLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKJl1YjGLoYK5J7wCbgL7WCZ
+DGznwmp2SxpxJx/9Y6Pldt1QXTp0/VrR/H8iu3bNh13jmupXTKyGHU94MTNHER1T
+/jbGw8LRPWCIYNjpYFZU17glTGs/DOieh7acuuvu+imoamk1oRLVaaHDewz09Tc2
+wkklCH+2ME2TC6mHIqpHOLO//ESEU0Glo+/mVMEcTJf9zdDhSGhZPKhXEaWgrLMo
+EV3r0hpxHCE21OeaRrOKjMtOfp6/v0yKAsJ0QbLHXw1JDauiMWHUxp1H3jIHGgtc
+0ALdiS1fhYi8zX3bkbMfctjREVtbhO0Aqps5pvDjhjTNyTmSQ3dkkU37W7Mz+WkC
+AwEAAaNTMFEwHQYDVR0OBBYEFKXOSikliKVL6VYbbcaOR3k3khKyMB8GA1UdIwQY
+MBaAFKXOSikliKVL6VYbbcaOR3k3khKyMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBADE4RGzIXT3LsLGxqRiuOPrXnOTy6izD0sXraJGPWOTEm0MB
+H+MnV1YmqRiafwCTbKyiTfzF50JX0zwa6NnkK7k7tyht7O2B0/1VfsrIaXGBP05B
+pZMC1bMSaDEu+zvRUDFvNiE5Oxkw0LGy44o36e3SNCEXMCYU3fiTX/5IxfB/a1Bk
++5tNfpK4CKwyk2/pb8ClgBldYGxfp/hyzTVh7y4c5bSRzoawGxq2ipfmJbSBYEme
+vyySFXJI1W9ih8utE2sQKbRS7YrwxSNS9Uj6qwixTlHB5a/MzlFmD630VkmkI1qq
+5VkQxq7dJSTlVHX8qiQqvGoPPIp5ucbBDmyj2A8=
+-----END CERTIFICATE-----

federation/scenario-mastodon/resources/certs/custom-snakeoil-rootCA.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCiZdWIxi6GCuSe
+8Am4C+1gmQxs58JqdksacScf/WOj5XbdUF06dP1a0fx/Irt2zYdd45rqV0yshh1P
+eDEzRxEdU/42xsPC0T1giGDY6WBWVNe4JUxrPwzonoe2nLrr7vopqGppNaES1Wmh
+w3sM9PU3NsJJJQh/tjBNkwuphyKqRzizv/xEhFNBpaPv5lTBHEyX/c3Q4UhoWTyo
+VxGloKyzKBFd69IacRwhNtTnmkaziozLTn6ev79MigLCdEGyx18NSQ2rojFh1Mad
+R94yBxoLXNAC3YktX4WIvM1925GzH3LY0RFbW4TtAKqbOabw44Y0zck5kkN3ZJFN
++1uzM/lpAgMBAAECggEAAdGmR0j0k/ISyfhYnFJfFAfBN+x0a1wl7rOjDP/Tg7r9
+Ln21yzYTJJcfnu5TaOfLH84KrRwrT6JhhfaYn64PC8PmH/rXDftPsFSOt/DZo2+B
+vaSgGyWcMVqdnNOOep6IXq36rr3krwQra14Rmbbm36AYihh+iuzbB4w0vPvpwDwv
+G9DITTLrIwDRbXReZ13FjqphP5dqT6jG7BnRLe7vyQ7CJwYdUDLkg2YLykwbHvco
+DISS3IoYgF5R7KaGpwH2iFmeHYwXaVH9Y0RyjEvxp87iK8Awvm4yn7hWBx9NsMm2
+of7107TlFBU81JbG09KQZ+mS3S4C9XfQScqBoP66tQKBgQDYS4QhwkYFNusN8z+U
+63IGMxJXMF0bvF1zqjhrfkdX16jDD7v8cMbZAjk80obmRdhFpNiuaCT7dbnXpt7L
+Ppfu6IkcJsAJc32lbWGc56XzfzDnNecvQbCbMnRYI5GDzcTTY+ObgyhJv4SwuD3E
+kdHhxOFPuxlLFey9eg9vC6ADnQKBgQDANX5oEqvVty8gn+cOU3fEiqQ+ZqvcgMcL
+CUQYIAUDvXjZuXTbU0cSzgZnZi3JwtEVwj0u+0eXXlju6AVgKC/yd4aIpQ2f6hXO
+UlODWIqiNq3lVgjatO6zQ2CXuBeV7crX6odNrhkvSwSPNlC2Ra7QZ8Uk0PpX0sTm
+JyuMA/WBPQKBgQCkqulPYj44nhTZrAUN9Sn7+knOQy2/feqPsln9zEe4YqFCz+nI
+SHu6nuzAl27IRQhgDR5BuVvebUQtIAeiKGc3JaWs3vt4topDtUCJWfqHpJ+whuMY
+oSQ5I3Jb38ha1f8xCG0x6ep0KvB0MfAkhPeKsH7wWnrpJSn1HsY9PlZ2KQKBgQCS
+/xZKb6UdEDipocDqkukw1bsgwhLD03TmOtLqBGrxXlFzacM2DW14sznwkBOKj0Sq
+eF+kc6Zf3Fb1d1rNHE73B3RLQre1yiedIBcgh3GW92xszSx+XwuC64+O2Mqo7jBI
+iuOpg/Fc2umEwUxe6dH1Lrd2HaCn09ikD+bc8RYsHQKBgQDXfAiAf3MdzG8+4zgD
+kzfZsUXRUm3ACqrkhlUOzPsh2y5yGO0gxkrUR4ps2+wn0aapwYi+JdbEHpDqI4Ze
+vE3d8ZgLF4ER+uuiayuItMIFa8T0AiH1oJMptUY4kgj1AaG0b3+ZxU/uGXjpciyA
+a7/psxJ+in3AQ005JGir8rx+gA==
+-----END PRIVATE KEY-----

federation/scenario-mastodon/run.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+source "$DIR/federation_scenario-$scenario-env"
+
+if [[ -z "$password" ]]; then
+    exit 1
+fi
+
+if [[ -z "$port" ]]; then
+    exit 1
+fi
+
+status_code="$(curl -o /dev/null -w '%{http_code}' "http://localhost:$port/")"
+if [[ "$status_code" != "200" ]]; then
+    exit 1
+fi
+

federation/scenario-mastodon/setup.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+source "$SCENARIO_DIR/../../lib/lib.sh"
+source "$SCENARIO_DIR/functions.sh"
+
+echo "Setting up Forgejo x Mastodon"
+
+if [[ ! -d "$DIR" ]]; then
+    mkdir -p "$DIR"
+fi
+
+echo "Generating forgejo & mastodon self-signed certificate"
+
+generate_certs forgejo "$SCENARIO_DIR/resources/certs"
+
+mv "$SCENARIO_DIR/resources/certs/forgejo"* "$SCENARIO_DIR/forgejo/certs/"
+
+export MASTODON_HOST="localhost"
+
+podman-compose \
+    -f "$SCENARIO_DIR/compose.yaml" \
+    up -d
+
+function wait_up() {
+    command="$(podman-compose \
+        -f "$SCENARIO_DIR/compose.yaml" \
+        exec mastodon-app \
+        bin/tootctl accounts
+    )"
+
+    first="$(head -n 1 <<< "$command")"
+    [[ "$first" == *"Commands:"* ]] && echo "ready"
+}
+
+retry wait_up
+
+password="$(podman-compose \
+    -f "$SCENARIO_DIR/compose.yaml" \
+    exec mastodon-app \
+    bash -c "/init/create_test_account.sh" | \
+    tail -n 1 | \
+    sed 's/\r//'
+)"
+
+cat << EOF > "$DIR/federation_scenario-mastodon-env"
+password="$password"
+port="4000"
+EOF

federation/scenario-mastodon/teardown.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+podman-compose \
+    -f "$SCENARIO_DIR/compose.yaml" \
+    down
+
+rm "$DIR/federation_scenario-mastodon-env"
+

forgejo/sources/15.0

@@ -0,0 +1 @@
+https://codeberg.org/forgejo/forgejo forgejo 15.0.0

lib/RELEASE_NUMBERS

@@ -1 +0,0 @@
-11.0 13.0 14.0

lib/lib.sh

@@ -26,7 +26,7 @@ IP=$(hostname -I | cut -f1 -d' ')
 #
 # Forgejo releases for which a branch exists (7.0/forgejo etc.)
 #
-RELEASE_NUMBERS=$(cat $LIB_DIR/RELEASE_NUMBERS)
+RELEASE_NUMBERS="11.0 14.0 15.0"
 
 PREFIX===============
 export DIR=/tmp/forgejo-end-to-end
@@ -415,6 +415,17 @@ EOF
     cp -a $DOT_FORGEJO_CURL $work_path/forgejo-curl
 }
 
+function create_offline_registration_token() {
+  local name="$1"
+  local scope="$2"
+  local secret="$3"
+
+  local work_path
+  work_path="$DIR/$(work_path_base "$config")"
+
+  "$work_path/forgejocli" forgejo-cli actions register --name "$name" --scope "$scope" --secret "$secret"
+}
+
 function stop_daemon() {
     local daemon=$1
 

packages/alpine-10.0

@@ -1 +0,0 @@
-alpine-7.0

packages/alpine.sh

@@ -7,7 +7,7 @@ function test_packages_alpine_version() {
     reset_forgejo $PACKAGES_DIR/alpine-app.ini
     start_forgejo $forgejo_version
 
-    local d=$PACKAGES_DIR/alpine-$forgejo_version
+    local d=$PACKAGES_DIR/alpine
     local token=$(cat $DIR/forgejo-curl/token)
     local url=http://${HOST_PORT}
 
@@ -16,8 +16,10 @@ function test_packages_alpine_version() {
 }
 
 function test_packages_alpine() {
-    for alpine_version in 3.20 3.21; do
-        for forgejo_version in 7.0 10.0; do
+    local forgejo_versions="${1:-$RELEASE_NUMBERS}"
+
+    for alpine_version in 3.22 3.23; do
+        for forgejo_version in $forgejo_versions; do
             test_packages_alpine_version $alpine_version $forgejo_version
         done
     done

packages/packages.sh

@@ -7,5 +7,7 @@ PACKAGES_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 source $PACKAGES_DIR/alpine.sh
 
 function test_packages() {
-    run test_packages_alpine
+    local forgejo_versions="${1:-$RELEASE_NUMBERS}"
+
+    run test_packages_alpine $forgejo_versions
 }

renovate.json

@@ -2,5 +2,13 @@
     "$schema": "https://docs.renovatebot.com/renovate-schema.json",
     "extends": [
         "local>forgejo/renovate-config"
+    ],
+    "packageRules": [
+        {
+            "description": "Separate test actions",
+            "matchFileNames": ["actions/**"],
+            "additionalBranchPrefix": "actions",
+            "commitMessageTopic": "{{depName}} (test actions)"
+        }
     ]
 }

run.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+podman build -t forgejo-e2e .
+patchelf ../forgejo/forgejo --set-interpreter /lib64/ld-linux-x86-64.so.2
+podman run \
+    -it --privileged \
+    -v ../forgejo/gitea:/srv/forgejo-binaries/forgejo-14.0 \
+    -p 3001-3003:3001-3003 \
+    -p 4000:4000 \
+    -p 8080:8080 \
+    forgejo-e2e