Forgejo 16.0, released 2026-07-16, introduces Authorized Integrations, a JWT-based authentication system that lets external services access Forgejo's API and Git repositories without static secrets. Building on the OpenID Connect identity tokens added in v15, this release closes the loop: Forgejo Actions workflows can now authenticate against other systems, and those systems can authenticate back. The feature works with any JWT issuer meeting Forgejo's technical requirements, including AWS, GitHub Actions, and GitLab CI/CD, making it practical to wire Forgejo into multi-forge CI pipelines without distributing and rotating access tokens.
Pull request reviews received the most visible polish. Forgejo now supports multi-line review comments, activated by holding Shift and dragging across a range of changed lines. More significantly, the project fixed a longstanding set of bugs around comment placement. Previous versions used git blame to track which commit introduced a commented line, but comments would land in the wrong location when code moved between commits or when lines were deleted. The fix introduces git blame --reverse to follow changes forward through the PR's commit history, correctly placing comments even after rebases and reorganizations. The commit list on PR pages also got a cleaner, responsive layout.
Security hardening touches several areas. Git mirror configuration now properly enforces domain restrictions by setting http.followRedirects=false, closing SSRF edge cases where HTTP redirects could bypass ALLOWED_DOMAINS settings. Containerized deployments no longer ship with REVERSE_PROXY_TRUSTED_PROXIES set to the wildcard *, which in a specific misconfiguration could allow header-based user impersonation. Incoming Git objects are now checked for consistency before acceptance, and example hook files are no longer generated in bare repositories, saving about 20 KiB per repo. In a licensing cleanup, EXIF stripping for avatar uploads was removed because it depended on an AGPL library incompatible with Forgejo's MIT license.
Forgejo Actions picks up several operational improvements. Workflow runs can now be manually prioritized to jump the queue, and the server-side evaluation of if conditions skips dispatching to a runner when possible, speeding up execution. The API gains endpoints for downloading workflow and job logs, managing artifacts, and cancelling runs. Completed runs can now be deleted through the UI or API. Users also get granular repository watch settings, letting them subscribe to issues, pull requests, or releases independently rather than the previous all-or-nothing toggle.
Forgejo 16.0 is a non-LTS release supported until 2026-10-29. The current long-term support branch is v15.0, which runs through July 2027. Binaries, OCI images (root and rootless), and a test instance are available from the download page. The project recommends a full backup before upgrading and a careful read of the breaking changes.