The community-driven Git forge Forgejo has reached its 100th release with v15.0, a Long Term Support version that will receive patches through 2027-07-15. The headline feature for security-conscious self-hosters is repository-specific access tokens, which restrict API tokens to a defined list of repositories rather than granting blanket access across an account. Authorization logic across Forgejo's repository APIs was realigned as part of this work, so administrators should review the release notes for behavioral changes to existing public-only tokens.
Forgejo Actions, the platform's CI/CD system, picks up three substantial upgrades. Reusable workflows can now be expanded into their individual jobs, meaning each job gets its own log output and can be dispatched to different runners with different labels or platforms. OpenID Connect support lets workflows authenticate with external services using short-lived signed JWTs instead of static secrets, so there is no long-lived token stored in the workflow to leak. Ephemeral runners round out the security story by restricting a runner registration to a single job, after which its credentials are automatically invalidated, a design that pairs well with orchestration tools managing autoscaled runner fleets.
On the usability side, runner registration has been simplified with a web-based setup flow that replaces the previous CLI-only process. The UI gains accessible label exclusion buttons for issue filtering, a responsive releases page, and improved Git notes editing directly from pull request commit views. Container images pushed to Forgejo's package registry are now automatically linked to their source repositories when the OCI org.opencontainers.image.source label is set or the image name matches the {owner}/{repo} pattern. Session cookies are no longer issued to anonymous visitors, making it straightforward for reverse proxies to distinguish authenticated traffic.
Administrators upgrading from v11.0, the previous LTS release supported until 2026-07-16, should note that default cookie names have changed, which will force users to log in again unless the COOKIE_REMEMBER_NAME option is restored to its previous value. The rootless Docker image has also dropped legacy config path compatibility introduced back in v8.0. Full upgrade instructions and breaking change details are available in the upgrade guide.