Feed of "Mathieu Fenniak"

mfenniak commented on issue forgejo/discussions#457

2026-04-15T02:30:22+02:00

PR Review Comment Placement - Advanced Testing?

@fnetX wrote in #457 (comment):

mfenniak approved forgejo/forgejo#12114

2026-04-14T18:49:32+02:00

[v15.0/forgejo] fix(ui): a few small runners UI fixes

mfenniak commented on issue forgejo/forgejo#3571

2026-04-14T18:48:52+02:00

feat: give more power to the Action TOKEN

@Denux wrote in #3571 (comment):

mfenniak commented on issue forgejo/forgejo#12121

2026-04-14T18:46:30+02:00

problem: Decouple container auth from package registry, error handling

As @patdyn pinged me on this in Forgejo Chat, I'll throw my thoughts here... but I don't think I have a lot to contribute with my current knowledge. I am much more interested in authorization related to packages (which I have plans to extend into package-specific authorization), but related to authentication...

I don't see a big problem with verifyAuth and verifyContainerAuth. They have to be subtly different because clients have different expectations. There's a bit of code overlap that could be reduced, but it's negligible in scope (eg. if setting.Service.EnableReverseProxyAuth {). There wasn't sufficient automated testing to catch the leak from container changes to other package registries -- #11733 added some testing to cover that gap but didn't extensively touch every other registry, which seems reasonable but could still leave some future risks.

In general, affecting web, API, and packages, I don't like the fact that all our authentication mechanisms do two things: they return "who the user is" (great!), and then they populate the context with random other facets of the authentication ("IsActionsToken", "ApiTokenScope", "IsPasswordLogin", etc.). An ideal refactor of authentication would turn this into structured data -- an Authentication interface that could provide all these facets of the current authentication without having to return unstructured side-data from the auth methods. The current implementation has a huge risk to me of populating some data, and then some error occurring, and then the partially populated data being used... or, a future change in the populated data being incomplete, leaving some parts of the app accessing auth data that isn't populated anymore, which could elevate permissions.

It would be nice if the package registry as a whole had a some separation between each registry and packages/api.go -- so that I could look at one registry's endpoints without being overwhelmed by every other registry. I think that would be fairly easy code to move around, while maintaining some usage of common authentication and authorization middlewares. But this doesn't feel in scope of this issue, just comes to mind while viewing this code.

mfenniak commented on pull request forgejo/website#843

2026-04-14T18:18:22+02:00

Blog post for release of Forgejo v15.0

The scale of screenshots in the blog post are quite inconsistent -- screen-sized, big, bigger, screen-sized, biggest, as you scroll through. Not a big deal, but a little strange to scroll through?

mfenniak commented on pull request forgejo/website#843

2026-04-14T18:18:20+02:00

Blog post for release of Forgejo v15.0

There are currently three sections with breaking, and so mentioning "Breaking features" and "Breaking bug fixes" (and hopefully not "Breaking changes without a feature or bug label") would be warranted here.

mfenniak commented on pull request forgejo/website#843

2026-04-14T18:18:17+02:00

Blog post for release of Forgejo v15.0

s/instructins/instructions/

mfenniak commented on pull request forgejo/website#843

2026-04-14T18:18:13+02:00

Blog post for release of Forgejo v15.0

Alt-text: "Screenshot demonstrating the form to add a git note on an existing commit"

mfenniak commented on pull request forgejo/website#843

2026-04-14T18:18:10+02:00

Blog post for release of Forgejo v15.0

"Alt key on the keyboard"

mfenniak commented on pull request forgejo/website#843

2026-04-14T18:18:07+02:00

Blog post for release of Forgejo v15.0

Add PR link?

mfenniak commented on pull request forgejo/website#843

2026-04-14T18:18:03+02:00

Blog post for release of Forgejo v15.0

s/accept/accepts/

mfenniak commented on pull request forgejo/website#843

2026-04-14T18:06:16+02:00

Blog post for release of Forgejo v15.0

This link could have the #repository-and-organization-access anchor which is a bit more direct to the related updates.

mfenniak commented on pull request forgejo/website#843

2026-04-14T18:04:02+02:00

Blog post for release of Forgejo v15.0

There are items that are "Breaking changes without a feature or bug label" in the release notes which are kinda subtle because they don't appear at the top of the milestone page. Can we fix that somehow?

The majority of breaking changes can be summarized here to help clarify for users if you'd like, as the details in the release notes are kinda step-by-step but add up to one simple change:

Security improvements have changed the behaviour of "public-only" API access tokens, restricting APIs which previously weren't restricted.

(Or this can be placed in "Breaking change" below?)

mfenniak commented on pull request forgejo/website#843

2026-04-14T17:59:12+02:00

Blog post for release of Forgejo v15.0

FIXME: Something something. I'll come back and edit this comment with a proposed summary after I read through the rest.

mfenniak commented on pull request forgejo/website#843

2026-04-14T17:58:43+02:00

Blog post for release of Forgejo v15.0

FIXME: Something something. 🙂

mfenniak opened issue forgejo/discussions#457

2026-04-14T17:55:59+02:00

Between the v15 branch cut and release, I've been dedicating most of my Forgejo-time to bug fixing, which led me into work to address the annoying experiences around PR comment placements. I've fixed five or so issues with where comments get placed on pull requests, and diff generation attached to those comments.

My original plan was to backport these changes into v15, but as soon as the first PR was completed I felt uncomfortable with the risk of these changes. While they're covered by an automated testing suite that I'm quite happy with (TestPullRequestCommentPlacement), there is so much flexibility in where comments can be placed and how PRs can evolve. I can't be confident I've captured a lot of real-world cases.

In general, I think the risks are:

errors occur when running the new git commands which prevent creating a new comment, viewing a PR and its comments, or the internal processes to mark a comment as invalid
alternative comment methods, other than the web ui (APIs, email), place comments at unexpected places or experience errors
comments disappear when they shouldn't (which is already true in v15, so, 🤷)
comments appear in the wrong place (which is already true in v15, so, 🤷)

While I still have one or two tweaks to make, I'm starting to think about how to gain confidence on these changes while they live in the development branch. These are changes that need exposure to real users making pull requests, with other users commenting on them. Ideally those users would have enough awareness to notice things going wrong, and capacity to replay their actions enough to create and report actionable issues. An extra ideal situation would be that Forgejo developers can be provided with database extracts to support reproduction and fixing, if required. I don't think that these circumstances will arise organically with our current pre-release testing regime.

Here are some thoughts I have on how we could fill this gap:

Run code.forgejo.org on the latest forgejo build (eg. same as v16.next), perpetually.
- Development here has the right users with the qualities mentioned above.
- The work being done (usually on the runner, as the most active repo there) is usually complex enough.
- If issues occur like the recent docker authentication problem, then we'd detect it earlier in the development cycle.
- The latest build would be the one that completed forgejo-integration/forgejo's build-release.yml, so, we do have some confidence that it fundamentally works.
Run code.forgejo.org on the latest forgejo build (eg. same as v16.next), but just for the v16 dev cycle.
- Re-evaluate after three months, and either settle in to v16, or decide this was a good idea and continue.
Run code.forgejo.org on latest v15 + the PR comment patches
- If running on forgejo seems like it has too high of a risk, we could meet the same testing goals by customizing the build.
- This requires some additional build & release processes that seem awkward.
Community involvement -- if a community member can volunteer a Forgejo instance that meets the testing profile described above, then we could rely on them with either v16 or v15+patch testing.
Backport all the review comment fixes to Codeberg.
Backport all the review comment fixes to v15 before the v15 release.

My personal preference would depend on an implementation detail that I don't know a lot about: hypothetically, if code.forgejo.org was broken by a software update, what would happen to data.forgejo.org? If data.forgejo.org is "pretty coupled", such that a broken code.forgejo.org would immediately bring down data.forgejo.org, then the risks to Forgejo Actions users would be pretty high with running pre-release software. However, if they're "pretty decoupled" and data.forgejo.org can survive a code.forgejo.org outage (still serve content, but not be updated, for example), then I'd advocate in favour of "run code.forgejo.org on the latest forgejo build perpetually".

More thoughts, suggestions, and input are very welcome. 🙂

mfenniak approved forgejo/forgejo#12115

2026-04-14T17:24:42+02:00

[forgejo] fix(ui): a few small runners UI fixes

mfenniak deleted branch git-diff-corrections-on-comments from mfenniak/forgejo

2026-04-14T17:18:30+02:00

mfenniak merged pull request forgejo/forgejo#12107

2026-04-14T17:18:29+02:00

fix: when reviewing in PRs, make comments relative to viewed base & head, not just viewed head

mfenniak pushed to forgejo at forgejo/forgejo

2026-04-14T17:18:26+02:00

179fbdb04e90a73f64e1910f8ca157fa6e1f678f fix: when reviewing in PRs, make comments relative to viewed base & head, not just viewed head (#12107)

mfenniak commented on pull request forgejo/forgejo#12114

2026-04-14T16:42:46+02:00

[v15.0/forgejo] fix(ui): a few small runners UI fixes

#12115/files (comment)

mfenniak commented on pull request forgejo/forgejo#12115

2026-04-14T16:42:14+02:00

[forgejo] fix(ui): a few small runners UI fixes

I don't think this link makes sense. "For configuring Forgejo Runner running in containers or advanced configurations ...", and then it links to the page that describes the process that the user just went through, and doesn't have any information on "containers or advanced configurations"? @aahlenst

mfenniak commented on pull request forgejo/website#843

2026-04-14T16:36:36+02:00

Blog post for release of Forgejo v15.0

I'm not planning to rewrite this -- I'd like to have step-by-step "how to use this" content, but it probably belongs in docs to be kept up-to-date over time. 👍

mfenniak commented on issue forgejo/website#729

2026-04-14T16:34:34+02:00

Snippets for Forgejo v15.0.0 blog post

@Gusted wrote in #729 (comment):

mfenniak approved forgejo/forgejo#12111

2026-04-14T04:23:43+02:00

chore: don't load settings twice for running `web`

Seems reasonable to me. I think that manual testing is probably the only practical approach -- and as you've noted, the install page functioning is a good edge case to check.

mfenniak created pull request forgejo/forgejo#12107

2026-04-13T18:33:48+02:00

While developing tests for #12092, I came across a case where making a comment on a single-commit doesn't include the correct diff for the comment. This is because code comment placement occurs between the PR's base and the commit being viewed, but, that diff could be different from the commit's parent to the commit, which is what is being viewed on a single-commit diff.

Similar to #12055, this PR changes code comments to be more precise in their diff generation by providing the backend with both the base commit (before_commit_id) and head commit (after_commit_id) currently being viewed. As a result, the diffs attached to comments should exactly match the diffs being viewed by the user when the comment was placed.

Checklist

The contributor guide contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's AI Agreement. There also are a few conditions for merging Pull Requests in Forgejo repositories. You are also welcome to join the Forgejo development chatroom.

Tests for Go changes

I added test coverage for Go changes...
- in their respective *_test.go for unit tests.
- in the tests/integration directory if it involves interactions with a live Forgejo server.
I ran...
- make pr-go before pushing

Documentation

I created a pull request to the documentation to explain to Forgejo users how to use this change.
I did not document these changes and I do not expect someone else to do it.

Release notes

This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Release notes

Bug fixes
- PR: when reviewing in PRs, make comments relative to viewed base & head, not just viewed head

mfenniak pushed to git-diff-corrections-on-comments at mfenniak/forgejo

2026-04-13T18:33:38+02:00

7f466f148d156af882540a3b6a16cea42505b081 fix: attach diff fragment to PR comment based upon viewed diff

mfenniak pushed to git-diff-corrections-on-comments at mfenniak/forgejo

2026-04-13T18:27:22+02:00

cd3687d9563ae60f2208578ab38fd620b77abda9 fix: attach diff fragment to PR comment based upon viewed diff 92781ee898bd22efe0ef3cf273b955227edc26c2 test: comments on specific commits snapshot diffs at time of commit a797a71dea127edd3d93d976131d21d93988c246 fix: display code comments on removed lines-of-code to correct locations in PR view (#12092) 86898a7d0570205eeb751711426db2f1113ca659 Revert "Improve repo file list table semantics for screen readers (#11846)" (#12088) a1be012c4a1e99cfc482a723ebb32af26baad65c Lock file maintenance (forgejo) (#12101)

mfenniak pushed to forgejo at forgejo/forgejo

2026-04-13T18:27:10+02:00

a797a71dea127edd3d93d976131d21d93988c246 fix: display code comments on removed lines-of-code to correct locations in PR view (#12092)

mfenniak deleted branch git-blame-removed-lines-relocation from mfenniak/forgejo

2026-04-13T18:27:01+02:00