This is a security release. See the documentation for more information on the [upgrade procedure](https://forgejo.org/docs/v8.0/admin/upgrade/). - Security [The scope of application tokens was not verified](https://codeberg.org/forgejo/forgejo/pulls/5149) when writing containers or Conan packages. This is of no consequence when the user associated with the application token does not have write access to packages. If the user has write access to packages, such a token can be used to write containers and Conan packages. An application token that was used to write containers or Conan packages without the `package:write` scope will now fail with an unauthorized error. It must be re-created to include the `package:write` scope. - User Interface bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/5029) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5032)): Overflow for images on project cards. - [PR](https://codeberg.org/forgejo/forgejo/pulls/4798) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4919)): Allow unreacting from comment popover. - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/5149) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5151)): The scope of application tokens is not verified when writing containers or Conan packages. - [PR](https://codeberg.org/forgejo/forgejo/pulls/5065) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5080)): When a Forgejo Actions workflow includes a `workflow_dispatch` with `inputs` and other events (for instance `push`), it is silently ignored because of a parsing error. - [PR](https://codeberg.org/forgejo/forgejo/pulls/5053): Automerge on AGit pull requests is ignored. - [PR](https://codeberg.org/forgejo/forgejo/pulls/4998) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5050)): [commit](https://codeberg.org/forgejo/forgejo/commit/7f1db1df3ee8d620f997b8e70a40c2f48ae96c0f) Show lock owner instead of repo owner on LFS setting page. - [PR](https://codeberg.org/forgejo/forgejo/pulls/4998) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5050)): [commit](https://codeberg.org/forgejo/forgejo/commit/ebfdc659d814561f8783094e2eb26738a5500e55) Render plain text file if the LFS object doesn't exist. - [PR](https://codeberg.org/forgejo/forgejo/pulls/4998) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5050)): [commit](https://codeberg.org/forgejo/forgejo/commit/9e066c3cad7bb1b30e2def34bd0608aac825cf58) Panic of ssh public key page after deletion of an auth source. - [PR](https://codeberg.org/forgejo/forgejo/pulls/4998) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5050)): [commit](https://codeberg.org/forgejo/forgejo/commit/a8e25e907c66140961f28ba92403176c816dfb60) Add missing repository type filter parameters to pager. - [PR](https://codeberg.org/forgejo/forgejo/pulls/4907) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4965)): Reverted a change from Gitea which prevented allow/reject reviews on merged or closed PRs. This change was not considered by the Forgejo UI team and there is a consensus that it feels like a regression, since it interferes with workflows known to be used by Forgejo users without providing a tangible benefit. - [PR](https://codeberg.org/forgejo/forgejo/pulls/4885) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4951)): Run full PR checks on AGit push. - Localization - [PR](https://codeberg.org/forgejo/forgejo/pulls/4984) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5116)): i18n: update of translations from Codeberg Translate - [PR](https://codeberg.org/forgejo/forgejo/pulls/4889) ([backported](https://codeberg.org/forgejo/forgejo/pulls/5114)): i18n: update of translations from Codeberg Translate