Gitea | v1.26.3

Gitea v1.26.3 released on 20-06-2026


Gitea v1.26.3 is out now. It introduces a breaking change to Actions security: bypassing the fork‑PR approval gate now requires a merged PR, so forked workflows that previously bypassed approval under other conditions will no longer do so.

See the Gitea GitHub release page for the full notes, security details and download assets.

What’s in this release

  • Breaking change for Actions: require a merged PR to bypass the fork‑PR approval gate (behavior for forked contributions is now stricter).
  • Security hardenings and fixes, including hostmatcher patches (private list and reserved IP blocking), fixes for anonymous clone access to private repos, ignoring stale OIDC external‑login links, LFS access hardening and a dependency bump of golang.org/x/net to v0.55.0.
  • Actions, API and workflow bugfixes — add Link header to ListForks API, return 404 when a job log blob is missing, exclude workflow_call from trigger detection, reject workflow_dispatch for workflows not declaring the trigger, preserve clickable run titles and several other workflow and API fixes.

Upgrade notes

  • Breaking behaviour: update CI and approval processes that relied on the old fork‑PR bypass. Ensure workflows and merge policies expect a merged PR before any bypass is allowed.
  • If the change causes disruption, test the release in staging and revert to your last known good release while you adjust workflows and approval rules.

Please share feedback or report issues on the project’s issue tracker or community channels so maintainers can see how the change affects real‑world CI and workflows.

Related posts

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...

restic | v0.19.1

restic v0 19 1: safer FUSE mounts and mountpoint checks, robust backup source and exclude handling, clearer CLI JSON output, Windows SFTP deletion fixes