forgejo/discussions
49
43

Repository-managed fork permissions & default-branch-only forks #478

Open
opened 2026年06月14日 21:57:47 +02:00 by lsmith · 1 comment

Subsystem: fork model / git.
Status: should align with the broader fork-model rethink (discussions#131 and AGit) — these are about the fork model as it stands today and should land wherever that goes. Kept separate from Issue A so creation control isn't blocked by this redesign. This ticket was split off from (discussions#477.

Problem

Under open registration we need finer control over who may fork and what a fork copies, beyond the instance-wide on/off switch.

Why current options don't cover it

Asks

  1. Repository/org-managed fork permissions — let a repository admin allow forks broadly or restrict to specific users/teams, instead of only the instance-wide switch. (This is how an outside contributor is granted the ability to fork under the umbrella scenario.)
  2. Default-branch-only forks — option to copy just the default branch when forking, rather than all branches.

Coordination

Asks here should align with the fork-model rethink (discussions#131) and AGit. Please link any existing issues/discussions to consolidate with.

Umbrella context

Who's asking: This request comes from Zentrum SDS, the Swiss public-sector digital-sovereignty initiative (anchored at the Bern University of Applied Sciences), which is planning the Forgejo-based opencode.ch code platform. "We" throughout refers to this group.

Open instances need open registration so people can file issues and contribute (fork → PR). But open registration also lets anyone create new repositories, which raises two problems:

  • Resource use — new repositories accumulate and consume shared Actions runner resources.
  • Content moderation — arbitrary repositories (spam, abuse, off-topic or unlawful content) on a public-sector-branded platform.

Both force operators to police and delete repositories by hand (a known pain on code.forgejo.org itself). The shape we want: anyone participates, only approved users create repositories.

How existing public-sector platforms handle it:

  • opencode.de (GitLab-based) — anyone can register to comment and file tickets; creating new repositories is gated by an email-domain allow-list. The planned Swiss opencode.ch (Forgejo-based) needs the same. (How an outside contributor is granted the ability to fork is exactly the gap Issue B addresses.)
  • code.overheid.nl (Forgejo-based) — avoids the problem by closing registration to government organisations only. Valid, but it hinders adoption of and contribution to the code hosted there (outside contributors, civil society, vendors can't easily fork and send PRs), undercutting the "public money, public code" goal.

This request is for operators who want registration to stay open — so the code on the platform gets real external engagement — while still controlling who creates repositories and how forks work.

Shared notes (apply to both issues):

  • Forward-looking: relation to federation. Long term, federation (ForgeFed/ActivityPub, NLnet-funded) addresses the cross-instance version of "participate without us maintaining external accounts": an external contributor keeps their home-forge identity and forks/PRs across instances, so the host never provisions accounts for them — and the "fork yes / create-repository no" split falls out naturally. These local controls and federation are complementary, not competing: federation is still experimental (federated stars/follows today; federated forks/PRs and, explicitly, access control & moderation not yet built), so the controls here are what work now; and even once federation lands, the creation allow-list (Issue A) still applies for local open registration. If anyone on the federation/moderation side has related work underway, please flag it so the access-control model doesn't diverge.
  • We'd rather upstream this than carry a soft fork, and are interested in co-designing and helping fund the work. Happy to write an RFC and prototype.
  • External-IdP deployments: where Forgejo consumes OIDC from an external identity provider (Keycloak/Zitadel/Authelia), the allow-list in Issue A is most naturally expressed as a group/claim rule at the IdP, consumed by Forgejo's existing group→team mapping. The email-domain gate is then just one way to populate that group.
**Subsystem:** fork model / git. **Status:** should **align with the broader fork-model rethink** ([discussions#131](https://codeberg.org/forgejo/discussions/issues/131) and AGit) — these are about the fork model *as it stands today* and should land wherever that goes. Kept separate from Issue A so creation control isn't blocked by this redesign. This ticket was split off from ([discussions#477](https://codeberg.org/forgejo/discussions/issues/477). ### Problem Under open registration we need finer control over **who may fork** and **what a fork copies**, beyond the instance-wide on/off switch. ### Why current options don't cover it - `DISABLE_FORKS` is **instance-wide only** — no per-repository allow-list for who may fork. - Forking appears to copy **all branches**, with no default-branch-only option (unconfirmed — please confirm; [GitHub has had default-branch-only forks since 2022](https://github.blog/changelog/2022-07-27-you-can-now-fork-a-repo-and-copy-only-the-default-branch/)). ### Asks 1. **Repository/org-managed fork permissions** — let a repository admin allow forks broadly or restrict to specific users/teams, instead of only the instance-wide switch. (This is how an outside contributor is granted the ability to fork under the umbrella scenario.) 2. **Default-branch-only forks** — option to copy just the default branch when forking, rather than all branches. ### Coordination Asks here should align with the fork-model rethink ([discussions#131](https://codeberg.org/forgejo/discussions/issues/131)) and AGit. Please link any existing issues/discussions to consolidate with. ## Umbrella context **Who's asking:** This request comes from [Zentrum SDS](https://zentrumsds.ch/), the Swiss public-sector digital-sovereignty initiative (anchored at the Bern University of Applied Sciences), which is planning the Forgejo-based **opencode.ch** code platform. "We" throughout refers to this group. Open instances need **open registration** so people can file issues and contribute (fork → PR). But open registration also lets anyone **create new repositories**, which raises two problems: - **Resource use** — new repositories accumulate and consume shared Actions runner resources. - **Content moderation** — arbitrary repositories (spam, abuse, off-topic or unlawful content) on a public-sector-branded platform. Both force operators to police and delete repositories by hand (a known pain on `code.forgejo.org` itself). **The shape we want: anyone participates, only approved users create repositories.** How existing public-sector platforms handle it: - **`opencode.de`** (GitLab-based) — anyone can register to comment and file tickets; creating new repositories is gated by an email-domain allow-list. The planned Swiss **`opencode.ch`** (Forgejo-based) needs the same. (How an outside contributor is granted the ability to *fork* is exactly the gap Issue B addresses.) - **`code.overheid.nl`** (Forgejo-based) — avoids the problem by **closing registration** to government organisations only. Valid, but it **hinders adoption of and contribution to the code hosted there** (outside contributors, civil society, vendors can't easily fork and send PRs), undercutting the "public money, public code" goal. This request is for operators who want registration to stay **open** — so the code on the platform gets real external engagement — while still controlling who creates repositories and how forks work. **Shared notes (apply to both issues):** - **Forward-looking: relation to federation.** Long term, [federation](https://nlnet.nl/project/Federated-Forgejo/) (ForgeFed/ActivityPub, NLnet-funded) addresses the *cross-instance* version of "participate without us maintaining external accounts": an external contributor keeps their home-forge identity and forks/PRs across instances, so the host never provisions accounts for them — and the "fork yes / create-repository no" split falls out naturally. These local controls and federation are **complementary, not competing**: federation is still experimental (federated stars/follows today; federated forks/PRs and, explicitly, access control & moderation not yet built), so the controls here are what work *now*; and even once federation lands, the creation allow-list (Issue A) still applies for *local* open registration. **If anyone on the federation/moderation side has related work underway, please flag it** so the access-control model doesn't diverge. - We'd rather **upstream this than carry a soft fork**, and are interested in **co-designing and helping fund** the work. Happy to write an RFC and prototype. - **External-IdP deployments:** where Forgejo consumes OIDC from an external identity provider (Keycloak/Zitadel/Authelia), the allow-list in Issue A is most naturally expressed as a **group/claim rule at the IdP**, consumed by Forgejo's existing group→team mapping. The email-domain gate is then just one way to populate that group.
Author
Copy link

Confirming the "unconfirmed — please confirm" point: a fork copies all branches by default. But the capability for default-branch-only is already present in the service layer: ForkRepoOptions.SingleBranch (in services/repository/fork.go) clones with git clone --single-branch --branch <name> and sets the fork's default branch accordingly. It simply isn't wired up: the web fork form and the REST ForkRepoOption don't expose it, and no caller sets it.

So ask 2 (default-branch-only forks) is much smaller than "implement": it's "expose the existing SingleBranch option in the fork UI + API." That looks like a self-contained, low-risk change. Happy to help with it if it's a welcome contribution.

On ask 1 (repository-managed fork permissions): confirmed there's no per-repo control today, only the instance-wide DISABLE_FORKS. That's a genuine gap for the general case. For our own public-sector, open-forking model we don't need it: contribution flows via AGit forkless PRs and org-team grants, the model resolved in #477 (now closed), so we'd prioritise ask 2, while leaving ask 1 on the table for operators who want it. Both should align with the fork-model rethink (#131) and AGit.

Confirming the "unconfirmed — please confirm" point: a fork copies **all branches** by default. But the capability for default-branch-only is **already present in the service layer**: `ForkRepoOptions.SingleBranch` (in `services/repository/fork.go`) clones with `git clone --single-branch --branch <name>` and sets the fork's default branch accordingly. It simply isn't wired up: the web fork form and the REST `ForkRepoOption` don't expose it, and no caller sets it. So **ask 2 (default-branch-only forks) is much smaller than "implement"**: it's "**expose the existing `SingleBranch` option** in the fork UI + API." That looks like a self-contained, low-risk change. Happy to help with it if it's a welcome contribution. On **ask 1 (repository-managed fork permissions):** confirmed there's no per-repo control today, only the instance-wide `DISABLE_FORKS`. That's a genuine gap for the general case. For our own public-sector, open-forking model we don't need it: contribution flows via AGit forkless PRs and org-team grants, the model resolved in [#477](https://codeberg.org/forgejo/discussions/issues/477#issuecomment-17795687) (now closed), so we'd prioritise ask 2, while leaving ask 1 on the table for operators who want it. Both should align with the fork-model rethink (#131) and AGit.
Sign in to join this conversation.
No Branch/Tag specified
No results found.
No results found.
Labels
Clear labels
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Reference
forgejo/discussions#478
Reference in a new issue
forgejo/discussions
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?