catalog / codeberg.org/forgejo/forgejo / criteria

forgejo — validation criteria

Per-image acceptance criteria for the codeberg.org/forgejo/forgejo profile (the self-hosted Git forge). Validated against …@sha256:55bb42be… (tag 15), derived by drop-test against forgejo's own default s6-init invocation. The deployment sets no cap_drop, so forgejo runs on the full Docker default cap set; this profile trims it 14 → 5.

Representative workload / correctness check

profiles/workloads/forgejo.sh drives the whole surface, because the container runs two root daemons under s6 and a faithful minimum must keep both alive: - web/API up (/api/v1/version); - a real DB + git write: create an admin user (sqlite write as the git user), create a repo via the API, then clone + commit + push over HTTP; - sshd reaches authentication: an unauthenticated SSH connection returns Permission denied (publickey) only if the pre-auth privilege-separation child forked (chroot + setuid). The drop-test correctness check additionally asserts the gitea web process runs as the non-root git user (uid 1000) — a health check alone is not enough (forgejo can serve /api/v1/version while failing to drop root or with git-over-SSH broken).

capabilities — derived by drop-test

Scope (run_config + out-of-band conditions)