Forgejo

The internal service is officially designated as the Edge Developer Platform (EDP). It is hosted at edp.buildth.ing. The domain selection followed a democratic team process to establish a unique identity distinct from standard corporate naming conventions.

Technical Architecture & Deployment

Infrastructure Stack

The platform is hosted on the Open Telekom Cloud (OTC). The infrastructure adheres to Infrastructure-as-Code (IaC) principles.

• Deployment Method: The official Forgejo Helm Chart is deployed via ArgoCD.
• Infrastructure Provisioning: Terraform is used to provision all underlying OTC services, including:
  • Container Orchestration: CCE (Cloud Container Engine): Kubernetes
  • Database: RDS (Distributed Cache Service): PostgreSQL
  • Caching: DCS (Distributed Cache Service): Redis
  • Object Storage: OBS (Object Storage Service, S3-compatible): for user data (avatars, attachments).
  • Search: CSS (Cloud Search Service): Elasticsearch

The “Self-Replicating” Pipeline

A key architectural feature is the ability of the platform to maintain itself. A Forgejo Action can trigger the deployment script, which runs Terraform and syncs ArgoCD, effectively allowing “Forgejo to create/update Forgejo.”

graph TD
    subgraph "Open Telekom Cloud (OTC)"
        subgraph "Control Plane"
            Dev[DevOps Engineer] -->|Triggers| Pipeline[Deployment Pipeline]
            Pipeline -->|Executes| TF[Terraform]
        end

        subgraph "Provisioned Infrastructure"
            TF -->|Provisions| CCE[(CCE K8s Cluster)]
            TF -->|Provisions| RDS[(RDS PostgreSQL)]
            TF -->|Provisions| Redis[(DCS Redis)]
            TF -->|Provisions| S3[(OBS S3 Bucket)]
            TF -->|Provisions| CSS[(CSS Elasticsearch)]
        end

        subgraph "Application Layer (on CCE K8s)"
            Pipeline -->|Helm Chart| Argo[ArgoCD]
            Argo -->|Deploys| ForgejoApp[Forgejo]
        end

        CCE -- Runs --> Argo
        CCE -- Runs --> ForgejoApp
        ForgejoApp -->|Connects| RDS
        ForgejoApp -->|Connects| Redis
        ForgejoApp -->|Connects| S3
        ForgejoApp -->|Connects| CSS
    end

Migration History

The initial environment was a manual setup on the Open Sovereign Cloud (OSC). Once the automation stack (Terraform/ArgoCD) was matured, the platform was migrated to the current OTC environment.

Application Extensions

Core Functionality

Beyond standard Git versioning, the platform utilizes:

• Releases: Hosting binaries for software distribution (e.g., Edge Connect CLI).
• CI/CD: Extensive pipeline usage for build, test, and deployment automation.
• Note on Issues: While initially used, issue tracking was migrated to JIRA to align with the broader IPCEI program standards.

GARM (Git-based Actions Runner Manager)

The primary technical innovation was the integration of GARM to enable ephemeral, scalable runners. This required extending Forgejo’s capabilities to support GitHub-compatible runner registration and webhook events.

Development Methodology & Contributions

Workflow

• Branching Strategy: Trunk-based development was utilized to ensure rapid integration.
• Collaboration: The team adopted Mob Programming. This practice proved essential for knowledge sharing and onboarding junior developers, creating a resilient and high-intensity learning environment.
• Versions: The platform evolved from Forgejo v7/8 through v11.0.3-edp1 to the current v14 (upgraded Q1 2026, IPCEICIS-7848). The Forgejo 14 upgrade resolved outstanding version lag and enabled adoption of the latest upstream GARM integration features.

Open Source Contributions

We actively contributed our extensions back to the upstream Forgejo project in a list of Codeberg.org pull requests

Artifact Caching (Pull-Through Proxy)

We implemented a feature allowing Forgejo to act as a pull-through proxy for remote container registries, optimizing bandwidth and build speeds.

• Source Code Branch: refactor-remote-registry-client

Security & Platform Hardening (2026)

A security hardening initiative was completed in Q1 2026 across the EDP platform:

Multi-Factor Authentication

MFA is now enabled and enforced for all EDP platform users at edp.buildth.ing. Users are required to configure a TOTP-compatible authenticator on next login.

Forgejo Administration Cleanup

A review of Forgejo administration accounts and service accounts was carried out. Redundant admin and bot accounts were removed or scoped down, tightening the overall access surface of the platform.

Automated Vulnerability Scanning (Trivy)

Trivy vulnerability scanning is now automated in EDP CI/CD pipelines via a Forgejo Action. Scans cover container images, source code dependencies, and IaC configurations. Results are automatically uploaded to the Dependency-Track instance for tracking and triage.

Redis Reliability Fix

Redis (the Distributed Cache Service powering Forgejo on OTC) was prone to filling up under active crawling load, causing 500 errors across Forgejo operations. An automated remediation was implemented:

• An OTC Cloud Eye alarm monitors Redis memory usage
• A notification channel triggers a cloud function when the threshold is approached
• The cloud function automatically clears Redis data before it causes Forgejo to break

This eliminates the need for manual intervention to restore Forgejo availability after Redis saturation events.

Key Performance Indicators (KPIs)

These KPIs measure the effectiveness of the Forgejo setup and quantify our strategic commitment to the Forgejo community.