Gitea
The Gitea provider tracks the tags and releases of a repository on a Gitea or Forgejo forge. One provider serves every instance of the API. The flavor key selects which public forge to target: codeberg (the default, on codeberg.org), forgejo (on code.forgejo.org), or gitea (on gitea.com).
# clover: provider=gitea repository=forgejo/forgejo constraint=minor
FROM codeberg.org/forgejo/forgejo:15.0.3
Keys
| Key | Description |
|---|---|
provider | gitea |
repository | The repository as owner/name |
flavor | Which forge to target: codeberg (default), forgejo, or gitea |
source | What to list: tags (default) or releases |
asset | Keep only releases publishing a matching asset (needs source=releases) |
constraint | How far the version may move (major/minor/patch, or a semver range) |
include | Keep only matching tags |
exclude | Drop matching tags |
prerelease | Allow or exclude prerelease versions |
cooldown | Require a minimum age before a version is eligible |
verify[-branch] | Deep-verify a secure pin against upstream |
A repository is a flat owner/name, since Gitea and Forgejo organize repositories under a single owner with no nested subgroups. Each flavor names one fixed host, so flavor=gitea tracks gitea.com/owner/name and flavor=forgejo tracks code.forgejo.org/owner/name.
Tags and releases
Gitea orders tags by creation date and offers no version sort, so the newest tag, not necessarily the highest version, heads the listing. A shallow lookup reads the first page, and when more tags remain, Clover suggests --deep to read them all. A tag records the commit SHA it points at, but a release does not (Gitea’s release target may be empty or a branch name, not a SHA), so a value=commit follower works with source=tags.
A release carries its publication date, used by cooldown, and an upstream prerelease flag, which prerelease filtering honors even when the tag itself looks stable. A tag carries no date of its own on Gitea, only its target commit’s, so Clover cannot age a tag without guessing. Rather than update past a cooldown it cannot check, a cooldown on source=tags skips the marker with a warning and holds the line; use source=releases to have it apply. A draft release is unpublished and never a candidate.
Selecting by asset
asset keeps only releases whose attachments contain a name matching its glob (or /regex/), then selects the newest of those. It requires source=releases, since only releases publish assets. Gitea does not publish a checksum alongside a release asset, so a value=sha256 follower must source one from a checksum file rather than asset metadata.
Authentication
Anonymous requests work but are rate-limited, and private repositories need a token. Authenticate once with a browser login:
clover login gitea # Codeberg (the default flavor)
clover login gitea --host gitea.com # another flavor's host
This opens the host’s authorization page, captures the result on a local loopback port, and stores a read-only token in your system keychain under that host (refreshed automatically as it expires). It uses Gitea’s built-in tea OAuth application, so no app registration is needed on a stock instance. Pass --client-id if the instance disabled its built-in applications. Because it drives a local browser and loopback, run it on your own machine, and over SSH use a token instead.
Alternatively, set CLOVER_GITEA_TOKEN (or the ecosystem-standard GITEA_TOKEN) to a personal access token with read access. The environment variable takes precedence, suiting CI and headless runs. For safety it is sent only to Codeberg, the default flavor’s host, so a marker that names a different flavor never receives the token. To authenticate against another flavor, log in with clover login gitea --host instead.