Package registry

fremforge includes a built-in package registry supporting nine package formats. Packages live inside your org and authenticate with the same Personal Access Token (PAT) you use for the API and Git operations.

Supported package types

Authentication

All registry operations authenticate with a Personal Access Token (PAT). Create one at User settings → Applications → Generate token. Required scopes:

• read:packages, pull/install packages
• write:packages, publish packages

For CI pipelines use ${{ secrets.FORGEJO_TOKEN }}. The built-in per-job token has read:packages by default. Add write:packages explicitly if the job publishes packages:

permissions:
  packages: write

npm

Add a .npmrc file to your project root:

@<org>:registry=https://npm.frem.sh/<org>/
//npm.frem.sh/<org>/:_authToken=${FORGEJO_TOKEN}

Publish (package name must be scoped @<org>/package-name):

npm publish

Install:

npm install @<org>/package-name

Docker / OCI

Log in:

docker login frem.sh -u <username> -p <PAT>

Push and pull:

docker push frem.sh/<org>/<image>:<tag>
docker pull frem.sh/<org>/<image>:<tag>

In CI, use the official login action:

- name: Login to fremforge registry
  uses: docker/login-action@v3
  with:
    registry: frem.sh
    username: ${{ github.actor }}
    password: ${{ secrets.FORGEJO_TOKEN }}

Maven

Add the distribution repository to pom.xml:

<distributionManagement>
  <repository>
    <id>fremforge</id>
    <url>https://maven.frem.sh/<org>/</url>
  </repository>
</distributionManagement>

Add credentials to ~/.m2/settings.xml:

<servers>
  <server>
    <id>fremforge</id>
    <username>your-username</username>
    <password>your-PAT</password>
  </server>
</servers>

NuGet

Register the source:

dotnet nuget add source https://nuget.frem.sh/<org>/v3/index.json \
  --name fremforge \
  --username <username> \
  --password <PAT>

PyPI

Publish with twine (username = your fremforge username, password = PAT):

twine upload --repository-url https://pypi.frem.sh/<org>/ dist/*

Install:

pip install --index-url https://pypi.frem.sh/<org>/ package-name

Or configure pip.conf persistently:

[global]
index-url = https://<username>:<PAT>@pypi.frem.sh/<org>/

Composer

Add to auth.json in your project root:

{
  "http-basic": {
    "composer.frem.sh": {
      "username": "<username>",
      "password": "<PAT>"
    }
  }
}

RubyGems

Push a gem with an API key:

gem push --key fremforge \
  --host https://rubygems.frem.sh/<org>/ \
  your-gem-0.1.0.gem

Cargo

Add the registry to .cargo/config.toml:

[registries]
fremforge = { index = "https://cargo.frem.sh/<org>/" }

Add credentials to ~/.cargo/credentials.toml:

[registries.fremforge]
token = "Bearer <PAT>"

Publish:

cargo publish --registry fremforge

Go modules

Go modules are served directly from the repository URL with no separate registry endpoint:

go get frem.sh/<org>/<repo>@v1.2.3

If your Go module is private, mark it as such so the Go toolchain skips the public proxy and checksum database:

export GOPRIVATE=frem.sh/<org>/*

GOPRIVATE is the canonical Go env var for this; it disables GOPROXY and GOSUMDB lookups for matching paths in one setting. For go get to authenticate, configure your Git credential helper to pass the PAT for frem.sh.

Container image scanning

Images pushed to the registry are automatically scanned with Trivy. Results appear in Org admin → Code security → Container images. See Security and supply chain for configuration details.

Retention and cleanup

Packages are retained indefinitely by default.

• Delete a version via UI: package detail page → Delete version.
• Delete via API: DELETE /orgs/<org>/packages/<type>/<name>/<version>
• Bulk cleanup: Org admin → Packages → Cleanup policies, match tags by regex, keep the latest N versions.

Storage quota

Cross-references

• Security and supply chain, container image scanning configuration
• CI runners, publishing packages from workflow jobs
• Public REST API, programmatic package management