When a new user logs in via Authentik OIDC for the first time,
Forgejo tries to fetch the 'picture' claim as an avatar — but
Authentik delivers a 'data:image/svg+xml;base64,...' URL that
Forgejo can't store. Result: DB has an avatar hash but no file,
so /avatars/<hash> returns 404, the <img> is in broken state,
and the activity page's canvas renderer crashes with
'drawImage on broken state'.
Fix (per user, after first login):
UPDATE "user" SET avatar = '', use_custom_avatar = false
WHERE lower_name = '<name>';
Triggers Forgejo's default identicon generation, which works.
This commit:
- Adds ADR-0007 with full root cause + three rejected alternatives
- Updates docs/adr/README.md index
- Extends stacks/forgejo/Agent.md 'Known Gotchas' with the fix
- Appends the fix to docs/runbooks/forgejo-admin-recovery.md
Applied for user 'bw' already on 2026-04-12.
Refs OP#1119
Benjamin Weinlich
09925f7eda