I am experimenting with using forgejo instead of GitHub for my personal projects. So far I like it, however I would like to make it available to the outside world at some point.

I was wondering what kind of traps I should avoid. The following things come to mind so far:

• Forgejo Actions seem like a massive potential security risk, however I do not intend to enable sign up for other
• OpenID appears to be a thing for forgejo, I do not know how it works and it seems like it would allow access to my instance even with registering disabled
• I would put the instance behind a nginx as reverse proxy, but how do you keep bot traffic to a minimum? Anubis?

I feel like there are a ton of things I have not thought of, which is why I am holding off on making anything available without a VPN so far.