Ok, so, perhaps I'm just overthinking a stupid issue here, and worried about nothing.

While upgrading from Gogs 0.13.2 to 0.13.3, I was carefully looking at the logs, to spot any mistakes I might have done during the (manual) upgrade. And I noticed a strange, recurring error on the logs, which, however, does not happen all the time:

[...]
2025/07/01 00:05:09 [TRACE] Template: repo/home
2025/07/01 00:05:09 [TRACE] Session ID: 2f5ea60dd66387f4
2025/07/01 00:05:09 [TRACE] CSRF Token: HJaUzX2iyyiAsYwpNYjP_cxnGIg6MTc1MTMyNDcwOTIwODA1Nzc5Nw
2025/07/01 00:05:09 [TRACE] Detected encoding: UTF-8 (fast)
2025/07/01 00:05:09 [TRACE] Template: repo/home
2025/07/01 00:05:14 [TRACE] Session ID: a2748cafd783d01f
2025/07/01 00:05:14 [TRACE] CSRF Token: ESvhxz6IpW0PCoQjbrPw9uL_BDM6MTc1MTMyNDcxNDQ4MzQ2NTAyMg
2025/07/01 00:05:14 [ERROR] [...io/gogs/internal/context/repo.go:280 32()] get branches: exit status 1
2025/07/01 00:05:14 [TRACE] Template: status/500
2025/07/01 00:05:14 [TRACE] Session ID: ecf5a085c99cea0c
2025/07/01 00:05:14 [TRACE] CSRF Token: jmk-qQeck9aFLqmDAv_jckcayWg6MTc1MTMyNDcxNDg5OTkyMzAwMA
2025/07/01 00:05:14 [ERROR] [...io/gogs/internal/context/repo.go:280 32()] get branches: exit status 1
2025/07/01 00:05:14 [TRACE] Template: status/500
2025/07/01 00:05:23 [TRACE] Session ID: 3e4dc0d5dab7144b
2025/07/01 00:05:23 [TRACE] CSRF Token: eKzYaDTKoDvFzQuSEMzOiF6DTtw6MTc1MTMyNDcyMzEzMjUwMjE2NQ
2025/07/01 00:05:23 [ERROR] [...io/gogs/internal/context/repo.go:280 32()] get branches: exit status 1
2025/07/01 00:05:23 [TRACE] Template: status/500
2025/07/01 00:05:23 [TRACE] Session ID: 1667f26a0bc87913
2025/07/01 00:05:23 [TRACE] CSRF Token: l0RWGNV8kzhRPmyKZga6cR6xHWw6MTc1MTMyNDcyMzY4OTEwODgwNw
2025/07/01 00:05:23 [ERROR] [...io/gogs/internal/context/repo.go:280 32()] get branches: exit status 1
2025/07/01 00:05:23 [TRACE] Template: status/500
2025/07/01 00:05:27 [TRACE] Session ID: a1c5eb6dcfdc74b6
2025/07/01 00:05:27 [TRACE] CSRF Token: kekjSXoHbbOXzcAZpPlDIZ85zMc6MTc1MTMyNDcyNzEzMTExOTQ1NA
2025/07/01 00:05:27 [ERROR] [...io/gogs/internal/context/repo.go:280 32()] get branches: exit status 1
2025/07/01 00:05:27 [TRACE] Template: status/500
2025/07/01 00:05:27 [TRACE] Session ID: 79bd511ed4ad680f
2025/07/01 00:05:27 [TRACE] CSRF Token: IotfUo7FA3GmBpekl-5FP606Kg46MTc1MTMyNDcyNzQwNTA1ODI5Nw
2025/07/01 00:05:27 [ERROR] [...io/gogs/internal/context/repo.go:280 32()] get branches: exit status 1
2025/07/01 00:05:27 [TRACE] Template: status/500
2025/07/01 00:05:28 [TRACE] Session ID: 7a42d173938506d1
2025/07/01 00:05:28 [TRACE] CSRF Token: UkmxIuDAJW1_e1Zkajg9l2vSN-Q6MTc1MTMyNDcyODQ2ODc2MDg4NQ
2025/07/01 00:05:28 [ERROR] [...io/gogs/internal/context/repo.go:280 32()] get branches: exit status 1
2025/07/01 00:05:28 [TRACE] Template: status/500
2025/07/01 00:05:28 [TRACE] Session ID: 7b1be47be41f944e
2025/07/01 00:05:28 [TRACE] CSRF Token: cCekx0Tc1SLuHc3q2CAKDBbSHx46MTc1MTMyNDcyODkyOTUxODE1MQ
2025/07/01 00:05:29 [TRACE] Template: repo/home
2025/07/01 00:05:29 [TRACE] Session ID: cdeee0d46f2b3256
2025/07/01 00:05:29 [TRACE] CSRF Token: AieryWtYd7G9MFlEonDQ534gfgQ6MTc1MTMyNDcyOTM5MzAxNzkyOA
2025/07/01 00:05:29 [TRACE] Template: repo/home
2025/07/01 00:05:32 [TRACE] Session ID: d551ea8551c43e6f
2025/07/01 00:05:32 [TRACE] CSRF Token: gMFHfL1jeEtNvaB9aqqPPs89Uk06MTc1MTMyNDczMjM0MzU5NDc3NA
[...]

Now, what surprised me at first was that there were so many trace messages for my single-user Gogs installation. While most of it is public, and some of the repos there are either mirrored from GitHub/GitLab, or they are the origin for GitHub/GitLab to mirror them — so, a few automated messages from the mirroring would be expected — otherwise, I would expect next-to-zero traffic. And, in fact, I am not really seeing any 500 errors. So, I thought, what is going on there?

And, most importantly, how can I prevent this error from happening? I first thought it was a template error (I'm using a tweaked version of a 'dark mode' template); but as you can see in the example above, several templates exhibit the error, and this doesn't really make sense.

The relevant bit of code which dumps the error comes from

// [...]
		c.Data["TagName"] = c.Repo.TagName
		branches, err := c.Repo.GitRepo.Branches()
		if err != nil {
			c.Error(err, "get branches")
			return
		}
		c.Data["Branches"] = branches
		c.Data["BranchCount"] = len(branches)
// [...]

...and, after unravelling this code, I sort of figured out that ultimately this is a call from the included github.com/gogs/git-module, which, to my surprise, contains wrapper code to fork an external instance of git to perform some of the operations (!) — I always thought that everything was handled in native Go!

So, whatever is issuing this error, it comes from an attempt at figuring out which branches are active/available/listed for a specific repository — and that operation fails, and an error is propagated until it reaches this level of the code. Unfortunately, the only "error" we get is that the forked process exited abnormally, but the reason for that remains unknown.

Theoretically, though, this shouldn't be happening "spontaneously", that is, "something" ought to be calling a specific page on Gogs, which (probably) requires a list of all branches, which, in turn, fails for some reason, but this trace doesn't log anything very useful for tracking down the culprit.

However, I had a way to figure it out!

You see, my Gogs installation, while open to the public, has two layers of protection. The first is the locally-running nginx server, which does some clever filtering measure (to catch the worst of the worst intruders) and a bit of additional caching; and on top of that, I run all my domains (well, except for two) behind the Cloudflare firewalled global caching system, which does much more clever checks than my humble nginx installation does.

Nevertheless, since it's nginx that gets the URL to pass it to Gogs — which runs on localhost and is not directly accessible from the 'net — and such URLs get logged by nginx as well. To my utter surprise... there was quite a lot of traffic there! Namely, from legitimate 'bots — the usual suspects (Google, Bing, ahrefs...) but also the brand-new ones which scrape the 'net for content to train their AIs with, such as Meta's. All these are pre-vetted by Cloudflare, of course, and even my nginx configuration, by default, lets them through — I don't really have no reason to block them, unless they're disrespecting the limits set on robots.txt (which the legitimate 'bots rarely do).

I didn't notice any 'suspicious' activity, either — just the expected, regular web-scraping URLs. Nevertheless, it seems clear to me that some of the 'bots must have the wrong URLs (which nginx cannot check for), asking for data in repositories that don't exist any more or have gone through substantial changes, which, in turn, makes Gogs give an error when trying to retrieve a non-existing repository (or a deleted branch from an existing repository). In other words, this is all 'normal and expected behaviour', and I shouldn't worry too much about it...

... right?

On the other hand, if a substantial number of invalid pages are due to failed forked processes, these do consume resources shared with other, more important processes running in the same machine; and, naturally enough, I'd love to avoid those that are simply being throwing away because they're broken/non-existing — but do that before the (useless) forking happens.

Is whatever I'm asking for feasible to do under the current version of Gogs?

If not... how could this somehow be circumvented?

That said, I thank you all in advance for any insights you may wish to share!