diff --git a/community/gitea/PKGBUILD b/community/gitea/PKGBUILD
index 70a60e088..0b993303c 100644
--- a/community/gitea/PKGBUILD
+++ b/community/gitea/PKGBUILD
@@ -7,14 +7,14 @@
 #  - don't check repo signature until author puts his keys on keyservers
 
 pkgname=gitea
-pkgver=1.11.6
-pkgrel=2
+pkgver=1.12.3
+pkgrel=1
 pkgdesc="Painless self-hosted Git service. Community managed fork of Gogs."
 arch=(x86_64)
 url="https://gitea.io"
 license=(MIT)
 depends=(git)
-makedepends=(go npm)
+makedepends=(go nodejs npm)
 optdepends=(
   'mariadb: MariaDB support'
   'memcached: MemCached support'
@@ -25,7 +25,7 @@ optdepends=(
   'sqlite: SQLite support'
 )
 backup=('etc/gitea/app.ini')
-_tag=e04839f012b2995cd2d0ba45d018c2266af9400b # git rev-parse v${pkgver}
+_tag=846e630b0d88c9ae8bda54199dffbd7de23947b9 # git rev-parse v${pkgver}
 source=("git+https://github.com/go-gitea/gitea.git#tag=${_tag}"
         gitea.tmpfiles
         gitea.service
@@ -33,9 +33,9 @@ source=("git+https://github.com/go-gitea/gitea.git#tag=${_tag}"
         gitea-arch-defaults.patch)
 sha256sums=('SKIP'
             '1521fd7edc3830c695698ffe9835709f1408040b5ec989f07410972c894fa8ba'
-            '7789b3f6699b9e111fa080226047cdc765e55ff49a3f72aac989c11c06c3e7e0'
+            '5fce4772781c588b861cb97b3aa0945ca5a9a8120285080934a0ccbcb5503da8'
             '7e7b798b8ce035c1fb55993ece41c5efb6cad5922708866804fa50ada0cf9fa5'
-            '1fb97d8c77f5e66fcbe65b7e0c04e683adfb77ce89217cec16f2da998131b0f4')
+            '33ef77053a6bc8e2f5d9b62c92681909858d78356dfc7970616c42ad1dc60c57')
 validpgpkeys=(
   8C4033A23895237CB27D52D9D9B5613BEB813F99  # Matti Ranta <matti@mdranta.net> old RSA2048, retrieved from https://github.com/techknowlogick.gpg
   B56E3C7437A49E136862F5DE9D8A57ADAA232E95  # Matti Ranta <matti@mdranta.net> new RSA4096, retrieved from https://github.com/techknowlogick.gpg
@@ -61,19 +61,20 @@ pkgver() {
 build() {
   cd ${pkgname}
   export GOGC=50
-  make generate
   export CGO_CPPFLAGS="${CPPFLAGS}"
   export CGO_CFLAGS="${CFLAGS}"
   export CGO_CXXFLAGS="${CXXFLAGS}"
   export CGO_LDFLAGS="${LDFLAGS}"
-  LDFLAGS="-linkmode external -extldflags \"${LDFLAGS}\" -X \"code.gitea.io/gitea/modules/setting.AppWorkPath=/var/lib/gitea/\""
-  make EXTRA_GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw" TAGS="sqlite pam" build
+  export EXTRA_GOFLAGS="-buildmode=pie -trimpath -mod=readonly -modcacherw"
+  export LDFLAGS="-X 'code.gitea.io/gitea/modules/setting.AppWorkPath=/var/lib/gitea/'"
+  export TAGS="bindata sqlite sqlite_unlock_notify pam"
+  make frontend
+  make generate
+  make build
 }
 
 package() {
   install -Dm755 ${pkgname}/${pkgname} -t "${pkgdir}"/usr/bin/
-  install -dm755 "${pkgdir}"/usr/share/${pkgname}
-  cp -dr --no-preserve=ownership ${pkgname}/{options,public,templates} "${pkgdir}"/usr/share/${pkgname}/
   install -Dm644 ${pkgname}/LICENSE -t "${pkgdir}"/usr/share/licenses/${pkgname}/
   install -Dm644 ${pkgname}.service -t "${pkgdir}"/usr/lib/systemd/system/
   install -Dm644 ${pkgname}.tmpfiles "${pkgdir}"/usr/lib/tmpfiles.d/${pkgname}.conf
diff --git a/community/gitea/gitea-arch-defaults.patch b/community/gitea/gitea-arch-defaults.patch
index feee3e091..5d7b98f0a 100644
--- a/community/gitea/gitea-arch-defaults.patch
+++ b/community/gitea/gitea-arch-defaults.patch
@@ -1,6 +1,6 @@
 --- a/custom/conf/app.ini.sample
 +++ b/custom/conf/app.ini.sample
-@@ -8,12 +8,12 @@
+@@ -7,12 +7,12 @@
  ; App name that shows in every page title
  APP_NAME = Gitea: Git with a cup of tea
  ; Change it if you run locally
@@ -16,16 +16,7 @@
  SCRIPT_TYPE = bash
  ; Default ANSI charset
  ANSI_CHARSET =
-@@ -280,7 +280,7 @@ CERT_FILE = https/cert.pem
- KEY_FILE = https/key.pem
- ; Root directory containing templates and static files.
- ; default is the path where Gitea is executed
--STATIC_ROOT_PATH =
-+STATIC_ROOT_PATH = /usr/share/gitea
- ; Default path for App data
- APP_DATA_PATH = data
- ; Application level GZIP support
-@@ -342,7 +342,7 @@ SQLITE_TIMEOUT = 500
+@@ -378,7 +378,7 @@ SQLITE_TIMEOUT = 500
  ; For iterate buffer, default is 50
  ITERATE_BUFFER_SIZE = 50
  ; Show the database generated SQL
@@ -34,7 +25,7 @@
  ; Maximum number of DB Connect retries
  DB_RETRIES = 10
  ; Backoff time per DB retry (time.Duration)
-@@ -697,10 +697,10 @@ FORMAT =
+@@ -751,10 +751,10 @@ FORMAT =
  DEFAULT_UI_LOCATION =
 
  [log]
@@ -47,7 +38,7 @@
  ; Buffer length of the channel, keep it as it is if you don't know what it is.
  BUFFER_LEN = 10000
  REDIRECT_MACARON_LOG = false
-@@ -725,7 +725,7 @@ COLORIZE = false
+@@ -779,7 +779,7 @@ COLORIZE = false
 
  ; For "console" mode only
  [log.console]
diff --git a/community/gitea/gitea.service b/community/gitea/gitea.service
index d9b2f8d64..ac10cdd2a 100644
--- a/community/gitea/gitea.service
+++ b/community/gitea/gitea.service
@@ -21,18 +21,23 @@ Restart=always
 RestartSec=2s
 CapabilityBoundingSet=
 NoNewPrivileges=True
-PrivateUsers=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
+#SecureBits=noroot-locked
 ProtectSystem=strict
-ProtectControlGroups=yes
-ProtectKernelTunables=true
-ProtectKernelModules=yes
+ProtectHome=true
 ReadWritePaths=/etc/gitea/app.ini
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
 LockPersonality=true
 MemoryDenyWriteExecute=true
 RestrictRealtime=true
+RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service