diff --git a/cc-ci-plan/upstream/gitea.md b/cc-ci-plan/upstream/gitea.md
new file mode 100644
index 0000000..f57ba92
--- /dev/null
+++ b/cc-ci-plan/upstream/gitea.md
@@ -0,0 +1,15 @@
+# Upstream sources — gitea
+
+| service | image | source repo | releases / changelog |
+|---------|-------|-------------|----------------------|
+| app     | gitea/gitea | https://github.com/go-gitea/gitea | https://github.com/go-gitea/gitea/releases |
+| db      | postgres | https://github.com/postgres/postgres | https://www.postgresql.org/docs/release/ |
+
+## Standing notes
+- **postgres major version**: recipe uses plain postgres (not pgautoupgrade); pg_backup.sh uses pg_dump/psql (logical backup, not pg_upgrade). Major version bump (e.g. 15→16) requires operator to manually restore from logical backup — no auto-migration tooling. Bump only within same major (e.g. 15.13→15.18) unless recipe adds pg_upgrade support.
+- **compose.postgres.yml**: postgres is an optional overlay (not in the main compose.yml). The cc-ci tests determine whether the postgres overlay is used.
+- **1.25.0**: Removed deprecated auth sources — legacy auth setups may need reconfiguration.
+- **1.25.0**: CreateVariable API now returns 201 instead of 200 — API consumers may need updating.
+- **1.26.0**: Removed GET API registration-token endpoint — scripts using this endpoint must update.
+- **1.26.0**: PUBLIC_URL_DETECTION now defaults to 'auto' — verify reverse proxy setups work after upgrade.
+- **1.26.2**: Multiple CVE security fixes — strongly recommended upgrade.