diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf
index f9adb955..d271ffa0 100644
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@@ -11,6 +11,12 @@ resource "kubernetes_namespace" "forgejo" {
 "istio-injection" : "disabled"
 tier = local.tiers.edge
 "keel.sh/enrolled" = "true"
+ # Opt out of the auto-generated tier-3-edge ResourceQuota (caps
+ # requests.memory at 4Gi). Forgejo's own pod requests 4Gi (the
+ # git + OCI-registry backbone, Guaranteed QoS), which pegged that
+ # tier quota at 100% and fired KubeQuotaAlmostFull. The
+ # forgejo-specific quota below gives headroom. Same pattern as dbaas.
+ "resource-governance/custom-quota" = "true"
 }
 }
 lifecycle {
@@ -19,6 +25,26 @@ resource "kubernetes_namespace" "forgejo" {
 }
 }
 
+# Custom ResourceQuota — replaces the tier-3-edge auto quota (opted out via the
+# resource-governance/custom-quota label above). requests.memory is 8Gi so the
+# 4Gi Forgejo pod sits at ~50% (clears KubeQuotaAlmostFull + the healthcheck
+# resourcequota check) with room for a transient migration/sidecar pod. To
+# raise Forgejo's memory limit past 4Gi later, bump requests.memory here too.
+resource "kubernetes_resource_quota" "forgejo" {
+ metadata {
+ name = "forgejo-quota"
+ namespace = kubernetes_namespace.forgejo.metadata[0].name
+ }
+ spec {
+ hard = {
+ "requests.cpu" = "4"
+ "requests.memory" = "8Gi"
+ "limits.memory" = "32Gi"
+ pods = "30"
+ }
+ }
+}
+
 module "tls_secret" {
 source = "../../modules/kubernetes/setup_tls_secret"
 namespace = kubernetes_namespace.forgejo.metadata[0].name
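Review bot: The `"resource-governance/custom-quota" = "true"` label turns off the tier quota for an edge-tier namespace, but the added comment only says a replacement exists "below" and does not record that the replacement is mandatory. If `kubernetes_resource_quota.forgejo` is later renamed or dropped while the label stays, the namespace would, going by the mechanism the comment describes, be left with no ResourceQuota at all. I would end the comment with `# Must stay paired with kubernetes_resource_quota.forgejo; without it this namespace has no quota.` The labels map and the enclosing resource start and end outside the hunk.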
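Review bot: In the `hard` map of `kubernetes_resource_quota.forgejo`, `"limits.memory" = "32Gi"` and `pods = "30"` are much wider than the sizing the comment gives (one 4Gi pod plus a transient migration/sidecar pod), and there is no `limits.cpu` entry. On an edge-tier namespace that hosts the git and OCI-registry service, this quota bounds how much of the cluster a runaway or abused workload can claim, so the caps should follow the stated need. If the two values are carried over from the tier default, say so in the comment; otherwise something like `"limits.memory" = "16Gi"` and `pods = "10"` (example values, size them to the real workload) still leaves headroom. Adding `"limits.cpu"` would bound the CPU side as well, but Kubernetes then rejects pods that declare no cpu limit, so it needs container limits or a LimitRange default in place first.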