only provide token to jobs with id-token: write permission
parent
b265b40680
commit
6351ceaaee
6 changed files with 19 additions and 8 deletions
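--- a/go.mod
+++ b/go.mod
@@ -294,6 +294,6 @@ replace github.com/hashicorp/go-version => github.com/6543/go-version v1.3.1
 
 replace github.com/shurcooL/vfsgen => github.com/lunny/vfsgen v0.0.0-20220105142115-2c99e1ffdfa0
 
-replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.21.3
+replace github.com/nektos/act => code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e
 
 replace github.com/mholt/archiver/v3 => code.forgejo.org/forgejo/archiver/v3 v3.5.1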
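--- a/go.sum
+++ b/go.sum
@@ -4,8 +4,6 @@ code.forgejo.org/f3/gof3/v3 v3.7.0 h1:ZfuCP8CGm8ZJbWmL+V0pUu3E0X4FCAA7GfRDy/y5/K
 code.forgejo.org/f3/gof3/v3 v3.7.0/go.mod h1:oNhOeqD4DZYjVcNjQXIOdDX9b/1tqxi9ITLS8H9/Csw=
 code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251 h1:HTZl3CBk3ABNYtFI6TPLvJgGKFIhKT5CBk0sbOtkDKU=
 code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251/go.mod h1:PphB88CPbx601QrWPMZATeorACeVmQlyv3u+uUMbSaM=
-code.forgejo.org/forgejo/act v1.21.3 h1:EeJbrz0aar2QhIcBlOW5gjK1rjrQxcAvQSPpG/R1h5w=
-code.forgejo.org/forgejo/act v1.21.3/go.mod h1:+PcvJ9iv+NTFeJSh79ra9Jbk9l0vvyA9D9me5/dbxYM=
 code.forgejo.org/forgejo/archiver/v3 v3.5.1 h1:UmmbA7D5550uf71SQjarmrn6yKwOGxtEjb3jaYYtmSE=
 code.forgejo.org/forgejo/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
 code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
@@ -16,6 +14,8 @@ code.forgejo.org/go-chi/captcha v0.0.0-20240905153133-df43b9250ed5 h1:A7P1liXCpJ
 code.forgejo.org/go-chi/captcha v0.0.0-20240905153133-df43b9250ed5/go.mod h1:YLOsiln/arX3egGtxG4QNp49G2CIqP9pqD2VL56obLc=
 code.forgejo.org/go-chi/session v0.0.0-20240905153124-557e3de77cd2 h1:Ht2myT1qf4YbLcO/W3pQaWTn6PPdKz0tM5tnqMOz/Cg=
 code.forgejo.org/go-chi/session v0.0.0-20240905153124-557e3de77cd2/go.mod h1:oJs2Q5P5I7bzJGsgHt6fVzh2jlIr/9SLAvz/ZXb87BI=
+code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e h1:3zms7edYa3uqTRSJj+TenW3bjCBRLD3eHlWtWSO3W3E=
+code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e/go.mod h1:+PcvJ9iv+NTFeJSh79ra9Jbk9l0vvyA9D9me5/dbxYM=
 code.gitea.io/actions-proto-go v0.4.0 h1:OsPBPhodXuQnsspG1sQ4eRE1PeoZyofd7+i73zCwnsU=
 code.gitea.io/actions-proto-go v0.4.0/go.mod h1:mn7Wkqz6JbnTOHQpot3yDeHx+O5C9EGhMEE+htvHBas=
 code.gitea.io/gitea-vet v0.2.3 h1:gdFmm6WOTM65rE8FUBTRzeQZYzXePKSSB1+r574hWwI=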
|
@ -21,6 +21,7 @@ import (
|
||||||
runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
|
runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
|
||||||
lru "github.com/hashicorp/golang-lru/v2"
|
lru "github.com/hashicorp/golang-lru/v2"
|
||||||
"github.com/nektos/act/pkg/jobparser"
|
"github.com/nektos/act/pkg/jobparser"
|
||||||
|
"github.com/nektos/act/pkg/model"
|
||||||
"google.golang.org/protobuf/types/known/timestamppb"
|
"google.golang.org/protobuf/types/known/timestamppb"
|
||||||
"xorm.io/builder"
|
"xorm.io/builder"
|
||||||
)
|
)
|
||||||
|
@ -56,6 +57,8 @@ type ActionTask struct {
|
||||||
|
|
||||||
Created timeutil.TimeStamp `xorm:"created"`
|
Created timeutil.TimeStamp `xorm:"created"`
|
||||||
Updated timeutil.TimeStamp `xorm:"updated index"`
|
Updated timeutil.TimeStamp `xorm:"updated index"`
|
||||||
|
|
||||||
|
Permissions model.Permissions `xorm:"json"`
|
||||||
}
|
}
|
||||||
|
|
||||||
var successfulTokenTaskCache *lru.Cache[string, any]
|
var successfulTokenTaskCache *lru.Cache[string, any]
|
||||||
|
@ -286,6 +289,8 @@ func CreateTaskForRunner(ctx context.Context, runner *ActionRunner) (*ActionTask
|
||||||
_, workflowJob = gots[0].Job()
|
_, workflowJob = gots[0].Job()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
task.Permissions = workflowJob.Permissions
|
||||||
|
|
||||||
if _, err := e.Insert(task); err != nil {
|
if _, err := e.Insert(task); err != nil {
|
||||||
return nil, false, err
|
return nil, false, err
|
||||||
}
|
}
|
||||||
|
|
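Review bot: The new `Permissions model.Permissions \`xorm:"json"\`` field on ActionTask is undocumented and none of the six files in this commit is a migration for it; if the project relies on automatic table sync the column is added with an empty value for every existing task, and if it does not, a migration is needed — confirm which applies. Either way, tasks that predate this column decode to the zero Permissions, whose IDToken is not "write", so the checks in GetSecretsOfTask and pickTask fail closed for them; that is the safe direction but worth stating on the field, e.g. `// Permissions is the job-level "permissions" block parsed from the workflow when the task is created; rows that predate this column decode to the zero value, which the id-token checks do not treat as write.` The type comes from the act fork that go.mod now pins to a pseudo-version of code.forgejo.org/thefinn93/act instead of a tagged code.forgejo.org/forgejo/act release, so the JSON shape persisted in the task table is tied to that fork commit until it lands upstream. CreateTaskForRunner starts and ends outside the hunk.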
|
@ -9,7 +9,6 @@ import (
|
||||||
|
|
||||||
"code.gitea.io/gitea/models/db"
|
"code.gitea.io/gitea/models/db"
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
"code.gitea.io/gitea/modules/setting"
|
|
||||||
"code.gitea.io/gitea/modules/timeutil"
|
"code.gitea.io/gitea/modules/timeutil"
|
||||||
|
|
||||||
"xorm.io/builder"
|
"xorm.io/builder"
|
||||||
|
@ -103,9 +102,7 @@ func DeleteVariable(ctx context.Context, id int64) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
|
func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
|
||||||
variables := map[string]string{
|
variables := map[string]string{}
|
||||||
"ACTIONS_ID_TOKEN_REQUEST_URL": setting.AppURL + "api/actions_idtoken?api-version=2.0",
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := run.LoadRepo(ctx); err != nil {
|
if err := run.LoadRepo(ctx); err != nil {
|
||||||
log.Error("LoadRepo: %v", err)
|
log.Error("LoadRepo: %v", err)
|
||||||
|
|
|
@ -135,7 +135,10 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[
|
||||||
|
|
||||||
secrets["GITHUB_TOKEN"] = task.Token
|
secrets["GITHUB_TOKEN"] = task.Token
|
||||||
secrets["GITEA_TOKEN"] = task.Token
|
secrets["GITEA_TOKEN"] = task.Token
|
||||||
secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token
|
|
||||||
|
if task.Permissions.IDToken == "write" {
|
||||||
|
secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token
|
||||||
|
}
|
||||||
|
|
||||||
if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
|
if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
|
||||||
// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
|
// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
|
||||||
|
|
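Review bot: The guard added around `secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token` withholds an environment variable, not a credential: the value it gates is task.Token, which the two lines above still hand to every job as GITHUB_TOKEN and GITEA_TOKEN. The job's id-token permission is therefore only enforced if the actions_idtoken endpoint behind ACTIONS_ID_TOKEN_REQUEST_URL also checks the stored task.Permissions before issuing a token, and that endpoint is not touched by this commit; presumably it authenticates by task token alone today, so that server-side check should land with (or before) this change rather than relying on the variable being absent. The same `== "write"` comparison is repeated in pickTask; a single helper on ActionTask, `func (t *ActionTask) IDTokenWritable() bool { return t.Permissions.IDToken == "write" }`, would keep the two call sites (and the endpoint check) from drifting. GetSecretsOfTask starts and ends outside the hunk.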
|
@ -31,6 +31,8 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
|
||||||
return nil, false, nil
|
return nil, false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
log.Debug("job permissions: %+v", t.Permissions)
|
||||||
|
|
||||||
secrets, err := secret_model.GetSecretsOfTask(ctx, t)
|
secrets, err := secret_model.GetSecretsOfTask(ctx, t)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, false, fmt.Errorf("GetSecretsOfTask: %w", err)
|
return nil, false, fmt.Errorf("GetSecretsOfTask: %w", err)
|
||||||
|
@ -41,6 +43,10 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
|
||||||
return nil, false, fmt.Errorf("GetVariablesOfRun: %w", err)
|
return nil, false, fmt.Errorf("GetVariablesOfRun: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if t.Permissions.IDToken == "write" {
|
||||||
|
vars["ACTIONS_ID_TOKEN_REQUEST_URL"] = setting.AppURL + "api/actions_idtoken?api-version=2.0"
|
||||||
|
}
|
||||||
|
|
||||||
actions.CreateCommitStatus(ctx, t.Job)
|
actions.CreateCommitStatus(ctx, t.Job)
|
||||||
|
|
||||||
task := &runnerv1.Task{
|
task := &runnerv1.Task{
|
||||||
|
|
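Review bot: The check `if t.Permissions.IDToken == "write"` before setting ACTIONS_ID_TOKEN_REQUEST_URL honors only whatever the jobparser stored on the job; whether a workflow-level `permissions:` block or the `write-all`/`read-all` shorthands are folded into model.Permissions is decided by the act fork and cannot be seen here. If they are not, jobs that declare id-token access at the workflow level silently never receive the URL (or, per the matching hunk in GetSecretsOfTask, the token), which fails closed but deserves a test covering both spellings. It would also be clearer to add a short comment tying the two call sites together, e.g. `// URL and token are issued only when the job declared id-token: write; GetSecretsOfTask applies the same gate to ACTIONS_ID_TOKEN_REQUEST_TOKEN.` pickTask starts and ends outside the hunks.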