only provide token to jobs with id-token: write permission

This commit is contained in:
Finn 2024-09-24 23:29:49 -07:00
parent b265b40680
commit 6351ceaaee
6 changed files with 19 additions and 8 deletions

2
go.mod
View file

@ -294,6 +294,6 @@ replace github.com/hashicorp/go-version => github.com/6543/go-version v1.3.1
replace github.com/shurcooL/vfsgen => github.com/lunny/vfsgen v0.0.0-20220105142115-2c99e1ffdfa0
replace github.com/nektos/act => code.forgejo.org/forgejo/act v1.21.3
replace github.com/nektos/act => code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e
replace github.com/mholt/archiver/v3 => code.forgejo.org/forgejo/archiver/v3 v3.5.1

4
go.sum
View file

@ -4,8 +4,6 @@ code.forgejo.org/f3/gof3/v3 v3.7.0 h1:ZfuCP8CGm8ZJbWmL+V0pUu3E0X4FCAA7GfRDy/y5/K
code.forgejo.org/f3/gof3/v3 v3.7.0/go.mod h1:oNhOeqD4DZYjVcNjQXIOdDX9b/1tqxi9ITLS8H9/Csw=
code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251 h1:HTZl3CBk3ABNYtFI6TPLvJgGKFIhKT5CBk0sbOtkDKU=
code.forgejo.org/forgejo-contrib/go-libravatar v0.0.0-20191008002943-06d1c002b251/go.mod h1:PphB88CPbx601QrWPMZATeorACeVmQlyv3u+uUMbSaM=
code.forgejo.org/forgejo/act v1.21.3 h1:EeJbrz0aar2QhIcBlOW5gjK1rjrQxcAvQSPpG/R1h5w=
code.forgejo.org/forgejo/act v1.21.3/go.mod h1:+PcvJ9iv+NTFeJSh79ra9Jbk9l0vvyA9D9me5/dbxYM=
code.forgejo.org/forgejo/archiver/v3 v3.5.1 h1:UmmbA7D5550uf71SQjarmrn6yKwOGxtEjb3jaYYtmSE=
code.forgejo.org/forgejo/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
code.forgejo.org/forgejo/reply v1.0.2 h1:dMhQCHV6/O3L5CLWNTol+dNzDAuyCK88z4J/lCdgFuQ=
@ -16,6 +14,8 @@ code.forgejo.org/go-chi/captcha v0.0.0-20240905153133-df43b9250ed5 h1:A7P1liXCpJ
code.forgejo.org/go-chi/captcha v0.0.0-20240905153133-df43b9250ed5/go.mod h1:YLOsiln/arX3egGtxG4QNp49G2CIqP9pqD2VL56obLc=
code.forgejo.org/go-chi/session v0.0.0-20240905153124-557e3de77cd2 h1:Ht2myT1qf4YbLcO/W3pQaWTn6PPdKz0tM5tnqMOz/Cg=
code.forgejo.org/go-chi/session v0.0.0-20240905153124-557e3de77cd2/go.mod h1:oJs2Q5P5I7bzJGsgHt6fVzh2jlIr/9SLAvz/ZXb87BI=
code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e h1:3zms7edYa3uqTRSJj+TenW3bjCBRLD3eHlWtWSO3W3E=
code.forgejo.org/thefinn93/act v1.21.3-0.20240916205117-e599cc69dc5e/go.mod h1:+PcvJ9iv+NTFeJSh79ra9Jbk9l0vvyA9D9me5/dbxYM=
code.gitea.io/actions-proto-go v0.4.0 h1:OsPBPhodXuQnsspG1sQ4eRE1PeoZyofd7+i73zCwnsU=
code.gitea.io/actions-proto-go v0.4.0/go.mod h1:mn7Wkqz6JbnTOHQpot3yDeHx+O5C9EGhMEE+htvHBas=
code.gitea.io/gitea-vet v0.2.3 h1:gdFmm6WOTM65rE8FUBTRzeQZYzXePKSSB1+r574hWwI=

View file

@ -21,6 +21,7 @@ import (
runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
lru "github.com/hashicorp/golang-lru/v2"
"github.com/nektos/act/pkg/jobparser"
"github.com/nektos/act/pkg/model"
"google.golang.org/protobuf/types/known/timestamppb"
"xorm.io/builder"
)
@ -56,6 +57,8 @@ type ActionTask struct {
Created timeutil.TimeStamp `xorm:"created"`
Updated timeutil.TimeStamp `xorm:"updated index"`
Permissions model.Permissions `xorm:"json"`
}
var successfulTokenTaskCache *lru.Cache[string, any]
@ -286,6 +289,8 @@ func CreateTaskForRunner(ctx context.Context, runner *ActionRunner) (*ActionTask
_, workflowJob = gots[0].Job()
}
task.Permissions = workflowJob.Permissions
if _, err := e.Insert(task); err != nil {
return nil, false, err
}

View file

@ -9,7 +9,6 @@ import (
"code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil"
"xorm.io/builder"
@ -103,9 +102,7 @@ func DeleteVariable(ctx context.Context, id int64) error {
}
func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
variables := map[string]string{
"ACTIONS_ID_TOKEN_REQUEST_URL": setting.AppURL + "api/actions_idtoken?api-version=2.0",
}
variables := map[string]string{}
if err := run.LoadRepo(ctx); err != nil {
log.Error("LoadRepo: %v", err)

View file

@ -135,7 +135,10 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[
secrets["GITHUB_TOKEN"] = task.Token
secrets["GITEA_TOKEN"] = task.Token
secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token
if task.Permissions.IDToken == "write" {
secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token
}
if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.

View file

@ -31,6 +31,8 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
return nil, false, nil
}
log.Debug("job permissions: %+v", t.Permissions)
secrets, err := secret_model.GetSecretsOfTask(ctx, t)
if err != nil {
return nil, false, fmt.Errorf("GetSecretsOfTask: %w", err)
@ -41,6 +43,10 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
return nil, false, fmt.Errorf("GetVariablesOfRun: %w", err)
}
if t.Permissions.IDToken == "write" {
vars["ACTIONS_ID_TOKEN_REQUEST_URL"] = setting.AppURL + "api/actions_idtoken?api-version=2.0"
}
actions.CreateCommitStatus(ctx, t.Job)
task := &runnerv1.Task{