inject the vars and secrets into the job - should be environment variables eventually

2024-09-12 15:57:45 -07:00 · 2024-09-12 15:57:45 -07:00 · e4dfb8c1c7
commit e4dfb8c1c7
parent 20af05b0c6
5 changed files with 12 additions and 3 deletions
--- a/models/actions/variable.go
+++ b/models/actions/variable.go
@ -9,6 +9,7 @@ import (

 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"

 	"xorm.io/builder"
@ -102,7 +103,9 @@ func DeleteVariable(ctx context.Context, id int64) error {
 }

 func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
-	variables := map[string]string{}
+	variables := map[string]string{
+		"ACTIONS_ID_TOKEN_REQUEST_URL": setting.AppURL + "/api/actions_token?api-version=2.0",
+	}

 	if err := run.LoadRepo(ctx); err != nil {
 		log.Error("LoadRepo: %v", err)
--- a/models/secret/secret.go
+++ b/models/secret/secret.go
@ -135,6 +135,7 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[

 	secrets["GITHUB_TOKEN"] = task.Token
 	secrets["GITEA_TOKEN"] = task.Token
+	secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token

 	if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
 		// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
--- a/routers/api/actions/artifacts.go
+++ b/routers/api/actions/artifacts.go
@ -135,7 +135,7 @@ func ArtifactContexter() func(next http.Handler) http.Handler {
 			// action task call server api with Bearer ACTIONS_RUNTIME_TOKEN
 			// we should verify the ACTIONS_RUNTIME_TOKEN
 			authHeader := req.Header.Get("Authorization")
-			if len(authHeader) == 0 || !strings.HasPrefix(authHeader, "Bearer ") {
+			if len(authHeader) == 0 || !strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
 				ctx.Error(http.StatusUnauthorized, "Bad authorization header")
 				return
 			}
--- a/routers/api/actions/oidc.go
+++ b/routers/api/actions/oidc.go
@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"

 	"code.gitea.io/gitea/modules/log"
@ -42,6 +43,8 @@ type openIDConfiguration struct {
 func OIDCRoutes(prefix string) *web.Route {
 	m := web.NewRoute()

+	prefix = strings.TrimPrefix(prefix, "/")
+
 	// TODO: generate this once and store it across restarts. In the database I assume?
 	_, caPrivateKey, err := ed25519.GenerateKey(rand.Reader)
 	if err != nil {
@ -180,6 +183,7 @@ func (o oidcRoutes) getToken(ctx *ArtifactContext) {
 }

 func (o oidcRoutes) getJWKS(resp http.ResponseWriter, req *http.Request) {
+	resp.Header().Set("Content-Type", "application/json")
 	err := json.NewEncoder(resp).Encode(o.jwks)
 	if err != nil {
 		log.Error("error encoding jwks response: ", err)
@ -189,6 +193,7 @@ func (o oidcRoutes) getJWKS(resp http.ResponseWriter, req *http.Request) {
 }

 func (o oidcRoutes) getOpenIDConfiguration(resp http.ResponseWriter, req *http.Request) {
+	resp.Header().Set("Content-Type", "application/json")
 	err := json.NewEncoder(resp).Encode(o.openIDConfiguration)
 	if err != nil {
 		log.Error("error encoding jwks response: ", err)
--- a/routers/init.go
+++ b/routers/init.go
@ -195,7 +195,7 @@ func NormalRoutes() *web.Route {
 		prefix := "/api/actions"
 		r.Mount(prefix, actions_router.Routes(prefix))

-		prefix = "/api/actions_token"
+		prefix = "/api/actions_idtoken"
 		r.Mount(prefix, actions_router.OIDCRoutes(prefix)) // TODO: not sure what prefix should be used here

 		// TODO: Pipeline api used for runner internal communication with gitea server. but only artifact is used for now.