diff --git a/models/actions/variable.go b/models/actions/variable.go
index d0f917d92..5a81cd725 100644
--- a/models/actions/variable.go
+++ b/models/actions/variable.go
@@ -9,6 +9,7 @@ import (
"code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil"
"xorm.io/builder"
@@ -102,7 +103,9 @@ func DeleteVariable(ctx context.Context, id int64) error {
}
func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
- variables := map[string]string{}
+ variables := map[string]string{
+ "ACTIONS_ID_TOKEN_REQUEST_URL": setting.AppURL + "/api/actions_token?api-version=2.0",
+ }
if err := run.LoadRepo(ctx); err != nil {
log.Error("LoadRepo: %v", err)
diff --git a/models/secret/secret.go b/models/secret/secret.go
index ce0ad65a7..cd78c6227 100644
--- a/models/secret/secret.go
+++ b/models/secret/secret.go
@@ -135,6 +135,7 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[
secrets["GITHUB_TOKEN"] = task.Token
secrets["GITEA_TOKEN"] = task.Token
+ secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = task.Token
if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
diff --git a/routers/api/actions/artifacts.go b/routers/api/actions/artifacts.go
index bc29e4481..0d4f53982 100644
--- a/routers/api/actions/artifacts.go
+++ b/routers/api/actions/artifacts.go
@@ -135,7 +135,7 @@ func ArtifactContexter() func(next http.Handler) http.Handler {
// action task call server api with Bearer ACTIONS_RUNTIME_TOKEN
// we should verify the ACTIONS_RUNTIME_TOKEN
authHeader := req.Header.Get("Authorization")
- if len(authHeader) == 0 || !strings.HasPrefix(authHeader, "Bearer ") {
+ if len(authHeader) == 0 || !strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
ctx.Error(http.StatusUnauthorized, "Bad authorization header")
return
}
diff --git a/routers/api/actions/oidc.go b/routers/api/actions/oidc.go
index 4d5a03cf1..d6102ce63 100644
--- a/routers/api/actions/oidc.go
+++ b/routers/api/actions/oidc.go
@@ -6,6 +6,7 @@ import (
"encoding/json"
"fmt"
"net/http"
+ "strings"
"time"
"code.gitea.io/gitea/modules/log"
@@ -42,6 +43,8 @@ type openIDConfiguration struct {
func OIDCRoutes(prefix string) *web.Route {
m := web.NewRoute()
+ prefix = strings.TrimPrefix(prefix, "/")
+
// TODO: generate this once and store it across restarts. In the database I assume?
_, caPrivateKey, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
@@ -180,6 +183,7 @@ func (o oidcRoutes) getToken(ctx *ArtifactContext) {
}
func (o oidcRoutes) getJWKS(resp http.ResponseWriter, req *http.Request) {
+ resp.Header().Set("Content-Type", "application/json")
err := json.NewEncoder(resp).Encode(o.jwks)
if err != nil {
log.Error("error encoding jwks response: ", err)
@@ -189,6 +193,7 @@ func (o oidcRoutes) getJWKS(resp http.ResponseWriter, req *http.Request) {
}
func (o oidcRoutes) getOpenIDConfiguration(resp http.ResponseWriter, req *http.Request) {
+ resp.Header().Set("Content-Type", "application/json")
err := json.NewEncoder(resp).Encode(o.openIDConfiguration)
if err != nil {
log.Error("error encoding jwks response: ", err)
diff --git a/routers/init.go b/routers/init.go
index 63cdd9cba..174fefb72 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -195,7 +195,7 @@ func NormalRoutes() *web.Route {
prefix := "/api/actions"
r.Mount(prefix, actions_router.Routes(prefix))
- prefix = "/api/actions_token"
+ prefix = "/api/actions_idtoken"
r.Mount(prefix, actions_router.OIDCRoutes(prefix)) // TODO: not sure what prefix should be used here
// TODO: Pipeline api used for runner internal communication with gitea server. but only artifact is used for now.