Fix security issues with cache by proxying access (#503)

This is the forgejo-runner-side patch for a partial overhaul of the cache system to fix some access control issues with caches. This code depends on changes in act which are being reviewed here: forgejo/act#107 Co-authored-by: Michael Kriese <michael.kriese@visualon.de> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/502 Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/503 Reviewed-by: Gusted <gusted@noreply.code.forgejo.org> Co-authored-by: Kwonunn <kwonunnx@gmail.com> Co-committed-by: Kwonunn <kwonunnx@gmail.com>
2025-09-15 18:57:01 +00:00 · 2025-03-22 00:03:09 +00:00 · 2025-03-22 00:03:09 +00:00 · 46eb63a952
commit 46eb63a952
parent e5e28d16a5
8 changed files with 139 additions and 38 deletions
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@ -37,11 +37,14 @@ type Runner struct {

 // Cache represents the configuration for caching.
 type Cache struct {
-	Enabled        *bool  `yaml:"enabled"`         // Enabled indicates whether caching is enabled. It is a pointer to distinguish between false and not set. If not set, it will be true.
-	Dir            string `yaml:"dir"`             // Dir specifies the directory path for caching.
-	Host           string `yaml:"host"`            // Host specifies the caching host.
-	Port           uint16 `yaml:"port"`            // Port specifies the caching port.
-	ExternalServer string `yaml:"external_server"` // ExternalServer specifies the URL of external cache server
+	Enabled                 *bool  `yaml:"enabled"`                    // Enabled indicates whether caching is enabled. It is a pointer to distinguish between false and not set. If not set, it will be true.
+	Dir                     string `yaml:"dir"`                        // Dir specifies the directory path for caching.
+	Host                    string `yaml:"host"`                       // Host specifies the caching host.
+	Port                    uint16 `yaml:"port"`                       // Port specifies the caching port.
+	ProxyPort               uint16 `yaml:"proxy_port"`                 // ProxyPort specifies the cache proxy port.
+	ExternalServer          string `yaml:"external_server"`            // ExternalServer specifies the URL of external cache server
+	ActionsCacheUrlOverride string `yaml:"actions_cache_url_override"` // Allows the user to override the ACTIONS_CACHE_URL passed to the workflow containers
+	Secret                  string `yaml:"secret"`                     // Shared secret to secure caches.
 }

 // Container represents the configuration for the container.