From 7f75f52aaf77a3ff91936bb792414b00807970e7 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Wed, 10 Sep 2025 09:18:50 +0000
Subject: [PATCH] Update forgejo-runner to v11 (major) (#975)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [code.forgejo.org/forgejo/runner](https://forgejo.org) ([source](https://code.forgejo.org/forgejo/runner)) | major | `9.1.1` -> `11.0.0` |
| [forgejo/runner](https://code.forgejo.org/forgejo/runner) | major | `10.0.1` -> `11.0.0` |

---

### Release Notes

forgejo/runner (code.forgejo.org/forgejo/runner)

### [`v11.0.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v11.0.0)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v10.0.1...v11.0.0)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

The breaking change in this release is not technical, it is the change of the license which is now GPLv3-or-later.

- [PR](https://code.forgejo.org/forgejo/runner/pulls/773): chore: change the license to GPLv3-or-later

***

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/935): fix: shutdown the runner when the cache fails with a non recoverable error
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/948): fix: also cascade if run-\*-test is set when the PR is open
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/946): fix: graceful shutdown of tasks being interrupted by signal
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/943): fix: lxc-systemd example: export INPUTS\_SERIAL
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/941): fix: allow inputs context in action defaults
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/931): fix: an expression in with: for a reusable workflow call can use env
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/951): Update module golang.org/x/time to v0.13.0
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/950): Revert "fix: also cascade if run-\*-test is set when the PR is open ([#948](https://github.com/forgejo/runner/issues/948))"
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/945): Update code.forgejo.org/forgejo/forgejo Docker tag to v11.0.5
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/942): Update module github.com/docker/docker to v28.4.0+incompatible
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/773): chore: change the license to GPLv3-or-later
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/940): chore: bump version to v11
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/936): refactor: remove duplicate computeMac function
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/938): Update module github.com/docker/cli to v28.4.0+incompatible
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/934): chore: refactor act/artifactcache Handler to an interface
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/933): Update dependency go to v1.24.7
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/932): Update module github.com/spf13/pflag to v1.0.10
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/930): Update module github.com/spf13/cobra to v1.10.1
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/928): Update dependency forgejo/runner to v10

### [`v10.0.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v10.0.0...v10.0.1)

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

***

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/927): fix: pull\_request\_target events can share the cache of the repository

### [`v10.0.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.0)

[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v9.1.1...v10.0.0)

> **Warning**
> Upgrade to v10.0.1 instead. A regression was found on `pull_request_target` events and is fixed in the [v10.0.1 release](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1).

- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)

Release Notes

- [PR](https://code.forgejo.org/forgejo/runner/pulls/925): fix(security): prevent on: pull\_request actions from mutating caches of other workflow events

  forgejo-runner currently creates a safer execution environment for workflows triggered by pull requests by denying those workflows access to the repository's secrets, preventing pull requests from compromising the confidentiality of the secrets.

  Workflows do have access to write to the action cache, which is shared with future workflow executions, including executions that may have access to repository secrets. This was assumed safe as the cache is a "write-once" operation based upon the cache key; if an execution writes to that cache, it will be read by other workflows only if a matching key parameter is provided, and it can not be modified again.

  These assumptions were identified as weak security practices with known workarounds. It is possible for a malicious pull request to mutate the shared cache and embed untrusted artifacts, which may later be executed in workflow executions with access to secrets, risking the confidentiality of those secrets.

  In order to eliminate this risk, workflows executing with the `pull_request` and `pull_request_target` events have their write operations to the cache isolated to future workflow executions from the same pull request. They can continue to read from the shared cache if applicable.

  If using an external cache server configuration, both the cache server and other instances of the runner must be running the same software version. The recommended upgrade procedure in this configuration is to bring all runners offline, upgrade the cache server to the latest release and bring it online, and then bring all other runners online.

- [PR](https://code.forgejo.org/forgejo/runner/pulls/924): fix(security): ensure unique names for container images created by actions

  Without this fix, when a workflow ran a local [docker action](https://forgejo.org/docs/next/user/actions/actions/#docker-actions) (e.g. the [example in the end-to-end tests](https://code.forgejo.org/forgejo/end-to-end/src/commit/8f920b4b7adcb920e435db1acd02407b2312ab74/actions/example-force-rebuild/.forgejo/workflows/test.yml)), it used an image tag that could collide with other workflows that happen to use the same name. The workaround for older runner versions is to set [`[container].force_rebuild: true`](https://forgejo.org/docs/next/admin/actions/runner-installation/#configuration) in the runner configuration file.

***

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/925): fix(security): prevent on: pull\_request actions from mutating caches of other workflow events
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/924): fix(security): ensure unique names for container images created by actions
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/921): Update code.forgejo.org/forgejo/forgejo Docker tag to v11.0.4
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/922): chore: explain the difference between `job_level` and `level`
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/917): chore: add reminder of how to run a local test
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/919): chore: unify cascade-setup-forgejo with cascade-forgejo
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/873): chore: remove `github.com/pkg/errors`
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/915): Update module github.com/stretchr/testify to v1.11.1
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/914): Update module google.golang.org/protobuf to v1.36.8
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/907): Update module go.etcd.io/bbolt to v1.4.3
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/906): test: remove internal timeout in TestRunnerCacheConfiguration
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/902): chore: skip tests that require Forgejo if it is not available
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/903): chore: rework the README
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/904): Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 \[SECURITY]
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/900): chore: remove TestRunContext\_GetGitHubContext
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/899): chore: do not force GOPROXY
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/890): Update module github.com/vektra/mockery/v2 to v2.53.5
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/893): chore: fix .PHONY lint targets
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/898): Update dependency forgejo/runner to v9.1.1
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/897): Update code.forgejo.org/forgejo/runner Docker tag to v9.1.1

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/975
Reviewed-by: Michael Kriese
Co-authored-by: Renovate Bot
Co-committed-by: Renovate Bot
--- examples/docker-compose/compose-forgejo-and-runner.yml | 4 ++-- examples/lxc-systemd/forgejo-runner-service.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/docker-compose/compose-forgejo-and-runner.yml b/examples/docker-compose/compose-forgejo-and-runner.yml index c71cbc4e..a2597d54 100644 --- a/examples/docker-compose/compose-forgejo-and-runner.yml +++ b/examples/docker-compose/compose-forgejo-and-runner.yml @@ -51,7 +51,7 @@ services: - 8080:3000 runner-register: - image: code.forgejo.org/forgejo/runner:9.1.1 + image: code.forgejo.org/forgejo/runner:11.0.0 links: - docker-in-docker - forgejo @@ -77,7 +77,7 @@ services: ' runner-daemon: - image: code.forgejo.org/forgejo/runner:9.1.1 + image: code.forgejo.org/forgejo/runner:11.0.0 links: - docker-in-docker - forgejo diff --git a/examples/lxc-systemd/forgejo-runner-service.sh b/examples/lxc-systemd/forgejo-runner-service.sh index 235c6e30..ac7ae172 100755 --- a/examples/lxc-systemd/forgejo-runner-service.sh +++ b/examples/lxc-systemd/forgejo-runner-service.sh 
@@ -22,7 +22,7 @@ trap "rm -fr $TMPDIR" EXIT : ${INPUTS_LIFETIME:=7d} DEFAULT_LXC_HELPERS_VERSION=1.0.3 # renovate: datasource=forgejo-tags depName=forgejo/lxc-helpers : ${INPUTS_LXC_HELPERS_VERSION:=$DEFAULT_LXC_HELPERS_VERSION} -DEFAULT_RUNNER_VERSION=10.0.1 # renovate: datasource=forgejo-releases depName=forgejo/runner +DEFAULT_RUNNER_VERSION=11.0.0 # renovate: datasource=forgejo-releases depName=forgejo/runner : ${INPUTS_RUNNER_VERSION:=$DEFAULT_RUNNER_VERSION} : ${KILL_AFTER:=21600} # 6h == 21600
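
Review bot: in examples/docker-compose/compose-forgejo-and-runner.yml, both changed `image:` lines (`runner-register` and `runner-daemon`) reference the runner by tag only, `code.forgejo.org/forgejo/runner:11.0.0`, and a registry tag can be re-pointed after review. Consider pinning the digest as well (`runner:11.0.0@sha256:<digest>`, placeholder) so the example pulls exactly the image that was reviewed. This file also moves from 9.1.1 straight to 11.0.0, so it crosses the v10.0.0 cache isolation change quoted in the commit message. The two services are bumped together, which is right, but anyone who copied this example next to an external cache server needs the upgrade order from those notes (runners offline, cache server upgraded first), and that deserves a line in the example's documentation.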
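
Review bot: in examples/lxc-systemd/forgejo-runner-service.sh, the new `DEFAULT_RUNNER_VERSION=11.0.0` only applies when `INPUTS_RUNNER_VERSION` is unset, because the following context line is `: ${INPUTS_RUNNER_VERSION:=$DEFAULT_RUNNER_VERSION}`. Installations that export an older value stay on it and do not get the v10.0.0 security fixes listed in the commit message, so the example's documentation should say that an explicit override needs to be raised too, or the script could warn when the override is older than the default. Separately, and outside this change, the hunk header shows `trap "rm -fr $TMPDIR" EXIT`: `$TMPDIR` is expanded when the trap is set and word-split when it runs, so `trap 'rm -fr "$TMPDIR"' EXIT` would be the safer form.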