From 877749a730db2284eb062016b1d92de94a8d0476 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 1 Sep 2025 14:24:38 +0000 Subject: [PATCH] Update dependency forgejo/runner to v10 (#928) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [forgejo/runner](https://code.forgejo.org/forgejo/runner) | major | `9.1.1` -> `10.0.1` | --- ### Release Notes
forgejo/runner (forgejo/runner) ### [`v10.0.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1) [Compare Source](https://code.forgejo.org/forgejo/runner/compare/v10.0.0...v10.0.1) - [User guide](https://forgejo.org/docs/next/user/actions/overview/) - [Administrator guide](https://forgejo.org/docs/next/admin/actions/) - [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions) Release Notes *** ### [`v10.0.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.0) [Compare Source](https://code.forgejo.org/forgejo/runner/compare/v9.1.1...v10.0.0) > **Warning** Upgrade to v10.0.1 instead. A regression was found on `pull_request_target` events and is fixed in the [v10.0.1 release](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1). - [User guide](https://forgejo.org/docs/next/user/actions/overview/) - [Administrator guide](https://forgejo.org/docs/next/admin/actions/) - [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions) Release Notes - [PR](https://code.forgejo.org/forgejo/runner/pulls/925): fix(security): prevent on: pull\_request actions from mutating caches of other workflow events forgej-runner currently creates a safer execution environment for workflows triggered by pull requests by denying those workflows access to the repository's secrets, preventing pull requests from compromising the confidentiality of the secrets. Workflows do have access to write to the action cache, which is shared with future workflow executions, including executions that may have access to repository secrets. This was assumed safe as the cache is a "write-once" operation based upon the cache key; if an execution writes to that cache, it will be read by other workflows only if a matching key parameter is provided, and it can not be modified again. These assumptions were identified as weak security practices with known workarounds. It is possible for a malicious pull request to mutate the shared cache and embed untrusted artifacts, which may later be executed in workflow executions with access to secrets, risking the confidentiality of those secrets. In order to eliminate this risk, workflows executing with the `pull_request` and `pull_request_target` events have their write operations to the cache isolated to future workflow executions from the same pull request. They can continue to read from the shared cache if applicable. If using an external cache server configuration, both the cache server and other instances of the runner must be running the same software version. The recommended upgrade procedure in this configuration is to bring all runners offline, upgrade the cache server to the latest release and bring it online, and then bring all other runners online. - [PR](https://code.forgejo.org/forgejo/runner/pulls/924): fix(security): ensure unique names for container images created by actions Without this fix, when a workflow ran a local [docker action](https://forgejo.org/docs/next/user/actions/actions/#docker-actions) (e.g. the [example in the end-to-end tests](https://code.forgejo.org/forgejo/end-to-end/src/commit/8f920b4b7adcb920e435db1acd02407b2312ab74/actions/example-force-rebuild/.forgejo/workflows/test.yml)), it used an image tag that could collide with other workflows that happen to use the same name. The workaround for older runner versions is to set [`[container].force_rebuild: true`](https://forgejo.org/docs/next/admin/actions/runner-installation/#configuration) in the runner configuration file. *** - bug fixes - [PR](https://code.forgejo.org/forgejo/runner/pulls/925): fix(security): prevent on: pull\_request actions from mutating caches of other workflow events - [PR](https://code.forgejo.org/forgejo/runner/pulls/924): fix(security): ensure unique names for container images created by actions - other - [PR](https://code.forgejo.org/forgejo/runner/pulls/921): Update code.forgejo.org/forgejo/forgejo Docker tag to v11.0.4 - [PR](https://code.forgejo.org/forgejo/runner/pulls/922): chore: explain the difference between `job_level` and `level` - [PR](https://code.forgejo.org/forgejo/runner/pulls/917): chore: add reminder of how to run a local test - [PR](https://code.forgejo.org/forgejo/runner/pulls/919): chore: unify cascade-setup-forgejo with cascade-forgejo - [PR](https://code.forgejo.org/forgejo/runner/pulls/873): chore: remove `github.com/pkg/errors` - [PR](https://code.forgejo.org/forgejo/runner/pulls/915): Update module github.com/stretchr/testify to v1.11.1 - [PR](https://code.forgejo.org/forgejo/runner/pulls/914): Update module google.golang.org/protobuf to v1.36.8 - [PR](https://code.forgejo.org/forgejo/runner/pulls/907): Update module go.etcd.io/bbolt to v1.4.3 - [PR](https://code.forgejo.org/forgejo/runner/pulls/906): test: remove internal timeout in TestRunnerCacheConfiguration - [PR](https://code.forgejo.org/forgejo/runner/pulls/902): chore: skip tests that require Forgejo if it is not available - [PR](https://code.forgejo.org/forgejo/runner/pulls/903): chore: rework the README - [PR](https://code.forgejo.org/forgejo/runner/pulls/904): Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 \[SECURITY] - [PR](https://code.forgejo.org/forgejo/runner/pulls/900): chore: remove TestRunContext\_GetGitHubContext - [PR](https://code.forgejo.org/forgejo/runner/pulls/899): chore: do not force GOPROXY - [PR](https://code.forgejo.org/forgejo/runner/pulls/890): Update module github.com/vektra/mockery/v2 to v2.53.5 - [PR](https://code.forgejo.org/forgejo/runner/pulls/893): chore: fix .PHONY lint targets - [PR](https://code.forgejo.org/forgejo/runner/pulls/898): Update dependency forgejo/runner to v9.1.1 - [PR](https://code.forgejo.org/forgejo/runner/pulls/897): Update code.forgejo.org/forgejo/runner Docker tag to v9.1.1
--- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). - other - [PR](https://code.forgejo.org/forgejo/runner/pulls/928): Update dependency forgejo/runner to v10 Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/928 Reviewed-by: earl-warren Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot --- examples/lxc-systemd/forgejo-runner-service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/lxc-systemd/forgejo-runner-service.sh b/examples/lxc-systemd/forgejo-runner-service.sh index 7e549b7d..235c6e30 100755 --- a/examples/lxc-systemd/forgejo-runner-service.sh +++ b/examples/lxc-systemd/forgejo-runner-service.sh @@ -22,7 +22,7 @@ trap "rm -fr $TMPDIR" EXIT : ${INPUTS_LIFETIME:=7d} DEFAULT_LXC_HELPERS_VERSION=1.0.3 # renovate: datasource=forgejo-tags depName=forgejo/lxc-helpers : ${INPUTS_LXC_HELPERS_VERSION:=$DEFAULT_LXC_HELPERS_VERSION} -DEFAULT_RUNNER_VERSION=9.1.1 # renovate: datasource=forgejo-releases depName=forgejo/runner +DEFAULT_RUNNER_VERSION=10.0.1 # renovate: datasource=forgejo-releases depName=forgejo/runner : ${INPUTS_RUNNER_VERSION:=$DEFAULT_RUNNER_VERSION} : ${KILL_AFTER:=21600} # 6h == 21600