It was raised during embargo review of #925 that there are two implementations of `computeMac`; this PR fixes that.
As all the tests for `computeMac` were in the `artifactcache` package, it made more sense to keep the method there. That required reversing the dependency `artifactcache->cacheproxy` package dependency -- it makes more sense to me for the proxy to depend on the cache, rather than vice-versa.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/936): <!--number 936 --><!--line 0 --><!--description cmVmYWN0b3I6IHJlbW92ZSBkdXBsaWNhdGUgY29tcHV0ZU1hYyBmdW5jdGlvbg==-->refactor: remove duplicate computeMac function<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/936
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
- the Handler struct becomes handler (lowercase)
- the Handler interface is defined to be the existing methods
- isClosed() is added and used only in tests
- setgcAt() is added and used only in tests
---
This is to allow mocking the Handler interface for testing.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/934): <!--number 934 --><!--line 0 --><!--description Y2hvcmU6IHJlZmFjdG9yIGFjdC9hcnRpZmFjdGNhY2hlIEhhbmRsZXIgdG8gYW4gaW50ZXJmYWNl-->chore: refactor act/artifactcache Handler to an interface<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/934
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
The Forgejo runner is part of the Forgejo project. The licensing
agreement in the governance repository reads like this:
> Forgejo accepts contributions compatible with the GPLv3-or-later license.
> The license under which Forgejo is distributed will be changed upon the acceptance of such contributions.
The first step is to update the LICENSE file to reflect that
decision. The individual copyright notice of each source file will be
updated when and if relevant. If a change is made that is eligible for
copyright, the author may decide change the copyright notice from MIT
or Apache 2 to GPLv3-or-later.
Refs licensing agreement 6eb522282f/AGREEMENTS.md (licensing)
Refs blog post about the licensing agreement https://forgejo.org/2024-08-gpl/
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/773): <!--number 773 --><!--line 0 --><!--description Y2hvcmU6IGNoYW5nZSB0aGUgbGljZW5zZSB0byBHUEx2My1vci1sYXRlcg==-->chore: change the license to GPLv3-or-later<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/773
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Gusted <gusted@noreply.code.forgejo.org>
Reviewed-by: Beowulf <beowulf@noreply.code.forgejo.org>
Reviewed-by: pat-s <pat-s@noreply.code.forgejo.org>
Reviewed-by: fnetX <fnetx@noreply.code.forgejo.org>
Reviewed-by: 0ko <0ko@noreply.code.forgejo.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [go](https://go.dev/) ([source](https://github.com/golang/go)) | toolchain | patch | `1.24.6` -> `1.24.7` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45MS4yIiwidXBkYXRlZEluVmVyIjoiNDEuOTEuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9DaG9yZSIsInJ1bi1lbmQtdG8tZW5kLXRlc3RzIl19-->
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/933): <!--number 933 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjQuNw==-->Update dependency go to v1.24.7<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/933
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [forgejo/runner](https://code.forgejo.org/forgejo/runner) | major | `9.1.1` -> `10.0.1` |
---
### Release Notes
<details>
<summary>forgejo/runner (forgejo/runner)</summary>
### [`v10.0.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1)
[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v10.0.0...v10.0.1)
- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)
Release Notes
***
### [`v10.0.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.0)
[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v9.1.1...v10.0.0)
> **Warning** Upgrade to v10.0.1 instead. A regression was found on `pull_request_target` events and is fixed in the [v10.0.1 release](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1).
- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)
Release Notes
- [PR](https://code.forgejo.org/forgejo/runner/pulls/925): <!--number 925 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogcHJldmVudCBvbjogcHVsbF9yZXF1ZXN0IGFjdGlvbnMgZnJvbSBtdXRhdGluZyBjYWNoZXMgb2Ygb3RoZXIgd29ya2Zsb3cgZXZlbnRz-->fix(security): prevent on: pull\_request actions from mutating caches of other workflow events<!--description-->
forgej-runner currently creates a safer execution environment for workflows triggered by pull requests by denying those workflows access to the repository's secrets, preventing pull requests from compromising the confidentiality of the secrets.
Workflows do have access to write to the action cache, which is shared with future workflow executions, including executions that may have access to repository secrets. This was assumed safe as the cache is a "write-once" operation based upon the cache key; if an execution writes to that cache, it will be read by other workflows only if a matching key parameter is provided, and it can not be modified again. These assumptions were identified as weak security practices with known workarounds.
It is possible for a malicious pull request to mutate the shared cache and embed untrusted artifacts, which may later be executed in workflow executions with access to secrets, risking the confidentiality of those secrets.
In order to eliminate this risk, workflows executing with the `pull_request` and `pull_request_target` events have their write operations to the cache isolated to future workflow executions from the same pull request. They can continue to read from the shared cache if applicable.
If using an external cache server configuration, both the cache server and other instances of the runner must be running the same software version. The recommended upgrade procedure in this configuration is to bring all runners offline, upgrade the cache server to the latest release and bring it online, and then bring all other runners online.
- [PR](https://code.forgejo.org/forgejo/runner/pulls/924): <!--number 924 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogZW5zdXJlIHVuaXF1ZSBuYW1lcyBmb3IgY29udGFpbmVyIGltYWdlcyBjcmVhdGVkIGJ5IGFjdGlvbnM=-->fix(security): ensure unique names for container images created by actions<!--description-->
Without this fix, when a workflow ran a local [docker action](https://forgejo.org/docs/next/user/actions/actions/#docker-actions) (e.g. the [example in the end-to-end tests](8f920b4b7a/actions/example-force-rebuild/.forgejo/workflows/test.yml)), it used an image tag that could collide with other workflows that happen to use the same name. The workaround for older runner versions is to set [`[container].force_rebuild: true`](https://forgejo.org/docs/next/admin/actions/runner-installation/#configuration) in the runner configuration file.
***
<!--URL:https://code.forgejo.org/forgejo/runner-->
- bug fixes
- [PR](https://code.forgejo.org/forgejo/runner/pulls/925): <!--number 925 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogcHJldmVudCBvbjogcHVsbF9yZXF1ZXN0IGFjdGlvbnMgZnJvbSBtdXRhdGluZyBjYWNoZXMgb2Ygb3RoZXIgd29ya2Zsb3cgZXZlbnRz-->fix(security): prevent on: pull\_request actions from mutating caches of other workflow events<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/924): <!--number 924 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogZW5zdXJlIHVuaXF1ZSBuYW1lcyBmb3IgY29udGFpbmVyIGltYWdlcyBjcmVhdGVkIGJ5IGFjdGlvbnM=-->fix(security): ensure unique names for container images created by actions<!--description-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/921): <!--number 921 --><!--line 0 --><!--description VXBkYXRlIGNvZGUuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9mb3JnZWpvIERvY2tlciB0YWcgdG8gdjExLjAuNA==-->Update code.forgejo.org/forgejo/forgejo Docker tag to v11.0.4<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/922): <!--number 922 --><!--line 0 --><!--description Y2hvcmU6IGV4cGxhaW4gdGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBgam9iX2xldmVsYCBhbmQgYGxldmVsYA==-->chore: explain the difference between `job_level` and `level`<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/917): <!--number 917 --><!--line 0 --><!--description Y2hvcmU6IGFkZCByZW1pbmRlciBvZiBob3cgdG8gcnVuIGEgbG9jYWwgdGVzdA==-->chore: add reminder of how to run a local test<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/919): <!--number 919 --><!--line 0 --><!--description Y2hvcmU6IHVuaWZ5IGNhc2NhZGUtc2V0dXAtZm9yZ2VqbyB3aXRoIGNhc2NhZGUtZm9yZ2Vqbw==-->chore: unify cascade-setup-forgejo with cascade-forgejo<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/873): <!--number 873 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBgZ2l0aHViLmNvbS9wa2cvZXJyb3JzYA==-->chore: remove `github.com/pkg/errors`<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/915): <!--number 915 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3N0cmV0Y2hyL3Rlc3RpZnkgdG8gdjEuMTEuMQ==-->Update module github.com/stretchr/testify to v1.11.1<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/914): <!--number 914 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnb29nbGUuZ29sYW5nLm9yZy9wcm90b2J1ZiB0byB2MS4zNi44-->Update module google.golang.org/protobuf to v1.36.8<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/907): <!--number 907 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnby5ldGNkLmlvL2Jib2x0IHRvIHYxLjQuMw==-->Update module go.etcd.io/bbolt to v1.4.3<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/906): <!--number 906 --><!--line 0 --><!--description dGVzdDogcmVtb3ZlIGludGVybmFsIHRpbWVvdXQgaW4gVGVzdFJ1bm5lckNhY2hlQ29uZmlndXJhdGlvbg==-->test: remove internal timeout in TestRunnerCacheConfiguration<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/902): <!--number 902 --><!--line 0 --><!--description Y2hvcmU6IHNraXAgdGVzdHMgdGhhdCByZXF1aXJlIEZvcmdlam8gaWYgaXQgaXMgbm90IGF2YWlsYWJsZQ==-->chore: skip tests that require Forgejo if it is not available<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/903): <!--number 903 --><!--line 0 --><!--description Y2hvcmU6IHJld29yayB0aGUgUkVBRE1F-->chore: rework the README<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/904): <!--number 904 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ28tdmlwZXIvbWFwc3RydWN0dXJlL3YyIChpbmRpcmVjdCkgdG8gdjIuNC4wIFtTRUNVUklUWV0=-->Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 \[SECURITY]<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/900): <!--number 900 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBUZXN0UnVuQ29udGV4dF9HZXRHaXRIdWJDb250ZXh0-->chore: remove TestRunContext\_GetGitHubContext<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/899): <!--number 899 --><!--line 0 --><!--description Y2hvcmU6IGRvIG5vdCBmb3JjZSBHT1BST1hZ-->chore: do not force GOPROXY<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/890): <!--number 890 --><!--line 0 --><!--description VXBkYXRlIG1vZHVsZSBnaXRodWIuY29tL3Zla3RyYS9tb2NrZXJ5L3YyIHRvIHYyLjUzLjU=-->Update module github.com/vektra/mockery/v2 to v2.53.5<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/893): <!--number 893 --><!--line 0 --><!--description Y2hvcmU6IGZpeCAuUEhPTlkgbGludCB0YXJnZXRz-->chore: fix .PHONY lint targets<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/898): <!--number 898 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9ydW5uZXIgdG8gdjkuMS4x-->Update dependency forgejo/runner to v9.1.1<!--description-->
- [PR](https://code.forgejo.org/forgejo/runner/pulls/897): <!--number 897 --><!--line 0 --><!--description VXBkYXRlIGNvZGUuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9ydW5uZXIgRG9ja2VyIHRhZyB0byB2OS4xLjE=-->Update code.forgejo.org/forgejo/runner Docker tag to v9.1.1<!--description-->
<!--end release-notes-assistant-->
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45MS4yIiwidXBkYXRlZEluVmVyIjoiNDEuOTEuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9DaG9yZSIsInJ1bi1lbmQtdG8tZW5kLXRlc3RzIl19-->
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/928): <!--number 928 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZm9yZ2Vqby9ydW5uZXIgdG8gdjEw-->Update dependency forgejo/runner to v10<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/928
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
This is a regression introduced in v10.0.0 by which a pull_request_target event would fail because it attemps to set an isolation key, as if it was a pull request originating from a fork.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- bug fixes
- [PR](https://code.forgejo.org/forgejo/runner/pulls/927): <!--number 927 --><!--line 0 --><!--description Zml4OiBwdWxsX3JlcXVlc3RfdGFyZ2V0IGV2ZW50cyBjYW4gc2hhcmUgdGhlIGNhY2hlIG9mIHRoZSByZXBvc2l0b3J5-->fix: pull_request_target events can share the cache of the repository<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/927
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [code.forgejo.org/forgejo/forgejo](https://forgejo.org) ([source](https://codeberg.org/forgejo/forgejo)) | patch | `11.0.3` -> `11.0.4` |
---
### Release Notes
<details>
<summary>forgejo/forgejo (code.forgejo.org/forgejo/forgejo)</summary>
### [`v11.0.4`](https://codeberg.org/forgejo/forgejo/releases/tag/v11.0.4)
[Compare Source](https://codeberg.org/forgejo/forgejo/compare/v11.0.3...v11.0.4)
See <https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.4.md>
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS44Mi4xMCIsInVwZGF0ZWRJblZlciI6IjQxLjkxLjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbIktpbmQvQ2hvcmUiLCJydW4tZW5kLXRvLWVuZC10ZXN0cyJdfQ==-->
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/921): <!--number 921 --><!--line 0 --><!--description VXBkYXRlIGNvZGUuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9mb3JnZWpvIERvY2tlciB0YWcgdG8gdjExLjAuNA==-->Update code.forgejo.org/forgejo/forgejo Docker tag to v11.0.4<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/921
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
Container images built by the runner are tagged with a unique name:
- based on the specified `uses` URL for remote actions.
- random for local actions.
In the case of local actions, this will create new tags for each run
but the images (and their layers) will be shared and not be
duplicated. The least recently used tags can be garbage collected by
tools such as https://github.com/stepchowfun/docuum.
Using a different method for creating the tag name for the remote
actions is to help with maintenance by establishing a direct relation
with the `uses` field. It was instead relying on a name transformed
multiple times which makes it more difficult to verify name collision
are not accidentally made possible by one of those transformations.
Without this fix, when a workflow ran a local [docker action](https://forgejo.org/docs/next/user/actions/actions/#docker-actions)
(e.g. the [example in the end-to-end
tests](8f920b4b7a/actions/example-force-rebuild/.forgejo/workflows/test.yml)),
it used an image tag that could collide with other workflows that
happen to use the same name.
The workaround for older runner versions is to set
[`[container].force_rebuild: true`](https://forgejo.org/docs/next/admin/actions/runner-installation/#configuration)
in the runner configuration file.
If the tag name collide (e.g. v9.1.1), it will fail with:
```
[push.yml/test] [DEBUG] Working directory '/home/earl-warren/software/runner/act/runner/testdata/local-action-dockerfile-tag/example2'
[push.yml/test] ❌ Failure - Main [[ "example1 SOMEONE" == "example2 SOMEONE" ]]
```
So that it can be copy/pasted.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/917): <!--number 917 --><!--line 0 --><!--description Y2hvcmU6IGFkZCByZW1pbmRlciBvZiBob3cgdG8gcnVuIGEgbG9jYWwgdGVzdA==-->chore: add reminder of how to run a local test<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/917
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
Tested out of the wip-cascade branch:
- https://code.forgejo.org/forgejo/runner/actions/runs/8746
- https://code.forgejo.org/actions/setup-forgejo/pulls/646
- https://code.forgejo.org/forgejo/end-to-end/pulls/984
----
Instead of always running end-to-end tests, only run them when the
run-end-to-end-tests label is set. They are heavy duty and should not
be run when a new contributor sends their first pull request.
- fix bug: close-merge is close
- add instructions for debug
- identify the origin of the tokens
- do not needlessly run setup-forgejo integration tests
- copy/paste from cascade-forgejo.yml with the following exceptions:
- do not trigger on main
- use run-end-to-end-test instead of run-forgejo-test
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/919): <!--number 919 --><!--line 0 --><!--description Y2hvcmU6IHVuaWZ5IGNhc2NhZGUtc2V0dXAtZm9yZ2VqbyB3aXRoIGNhc2NhZGUtZm9yZ2Vqbw==-->chore: unify cascade-setup-forgejo with cascade-forgejo<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/919
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
The functionality provided by this package is also provided by the
standard library.
`fmt.Errorf` for dynamically generated errors.
`errors.new` for static errors.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/873): <!--number 873 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBgZ2l0aHViLmNvbS9wa2cvZXJyb3JzYA==-->chore: remove `github.com/pkg/errors`<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/873
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
Performance has been in the range of 2.5 - 3 minutes for the "runner integration tests" step, causing this arbitrary timeout to be hit. The timeout was useful for early test development when nothing was running successfully, but meaningful now.
Fixes#905.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/906): <!--number 906 --><!--line 0 --><!--description dGVzdDogcmVtb3ZlIGludGVybmFsIHRpbWVvdXQgaW4gVGVzdFJ1bm5lckNhY2hlQ29uZmlndXJhdGlvbg==-->test: remove internal timeout in TestRunnerCacheConfiguration<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/906
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
- Explain how to run tests locally instead of pointing to the
workflow.
- Explain how to run lint checks & fix locally
- Replace the `forgejo-setup` based instructions with shorter and more
actionable instructions based out of the end-to-end tests.
- Remove the reporting bug section, the issue template has all the
information it needs. It is unlikely that someone reporting a bug
will read that section in the README before filing the bug. It
removes the suggestion to file a bug in the end-to-end repository
but I don't think it was actually beneficial to anyone in the past
two years.
- Remove the mock generation part as it is now self documented in the
job that takes care of it.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/903): <!--number 903 --><!--line 0 --><!--description Y2hvcmU6IHJld29yayB0aGUgUkVBRE1FIFtza2lwIGNhc2NhZGVd-->chore: rework the README [skip cascade]<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/903
Reviewed-by: Gusted <gusted@noreply.code.forgejo.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
It does not assert anything useful and te associated function is otherwise heavily used in many tests. It may benefit from unit testing but this test would need to be done very differently to achieve that.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/900): <!--number 900 --><!--line 0 --><!--description Y2hvcmU6IHJlbW92ZSBUZXN0UnVuQ29udGV4dF9HZXRHaXRIdWJDb250ZXh0-->chore: remove TestRunContext_GetGitHubContext<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/900
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
let `setup-go` figure it out
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/899): <!--number 899 --><!--line 0 --><!--description Y2hvcmU6IGRvIG5vdCBmb3JjZSBHT1BST1hZ-->chore: do not force GOPROXY<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/899
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [code.forgejo.org/forgejo/runner](https://forgejo.org) ([source](https://code.forgejo.org/forgejo/runner)) | patch | `9.1.0` -> `9.1.1` |
---
### Release Notes
<details>
<summary>forgejo/runner (code.forgejo.org/forgejo/runner)</summary>
### [`v9.1.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v9.1.1)
[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v9.1.0...v9.1.1)
- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)
Release Notes
***
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS43Ni4wIiwidXBkYXRlZEluVmVyIjoiNDEuNzYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9DaG9yZSJdfQ==-->
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/897): <!--number 897 --><!--line 0 --><!--description VXBkYXRlIGNvZGUuZm9yZ2Vqby5vcmcvZm9yZ2Vqby9ydW5uZXIgRG9ja2VyIHRhZyB0byB2OS4xLjE=-->Update code.forgejo.org/forgejo/runner Docker tag to v9.1.1<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/897
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
The result of a job can only be changed to FAILURE by the Close() function of the reporter under two conditions:
- If it is UNSPECIFIED
- If the context timeout
In all other cases it must be preserved. It is possible, for instance, for a job to be SKIPPED and be associated with an error message, e.g.
```
time="2025-08-20T21:02:07+02:00" level=trace msg="evaluating expression 'success()'" dryrun=false job="Test Action/job-1" jobID=job-1 matrix="map[]"
[Test Action/job-1] [DEBUG] evaluating expression 'success()'
time="2025-08-20T21:02:07+02:00" level=trace msg="expression 'success()' evaluated to 'true'" dryrun=false job="Test Action/job-1" jobID=job-1 matrix="map[]"
[Test Action/job-1] [DEBUG] expression 'success()' evaluated to 'true'
time="2025-08-20T21:02:07+02:00" level=trace msg="'runs-on' key not defined in Test Action/job-1" dryrun=false job="Test Action/job-1" jobID=job-1 matrix="map[]"
[Test Action/job-1] 'runs-on' key not defined in Test Action/job-1
[Test Action/job-1] [DEBUG] No steps found
```
Those errors show in the logs when a job is skipped, because the worflow is empty. But they are expected and to be ignored.
Refs forgejo/runner#895
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- bug fixes
- [PR](https://code.forgejo.org/forgejo/runner/pulls/896): <!--number 896 --><!--line 0 --><!--description Zml4OiBhbiBlcnJvciBmcm9tIGEgU0tJUFBFRCBqb2IgZG9lcyBub3QgdHJhbnNmb3JtIGl0IGludG8gYSBGQUlMVVJF-->fix: an error from a SKIPPED job does not transform it into a FAILURE<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/896
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
Adds a limited integration test in the runner which verifies that the embedded cache server starts up, can be written to by an action, and can be read by a subsequent action. This is a solid base foundation for future nearly-end-to-end tests.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/889): <!--number 889 --><!--line 0 --><!--description dGVzdDogYWRkIGFuIGludGVncmF0aW9uIHRlc3QgZm9yIGVtYmVkZGVkIHJ1bm5lciBjYWNoZQ==-->test: add an integration test for embedded runner cache<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/889
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
When run in parallel they will race to populate the Go cache in a different way (GOPROXY is not configured the same) and that will lead to transient errors when one job tries to use the cache that is populated differently by the other job.
The chain of `needs` is adjusted accordingly and the required checks too.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
- [PR](https://code.forgejo.org/forgejo/runner/pulls/894): <!--number 894 --><!--line 0 --><!--description Y2hvcmU6IG1lcmdlIEFDVCBhbmQgcnVubmVyIHVuaXQgJiBpbnRlZ3JhdGlvbiB0ZXN0cyB0b2dldGhlcg==-->chore: merge ACT and runner unit & integration tests together<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/894
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
Data race detection identified that `getWorkflowSecrets` is mutating `rc.caller.runContext.Config.Secrets` while interpolating values, in the case where secrets are inherited by a reusable workflow. This map is also mutated earlier in evaluation by `(*RunContext).handleCredentials`. It's possible that multiple goroutines performing mutation to this shared map could cause runtime panics (not observed).
The issue is addressed creating a separate map to store interpolated secrets in `getWorkflowSecrets`, which was already the behavior in the non-inherited secret case.
Automated testing for this issue will be provided by #861 when all data races are resolved.
```
==================
WARNING: DATA RACE
Read at 0x00c0003a9620 by goroutine 2546:
runtime.mapaccess1_faststr()
/home/mfenniak/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.24.6.linux-amd64/src/internal/runtime/maps/runtime_faststr_swiss.go:103 +0x0
code.forgejo.org/forgejo/runner/v9/act/runner.(*RunContext).handleCredentials()
/.../forgejo-runner/act/runner/run_context.go:1395 +0xab
code.forgejo.org/forgejo/runner/v9/act/runner.(*RunContext).prepareJobContainer()
/.../forgejo-runner/act/runner/run_context.go:460 +0x2de
code.forgejo.org/forgejo/runner/v9/act/runner.(*RunContext).startContainer.func1.(*RunContext).startJobContainer.2()
/.../forgejo-runner/act/runner/run_context.go:610 +0x5e
code.forgejo.org/forgejo/runner/v9/act/runner.(*RunContext).startContainer.func1()
/.../forgejo-runner/act/runner/run_context.go:853 +0xf3
code.forgejo.org/forgejo/runner/v9/act/runner.newJobExecutor.NewPipelineExecutor.Executor.Then.func22()
/.../forgejo-runner/act/common/executor.go:136 +0x57
...snip...
Previous write at 0x00c0003a9620 by goroutine 2440:
runtime.mapassign_faststr()
/home/mfenniak/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.24.6.linux-amd64/src/internal/runtime/maps/runtime_faststr_swiss.go:263 +0x0
code.forgejo.org/forgejo/runner/v9/act/runner.getWorkflowSecrets()
/.../forgejo-runner/act/runner/expression.go:578 +0x547
code.forgejo.org/forgejo/runner/v9/act/runner.(*RunContext).NewExpressionEvaluatorWithEnv()
/.../forgejo-runner/act/runner/expression.go:85 +0x3fc
code.forgejo.org/forgejo/runner/v9/act/common/git.FindGitRevision()
/.../forgejo-runner/act/common/git/git.go:70 +0xe4
github.com/go-git/go-git/v5.PlainOpenWithOptions()
/home/mfenniak/go/pkg/mod/github.com/go-git/go-git/v5@v5.16.2/repository.go:332 +0x7a6
code.forgejo.org/forgejo/runner/v9/act/common/git.FindGitRevision()
/.../forgejo-runner/act/common/git/git.go:58 +0xc4
...snip...
==================
```
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/875
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
Uses the `Repo` field as an index during searches of the cache database. Removes unused indexes.
To measure the performance of this change, I created a synthetic test which wrote 10,000 records into the artifact cache DB. Of course, all benchmarks are lies that can't be generalized to real-world usage, but it seems clear from the magnitude of improvement that this fixes a flawed implementation, even if it's not perfect.
- Unmodified performance:
- Write: 196 records/second
- Read: 1 record/second
- With `Repo` index being used for reads, and other indexes being removed:
- Write: 347 records/second
- Read: 22,398 records/second
`Repo` is, I think, the only index that made sense to remain, with an eye on workflow run performance:
- `Key` -- can't be used for index because `findCache` searches for key *prefixes*, not equal values.
- `Version` -- isn't very distinct for different workflow runs (https://code.forgejo.org/actions/cache#cache-version)
- `Complete` - significant portion of the cache DB will be complete, making it the least selective possible index
- `UsedAt` & `CreatedAt` - only used in GC operation, so could remain, but this isn't a performance-sensitive codepath
Closes#874.
<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- bug fixes
- [PR](https://code.forgejo.org/forgejo/runner/pulls/878): <!--number 878 --><!--line 0 --><!--description Zml4OiBhcnRpZmFjdCBjYWNoZSBEQiBub3QgdXNpbmcgaW5kZXhlcyBmb3Igc2VhcmNoaW5n-->fix: artifact cache DB not using indexes for searching<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/878
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
