mirror of
https://code.forgejo.org/forgejo/runner.git
synced 2025-09-15 18:57:01 +00:00
Forgejo runner - alpha release, should not be considered secure enough to deploy in production
4c3cfd3dd7
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) | `v2.2.1` -> `v2.3.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data [GHSA-fv92-fjc5-jj9h](https://github.com/advisories/GHSA-fv92-fjc5-jj9h) <details> <summary>More information</summary> #### Details ##### Summary Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields. ##### Details OpenBao (and presumably HashiCorp Vault) have surfaced error messages from `mapstructure` as follows: |
||
|---|---|---|
| .forgejo | ||
| .github/workflows | ||
| contrib | ||
| examples | ||
| internal | ||
| scripts | ||
| .dockerignore | ||
| .editorconfig | ||
| .gitattributes | ||
| .gitignore | ||
| .golangci.yml | ||
| build.go | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| Makefile | ||
| README.md | ||
| RELEASE-NOTES.md | ||
| renovate.json | ||
Forgejo Runner
WARNING: this is alpha release quality code and should not be considered secure enough to deploy in production.
A daemon that connects to a Forgejo instance and runs jobs for continuous integration. The installation and usage instructions are part of the Forgejo documentation.
Reporting bugs
When filing a bug in the issue tracker, it is very helpful to propose a pull request in the end-to-end tests repository that adds a reproducer. It will fail the CI and unambiguously demonstrate that the problem exists. In most cases it is enough to add a workflow (see the echo example). For more complicated cases it is also possible to add a runner config file as well as shell scripts to setup and teardown the test case (see the service example).
Hacking
The Forgejo runner depends on a fork of ACT and is a dependency of the setup-forgejo action. See the full dependency graph for a global view.
Local debug
The repositories are checked out in the same directory:
- runner: Forgejo runner
- act: ACT
- setup-forgejo: setup-forgejo
Install dependencies
The dependencies are installed manually or with:
setup-forgejo/forgejo-dependencies.sh
Build the Forgejo runner with the local ACT
The Forgejo runner is rebuilt with the ACT directory by changing the runner/go.mod file to:
replace github.com/nektos/act => ../act
Running:
cd runner ; go mod tidy
Building:
cd runner ; rm -f forgejo-runner ; make forgejo-runner
Launch Forgejo and the runner
A Forgejo instance is launched with:
cd setup-forgejo
./forgejo.sh setup
firefox $(cat forgejo-url)
The user is root with password admin1234. The runner is registered with:
cd setup-forgejo
docker exec --user 1000 forgejo forgejo actions generate-runner-token > forgejo-runner-token
../runner/forgejo-runner register --no-interactive --instance "$(cat forgejo-url)" --name runner --token $(cat forgejo-runner-token) --labels docker:docker://node:20-bullseye,self-hosted:host://-self-hosted,lxc:lxc://debian:bullseye
And launched with:
cd setup-forgejo ; ../runner/forgejo-runner --config runner-config.yml daemon
Note that the runner-config.yml is required in that particular case
to configure the network in bridge mode, otherwise the runner will
create a network that cannot reach the forgejo instance.
Try a sample workflow
From the Forgejo web interface, create a repository and add the
following to .forgejo/workflows/try.yaml. It will launch the job and
the result can be observed from the actions tab.
on: [push]
jobs:
ls:
runs-on: docker
steps:
- uses: actions/checkout@v3
- run: |
ls ${{ github.workspace }}