mirror of
https://code.forgejo.org/forgejo/runner.git
synced 2025-09-15 18:57:01 +00:00
Forgejo runner - alpha release, should not be considered secure enough to deploy in production
877749a730
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [forgejo/runner](https://code.forgejo.org/forgejo/runner) | major | `9.1.1` -> `10.0.1` |
---
### Release Notes
<details>
<summary>forgejo/runner (forgejo/runner)</summary>
### [`v10.0.1`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1)
[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v10.0.0...v10.0.1)
- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)
Release Notes
***
### [`v10.0.0`](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.0)
[Compare Source](https://code.forgejo.org/forgejo/runner/compare/v9.1.1...v10.0.0)
> **Warning** Upgrade to v10.0.1 instead. A regression was found on `pull_request_target` events and is fixed in the [v10.0.1 release](https://code.forgejo.org/forgejo/runner/releases/tag/v10.0.1).
- [User guide](https://forgejo.org/docs/next/user/actions/overview/)
- [Administrator guide](https://forgejo.org/docs/next/admin/actions/)
- [Container images](https://code.forgejo.org/forgejo/-/packages/container/runner/versions)
Release Notes
- [PR](https://code.forgejo.org/forgejo/runner/pulls/925): <!--number 925 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogcHJldmVudCBvbjogcHVsbF9yZXF1ZXN0IGFjdGlvbnMgZnJvbSBtdXRhdGluZyBjYWNoZXMgb2Ygb3RoZXIgd29ya2Zsb3cgZXZlbnRz-->fix(security): prevent on: pull\_request actions from mutating caches of other workflow events<!--description-->
forgej-runner currently creates a safer execution environment for workflows triggered by pull requests by denying those workflows access to the repository's secrets, preventing pull requests from compromising the confidentiality of the secrets.
Workflows do have access to write to the action cache, which is shared with future workflow executions, including executions that may have access to repository secrets. This was assumed safe as the cache is a "write-once" operation based upon the cache key; if an execution writes to that cache, it will be read by other workflows only if a matching key parameter is provided, and it can not be modified again. These assumptions were identified as weak security practices with known workarounds.
It is possible for a malicious pull request to mutate the shared cache and embed untrusted artifacts, which may later be executed in workflow executions with access to secrets, risking the confidentiality of those secrets.
In order to eliminate this risk, workflows executing with the `pull_request` and `pull_request_target` events have their write operations to the cache isolated to future workflow executions from the same pull request. They can continue to read from the shared cache if applicable.
If using an external cache server configuration, both the cache server and other instances of the runner must be running the same software version. The recommended upgrade procedure in this configuration is to bring all runners offline, upgrade the cache server to the latest release and bring it online, and then bring all other runners online.
- [PR](https://code.forgejo.org/forgejo/runner/pulls/924): <!--number 924 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogZW5zdXJlIHVuaXF1ZSBuYW1lcyBmb3IgY29udGFpbmVyIGltYWdlcyBjcmVhdGVkIGJ5IGFjdGlvbnM=-->fix(security): ensure unique names for container images created by actions<!--description-->
Without this fix, when a workflow ran a local [docker action](https://forgejo.org/docs/next/user/actions/actions/#docker-actions) (e.g. the [example in the end-to-end tests](
|
||
|---|---|---|
| .forgejo | ||
| .github/workflows | ||
| act | ||
| contrib | ||
| examples | ||
| internal | ||
| release-notes | ||
| testutils | ||
| .dockerignore | ||
| .editorconfig | ||
| .gitattributes | ||
| .gitignore | ||
| .golangci.yml | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| Makefile | ||
| README.md | ||
| RELEASE-NOTES.md | ||
| renovate.json | ||
Forgejo Runner
A daemon that connects to a Forgejo instance and runs jobs for continuous integration. The installation and usage instructions are part of the Forgejo documentation.
Reporting security-related issues
Sensitive security-related issues should be reported to security@forgejo.org using encryption.
License
The Forgejo runner source code is distributed under the terms of the following licenses:
- MIT for the most part.
- Apache 2 for parts found in the act/container directory.
Architectures & OS
The Forgejo runner is supported and tested on amd64 and arm64 (binaries and containers) on Operating Systems based on the Linux kernel.
Work may be in progress for other architectures and you can browse the corresponding issues to figure out how they make progress. If you are interested in helping them move forward, open an issue. The most challenging part is to setup and maintain a native runner long term. Once it is supported by Forgejo, the runner is expected to be available 24/7 which can be challenging. Otherwise debugging any architecture specific problem won't be possible.
Hacking
The Forgejo runner is a dependency of the setup-forgejo action. See the full dependency graph for a global view.
Building
- Install Go and
make(1) make build
Linting
make lint-checkmake lint# will fix some lint errors
Testing
The workflow that runs in the CI uses similar commands.
Without a Forgejo instance
- Install Docker
make test integration-test
The TestRunner_RunEvent test suite contains most integration tests
with real-world workflows and is time-consuming to run. During
development, it is helpful to run a specific test through a targeted
command such as this:
go test -count=1 -run='TestRunner_RunEvent$/local-action-dockerfile$' ./act/runner
With a Forgejo instance
- Run a Forgejo instance locally (for instance at http://0.0.0.0:8080) and create as shared secret
export FORGEJO_RUNNER_SECRET='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
export FORGEJO_URL=http://0.0.0.0:8080
forgejo forgejo-cli actions register --labels docker --name therunner --secret $FORGEJO_RUNNER_SECRET
make test integration-test# which will run addional tests because FORGEJO_URL is set
end-to-end
- Follow the instructions from the end-to-end tests to run actions tests locally.
./end-to-end.sh actions_teardown# stop the Forgejo and runner daemons running in the end-to-end environment( cd ~/clone-of-the-runner-repo ; make build ; cp forgejo-runner /tmp/forgejo-end-to-end/forgejo-runner )# install the runner built from sources./end-to-end.sh actions_setup 13.0# start Forgejo v13.0 and the runner daemon in the end-to-end environment./end-to-end.sh actions_verify_example echo# run the echo workflowxdg-open http://127.0.0.1:3000/root/example-echo/actions/runs/1# see the logs workflowless /tmp/forgejo-end-to-end/forgejo-runner.log# analyze the runner logsless /tmp/forgejo-end-to-end/forgejo-work-path/log/forgejo.log# analyze the Forgejo logs