mirror of https://code.forgejo.org/forgejo/runner.git synced 2025-06-27 16:35:58 +00:00

Forgejo runner - alpha release, should not be considered secure enough to deploy in production

renovation

Find a file

Renovate Bot 9d1817c718 Update github.com/cloudflare/circl (indirect) to v1.6.1 [SECURITY] (#605 ) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/cloudflare/circl](https://github.com/cloudflare/circl) \| indirect \| minor \| `v1.3.7` -> `v1.6.1` \| --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results [GHSA-2x5j-vhc8-9cwm](https://github.com/advisories/GHSA-2x5j-vhc8-9cwm) / [GO-2025-3754](https://pkg.go.dev/vuln/GO-2025-3754) <details> <summary>More information</summary> #### Details ##### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ##### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings. #### Severity Low #### References - [https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm](https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm) - [https://github.com/cloudflare/circl](https://github.com/cloudflare/circl) - [https://github.com/cloudflare/circl/tree/v1.6.1](https://github.com/cloudflare/circl/tree/v1.6.1) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-2x5j-vhc8-9cwm) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl [GHSA-2x5j-vhc8-9cwm](https://github.com/advisories/GHSA-2x5j-vhc8-9cwm) / [GO-2025-3754](https://pkg.go.dev/vuln/GO-2025-3754) <details> <summary>More information</summary> #### Details CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl #### Severity Unknown #### References - [https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm](https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm) - [https://github.com/cloudflare/circl/tree/v1.6.1](https://github.com/cloudflare/circl/tree/v1.6.1) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3754) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Release Notes <details> <summary>cloudflare/circl (github.com/cloudflare/circl)</summary> ### [`v1.6.1`](https://github.com/cloudflare/circl/releases/tag/v1.6.1): CIRCL v1.6.1 [Compare Source](https://github.com/cloudflare/circl/compare/v1.6.0...v1.6.1) #### CIRCL v1.6.1 - Fixes some point checks on the FourQ curve. - Hybrid KEM fails on low-order points. ##### What's Changed - kem/hybrid: ensure X25519 hybrids fails with low order points by [@Lekensteyn](https://github.com/Lekensteyn) in https://github.com/cloudflare/circl/pull/541 - .github: Use native ARM64 builders instead of QEMU by [@Lekensteyn](https://github.com/Lekensteyn) in https://github.com/cloudflare/circl/pull/542 - Fixes several errors on twisted Edwards curves. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/545 - Release v1.6.1 by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/546 Full Changelog: https://github.com/cloudflare/circl/compare/v1.6.0...v1.6.1 ### [`v1.6.0`](https://github.com/cloudflare/circl/releases/tag/v1.6.0): CIRCL v1.6.0 [Compare Source](https://github.com/cloudflare/circl/compare/v1.5.0...v1.6.0) #### CIRCL v1.6.0 ##### New! - [Prio3](https://github.com/cloudflare/circl/blob/main/vdaf/prio3) Verifiable Distributed Aggregation Function ([draft-irtf-cfrg-vdaf](https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/)). - [X-Wing](https://github.com/cloudflare/circl/blob/main/kem/xwing): general-purpose hybrid post-quantum KEM ([draft-connolly-cfrg-xwing-kem](https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/)) ##### What's Changed - Add OIDs to ML-DSA by [@bwesterb](https://github.com/bwesterb) in https://github.com/cloudflare/circl/pull/519 - Adds Prio3 a set of verifiable distributed aggregation functions. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/522 - Run semgrep cronjob only in upstream repository. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/526 - X-Wing PQ/T hybrid by [@bwesterb](https://github.com/bwesterb) in https://github.com/cloudflare/circl/pull/471 - ckem: move crypto/elliptic to crypto/ecdh by [@MingLLuo](https://github.com/MingLLuo) in https://github.com/cloudflare/circl/pull/529 - hpke: Update HPKE code to use ecdh stdlib package. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/530 - prio3: Adds polynomial multiplication using NTT by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/532 - Add Prio3 in readme. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/527 ##### New Contributors - [@MingLLuo](https://github.com/MingLLuo) made their first contribution in https://github.com/cloudflare/circl/pull/529 Full Changelog: https://github.com/cloudflare/circl/compare/v1.5.0...v1.6.0 ### [`v1.5.0`](https://github.com/cloudflare/circl/releases/tag/v1.5.0): CIRCL v1.5.0 [Compare Source](https://github.com/cloudflare/circl/compare/v1.4.0...v1.5.0) ### CIRCL v1.5.0 New: ML-DSA, Module-Lattice-based Digital Signature Algorithm. ##### What's Changed - kem: add X25519MLKEM768 TLS hybrid KEM by [@bwesterb](https://github.com/bwesterb) in https://github.com/cloudflare/circl/pull/510 - Create semgrep.yml by [@hrushikeshdeshpande](https://github.com/hrushikeshdeshpande) in https://github.com/cloudflare/circl/pull/514 - repo: Some fixes reported by CodeQL by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/515 - Add ML-DSA (FIPS204) by [@bwesterb](https://github.com/bwesterb) in https://github.com/cloudflare/circl/pull/480 - sign/mldsa: Add test for ML-DSA signature verification. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/517 - Release v1.5.0 by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/518 ##### New Contributors - [@hrushikeshdeshpande](https://github.com/hrushikeshdeshpande) made their first contribution in https://github.com/cloudflare/circl/pull/514 Full Changelog: https://github.com/cloudflare/circl/compare/v1.4.0...v1.5.0 ### [`v1.4.0`](https://github.com/cloudflare/circl/releases/tag/v1.4.0): CIRCL v1.4.0 [Compare Source](https://github.com/cloudflare/circl/compare/v1.3.9...v1.4.0) ### CIRCL v1.4.0 ##### Changes New: ML-KEM compatible with FIPS-203. ##### Commit History - eddilithium3: fix typos by [@bwesterb](https://github.com/bwesterb) in https://github.com/cloudflare/circl/pull/503 - Add ML-KEM (FIPS 203). by [@bwesterb](https://github.com/bwesterb) in https://github.com/cloudflare/circl/pull/470 - Add ML-KEM decapsulation key check. by [@bwesterb](https://github.com/bwesterb) in https://github.com/cloudflare/circl/pull/507 - Preparing for release v1.4.0 by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/508 Full Changelog: https://github.com/cloudflare/circl/compare/v1.3.9...v1.4.0 ### [`v1.3.9`](https://github.com/cloudflare/circl/releases/tag/v1.3.9): CIRCL v1.3.9 [Compare Source](https://github.com/cloudflare/circl/compare/v1.3.8...v1.3.9) #### CIRCL v1.3.9 ##### Changes: - Fix bug on BLS12381 decoding elements. ##### Commit History - dilithium: fix typo by [@bwesterb](https://github.com/bwesterb) in https://github.com/cloudflare/circl/pull/498 - bls12381: Detects invalid prefix in G1 and G2 serialized elements by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/500 - Preparing CIRCL release v1.3.9 by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/501 Full Changelog: https://github.com/cloudflare/circl/compare/v1.3.8...v1.3.9 ### [`v1.3.8`](https://github.com/cloudflare/circl/releases/tag/v1.3.8): CIRCL v1.3.8 [Compare Source](https://github.com/cloudflare/circl/compare/v1.3.7...v1.3.8) ### CIRCL v1.3.8 #### New - BLS Signatures on top of BLS12-381. - Adopt faster squaring in pairings. - BlindRSA compliant with RFC9474. - (Verifiable) Secret Sharing compatible with the Group interface (elliptic curves). #### Notice - Update on cpabe/tkn20 ciphertexts, read more at https://github.com/cloudflare/circl/wiki/tkn20-Ciphertext-Format-(v1.3.8) ##### What's Changed - Implement Granger-Scott faster squaring in the cyclotomic subgroup. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/449 - Updates avo and CIRCL's own dependency. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/474 - Updating documentation for OPRF package. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/475 - group: removes order method from group interface by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/356 - zk/dleq: Adding DLEQ proofs for Qn, the subgroup of squares in (Z/nZ)\* by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/451 - Reduce x/crypto and x/sys versions to match Go 1.21 by [@Lekensteyn](https://github.com/Lekensteyn) in https://github.com/cloudflare/circl/pull/476 - Bump GitHub Actions versions and use Go 1.22 and 1.21 by [@Lekensteyn](https://github.com/Lekensteyn) in https://github.com/cloudflare/circl/pull/477 - Adding rule for constant values by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/478 - Add BLS signatures over BLS12-381 by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/446 - group: Implements Shamir and Feldman secret sharing. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/348 - blindrsa: add support for all variants of RFC9474 by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/479 - Explicitly installs Go with version before CodeQL analysis. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/481 - Bumps golangci-lint action by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/485 - ecc/bls12381: Ensures pairing operations don't overwrite their input by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/494 - Align to the `purego` build tag, removing `noasm` build tag by [@mattyclarkson](https://github.com/mattyclarkson) in https://github.com/cloudflare/circl/pull/492 - cpabe: Serializing ciphertext with 32-bit prefixes. by [@armfazh](https://github.com/armfazh) in https://github.com/cloudflare/circl/pull/490 ##### New Contributors - [@mattyclarkson](https://github.com/mattyclarkson) made their first contribution in https://github.com/cloudflare/circl/pull/492 Full Changelog: https://github.com/cloudflare/circl/compare/v1.3.7...v1.3.8 </details> --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC40OC40IiwidXBkYXRlZEluVmVyIjoiNDAuNDguNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/605 Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org> Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>		2025-06-14 09:34:54 +00:00
.forgejo	fix: use v11 for the docker-compose example (#542 )	2025-04-18 08:14:31 +00:00
.github/workflows	Add tests to Windows build (#585 )	2025-05-30 08:12:41 +00:00
contrib	Fix comments in systemd unit service file (#274 )	2024-09-18 13:40:32 +00:00
examples	chore: fix typos and add type checking to port/addr args (#576 )	2025-06-01 15:03:22 +00:00
internal	chore: fix typos and add type checking to port/addr args (#576 )	2025-06-01 15:03:22 +00:00
scripts	add instructions to run under systemd user services	2024-02-19 09:09:57 +01:00
.dockerignore	[FORGEJO] build forgejo-runner	2023-08-23 14:44:47 +02:00
.editorconfig	Add .editorconfig and .gitattributes (#186 )	2023-05-13 23:51:22 +08:00
.gitattributes	Add .editorconfig and .gitattributes (#186 )	2023-05-13 23:51:22 +08:00
.gitignore	Add support for windows build on GitHub (#312 )	2024-11-07 07:30:12 +00:00
.golangci.yml	ci(lint): refactor code for clarity and linting compliance (#289 )	2023-07-13 01:10:54 +00:00
build.go	Support cache (#25 )	2023-02-28 23:39:30 +08:00
Dockerfile	Update data.forgejo.org/oci/alpine Docker tag to v3.21 (#591 )	2025-06-04 05:58:31 +00:00
go.mod	Update github.com/cloudflare/circl (indirect) to v1.6.1 [SECURITY] (#605 )	2025-06-14 09:34:54 +00:00
go.sum	Update github.com/cloudflare/circl (indirect) to v1.6.1 [SECURITY] (#605 )	2025-06-14 09:34:54 +00:00
LICENSE	[FORGEJO] branding	2023-08-23 16:03:12 +02:00
main.go	Refactor to new framework (#98 )	2023-04-04 21:32:04 +08:00
Makefile	chore: fix typos and add type checking to port/addr args (#576 )	2025-06-01 15:03:22 +00:00
README.md	chore: fix typos and add type checking to port/addr args (#576 )	2025-06-01 15:03:22 +00:00
RELEASE-NOTES.md	Release notes for v6.3.2 [skip cascade] [skip ci] (#573 )	2025-05-26 05:01:50 +00:00
renovate.json	chore(renovate): drop explicit config in favor of preset	2025-05-12 11:23:24 +02:00

README.md

Forgejo Runner

WARNING: this is alpha release quality code and should not be considered secure enough to deploy in production.

A daemon that connects to a Forgejo instance and runs jobs for continuous integration. The installation and usage instructions are part of the Forgejo documentation.

Reporting bugs

When filing a bug in the issue tracker, it is very helpful to propose a pull request in the end-to-end tests repository that adds a reproducer. It will fail the CI and unambiguously demonstrate that the problem exists. In most cases it is enough to add a workflow (see the echo example). For more complicated cases it is also possible to add a runner config file as well as shell scripts to setup and teardown the test case (see the service example).

Hacking

The Forgejo runner depends on a fork of ACT and is a dependency of the setup-forgejo action. See the full dependency graph for a global view.

Local debug

The repositories are checked out in the same directory:

runner: Forgejo runner
act: ACT
setup-forgejo: setup-forgejo

Install dependencies

The dependencies are installed manually or with:

setup-forgejo/forgejo-dependencies.sh

Build the Forgejo runner with the local ACT

The Forgejo runner is rebuilt with the ACT directory by changing the runner/go.mod file to:

replace github.com/nektos/act => ../act

Running:

cd runner ; go mod tidy

Building:

cd runner ; rm -f forgejo-runner ; make forgejo-runner

Launch Forgejo and the runner

A Forgejo instance is launched with:

cd setup-forgejo
./forgejo.sh setup
firefox $(cat forgejo-url)

The user is root with password admin1234. The runner is registered with:

cd setup-forgejo
docker exec --user 1000 forgejo forgejo actions generate-runner-token > forgejo-runner-token
../runner/forgejo-runner register --no-interactive --instance "$(cat forgejo-url)" --name runner --token $(cat forgejo-runner-token) --labels docker:docker://node:20-bullseye,self-hosted:host://-self-hosted,lxc:lxc://debian:bullseye

And launched with:

cd setup-forgejo ; ../runner/forgejo-runner --config runner-config.yml daemon

Note that the runner-config.yml is required in that particular case to configure the network in bridge mode, otherwise the runner will create a network that cannot reach the forgejo instance.

Try a sample workflow

From the Forgejo web interface, create a repository and add the following to .forgejo/workflows/try.yaml. It will launch the job and the result can be observed from the actions tab.

on: [push]
jobs:
  ls:
    runs-on: docker
    steps:
      - uses: actions/checkout@v3
      - run: |
          ls ${{ github.workspace }}