Allow runner to access organization repositories or implement a way for remote authentication for steps

[LJ1102]

Feature Description

I have a private gitea instance, I configured it to require sign-in, I want to use actions hosted on my instance, but when I do:

steps:
  - uses: https://my-gitea-instance/myOrg/myAction@latest

The runner is unable to clone the repository:

Unable to clone https://my-gitea-instance/myOrg/myAction refs/heads/latest: authentication required

I think the runner (that is registered to "myOrg") should be able to access repositories of the same organization or we need to be able to provide auth keys for the fetching of actions.

Screenshots

No response

[wolfogre]

I think the runner (that is registered to "myOrg") should be able to access repositories of the same organization ...

No, the runner has no more permission than fetching and reporting tasks. It can access the repo because the it gets a temporary token with some limited permissions.

It's in the planning to config the permissions of the temporary token, see #24635.

... we need to be able to provide auth keys for the fetching of actions.

@sillyguodong I think you could help.

[sillyguodong]

We have supported expression in uses in this PR.
So please upgrade your runner, and try to interpolate the token in uses by expression, like below:

uses: https://${{ secrets.GITHUB_TOKEN }}:@my-gitea-instance/myOrg/myAction

[jonas-switala]

Is there a known approach for using the solution provided by @sillyguodong to call shared workflows?

When attempting to embed the token in the URL I get the following error message:

calling workflow snippet:

jobs:
  validate-manifests:
    uses: https://${{ secrets.GITHUB_TOKEN }}:{instance}/{owner}/{repo}/.gitea/workflows/validate.yaml@v1.0.0

output:

expected format {owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}. Actual 'https://${{ secrets.GITHUB_TOKEN }}:{instance}/{owner}/{repo}/.gitea/workflows/validate.yaml@v1.0.0' Input string was not in a correct format

[brandonkal]

@jonas-switala YAML parsers can often have issues when an unquoted string has a colon which is quite ironic considering your workflow name. I would recommend quoting the string. Also that is not a valid URL, you must use an @ to separate credentials from the host. See the definition

[jonas-switala]

I finally found some time to test this again using gitea v1.22.3 and act-runner v0.2.10.
Unfortunately, it still doesn't work but at least the error is different this time (invalid userinfo). Am I still missing some parameters or is this an actual bug/error?

Workflow:

name: "Validate using shared workflow"

on:
  workflow_dispatch:
  push:
  pull_request:

jobs:
  validate:
    uses: "https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow>/.gitea/workflows/validate.yaml@v1.0.0"

Runner-Output:

gitea-runner-03(version:v0.2.10) received task 7689 of job 7707, be triggered by event: push
workflow prepared
evaluating expression 'success()'
expression 'success()' evaluated to 'true'
  ☁  git clone 'https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow>' # ref=v1.0.0
  cloning https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow> to /root/.cache/act/<org>-<shared-workflow>@v1.0.0
Unable to clone https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow> refs/heads/v1.0.0: parse "https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow>": net/url: invalid userinfo
parse "https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow>": net/url: invalid userinfo

Note: TEST_TOKEN is a read-only token with access to all private repos, so i can ensure this isn't an issue of insufficient permissions

[ChemiCalChems]

I finally found some time to test this again using gitea v1.22.3 and act-runner v0.2.10. Unfortunately, it still doesn't work but at least the error is different this time (invalid userinfo). Am I still missing some parameters or is this an actual bug/error?

Workflow:

name: "Validate using shared workflow"

on:
  workflow_dispatch:
  push:
  pull_request:

jobs:
  validate:
    uses: "https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow>/.gitea/workflows/validate.yaml@v1.0.0"

Runner-Output:

gitea-runner-03(version:v0.2.10) received task 7689 of job 7707, be triggered by event: push
workflow prepared
evaluating expression 'success()'
expression 'success()' evaluated to 'true'
  ☁  git clone 'https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow>' # ref=v1.0.0
  cloning https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow> to /root/.cache/act/<org>-<shared-workflow>@v1.0.0
Unable to clone https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow> refs/heads/v1.0.0: parse "https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow>": net/url: invalid userinfo
parse "https://${{ secrets.TEST_TOKEN }}:@<instance>/<org>/<shared-workflow>": net/url: invalid userinfo

Note: TEST_TOKEN is a read-only token with access to all private repos, so i can ensure this isn't an issue of insufficient permissions

@jonas-switala I experience the same.

[maxsargentdev]

I have hit the same thing, and after some testing I can get it to work by hardcoding the token and providing a username. Using a username and token interpolation, or just the token interpolation itself doesn't work.

Thinking about it more, I feel like the log output would show the obfuscated **** characters if this was interpolating the secret correctly.

[maxsargentdev]

Did some more research, the change above was only added in step_action_remote.go so it doesnt work when calling a resusable workflow, which uses resusable_workflow.go.

I have hacked a (probably awful code) change in to the act library:

diff --git a/pkg/runner/reusable_workflow.go b/pkg/runner/reusable_workflow.go
index f43ba24..2eb1c1f 100644
--- a/pkg/runner/reusable_workflow.go
+++ b/pkg/runner/reusable_workflow.go
@@ -52,7 +52,14 @@ func newLocalReusableWorkflowExecutor(rc *RunContext) common.Executor {
 }

 func newRemoteReusableWorkflowExecutor(rc *RunContext) common.Executor {
-       uses := rc.Run.Job().Uses
+
+       // Create a base context using context.TODO()
+       secretCtx := context.TODO()
+       // Add the map values to the context
+       for key, value := range rc.Config.Secrets {
+               secretCtx = context.WithValue(secretCtx, key, value)
+       }
+       uses := rc.NewExpressionEvaluator(secretCtx).Interpolate(secretCtx, rc.Run.Job().Uses)

        var remoteReusableWorkflow *remoteReusableWorkflow
        if strings.HasPrefix(uses, "http://") || strings.HasPrefix(uses, "https://") {
@@ -208,6 +215,7 @@ type remoteReusableWorkflow struct {
 }

 func (r *remoteReusableWorkflow) CloneURL() string {
+
        // In Gitea, r.URL always has the protocol prefix, we don't need to add extra prefix in this case.
        if strings.HasPrefix(r.URL, "http://") || strings.HasPrefix(r.URL, "https://") {
                return fmt.Sprintf("%s/%s/%s", r.URL, r.Org, r.Repo)

I rebuilt act_runner with that and it does seem to be working, so I will raise a PR over there.

Edit: PR here.