Allow runner to access organization repositories or implement a way for remote authentication for steps #25929
Comments
No, the runner has no more permission than fetching and reporting tasks. It can access the repo because it gets a temporary token with some limited permissions. It's in the planning to config the permissions of the temporary token, see #24635.
@sillyguodong I think you could help.
We have supported expressions in uses: https://${{ secrets.GITHUB_TOKEN }}:@my-gitea-instance/myOrg/myAction
Is there a known approach for using the solution provided by @sillyguodong to call shared workflows? When attempting to embed the token in the URL I get the following error message: calling workflow snippet:
output:
@jonas-switala YAML parsers can often have issues when an unquoted string has a colon, which is quite ironic considering your workflow name. I would recommend quoting the string. Also, that is not a valid URL; you must use an @ to separate credentials from the host. See the definition
I finally found some time to test this again using gitea v1.22.3 and act-runner v0.2.10. Workflow:
Runner-Output:
Note: TEST_TOKEN is a read-only token with access to all private repos, so I can ensure this isn't an issue of insufficient permissions.
@jonas-switala I experience the same.
I have hit the same thing, and after some testing I can get it to work by hardcoding the token and providing a username. Using a username and token interpolation, or just the token interpolation itself, doesn't work. Thinking about it more, I feel like the log output would show the obfuscated **** characters if this was interpolating the secret correctly.
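The two checks discussed in the comments above (is the expression in `uses` actually interpolated, and is the credential masked before the URL reaches a log), as an added Go example that is not part of any comment in this thread and not code from act or Gitea. The helper names `redactUses` and `stdlibRedacted` are hypothetical, and `abc123` is a constructed stand-in for a token.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// redactUses is a hypothetical helper, not part of act or Gitea. It checks a
// `uses:` value that carries credentials in the URL and returns a copy that
// is safe to write to a job log.
func redactUses(uses string) (string, error) {
	// A "${{" that is still present means the expression was never evaluated.
	if strings.Contains(uses, "${{") {
		return "", errors.New("uses still contains an uninterpolated expression")
	}
	u, err := url.Parse(uses)
	if err != nil {
		// url.Parse errors quote the input, which may hold a token: drop it.
		return "", errors.New("uses is not a parseable URL")
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", errors.New("uses is not an http(s) URL")
	}
	if u.User == nil {
		return "", errors.New("uses has no credentials before the '@'")
	}
	// Mask the whole userinfo: in the token:@host form the token is the
	// username, which url.URL.Redacted leaves untouched.
	u.User = url.User("REDACTED")
	return u.String(), nil
}

// stdlibRedacted shows what url.URL.Redacted returns for the same input.
func stdlibRedacted(uses string) string {
	u, err := url.Parse(uses)
	if err != nil {
		return ""
	}
	return u.Redacted()
}

func main() {
	// Constructed sample value; "abc123" stands in for a real token.
	sample := "https://abc123:@my-gitea-instance/myOrg/myAction"
	safe, err := redactUses(sample)
	fmt.Println(safe, err)
	fmt.Println(stdlibRedacted(sample))
}
```

`url.URL.Redacted` only replaces the password field, so with the `token:@host` form used in this thread the token stays visible in its output, while `redactUses` masks it.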
Did some more research, the change above was only added in I have hacked a (probably awful code) change in to the act library: diff --git a/pkg/runner/reusable_workflow.go b/pkg/runner/reusable_workflow.go
index f43ba24..2eb1c1f 100644
--- a/pkg/runner/reusable_workflow.go
+++ b/pkg/runner/reusable_workflow.go
@@ -52,7 +52,14 @@ func newLocalReusableWorkflowExecutor(rc *RunContext) common.Executor {
}
func newRemoteReusableWorkflowExecutor(rc *RunContext) common.Executor {
- uses := rc.Run.Job().Uses
+
+ // Create a base context using context.TODO()
+ secretCtx := context.TODO()
+ // Add the map values to the context
+ for key, value := range rc.Config.Secrets {
+ secretCtx = context.WithValue(secretCtx, key, value)
+ }
+ uses := rc.NewExpressionEvaluator(secretCtx).Interpolate(secretCtx, rc.Run.Job().Uses)
var remoteReusableWorkflow *remoteReusableWorkflow
if strings.HasPrefix(uses, "http://") || strings.HasPrefix(uses, "https://") {
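Review bot: The loop added at the top of newRemoteReusableWorkflowExecutor copies every entry of rc.Config.Secrets into secretCtx with context.WithValue under the map's plain string keys, and nothing in this hunk reads those values back. The context package documentation advises against built-in types such as string as context keys because they can collide, and placing secrets in a context hands them to every callee that receives it. If the evaluator returned by rc.NewExpressionEvaluator already resolves secrets from rc, drop the loop and keep only the Interpolate call on rc.Run.Job().Uses; otherwise document which keys the evaluator looks up. Since uses now holds the expanded token, any later logging of it should go through secret masking, and the blank line added after the opening brace can be removed.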
@@ -208,6 +215,7 @@ type remoteReusableWorkflow struct {
}
func (r *remoteReusableWorkflow) CloneURL() string {
+
// In Gitea, r.URL always has the protocol prefix, we don't need to add extra prefix in this case.
if strings.HasPrefix(r.URL, "http://") || strings.HasPrefix(r.URL, "https://") {
return fmt.Sprintf("%s/%s/%s", r.URL, r.Org, r.Repo) I rebuilt act_runner with that and it does seem to be working, so I will raise a PR over there. Edit: PR here. |
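Review bot: The only change in the CloneURL hunk is a blank line added directly after the function's opening brace; it is unrelated to the interpolation fix and should be dropped so the patch touches only newRemoteReusableWorkflowExecutor. If r.URL can now carry credentials from an interpolated uses value, it is worth stating in the comment above the HasPrefix check that the returned string may contain a token and must not be logged unmasked.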
Feature Description
I have a private gitea instance, I configured it to require sign-in, I want to use actions hosted on my instance, but when I do:
The runner is unable to clone the repository:
I think the runner (that is registered to "myOrg") should be able to access repositories of the same organization or we need to be able to provide auth keys for the fetching of actions.
Screenshots
No response