gitea actions: update / clarify maintenance on them or can we just use github actions instead ?

[tobhv]

gitea actions update clarification

Hi,

not sure whether this is a good feature request but will try anyway (it is more of a proposal).

problem / context:
gitea.com uses github compatible actions fot pipelines. but some / most of the actions offered on gitea.com are outdated and contain vulnerabilities.
example: see below trivy scanning reports on the actions/checkout repo.
i think pulling in some software as part of running a pipeline is ok as long as there is trust on that the code is maintained / safe.

questions:
from what i see each gitea actions repo is a plain mirror of github, but simply not updated ?

suggestions:
can you share some light on whether it's recommeneded to use github actions straight away or share wether there is intention to update the gitea actions ?
or it's perhaps to early to tell (since gitea actions are still work in progress?

other than that: documentation looks great, speed of gitea is excellent so thanks already for that.

Screenshots

~$ trivy repository https://gitea.com/actions/checkout
2024-02-25T22:14:58.929+0100    INFO    Need to update DB
2024-02-25T22:14:58.929+0100    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-02-25T22:14:58.929+0100    INFO    Downloading DB...
43.24 MiB / 43.24 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 18.83 MiB p/s 2.5s
2024-02-25T22:15:02.173+0100    INFO    Vulnerability scanning is enabled
2024-02-25T22:15:02.173+0100    INFO    Secret scanning is enabled
2024-02-25T22:15:02.173+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-25T22:15:02.173+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
Enumerating objects: 450, done.
Counting objects: 100% (450/450), done.
Compressing objects: 100% (259/259), done.
Total 450 (delta 275), reused 279 (delta 152), pack-reused 0
2024-02-25T22:15:05.552+0100    INFO    To collect the license information of packages in "package-lock.json", "npm install" needs to be performed beforehand
2024-02-25T22:15:05.647+0100    INFO    Number of language-specific files: 1
2024-02-25T22:15:05.647+0100    INFO    Detecting npm vulnerabilities...

package-lock.json (npm)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 2, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬──────────┬───────────────────┬──────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │  Status  │ Installed Version │                      Fixed Version                       │                            Title                             │
├───────────────┼────────────────┼──────────┼──────────┼───────────────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @actions/core │ CVE-2022-35954 │ MEDIUM   │ fixed    │ 1.2.6             │ 1.9.1                                                    │ @actions/core has Delimiter Injection Vulnerability in       │
│               │                │          │          │                   │                                                          │ exportVariable                                               │
│               │                │          │          │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2022-35954                   │
├───────────────┼────────────────┼──────────┼──────────┼───────────────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ lodash.set    │ CVE-2020-8203  │ HIGH     │ affected │ 4.3.2             │                                                          │ nodejs-lodash: prototype pollution in zipObjectDeep function │
│               │                │          │          │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2020-8203                    │
├───────────────┼────────────────┤          ├──────────┼───────────────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ qs            │ CVE-2022-24999 │          │ fixed    │ 6.10.1            │ 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, │ express: "qs" prototype poisoning causes the hang of the     │
│               │                │          │          │                   │ 6.2.4                                                    │ node process                                                 │
│               │                │          │          │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2022-24999                   │
├───────────────┼────────────────┼──────────┤          ├───────────────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ semver        │ CVE-2022-25883 │ MEDIUM   │          │ 5.7.1             │ 7.5.2, 6.3.1, 5.7.2                                      │ nodejs-semver: Regular expression denial of service          │
│               │                │          │          │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2022-25883                   │
│               │                │          │          ├───────────────────┤                                                          │                                                              │
│               │                │          │          │ 6.3.0             │                                                          │                                                              │
│               │                │          │          │                   │                                                          │                                                              │
└───────────────┴────────────────┴──────────┴──────────┴───────────────────┴──────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘
:~$ trivy repository https://github.com/actions/checkout
2024-02-25T22:16:18.054+0100    INFO    Vulnerability scanning is enabled
2024-02-25T22:16:18.054+0100    INFO    Secret scanning is enabled
2024-02-25T22:16:18.054+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-25T22:16:18.054+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
Enumerating objects: 964, done.
Counting objects: 100% (964/964), done.
Compressing objects: 100% (495/495), done.
Total 964 (delta 610), reused 720 (delta 395), pack-reused 0
2024-02-25T22:16:20.797+0100    INFO    To collect the license information of packages in "package-lock.json", "npm install" needs to be performed beforehand
2024-02-25T22:16:20.869+0100    INFO    Number of language-specific files: 1
2024-02-25T22:16:20.869+0100    INFO    Detecting npm vulnerabilities...

[delvh]

Yes, Gitea Actions were exactly designed to be compatible with GitHub Actions.
While there will be some Actions that are incompatible due to slightly different APIs, the great majority should be usable no matter if you are on GitHub or Gitea.
Gitea aims for API compatibility with GitHub wherever possible, but we often lag behind in terms of support.
Regarding the forks on gitea.com:
I think the original Actions on GitHub can indeed be used as a drop-in replacement.

[wolfogre]

Your worries are exactly right. That's why here is #25581. So maybe you are using an old version of Gitea?

---

Or you have been confused by the outdated docs? #29442

[lunny]

And now there is a mirror every 12 hours for all repositories under gitea.com/actions and gitea.com/docker. I think we can close this issue now.

[GiteaBot]

We close issues that need feedback from the author if there were no new comments for a month. 🍵