From a083af17dce37b434d6b00772a95df79a986a2b0 Mon Sep 17 00:00:00 2001 From: Christopher Homberger Date: Mon, 4 Mar 2024 12:49:06 +0100 Subject: [PATCH 1/2] Add ac claim for old docker/build-push-actions@v3 Also resolves a warning for current releases ``` | ##[group]GitHub Actions runtime token ACs | ##[warning]Cannot parse GitHub Actions Runtime Token ACs: "undefined" is not valid JSON | ##[endgroup] ====> | ##[group]GitHub Actions runtime token ACs | ##[endgroup] ``` --- services/actions/auth.go | 2 ++ services/actions/auth_test.go | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/services/actions/auth.go b/services/actions/auth.go index e0f9a9015dcda..fbe8eb4f72943 100644 --- a/services/actions/auth.go +++ b/services/actions/auth.go @@ -21,6 +21,7 @@ type actionsClaims struct { TaskID int64 RunID int64 JobID int64 + Ac string `json:"ac"` } func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) { @@ -32,6 +33,7 @@ func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) { NotBefore: jwt.NewNumericDate(now), }, Scp: fmt.Sprintf("Actions.Results:%d:%d", runID, jobID), + Ac: "[]", TaskID: taskID, RunID: runID, JobID: jobID, diff --git a/services/actions/auth_test.go b/services/actions/auth_test.go index 1f62f17f52a86..6db5232128475 100644 --- a/services/actions/auth_test.go +++ b/services/actions/auth_test.go @@ -7,6 +7,7 @@ import ( "net/http" "testing" + "code.gitea.io/gitea/modules/json" "code.gitea.io/gitea/modules/setting" "github.com/golang-jwt/jwt/v5" 
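Review bot: The new `Ac` field in actionsClaims carries a JSON document serialised inside a JSON claim (a string holding an array, not a nested array), and nothing on the struct says so, which invites a later "fix" into a `[]T` field that would break the consumer shown in the commit message. A doc comment such as `// Ac is the "ACs" claim of a GitHub Actions runtime token: a JSON-encoded array kept as a string, because the runtime parses the claim value itself (an unset claim surfaces as "undefined" is not valid JSON).` would pin that contract. The seed value `"[]"` in the second hunk is consistent with that, and the matching test in auth_test.go only checks the string parses as a list, so the comment is the only place the shape is documented.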
@@ -29,6 +30,12 @@ func TestCreateAuthorizationToken(t *testing.T) { taskIDClaim, ok := claims["TaskID"] assert.True(t, ok, "Has TaskID claim in jwt token") assert.Equal(t, float64(taskID), taskIDClaim, "Supplied taskid must match stored one") + acClaim, ok := claims["ac"] + assert.True(t, ok, "Has ac claim in jwt token") + ac, ok := acClaim.(string) + assert.True(t, ok, "ac claim is a string") + err = json.Unmarshal([]byte(ac), &[]struct{}{}) + assert.NoError(t, err, "ac claim is a json list") } func TestParseAuthorizationToken(t *testing.T) { From 2d7c4bd7d7d33e161461e5bc33a87e895e802f10 Mon Sep 17 00:00:00 2001 From: Christopher Homberger Date: Mon, 4 Mar 2024 16:09:34 +0100 Subject: [PATCH 2/2] make buildx gha cache work --- services/actions/auth.go | 25 ++++++++++++++++++++++++- services/actions/auth_test.go | 8 +++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/services/actions/auth.go b/services/actions/auth.go index fbe8eb4f72943..8e934d89a84c8 100644 --- a/services/actions/auth.go +++ b/services/actions/auth.go @@ -9,6 +9,7 @@ import ( "strings" "time" + "code.gitea.io/gitea/modules/json" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" 
@@ -24,16 +25,38 @@ type actionsClaims struct { Ac string `json:"ac"` } +type actionsCacheScope struct { + Scope string + Permission actionsCachePermission +} + +type actionsCachePermission int + +const ( + actionsCachePermissionRead = 1 << iota + actionsCachePermissionWrite +) + func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) { now := time.Now() + ac, err := json.Marshal(&[]actionsCacheScope{ + { + Scope: "", + Permission: actionsCachePermissionWrite, + }, + }) + if err != nil { + return "", err + } + claims := actionsClaims{ RegisteredClaims: jwt.RegisteredClaims{ ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)), NotBefore: jwt.NewNumericDate(now), }, Scp: fmt.Sprintf("Actions.Results:%d:%d", runID, jobID), - Ac: "[]", + Ac: string(ac), TaskID: taskID, RunID: runID, JobID: jobID, diff --git a/services/actions/auth_test.go b/services/actions/auth_test.go index 6db5232128475..f73ae8ae4c36a 100644 --- a/services/actions/auth_test.go +++ b/services/actions/auth_test.go @@ -33,9 +33,11 @@ func TestCreateAuthorizationToken(t *testing.T) { acClaim, ok := claims["ac"] assert.True(t, ok, "Has ac claim in jwt token") ac, ok := acClaim.(string) - assert.True(t, ok, "ac claim is a string") - err = json.Unmarshal([]byte(ac), &[]struct{}{}) - assert.NoError(t, err, "ac claim is a json list") + assert.True(t, ok, "ac claim is a string for buildx gha cache") + scopes := []actionsCacheScope{} + err = json.Unmarshal([]byte(ac), &scopes) + assert.NoError(t, err, "ac claim is a json list for buildx gha cache") + assert.GreaterOrEqual(t, len(scopes), 1, "Expected at least one action cache scope for buildx gha cache") } func TestParseAuthorizationToken(t *testing.T) {
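Review bot: The new `const` block leaves the permission values untyped (`actionsCachePermissionRead = 1 << iota`), so the `actionsCachePermission` type is declared but never attached to them; `actionsCachePermissionRead actionsCachePermission = 1 << iota` keeps the bitmask tied to the `Permission` field's type and lets the compiler reject a bare int. The `1 << iota` layout reads as a bitmask, yet the scope marshalled in CreateAuthorizationToken grants `actionsCachePermissionWrite` alone (value 2) with an empty `Scope`, and neither choice is explained — if the cache consumer treats Permission as a bitmask, write-without-read may not be what it expects, so confirm against the consumer and use `actionsCachePermissionRead | actionsCachePermissionWrite` if both are intended. The literal also deserves a why-comment on the 24h write-capable grant, e.g. `// empty Scope: no cache-key restriction; presumably the run-level TaskID/RunID/JobID claims bound the token instead — TODO confirm`. The auth_test.go hunk only asserts `len(scopes) >= 1`; asserting `scopes[0].Scope` and `scopes[0].Permission` would pin the grant the token actually carries. CreateAuthorizationToken's body continues past the end of this hunk.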