forgejo/runner
31
87
Fork 91
Code Issues 37 Pull requests 9 Releases 81 Packages 1 Activity Actions

feat: include auth token when cloning actions from own instance #1249

Merged
mfenniak merged 1 commit from JohnMoon-VTS/runner:token-auth into main 2025-12-31 16:25:45 +00:00
Conversation 17 Commits 1 Files changed 4 +183 -11
JohnMoon-VTS commented 2025-12-29 18:59:30 +00:00
Contributor
Copy link

Currently, when using an instance with REQUIRE_SIGNIN_VIEW = true, it
is impossible to self-host repos containing Forgejo Actions as the runner
does not pass any auth token when it attempts to clone the action.

Let's enable this workflow by passing along the default github.Token
token when we're trying to clone the action in question from our own
instance. This can happen in two cases:

  1. The remote URL is empty (e.g. actions/checkout@v5) and the default
    actions URL is set to one's own instance.
  2. The remote URL is set to one's own instance (e.g.
    https://forgejo.my-instance.com/actions/checkout@v5).

While the github.Token scope is limited to the repo where the action
is running, it does authenticate the runner to the server and allow it
to clone actions repos that are "public" on the instance. However, this
is only true since Forgejo v13.0.0 1. As such, only set the token if
the server version is reported as >= 13.0.0.

For more discussion on this feature, see:
forgejo/forgejo-actions-feature-requests#3

  • features
    • PR: feat: include auth token when cloning actions from own instance
Currently, when using an instance with `REQUIRE_SIGNIN_VIEW = true`, it is impossible to self-host repos containing Forgejo Actions as the runner does not pass any auth token when it attempts to clone the action. Let's enable this workflow by passing along the default `github.Token` token when we're trying to clone the action in question from our own instance. This can happen in two cases: 1. The remote URL is empty (e.g. `actions/checkout@v5`) and the default actions URL is set to one's own instance. 2. The remote URL is set to one's own instance (e.g. `https://forgejo.my-instance.com/actions/checkout@v5`). While the `github.Token` scope is limited to the repo where the action is running, it does authenticate the runner to the server and allow it to clone actions repos that are "public" on the instance. However, this is only true since Forgejo v13.0.0 [1]. As such, only set the token if the server version is reported as >= 13.0.0. [1]: https://codeberg.org/forgejo/forgejo/pulls/8889 For more discussion on this feature, see: https://code.forgejo.org/forgejo/forgejo-actions-feature-requests/issues/3 <!--start release-notes-assistant--> <!--URL:https://code.forgejo.org/forgejo/runner--> - features - [PR](https://code.forgejo.org/forgejo/runner/pulls/1249): <!--number 1249 --><!--line 0 --><!--description ZmVhdDogaW5jbHVkZSBhdXRoIHRva2VuIHdoZW4gY2xvbmluZyBhY3Rpb25zIGZyb20gb3duIGluc3RhbmNl-->feat: include auth token when cloning actions from own instance<!--description--> <!--end release-notes-assistant-->
viceice commented 2025-12-29 21:35:53 +00:00
Owner
Copy link

isn't the token still limited to the triggering repo for forgejo below v14? I remember some token rights expand in v14

isn't the token still limited to the triggering repo for forgejo below v14? I remember some token rights expand in v14
JohnMoon-VTS commented 2025-12-29 21:39:55 +00:00
Author
Contributor
Copy link

I am not positive what the changes are in v14, but I did test this with my 13.0.3 instance and it does work.

To be clear, my instance has REQUIRE_SIGNIN_VIEW = true and the actions repo the workflow clones is "public" within the instance.

I am not positive what the changes are in v14, but I did test this with my 13.0.3 instance and it does work. To be clear, my instance has `REQUIRE_SIGNIN_VIEW = true` and the actions repo the workflow clones is "public" within the instance.
viceice commented 2025-12-29 21:59:21 +00:00
Owner
Copy link

it's in v13, you need to make this compatible with v11 because it's lts. see below

it's in v13, you need to make this compatible with v11 because it's lts. see below - https://codeberg.org/forgejo/forgejo/pulls/8889 - https://code.forgejo.org/forgejo/runner/pulls/855
viceice requested changes 2025-12-29 21:59:52 +00:00
Dismissed
viceice left a comment
Owner
Copy link

needs to be compatible with all supported versions

needs to be compatible with all supported versions
JohnMoon-VTS commented 2025-12-29 22:13:51 +00:00
Author
Contributor
Copy link

@viceice, I'm not sure what the ask is here. If we merge this PR as is, the runner will include the token if the actions URL is set to one's own instance.

  • If the instance is <13, the clone will fail as the functionality of #855 is not added.
  • If the instance is >=13, the clone will succeed.

Without this PR:

  • If the instance is <13, the clone will fail as the token is not included.
  • If the instance is >=13, the clone will fail as the token is not included.

I must be missing something... if we merged this PR, what would be the incompatibility for users on v11?

@viceice, I'm not sure what the ask is here. If we merge this PR as is, the runner will include the token if the actions URL is set to one's own instance. - If the instance is <13, the clone will fail as the functionality of #855 is not added. - If the instance is >=13, the clone will succeed. Without this PR: - If the instance is <13, the clone will fail as the token is not included. - If the instance is >=13, the clone will fail as the token is not included. I must be missing something... if we merged this PR, what would be the incompatibility for users on v11?
viceice commented 2025-12-29 22:22:04 +00:00
Owner
Copy link

@JohnMoon-VTS wrote in #1249 (comment):

@viceice, I'm not sure what the ask is here. If we merge this PR as is, the runner will include the token if the actions URL is set to one's own instance.

  • If the instance is <13, the clone will fail as the functionality of #855 is not added.
  • If the instance is >=13, the clone will succeed.

Without this PR:

  • If the instance is <13, the clone will fail as the token is not included.
  • If the instance is >=13, the clone will fail as the token is not included.

I must be missing something... if we merged this PR, what would be the incompatibility for users on v11?

it would fail on v11 if the instance and the action repo is public and it's now passing the token which doesn't have access to public repo.

@JohnMoon-VTS wrote in https://code.forgejo.org/forgejo/runner/pulls/1249#issuecomment-71174: > @viceice, I'm not sure what the ask is here. If we merge this PR as is, the runner will include the token if the actions URL is set to one's own instance. > > * If the instance is <13, the clone will fail as the functionality of #855 is not added. > * If the instance is >=13, the clone will succeed. > > Without this PR: > > * If the instance is <13, the clone will fail as the token is not included. > * If the instance is >=13, the clone will fail as the token is not included. > > I must be missing something... if we merged this PR, what would be the incompatibility for users on v11? it would fail on v11 if the instance and the action repo is public and it's now passing the token which doesn't have access to public repo.
JohnMoon-VTS commented 2025-12-29 22:46:14 +00:00
Author
Contributor
Copy link

Understood - thank you for clarifying.

So, the two paths forward:

  1. Wait for the next LTS release and then merge.
  2. Add new information (maybe the Forgejo server version number) to the context passed from the server to the runner.
    • Then, update this PR to act on that information. If no version number is set or it's less than v13.0.0 when the expanded token access was merged, we don't set the token.

I'm happy to implement option 2. I could also see the version number context being helpful for these sorts of issues in the future, so maybe it'd be good to land that before the next LTS. Does that approach sound reasonable to you @viceice?

Understood - thank you for clarifying. So, the two paths forward: 1. Wait for the next LTS release and then merge. 2. Add new information (maybe the Forgejo server version number) to the [context passed](https://codeberg.org/forgejo/forgejo/src/commit/82624a2a8c704f6a573f80a4a4ebbb62cc93a7f7/services/actions/context.go#L113-L114) from the server to the runner. - Then, update this PR to act on that information. If no version number is set or it's less than v13.0.0 when the expanded token access was merged, we don't set the token. I'm happy to implement option 2. I could also see the version number context being helpful for these sorts of issues in the future, so maybe it'd be good to land that before the next LTS. Does that approach sound reasonable to you @viceice?
viceice commented 2025-12-29 23:35:28 +00:00
Owner
Copy link

@JohnMoon-VTS wrote in #1249 (comment):

Understood - thank you for clarifying.

So, the two paths forward:

  1. Wait for the next LTS release and then merge.

  2. Add new information (maybe the Forgejo server version number) to the context passed from the server to the runner.

    • Then, update this PR to act on that information. If no version number is set or it's less than v13.0.0 when the expanded token access was merged, we don't set the token.

I'm happy to implement option 2. I could also see the version number context being helpful for these sorts of issues in the future, so maybe it'd be good to land that before the next LTS. Does that approach sound reasonable to you @viceice?

yes. option 2 sounds good as long term solution. otherwise we're blocked again in future for sure.
I would help you to get it into v14 if you're able to get it done fast. otherwise it'll come in v15.

@JohnMoon-VTS wrote in https://code.forgejo.org/forgejo/runner/pulls/1249#issuecomment-71179: > Understood - thank you for clarifying. > > So, the two paths forward: > > 1. Wait for the next LTS release and then merge. > 2. Add new information (maybe the Forgejo server version number) to the [context passed](https://codeberg.org/forgejo/forgejo/src/commit/82624a2a8c704f6a573f80a4a4ebbb62cc93a7f7/services/actions/context.go#L113-L114) from the server to the runner. > > * Then, update this PR to act on that information. If no version number is set or it's less than v13.0.0 when the expanded token access was merged, we don't set the token. > > I'm happy to implement option 2. I could also see the version number context being helpful for these sorts of issues in the future, so maybe it'd be good to land that before the next LTS. Does that approach sound reasonable to you @viceice? yes. option 2 sounds good as long term solution. otherwise we're blocked again in future for sure. I would help you to get it into v14 if you're able to get it done fast. otherwise it'll come in v15.
viceice commented 2025-12-29 23:37:33 +00:00
Owner
Copy link

@mfenniak wdyt? maybe it should be a protocol extension, so the runner knows the server version after first contact on start-up? I don't like to post it on every job context.

@mfenniak wdyt? maybe it should be a protocol extension, so the runner knows the server version after first contact on start-up? I don't like to post it on every job context.
mfenniak commented 2025-12-30 03:11:55 +00:00
Owner
Copy link

It's a great catch in review. 👍 Even understanding the issue I would have mistaken believed the behaviour would be fine on v11. Thanks for noting it, @viceice. @JohnMoon-VTS and I did a lot of discussing to end up at the same design as #855, so I think we can also celebrate that it's the right choice if it was arrived at independently twice. 🤣

I like @JohnMoon-VTS's idea of adding version info to the context.

  • As compared to adding it to the protocol on start-up, it won't be "static" for the lifetime of a runner. If Forgejo is upgraded and the runner isn't restarted, which is quite reasonable (especially for large instances like Codeberg), the version will change on a new job.
  • I could imagine multiple reasonable use-cases for having the Forgejo server version available in the context of a job -- for example: FORGEJO_VERSION / ${{ forgejo.version }} being accessible in an action or reusable workflow would allow reasonable conditional logic like, "ah, this API isn't available yet, this API has a known bug, etc."

It's also a minor enough change that it should be reasonable to backport for Forgejo v14's release.

It's a great catch in review. 👍 Even understanding the issue I would have mistaken believed the behaviour would be fine on v11. Thanks for noting it, @viceice. @JohnMoon-VTS and I did a lot of discussing to end up at the same design as #855, so I think we can also celebrate that it's the right choice if it was arrived at independently twice. 🤣 I like @JohnMoon-VTS's idea of adding version info to the context. - As compared to adding it to the protocol on start-up, it won't be "static" for the lifetime of a runner. If Forgejo is upgraded and the runner isn't restarted, which is quite reasonable (especially for large instances like Codeberg), the version will change on a new job. - I could imagine multiple reasonable use-cases for having the Forgejo server version available in the context of a job -- for example: `FORGEJO_VERSION` / `${{ forgejo.version }}` being accessible in an action or reusable workflow would allow reasonable conditional logic like, "ah, this API isn't available yet, this API has a known bug, etc." It's also a minor enough change that it should be reasonable to backport for Forgejo v14's release.
👍 2
viceice commented 2025-12-30 08:33:03 +00:00
Owner
Copy link

@mfenniak sounds reasonable and I agree

@mfenniak sounds reasonable and I agree
aahlenst commented 2025-12-30 09:21:46 +00:00
Member
Copy link

Adding it to the context sounds good. However, it has to be done in such a way that it does not end up in github to prevent compatibility problems down the road. That might be tricky as long as forgejo is an alias of github.

Adding it to the context sounds good. However, it has to be done in such a way that it does not end up in `github` to prevent compatibility problems down the road. That might be tricky as long as `forgejo` is an alias of `github`.
JohnMoon-VTS force-pushed token-auth from c59539d36b
All checks were successful
issue-labels / release-notes (pull_request_target) Successful in 5s
Details
checks / validate mocks (pull_request) Successful in 49s
Details
checks / validate pre-commit-hooks file (pull_request) Successful in 50s
Details
checks / build and test (pull_request) Successful in 1m13s
Details
checks / runner exec tests (pull_request) Successful in 42s
Details
checks / runner integration tests (pull_request) Successful in 7m46s
Details
checks / integration tests (docker-latest) (pull_request) Successful in 13m4s
Details
checks / integration tests (docker-stable) (pull_request) Successful in 15m4s
Details
to 32cd48ac37
Some checks failed
cascade / forgejo (pull_request_target) Has been skipped
Details
cascade / debug (pull_request_target) Has been skipped
Details
cascade / end-to-end (pull_request_target) Has been skipped
Details
checks / build and test (pull_request) Failing after 40s
Details
checks / validate mocks (pull_request) Failing after 45s
Details
checks / runner exec tests (pull_request) Has been skipped
Details
checks / runner integration tests (pull_request) Has been skipped
Details
checks / validate pre-commit-hooks file (pull_request) Successful in 51s
Details
issue-labels / release-notes (pull_request_target) Successful in 7s
Details
checks / integration tests (docker-latest) (pull_request) Successful in 11m36s
Details
checks / integration tests (docker-stable) (pull_request) Successful in 14m2s
Details
2025-12-30 18:07:41 +00:00 Compare
JohnMoon-VTS force-pushed token-auth from 32cd48ac37
Some checks failed
cascade / forgejo (pull_request_target) Has been skipped
Details
cascade / debug (pull_request_target) Has been skipped
Details
cascade / end-to-end (pull_request_target) Has been skipped
Details
checks / build and test (pull_request) Failing after 40s
Details
checks / validate mocks (pull_request) Failing after 45s
Details
checks / runner exec tests (pull_request) Has been skipped
Details
checks / runner integration tests (pull_request) Has been skipped
Details
checks / validate pre-commit-hooks file (pull_request) Successful in 51s
Details
issue-labels / release-notes (pull_request_target) Successful in 7s
Details
checks / integration tests (docker-latest) (pull_request) Successful in 11m36s
Details
checks / integration tests (docker-stable) (pull_request) Successful in 14m2s
Details
to d3c3e2fc43
All checks were successful
cascade / forgejo (pull_request_target) Has been skipped
Details
cascade / debug (pull_request_target) Has been skipped
Details
cascade / end-to-end (pull_request_target) Has been skipped
Details
issue-labels / release-notes (pull_request_target) Successful in 5s
Details
checks / validate mocks (pull_request) Successful in 50s
Details
checks / validate pre-commit-hooks file (pull_request) Successful in 42s
Details
checks / build and test (pull_request) Successful in 3m26s
Details
checks / runner exec tests (pull_request) Successful in 32s
Details
checks / runner integration tests (pull_request) Successful in 6m43s
Details
checks / integration tests (docker-latest) (pull_request) Successful in 11m36s
Details
checks / integration tests (docker-stable) (pull_request) Successful in 13m26s
Details
2025-12-30 18:10:10 +00:00 Compare
JohnMoon-VTS commented 2025-12-30 19:02:44 +00:00
Author
Contributor
Copy link

This PR should be in good shape to re-review. I've added the context on the server side here: https://codeberg.org/forgejo/forgejo/pulls/10642.

In addition to the integration tests in both, I manually spun up a new server with the change and added a log message on the runner side to verify the version number is passed correctly through the context.

This PR should be in good shape to re-review. I've added the context on the server side here: https://codeberg.org/forgejo/forgejo/pulls/10642. In addition to the integration tests in both, I manually spun up a new server with the change and added a log message on the runner side to verify the version number is passed correctly through the context.
mfenniak reviewed 2025-12-30 21:42:29 +00:00
act/runner/step_action_remote.go Outdated
@ -312,0 +321,4 @@
// actions from "public" repos.
// See: https://codeberg.org/forgejo/forgejo/pulls/8889
func tokenAuthSupported(serverVersion string) (bool, error) {
v, err := semver.NewVersion(serverVersion)
mfenniak commented 2025-12-30 21:42:29 +00:00
Owner
Copy link

I'd feel more comfortable with this if it had handling for serverVersion == "" (eg. the task came from Forgejo v11, so we can definitely return false), and separately if semver.NewVersion() returned an error that we actually treated that as an error. I can imagine subtle cases may exist if, for some reason, an invalid version came through that the semver library couldn't parse... it would just silently drop token auth support rather than surfacing that error state for resolution.

I'd feel more comfortable with this if it had handling for `serverVersion == ""` (eg. the task came from Forgejo v11, so we can definitely return `false`), and separately if `semver.NewVersion()` returned an error that we actually treated that as an error. I can imagine subtle cases may exist if, for some reason, an invalid version came through that the `semver` library couldn't parse... it would just silently drop token auth support rather than surfacing that error state for resolution.
JohnMoon-VTS commented 2025-12-30 23:34:31 +00:00
Author
Contributor
Copy link

Let me know if the latest push resolves this concern!

Let me know if the latest push resolves this concern!
mfenniak commented 2025-12-30 21:44:25 +00:00
Owner
Copy link

@aahlenst wrote in #1249 (comment):

Adding it to the context sounds good. However, it has to be done in such a way that it does not end up in github to prevent compatibility problems down the road. That might be tricky as long as forgejo is an alias of github.

@JohnMoon-VTS's PR update, if I'm reading it accurately, uses the value only for detection of whether the new token auth capability is supported or not. I believe it is not yet exposed in forgejo context, which is good for the scope of this PR. We can expose it in the near future and make sure it doesn't leak into github context at that time.

@aahlenst wrote in https://code.forgejo.org/forgejo/runner/pulls/1249#issuecomment-71203: > Adding it to the context sounds good. However, it has to be done in such a way that it does not end up in `github` to prevent compatibility problems down the road. That might be tricky as long as `forgejo` is an alias of `github`. @JohnMoon-VTS's PR update, if I'm reading it accurately, uses the value only for detection of whether the new token auth capability is supported or not. I believe it is not yet exposed in `forgejo` context, which is good for the scope of this PR. We can expose it in the near future and make sure it doesn't leak into `github` context at that time.
JohnMoon-VTS force-pushed token-auth from d3c3e2fc43
All checks were successful
cascade / forgejo (pull_request_target) Has been skipped
Details
cascade / debug (pull_request_target) Has been skipped
Details
cascade / end-to-end (pull_request_target) Has been skipped
Details
issue-labels / release-notes (pull_request_target) Successful in 5s
Details
checks / validate mocks (pull_request) Successful in 50s
Details
checks / validate pre-commit-hooks file (pull_request) Successful in 42s
Details
checks / build and test (pull_request) Successful in 3m26s
Details
checks / runner exec tests (pull_request) Successful in 32s
Details
checks / runner integration tests (pull_request) Successful in 6m43s
Details
checks / integration tests (docker-latest) (pull_request) Successful in 11m36s
Details
checks / integration tests (docker-stable) (pull_request) Successful in 13m26s
Details
to d8ff254aee
All checks were successful
checks / validate pre-commit-hooks file (pull_request) Successful in 1m2s
Details
checks / validate mocks (pull_request) Successful in 1m19s
Details
checks / build and test (pull_request) Successful in 1m54s
Details
checks / runner exec tests (pull_request) Successful in 38s
Details
checks / runner integration tests (pull_request) Successful in 7m27s
Details
checks / integration tests (docker-latest) (pull_request) Successful in 12m35s
Details
checks / integration tests (docker-stable) (pull_request) Successful in 14m49s
Details
cascade / forgejo (pull_request_target) Has been skipped
Details
cascade / debug (pull_request_target) Has been skipped
Details
cascade / end-to-end (pull_request_target) Has been skipped
Details
issue-labels / release-notes (pull_request_target) Successful in 7s
Details
2025-12-30 23:33:49 +00:00 Compare
mfenniak approved these changes 2025-12-31 04:35:20 +00:00
viceice approved these changes 2025-12-31 07:55:17 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
mfenniak
viceice
Labels
Clear labels   
FreeBSD

   
Kind/Breaking

Breaking change that won't be backward compatible

  
Kind/Bug

Something is not working

  
Kind/Chore

It is no fun but it needs to be done, this is a chore.

  
Kind/DependencyUpdate

for pull requests that are created by renovate when updating a dependency

  
Kind/Documentation

Documentation changes

  
Kind/Enhancement

Improve existing functionality

  
Kind/Feature

New functionality

  
Kind/Security

This is security issue

  
Kind/Testing

Issue or pull request related to testing

  
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Medium
The priority is medium

  
Reviewed
Confirmed
Issue has been confirmed

  
Reviewed
Duplicate
This issue or pull request already exists

  
Reviewed
Invalid
Invalid issue

  
Reviewed
Won't Fix
This issue won't be fixed

  
Status
Abandoned
Somebody has started to work on this but abandoned work

  
Status
Blocked
Something is blocking this issue or pull request

  
Status
Need More Info
Feedback is required to reproduce issue or to continue work

  
Windows

Windows ports is an independent project, see https://github.com/Crown0815/Forgejo-runner-windows-builder

  
linux-powerpc64le

powerpc64le

  
linux-riscv64

   
linux-s390x

   
run-end-to-end-tests

Run https://code.forgejo.org/forgejo/end-to-end with a runner compiled from this pull request

  
run-forgejo-tests

Run https://codeberg.org/forgejo/forgejo tests importing the runner from this pull request

No labels
FreeBSD
Kind/Breaking
Kind/Bug
Kind/Chore
Kind/DependencyUpdate
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Security
Kind/Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
Windows
linux-powerpc64le
linux-riscv64
linux-s390x
run-end-to-end-tests
run-forgejo-tests
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/runner!1249
No description provided.