From c7c62c4f7e0f56c460e9a2b5d972fed2923f6cd0 Mon Sep 17 00:00:00 2001 From: sillyguodong Date: Wed, 28 Feb 2024 17:24:05 +0800 Subject: [PATCH 1/6] Make runs-on support variable expression --- modules/actions/utils.go | 80 +++++++++++++++++++++++++++++ routers/api/actions/runner/utils.go | 71 +------------------------ services/actions/notifier_helper.go | 8 ++- 3 files changed, 89 insertions(+), 70 deletions(-) create mode 100644 modules/actions/utils.go diff --git a/modules/actions/utils.go b/modules/actions/utils.go new file mode 100644 index 000000000000..ebf194f93270 --- /dev/null +++ b/modules/actions/utils.go 
@@ -0,0 +1,80 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package actions
+
+import (
+ "context"
+
+ actions_model "code.gitea.io/gitea/models/actions"
+ "code.gitea.io/gitea/models/db"
+ secret_model "code.gitea.io/gitea/models/secret"
+ "code.gitea.io/gitea/modules/log"
+ secret_module "code.gitea.io/gitea/modules/secret"
+ "code.gitea.io/gitea/modules/setting"
+)
+
+func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
+ secrets := map[string]string{}
+
+ secrets["GITHUB_TOKEN"] = task.Token
+ secrets["GITEA_TOKEN"] = task.Token
+
+ if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != GithubEventPullRequestTarget {
+ // ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
+ // for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch
+ // see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+ return secrets
+ }
+
+ ownerSecrets, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID})
+ if err != nil {
+ log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err)
+ // go on
+ }
+ repoSecrets, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{RepoID: task.Job.Run.RepoID})
+ if err != nil {
+ log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err)
+ // go on
+ }
+
+ for _, secret := range append(ownerSecrets, repoSecrets...)
{ + if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil { + log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err) + // go on + } else { + secrets[secret.Name] = v + } + } + + return secrets +} + +func GetVariablesOfRun(ctx context.Context, run *actions_model.ActionRun) map[string]string { + variables := map[string]string{} + + // Global + globalVariables, err := db.Find[actions_model.ActionVariable](ctx, actions_model.FindVariablesOpts{}) + if err != nil { + log.Error("find global variables: %v", err) + } + + // Org / User level + ownerVariables, err := db.Find[actions_model.ActionVariable](ctx, actions_model.FindVariablesOpts{OwnerID: run.Repo.OwnerID}) + if err != nil { + log.Error("find variables of org: %d, error: %v", run.Repo.OwnerID, err) + } + + // Repo level + repoVariables, err := db.Find[actions_model.ActionVariable](ctx, actions_model.FindVariablesOpts{RepoID: run.RepoID}) + if err != nil { + log.Error("find variables of repo: %d, error: %v", run.RepoID, err) + } + + // Level precedence: Repo > Org / User > Global + for _, v := range append(globalVariables, append(ownerVariables, repoVariables...)...) { + variables[v.Name] = v.Data + } + + return variables +} diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go index a7cb31288cab..08543161df62 100644 --- a/routers/api/actions/runner/utils.go +++ b/routers/api/actions/runner/utils.go @@ -9,13 +9,11 @@ import ( actions_model "code.gitea.io/gitea/models/actions" "code.gitea.io/gitea/models/db" - secret_model "code.gitea.io/gitea/models/secret" actions_module "code.gitea.io/gitea/modules/actions" "code.gitea.io/gitea/modules/container" "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/json" "code.gitea.io/gitea/modules/log" - secret_module "code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/services/actions" 
@@ -38,8 +36,8 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv Id: t.ID, WorkflowPayload: t.Job.WorkflowPayload, Context: generateTaskContext(t), - Secrets: getSecretsOfTask(ctx, t), - Vars: getVariablesOfTask(ctx, t), + Secrets: actions_module.GetSecretsOfTask(ctx, t), + Vars: actions_module.GetVariablesOfRun(ctx, t.Job.Run), } if needs, err := findTaskNeeds(ctx, t); err != nil { 
@@ -55,71 +53,6 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv return task, true, nil } -func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string { - secrets := map[string]string{} - - secrets["GITHUB_TOKEN"] = task.Token - secrets["GITEA_TOKEN"] = task.Token - - if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget { - // ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated. - // for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch - // see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target - return secrets - } - - ownerSecrets, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID}) - if err != nil { - log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err) - // go on - } - repoSecrets, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{RepoID: task.Job.Run.RepoID}) - if err != nil { - log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err) - // go on - } - - for _, secret := range append(ownerSecrets, repoSecrets...) 
{ - if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil { - log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err) - // go on - } else { - secrets[secret.Name] = v - } - } - - return secrets -} - -func getVariablesOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string { - variables := map[string]string{} - - // Global - globalVariables, err := db.Find[actions_model.ActionVariable](ctx, actions_model.FindVariablesOpts{}) - if err != nil { - log.Error("find global variables: %v", err) - } - - // Org / User level - ownerVariables, err := db.Find[actions_model.ActionVariable](ctx, actions_model.FindVariablesOpts{OwnerID: task.Job.Run.Repo.OwnerID}) - if err != nil { - log.Error("find variables of org: %d, error: %v", task.Job.Run.Repo.OwnerID, err) - } - - // Repo level - repoVariables, err := db.Find[actions_model.ActionVariable](ctx, actions_model.FindVariablesOpts{RepoID: task.Job.Run.RepoID}) - if err != nil { - log.Error("find variables of repo: %d, error: %v", task.Job.Run.RepoID, err) - } - - // Level precedence: Repo > Org / User > Global - for _, v := range append(globalVariables, append(ownerVariables, repoVariables...)...) { - variables[v.Name] = v.Data - } - - return variables -} - func generateTaskContext(t *actions_model.ActionTask) *structpb.Struct { event := map[string]any{} _ = json.Unmarshal([]byte(t.Job.Run.EventPayload), &event) diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go index b248af1d0183..92c6b1096d7e 100644 --- a/services/actions/notifier_helper.go +++ b/services/actions/notifier_helper.go @@ -18,6 +18,7 @@ import ( repo_model "code.gitea.io/gitea/models/repo" unit_model "code.gitea.io/gitea/models/unit" user_model "code.gitea.io/gitea/models/user" + "code.gitea.io/gitea/modules/actions" actions_module "code.gitea.io/gitea/modules/actions" "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/gitrepo" 
@@ -296,7 +297,12 @@ func handleWorkflows( run.NeedApproval = need } - jobs, err := jobparser.Parse(dwf.Content) + if err := run.LoadAttributes(ctx); err != nil { + log.Error("LoadAttributes %v", err) + continue + } + + jobs, err := jobparser.Parse(dwf.Content, jobparser.WithVars(actions.GetVariablesOfRun(ctx, run))) if err != nil { log.Error("jobparser.Parse: %v", err) continue From 14f2606023baf839ccd2a2bfc122291df2251ff0 Mon Sep 17 00:00:00 2001 From: sillyguodong Date: Thu, 29 Feb 2024 00:30:00 +0800 Subject: [PATCH 2/6] move to service pkg --- routers/api/actions/runner/utils.go | 4 ++-- services/actions/notifier_helper.go | 3 +-- {modules => services}/actions/utils.go | 3 ++- 3 files changed, 5 insertions(+), 5 deletions(-) rename {modules => services}/actions/utils.go (96%) diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go index 08543161df62..40503540900d 100644 --- a/routers/api/actions/runner/utils.go +++ b/routers/api/actions/runner/utils.go @@ -36,8 +36,8 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv Id: t.ID, WorkflowPayload: t.Job.WorkflowPayload, Context: generateTaskContext(t), - Secrets: actions_module.GetSecretsOfTask(ctx, t), - Vars: actions_module.GetVariablesOfRun(ctx, t.Job.Run), + Secrets: actions.GetSecretsOfTask(ctx, t), + Vars: actions.GetVariablesOfRun(ctx, t.Job.Run), } if needs, err := findTaskNeeds(ctx, t); err != nil { diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go index 92c6b1096d7e..65d085051fa4 100644 --- a/services/actions/notifier_helper.go +++ b/services/actions/notifier_helper.go @@ -18,7 +18,6 @@ import ( repo_model "code.gitea.io/gitea/models/repo" unit_model "code.gitea.io/gitea/models/unit" user_model "code.gitea.io/gitea/models/user" - "code.gitea.io/gitea/modules/actions" actions_module "code.gitea.io/gitea/modules/actions" "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/gitrepo" 
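Review bot: The new `jobparser.Parse(dwf.Content, jobparser.WithVars(...))` call in handleWorkflows runs right after `run.NeedApproval = need` with no check of that flag or of `run.IsForkPullRequest`, so global, owner and repo variables are substituted into the workflow content before anyone has approved the run. Variables are not secrets, but if `dwf.Content` can come from a pull request head (not visible in this hunk), a contributor's workflow decides which variable values end up in parsed job fields such as `runs-on`, and therefore which runner labels the job requests. Consider passing an empty map while the run still needs approval, or add a comment above the call stating that variables are treated as readable by any workflow author. The same call is kept in the later notifier_helper.go hunks of patches 2, 3 and 5; handleWorkflows starts and ends outside the hunk.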
@@ -302,7 +301,7 @@ func handleWorkflows( continue } - jobs, err := jobparser.Parse(dwf.Content, jobparser.WithVars(actions.GetVariablesOfRun(ctx, run))) + jobs, err := jobparser.Parse(dwf.Content, jobparser.WithVars(GetVariablesOfRun(ctx, run))) if err != nil { log.Error("jobparser.Parse: %v", err) continue diff --git a/modules/actions/utils.go b/services/actions/utils.go similarity index 96% rename from modules/actions/utils.go rename to services/actions/utils.go index ebf194f93270..a9e634339c5a 100644 --- a/modules/actions/utils.go +++ b/services/actions/utils.go @@ -9,6 +9,7 @@ import ( actions_model "code.gitea.io/gitea/models/actions" "code.gitea.io/gitea/models/db" secret_model "code.gitea.io/gitea/models/secret" + actions_module "code.gitea.io/gitea/modules/actions" "code.gitea.io/gitea/modules/log" secret_module "code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/setting" @@ -20,7 +21,7 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[s secrets["GITHUB_TOKEN"] = task.Token secrets["GITEA_TOKEN"] = task.Token - if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != GithubEventPullRequestTarget { + if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget { // ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated. // for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch // see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target From 93982f54828c6cef5f9240034e6a05f20c73bd16 Mon Sep 17 00:00:00 2001 
From: sillyguodong Date: Thu, 29 Feb 2024 15:00:31 +0800 Subject: [PATCH 3/6] chore: mv function --- models/actions/variable.go | 30 +++++++++++ models/secret/secret.go | 39 ++++++++++++++ routers/api/actions/runner/utils.go | 5 +- services/actions/notifier_helper.go | 2 +- services/actions/utils.go | 81 ----------------------------- 5 files changed, 73 insertions(+), 84 deletions(-) delete mode 100644 services/actions/utils.go diff --git a/models/actions/variable.go b/models/actions/variable.go index 12717e0ae461..54053176af6f 100644 --- a/models/actions/variable.go +++ b/models/actions/variable.go @@ -10,6 +10,7 @@ import ( "strings" "code.gitea.io/gitea/models/db" + "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/util" @@ -82,3 +83,32 @@ func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error) }) return count != 0, err } + +func GetVariablesOfRun(ctx context.Context, run *ActionRun) map[string]string { + variables := map[string]string{} + + // Global + globalVariables, err := db.Find[ActionVariable](ctx, FindVariablesOpts{}) + if err != nil { + log.Error("find global variables: %v", err) + } + + // Org / User level + ownerVariables, err := db.Find[ActionVariable](ctx, FindVariablesOpts{OwnerID: run.Repo.OwnerID}) + if err != nil { + log.Error("find variables of org: %d, error: %v", run.Repo.OwnerID, err) + } + + // Repo level + repoVariables, err := db.Find[ActionVariable](ctx, FindVariablesOpts{RepoID: run.RepoID}) + if err != nil { + log.Error("find variables of repo: %d, error: %v", run.RepoID, err) + } + + // Level precedence: Repo > Org / User > Global + for _, v := range append(globalVariables, append(ownerVariables, repoVariables...)...) { + variables[v.Name] = v.Data + } + + return variables +} diff --git a/models/secret/secret.go b/models/secret/secret.go index 41e860d7f664..57320a042c40 100644 --- a/models/secret/secret.go +++ b/models/secret/secret.go 
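Review bot: `GetVariablesOfRun` in models/actions/variable.go is exported without a doc comment and reads `run.Repo.OwnerID`, so it panics on a nil pointer when the caller has not loaded `run.Repo`. handleWorkflows calls `run.LoadAttributes(ctx)` first, but whether `t.Job.Run` in pickTask is always loaded cannot be seen from this diff. I would add `// GetVariablesOfRun returns the variables visible to run; repo-level values override owner-level ones, which override global ones. run.Repo must already be loaded.` above the function, or have it load the attributes itself.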
@@ -9,7 +9,10 @@ import ( "fmt" "strings" + actions_model "code.gitea.io/gitea/models/actions" "code.gitea.io/gitea/models/db" + actions_module "code.gitea.io/gitea/modules/actions" + "code.gitea.io/gitea/modules/log" secret_module "code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" @@ -112,3 +115,39 @@ func UpdateSecret(ctx context.Context, secretID int64, data string) error { } return err } + +func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string { + secrets := map[string]string{} + + secrets["GITHUB_TOKEN"] = task.Token + secrets["GITEA_TOKEN"] = task.Token + + if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget { + // ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated. + // for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch + // see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + return secrets + } + + ownerSecrets, err := db.Find[Secret](ctx, FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID}) + if err != nil { + log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err) + // go on + } + repoSecrets, err := db.Find[Secret](ctx, FindSecretsOptions{RepoID: task.Job.Run.RepoID}) + if err != nil { + log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err) + // go on + } + + for _, secret := range append(ownerSecrets, repoSecrets...) { + if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil { + log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err) + // go on + } else { + secrets[secret.Name] = v + } + } + + return secrets +} 
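Review bot: `GetSecretsOfTask` becomes an exported function of models/secret that returns decrypted secret values, and it has no doc comment saying so or stating the fork rule it enforces. I would add `// GetSecretsOfTask returns the decrypted secrets for task, keyed by name. Runs from fork pull requests get only the generated tokens unless the trigger is pull_request_target. The values are plaintext and must not be logged.` above it. Placing it here also makes models/secret import models/actions and modules/actions, which compiles only while neither imports models/secret back; that is worth confirming, since the earlier patches in this series kept the helper outside the models layer.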
diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go index 40503540900d..b2726607019b 100644 --- a/routers/api/actions/runner/utils.go +++ b/routers/api/actions/runner/utils.go @@ -9,6 +9,7 @@ import ( actions_model "code.gitea.io/gitea/models/actions" "code.gitea.io/gitea/models/db" + secret_model "code.gitea.io/gitea/models/secret" actions_module "code.gitea.io/gitea/modules/actions" "code.gitea.io/gitea/modules/container" "code.gitea.io/gitea/modules/git" @@ -36,8 +37,8 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv Id: t.ID, WorkflowPayload: t.Job.WorkflowPayload, Context: generateTaskContext(t), - Secrets: actions.GetSecretsOfTask(ctx, t), - Vars: actions.GetVariablesOfRun(ctx, t.Job.Run), + Secrets: secret_model.GetSecretsOfTask(ctx, t), + Vars: actions_model.GetVariablesOfRun(ctx, t.Job.Run), } if needs, err := findTaskNeeds(ctx, t); err != nil { diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go index 65d085051fa4..5ae70abf764c 100644 --- a/services/actions/notifier_helper.go +++ b/services/actions/notifier_helper.go @@ -301,7 +301,7 @@ func handleWorkflows( continue } - jobs, err := jobparser.Parse(dwf.Content, jobparser.WithVars(GetVariablesOfRun(ctx, run))) + jobs, err := jobparser.Parse(dwf.Content, jobparser.WithVars(actions_model.GetVariablesOfRun(ctx, run))) if err != nil { log.Error("jobparser.Parse: %v", err) continue diff --git a/services/actions/utils.go b/services/actions/utils.go deleted file mode 100644 index a9e634339c5a..000000000000 --- a/services/actions/utils.go +++ /dev/null 
@@ -1,81 +0,0 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package actions
-
-import (
- "context"
-
- actions_model "code.gitea.io/gitea/models/actions"
- "code.gitea.io/gitea/models/db"
- secret_model "code.gitea.io/gitea/models/secret"
- actions_module "code.gitea.io/gitea/modules/actions"
- "code.gitea.io/gitea/modules/log"
- secret_module "code.gitea.io/gitea/modules/secret"
- "code.gitea.io/gitea/modules/setting"
-)
-
-func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
- secrets := map[string]string{}
-
- secrets["GITHUB_TOKEN"] = task.Token
- secrets["GITEA_TOKEN"] = task.Token
-
- if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
- // ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
- // for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch
- // see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
- return secrets
- }
-
- ownerSecrets, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID})
- if err != nil {
- log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err)
- // go on
- }
- repoSecrets, err := db.Find[secret_model.Secret](ctx, secret_model.FindSecretsOptions{RepoID: task.Job.Run.RepoID})
- if err != nil {
- log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err)
- // go on
- }
-
- for _, secret := range append(ownerSecrets, repoSecrets...)
{ - if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil { - log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err) - // go on - } else { - secrets[secret.Name] = v - } - } - - return secrets -} - -func GetVariablesOfRun(ctx context.Context, run *actions_model.ActionRun) map[string]string { - variables := map[string]string{} - - // Global - globalVariables, err := db.Find[actions_model.ActionVariable](ctx, actions_model.FindVariablesOpts{}) - if err != nil { - log.Error("find global variables: %v", err) - } - - // Org / User level - ownerVariables, err := db.Find[actions_model.ActionVariable](ctx, actions_model.FindVariablesOpts{OwnerID: run.Repo.OwnerID}) - if err != nil { - log.Error("find variables of org: %d, error: %v", run.Repo.OwnerID, err) - } - - // Repo level - repoVariables, err := db.Find[actions_model.ActionVariable](ctx, actions_model.FindVariablesOpts{RepoID: run.RepoID}) - if err != nil { - log.Error("find variables of repo: %d, error: %v", run.RepoID, err) - } - - // Level precedence: Repo > Org / User > Global - for _, v := range append(globalVariables, append(ownerVariables, repoVariables...)...) { - variables[v.Name] = v.Data - } - - return variables -} From 43651df1df870821d6645fe9c211ed5e09ddb08c Mon Sep 17 00:00:00 2001 From: sillyguodong Date: Fri, 1 Mar 2024 14:28:08 +0800 Subject: [PATCH 4/6] chore: upgrade go mod --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 03f6ad121584..e8034c85f0ae 100644 --- a/go.mod +++ b/go.mod 
@@ -302,7 +302,7 @@ replace github.com/hashicorp/go-version => github.com/6543/go-version v1.3.1 replace github.com/shurcooL/vfsgen => github.com/lunny/vfsgen v0.0.0-20220105142115-2c99e1ffdfa0 -replace github.com/nektos/act => gitea.com/gitea/act v0.2.51 +replace github.com/nektos/act => gitea.com/gitea/act v0.259.1 replace github.com/gorilla/feeds => github.com/yardenshoham/feeds v0.0.0-20240110072658-f3d0c21c0bd5 diff --git a/go.sum b/go.sum index b3b8ad8ce48f..38ff8af7d2f9 100644 --- a/go.sum +++ b/go.sum @@ -48,8 +48,8 @@ dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 h1:cliQ4HHsCo6xi2oWZYKWW4bly/Ory9FuTpFPRxj/mAg= git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078/go.mod h1:g/V2Hjas6Z1UHUp4yIx6bATpNzJ7DYtD0FG3+xARWxs= -gitea.com/gitea/act v0.2.51 h1:gXc/B4OlTciTTzAx9cmNyw04n2SDO7exPjAsR5Idu+c= -gitea.com/gitea/act v0.2.51/go.mod h1:CoaX2053jqBlD6JMgu4d4UgFL/rp2I14Kt5mMqcs0Z0= +gitea.com/gitea/act v0.259.1 h1:8GG1o/xtUHl3qjn5f0h/2FXrT5ubBn05TJOM5ry+FBw= +gitea.com/gitea/act v0.259.1/go.mod h1:UxZWRYqQG2Yj4+4OqfGWW5a3HELwejyWFQyU7F1jUD8= gitea.com/go-chi/binding v0.0.0-20230415142243-04b515c6d669 h1:RUBX+MK/TsDxpHmymaOaydfigEbbzqUnG1OTZU/HAeo= gitea.com/go-chi/binding v0.0.0-20230415142243-04b515c6d669/go.mod h1:77TZu701zMXWJFvB8gvTbQ92zQ3DQq/H7l5wAEjQRKc= gitea.com/go-chi/cache v0.0.0-20210110083709-82c4c9ce2d5e/go.mod h1:k2V/gPDEtXGjjMGuBJiapffAXTv76H4snSmlJRLUhH0= From eba48db10fb98482b1089f386a70f40a73b1889b Mon Sep 17 00:00:00 2001 
From: sillyguodong Date: Fri, 1 Mar 2024 21:39:52 +0800 Subject: [PATCH 5/6] chore: return err when get vars and secrets --- models/actions/variable.go | 6 ++++-- models/secret/secret.go | 12 ++++++------ routers/api/actions/runner/utils.go | 14 ++++++++++++-- services/actions/notifier_helper.go | 10 ++++++++-- 4 files changed, 30 insertions(+), 12 deletions(-) diff --git a/models/actions/variable.go b/models/actions/variable.go index 54053176af6f..b19379b6acee 100644 --- a/models/actions/variable.go +++ b/models/actions/variable.go @@ -84,19 +84,21 @@ func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error) return count != 0, err } -func GetVariablesOfRun(ctx context.Context, run *ActionRun) map[string]string { +func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) { variables := map[string]string{} // Global globalVariables, err := db.Find[ActionVariable](ctx, FindVariablesOpts{}) if err != nil { log.Error("find global variables: %v", err) + return nil, err } // Org / User level ownerVariables, err := db.Find[ActionVariable](ctx, FindVariablesOpts{OwnerID: run.Repo.OwnerID}) if err != nil { log.Error("find variables of org: %d, error: %v", run.Repo.OwnerID, err) + return nil, err } // Repo level @@ -110,5 +112,5 @@ func GetVariablesOfRun(ctx context.Context, run *ActionRun) map[string]string { variables[v.Name] = v.Data } - return variables + return variables, nil } diff --git a/models/secret/secret.go b/models/secret/secret.go index 57320a042c40..2aae9958293c 100644 --- a/models/secret/secret.go +++ b/models/secret/secret.go @@ -116,7 +116,7 @@ func UpdateSecret(ctx context.Context, secretID int64, data string) error { return err } -func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string { +func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[string]string, error) { secrets := map[string]string{} secrets["GITHUB_TOKEN"] = task.Token 
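Review bot: Each new `return nil, err` in GetVariablesOfRun follows a `log.Error` for the same failure and returns the error bare, so the failure is logged here and again by the caller (handleWorkflows logs `GetVariablesOfRun: %v`), while the returned error on its own no longer says which scope failed. Wrapping instead of logging gives one report with full context, e.g. `return nil, fmt.Errorf("find variables of owner %d: %w", run.Repo.OwnerID, err)`. The GetSecretsOfTask hunks in models/secret/secret.go in this patch and in patch 6 follow the same log-then-return pattern. variable.go would need `fmt` in scope; its import block is only partly visible in this diff.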
@@ -126,28 +126,28 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[s // ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated. // for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch // see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target - return secrets + return secrets, nil } ownerSecrets, err := db.Find[Secret](ctx, FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID}) if err != nil { log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err) - // go on + return nil, err } repoSecrets, err := db.Find[Secret](ctx, FindSecretsOptions{RepoID: task.Job.Run.RepoID}) if err != nil { log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err) - // go on + return nil, err } for _, secret := range append(ownerSecrets, repoSecrets...) { if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil { log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err) - // go on + return nil, err } else { secrets[secret.Name] = v } } - return secrets + return secrets, nil } diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go index b2726607019b..ff6ec5bd54c6 100644 --- a/routers/api/actions/runner/utils.go +++ b/routers/api/actions/runner/utils.go 
@@ -31,14 +31,24 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv return nil, false, nil } + secrets, err := secret_model.GetSecretsOfTask(ctx, t) + if err != nil { + return nil, false, fmt.Errorf("GetSecretsOfTask: %w", err) + } + + vars, err := actions_model.GetVariablesOfRun(ctx, t.Job.Run) + if err != nil { + return nil, false, fmt.Errorf("GetVariablesOfRun: %w", err) + } + actions.CreateCommitStatus(ctx, t.Job) task := &runnerv1.Task{ Id: t.ID, WorkflowPayload: t.Job.WorkflowPayload, Context: generateTaskContext(t), - Secrets: secret_model.GetSecretsOfTask(ctx, t), - Vars: actions_model.GetVariablesOfRun(ctx, t.Job.Run), + Secrets: secrets, + Vars: vars, } if needs, err := findTaskNeeds(ctx, t); err != nil { diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go index 5ae70abf764c..93e27c954d02 100644 --- a/services/actions/notifier_helper.go +++ b/services/actions/notifier_helper.go @@ -297,11 +297,17 @@ func handleWorkflows( } if err := run.LoadAttributes(ctx); err != nil { - log.Error("LoadAttributes %v", err) + log.Error("LoadAttributes: %v", err) continue } - jobs, err := jobparser.Parse(dwf.Content, jobparser.WithVars(actions_model.GetVariablesOfRun(ctx, run))) + vars, err := actions_model.GetVariablesOfRun(ctx, run) + if err != nil { + log.Error("GetVariablesOfRun: %v", err) + continue + } + + jobs, err := jobparser.Parse(dwf.Content, jobparser.WithVars(vars)) if err != nil { log.Error("jobparser.Parse: %v", err) continue From 194d74fe1f6ed1e95735108a3ad095f27cf64f88 Mon Sep 17 00:00:00 2001 From: sillyguodong Date: Mon, 4 Mar 2024 10:00:44 +0800 Subject: [PATCH 6/6] chore: return err and lint error --- models/actions/variable.go | 1 + models/secret/secret.go | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/models/actions/variable.go b/models/actions/variable.go index b19379b6acee..14ded60fac1d 100644 --- a/models/actions/variable.go 
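Review bot: The two new early returns in pickTask sit after `t` has been obtained (the hunk opens just past the `return nil, false, nil` for the no-task case), so if the task was already assigned to this runner above the hunk, a failure here leaves it claimed with nothing dispatched. Since GetSecretsOfTask now fails on any single secret that cannot be decrypted, one damaged owner-level secret would stop every task of that owner at this point. Failing closed is the right choice for secrets, but the task should not be left in limbo: fetch secrets and variables before the task is claimed, or mark the task failed with the reason before returning. pickTask starts and ends outside the hunk.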
+++ b/models/actions/variable.go @@ -105,6 +105,7 @@ func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, repoVariables, err := db.Find[ActionVariable](ctx, FindVariablesOpts{RepoID: run.RepoID}) if err != nil { log.Error("find variables of repo: %d, error: %v", run.RepoID, err) + return nil, err } // Level precedence: Repo > Org / User > Global diff --git a/models/secret/secret.go b/models/secret/secret.go index 2aae9958293c..35bed500b937 100644 --- a/models/secret/secret.go +++ b/models/secret/secret.go @@ -141,12 +141,12 @@ func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[ } for _, secret := range append(ownerSecrets, repoSecrets...) { - if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil { + v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data) + if err != nil { log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err) return nil, err - } else { - secrets[secret.Name] = v } + secrets[secret.Name] = v } return secrets, nil