
Commit 538efb9

Make runs-on support variable expression (#29468) (#29782)
backport #29468 Close issue: https://gitea.com/gitea/act_runner/issues/445 Follow: https://gitea.com/gitea/act/pulls/91 Move `getSecretsOfTask` and `getVariablesOfTask` under models because of circular dependency issues.
1 parent 5e3581f commit 538efb9


6 files changed

+108
-75
lines changed


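--- a/go.mod
+++ b/go.mod
@@ -68,11 +68,11 @@ require (
 github.com/json-iterator/go v1.1.12
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4
-github.com/klauspost/compress v1.17.0
+github.com/klauspost/compress v1.17.2
 github.com/klauspost/cpuid/v2 v2.2.5
 github.com/lib/pq v1.10.9
 github.com/markbates/goth v1.78.0
-github.com/mattn/go-isatty v0.0.19
+github.com/mattn/go-isatty v0.0.20
 github.com/mattn/go-sqlite3 v1.14.17
 github.com/meilisearch/meilisearch-go v0.25.1
 github.com/mholt/archiver/v3 v3.5.1
@@ -281,7 +281,7 @@ require (
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 github.com/zeebo/blake3 v0.2.3 // indirect
-go.etcd.io/bbolt v1.3.7 // indirect
+go.etcd.io/bbolt v1.3.8 // indirect
 go.mongodb.org/mongo-driver v1.12.1 // indirect
 go.opentelemetry.io/otel v1.19.0 // indirect
 go.opentelemetry.io/otel/trace v1.19.0 // indirect
@@ -303,7 +303,7 @@ replace github.com/hashicorp/go-version => github.com/6543/go-version v1.3.1
 
 replace github.com/shurcooL/vfsgen => github.com/lunny/vfsgen v0.0.0-20220105142115-2c99e1ffdfa0
 
-replace github.com/nektos/act => gitea.com/gitea/act v0.2.51
+replace github.com/nektos/act => gitea.com/gitea/act v0.259.1
 
 exclude github.com/gofrs/uuid v3.2.0+incompatible
 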
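--- a/go.sum
+++ b/go.sum
@@ -53,8 +53,8 @@ dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078 h1:cliQ4HHsCo6xi2oWZYKWW4bly/Ory9FuTpFPRxj/mAg=
 git.sr.ht/~mariusor/go-xsd-duration v0.0.0-20220703122237-02e73435a078/go.mod h1:g/V2Hjas6Z1UHUp4yIx6bATpNzJ7DYtD0FG3+xARWxs=
-gitea.com/gitea/act v0.2.51 h1:gXc/B4OlTciTTzAx9cmNyw04n2SDO7exPjAsR5Idu+c=
-gitea.com/gitea/act v0.2.51/go.mod h1:CoaX2053jqBlD6JMgu4d4UgFL/rp2I14Kt5mMqcs0Z0=
+gitea.com/gitea/act v0.259.1 h1:8GG1o/xtUHl3qjn5f0h/2FXrT5ubBn05TJOM5ry+FBw=
+gitea.com/gitea/act v0.259.1/go.mod h1:UxZWRYqQG2Yj4+4OqfGWW5a3HELwejyWFQyU7F1jUD8=
 gitea.com/go-chi/binding v0.0.0-20230415142243-04b515c6d669 h1:RUBX+MK/TsDxpHmymaOaydfigEbbzqUnG1OTZU/HAeo=
 gitea.com/go-chi/binding v0.0.0-20230415142243-04b515c6d669/go.mod h1:77TZu701zMXWJFvB8gvTbQ92zQ3DQq/H7l5wAEjQRKc=
 gitea.com/go-chi/cache v0.0.0-20210110083709-82c4c9ce2d5e/go.mod h1:k2V/gPDEtXGjjMGuBJiapffAXTv76H4snSmlJRLUhH0=
@@ -654,8 +654,8 @@ github.com/klauspost/compress v1.11.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYs
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.15.0/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.15.6/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
-github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM=
-github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.17.2 h1:RlWWUY/Dr4fL8qk9YG7DTZ7PDgME2V4csBXA8L/ixi4=
+github.com/klauspost/compress v1.17.2/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
@@ -710,8 +710,8 @@ github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kN
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
-github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
@@ -1010,8 +1010,8 @@ github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvv
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
-go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
-go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
+go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg=
 go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng=
 go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8=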

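--- a/models/actions/variable.go
+++ b/models/actions/variable.go
@@ -10,6 +10,7 @@ import (
 "strings"
 
 "code.gitea.io/gitea/models/db"
+"code.gitea.io/gitea/modules/log"
 "code.gitea.io/gitea/modules/timeutil"
 "code.gitea.io/gitea/modules/util"
 
@@ -95,3 +96,35 @@ func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error)
 })
 return count != 0, err
 }
+
+func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
+variables := map[string]string{}
+
+// Global
+globalVariables, err := FindVariables(ctx, FindVariablesOpts{})
+if err != nil {
+log.Error("find global variables: %v", err)
+return nil, err
+}
+
+// Org / User level
+ownerVariables, err := FindVariables(ctx, FindVariablesOpts{OwnerID: run.Repo.OwnerID})
+if err != nil {
+log.Error("find variables of org: %d, error: %v", run.Repo.OwnerID, err)
+return nil, err
+}
+
+// Repo level
+repoVariables, err := FindVariables(ctx, FindVariablesOpts{RepoID: run.RepoID})
+if err != nil {
+log.Error("find variables of repo: %d, error: %v", run.RepoID, err)
+return nil, err
+}
+
+// Level precedence: Repo > Org / User > Global
+for _, v := range append(globalVariables, append(ownerVariables, repoVariables...)...) {
+variables[v.Name] = v.Data
+}
+
+return variables, nil
+}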
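Review bot: The new `// Global` lookup in `GetVariablesOfRun` calls `FindVariables(ctx, FindVariablesOpts{})` with empty options, and how empty options become a query condition is not visible in this section. If a zero `OwnerID`/`RepoID` means "no filter" rather than "owner_id = 0 AND repo_id = 0", the query returns the variables of every owner and repository, and any name not overridden by the run's own owner or repo would be handed to an unrelated run. The removed `getVariablesOfTask` merged only the owner and repo levels, so this is a behaviour change inside a backport; confirm that the condition builder pins both columns to 0, or drop the global level here. The function also dereferences `run.Repo` without a nil check, so a doc comment such as `// GetVariablesOfRun returns the variables visible to run, merged with precedence repo > owner > global; run.Repo must already be loaded.` would make the precondition explicit.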

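--- a/models/secret/secret.go
+++ b/models/secret/secret.go
@@ -9,7 +9,10 @@ import (
 "fmt"
 "strings"
 
+actions_model "code.gitea.io/gitea/models/actions"
 "code.gitea.io/gitea/models/db"
+actions_module "code.gitea.io/gitea/modules/actions"
+"code.gitea.io/gitea/modules/log"
 secret_module "code.gitea.io/gitea/modules/secret"
 "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/timeutil"
@@ -128,3 +131,39 @@ func UpdateSecret(ctx context.Context, secretID int64, data string) error {
 }
 return err
 }
+
+func GetSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) (map[string]string, error) {
+secrets := map[string]string{}
+
+secrets["GITHUB_TOKEN"] = task.Token
+secrets["GITEA_TOKEN"] = task.Token
+
+if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
+// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
+// for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch
+// see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+return secrets, nil
+}
+
+ownerSecrets, err := FindSecrets(ctx, FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID})
+if err != nil {
+log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err)
+return nil, err
+}
+repoSecrets, err := FindSecrets(ctx, FindSecretsOptions{RepoID: task.Job.Run.RepoID})
+if err != nil {
+log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err)
+return nil, err
+}
+
+for _, secret := range append(ownerSecrets, repoSecrets...) {
+v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data)
+if err != nil {
+log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)
+return nil, err
+}
+secrets[secret.Name] = v
+}
+
+return secrets, nil
+}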
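Review bot: `GetSecretsOfTask` is now the exported entry point that returns decrypted secrets, yet it has no doc comment and its access rule lives only in the inline comment inside the fork check. A comment such as `// GetSecretsOfTask returns the decrypted secrets for task; fork pull requests not triggered by pull_request_target receive only the generated token. task.Job.Run.Repo must already be loaded.` would state the contract where callers see it. The merge order `append(ownerSecrets, repoSecrets...)` lets a repo secret replace an owner secret of the same name, which deserves a one-line precedence comment like the one in `GetVariablesOfRun`. The generated `GITHUB_TOKEN`/`GITEA_TOKEN` entries are written first and the loop assigns `secrets[secret.Name] = v` afterwards, so unless name validation elsewhere (not visible here) forbids those names, a stored secret could shadow the generated token; writing the two token entries after the loop would rule that out.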

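--- a/routers/api/actions/runner/utils.go
+++ b/routers/api/actions/runner/utils.go
@@ -14,7 +14,6 @@ import (
 "code.gitea.io/gitea/modules/git"
 "code.gitea.io/gitea/modules/json"
 "code.gitea.io/gitea/modules/log"
-secret_module "code.gitea.io/gitea/modules/secret"
 "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/services/actions"
 
@@ -31,14 +30,24 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 return nil, false, nil
 }
 
+secrets, err := secret_model.GetSecretsOfTask(ctx, t)
+if err != nil {
+return nil, false, fmt.Errorf("GetSecretsOfTask: %w", err)
+}
+
+vars, err := actions_model.GetVariablesOfRun(ctx, t.Job.Run)
+if err != nil {
+return nil, false, fmt.Errorf("GetVariablesOfRun: %w", err)
+}
+
 actions.CreateCommitStatus(ctx, t.Job)
 
 task := &runnerv1.Task{
 Id: t.ID,
 WorkflowPayload: t.Job.WorkflowPayload,
 Context: generateTaskContext(t),
-Secrets: getSecretsOfTask(ctx, t),
-Vars: getVariablesOfTask(ctx, t),
+Secrets: secrets,
+Vars: vars,
 }
 
 if needs, err := findTaskNeeds(ctx, t); err != nil {
@@ -54,65 +63,6 @@ func pickTask(ctx context.Context, runner *actions_model.ActionRunner) (*runnerv
 return task, true, nil
 }
 
-func getSecretsOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
-secrets := map[string]string{}
-
-secrets["GITHUB_TOKEN"] = task.Token
-secrets["GITEA_TOKEN"] = task.Token
-
-if task.Job.Run.IsForkPullRequest && task.Job.Run.TriggerEvent != actions_module.GithubEventPullRequestTarget {
-// ignore secrets for fork pull request, except GITHUB_TOKEN and GITEA_TOKEN which are automatically generated.
-// for the tasks triggered by pull_request_target event, they could access the secrets because they will run in the context of the base branch
-// see the documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
-return secrets
-}
-
-ownerSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{OwnerID: task.Job.Run.Repo.OwnerID})
-if err != nil {
-log.Error("find secrets of owner %v: %v", task.Job.Run.Repo.OwnerID, err)
-// go on
-}
-repoSecrets, err := secret_model.FindSecrets(ctx, secret_model.FindSecretsOptions{RepoID: task.Job.Run.RepoID})
-if err != nil {
-log.Error("find secrets of repo %v: %v", task.Job.Run.RepoID, err)
-// go on
-}
-
-for _, secret := range append(ownerSecrets, repoSecrets...) {
-if v, err := secret_module.DecryptSecret(setting.SecretKey, secret.Data); err != nil {
-log.Error("decrypt secret %v %q: %v", secret.ID, secret.Name, err)
-// go on
-} else {
-secrets[secret.Name] = v
-}
-}
-
-return secrets
-}
-
-func getVariablesOfTask(ctx context.Context, task *actions_model.ActionTask) map[string]string {
-variables := map[string]string{}
-
-// Org / User level
-ownerVariables, err := actions_model.FindVariables(ctx, actions_model.FindVariablesOpts{OwnerID: task.Job.Run.Repo.OwnerID})
-if err != nil {
-log.Error("find variables of org: %d, error: %v", task.Job.Run.Repo.OwnerID, err)
-}
-
-// Repo level
-repoVariables, err := actions_model.FindVariables(ctx, actions_model.FindVariablesOpts{RepoID: task.Job.Run.RepoID})
-if err != nil {
-log.Error("find variables of repo: %d, error: %v", task.Job.Run.RepoID, err)
-}
-
-// Level precedence: Repo > Org / User
-for _, v := range append(ownerVariables, repoVariables...) {
-variables[v.Name] = v.Data
-}
-
-return variables
-}
-
 func generateTaskContext(t *actions_model.ActionTask) *structpb.Struct {
 event := map[string]any{}
 _ = json.Unmarshal([]byte(t.Job.Run.EventPayload), &event)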
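Review bot: In `pickTask` the new error returns for `GetSecretsOfTask` and `GetVariablesOfRun` sit after `t` has been obtained, and the code that obtains it is above the hunk. If that code has already assigned the task to the runner, a failed lookup or decryption now returns an error while the task stays claimed and is never delivered, so a single undecryptable owner secret could stall every job of that owner. Failing closed is the safer direction compared with the removed `// go on` branches, which sent the task with a partial secret set, but the error path should release or fail the task, or the lookups should run before the assignment is committed. `pickTask` starts and ends outside the hunk, so the assignment order needs checking against the full function.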

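--- a/services/actions/notifier_helper.go
+++ b/services/actions/notifier_helper.go
@@ -269,7 +269,18 @@ func handleWorkflows(
 run.NeedApproval = need
 }
 
-jobs, err := jobparser.Parse(dwf.Content)
+if err := run.LoadAttributes(ctx); err != nil {
+log.Error("LoadAttributes: %v", err)
+continue
+}
+
+vars, err := actions_model.GetVariablesOfRun(ctx, run)
+if err != nil {
+log.Error("GetVariablesOfRun: %v", err)
+continue
+}
+
+jobs, err := jobparser.Parse(dwf.Content, jobparser.WithVars(vars))
 if err != nil {
 log.Error("jobparser.Parse: %v", err)
 continue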
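Review bot: `GetVariablesOfRun` is called once per detected workflow inside the loop (the `continue` statements show the loop, whose header is outside the hunk), although its result depends only on `run.RepoID` and `run.Repo.OwnerID`. If every run built in this loop belongs to the same repository, the three variable queries can be issued once before the loop. The helper already reports its own failures with `log.Error`, so `log.Error("GetVariablesOfRun: %v", err)` here records each failure twice. `GetVariablesOfRun` has no fork check, unlike the secret path, so variable values reach `jobparser.Parse` for every trigger; a comment next to `jobparser.WithVars(vars)` noting that variables are treated as non-sensitive would record that assumption.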
