Restrict `[actions].DEFAULT_ACTIONS_URL` to only `github` or `self` (#25581) (#25604)

Backport #25581 by @wolfogre

Resolve #24789

## :warning: BREAKING :warning:

Before this, `DEFAULT_ACTIONS_URL` cound be set to any custom URLs like
`https://gitea.com` or `http://your-git-server,https://gitea.com`, and
the default value was `https://gitea.com`.

But now, `DEFAULT_ACTIONS_URL` supports only
`github`(`https://github.com`) or `self`(the root url of current Gitea
instance), and the default value is `github`.

If it has configured with a URL, an error log will be displayed and it
will fallback to `github`.

Actually, what we really want to do is always make it
`https://github.com`, however, this may not be acceptable for some
instances of internal use, so there's extra support for `self`, but no
more, even `https://gitea.com`.

Please note that `uses: https://xxx/yyy/zzz` always works and it does
exactly what it is supposed to do.

Although it's breaking, I belive it should be backported to `v1.20` due
to some security issues.

Follow-up on the runner side:

- https://gitea.com/gitea/act_runner/pulls/262
- https://gitea.com/gitea/act/pulls/70

Co-authored-by: Jason Song <i@wolfogre.com>

1 files changed, 41 insertions, 2 deletions

diff --git a/modules/setting/actions.go b/modules/setting/actions.go
index 1c8075cd6c..a13330dcd1 100644
--- a/modules/setting/actions.go
+++ b/modules/setting/actions.go
@@ -5,6 +5,9 @@ package setting
 
 import (
 	"fmt"
+	"strings"
+
+	"code.gitea.io/gitea/modules/log"
 )
 
 // Actions settings
@@ -13,13 +16,36 @@ var (
 		LogStorage        *Storage // how the created logs should be stored
 		ArtifactStorage   *Storage // how the created artifacts should be stored
 		Enabled           bool
-		DefaultActionsURL string `ini:"DEFAULT_ACTIONS_URL"`
+		DefaultActionsURL defaultActionsURL `ini:"DEFAULT_ACTIONS_URL"`
 	}{
 		Enabled:           false,
-		DefaultActionsURL: "https://gitea.com",
+		DefaultActionsURL: defaultActionsURLGitHub,
 	}
 )
 
+type defaultActionsURL string
+
+func (url defaultActionsURL) URL() string {
+	switch url {
+	case defaultActionsURLGitHub:
+		return "https://github.com"
+	case defaultActionsURLSelf:
+		return strings.TrimSuffix(AppURL, "/")
+	default:
+		// This should never happen, but just in case, use GitHub as fallback
+		return "https://github.com"
+	}
+}
+
+const (
+	defaultActionsURLGitHub = "github" // https://github.com
+	defaultActionsURLSelf   = "self"   // the root URL of the self-hosted Gitea instance
+	// DefaultActionsURL only supports GitHub and the self-hosted Gitea.
+	// It's intentionally not supported more, so please be cautious before adding more like "gitea" or "gitlab".
+	// If you get some trouble with `uses: username/action_name@version` in your workflow,
+	// please consider to use `uses: https://the_url_you_want_to_use/username/action_name@version` instead.
+)
+
 func loadActionsFrom(rootCfg ConfigProvider) error {
 	sec := rootCfg.Section("actions")
 	err := sec.MapTo(&Actions)
@@ -27,6 +53,19 @@ func loadActionsFrom(rootCfg ConfigProvider) error {
 		return fmt.Errorf("failed to map Actions settings: %v", err)
 	}
 
+	if urls := string(Actions.DefaultActionsURL); urls != defaultActionsURLGitHub && urls != defaultActionsURLSelf {
+		url := strings.Split(urls, ",")[0]
+		if strings.HasPrefix(url, "https://") || strings.HasPrefix(url, "http://") {
+			log.Error("[actions] DEFAULT_ACTIONS_URL does not support %q as custom URL any longer, fallback to %q",
+				urls,
+				defaultActionsURLGitHub,
+			)
+			Actions.DefaultActionsURL = defaultActionsURLGitHub
+		} else {
+			return fmt.Errorf("unsupported [actions] DEFAULT_ACTIONS_URL: %q", urls)
+		}
+	}
+
 	// don't support to read configuration from [actions]
 	Actions.LogStorage, err = getStorage(rootCfg, "actions_log", "", nil)
 	if err != nil {