diff options
| author | ChristopherHX <christopher.homberger@web.de> | 2024-02-02 15:25:59 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-02-02 14:25:59 +0000 |
| commit | a9bc590d5d10b97bd8aa050ffb720e141a600064 (patch) | |
| tree | 691cc0c9c13d67d8c738538bc095617477358743 /routers/api/actions | |
| parent | 8f9f0e4ab29c5b95b113c5382e8dc3e42e55a285 (diff) | |
| download | gitea-a9bc590d5d10b97bd8aa050ffb720e141a600064.tar.gz gitea-a9bc590d5d10b97bd8aa050ffb720e141a600064.zip | |
Add artifacts v4 jwt to job message and accept it (#28885)
This change allows act_runner / actions_runner to use jwt tokens for
`ACTIONS_RUNTIME_TOKEN` that are compatible with
actions/upload-artifact@v4.
The official Artifact actions are now validating and extracting the jwt
claim scp to get the runid and jobid, the old artifact backend also
needs to accept the same token jwt.
---
Related to #28853
I'm not familar with the auth system, maybe you know how to improve this
I have tested
- the jwt token is a valid token for artifact uploading
- the jwt token can be parsed by actions/upload-artifact@v4 and passes
their scp claim validation
Next steps would be a new artifacts@v4 backend.
~~I'm linking the act_runner change soonish.~~
act_runner change to make the change effective and use jwt tokens
<https://gitea.com/gitea/act_runner/pulls/471>
Diffstat (limited to 'routers/api/actions')
| -rw-r--r-- | routers/api/actions/artifacts.go | 34 | ||||
| -rw-r--r-- | routers/api/actions/runner/utils.go | 6 |
2 files changed, 34 insertions, 6 deletions
diff --git a/routers/api/actions/artifacts.go b/routers/api/actions/artifacts.go index 0d2062ad05..3363c4c0e8 100644 --- a/routers/api/actions/artifacts.go +++ b/routers/api/actions/artifacts.go @@ -78,6 +78,7 @@ import ( "code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/web" web_types "code.gitea.io/gitea/modules/web/types" + actions_service "code.gitea.io/gitea/services/actions" ) const artifactRouteBase = "/_apis/pipelines/workflows/{run_id}/artifacts" @@ -137,12 +138,33 @@ func ArtifactContexter() func(next http.Handler) http.Handler { return } - authToken := strings.TrimPrefix(authHeader, "Bearer ") - task, err := actions.GetRunningTaskByToken(req.Context(), authToken) - if err != nil { - log.Error("Error runner api getting task: %v", err) - ctx.Error(http.StatusInternalServerError, "Error runner api getting task") - return + // New act_runner uses jwt to authenticate + tID, err := actions_service.ParseAuthorizationToken(req) + + var task *actions.ActionTask + if err == nil { + + task, err = actions.GetTaskByID(req.Context(), tID) + if err != nil { + log.Error("Error runner api getting task by ID: %v", err) + ctx.Error(http.StatusInternalServerError, "Error runner api getting task by ID") + return + } + if task.Status != actions.StatusRunning { + log.Error("Error runner api getting task: task is not running") + ctx.Error(http.StatusInternalServerError, "Error runner api getting task: task is not running") + return + } + } else { + // Old act_runner uses GITEA_TOKEN to authenticate + authToken := strings.TrimPrefix(authHeader, "Bearer ") + + task, err = actions.GetRunningTaskByToken(req.Context(), authToken) + if err != nil { + log.Error("Error runner api getting task: %v", err) + ctx.Error(http.StatusInternalServerError, "Error runner api getting task") + return + } } if err := task.LoadJob(req.Context()); err != nil { diff --git a/routers/api/actions/runner/utils.go b/routers/api/actions/runner/utils.go index 2555f86c80..a7cb31288c 100644 --- a/routers/api/actions/runner/utils.go +++ b/routers/api/actions/runner/utils.go @@ -151,6 +151,11 @@ func generateTaskContext(t *actions_model.ActionTask) *structpb.Struct { refName := git.RefName(ref) + giteaRuntimeToken, err := actions.CreateAuthorizationToken(t.ID, t.Job.RunID, t.JobID) + if err != nil { + log.Error("actions.CreateAuthorizationToken failed: %v", err) + } + taskContext, err := structpb.NewStruct(map[string]any{ // standard contexts, see https://docs.github.com/en/actions/learn-github-actions/contexts#github-context "action": "", // string, The name of the action currently running, or the id of a step. GitHub removes special characters, and uses the name __run when the current step runs a script without an id. If you use the same action more than once in the same job, the name will include a suffix with the sequence number with underscore before it. For example, the first script you run will have the name __run, and the second script will be named __run_2. Similarly, the second invocation of actions/checkout will be actionscheckout2. @@ -190,6 +195,7 @@ func generateTaskContext(t *actions_model.ActionTask) *structpb.Struct { // additional contexts "gitea_default_actions_url": setting.Actions.DefaultActionsURL.URL(), + "gitea_runtime_token": giteaRuntimeToken, }) if err != nil { log.Error("structpb.NewStruct failed: %v", err) |