mirror of https://code.forgejo.org/forgejo/runner.git synced 2026-03-31 19:20:30 +02:00

A daemon that connects to a Forgejo instance and runs jobs for continuous integration. The installation and usage instructions are part of the Forgejo documentation https://forgejo.org/docs/next/admin/actions/

renovation

Go 87.5%
JavaScript 10.8%
Shell 1.3%
Makefile 0.3%

Find a file

Renovate Bot d8c1a45ff2 Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (#1466 ) This PR contains the following updates: \| Package \| Change \| [Age](https://docs.renovatebot.com/merge-confidence/) \| [Confidence](https://docs.renovatebot.com/merge-confidence/) \| \|---\|---\|---\|---\| \| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) \| `v5.17.0` → `v5.17.1` \| ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-git%2fgo-git%2fv5/v5.17.1?slim=true) \| ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-git%2fgo-git%2fv5/v5.17.0/v5.17.1?slim=true) \| --- ### go-git missing validation decoding Index v4 files leads to panic [CVE-2026-33762](https://nvd.nist.gov/vuln/detail/CVE-2026-33762) / [GHSA-gm2x-2g9h-ccm8](https://github.com/advisories/GHSA-gm2x-2g9h-ccm8) <details> <summary>More information</summary> #### Details ##### Impact `go-git`’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (`go-git` supports only `v2` and `v3`) are not vulnerable to this issue. An attacker able to supply a crafted `.git/index` file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition. Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the `.git` directory. ##### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ##### Credit go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project. #### Severity - CVSS Score: 2.8 / 10 (Low) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L` #### References - [https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8](https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8) - [https://github.com/go-git/go-git](https://github.com/go-git/go-git) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gm2x-2g9h-ccm8) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### go-git: Maliciously crafted idx file can cause asymmetric memory consumption [CVE-2026-34165](https://nvd.nist.gov/vuln/detail/CVE-2026-34165) / [GHSA-jhf3-xxhw-2wpp](https://github.com/advisories/GHSA-jhf3-xxhw-2wpp) <details> <summary>More information</summary> #### Details ##### Impact A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's `.git` directory, it order to create or alter existing `.idx` files. ##### Patches Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability. ##### Credit The go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project. #### Severity - CVSS Score: 5.0 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H` #### References - [https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp](https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp) - [https://github.com/go-git/go-git](https://github.com/go-git/go-git) - [https://github.com/go-git/go-git/releases/tag/v5.17.1](https://github.com/go-git/go-git/releases/tag/v5.17.1) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-jhf3-xxhw-2wpp) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>go-git/go-git (github.com/go-git/go-git/v5)</summary> ### [`v5.17.1`](https://github.com/go-git/go-git/releases/tag/v5.17.1) [Compare Source](https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1) #### What's Changed - build: Update module github.com/cloudflare/circl to v1.6.3 \[SECURITY] (releases/v5.x) by [@go-git-renovate](https://github.com/go-git-renovate)\[bot] in [#1930](https://github.com/go-git/go-git/pull/1930) - \[v5] plumbing: format/index, Improve v4 entry name validation by [@pjbgf](https://github.com/pjbgf) in [#1935](https://github.com/go-git/go-git/pull/1935) - \[v5] plumbing: format/idxfile, Fix version and fanout checks by [@pjbgf](https://github.com/pjbgf) in [#1937](https://github.com/go-git/go-git/pull/1937) Full Changelog: <https://github.com/go-git/go-git/compare/v5.17.0...v5.17.1> </details> --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9EZXBlbmRlbmN5VXBkYXRlIiwicnVuLWVuZC10by1lbmQtdGVzdHMiXX0=--> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1466 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org> Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>		2026-03-31 00:50:44 +00:00
.forgejo	ci: update cascading-forgejo to replace fork PR module correctly (#1460 )	2026-03-28 21:29:56 +00:00
act	fix: protect against tags & branches that look like pinned SHAs but are not (#1465 )	2026-03-31 00:27:13 +00:00
contrib	chore: add config file to forgejo-runner.service (#1449 )	2026-03-25 20:17:56 +00:00
examples	Update data.forgejo.org/forgejo/runner Docker tag to v12.7.2 (#1440 )	2026-03-13 07:04:16 +00:00
internal	feat: add options for declaring a connection to `daemon`, `one-job` (#1457 )	2026-03-29 16:45:08 +00:00
release-notes	feat: add the runner validate subcommand (#757 )	2025-07-31 05:37:12 +00:00
testutils	feat: add the runner validate subcommand (#757 )	2025-07-31 05:37:12 +00:00
.dockerignore	[FORGEJO] build forgejo-runner	2023-08-23 14:44:47 +02:00
.editorconfig	Add .editorconfig and .gitattributes (#186 )	2023-05-13 23:51:22 +08:00
.gitattributes	Add .editorconfig and .gitattributes (#186 )	2023-05-13 23:51:22 +08:00
.gitignore	fix: unbreak the build for platforms w/o docker support (#1294 )	2026-01-14 20:20:05 +00:00
.golangci.yml	test: run `lint-check` during CI, add forbidigo, cleanup linter exclusions (#1181 )	2025-11-23 15:01:52 +00:00
.pre-commit-hooks.yaml	fix(pre-commit): don’t default `verbose` to on (#1015 )	2025-09-18 12:02:07 +00:00
Dockerfile	Update data.forgejo.org/oci/alpine Docker tag to v3.23 (#1288 )	2026-01-14 16:12:06 +00:00
go.mod	Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (#1466 )	2026-03-31 00:50:44 +00:00
go.sum	Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (#1466 )	2026-03-31 00:50:44 +00:00
LICENSE	chore: change the license to GPLv3-or-later (#773 )	2025-09-04 09:26:12 +00:00
main.go	fix: unrecoverable errors in artifactcache should have non-zero exit code (#1222 )	2025-12-15 14:50:17 +00:00
Makefile	Update module github.com/golangci/golangci-lint/v2/cmd/golangci-lint to v2.11.4 (#1445 )	2026-03-23 02:09:52 +00:00
README.md	chore: change the license to GPLv3-or-later (#773 )	2025-09-04 09:26:12 +00:00
RELEASE-NOTES.md	chore: release notes are now published together with the release (#775 )	2025-07-31 08:02:20 +00:00
renovate.json	chore(renovate): change name for lxc node version	2026-01-13 11:29:01 +01:00

README.md

Forgejo Runner

A daemon that connects to a Forgejo instance and runs jobs for continuous integration. The installation and usage instructions are part of the Forgejo documentation.

Sensitive security-related issues should be reported to security@forgejo.org using encryption.

License

The Forgejo runner is distributed under the terms of the GPL version 3.0 or any later version.

Architectures & OS

The Forgejo runner is supported and tested on amd64 and arm64 (binaries and containers) on Operating Systems based on the Linux kernel.

Work may be in progress for other architectures and you can browse the corresponding issues to figure out how they make progress. If you are interested in helping them move forward, open an issue. The most challenging part is to setup and maintain a native runner long term. Once it is supported by Forgejo, the runner is expected to be available 24/7 which can be challenging. Otherwise debugging any architecture specific problem won't be possible.

Hacking

The Forgejo runner is a dependency of the setup-forgejo action. See the full dependency graph for a global view.

Building

Install Go and make(1)
make build

Linting

make lint-check
make lint # will fix some lint errors

Testing

The workflow that runs in the CI uses similar commands.

Without a Forgejo instance

Install Docker
make test integration-test

The TestRunner_RunEvent test suite contains most integration tests with real-world workflows and is time-consuming to run. During development, it is helpful to run a specific test through a targeted command such as this:

go test -count=1 -run='TestRunner_RunEvent$/local-action-dockerfile$' ./act/runner

With a Forgejo instance

Run a Forgejo instance locally (for instance at http://0.0.0.0:8080) and create as shared secret

export FORGEJO_RUNNER_SECRET='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
export FORGEJO_URL=http://0.0.0.0:8080
forgejo forgejo-cli actions register --labels docker --name therunner --secret $FORGEJO_RUNNER_SECRET

make test integration-test # which will run addional tests because FORGEJO_URL is set

end-to-end

Follow the instructions from the end-to-end tests to run actions tests locally.
./end-to-end.sh actions_teardown # stop the Forgejo and runner daemons running in the end-to-end environment
( cd ~/clone-of-the-runner-repo ; make build ; cp forgejo-runner /tmp/forgejo-end-to-end/forgejo-runner ) # install the runner built from sources
./end-to-end.sh actions_setup 13.0 # start Forgejo v13.0 and the runner daemon in the end-to-end environment
./end-to-end.sh actions_verify_example echo # run the echo workflow
xdg-open http://127.0.0.1:3000/root/example-echo/actions/runs/1 # see the logs workflow
less /tmp/forgejo-end-to-end/forgejo-runner.log # analyze the runner logs
less /tmp/forgejo-end-to-end/forgejo-work-path/log/forgejo.log # analyze the Forgejo logs