WIP: feat: add DefaultActionToken config #109

Draft
chizukicn wants to merge 1 commit from chizukicn/act:feat/default-action-token into main
First-time contributor

This PR will add a new configuration to support access to private actions instances

chizukicn added 1 commit 2024-04-15 14:40:32 +00:00
feat: add config
All checks were successful
checks / check and test (pull_request) Successful in 31s
9a6a85dd98
chizukicn changed title from feat: add `DefaultActionToken` config to WIP: feat: add `DefaultActionToken` config 2024-04-15 14:54:10 +00:00
wolfogre requested changes 2024-04-16 02:54:18 +00:00
wolfogre left a comment
Owner

I don't think the code is enough. Could you please explain your design first?

The point is how to decide whether to pass the token to remote, what I can think of at the moment:

  • If the token is for a.com, what if `uses: https://b.com/actions/demo`? We should ensure that tokens are not leaked to another website they don't belong to.
  • If the token is for a.com/org_1, what if `uses: https://a.com/org_2/demo`, which is public? We should ensure that the token won't cause it to fail when cloning a public repo.

I'm not saying these are difficult to implement, it's just that because it involves authentication functions, we need to consider more to avoid security issues.

Author
First-time contributor

> I don't think the code is enough. Could you please explain your design first?
>
> The point is how to decide whether to pass the token to remote, what I can think of at the moment:
>
>   • If the token is for a.com, what if `uses: https://b.com/actions/demo`? We should ensure that tokens are not leaked to another website they don't belong to.
>   • If the token is for a.com/org_1, what if `uses: https://a.com/org_2/demo`, which is public? We should ensure that the token won't cause it to fail when cloning a public repo.
>
> I'm not saying these are difficult to implement, it's just that because it involves authentication functions, we need to consider more to avoid security issues.

Yes, this code is not enough. A judgment needs to be made here so that the token can only be used from `defaultActionsInstance`.

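The judgment both comments ask for, as an added example that is not part of this PR or of gitea/act's code: a hypothetical `ShouldSendToken` that releases the configured token only when the `uses:` reference resolves to the same scheme and host as the default actions instance, and, when that instance URL carries a path such as `/org_1`, only to repositories under that path, so a public repository of another org on the same host is cloned anonymously and never sees the token. The function and its rule are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// stripRef drops the "@ref" suffix of a uses: reference ("owner/repo@v1" -> "owner/repo").
func stripRef(uses string) string {
	if i := strings.LastIndex(uses, "@"); i >= 0 {
		return uses[:i]
	}
	return uses
}

// hostPort lowercases the host and makes the default port explicit so that
// "https://a.com" and "https://A.COM:443" compare equal.
func hostPort(u *url.URL) string {
	port := u.Port()
	if port == "" {
		port = map[string]string{"https": "443", "http": "80"}[strings.ToLower(u.Scheme)]
	}
	return strings.ToLower(u.Hostname()) + ":" + port
}

// ShouldSendToken decides whether DefaultActionToken may be attached when cloning
// the repository named by `uses`. Hypothetical rule (not act's own): scheme and host
// must equal those of DefaultActionsURL, and if that URL carries a path ("/org_1")
// the repository must live under it. Relative references ("owner/repo@v1") resolve
// against the default instance host. Anything unparsable fails closed.
func ShouldSendToken(defaultActionsURL, uses string) (bool, error) {
	base, err := url.Parse(defaultActionsURL)
	if err != nil || base.Scheme == "" || base.Host == "" {
		return false, fmt.Errorf("invalid DefaultActionsURL %q", defaultActionsURL)
	}
	ref := stripRef(uses)
	var target *url.URL
	if strings.Contains(ref, "://") {
		if target, err = url.Parse(ref); err != nil || target.Host == "" {
			return false, fmt.Errorf("invalid uses %q", uses)
		}
	} else {
		target = &url.URL{Scheme: base.Scheme, Host: base.Host, Path: "/" + strings.TrimPrefix(ref, "/")}
	}
	if !strings.EqualFold(target.Scheme, base.Scheme) || hostPort(target) != hostPort(base) {
		return false, nil // other site, or an http downgrade of the same host: never send the token
	}
	scope := strings.TrimSuffix(base.Path, "/")
	if scope == "" {
		return true, nil
	}
	return target.Path == scope || strings.HasPrefix(target.Path, scope+"/"), nil
}
```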
Reference: gitea/act#109