Custom Action - "repository not found" | Support authentication for uses: #285

Open
opened 2023-07-12 12:10:30 +00:00 by ghnp5 · 11 comments

Hello!

I created an action template inside my Gitea instance. The repo is `organization/actions-sparse-checkout`, and it contains an `action.yml` file.

Then, I'm trying to use it this way:

    steps:
      - name: Get files
        uses: https://mydomain/git/organization/actions-sparse-checkout@main
        with:
          list_of_folders: "..."
          repository: "..."

This workflow is in a repo on the same organization.

However, the "Set Up Job" step is failing with this:

> 🏁 Job failed
> repository not found

The repository was initially `private`, but I've just changed that setting so it's visible.
Now it's marked as `internal`.

Then I made the Organization "Limited" (to authenticated users), and `internal` tag is now removed.

And it's still failing for the same error.

Then I made Gitea fully available to public, and now I can access the repo through "Incognito" (on Chrome), but the action is still failing with "repository not found".

Any ideas what I'm doing wrong? :)

Thanks!

Author

Actually, I'm seeing this:

> Unable to clone https://mydomain/git/organization refs/heads/main: repository not found

I think it thinks "git" is the organization/user, and "organization" is the repo!

Author

Alright.. I was able to work this around, by putting the link without "git/":

    steps:
      - name: Get files
        uses: https://mydomain/organization/actions-sparse-checkout@main
        with:
          list_of_folders: "..."
          repository: "..."

And by adding this instruction in the nginx config:

		location /organization/ {
			rewrite "/(.*)" /git/$1 permanent;
		}

Obviously this is not ideal, and needs to be fixed,
but at least I'm not blocked for now :)

Thanks!

Author

Just another note,
I was now trying to revert the other changes I made, by putting back `REQUIRE_SIGNIN_VIEW = true`,
but I see that it breaks the workflow again, with:

> 🏁 Job failed
> authentication required

I was trying to do this:

    uses: https://${{ secrets.GITHUB_TOKEN }}@mydomain/organization/actions-sparse-checkout@main

But seems it just breaks the parsing, and the token doesn't get interpolated anyway, from what I can see.

It would be nice if we could keep our Gitea instance fully private, while being able to create custom actions like this.

I'll keep the Gitea instance public, including the repo of the action, for now.

Thank you!!

Owner

Could you please try `uses: https://${{ secrets.GITHUB_TOKEN }}:@mydomain/organization/actions-sparse-checkout@main`? There's a `:`

Author

Thank you @wolfogre

That didn't seem to work:

> `failed to get available clone url of [https://${{ secrets.GITHUB_TOKEN }}:@mydomain/organization/repo@main] action, error: parse "https://${{ secrets.GITHUB_TOKEN }}:@mydomain/organization/repo": net/url: invalid userinfo`

Based on the logs, it seems that the `${{ }}` bit isn't being interpolated.

Owner

I see, so act_runner/act doesn't support it.

wolfogre changed title from Custom Action - "repository not found" to Custom Action - "repository not found" | Support authentication for `uses:` 2023-07-14 02:02:18 +00:00
wolfogre added the kind proposal label 2023-07-14 02:02:22 +00:00
Contributor

So gitea/act#75 adds support for gitea/act.

`uses: https://${{ secrets.GITHUB_TOKEN }}:@mydomain/organization/actions-sparse-checkout@main`

Wouldn't this leak the GITHUB_TOKEN once gitea/act_runner supports it? (see https://gitea.com/gitea/act/src/commit/cdc6d4bc6a386ad68996cd4e51df4284740b988f/pkg/runner/step_action_remote.go#L66,

    actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), safeFilename(sar.Step.Uses))

`step.Uses` flows into a folder name)

Unless you modify gitea/act to not use the sanitized uses key as cache location.

Author

Hi @ChristopherHX - thank you for your reply.

> Wouldn't this leak the GITHUB_TOKEN once gitea/act_runner supports it?

Both my Gitea and Act Runner are private and self-hosted.
The only reason I opened Gitea a bit now is because of this issue exactly, that I had to make the Action repo a public repo.

> Unless you modify gitea/act to not use the sanitized uses key as cache location.

Apologies - I don't understand what you are referring to, here :)

Thank you again.

Contributor

I'm responding to wolfogre's example. (I'm a nektos/act maintainer).

>> Unless you modify gitea/act to not use the sanitized uses key as cache location.
>
> Apologies - I don't understand what you are referring to, here :)

You shouldn't worry about implementation details of act, but storing the `${{secrets.GITHUB_TOKEN}}` in a folder name on your filesystem is suboptimal even if everything is private.

Any unprivileged program may gain **write** access to your Gitea via the token or other secrets; a public repo which should be private only gives **read** access.
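
The concern raised in the comments above, as an added Go example that is not part of the thread and is not gitea/act's code: a cache directory derived from the full `uses:` string carries the token onto disk, while one derived after dropping the URL's userinfo does not. `sanitize` is a stand-in for `safeFilename` (whose body is not shown on the page), and the token, the `/cache` root and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sanitize is a stand-in for the project's safeFilename (its body is not on
// the page): it swaps path-hostile characters but does not remove secrets.
func sanitize(s string) string {
	return strings.NewReplacer("/", "-", ":", "-", "\\", "-", "?", "-", "*", "-").Replace(s)
}

// cacheDirNaive mirrors the quoted line: the whole uses string, credentials
// included, becomes a directory name under the cache root.
func cacheDirNaive(root, uses string) string {
	return fmt.Sprintf("%s/%s", root, sanitize(uses))
}

// cacheDirRedacted derives the directory name only after dropping userinfo.
// It fails closed: an unparsable URL is an error, never a raw fallback.
func cacheDirRedacted(root, uses string) (string, error) {
	repo, ref := uses, ""
	// "@ref" is the part after the last '@', but only if it follows the last
	// '/'; otherwise that '@' is the userinfo separator.
	if i := strings.LastIndex(uses, "@"); i > strings.LastIndex(uses, "/") {
		repo, ref = uses[:i], uses[i:]
	}
	u, err := url.Parse(repo)
	if err != nil {
		// url.Parse errors echo the URL, so the original error is not wrapped.
		return "", fmt.Errorf("refusing to derive cache dir: invalid uses URL")
	}
	u.User = nil // strip token/password before anything touches the filesystem
	return fmt.Sprintf("%s/%s", root, sanitize(u.String()+ref)), nil
}

func main() {
	const token = "CONSTRUCTED-TOKEN-0000" // constructed sample, not a real secret
	uses := "https://" + token + ":@mydomain/organization/actions-sparse-checkout@main"
	fmt.Println("naive:   ", cacheDirNaive("/cache", uses))
	dir, err := cacheDirRedacted("/cache", uses)
	fmt.Println("redacted:", dir, err)
	// The uninterpolated expression from the thread does not parse at all.
	_, err = cacheDirRedacted("/cache", "https://${{ secrets.GITHUB_TOKEN }}:@mydomain/organization/repo@main")
	fmt.Println("raw expression:", err)
}
```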

Author

Ah I get it!! Sorry.

Yeah, if the cache location would contain the GITHUB_TOKEN, that would be bad - I agree! :)

Member

> but storing the `${{secrets.GITHUB_TOKEN}}` in a folder name on your filesystem is suboptimal even if everything is private.

Thanks for the reminder, I'll make some improvements here.

Reference: gitea/act_runner#285