新增黑名单模式和拒绝文本配置，优化仓库匹配逻辑

2025-04-14 13:07:48 +08:00 · 2025-04-14 13:07:48 +08:00 · e1732603b3
commit e1732603b3
parent 314d43d5be
4 changed files with 16 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -18,6 +18,8 @@ runner:
        - "org1/repo2"  # 仅允许org1/repo2使用
        - "org2/*"  # 仅允许org2下的所有repo使用
        - "user1/*" # 仅允许user1下的所有repo使用
+    blacklist_mode: false # 是否启用黑名单模式，启用后为反向选择
+    reject_text: "This repository {REPO} is not allowed to use this runner {RUNNER} to run workflows." # 禁止使用actions时的提示文本
 ```

 ## 安装
--- a/internal/app/run/runner.go
+++ b/internal/app/run/runner.go
@ -121,13 +121,14 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.
 		}
 	}()

-	// verify owner and repo
-	if !matchAllowedRepo(task.Context.Fields["repository"].GetStringValue(), r.cfg.Runner.AllowedRepos) {
-		// not matched
-		log.Warnf("Repository %s is not in allowed_repos to run workflows", task.Context.Fields["repository"].GetStringValue())
-		reporter.Logf("Repository %s is not allowed to run workflows on this runner, please add \"public\" label in \"runs-on\" to use public runners\n"+
-			"储存库 %s 不被允许在此 runner 上运行 workflows，请在 runs-on 中加上 \"public\" 以使用我们的赞助商 007idc(https://www.007idc.cn/)提供的runners", task.Context.Fields["repository"].GetStringValue())
-		return errors.New("repository not in allowed_repos")
+	matched := matchAllowedRepo(task.Context.Fields["repository"].GetStringValue(), r.cfg.Runner.AllowedRepos)
+	if (r.cfg.Runner.BlacklistMode && matched) || (!r.cfg.Runner.BlacklistMode && !matched) {
+		// replace with the real repo name {REPO} and runner name {RUNNER}
+		formattedRejectText := strings.ReplaceAll(r.cfg.Runner.RejectText, "{REPO}", task.Context.Fields["repository"].GetStringValue())
+		formattedRejectText = strings.ReplaceAll(formattedRejectText, "{RUNNER}", r.name)
+		log.Warnf(formattedRejectText)
+		reporter.Logf(formattedRejectText)
+		return errors.New("repository not matched allowed_repos")
 	}

 	reporter.Logf("%s(version:%s) received task %v of job %v, be triggered by event: %s", r.name, ver.Version(), task.Id, task.Context.Fields["job"].GetStringValue(), task.Context.Fields["event_name"].GetStringValue())
--- a/internal/pkg/config/config.example.yaml
+++ b/internal/pkg/config/config.example.yaml
@ -48,6 +48,10 @@ runner:
    - "org1/repo2"
    - "org2/*"
    - "user1/*"
+  # for global runner, if true, the runner will only run jobs except the allowed_repos.
+  blacklist_mode: false
+  # reject_text is used to show the reason why the job is rejected.
+  reject_text: "This runner is not allowed to run this job in this repository: %s."

 cache:
  # Enable cache server to use actions/cache.
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@ -32,6 +32,8 @@ type Runner struct {
 	FetchInterval   time.Duration     `yaml:"fetch_interval"`   // FetchInterval specifies the interval duration for fetching resources.
 	Labels          []string          `yaml:"labels"`           // Labels specify the labels of the runner. Labels are declared on each startup
 	AllowedRepos    []string          `yaml:"allowed_repos"`    // AllowedRepos specify the repositories that the runner is allowed to run jobs for.
+	BlacklistMode	  bool              `yaml:"blacklist_mode"`   // BlacklistMode indicates whether the runner operates in blacklist mode.
+	RejectText	  string            `yaml:"reject_text"`      // RejectText specifies the text to be displayed when a job is rejected.
 }

 // Cache represents the configuration for caching.