diff --git a/README.md b/README.md index a41784b..3c5e569 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,8 @@ runner: - "org1/repo2" # 仅允许org1/repo2使用 - "org2/*" # 仅允许org2下的所有repo使用 - "user1/*" # 仅允许user1下的所有repo使用 + blacklist_mode: false # 是否启用黑名单模式,启用后为反向选择 + reject_text: "This repository {REPO} is not allowed to use this runner {RUNNER} to run workflows." # 禁止使用actions时的提示文本 ``` ## 安装 diff --git a/internal/app/run/runner.go b/internal/app/run/runner.go index 8a62f49..6245cdb 100644 --- a/internal/app/run/runner.go +++ b/internal/app/run/runner.go 
@@ -121,13 +121,14 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.
 }
 }()
- // verify owner and repo
- if !matchAllowedRepo(task.Context.Fields["repository"].GetStringValue(), r.cfg.Runner.AllowedRepos) {
- // not matched
- log.Warnf("Repository %s is not in allowed_repos to run workflows", task.Context.Fields["repository"].GetStringValue())
- reporter.Logf("Repository %s is not allowed to run workflows on this runner, please add \"public\" label in \"runs-on\" to use public runners\n"+
- "储存库 %s 不被允许在此 runner 上运行 workflows,请在 runs-on 中加上 \"public\" 以使用我们的赞助商 007idc(https://www.007idc.cn/)提供的runners", task.Context.Fields["repository"].GetStringValue())
- return errors.New("repository not in allowed_repos")
+ matched := matchAllowedRepo(task.Context.Fields["repository"].GetStringValue(), r.cfg.Runner.AllowedRepos)
+ if (r.cfg.Runner.BlacklistMode && matched) || (!r.cfg.Runner.BlacklistMode && !matched) {
+ // replace with the real repo name {REPO} and runner name {RUNNER}
+ formattedRejectText := strings.ReplaceAll(r.cfg.Runner.RejectText, "{REPO}", task.Context.Fields["repository"].GetStringValue())
+ formattedRejectText = strings.ReplaceAll(formattedRejectText, "{RUNNER}", r.name)
+ log.Warnf(formattedRejectText)
+ reporter.Logf(formattedRejectText)
+ return errors.New("repository not matched allowed_repos")
 }
 reporter.Logf("%s(version:%s) received task %v of job %v, be triggered by event: %s", r.name, ver.Version(), task.Id, task.Context.Fields["job"].GetStringValue(), task.Context.Fields["event_name"].GetStringValue())
diff --git a/internal/pkg/config/config.example.yaml b/internal/pkg/config/config.example.yaml
index e4ed364..81c189f 100644
--- a/internal/pkg/config/config.example.yaml
+++ b/internal/pkg/config/config.example.yaml
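Review bot: In the `run` hunk of `internal/app/run/runner.go`, `log.Warnf(formattedRejectText)` and `reporter.Logf(formattedRejectText)` use an operator-configured string, with the repository name already substituted in, as the format string, so any `%` in `reject_text` or in the repository field is parsed as a verb and the denial message comes out garbled (for example `%!s(MISSING)`). Pass the text as an argument instead: `log.Warnf("%s", formattedRejectText)` and `reporter.Logf("%s", formattedRejectText)`. The denial record now also depends entirely on configuration: if `reject_text` is unset, `RejectText` is the empty string and neither the runner log nor the job log names the rejected repository, which the removed `log.Warnf` call always did. Consider keeping a fixed warning that records the repository and whether blacklist mode was active, and note that the returned error text `repository not matched allowed_repos` is misleading when the rejection came from a blacklist match. The body of `run` starts and ends outside this hunk.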
@@ -48,6 +48,10 @@ runner: - "org1/repo2" - "org2/*" - "user1/*" + # for global runner, if true, the runner will only run jobs except the allowed_repos. + blacklist_mode: false + # reject_text is used to show the reason why the job is rejected. + reject_text: "This runner is not allowed to run this job in this repository: %s." cache: # Enable cache server to use actions/cache. diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go index 88e772c..fb2601c 100644 --- a/internal/pkg/config/config.go +++ b/internal/pkg/config/config.go @@ -32,6 +32,8 @@ type Runner struct { FetchInterval time.Duration `yaml:"fetch_interval"` // FetchInterval specifies the interval duration for fetching resources. Labels []string `yaml:"labels"` // Labels specify the labels of the runner. Labels are declared on each startup AllowedRepos []string `yaml:"allowed_repos"` // AllowedRepos specify the repositories that the runner is allowed to run jobs for. + BlacklistMode bool `yaml:"blacklist_mode"` // BlacklistMode indicates whether the runner operates in blacklist mode. + RejectText string `yaml:"reject_text"` // RejectText specifies the text to be displayed when a job is rejected. } // Cache represents the configuration for caching.
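Review bot: The example `reject_text` in `config.example.yaml` uses a `%s` placeholder, but the new code in `runner.go` substitutes only `{REPO}` and `{RUNNER}`, so a config copied from this file never shows the repository name and, because the text is currently passed as a format string, logs a `%!s(MISSING)` artefact instead. Use the same placeholders as the README: `reject_text: "This repository {REPO} is not allowed to use this runner {RUNNER} to run workflows."`. The `blacklist_mode` comment is also hard to read for a setting that inverts an access-control list; something like `# if true, allowed_repos is treated as a deny list: jobs from the listed repositories are rejected and all other repositories are accepted` makes the fail-open behaviour for unlisted repositories explicit. The `BlacklistMode` field comment in the `config.go` hunk has the same gap and would benefit from the same wording.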