Merge pull request 'Update module github.com/nektos/act to v0.2.80' (#14) from renovate/github.com-nektos-act-0.x into main

Reviewed-on: #14

.gitea/workflows/release-nightly.yml

@@ -1,101 +1,79 @@
 name: release-nightly
 
 on:
-  push:
-    branches: [main]
-    tags:
-      - "*"
+    push:
+        branches: [main]
+        tags:
+            - "*"
 
 jobs:
-  goreleaser:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # all history for all branches and tags
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: "go.mod"
-      - name: goreleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          distribution: goreleaser-pro
-          args: release --nightly
+    release-image:
+        runs-on: liteyukios-latest
+        container:
+            image: catthehacker/ubuntu:act-latest
         env:
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          S3_REGION: ${{ secrets.AWS_REGION }}
-          S3_BUCKET: ${{ secrets.AWS_BUCKET }}
-          GORELEASER_FORCE_TOKEN: "gitea"
-          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  release-image:
-    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    env:
-      DOCKER_ORG: gitea
-      DOCKER_LATEST: nightly
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # all history for all branches and tags
+            DOCKER_ORG: gitea
+            DOCKER_LATEST: nightly
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+              with:
+                  fetch-depth: 0 # all history for all branches and tags
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
 
-      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v3
+            - name: Set up Docker BuildX
+              uses: docker/setup-buildx-action@v3
 
-      - name: Login to DockerHub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+            - name: Login to Liteyuki Harbor
+              uses: docker/login-action@v3
+              with:
+                  registry: reg.liteyuki.icu
+                  username: ${{ secrets.HARBOR_USERNAME }}
+                  password: ${{ secrets.HARBOR_PASSWORD }}
 
-      - name: Get Meta
-        id: meta
-        run: |
-          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
-          echo REPO_VERSION=${GITHUB_REF_NAME#v} >> $GITHUB_OUTPUT
+            - name: Get Meta
+              id: meta
+              run: |
+                  echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
+                  echo REPO_VERSION=${GITHUB_REF_NAME#v} >> $GITHUB_OUTPUT
 
-      - name: Build and push
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile
-          target: basic
-          platforms: |
-            linux/amd64
-            linux/arm64
-          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}
+            - name: Build and push
+              uses: docker/build-push-action@v5
+              with:
+                  context: .
+                  file: ./Dockerfile
+                  target: basic
+                  platforms: |
+                      linux/amd64
+                      linux/arm64
+                  push: true
+                  tags: |
+                      reg.liteyuki.icu/actions/liteyuki-runner:latest
 
-      - name: Build and push dind
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile
-          target: dind
-          platforms: |
-            linux/amd64
-            linux/arm64
-          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind
+            - name: Build and push dind
+              uses: docker/build-push-action@v5
+              with:
+                  context: .
+                  file: ./Dockerfile
+                  target: dind
+                  platforms: |
+                      linux/amd64
+                      linux/arm64
+                  push: true
+                  tags: |
+                      reg.liteyuki.icu/actions/liteyuki-runner:latest-dind
 
-      - name: Build and push dind-rootless
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile
-          target: dind-rootless
-          platforms: |
-            linux/amd64
-            linux/arm64
-          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind-rootless
+            - name: Build and push dind-rootless
+              uses: docker/build-push-action@v5
+              with:
+                  context: .
+                  file: ./Dockerfile
+                  target: dind-rootless
+                  platforms: |
+                      linux/amd64
+                      linux/arm64
+                  push: true
+                  tags: |
+                      reg.liteyuki.icu/actions/liteyuki-runner:latest-dind-rootless

.gitignore

@@ -12,3 +12,4 @@ coverage.txt
 __debug_bin
 # gorelease binary folder
 dist
+main

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24-alpine AS builder
+FROM reg.liteyuki.icu/dockerhub/golang:1.24-alpine AS builder
 
 # Do not remove `git` here, it is required for getting runner version when executing `make build`
 RUN apk add --no-cache make git
@@ -11,7 +11,7 @@ WORKDIR /opt/src/act_runner
 
 RUN make clean && make build
 
-FROM docker:dind AS dind
+FROM reg.liteyuki.icu/dockerhub/docker:dind AS dind
 
 RUN apk add --no-cache s6 bash git
 
@@ -23,7 +23,7 @@ VOLUME /data
 
 ENTRYPOINT ["s6-svscan","/etc/s6"]
 
-FROM docker:dind-rootless AS dind-rootless
+FROM reg.liteyuki.icu/dockerhub/docker:dind-rootless AS dind-rootless
 
 USER root
 RUN apk add --no-cache s6 bash git
@@ -41,7 +41,7 @@ ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
 USER rootless
 ENTRYPOINT ["s6-svscan","/etc/s6"]
 
-FROM alpine AS basic
+FROM reg.liteyuki.icu/dockerhub/alpine AS basic
 RUN apk add --no-cache tini bash git
 
 COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner

Makefile

@@ -70,7 +70,7 @@ GO_PACKAGES_TO_VET ?= $(filter-out gitea.com/gitea/act_runner/internal/pkg/clien
 
 
 TAGS ?=
-LDFLAGS ?= -X "gitea.com/gitea/act_runner/internal/pkg/ver.version=v$(RELASE_VERSION)"
+LDFLAGS ?= -X "gitea.com/gitea/act_runner/internal/pkg/ver.version=v$(RELASE_VERSION)-liteyuki-distro"
 
 all: build
 

README.md

@@ -1,3 +1,39 @@
+# Liteyuki Runner
+
+## 需求
+如果你的Gitea实例偏公共性质，又不想让所有人都能使用Actions，
+且有多个组织/用户，又不想配置多个Runner给每个仓库和组织分配一个
+
+那么这个项目应该可以满足你的需求
+
+遵循源项目许可证进行二次分发
+
+## 特色
+```yaml
+# 仅需要在原有的配置文件 runner项下添加一个allowed_repos: []string的配置项目
+# 配置非常简单，owner/repo格式。*表示所有repo或者owner
+runner:
+    allowed_repos:
+        - "org1/repo1"  # 仅允许org1/repo1使用
+        - "org1/repo2"  # 仅允许org1/repo2使用
+        - "org2/*"  # 仅允许org2下的所有repo使用
+        - "user1/*" # 仅允许user1下的所有repo使用
+    blacklist_mode: false # 是否启用黑名单模式，启用后为反向选择
+    reject_text: "This repository {REPO} is not allowed to use this runner {RUNNER} to run workflows." # 禁止使用actions时的提示文本
+```
+
+## 安装
+- (安装方法和Gitea Runner相同，只是镜像换成了我们的)
+
+```bash
+docker pull reg.liteyuki.icu/actions/liteyuki-runner:latest
+
+podman pull reg.liteyuki.icu/actions/liteyuki-runner:latest
+```
+
+
+> 下面是Gitea Runner官方文档
+
 # act runner
 
 Act runner is a runner for Gitea based on [Gitea fork](https://gitea.com/gitea/act) of [act](https://github.com/nektos/act).
@@ -26,8 +62,8 @@ make docker
 
 ## Quickstart
 
-Actions are disabled by default, so you need to add the following to the configuration file of your Gitea instance to enable it: 
-  
+Actions are disabled by default, so you need to add the following to the configuration file of your Gitea instance to enable it:
+
 ```ini
 [actions]
 ENABLED=true

go.mod

@@ -6,19 +6,19 @@ require (
 	code.gitea.io/actions-proto-go v0.4.1
 	code.gitea.io/gitea-vet v0.2.3
 	connectrpc.com/connect v1.16.2
-	github.com/avast/retry-go/v4 v4.6.0
+	github.com/avast/retry-go/v4 v4.6.1
 	github.com/docker/docker v25.0.5+incompatible
 	github.com/joho/godotenv v1.5.1
 	github.com/mattn/go-isatty v0.0.20
-	github.com/nektos/act v0.0.0 // will be replaced
+	github.com/nektos/act v0.2.80 // will be replaced
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	golang.org/x/term v0.22.0
 	golang.org/x/time v0.5.0
 	google.golang.org/protobuf v1.34.2
 	gopkg.in/yaml.v3 v3.0.1
-	gotest.tools/v3 v3.5.1
+	gotest.tools/v3 v3.5.2
 )
 
 require (
@@ -98,4 +98,4 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 
-replace github.com/nektos/act => gitea.com/gitea/act v0.261.4
+replace github.com/nektos/act => gitea.com/gitea/act v0.261.6

go.sum

@@ -8,6 +8,8 @@ dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 gitea.com/gitea/act v0.261.4 h1:Tf9eLlvsYFtKcpuxlMvf9yT3g4Hshb2Beqw6C1STuH8=
 gitea.com/gitea/act v0.261.4/go.mod h1:Pg5C9kQY1CEA3QjthjhlrqOC/QOT5NyWNjOjRHw23Ok=
+gitea.com/gitea/act v0.261.6 h1:CjZwKOyejonNFDmsXOw3wGm5Vet573hHM6VMLsxtvPY=
+gitea.com/gitea/act v0.261.6/go.mod h1:Pg5C9kQY1CEA3QjthjhlrqOC/QOT5NyWNjOjRHw23Ok=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
@@ -27,6 +29,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/avast/retry-go/v4 v4.6.0 h1:K9xNA+KeB8HHc2aWFuLb25Offp+0iVRXEvFx8IinRJA=
 github.com/avast/retry-go/v4 v4.6.0/go.mod h1:gvWlPhBVsvBbLkVGDg/KwvBv0bEkCOLRRSHKIr2PyOE=
+github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk=
+github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
@@ -191,6 +195,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928 h1:zjNCuOOhh1TKRU0Ru3PPPJt80z7eReswCao91gBLk00=
 github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928/go.mod h1:PCFYfAEfKT+Nd6zWvUpsXduMR1bXFLf0uGSlEF05MCI=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
@@ -335,3 +341,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=

internal/app/poll/poller.go

@@ -7,7 +7,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"strings"
 	"sync"
 	"sync/atomic"
 
@@ -148,11 +147,6 @@ func (p *Poller) runTaskWithRecover(ctx context.Context, task *runnerv1.Task) {
 			log.WithError(err).Error("panic in runTaskWithRecover")
 		}
 	}()
-	// verify owner and repo
-	if matchAllowedRepo(task.Context.Fields["repository"].GetStringValue(), p.cfg.Runner.AllowedRepos) {
-		log.WithError(errors.New("allowed repos not match")).Error("allowed repos not match")
-		return
-	}
 
 	if err := p.runner.Run(ctx, task); err != nil {
 		log.WithError(err).Error("failed to run task")
@@ -193,31 +187,3 @@ func (p *Poller) fetchTask(ctx context.Context) (*runnerv1.Task, bool) {
 
 	return resp.Msg.Task, true
 }
-
-func matchAllowedRepo(targetRepo string, allowedRepos []string) bool {
-	if len(allowedRepos) == 0 {
-		return true
-	}
-
-	parts := strings.Split(targetRepo, "/")
-	if len(parts) != 2 {
-		log.Errorf("Invalid repository format: %s", targetRepo)
-		return false
-	}
-
-	targetOwner, targetRepoName := parts[0], parts[1]
-
-	for _, allowedRepo := range allowedRepos {
-		parts := strings.Split(allowedRepo, "/")
-		if len(parts) != 2 {
-			log.Warnf("Invalid allowed repository format: %s", allowedRepo)
-			continue
-		}
-		allowedOwner, allowedRepoName := parts[0], parts[1]
-		if (allowedOwner == "*" || allowedOwner == targetOwner) &&
-			(allowedRepoName == "*" || allowedRepoName == targetRepoName) {
-			return true
-		}
-	}
-	return false
-}

internal/app/run/runner.go

@@ -6,6 +6,7 @@ package run
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"path/filepath"
 	"strings"
@@ -120,6 +121,16 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.
 		}
 	}()
 
+	matched := matchAllowedRepo(task.Context.Fields["repository"].GetStringValue(), r.cfg.Runner.AllowedRepos)
+	if (r.cfg.Runner.BlacklistMode && matched) || (!r.cfg.Runner.BlacklistMode && !matched) {
+		// replace with the real repo name {REPO} and runner name {RUNNER}
+		formattedRejectText := strings.ReplaceAll(r.cfg.Runner.RejectText, "{REPO}", task.Context.Fields["repository"].GetStringValue())
+		formattedRejectText = strings.ReplaceAll(formattedRejectText, "{RUNNER}", r.name)
+		log.Warnf(formattedRejectText)
+		reporter.Logf(formattedRejectText)
+		return errors.New("repository not matched allowed_repos")
+	}
+
 	reporter.Logf("%s(version:%s) received task %v of job %v, be triggered by event: %s", r.name, ver.Version(), task.Id, task.Context.Fields["job"].GetStringValue(), task.Context.Fields["event_name"].GetStringValue())
 
 	workflow, jobID, err := generateWorkflow(task)
@@ -238,3 +249,30 @@ func (r *Runner) Declare(ctx context.Context, labels []string) (*connect.Respons
 		Labels:  labels,
 	}))
 }
+
+func matchAllowedRepo(targetRepo string, allowedRepos []string) bool {
+	if len(allowedRepos) == 0 {
+		return true
+	}
+
+	parts := strings.Split(targetRepo, "/")
+	if len(parts) != 2 {
+		log.Errorf("Invalid repository format: %s", targetRepo)
+		return false
+	}
+	targetOwner, targetRepoName := parts[0], parts[1]
+
+	for _, allowedRepo := range allowedRepos {
+		parts := strings.Split(allowedRepo, "/")
+		if len(parts) != 2 {
+			log.Warnf("Invalid allowed repository format: %s", allowedRepo)
+			continue
+		}
+		allowedOwner, allowedRepoName := parts[0], parts[1]
+		if (allowedOwner == "*" || strings.ToLower(allowedOwner) == strings.ToLower(targetOwner)) &&
+			(allowedRepoName == "*" || strings.ToLower(allowedRepoName) == strings.ToLower(targetRepoName)) {
+			return true
+		}
+	}
+	return false
+}

internal/pkg/config/config.example.yaml

@@ -41,6 +41,7 @@ runner:
     - "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
     - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
     - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
+    
 
   # for global runner
   allowed_repos:
@@ -48,6 +49,10 @@ runner:
     - "org1/repo2"
     - "org2/*"
     - "user1/*"
+  # for global runner, if true, the runner will only run jobs except the allowed_repos.
+  blacklist_mode: false
+  # reject_text is used to show the reason why the job is rejected.
+  reject_text: "This runner is not allowed to run this job in this repository: %s."
 
 cache:
   # Enable cache server to use actions/cache.

internal/pkg/config/config.go

@@ -32,6 +32,8 @@ type Runner struct {
 	FetchInterval   time.Duration     `yaml:"fetch_interval"`   // FetchInterval specifies the interval duration for fetching resources.
 	Labels          []string          `yaml:"labels"`           // Labels specify the labels of the runner. Labels are declared on each startup
 	AllowedRepos    []string          `yaml:"allowed_repos"`    // AllowedRepos specify the repositories that the runner is allowed to run jobs for.
+	BlacklistMode	  bool              `yaml:"blacklist_mode"`   // BlacklistMode indicates whether the runner operates in blacklist mode.
+	RejectText	  string            `yaml:"reject_text"`      // RejectText specifies the text to be displayed when a job is rejected.
 }
 
 // Cache represents the configuration for caching.

renovate.json

@@ -0,0 +1,3 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}

renovate.json5

@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "local>gitea/renovate-config"
-  ]
-}