Allow runner to access organization repositories or implement a way for remote authentication for steps #25929

Open
LJ1102 opened this issue Jul 17, 2023 · 4 comments
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@LJ1102

LJ1102 commented Jul 17, 2023

Feature Description

I have a private Gitea instance that I configured to require sign-in. I want to use actions hosted on my instance, but when I do:

steps:
  - uses: https://my-gitea-instance/myOrg/myAction@latest

The runner is unable to clone the repository:

Unable to clone https://my-gitea-instance/myOrg/myAction refs/heads/latest: authentication required

I think the runner (that is registered to "myOrg") should be able to access repositories of the same organization, or we need to be able to provide auth keys for the fetching of actions.

Screenshots

No response

@LJ1102 LJ1102 added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Jul 17, 2023
@wolfogre
Member

I think the runner (that is registered to "myOrg") should be able to access repositories of the same organization ...

No, the runner has no more permission than fetching and reporting tasks. It can access the repo because it gets a temporary token with some limited permissions.

It's in the plans to configure the permissions of the temporary token; see #24635.

... we need to be able to provide auth keys for the fetching of actions.

@sillyguodong I think you could help.

@sillyguodong
Contributor

sillyguodong commented Jul 20, 2023

We have added support for expressions in uses in this PR.
So please upgrade your runner and try to interpolate the token in uses with an expression, like below:

uses: https://${{ secrets.GITHUB_TOKEN }}:@my-gitea-instance/myOrg/myAction

@jonas-switala

Is there a known approach for using the solution provided by @sillyguodong to call shared workflows?

When attempting to embed the token in the URL I get the following error message:

calling workflow snippet:

jobs:
  validate-manifests:
    uses: https://${{ secrets.GITHUB_TOKEN }}:{instance}/{owner}/{repo}/.gitea/workflows/validate.yaml@v1.0.0

output:

expected format {owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}. Actual 'https://${{ secrets.GITHUB_TOKEN }}:{instance}/{owner}/{repo}/.gitea/workflows/validate.yaml@v1.0.0' Input string was not in a correct format

@brandonkal

@jonas-switala YAML parsers can often have issues when an unquoted string has a colon, which is quite ironic considering your workflow name. I would recommend quoting the string. Also, that is not a valid URL: you must use an @ to separate credentials from the host. See the definition
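
The URL-syntax point from the last comment, as an added example that is not part of the thread or of Gitea's runner code: a Go check that a uses value (after expression interpolation) is a well-formed URL with credentials separated from the host by @, returning a form with the credentials removed for printing. The names ParseUses and UsesRef and the token value TOKEN are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// UsesRef is the parsed form of a remote `uses:` value (hypothetical type for this example).
type UsesRef struct {
	LogSafe string // URL without userinfo or ref, safe to print
	Ref     string // text after the last '@' in the path
	HasAuth bool   // true when credentials were embedded in the URL
}

// ParseUses validates a value shaped like https://user:pass@host/owner/repo@ref
// and splits off the ref and the credentials.
func ParseUses(raw string) (UsesRef, error) {
	u, err := url.Parse(raw)
	if err != nil {
		// "https://TOKEN:host/..." lands here: with no '@', the text after ':' is read as a port.
		return UsesRef{}, fmt.Errorf("not a valid URL: %w", err)
	}
	if (u.Scheme != "https" && u.Scheme != "http") || u.Hostname() == "" {
		return UsesRef{}, errors.New("expected an http(s) URL with a host")
	}
	out := UsesRef{HasAuth: u.User != nil}
	if i := strings.LastIndex(u.Path, "@"); i >= 0 {
		out.Ref = u.Path[i+1:]
		u.Path = u.Path[:i]
	}
	// Drop userinfo entirely: url.URL.Redacted() masks only the password,
	// and in the "token:@host" form the token is the username.
	u.User = nil
	out.LogSafe = u.String()
	return out, nil
}

func main() {
	for _, s := range []string{ // constructed sample values
		"https://TOKEN:@my-gitea-instance/myOrg/myAction@latest",
		"https://TOKEN:my-gitea-instance/myOrg/myAction@latest", // '@' before host missing
	} {
		r, err := ParseUses(s)
		fmt.Println(r.LogSafe, r.Ref, r.HasAuth, err)
	}
}
```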
