mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-03-25 09:03:04 -04:00
c84cbd56a1
Add support for OIDC workload identity federation.
Add ID_TOKEN_SIGNING_ALGORITHM, ID_TOKEN_SIGNING_PRIVATE_KEY_FILE, and
ID_TOKEN_EXPIRATION_TIME settings to settings.actions to allow for admin
configuration of this functionality.
Add OIDC endpoints (/.well-known/openid-configuration and /.well-known/keys)
underneath the "/api/actions" route.
Add a token generation endpoint (/_apis/pipelines/workflows/{run_id}/idtoken)
underneath the "/api/actions" route.
Depends on: https://code.forgejo.org/forgejo/runner/pulls/1232
Docs PR: https://codeberg.org/forgejo/docs/pulls/1667
Signed-off-by: Mario Minardi <mminardi@shaw.ca>
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10481
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Mario Minardi <mminardi@shaw.ca>
Co-committed-by: Mario Minardi <mminardi@shaw.ca>
132 lines
4.3 KiB
Go
132 lines
4.3 KiB
Go
// Copyright 2022 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package setting
|
|
|
|
import (
|
|
"fmt"
|
|
"path/filepath"
|
|
"strings"
|
|
"time"
|
|
|
|
"forgejo.org/modules/jwtx"
|
|
)
|
|
|
|
// Actions settings
|
|
var (
|
|
Actions = struct {
|
|
Enabled bool
|
|
LogStorage *Storage // how the created logs should be stored
|
|
LogRetentionDays int64 `ini:"LOG_RETENTION_DAYS"`
|
|
LogCompression logCompression `ini:"LOG_COMPRESSION"`
|
|
ArtifactStorage *Storage // how the created artifacts should be stored
|
|
ArtifactRetentionDays int64 `ini:"ARTIFACT_RETENTION_DAYS"`
|
|
DefaultActionsURL defaultActionsURL `ini:"DEFAULT_ACTIONS_URL"`
|
|
ZombieTaskTimeout time.Duration `ini:"ZOMBIE_TASK_TIMEOUT"`
|
|
EndlessTaskTimeout time.Duration `ini:"ENDLESS_TASK_TIMEOUT"`
|
|
AbandonedJobTimeout time.Duration `ini:"ABANDONED_JOB_TIMEOUT"`
|
|
SkipWorkflowStrings []string `ini:"SKIP_WORKFLOW_STRINGS"`
|
|
LimitDispatchInputs int64 `ini:"LIMIT_DISPATCH_INPUTS"`
|
|
ConcurrencyGroupQueueEnabled bool `ini:"CONCURRENCY_GROUP_QUEUE_ENABLED"`
|
|
IDTokenSigningAlgorithm idTokenAlgorithm `ini:"ID_TOKEN_SIGNING_ALGORITHM"`
|
|
IDTokenSigningPrivateKeyFile string `ini:"ID_TOKEN_SIGNING_PRIVATE_KEY_FILE"`
|
|
IDTokenExpirationTime int64 `ini:"ID_TOKEN_EXPIRATION_TIME"`
|
|
}{
|
|
Enabled: true,
|
|
DefaultActionsURL: defaultActionsURLForgejo,
|
|
SkipWorkflowStrings: []string{"[skip ci]", "[ci skip]", "[no ci]", "[skip actions]", "[actions skip]"},
|
|
LimitDispatchInputs: 100,
|
|
ConcurrencyGroupQueueEnabled: true,
|
|
IDTokenSigningAlgorithm: "RS256",
|
|
IDTokenSigningPrivateKeyFile: "actions_id_token/private.pem",
|
|
IDTokenExpirationTime: 3600,
|
|
}
|
|
)
|
|
|
|
type defaultActionsURL string
|
|
|
|
func (url defaultActionsURL) URL() string {
|
|
switch url {
|
|
case defaultActionsURLGitHub:
|
|
return "https://github.com"
|
|
case defaultActionsURLSelf:
|
|
return strings.TrimSuffix(AppURL, "/")
|
|
default:
|
|
return string(url)
|
|
}
|
|
}
|
|
|
|
const (
|
|
defaultActionsURLForgejo = "https://data.forgejo.org"
|
|
defaultActionsURLGitHub = "github" // https://github.com
|
|
defaultActionsURLSelf = "self" // the root URL of the self-hosted instance
|
|
)
|
|
|
|
type logCompression string
|
|
|
|
func (c logCompression) IsValid() bool {
|
|
return c.IsNone() || c.IsZstd()
|
|
}
|
|
|
|
func (c logCompression) IsNone() bool {
|
|
return strings.ToLower(string(c)) == "none"
|
|
}
|
|
|
|
func (c logCompression) IsZstd() bool {
|
|
return c == "" || strings.ToLower(string(c)) == "zstd"
|
|
}
|
|
|
|
type idTokenAlgorithm string
|
|
|
|
func (c idTokenAlgorithm) IsValid() bool {
|
|
// Empty string implies RS256
|
|
return jwtx.IsValidAsymmetricAlgorithm(string(c)) || string(c) == ""
|
|
}
|
|
|
|
func loadActionsFrom(rootCfg ConfigProvider) error {
|
|
sec := rootCfg.Section("actions")
|
|
err := sec.MapTo(&Actions)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to map Actions settings: %v", err)
|
|
}
|
|
|
|
// don't support to read configuration from [actions]
|
|
Actions.LogStorage, err = getStorage(rootCfg, "actions_log", "", nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// default to 1 year
|
|
if Actions.LogRetentionDays <= 0 {
|
|
Actions.LogRetentionDays = 365
|
|
}
|
|
|
|
actionsSec, _ := rootCfg.GetSection("actions.artifacts")
|
|
|
|
Actions.ArtifactStorage, err = getStorage(rootCfg, "actions_artifacts", "", actionsSec)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// default to 90 days in Github Actions
|
|
if Actions.ArtifactRetentionDays <= 0 {
|
|
Actions.ArtifactRetentionDays = 90
|
|
}
|
|
|
|
Actions.ZombieTaskTimeout = sec.Key("ZOMBIE_TASK_TIMEOUT").MustDuration(10 * time.Minute)
|
|
Actions.EndlessTaskTimeout = sec.Key("ENDLESS_TASK_TIMEOUT").MustDuration(3 * time.Hour)
|
|
Actions.AbandonedJobTimeout = sec.Key("ABANDONED_JOB_TIMEOUT").MustDuration(24 * time.Hour)
|
|
|
|
if !Actions.LogCompression.IsValid() {
|
|
return fmt.Errorf("invalid [actions] LOG_COMPRESSION: %q", Actions.LogCompression)
|
|
}
|
|
|
|
if !Actions.IDTokenSigningAlgorithm.IsValid() {
|
|
return fmt.Errorf("invalid [actions] ID_TOKEN_SIGNING_ALGORITHM: %q", Actions.IDTokenSigningAlgorithm)
|
|
}
|
|
|
|
if !filepath.IsAbs(Actions.IDTokenSigningPrivateKeyFile) {
|
|
Actions.IDTokenSigningPrivateKeyFile = filepath.Join(AppDataPath, Actions.IDTokenSigningPrivateKeyFile)
|
|
}
|
|
|
|
return nil
|
|
}
|