mirror of
https://gitea.com/gitea/act_runner.git
synced 2026-07-01 08:34:30 +00:00
When `DEFAULT_ACTIONS_URL=self`, action clone URLs (`uses: owner/repo@ref`) are built from the Gitea **AppURL** (`gitea_default_actions_url`), but `shouldCloneURLUseToken` compared the clone URL host only against the runner's **registered address** (`GitHubInstance`). When the runner registers with a different hostname than AppURL — same instance, different DNS (e.g. `gitea.local` vs `gitea.my-nas.lan`, internal vs external) — the strict `u1.Host == u2.Host` check returns false, so the task token is **not** attached and the action clone goes out anonymously. Against an instance with `REQUIRE_SIGNIN_VIEW=true` this fails with: ``` Unable to clone https://gitea.example/owner/action refs/heads/v1: authentication required ``` The current workaround is to make the runner's registered host exactly match `AppURL`. This PR removes the need for that. Refs: https://github.com/go-gitea/gitea/issues/27933 ## Change - `shouldCloneURLUseToken` now trusts the clone URL when its host matches **either** the registered instance (`GitHubInstance`) **or** the self-hosted default-actions instance (`DefaultActionInstance`). Embedded basic auth is still rejected, and the empty-host cases are unchanged. - A new `Config.DefaultActionInstanceIsSelfHosted` flag gates the second candidate. It is set in the daemon layer (`run/runner.go`, `exec.go`), where `github.com` and a configured `GithubMirror` are distinguishable, so the token is **never** attached for off-instance hosts.Reviewed-on: https://gitea.com/gitea/runner/pulls/1056 Reviewed-by: Zettat123 <39446+zettat123@noreply.gitea.com> Co-authored-by: bircni <bircni@icloud.com>
18 KiB
18 KiB